2020年11月6日 星期五

安裝Sonarqube

1. 關閉防火牆 
systemctl stop firewalld
systemctl disable firewalld

2. 安裝常用軟體 
yum install -y vim wget unzip

3. 關閉selinux 
setenforce 0
vim /etc/sysconfig/selinux

4. 修改sysctl.conf 
vim /etc/sysctl.conf
vm.max_map_count=262144
fs.file-max=65536

套用設定 
sysctl -p

5. 安裝java 
yum install -y java-11-openjdk

6. 安裝 PostgreSQL 12 
yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
yum install -y postgresql12-server
/usr/pgsql-12/bin/postgresql-12-setup initdb
systemctl enable postgresql-12
systemctl start postgresql-12

7. 修改 pg_hba.conf,不然會帳號無法驗證 
vim /var/lib/pgsql/12/data/pg_hba.conf
# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5

8. 重新啟動PostgreSQL 
sudo systemctl restart postgresql-12

9. 設定PostgreSQL 修改postgres的預設密碼 
sudo passwd postgres

切換到postgres帳號 
su - postgres

新增 postgres使用帳號 => sonar 
createuser sonar

切換到PostgreSQL shell模式 
psql

設定sonar的db密碼 & 建立db給sonar使用者 
ALTER USER sonar WITH ENCRYPTED password 'mypassword';
CREATE DATABASE sonar OWNER sonar;

離開PostgreSQL shell模式 
\q

離開user 
exit

10. 下載sonarqube並且解壓縮 
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.7.0.61563.zip
unzip sonarqube-9.7.0.61563.zip -d /opt
mv /opt/sonarqube-9.7.0.61563 /opt/sonarqube

11. 修改設定檔sonar.properties 
vim /opt/sonarqube/conf/sonar.properties

sonar.jdbc.username=sonar
sonar.jdbc.password=mypassword
sonar.path.data=/var/sonarqube/data
sonar.path.temp=/var/sonarqube/temp
sonar.jdbc.url=jdbc:postgresql://localhost/sonar

##以下部分視情況修改 
sonar.web.host=127.0.0.1
sonar.web.port=9000
sonar.web.javaOpts=-server -Xms512m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError
sonar.search.javaOpts=-server -Xms512m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError

12. 建立sonar的使用者帳號 
useradd sonar
passwd sonar

13. 建立相關資料夾並且修改權限 
mkdir -p /var/sonarqube/data
mkdir -p /var/sonarqube/temp
chown -R sonar:sonar /var/sonarqube
chown -R sonar:sonar /opt/sonarqube

##以下部分視情況修改 
vim /etc/security/limits.conf
sonar   -   nofile   131072
sonar   -   nproc    8192

14. 設定Sonarqube service 
vim /etc/systemd/system/sonarqube.service
[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
LimitNOFILE=131072
LimitNPROC=8192
User=sonar
Group=sonar
Restart=on-failure

[Install]
WantedBy=multi-user.target

15. 啟動服務 
systemctl daemon-reload
systemctl enable sonarqube
systemctl start sonarqube
systemctl status sonarqube

# 查修用的指令 
tail -f /opt/sonarqube/logs/sonar.log
tail -f /opt/sonarqube/logs/web.log
tail -f /opt/sonarqube/logs/es.log
tail -f /opt/sonarqube/logs/ce.log
ss -ntlp

# 額外設定 nginx reverse proxy (此步驟可以跳過) 
sudo yum -y install epel-release
yum install -y nginx
systemctl start nginx
systemctl enable nginx

修改nginx設定檔,新增以下設定 
location / {
    proxy_pass "http://127.0.0.1:9000";
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

確認設定檔是否正確 
nginx -t

重新啟動 
systemctl restart nginx

登入帳密為 admin admin

2020年9月8日 星期二

常用的awk語法



awk '{print $0}' file

~匹配正則 !~不匹配正則

|| && ! 或且非

awk '{if($2!~/Rudy/) print $0}' content

awk '{if($1=="001" && $2~/^Ru/) print $0}' content

 

2020年1月29日 星期三

安裝docker

官方建議在安裝docker前,要先把舊版移除,否則可能會產生一些衝突。 1. 移除舊版docker 
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine

2. 安裝需要套件 
yum install -y yum-utils device-mapper-persistent-data lvm2

3. 設定docker穩定版本的yum repo 
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

4. 安裝docker 
yum install -y docker-ce docker-ce-cli containerd.io

ps.中間如果詢問GPG key,請確認是否為 060A 61C5 1B55 8A7F 742B 77AA C52F EB6B 621E 9F35 如果確認是,就請選擇接受 5. 啟動docker 
systemctl enable docker
systemctl start docker

5. 測試docker 
docker run hello-world

# 以下指令可以列出docker一些相關資訊 
docker info
docker version

參考資料: https://docs.docker.com/install/linux/docker-ce/centos/

2020年1月21日 星期二

安裝harbor

前置作業
1.移除舊版的docker 並且安裝新版的docker-ce
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
systemctl start docker
systemctl enable docker

2.安裝
curl -L "https://github.com/docker/compose/releases/download/v2.11.1/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version



1.建立一個CA憑證
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=TW/ST=Taiwan/L=Taipei/O=abow Inc./OU=IT/CN=abowspy.tw" \
 -key ca.key -out ca.crt

2.
openssl genrsa -out harbor.abowspy.tw.key 4096
openssl req -sha512 -new \
 -subj "/C=TW/ST=Taiwan/L=Taipei/O=abow Inc./OU=IT/CN=harbor.abowspy.tw" \
 -key harbor.abowspy.tw.key -out harbor.abowspy.tw.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.abowspy.tw
DNS.2=192.168.1.205
EOF

openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
 -CA ca.crt -CAkey ca.key -CAcreateserial \
 -in harbor.abowspy.tw.csr -out harbor.abowspy.tw.crt

3.拷貝到某資料夾
mkdir -p /data/cert/
cp harbor.abowspy.tw.crt /data/cert/
cp harbor.abowspy.tw.key /data/cert/

4.轉換.crt變成.cert,因為docker服務預設會把.crt當作是CA憑證,.cert會當作server用憑證
openssl x509 -inform PEM -in harbor.abowspy.tw.crt -out harbor.abowspy.tw.cert
mkdir -p /etc/docker/certs.d/harbor.abowspy.tw/
cp harbor.abowspy.tw.cert /etc/docker/certs.d/harbor.abowspy.tw/
cp harbor.abowspy.tw.key /etc/docker/certs.d/harbor.abowspy.tw/
cp ca.crt /etc/docker/certs.d/harbor.abowspy.tw/

## 如果有Let's Encrypt的憑證
也可以這樣
# cp cert1.pem harbor.abow.online.crt
# cp chain1.pem ca.crt
# cp privkey1.pem harbor.abow.online.key
# openssl x509 -inform PEM -in harbor.abow.online.crt -out harbor.abow.online.cert
# cp harbor.abow.online.cert /etc/docker/certs.d/harbor.abow.online/
# cp harbor.abow.online.key /etc/docker/certs.d/harbor.abow.online/
# cp ca.crt /etc/docker/certs.d/harbor.abow.online/



4.取得安裝包並解壓縮
wget https://github.com/goharbor/harbor/releases/download/v2.6.0/harbor-offline-installer-v2.6.0.tgz
tar xvf harbor-offline-installer-v2.6.0.tgz


5.設定harbor安裝檔
cd harbor
vi harbor.yml
hostname: harbor.abowspy.tw
https:
  port: 443
  certificate: /data/cert/harbor.abowspy.tw.crt
  private_key: /data/cert/harbor.abowspy.tw.key

## 設定檔也能cp harbor.yml.tmpl harbor.yml
再去修改內容。

6.開始安裝
./prepare
./install.sh

補充:./prepare --with-trivy --with-chartmuseum

7.可以用以下指令確認是否安裝完成
docker ps
ss -ntlp

admin
Harbor12345

2020年1月19日 星期日

使用openssl自產憑證,並加入到https

#------------------------------------------------------------------------------------------------------
#1.建立 vim ssl.conf 設定檔
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Abow Inc.
OU = IT Department
emailAddress = abowspy@gmail.com
CN = www.abowspy.tw

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.abowspy.tw
DNS.2 = 192.168.1.201

#設定檔的 [alt_names] 區段,則是用來設定 SSL 憑證的域名,這部分設定相當重要,如果沒有設定的話,許多瀏覽器都會將憑證視為無效憑證。
#這部分你要設定幾組域名都可以,基本上沒有什麼上限,因為自簽憑證主要目的是用來開發測試之用,因此建議可以把可能會用到的本機域名 (localhost) 或是區域網路的 IP 地址都加上去,以便後續進行遠端連線測試。


#------------------------------------------------------------------------------------------------------
#2.透過 OpenSSL 命令產生出自簽憑證與相對應的私密金鑰,建立用domain名稱當作檔案名稱
openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout www.abowspy.tw.key -out www.abowspy.tw.crt -config ssl.conf

***   Nginx設定   ***
#------------------------------------------------------------------------------------------------------
#3.建立存放憑證的資料夾,並且把憑證copy過去,並且key給0600權限
mkdir -p /etc/nginx/ssl
cp *.key *.crt /etc/nginx/ssl/
chmod 0600 /etc/nginx/ssl/*.key

#------------------------------------------------------------------------------------------------------
#4.設定nginx設定檔案 vim /etc/nginx/conf.d/default.conf
在原本listen       80;底下加入這幾行
    listen       443 ssl;
    ssl_certificate /etc/nginx/ssl/www.abowspy.tw.crt;
    ssl_certificate_key /etc/nginx/ssl/www.abowspy.tw.key;

#------------------------------------------------------------------------------------------------------
#5.重新啟動 nginx
systemctl restart nginx





***   Apache設定   ***
#------------------------------------------------------------------------------------------------------
#1.要先確認mod_ssl有無安裝
yum -y install mod_ssl

#------------------------------------------------------------------------------------------------------
#3.建立存放憑證的資料夾,並且把憑證copy過去,並且key給0600權限
cp *.crt /etc/pki/tls/certs/
cp *.key /etc/pki/tls/private/
chmod 0600 /etc/pki/tls/private/*.key

#------------------------------------------------------------------------------------------------------
#3.編輯vim /etc/httpd/conf.d/vhosts.conf

<VirtualHost *:80>
  ServerName www.abowspy.tw
  DocumentRoot /var/www/html/
</VirtualHost>
<VirtualHost *:443>
  ServerName www.abowspy.tw
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
  SSLCertificateFile /etc/pki/tls/certs/www.abowspy.tw.crt
  SSLCertificateKeyFile /etc/pki/tls/private/www.abowspy.tw.key
  DocumentRoot /var/www/html/
</VirtualHost>

#------------------------------------------------------------------------------------------------------
#4.重新啟動 apache
systemctl restart httpd





  SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt

2020年1月6日 星期一

如何使用金鑰驗證的方式登入SSH

情境
client -> ssh登入 -> server

首先要再client端上建立ssh金鑰(私鑰+公鑰 一對)
然後再把建立好的ssh公開金鑰丟到server端



#---------------------------------------------------------------------------------------------------------
在client建立金鑰之前,先確認home目錄底下有沒有 .ssh 這個隱藏目錄,並權限通常是0600
並且確認~/.ssh底下有沒有id_rsa跟id_rsa.pub檔案

如果沒有可以用以下指令建立.ssh資料夾
mkdir -p ~/.ssh
chmod 700 ~/.ssh

如果有的話,表示先前已經建立過金鑰了,可以省略ssh-keygen這個步驟,直接把id_rsa.pub上傳到要登入的server上

#---------------------------------------------------------------------------------------------------------
使用 ssh-keygen 指令產生金鑰:
ssh-keygen

ssh-keygen過程中,會詢問一些問題,對於一般的使用者而言,全部都使用預設值(直接按下 Enter 鍵)即可。

首先指定金鑰儲存的位置,使用預設值,直接按下 Enter 鍵。
Generating public/private rsa key pair.
Enter file in which to save the key (/home/seal/.ssh/id_rsa):

指定金鑰保護密碼,如果有設定密碼的話,以後每次使用都要輸入密碼,直接按下 Enter 鍵即可。
Enter passphrase (empty for no passphrase):

再次輸入密碼,直接按下 Enter 鍵,接著就會產生一對金鑰了。
Enter same passphrase again:

完成之後再~/.ssh底下就會看到一對金鑰
id_rsa.pub:公開金鑰(public key),這是可以對外公開的金鑰,之後要將它放在遠端的 Linux 伺服器上作認證使用。
id_rsa:私密金鑰(private key),這是要保護好的金鑰,它等同於你的 Linux 密碼,放在自己的電腦中。

#---------------------------------------------------------------------------------------------------------
接著可以用以下三種方式將id_rsa.pub(公開金鑰public key),複製到遠端server主機上的~/.ssh/authorized_keys
同樣的也是要先確認遠端server上,home目錄底下是不是也有.ssh 這個隱藏目錄,並且底下要有authorized_keys這個檔案

建議使用第二種方式

第一種方式:
ssh USER@HOST 'mkdir -p ~/.ssh;cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub

第二種方式:
ssh-copy-id USER@HOST
使用 -i 參數,可以指定金鑰
ssh-copy-id -i ~/.ssh/id_rsa.pub USER@HOST

第三種方式:
把id_rsa.pub內容複製起來,然後登入到遠端server後,貼在~/.ssh/authorized_keys底下
[root@localhost .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrEw9Zxvie+Uevw8rGArAYNuPF4GwwiHZ1m66XAAzp+jS09ATU/mlTUg91zJc8cSX8JwfJcBLCiY+hSuN/8rxQejLgXB9DFVJatz1/mOQs5QWGfgLUq4ml3hxhiBJxyE7k6r9yjrvf1cd9HS64CnpzENdcoR18gnlJdr+5xTm5nQyxlh7zv6Iel1ckU5I5vi/JuTYawKwVCTygSbXmnM7RR9VMHcca/n1HMS63c5xleylDl1XhjUQXahB3Xnd9YORlbTjYHPi6Dl9ZUpbuMefCPyoTI9aRVcFykxPUjLHsVFdUGo9fYLiLMWvjubMw9fjwDHomWNP2WJ6av9sy/Vjp root@localhost.localdomain

#---------------------------------------------------------------------------------------------------------
之後使用 ssh 帳號@主機 登入就可以不用輸入密碼了







安裝librenms



參考文章
https://docs.librenms.org/Installation/Installation-CentOS-7-Nginx/

1.安裝需求套件
yum install -y epel-release yum-utils
yum localinstall -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php73
yum install -y cronie fping git ImageMagick jwhois mariadb mariadb-server mtr MySQL-python net-snmp net-snmp-utils nginx nmap php-fpm php-cli php-common php-curl php-gd php-mbstring php-process php-snmp php-xml php-zip php-memcached php-mysqlnd python-memcached rrdtool

2.新增librenms使用者,並且加入nginx群組
useradd librenms -d /opt/librenms -M -r
usermod -a -G librenms nginx

3.下載librenms
cd /opt
git clone https://github.com/librenms/librenms.git

4.設定權限
chown -R librenms:librenms /opt/librenms
chmod 770 /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
chgrp apache /var/lib/php/session/

5.安裝PHP相依套件
su - librenms
./scripts/composer_wrapper.php install --no-dev
exit

6.安裝資料庫&建立librenms相關資料
systemctl start mariadb
mysql -u root
CREATE DATABASE librenms CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
FLUSH PRIVILEGES;
exit

vi /etc/my.cnf
[mysqld]以下增加
innodb_file_per_table=1
lower_case_table_names=0


systemctl enable mariadb
systemctl restart mariadb

7.設定web server
vi /etc/php.ini
date.timezone = Asia/Taipei


vi /etc/php-fpm.d/www.conf
;user = apache
user = nginx
group = apache   ; keep group as apache
;listen = 127.0.0.1:9000
listen = /run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660


systemctl enable php-fpm
systemctl restart php-fpm


8.設定nginx
vi /etc/nginx/conf.d/librenms.conf
server {
 listen      80;
 server_name librenms.example.com;
 root        /opt/librenms/html;
 index       index.php;

 charset utf-8;
 gzip on;
 gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
 location / {
  try_files $uri $uri/ /index.php?$query_string;
 }
 location /api/v0 {
  try_files $uri $uri/ /api_v0.php?$query_string;
 }
 location ~ \.php {
  include fastcgi.conf;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
 }
 location ~ /\.ht {
  deny all;
 }
}

systemctl enable nginx
systemctl restart nginx


9.設定selinux
yum install -y policycoreutils-python
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/logs(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'
restorecon -RFvv /opt/librenms/logs/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/rrd(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
restorecon -RFvv /opt/librenms/rrd/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/storage(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/storage(/.*)?'
restorecon -RFvv /opt/librenms/storage/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/bootstrap/cache(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/bootstrap/cache(/.*)?'
restorecon -RFvv /opt/librenms/bootstrap/cache/
setsebool -P httpd_can_sendmail=1
setsebool -P httpd_execmem 1

10.設定fping
cd /tmp
vim http_fping.tt
內容如下
---------------------------------------------------------------------------------
module http_fping 1.0;

require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };
-------------------------------------------------------------------------------
checkmodule -M -m -o http_fping.mod http_fping.tt
semodule_package -o http_fping.pp -m http_fping.mod
semodule -i http_fping.pp


11.關閉防火牆
firewall-cmd --zone public --add-service http
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --zone public --add-service https
firewall-cmd --permanent --zone public --add-service https

12.設定snmpd
cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf
vi /etc/snmp/snmpd.conf
com2sec readonly  default         public

curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
chmod +x /usr/bin/distro
systemctl enable snmpd
systemctl restart snmpd


13.設定排成
cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms


14.設定logrotate
cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms

15.開始設定
http://librenms.example.com/install.php
chown librenms:librenms /opt/librenms/config.php


16.以下這個葉面可以驗證
10.2.9.225/validate/



2020年1月5日 星期日

freeradius配合google-authenticator進行驗證

#前置作業
#---------------------------------------------------------------------------------------------------------
#關閉防火牆
systemctl disable firewalld
systemctl stop firewalld

#關閉 SElinux
setenforce 0
getenforce
修改 SElinux config 設定開機不要啟動SElinux
vim /etc/selinux/config

2.安裝freeradius跟google-authenticator
yum -y install freeradius freeradius-utils
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y google-authenticator

3.修改radiusd.conf
vim /etc/raddb/radiusd.conf
修改
user = root
group = root

4.修改/etc/raddb/sites-enabled/default
vim /etc/raddb/sites-enabled/default
找到
# pam
取消註解如下
        pam

5.freeradius啟用pam模組
ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam

6.修改/etc/raddb/users,使用者預設使用PAM驗證
vim /etc/raddb/users
DEFAULT        Auth-Type := PAM

7.修改/etc/raddb/clients.conf,設定要驗證的來源主機
vim /etc/raddb/clients.conf
client myserver {
        ipaddr = 192.168.1.0/24
        secret = test123
        require_message_authenticator = no
}

8.修改PAM設定
vim /etc/pam.d/radiusd
將auth       include password-auth註解
#auth       include password-auth
並且在下面補上這一行
auth requisite pam_google_authenticator.so

9.重新啟動freeradius
systemctl enable radiusd
systemctl start radiusd


10.建立一個使用者來進行測試,並且幫使用者套上google驗證
useradd radtest
su - radtest
google-authenticator
預設回答都是y

補充:如果要整合linux本機帳密
#%PAM-1.0
#auth include password-auth
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_nologin.so
account include password-auth
#password include password-auth
session include password-auth

2020年1月4日 星期六

安裝PostgreSQL

參考
https://www.postgresql.org/download/linux/redhat/

1.安裝postgresql repo
yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm


2.安裝postgresql
yum install -y postgresql12 postgresql12-server


3.初始化postgresq
/usr/pgsql-12/bin/postgresql-12-setup initdb

4.啟動postgresq
systemctl enable postgresql-12
systemctl start postgresql-12

2020年1月1日 星期三

安裝jenkins



#---------------------------------------------------------------------------------------------------------
#前置作業
yum install -y wget
systemctl stop firewalld
systemctl disable firewalld

#---------------------------------------------------------------------------------------------------------
#安裝openjdk
yum install -y java-11-openjdk

#---------------------------------------------------------------------------------------------------------
#設定jenkins的yum repo
wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key


#---------------------------------------------------------------------------------------------------------
#安裝jenkins
yum install -y jenkins


#---------------------------------------------------------------------------------------------------------
#設定jenkins (以下步驟非必要,可以跳過)
4.jenkins預設是8080 port,可以利用以下設定檔去改變port
vi /etc/sysconfig/jenkins

加入以下設定可以預防發生Out of memory情況
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Xms1024m -Xmx1024m -XX:PermSize=128M -XX:PermSize=256M"

#---------------------------------------------------------------------------------------------------------
#啟動jenkins
systemctl start jenkins
systemctl enable jenkins

#---------------------------------------------------------------------------------------------------------
#最後打開網頁http://IP:8080/,一開始需要解鎖jenkins,密碼放在
cat /var/lib/jenkins/secrets/initialAdminPassword

#---------------------------------------------------------------------------------------------------------
補充:
記得要校時,否則jenkins的schedule job可能會異常。 

sudo apt-get update
sudo apt install openjdk-11-jdk -y

sudo wget -O /usr/share/keyrings/jenkins-keyring.asc https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null

sudo apt-get update
sudo apt-get install -y jenkins

systemctl start jenkins
systemctl enable jenkins

sudo timedatectl set-timezone Asia/Taipei
sudo timedatectl set-ntp yes
sudo systemctl enable systemd-timesyncd
sudo systemctl restart systemd-timesyncd
sudo systemctl status systemd-timesyncd
sudo timedatectl