June 4, 2021

1. Generate the data file
Note: the file iot_code.txt holds one valid IoT code, a string of 36 characters.

[root@localhost ~]# echo "0CN01000000200000000000000000000gzAY" > iot_code.txt
[root@localhost ~]# cat iot_code.txt 
0CN01000000200000000000000000000gzAY
[root@localhost ~]#

2. Generate the private key
Note: asymmetric cryptography uses a key pair: a private key and its matching public key. The private key is confidential; the public key can be shared openly with the parties you exchange data with.

[root@localhost ~]# openssl genrsa -out private.key
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
..................................................+++++
e is 65537 (0x010001)
[root@localhost ~]# cat private.key 
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
[root@localhost ~]#

3. Derive the public key from the private key
Note: the public key is computed from the private key by the key algorithm, so each private/public key pair is a unique combination.

[root@localhost ~]# openssl rsa -pubout -in private.key -out public.key
writing RSA key
[root@localhost ~]# cat public.key 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAltOrRKKvP8wKzq1BTlL2
aKjpgM4mRHNWYWSexQBT69wMretq9xGazVepAuPvZR2MtD3vX4kd3YkziXwJoHwj
2DzeGlIlWYhO2v4QnfGZ4sx+9l0686h7cQQJqzoNrIh8C9St95BMbu4ZlyFHoIHj
72wlgLqNgdQLeFuMw7vrt0ZM3aBs5gFc/7nOOSLD+AcU86fJEiJozxrV6hz8ylVD
s+54Sd2ri/K6FejasjatOK9andtUxV7h1PvnI2GwIcG8va3z3us74oyL/b6GCZmk
drdq44RXD9TVsd3POKFbb+aPAlkgNINKU8tQJ2QwQLnc/PTsQJLNSE51xZcKefpA
bwIDAQAB
-----END PUBLIC KEY-----
[root@localhost ~]#

4. Sign the file with the private key
Note: in an asymmetric algorithm the private key is used for signing and decryption, and the public key for encryption and signature verification. This example uses only signing and verification. Both the signing algorithm and the digest algorithm are selectable; for compliance reasons you might, for example, choose the Chinese national (SM) algorithms.

[root@localhost ~]# openssl dgst -md5 -out iot_code.txt.md5.sign \
> -sign private.key iot_code.txt 
[root@localhost ~]# ls
anaconda-ks.cfg iot_code.txt iot_code.txt.md5.sign private.key
[root@localhost ~]#

5. Inspect the binary signature file with hexdump (hexadecimal display)
Note: after signing, the signature file can be inspected with a suitable tool; its content is binary ciphertext that cannot be decoded without the public key.

[root@localhost ~]# hexdump iot_code.txt.md5.sign 
0000000 3a82 f857 97b8 bb23 5d43 9902 d398 f6ae
0000010 478e d1a0 4a03 ab62 07e2 794e c81c 71ac
0000020 0903 135e 8c7c b3e0 164b f0d2 5e21 0009
0000030 5623 e252 2b9b ce8c 6e33 2527 b34e cbf5
0000040 9257 b8b9 4c28 5981 7b46 e732 54d3 7fae
0000050 3949 f53c 69fc 8e24 fbb0 53a1 7df4 9278
0000060 fcce a728 01b6 d15c aa91 db52 0700 8b2f
0000070 dda9 14d0 f921 9747 c8c3 70b5 aa29 8045
0000080 4770 97b7 fd31 bb81 c865 0bda 8fd3 4ba8
0000090 e194 3e9c 7de5 9673 bcc9 1150 759f 0317
00000a0 2388 7898 fe8c 1133 4bdc 5337 96e1 0fc7
00000b0 b78f cd46 96e3 d1e4 9947 2a80 c9e9 ac14
00000c0 47df 0f0b c089 9897 dd03 926f 467f b2d3
00000d0 de24 f31c 3c91 d9a8 2e7a 7269 e1ad 2b1e
00000e0 3983 45b1 750b 939e 51b2 428d ef88 75df
00000f0 4e3b 33cb 1eda 11d4 b28d 44e7 82c6 6010
0000100
[root@localhost ~]#

6. Verify the signature with the signer's public key
Note: to confirm that the data and its signature are valid (that is, that the data file and the signature file form a legitimate pair), the public key is used to verify the signature against the data file.

[root@localhost ~]# openssl dgst -md5 -verify public.key \
> -signature iot_code.txt.md5.sign iot_code.txt
Verified OK
[root@localhost ~]#

7. Verify the signature with the signer's private key
Note: the signer can also verify signatures it issued itself; the difference from public-key verification is that the signer's own private key is used.

[root@localhost ~]# openssl dgst -md5 -prverify private.key \
> -signature iot_code.txt.md5.sign iot_code.txt
Verified OK
[root@localhost ~]#
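As an added example (not part of the original post), the procedure from steps 2 to 7 is collected below into one shell script. It differs from the post in two places: it uses SHA-256 as the digest, because MD5 is collision-broken and unsuitable for signatures, and it additionally verifies a tampered copy of the data file to show that the signature is bound to the exact bytes that were signed. The file names and the sample IoT code are taken from the post; the temporary working directory, the tampered copy and the `run_demo` function are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-7 as one script, with
# SHA-256 instead of MD5 and a check that a modified data file is rejected.
# All files live in a temporary directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Steps 2 and 3: 2048-bit RSA private key, then the public key derived from it.
openssl genrsa -out "$WORK/private.key" 2048 2>/dev/null
openssl rsa -pubout -in "$WORK/private.key" -out "$WORK/public.key" 2>/dev/null

# Step 1: the data file (same 36-character code as in the post).
printf '0CN01000000200000000000000000000gzAY\n' > "$WORK/iot_code.txt"

# sign_file DATA SIG: step 4, with SHA-256 as the digest.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/private.key" -out "$2" "$1"
}

# verify_file DATA SIG: step 6; prints "ok" or "fail" instead of aborting.
verify_file() {
    if openssl dgst -sha256 -verify "$WORK/public.key" -signature "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# signature_size SIG: step 5 without hexdump; an RSA-2048 signature is 256 bytes
# (the 0x100 bytes shown in the post's hexdump), whatever the digest used.
signature_size() {
    wc -c < "$1" | tr -d ' '
}

# run_demo: sign the file, verify it, then verify a copy that differs in one character.
run_demo() {
    sign_file "$WORK/iot_code.txt" "$WORK/iot_code.txt.sha256.sign"
    # constructed tampered copy: the last character changed from Y to Z
    printf '0CN01000000200000000000000000000gzAZ\n' > "$WORK/tampered.txt"
    printf 'size=%s original=%s tampered=%s\n' \
        "$(signature_size "$WORK/iot_code.txt.sha256.sign")" \
        "$(verify_file "$WORK/iot_code.txt" "$WORK/iot_code.txt.sha256.sign")" \
        "$(verify_file "$WORK/tampered.txt" "$WORK/iot_code.txt.sha256.sign")"
}

run_demo
```

The verify step exits non-zero on failure, which is what a deployment script should key on; wrapping it in a function that prints `ok`/`fail` keeps `set -e` from aborting the whole run on a single bad file.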

June 1, 2021
(10 inches * 128 dpi) * (6 inches * 128 dpi) = 1280 * 768
(8 inches * 128 dpi) * (6 inches * 128 dpi) = 1024 * 768
(10 inches * 128 dpi) * (8 inches * 128 dpi) = 1280 * 1024

What Is DPI and What Are the Requirements for Different Industries?

For businesses investing in printing and scanning resources, it’s important to understand the project requirements. Balancing cost and output, and ensuring the right resources are applied to the requirements, isn’t always easy.

Investing in the wrong technology or services can mean wasted money. Implementing the wrong solution can put your business at risk and leave employees struggling with an inadequate solution.

We’ll look at dots per inch, or DPI, and how businesses can use it to determine the scope and requirements of printing and scanning services. We’ll also look at DPI as a baseline measure for certain industries and requirements, so you can scale and budget your services.

What Is DPI and How Is It Used?

DPI, or dots per inch, is a measure of the resolution of a printed document or digital scan. The higher the dot density, the higher the resolution of the print or scan. Typically, DPI is the measure of the number of dots that can be placed in a line across one inch, or 2.54 centimeters.

The higher the DPI, the sharper the image. A higher resolution image provides the printer and printing device more information. You can get more detail and greater resolution from an image with higher DPI.

A lower DPI will produce an image with fewer dots in printing. No matter how powerful your printer is, a low-resolution image doesn’t provide enough raw data to produce high-quality images. The ink will spread on the page, making the edges look fuzzy.

Similarly, a monitor will measure the pixels per inch, or PPI, of a video display. Typically, a printer must offer a higher DPI to match the color quality and resolution of a video display PPI. This is due to the limited range of colors in a print job.

DPI Printing and Industry Standards

Let’s review a few standards and guidelines for using DPI in printing services. Keep in mind, you’ll need a better, and more capable, printer or print service to deliver higher-quality and high-resolution printing output.

1. Low-Resolution Images

Low-resolution images are considered 150dpi and less. For print, 150dpi is considered low-quality printing, even though 72dpi is considered the standard for the web (which is why it’s not easy printing quality images straight from the web). Low-resolution images will have blurring and pixelation after printing.

For business purposes, low-resolution images are suitable for scanning text documents and storing records digitally. Internal office communication can be reproduced with a low resolution, but anything used outside the office should be higher than 150dpi. After all, the printing quality needs to represent your business.

2. Medium-Resolution Images

Medium-resolution images have between 200dpi and 300dpi. The industry standard for quality photographs and images is typically 300dpi.

For businesses, producing an external document like a brochure, a booklet, or a flyer requires 300dpi. You might be able to get away with 250dpi if you are less concerned with the quality and resolution of the printing. Any marketing material or collateral produced should be, at a minimum, 300dpi. Booklets, pamphlets, reports, and sales sheets should all be printed at 250dpi-300dpi or more.

A good rule to follow is when in doubt, select a higher dpi for your material.

3. High-Resolution Images

Most businesses consider 600dpi and higher to be a high-resolution image or print. High-resolution images require more memory to store and can take longer to scan. Storing high-resolution images can quickly fill a hard drive or server. Many desktop printers can’t reproduce high-quality and high-resolution images. Professional print services are often the best solution for high-resolution images.

Keep in mind, there are diminishing returns for increasing the resolution of an image. Any print above 1,200dpi will deliver improvements that are practically unnoticeable to the naked eye. You won’t be able to see any difference between documents. Only professional photographers or artists with highly detailed work will need resolution that high.

Other Factors That Influence Print Quality

DPI isn’t the only factor that determines the resolution and print quality. Often, these other factors can have more impact on quality and resolution.

For example, sometimes users will change the resolution of an image in software like Photoshop. This will increase the DPI, but it won’t change or increase the quality of the image. The pixels in the image are larger, resulting in a pixelated, almost unprintable, image. This is known as upsampling.

The printer, and ink used in the printer, can also affect print output. Laser jet printers use a toner that doesn’t bleed into the paper, producing a crisper image. Inkjet printers will bleed, which can lower the appearance of dots per inch for a printed work.

What Is DPI and What It Means for You

Selecting the right DPI printing services and office technology is important. Dots per inch is one factor that can influence the efficiency and cost of print services. It’s important to identify your business requirements and scanning and printing needs before selecting print services.

What Is DPI and What Are the Requirements for Different Industries? – Donnellon McCarthy (dme.us.com)

May 30, 2021
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# @Time    : 2021/5/31 09:46
# @Author  : Harvey Mei <harvey.mei@msn.com>
# @FileName: pwdgen.py
# @IDE     : PyCharm
# @GitHub  : https://github.com/harveymei/

"""
Python Password Generator
Batch generator for passwords of a chosen length and complexity.
PyCharm: select a block and press Tab / Shift+Tab to change its indentation;
select code and press Command+/ to comment or uncomment it in bulk.
"""

import string
import secrets  # CSPRNG-backed choice; the random module must not be used for secrets
import sys
from datetime import datetime as dt


# https://docs.python.org/3/library/string.html
# https://docs.python.org/3/library/secrets.html

# Character sets for the different complexity levels
print("---------------\n"
      "Python Password Generator\n"
      "---------------\n"
      "1) digits\n"
      "2) digits + lowercase letters\n"
      "3) digits + lowercase + uppercase letters\n"
      "4) digits + lowercase + uppercase letters + symbols\n")

password_level = input("Choose a complexity level (4 recommended): ").strip()
# Map the level to its character set
if password_level == '1':
    level = string.digits
elif password_level == '2':
    level = string.digits + string.ascii_lowercase
elif password_level == '3':
    level = string.digits + string.ascii_lowercase + string.ascii_uppercase
elif password_level == '4':
    level = string.digits + string.ascii_lowercase + string.ascii_uppercase + string.punctuation
else:
    print("Error Input")
    sys.exit(1)

# Read the numbers as text first so an empty answer can fall back to the default;
# int('') would raise ValueError before the empty-string check is reached
length_raw = input("Enter the password length (12 recommended): ").strip()
length_input = int(length_raw) if length_raw else 12

number_raw = input("Enter how many passwords to generate: ").strip()
number_input = int(number_raw) if number_raw else 1

# Draw random characters from the chosen set until the password has the requested length
password_list = []
while number_input > 0:
    length = length_input  # separate counter, so the inner loop restarts for every password
    pwd = ''
    while length > 0:  # append one character per iteration
        pwd = pwd + secrets.choice(level)  # uniformly chosen character from the set
        length = length - 1  # stop once the requested length is reached
    password_list.append(pwd)
    number_input = number_input - 1  # stop once the requested count is reached

# Write the list to a timestamped file, one password per line
filename = dt.now().strftime("%Y%m%d%H%M%S") + ".txt"
with open(filename, 'wt') as f:
    for password in password_list:
        f.write(password + "\n")

print("\n----------\n"
      "Password generation complete!")

April 25, 2021

Bringing up the interface fails

[root@localhost ~]# wg-quick up wg0
[#] ip link add wg0 type wireguard
Error: Unknown device type.
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
[root@localhost ~]#

Loading the kernel module manually fails as well

[root@localhost ~]# modprobe wireguard
modprobe: ERROR: could not insert 'wireguard': Required key not available
[root@localhost ~]#

Disable the Secure Boot option for the ESXi guest VM

After a reboot the interface comes up normally
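The `Required key not available` error is the kernel refusing to load a module that is not signed with a key it trusts, which is exactly what Secure Boot enforces against an out-of-tree wireguard module. As an added example (not from the original post), the script below shows how to confirm that cause before changing the VM's boot settings: it reads the UEFI SecureBoot variable in efivarfs format (4 attribute bytes followed by the 1-byte value; on a real host the file is /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c, and `mokutil --sb-state` reports the same thing) and maps the modprobe message to a likely cause. The sample variable file written by `write_sample_efivar` and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: diagnose why an out-of-tree
# module such as wireguard fails to load.
#  1. classify the modprobe error text (the Secure Boot message is the post's;
#     the other patterns are the usual modprobe messages for those causes)
#  2. read the UEFI SecureBoot variable from an efivarfs-style file
#     (4 bytes of attributes, then the value byte: 1 = enabled, 0 = disabled)

# classify_modprobe_error MESSAGE: map a modprobe error line to a likely cause.
classify_modprobe_error() {
    case "$1" in
        *"Required key not available"*)
            echo "secure-boot: module is not signed with a key the kernel trusts" ;;
        *"not found in directory"*)
            echo "missing-module: wireguard is not installed for the running kernel" ;;
        *"Unknown symbol"*|*"Invalid module format"*)
            echo "kernel-mismatch: module was built for a different kernel" ;;
        *)
            echo "unknown" ;;
    esac
}

# secure_boot_state EFIVAR_FILE: print enabled / disabled / unknown.
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # skip the 4 attribute bytes and read the single value byte as a decimal
    val=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# write_sample_efivar FILE VALUE: constructed efivarfs-style content for the demo.
# Attributes 0x00000007 (NV|BS|RT, little-endian) followed by one value byte.
write_sample_efivar() {
    if [ "$2" -eq 1 ]; then
        printf '\007\000\000\000\001' > "$1"
    else
        printf '\007\000\000\000\000' > "$1"
    fi
}

# diagnose EFIVAR_FILE MODPROBE_MSG: one-line summary combining both checks.
diagnose() {
    echo "secure_boot=$(secure_boot_state "$1") cause=$(classify_modprobe_error "$2")"
}

# Demo on a constructed variable file and the post's modprobe message.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
write_sample_efivar "$SAMPLE" 1
diagnose "$SAMPLE" "modprobe: ERROR: could not insert 'wireguard': Required key not available"
# On a real host:
# diagnose /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c "$(modprobe wireguard 2>&1)"
```

When `secure_boot=enabled` and the cause is `secure-boot`, the options are the one the post takes (turn Secure Boot off for the guest), or keeping it on and either using a distribution kernel that ships the module or enrolling a MOK key and signing the module with it.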

April 21, 2021

Package information for the command-line QR code tool qrencode

[root@centos-s-1vcpu-1gb-nyc3-01 ~]# dnf info qrencode
Last metadata expiration check: 0:00:11 ago on Wed 21 Apr 2021 01:24:40 AM UTC.
Installed Packages
Name         : qrencode
Version      : 3.4.4
Release      : 5.el8
Architecture : x86_64
Size         : 35 k
Source       : qrencode-3.4.4-5.el8.src.rpm
Repository   : @System
From repo    : appstream
Summary      : Generate QR 2D barcodes
URL          : http://fukuchi.org/works/qrencode/
License      : LGPLv2+
Description  : Qrencode is a utility software using libqrencode to encode string data in
             : a QR Code and save as a PNG image.

[root@centos-s-1vcpu-1gb-nyc3-01 ~]#

Prepare the content file

[root@centos-s-1vcpu-1gb-nyc3-01 ~]# echo "https://www.baidu.com/" > url.txt
[root@centos-s-1vcpu-1gb-nyc3-01 ~]# cat url.txt 
https://www.baidu.com/
[root@centos-s-1vcpu-1gb-nyc3-01 ~]#

Generate the QR code as text

April 12, 2021

Package information

[root@tinc ~]# dnf info tinc
Last metadata expiration check: 0:01:55 ago on Mon 12 Apr 2021 01:44:09 AM UTC.
Installed Packages
Name         : tinc
Version      : 1.0.36
Release      : 2.el8
Architecture : x86_64
Size         : 629 k
Source       : tinc-1.0.36-2.el8.src.rpm
Repository   : @System
From repo    : epel
Summary      : A virtual private network daemon
URL          : http://www.tinc-vpn.org/
License      : GPLv2+
Description  : tinc is a Virtual Private Network (VPN) daemon that uses tunnelling
             : and encryption to create a secure private network between hosts on
             : the Internet. Because the tunnel appears to the IP level network
             : code as a normal network device, there is no need to adapt any
             : existing software. This tunnelling allows VPN sites to share
             : information with each other over the Internet without exposing any
             : information to others.

[root@tinc ~]#

Installed files

[root@tinc ~]# rpm -lq tinc
/usr/lib/.build-id
/usr/lib/.build-id/ec
/usr/lib/.build-id/ec/f0a564e8d20e169bed52480a235992928751ed
/usr/lib/systemd/system/tinc.service
/usr/lib/systemd/system/tinc@.service
/usr/sbin/tincd
/usr/share/doc/tinc
/usr/share/doc/tinc/AUTHORS
/usr/share/doc/tinc/COPYING.README
/usr/share/doc/tinc/NEWS
/usr/share/doc/tinc/README
/usr/share/doc/tinc/THANKS
/usr/share/doc/tinc/sample-config
/usr/share/doc/tinc/sample-config/hosts
/usr/share/doc/tinc/sample-config/hosts/alpha
/usr/share/doc/tinc/sample-config/hosts/beta
/usr/share/doc/tinc/sample-config/rsa_key.priv
/usr/share/doc/tinc/sample-config/tinc-down
/usr/share/doc/tinc/sample-config/tinc-up
/usr/share/doc/tinc/sample-config/tinc.conf
/usr/share/doc/tinc/texinfo.tex
/usr/share/info/tinc.info.gz
/usr/share/licenses/tinc
/usr/share/licenses/tinc/COPYING
/usr/share/man/man5/tinc.conf.5.gz
/usr/share/man/man8/tincd.8.gz
[root@tinc ~]#

Sample service configuration file

https://www.tinc-vpn.org/documentation/Main-configuration-variables.html#Main-configuration-variables
[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc.conf
# Sample tinc configuration file

# This is a comment.
# Spaces and tabs are eliminated.
# The = sign isn't strictly necessary any longer, though you may want
# to leave it in as it improves readability :)
# Variable names are treated case insensitive.

# The name of this tinc host. Required.
Name = alpha

# The internet host to connect with.
# Comment these out to make yourself a listen-only connection
# You must use the name of another tinc host.
# May be used multiple times for redundance.
ConnectTo = beta

# The tap device tinc will use.
# /dev/tap0 for ethertap, FreeBSD or OpenBSD
# /dev/tun0 for Solaris
# /dev/net/tun for Linux tun/tap
Device = /dev/net/tun
[root@tinc ~]#

Sample host configuration files

https://www.tinc-vpn.org/documentation/Host-configuration-variables.html#Host-configuration-variables
[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/hosts/alpha
# Sample host configuration file

# The real IP address of this tinc host. Can be used by other tinc hosts.
Address = 123.234.35.67

# Portnumber for incoming connections. Default is 655.
Port = 655

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.1.0/24

# The public key generated by `tincd -n example -K' is stored here
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
[root@tinc ~]#
[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/hosts/beta
# Sample host configuration file
# This file was generated by host beta.

# The real IP address of this tinc host. Can be used by other tinc hosts.
Address = 123.45.67.189

# Portnumber for incoming connections. Default is 655.
Port = 6500

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.2.0/24

# The public key generated by `tincd -n example -K' is stored here
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
[root@tinc ~]#

Sample up and down scripts (the ifconfig command requires the net-tools package)

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc-up
#!/bin/sh
# This file sets up the tap device.
# It gives you the freedom to do anything you want with it.
# Use the correct name for the tap device:
# The environment variable $INTERFACE is set to the right name
# on most platforms, but if it doesn't work try to set it manually.

# Give it the right ip and netmask. Remember, the subnet of the
# tap device must be larger than that of the individual Subnets
# as defined in the host configuration file!
ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
[root@tinc ~]#
[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc-down
#!/bin/sh
# This file closes down the tap device.

ifconfig $INTERFACE down
[root@tinc ~]#

Equivalent scripts using the ip command

#!/bin/sh
# tinc-up: bring the interface up and assign the VPN address and route
ip link set "$INTERFACE" up
ip addr add 10.0.0.1/32 dev "$INTERFACE"
ip route add 10.0.0.0/24 dev "$INTERFACE"

#!/bin/sh
# tinc-down: remove the route and address, then bring the interface down
ip route del 10.0.0.0/24 dev "$INTERFACE"
ip addr del 10.0.0.1/32 dev "$INTERFACE"
ip link set "$INTERFACE" down

April 6, 2021

Harbor version

v2.2.1-b0d63082

Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with the features an enterprise needs, such as security, identity and management. As a private enterprise registry, Harbor offers better performance and security, and makes it more efficient for users to move images between the registry and their build and runtime environments.

#!/bin/bash
#

# https://goharbor.io/docs/2.0.0

# Disable SELinux & firewalld
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config;
setenforce 0;
systemctl disable firewalld;
systemctl stop firewalld;

# Install Docker CE
# https://docs.docker.com/engine/install/centos/
# dnf list docker-ce --showduplicates | sort -r
dnf makecache;
yum install -y yum-utils device-mapper-persistent-data lvm2 iptables;

yum-config-manager \
    --add-repo https://download.docker.com/linux/centos/docker-ce.repo;
dnf makecache;
yum -y install docker-ce-19.03.15 docker-ce-cli-19.03.15 containerd.io;

systemctl enable docker;
systemctl start docker;

# Install Compose on Linux systems
# https://docs.docker.com/compose/install/
curl -L "https://github.com/docker/compose/releases/download/1.28.6/docker-compose-$(uname -s)-$(uname -m)" \
    -o /usr/local/bin/docker-compose;
chmod +x /usr/local/bin/docker-compose;

# Configure HTTPS Access to Harbor
# https://goharbor.io/docs/2.0.0/install-config/configure-https/
openssl genrsa -out ca.key 4096;
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.3.206" \
 -key ca.key \
 -out ca.crt;

openssl genrsa -out 192.168.3.206.key 4096;
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.3.206" \
    -key 192.168.3.206.key \
    -out 192.168.3.206.csr;

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# the registry is addressed by IP, so the address must be an IP SAN (IP.n), not a DNS SAN;
# clients validating a numeric address only consult IP entries
IP.1=192.168.3.206
DNS.1=yourdomain
DNS.2=hostname
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in 192.168.3.206.csr \
    -out 192.168.3.206.crt;

openssl x509 -inform PEM -in 192.168.3.206.crt -out 192.168.3.206.cert;

mkdir -p /data/cert/;
cp 192.168.3.206.crt /data/cert/;
cp 192.168.3.206.key /data/cert/;

mkdir -p /etc/docker/certs.d/192.168.3.206/;
cp 192.168.3.206.cert /etc/docker/certs.d/192.168.3.206/;
cp 192.168.3.206.key /etc/docker/certs.d/192.168.3.206/;
cp ca.crt /etc/docker/certs.d/192.168.3.206/;
systemctl restart docker;


# Download and Unpack the Installer
# https://github.com/goharbor/harbor/releases
dnf makecache;
dnf -y install wget;
wget https://github.com/goharbor/harbor/releases/download/v2.2.1/harbor-offline-installer-v2.2.1.tgz;

tar xzf harbor-offline-installer-v2.2.1.tgz;
cd harbor;
cp harbor.yml.tmpl harbor.yml;
# Patch the template: hostname, certificate paths and admin password.
# '|' is used as the sed delimiter so the file paths need no escaping.
sed -i 's|^hostname: reg.mydomain.com|hostname: 192.168.3.206|' harbor.yml;
sed -i 's|^  certificate: /your/certificate/path|  certificate: /data/cert/192.168.3.206.crt|' harbor.yml;
sed -i 's|^  private_key: /your/private/key/path|  private_key: /data/cert/192.168.3.206.key|' harbor.yml;
sed -i 's|^harbor_admin_password: Harbor12345|harbor_admin_password: Harbor12365|' harbor.yml;

# Run the prepare script to enable HTTPS
./prepare;
# Run the Installer Script
./install.sh;
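An added example, not part of the original post or of the Harbor documentation, covering the certificate part of the install script above. It builds the CA and the server certificate in the same way, but puts the registry address into the SAN as `IP.1` rather than `DNS.1`: Docker's Go TLS client matches a numeric address only against IP SANs, so a DNS entry whose text happens to be `192.168.3.206` does not satisfy it. It then runs the two checks a client effectively performs (the SAN lists the IP, and the chain verifies against ca.crt) before anything is copied into /data/cert or /etc/docker/certs.d. The address is the post's; the key size is reduced to 2048 bits for speed, all work happens in a temporary directory, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the post's or Harbor's code): CA + server certificate with
# an IP SAN for the registry address, followed by the checks a Docker client
# will effectively perform against it.
set -eu

REG_IP=192.168.3.206          # registry address from the post
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_certs: self-signed CA, then a server certificate whose SAN carries the IP as IP.1.
make_certs() {
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=demo-ca" \
        -key ca.key -out ca.crt
    openssl genrsa -out "$REG_IP.key" 2048 2>/dev/null
    openssl req -sha512 -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$REG_IP" \
        -key "$REG_IP.key" -out "$REG_IP.csr"
    # v3 extensions: IP.1 for a numeric registry address (DNS.n would not match)
    cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1=$REG_IP
EOF
    openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in "$REG_IP.csr" -out "$REG_IP.crt" 2>/dev/null
}

# san_has_ip CERT IP: "yes" if the certificate's SAN lists IP as an IP Address entry.
san_has_ip() {
    if openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; then
        echo yes
    else
        echo no
    fi
}

# chain_ok CERT CA: "yes" if CERT verifies against CA, as the Docker client will check
# once ca.crt is placed in /etc/docker/certs.d/<registry>/.
chain_ok() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# check_registry_cert: build the files and report both checks; a client connecting
# to https://$REG_IP needs both answers to be "yes".
check_registry_cert() {
    make_certs
    printf 'san_ip=%s chain=%s\n' \
        "$(san_has_ip "$REG_IP.crt" "$REG_IP")" \
        "$(chain_ok "$REG_IP.crt" ca.crt)"
}

check_registry_cert
```

Run the same `san_has_ip` and `chain_ok` checks against the files produced by the real script before restarting Docker; a certificate that fails either check shows up later only as an `x509` error from `docker login`.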

April 2, 2021
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: reg.mydomain.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /your/certificate/path
  private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 1000

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.2.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metrics

April 2, 2021

1 Control Plane + etcd
3 Worker

Create the configuration file

[root@localhost ~]# rke config --name cluster.yml
[+] Cluster Level SSH Private Key Path [~/.ssh/id_rsa]: 
[+] Number of Hosts [1]: 4
[+] SSH Address of host (1) [none]: 192.168.3.201
[+] SSH Port of host (1) [22]: 
[+] SSH Private Key Path of host (192.168.3.201) [none]: ~/.ssh/id_rsa
[+] SSH User of host (192.168.3.201) [ubuntu]: deployer
[+] Is host (192.168.3.201) a Control Plane host (y/n)? [y]: y
[+] Is host (192.168.3.201) a Worker host (y/n)? [n]: n
[+] Is host (192.168.3.201) an etcd host (y/n)? [n]: y
[+] Override Hostname of host (192.168.3.201) [none]: k8s-cluster01-01
[+] Internal IP of host (192.168.3.201) [none]: 
[+] Docker socket path on host (192.168.3.201) [/var/run/docker.sock]: 
[+] SSH Address of host (2) [none]: 192.168.3.202
[+] SSH Port of host (2) [22]: 
[+] SSH Private Key Path of host (192.168.3.202) [none]: ~/.ssh/id_rsa
[+] SSH User of host (192.168.3.202) [ubuntu]: deployer
[+] Is host (192.168.3.202) a Control Plane host (y/n)? [y]: n
[+] Is host (192.168.3.202) a Worker host (y/n)? [n]: y
[+] Is host (192.168.3.202) an etcd host (y/n)? [n]: n
[+] Override Hostname of host (192.168.3.202) [none]: k8s-cluster01-02
[+] Internal IP of host (192.168.3.202) [none]: 
[+] Docker socket path on host (192.168.3.202) [/var/run/docker.sock]: 
[+] SSH Address of host (3) [none]: 192.168.3.203
[+] SSH Port of host (3) [22]: 
[+] SSH Private Key Path of host (192.168.3.203) [none]: ~/.ssh/id_rsa
[+] SSH User of host (192.168.3.203) [ubuntu]: deployer
[+] Is host (192.168.3.203) a Control Plane host (y/n)? [y]: n
[+] Is host (192.168.3.203) a Worker host (y/n)? [n]: y
[+] Is host (192.168.3.203) an etcd host (y/n)? [n]: n
[+] Override Hostname of host (192.168.3.203) [none]: k8s-cluster01-03
[+] Internal IP of host (192.168.3.203) [none]: 
[+] Docker socket path on host (192.168.3.203) [/var/run/docker.sock]: 
[+] SSH Address of host (4) [none]: 192.168.3.204
[+] SSH Port of host (4) [22]: 
[+] SSH Private Key Path of host (192.168.3.204) [none]: ~/.ssh/id_rsa
[+] SSH User of host (192.168.3.204) [ubuntu]: deployer
[+] Is host (192.168.3.204) a Control Plane host (y/n)? [y]: n
[+] Is host (192.168.3.204) a Worker host (y/n)? [n]: y
[+] Is host (192.168.3.204) an etcd host (y/n)? [n]: n
[+] Override Hostname of host (192.168.3.204) [none]: k8s-cluster01-04
[+] Internal IP of host (192.168.3.204) [none]: 
[+] Docker socket path on host (192.168.3.204) [/var/run/docker.sock]: 
[+] Network Plugin Type (flannel, calico, weave, canal, aci) [canal]: flannel
[+] Authentication Strategy [x509]: 
[+] Authorization Mode (rbac, none) [rbac]: 
[+] Kubernetes Docker image [rancher/hyperkube:v1.20.5-rancher1]: rancher/hyperkube:v1.19.9-rancher1
[+] Cluster domain [cluster.local]: 
[+] Service Cluster IP Range [10.43.0.0/16]: 
[+] Enable PodSecurityPolicy [n]: 
[+] Cluster Network CIDR [10.42.0.0/16]: 
[+] Cluster DNS Service IP [10.43.0.10]: 
[+] Add addon manifest URLs or YAML files [no]: 
[root@localhost ~]#

Available Rancher Kubernetes Docker image versions

https://github.com/rancher/rke/releases

New Images in v1.20.5-rancher1-1, v1.19.9-rancher1-1 and v1.18.16-rancher1-1
Updated Hyperkube Image based on k8s versions

rancher/hyperkube:v1.20.5-rancher1
rancher/hyperkube:v1.19.9-rancher1
rancher/hyperkube:v1.18.17-rancher1

Configuration file

[root@localhost ~]# cat cluster.yml
# If you intened to deploy Kubernetes in an air-gapped environment,
# please consult the documentation on how to configure custom RKE images.
nodes:
- address: 192.168.3.201
  port: "22"
  internal_address: ""
  role:
  - controlplane
  - etcd
  hostname_override: k8s-cluster01-01
  user: deployer
  docker_socket: /var/run/docker.sock
  ssh_key: ""
  ssh_key_path: ~/.ssh/id_rsa
  ssh_cert: ""
  ssh_cert_path: ""
  labels: {}
  taints: []
- address: 192.168.3.202
  port: "22"
  internal_address: ""
  role:
  - worker
  hostname_override: k8s-cluster01-02
  user: deployer
  docker_socket: /var/run/docker.sock
  ssh_key: ""
  ssh_key_path: ~/.ssh/id_rsa
  ssh_cert: ""
  ssh_cert_path: ""
  labels: {}
  taints: []
- address: 192.168.3.203
  port: "22"
  internal_address: ""
  role:
  - worker
  hostname_override: k8s-cluster01-03
  user: deployer
  docker_socket: /var/run/docker.sock
  ssh_key: ""
  ssh_key_path: ~/.ssh/id_rsa
  ssh_cert: ""
  ssh_cert_path: ""
  labels: {}
  taints: []
- address: 192.168.3.204
  port: "22"
  internal_address: ""
  role:
  - worker
  hostname_override: k8s-cluster01-04
  user: deployer
  docker_socket: /var/run/docker.sock
  ssh_key: ""
  ssh_key_path: ~/.ssh/id_rsa
  ssh_cert: ""
  ssh_cert_path: ""
  labels: {}
  taints: []
services:
  etcd:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    win_extra_args: {}
    win_extra_binds: []
    win_extra_env: []
    external_urls: []
    ca_cert: ""
    cert: ""
    key: ""
    path: ""
    uid: 0
    gid: 0
    snapshot: null
    retention: ""
    creation: ""
    backup_config: null
  kube-api:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    win_extra_args: {}
    win_extra_binds: []
    win_extra_env: []
    service_cluster_ip_range: 10.43.0.0/16
    service_node_port_range: ""
    pod_security_policy: false
    always_pull_images: false
    secrets_encryption_config: null
    audit_log: null
    admission_configuration: null
    event_rate_limit: null
  kube-controller:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    win_extra_args: {}
    win_extra_binds: []
    win_extra_env: []
    cluster_cidr: 10.42.0.0/16
    service_cluster_ip_range: 10.43.0.0/16
  scheduler:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    win_extra_args: {}
    win_extra_binds: []
    win_extra_env: []
  kubelet:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    win_extra_args: {}
    win_extra_binds: []
    win_extra_env: []
    cluster_domain: cluster.local
    infra_container_image: ""
    cluster_dns_server: 10.43.0.10
    fail_swap_on: false
    generate_serving_certificate: false
  kubeproxy:
    image: ""
    extra_args: {}
    extra_binds: []
    extra_env: []
    win_extra_args: {}
    win_extra_binds: []
    win_extra_env: []
network:
  plugin: flannel
  options: {}
  mtu: 0
  node_selector: {}
  update_strategy: null
  tolerations: []
authentication:
  strategy: x509
  sans: []
  webhook: null
addons: ""
addons_include: []
system_images:
  etcd: rancher/coreos-etcd:v3.4.14-rancher1
  alpine: rancher/rke-tools:v0.1.72
  nginx_proxy: rancher/rke-tools:v0.1.72
  cert_downloader: rancher/rke-tools:v0.1.72
  kubernetes_services_sidecar: rancher/rke-tools:v0.1.72
  kubedns: rancher/k8s-dns-kube-dns:1.15.10
  dnsmasq: rancher/k8s-dns-dnsmasq-nanny:1.15.10
  kubedns_sidecar: rancher/k8s-dns-sidecar:1.15.10
  kubedns_autoscaler: rancher/cluster-proportional-autoscaler:1.8.1
  coredns: rancher/coredns-coredns:1.8.0
  coredns_autoscaler: rancher/cluster-proportional-autoscaler:1.8.1
  nodelocal: rancher/k8s-dns-node-cache:1.15.13
  kubernetes: rancher/hyperkube:v1.19.9-rancher1
  flannel: rancher/coreos-flannel:v0.13.0-rancher1
  flannel_cni: rancher/flannel-cni:v0.3.0-rancher6
  calico_node: rancher/calico-node:v3.17.2
  calico_cni: rancher/calico-cni:v3.17.2
  calico_controllers: rancher/calico-kube-controllers:v3.17.2
  calico_ctl: rancher/calico-ctl:v3.17.2
  calico_flexvol: rancher/calico-pod2daemon-flexvol:v3.17.2
  canal_node: rancher/calico-node:v3.17.2
  canal_cni: rancher/calico-cni:v3.17.2
  canal_controllers: rancher/calico-kube-controllers:v3.17.2
  canal_flannel: rancher/coreos-flannel:v0.13.0-rancher1
  canal_flexvol: rancher/calico-pod2daemon-flexvol:v3.17.2
  weave_node: weaveworks/weave-kube:2.8.1
  weave_cni: weaveworks/weave-npc:2.8.1
  pod_infra_container: rancher/pause:3.2
  ingress: rancher/nginx-ingress-controller:nginx-0.43.0-rancher1
  ingress_backend: rancher/nginx-ingress-controller-defaultbackend:1.5-rancher1
  metrics_server: rancher/metrics-server:v0.4.1
  windows_pod_infra_container: rancher/kubelet-pause:v0.1.6
  aci_cni_deploy_container: noiro/cnideploy:5.1.1.0.1ae238a
  aci_host_container: noiro/aci-containers-host:5.1.1.0.1ae238a
  aci_opflex_container: noiro/opflex:5.1.1.0.1ae238a
  aci_mcast_container: noiro/opflex:5.1.1.0.1ae238a
  aci_ovs_container: noiro/openvswitch:5.1.1.0.1ae238a
  aci_controller_container: noiro/aci-containers-controller:5.1.1.0.1ae238a
  aci_gbp_server_container: noiro/gbp-server:5.1.1.0.1ae238a
  aci_opflex_server_container: noiro/opflex-server:5.1.1.0.1ae238a
ssh_key_path: ~/.ssh/id_rsa
ssh_cert_path: ""
ssh_agent_auth: false
authorization:
  mode: rbac
  options: {}
ignore_docker_version: null
kubernetes_version: ""
private_registries: []
ingress:
  provider: ""
  options: {}
  node_selector: {}
  extra_args: {}
  dns_policy: ""
  extra_envs: []
  extra_volumes: []
  extra_volume_mounts: []
  update_strategy: null
  http_port: 0
  https_port: 0
  network_mode: ""
  tolerations: []
  default_backend: null
  default_http_backend_priority_class_name: ""
  nginx_ingress_controller_priority_class_name: ""
cluster_name: ""
cloud_provider:
  name: ""
prefix_path: ""
win_prefix_path: ""
addon_job_timeout: 0
bastion_host:
  address: ""
  port: ""
  user: ""
  ssh_key: ""
  ssh_key_path: ""
  ssh_cert: ""
  ssh_cert_path: ""
monitoring:
  provider: ""
  options: {}
  node_selector: {}
  update_strategy: null
  replicas: null
  tolerations: []
  metrics_server_priority_class_name: ""
restore:
  restore: false
  snapshot_name: ""
rotate_encryption_key: false
dns: null
[root@localhost ~]#
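The generated cluster.yml above carries several API server settings at their insecure defaults (pod_security_policy: false, always_pull_images: false, secrets_encryption_config, audit_log and event_rate_limit: null), and the interactive prompt also accepts "none" as the authorization mode. The script below is an added example, not part of the original post and not RKE's own tooling: it audits a cluster.yml for exactly those keys and shows the hardened form beside the generated one. The two sample files are constructed inline (trimmed copies of the kube-api and authorization blocks); the key names and the enabled: true sub-map form are the ones RKE's hardening guide uses, and only sh, grep and awk are needed.

```shell
#!/bin/sh
# Added example, not from the original post and not RKE's own tooling: audit the
# cluster.yml written by `rke config` for kube-apiserver hardening settings that
# were left at their insecure defaults. Key names are the ones that appear under
# services.kube-api and authorization in the generated file.

# For keys whose hardened form is a sub-map with "enabled: true", report the
# state as one of: enabled, disabled, null, missing.  Usage: subconfig_state FILE KEY
subconfig_state() {
    awk -v k="$2" '
        BEGIN { key = k ":" }
        found && $1 == "enabled:" { state = ($2 == "true") ? "enabled" : "disabled"; exit }
        found && NF > 0           { state = "disabled"; exit }  # next line is not enabled:
        $1 == key                 { if ($2 == "null") { state = "null"; exit }; found = 1 }
        END { if (state == "") state = found ? "disabled" : "missing"; print state }
    ' "$1"
}

# Print one FINDING line per insecure default. Returns 1 when anything was
# found so the call can gate a pipeline before `rke up`.
audit_rke_config() {
    file="$1"
    findings=0

    # Boolean flags that the RKE CIS hardening guide sets to true.
    for key in pod_security_policy always_pull_images; do
        if grep -Eq "^[[:space:]]+${key}:[[:space:]]*false[[:space:]]*$" "$file"; then
            echo "FINDING: services.kube-api.${key} is false"
            findings=$((findings + 1))
        fi
    done

    # Sub-configs that must be present with enabled: true.
    for key in secrets_encryption_config audit_log event_rate_limit; do
        state=$(subconfig_state "$file" "$key")
        if [ "$state" != "enabled" ]; then
            echo "FINDING: services.kube-api.${key} is ${state}"
            findings=$((findings + 1))
        fi
    done

    # The interactive prompt also accepts "none" for the authorization mode.
    if grep -Eq '^[[:space:]]+mode:[[:space:]]*none[[:space:]]*$' "$file"; then
        echo "FINDING: authorization.mode is none (no RBAC)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Number of findings as a plain string; never fails, handy for assertions.
count_findings() {
    audit_rke_config "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample: trimmed copy of the blocks exactly as `rke config` emitted them.
write_default_sample() {
    cat <<'EOF'
services:
  kube-api:
    pod_security_policy: false
    always_pull_images: false
    secrets_encryption_config: null
    audit_log: null
    event_rate_limit: null
authorization:
  mode: rbac
EOF
}

# Constructed sample: the same blocks with the hardening settings switched on.
# pod_security_policy: true also needs PodSecurityPolicy objects in the cluster
# (the hardening guide adds them via addons), otherwise no pod is admitted.
write_hardened_sample() {
    cat <<'EOF'
services:
  kube-api:
    pod_security_policy: true
    always_pull_images: true
    secrets_encryption_config:
      enabled: true
    audit_log:
      enabled: true
    event_rate_limit:
      enabled: true
authorization:
  mode: rbac
EOF
}

DEFAULT_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$DEFAULT_CFG" "$HARDENED_CFG"' EXIT
write_default_sample > "$DEFAULT_CFG"
write_hardened_sample > "$HARDENED_CFG"

echo "== as generated by rke config =="
audit_rke_config "$DEFAULT_CFG" || echo "-> edit cluster.yml before rke up"
echo "== hardened =="
audit_rke_config "$HARDENED_CFG" && echo "-> no findings"
```

Run it against the real file with audit_rke_config cluster.yml; the non-zero exit status makes it usable as a gate in the pipeline that calls rke up. Because the check is a line-oriented grep/awk pass rather than a YAML parser, it relies on the two-space indentation that rke config produces; a hand-edited file with different nesting should be checked with a real YAML parser instead.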

Download and install the latest or a specific version (binary Kubernetes components, here kubectl)

https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md

Check the kubectl version and the node information. kube_config_cluster.yml is the kube-admin kubeconfig that rke up wrote next to cluster.yml; it embeds a client certificate and key with full cluster rights, so treat it as a secret.

[root@localhost ~]# kubectl version --client
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.9", GitCommit:"9dd794e454ac32d97cde41ae10be801ae98f75df", GitTreeState:"clean", BuildDate:"2021-03-18T01:09:28Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
[root@localhost ~]# kubectl --kubeconfig kube_config_cluster.yml get nodes -o wide
NAME               STATUS   ROLES               AGE   VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE         KERNEL-VERSION          CONTAINER-RUNTIME
k8s-cluster01-01   Ready    controlplane,etcd   33m   v1.19.9   192.168.3.201   <none>        CentOS Linux 8   4.18.0-240.el8.x86_64   docker://19.3.15
k8s-cluster01-02   Ready    worker              33m   v1.19.9   192.168.3.202   <none>        CentOS Linux 8   4.18.0-240.el8.x86_64   docker://19.3.15
k8s-cluster01-03   Ready    worker              32m   v1.19.9   192.168.3.203   <none>        CentOS Linux 8   4.18.0-240.el8.x86_64   docker://19.3.15
k8s-cluster01-04   Ready    worker              33m   v1.19.9   192.168.3.204   <none>        CentOS Linux 8   4.18.0-240.el8.x86_64   docker://19.3.15
[root@localhost ~]#
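The kubectl call above uses kube_config_cluster.yml, which rke up writes to the working directory together with cluster.rkestate. The first embeds the kube-admin client certificate and key, the second the cluster CA and every service private key, so either file is full control of the cluster. The script below is an added example, not part of the original post and not part of RKE: it checks that both files exist and are readable by their owner only, and tightens them if not. The demo directory and its placeholder files are constructed inline (no real key material); the file names are the ones RKE actually produces, and the mode is read from ls -ld so it works with both GNU and BSD userland.

```shell
#!/bin/sh
# Added example, not from the original post and not part of RKE: verify that the
# credential files `rke up` leaves next to cluster.yml are private to their owner.
# ~/.ssh/id_rsa (ssh_key_path in cluster.yml) deserves the same check.

# Files RKE writes beside cluster.yml that must stay private.
RKE_SECRET_FILES="cluster.rkestate kube_config_cluster.yml"

# Group/other permission bits of a path as the 6-character ls field, e.g. "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# 0 when the file exists and neither group nor others have any access bit.
is_owner_only() {
    [ -e "$1" ] || return 1
    [ "$(group_other_bits "$1")" = "------" ]
}

# Report every secret file in DIR that is missing or readable beyond its owner.
# Prints the number of problems; exit status is 0 only when there are none.
audit_rke_artifacts() {
    dir="$1"
    problems=0
    for name in $RKE_SECRET_FILES; do
        path="$dir/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING: $path (expected after rke up)" >&2
            problems=$((problems + 1))
        elif ! is_owner_only "$path"; then
            echo "EXPOSED: $path has group/other bits $(group_other_bits "$path")" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
    [ "$problems" -eq 0 ]
}

# Remediation: owner-only on the files and on the directory, so that a later
# copy made with a loose umask cannot even be listed by other local users.
lock_down_rke_artifacts() {
    dir="$1"
    chmod 700 "$dir"
    for name in $RKE_SECRET_FILES; do
        [ -e "$dir/$name" ] && chmod 600 "$dir/$name"
    done
    return 0
}

# Constructed demo: a scratch directory mimicking what an rke run left behind,
# deliberately created world-readable. The contents are placeholders, not keys.
make_demo_dir() {
    d=$(mktemp -d)
    for name in $RKE_SECRET_FILES; do
        printf 'placeholder, not a real %s\n' "$name" > "$d/$name"
        chmod 644 "$d/$name"
    done
    echo "$d"
}

DEMO=$(make_demo_dir)
trap 'rm -rf "$DEMO"' EXIT
echo "before: $(audit_rke_artifacts "$DEMO") problem(s)"
lock_down_rke_artifacts "$DEMO"
echo "after:  $(audit_rke_artifacts "$DEMO") problem(s)"
```

On the deploy host, run audit_rke_artifacts "$PWD" from the directory that holds cluster.yml; the count on stdout and the warnings on stderr keep it usable both interactively and from a pipeline step. Rotating the kube-admin credential is not possible without re-running rke (it is tied to the cluster CA), which is why keeping these files out of shared directories and backups matters more than it does for the ordinary kubeconfig of a user account.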