1. The resource pool is for display. 2. It can be managed both at initialisation and later on. Add modules under the resource centre and under infrastructure respectively. The resource centre is display only and takes no part in management; everything in it is statistical and presentational.
https://help.ubuntu.com/10.04/serverguide/kerberos.html Kerberos
Kerberos is a network authentication system based on the principle of a trusted third party. The other two parties are the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to Single Sign On (SSO).
This section covers installation and configuration of a Kerberos server, and some example client configurations.
If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms will relate to things you may be familiar with in other environments:
- Principal: any users, computers, and services provided by servers need to be defined as Kerberos Principals.
- Instances: are used for service principals and special administrative principals.
- Realms: the unique realm of control provided by the Kerberos installation. Usually the DNS domain converted to uppercase (EXAMPLE.COM).
- Key Distribution Center (KDC): consists of three parts, a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC.
- Ticket Granting Ticket (TGT): issued by the Authentication Server (AS). The TGT itself is encrypted with the KDC's own key; the AS reply that carries it, together with the session key, is encrypted with a key derived from the user's password, which is known only to the user and the KDC.
- Ticket Granting Server (TGS): issues service tickets to clients upon request.
- Tickets: confirm the identity of the two principals, one being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session.
- Keytab Files: are files extracted from the KDC principal database and contain the encryption key for a service or host. A keytab is equivalent to that service's password, so it must be readable only by the account that runs the service.
To put the pieces together, a Realm has at least one KDC, preferably two for redundancy, which contains a database of Principals. When a user principal logs into a workstation configured for Kerberos authentication, the workstation asks the KDC's Authentication Server for a Ticket Granting Ticket (TGT). If the supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password.
Before installing the Kerberos server a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name, this section uses the example.com domain configured in the section called "Primary Master".
Also, Kerberos is a time sensitive protocol: if the system time of a client machine and the server differ by more than five minutes (the default clock skew), the workstation will not be able to authenticate. To avoid this, all hosts should have their time synchronized using the Network Time Protocol (NTP). For details on setting up NTP see the section called "Time Synchronisation with NTP".
The first step in installing a Kerberos Realm is to install the krb5-kdc and krb5-admin-server packages. From a terminal enter:
sudo apt-get install krb5-kdc krb5-admin-server
You will be asked at the end of the install to supply a name for the Kerberos and Admin servers, which may or may not be the same server, for the realm.
Next, create the new realm with the krb5_newrealm utility:
sudo krb5_newrealm
The questions asked during installation are used to configure the /etc/krb5.conf file. If you need to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the krb5-kdc daemon.
- Now that the KDC is running, an admin user is needed. It is recommended to use a different username from your everyday username. Using the kadmin.local utility, in a terminal prompt enter:
sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc steve/admin
WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve/admin@EXAMPLE.COM":
Re-enter password for principal "steve/admin@EXAMPLE.COM":
Principal "steve/admin@EXAMPLE.COM" created.
kadmin.local: quit
In the above example steve is the Principal, /admin is an Instance, and @EXAMPLE.COM signifies the realm. The "every day" Principal would be steve@EXAMPLE.COM, and should have only normal user rights.
Replace EXAMPLE.COM and steve with your Realm and admin username.
- Next, the new admin user needs the appropriate Access Control List (ACL) permissions. The permissions are configured in the /etc/krb5kdc/kadm5.acl file:
steve/admin@EXAMPLE.COM *
This entry grants steve/admin the ability to perform any operation on all principals in the realm. If an administrator should get less than everything, the permission field can instead be a set of letters (a add, d delete, m modify, c change password, i inquire, l list), and a pattern such as */admin@EXAMPLE.COM matches every principal with the admin instance.
- Now restart the krb5-admin-server for the new ACL to take effect:
sudo /etc/init.d/krb5-admin-server restart
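As an added example (illustrative Python, not part of the Ubuntu guide or of MIT Kerberos), the following shows how a principal name such as steve/admin@EXAMPLE.COM splits into primary, instance and realm, and how an entry in kadm5.acl is matched against a requesting principal. It models only the two columns used above (principal and permissions), treats a "*" component as a wildcard, and assumes the first matching entry decides; the target-principal and restriction columns of the real file are left out, and SAMPLE_ACL is a constructed file that adds a second, tighter entry to the page's own.

```python
# Added example (not from the Ubuntu guide or MIT Kerberos): how a principal
# name splits into primary/instance/realm and how a kadm5.acl entry like
# "steve/admin@EXAMPLE.COM *" is matched. Assumptions: only the "principal
# permissions" columns are modelled (no target principal, no restrictions)
# and the first matching entry decides.
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str


def parse_principal(name: str, default_realm: str = "EXAMPLE.COM") -> Principal:
    """'steve/admin@EXAMPLE.COM' -> Principal('steve', 'admin', 'EXAMPLE.COM').
    A name without @REALM gets default_realm, as kinit does with default_realm."""
    m = re.fullmatch(r"([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?", name)
    if not m:
        raise ValueError(f"malformed principal: {name!r}")
    primary, instance, realm = m.groups()
    return Principal(primary, instance, realm or default_realm)


# MIT kadm5.acl permission letters: a add, d delete, m modify, c change
# password, i inquire, l list, s set key; "x" or "*" grants all of them.
ALL_PERMS: FrozenSet[str] = frozenset("admcils")


def parse_kadm5_acl(text: str) -> List[Tuple[Principal, FrozenSet[str]]]:
    """Parse 'principal permissions' lines; '#' comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        who, perms = line.split()[:2]
        granted = ALL_PERMS if perms in ("*", "x") else frozenset(perms)
        entries.append((parse_principal(who), granted))
    return entries


def _component_matches(pattern: Optional[str], value: Optional[str]) -> bool:
    """A '*' component matches any value; a missing instance only matches a missing instance."""
    if pattern is None or value is None:
        return pattern == value
    return pattern == "*" or pattern == value


def is_allowed(acl, who: str, perm: str) -> bool:
    """True if the first ACL entry matching `who` grants permission letter `perm`."""
    p = parse_principal(who)
    for pat, granted in acl:
        if (_component_matches(pat.primary, p.primary)
                and _component_matches(pat.instance, p.instance)
                and _component_matches(pat.realm, p.realm)):
            return perm in granted
    return False


# Constructed sample ACL: the guide's entry, plus a tighter entry giving any
# other */admin principal only change-password, inquire and list rights.
SAMPLE_ACL = """
steve/admin@EXAMPLE.COM *
*/admin@EXAMPLE.COM cil
"""

if __name__ == "__main__":
    acl = parse_kadm5_acl(SAMPLE_ACL)
    for who, perm in [("steve/admin@EXAMPLE.COM", "a"), ("bob/admin@EXAMPLE.COM", "a"),
                      ("bob/admin@EXAMPLE.COM", "i"), ("steve@EXAMPLE.COM", "i")]:
        print(f"{who:28} {perm}: {is_allowed(acl, who, perm)}")
```

The point to take from the matcher is that the instance is part of the identity: steve@EXAMPLE.COM, the everyday principal, matches neither entry and gets no administrative rights at all, which is exactly why the guide keeps the /admin instance separate.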
- The new user principal can be tested using the kinit utility:
kinit steve/admin
steve/admin@EXAMPLE.COM's Password:
After entering the password, use the klist utility to view information about the Ticket Granting Ticket (TGT):
klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: steve/admin@EXAMPLE.COM
Issued Expires Principal
Jul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM
You may need to add an entry into /etc/hosts for the KDC. For example:
192.168.0.1 kdc01.example.com kdc01
Replace 192.168.0.1 with the IP address of your KDC.
- In order for clients to determine the KDC for the Realm some DNS SRV records are needed. Add the following to the zone file for example.com (this guide names it /etc/named/db.example.com; Ubuntu's bind9 packages keep zone files under /etc/bind/):
_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.
Replace EXAMPLE.COM, kdc01, and kdc02 with your domain name, primary KDC, and secondary KDC. The priority field (1 for kdc01, 10 for kdc02) makes clients try the primary first and fall back to the secondary.
See Chapter 7, Domain Name Service (DNS) for detailed instructions on setting up DNS.
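The records above are consumed by the client library when it looks up the KDC through DNS. As an added example (illustrative Python, not from the Ubuntu guide), the following parses those six records and orders the candidates the way RFC 2782 prescribes: lowest priority first, and within one priority a weighted random pick, so that a weight of 0 only means "use me if nothing else in this priority is left". ZONE_TEXT is the page's own records; the parsing and ordering code is an illustration, not a Kerberos library's.

```python
# Added example (not from the Ubuntu guide): what a Kerberos client does with
# the SRV records above when it resolves the KDC through DNS. RFC 2782
# ordering: lower priority first; among equal priorities a weighted random
# choice, so zero-weight records are used only when nothing else remains in
# that priority. ZONE_TEXT is the page's records verbatim.
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONE_TEXT = """
_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.
"""


@dataclass(frozen=True)
class Srv:
    name: str      # owner name, lower-cased, without the trailing dot
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(zone_text: str) -> List[Srv]:
    """Parse zone-file lines of the form '<owner> IN SRV <prio> <weight> <port> <target>'."""
    records = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) == 7 and f[1:3] == ["IN", "SRV"]:
            records.append(Srv(f[0].rstrip(".").lower(), int(f[3]), int(f[4]),
                               int(f[5]), f[6].rstrip(".")))
    return records


def order_targets(records: List[Srv], service: str,
                  rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """Return (target, port) pairs in the order a client should try them."""
    rng = rng or random.Random()
    want = service.rstrip(".").lower()
    remaining = [r for r in records if r.name == want]
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r.priority for r in remaining}):
        group = [r for r in remaining if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            # RFC 2782: draw a number in [0, total] and take the first record
            # whose running weight sum reaches it. With all weights 0 that is
            # always the first record, so zero-weight records keep file order.
            threshold = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= threshold:
                    ordered.append((r.target, r.port))
                    group.remove(r)
                    break
    return ordered


if __name__ == "__main__":
    recs = parse_srv(ZONE_TEXT)
    for svc in ("_kerberos._udp.EXAMPLE.COM", "_kerberos-adm._tcp.EXAMPLE.COM"):
        print(svc, "->", order_targets(recs, svc))
```

Note that the library only performs this lookup when the realm has no kdc entries in /etc/krb5.conf; an explicit kdc = line, as produced by the client configuration later in this section, takes precedence over DNS.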
Your new Kerberos Realm is now ready to authenticate clients.
Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the
primary becomes unavailable.
- First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC:
sudo apt-get install krb5-kdc krb5-admin-server
- Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter:
kadmin -q "addprinc -randkey host/kdc02.example.com"
After issuing any kadmin command you will be prompted for your username/admin@EXAMPLE.COM principal password.
- Extract the keytab file:
kadmin -q "ktadd -k keytab.kdc02 host/kdc02.example.com"
- There should now be a keytab.kdc02 in the current directory; move the file to /etc/krb5.keytab:
sudo mv keytab.kdc02 /etc/krb5.keytab
If the path to the keytab.kdc02 file is different adjust accordingly.
Also, you can list the principals in a keytab file, which can be useful when troubleshooting, using the klist utility:
sudo klist -k /etc/krb5.keytab
- Next, there needs to be a kpropd.acl file on each KDC that lists all KDCs for the Realm. For example, on both primary and secondary KDC, create /etc/krb5kdc/kpropd.acl:
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
- Create an empty database on the Secondary KDC:
sudo kdb5_util -s create
- Now start the kpropd daemon, which listens for connections from the kprop utility. kprop is used to transfer dump files:
sudo kpropd -S
- From a terminal on the Primary KDC, create a dump file of the principal database:
sudo kdb5_util dump /var/lib/krb5kdc/dump
The dump contains the keys of every principal in the realm, so keep it readable by root only and delete it when it is no longer needed.
- Extract the Primary KDC's keytab file and copy it to /etc/krb5.keytab:
kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com"
sudo mv keytab.kdc01 /etc/krb5.keytab
Make sure there is a host principal for kdc01.example.com before extracting the keytab.
- Using the kprop utility push the database to the Secondary KDC:
sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
There should be a SUCCEEDED message if the propagation worked. If there is an error message check /var/log/syslog on the secondary KDC for more information.
You may also want to create a cron job to periodically update the database on the Secondary KDC. For example, the following will push the database every hour:
# m h dom mon dow command
0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
- Back on the Secondary KDC, create a stash file to hold the Kerberos master key:
sudo kdb5_util stash
- Finally, start the krb5-kdc daemon on the Secondary KDC:
sudo /etc/init.d/krb5-kdc start
The Secondary KDC should now be able to issue tickets for the Realm. You can test this by stopping the krb5-kdc daemon on the Primary KDC, then using kinit to request a ticket. If all goes well you should receive a ticket from the Secondary KDC.
This section covers configuring a Linux system as a Kerberos client. This will allow access to any kerberized services once a user has successfully logged into the system.
In order to authenticate to a Kerberos Realm, the krb5-user and libpam-krb5 packages are needed, along with a few others that are not strictly necessary but make life easier. To install the packages enter the following in a terminal prompt:
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
The auth-client-config package allows simple configuration of PAM for authentication from multiple sources, and libpam-ccreds will cache authentication credentials, allowing you to log in when the Key Distribution Center (KDC) is unavailable. This package is also useful for laptops that may authenticate using Kerberos while on the corporate network but need to be usable off the network as well.
To configure the client, in a terminal enter:
sudo dpkg-reconfigure krb5-config
You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos SRV records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and Realm Administration server.
The dpkg-reconfigure adds entries to the /etc/krb5.conf file for your Realm. You should have entries similar to the following:
[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
kdc = 192.168.0.1
admin_server = 192.168.0.1
}
When a kdc entry is present for the realm, the library uses it and does not consult the DNS SRV records.
You can test the configuration by requesting a ticket using the kinit utility. For example:
kinit steve@EXAMPLE.COM
Password for steve@EXAMPLE.COM:
When a ticket has been granted, the details can be viewed using klist:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: steve@EXAMPLE.COM
Valid starting Expires Service principal
07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/25/08 05:18:57
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
Next, use auth-client-config to configure the libpam-krb5 module to request a ticket during login:
sudo auth-client-config -a -p kerberos_example
You should now receive a ticket upon successful login authentication.
1. What is an SSL certificate, what is HTTPS
An SSL certificate is a digital certificate that uses the Secure Sockets Layer protocol to set up a secure channel between the browser and the web server, which provides: 1) encrypted transmission of data between client and server, so that the information exchanged cannot be eavesdropped on by a third party; 2) a way for the user to verify, through the server certificate, that the site being visited is genuine. (via Baidu Baike)
HTTPS is an HTTP channel whose goal is security, i.e. HTTP with an SSL encryption layer added. HTTPS uses a different port from HTTP: HTTP defaults to port 80, HTTPS to port 443.
2. Which sites need an SSL certificate
1) Shopping and transaction sites. Needless to say, online banking, Alipay, PayPal and the like encrypt everything to protect your information.
2) Registration and login. Some large sites, webmail for example, use a dedicated SSL channel when registering or logging in so that passwords cannot be stolen.
3) Certain online proxies. Ahem... no comment.
4) Showing off. Me, for example...
3. Issuing your own SSL certificate (not trusted by browsers)
Issue a certificate for the 33iq site. SSH to the server and run the following commands to generate an RSA key and a certificate with openssl.
# generate an RSA key
$ openssl genrsa -des3 -out 33iq.key 1024
# make a copy of the key that does not need a passphrase
$ openssl rsa -in 33iq.key -out 33iq_nopass.key
# generate a certificate signing request
$ openssl req -new -key 33iq.key -out 33iq.csr
# sign the certificate yourself
$ openssl x509 -req -days 365 -in 33iq.csr -signkey 33iq.key -out 33iq.crt
Note that 1024-bit RSA keys are no longer accepted by browsers or public CAs; use 2048 bits or more in the genrsa command. The unencrypted copy 33iq_nopass.key is the site's private key in the clear and should be readable by root only.
The third command generates the certificate request; it prompts for province, city, domain name and so on. The important things are that the Common Name must be the site's hostname and that the email address must be at your own domain. You now have a .csr file; this is what you submit to an SSL provider. Here I did not apply to a certificate provider but signed the certificate myself in step 4.

Edit nginx.conf to add HTTPS to the site:
server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/33iq.crt;
    ssl_certificate_key /usr/local/nginx/conf/33iq_nopass.key;
    # if ssl_certificate_key pointed at 33iq.key, the key passphrase would have to be entered every time Nginx starts.
}
(In current nginx releases ssl on; is deprecated; write listen 443 ssl; instead.)
After restarting Nginx the site can be reached over https. A self-issued certificate does give you encrypted transport, but browsers do not trust it and show a warning like this:

4. Browser-trusted certificates
To get a certificate that browsers trust you must apply to a certificate provider. Certificate authorities (CAs) issue a digital certificate to each user of a public key. Browsers ship with the certificates of a number of CAs built in, so certificates issued by those CAs are trusted. VeriSign is a well-known foreign CA; ICBC, CCB, China Merchants Bank, Alipay, Tenpay and others use VeriSign certificates, while non-financial sites such as NetEase mail use SSL certificates issued by CNNIC (China Internet Network Information Center). Certificates are generally not cheap; a VeriSign certificate, for example, costs around 8000 RMB a year.
There are said to be free certificates too. Like VeriSign, StartSSL is a CA; its root certificate has long been supported by browsers with open-source roots (Firefox, Google Chrome, Apple Safari and so on). Later StartSSL even won over Microsoft: in an update, Microsoft refreshed the list of vendors in the Windows Root Certificate Program and included StartCom for the first time. Windows 7, and Windows Vista or Windows XP with the update installed, fully trust certificates issued by free CAs like StartCom, so StartSSL is supported by Internet Explorer as well. (Source and application steps)
This was written around 2010. Since then StartCom/StartSSL has been removed from the Mozilla, Chrome and Apple trust stores (2016-2017), and Chrome and Mozilla stopped trusting new CNNIC-issued certificates in 2015; free browser-trusted certificates are now obtained through the automated ACME protocol, e.g. from Let's Encrypt.
5. Using HTTPS only for registration and login
If HTTPS guarantees security, why do most sites in the world still use HTTP? HTTPS is a heavy load on the server. For performance reasons we cannot encrypt every request from every user (Google and the like excepted). As an ordinary site, all we want is security during transactions and password logins. With Nginx this can be done using rewrite.
Inside the https server block add:
if ($uri !~* "/logging.php$") {
    rewrite ^/(.*)$ http://$host/$1 redirect;
}
Inside the http server block add:
if ($uri ~* "/logging.php$") {
    rewrite ^/(.*)$ https://$host/$1 redirect;
}
This way users go over https only when, and whenever, they visit logging.php.
Be aware of what this pattern leaves unprotected: only the password is encrypted in transit. The session cookie set after login is then sent over plain HTTP with every other request, where it can be captured and replayed, and an attacker on the path can also strip the redirect to https. The cost of TLS on current hardware is small; current practice is to serve the whole site over HTTPS and send a Strict-Transport-Security header.
Update: some frameworks decide whether the current request is https by checking whether the PHP variable $_SERVER['HTTPS'] is on. For that we need one extra line in the Nginx config to set this variable. If you see https links redirecting back to http after a redirect, this is the fix.
server {
    ...
    listen 443;
    location ~ \.php$ {
        ...
        include fastcgi_params;
        fastcgi_param HTTPS on; # the extra line
    }
}
server {
    ...
    listen 80;
    location ~ \.php$ {
        ...
        include fastcgi_params;
    }
}
References:
http://zou.lu/nginx-https-ssl-module
http://blog.s135.com/startssl/
http://www.baalchina.net/2008/08/nginx-https-rewrite/
com.mysql.jdbc.CommunicationsException: The last packet successfully received from the server was 58129 seconds ago. The last packet sent successfully to the server was 58129 seconds ago, which is longer than the server configured value of 'wait_timeout'. You should consider either expiring and/or testing connection validity before use in your application, increasing the server configured values for client timeouts, or using the Connector/J connection property 'autoReconnect=true' to avoid this problem.
I looked it up: it is MySQL's timeout setting. If a connection stays idle for 8 hours (no database operations within 8 hours), MySQL closes it automatically, and Tomcat has to be restarted.
Fixes:
1. If you are not using Hibernate, add parameters to the connection URL: autoReconnect=true
jdbc.url=jdbc:mysql://ipaddress:3306/database?autoReconnect=true&autoReconnectForPools=true
2. With Hibernate, add the following properties:
<property name="connection.autoReconnect">true</property>
<property name="connection.autoReconnectForPools">true</property>
<property name="connection.is-connection-validation-required">true</property>
3. If you also use the c3p0 connection pool:
<property name="hibernate.c3p0.acquire_increment">1</property>
<property name="hibernate.c3p0.idle_test_period">0</property>
<property name="hibernate.c3p0.timeout">0</property>
<property name="hibernate.c3p0.validate">true</property>
Connector/J's own documentation advises against autoReconnect: a reconnect silently discards session state and any open transaction. The durable fix is the one the message lists first, validating connections on checkout and evicting idle ones before wait_timeout, which is what the c3p0 settings are aiming at. Note that with idle_test_period set to 0 c3p0 never tests idle connections and with timeout set to 0 never expires them, so only the validate-on-checkout test remains; an idle_test_period and timeout below the server's wait_timeout are the better choice.
4. The worst solution
Using Connector/J to connect to MySQL, after the program has run for a long time it reports:
Communications link failure, The last packet successfully received from the server was *** milliseconds ago. The last packet successfully sent to the server was *** milliseconds ago.
The error also suggests changing wait_timeout or using Connector/J's autoReconnect property to avoid it.
Looking into it, quite a few people hit this problem, mostly when using a connection pool; with short-lived connections it is unlikely. The cause:
MySQL's default wait_timeout is 28800 seconds, i.e. 8 hours, meaning that if a connection stays idle for more than 8 hours MySQL closes it, while the pool still considers the connection valid (it never checks validity); when the application checks that connection out, the error above results.
1. As the error suggests, use the autoReconnect property in the JDBC URL. In testing I used autoReconnect=true&failOverReadOnly=false, but it had no effect; I am on version 5.1, and it may well be, as reported online, that this only works for versions before 4.
2. No choice but to change the MySQL parameter. wait_timeout can be at most 31536000, i.e. one year; add to my.cnf:
[mysqld]
wait_timeout=31536000
interactive_timeout=31536000
This takes effect after a restart; both parameters must be changed together.
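As an added example, not from either of the posts above, the following models the remedy the Connector/J message itself puts first, "expiring and/or testing connection validity before use", as a tiny connection pool. FakeConnection is a constructed stand-in for a MySQL connection whose server side is closed after wait_timeout idle seconds, so the example runs offline; a real pool would wrap JDBC or DB-API connections and issue something like SELECT 1 as the ping. The three simulate() runs reproduce the failure, the validate-on-checkout fix, and the cheaper idle-eviction fix.

```python
# Added example, not from either post quoted above: the remedy the Connector/J
# message puts first ("expiring and/or testing connection validity before
# use"), modelled as a tiny pool. FakeConnection is a constructed stand-in for
# a MySQL connection whose server side is closed after wait_timeout idle
# seconds; a real pool would wrap JDBC/DB-API connections and run "SELECT 1"
# as the ping.
from collections import deque
from typing import Callable, Deque, Dict, Optional, Tuple


class CommunicationsError(Exception):
    """Stands in for CommunicationsException / 'Communications link failure'."""


class FakeConnection:
    def __init__(self, wait_timeout: float, clock: Callable[[], float]) -> None:
        self.wait_timeout = wait_timeout
        self.clock = clock
        self.last_packet = clock()
        self.server_closed = False

    def ping(self) -> None:
        # The server silently drops an idle connection; the client only finds
        # out when it sends the next packet, which is the failure in the trace.
        if self.server_closed or self.clock() - self.last_packet > self.wait_timeout:
            self.server_closed = True
            raise CommunicationsError("server closed the idle connection")
        self.last_packet = self.clock()

    def execute(self, sql: str) -> str:
        self.ping()
        return "ok: " + sql


class Pool:
    """validate=True pings a pooled connection before handing it out and
    replaces it if the ping fails (c3p0's validate / testConnectionOnCheckout).
    max_idle evicts connections that sat idle longer than that without even
    trying them; it is cheaper and must be set below the server's wait_timeout."""

    def __init__(self, factory: Callable[[], FakeConnection], clock: Callable[[], float],
                 validate: bool = True, max_idle: Optional[float] = None) -> None:
        self.factory, self.clock = factory, clock
        self.validate, self.max_idle = validate, max_idle
        self.idle: Deque[Tuple[FakeConnection, float]] = deque()
        self.stats: Dict[str, int] = {"created": 0, "evicted": 0, "replaced": 0, "reused": 0}

    def acquire(self) -> FakeConnection:
        while self.idle:
            conn, returned_at = self.idle.popleft()
            if self.max_idle is not None and self.clock() - returned_at > self.max_idle:
                self.stats["evicted"] += 1
                continue
            if self.validate:
                try:
                    conn.ping()
                except CommunicationsError:
                    self.stats["replaced"] += 1
                    continue
            self.stats["reused"] += 1
            return conn
        self.stats["created"] += 1
        return self.factory()

    def release(self, conn: FakeConnection) -> None:
        self.idle.append((conn, self.clock()))


def simulate(validate: bool, max_idle: Optional[float] = None,
             wait_timeout: float = 28800.0) -> Tuple[str, Dict[str, int]]:
    """Run one query, let more than wait_timeout pass, run another.
    Returns (outcome of the second query, pool statistics)."""
    now = [0.0]                      # fake clock, so 8 hours pass instantly
    clock = lambda: now[0]
    pool = Pool(lambda: FakeConnection(wait_timeout, clock), clock, validate, max_idle)
    c = pool.acquire(); c.execute("SELECT 1"); pool.release(c)
    now[0] += wait_timeout + 1       # the idle night that exceeds wait_timeout
    c = pool.acquire()
    try:
        outcome = c.execute("SELECT 1")
    except CommunicationsError as e:
        outcome = "CommunicationsError: " + str(e)
    pool.release(c)
    return outcome, dict(pool.stats)


if __name__ == "__main__":
    print("no validation:     ", simulate(validate=False))
    print("validate on borrow:", simulate(validate=True))
    print("idle eviction:     ", simulate(validate=True, max_idle=3600))
```

Raising wait_timeout to a year, as the post ends up doing, only makes the window wider; the pool still hands out dead connections whenever the server, a firewall or a load balancer drops one for any other reason, which is why validation or eviction in the pool is the fix that keeps working.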
SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"
NO_AUTO_VALUE_ON_ZERO affects the handling of AUTO_INCREMENT columns. Normally you generate the next sequence number by inserting either NULL or 0 into the column. NO_AUTO_VALUE_ON_ZERO suppresses this behaviour for 0, so that only NULL generates the next sequence number. The mode is useful if 0 has been stored in a table's AUTO_INCREMENT column (not a recommended practice). For example, if you dump the table with mysqldump and then reload it, MySQL would normally generate new sequence numbers when it encounters the 0 values, and the contents of the reloaded table would differ from the table that was dumped. Enabling NO_AUTO_VALUE_ON_ZERO before reloading the dump file solves this problem.
8 virtual desktop programs: Ulteo, NX Enterprise Server, FOSS-Cloud, Oracle VirtualBox, Thinstuff, JetClouding, GoGrid, 2X Cloud Computing
sudo qemu-img create -f qcow2 -o size=30240M,preallocation=metadata win2003_hda.img
http://blog.kreyolys.com/2011/09/27/kvm-virtual-machines-disk-format-file-basedqcow2-or-block-devicelvm2/ (comparison of file-based qcow2 and LVM block devices)
sudo virt-install \
  --name win2003_test \
  --ram=1024 \
  --vcpus=2 \
  --disk /kvm/win2003_hda.img,bus=virtio \
  --network bridge:br0,model=virtio \
  --vnc \
  --accelerate \
  -c /share/os/win2003-i386.iso \
  --disk /home/kvm/virtio-win-1.1.16.vfd,device=floppy \
  -c /home/kvm/virtio-win-0.1-22.iso \
  --os-type=windows \
  --os-variant=win2k3 \
  --noapic \
  --connect qemu:///system \
  --hvm
http://www.howtoforge.com/installing-kvm-guests-with-virt-install-on-ubuntu-12.04-lts-server
Paravirtualization (virtio driver) reference:
#!/bin/sh
WINISO=/path/to/win7.iso      # Windows ISO
INSTALLDISK=win7virtio.img    # Disk location. Can be LVM LV
VFD=http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/virtio-win-1.1.16.vfd
DRVRISO=http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/virtio-win-0.1-22.iso
[ -e $(basename $VFD) ] || wget $VFD
[ -e $(basename $DRVRISO) ] || wget $DRVRISO
[ -e $INSTALLDISK ] || qemu-img create $INSTALLDISK 30G
sudo virt-install -c qemu:///system --virt-type kvm --name win7virtio --ram 1024 \
  --disk path="$INSTALLDISK",bus=virtio \
  --disk $(basename $VFD),device=floppy --os-variant win7 \
  --cdrom $(basename $DRVRISO) --cdrom "$WINISO" --vcpus 2
# END OF BASH SCRIPT
Other references:
In my previous article KVM Guests: Using Virt-Install to Import an Existing Disk Image we discussed how to use virt-install to import an existing disk image, which already has an OS installed into it. Additionally in KVM Guests: Using Virt-Install to Install Debian and Ubuntu Guests I documented how to initiate an install directly off of the apt mirror of your choice for Debian and Ubuntu Guests using virt-install. In this article we will use virt-install to create a guest and begin the installation using a CD or ISO image for installation media.
Assumptions I Have Made
- My KVM host is Ubuntu 10.10 and I am assuming that yours is as well. If it is not then the syntax might be slightly different or may not include the same features.
- That you have kvm installed on the host and you can manually create VMs using virt-manager and they work perfectly.
- That you have a bridge configured and working on other guests.
- That you have virt-install and libvirt-bin installed as well as virt-manager or virt-viewer so that you can complete the install after the virt-install command has completed.
- That you are trying to import disk images that support VirtIO devices (most recent Linux distributions; Windows does not natively support the VirtIO interface, so you will have had to install the VirtIO drivers into your disk image manually).
The Basic Command
# virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntu --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=virtio,size=40,sparse=true,format=raw -w bridge=br0,model=virtio --vnc --noautoconsole -c /kvm/images/iso/ubuntu.iso
Parameters Detailed
- -n vmname [the name of your VM]
- -r 2048 [the amount of RAM in MB for your VM]
- --os-type=linux [the type of OS: linux or windows]
- --os-variant=ubuntu [the distribution or version of Windows; for a full list see man virt-install]
- --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=virtio,size=40,sparse=true,format=raw [this is a long one: you define the path, then comma-delimited options. device is the type of storage: cdrom, disk, floppy. bus is the interface: ide, scsi, usb, virtio; virtio is the fastest, but you need to install the drivers for Windows, and older versions of Linux don't have support]
- -w bridge=br0,model=virtio [the network configuration; in this case we are connecting to a bridge named br0 and using the virtio drivers, which perform much better. If you are using an OS which doesn't support virtio you can use e1000 or rtl8139. You could alternatively use --nonetworks if you do not need networking]
- --vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or virt-manager to see the desktop as if you were at the monitor of a physical machine]
- --noautoconsole [configures the installer NOT to automatically try to open virt-viewer to view the console to complete the installation; this is helpful if you are working on a remote system through SSH]
- -c /kvm/images/iso/ubuntu.iso [this option specifies the cdrom device or iso image to boot from. You could alternatively specify the cdrom as a disk device and not use the -c option; it will then boot off the cdrom if you don't specify another installation method]
LVM Disk Variation
# virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntulucid --disk /dev/vg_name/lv_name,device=disk,bus=virtio -w bridge=br0,model=virtio --vnc --noautoconsole -c /kvm/images/iso/ubuntu.iso
No VirtIO Variation (Uses IDE and e1000 NIC Emulation)
# virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntulucid --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=ide,size=40,sparse=true,format=raw -w bridge=br0,model=e1000 --vnc --noautoconsole -c /kvm/images/iso/ubuntu.iso
Define VM Without Installation Method
# virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntulucid --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=virtio,size=40,sparse=true,format=raw --disk /kvm/images/iso/ubuntu.iso,device=cdrom -w bridge=br0,model=virtio --vnc --noautoconsole
###################
# Installing Xming and PuTTY
###################
Xming is free software that runs the X Window System (often called X11, or just X) on Microsoft Windows. It lets you run Linux programs from Windows (an X server has to run on the local Windows machine; Xming is that server).
Linux and the various Unix-like systems all use X Window-based graphical interfaces. Its bulk makes running 3D games on Linux hard, but thanks to its clean interfaces, extensibility and portability (and above all its network transparency) it is very convenient for starting Linux graphical programs remotely.
Download: https://sourceforge.net/projects/xming/ or http://www.straightrunning.com/XmingNotes/
Xming: renders with OpenGL
Xming-fonts: standard X fonts; some traditional X applications need them to display
Xming-mesa: renders with the slower Mesa; sometimes better for X forwarding
Xming-portable-PuTTY: an ssh program that provides X forwarding
Xming-tools-and-clients: some tools specific to X applications
PuTTY: http://www.putty.org/
####################################################
# Using Xming over SSH: opening Linux graphical programs from a PuTTY terminal
####################################################
1) On the Linux server make sure /etc/ssh/sshd_config contains X11Forwarding yes
2) X11 forwarding in PuTTY: PuTTY Configuration -> Preferred SSH protocol version -> SSH 2. Connection -> SSH -> X11 -> Enable X11 forwarding; set X display location to localhost:0 and choose MIT-Magic-Cookie-1 as the protocol.
3) Starting Linux graphical programs from Windows
Start Xming, keeping the default 0 for "Display number". Connect to the Linux server with PuTTY and in the PuTTY terminal run
export DISPLAY=10.160.13.229:0
(the IP here is that of the host where Xming is installed, i.e. the X server, which is your Windows machine; the Linux server is the X client)
(The DISPLAY environment variable has the form hostname:displaynumber.screennumber. On some machines several displays share one set of input devices, for example a PC with two CRT monitors sharing one keyboard and one mouse. That group of displays has one common displaynumber and each individual display has its own screennumber. Both are numbered from zero, so for ordinary users both are 0. hostname is the host name or IP address of the machine running the X server, where the graphics will appear; it can be a Linux/Unix machine with a graphical desktop or a Windows machine running an X server such as Exceed or X-Deep/32. If hostname is empty, the X server is on the local machine and the X client connects over a unix socket rather than TCP. Over TCP, displaynumber is the port number minus 6000, so displaynumber 0 means port 6000; over a unix socket it selects the socket path, so displaynumber 0 means /tmp/.X11-unix/X0. screennumber is almost always 0.)

Then run gvim, and the Linux gvim appears on your Windows desktop.
If you get:
Xlib: connection to "10.160.13.229:0.0" refused by server
Xlib: No protocol specified
click "View log" on the Xming tray icon; you will find a message like
AUDIT: ... Xming: client 4 rejected from IP 10.160.23.18
where 10.160.23.18 is the Linux server's address.
Fix: right-click the Xming desktop icon and change its command to disable access control with the -ac option:
C:\Program Files\XMing\Xming.exe :0 -clipboard -multiwindow -ac
Start Xming again and the Linux graphical programs display on Windows.
Be clear about what this fix does. With X11 forwarding enabled in PuTTY, sshd already sets DISPLAY on the server (to something like localhost:10.0) and carries the X traffic inside the SSH session; overriding DISPLAY with the Windows IP makes the client connect straight to port 6000 in the clear, which is why Xming rejected it. Starting Xming with -ac switches access control off entirely, so any host that can reach port 6000 can open windows on your desktop and read your keystrokes. Leaving DISPLAY as sshd set it needs neither the manual export nor -ac.
Nginx's location directive allows different configuration for different URIs, matched either as a string or as a regular expression. Regular expression matching uses these prefixes:
(1) ~*  case-insensitive match.
(2) ~   case-sensitive match.
Non-regex (string) matching has these prefixes:
(1) ^~  once this string matches, regex matching is skipped.
(2) =   exact match.
(3) @   not really a string match at all (think of it as a regex if you like). It is a named location; such locations are never used for normal requests, only for internal redirects.
During matching Nginx first matches strings, then regular expressions. It stops at the first regex that matches. If a regex matched, its result is used; if no regex matched, the string result is used.
In other words, when both a string and a regex match, the regex wins. The "^~" prefix prevents the regex check after the string has matched: once the URI matches, the search stops.
The "=" prefix makes an exact URI match; if one is found, the search stops. "location = /" matches only "/", not "/test.html".
Regexes are tested in the order they appear in the configuration file; earlier ones take precedence.
The "@" prefix denotes a named location; these are not used for normal requests, only for internal redirects (e.g. error_page, try_files).
Summary of the matching process:
(1) "=" exact matches are tried first; if one matches, stop.
(2) All other non-regex locations are tested and the most specific match is kept (for the URI /blog/admin/, location /blog is longer than location /, so location /blog is more specific). If the one found has the "^~" prefix, stop and use it; otherwise go on to the regex search. Can it happen that no non-regex location matches? Yes, if you do not define a location / it certainly can; no matter, the regex search still runs.
(3) Regex search, in the order the locations appear in the configuration file.
(4) If a regex matched, use that location; otherwise use the result of step 2. If that "otherwise" happens together with the no-match case from step 2, a 404 awaits you.
Reference: nginx location management and lookup
Example:
location = / {
    # matches only the / query.
    [ configuration A ]
}
location / {
    # matches any query, since all requests begin with /. But regex rules and longer block rules are matched first.
    [ configuration B ]
}
location ^~ /images/ {
    # matches any query beginning with /images/ and stops searching. No regex will be tested.
    [ configuration C ]
}
location ~* \.(gif|jpg|jpeg)$ {
    # matches any request ending in gif, jpg or jpeg. But all requests under /images/ use configuration C.
    [ configuration D ]
}
Example requests:
1. / -> exact match on the 1st location, matching stops, configuration A.
2. /some/other/url -> prefix string match on the 2nd location, then regex matching, which clearly fails, so the 2nd location's configuration B.
3. /images/1.jpg -> prefix match on the 2nd location, but also on the 3rd, which is the longest string match in the configuration for this URL and carries the "^~" prefix, so no regex matching is done; configuration C.
4. /some/other/path/to/1.jpg -> prefix match on the 2nd location, then regex matching, which succeeds, so configuration D.

Note: the result is the same whatever order these four locations are defined in.
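The four-step process above is easy to get wrong when a site mixes ^~ prefixes with regexes for PHP or static files, so here is the selection order implemented as an added example (illustrative Python, not nginx source code) that can be checked against the four example requests. It models "=" exact matches, plain and "^~" prefixes with longest-match, "~" and "~*" regexes in file order, and "@" named locations that never match a normal request; EXAMPLE_CONF is the page's own example reduced to the parts that matter, with a constructed named location added.

```python
# Added example (illustrative Python, not nginx source): the location
# selection order described above, so the four example requests can be
# checked. Modelled: "=" exact; plain and "^~" prefixes (longest wins, "^~"
# suppresses the regex phase); "~" / "~*" regexes in file order; "@" named
# locations, which are never matched for a normal request.
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Location:
    modifier: str   # "", "=", "^~", "~", "~*", "@"
    pattern: str
    config: str


def parse_locations(conf: str) -> List[Location]:
    """Pull 'location [mod] pattern { ... [ configuration X ] ... }' blocks out
    of an nginx-style snippet; the bracketed label becomes the config name."""
    blocks = re.finditer(r"location\s+(?:(=|\^~|~\*|~|@)\s*)?(\S+)\s*\{(.*?)\}", conf, re.S)
    out = []
    for m in blocks:
        label = re.search(r"\[\s*configuration\s+(\w+)\s*\]", m.group(3))
        out.append(Location(m.group(1) or "", m.group(2), label.group(1) if label else "?"))
    return out


def select_location(locations: List[Location], uri: str) -> Optional[str]:
    """Return the config name nginx would use for uri, or None (a 404)."""
    # 1. an exact match ends the search immediately
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc.config
    # 2. longest prefix among plain and ^~ locations
    best: Optional[Location] = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best.config          # ^~: skip the regex phase
    # 3. regexes in file order; the first match wins
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc.config
    # 4. otherwise fall back to the best prefix, if there was one
    return best.config if best is not None else None


# The example configuration from the text, reduced to the parts that matter,
# plus a constructed named location to show that "@" is never matched.
EXAMPLE_CONF = r"""
location = / { [ configuration A ] }
location / { [ configuration B ] }
location ^~ /images/ { [ configuration C ] }
location ~* \.(gif|jpg|jpeg)$ { [ configuration D ] }
location @fallback { [ configuration E ] }
"""

if __name__ == "__main__":
    locs = parse_locations(EXAMPLE_CONF)
    for uri in ("/", "/some/other/url", "/images/1.jpg", "/some/other/path/to/1.jpg"):
        print(f"{uri:28} -> {select_location(locs, uri)}")
```

The security-relevant consequence is the one the page's third request shows: a "^~" prefix hides every later regex, so a location ~ \.php$ block will not fire for /images/evil.php if /images/ is declared with ^~, and the reverse ordering problem appears when an upload directory is declared as a plain prefix and the PHP regex therefore does fire.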
What I found online was to add the following to the configuration file:
optimize_server_names off;
server_name_in_redirect off;
but nginx 0.8.38 reports:
Restarting nginx: [warn]: the "optimize_server_names" directive is deprecated, use the "server_name_in_redirect" directive instead in /etc/nginx/nginx.conf:44
[emerg]: "server_name_in_redirect" directive is duplicate in /etc/nginx/nginx.conf:45
configuration file /etc/nginx/nginx.conf test failed
Meaning: optimize_server_names is deprecated and is treated as server_name_in_redirect, so the pair counts as a duplicate; use server_name_in_redirect alone. So just add this one line to nginx.conf:
server_name_in_redirect off;