快速创建TLS证书并部署到Docker服务

将下方代码保存为certbot.sh,修改头部变量后,上传到装有openssl组件的linux服务器上运行即可。

#!/bin/sh
#

export PASSWORD="密码"

export COUNTRY="CN"
export STATE="省"
export CITY="市"
export ORGANIZATION="公司名称"
export ORGANIZATIONAL_UNIT="Dev"
export COMMON_NAME="域名"
export EMAIL="电子邮件地址"

export HOST_NAME="$COMMON_NAME"
export IP=`ping $HOST_NAME -c 1 | sed '1{s/[^(]*(//;s/).*//;q}'`

export DIR="cert-$HOST_NAME"

# Workspace

[ -d $DIR ] || mkdir -p $DIR

echo "PASSWORD: $PASSWORD" > $DIR/!nfo.txt
echo "HOST_NAME: $HOST_NAME" >> $DIR/!nfo.txt
echo "HOST_IP: $IP" >> $DIR/!nfo.txt

# Generate CA

openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "$DIR/ca-key.pem" 4096

openssl req -new -x509 -days 3650 -key "$DIR/ca-key.pem" -sha256 -out "$DIR/ca.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"

# Generate Server Certs

openssl genrsa -out "$DIR/server-key.pem" 4096

openssl req -subj "/CN=$HOST_NAME" -sha256 -new -key "$DIR/server-key.pem" -out $DIR/server.csr

echo "subjectAltName = DNS:$HOST_NAME,IP:$IP,IP:127.0.0.1" > $DIR/server.cnf
echo "extendedKeyUsage = serverAuth" >> $DIR/server.cnf

openssl x509 -req -days 3650 -sha256 -in $DIR/server.csr -passin "pass:$PASSWORD" -CA "$DIR/ca.pem" -CAkey "$DIR/ca-key.pem" -CAcreateserial -out "$DIR/server-cert.pem" -extfile $DIR/server.cnf

# Generate Client Certs

openssl genrsa -out "$DIR/client-key.pem" 4096

openssl req -subj '/CN=client' -new -key "$DIR/client-key.pem" -out $DIR/client.csr

echo "extendedKeyUsage = clientAuth" > $DIR/client.cnf

openssl x509 -req -days 3650 -sha256 -in $DIR/client.csr -passin "pass:$PASSWORD" -CA "$DIR/ca.pem" -CAkey "$DIR/ca-key.pem" -CAcreateserial -out "$DIR/client-cert.pem" -extfile $DIR/client.cnf

# Modify Certs Permission

chmod 0400 $DIR/*-key.pem
chmod 0444 $DIR/ca.pem $DIR/*-cert.pem

# Remove Temporary Files

rm -f $DIR/*.csr $DIR/*.cnf

如果需要部署到Docker服务,请继续

# Install To Docker Daemon

mkdir -p /etc/docker/certs.d
cp $DIR/ca.pem /etc/docker/certs.d/
cp $DIR/server-*.pem /etc/docker/certs.d/

cat <<EOF >/etc/docker/daemon.json
{
    "tlsverify": true,
    "tlscacert": "/etc/docker/certs.d/ca.pem",
    "tlscert": "/etc/docker/certs.d/server-cert.pem",
    "tlskey": "/etc/docker/certs.d/server-key.pem",
    "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}
EOF

# Modify Systemd Service

if [ -f /lib/systemd/system/docker.service ]; then
    sed -i '/"hosts"/d' /etc/docker/daemon.json
    sed -i 's#server-key.pem",#server-key.pem"#' /etc/docker/daemon.json
    sed -i 's#-H fd://#-H fd:// -H tcp://0.0.0.0:2376#' /lib/systemd/system/docker.service
    systemctl daemon-reload
fi

特别注意

在systemd系统上-H已设置,因此无法使用hosts键来添加侦听地址,请参阅 https://docs.docker.com/install/linux/linux-postinstall/#configuring-remote-access-with-systemd-unit-file

Debian9/10 启用 Google BBR 加速

一、加载BBR内核模块

lsmod | grep bbr

如果回显tcp_bbr 20480 14则表示已加载,否则请使用如下命令加载BBR内核模块

modprobe tcp_bbr
echo "tcp_bbr" | tee -a /etc/modules-load.d/modules.conf

二、启用BBR网络优化

sysctl net.ipv4.tcp_available_congestion_control

如果回显net.ipv4.tcp_available_congestion_control = bbr cubic reno则表示已启用优化,否则请使用如下命令启用BBR网络优化

echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p

rsync多进程并发执行同步数据

原始命令

rsync -aPv --delete rsync://1.2.3.4/dp1/ /mnt/backup

多线程模式

#!/bin/sh
#

src='rsync://1.2.3.4/dp1' #源路径,结尾不带斜线
dst='/mnt/backup' #目标路径,结尾不带斜线

opt="-aPv --delete" #同步选项

num=16 #并发进程数
depth='5 4 3 2 1' #归递目录深度

task=/tmp/`echo $src$ | md5sum | head -c 16`
[ -f $task-next ] && cp $task-next $task-skip
[ -f $task-skip ] || touch $task-skip

# 创建目标目录结构
rsync $opt --include "*/" --exclude "*" $src/ $dst

# 从深到浅同步目录
for l in $depth ;do
    # 启动rsync进程
    for i in `find $dst -maxdepth $l -mindepth $l -type d`; do
        i=`echo $i | sed "s#$dst/##"`
        if `grep -q "$i$" $task-skip`; then
            echo "skip $i"
            continue
        fi
        while true; do
            now_num=`ps axw | grep rsync | grep $dst | grep -v '\-\-daemon' | wc -l`
            if [ $now_num -lt $num ]; then
                echo "rsync $opt $src/$i/ $dst/$i" >>$task-log
                rsync $opt $src/$i/ $dst/$i &
                echo $i >>$task-next
                sleep 1
                break
            else
                sleep 5
            fi
        done
    done
done

# 最终单进程验证
while true; do
    sleep 5
    now_num=`ps axw | grep rsync | grep $dst | grep -v '\-\-daemon' | wc -l`
    if [ $now_num -lt 1 ]; then
        echo "rsync $opt $src/ $dst" >>$task-log
        rsync $opt $src/ $dst
        break
    fi
done

制作MacOS启动U盘

真是好记性不如烂笔头啊,以前经常用的命令,一时竟然没想起来

sudo /Applications/Install\ macOS\ Mojave.app/Contents/Resources/createinstallmedia --volume /Volumes/your-disk-name /Applications/Install\ macOS\ Mojave.app —nointeraction

CentOS7之LVM磁盘扩容

创建文件系统,并设置t为8e

fdisk /dev/sdb

扩容LVM卷

pvcreate /dev/sdb1
vgextend centos /dev/sdb1
lvextend -l +100%FREE /dev/centos/root

若根目录/文件系统为ext4

resize2fs /dev/centos/root

若根目录/文件系统为xfs

xfs_growfs /dev/centos/root

查看磁盘状态

df -h

Ubuntu下刷极路由不死uboot

今天帮朋友刷2个极路由的uboot,但他那边只有一台Ubuntu-Server可远程登陆。
悲剧的我,只好SSH连接他本地的Ubuntu,然后再连接极路由刷写固件:

极路由1s

wget https://breed.hackpascal.net/breed-mt7620-hiwifi-hc5761.bin

scp -P 1022 root@192.168.199.1:/tmp/
ssh -p 1022 root@192.168.199.1

输入密码,登陆系统后,执行刷写命令

mtd write /tmp/breed-mt7620-hiwifi-mt7620.bin u-boot

极路由3

wget https://breed.hackpascal.net/breed-mt7620-hiwifi-hc5861.bin

scp -P 1022 root@192.168.199.1:/tmp/
ssh -p 1022 root@192.168.199.1

输入密码,登陆系统后,执行刷写命令

mtd write /tmp/breed-mt7620-hiwifi-hc5861.bin u-boot

清理macOS蛋疼的可清除空间

自从macOS有了这个不着调的提示,一直让我这个强迫症患者无比揪心,于是各方寻访与尝试,总结如下2个方法可用于手动清理这部分空间。

1.清空 ~/library/caches 文件夹里面的内容(小白可以用这个方法试试)

2.命令行里跑一下 sudo diskutil secureErase freespace 0 /dev/disk1s1 (请自行替代分区数字,新手请绕道)