一些常见的运维操作

发表于

关键词:运维操作

sudo无需输入密码

1
echo "%sudo ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

一键安装docker

1
2
3
curl -fsSL get.docker.com -o get-docker.sh
# sudo sh get-docker.sh --mirror 
sudo sh get-docker.sh --mirror Aliyun

docker需要使用sudo

1
2
3
4
sudo groupadd docker
sudo gpasswd -a ${USER} docker
sudo service docker restart
newgrp - docker

查看文件夹占用

1
2
sudo du -s /* | sort -nr
sudo du -h  --max-depth=1

清理docker冗余容器

1
docker system prune -a

清理k3s冗余容器

1
sudo k3s crictl rmi --prune

Systemctl定时执行任务

参考

  1. Linux 定时任务 crontab 和 Systemd Timer - 自由早晚乱余生 - 博客园

  2. https://www.junmajinlong.com/linux/systemd/systemd_timer/

执行文件

1
2
3
4
5
6
7
8
[Unit]
Description=GLaDOS Checkin Service

[Service]
ExecStart=/usr/bin/docker compose -f /home/wf09/glados/docker-compose.yml up

[Install]
WantedBy=multi-user.target

timer触发器:以每天3点执行一次为例

1
2
3
4
5
6
7
8
[Unit]
Description=GLaDOS Checkin Timer

[Timer]
OnCalendar=*-*-* 03:00:00

[Install]
WantedBy=multi-user.target

bash date日期时间

1
2
3
4
5
6
7
8
9
10
date '+%Y-%m-%d %H:%M:%S'
2021-08-17 22:49:57
date '+%Y-%m-%d'
2021-08-17
date '+%Y%m%d'
20210817
date +%Y%m%d
20210817
date +%s
1629211600

Linux软连接

1
ln -s 源文件 目的文件

debian类修改源

amd64

ubuntu
1
2
sudo sed -i 's/cn.archive.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
sudo sed -i 's/security.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
debian
1
2
sudo sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
sudo sed -i 's|security.debian.org/debian-security|mirrors.ustc.edu.cn/debian-security|g' /etc/apt/sources.list

arm64

ubuntu
1
2
sudo sed -i 's/ports.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
sudo sed -i 's/ports.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list

树莓派

arm64架构的树莓派可以直接用debian的源 

1
2
3
sudo su
echo > /etc/apt/sources.list
sudo vim /etc/apt/sources.list
1
2
3
4
5
6
deb https://mirrors.ustc.edu.cn/debian/ bullseye main contrib non-free
# deb-src http://mirrors.ustc.edu.cn/debian bullseye main contrib non-free
deb https://mirrors.ustc.edu.cn/debian/ bullseye-updates main contrib non-free
# deb-src http://mirrors.ustc.edu.cn/debian bullseye-updates main contrib non-free
deb https://mirrors.ustc.edu.cn/debian-security bullseye-security main contrib non-free
# deb-src http://mirrors.ustc.edu.cn/debian-security/ bullseye-security main non-free contrib
树莓派基金会源 
1
sudo sed -i 's|//archive.raspberrypi.org|//mirrors.ustc.edu.cn/archive.raspberrypi.org|g' /etc/apt/sources.list.d/raspi.list
#### Docker

1
2
3
4
5
6
7
8
9
10
11
12
FROM ubuntu:20.04
RUN set -ex \ 
    && sed -i 's/archive.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list \
    && sed -i 's/security.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list \
    && apt-get update \
    && apt-get install tzdata curl procps -y \
    && groupadd -g 1000 admin -o -f \
    && useradd -m -G admin --uid 1000 --gid 1000 admin \
    && apt-get clean
ENV TZ=Asia/Shanghai
WORKDIR /home/admin
USER admin

安装最新版nginx

ubuntu

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
gpg --dry-run --quiet --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg

# stable
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list
# 优先级
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx
# 安装
sudo apt update
sudo apt install nginx

debian

1
2
3
4
5
6
7
8
9
10
11
12
13
14
sudo apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring -y
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
gpg --dry-run --quiet --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
# stable
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list
# 优先级
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx
# 安装
sudo apt update
sudo apt install nginx

nginx基本配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
server {
  charset utf-8;
  #listen unix:/dev/shm/default.sock proxy_protocol;
  #listen unix:/dev/shm/h2c.sock http2 proxy_protocol;
  listen 443 default_server ssl;
  server_name harbor.lo;
  ssl_session_cache shared:SSL:10m;
  ssl_certificate     /home/ubuntu/.ssl/cert.cer;
  ssl_certificate_key  /home/ubuntu/.ssl/cert.key;

  #ssl_stapling on;
  #ssl_stapling_verify on;

  ssl_session_timeout 10m;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  location / {
    #proxy_redirect off;
    #proxy_pass https://wf09.github.io/;
    #alias /home/ubuntu/tmp/;
    return 403;

  }
  }

gitlab配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 server {
   charset utf-8;
   #listen unix:/dev/shm/default.sock proxy_protocol;
   #listen unix:/dev/shm/h2c.sock http2 proxy_protocol;
   listen 443  ssl;
   server_name gitlab.lo;
   ssl_session_cache shared:SSL:10m;
   ssl_certificate     /usr/local/ssl/gitlab.lo.crt;
   ssl_certificate_key  /usr/local/ssl/gitlab.lo.key;

   #ssl_stapling on;
   #ssl_stapling_verify on;

   ssl_session_timeout 10m;
   ssl_ciphers HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers on;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

   location / {
     #proxy_redirect off;
     #proxy_pass https://wf09.github.io/;
     #alias /home/ubuntu/tmp/;
     #return 403;
     client_max_body_size 0;
     proxy_pass http://192.168.15.200:8880;
     proxy_set_header Host $host; # required for docker client's sake
     proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
   }
}

其他配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
worker_processes auto;

events {
  worker_connections 1024;
}

http {
  proxy_headers_hash_max_size 51200;
  proxy_headers_hash_bucket_size 6400;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for" '
  '$proxy_protocol_addr:$proxy_protocol_port';

  access_log /var/log/nginx/access.log main;
  server {
    charset utf-8;
    listen 443 ssl http2;
    server_name ap-sg-do.fly97.dev;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate     /usr/local/bin/cert.pem;
    ssl_certificate_key  /usr/local/bin/key.pem;
    location / {
      #proxy_redirect off;
      #proxy_pass https://wf09.github.io/;
      #alias /home/ubuntu/tmp/;
      return 403;
    }

    location ^~ /my/ {
      #auth_basic "Permission Denied";
      #auth_basic_user_file /usr/local/passwd;
      alias /mnt/volume_sgp1_01/;
      autoindex on;
      proxy_force_ranges on;
      max_ranges 32;
      autoindex_exact_size off;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    location /qb/ {
      proxy_redirect off;
      proxy_pass http://127.0.0.1:8090/;
      proxy_set_header Host $host;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header REMOTE-HOST $remote_addr;
      proxy_set_header Range $http_range;
      proxy_set_header If-Range $http_if_range;
      proxy_no_cache $http_range $http_if_range;
      # 如果server_name不是公网域名,这个地方可以设置成ip
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      http2_push_preload on;
      #这个是设置为0表示不管上传多大的文件都不会报request too large的问题,直接转发过去
      client_max_body_size 0;
      }
  }
}

service模版

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
[Unit]
Description=Lightweight Kubernetes
Documentation=https://k3s.io
Wants=network-online.target
After=network-online.target

[Install]
WantedBy=multi-user.target

[Service]
Type=notify
EnvironmentFile=-/etc/default/%N
EnvironmentFile=-/etc/sysconfig/%N
EnvironmentFile=-/etc/systemd/system/k3s.service.env
KillMode=process
Delegate=yes
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Restart=always
RestartSec=5s
ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server --node-ip 192.168.7.2 --node-external-ip 192.168.15.201 --tls-san 192.168.7.2 --flannel-backend host-gw --flannel-iface wg0 --no-deploy servicelb --write-kubeconfig-mode 644 --kube-proxy-arg 'proxy-mode=ipvs' --kube-proxy-arg 'ipvs-scheduler=rr' --kube-proxy-arg 'masquerade-all=true' --kube-proxy-arg 'metrics-bind-address=0.0.0.0:10249'

docker-compose常用配置

node exporter

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
version: '3'
services:
        node_exporter:
                privileged: true
                image: prom/node-exporter
                volumes:
                        - /run:/run
                        - /proc:/host/proc:ro
                        - /sys:/host/sys:ro
                        - /:/rootfs:ro
                command:
                        - "--web.listen-address=:9100"
                        - "--path.procfs=/host/proc"
                        - "--path.sysfs=/host/sys"
                        - "--path.rootfs=/rootfs" # Necessary for collecting host filesystem metrics.
                        - "--collector.filesystem.ignored-mount-points='^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)'"
                ports:
                        - 9100:9100
                restart: always

普罗米修斯

1
2
3
4
5
6
7
8
9
10
version: '3'
services:
        prometheus:
                image: prom/prometheus
                ports:
                        - 9091:9090
                restart: always
                volumes:
                        - ./conf:/etc/prometheus
                        - ./data:/prometheus

grafana

1
2
3
4
5
6
7
8
9
10
version: '3'
services:
        grafana:
                image: grafana/grafana:9.3.1-ubuntu
                restart: always
                volumes:
                        - ./sample.ini:/etc/grafana/grafana.ini
                        - ./data:/var/lib/grafana
                ports:
                        - 3000:3000

alertManager

1
2
3
4
5
6
7
8
9
version: '3'
services:
        alert:
                image: prom/alertmanager
                ports:
                        - 9093:9093
                restart: always
                volumes:
                        - ./conf:/etc/alertmanager

jenkins

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
version: '3.6'
services:
  jenkins:
    image: 'jenkins/jenkins'
    container_name: jenkins
    restart: always
    # hostname: 'gitlab.lo'                          # ssh hostname
    ports:
      - '127.0.0.1:8882:8080'
    shm_size: '256m'
    ulimits:
      nofile:
        soft: 1000000
        hard: 1000000
    privileged: true
    deploy:
      resources:
        limits:
          memory: 8G

gitlab

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
version: '3.6'
services:
  gitlab:
    image: 'registry.gitlab.cn/omnibus/gitlab-jh:latest'
    container_name: gitlab-cn
    restart: always
    hostname: 'gitlab.lo'                          # ssh hostname
    environment:
       GITLAB_OMNIBUS_CONFIG: |
         external_url 'https://gitlab.lo'          # git httpsname
         nginx['redirect_http_to_https'] = false
         nginx['listen_port'] = 8880
         nginx['listen_https'] = false
         prometheus_monitoring['enable'] = false
    ports:
      - '127.0.0.1:8881:8880'
      - '22:22'
    volumes:
      - './config:/etc/gitlab'
      - './logs:/var/log/gitlab'
      - './data:/var/opt/gitlab'
    shm_size: '256m'
    privileged: true
    deploy:
      resources:
        limits:
          memory: 8G

MySQL备份脚本

将MySQL文件逻辑备份文件以Docker镜像的形式推送到Docker私有镜像服务器

bash脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/bin/bash
day=`date "+%Y%m%d"`
cd $(dirname $(readlink -f "$0"))/data
mkdir -p $day
cd $day
mysqldump -h192.168.31.28 -uroot -proot -A | gzip > $day.tar.gz
if [ $? -ne 0 ]; then 
    echo "MySQL备份失败"
    exit -1
fi
echo -e "FROM busybox\nADD $day.tar.gz /mysql/$day.tar.gz" > Dockerfile
if [ $? -ne 0 ]; then 
    echo "Dockerfile生成失败"
    exit -1
fi

[ -f Dockerfile ] && docker build . -t hub.deepsoft-tech.com/wf09/jixiaobackup:$day
if [ $? -ne 0 ]; then 
    echo "镜像生成构建失败"
    exit -1
fi

docker login -uadmin -pdeepsoft hub.deepsoft-tech.com

if [ $? -ne 0 ]; then 
    echo "登录成功"
    exit -1
fi

docker push hub.deepsoft-tech.com/wf09/jixiaobackup:$day

if [ $? -ne 0 ]; then 
    echo "带TAG的镜像推送失败"
    exit -1
fi

docker tag hub.deepsoft-tech.com/wf09/jixiaobackup:$day hub.deepsoft-tech.com/wf09/mysqlbackup

if [ $? -ne 0 ]; then 
    echo "镜像推送失败"
    exit -1
fi

service单元文件

1
2
3
4
5
6
7
[Unit]
Description=Backup MySQL Service

[Service]
Type=simple
ExecStart=/usr/bin/bash -c /home/deepsoft/backup/mysql/backup.sh 
StandardError=journal

timer单元文件

每周备份两次

1
2
3
4
5
6
7
8
[Unit]
Description=Backup MySQL Timer

[Timer]
OnCalendar=Sun,Wed 03:30:00

[Install]
WantedBy=multi-user.target