一些常见的运维操作

关键词:运维操作

sudo无需输入密码

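# Give every member of the "sudo" group passwordless sudo.
# The rule goes into a sudoers.d drop-in and is checked with `visudo -c`:
# a syntax error in /etc/sudoers itself disables sudo for everyone, and a
# plain `>> /etc/sudoers` redirect runs as the calling user, not as root.
# (drop-in file name is constructed — any name without a "." works)
dropin=/etc/sudoers.d/sudo-nopasswd
tmp=$(mktemp) || exit 1
printf '%s\n' '%sudo ALL=(ALL) NOPASSWD:ALL' > "$tmp"
sudo install -m 0440 -o root -g root "$tmp" "$dropin"
rm -f -- "$tmp"
# roll the drop-in back if sudoers rejects it
sudo visudo -cf "$dropin" || sudo rm -f -- "$dropin"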

一键安装docker

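# Install Docker with the official convenience script, downloading packages
# from the Aliyun mirror. The URL is explicit https (curl defaults to http
# when no scheme is given); -f makes an HTTP error fail the download instead
# of saving an error page that would then be run as root.
curl -fsSL https://get.docker.com -o get-docker.sh
# look at get-docker.sh first — it is executed with root privileges
# sudo sh get-docker.sh --mirror
sudo sh get-docker.sh --mirror Aliyun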

docker需要使用sudo

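# Let the current user talk to the Docker daemon without sudo.
# The daemon runs as root, so membership in the "docker" group is
# equivalent to root on this host — only add accounts you would give root.
sudo groupadd -f docker            # -f: succeed if the group already exists (package installs create it)
sudo gpasswd -a "$USER" docker
sudo service docker restart
newgrp - docker                    # new login shell with the group active; or log out and back in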

查看文件夹占用

# Total size of every top-level directory, biggest first.
sudo du -s -- /* | sort -n -r
# Human-readable size of each direct child of the current directory.
sudo du -h --max-depth 1

清理docker冗余容器

# Remove stopped containers, unused networks, build cache and — because of
# --all — every image not used by a container, not just dangling ones.
docker system prune --all

清理k3s冗余容器

# Delete images in the k3s containerd store that no container references.
sudo k3s crictl rmi --prune

Systemctl定时执行任务

参考

  1. Linux 定时任务 crontab 和 Systemd Timer - 自由早晚乱余生 - 博客园

  2. https://www.junmajinlong.com/linux/systemd/systemd_timer/

执行文件

[Unit]
Description=GLaDOS Checkin Service

[Service]
# Runs the compose project in the foreground (no -d), so the unit stays
# active until the compose process exits. Type is not set, i.e. "simple".
# NOTE(review): assumes the checkin container exits on its own; a restart
# policy in the compose file would keep this unit running indefinitely.
ExecStart=/usr/bin/docker compose -f /home/wf09/glados/docker-compose.yml up

[Install]
# Only relevant if the service itself is enabled (it would then also run at
# boot); the timer unit starts it on schedule without this.
WantedBy=multi-user.target

timer触发器:以每天3点执行一次为例

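[Unit]
Description=GLaDOS Checkin Timer

[Timer]
# Every day at 03:00 local time.
OnCalendar=*-*-* 03:00:00
# Persistent=true would run a missed 03:00 job right after the next boot —
# add it if a skipped day matters.

[Install]
# timers.target is the target systemd uses to collect timer units;
# multi-user.target also works but is not the documented choice.
WantedBy=timers.target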

bash date日期时间

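# Common date formats. The original listing mixed commands with their output;
# the sample output is kept as comments so the block can be run as a script.
date '+%Y-%m-%d %H:%M:%S'
# 2021-08-17 22:49:57
date '+%Y-%m-%d'
# 2021-08-17
date '+%Y%m%d'
# 20210817
date +%Y%m%d                 # quotes are optional when the format has no spaces
# 20210817
date +%s                     # seconds since the Unix epoch
# 1629211600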

Linux软连接

# Create a symbolic link: ln -s <target> <link name>.
# The target path is stored as written, so a relative target is resolved
# relative to the directory the link lives in.
ln -s 源文件 目的文件

debian类修改源

amd64

ubuntu
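# Switch apt to the USTC mirror (Ubuntu, amd64). Both substitutions run in
# one pass and -i.bak keeps the original as sources.list.bak for rollback.
# NOTE: the first pattern only matches the "cn." regional mirror host; a
# stock install uses archive.ubuntu.com without the prefix — adjust if so.
sudo sed -i.bak \
  -e 's/cn.archive.ubuntu.com/mirrors.ustc.edu.cn/g' \
  -e 's/security.ubuntu.com/mirrors.ustc.edu.cn/g' \
  /etc/apt/sources.list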
debian
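# Switch apt to the USTC mirror (Debian, amd64). Both substitutions run in
# one pass and -i.bak keeps the original as sources.list.bak for rollback.
# The security line rewrites host and path together, so "|" is used as the
# sed delimiter.
sudo sed -i.bak \
  -e 's/deb.debian.org/mirrors.ustc.edu.cn/g' \
  -e 's|security.debian.org/debian-security|mirrors.ustc.edu.cn/debian-security|g' \
  /etc/apt/sources.list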

arm64

ubuntu
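# Switch apt to the USTC mirror (Ubuntu, arm64). On the ports archive the
# security suite is served from ports.ubuntu.com as well, so a single
# substitution covers every line; the original ran the same command twice.
# -i.bak keeps the original as sources.list.bak for rollback.
sudo sed -i.bak 's/ports.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list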

树莓派

arm64架构的树莓派可以直接用debian的源

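# Replace /etc/apt/sources.list on an arm64 Raspberry Pi with the USTC
# Debian (bullseye) mirror. The original sequence (`sudo su`, truncate with
# `echo >`, then edit in vim) is not runnable as a script: `sudo su` opens an
# interactive shell and the file is emptied before any content exists.
# Here the old file is backed up first and the new one written in one step.
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
sudo tee /etc/apt/sources.list >/dev/null <<'EOF'
deb https://mirrors.ustc.edu.cn/debian/ bullseye main contrib non-free
# deb-src http://mirrors.ustc.edu.cn/debian bullseye main contrib non-free
deb https://mirrors.ustc.edu.cn/debian/ bullseye-updates main contrib non-free
# deb-src http://mirrors.ustc.edu.cn/debian bullseye-updates main contrib non-free
deb https://mirrors.ustc.edu.cn/debian-security bullseye-security main contrib non-free
# deb-src http://mirrors.ustc.edu.cn/debian-security/ bullseye-security main non-free contrib
EOF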
树莓派基金会源
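# Point the Raspberry Pi Foundation repository at the USTC mirror. The
# pattern is anchored on "//" so only the host part of the URL is rewritten;
# -i.bak keeps the original as raspi.list.bak for rollback.
sudo sed -i.bak 's|//archive.raspberrypi.org|//mirrors.ustc.edu.cn/archive.raspberrypi.org|g' /etc/apt/sources.list.d/raspi.list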
#### Docker

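FROM ubuntu:20.04

# Build-time only: without it the tzdata package prompts for a time zone
# during the build and the build stalls. ARG (not ENV) so it does not leak
# into the final image.
ARG DEBIAN_FRONTEND=noninteractive

# Point apt at the USTC mirror, install the base tools and create the
# unprivileged "admin" user (uid/gid 1000) the container runs as.
# -o/-f on groupadd: allow a non-unique gid and succeed if the group exists.
# The apt lists are removed so they do not bloat the image layer.
RUN set -ex \
    && sed -i 's/archive.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list \
    && sed -i 's/security.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list \
    && apt-get update \
    && apt-get install tzdata curl procps -y \
    && groupadd -g 1000 admin -o -f \
    && useradd -m -G admin --uid 1000 --gid 1000 admin \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
ENV TZ=Asia/Shanghai
WORKDIR /home/admin
USER admin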

安装最新版nginx

ubuntu

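# Install the current nginx from nginx.org's own apt repository (Ubuntu).
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y

# Import the nginx signing key into a dedicated keyring (not apt-key).
# -f makes curl fail on an HTTP error instead of handing an error page to gpg.
curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
  | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
# Show the imported key; compare its fingerprint with the one published in
# the nginx installation docs before going on.
gpg --dry-run --quiet --import --import-options import-show \
  /usr/share/keyrings/nginx-archive-keyring.gpg

# stable repository; signed-by restricts it to the keyring above
printf 'deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu %s nginx\n' \
  "$(lsb_release -cs)" | sudo tee /etc/apt/sources.list.d/nginx.list
# pin nginx.org above the distribution's own nginx package
printf 'Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n' \
  | sudo tee /etc/apt/preferences.d/99nginx
# install
sudo apt update
sudo apt install nginx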

debian

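# Install the current nginx from nginx.org's own apt repository (Debian).
sudo apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring -y

# Import the nginx signing key into a dedicated keyring (not apt-key).
# -f makes curl fail on an HTTP error instead of handing an error page to gpg.
curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
  | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
# Show the imported key; compare its fingerprint with the one published in
# the nginx installation docs before going on.
gpg --dry-run --quiet --import --import-options import-show \
  /usr/share/keyrings/nginx-archive-keyring.gpg

# stable repository; signed-by restricts it to the keyring above
printf 'deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian %s nginx\n' \
  "$(lsb_release -cs)" | sudo tee /etc/apt/sources.list.d/nginx.list
# pin nginx.org above the distribution's own nginx package
printf 'Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n' \
  | sudo tee /etc/apt/preferences.d/99nginx
# install
sudo apt update
sudo apt install nginx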

nginx基本配置

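server {
    charset utf-8;
    #listen unix:/dev/shm/default.sock proxy_protocol;
    #listen unix:/dev/shm/h2c.sock http2 proxy_protocol;
    # Catch-all TLS vhost: requests for any name no other server block
    # matches land here and are refused with 403.
    listen 443 default_server ssl;
    server_name harbor.lo;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /home/ubuntu/.ssl/cert.cer;
    ssl_certificate_key /home/ubuntu/.ssl/cert.key;

    #ssl_stapling on;
    #ssl_stapling_verify on;

    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # TLS 1.0 and 1.1 (deprecated, RFC 8996) were removed from the original
    # list; only 1.2 and 1.3 are offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        #proxy_redirect off;
        #proxy_pass https://wf09.github.io/;
        #alias /home/ubuntu/tmp/;
        return 403;
    }
}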

gitlab配置

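 server {
     charset utf-8;
     #listen unix:/dev/shm/default.sock proxy_protocol;
     #listen unix:/dev/shm/h2c.sock http2 proxy_protocol;
     listen 443 ssl;
     server_name gitlab.lo;
     ssl_session_cache shared:SSL:10m;
     ssl_certificate /usr/local/ssl/gitlab.lo.crt;
     ssl_certificate_key /usr/local/ssl/gitlab.lo.key;

     #ssl_stapling on;
     #ssl_stapling_verify on;

     ssl_session_timeout 10m;
     ssl_ciphers HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers on;
     # TLS 1.0 and 1.1 (deprecated, RFC 8996) were removed from the original
     # list; only 1.2 and 1.3 are offered.
     ssl_protocols TLSv1.2 TLSv1.3;

     # TLS ends here; plain HTTP is forwarded to the GitLab instance, which
     # learns the original scheme and client address from the headers below.
     location / {
         #proxy_redirect off;
         #proxy_pass https://wf09.github.io/;
         #alias /home/ubuntu/tmp/;
         #return 403;
         # no request body limit: git pushes and registry uploads can be large
         client_max_body_size 0;
         proxy_pass http://192.168.15.200:8880;
         proxy_set_header Host $host; # required for docker client's sake
         proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 }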

其他配置

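worker_processes auto;

events {
    worker_connections 1024;
}

http {
    proxy_headers_hash_max_size 51200;
    proxy_headers_hash_bucket_size 6400;
    # Access log format; the last field records the PROXY-protocol source
    # address/port for listeners that use it.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$proxy_protocol_addr:$proxy_protocol_port';

    access_log /var/log/nginx/access.log main;

    server {
        charset utf-8;
        listen 443 ssl http2;
        server_name ap-sg-do.fly97.dev;
        ssl_session_cache shared:SSL:10m;
        ssl_certificate /usr/local/bin/cert.pem;
        ssl_certificate_key /usr/local/bin/key.pem;

        # nothing is served at the root
        location / {
            #proxy_redirect off;
            #proxy_pass https://wf09.github.io/;
            #alias /home/ubuntu/tmp/;
            return 403;
        }

        # Directory listing of the attached volume. auth_basic is commented
        # out, so the listing and its files are readable by anyone who can
        # reach this vhost.
        location ^~ /my/ {
            #auth_basic "Permission Denied";
            #auth_basic_user_file /usr/local/passwd;
            alias /mnt/volume_sgp1_01/;
            autoindex on;
            proxy_force_ranges on;
            max_ranges 32;
            autoindex_exact_size off;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # Reverse proxy to the backend on 127.0.0.1:8090 (presumably a
        # torrent client web UI, going by the path). Upgrade/Connection are
        # forwarded so websocket-style upgrades work through the proxy.
        location /qb/ {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:8090/;
            proxy_set_header Host $host;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # X-Forwarded-Proto was set twice in the original; set once here.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_no_cache $http_range $http_if_range;
            # If server_name is not a public domain name, this can be set to the IP.
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # NOTE(review): HTTP/2 server push has been removed from recent
            # nginx releases; this directive may be rejected on a current
            # build — verify against the installed version.
            http2_push_preload on;
            # 0 disables the body size limit, so uploads of any size are
            # forwarded instead of failing with "request entity too large".
            client_max_body_size 0;
        }
    }
}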

service模版

[Unit]
Description=Lightweight Kubernetes
Documentation=https://k3s.io
Wants=network-online.target
After=network-online.target

[Install]
WantedBy=multi-user.target

[Service]
Type=notify
# "-" prefix: a missing file is not an error. %N is the unit name without
# its suffix (k3s).
EnvironmentFile=-/etc/default/%N
EnvironmentFile=-/etc/sysconfig/%N
EnvironmentFile=-/etc/systemd/system/k3s.service.env
# Only the main k3s process is signalled on stop; its child processes
# (the containers) are left running.
KillMode=process
Delegate=yes
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Restart=always
RestartSec=5s
# Refuse to start while nm-cloud-setup.service is enabled (no "-" prefix,
# so a non-zero status here aborts the start).
ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
# "-": a failing modprobe (module absent or built in) does not abort the start.
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
# Flags worth knowing about:
#   --write-kubeconfig-mode 644: the generated admin kubeconfig is readable
#     by every local user, i.e. any local account can act as cluster-admin.
#   --no-deploy servicelb: NOTE(review) newer k3s releases replaced
#     --no-deploy with --disable — verify against the installed version.
#   --flannel-iface wg0 with host-gw: pod traffic goes over the wg0
#     interface (presumably WireGuard, going by the name).
#   metrics-bind-address=0.0.0.0:10249: kube-proxy metrics are exposed on
#     every interface, not just loopback.
ExecStart=/usr/local/bin/k3s server --node-ip 192.168.7.2 --node-external-ip 192.168.15.201 --tls-san 192.168.7.2 --flannel-backend host-gw --flannel-iface wg0 --no-deploy servicelb --write-kubeconfig-mode 644 --kube-proxy-arg 'proxy-mode=ipvs' --kube-proxy-arg 'ipvs-scheduler=rr' --kube-proxy-arg 'masquerade-all=true' --kube-proxy-arg 'metrics-bind-address=0.0.0.0:10249'

docker-compose常用配置

node exporter

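version: '3'
services:
  node_exporter:
    # privileged grants the container every capability and all host devices;
    # together with the mounts below it can read the whole host filesystem.
    privileged: true
    image: prom/node-exporter
    volumes:
      - /run:/run
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    command:
      - "--web.listen-address=:9100"
      - "--path.procfs=/host/proc"
      - "--path.sysfs=/host/sys"
      - "--path.rootfs=/rootfs" # Necessary for collecting host filesystem metrics.
      # List-form command arguments are not shell-parsed, so the single quotes
      # the original wrapped this regex in were passed literally ('^/...') and
      # the pattern could never match — nothing was excluded. They are dropped
      # here. $$ is compose's escape for a literal $.
      - "--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
    ports:
      # published on every host interface
      - 9100:9100
    restart: always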

普罗米修斯

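version: '3'
services:
  prometheus:
    image: prom/prometheus
    ports:
      # host 9091 -> container 9090, published on every host interface
      - 9091:9090
    restart: always
    volumes:
      # configuration and TSDB data live next to the compose file
      - ./conf:/etc/prometheus
      - ./data:/prometheus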

grafana

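version: '3'
services:
  grafana:
    image: grafana/grafana:9.3.1-ubuntu
    restart: always
    volumes:
      # grafana.ini is supplied from the local sample.ini; dashboards and
      # the SQLite database persist in ./data
      - ./sample.ini:/etc/grafana/grafana.ini
      - ./data:/var/lib/grafana
    ports:
      # published on every host interface
      - 3000:3000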

alertManager

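version: '3'
services:
  alert:
    image: prom/alertmanager
    ports:
      # published on every host interface
      - 9093:9093
    restart: always
    volumes:
      # alertmanager configuration lives next to the compose file
      - ./conf:/etc/alertmanager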

jenkins

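version: '3.6'
services:
  jenkins:
    image: 'jenkins/jenkins'
    container_name: jenkins
    restart: always
    # hostname: 'gitlab.lo' # ssh hostname
    ports:
      # bound to loopback only: reachable through a local reverse proxy,
      # not directly from the network
      - '127.0.0.1:8882:8080'
    shm_size: '256m'
    ulimits:
      nofile:
        soft: 1000000
        hard: 1000000
    # privileged grants the container every capability and all host devices.
    privileged: true
    deploy:
      resources:
        limits:
          memory: 8G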

gitlab

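version: '3.6'
services:
  gitlab:
    # :latest is unpinned, so every pull may jump GitLab versions; pin a tag
    # for controlled upgrades.
    image: 'registry.gitlab.cn/omnibus/gitlab-jh:latest'
    container_name: gitlab-cn
    restart: always
    hostname: 'gitlab.lo' # ssh hostname
    environment:
      # The bundled nginx serves plain HTTP on 8880; TLS is terminated by the
      # reverse proxy in front of it, hence the https external_url.
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.lo' # git httpsname
        nginx['redirect_http_to_https'] = false
        nginx['listen_port'] = 8880
        nginx['listen_https'] = false
        prometheus_monitoring['enable'] = false
    ports:
      # web UI on loopback only (behind the reverse proxy)
      - '127.0.0.1:8881:8880'
      # git-over-ssh on every host interface; host port 22 must be free,
      # i.e. the host's own sshd has to listen elsewhere
      - '22:22'
    volumes:
      - './config:/etc/gitlab'
      - './logs:/var/log/gitlab'
      - './data:/var/opt/gitlab'
    shm_size: '256m'
    # privileged grants the container every capability and all host devices.
    privileged: true
    deploy:
      resources:
        limits:
          memory: 8G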

MySQL备份脚本

将MySQL文件逻辑备份文件以Docker镜像的形式推送到Docker私有镜像服务器

bash脚本

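#!/bin/bash
# Dump every MySQL database, wrap the gzip'd dump in a minimal busybox image
# and push it to the private registry, tagged with today's date plus a moving
# "mysqlbackup" tag.
#
# Credentials come from the environment so they do not show up on the
# command line (argv is visible to every local user via ps). The defaults
# reproduce the original hard-coded values; override them from the caller,
# e.g. an EnvironmentFile= in the service unit:
#   MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD   - database to dump
#   REGISTRY_USER, REGISTRY_PASSWORD         - registry login
#
# Fixes relative to the original: the status of mysqldump (not just gzip) is
# checked, the login-failure message said "登录成功", and the moving tag was
# created but never pushed although its error message spoke of a push.
set -o pipefail   # a failing mysqldump must not be hidden by gzip's status

readonly registry=hub.deepsoft-tech.com
readonly image=$registry/wf09/jixiaobackup
readonly latest=$registry/wf09/mysqlbackup

# Print a message to stderr and exit 1 (the original used `exit -1`, which
# is not a valid status and becomes 255).
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

main() {
  local day script_dir
  day=$(date '+%Y%m%d')
  script_dir=$(dirname "$(readlink -f "$0")")

  mkdir -p "$script_dir/data/$day" || die "创建备份目录失败"
  cd "$script_dir/data/$day" || die "进入备份目录失败"

  # MYSQL_PWD keeps the password out of argv. -A dumps all databases. The
  # output is a plain gzip'd SQL stream; the .tar.gz name is kept so existing
  # backups and consumers stay compatible.
  MYSQL_PWD="${MYSQL_PASSWORD:-root}" mysqldump \
    -h"${MYSQL_HOST:-192.168.31.28}" -u"${MYSQL_USER:-root}" -A \
    | gzip > "$day.tar.gz" || die "MySQL备份失败"

  # COPY instead of ADD: the file is not a tar archive, so both copy it
  # verbatim, and COPY says so explicitly.
  printf 'FROM busybox\nCOPY %s /mysql/%s\n' "$day.tar.gz" "$day.tar.gz" > Dockerfile \
    || die "Dockerfile生成失败"

  docker build . -t "$image:$day" || die "镜像生成构建失败"

  # --password-stdin keeps the registry password out of the process list.
  printf '%s' "${REGISTRY_PASSWORD:-deepsoft}" \
    | docker login -u "${REGISTRY_USER:-admin}" --password-stdin "$registry" \
    || die "登录失败"

  docker push "$image:$day" || die "带TAG的镜像推送失败"

  # moving tag pointing at the newest backup
  docker tag "$image:$day" "$latest" || die "镜像打标签失败"
  docker push "$latest" || die "镜像推送失败"
}

main "$@"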

service单元文件

[Unit]
Description=Backup MySQL Service

[Service]
Type=simple
# `bash -c <path>` executes the path as a command, so the script still needs
# its execute bit; `/usr/bin/bash <path>` would run it without one.
ExecStart=/usr/bin/bash -c /home/deepsoft/backup/mysql/backup.sh
# script errors end up in the journal (journalctl -u <this unit>)
StandardError=journal
# No [Install] section: the matching .timer unit starts this service, so the
# service itself never needs to be enabled.

timer单元文件

每周备份两次

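[Unit]
Description=Backup MySQL Timer

[Timer]
# Sunday and Wednesday at 03:30 local time.
OnCalendar=Sun,Wed 03:30:00
# Persistent=true would run a missed backup right after the next boot — add
# it if a skipped run matters.

[Install]
# timers.target is the target systemd uses to collect timer units;
# multi-user.target also works but is not the documented choice.
WantedBy=timers.target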