分类 GNU/Linux 下的文章

sudo ln -s /usr/bin/basename /bin/basename
sudo ln -s bin/bash /usr/bin/bash
sudo ln -s /usr/bin/rpm /bin/rpm
sudo ln -s /usr/bin/awk /bin/awk
sudo ln -s /usr/lib/x86_64-linux-gnu /usr/lib64
sudo ln -s /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /lib64/libstdc++.so.6
sudo ln -s /lib/x86_64-linux-gnu/libgcc_s.so.1 /lib64/libgcc_s.so.1
sudo ln -s /usr/lib/i386-linux-gnu/libpthread_nonshared.a /usr/lib/libpthread_nonshared.a
sudo ln -s /lib/lsb/init-functions /etc/init.d/functions
sudo ln -sf /bin/bash /bin/sh

https://stackoverflow.com/questions/51060012/installing-oracle-12c-r2-on-ubuntu-18-04

...
Note: The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version, supported until 11th September 2023. ...

当前最新版本 openssl 1.1.1c

先来看看./Configure提供的选项
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]

Configuration Options ---------------------

There are several options to ./config (or ./Configure) to customize
the build (note that for Windows, the defaults for --prefix and
--openssldir depend in what configuration is used and what Windows implementation OpenSSL is built on. More notes on this in NOTES.WIN):

--api=x.y.z

               Don't build with support for deprecated APIs below the
               specified version number. For example "--api=1.1.0" will
               remove support for all APIS that were deprecated in OpenSSL
               version 1.1.0 or below.

--cross-compile-prefix=PREFIX

               The PREFIX to include in front of commands for your
               toolchain. It's likely to have to end with dash, e.g.
               a-b-c- would invoke GNU compiler as a-b-c-gcc, etc.
               Unfortunately cross-compiling is too case-specific to
               put together one-size-fits-all instructions. You might
               have to pass more flags or set up environment variables
               to actually make it work. Android and iOS cases are
               discussed in corresponding Configurations/15-*.conf
               files. But there are cases when this option alone is
               sufficient. For example to build the mingw64 target on
               Linux "--cross-compile-prefix=x86_64-w64-mingw32-"
               works. Naturally provided that mingw packages are
               installed. Today Debian and Ubuntu users have option to
               install a number of prepackaged cross-compilers along
               with corresponding run-time and development packages for
               "alien" hardware. To give another example
               "--cross-compile-prefix=mipsel-linux-gnu-" suffices
               in such case. Needless to mention that you have to
               invoke ./Configure, not ./config, and pass your target
               name explicitly. Also, note that --openssldir refers
               to target's file system, not one you are building on.

--debug

               Build OpenSSL with debugging symbols and zero optimization
               level.

--libdir=DIR

               The name of the directory under the top of the installation
               directory tree (see the --prefix option) where libraries will
               be installed. By default this is "lib". Note that on Windows
               only ".lib" files will be stored in this location. dll files
               will always be installed to the "bin" directory.

--openssldir=DIR

               Directory for OpenSSL configuration files, and also the
               default certificate and key store.  Defaults are:

               Unix:           /usr/local/ssl
               Windows:        C:\Program Files\Common Files\SSL
                            or C:\Program Files (x86)\Common Files\SSL
               OpenVMS:        SYS$COMMON:[OPENSSL-COMMON]

--prefix=DIR

               The top of the installation directory tree.  Defaults are:

               Unix:           /usr/local
               Windows:        C:\Program Files\OpenSSL
                            or C:\Program Files (x86)\OpenSSL
               OpenVMS:        SYS$COMMON:[OPENSSL-'version']

--release

               Build OpenSSL without debugging symbols. This is the default.

--strict-warnings

               This is a developer flag that switches on various compiler
               options recommended for OpenSSL development. It only works
               when using gcc or clang as the compiler. If you are
               developing a patch for OpenSSL then it is recommended that
               you use this option where possible.

--with-zlib-include=DIR

               The directory for the location of the zlib include file. This
               option is only necessary if enable-zlib (see below) is used
               and the include file is not already on the system include
               path.

--with-zlib-lib=LIB

               On Unix: this is the directory containing the zlib library.
               If not provided the system library path will be used.
               On Windows: this is the filename of the zlib library (with or
               without a path). This flag must be provided if the
               zlib-dynamic option is not also used. If zlib-dynamic is used
               then this flag is optional and a default value ("ZLIB1") is
               used if not provided.
               On VMS: this is the filename of the zlib library (with or
               without a path). This flag is optional and if not provided
               then "GNV$LIBZSHR", "GNV$LIBZSHR32" or "GNV$LIBZSHR64" is
               used by default depending on the pointer size chosen.

--with-rand-seed=seed1[,seed2,...]

               A comma separated list of seeding methods which will be tried
               by OpenSSL in order to obtain random input (a.k.a "entropy")
               for seeding its cryptographically secure random number
               generator (CSPRNG). The current seeding methods are:

               os:         Use a trusted operating system entropy source.
                           This is the default method if such an entropy
                           source exists.
               getrandom:  Use the L<getrandom(2)> or equivalent system
                           call.
               devrandom:  Use the the first device from the DEVRANDOM list
                           which can be opened to read random bytes. The
                           DEVRANDOM preprocessor constant expands to
                           "/dev/urandom","/dev/random","/dev/srandom" on
                           most unix-ish operating systems.
               egd:        Check for an entropy generating daemon.
               rdcpu:      Use the RDSEED or RDRAND command if provided by
                           the CPU.
               librandom:  Use librandom (not implemented yet).
               none:       Disable automatic seeding. This is the default
                           on some operating systems where no suitable
                           entropy source exists, or no support for it is
                           implemented yet.

               For more information, see the section 'Note on random number
               generation' at the end of this document.

no-afalgeng

               Don't build the AFALG engine. This option will be forced if
               on a platform that does not support AFALG.

enable-asan

               Build with the Address sanitiser. This is a developer option
               only. It may not work on all platforms and should never be
               used in production environments. It will only work when used
               with gcc or clang and should be used in conjunction with the
               no-shared option.

no-asm

               Do not use assembler code. This should be viewed as
               debugging/trouble-shooting option rather than production.
               On some platforms a small amount of assembler code may
               still be used even with this option.

no-async

               Do not build support for async operations.

no-autoalginit

               Don't automatically load all supported ciphers and digests.
               Typically OpenSSL will make available all of its supported
               ciphers and digests. For a statically linked application this
               may be undesirable if small executable size is an objective.
               This only affects libcrypto. Ciphers and digests will have to
               be loaded manually using EVP_add_cipher() and
               EVP_add_digest() if this option is used. This option will
               force a non-shared build.

no-autoerrinit

               Don't automatically load all libcrypto/libssl error strings.
               Typically OpenSSL will automatically load human readable
               error strings. For a statically linked application this may
               be undesirable if small executable size is an objective.

no-autoload-config

               Don't automatically load the default openssl.cnf file.
               Typically OpenSSL will automatically load a system config
               file which configures default ssl options.

enable-buildtest-c++

               While testing, generate C++ buildtest files that
               simply check that the public OpenSSL header files
               are usable standalone with C++.

               Enabling this option demands extra care.  For any
               compiler flag given directly as configuration
               option, you must ensure that it's valid for both
               the C and the C++ compiler.  If not, the C++ build
               test will most likely break.  As an alternative,
               you can use the language specific variables, CFLAGS
               and CXXFLAGS.

no-capieng

               Don't build the CAPI engine. This option will be forced if
               on a platform that does not support CAPI.

no-cms

               Don't build support for CMS features

no-comp

               Don't build support for SSL/TLS compression. If this option
               is left enabled (the default), then compression will only
               work if the zlib or zlib-dynamic options are also chosen.

enable-crypto-mdebug

               Build support for debugging memory allocated via
               OPENSSL_malloc() or OPENSSL_zalloc().

enable-crypto-mdebug-backtrace

               As for crypto-mdebug, but additionally provide backtrace
               information for allocated memory.
               TO BE USED WITH CARE: this uses GNU C functionality, and
               is therefore not usable for non-GNU config targets.  If
               your build complains about the use of '-rdynamic' or the
               lack of header file execinfo.h, this option is not for you.
               ALSO NOTE that even though execinfo.h is available on your
               system (through Gnulib), the functions might just be stubs
               that do nothing.

no-ct

               Don't build support for Certificate Transparency.

no-deprecated

               Don't build with support for any deprecated APIs. This is the
               same as using "--api" and supplying the latest version
               number.

no-dgram

               Don't build support for datagram based BIOs. Selecting this
               option will also force the disabling of DTLS.

enable-devcryptoeng

               Build the /dev/crypto engine.  It is automatically selected
               on BSD implementations, in which case it can be disabled with
               no-devcryptoeng.

no-dynamic-engine

               Don't build the dynamically loaded engines. This only has an
               effect in a "shared" build

no-ec

               Don't build support for Elliptic Curves.

no-ec2m

               Don't build support for binary Elliptic Curves

enable-ec_nistp_64_gcc_128

               Enable support for optimised implementations of some commonly
               used NIST elliptic curves.
               This is only supported on platforms:
               - with little-endian storage of non-byte types
               - that tolerate misaligned memory references
               - where the compiler:
                 - supports the non-standard type __uint128_t
                 - defines the built-in macro __SIZEOF_INT128__

enable-egd

               Build support for gathering entropy from EGD (Entropy
               Gathering Daemon).

no-engine

               Don't build support for loading engines.

no-err

               Don't compile in any error strings.

enable-external-tests

               Enable building of integration with external test suites.
               This is a developer option and may not work on all platforms.
               The only supported external test suite at the current time is
               the BoringSSL test suite. See the file test/README.external
               for further details.

no-filenames

               Don't compile in filename and line number information (e.g.
               for errors and memory allocation).

enable-fuzz-libfuzzer, enable-fuzz-afl

               Build with support for fuzzing using either libfuzzer or AFL.
               These are developer options only. They may not work on all
               platforms and should never be used in production environments.
               See the file fuzz/README.md for further details.

no-gost

               Don't build support for GOST based ciphersuites. Note that
               if this feature is enabled then GOST ciphersuites are only
               available if the GOST algorithms are also available through
               loading an externally supplied engine.

no-hw-padlock

               Don't build the padlock engine.

no-makedepend

               Don't generate dependencies.

no-multiblock

               Don't build support for writing multiple records in one
               go in libssl (Note: this is a different capability to the
               pipelining functionality).

no-nextprotoneg

               Don't build support for the NPN TLS extension.

no-ocsp

               Don't build support for OCSP.

no-pic

               Don't build with support for Position Independent Code.

no-pinshared By default OpenSSL will attempt to stay in memory
until the

               process exits. This is so that libcrypto and libssl can be
               properly cleaned up automatically via an "atexit()" handler.
               The handler is registered by libcrypto and cleans up both
               libraries. On some platforms the atexit() handler will run on
               unload of libcrypto (if it has been dynamically loaded)
               rather than at process exit. This option can be used to stop
               OpenSSL from attempting to stay in memory until the process
               exits. This could lead to crashes if either libcrypto or
               libssl have already been unloaded at the point
               that the atexit handler is invoked, e.g. on a platform which
               calls atexit() on unload of the library, and libssl is
               unloaded before libcrypto then a crash is likely to happen.
               Applications can suppress running of the atexit() handler at
               run time by using the OPENSSL_INIT_NO_ATEXIT option to
               OPENSSL_init_crypto(). See the man page for it for further
               details.

no-posix-io

               Don't use POSIX IO capabilities.

no-psk

               Don't build support for Pre-Shared Key based ciphersuites.

no-rdrand

               Don't use hardware RDRAND capabilities.

no-rfc3779

               Don't build support for RFC3779 ("X.509 Extensions for IP
               Addresses and AS Identifiers")

sctp

               Build support for SCTP

no-shared

               Do not create shared libraries, only static ones.  See "Note
               on shared libraries" below.

no-sock

               Don't build support for socket BIOs

no-srp

               Don't build support for SRP or SRP based ciphersuites.

no-srtp

               Don't build SRTP support

no-sse2

               Exclude SSE2 code paths from 32-bit x86 assembly modules.
               Normally SSE2 extension is detected at run-time, but the
               decision whether or not the machine code will be executed
               is taken solely on CPU capability vector. This means that
               if you happen to run OS kernel which does not support SSE2
               extension on Intel P4 processor, then your application
               might be exposed to "illegal instruction" exception.
               There might be a way to enable support in kernel, e.g.
               FreeBSD kernel can  be compiled with CPU_ENABLE_SSE, and
               there is a way to disengage SSE2 code paths upon application
               start-up, but if you aim for wider "audience" running
               such kernel, consider no-sse2. Both the 386 and
               no-asm options imply no-sse2.

enable-ssl-trace

               Build with the SSL Trace capabilities (adds the "-trace"
               option to s_client and s_server).

no-static-engine

               Don't build the statically linked engines. This only
               has an impact when not built "shared".

no-stdio

               Don't use anything from the C header file "stdio.h" that
               makes use of the "FILE" type. Only libcrypto and libssl can
               be built in this way. Using this option will suppress
               building the command line applications. Additionally since
               the OpenSSL tests also use the command line applications the
               tests will also be skipped.

no-tests

               Don't build test programs or run any test.

no-threads

               Don't try to build with support for multi-threaded
               applications.

threads

               Build with support for multi-threaded applications. Most
               platforms will enable this by default. However if on a
               platform where this is not the case then this will usually
               require additional system-dependent options! See "Note on
               multi-threading" below.

no-ts

               Don't build Time Stamping Authority support.

enable-ubsan

               Build with the Undefined Behaviour sanitiser. This is a
               developer option only. It may not work on all platforms and
               should never be used in production environments. It will only
               work when used with gcc or clang and should be used in
               conjunction with the "-DPEDANTIC" option (or the
               --strict-warnings option).

no-ui

               Don't build with the "UI" capability (i.e. the set of
               features enabling text based prompts).

enable-unit-test

               Enable additional unit test APIs. This should not typically
               be used in production deployments.

enable-weak-ssl-ciphers

               Build support for SSL/TLS ciphers that are considered "weak"
               (e.g. RC4 based ciphersuites).

zlib

               Build with support for zlib compression/decompression.

zlib-dynamic

               Like "zlib", but has OpenSSL load the zlib library
               dynamically when needed.  This is only supported on systems
               where loading of shared libraries is supported.

386

               In 32-bit x86 builds, when generating assembly modules,
               use the 80386 instruction set only (the default x86 code
               is more efficient, but requires at least a 486). Note:
               This doesn't affect code generated by compiler, you're
               likely to complement configuration command line with
               suitable compiler-specific option.

no-

               Don't build support for negotiating the specified SSL/TLS
               protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2,
               tls1_3, dtls, dtls1 or dtls1_2). If "no-tls" is selected then
               all of tls1, tls1_1, tls1_2 and tls1_3 are disabled.
               Similarly "no-dtls" will disable dtls1 and dtls1_2. The
               "no-ssl" option is synonymous with "no-ssl3". Note this only
               affects version negotiation. OpenSSL will still provide the
               methods for applications to explicitly select the individual
               protocol versions.

no--method

               As for no-<prot> but in addition do not build the methods for
               applications to explicitly select individual protocol
               versions. Note that there is no "no-tls1_3-method" option
               because there is no application method for TLSv1.3. Using
               individual protocol methods directly is deprecated.
               Applications should use TLS_method() instead.

enable-

               Build with support for the specified algorithm, where <alg>
               is one of: md2 or rc5.

no-

               Build without support for the specified algorithm, where
               <alg> is one of: aria, bf, blake2, camellia, cast, chacha,
               cmac, des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb,
               poly1305, rc2, rc4, rmd160, scrypt, seed, siphash, sm2, sm3,
               sm4 or whirlpool.  The "ripemd" algorithm is deprecated and
               if used is synonymous with rmd160.

-Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework,
-static

               These system specific options will be recognised and
               passed through to the compiler to allow you to define
               preprocessor symbols, specify additional libraries, library
               directories or other compiler options. It might be worth
               noting that some compilers generate code specifically for
               processor the compiler currently executes on. This is not
               necessarily what you might have in mind, since it might be
               unsuitable for execution on other, typically older,
               processor. Consult your compiler documentation.

               Take note of the VAR=value documentation below and how
               these flags interact with those variables.

-xxx, +xxx

               Additional options that are not otherwise recognised are
               passed through as they are to the compiler as well.  Again,
               consult your compiler documentation.

               Take note of the VAR=value documentation below and how
               these flags interact with those variables.

VAR=value

               Assignment of environment variable for Configure.  These
               work just like normal environment variable assignments,
               but are supported on all platforms and are confined to
               the configuration scripts only.  These assignments override
               the corresponding value in the inherited environment, if
               there is one.

               The following variables are used as "make variables" and
               can be used as an alternative to giving preprocessor,
               compiler and linker options directly as configuration.
               The following variables are supported:

               AR              The static library archiver.
               ARFLAGS         Flags for the static library archiver.
               AS              The assembler compiler.
               ASFLAGS         Flags for the assembler compiler.
               CC              The C compiler.
               CFLAGS          Flags for the C compiler.
               CXX             The C++ compiler.
               CXXFLAGS        Flags for the C++ compiler.
               CPP             The C/C++ preprocessor.
               CPPFLAGS        Flags for the C/C++ preprocessor.
               CPPDEFINES      List of CPP macro definitions, separated
                               by a platform specific character (':' or
                               space for Unix, ';' for Windows, ',' for
                               VMS).  This can be used instead of using
                               -D (or what corresponds to that on your
                               compiler) in CPPFLAGS.
               CPPINCLUDES     List of CPP inclusion directories, separated
                               the same way as for CPPDEFINES.  This can
                               be used instead of -I (or what corresponds
                               to that on your compiler) in CPPFLAGS.
               HASHBANGPERL    Perl invocation to be inserted after '#!'
                               in public perl scripts (only relevant on
                               Unix).
               LD              The program linker (not used on Unix, $(CC)
                               is used there).
               LDFLAGS         Flags for the shared library, DSO and
                               program linker.
               LDLIBS          Extra libraries to use when linking.
                               Takes the form of a space separated list
                               of library specifications on Unix and
                               Windows, and as a comma separated list of
                               libraries on VMS.
               RANLIB          The library archive indexer.
               RC              The Windows resource compiler.
               RCFLAGS         Flags for the Windows resource compiler.
               RM              The command to remove files and directories.

               These cannot be mixed with compiling / linking flags given
               on the command line.  In other words, something like this
               isn't permitted.

                   ./config -DFOO CPPFLAGS=-DBAR -DCOOKIE

               Backward compatibility note:

               To be compatible with older configuration scripts, the
               environment variables are ignored if compiling / linking
               flags are given on the command line, except for these:

               AR, CC, CXX, CROSS_COMPILE, HASHBANGPERL, PERL, RANLIB, RC
               and WINDRES

               For example, the following command will not see -DBAR:

                    CPPFLAGS=-DBAR ./config -DCOOKIE

               However, the following will see both set variables:

                    CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- \
                    ./config -DCOOKIE

               If CC is set, it is advisable to also set CXX to ensure
               both C and C++ compilers are in the same "family".  This
               becomes relevant with 'enable-external-tests' and
               'enable-buildtest-c++'.

reconf
reconfigure

               Reconfigure from earlier data.  This fetches the previous
               command line options and environment from data saved in
               "configdata.pm", and runs the configuration process again,
               using these options and environment.
               Note: NO other option is permitted together with "reconf".
               This means that you also MUST use "./Configure" (or
               what corresponds to that on non-Unix platforms) directly
               to invoke this option.
               Note: The original configuration saves away values for ALL
               environment variables that were used, and if they weren't
               defined, they are still saved away with information that
               they weren't originally defined.  This information takes
               precedence over environment variables that are defined
               when reconfiguring.
make
make test
make install_sw

CUBIC TCP 目前大多数Linux缺省使用的TCP流量拥塞算法 RFC8312


google bbr (Bottleneck Bandwidth and Round-trip propagation time)
google在GCP平台应用bbr TCP BBR congestion control comes to GCP
GCP-TCP-BBR-animate-r32B252812529plh0.GIF

What is BBR?
BBR ("Bottleneck Bandwidth and Round-trip propagation time") is a new congestion control algorithm developed at Google. Congestion control algorithms — running inside every computer, phone or tablet connected to a network — that decide how fast to send data.
How does a congestion control algorithm make this decision? The internet has largely used loss-based congestion control since the late 1980s, relying only on indications of lost packets as the signal to slow down. This worked well for many years, because internet switches’ and routers’ small buffers were well-matched to the low bandwidth of internet links. As a result, buffers tended to fill up and drop excess packets right at the moment when senders had really begun sending data too fast.

But loss-based congestion control is problematic in today's diverse networks:

In shallow buffers, packet loss happens before congestion. With today's high-speed, long-haul links that use commodity switches with shallow buffers, loss-based congestion control can result in abysmal throughput because it overreacts, halving the sending rate upon packet loss, even if the packet loss comes from transient traffic bursts (this kind of packet loss can be quite frequent even when the link is mostly idle).
In deep buffers, congestion happens before packet loss. At the edge of today's internet, loss-based congestion control causes the infamous “bufferbloat” problem, by repeatedly filling the deep buffers in many last-mile links and causing seconds of needless queuing delay.
We need an algorithm that responds to actual congestion, rather than packet loss. BBR tackles this with a ground-up rewrite of congestion control. We started from scratch, using a completely new paradigm: to decide how fast to send data over the network, BBR considers how fast the network is delivering data. For a given network connection, it uses recent measurements of the network's delivery rate and round-trip time to build an explicit model that includes both the maximum recent bandwidth available to that connection, and its minimum recent round-trip delay. BBR then uses this model to control both how fast it sends data and the maximum amount of data it's willing to allow in the network at any time.

找到的bbr研究BBR-Congestion-Based-Congestion-Control.pdf

审计所有命令

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

发送到syslog
sed -i 's/active = no/active = yes/g' /etc/audisp/plugins.d/syslog.conf

SNMP 版本
有V1 V2c V3
V1使用明文community,The biggest downsides are that it does not support 64 bit counters, only 32 bit counters, and that it has little security.
V2c和V1使用明文community,it adds support for 64 bit counters. SNMPv2c is a sub-version of SNMPv2. Its key advantage over previous versions is the Inform command. Unlike Traps, which are simply received by a manager, Informs are positively acknowledged with a response message. If a manager does not reply to an Inform, the SNMP agent will resend the Inform.
V3可设置身份验证及数据在网络传输时加密

SNMP 方法
常用的是Get, GetNext, Set, Trap
ro(read only)的community/username password不能使用set方法
rw(read write)可以使用全部方法

SNMP 端口
SNMP使用UDP(IP 17) 161
SNMP trap使用UDP 162 (部分系统组件/配置发生变更,SNMP daemon主动发送消息通知网管平台)

SNMP OID结构 [图片来源Paessler AG]
653-OID+tree.png

SNMP v1 defines a special TRAP message format, different from other messages (such as GET). http://tools.ietf.org/html/rfc1157#page-27
This message format is not used any more in SNMP v2 and v3. If an SNMP agent sends out such TRAP messages for v2 or v3, that can be a bug. Since v2, TRAP starts to use the common message format (the same as GET and so on). So it is called SNMPv2-Trap-PDU. http://tools.ietf.org/search/rfc3416#page-22 SNMP v3 introduces the security model to all messages, so TRAP receives such update too. It is still based on SNMPv2-Trap-PDU.

Debian系 SNMP trap配置一些问题
启动snmp daemon,日志提示

  /etc/snmp/snmpd.conf: line 145: Warning: Unknown token: defaultMonitors.
  /etc/snmp/snmpd.conf: line 147: Warning: Unknown token: linkUpDownNotifications.
Edit /etc/default/snmpd:
comment the "export MIBS=" line:
#export MIBS=
remove ",mteTrigger,mteTriggerConf" from the SNMPDOPTS line:
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /run/snmpd.pid'
install snmp-mibs-downloader. It will download abunch of MIBs in its postinst:
sudo apt install snmp-mibs-downloader

RHEL常用的OID

Network Interface Statistics
List NIC names: .1.3.6.1.2.1.2.2.1.2
Get Bytes IN: .1.3.6.1.2.1.2.2.1.10
Get Bytes IN for NIC 4: .1.3.6.1.2.1.2.2.1.10.4
Get Bytes OUT: .1.3.6.1.2.1.2.2.1.16
Get Bytes OUT for NIC 4: .1.3.6.1.2.1.2.2.1.16.4

CPU Statistics
Load
1 minute Load: .1.3.6.1.4.1.2021.10.1.3.1
5 minute Load: .1.3.6.1.4.1.2021.10.1.3.2
15 minute Load: .1.3.6.1.4.1.2021.10.1.3.3

CPU times
percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
raw user cpu time: .1.3.6.1.4.1.2021.11.50.0
percentages of system CPU time: .1.3.6.1.4.1.2021.11.10.0
raw system cpu time: .1.3.6.1.4.1.2021.11.52.0
percentages of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
raw idle cpu time: .1.3.6.1.4.1.2021.11.53.0
raw nice cpu time: .1.3.6.1.4.1.2021.11.51.0

Memory Statistics
Total Swap Size: .1.3.6.1.4.1.2021.4.3.0
Available Swap Space: .1.3.6.1.4.1.2021.4.4.0
Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0
Total RAM used: .1.3.6.1.4.1.2021.4.6.0
Total RAM Free: .1.3.6.1.4.1.2021.4.11.0
Total RAM Shared: .1.3.6.1.4.1.2021.4.13.0
Total RAM Buffered: .1.3.6.1.4.1.2021.4.14.0
Total Cached Memory: .1.3.6.1.4.1.2021.4.15.0

Disk Statistics
Add the following line to snmpd.conf and restart:
includeAllDisks 10% for all partitions and disks
Disk OID's
Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1
Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
Total size of the disk/partion (kBytes): .1.3.6.1.4.1.2021.9.1.6.1
Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1
Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1
Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1
Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1

System Uptime: .1.3.6.1.2.1.1.3.0

IANA分配的OID查询 https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

打算切换到GNU/Linux,尝试走的弯路,于是产生此文。
使用Debian sid。


使用的软件

影视播放 VLC
截图 deepin-screenshot (深度[deepin.org]做的截图软件,和Windows™ 下的QQ差不多。。。
文件检索 ANGRYsearch (同样和Windows™ 下的Everything差不多


用的xfce4,自带的自动代理不知道为何不生效,Google了一下,发现如下解决方法:

Referer : does xfce4 support automatic proxy configuration?

You can set up auto_proxy/AUTO_PROXY variables in /etc/environment like:

auto_proxy="https://someurl.to/your.pac"
AUTO_PROXY="https://someurl.to/your.pac"

and logout/login after that.

魔改自 https://teddysun.com/469.html ,去掉gdrive/ftp上传,按分钟删除文件(默认删除60分钟之前的备份)。

#!/usr/bin/env bash
#
# Auto backup script
#
# Copyright (C) 2016 Teddysun <i@teddysun.com>
#
# URL: https://teddysun.com/469.html
#
# You must to modify the config before run it!!!
# Backup MySQL/MariaDB/Percona datebases, files and directories
# Backup file is encrypted with AES256-cbc with SHA1 message-digest (option)
# Auto transfer backup file to Google Drive (need install gdrive command) (option)
# Auto transfer backup file to FTP server (option)
# Auto delete Google Drive's or FTP server's remote file (option)
#

[[ $EUID -ne 0 ]] && echo "Error: This script must be run as root!" && exit 1

########## START OF CONFIG ##########

# Encrypt flag (true: encrypt, false: not encrypt)
ENCRYPTFLG=false

# WARNING: KEEP THE PASSWORD SAFE!!!
# The password used to encrypt the backup
# To decrypt backups made by this script, run the following command:
# openssl enc -aes256 -in [encrypted backup] -out decrypted_backup.tgz -pass pass:[backup password] -d -md sha1
BACKUPPASS="mypassword"

# Directory to store backups
LOCALDIR="/web/backup/"

# Temporary directory used during backup creation
TEMPDIR="/web/backup/temp/"

# File to log the outcome of backups
LOGFILE="/web/backup/log"

# OPTIONAL: If you want backup MySQL database, enter the MySQL root password below
MYSQL_ROOT_PASSWORD="mypassword"

# Below is a list of MySQL database name that will be backed up
# If you want backup ALL databases, leave it blank.
MYSQL_DATABASE_NAME[0]=""

# Below is a list of files and directories that will be backed up in the tar backup
# For example:
# File: /data/www/default/test.tgz
# Directory: /data/www/default/test
BACKUP[0]="/web/wwwroot/1"
BACKUP[1]="/web/wwwroot/2"

# Number of days to store daily local backups (default 7 days)
DELETEMIN="60"

########## END OF CONFIG ##########



# Date & Time
DAY=$(date +%d)
MONTH=$(date +%m)
YEAR=$(date +%C%y)
BACKUPDATE=$(date +%Y%m%d%H%M%S)
# Backup file name
TARFILE="${LOCALDIR}""$(hostname)"_"${BACKUPDATE}".tgz
# Encrypted backup file name
ENC_TARFILE="${TARFILE}.enc"
# Backup MySQL dump file name
SQLFILE="${TEMPDIR}mysql_${BACKUPDATE}.sql"

log() {
    echo -e "$(date "+%Y-%m-%d %H:%M:%S")" "$1" >> ${LOGFILE}
}

# Check for list of mandatory binaries
check_commands() {
    # This section checks for all of the binaries used in the backup
    BINARIES=( cat cd du date dirname echo openssl mysql mysqldump pwd rm tar )

    # Iterate over the list of binaries, and if one isn't found, abort
    for BINARY in "${BINARIES[@]}"; do
        if [ ! "$(command -v "$BINARY")" ]; then
            log "$BINARY is not installed. Install it and try again"
            exit 1
        fi
    done
}

calculate_size() {
    local file_name=$1
    local file_size=$(du -h $file_name 2>/dev/null | awk '{print $1}')
    if [ "x${file_size}" = "x" ]; then
        echo "unknown"
    else
        echo "${file_size}"
    fi
}

# Backup MySQL databases
mysql_backup() {
    if [ -z ${MYSQL_ROOT_PASSWORD} ]; then
        log "MySQL root password not set, MySQL backup skipped"
    else
        log "MySQL dump start"
        mysql -u root -p"${MYSQL_ROOT_PASSWORD}" 2>/dev/null <<EOF
exit
EOF
        if [ $? -ne 0 ]; then
            log "MySQL root password is incorrect. Please check it and try again"
            exit 1
        fi

        if [ "${MYSQL_DATABASE_NAME[*]}" == "" ]; then
            mysqldump -u root -p"${MYSQL_ROOT_PASSWORD}" --all-databases > "${SQLFILE}" 2>/dev/null
            if [ $? -ne 0 ]; then
                log "MySQL all databases backup failed"
                exit 1
            fi
            log "MySQL all databases dump file name: ${SQLFILE}"
            #Add MySQL backup dump file to BACKUP list
            BACKUP=(${BACKUP[*]} ${SQLFILE})
        else
            for db in ${MYSQL_DATABASE_NAME[*]}
            do
                unset DBFILE
                DBFILE="${TEMPDIR}${db}_${BACKUPDATE}.sql"
                mysqldump -u root -p"${MYSQL_ROOT_PASSWORD}" ${db} > "${DBFILE}" 2>/dev/null
                if [ $? -ne 0 ]; then
                    log "MySQL database name [${db}] backup failed, please check database name is correct and try again"
                    exit 1
                fi
                log "MySQL database name [${db}] dump file name: ${DBFILE}"
                #Add MySQL backup dump file to BACKUP list
                BACKUP=(${BACKUP[*]} ${DBFILE})
            done
        fi
        log "MySQL dump completed"
    fi
}

start_backup() {
    [ "${BACKUP[*]}" == "" ] && echo "Error: You must to modify the [$(basename $0)] config before run it!" && exit 1

    log "Tar backup file start"
    tar -zcPf ${TARFILE} ${BACKUP[*]}
    if [ $? -gt 1 ]; then
        log "Tar backup file failed"
        exit 1
    fi
    log "Tar backup file completed"

    # Encrypt tar file
    if ${ENCRYPTFLG}; then
        log "Encrypt backup file start"
        openssl enc -aes256 -in "${TARFILE}" -out "${ENC_TARFILE}" -pass pass:"${BACKUPPASS}" -md sha1
        log "Encrypt backup file completed"

        # Delete unencrypted tar
        log "Delete unencrypted tar file: ${TARFILE}"
        rm -f ${TARFILE}
    fi

    # Delete MySQL temporary dump file
    for sql in `ls ${TEMPDIR}*.sql`
    do
        log "Delete MySQL temporary dump file: ${sql}"
        rm -f ${sql}
    done

    if ${ENCRYPTFLG}; then
        OUT_FILE="${ENC_TARFILE}"
    else
        OUT_FILE="${TARFILE}"
    fi
    log "File name: ${OUT_FILE}, File size: `calculate_size ${OUT_FILE}`"
}

# Clean up old file
clean_up_files() {
    cd ${LOCALDIR} || exit

    if ${ENCRYPTFLG}; then
        FileExt="*.enc"
    else
        FileExt="*.tgz"
    fi
    find . -name "$FileExt" -type f -mmin +$DELETEMIN -delete
}

# Main progress
STARTTIME=$(date +%s)

# Check if the backup folders exist and are writeable
if [ ! -d "${LOCALDIR}" ]; then
    mkdir -p ${LOCALDIR}
fi
if [ ! -d "${TEMPDIR}" ]; then
    mkdir -p ${TEMPDIR}
fi

log "Backup progress start"
check_commands
mysql_backup
start_backup
log "Backup progress complete"

clean_up_files

ENDTIME=$(date +%s)
DURATION=$((ENDTIME - STARTTIME))
log "All done"
log "Backup and transfer completed in ${DURATION} seconds"

debian buster的配置例子放在/usr/share/doc/rsync/examples/rsyncd.conf
复制到etc目录下 cp /usr/share/doc/rsync/examples/rsyncd.conf /etc/rsyncd.conf
配置hosts allow后,允许的主机直接使用命令同步,不用输入密码 rsync -a rsync://0.0.0.0/example ./example

瞎逛的时候,发现了一个IP地址管理工具,phpIPAM。看名字就知道是一个基于PHP开发的。PHP是世界上最好的@#$%^&!
先看一下官方给出的要求:

1.) Requirements before you start installing phpipam, please make sure you meet following requirements: Apache2 webserver with php support or
Nginx with php-fpm Mysql server (5.1+) PHP: version 5.3 supported to
phpipam version 1.3.1 version 5.4 version 7.2 and higher supported
from phpipam release 1.3.2 PHP modules: pdo, pdo_mysql : Adds support
for mysql connections session : Adds persistent session support
sockets : Adds sockets support openssl : Adds openSSL support gmp :
Adds support for dev-libs/gmp (GNU MP library) -> to calculate IPv6
networks ldap : Adds LDAP support (Lightweight Directory Access
Protocol – for AD also) crypt : Add support for password encryption
SimpleXML: Support for SimpleXML (optional, for RIPE queries and if
required for API) json: Enable JSON support gettext: Enables
translation filter : Adds filtering support pcntl : Add support for
process creation functions (optional, required for scanning) cli :
Enable CLI (optional, required for scanning and status checks)
mbstring : Enable mbstring support php PEAR support Usually most php
modules all are built into default php installation. If some required
modules are missing phpipam will fail with warning and notify you
about them.

You can check which php modules are enabled by issuing php -m in
command line.

直接从GitHub clone
git clone https://github.com/phpipam/phpipam.git /wwwroot/ipam
切换版本
git checkout -b 1.3 origin/1.3

配置nginx和PHP7.2
官方给出了nginx的参考配置

1.) phpIPAM version 1.3.2 and higher If you are using phpIPAM version 1.3.2 or higher please use below snippet to configure your nginx server. We assume phpipam will be on separate subfolder on webserver,
e.g. http://hostname/phpipam/, if not adjust settings accordingly.

  server {
    # root directory
    root   /var/www/;

    # phpipam
    location /phpipam/ {
        try_files $uri $uri/ /phpipam/index.php;
        index index.php;
    }
    # phpipam - api
    location /phpipam/api/ {
        try_files $uri $uri/ /phpipam/api/index.php;
    }

    # php-fpm
    location ~ \.php$ {
        fastcgi_pass   unix:/var/run/php-fpm.socket;
        fastcgi_index  index.php;
        try_files      $uri $uri/ index.php = 404;
        include        fastcgi_params;
    }  }

2.) phpIPAM up to version 1.3.1 For older phpIPAM versions please use below snippet. Again we assume phpipam will be on separate subfolder
on webserver.

server {
    # root directory
    root   /var/www/;

    # phpipam
    location /phpipam/ {
        try_files $uri $uri/ =404;
        index index.php;

        error_page 500 /app/error/index.php;
        error_page 404 /app/error/index.php;
        error_page 403 /app/error/index.php;

        rewrite ^/phpipam/login/dashboard/?$ /phpipam/dashboard/ redirect;
        rewrite ^/phpipam/logout/dashboard/?$ /phpipam/dashboard/ redirect;
        rewrite ^/phpipam/tools/search/(.*)/(.*)/(.*)/(.*)/([^/]+)$ /phpipam/index.php?page=tools§ion=search&addresses=$1&subnets=$2&vlans=$3&vrf=$4&ip=$5
last;
        rewrite ^/phpipam/tools/search/(.*) /phpipam/index.php?page=tools§ion=search&ip=$1 last;
        rewrite ^/phpipam/(.*)/(.*)/(.*)/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1§ion=$2&subnetId=$3&sPage=$4&ipaddrid=$5&tab=$6
last;
        rewrite ^/phpipam/(.*)/(.*)/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1§ion=$2&subnetId=$3&sPage=$4&ipaddrid=$5
last;
        rewrite ^/phpipam/(.*)/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1§ion=$2&subnetId=$3&sPage=$4 last;
        rewrite ^/phpipam/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1§ion=$2&subnetId=$3 last;
        rewrite ^/phpipam/(.*)/([^/]+)/? /phpipam/index.php?page=$1§ion=$2 last;
        rewrite ^/phpipam/([^/]+)/? /phpipam/index.php?page=$1 last;
    }
    # phpipam - api
    location /phpipam/api {
        rewrite ^/phpipam/api/(.*)/(.*)/(.*)/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2&id=$3&id2=$4&id3=$5
last;
        rewrite ^/phpipam/api/(.*)/(.*)/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2&id=$3&id2=$4 last;
        rewrite ^/phpipam/api/(.*)/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2&id=$3 last;
        rewrite ^/phpipam/api/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2 last;
        rewrite ^/phpipam/api/(.*) /phpipam/api/index.php?app_id=$1 last;
    }
    location /phpipam/css {
        try_files $uri $uri/ =404;
    }
    location /phpipam/js {
        try_files $uri $uri/ =404;
    }

    # php-fpm
    location ~ \.php$ {
        fastcgi_pass   unix:/var/run/php-fpm.socket;
        fastcgi_index  index.php;
        try_files      $uri $uri/ index.php = 404;
        include        fastcgi_params;
    }  }

PHP安装扩展
aptitude install php7.2-gd php-pear php7.2-pdo-mysql php7.2-mbstring php7.2-json php7.2-xml php7.2-gmp ,对LDAP有需求的可以安装php7.2-ldap

手动安装:
复制示例的config.php

3.) Initial configuration Before you start installing database files, you need to enter database details, that you will use for phpipam
connecting to database. First copy config.dist.php to config.php and
enter required details. For automatic installation phpipam will
configure database with settings you enter in config.php file, for
manual installation you will have to do it yourself.

$db['host'] = "localhost";
$db['user'] = "phpipam";
$db['pass'] = "phpipamadmin";
$db['name'] = "phpipam";

also, if you extracted
phpipam directory in any other directory than web server root folder,
you need to set that as well (BASE directive) in config.php:

define('BASE', "/");

For example, if you will have phpipam
installed in http://myserver/phpipam/ directory than set BASE as /phpipam/.

导入数据库

You can manually import sql SCHEMA file via mysql’s cli, but first you
need to create database and grant user permission (replace user/pass
with one you set in config.php):

# mysql -u root -p Enter
password:
mysql> create database phpipam;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL on phpipam.* to phpipam@localhost identified by ‘phpipamadmin’;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye

Once this is in place, you can import SCHEMA.sql file with following command:
mysql -u root -p phpipam < db/SCHEMA.sql

OpenConnect VPN Server官方网站 http://www.infradead.org/ocserv/
官方安装指南 https://github.com/openconnect/recipes
已经在Debian packages上线,可以使用apt install ocserv安装,而不用自己编译。
因为是SSL VPN,需要一个SSL证书(可以使用自签名,不过有Cisco AnyConnect会有安全提示)openssl req -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 365 -out ssl.crt -subj "/C=CN/ST=GD/L=GZ/O=GFeng/OU=IT/CN=192.168.0.1/emailAddress=dev@gov.cn"
验证CRTopenssl x509 -in cacert.pem -text -noout
CSR方式 openssl req -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.req -subj "/C=CN/ST=GD/L=GZ/O=GFeng/OU=IT/CN=192.168.0.1/emailAddress=dev@gov.cn"
验证CSRopenssl req -in ssl.req -text -noout
生成DH算法文件,openssl dhparam -out dh.pem 1024
打开IPv4转发,net.ipv4.ip_forward = 1
用iptables做NAT转发

iptables -t nat-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip link set txqueuelen 10000 dev eth0
#配置文件: 
output-buffer = 23000 
try-mtu-discovery = true 

#服务器: 
net.core.rmem_max = 67108864 
net.core.wmem_max = 67108864 
net.ipv4.tcp_rmem = 4096 87380 33554432 
net.ipv4.tcp_wmem = 4096 65536 33554432 
net.core.netdev_max_backlog = 30000 
net.ipv4.tcp_mtu_probing=1 

支持IPv6只需打开转发即可net.ipv6.conf.all.forwarding = 1


occtl
重新载入配置 occtl reload