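CentOS 8 software repositories

Compared with the Huawei and Alibaba Cloud mirrors, the mirrors of the University of Science and Technology of China (USTC) are more complete and faster, and their configuration file is also more convenient. The relevant file is recorded here:

System repo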

[BaseOS]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=BaseOS&infra=$infra
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/extras/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/centosplus/$basearch/os/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[AppStream]
name=CentOS-$releasever - AppStream
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=AppStream&infra=$infra
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[PowerTools]
name=CentOS-$releasever - PowerTools
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=PowerTools&infra=$infra
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/PowerTools/$basearch/os/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
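
An added example (not part of the original post): a shell check that flags any section of a .repo file like the one above where gpgcheck is not 1, no gpgkey is set, or baseurl/mirrorlist uses plaintext http or ftp. The helper name audit_repo_file and the [local-test] section are constructed for illustration; a missing gpgcheck counts as a finding because its effective value then depends on [main] in dnf.conf.

```bash
#!/usr/bin/env bash
# Added example: audit_repo_file is a hypothetical helper, not part of dnf.
# Prints one finding per line and returns 1 if any section is weak.
audit_repo_file() {   # $1 = path to a .repo file, or "-" for stdin
  awk '
    function report() {
      if (sec == "") return
      if (gc != "1")   { print sec ": gpgcheck is not 1";            bad = 1 }
      if (key == "")   { print sec ": no gpgkey configured";         bad = 1 }
      if (plain != "") { print sec ": plaintext transport for" plain; bad = 1 }
    }
    /^[ \t]*[#;]/ { next }      # comments, e.g. the disabled mirrorlist lines
    /^\[/         { report(); sec = $0; gc = ""; key = ""; plain = ""; next }
    {
      i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == "gpgcheck") gc = v
      else if (k == "gpgkey") key = v
      else if ((k == "baseurl" || k == "mirrorlist") && v ~ /^(http|ftp):/)
        plain = plain " " k
    }
    END { report(); exit bad + 0 }
  ' "${1:--}"
}

# Constructed sample: the first section is taken from the page, the second is
# deliberately weak.
sample_repo() {
  cat <<'EOF'
[BaseOS]
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/BaseOS/$basearch/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
[local-test]
baseurl=http://repo.example.invalid/8/x86_64/
gpgcheck=0
EOF
}

sample_repo | audit_repo_file - || echo "weak sections found"
```

On a real host, run it over each file in /etc/yum.repos.d/ after switching mirrors.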

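Centralized Zabbix deployment

Zabbix is an efficient, fast, open-source, enterprise-grade monitoring system. This post uses Zabbix 4.4 and CentOS 8 to deploy a single central monitoring site.

  1. Host deployment

First deploy two CentOS 8 hosts (Zabbix: 10.30.2.67, MySQL: 10.30.2.68) and install the epel-release and Zabbix repositories; among these it is recommended to use [1]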

dnf upgrade -y
dnf install -y epel-release
rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/8/x86_64/zabbix-release-4.4-1.el8.noarch.rpm
dnf upgrade -y

  1. Zabbix server deployment

Log in to the Zabbix server and install the main packages

dnf -y upgrade
dnf -y install httpd php php-fpm
dnf -y install zabbix-server-mysql zabbix-web-mysql zabbix-apache-conf zabbix-agent

# Enable the services at boot
systemctl enable httpd php-fpm
systemctl enable zabbix-agent.service zabbix-server.service

# Open the firewall
firewall-cmd --permanent --add-service={http,https}
firewall-cmd --permanent --add-port={10051/tcp,10050/tcp}
firewall-cmd --reload

# Copy the monitoring database schema file to the database server
scp /usr/share/doc/zabbix-server-mysql/create.sql.gz root@10.30.2.68:/root

# Edit the PHP configuration file
vim /etc/php-fpm.d/zabbix.conf
~~~~~~~~~~~~
# Edit line 24: remove the ";" and set the time zone to Asia/Shanghai
php_value[date.timezone] = Asia/Shanghai
~~~~~~~~~~~~

# Edit the main Zabbix server configuration file
vim /etc/zabbix/zabbix_server.conf
~~~~~~~~~~~~
# Edit line 92
DBHost=10.30.2.68
# Edit line 124 to set the database user's password
DBPassword=password
~~~~~~~~~~~~

# Restart the services
systemctl restart httpd php-fpm
systemctl restart zabbix-agent.service zabbix-server.service

  1. Database deployment

Log in to the database server 10.30.2.68, install the database packages, and configure them

dnf -y install zabbix-agent
dnf -y install mariadb mariadb-server
systemctl enable mariadb zabbix-agent.service --now

# Set the root password, remove the anonymous users and the test database
mysql_secure_installation

# Create the database
# mysql -uroot -p
password
mysql> create database zabbix character set utf8 collate utf8_bin;
mysql> grant all privileges on zabbix.* to zabbix@'%' identified by 'password';
mysql> flush privileges;
mysql> quit;

# Import the schema
zcat create.sql.gz | mysql -uzabbix -p zabbix

# Configure the firewall
firewall-cmd --permanent --add-service=mysql
firewall-cmd --permanent --add-port=10050/tcp
firewall-cmd --reload

# Configure the monitoring agent
vim /etc/zabbix/zabbix_agentd.conf
~~~~~~~~~~~~
# Line 98
Server=10.30.2.67

# Line 139
ServerActive=10.30.2.67

# Line 150: comment it out
#Hostname=Zabbix server

# Line 158
HostnameItem=system.hostname
~~~~~~~~~~~~
systemctl restart mariadb zabbix-agent
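
The grant above lets the zabbix account connect from any host ('%'), and the firewall step opens the mysql service to every source. As an added example, not part of the original post, these shell helpers (is_ipv4, zabbix_grant_sql and mysql_rich_rule are hypothetical names) produce the same grant and firewall rule limited to the Zabbix server 10.30.2.67:

```bash
#!/usr/bin/env bash
# Added example (not from the original post). All function names are
# hypothetical; the addresses are the ones used on this page.

# Accept only a dotted-quad literal, so '%' or a hostname pattern is refused.
is_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  _old=$IFS; IFS=.; set -- $1; IFS=$_old
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
}

# SQL for the MariaDB root shell: the account exists for one client address only.
zabbix_grant_sql() {   # $1 = Zabbix server IP, $2 = database password
  is_ipv4 "$1" || { echo "host must be an IPv4 literal: $1" >&2; return 1; }
  case $2 in
    ''|password|*\'*|*\\*)
      echo "empty, placeholder or unquotable password" >&2; return 1 ;;
  esac
  printf "CREATE USER 'zabbix'@'%s' IDENTIFIED BY '%s';\n" "$1" "$2"
  printf "GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix'@'%s';\n" "$1"
}

# firewalld rich rule that replaces the blanket --add-service=mysql.
mysql_rich_rule() {    # $1 = Zabbix server IP
  is_ipv4 "$1" || return 1
  printf 'rule family="ipv4" source address="%s/32" service name="mysql" accept\n' "$1"
}

# Usage on the database host 10.30.2.68:
#   pw=$(openssl rand -hex 24)      # the same value goes into DBPassword= on 10.30.2.67
#   zabbix_grant_sql 10.30.2.67 "$pw" | mysql -uroot -p
#   zcat create.sql.gz | mysql -uroot -p zabbix   # local import now runs as root
#   firewall-cmd --permanent --add-rich-rule="$(mysql_rich_rule 10.30.2.67)"
#   firewall-cmd --reload

# Constructed demo: a scoped grant is printed, a wildcard host is refused.
zabbix_grant_sql 10.30.2.67 'Constructed-demo-pw-1'
zabbix_grant_sql '%' 'Constructed-demo-pw-1' || true
```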

  1. Zabbix site configuration


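Upgrading OpenSSH on CentOS 8

Although the OpenSSL and OpenSSH versions in CentOS 8 are already fairly recent, our company's information-security requirements mean that, after a scan with a commercial vulnerability scanner, an upgrade is still needed (since OpenSSL in CentOS 8 is already the fairly recent 1.1.1, it is not upgraded this time).

Preparing the packages

# Set up the build environment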
cd
yum update -y
yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip -y
mkdir -p ~/rpmbuild/{SOURCES,SPECS}
# Download the source tarballs
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz
wget http://ftp.riken.jp/Linux/momonga/6/Everything/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz
cp openssh-8.1p1.tar.gz x11-ssh-askpass-1.2.4.1.tar.gz ~/rpmbuild/SOURCES
tar zxvf openssh-8.1p1.tar.gz
cp openssh-8.1p1/contrib/redhat/openssh.spec ~/rpmbuild/SPECS/
# Edit the spec file to remove the X11 dependencies and the openssl dependency
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" ~/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" ~/rpmbuild/SPECS/openssh.spec
sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" ~/rpmbuild/SPECS/openssh.spec
# Build the RPM packages
rpmbuild -bp ~/rpmbuild/SPECS/openssh.spec
rpmbuild -ba ~/rpmbuild/SPECS/openssh.spec
# Install the newly built packages locally with yum
yum localinstall -y ~/rpmbuild/RPMS/x86_64/openssh-*
# Tighten permissions on the host private keys
chmod 0400 /etc/ssh/ssh_host_ecdsa_key
chmod 0400 /etc/ssh/ssh_host_ed25519_key
chmod 0400 /etc/ssh/ssh_host_rsa_key
# Edit the configuration file
sed -i -e "s/UsePAM yes/UsePAM no/g" /etc/ssh/sshd_config
# Restart the service
systemctl restart sshd
# Check the new version
ssh -V

Batch distribution

# After uploading the files to the local YUM repository, build the index
createrepo /var/www/repos/cnpe/8/x86_64/
# Install
ansible all -m yum -a 'name=* state=latest' -b -K
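
The tarballs above come from third-party mirrors (one over plain http), and the RPM built from them is then installed on every host. As an added example, not part of the original post, this helper (stage_sources is a hypothetical name, and the pin-file layout is an assumption) copies tarballs into ~/rpmbuild/SOURCES only when each one matches a SHA-256 digest pinned in a file you maintain; the digests are not on this page and have to come from a release channel you trust.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Pin file lines use the
# sha256sum format:
#   <sha256-hex>  <filename>
# Take the digests from a channel other than the download mirror.

stage_sources() {   # $1 = pin file, $2 = SOURCES directory, $3... = tarballs
  _pins=$1; _dest=$2; shift 2
  [ $# -gt 0 ] || { echo "no tarballs given" >&2; return 1; }
  for _f in "$@"; do
    _name=$(basename "$_f")
    _want=$(awk -v n="$_name" '$2 == n { print $1; exit }' "$_pins")
    if [ -z "$_want" ]; then
      echo "no pinned digest for $_name, not staging anything" >&2; return 1
    fi
    _got=$(sha256sum "$_f" | awk '{ print $1 }')
    if [ "$_got" != "$_want" ]; then
      echo "digest mismatch for $_name, not staging anything" >&2; return 1
    fi
  done
  # Copy only after every tarball has passed, so a partial set never reaches rpmbuild.
  mkdir -p "$_dest" && cp -- "$@" "$_dest"/
}

# Constructed demo: a pinned file is staged, a modified copy is rejected.
demo_stage() {
  _d=$(mktemp -d) || return 1
  printf 'constructed tarball bytes\n' > "$_d/openssh-8.1p1.tar.gz"
  ( cd "$_d" && sha256sum openssh-8.1p1.tar.gz > pins.sha256 )
  stage_sources "$_d/pins.sha256" "$_d/SOURCES" "$_d/openssh-8.1p1.tar.gz" || return 1
  printf 'modified after pinning\n' >> "$_d/openssh-8.1p1.tar.gz"
  ! stage_sources "$_d/pins.sha256" "$_d/SOURCES2" "$_d/openssh-8.1p1.tar.gz" 2>/dev/null
}

# Usage in place of the plain cp into SOURCES (pins.sha256 is yours to fill in):
#   stage_sources pins.sha256 ~/rpmbuild/SOURCES \
#       openssh-8.1p1.tar.gz x11-ssh-askpass-1.2.4.1.tar.gz
```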