Happywzy

官方文档

• Rate Limiting

说明

• nginx.ingress.kubernetes.io/limit-connections: number of concurrent connections allowed from a single IP address. A 503 error is returned when exceeding this limit.
• nginx.ingress.kubernetes.io/limit-rps: number of requests accepted from a given IP each second. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, limit-req-status-code default: 503 is returned.
• nginx.ingress.kubernetes.io/limit-rpm: number of requests accepted from a given IP each minute. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, limit-req-status-code default: 503 is returned.
• nginx.ingress.kubernetes.io/limit-burst-multiplier: multiplier of the limit rate for burst size. The default burst multiplier is 5, this annotation override the default multiplier. When clients exceed this limit, limit-req-status-code default: 503 is returned.
• nginx.ingress.kubernetes.io/limit-rate-after: initial number of kilobytes after which the further transmission of a response to a given connection will be rate limited. This feature must be used with proxy-buffering enabled.
• nginx.ingress.kubernetes.io/limit-rate: number of kilobytes per second allowed to send to a given connection. The zero value disables rate limiting. This feature must be used with proxy-buffering enabled.
• nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges to be excluded from rate-limiting. The value is a comma separated list of CIDRs.

If you specify multiple annotations in a single Ingress rule, limits are applied in the order limit-connections, limit-rpm, limit-rps.

To configure settings globally for all Ingress rules, the limit-rate-after and limit-rate values may be set in the NGINX ConfigMap. The value set in an Ingress annotation will override the global setting.

config

远程仓库

分支

合并

tag

如果创建的不是轻量tag,推送到远程后用git ls-remote --tags origin命令查看会产生一个后缀为^{}的同名tag.

switch

提交

暂存区

回退

git reset --soft和--mixed区别在于如果当前commit和上一个commit之间有新增的文件,--soft回退之后该文件处于已add的状态,--mixed回退之后该文件处于未add的状态,需要在执行git add.

日志

版本回退/复原

HEAD表示当前版本,HEAD^表示上一个版本,HEAD^^表示上上个版本,HEAD~5表示上 5 个版本.

Windows cmd 窗口下执行 git reset --hard HEAD^ 会报错, 需要为 HEAD^ 添加双引号 git reset --hard "HEAD^"

# 回退
git reset --hard HEAD^
git reset --hard HEAD^^
# 查看提交历史,根据commit_id回退
git log
git reset --hard commit_id
# 查看未来提交日志恢复提交
git reflog

问题

• 配置公钥

# 生成公钥,过程中按3次回车
ssh-keygen -t ed25519 -C "xxxxx@xxxxx.com" 
# 进入gitee添加公钥
# 测试公钥是否能用
ssh -T git@gitee.com
# 返回以下内容证明配置正确
Hi XXX! You've successfully authenticated, but Gitee.com does not provide shell access.

如果配置正确还是让输入用户密码,首先git remote -v检查远程地址是https还是ssh.使用git remote set-url origin git@gitee.com:happywzy/xxxx.git修改.

• rebase操作

# 目标希望将fd75768和e87d4921两个连续的提交rebase到master分支
# 因为是前开后闭,这里start通过^向前指定了一个区间
# 也可以start设置为fd75768前一个commitid
$ git rebase fd75768^ e87d4921 --onto master
fatal: It seems that there is already a rebase-merge directory, and
I wonder if you are in the middle of another rebase.  If that is the
case, please try
        git rebase (--continue | --abort | --skip)
If that is not the case, please
        rm -fr ".git/rebase-merge"
and run me again.  I am stopping in case you still have something
valuable there.
# 上面提示已经存在一个rebase-merge目录,先删除了
$ rm -fr ".git/rebase-merge"
# 再次执行
$ git rebase fd75768^ e87d4921 --onto master
Successfully rebased and updated detached HEAD.
# 切换到master分支,提示刚刚复制了两个提交,即HEAD后面还有两个提交
$ git checkout master
Warning: you are leaving 2 commits behind, not connected to
any of your branches:
  b9bb17a step 5
  f2d9256 step 4
If you want to keep them by creating a new branch, this may be a good time
to do so with:
 git branch <new-branch-name> b9bb17a
Switched to branch 'master'
# 现在切回master看不到复制过来的提交
# 通过下面的命令可以将HEAD重置到最新提交,即可看到rebase过来的2个提交
$ git reset --hard b9bb17a

logrotate

logrotate是linux自带的一个日志轮转工具,可以自动对日志进行截断（或轮循）、压缩以及删除旧的日志文件。如：配置/var/log/nginx.log每周轮询并删除3周前的日志.

logrotate配置

logrotate默认配置文件：/etc/logrotate.conf

需求：配置对docker容器日志轮询

# 进入到/etc/logrotate.d/目录下,该目录下有logrotate默认配置的一些规则
# 创建一个新的文件container
# 配置规则,更多规则可以自行搜索
/var/lib/docker/containers/*/*-json.log
{
    create 644 root root
    missingok
    weekly
    copytruncate
    rotate 3
    size=100M
    notifempty
}

限制docker容器日志大小的方式不仅仅只有logrotate方式,此处仅以容器日志为例.

测试

# debug模式测试配置文件
logrotate -d /etc/logrotate.d/xxxxx
# 手动运行
logrotate -f /etc/logrotate.d/xxxxx

限制docker容器日志

1. 统一限制

# 修改docker配置：vim /etc/docker/daemon.json
{
  "log-driver":"json-file",
  "log-opts": {"max-size":"500m", "max-file":"3"}
}
# 重启
systemctl daemon-reload
systemctl restart docker

2. 单独限制

docker run --name test --log-opt max-size=100m --log-opt max-file=2 -d nginx

openvpn服务器安装

# 安装服务
yum install epel-release
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig makecache
yum install -y openvpn easy-rsa
# 找到easy-ras的安装目录
[root@localhost openvpn]# whereis easy-rsa
easy-rsa: /usr/share/easy-rsa
# 并拷贝到openvpn目录下
mkdir -p /etc/openvpn/easy-rsa
# 注意3.0.8版本号可能不一样
cd /usr/share/easy-rsa/3.0.8
cp -r *  /etc/openvpn/easy-rsa

openvpn服务端配置

# 进入easy-rsa目录
cd /etc/openvpn/easy-rsa
# 将easy-rsa变量模板拷入到当前目录
find / -type f -name "vars.example"|xargs cp -t . && mv vars.example vars
[root@localhost easy-rsa]# ll
total 100
-rwxr-xr-x. 1 root root 76946 Mar 18 16:26 easyrsa
-rw-r--r--. 1 root root  4616 Mar 18 16:26 openssl-easyrsa.cnf
-rw-r--r--. 1 root root  8888 Mar 19  2022 vars
drwxr-xr-x. 2 root root   122 Mar 18 16:26 x509-types
# 修改vars主要信息,按需修改
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "Jiangsu"
set_var EASYRSA_REQ_CITY        "Nanjing"
set_var EASYRSA_REQ_ORG         "Deri"
set_var EASYRSA_REQ_EMAIL       "wuzhiyong@deri.energy"
set_var EASYRSA_REQ_OU          "deri.org.cn"
# 创建空的pki
./easyrsa init-pki
# 创建新的CA,不使用密码,过程中直接回车
./easyrsa build-ca nopass
# 创建服务端证书
./easyrsa gen-req server nopass
# 签约服务端证书,过程中手动输入yes
./easyrsa sign server server
# 生成DH验证文件Diffie-Hellman
./easyrsa gen-dh
# 创建吊销列表
./easyrsa gen-crl
# 生成ta.key
openvpn --genkey --secret keys/ta.key
# 将所有需要的文件拷贝到/etc/openvpn/server目录下
cp keys/ta.key ../server/
cp pki/ca.crt ../server/
cp pki/dh.pem ../server/
cp pki/issued/server.crt ../server/
cp pki/private/server.key ../server/

创建服务器配置

[root@ecs-a017-0002 chuanda]# cat server.conf 
port 20016
;proto tcp
proto udp
dev tun
;dev tap
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
tls-auth /etc/openvpn/server/ta.key 0
dh /etc/openvpn/server/dh.pem
log /etc/openvpn/openvpn.log
#duplicate-cn
push "route 10.1.0.0 255.255.255.0"
server 10.1.0.0 255.255.255.0
# 在ipp.txt可以配置静态ip: client1,11.1.0.100
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

创建openvpn启停脚本，start.sh

#!/bin/bash
CD_OVPN_PNUM=`ps -ef|grep "openvpn /etc/openvpn/server.conf"|grep -v grep|wc -l`
if [ $CD_OVPN_PNUM -le 0 ]; then
   openvpn /etc/openvpn/chuanda/server.conf &
fi

stop.sh

#!/bin/bash
ps -ef|grep "openvpn /etc/openvpn/server.conf"|grep -v grep|awk '{print$2}'|xargs kill -9

创建客户端证书

# 生成客户端证书
./easyrsa build-client-full client_name nopass

创建openvpn客户端文件

client
nobind
dev tun
remote-cert-tls server
remote 服务器IP 端口 udp
<key>
<!-- 客户端私钥 -->
</key>
<cert>
<!-- 客户端证书 -->
</cert>
<ca>
<!-- ca.crt -->
</ca>
key-direction 1
<tls-auth>
<!-- ta.key -->
</tls-auth>

遇到的问题

A: VERIFY ERROR: depth=1, error=certificate is not yet valid
or error 9 at 1 depth lookup:certificate is not yet valid
B: VERIFY ERROR: depth=0, error=certificate signature failure
C: error 7 at 0 depth lookup:certificate signature failure

解决办法：主要是由于服务器时区设置不对,客户端时间比服务器时间早导致.

思维导图

用markdown编写思维导图神器markmap.

安装markmap

安装完成后，正常编写markdown文件，点击右上角open as markmap，也可以导出.

说明

krew安装

• 官方文档

# 1.安装git
yum -y install git
# 2.安装krew
(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)
# 3.配置环境变量:.bashrc或者其它位置配置
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"

krew快速开始

# 1.更新插件列表
kubectl krew update
# 2.查看插件列表
kubectl krew search
# 3.安装插件
kubectl krew install xxxxx
# 4.卸载插件
kubectl krew uninstall xxxxx

插件推荐

• sniff : 抓包工具

# 保存文件,可以用wireshark分析
kubectl -n test sniff website-7d7d96cdbf-6v4p6 -o test.pcap
# 明文查看
kubectl -n test sniff website-7d7d96cdbf-6v4p6 -o -
# 抓取时过滤
kubectl -n test sniff website-7d7d96cdbf-6v4p6 -f "port 80"

• 其它插件推荐: 参考链接