1. The resource pool is to be displayed. 2. It can be managed both at initialization and later on. Just add a module to the resource center and to the infrastructure respectively. The resource center is for display only and does not take part in management; everything in the resource center is statistical and presentational.
Kerberos (source: https://help.ubuntu.com/10.04/serverguide/kerberos.html)
Kerberos is a network authentication system based on the principle of a trusted third party, the other two parties being the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO).
This section covers installation and configuration of a Kerberos server, and some example client configurations.
If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms will relate to things you may be familiar with in other environments:
- Principal: any users, computers, and services provided by servers need to be defined as Kerberos Principals.
- Instances: are used for service principals and special administrative principals.
- Realms: the unique realm of control provided by the Kerberos installation. Usually the DNS domain converted to uppercase (EXAMPLE.COM).
- Key Distribution Center (KDC): consists of three parts, a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC.
- Ticket Granting Ticket: issued by the Authentication Server (AS), the Ticket Granting Ticket (TGT) is encrypted in the user's password, which is known only to the user and the KDC.
- Ticket Granting Server (TGS): issues service tickets to clients upon request.
- Tickets: confirm the identity of the two principals, one principal being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session.
- Keytab Files: are files extracted from the KDC principal database and contain the encryption key for a service or host.
To put the pieces together, a Realm has at least one KDC, preferably two for redundancy, which contains a database of Principals. When a user principal logs into a workstation configured for Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user-supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password.
Before installing the Kerberos server a properly configured DNS
server is needed for your domain. Since the Kerberos Realm by
convention matches the domain name, this section uses the example.com domain configured in
the section called “Primary Master”.
Also, Kerberos is a time sensitive protocol. So if the local
system time between a client machine and the server differs by
more than five minutes (by default), the workstation will not be
able to authenticate. To correct the problem all hosts
should have their time synchronized using the Network Time Protocol (NTP). For details
on setting up NTP see the section called “Time Synchronisation with NTP”.
The first step in installing a Kerberos Realm is to install the krb5-kdc and
krb5-admin-server packages. From a terminal enter:
sudo apt-get install krb5-kdc krb5-admin-server
You will be asked at the end of the install to supply a name for
the Kerberos and Admin servers, which may or may not be the
same server, for the realm.
Next, create the new realm with the krb5_newrealm utility:
sudo krb5_newrealm
The questions asked during installation are used to configure the /etc/krb5.conf file. If you need to adjust
the Key Distribution Center (KDC) settings simply edit the file and restart the krb5-kdc daemon.
- Now that the KDC is running, an admin user is needed. It is recommended to use a different username from your everyday username. Using the kadmin.local utility, in a terminal prompt enter:
sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc steve/admin
WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve/admin@EXAMPLE.COM":
Re-enter password for principal "steve/admin@EXAMPLE.COM":
Principal "steve/admin@EXAMPLE.COM" created.
kadmin.local: quit
In the above example steve is the Principal,
/admin is an Instance, and
@EXAMPLE.COM signifies the realm. The "everyday" Principal would be steve@EXAMPLE.COM, and should have only normal user rights.
Note: Replace EXAMPLE.COM and steve with your Realm and admin username.
- Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions.
The permissions are configured in the /etc/krb5kdc/kadm5.acl file:
steve/admin@EXAMPLE.COM *
This entry grants steve/admin the ability to perform any operation on all principals in the realm.
- Now restart the krb5-admin-server for the new ACL to take effect:
sudo /etc/init.d/krb5-admin-server restart
- The new user principal can be tested using the kinit utility:
kinit steve/admin
steve/admin@EXAMPLE.COM's Password:
After entering the password, use the klist utility to view information about the
Ticket Granting Ticket (TGT):
klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: steve/admin@EXAMPLE.COM
Issued Expires Principal
Jul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM
You may need to add an entry into the /etc/hosts for the KDC. For example:
192.168.0.1 kdc01.example.com kdc01
Replacing 192.168.0.1 with the IP address of your KDC.
- In order for clients to determine the KDC for the Realm some DNS SRV records are needed. Add the following to /etc/named/db.example.com:
_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.
Note: Replace EXAMPLE.COM, kdc01, and kdc02 with your domain name, primary KDC, and secondary KDC.
See Chapter 7, Domain Name Service (DNS) for detailed instructions on setting up DNS.
Your new Kerberos Realm is now ready to authenticate clients.
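The kadm5.acl entry above grants steve/admin every right on every principal. The following is an added example, not part of the Ubuntu guide: a simplified model of how kadmind evaluates kadm5.acl lines (wildcard `*` per principal component, lowercase letters grant, uppercase letters deny, `*` or `x` grants all; back-references and the trailing restrictions field are not modelled), with a constructed second entry that gives a hypothetical helpdesk/admin principal only password-change, inquire and list rights on plain user principals.

```python
"""Evaluate kadm5.acl entries in a simplified model of kadmind's rules.

Added example, not from the Ubuntu guide. An entry is
"<principal-pattern> <permissions> [<target-pattern>]"; '*' is a wildcard
inside a principal component; a lowercase letter grants an operation, an
uppercase one denies it, '*' or 'x' grants everything. The first matching
entry decides, and anything unmatched is denied.
"""
import fnmatch

# kadm5.acl permission letters for the operations checked here
OPERATIONS = {"a": "add", "d": "delete", "m": "modify", "c": "changepw",
              "i": "inquire", "l": "list", "s": "setkey"}

# constructed ACL: the guide's entry plus a least-privilege helpdesk entry
SAMPLE_ACL = """\
# steve/admin may do anything to any principal (entry from the guide)
steve/admin@EXAMPLE.COM   *
# helpdesk/admin (hypothetical) may change passwords, inquire and list, but only
# for plain user principals (one component before the @); */admin and host/...
# principals have two components and therefore do not match the target pattern
helpdesk/admin@EXAMPLE.COM   cil   *@EXAMPLE.COM
"""


def _components(principal):
    """'steve/admin@EXAMPLE.COM' -> ['steve', 'admin', 'EXAMPLE.COM']"""
    name, _, realm = principal.partition("@")
    return name.split("/") + [realm]


def principal_matches(pattern, principal):
    """Component-wise match; '*' matches all or part of one component."""
    pat, pri = _components(pattern), _components(principal)
    return len(pat) == len(pri) and all(
        fnmatch.fnmatchcase(p, q) for p, q in zip(pri, pat))


def parse_acl(text):
    """-> list of (principal-pattern, permissions, target-pattern or None)"""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        target = fields[2] if len(fields) > 2 else None   # None: any target
        entries.append((fields[0], fields[1], target))
    return entries


def allowed(entries, actor, op, target):
    """True if `actor` may perform operation letter `op` on `target`."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation letter {op!r}")
    for who, perms, tgt in entries:
        if not principal_matches(who, actor):
            continue
        if tgt is not None and not principal_matches(tgt, target):
            continue
        if perms in ("*", "x"):
            return True
        if op.upper() in perms:      # explicit deny for this operation
            return False
        return op in perms           # first matching entry decides
    return False                     # default deny
```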
Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the
primary becomes unavailable.
- First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC:
sudo apt-get install krb5-kdc krb5-admin-server
- Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter:
kadmin -q "addprinc -randkey host/kdc02.example.com"
Note: After issuing any kadmin command you will be prompted for your username/admin@EXAMPLE.COM principal password.
- Extract the keytab file:
kadmin -q "ktadd -k keytab.kdc02 host/kdc02.example.com"
- There should now be a keytab.kdc02 in the current directory; move the file to /etc/krb5.keytab:
sudo mv keytab.kdc02 /etc/krb5.keytab
Note: If the path to the keytab.kdc02 file is different, adjust accordingly.
Also, you can list the principals in a Keytab file, which can be useful when troubleshooting, using the
klist utility:
sudo klist -k /etc/krb5.keytab
- Next, there needs to be a kpropd.acl file on each KDC that lists all KDCs for the Realm. For example, on both primary and secondary KDC, create /etc/krb5kdc/kpropd.acl:
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
- Create an empty database on the Secondary KDC:
sudo kdb5_util -s create
- Now start the kpropd daemon, which listens for connections from the kprop utility. kprop is used to transfer dump files:
sudo kpropd -S
- From a terminal on the Primary KDC, create a dump file of the principal database:
sudo kdb5_util dump /var/lib/krb5kdc/dump
- Extract the Primary KDC's keytab file and copy it to /etc/krb5.keytab:
kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com"
sudo mv keytab.kdc01 /etc/krb5.keytab
Note: Make sure there is a host principal for kdc01.example.com before extracting the keytab.
- Using the kprop utility, push the database to the Secondary KDC:
sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
Note: There should be a SUCCEEDED message if the propagation worked. If there is an error message, check /var/log/syslog on the secondary KDC for more information.
You may also want to create a cron job to periodically update the database on the Secondary KDC. For
example, the following will push the database every hour:
# m h dom mon dow command
0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
- Back on the Secondary KDC, create a stash file to hold the Kerberos master key:
sudo kdb5_util stash
- Finally, start the krb5-kdc daemon on the Secondary KDC:
sudo /etc/init.d/krb5-kdc start
The Secondary KDC should now be able to issue tickets for the Realm. You can test this by stopping
the krb5-kdc daemon on the Primary KDC, then use kinit to request a ticket.
If all goes well you should receive a ticket from the Secondary KDC.
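The SRV records added earlier list kdc01 at priority 1 and kdc02 at priority 10, which is what makes the Secondary KDC a fallback rather than an equal peer. The following added example (not part of the Ubuntu guide) parses those zone lines, embedded here as a constructed string, and orders the targets the way an RFC 2782 client does: ascending priority, then weight-proportional random choice among equal priorities.

```python
"""Order the KDCs advertised by SRV records the way a client does (RFC 2782).

Added example, not from the Ubuntu guide. ZONE holds the guide's records as
a constructed string; lower priority values are tried first and, within one
priority, targets are drawn at random in proportion to their weight.
"""
import random
from collections import defaultdict

ZONE = """\
_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.
"""


def parse_srv(zone):
    """owner name (lowercase, no trailing dot) -> [(priority, weight, port, target)]"""
    rrsets = defaultdict(list)
    for line in zone.splitlines():
        f = line.split()
        if len(f) != 7 or f[1:3] != ["IN", "SRV"]:
            continue                 # ignore anything that is not a one-line SRV record
        owner = f[0].rstrip(".").lower()
        prio, weight, port = (int(x) for x in f[3:6])
        rrsets[owner].append((prio, weight, port, f[6].rstrip(".").lower()))
    return rrsets


def order_targets(rrset, rng=random):
    """RFC 2782 selection: priorities ascending; within one priority draw
    repeatedly with probability proportional to weight. When the remaining
    weights are all zero, fall back to zone-file order."""
    ordered = []
    by_prio = defaultdict(list)
    for rec in rrset:
        by_prio[rec[0]].append(rec)
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r[1] for r in pool)
            pick = pool[0]
            if total > 0:
                point, running = rng.randint(0, total - 1), 0
                for rec in pool:
                    running += rec[1]
                    if running > point:   # zero-weight records are never hit here
                        pick = rec
                        break
            ordered.append((pick[3], pick[2]))
            pool.remove(pick)
    return ordered


def kdc_candidates(zone, realm, service="_kerberos", proto="_udp", rng=random):
    """Ordered (host, port) list a client would try, e.g. for _kerberos._udp.REALM."""
    owner = f"{service}.{proto}.{realm}".lower()
    return order_targets(parse_srv(zone).get(owner, []), rng)
```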
This section covers configuring a Linux system as a Kerberos client. This will allow access
to any kerberized services once a user has successfully logged into the system.
In order to authenticate to a Kerberos Realm, the krb5-user and libpam-krb5
packages are needed, along with a few others that are not
strictly necessary but make life easier. To install the packages
enter the following in a terminal prompt:
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
The auth-client-config package allows simple configuration of PAM for authentication from multiple
sources, and the libpam-ccreds
will cache authentication credentials allowing you to login in case the
Key Distribution Center (KDC) is unavailable. This package is
also useful for laptops that may authenticate using Kerberos while
on the corporate network, but will need to be accessed off the
network as well.
To configure the client in a terminal enter:
sudo dpkg-reconfigure krb5-config
You will then be prompted to enter the name of the Kerberos
Realm. Also, if you don't have DNS configured with Kerberos
SRV records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and
Realm Administration server.
The dpkg-reconfigure adds entries to the /etc/krb5.conf file for your Realm.
You should have entries similar to the following:
[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
kdc = 192.168.0.1
admin_server = 192.168.0.1
}
You can test the configuration by requesting a ticket using the kinit utility. For example:
kinit steve@EXAMPLE.COM
Password for steve@EXAMPLE.COM:
When a ticket has been granted, the details can be viewed using klist:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: steve@EXAMPLE.COM
Valid starting Expires Service principal
07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/25/08 05:18:57
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
Next, use the auth-client-config to configure the libpam-krb5 module
to request a ticket during login:
sudo auth-client-config -a -p kerberos_example
You should now receive a ticket upon successful login authentication.
1. What is an SSL certificate, and what is HTTPS
An SSL certificate is a digital certificate that uses the Secure Socket Layer protocol to establish a secure channel between the browser and the web server, which achieves: 1. encrypted transmission of data between client and server, so that the information exchanged cannot be eavesdropped on by a third party; 2. letting users verify, through the server certificate, whether the website they are visiting is genuine. (via Baidu Baike)
HTTPS is an HTTP channel with security as its goal, that is, HTTP with an SSL encryption layer added. HTTPS uses a different port from HTTP: the default HTTP port is 80, the default HTTPS port is 443.
2. Which websites need an SSL certificate
1. Shopping and transaction sites. It goes without saying that online banking, Alipay, PayPal and the like encrypt everything to protect your information.
2. Registration and login. Some large sites, e-mail providers for example, use a dedicated SSL channel for member registration or login so that passwords cannot be stolen.
3. Certain online proxies. This one... ahem, let's not go there.
4. Showing off. Like me...
3. Issuing your own SSL certificate (not trusted by browsers)
Issuing a certificate for the 33iq (晒晒IQ) site. SSH into the server and enter the following commands in the terminal to generate an RSA key and certificate with openssl.
# generate an RSA key
$ openssl genrsa -des3 -out 33iq.key 1024
# make a copy of the key that does not require a password
$ openssl rsa -in 33iq.key -out 33iq_nopass.key
# generate a certificate signing request
$ openssl req -new -key 33iq.key -out 33iq.csr
# sign the certificate yourself
$ openssl x509 -req -days 365 -in 33iq.csr -signkey 33iq.key -out 33iq.crt
The third command generates the certificate request; it prompts for province, city, domain name and so on. The important point is that the e-mail address must end in your domain. You now have a csr file, and this csr file is what you submit to an SSL provider. Here, of course, I did not apply to a certificate provider but signed the certificate myself in step 4.
Edit the nginx.conf configuration file to add the HTTPS protocol to the site:
server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/33iq.crt;
    ssl_certificate_key /usr/local/nginx/conf/33iq_nopass.key;
    # if ssl_certificate_key uses 33iq.key, the key password must be entered every time the Nginx server starts.
}
After restarting Nginx the site can be accessed over https. A self-issued SSL certificate does provide encrypted transport, but browsers do not trust it and display a warning.
4. Browser-trusted certificates
To obtain a browser-trusted certificate you must apply to a certificate provider. A certificate authority (CA) issues a digital certificate to each user of a public key. Browsers ship with the certificates of some CAs built in, so certificates issued by those CAs are trusted. VeriSign is a well-known foreign CA; ICBC, China Construction Bank, China Merchants Bank, Alipay, Tenpay and other sites all use VeriSign certificates, while non-financial sites such as NetEase mail use SSL certificates issued by CNNIC (China Internet Network Information Center). Generally a certificate is not cheap: a VeriSign certificate, for example, costs around 8000 RMB per year.
It is said that free certificates can also be applied for. Like VeriSign, StartSSL is a CA; its root certificate has long been supported by browsers with an open-source background (Firefox, Google Chrome, Apple Safari, etc.). Later StartSSL even got Microsoft on board: in an update, Microsoft revised the list of vendors passing the Windows Root Certificate Program and included StartCom for the first time. Now, on Windows 7, or on Windows Vista or Windows XP with the update installed, the system fully trusts certificates issued by free CAs such as StartCom, so StartSSL is supported by Internet Explorer as well. (source and application steps)
5. Using https only for registration and login
Since HTTPS guarantees security, why do most websites in the world still use HTTP? Using HTTPS is a heavy load on the server. For performance reasons we cannot encrypt every request of every user (giants like Google excepted, of course). As an ordinary site, all we want is security during transactions and password login. This can be done with rewrite rules in the Nginx configuration.
Add the following in the https server block:
if ($uri !~* "/logging.php$") {
    rewrite ^/(.*)$ http://$host/$1 redirect;
}
Add the following in the http server block:
if ($uri ~* "/logging.php$") {
    rewrite ^/(.*)$ https://$host/$1 redirect;
}
This way users go through https only when they visit logging.php.
Update: some development frameworks decide whether the current request uses https by checking whether the PHP variable $_SERVER['HTTPS'] is on. For that we need to add one line to the Nginx configuration to set this variable. Anyone who finds that an https link jumps back to http after the redirect can refer to this. (The location blocks below use the regex modifier ~, which the original text omitted.)
server {
    ...
    listen 443;
    location ~ \.php$ {
        ...
        include fastcgi_params;
        fastcgi_param HTTPS on;   # add this one line
    }
}
server {
    ...
    listen 80;
    location ~ \.php$ {
        ...
        include fastcgi_params;
    }
}
References:
http://zou.lu/nginx-https-ssl-module
http://blog.s135.com/startssl/
http://www.baalchina.net/2008/08/nginx-https-rewrite/
com.mysql.jdbc.CommunicationsException: The last packet successfully received from the server was 58129 seconds ago. The last packet sent successfully to the server was 58129 seconds ago, which is longer than the server configured value of 'wait_timeout'. You should consider either expiring and/or testing connection validity before use in your application, increasing the server configured values for client timeouts, or using the Connector/J connection property 'autoReconnect=true' to avoid this problem.
I looked it up: this is caused by MySQL's timeout setting. If a connection stays idle for 8 hours (no database operation within 8 hours), MySQL closes the connection automatically and Tomcat has to be restarted.
Solutions:
1. If you are not using Hibernate, add the parameter autoReconnect=true to the connection URL:
jdbc.url=jdbc:mysql://ipaddress:3306/database?autoReconnect=true&autoReconnectForPools=true
2. If you are using Hibernate, add the following properties:
<property name="connection.autoReconnect">true</property>
<property name="connection.autoReconnectForPools">true</property>
<property name="connection.is-connection-validation-required">true</property>
3. If you also use the c3p0 connection pool:
<property name="hibernate.c3p0.acquire_increment">1</property>
<property name="hibernate.c3p0.idle_test_period">0</property>
<property name="hibernate.c3p0.timeout">0</property>
<property name="hibernate.c3p0.validate">true</property>
4. The least desirable solution
When Connector/J is used to connect to a MySQL database, the program reports the following error after running for a long time:
Communications link failure, The last packet successfully received from the server was *** millisecond ago. The last packet successfully sent to the server was *** millisecond ago.
The error also suggests changing wait_timeout or using Connector/J's autoReconnect property to avoid it.
Later I looked into it and found that quite a few people have run into this problem, mostly when using a connection pool; with short-lived connections it should be hard to hit. The cause:
The MySQL server's default wait_timeout is 28800 seconds, that is, 8 hours, meaning that if a connection is idle for more than 8 hours MySQL closes it automatically, while the connection pool still considers the connection valid (because it never validates connections). When the application then asks for that connection, the error above results.
1. As the error suggests, the autoReconnect property can be used in the JDBC URL. In my test I used autoReconnect=true&failOverReadOnly=false, but it had no effect. I was on version 5.1, so perhaps, as people say online, it only works for versions before 4.
2. With no other option left, change MySQL's parameters. wait_timeout can be at most 31536000, that is, one year. Add to my.cnf:
[mysqld]
wait_timeout=31536000
interactive_timeout=31536000
Restart for the change to take effect; both parameters must be changed together.
SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"
NO_AUTO_VALUE_ON_ZERO affects the handling of AUTO_INCREMENT columns. Normally you can insert NULL or 0 into such a column to generate the next sequence number. NO_AUTO_VALUE_ON_ZERO disables this behaviour for 0, so only NULL generates the next sequence number. This mode is useful if you store 0 in a table's AUTO_INCREMENT column (a practice that is not recommended). For example, if you dump a table with mysqldump and then reload it, MySQL would normally generate new sequence numbers when it encounters 0 values, and the reloaded table would differ from the dumped one. Enabling NO_AUTO_VALUE_ON_ZERO before reloading the dump file solves this.
8 Virtual Desktop programs: Ulteo, NX Enterprise Server, FOSS-Cloud, Oracle VirtualBox, Thinstuff, JetClouding, GoGrid, 2X Cloud Computing
sudo qemu-img create -f qcow2 -o size=30240M,preallocation=metadata win2003_hda.img
http://blog.kreyolys.com/2011/09/27/kvm-virtual-machines-disk-format-file-basedqcow2-or-block-devicelvm2/ (comparison of file-based qcow2 and LVM block devices)
sudo virt-install \
  --name win2003_test \
  --ram=1024 \
  --vcpus=2 \
  --disk /kvm/win2003_hda.img,bus=virtio \
  --network bridge:br0,model=virtio \
  --vnc \
  --accelerate \
  -c /share/os/win2003-i386.iso \
  --disk /home/kvm/virtio-win-1.1.16.vfd,device=floppy \
  -c /home/kvm/virtio-win-0.1-22.iso \
  --os-type=windows \
  --os-variant=win2k3 \
  --noapic \
  --connect qemu:///system \
  --hvm
http://www.howtoforge.com/installing-kvm-guests-with-virt-install-on-ubuntu-12.04-lts-server
Paravirtualization reference:
#!/bin/sh
WINISO=/path/to/win7.iso      # Windows ISO
INSTALLDISK=win7virtio.img    # Disk location. Can be LVM LV
VFD=http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/virtio-win-1.1.16.vfd
DRVRISO=http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/virtio-win-0.1-22.iso
[ -e $(basename $VFD) ] || wget $VFD
[ -e $(basename $DRVRISO) ] || wget $DRVRISO
[ -e $INSTALLDISK ] || qemu-img create $INSTALLDISK 30G
sudo virt-install -c qemu:///system --virt-type kvm --name win7virtio --ram 1024 --disk path="$INSTALLDISK",bus=virtio \
  --disk $(basename $VFD),device=floppy --os-variant win7 --cdrom $(basename $DRVRISO) --cdrom "$WINISO" --vcpus 2
# END OF BASH SCRIPT
Other references:
In my previous article KVM Guests: Using Virt-Install to Import an Existing Disk Image we discussed how to use virt-install to import an existing disk image, which already has an OS installed into it. Additionally in KVM Guests: Using Virt-Install to Install Debian and Ubuntu Guests I documented how to initiate an install directly off of the apt mirror of your choice for Debian and Ubuntu Guests using virt-install. In this article we will use virt-install to create a guest and begin the installation using a CD or ISO image for installation media.
Assumptions I Have Made
- My KVM host is Ubuntu 10.10 and I am assuming that yours is as well. If it is not then the syntax might be slightly different or may not include the same features.
- That you have kvm installed on the host and you can manually create VMs using virt-manager and they work perfectly.
- That you have a bridge configured and working on other guests.
- That you have virt-install and libvirt-bin installed as well as virt-manager or virt-viewer so that you can complete the install after the virt-install command has completed.
- That you are trying to import disk images that support VirtIO devices (most recent Linux distributions; Windows does not natively support the VirtIO interface, so you will have had to manually install the VirtIO drivers into your disk image).
The Basic Command
# virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntu --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=virtio,size=40,sparse=true,format=raw -w bridge=br0,model=virtio --vnc --noautoconsole -c /kvm/images/iso/ubuntu.iso
Parameters Detailed
- -n vmname [the name of your VM]
- -r 2048 [the amount of RAM in MB for your VM]
- --os-type=linux [the type of OS, linux or windows]
- --os-variant=ubuntu [the distribution or version of Windows; for a full list see man virt-install]
- --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=virtio,size=40,sparse=true,format=raw [this is a long one: you define the path, then comma-delimited options. device is the type of storage: cdrom, disk, floppy. bus is the interface: ide, scsi, usb, virtio. virtio is the fastest but you need to install the drivers for Windows, and older versions of Linux don't have support]
- -w bridge=br0,model=virtio [the network configuration; in this case we are connecting to a bridge named br0 and using the virtio drivers, which perform much better. If you are using an OS which doesn't support virtio you can use e1000 or rtl8139. You could alternatively use --nonetworks if you do not need networking]
- --vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or virt-manager to see the desktop as if you were at the monitor of a physical machine]
- --noautoconsole [configures the installer to NOT automatically try to open virt-viewer to view the console to complete the installation; this is helpful if you are working on a remote system through SSH]
- -c /kvm/images/iso/ubuntu.iso [this option specifies the cdrom device or iso image to boot off of. You could additionally specify the cdrom device as a disk device and not use the -c option; it will then boot off of the cdrom if you don't specify another installation method]
LVM Disk Variation
# virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntulucid --disk /dev/vg_name/lv_name,device=disk,bus=virtio -w bridge=br0,model=virtio --vnc --noautoconsole -c /kvm/images/iso/ubuntu.iso
No VirtIO Variation (Uses IDE and e1000 NIC Emulation)
# virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntulucid --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=ide,size=40,sparse=true,format=raw -w bridge=br0,model=e1000 --vnc --noautoconsole -c /kvm/images/iso/ubuntu.iso
Define VM Without Installation Method
# virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntulucid --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=virtio,size=40,sparse=true,format=raw --disk /kvm/images/iso/ubuntu.iso,device=cdrom -w bridge=br0,model=virtio --vnc --noautoconsole
###################
# Installing Xming and PuTTY:
###################
Xming is free software that runs the X Window System (also called X11 or X) on Microsoft Windows; it can be used to run Linux programs on Windows (an X server, which is this program, has to run on the local Windows machine). Linux and the various Unix-like operating systems all use graphical interfaces based on X Window. Its bulk makes running 3D games on Linux very difficult, but thanks to its clean interface, extensibility and portability (and, importantly, its network transparency), it is very convenient for starting Linux graphical programs remotely.
Download: https://sourceforge.net/projects/xming/ or http://www.straightrunning.com/XmingNotes/
Xming: renders the display with OpenGL
Xming-fonts: standard X fonts; some traditional X applications need these to display
Xming-mesa: renders with the slower Mesa; sometimes better for X forwarding
Xming-portable-PuTTY: an ssh program that provides X forwarding
Xming-tools-and-clients: some tools specific to X applications
PuTTY: http://www.putty.org/
####################################################
# Using Xming over SSH: opening a Linux graphical interface from a PuTTY terminal
####################################################
1) Make sure /etc/ssh/sshd_config on the Linux server contains: X11Forwarding yes
2) X11 forwarding in PuTTY: PuTTY Configuration --> Preferred SSH protocol version -> SSH version 2. Connection --> SSH --> X11 --> Enable X11 forwarding; enter localhost:0 as the X display location and choose MIT-Magic-Cookie-1 as the protocol below it.
3) Start a Linux graphical program from Windows. Start Xming, keeping the default 0 for "Display number". Connect to the Linux server with PuTTY and run in the PuTTY terminal:
export DISPLAY=10.160.13.229:0
(Note: this IP is the address of the host on which the Xming program is installed, that is, the X server's IP address, which here is your Windows machine's address; the X client is the Linux server.)
(The DISPLAY environment variable has the format hostname:displaynumber.screennumber. On some machines several display devices share one set of input devices, for example a PC connected to two CRT monitors that share one keyboard and one mouse. Such a group of displays has one common displaynumber, and each individual device in the group has its own screennumber. Both displaynumber and screennumber are numbered from zero, so for ordinary users both are 0. hostname is the host name or IP address of the machine the X server runs on, where the graphics will be displayed; it can be a Linux/Unix machine with a graphical interface running, or a Windows machine running an X server such as Exceed or X-Deep/32. If the host is empty, the X server runs on the local machine and the graphical program (X client) connects to it over a unix socket rather than TCP. With TCP, displaynumber is the connection port minus 6000, so displaynumber 0 means port 6000; with a unix socket it selects the socket path, so displaynumber 0 means /tmp/.X11-unix/X0. screennumber is almost always 0.)
Then run gvim, and the Linux gvim appears on your Windows desktop.
If you get:
Xlib: connection to "10.160.13.229:0.0" refused by server
Xlib: No protocol specified
click "view log" on the Xming server icon in the bottom-right corner; the log shows a message like:
AUDIT: ... Xming: client 4 rejected from IP 10.160.23.18
where 10.160.23.18 is the Linux server's address.
Solution: right-click the Xming icon on the desktop and modify the Xming command to disable access control with the -ac option:
C:\Program Files\XMing\Xming.exe :0 -clipboard -multiwindow -ac
Then start Xming, and the Linux graphical interface is displayed on Windows.
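The parenthetical above describes the DISPLAY format and how it maps to a TCP port or a unix socket. The following added example (not part of the original post) implements that mapping; the sample values are the ones from the post plus a constructed localhost:10.0, which is the form sshd hands a client when X11Forwarding from step 1 is in use.

```python
"""Resolve an X11 DISPLAY value to the endpoint an X client would connect to.

Added example, not from the original post. Rules modelled, as described above:
DISPLAY is host:displaynumber[.screennumber]; with a host the client uses
TCP port 6000 + displaynumber; with an empty host it uses the unix socket
/tmp/.X11-unix/X<displaynumber>; screennumber defaults to 0.
"""
import re

DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<display>\d+)(?:\.(?P<screen>\d+))?$")


def resolve_display(value):
    """Return a dict describing where a client connects for DISPLAY=value."""
    m = DISPLAY_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed DISPLAY value: {value!r}")
    display = int(m.group("display"))
    screen = int(m.group("screen") or 0)      # screennumber is almost always 0
    host = m.group("host")
    if host == "":
        # empty host: a local X server reached over a unix socket, not TCP
        return {"transport": "unix", "path": f"/tmp/.X11-unix/X{display}",
                "display": display, "screen": screen}
    return {"transport": "tcp", "host": host, "port": 6000 + display,
            "display": display, "screen": screen}


def is_direct_tcp(value):
    """True when the client would open a plain TCP connection to a remote X
    server (the situation in the post), False for the unix-socket or loopback
    cases such as the localhost:10.0 that sshd sets up for X11 forwarding."""
    info = resolve_display(value)
    return info["transport"] == "tcp" and info["host"] not in ("localhost", "127.0.0.1")
```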
Nginx's location directive allows different configuration for different URIs; the match can be a string or a regular expression. Regular-expression matches use the following prefixes:
(1) ~*, case-insensitive match.
(2) ~, case-sensitive match.
Non-regex (string) matches use the following prefixes:
(1) ^~, stop regex matching once the string matches.
(2) =, exact match.
(3) @, which of course is not really string matching either; if you like, you can think of it as a regex match. It is a named location; such locations are not used for normal requests and are normally only used to handle internal redirects.
During matching, Nginx first matches strings and then regular expressions. The search stops at the first regular expression that matches. If a regular expression matches, its result is used; if no regular expression matches, the result of the string match is used.
In other words, if both a string and a regular expression match, the regular expression's result is used. Here the "^~" prefix can be used to stop the regular expressions from being checked after a string has matched: once the URI has matched, the search stops.
The "=" prefix performs an exact URI match; if a matching URI is found, the search stops. "location = /" matches only "/", and "/test.html" will not be matched.
Regular expressions are matched in the order they appear in the configuration file; the earlier one takes precedence.
In addition, the "@" prefix is a named location; such locations are not used for normal requests and only handle internal redirects (for example error_page, try_files).
Finally, a summary of the matching process:
(1) Locations with the "=" prefix are matched first; if one is found, the search ends.
(2) All other locations are matched as non-regex, finding the most specific match (for the URI /blog/admin/, location /blog is longer than location /, so location /blog is more specific than location /). If the one found carries the "^~" prefix, the search ends and it is returned directly; otherwise regex matching begins. Can it happen that none of the non-regex locations match the URI? Yes, if you do not define a location / this can indeed happen; no matter, regex matching still takes place.
(3) Regex matching, in the order the locations appear in our configuration file.
(4) If a regex matches, that regex location is used; otherwise the result of step 2 is used. If "otherwise" happens and the situation assumed in step 2 (no prefix match at all) also happens, what then? A 404 is waiting for you.
Reference: nginx location 的管理以及查找 (management and lookup of nginx locations)
Example:
location = / {
    # matches only the / query.
    [ configuration A ]
}
location / {
    # matches any query, since all requests begin with /. But regex rules and longer block rules will take precedence in matching the query.
    [ configuration B ]
}
location ^~ /images/ {
    # matches any query beginning with /images/ and stops searching. No regular expression will be tested.
    [ configuration C ]
}
location ~* \.(gif|jpg|jpeg)$ {
    # matches any request ending in gif, jpg or jpeg. However, all requests for the /images/ directory will use Configuration C.
    [ configuration D ]
}
Example requests:
1. / -> exact match on the 1st location, matching stops, configuration A is used.
2. /some/other/url -> the prefix string first matches the 2nd location; regex matching follows and clearly nothing matches, so the 2nd location's configuration B is used.
3. /images/1.jpg -> the prefix string first matches the 2nd location, but the 3rd location also matches as a prefix, and it is the longest string match for this URL in the configuration file. Since the location carries the "^~" prefix, no regex matching is done and configuration C is used.
4. /some/other/path/to/1.jpg -> the prefix string again first matches the 2nd location; regex matching follows and succeeds, so configuration D is used.
Note: defining these 4 configurations in any order gives the same result.
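The four-step procedure and the four example requests above, as an added example that is not nginx code and not part of the original post: a parser for the example's location blocks (embedded as a constructed string, comments removed) and a selector that applies the steps, including the "any order gives the same result" claim and the case-insensitivity of ~*.

```python
"""Model of nginx location selection following the four steps described above.

Added example, not nginx source. Handles the '=', '^~', '~' and '~*'
modifiers plus plain prefixes; '@' named locations are parsed but never
match a client request. CONF is the example configuration above.
"""
import re

CONF = r"""
location = / {
    [ configuration A ]
}
location / {
    [ configuration B ]
}
location ^~ /images/ {
    [ configuration C ]
}
location ~* \.(gif|jpg|jpeg)$ {
    [ configuration D ]
}
"""

# "location [modifier] pattern { ... [ configuration X ] ..."
LOCATION_RE = re.compile(
    r"location\s+(?:(=|\^~|~\*|~|@)\s+)?(\S+)\s*\{.*?\[\s*configuration\s+(\w+)\s*\]",
    re.S)


def parse_locations(conf):
    """-> list of (modifier, pattern, label) in configuration-file order"""
    return [(m.group(1) or "", m.group(2), m.group(3))
            for m in LOCATION_RE.finditer(conf)]


def select_location(locations, uri):
    """Label of the location nginx would use for `uri`, or None when nothing
    matches at all (the 404 case in step 4)."""
    # step 1: an exact '=' match wins outright
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label
    # step 2: longest string prefix among plain and '^~' locations;
    # a '^~' winner ends the search before any regex is tried
    best = None
    for mod, pat, label in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    if best is not None and best[0] == "^~":
        return best[2]
    # step 3: regular expressions in file order, first match wins
    for mod, pat, label in locations:
        if mod == "~" and re.search(pat, uri):
            return label
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return label
    # step 4: fall back to the prefix result from step 2, if there was one
    return best[2] if best is not None else None
```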
What I found online was to add the following to the configuration file:
optimize_server_names off;
server_name_in_redirect off;
But nginx 0.8.38 reports:
Restarting nginx: [warn]: the "optimize_server_names" directive is deprecated, use the "server_name_in_redirect" directive instead in /etc/nginx/nginx.conf:44
[emerg]: "server_name_in_redirect" directive is duplicate in /etc/nginx/nginx.conf:45
configuration file /etc/nginx/nginx.conf test failed
This means that optimize_server_names is deprecated and server_name_in_redirect alone is enough. So just add the following single line to nginx.conf:
server_name_in_redirect off;