Category Archives: Unix

Deploy Google BBR on Centos

visit https://www.elrepo.org

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org

CentOS 6: rpm -Uvh http://www.elrepo.org/elrepo-release-6-8.el6.elrepo.noarch.rpm

CentOS 7: rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm

yum --enablerepo=elrepo-kernel install kernel-ml -y

vi /boot/grub/grub.conf

default=0

vi /etc/sysctl.conf

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

reboot

sysctl net.ipv4.tcp_available_congestion_control

The output should resemble:
net.ipv4.tcp_available_congestion_control = bbr cubic reno
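A post-reboot check, added here as an example and not part of the original post: it parses the three sysctl values the steps above touch and reports whether BBR is available in the running kernel, actually selected, and paired with the fq qdisc. The listings are constructed samples; on a real host feed in the output of `sysctl` as shown in the comment.

```shell
# Constructed sample of what sysctl prints on a host where the steps above
# worked (not captured from a real machine). On a real host run:
#   bbr_status "$(sysctl net.ipv4.tcp_available_congestion_control net.ipv4.tcp_congestion_control net.core.default_qdisc)"
SAMPLE_OK='net.ipv4.tcp_available_congestion_control = bbr cubic reno
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq'

# Constructed sample for a host still booted into the stock kernel.
SAMPLE_OLD_KERNEL='net.ipv4.tcp_available_congestion_control = cubic reno
net.ipv4.tcp_congestion_control = cubic
net.core.default_qdisc = pfifo_fast'

# Constructed sample: kernel-ml is running but /etc/sysctl.conf was not applied.
SAMPLE_NOT_APPLIED='net.ipv4.tcp_available_congestion_control = bbr cubic reno
net.ipv4.tcp_congestion_control = cubic
net.core.default_qdisc = pfifo_fast'

# sysctl_value LISTING KEY: print the value of KEY from "key = value" lines.
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }'
}

# bbr_status LISTING: print "ok" and return 0 when BBR is available, active
# and paired with the fq qdisc; otherwise print the first failing check and
# return 1. "not-available" means the new kernel is not the one running.
bbr_status() {
    avail=$(sysctl_value "$1" net.ipv4.tcp_available_congestion_control)
    active=$(sysctl_value "$1" net.ipv4.tcp_congestion_control)
    qdisc=$(sysctl_value "$1" net.core.default_qdisc)
    case " $avail " in
        *" bbr "*) ;;
        *) echo "not-available"; return 1 ;;
    esac
    [ "$active" = "bbr" ] || { echo "not-active"; return 1; }
    [ "$qdisc" = "fq" ] || { echo "qdisc-not-fq"; return 1; }
    echo "ok"
}
```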

OpenVPN Server on FreeBSD

A little different from CentOS.

  1. Install openvpn with pkg: pkg install openvpn
  2. Use easy-rsa to generate the certificates and generate the openvpn server configuration file; the defaults are fine. We use the udp protocol and change the service port to 443, which is more universally reachable.
  3. Edit rc.conf: enable pf for NAT, enable the gateway, and add the openvpn settings:
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    gateway_enable="YES"
    openvpn_enable="yes"
    openvpn_configfile="/usr/local/etc/openvpn/2.0/conf/server.conf"
    openvpn_if="tun"
  4. Add the pf.conf configuration file. Here our FreeBSD runs on ESXi, so the NIC is vmx0; the openvpn clients' network is 10.9.0.0/24 and the server's IP address is 192.168.0.99:
    #/etc/pf.conf
    if="vmx0"
    vpn_if="tun0"
    vpn_net = "10.9.0.0/24"
    icmp_types = "echoreq"
    open_tcp = "{22}"
    open_udp = "{443}"
    # wan ip
    ip = 192.168.0.99
    set block-policy drop
    set skip on lo0
    set limit { states 10000, frags 5000 }
    set loginterface vmx0
    set optimization normal
    set require-order yes
    set fingerprints "/etc/pf.os"
    set ruleset-optimization basic
    scrub in all fragment reassemble random-id
    nat on $if from $vpn_net to any -> $ip

    block log all
    block return

    antispoof quick for $if
    pass in quick proto udp from any to port 443 keep state label "openvpn"

    # Pass stuff on the VPN interface
    pass quick on $vpn_if keep state

    pass in on $if proto tcp from any to any port 22 keep state

    pass in on $if proto tcp from any to any port $open_tcp keep state
    pass in on $if proto udp from any to any port $open_udp keep state

    pass out quick all keep state

    pass in on $if inet proto icmp all icmp-type $icmp_types keep state

  5. Add the IP forwarding setting to sysctl.conf: net.inet.ip.forwarding=1
  6. Now it can be started: service openvpn start
  7. It is all much of a muchness really, but lately I have found zfs and jail to be very good things; the designs of the masters are often ahead of their time, yet it is the crude, bug-ridden designs that become popular in the world.


Create a bootable CentOS USB drive with a Mac (OS X) for a PC

1. Visit CentOS's web page, https://www.centos.org/download/, and download the iso image you'd like to boot from.
2. When the download has completed, open up Terminal and use 'hdiutil' to convert the *.iso to an *.img file (specifically, a UDIF read/write image).

$hdiutil convert -format UDRW -o target.img CentOS-7.0-1406-x86_64-Everything.iso
Reading Master Boot Record (MBR : 0)…
Reading CentOS 7 x86_64 (Apple_ISO : 1)…
Reading (Type EF : 2)…
Reading CentOS 7 x86_64 (Apple_ISO : 3)…
…………………………………………………………………….
Elapsed Time: 33.590s
Speed: 200.5Mbytes/sec
Savings: 0.0%
created: /tmp/target.img.dmg

3. Use the ‘dd’ utility to copy the iso to your USB drive:

$ diskutil list
/dev/disk0
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *121.3 GB disk0
1: EFI EFI 209.7 MB disk0s1
2: Apple_HFS Macintosh HD 120.5 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
/dev/disk1
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *31.9 GB disk1
1: DOS_FAT_32 NO NAME 31.9 GB disk1s1
/dev/disk2
#: TYPE NAME SIZE IDENTIFIER
0: CentOS_7.0_Final *4.5 GB disk2
$ diskutil unmountDisk /dev/disk1
Unmount of all volumes on disk1 was successful
$ diskutil unmountDisk /dev/disk2
Unmount of all volumes on disk2 was successful
$ time sudo dd if=target.img.dmg of=/dev/disk1 bs=1m
Password:
4261+0 records in
4261+0 records out
4467982336 bytes transferred in 1215.483272 secs (3675890 bytes/sec)
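A guard for the dd step, added here as an example and not part of the original post: it parses `diskutil list` output (a constructed copy of the listing above is embedded) and refuses any target that is not a whole-disk identifier, is disk0, is not MBR (FDisk) partitioned like a USB stick, or carries macOS volumes. The rule that disk0 is the Mac's own internal disk is an assumption that matches the listing above.

```shell
# Constructed sample modelled on the diskutil listing above (not captured from
# a real Mac); on a real machine use: safe_dd_target "$(diskutil list)" disk1
DISKUTIL_SAMPLE='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *31.9 GB    disk1
   1:                 DOS_FAT_32 NO NAME                 31.9 GB    disk1s1'

# disk_scheme LISTING DISK: print the partition scheme of a whole disk
# (row 0 of its table), or nothing if the disk is not listed at all.
disk_scheme() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == "0:" && $NF == d { print $2; exit }'
}

# mac_volumes LISTING DISK: count Apple_HFS/APFS volumes on DISK, i.e. the
# volumes an accidental dd to the wrong identifier would destroy.
mac_volumes() {
    printf '%s\n' "$1" | awk -v d="$2" '
        /^\/dev\// { cur = substr($1, 6) }
        cur == d && $2 ~ /^(Apple_HFS|Apple_APFS|APFS)$/ { n++ }
        END { print n + 0 }'
}

# safe_dd_target LISTING DISK: succeed only for a whole-disk identifier that
# is not disk0 (assumed to be the internal boot disk, as in the listing),
# is FDisk/MBR partitioned and holds no macOS volumes. Call it before:
#   sudo dd if=target.img.dmg of=/dev/$DISK bs=1m
safe_dd_target() {
    case "$2" in
        disk0) echo "refusing $2: internal boot disk"; return 1 ;;
        disk[0-9]|disk[0-9][0-9]) ;;
        *) echo "refusing $2: not a whole-disk identifier"; return 1 ;;
    esac
    scheme=$(disk_scheme "$1" "$2")
    [ "$scheme" = "FDisk_partition_scheme" ] ||
        { echo "refusing $2: partition scheme '${scheme:-unknown}'"; return 1; }
    n=$(mac_volumes "$1" "$2")
    [ "$n" -eq 0 ] || { echo "refusing $2: carries $n macOS volume(s)"; return 1; }
    echo "ok: /dev/$2"
}
```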

Linux IPTables: Incoming and Outgoing Rule Examples

Default Chain Policy

As you notice below, it says “(policy ACCEPT)” next to all the three chain names (INPUT, OUTPUT, and FORWARD). This indicates that the default chain policy is ACCEPT.

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
So, you have two options here.
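An audit helper for the point above, added here as an example and not part of the original post: it parses `iptables -L` output and lists the built-in chains whose default policy is ACCEPT, i.e. the chains where a packet matching no rule is let through. Both listings are constructed samples modelled on the output above.

```shell
# Constructed listing modelled on the `iptables -L` output above (not taken
# from a live host); on a real box use: open_by_default "$(iptables -L -n)"
IPT_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed listing after the default policies have been set to DROP.
IPT_LOCKED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination'

# chain_policies LISTING: print "CHAIN POLICY" for each built-in chain.
# User-defined chains show "(N references)" instead and are skipped.
chain_policies() {
    printf '%s\n' "$1" |
        awk '$1 == "Chain" && $3 == "(policy" { gsub(/[()]/, "", $4); print $2, $4 }'
}

# open_by_default LISTING: print the chains whose policy is ACCEPT (a packet
# matching no rule is accepted); return 1 if any such chain exists, else 0.
open_by_default() {
    chain_policies "$1" | awk '$2 == "ACCEPT" { print $1; found = 1 } END { exit found ? 1 : 0 }'
}
```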

Upgrading GD on CentOS

Image processing on CentOS has always been a flaky business: Java is a pain, C is a pain, and even PHP is a pain. What is maddening about PHP is that it gives no hint whatsoever.

Once you upgrade the PHP runtime beyond 5.4, the GD library that ships with CentOS fails, because the highest version in the OS does not reach 2.1, but starting with PHP 5.5 the GD library supported by default is already 2.1; the older GD library cannot be called, and there is no hint at all. For quite a long time I puzzled over why WordPress's image processing had suddenly stopped working and could not generate thumbnails. Although the ImageMagick plugin solved part of the problem, I always felt there was a bug lurking there and could not find the cause; I had considered that it might be GD, but never thought it was a version problem.

Below we upgrade GD on CentOS. Although my favourite OS is FreeBSD, many new features are not supported on FreeBSD, which is quite troubling.

First download the source code:

cd /tmp
wget https://github.com/libgd/libgd/archive/gd-2.1.1.tar.gz
tar zxf gd-2.1.1.tar.gz
cd libgd-gd-2.1.1

GD's source code is released as a single package for multiple platforms, with no default configure script, so following the docs we need a few extra steps. When running autoconf errors out, it may be because aclocal or automake is missing; the key step is that when automake complains about --add-missing, you need to use autoreconf -i. So releasing a cross-platform source code package is such a troublesome idea. After autoreconf -i, you can configure and make normally, no different from an ordinary build; here we set the prefix to /usr/local/gd, and naturally, when compiling PHP we then need to add a matching parameter, ./configure --with-gd=/usr/local/gd. The end result looks roughly like this:

[screenshot 20150227001]

Only after this will GD in PHP 5.5 and PHP 5.6 operate normally; otherwise it is all a piece of shit, and even if phpinfo reports bundled as normal, it is still a pile of shit. Unfortunately WordPress only supports GD by default; it would be better if it supported ImageMagick.

As below, this is useless.

[screenshot 20150227002]