
1. Implement vsftpd virtual-user access authenticated against MySQL
Environment: the database server is 192.168.0.10 and the vsftpd server is 192.168.0.30.
1) Install vsftpd
[root@test-centos7-node3 ~]#
[root@test-centos7-node3 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4a:bd:74 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.30/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4a:bd74/64 scope link
valid_lft forever preferred_lft forever
[root@test-centos7-node3 ~]# yum install -y vsftpd
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
epel | 5.3 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:3.0.2-25.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================================
Package Arch Version Repository Size
=================================================================================================
Installing:
vsftpd x86_64 3.0.2-25.el7 base 171 k
Transaction Summary
=================================================================================================
Install 1 Package
Total download size: 171 k
Installed size: 353 k
Downloading packages:
vsftpd-3.0.2-25.el7.x86_64.rpm | 171 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : vsftpd-3.0.2-25.el7.x86_64 1/1
Verifying : vsftpd-3.0.2-25.el7.x86_64 1/1
Installed:
vsftpd.x86_64 0:3.0.2-25.el7
Complete!
[root@test-centos7-node3 ~]#
2) Compile and install pam-mysql
2.1 Install the build-environment dependencies
[root@test-centos7-node3 ~]# yum groupinstall -y "development tools"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Maybe run: yum groups mark install (see man yum)
No packages in any requested group available to install or update
[root@test-centos7-node3 ~]# yum -y install mariadb-devel pam-devel
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Package 1:mariadb-devel-5.5.64-1.el7.x86_64 already installed and latest version
Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version
Nothing to do
[root@test-centos7-node3 ~]#
Note: the output above shows that the package group and the packages we need are already installed.
2.2 Upload pam_mysql-0.7RC1.tar.gz (the tarball used in this session is pam_mysql-0.7pre3.tar.gz), extract it, then compile and install
[root@test-centos7-node3 ~]# rz
rz waiting to receive.
Starting zmodem transfer.  Press Ctrl+C to cancel.
Transferring pam_mysql-0.7pre3.tar.gz...
  100%     326 KB    326 KB/s 00:00:01       0 Errors
[root@test-centos7-node3 ~]# ls
pam_mysql-0.7pre3.tar.gz
[root@test-centos7-node3 ~]# tar xf pam_mysql-0.7pre3.tar.gz
[root@test-centos7-node3 ~]# ls
pam_mysql-0.7pre3 pam_mysql-0.7pre3.tar.gz
[root@test-centos7-node3 ~]# cd pam_mysql-0.7pre3
[root@test-centos7-node3 pam_mysql-0.7pre3]# ./configure --with-pam-mods-dir=/lib64/security
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets $(MAKE)... yes
checking for working aclocal-1.4... missing
checking for working autoconf... found
……(part of the output omitted)
checking for crypt... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating pam_mysql.spec
config.status: creating config.h
config.status: executing default-1 commands
[root@test-centos7-node3 pam_mysql-0.7pre3]#
Note: if the configure check finishes without any ERROR, we can go on to compile and install. The only configure option we need is the module install location; PAM modules live under /lib64/security, so we point it there.
2.3 Compile and install pam-mysql
[root@test-centos7-node3 pam_mysql-0.7pre3]# make -j 4 && make install
Note: -j sets how many jobs build in parallel; if it is not specified the default is 1.
[root@test-centos7-node3 pam_mysql-0.7pre3]# make -j 4 && make install
/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -I/usr/include/mysql -c pam_mysql.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/security -I/usr/include -g -O2 -I/usr/include/mysql -c pam_mysql.c -fPIC -DPIC -o .libs/pam_mysql.o
pam_mysql.c: In function 'pam_mysql_converse':
pam_mysql.c:3179:4: warning: passing argument 2 of 'conv->conv' from incompatible pointer type [enabled by default]
conv->appdata_ptr))) {
^
pam_mysql.c:3179:4: note: expected 'const struct pam_message **' but argument is of type 'struct pam_message **'
/bin/sh ./libtool --mode=link gcc -g -O2 -I/usr/include/mysql -o pam_mysql.la -rpath /lib64/security -module -avoid-version pam_mysql.lo -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -ldl -lssl -lcrypto -lcrypt
gcc -shared .libs/pam_mysql.o -L/usr/lib64/mysql -lmysqlclient -lpthread -lz -lm -ldl -lssl -lcrypto -lcrypt -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so
creating pam_mysql.la
(cd .libs && rm -f pam_mysql.la && ln -s ../pam_mysql.la pam_mysql.la)
make[1]: Entering directory `/root/pam_mysql-0.7pre3'
/bin/sh ./mkinstalldirs /lib64/security
/bin/sh ./libtool --mode=install /usr/bin/install -c pam_mysql.la /lib64/security/pam_mysql.la
/usr/bin/install -c .libs/pam_mysql.so /lib64/security/pam_mysql.so
/usr/bin/install -c .libs/pam_mysql.lai /lib64/security/pam_mysql.la
PATH="$PATH:/sbin" ldconfig -n /lib64/security
----------------------------------------------------------------------
Libraries have been installed in:
/lib64/security
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/root/pam_mysql-0.7pre3'
[root@test-centos7-node3 pam_mysql-0.7pre3]#
Note: the build is fast; we can look in the target directory to confirm that the module we need has been installed there.
[root@test-centos7-node3 pam_mysql-0.7pre3]# ll /lib64/security/ |grep pam_mysql
-rwxr-xr-x 1 root root 882 Feb 16 02:57 pam_mysql.la
-rwxr-xr-x 1 root root 140904 Feb 16 02:57 pam_mysql.so
[root@test-centos7-node3 pam_mysql-0.7pre3]#
At this point the module for MySQL-based vsftpd authentication is installed; next we configure vsftpd so that it authenticates against MySQL.
3) Configure vsftpd to authenticate against MySQL
Create the PAM configuration file that vsftpd will use to call pam_mysql
[root@test-centos7-node3 ~]# cat /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=admin123.com host=192.168.0.10 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=admin123.com host=192.168.0.10 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
[root@test-centos7-node3 ~]#
Note: the usage of pam_mysql is documented in the README file inside the source tarball.
Modify the vsftpd configuration file so that the PAM service name points at vsftpd.mysql
[root@test-centos7-node3 ~]# grep pam /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd.mysql
[root@test-centos7-node3 ~]#
Create a system account on the Linux host that FTP logins will be mapped to, for example vuser
[root@test-centos7-node3 ~]# getent passwd vuser
[root@test-centos7-node3 ~]# useradd -s /sbin/nologin -d /var/ftproot/ vuser
[root@test-centos7-node3 ~]# chmod 555 /var/ftproot/
[root@test-centos7-node3 ~]# ll -d /var/ftproot/
dr-xr-xr-x 2 vuser vuser 62 Feb 16 04:40 /var/ftproot/
[root@test-centos7-node3 ~]# mkdir /var/ftproot/{upload,pub}
[root@test-centos7-node3 ~]# setfacl -m u:vuser:rwx /var/ftproot/upload
[root@test-centos7-node3 ~]# getfacl /var/ftproot/upload
getfacl: Removing leading '/' from absolute path names
# file: var/ftproot/upload
# owner: root
# group: root
user::rwx
user:vuser:rwx
group::r-x
mask::rwx
other::r-x
[root@test-centos7-node3 ~]#
Note: the FTP root of a login is the home directory of the user the login is mapped to, and the mapped user must not have write permission on that directory; other directories are not restricted. Write permission on a directory means files can be uploaded there, no write permission means they cannot.
Enable guest users in /etc/vsftpd/vsftpd.conf and map them to vuser
[root@test-centos7-node3 ~]# grep guest /etc/vsftpd/vsftpd.conf
guest_enable=YES
guest_username=vuser
[root@test-centos7-node3 ~]#
Note: vsftpd is now configured; next we prepare the database and table
[root@test-centos7-node1 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:f2:82:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef2:820c/64 scope link
valid_lft forever preferred_lft forever
[root@test-centos7-node1 ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 5.5.56-MariaDB MariaDB Server
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Syslog |
| mysql |
| performance_schema |
| test |
| wordpress |
+--------------------+
6 rows in set (0.00 sec)
MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> use vsftpd
Database changed
MariaDB [vsftpd]> create table users(
-> id int auto_increment not null primary key,
-> name char(50) binary not null,
-> password char(48) binary not null);
Query OK, 0 rows affected (0.01 sec)
MariaDB [vsftpd]> desc users;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(50) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.02 sec)
MariaDB [vsftpd]>
Note: the database name and table name follow what is specified in vsftpd.mysql above
Create the account vsftpd uses to connect to MySQL; this account also follows what is specified in the vsftpd.mysql configuration file
MariaDB [vsftpd]> grant all on vsftpd.* to vsftpd@'192.168.0.%' identified by 'admin123.com';
Query OK, 0 rows affected (0.00 sec)
MariaDB [vsftpd]>
Add the virtual accounts on the database server
MariaDB [vsftpd]> desc users;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(50) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
MariaDB [vsftpd]> insert users(name,password) values('tom',password('tompass')),('jerry',password('jerrypass'));
Query OK, 2 rows affected (0.01 sec)
Records: 2 Duplicates: 0 Warnings: 0
MariaDB [vsftpd]> select * from users;
+----+-------+-------------------------------------------+
| id | name | password |
+----+-------+-------------------------------------------+
| 1 | tom | *25C2DC5924C8A153CFC4075267C2C1438B48A509 |
| 2 | jerry | *D38B663230A8D7BD6F2B1C5A6E262431CE5D9293 |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
MariaDB [vsftpd]>
Note: the virtual accounts now exist in the database. Next we start vsftpd and log in to the FTP server with the two virtual accounts we created
[root@test-centos7-node3 ~]# ftp 192.168.0.30
Connected to 192.168.0.30 (192.168.0.30).
220 (vsFTPd 3.0.2)
Name (192.168.0.30:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,30,53,71).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Feb 16 09:41 pub
drwxrwxr-x 2 0 0 6 Feb 16 09:41 upload
226 Directory send OK.
ftp> pwd
257 "/"
ftp> bye
221 Goodbye.
[root@test-centos7-node3 ~]# ftp 192.168.0.30
Connected to 192.168.0.30 (192.168.0.30).
220 (vsFTPd 3.0.2)
Name (192.168.0.30:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,30,94,10).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Feb 16 09:41 pub
drwxrwxr-x 2 0 0 6 Feb 16 09:41 upload
226 Directory send OK.
ftp> bye
221 Goodbye.
[root@test-centos7-node3 ~]#
Note: the users we added in the database can log in to the FTP server
Both users have the same permissions: they cannot download (by default, any file whose permission bits include r can be downloaded) and cannot upload files. We give tom upload permission and leave jerry's permissions unchanged.
Set user_config_dir=/etc/vsftpd/vuser_conf/ in /etc/vsftpd/vsftpd.conf (the session below uses /etc/vsftpd/vuser_config/), create that directory, create a file in it named exactly after the user, and write the user's permissions into that file
[root@test-centos7-node3 ~]# grep user_config_dir /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vuser_config/
[root@test-centos7-node3 ~]# mkdir /etc/vsftpd/vuser_config
[root@test-centos7-node3 ~]# cd /etc/vsftpd/vuser_config
[root@test-centos7-node3 vuser_config]# touch tom
[root@test-centos7-node3 vuser_config]# cat > tom
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
^C
[root@test-centos7-node3 vuser_config]# cat tom
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=NO
[root@test-centos7-node3 vuser_config]#
Note: the above grants tom permission to upload and download files, create directories and so on, provided that the user the login is mapped to has write permission on the underlying filesystem
Restart vsftpd, then verify tom's and jerry's permissions
[root@test-centos7-node3 ~]# ftp 192.168.0.30
Connected to 192.168.0.30 (192.168.0.30).
220 (vsFTPd 3.0.2)
Name (192.168.0.30:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,30,49,80).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Feb 16 09:41 pub
drwxrwxr-x 2 0 0 6 Feb 16 10:02 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,0,30,240,251).
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir aa
257 "/upload/aa" created
ftp> ls
227 Entering Passive Mode (192,168,0,30,91,141).
150 Here comes the directory listing.
drwx------ 2 1000 1000 6 Feb 16 10:03 aa
226 Directory send OK.
ftp> put pam_mysql-0.7pre3.tar.gz
local: pam_mysql-0.7pre3.tar.gz remote: pam_mysql-0.7pre3.tar.gz
227 Entering Passive Mode (192,168,0,30,185,200).
150 Ok to send data.
226 Transfer complete.
333992 bytes sent in 0.000498 secs (670666.62 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,0,30,142,95).
150 Here comes the directory listing.
drwx------ 2 1000 1000 6 Feb 16 10:03 aa
-rw------- 1 1000 1000 333992 Feb 16 10:04 pam_mysql-0.7pre3.tar.gz
226 Directory send OK.
ftp> bye
221 Goodbye.
[root@test-centos7-node3 ~]# ftp 192.168.0.30
Connected to 192.168.0.30 (192.168.0.30).
220 (vsFTPd 3.0.2)
Name (192.168.0.30:root): jerry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,30,30,110).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Feb 16 09:41 pub
drwxrwxr-x 3 0 0 48 Feb 16 10:04 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,0,30,160,189).
150 Here comes the directory listing.
drwx------ 2 1000 1000 6 Feb 16 10:03 aa
-rw------- 1 1000 1000 333992 Feb 16 10:04 pam_mysql-0.7pre3.tar.gz
226 Directory send OK.
ftp> mkdir bb
550 Permission denied.
ftp> put pam_mysql-0.7pre3.tar.gz
local: pam_mysql-0.7pre3.tar.gz remote: pam_mysql-0.7pre3.tar.gz
227 Entering Passive Mode (192,168,0,30,177,120).
550 Permission denied.
ftp> bye
221 Goodbye.
[root@test-centos7-node3 ~]#
Note: the test above shows that we can grant permissions to individual users separately. For other FTP settings see my blog post https://www.cnblogs.com/qiuhom-1874/p/12106900.html
2. Share the server's /www directory over NFS
Lab environment: NFS server 192.168.0.30, client 192.168.0.10
Install nfs-utils on 192.168.0.30
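The setup above leaves three things an operator should check by hand: the PAM service file in /etc/pam.d holds the database password in clear text, the chroot root (the mapped user's home) must stay non-writable or vsftpd refuses the login, and per-user privileges live in files named after each user under user_config_dir. The script below is an added example, not code from the original post; it wraps those checks in functions that take paths as parameters and runs them on a constructed temporary tree (the pam line with the PLACEHOLDER password and the directory names are made up for the demo).

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the vsftpd
# virtual-user layout described above. All paths are parameters, so the
# demo runs on a temporary tree and never touches /etc or /var.

# Return 0 when FILE is readable by its owner only (group/other bits are 0).
# /etc/pam.d/vsftpd.mysql carries the database password in clear text, so
# it should not be readable by other users (GNU stat, Linux).
secret_file_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f")             # e.g. 600 or 644
    go=${mode#"${mode%??}"}             # last two octal digits: group, other
    [ "$go" = "00" ]
}

# Return 0 when DIR has no write bit for owner, group or other. vsftpd
# refuses a chrooted login whose chroot root (the mapped user's home,
# /var/ftproot above) is writable, which is why the post uses chmod 555.
chroot_root_ok() {
    d=$1
    [ -d "$d" ] || return 1
    mode=$(stat -c %a "$d")
    perm=${mode#"${mode%???}"}          # last three octal digits
    case "$perm" in
        *[2367]*) return 1 ;;           # any digit with the w bit (2) set
        *)        return 0 ;;
    esac
}

# Write the per-user file user_config_dir/USER that grants upload, mkdir
# and download of non-world-readable files: the same three lines the post
# puts in /etc/vsftpd/vuser_config/tom. Users without a file keep the
# global defaults (no upload), as jerry does above.
write_upload_profile() {
    confdir=$1; user=$2
    mkdir -p "$confdir"
    printf '%s\n' 'anon_upload_enable=YES' \
                  'anon_mkdir_write_enable=YES' \
                  'anon_world_readable_only=NO' > "$confdir/$user"
    chmod 644 "$confdir/$user"
}

# Demo on a constructed temporary tree (hypothetical paths and a
# PLACEHOLDER password; nothing here is a real credential).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ftproot/upload" "$tmp/ftproot/pub"
    chmod 555 "$tmp/ftproot"
    printf '%s\n' 'auth required pam_mysql.so user=vsftpd passwd=PLACEHOLDER host=192.168.0.10 db=vsftpd' > "$tmp/vsftpd.mysql"
    chmod 644 "$tmp/vsftpd.mysql"      # deliberately too open for the demo
    if secret_file_mode_ok "$tmp/vsftpd.mysql"; then
        echo "pam service file: ok"
    else
        echo "WARN: $tmp/vsftpd.mysql is readable by group/other; chmod 600 it"
    fi
    if chroot_root_ok "$tmp/ftproot"; then
        echo "chroot root: ok (not writable)"
    else
        echo "WARN: chroot root is writable; vsftpd will refuse logins"
    fi
    write_upload_profile "$tmp/vuser_config" tom
    echo "per-user profile for tom:"; cat "$tmp/vuser_config/tom"
    chmod -R u+w "$tmp"; rm -rf "$tmp"
}
demo
```

Run it with `sh vsftpd_checks.sh`; to audit a real host, call the three functions with /etc/pam.d/vsftpd.mysql, the guest user's home directory and the configured user_config_dir instead of the temporary tree.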
[root@test-centos7-node3 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4a:bd:74 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.30/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4a:bd74/64 scope link
valid_lft forever preferred_lft forever
[root@test-centos7-node3 ~]# yum install nfs-utils -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package nfs-utils.x86_64 1:1.3.0-0.65.el7 will be installed
--> Processing Dependency: libtirpc >= 0.2.4-0.7 for package: 1:nfs-utils-1.3.0-0.65.el7.x86_64
--> Processing Dependency: gssproxy >= 0.7.0-3 for package: 1:nfs-utils-1.3.0-0.65.el7.x86_64
--> Processing Dependency: rpcbind for package: 1:nfs-utils-1.3.0-0.65.el7.x86_64
……(part of the output omitted)
Installed:
nfs-utils.x86_64 1:1.3.0-0.65.el7
Dependency Installed:
gssproxy.x86_64 0:0.7.0-26.el7 keyutils.x86_64 0:1.5.8-3.el7 libbasicobjects.x86_64 0:0.1.1-32.el7 libcollection.x86_64 0:0.7.0-32.el7
libevent.x86_64 0:2.0.21-4.el7 libini_config.x86_64 0:1.3.1-32.el7 libnfsidmap.x86_64 0:0.25-19.el7 libpath_utils.x86_64 0:0.2.1-32.el7
libref_array.x86_64 0:0.1.5-32.el7 libtirpc.x86_64 0:0.2.4-0.16.el7 libverto-libevent.x86_64 0:0.2.5-4.el7 quota.x86_64 1:4.01-19.el7
quota-nls.noarch 1:4.01-19.el7 rpcbind.x86_64 0:0.2.0-48.el7 tcp_wrappers.x86_64 0:7.6-77.el7
Updated:
selinux-policy.noarch 0:3.13.1-252.el7_7.6
Dependency Updated:
libsemanage.x86_64 0:2.5-14.el7 policycoreutils.x86_64 0:2.5-33.el7 selinux-policy-targeted.noarch 0:3.13.1-252.el7_7.6
Complete!
[root@test-centos7-node3 ~]#
Note: installing nfs-utils pulls in its dependency rpcbind as well
Create the shared directory /www
[root@test-centos7-node3 ~]# ls /
bin boot data dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp tools usr var
[root@test-centos7-node3 ~]# mkdir /www
[root@test-centos7-node3 ~]# ls /
bin boot data dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp tools usr var www
[root@test-centos7-node3 ~]#
Configure NFS to share the /www directory
[root@test-centos7-node3 ~]# cat /etc/exports
/www 192.168.0.10(rw,root_squash,all_squash)
[root@test-centos7-node3 ~]#
Note: this configuration exports /www only to the host 192.168.0.10, read-write (rw), with root and every other user squashed (root_squash, all_squash) on the server side
Start nfs-server
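Because every clause of an export line is a separate grant, a defender reviewing /etc/exports wants to see, per path and client, whether it is rw or ro, whether root is squashed and whether the host field is a wildcard. The script below is an added example (not code from the original post) that walks an exports(5) file and prints OK or WARN per clause; the sample file it audits is constructed for the demo, with the post's /www line alongside deliberately weaker entries, and the paths /data, /iso and /home are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: audit an exports(5) file and
# flag client entries that hand out more than the /www line above does.
# Usage: audit_exports /etc/exports

# Examine one "host(options)" clause of an export line. Prints WARN lines
# for risky settings and one OK line otherwise; always returns 0.
check_clause() {
    path=$1; clause=$2
    host=${clause%%\(*}                 # text before "("
    if [ "$host" = "$clause" ]; then
        opts=""                         # no parentheses: default options
    else
        opts=${clause#*\(}; opts=${opts%\)}
    fi
    n=0
    case "$host" in
        ''|'*')
            echo "WARN $path: exported to every host (${host:-no host given})"; n=$((n+1)) ;;
    esac
    case ",$opts," in
        *,no_root_squash,*)
            echo "WARN $path ($host): no_root_squash lets client root write as server root"; n=$((n+1)) ;;
    esac
    case ",$opts," in
        *,insecure,*)
            echo "WARN $path ($host): insecure accepts requests from unprivileged source ports"; n=$((n+1)) ;;
    esac
    case ",$opts," in
        *,rw,*) access=rw ;;
        *)      access=ro ;;            # ro is the exportfs default
    esac
    [ "$n" -eq 0 ] && echo "OK   $path ($host): $access, options '${opts:-defaults}'"
    return 0
}

# Walk the file: one path per line, followed by zero or more client clauses.
# Prints the findings and a final count line; returns 0.
audit_exports() {
    file=$1; total=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                # strip comments
        set -f                          # no globbing: "*" is a literal host
        set -- $line
        set +f
        [ $# -ge 1 ] || continue
        path=$1; shift
        if [ $# -eq 0 ]; then
            echo "WARN $path: no client given, exportfs treats this as everyone"
            total=$((total+1)); continue
        fi
        for clause in "$@"; do
            out=$(check_clause "$path" "$clause")
            echo "$out"
            total=$((total + $(echo "$out" | grep -c '^WARN' || true)))
        done
    done < "$file"
    echo "$total warning(s)"
}

# Demo on a constructed sample (not a real /etc/exports).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not a real /etc/exports
/www  192.168.0.10(rw,root_squash,all_squash)
/data *(rw,no_root_squash)
/iso  192.168.0.0/24(ro,insecure)
/home
EOF
    audit_exports "$tmp"
    rm -f "$tmp"
}
demo
```

On the sample the /www line from the post passes, while the other three lines each produce a WARN; point `audit_exports` at /etc/exports to review a real server.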
[root@test-centos7-node3 ~]# systemctl status rpcbind nfs-server
● rpcbind.service - RPC bind service
Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled; vendor preset: enabled)
Active: inactive (dead)
● nfs-server.service - NFS server and services
Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@test-centos7-node3 ~]# systemctl start nfs-server
[root@test-centos7-node3 ~]# systemctl status rpcbind nfs-server
● rpcbind.service - RPC bind service
Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-02-16 05:33:51 EST; 2s ago
Process: 16255 ExecStart=/sbin/rpcbind -w $RPCBIND_ARGS (code=exited, status=0/SUCCESS)
Main PID: 16256 (rpcbind)
CGroup: /system.slice/rpcbind.service
└─16256 /sbin/rpcbind -w
Feb 16 05:33:51 test-centos7-node3 systemd[1]: Starting RPC bind service...
Feb 16 05:33:51 test-centos7-node3 systemd[1]: Started RPC bind service.
● nfs-server.service - NFS server and services
Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled; vendor preset: disabled)
Active: active (exited) since Sun 2020-02-16 05:33:51 EST; 2s ago
Process: 16290 ExecStartPost=/bin/sh -c if systemctl -q is-active gssproxy; then systemctl reload gssproxy ; fi (code=exited, status=0/SUCCESS)
Process: 16273 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
Process: 16270 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
Main PID: 16273 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/nfs-server.service
Feb 16 05:33:51 test-centos7-node3 systemd[1]: Starting NFS server and services...
Feb 16 05:33:51 test-centos7-node3 systemd[1]: Started NFS server and services.
[root@test-centos7-node3 ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:20048 *:*
LISTEN 0 128 *:53457 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 64 *:35199 *:*
LISTEN 0 64 *:2049 *:*
LISTEN 0 128 192.168.0.30:9000 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::20048 :::*
LISTEN 0 32 :::21 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 64 :::32961 :::*
LISTEN 0 64 :::2049 :::*
LISTEN 0 128 :::60355 :::*
[root@test-centos7-node3 ~]#
Note: on CentOS 7 starting nfs-server also starts rpcbind; on CentOS 6 rpcbind has to be started manually
Mount the shared directory /www on the client
[root@test-centos7-node1 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:f2:82:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef2:820c/64 scope link
valid_lft forever preferred_lft forever
[root@test-centos7-node1 ~]# showmount -e 192.168.0.30
Export list for 192.168.0.30:
/www 192.168.0.10
[root@test-centos7-node1 ~]# mount 192.168.0.30:/www /mnt
[root@test-centos7-node1 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda3 48209924 1664784 46545140 4% /
devtmpfs 1922828 0 1922828 0% /dev
tmpfs 1932652 0 1932652 0% /dev/shm
tmpfs 1932652 8744 1923908 1% /run
tmpfs 1932652 0 1932652 0% /sys/fs/cgroup
/dev/sda1 2086912 137672 1949240 7% /boot
tmpfs 386532 0 386532 0% /run/user/0
192.168.0.30:/www 48210432 1717760 46492672 4% /mnt
[root@test-centos7-node1 ~]#
Note: if the showmount command is missing on the client, install nfs-utils
Test: with the share mounted on the client, create files in the shared directory from the client and see whether the server can access them normally
[root@test-centos7-node1 ~]# cd /mnt
[root@test-centos7-node1 mnt]# ls
[root@test-centos7-node1 mnt]# cp /etc/fstab .
cp: cannot create regular file ‘./fstab’: Permission denied
[root@test-centos7-node1 mnt]# touch aa
touch: cannot touch ‘aa’: Permission denied
[root@test-centos7-node1 mnt]#
Note: it tells us we have no permission. This is because the current user is root, and when root accesses the NFS share it is squashed to the nfsnobody user; the directory shared on the NFS server is owned by root with group root, and other users have no write permission on it, so we cannot create files or perform any other write operation inside it.
On the NFS server, grant the nfsnobody user read, write and execute permission on /www
[root@test-centos7-node3 ~]# setfacl -m u:nfsnobody:rwx /www
[root@test-centos7-node3 ~]# getfacl /www
getfacl: Removing leading '/' from absolute path names
# file: www
# owner: root
# group: root
user::rwx
user:nfsnobody:rwx
group::r-x
mask::rwx
other::r-x
[root@test-centos7-node3 ~]#
On the client, create files or directories in the mounted share and see whether the server can see and use them
[root@test-centos7-node1 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda3 48209924 1664764 46545160 4% /
devtmpfs 1922828 0 1922828 0% /dev
tmpfs 1932652 0 1932652 0% /dev/shm
tmpfs 1932652 8744 1923908 1% /run
tmpfs 1932652 0 1932652 0% /sys/fs/cgroup
/dev/sda1 2086912 137672 1949240 7% /boot
tmpfs 386532 0 386532 0% /run/user/0
192.168.0.30:/www 48210432 1717760 46492672 4% /mnt
[root@test-centos7-node1 ~]# cd /mnt
[root@test-centos7-node1 mnt]# ls
[root@test-centos7-node1 mnt]# cp /etc/fstab .
[root@test-centos7-node1 mnt]# ls
fstab
[root@test-centos7-node1 mnt]# touch aa
[root@test-centos7-node1 mnt]# mkdir test
[root@test-centos7-node1 mnt]#
[root@test-centos7-node3 ~]# ll /www/
total 4
-rw-r--r-- 1 nfsnobody nfsnobody 0 Feb 16 05:45 aa
-rw-r--r-- 1 nfsnobody nfsnobody 501 Feb 16 05:45 fstab
drwxr-xr-x 2 nfsnobody nfsnobody 6 Feb 16 05:45 test
[root@test-centos7-node3 ~]#
Note: on the server we can see the files and directories created by the client. One thing to watch: when the server itself puts files into the shared directory, pay attention to their permissions; if they are owned by root with group root, the client may be unable to modify them. This completes the NFS share of /www; for more on using NFS see my blog post https://www.cnblogs.com/qiuhom-1874/p/12237964.html
3. Configure a Samba share to share the /www directory
Environment: the smb server is 192.168.0.30, the client is 192.168.0.10
1) Install samba
[root@test-centos7-node3 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4a:bd:74 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.30/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4a:bd74/64 scope link
valid_lft forever preferred_lft forever
[root@test-centos7-node3 ~]# yum install -y samba
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package samba.x86_64 0:4.9.1-10.el7_7 will be installed
--> Processing Dependency: samba-libs = 4.9.1-10.el7_7 for package: samba-4.9.1-10.el7_7.x86_64
……(part of the output omitted)
Installed:
samba.x86_64 0:4.9.1-10.el7_7
Dependency Installed:
cups-libs.x86_64 1:1.6.3-40.el7 libldb.x86_64 0:1.4.2-1.el7 libtalloc.x86_64 0:2.1.14-1.el7 libtdb.x86_64 0:1.3.16-1.el7
libtevent.x86_64 0:0.9.37-1.el7 libwbclient.x86_64 0:4.9.1-10.el7_7 pytalloc.x86_64 0:2.1.14-1.el7 samba-client-libs.x86_64 0:4.9.1-10.el7_7
samba-common.noarch 0:4.9.1-10.el7_7 samba-common-libs.x86_64 0:4.9.1-10.el7_7 samba-common-tools.x86_64 0:4.9.1-10.el7_7 samba-libs.x86_64 0:4.9.1-10.el7_7
Dependency Updated:
dbus.x86_64 1:1.10.24-13.el7_6 dbus-libs.x86_64 1:1.10.24-13.el7_6
Complete!
[root@test-centos7-node3 ~]#
2) Configure Samba to share the /www directory
[root@test-centos7-node3 ~]# tail -6 /etc/samba/smb.conf
[share_www]
comment = share /www
path = /www
read only =no
create mask = 0664
directory mask = 0775
[root@test-centos7-node3 ~]#
3) Check the Samba configuration file
[root@test-centos7-node3 ~]# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[share_www]"
Loaded services file OK.
WARNING: The 'netbios name' is too long (max. 15 chars).
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
printcap name = cups
security = USER
workgroup = SAMBA
idmap config * : backend = tdb
cups options = raw
[homes]
browseable = No
comment = Home Directories
inherit acls = Yes
read only = No
valid users = %S %D%w%S
[printers]
browseable = No
comment = All Printers
create mask = 0600
path = /var/tmp
printable = Yes
[print$]
comment = Printer Drivers
create mask = 0664
directory mask = 0775
force group = @printadmin
path = /var/lib/samba/drivers
write list = @printadmin root
[share_www]
comment = share /www
create mask = 0664
directory mask = 0775
path = /www
read only = No
[root@test-centos7-node3 ~]#
4) Start the Samba service
[root@test-centos7-node3 ~]# systemctl start smb
[root@test-centos7-node3 ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:139 *:*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:20048 *:*
LISTEN 0 128 *:53457 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 50 *:445 *:*
LISTEN 0 64 *:35199 *:*
LISTEN 0 64 *:2049 *:*
LISTEN 0 128 192.168.0.30:9000 *:*
LISTEN 0 50 :::139 :::*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::20048 :::*
LISTEN 0 32 :::21 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 50 :::445 :::*
LISTEN 0 64 :::32961 :::*
LISTEN 0 64 :::2049 :::*
LISTEN 0 128 :::60355 :::*
[root@test-centos7-node3 ~]#
Note: smb listens on TCP port 445 by default
5) On the client, use smbclient to check whether the directory shared by the smb server is visible
[root@test-centos7-node1 ~]# smbclient -L \\192.168.0.30
Enter SAMBA\root's password:
Anonymous login successful
Domain=[TEST-CENTOS7-NODE3] OS=[Windows 6.1] Server=[Samba 4.9.1]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share_www Disk share /www
IPC$ IPC IPC Service (Samba 4.9.1)
Anonymous login successful
Domain=[TEST-CENTOS7-NODE3] OS=[Windows 6.1] Server=[Samba 4.9.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@test-centos7-node1 ~]#
Note: if smbclient is reported as command not found, install the samba-client package. The output above shows that the client can see the share named share_www exported by the Samba server
6) Add a Samba account on the Samba server
[root@test-centos7-node3 ~]# getent passwd tom
[root@test-centos7-node3 ~]# useradd -s /sbin/nologin tom
[root@test-centos7-node3 ~]# getent passwd tom
tom:x:1001:1001::/home/tom:/sbin/nologin
[root@test-centos7-node3 ~]# smbpasswd -a tom
New SMB password:
Retype new SMB password:
Added user tom.
[root@test-centos7-node3 ~]# pdbedit -L
tom:1001:
[root@test-centos7-node3 ~]#
Note: a Samba user must exist as a user on the Linux host; for safety, set the shell to /sbin/nologin when creating the user
On the client, connect to the Samba service with the user just created
[root@test-centos7-node1 ~]# smbclient //192.168.0.30/share_www -U tom%admin
Domain=[TEST-CENTOS7-NODE3] OS=[Windows 6.1] Server=[Samba 4.9.1]
smb: \> ls
. D 0 Sun Feb 16 05:45:53 2020
.. D 0 Sun Feb 16 05:23:56 2020
fstab N 501 Sun Feb 16 05:45:45 2020
aa N 0 Sun Feb 16 05:45:49 2020
test D 0 Sun Feb 16 05:45:53 2020
48209924 blocks of size 1024. 46455356 blocks available
smb: \> q
[root@test-centos7-node1 ~]#
Note: with the smb account added on the server, the client can see the shared directory and the files in it
[root@test-centos7-node1 ~]# smbclient //192.168.0.30/share_www -U tom%admin
Domain=[TEST-CENTOS7-NODE3] OS=[Windows 6.1] Server=[Samba 4.9.1]
smb: \> ls
. D 0 Sun Feb 16 05:45:53 2020
.. D 0 Sun Feb 16 05:23:56 2020
fstab N 501 Sun Feb 16 05:45:45 2020
aa N 0 Sun Feb 16 05:45:49 2020
test D 0 Sun Feb 16 05:45:53 2020
48209924 blocks of size 1024. 46455336 blocks available
smb: \> !ls
test.php
smb: \> put test.php
NT_STATUS_ACCESS_DENIED opening remote file \test.php
smb: \> get fstab
getting file \fstab of size 501 as fstab (69.9 KiloBytes/sec) (average 69.9 KiloBytes/sec)
smb: \> !ls
fstab test.php
smb: \> q
[root@test-centos7-node1 ~]#
Note: the tom user we created cannot upload from the client, only download. Although the Samba share is configured as writable, tom has not been granted write permission on the server's filesystem, so tom cannot upload for now; to allow uploads we must grant tom write permission on the filesystem
On the server, grant tom read, write and execute permission on the shared directory
[root@test-centos7-node3 ~]# setfacl -m u:tom:rwx /www
[root@test-centos7-node3 ~]# getfacl /www
getfacl: Removing leading '/' from absolute path names
# file: www
# owner: root
# group: root
user::rwx
user:tom:rwx
user:nfsnobody:rwx
group::r-x
mask::rwx
other::r-x
[root@test-centos7-node3 ~]#
Test: on the client, access the share as tom and upload a file to see whether the upload now succeeds
[root@test-centos7-node1 ~]# smbclient //192.168.0.30/share_www -U tom%admin
Domain=[TEST-CENTOS7-NODE3] OS=[Windows 6.1] Server=[Samba 4.9.1]
smb: \> ls
. D 0 Sun Feb 16 05:45:53 2020
.. D 0 Sun Feb 16 05:23:56 2020
fstab N 501 Sun Feb 16 05:45:45 2020
aa N 0 Sun Feb 16 05:45:49 2020
test D 0 Sun Feb 16 05:45:53 2020
48209924 blocks of size 1024. 46455776 blocks available
smb: \> !ls
fstab test.php
smb: \> put test.php
putting file test.php as \test.php (1.1 kb/s) (average 1.1 kb/s)
smb: \> ls
. D 0 Sun Feb 16 06:30:30 2020
.. D 0 Sun Feb 16 05:23:56 2020
fstab N 501 Sun Feb 16 05:45:45 2020
aa N 0 Sun Feb 16 05:45:49 2020
test D 0 Sun Feb 16 05:45:53 2020
test.php A 20 Sun Feb 16 06:30:30 2020
48209924 blocks of size 1024. 46455752 blocks available
smb: \> q
[root@test-centos7-node1 ~]#
Note: after changing the filesystem permissions, tom can upload files into the shared directory. For more on Samba server configuration see my blog post https://www.cnblogs.com/qiuhom-1874/p/12237973.html
4. Use rsync+inotify for real-time synchronisation of the /www directory
Lab environment: the rsync server is 192.168.0.30, the client is 192.168.0.10
1) Install inotify-tools
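The Samba section shows that `read only = no` in smb.conf decides only what Samba will attempt; the actual write goes through the connecting Unix user's filesystem permissions (hence the setfacl for tom). To know which paths need that second check, an operator wants a list of every share Samba treats as writable and its path. The script below is an added example, not code from the original post: an awk parser for the `[section]` / `key = value` layout of smb.conf that prints each writable share with its path and guest setting, run here on a constructed smb.conf (the `[pub]` share and /srv/pub are hypothetical; the other sections mirror the testparm dump above).

```shell
#!/bin/sh
# Added example, not from the original post: list every share in an smb.conf
# that Samba would allow writes to, together with its path, so the admin
# can check the filesystem permissions for each one. As the post shows,
# "read only = no" alone does not grant anything: the connecting Unix
# user (tom above) still needs write permission on the path.
# Usage: list_writable_shares /etc/samba/smb.conf

list_writable_shares() {
    awk '
    # Print the current section if it is a writable share.
    function flush(    p) {
        if (sec != "" && sec != "global" && writable) {
            p = (path == "" ? "-" : path)
            printf "%s path=%s guest_ok=%s\n", sec, p, guest
        }
    }
    /^[ \t]*[#;]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # [section] header
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec)
        sec = substr(sec, 1, index(sec, "]") - 1)
        path = ""; writable = 0; guest = "no"; next
    }
    /=/ {                                        # key = value
        key = $0; sub(/=.*/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val)
        gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
        if (key == "path")
            path = val
        else if (key == "read only")             # "read only = no" means writable
            writable = (val == "no" || val == "false" || val == "0")
        else if (key == "writable" || key == "writeable" || key == "write ok")
            writable = (val == "yes" || val == "true" || val == "1")
        else if (key == "guest ok" || key == "public")
            guest = (val == "yes" || val == "true" || val == "1") ? "yes" : "no"
    }
    END { flush() }' "$1"
}

# Demo on a constructed smb.conf (not a real configuration file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not a real smb.conf
[global]
    workgroup = SAMBA
    security = user
[homes]
    comment = Home Directories
    browseable = No
    read only = No
[printers]
    path = /var/tmp
    printable = Yes
[share_www]
    comment = share /www
    path = /www
    read only =no
    create mask = 0664
    directory mask = 0775
[pub]
    path = /srv/pub
    writable = yes
    guest ok = yes
EOF
    list_writable_shares "$tmp"
    rm -f "$tmp"
}
demo
```

For each line printed, the next step is the one the post performs for share_www: confirm with getfacl that every account expected to write through that share has write permission on the path, and treat a `guest_ok=yes` entry with a writable path as a share anyone on the network can write to.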
[root@test-centos7-node3 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4a:bd:74 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.30/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4a:bd74/64 scope link
valid_lft forever preferred_lft forever
[root@test-centos7-node3 ~]# yum install inotify-tools -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.14-9.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================================================
Installing:
inotify-tools x86_64 3.14-9.el7 epel 51 k
Transaction Summary
===========================================================================================================================================================================
Install 1 Package
Total download size: 51 k
Installed size: 111 k
Downloading packages:
inotify-tools-3.14-9.el7.x86_64.rpm | 51 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : inotify-tools-3.14-9.el7.x86_64 1/1
Verifying : inotify-tools-3.14-9.el7.x86_64 1/1
Installed:
inotify-tools.x86_64 0:3.14-9.el7
Complete!
[root@test-centos7-node3 ~]# rpm -ql inotify-tools
/usr/bin/inotifywait
/usr/bin/inotifywatch
/usr/lib64/libinotifytools.so.0
/usr/lib64/libinotifytools.so.0.4.1
/usr/share/doc/inotify-tools-3.14
/usr/share/doc/inotify-tools-3.14/AUTHORS
/usr/share/doc/inotify-tools-3.14/COPYING
/usr/share/doc/inotify-tools-3.14/ChangeLog
/usr/share/doc/inotify-tools-3.14/NEWS
/usr/share/doc/inotify-tools-3.14/README
/usr/share/man/man1/inotifywait.1.gz
/usr/share/man/man1/inotifywatch.1.gz
[root@test-centos7-node3 ~]#
Tip: inotify is a kernel feature; to use it we must install the corresponding user-space tools, which issue the calls into the kernel for us.
2) Install rsync
[root@test-centos7-node3 ~]# yum install -y rsync
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Package rsync-3.1.2-6.el7_6.1.x86_64 already installed and latest version
Nothing to do
[root@test-centos7-node3 ~]#
Tip: the system tells us the rsync package is already installed.
3) Configure the rsync service to run in daemon mode
[root@test-centos7-node3 ~]# cat /etc/rsyncd.conf
# /etc/rsyncd: configuration file for rsync daemon mode
# See rsyncd.conf man page for more options.
# configuration example:
# uid = nobody
# gid = nobody
# use chroot = yes
# max connections = 4
# pid file = /var/run/rsyncd.pid
# exclude = lost+found/
# transfer logging = yes
# timeout = 900
# ignore nonreadable = yes
# dont compress = *.gz *.tgz *.zip *.z *.Z *.rpm *.deb *.bz2
# [ftp]
# path = /home/ftp
# comment = ftp export area
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.0.0/24
[backup]
path = /backup/
comment = share backup
read only = no
auth users = jerry
secrets file = /etc/rsync.pass
[root@test-centos7-node3 ~]#
4) Create the /backup directory and the /etc/rsync.pass file, and configure a user and password for rsync synchronization
[root@test-centos7-node3 ~]# mkdir /backup
[root@test-centos7-node3 ~]# ll /backup
total 0
[root@test-centos7-node3 ~]# echo "jerry:admin" > /etc/rsync.pass
[root@test-centos7-node3 ~]# cat /etc/rsync.pass
jerry:admin
[root@test-centos7-node3 ~]# chmod 600 /etc/rsync.pass
[root@test-centos7-node3 ~]#
Tip: rsync.pass stores the user and password that rsync uses when synchronizing data. Its format is username:password, in plain text, so to protect its contents we normally set its permissions so that non-root users can neither read nor write it.
5) Start the rsync service
[root@test-centos7-node3 ~]# rsync --daemon
[root@test-centos7-node3 ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 192.168.0.30:9000 *:*
LISTEN 0 5 *:873 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 5 :::873 :::*
[root@test-centos7-node3 ~]#
Tip: rsync listens on TCP port 873 by default.
6) On the client, install inotify-tools, create the password file for the user that connects to the rsync server, and create the /www directory
[root@test-centos7-node1 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:f2:82:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef2:820c/64 scope link
valid_lft forever preferred_lft forever
[root@test-centos7-node1 ~]# yum install -y inotify-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.14-9.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================================================
Installing:
inotify-tools x86_64 3.14-9.el7 epel 51 k
Transaction Summary
===========================================================================================================================================================================
Install 1 Package
Total download size: 51 k
Installed size: 111 k
Downloading packages:
inotify-tools-3.14-9.el7.x86_64.rpm | 51 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : inotify-tools-3.14-9.el7.x86_64 1/1
Verifying : inotify-tools-3.14-9.el7.x86_64 1/1
Installed:
inotify-tools.x86_64 0:3.14-9.el7
Complete!
[root@test-centos7-node1 ~]# echo "admin" > /etc/rsync.pass
[root@test-centos7-node1 ~]# chmod 600 /etc/rsync.pass
[root@test-centos7-node1 ~]# cat /etc/rsync.pass
admin
[root@test-centos7-node1 ~]# ll /etc/rsync.pass
-rw------- 1 root root 6 Feb 16 07:15 /etc/rsync.pass
[root@test-centos7-node1 ~]#
[root@test-centos7-node1 ~]# mkdir /www
[root@test-centos7-node1 ~]# ll /www
total 0
[root@test-centos7-node1 ~]#
7) On the client, write a script that monitors the /www directory in real time and, on any change, immediately syncs it to the corresponding directory on the rsync server
[root@test-centos7-node1 ~]# cat inotify_rsync.sh
#!/bin/bash
# Watch /www recursively and push every change to the rsync daemon's "backup" module.
SRC='/www/'
DEST='jerry@192.168.0.30::backup'   # auth user jerry on the rsync server 192.168.0.30
inotifywait -mrq --timefmt '%Y-%m-%d %H:%M' --format '%T %w %f' -e create,delete,moved_to,close_write "${SRC}" | while read -r DATE TIME DIR FILE; do
    FILEPATH="${DIR}${FILE}"
    # --delete mirrors removals too; the password is read from the mode-600 file, never from the command line
    rsync -az --delete --password-file=/etc/rsync.pass "${SRC}" "${DEST}" &&
        echo "At ${TIME} on ${DATE}, file ${FILEPATH} was backed up via rsync" >> /var/log/changelist.log
done
[root@test-centos7-node1 ~]#
8) Run the script, then create files under /www and check whether they are synced to the rsync server promptly
Tip: before any file is created in /www, the corresponding directory on the rsync server contains no files; it is an empty directory.
Tip: files and directories created under /www on the client are synced promptly to the corresponding /backup directory on the rsync server. For more on inotify and rsync, see https://www.cnblogs.com/qiuhom-1874/p/12246660.html
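Added example, not part of the original post: a Python audit of the rsyncd.conf and secrets-file settings from steps 3 and 4. It parses the daemon configuration (a bare boolean name such as ignore errors is taken as yes, which is how the config above uses it), flags uid = root, use chroot = no and any writable module without auth users, and checks that the plaintext user:password file is not readable by group or others, the property step 4 enforces with chmod 600. The permission check is injectable so the audit can run against config text alone; the constructed sample keeps only the uncommented settings from the server's file.

```python
import os
# Constructed sample: the effective (uncommented) settings from the server's rsyncd.conf above.
SAMPLE_CONF = """\
uid = root
use chroot = no
ignore errors
[backup]
path = /backup/
read only = no
auth users = jerry
secrets file = /etc/rsync.pass
"""

def parse_rsyncd(text):
    """Return (globals, {module: params}); a bare boolean name such as 'ignore errors' counts as yes."""
    glob, modules = {}, {}
    params = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            params = modules.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        params[key.strip().lower()] = value.strip() if sep else "yes"
    return glob, modules

def secrets_file_exposed(path):  # True if group or others can read the user:password file
    try:
        return bool(os.stat(path).st_mode & 0o077)
    except FileNotFoundError:
        return True  # rsync cannot authenticate without it; treat as misconfigured

def audit_rsyncd(text, exposed=secrets_file_exposed):
    """Return a list of findings; an empty list means no weak setting was detected."""
    glob, modules = parse_rsyncd(text)
    findings = []
    if glob.get("uid", "nobody") == "root":
        findings.append("uid = root: daemon file operations run as root")
    if glob.get("use chroot", "yes").lower() == "no":
        findings.append("use chroot = no: module paths are not confined")
    for name, mod in modules.items():
        p = {**glob, **mod}  # module settings override the global ones
        if p.get("read only", "yes").lower() == "no" and "auth users" not in p:
            findings.append(f"[{name}] is writable without auth users")
        if "auth users" in p and exposed(p.get("secrets file", "")):
            findings.append(f"[{name}] secrets file is readable by others")
    return findings
```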
5. Use iptables to allow the telnet, ftp and web services and the samba service, and reject every other port and service
1) Load the nf_conntrack_ftp module
[root@test-centos7-node3 ~]# lsmod |grep ftp
[root@test-centos7-node3 ~]# modprobe nf_conntrack_ftp
[root@test-centos7-node3 ~]# lsmod |grep ftp
nf_conntrack_ftp 18638 0
nf_conntrack 133387 3 xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
[root@test-centos7-node3 ~]#
2) Write the rules
[root@test-centos7-node3 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4a:bd:74 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.30/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4a:bd74/64 scope link
valid_lft forever preferred_lft forever
[root@test-centos7-node3 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 52 packets, 3952 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 38 packets, 4088 bytes)
pkts bytes target prot opt in out source destination
[root@test-centos7-node3 ~]# iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@test-centos7-node3 ~]# iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
[root@test-centos7-node3 ~]# iptables -A INPUT -p tcp -m multiport --dports 21:23,80,139,445 -m state --state NEW -j ACCEPT
[root@test-centos7-node3 ~]# iptables -A INPUT -j DROP
[root@test-centos7-node3 ~]# iptables -A OUTPUT -j DROP
[root@test-centos7-node3 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
181 12960 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21:23,80,139,445 state NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
81 8524 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@test-centos7-node3 ~]#
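Added check, not part of the original post: a Python script that parses the iptables -nvL listing above and verifies the policy this step intends, namely a catch-all DROP at the end of INPUT and new connections accepted only on ports 21 to 23, 80, 139 and 445. The listing is embedded as a constructed sample taken from the output shown here; the expected port set is passed in by the caller.

```python
import re
# Constructed sample: the server's INPUT chain as `iptables -nvL` printed it after the rules above.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 181 12960 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21:23,80,139,445 state NEW
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
def parse_chains(listing):
    """Return {chain: {"policy": str, "rules": [dict]}} from `iptables -nvL` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split()  # pkts bytes target prot opt in out source destination [match...]
        if current is not None and len(f) >= 9 and f[0] != "pkts":
            current["rules"].append({"target": f[2], "prot": f[3], "src": f[7],
                                     "dst": f[8], "match": " ".join(f[9:])})
    return chains

def expand_ports(spec):  # '21:23,80' -> {21, 22, 23, 80}; iptables ranges are inclusive
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_input(chains, expected_ports):
    """Return findings for the INPUT chain; an empty list means it matches the intended policy."""
    chain, findings, opened = chains["INPUT"], [], set()
    last = chain["rules"][-1] if chain["rules"] else {}
    catch_all = last.get("target") in ("DROP", "REJECT") and last.get("prot") == "all" \
        and last.get("src") == last.get("dst") == "0.0.0.0/0"
    if chain["policy"] != "DROP" and not catch_all:
        findings.append("no default-deny: policy ACCEPT and no catch-all DROP at the end")
    for rule in chain["rules"]:
        if rule["target"] != "ACCEPT" or "ESTABLISHED" in rule["match"]:
            continue  # the conntrack rule for reply traffic opens no new port
        m = re.search(r"dports? (\S+)|dpt:(\d+)", rule["match"])
        if m:
            opened |= expand_ports(m.group(1) or m.group(2))
        else:
            findings.append(f"ACCEPT with no port match: {rule['prot']} {rule['match']}")
    if opened != expected_ports:
        findings.append(f"open ports {sorted(opened)} differ from expected {sorted(expected_ports)}")
    return findings
```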
Test: from the client, access the telnet, ftp, web and samba services on 192.168.0.30 and check that the client's access to these services is allowed normally
[root@test-centos7-node1 ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:f2:82:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef2:820c/64 scope link
valid_lft forever preferred_lft forever
[root@test-centos7-node1 ~]# telnet 192.168.0.30
Trying 192.168.0.30...
Connected to 192.168.0.30.
Escape character is '^]'.
test-centos7-node3 login: qiuhom
Password:
Last login: Sun Feb 16 09:44:25 from ::ffff:192.168.0.10
[qiuhom@test-centos7-node3 ~]$ ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4a:bd:74 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.30/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4a:bd74/64 scope link
valid_lft forever preferred_lft forever
[qiuhom@test-centos7-node3 ~]$ exit
logout
Connection closed by foreign host.
[root@test-centos7-node1 ~]# curl -I http://192.168.0.30/index.html
HTTP/1.1 200 OK
Date: Sun, 16 Feb 2020 14:46:01 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 16 Feb 2020 13:16:09 GMT
ETag: "1f5-59eb13dfb0e13"
Accept-Ranges: bytes
Content-Length: 501
Content-Type: text/html; charset=UTF-8
[root@test-centos7-node1 ~]# ftp 192.168.0.30
Connected to 192.168.0.30 (192.168.0.30).
220 (vsFTPd 3.0.2)
Name (192.168.0.30:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,30,56,188).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Feb 16 09:41 pub
drwxrwxr-x 3 0 0 48 Feb 16 10:04 upload
226 Directory send OK.
ftp> cd upload
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,0,30,91,55).
150 Here comes the directory listing.
drwx------ 2 1000 1000 6 Feb 16 10:03 aa
-rw------- 1 1000 1000 333992 Feb 16 10:04 pam_mysql-0.7pre3.tar.gz
226 Directory send OK.
ftp> get pam_mysql-0.7pre3.tar.gz
local: pam_mysql-0.7pre3.tar.gz remote: pam_mysql-0.7pre3.tar.gz
227 Entering Passive Mode (192,168,0,30,211,130).
150 Opening BINARY mode data connection for pam_mysql-0.7pre3.tar.gz (333992 bytes).
226 Transfer complete.
333992 bytes received in 0.0109 secs (30532.22 Kbytes/sec)
ftp> bye
221 Goodbye.
[root@test-centos7-node1 ~]# smbclient //192.168.0.30/share_www -U tom%admin
Domain=[TEST-CENTOS7-NODE3] OS=[Windows 6.1] Server=[Samba 4.9.1]
smb: \> ls
. D 0 Sun Feb 16 06:30:30 2020
.. D 0 Sun Feb 16 07:24:16 2020
fstab N 501 Sun Feb 16 05:45:45 2020
aa N 0 Sun Feb 16 05:45:49 2020
test D 0 Sun Feb 16 05:45:53 2020
test.php A 20 Sun Feb 16 06:30:30 2020
48209924 blocks of size 1024. 46442924 blocks available
smb: \> get aa
getting file \aa of size 0 as aa (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> ls
. D 0 Sun Feb 16 06:30:30 2020
.. D 0 Sun Feb 16 07:24:16 2020
fstab N 501 Sun Feb 16 05:45:45 2020
aa N 0 Sun Feb 16 05:45:49 2020
test D 0 Sun Feb 16 05:45:53 2020
test.php A 20 Sun Feb 16 06:30:30 2020
48209924 blocks of size 1024. 46442924 blocks available
smb: \> !ls
aa fstab inotify_rsync.sh pam_mysql-0.7pre3.tar.gz test.php
smb: \> q
[root@test-centos7-node1 ~]#
Tip: the client's access to the telnet, web, ftp and samba services is not affected at all. For iptables usage and explanation, see my series of posts at https://www.cnblogs.com/qiuhom-1874/category/1642473.html
Author: Linux-1874
Source: https://www.cnblogs.com/qiuhom-1874/
Copyright of this article is shared by the author and cnblogs. Reposting is welcome, but without the author's consent this notice must be kept and a link to the original must be given in a prominent place on the article page; otherwise the right to pursue legal liability is reserved.