OpenStack's trajectory over the last few years, and how cloud computing environments differ at home and abroad

I originally meant to write about OpenStack; compared with the alternatives it is the one most people have heard of. I also covered it while studying for the RHCA and later built related projects for friends, so sharing a few small lessons is fair enough.

But OpenStack has been on a downhill slide for several years, and most of the domestic public-cloud vendors have abandoned their plans to build on top of it. The root causes come down to a few points:

  1. The system is too sprawling. That sprawl makes OpenStack hard to accept for the many domestic companies that chase release speed and survive by "ship first, optimize later". To satisfy one customer request, a few coders pull several all-nighters to write a function, and in the next release the community ships that same function. Now you must choose between continuing to follow upstream and keeping your own branch, and either choice ends up as a heavy burden on a company that never had deep funding or technical reserves to begin with.
  2. The participants have too much self-interest. OpenStack started as a contest between NASA and AWS, but the outcome surprised everyone: NASA never had development capacity on that scale and had to bring in HP (HPE now), Dell, Red Hat, Microsoft, F5 and others to do the work. But this is an open-source project, and to make an open-source project turn a profit those companies naturally reserve integration hooks for their own products to strengthen their position in it. That is hard for domestic companies to accept: most of them start on borrowed (venture) money, and being able to afford cheap servers and cheap domestic network gear already counts as doing well. Squeezing every bit of value out of the hardware with software is the way to go; big-brand products? No, out of the question. And so you face the job of cutting out the redundant components you have no use for.
  3. Compute utilization is too low. Anyone who has built a real deployment knows this: OpenStack clearly set out to match vSphere 6.x, but the copy came out looking more like a dog than a tiger. Bluntly, if the conversion rate (raw hardware into usable capacity) does not meet your requirements, then however impressive it looks it is an embroidered pillow stuffed with straw, unless you have your own team for deep customization and trimming. And if I had that, why would I not buy the vSphere product line or use the lighter-weight oVirt? Today the labour cost of a team that can handle an entire OpenStack platform is often no cheaper than buying vSphere, and plenty of domestic companies run pirated vSphere anyway, unless you are the one selling the cloud.
  4. Domestic cloud vendors are close to saturation. From IaaS to PaaS, whatever you want is available, and what is not can be built to order if you pay. It is not that vendor sales have no bottom line; without some extra revenue stream cloud computing simply does not make money. The big Ma Yun (Alibaba) model is renting out resources that otherwise sit idle to earn on the side; during promotions they oversell, and the final say is still theirs. The small Ma Yuns work the same way. When I worked for a hardware vendor I saw the servers they bought; our trainer called them "小霸王" (Subor knock-off console) servers, and that was no exaggeration. Using out-of-warranty machines as the infrastructure for a cloud amounts to making something out of nothing. Whether they realise the business opportunity there I do not know. Those boxes can just about run KVM, but whether they can really carry OpenStack is another matter.

Perhaps OpenStack has a better market in some overseas companies, since competition abroad is often less fierce than at home. Some friends of mine do OpenStack infrastructure support for foreign companies, and they have no shortage of well-known, high-volume customers.

A century-old company is a century-old company: it will pass up an unstable 20% a year in favour of a stable 5%. Perhaps only in companies that can settle down like that do engineers have the headspace to customize OpenStack and trim its redundancy for their own needs, project managers the confidence to say no to sales and push a genuinely urgent request to the next sprint, and architects the will to buy commercial equipment and design for stability first, splitting responsibility cleanly when a business anomaly occurs and retiring the junk products that deserve to be retired.

Posted in KVM/Ovirt, Life, Platform

Sharing an idea for an anti-SSH-brute-force script

Recently some script kiddies with a few resources on hand have been trying to brute-force my SSH password every day (screenshot of the auth log not reproduced):

A quick tally of the organisations the IP addresses belong to suggests they are mostly poorly maintained public-cloud hosts that got owned and became bots in some script kiddie's hands. Most originate abroad, though I cannot rule out someone having bought foreign bots.

I tried changing the port before, but it hurts the portability of my scripts; the fleet is still too small to be worth writing a CMDB for, so I decided to handle it myself.

Someone recommended fail2ban. I considered it, but since efficiency is not a concern yet and the volume is small, I decided to start with a simple shell script.

The idea is simple: the log above clearly shows the IP addresses that failed to log in because of a wrong password, so pulling out those addresses and counting them gives the number of wrong-password attempts per IP.

So every so often we analyse the log file, pull the attempt count for each IP that tried password authentication and failed, and add any that exceed a set number to /etc/hosts.deny. Two things to check first: hosts.deny is only honoured by an sshd built with TCP wrappers (libwrap), which RHEL/CentOS 7 still ships but which OpenSSH dropped upstream in 6.7, so confirm with ldd /usr/sbin/sshd | grep -i wrap; and take the address from the last "from <ip> port" on the line, because the user name that precedes it is chosen by the attacker and also ends up in the log.

Then edit /etc/logrotate.d/syslog to limit the rotation period, for example to a week, so the counts cover a bounded window (the hosts.deny entries themselves persist across rotation).

After that, anyone who comes to try the machine's SSH password gets sent to solitary.
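The counting step above, written out as an added example (shell, not the author's script): it pulls the source address out of each sshd "Failed password" line, tallies per address, and emits /etc/hosts.deny entries for anything at or over a threshold. The log lines are constructed for illustration, and append_deny takes the log and deny file as parameters so it can be pointed at copies rather than the live files while testing.

```shell
#!/bin/sh
# Added example: tally sshd "Failed password" lines per source IP and emit
# /etc/hosts.deny entries for addresses at or above a threshold.
# The sample log lines below are constructed, not taken from the post.

SAMPLE_LOG='Jan 13 08:34:35 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 13 08:34:36 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 13 08:34:37 host sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 13 08:34:38 host sshd[1237]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jan 13 08:34:39 host sshd[1238]: Accepted publickey for user from 192.0.2.9 port 22222 ssh2'

# count_failed LOGTEXT -> "count ip" per line, most frequent first.
# The greedy ".* from" anchors on the LAST "from <ip> port" of the line, so an
# attacker-chosen user name containing the words "from ... port" cannot
# substitute a different address.
count_failed() {
    printf '%s\n' "$1" \
      | grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# offenders LOGTEXT THRESHOLD -> IPs with at least THRESHOLD failures
offenders() {
    count_failed "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# deny_lines LOGTEXT THRESHOLD -> the same IPs in /etc/hosts.deny syntax
deny_lines() {
    offenders "$1" "$2" | awk '{print "sshd: " $1}'
}

# append_deny LOGFILE THRESHOLD DENYFILE -> append only IPs not already listed,
# so running this from cron every few minutes does not grow the file with
# duplicates (pass /var/log/secure 5 /etc/hosts.deny in production).
append_deny() {
    log=$1; thr=$2; deny=$3
    touch "$deny"
    offenders "$(cat "$log")" "$thr" | while read -r ip; do
        grep -qF "sshd: $ip" "$deny" || printf 'sshd: %s\n' "$ip" >> "$deny"
    done
}

# Usage: show what would be added for the sample at a threshold of 3.
deny_lines "$SAMPLE_LOG" 3
```

The functions take the log text or file as an argument rather than reading /var/log/secure directly, which keeps the parsing testable on a saved copy before the script is allowed to write to the real hosts.deny.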

Eh? You ask why not add it to iptables and let the firewall service do the blocking?

Then let me ask you: have you ever seen network changes that run around the clock with nobody approving them? Put bluntly, automated ops presupposes someone who can handle things at a global level, and every change needs an approval. To go fully automatic and drop manual approval you need a large body of experimental samples; that idea is called AIOps, and at the GOPS conferences a few years back people kept envisioning and pushing it. But at bottom it can only reduce the ops workload and the headcount cost of the ops team to a degree; it cannot replace the whole ops team or the people able to handle the project.

Posted in Linux, OS

Fixing "permission denied" when sudo is used together with a redirection operator

Because I used to work at a cloud vendor, for one-off batch operations I do not much like Ansible or SaltStack and prefer pssh, which is more efficient.

The drawbacks of pssh mostly come down to sudo, in particular passphrase-protected private keys and "permission denied" when a redirection operator is involved. This post only covers the redirection case.

$ ssh user@host -x 'sudo echo " */5 *  *  *  *  user      /bin/bash /opt/auto/testing" >> /etc/crontab'
bash: /etc/crontab: Permission denied

The reason is that the redirection is performed by the remote user's own shell before sudo ever runs: only echo executes as root, while the shell that opens /etc/crontab for appending is still unprivileged. The simplest fix is to wrap the whole command in sh -c "" (or bash -c "") under sudo, so that the shell doing the redirection is the one running as root (note that the inner quotes must be escaped):

ssh user@host -x 'sudo sh -c "echo \" */5 *  *  *  *  user      /bin/bash /opt/auto/testing\" >> /etc/crontab"'

There, the single-host append succeeds; change ssh to pssh and the same command works across the fleet.
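As an added example (not the author's code), here is the same append done in the two ways that keep the privileged write inside the sudo'd process, plus an idempotency guard, which matters once the command runs through pssh on every host on every run: a bare >> adds a duplicate crontab entry each time. The cron line, host name and file paths are constructed; build_tee_cmd and build_sh_c_cmd only assemble the remote command strings, so the quoting can be inspected before handing them to ssh or pssh.

```shell
#!/bin/sh
# Added example, not from the post: build the remote command so that the
# privileged write is done by a process that actually runs under sudo, and make
# it idempotent so that re-running it through pssh does not append the crontab
# line twice. The cron line is constructed for illustration; entries in
# /etc/crontab carry a sixth (user) field, hence "user" in the line.

CRON_LINE='*/5 * * * * user /bin/bash /opt/auto/testing'

# build_tee_cmd LINE FILE -> remote command. tee runs under sudo and performs
# the write itself; the unprivileged shell only redirects tee's stdout to
# /dev/null, which needs no privilege. LINE and FILE must not contain single
# quotes.
build_tee_cmd() {
    printf "echo '%s' | sudo tee -a '%s' >/dev/null" "$1" "$2"
}

# build_sh_c_cmd LINE FILE -> the sh -c form from the post, with a grep guard
# (-x whole line, -F literal) so the line is appended only when absent.
build_sh_c_cmd() {
    printf "sudo sh -c \"grep -qxF -e '%s' '%s' || echo '%s' >> '%s'\"" \
        "$1" "$2" "$1" "$2"
}

# ssh_wrap HOST CMD -> the ssh invocation for build_tee_cmd output. That output
# contains no double quotes, $ or backticks, so double-quote wrapping is safe;
# the sh -c form would need its own double quotes escaped first.
ssh_wrap() {
    printf 'ssh %s "%s"' "$1" "$2"
}

# Usage: print the command you would hand to ssh or pssh.
ssh_wrap user@host "$(build_tee_cmd "$CRON_LINE" /etc/crontab)"
echo
```

The tee form is usually the better choice for pssh because it needs only one level of quoting; the sh -c form is kept because the grep guard must run as the same user that performs the append, and the post already relies on it.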

Posted in AutomaticOPS, Linux, OS, SSH/PSSH

Adding plugins to kubectl

First download the manifest and the tarball, then extract the tarball to get the binaries:

wget https://storage.googleapis.com/krew/v0.2.1/krew.tar.gz
wget https://storage.googleapis.com/krew/v0.2.1/krew.yaml
tar -zxvf krew.tar.gz
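Before executing the extracted binary it is worth checking the archive you downloaded against the sha256 recorded in the manifest, since ./krew-linux_amd64 runs before krew itself has verified anything. The shell functions below are an added example, not part of the post or of krew; the manifest excerpt is constructed to mirror the layout of a krew plugin manifest (spec.platforms[].sha256), and its digest is the hash of the string "hello", a placeholder rather than krew's real value.

```shell
#!/bin/sh
# Added example (not part of the post or of krew): verify a downloaded archive
# against the sha256 values listed in a krew-style manifest before executing
# anything extracted from it. The manifest excerpt is constructed to mirror the
# spec.platforms[].sha256 layout; its digest is sha256("hello"), a placeholder.

SAMPLE_MANIFEST='apiVersion: krew.googlecontainertools.github.com/v1alpha2
kind: Plugin
metadata:
  name: krew
spec:
  platforms:
  - uri: https://storage.googleapis.com/krew/v0.2.1/krew.tar.gz
    sha256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    selector:
      matchLabels:
        os: linux
        arch: amd64'

# manifest_digests MANIFEST_TEXT -> every sha256: value it lists, lowercase, one per line
manifest_digests() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*sha256:[[:space:]]*\([0-9A-Fa-f]\{64\}\).*/\1/p' \
      | tr 'A-F' 'a-f'
}

# file_digest FILE -> lowercase hex sha256 of FILE (sha256sum on Linux, shasum on macOS)
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_archive MANIFEST_TEXT FILE -> exit 0 only if FILE's digest is one the manifest lists
verify_archive() {
    digest=$(file_digest "$2")
    manifest_digests "$1" | grep -qx "$digest"
}

# Usage against the real downloads, once krew.yaml and krew.tar.gz are present:
# verify_archive "$(cat krew.yaml)" krew.tar.gz \
#   && ./krew-linux_amd64 install --manifest=krew.yaml --archive=krew.tar.gz
```

Matching on any digest in the manifest is deliberate: krew's own manifest lists one archive for several platform selectors, and the archive is what you are about to run, not the selector.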
# wget https://storage.googleapis.com/krew/v0.2.1/krew.tar.gz
--2020-01-13 08:34:35--  https://storage.googleapis.com/krew/v0.2.1/krew.tar.gz
Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.164.112, 2607:f8b0:4005:807::2010
Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.164.112|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14375157 (14M) [application/x-tar]
Saving to: 'krew.tar.gz'
100%[=====================================================>] 14,375,157  42.9MB/s   in 0.3s
2020-01-13 08:34:36 (42.9 MB/s) - 'krew.tar.gz' saved [14375157/14375157]
# wget https://storage.googleapis.com/krew/v0.2.1/krew.yaml
--2020-01-13 08:34:36--  https://storage.googleapis.com/krew/v0.2.1/krew.yaml
Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.164.112, 2607:f8b0:4005:807::2010
Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.164.112|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2442 (2.4K) [application/octet-stream]
Saving to: 'krew.yaml'
100%[=====================================================>] 2,442       --.-K/s   in 0s
2020-01-13 08:34:36 (37.2 MB/s) - 'krew.yaml' saved [2442/2442]
# tar -zxvf krew.tar.gz
./krew-darwin_amd64
./krew-linux_amd64
./krew-linux_arm
./krew-windows_amd64.exe
# ls
krew-darwin_amd64  krew-linux_arm  krew-windows_amd64.exe
krew-linux_amd64   krew.tar.gz     krew.yaml
# ./krew-linux_amd64 install --manifest=krew.yaml --archive=krew.tar.gz

Installing plugin: krew
CAVEATS:
\
 |  krew is now installed! To start using kubectl plugins, you need to add
 |  krew's installation directory to your PATH:
 |
 |    * macOS/Linux:
 |      - Add the following to your ~/.bashrc or ~/.zshrc:
 |          export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
 |      - Restart your shell.
 |
 |    * Windows: Add %USERPROFILE%\.krew\bin to your PATH environment variable
 |
 |  Run "kubectl krew" to list krew commands and get help.
 |  You can find documentation at https://github.com/GoogleContainerTools/krew.
/
Installed plugin: krew

Edit ~/.bash_profile:

vim ~/.bash_profile

and add the line:

PATH=$PATH:$HOME/bin:$HOME/.krew/bin

Save, then run:

source ~/.bash_profile

Keep in mind how kubectl finds plugins: any executable named kubectl-<name> anywhere on PATH becomes a subcommand, so ~/.krew/bin and every other PATH entry should be writable only by you. Anyone who can write to one of them can drop a kubectl-<name> that runs with your kubeconfig credentials.

Example: install the tree plugin:

# kubectl krew install tree
Updated the local copy of plugin index.
Installing plugin: tree
CAVEATS:
\
 |  * For resources that are not in default namespace, currently you must
 |    specify -n/--namespace explicitly (the current namespace setting is not
 |    yet used).
/
Installed plugin: tree

# kubectl tree deployment zzzz -n yyyy
NAMESPACE   NAME                                READY  REASON  AGE
yyyy        Deployment/zzzz                     -              4d14h
yyyy        └─ReplicaSet/zzzz-58dc7468d7        -              4d14h
yyyy          └─Pod/zzzz-58dc7468d7-nzkbh       True           3h45m

Posted in Kubernetes, Platform

pssh with a passphrase-protected private key fails when -A is used

When pssh logs in with a passphrase-protected private key and the -A option is used, it fails with "stderr: Enter passphrase for key '****'".

Fix:

Edit

vim /lib/python2.7/site-packages/psshlib/askpass_client.py

(on OS X with Homebrew the file is at:

vim /usr/local/Cellar/pssh/2.3.1/lib/python2.7/site-packages/psshlib/askpass_client.py)

and change line 67 from:

if not prompt.strip().lower().endswith('password:'):

to

if not (prompt.strip().lower().endswith('password:') or 'enter passphrase for key' in prompt.strip().lower()):

Background: the check on that line is what stops the askpass helper from answering anything other than a password prompt with the string typed at -A. The patched check adds the key-passphrase prompt to that allow-list, so what you type at -A has to be the key's passphrase. The edit is lost whenever pssh is upgraded; a patch-free alternative is to load the key into ssh-agent with ssh-add and run pssh without -A.

Posted in AutomaticOPS, Linux, SSH/PSSH

Installing a Hyper-V virtual machine

Install Hyper-V on Windows Server 2008 R2 Enterprise: Server Manager, Add Roles, select Hyper-V.

Note: the installation requires a reboot.

Create a virtual machine in Hyper-V Manager: Action, New, Virtual Machine, then work through the wizard pages:

  Name of the virtual machine
  Memory
  Network
  Hard disk
  Install options
  Summary

Tip: to release the mouse from the VM window press Ctrl+Alt+Left Arrow.

One more point: for Hyper-V to install and for VMs to run, the hardware must support virtualization and that support must be enabled in the BIOS. Specifically:

  1. Enable No-Execute (NX/XD, hardware DEP) in the BIOS (RBSU on HP ProLiant servers); figure not reproduced.
  2. Enable processor virtualization, i.e. Intel Virtualization Technology (VT-x) or AMD Virtualization (AMD-V); figure for Intel processors not reproduced.

If these are not enabled you will see errors such as: the installer reports that the server does not contain the required hardware support; the message will indicate that the virtual machine could not be started because the hypervisor is not running; or simply "cannot start the virtual machine".

Posted in OS, Windows

Windows Server running out of disk space

  1. WinSxS holds the component store (shared DLLs and side-by-side assemblies); do not delete from it by hand. On Server 2012 and later the supported way to shrink it is DISM /Online /Cleanup-Image /StartComponentCleanup.
  2. Run cleanmgr.exe to clean up disk space.
  3. Relocate the Windows Update download directory to another partition as follows. Run it from an elevated command prompt; it discards the update history and cached downloads, which Windows Update rebuilds on its own:

net stop wuauserv
net stop bits
if exist C:\Windows\SoftwareDistribution rmdir /S /Q C:\Windows\SoftwareDistribution
if not exist D:\SoftwareDistribution mkdir D:\SoftwareDistribution
cd /D C:\Windows
mklink /J SoftwareDistribution D:\SoftwareDistribution
net start wuauserv
net start bits
Posted in OS, Windows

AD domain controller: managing users and group policy

  1. Get the password policy:

Get-ADDefaultDomainPasswordPolicy

For an explanation of the individual settings see: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-duration

  2. Find users whose password never expires:

Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Server DCHostname | select name

Usually we list all the names like this:

Get-ADUser -Filter 'PasswordNeverExpires -eq $true' | select name

The search can be restricted to an OU with -SearchBase 'OU=xxx,DC=xxx'; note that the DNS domain name is split at its dots into comma-separated DC= components:

Get-ADUser -SearchBase 'OU=Dongguan,DC=szmaxcent,DC=COM,DC=CN' -Filter 'PasswordNeverExpires -eq $true' -Server DC001 | select name

  3. Find which users are currently locked out:

Get-ADUser -Filter * -Properties LockedOut | where {$_.LockedOut} | ft name, LockedOut

(Search-ADAccount -LockedOut gives the same answer without pulling every property of every user.)

  4. Unlock an account:

Unlock-ADAccount -Identity jli5

  5. Check whether a specific account is locked out:

Get-ADUser -Identity jli5 -Properties LockedOut | ft name, LockedOut

  6. Find empty groups:

Get-ADGroup -Filter * -Properties members | where { -not $_.members } | select name

https://blog.51cto.com/hubuxcg/1620341

  7. Show users who have not logged on in the last 6 weeks:

dsquery.exe user -inactive 6

  8. Disable users who have not logged on in the last 6 weeks:

dsquery.exe user -inactive 6 | dsmod user -disabled yes

  9. Delete users that are already disabled (dsrm asks for confirmation per object unless -noprompt is given; deletion is hard to undo, so consider parking disabled accounts in a holding OU for a while first):

dsquery user -disabled | dsrm

  10. List disabled users:

dsquery user -disabled

Note that dsquery returns at most 100 objects by default; add -limit 0 to get all of them, otherwise the disable and delete pipelines above silently stop after the first hundred.

  11. Show the last logon time of every user in the domain. Note that the values are 64-bit FILETIME integers and need converting, e.g. [DateTime]::FromFileTime($_.lastLogonTimestamp). lastLogon is not replicated between DCs, so an exact value means asking every DC; lastLogonTimestamp is replicated but may lag the real last logon by up to 14 days:

Get-ADUser -Filter * -Properties lastLogon,lastLogonTimestamp | select name, lastLogon, lastLogonTimestamp

  12. List all properties of a given user:

Get-ADUser -Filter 'name -eq "b_incdata_rw"' -Properties *

where "b_incdata_rw" is the user name.

In that output, an accountExpires of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) means the account never expires.

Posted in OS, Windows

Windows: Remote Desktop reports a missing licence

  1. A customer reported that Remote Desktop fails with a licensing error telling them a licence must be purchased.
  2. mstsc /v:IP /admin can be used to log on in the meantime; it connects to the administrative session, which does not go through RD licensing. Mac users see the figure (not reproduced).
  3. Uninstall the Remote Desktop Services role. The error appears when the role was installed without a licensing server and the 120-day grace period has run out; plain administrative Remote Desktop (two sessions) works without the role and without CALs.

Posted in OS, Windows

Meaning of the Windows Logon Type

The Logon Type field of a logon event tells you how the session was established. (The event IDs in the article quoted below are the pre-Vista ones; on Windows Vista/Server 2008 and later a successful logon is 4624, a failure 4625 and a logoff 4634.)

Logon type 2, Interactive: local interactive logon, the most common kind.
Logon type 3, Network: network logon, most often access to a shared folder or printer; IIS authentication is also type 3.
Logon type 4, Batch: scheduled tasks.
Logon type 5, Service: services. Some services run under a domain account; the common cause of failures is an administrator changing the domain account's password and forgetting to update the password stored in the service.
Logon type 7, Unlock: unlocking the screen. Many companies lock the screen via a screen saver after the user has been away for a while; unlocking requires the user name and password, and the event produced is type 7.
Logon type 8, NetworkCleartext: network logon with a cleartext password, usually from IIS ASP logons. Not recommended.
Logon type 9, NewCredentials: logon with new credentials, typically when a program is started with RunAs /netonly.
Logon type 10, RemoteInteractive: remote logon, e.g. Terminal Services or RDP. Windows 2000 has no type 10 and logs these as type 2; type 10 exists from Windows XP/2003 on.
Logon type 11, CachedInteractive: cached logon. For the benefit of laptop users, Windows caches the last 10 successful logons.

Original article (appended):
The logon/logoff category of the Windows security log gives you the ability to monitor all attempts to access the local computer. In this article I'll examine each logon type in greater detail and show you how some other fields in Logon/Logoff events can be helpful for understanding the nature of a given logon attempt.

Event IDs 528 and 540 signify a successful logon, event ID 538 a logoff and all the other events in this category identify different reasons for a logon failure. However, just knowing about a successful or failed logon attempt doesn't fill in the whole picture. Because of all the services Windows offers, there are many different ways you can logon to a computer such as interactively at the computer's local keyboard and screen, over the network through a drive mapping or through terminal services (aka remote desktop) or through IIS. Thankfully, logon/logoff events specify the Logon Type code which reveals the type of logon that prompted the event.

Logon Type 2 – Interactive

This is what occurs to you first when you think of logons, that is, a logon at the console of a computer. You'll see type 2 logons when a user attempts to log on at the local keyboard and screen whether with a domain account or a local account from the computer's local SAM. To tell the difference between an attempt to logon with a local or domain account look for the domain or computer name preceding the user name in the event's description. Don't forget that logons through a KVM over IP component or a server's proprietary "lights-out" remote KVM feature are still interactive logons from the standpoint of Windows and will be logged as such.

Logon Type 3 – Network

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well such as most logons to IIS. (The exception is basic authentication which is explained in Logon Type 8 below.)

Logon Type 4 – Batch

When Windows executes a scheduled task, the Scheduled Task service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created. When this logon attempt occurs, Windows logs it as logon type 4. Other job scheduling systems, depending on their design, may also generate logon events with logon type 4 when starting jobs. Logon type 4 events are usually just innocent scheduled task startups but a malicious user could try to subvert security by trying to guess the password of an account through scheduled tasks. Such attempts would generate a logon failure event where logon type is 4. But logon failures associated with scheduled tasks can also result from an administrator entering the wrong password for the account at the time of task creation or from the password of an account being changed without modifying the scheduled task to use the new password.

Logon Type 5 – Service

Similar to Scheduled Tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for the specified user account which results in a Logon/Logoff event with logon type 5. Failed logon events with logon type 5 usually indicate the password of an account has been changed without updating the service but there's always the possibility of malicious users at work too. However this is less likely because creating a new service or editing an existing service by default requires membership in Administrators or Server Operators and such a user, if malicious, will likely already have enough authority to perpetrate his desired goal.

Logon Type 7 – Unlock

Hopefully the workstations on your network automatically start a password protected screen saver when a user leaves their computer so that unattended workstations are protected from malicious use. When a user returns to their workstation and unlocks the console, Windows treats this as a logon and logs the appropriate Logon/Logoff event but in this case the logon type will be 7 – identifying the event as a workstation unlock attempt. Failed logons with logon type 7 indicate either a user entering the wrong password or a malicious user trying to unlock the computer by guessing the password.

Logon Type 8 – NetworkCleartext

This logon type indicates a network logon like logon type 3 but where the password was sent over the network in the clear text. Windows server doesn't allow connection to shared files or printers with clear text authentication. The only situations I'm aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS's basic authentication mode. In both cases the logon process in the event's description will list advapi. Basic authentication is only dangerous if it isn't wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.

Logon Type 9 – NewCredentials

If you use the RunAs command to start a program under a different user account and specify the /netonly switch, Windows records a logon/logoff event with logon type 9. When you start a program with RunAs using /netonly, the program executes on your local computer as the user you are currently logged on as but for any connections to other computers on the network, Windows connects you to those computers using the account specified on the RunAs command. Without /netonly Windows runs the program on the local computer and on the network as the specified user and records the logon event with logon type 2.

Logon Type 10 – RemoteInteractive

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance Windows logs the logon attempt with logon type 10 which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn't use logon type 10 and terminal services logons are reported as logon type 2.

Logon Type 11 – CachedInteractive

Windows supports a feature called Cached Logons which facilitates mobile users. When you are not connected to your organization's network and attempt to logon to your laptop with a domain account there's no domain controller available to the laptop with which to verify your identity. To solve this problem, Windows caches a hash of the credentials of the last 10 interactive domain logons. Later when no domain controller is available, Windows uses these hashes to verify your identity when you attempt to logon with a domain account.

Conclusion

I hope this discussion of logon types and their meanings helps you as you keep watch on your Windows network and try to piece together the different ways users are accessing your computers. Paying attention to logon type is important because different logon types can affect how you interpret logon events from a security perspective. For instance a failed network logon on a server might not be surprising since users must access servers over the network all the time. But a failed network logon attempt in a workstation security log is different. Why is anyone trying to access someone else's workstation from over the network? As you can see, it pays to understand the security log.
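The conclusion's point, that the same event means different things on a server and on a workstation, written as a triage rule. This is an added example, not part of the post or of the quoted article: it runs awk over constructed, CSV-flattened logon events with an assumed column layout (host,role,event_id,logon_type,user,source), uses the 4624/4625 success/failure IDs of Vista/Server 2008 and later, and flags two things the article calls out: failed network (type 3) logons against workstations, and successful NetworkCleartext (type 8) logons, whose credentials crossed the wire in clear text.

```shell
#!/bin/sh
# Added example, not from the post or the quoted article: a small awk triage
# rule over constructed, CSV-flattened Windows logon events. The column layout
# (host,role,event_id,logon_type,user,source) and the rows are assumptions
# made for illustration; 4624/4625 are the Vista+ success/failure event IDs.

SAMPLE_EVENTS='host,role,event_id,logon_type,user,source
FS01,server,4625,3,alice,10.0.0.15
FS01,server,4624,3,bob,10.0.0.16
WS-ALICE,workstation,4625,3,administrator,10.0.0.99
WS-ALICE,workstation,4625,3,administrator,10.0.0.99
WS-BOB,workstation,4624,2,bob,-
WEB01,server,4624,8,svc_web,10.0.0.50
DC01,server,4624,10,admin,10.0.0.7'

# triage EVENTS_CSV -> one line per finding: "<rule> <host> <user> <source>"
triage() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 {
        # Failed network logon against a workstation: users do not map drives
        # to each other PCs, so this is worth a look even though the same
        # event on a file server (FS01 above) is routine.
        if ($3 == 4625 && $4 == 3 && $2 == "workstation")
            print "ws-network-failure", $1, $5, $6
        # NetworkCleartext success: the password went over the network in
        # clear text (basic auth / ASP logon), review whether it was over TLS.
        if ($3 == 4624 && $4 == 8)
            print "cleartext-logon", $1, $5, $6
    }'
}

# count_ws_failures EVENTS_CSV -> "count host user source", highest first,
# which is the shape you want for spotting a password-guessing source.
count_ws_failures() {
    triage "$1" \
      | awk '$1 == "ws-network-failure" {print $2, $3, $4}' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2, $3, $4}'
}

# Usage: list the findings for the sample.
triage "$SAMPLE_EVENTS"
```

The role column is the whole point: without knowing whether the host is a server or a workstation, a type 3 failure cannot be scored, which is why the example carries that field alongside the event rather than deriving it from the host name.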

Posted in OS, Windows