Finally ended up using Tencent Cloud's Lighthouse lightweight application server, lol

0x00. Preface

I suspect a temp worker set that price; anyway, got it, so keep quiet and enjoy. I had been worrying that cn-tx-bj1-c8, that handy CentOS box, would expire next summer (2019-05-09 00:27:53 ~ 2022-05-09 00:27:54).
Now there is a new machine, which makes me really happy (2021-12-20 22:07:24 ~ 2024-12-20 22:07:24); let's pretend I'm still a student, 2333

0x01. Change the hostname

Still the same routine as always; after all, it's the first thing to do after SSHing in

[root@cn-tx-bj7-c8 ~]# hostnamectl set-hostname cn-tx-bj7-c8
[root@cn-tx-bj7-c8 ~]# hostnamectl status
Static hostname: cn-tx-bj7-c8
Icon name: computer-vm
Chassis: vm
Machine ID: 24955ebe6f454781b4db8ea70343d7eb
Boot ID: 2db66f2ce668440ea196c276e13866d8
Virtualization: kvm
Operating System: CentOS Linux 8
CPE OS Name: cpe:/o:centos:centos:8
Kernel: Linux 4.18.0-305.3.1.el8.x86_64
Architecture: x86-64
[root@cn-tx-bj7-c8 ~]# cat /etc/hosts
127.0.0.1 cn-tx-bj7-c8 cn-tx-bj7-c8
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4

::1 cn-tx-bj7-c8 cn-tx-bj7-c8
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

[root@cn-tx-bj7-c8 ~]# reboot

0x02. Change the SSH port

Sigh: the machine was created at ten last night, and logging in at two this afternoon I already saw brute-force records, lol

Activate the web console with: systemctl enable --now cockpit.socket

Last failed login: Tue Dec 21 09:53:50 CST 2021 from 45.141.84.10 on ssh:notty
There were 1917 failed login attempts since the last successful login.
Last login: Mon Dec 20 22:48:55 2021 from 123.185.64.217
[root@cn-tx-bj7-c8 ~]#

Change it to a non-22 port to prevent brute-forcing, open the new port in Tencent Cloud's firewall, and block the default port 22

[root@cn-tx-bj7-c8 ~]# vim /etc/ssh/sshd_config
……
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port <rm>
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
……
[root@cn-tx-bj7-c8 ~]# systemctl restart sshd

Note: be sure to open a new shell to test whether the new port works; if it does, the old shell can be closed, otherwise reconfigure (it's not that bad really, worst case VNC comes to the rescue

0x03. Install Fail2ban

Against brute-forcing, bring out the Fail2ban artifact

[root@cn-tx-bj7-c8 ~]# dnf install fail2ban -y
[root@cn-tx-bj7-c8 ~]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:fail2ban(1)

Configure it to start on boot and start it

[root@cn-tx-bj7-c8 ~]# systemctl enable --now fail2ban
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /usr/lib/systemd/system/fail2ban.service.
[root@cn-tx-bj7-c8 ~]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-12-21 14:53:30 CST; 2s ago
Docs: man:fail2ban(1)
Process: 277792 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 277794 (fail2ban-server)
Tasks: 3 (limit: 23722)
Memory: 10.7M
CGroup: /system.slice/fail2ban.service
└─277794 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Dec 21 14:53:30 cn-tx-bj7-c8 systemd[1]: Starting Fail2Ban Service...
Dec 21 14:53:30 cn-tx-bj7-c8 systemd[1]: Started Fail2Ban Service.
Dec 21 14:53:30 cn-tx-bj7-c8 fail2ban-server[277794]: Server ready

Create a .local config file so that the .conf file being overwritten on update doesn't matter

[root@cn-tx-bj7-c8 ~]# ll /etc/fail2ban/
total 56
drwxr-xr-x 2 root root 4096 Dec 21 14:52 action.d
-rw-r--r-- 1 root root 2816 Nov 24 2020 fail2ban.conf
drwxr-xr-x 2 root root 4096 Nov 24 2020 fail2ban.d
drwxr-xr-x 3 root root 4096 Dec 21 14:52 filter.d
-rw-r--r-- 1 root root 24996 Nov 24 2020 jail.conf
drwxr-xr-x 2 root root 4096 Dec 21 14:52 jail.d
-rw-r--r-- 1 root root 2827 Nov 24 2020 paths-common.conf
-rw-r--r-- 1 root root 930 Nov 24 2020 paths-fedora.conf
[root@cn-tx-bj7-c8 ~]# cp /etc/fail2ban/jail.{conf,local}
[root@cn-tx-bj7-c8 ~]# ll /etc/fail2ban/
total 84
drwxr-xr-x 2 root root 4096 Dec 21 14:52 action.d
-rw-r--r-- 1 root root 2816 Nov 24 2020 fail2ban.conf
drwxr-xr-x 2 root root 4096 Nov 24 2020 fail2ban.d
drwxr-xr-x 3 root root 4096 Dec 21 14:52 filter.d
-rw-r--r-- 1 root root 24996 Nov 24 2020 jail.conf
drwxr-xr-x 2 root root 4096 Dec 21 14:52 jail.d
-rw-r--r-- 1 root root 24996 Dec 21 14:54 jail.local
-rw-r--r-- 1 root root 2827 Nov 24 2020 paths-common.conf
-rw-r--r-- 1 root root 930 Nov 24 2020 paths-fedora.conf

Edit the config file /etc/fail2ban/jail.local and enable the SSH (sshd) jail

……
# "bantime" is the number of seconds that a host is banned.
bantime = 1d

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5
……
[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
enabled = true
#mode = normal
port = <rm>
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Finally you can check the status with the Fail2ban client; simple, isn't it?

[root@cn-tx-bj7-c8 ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
[root@cn-tx-bj7-c8 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
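
An added check (not part of the original post, and not Fail2ban's own tooling): after sshd moves to a new port, the `port` of the sshd jail has to name that same port, otherwise the ban rule Fail2ban inserts covers the wrong port while the failed logins keep arriving on the real one. The script parses a constructed sshd_config and jail.local (port 2222 is a placeholder), compares the two, and converts the `bantime`/`findtime` strings from the jail config above into seconds.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): after sshd moves to a new port, the
# sshd jail in jail.local must ban on that same port, or the rule Fail2ban inserts
# covers the wrong port. The two config texts are constructed samples standing in
# for /etc/ssh/sshd_config and /etc/fail2ban/jail.local; 2222 is a placeholder.

SSHD_CONFIG_SAMPLE='# comments, including the commented-out default, are ignored
#Port 22
Port 2222
#AddressFamily any'

JAIL_LOCAL_SAMPLE='[DEFAULT]
bantime = 1d
findtime = 10m
maxretry = 5
port = ssh

[sshd]
enabled = true
port = 2222
logpath = %(sshd_log)s'

# Effective sshd port: the first uncommented Port directive wins (sshd semantics),
# and 22 when none is set.
sshd_port() {
    local p
    p=$(printf '%s\n' "$1" | awk '/^[[:space:]]*#/ { next }
                                   tolower($1) == "port" { print $2; exit }')
    printf '%s\n' "${p:-22}"
}

# jail_option CONFIG SECTION KEY: value of KEY in [SECTION], falling back to
# [DEFAULT] the way fail2ban resolves jail options.
jail_option() {
    printf '%s\n' "$1" | awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^\[/ { sec = $0; gsub(/[[:space:]]/, "", sec); next }
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (sec == want) { found = v; exit }
            if (sec == "[DEFAULT]") def = v
        }
        END { print (found != "" ? found : def) }'
}

# f2b_seconds 1d -> 86400, 10m -> 600, 30 -> 30: the suffix forms used in jail.local
# (s, m, h, d, w). fail2ban also accepts spelled-out units; those are not handled.
f2b_seconds() {
    local v=$1 n unit mult
    n=${v%[smhdw]}
    unit=${v#"$n"}
    case $n in ''|*[!0-9]*) return 1 ;; esac   # the number part must be digits
    case $unit in
        ''|s) mult=1 ;;
        m)    mult=60 ;;
        h)    mult=3600 ;;
        d)    mult=86400 ;;
        w)    mult=604800 ;;
        *)    return 1 ;;
    esac
    echo $((n * mult))
}

# check_sshd_jail SSHD_CONFIG JAIL_LOCAL: 0 when both agree on the port, 1 otherwise.
check_sshd_jail() {
    local sp jp
    sp=$(sshd_port "$1")
    jp=$(jail_option "$2" sshd port)
    [ "$jp" = ssh ] && jp=22   # the "ssh" service name resolves to 22 via /etc/services
    if [ "$sp" = "$jp" ]; then
        echo "OK: sshd listens on $sp and the sshd jail bans on $jp"
        return 0
    fi
    echo "MISMATCH: sshd listens on $sp but the sshd jail bans on $jp" >&2
    return 1
}

check_sshd_jail "$SSHD_CONFIG_SAMPLE" "$JAIL_LOCAL_SAMPLE"
for opt in bantime findtime; do
    printf '%s = %ss\n' "$opt" "$(f2b_seconds "$(jail_option "$JAIL_LOCAL_SAMPLE" sshd "$opt")")"
done
```

Run it against the real files with `check_sshd_jail "$(cat /etc/ssh/sshd_config)" "$(cat /etc/fail2ban/jail.local)"`; on a SELinux host the new port also needs the `semanage port` call quoted in the sshd_config comment above.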

0x04. Enable Cockpit

Remember the "Activate the web console with: systemctl enable --now cockpit.socket" seen at login earlier? With SSH sorted out, I can try enabling it; I had actually never used it before……

[root@cn-tx-bj7-c8 ~]# systemctl enable --now cockpit.socket
Created symlink /etc/systemd/system/sockets.target.wants/cockpit.socket → /usr/lib/systemd/system/cockpit.socket.
[root@cn-tx-bj7-c8 ~]# systemctl status cockpit.socket
● cockpit.socket - Cockpit Web Service Socket
Loaded: loaded (/usr/lib/systemd/system/cockpit.socket; enabled; vendor preset: disabled)
Active: active (listening) since Tue 2021-12-21 15:30:09 CST; 14s ago
Docs: man:cockpit-ws(8)
Listen: [::]:9090 (Stream)
Process: 285185 ExecStartPost=/bin/ln -snf active.motd /run/cockpit/motd (code=exited, status=0/SUCCESS)
Process: 285178 ExecStartPost=/usr/share/cockpit/motd/update-motd localhost (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 23722)
Memory: 4.0K
CGroup: /system.slice/cockpit.socket

Dec 21 15:30:09 cn-tx-bj7-c8 systemd[1]: Starting Cockpit Web Service Socket.
Dec 21 15:30:09 cn-tx-bj7-c8 systemd[1]: Listening on Cockpit Web Service Socket.
[root@cn-tx-bj7-c8 ~]# systemctl status cockpit
● cockpit.service - Cockpit Web Service
Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static; vendor preset: disabled)
Active: inactive (dead)
Docs: man:cockpit-ws(8)

Then visit port 9090 and log in with the SSH account. Wow, the UI is really nice, it has that feel

(screenshots: Login, Overview)

In Accounts you can even see a locked lighthouse user, lol

(screenshot: Accounts)

You can also view the running status of each service

(screenshot: Services)

And of course the most important part, the terminal, is there too

(screenshot: Terminal)

0x05. Export MongoDB data

The C drive of cn-tx-bj3-w9d is running out of space again, lol; a SpaceSniffer scan showed MongoDB's data at 7.4G, which is fairly large compared with the other small files

(screenshots: C drive, data)

Because the default Windows installation doesn't include the mongodump executable, you have to download the mongodb-database-tools-windows-x86_64-100.5.1.zip tool package manually and unzip it, then run mongodump

E:\mongodb-database-tools-windows-x86_64-100.5.1\bin>mongodump -u<rm> -p<rm> -o "X:\\mongodb_data"
2021-12-21T21:04:12.503+0800 writing admin.system.users to X:\mongodb_data\admin\system.users.bson
2021-12-21T21:04:12.548+0800 done dumping admin.system.users (2 documents)
2021-12-21T21:04:12.548+0800 writing admin.system.version to X:\mongodb_data\admin\system.version.bson
2021-12-21T21:04:12.558+0800 done dumping admin.system.version (3 documents)
……
2021-12-21T21:16:42.272+0800 [#######################.] bilibili.bilibili_all_3 4355003/4369494 (99.7%)
2021-12-21T21:16:43.128+0800 [########################] bilibili.bilibili_all_3 4369494/4369494 (100.0%)
2021-12-21T21:16:45.550+0800 done dumping bilibili.bilibili_all_3 (4369494 documents)

And during the migration cn-tx-bj3-w9d didn't even have room left to copy files. I looked around for other space hogs and changed the virtual memory to 256-512; after a reboot it actually complained that virtual memory was too low, so I raised it to 512-1024……

(screenshot: data)

Tweaking it felt great for a moment, then came lag hell…… Lost several more hours to this; never shrink the virtual memory, the system became unbearably laggy afterwards (it really should be left for the system to manage automatically
And the GUI tool for mounting S3 kept throwing errors, far too unstable, so I had to pip install coscmd; while installing I noticed pip had also been pointed at Tencent Cloud's mirror. C:\>coscmd upload -r --skipmd5 X:/mongodb_data mongo_data_bak finally got the mongodump output out; it took two hours, damn
Fun fact: when uploading one particular collection, the CPU would max out and the upload speed dropped instantly from tens of MB/s to a few hundred KB or one or two MB; rebooting didn't help
Later I saw the collection's name was wooyun and it suddenly clicked; combined with the high-CPU process being Windows Defender, it's not hard to conclude that since the content is full of vulnerability PoCs it got scanned hard, lol, so I skipped that collection for now

(screenshots: 100, wooyun)

0x06. Install MongoDB

Here you need to create a 5.0 repo manually

[root@cn-tx-bj7-c8 ~]# cat /etc/yum.repos.d/mongodb-org-5.0.repo
[mongodb-org-5.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/5.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-5.0.asc
[root@cn-tx-bj7-c8 ~]# dnf install mongodb-org -y
……
[root@cn-tx-bj7-c8 ~]# systemctl enable mongod --now

Wait until the data import in the next step (#0x07 Import MongoDB data) has finished, then modify the config file

[root@cn-tx-bj7-c8 ~]# vim /etc/mongod.conf
# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.


security:
  authorization: enabled
[root@cn-tx-bj7-c8 ~]# systemctl restart mongod
(screenshot: finally done)

0x07. Import MongoDB data

Along the way, when mounting the CIFS file system holding the data exported from cn-tx-bj3-w9d, I found that the file storage service doesn't support private-network connectivity with cn-tx-bj7-c8 at all; the bloody expensive Cloud Connect Network is a real turn-off. Cloud Connect Network bandwidth of 5Gbps and below within the same region is free
Weak and helpless, I went through a lot of trouble uploading to COS; after all, file storage is billed by time, damn, and the faster you finish the more you save. Then it turned out that once Cloud Connect Network is enabled, the private network is reachable after all, lol

[root@cn-tx-bj7-c8 ~]# dnf install nfs-utils -y
[root@cn-tx-bj7-c8 ~]# mkdir localfolder
[root@cn-tx-bj7-c8 ~]# ls
localfolder
[root@cn-tx-bj7-c8 ~]# mount -t nfs -o vers=3,nolock,proto=tcp,noresvport 10.0.2.15:/<rm> localfolder
mount.nfs: Connection timed out

Going through COS means installing coscmd here too, and confirming the domain is the private-network one; for a download this large that is worth checking, I can't let public-network traffic bleed me dry (domestic bandwidth at 0.5/G is too expensive

[root@cn-tx-bj7-c8 ~]# pip -V
pip 9.0.3 from /usr/lib/python3.6/site-packages (python 3.6)
[root@cn-tx-bj7-c8 ~]# pip3 -V
pip 9.0.3 from /usr/lib/python3.6/site-packages (python 3.6)
[root@cn-tx-bj7-c8 ~]# pip3 install coscmd
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting coscmd
Downloading http://mirrors.tencentyun.com/pypi/packages/7b/68/00f9ea072d29d3692ebfdb08111cdce828e9590a03dfc8bfcf7b608167d7/coscmd-1.8.6.24.tar.gz
……
[root@cn-tx-bj7-c8 ~]# coscmd config -a <rm> -s <rm> -b centos-<rm> -r ap-beijing
Created configuration file in b'/root/.cos.conf'
[root@cn-tx-bj7-c8 ~]# nslookup centos-<rm>.cos.ap-beijing.myqcloud.com
Server: 183.60.82.98
Address: 183.60.82.98#53

Name: centos-<rm>.cos.ap-beijing.myqcloud.com
Address: 169.254.0.49

Then a blazing-fast download over the private network

[root@cn-tx-bj7-c8 ~]# coscmd download -r /mongo_data_bak mongo_data_bak
……
Downloading mongo_data_bak/bilibili/2020AOY.bson
100%|██████████████████████████████████████| 47.0M/47.0M [00:00<00:00, 64.3MB/s]
Download cos://centos-<rm>/mongo_data_bak/bilibili/bilibili_all_2.bson => mongo_data_bak/bilibili/bilibili_all_2.bson
Downloading mongo_data_bak/bilibili/bilibili_all_2.bson
1.57GB [00:20, 82.1MB/s]
Download cos://centos-<rm>/mongo_data_bak/bilibili/bilibili_all_3.bson => mongo_data_bak/bilibili/bilibili_all_3.bson
Downloading mongo_data_bak/bilibili/bilibili_all_3.bson
11.3GB [02:09, 93.3MB/s]
Download cos://centos-<rm>/mongo_data_bak/bilibili/bilibili_all_4.bson => mongo_data_bak/bilibili/bilibili_all_4.bson
Downloading mongo_data_bak/bilibili/bilibili_all_4.bson
6.46GB [01:09, 100MB/s]
Download cos://centos-<rm>/mongo_data_bak/biliplus/view.bson => mongo_data_bak/biliplus/view.bson
Downloading mongo_data_bak/biliplus/view.bson
691MB [00:01, 380MB/s]
Download cos://centos-<rm>/mongo_data_bak/jd_campus/feeds.bson => mongo_data_bak/jd_campus/feeds.bson
Downloading mongo_data_bak/jd_campus/feeds.bson
256MB [00:03, 79.4MB/s]
Download cos://centos-<rm>/mongo_data_bak/masadora/notes.bson => mongo_data_bak/masadora/notes.bson
Downloading mongo_data_bak/masadora/notes.bson
577MB [00:06, 90.1MB/s]
Download cos://centos-<rm>/mongo_data_bak/rbc/attend_class.bson => mongo_data_bak/rbc/attend_class.bson
Downloading mongo_data_bak/rbc/attend_class.bson
89.7MB [00:00, 120MB/s]
Download cos://centos-<rm>/mongo_data_bak/twitter/inoriminase.bson => mongo_data_bak/twitter/inoriminase.bson
Downloading mongo_data_bak/twitter/inoriminase.bson
25.8MB [00:00, 55.2MB/s]
90 files downloaded, 0 files skipped, 0 files failed
……

Finally it can be imported; I really waited a whole day for this moment, lol. Since mongod was freshly installed locally there's no need to specify the address and port, so convenient

[root@cn-tx-bj7-c8 ~]# mongorestore mongo_data_bak
2021-12-21T23:14:50.794+0800 preparing collections to restore from
……
2021-12-21T23:14:50.810+0800 reading metadata for bilibili.bilibili_all_3 from mongo_data_bak/bilibili/bilibili_all_3.metadata.json
……
2021-12-21T23:14:50.868+0800 restoring bilibili.bilibili_all_3 from mongo_data_bak/bilibili/bilibili_all_3.bson
……
2021-12-21T23:19:12.376+0800 [########################] bilibili.bilibili_all_3 11.1GB/11.1GB (100.0%)
2021-12-21T23:19:12.376+0800 finished restoring bilibili.bilibili_all_3 (4369494 documents, 0 failures)
……
2021-12-21T23:19:13.660+0800 restoring indexes for collection bilibili.bilibili_all_3 from metadata
2021-12-21T23:19:13.660+0800 index: &idx.IndexDocument{Options:primitive.M{"background":false, "name":"aid", "unique":true, "v":2}, Key:primitive.D{primitive.E{Key:"aid", Value:1}}, PartialFilterExpression:primitive.D(nil)}
……
2021-12-21T23:19:42.663+0800 7550066 document(s) restored successfully. 0 document(s) failed to restore.

Note: while going through the docs I also found that you can import via standard input, but with only 1m of public bandwidth, forget it: mongodump --archive --db=test --port=27017 | mongorestore --archive --port=27018
2021-12-22 01:06:31: after enabling Cloud Connect Network, went to deal with the last collection, wooyun, with a flurry of fierce operations

E:\mongodb-database-tools-windows-x86_64-100.5.1\bin>mongodump -d wooyun -o "X:\\mongodb_data"
2021-12-21T23:53:20.157+0800 writing wooyun.wooyun_drops to X:\mongodb_data\wooyun\wooyun_drops.bson
2021-12-21T23:53:20.391+0800 writing wooyun.wooyun_list to X:\mongodb_data\wooyun\wooyun_list.bson
2021-12-21T23:53:22.095+0800 [#################.......] wooyun.wooyun_drops 936/1269 (73.8%)
2021-12-21T23:53:22.101+0800 [........................] wooyun.wooyun_list 1451/40293 (3.6%)
2021-12-21T23:53:22.103+0800
2021-12-21T23:53:22.742+0800 [########################] wooyun.wooyun_drops 1269/1269 (100.0%)
2021-12-21T23:53:23.302+0800 done dumping wooyun.wooyun_drops (1269 documents)
2021-12-21T23:53:25.083+0800 [##......................] wooyun.wooyun_list 4787/40293 (11.9%)
2021-12-21T23:53:28.159+0800 [#####...................] wooyun.wooyun_list 8395/40293 (20.8%)
2021-12-21T23:53:31.083+0800 [######..................] wooyun.wooyun_list 10725/40293 (26.6%)
2021-12-21T23:53:34.149+0800 [########................] wooyun.wooyun_list 13840/40293 (34.3%)
2021-12-21T23:53:37.132+0800 [##########..............] wooyun.wooyun_list 17739/40293 (44.0%)
2021-12-21T23:53:40.083+0800 [############............] wooyun.wooyun_list 21036/40293 (52.2%)
2021-12-21T23:53:43.083+0800 [##############..........] wooyun.wooyun_list 25147/40293 (62.4%)
2021-12-21T23:53:46.124+0800 [#################.......] wooyun.wooyun_list 29754/40293 (73.8%)
2021-12-21T23:53:49.087+0800 [###################.....] wooyun.wooyun_list 32785/40293 (81.4%)
2021-12-21T23:53:52.112+0800 [#####################...] wooyun.wooyun_list 36894/40293 (91.6%)
2021-12-21T23:53:54.499+0800 [########################] wooyun.wooyun_list 40293/40293 (100.0%)
2021-12-21T23:53:56.458+0800 done dumping wooyun.wooyun_list (40293 documents)

Then restore

[root@cn-tx-bj7-c8 test]# mongorestore mongodb_data
2021-12-21T23:54:39.134+0800 preparing collections to restore from
2021-12-21T23:54:39.139+0800 reading metadata for wooyun.wooyun_drops from mongodb_data/wooyun/wooyun_drops.metadata.json
2021-12-21T23:54:39.142+0800 reading metadata for wooyun.wooyun_list from mongodb_data/wooyun/wooyun_list.metadata.json
2021-12-21T23:54:39.167+0800 restoring wooyun.wooyun_drops from mongodb_data/wooyun/wooyun_drops.bson
2021-12-21T23:54:39.178+0800 restoring wooyun.wooyun_list from mongodb_data/wooyun/wooyun_list.bson
2021-12-21T23:54:40.796+0800 finished restoring wooyun.wooyun_drops (1269 documents, 0 failures)
2021-12-21T23:54:42.134+0800 [##......................] wooyun.wooyun_list 182MB/1.63GB (10.9%)
2021-12-21T23:54:45.134+0800 [#####...................] wooyun.wooyun_list 369MB/1.63GB (22.1%)
2021-12-21T23:54:48.134+0800 [#######.................] wooyun.wooyun_list 554MB/1.63GB (33.2%)
2021-12-21T23:54:51.134+0800 [##########..............] wooyun.wooyun_list 729MB/1.63GB (43.7%)
2021-12-21T23:54:54.134+0800 [#############...........] wooyun.wooyun_list 925MB/1.63GB (55.5%)
2021-12-21T23:54:57.134+0800 [###############.........] wooyun.wooyun_list 1.07GB/1.63GB (65.5%)
2021-12-21T23:55:00.134+0800 [##################......] wooyun.wooyun_list 1.25GB/1.63GB (76.9%)
2021-12-21T23:55:03.134+0800 [####################....] wooyun.wooyun_list 1.41GB/1.63GB (86.9%)
2021-12-21T23:55:06.135+0800 [#######################.] wooyun.wooyun_list 1.60GB/1.63GB (98.0%)
2021-12-21T23:55:06.799+0800 [########################] wooyun.wooyun_list 1.63GB/1.63GB (100.0%)
2021-12-21T23:55:06.799+0800 finished restoring wooyun.wooyun_list (40293 documents, 0 failures)
2021-12-21T23:55:06.799+0800 restoring indexes for collection wooyun.wooyun_drops from metadata
2021-12-21T23:55:06.799+0800 index: &idx.IndexDocument{Options:primitive.M{"name":"datetime_1", "v":1}, Key:primitive.D{primitive.E{Key:"datetime", Value:1}}, PartialFilterExpression:primitive.D(nil)}
2021-12-21T23:55:06.799+0800 index: &idx.IndexDocument{Options:primitive.M{"name":"url", "unique":true, "v":2}, Key:primitive.D{primitive.E{Key:"url", Value:1}}, PartialFilterExpression:primitive.D(nil)}
2021-12-21T23:55:06.799+0800 restoring indexes for collection wooyun.wooyun_list from metadata
2021-12-21T23:55:06.799+0800 index: &idx.IndexDocument{Options:primitive.M{"name":"datetime_1", "v":1}, Key:primitive.D{primitive.E{Key:"datetime", Value:1}}, PartialFilterExpression:primitive.D(nil)}
2021-12-21T23:55:06.799+0800 index: &idx.IndexDocument{Options:primitive.M{"name":"wooyun_id", "unique":true, "v":2}, Key:primitive.D{primitive.E{Key:"wooyun_id", Value:1}}, PartialFilterExpression:primitive.D(nil)}
2021-12-21T23:55:08.285+0800 41562 document(s) restored successfully. 0 document(s) failed to restore.

Finally uninstall MongoDB on cn-tx-bj3-w9d; it has completed its mission and can rest in peace (this memory hog is a time bomb, especially when recklessly running full-text search

(screenshot: uninstall)

0x08. Install Redis

As everyone knows, the version on dnf (5.0.3) lags behind the source release (6.2.6)

[root@cn-tx-bj7-c8 ~]# dnf info redis.x86_64
Last metadata expiration check: 0:00:03 ago on Fri 31 Dec 2021 09:23:34 PM CST.
Available Packages
Name : redis
Version : 5.0.3
Release : 5.module_el8.4.0+955+7126e393
Architecture : x86_64
Size : 927 k
Source : redis-5.0.3-5.module_el8.4.0+955+7126e393.src.rpm
Repository : appstream
Summary : A persistent key-value database
URL : http://redis.io
License : BSD and MIT
Description : Redis is an advanced key-value store. It is often referred to as a data
: structure server since keys can contain strings, hashes, lists, sets and
: sorted sets.
:
: You can run atomic operations on these types, like appending to a string;
: incrementing the value in a hash; pushing to a list; computing set
: intersection, union and difference; or getting the member with highest
: ranking in a sorted set.
:
: In order to achieve its outstanding performance, Redis works with an
: in-memory dataset. Depending on your use case, you can persist it either
: by dumping the dataset to disk every once in a while, or by appending
: each command to a log.
:
: Redis also supports trivial-to-setup master-slave replication, with very
: fast non-blocking first synchronization, auto-reconnection on net split
: and so forth.
:
: Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
: limited time-to-live, and configuration settings to make Redis behave like
: a cache.
:
: You can use Redis from most programming languages also.

So I downloaded the source to compile and install it; here I ran make directly without running make test first, and running the latter requires installing tcl as well

[root@cn-tx-bj7-c8 ~]# wget https://download.redis.io/releases/redis-6.2.6.tar.gz
[root@cn-tx-bj7-c8 ~]# tar xzf redis-6.2.6.tar.gz
[root@cn-tx-bj7-c8 ~]# cd redis-6.2.6
[root@cn-tx-bj7-c8 redis-6.2.6]# make
……
Hint: It's a good idea to run 'make test' ;)

make[1]: Leaving directory '/root/redis-6.2.6/src'
[root@cn-tx-bj7-c8 redis-6.2.6]# make test
cd src && make test
make[1]: Entering directory '/root/redis-6.2.6/src'
CC Makefile.dep
You need tcl 8.5 or newer in order to run the Redis test
make[1]: *** [Makefile:391: test] Error 1
make[1]: Leaving directory '/root/redis-6.2.6/src'
make: *** [Makefile:6: test] Error 2
[root@cn-tx-bj7-c8 redis-6.2.6]# make install
cd src && make install
make[1]: Entering directory '/root/redis-6.2.6/src'

Hint: It's a good idea to run 'make test' ;)

INSTALL redis-server
INSTALL redis-benchmark
INSTALL redis-cli
make[1]: Leaving directory '/root/redis-6.2.6/src'

Then I went to edit the config file, only to find that /etc/redis.conf doesn't exist; you'd have to copy redis.conf from the current directory there manually, and the redis-server.service file is missing too

[root@cn-tx-bj7-c8 redis-6.2.6]# make uninstall
cd src && make uninstall
make[1]: Entering directory '/root/redis-6.2.6/src'
rm -f /usr/local/bin/{redis-server,redis-benchmark,redis-cli,redis-check-rdb,redis-check-aof,redis-sentinel}
make[1]: Leaving directory '/root/redis-6.2.6/src'

Got cold feet; for now, fall back to the dnf install and switch to the compiled install later

[root@cn-tx-bj7-c8 ~]# dnf install redis -y

Then edit the config file with vim /etc/redis.conf

  1. bind 0.0.0.0
  2. requirepass <rm>

Finally start redis

[root@cn-tx-bj7-c8 ~]# systemctl enable redis --now
Created symlink /etc/systemd/system/multi-user.target.wants/redis.service → /usr/lib/systemd/system/redis.service.
[root@cn-tx-bj7-c8 ~]# systemctl status redis
● redis.service - Redis persistent key-value database
Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/redis.service.d
└─limit.conf
Active: active (running) since Fri 2021-12-31 21:37:56 CST; 9s ago
Main PID: 3469856 (redis-server)
Tasks: 4 (limit: 23722)
Memory: 6.6M
CGroup: /system.slice/redis.service
└─3469856 /usr/bin/redis-server 0.0.0.0:6379

Dec 31 21:37:56 cn-tx-bj7-c8 systemd[1]: Starting Redis persistent key-value database...
Dec 31 21:37:56 cn-tx-bj7-c8 systemd[1]: Started Redis persistent key-value database.
[root@cn-tx-bj7-c8 ~]# ss -an | grep 6379
tcp LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
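
An added lint, not from the post and not from MongoDB's or Redis' own tooling, for the two edits made by hand above (the mongod.conf in 0x06 and the redis.conf here): both servers end up bound to 0.0.0.0, which is only reasonable together with authentication (`authorization: enabled`, `requirepass`) and the cloud firewall in front. The functions below read constructed mongod.conf and redis.conf samples (placeholder password) and flag a server that listens on every interface without a password; the Redis check also models `protected-mode`, which only shields a server that has no explicit `bind` and no password.

```shell
#!/usr/bin/env bash
# Added example (not from the original post, nor MongoDB's or Redis' own tooling):
# flag a mongod.conf or redis.conf that listens on every interface without
# authentication. Both config texts are constructed samples; the password is a
# placeholder.

MONGOD_CONF_SAMPLE='# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0 # all IPv4 addresses
security:
  authorization: enabled'

REDIS_CONF_SAMPLE='bind 0.0.0.0
port 6379
protected-mode yes
requirepass PLACEHOLDER_PASSWORD'

# binds_all LIST: 0 when a comma- or space-separated bind list contains a wildcard
# (0.0.0.0, ::, * or the Redis -::* form); 127.0.0.1 and ::1 do not count.
binds_all() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qxE -- '-?(0\.0\.0\.0|::|\*|::\*)'
}

# mongod_setting CONF PARENT KEY: value of KEY nested under PARENT in the YAML
# config (two levels, which is all the settings checked here need).
mongod_setting() {
    printf '%s\n' "$1" | awk -v parent="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }
        /^[^[:space:]]/ { sec = $1; sub(/:$/, "", sec); next }
        {
            k = $1; sub(/:$/, "", k)
            if (sec == parent && k == key) { print $2; exit }
        }'
}

# mongod defaults: bindIp 127.0.0.1, authorization disabled.
mongod_exposed_without_auth() {
    local bind auth
    bind=$(mongod_setting "$1" net bindIp)
    [ "$(mongod_setting "$1" net bindIpAll)" = true ] && bind=0.0.0.0
    auth=$(mongod_setting "$1" security authorization)
    binds_all "${bind:-127.0.0.1}" && [ "$auth" != enabled ]
}

# redis_setting CONF KEY: last occurrence wins, as in redis-server.
redis_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); v = $0 }
        END { print v }'
}

# redis defaults: no bind = every interface; protected-mode yes refuses remote
# clients, but only while there is no explicit bind and no requirepass.
redis_exposed_without_auth() {
    local bind pass pm
    bind=$(redis_setting "$1" bind)
    pass=$(redis_setting "$1" requirepass)
    pm=$(redis_setting "$1" protected-mode)
    [ -z "$pass" ] || return 1
    if [ -z "$bind" ]; then
        [ "${pm:-yes}" = no ]
    else
        binds_all "$bind"
    fi
}

# report NAME CONF CHECK: one verdict line, exit status 1 when exposed.
report() {
    if "$3" "$2"; then
        echo "$1: listens on all interfaces WITHOUT authentication"
        return 1
    fi
    echo "$1: ok"
}

report mongod "$MONGOD_CONF_SAMPLE" mongod_exposed_without_auth
report redis "$REDIS_CONF_SAMPLE" redis_exposed_without_auth
```

On the real host, `report mongod "$(cat /etc/mongod.conf)" mongod_exposed_without_auth` and the same for /etc/redis.conf give the verdict; a pass still assumes the cloud firewall limits who can reach 27017 and 6379.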

0x09. Install Docker

[root@cn-tx-bj7-c8 ~]# yum install yum-utils -y
[root@cn-tx-bj7-c8 ~]# yum-config-manager \
> --add-repo \
> https://download.docker.com/linux/centos/docker-ce.repo
Adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
[root@cn-tx-bj7-c8 ~]# yum install docker-ce docker-ce-cli containerd.io -y
[root@cn-tx-bj7-c8 ~]# systemctl start docker
[root@cn-tx-bj7-c8 ~]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:2498fce14358aa50ead0cc6c19990fc6ff866ce72aeb5546e1d59caac3d0d60f
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/

For more examples and ideas, visit:
https://docs.docker.com/get-started/
[root@cn-tx-bj7-c8 ~]# systemctl enable docker.service containerd.service
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /usr/lib/systemd/system/containerd.service.

And install Portainer for a visual UI

[root@cn-tx-bj7-c8 ~]# docker pull portainer/portainer:latest
latest: Pulling from portainer/portainer
94cfa856b2b1: Pull complete
49d59ee0881a: Pull complete
a2300fd28637: Pull complete
Digest: sha256:fb45b43738646048a0a0cc74fcee2865b69efde857e710126084ee5de9be0f3f
Status: Downloaded newer image for portainer/portainer:latest
docker.io/portainer/portainer:latest
[root@cn-tx-bj7-c8 ~]# docker volume create portainer_data
portainer_data
[root@cn-tx-bj7-c8 ~]# docker run -d -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer
25dbed324c43283014a6f6afa037c3cbdaa4019f12cc24a571e8cc61fcac66e0

0x10. Install Compose

Downloading with curl fails

[root@cn-tx-bj7-c8 ~]# curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:01:30 --:--:-- 0^C

So I downloaded the binary manually and then uploaded it with sftp……

[root@cn-tx-bj7-c8 ~]# echo "$(uname -s)-$(uname -m)"
Linux-x86_64
sftp> put -r "/Users/yuangezhizao/Downloads/docker-compose-Linux-x86_64"
Uploading docker-compose-Linux-x86_64 to /root/docker-compose-Linux-x86_64
100% 12438KB 6219KB/s 00:00:02
/Users/yuangezhizao/Downloads/docker-compose-Linux-x86_64: 12737304 bytes transferred in 2 seconds (6219 KB/s)
sftp>
[root@cn-tx-bj7-c8 ~]# mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
[root@cn-tx-bj7-c8 ~]# chmod +x /usr/local/bin/docker-compose
[root@cn-tx-bj7-c8 ~]# docker-compose --version
docker-compose version 1.29.2, build 5becea4c

0x11. Install Mastodon

The one chosen here is Mashiro's heavily modified version, mashirozx@mastodon (the official latest release is v3.4.4), with my own custom modifications in yuangezhizao@mastodon
Yesterday I installed it for the first time on the cn-tx-bj7-c8 production environment; today I'm adding an install on the cn-py-dl-c8 test environment at home. First clone the repository

[root@cn-py-dl-c8 ~]# yum install git -y
[root@cn-py-dl-c8 ~]# git config --global -e
[root@cn-py-dl-c8 ~]# git config --list
fatal: bad config line 6 in file /root/.gitconfig
[root@cn-py-dl-c8 ~]# vim .gitconfig
[root@cn-py-dl-c8 ~]# git config --list
user.name=yuangezhizao-serveraccount
user.email=yuangezhizao@gmail.com
http.https://github.com.proxy=socks5://192.168.25.248:1080
[root@cn-py-dl-c8 ~]# git clone https://github.com/yuangezhizao/mastodon.git
[root@cn-py-dl-c8 ~]# cd mastodon/
[root@cn-py-dl-c8 mastodon]# git pull
warning: Pulling without specifying how to reconcile divergent branches is
discouraged. You can squelch this message by running one of the following
commands sometime before your next pull:

git config pull.rebase false # merge (the default strategy)
git config pull.rebase true # rebase
git config pull.ff only # fast-forward only

You can replace "git config" with "git config --global" to set a default
preference for all repositories. You can also pass --rebase, --no-rebase,
or --ff-only on the command line to override the configured default per
invocation.

Then pull the docker image: docker pull yuangezhizao/mastodon
Run the image just to generate the various secret keys

[root@cn-py-dl-c8 mastodon]# cp .env.production.sample .env.production
[root@cn-py-dl-c8 mastodon]# docker-compose run --rm web bundle exec rake secret
Creating mastodon_web_run ... done
<rm>
[root@cn-py-dl-c8 mastodon]# docker-compose run --rm web bundle exec rake secret
Creating mastodon_web_run ... done
<rm>
[root@cn-py-dl-c8 mastodon]# docker-compose run --rm web bundle exec rake mastodon:webpush:generate_vapid_key
Creating mastodon_web_run ... done
VAPID_PRIVATE_KEY=<rm>
VAPID_PUBLIC_KEY=<rm>

Write them into the production config file

[root@cn-py-dl-c8 mastodon]# vim .env.production
SECRET_KEY_BASE=
OTP_SECRET=

Initialize the pg database

[root@cn-py-dl-c8 mastodon]# docker exec -it mastodon_db_1 psql -U postgres
psql (14.1)
Type "help" for help.

postgres=# CREATE USER mastodon WITH PASSWORD 'mastodon' CREATEDB;
CREATE ROLE
postgres=# exit

Interactive initialization

[root@cn-py-dl-c8 mastodon]# docker-compose run --rm web bundle exec rake mastodon:setup
Creating mastodon_web_run ... done
Your instance is identified by its domain name. Changing it afterward will break things.
Domain name: test.yuangezhizao.cn

Single user mode disables registrations and redirects the landing page to your public profile.
Do you want to enable single user mode? No

Are you using Docker to run Mastodon? Yes

PostgreSQL host: db
PostgreSQL port: 5432
Name of PostgreSQL database: mastodon_development
Name of PostgreSQL user: mastodon
Password of PostgreSQL user:
Database configuration works! 🎆

Redis host: redis
Redis port: 6379
Redis password:
Redis configuration works! 🎆

Do you want to store uploaded files on the cloud? No

Do you want to send e-mails from localhost? No
SMTP server: smtp.qq.com
SMTP port: 465
SMTP username: yuangezhizao
SMTP password:
SMTP authentication: plain
SMTP OpenSSL verify mode: none
E-mail address to send e-mails "from": (Mastodon <notifications@test.yuangezhizao.cn>) yuangezhE-mail address to send e-mails "from": yuangezhizao@qq.com
Send a test e-mail with this configuration right now? no

This configuration will be written to .env.production
Save configuration? Yes
Below is your configuration, save it to an .env.production file outside Docker:

# Generated with mastodon:setup on 2022-01-03 05:01:05 UTC
……
SINGLE_USER_MODE=false
……
SMTP_AUTH_METHOD=plain
SMTP_OPENSSL_VERIFY_MODE=none
……

It is also saved within this container so you can proceed with this wizard.

Now that configuration is saved, the database schema must be loaded.
If the database already exists, this will erase its contents.
Prepare the database now? Yes
Running `RAILS_ENV=production rails db:setup` ...


Created database 'mastodon_development'
Error connecting to Redis on localhost:6379 (Errno::ECONNREFUSED)
Error connecting to Redis on localhost:6379 (Errno::ECONNREFUSED)
Switching object-storage-safely from green to red because Redis::CannotConnectError Error connecting to Redis on localhost:6379 (Errno::ECONNREFUSED)
Error connecting to Redis on localhost:6379 (Errno::ECONNREFUSED)
Done!

All done! You can now power on the Mastodon server 🐘

Do you want to create an admin user straight away? Yes
Username: admin
E-mail: root@yuangezhizao.cn
Error connecting to Redis on localhost:6379 (Errno::ECONNREFUSED)
Error connecting to Redis on localhost:6379 (Errno::ECONNREFUSED)
Switching object-storage-safely from green to red because Redis::CannotConnectError Error connecting to Redis on localhost:6379 (Errno::ECONNREFUSED)
Error connecting to Redis on localhost:6379 (Errno::ECONNREFUSED)
You can login with the password: <rm>
You can change your password once you login.

Note ①: sed -i "s/SECRET_KEY_BASE=$/&$(docker-compose run --rm web bundle exec rake secret)/" .env.production can't be used, because in this version of the code ruby prints some warnings, which makes sed fail with -bash: /usr/bin/sed: Argument list too long
Note ②: remember to enter Y at the end, otherwise the config won't be printed

This configuration will be written to .env.production
Save configuration? no
Nothing saved. Bye!
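
Footnote ① shows why the sed one-liner breaks: the whole rake output, warnings included, is substituted into the sed expression. The added script below (not from the post, not Mastodon's own tooling) fills the two empty `SECRET_KEY_BASE=` / `OTP_SECRET=` lines from the "write the production config file" step differently: it keeps only a line that looks like a rake secret (128 hex characters) and writes it into the file with awk; `fake_rake_secret` is a stand-in for `docker-compose run --rm web bundle exec rake secret`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post, nor Mastodon's own tooling): write a
# generated secret into .env.production without the footnote 1 pitfall, by keeping
# only the line that looks like a rake secret and writing it with awk instead of
# interpolating the generator output into a sed command line.

# Stand-in for `docker-compose run --rm web bundle exec rake secret`: the real call
# can print warnings around the secret, which is what broke the sed one-liner.
fake_rake_secret() {
    echo "warning: already initialized constant SOMETHING" >&2
    od -An -tx1 -N64 /dev/urandom | tr -d ' \n'   # 128 hex chars, like SecureRandom.hex(64)
    echo
}

# extract_secret: from arbitrary generator output on stdin, keep the last line that
# is exactly 128 hex characters; prints nothing when no such line exists.
extract_secret() {
    grep -xE '[0-9a-f]{128}' | tail -n 1
}

# set_env_var FILE KEY VALUE: replace the "KEY=..." line, or append one if missing.
# The value travels through awk -v, so it is never parsed as part of a command or
# sed script (backslashes in VALUE would be escape-processed; hex has none).
set_env_var() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { FS = "=" }
        $1 == key { print key "=" value; done = 1; next }
        { print }
        END { if (!done) print key "=" value }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"   # keeps the mode and owner of the original file
    rm -f "$tmp"
}

# fill_secret FILE KEY GENERATOR: run GENERATOR, validate its output, store it.
fill_secret() {
    local secret
    secret=$("$3" 2>&1 | extract_secret)
    if [ -z "$secret" ]; then
        echo "no 128-hex-character secret in the output of $3; $2 left unchanged" >&2
        return 1
    fi
    set_env_var "$1" "$2" "$secret"
}

# Demo on a throwaway copy of the two empty lines the post leaves in .env.production.
demo() {
    local env
    env=$(mktemp)
    printf 'LOCAL_DOMAIN=test.example\nSECRET_KEY_BASE=\nOTP_SECRET=\n' > "$env"
    fill_secret "$env" SECRET_KEY_BASE fake_rake_secret
    fill_secret "$env" OTP_SECRET fake_rake_secret
    cut -c1-40 "$env"   # show the result with the secrets truncated
    rm -f "$env"
}
demo
```

For the real file, replace `fake_rake_secret` with a function that runs the docker-compose command, e.g. `rake_secret() { docker-compose run --rm web bundle exec rake secret; }`, and call `fill_secret .env.production SECRET_KEY_BASE rake_secret`.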

Note ③: then accessing it threw an error, lol; looked it up: Rails 6 adds guard against DNS rebinding attacks

<header>
<h1>Blocked host: localhost</h1>
</header>
<div id="container">
<h2>To allow requests to localhost, add the following to your environment configuration:</h2>
<pre>config.hosts &lt;&lt; "localhost"</pre>
</div>

Allow it with config.hosts << "localhost"
Note ④: damn, also found that SELinux was actually on; switched it off in one go and rebooted

[root@cn-py-dl-c8 environments]# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[root@cn-py-dl-c8 environments]# vim /etc/selinux/config
[root@cn-py-dl-c8 environments]# reboot

Note ⑤: chown 1000:1000 -R elasticsearch
Reference: Using the Docker images in production

[root@cn-tx-bj7-c8 ~]# grep vm.max_map_count /etc/sysctl.conf
[root@cn-tx-bj7-c8 ~]#
[root@cn-tx-bj7-c8 ~]# sysctl -w vm.max_map_count=262144
vm.max_map_count = 262144
[root@cn-tx-bj7-c8 ~]# grep vm.max_map_count /etc/sysctl.conf
[root@cn-tx-bj7-c8 ~]#

Pulling elasticsearch-oss:7.10.2 timed out repeatedly, so I switched to downloading the image and importing it instead

[root@cn-tx-bj7-c8 mastodon]# docker-compose up
Pulling es (docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2)...
ERROR: Head "https://docker.elastic.co/v2/elasticsearch/elasticsearch-oss/manifests/7.10.2": net/http: TLS handshake timeout
[root@cn-tx-bj7-c8 mastodon]# docker-compose up
Pulling es (docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2)...
7.10.2: Pulling from elasticsearch/elasticsearch-oss
ddf49b9115d7: Downloading [========================================> ] 68.05MB/84.72MB
a752d85b289a: Download complete
57c9a166c575: Download complete
44fabf20c8a1: Downloading [==========================> ] 131.7MB/252.2MB
45ea1d560ab5: Download complete
0dc15e54b214: Download complete
cf11b2a25e23: Download complete
3a66822889ec: Download complete
be7444f2e9d6: Download complete
^CGracefully stopping... (press Ctrl+C again to force)
[root@cn-tx-bj7-c8 mastodon]# cd ~

First download the image. Confirmed that COS is reached over the internal network, so the download was lightning fast; 40 MB/s is far more humane...

[root@cn-tx-bj7-c8 ~]# ping mastodon-<rm>.cos.ap-beijing.myqcloud.com
PING mastodon-<rm>.cos.ap-beijing.myqcloud.com (169.254.0.49) 56(84) bytes of data.
64 bytes from 169.254.0.49 (169.254.0.49): icmp_seq=1 ttl=64 time=0.205 ms
^C
--- mastodon-<rm>.cos.ap-beijing.myqcloud.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms
[root@cn-tx-bj7-c8 ~]# wget https://mastodon-<rm>.cos.ap-beijing.myqcloud.com/es.tar
--2022-01-03 23:20:09-- https://mastodon-<rm>.cos.ap-beijing.myqcloud.com/es.tar
Resolving mastodon-<rm>.cos.ap-beijing.myqcloud.com (mastodon-<rm>.cos.ap-beijing.myqcloud.com)... 169.254.0.49
Connecting to mastodon-<rm>.cos.ap-beijing.myqcloud.com (mastodon-<rm>.cos.ap-beijing.myqcloud.com)|169.254.0.49|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 709773312 (677M) [application/x-tar]
Saving to: ‘es.tar’

es.tar 100%[=======================================>] 676.89M 40.8MB/s in 19s

2022-01-03 23:20:29 (35.3 MB/s) - ‘es.tar’ saved [709773312/709773312]

Then import it and tag it manually

[root@cn-tx-bj7-c8 ~]# docker load < es.tar
2653d992f4ef: Loading layer 216.5MB/216.5MB
7d054489f6eb: Loading layer 71.64MB/71.64MB
56319c3e73b9: Loading layer 314.4kB/314.4kB
ec3900b77411: Loading layer 420.7MB/420.7MB
719b01194e7c: Loading layer 25.6kB/25.6kB
02f56ad574d0: Loading layer 4.608kB/4.608kB
a1b5f2939457: Loading layer 7.168kB/7.168kB
d66f67be6b73: Loading layer 55.3kB/55.3kB
0dcc68aca185: Loading layer 466.4kB/466.4kB
Loaded image ID: sha256:b313026e6fbdbf01894ef8c67d558d3c7d89c70214d4c9e2a147ba10540a7738
[root@cn-tx-bj7-c8 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> 8bb8cc28a62d 29 hours ago 922MB
<none> <none> 20b438069ba6 31 hours ago 378MB
<none> <none> b2d017b74965 31 hours ago 1.8GB
postgres 14-alpine 2302d5724f71 4 weeks ago 209MB
redis 6-alpine 3900abf41552 4 weeks ago 32.4MB
tootsuite/mastodon latest 2289f94fb9f2 5 weeks ago 2.52GB
tootsuite/mastodon v3.4.4 2289f94fb9f2 5 weeks ago 2.52GB
ubuntu 20.04 ba6acccedd29 2 months ago 72.8MB
hello-world latest feb5d9fea6a5 3 months ago 13.3kB
portainer/portainer latest 580c0e4e98b0 9 months ago 79.1MB
<none> <none> b313026e6fbd 11 months ago 699MB
[root@cn-tx-bj7-c8 ~]# docker tag b313026e6fbd docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2

Finally start it with docker-compose, and then ES threw an error

es_1         | ElasticsearchException[failed to bind service]; nested: AccessDeniedException[/usr/share/elasticsearch/data/nodes];
es_1 | Likely root cause: java.nio.file.AccessDeniedException: /usr/share/elasticsearch/data/nodes
es_1 | at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
es_1 | at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
es_1 | at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
es_1 | at java.base/sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:388)
es_1 | at java.base/java.nio.file.Files.createDirectory(Files.java:694)
es_1 | at java.base/java.nio.file.Files.createAndCheckIsDirectory(Files.java:801)
es_1 | at java.base/java.nio.file.Files.createDirectories(Files.java:787)
es_1 | at org.elasticsearch.env.NodeEnvironment.lambda$new$0(NodeEnvironment.java:275)
es_1 | at org.elasticsearch.env.NodeEnvironment$NodeLock.<init>(NodeEnvironment.java:212)
es_1 | at org.elasticsearch.env.NodeEnvironment.<init>(NodeEnvironment.java:272)
es_1 | at org.elasticsearch.node.Node.<init>(Node.java:362)
es_1 | at org.elasticsearch.node.Node.<init>(Node.java:289)
es_1 | at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:227)
es_1 | at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:227)
es_1 | at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:393)
es_1 | at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170)
es_1 | at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161)
es_1 | at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
es_1 | at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
es_1 | at org.elasticsearch.cli.Command.main(Command.java:90)
es_1 | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
es_1 | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
es_1 | For complete error details, refer to the log at /usr/share/elasticsearch/logs/es-mastodon.log

The data directory needs its ownership fixed with chown 1000:1000 -R elasticsearch; then build the index for the toots posted before ES was enabled (39 filler toots)

[root@cn-tx-bj7-c8 mastodon]# docker-compose run --rm web bin/tootctl search deploy
Creating mastodon_web_run ... done
/opt/ruby/lib/ruby/2.7.0/net/protocol.rb:66: warning: already initialized constant Net::ProtocRetryError
/opt/mastodon/vendor/bundle/ruby/2.7.0/gems/net-protocol-0.1.0/lib/net/protocol.rb:66: warning: previous definition of ProtocRetryError was here
/opt/ruby/lib/ruby/2.7.0/net/protocol.rb:206: warning: already initialized constant Net::BufferedIO::BUFSIZE
/opt/mastodon/vendor/bundle/ruby/2.7.0/gems/net-protocol-0.1.0/lib/net/protocol.rb:206: warning: previous definition of BUFSIZE was here
/opt/ruby/lib/ruby/2.7.0/net/protocol.rb:503: warning: already initialized constant Net::NetPrivate::Socket
/opt/mastodon/vendor/bundle/ruby/2.7.0/gems/net-protocol-0.1.0/lib/net/protocol.rb:503: warning: previous definition of Socket was here
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Using include_type_name in create index requests is deprecated. The parameter will be removed in the next major version."
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Using include_type_name in create index requests is deprecated. The parameter will be removed in the next major version."
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Specifying types in bulk requests is deprecated."
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Using include_type_name in create index requests is deprecated. The parameter will be removed in the next major version."
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Specifying types in bulk requests is deprecated."
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Using include_type_name in create index requests is deprecated. The parameter will be removed in the next major version."
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Specifying types in bulk requests is deprecated."
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Specifying types in bulk requests is deprecated."
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Specifying types in bulk requests is deprecated."
warning: 299 Elasticsearch-7.10.2-747e1cc71def077253878a59143c1f785afa92b9 "[types removal] Specifying types in bulk requests is deprecated."
39/39 |=========================================================================| Time: 00:00:04 (9 docs/s)
Indexed 39 records, de-indexed 0

Finally docker-compose up -d

0x12. Install Nginx

[root@cn-tx-bj7-c8 mastodon]# dnf install nginx -y
[root@cn-tx-bj7-c8 conf.d]# cd /etc/nginx/conf.d
[root@cn-tx-bj7-c8 conf.d]# cp ~/mastodon/dist/nginx.conf mastodon.conf
[root@cn-tx-bj7-c8 conf.d]# vim mastodon.conf
[root@cn-tx-bj7-c8 conf.d]# vim /etc/nginx/nginx.conf
[root@cn-py-dl-c8 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

0x13. Install frp

[root@cn-tx-bj7-c8 ~]# wget https://github.com/fatedier/frp/releases/download/v0.38.0/frp_0.38.0_linux_amd64.tar.gz^C
[root@cn-tx-bj7-c8 ~]# wget http://proxy-cf.yuangezhizao.cn/dl/frp_0.38.0_linux_amd64.tar.gz
[root@cn-tx-bj7-c8 ~]# tar -zxvf frp_0.38.0_linux_amd64.tar.gz

To be continued...

0x14. Install Wiki.js

Surprisingly, the official docs give installation steps via Portainer; after the lesson learned with Mastodon, docker-compose is naturally the choice again this time.
But after creating it through Portainer I wasn't sure where things ended up, so cloning the repo and running docker-compose up -d is the safer route. Reference: https://web.archive.org/web/20220113153343/https://docs.requarks.io/install/docker

[root@cn-tx-bj7-c8 ~]# git clone https://github.com/Requarks/wiki.git^C
sftp> put wiki.zip
Uploading wiki.zip to /root/wiki.zip
100% 35732KB 3970KB/s 00:00:09
/Users/yuangezhizao/Downloads/wiki.zip: 36589768 bytes transferred in 9 seconds (3970 KB/s)
[root@cn-tx-bj7-c8 ~]# unzip wiki.zip
[root@cn-tx-bj7-c8 ~]# cd wiki/
[root@cn-tx-bj7-c8 wiki]# vim docker-compose.yml
[root@cn-tx-bj7-c8 wiki]# vim docker-compose.yml
[root@cn-tx-bj7-c8 wiki]# cat docker-compose.yml
version: "3"
services:
  db:
    image: postgres:11-alpine
    environment:
      POSTGRES_DB: wiki
      POSTGRES_PASSWORD: wikijsrocks
      POSTGRES_USER: wikijs
    # logging:
    #   driver: "none"
    restart: unless-stopped
    volumes:
      - db-data:/var/lib/postgresql/data

  wiki:
    image: requarks/wiki:2.5.268
    depends_on:
      - db
    environment:
      DB_TYPE: postgres
      DB_HOST: db
      DB_PORT: 5432
      DB_USER: wikijs
      DB_PASS: wikijsrocks
      DB_NAME: wiki
    restart: unless-stopped
    ports:
      - "8080:3000"

volumes:
  db-data:
[root@cn-tx-bj7-c8 wiki]# docker-compose up -d
Creating network "wiki_default" with the default driver
Creating volume "wiki_db-data" with default driver
Creating wiki_db_1 ... done
Creating wiki_wiki_1 ... done

0x15. Install x-ui

sftp> put x-ui-linux-amd64.tar.gz
Uploading x-ui-linux-amd64.tar.gz to /root/x-ui-linux-amd64.tar.gz
100% 16122KB 1151KB/s 00:00:14
/Users/yuangezhizao/Downloads/x-ui-linux-amd64.tar.gz: 16509803 bytes transferred in 14 seconds (1151 KB/s)
[root@cn-tx-bj7-c8 ~]# pwd
/root
[root@cn-tx-bj7-c8 ~]# rm x-ui/ /usr/local/x-ui/ /usr/bin/x-ui -rf
[root@cn-tx-bj7-c8 ~]# tar zxvf x-ui-linux-amd64.tar.gz
x-ui/
x-ui/x-ui
x-ui/bin/
x-ui/x-ui.sh
x-ui/x-ui.service
x-ui/bin/geoip.dat
x-ui/bin/geosite.dat
x-ui/bin/xray-linux-amd64
[root@cn-tx-bj7-c8 ~]# chmod +x x-ui/x-ui x-ui/bin/xray-linux-* x-ui/x-ui.sh
[root@cn-tx-bj7-c8 ~]# cp x-ui/x-ui.sh /usr/bin/x-ui
[root@cn-tx-bj7-c8 ~]# cp -f x-ui/x-ui.service /etc/systemd/system/
[root@cn-tx-bj7-c8 ~]# mv x-ui/ /usr/local/
[root@cn-tx-bj7-c8 ~]# systemctl daemon-reload
[root@cn-tx-bj7-c8 ~]# systemctl enable x-ui
Created symlink /etc/systemd/system/multi-user.target.wants/x-ui.service → /etc/systemd/system/x-ui.service.
[root@cn-tx-bj7-c8 ~]# systemctl restart x-ui

0x16. Afterword

Fiddled with this for a whole day and I'm exhausted; well, the first step is always the hardest

0x17. References

How to install and configure Fail2ban on CentOS 8
How to watch TCP and UDP ports in real time
How to install the netstat command on Linux
How to install the Cockpit Web Console on CentOS 8
Cockpit - a powerful tool for monitoring and managing multiple Linux servers from a web browser
How to install MongoDB on CentOS 8
Portainer, a visual management tool for Docker
Installing Mastodon with Docker on CentOS 8
Mastodon Docker Setup
How to set up a Mastodon instance with Docker (1): basic setup
Installing Mastodon with Docker
Tutorial: setting up Mastodon on CentOS 8 (and other RHEL derivatives)
I tried setting up a Mastodon server [CentOS 8]
Notes on setting up Mastodon
Proxying object storage through nginx