docker run restic/restic 參數
## 例如
docker run restic/restic version
#例如建立repository
docker run -v /root:/root restic/restic --repo /root/repo --password-file=/root/password initexport GODEBUG=asyncpreemptoff=1
docker run -v /root:/root restic/restic --repo /root/repo --password-file=/root/password backup /root/ayum install -y curl unzip wget screen fuse fuse-devel
curl https://rclone.org/install.sh | bash rclone selfupdate現在安裝docker 跟喝水一樣, 完全沒難度阿
dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
dnf update -y
dnf install -y docker-ce docker-ce-cli containerd.io
docker --version
#########
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd --data-root /docker -H fd:// --containerd=/run/containerd/containerd.sock
#########systemctl daemon-reload
systemctl enable docker
systemctl start docker
docker ps
要確認/修改三個地方
hostnamectl set-hostname <mail>
# 短名字, 不需要完整的yum update -y
yum install -y epel-release
yum groupinstall -y "Xfce" "base-x"
yum systemctl set-default graphical
rebootyum install tigervnc-server -yadduser william
passwd williamsu - william
vncpasswd
cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service vi /etc/tigervnc/vncserver.users
###############
:1=william
###############systemctl daemon-reload
systemctl enable vncserver@:1.service
systemctl start vncserver@:1.service
firewall-cmd --zone=public --permanent --add-service=vnc-server
# 或是直接指定port
# firewall-cmd --zone=public --permanent --add-port=5901/tcp
firewall-cmd --reload
之前CentOS 6,7時代, 時間更新使用的是 ntpdate -s x.x.x.x
但是來到了 8 版, 改用chronyd , 若要修改同步的 server , 請修改 /etc/chrony.conf
找到pool 後面加上server的ip即可, 或是沿用預設值也可以
若需要設定server顯示的時間符合本地時間, 可先參考server綁定的地區
ls -l /etc/localtime
然後參考地區
timedatectl list-timezones
再變更
timedatectl set-timezone "Asia/Taipei"
docker container產出log有兩種方式, 一種丟給docker輸出, 另一種是自己產出log檔案
長時間使用, volume就會莫名越來越肥, 讓備分增加難度, 有必要把這些檔案抓出來,
最簡單就是利用linux的指令, 抓出大的檔案, 再寫shell另外處理
find /docker-volume-dir -type f -size +100000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'
#抓出超過100M的檔案通常我們透過廣告信給分機制, 可以另外給予”合法郵件服務器”發出來的信件給予高額的廣告判斷分數, 讓系統退件.
因為是合法的服務器, 很多很多都讓該服務器代管, 我們無法直接以 ip, 或是相關特徵, 阻擋服務器發信,
對於我們來說, 唯一的方式就是設定該廣告主email, 給予很高廣告分數, 就可以擋下來了.
煩的是有些郵件服務器使用amazon server當作mail server 發信, 原始檔案裏面的 Return-Path 與 From 不一致 , 影響擋廣告機制判斷 , 造成這些人可以肆無忌憚, 不講武德一直發信, 而你怎麼設定該email或是網域, 都沒用, 根本擋不了.
Return-Path: <0101017f0f53948e-e5e68c2b-950e-4613-bd45-c0665e232ab5-000000@us-west-2.amazonses.com>
X-Original-To: xxx@xxx.com
Delivered-To: xxx@xxx.com
Received: from a27-63.smtp-out.us-west-2.amazonses.com (a27-63.smtp-out.us-west-2.amazonses.com [54.240.27.63])
From: =?UTF-8?Q?=E3=80=90iCheers_=E9=80=B1=E5=A0=B1=E3=80=91?= <newsletter@icheers.tw>講武德的廣告信, Return-Path 與From 會一致
Return-Path: <solidwizard@s1.mailhunter.com.tw>
X-Original-To: xxx@xxx.com
Delivered-To: xxx@xxx.com
Received: from mx127.mailhunter.com.tw (mx127.mailhunter.com.tw [60.250.108.127])
From: =?utf-8?B?5a+m5aiB5ZyL6Zqb6IKh5Lu95pyJ6ZmQ5YWs5Y+4?= <solidwizard@s1.mailhunter.com.tw>所以我們必須用另外一種作法, 掃描整個郵件headers, 只要符合該email 或 domain 就擋下來
以 Rspamd 的擋廣告機制來說,
修改 /etc/rspamd/local.d/regexp.conf
"RE_EMAIL_ICHEERS" = {
re = '/@icheers.tw/i{body}';
score = 15.0;
}
#只須改紅色部分阻擋 icheers.tw 這個不講武德的廣告信 , 但是我還沒試出來完整email , 若寫完整email 還是會失敗, 有可能是bug.
之前一直維護的是 postfix + M$ 的AD 認證 , 這也可以拿來取代google 代管的mail , 但是沒事還要生出windows server , 這錢花了就算了, 就怕一直要更新… 因此花了5天時間,認真研究 , 讓postfix + openldap 認證 , 做成docker images , 也提供範例架設docker openldap server .
值得注意的是 openldap 必須要吃進去 postfix 的 ldap schema 才能跟postfix整合(aliases) .
Rspamd 讓我非常驚豔, 設定容易, 可以用來取代老牌amavisd-new套件
centos 7 系統簡易安裝如下:
curl https://rspamd.com/rpm-stable/centos-7/rspamd.repo > /etc/yum.repos.d/rspamd.repo # For Centos-7
rpm --import https://rspamd.com/rpm-stable/gpg.key
yum -y update
yum -y install ca-certificates unbound redis rspamd clamav clamav-devel clamav-scanner-systemd clamav-update clamav-data clamav-server clamav-server-systemd clamav-scanner
port 7379
bind 127.0.0.1 ::1systemctl enable redis
systemctl start redis
##########################################
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketMode 666
FixStaleSocket yes
##########################################systemctl enable clamav-freshclam
systemctl enable clamd\@scanhttps://kafeiou.pw/wp-content/uploads/2022/02/rspamd.zipusermod -aG clamscan _rspamd
usermod -aG virusgroup _rspamd
systemctl enable rspamd
chown -R _rspamd:_rspamd /etc/rspamd/override.d
systemctl start rspamdsmtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = $smtpd_milters
milter_default_action = acceptpostfix reload<VirtualHost *:443>
ServerName mail.test.com
ErrorLog /var/log/httpd/ssl_error_log
TransferLog /var/log/httpd/ssl_access_log
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/mail.test.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.test.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt//live/mail.test.com/fullchain.pem
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ProxyPass /rspamd/ http://localhost:11334/
ProxyPassReverse /rspamd/ http://localhost:11334/
<Location />
Order allow,deny
Allow from all
</Location>
<Location /rspamd>
Require all granted
</Location>
RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]
</VirtualHost>
rspamadm pw