Category: LINUX
2007-11-30 13:38:40
Main task:
Set up large-scale website servers according to the development and design requirements.
Main software:
apache+jboss+oracle (abbreviated LAJO); apache+php+mysql (LAMP); proftpd+mysql (LPM); ssh+expect; iptables; bind; mail
Requirements: massive user traffic, massive user storage (domestic and international interconnection), and north-south (China Netcom / China Telecom) interconnection.
1. To guarantee high quality and high performance, a *nix platform is required (here RedHat AS 4.3).
2. To handle high traffic and heavy data processing, a commercial database is required (here Oracle 9.2.0.4).
3. To solve north-south interconnection (including domestic/international interconnection), an intelligent DNS server based on the BIND view feature is required.
4. The popular B/S and C/S application architectures call for the JBoss server.
5. For better handling of static pages, the Apache server is used.
6. For user registration and uploads by the application, an FTP server is required.
7. For continuous automated system monitoring, a LAMP server is required (here using Cacti).
8. For communication between the company and its customers, a mail server is required (here postfix+extmail).
9. For automated file and data handling and security settings, expect+ssh+iptables combined with shell scripts are required.
10. For scale, cluster load balancing and storage equipment are required.
Procedure:
1. Hardware purchasing.
Omitted here.
2. Operating system installation
Install RedHat AS 4.3.
Disk partitioning (omitted).
Install the development environment plus the packages needed for DNS and the LAMP environment.
Confirm that the following packages are installed:
compat-db compat-gcc compat-gcc-32 compat-oracle-rhel4 compat-libcwait compat-libgcc compat-libstdc++-296 compat-libstdc++-33 gcc gcc-c++ gnome-libs gnome-libs-devel libaio-devel libaio make openmotif21 xorg-x11-deprecated-libs-devel xorg-x11-deprecated-libs
and these, with the install disk each one is found on:
sysstat (disk4), openmotif21 (disk3), libaio (disk3), libaio-devel (disk3), freetype-devel (disk3), fontconfig-devel (disk3), xorg-x11-devel- (disk3), xorg-x11-deprecated-libs-devel- (disk3), glib-devel (disk4), ORBit-devel (disk4), gtk+-devel (disk4), alsa-lib-devel (disk3), audiofile-devel (disk3), esound-devel- (disk3), libjpeg-devel- (disk3), libtiff-devel- (disk3), libungif-devel- (disk3), imlib-devel (disk4), gnome-libs-devel (disk4), expect (disk4)
#rpm -ivh kernel-elhugemem….rpm
#cat /etc/grub.conf
//////////////////////// file content start ///////////////////
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,1)
# kernel /vmlinuz-version ro root=/dev/sda8
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,1)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux AS (2.6.9-22.ELhugemem)
        root (hd0,1)
        kernel /vmlinuz-2.6.9-22.ELhugemem ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.9-22.ELhugemem.img
title Red Hat Enterprise Linux AS (2.6.9-22.ELsmp)
        root (hd0,1)
        kernel /vmlinuz-2.6.9-22.ELsmp ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.9-22.ELsmp.img
title Red Hat Enterprise Linux AS-up (2.6.9-22.EL)
        root (hd0,1)
        kernel /vmlinuz-2.6.9-22.EL ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.9-22.EL.img
//////////////////////// file content end ///////////////////
If hiddenmenu is set and the entries below it are not in the order shown, change default=x (x is the index of the ELhugemem entry).
Reboot with the additional 2 GB of memory installed.
This lets the system run correctly with 4 GB of memory.
2) Once the system is installed, create this link:
#ln -s /tmp /temp
3. Configure DNS
(1) Edit named.conf; (2) create and configure the host (zone data) files; (3) test name resolution.
#vi /etc/named.conf
//////////////////////// file content start ///////////////////
//
// named.conf for Red Hat caching-nameserver
//
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};
//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/rndc.key";
//modify by mingfu 060404
acl "CNC" {
        58.16.0.0/16; 58.17.0.0/17; 58.17.128.0/17; 58.18.0.0/16; 58.19.0.0/16;
        58.20.0.0/16; 58.21.0.0/16; 58.22.0.0/15; 58.240.0.0/15; 58.242.0.0/15;
        58.244.0.0/15; 58.246.0.0/15; 58.248.0.0/13; 60.0.0.0/13; 60.8.0.0/15;
        60.10.0.0/16; 60.11.0.0/16; 60.12.0.0/16; 60.13.0.0/18; 60.13.128.0/17;
        60.14.0.0/15; 60.16.0.0/13; 60.24.0.0/14; 60.30.0.0/16; 60.31.0.0/16;
        60.208.0.0/13; 60.216.0.0/15; 60.218.0.0/15; 60.220.0.0/14; 61.48.0.0/13;
        61.133.0.0/17; 61.134.96.0/19; 61.134.128.0/17; 61.135.0.0/16; 61.137.128.0/17;
        61.138.0.0/17; 61.138.128.0/18; 61.139.128.0/18; 61.148.0.0/15; 61.156.0.0/16;
        61.159.0.0/18; 61.161.0.0/18; 61.161.128.0/17; 61.162.0.0/16; 61.163.0.0/16;
        61.167.0.0/16; 61.168.0.0/16; 61.176.0.0/16; 61.179.0.0/16; 61.181.0.0/16;
        61.182.0.0/16; 61.189.0.0/17; 125.32.0.0/16; 125.40.0.0/13; 202.96.0.0/18;
        202.96.64.0/21; 202.96.72.0/21; 202.97.128.0/18; 202.97.224.0/21; 202.97.240.0/20;
        202.98.0.0/21; 202.98.8.0/21; 202.99.64.0/19; 202.99.96.0/21; 202.99.128.0/19;
        202.99.160.0/21; 202.99.168.0/21; 202.99.176.0/20; 202.99.208.0/20; 202.99.224.0/21;
        202.99.232.0/21; 202.99.240.0/20; 202.102.128.0/21; 202.102.224.0/21; 202.102.232.0/21;
        202.106.0.0/16; 202.107.0.0/17; 202.108.0.0/16; 202.110.0.0/17; 202.111.128.0/18;
        203.93.8.0/24; 203.93.192.0/18; 210.13.128.0/17; 210.14.160.0/19; 210.14.192.0/19;
        210.15.32.0/19; 210.15.96.0/19; 210.15.128.0/18; 210.21.0.0/16; 210.52.128.0/17;
        210.53.0.0/17; 210.53.128.0/17; 210.74.96.0/19; 210.74.128.0/19; 210.82.0.0/15;
        218.8.0.0/14; 218.12.0.0/16; 218.21.128.0/17; 218.24.0.0/14; 218.56.0.0/14;
        218.60.0.0/15; 218.67.128.0/17; 218.68.0.0/15; 218.104.0.0/14; 219.154.0.0/15;
        219.156.0.0/15; 219.158.0.0/17; 219.158.128.0/17; 219.159.0.0/18; 220.252.0.0/16;
        221.0.0.0/15; 221.2.0.0/16; 221.3.0.0/17; 221.3.128.0/17; 221.4.0.0/16;
        221.5.0.0/17; 221.5.128.0/17; 221.6.0.0/16; 221.7.0.0/19; 221.7.32.0/19;
        221.7.64.0/19; 221.7.96.0/19; 221.8.0.0/15; 221.10.0.0/16; 221.11.0.0/17;
        221.11.128.0/18; 221.11.192.0/19; 221.12.0.0/17; 221.12.128.0/18; 221.13.0.0/18;
        221.13.64.0/19; 221.13.96.0/19; 221.13.128.0/17; 221.14.0.0/15; 221.192.0.0/15;
        221.194.0.0/16; 221.195.0.0/16; 221.196.0.0/15; 221.198.0.0/16; 221.199.0.0/19;
        221.199.32.0/20; 221.199.128.0/18; 221.199.192.0/20; 221.200.0.0/14; 221.204.0.0/15;
        221.206.0.0/16; 221.207.0.0/18; 221.207.64.0/18; 221.207.128.0/17; 221.208.0.0/14;
        221.212.0.0/16; 221.213.0.0/16; 221.216.0.0/13; 222.128.0.0/14; 222.132.0.0/14;
        222.136.0.0/13; 222.160.0.0/15; 222.162.0.0/16; 222.163.0.0/19; 222.163.32.0/19;
        222.163.64.0/18; 222.163.128.0/17;
};
view "view_cnc" {
        match-clients { CNC; };
        zone "." { type hint; file "named.ca"; };
        zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
        include "master/cnc.def";
};
view "view_any" {
        match-clients { any; };
        zone "." { type hint; file "named.ca"; };
        zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
        include "master/telecom.def";
};
//////////////////////// file content end ///////////////////
#mkdir /var/named/master
#mkdir /var/named/master/cnc
#mkdir /var/named/master/telecom
#touch /var/named/master/cnc.def
#touch /var/named/master/telecom.def
@ Zone declaration files: master/cnc.def for Netcom (CNC), master/telecom.def for Telecom. Each *.def file holds the zone declarations for the domains served to that view.
@ Host (zone data) files: master/cnc for Netcom, master/telecom for Telecom. Taking the resolution of one domain as an example:
#vi /var/named/master/cnc.def
//////////////////////// file content start ///////////////////
zone "xxxx.com" {
        type master;
        file "master/cnc/xxxx.com";
};
//////////////////////// file content end ///////////////////
#vi /var/named/master/telecom.def
//////////////////////// file content start ///////////////////
zone "xxxx.com" {
        type master;
        file "master/telecom/xxxx.com";
};
//////////////////////// file content end ///////////////////
#vi /var/named/master/cnc/xxxx.com
//////////////////////// file content start ///////////////////
$TTL 3600
$ORIGIN xxxx.com.
@       IN      SOA     ns.xxxx.com. root.ns.xxxx.com. (
                        2005121013      ; Serial
                        3600            ; Refresh (seconds)
                        900             ; Retry (seconds)
                        68400           ; Expire (seconds)
                        15 )            ; Minimum TTL for zone (seconds)
;
@       IN      NS      ns.xxxx.com.
@       IN      MX      10 xxxx.com.    ; an MX record requires a preference value
;;ip for cnc
@       IN      A       x.x.x.x         ; Netcom IP
www     IN      A       x.x.x.x         ; Netcom IP
//////////////////////// file content end ///////////////////
#vi /var/named/master/telecom/xxxx.com
//////////////////////// file content start ///////////////////
$TTL 3600
$ORIGIN xxxx.com.
@       IN      SOA     ns.xxxx.com. root.ns.xxxx.com. (
                        2005121013      ; Serial
                        3600            ; Refresh (seconds)
                        900             ; Retry (seconds)
                        68400           ; Expire (seconds)
                        15 )            ; Minimum TTL for zone (seconds)
;
@       IN      NS      ns.xxxx.com.
@       IN      MX      10 xxxx.com.    ; an MX record requires a preference value
;;ip for telecom
@       IN      A       x.x.x.x         ; Telecom IP
www     IN      A       x.x.x.x         ; Telecom IP
//////////////////////// file content end ///////////////////
Client test:
nslookup -type=a xxxx.com x.x.x.x   (any Netcom DNS server IP)
nslookup -type=a xxxx.com x.x.x.x   (any Telecom DNS server IP)
If the IP returned matches the one in the corresponding zone file, resolution is configured correctly.
Note:
The name servers registered for xxxxx.com above must be changed to
ns.xxxxx.com
whose IP is the Netcom IP.
Remarks:
1) Here access control separates Netcom from non-Netcom clients to achieve north-south interconnection; for domestic/international interconnection, add another corresponding ACL in the same way.
2) For compiling and installing from tar packages, see the Linux how-to.
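The two zone files above differ only in their A records, so they are easiest to keep in sync by rendering both from one template. This is an added example, not part of the original post; it assumes the domain xxxx.com, an output directory given by the caller, and a serial the caller supplies.

```shell
#!/bin/sh
# Added example (not from the original post): render the per-view zone files
# for the split-horizon setup from one template, then check that the cnc and
# telecom copies differ in nothing but their A records.

# make_zone DOMAIN SERIAL IP -> zone file text on stdout
make_zone() {
    domain=$1; serial=$2; ip=$3
    cat <<EOF
\$TTL 3600
\$ORIGIN ${domain}.
@   IN SOA ns.${domain}. root.ns.${domain}. (
        ${serial} ; Serial
        3600      ; Refresh (seconds)
        900       ; Retry (seconds)
        68400     ; Expire (seconds)
        15 )      ; Minimum TTL (seconds)
@   IN NS  ns.${domain}.
@   IN MX  10 ${domain}.
@   IN A   ${ip}
www IN A   ${ip}
EOF
}

# write_views OUTDIR DOMAIN SERIAL CNC_IP TELECOM_IP
# Writes OUTDIR/cnc/DOMAIN and OUTDIR/telecom/DOMAIN, mirroring
# /var/named/master/{cnc,telecom}/ in the post.
write_views() {
    outdir=$1; domain=$2; serial=$3; cnc_ip=$4; tel_ip=$5
    mkdir -p "$outdir/cnc" "$outdir/telecom"
    make_zone "$domain" "$serial" "$cnc_ip" > "$outdir/cnc/$domain"
    make_zone "$domain" "$serial" "$tel_ip" > "$outdir/telecom/$domain"
}

# views_in_sync OUTDIR DOMAIN -> succeeds when the two files are identical
# once every A record is dropped (same serial, SOA timers, NS and MX).
views_in_sync() {
    outdir=$1; domain=$2
    a=$(grep -v ' IN A ' "$outdir/cnc/$domain")
    b=$(grep -v ' IN A ' "$outdir/telecom/$domain")
    [ "$a" = "$b" ]
}

# view_ip OUTDIR DOMAIN VIEW -> the address VIEW answers for www
view_ip() {
    outdir=$1; domain=$2; view=$3
    awk '$1 == "www" && $3 == "A" { print $4 }' "$outdir/$view/$domain"
}
```

Run `write_views /var/named/master xxxx.com 2007113001 <cnc-ip> <telecom-ip>` and then `views_in_sync /var/named/master xxxx.com` before `rndc reload`; both view files get the same bumped serial in one step.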
4. Configure LAJO
Software: Apache 2.0.58, JBoss 4.0.3SP1, Oracle 9.2.0.4, Mod-jk 1.12
Configuration:
1) apache+mod-jk
#tar zxvf httpd-2.0.58.tar.gz
#cd httpd-2.0.58
#./configure --enable-MODULE=shared --enable-so --with-mpm=worker
#make && make install
#tar zxvf jakarta-tomcat-connectors-1.2.14.1-src.tar.gz
#cd /home/software/jakarta-tomcat-connectors-1.2.14.1-src/jk/native
#./configure --with-apxs=/usr/local/apache2/bin/apxs
#make
#cp ./apache-2.0/mod_jk.so /usr/local/apache2/modules
Editing httpd.conf
The file is located under $APACHE-HOME/conf.
The build above selected the worker MPM, so we edit the worker module's settings (Apache does not allow a comment on the same line as a directive, so each explanation sits on the line above it):
# number of child processes created at startup
StartServers 4
# maximum number of child processes (hard limit)
ServerLimit 24
# maximum threads per child (hard limit); keep it equal to ThreadsPerChild,
# because ThreadLimit > ThreadsPerChild only wastes memory
ThreadLimit 128
# maximum number of clients served at the same time
MaxClients 3072
# minimum total number of idle threads across all children
MinSpareThreads 100
# maximum total number of idle threads across all children
MaxSpareThreads 200
# fixed number of threads each child creates
ThreadsPerChild 128
# controls how often children are created and retired; 0 means no limit, but on
# Solaris this can misbehave, so 1000 or 2000 may be used depending on concurrent load
MaxRequestsPerChild 0
Also add the following to httpd.conf, kept in a separate file that httpd.conf pulls in with Include conf/mod_jk2.conf:
#vi $APACHE-HOME/conf/mod_jk2.conf
//////////////////////// file content start ///////////////////
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers2.properties
JkLogFile logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
JkMount /* loadbalancer
#apache will serve the static picture.
# The lines below mean that all images and the htm, css and js pages are served by Apache; everything else goes to JBoss
JkUnMount /*.jpg loadbalancer
JkUnMount /*.gif loadbalancer
JkUnMount /*.swf loadbalancer
JkUnMount /*.bmp loadbalancer
JkUnMount /*.png loadbalancer
JkUnMount /*.js loadbalancer
JkUnMount /*.css loadbalancer
JkUnMount /*.htm loadbalancer
//////////////////////// file content end ///////////////////
#vi $APACHE-HOME/conf/uriworkermap.properties
//////////////////////// file content start ///////////////////
/jmx-console=loadbalancer
/jmx-console/*=loadbalancer
/web-console=loadbalancer
/web-console/*=loadbalancer
//////////////////////// file content end ///////////////////
#vi $APACHE-HOME/conf/workers2.properties   (the file named by JkWorkersFile above)
//////////////////////// file content start ///////////////////
worker.list=loadbalancer,status
worker.node1.port=8009
# fill in the server's IP
worker.node1.host=192.168.0.192
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.cachesize=10
worker.node2.port=8009
worker.node2.host=localhost
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.cachesize=10
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=1
worker.status.type=status
//////////////////////// file content end ///////////////////
Note: to balance across a second server, change
worker.node2.host=localhost
to
worker.node2.host=IP   (the IP address of the server to balance to)
Remark: for more backends, add
worker.noden.port=8009
worker.noden.host=IP   (the IP address of the server to balance to)
worker.noden.type=ajp13
worker.noden.lbfactor=1
worker.noden.cachesize=10
worker.loadbalancer.balance_workers=node1,node2,noden
JBoss 4.0.3SP1: unpack it into /site/jboss. In …/deploy/jbossweb-tomcat55.sar/server.xml, find 8080 and change it to 8088.
JDK installation and environment variables:
#chmod 755 jdk-1_5_0_06-linux-i586.bin
#./jdk-1_5_0_06-linux-i586.bin
Java settings:
#ln -s /usr/local/jdk1.5.0_06 /usr/local/jdk
If you downloaded the rpm package, do this instead (the rpm installs under /usr/java):
#./jdk-1_5_0_06-linux-i586.rpm.bin
#rpm -ivh jdk-1_5_0_06-linux-i586.rpm
#ln -s /usr/java/jdk1.5.0_06 /usr/local/jdk
#vi /etc/profile.d/java.sh
//////////////////////// file content start ///////////////////
JAVA_HOME=/usr/local/jdk
PATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$CATALINA_HOME/bin
export JAVA_HOME PATH
//////////////////////// file content end ///////////////////
The apache+jboss integration is now complete. Next, start these services.
..User and permission assignment
groupadd -g 5500 xxxx
adduser -u 5500 -s /bin/false -d /bin/null -c "proftpd user" -g xxxx xxxx
Change "/bin/false" to "/bin/bash" for the xxxx user in /etc/passwd so that jboss can use the account later. You can also do it directly:
adduser -u 5500 -s /bin/bash -d /bin/null -c "proftpd user" -g xxxx xxxx
chown xxxx /site/* -R
chgrp xxxx /site/* -R
chmod 755 /site/* -R
..Service startup
Add the following to /etc/rc.local:
/usr/local/apache2/bin/apachectl start
/etc/init.d/jboss start
#vi /etc/init.d/jboss
//////////////////////// file content start ///////////////////
#!/bin/bash
# /etc/init.d/jboss
. /etc/rc.d/init.d/functions
JBOSS_HOME=/site/jboss
export JBOSS_HOME
JAVA_HOME=/usr/local/jdk
export JAVA_HOME
PATH=$PATH:$JAVA_HOME/bin
export PATH
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export CLASSPATH
prog="jboss"
start() {
        # Write the jboss service log into jboss.log
        touch /var/log/xxxx/jboss.log
        echo "Jboss4.0.3SP1 Service Starting........" >>/var/log/xxxx/jboss.log
        echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
        date "+%Y-%m-%d %A %T :Jboss Service start" >>/var/log/xxxx/jboss.log
        echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
        # run.sh does not return, so background it and capture its output in the log
        su - xxxx -c "$JBOSS_HOME/bin/run.sh" >>/var/log/xxxx/jboss.log 2>&1 &
}
# Function stop: stops the jboss service automatically when Linux halts
stop() {
        # Write the jboss service log into jboss.log
        echo "jboss Service Stopping........" >>/var/log/xxxx/jboss.log
        echo "------------------------------" >>/var/log/xxxx/jboss.log
        date "+%Y-%m-%d %A %T :jboss Service Stop" >>/var/log/xxxx/jboss.log
        echo "----------------------------" >>/var/log/xxxx/jboss.log
        su - xxxx -c "$JBOSS_HOME/bin/shutdown.sh -S" >>/var/log/xxxx/jboss.log 2>&1
}
case $1 in
start)
        start
        ;;
stop)
        stop
        ;;
restart|reload)
        stop
        start
        ;;
status)
        status $prog
        ;;
*)
        echo "Please Input start|stop|restart|reload|status"
        exit 1
esac
//////////////////////// file content end ///////////////////
Note:
Give the jboss script execute permission: chmod 755 /etc/init.d/jboss
Note that the xxxx user has no password set, so make sure it cannot log in; only root can switch into that user's environment: #su - xxxx…..
4) Oracle installation and startup
Create the installation directories and environment variables.
1. Create the user/group:
#groupadd dba
#groupadd oinstall
#useradd oracle -g oinstall -G dba
#passwd oracle
2. Create the Oracle installation directories:
#mkdir -p /opt/ora9/product/9.2.0.4
#mkdir /var/opt/oracle
#chown oracle.dba /var/opt/oracle
#chown -R oracle.dba /opt/ora9
3. Set the environment variables:
export ORACLE_BASE=/opt/ora9
export ORACLE_HOME=/opt/ora9/product/9.2.0.4
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin
export ORACLE_OWNER=oracle
export ORACLE_SID=oradb   # your SID here
Log in as the Oracle user:
#su - oracle
$vi .bash_profile
The file content follows:
//////////////////////// file content start ///////////////////
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export ORACLE_BASE=/opt/ora9
export ORACLE_HOME=/opt/ora9/product/9.2.0.4
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin
export ORACLE_OWNER=oracle
export ORACLE_SID=oradb
export ORACLE_TERM=xterm
export LD_ASSUME_KERNEL=2.4.19
export THREADS_FLAG=native
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export NLS_LANG="American_america.utf8"
export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
export PATH
unset USERNAME
//////////////////////// file content end ///////////////////
4. Set the system parameters; switch to root with #su - root
a) Edit /etc/sysctl.conf with #vi /etc/sysctl.conf; the file content follows:
//////////////////////// file content start ///////////////////
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
//////////////////////// file content end ///////////////////
After editing, run #sysctl -p so the kernel changes take effect immediately.
Note:
Generally the maximum shared memory can be set to half of physical memory: with 2 GB of RAM, set it to 1073741824, as above; with 1 GB, set it to 512 * 1024 * 1024 = 536870912; and so on.
It is recommended to make the increased shmmax setting permanent.
The four sem values are, in order, SEMMSL (maximum semaphores per set), SEMMNS (maximum semaphores system-wide), SEMOPM (maximum operations per semop call) and SEMMNI (maximum number of semaphore sets). shmmax is the maximum shared memory segment size, which the official documentation recommends setting to half of RAM; shmmni is set to 4096 here; shmall is the total amount of shared memory.
b) Set Oracle's file limits:
Edit the file with #vi /etc/security/limits.conf and add the following lines:
oracle soft nofile 65536
oracle hard nofile 65536
oracle soft nproc 16384
oracle hard nproc 16384
It can also be written as:
* soft nofile 65536
* hard nofile 65536
* soft nproc 16384
* hard nproc 16384
c) Downgrade gcc:
#mv /usr/bin/gcc /usr/bin/gcc34
#ln -s /usr/bin/gcc32 /usr/bin/gcc
#mv /usr/bin/g++ /usr/bin/g++34
#ln -s /usr/bin/g++32 /usr/bin/g++
# cd /opt
# ls compat*.rpm
compat-libcwait-2.0-2.i386.rpm  compat-oracle-rhel4-1.0-5.i386.rpm
# rpm -Uvh compat*.rpm
Preparing...                          ########################################### [100%]
   1:compat-libcwait-2.0-2.i386.rpm   ##################################### [ 50%]
   2:compat-oracle-rhel4-1.0-5.i386.rpm#################################### [100%]
Disk1 Disk2 Disk3. Log in to the system as the oracle user to install Oracle (note: do not switch to oracle from a root login,
$ lsnrctl start
$ sqlplus /nolog
SQL*Plus: Release 9.2.0.4.0 - Production on Sat Mar 12 22:58:53 2005
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
SQL>connect / as sysdba
Connected.
SQL> shutdown immediate          (shut down the database)
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL>startup;                     (start the database)
ORACLE instance started.
Total System Global Area  236000356 bytes
Fixed Size                   451684 bytes
Variable Size             201326592 bytes
Database Buffers           33554432 bytes
Redo Buffers                 667648 bytes
Database mounted.
Database opened.
5. Starting the Oracle service
As root, write the following script:
vi /etc/init.d/oracle
//////////////////////// file content start ///////////////////
#!/bin/bash
#start and stop the oracle instance
# chkconfig --level 5 --add ora9i
#chkconfig: 345 91 19
# description: starts the oracle listener and instance
export ORACLE_HOME="/opt/ora9/product/9.2.0.4"
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin:$PATH
export ORACLE_OWNER="oracle"
export ORACLE_SID=oradb
if [ ! -f $ORACLE_HOME/bin/dbstart -o ! -d $ORACLE_HOME ]
then
        echo "oracle startup:cannot start"
        exit 1
fi
case "$1" in
start)
        #startup the listener and instance
        echo -n "oracle startup: "
        su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl start"
        su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbstart
        touch /var/lock/subsys/oracle
        echo "finished"
        ;;
stop)
        # stop listener, apache and database
        echo -n "oracle shutdown:"
        su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl stop"
        su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbshut
        rm -f /var/lock/subsys/oracle
        echo "finished"
        ;;
reload|restart)
        $0 stop
        $0 start
        ;;
*)
        echo "Usage: ora9i [start|stop|reload|restart]"
        exit 1
esac
exit 0
//////////////////////// file content end ///////////////////
#chmod a+x /etc/rc.d/init.d/oracle
#cd /etc/rc.d/rc5.d
#ln -s /etc/rc.d/init.d/oracle S99ora9i
#cd /etc/rc.d/rc0.d
#ln -s /etc/rc.d/init.d/oracle K99ora9i
Alternatively, oracle9i can be auto-started by adding the following to /etc/rc.d/rc.local:
su - oracle -c "/opt/ora9/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/product/9.2.0.4/bin/dbstart start"
Note: if startup is unreliable this way, write shell scripts instead. The method below follows my own habit:
#mkdir /usr/local/syscmf
#vi /usr/local/syscmf/oracle.sh
//////////////////////// file content start ///////////////////
#!/bin/sh
#modify by mingfu 060404
#oracle run scripts
#run as the oracle user
lsnrctl start
expect /usr/local/syscmf/oracle.exp
//////////////////////// file content end ///////////////////
#vi /usr/local/syscmf/oracle.exp
//////////////////////// file content start ///////////////////
#!/usr/local/bin/expect
#modify by mingfu 060404
#oracle run scripts
set timeout 120
spawn sqlplus /nolog
expect "SQL>"
send "conn / as sysdba\r"
expect "SQL>"
send "startup\r"
expect "SQL>"
send "exit\r"
# wait for sqlplus to finish instead of exiting while it is still running
expect eof
//////////////////////// file content end ///////////////////
#chown oracle /usr/local/syscmf/*
#chgrp oracle /usr/local/syscmf/*
#chmod 755 /usr/local/syscmf/*
Add the following to /etc/rc.local:
su - oracle -c /usr/local/syscmf/oracle.sh
and remove the earlier lines:
su - oracle -c "/opt/ora9/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/product/9.2.0.4/bin/dbstart start"
6. Removing and reinstalling the database: delete the ORACLE installation directory and /etc/ora*.*:
#rm -f /etc/ora*.*
7. Running the management software $oemapp on Linux:
#su - oracle
$oemapp console
Changing the database character set to ZHS16GBK:
sqlplus /nolog
sql>conn / as sysdba
sql>shutdown immediate
sql>startup mount
sql>alter system enable restricted session;
sql>alter system set JOB_QUEUE_PROCESSES=0;
sql>alter system set AQ_TM_PROCESSES=0;
sql>alter database open;
sql>alter database character set internal_use ZHS16GBK;
sql>shutdown immediate
sql>startup
The distribution's own http+php+mysql packages are installed; configure them as follows:
Apache configuration: edit /etc/httpd/conf/httpd.conf as follows:
Listen 82
ServerName 127.0.0.1:82
DocumentRoot "/var/www/html"
Create the ftpdb schema:
mysql> use ftpdb;
mysql> CREATE TABLE `ftpgroup` (
  `groupname` varchar(16) NOT NULL default '',
  `gid` smallint(6) NOT NULL default '5500',
  `members` varchar(16) NOT NULL default '',
  KEY `groupname` (`groupname`)
);
mysql> CREATE TABLE `ftpquotalimits` (
  `name` varchar(30) default NULL,
  `quota_type` enum('user','group','class','all') NOT NULL default 'user',
  `per_session` enum('false','true') NOT NULL default 'false',
  `limit_type` enum('soft','hard') NOT NULL default 'soft',
  `bytes_in_avail` float NOT NULL default '0',
  `bytes_out_avail` float NOT NULL default '0',
  `bytes_xfer_avail` float NOT NULL default '0',
  `files_in_avail` int(10) unsigned NOT NULL default '0',
  `files_out_avail` int(10) unsigned NOT NULL default '0',
  `files_xfer_avail` int(10) unsigned NOT NULL default '0'
);
mysql> CREATE TABLE `ftpquotatallies` (
  `name` varchar(30) NOT NULL default '',
  `quota_type` enum('user','group','class','all') NOT NULL default 'user',
  `bytes_in_used` float NOT NULL default '0',
  `bytes_out_used` float NOT NULL default '0',
  `bytes_xfer_used` float NOT NULL default '0',
  `files_in_used` int(10) unsigned NOT NULL default '0',
  `files_out_used` int(10) unsigned NOT NULL default '0',
  `files_xfer_used` int(10) unsigned NOT NULL default '0'
);
mysql> CREATE TABLE `ftpuser` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `userid` varchar(32) NOT NULL default '',
  `passwd` varchar(32) NOT NULL default '',
  `uid` smallint(6) NOT NULL default '5500',
  `gid` smallint(6) NOT NULL default '5500',
  `homedir` varchar(255) NOT NULL default '',
  `shell` varchar(16) NOT NULL default '/sbin/nologin',
  `count` int(11) NOT NULL default '0',
  `accessed` datetime NOT NULL default '0000-00-00 00:00:00',
  `modified` datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY (`id`)
);
mysql> INSERT INTO `ftpgroup`
User: root   Host: IP   Pswd: xxxx
(the same password as set with grant all privileges on *.* to identified by "xxxx";)
8. Configure MAIL
To tie mail account creation to the jboss application for easier maintenance and management, I chose to combine the mail server with the database.
For the actual setup, refer to the mail-sending program and then configure the mail server accordingly. Mail system accounts must not be created as real system accounts; all accounts are kept in the mysql database.
The detailed setup is omitted.
9. Security policy
Below is a simple but effective firewall configuration; as long as no intrusion comes from a fixed IP, the server remains reachable as normal.
Once the server is live it therefore needs its connection status collected. The LAMP environment is already configured on this server, so install Cacti for system monitoring.
Its installation is straightforward and is not described here.
Also keep checking the output of #netstat -na|grep SYN: when 15 consecutive identical half-open (bogus) connections appear, DROP them to free the system's communication path.
When such an intrusion connection appears….
#iptables -A ………….. DROP   (note: do not write this into the iptables file)
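The check described above, counting SYN_RECV entries per source in netstat output and reporting those at or above the threshold of 15, as an added example that is not part of the original post. The netstat lines are constructed; on a live server feed it the output of netstat -na | grep SYN instead. The rule it prints is the one-off command the text says to run by hand, not something to save into the iptables file.

```shell
#!/bin/sh
# Added example (not from the original post): find sources with too many
# half-open connections in `netstat -na` output so an operator can decide on a
# temporary DROP rule.  IPv4 only: the foreign address is split on the last
# ':' separator as "ip:port".

# syn_sources FILE THRESHOLD -> "count ip" lines for offenders, highest first
syn_sources() {
    awk -v limit="$2" '
        $1 == "tcp" && $6 == "SYN_RECV" {
            n = split($5, peer, ":")      # foreign address is ip:port
            port = peer[n]
            ip = substr($5, 1, length($5) - length(port) - 1)
            cnt[ip]++
        }
        END {
            for (ip in cnt) if (cnt[ip] >= limit) printf "%d %s\n", cnt[ip], ip
        }' "$1" | sort -rn
}

# worst_offender FILE THRESHOLD -> just the top source IP, empty when none
worst_offender() {
    syn_sources "$1" "$2" | head -n 1 | awk '{ print $2 }'
}

# drop_rule IP -> the one-off rule to run by hand (not saved to the iptables file)
drop_rule() {
    printf 'iptables -I RH-Firewall-1-INPUT -s %s -p tcp --syn -j DROP\n' "$1"
}

# Constructed sample: one host with 16 half-open connections, one with 2,
# plus an established ssh session that must not be counted.
SAMPLE=$(mktemp)
{
    i=0
    while [ $i -lt 16 ]; do
        echo "tcp        0      0 192.168.0.192:80        10.9.8.7:$((40000 + i))    SYN_RECV"
        i=$((i + 1))
    done
    echo "tcp        0      0 192.168.0.192:80        10.1.1.1:51000    SYN_RECV"
    echo "tcp        0      0 192.168.0.192:80        10.1.1.1:51001    SYN_RECV"
    echo "tcp        0      0 192.168.0.192:922       10.1.1.2:52000    ESTABLISHED"
} > "$SAMPLE"

# Stand-alone run: list offenders at the threshold from the text and show the
# rule that would be applied to the worst one.
syn_sources "$SAMPLE" 15
top=$(worst_offender "$SAMPLE" 15)
[ -n "$top" ] && drop_rule "$top"
```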
Below is the full content of the iptables file:
#cat /etc/sysconfig/iptables
//////////////////////// file content start ///////////////////
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 0/0 -d 0/0 --dport 177 -j ACCEPT
#modify by mingfu 060404
#Please do not modify the content below
#ACK FIN SYN
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#port scan
# NMAP FIN/URG/PSH
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#!--syn
-A RH-Firewall-1-INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Dos
-A RH-Firewall-1-INPUT -p tcp --dport 80 -m limit --limit 10/second
#vi /etc/ssh/sshd_config
Change:
#Port 22
to:
Port 922
Note: after this change, connect with: ssh user@ip -p 922
If you do not want to pass the -p parameter each time, change in /etc/ssh/ssh_config:
#Port 22
to:
Port 922
It is recommended to change both the ssh server and ssh client ports on every server that provides services……
10. Testing and going live
With all configuration complete, reboot the server, test it, and prepare to go live.
Note: the following services must not be started more than once; start them only while they are stopped, otherwise startup errors occur.
#su - oracle -c /usr/local/syscmf/oracle.sh
#/etc/rc.d/init.d/jboss start
Startup users and permissions for these two services:
1. Oracle:
User: oracle (can log in to the system)
Always perform oracle operations from the oracle user's environment. If you really must do it as root, do not forget #su - oracle -c "lsnrctl start"……..
a. Stopping the Oracle service:
$sqlplus /nolog
SQL>conn / as sysdba
SQL>shutdown immediate
SQL> exit
$lsnrctl stop
b. Starting the Oracle service:
$lsnrctl start
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup
c. Forcing the Oracle service to start (this also works when the oracle service is already started):
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup force
2. JBoss:
User: xxxx (cannot log in to the system)
Always perform jboss operations from the jboss user's environment. If you really must do it as root, do not forget
#su - xxxx -c /site/jboss/bin/run.sh
or
#/etc/init.d/jboss start
a. In the xxxx user environment:
If it cannot log in, how is it used?
Remote text-console method: log in as root; root can switch into the xxxx user environment:
#su - xxxx
Start JBoss:
$/site/jboss/bin/run.sh
Stop JBoss:
$/site/jboss/bin/shutdown.sh -S
Remote graphical method:
On enabling remote graphical login: only the oracle user may log in through a remote graphical session, to make operating oracle easier.
The steps to enable it:
#su - oracle
$vncserver
Password:********
Password:********
$exit
$ps -ef|grep vnc
kill -9 the vnc process you see.
$vi .vnc/xstartup
Change:
twm &
to
gnome-session &
$vncserver
Note: only one vnc server process may be running….. its port is 5801. Do not start vncserver again while one is already running, otherwise another vnc process is added…….
Enter the password to log in graphically.
Since it is oracle that is logged in…. starting jboss requires the following:
$su -
Password:********
#su - xxxx
Start JBoss:
$/site/jboss/bin/run.sh
Stop JBoss:
$/site/jboss/bin/shutdown.sh -S
b. In the root user environment:
Start JBoss:
#su - xxxx -c /site/jboss/bin/run.sh
or
#service jboss start
or
#/etc/init.d/jboss start
Stop JBoss:
#su - xxxx -c "/site/jboss/bin/shutdown.sh -S"
or
#service jboss stop
or
#/etc/init.d/jboss stop
(System and software) log analysis: set it up according to your own habits…..
On creating system users: the xxxx user created in the system was given -u=5500.