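How a DNS server works
1. The local machine sends a DNS request to the local DNS server. The local DNS server is usually provided by your network access provider, such as China Telecom or China Mobile.
2. The local DNS server first checks its cache. If the record is cached, it returns the result directly. If not, the local DNS server queries a DNS root server.
3. The root DNS server does not hold the mapping between specific domain names and IP addresses. Instead, it tells the local DNS server that it can continue the query at the domain server, and gives that server's address.
4. The local DNS server then sends the request to the domain server, for example the .com domain server. After receiving the request, the .com domain server does not return the name-to-IP mapping directly either; it tells the local DNS server the address of the name server that resolves your domain.
5. Finally, the local DNS server sends the request to the domain's resolving name server, and this time it receives the domain-name-to-IP mapping.
6. The local DNS server not only returns the IP address to the user's computer but also stores the mapping in its cache, so that the next query from another user can be answered directly, which speeds up network access.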
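The six steps above as a small simulation. This is an added example, not code from the original page: the server labels are hypothetical, and the `ftp` record and 1-day TTL are taken from the zone file shown later on the page.

```python
# Constructed sample data: a toy delegation tree. The server labels are
# hypothetical; the ftp record and the 1-day TTL follow the page's zone file.
SERVERS = {
    "root": {"referral": {"com.": "com-tld"}},
    "com-tld": {"referral": {"thunisoft.com.": "ns1.thunisoft.com"}},
    "ns1.thunisoft.com": {"answer": {"ftp.thunisoft.com.": ("2.2.2.2", 86400)}},
}


class LocalResolver:
    """Local DNS server from steps 1-6: cache first, then walk the referrals."""

    def __init__(self):
        self.cache = {}    # name -> (ip, expiry time in seconds)
        self.upstream = 0  # queries sent to root, domain and authoritative servers

    def resolve(self, name, now=0):
        hit = self.cache.get(name)
        if hit and hit[1] > now:                      # step 2: unexpired cache entry
            return hit[0], ["cache"]
        server, path = "root", []
        while server:
            self.upstream += 1
            path.append(server)
            data = SERVERS[server]
            if name in data.get("answer", {}):        # step 5: final answer
                ip, ttl = data["answer"][name]
                self.cache[name] = (ip, now + ttl)    # step 6: store it in the cache
                return ip, path
            # steps 3-4: follow the referral whose zone is a suffix of the name
            server = next((s for zone, s in data.get("referral", {}).items()
                           if name == zone or name.endswith("." + zone)), None)
        return None, path


if __name__ == "__main__":
    r = LocalResolver()
    for t in (0, 10, 86400):  # first lookup, cached lookup, lookup after TTL expiry
        print(t, r.resolve("ftp.thunisoft.com.", now=t), "upstream:", r.upstream)
```

The second lookup costs no upstream queries; once the TTL has passed, the full walk from the root is repeated.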
Master/slave experiment:
Master: 192.168.43.107
Slave: 192.168.43.127
Master DNS server:
1. Install bind
[root@dns1~]#yum -y install bind
2. Edit the configuration
[root@dns1~]#vim /etc/named.conf
listen-on port 53 { localhost; }; # listen on all IP addresses of this host
allow-query { any; }; # allow all hosts to query
allow-transfer { 192.168.43.127; }; # zone data may be transferred to 192.168.43.127
dnssec-enable no; # turn off DNSSEC
dnssec-validation no;
Edit /etc/named.rfc1912.zones and add the zone configuration
[root@dns1~]#vim /etc/named.rfc1912.zones
zone "thunisoft.com" {
type master;
file "thunisoft.com.zone";
};
Edit /var/named/thunisoft.com.zone and add the zone data file:
[root@dns1~]#vim /var/named/thunisoft.com.zone
$TTL 1D
@       IN SOA  ns1 admin.thunisoft.com. ( 15 1D 5M 2D 5h )
        NS      ns1
        NS      ns2
ns1     A       192.168.43.107
ns2     A       192.168.43.127 ; the slave server must be added here
www     CNAME   websrv
websrv  A       1.1.1.1
websrv  A       4.4.4.4
ftp     A       2.2.2.2
mailsrv MX      10 3.3.3.3 ; an MX target is parsed as a host name, not an IP address
@       A       192.168.43.107
wang    A       192.168.43.1
Change the permissions and owner
[root@dns1]#chown root.named /var/named/thunisoft.com.zone
[root@dns1]#chmod 640 /var/named/thunisoft.com.zone
[root@dns1]#ll /var/named/thunisoft.com.zone
-rw-r----- 1 root named 107 Mar 12 01:23 /var/named/thunisoft.com.zone
3. Restart the service
[root@dns1~]#systemctl restart named
Slave server configuration:
1. Install bind
[root@dns2~]#yum -y install bind
2. Edit the configuration
[root@dns2~]#vim /etc/named.conf
listen-on port 53 { localhost; }; # listen on all IP addresses of this host
allow-query { any; }; # allow all hosts to query
allow-transfer {none;}; # do not transfer zone data to any host
dnssec-enable no; # turn off DNSSEC
dnssec-validation no;
Edit /etc/named.rfc1912.zones and add the zone configuration
[root@dns2~]#vim /etc/named.rfc1912.zones
zone "thunisoft.com" {
type slave;
masters {192.168.43.107;};
file "slaves/thunisoft.com.zone.slaves";
};
3. Restart the service:
[root@dns2~]#systemctl restart named
3. Test:
[root]#dig -t axfr thunisoft.com @192.168.43.107
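A static check of the option lines used above, as an added example that is not part of the original page. `MASTER` and `SLAVE` reproduce the page's settings; `WIDE_OPEN` is a constructed variant that assumes the transfer ACL was widened to `any` and that a `recursion yes;` line is present.

```python
import re

# Constructed samples: the option lines the page sets on the master and the slave.
MASTER = """
listen-on port 53 { localhost; };   # listen on all local addresses
allow-query { any; };
allow-transfer { 192.168.43.127; };
dnssec-enable no;
dnssec-validation no;
"""
SLAVE = MASTER.replace("{ 192.168.43.127; }", "{none;}")
# Assumption: a variant with the transfer ACL widened and "recursion yes;" present.
WIDE_OPEN = MASTER.replace("192.168.43.127", "any") + "recursion yes;\n"


def parse_options(text):
    """Map each simple statement to its list of values, ignoring comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(#|//).*", "", text)
    stmt = re.compile(r"([\w-]+)(?:\s+port\s+\d+)?\s*(\{[^}]*\}|[^;{}]+);")
    return {m.group(1): [v.strip() for v in m.group(2).strip("{} \n").split(";")
                         if v.strip()]
            for m in stmt.finditer(text)}


def audit(text):
    """Return finding codes for zone-transfer, recursion and DNSSEC exposure."""
    o, found = parse_options(text), []
    xfer = o.get("allow-transfer")
    if xfer is None:
        found.append("transfer-acl-missing")   # the server default decides who may AXFR
    elif "any" in xfer:
        found.append("transfer-open")          # any host can pull the whole zone
    if (o.get("recursion") == ["yes"] and "any" in o.get("allow-query", [])
            and not {"allow-recursion", "allow-query-cache"} & o.keys()):
        found.append("open-resolver")          # recursion ACL falls back to allow-query
    if o.get("dnssec-validation") == ["no"]:
        found.append("dnssec-validation-off")  # upstream answers are not validated
    return found


if __name__ == "__main__":
    for label, conf in (("master", MASTER), ("slave", SLAVE), ("wide open", WIDE_OPEN)):
        print(label, audit(conf))
```

On a live pair, the same transfer restriction can be confirmed by running the `dig -t axfr` test from a host other than 192.168.43.127 and checking that the transfer is refused.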
1. Install bind
yum -y install bind
2. Edit the configuration
vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
//dnssec-enable yes;
//dnssec-validation yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//zone "." IN {
// type hint;
// file "named.ca";
//};
acl beijingnet {
192.168.43.0/24;
192.168.44.0/24;
};
acl zhengzhounet {
172.16.0.0/24;
172.17.0.0/16;
};
acl othernet {
any;
};
view view_beijing {
match-clients { beijingnet; };
include "/etc/named.rfc1912.zones.bj";
};
view view_zhengzhou {
match-clients { zhengzhounet; };
include "/etc/named.rfc1912.zones.zz";
};
view view_other {
match-clients { othernet; };
include "/etc/named.rfc1912.zones";
};
//include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#vim /etc/named.rfc1912.zones
zone "thunisoft.com" {
type master;
file "thunisoft.com.zone.other";
};
#vim /etc/named.rfc1912.zones.bj
zone "thunisoft.com" {
type master;
file "thunisoft.com.zone.bj";
};
#vim /etc/named.rfc1912.zones.zz
zone "thunisoft.com" {
type master;
file "thunisoft.com.zone.zz";
};
vim /var/named/thunisoft.com.zone.bj
$TTL 1D
@       IN SOA  ns1 admin.thunisoft.com. ( 15 1D 5M 2D 5h )
        NS      ns1
ns1     A       192.168.43.147
www     A       192.168.43.200
vim /var/named/thunisoft.com.zone.zz
$TTL 1D
@       IN SOA  ns1 admin.thunisoft.com. ( 15 1D 5M 2D 5h )
        NS      ns1
ns1     A       192.168.43.147
www     A       173.16.0.200
vim /var/named/thunisoft.com.zone.other
$TTL 1D
@       IN SOA  ns1 admin.thunisoft.com. ( 15 1D 5M 2D 5h )
        NS      ns1
ns1     A       192.168.43.147
www     A       9.9.9.9
3. Change the owner and permissions
[root@ka2 ~]#chown root.named /etc/named.rfc1912.
[root@ka2 ~]#chmod 640 /etc/named.rfc1912.zones
[root@ka2 ~]#chown root.named /var/named/thunisoft.com.zone.
[root@ka2 ~]#chmod 640 /var/named/thunisoft.com.zone.
[root@ka2 ~]#ll /etc/named.rfc1912.zones*
-rw-r----- 1 root named 89 Mar 12 15:37 /etc/named.rfc1912.zones
-rw-r----- 1 root named 71 Mar 12 14:38 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root named 86 Mar 12 14:39 /etc/named.rfc1912.zones.zz
[root@ka2 ~]#ll /var/named/thunisoft.com.zone.*
-rw-r----- 1 root named 186 Mar 12 14:44 /var/named/thunisoft.com.zone.bj
-rw-r----- 1 root named 181 Mar 12 14:44 /var/named/thunisoft.com.zone.other
-rw-r----- 1 root named 185 Mar 12 14:44 /var/named/thunisoft.com.zone.zz
4. Restart the named service
[root@ka2 ~]#systemctl restart named
5. Verify
[root@ntp ~]# cat /etc/resolv.conf
nameserver 192.168.43.147
nameserver 172.16.0.128
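How the view configuration above decides which `www` answer a client receives, as an added example that is not part of the original page. The ACLs, view order and `www` records are copied from the page's files; the client addresses are constructed, and the shadowing check is an addition that shows why `view_other` has to come last.

```python
import ipaddress

# ACLs, view order and per-view www records copied from the page's files.
ACLS = {
    "beijingnet": ["192.168.43.0/24", "192.168.44.0/24"],
    "zhengzhounet": ["172.16.0.0/24", "172.17.0.0/16"],
    "othernet": ["any"],
}
VIEWS = [("view_beijing", "beijingnet"), ("view_zhengzhou", "zhengzhounet"),
         ("view_other", "othernet")]
WWW = {"view_beijing": "192.168.43.200", "view_zhengzhou": "173.16.0.200",
       "view_other": "9.9.9.9"}


def select_view(client, views=VIEWS):
    """Return the first view whose match-clients ACL contains the source IP."""
    ip = ipaddress.ip_address(client)
    for name, acl in views:
        if any(e == "any" or ip in ipaddress.ip_network(e) for e in ACLS[acl]):
            return name
    return None


def covered(entry, earlier):
    """True if one earlier ACL entry already matches everything `entry` matches."""
    if "any" in earlier:
        return True
    if entry == "any":
        return False
    net = ipaddress.ip_network(entry)
    return any(net.subnet_of(ipaddress.ip_network(e)) for e in earlier)


def shadowed_views(views=VIEWS):
    """List views that can never be selected because earlier views cover them."""
    seen, dead = [], []
    for name, acl in views:
        if all(covered(e, seen) for e in ACLS[acl]):
            dead.append(name)
        seen.extend(ACLS[acl])
    return dead


if __name__ == "__main__":
    for src in ("192.168.43.10", "172.16.0.5", "172.16.1.5", "8.8.8.8"):
        print(src, "->", select_view(src), "www =", WWW[select_view(src)])
    print("view_other first:", shadowed_views([VIEWS[2], VIEWS[0], VIEWS[1]]))
```

Note that 172.16.1.5 lands in `view_other`: `zhengzhounet` covers only 172.16.0.0/24 and 172.17.0.0/16, so an address just outside those ranges gets the 9.9.9.9 answer.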
1. Install the required dependency packages
yum install bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel gcc gcc-c++ cmake ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel libdb-cxx-devel openssl-devel
2. Create the user and data directory, and prepare the source package
[root@ka1 apps]#useradd -r -s /sbin/nologin -d /data/mysql/ mysql
[root@ka1 apps]#mkdir /data/mysql
[root@ka1 apps]#chown mysql.mysql /data/mysql
[root@ka1 apps]#tar xvf mariadb-10.2.25.tar.gz
3. Compile with cmake
#cmake . -DCMAKE_INSTALL_PREFIX=/app/mysql -DMYSQL_DATADIR=/data/mysql/ -DSYSCONFDIR=/etc/ -DMYSQL_USER=mysql -DWITH_INNOBASE_STORAGE_ENGINE=1 -DWITH_ARCHIVE_STORAGE_ENGINE=1 -DWITH_BLACKHOLE_STORAGE_ENGINE=1 -DWITH_PARTITION_STORAGE_ENGINE=1 -DWITHOUT_MROONGA_STORAGE_ENGINE=1 -DWITH_DEBUG=0 -DWITH_READLINE=1 -DWITH_SSL=system -DWITH_ZLIB=system -DWITH_LIBWRAP=0 -DENABLED_LOCAL_INFILE=1 -DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock -DDEFAULT_CHARSET=utf8 -DDEFAULT_COLLATION=utf8_general_ci
#make && make install
4. Run the database initialization script:
[root@ka1 mysql]#scripts/mysql_install_db --datadir=/data/mysql/ --user=mysql
Installing MariaDB/MySQL system tables in '/data/mysql/' ...
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:
'./bin/mysqladmin' -u root password 'new-password'
'./bin/mysqladmin' -u root -h ka1 password 'new-password'
Alternatively you can run:
'./bin/mysql_secure_installation'
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.
You can start the MariaDB daemon with:
cd '.' ; ./bin/mysqld_safe --datadir='/data/mysql/'
You can test the MariaDB daemon with mysql-test-run.pl
cd './mysql-test' ; perl mysql-test-run.pl
Please report any problems at http://mariadb.org/jira
The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/
5. Prepare the configuration file
[root@ka1 mysql]#cp /app/mysql/support-files/my-huge.cnf /etc/my.cnf
6. Add the mysql service to the service list:
[root@ka1 mysql]#cp /app/mysql/support-files/mysql.server /etc/init.d/mysqld
cp: overwrite ‘/etc/init.d/mysqld’? y
You have new mail in /var/spool/mail/root
[root@ka1 mysql]#chkconfig --add mysqld
7. Start the service:
[root@ka1 mysql]#service mysql start
Redirecting to /bin/systemctl start mysql.service
[root@ka1 mysql]#service mysql status
Redirecting to /bin/systemctl status mysql.service
mysqld.service - LSB: start and stop MariaDB
Loaded: loaded (/etc/rc.d/init.d/mysqld; bad; vendor preset: disabled)
Active: active (running) since Tue 2020-03-10 16:22:44 CST; 5s ago
Docs: man:systemd-sysv-generator(8)
……. (omitted)
8. Log in without a password:
[root@ka1 mysql]#mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.2.25-MariaDB-log Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]>
9. Set the root password:
[root@ka1 mysql]#mysqladmin -u root password '123456'
Log in with the password
[root@ka1 mysql]#mysql -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 17
Server version: 10.2.25-MariaDB-log Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]> SELECT VERSION();
+---------------------+
| VERSION() |
+---------------------+
| 10.2.25-MariaDB-log |
+---------------------+
1 row in set (0.00 sec)
10. Allow root to log in remotely:
MariaDB [mysql]> grant all on *.* to 'root'@'%' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
11. Log in remotely:
[root@centos7 apps]#mysql -h192.168.43.137 -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 18
Server version: 10.2.25-MariaDB-log Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
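Homework for students in the architecture class:
1. Configure Jenkins to publish and deploy code automatically, with rollback.
2. Set up automatic code scanning with Jenkins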