Juniper switch 上面的 Management Port 沒接東西就會亮 alarm
只好把它關掉
% cli
> show system alarm
> configure
# set chassis alarm management-ethernet link-down ignore
# run request system configuration rescue save
# commit
# exit
> show system alarm
> exit
% exit
alexw
[Mac] OpenCV + Python
openCV 2.x + Python 2.x on MacOS
用 brew 安裝 python
$ brew install python
安裝 cmake
$ brew install cmake
安裝 openCV 2.x
$ brew install homebrew/science/opencv
會有警告訊息
Warning: opencv dependency gcc was built with a different C++ standard
library (libstdc++ from clang). This may cause problems at runtime.
不理他 可以用
安裝 numpy
$ pip install numpy
安裝完 /Library/Caches/Homebrew/opencv-2.4.11.tar.gz 有範例
$ mkdir dev
$ cd dev
$ tar xvfz /Library/Caches/Homebrew/opencv-2.4.11.tar.gz
$ cd opencv-2.4.11/sample/python2
$ python demo.py
如果用人臉辨識 特徵在 data/haarcascades
[研習] 校園兒童安全瀏覽網路設定 BIND9 RPZ
要讓校園內學生使用的電腦強制開啟 Google 安全搜尋或是啟用 youtube 嚴格搜尋
就需要用到 DNS CNAME 功能
以下就來從無到有做一台學生專用的 DNS 為示範
測試環境
- Debian 8.2 (安裝教學這邊請)
- BIND 9.9.5
安裝 BIND
sudo apt-get update
sudo apt-get install bind9
( 如果光碟安裝 記得改 /etc/apt/sources.list 把光碟 cdrom 那行註解掉 )
設定 BIND
切換到 bind 設定檔目錄
cd /etc/bind
編輯 named.conf.options
sudo vi named.conf.options
options {
directory "/var/cache/bind";
response-policy { zone "rpz"; };
建立 zone.rpz
sudo vi zone.rpz
zone "rpz" IN {
type master;
file "/etc/bind/db.rpz.zone";
allow-query {none;};
};
修改 named.conf.local 讓系統把 zone.rpz 吃進來
sudo vi named.conf.local
//上略
//include "/etc/bind/zones.rfc1918";
include "/etc/bind/zone.rpz";
建立 db.rpz.zone
sudo vi db.rpz.zone
$TTL 1H
$ORIGIN rpz.
@ IN SOA localhost. nobody.localhost (
2015103102
1h
15m
30d
2h )
NS localhost.
; google safe search
www.google.com IN CNAME forcesafesearch.google.com.
www.google.com.tw IN CNAME forcesafesearch.google.com.
BIND 基本操作
啟用服務
sudo systemctl start bind9
停用服務
sudo systemctl stop bind9
或用 sudo rndc stop
重啟服務
sudo systemctl restart bind9
用 sudo rndc reload
檢測 conf 檔
named-checkconf -z /etc/bind/named.conf
檢測 zone db 檔
named-checkzone -d rpz db.rpz.zone
一開始安裝完預設 BIND 是啟用的
改好設定檔之後檢測無誤 就可以 restart 一下就搞定了
youtube 嚴格(安全)搜尋
依照官方設定可以強迫啟用嚴格搜尋
可以過濾掉大部分的敏感內容
; youtube safe search
www.youtube.com IN CNAME restrict.youtube.com.
m.youtube.com IN CNAME restrict.youtube.com.
youtubei.googleapis.com IN CNAME restrict.youtube.com.
www.youtube-nocookie.com IN CNAME restrict.youtube.com.
阻擋 IP 規則
Policy Trigger (LH name) 採用: prefix.a4.a3.a2.a1.rpz-ip (沒有點.)
例如 阻擋 IP 12.23.34.45 讓他回報 NXDOMAIN 為例 db.rpz.zone 裡面要寫
32.45.34.23.12.rpz-ip IN CNAME .
例如 阻擋 IP 12.23.34.* 讓他回報 NXDOMAIN 為例 db.rpz.zone 裡面要寫
24.45.34.23.12.rpz-ip IN CNAME .
範例
本文的設定檔都放在 github 需要的請自取
google ccTLD 問題
Google 區段要滴水不漏的話 得要把全部的 Google ccTLD subbomains 都吃進來
www.google.com IN CNAME forcesafesearch.google.com.
www.google.ad IN CNAME forcesafesearch.google.com.
www.google.ae IN CNAME forcesafesearch.google.com.
www.google.com.af IN CNAME forcesafesearch.google.com.
www.google.com.ag IN CNAME forcesafesearch.google.com.
www.google.com.ai IN CNAME forcesafesearch.google.com.
www.google.al IN CNAME forcesafesearch.google.com.
www.google.am IN CNAME forcesafesearch.google.com.
www.google.co.ao IN CNAME forcesafesearch.google.com.
www.google.com.ar IN CNAME forcesafesearch.google.com.
www.google.as IN CNAME forcesafesearch.google.com.
www.google.at IN CNAME forcesafesearch.google.com.
www.google.com.au IN CNAME forcesafesearch.google.com.
www.google.az IN CNAME forcesafesearch.google.com.
www.google.ba IN CNAME forcesafesearch.google.com.
www.google.com.bd IN CNAME forcesafesearch.google.com.
www.google.be IN CNAME forcesafesearch.google.com.
www.google.bf IN CNAME forcesafesearch.google.com.
www.google.bg IN CNAME forcesafesearch.google.com.
www.google.com.bh IN CNAME forcesafesearch.google.com.
www.google.bi IN CNAME forcesafesearch.google.com.
www.google.bj IN CNAME forcesafesearch.google.com.
www.google.com.bn IN CNAME forcesafesearch.google.com.
www.google.com.bo IN CNAME forcesafesearch.google.com.
www.google.com.br IN CNAME forcesafesearch.google.com.
www.google.bs IN CNAME forcesafesearch.google.com.
www.google.bt IN CNAME forcesafesearch.google.com.
www.google.co.bw IN CNAME forcesafesearch.google.com.
www.google.by IN CNAME forcesafesearch.google.com.
www.google.com.bz IN CNAME forcesafesearch.google.com.
www.google.ca IN CNAME forcesafesearch.google.com.
www.google.cd IN CNAME forcesafesearch.google.com.
www.google.cf IN CNAME forcesafesearch.google.com.
www.google.cg IN CNAME forcesafesearch.google.com.
www.google.ch IN CNAME forcesafesearch.google.com.
www.google.ci IN CNAME forcesafesearch.google.com.
www.google.co.ck IN CNAME forcesafesearch.google.com.
www.google.cl IN CNAME forcesafesearch.google.com.
www.google.cm IN CNAME forcesafesearch.google.com.
www.google.cn IN CNAME forcesafesearch.google.com.
www.google.com.co IN CNAME forcesafesearch.google.com.
www.google.co.cr IN CNAME forcesafesearch.google.com.
www.google.com.cu IN CNAME forcesafesearch.google.com.
www.google.cv IN CNAME forcesafesearch.google.com.
www.google.com.cy IN CNAME forcesafesearch.google.com.
www.google.cz IN CNAME forcesafesearch.google.com.
www.google.de IN CNAME forcesafesearch.google.com.
www.google.dj IN CNAME forcesafesearch.google.com.
www.google.dk IN CNAME forcesafesearch.google.com.
www.google.dm IN CNAME forcesafesearch.google.com.
www.google.com.do IN CNAME forcesafesearch.google.com.
www.google.dz IN CNAME forcesafesearch.google.com.
www.google.com.ec IN CNAME forcesafesearch.google.com.
www.google.ee IN CNAME forcesafesearch.google.com.
www.google.com.eg IN CNAME forcesafesearch.google.com.
www.google.es IN CNAME forcesafesearch.google.com.
www.google.com.et IN CNAME forcesafesearch.google.com.
www.google.fi IN CNAME forcesafesearch.google.com.
www.google.com.fj IN CNAME forcesafesearch.google.com.
www.google.fm IN CNAME forcesafesearch.google.com.
www.google.fr IN CNAME forcesafesearch.google.com.
www.google.ga IN CNAME forcesafesearch.google.com.
www.google.ge IN CNAME forcesafesearch.google.com.
www.google.gg IN CNAME forcesafesearch.google.com.
www.google.com.gh IN CNAME forcesafesearch.google.com.
www.google.com.gi IN CNAME forcesafesearch.google.com.
www.google.gl IN CNAME forcesafesearch.google.com.
www.google.gm IN CNAME forcesafesearch.google.com.
www.google.gp IN CNAME forcesafesearch.google.com.
www.google.gr IN CNAME forcesafesearch.google.com.
www.google.com.gt IN CNAME forcesafesearch.google.com.
www.google.gy IN CNAME forcesafesearch.google.com.
www.google.com.hk IN CNAME forcesafesearch.google.com.
www.google.hn IN CNAME forcesafesearch.google.com.
www.google.hr IN CNAME forcesafesearch.google.com.
www.google.ht IN CNAME forcesafesearch.google.com.
www.google.hu IN CNAME forcesafesearch.google.com.
www.google.co.id IN CNAME forcesafesearch.google.com.
www.google.ie IN CNAME forcesafesearch.google.com.
www.google.co.il IN CNAME forcesafesearch.google.com.
www.google.im IN CNAME forcesafesearch.google.com.
www.google.co.in IN CNAME forcesafesearch.google.com.
www.google.iq IN CNAME forcesafesearch.google.com.
www.google.is IN CNAME forcesafesearch.google.com.
www.google.it IN CNAME forcesafesearch.google.com.
www.google.je IN CNAME forcesafesearch.google.com.
www.google.com.jm IN CNAME forcesafesearch.google.com.
www.google.jo IN CNAME forcesafesearch.google.com.
www.google.co.jp IN CNAME forcesafesearch.google.com.
www.google.co.ke IN CNAME forcesafesearch.google.com.
www.google.com.kh IN CNAME forcesafesearch.google.com.
www.google.ki IN CNAME forcesafesearch.google.com.
www.google.kg IN CNAME forcesafesearch.google.com.
www.google.co.kr IN CNAME forcesafesearch.google.com.
www.google.com.kw IN CNAME forcesafesearch.google.com.
www.google.kz IN CNAME forcesafesearch.google.com.
www.google.la IN CNAME forcesafesearch.google.com.
www.google.com.lb IN CNAME forcesafesearch.google.com.
www.google.li IN CNAME forcesafesearch.google.com.
www.google.lk IN CNAME forcesafesearch.google.com.
www.google.co.ls IN CNAME forcesafesearch.google.com.
www.google.lt IN CNAME forcesafesearch.google.com.
www.google.lu IN CNAME forcesafesearch.google.com.
www.google.lv IN CNAME forcesafesearch.google.com.
www.google.com.ly IN CNAME forcesafesearch.google.com.
www.google.co.ma IN CNAME forcesafesearch.google.com.
www.google.md IN CNAME forcesafesearch.google.com.
www.google.me IN CNAME forcesafesearch.google.com.
www.google.mg IN CNAME forcesafesearch.google.com.
www.google.mk IN CNAME forcesafesearch.google.com.
www.google.ml IN CNAME forcesafesearch.google.com.
www.google.com.mm IN CNAME forcesafesearch.google.com.
www.google.mn IN CNAME forcesafesearch.google.com.
www.google.ms IN CNAME forcesafesearch.google.com.
www.google.com.mt IN CNAME forcesafesearch.google.com.
www.google.mu IN CNAME forcesafesearch.google.com.
www.google.mv IN CNAME forcesafesearch.google.com.
www.google.mw IN CNAME forcesafesearch.google.com.
www.google.com.mx IN CNAME forcesafesearch.google.com.
www.google.com.my IN CNAME forcesafesearch.google.com.
www.google.co.mz IN CNAME forcesafesearch.google.com.
www.google.com.na IN CNAME forcesafesearch.google.com.
www.google.com.nf IN CNAME forcesafesearch.google.com.
www.google.com.ng IN CNAME forcesafesearch.google.com.
www.google.com.ni IN CNAME forcesafesearch.google.com.
www.google.ne IN CNAME forcesafesearch.google.com.
www.google.nl IN CNAME forcesafesearch.google.com.
www.google.no IN CNAME forcesafesearch.google.com.
www.google.com.np IN CNAME forcesafesearch.google.com.
www.google.nr IN CNAME forcesafesearch.google.com.
www.google.nu IN CNAME forcesafesearch.google.com.
www.google.co.nz IN CNAME forcesafesearch.google.com.
www.google.com.om IN CNAME forcesafesearch.google.com.
www.google.com.pa IN CNAME forcesafesearch.google.com.
www.google.com.pe IN CNAME forcesafesearch.google.com.
www.google.com.pg IN CNAME forcesafesearch.google.com.
www.google.com.ph IN CNAME forcesafesearch.google.com.
www.google.com.pk IN CNAME forcesafesearch.google.com.
www.google.pl IN CNAME forcesafesearch.google.com.
www.google.pn IN CNAME forcesafesearch.google.com.
www.google.com.pr IN CNAME forcesafesearch.google.com.
www.google.ps IN CNAME forcesafesearch.google.com.
www.google.pt IN CNAME forcesafesearch.google.com.
www.google.com.py IN CNAME forcesafesearch.google.com.
www.google.com.qa IN CNAME forcesafesearch.google.com.
www.google.ro IN CNAME forcesafesearch.google.com.
www.google.ru IN CNAME forcesafesearch.google.com.
www.google.rw IN CNAME forcesafesearch.google.com.
www.google.com.sa IN CNAME forcesafesearch.google.com.
www.google.com.sb IN CNAME forcesafesearch.google.com.
www.google.sc IN CNAME forcesafesearch.google.com.
www.google.se IN CNAME forcesafesearch.google.com.
www.google.com.sg IN CNAME forcesafesearch.google.com.
www.google.sh IN CNAME forcesafesearch.google.com.
www.google.si IN CNAME forcesafesearch.google.com.
www.google.sk IN CNAME forcesafesearch.google.com.
www.google.com.sl IN CNAME forcesafesearch.google.com.
www.google.sn IN CNAME forcesafesearch.google.com.
www.google.so IN CNAME forcesafesearch.google.com.
www.google.sm IN CNAME forcesafesearch.google.com.
www.google.sr IN CNAME forcesafesearch.google.com.
www.google.st IN CNAME forcesafesearch.google.com.
www.google.com.sv IN CNAME forcesafesearch.google.com.
www.google.td IN CNAME forcesafesearch.google.com.
www.google.tg IN CNAME forcesafesearch.google.com.
www.google.co.th IN CNAME forcesafesearch.google.com.
www.google.com.tj IN CNAME forcesafesearch.google.com.
www.google.tk IN CNAME forcesafesearch.google.com.
www.google.tl IN CNAME forcesafesearch.google.com.
www.google.tm IN CNAME forcesafesearch.google.com.
www.google.tn IN CNAME forcesafesearch.google.com.
www.google.to IN CNAME forcesafesearch.google.com.
www.google.com.tr IN CNAME forcesafesearch.google.com.
www.google.tt IN CNAME forcesafesearch.google.com.
www.google.com.tw IN CNAME forcesafesearch.google.com.
www.google.co.tz IN CNAME forcesafesearch.google.com.
www.google.com.ua IN CNAME forcesafesearch.google.com.
www.google.co.ug IN CNAME forcesafesearch.google.com.
www.google.co.uk IN CNAME forcesafesearch.google.com.
www.google.com.uy IN CNAME forcesafesearch.google.com.
www.google.co.uz IN CNAME forcesafesearch.google.com.
www.google.com.vc IN CNAME forcesafesearch.google.com.
www.google.co.ve IN CNAME forcesafesearch.google.com.
www.google.vg IN CNAME forcesafesearch.google.com.
www.google.co.vi IN CNAME forcesafesearch.google.com.
www.google.com.vn IN CNAME forcesafesearch.google.com.
www.google.vu IN CNAME forcesafesearch.google.com.
www.google.ws IN CNAME forcesafesearch.google.com.
www.google.rs IN CNAME forcesafesearch.google.com.
www.google.co.za IN CNAME forcesafesearch.google.com.
www.google.co.zm IN CNAME forcesafesearch.google.com.
www.google.co.zw IN CNAME forcesafesearch.google.com.
www.google.cat IN CNAME forcesafesearch.google.com.
常見錯誤
IPv6 查詢錯誤
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:200:5f::f#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:303:a27::2:30#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:abc::35#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:def::53#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:7cc::1#53
這就直接把 bind 強制用 IPv4 模式跑
編輯 /lib/systemd/system/bind9.service
上略
[Service]
ExecStart=/usr/sbin/named -f -4 -u bind
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop
systemctl daemon-reload
systemctl restart bind9
RRSIG 問題
如果沒有時間不對 可能造成簽章驗證檢查不過
Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: no valid signature found
Nov 12 02:44:57 tt named[2114]: error (no valid RRSIG) resolving './NS/IN': 123.234.123.234#53
Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: verify failed due to bad signature (keyid=62530): RRSIG validity period has not begun
解決方法: 把時間修正
以下兩步驟
- 檢查時區設定
dpkg-reconfigure tzdata
-
網路校時
sudo apt-get install ntpdate
ntpdate clock.stdtime.gov.tw
error (no valid DS) 問題
關閉 DNSSEC
編輯 /etc/bind/named.conf.options
//dnssec-validation auto;
dnssec-validation no;
ref:
http://www.cwssoft.com/?p=1577
https://support.google.com/websearch/answer/186669
https://www.nic.ad.jp/ja/materials/iw/2011/proceedings/d1/d1-07.pdf
http://dnsops.jp/event/20130718/20130718-kume-jipo-blocking-kume-1.pdf
[ESXi] 增加虛擬硬碟容量
警語:
操作前請先將快照(snapshot)清除掉
不然會造成快照與原磁碟的容量差異 而gg
步驟:
因為需要使用 command line 所以先打開 sshd 和 防火牆
使用 vSphere Client 連到你的 ESXi server
- 組態/安全性設定檔/服務/內容… SSH 選項 啟動
- 組態/安全性設定檔/防火牆/內容… 勾選 SSH Server
然後用 ssh 連線進去
查看一下你要擴展的 vmdk 放在哪裡
# cd /vmfs/volumes/
# ls
一般會是一堆編碼的字串資料夾和 datastore1, 如果你有做 iscsi 或是其他掛載則會多出其他資料夾
我這邊先以 datastore1 為例
# cd datastore1
# ls
# cd vm_win01 (這是你虛擬機器的名稱)
# ls
找到裡面的 vmdk 應該會有兩個, 像是 vm_win01.vmdk 和 vm_win01-flat.vmdk
沒有 flat 的是設定檔
有 flat 的是真正的資料檔
不過操作部分還是會操作 沒有 flat 的 vmdk , 系統會自己去處理真正的 flat 檔
接下來使用 vmkfstools 這工具操作
用法為 vmkfstools -X --extendvirtualdisk newSize [kK|mM|gG]
( X為大寫 )
以下以擴增為 200GB 為例(記得喔 這是擴展完的大小 不是新增的大小)
# vmkfstools -X 200g vm_win01.vmdk (不是flat那個喔)
這邊作完之後你的 vm 磁碟就會擴展到你要的大小
當然你還是要操作你的 guest os 去吃你新增的空間 ( windows 在 磁碟管理 的 延伸磁碟區 )
tmux powerline boot time 出不來
今天重裝環境 tmux + powerline 出現
ERROR:tmux:uptime:Exception while computing segment: 'module' object has no attribute 'BOOT_TIME'
原來是因為 psutil 版本更新到 3 而 boot_time 是 2 版才有
解決方式很簡單 就是砍了新版 指定裝舊版
sudo pip uninstall psutil
sudo pip install 'psutil==2.2.1'
搞定收工
[debian] 一堆 mpt raid status change on 的信
用 vm 跑 debian 收到一堆 mpt-status RAID 狀態的信
很煩
>N 1 root@ggggg Tue Sep 01 14:37 20/684 info: mpt raid status change on
N 2 root@ggggg Tue Sep 01 16:37 20/684 info: mpt raid status change on
N 3 root@ggggg Tue Sep 01 18:37 20/684 info: mpt raid status change on
N 4 root@ggggg Tue Sep 01 20:37 20/684 info: mpt raid status change on
這似乎是 RAID 監控的東西 似乎沒用到 把他停用好了
因為是跑 Debian Jessie 用 systemd
所以要用 systemctl 處理
先看一下狀態
systemctl status mpt-statusd.service
果然有在動
立即停止
systemctl stop mpt-statusd.service
開機不啟動
systemctl disable mpt-statusd.service
搞定收工
[電影] 《太陽的孩子》正式預告-有一種力量,叫溫柔
很久沒發電影文了 這預告太強大了 正片未看先推
portmaster re-install 問題
The following actions will be taken if you choose to proceed:
Re-install db48-4.8.30.0_2
Re-install ruby20-2.0.0.645,1
—
portmaster -av|grep moved 1 ↵
===>>> The databases/db42 port moved to databases/db48
===>>> The databases/db42 port moved to databases/db48
===>>> The lang/ruby19 port moved to lang/ruby20
===>>> The lang/ruby19 port moved to lang/ruby20
portmaster -o databases/db48 databases/db42
portmaster -o lang/ruby20 lang/ruby19
sftp chroot
/etc/ssh/sshd_config
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match User user1, user2
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
然後 vipw 把 user1, user2 的 shell 改為 /bin/false
再把該使用者家目錄設為 root 擁有
chown root:root /home/user1
chown root:root /home/user2
最後重啟 sshd
