Microsoft Hyper-V Server 2008 R2. Установка на flash-накопитель Александр Косивченко C:\Program Files\Windows AIK\tools\x86\imagex /apply E:\SOURCES\install.wim 1 F:\ C:\Program Files\Windows AIK\tools\PETools\x86\bootsect /nt60 D: /force /mbr bcdboot F:\WINDOWS /s D: ----------------------------------------------------------------------------------------------------------------- Mandriva Pulse 2. Сетевая инфраструктура офиса на продуктах Mandriva. Часть 1 Максим Бочкин deb http://pulse2.mandriva.org/pub/pulse2/server/debian lenny stable aptitude install mmc-agent mmc-web-base mmc-web-dyngroup mmc-web-glpi mmc-web-inventory mmc-web-msc mmc-web-pkgs mmc-web-pulse2 pulse2-inventory-server pulse2-package-server pulse2-scheduler python-mmc-base python-mmc-plugins-tools python-mmc-dyngroup python-mmc-glpi python-mmc-inventory python-mmc-msc python-mmc-pkgs python-mmc-pulse2 python-pulse2-common-database-dyngroup python-pulse2-common-database-inventory python-pulse2-common-database-msc python-pulse2-common-database python-pulse2-common pulse2-launche aptitude install mkisofs mysql-server mysql-client slapd python-sqlalchemy-doc python-sqlalchemy cp /usr/share/doc/python-mmc-base/contrib/ldap/mmc.schema /etc/ldap/schema/ vim /etc/ldap/slapd.conf ... 
include /etc/ldap/schema/mmc.schema ls /etc/mmc/plugins mkdir /home/archives mkdir /var/lib/pulse2 mkdir /var/lib/pulse2/package mkdir /var/lib/pulse2/qactions mkdir /var/lib/pulse2/downloads ls /etc/mmc/pulse2 /etc/init.d/pulse2-inventory-server start /etc/init.d/pulse2-launcher start /etc/init.d/pulse2-package-server start /etc/init.d/pulse2-scheduler start /etc/init.d/mmc-agent restart ----------------------------------------------------------------------------------------------------------------- Управление конфигурацией с Chef Сергей Яремчук $ sudo apt-get install git-core $ git clone git://github.com/opscode/cookbooks.git $ rake new_cookbook COOKBOOK=nginx # Список поддерживаемых ОС %w{ ubuntu debian }.each do |os| supports os end # Зависимости %w{ build-essential runit }.each do |cb| depends cb end 'ubuntu', ">= 8.04" attribute "nginx/dir", :display_name => "Nginx Directory", :description => "Location of nginx configuration files", :default => "/etc/nginx" attribute "nginx/worker_connections", :display_name => "Nginx Worker Connections", :description => "Number of connections per worker", :default => "1024" package "nginx" do action :upgrade end template "nginx.conf" do path "/etc/ngnix/nginx.conf" source "nginx.conf.erb" owner "root" group "root" mode "0644" end path "/etc/ngnix/nginx.conf" path "#{node[:nginx][:dir]}/nginx.conf" case platform when "debian","ubuntu" set[:nginx][:dir] = "/etc/nginx" set[:nginx][:log_dir] = "/var/log/nginx" set[:nginx][:user] = "www-data" set[:nginx][:binary] = "/usr/sbin/nginx" else … end set_unless[:nginx][:gzip] = "on" $ sudo aptitude show chef deb http://apt.opscode.com/ lucid main universe $ sudo aptitude update $ sudo aptitude show chef $ sudo aptitude install rubygems ohai chef chef-server chef-server-webui $ sudo aptitude install rubygems ohai chef $ sudo aptitude install ruby ruby1.8-dev libopenssl-ruby1.8 rdoc ri irb build-essential wget ssl-cert libxml-ruby libxml2-dev libxslt-de $ sudo aptitude install 
rubygems1.9.1 couchdb stompserver $ git clone http://github.com/opscode/chef.git $ git clone http://github.com/opscode/cookbooks.git $ gem env $ sudo gem sources -r http://gems.rubyforge.org/ $ sudo gem sources -a http://rubygems.org/ $ sudo gem install ohai chef json --no-ri --no-rdoc $ cd ~/chef $ sudo cp -v chef/config/server.rb /etc/chef/ $ sudo cp -v /var/lib/gems/1.8/gems/chef-0.9.4/distro/debian/etc/init/* /etc/init/ $ sudo cp -v /var/lib/gems/1.8/gems/chef-0.9.4/distro/debian/etc/init.d/* /etc/init.d/ $ cd /var/lib/gems/1.8/gems/chef-0.9.4/bin/ $ sudo knife configure -i $ nano ~/solo.rb cookbook_path "/etc/chef/recipes/cookbooks" log_level :info file_store_path "/etc/chef/recipes/" file_cache_path "/etc/chef/recipes/" $ sudo mkdir -p /etc/chef/recipes/cookbooks $ nano ~/chef.json { "bootstrap": { "chef": { "url_type": "http", "init_style": "runit", "path": "/srv/chef", "serve_path": "/srv/chef", "server_fqdn": "localhost" } }, "recipes": "bootstrap::server" } $ cd /var/lib/gems/1.8/gems/chef-0.9.4/bin/ $ sudo ./chef-solo -l debug -c ~/solo.rb -j ~/chef.json ----------------------------------------------------------------------------------------------------------------- Virtual Network Computing. 
Инструмент поддержки пользователей Сергей Захаров ssh user@remotehost -X vino-preferences aptitude install x11vnc x11vnc -storepasswd mkdir /usr/local/sbin/x11vnc mv ~/.vnc/passwd /usr/local/sbin/x11vnc/passwd /usr/bin/x11vnc -dontdisconnect -notruecolor -noxfixes -shared -forever -rfbport 5901 -bg -o /var/log/x11vnc.log -allow /usr/local/sbin/x11vnc/allow_hosts_full -rfbauth /usr/local/sbin/x11vnc/passwd -remap /usr/local/sbin/x11vnc/remap /usr/bin/x11vnc -dontdisconnect -notruecolor -noxfixes -shared -forever -rfbport 5900 -bg -o /var/log/x11vnc.log -allow /usr/local/sbin/x11vnc/allow_hosts_view -viewonly 192.168.2.11 192.168.2.12 aptitude install nfs-kernel-server /srv/nfs 192.168.2.0/24(ro,all_squash,no_subtree_check) exportfs -a /etc/init.d/nfs-kernel-server reload showmount -e nfsserver mount -o ro nfsserver:/srv/nfs /mnt/nfs/ nfsserver:/srv/nfs /mnt/nfs nfs ro 0 0 aptitude install autofs /net -hosts --timeout=60 /etc/init.d/autofs reload if [ -e /mnt/nfs/x11vnc/x11vnc_gdm.conf ] then . /mnt/nfs/x11vnc/x11vnc_gdm.conf fi if [ -e /net/nfsserver/srv/nfs/x11vnc/x11vnc_gdm.conf ] then . 
/net/nfsserver/srv/nfs/x11vnc/x11vnc_gdm.conf fi nfsserver:/srv/nfs/x11vnc# ls -w 1 #192.168.2.11 Данный хост не сможет подключиться к VNC-серверу 192.168.2.12 192.168.2.13 #full access /usr/bin/x11vnc -dontdisconnect -notruecolor -noxfixes -shared -forever -rfbport 5901 -bg -o /var/log/x11vnc.log -allow /mnt/nfs/x11vnc/allow_hosts_full -rfbauth /mnt/nfs/x11vnc/passwd_full -remap /mnt/nfs/x11vnc/remap #view access /usr/bin/x11vnc -dontdisconnect -notruecolor -noxfixes -shared -forever -rfbport 5900 -bg -o /var/log/x11vnc.log -allow /mnt/nfs/x11vnc/allow_hosts_view -rfbauth /mnt/nfs/x11vnc/passwd_view -viewonly #full access /usr/bin/x11vnc -dontdisconnect -notruecolor -noxfixes -shared -forever -rfbport 5901 -bg -o /var/log/x11vnc.log -allow /net/nfsserver/srv/nfs/x11vnc/allow_hosts_full -rfbauth /net/nfsserver/srv/nfs/x11vnc/passwd_full -remap /net/nfsserver/srv/nfs/x11vnc/remap #view access /usr/bin/x11vnc -dontdisconnect -notruecolor -noxfixes -shared -forever -rfbport 5900 -bg -o /var/log/x11vnc.log -allow /net/nfsserver/srv/nfs/x11vnc/allow_hosts_view -rfbauth /net/nfsserver/srv/nfs/x11vnc/passwd_view -viewonly /etc/init.d/gdm restart vncviewer 192.168.2.11 vncviewer 192.168.2.11:5901 vncviewer -compresslevel 9 -quality 0 -bgr233 -encodings tight 192.168.2.1 ssh -N -f -L 5900:127.0.0.1:5900 user@192.168.2.11 vncviewer -bgr233 localhost ssh -N -f -L 10000:192.168.2.11:5900 -p 2222 user@gateway vncviewer -compresslevel 9 -quality 0 -bgr233 -encodings "tight zlib" localhost:10000 ----------------------------------------------------------------------------------------------------------------- FINEST воскресит. Установка и использование. Часть 2 Юрий Винник pecl install dbx pecl install ./dbx-1.1.0.tgz extension=dbx.so hosts allow = 172.17.32.1 # Здесь указываются адреса, с которых разрешен доступ к открытым сетевым ресурсам. 
# Впишите сюда адрес вашего сервера FINEST strict modes = false read only = false # Если вы хотите не только сохранять резервные копии файлов, но и восстанавливать их по сети, # то установите этот параметр read only в false list = false [Homes] # В квадратных скобках описывается имя сетевого ресурса path = /home # Или path = c:/Documents and Settings для ОС Windows. # Обратите внимание на способ написания пути к резервируемому каталогу! # Используйте «/» для разделения имен подкаталогов ----------------------------------------------------------------------------------------------------------------- Технологии Cisco EEM и IP SLA для резервирования активного оборудования Владимир Нефёдов ip sla 172 ! Настраиваем зондирование ICMP-пакетами состояния основного маршрутизатора icmp-echo 10.255.1.253 source-interface GigabitEthernet0/0 ! Частота опроса 20 секунд frequency 20 exit ! Запускаем сервис на маршрутизаторе ip sla schedule 172 life forever start-time now track 172 ip sla 172 ! Если в течение 20 секунд нет ответа от основного маршрутизатора, ! то track переходит в состояние down через 30 секунд: delay down 30 up 10 ! Создаем на резервном маршрутизаторе апплет, обрабатывающий событие track event manager applet ap-172 event track 172 state any ! Определяем состояние объекта action 1.0 track read 172 ! В зависимости от состояния встроенной переменной $_track_state выполняются действия ! 
по переводу интерфейса в рабочее или отключенное состояние и посылается сообщение на syslog сервер action 1.1 if $_track_state eq up goto 3.0 action 2.0 puts "Track 172 DOWN" action 2.1 cli command "enable" action 2.2 cli command "configure terminal" action 2.3 cli command "interface GigabitEthernet0/1" action 2.4 cli command "no shutdown" action 2.7 cli command "end" action 2.8 syslog msg "The main router is DOWN" action 2.9 exit 2 action 3.0 puts "Track 172 UP" action 3.1 cli command "enable" action 3.2 cli command "configure terminal" action 3.3 cli command "interface GigabitEthernet0/1" action 3.4 cli command "shutdown" action 3.7 cli command "end" action 3.8 syslog msg "The main router is UP" action 3.9 exit 3 Листинг 1. Отладка работы EEM enable configure terminal interface GigabitEthernet0/1 no shutdown end enable configure terminal interface GigabitEthernet0/1 no shutdown end Листинг 2. Для основного маршрутизатора (C-3845-M) service timestamps debug datetime msec service timestamps log datetime localtime service password-encryption ! hostname C-3825-M ! boot-start-marker boot-end-marker ! logging buffered 4096 debugging ! aaa new-model ! aaa authentication login default local aaa authorization exec default local ! aaa session-id common ! clock timezone MSK 3 clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00 ip subnet-zero ! ip cef ! no ip domain lookup login on-failure log login on-success log ! interface GigabitEthernet0/0 description Connection Office ip address 10.255.1.253 255.255.0.0 no ip redirects ip route-cache flow vrrp 2 ip 10.255.1.254 vrrp 2 timers advertise 3 vrrp 2 timers learn vrrp 2 priority 120 vrrp 2 authentication v-gi0/0 no ip redirects ip route-cache flow ! interface GigabitEthernet0/1 description Connection to IP VPN ip address 172.17.0.1 255.255.255.252 no ip redirects ip route-cache flow ! 
router bgp 65444 no synchronization bgp log-neighbor-changes redistribute connected neighbor 172.17.0.2 remote-as 65555 neighbor 172.17.0.2 default-originate no auto-summary ! ip classless ip route 0.0.0.0 0.0.0.0 Null 254 ! control-plane ! line con 0 exec-timeout 3 0 transport output all stopbits 1 line aux 0 transport output all stopbits 1 line vty 0 4 exec-timeout 5 0 transport input all transport output all ! scheduler allocate 20000 1000 ! End Листинг 3. Для резервного маршрутизатора (C-3845-B) service timestamps debug datetime msec service timestamps log datetime localtime service password-encryption ! hostname C-3825-B ! boot-start-marker boot-end-marker ! logging buffered 4096 debugging ! aaa new-model ! aaa authentication login default local aaa authorization exec default local ! aaa session-id common ! clock timezone MSK 3 clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00 ip subnet-zero ! ip cef ! no ip domain lookup ! ! ip sla 172 icmp-echo 10.255.1.253 source-interface GigabitEthernet0/0 frequency 20 ip sla schedule 172 life forever start-time now ! track 172 ip sla 172 delay down 30 up 10 ! ! interface GigabitEthernet0/0 description Connection Office ip address 10.255.1.252 255.255.0.0 no ip redirects ip route-cache flow vrrp 2 ip 10.255.1.254 vrrp 2 timers advertise 3 vrrp 2 timers learn vrrp 2 priority 90 vrrp 2 authentication v-gi0/0 no ip redirects ip route-cache flow shutdown ! interface GigabitEthernet0/1 description Connection to IP VPN ip address 172.17.0.1 255.255.255.252 no ip redirects ip route-cache flow ! router bgp 65444 no synchronization bgp log-neighbor-changes redistribute connected neighbor 172.17.0.2 remote-as 65555 neighbor 172.17.0.2 default-originate no auto-summary ! ip classless ip route 0.0.0.0 0.0.0.0 Null 254 ! control-plane ! 
event manager applet ap-172 event track 172 state any action 1.0 track read 172 action 1.1 if $_track_state eq up goto 3.0 action 2.0 puts "Track 172 DOWN" action 2.1 cli command "enable" action 2.2 cli command "configure terminal" action 2.3 cli command "interface GigabitEthernet0/1" action 2.4 cli command "no shutdown" action 2.7 cli command "end" action 2.8 exit exit-DOWN action 3.0 puts "Track 172 UP" action 3.1 cli command "enable" action 3.2 cli command "configure terminal" action 3.3 cli command "interface GigabitEthernet0/1" action 3.4 cli command "shutdown" action 3.7 cli command "end" action 3.8 exit exit-UP ! line con 0 exec-timeout 3 0 transport output all stopbits 1 line aux 0 transport output all stopbits 1 line vty 0 4 exec-timeout 5 0 transport input all transport output all ! scheduler allocate 20000 1000 ! End ----------------------------------------------------------------------------------------------------------------- Binary Analysis Tool. Фреймворк для анализа бинарных файлов Игорь Штомпель $ tar -xzvf gpltool-src.tgz $ sudo apt-get install python-magic binutils e2tools squashfs-tools xz-utils pylucene $ sudo apt-get install busybox $ python ./busybox.py --binary=/bin/busybox $ sudo apt-get install busybox hexcurse $ whereis busybox $ ls -l /bin/b* $ hexcurse /bin/busybox $ python ./busyboxversion.py --binary=/bin/busybox $ python ./busybox.py --binary=/bin/busybox $ python ./busybox.py --binary=/bin/busybox -f $ python ./busybox.py --binary=/bin/busybox -m $ python ./busybox.py --binary=/bin/busybox > test/config-exctracted $ python ./busybox-compare-configs.py -e test/config-exctracted -f test/config-source $ python ./busybox-compare-configs.py -e test/config-exctracted -f test/config-source -n 1.13.3 -x $ python ./appletname-extractor.py -a test/busybox-1.13.3/include/applets.h -n 1.13.3 $ python2.5 extractkernelstrings.py -d linux-2.6.15/ -i test/kernel $ python2.5 findkernelstrings.py -k test/kernelimage -i test/kernel $ python2.5 
extractkernelconfig.py -d linux-2.6.15/ -i test/kernel $ python2.5 extractkernelconfig.py -d linux-2.6.15/ -i test/kernel -a mips ----------------------------------------------------------------------------------------------------------------- Simple Groupware. Простая среда для контроля бизнес-процессов Сергей Яремчук $ sudo apt-get install catdoc ppthtml imagemagick unzip xpdf-utils mp3info exiv2 gij graphviz apache2.2-common libapache2-mod-php5 php5-gd $ sudo apt-get install mysql-server php5-mysql $ sudo mkdir /var/www/sgs $ nano /etc/php5/apache2/php.ini display_errors = 1 file_uploads = 1 allow_url_fopen = 1 memory_limit = 128M # не менее 16М (24М для x64) register_globals = 0 zlib.output_compression = 0 session.auto_start = 0 magic_quotes_runtime = 0 safe_mode = 0 [mbstring] mbstring.internal_encoding = UTF-8 mbstring.func_overload = 2 $ nano /etc/php5/apache2/conf.d/suhosin.ini suhosin.session.encrypt = 0 $ sudo sh ./funambol-8.5.1.bin $ sudo cp -v /var/www/sgs/bin/tools/funambolv7_syncML/mysql/mysql-connector-java-5.1.6-bin.jar /opt/Funambol/tools $ sudo nano /opt/Funambol/ds-server/install.properties dbms=mysql jdbc.classpath=../tools/mysql-connector-java-5.1.6-bin.jar jdbc.driver=com.mysql.jdbc.Driver jdbc.url=jdbc:mysql://localhost/sgs_0_624?characterEncoding=UTF-8 ; Далее указываем логин и пароль для доступа к БД, который был создан во время установки Simple Groupware jdbc.user=admin jdbc.password=admin $ sudo /opt/Funambol/bin/funambol start $ sudo ln -s /opt/Funambol/bin/funambol /etc/init.d/funambol $ sudo update-rc.d funambol defaults FUNAMBOL_HOME=`(cd .. ; pwd)` FUNAMBOL_HOME=`(cd /opt/Funambol ; pwd)` $ sudo a2enmod rewrite > net start webclient > net use f: http://sgs-server/sgdav/ /user:grinder * ----------------------------------------------------------------------------------------------------------------- Cfengine: как применять? 
Константин Кондаков svn co file://localhost/var/svn/repos/environment/Cfengine/master/inputs /staging/inputs rsync -av /staging/inputs /var/cfengine/master/inputs rpm -Uvh /opt/cfengine-2.2.10-1.el5.rf.x86_64.rpm # yum install cfengine # scp -pr root@192.168.10.11:/opt/cfengine-2.2.10-1.el5.rf.x86_64.rpm /opt # rpm -Uvh /opt/cfengine-2.2.10-1.el5.rf.x86_64.rpm # scp -pr /var/cfengine/ppkeys/localhost.pub root@192.168.10.11:/var/cfengine/ppkeys-192.168.20.67.pub # scp -pr root@192.168.10.11:/var/cfengine/ppkeys/localhost.pub /var/cfengine/ppkeys/root-192.168.10.11.pub # scp -pr root@192.168.10.11:/var/cfengine/master/inputs/. /var/cfengine/inputs/. # chkconfig cfenvd on && chkconfig cfexecd on && chkconfig cfservd on && cfenvd && cfexecd && cfservd # vi /etc/hosts 67.88.88.88 cfmasterhost cfmasterhost.domain.com # telnet 67.88.88.88 5308 192.168.10.11 cfmasterhost cfmasterhost.domain.com # cfagent -v -p # cfagent -v -q sm2 = ( sm2web sm2-db-01 smreports ) sm1 = ( sm1_admin1 sm1_admin2 ) sqlboxes = ( sql1 sql2 sql3 ) linuxboxes = ( sqlboxes sm1 sm2 sqlboxes) import: sm1:: cf.sm1 sm2:: cf.sm2 sqlboxes:: cf.sql linuxboxes:: cf.linux editfiles: { /root/.bashrc AppendIfNoSuchLine "HISTSIZE=2000" AppendIfNoSuchLine "alias hh='history'" AppendIfNoSuchLine "alias inet='ifconfig -a | grep inet'" AppendIfNoSuchLine "alias hg='history | grep '" } files: /etc/sudoers mode=440 owner=root group=root checksum=md5 action=fixall /etc/passwd mode=644 owner=root group=root checksum=md5 action=fixall /etc/shadow mode=640 owner=root group=root checksum=md5 action=fixall /etc/group mode=644 owner=root group=root checksum=md5 action=fixall copy: /production/linux/check_procs.sh dest=/usr/lib/nagios/plugins/check_procs.sh recurse=inf server=$(cfhost) trustkey=true forcedirs=true owner=nagios group=nagios mode=755 /production/linux/sars.sh dest=/usr/lib/nagios/plugins/sars.sh recurse=inf server=$(cfhost) trustkey=true forcedirs=true owner=nagios group=nagios mode=755 
/production/linux/check_sars dest=/usr/lib/nagios/plugins/check_sars recurse=inf server=$(cfhost) trustkey=true forcedirs=true owner=nagios group=nagios mode=755 /production/linux/check_sars_eth0 dest=/usr/lib/nagios/plugins/check_sars_eth0 recurse=inf server=$(cfhost) trustkey=true forcedirs=true owner=nagios group=nagios mode=755 disable: isuvm01:: /var/log/httpd/access_log size=>10mb rotate=3 ptr:: /jhendrix/logs/httpd/leadgen/ssl_error_log size=>1mb rotate=3 /jhendrix/logs/httpd/access_log size=>1mb rotate=3 /jhendrix/logs/httpd/error_log size=>1mb rotate=3 isunagios:: /var/log/nagios/nagios-host-perfdata size=>10mb rotate=3 /var/log/nagios/nagios-service-perfdata size=>10mb rotate=3 shellcommands: (Hr12|Hr13|Hr14)|isetlprod1:: "/usr/bin/find /data/weblogs/loadfiles/ -name '*.LOAD' -mtime +30 -exec /usr/bin/gzip {} \;" processes: isuaddb01:: "xml_reclog.pl" restart '/sbin/start_xml_reclog.sh 0<&- 1<&- 2<&- ' matches=1 useshell=true "oa_reclog.pl" restart '/sbin/start_oa_reclog.sh 0<&- 1<&- 2<&-' matches=1 useshell=true control: AddInstallable = ( cron_restart ) centos:: crontab = ( /var/spool/cron/root ) Split = ( "," ) files: centos:: ${crontab} action=touch editfiles: ### ISUVM01-сервер isuvm01:: { ${crontab} AppendIfNoSuchLine "44 * * * * /usr/sbin/cfexecd -F" AppendIfNoSuchLine "57 23 * * * /usr/bin/php /var/www/html/php-syslog-ng/scripts/logrotate.php >> /var/log/php-syslog-ng/logrotate.log" AppendIfNoSuchLine "56 23 * * * /usr/bin/find /var/www/html/php-syslog-ng/html/jpcache/ -atime 1 -exec rm -f '{}' ';'" AppendIfNoSuchLine "58 21 * * * /usr/bin/find /sata -maxdepth 2 -mtime +5 -type d -name \"*`date +%Y`*\" -exec rm -rf {} \;" DefineClasses "cron_restart" } shellcommands: centos.cron_restart:: "/etc/init.d/crond restart" editfiles: { /home/boss/.ssh/authorized_keys AppendIfNoSuchLine "ssh-dss AAAAB3NzaC1kc3MAAACBAJHOkAiQnibK2kz8VNBo6jHZVVVB1cn592Pz+qfnyY9EIEzGvrr2Ycj ... ... ... 
TgOiE4Up9w3KvZ/TeZU0dcPJ8Ccy3ksezZs8j3r+dVb3dRA2+FQ==boss@example.com " } editfiles: { /etc/hosts.allow DeleteLinesMatching "sshd : 67.19.15. 198.66.78.2 208.100.4.101 208.74.121.100 208.74.121.101 208.74.121.102" AppendIfNoSuchLine "sshd : 67.88.240. 67.19.15. 10.101. 208.74.121.102" } { /etc/hosts.deny AppendIfNoSuchLine "sshd : ALL" AppendIfNoSuchLine "sshdfwd-X11 : ALL" } control: actionsequence = ( shellcommands processes methods files ) shellcommands: "/usr/sbin/ntpdate $(ntphost) > /dev/null" processes: "portmap" restart "/sbin/portmap" "rpc.mountd" restart "/usr/sbin/rpc.mountd" "rpc.nfsd" restart "/usr/sbin/rpc.nfsd" "cfservd" restart "/var/cfengine/bin/cfservd" "mysqld" restart "/etc/init.d/mysql restart" methods: ImportPasswords(void) action=cf.passwds server=localhost files: /etc/passwd owner=root group=0 mode=0644 action=fixplain /etc/shadow owner=0 group=0 mode=600 action=fixplain # Make it hard for fingers to change the passwords # /usr/bin/passwd mode=0400 action=fixplain control: MethodName = ( ImportPasswords ) MethodParameters = ( none ) actionsequence = ( copy module:getusers editfiles directories tidy ) Split = ( "," ) editfilesize = ( 0 ) # unlimited # Locations of remote source and local work files srcserver = ( pmaster.cfengine.org ) srcpasswd = ( /master/etc/passwd ) srcshadow = ( /master/etc/shadow ) tmppwd = ( /var/run/workfile1 ) tmpshad = ( /var/run/workfile2 ) # File generated by module:getusers ufile = ( /var/run/userlist ) ulist = ( ReadList("${ufile}","lines","#","1000") ) copy: # Copy remote master copies ${srcpasswd} server=${pmaster} dest=${tmppwd} mode=600 type=checksum ${srcshadow} server=${pmaster} dest=${tmpshad} mode=600 type=checksum # module:getusers runs and creates var/run/userlist editfiles: # Remove all entries not in the generated user list { ${tmppwd} DeleteLinesNotStartingFileItems "$(ufile)" } { ${tempshad} DeleteLinesNotStartingFileItems "$(ufile)" } # Generate the real files from the work files { /etc/passwd 
DeleteLinesStartingFileItems "${ufile}" AppendIfNoSuchLinesFromFile "${tmppwd}" } { /etc/shadow DeleteLinesStartingFileItems "${ufile}" AppendIfNoSuchLinesFromFile "${tmpshad}" } directories: # Configure user home directories /home/${ulist} owner=LastNode tidy: /var/run include=workfile* include=userlist* age=0 #!/bin/sh list=/var/run/userlist # Extract names from a database mysql -BN -h sqlserverhost -u nobody -D users -e "select account,mygroup from mytable where mygroup='chosenfew' and status='ENABLED'" | cut -f1 > $list # Append some additional names echo mark >> $list echo aeleen >> $list filters: # Processes owned by root with > 2 hrs CPU time { program_gone_bad Owner: "root" FromTTime: "accumulated(0,0,0,200,0,0)" ToTTime: "inf" Result: "Owner.TTime" } processes: "." filter=program_gone_bad control: fourtimes = ( Min03 Min18 Min34 Min49 ) processes: "httpd" restart "/usr/sbin/httpd" inform=true owner=apache group=apache ----------------------------------------------------------------------------------------------------------------- Разворачиваем PKI на Windows Server 2008. Построение инфраструктуры. Часть 2 Андрей Бирюков [Version] Signature= "$Windows NT$" [certsrv_server] ; Устанавливается длина ключа, которая будет использоваться только при обновлении сертификата CA RenewalKeyLength = 2048 ; Устанавливается срок действия обновленного сертификата. Будет использоваться только при обновлении сертификата CA RenewalValidityPeriodUnits = 10 ; Устанавливается единица измерения для предыдущего параметра RenewalValidityPeriod = years ; Устанавливается периодичность публикации CRL в 90 дней (или 3 месяца) CRLPeriodUnits = 90 CRLPeriod = days ; Устанавливается срок продления списков отозванных сертификатов, CRL. Фактический срок действия CRL ; для клиентов увеличивается на заданный период, который в нашем случае равен 2 неделям. Это означает, что сервер ; CA будет публиковать новый CRL каждые 90 дней, а срок действия этого CRL будет 104 дня. 
Предполагается, что за эти ; две недели администратор сможет распространить данный CRL CRLOverlapUnits = 2 CRLOverlapPeriod = weeks ; Отключаем публикацию Delta CRL CRLDeltaPeriodUnits = 0 CRLDeltaPeriod = hours ; Включаем дискретные алгоритмы для подписей DiscreteSignatureAlgorithm = 1 {PKI-ROOT-CA} Class 1 Root Certification Authority OU=Information Security,O={PKI-ROOT-CA.},C={RU} :: Создаем папку в корне диска C, где будут храниться CRT- и CRL-файлы md C:\CertData :: Задаем точки публикации CRL-файлов и ссылки, публикуемые в издаваемых сертификатах. То же самое и для CRT-файлов certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n65:C:\CertData\{ PKI-ROOT-CA }_RCA%%8.crl\n2:http://www.{ PKI-ROOT-CA }/pki/{ PKI-ROOT-CA }_RCA%%8.crl" certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://www.{ PKI-ROOT-CA }/pki/{ PKI-ROOT-CA }_RCA%%4.crt" :: Поскольку мы не можем управлять публикацией CRT-файлов, мы его переименовываем в нужное имя и копируем в папку CertData ren %windir%\system32\CertSrv\CertEnroll\*.crt { PKI-ROOT-CA }_RCA.crt copy %windir%\system32\CertSrv\CertEnroll\{ PKI-ROOT-CA }_RCA.crt C:\CertData :: Задаем срок действия издаваемых сертификатов равным 10 лет certutil -setreg CA\ValidityPeriodUnits 10 certutil -setreg CA\ValidityPeriod "Years" :: Задаем параметры публикации CRL (повторяем, что было указано в CAPolicy.inf) certutil -setreg CA\CRLPeriodUnits 90 certutil -setreg CA\CRLPeriod "Days" certutil -setreg CA\CRLDeltaPeriodUnits 0 certutil -setreg CA\CRLDeltaPeriod "Days" certutil -setreg CA\CRLOverlapPeriod "Weeks" certutil -setreg CA\CRLOverlapUnits 2 :: Включаем DiscreteSignatureAlgorithm Certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1 :: Включаем полный аудит для сервера CA certutil -setreg CA\AuditFilter 127 :: Включаем поддержку сертификатов OCSP Response Signing на Offline CA: certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK net 
stop certsvc && net start certsvc :: Публикуем новый CRL в новое расположение certutil -CRL [Version] Signature = "$Windows NT$" [PolicyStatementExtension] Policies = { PKI-ROOT-CA }CPS [{PKI-ROOT-CA }CPS] URL = http://www.{ PKI-ROOT-CA }/pki/policies.html OID = 2.5.29.32.0 [certsrv_server] RenewalKeyLength = 2048 RenewalValidityPeriodUnits = 10 RenewalValidityPeriod = years CRLPeriodUnits = 5 CRLPeriod = days CRLOverlapUnits = 1 CRLOverlapPeriod = days CRLDeltaPeriodUnits = 12 CRLDeltaPeriod = hours ; Включаем дискретные алгоритмы для подписей DiscreteSignatureAlgorithm = 1 {PKI-ROOT-CA} Class 2 Root Certification Authority OU=Information Security,O={PKI-ROOT-CA.},C={RU} certutil -addstore Root имя_сохраненного_файла.crt certutil -addstore Root имя_сохраненного_файла.crl md C:\CertData certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n65:C:\CertData\{ PKI-ROOT-CA }_PICA%%8.crl\n6:http://www.{ PKI-ROOT-CA }/pki/{ PKI-ROOT-CA }_PICA%%8%%9.crl" certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://www.{ PKI-ROOT-CA }/pki/{ PKI-ROOT-CA }_PICA%%4.crt\n32:http://www.{ PKI-ROOT-CA }/ocsp" certutil -setreg CA\ValidityPeriodUnits 5 certutil -setreg CA\ValidityPeriod "Years" certutil -setreg CA\CRLPeriodUnits 5 certutil -setreg CA\CRLPeriod "Days" certutil -setreg CA\CRLDeltaPeriodUnits 12 certutil -setreg CA\CRLDeltaPeriod "Hours" certutil -setreg CA\CRLOverlapPeriod "Days" certutil -setreg CA\CRLOverlapUnits 1 certutil -setreg Policy\EnableRequestExtensionList +"2.5.29.32" Certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1 certutil -setreg CA\AuditFilter 127 certutil -setreg CA\DSConfig "CN=Configuration,DC={ PKI-ROOT-CA },DC={com}" certutil -dspublish -f C:\CertData\{ PKI-ROOT-CA }_PICA.crt Subca certutil -dspublish -f C:\CertData\{ PKI-ROOT-CA }_PICA.crt NTAuthCA net stop certsvc && net start certsvc certutil -CRL 
----------------------------------------------------------------------------------------------------------------- Типы данных в PowerShell Иван Коробко Листинг 1а. Явное объявление переменной PS C:\> [string]$obj=123456789 PS C:\> $obj.GetType() Листинг 1б. Неявное объявление переменной PS C:\> $obj=123456789 PS C:\> $obj.GetType() Листинг 2. Определение типов данных PS C:\> $str = "Пример строки" PS C:\> $str.GetType().FullName PS C:\> $str.GetType().Name Листинг 3. Преобразование типов данных PS C:\> [int]$obj=123456789 PS C:\> $obj.GetType().FullName PS C:\> [string]$obj=$obj PS C:\> $obj.GetType().FullName Листинг 4. Получение номера символа в таблице ASCII PS C:\> [byte][char]"F" Листинг 5. Преобразование данных GT в DateTime PS C:\> $GT= "20080410090637.0Z" PS C:\> $temp= $Gt -replace ".0Z", "" PS C:\> $style=[Globalization.CultureInfo]::CreateSpecificCulture("ru-RU") PS C:\> $format="yyyyMMddHHmmss" PS C:\> $Grinvich=[DateTime]::ParseExact($temp, $format, $style) PS C:\> $val=$Grinvich.ToString("dd MMMM yyyy, hh:mm:ss") PS C:\> Write-Host $val -----------------------------------------------------------------------------------------------------------------