virt-manager 桥接功能修复

在为某台虚拟机增加一个“共享网络设备时”(新建一台虚拟机,为其选择网络时也会出现该情况),virt-manager 残掉了。如下图,导致只能添加一个“虚拟网络”。不得已先选择添加一个“虚拟网络”,然后修改对应的 xml 文件。

将网络类型由 network 修改为 bridge:

# vi /etc/libvirt/qemu/centos.xml
<interface type='network'>
  <mac address='54:52:00:4a:30:c6'/>
  <source network='default'/>
  <model type='virtio'/>
</interface>

<interface type='bridge'>
  <mac address='54:52:00:4a:30:c6'/>
  <source bridge='br0'/>
</interface>

关闭 virt-manager,重启:

# /etc/init.d/libvirtd restart

ssh 连接缓慢的另一个原因

某台客户机连接 ssh 到服务器特别慢,经常是 1min 的时间才能登上,服务端的 UseDNS 已经关闭,-v 开启 debug 模式:
$ ssh [email protected] -v
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 52:45:r7:2r:16:45:aa:6c:3a:64:10:e6:ac:30:9d:b0
debug1: Host '[x.x.x.x]:22' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:23
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: Next authentication method: password
[email protected]'s password:

可以很清楚的看到,时间慢出现在 gssapi-with-mic(Kerberos) 认证这个步骤,经过了多次的失败,到 public key 方式失败,最后才到了 passwd 的方式。要解决起来就很简单了,关闭 gssapi-with-mac 认证就可以了:
$ ssh -o GSSAPIAuthentication=no [email protected]

要想永久生效,/etc/ssh/ssh_config 或者 ~/.ssh/config 加上:
GSSAPIAuthentication no

使用 iptables 限制网速

主要利用 limit 模块实现。 控制下载的速度:

# iptables -P FORWARD ACCEPT
# iptables -A FORWARD -m limit -d 10.18.101.0/24 --limit 600/sec -j ACCEPT
# iptables -A FORWARD -d 10.18.101.0/24 -j DROP

上面的 600 转化成速度的话,理论可以达到 900KB/s,实际测试下来偏差不大。
如果要控制上传速度,将 -d 改成 -s 即可。


实践下来,70 人的环境,会出现经常断网的情况,取消现象消失,怀疑是该模块导致,具体原因不明。

 

部分网络内核参数说明

下面是我的理解,可能有误,仅供参考。

要调优,三次/四次握手必须烂熟于心。

client                  server
(SYN_SENT)      —>  (SYN_RECV)
(ESTABLISHED)   <—     
                —>  (ESTABLISHED)

client(主动)            server
(FIN_WAIT_1)    —>    (CLOSE_WAIT)
(FIN_WAIT_2)    <—    
(TIME_WAIT)     <—    (LAST_ACK)
                —>    (CLOSED)

大家熟知的 SYN flooding/SYN spoofing 就是在 SYN_RECV 的状态下发起的进攻。这种由于 TCP/IP 协议引起的缺陷只能防治而不好根治,除非换了 TCP/IP。通过下面的方式,可以在一定程度上缓解 DDOS 攻击。

  • 增大半连接的队列,即 backlog queue
  • 人工干预以减少 SYS_RECV 的时间,可以降低第一个重传包的时间或者减少重传的次数

检测 SYN 攻击,可以使用 netstat 命令查看当前的连接类型以及连接数目,如果发现有大量的 SYN_RECV,就值得怀疑了:
$ netstat -tuna | grep :80 | awk '{print $6}' | sort | uniq -c
Continue reading

关于 sudo 的两个错误

$ sudo echo 1 > /proc/sys/net/ipv4/ip_forward
bash: /proc/sys/net/ipv4/ip_forward: Permission denied

权限问题,但是使用了 sudo 了,为什么权限还是不行?
G 了之后发现,">"/">>" 也就是重定向的这两个符号也是 bash 的命令,sudo 之后只有 echo 有了 root 权限,> 并没有 root 权限。几种解决方式。

1.转变为 root 之后执行

$ su -

2.通过 sh -c 执行

$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
-c:Read commands from the command_string operand. Set the value of special parameter 0 (see  Special  Parameters  )  from  the value of the command_name operand and the positional parameters ($1, $2, and so on) in sequence from the remaining argument operands. No commands shall be read from the standard input.

3.pipe + tee

$ echo "1 " | sudo tee /proc/sys/net/ipv4/ip_forward

注意:tee 还有个 -a 选项,append 的意思,等同于 ">>",不加参数即 ">"


Continue reading