Category archive: Linux

Password expiry for a Linux account

This morning I saw an alert that the backup had failed. On checking, I found that no backup job had been launched at all today, and listing the cron jobs returned an error:

[oracle@ ~]$ crontab -l

Authentication token is no longer valid; new one required
You (oracle) are not allowed to access to (crontab) because of pam configuration.

The message says the oracle user failed authentication and is therefore not allowed to run crontab, which points to the PAM configuration.

Check the secure log for the specific error:

vim /var/log/secure

su: pam_unix(su-l:session): session opened for user oracle by (uid=0)
su: pam_unix(su-l:session): session closed for user oracle
su: pam_unix(su-l:session): session closed for user oracle
su: pam_unix(su-l:session): session opened for user oracle by root(uid=0)
crontab: pam_unix(crond:account): expired password for user oracle (password aged)

So the oracle account's password has expired.

/etc/shadow stores each Linux user's password hash together with the account's other attributes, including its aging settings:

oracle:$6$w/9VcJHK$h767lV6RlyMu:17974:1:90:7:::

The password aging information consists of six fields, as seen in the /etc/shadow entry: for example, a 90-day maximum age and a warning starting 7 days before expiry. These attributes can be changed by editing the file directly, but that is not recommended; use the chage command instead, which sets the password expiry values.

List the user's current aging information:

[root@ cron]# chage -l oracle
Last password change                    : Mar 19, 2019
Password expires                    : Jun 23, 2019
Password inactive                   : never
Account expires                     : never
Minimum number of days between password change      : 1
Maximum number of days between password change      : 90
Number of days of warning before password expires   : 7

The expiry limit can be disabled here:

[root@ cron]# chage oracle
Changing the aging information for oracle
Enter the new value, or press ENTER for the default

    Minimum Password Age [1]: 0
    Maximum Password Age [90]: 99999
    Last Password Change (YYYY-MM-DD) [2019-03-19]: 
    Password Expiration Warning [7]: 
    Password Inactive [-1]: 
    Account Expiration Date (YYYY-MM-DD) [-1]:

# Check the aging information again
[root@ cron]# chage -l oracle
Last password change                    : Mar 19, 2019
Password expires                    : never
Password inactive                   : never
Account expires                     : never
Minimum number of days between password change      : 0
Maximum number of days between password change      : 99999
Number of days of warning before password expires   : 7

# crontab -l now works
[oracle@ ~]$ crontab -l
00  17  *  *  2,6  /backup/rman_level0.sh 2>/dev/null
00  17  *  *  1,3,4,5,7  /backup/rman_level1.sh 2>/dev/null
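As an added illustration (not code from the original post), the following reproduces the decision pam_unix made above from the six aging fields of an /etc/shadow entry: given an entry and a date it reports whether the password is fine, inside the warning window, expired, or past the inactivity grace period. The shadow entries below are constructed samples.

```python
import datetime as dt

EPOCH = dt.date(1970, 1, 1)
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")

def parse_shadow(line):
    """Split one /etc/shadow line into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    return dict(zip(FIELDS, fields))

def _days(value):
    """Numeric field; empty means 'not set', which getspnam() reports as -1."""
    return int(value) if value.strip() else -1

def aging_status(line, today):
    """Classify one shadow entry on `today` (date or ISO string) in the order
    pam_unix's account check applies: must-change, ok, warn, expired, inactive.
    Returns (state, expiry) with expiry as 'YYYY-MM-DD' or None."""
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    f = parse_shadow(line)
    lastchg, max_days = _days(f["lastchg"]), _days(f["max"])
    warn, inactive = _days(f["warn"]), _days(f["inactive"])
    cur = (today - EPOCH).days
    if lastchg == 0:                   # lastchg 0 forces a change at next login
        return "must-change", None
    # Mirror chage -l, which prints "never" for an unset change date or max >= 10000
    # (the 99999 used above); a change date in the future is not aged either.
    if lastchg < 0 or max_days < 0 or max_days >= 10000 or cur < lastchg:
        return "ok", None
    expiry = (EPOCH + dt.timedelta(days=lastchg + max_days)).isoformat()
    aged = cur - lastchg
    if aged > max_days and inactive >= 0 and aged > max_days + inactive:
        return "inactive", expiry      # pam: "account expired" (grace period used up)
    if aged > max_days:
        return "expired", expiry       # pam: "expired password ... (password aged)"
    if warn >= 0 and aged > max_days - warn:
        return "warn", expiry          # inside the warning window
    return "ok", expiry

# Constructed entries (hash truncated as on the page): changed on day 17900
# (2019-01-04), min 1, max 90, warn 7, following the shadow layout shown above.
SAMPLE_AGED = "oracle:$6$w/9VcJHK$h767lV6RlyMu:17900:1:90:7:::"
SAMPLE_NO_AGING = "oracle:$6$w/9VcJHK$h767lV6RlyMu:17900:0:99999:7:::"

if __name__ == "__main__":
    for day in ("2019-03-01", "2019-04-01", "2019-04-05"):
        print(day, aging_status(SAMPLE_AGED, day))
```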

Building a local yum repository

I am about to rebuild the latest Zabbix 4.2, Ansible and so on, and it is obviously much more convenient to install such software through yum, which also makes it easier to manage and upgrade later. The company has over a thousand machines, almost all of them on the internal network, so a local repository is needed. The one built earlier was not very complete, so this is an opportunity to redo it and cover as much of the everyday software as possible.

First, naturally, a machine with Internet access is needed:

yum -y install createrepo
yum -y install yum-utils

MySQL repo

Our environment only has Red Hat 6 and 7, so syncing MySQL 5.7 is enough:

wget http://dev.mysql.com/get/mysql57-community-release-el7-9.noarch.rpm
rpm -ivh mysql57-community-release-el7-9.noarch.rpm  --nodeps --force

This adds two repo files:

mysql-community-source.repo
mysql-community.repo

Sync the repos to the local machine:

reposync -r   mysql-connectors-community
reposync -r   mysql-tools-community
reposync -r   mysql57-community

Merge the three resulting directories into one, then create the repository metadata:

cd /repodata/data/mysql/7
createrepo .

# If some packages are updated later, only the metadata needs refreshing
createrepo --update .

Nginx repo

rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

reposync -r nginx

cd /repodata/data/nginx/7
createrepo .

pip repo

Create the pip repo directory:

mkdir -p /repodata/data/pypi
cd /repodata/data/pypi

Install pip2pi:

pip install pip2pi

The packages to be installed can be listed together in a requirements.txt file:

pip2pi /repodata/data/pypi -r requirements.txt

A single package, e.g. pymysql, can also be added on its own:

pip2pi /repodata/data/pypi pymysql

A simple directory and the downloaded files appear in the target directory:

[root@localhost pypi]# ll
total 52
-rw-r--r-- 1 root root 47738 May 19 16:00 PyMySQL-0.9.3-py2.py3-none-any.whl
drwxr-xr-x 3 root root  4096 May 19 16:00 simple

Build the index:

dir2pi /repodata/data/pypi

The repo is now ready; the other machines only need to be pointed at its address.

Edit ~/.pip/pip.conf:

[global]
index-url = https://127.0.0.1/pypi/simple/
[install]
trusted-host= 127.0.0.1

Installing pymysql from an intranet machine:

[root@localhost .pip]# pip install pymysql
Collecting pymysql
  Downloading http://127.0.0.1/pypi/simple/pymysql/PyMySQL-0.9.3-py2.py3-none-any.whl (47kB)
    100% |████████████████████████████████| 51kB 43.7MB/s 
Installing collected packages: pymysql
Successfully installed pymysql-0.9.3

Internet repos

Here the Zabbix, EPEL and CentOS repos are synced over the Internet (CentOS because some packages are missing from the bundled Red Hat repos and can only be obtained from the CentOS repos).
A shell script connects to the public rsync servers and is run from cron to sync periodically:

#!/bin/bash
# Sync EPEL, CentOS and Zabbix from public rsync mirrors into the local repo tree.
RsyncPerm='-avSH --delete-after --no-iconv --bwlimit=5000'
Redhat_6_epel='/repodata/data/epel/6'
Redhat_7_epel='/repodata/data/epel/7'
Redhat_6_zabbix='/repodata/data/zabbix/6'
Redhat_7_zabbix='/repodata/data/zabbix/7'
zabbix_nosupport='/repodata/data/zabbix/non-supported'
Centos_6='/repodata/data/centos/6'
Centos_7='/repodata/data/centos/7'
pypi='/repodata/data/pypi'
LogFile='/repodata/log'          # log directory; one file per day is written into it
Date=$(date +%Y-%m-%d)
mkdir -p "$LogFile"

# Must be called immediately after rsync: $? at function entry is still rsync's exit status.
function CheckStatus(){
if [ $? -eq 0 ];then
    echo "Rsync is success!" >>"$LogFile/$Date.log"
else
    echo "Rsync is fail!" >>"$LogFile/$Date.log"
fi
}

# $RsyncPerm is deliberately unquoted so that it expands into separate options.
###rsync epel
date >>"$LogFile/$Date.log"
echo 'Now start to rsync redhat 6 epel!' >>"$LogFile/$Date.log"
rsync $RsyncPerm rsync://mirrors.ustc.edu.cn/epel/6/x86_64/ "$Redhat_6_epel" >>"$LogFile/$Date.log"
CheckStatus

date >>"$LogFile/$Date.log"
echo 'Now start to rsync redhat 7 epel!' >>"$LogFile/$Date.log"
rsync $RsyncPerm rsync://mirrors.ustc.edu.cn/epel/7/x86_64/ "$Redhat_7_epel" >>"$LogFile/$Date.log"
CheckStatus

###rsync centos
date >>"$LogFile/$Date.log"
echo 'Now start to rsync centos 6 !' >>"$LogFile/$Date.log"
rsync $RsyncPerm rsync://mirrors.163.com/centos/6/os/x86_64/ "$Centos_6" >>"$LogFile/$Date.log"
CheckStatus

date >>"$LogFile/$Date.log"
echo 'Now start to rsync centos 7 !' >>"$LogFile/$Date.log"
rsync $RsyncPerm rsync://mirrors.163.com/centos/7/os/x86_64/ "$Centos_7" >>"$LogFile/$Date.log"
CheckStatus

###rsync zabbix
date >>"$LogFile/$Date.log"
echo 'Now start to rsync redhat 6 zabbix!' >>"$LogFile/$Date.log"
rsync $RsyncPerm rsync://repo.zabbix.com/mirror/zabbix/4.2/rhel/6/x86_64/ "$Redhat_6_zabbix" >>"$LogFile/$Date.log"
CheckStatus

date >>"$LogFile/$Date.log"
echo 'Now start to rsync redhat 7 zabbix!' >>"$LogFile/$Date.log"
rsync $RsyncPerm rsync://repo.zabbix.com/mirror/zabbix/4.2/rhel/7/x86_64/ "$Redhat_7_zabbix" >>"$LogFile/$Date.log"
CheckStatus

date >>"$LogFile/$Date.log"
echo 'Now start to rsync no-support zabbix!' >>"$LogFile/$Date.log"
rsync $RsyncPerm rsync://repo.zabbix.com/mirror/non-supported "$zabbix_nosupport" >>"$LogFile/$Date.log"
CheckStatus
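The sync script only records rsync's exit status. An added check (example code, not from the post or from createrepo) that a synced or freshly created repo is internally consistent is to verify the checksums recorded in repodata/repomd.xml, the index file createrepo writes: every listed file must exist and match its digest. The sample tree below is constructed in a temporary directory and uses the repomd.xml element layout createrepo produces.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}
ALGO = {"sha": "sha1"}   # old createrepo wrote type="sha" for SHA-1

def file_digest(path, algo):
    h = hashlib.new(ALGO.get(algo, algo))
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_repomd(repo_root):
    """Check each <data> entry of repodata/repomd.xml against the file it names.
    Returns {data_type: "OK" | "MISSING" | "MISMATCH"}; anything but OK means an
    incomplete sync or metadata altered after createrepo ran."""
    root = ET.parse(os.path.join(repo_root, "repodata", "repomd.xml")).getroot()
    results = {}
    for data in root.findall("repo:data", NS):
        checksum = data.find("repo:checksum", NS)
        path = os.path.join(repo_root, data.find("repo:location", NS).get("href"))
        if not os.path.isfile(path):
            results[data.get("type")] = "MISSING"
        elif file_digest(path, checksum.get("type")) != checksum.text.strip():
            results[data.get("type")] = "MISMATCH"
        else:
            results[data.get("type")] = "OK"
    return results

def build_sample_repo(corrupt=False):
    """Constructed stand-in for a createrepo tree (not real metadata): a primary
    file listed correctly and a filelists entry whose file is absent."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "repodata"))
    primary = os.path.join(root, "repodata", "primary.xml.gz")
    with open(primary, "wb") as fh:
        fh.write(b"sample primary metadata")
    xml = ('<repomd xmlns="http://linux.duke.edu/metadata/repo">'
           '<data type="primary"><checksum type="sha256">%s</checksum><location href="repodata/primary.xml.gz"/></data>'
           '<data type="filelists"><checksum type="sha256">%s</checksum><location href="repodata/filelists.xml.gz"/></data>'
           '</repomd>') % (file_digest(primary, "sha256"), "0" * 64)
    with open(os.path.join(root, "repodata", "repomd.xml"), "w") as fh:
        fh.write(xml)
    if corrupt:                      # simulate a truncated or tampered file after indexing
        with open(primary, "ab") as fh:
            fh.write(b"garbage")
    return root
```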

Configuring a DNS server on OEL7

When building a RAC, choosing several SCAN IPs means a DNS server has to be configured; with several virtual machines, one of them can also serve as a shared DNS server.

Install the relevant packages:

[root@xb ~]# yum install bind* -y
Loaded plugins: refresh-packagekit
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.68.rc1.el6_10.1 will be installed
---> Package bind-chroot.x86_64 32:9.8.2-0.68.rc1.el6_10.1 will be installed
---> Package bind-devel.x86_64 32:9.8.2-0.68.rc1.el6_10.1 will be installed
---> Package bind-dyndb-ldap.x86_64 0:2.3-8.el6 will be installed
---> Package bind-libs.x86_64 32:9.8.2-0.68.rc1.el6_10.1 will be installed
---> Package bind-sdb.x86_64 32:9.8.2-0.68.rc1.el6_10.1 will be installed
---> Package bind-utils.x86_64 32:9.8.2-0.68.rc1.el6_10.1 will be installed
--> Finished Dependency Resolution

Main files

/etc/named                 # named directory
/etc/named.conf            # main configuration file
/etc/rc.d/init.d/named     # init script that starts BIND at boot
/usr/sbin/named            # the named daemon binary
/usr/sbin/rndc             # tool for remotely controlling the named process
/usr/sbin/rndc-confgen     # tool for generating the rndc key
/usr/share/doc/bind-9.8.2  # documentation and example files
/usr/share/man/man5/       # manual pages
/usr/share/man/man8/       # manual pages
/var/named                 # default directory for BIND zone files
/var/run/named             # directory holding the named PID file

Edit named.conf:

options {
        listen-on port 53 { any; };       
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

... (omitted)
zone "oracle.com" IN {
        type master;
        file "oracle.com.zone";
        allow-transfer {192.0.2.1;};
};
zone "2.0.192.in-addr.arpa" IN {
        type master;
        file "2.0.192.in-addr.arpa.zone";
};

Two zones are added: oracle.com.zone is the forward zone and 2.0.192.in-addr.arpa.zone the reverse zone; both files live under /var/named/.

Configure oracle.com.zone:

$TTL    86400
@                SOA           oracle.com.       root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
@             NS              dns.oracle.com.
dns           A               192.0.2.20
rac1          A               192.0.2.11
rac2          A               192.0.2.12
rac-scan      A               192.0.2.15
rac-scan      A               192.0.2.16
rac-scan      A               192.0.2.17
rac1-vip      A               192.0.2.13
rac2-vip      A               192.0.2.14

Configure 2.0.192.in-addr.arpa.zone:

$TTL    86400
@       IN      SOA     oracle.com. root.dns.oracle.com.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      dns.oracle.com.
11     IN      PTR     rac1.oracle.com.
12     IN      PTR     rac2.oracle.com.
13     IN      PTR     rac1-vip.oracle.com.
14     IN      PTR     rac2-vip.oracle.com.
15     IN      PTR     rac-scan.oracle.com.
16     IN      PTR     rac-scan.oracle.com.
17     IN      PTR     rac-scan.oracle.com.
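A consistency check for the two zones, added here as an example and not part of the original post or of BIND: every A record should have a PTR pointing back at the same name, and every PTR an A record. The zone texts are constructed copies of a few records from above; the last PTR deliberately uses the unqualified form "rac-scan." (a trailing dot makes a name absolute, so it never becomes rac-scan.oracle.com) to show what the check reports.

```python
import re

def zone_records(text, rtype):
    """Return (owner, rdata) for every `rtype` record in zone-file text: strips ';'
    comments, folds multi-line "( ... )" rdata such as the SOA away, skips $-directives,
    and lets an indented line inherit the owner of the line before it."""
    flat = re.sub(r"\([^)]*\)", "",
                  "\n".join(l.split(";", 1)[0].rstrip() for l in text.splitlines()))
    owner, out = None, []
    for line in flat.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0)
        while tokens and (tokens[0] == "IN" or tokens[0].isdigit()):
            tokens.pop(0)                     # optional class / TTL
        if len(tokens) >= 2 and tokens[0] == rtype:
            out.append((owner, tokens[1]))
    return out

def fqdn(name, origin):
    """'@' is the origin, a trailing dot is absolute, anything else is relative."""
    if name == "@":
        return origin.lower()
    return (name[:-1] if name.endswith(".") else name + "." + origin).lower()

def ptr_mismatches(fwd_text, fwd_origin, rev_text, rev_origin):
    """List every A record whose PTR is absent or differs, and every PTR with no A."""
    forward = {(fqdn(o, fwd_origin), ip) for o, ip in zone_records(fwd_text, "A")}
    reverse = {}
    for owner, target in zone_records(rev_text, "PTR"):
        labels = fqdn(owner, rev_origin).split(".")   # 16.2.0.192.in-addr.arpa
        reverse[".".join(reversed(labels[:-2]))] = fqdn(target, rev_origin)
    findings = ["A %s -> %s has PTR %s" % (n, ip, reverse.get(ip, "none"))
                for n, ip in sorted(forward) if reverse.get(ip) != n]
    known = {ip for _, ip in forward}
    findings += ["PTR %s -> %s has no A record" % (ip, n)
                 for ip, n in sorted(reverse.items()) if ip not in known]
    return findings

# Constructed zones modelled on the ones above (a subset of the records).
FWD_ORIGIN, REV_ORIGIN = "oracle.com", "2.0.192.in-addr.arpa"
FWD = """@ SOA oracle.com. root ( 42 ; serial
          3H 15M 1W 1D )
rac-scan A 192.0.2.15
rac-scan A 192.0.2.16
"""
REV = """@ IN SOA oracle.com. root.dns.oracle.com. ( 1 3H 15M 1W 1D )
  IN NS dns.oracle.com.
15 IN PTR rac-scan.oracle.com.
16 IN PTR rac-scan.  ; should be rac-scan.oracle.com.
"""
```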

Edit /etc/resolv.conf:

# Generated by NetworkManager
search oracle.com
nameserver 192.0.2.20

Verification

[root@xb etc]# ping rac1.oracle.com
PING rac1.oracle.com (192.0.2.11) 56(84) bytes of data.
64 bytes from rac1.oracle.com (192.0.2.11): icmp_seq=1 ttl=64 time=1.19 ms
64 bytes from rac1.oracle.com (192.0.2.11): icmp_seq=2 ttl=64 time=0.390 ms
64 bytes from rac1.oracle.com (192.0.2.11): icmp_seq=3 ttl=64 time=0.468 ms
^C
--- rac1.oracle.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2594ms
rtt min/avg/max/mdev = 0.390/0.683/1.192/0.361 ms
[root@xb etc]# nslookup rac-scan
Server:     192.0.2.20
Address:    192.0.2.20#53

Name:   rac-scan.oracle.com
Address: 192.0.2.15
Name:   rac-scan.oracle.com
Address: 192.0.2.16
Name:   rac-scan.oracle.com
Address: 192.0.2.17