2024-05-29
LinuxNotes


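1. On two VMs, add a user named nebula on each and configure both servers so that the nebula user can log in over SSH to the other without a password (host A can log in to B as nebula without a password, and B can log in to A the same way)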

  1. Create two virtual machines, node01 and node02
```bash
[root@node01 ~]# rpm -q --qf '%{INSTALLTIME} (%{INSTALLTIME:date}) %{NAME}\n' basesystem
1716963602 (Wed 29 May 2024 02:20:02 PM CST) basesystem
[root@node02 ~]# rpm -q --qf '%{INSTALLTIME} (%{INSTALLTIME:date}) %{NAME}\n' basesystem
1716963663 (Wed 29 May 2024 02:21:03 PM CST) basesystem
```
  2. Disable SELinux
```bash
[root@node01 ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@node01 ~]# reboot

[root@node02 ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@node02 ~]# reboot
```
  3. Add the user nebula on each VM and set its password
```bash
[root@node01 ~]# useradd nebula
[root@node01 ~]# passwd nebula
Changing password for user nebula.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

[root@node02 ~]# useradd nebula
[root@node02 ~]# passwd nebula
Changing password for user nebula.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
```
  4. Switch to the nebula user on each VM and generate an SSH public/private key pair
```bash
[root@node01 ~]# su - nebula
[nebula@node01 ~]$ ls
[nebula@node01 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/nebula/.ssh/id_rsa): 
Created directory '/home/nebula/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/nebula/.ssh/id_rsa.
Your public key has been saved in /home/nebula/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:z958W8JSCuZCexViLJVbVWtiMY04TcJI8k6Rhv36biw nebula@node01
The key's randomart image is:
+---[RSA 2048]----+
| .+o=o+=+..|
| .oBo+ooo..|
| oo=ooo o |
| oo.o..o |
| S.+ . . |
| . B o + |
| o B o o .|
| E * ..o |
| =.o... |
+----[SHA256]-----+
[nebula@node01 ~]$ cd .ssh/
[nebula@node01 .ssh]$ ls
id_rsa  id_rsa.pub

[root@node02 ~]# su - nebula
[nebula@node02 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/nebula/.ssh/id_rsa): 
Created directory '/home/nebula/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/nebula/.ssh/id_rsa.
Your public key has been saved in /home/nebula/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:gs0yhzh3dYuuf23FrtpEbbeO0z+SXF+9ezWmm5vCWlc nebula@node02
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| . . |
| . = . o . . |
| o * * S . ..oEo|
| o = o . .+==|
| . .oo+*.*|
| . o=+**+o|
| ...ooo+B=o*|
+----[SHA256]-----+
[nebula@node02 ~]$ cd .ssh/
[nebula@node02 .ssh]$ ls
id_rsa  id_rsa.pub
```
  5. Copy the SSH public keys of node01 and node02 to each other
```bash
[nebula@node01 .ssh]$ ssh-copy-id -i id_rsa.pub nebula@192.168.12.134
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
The authenticity of host '192.168.12.134 (192.168.12.134)' can't be established.
ECDSA key fingerprint is SHA256:3BDpWdiCL2UTGz/489JwVoRQDodw6rsm23ZEwAj2Kiw.
ECDSA key fingerprint is MD5:cb:3e:dd:3a:86:7f:1d:fd:47:7c:a4:cd:7f:84:5b:eb.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
nebula@192.168.12.134's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'nebula@192.168.12.134'"
and check to make sure that only the key(s) you wanted were added.

[nebula@node02 .ssh]$ ssh-copy-id -i id_rsa.pub nebula@192.168.12.133
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
The authenticity of host '192.168.12.133 (192.168.12.133)' can't be established.
ECDSA key fingerprint is SHA256:itBAPXVOUAtA108MHSR1DPhckHRHKUNZ4tD2JgRyoTU.
ECDSA key fingerprint is MD5:9e:a3:46:02:7d:20:61:b5:0c:14:4e:fc:2c:e8:83:39.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
nebula@192.168.12.133's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'nebula@192.168.12.133'"
and check to make sure that only the key(s) you wanted were added.
```
  • Test
```bash
[nebula@node01 .ssh]$ ssh nebula@192.168.12.134
Last login: Wed May 29 14:31:35 2024
[nebula@node02 ~]$ 

[nebula@node02 .ssh]$ ssh nebula@192.168.12.133
Last login: Wed May 29 14:32:19 2024
[nebula@node01 ~]$ 
```
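ssh-copy-id ends by asking you to "check to make sure that only the key(s) you wanted were added". The following added example (not part of the original notes) does that check: it computes the same `SHA256:` fingerprint that ssh-keygen prints for every entry of an authorized_keys file and reports entries that are not expected. The key lines are constructed samples, and the function names are this example's own.

```python
import base64, hashlib, struct

def constructed_key_line(comment, fill):
    """Build a fake ssh-ed25519 public-key line (constructed sample, not a real key)."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", 32) + bytes([fill]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint(line):
    """Return (fingerprint, comment) in the SHA256:... form ssh-keygen prints."""
    fields = line.split()
    # Skip any leading options field; the key type is the first ssh-/ecdsa-/sk- token.
    i = next(n for n, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(fields[i + 1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[i].encode():
        raise ValueError("declared key type does not match the encoded key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest, " ".join(fields[i + 2:])

def unexpected_keys(authorized_keys_text, expected_fingerprints):
    """List (fingerprint, comment) for every entry that is not an expected key."""
    extra = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp, comment = fingerprint(line)
        if fp not in expected_fingerprints:
            extra.append((fp, comment))
    return extra

# Constructed authorized_keys for nebula on node02: the key copied from node01
# plus one entry nobody asked for.
NODE01_KEY = constructed_key_line("nebula@node01", 0x11)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    NODE01_KEY,
    'from="192.168.12.0/24" ' + constructed_key_line("unknown@elsewhere", 0x22),
])

if __name__ == "__main__":
    wanted = {fingerprint(NODE01_KEY)[0]}
    for fp, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, wanted):
        print("unexpected key:", fp, comment)
```

On a real host, pass the contents of `/home/nebula/.ssh/authorized_keys` and the fingerprint shown by `ssh-keygen` on the other node as the expected set.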

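2. On one of the VMs, set up an rsync server and create two modules that manage two directories (/data/html and /data/database).

Requirement 1: the /data/html module is managed by the root user; the /data/database module must be managed by the nebula user.
Requirement 2: rsync must be restricted so that only the other VM, that single host, can connect; all other hosts must be refused.
Requirement 3: create two rsync client users that authenticate with a password and are used to upload files, upload directories, and download files to and from these two modules. These two rsync client users must not be allowed to delete files in the two directories.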

  1. Install rsync on node01 and node02
```bash
[root@node01 ~]# yum install rsync -y
[root@node01 ~]# rsync --version
rsync  version 3.1.2  protocol version 31
Copyright (C) 1996-2015 by Andrew Tridgell, Wayne Davison, and others.
Web site: http://rsync.samba.org/
Capabilities:
    64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints,
    socketpairs, hardlinks, symlinks, IPv6, batchfiles, inplace,
    append, ACLs, xattrs, iconv, symtimes, prealloc

rsync comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
are welcome to redistribute it under certain conditions.  See the GNU
General Public Licence for details.

[root@node02 yum.repos.d]# yum install rsync -y
[root@node02 yum.repos.d]# rsync --version
rsync  version 3.1.2  protocol version 31
Copyright (C) 1996-2015 by Andrew Tridgell, Wayne Davison, and others.
Web site: http://rsync.samba.org/
Capabilities:
    64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints,
    socketpairs, hardlinks, symlinks, IPv6, batchfiles, inplace,
    append, ACLs, xattrs, iconv, symtimes, prealloc

rsync comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
are welcome to redistribute it under certain conditions.  See the GNU
General Public Licence for details.
```
  2. Configure rsyncd.conf
```ini
# Global settings
uid = root
gid = root
fake super = yes
use chroot = yes
max connections = 4
log file = /var/log/rsync.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock

# Allowed hosts
# (rsyncd.conf only treats '#' as a comment at the start of a line,
#  so the comments sit on their own lines)
# IP address of the host that is allowed to connect
hosts allow = 192.168.12.137
# Deny access from all other hosts
hosts deny = *
refuse options = delete delete-before delete-after delete-excluded delete-delay max-delete remove-source-files force partial

# /data/html module (inherits the global uid/gid, root)
[html]
path = /data/html
comment = HTML Directory
read only = no
auth users = htmlUser
secrets file = /etc/rsyncd.secrets

# /data/database module
[database]
path = /data/database
comment = Database Directory
read only = no
# Requirement 1: this module is managed by the nebula user
uid = nebula
gid = nebula
auth users = dbUser
secrets file = /etc/rsyncd.secrets
```
  3. Create the directories and set their owner and group
```bash
[root@node01 ~]# mkdir -p /data/html /data/database
[root@node01 ~]# chown root:root /data/html
[root@node01 ~]# chown nebula:nebula /data/database
[root@node01 ~]# ll /data/
total 0
drwxr-xr-x. 2 nebula nebula 6 May 30 16:52 database
drwxr-xr-x. 2 root   root   6 May 30 16:52 html
```
  4. Configure rsyncd.secrets
```bash
[root@node01 ~]# touch /etc/rsyncd.secrets
[root@node01 ~]# ll /etc/rsyncd.secrets
-rw-r--r--. 1 root root 0 May 30 16:54 /etc/rsyncd.secrets
[root@node01 ~]# chmod 600 /etc/rsyncd.secrets
[root@node01 ~]# ll /etc/rsyncd.secrets
-rw-------. 1 root root 0 May 30 16:54 /etc/rsyncd.secrets
[root@node01 ~]# cat /etc/rsyncd.secrets
htmlUser:123456
dbUser:123456
```
  5. Open port 873 in the firewall
```bash
[root@node01 ~]# firewall-cmd --add-port=873/tcp --permanent
success
[root@node01 ~]# firewall-cmd --reload
success
[root@node01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: ssh dhcpv6-client
  ports: 873/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
```
  6. Start the rsync service
```bash
[root@node01 ~]# systemctl start rsyncd
[root@node01 ~]# systemctl status rsyncd
● rsyncd.service - fast remote file copy program daemon
   Loaded: loaded (/usr/lib/systemd/system/rsyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2024-05-30 16:58:10 CST; 5s ago
 Main PID: 14078 (rsync)
   CGroup: /system.slice/rsyncd.service
           └─14078 /usr/bin/rsync --daemon --no-detach

May 30 16:58:10 node01 systemd[1]: Started fast remote file copy program daemon.
May 30 16:58:10 node01 rsyncd[14078]: rsyncd version 3.1.2 starting, listening on port 873
```
  7. On node02, create the password files and set their permissions
```bash
[root@node02 ~]# echo "123456" > rsyncd.db.secrets
[root@node02 ~]# echo "123456" > rsyncd.html.secrets
[root@node02 ~]# chmod 600 rsyncd.html.secrets rsyncd.db.secrets
```
  • Test
  1. Upload
```bash
[root@node02 ~]# touch test11
[root@node02 ~]# rsync -avz --password-file=rsyncd.html.secrets test11 htmlUser@192.168.12.136::html
sending incremental file list
test11

sent 83 bytes  received 35 bytes  10.26 bytes/sec
total size is 0  speedup is 0.00
[root@node02 ~]# rsync -avz --password-file=rsyncd.db.secrets test11 dbUser@192.168.12.136::database
sending incremental file list
test11

sent 83 bytes  received 35 bytes  11.24 bytes/sec
total size is 0  speedup is 0.00
```
  2. Download
```bash
[root@node02 ~]# rsync -avz dbUser@192.168.12.136::database/test11 /tmp/
Password: 
receiving incremental file list
test11

sent 43 bytes  received 83 bytes  8.13 bytes/sec
total size is 0  speedup is 0.00
[root@node02 ~]# rsync -avz htmlUser@192.168.12.136::html/test1 /tmp/
Password: 
receiving incremental file list
test1

sent 43 bytes  received 84 bytes  9.41 bytes/sec
total size is 0  speedup is 0.00
```
  3. Delete (`--delete` is listed in `refuse options`, so the transfer fails)
```bash
[root@node02 ~]# rsync -avz --delete --password-file=rsyncd.html.secrets test htmlUser@192.168.12.136::html
sending incremental file list
rsync: read error: Connection reset by peer (104)
rsync error: error in socket IO (code 10) at io.c(792) [sender=3.1.2]
```
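The three requirements of this task can be checked mechanically against an rsyncd.conf. The following added example (not part of the original notes) parses the file the way the rsyncd.conf manual describes it, where `#` starts a comment only at the beginning of a line and module parameters override global ones, and reports each module that misses a requirement. `SAMPLE` is a constructed configuration with two deliberate mistakes, and the function names are this example's own.

```python
import re

# Constructed rsyncd.conf with two deliberate mistakes (not the page's file).
SAMPLE = """\
uid = root
hosts allow = 192.168.12.137   # peer VM
hosts deny = *
refuse options = delete remove-source-files
secrets file = /etc/rsyncd.secrets
[html]
auth users = htmlUser
[database]
auth users = dbUser
"""

def parse(text):
    """Return {section: {param: value}}; the '' section holds global parameters."""
    conf, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # a comment must start the line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            cur = header.group(1).strip()
            conf[cur] = {}
        elif "=" in line:
            key, value = line.split("=", 1)   # only the first '=' is significant
            conf[cur][" ".join(key.split()).lower()] = value.strip()
    return conf

def audit(text, owners):
    """owners maps module -> uid the requirements expect; returns findings."""
    conf, findings = parse(text), []
    for mod in (m for m in conf if m):
        eff = {**conf[""], **conf[mod]}       # module settings override globals
        for key, value in eff.items():
            if "#" in value:
                findings.append(f"{mod}: '{key}' has '#' inside its value")
        if eff.get("uid") != owners.get(mod):
            findings.append(f"{mod}: uid is '{eff.get('uid')}', expected '{owners.get(mod)}'")
        if not eff.get("hosts allow") or eff.get("hosts deny", "").split()[:1] != ["*"]:
            findings.append(f"{mod}: no allow-list backed by 'hosts deny = *'")
        if "delete" not in eff.get("refuse options", "").split():
            findings.append(f"{mod}: delete options are not refused")
        if not (eff.get("auth users") and eff.get("secrets file")):
            findings.append(f"{mod}: no password authentication")
    return findings
```

For this task, call `audit(open("/etc/rsyncd.conf").read(), {"html": "root", "database": "nebula"})` on the server; an empty list means all five checks passed for both modules.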

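Hints

  1. Reinstall your VM in English, English, English. Many problems will come up while you set up the services; please consult the handout first and work through them yourself, and organize and record the error messages. This will be your asset on the way to the top.
  2. Change the system's maximum PID limit to 102400 and the system's maximum file descriptor limit to 655360.
  3. While setting up the services above, check at every step whether the process exists, that process's limits information, its ports, and the file descriptors the process has open.
  4. Suppose, and note that this is a supposition, that in task 1 you find that logging in from server A to server B is very, very slow: it hangs for a long time and only occasionally succeeds, and most of the time it hangs so long that server A gives up and times out. Analyze what the possible causes are.
  • If the login never succeeds at all, what could the causes be?
    Hint 1: Following the approach I taught you and your own understanding, organize this into your own notes, then share the notes with me or paste them directly into the assignment.
    Hint 2: Look at the network, the ports, and the processes and resources on the server [pid/fd/cpu/disk, etc.]. Make sure to cover CPU consumption such as us, sy, wait, idle and si.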
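The checks in hints 2 and 3 read from `/proc`. The following added example (not part of the original notes) parses a process's limits table and the kernel's TCP socket table, then compares them with the targets from hint 2 and the rsync daemon port. It assumes the 655360 target applies to the process's open-files (nofile) limit; the two sample tables are constructed, and the function names are this example's own.

```python
import os, re

# Constructed samples in the layout of /proc/<pid>/limits and /proc/net/tcp.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max core file size        0                    unlimited            bytes
Max open files            1024                 4096                 files
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 880CA8C0:0016 890CA8C0:D2F4 01 00000000:00000000 02:0009E8B1 00000000     0        0 20002 4
"""

def parse_limits(text):
    """Map limit name -> (soft, hard); 'unlimited' becomes None."""
    limits = {}
    for line in text.splitlines()[1:]:
        cols = re.split(r"\s{2,}", line.strip())   # names contain single spaces
        if len(cols) >= 3:
            limits[cols[0]] = tuple(None if c == "unlimited" else int(c) for c in cols[1:3])
    return limits

def listening_ports(tcp_text):
    """TCP ports in LISTEN state (st == 0A); addresses and ports are hex."""
    ports = set()
    for line in tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) > 3 and f[3] == "0A":
            ports.add(int(f[1].rsplit(":", 1)[1], 16))
    return ports

def check(limits, pid_max, ports, want_nofile=655360, want_pid_max=102400, port=873):
    """Compare observed values with the hint 2 targets and the rsync daemon port."""
    problems = []
    soft = limits.get("Max open files", (0, 0))[0]
    if soft is not None and soft < want_nofile:
        problems.append(f"nofile soft limit {soft} < {want_nofile}")
    if pid_max < want_pid_max:
        problems.append(f"kernel.pid_max {pid_max} < {want_pid_max}")
    if port not in ports:
        problems.append(f"nothing listening on tcp/{port}")
    return problems

def inspect(pid):
    """Live check of one process (Linux only): open fd count plus check() results."""
    read = lambda path: open(path).read()
    limits = parse_limits(read(f"/proc/{pid}/limits"))
    problems = check(limits, int(read("/proc/sys/kernel/pid_max")), listening_ports(read("/proc/net/tcp")))
    return {"open_fds": len(os.listdir(f"/proc/{pid}/fd")), "problems": problems}
```

Run `inspect(14078)` as root with the daemon's own Main PID from `systemctl status rsyncd`. `/proc/net/tcp` lists IPv4 sockets only; IPv6 listeners appear in `/proc/net/tcp6`, which has the same column layout.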
Author: GYC


Copyright notice: Unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!