作者归档:admin

python2 pip 安装和升级的问题

一些古老的代码是基于python2的, 需要安装一些模块的时候发现提示出错了

#pip install requests

You are using pip version 7.1.0, however version 23.1.2 is available.
You should consider upgrading via the ‘pip install –upgrade pip’ command.
Collecting requests
/usr/lib/python2.6/site-packages/pip/vendor/requests/packages/urllib3/util/ssl.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
/usr/lib/python2.6/site-packages/pip/vendor/requests/packages/urllib3/util/ssl.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning

看提示是SSL 协商失败了, 嗯嗯, 猜测是pip的SSL版本过于旧, 需要升级下pip,结果又失败了

#pip install –upgrade pip

You are using pip version 7.1.0, however version 23.1.2 is available.
You should consider upgrading via the ‘pip install –upgrade pip’ command.
Collecting pip
Using cached https://files.pythonhosted.org/packages/fa/ee/74ff76da0ab649eec7581233daeb43d8aa35383d8f75317b2ab3b80c922f/pip-23.1.2.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File “”, line 20, in
File “/tmp/pip-build-p1lQDp/pip/setup.py”, line 7
def read(rel_path: str) -> str:
^
SyntaxError: invalid syntax

----------------------------------------

Command “python setup.py egg_info” failed with error code 1 in /tmp/pip-build-p1lQDp/pip

其实多年以前pip的在线安装和升级已经不支持python2了, 需要手工升级下

https://bootstrap.pypa.io/pip/2.7/get-pip.py

https://bootstrap.pypa.io/pip/2.6/get-pip.py

这两个分别是python的2.6 和 2.7版本的pip手工升级包, 当前时间的版本应该是pip-20.3.4, 下载后用python执行就可以自动升级pip了, 然后安装其他模块也没有问题

SecureCRT 7.2.6在MacOS 13 Ventura不兼容

Version 7.2.6在用的SecureCRT是这个版本, 升级到MacOS Ventura就直接crash了

点击报告看看详细信息: Library not loaded: /System/Library/Frameworks/Python.framework/Versions/2.5/Python

发现是丢失了python 依赖, 原来这个版本开始移除了默认的python2

解决办法比较简单: 新安装一个2.7版本的:

https://www.python.org/ftp/python/2.7/python-2.7-macosx10.3.dmg

安装完毕后新开一个terminal:

% which python

/Library/Frameworks/Python.framework/Versions/2.7/bin/python

%cd /Library/Frameworks/Python.framework/Versions/

%sudo ln -s 2.7 2.5

这是新建个软链欺骗下系统, 因为2.5 和 2.7 的python没有太大的区别

然后打开 SecureCRT, 发现就一切OK了

nginx range回源 和 range slice回源

range request in nginx reverse proxy

nginx proxy_cache 模式下是否支持range, 取决于源站是否返回了: Accept-Range Header 

在源站没有明确支持range的请求下, 即便nginx cache 了整个文件, 也不会响应任何range 请求, 会返回整个文件

这个行为方式可以通过 修改proxy_force_range on;来修改

Syntax:proxy_force_ranges on | off;
Default:proxy_force_ranges off;
Context:httpserverlocation

This directive appeared in version 1.7.7.

Enables byte-range support for both cached and uncached responses from the proxied server regardless of the “Accept-Ranges” field in these responses.

nginx 有个特殊的模块叫做http_slice_module, 可以支持分片回源

比如如下配置, 会以1M为文件块跟源站回源, 并存成多份1M分割的cache

slice              1m;

    proxy_cache_key    $host$uri$slice_range;

    proxy_set_header   Range $slice_range;

    proxy_http_version 1.1;

    proxy_cache_valid 200  206 300m;

从测试看, 即便开启了proxy_force_range on和slice range 回源, 在源站没有明确返回Accept-Range的情况下, nginx 依然不会使用slice range回源, 保持了良好的适配性

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_force_ranges

https://forum.nginx.org/read.php?2,281946,281946#msg-281946

proxy_pass 建议写法

            location /v {
                proxy_pass https://gs.x.sohu.com;
            }
看个简单的例子, 一般为了方便我们会直接把域名写在proxy_pass的后边, 这会导致当这个域名无法解析的时候,比如机房下线了,比如第三方回源的域名被摘掉了, 导致nginx restart失败
建议的写法是:
                location /v {
                     set $new_host "gs.x.sohu.com";
                     proxy_pass https://$new_host;
                }
两者的不同之处在于: 
1. proxy_pass直接跟域名的话, 会且只会在nginx 服务起来的时候解析一次, 失败则起不来
2. proxy_pass跟一个域名变量的话, 是调用resolver的, 跟随resolver的配置, 包括有效时间等, 有请求的时候才解析, 失败了也不影响全局服务

Meanings of fields in /proc/net/dev?

seq_printf(seq, "%6s:%8lu %7lu %4lu %4lu %4lu %5lu %10lu %9lu "
       "%8lu %7lu %4lu %4lu %4lu %5lu %7lu %10lu\n",
       dev->name,
       stats->rx_bytes,
       stats->rx_packets,
       stats->rx_errors,
       stats->rx_dropped + stats->rx_missed_errors,
       stats->rx_fifo_errors,
       stats->rx_length_errors + stats->rx_over_errors +
        stats->rx_crc_errors + stats->rx_frame_errors,
       stats->rx_compressed,
       stats->multicast,
       stats->tx_bytes,
       stats->tx_packets,
       stats->tx_errors,
       stats->tx_dropped,
       stats->tx_fifo_errors,
       stats->collisions,
       stats->tx_carrier_errors + stats->tx_aborted_errors +
        stats->tx_window_errors + stats->tx_heartbeat_errors,
       stats->tx_compressed);

ffmpeg剪辑视频

标准例子:

ffmpeg -i input.mp4 -ss 01:19:27 -to 02:18:51 -c copy output.mp4

这里-ss 表示开始时间, -to 表示结束时间

从开始位置截取多少时长的内容:

ffmpeg -i input.mp4 -ss 00:01:10 -t 00:01:05 -c copy output.mp4

这里引用了-t : duration 参数, 控制了截取视频的时长

那么, 以上做法有什么缺点么?

有的, 一个是慢, 一直在seeking 那个时间的样子, 另一个是画面容易在开始时候黑屏

优化方式:

ffmpeg -ss 01:19:27 -i input.mp4 -to 02:18:51 -c copy output.mp4

这里的技巧是把-ss提前了, 相当于让ffmpeg索引到关键帧, 缺点是会重置时间, 所以这里的-to 参数就相当于-t duration了

参考文档:

https://www.arj.no/2018/05/18/trimvideo/

openssl 探测证书过期时间

true | openssl s_client -connect IP:443 -servername hostname 2>&1 | openssl x509 -noout -text -certopt no_header,no_signame,no_pubkey,no_sigdump,no_aux

这边一直都是用这个来探测证书的健康的, 在内网的使用还可以, 在公网探测中就很容易出现僵死的情况

后来在sererfault.com查到可以用timeout + 命令来解决

https://serverfault.com/questions/361464/is-it-possible-to-set-a-timeout-on-openssls-s-client-command

测试时发现”timeout 5 true | openssl …” 的管道会失败, 在公网的探测就傻兮兮的只能用了

timeout 5 openssl s_client -connect IP:443 -servername hostname 2>&1 | openssl x509 -noout -text -certopt no_header,no_signame,no_pubkey,no_sigdump,no_aux

缺点是每条指令都要等5秒, 当然, 结合多进程问题也不是太大…

直到今天, 才发现自己摆了个乌龙, 可以使用timeout 5 bash -c “true | openssl s_client… “, true可以处理实时正常结果, timeout可以处理异常结果

timeout 5 bash -c "true | openssl s_client -connect IP:443 -servername hostname 2>&1 | openssl x509 -noout -text -certopt no_header,no_signame,no_pubkey,no_sigdump,no_aux "

aws lightsail ipv6 路由问题

OS 为: amazon linux 2, 当开启ipv6.forwarding的时候, 发现路由就不通了

sysctl -w net.ipv6.conf.all.forwarding=1

#ping6 www.qq.co

connect: Network is unreachable

netstat -nr6 也能看到没有default route, 此时ipv6地址也无法被外部访问

如果关闭ipv6 forwarding, 那么就有默认路由, 也能ping通外部和被访问

::/0 fe80::7c:6bff:feef:ca54 UGDAe 1024 2 9 eth0

能看到路由有一个很特别的标志UGDAe, UpGatewayDynamicAllonlinkExpires

E(e): It maps to RTF_EXPIRES. It means the route has a non-infinite lifetime. In this case, the kernel probably learned the route dynamically from a RA (Router Advertisement).

这个路由其实是动态广播的, 那么这个现象就跟一个参数有关了

net.ipv6.conf.interface.accept_ra

Accept Router Advertisements; autoconfigure using them.

It also determines whether or not to transmit Router Solicitations. If and only if the functional setting is to accept Router Advertisements, Router Solicitations will be transmitted.

Possible values are: 0 Do not accept Router Advertisements. 1 Accept Router Advertisements if forwarding is disabled. 2 Overrule forwarding behaviour. Accept Router Advertisements even if forwarding is enabled.

Functional default: enabled if local forwarding is disabled. disabled if local forwarding is enabled.

Nb: per interface setting (where “interface” is the name of your network interface); “all” is a special interface: changes the settings for all interfaces

默认系统这个参数是1, 当开启forwarding的时候, 不接受路由广播, 所以这个场合, 应该修改为2, Accept Router Advertisements even if forwarding is enabled.

sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.eth0.accept_ra=2

备注:

 UP U
 GATEWAY G
 REJECT !
 HOST H
 REINSTATE R
 DYNAMIC D
 MODIFIED M
 DEFAULT d
 ALLONLINK a
 ADDRCONF c
 NONEXTHOP o
 EXPIRES e
 CACHE c
 FLOW f
 POLICY p
 LOCAL l
 MTU u
 WINDOW w
 IRTT i
 NOTCACHED n