分类目录归档:技术

一次错误mv /* /path/to 操作的恢复

一次错误mv /* /path/to 操作的恢复

描述:执行mv命令的时候没有注意路径,结果把根目录下的大部分目录都挪到了一个新路径中,然后立即
出错命令不能继续,因为 /lib已经被挪走了,/lib下保存有最基本的系统运行库,现代的linux系统大多
数命令已经动态连接了,当/lib路径改变的时候,那你能用来创建目录,或用来copy文件的任何命令,都
不好用了,都会报下面错误:
/lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
这表示已经找不到ld-linux.so.2这个文件了

由于文件都已经被挪走了,我们平时依赖的工具都不好用了。即使你敲入绝对路径,也会提示:
/lib/ld-linux.so.2: bad ELF interpreter: No such file or directory这个错误
尝试了下面的命令
/www/users/abcdefg.net/{ls,ln,mkdir,mktemp,ftp,rsync,mv,cp,rm,ldconfig,scp,sftp,perl,ash,zsh,csh} 报的都是上面的错误,
常规的创建文件,创建目录和目录文件转移操作,及远程或本地复制文件操作都无法进行了。
再尝试找下好用的命令:
cd export declare echo > 这些内置命令都是好用的。

我们看下现场,由于ls已经不好用了。那只好用bash的自动补齐功能(TAB键)来看看有哪些目录和文件
首先检查哪些目录被挪走了,执行下面命令:
/www/users/abcdefg.net [按TAB]
输出如下:
backup bin boot dev ecshop etc home lib lost+found media misc mnt opt proc www_logs ucenter
可以看出 bin和lib都已经被挪过来了,那我们既不能直接执行bin下的程序,也不能执行任何依赖/lib下的程序,而且etc也被mv到这里来
所以我们连修改ld.so.conf并生成新的ld.so.cache的机会也没有,因为我们无法执行创建/etc目录的命令。

开始恢复吧
过程不复杂,我们还有ld-linux.so.2 可用,虽然它已经变了位置。
ld-linux.so.2是linux系统的动态连接器,我们可以用他来执行命令,我们使用它的–library-path参数来重新指定LD_LIBRARY_PATH的位置

再看看根目录还有啥
/www/users/abcdefg.net/lib/ld-linux.so.2 –library-path /www/users/abcdefg.net/lib /www/users/abcdefg.net/bin/ls / -F
输出正常,

恢复/lib
/www/users/abcdefg.net/lib/ld-linux.so.2 –library-path /www/users/abcdefg.net/lib /www/users/abcdefg.net/bin/cp -rfp /www/users/abcdefg.net/lib /lib

恢复/bin
/www/users/abcdefg.net/lib/ld-linux.so.2 –library-path /www/users/abcdefg.net/lib /www/users/abcdefg.net/bin/cp -rfp /www/users/abcdefg.net/bin /bin

恢复其他目录
cd /www/users/abcdefg.net
for i in bin boot etc lib media misc mnt opt ; do rsync -av –progress ./$i/ /$i/; done

然后我们再还原dev目录
cd dev
cp -dRp * /dev

重新检查ssh登陆,此时已经能登陆系统了,仔细检查/boot /etc ,都已经正确恢复,重起系统,所有恢复完毕

nginx request line parsing vulnerability

CVE-2013-4547

nginx1.4.4和1.5.7版本之前有安全漏洞,会导致可能的绕开防护或者php解析攻击

比如
location ~ \.php$ {
fastcgi_pass …
}

by requesting a file as “/file /0.php”.

实地测试了一番,这个攻击在我们环境中比较难重现,需要以下条件同时成立
1.需要上传了一个带空格的文件(含攻击程序)
2.需要php设置了fix_pathinfo=1(默认为1)
3.需要php版本低于5.3.10,或者允许了所有的security.limit_extensions

因此,基于安全理由,建议升级并且升级php到5.3序列的最新版本

nginx 嵌套 error_page

nginx有时候希望嵌套的处理error_page
比如 location / {
error_page 404 @fetch
}

location @fetch {
error_page 404 @fetch2
proxy_pass http://backend1/one/;
}
location @fetch2 {
proxy_pass http://backend2/two/;
return 200 “xxx”;
}

这是个简单的例子,如果需要实现功能需要两个参数: proxy_intercept_errors on; recursive_error_pages on;
syntax: recursive_error_pages on | off;
default:
recursive_error_pages off;
context: http, server, location
Enables or disables doing several redirects using the error_page directive. The number of such redirects is limited.

syntax: proxy_intercept_errors on | off;
default:
proxy_intercept_errors off;
context: http, server, location
Determines whether proxied responses with codes greater than or equal to 300 should be passed to a client or be redirected to nginx for processing with the error_page directive.

mac air 使用搜狗输入法耗电的问题

首先,air自带的输入法的确反人类一般的难用

其次,搜狗输入法的确很好用,这个是产品好

不过,搜狗输入法很耗电,新款air的续航能力尽管非常变态,最高可以到19小时(正常是13小时),如果用了搜狗输入法,只有10-12小时

}78Q$7@H8241ET88UF8LX]J

 

 

 

 

因此,必须干掉搜狗多余的东西,发现搜狗每3秒就自动执行一个SogouServices的东西,干掉后世界就清净了

sudo rm -rf /Library/LaunchAgents/com.sogou.SogouServices.plist

以下为该plist的内容,有兴趣的同学可以看看:

/Library/LaunchAgents/com.sogou.SogouServices.plist
<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0″>
<dict>
<key>Label</key>
<string>com.sogou.SogouServices</string>
<key>OnDemand</key>
<true/>
<key>Program</key>
<string>/Library/Input Methods/SogouInput.app/Contents/SogouServices</string>
<key>StartInterval</key>
<integer>3</integer>
</dict>
</plist>

在KVM里边跑KVM

从测试看,目前ubuntu支持netsted KVM,RHEL不支持
默认情况下,UBUNTU就支持这一特性:

# modprobe -r kvm-intel
# modprobe kvm-intel nested=1
# cat /sys/module/kvm_intel/parameters/nested
Y

如果没有的话,需要手工加载内核选项:

cat /etc/default/grub | grep CMDLINE
GRUB_CMDLINE_LINUX=”rd.lvm.lv=vol0/swapVol rd.md=0 rd.dm=0 KEYTABLE=us quiet rd.lvm.lv=vol0/rootVol rhgb rd.luks=0 SYSFONT=latarcyrheb-sun16 LANG=en_US.UTF-8 kvm-intel.nested=1

然后修改kvm的配置文件,加入:

<cpu mode=’custom’ match=’exact’>
<model fallback=’allow’>core2duo</model>
<feature policy=’require’ name=’vmx’/>
</cpu>


nginx lua 模块的一个bug

近期协助排查一个故障发现有50x错误,开error日志发现有malloc或者crash work process的记录

[emerg] 5309#0: *288 malloc(808334101) failed (12: Cannot allocate memory) while sending to client
[notice] 4579#0: signal 18 (SIGCHLD) received
[notice] 4579#0: worker process 5211 exited with code 0

这其实是lua模块导致的问题,在0.7.5之前,nginx lua module存在 ngx.req.clear_header 导致的内存溢出问题,需要升级到最新版
that is all,完毕

在防火墙环境使用facetime

你的公司或者教育机构可能使用防火墙来增强安全性.防火墙通过阻止特定的internet 流量进出来工作.
Internet 流量 通过防火墙时基于服务id的数字,这也叫端口.

Internet traffic moves through a firewall based on service-identification numbers that are referred to as ports. Certain ports must be open for FaceTime to work. Network administrators typically open a minimal set of network ports, allowing the traffic for approved applications to enter and leave the network while blocking other network traffic.

Ports to open

If the network router that you are connected to uses a firewall or security software to restrict Internet access, contact the network administrator and refer them to this article.

To use FaceTime on a restricted network, port forwarding must be enabled for these ports:

443 (TCP)
3478 through 3497 (UDP)
5223 (TCP)
16384 through 16387 (UDP)
16393 through 16402 (UDP)
Depending on the NAT configuration for the router and network, additional ports may be used to send and receive video. Some router-specific features or configurations may interfere with FaceTime. This includes port mapping on either end, SIP dropping, or dynamic opening of media ports.

The network administrator can refer to their router, firewall, or security software documentation for information about configuring port forwarding.

Additional Information
If you encounter issues using a Wi-Fi network, use standard Wi-Fi network troubleshooting to resolve interference and other issues.

FaceTime for Mac support resources can be found here. The support page has links to support pages for FaceTime on iOS devices, on the left side.
http://support.apple.com/kb/HT4245

nginx gunzip filter 模块

介绍下igor职业打手Maxim Dounin写的一个gunzip模块

Gunzip module for nginx.
This module allows gunzipping responses returned with Content-Encoding: gzip
for clients that doesn’t support it. It may be usefull if you prefer to store
data compressed (to save space or disk/network IO) but do not want to penalize
clients without gzip support.

Note well: only responses with Content-Encoding set to gzip before this module
are handled (e.g. using “add_header Content-Encoding gzip;” isn’t enough as it
happens after). As of now only proxy and fastcgi are able to do so.

这个模块能针对不支持gzip编码的客户端,直接解压gzip格式的内容
好处:
1.跟源站直接请求压缩的内容,减少回源带宽,提高响应速度
2.只保留一份压缩的内容,减少缓存的大小,相同的cache能放更多的内容
配置格式比较简单:

Configuration directives:

gunzip (on|off)

Context: http, server, location
Default: off

Switches gunzip.

gunzip_buffers

Context: http, server, location
Default: 32 4k/16 8k

Specifies number and size of buffers available for decompression.

Usage:

location /storage/ {
gunzip on;

}

需要特别指出:
1.客户端不支持gzip编码,那么gunzip模块就返回解压的内容
2.客户端支持gzip编码,那么gunzip就自动不起作用,返回原始内容

某些特殊需求,比如addition_filter,我们知道这些filter在非压缩的内容才能正常工作,要结合这个模块就不是那么方便了
因此可以简单修改代码,让它不理会客户端的header,总是返回非压缩内容,注释掉这一整块即可:
ngx_http_gunzip_filter_module.c

141 #if (nginx_version >= 8025 || (nginx_version >= 7065 && nginx_version < 8000)) 142 143 r->gzip_vary = 1;
144
145 if (!r->gzip_tested) {
146 if (ngx_http_gzip_ok(r) == NGX_OK) {
147 return ngx_http_next_header_filter(r);
148 }
149
150 } else if (!r->gzip_ok) {
151 return ngx_http_next_header_filter(r);
152 }
153
154 #else
155
156 if (ngx_http_gzip_ok(r) == NGX_OK) {
157 return ngx_http_next_header_filter(r);
158 }
159
160 #endif

有人写了个gunzip_always的开关补丁,可以控制这个属性,patch暂时不放出来

模块地址: http://mdounin.ru/hg/ngx_http_gunzip_filter_module/

apache traffic server 预缓存功能

ATS(apache traffic server)预缓存功能需要设置2个参数后才能启用:
1. proxy.config.http.background_fill_active_timeout
针对小文件可以设置为默认: INT 60
针对大文件可以设置为: INT 3600
具体可以根据文件大小和网络速度来决定
2. proxy.config.http.background_fill_completed_threshold
设置为0.0就好,默认是0.5
具体解释可以看官方说明:
http://trafficserver.apache.org/docs/trunk/admin/configuration-files/records.config.en.html
proxy.config.http.background_fill_active_timeout
INT
Default: 60
Specifies how long Traffic Server continues a background fill before giving up and dropping the origin server connection.
proxy.config.http.background_fill_completed_threshold
FLOAT
Default: 0.50000
The proportion of total document size already transferred when a client aborts at which the proxy continues fetching the document from the origin server to get it into the cache (a background fill).
Origin Server Connect Attempts