It so happens that by profession I am an administrator of computer systems and networks (in short: a sysadmin), and for more than 10 years I have had the chance to support all sorts of systems, including ones that require [special] security measures. It also happens that some time ago I came across an interesting dev
, so I'm passing by). But I am not going to talk about development; I am going to talk about a secure and efficient environment for applications.
Financial technology (fintech) lives right next to information security (infosec); the first can function without the second, but not for long. That is why I want to share my experience and the set of tools I use, which covers both fintech and infosec at the same time and can also be used for broader or quite different purposes. In this article I will not tell you about Bitcoin, but about the infrastructure for developing and operating financial (and not only financial) services, in a word, services where the "B" (for security) matters. This applies equally to a Bitcoin exchange and to the ordinary zoo of services of a small company that has nothing to do with Bitcoin.
I would like to note that I am a supporter of the principles "keep it simple, stupid" and "less is more", so both the article and what is described in it will have the properties these principles imply.
Hypothetical situation: let's look at everything using the example of a Bitcoin exchanger. We decided to launch an exchange of rubles, dollars and euros for bitcoins and back, and we already have a working solution, but for other digital currencies such as qiwi and webmoney, i.e. we have covered all the legal issues, we have a ready application that acts as a payment gateway for rubles, dollars, euros and other payment systems. It is linked to bank accounts and has some kind of API for our end applications. We also have a web application that serves as the user-facing exchanger, much like a regular qiwi or webmoney account: create an account, add a card, and so on. It communicates with our gateway application, though via a REST API inside the local segment. So we decided to add bitcoins and at the same time upgrade the infrastructure, because ... at first everything was thrown together quickly on virtual boxes in the office under the desk ... the site started getting real use, and we began to worry about uptime and performance.
So, let's start with the main thing: choosing a server. Since the business in our example is small and we trust the hoster (OVH), we will choose
Installing the server
Everything is simple here. We choose the hardware that suits our needs. Then we select the FreeBSD image. Or (in the case of another hoster and our own hardware) we connect via IPMI or with a monitor and feed the FreeBSD .iso image into the boot. For the basic setup I used
The system is installed in the standard way; I won't dwell on it, I'll only note that before starting work it is worth paying attention to the hardening options that bsdinstaller offers at the end of the installation (if you installed the system yourself):
The options listed above can also be enabled on an already installed system. To do this you need to edit the bootloader file and enable the kernel parameters. *ee is the built-in editor of this kind in BSD
# ee /etc/rc.conf
...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
# ee /etc/sysctl.conf
...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=$(jot -r 1 9999)
security.bsd.stack_guard_page=1
You should also make sure you have the latest version of the system installed, and
Then we set up aide to keep an eye on the state of the system's configuration files. You can read about it in detail
pkg install aide
and edit our crontab
crontab -e
06 01 * * 0-6 /root/chkaide.sh
#!/bin/sh
# chkaide.sh: run an AIDE integrity check and write a short daily report to /tmp
MYDATE=$(date +%Y-%m-%d)
MYFILENAME="Aide-$MYDATE.txt"
/bin/echo "Aide check !! $(date)" > "/tmp/$MYFILENAME"
# full check output goes to a scratch file; the report keeps only the interesting parts
/usr/local/bin/aide --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt | /usr/bin/grep -v failed >> "/tmp/$MYFILENAME"
/bin/echo "**************************************" >> "/tmp/$MYFILENAME"
/usr/bin/tail -20 /tmp/myAide.txt >> "/tmp/$MYFILENAME"
/bin/echo "****************DONE******************" >> "/tmp/$MYFILENAME"
We enable auditd
sysrc auditd_enable=YES
# service auditd start
How to manage it is described well in
Now we reboot and move on to the software on the server. Each server is a host environment for containers or full virtual machines. Therefore it is important that the processor supports VT-x and EPT if we plan to use full virtualization.
To manage containers and virtual machines I use
Containers? Docker or what?
No. cbsd
for orchestrating those containers, which are called jails.
A jail is an extremely efficient solution for building infrastructure for a variety of purposes where full isolation of individual services or processes is ultimately required. Essentially it is a clone of the host system, but it does not require full hardware virtualization. Thanks to this, resources are not spent on a "guest OS", only on the work actually being done. When jails are used for internal needs, this is the most convenient solution for efficient resource use: a bunch of jails on a single hardware server can each use all of the server's resources if needed. Given that different subsystems usually need more resources at different times, you can squeeze maximum performance out of a single server if you plan correctly and balance jails between servers. If necessary, jails can be given limits on the resources they use.
What about full virtualization?
As far as I know cbsd
supports the bhyve
and XEN hypervisors. I have never used the second, but the first is new; it is bhyve
in the example below.
Installing and setting up the host environment
We use FS
gpart add -t freebsd-zfs /dev/ada0
/dev/ada0p4 added!
add a disk partition using the remaining space
geli init /dev/ada0p4
enter our password
geli attach /dev/ada0p4
We enter the password again and we have the device /dev/ada0p4.eli, which is our encrypted space. Then we repeat the same for /dev/ada1 and the other disks in the array. And we create a new
zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli
- Well, our minimal combat kit is ready. A mirrored disk array in case one of the three fails.
Create a dataset on the new "pool"
zfs create vms/jails
pkg install cbsd
- we install the package and set up the management of our jails.
After cbsd
is installed, it needs to be initialized:
# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv
Well, we answer a bunch of questions, mostly with the default answers.
* If you use encryption, it is important that the cbsdd daemon
is not started automatically until you decrypt the disk manually or automatically (in our example this is done via zabbix)
** I also don't use NAT from cbsd
, and configure pf
myself.
# sysrc pf_enable=YES
# ee /etc/pf.conf
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"
#WHITE_CL="{ 127.0.0.1 }"
icmp_types="echoreq"
set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all
#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# service pf start
# pfctl -f /etc/pf.conf
Setting up firewall policies is also a separate topic, so I won't go deep into setting up a BLOCK ALL scheme and whitelists; you can do that by reading
Well ... we have installed cbsd, time to create our first workhorse: the Bitcoin daemon!
cbsd jconstruct-tui
Here we see the jail creation dialog. After all the values are set, let's create it!
When creating the first jail you should choose what to use as the base for jails. I chose a distribution from the FreeBSD repository with the repo command
. This choice is made only when creating the first jail of a particular version (you can host jails of any version older than the host version).
After everything is installed, we launch the jail!
# cbsd jstart bitcoind
But we need to install the software inside the jail.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
jexec bitcoind
to enter the jail console
and already inside the jail we install the software with its dependencies (our host system stays clean)
bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils
bitcoind:/@[15:30] # sysrc bitcoind_enable=YES
bitcoind:/@[15:30] # service bitcoind start
We have Bitcoin in a jail, but we need anonymity because we want to connect to some jails via the TOR network. In general, we plan to run most jails with suspicious software only through a proxy. Thanks to pf
you can disable NAT for a specific range of IP addresses on the local network and allow NAT only for our TOR node. Thus, even if malware gets into a jail, it most likely won't be able to communicate with the outside world, and if it does, it won't reveal our server's IP. Therefore, we create another jail to "forward" services as ".onion" services and to act as a proxy for Internet access for individual jails.
# cbsd jsconstruct-tui
# cbsd jstart tor
# jexec tor
tor:/@[15:38] # pkg install tor
tor:/@[15:38] # sysrc tor_enable=YES
tor:/@[15:38] # ee /usr/local/etc/tor/torrc
Configure it to listen on the local address (available to all jails)
SOCKSPort 192.168.0.2:9050
What else do we need for complete happiness? Right, we need a service for our website, maybe more than one. Let's launch nginx, which will act as a reverse proxy and take care of renewing Let's Encrypt certificates
# cbsd jsconstruct-tui
# cbsd jstart nginx-rev
# jexec nginx-rev
nginx-rev:/@[15:47] # pkg install nginx py36-certbot
So we have put 150 MB of dependencies into the jail. And the host is still clean.
Let's come back to setting up nginx later; we need to bring up two more jails, for our payment gateway on nodejs and rust, and for the web application, which for some reason runs on Apache and PHP, and the latter needs a MySQL database.
# cbsd jsconstruct-tui
# cbsd jstart paygw
# jexec paygw
paygw:/@[15:55] # pkg install git node npm
paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
...and another 380 MB of packages, isolated
After that, we download our application with git and launch it.
# cbsd jsconstruct-tui
# cbsd jstart webapp
# jexec webapp
webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql
450 MB of packages in the jail.
Here we give the developers direct SSH access to the jail; they will do everything there themselves:
webapp:/@[16:02] # ee /etc/ssh/sshd_config
Port 2267
- change the jail's SSH port to any arbitrary one
webapp:/@[16:02] # sysrc sshd_enable=YES
webapp:/@[16:02] # service sshd start
Well, the service is running, all that remains is to add a rule to the pf
firewall
Let's see what IPs our jails have and what our "local segment" looks like as a whole.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
and add the rule
# ee /etc/pf.conf
## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
Well, since we're here, let's also add a rule for the reverse proxy:
## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# pfctl -f /etc/pf.conf
Well, now a little about bitcoins
What we have is a web application exposed to the outside that talks locally to the payment gateway. Now we need to prepare the working environment for interacting with the Bitcoin network itself: the bitcoind node
It is just a daemon that keeps a local copy of the blockchain up to date. This daemon has an RPC and wallet functionality, but there are more convenient "wrappers" for application development. First, we decided to install electrum
It is a CLI wallet.
laptop. For now we will use Electrum with a public server, and later we will bring it up in a separate jail
# cbsd jsconstruct-tui
# cbsd jstart electrum
# jexec electrum
electrum:/@[8:45] # pkg install py36-electrum
another 700 MB of software in our jail
electrum:/@[8:53] # adduser
Username: wallet
Full name:
Uid (Leave empty for default):
Login group [wallet]:
Login group is wallet. Invite wallet into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username : wallet
Password : <disabled>
Full Name :
Uid : 1001
Class :
Groups : wallet
Home : /home/wallet
Home Mode :
Shell : /bin/tcsh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet
wallet@electrum:/ % electrum-3.6 create
{
"msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
"path": "/usr/home/wallet/.electrum/wallets/default_wallet",
"seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}
Now we have a created wallet.
wallet@electrum:/ % electrum-3.6 listaddresses
[
"18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
"14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
"1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
...
"1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
"18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]
wallet@electrum:/ % electrum-3.6 help
From now on only a limited number of people will be able to connect to our on-chain wallet. In order not to open access to this jail from the outside, the SSH connection will go through TOR (a kind of anonymous VPN). We start SSH in the jail, but do not touch our pf.conf on the host.
electrum:/@[9:00] # sysrc sshd_enable=YES
electrum:/@[9:00] # service sshd start
Now let's cut the wallet jail off from Internet access. We give it an IP address from a separate part of the subnet that is not NATed. First we change /etc/pf.conf
on the host
# ee /etc/pf.conf
JAIL_IP_POOL="192.168.0.0/24"
we change it to JAIL_IP_POOL="192.168.0.0/25"
, so that all addresses 192.168.0.126-255 will have no direct Internet access. A kind of software "air-gap" network. And the NAT rule stays as it is
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
Reload the rules
# pfctl -f /etc/pf.conf
Now let's reconfigure our jail
# cbsd jconfig jname=electrum
jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200
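As an added check, not part of the original article: a small POSIX sh script that computes, from the narrowed pf NAT pool, which jail IPs still get NAT egress and which are "tor-only", so the air-gap split can be verified rather than eyeballed. It assumes the pf.conf values quoted above; the jls-style listing in it is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original article): given the narrowed NAT pool
# JAIL_IP_POOL="192.168.0.0/25", work out which jail IPs still get NAT egress
# and which are cut off and must go out through the TOR/polipo proxies.
# Assumes the host pf.conf values quoted in the article; the jls listing below
# is a constructed sample, not real output.

JAIL_IP_POOL="192.168.0.0/25"   # the /25 pool the article switches to

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Return 0 (true) if IPv4 address $1 lies inside CIDR network $2.
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Egress class of a jail IP under the article's "nat pass ... from $JAIL_IP_POOL"
# rule: "nat" if pf will translate it out, "tor-only" if it has no direct route.
egress_mode() {
    if in_cidr "$1" "$JAIL_IP_POOL"; then
        echo nat
    else
        echo tor-only
    fi
}

# First address that falls outside the NAT pool, i.e. the start of the
# "air-gapped" range, computed from the mask rather than guessed.
first_airgapped() {
    bits=${JAIL_IP_POOL#*/}
    base=$(ip2int "${JAIL_IP_POOL%/*}")
    n=$(( base + (1 << (32 - bits)) ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Constructed jls-style sample (JID, IP, hostname) mirroring the article's final layout.
JLS_SAMPLE='1 192.168.0.1 bitcoind.space.com
2 192.168.0.2 tor.space.com
3 192.168.0.3 nginx-rev.space.com
4 192.168.0.4 paygw.space.com
5 192.168.0.5 webapp.my.domain
7 192.168.0.200 electrum.space.com
8 192.168.0.6 polipo.space.com
9 192.168.0.7 lightning.space.com'

# Print one line per jail with its egress class.
report() {
    echo "$JLS_SAMPLE" | while read -r jid ip host; do
        printf '%-3s %-16s %-22s %s\n' "$jid" "$ip" "$host" "$(egress_mode "$ip")"
    done
}

report
echo "air-gapped range starts at $(first_airgapped)"
```

Run it again after any change to JAIL_IP_POOL or a jail's ip4_addr; only the electrum jail should come out as tor-only in the layout above.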
Hmm, but now the system itself will stop working for us. However, we can specify a system proxy. There is one catch: TOR is a SOCKS5 proxy, and for convenience we also want an HTTP proxy.
# cbsd jsconstruct-tui
# cbsd jstart polipo
# jexec polipo
polipo:/@[9:28] # pkg install polipo
polipo:/@[9:28] # ee /usr/local/etc/polipo/config
socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5
polipo:/@[9:42] # sysrc polipo_enable=YES
polipo:/@[9:43] # service polipo start
Well, now there are two proxy servers in our system, both exiting through TOR: socks5://192.168.0.2:9050 and
Now we can set up our wallet environment
# jexec electrum
electrum:/@[9:45] # su wallet
wallet@electrum:/ % ee ~/.cshrc
# at the end of the file: proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123
Well, now the shell will work through the proxy. If we want to install packages, we should add to /usr/local/etc/pkg.conf
as root inside the jail
pkg_env: {
http_proxy: "http://my_proxy_ip:8123",
}
Well, now it is time to add a TOR hidden service as the address of the SSH service in the jail.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22
tor:/@[10:01] # mkdir /var/db/tor/electrum
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum
tor:/@[10:01] # chmod 700 /var/db/tor/electrum
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/electrum/hostname
mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
This is our connection address. Let's check it from the local machine. But first we need to add our SSH key:
wallet@electrum:/ % mkdir ~/.ssh
wallet@electrum:/ % ee ~/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local
Well, from a Linux client machine
user@local ~$ nano ~/.ssh/config
#remote electrum wallet
Host remotebtc
User wallet
Port 22
Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p
Let's connect (for this to work you need a local TOR daemon listening on 9050)
user@local ~$ ssh remotebtc
The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
-- Dru <[email protected]>
wallet@electrum:~ % logout
Success!
To work with instant payments and micropayments we also need a c-lightning node
it requires bitcoind to operate
but a.
*There are different implementations of the Lightning Network protocol in different languages. Of those we tried, c-lightning (written in C) turned out to be the most stable and resource-efficient.
# cbsd jsconstruct-tui
# cbsd jstart cln
# jexec cln
lightning:/@[10:23] # adduser
Username: lightning
...
lightning:/@[10:24] # pkg install git
lightning:/@[10:23] # su lightning
cd ~ && git clone https://github.com/ElementsProject/lightning
lightning@lightning:~ % exit
lightning:/@[10:30] # cd /home/lightning/lightning/
lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils
lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install
While everything needed is compiling and installing, let's create an RPC user for lightningd
in bitcoind
# jexec bitcoind
bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf
rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32
bitcoind:/@[10:39] # service bitcoind restart
Chaotic switching between jails becomes much less chaotic if you use the tmux utility
, which lets you create many sub-sessions within a single session. Analogue: screen
So, we don't want to reveal the real IP of our node, and we want to conduct all financial transactions through TOR. Therefore another .onion is needed.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735
tor:/@[10:01] # mkdir /var/db/tor/cln
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln
tor:/@[10:01] # chmod 700 /var/db/tor/cln
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/cln/hostname
en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion
Now let's create the config for c-lightning
lightning:/home/lightning/lightning@[10:31] # su lightning
lightning@lightning:~ % mkdir .lightning
lightning@lightning:~ % ee .lightning/config
alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000
# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko
sparko-host=192.168.0.7
sparko-port=9737
sparko-tls-path=sparko-tls
#sparko-login=mywalletusername:mywalletpassword
#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like
lightning@lightning:~ % mkdir .lightning/plugins
lightning@lightning:~ % cd .lightning/plugins/
lightning@lightning:~/.lightning/plugins:% fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048
lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650
lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko
lightning@lightning:~/.lightning/plugins % cd ~
You also need to create a configuration file for bitcoin-cli, the utility that communicates with bitcoind
lightning@lightning:~ % mkdir .bitcoin
lightning@lightning:~ % ee .bitcoin/bitcoin.conf
rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test
check
lightning@lightning:~ % bitcoin-cli echo "test"
[
"test"
]
start lightningd
lightning@lightning:~ % lightningd --daemon
lightningd itself
can be controlled with the lightning-cli utility
, for example:
lightning-cli newaddr
get an address for a new incoming payment
{
"address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
"bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}
lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all
send all the funds in the wallet to the address (all on-chain addresses)
There are also commands for off-chain operations: lightning-cli invoice
, lightning-cli listinvoices
, lightning-cli pay
and so on.
Well, for communicating with applications we have a REST API
curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access: masterkey'
Let's review the result
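The curl call above passes the unrestricted master key. As an added example, not from the article or from sparko itself, here is a small POSIX sh checker for the sparko-keys line in the c-lightning config above that answers which key a component should be given for the RPC methods it actually needs. It assumes, following the article's own example, that a bare key name (masterkey) is unrestricted and that "name:+method,+method" grants exactly the listed methods.

```shell
#!/bin/sh
# Added example (not from the article or from sparko): a checker for the
# sparko-keys access list used in the c-lightning config above. Assumption,
# taken from the article's own usage: a bare key name (masterkey) is
# unrestricted, and "name:+method,+method" grants exactly the listed methods.

# The value from the article's .lightning/config.
SPARKO_KEYS='masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice'

# Print the methods key $1 may call, one per line ("*" for an unrestricted key).
# Returns 1 if the key is not in the list at all.
key_perms() {
    wanted=$1
    oldifs=$IFS
    IFS=';'
    set -- $SPARKO_KEYS
    IFS=$oldifs
    for entry in "$@"; do
        name=${entry%%:*}
        [ "$name" = "$wanted" ] || continue
        if [ "$entry" = "$name" ]; then
            echo '*'
        else
            echo "${entry#*:}" | tr ',' '\n' | sed 's/^+//'
        fi
        return 0
    done
    return 1
}

# Return 0 if key $1 is allowed to call RPC method $2, else 1.
key_allows() {
    perms=$(key_perms "$1") || return 1
    [ "$perms" = '*' ] && return 0
    printf '%s\n' "$perms" | grep -qx -- "$2"
}

# Least-privilege helper: print the first restricted key (in list order) that
# covers every method given as arguments, or "none" if only masterkey would do.
minimal_key_for() {
    methods=$*
    oldifs=$IFS
    IFS=';'
    set -- $SPARKO_KEYS
    IFS=$oldifs
    for entry in "$@"; do
        name=${entry%%:*}
        [ "$entry" = "$name" ] && continue   # skip unrestricted keys
        ok=1
        for m in $methods; do
            key_allows "$name" "$m" || ok=0
        done
        if [ $ok -eq 1 ]; then
            echo "$name"
            return 0
        fi
    done
    echo none
    return 0
}

minimal_key_for invoice waitinvoice   # a billing component only needs ultrawrite
minimal_key_for listnodes             # a monitoring view only needs secretread
minimal_key_for pay                   # none: only masterkey can pay in this list
```

The last call shows the point: nothing short of the master key can call pay with the list as written, so an application that must pay should get its own key with just +pay rather than masterkey.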
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
7 192.168.0.200 electrum.space.com /zroot/jails/jails/electrum
8 192.168.0.6 polipo.space.com /zroot/jails/jails/polipo
9 192.168.0.7 lightning.space.com /zroot/jails/jails/cln
We have a set of containers, each with its own level of access to and from the local network.
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zroot 279G 1.48T 88K /zroot
zroot/ROOT 1.89G 1.48T 88K none
zroot/ROOT/default 1.89G 17.6G 1.89G /
zroot/home 88K 1.48T 88K /home
zroot/jails 277G 1.48T 404M /zroot/jails
zroot/jails/bitcoind 190G 1.48T 190G /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln 653M 1.48T 653M /zroot/jails/jails-data/cln-data
zroot/jails/electrum 703M 1.48T 703M /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev 190M 1.48T 190M /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw 82.4G 1.48T 82.4G /zroot/jails/jails-data/paygw-data
zroot/jails/polipo 57.6M 1.48T 57.6M /zroot/jails/jails-data/polipo-data
zroot/jails/tor 81.5M 1.48T 81.5M /zroot/jails/jails-data/tor-data
zroot/jails/webapp 360M 1.48T 360M /zroot/jails/jails-data/webapp-data
As you can see, bitcoind takes up a full 190 GB of space. What if we need another node for testing? This is where ZFS comes in handy. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com
you can create a snapshot and bind a new jail to that snapshot. The new jail will have its own space, but only the difference between the current state and the original will be accounted for in the filesystem (we save at least 190 GB)
Each jail is its own isolated ZFS dataset, and this is very convenient.
It is also worth noting the need for remote monitoring of the host; for that purpose we have
B for security
Regarding security, let's start with the basic principles in the context of infrastructure:
Confidentiality - The standard toolkit of a UNIX-like system ensures this principle is implemented. We carefully separate access to each kind of subsystem, the jail. Access is granted through standard user authentication using the users' private keys. All communication between and into jails takes place in encrypted form. Thanks to disk encryption, we don't have to worry about data safety when replacing a disk or migrating to another server. The only critical point is access to the host system, since such access generally gives access to the data in the containers.
Integrity - This principle is implemented at different levels. First, it is worth noting that with server hardware and ECC memory, ZFS "out of the box" takes care of data integrity at the checksum level. Instant snapshots allow you to make a backup at any moment, on the fly. Convenient jail export/import tools make copying a jail trivial.
Availability - This one is already optional. It depends on the extent of your popularity and on whether you have enemies. In our example we made sure the wallet is reachable only from the TOR network. If necessary, you can block everything on the firewall and allow access to the server only through dedicated tunnels (TOR or VPN is another matter). Thus the server will be cut off from the outside world as much as possible, and only we can affect its availability.
Non-repudiation - This depends on further work and on following proper rules for user rights, access and so on. But with the right approach, all user actions are audited, and thanks to
it is possible to determine unambiguously who performed which actions and when.
Of course, the described configuration is not a complete example of how it should always be; it is just one example of how it can be, while retaining flexibility in scaling and customization.
What about full virtualization?
For full virtualization using cbsd you can use bhyve
You need to enable a few kernel options.
# cat /etc/rc.conf
...
kld_list="vmm if_tap if_bridge nmdm"
...
# cat /boot/loader.conf
...
vmm_load="YES"
...
So if you suddenly need to start docker, install debian and off you go!
That's it
I think that's all I wanted to share. If you liked the article, you can send me bitcoins -
source: www.habr.com