It so happens that by profession I am an administrator of computer systems and networks (a sysadmin, in short), and for a little over ten years I have had the chance to work on systems of all kinds, including ones that require [extreme] security measures. At one point development itself looked interesting too, but it never went beyond the dev(ops) side, so I am not going to talk about development here, but about a secure and efficient environment for applications.
Financial technology (fintech), and then information security (infosec): the former can work without the latter, but not for long. That is why I want to share my experience and the toolset I use, which covers both fintech and infosec and can just as well serve broader, or entirely different, purposes. This article says little about bitcoin itself; it describes an infrastructure model for developing and running financial (and not only financial), that is, business-critical, services. It applies equally to a bitcoin exchange and to the most ordinary corporate zoo of small businesses and service providers that have nothing to do with bitcoin.
I should note that I am a supporter of the principles "keep it stupidly simple" and "less is more", so both the article and what it describes are aimed at those principles.
A hypothetical scenario: let's walk through everything using a bitcoin exchange as the example. We have decided to start exchanging cards and other payment instruments for bitcoin. We already have a working solution that exchanges other digital money such as qiwi and WebMoney. We have sorted out all the legal issues and have a ready-made application that acts as a payment gateway for cards and other payment systems. It is connected to a bank account and exposes some kind of API for the end applications. There is also a web application that acts as the user-facing exchange: creating accounts, adding cards and so on, much like a typical qiwi or WebMoney account. It talks to the gateway application over a REST API on the local network. Now we have decided to add bitcoin and, at the same time, to upgrade the infrastructure. Initially everything was hastily stuffed into virtual boxes under a desk in the office... people started using the site, and we started worrying about uptime and performance.
So, let's start with the core: choosing a server. Since the business in this example is small, we trust the hosting company we chose (OVH).
Installing the server
Here everything is simple. We pick hardware that fits our needs, then pick a FreeBSD image. Or (with another hosting provider, or on our own hardware) we connect through IPMI or a monitor and boot the FreeBSD .iso image we downloaded. In the setups I run, the system is installed in the standard way, which I won't describe here; I will only note that before getting started it is worth paying attention to the hardening options that bsdinstaller offers.
At the end of the installation it looks like this (if you install the system yourself).
The same parameters can be enabled on an already installed system. To do that, edit the boot-time configuration files and enable the kernel parameters (*ee is the editor BSD ships with):
# ee /etc/rc.conf
...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
# ee /etc/sysctl.conf
...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=$(jot -r 1 9999)
security.bsd.stack_guard_page=1
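Setting the values is only half the job; what a defender wants afterwards is a repeatable check that the running kernel actually reports them (a reboot, a package post-install script or a colleague's edit can silently undo one). The following is an added example, not code from the original article: it compares the sysctl values listed above against a sample of `sysctl -a` output. The sample is constructed to look like FreeBSD's "key: value" format and deliberately leaves `security.bsd.see_other_uids` at 1; on a real host you would save the real `sysctl -a` output to a file and pass that instead.

```sh
# Added example, not from the original article: check a running kernel's
# sysctl values against the hardening lines set above. The "actual" input is
# a CONSTRUCTED sample of `sysctl -a` output (FreeBSD prints "key: value");
# on a real host you would save `sysctl -a` to a file and pass that instead.

# Desired values, copied from the sysctl.conf block above ("key=value").
desired_sysctls() {
    cat <<'EOF'
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
security.bsd.stack_guard_page=1
EOF
}

# Constructed sample of `sysctl -a` output with one deliberately wrong value
# (see_other_uids is still 1, i.e. users can see each other's processes).
sample_sysctl_a() {
    cat <<'EOF'
kern.ostype: FreeBSD
security.bsd.see_other_uids: 1
security.bsd.see_other_gids: 0
security.bsd.unprivileged_read_msgbuf: 0
security.bsd.unprivileged_proc_debug: 0
security.bsd.stack_guard_page: 1
kern.randompid: 0
EOF
}

# audit_sysctl FILE: reads "key=value" lines from stdin, looks each key up in
# FILE (sysctl -a format), prints one line per deviation and returns the
# number of deviations as its exit status (0 means fully compliant).
audit_sysctl() {
    actual="$1"
    bad=0
    while IFS='=' read -r key want; do
        if [ -z "$key" ]; then continue; fi
        got=$(awk -v k="$key:" '$1 == k { print $2 }' "$actual")
        if [ -z "$got" ]; then
            echo "MISSING  $key (not reported by the kernel)"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key expected=$want actual=$got"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# count_deviations: runs the audit over the constructed sample and prints
# the number of deviations found.
count_deviations() {
    tmp=$(mktemp)
    sample_sysctl_a > "$tmp"
    n=0
    desired_sysctls | audit_sysctl "$tmp" >/dev/null || n=$?
    rm -f "$tmp"
    echo "$n"
}

echo "deviations found: $(count_deviations)"
```

The exit status doubles as the deviation count, so the same function drops straight into the cron job used for aide below: a non-zero status is the signal to alert on. The `kern.randompid` line is deliberately not checked, since its value is random by design.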
You also need to make sure the latest version of the system is installed.
Next we set up aide, which monitors the state of the system configuration files; you can read more about it here.
pkg install aide
and edit the crontab:
crontab -e
06 01 * * 0-6 /root/chkaide.sh
#!/bin/sh
# chkaide.sh: run an AIDE integrity check and write a dated report to /tmp
MYDATE=$(date +%Y-%m-%d)
MYFILENAME="Aide-$MYDATE.txt"
/bin/echo "Aide check !! $(date)" > /tmp/$MYFILENAME
/usr/local/bin/aide --check > /tmp/myAide.txt
# copy the report without the "failed" lines
/bin/cat /tmp/myAide.txt | /usr/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
# append the summary aide prints at the end of its output
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
Enable auditing:
sysrc auditd_enable=YES
# service auditd start
Managing this is fully described here.
Now we reboot and move on to the software on the server. Every server is a hypervisor for containers or full virtual machines, so if you use full virtualisation it is important that the processor supports VT-x and EPT.
To manage the containers and virtual machines I use cbsd, which orchestrates these containers, called jails.
Jails are a very effective solution for building infrastructure for all sorts of purposes where, ultimately, individual services or processes need to be completely isolated. Essentially a jail is a clone of the host system, but without full hardware virtualisation. Thanks to that, resources are not spent on a "guest OS" but only on the work actually being done. When jails are used for internal needs this is a very convenient way to use resources optimally: if necessary, many jails on one hardware server can each use the whole server's resources on their own. Keep in mind that various sub-services usually need extra resources. If you plan and balance the jails across your servers properly, you can get the maximum performance out of a server whose resources are used at different times. If needed, you can also put limits on the resources a jail uses.
What about full virtualisation?
As far as I know, cbsd supports the bhyve and XEN hypervisors. I have not worked with the latter, and bhyve is still relatively new. On to the examples.
Installing and configuring the host environment
We use ZFS.
gpart add -t freebsd-zfs /dev/ada0
/dev/ada0p4 added!
This adds a partition in the remaining free space. Initialise encryption on it:
geli init /dev/ada0p4
Enter the encryption passphrase, then attach the device:
geli attach /dev/ada0p4
After entering the passphrase once more, the device /dev/ada0p4.eli appears; this is the encrypted space. Repeat the same for /dev/ada1 and the remaining disks in the array, then create a new pool:
zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli
Now the minimal combat unit is ready: a mirrored array of disks, in case any of them fails. Create a dataset on the new pool:
zfs create vms/jails
pkg install cbsd
This installs the tool we use to manage jails. Once cbsd is installed it has to be initialised:
# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv
Here we answer a few questions, mostly with the default answers.
*If you use encryption, the cbsdd daemon does not start automatically until the disks have been decrypted, manually or automatically (in this example that is done by zabbix).
**I use NAT in cbsd and configure pf myself:
# sysrc pf_enable=YES
# ee /etc/pf.conf
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"
#WHITE_CL="{ 127.0.0.1 }"
icmp_types="echoreq"
set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all
#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# service pf start
# pfctl -f /etc/pf.conf
Firewall policy is a separate topic, so I won't go into setting up a block-all policy and whitelists here; see the references below for that.
So... cbsd is installed. Next we create our first workhorse: the bitcoin daemon in a jail.
cbsd jconstruct-tui
This brings up the jail creation dialog. Once all the values are set, let's create it.
When creating the first jail you have to choose what to use as its base. Pick a distribution from the FreeBSD repositories with the repo command. This choice is only made when creating the first jail of a given version (you can host jails of versions older than the host's).
Once everything is in place, start the jail:
# cbsd jstart bitcoind
The jail still needs software installed. First check that it is running:
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
jexec bitcoind
takes you into the jail's console. Now install the software with its dependencies inside the jail (the host system stays clean):
bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils
bitcoind:/@[15:30] # sysrc bitcoind_enable=YES
bitcoind:/@[15:30] # service bitcoind start
The jail now has bitcoin in it, but since it will connect to other nodes over the TOR network we need anonymity. In general, I intend to run most jails, especially those with dubious software, only through a proxy. pf lets us disable NAT for a certain range of IP addresses on the local network and allow NAT only for the TOR node. So even if malware gets into a jail, it can hardly communicate with the outside, and even if it does, it will not reveal the server's IP. So we create a separate jail that acts as a proxy for internet access for the individual jails and through which services are exposed as ".onion" services:
# cbsd jsconstruct-tui
# cbsd jstart tor
# jexec tor
tor:/@[15:38] # pkg install tor
tor:/@[15:38] # sysrc tor_enable=YES
tor:/@[15:38] # ee /usr/local/etc/tor/torrc
Configure it to listen on the local address (reachable from all jails):
SOCKSPort 192.168.0.2:9050
What else is needed for complete happiness? Yes, the web needs a few services. Let's start nginx, which will act as a reverse proxy and handle Let's Encrypt certificate renewal:
# cbsd jsconstruct-tui
# cbsd jstart nginx-rev
# jexec nginx-rev
nginx-rev:/@[15:47] # pkg install nginx py36-certbot
That puts 150 MB of dependencies in the jail, and the host is still clean.
We'll come back to setting up nginx later; more jails are needed for the payment gateway on nodejs and Rust, and for the web application, which for some reason is built on Apache and PHP, the latter needing a MySQL database.
# cbsd jsconstruct-tui
# cbsd jstart paygw
# jexec paygw
paygw:/@[15:55] # pkg install git node npm
paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
...another 380 MB of packages, isolated.
Next, the application is downloaded with git and started.
# cbsd jsconstruct-tui
# cbsd jstart webapp
# jexec webapp
webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql
450 MB of packages in the jail.
Now we give the developers direct SSH access to the jail, where they do everything themselves:
webapp:/@[16:02] # ee /etc/ssh/sshd_config
Port 2267
change the jail's SSH port to whatever port you like
webapp:/@[16:02] # sysrc sshd_enable=YES
webapp:/@[16:02] # service sshd start
The service is running; all that remains is to add a rule to the pf firewall.
Let's look at which IPs our jails have and what our "local network" looks like in general:
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
and add the rule:
# ee /etc/pf.conf
## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
Since we are here anyway, let's add the reverse proxy rules too:
## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# pfctl -f /etc/pf.conf
Now a little about bitcoin.
What we have is a web application exposed to the outside that talks to the payment gateway "locally". Next we need a working environment for interacting with the bitcoin network itself, that is, a node: bitcoind. It is just a daemon that keeps a local copy of the blockchain up to date. The daemon has RPC and wallet functionality, but for application development there are more convenient wrappers. First of all, electrum, a CLI wallet.
For now we will use Electrum with public servers, and start it in a separate jail:
# cbsd jsconstruct-tui
# cbsd jstart electrum
# jexec electrum
electrum:/@[8:45] # pkg install py36-electrum
The jail now holds another 700 MB of software.
electrum:/@[8:53] # adduser
Username: wallet
Full name:
Uid (Leave empty for default):
Login group [wallet]:
Login group is wallet. Invite wallet into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username : wallet
Password : <disabled>
Full Name :
Uid : 1001
Class :
Groups : wallet
Home : /home/wallet
Home Mode :
Shell : /bin/tcsh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet
wallet@electrum:/ % electrum-3.6 create
{
"msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
"path": "/usr/home/wallet/.electrum/wallets/default_wallet",
"seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}
The wallet has been created.
wallet@electrum:/ % electrum-3.6 listaddresses
[
"18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
"14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
"1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
...
"1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
"18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]
wallet@electrum:/ % electrum-3.6 help
From now on only a limited number of people will be able to connect to our on-chain wallet. To keep this jail unreachable from outside, SSH connections go through TOR (a distributed kind of VPN). We start SSH inside the jail but do not touch pf.conf on the host:
electrum:/@[9:00] # sysrc sshd_enable=YES
electrum:/@[9:00] # service sshd start
Next, let's cut the wallet off from the internet and take it off the network: give it an IP address from another subnet, one that is not NATed. First, change /etc/pf.conf on the host:
# ee /etc/pf.conf
JAIL_IP_POOL="192.168.0.0/24"
and change it to:
JAIL_IP_POOL="192.168.0.0/25"
So all the addresses 192.168.0.126-255 lose direct access to the internet, a kind of software "air gap" network. The NAT rule itself stays as it is:
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
Reload the rules:
# pfctl -f /etc/pf.conf
Then assign it to our jail:
# cbsd jconfig jname=electrum
jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200
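Shrinking the pool is the whole isolation mechanism here, so it is worth being able to say exactly which jail addresses still match the nat rule and which now sit on the non-NATed side. The following is an added example, not code from the original article: it parses the CIDR from pf.conf, classifies each address and prints a status line per jail. The jail table is constructed from the jls output shown in this article; on a real host you would pipe `jls` in instead. Note that 192.168.0.0/25 covers .0 to .127, so .128 to .255 are the addresses that no longer match.

```sh
# Added example, not from the original article: given the NAT pool from
# pf.conf, decide for each jail address whether it is still NATed or now sits
# on the non-NATed ("air-gapped") side. The jail table below is CONSTRUCTED
# from the jls output shown in the article; on a real host you would pipe
# `jls` in instead.

JAIL_IP_POOL="192.168.0.0/25"   # the value set in /etc/pf.conf above

# ip_to_int A.B.C.D: dotted quad -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS: exit 0 when IP lies inside NET/BITS, 1 otherwise.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# nat_status IP: "NAT" if the address matches the pool, else "air-gapped".
nat_status() {
    if in_cidr "$1" "$JAIL_IP_POOL"; then echo NAT; else echo air-gapped; fi
}

# Constructed jls-style table: JID, IP address, hostname.
sample_jls() {
    cat <<'EOF'
1 192.168.0.1 bitcoind.space.com
2 192.168.0.2 tor.space.com
7 192.168.0.200 electrum.space.com
8 192.168.0.6 polipo.space.com
EOF
}

# report: print every jail with its NAT status.
report() {
    sample_jls | while read -r jid ip host; do
        printf '%-3s %-15s %-22s %s\n' "$jid" "$ip" "$host" "$(nat_status "$ip")"
    done
}

report
```

Run it after every change to JAIL_IP_POOL or to a jail's ip4_addr: a wallet jail that unexpectedly shows up as "NAT" is exactly the misconfiguration this layout is meant to prevent.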
Now nothing in the jail can reach the network from this node. But we can point the system at a proxy. There is one thing, though: TOR is a SOCKS5 proxy, and for convenience we need an HTTP proxy:
# cbsd jsconstruct-tui
# cbsd jstart polipo
# jexec polipo
polipo:/@[9:28] # pkg install polipo
polipo:/@[9:28] # ee /usr/local/etc/polipo/config
socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5
polipo:/@[9:42] # sysrc polipo_enable=YES
polipo:/@[9:43] # service polipo start
Now our system has two proxy servers, both exiting through TOR: socks5://192.168.0.2:9050 and http://192.168.0.6:8123.
Now we can set up the wallet environment:
# jexec electrum
electrum:/@[9:45] # su wallet
wallet@electrum:/ % ee ~/.cshrc
#in the end of file proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123
Now the shell works through the proxy. To install packages, the following has to be added to /usr/local/etc/pkg.conf inside the jail's root:
pkg_env: {
http_proxy: "http://my_proxy_ip:8123",
}
Now let's add a TOR hidden service as the address of the SSH service inside the wallet jail:
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22
tor:/@[10:01] # mkdir /var/db/tor/electrum
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum
tor:/@[10:01] # chmod 700 /var/db/tor/electrum
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/electrum/hostname
mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
This is the address to connect to. Let's check from a local machine. But first an SSH key needs to be added:
wallet@electrum:/ % mkdir ~/.ssh
wallet@electrum:/ % ee ~/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local
On the Linux client machine:
user@local ~$ nano ~/.ssh/config
#remote electrum wallet
Host remotebtc
User wallet
Port 22
Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p
Connect (for this to work, a local TOR daemon listening on 9050 is needed):
user@local ~$ ssh remotebtc
The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
-- Dru <[email protected]>
wallet@electrum:~ % logout
Success!
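Two things are worth verifying before relying on a hidden service like this one: that the name Tor wrote to HiddenServiceDir/hostname is a well-formed v3 address (a mistyped or truncated name silently becomes a different, possibly nonexistent, service), and that the directory really has the owner and mode Tor requires, since Tor refuses to publish a service whose directory is readable by others. The following is an added example, not code from the original article. The onion names are the ones printed in this article; the directory used in the stand-alone run is a constructed temporary one owned by the current user, standing in for /var/db/tor/electrum owned by _tor.

```sh
# Added example, not from the original article: two checks worth running
# before trusting a freshly created hidden service. is_v3_onion checks that
# the name Tor wrote to HiddenServiceDir/hostname is a well-formed v3
# address; hs_dir_ok checks the directory has the owner and mode Tor
# requires (the article sets _tor and 700). The onion names below are the
# ones printed in the article; the directory used in the stand-alone run is
# a CONSTRUCTED temporary one owned by the current user.

# is_v3_onion NAME: a v3 onion address is 56 base32 characters (a-z, 2-7)
# plus ".onion"; because the version byte is 3, the 56th character is always
# "d". Anything shorter is an old v2 address or a typo.
is_v3_onion() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{55}d\.onion$'
}

# hs_dir_ok DIR OWNER: exit 0 when DIR is a directory owned by OWNER with
# mode 700 (drwx------). Tor refuses to start a hidden service whose
# directory is readable by others. DIR must not contain whitespace.
hs_dir_ok() {
    dir="$1"; owner="$2"
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")          # fields: mode links owner group ...
    case "$1" in drwx------*) ;; *) return 1 ;; esac
    [ "$3" = "$owner" ]
}

# Stand-alone run: a too-open directory is rejected, a 700 one is accepted,
# and the article's two onion names pass while a short name fails.
demo() {
    me=$(id -un)
    d=$(mktemp -d)
    chmod 755 "$d"
    if hs_dir_ok "$d" "$me"; then echo "BUG: 755 accepted"; else echo "rejected 755 on $d"; fi
    chmod 700 "$d"
    if hs_dir_ok "$d" "$me"; then echo "accepted 700 on $d"; fi
    rm -rf "$d"
    for name in mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion \
                en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion \
                example.onion; do
        if is_v3_onion "$name"; then echo "v3 ok:  $name"; else echo "not v3: $name"; fi
    done
}

demo
```

On the host you would call hs_dir_ok /var/db/tor/electrum _tor from inside the tor jail. The "yes" typed at the host-key prompt above is a trust-on-first-use decision; the corresponding check is to compare the fingerprint shown with the one printed by ssh-keygen -lf on the jail's own host key, which you can read through jexec before the first connection.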
For instant and micropayments we need a c-lightning node, which needs bitcoind in order to work, and that we already have.
*There are various implementations of the Lightning Network protocol in various languages. Of those we tested, c-lightning (written in C) seemed the most stable and resource-efficient.
# cbsd jsconstruct-tui
# cbsd jstart cln
# jexec cln
lightning:/@[10:23] # adduser
Username: lightning
...
lightning:/@[10:24] # pkg install git
lightning:/@[10:23] # su lightning
cd ~ && git clone https://github.com/ElementsProject/lightning
lightning@lightning:~ % exit
lightning:/@[10:30] # cd /home/lightning/lightning/
lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils
lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install
While everything needed is compiling and installing, let's create an RPC user for lightningd in bitcoind:
# jexec bitcoind
bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf
rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32
bitcoind:/@[10:39] # service bitcoind restart
Chaotic switching between jails turns out to be less chaotic if you turn to the tmux utility, which lets you create several terminal sub-sessions within one session (the analogue of screen).
So, we want to run all financial transactions through TOR so as not to reveal the node's real IP. That means we need another .onion:
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735
tor:/@[10:01] # mkdir /var/db/tor/cln
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln
tor:/@[10:01] # chmod 700 /var/db/tor/cln
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/cln/hostname
en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion
Next, let's create the c-lightning configuration:
lightning:/home/lightning/lightning@[10:31] # su lightning
lightning@lightning:~ % mkdir .lightning
lightning@lightning:~ % ee .lightning/config
alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000
# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko
sparko-host=192.168.0.7
sparko-port=9737
sparko-tls-path=sparko-tls
#sparko-login=mywalletusername:mywalletpassword
#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like
lightning@lightning:~ % mkdir .lightning/plugins
lightning@lightning:~ % cd .lightning/plugins/
lightning@lightning:~/.lightning/plugins:% fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048
lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650
lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko
lightning@lightning:~/.lightning/plugins % cd ~
We also need a configuration file for the bitcoin-cli utility, which talks to bitcoind:
lightning@lightning:~ % mkdir .bitcoin
lightning@lightning:~ % ee .bitcoin/bitcoin.conf
rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test
Check:
lightning@lightning:~ % bitcoin-cli echo "test"
[
"test"
]
Start lightningd:
lightning@lightning:~ % lightningd --daemon
lightningd itself is controlled with the lightning-cli utility, for example:
lightning-cli newaddr
returns an address for a new payment:
{
"address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
"bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}
lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all
sends all the money in the wallet to an address (all of this is on-chain).
The commands for off-chain operations are lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay and so on.
For communication with the application there is a REST API:
curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access masterkey'
Summary
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
7 192.168.0.200 electrum.space.com /zroot/jails/jails/electrum
8 192.168.0.6 polipo.space.com /zroot/jails/jails/polipo
9 192.168.0.7 lightning.space.com /zroot/jails/jails/cln
We have a set of containers, each with its own level of access, both from the local network and to it.
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zroot 279G 1.48T 88K /zroot
zroot/ROOT 1.89G 1.48T 88K none
zroot/ROOT/default 1.89G 17.6G 1.89G /
zroot/home 88K 1.48T 88K /home
zroot/jails 277G 1.48T 404M /zroot/jails
zroot/jails/bitcoind 190G 1.48T 190G /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln 653M 1.48T 653M /zroot/jails/jails-data/cln-data
zroot/jails/electrum 703M 1.48T 703M /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev 190M 1.48T 190M /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw 82.4G 1.48T 82.4G /zroot/jails/jails-data/paygw-data
zroot/jails/polipo 57.6M 1.48T 57.6M /zroot/jails/jails-data/polipo-data
zroot/jails/tor 81.5M 1.48T 81.5M /zroot/jails/jails-data/tor-data
zroot/jails/webapp 360M 1.48T 360M /zroot/jails/jails-data/webapp-data
As you can see, bitcoin takes up all of 190 GB. What if another node is needed for testing? This is where ZFS helps. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com a snapshot is created and a new jail is attached to it. The new jail has its own space, but the file system only accounts for the difference between the current and the original state (saving at least 190 GB).
Each jail is its own separate ZFS dataset, which is very convenient.
It is also worth noting the need for remote monitoring of the host.
B - Security
As for security, let's start from the basic principles in the context of the infrastructure.
Confidentiality: the standard tools of UNIX-like systems guarantee this principle. Access to each logically isolated element of the system (jail) is logically separated. Access is granted by standard user authentication with the user's personal key. All communication between and to the end jails is encrypted. Thanks to disk encryption, we need not worry about data safety when a disk is replaced or migrated to another server. The only critical access is access to the host system, because such access usually gives access to the data inside the containers.
Integrity: this principle is implemented at several different levels. First, it is important to note that with server hardware and ECC memory, ZFS already takes care of data integrity at the block level out of the box. Instant snapshots let you make a backup at any time while running. Convenient jail export/import tools make replicating jails easy.
Availability: this is already optional. It depends on how well known you are and whether someone dislikes you. In this example we made the wallet reachable only from the TOR network. If needed, you can block everything on the firewall and allow access to the server only through a tunnel (TOR or VPN is a separate matter). Then the server is shut off from the outside world as far as possible, and only we ourselves can affect its availability.
Non-repudiation: this depends on following correct policies in day-to-day operation, regarding user rights, access and so on. With the right approach, for example auditing all user actions, the cryptographic solutions make it possible to identify unambiguously who performed a given action and when.
Of course, the configuration described is not an absolute example of how it should always be done, but one example of how it can be built while keeping very flexible scaling and customisation options.
What about full virtualisation?
For full virtualisation with CBSD the following is possible with bhyve. A few kernel options have to be enabled:
# cat /etc/rc.conf
...
kld_list="vmm if_tap if_bridge nmdm"
...
# cat /boot/loader.conf
...
vmm_load="YES"
...
So if you suddenly need to run Docker, install debian and run it there.
That's all.
I think that is all I wanted to share. If you liked the article, send some bitcoin -
Source: habr.com