It so happens that by profession I am an administrator of computer systems and networks (in short: a system administrator), and for more than ten years I have worked professionally with a wide variety of systems, including those that require [heightened] security measures. It also so happened that some time ago I found it interesting dev
, so, I was just passing by). But I am not talking about development; I am talking about a secure and efficient environment for applications.
Financial technology (fintech) goes hand in hand with information security (infosec), and the first can work without the second, but not for long. That is why I want to share my experience and the set of tools I use, which covers both fintech and infosec at the same time, and can also be used for a broader or entirely different purpose. In this article I will tell you not so much about Bitcoin as about a model of infrastructure for developing and operating financial (and not only financial) services; in a word, those services where the "B" matters. This applies both to a Bitcoin exchange and to the typical corporate zoo of services of a small company that has nothing to do with Bitcoin.
I should note that I am a supporter of the principles "keep it simple" and "less is more", so both the article and what it describes will have the properties those principles imply.
Hypothetical scenario: let's look at everything using the example of a bitcoin exchanger. We decided to start exchanging rubles, dollars and euros for bitcoins and back, and we already have a working solution, but for other digital money such as qiwi and webmoney, i.e. we have closed all the legal issues and we have a ready-made application that serves as a payment gateway for rubles, dollars, euros and other payment systems. It is connected to our bank accounts and has some kind of API for our end applications. We also have a web application that acts as the exchanger for users, much like a typical qiwi or webmoney account: create an account, add a card, and so on. It talks to our gateway application, albeit over a REST API on the local network. And so we decided to add bitcoins and at the same time upgrade the infrastructure, because ... Initially everything was hastily brought up on virtual boxes in the office under the table ... the site started to be used, and we began to worry about uptime and performance.
So, let's start with the main thing: choosing a server. Since the business in our example is small and we trust the hoster (OVH), we will choose
Installing the server
Everything is simple here. We choose hardware that suits our needs. Then we select the FreeBSD image. Or we connect (in the case of another hoster or our own hardware) via IPMI or with a monitor and feed the FreeBSD .iso image into the boot. For orchestration I use
The system installation proceeds in the standard way and I will not dwell on it; I will only note that before putting the system into operation it is worth paying attention to the hardening options that bsdinstaller offers at the end of the installation (if you install the system yourself).
It is also possible to enable the parameters mentioned above on an already installed system. To do this, edit the startup configuration files and set the kernel parameters. *ee is an editor of sorts in BSD
# ee /etc/rc.conf
...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
# ee /etc/sysctl.conf
...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
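# sysctl.conf is not processed by a shell, so $(jot -r 1 9999) would not be expanded; 1 selects a random PID modulus
kern.randompid=1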
security.bsd.stack_guard_page=1
You should also make sure that you have the latest version of the system installed, and
Then we configure aide to monitor the state of the system's configuration files. You can read about it in more detail
pkg install aide
and edit our crontab
crontab -e
06 01 * * 0-6 /root/chkaide.sh
#! /bin/sh
#chkaide.sh
MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/local/bin/aide --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/usr/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
We enable
sysrc auditd_enable=YES
# service auditd start
How to administer this is described thoroughly in
Now we reboot and move on to the software on the server. Each server is a hypervisor for containers or full virtual machines. Therefore it is important that the processor supports VT-x and EPT if we plan to use full virtualization.
To manage containers and virtual machines I use
Containers? Docker again, or what?
But no. cbsd to orchestrate these containers, which are called jails.
A jail is a very efficient solution for building infrastructure for various purposes where complete isolation of individual services or processes is required. In essence it is a clone of the host system, but it does not require full hardware virtualization. Thanks to this, resources are not spent on a "guest OS", only on the work being performed. When jails are used for internal needs, this is a very convenient solution for optimal resource use: each jail in a group on one hardware server can use the entire server's resources if needed. Given that different services usually need extra resources at different times, you can extract maximum performance from one server if you plan properly and balance the jails between servers. If necessary, jails can also be given limits on the resources they consume.
What about full virtualization?
As far as I know, cbsd supports working with the bhyve and XEN hypervisors. I have never used the second, but I started using the first fairly recently; bhyve appears in the example below.
Installing and Configuring the Host Environment
We use the FS
gpart add -t freebsd-zfs /dev/ada0
/dev/ada0p4 added!
add a disk partition on the remaining space
geli init /dev/ada0p4
enter our encryption password
geli attach /dev/ada0p4
We enter the password again and we have the device /dev/ada0p4.eli: this is our encrypted space. Then we repeat the same for /dev/ada1 and the other disks in the array. And we create a new one
zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli
- Well, we have the minimal combat kit ready. A mirrored array of disks in case one of the three fails.
Creating a dataset on the new "pool"
zfs create vms/jails
pkg install cbsd
- we ran the command and installed the management tool for our jails.
After cbsd is installed, it needs to be initialized:
# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv
Well, we answer a bunch of questions, mostly with the default answers.
*If you use encryption, it is important that the cbsdd daemon does not start automatically until you have decrypted the disks, manually or automatically (in our example this is done by zabbix)
**I also do not use the NAT from cbsd; I configure it myself in pf.
# sysrc pf_enable=YES
# ee /etc/pf.conf
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"
#WHITE_CL="{ 127.0.0.1 }"
icmp_types="echoreq"
set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all
#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# service pf start
# pfctl -f /etc/pf.conf
Setting up firewall policies is also a separate topic, so I will not go deep into setting up the BLOCK ALL policy and configuring whitelists; you can do this by reading
Well ... we have installed cbsd, and it is time to create our first workhorse: the jailed Bitcoin daemon!
cbsd jconstruct-tui
Here we see the jail creation dialog. After all the values are set, let's create it!
When creating your first jail, you have to choose what to use as the base for jails. I choose the distribution from the FreeBSD repository with the command repo. This choice is made only when creating the first jail of a specific version (you can host jails of any version that is older than the host version).
After everything is installed, we start the jail!
# cbsd jstart bitcoind
But we need to install software in the jail.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
jexec bitcoind
to get into the jail
and, already inside the jail, we install the software with its dependencies (our host system remains clean)
bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils
bitcoind:/@[15:30] # sysrc bitcoind_enable=YES
bitcoind:/@[15:30] # service bitcoind start
There is Bitcoin in the jail, but we need anonymity because we want to connect to some nodes through the TOR network. In general, we plan to run most jails with suspicious software only through a proxy. Thanks to pf you can disable NAT for a certain range of IP addresses on the local network and allow NAT only for our TOR node. Thus, even if malware gets into a jail, it will most likely not be able to communicate with the outside world, and if it does, it will not reveal the IP of our server. Therefore, we create another jail to "forward" services as a ".onion" service and to act as a proxy for Internet access for individual jails.
# cbsd jconstruct-tui
# cbsd jstart tor
# jexec tor
tor:/@[15:38] # pkg install tor
tor:/@[15:38] # sysrc tor_enable=YES
tor:/@[15:38] # ee /usr/local/etc/tor/torrc
Set it to listen on the local address (available to all jails)
SOCKSPort 192.168.0.2:9050
What else do we need for complete happiness? Yes, we need a service for our web, maybe more than one. Let's start nginx, which will act as a reverse proxy and take care of renewing the Let's Encrypt certificates
# cbsd jconstruct-tui
# cbsd jstart nginx-rev
# jexec nginx-rev
nginx-rev:/@[15:47] # pkg install nginx py36-certbot
And so we put 150 MB of dependencies into the jail. And the host is still clean.
Let's come back to configuring nginx later; we need to bring up two more jails, one for our payment gateway on nodejs and rust and one for the web application, which for some reason is on Apache and PHP, and the latter also needs a MySQL database.
# cbsd jconstruct-tui
# cbsd jstart paygw
# jexec paygw
paygw:/@[15:55] # pkg install git node npm
paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
...and another 380 MB of isolated packages
Next, we download our application with git and start it.
# cbsd jconstruct-tui
# cbsd jstart webapp
# jexec webapp
webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql
450 MB of packages. In the jail.
Here we give the developer access via SSH directly to the jail; they will do everything there themselves:
webapp:/@[16:02] # ee /etc/ssh/sshd_config
Port 2267
- change the jail's SSH port to any arbitrary one
webapp:/@[16:02] # sysrc sshd_enable=YES
webapp:/@[16:02] # service sshd start
Well, the service is running; all that remains is to add a rule to the pf firewall
Let's see what IPs our jails have and what our "local network" looks like.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
and add a rule
# ee /etc/pf.conf
## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
Well, since we are here, let's also add a rule for the reverse proxy:
## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# pfctl -f /etc/pf.conf
Well, now a little about bitcoins
What we have is a web application that is exposed to the outside and talks locally to our payment gateway. Now we need to prepare a working environment for interacting with the Bitcoin network itself: the bitcoind node is just a daemon that keeps the local copy of the blockchain up to date. This daemon has RPC and wallet functionality, but there are more convenient "wrappers" for application development. To begin with, we decided to install electrum, a CLI wallet.
laptops. For now we will use Electrum with public servers, and later we will bring it up in another jail
# cbsd jconstruct-tui
# cbsd jstart electrum
# jexec electrum
electrum:/@[8:45] # pkg install py36-electrum
another 700 MB of software in our jail
electrum:/@[8:53] # adduser
Username: wallet
Full name:
Uid (Leave empty for default):
Login group [wallet]:
Login group is wallet. Invite wallet into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username : wallet
Password : <disabled>
Full Name :
Uid : 1001
Class :
Groups : wallet
Home : /home/wallet
Home Mode :
Shell : /bin/tcsh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet
wallet@electrum:/ % electrum-3.6 create
{
"msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
"path": "/usr/home/wallet/.electrum/wallets/default_wallet",
"seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}
Now we have a wallet created.
wallet@electrum:/ % electrum-3.6 listaddresses
[
"18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
"14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
"1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
...
"1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
"18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]
wallet@electrum:/ % electrum-3.6 help
From now on only a limited circle of people will be able to connect to our on-chain wallet. So as not to open access to this jail from outside, connections via SSH will go through TOR (a decentralized version of a VPN). We enable SSH in the jail, but do not touch our pf.conf on the host.
electrum:/@[9:00] # sysrc sshd_enable=YES
electrum:/@[9:00] # service sshd start
Now let's cut the wallet jail off from the Internet. Let's give it an IP address from another subnet range that is not NATed. First let's change /etc/pf.conf on the host
# ee /etc/pf.conf
JAIL_IP_POOL="192.168.0.0/24"
let's change it to JAIL_IP_POOL="192.168.0.0/25", so all addresses 192.168.0.126-255 will not have direct access to the Internet. A kind of software "air-gap" network. And the NAT rule stays as it was
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
Reloading the rules
# pfctl -f /etc/pf.conf
Now let's take up our jail
# cbsd jconfig jname=electrum
jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200
Hmm, but now the system itself will stop working for us. However, we can specify a system proxy. But there is one thing: TOR is a SOCKS5 proxy, and for convenience we would also like an HTTP proxy.
# cbsd jconstruct-tui
# cbsd jstart polipo
# jexec polipo
polipo:/@[9:28] # pkg install polipo
polipo:/@[9:28] # ee /usr/local/etc/polipo/config
socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5
polipo:/@[9:42] # sysrc polipo_enable=YES
polipo:/@[9:43] # service polipo start
Well, now there are two proxy servers in our system, and both exit through TOR: socks5://192.168.0.2:9050 and
Now we can configure our wallet environment
# jexec electrum
electrum:/@[9:45] # su wallet
wallet@electrum:/ % ee ~/.cshrc
#in the end of file proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123
Well, now the shell will work from behind the proxy. If we want to install packages, then we should add the following to /usr/local/etc/pkg.conf as root in the jail
pkg_env: {
http_proxy: "http://my_proxy_ip:8123",
}
Well, now it is time to add a TOR hidden service as the address of our SSH service in the wallet jail.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22
tor:/@[10:01] # mkdir /var/db/tor/electrum
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum
tor:/@[10:01] # chmod 700 /var/db/tor/electrum
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/electrum/hostname
mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
This is our connection address. Let's check it from the local machine. But first we need to add our SSH key:
wallet@electrum:/ % mkdir ~/.ssh
wallet@electrum:/ % ee ~/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local
Well, from the Linux client machine
user@local ~$ nano ~/.ssh/config
#remote electrum wallet
Host remotebtc
User wallet
Port 22
Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p
Let's connect (for this to work, you need a local TOR daemon listening on 9050)
user@local ~$ ssh remotebtc
The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
-- Dru <[email protected]>
wallet@electrum:~ % logout
Success!
To work with instant payments and micro-payments we also need a c-lightning node, which requires bitcoind to operate, but yes.
*There are different implementations of the Lightning Network protocol in different languages. Of those we tested, c-lightning (written in C) seemed the most stable and resource-efficient.
# cbsd jconstruct-tui
# cbsd jstart cln
# jexec cln
lightning:/@[10:23] # adduser
Username: lightning
...
lightning:/@[10:24] # pkg install git
lightning:/@[10:23] # su lightning
cd ~ && git clone https://github.com/ElementsProject/lightning
lightning@lightning:~ % exit
lightning:/@[10:30] # cd /home/lightning/lightning/
lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils
lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install
While everything needed is being compiled and installed, let's create an RPC user for lightningd in bitcoind
# jexec bitcoind
bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf
rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32
bitcoind:/@[10:39] # service bitcoind restart
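The configuration above keeps the RPC password in cleartext on the node and uses the same short string for user and password. As an added example (not part of the original article), the sketch below flags those settings in the article's bitcoin.conf and rewrites it to use a salted rpcauth entry in the format produced by Bitcoin Core's rpcauth.py helper; the user name "lightning" and the finding codes are hypothetical choices made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed input: the bitcoin.conf from the article's bitcoind jail.
ARTICLE_CONF = """\
rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32
"""


def _hmac_hex(salt, password):
    # rpcauth stores HMAC-SHA256 keyed with the salt string over the password.
    return hmac.new(salt.encode(), password.encode(), hashlib.sha256).hexdigest()


def make_rpcauth(username, password=None, salt=None):
    """Return (rpcauth config line, cleartext password for the client side)."""
    password = password or secrets.token_urlsafe(32)
    salt = salt or secrets.token_hex(16)
    return f"rpcauth={username}:{salt}${_hmac_hex(salt, password)}", password


def verify_rpcauth(line, username, password):
    """Recompute the HMAC for a login attempt and compare in constant time."""
    user, _, rest = line.partition("=")[2].partition(":")
    salt, _, digest = rest.partition("$")
    return user == username and hmac.compare_digest(_hmac_hex(salt, password), digest)


def parse_conf(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs


def lint_conf(text):
    """Return finding codes (hypothetical names) for weak RPC auth settings."""
    conf = dict(parse_conf(text))
    findings = []
    password = conf.get("rpcpassword")
    if password is not None:
        findings.append("plaintext-rpcpassword")
        if password == conf.get("rpcuser"):
            findings.append("password-equals-user")
        if len(password) < 16:
            findings.append("short-password")
    if "rpcbind" in conf and "rpcallowip" not in conf:
        findings.append("rpcbind-without-rpcallowip")
    return findings


def harden_conf(text, username):
    """Replace rpcuser/rpcpassword with an rpcauth line; keep everything else."""
    auth_line, password = make_rpcauth(username)
    kept = [l for l in text.splitlines()
            if l.split("=", 1)[0].strip() not in ("rpcuser", "rpcpassword")]
    return "\n".join(kept + [auth_line]) + "\n", password


if __name__ == "__main__":
    print(lint_conf(ARTICLE_CONF))
    hardened, client_password = harden_conf(ARTICLE_CONF, "lightning")
    print(hardened, lint_conf(hardened))
```

With this change only the client side (the .bitcoin/bitcoin.conf in the lightning jail) holds the generated password, as rpcuser=lightning and rpcpassword=<generated value>.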
My chaotic switching between jails turns out to be not so chaotic if you note that I use tmux, which lets you create multiple terminal sub-sessions within one session. Analogue: screen
So, we do not want to reveal the real IP of our node, and we want to conduct all financial operations through TOR. Therefore, one more .onion is needed.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735
tor:/@[10:01] # mkdir /var/db/tor/cln
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln
tor:/@[10:01] # chmod 700 /var/db/tor/cln
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/cln/hostname
en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion
Now let's create the config for c-lightning
lightning:/home/lightning/lightning@[10:31] # su lightning
lightning@lightning:~ % mkdir .lightning
lightning@lightning:~ % ee .lightning/config
alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000
# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko
sparko-host=192.168.0.7
sparko-port=9737
sparko-tls-path=sparko-tls
#sparko-login=mywalletusername:mywalletpassword
#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like
lightning@lightning:~ % mkdir .lightning/plugins
lightning@lightning:~ % cd .lightning/plugins/
lightning@lightning:~/.lightning/plugins % fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko
lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/plugins % cd ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048
lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650
lightning@lightning:~/.lightning/sparko-tls % cd ~
you also need to create a configuration file for bitcoin-cli, the tool that communicates with bitcoind
lightning@lightning:~ % mkdir .bitcoin
lightning@lightning:~ % ee .bitcoin/bitcoin.conf
rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test
check
lightning@lightning:~ % bitcoin-cli echo "test"
[
"test"
]
launch lightningd
lightning@lightning:~ % lightningd --daemon
lightningd itself can be controlled with the lightning-cli utility, for example:
lightning-cli newaddr
get an address for a new incoming payment
{
"address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
"bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}
lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all
send all the money in the wallet to the address (all on-chain addresses)
There are also commands for off-chain operations: lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay, etc.
Well, to communicate with the application we have a REST API
curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access: masterkey'
Let's sum up
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
7 192.168.0.200 electrum.space.com /zroot/jails/jails/electrum
8 192.168.0.6 polipo.space.com /zroot/jails/jails/polipo
9 192.168.0.7 lightning.space.com /zroot/jails/jails/cln
We have a set of containers, each with its own level of access from and to the local network.
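An added example (not from the original article) that audits this layout: it parses the pf.conf fragments and the jls listing shown above, both embedded as constructed input, and reports for each jail whether it falls inside the NAT pool and which public ports are redirected to it. The parser handles only the simple nat/rdr forms used in this article.

```python
import ipaddress
import re

# Constructed input: the article's pf.conf fragments joined in order, with
# JAIL_IP_POOL already narrowed to /25.
PF_CONF = """\
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/25"
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
"""

# Constructed input: the final jls listing from the article.
JLS = """\
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
7 192.168.0.200 electrum.space.com /zroot/jails/jails/electrum
8 192.168.0.6 polipo.space.com /zroot/jails/jails/polipo
9 192.168.0.7 lightning.space.com /zroot/jails/jails/cln
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
MACRO_USE = re.compile(r'\$(\w+)')
NAT_RULE = re.compile(r'^nat\b.*\bfrom\s+(\S+)\s+to\b')
RDR_RULE = re.compile(r'^rdr\b.*\bport\s+(\{[^}]*\}|\S+)\s*->\s*(\S+)')


def parse_pf(text):
    """Return (nat_networks, {target_ip: [ports]}) from simple nat/rdr rules."""
    macros, nat_nets, forwards = {}, [], {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = MACRO_DEF.match(line)
        if m:
            # pf expands macros as it parses, so a redefinition only affects later rules.
            macros[m.group(1)] = m.group(2)
            continue
        line = MACRO_USE.sub(lambda u: macros[u.group(1)], line)
        m = NAT_RULE.match(line)
        if m:
            nat_nets.append(ipaddress.ip_network(m.group(1)))
            continue
        m = RDR_RULE.match(line)
        if m:
            ports = [int(p) for p in re.findall(r'\d+', m.group(1))]
            forwards.setdefault(ipaddress.ip_address(m.group(2)), []).extend(ports)
    return nat_nets, forwards


def audit(pf_text=PF_CONF, jls_text=JLS):
    """Map each jail name to its outbound-NAT status and inbound ports."""
    nat_nets, forwards = parse_pf(pf_text)
    report = {}
    for row in jls_text.splitlines():
        fields = row.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # header or malformed row
        ip = ipaddress.ip_address(fields[1])
        name = fields[3].rsplit('/', 1)[-1]
        report[name] = {
            'outbound_nat': any(ip in net for net in nat_nets),
            'inbound_ports': sorted(forwards.get(ip, [])),
        }
    return report


if __name__ == '__main__':
    for name, info in audit().items():
        print(f"{name:10} nat={info['outbound_nat']!s:5} in={info['inbound_ports']}")
```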
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zroot 279G 1.48T 88K /zroot
zroot/ROOT 1.89G 1.48T 88K none
zroot/ROOT/default 1.89G 17.6G 1.89G /
zroot/home 88K 1.48T 88K /home
zroot/jails 277G 1.48T 404M /zroot/jails
zroot/jails/bitcoind 190G 1.48T 190G /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln 653M 1.48T 653M /zroot/jails/jails-data/cln-data
zroot/jails/electrum 703M 1.48T 703M /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev 190M 1.48T 190M /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw 82.4G 1.48T 82.4G /zroot/jails/jails-data/paygw-data
zroot/jails/polipo 57.6M 1.48T 57.6M /zroot/jails/jails-data/polipo-data
zroot/jails/tor 81.5M 1.48T 81.5M /zroot/jails/jails-data/tor-data
zroot/jails/webapp 360M 1.48T 360M /zroot/jails/jails-data/webapp-data
As you can see, bitcoind takes up all of 190 GB of space. What if we need another node for testing? This is where ZFS comes in handy. With the help of cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com
you can create a snapshot and attach a new jail to this snapshot. The new jail will have its own space, but only the difference between the current state and the original will be counted in the file system (we will save at least 190 GB)
Each jail is its own separate ZFS dataset, and this is extremely convenient.
It is also important to note the need for remote monitoring of the host; for these purposes we have
B - security
As for security, let's start from the key principles in the context of infrastructure:
Confidentiality - The standard tools of UNIX-like systems ensure the implementation of this principle. We logically separate access to each logically separated element of the system: the jail. Access is granted through standard user authentication using the users' personal keys. All communication between the jails and to the end jails happens in encrypted form. Thanks to disk encryption, we do not have to worry about data safety when replacing a disk or migrating to another server. The only critical access is access to the host system, since such access generally provides access to the data inside the containers.
Integrity - The implementation of this principle happens on several levels. First, it is important to note that in the case of server hardware, ECC memory and ZFS take care of data integrity "out of the box" at the level of bits of information. Instant snapshots allow you to make backups at any time on the fly. Convenient jail export/import tools make jail replication simple.
Availability - This is already optional. It depends on the degree of your fame and on whether you have haters. In our example, we made sure that the wallet was accessible only from the TOR network. If necessary, you can block everything on the firewall and allow access to the server only through tunnels (TOR or VPN is another matter). Thus, the server will be cut off from the outside world as much as possible, and only we ourselves will be able to affect its availability.
Non-repudiation - And this depends on further operation and on following the correct policies for user rights, access, and so on. But with the right approach, all user actions are audited, and thanks to cryptographic solutions it is possible to unambiguously identify who performed certain actions and when.
Of course, the configuration described is not an absolute example of how it should always be; rather, it is one example of how it can be, while retaining very flexible options for scaling and customization.
What about full virtualization?
For full virtualization using cbsd you can use bhyve. You need to enable some kernel options.
# cat /etc/rc.conf
...
kld_list="vmm if_tap if_bridge nmdm"
...
# cat /boot/loader.conf
...
vmm_load="YES"
...
So if you suddenly need to start docker, install some debian and go!
That's all
I guess that is all I wanted to share. If you liked the article, you can send me some bitcoins -
Source: www.habr.com