It so happens that by profession I am a computer systems and networks administrator (in short: a sysadmin), and for a little over 10 years I have had the chance to work professionally on the operation of all sorts of systems, including ones that demand [extreme] security measures. Besides that, some time ago I got interested in dev, so I was just passing through). But I'm not going to talk about development; I'm talking about a secure and efficient environment for applications.
Put financial technology (fintech) next to information security (infosec): the first can work without the second, but not for long. So I want to share my experience and the set of tools I use myself, which covers both fintech and infosec and can just as well be used for broader or entirely different purposes. In this article I'm going to talk not about Bitcoin, but about an infrastructure model for developing and operating financial (and not only financial) services; in a word, services where the "B" matters. This applies equally to a Bitcoin exchange and to the most typical zoo of corporate services in a small company that has nothing to do with Bitcoin.
I'd like to note that I'm a proponent of the principles "Keep it simple, stupid" and "less is more", so both the article and what it describes will bear the marks of those principles.
Hypothetical scenario: let's walk through everything using a Bitcoin exchanger as the example. We've decided to start exchanging rubles, dollars and euros for bitcoins and back, and we already have a working solution, but for other digital money such as qiwi and webmoney. That is, we've closed all the legal questions, and we have a ready application that serves as a payment gateway for rubles, dollars, euros and other payment systems. It is connected to our bank accounts and has some kind of API for our end applications. We also have a web application that acts as the exchanger for users, like a regular qiwi or webmoney account: create an account, add a card, and so on. It talks to our gateway application over a REST API, if only within the local network. And so we decided to add bitcoins and at the same time upgrade the infrastructure, because... initially everything had been hastily dumped onto virtual boxes in the office under the desk... the site started getting used, and we began to worry about uptime and performance.
So, let's start with the basics: choosing a server. Since the business in our example is small and we trust the hoster we've chosen (OVH)
Setting up the server
Everything is simple here. We pick hardware that fits our needs. Then we select the FreeBSD image. Or (with another hoster, or on our own hardware) we connect over IPMI or a monitor and point it at the FreeBSD .iso image to boot. For installation I use the orchestrator
The system is installed in the standard way, so I won't dwell on it; I'll only note that before you start working you should pay attention to the hardening options that bsdinstaller offers at the end of the installation (if you install the system yourself).
The options listed above can also be enabled on an already installed system. To do that, edit the startup configuration files and enable the kernel parameters. *ee is the editor used below; it ships with BSD
# ee /etc/rc.conf
...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
# ee /etc/sysctl.conf
...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
# sysctl.conf is not shell-expanded: use a literal non-zero number here (bsdinstall writes a random one)
kern.randompid=4213
security.bsd.stack_guard_page=1
You also need to make sure the latest version of the system is installed and
Then we install aide to track the state of the system configuration files. You can read about it in more detail
pkg install aide
and edit our crontab
crontab -e
06 01 * * 0-6 /root/chkaide.sh
#! /bin/sh
#chkaide.sh
MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/local/bin/aide --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/usr/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
Enable auditd
sysrc auditd_enable=YES
# service auditd start
How to manage it is described in full in the article
Now we reboot and move on to the server's software. Every server is a hypervisor for containers or full virtual machines. So if we plan to use full virtualization, it's important that the processor supports VT-x and EPT.
To manage containers and virtual machines I use cbsd.
Containers? Docker again, or what?
No. cbsd orchestrates these containers, which are called jails.
A jail is a very efficient solution for building infrastructure for all sorts of purposes where full isolation of individual services or processes is required. Essentially it's a clone of the host system, but it doesn't require full hardware virtualization. As a result, resources are not spent on a "guest OS", only on the work being done. When jails are used for internal needs, this is a very convenient solution for optimal resource use: a set of jails on a single hardware server can, if needed, each use the resources of the whole server, given that different sub-services usually demand extra resources at different times. If you plan and balance jails across servers properly, you can get the maximum performance out of a single server. If necessary, jails can also be given limits on the resources they use.
What about full virtualization?
I know that cbsd supports working with the bhyve and XEN hypervisors. I've never used the latter; the former, the relatively new bhyve, appears in the example below.
Installing and configuring the host environment
We'll use ZFS as the file system
gpart add -t freebsd-zfs /dev/ada0
/dev/ada0p4 added!
add a partition in the remaining disk space
geli init /dev/ada0p4
enter our encryption password
geli attach /dev/ada0p4
We enter the password again, and we have the device /dev/ada0p4.eli, our encrypted space. Then we repeat the same for /dev/ada1 and the remaining disks in the array. And we create a new pool
zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli
Well, our minimal combat kit is ready: a mirrored array of disks that keeps working when one of the three fails.
Create a dataset in the new pool
zfs create vms/jails
pkg install cbsd
we ran the command and installed the manager for our jails.
Then, once cbsd is installed, it needs to be initialized:
# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv
Then we answer a few questions, mostly with the default answers.
*If you use encryption, it's important that the cbsdd daemon does not start automatically until the disks have been decrypted, manually or automatically (in our example this is done by zabbix).
** I also don't use NAT from cbsd; I configure pf myself.
# sysrc pf_enable=YES
# ee /etc/pf.conf
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"
#WHITE_CL="{ 127.0.0.1 }"
icmp_types="echoreq"
set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all
#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# service pf start
# pfctl -f /etc/pf.conf
Setting up firewall rules is a separate topic too, so I won't go deep into setting a BLOCK ALL policy and whitelists; you can do that by reading
Well... we have cbsd installed; it's time to create our first workhorse, the Bitcoin daemon in a jail!
cbsd jconstruct-tui
Here we see the jail creation dialog. Once all the values are set, let's create it!
When creating the first jail you have to choose what to use as the base for the jails. I choose the distribution from the FreeBSD repository with the repo command. This choice is made only when creating the first jail of a particular version (you can deploy jails of any version older than the host's).
Once everything is set, we start the jail!
# cbsd jstart bitcoind
But we need to install software in the jail.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
jexec bitcoind
to get into the jail console
and already inside the jail we install the software with its dependencies (our host system stays clean)
bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils
bitcoind:/@[15:30] # sysrc bitcoind_enable=YES
bitcoind:/@[15:30] # service bitcoind start
There is Bitcoin in the jail, but we need anonymity, because we want to connect some jails through the TOR network. In general, we plan to run most jails with questionable software only through a proxy. Thanks to pf, you can disable NAT for a certain range of IP addresses in the local network and allow NAT only for our TOR node. So even if malware gets into a jail, it won't communicate with the outside world, and if it does, it won't reveal our server's IP. So we create another jail to "forward" services as .onion services and to act as a proxy for Internet access for individual jails.
# cbsd jconstruct-tui
# cbsd jstart tor
# jexec tor
tor:/@[15:38] # pkg install tor
tor:/@[15:38] # sysrc tor_enable=YES
tor:/@[15:38] # ee /usr/local/etc/tor/torrc
Configure it to listen on the local address (reachable from all jails)
SOCKSPort 192.168.0.2:9050
What else do we need for complete happiness? Right, we need a service for our website, maybe several. We'll run Nginx, which will act as a reverse proxy and take care of renewing the Let's Encrypt certificates.
# cbsd jconstruct-tui
# cbsd jstart nginx-rev
# jexec nginx-rev
nginx-rev:/@[15:47] # pkg install nginx py36-certbot
So we've stuffed 150 MB of dependencies into the jail. And the host is still clean.
We'll come back to configuring nginx later; now we need to bring up two more jails: one for our payment gateway in nodejs and rust, and one for the web application, which for some reason lives on Apache and PHP, and the latter needs a MySQL database.
# cbsd jconstruct-tui
# cbsd jstart paygw
# jexec paygw
paygw:/@[15:55] # pkg install git node npm
paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
...and another 380 MB of packages allocated
Next we'll pull our application with git and start it.
# cbsd jconstruct-tui
# cbsd jstart webapp
# jexec webapp
webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql
450 MB of packages. In the jail.
Here we give the developer SSH access straight into the jail; they'll do everything there themselves:
webapp:/@[16:02] # ee /etc/ssh/sshd_config
Port 2267
change the jail's SSH port to any arbitrary port
webapp:/@[16:02] # sysrc sshd_enable=YES
webapp:/@[16:02] # service sshd start
Well, the service is running; all that's left is to add a rule to the pf firewall.
Let's see what IPs our jails have and what our "local area" looks like.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
and add a rule
# ee /etc/pf.conf
## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
Well, while we're at it, let's add a rule for the reverse proxy too:
## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# pfctl -f /etc/pf.conf
Well, now a bit about bitcoins
What we have is a web application with an external presence that talks locally to our payment gateway. Now we need to prepare a working environment for interacting with the Bitcoin network itself, the node. bitcoind is just a daemon that keeps a local copy of the blockchain up to date. This daemon has RPC and wallet functionality, but there are more convenient "wrappers" for application development. To start, we decided to put in electrum, which is a CLI wallet. For now we'll use Electrum with public servers; later we'll bring it up in a separate jail.
# cbsd jconstruct-tui
# cbsd jstart electrum
# jexec electrum
electrum:/@[8:45] # pkg install py36-electrum
another 700 MB of software in our jail
electrum:/@[8:53] # adduser
Username: wallet
Full name:
Uid (Leave empty for default):
Login group [wallet]:
Login group is wallet. Invite wallet into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username : wallet
Password : <disabled>
Full Name :
Uid : 1001
Class :
Groups : wallet
Home : /home/wallet
Home Mode :
Shell : /bin/tcsh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet
wallet@electrum:/ % electrum-3.6 create
{
"msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
"path": "/usr/home/wallet/.electrum/wallets/default_wallet",
"seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}
Now we have a wallet.
wallet@electrum:/ % electrum-3.6 listaddresses
[
"18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
"14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
"1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
...
"1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
"18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]
wallet@electrum:/ % electrum-3.6 help
Our on-chain wallet: from now on only a limited number of people will be able to connect to it. In order not to open access to this jail from the outside, SSH connections go through TOR (a decentralized version of a VPN). We start SSH in the jail but don't touch pf.conf on the host.
electrum:/@[9:00] # sysrc sshd_enable=YES
electrum:/@[9:00] # service sshd start
Let's cut the wallet jail off from Internet access. We'll give it an IP address from a different subnet range that has no NAT. First we change /etc/pf.conf on the host
# ee /etc/pf.conf
JAIL_IP_POOL="192.168.0.0/24"
we change to JAIL_IP_POOL="192.168.0.0/25"
, so that all the addresses 192.168.0.126-255 have no direct Internet access. A sort of software "air gap" network. The NAT rule itself stays as it was
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
Reload the rules
# pfctl -f /etc/pf.conf
Now let's reconfigure our jail
# cbsd jconfig jname=electrum
jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200
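The following added example (my code, not the article's) reproduces that decision offline: it parses a constructed jls listing and the pf macros, reports which jails fall inside JAIL_IP_POOL and therefore get NAT, and computes the exact range of the /24 that is left without NAT. The jail names and IPs are modelled on the article's listing; the pf.conf handling is a simplified, assumed macro expansion, not pf's own parser.

```python
"""Check the jail "air gap" against the pf NAT pool (added example, not the article's code)."""
import ipaddress
import re

# Constructed sample of `jls` output, modelled on the article's listing.
JLS_OUTPUT = """\
JID  IP Address     Hostname              Path
  1  192.168.0.1    bitcoind.space.com    /zroot/jails/jails/bitcoind
  2  192.168.0.2    tor.space.com         /zroot/jails/jails/tor
  3  192.168.0.3    nginx-rev.space.com   /zroot/jails/jails/nginx-rev
  7  192.168.0.200  electrum.space.com    /zroot/jails/jails/electrum
  9  192.168.0.7    lightning.space.com   /zroot/jails/jails/cln
"""

# Constructed pf.conf fragment with the macros and nat rule the article uses
# (JAIL_IP_POOL already narrowed to /25).
PF_CONF = """\
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/25"
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
"""


def parse_jls(text):
    """Map jail hostname -> IP address from `jls` output (header line skipped)."""
    jails = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3:
            jails[fields[2]] = ipaddress.ip_address(fields[1])
    return jails


def pf_macros(text):
    """Collect NAME="value" macro definitions from a pf.conf fragment."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.MULTILINE))


def nat_pool(text):
    """Return the source network of the first `nat` rule, with its macro expanded."""
    macros = pf_macros(text)
    for line in text.splitlines():
        if line.startswith("nat "):
            match = re.search(r"from \$(\w+)", line)
            if match and match.group(1) in macros:
                return ipaddress.ip_network(macros[match.group(1)])
    raise ValueError("no nat rule with a macro source found")


def classify(jails, pool):
    """Split jails into (NATed, air-gapped) sets by membership in the pool."""
    natted = {name for name, ip in jails.items() if ip in pool}
    return natted, set(jails) - natted


def air_gap_range(pool):
    """First and last address of the enclosing /24 that lie outside the pool.

    Assumes the pool is a /24 or smaller, as in the article; returns None when
    the pool is the whole /24 (then nothing is air-gapped).
    """
    parent = pool.supernet(new_prefix=24)
    outside = list(parent.address_exclude(pool))
    if not outside:
        return None
    first = min(net.network_address for net in outside)
    last = max(net.broadcast_address for net in outside)
    return str(first), str(last)


def report(jls_text=JLS_OUTPUT, pf_text=PF_CONF):
    """Summary returned as a string so it can be checked as well as printed."""
    pool = nat_pool(pf_text)
    natted, gapped = classify(parse_jls(jls_text), pool)
    lines = [f"NAT pool: {pool}",
             f"NATed jails: {', '.join(sorted(natted))}",
             f"air-gapped jails: {', '.join(sorted(gapped)) or '(none)'}"]
    gap = air_gap_range(pool)
    if gap:
        lines.append(f"addresses without NAT: {gap[0]} - {gap[1]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On a real host, feed it the output of jls and the pf.conf actually loaded, and re-run it after every IP change such as the one above.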
Hmm, but now the system itself stops working for us. However, we can set a system-wide proxy. There's one catch: what TOR provides is a SOCKS5 proxy, and for convenience we'd also like an HTTP proxy.
# cbsd jconstruct-tui
# cbsd jstart polipo
# jexec polipo
polipo:/@[9:28] # pkg install polipo
polipo:/@[9:28] # ee /usr/local/etc/polipo/config
socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5
polipo:/@[9:42] # sysrc polipo_enable=YES
polipo:/@[9:43] # service polipo start
Well, now our system has two proxies, and both exit through TOR: socks5://192.168.0.2:9050 and http://192.168.0.6:8123.
Now we can configure our wallet's environment
# jexec electrum
electrum:/@[9:45] # su wallet
wallet@electrum:/ % ee ~/.cshrc
#in the end of file proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123
Well, now the shell works through the proxy. If we want to install packages, we need to add to /usr/local/etc/pkg.conf, as root inside the jail:
pkg_env: {
http_proxy: "http://my_proxy_ip:8123",
}
Well, now it's time to add a TOR hidden service as the address of our SSH service in the wallet jail.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22
tor:/@[10:01] # mkdir /var/db/tor/electrum
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum
tor:/@[10:01] # chmod 700 /var/db/tor/electrum
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/electrum/hostname
mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
This is our connection address. Let's check from the local machine. But first we need to add our SSH key:
wallet@electrum:/ % mkdir ~/.ssh
wallet@electrum:/ % ee ~/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local
Well, from a Linux client machine
user@local ~$ nano ~/.ssh/config
#remote electrum wallet
Host remotebtc
User wallet
Port 22
Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p
We connect (for this to work you need a local TOR daemon listening on 9050)
user@local ~$ ssh remotebtc
The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
-- Dru <[email protected]>
wallet@electrum:~ % logout
Success!
To work with fast and micro payments we also need a c-lightning node. It needs bitcoind to run, but we already have that.
*There are various implementations of the Lightning Network protocol in different languages. Of those we tried, c-lightning (written in C) seemed the most stable and resource-efficient.
# cbsd jconstruct-tui
# cbsd jstart cln
# jexec cln
lightning:/@[10:23] # adduser
Username: lightning
...
lightning:/@[10:24] # pkg install git
lightning:/@[10:23] # su lightning
cd ~ && git clone https://github.com/ElementsProject/lightning
lightning@lightning:~ % exit
lightning:/@[10:30] # cd /home/lightning/lightning/
lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils
lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install
With everything needed compiled and installed, let's create an RPC user for lightningd in bitcoind
# jexec bitcoind
bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf
rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32
bitcoind:/@[10:39] # service bitcoind restart
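The config above keeps the RPC password in clear text (rpcuser=test/rpcpassword=test are placeholders). bitcoind also accepts rpcauth=user:salt$hmac, where only a salted HMAC of the password is stored; the added example below (my code, not the article's or Bitcoin Core's, though it follows the algorithm of Bitcoin Core's share/rpcauth/rpcauth.py) generates such a line, verifies a login against it, and renders the bitcoin.conf for the bitcoind jail with the rpcbind and rpcallowip values from the article as assumed defaults.

```python
"""Generate an rpcauth= entry for bitcoin.conf (added example, not the article's code).

Format, as produced by Bitcoin Core's share/rpcauth/rpcauth.py:
    rpcauth=<user>:<salt>$<hex HMAC-SHA256(key=salt, msg=password)>
bitcoind verifies a login by recomputing the HMAC, so the password itself
never has to be written into the server-side config file.
"""
import hashlib
import hmac
import os
import secrets


def password_to_hmac(salt, password):
    """Hex HMAC-SHA256 with the salt as key and the password as message."""
    return hmac.new(salt.encode("utf-8"), password.encode("utf-8"), hashlib.sha256).hexdigest()


def make_rpcauth(user, password, salt=None):
    """Return an `rpcauth=` line; the salt is 16 random bytes in hex unless given."""
    if salt is None:
        salt = os.urandom(16).hex()
    if ":" in user or "$" in salt:
        raise ValueError("user must not contain ':' and salt must not contain '$'")
    return f"rpcauth={user}:{salt}${password_to_hmac(salt, password)}"


def verify_rpcauth(line, user, password):
    """Check a user/password pair against an rpcauth line (constant-time compare)."""
    if not line.startswith("rpcauth="):
        return False
    name, rest = line[len("rpcauth="):].split(":", 1)
    salt, digest = rest.split("$", 1)
    return name == user and hmac.compare_digest(password_to_hmac(salt, password), digest)


def render_bitcoin_conf(user, password, rpcbind="192.168.0.1", rpcallowip="192.168.0.7/32"):
    """bitcoin.conf for the bitcoind jail: bind on the jail IP, allow only the c-lightning jail.

    The default addresses are the ones in the article; they are assumptions for this example.
    """
    return "\n".join([
        f"rpcbind={rpcbind}",
        make_rpcauth(user, password),
        "#allow only c-lightning",
        f"rpcallowip={rpcallowip}",
    ]) + "\n"


def new_password(nbytes=32):
    """Random URL-safe RPC password; the plaintext goes only to the client side."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    pw = new_password()
    print(render_bitcoin_conf("lightning", pw))
    print("# client side (~/.bitcoin/bitcoin.conf in the cln jail):")
    print(f"rpcconnect=192.168.0.1\nrpcuser=lightning\nrpcpassword={pw}")
```

The plaintext password is then needed only in the c-lightning jail's ~/.bitcoin/bitcoin.conf (rpcuser/rpcpassword there stay as in the article), and the bitcoind jail holds nothing that reveals it.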
If you pay attention to the tmux utility, my chaotic jumping between jails becomes less chaotic: it lets you create several terminal sub-sessions within one session. Its analog is screen.
So, we don't want to reveal our node's real IP, and we want all financial operations to go through TOR. So we need another .onion.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735
tor:/@[10:01] # mkdir /var/db/tor/cln
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln
tor:/@[10:01] # chmod 700 /var/db/tor/cln
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/cln/hostname
en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion
Now let's create the configuration for c-lightning
lightning:/home/lightning/lightning@[10:31] # su lightning
lightning@lightning:~ % mkdir .lightning
lightning@lightning:~ % ee .lightning/config
alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000
# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko
sparko-host=192.168.0.7
sparko-port=9737
sparko-tls-path=sparko-tls
#sparko-login=mywalletusername:mywalletpassword
#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like
lightning@lightning:~ % mkdir .lightning/plugins
lightning@lightning:~ % cd .lightning/plugins/
lightning@lightning:~/.lightning/plugins:% fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048
lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650
lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko
lightning@lightning:~/.lightning/plugins % cd ~
You also need to create a configuration file for bitcoin-cli, the utility that talks to bitcoind
lightning@lightning:~ % mkdir .bitcoin
lightning@lightning:~ % ee .bitcoin/bitcoin.conf
rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test
check
lightning@lightning:~ % bitcoin-cli echo "test"
[
"test"
]
start lightningd
lightning@lightning:~ % lightningd --daemon
lightningd itself can be controlled with the lightning-cli utility, for example:
lightning-cli newaddr
get an address for a new incoming payment
{
"address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
"bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}
lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all
send all the funds in the wallet to an address (all the on-chain funds)
There are also commands for off-chain operations: lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay and so on.
To talk to the application we have a REST API
curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access: masterkey'
Let's sum up the results
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
7 192.168.0.200 electrum.space.com /zroot/jails/jails/electrum
8 192.168.0.6 polipo.space.com /zroot/jails/jails/polipo
9 192.168.0.7 lightning.space.com /zroot/jails/jails/cln
We have a set of containers, each with its own level of access from and to the local network.
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zroot 279G 1.48T 88K /zroot
zroot/ROOT 1.89G 1.48T 88K none
zroot/ROOT/default 1.89G 17.6G 1.89G /
zroot/home 88K 1.48T 88K /home
zroot/jails 277G 1.48T 404M /zroot/jails
zroot/jails/bitcoind 190G 1.48T 190G /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln 653M 1.48T 653M /zroot/jails/jails-data/cln-data
zroot/jails/electrum 703M 1.48T 703M /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev 190M 1.48T 190M /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw 82.4G 1.48T 82.4G /zroot/jails/jails-data/paygw-data
zroot/jails/polipo 57.6M 1.48T 57.6M /zroot/jails/jails-data/polipo-data
zroot/jails/tor 81.5M 1.48T 81.5M /zroot/jails/jails-data/tor-data
zroot/jails/webapp 360M 1.48T 360M /zroot/jails/jails-data/webapp-data
As you can see, bitcoind takes up a whole 190 GB. What if we need another node for testing? ZFS helps here. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com you can create a snapshot and attach a new jail to that snapshot. The new jail will have its own space, but in the file system only the difference between the current state and the original is counted (we save at least 190 GB).
Each jail is its own separate ZFS dataset, and that is very convenient.
It should also be noted that for these purposes we need remote monitoring of the host
B - security
As for security, let's start with the basic principles in the context of the infrastructure:
Confidentiality: the standard tools of UNIX-like systems provide for this principle. We logically separate access to each logically separate element of the system, the jail. Access is granted through standard user authentication using users' private keys. All communication between jails and with the end jails happens in encrypted form. Thanks to disk encryption we don't have to worry about data safety when replacing a disk or moving to another server. The only critical access is access to the host system, since that normally gives access to the data inside the containers.
Integrity: this principle is implemented at several levels. First, it should be noted that with server hardware and ECC memory, ZFS already takes care of data integrity at the bit level "out of the box". Instant snapshots let you make backups at any moment. Convenient jail export/import tools simplify jail replication.
Availability: this one is optional. It depends on your degree of fame and on whether there are people who hate you. In our example we made sure the wallet is reachable only from the TOR network. If necessary, you can block everything on the firewall and allow access to the server only through tunnels (TOR or a VPN is another question). That way the server is cut off from the outside world as far as possible, and only we ourselves can affect its availability.
Non-repudiation: this depends on further operation and on following a correct policy for user rights, access and so on. But with the right approach all user actions are audited, and thanks to cryptographic solutions it can be determined exactly who performed which actions and when.
Of course, the configuration described is not an absolute example of how things must always be, but an example of how they can be, while retaining very flexible possibilities for scaling and adaptation.
What about full virtualization?
For full virtualization with cbsd and bhyve you need to enable a few kernel modules.
# cat /etc/rc.conf
...
kld_list="vmm if_tap if_bridge nmdm"
...
# cat /boot/loader.conf
...
vmm_load="YES"
...
So if you suddenly need to run docker, install debian and go!
That's all
I think that's everything I wanted to share. If you liked the article, you can send me some bitcoins -
Manba: www.habr.com