It so happens that by profession I am an administrator of computer systems and networks (in short: a sysadmin), and for a little over 10 years I have had occasion to professionally run a wide variety of systems, including ones that require (extreme) security measures. It also so happened that some time ago I found interesting dev
, so, I was just passing by). But I am not talking about development; I am talking about a safe and efficient environment for applications.
Financial technology (fintech) goes hand in hand with information security (infosec), and the first can work without the second, but not for long. That is why I want to share my experience and the set of tools I use, which covers both fintech and infosec at the same time, and which can also be used for a broader or a completely different purpose. In this article I will tell you not so much about Bitcoin as about an infrastructure model for developing and operating financial (and not only financial) services - in a word, those services where the "B" matters. This applies both to a Bitcoin exchange and to the most typical corporate infrastructure of a small company that has no connection with Bitcoin at all.
I would like to note that I am a supporter of the principles "keep it simple, stupid" and "less is more", so both the article and what is described in it will have the properties these principles are about.
Let's imagine: we will look at everything using the example of a bitcoin exchange. We decided to launch an exchange of rubles, dollars and euros for bitcoins and back, and we already have a working solution, but for other digital currencies such as qiwi and webmoney, i.e. we have closed all the legal questions and we have a ready-made application that serves as a payment gateway for rubles, dollars, euros and other payment systems. It is connected to our bank accounts and has some kind of API for our end applications. We also have a web application that acts as the exchanger for users, much like a typical qiwi or webmoney account - create an account, add a card, and so on. It communicates with our gateway application, albeit through a REST API on the local network. And so we decided to add bitcoins and at the same time upgrade the infrastructure, because ... Initially everything was hastily brought up on virtual boxes in the office under a desk ... the site started to be used, and we started to worry about uptime and performance.
So, let's start with the main thing - choosing a server. Since the business in our example is small and we trust the hoster (OVH), we will choose
Server installation
Everything is simple here. We choose the hardware that suits our needs. Then we select the FreeBSD image. Or we connect (in the case of a different hoster or our own hardware) via IPMI or with a monitor and feed the FreeBSD .iso image into the boot. For orchestrated setup I use
Installation of the system is done in the standard way and I won't dwell on it; I will only note that before going into operation it is worth paying attention to the hardening options that bsdinstaller offers
at the end of the installation (if you install the system yourself):
There is
It is also possible to enable the parameters mentioned above on an already installed system. To do this, you need to edit the bootloader file and enable the kernel parameters. *ee is an editor like this in BSD
# ee /etc/rc.conf
...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
# ee /etc/sysctl.conf
...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
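# sysctl.conf does no shell expansion, so $(jot ...) would never be evaluated here; 1 asks the kernel to pick a random PID modulus
kern.randompid=1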
security.bsd.stack_guard_page=1
You should also make sure that you have the latest version of the system installed, and
Then we set up aide, which monitors the state of the system's configuration files. You can read more in detail
pkg install aide
and edit our crontab
crontab -e
06 01 * * 0-6 /root/chkaide.sh
#! /bin/sh
#chkaide.sh
MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/local/bin/aide --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/usr/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
We enable
sysrc auditd_enable=YES
# service auditd start
How to administer this is described very well in
Now we reboot and move on to the software on the server. Each server is a hypervisor for containers or full virtual machines. So it is important that the processor supports VT-x and EPT if we plan to use full virtualization.
To manage containers and virtual machines I use
Containers? Docker again or what?
But no. cbsd to orchestrate these containers, which are called jails.
A jail is a very effective solution for building infrastructure for a variety of purposes where, in the end, complete isolation of individual services or processes is required. Essentially it is a clone of the host system, but it does not require full hardware virtualization. Thanks to this, resources are spent not on a "guest OS" but only on the work being done. When jails are used for internal needs, this is a very convenient way to use resources optimally - a bunch of jails on one hardware server can each use the whole server's resources if necessary. Given that different background services usually need extra resources at different times, you can get maximum performance out of one server if you plan and balance the jails between servers properly. If necessary, jails can also be given limits on the resources they use.
What about full virtualization?
As far as I know, cbsd supports the bhyve and XEN hypervisors. I have never used the second one, but the first is fairly new bhyve in the example below.
Installing and configuring the host environment
We use the FS
gpart add -t freebsd-zfs /dev/ada0
/dev/ada0p4 added!
add a disk partition over the remaining space
geli init /dev/ada0p4
enter our encryption password
geli attach /dev/ada0p4
We enter the password again and get a device /dev/ada0p4.eli - this is our encrypted space. Then we repeat the same for /dev/ada1 and the rest of the disks in the array. And we create a new
zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli
- Well, the minimum combat kit is ready. A mirrored array of disks in case one of the three fails.
Creating a dataset on the new "pool"
zfs create vms/jails
pkg install cbsd
- we run the command and set up management for our jails.
After cbsd is installed, it needs to be initialized:
# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv
Well, we answer a bunch of questions, mostly with the default answers.
* If you use encryption, it is important that the cbsdd daemon does not start automatically until you have unlocked the disks manually or automatically (in our example this is done by zabbix)
** I also don't use NAT from cbsd, and configure it myself in pf.
# sysrc pf_enable=YES
# ee /etc/pf.conf
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"
#WHITE_CL="{ 127.0.0.1 }"
icmp_types="echoreq"
set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all
#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# service pf start
# pfctl -f /etc/pf.conf
Configuring firewall policy is also a separate topic, so I won't go deep into setting up a BLOCK ALL policy and whitelists; you can do that by reading
Well ... we have installed cbsd, so it is time to create our first workhorse - the caged Bitcoin daemon!
cbsd jconstruct-tui
Here we see the jail creation dialog. Once all the values are set, let's create it!
When you create your first jail, you have to choose what to use as the base for the jails. I choose the distribution from the FreeBSD repository with the repo command. This choice is made only when creating the first jail of a particular version (you can host jails of any version that is older than the host version).
After everything is installed, we launch the jail!
# cbsd jstart bitcoind
But we need to install software in the jail.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
jexec bitcoind
to get into the jail console
and already inside the jail we install the software with its dependencies (our host system stays clean)
bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils
bitcoind:/@[15:30] # sysrc bitcoind_enable=YES
bitcoind:/@[15:30] # service bitcoind start
Bitcoin is in the jail, but we need anonymity, because we want to connect to some jails through the TOR network. In general, we plan to run most jails with sensitive software only through a proxy. Thanks to pf you can disable NAT for a certain range of IP addresses on the local network and allow NAT only for our TOR node. This way, even if malware gets into a jail, it most likely will not communicate with the outside world, and if it does, it will not reveal the IP of our server. So we create another jail to "forward" services as an ".onion" service and to act as a proxy for Internet access for individual jails.
# cbsd jconstruct-tui
# cbsd jstart tor
# jexec tor
tor:/@[15:38] # pkg install tor
tor:/@[15:38] # sysrc tor_enable=YES
tor:/@[15:38] # ee /usr/local/etc/tor/torrc
Set it to listen on a local address (available to all jails)
SOCKSPort 192.168.0.2:9050
What else do we need for complete happiness? Yes, we need a service for our web, maybe more than one. Let's launch nginx, which will act as a reverse proxy and take care of renewing the Let's Encrypt certificates
# cbsd jconstruct-tui
# cbsd jstart nginx-rev
# jexec nginx-rev
nginx-rev:/@[15:47] # pkg install nginx py36-certbot
And so we put 150 MB of dependencies into a jail. And the host is still clean.
Let's come back to configuring nginx later; we need to bring up two more jails, for our payment gateway on nodejs and rust and for the web application, which for some reason is on Apache and PHP, and the latter also needs a MySQL database.
# cbsd jconstruct-tui
# cbsd jstart paygw
# jexec paygw
paygw:/@[15:55] # pkg install git node npm
paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
... and another 380 MB of packages in isolation
Next, we download our application with git and launch it.
# cbsd jconstruct-tui
# cbsd jstart webapp
# jexec webapp
webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql
450 MB of packages, in a jail.
Here we give the developer access via SSH directly into the jail; they will do everything there themselves:
webapp:/@[16:02] # ee /etc/ssh/sshd_config
Port 2267
- change the jail's SSH port to any arbitrary one
webapp:/@[16:02] # sysrc sshd_enable=YES
webapp:/@[16:02] # service sshd start
Well, the service is running; all that remains is to add a rule to the pf firewall
Let's see what IPs our jails have and what our "local network" looks like in general.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
and add a rule
# ee /etc/pf.conf
## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
Well, since we are here, let's also add a rule for the reverse proxy:
## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# pfctl -f /etc/pf.conf
Well, now a little about bitcoins
What we have is a web application that is exposed to the outside and talks locally to our payment gateway. Now we need to prepare a working environment for interacting with the Bitcoin network itself - the bitcoind node is simply a daemon that keeps the local copy of the blockchain up to date. This daemon has RPC and wallet functionality, but there are more convenient "wrappers" for application development. To start with, we decided to install electrum, which is a CLI wallet.
laptop. For now we will use Electrum with public servers, and later we will bring up in another jail
# cbsd jconstruct-tui
# cbsd jstart electrum
# jexec electrum
electrum:/@[8:45] # pkg install py36-electrum
Another 700 MB of software in our jail
electrum:/@[8:53] # adduser
Username: wallet
Full name:
Uid (Leave empty for default):
Login group [wallet]:
Login group is wallet. Invite wallet into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username : wallet
Password : <disabled>
Full Name :
Uid : 1001
Class :
Groups : wallet
Home : /home/wallet
Home Mode :
Shell : /bin/tcsh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet
wallet@electrum:/ % electrum-3.6 create
{
"msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
"path": "/usr/home/wallet/.electrum/wallets/default_wallet",
"seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}
Now we have created a wallet.
wallet@electrum:/ % electrum-3.6 listaddresses
[
"18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
"14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
"1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
...
"1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
"18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]
wallet@electrum:/ % electrum-3.6 help
From now on, only a limited number of people will be able to connect to our on-chain wallet. In order not to open access to this jail from the outside, connections via SSH will go through TOR (a decentralized version of VPN). We start SSH in the jail, but do not touch our pf.conf on the host.
electrum:/@[9:00] # sysrc sshd_enable=YES
electrum:/@[9:00] # service sshd start
Now let's cut the wallet jail off from Internet access. Let's give it an IP address from another subnet range that is not NATed. First let's change /etc/pf.conf on the host
# ee /etc/pf.conf
JAIL_IP_POOL="192.168.0.0/24"
let's change it to JAIL_IP_POOL="192.168.0.0/25", so all addresses 192.168.0.126-255 will have no direct access to the Internet. A kind of software "air-gapped" network. And our NAT rule stays as it was
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
Reloading the rules
# pfctl -f /etc/pf.conf
Now let's take on our jail
# cbsd jconfig jname=electrum
jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200
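An added example, not part of the original article: a POSIX sh check of which jail addresses fall inside JAIL_IP_POOL and are therefore translated by the NAT rule above. The function names and the two boundary probes (.127 and .128) are constructed for illustration; the other addresses are the jails listed in the article.

```sh
#!/bin/sh
# Added example: which jail addresses does "nat ... from $JAIL_IP_POOL" cover?

# ip_to_int A.B.C.D -> the address as a 32-bit integer on stdout
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP NET/PREFIX -> exit status 0 when IP lies inside the network
in_cidr() {
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# first_outside NET/PREFIX -> first address after the pool (broadcast + 1)
first_outside() {
    bits=${1#*/}
    n=$(( ($(ip_to_int "${1%/*}") | ((1 << (32 - bits)) - 1)) + 1 ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# nat_report POOL, reading "ip name" lines on stdin
# -> one "name ip nat|isolated" line per jail
nat_report() {
    pool=$1
    while read -r addr name; do
        [ -n "$addr" ] || continue
        if in_cidr "$addr" "$pool"; then state=nat; else state=isolated; fi
        printf '%s %s %s\n' "$name" "$addr" "$state"
    done
}

# Jail addresses as listed in the article (typed in here, not read from jls).
JAILS='192.168.0.1 bitcoind
192.168.0.2 tor
192.168.0.3 nginx-rev
192.168.0.4 paygw
192.168.0.5 webapp
192.168.0.6 polipo
192.168.0.7 lightning
192.168.0.200 electrum'

# Constructed boundary probes: last address inside and first outside a /25.
PROBES='192.168.0.127 probe-last-in-pool
192.168.0.128 probe-first-outside'

printf '%s\n%s\n' "$JAILS" "$PROBES" | nat_report 192.168.0.0/25
echo "first address outside the pool: $(first_outside 192.168.0.0/25)"
```

Running it against the pool value actually loaded in pf.conf before moving a jail shows whether the new address really sits outside the NATed range.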
Hmm, but now the system itself will stop working for us. However, we can specify a system proxy. But there is one thing: on TOR it is a SOCKS5 proxy, and for convenience we would also like an HTTP proxy.
# cbsd jconstruct-tui
# cbsd jstart polipo
# jexec polipo
polipo:/@[9:28] # pkg install polipo
polipo:/@[9:28] # ee /usr/local/etc/polipo/config
socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5
polipo:/@[9:42] # sysrc polipo_enable=YES
polipo:/@[9:43] # service polipo start
Well, now there are two proxy servers in our system, and both exit through TOR: socks5://192.168.0.2:9050 and
Now we can configure our wallet environment
# jexec electrum
electrum:/@[9:45] # su wallet
wallet@electrum:/ % ee ~/.cshrc
#in the end of file proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123
Well, now the shell will work from behind a proxy. If we want to install packages, we should add the following to /usr/local/etc/pkg.conf, as root in the jail
pkg_env: {
http_proxy: "http://my_proxy_ip:8123",
}
Well, now it is time to add a TOR hidden service as the address of our SSH service in the wallet jail.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22
tor:/@[10:01] # mkdir /var/db/tor/electrum
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum
tor:/@[10:01] # chmod 700 /var/db/tor/electrum
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/electrum/hostname
mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
This is our connection address. Let's check it from a local machine. But first we need to add our SSH key:
wallet@electrum:/ % mkdir ~/.ssh
wallet@electrum:/ % ee ~/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local
Well, from a Linux client machine
user@local ~$ nano ~/.ssh/config
#remote electrum wallet
Host remotebtc
User wallet
Port 22
Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p
Let's connect (for this to work, you need a local TOR daemon listening on 9050)
user@local ~$ ssh remotebtc
The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
-- Dru <[email protected]>
wallet@electrum:~ % logout
Success!
To work with instant and micro payments, we also need a c-lightning node, which requires a working bitcoind, but yes.
*There are different implementations of the Lightning Network protocol in different languages. Of those we tested, c-lightning (written in C) seemed to be the most stable and resource-efficient.
# cbsd jconstruct-tui
# cbsd jstart cln
# jexec cln
lightning:/@[10:23] # adduser
Username: lightning
...
lightning:/@[10:24] # pkg install git
lightning:/@[10:23] # su lightning
cd ~ && git clone https://github.com/ElementsProject/lightning
lightning@lightning:~ % exit
lightning:/@[10:30] # cd /home/lightning/lightning/
lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils
lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install
While everything necessary is being compiled and installed, let's create an RPC user for lightningd in bitcoind
# jexec bitcoind
bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf
rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32
bitcoind:/@[10:39] # service bitcoind restart
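bitcoind also accepts an rpcauth= line, which keeps only a salted HMAC-SHA256 of the RPC password in the node's bitcoin.conf instead of the clear-text rpcuser/rpcpassword pair shown above. The following is an added example, not from the original article; it assumes the openssl command-line tool is available in the jail, and the helper names and the user name lightning are hypothetical.

```sh
#!/bin/sh
# Added example: keep only a salted HMAC of the RPC password on the node.
# Line format: rpcauth=<user>:<salt>$<hex HMAC-SHA256(key=salt, msg=password)>

# hmac_hex KEY MESSAGE -> hex HMAC-SHA256; the message goes in on stdin,
# so the password never shows up in the openssl argument list.
hmac_hex() {
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{ print $NF }'
}

# new_password -> 32 random bytes as URL-safe base64 without padding
new_password() {
    openssl rand -base64 32 | tr '+/' '-_' | tr -d '=\n'
}

# make_rpcauth USER PASSWORD [SALT] -> the line for the node's bitcoin.conf
# (a random 16-byte salt is generated when SALT is not given)
make_rpcauth() {
    salt=${3:-$(openssl rand -hex 16)}
    printf 'rpcauth=%s:%s$%s\n' "$1" "$salt" "$(hmac_hex "$salt" "$2")"
}

# check_rpcauth LINE PASSWORD -> exit status 0 when PASSWORD matches LINE
check_rpcauth() {
    cred=${1#rpcauth=}      # user:salt$hash
    rest=${cred#*:}         # salt$hash
    salt=${rest%%\$*}
    want=${rest#*\$}
    [ "$(hmac_hex "$salt" "$2")" = "$want" ]
}

if command -v openssl >/dev/null 2>&1; then
    pw=$(new_password)
    echo "# node side, bitcoin.conf in the bitcoind jail (instead of rpcuser/rpcpassword):"
    make_rpcauth lightning "$pw"
    echo "# client side, ~/.bitcoin/bitcoin.conf in the c-lightning jail:"
    printf 'rpcuser=lightning\nrpcpassword=%s\n' "$pw"
fi
```

The client still needs the clear-text password, so its bitcoin.conf should be readable only by the lightning user; rpcallowip keeps limiting which jail may connect at all.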
My chaotic switching between jails turns out to be not so chaotic if you notice the tmux utility, which lets you create multiple terminal sub-sessions within one session. An analogue: screen
So, we do not want to reveal the real IP of our node, and we want to carry out all financial operations through TOR. So one more onion service is needed.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735
tor:/@[10:01] # mkdir /var/db/tor/cln
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln
tor:/@[10:01] # chmod 700 /var/db/tor/cln
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/cln/hostname
en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion
Now let's create a config for c-lightning
lightning:/home/lightning/lightning@[10:31] # su lightning
lightning@lightning:~ % mkdir .lightning
lightning@lightning:~ % ee .lightning/config
alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000
# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko
sparko-host=192.168.0.7
sparko-port=9737
sparko-tls-path=sparko-tls
#sparko-login=mywalletusername:mywalletpassword
#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like
lightning@lightning:~ % mkdir .lightning/plugins
lightning@lightning:~ % cd .lightning/plugins/
lightning@lightning:~/.lightning/plugins:% fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048
lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650
lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko
lightning@lightning:~/.lightning/plugins % cd ~
you also need to create a configuration file for bitcoin-cli, the utility that communicates with bitcoind
lightning@lightning:~ % mkdir .bitcoin
lightning@lightning:~ % ee .bitcoin/bitcoin.conf
rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test
check
lightning@lightning:~ % bitcoin-cli echo "test"
[
"test"
]
start lightningd
lightning@lightning:~ % lightningd --daemon
lightningd itself can be controlled with the lightning-cli utility, for example:
lightning-cli newaddr
get an address for a new incoming payment
{
"address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
"bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}
lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all
send all the money in the wallet to the address (all on-chain addresses)
There are also commands for off-chain operations: lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay, etc.
Well, for communication with the application we have a REST API
curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access: masterkey'
Let's sum up the results
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
7 192.168.0.200 electrum.space.com /zroot/jails/jails/electrum
8 192.168.0.6 polipo.space.com /zroot/jails/jails/polipo
9 192.168.0.7 lightning.space.com /zroot/jails/jails/cln
We have a set of containers, each with its own level of access both from and to the local network.
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zroot 279G 1.48T 88K /zroot
zroot/ROOT 1.89G 1.48T 88K none
zroot/ROOT/default 1.89G 17.6G 1.89G /
zroot/home 88K 1.48T 88K /home
zroot/jails 277G 1.48T 404M /zroot/jails
zroot/jails/bitcoind 190G 1.48T 190G /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln 653M 1.48T 653M /zroot/jails/jails-data/cln-data
zroot/jails/electrum 703M 1.48T 703M /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev 190M 1.48T 190M /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw 82.4G 1.48T 82.4G /zroot/jails/jails-data/paygw-data
zroot/jails/polipo 57.6M 1.48T 57.6M /zroot/jails/jails-data/polipo-data
zroot/jails/tor 81.5M 1.48T 81.5M /zroot/jails/jails-data/tor-data
zroot/jails/webapp 360M 1.48T 360M /zroot/jails/jails-data/webapp-data
As you can see, bitcoind takes up all of 190 GB of space. What if we need another node for tests? This is where ZFS comes in handy. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com you can create a snapshot and attach a new jail to this snapshot. The new jail will have its own space, but only the difference between the current state and the original will be accounted for in the file system (we save at least 190 GB)
Each jail is its own separate ZFS dataset, and this is very convenient.
It is also worth noting the need for remote monitoring of the host; for these purposes we have
B - security
As for security, let's start from the key principles in the context of infrastructure:
Confidentiality - The standard tools of UNIX-like systems ensure this principle. We logically separate access to each logically separate element of the system - a jail. Access is granted through standard user authentication using the users' personal keys. All communication between and to the end jails happens in encrypted form. Thanks to disk encryption, we do not have to worry about the safety of data when replacing a disk or migrating to another server. The only critical access is access to the host system, since such access generally gives access to the data inside the containers.
Integrity - This principle is implemented at several different levels. First, it is important to note that with server hardware, ECC memory, ZFS already takes care of data integrity at the level of bits of information "out of the box". Instant snapshots let you make backups at any time on the fly. Convenient jail export/import tools make jail replication simple.
Availability - This is already optional. It depends on the degree of your fame and on whether you have enemies. In our example, we made sure that the wallet is accessible exclusively from the TOR network. If necessary, you can block everything on the firewall and allow access to the server exclusively through tunnels (TOR or VPN is another matter). Thus the server will be cut off from the outside world as much as possible, and only we will be able to affect its availability.
Non-repudiation - And this depends on further operation and on compliance with the right policies for user rights, access, and so on. But with the right approach, all user actions are audited, and thanks to cryptographic solutions it is possible to identify unambiguously who performed certain actions and when.
Of course, the configuration described is not an absolute example of how it should always be; it is rather one example of how it can be, while retaining very flexible scaling and customization capabilities.
What about full virtualization?
As for full virtualization using cbsd you can bhyve
You need to enable some kernel options.
# cat /etc/rc.conf
...
kld_list="vmm if_tap if_bridge nmdm"
...
# cat /boot/loader.conf
...
vmm_load="YES"
...
So if you suddenly need to start a docker, then install some debian and go!
That's all
I guess that is all I wanted to share. If you liked the article, you can send me bitcoins -
source: www.habr.com