ESXi 升级 Mellanox 网卡固件

Posted on (Updated by yaoge123

NVMe over RoCE 对RoCE网卡的固件兼容性有较高要求

  • 打开ESXi的SSH并进入维护模式,远程登录ESXi主机
  • 用 esxcfg-nics -l 查看网卡列表,用 esxcli network nic get -n 查看网卡驱动和固件版本
[root@yaoge123:~] esxcfg-nics -l
Name    PCI          Driver      Link Speed      Duplex MAC Address       MTU    Description                   
vmnic0  0000:19:00.0 igbn        Up   1000Mbps   Full   **:**:**:**:**:** 1500   Intel Corporation I350 Gigabit Network Connection
vmnic1  0000:19:00.1 igbn        Up   1000Mbps   Full   **:**:**:**:**:** 1500   Intel Corporation I350 Gigabit Network Connection
vmnic2  0000:8a:00.0 nmlx5_core  Up   25000Mbps  Full   **:**:**:**:**:** 1500   Mellanox Technologies ConnectX-5 EN NIC; 10/25GbE; dual-port SFP28; PCIe3.0 x8; (MCX512A-ACU)
vmnic3  0000:8a:00.1 nmlx5_core  Up   25000Mbps  Full   **:**:**:**:**:** 1500   Mellanox Technologies ConnectX-5 EN NIC; 10/25GbE; dual-port SFP28; PCIe3.0 x8; (MCX512A-ACU)
vmnic4  0000:8b:00.0 nmlx5_core  Up   25000Mbps  Full   **:**:**:**:**:** 1500   Mellanox Technologies ConnectX-5 EN NIC; 10/25GbE; dual-port SFP28; PCIe3.0 x8; (MCX512A-ACU)
vmnic5  0000:8b:00.1 nmlx5_core  Up   25000Mbps  Full   **:**:**:**:**:** 1500   Mellanox Technologies ConnectX-5 EN NIC; 10/25GbE; dual-port SFP28; PCIe3.0 x8; (MCX512A-ACU)
[root@yaoge123:~] esxcli network nic get -n vmnic2
   Advertised Auto Negotiation: true
   Advertised Link Modes: Auto, 1000BaseCX-SGMII/Full, 10000BaseKR/Full, 25000BaseTwinax/Full
   Auto Negotiation: true
   Backing DPUId: N/A
   Cable Type: FIBRE
   Current Message Level: -1
   Driver Info: 
         Bus Info: 0000:8a:00:0
         Driver: nmlx5_core
         Firmware Version: 16.32.1010
         Version: 4.23.0.36
   Link Detected: true
   Link Status: Up 
   Name: vmnic2
   PHYAddress: 0
   Pause Autonegotiate: false
   Pause RX: true
   Pause TX: true
   Supported Ports: FIBRE, DA
   Supports Auto Negotiation: true
   Supports Pause: true
   Supports Wakeon: false
   Transceiver: internal
   Virtual Address: **:**:**:**:**:**
   Wakeon: None
  • VMware兼容性 搜索该网卡型号查询对应的驱动和固件版本
  • 下载 MFT,选择和ESXi版本匹配的安装包
  • 下载的Mellanox-MFT-Tools_*-package.zip解压,将解压出的.zip文件传至ESXi的/tmp,确认上传的.zip文件内根目录就有index.xml
  • 下载的Mellanox-NATIVE-NMST_*-package.zip解压,将解压出的.zip文件传至ESXi的/tmp,确认上传的.zip文件内根目录就有index.xml
  • 用 esxcli software component apply -d 安装上传的两个.zip,注意要写全路径
[root@yaoge123:/tmp] esxcli software component apply -d /tmp/Mellanox-MFT-Tools_4.26.1.101-1OEM.801.0.0.21495797_22944840.zip 
Installation Result
   Message: Operation finished successfully.
   Components Installed: Mellanox-MFT-Tools_4.26.1.101-1OEM.801.0.0.21495797
   Components Removed: 
   Components Skipped: 
   Reboot Required: false
   DPU Results: 
[root@yaoge123:/tmp] esxcli software component apply -d /tmp/Mellanox-NATIVE-NMST_4.26.1.101-1OEM.801.0.0.21495797_22944879.zip 
Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Components Installed: Mellanox-NATIVE-NMST_4.26.1.101-1OEM.801.0.0.21495797
   Components Removed: 
   Components Skipped: 
   Reboot Required: true
   DPU Results:
  • 重启ESXi再打开SSH
  • 下载 Firmware ,查找对应网卡的兼容版本固件下载
  • 下载的fw-*.bin.zip解压,将解压出的.bin文件上传至ESXi的/tmp
  • 在/tmp下执行/opt/mellanox/bin/mlxfwmanager,会自动发现新固件文件,然后添加-u升级,如果已有的版本新要降级再加-f强制刷
[root@yaoge123:/tmp] /opt/mellanox/bin/mlxfwmanager
Querying Mellanox devices firmware ...

Device #1:
----------

  Device Type:      ConnectX5
  Part Number:      MCX512A-ACU_Ax_Bx
  Description:      ConnectX-5 EN network interface card; 10/25GbE dual-port SFP28; PCIe3.0 x8; UEFI Enabled (x86/ARM)
  PSID:             MT_0000000425
  PCI Device Name:  mt4119_pciconf0
  Base GUID:        ***
  Base MAC:         ***
  Versions:         Current        Available     
     FW             16.32.1010     16.34.1002    
     PXE            3.6.0502       3.6.0700      
     UEFI           14.25.0017     14.27.0014    

  Status:           Update required

Device #2:
----------

  Device Type:      ConnectX5
  Part Number:      MCX512A-ACU_Ax_Bx
  Description:      ConnectX-5 EN network interface card; 10/25GbE dual-port SFP28; PCIe3.0 x8; UEFI Enabled (x86/ARM)
  PSID:             MT_0000000425
  PCI Device Name:  mt4119_pciconf1
  Base GUID:        ***
  Base MAC:         ***
  Versions:         Current        Available     
     FW             16.32.1010     16.34.1002    
     PXE            3.6.0502       3.6.0700      
     UEFI           14.25.0017     14.27.0014    

  Status:           Update required

---------
Found 2 device(s) requiring firmware update. Please use -u flag to perform the update.

[root@yaoge123:/tmp] /opt/mellanox/bin/mlxfwmanager -u
Querying Mellanox devices firmware ...

Device #1:
----------

  Device Type:      ConnectX5
  Part Number:      MCX512A-ACU_Ax_Bx
  Description:      ConnectX-5 EN network interface card; 10/25GbE dual-port SFP28; PCIe3.0 x8; UEFI Enabled (x86/ARM)
  PSID:             MT_0000000425
  PCI Device Name:  mt4119_pciconf0
  Base GUID:        ***
  Base MAC:         ***
  Versions:         Current        Available     
     FW             16.32.1010     16.34.1002    
     PXE            3.6.0502       3.6.0700      
     UEFI           14.25.0017     14.27.0014    

  Status:           Update required

Device #2:
----------

  Device Type:      ConnectX5
  Part Number:      MCX512A-ACU_Ax_Bx
  Description:      ConnectX-5 EN network interface card; 10/25GbE dual-port SFP28; PCIe3.0 x8; UEFI Enabled (x86/ARM)
  PSID:             MT_0000000425
  PCI Device Name:  mt4119_pciconf1
  Base GUID:        ***
  Base MAC:         ***
  Versions:         Current        Available     
     FW             16.32.1010     16.34.1002    
     PXE            3.6.0502       3.6.0700      
     UEFI           14.25.0017     14.27.0014    

  Status:           Update required

---------
Found 2 device(s) requiring firmware update...

Perform FW update? [y/N]: y
Device #1: Updating FW ...     
FSMST_INITIALIZE -   OK          
Writing Boot image component -   OK                                                                                                                                                              Done
Device #2: Updating FW ...     
FSMST_INITIALIZE -   OK          
Writing Boot image component -   OK                                                                                                                                                              Done

Restart needed for updates to take effect.
  • 重启后再检查网卡的固件版本
[root@yaoge123:~] esxcli network nic get -n vmnic2
   Advertised Auto Negotiation: true
   Advertised Link Modes: Auto, 1000BaseCX-SGMII/Full, 10000BaseKR/Full, 25000BaseTwinax/Full
   Auto Negotiation: true
   Backing DPUId: N/A
   Cable Type: FIBRE
   Current Message Level: -1
   Driver Info: 
         Bus Info: 0000:8a:00:0
         Driver: nmlx5_core
         Firmware Version: 16.34.1002
         Version: 4.23.0.36
   Link Detected: true
   Link Status: Up 
   Name: vmnic2
   PHYAddress: 0
   Pause Autonegotiate: false
   Pause RX: true
   Pause TX: true
   Supported Ports: FIBRE, DA
   Supports Auto Negotiation: true
   Supports Pause: true
   Supports Wakeon: false
   Transceiver: internal
   Virtual Address: **:**:**:**:**:**
   Wakeon: None

GitLab CVE-2023-7028 临时应对措施

Posted on (Updated by yaoge123

一个非常无语的高危漏洞,任何人都可以重置任意账号的密码然后发送到指定邮箱

对于容器部署来说,直接修改 /var/opt/gitlab/nginx/conf/gitlab-http.conf 文件,在其中添加

location /users/password { 
  return 444; 
}

然后重新加载nginx配置文件

gitlab-ctl hup nginx

DNSmasq 为HPC集群外容器提供集群内主机名解析

Posted on by yaoge123

在HPC集群中通常有DNS和本地hosts提供解析服务,以便节点间通过主机名互相通信,而不是直接使用IP地址。但是如果在集群外有一个独立服务器中的容器需要与集群内的节点通过主机名通讯,就需要通过DNS来给容器提供解析服务。

通过自动化脚本将集群的hosts拷贝到独立服务器的一个目录下,如 /home/hpc/dns/hosts

自己做一个dnsmasq的容器:

[yaoge123]$ cat dnsmasq/Dockerfile 
FROM alpine:latest
RUN apk update \
 && apk upgrade \
 && apk add --no-cache \
            dnsmasq \
 && rm -rf /var/cache/apk/*

编写docker-compose.yml:

  1. dnsmasq提供了DNS服务,需要指定ip地址,以便在下面其它容器配置中指定dns ip
  2. /home/hpc/dns 是存储hosts的本机目录
  3. 生产环境用 –keep-in-foreground,调试时用–no-daemon和–log-queries
  4. –domain-needed 一定要加,防止dnsmasq将没有域的主机名(没有.的)转发给上游DNS
  5. –cache-size= 改的比hosts文件行数多一些
  6. abc是要解析集群内主机名的容器,添加的dns就是为了用dnsmasq来提供解析服务
  7. 不要解析的就不要加dns
services:
  dnsmasq:
    build: ./dnsmasq
    image: dnsmasq
    container_name: dnsmasq
    networks:
      default:
        ipv4_address: 192.168.100.200
    volumes:
      - /home/hpc/dns:/etc/dns:ro
    command:
      - dnsmasq
      - --keep-in-foreground
        #- --no-daemon
        #- --log-queries
      - --domain-needed
      - --no-hosts
      - --cache-size=3000
      - --hostsdir=/etc/dns
  abc:
    image: abc
    container_name: abc
    dns:
      - 192.168.100.200
  …………
networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.100.0/24

测试解析和查看 dnsmasq 缓存情况,evictions为0最好

[yaoge123]# run --rm -it --network=docker_default --dns=192.168.100.200 alpine sh
/ # apk add bind-tools
/ # dig +short node_name
/ # for i in "cachesize.bind insertions.bind evictions.bind misses.bind hits.bind auth.bind servers.bind";do dig +short chaos txt $i;done

OnlyOffice Document Server 容器部署和监控

Posted on (Updated by yaoge123

大体架构是:前端 Nginx 卸载SSL后反代给 OnlyOffice,OnlyOffice 将监控信息喂给 statsd-exporter,Prometheus 从 statsd-exporter 拉取数据,最终用 Grafana 可视化展示。

先来 docker-compose.yml 配置如下,有一些注意修改的地方:

  1. 可以把一些onlyoffice插件挂进容器中 /var/www/onlyoffice/documentserver/sdkjs-plugins/ 目录下,启动时会自动加载。
  2. onlyoffice自带的中文字体少的可怜,一定要整理一些常用字体(特别是Windows/Office自带的字体),将ttf/otf字体文件挂进容器中 /usr/share/fonts/ 目录下,启动时会自动加载。
  3. onlyoffice的持久化配置挂进容器 /etc/onlyoffice/documentserver/local-production-linux.json,这样升级重启的时候配置才能保留下来;容器里面的配置文件改了也没用,重建就全丢了。
  4. JWT_SECRET 配置一个足够强的Token,和应用软件配置要一样。
services:
  onlyoffice:
    image: onlyoffice/documentserver-ee
    container_name: onlyoffice
    volumes:
      - ./onlyoffice/logs:/var/log/onlyoffice
      - ./onlyoffice/data:/var/www/onlyoffice/Data
      - ./onlyoffice/lib:/var/lib/onlyoffice
      - ./onlyoffice/db:/var/lib/postgresql
      - ./onlyoffice/fonts/dejavu:/usr/share/fonts/dejavu
      - ./onlyoffice/fonts/founder:/usr/share/fonts/founder
      - ./onlyoffice/fonts/liberation:/usr/share/fonts/liberation
      - ./onlyoffice/fonts/libertinus:/usr/share/fonts/libertinus
      - ./onlyoffice/fonts/noto-cjk:/usr/share/fonts/noto-cjk
      - ./onlyoffice/fonts/noto-emoji:/usr/share/fonts/noto-emoji
      - ./onlyoffice/fonts/sarasa-gothic:/usr/share/fonts/sarasa-gothic
      - ./onlyoffice/fonts/source-code-pro:/usr/share/fonts/source-code-pro
      - ./onlyoffice/fonts/source-han-sans:/usr/share/fonts/source-han-sans
      - ./onlyoffice/fonts/source-han-serif:/usr/share/fonts/source-han-serif
      - ./onlyoffice/fonts/source-sans:/usr/share/fonts/source-sans
      - ./onlyoffice/fonts/source-serif:/usr/share/fonts/source-serif
      - ./onlyoffice/fonts/windows:/usr/share/fonts/windows
      - ./onlyoffice/local-production-linux.json:/etc/onlyoffice/documentserver/local-production-linux.json
    environment:
      - TZ=Asia/Shanghai
      - JWT_ENABLED=true
      - JWT_SECRET=yaoge123
  statsd-exporter:
    image: prom/statsd-exporter
    container_name: statsd-exporter
    ports:
      - 9102:9102
    depends_on:
      - onlyoffice 
  nginx:
    image: nginx:alpine
    container_name: nginx
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx/conf.d/:/etc/nginx/conf.d/:ro
      - ./nginx/ssl/:/etc/nginx/ssl/:ro
    environment:
      - TZ=Asia/Shanghai
  nginx-exporter:
    image: nginx/nginx-prometheus-exporter
    container_name: nginx-prometheus-exporter
    ports:
      - 9113:9113
    command:
      - -nginx.scrape-uri
      - http://nginx:8080/stub_status
    depends_on:
      - nginx
……

在 local-production-linux.json 对 OnlyOffice 进行持久化配置,主要是三部分:

  1. 开启statsd监控推送,填写statsd-exporter的主机名和端口
  2. 开启自动保存
  3. 打开文件尺寸扩大至1GB(默认是100MB)
{
        "statsd": {
                "useMetrics": true,
                "host": "statsd-exporter",
                "port": "9125",
                "prefix": "ds."
        },
	"services": {
		"CoAuthoring": {
			"autoAssembly": {
				"enable": true,
				"interval": "5m"
			}
		}
	},
	"FileConverter": {
		"converter": {
			"maxDownloadBytes": 1073741824,
			"downloadAttemptMaxCount": 3
		}
	}
}

Nginx 配置反代卸载SSL

map $http_host $this_host {
    "" $host;
    default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
     default $http_x_forwarded_proto;
     "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

server {
	listen 80;
	listen [::]:80;
	server_name onlyoffice.nju.edu.cn;
	rewrite ^ https://$http_host$request_uri? permanent;
	server_tokens off;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
	server_name onlyoffice.nju.edu.cn;
	server_tokens off;

        include ssl/nju_edu_cn.conf;

	add_header X-Content-Type-Options nosniff;

	location / {
		proxy_pass http://onlyoffice;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $proxy_connection;
		proxy_set_header X-Forwarded-Host $the_host;
		proxy_set_header X-Forwarded-Proto $the_scheme;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
}

server {
	listen 8080;
	listen [::]:8080;
	server_name localhost;

	location /stub_status {
		stub_status on;
		access_log off;
	}
}

在 Consul 中注册 OnlyOffice 和 Nginx 的监控

[yaoge123 ~]$ curl -X PUT -d '{"id": "onlyoffice.nju.edu.cn_statsd-exporter","name": "statsd_exporter","address": "onlyoffice.nju.edu.cn","port": 9102,"tags": ["prometheus","vm"],"checks": [{"http": "http://onlyoffice.nju.edu.cn:9102/metrics","interval": "30s"}]}' http://consul:8500/v1/agent/service/register

[yaoge123 ~]$ curl -X PUT -d '{"id": "onlyoffice.nju.edu.cn_nginx-exporter","name": "nginx_exporter","address": "onlyoffice.nju.edu.cn","port": 9113,"tags": ["prometheus","vm"],"checks": [{"http": "http://onlyoffice.nju.edu.cn:9113/metrics","interval": "30s"}]}' http://consul:8500/v1/agent/service/register

在Grafana中导入基于官方Dashboard的修改版

https://grafana.com/grafana/dashboards/17048

安装部署 Office Online Server 集群

Posted on (Updated by yaoge123

既然是集群,首先将域控变成两台:

将AD2加入域中,服务器角色中添加AD域服务,然后将其提升为域控,选择添加到现有域。

集群嘛,多安装几台 Office Online Server,但不导入SSL证书。

在第一台上用管理员打开PowerShell部署 Office Online Server farm

New-OfficeWebAppsFarm -InternalUrl "https://officeonline1.ad.local" -ExternalUrl "https://officeonline.nju.edu.cn" -SSLOffloaded -EditingEnabled

在其它台上用管理员打开PowerShell加入 Office Online Server farm

New-OfficeWebAppsMachine -MachineToJoin "officeonline1.ad.local"

在PowerShell中查看所有节点的状态

(Get-OfficeWebAppsFarm).Machines

前端 Nginx 负载均衡卸载SSL

upstream officeonline {
	ip_hash;
	server 192.168.1.11:80;
	server 192.168.1.12:80;
	server 192.168.1.13:80;
}

map $http_upgrade $connection_upgrade {
	default	upgrade;
	''	close;
}

server {
	listen 80;
	listen [::]:80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
	server_name officeonline.nju.edu.cn;

        include ssl/nju_edu_cn.conf;

	location / {
		proxy_pass http://officeonline;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		proxy_cache_bypass $http_upgrade;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Real-PORT $remote_port;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}
}

安装部署单台 Office Online Server

Posted on (Updated by yaoge123

Office Online Server 必须加入域,且不能装在域控上,因此先装两台带桌面体验的 Windows Server 2022 并升级。

第一台用来做域控,给2C/4G的资源就够了,服务器角色中添加AD域服务,然后将其提升为域控,如添加新林的根域名为 ad.local

第二台用来装Office Online Server,要多给资源,首先将其DNS改为域控的IP,加入域并重启。

用管理员打开PowerShell执行安装要求的角色和服务,安装完成后重启。

Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,NET-Framework-Features,NET-Framework-45-Features,NET-Framework-Core,NET-Framework-45-Core,NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-HTTP-Activation45,Windows-Identity-Foundation,Server-Media-Foundation

安装如下依赖软件,部分软件在Windows 2022中已经存在(.NET和VC++ 2015),安装程序会有提示直接退出,这个没关系

安装 Office Online Server ,当前版本是2018年11月发布的16.0.10338.20039

0a764830ee8cca9a92f749c9a6a9cd6a0e99e592 en_office_online_server_last_updated_november_2018_x64_dvd_1b5ae10d.iso

Microsoft Download Center下载语言包,在下载页面切换语言可以下载不同语言的语言包,当前是2018年11月发布的语言包,将多个语言包依次安装

87b77a9abf29cf11e95f74c07fb7419026882c05 wacserverlanguagepack-20181129cn.exe
33965054f9e93f6429cf3022dea0f6a575f8d178 wacserverlanguagepack-20181129en.exe
0432a9b8a27b7f56692e37c117b8cf79c45458fa wacserverlanguagepack-20181129tw.exe

Microsoft Update Catalog查找下载最新的Microsoft Office Online Server 服务器场部署安全更新,当前版本是2022年11月8日发布的KB5002276,安装时也会自动更新语言包

5abacedb0f21d8629a0a0eab1b4d163ca0228f96  wacserver-x-none_5abacedb0f21d8629a0a0eab1b4d163ca0228f96.cab

在MMC控制台-证书(本地计算机)-个人中导入pfx格式含私钥的HTTPS证书,注意IIS不支持双证书,因此考虑兼容性导入RSA证书,导入后右击证书属性,设置友好名称(如nju.edu.cn)

用管理员打开PowerShell部署 Office Online Server farm

New-OfficeWebAppsFarm -InternalUrl "https://officeonline.ad.local" -ExternalUrl "https://officeonline.nju.edu.cn" -CertificateName "nju.edu.cn" -EditingEnabled

在PowerShell查看详细配置

Get-OfficeWebAppsFarm

使用 Singularity 容器升级固件

Posted on (Updated by yaoge123

构建一个安装了SST的CentOS8容器

singularity build –sandbox sst-build docker://centos:8.4.2105

cp sst-*.x86_64.rpm sst-build/home

singularity shell -w sst-build

rpm -ivh /home/sst-*.x86_64.rpm

rm /home/sst-*.x86_64.rpm

exit

singularity build sst.sif sst-build

到节点上升级

singularity shell –writable-tmpfs sst.sif

sst show -ssd

sst load -ssd 0

sst load -ssd 1

……

exit

reboot

 

山石网科 Hillstone 防火墙QoS详解

Posted on (Updated by yaoge123
防火墙固件StoneOS 5.5R6,两路ISP PPPoE动态IP接入和静态IP接入,需要提供SSLVPN接入并将内网服务器发布到ISP的公网IP上,对公网直接访问和SSLVPN进行限速。山石网科的原厂工程师都搞不清楚怎么配置及其含义,所以只能通过自己实验来解决。
 
接口:
  • PPPoE接入:配置接口绑定三层安全域(untrust),IP配置为PPPoE,因为是动态IP所以必须配置DDNS,关闭逆向路由。
  • 静态IP接入:配置接口绑定三层安全域(untrust),IP配置为静态IP,关闭逆向路由。
目的NAT:
  • 源Any,目的地址对于动态IP选物理端口、对于静态IP填写IP地址,服务为对外发布的端口,转换为填写内网服务器IP和端口。
安全策略:
  • 源Any,目的安全域trust,目的地址为DDNS的动态域名和静态IP,服务对应目的NAT的服务。

VPN:

  • 为每个ISP接入创建独立的VPN,绑定各自的接入接口,为每个ISP创建独立的不同子网的隧道接口和地址池。
iQoS配置:
  • 不勾选”启用NAT IP匹配“。
iQoS策略:
  • 为每一个IPS接入创建单独的第一层流控管道。
  • 管道模式为整形,此模式支持带宽借用。
  • 匹配条件创建两条,一条只设置目的接口为ISP接防火墙的物理端口(无论动态还是静态IP),服务选择目的NAT中的服务;另一条只设置目的地址条目为vpn的地址池。
  • 流控动作是重点,在上述匹配条件下,正向流量指客户端下载、防火墙向ISP上传的流量;反向流量指客户端上传,防火墙从ISP下载的流量。
  • 管道带宽是ISP分配给的带宽,特别注意对于上下行非对等的宽带一定不要设置错。
  • 限制类型选限每IP,同IP下NAT的多个客户端会按照整个IP限制。
  • 限流选目的IP,这里的目的IP是客户端IP、源IP是服务器IP,因要限速每个客户端所以选目的IP,正向和反向是一样的。
  • 设置最小带宽,最小带宽是保证带宽,保证客户端有最基本的带宽可用。不设置最大带宽,尽可能的提高带宽利用率。
  • 不勾选平均带宽,这样不能很好地利用总带宽,应该设置最小保证带宽,不限制最大带宽可以充分利用带宽。如果勾选了平均带宽,会出现20Mb总带宽,4个IP连接,只有2个IP传输数据的时候,总带宽只能跑到10Mb。如果设置了最大带宽,但最大带宽小于总带宽,在单一客户端使用的情况下,跑不满总带宽会有浪费。

在以上配置的情况下,单一客户端可以跑满总带宽,多个客户端时可以保证每个客户端至少能获得最小带宽。

NVMe 热移除

Posted on (Updated by yaoge123
  1. 通过主板BMC确认拟移除物理位置NVMe盘对应的SN
  2. 使用 nvme list 查找SN对应的盘符
  3. 使用 mmlsnsd -m|grep $HOSTNAME 查找盘符对应的NSD名称
  4. 使用 mmdeldisk 从文件系统中移除NSD
  5. 使用 mmdelnsd 删除NSD
  6. ls -l /sys/class/block/ 查找盘符对应的BUS ID
  7. 使用 lspci -vvv|grep -a1 NVMe 查找BUS ID对应的 Physical Slot
  8. cd /sys/bus/pci/slots/$slot ($slot替换为上一步查到的Physical Slot)
  9. cat address 确认BUS ID正确
  10. echo 0 > power 下电
  11. lsblk 中已无此盘符
  12. 执行 mmnsddiscover 刷新
  13. 此时对应NVMe盘指示灯应熄灭,拔出此盘