Building a Private Linux Mirror Repository: A Complete Guide from Zero to Production
Overview
Why a private mirror repository?
In an enterprise environment, a private Linux mirror repository offers the following advantages:
- Network optimisation: less external bandwidth consumption and faster downloads
- Security control: software distribution stays inside the internal network
- Version management: package versions are managed centrally, keeping environments consistent
- Offline deployment: software can be installed where there is no internet access
- Cost savings: no repeated downloads, so less bandwidth spend
Architecture
Architecture diagram (image not preserved). Components shown: client, load balancer, mirror server 1, mirror server 2, storage backend, sync server, upstream mirror source.
Environment Preparation
Hardware requirements
| Component | Minimum | Recommended | Production |
|---|---|---|---|
| CPU | 2 cores | 4 cores | 8+ cores |
| Memory | 4 GB | 8 GB | 16 GB+ |
| Storage | 500 GB | 2 TB | 10 TB+ |
| Network | 100 Mbps | 1 Gbps | 10 Gbps |
Software environment
- Operating system: Ubuntu 22.04 LTS or CentOS 8
- Web server: Nginx
- Sync tools: rsync, apt-mirror, reposync
- Monitoring: Prometheus + Grafana
Directory layout
```bash
# Create the directory structure
sudo mkdir -p /data/mirrors/{ubuntu,centos,docker,alpine}
sudo mkdir -p /data/mirrors/logs
sudo mkdir -p /data/mirrors/scripts
sudo mkdir -p /etc/mirrors
```
Setting Up a Private APT Mirror
Installing apt-mirror
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install -y apt-mirror nginx
# Create a dedicated, non-login system user that owns the mirror data
sudo useradd -r -s /bin/false -d /data/mirrors aptmirror
sudo chown -R aptmirror:aptmirror /data/mirrors
```
Configuring apt-mirror
```bash
# Edit the configuration file
sudo nano /etc/apt/mirror.list
```
```text
# /etc/apt/mirror.list
############# config ##################
set base_path /data/mirrors/ubuntu
set mirror_path $base_path/mirror
set skel_path $base_path/skel
set var_path $base_path/var
set cleanscript $var_path/clean.sh
set defaultarch amd64
set postmirror_script $var_path/postmirror.sh
set run_postmirror 0
set nthreads 20
set _tilde 0
############# end config ##############
# Ubuntu 22.04 LTS (Jammy)
deb http://archive.ubuntu.com/ubuntu jammy main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu jammy-security main restricted universe multiverse
# Ubuntu 20.04 LTS (Focal)
deb http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu focal-security main restricted universe multiverse
# Source packages (optional)
# deb-src http://archive.ubuntu.com/ubuntu jammy main restricted universe multiverse
# Clean-up: generate the script that removes files no longer referenced upstream
clean http://archive.ubuntu.com/ubuntu
clean http://security.ubuntu.com/ubuntu
```
Creating the sync script
```bash
# Create the sync script
sudo nano /data/mirrors/scripts/sync-ubuntu.sh
```
```bash
#!/bin/bash
# Ubuntu mirror sync script
# pipefail matters here: without it a failing apt-mirror is masked by "| tee"
# and the script would still record a "successful" run below.
set -euo pipefail
LOGFILE="/data/mirrors/logs/ubuntu-sync-$(date +%Y%m%d-%H%M%S).log"
LOCKFILE="/var/run/ubuntu-mirror.lock"
# Check the lock file so two syncs never run at the same time
if [ -f "$LOCKFILE" ]; then
    echo "同步进程已在运行,退出..."
    exit 1
fi
# Create the lock file
echo $$ > "$LOCKFILE"
# Clean-up function: remove the lock on any exit (success, error or signal)
cleanup() {
    rm -f "$LOCKFILE"
}
trap cleanup EXIT
echo "开始Ubuntu镜像同步: $(date)" | tee -a "$LOGFILE"
# Run the sync as the unprivileged mirror user
sudo -u aptmirror apt-mirror /etc/apt/mirror.list 2>&1 | tee -a "$LOGFILE"
# Update the timestamp (only reached when apt-mirror succeeded)
echo "$(date)" > /data/mirrors/ubuntu/last_update
echo "Ubuntu镜像同步完成: $(date)" | tee -a "$LOGFILE"
# Remove old logs (keep 30 days)
find /data/mirrors/logs -name "ubuntu-sync-*.log" -mtime +30 -delete
# Send a notification (optional)
# curl -X POST -H 'Content-type: application/json' \
#     --data '{"text":"Ubuntu镜像同步完成"}' \
#     YOUR_WEBHOOK_URL
```
```bash
# Make the script executable
sudo chmod +x /data/mirrors/scripts/sync-ubuntu.sh
```
Configuring Nginx
```bash
# Create the Nginx site configuration
sudo nano /etc/nginx/sites-available/ubuntu-mirror
```
```nginx
server {
    listen 80;
    server_name ubuntu-mirror.example.com;
    root /data/mirrors/ubuntu/mirror;
    index index.html;

    # Access logs
    access_log /var/log/nginx/ubuntu-mirror.access.log;
    error_log /var/log/nginx/ubuntu-mirror.error.log;

    # Basic settings
    location / {
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
        # Cache settings
        expires 1d;
        add_header Cache-Control "public, immutable";
        # Security headers
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";
    }

    # Package files: versioned file names, safe to cache for a long time
    location ~* \.(deb|udeb|tar\.gz|tar\.xz|tar\.bz2)$ {
        expires 7d;
        add_header Cache-Control "public, immutable";
    }

    # Index/metadata files are rewritten on every sync and must not be cached as
    # immutable; the optional suffix also catches the compressed variants
    # (Packages.gz, Sources.xz, ...), which the bare names alone would miss.
    location ~ (InRelease|Release|Release\.gpg|Packages|Sources)(\.(gz|xz|bz2))?$ {
        expires 1h;
        add_header Cache-Control "public, must-revalidate";
    }

    # Status page: serves the last_update timestamp as plain text
    location = /status {
        alias /data/mirrors/ubuntu/last_update;
        default_type text/plain;
    }

    # Deny access to hidden files
    location ~ /\. {
        deny all;
    }
}
```
```bash
# Enable the site
sudo ln -s /etc/nginx/sites-available/ubuntu-mirror /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
```
Setting Up a Private YUM Mirror
Installing reposync
```bash
# CentOS/RHEL
sudo yum install -y yum-utils createrepo nginx
# Or, on Ubuntu
sudo apt install -y yum-utils createrepo-c nginx
```
Configuring the YUM repository sync
```bash
# Create the CentOS 8 sync script
sudo nano /data/mirrors/scripts/sync-centos.sh
```
```bash
#!/bin/bash
# CentOS mirror sync script
set -euo pipefail
MIRROR_BASE="/data/mirrors/centos"
LOGFILE="/data/mirrors/logs/centos-sync-$(date +%Y%m%d-%H%M%S).log"
LOCKFILE="/var/run/centos-mirror.lock"
# Check the lock file
if [ -f "$LOCKFILE" ]; then
    echo "同步进程已在运行,退出..."
    exit 1
fi
echo $$ > "$LOCKFILE"
cleanup() {
    rm -f "$LOCKFILE"
}
trap cleanup EXIT
echo "开始CentOS镜像同步: $(date)" | tee -a "$LOGFILE"
# Sync CentOS Stream.
# reposync resolves the repo ids (baseos, appstream, ...) from the host's
# /etc/yum.repos.d, so each id must be defined there and point at the right
# release (e.g. via --releasever or a separate --config file per version).
# CentOS Stream 9 names powertools "crb"; adjust the list per release.
sync_centos_stream() {
    local version=$1
    local repo_dir="$MIRROR_BASE/$version"
    mkdir -p "$repo_dir"
    # Sync each repository
    for repo in baseos appstream extras powertools; do
        echo "同步 CentOS $version $repo..." | tee -a "$LOGFILE"
        reposync \
            --download-path="$repo_dir" \
            --repoid="$repo" \
            --arch=x86_64 \
            --newest-only \
            --delete \
            2>&1 | tee -a "$LOGFILE"
        # Create the repository metadata
        createrepo_c "$repo_dir/$repo/" 2>&1 | tee -a "$LOGFILE"
    done
}
# Sync each release
sync_centos_stream "8-stream"
sync_centos_stream "9-stream"
# Update the timestamp
echo "$(date)" > "$MIRROR_BASE/last_update"
echo "CentOS镜像同步完成: $(date)" | tee -a "$LOGFILE"
# Remove old logs
find /data/mirrors/logs -name "centos-sync-*.log" -mtime +30 -delete
```
Creating the YUM repository file
```bash
# Create the repository configuration template for clients
sudo nano /data/mirrors/centos/centos8-stream.repo
```
```ini
# gpgcheck=1 keeps end-to-end package signature verification even though the
# packages now come from the internal mirror rather than from CentOS directly.
[baseos]
name=CentOS Stream $releasever - BaseOS
baseurl=http://your-mirror.example.com/centos/8-stream/baseos/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[appstream]
name=CentOS Stream $releasever - AppStream
baseurl=http://your-mirror.example.com/centos/8-stream/appstream/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[extras]
name=CentOS Stream $releasever - Extras
baseurl=http://your-mirror.example.com/centos/8-stream/extras/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[powertools]
name=CentOS Stream $releasever - PowerTools
baseurl=http://your-mirror.example.com/centos/8-stream/powertools/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
```
Nginx configuration (CentOS)
```nginx
server {
    listen 80;
    server_name centos-mirror.example.com;
    root /data/mirrors/centos;
    index index.html;
    access_log /var/log/nginx/centos-mirror.access.log;
    error_log /var/log/nginx/centos-mirror.error.log;

    location / {
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
        expires 1d;
        add_header Cache-Control "public, immutable";
    }

    # RPM packages: versioned file names, safe to cache for a long time
    location ~* \.rpm$ {
        expires 7d;
        add_header Cache-Control "public, immutable";
    }

    # Repository metadata: everything under repodata/ (repomd.xml and the compressed
    # primary/filelists/other files) is rewritten on every sync and must revalidate
    location ~ /repodata/ {
        expires 1h;
        add_header Cache-Control "public, must-revalidate";
    }

    # Status page for the load-balancer health check (same as the Ubuntu vhost)
    location = /status {
        alias /data/mirrors/centos/last_update;
        default_type text/plain;
    }

    # Download of the client .repo files
    location /repo-files/ {
        alias /data/mirrors/centos/;
        try_files $uri $uri.repo =404;
        default_type text/plain;
    }
}
```
Setting Up a Private Docker Registry
Installing Docker Registry
```bash
# Install Docker
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
# Create the Registry directories
sudo mkdir -p /data/mirrors/docker/{registry,auth,certs}
```
Configuring the Registry
```bash
# Create the Registry configuration file
sudo nano /data/mirrors/docker/config.yml
```
```yaml
version: 0.1
log:
  accesslog:
    disabled: false
  level: info
  formatter: text
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['*']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
# proxy: turns the registry into a pull-through cache of Docker Hub. A registry in
# this mode is read-only (pushes are rejected). The credentials can also be supplied
# through the REGISTRY_PROXY_USERNAME / REGISTRY_PROXY_PASSWORD environment variables
# instead of being stored in this file.
proxy:
  remoteurl: https://registry-1.docker.io
  username: your-dockerhub-username
  password: your-dockerhub-password
```
Starting the Registry service
```bash
# Create the docker-compose file
sudo nano /data/mirrors/docker/docker-compose.yml
```
```yaml
version: '3.8'
services:
  registry:
    image: registry:2.8
    container_name: docker-registry
    restart: unless-stopped
    ports:
      - "5000:5000"
    environment:
      REGISTRY_CONFIG_PATH: /etc/docker/registry/config.yml
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
    volumes:
      - /data/mirrors/docker/registry:/var/lib/registry
      - /data/mirrors/docker/config.yml:/etc/docker/registry/config.yml:ro
    networks:
      - registry-net
  registry-ui:
    image: joxit/docker-registry-ui:latest
    container_name: registry-ui
    restart: unless-stopped
    ports:
      - "8080:80"
    environment:
      REGISTRY_TITLE: "Private Docker Registry"
      REGISTRY_URL: http://registry:5000
      DELETE_IMAGES: "true"
      SHOW_CONTENT_DIGEST: "true"
    depends_on:
      - registry
    networks:
      - registry-net
networks:
  registry-net:
    driver: bridge
```
```bash
# Start the services
cd /data/mirrors/docker
sudo docker-compose up -d
```
Configuring the Registry reverse proxy
```nginx
# Nginx configuration in front of the Docker Registry
server {
    listen 80;
    server_name docker-registry.example.com;
    # Image layers can be large: disable the request body size limit
    client_max_body_size 0;
    chunked_transfer_encoding on;
    # Registry API
    location /v2/ {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
    # Registry UI
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Automated Sync and Updates
Creating a master sync script
```bash
# Create the master sync script
sudo nano /data/mirrors/scripts/sync-all.sh
```
```bash
#!/bin/bash
# Master mirror sync script: runs each sync in turn and reports the outcome
set -e
SCRIPT_DIR="/data/mirrors/scripts"
LOG_DIR="/data/mirrors/logs"
NOTIFICATION_URL="${WEBHOOK_URL:-}"
# Logging helper
log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_DIR/sync-all.log"
}
# Notification helper
notify() {
    local message="$1"
    local status="$2"
    log "$message"
    if [ -n "$NOTIFICATION_URL" ]; then
        curl -X POST -H 'Content-type: application/json' \
            --data "{\"text\":\"$message\", \"status\":\"$status\"}" \
            "$NOTIFICATION_URL" || true
    fi
}
# Run one sync job
run_sync() {
    local script="$1"
    local name="$2"
    if [ -f "$script" ]; then
        log "开始同步 $name"
        if "$script"; then
            notify "$name 同步成功" "success"
        else
            notify "$name 同步失败" "error"
            return 1
        fi
    else
        log "同步脚本不存在: $script"
        return 1
    fi
}
# Main flow
main() {
    log "开始镜像同步任务"
    local failed=0
    # Failures are counted with an assignment rather than ((failed++)): under set -e,
    # ((failed++)) evaluates to 0 on the first failure, returns status 1 and would
    # abort the whole script right there.
    # Sync Ubuntu
    run_sync "$SCRIPT_DIR/sync-ubuntu.sh" "Ubuntu" || failed=$((failed + 1))
    # Sync CentOS
    run_sync "$SCRIPT_DIR/sync-centos.sh" "CentOS" || failed=$((failed + 1))
    # Remove old logs
    find "$LOG_DIR" -name "*.log" -mtime +30 -delete
    if [ "$failed" -eq 0 ]; then
        notify "所有镜像同步完成" "success"
    else
        notify "有 $failed 个镜像同步失败" "warning"
    fi
    log "镜像同步任务结束"
}
main "$@"
```
Scheduling with cron
```bash
# Edit root's crontab
sudo crontab -e
```
```text
# Scheduled jobs
# Sync every day at 02:00
0 2 * * * /data/mirrors/scripts/sync-all.sh
# Clean up the Docker Registry every Sunday at 01:00
0 1 * * 0 /data/mirrors/scripts/cleanup-docker.sh
# Check service health every hour
0 * * * * /data/mirrors/scripts/health-check.sh
```
Health check script
```bash
# Create the health check script
sudo nano /data/mirrors/scripts/health-check.sh
```
```bash
#!/bin/bash
# Service health check script
# Note the space between the array elements: ("nginx""docker") would be a single
# element named "nginxdocker".
SERVICES=("nginx" "docker")
LOG_FILE="/data/mirrors/logs/health-check.log"
log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> "$LOG_FILE"
}
check_service() {
    local service="$1"
    if systemctl is-active --quiet "$service"; then
        log "$service 服务正常运行"
        return 0
    else
        log "$service 服务异常,尝试重启"
        systemctl restart "$service"
        sleep 5
        if systemctl is-active --quiet "$service"; then
            log "$service 服务重启成功"
            return 0
        else
            log "$service 服务重启失败"
            return 1
        fi
    fi
}
check_disk_space() {
    local usage
    usage=$(df /data/mirrors | awk 'NR==2 {print $5}' | sed 's/%//')
    if [ "$usage" -gt 85 ]; then
        log "磁盘空间不足: ${usage}%"
        # Send an alert here
        return 1
    else
        log "磁盘空间正常: ${usage}%"
        return 0
    fi
}
# Main check flow
main() {
    local failed=0
    # Check service status
    for service in "${SERVICES[@]}"; do
        check_service "$service" || failed=$((failed + 1))
    done
    # Check disk space
    check_disk_space || failed=$((failed + 1))
    # Check that the web service answers (-f makes a 404/5xx count as a failure)
    if ! curl -sf --max-time 10 http://localhost/status > /dev/null; then
        log "Web服务访问异常"
        failed=$((failed + 1))
    fi
    if [ "$failed" -eq 0 ]; then
        log "所有检查项正常"
    else
        log "发现 $failed 个异常项"
    fi
}
main "$@"
```
High Availability and Load Balancing
Configuring HAProxy load balancing
```bash
# Install HAProxy
sudo apt install -y haproxy
# Edit the HAProxy configuration
sudo nano /etc/haproxy/haproxy.cfg
```
```haproxy
global
    daemon
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option httplog
    option dontlognull
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend mirror_frontend
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/mirror.pem
    redirect scheme https if !{ ssl_fc }
    # Route by Host header
    acl is_ubuntu hdr(host) -i ubuntu-mirror.example.com
    acl is_centos hdr(host) -i centos-mirror.example.com
    acl is_docker hdr(host) -i docker-registry.example.com
    use_backend ubuntu_backend if is_ubuntu
    use_backend centos_backend if is_centos
    use_backend docker_backend if is_docker
    default_backend ubuntu_backend

backend ubuntu_backend
    balance roundrobin
    # Send the Host header with the check; otherwise Nginx answers from its default
    # server block instead of this vhost (http-check send needs HAProxy 2.2+)
    option httpchk
    http-check send meth GET uri /status hdr Host ubuntu-mirror.example.com
    server ubuntu1 192.168.1.10:80 check
    server ubuntu2 192.168.1.11:80 check backup

backend centos_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /status hdr Host centos-mirror.example.com
    server centos1 192.168.1.10:80 check
    server centos2 192.168.1.11:80 check backup

backend docker_backend
    balance roundrobin
    option httpchk GET /v2/
    server docker1 192.168.1.10:5000 check
    server docker2 192.168.1.11:5000 check backup

listen stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 30s
    # "stats admin if TRUE" lets anyone who can reach this port disable servers;
    # restrict the port at the firewall or protect it with "stats auth user:password".
    stats admin if TRUE
    # Built-in Prometheus exporter (HAProxy 2.0+), used by the Prometheus "haproxy" job
    http-request use-service prometheus-exporter if { path /metrics }
```
Configuring Keepalived for high availability
```bash
# Install Keepalived
sudo apt install -y keepalived
# Edit the master node configuration
sudo nano /etc/keepalived/keepalived.conf
```
```text
# Master node configuration. The backup node uses the same file with
# "state BACKUP" and a lower priority (e.g. 100).
vrrp_script chk_haproxy {
    script "/bin/kill -0 `cat /var/run/haproxy.pid`"
    interval 2
    weight 2
    fall 3
    rise 2
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111    # placeholder; use a site-specific value (max 8 characters)
    }
    virtual_ipaddress {
        192.168.1.100
    }
    track_script {
        chk_haproxy
    }
}
```
Monitoring and Maintenance
Configuring Prometheus
```bash
# Create the Prometheus configuration
sudo nano /etc/prometheus/prometheus.yml
```
```yaml
global:
  scrape_interval: 15s
  evaluation_interval: 15s
rule_files:
  - "mirror_rules.yml"
scrape_configs:
  - job_name: 'prometheus'
    static_configs:
      - targets: ['localhost:9090']
  # node_exporter: host metrics (disk, memory, network) used by the alert rules
  - job_name: 'node-exporter'
    static_configs:
      - targets: ['localhost:9100']
  # nginx-prometheus-exporter (reads Nginx stub_status), default port 9113
  - job_name: 'nginx'
    static_configs:
      - targets: ['localhost:9113']
  # HAProxy's built-in Prometheus exporter (2.0+), served from the stats port when
  # enabled there with "http-request use-service prometheus-exporter"
  - job_name: 'haproxy'
    static_configs:
      - targets: ['localhost:8404']
alerting:
  alertmanagers:
    - static_configs:
        - targets:
            - alertmanager:9093
```
Creating alert rules
```bash
# Create the alert rules file
sudo nano /etc/prometheus/mirror_rules.yml
```
```yaml
groups:
  - name: mirror_alerts
    rules:
      - alert: HighDiskUsage
        expr: (node_filesystem_size_bytes{mountpoint="/data"} - node_filesystem_free_bytes{mountpoint="/data"}) / node_filesystem_size_bytes{mountpoint="/data"} * 100 > 85
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "磁盘使用率过高"
          description: "镜像存储磁盘使用率超过85%"
      - alert: ServiceDown
        expr: up == 0
        for: 2m
        labels:
          severity: critical
        annotations:
          summary: "服务不可用"
          description: "{{ $labels.instance }} 服务已停止"
      - alert: HighMemoryUsage
        expr: (1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)) * 100 > 90
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "内存使用率过高"
          description: "内存使用率超过90%"
      # sync_job_failures_total is not a node_exporter metric: the sync scripts have to
      # export it themselves (for example through node_exporter's textfile collector),
      # otherwise this rule never fires.
      - alert: SyncJobFailed
        expr: increase(sync_job_failures_total[1h]) > 0
        for: 0m
        labels:
          severity: critical
        annotations:
          summary: "镜像同步失败"
          description: "镜像同步任务执行失败"
```
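The SyncJobFailed rule above and the sync_last_success_timestamp_seconds panel in the Grafana dashboard both depend on metrics that none of the scripts in this guide export. The following added example (not from the original article) shows how a sync script can publish them through node_exporter's textfile collector; the collector directory /var/lib/node_exporter/textfile is an assumed path, and node_exporter must be started with --collector.textfile.directory pointing at it.

```bash
#!/bin/bash
# Added example: publish mirror-sync results for node_exporter's textfile collector.
# Assumed (not from the article): node_exporter runs with
#   --collector.textfile.directory=/var/lib/node_exporter/textfile
set -eu

# read_sync_metric DIR NAME METRIC: print the current value of one metric, or nothing
read_sync_metric() {
    awk -v m="$3" 'index($1, m "{") == 1 {print $2}' "$1/mirror_sync_$2.prom"
}

# write_sync_metrics NAME STATUS [DIR]
#   NAME    mirror name (ubuntu, centos, ...), exported as the "mirror" label
#   STATUS  exit status of the sync script: 0 = success, anything else = failure
#   DIR     textfile collector directory (defaults to the assumed path above)
# The failure counter carries over between runs, so the alert rule
# increase(sync_job_failures_total[1h]) > 0 fires only on a new failure.
write_sync_metrics() {
    local name="$1" status="$2" dir="${3:-/var/lib/node_exporter/textfile}"
    local prom="$dir/mirror_sync_${name}.prom"
    local failures="" last_success=""
    # Previous values, if a metrics file from an earlier run exists
    if [ -f "$prom" ]; then
        failures=$(read_sync_metric "$dir" "$name" sync_job_failures_total)
        last_success=$(read_sync_metric "$dir" "$name" sync_last_success_timestamp_seconds)
    fi
    failures=${failures:-0}
    last_success=${last_success:-0}
    if [ "$status" -eq 0 ]; then
        last_success=$(date +%s)
    else
        failures=$((failures + 1))
    fi
    # Write to a temporary file and rename, so the collector never reads a partial file
    local tmp="$prom.$$"
    {
        echo "# HELP sync_job_failures_total Failed mirror sync runs."
        echo "# TYPE sync_job_failures_total counter"
        echo "sync_job_failures_total{mirror=\"$name\"} $failures"
        echo "# HELP sync_last_success_timestamp_seconds Unix time of the last successful sync."
        echo "# TYPE sync_last_success_timestamp_seconds gauge"
        echo "sync_last_success_timestamp_seconds{mirror=\"$name\"} $last_success"
    } > "$tmp"
    mv "$tmp" "$prom"
}

# Demo in a temporary directory (constructed data): two failed runs, then a success.
demo_sync_metrics() {
    local dir
    dir=$(mktemp -d)
    write_sync_metrics ubuntu 1 "$dir"
    write_sync_metrics ubuntu 1 "$dir"
    write_sync_metrics ubuntu 0 "$dir"
    echo "failures=$(read_sync_metric "$dir" ubuntu sync_job_failures_total)"   # failures=2
    rm -rf "$dir"
}

demo_sync_metrics
```

In sync-all.sh this would be called as `write_sync_metrics "$name" "$?"` right after each sync script returns.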
Grafana dashboard
```json
{
  "dashboard": {
    "id": null,
    "title": "Linux Mirror Repository Dashboard",
    "tags": ["mirror", "linux"],
    "timezone": "browser",
    "panels": [
      {
        "title": "磁盘使用率",
        "type": "stat",
        "targets": [
          {
            "expr": "(node_filesystem_size_bytes{mountpoint=\"/data\"} - node_filesystem_free_bytes{mountpoint=\"/data\"}) / node_filesystem_size_bytes{mountpoint=\"/data\"} * 100",
            "legendFormat": "磁盘使用率"
          }
        ],
        "fieldConfig": {
          "defaults": {
            "unit": "percent",
            "thresholds": {
              "steps": [
                {"color": "green", "value": null},
                {"color": "yellow", "value": 70},
                {"color": "red", "value": 85}
              ]
            }
          }
        }
      },
      {
        "title": "网络流量",
        "type": "graph",
        "targets": [
          {
            "expr": "rate(node_network_receive_bytes_total{device=\"eth0\"}[5m])",
            "legendFormat": "接收"
          },
          {
            "expr": "rate(node_network_transmit_bytes_total{device=\"eth0\"}[5m])",
            "legendFormat": "发送"
          }
        ]
      },
      {
        "title": "同步状态",
        "type": "table",
        "targets": [
          {
            "expr": "sync_last_success_timestamp_seconds",
            "legendFormat": "最后同步时间"
          }
        ]
      }
    ],
    "time": {
      "from": "now-1h",
      "to": "now"
    },
    "refresh": "30s"
  }
}
```
Security Configuration
SSL/TLS configuration
```bash
# Generate a self-signed certificate (valid one year)
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/mirror.key \
    -out /etc/ssl/certs/mirror.crt \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=mirror.example.com"
# Combine certificate and key into one file (HAProxy needs this).
# The shell redirect runs as the invoking user, not as root, so it must happen inside
# the root shell; and the combined file contains the private key, so lock it down.
sudo sh -c 'cat /etc/ssl/certs/mirror.crt /etc/ssl/private/mirror.key > /etc/ssl/certs/mirror.pem'
sudo chmod 600 /etc/ssl/certs/mirror.pem
# Clients must trust a self-signed certificate explicitly: apt via
# /usr/local/share/ca-certificates/ + update-ca-certificates, Docker via
# /etc/docker/certs.d/docker-registry.example.com/ca.crt
```
Access control
```nginx
# geo, limit_conn_zone and limit_req_zone are only valid in the http { } context,
# so they belong in a file included from there (e.g. /etc/nginx/conf.d/mirror-access.conf),
# not inside server { }.
# IP allow-list
geo $allowed_ip {
    default 0;
    192.168.0.0/16 1;
    10.0.0.0/8 1;
    172.16.0.0/12 1;
}
# Shared-memory zones for the connection and request limits
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;

server {
    listen 80;
    server_name mirror.example.com;
    # IP access control
    if ($allowed_ip = 0) {
        return 403;
    }
    # Limit concurrent connections per client IP
    limit_conn conn_limit_per_ip 10;
    # Limit request rate per client IP
    limit_req zone=req_limit_per_ip burst=20 nodelay;
    location / {
        # Basic authentication (optional)
        auth_basic "Private Mirror";
        auth_basic_user_file /etc/nginx/.htpasswd;
        # other settings...
    }
}
```
Firewall configuration
```bash
# UFW firewall configuration
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH
sudo ufw allow ssh
# Allow HTTP/HTTPS from anywhere
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Allow the internal networks. These rules are redundant while port 80 is open to
# everyone above; to restrict the mirror to the internal networks only, drop the
# two global rules and keep these.
sudo ufw allow from 192.168.0.0/16 to any port 80
sudo ufw allow from 10.0.0.0/8 to any port 80
# Enable the firewall
sudo ufw enable
```
Troubleshooting
Diagnosing common problems
1. Sync failures
```bash
# Check connectivity to the upstream
curl -I http://archive.ubuntu.com/ubuntu/
# Check disk space
df -h /data/mirrors
# Check permissions
ls -la /data/mirrors/
# Follow the sync log
tail -f /data/mirrors/logs/ubuntu-sync-*.log
```
2. Service access problems
```bash
# Check Nginx status and configuration
sudo systemctl status nginx
sudo nginx -t
# Check listening ports
sudo netstat -tlnp | grep :80
# Check the firewall
sudo ufw status
# Test local access
curl -I http://localhost/
```
3. Performance problems
```bash
# System load
top
htop
iotop
# Network traffic
iftop
nethogs
# Disk I/O
iostat -x 1
```
Recovery script
```bash
# Create the recovery script
sudo nano /data/mirrors/scripts/recovery.sh
```
```bash
#!/bin/bash
# Recovery script
SERVICES=("nginx" "docker" "haproxy")
BACKUP_DIR="/data/backup"
# Restart any service that is down
recover_services() {
    for service in "${SERVICES[@]}"; do
        if ! systemctl is-active --quiet "$service"; then
            echo "恢复服务: $service"
            systemctl restart "$service"
            sleep 5
            if systemctl is-active --quiet "$service"; then
                echo "$service 恢复成功"
            else
                echo "$service 恢复失败"
            fi
        fi
    done
}
# Restore configuration files from the backup directory
recover_configs() {
    if [ -d "$BACKUP_DIR" ]; then
        echo "恢复配置文件..."
        # Restore the Nginx configuration
        if [ -f "$BACKUP_DIR/nginx.conf" ]; then
            cp "$BACKUP_DIR/nginx.conf" /etc/nginx/nginx.conf
            nginx -t && systemctl reload nginx
        fi
        # Restore the HAProxy configuration (validate before reloading, as with Nginx)
        if [ -f "$BACKUP_DIR/haproxy.cfg" ]; then
            cp "$BACKUP_DIR/haproxy.cfg" /etc/haproxy/haproxy.cfg
            haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy
        fi
    fi
}
# Data integrity check
check_data_integrity() {
    echo "检查数据完整性..."
    # Check the Ubuntu mirror. apt-mirror stores each upstream under
    # <mirror_path>/<host>/<path>, so the suite lives below archive.ubuntu.com/ubuntu.
    if [ -f "/data/mirrors/ubuntu/mirror/archive.ubuntu.com/ubuntu/dists/jammy/Release" ]; then
        echo "Ubuntu镜像完整"
    else
        echo "Ubuntu镜像损坏,需要重新同步"
        /data/mirrors/scripts/sync-ubuntu.sh
    fi
    # Check the CentOS mirror
    if [ -f "/data/mirrors/centos/8-stream/baseos/repodata/repomd.xml" ]; then
        echo "CentOS镜像完整"
    else
        echo "CentOS镜像损坏,需要重新同步"
        /data/mirrors/scripts/sync-centos.sh
    fi
}
# Main recovery flow
main() {
    echo "开始故障恢复..."
    recover_services
    recover_configs
    check_data_integrity
    echo "故障恢复完成"
}
main "$@"
```
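check_data_integrity above only tests that a Release file exists, which says nothing about whether the index files apt will actually read are intact. The following added example (not from the original article) recomputes the SHA256 of every index listed in a suite's Release file and compares it with the mirrored copy; the directory layout (dists/<suite>/<component>/binary-<arch>/Packages) is apt's own, the sample files are constructed inline, and verifying the signature on Release itself (gpgv against the Ubuntu archive key) is a separate step this script does not perform.

```bash
#!/bin/bash
# Added example: verify a mirrored apt suite against the hashes in its Release file.
set -eu

# verify_release_hashes DISTS_DIR
#   DISTS_DIR  suite directory holding Release, e.g.
#              /data/mirrors/ubuntu/mirror/archive.ubuntu.com/ubuntu/dists/jammy
# Prints one MISMATCH line per bad file plus a summary; returns 0 if every file that
# is present matches. Files listed in Release but absent on disk are counted as
# "missing" rather than as failures, because apt-mirror only fetches the components
# and compressions it was configured for.
verify_release_hashes() {
    local dir="$1" ok=0 bad=0 missing=0
    local hash size path actual
    # The SHA256 section of Release holds " <sha256> <size> <relative path>" per line
    # and ends at the next field name (a line that does not start with a space).
    awk '/^SHA256:/ {f=1; next} /^[^ ]/ {f=0} f && NF==3 {print $1, $2, $3}' "$dir/Release" | {
        while read -r hash size path; do
            if [ ! -f "$dir/$path" ]; then
                missing=$((missing + 1))
                continue
            fi
            actual=$(sha256sum "$dir/$path" | awk '{print $1}')
            if [ "$actual" = "$hash" ] && [ "$(stat -c %s "$dir/$path")" = "$size" ]; then
                ok=$((ok + 1))
            else
                echo "MISMATCH $path"
                bad=$((bad + 1))
            fi
        done
        echo "ok=$ok mismatch=$bad missing=$missing"
        [ "$bad" -eq 0 ]
    }
}

# Demo on a constructed suite: one intact index, one index listed in Release but never
# mirrored, and one index corrupted after Release was written (as a partial download would be).
demo_verify() {
    local dir status=0
    dir=$(mktemp -d)
    mkdir -p "$dir/main/binary-amd64" "$dir/universe/binary-amd64"
    printf 'Package: hello\n' > "$dir/main/binary-amd64/Packages"
    printf 'Package: tree\n' > "$dir/universe/binary-amd64/Packages"
    {
        echo "Suite: jammy"
        echo "SHA256:"
        for p in main/binary-amd64/Packages universe/binary-amd64/Packages; do
            echo " $(sha256sum "$dir/$p" | awk '{print $1}') $(stat -c %s "$dir/$p") $p"
        done
        echo " $(printf '%064d' 0) 0 restricted/binary-amd64/Packages"
    } > "$dir/Release"
    # Corrupt one index after Release was written
    echo "truncated" >> "$dir/universe/binary-amd64/Packages"
    verify_release_hashes "$dir" || status=$?
    echo "status=$status"    # status=1
    rm -rf "$dir"
}

demo_verify
```

Run against a real mirror, the summary line's missing count should stay constant between syncs; a growing mismatch count points at interrupted downloads or a sync that ran while clients were being served.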
Monitoring script
```bash
# Create the monitoring script
sudo nano /data/mirrors/scripts/monitor.sh
```
```bash
#!/bin/bash
# Continuous monitoring script
ALERT_EMAIL="admin@example.com"
WEBHOOK_URL="https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
send_alert() {
    local message="$1"
    local severity="$2"
    echo "[$(date)] ALERT [$severity]: $message"
    # E-mail alert
    echo "$message" | mail -s "Mirror Alert [$severity]" "$ALERT_EMAIL"
    # Webhook notification
    curl -X POST -H 'Content-type: application/json' \
        --data "{\"text\":\"$message\", \"severity\":\"$severity\"}" \
        "$WEBHOOK_URL"
}
# Check disk space
check_disk() {
    local usage
    usage=$(df /data/mirrors | awk 'NR==2 {print $5}' | sed 's/%//')
    if [ "$usage" -gt 90 ]; then
        send_alert "磁盘空间严重不足: ${usage}%" "CRITICAL"
    elif [ "$usage" -gt 80 ]; then
        send_alert "磁盘空间不足: ${usage}%" "WARNING"
    fi
}
# Check sync freshness
check_sync() {
    local last_sync current_time diff
    last_sync=$(stat -c %Y /data/mirrors/ubuntu/last_update 2>/dev/null || echo 0)
    current_time=$(date +%s)
    diff=$((current_time - last_sync))
    # Alert if there has been no sync for more than 24 hours
    if [ "$diff" -gt 86400 ]; then
        send_alert "Ubuntu镜像同步超时: $((diff/3600))小时" "WARNING"
    fi
}
# Check service status
check_services() {
    local services=("nginx" "docker")
    for service in "${services[@]}"; do
        if ! systemctl is-active --quiet "$service"; then
            send_alert "$service 服务异常" "CRITICAL"
        fi
    done
}
# Main monitoring loop
main() {
    while true; do
        check_disk
        check_sync
        check_services
        sleep 300  # check every 5 minutes
    done
}
main "$@"
```
Summary
Following this guide, we have built a complete private Linux mirror repository system that includes:
Core features
- Multi-distribution support: Ubuntu, CentOS and Docker images
- Automated sync: scheduled synchronisation from the upstream mirrors
- Load balancing: HAProxy + Keepalived high-availability setup
- Monitoring and alerting: Prometheus + Grafana monitoring stack
Operational features
- Security hardening: SSL/TLS, access control, firewall configuration
- Fault recovery: automated failure detection and recovery
- Performance optimisation: caching policy, concurrency limits
- Log management: complete logging and log rotation
Best practices
- Regular backups: back up configuration files and critical data on a schedule
- Capacity planning: size storage according to actual usage
- Network optimisation: configure appropriate caching and CDN policies
- Security updates: keep the system and its packages up to date
This setup meets enterprise requirements for a private mirror repository, providing stable, efficient and secure package distribution.
This article was reproduced from https://blog.youkuaiyun.com/yy17111342926/article/details/149346960?spm=1001.2014.3001.5502; if it infringes any rights, please contact us for removal.