blog/docs/tech/Commands-for-Server-Operation-and-Maintenance.md
Cat Tom e6dc91873a
edit some md
2026-03-11 10:31:46 +08:00

---
level: classified
---
# Common Commands for Server Operation and Maintenance
## Initialization
Maria:
```bash
git config --global credential.helper store && git clone https://github.com/cattomgithub/maria.git
cd maria/script && chmod +x *.sh && ./maria.sh
```
## Modify the SSH Configuration
First, enable and start the SSH service:
```bash
sudo systemctl enable ssh && sudo systemctl restart ssh && sudo systemctl status ssh
```
Next, generate and deploy an SSH key. Open a terminal on CatTomServer3-1 and run:
```bash
ssh-keygen -m PEM -t rsa -b 4096 -C "[username]@[server_ip]" -f ~/.ssh/[server_name]
ssh-copy-id -p 25800 -i /home/cattom/.ssh/[server_name].pub root@[server_ip]
```
Finally, edit `/etc/ssh/sshd_config`:
- Port 22 → **Port 25800**
- PermitRootLogin **prohibit-password** (uncomment this line)
- PasswordAuthentication yes → PasswordAuthentication **no**
- (optional) PubkeyAuthentication **yes**
Restart the SSH service to apply the configuration: `sudo systemctl restart ssh`
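The same edits as a script, added here as an example rather than the page's or the Maria project's own tooling: it rewrites the four settings listed above idempotently and validates the result with `sshd -t` before restarting. `harden_sshd_config`, `apply_and_restart` and the sample config fragment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: apply the four sshd_config
# changes listed above idempotently, then validate with `sshd -t` before
# restarting so a typo cannot lock you out of the server.
# Caveat: sshd uses the first value it reads for a keyword, and stock Debian/
# Ubuntu configs start with `Include /etc/ssh/sshd_config.d/*.conf`, so a
# drop-in there (for example cloud-init's) can override the main file.
set -eu

# set_sshd_option FILE KEY VALUE: rewrite an existing (even commented-out)
# "KEY ..." line to "KEY VALUE", or append it if the key is absent.
set_sshd_option() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd_config FILE: the settings from the list above
harden_sshd_config() {
  set_sshd_option "$1" Port 25800
  set_sshd_option "$1" PermitRootLogin prohibit-password
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# get_sshd_option FILE KEY: print the first effective (uncommented) value
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Constructed fragment of a stock sshd_config, used as sample input
SAMPLE_SSHD_CONFIG='#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding no'

# On the real server (run as root): edit, test the full config, and only
# then restart. Keep the current session open until a login on 25800 works.
apply_and_restart() {
  harden_sshd_config /etc/ssh/sshd_config
  sudo sshd -t -f /etc/ssh/sshd_config && sudo systemctl restart ssh
}
```

To try it on the constructed sample, write `$SAMPLE_SSHD_CONFIG` to a temporary file and pass that path to `harden_sshd_config`, then inspect it with `get_sshd_option`.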
## Restore Backup Files/Directories (optional)
```bash
cd /root || exit
wget -c https://cattom.oss-cn-shenzhen.aliyuncs.com/[server_name]/backup/[file_name].tar.gz
tar -zxvf [file_name].tar.gz
sudo rm [file_name].tar.gz
```
## Install Service Programs (install as needed)
**First, install the required service tools through the Maria management tool: `maria` - ++2++**
### Traefik
Check the latest version at [Releases - traefik/traefik](https://github.com/traefik/traefik/releases/latest).
```bash
mkdir /root/traefik
cd /root/traefik || exit
touch acme.json && chmod 600 acme.json
wget -c [link]
tar -zxvf [file_name] && rm [file_name] LICENSE.md CHANGELOG.md && mv traefik /usr/local/bin/traefik
ln -s /root/maria/config/traefik/static.yaml /root/traefik/static.yaml
ln -s /root/maria/config/${SERVER}/traefik.yaml /root/traefik/dynamic.yaml
ln -s /root/maria/config/systemd/traefik.service /etc/systemd/system/traefik.service && sudo systemctl daemon-reload
sudo systemctl enable traefik.service && sudo systemctl restart traefik.service
```
### Alibaba Cloud CLI
**Note: generate an AccessKey in [RAM Access Control](https://ram.console.aliyun.com/) scoped to what the service actually needs.**
```bash
cd /root || exit
/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"
aliyun configure set --profile profile1 --mode AK --access-key-id [AccessKeyID] --access-key-secret [AccessKeySecret] --region "cn-shenzhen"
```
The Alibaba Cloud CLI now has ossutil built in. Examples:
```bash
# Example 1
aliyun ossutil sync /root/backup/ oss://cattom/${SERVER}/backup/ --force --update --delete -e oss-cn-shenzhen.aliyuncs.com
# Example 2
aliyun ossutil sync /root/blog/site oss://cattom-blog --force --update --delete --region cn-hongkong
```
### Flexget
Install Flexget:
```bash
cd /root || exit
sudo apt -y install python3 python3-full python3-pip python3.12-venv
python3 -m venv /root/flexget/
/root/flexget/bin/pip install --upgrade pip setuptools
/root/flexget/bin/pip install flexget
```
Test the configuration and start the daemon:
```bash
sudo ln -s /root/maria/config/flexget/config.yml /root/flexget/config.yml
/root/flexget/bin/flexget -c /root/flexget/config.yml --test execute
/root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config
```
Set it to start at boot:
```bash
(
crontab -u $(whoami) -l
echo "@reboot /root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config"
) | crontab -u $(whoami) -
```
Configure an alias:
```bash
echo 'alias flexget="/root/flexget/bin/flexget -c /root/flexget/config.yml"' >> /root/.bashrc
```
## Configure the Firewall
!!! warning "Note"
    Connections that arrive via Tailscale do not need to be allowed in UFW.
    Ports for which the Docker Compose file defines no specific listen address do not need to be allowed in UFW.
Maria non-standard open port table:

| Server | Port | Source IP/range | Destination IP/range | Protocol | Notes |
| :----: | :---: | :---------: | :---------: | :---: | :-----------: |
| 2 | 7100 | / | / | / | Frps listen port |
| 2 | 18080 | 127.0.0.1 | / | / | Bitwarden |
| 2 | 5230 | 127.0.0.1 | / | / | Memos |
| 2 | 3002 | 127.0.0.1 | / | / | Homepage |
| 2 | 3100 | 127.0.0.1 | / | / | Gitea |
| 2 | 25801 | 127.0.0.1 | / | / | Gitea SSH |

| Server | Port | Source IP/range | Destination IP/range | Protocol | Notes |
| :----: | :---: | :-----------: | :---------: | :---: | :---------------: |
| 3 | 6800 | 127.0.0.1 | / | / | Aria2 RPC |
| 3 | 6888 | / | / | / | Aria2 BT |
| 3 | 6888 | / | / | UDP | Aria2 BT |
| 3 | 9100 | 100.64.0.0/10 | / | / | Node Exporter [^1] |

[^1]: On server 3, Prometheus runs inside a container while Node Exporter runs on the host; this rule must be kept so the two can reach each other.
```bash
# Reset the firewall
sudo ufw reset
# Set the default policies
sudo ufw default allow outgoing # allow all outbound traffic by default
sudo ufw default deny incoming # deny all inbound traffic by default
```
```bash
# SSH
sudo ufw allow 25800
# Web
sudo ufw allow 80 && sudo ufw allow 443
# Example 1
sudo ufw allow 7100
# Example 2
sudo ufw allow from 127.0.0.1 to any port 18080
# Example 3
sudo ufw allow 6888/udp
```
```bash
# Enable logging
sudo ufw logging medium
# List the open ports
sudo ufw status numbered
# Enable the firewall
sudo ufw enable
```
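As an added example (not part of the page or the Maria scripts), the following script turns the port table above into `ufw allow` commands, so the table stays the single source of truth for non-standard ports. `PORT_TABLE` is a constructed copy of the rows and the function names are this example's own; the base rules (SSH 25800, 80, 443) are applied separately, as in the block above.

```shell
#!/bin/sh
# Added example, not part of the original page: generate the `ufw allow`
# commands from the port table, so rules and table cannot drift apart.
set -eu

# Constructed copy of the table rows: server|port|source|protocol|note
# ("/" means unrestricted, as in the table; the destination column is always "/").
PORT_TABLE='2|7100|/|/|Frps listen port
2|18080|127.0.0.1|/|Bitwarden
2|5230|127.0.0.1|/|Memos
2|3002|127.0.0.1|/|Homepage
2|3100|127.0.0.1|/|Gitea
2|25801|127.0.0.1|/|Gitea SSH
3|6800|127.0.0.1|/|Aria2 RPC
3|6888|/|/|Aria2 BT
3|6888|/|UDP|Aria2 BT
3|9100|100.64.0.0/10|/|Node Exporter'

# ufw_rule PORT SOURCE PROTO: print one command; it only prints, never runs it
ufw_rule() {
  local port src proto
  port="$1"; src="$2"; proto="$(printf '%s' "$3" | tr 'A-Z' 'a-z')"
  if [ "$src" = "/" ]; then
    if [ "$proto" = "/" ]; then printf 'sudo ufw allow %s\n' "$port"
    else printf 'sudo ufw allow %s/%s\n' "$port" "$proto"; fi
  else
    # restrict to the listed source; "to any" because the destination column is "/"
    if [ "$proto" = "/" ]; then printf 'sudo ufw allow from %s to any port %s\n' "$src" "$port"
    else printf 'sudo ufw allow from %s to any port %s proto %s\n' "$src" "$port" "$proto"; fi
  fi
}

# rules_for_server N: commands for every table row belonging to server N
rules_for_server() {
  printf '%s\n' "$PORT_TABLE" | while IFS='|' read -r server port src proto note; do
    [ "$server" = "$1" ] || continue
    ufw_rule "$port" "$src" "$proto"
  done
}

# Dry run first (e.g. `rules_for_server 3`); pipe the output to `sh` once reviewed.
```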
## Load the Docker Containers
```bash
sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml pull
sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml up -d --remove-orphans
sudo docker system prune -f
# Optional
sudo systemctl restart traefik
```
## Configure Automatic Backups (optional)
```bash
(
crontab -u $(whoami) -l
echo "0 6 * * * /root/maria/script/backup.sh"
) | crontab -u $(whoami) -
```
## Linux Kernel Network Stack Tuning (optional)
Edit `/etc/sysctl.conf` and append the following at the end:
```
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_rmem = 16384 262144 8388608
net.ipv4.tcp_wmem = 32768 524288 16777216
net.core.somaxconn = 8192
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.wmem_default = 2097152
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_max_syn_backlog = 10240
net.core.netdev_max_backlog = 10240
net.netfilter.nf_conntrack_max = 1000000
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
net.core.default_qdisc = fq_codel
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_slow_start_after_idle = 0
```
Apply the configuration:
```bash
sysctl -p
```
Verify that BBR is enabled:
```bash
lsmod | grep bbr
```
If the output contains `tcp_bbr`, BBR is enabled.
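An added verification step, not part of the original page: after `sysctl -p`, compare every key in `/etc/sysctl.conf` with the live kernel value rather than checking only `lsmod`. `check_sysctl_applied` and the fake reader are this example's own names, and the sample config is a constructed subset of the values above.

```shell
#!/bin/sh
# Added example, not part of the original page: after `sysctl -p`, confirm
# the kernel really holds every value in /etc/sysctl.conf. Keys such as
# net.netfilter.* only exist once the nf_conntrack module is loaded, and
# `sysctl -p` prints an error for them while still applying the rest.
set -eu

# collapse tabs/multiple spaces so "16384<TAB>262144" equals "16384 262144"
squash_ws() {
  printf '%s' "$1" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s/[[:space:]]+/ /g'
}

# check_sysctl_applied CONF [READER]
# READER prints a key's live value (default: sysctl -n). One line is printed
# per key whose live value differs or is missing; returns 1 on any drift.
check_sysctl_applied() {
  conf="$1"; reader="${2:-sysctl -n}"; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in *=*) ;; *) continue ;; esac
    key="$(squash_ws "${line%%=*}")"
    expected="$(squash_ws "${line#*=}")"
    actual="$($reader "$key" 2>/dev/null || true)"
    actual="$(squash_ws "$actual")"
    [ -n "$actual" ] || actual='<missing>'
    if [ "$actual" != "$expected" ]; then
      printf '%s expected=[%s] actual=[%s]\n' "$key" "$expected" "$actual"
      rc=1
    fi
  done < "$conf"
  return "$rc"
}

# Constructed sample using the page's values; fake_sysctl stands in for a
# kernel where BBR is not active and nf_conntrack is not loaded.
SAMPLE_SYSCTL_CONF='net.ipv4.tcp_rmem = 16384 262144 8388608
net.core.somaxconn = 8192
net.ipv4.tcp_congestion_control = bbr
net.netfilter.nf_conntrack_max = 1000000'
fake_sysctl() {
  case "$1" in
    net.ipv4.tcp_rmem) printf '16384\t262144\t8388608\n' ;;
    net.core.somaxconn) echo 8192 ;;
    net.ipv4.tcp_congestion_control) echo cubic ;;
    *) return 1 ;;
  esac
}

# Real use: check_sysctl_applied /etc/sysctl.conf   (reader defaults to sysctl -n)
```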
## Configure SSH Action
### GitHub Actions
[cattomgithub/maria - Settings - Secrets - Actions](https://github.com/cattomgithub/maria/settings/secrets/actions)
- SSH_HOSTS: foo,bar
The servers need the GitHub Actions key installed. Open a terminal on CatTomServer3-1 and run:
```bash
ssh-copy-id -f -p 25800 -i /home/cattom/.ssh/maria-github-actions-key.pub [server_id]
```
[Ref: SSH for GitHub Actions](https://github.com/appleboy/ssh-action/blob/master/README.zh-cn.md)
## NFS Configuration
```bash
# Install
sudo apt -y update && sudo apt -y install nfs-kernel-server nfs-common
# Modify firewall on host
sudo ufw allow from [client_ip] to any port nfs
# Create mount point on client
sudo mkdir -p [/path/on/client]
# Mount directories on client
sudo mount [host_ip]:[/path/on/host] [/path/on/client]
# Check stats on client
sudo df -h
# Mount the directories at boot
# (sudo must apply to the write itself: `sudo echo ... >>` redirects as the unprivileged user)
echo "[host_ip]:[/path/on/host] [/path/on/client] nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0" | sudo tee -a /etc/fstab
# Unmount NFS
sudo umount [/path/on/client]
```
## Enter a Docker Container's Shell
```bash
sudo docker exec -it [container_name] /bin/bash
# Or
sudo docker exec -it [container_name] /bin/sh
```