パーティション作成

【MariaDB パーティション作成】

ALTER TABLE sales.sst004 PARTITION BY RANGE COLUMNS( createdatetime ) ( 

  PARTITION p202301 VALUES LESS THAN ('20230201000000000'),

  PARTITION p202302 VALUES LESS THAN ('20230301000000000'),

  PARTITION p202303 VALUES LESS THAN ('20230401000000000'),

  PARTITION p202304 VALUES LESS THAN ('20230501000000000'),

  PARTITION p202305 VALUES LESS THAN ('20230601000000000'),

  PARTITION p202306 VALUES LESS THAN ('20230701000000000'),

  PARTITION p202307 VALUES LESS THAN ('20230801000000000'),

  PARTITION p202308 VALUES LESS THAN ('20230901000000000'),

  PARTITION p202309 VALUES LESS THAN ('20231001000000000'),

  PARTITION p202310 VALUES LESS THAN ('20231101000000000'),

  PARTITION p202311 VALUES LESS THAN ('20231201000000000'),

  PARTITION p202312 VALUES LESS THAN ('20240101000000000'),

  PARTITION p999999 VALUES LESS THAN MAXVALUE

);

追加

ALTER TABLE sales.sst004 REORGANIZE PARTITION p999999 INTO (

  PARTITION p202402 VALUES LESS THAN ('20240301000000000'),

  PARTITION p999999 VALUES LESS THAN MAXVALUE

);

データ削除

ALTER TABLE sales.sst004 TRUNCATE PARTITION p202301;

削除＆データ削除

ALTER TABLE sales.sst004 DROP PARTITION p20240101;

解放

ALTER TABLE sales.sst004 REMOVE PARTITIONING;

ALTER TABLE sales.sst004 PARTITION BY RANGE COLUMNS( createdatetime )

  SUBPARTITION BY HASH(GCODE,CCODE,SODE)

  SUBPARTITIONS 8 (

  PARTITION p202301 VALUES LESS THAN ('20230201000000000'),

  PARTITION p202302 VALUES LESS THAN ('20230301000000000'),

  PARTITION p202303 VALUES LESS THAN ('20230401000000000'),

  PARTITION p202304 VALUES LESS THAN ('20230501000000000'),

  PARTITION p202305 VALUES LESS THAN ('20230601000000000'),

  PARTITION p202306 VALUES LESS THAN ('20230701000000000'),

  PARTITION p202307 VALUES LESS THAN ('20230801000000000'),

  PARTITION p202308 VALUES LESS THAN ('20230901000000000'),

  PARTITION p202309 VALUES LESS THAN ('20231001000000000'),

  PARTITION p202310 VALUES LESS THAN ('20231101000000000'),

  PARTITION p202311 VALUES LESS THAN ('20231201000000000'),

  PARTITION p202312 VALUES LESS THAN ('20240101000000000'),

  PARTITION p999999 VALUES LESS THAN MAXVALUE

);

ALTER TABLE sales.sst004 SUBPARTITION BY HASH COLUMNS( gcode,ccode,scode ) (

 SUBPARTITIONS 8 )

 

 

 

 create table  sales.sst0041  (

   remarks1        varchar(256),

   remarks2        varchar(256),

   remarks3        varchar(256),

   remarks4        varchar(256),

   remarks5        varchar(256),

  primary key ( gcode ,ccode ,scode, createdatetime  )

) engine=innodb default charset=utf8mb4 comment='会計伝票'

 PARTITION BY RANGE  COLUMNS( createdatetime )

SUBPARTITION BY HASH(GCODE,CCODE,SODE)             → MariaDB ではエラー

SUBPARTITIONS 8

(PARTITION `p202301` VALUES LESS THAN ('20230201000000000') ,

 PARTITION `p202302` VALUES LESS THAN ('20230301000000000') ,

 PARTITION `p202303` VALUES LESS THAN ('20230401000000000') ,

 PARTITION `p202304` VALUES LESS THAN ('20230501000000000') ,

 PARTITION `p202305` VALUES LESS THAN ('20230601000000000') ,

 PARTITION `p202306` VALUES LESS THAN ('20230701000000000') ,

 PARTITION `p202307` VALUES LESS THAN ('20230801000000000') ,

 PARTITION `p202308` VALUES LESS THAN ('20230901000000000') ,

 PARTITION `p202309` VALUES LESS THAN ('20231001000000000') ,

 PARTITION `p202310` VALUES LESS THAN ('20231101000000000') ,

 PARTITION `p202311` VALUES LESS THAN ('20231201000000000') ,

 PARTITION `p202312` VALUES LESS THAN ('20240101000000000') ,

 PARTITION `p999999` VALUES LESS THAN (MAXVALUE));

【ORACLE パーティション作成】

CREATE TABLE ARCSDBCB.CCP020 (

CDATE VARCHAR2 (8) NOT NULL,
GCODE VARCHAR2 (3) NOT NULL,
CCODE VARCHAR2 (4) NOT NULL,
SCODE VARCHAR2 (4) NOT NULL,
RCODE VARCHAR2 (13) NOT NULL,
SALESDATE VARCHAR2 (8) NOT NULL,
SALESTIME VARCHAR2 (6) NOT NULL,
RCOUNTER VARCHAR2 (12) NOT NULL,
CANCELNO VARCHAR2 (12) ,
CARDTYPE VARCHAR2 (1) NOT NULL,
SALESTYPE VARCHAR2 (1) NOT NULL,
CREDITCCODE VARCHAR2 (5) NOT NULL,
CREDITBTYPE VARCHAR2 (1) NOT NULL,
CREDITKEYSID VARCHAR2 (15) NOT NULL,
CREDITSID VARCHAR2 (15) ,
AMOUNT NUMBER (10) NOT NULL,
CARDMETHOD VARCHAR2 (2) NOT NULL,
COMPANYFEE NUMBER (6,2) ,
COMPANYAMOUNT NUMBER (10) ,
MEMBERFEE NUMBER (6,2) ,
MEMBERAMOUNT NUMBER (10) ,
PAIDPLANDATE VARCHAR2 (8) DEFAULT '00000000',
APPROVALNO VARCHAR2 (10) ,
CAFISDATE VARCHAR2 (8) ,
PGCODE VARCHAR2 (3) NOT NULL,
PCCODE VARCHAR2 (4) NOT NULL,
PSCODE VARCHAR2 (4) NOT NULL,
UDATE VARCHAR2 (14) NOT NULL,
CTYPE VARCHAR2 (1) DEFAULT '0'
)
PCTFREE 10
STORAGE(INITIAL 64K)
PARTITION BY RANGE ( PAIDPLANDATE )
SUBPARTITION BY HASH ( GCODE, CCODE, PSCODE )
SUBPARTITIONS 2
(
PARTITION p202212 VALUES LESS THAN ('20230101'),
PARTITION p202301 VALUES LESS THAN ('20230201'),
PARTITION p202302 VALUES LESS THAN ('20230301'),
PARTITION p202303 VALUES LESS THAN ('20230401'),
PARTITION p202304 VALUES LESS THAN ('20230501'),
PARTITION p202305 VALUES LESS THAN ('20230601'),
PARTITION p202306 VALUES LESS THAN ('20230701'),
PARTITION p202307 VALUES LESS THAN ('20230801'),
PARTITION p202308 VALUES LESS THAN ('20230901'),
PARTITION p202309 VALUES LESS THAN ('20231001'),
PARTITION p202310 VALUES LESS THAN ('20231101'),
PARTITION p202311 VALUES LESS THAN ('20231201'),
PARTITION p202312 VALUES LESS THAN ('20240101'),
PARTITION p202401 VALUES LESS THAN ('20240201'),
PARTITION p202402 VALUES LESS THAN ('20240301'),
PARTITION p202403 VALUES LESS THAN ('20240401'),
PARTITION p202404 VALUES LESS THAN ('20240501'),
PARTITION p202405 VALUES LESS THAN ('20240601'),
PARTITION p202406 VALUES LESS THAN ('20240701'),
PARTITION p202407 VALUES LESS THAN ('20240801'),
PARTITION p202408 VALUES LESS THAN ('20240901'),
PARTITION p202409 VALUES LESS THAN ('20241001'),
PARTITION p202410 VALUES LESS THAN ('20241101'),
PARTITION p202411 VALUES LESS THAN ('20241201'),
PARTITION p202412 VALUES LESS THAN ('20250101'),
PARTITION p202501 VALUES LESS THAN ('20250201'),
PARTITION p202502 VALUES LESS THAN ('20250301'),
PARTITION p202503 VALUES LESS THAN ('20250401'),
PARTITION p202504 VALUES LESS THAN ('20250501'),
PARTITION p202505 VALUES LESS THAN ('20250601'),
PARTITION p202506 VALUES LESS THAN ('20250701'),
PARTITION p202507 VALUES LESS THAN ('20250801'),
PARTITION p202508 VALUES LESS THAN ('20250901'),
PARTITION p202509 VALUES LESS THAN ('20251001'),
PARTITION p202510 VALUES LESS THAN ('20251101'),
PARTITION p202511 VALUES LESS THAN ('20251201'),
PARTITION p202512 VALUES LESS THAN ('20260101'),
PARTITION p202601 VALUES LESS THAN ('20260201'),
PARTITION p202602 VALUES LESS THAN ('20260301'),
PARTITION p202603 VALUES LESS THAN ('20260401'),
PARTITION p202604 VALUES LESS THAN ('20260501'),
PARTITION p202605 VALUES LESS THAN ('20260601'),
PARTITION p202606 VALUES LESS THAN ('20260701'),
PARTITION p202607 VALUES LESS THAN ('20260801'),
PARTITION p202608 VALUES LESS THAN ('20260901'),
PARTITION p202609 VALUES LESS THAN ('20261001'),
PARTITION p202610 VALUES LESS THAN ('20261101'),
PARTITION p202611 VALUES LESS THAN ('20261201'),
PARTITION p202612 VALUES LESS THAN ('20270101'),
PARTITION p202701 VALUES LESS THAN ('20270201'),
PARTITION p202702 VALUES LESS THAN ('20270301'),
PARTITION p202703 VALUES LESS THAN ('20270401'),
PARTITION p202704 VALUES LESS THAN ('20270501'),
PARTITION p202705 VALUES LESS THAN ('20270601'),
PARTITION p202706 VALUES LESS THAN ('20270701'),
PARTITION p202707 VALUES LESS THAN ('20270801'),
PARTITION p202708 VALUES LESS THAN ('20270901'),
PARTITION p202709 VALUES LESS THAN ('20271001'),
PARTITION p202710 VALUES LESS THAN ('20271101'),
PARTITION p202711 VALUES LESS THAN ('20271201'),
PARTITION p202712 VALUES LESS THAN ('20280101')
)
tablespace user_data;

ALTER TABLE ARCSDBCB.CCP020 DROP CONSTRAINT CCP020_PRIMARY CASCADE DROP INDEX;

ALTER TABLE ARCSDBCB.CCP020 DROP PRIMARY KEY;
ALTER TABLE ARCSDBCB.CCP020 ADD CONSTRAINT CCP020_PRIMARY PRIMARY KEY (
CDATE,
GCODE,
CCODE,
SCODE,
RCODE,
RCOUNTER,
SALESDATE,
SALESTIME,
CARDTYPE
)
USING INDEX;


DROP INDEX arcsdbcb.ccp020_INDEX01;
DROP INDEX arcsdbcb.ccp020_index02;

CREATE INDEX ARCSDBCB.CCP020_INDEX01 ON ARCSDBCB.CCP020 (
CDATE
);

CREATE INDEX ARCSDBCB.CCP020_INDEX02 ON ARCSDBCB.CCP020 (
PAIDPLANDATE
);

【デフォルトユーザ領域変更】

SQL> CREATE TABLESPACE 表領域名

 DATAFILE 'データファイル名（フルパス指定可）.dbf' SIZE 100M

 AUTOEXTEND ON NEXT 500K MAXSIZE 1024M;

SQL> alter session set container=arcsdbms;

SQL> create tablespace user_data datafile '/u01/app/oracle/oradata/ORCL/datafile/user_data.dbf' size 1M autoextend on next 512k maxsize  1G;

SQL> SELECT USERNAME, DEFAULT_TABLESPACE FROM dba_users where username = 'ARCSDBCB';

SQL> ALTER USER ARCSDBCB DEFAULT TABLESPACE USER_DATA;

ORA-00959: 表領域'USER_DATA'は存在しません。 

→コンテナを指定していなかった為。

【統計情報更新】

$ sqlp / as sysdba

SQL>show con_name

SQL> show pdbs

SQL> alter session set container=arcsdbms;

SQL> analyze table テーブル名 compute statistics;

SQL> analyze table テーブル名 estimate statistics sample 10 percent;

SQL> analyze table テーブル名 delete statistics;

SQL> analyze index arcsdbcb.ccp020_index01 validate structure;

又は、

SQL> execute dbms_stats.gather_database_stats_job_proc();

 

BIG-IP

 https://www.infraeye.com/study/studyz6.html

https://www.youtube.com/watch?v=SXFeZxEpqqA

CISCO stack 再起動

$ssh col301
COL301> enable
COL301# show switch

Switch# Role Mac Address Priority Version State
------------------------------------------------------------

*1 Active 0042.5a70.3d00 15 V07 Ready

  2 Standby 0038.df83.d080 10 V07 Ready

Stanby機から再起動

COL301# reload slot 2
Proceed with reload?[confirm]

Switch#   Role    Mac Address     Priority Version  State 

------------------------------------------------------------

*1       Active   0042.5a7e.8880     15     V07     Ready               

 2       Standby  00a7.4280.a800     10     V07     Sync not started    

COL301# show switch
Switch# Role Mac Address Priority Version State

------------------------------------------------------------ 

*1 Active 0042.5a70.3d00 15 V07 Ready

 2 Standby 0038.df83.d080 10 V07 Removed


Switch# Role Mac Address Priority Version State

------------------------------------------------------------ 

*1 Active 0042.5a70.3d00 15 V07 Ready

  2 Standby 0038.df83.d080 10 V07 Initializing


Switch# Role Mac Address Priority Version State

------------------------------------------------------------ 

*1 Active 0042.5a70.3d00 15 V07 Ready

  2 Standby 0038.df83.d080 10 V07 Syncing


Switch# Role Mac Address Priority Version State

------------------------------------------------------------ 

*1 Active 0042.5a70.3d00 15 V07 Ready

  2 Standby 0038.df83.d080 10 V07 Ready


Switch# Role Mac Address Priority Version State
------------------------------------------------------------

*1 Active 0042.5a70.3d00 15 V07 Ready

  2 Standby 0038.df83.d080 10 V07 HA sync in progress

Switch# Role Mac Address Priority Version State

------------------------------------------------------------ 

*1 Active 0042.5a70.3d00 15 V07 Ready

  2 Standby 0038.df83.d080 10 V07 Ready

COL301# show logging

Nov 25 22:02:00.258: %HA_CONFIG_SYNC-6-BULK_CFGSYNC_SUCCEED: Bulk Sync succeeded

Nov 25 22:01:59.517: %SPANTREE-6-PORTDEL_ALL_VLANS: GigabitEthernet1/0/23 deleted from all Vlans (COL301-2)

Nov 25 22:01:59.518: %SPANTREE-6-PORTDEL_ALL_VLANS: GigabitEthernet2/0/23 deleted from all Vlans (COL301-2) 

Nov 25 22:02:01.244: %RF-5-RF_TERMINAL_STATE: 1 ha_mgr: Terminal state reached for (SSO)


上記確認後にActive機再起動

COL301# reload slot 1                               # 1号機再起動

COL301# show switch

COL301# show processes cpu switch 1
Load for five secs: 0%/100%; one minute: 3%; five minutes: 2% Time source is NTP, 16:02:58.456 JST Tue Dec 6 2022 

Core 0: CPU utilization for five seconds: 7%; one minute: 8%; five minutes: 8% 

Core 1: CPU utilization for five seconds: 0%; one minute: 0%; five minutes: 0% 

Core 2: CPU utilization for five seconds: 2%; one minute: 1%; five minutes: 1% 

Core 3: CPU utilization for five seconds: 0%; one minute: 1%; five minutes: 1%

COL301# show processes cpu switch 2
Load for five secs: 3%/0%; one minute: 3%; five minutes: 2% Time source is NTP, 16:03:16.293 JST Tue Dec 6 2022

Core 0: CPU utilization for five seconds: 9%; one minute: 6%; five minutes: 7% 

Core 1: CPU utilization for five seconds: 0%; one minute: 0%; five minutes: 0% 

Core 2: CPU utilization for five seconds: 1%; one minute: 1%; five minutes: 1% 

Core 3: CPU utilization for five seconds: 0%; one minute: 2%; five minutes: 1%


90％を超えるCPUがない事。
COL301# show processes cpu detailed process fed sort | ex 0.0
Core 0: CPU utilization for five seconds: 20%; one minute: 25%; five minutes: 26%

Core 1: CPU utilization for five seconds: 9%; one minute: 19%; five minutes: 35% 

Core 2: CPU utilization for five seconds: 98%; one minute: 83%; five minutes: 43% 

Core 3: CPU utilization for five seconds: 8%; one minute: 24%; five minutes: 47%

PID T C TID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process (%) (%) (%)

5715 L 854223 1999768 345 27.96 27.48 27.54 0 fed <<<< 

5715 L 2 17632 1034530 1534348 0 24.53 24.15 24.10 0 PunjectRx <<<<


# show ip interface brief
# show ru
# copy running-config startup-config

# CRL301を再起動した時のログ

CRL301#show switch

Load for five secs: 3%/0%; one minute: 3%; five minutes: 3%

Time source is NTP, 14:56:47.679 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State

------------------------------------------------------------

*1       Active   0042.5a7e.8880     15     V07     Ready

 2       Standby  00a7.4280.a800     10     V07     Ready

CRL301# reload slot 2

Proceed with reload? [confirm]

CRL301#show switch

Load for five secs: 2%/0%; one minute: 3%; five minutes: 3%

Time source is NTP, 14:57:38.739 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State

------------------------------------------------------------

*1       Active   0042.5a7e.8880     15     V07     Ready

 2       Standby  00a7.4280.a800     10     V07     Ready

CRL301#show switch

Load for five secs: 2%/0%; one minute: 3%; five minutes: 3%

Time source is NTP, 14:57:40.783 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State

------------------------------------------------------------

*1       Active   0042.5a7e.8880     15     V07     Ready

 2       Standby  00a7.4280.a800     10     V07     Sync not started

CRL301#show switch

Load for five secs: 7%/0%; one minute: 4%; five minutes: 3%

Time source is NTP, 14:57:46.154 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State

------------------------------------------------------------

*1       Active   0042.5a7e.8880     15     V07     Ready

 2       Member   0000.0000.0000     0      0       Removed

CRL301#show switch

Load for five secs: 5%/1%; one minute: 3%; five minutes: 3%

Time source is NTP, 15:01:55.270 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State

------------------------------------------------------------

*1       Active   0042.5a7e.8880     15     V07     Ready

 2       Member   00a7.4280.a800     10     V07     Syncing

CRL301#show switch

Load for five secs: 1%/0%; one minute: 3%; five minutes: 3%

Time source is NTP, 15:02:35.511 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State

------------------------------------------------------------

*1       Active   0042.5a7e.8880     15     V07     Ready

 2       Member   00a7.4280.a800     10     V07     Ready

CRL301#show switch

Load for five secs: 5%/0%; one minute: 3%; five minutes: 3%

Time source is NTP, 15:04:11.033 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State

------------------------------------------------------------

*1       Active   0042.5a7e.8880     15     V07     Ready

 2       Standby  00a7.4280.a800     10     V07     HA sync in progress

CRL301#show switch

Load for five secs: 3%/0%; one minute: 6%; five minutes: 4%

Time source is NTP, 15:05:42.707 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State

------------------------------------------------------------

*1       Active   0042.5a7e.8880     15     V07     Ready

 2       Standby  00a7.4280.a800     10     V07     Ready

CRL301#show logging

Load for five secs: 6%/0%; one minute: 5%; five minutes: 4%

Time source is NTP, 15:06:17.472 JST Wed Dec 7 2022

Syslog logging: enabled (0 messages dropped, 12 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

.

.

.

System has been configured (CRL301-2)

Dec  7 15:05:31.330: %SYS-5-RESTART: System restarted -- (CRL301-2)

Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.07.04E RELEASE SOFTWARE (fc1) (CRL301-2)

Technical Support: http://www.cisco.com/techsupport (CRL301-2)

Copyright (c) 1986-2016 by Cisco Systems, Inc. (CRL301-2)

Compiled Thu 19-May-16 11:48 by prod_rel_team (CRL301-2)

Dec  7 15:05:31.338: %AUTHMGR_SPI-6-START: Auth Manager SPI server started (CRL301-2)

Dec  7 15:05:31.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down (CRL301-2)

Dec  7 15:05:31.456: %SSH-5-ENABLED: SSH 2.0 has been enabled (CRL301-2)

Dec  7 15:05:37.410: %HA_CONFIG_SYNC-6-BULK_CFGSYNC_SUCCEED: Bulk Sync succeeded

Dec  7 15:05:36.635: %SPANTREE-6-PORTDEL_ALL_VLANS: GigabitEthernet1/0/23 deleted from all Vlans  (CRL301-2)

Dec  7 15:05:36.640: %SPANTREE-6-PORTDEL_ALL_VLANS: GigabitEthernet2/0/23 deleted from all Vlans  (CRL301-2)

Dec  7 15:05:38.396: %RF-5-RF_TERMINAL_STATE: 1 ha_mgr:  Terminal state reached for (SSO)

CRL301#reload slot 1

System configuration has been modified. Save? [yes/no]: yes

Building configuration...

Compressed configuration from 6940 bytes to 3197 bytes[OK]

Proceed with reload? [confirm]

CRL301#Write failed: Broken pipe

# ssh -l nwadmin 192.168.25.21

Password:

CRL301>enable

Password:

CRL301#show switch

Load for five secs: 4%/0%; one minute: 5%; five minutes: 3%

Time source is NTP, 15:15:49.507 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Foreign Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State 

------------------------------------------------------------

 1       Member   0000.0000.0000     0      0       Removed             

*2       Active   00a7.4280.a800     10     V07     Ready               

CRL301#show switch

Load for five secs: 4%/0%; one minute: 6%; five minutes: 4%

Time source is NTP, 15:19:01.750 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State 

------------------------------------------------------------

 1       Member   0042.5a7e.8880     15     V07     Syncing             

*2       Active   00a7.4280.a800     10     V07     Ready               

CRL301#show switch

Load for five secs: 26%/22%; one minute: 8%; five minutes: 5%

Time source is NTP, 15:20:10.911 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State 

------------------------------------------------------------

 1       Member   0042.5a7e.8880     15     V07     Ready               

*2       Active   00a7.4280.a800     10     V07     Ready               

CRL301#show switch

Load for five secs: 3%/0%; one minute: 5%; five minutes: 5%

Time source is NTP, 15:20:58.372 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State 

------------------------------------------------------------

 1       Standby  0042.5a7e.8880     15     V07     HA sync in progress 

*2       Active   00a7.4280.a800     10     V07     Ready               

CRL301#show switch

Load for five secs: 7%/0%; one minute: 8%; five minutes: 6%

Time source is NTP, 15:22:38.445 JST Wed Dec 7 2022

Switch/Stack Mac Address : 0042.5a7e.8880 - Local Mac Address

Mac persistency wait time: Indefinite

                                             H/W   Current

Switch#   Role    Mac Address     Priority Version  State 

------------------------------------------------------------

 1       Standby  0042.5a7e.8880     15     V07     Ready               

*2       Active   00a7.4280.a800     10     V07     Ready               

CRL301#show logging

Load for five secs: 3%/0%; one minute: 8%; five minutes: 6%

Time source is NTP, 15:22:46.589 JST Wed Dec 7 2022

Syslog logging: enabled (0 messages dropped, 5 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

.

.

.

.

System has been configured (CRL301-1)

Dec  7 15:22:23.059: %SYS-5-RESTART: System restarted -- (CRL301-1)

Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.07.04E RELEASE SOFTWARE (fc1) (CRL301-1)

Technical Support: http://www.cisco.com/techsupport (CRL301-1)

Copyright (c) 1986-2016 by Cisco Systems, Inc. (CRL301-1)

Compiled Thu 19-May-16 11:48 by prod_rel_team (CRL301-1)

Dec  7 15:22:23.067: %AUTHMGR_SPI-6-START: Auth Manager SPI server started (CRL301-1)

Dec  7 15:22:23.072: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down (CRL301-1)

Dec  7 15:22:23.187: %SSH-5-ENABLED: SSH 2.0 has been enabled (CRL301-1)

Dec  7 15:22:29.923: %HA_CONFIG_SYNC-6-BULK_CFGSYNC_SUCCEED: Bulk Sync succeeded

Dec  7 15:22:29.149: %SPANTREE-6-PORTDEL_ALL_VLANS: GigabitEthernet1/0/23 deleted from all Vlans  (CRL301-1)

Dec  7 15:22:29.150: %SPANTREE-6-PORTDEL_ALL_VLANS: GigabitEthernet2/0/23 deleted from all Vlans  (CRL301-1)

Dec  7 15:22:30.910: %RF-5-RF_TERMINAL_STATE: 2 ha_mgr:  Terminal state reached for (SSO)

RL301# show processes cpu switch 1 detailed process fed sort | ex 0.0

Load for five secs: 4%/1%; one minute: 12%; five minutes: 13%

Time source is NTP, 15:37:47.396 JST Wed Dec 7 2022

Core 0: CPU utilization for five seconds: 7%; one minute: 5%; five minutes: 8%

Core 1: CPU utilization for five seconds: 0%; one minute: 0%; five minutes: 3%

Core 2: CPU utilization for five seconds: 0%; one minute: 0%; five minutes: 3%

Core 3: CPU utilization for five seconds: 1%; one minute: 0%; five minutes: 3%

PID    T C  TID    Runtime(ms) Invoked uSecs  5Sec      1Min     5Min     TTY   Process

                                               (%)       (%)      (%)                  

6268   L           44670       304375  146    0.54      0.50    0.59    1088  fed                

6268   L 2  6716   1710        19019   0      0.25      0.20    0.19    0     fed-ots-main       

CRL301# show processes cpu switch 2 detailed process fed sort | ex 0.0

Load for five secs: 3%/0%; one minute: 11%; five minutes: 13%

Time source is NTP, 15:37:56.144 JST Wed Dec 7 2022

Core 0: CPU utilization for five seconds: 9%; one minute: 6%; five minutes: 6%

Core 1: CPU utilization for five seconds: 0%; one minute: 1%; five minutes: 1%

Core 2: CPU utilization for five seconds: 9%; one minute: 2%; five minutes: 1%

Core 3: CPU utilization for five seconds: 0%; one minute: 0%; five minutes: 1%

PID    T C  TID    Runtime(ms) Invoked uSecs  5Sec      1Min     5Min     TTY   Process

                                               (%)       (%)      (%)                  

6269   L           63600       484607  131    0.78      0.64    0.58    1088  fed                

6269   L 0  6720   17210       3515    0      0.24      0.24    0.24    0     fed-ots-nfl        

6269   L 3  6717   2140        31602   0      0.15      0.16    0.15    1088  fed-ots-main       

CRL301#

Rocky exfat

# dnf install rpmfusion-free-release.noarch
# dnf install fuse-exfat

oracle lock 解除

$ sqlp / as sysdba

 SQL> alter system kill session '1345,21001';

                                                                 'sid, serial#'

tnsnames.ora

C:\ > sqlplus [username]/[passowrd]@[IP Addr]:[Port Number]/[Service Name]

tnsnames.ora利用の場合

C:\ > sqlplus [username]/[passowrd]@[net_service_name]

C:\oracle\product\10.2.0\client_1\network\admin\tnsnames.ora
net_service_name = 

(DESCRIPTION =  

      (ADDRESS_LIST = 

        (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.xx.xxx )(PORT = 1521))

     ) 

  (CONNECT_DATA = (SERVICE_NAME = service_name.world ) )

 )

net_service_name =

(DESCRIPTION =
(ADDRESS_LIST =
(FAILOVER = ON
(ADDRESS = (PROTOCOL = TCP)(HOST = server1)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = server2)(PORT = 1521))
)
(CONNECT_DATA =
(SERVICE_NAME = sevice_name.world)
)
)

httpd security

 https://www.rem-system.com/apache-security01/

pip error

 DEPRECATION: The default format will switch to columns in the future. You can use --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under the [list] section) to disable this warning.

pip (9.0.3)

# vi ~/.config/pip/pip.conf

[list] 

format=columns

chrome secure shell 便利

URL   ssh + TAB 

TLS セキュリティポリシー

クオリス web チェック

https://www.ssllabs.com/ssltest/

$ aws elbv2 describe-ssl-policies  --names ELBSecurityPolicy-FS-2018-06  --output table

$ aws elbv2 describe-ssl-policies  --names ELBSecurityPolicy-TLS-1-2-Ext-2018-06 --output table

$ openssl ciphers -v 'HIGH:!ADH:!MD5;'
$ openssl ciphers -v 'ECDH+AESGCM !aNULL !eNULL !SSLv2 !SSLv3 !CBC'

$ openssl s_client -tls1_2 -connect portal.xxxxx.co.jp:443

https://qiita.com/kuni-nakaji/items/5118b23bf2ea44fed96e

sudo pip install --upgrade setuptools

sudo pip install --upgrade sslyze
python -m sslyze --regular www.yahoo.com:443
or sslyze --regular www.yahoo.com:443

【apache httpd セキュリティ設定】

※header内のversionを削除

# vi /etc/httpd/conf.d/security.conf

ServerTokens ProductOnly
ServerSignature Off

Header unset

$ curl -I -s localhost   [--verbose]    # 確認

※ Serverヘッダー削除   apache 2.4以降 完全に消す場合。

yum -y install mod_security mod_security_crs

ServerTokens Full

# vi /etc/httpd/conf.d/mod_security.conf

# SecRuleEngine On

SecServerSignature " "

# curl --head https://portal.cxdnext.co.jp/

curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

# update-crypto-policies --set LEGACY

※ iconsフォルダーの削除
# cd /etc/httpd/conf.d/

# mv autoindex.conf autoindex.conf.org

URL https://localhost/icons    #確認

※ wellcomメッセージの削除

# cd /etc/httpd/conf.d/

# mv welcome.conf welcome.conf.org

【apache 推奨】

ECDHE-RSA-AES128-GCM-SHA256:

ECDHE-ECDSA-AES128-GCM-SHA256:

ECDHE-RSA-AES256-GCM-SHA384:

ECDHE-ECDSA-AES256-GCM-SHA384:

DHE-RSA-AES128-GCM-SHA256 :

DHE-DSS-AES128-GCM-SHA256:

kEDH+AESGCM:

ECDHE-RSA-AES128-SHA256:

ECDHE-ECDSA-AES128-SHA256:

ECDHE-RSA-AES128-SHA:

ECDHE-ECDSA-AES128-SHA:

ECDHE-RSA -AES256-SHA384:

ECDHE-ECDSA-AES256-SHA384:

ECDHE-RSA-AES256-SHA:

ECDHE-ECDSA-AES256-SHA:

DHE-RSA-AES128-SHA256:

DHE-RSA-AES128-SHA:

DHE-DSS-AES128 -SHA256:

DHE-RSA-AES256-SHA256:

DHE-DSS-AES256-SHA:

DHE-RSA-AES256-SHA:

AES128-GCM-SHA256:

AES256-GCM-SHA384:

AES128-SHA256:

AES256-SHA256:

AES128-SHA :

AES256-SHA:

AES:

CAMELLIA:

DES-CBC3-SHA:

!aNULL:

!eNULL:

!EXPORT:

!DES:

!RC4:

!MD5:

!PSK:

!aECDH:

!EDH-DSS-DES-CBC3-SHA:

!EDH-RSA-DES-CBC3-SHA:

!KRB5-DES-CBC3-SHA

【ngnx 推奨】

ECDHE-RSA-AES128-GCM-SHA256:

ECDHE-ECDSA-AES128-GCM-SHA256:

ECDHE-RSA-AES256-GCM-SHA384:

ECDHE-ECDSA-AES256-GCM-SHA384:

DHE-RSA-AES128-GCM- SHA256:

DHE-DSS-AES128-GCM-SHA256:

kEDH+AESGCM:

ECDHE-RSA-AES128-SHA256:

ECDHE-ECDSA-AES128-SHA256:

ECDHE-RSA-AES128-SHA:

ECDHE-ECDSA-AES128-SHA:

ECDHE- RSA-AES256-SHA384:

ECDHE-ECDSA-AES256-SHA384:

ECDHE-RSA-AES256-SHA:

ECDHE-ECDSA-AES256-SHA:

DHE-RSA-AES128-SHA256:

DHE-RSA-AES128-SHA:

DHE-DSS- AES128-SHA256:

DHE-RSA-AES256-SHA256:

DHE-DSS-AES256-SHA:

DHE-RSA-AES256-SHA:

AES128-GCM-SHA256:

AES256-GCM-SHA384:

AES128-SHA256:

AES256-SHA256:

AES128- SHA:

AES256-SHA:

AES:

CAMELLIA:

DES-CBC3-SHA:

!aNULL:

!eNULL:

!EXPORT:

!DES:

!RC4:

!MD5:

!PSK:

!aECDH:

!EDH-DSS-DES-CBC3-SHA :

!EDH-RSA-DES-CBC3-SHA:

!KRB5-DES-CBC3-SHA;

【topcat 推奨】

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,

TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,

TLS_ECDHE_RSA_WITH_AES_128_SHA256,

TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,

TLS_ECDHE_RSA_WITH_AES_128_SHA,

TLS_ECDHE_ECDSA_WITH_AES_128_SHA,

TLS_ECDHE_RSA_WITH_AES_256_SHA384,

TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,

TLS_ECDHE_RSA_WITH_AES_256_SHA,

TLS_ECDHE_ECDSA_WITH_AES_256_SHA,

TLS_DHE_RSA_WITH_AES_128_SHA256,

TLS_DHE_RSA_WITH_AES_128_SHA,

TLS_DHE_DSS_WITH_AES_128_SHA256,

TLS_DHE_RSA_WITH_AES_256_SHA256,

TLS_DHE_DSS_WITH_AES_256_SHA,

TLS_DHE_RSA_WITH_AES_256_SHA"

【NG】

# TLS 1.2 (suites in server-preferred order)

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK 256

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK 128

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK 256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK 128

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK 112

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256

TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112

# TLS 1.1 (suites in server-preferred order)

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK 112

TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112

# TLS 1.0 (suites in server-preferred order)

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK 112

TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112

Django REST 認証 GUI ツール 非表示

if DEBUG is True:

REST_FRAMEWORK[ 'DEFAULT_RENDERER_CLASSES'] = ( 'rest_framework.renderers.JSONRenderer', 'rest_framework.renderers.BrowsableAPIRenderer',)

else:

REST_FRAMEWORK[ 'DEFAULT_RENDERER_CLASSES'] = ( 'rest_framework.renderers.JSONRenderer', )

CentOS7 に最新版のhttpd php を入れる。

【httpd】

CentOS7 標準 ： 2.4.6
↓
2.4.54 (最新）

yum install https://repo.ius.io/ius-release-el7.rpm
systemctl stop httpd
yum remove httpd httpd-tools mod_ssl

# vi /etc/yum.repos.d/ius.repo
[ius]
name=IUS Community Packages for Enterprise Linux 7 - $basearch
#baseurl=https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/$basearch
mirrorlist=https://mirrors.iuscommunity.org/mirrorlist?repo=ius-entos7&arch=$basearch&protocol=http

failovermethod=priority

enabled=0    1から0に変更する
 
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/IUS-COMMUN

yum -y install openldap-devel expat-devel libdb-devel mailcap system-logos
yum install --disablerepo=base --disablerepo=updates --enablerepo=ius httpd mod_ssl httpd-devel

【php】
CentOS7 標準：5.4.16
# rpm -qa | grep php
# yum remove php*
# yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm

# yum install -y yum-utils

# yum-config-manager --disable 'remi-php*'

# yum-config-manager --enable remi-php80

# yum repolist

# yum update 

# yum install -y php

AWS CLI ＆ CDK

https://docs.aws.amazon.com/cdk/api/v1/python/index.html

【タイムゾーンと日本語】
$ sudo timedatectl set-timezone Asia/Tokyo
$ sudo timedatectl
$ sudo localectl set-locale LANG=ja_JP.utf8
$ sudo localectl

【CDKインストール】

# dnf remove nodejs npm

# dnf install npm

$ npm install -g n

$ n stable

$ npm install -g aws-cdk

----------------------------------------------------------------------

※ amazon linux2 にnpmをインストールするには、

$ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh | bash

$ .   ~/.nvm/nvm.sh                          # .bash_profileに記述

$ nvm install --lts

$  node -v

v16.17.0

$ npm install -g n

$ n stable

$ npm install -g aws-cdk

--------------------------------------------------------------------------

$  cdk --version

2.40.0 (build 56ba2ab)

※ cdk version up

$ npm install -g aws-cdk

$ aws sts get-caller-identity

$ cdk bootstrap aws://99999999999/ap-northeast-1 

    ※ aws://<アカウントID>/<リージョン名>  [ --profile  default ]

$ mkdir cdk-demo

$ cd cdk-demo

$ cdk init  app  --language python     # app template 名

# Useful commands

 *  cdk ls                list all stacks in the app

 * cdk synthesize

 *  cdk synth       emits the synthesized CloudFormation template

 * cdk deploy    deploy this stack to your default AWS account/region

 * cdk diff           compare deployed stack with current state

 * cdk docs        open CDK documentation

* cdk destroy   destropy this stack
* cdk context
* cdk metadata

*

Enjoy!

# dnf install python38

# update-alternatives --config python

python3.8を選択

$ python3.8  -m venv  .venv

$ source .venv/bin/activate

$ pip install -r requirements.txt

※ python3.6では、下記エラー発生 ( 3.8はOK）

 ERROR: Could not find a version that satisfies the requirement aws-cdk-lib==2.40.0

$ pip install  aws-cdk-lib

2.23.0がインストールされた。

$ cdk synth

API リファレンス

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-construct-library.html

※ https://github.com/aws-samples/aws-cdk-examples

※ https://atsushinotes.com/deploy_wordpress_cdk_python/2/

$ cdk init --language typescript

## Useful commands * `npm run build` compile typescript to js * `npm run watch` watch for changes and compile * `npm run test` perform the jest unit tests * `cdk deploy` deploy this stack to your default AWS account/region * `cdk diff` compare deployed stack with current state * `cdk synth` emits the synthesized CloudFormation templat

AWS CLI インストール

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
$ unzip awscliv2.zip
$ sudo ./aws/install

$ aws configure

$ vi  .aws/config

$ vi .aws/credentials

 

alternatives --config python

# dnf module  install python36

# dnf module  install python38

# dnf module  install python39

$ update-alternatives --config python

Terraform Registory を使ってみた。

https://github.com/terraform-aws-modules

$ mkdir Terraform/modules
$ cd Terraform/modules

$  git clone https://github.com/terraform-aws-modules/terraform-aws-vpc
$ git clone https://github.com/terraform-aws-modules/terraform-aws-ec2-instance

$ git clone https://github.com/terraform-aws-modules/terraform-aws-alb
$ git clone https://github.com/terraform-aws-modules/terraform-aws-s3-bucket

$ git clone https://github.com/terraform-aws-modules/terraform-aws-rds-aurora

$ git clone https://github.com/terraform-aws-modules/terraform-aws-iam

$ git clone https://github.com/terraform-aws-modules/terraform-aws-rds

$ git clone https://github.com/terraform-aws-modules/terraform-aws-security-group

$ ln -s terraform-aws-vpc vpc

$ ln -s terraform-aws-ec2-instance ec2

$ ln -s terraform-aws-alb alb

$ ln -s terraform-aws-s3-bucket s3

$ ln -s terraform-aws-rds-aurora aurora

$ ln -s terraform-aws-rds rds

$ ln -s terraform-aws-iam iam

$ ln -s terraform-aws-security-group sg

CentOS brew インストール

# yum install git-all

# git --version
git version 2.37.1

# yum groupinstall 'Development Tools' && sudo yum install curl file git ruby which

$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/Linuxbrew/install/master/install.sh)"

$ echo 'eval $(/home/linuxbrew/.linuxbrew/bin/brew shellenv)' >>~/.bash_profile

$ eval $(/home/linuxbrew/.linuxbrew/bin/brew shellenv)

確認

$ brew install hello

Terraform

【terraform aws 公式ドキュメント】

https://registry.terraform.io/providers/hashicorp/aws/latest/docs

tfenv 越しにtrratermインストール

$ git clone https://github.com/tfutils/tfenv.git ~/.tfenv    # インストール

$ sudo ln -s ~/.tfenv/bin/* /usr/local/bin                                  # PATH

$ tfenv list-remote                                                                              # バージョン確認

$ tfenv install 1.2.8

$ tfenv use 1.2.8                                                                                  # バージョン切り替え

$ tfenv list

$ terraform init

$ terraform init -reconfigure

$ 

$ terraform plan

$ terraform validate     # 構文チェック

$ terraform fmt              # 構文整形

$ terraform apply

$ terraform destroy

$ terraform destroy -taget = aaaa.aaaa

$ terraform workspace new "stage"

$ terraform workspace new "prod"

$ terraform workspace list

$ terraform workspace select stage

$ terraform workspace delete "prod"

$ terraform console

> cidrsubnet("10.0.0.0/16", 8, 1)

"10.0.1.0/24"

※ネットワーク部を8ビット拡張して、1を代入

1) s3にバケット(test-terraform-tfstate)作成

2) terraform ユーザ作成

3) assume role 作成

     test-AssumeRole-for-terraform

{

"Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource":"arn:aws:s3:::test-terraform-ttfstate/*" } ] }

4) terraform ユーザにassume権限を付加

# vi settings.tf

terraform { 

    required_version = "1.2.8"

    backend "s3" {

        backet = "test-terraform-tfstate"

        key = "test-teraform"

        reagion = "ap-northeast-1"

    }

}

provider "aws" {

    reagion = "ap-northeast-1"

}

"demo-vpc"   → "${terraform.workspace}-demo-vpc"

assume role

 1. role作成→AWSのサービス→EC2

ロール名称： test-AssumeRole-for-tester

{

       "Version": "2012-10-17",
        "Statement": [
        {
            "Effect": "Allow",  
            "Action": [
            "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                "ec2.amazonaws.com"
                ]
            }
        }
    ]
}

2. 対象ユーザ→インラインポリシ追加→

    サービス選択→sts

    アクション追加→assume→ AssumeRole

    リソース→role→ARNの追加→arn:aws:iam::99999999999:role/test-AssumeRole-for-tester→追加

    

    ポリシー名前:test-inline-AssumeRole-tester →ポリシ作成

3. ロールをアカウントに変更

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::999999999999999:user/tester"
},
"Action": "sts:AssumeRole"
}
]
}

$ aws sts assume-role --role-arn arn:aws:iam::999999999999:role/test-assume-role-s3FullAccess --role-session-name s3accessSitai --duration-second 900 --profile tester

$ vi .aws/config

[default]

output = json

region = ap-northeast-1

[profile tester]

output = json

region = ap-northeast-1

[profile s3-full-access-man]

output = json

region = ap-northeast-1      

  

$ vi .aws/credentials

[s3-full-access-man]

aws_access_key_id = xxxxxx

aws_secret_access_key = yyyyyyy

aws_session_token = zzzzzzzz

$ aws --profile tester  s3 ls

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

$ aws --profile assume-s3-fullaccess-user  s3 ls

$ aws --profile assume-ec2-fullaccess-user ec2 describe-instances

AWS CLI config

$ aws configure

$ aws ec2 describe-vpcs
{
"Vpcs": [
{
"VpcId": "vpc-027937fa6634e3240",
"InstanceTenancy": "default",
"Tags": [
{
"Value": "test",
"Key": "Name"
}
],
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-002ab330e002211a3",
"CidrBlock": "192.168.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"State": "available",
"DhcpOptionsId": "dopt-0bf5659c981e8ca7c",
"OwnerId": "xxxxxxxxxxxxxx",
"CidrBlock": "192.168.0.0/16",
"IsDefault": false
}
]
}

]

$ aws ec2 describe-vpcs --query  Vpcs[].VpcId

AWS Application Deploy デプロイ

$  cd Make
$ ./save
$ ./aws_put

$ ssh aws.test

$ cd 

$ tar xvzf  Release.tar.20220805

$ sudo sh -c "rm -rf /var/www/wsgi/Release.1; mv /var/www/wsgi/Release /var/www/wsgi/Release.1; mv /home/ec2-user/Release  /var/www/wsgi/Release"

【環境構築】

$ sudo sh

# cd /var/www/wsgi/Release

# . ./env

# ./env create

$ vi requirements.txt

dataclasses==0.8 → 0.6

※Collecting pyreportjasper==2.1.2 # 違うサーバでは再現しなかった。？
Killed
# pip3 --no-cache-dir install pyreportjasper $INTERNET_PROXY で回避

. 

Package            Version Latest Type

------------------ ------- ------ -----

charset-normalizer      2.0.12  2.1.0  wheel

importlib-metadata     2.1.3   4.8.3  wheel

PyJWT                                1.7.1   2.4.0  wheel

setuptools                       39.2.0  59.6.0 wheel

tzlocal                                2.1     4.2    wheel

→epelを有効にしてインストール
# amazon-linux-extras install epel -y
# yum install zbar

# cd /var/www/wsgi

# chown -R apache:apache Releas

# tar cvzf delivery.tar Release

amazon linux 2 に MariaDB & Django 設定

【タイムゾーンと日本語】

$ sudo timedatectl set-timezone Asia/Tokyo

$ sudo timedatectl

$ sudo localectl set-locale LANG=ja_JP.utf8

$ sudo localectl

【Django/Python】

# mkdir /var/www/wsgi

# cd /var/www/wsgi

# mkdir Release

# ln -s Release test

# ln -s Release service

# ln -s Release link

# ln -s Release office

$ vi env

   3.6→3.7

# yum  install httpd httpd-devel

# yum  install gcc

# yum  install python3-devel

$ vi requirements.txt

dataclasses==0.8 → 0.6

※Collecting pyreportjasper==2.1.2                         # 違うサーバでは再現しなかった。？

Killed

# pip3 --no-cache-dir install pyreportjasper $INTERNET_PROXY  で回避

→epelを有効にしてインストール

# amazon-linux-extras install epel -y

# yum install zbar

【MariaDB】

#----------------------------------

#  MariaDB

#----------------------------------
# yum remove mariadb

# yum remove mariadb-devel

# yum remove mariadb-libs

# vi /etc/yum.repos.d/MariaDB.repo
[mariadb]
name=MariaDB
baseurl=http://yum.mariadb.org/10.8/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

【クライアント】
# yum install MariaDB-client MariaDB-devel
【サーバ】
# yum install -y MariaDB-server MariaDB-client MariaDB-shared MariaDB-devel

# vi /etc/my.cnf.d/server.cnf
[mariadb]
character-set-server=utf8
[mariadb-10.7]
character-set-server=utf8


# systemctl start mariadb
# systemctl enable mariadb

【プロキシ】

# vi /etc/yum.conf

proxy=http://192.168.13.101:3128

# vi  /etc/amazon-linux-extras.conf

export http_proxy=http://192.168.13.101:3128

export https_proxy=http://192.168.13.101:3128

【zabbix-agent2】

# yum remove zabbix*

# yum install https://repo.zabbix.com/zabbix/6.2/rhel/7/x86_64/zabbix-agent2-6.2.1-1.el7.x86_64.rpm

# vi /etc/zabbix/zabbix_agent2.conf

PidFile=/var/run/zabbix/zabbix_agent2.pid

LogFile=/var/log/zabbix/zabbix_agent2.log

LogFileSize=0

Server=192.168.23.103

ServerActive=192.168.23.103:10051

Hostname=zabbix

HostMetadata=Rockylinux

HostMetadataItem=system.uname

Include=/etc/zabbix/zabbix_agent2.d/*.conf

ControlSocket=/tmp/agent.sock

AllowKey=system.run[*]

※ AllowKeyを設定した場合は、下記も設定

# visudo

# Allows zabbix to run all commands without password.

zabbix ALL=NOPASSWD: ALL

# semanage boolean -l | grep zabbix

# setsebool -P httpd_can_connect_zabbix on

# setsebool -P zabbix_can_network on

# setsebool -P zabbix_run_sudo  on

# firewall-cmd --add-port=10050/tcp --zone=public --permanent

# firewall-cmd --reload

# systemctl restart zabbix-agent2
# systemctl enable zabbix-agent2

$ zabbix_get -s 192.168.20.201 -k agent.versio

【s3 Storage マウント】

# mkdir -p /s3/logs

# mkdir /s3/assets

# mkdir /s3/media

# vi /etc/fstab

192.168.210.101:/test-cxdnext-logs            /s3/logs    nfs    rw,hard,nolock    0   0

192.168.210.101:/test-cxdnext-assets          /s3/assets  nfs    rw,hard,nolock    0   0

192.168.210.101:/test-cxdnext-media           /s3/media   nfs    rw,hard,nolock    0   0

# mount -a

# mount

【clam】

# amazon-linux-extras install epel -y

# install clamav clamav-scanner-systemd clamav-update

#  vi /etc/clamd.conf

以降は、前の記事と同じ。

【料金ー参考】

https://fu3ak1.hatenablog.com/entry/2020/07/02/233639

AWS ロードバランサ EC2

 1) VPC 作成

・Name: test
・CLDR: 192.168.0.0/16
・IPv6ブロック無し

2) サブネット作成
サブネット名 アベイラビリティーゾーン IPv4 CIDR Block
subnet-public-1a ap-northeast-1a 192.168.10.0/24
subnet-public-1c ap-northeast-1c 192.168.20.0/24
subnet-public-1d ap-northeast-1d 192.168.30.0/24
subnet-private-api-1a ap-northeast-1a 192.168.11.0/24
subnet-private-api-1c ap-northeast-1c 192.168.21.0/24
subnet-private-api-1d ap-northeast-1d 192.168.31.0/24
subnet-private-web-1a ap-northeast-1a 192.168.12.0/24
subnet-private-web-1c ap-northeast-1c 192.168.22.0/24
subnet-private-web-1d ap-northeast-1d 192.168.32.0/24
subnet-private-nat-1a ap-northeast-1a 192.168.13.0/24
subnet-private-nat-1c ap-northeast-1c 192.168.23.0/24
subnet-private-nat-1d ap-northeast-1d 192.168.33.0/24
subnet-private-db-1a ap-northeast-1a 192.168.200.0/24
subnet-private-storage-1c ap-northeast-1c 192.168.210.0/24

3) インターネットゲートウェイの作成&VPCへのアタッチ
Name: test-igw
Action→VPCにアタッチ

4) ルートテーブル設定
Test-public-rtb (ルートテーブル作成）
subnet-public-1a/1c/1dを関連付け
ルート編集（0.0.0.0 igw-xxxxx )

5) パブリック内に踏み台インスタンス作成
AMI 選択 (amazon Linux)
ネットワーク: test (PVC選択）
サブネット: subnet-pubic-1a 選択
自動割り当てパブリックIP: 有効
Instance に名前を付ける

ネットワークインターフェース→プライマリIPに固定IPを設定

6） セキュリティグループの設定
Name : test-public-ec2-sg
ssh マイIP 150.246.20.210
Http カスタム 0.0.0.0 (フルオープン） ※ LB下のprivate時は、public のCLDRを指定( 192.168.10.0/24)

7) NAT ゲートウェイ 

   NATゲートウェイをパブリックサブネットに作成

     vpc->ナットゲートウェイ

  test-pablic-1a-ngw

  NAT下に置きたいプライベートサブネットのルートテーブルにデフォルトGWを設定

8) ssh鍵ペアの作成
test-key.pem download

$ cp test-key.pem ~/.ssh/

$ chmod 600 ~/.ssh/test-key.pem
$ scp -i test-key.pem ~/.ssh/test-key.pem  ec2-user@xx.xx.xx.xx:~/.ssh/

$ ssh ec2-user@xx.xx.xx.xx -i test-key.pem

$ chmod 600 ~/.ssh/test-key.pem

9) インスタンスからAMIを作る
Image-name: linux-base
EC2 auto scaling

10) セキュリティグループ作成

Scurity group name: test-oracle19c-1a

vpc

InBound Oracle-RDS  カスタム 192.168.0.0/24 Oracle-RDS

InBound ssh                   カスタム 192.168.10.0/24   from Step Server

InBound 10050             カスタム  192.168.23.0/24 from Zabbix Server

OutBoud  すべて          カスタム  192.168.0.0/16    to This VPC

Tag              Name           test-oracle19c-1a

11) EC2起動(oracleサーバ）

Name: test-oracle19c

OS image:Amazon Linux 2  64ビット

Instance type: t3.small

Key Pair:test-step-key

vpc:test-vpc

subnet:test-subnet-private-db-1a

Pabulic IP 自動割当: 無効

Security-group: test-oracle19c-1a

高度なネトワーク-プライマリIP:192.168.200.201

ストレージ設定：100G

EFS:test-common /u01

その他環境設定

vi /etc/yum.conf   proxy=http://192.168.13.101:3128

rpm -Uvh https://repo.zabbix.com/zabbix/6.2/rhel/7/x86_64/zabbix-agent2-6.2.6-release1.el7.x86_64.rpm  [ --httpproxy http://192.168.13.101:3128 ]

[ yum install zabbix-agent2.x86_64 ]

11-1) EC2起動テンプレートの作成
Template name: linux-base
Machine-image: linux-base?
Instance type : t2.micro
Key pair: hoge
Network : Virtual Private Cloud(VPC)
Security group: test-ec2-sg

12) autoScaling
Auto Scaling group Name : test-asg
起動テンプレート: linux-base
Vpc: test vpc選択
Subnet:subnet-private-api-1a subnet-private-api-1c subnet-private-api-1d

13) ロードバランサの設定
ALB選択
test-public-alb
Internet-facing
VPC: test
Subnet:
Listener: 80/443
AZ 選択 ( AZを跨って作成 1a/1c）
SG設定（NEW SG: test-alb-sg 80/443 0.0.0.0)
Target grop: test-alb-tg ( 新しいターゲットグループ作成 test-alb-tg/instance/http(80)/http1/helthcheck: /test/health )
ルールの設定で転送先を変更。DNS名で分離？
ルーティング設定

14) グループサイズとスケーリングポリシー設定

希望する容量:2
希望する最小キャパ:2
希望する最大キャパ：2

スケーリングポリシー:無し

【参考】 

https://dev.classmethod.jp/articles/introduction-to-aws-networking-and-autoscaling-web-server/

Django シンプルヘルスチェック

$ vi Config/urls.py

from django.http           import     HttpResponse

urlpatterns = [
path( 'health', lambda r: HttpResponse()),
]

$ curl -i http:///localhost:8000/health

グローバルIP確認

$ curl inet-ip.info
$ curl globalip.me
$ curl ipinfo.io
$ curl ipecho.net/plain
$ curl ifconfig.me
$ curl ifconfig.me -4
$ curl ifconfig.io -4
$ curl inet-ip.info
$ curl inet-ip.info/ip

$ curl inet-ip.info/json
$ curl ip-api.com
$ curl httpbin.org/ip

Rocky Linux chrony 設定

# dnf install chrony

NTPD停止

# systemctl stop ntpd

# systemctl disable ntpd

# systemctl start chronyd

# systemctl enable chronyd

# systemctl status chronyd

# chronyc sources

MS Name/IP address         Stratum Poll Reach LastRx Last sample               

===============================================================================

^-   v118-27-19-72.cxxt.stati>        2  10   377   518    +1271us[+1271us] +/-   13ms

^+  i45-32-25-115.vpsv.d.rsp>      3  10   207   878    +33us[  -61us] +/- 4448us

^-  y.ns.gin.ntt.net                            2  10   377   45m   -6994us[-7482us] +/-   91ms

^*  ipv4.ntp3.rbauman.com         2  10   377   874    +507us[ +412us] +/- 4536us

# chronyc -a makestep                    # 手動で同期 

【サーバ設定】
# vi /etc/chrony.conf
allow 192.168.254.0/24
# systemctl restart chronyd

# firewall-cmd --add-service=ntp --permanent

# firewall-cmd --reload

【クライアント設定】

# vi /etc/chrony.conf

#pool 2.pool.ntp.org iburst

pool 192.168.254.253 iburst

pool 192.168.254.254 iburst

# systemctl restart chronyd

# chronyc sources

MS Name/IP address         Stratum Poll Reach LastRx Last sample               

===============================================================================

^* 192.168.254.253               2   6   377    33    +58us[ +130us] +/- 2715us

M (Mode)

ソースのモードを示す。記号ごとにそれぞれ以下の意味がある。

^ はサーバー

= はピア

# はローカル

S (State)

この列は、ソースの状態を示します。

「*」は、chronyd が現在同期しているソースを表す。

「+」は、選択したソースと結合する、受け入れ可能なソースを表す。

「-」は、受け入れ可能なソースで、結合アルゴリズムにより除外されたものを表す。

「?」は、接続が切断されたソース、またはパケットがすべてのテストをパスしないソースを表す。

「x」は、chronyd が falseticker と考える (つまり、その時間が他の大半のソースと一致しない) クロックを表す。

「~」は、時間の変動性が大きすぎるように見えるソースを表します。

「?」条件は、少なくとも 3 つのサンプルが収集されるまで開始時にも表示されます。

Django web Serverの構築（websv)

# dnf install httpd httpd-devel
# dnf install python36 python3-libs python36-devel
# pip3 install --upgrade pip
# mkdir /var/www/wsgi
# chmod 0755 /var/www/wsgi

# mkdir /var/log/python/
# chmod  a+w /var/log/python                           ※ あとで直す。

# vi /etc/httpd/conf/httpd.conf

ServerName websv1:80

# dnf install gcc rpm-build
# pip3 install mod-wsgi

# vi /etc/httpd/conf.modules.d/20-wsgi.conf

LoadModule wsgi_module /usr/local/lib64/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-x86_64-linux-gnu.so

# httpd -M|grep wsgi

proxy_uwsgi_module (shared)

wsgi_module (shared)

#  vi /etc/httpd/conf.d/wsgi.conf

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
WSGIApplicationGroup %{GLOBAL}
WSGISocketPrefix /var/run/wsgi

WSGIDaemonProcess test user=apache group=apache processes=1 threads=100 maximum-                               requests=10000 \
                             home=/var/www/wsgi/test \
                            python-home=/var/www/wsgi/test/myenv/venv36-d324 \
                           python-path=/var/www/wsgi/test/django:/var/www/wsgi/test/myenv/venv36-d324/lib/python3.6/site-packages \
                           lang=ja_JP.utf8

WSGIScriptAlias /test /var/www/wsgi/test/Config/wsgi.py process-group=test

Alias /static/ /var/www/wsgi/test/static/
Alias /media/ /var/www/wsgi/test/media/
WSGIPassAuthorization on

# for s3

Alias /assets/ /s3/assets/

Alias /media/  /s3/media/

<Directory /s3/assets>

   Require all granted

</Directory>

<Directory /s3/media>

   Require all granted

</Directory>

<Location /test>
WSGIProcessGroup test
</Location>

#   cd  /var/www/wsgi

#    scp -rp root@websv1:/var/www/wsgi/test  .

# chown -R apache:apache test

# firewall-cmd --add-service=http --zone=public --permanent

# firewall-cmd --reload

# dnf remove mariadb* mysql*

# curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash

# dnf install MariaDB-client 

# dnf install zbar

apache バーチャルホスト リバースプロキシ 設定（仮想ホスト）

#---------------------------------------

# LOCATION リバースプロキシ

#---------------------------------------

# vi /etc/httpd/conf.d/wsgi.conf

<Proxy *>
  Require all granted
  #Order Deny,Allow
  #Deny from all
  #Allow from 192.168.25.146
</Proxy>

ProxyRequests Off
ProxyPreserveHost On

<Location /office>
  proxyPass http://192.168.25.146:80/office/ keepalive=On
  ProxyPassReverse http://192.168.25.146:80/office/
</Location>

#----------------------------------

# VirtualHost   ( 仮想ホスト )

#----------------------------------

インターフェースに複数IPを割り当てる

  VLAN=global_network

  VLAN_IP_1=192.168.1.241/24

  VLAN_IP_1=192.168.1.242/24

  VLAN_IP_1=192.168.1.243/24

  VLAN_IP_1=192.168.1.244/24

  VLAN_GW=192.168.1.1

  nmcli c delete $VLAN

  nmcli c add type ethernet ifname $DEVICE con-name "$VLAN"

  nmcli c mod $VLAN    ipv4.addresses $VLAN_IP_1

  nmcli c mod $VLAN +ipv4.addresses $VLAN_IP_2

  nmcli c mod $VLAN +ipv4.addresses $VLAN_IP_3

  nmcli c mod $VLAN +ipv4.addresses $VLAN_IP_4

  nmcli c mod $VLAN ipv4.method manual

  nmcli c mod $VLAN connection.autoconnect yes

  nmcli c mod $VLAN ipv4.gateway $VLAN_GW

  nmcli c up $VLAN

# dnf install httpd mod_ssl

# vi /etc/httpd/conf.d/httpd-vhost.conf

#-------------------------------------------

#  Link Server

#-------------------------------------------

<VirtualHost *:80>

  ServerName link.mydomain.example

  RewriteEngine on

  RewriteRule (.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

</VirtualHost>

<VirtualHost *:443>
ServerName link.mydomain.example

<Proxy *>
Require all granted
</Proxy>

ProxyRequests Off
ProxyPreserveHost On

# LogLevel warn
# TransferLog logs/ssl_access_log

ProxyPass / http://10.0.1.101:80/ keepalive=On
ProxyPassReverse / http://10.0.1.101:80/
RequestHeader set X-Forwarded-Proto "https"

SSLEngine on

# SSLv2、SSLv3, TLS1.0 TLS1.1を無効化する
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDSA+AESGCM
# SSLCipherSuite PROFILE=SYSTEM
SSLHonorCipherOrder Off

SSLCertificateFile /etc/ssl/certs/ssl-cert-link.crt
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-link.key

</VirtualHost>

# cd /etc/ssl

 # ln -s  ../pki/tls/private private

#  apachectl configtest

# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload

※ 下記は、httpdを起動すると勝手につくられる。

/etc/pki/tls/certs/localhost.crt

/etc/pki/tls/private/localhost.key
※ ssl.conf内の<VirtualHost _default_:443>は、マッチしなかった場合のデフォルト

【自己証明書】

# cd ~/Cert

#  openssl version

OpenSSL 1.1.1k  FIPS 25 Mar 2021

# openssl genrsa  -out ssl-cert-link.key  2048

# openssl req -new -key ssl-cert-link.key -out ssl-cert-link.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:JP

State or Province Name (full name) []:Tokyo

Locality Name (eg, city) [Default City]:

Organization Name (eg, company) [Default Company Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:link.mydomain.example

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

# openssl x509 -days 3650 -req -signkey ssl-cert-link.key -in ssl-cert-link.csr -out  ssl-cert-link.crt

# cp  ssl-cert-link.crt  /etc/ssl/certs/

# cp ssl-cert-link.key /etc/ssl/private/

※確認方法

# openssl req -noout -text -in ssl-cert-link.csr
# openssl x509 -text -fingerprint -noout -in  ssl-cert-service.crt

URL: https://link.mydomain.example/test

URL: https://service.mydomain.example/test

URL: https://office.mydomain.example/test

※ key : RSA PRIVATE KEY(鍵）
     csr: CERTIFICATE REQUES(証明書の署名リクエスト)
     crt: CERTIFICATE( サーバ証明書）

     pem: BEGIN/END行で挟んだ書式(入れ物）

firewall Nat IPマスカレード設定

【20240119　追記】

nmcli c add type ethernet ifname enp1s0 con-name "ngw_external" ethernet.mtu 1500

nmcli c add type ethernet ifname enp2s0 con-name "ngw_internal" ethernet.mtu 1500

nmcli c mod ngw_external ipv4.addresses 10.0.0.201/24
nmcli c mod ngw_external ipv4.method manual
nmcli c mod ngw_external connection.autoconnect yes

nmcli c mod ngw_internal ipv4.addresses 10.0.0.201/24
nmcli c mod ngw_internal ipv4.method manual
nmcli c mod ngw_internal connection.autoconnect yes

nmcli connection modify ngw_external connection.zone external
nmcli connection modify ngw_internal connection.zone internal

firewall-cmd --zone=external --add-masquerade --permanent

以下不要かも？

# firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o enp7s0 -j MASQUERADE
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp6s0 -o enp7s0 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp7s0 -o enp6s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

確認。

firewall-cmd --list-all --permanent --zone=external

これも忘れないように。

#  firewall-cmd --add-port=10050/tcp --zone=internal  --permanent

# firewall-cmd --reload

# firewall-cmd --zone=internal --list-all

---------------------前の記載-----------------------------------------

# nmcli c

NAME                        UUID                                                                            TYPE            DEVICE
internet                   d42fca83-c673-4621-b7c8-ce144ed2e37e    ethernet    enp1s0
vlan_dmz                0a7a0428-15de-41c6-8143-ea8ea2684f25   ethernet    enp4s0
vlan_dmz_front   a26299af-62df-45c6-bcfc-1cbd57484981      ethernet    enp3s0
vlan_monitor        38836aef-a8c5-4903-9c65-eca6f6831c43      ethernet    enp2s0

# nmcli d
DEVICE TYPE STATE CONNECTION
enp1s0 ethernet      接続済み internet
enp2s0 ethernet      接続済み vlan_monitor
enp3s0 ethernet      接続済み vlan_dmz_front
enp4s0 ethernet      接続済み vlan_dmz
lo             loopback    管理無し --

          

# firewall-cmd --get-active-zone
public
interfaces: enp1s0 enp2s0 enp3s0 enp4s0

# nmcli connection modify vlan_dmz connection.zone internal

# nmcli connection modify vlan_dmz_front connection.zone external

# firewall-cmd --get-active-zone
external
      interfaces: enp3s0
internal
      interfaces: enp4s0
public
      interfaces: enp1s0 enp2s0

【IPマスカレード】

# /etc/sysctl.conf
net.ipv4.ip_forward=1
# sysctl -p

# cat /proc/sys/net/ipv4/ip_forward
# firewall-cmd --zone=external --add-masquerade --permanent       # マスカレード設定
success
# firewall-cmd --zone=external --query-masquerade                                      # 確認
yes

# firewall-cmd --list-all  --zone=external

external (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp3s0

  sources: 

  services: ssh

  ports: 

  protocols: 

  forward: no

  masquerade: yes

  forward-ports: 

  source-ports: 

  icmp-blocks: 

  rich rules: 

# firewall-cmd --zone=external --add-forward-port=port=18080:proto=tcp:toport=80:toaddr=192.168.31.254  --permanent

# firewall-cmd --zone=external --add-forward-port=port=28080:proto=tcp:toport=80:toaddr=192.168.31.102 --permanent

# firewall-cmd --reload

# firewall-cmd --zone=external --list-all

external (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp3s0

  sources: 

  services: ssh

  ports: 

  protocols: 

  forward: no

  masquerade: yes

  forward-ports: 

port=28080:proto=tcp:toport=80:toaddr=192.168.31.102

port=18080:proto=tcp:toport=80:toaddr=192.168.31.254

  source-ports: 

  icmp-blocks: 

  rich rules: 

# firewall-cmd --list-all-zones                               # 全てのzoneを表示

# firewall-cmd --get-default-zone                       # defaultで設定されるzone

# firewall-cmd --get-services                                 # 設定できるサービス一覧

# firewall-cmd --set-default-zone=block         # default zoneの変更

#  firewall-cmd --direct --get-all-rules

firewall-cmd --get-zones　                             　ゾーン一覧

firewall-cmd --list-all-zone          　                   すべてのゾーン

firewall-cmd --get-active-zone  　                    現在のゾーンとそれに紐付くインターフェイス
firewall-cmd --get-default-zone 　                   デフォルトゾーン確認

firewall-cmd --set-default-zone=external　デフォルトゾーンの変更

firewall-cmd --list-all　　                                    デフォルトゾーンの設定を表示

firewall-cmd --list-all --zone=external

firewall-cmd --get-services　　                        定義されているサービス一覧
firewall-cmd --list-service --zone=external  externalゾーンに適用されているサービス
firewall-cmd --add-service=ftp --zone=external　　 externalゾーンにftpサービスを加える
firewall-cmd --add-service=ftp --zone=external --permanent  恒久的に加える
firewall-cmd --reload　　firewalldに設定を再読み込みさせる

firewall-cmd --list-ports --zone=external　　 externalゾーンで公開されているポート。
firewall-cmd --add-port=10050-10051/tcp --zone=external --permanent　公開ポートの追加
firewall-cmd --reload

# systemctl restart NetworkManager