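First, take a look at this wiki: https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84
You can follow the wiki.
Here I work backwards from the wiki and add my own real case to illustrate.
Teacher S prepared an encrypted message named `msg.asc` for me; its content should be the signed key from Teacher S.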
cat msg.asc
-----BEGIN PGP MESSAGE-----
...
...
This is the encrypted message. Now the key step: we need to use the `--decrypt` option to decrypt it:
vimer@dev:~/tmp$ gpg --decrypt msg.asc
gpg: encrypted with 4096-bit RSA key, ID 66681FECEFF9AC75, created 2022-04-09
"Bo YU <[email protected]>"
...
Hi,
please find attached the user id
Bo YU <[email protected]>
of your key 954E6A70100598A2 signed by me.
If you have multiple user ids, I sent the signature for each user id
separately to that user id's associated email address. You can import
the signatures by running each through `gpg --import`.
Note that I did not upload your key to any keyservers. If you want this
new signature to be available to others, please upload it yourself.
With GnuPG this can be done using
gpg --keyserver hkp://pool.sks-keyservers.net --send-key 954E6A70100598A2
...
------------=_1689674421-10093-0
Content-Type: application/pgp-keys;
name="0x954E6A70100598A2.1.signed-by-0xxxxxxxx.asc"
Content-Disposition: attachment;
filename="0x954E6A70100598A2.1.signed-by-0xxxxxx.asc"
Content-Transfer-Encoding: 7bit
Content-Description: PGP Key 0x954E6A70100598A2, uid Bo YU <[email protected]>
(1), signed by 0xxxxxxxxxxx
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
Note that the PUBLIC KEY BLOCK is the part that matters. What I did was copy it out, save it to an xx.asc file, and then `import` it.
vimer@dev:~/tmp$ gpg --import sun.asc
gpg: key 954E6A70100598A2: 1 signature not checked due to a missing key
gpg: key 954E6A70100598A2: "Bo YU <[email protected]>" 1 new signature
gpg: Total number processed: 1
gpg: new signatures: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
vimer@dev:~/tmp$ gpg --keyserver keyserver.ubuntu.com --send-keys 100598A2
gpg: sending key 954E6A70100598A2 to hkp://keyserver.ubuntu.com
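The copy-and-paste step above can be done mechanically. This is an added example, not part of the original notes: `extract_key_block` and the file name `signed-uid.asc` are hypothetical, and the sample mail is constructed with dummy key material.

```shell
#!/bin/sh
# Added example: extract the armored key block from the decrypted mail text.
# extract_key_block is a hypothetical helper name; input is read from stdin.
extract_key_block() {
    awk '
        { sub(/\r$/, "") }                        # mail bodies may use CRLF
        /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { inblk = 1; buf = "" }
        inblk { buf = buf $0 "\n" }
        inblk && /^-----END PGP PUBLIC KEY BLOCK-----$/ {
            printf "%s", buf; inblk = 0; found++
        }
        END { if (inblk || !found) exit 1 }       # truncated or missing block
    '
}

sample_mail() {   # constructed input; the key material is a dummy string
cat <<'EOF'
Hi,
please find attached the user id ...
Content-Type: application/pgp-keys;
-----BEGIN PGP PUBLIC KEY BLOCK-----

bm90IGEgcmVhbCBrZXk=
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
EOF
}

# Typical use (needs GnuPG and the secret key, so it is not run here):
#   gpg --decrypt msg.asc | extract_key_block > signed-uid.asc
#   gpg --show-keys signed-uid.asc     # look at the key and uid before importing
#   gpg --import signed-uid.asc
#   gpg --check-sigs 954E6A70100598A2  # verifies only once the signer's key is in the keyring
```

The "1 signature not checked due to a missing key" line in the import output above means the signer's public key was not in the keyring, so GnuPG stored the signature without verifying it.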
Update:
change private domain
sudo mmdebstrap --arch=riscv64 --include=fakeroot,build-essential,ca-certificates,apt-transport-https sid sid-riscv64-revyos-sbuild.tar.xz "deb [trusted=yes] ** revyos-addons main" "deb [trusted=yes] **/revyos-base sid main contrib non-free"
```bash
mkdir -p tmp/rv64-chroot
cd tmp/rv64-chroot/
sudo tar -xvf ../../sid-riscv64-revyos-sbuild.tar.xz
sudo chroot .
```
3. make image
# Adjust as needed
```bash
sudo virt-make-fs --partition=gpt --type=ext4 --size=6G tmp/rv64-chroot/ rootfs.img
qemu-system-riscv64 -nographic -machine virt -m 1.9G \
-bios /usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf \
-kernel /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf \
-object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-device,rng=rng0 \
-append "console=ttyS0 rw root=/dev/vda1" \
-device virtio-blk-device,drive=hd0 -drive file=rootfs.img,format=raw,id=hd0 \
-device virtio-net-device,netdev=usernet -netdev user,id=usernet,hostfwd=tcp::22222-:22
```
user: root, password: riscv64
To help with fixing some debci bugs later, I am keeping some of the maintainer's advice here so that I can come back and reread it.
---
17:16 < vimer> I know what it's like. Because I also want to know which packages can trigger system's crash.:)
17:19 < vimer> how to implement the code for monitoring purposes? I mean, I can try it but I maybe need some help
17:21 -KGB-2:#debci- autopkgtest pipeline Simon McVittie 555974 * [26 minutes and 48 seconds] failed (quicktests: success; tests-sid:
failed; tests-stable: success; test-docker: success; test-lxc: success; test-podman: success; test-schroot: success;
test-unshare: success)
17:21 < elbrus> vimer: to be honest, I don't know exactly; we use munin and the main node in our infrastructure connects to the workers to
retrieve the data (if I'm correct). The munin code on the main node would need to know how to connect via the proxy somehow
17:22 < elbrus> terceiro: your new test for the global timeout seems flaky; it has failed already three times since you merged the code
17:22 < vimer> elbrus: fair enough. thanks.
17:22 < elbrus> you know where our deploy code lives, right?
17:23 < elbrus> salsa.debian.org/ci-team/debian-ci-config/
17:23 < elbrus> https://salsa.debian.org/ci-team/debian-ci-config/
17:23 < elbrus> I *think* all munin stuff is here: https://salsa.debian.org/ci-team/debian-ci-config/-/tree/master/cookbooks/munin
17:25 < elbrus> *Probably* this needs more intelligence:
https://salsa.debian.org/ci-team/debian-ci-config/-/blob/master/cookbooks/munin/templates/hosts.conf.erb
17:25 < elbrus> to be fair, we currently also can't monitor armhf and armel
17:25 < elbrus> because they are on IP6 and our main node only has IP4
17:26 < elbrus> also there we could proxy, because they are VMs on a host that has IP4
17:29 < vimer> ok, I'll take a closer look at the code you gave me. thanks again
---
Two repos need to be built: 1 amd64 (including fakeroot), 3 all. For amd64, the approach is: first create the amd64 repo, then create a snapshot, and finally merge the snapshots.
repo amd64:
# 1
aptly repo create -architectures amd64 -comment 'for riscv32 sbuild-creatchroot' -component main -distribution sid amd64-tmp
Local repo [amd64-tmp]: for riscv32 sbuild-creatchroot successfully added. You can run ‘aptly repo add amd64-tmp …’ to add packages to repository.
# 2
aptly repo add amd64-tmp tmp/fakeroot_1.31-1.2_amd64.deb
# 3. Create a snapshot from the repo:
aptly snapshot create yubos-reboostrap-0605-amd64 from repo amd64-tmp
Snapshot yubos-reboostrap-0605-amd64 successfully created.
## You can run 'aptly publish snapshot yubos-reboostrap-0605-amd64' to publish snapshot as Debian repository.
# 4.
aptly snapshot merge yubos-reboostrap-new-20230606 yubos-reboostrap-new-20230605 yubos-reboostrap-0605-amd64
## A new snapshot must be created
# 5.
aptly publish snapshot -distribution="sid" yubos-reboostrap-new-20230606 yubos-reboostrap/20230606
// yubos-reboostrap-new-20230606 must be an existing snapshot, i.e. the one created by the command in the previous step.
## all snapshot
## aptly publish snapshot --architectures="all" -distribution="sid" yubos-base-all yubos-reboostrap/base-all //
# 6.
ln -s /home/a/.aptly/public/yubos-reboostrap/20230606/ /srv/ftp.debian.org/root/yubos-rebootstrap-test
1. aptly repo create -architectures all -comment 'all for riscv32 sbuild-creatchroot' -component main -distribution sid all-tmp
```
Local repo [all-tmp]: all for riscv32 sbuild-creatchroot successfully added.
You can run 'aptly repo add all-tmp ...' to add packages to repository.
```
2. add all packages to all-tmp
3. aptly snapshot create yubos-base-all from repo all-tmp
4. aptly snapshot merge yubos-reboostrap-rv32-all-0608 yubos-reboostrap-new-20230605 yubos-base-all
5. aptly publish snapshot -distribution="sid" yubos-reboostrap-rv32-all-0608 yubos-reboostrap/20230608
6. ln -s /home/a/.aptly/public/yubos-reboostrap/20230608/ /srv/ftp.debian.org/root/yubos-rebootstrap-test
Below are some traces from that time, kept here in case they are needed some day:
1.
sudo sbuild-createchroot --debootstrap=mmdebstrap --arch=riscv32 \
--include=debian-ports-archive-keyring,ca-certificates,apt \
--make-sbuild-tarball=/srv/sid-riscv32-sbuild.tgz \
sid /tmp/chroots/sid-riscv32-sbuild/ \
http://vimer.f3322.net:63017/yubos-rebootstrap-repo/
// The repo can be replaced with yubos-repo
2.
sudo sbuild-shell sid-riscv32-sbuild
echo "deb [trusted=yes] http://vimer.f3322.net:63017/yubos-rebootstrap-repo/ sid main" > /etc/apt/sources.list
echo "deb [trusted=yes] http://vimer.f3322.net:63017/yubos-base-all/ sid main" > /etc/apt/sources.list
// First create amd64
sudo sbuild-createchroot --debootstrap=mmdebstrap --arch=amd64 \
--include=debian-ports-archive-keyring,ca-certificates \
--make-sbuild-tarball=/srv/sid-amd64-sbuild.tgz \
sid /tmp/chroots/sid-amd64-sbuild/ \
https://mirror.iscas.ac.cn/debian/
// Replace the rootfs
sudo mmdebstrap --arch=amd64 --variant=buildd \
--include=fakeroot,build-essential,ca-certificates,apt-transport-https,eatmydata \
sid sid-amd64-yubos-sbuild.tar.xz \
"deb [trusted=yes] http://home.revy.cn:36013/yubos-base/ sid main " \
"deb [trusted=yes] http://vimer.f3322.net:63017/yubos-base-all/ sid main"
//
sudo mv sid-amd64-yubos-sbuild.tar.xz /srv
//
backup:
```bash
# aptly issue:
a@debian:~$ aptly snapshot drop yubos-reboostrap-new-20230606
Snapshot `yubos-reboostrap-new-20230606` is published currently:
* ./sid [amd64, riscv32] publishes {main: [yubos-reboostrap-new-20230606]: Merged from sources: 'yubos-reboostrap-new-20230605', 'yubos-reboostrap-0605-amd64'}
ERROR: unable to drop: snapshot is published
# In this case the only option is to drop `sid`:
a@debian:~$ aptly publish drop sid
Removing /home/a/.aptly/public/dists...
Removing /home/a/.aptly/public/pool...
# If so, it can be dropped like this:
a@debian:~$ aptly publish list
Published repositories:
Published repository has been removed successfully.
```
Using aptly
https://www.cnblogs.com/cookie1026/p/17039327.html
...
sudo sbuild-createchroot --debootstrap=mmdebstrap --arch=riscv32 --include=debian-ports-archive-keyring,ca-certificates,apt --make-sbuild-tarball=/srv/sid-riscv32-sbuild.tgz sid /tmp/chroots/sid-riscv32-sbuild/ http://vimer.f3322.net:63017/yubos-rebootstrap-exp
mkdir /tmp/chroots/sid-riscv32-sbuild/
...
a@debian:~$ aptly publish drop sid yubos-reboostrap/20230614
Removing /home/a/.aptly/public/yubos-reboostrap/20230614/dists...
Removing /home/a/.aptly/public/yubos-reboostrap/20230614/pool...
Published repository has been removed successfully.
a@debian:~$ aptly snapshot list
List of snapshots:
* [yubo-base-part-all-exp]: Snapshot from local repo [all-tmp]: all for riscv32 sbuild-creatchroot
* [yubos-base-all]: Snapshot from local repo [all-tmp]: all for riscv32 sbuild-creatchroot
* [yubos-base-full-all]: Snapshot from mirror [debian-all]: https://mirror.iscas.ac.cn/debian/ sid
* [yubos-reboostrap-0608-amd64]: Snapshot from local repo [amd64-tmp]: amd64 for riscv32 sbuild-creatchroot
* [yubos-reboostrap-20230604]: Snapshot from mirror [yubos-reboostrap]: http://127.0.0.1:8000/ rebootstrap
* [yubos-reboostrap-exp-20230614]: Merged from sources: 'yubo-base-part-all-exp', 'yubos-reboostrap-rv32-0614-exp'
* [yubos-reboostrap-new-20230605]: Snapshot from local repo [yubos-rebootstrap]
* [yubos-reboostrap-rv32-0614-exp]: Snapshot from local repo [yubos-rebootstrap]
* [yubos-reboostrap-rv32-all-0608]: Merged from sources: 'yubos-reboostrap-new-20230605', 'yubos-base-all'
* [yubos-rebootstrap-rv32-all-amd64]: Merged from sources: 'yubos-reboostrap-rv32-all-0608', 'yubos-reboostrap-0608-amd64'
To get more information about snapshot, run `aptly snapshot show <name>`.
a@debian:~$ aptly snapshot drop yubos-reboostrap-exp-20230614
Snapshot `yubos-reboostrap-exp-20230614` has been dropped.
a@debian:~$ aptly snapshot drop yubos-reboostrap-rv32-0614-exp
Snapshot `yubos-reboostrap-rv32-0614-exp` has been dropped.
Some common aptly operations:
a@debian:~/packages/sail$ aptly repo list
List of local repos:
* [all-tmp]: all for riscv32 sbuild-creatchroot (packages: 16)
* [amd64-tmp]: amd64 for riscv32 sbuild-creatchroot (packages: 2)
* [riscv64-tmp-all]: for Debian sid ROS2 on riscv64 all packages (packages: 87)
* [riscv64-tmp]: for Debian sid ROS2 on riscv64 (packages: 1022)
* [sail-tmp]: sail for debian (packages: 36)
* [yubos-rebootstrap] (packages: 618)
a@debian:~/packages/sail$ aptly repo show sail-tmp
Name: sail-tmp
Comment: sail for debian
Default Distribution: sid
Default Component: main
Number of packages: 36
Remove a package
a@debian:~/packages/sail$ aptly repo remove sail-tmp libsail-ocaml-dev
Loading packages...
[-] libsail-ocaml-dev_0.17.1-1_amd64 removed
Add a package
aptly repo add sail-tmp package-name
aptly publishes from snapshots:
a@debian:~/packages/sail$ aptly snapshot create sail-for-debian-amd64-0228 from repo sail-tmp
Snapshot sail-for-debian-amd64-0228 successfully created.
You can run 'aptly publish snapshot sail-for-debian-amd64-0228' to publish snapshot as Debian repository.
The idea is to update packages in the repo and to publish through a snapshot. Then let's look at which snapshots have already been published:
Publish the repo
a@debian:~/packages/sail$ aptly publish snapshot -distribution="sid" sail-for-debian-amd64-0303 sail-for-debian/20240303
Loading packages...
Generating metadata files and linking package files...
Finalizing metadata files...
Signing file 'Release' with gpg, please enter your passphrase when prompted:
Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
Snapshot sail-for-debian-amd64-0303 has been successfully published.
Please setup your webserver to serve directory '/home/a/.aptly/public' with autoindexing.
Now you can add following line to apt sources:
deb http://your-server/sail-for-debian/20240303/ sid main
Don't forget to add your GPG key to apt with apt-key.
You can also use `aptly serve` to publish your repositories over HTTP quickly.
a@debian:~/packages/sail$ aptly publish list
Published repositories:
* revyos-11-06/11-06/sid [riscv64] publishes {main: [revyos-ros2]: Merged from sources: 'revyos-ros2-11-6', 'revyos-ros2-11-6-all'}
* sail-for-debian/20240227/sid [amd64] publishes {main: [sail-for-debian-amd64-0227]: Snapshot from local repo [sail-tmp]: sail for debian}
* yubos-reboostrap/20230604/sid [amd64, riscv32] publishes {main: [yubos-reboostrap-20230604]: Snapshot from mirror [yubos-reboostrap]: http://127.0.0.1:8000/ rebootstrap}
* yubos-reboostrap/20230605/sid [amd64, riscv32] publishes {main: [yubos-reboostrap-new-20230605]: Snapshot from local repo [yubos-rebootstrap]}
* yubos-reboostrap/20230608/sid [amd64, riscv32] publishes {main: [yubos-reboostrap-rv32-all-0608]: Merged from sources: 'yubos-reboostrap-new-20230605', 'yubos-base-all'}
* yubos-reboostrap/2023060801/sid [amd64, riscv32] publishes {main: [yubos-rebootstrap-rv32-all-amd64]: Merged from sources: 'yubos-reboostrap-rv32-all-0608', 'yubos-reboostrap-0608-amd64'}
* yubos-reboostrap/20230617/sid [amd64, riscv32] publishes {main: [yubos-reboostrap-exp-20230617]: Merged from sources: 'yubo-base-part-all-exp', 'yubos-reboostrap-rv32-0617-exp'}
* yubos-reboostrap/base-full-all/sid (origin: Debian) [all] publishes {main: [yubos-base-full-all]: Snapshot from mirror [debian-all]: https://mirror.iscas.ac.cn/debian/ sid}
Then `ln` the published directory to the server.
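`aptly publish` signs `Release` with gpg, as its output above shows, but the source lines used earlier on this page carry `[trusted=yes]`, which tells apt to skip that signature check. The check below is an added example, not part of the original notes: `audit_sources`, the `KEYRING` path and the `repo.example.org` lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag apt source lines that disable signature checking.
# audit_sources and KEYRING are hypothetical names; lines are read from stdin.
KEYRING=/usr/share/keyrings/my-aptly-repo.gpg   # assumed path of the exported public key

audit_sources() {
    awk -v keyring="$KEYRING" '
        !/^[ \t]*deb(-src)?[ \t]/ { next }             # skip comments and blanks
        {
            uri = ""
            for (i = 2; i <= NF; i++)                   # first field with a URI scheme
                if ($i ~ /^[a-z+]+:\/\//) { uri = $i; break }
            if ($0 !~ /\[.*trusted=yes.*\]/) { print "ok\t" uri; next }
            bad++
            # trusted=yes skips the Release signature check; over plain http
            # nothing at all protects the index or the .debs in transit.
            label = (uri ~ /^https:/) ? "unsigned-https" : "unsigned-http"
            print label "\t" uri
            fixed = $0
            sub(/trusted=yes/, "signed-by=" keyring, fixed)
            print "  use: " fixed
        }
        END { exit (bad > 0) }'                         # non-zero if anything was flagged
}

sample_sources() {   # constructed lines in the style used on this page
cat <<'EOF'
deb [trusted=yes] http://repo.example.org/yubos-base-all/ sid main
deb [trusted=yes] https://repo.example.org/yubos-base/ sid main
deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] https://deb.debian.org/debian sid main
EOF
}
```

Before switching a line to `signed-by`, export the public half of the key aptly signs with (`gpg --export <KEYID>`) into the keyring file on the client.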
[Reposted; the source is at the end]
sudo systemctl status fail2ban
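The installation creates two default configuration files: `/etc/fail2ban/jail.d/defaults-debian.conf` and `/etc/fail2ban/jail.conf`.
We do not recommend modifying these files directly, because they may be overwritten when Fail2ban is updated.
Fail2ban reads the configuration files in the following order, and each .local file overrides the settings from the .conf file: `/etc/fail2ban/jail.conf`, `/etc/fail2ban/jail.d/*.conf`, `/etc/fail2ban/jail.local`, `/etc/fail2ban/jail.d/*.local`.
The easiest way to configure Fail2ban is to copy jail.conf to jail.local and then modify the .local file. You can also build a .local configuration file from scratch.
The values of the bantime, findtime and maxretry options define the ban duration and the ban conditions. bantime is how long a ban lasts. findtime is the duration within which the failures are counted.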
https://www.myfreax.com/install-configure-fail2ban-on-debian-10/
One useful command is:
sudo fail2ban-client status sshd
There is a file dedicated to controlling sshd; I forgot where I found it.
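The read order described above decides which value is actually in force. The following added example, which is not from the original notes or from Fail2ban itself, is a simplified model of that order (no include or interpolation handling); `f2b_effective` and `f2b_demo` are hypothetical names and the sample files are constructed.

```shell
#!/bin/sh
# Added example: which value wins for a jail option, given the read order
# jail.conf, jail.d/*.conf, jail.local, jail.d/*.local.
# usage: f2b_effective <config-dir> <jail> <option>
f2b_effective() {
    dir=$1 section=$2 option=$3
    set --
    for f in "$dir/jail.conf" "$dir"/jail.d/*.conf \
             "$dir/jail.local" "$dir"/jail.d/*.local; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi     # globs expand alphabetically
    done
    [ $# -gt 0 ] || return 1
    awk -v want="$section" -v opt="$option" '
        FNR == 1      { sec = "" }                     # no section leaks across files
        /^[ \t]*[#;]/ { next }                         # comment lines
        /^\[/         { sec = $0; gsub(/^\[|\].*$/, "", sec); next }
        {
            eq = index($0, "="); if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != opt) next
            if (sec == want)           { own = val; has_own = 1 }  # later file wins
            else if (sec == "DEFAULT") { def = val; has_def = 1 }
        }
        # A jail-specific value beats [DEFAULT], whichever file set it.
        END { if (has_own) print own; else if (has_def) print def; else exit 1 }
    ' "$@"
}

f2b_demo() {   # constructed sample files, not a real host's configuration
    d=$(mktemp -d) && mkdir "$d/jail.d"
    printf '[DEFAULT]\nbantime = 10m\nmaxretry = 5\n[sshd]\nmaxretry = 4\n' > "$d/jail.conf"
    printf '[sshd]\nenabled = true\n' > "$d/jail.d/defaults-debian.conf"
    printf '[DEFAULT]\nbantime = 1h\nmaxretry = 3\n' > "$d/jail.local"
    echo "bantime=$(f2b_effective "$d" sshd bantime) maxretry=$(f2b_effective "$d" sshd maxretry)"
    rm -rf "$d"
}
```

In the sample, `bantime` from `jail.local` takes effect, but the `maxretry` set under `[sshd]` in `jail.conf` still wins over the `[DEFAULT]` value in `jail.local`, so a jail-specific override belongs in the jail's own section of the .local file.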
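China Telecom is really great on this point; it is a very good experience for participants in the open-source community.
Since I use a Xiaomi AX3600 router, DDNS can only be set up with a few designated services such as Oray (花生壳) and PubYun (公云); Alibaba's cannot be used at present. Based on my own experience, I recommend PubYun. There is just one thing to note:
In the service provider and hostname fields, fill in the domain name obtained from PubYun; it only works once the status bar shows the message that the connection succeeded.
[Registering with Oray and setting up DDNS] https://longdada.me/dynamic-ip-ddns-use-oray-or-noip/
Pointing your own domain with a CNAME: I have verified that the following method works. After the steps above you can already reach the host by domain name, but the domain assigned by Oray is hard to remember, and a no-ip domain has to be confirmed every 30 days to keep working, so using your own domain is the most convenient. The method is simple: add a CNAME record in your domain's DNS settings whose value is the domain assigned by Oray, and you can then use your own domain.
The CNAME approach sometimes has problems; here I simply use the free domain that 3322 provides (not that I don't want to pay for one, it is just that this currently works).
One issue to note here: inside a LAN, downloading via the domain name may fail (you need to verify whether downloading works from an external network).
In that case you can edit the `/etc/hosts` file directly so that nodes on the LAN access the host directly. When doing so, it is best to make the internal and external ports the same.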