桌面App 直接迁移,会提示数据要重新下载和配置。
systemctl stop containerd
mv /drives/raid_a1/.docker /drives/nvme_e1/
#
cd /tmp/nand_config
cp docker.json docker.json.bak
# 修改 docker.json
# 看后边说明
# 修改 /etc/docker/daemon.json,配置不能持久化
# 直接修改路径,可以不重启生效,但是务必按说明修改持久化配置
systemctl start containerd桌面客户端可以改配置(Docker设置 / 装载目录),建议顺手先改掉。
固件里 /tmp/nand_config/docker.json 是自动生成的,里边定义了 disk_path 和 disk_uuid,前者的值是类似 /drives/raid_a1,后者是用 disk_get_uuid_byfilepath 的函数生成的,有重建逻辑,删掉即可。
以前 EdgeRouter 时代,使用的是 DNAT + redsocks + charles/mitmproxy 实现的流量劫持和分析,比较麻烦的点是,redsocks的配置文件需要维护,服务需要重启,每次系统升级(虽然好多年没升级了)都需要重装 redsock,所以当时搞了一套初始化脚本,脱离config tree自动安装deb,自动加载配置,自动symlink配置文件。
换到 VyOS 之后,本来也想搞这一套,被研发打回来了,他们不接受过分灵活的config tree,让我用 container。
新方案用 hev-socks5-tunnel,直接把流量转给另外一台主机上的mitmproxy。charles proxy也可以用同样的方法配置
开 mitmweb,方便web看数据
mitmweb --web-host 0.0.0.0 --mode socks5 --listen-port 8889下列命令创建container,配置PBR
set container name tun2socks allow-host-networks
set container name tun2socks capability 'net-admin'
set container name tun2socks device dev-net-tun destination '/dev/net/tun'
set container name tun2socks device dev-net-tun source '/dev/net/tun'
set container name tun2socks environment CONFIG_ROUTES value '0'
set container name tun2socks environment IPV4 value '198.51.100.1'
set container name tun2socks environment LOG_LEVEL value 'debug'
set container name tun2socks environment MTU value '8500'
set container name tun2socks environment SOCKS5_ADDR value '192.168.11.19'
set container name tun2socks environment SOCKS5_PORT value '8889'
set container name tun2socks environment SOCKS5_UDP_MODE value 'udp'
set container name tun2socks environment TUN value 'tun9'
set container name tun2socks image 'ghcr.io/heiher/hev-socks5-tunnel:latest'
set protocols static table 19 description 'route to mitmproxy'
set protocols static table 19 route 0.0.0.0/0 interface tun9
set policy route PBR interface 'eth2'
set policy route PBR rule 50 set table '19'
set policy route PBR rule 50 source group address-group 'SRC_HIJACK_MITMPROXY'
# firewall rules ...防火墙规则需要自己搞定,按需NAT。
nftables 不支持 ipset 那样动态操作成员了,只能在config tree里维护。
这个方法和以前一样,只能去分析 TCP 协议。如果有 UDP 的需求可以尝试 WireGuard 的方式。
Add following to /usr/share/vyos/templates/dhcp-server/kea-dhcp4.conf.j2, node under .Dhcp4
"loggers": [
{
"name": "kea-dhcp4",
"severity": "DEBUG",
"debuglevel": 99,
"output_options": [
{
"output": "/var/log/kea/dhcp4.log",
"maxver": 10
}
]
},
{
"name": "kea-dhcp4.dhcpsrv",
"severity": "DEBUG",
"debuglevel": 99,
"output_options": [
{
"output": "/var/log/kea/dhcp4-dhcpsrv.log",
"maxver": 10
}
]
},
{
"name": "kea-dhcp4.leases",
"severity": "DEBUG",
"debuglevel": 99,
"output_options": [
{
"output": "/var/log/kea/dhcp4-leases.log",
"maxver": 10
}
]
}
],Restart VyOS configd
systemctl restart vyos-configdUpdate config in configure mode.
View files under /var/log/kea
买了个便宜的UPS,想把PVE主机和海康的R1都挂在下边,所以简单折腾一把。
本来是担心有点麻烦,结果发现海康的UPS已经用了 NUT,那就简单粗暴来了。
R1 上
echo "LISTEN 0.0.0.0 3493" >> /etc/nut/upsd.conf
killall upsd过一会儿,upsd会自己重启
cat /etc/nut/upsd.users 读账号密码
PVE
apt install nut-client执行
root@pve6:~# upsc -l 192.168.11.111
Init SSL without certificate database
HikUPS
root@pve6:~# upsc HikUPS@192.168.11.111
Init SSL without certificate database
battery.charge: 100
battery.voltage: 13.50
battery.voltage.high: 13.00
battery.voltage.low: 10.40
battery.voltage.nominal: 12.0
device.type: ups
driver.name: nutdrv_qx
driver.parameter.bus: 001
driver.parameter.pollfreq: 30
driver.parameter.pollinterval: 2
driver.parameter.port: auto
driver.parameter.product: USB to Serial
driver.parameter.productid: 5161
driver.parameter.synchronous: auto
driver.parameter.vendor: INNO TECH
driver.parameter.vendorid: 0665
driver.version: 2.8.0
driver.version.data: Voltronic-QS 0.07
driver.version.internal: 0.32
driver.version.usb: libusb-1.0.26 (API: 0x1000109)
input.voltage: 224.4
input.voltage.fault: 224.4
output.current.nominal: 2.0
output.frequency: 50.1
output.frequency.nominal: 50
output.voltage: 224.4
output.voltage.nominal: 220
ups.beeper.status: disabled
ups.delay.shutdown: 30
ups.delay.start: 180
ups.firmware.aux: PM-V
ups.load: 0
ups.productid: 5161
ups.status: OL
ups.type: offline / line interactive
ups.vendorid: 0665修改配置 /etc/nut/upsmon.conf
MONITOR HikUPS@192.168.11.111 1 hikups Aa123456 master密码是写死的
/etc/nut/nut.conf
MODE=netclient重启
systemctl restart nut-client# sqlite3 ~/Library/Messages/chat.db
select SUBSTR(fallback_hash, 1, INSTR(fallback_hash, '|') - 1) AS sender, count(*) as c from message where is_read=0 group by sender order by c;
select count(*) from message where is_read=0;不支持NFS,因为内核模块不完整,安装会报错
mount: /run/rpc_pipefs: unknown filesystem type 'rpc_pipefs'.替代方案是,加samba共享用户,root脚本添加用户和配置
# 加用户
/tmp/histor_low/root/sys_user_mng.sh ADD share the.p4sswd
# 加目录
mkdir /drives/raid_a1/share
chown share: /drives/raid_a1/share
# 加配置
cat << EOF > /tmp/smb.conf.share
[BackupShare]
path = /drives/raid_a1/share
read only = no
valid users = share
browsable = yes
writable = yes
create mask = 0770
directory mask = 0770
EOF不需要reload配置
其实在 /tmp 下还有 smb.conf.extern, smb.conf.nas 和 smb.conf.static,感觉是预留了这个逻辑(没有看程序)。
这个共享我是给pve用的,为了管理方便,我在用户目录下绑定一个目录
mkdir -p /drives/raid_a1/Users/admin/pve-share/
mount --bind /drives/raid_a1/share/ /drives/raid_a1/Users/admin/pve-share/
正常应该走app,但是我发现系统并没有为docker额外增加配置,而是直接依赖docker container create 。
以plex为例,默认它会创建两个随机名称的volume,我为了好看就手工命名了。
之前有位小朋友提及这里可以命令注入,实现更多参数,但是由于他家客户端错误提示不好,几乎等于盲注。记得闭合两边的引号。
docker volume remove plex-config
docker volume remove plex-transcode
docker rm plex
docker volume create plex-config
docker volume create plex-transcode
docker container create --name='plex' \
--volume='plex-config:/config:rw' \
--volume='/drives/raid_a1/Users/admin/video:/video:rw' \
--volume='plex-transcode:/transcode:rw' \
--device=/dev/dri:/dev/dri \
--publish='1900:1900/udp' \
--publish='32400:32400/tcp' \
--publish='32410:32410/udp' \
--publish='32412:32412/udp' \
--publish='32413:32413/udp' \
--publish='32414:32414/udp' \
--publish='32469:32469/tcp' \
--publish='8324:8324/tcp' \
--restart=unless-stopped \
--env='LANG=C.UTF-8' \
--env='LC_ALL=C.UTF-8' \
--env='PLEX_CLAIM=claim-xxxx'\
--env='ADVERTISE_IP=http://xx.yy.zz.aa:32400' \
--env='HOME=/config' \
--env='PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
--env='TERM=xterm' \
--env='TZ=Asia/Shanghai' plexinc/pms-docker:latest
docker start plex
docker volume remove ha-config
docker rm home-assistant
docker volume create ha-config
docker container create --name='home-assistant' \
--volume='ha-config:/config:rw' \
--volume='/etc/localtime:/etc/localtime:ro' \
--volume='/run/dbus:/run/dbus:ro' \
--env='LANG=C.UTF-8' \
--env='LC_ALL=C.UTF-8' \
--env='HOME=/config' \
--env='PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
--env='TERM=xterm' \
--env='TZ=Asia/Shanghai' \
--privileged \
--publish='8123:8123/tcp' \
--restart=unless-stopped \
ghcr.io/home-assistant/home-assistant:stable
docker start home-assistant
# 以下为安装 HACS
docker ps -a
docker exec -it 86 /bin/bash
wget -O - https://get.hacs.xyz | bash -
docker restart home-assistant
docker volume create portainer_data
docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:2.21.4