|
# 软件环境: * Centos 7.6 * bind-9.14.1.tar.gz * postgresql 11 * python 3.7 * django 2.2.1 QPS:单节点1590 qps # 目前测试性能最高的方案 * bind-9.12.4/bind-9.12.1、postgresql 11、Centos 7.6,4核心8G的ESXi虚拟机,开4线程,单节点查询性能可达68842 qps
zone数据使用文件配置加载到内存方式(即不使用数据库)的测试性能可达:80514 qps ## 测试其他说明 bind-9.12.4、mysql开多线程则奇慢无比 bind-9.13.3到bind-9.15.0都只有单线程,即使启动参数配置多线程,实际运行也是单线程,经过测试,这些版本与mysql结果性能会比postgresql高一些,mysql性能2300 qps左右,postgresql性能1600 qps,基本范围1400-2400 qps 从bind-9.13.3及之后的版本不支持 --enable-threads 配置参数,即多线程的支持,bind-9.13.2还支持 # 安装基本包 yum install -y bind-utils traceroute wget man sudo ntp ntpdate screen patch make gcc gcc-c++ flex bison zip unzip ftp net-tools --skip-broken 关联动态库 # vi /etc/ld.so.conf 添加如下内容 include /etc/ld.so.conf.d/*.conf /usr/local/lib /usr/local/lib64 /lib /lib64 /usr/lib /usr/lib64 编辑完ld.so.conf,执行 ldconfig 使动态库生效 # 安装postgresql 参考地址:https://www./download/linux/redhat/ yum -y install https://download./pub/repos/yum/11/redhat/rhel-7-x86_64/pgdg-redhat11-11-2.noarch.rpm yum -y install postgresql11 yum -y install postgresql11-server yum -y install postgresql11-libs yum -y install postgresql11-devel /usr/pgsql-11/bin/postgresql-11-setup initdb ## 添加环境变量 把/usr/pgsql-11/bin加入到 /etc/profile系统环境变量里 如: ## PATH export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:$JAVA_HOME/bin:/usr/pgsql-11/bin . /etc/profile ## postgresql设置 /var/lib/pgsql/11/data/postgresql.conf listen_addresses = '*' port = 5432 max_connections = 5120 tail -n 20 /var/lib/pgsql/11/data/pg_hba.conf 规则从上往下匹配,匹配到一条后就停止往下匹配了  # TYPE DATABASE USER ADDRESS METHOD # "local" is for Unix domain socket connections only local all all peer # IPv4 local connections: ## host all all 127.0.0.1/32 identhost all all 127.0.0.1/32 md5 host all all 0.0.0.0/0 md5# IPv6 local connections: host all all ::1/128 ident # Allow replication connections from localhost, by a user with the # replication privilege. #local replication all peer #host replication all 127.0.0.1/32 ident #host replication all ::1/128 ident ## 启动postgresql systemctl start postgresql-11 ## 创建用户、数据库 su postgres create database bind_ui owner bind_ui_wr ENCODING=utf8; ## 创建只读用户 CREATE USER bind_ui_r WITH ENCRYPTED PASSWORD 'rr123456'; alter user bind_ui_r set default_transaction_read_only=on; # 设置默认事务只读 GRANT CONNECT ON DATABASE bind_ui to bind_ui_r; # 赋予用户连接数据库bind_ui的权限 \c bind_ui # 切换到指定库bind_ui GRANT USAGE ON SCHEMA public to bind_ui_r; # 把当前库现有的所有在public这个schema下的表的使用权限赋给用户 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO bind_ui_r; # 默认把当前库之后新建在public这个schema下的表的使用权限赋给bind_ui_r GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO bind_ui_r; # 赋予用户bind_ui_r所有public下的序列的查看权 GRANT SELECT ON ALL TABLES IN SCHEMA public TO bind_ui_r; # 赋予用户bind_ui_r所有public下的表的select权 ## 删除只读用户方法 revoke USAGE ON SCHEMA public from bind_ui_r; # 回收schema的usage权限 revoke SELECT ON ALL TABLES IN SCHEMA public from bind_ui_r; # 回收public下所有表的查询权限 revoke SELECT ON ALL SEQUENCES IN SCHEMA public from bind_ui_r; # 回收public下所有序列的查询权限 ALTER DEFAULT PRIVILEGES IN SCHEMA public revoke SELECT ON TABLES from bind_ui_r; # 回收默认权限 revoke CONNECT ON DATABASE foo from bind_ui_r; # 关闭数据库连接权限 alter user bind_ui_r set default_transaction_read_only=off; # 关闭默认只读事务设置 \ddp # 查看权限是否为空了 drop user bind_ui_r; # 删除用户 ## 测试连接 psql -h 127.0.0.1 -p 5432 -U bind_ui_wr -d bind_ui # 安装bind cd /usr/local/src wget http://ftp./isc/bind9/9.14.1/bind-9.14.1.tar.gz wget https://www./source/openssl-1.0.2r.tar.gz tar -zxvf openssl-1.0.2r.tar.gz; cd openssl-1.0.2r; ./config; make; make install export LDFLAGS=-L/usr/pgsql-11/lib # 指定pgsql lib,要指定多个路径时,使用:分隔,这对需要扩展多种数据库驱动时很有用,路径查找postgresql lib dir: pg_config --libdir,mysql lib查找方法mysql_config --libs ./configure --prefix=/usr/local/bind_9.14.1 --with-dlz-postgres=yes --enable-threads --enable-epoll --enable-largefile --with-openssl=/usr/local/src/openssl-1.0.2r make; make install ln -s /usr/local/bind_9.14.1 /usr/local/bind ln -s /usr/local/bind/etc /etc/named groupadd -g 25 named useradd named -M -u 25 -g 25 -s /sbin/nologin chown -R named:named /usr/local/bind/var mkdir -p /var/log/named /usr/local/bind/etc/conf.d; chown -R named.named /var/log/named systemctl 启动脚本 cat /usr/lib/systemd/system/named.service [Unit] Description=Berkeley Internet Name Domain (DNS) After=network.target [Service] Type=forking PIDFile=/usr/local/bind/var/named.pid ExecStart=/usr/local/bind/sbin/named -n 1 -u named -c /usr/local/bind/etc/named.conf ExecReload=/bin/sh -c '/usr/local/bind/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' ExecStop=/bin/sh -c '/usr/local/bind/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' PrivateTmp=true Restart=always RestartSec=10 [Install] WantedBy=multi-user.target 注意: /usr/local/bind/sbin/named -n 1 线程数 经测试,bind-9.13、bind-9.14已经与线程数量无关,均为单线程了。设置-n 4与-n 1性能都一样 bind-9.12.4、postgresql 11开多线程,性能很高 systemctl enable named; cd /usr/local/bind/etc/ /usr/local/bind/sbin/rndc-confgen > rndc.conf tail -10 rndc.conf | head -9 | sed s/#\ //g > named.conf #内容类似下面这样: key "rndc-key" {
algorithm hmac-sha256;
secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};cat /etc/name/named.conf key "rndc-key" {
algorithm hmac-sha256;
secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
listen-on port 53 { any; }; # 开启侦听53端口,any表示接受任意ip连接
directory "/usr/local/bind/var";
dump-file "/usr/local/bind/var/named_dump.db"; # 执行rndc dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]时保存数据的导出文件
pid-file "named.pid"; # 文件内容就是named进程的id
allow-query{ any; }; # 允许任意ip查询
allow-query-cache { any; }; # 允许任意ip查询缓存
recursive-clients 60000;
forwarders{ # 设置转发的公网ip
202.96.128.86;
223.5.5.5;
};
forward only; # 置只使用forwarders DNS服务器做域名解析,如果查询不到则返回DNS客户端查询失败。
# forward first; 设置优先使用forwarders DNS服务器做域名解析,如果查询不到再使用本地DNS服务器做域名解析。
max-cache-size 4g;
};
logging {
channel query_log { # 查询日志
file "/var/log/named/query.log" versions 20 size 300m;
severity info;
print-time yes;
print-category yes;
};
channel error_log { # 报错日志
file "/var/log/named/error.log" versions 3 size 10m;
severity notice;
print-time yes;
print-severity yes;
print-category yes;
};
category queries { query_log; };
category default { error_log; };
};
# acl
include "/etc/named/conf.d/cn_dx.acl";
include "/etc/named/conf.d/cn_lt.acl";
include "/etc/named/conf.d/cn_yd.acl";
include "/etc/named/conf.d/cn_jy.acl";
include "/etc/named/conf.d/cn.acl";
# view
include "/etc/named/conf.d/cn_dx.conf";
include "/etc/named/conf.d/cn_lt.conf";
include "/etc/named/conf.d/cn_yd.conf";
include "/etc/named/conf.d/cn_jy.conf";
include "/etc/named/conf.d/cn.conf";
include "/etc/named/conf.d/default.conf"; # default view 放最后日志级别: 在定义通道的语句中,severity是指定记录消息的级别。在bind中主要有以下几个级别(按照严重性递减的顺序): critical versions 20:保留20个文件 named-checkconf /etc/named/named.conf # 检测配置文件合法性 acl配置: 存放目录:/etc/named/conf.d ip列表:https:///chnroutes.html 示例: cat cn_yd.acl # 中国移动
# 2017101711, 74 routes
acl cn_yd {
36.128.0.0/10;
39.128.0.0/10;
42.83.200.0/23;
43.239.172.0/22;
43.241.112.0/22;
43.251.244.0/22;
45.121.68.0/22;
45.121.72.0/22;
45.121.172.0/22;
45.121.176.0/22;
45.122.96.0/21;
45.123.152.0/22;
45.124.36.0/22;
45.125.24.0/22;
58.83.240.0/21;
59.153.68.0/22;
61.14.244.0/22;
103.20.112.0/22;
103.21.176.0/22;
103.35.104.0/22;
103.37.176.0/23;
103.40.12.0/22;
103.43.124.0/22;
103.45.160.0/22;
103.61.156.0/22;
103.61.160.0/22;
103.62.24.0/22;
103.62.204.0/22;
103.62.208.0/22;
103.83.72.0/22;
103.192.0.0/22;
103.192.144.0/22;
103.193.140.0/22;
103.205.116.0/22;
103.227.48.0/22;
111.0.0.0/10;
111.235.182.0/24;
112.0.0.0/10;
114.66.68.0/22;
117.128.0.0/10;
118.187.40.0/21;
118.191.248.0/21;
118.194.165.0/24;
120.192.0.0/10;
121.255.0.0/16;
131.228.96.0/24;
163.53.56.0/22;
183.192.0.0/10;
202.141.176.0/20;
211.103.0.0/17;
211.136.0.0/13;
211.148.224.0/19;
211.155.236.0/24;
218.200.0.0/13;
221.130.0.0/15;
221.176.0.0/19;
221.176.32.0/20;
221.176.48.0/21;
221.176.56.0/24;
221.176.58.0/23;
221.176.60.0/22;
221.176.64.0/18;
221.176.128.0/17;
221.177.0.0/16;
221.178.0.0/15;
221.180.0.0/14;
223.64.0.0/11;
223.96.0.0/12;
223.112.0.0/14;
223.116.0.0/15;
223.118.2.0/24;
223.118.10.0/24;
223.118.18.0/24;
223.120.0.0/13;
}; 其他类似 view配置: 存放目录:/etc/named/conf.d 这里连接数据库的账号只需要只读权限就可以了 cat cn_yd.conf # match-clients要与定义的acl匹配 view "cn_yd" {
match-clients { cn_yd; };
dlz "Postgres zone" {
database "postgres 2
{host=127.0.0.1 dbname=bind_ui port=5432 user=bind_ui_r password=rr123456}
{select zone_name from \"DnsRecord_zonetag\" where zone_name = '$zone$'}
{select ttl, type, mx_priority,
case when lower(type)='txt' then
concat('\"', data, '\"')
when lower(type) = 'soa' then
concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)
else
data
end
from \"DnsRecord_zonetag\" inner join \"DnsRecord_record\" on \"DnsRecord_record\".zone_tag_id = \"DnsRecord_zonetag\".id
and \"DnsRecord_zonetag\".zone_name = '$zone$'
and \"DnsRecord_record\".host = '$record$'
where \"DnsRecord_zonetag\".status = 'on'
and \"DnsRecord_record\".status = 'on'
and (\"DnsRecord_record\".resolution_line = '103' or \"DnsRecord_record\".resolution_line = '0')
}
";
};
};注意:这里 DnsRecord_record.resolution_line 的值要与 bindUI定义值相同,以区别不同的解析线路 其他类似 cat default.conf # 默认view,any acl表示所有,不需要定义,所以默认view需要放在配置中所有view的最后 view "default" {
match-clients { any; };
dlz "Postgres zone" {
database "postgres 2
{host=127.0.0.1 dbname=bind_ui port=5432 user=bind_ui_r password=rr123456}
{select zone_name from \"DnsRecord_zonetag\" where zone_name = '$zone$'}
{select ttl, type, mx_priority,
case when lower(type)='txt' then
concat('\"', data, '\"')
when lower(type) = 'soa' then
concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)
else
data
end
from \"DnsRecord_zonetag\" inner join \"DnsRecord_record\" on \"DnsRecord_record\".zone_tag_id = \"DnsRecord_zonetag\".id
and \"DnsRecord_zonetag\".zone_name = '$zone$'
and \"DnsRecord_record\".host = '$record$'
where \"DnsRecord_zonetag\".status = 'on'
and \"DnsRecord_record\".status = 'on'
and \"DnsRecord_record\".resolution_line = '0'
}
";
};
};# 安装python 3.7 cd /usr/loca/src; wget https://www./ftp/python/3.7.3/Python-3.7.3.tar.xz tar -Jxvf Python-3.7.3.tar.xz; cd Python-3.7.3 ./configure --prefix=/usr/local/python_3.7.3; make; make install 可以把 /usr/local/python_3.7.3/bin 添加系统环境变量,这样使用更简单 /usr/local/python_3.7.3/bin/pip install --upgrade pip /usr/local/python_3.7.3/bin/pip install virtualenv ## 更换国内pipy源,安装python扩展更快 参考:https://www.cnblogs.com/meelo/p/4636340.html cat ~/.pip/pip.conf [global] index-url = https://mirrors.aliyun.com/pypi/simple/ [install] trusted-host = mirrors.aliyun.com ## 创建用于运行BindUI项目的python虚拟环境 mkdir -p /data/pyvenv/ /usr/local/python_3.7.3/bin/pyvenv /data/pyvenv/BindUI 要进虚拟python环境操作方法 . /data/pyvenv/BindUI/bin/activate 退出虚拟环境 deactivate # 部署BindUI项目 mkdir -p /data/webroot cd /data/webroot yum -y install git git clone https://github.com/cucker0/BindUI.git rm -rf /data/webroot/BindUI/.git # 为网站安全 ## 设置配置信息,设置连接数据库信息 /data/webroot/BindUI/bindUI/settings.py 注释下面这两行 # import pymysql # pymysql.install_as_MySQLdb() 这里的账号需要有写读权限 DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': 'bind_ui',
'USER': 'bind_ui_wr',
'PASSWORD': 'ww123456',
'HOST': '127.0.0.1',
'PORT': '5432',
}
}## 安装依赖组件 cd /data/webroot/BindUI . /data/pyvenv/BindUI/bin/activate pip install --upgrade pip pip install django Pillow pymysql IPy xlrd xlwt psycopg2 ## 初始化数据库 python manage.py migrate python manage.py makemigrations python manage.py migrate
## 创建超级用户 python manage.py createsuperuser
## 运行django python manage.py runserver 0.0.0.0:8080 此时可以通过下面的URL访问BindUI控制台 http://服务器IP:8080 使用上面的登记登录 * 登录
* 首页
* 添加域名
* 设置NS主机,可设置多个
* 添加起始授权主机、NS主机相应的记录 NS主机设置了多个就需要建立多个,起始授权主机只有一个
建一个反向解析域
同样也需要设置NS主机 建立PTR记录,与NS主机记录对应
此时就能建其他记录了 ## 给bind_ui_r用户添加相应表的只读权限 上面授权时,因为下面这些表还没有创建,所以是没有授到权的,需要重新执行一次。 su postgres psql \c bind_ui GRANT SELECT ON "DnsRecord_record" TO bind_ui_r; GRANT SELECT ON "DnsRecord_zonetag" TO bind_ui_r; ## 启动bind服务 systemctl start named bind启动调试模式方法 /usr/local/bind/sbin/named -n 1 -u named -c /usr/local/bind/etc/named.conf -d 4 -g 此时就可以解析了
# Django Nginx+ uWSGI 运行django项目 前面运行的django 在bash控制上,现在以守护进程方式运行,参考https://www.cnblogs.com/linkenpark/p/6560787.html ## 安装uwsgi /usr/local/python_3.7.3/bin/pip install uwsgi id uwsgi uid=1000(uwsgi) gid=1000(uwsgi) groups=1000(uwsgi) /usr/local/python_3.7.3/bin/uwsgi --http 0.0.0.0:8000 -H /data/pyvenv/BindUI --chdir /data/webroot/BindUI/ --wsgi-file bindUI/wsgi.py 这时在浏览器上能看到除了样式外的页面 退出uwsgi ## 配置uwsgi mkdir /etc/uwsgi vi /etc/uwsgi/uwsgi9090.ini [uwsgi] socket=127.0.0.1:9090 chdir=/data/webroot/BindUI/ wsgi-file=bindUI/wsgi.py # 开启主进程 master=True # 设置多进程 processes=8 uid=uwsgi gid=uwsgi # 最大并发 max-requests=20480 # 当服务停止的时候自动移除unix Socket和Pid文件 vacuum=True # 虚拟环境 home=/data/pyvenv/BindUI # 日志 daemonize=/var/log/uwsgi/uwsgi9090.log chown -R uwsgi:uwsgi /data/webroot/BindUI//upload/user_image # 上传用户头像的目录可写,其他目录只需要只读权限即可。 ## 设置uwsgi自动启动脚本 cat /etc/systemd/system/uwsgi.service [Unit] Description=uWSGI Emperor After=syslog.target [Service] ExecStart=/usr/local/python_3.7.3/bin/uwsgi --emperor /etc/uwsgi Restart=always KillSignal=SIGQUIT Type=notify StandardError=syslog NotifyAccess=all [Install] WantedBy=multi-user.target systemctl enable uwsgi systemctl start uwsgi ## 更新项目代码 当python项目代码有更新时,要让其生效,重载或重启 uwsgi服务即可 systemctl reload uwsgi ## 安装nginx cd /usr/local/src wget https://ftp./pub/pcre/pcre-8.43.tar.gz wget http:///download/nginx-1.16.0.tar.gz tar -zxvf pcre-8.43.tar.gz; cd pcre-8.43; ./configure --enable-jit; make; make install ldconfig yum -y install zlib zlib-devel gd gd-devel --skip-broken useradd nginx -M -s /sbin/nologin cd /usr/local/src tar -zxvf nginx-1.16.0.tar.gz; cd nginx-1.16.0 ./configure --prefix=/usr/local/nginx_1.16.0 --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.43 --with-http_realip_module --with-http_image_filter_module --with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.0.2r --with-openssl-opt="enable-tlsext" --with-stream --with-stream_ssl_module --with-http_v2_module make; make install mkdir /usr/local/nginx/conf/conf.d ln -s /usr/local/nginx_1.16.0 /usr/local/nginx ln -s /usr/local/nginx/conf /etc/nginx /usr/local/nginx/sbin 添加到系统环境变量中 . /etc/profile # 重新加载环境变量 ## nginx自动启动脚本 cat /usr/lib/systemd/system/nginx.service [Unit] Description=nginx - high performance web server Documentation=http:///en/docs/ After=network.target remote-fs.target nss-lookup.target [Service] Type=forking PIDFile=/usr/local/nginx/logs/nginx.pid ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /etc/nginx/nginx.conf ExecStart=/usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf ExecReload=/bin/kill -s HUP $MAINPID ExecStop=/bin/kill -s QUIT $MAINPID PrivateTmp=true [Install] WantedBy=multi-user.target systemctl enable nginx systemctl start nginx ## nginx配置 cat /etc/nginx/nginx.conf user nginx nginx;
worker_processes auto;
worker_cpu_affinity auto;
error_log logs/error.log notice;
pid logs/nginx.pid;
worker_rlimit_nofile 65535;
events {
use epoll;
worker_connections 65535;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$http_x_forwarded_for`$remote_addr`$proxy_add_x_forwarded_for`[$time_local]`"$request"`'
'$status`$body_bytes_sent`"$http_referer"`'
'"$http_user_agent"`"$request_time"`'
'$http_x_request_id`$upstream_response_time`$upstream_addr`$upstream_connect_time`$upstream_status';
log_format access '$remote_addr`[$time_local]`"$request"`'
'$status`$body_bytes_sent`"$http_referer"`'
'"$http_user_agent"`"$http_x_forwarded_for"`'
'$http_x_request_id`$upstream_response_time`$upstream_addr`$upstream_connect_time`$upstream_status';
# proxy_ignore_client_abort on;
proxy_headers_hash_max_size 2048;
proxy_headers_hash_bucket_size 256;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 60;
server_tokens off;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
client_max_body_size 100m;
client_body_buffer_size 128k;
client_body_temp_path /dev/shm/client_body_temp;
proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
proxy_buffer_size 16k;
proxy_buffers 32 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_temp_path /dev/shm/proxy_temp;
include /etc/nginx/conf.d/*.conf;
}/etc/nginx/conf.d/bind_ui.conf upstream dns_bind_com {
server 127.0.0.1:9090 weight=10 max_fails=0;
}
server {
listen 80;
server_name dns.bind.com;
charset utf-8;
access_log logs/dns.bind.com.log main;
location /static/system/ {
alias /data/webroot/BindUI/upload/system/;
}
location /static/user_image/ {
alias /data/webroot/BindUI/upload/user_image/;
}
location /static {
alias /data/webroot/BindUI/static;
}
location / {
include uwsgi_params;
uwsgi_pass dns_bind_com;
}
}nginx -t systemctl restart nginx ## django admin静态文件加载不了问题 在/data/webroot/BindUI/bindUI/settings.py 最后添加下面设置 STATIC_ROOT = os.path.join(BASE_DIR, "static") STATICFILES_FINDERS = ( "django.contrib.staticfiles.finders.FileSystemFinder", "django.contrib.staticfiles.finders.AppDirectoriesFinder" ) cd /data/webroot/BindUI . /data/pyvenv/BindUI/bin/activate python manage.py collectstatic #生产静态问题,询问覆盖时,输入yes,这时生成了这个目录 /data/webroot/BindUI/static/admin 再把上面添加的配置删除或注释 deactivate 最终访问效果:
|
|
|
