diff --git a/.gitee/ISSUE_TEMPLATE.en.md b/.gitee/ISSUE_TEMPLATE.en.md deleted file mode 100644 index 458911819fd4e6cbadc9228ff1d2f3e0a4d39d06..0000000000000000000000000000000000000000 --- a/.gitee/ISSUE_TEMPLATE.en.md +++ /dev/null @@ -1,23 +0,0 @@ -**Is this a BUG REPORT or FEATURE REQUEST?**: - -> Uncomment only one, leave it on its own line: -> -> - bug -> -> - feature - - -**What happened**: - -**What you expected to happen**: - -**How to reproduce it (as minimally and precisely as possible)**: - -**Anything else we need to know?**: - -**Environment**: -- Version: -- OS (e.g. from /etc/os-release): -- Kernel (e.g. `uname -a`): -- Install tools: -- Others: diff --git a/.gitee/ISSUE_TEMPLATE.zh-CN.md b/.gitee/ISSUE_TEMPLATE.zh-CN.md deleted file mode 100644 index d83eeb568385f4b57166ad51ccb6c414f5f061b7..0000000000000000000000000000000000000000 --- a/.gitee/ISSUE_TEMPLATE.zh-CN.md +++ /dev/null @@ -1,22 +0,0 @@ -**这是一个bug还是新特性?**: - -> 以下两者二选一,请保留一项: -> -> - bug -> -> - 特性 - - -**发生结果**: - -**期望结果**: - -**如何重现(尽量详细)**: - -**补充说明?**: - -**环境情况**: -- 版本: -- 操作系统版本 (e.g. from /etc/os-release): -- 内核版本 (e.g. `uname -a`): -- 其它: diff --git a/.gitee/PULL_REQUEST_TEMPLATE.en.md b/.gitee/PULL_REQUEST_TEMPLATE.en.md deleted file mode 100644 index fb9f653795bc13e5cced21eb4e7a96d655a23c59..0000000000000000000000000000000000000000 --- a/.gitee/PULL_REQUEST_TEMPLATE.en.md +++ /dev/null @@ -1,15 +0,0 @@ - - -**What this PR does / why we need it**: - -**Which issue this PR fixes** *(optional, in `fixes #(, fixes #, ...)` format, will close that issue when PR gets merged)*: fixes # - -**Special notes for your reviewer**: - -**Release note**: - -```release-note -``` diff --git a/.gitee/PULL_REQUEST_TEMPLATE.zh-CN.md b/.gitee/PULL_REQUEST_TEMPLATE.zh-CN.md deleted file mode 100644 index f731c6335b44ab9a37a3006406ddbe062bc3fa86..0000000000000000000000000000000000000000 --- a/.gitee/PULL_REQUEST_TEMPLATE.zh-CN.md +++ /dev/null 
@@ -1,15 +0,0 @@ - - -**PR功能描述 / 为什么需要这个合入**: - -**该PR关联的issue** *(格式为fixes #, 或者resolves #)*: fixes # - -**希望检视人员了解**: - -**Release note**: - -```release-note -``` diff --git a/.gitignore b/.gitignore index 1516e93b72f23cfe2ab4c75ea88b19a12ccc9a1a..03d05707a2ee869bad3ed7089b048f3780fd564b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,9 @@ -public -resources/_gen +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +/node_modules +package-lock.json +.idea/ + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index d7c6119bfa7e3a01bbe2b405dc1f125890462a72..0000000000000000000000000000000000000000 --- a/CONTRIBUTING.md +++ /dev/null 
@@ -1,167 +0,0 @@ -# How to contribute - -### Brief Introduction - -This project is [Apache 2.0](LICENSE) licensed and accepts contributions via pull requests. This document outlines some of the conventions on commit message formatting, contact points for developers and other resources to make getting your contribution easier. - -Before you start, NOTICE that ```master``` branch is development version. ```stable``` branch -provided for customers and users. So all code modifications SHOULD be submitted to -```master``` branch, ```stable``` branch won't accept any commits. - -This repository is integrated by website which will provide the final outline, so please only maintain docs in this repository. -anything others like styles, js are maintained in website as a combined hugo theme. - -Contents oranganized by hugo book which is a framework helping build our own book. -please refer to hugo book [website](https://github.com/alex-shpak/hugo-book) for more detailed information. - -All files are written with MarkDown syntax, please note: If you want to add internal links, -be careful to point to the .html pages corresponding to the .md pages of the folder. - -### Debug local - -This doc only provides running test on linux, please prepare linux server before running -following commands. - -1. Install hugo on server - -hugo can be installed easily after nodejs is ready. - -``` -curl -L https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_0.56.3_Linux-64bit.tar.gz | tar -xz && \ - mv hugo /usr/local/bin/ -``` - -2. Running this repository locally - -``` -hugo serve --bind 0.0.0.0 --port 80 --baseUrl / -``` - -The website will serving on http://your-server-ip:80 - - -### Debug with docker - -1. Build Image - -``` -docker build -t docs:v0.0.1 . -``` - -note: here ```docs``` is the image name, you can change it as you need. - -2. 
Running in container - -``` -docker run -p 80:80 -d docs:v0.0.1 > docs.pid -``` - -The website will serving on http://your-server-ip:80 - -3. Stopping the container - -``` -docker rm -f `cat docs.pid` && rm -f docs.pid -``` - -***Note***: -The defalut language(en) will serving on http://your-server-ip/ -Other language(zh) will serving on http://your-server-ip/zh - -### Add/Modify file - -Before openning a PR, running locally and have a check would be good step that will help -your commits be merged quickly. - -There are two kinds of Markdown file, one is the content files which locates in ```content/docs``` folder. -the other one is the menu file which locates in ```content/menu``` folder. please remember to update menu if -adding new file. - -Note: menu file home file name must be named ```home.md```. - -## Getting help - -- IRC: TODO -- Mail: TODO - -## Report issues - -A great way to contribute to the project is to send a detailed report when you encounter an issue. We always appreciate a well-written, thorough bug report and feature propose, and will thank you for it! - -### Issues format - -When reporting issues, refer to this format: - -- Is this a BUG REPORT or FEATURE REQUEST? -- What happened? -- What you expected to happen? -- What happened? -- How to reproduce it (as minimally and precisely as possible) -- Anything else we need to know? -- Environment - -See more about [ISSUE_TEMPLATE](.github/ISSUE_TEMPLATE.md). - -## Submit pull requests - -If you are a beginner and expect this project as the gate to open source world, this tutorial is one of the best -choices for you. Just follow the guidance and you will find the pleasure to becoming a contributor. - -### Step 1: Fork repository - -Before making modifications of this project, you need to make sure that this project have been forked to your own -repository. 
It means that there will be parallel development between this repo and your own repo, so be careful -to avoid the inconsistency between these two repos. - -### Step 2: Clone the remote repository - -If you want to download the code to the local machine, ```git``` is the best way: -``` -git clone https://your_repo_url/projectname.git -``` - -### Step 3: Develop code locally - -To avoid inconsistency between multiple branches, we SUGGEST checking out to a new branch: -``` -git checkout -b new_branch_name origin/master -``` -Then you can change the code arbitrarily. - -### Step 4: Push the code to the remote repository - -After updating the code, you should push the update in the formal way: -``` -git add . -git status (Check the update status) -git commit -m "Your commit title" -git commit --amend (Add the concrete description of your commit) -git push origin new_branch_name -``` - -### Step 5: Pull a request to repository - -In the last step, your need to pull a compare request between your new branch and development branch. After -finishing the pull request, the CI will be automatically set up for building test. - -### Pull requests format - -When submitting pull requests, refer to this format: - -- What this PR does / why we need it? -- Which issue this PR fixes? -- Special notes for your reviewer -- Release note - -See more about [PULL_REQUEST_TEMPLATE](.github/PULL_REQUEST_TEMPLATE.md). - -### Code style - -```TO BE DEFINED``` - - - - - - - diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index c2012b2450287d3d54be186d230e4efcf98f3f73..0000000000000000000000000000000000000000 --- a/Dockerfile +++ /dev/null 
@@ -1,24 +0,0 @@ -FROM nginx - -MAINTAINER Edward Lee - -RUN apt-get update && \ - apt install curl -y && \ - apt-get install git -y - -ENV HUGO_VERSION=0.68.1 - -RUN mkdir -p /usr/local/src && \ - cd /usr/local/src && \ - curl -L https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.tar.gz | tar -xz && \ - mv hugo /usr/local/bin/ - -COPY . /src/ -RUN cd /src/ && /usr/local/bin/hugo -b / && \ - cp -rf /src/public/* /usr/share/nginx/html/ && \ - chmod -R 755 /usr/share/nginx/html - -ENV RUN_USER nginx -ENV RUN_GROUP nginx -EXPOSE 80 -ENTRYPOINT nginx -g "daemon off;" diff --git a/LICENSE b/LICENSE index 261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64..497481e3ba83d738a68e6168d0daf008eea50d21 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,201 +1,427 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. +Attribution-ShareAlike 4.0 International + +======================================================================= + +Creative Commons Corporation ("Creative Commons") is not a law firm and +does not provide legal services or legal advice. Distribution of +Creative Commons public licenses does not create a lawyer-client or +other relationship. Creative Commons makes its licenses and related +information available on an "as-is" basis. Creative Commons gives no +warranties regarding its licenses, any material licensed under their +terms and conditions, or any related information. Creative Commons +disclaims all liability for damages resulting from their use to the +fullest extent possible. 
+ +Using Creative Commons Public Licenses + +Creative Commons public licenses provide a standard set of terms and +conditions that creators and other rights holders may use to share +original works of authorship and other material subject to copyright +and certain other rights specified in the public license below. The +following considerations are for informational purposes only, are not +exhaustive, and do not form part of our licenses. + + Considerations for licensors: Our public licenses are + intended for use by those authorized to give the public + permission to use material in ways otherwise restricted by + copyright and certain other rights. Our licenses are + irrevocable. Licensors should read and understand the terms + and conditions of the license they choose before applying it. + Licensors should also secure all rights necessary before + applying our licenses so that the public can reuse the + material as expected. Licensors should clearly mark any + material not subject to the license. This includes other CC- + licensed material, or material used under an exception or + limitation to copyright. More considerations for licensors: + wiki.creativecommons.org/Considerations_for_licensors + + Considerations for the public: By using one of our public + licenses, a licensor grants the public permission to use the + licensed material under specified terms and conditions. If + the licensor's permission is not necessary for any reason--for + example, because of any applicable exception or limitation to + copyright--then that use is not regulated by the license. Our + licenses grant only permissions under copyright and certain + other rights that a licensor has authority to grant. Use of + the licensed material may still be restricted for other + reasons, including because others have copyright or other + rights in the material. A licensor may make special requests, + such as asking that all changes be marked or described. 
+ Although not required by our licenses, you are encouraged to + respect those requests where reasonable. More_considerations + for the public: + wiki.creativecommons.org/Considerations_for_licensees + +======================================================================= + +Creative Commons Attribution-ShareAlike 4.0 International Public +License + +By exercising the Licensed Rights (defined below), You accept and agree +to be bound by the terms and conditions of this Creative Commons +Attribution-ShareAlike 4.0 International Public License ("Public +License"). To the extent this Public License may be interpreted as a +contract, You are granted the Licensed Rights in consideration of Your +acceptance of these terms and conditions, and the Licensor grants You +such rights in consideration of benefits the Licensor receives from +making the Licensed Material available under these terms and +conditions. + + +Section 1 -- Definitions. + + a. Adapted Material means material subject to Copyright and Similar + Rights that is derived from or based upon the Licensed Material + and in which the Licensed Material is translated, altered, + arranged, transformed, or otherwise modified in a manner requiring + permission under the Copyright and Similar Rights held by the + Licensor. For purposes of this Public License, where the Licensed + Material is a musical work, performance, or sound recording, + Adapted Material is always produced where the Licensed Material is + synched in timed relation with a moving image. + + b. Adapter's License means the license You apply to Your Copyright + and Similar Rights in Your contributions to Adapted Material in + accordance with the terms and conditions of this Public License. + + c. BY-SA Compatible License means a license listed at + creativecommons.org/compatiblelicenses, approved by Creative + Commons as essentially the equivalent of this Public License. + + d. 
Copyright and Similar Rights means copyright and/or similar rights + closely related to copyright including, without limitation, + performance, broadcast, sound recording, and Sui Generis Database + Rights, without regard to how the rights are labeled or + categorized. For purposes of this Public License, the rights + specified in Section 2(b)(1)-(2) are not Copyright and Similar + Rights. + + e. Effective Technological Measures means those measures that, in the + absence of proper authority, may not be circumvented under laws + fulfilling obligations under Article 11 of the WIPO Copyright + Treaty adopted on December 20, 1996, and/or similar international + agreements. + + f. Exceptions and Limitations means fair use, fair dealing, and/or + any other exception or limitation to Copyright and Similar Rights + that applies to Your use of the Licensed Material. + + g. License Elements means the license attributes listed in the name + of a Creative Commons Public License. The License Elements of this + Public License are Attribution and ShareAlike. + + h. Licensed Material means the artistic or literary work, database, + or other material to which the Licensor applied this Public + License. + + i. Licensed Rights means the rights granted to You subject to the + terms and conditions of this Public License, which are limited to + all Copyright and Similar Rights that apply to Your use of the + Licensed Material and that the Licensor has authority to license. + + j. Licensor means the individual(s) or entity(ies) granting rights + under this Public License. + + k. 
Share means to provide material to the public by any means or + process that requires permission under the Licensed Rights, such + as reproduction, public display, public performance, distribution, + dissemination, communication, or importation, and to make material + available to the public including in ways that members of the + public may access the material from a place and at a time + individually chosen by them. + + l. Sui Generis Database Rights means rights other than copyright + resulting from Directive 96/9/EC of the European Parliament and of + the Council of 11 March 1996 on the legal protection of databases, + as amended and/or succeeded, as well as other essentially + equivalent rights anywhere in the world. + + m. You means the individual or entity exercising the Licensed Rights + under this Public License. Your has a corresponding meaning. + + +Section 2 -- Scope. + + a. License grant. + + 1. Subject to the terms and conditions of this Public License, + the Licensor hereby grants You a worldwide, royalty-free, + non-sublicensable, non-exclusive, irrevocable license to + exercise the Licensed Rights in the Licensed Material to: + + a. reproduce and Share the Licensed Material, in whole or + in part; and + + b. produce, reproduce, and Share Adapted Material. + + 2. Exceptions and Limitations. For the avoidance of doubt, where + Exceptions and Limitations apply to Your use, this Public + License does not apply, and You do not need to comply with + its terms and conditions. + + 3. Term. The term of this Public License is specified in Section + 6(a). + + 4. Media and formats; technical modifications allowed. The + Licensor authorizes You to exercise the Licensed Rights in + all media and formats whether now known or hereafter created, + and to make technical modifications necessary to do so. 
The + Licensor waives and/or agrees not to assert any right or + authority to forbid You from making technical modifications + necessary to exercise the Licensed Rights, including + technical modifications necessary to circumvent Effective + Technological Measures. For purposes of this Public License, + simply making modifications authorized by this Section 2(a) + (4) never produces Adapted Material. + + 5. Downstream recipients. + + a. Offer from the Licensor -- Licensed Material. Every + recipient of the Licensed Material automatically + receives an offer from the Licensor to exercise the + Licensed Rights under the terms and conditions of this + Public License. + + b. Additional offer from the Licensor -- Adapted Material. + Every recipient of Adapted Material from You + automatically receives an offer from the Licensor to + exercise the Licensed Rights in the Adapted Material + under the conditions of the Adapter's License You apply. + + c. No downstream restrictions. You may not offer or impose + any additional or different terms or conditions on, or + apply any Effective Technological Measures to, the + Licensed Material if doing so restricts exercise of the + Licensed Rights by any recipient of the Licensed + Material. + + 6. No endorsement. Nothing in this Public License constitutes or + may be construed as permission to assert or imply that You + are, or that Your use of the Licensed Material is, connected + with, or sponsored, endorsed, or granted official status by, + the Licensor or others designated to receive attribution as + provided in Section 3(a)(1)(A)(i). + + b. Other rights. + + 1. 
Moral rights, such as the right of integrity, are not + licensed under this Public License, nor are publicity, + privacy, and/or other similar personality rights; however, to + the extent possible, the Licensor waives and/or agrees not to + assert any such rights held by the Licensor to the limited + extent necessary to allow You to exercise the Licensed + Rights, but not otherwise. + + 2. Patent and trademark rights are not licensed under this + Public License. + + 3. To the extent possible, the Licensor waives any right to + collect royalties from You for the exercise of the Licensed + Rights, whether directly or through a collecting society + under any voluntary or waivable statutory or compulsory + licensing scheme. In all other cases the Licensor expressly + reserves any right to collect such royalties. + + +Section 3 -- License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the +following conditions. + + a. Attribution. + + 1. If You Share the Licensed Material (including in modified + form), You must: + + a. retain the following if it is supplied by the Licensor + with the Licensed Material: + + i. identification of the creator(s) of the Licensed + Material and any others designated to receive + attribution, in any reasonable manner requested by + the Licensor (including by pseudonym if + designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of + warranties; + + v. a URI or hyperlink to the Licensed Material to the + extent reasonably practicable; + + b. indicate if You modified the Licensed Material and + retain an indication of any previous modifications; and + + c. indicate the Licensed Material is licensed under this + Public License, and include the text of, or the URI or + hyperlink to, this Public License. + + 2. 
You may satisfy the conditions in Section 3(a)(1) in any + reasonable manner based on the medium, means, and context in + which You Share the Licensed Material. For example, it may be + reasonable to satisfy the conditions by providing a URI or + hyperlink to a resource that includes the required + information. + + 3. If requested by the Licensor, You must remove any of the + information required by Section 3(a)(1)(A) to the extent + reasonably practicable. + + b. ShareAlike. + + In addition to the conditions in Section 3(a), if You Share + Adapted Material You produce, the following conditions also apply. + + 1. The Adapter's License You apply must be a Creative Commons + license with the same License Elements, this version or + later, or a BY-SA Compatible License. + + 2. You must include the text of, or the URI or hyperlink to, the + Adapter's License You apply. You may satisfy this condition + in any reasonable manner based on the medium, means, and + context in which You Share Adapted Material. + + 3. You may not offer or impose any additional or different terms + or conditions on, or apply any Effective Technological + Measures to, Adapted Material that restrict exercise of the + rights granted under the Adapter's License You apply. + + +Section 4 -- Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that +apply to Your use of the Licensed Material: + + a. for the avoidance of doubt, Section 2(a)(1) grants You the right + to extract, reuse, reproduce, and Share all or a substantial + portion of the contents of the database; + + b. if You include all or a substantial portion of the database + contents in a database in which You have Sui Generis Database + Rights, then the database in which You have Sui Generis Database + Rights (but not its individual contents) is Adapted Material, + + including for purposes of Section 3(b); and + c. 
You must comply with the conditions in Section 3(a) if You Share + all or a substantial portion of the contents of the database. + +For the avoidance of doubt, this Section 4 supplements and does not +replace Your obligations under this Public License where the Licensed +Rights include other Copyright and Similar Rights. + + +Section 5 -- Disclaimer of Warranties and Limitation of Liability. + + a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE + EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS + AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF + ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, + IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, + WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, + ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT + KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT + ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + + b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE + TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, + NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, + COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR + USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR + DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR + IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + + c. The disclaimer of warranties and limitation of liability provided + above shall be interpreted in a manner that, to the extent + possible, most closely approximates an absolute disclaimer and + waiver of all liability. + + +Section 6 -- Term and Termination. + + a. This Public License applies for the term of the Copyright and + Similar Rights licensed here. 
However, if You fail to comply with + this Public License, then Your rights under this Public License + terminate automatically. + + b. Where Your right to use the Licensed Material has terminated under + Section 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided + it is cured within 30 days of Your discovery of the + violation; or + + 2. upon express reinstatement by the Licensor. + + For the avoidance of doubt, this Section 6(b) does not affect any + right the Licensor may have to seek remedies for Your violations + of this Public License. + + c. For the avoidance of doubt, the Licensor may also offer the + Licensed Material under separate terms or conditions or stop + distributing the Licensed Material at any time; however, doing so + will not terminate this Public License. + + d. Sections 1, 5, 6, 7, and 8 survive termination of this Public + License. + + +Section 7 -- Other Terms and Conditions. + + a. The Licensor shall not be bound by any additional or different + terms or conditions communicated by You unless expressly agreed. + + b. Any arrangements, understandings, or agreements regarding the + Licensed Material not stated herein are separate from and + independent of the terms and conditions of this Public License. + + +Section 8 -- Interpretation. + + a. For the avoidance of doubt, this Public License does not, and + shall not be interpreted to, reduce, limit, restrict, or impose + conditions on any use of the Licensed Material that could lawfully + be made without permission under this Public License. + + b. To the extent possible, if any provision of this Public License is + deemed unenforceable, it shall be automatically reformed to the + minimum extent necessary to make it enforceable. If the provision + cannot be reformed, it shall be severed from this Public License + without affecting the enforceability of the remaining terms and + conditions. + + c. 
No term or condition of this Public License will be waived and no + failure to comply consented to unless expressly agreed to by the + Licensor. + + d. Nothing in this Public License constitutes or may be interpreted + as a limitation upon, or waiver of, any privileges and immunities + that apply to the Licensor or You, including from the legal + processes of any jurisdiction or authority. + + +======================================================================= + +Creative Commons is not a party to its public +licenses. Notwithstanding, Creative Commons may elect to apply one of +its public licenses to material it publishes and in those instances +will be considered the “Licensor.” The text of the Creative Commons +public licenses is dedicated to the public domain under the CC0 Public +Domain Dedication. Except for the limited purpose of indicating that +material is shared under a Creative Commons public license or as +otherwise permitted by the Creative Commons policies published at +creativecommons.org/policies, Creative Commons does not authorize the +use of the trademark "Creative Commons" or any other trademark or logo +of Creative Commons without its prior written consent including, +without limitation, in connection with any unauthorized modifications +to any of its public licenses or any other arrangements, +understandings, or agreements concerning use of licensed material. For +the avoidance of doubt, this paragraph does not form part of the +public licenses. + +Creative Commons may be contacted at creativecommons.org. diff --git a/README-en.md b/README-en.md index 3715c1b9a700b9fb9986d3f39b7c48477e26da8c..bda49b40489de363e69bdb704c60d30fbf42ede5 100644 --- a/README-en.md +++ b/README-en.md 
@@ -1,21 +1,29 @@ # openEuler DOCS +English | [简体中文](./README.md) + ### Introduction -DOCS contains all documents of the openEuler community, including the release notes, OS installation guide, administrator guide, virtualization, container, and A-Tune user guides, and application development guide. +DOCS contains all documents of the openEuler community, including the release notes, OS installation guide, administrator guide, virtualization, container, A-Tune user guides and application development guide. ### Searching for a Document in DOCS -Open the **content** folder. The folder contains documents in Chinese (**zh** folder) and English (**en** folder). The English document is used as an example. In the **en** folder, the **docs** folder contains the content of a specific document, and the **menu** folder contains the overview of the document. +Open the **docs** folder. The folder contains documents in Chinese (**zh** folder) and English (**en** folder). The English document is used as an example. In the **en** folder, the **docs** folder contains the content of a specific document, and the **menu** folder contains the overview of the document. Open the **docs** folder. 
The relationship between guides and folders is as follows: -* **A-Tune**: *A-Tune User Guide* -* **Administrator**: *Administrator Guide* -* **ApplicationDev**: *Application Development Guide* -* **Container**: *Container User Guide* -* **Installation**: *Installation Guide* -* **Quickstart**: *Quick Start* -* **Releasenotes**: *Release Notes* -* **Virtualization**: *Virtualization Application Guide* + +| folder | Content | +|-----|-----| +| **A-Tune** | *A-Tune User Guide* | +| **Administrator** | *Administrator Guide* | +| **ApplicationDev** | *Application Development Guide* | +| **Container** | *Container User Guide* | +| **Installation** | *Installation Guide* | +| **Quickstart** | *Quick Start* +| **Releasenotes** | *Release Notes* +| **SecHarden** | *Security Hardening Guide* | +| **Virtualization** | *Virtualization Application Guide* | +| **userGuide** | *openEuler Toolset User Guide* | +| **StratoVirt** | *StratoVirt User Guide* | ### Modifying a Document 
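Review bot: The rewritten search instructions in this hunk now say "Open the **docs** folder" twice (once in the added line, once in the unchanged line that introduces the table), with "In the **en** folder, the **docs** folder contains ..." in between, so a reader cannot tell which level of `docs` holds the guide folders. README.md in this same patch spells the path out as `docs/zh/docs/20.09`; give the English text the equivalent full path. In the new table, the `| **Quickstart** | *Quick Start*` and `| **Releasenotes** | *Release Notes*` rows are missing the closing `|` that every other row has, and the header cell `folder` should be capitalized to match `Content`.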
@@ -23,24 +31,28 @@ Open the **docs** folder. The relationship between guides and folders is as foll When the openEuler version information is updated, the documents herein also need to be updated. Thank you for providing updates. ### Checking the Relationship Between Versions and Branches -The DOCS contains the following three branches: +The DOCS contains the following four branches: -* **master**: development branch, which is the default branch -* **stable-1.0\_Base**: 1.0 Base version branch, which is displayed in **DOCS** > **1.0 BASE** on the [openEuler community website](https://openeuler.org/) -* **stable-20.03\_LTS**: 20.03 LTS version branch, which is displayed in **DOCS** > **20.03 LTS** on the [openEuler community website](https://openeuler.org/) +| Branch | Description | Documentation | +|--------|-------------|---------------| +| **master** | development branch, which is the default branch || +| **stable2-1.0\_Base** | 1.0 Base version branch | **DOCS** > **1.0 BASE** on the [openEuler community website](https://openeuler.org/) | +| **stable2-20.03\_LTS** | 20.03 LTS version branch | **DOCS** > **20.03 LTS** on the [openEuler community website](https://openeuler.org/) | +| **stable2-20.09** | 20.09 version branch | **DOCS** > **20.09** on the [openEuler community website](https://openeuler.org/) | ### Participating in SIG Create or reply to an issue: You can discuss an issue by creating or replying to an issue. Submit a Pull Request (PR): You can participate in SIG by submitting a PR. -Submit comments: You can submit comments on issues or PRs. +Submit comments: You can submit comments on issues or PRs. You can also comment on the document through **Feedback** on the website document page. We are always pleased to receive PRs from you. 
### Member #### Maintainer List -- Rudy_Tan (@rudy_tan) -- amyMaYun (@amy_mayun) -- fhxing (@fhxing168) +- Rudy_Tan[@rudy_tan](https://gitee.com/rudy_tan) +- amyMaYun[@amy_mayun](https://gitee.com/amy_mayun) +- qiaominna[@qiaominna](https://gitee.com/qiaominna) + ### Contacting Us -E-mails: dev@openeuler.org +E-mails: doc@openeuler.org IRC: #openeuler-doc \ No newline at end of file diff --git a/README.md b/README.md index c84d8fee9e82481d4cc330ae2c6e45ce1df7283b..a9fd16651f5fb5d38c2f66da01abf094783ec3f2 100644 --- a/README.md +++ b/README.md @@ -1,21 +1,30 @@ # openEuler 文档 +[English](./README-en.md) | 简体中文 + ### 介绍 -Docs包含了openEuler社区的所有文档,包括发行说明、操作系统安装,管理员指南,虚拟化和容器的使用指导,A-Tune使用指导,应用开发指导等内容。 +Docs包含了openEuler社区的所有文档,包括发行说明、操作系统安装、管理员指南、虚拟化和容器的使用指导、A-Tune使用指导和应用开发指导等内容。 + ### 如何在Docs中查找文档 -打开“content”文件夹,该文件夹包含了中文(“zh”文件夹)和英文(“en”文件夹)两种语言文档,以中文文档举例进行说明。 -在“zh”文件夹中,“docs”文件夹包含了具体文档的内容,“menu”包含了文档的大纲内容。 -打开“docs”文件夹,各手册和文件夹对应关系如下。 -* A-Tune文件夹对应:A-Tune用户指南 -* Adminnistration文件夹对应手册为:管理员指南 -* ApplicationDev文件夹对应手册为:应用开发指南 -* Container文件夹对应手册为:容器用户指南 -* Installation文件夹对应手册为:安装指南 -* Quickstart文件夹对应手册为:快速入门 -* Releasenotes文件夹对应手册为:发行说明 -* Virtualization文件夹对应手册为:虚拟化应用指南 +打开“docs”文件夹,该文件夹包含了中文(“zh”文件夹)和英文(“en”文件夹)两种语言文档,以中文文档举例进行说明。 +在“zh”文件夹中,进入到目录docs/zh/docs/20.09,“docs”文件夹包含了具体文档的内容,“menu”包含了文档的大纲内容。 +打开“docs”文件夹,各手册和文件夹对应关系如下: + +| 文件夹 | 手册 | +|-----|----| +| A-Tune | A-Tune用户指南 | +| Adminnistration | 管理员指南 | +| ApplicationDev | 应用开发指南 | +| Container | 容器用户指南 | +| Installation | 安装指南 | +| Quickstart | 快速入门 | +| Releasenotes | 发行说明 | +| SecHarden | 安全加固指南 | +| Virtualization | 虚拟化应用指南 | +| userguide | openEuler工具集用户指南 | +| StratoVirt | StratoVrit虚拟化用户指南 | ### 如何修改文档 
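Review bot: The folder column of the table added to README.md does not match the one added to README-en.md: it lists `Adminnistration` (carried over from the removed bullet, where README-en.md has `Administrator`) and `userguide` (README-en.md has `userGuide`). Paths in the repository are case-sensitive, so check both tables against the actual directory names and make them identical. `StratoVrit虚拟化用户指南` in the last row also looks like a misspelling of StratoVirt.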
@@ -24,23 +33,29 @@ Docs包含了openEuler社区的所有文档,包括发行说明、操作系统 请阅读[资料开发流程指导](https://gitee.com/lss410313/docs/wikis/Home)进行操作参考。 ### 如何查看版本分支对应关系 -Docs包含了如下3个分支: -* master:开发分支,为默认分支。 -* stable-1.0_Base:1.0 Base版本分支,分支内容呈现在[openEuler社区](https://openeuler.org/)网站“文档->1.0 BASE。 -* stable-20.03_LTS:20.03 LTS版本分支,分支内容呈现在[openEuler社区](https://openeuler.org/)网站“文档->20.03 LTS”。 + +Docs当前使用如下4个分支: +| 分支 | 说明 | 内容呈现 | +|-----|----|----| +| master | 开发分支,为默认分支|| +| stable2-1.0_Base | 1.0 Base版本分支 | 分支内容呈现在[openEuler社区](https://openeuler.org/)网站“文档->1.0 BASE | +| stable2-20.03_LTS | 20.03 LTS版本分支 | 分支内容呈现在[openEuler社区](https://openeuler.org/)网站“文档->20.03 LTS | +| stable2-20.09 | 20.09 版本分支 | 分支内容呈现在[openEuler社区](https://openeuler.org/)网站“文档->20.09 | + ### 如何参与SIG + 建立或回复 issue:欢迎通过建立或回复 issue 来讨论。 提交PR:欢迎通过提交PR的方式参与SIG。具体操作方法可参考[PR提交指南](https://gitee.com/openeuler/community/blob/master/zh/contributors/pull-request.md)。 -提交评论:欢迎在issue或PR中提交评论。 +提交评论:欢迎在issue或PR中提交评论。 您也可以通过网站文档页的“意见反馈”对文档进行评论。 重要的事说三遍:欢迎提交 PR!欢迎提交 PR!欢迎提交 PR! ### 成员 #### Maintainer 列表 -- Rudy_Tan(@rudy_tan) -- amyMaYun(@amy_mayun) -- fhxing(@fhxing168) +- Rudy_Tan[@rudy_tan](https://gitee.com/rudy_tan) +- amyMaYun[@amy_mayun](https://gitee.com/amy_mayun) +- qiaominna[@qiaominna](https://gitee.com/qiaominna) ### 如何联系我们 -邮件列表: dev@openeuler.org +邮件列表: doc@openeuler.org IRC: #openeuler-doc \ No newline at end of file diff --git a/archetypes/default.md b/archetypes/default.md deleted file mode 100644 index 00e77bd79be44872c0b29256b03799c2fb00c10d..0000000000000000000000000000000000000000 --- a/archetypes/default.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: "{{ replace .Name "-" " " | title }}" -date: {{ .Date }} -draft: true ---- - diff --git a/assets/_custom.scss b/assets/_custom.scss deleted file mode 100644 index 9132fb60596fd0cce86d47583cba560f13bc7a95..0000000000000000000000000000000000000000 --- a/assets/_custom.scss +++ /dev/null @@ -1 +0,0 @@ -@import "variables"; 
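Review bot: In the README.md hunk on this line (`@@ -24,23 +33,29 @@`), the branch table starts directly under `Docs当前使用如下4个分支:` with no blank line between them, which several Markdown renderers need before they treat the `|` rows as a table; add an empty line after the sentence. The three version rows also open a quotation mark in `网站“文档->1.0 BASE` (and the 20.03 LTS and 20.09 equivalents) without the closing `”` that the removed 20.03 LTS bullet had.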
diff --git a/config.toml b/config.toml deleted file mode 100644 index ffde1551e438cd8963e1682fa5d1d8645eec6c90..0000000000000000000000000000000000000000 --- a/config.toml +++ /dev/null 
@@ -1,68 +0,0 @@ -# hugo server --minify --themesDir ... --baseURL=http://0.0.0.0:1313/example - -baseURL = '/' -title = 'Hugo Book' -theme = 'project' -disableKinds = ['taxonomy', 'taxonomyTerm'] -# themesDir = '../..' - -# Book configuration -disablePathToLower = true -enableGitInfo = true -defaultContentLanguage = "en" -defaultContentLanguageInSubdir = false - -uglyURLs = true - -# Code highlight -# pygmentsStyle = 'monokailight' -pygmentsCodeFences = true - -[params] - # (Optional, default 6) Set how many table of contents levels to be showed on page. - # Use false to hide ToC, note that 0 will default to 6 (https://gohugo.io/functions/default/) - # You can also specify this parameter per page in front matter - BookToC = 3 - - # (Optional, default none) Set leaf bundle to render as side menu - # When not specified file structure and weights will be used - BookMenuBundle = '/menu' - - # (Optional, default docs) Specify section of content to render as menu - # You can also set value to '*' to render all sections to menu - #BookSection = 'docs' - - # (Optional) This value is duplicate of $link-color for making active link highlight in menu bundle mode - # BookMenuBundleActiveLinkColor = '\#004ed0' - - # Set source repository location. - # Used for 'Last Modified' and 'Edit this page' links. - BookRepo = 'https://gitee.com/openeuler/docs' - - # Enable "Edit this page" links for 'doc' page type. - # Disabled by default. Uncomment to enable. Requires 'BookRepo' param. - # Path must point to 'content' directory of repo. - BookEditPath = 'master/content' - - # Configure the date format used on the pages - # - In git information - # - In blog posts - BookDateFormat = 'Jan 2, 2006' - - # (Optional, default true) Enables search function with lunr.js, - # Index is built on fly, therefore it might slowdown your website. 
- BookSearch = true - - bookFlatSection = true - bookHidden = true - - -[languages] - -[languages.en] - languageCode = "en-us" - contentDir = "content/en" - -[languages.zh] - languageCode = "zh-cn" - contentDir = "content/zh" diff --git a/config.yaml b/config.yaml deleted file mode 100644 index 59d0ddc5a69c14e3094489dabec67dc5c68deffe..0000000000000000000000000000000000000000 --- a/config.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -# hugo server --minify --themesDir ... --baseURL=http://0.0.0.0:1313/example - -baseURL: https://example.com/ -title: Hugo Book -theme: hugo-book -disableKinds: ['taxonomy', 'taxonomyTerm'] -# themesDir: ../.. - -# Book configuration -disablePathToLower: true -enableGitInfo: true - -# Code highlight -# pygmentsStyle: monokailight -pygmentsCodeFences: true - -params: - # (Optional, default 6) Set how many table of contents levels to be showed on page. - # Use false/off to hide ToC, note that 0 will default to 6 (https://gohugo.io/functions/default/) - # You can also specify this parameter per page in front matter - BookToC: 3 - - # (Optional, default none) Set leaf bundle to render as side menu - # When not specified file structure and weights will be used - BookMenuBundle: /menu - - # (Optional, default docs) Specify section of content to render as menu - # You can also set value to '*' to render all sections to menu - BookSection: docs - - # (Optional) This value is duplicate of $link-color for making active link highlight in menu bundle mode - # BookMenuBundleActiveLinkColor: "\#004ed0" - - # Set source repository location. - # Used for 'Last Modified' and 'Edit this page' links. - BookRepo: https://github.com/alex-shpak/hugo-book - - # Enable "Edit this page" links for 'doc' page type. - # Disabled by default. Uncomment to enable. Requires 'BookRepo' param. - # Path must point to 'content' directory of repo. - BookEditPath: edit/master/exampleSite/content - - # Configure the date format used on the pages - # - In git information - # - In blog posts - BookDateFormat: 'Jan 2, 2006' - - # (Optional, default true) Enables search function with lunr.js, - # Index is built on fly, therefore it might slowdown your website. - BookSearch: true 
diff --git a/content/en/docs/A-Tune/figures/en-us_image_0227497343.png b/content/en/docs/A-Tune/figures/en-us_image_0227497343.png deleted file mode 100644 index b614ad05d1f687b344f6bc1ff2f7e72938968aee..0000000000000000000000000000000000000000 Binary files a/content/en/docs/A-Tune/figures/en-us_image_0227497343.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/adding-the-inst-noverifyssl-parameter.png b/content/en/docs/Installation/figures/adding-the-inst-noverifyssl-parameter.png deleted file mode 100644 index f56a7dd0c45acf8a4c3a735ed623eaccd19bfaef..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/adding-the-inst-noverifyssl-parameter.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/advanced-user-configuration.png b/content/en/docs/Installation/figures/advanced-user-configuration.png deleted file mode 100644 index c7d708ba1b466b514c978b738f67b15723f8bc2e..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/advanced-user-configuration.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/completing-the-installation.png b/content/en/docs/Installation/figures/completing-the-installation.png deleted file mode 100644 index 6e7fb79328124e1eb03d7c2aa57d4bcb3b592d3c..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/completing-the-installation.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/creating-a-user.png b/content/en/docs/Installation/figures/creating-a-user.png deleted file mode 100644 index 8203597a9f82d2aac03987fd9c381d55eb6b40c8..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/creating-a-user.png and /dev/null differ 
diff --git a/content/en/docs/Installation/figures/error-message.png b/content/en/docs/Installation/figures/error-message.png deleted file mode 100644 index 0349567af5b1695a611b8c32219b469bcf2170e8..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/error-message.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/installation-process.png b/content/en/docs/Installation/figures/installation-process.png deleted file mode 100644 index 202ef0ce7f371417d6371867c1f3bfff6d07cd91..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/installation-process.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/installation-summary.png b/content/en/docs/Installation/figures/installation-summary.png deleted file mode 100644 index d74f2eeae91338c4e8a9a9c03b19361df89ac388..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/installation-summary.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/installation-wizard.png b/content/en/docs/Installation/figures/installation-wizard.png deleted file mode 100644 index 0ee099a675eee71fdeb3ba3ad0f30e0be20d7af3..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/installation-wizard.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/manual-partitioning-page.png b/content/en/docs/Installation/figures/manual-partitioning-page.png deleted file mode 100644 index c14540e86c178f28d34be24eebd8c487ca377783..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/manual-partitioning-page.png and /dev/null differ 
diff --git a/content/en/docs/Installation/figures/password-of-the-root-account.png b/content/en/docs/Installation/figures/password-of-the-root-account.png deleted file mode 100644 index 16f77d9ce59c0bf082915c2e958513fcc6244af9..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/password-of-the-root-account.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/selecting-a-language.png b/content/en/docs/Installation/figures/selecting-a-language.png deleted file mode 100644 index 2f41e205b0c8f97eee950e8ce3f44b953f1c2c71..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/selecting-a-language.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/selecting-installation-software.png b/content/en/docs/Installation/figures/selecting-installation-software.png deleted file mode 100644 index 79ea7b97705c91af1fa6cd8fb47a0a15fa3607cf..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/selecting-installation-software.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/semi-automatic-installation.png b/content/en/docs/Installation/figures/semi-automatic-installation.png deleted file mode 100644 index dcdfb60e3e77594c59cfbaaece61881347cd4032..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/semi-automatic-installation.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/setting-a-system-language.png b/content/en/docs/Installation/figures/setting-a-system-language.png deleted file mode 100644 index 79f6d5b959abaa20d077e3d0d82a2cb05bc428d6..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/setting-a-system-language.png and /dev/null differ 
diff --git a/content/en/docs/Installation/figures/setting-date-and-time.png b/content/en/docs/Installation/figures/setting-date-and-time.png deleted file mode 100644 index 9a18de4816560da52bd5e6f6a5d8c0f1a0ddde13..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/setting-date-and-time.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/setting-the-installation-destination.png b/content/en/docs/Installation/figures/setting-the-installation-destination.png deleted file mode 100644 index 7dd9ba0fd65069492156fc31d3b9adbc7965de98..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/setting-the-installation-destination.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/setting-the-installation-source.png b/content/en/docs/Installation/figures/setting-the-installation-source.png deleted file mode 100644 index 94990f7c3071d7153203a2d75cf6632b1505beda..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/setting-the-installation-source.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/setting-the-keyboard-layout.png b/content/en/docs/Installation/figures/setting-the-keyboard-layout.png deleted file mode 100644 index 9aa9d72da79ca7d89c36949926ff272edc83592c..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/setting-the-keyboard-layout.png and /dev/null differ diff --git a/content/en/docs/Installation/figures/setting-the-network-and-host-name.png b/content/en/docs/Installation/figures/setting-the-network-and-host-name.png deleted file mode 100644 index ddfb08fac47b8b4681cca2f5ce18c4258f365ac0..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/setting-the-network-and-host-name.png and /dev/null differ 
diff --git a/content/en/docs/Installation/figures/starting-installation.png b/content/en/docs/Installation/figures/starting-installation.png deleted file mode 100644 index fb9ca40b29b63430744920c88e8069a92a3d2ff2..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Installation/figures/starting-installation.png and /dev/null differ diff --git a/content/en/docs/Installation/installation-preparations.md b/content/en/docs/Installation/installation-preparations.md deleted file mode 100644 index d2c7c150e474250a861a0d9f47c4869ecb53600d..0000000000000000000000000000000000000000 --- a/content/en/docs/Installation/installation-preparations.md +++ /dev/null 
@@ -1,255 +0,0 @@ -# Installation Preparations - -This section describes the compatibility of the hardware and software and the related configurations and preparations required for the installation. - - - -- [Installation Preparations](#installation-preparations) - - [Obtaining the Installation Source](#obtaining-the-installation-source) - - [Release Package Integrity Check](#release-package-integrity-check) - - [Introduction](#introduction) - - [Prerequisites](#prerequisites) - - [Procedure](#procedure) - - [Installation Requirements for PMs](#installation-requirements-for-pms) - - [Hardware Compatibility](#hardware-compatibility) - - [Minimum Hardware Specifications](#minimum-hardware-specifications) - - [Installation Requirements for VMs](#installation-requirements-for-vms) - - [Virtualization Platform Compatibility](#virtualization-platform-compatibility) - - [Minimum Virtualization Space](#minimum-virtualization-space) - - - -## Obtaining the Installation Source - -Obtain the openEuler release package and verification file before the installation. - -Perform the following operations to obtain the openEuler release package: - -1. Log in to the [openEuler Community](https://openeuler.org) website. -2. Click **Download**. -3. Click the link provided after **Download ISO**. The download list is displayed. -4. Click **openEuler-20.03-LTS**. The openEuler 20.03 LTS version download list is displayed. -5. Click **ISO**. The ISO download list is displayed. - - **aarch64**: ISO image file of the AArch64 architecture - - **x86\_64**: ISO image file of the x86\_64 architecture - - **source**: ISO image file of the openEuler source code - -6. Select the openEuler release package and verification file to be downloaded based on the architecture of the environment to be installed. - - If the AArch64 architecture is used: - 1. Click **aarch64**. - 2. Click **openEuler-20.03-LTS-aarch64-dvd.iso** to download the openEuler release package to the local host. - 3. 
Click **openEuler-20.03-LTS-aarch64-dvd.iso.sha256sum** to download the openEuler verification file to the local host. - - - If the x86\_64 architecture is used: - 1. Click **x86\_64**. - 2. Click **openEuler-20.03-LTS-x86\_64-dvd.iso** to download the openEuler release package to the local host. - 3. Click **openEuler-20.03-LTS-x86\_64-dvd.iso.sha256sum** to download the openEuler verification file to the local host. - -## Release Package Integrity Check - ->![](C:/Users/Administrator/Downloads/openDocs/docs/content/en/docs/Installation/public_sys-resources/icon-note.gif) **NOTE:** ->This section describes how to verify the integrity of the release package in the AArch64 architecture. The procedure for verifying the integrity of the release package in the x86\_64 architecture is the same. - -### Introduction - -To prevent the software package from being incompletely downloaded due to network or storage device faults during transmission, you need to verify the integrity of the software package after obtaining it. Only the software packages that pass the verification can be installed. - -Compare the verification value recorded in the verification file with the .iso file verification value calculated manually to check whether the software package passes the verification. If the verification values are consistent, the .iso file is not damaged. If they are inconsistent, you can confirm that the file is damaged and you need to obtain the file again. - -### Prerequisites - -Before verifying the integrity of the release package, you need to prepare the following files: - -ISO file: **openEuler-20.03-LTS-aarch64-dvd.iso** - -Verification file: **openEuler-20.03-LTS-aarch64-dvd.iso.sha256sum** - -### Procedure - -To verify the file integrity, perform the following operations: - -1. Obtain the verification value in the verification file. Run the following command: - - ``` - #cat openEuler-20.03-LTS-aarch64-dvd.iso.sha256sum - ``` - -2. 
Calculate the SHA256 verification value of the file. Run the following command: - - ``` - #sha256sum openEuler-20.03-LTS-aarch64-dvd.iso - ``` - - After the command is run, the verification value is displayed. - -3. Check whether the values calculated in step 1 and step 2 are consistent. - - If the verification values are consistent, the .iso file is not damaged. If they are inconsistent, you can confirm that the file is damaged and you need to obtain the file again. - -## Installation Requirements for PMs - -To install the openEuler OS on a PM, the PM must meet the following hardware compatibility and minimum hardware requirements. - -### Hardware Compatibility - -You need to take hardware compatibility into account during openEuler installation. [Table 1](#table14948632047) describes the types of supported servers. - ->![](C:/Users/Administrator/Downloads/openDocs/docs/content/en/docs/Installation/public_sys-resources/icon-note.gif) **NOTE:** -> ->- TaiShan 200 servers are backed by Huawei Kunpeng 920 processors. ->- Currently, only Huawei TaiShan and FusionServer Pro servers are supported. More servers from other vendors will be supported in the future. - -**Table 1** Supported servers - - - - - - - - - - - - - - - - - -

Server Type

-

Server Name

-

Server Model

-

Rack server

-

TaiShan 200

-

2280 balanced model

-

Rack server

-

FusionServer Pro

-

FusionServer Pro 2288H V5

-
NOTE:

The server must be configured with the Avago SAS3508 RAID controller card and the LOM-X722 NIC.

-
-
- -### Minimum Hardware Specifications - -[Table 2](#tff48b99c9bf24b84bb602c53229e2541) lists the minimum hardware specifications supported by openEuler. - -**Table 2** Minimum hardware specifications - - - - - - - - - - - - - - - - - - - - - - - - - -

Component

-

Minimum Hardware Specifications

-

Description

-

Architecture

-
  • AArch64
  • x86_64
-
  • 64-bit Arm architecture
  • 64-bit Intel x86 architecture
-

CPU

-
  • Huawei Kunpeng 920 series
  • Intel ® Xeon® processor
-

-

-

Memory

-

≥ 4 GB (8 GB or higher recommended for better user experience)

-

-

-

Hard disk

-

≥ 120 GB (for better user experience)

-

The hard disk supports IDE, SATA, SAS interfaces.

-
- -## Installation Requirements for VMs - -To install the openEuler OS on a VM, the VM must meet the following hardware compatibility and minimum hardware requirements. - -### Virtualization Platform Compatibility - -When installing openEuler, pay attention to the compatibility of the virtualization platform. Currently, the following virtualization platforms are supported: - -- A virtualization platform created by the virtualization components \(openEuler as the host OS and QEMU and KVM provided in the release package\) of openEuler -- x86 virtualization platform of Huawei public cloud - -### Minimum Virtualization Space - -[Table 3](#tff48b99c9bf24b84bb602c53229e2541) lists the minimum virtualization space required by openEuler. - -**Table 3** Minimum virtualization space - - - - - - - - - - - - - - - - - - - - - - - - - -

Component

-

Minimum Virtualization Space

-

Description

-

Architecture

-
  • AArch64
  • x86_64
-

-

-

CPU

-

Two CPUs

-

-

-

Memory

-

≥ 4 GB (8 GB or higher recommended for better user experience)

-

-

-

Hard disk

-

≥ 32 GB (120 GB or higher recommended for better user experience)

-

-

-
- - - - - - - - - - - - - - - - - - - diff --git a/content/en/docs/Quickstart/figures/advanced-user-configuration.png b/content/en/docs/Quickstart/figures/advanced-user-configuration.png deleted file mode 100644 index c7d708ba1b466b514c978b738f67b15723f8bc2e..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/advanced-user-configuration.png and /dev/null differ diff --git a/content/en/docs/Quickstart/figures/completing-the-installation.png b/content/en/docs/Quickstart/figures/completing-the-installation.png deleted file mode 100644 index 6e7fb79328124e1eb03d7c2aa57d4bcb3b592d3c..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/completing-the-installation.png and /dev/null differ diff --git a/content/en/docs/Quickstart/figures/creating-a-user.png b/content/en/docs/Quickstart/figures/creating-a-user.png deleted file mode 100644 index 8203597a9f82d2aac03987fd9c381d55eb6b40c8..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/creating-a-user.png and /dev/null differ diff --git a/content/en/docs/Quickstart/figures/installation-summary.png b/content/en/docs/Quickstart/figures/installation-summary.png deleted file mode 100644 index d74f2eeae91338c4e8a9a9c03b19361df89ac388..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/installation-summary.png and /dev/null differ diff --git a/content/en/docs/Quickstart/figures/installation-wizard.png b/content/en/docs/Quickstart/figures/installation-wizard.png deleted file mode 100644 index 0ee099a675eee71fdeb3ba3ad0f30e0be20d7af3..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/installation-wizard.png and /dev/null differ 
diff --git a/content/en/docs/Quickstart/figures/password-of-the-root-account.png b/content/en/docs/Quickstart/figures/password-of-the-root-account.png deleted file mode 100644 index 16f77d9ce59c0bf082915c2e958513fcc6244af9..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/password-of-the-root-account.png and /dev/null differ diff --git a/content/en/docs/Quickstart/figures/selecting-a-language.png b/content/en/docs/Quickstart/figures/selecting-a-language.png deleted file mode 100644 index 2f41e205b0c8f97eee950e8ce3f44b953f1c2c71..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/selecting-a-language.png and /dev/null differ diff --git a/content/en/docs/Quickstart/figures/selecting-installation-software.png b/content/en/docs/Quickstart/figures/selecting-installation-software.png deleted file mode 100644 index 79ea7b97705c91af1fa6cd8fb47a0a15fa3607cf..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/selecting-installation-software.png and /dev/null differ diff --git a/content/en/docs/Quickstart/figures/setting-the-installation-destination.png b/content/en/docs/Quickstart/figures/setting-the-installation-destination.png deleted file mode 100644 index 7dd9ba0fd65069492156fc31d3b9adbc7965de98..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/setting-the-installation-destination.png and /dev/null differ diff --git a/content/en/docs/Quickstart/figures/starting-installation.png b/content/en/docs/Quickstart/figures/starting-installation.png deleted file mode 100644 index fb9ca40b29b63430744920c88e8069a92a3d2ff2..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Quickstart/figures/starting-installation.png and /dev/null differ 
diff --git a/content/en/docs/Quickstart/quick-start.md b/content/en/docs/Quickstart/quick-start.md deleted file mode 100644 index aec39101da082efdc375548a4fe42db476f92dfa..0000000000000000000000000000000000000000 --- a/content/en/docs/Quickstart/quick-start.md +++ /dev/null @@ -1,338 +0,0 @@ -# Quick Start - -This document uses openEuler 20.03 LTS installed on the TaiShan 200 server as an example to describe how to quickly install and use openEuler OS. For details about the installation requirements and methods, see [openEuler 20.03 LTS Installation Guide](https://openeuler.org/en/docs/20.03_LTS/docs/Installation/Installation.html). - - -- [Quick Start](#quick-start) - - [Installation Preparations](#installation-preparations) - - [Obtaining the Installation Source](#obtaining-the-installation-source) - - [Release Package Integrity Check](#release-package-integrity-check) - - [Starting the Installation](#starting-the-installation) - - [Installation](#installation) - - [Viewing System Information](#viewing-system-information) - - - -## Installation Preparations - -- Hardware Compatibility - - [Table 1](#table14948632047) describes the types of supported servers. - - **Table 1** Supported servers - - - - - - - - - - - - - - - - -

Server Type

-

Server Name

-

Server Model

-

Rack server

-

TaiShan 200

-

2280 balanced model

-

Rack server

-

FusionServer Pro

-

FusionServer Pro 2288H V5

-
NOTE:

The server must be configured with the Avago SAS3508 RAID controller card and the LOM-X722 NIC.

-
-
- -- Minimum Hardware Specifications - - [Table 2](#tff48b99c9bf24b84bb602c53229e2541) lists the minimum hardware specifications supported by openEuler. - - **Table 2** Minimum hardware specifications - - - - - - - - - - - - - - - - - - - - - - - - -

Component

-

Minimum Hardware Specifications

-

Description

-

Architecture

-
  • AArch64
  • x86_64
-
  • 64-bit Arm architecture
  • 64-bit Intel x86 architecture
-

CPU

-
  • Huawei Kunpeng 920 series
  • Intel ® Xeon® processor
-

-

-

Memory

-

≥ 4 GB (8 GB or higher recommended for better user experience)

-

-

-

Hard disk

-

≥ 120 GB (for better user experience)

-

The hard disk supports IDE, SATA, SAS interfaces.

-
- - -## Obtaining the Installation Source - -Perform the following operations to obtain the openEuler release package: - -1. Log in to the [openEuler Community](https://openeuler.org) website. -2. Click **Download**. -3. Click the link provided after **Download ISO**. The download list is displayed. -4. Click **openEuler-20.03-LTS**. The openEuler 20.03 LTS version download list is displayed. -5. Click **ISO**. The ISO download list is displayed. - - **aarch64**: ISO image file of the AArch64 architecture - - **x86\_64**: ISO image file of the x86\_64 architecture - - **source**: ISO image file of the openEuler source code - -6. Select the openEuler release package and verification file to be downloaded based on the architecture of the environment to be installed. - - If the AArch64 architecture is used: - 1. Click **aarch64**. - 2. Click **openEuler-20.03-LTS-aarch64-dvd.iso** to download the openEuler release package to the local host. - 3. Click **openEuler-20.03-LTS-aarch64-dvd.iso.sha256sum** to download the openEuler verification file to the local host. - - - If the x86\_64 architecture is used: - 1. Click **x86\_64**. - 2. Click **openEuler-20.03-LTS-x86\_64-dvd.iso** to download the openEuler release package to the local host. - 3. Click **openEuler-20.03-LTS-x86\_64-dvd.iso.sha256sum** to download the openEuler verification file to the local host. - - - -## Release Package Integrity Check - -To prevent incomplete download of the software package due to network or storage device problems during the transmission, you can perform the following steps to check the integrity of the obtained openEuler software package: - -1. Obtain the verification value in the verification file. Run the following command: - - ``` - #cat openEuler-20.03-LTS-aarch64-dvd.iso.sha256sum - ``` - -2. Calculate the SHA256 verification value of the file. 
Run the following command: - - ``` - #sha256sum openEuler-20.03-LTS-aarch64-dvd.iso - ``` - - After the command is run, the verification value is displayed. - -3. Check whether the values calculated in step 1 and step 2 are consistent. - - If the verification values are consistent, the .iso file is not damaged. If they are inconsistent, you can confirm that the file is damaged and you need to obtain the file again. - - -## Starting the Installation - -1. Log in to the iBMC WebUI. - - For details, see [TaiShan 200 Server User Guide \(Model 2280\)](https://support.huawei.com/enterprise/en/doc/EDOC1100093459). - -2. Choose **Configuration** from the main menu, and select **Boot Device** from the navigation tree. The **Boot Device** page is displayed. - - Set **Effective** and **Boot Medium** to **One-time** and **DVD-ROM**, respectively, and click **Save**, as shown in [Figure 1](#fig1011938131018). - - **Figure 1** Setting the boot device - ![](figures/setting-the-boot-device.png "setting-the-boot-device") - -3. Choose **Remote Console** from the main menu. The **Remote Console** page is displayed. - - Select an integrated remote console as required to access the remote virtual console, for example, **Java Integrated Remote Console \(Shared\)**. - -4. On the toolbar, click the icon shown in the following figure. - - **Figure 2** Drive icon - ![](figures/drive-icon.png "drive-icon") - - An image dialog box is displayed, as shown in the following figure. - - **Figure 3** Image dialog box - ![](figures/image-dialog-box.png "image-dialog-box") - -5. Select **Image File** and then click **Browse**. The **Open** dialog box is displayed. -6. Select the image file and click **Open**. In the image dialog box, click **Connect**. If **Connect** changes to **Disconnect**, the virtual CD/DVD-ROM drive is connected to the server. -7. On the toolbar, click the restart icon shown in the following figure to restart the device. 
- - **Figure 4** Restart icon - ![](figures/restart-icon.png "restart-icon") - -8. A boot menu is displayed after the system restarts, as shown in [Figure 5](#fig1648754873314). - - >![](public_sys-resources/icon-note.gif) **NOTE:** - >- If you do not perform any operations within 1 minute, the system automatically selects the default option **Test this media & install openEuler 20.03 LTS** and enters the installation page. - >- During PM installation, if you cannot use the arrow keys to select boot options and the system does not respond after you press **Enter**, click ![](figures/en-us_image_0229420473.png) on the BMC page and configure **Key & Mouse Reset**. - - **Figure 5** Installation Wizard - - -9. On the installation wizard page, press **Enter** to select the default option **Test this media & install openEuler 20.03 LTS** to enter the GUI installation page. - -## Installation - -After entering the GUI installation page, perform the following operations to install the system: - -1. Set an installation language. The default language is English. You can change the language based on the site requirements, as shown in [Figure 6](#fig874344811484). - - **Figure 6** Selecting a language - - -2. On the **INSTALLATION SUMMARY** page, set configuration items based on the site requirements. - - - A configuration item with an alarm symbol must be configured. When the alarm symbol disappears, you can perform the next operation. - - A configuration item without an alarm symbol is configured by default. - - You can click **Begin Installation** to install the system only when all alarms are cleared. - - **Figure 7** Installation summary - - - 1. Select **Software Selection** to set configuration items. - - Based on the site requirements, select **Minimal Install** on the left box and select an add-on in the **Add-Ons for Selected Environment** area on the right, as shown in [Figure 8](#fig1133717611109). 
- - **Figure 8** Selecting installation software - - - >![](public_sys-resources/icon-note.gif) **NOTE:** - >- In **Minimal Install** mode, not all packages in the installation source will be installed. If the required package is not installed, you can mount the installation source to the local PC and configure a repo source, and use DNF to install the package. - >- If you select **Virtual Host**, the virtualization components QEMU, libvirt, and edk2 are installed by default. You can select whether to install the OVS component in the add-on area. - - After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. - - 2. Select **Installation Destination** to set configuration items. - - On the **INSTALLATION DESTINATION** page, select a local storage device. - - >![](public_sys-resources/icon-notice.gif) **NOTICE:** - >When selecting the device to be installed, you are advised not to use the NVMe SSD storage medium as the OS installation disk. - - You also need to configure the storage to partition the system. You can either manually configure partitions or select **Automatic** to automatically configure partitioning. Select **Automatic** if the software is installed in a new storage device or the data in the storage device is not required, as shown in [Figure 9](#fig153381468101). - - **Figure 9** Setting the installation destination - - - >![](public_sys-resources/icon-note.gif) **NOTE:** - >- During partitioning, to ensure system security and performance, you are advised to divide the device into the following partitions: **/boot**, **/var**, **/var/log**, **/var/log/audit**, **/home**, and **/tmp**. - >- If the system is configured with the swap partition, the swap partition is used when the physical memory of the system is insufficient. 
Although the swap partition can be used to expand the physical memory, if the swap partition is used due to insufficient memory, the system response slows and the system performance deteriorates. Therefore, you are not advised to configure the swap partition in the system with sufficient physical memory or the performance sensitive system. - >- If you need to split a logical volume group, select **Custom** to manually partition the logical volume group. On the **MANUAL PARTITIONING** page, click **Modify** in the **Volume Group** area to reconfigure the logical volume group. - - After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. - - 3. Set other configuration items. You can use the default values for other configuration items. - -3. Click **Begin Installation** to install the system, as shown in [Figure 10](#fig1717019357392). - - **Figure 10** Starting installation - - -4. Set the root user password. - - Click **Root Password**. In the displayed dialog box, as shown in [Figure 11](#en-us_topic_0186390266_en-us_topic_0122145909_fig1323165793018), enter a password and re-enter to confirm. - - >![](public_sys-resources/icon-note.gif) **NOTE:** - >The **root** password must be configured when you install software packages. Otherwise, the installation will fail. A **root** account is used for performing critical system administration tasks. It is not recommended to use this account for daily work or system access. - - The password of the **root** user must meet the password complexity requirements. Otherwise, the password configuration or user creation will fail. The password complexity requirements are as follows: - - - A password must contain at least eight characters. - - A password must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters. - - A password must be different from the account name. 
- - A password cannot contain words in the dictionary. - - >![](public_sys-resources/icon-note.gif) **NOTE:** - > In the installed openEuler environment, you can run the `cracklib-unpacker /usr/share/cracklib/pw_dict > dictionary.txt` command to export the dictionary library file **dictionary.txt**, and then check whether the password is in the dictionary. - - **Figure 11** Password of the **root** account - - -5. Create a user. - - Click **User Creation**. [Figure 12](#en-us_topic_0186390266_en-us_topic_0122145909_fig1237715313319) shows the page for creating a user. Enter a username and set a password. The password complexity requirements are the same as those of the user **root**. By clicking **Advanced**, you can also configure a home directory and a user group, as shown in [Figure 13](#en-us_topic_0186390266_en-us_topic_0122145909_fig128716531312). - - **Figure 12** Creating a user - - - **Figure 13** Advanced user configuration - - - After configuration, click **Done** in the left-upper corner to switch back to the installation process page. - -6. After the installation is complete, restart the system. - - openEuler has been installed, as shown in [Figure 14](#en-us_topic_0186390267_en-us_topic_0122145917_fig1429512116338). Click **Reboot** to restart the system. - - **Figure 14** Completing the installation - - - -## Viewing System Information - -After the system is installed and restarted, the system CLI login page is displayed. Enter the username and password set during the installation to log in to openEuler OS and view the following system information. For details about system management and configuration, see the [openEuler 20.03 LTS Administrator Guide](https://openeuler.org/en/docs/20.03_LTS/docs/Administration/administration.html). 
- -- Run the following command to view the system information: - - ``` - cat /etc/os-release - ``` - - For example, the command and output are as follows: - - ``` - # cat /etc/os-release - NAME="openEuler" - VERSION="20.09" - ID="openEuler" - VERSION_ID="20.09" - PRETTY_NAME="openEuler 20.09" - ANSI_COLOR="0;31" - ``` - -- View system resource information. - - Run the following command to view the CPU information: - - ``` - lscpu - ``` - - Run the following command to view the memory information: - - ``` - free - ``` - - Run the following command to view the disk information: - - ``` - fdisk -l - ``` - -- Run the following command to view the IP address: - - ``` - ip addr - ``` - - diff --git a/content/en/docs/Releasenotes/key-features.md b/content/en/docs/Releasenotes/key-features.md deleted file mode 100644 index 9590ee5de7e7c3e07ea69341207b44d69c1db228..0000000000000000000000000000000000000000 --- a/content/en/docs/Releasenotes/key-features.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# Key Features - -- iSula lightweight container solution, unified IoT, and edge and cloud computing container solutions - - Shortens a trace chain by three levels, and the memory usage of hundreds of containers is significantly lower than that of the Docker engine. - - Supports standard open-source container runtime interface \(CRI\) and open container initiative \(OCI\) and flexibly interconnects with multiple OCI runtimes such as runC and Kata. - - Secure container: combines the virtualization technology and container technology to ensure better isolation of secure containers. - - System container: supports local file system startup to implement quick deployment, and supports systemd deployment to improve user namespace isolation. - -- Kunpeng acceleration engine \(KAE\), supporting encryption and decryption acceleration - - Digest algorithm SM3, which supports asynchronous models. - - Symmetric encryption algorithm SM4, which supports asynchronous models and CTR, XTS, and CBC modes. - - Symmetric encryption algorithm AES, which supports asynchronous models and ECB, CTR, XTS, and CBC modes. - - Asymmetric algorithm RSA, which supports asynchronous models and key sizes 1024, 2048, 3072, and 4096. - - Key negotiation algorithm DH, which supports asynchronous models and key sizes 768, 1024, 1536, 2048, 3072, and 4096. - - -- A-Tune intelligent system performance optimization engine, inferring service features and configuring optimal system parameters to ensure optimal service running -- Enhancing the performance of glibc, zlib, and gzip and fully using the NEON instruction set of AArch64 to improve the basic library performance -- Kernel feature enhancement - - Supports ARM64 kernel hot patches. - - Numa Aware Qspinlock: reduces cache/bus conflicts across NUMA nodes. - - Optimizes the IOVA page table lookup and release algorithms to improve the performance of the IOMMU subsystem. 
- - Optimizes the implementation of CRC32 and checksum based on ARM64 instructions and pipeline features, greatly improving data verification performance. - - Supports ARM v8.4 Memory System Resource Partitioning and Monitoring \(MPAM\). -- virtualization feature enhancement - - Interruption virtualization optimization: The process for an IRQfd to inject an interrupt is optimized, greatly improving the performance of high-performance passthrough devices (sush as NICs and SSDs). - - Memory virtualization optimization: The Kunpeng hardware feature is used to improve the memory loading speed during VM startup. - - Storage virtualization optimization: NUMA affinity self-binding is optimized for the iSCSI module **kworker** to improve the I/O performance of IP SAN disks. - diff --git a/content/en/docs/Releasenotes/known-issues.md b/content/en/docs/Releasenotes/known-issues.md deleted file mode 100644 index aad4be328d247d0ea0bf51c9163aaf856318f4e1..0000000000000000000000000000000000000000 --- a/content/en/docs/Releasenotes/known-issues.md +++ /dev/null 
@@ -1,11 +0,0 @@ -# Known Issues - -- The FIPS boot mode of the kernel has not been fully authenticated. The FIPS boot may be abnormal. [I17Z18](https://gitee.com/src-openeuler/crypto-policies/issues/I17Z18?from=project-issue) -- When libvirt is used to start the GlusterFS VM, a 300-byte memory leak occurs each time. For details about the discussion, click [https://github.com/gluster/glusterfs/issues/818](https://github.com/gluster/glusterfs/issues/818). [I185CH](https://gitee.com/src-openeuler/glusterfs/issues/I185CH?from=project-issue) -- When the libvirt interface is used to continuously perform disk hot swap operations, there is a possibility that the hot remove interface returns a success message, but the disk is not removed and cannot be hot swapped again. You can stop the VM and then restart it. [I1C72L](https://gitee.com/src-openeuler/qemu/issues/I1C72L?from=project-issue) -- There is a low probability that an unknown installation exception occurs when the x86\_64 VM is used for installation. In this case, install the x86\_64 VM again. [I1C8HS](https://gitee.com/src-openeuler/anaconda/issues/I1C8HS?from=project-issue) -- CVE-2012-0039: When a local application calls the **g\_str\_hash** function, the application continuously consumes CPU resources, causing DoS attacks. This issue will not be resolved in the community. -- CVE-2015-9541: When Qt attempts to parse the abnormal SVG files which are constructed to launch exponential XML entity extension attacks, the memory may be insufficient. For details about the discussion, click [https://codereview.qt-project.org/c/qt/qtbase/+/293909](https://codereview.qt-project.org/c/qt/qtbase/+/293909). -- Before compiling some open-source packages, you need to install basic software such as GDB, GCC, and make. Otherwise, the compilation fails due to lack of dependency. -- AArch64 and x86\_64 have different definitions of the character type. 
As a result, an error is reported during the self-check using Coreutils, Augeas, and Diffutils. You can add the **--fsigned-char** compilation option to solve the problem. - diff --git a/content/en/docs/Releasenotes/release_notes.md b/content/en/docs/Releasenotes/release_notes.md deleted file mode 100644 index 2ddacc438016ed80eb04e163e1a17986ed0abb00..0000000000000000000000000000000000000000 --- a/content/en/docs/Releasenotes/release_notes.md +++ /dev/null @@ -1 +0,0 @@ -This document is the release notes for the openEuler 20.03 LTS release version. \ No newline at end of file diff --git a/content/en/docs/Releasenotes/resolved-issues.md b/content/en/docs/Releasenotes/resolved-issues.md deleted file mode 100644 index 5d2d7831aec011a3bc52381f88f5694db3097261..0000000000000000000000000000000000000000 --- a/content/en/docs/Releasenotes/resolved-issues.md +++ /dev/null @@ -1,75 +0,0 @@ -# Resolved Issues - -For details about the complete issue list, click [https://gitee.com/organizations/src-openeuler/issues](https://gitee.com/organizations/src-openeuler/issues). - -For details about the complete kernel submission records, click [https://gitee.com/openeuler/kernel/commits/openEuler-1.0-LTS](https://gitee.com/openeuler/kernel/commits/openEuler-1.0-LTS). - -[Table 1](#table249714911433) lists the resolved issues. - -**Table 1** Resolved issues - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Issue

-

Description

-

I1BJTF

-

[Kernel bug] The lscpu command on the ARM server cannot be used to display the CPU dominant frequency, and the CPU cache is incorrect.

-

I1BWPD

-

Failed to pull an image using the isula pull or curl pull command.

-

I1BV56

-

Delete redundant gpg sig file for shadow-4.6.

-

I1BV38

-

The unbuffer command is unavailable.

-

I1BA9B

-

The arping -w parameter is invalid.

-

I1AV3S

-

The oops error occurs when the latest LTP pty03 test case is executed.

-

I1AZ1I

-

500 scheduled tasks are started. After 4 to 5 minutes, the tasks cannot be processed and the system stops responding.

-

I1AH2C

-

The warning information captured when the Kata container fails to be started is insufficient for fault locating. More errors need to be printed.

-

I1AGXO

-

In kata-runtime remote mode, the kata-runtime kill is not called when the isula rm -f command is executed. As a result, residual data exists.

-

I1AF39

-

The soft lockup is found when the open function is triggered in the ext4 file system.

-

I1ADUD

-

Isulad breaks down when a pod is created using kubectl.

-
- diff --git a/content/en/docs/Virtualization/figures/virtual-network-structure.png b/content/en/docs/Virtualization/figures/virtual-network-structure.png deleted file mode 100644 index 5f33ec1554b398715fb63835ac0cb6b763fa77b0..0000000000000000000000000000000000000000 Binary files a/content/en/docs/Virtualization/figures/virtual-network-structure.png and /dev/null differ diff --git a/content/en/menu/index.md b/content/en/menu/index.md deleted file mode 100644 index c954b2d3f2f749220a4042b26bdfe00f8b4334b4..0000000000000000000000000000000000000000 --- a/content/en/menu/index.md +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -headless: true - - ---- - -- [Terms of Use]({{< relref "./docs/Releasenotes/terms-of-use.md" >}}) -- [Release Notes]({{< relref "./docs/Releasenotes/release_notes.md" >}}) - - [User Notice]({{< relref "./docs/Releasenotes/user-notice.md" >}}) - - [Introduction]({{< relref "./docs/Releasenotes/introduction.md" >}}) - - [Installing the OS]({{< relref "./docs/Releasenotes/installing-the-os.md" >}}) - - [Key Features]({{< relref "./docs/Releasenotes/key-features.md" >}}) - - [Known Issues]({{< relref "./docs/Releasenotes/known-issues.md" >}}) - - [Resolved Issues]({{< relref "./docs/Releasenotes/resolved-issues.md" >}}) - - [Common Vulnerabilities and Exposures \(CVE\)]({{< relref "./docs/Releasenotes/common-vulnerabilities-and-exposures-(cve).md" >}}) - - [Source Code]({{< relref "./docs/Releasenotes/source-code.md" >}}) - - [Contribution]({{< relref "./docs/Releasenotes/contribution.md" >}}) - - [Acknowledgement]({{< relref "./docs/Releasenotes/acknowledgement.md" >}}) - -- [Quick Start]({{< relref "./docs/Quickstart/quick-start.md" >}}) -- [Installation Guide]({{< relref "./docs/Installation/Installation.md" >}}) - - [Installation Preparations]({{< relref "./docs/Installation/installation-preparations.md" >}}) - - [Installation Mode]({{< relref "./docs/Installation/installation-mode.md" >}}) - - [Installation Guideline]({{< relref "./docs/Installation/installation-guideline.md" >}}) - - [Using Kickstart for Automatic Installation]({{< relref "./docs/Installation/using-kickstart-for-automatic-installation.md" >}}) - - [FAQs]({{< relref "./docs/Installation/faqs.md" >}}) - -- [Administrator Guide]({{< relref "./docs/Administration/administration.md" >}}) - - [Viewing System Information]({{< relref "./docs/Administration/viewing-system-information.md" >}}) - - [Basic Configuration]({{< relref "./docs/Administration/basic-configuration.md" >}}) - - [User and User Group Management]({{< relref 
"./docs/Administration/user-and-user-group-management.md" >}}) - - [Using the DNF to Manage Software Packages]({{< relref "./docs/Administration/using-the-dnf-to-manage-software-packages.md" >}}) - - [Service Management]({{< relref "./docs/Administration/service-management.md" >}}) - - [Process Management]({{< relref "./docs/Administration/process-management.md" >}}) - - [Configuring the Network]({{< relref "./docs/Administration/configuring-the-network.md" >}}) - - [Managing Hard Disks Through LVM]({{< relref "./docs/Administration/managing-hard-disks-through-lvm.md" >}}) - - [Using the KAE]({{< relref "./docs/Administration/using-the-kae.md" >}}) - - [Configuring Services]({{< relref "./docs/Administration/configuring-services.md" >}}) - - [Configuring the Repo Server]({{< relref "./docs/Administration/configuring-the-repo-server.md" >}}) - - [Configuring the FTP Server]({{< relref "./docs/Administration/configuring-the-ftp-server.md" >}}) - - [Configuring the Web Server]({{< relref "./docs/Administration/configuring-the-web-server.md" >}}) - - [Setting Up the Database Server]({{< relref "./docs/Administration/setting-up-the-database-server.md" >}}) - - [FAQs]({{< relref "./docs/Administration/faqs.md" >}}) - - -- [Virtualization User Guide]({{< relref "./docs/Virtualization/virtualization.md" >}}) - - [Introduction to Virtualization]({{< relref "./docs/Virtualization/introduction-to-virtualization.md" >}}) - - [Installation to Virtualization]({{< relref "./docs/Virtualization/installation-to-virtualization.md" >}}) - - [Environment Preparation]({{< relref "./docs/Virtualization/environment-preparation.md" >}}) - - [VM Configuration]({{< relref "./docs/Virtualization/vm-configuration.md" >}}) - - [Managing VMs]({{< relref "./docs/Virtualization/managing-vms.md" >}}) - - [VM Live Migration]({{< relref "./docs/Virtualization/vm-live-migration.md" >}}) - - [System Resource Management]({{< relref "./docs/Virtualization/system-resource-management.md" >}}) - - 
[Managing Devices]({{< relref "./docs/Virtualization/managing-devices.md" >}}) - - [Best Practices]({{< relref "./docs/Virtualization/best-practices.md" >}}) - - [Appendix]({{< relref "./docs/Virtualization/appendix.md" >}}) - - -- [Container User Guide]({{< relref "./docs/Container/container.md" >}}) - - [iSulad Container Engine]({{< relref "./docs/Container/isulad-container-engine.md" >}}) - - [Installation, Upgrade and Uninstallation]({{< relref "./docs/Container/installation-upgrade-Uninstallation.md" >}}) - - [Installation and Configuration]({{< relref "./docs/Container/installation-configuration.md" >}}) - - [Upgrade Methods]({{< relref "./docs/Container/upgrade-methods.md" >}}) - - [Uninstallation]({{< relref "./docs/Container/uninstallation.md" >}}) - - - [Application Scenarios]({{< relref "./docs/Container/application-scenarios.md" >}}) - - [Container Management]({{< ref "./docs/Container/container-management.md" >}}) - - [Interconnection with the CNI Network]({{< ref "./docs/Container/interconnection-with-the-cni-network.md" >}}) - - [Container Resource Management]({{< ref "./docs/Container/container-resource-management.md" >}}) - - [Privileged Container]({{< ref "./docs/Container/privileged-container.md" >}}) - - [CRI]({{< ref "./docs/Container/cri.md" >}}) - - [Image Management]({{< ref "./docs/Container/image-management.md" >}}) - - [Checking the Container Health Status]({{< ref "./docs/Container/checking-the-container-health-status.md" >}}) - - [Querying Information]({{< ref "./docs/Container/querying-information.md" >}}) - - [Security Features]({{< ref "./docs/Container/security-features.md" >}}) - - [Supporting OCI hooks]({{< ref "./docs/Container/supporting-oci-hooks.md" >}}) - - [Appendix]({{< ref "./docs/Container/appendix.md" >}}) - - - [System Container]({{< relref "./docs/Container/system-container.md" >}}) - - [Installation Guideline]({{< relref "./docs/Container/installation-guideline.md" >}}) - - [Usage Guide]({{< relref 
"./docs/Container/usage-guide.md" >}}) - - [Specifying Rootfs to Create a Container]({{< ref "./docs/Container/specifying-rootfs-to-create-a-container.md" >}}) - - [Using systemd to Start a Container]({{< ref "./docs/Container/using-systemd-to-start-a-container.md" >}}) - - [Reboot or Shutdown in a Container]({{< ref "./docs/Container/reboot-or-shutdown-in-a-container.md" >}}) - - [Configurable Cgroup Path]({{< ref "./docs/Container/configurable-cgroup-path.md" >}}) - - [Writable Namespace Kernel Parameters]({{< ref "./docs/Container/writable-namespace-kernel-parameters.md" >}}) - - [Shared Memory Channels]({{< ref "./docs/Container/shared-memory-channels.md" >}}) - - [Dynamically Loading the Kernel Module]({{< ref "./docs/Container/dynamically-loading-the-kernel-module.md" >}}) - - [Environment Variable Persisting]({{< ref "./docs/Container/environment-variable-persisting.md" >}}) - - [Maximum Number of Handles]({{< ref "./docs/Container/maximum-number-of-handles.md" >}}) - - [Security and Isolation]({{< ref "./docs/Container/security-and-isolation.md" >}}) - - [Dynamically Managing Container Resources \(syscontainer-tools\)]({{< ref "./docs/Container/dynamically-managing-container-resources-(syscontainer-tools).md" >}}) - - [Appendix]({{< ref "./docs/Container/appendix-1.md" >}}) - - - [Secure Container]({{< relref "./docs/Container/secure-container.md" >}}) - - [Installation and Deployment]({{< relref "./docs/Container/installation-and-deployment-1.md" >}}) - - [Application Scenarios]({{< relref "./docs/Container/application-scenarios-2.md" >}}) - - [Managing the Lifecycle of a Secure Container]({{< ref "./docs/Container/managing-the-lifecycle-of-a-secure-container.md" >}}) - - [Configuring Resources for a Secure Container]({{< ref "./docs/Container/configuring-resources-for-a-secure-container.md" >}}) - - [Configuring Networking for a Secure Container]({{< ref "./docs/Container/configuring-networking-for-a-secure-container.md" >}}) - - [Monitoring Secure 
Containers]({{< ref "./docs/Container/monitoring-secure-containers.md" >}}) - - [Appendix]({{< ref "./docs/Container/appendix-2.md" >}}) - - - [Docker Container]({{< relref "./docs/Container/docker-container.md" >}}) - - [Installation and Deployment]({{< relref "./docs/Container/installation-and-deployment-2.md" >}}) - - [Container Management]({{< ref "./docs/Container/container-management-1.md" >}}) - - [Image Management]({{< ref "./docs/Container/image-management-1.md" >}}) - - [Command Reference]({{< ref "./docs/Container/command-reference.md" >}}) - - [Container Engine]({{< ref "./docs/Container/container-engine.md" >}}) - - [Container Management]({{< ref "./docs/Container/container-management-2.md" >}}) - - [Image Management]({{< ref "./docs/Container/image-management-2.md" >}}) - - [Statistics]({{< ref "./docs/Container/statistics.md" >}}) - - -- [A-Tune User Guide]({{< relref "./docs/A-Tune/A-Tune.md" >}}) - - [Getting to Know A-Tune]({{< relref "./docs/A-Tune/getting-to-know-a-tune.md" >}}) - - [Installation and Deployment]({{< relref "./docs/A-Tune/installation-and-deployment.md" >}}) - - [Application Scenarios]({{< relref "./docs/A-Tune/application-scenarios.md" >}}) - - [FAQs]({{< relref "./docs/A-Tune/faqs.md" >}}) - - [Appendixes]({{< relref "./docs/A-Tune/appendixes.md" >}}) - - - -- [Application Development Guide]({{< relref "./docs/ApplicationDev/application-development.md" >}}) - - [Preparation]({{< relref "./docs/ApplicationDev/preparation.md" >}}) - - [Using GCC for Compilation]({{< relref "./docs/ApplicationDev/using-gcc-for-compilation.md" >}}) - - [Using Make for Compilation]({{< relref "./docs/ApplicationDev/using-make-for-compilation.md" >}}) - - [Using JDK for Compilation]({{< relref "./docs/ApplicationDev/using-jdk-for-compilation.md" >}}) - - [Building an RPM Package]({{< relref "./docs/ApplicationDev/building-an-rpm-package.md" >}}) \ No newline at end of file 
diff --git a/content/zh/docs/A-Tune/figures/zh-cn_image_0227497343.png b/content/zh/docs/A-Tune/figures/zh-cn_image_0227497343.png deleted file mode 100644 index 6db5a0793fe3068c7519d9a157abc856560e71b2..0000000000000000000000000000000000000000 Binary files a/content/zh/docs/A-Tune/figures/zh-cn_image_0227497343.png and /dev/null differ diff --git "a/content/zh/docs/Container/isula-build\346\236\204\345\273\272\345\267\245\345\205\267.md" "b/content/zh/docs/Container/isula-build\346\236\204\345\273\272\345\267\245\345\205\267.md" deleted file mode 100644 index 174a2ed26e8a86923768c59c958a65a9c9414f6e..0000000000000000000000000000000000000000 --- "a/content/zh/docs/Container/isula-build\346\236\204\345\273\272\345\267\245\345\205\267.md" +++ /dev/null 
@@ -1,798 +0,0 @@ -# isula-build容器镜像构建 - -## 概述 - -### 简介 - -isula-build是iSula团队推出的容器镜像构建工具,安装部署过程简单,通过Dockerfile文件可以迅速构建出容器镜像。其中,isula-build提供命令行工具,isula-builder常驻后台,处理客户端请求。 - -- 该工具目前所支持功能: - 1. ctr-img,构建容器镜像。 - 1. build,根据给定dockerfile构建出容器镜像。 - 2. images,列出本地容器镜像。 - 3. import,导入容器基础镜像。 - 4. load,导入层叠镜像。 - 5. rm,删除本地镜像。 - 6. save,导出容器镜像至本地磁盘。 - 7. tag,给本地容器镜像打tag。 - 2. login,登陆容器镜像仓库。 - 3. logout,登出容器镜像仓库。 - 4. version,查看版本号。 -- isula-build包含主要特性: - 1. 兼容Dockerfile语法。 - 3. 支持文件系统扩展属性,如Selinux、IMA、EVM等。 - 4. 支持多种镜像导出格式,可以直接将构建镜像结果推送至iSulad或docker。 - -### 快速引导 - -#### 安装部署 - -- rpm包安装 - - ``` - sudo rpm -ivh isula-build-*.rpm && systemctl start isula-build - ``` - -- yum安装 - - 推荐该方式,只需要配置openEuler yum源即可。 - - ``` - sudo yum install -y isula-build && systemctl start isula-build - ``` - - 说明: - - isula-build 构建时依赖 runc,当你安装时需要再安装单独的docker-runc或完整的docker-engine。 - -#### 示例 - -- 新建buildDir目录,在该目录下创建一个dockerfile文件,内容如下: - - ``` - FROM busybox:latest - MAINTAINER "someone" - RUN ["touch", "bar"] - LABEL foo=bar - EXPOSE 8888/udp - EXPOSE 9999/tcp - ENV a=hello - ARG word - ADD ./* /home/ - COPY ./* /home/dir1/ - VOLUME ["var/log"] - STOPSIGNAL 15 - HEALTHCHECK --interval=5m --timeout=3s --retries=1 - CMD ["pwd"] - SHELL ["pwd"] - ``` - -- 在该目录下使用isula-build构建镜像,过程如下: - - ``` - $ sudo isula-build ctr-img build -f dockerfile . 
- STEP 1: FROM busybox:latest - STEP 2: MAINTAINER "someone" - STEP 3: RUN ["touch", "bar"] - STEP 4: LABEL foo=bar - STEP 5: EXPOSE 8888/udp - STEP 6: EXPOSE 9999/tcp - STEP 7: ENV a=hello - STEP 8: ARG word - STEP 9: ADD ./* /home/ - STEP 10: COPY ./* /home/dir1/ - STEP 11: VOLUME ["var/log"] - STEP 12: STOPSIGNAL 15 - STEP 13: HEALTHCHECK --interval=5m --timeout=3s --retries=1 CMD ["pwd"] - STEP 14: SHELL ["pwd"] - Getting image source signatures - Copying blob sha256:e9235582825a2691b1c91a96580e358c99acfd48082cbf1b92fd2ba4a791efc3 - Copying blob sha256:dc3bca97af8b81508c343b13a08493c7809b474dc25986fcbae90c6722201be3 - Copying config sha256:9ec92a8819f9da1b06ea9ff83307ff859af2959b70bfab101f6a325b1a211549 - Writing manifest to image destination - Storing signatures - Build success with image id: 9ec92a8819f9da1b06ea9ff83307ff859af2959b70bfab101f6a325b1a211549 - ``` - -- 列出所构建镜像。 - - ``` - $ sudo isula-build ctr-img images - ----------------- ----------- ---------------- ---------------------------------------------- - REPOSITORY TAG IMAGE ID CREATED - ------------------ ---------- ---------------- ---------------------------------------------- - foo latest 9ec92a8819f9 2020-06-11 07:45:39.265106109 +0000 UTC - ``` - -- 删除镜像。 - - ``` - $ sudo isula-build ctr-img rm 9ec92a8819f9 - Deleted: sha256:86567f7a01b04c662a9657aac436e8d63ecebb26da4252abb016d177721fa11b - ``` - -#### 重点特性 - -- isula-build兼容dockerfile语法。 -- isula-build可以将构建好的容器镜像直接导入到iSulad、dockerd、registry和本地tar包。 - - - -#### 集成 - -关于iSulad和docker的集成,详情见[与容器引擎集成](#与容器引擎集成)。 - -### 注意事项 - -关于相关约束限制以及与docker build的区别详情见[使用注意事项](#使用注意事项)。 - - - -## 使用指南 - -### 配置 - -isula-builder 包含如下配置文件: - -- /etc/isula-build/configuration.toml:isula-builder 总配置文件,包含设置 isula-builder 日志级别、持久化目录和运行时目录、OCI runtime等。 - 1. debug:设置是否打开debug日志,可选参数:true、false。 - 2. loglevel:设置日志级别,可选参数:“debug”、“info”、“warn”、“error”。 - 3. run_root:设置运行时数据根目录。 - 4. data_root:设置本地持久化目录。 - 5. 
runtime:设置runtime种类,目前支持runc。 -- /etc/isula-build/storage.toml: 本地持久化存储的配置文件,包含所使用的存储驱动的配置。 - 1. driver:存储驱动类型,目前支持overlay2。 - 2. runroot:临时存储目录。 - 3. graphroot:可读写的镜像存储目录。 - 4. 更多设置可参考 [containers-storage.conf.5.md](https://github.com/containers/storage/blob/master/docs/containers-storage.conf.5.md)。 -- /etc/isula-build/registries.toml : 针对各个镜像仓库的配置文件,含可用的镜像仓库列表、镜像仓库黑名单。 - 1. registries.search:镜像仓库搜索域,在此list的镜像仓库可以被感知,不在此列的不被感知。 - 2. registries.insecure:可访问的不安全镜像仓库地址,在此列表中的镜像仓库将不会通过鉴权,不推荐使用。 - 3. 更多设置可参考 [containers-registries.conf.5.md](https://github.com/containers/image/blob/master/docs/containers-registries.conf.5.md)。 -- /etc/isula-build/policy.json:镜像pull/push策略文件。注:当前不支持对其进行配置 - -在启动 isula-builder 服务之前,先对服务按需配置,在还未熟悉配置的情况下,也可以直接使用rpm包安装的默认配置直接启动服务。 - -说明: - -以上配置文件,isula-build 支持最大 1M 的配置文件。 - -### 启动服务 - -#### 通过systemd启动 - -1. 配置需在上述配置文件中进行修改。 - - - 启动 isula-build 服务: - - ``` - systemctl start isula-build.service - ``` - - - 停止 isula-build 服务: - - ``` - systemctl stop isula-build.service - ``` - - - 重启 isula-builder 服务: - - ``` - systemctl restart isula-build.service - ``` - - - 查看 isula-build 服务的运行日志: - - ``` - journalctl -u isula-build - ``` - -2. 修改完配置文件后,需使用如下命令使配置生效。 - - ``` - systemctl daemon-reload - ``` - -#### 直接运行二进制启动 - -部分配置可通过isula-builder的flag进行设置,例如: - -``` -isula-builder --dataroot "/var/lib/isula-build" --debug=false -``` - -#### isula-builder目前支持的flags - -``` - --dataroot string persistent dir (default "/var/lib/isula-build") - -D, --debug print debugging information (default true) - -h, --help help for isula-builder - --log-level string The log level to be used. Either "debug", "info", "warn" or "error". 
(default "info") - --runroot string runtime dir (default "/var/run/isula-build") - --storage-driver string storage-driver (default "overlay") - --storage-opt strings storage driver option (default [overlay.mountopt=nodev]) - --version version for isula-builder -``` - -- -d, --debug: 是否开启调测模式。 -- --log-level: 日志级别,支持 "debug", "info", "warn" or "error",默认为 "info"。 -- --dataroot: 本地持久化路径,默认为"/var/lib/isula-build/"。 -- --runroot: 运行时路径,默认为"/var/run/isula-build/"。 -- --storage-driver:底层存储驱动类型。 -- --storage-opt: 底层存储驱动配置。 - -当命令行启动参数中传递了与配置文件相同的配置选项,优先使用命令行参数启动。 - -### 子命令使用 - -目前 isula-build提供了如下对于容器镜像(ctr-img)操作的功能: - -- build,根据给定dockerfile构建出容器镜像。 -- images,列出本地容器镜像。 -- import,导入容器基础镜像。 -- load,导入层叠镜像。 -- rm,删除本地容器镜像。 -- save, 导出层叠镜像至本地磁盘。 -- tag,给本地容器镜像打tag。 - -同时提供了如下通用指令: - -- info,查看isula-build的运行环境和系统信息。 -- login,登入远端容器镜像仓库。 -- logout,从远端容器镜像仓库登出。 -- version,查看isula-build和isula-builder的版本号。 -- completion(隐式提供),生成bash环境命令补全脚本。 - -#### 容器镜像构建 - -``` -isula-build ctr-img build -``` - -其中 build 包含如下 flags: - -1. --build-arg:string列表,构建过程中需要用到的变量。 -2. --build-static:KV值,构建二进制一致性。目前包含如下K值: - 1. build-time:string,使用固定时间戳来构建容器镜像;时间戳格式为“YYYY-MM-DD HH-MM-SS”。 -3. -f, --filename:string,Dockerfile的路径,不指定则是使用当前路径的Dockerfile文件。 -4. --iidfile:string,输出 image ID 到本地文件。 -5. -o, --output:string,镜像导出的方式和路径。 -6. --proxy:布尔值,继承主机侧环境的proxy环境变量(默认为true)。 -7. --tag:string,设置构建成功的镜像的tag值。 -8. --cap-add:string列表,构建过程中RUN指令所需要的权限。 - -以下为各个 flags 的详解。 - -- **--build-arg** - - 从命令行接受参数作为Dockerfile中的参数,用法: - - ``` - isula-build ctr-img build --build-arg foo=bar -f Dockerfile - ``` - - ``` - $ echo "This is bar file" > bar.txt - $ cat Dockerfile_arg - FROM busybox - ARG foo - ADD ${foo}.txt . 
- RUN cat ${foo}.txt - $ sudo isula-build ctr-img build --build-arg foo=bar -f Dockerfile_arg - STEP 1: FROM busybox - Getting image source signatures - Copying blob sha256:8f52abd3da461b2c0c11fda7a1b53413f1a92320eb96525ddf92c0b5cde781ad - Copying config sha256:e4db68de4ff27c2adfea0c54bbb73a61a42f5b667c326de4d7d5b19ab71c6a3b - Writing manifest to image destinationStoring signatures - STEP 2: ARG foo - STEP 3: ADD ${foo}.txt . - STEP 4: RUN cat ${foo}.txt - This is bar file - Getting image source signatures - Copying blob sha256:6194458b07fcf01f1483d96cd6c34302ffff7f382bb151a6d023c4e80ba3050a - Copying blob sha256:6bb56e4a46f563b20542171b998cb4556af4745efc9516820eabee7a08b7b869 - Copying config sha256:39b62a3342eed40b41a1bcd9cd455d77466550dfa0f0109af7a708c3e895f9a2 - Writing manifest to image destination - Storing signatures - Build success with image id: 39b62a3342eed40b41a1bcd9cd455d77466550dfa0f0109af7a708c3e895f9a2 - ``` - -- **--build-static** - - 指定为静态构建,则isula-build会消除所有时间戳差异,同时消除其他构建过程差异,包括:容器ID、hsotname等, 最终构建出能满足BEP要求的容器镜像。 - - 在使用isula-build进行容器镜像构建时,假如给 build 子命令一个固定的时间戳,并在限定如下条件的时候: - - - 构建环境前后保持一致。 - - 构建Dockerfile前后保持一致。 - - 构建产生的中间数据前后保持一致。 - - 构建命令相同。 - - 第三方库版本一致。 - - 对于容器镜像构建,isula-build支持相同的Dockerfile。如果构建环境相同,则多次构建生成的镜像内容和镜像ID相同。 - - --build-static接受k=v形式的键值对选项,当前支持的选项有: - - - build-time:字符串类型。构建静态镜像的固定时间戳,格式为“YYYY-MM-DD HH-MM-SS”。时间戳影响diff层创建修改时间的文件属性。 - - 使用方式如下: - - ``` - $ sudo isula-build ctr-img build -f Dockerfile --build-static='build-time=2020-05-23 10:55:33' . 
- ``` - - 以此方式,同一环境多次构建出来的容器镜像和镜像ID均会保持一致。 - -- **--iidfile** - - 将构建的镜像ID输出到文件,用法: - - ``` - isula-build ctr-img build --iidfile testfile - ``` - - ``` - $ sudo isula-build ctr-img build -f Dockerfile_arg --iidfile testfile - - $ cat testfile - 76cbeed38a8e716e22b68988a76410eaf83327963c3b29ff648296d5cd15ce7b - ``` - -- **-o, --output** - - 目前 -o, --output 支持如下形式: - - - `isulad:image:tag`:将构建成功的镜像直接推送到 iSulad。比如:`-o isulad:busybox:latest`。同时需要注意如下约束: - - isula-build 和 iSulad 必须在同一个节点上 - - tag必须配置 - - isula-build client端需要将构建成功的镜像暂存成 /var/tmp/isula-build-tmp-%v.tar 再导入至 iSulad,用户需要保证 /var/tmp/ 目录有足够磁盘空间 - - `docker-daemon:image:tag`:将构建成功的镜像直接推送到 Docker daemon。比如:`-o docker-daemon:busybox:latest`。同时需要注意如下约束: - - isula-build 和 docker 必须在同一个节点上 - - tag必须配置 - - `docker://registry.example.com/repository:tag`:将构建成功的镜像直接推送到远端镜像仓库。比如:`-o docker://localhost:5000/library/busybox:latest`。 - - `docker-archive:/:image:tag`:将构建成功的镜像以Docker image的格式保存至本地。比如:`-o docker-archive:/root/image.tar:busybox:latest`。 - - 除去各个flags之外,build子命令的命令行最后还会接收一个argument,该argument类型是string,意义为context,即该Dockerfile构建环境的上下文。该参数默认值为isula-build被执行的当前路径。该路径会影响 .dockerignore 和 Dockerfile的ADD/COPY指令 所检索的路径。 - -- **--proxy** - - 选择构建时RUN指令启动的容器是否从环境上继承proxy相关环境变量"http_proxy","https_proxy","ftp_proxy","no_proxy","HTTP_PROXY","HTTPS_PROXY","FTP_PROXY","NO_PROXY",默认为true。 - - 当用户在Dockerfile配置proxy相关ARG或ENV,将覆盖所继承的环境变量。 - - 注意:若client与daemon不在同一个终端运行,所能继承的环境变量为daemon所在终端的环境变量。 - -- **--tag** - - 设置镜像构建成功之后,该镜像在本地磁盘存储时的tag。 - -- **--cap-add** - - 添加构建过程中RUN指令所需权限,用法: - - ``` - isula-build ctr-img build --cap-add CAP_SYS_ADMIN --cap-add CAP_SYS_PTRACE -f Dockerfile - ``` - -说明: - -isula-build最大支持并发构建100个容器镜像、支持Dockerfile最大1M、支持 .dockerignore 最大 1M - -#### 查看本地持久化构建镜像 - -可通过images命令查看当前本地持久化存储的镜像: - -``` -$ sudo isula-build ctr-img images ----------------------------------------------- ----------- ----------------- -------------------------- ------------ -REPOSITORY TAG IMAGE ID CREATED SIZE 
----------------------------------------------- ----------- ----------------- -------------------------- ------------ -localhost:5000/library/alpine latest a24bb4013296 2020-20-19 19:59:197 5.85 MB - 39b62a3342ee 2020-20-38 38:66:387 1.45 MB ----------------------------------------------- ----------- ----------------- -------------------------- ------------ -``` - -#### 导入容器基础镜像 - -openEuler会随版本发布一个容器基础镜像,比如openEuler-docker.x86_64.tar.xz。可以通过ctr-img import指令将它导入。 - -命令原型如下: - -``` -isula-build ctr-img import [flags] -``` - -使用举例: - -``` -$ sudo isula-build ctr-img import ./openEuler-docker.x86_64.tar.xz openeuler:20.03 -Import success with image id: 7317851cd2ab33263eb293f68efee9d724780251e4e92c0fb76bf5d3c5585e37 -$ sudo isula-build ctr-img images ----------------------------------------------- -------------------- ----------------- ------------------------ ------------ -REPOSITORY TAG IMAGE ID CREATED SIZE ----------------------------------------------- -------------------- ----------------- ------------------------ ------------ -openeuler 20.03 7317851cd2ab 2020-08-01 06:25:34 500 MB ----------------------------------------------- -------------------- ----------------- ------------------------ ------------ -``` - -说明: - -isula-build 支持导入最大1G的容器基础镜像 - -#### 导入层叠镜像 - -层叠镜像指的是通过 docker save 或 isula-build ctr-img save 等指令,将一个构建完成的镜像保存至本地之后,镜像压缩包内是一层一层 layer.tar 的镜像包。可以通过 ctr-img load 指令将它导入至 isula-build。 - -命令原型如下: - -``` -isula-build ctr-img load [flags] -``` - -使用举例如下: - -``` -$ sudo isula-build ctr-img load -i ubuntu.tarGetting image source signatures -Copying blob sha256:cf612f747e0fbcc1674f88712b7bc1cd8b91cf0be8f9e9771235169f139d507c -Copying blob sha256:f934e33a54a60630267df295a5c232ceb15b2938ebb0476364192b1537449093 -Copying blob sha256:943edb549a8300092a714190dfe633341c0ffb483784c4fdfe884b9019f6a0b4 -Copying blob sha256:e7ebc6e16708285bee3917ae12bf8d172ee0d7684a7830751ab9a1c070e7a125 -Copying blob 
sha256:bf6751561805be7d07d66f6acb2a33e99cf0cc0a20f5fd5d94a3c7f8ae55c2a1 -Copying blob sha256:c1bd37d01c89de343d68867518b1155cb297d8e03942066ecb44ae8f46b608a3 -Copying blob sha256:a84e57b779297b72428fc7308e63d13b4df99140f78565be92fc9dbe03fc6e69 -Copying blob sha256:14dd68f4c7e23d6a2363c2320747ab88986dfd43ba0489d139eeac3ac75323b2 -Copying blob sha256:a2092d776649ea2301f60265f378a02405539a2a68093b2612792cc65d00d161 -Copying blob sha256:879119e879f682c04d0784c9ae7bc6f421e206b95d20b32ce1cb8a49bfdef202 -Copying blob sha256:e615448af51b848ecec00caeaffd1e30e8bf5cffd464747d159f80e346b7a150 -Copying blob sha256:f610bd1e9ac6aa9326d61713d552eeefef47d2bd49fc16140aa9bf3db38c30a4 -Copying blob sha256:bfe0a1336d031bf5ff3ce381e354be7b2bf310574cc0cd1949ad94dda020cd27 -Copying blob sha256:f0f15db85788c1260c6aa8ad225823f45c89700781c4c793361ac5fa58d204c7 -Copying config sha256:c07ddb44daa97e9e8d2d68316b296cc9343ab5f3d2babc5e6e03b80cd580478e -Writing manifest to image destination -Storing signatures -Loaded image as c07ddb44daa97e9e8d2d68316b296cc9343ab5f3d2babc5e6e03b80cd580478e -``` - -说明: - -- isula-build load命令仅支持导入包含单个层叠镜像的镜像压缩文件 -- isula-build 支持导入最大50G的容器层叠镜像 - -#### 删除本地持久化镜像 - -可通过rm命令删除当前本地持久化存储的镜像 - -目前支持的flags有: - -``` -Flags: - -a, --all remove all images - -h, --help help for rm - -p, --prune remove all untagged images -``` - -这些flags分别: - -- -a, --all:删除所有本地持久化存储的镜像。 - -- -p, --prune:删除所有没有tag的本地持久化存储的镜像。 - - 使用举例: - - ``` - isula-build ctr-img rm -p - ``` - - ``` - $ sudo isula-build ctr-img rm -p - Deleted: sha256:78731c1dde25361f539555edaf8f0b24132085b7cab6ecb90de63d72fa00c01d - Deleted: sha256:eeba1bfe9fca569a894d525ed291bdaef389d28a88c288914c1a9db7261ad12c - ``` - -#### 导出层叠镜像 - -可通过save命令导出层叠镜像到本地磁盘。命令原型如下: - -``` -isula-build ctr-img save [REPOSITORY:TAG]|imageID -o xx.tar -``` - -通过镜像名字/tag进行导出: - -``` -$ sudo isula-build ctr-img save busybox:latest -o busybox.tar -Getting image source signatures -Copying blob 
sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a -Copying blob sha256:824082a6864774d5527bda0d3c7ebd5ddc349daadf2aa8f5f305b7a2e439806f -Copying blob sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef -Copying config sha256:21c3e96ac411242a0e876af269c0cbe9d071626bdfb7cc79bfa2ddb9f7a82db6 -Writing manifest to image destination -Storing signatures -Save success with image: busybox:latest -``` - -通过ImageID进行导出: - -``` -$ sudo isula-build ctr-img save 21c3e96ac411 -o busybox.tar -Getting image source signatures -Copying blob sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a -Copying blob sha256:824082a6864774d5527bda0d3c7ebd5ddc349daadf2aa8f5f305b7a2e439806f -Copying blob sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef -Copying config sha256:21c3e96ac411242a0e876af269c0cbe9d071626bdfb7cc79bfa2ddb9f7a82db6 -Writing manifest to image destination -Storing signatures -Save success with image: 21c3e96ac411 -``` - -#### 查看运行环境与系统信息 - -可以通过“isula-build info”指令查看 - -命令原型如下: - -``` -isula-build info [flags] -``` - -支持如下Flags: - -- -H, --human-readable 布尔值,以常用内存表示格式打印内存信息,使用1000次幂 - - 使用举例: - - ``` - $ sudo - isula-build info -H - General: - MemTotal: 7.63 GB - MemFree: 757 MB - SwapTotal: 8.3 GB - SwapFree: 8.25 GB - OCI Runtime: runc - DataRoot: /var/lib/isula-build/ - RunRoot: /var/run/isula-build/ - Builders: 0 - Goroutines: 12 - Store: - Storage Driver: overlay - Backing Filesystem: extfs - Registry: - Search Registries: - oepkgs.net - Insecure Registries: - localhost:5000 - oepkgs.net - ``` - -#### 与远程镜像仓库认证 - -可以通过 login 或 logout 命令来与远程镜像仓库交互 - -- **Login 使用**: - - ``` - isula-build login mydockerhub.io - ``` - - 你可以运行 login 命令来登录远程镜像仓库 - - 目前支持的flag有: - - ``` - Flags: - -p, --password-stdin Read password from stdin - -u, --username string Username to access registry - ``` - - 通过stdin输入密码: - - ``` - $ cat creds.txt | sudo isula-build login -u cooper -p mydockerhub.io - Login Succeeded 
- ``` - - 通过交互式输入密码: - - ``` - $ sudo isula-build login mydockerhub.io -u cooper - Password: - Login Succeeded - ``` - -- **Logout 使用**: - - ``` - isula-build logout mydockerhub.io - ``` - - 你可以运行 logout 命令来登出远程镜像仓库。 - - 目前支持的flag有: - - ``` - Flags: - -a, --all Logout all registries - ``` - - Flags解释如下: - - -a, --all:登出所有的镜像仓库。 - - ``` - $ sudo isula-build logout -a - Removed authentications - ``` - -#### 版本查询 - -可通过version命令查看当前版本信息: - -``` -$ sudo isula-build version -Client: - Version: 0.9.2 - Go Version: go1.13.3 - Git Commit: ccb2a13 - Built: Sat Aug 22 08:06:47 2020 - OS/Arch: linux/amd64 - -Server: - Version: 0.9.2 - Go Version: go1.13.3 - Git Commit: ccb2a13 - Built: Sat Aug 22 08:06:47 2020 - OS/Arch: linux/amd64 -``` - -说明: - -isula-build completion 和 isula-builder completion 命令用于生成bash命令补全脚本。该命令为命令行框架隐式提供,不会显示在help信息中。 - - - -### 与容器引擎集成 - -isula-build可以与iSulad和docker集成,将构建好的容器镜像导入到容器引擎的本地存储中。 - -#### 与iSulad集成 - -支持将构建成功的镜像直接导出到iSulad。命令行举例: - -``` -$ sudo isula-build ctr-img build -f Dockerfile -o isulad:busybox:2.0 -``` - -通过在-o参数中指定iSulad,将构建好的容器镜像导出到iSulad,可以通过isula images查询。 - -说明: - -要求isula-build和iSulad在同一节点。 - -#### 与Docker集成 - -支持将构建成功的镜像直接导出到Docker daemon。命令行举例: - -``` -$ sudo isula-build ctr-img build -f Dockerfile -o docker-daemon:busybox:2.0 -``` - -通过在-o参数中指定docker-daemon,将构建好的容器镜像导出到docker, 可以通过docker images查询。 - -说明: - -要求isula-build和Docker在同一节点。 - - - -## 使用注意事项 - -本章节主要介绍在使用isula-build构建镜像时相关的约束和限制,以及与docker build的差异。 - -### 约束和限制 - -1. 直接导出镜像到iSulad或docker daemon时,必须指定tag。 -2. 直接导出镜像到iSulad时,isula-build client端需要将构建成功的镜像暂存成 `/var/tmp/isula-build-tmp-%v.tar` 再导入至 iSulad,用户需要保证 /var/tmp/ 目录有足够磁盘空间;同时如果在导出过程中 isula-build client进程被KILL或Ctrl+C终止,需要依赖用户手动清理 `/var/tmp/isula-build-tmp-%v.tar` 文件。 -3. 用户需保证OCI runtime(runc)可执行文件的安全性,避免被恶意替换。 -4. isula-build不支持将持久化工作目录dataroot配置在内存盘上,比如tmpfs。 -5. isula-build目前仅支持使用overlay2为底层graphdriver。 -6. isula-build当前仅支持Docker镜像。 -7. 用户需保证Dockerfile文件的权限为仅当前用户可读写,避免别的用户进行篡改。 -8. 目前仅支持使用主机网络。 -9. 
导出的镜像压缩格式,目前仅支持tar.gz格式。 -10. stage name不能以数字开头、stage name的长度限制为64个字符 - -### 与docker差异 - -- isula-build兼容dockerfile语法,但与docker build相比,使用isula-build进行镜像构建和docker build的差异如下: - 1. 在每一个镜像构建stage完成后做一次提交,而不是按行提交。 - 2. isula-build暂不支持缓存。 - 3. 仅RUN指令在构建容器中执行。 - 4. 目前不支持history。 - 5. isula-build的stage name支持以数字开头。 - 6. isula-build的stage name最长可为64个字符。 - 7. ADD指令目前不支持远端URL形式。 - 8. 暂不支持对单次构建进行资源限额,可采取对isula-builder配置资源限额的方式进行限制。 -- isula-build与docker的其它差异如下: - 1. 统计镜像大小时,isula-build是直接计算每层tar包大小之和,而docker是通过解压tar遍历diff目录计算文件大小之和,因此通过`isula-build ctr-img images`查看的镜像大小与`docker images`的显示上有一定差异。 - -### 与Dockerfile语法上的差异 - -1. 暂不支持ADD指令提供的来源是远端url。 - - - -## 附录 - -### 命令行参数说明 - -**表1** ctr-img build 命令参数列表 - -| **命令** | **参数** | **说明** | -| ------------- | -------------- | ------------------------------------------------------------ | -| ctr-img build | --build-arg | string列表,构建过程中需要用到的变量 | -| | --build-static | KV值,构建二进制一致性。目前包含如下K值:- build-time:string,使用固定时间戳来构建容器镜像;时间戳格式为“YYYY-MM-DD HH-MM-SS” | -| | -f, --filename | string,Dockerfile的路径,不指定则是使用当前路径的Dockerfile文件 | -| | --iidfile | string,输出 image ID 到本地文件 | -| | -o, --output | string,镜像导出的方式和路径 | -| | --proxy | 布尔值,继承主机侧环境的proxy环境变量(默认为true) | -| | --tag | string,给构建的镜像添加tag | -| | --cap-add | string列表,构建过程中RUN指令所需要的权限 | - -**表2** ctr-img load 命令参数列表 - -| **命令** | **参数** | **说明** | -| ------------ | ----------- | --------------------------------- | -| ctr-img load | -i, --input | string,需要导入的本地tar包的路径 | - -**表3** ctr-img rm 命令参数列表 - -| **命令** | **参数** | **说明** | -| ---------- | ----------- | --------------------------------------------- | -| ctr-img rm | -a, --all | 布尔值,删除所有本地持久化存储的镜像 | -| | -p, --prune | 布尔值,删除所有没有tag的本地持久化存储的镜像 | - -**表4** ctr-img save 命令参数列表 - -| **命令** | **参数** | **说明** | -| ------------ | ------------ | ---------------------------------- | -| ctr-img save | -o, --output | string,镜像导出后在本地的存储路径 | - -**表5** login 命令参数列表 - -| **命令** | **参数** | **说明** | -| -------- | -------------------- | 
------------------------------------------------------- | -| login | -p, --password-stdin | 布尔值,是否通过stdin读入密码;或采用交互式界面输入密码 | -| | -u, --username | string,登陆镜像仓库所使用的用户名 | - -**表6** logout 命令参数列表 - -| **命令** | **参数** | **说明** | -| -------- | --------- | ------------------------------------ | -| logout | -a, --all | 布尔值,是否登出所有已登陆的镜像仓库 | - -### 通信矩阵 - -isula-build两个组件进程之间通过unix socket套接字文件进行通信,无端口通信。 - -### 文件与权限 - -1. isula-build 所有的操作均需要使用 root 权限。 - -2. isula-build 运行涉及文件权限如下表所示: - - | **文件路径** | **文件/文件夹权限** | **说明** | - | ------------------------------------------- | ------------------- | ------------------------------------------------------------ | - | /usr/bin/isula-build | 550 | 命令行工具二进制文件。 | - | /usr/bin/isula-builder | 550 | 服务端isula-builder进程二进制文件。 | - | /usr/lib/systemd/system/isula-build.service | 640 | systemd配置文件,用于管理isula-build服务。 | - | /etc/isula-build/configuration.toml | 600 | isula-builder 总配置文件,包含设置 isula-builder 日志级别、持久化目录和运行时目录、OCI runtime等。 | - | /etc/isula-build/policy.json | 600 | 签名验证策略文件的语法文件。 | - | /etc/isula-build/registries.toml | 600 | 针对各个镜像仓库的配置文件,含可用的镜像仓库列表、镜像仓库黑名单。 | - | /etc/isula-build/storage.toml | 600 | 本地持久化存储的配置文件,包含所使用的存储驱动的配置。 | - | /var/run/isula_build.sock | 600 | 服务端isula-builder的本地套接字。 | - | /var/lib/isula-build | 700 | 本地持久化目录。 | - | /var/run/isula-build | 700 | 本地运行时目录。 | - | /var/tmp/isula-build-tmp-*.tar | 600 | 镜像导出至iSulad时的本地暂存目录。 | - - \ No newline at end of file diff --git "a/content/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227.md" "b/content/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227.md" deleted file mode 100644 index 204d1b97fd50e5fbcfe66866410676bff526c889..0000000000000000000000000000000000000000 --- "a/content/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227.md" +++ /dev/null 
@@ -1,18 +0,0 @@ -# 使用指南 - -本章介绍iSula容器引擎的使用方法。 ->![](public_sys-resources/icon-note.gif) **说明:** ->iSulad的所有使用操作均需要使用root权限。 - - -- [容器管理](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/%E5%AE%B9%E5%99%A8%E7%AE%A1%E7%90%86.html) -- [支持CNI网络](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/%E6%94%AF%E6%8C%81CNI%E7%BD%91%E7%BB%9C.html) -- [容器资源管理](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/%E5%AE%B9%E5%99%A8%E8%B5%84%E6%BA%90%E7%AE%A1%E7%90%86.html) -- [特权容器](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/%E7%89%B9%E6%9D%83%E5%AE%B9%E5%99%A8.html) -- [CRI接口](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/CRI%E6%8E%A5%E5%8F%A3.html) -- [镜像管理](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/%E9%95%9C%E5%83%8F%E7%AE%A1%E7%90%86.html) -- [容器健康状态检查](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/%E5%AE%B9%E5%99%A8%E5%81%A5%E5%BA%B7%E7%8A%B6%E6%80%81%E6%A3%80%E6%9F%A5.html) -- [查询信息](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/%E6%9F%A5%E8%AF%A2%E4%BF%A1%E6%81%AF.html) -- [安全特性](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/%E5%AE%89%E5%85%A8%E7%89%B9%E6%80%A7.html) -- [支持OCI hooks](https://openeuler.org/zh/docs/20.03_LTS/docs/Container/%E6%94%AF%E6%8C%81OCI-hooks.html) - diff --git a/content/zh/docs/Installation/FAQ-1.md b/content/zh/docs/Installation/FAQ-1.md deleted file mode 100644 index 284a0108acfff0cd1b7879554f302299f5675164..0000000000000000000000000000000000000000 --- a/content/zh/docs/Installation/FAQ-1.md +++ /dev/null @@ -1,27 +0,0 @@ -# FAQ - - -- [FAQ](#faq) - - [树莓派启动失败](#树莓派启动失败) - - [问题现象](#问题现象) - - [原因分析](#原因分析) - - [解决方法](#解决方法) - - - -## 树莓派启动失败 - -### 问题现象 - -将 openEuler 发布的树莓派镜像刷写入 SD 卡后,树莓派启动失败。 - -### 原因分析 - -刷写 openEuler 发布的树莓派镜像后,树莓派启动失败,大致有以下几种情况: - -1. 下载的镜像文件不完整,请确保该镜像通过完整性校验。 -2. 镜像写入 SD 卡过程中出现问题,多出现在 Windows 环境下使用应用软件刷写镜像到 SD 卡的情况。 - -### 解决方法 - -将完整的镜像重新刷写入 SD 卡。 
diff --git "a/content/zh/docs/Installation/figures/root\345\257\206\347\240\201.png" "b/content/zh/docs/Installation/figures/root\345\257\206\347\240\201.png" deleted file mode 100644 index b5bf8835c1b04a8ec679a34fdd20b0419b081431..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/root\345\257\206\347\240\201.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\345\210\233\345\273\272\347\224\250\346\210\267.png" "b/content/zh/docs/Installation/figures/\345\210\233\345\273\272\347\224\250\346\210\267.png" deleted file mode 100644 index 9c2208da7baf239a879277d53374037d9ff48410..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\210\233\345\273\272\347\224\250\346\210\267.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\345\215\212\350\207\252\345\212\250-new.png" "b/content/zh/docs/Installation/figures/\345\215\212\350\207\252\345\212\250-new.png" deleted file mode 100644 index dcdfb60e3e77594c59cfbaaece61881347cd4032..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\215\212\350\207\252\345\212\250-new.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\345\242\236\345\212\240inst-noverifyssl\345\217\202\346\225\260.png" "b/content/zh/docs/Installation/figures/\345\242\236\345\212\240inst-noverifyssl\345\217\202\346\225\260.png" deleted file mode 100644 index f56a7dd0c45acf8a4c3a735ed623eaccd19bfaef..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\242\236\345\212\240inst-noverifyssl\345\217\202\346\225\260.png" and /dev/null differ 
diff --git "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\345\274\225\345\257\274\347\225\214\351\235\242.png" "b/content/zh/docs/Installation/figures/\345\256\211\350\243\205\345\274\225\345\257\274\347\225\214\351\235\242.png" deleted file mode 100644 index 0ee099a675eee71fdeb3ba3ad0f30e0be20d7af3..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\345\274\225\345\257\274\347\225\214\351\235\242.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\346\246\202\350\247\210.png" "b/content/zh/docs/Installation/figures/\345\256\211\350\243\205\346\246\202\350\247\210.png" deleted file mode 100644 index d64da9c1ad2a4afc657eb50f1e4439b5b870ea2a..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\346\246\202\350\247\210.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\346\272\220.png" "b/content/zh/docs/Installation/figures/\345\256\211\350\243\205\346\272\220.png" deleted file mode 100644 index 25a28495bad27f26cac8ce19009d2c780d92f0fd..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\346\272\220.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\347\233\256\346\240\207\344\275\215\347\275\256.png" "b/content/zh/docs/Installation/figures/\345\256\211\350\243\205\347\233\256\346\240\207\344\275\215\347\275\256.png" deleted file mode 100644 index 4c13cb4faff2f8a4292ec5d940e63aa80e268f1d..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\347\233\256\346\240\207\344\275\215\347\275\256.png" and /dev/null differ 
diff --git "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\350\277\207\347\250\213.png" "b/content/zh/docs/Installation/figures/\345\256\211\350\243\205\350\277\207\347\250\213.png" deleted file mode 100644 index 9278b364149636a26a21409afc1342aa1c546ddb..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\256\211\350\243\205\350\277\207\347\250\213.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\345\256\214\346\210\220\345\256\211\350\243\205.png" "b/content/zh/docs/Installation/figures/\345\256\214\346\210\220\345\256\211\350\243\205.png" deleted file mode 100644 index b54d9ef9c15affd3f41ce6622be66d883ef7e744..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\256\214\346\210\220\345\256\211\350\243\205.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\345\274\200\345\247\213\345\256\211\350\243\205.png" "b/content/zh/docs/Installation/figures/\345\274\200\345\247\213\345\256\211\350\243\205.png" deleted file mode 100644 index 1a5771d8f56ef2472f488e3524d0d0bc91827d10..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\345\274\200\345\247\213\345\256\211\350\243\205.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\346\211\213\345\212\250\345\210\206\345\214\272.png" "b/content/zh/docs/Installation/figures/\346\211\213\345\212\250\345\210\206\345\214\272.png" deleted file mode 100644 index f56b1aba62237b74ecc60c1cf9eee9b5cd4902c0..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\346\211\213\345\212\250\345\210\206\345\214\272.png" and /dev/null differ 
diff --git "a/content/zh/docs/Installation/figures/\346\227\245\346\234\237\345\222\214\346\227\266\351\227\264.png" "b/content/zh/docs/Installation/figures/\346\227\245\346\234\237\345\222\214\346\227\266\351\227\264.png" deleted file mode 100644 index 33b528bb77d0d6b0f51da604e2bad89e3a9daafe..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\346\227\245\346\234\237\345\222\214\346\227\266\351\227\264.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\347\233\230\347\254\246.png" "b/content/zh/docs/Installation/figures/\347\233\230\347\254\246.png" deleted file mode 100644 index b49213bd19cb5b9cdac6ce25564be17df2810d72..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\347\233\230\347\254\246.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\347\275\221\347\273\234\345\222\214\344\270\273\346\234\272\345\220\215.png" "b/content/zh/docs/Installation/figures/\347\275\221\347\273\234\345\222\214\344\270\273\346\234\272\345\220\215.png" deleted file mode 100644 index 24aee8cb2ca13e004d2439ffd89de047c330b58c..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\347\275\221\347\273\234\345\222\214\344\270\273\346\234\272\345\220\215.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\350\216\267\345\217\226IP.png" "b/content/zh/docs/Installation/figures/\350\216\267\345\217\226IP.png" deleted file mode 100644 index 26b6f8f60a36c4b43ebebe4dbdce169ade4b13ae..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\350\216\267\345\217\226IP.png" and /dev/null differ 
diff --git "a/content/zh/docs/Installation/figures/\350\257\255\350\250\200\346\224\257\346\214\201.png" "b/content/zh/docs/Installation/figures/\350\257\255\350\250\200\346\224\257\346\214\201.png" deleted file mode 100644 index a7ddd3a5a6c3c6f377675af294a978d12480ff87..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\350\257\255\350\250\200\346\224\257\346\214\201.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\350\275\257\344\273\266\351\200\211\346\213\251.png" "b/content/zh/docs/Installation/figures/\350\275\257\344\273\266\351\200\211\346\213\251.png" deleted file mode 100644 index 011be38bc7b0030cde009574831b1a5d5a356a1f..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\350\275\257\344\273\266\351\200\211\346\213\251.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\351\200\211\346\213\251\350\257\255\350\250\200.png" "b/content/zh/docs/Installation/figures/\351\200\211\346\213\251\350\257\255\350\250\200.png" deleted file mode 100644 index 738853f1685aeaf2fc7a135f9f13443341f42c48..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\351\200\211\346\213\251\350\257\255\350\250\200.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\351\205\215\347\275\256\351\224\231\350\257\257\346\217\220\347\244\272.png" "b/content/zh/docs/Installation/figures/\351\205\215\347\275\256\351\224\231\350\257\257\346\217\220\347\244\272.png" deleted file mode 100644 index 0349567af5b1695a611b8c32219b469bcf2170e8..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\351\205\215\347\275\256\351\224\231\350\257\257\346\217\220\347\244\272.png" and /dev/null differ 
diff --git "a/content/zh/docs/Installation/figures/\351\224\256\347\233\230\345\270\203\345\261\200.png" "b/content/zh/docs/Installation/figures/\351\224\256\347\233\230\345\270\203\345\261\200.png" deleted file mode 100644 index d91d52d773a277d91ebaccbd7e9ae7d770e6528b..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\351\224\256\347\233\230\345\270\203\345\261\200.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/figures/\351\253\230\347\272\247\347\224\250\346\210\267\351\205\215\347\275\256.png" "b/content/zh/docs/Installation/figures/\351\253\230\347\272\247\347\224\250\346\210\267\351\205\215\347\275\256.png" deleted file mode 100644 index 9a87dffd881b279a4b8c40c798e917a9ac7a3ede..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Installation/figures/\351\253\230\347\272\247\347\224\250\346\210\267\351\205\215\347\275\256.png" and /dev/null differ diff --git "a/content/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207.md" "b/content/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207.md" deleted file mode 100644 index 31b4eb9b7205099ee0ca942bd18b389f78be8896..0000000000000000000000000000000000000000 --- "a/content/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207.md" +++ /dev/null 
@@ -1,241 +0,0 @@ -# 安装准备 - -介绍安装前需要考虑软硬件兼容性状况,以及相关的配置和准备工作。 - - -- [安装准备](#安装准备) - - [获取安装源](#获取安装源) - - [发布包完整性校验](#发布包完整性校验) - - [简介](#简介) - - [前提条件](#前提条件) - - [操作指导](#操作指导) - - [物理机的安装要求](#物理机的安装要求) - - [硬件兼容支持](#硬件兼容支持) - - [最小硬件要求](#最小硬件要求) - - [虚拟机的安装要求](#虚拟机的安装要求) - - [虚拟化平台兼容性](#虚拟化平台兼容性) - - [最小虚拟化空间要求](#最小虚拟化空间要求) - - - -## 获取安装源 - -在安装开始前,您需要获取openEuler的发布包和校验文件。 - -> ![](public_sys-resources/icon-note.gif) **说明:** -> AArch64架构的发布包支持UEFI模式,x86\_64架构的发布包支持UEFI模式和Legacy模式。 - -请按以下步骤获取openEuler的发布包和校验文件: - -1. 登录[openEuler社区](https://openeuler.org)网站。 -2. 单击“下载”。 -3. 单击“获取ISO:”后面的“Link”,显示版本列表。 -4. 单击“openEuler-20.09-beta”,进入openEuler 20.09 beta版本下载列表。 -5. 单击“ISO”,进入ISO下载列表。 - - aarch64:AArch64架构的ISO。 - - x86\_64:x86\_64架构的ISO。 - - source:openEuler源码ISO。 - -6. 根据实际待安装环境的架构选择需要下载的openEuler的发布包和校验文件。 - - 若为AArch64架构。 - 1. 单击“aarch64”。 - 2. 单击“openEuler-20.09-beta-aarch64-dvd.iso”,将openEuler发布包下载到本地。 - 3. 单击“openEuler-20.09-beta-aarch64-dvd.iso.sha256sum”,将openEuler校验文件下载到本地。 - - - 若为x86\_64架构。 - 1. 单击“x86\_64”。 - 2. 单击“openEuler-20.09-beta-x86\_64-dvd.iso”,将openEuler发布包下载到本地。 - 3. 单击“openEuler-20.09-beta-x86\_64-dvd.iso.sha256sum”,将openEuler校验文件下载到本地。 - -## 发布包完整性校验 - ->![](public_sys-resources/icon-note.gif) **说明:** ->本章节以AArch64架构的发布包完整性校验为例,x86\_64架构的发布包完整性校验的操作方法相同。 - -### 简介 - -为了防止软件包在传输过程中由于网络原因或者存储设备原因出现下载不完整的问题,在获取到软件包后,需要对软件包的完整性进行校验,通过了校验的软件包才能部署。 - -这里通过对比校验文件中记录的校验值和手动方式计算的iso文件校验值,判断软件包是否完成。若两个值相同,说明iso文件完整,否则,iso完整性被破坏,请重新获取iso发布包。 - -### 前提条件 - -在校验发布包完整性之前,需要准备如下文件: - -iso文件:openEuler-20.09-beta-aarch64-dvd.iso - -校验文件:openEuler-20.09-beta-aarch64-dvd.iso.sha256sum - -### 操作指导 - -文件完整性校验操作步骤如下: - -1. 获取校验文件中的校验值。执行命令如下: - - ``` - $ cat openEuler-20.09-beta-aarch64-dvd.iso.sha256sum - ``` - -2. 计算文件的sha256校验值。执行命令如下: - - ``` - $ sha256sum openEuler-20.09-beta-aarch64-dvd.iso - ``` - - 命令执行完成后,输出校验值。 - -3. 
对比步骤1和步骤2计算的校验值是否一致。 - - 如果校验值一致说明iso文件完整性没有破坏,如果校验值不一致则可以确认文件完整性已被破坏,需要重新获取。 - -## 物理机的安装要求 - -若需要在物理机环境上安装openEuler操作系统,则物理机需要满足如下的硬件兼容性和最小硬件要求。 - -### 硬件兼容支持 - -openEuler安装时,应注意硬件兼容性方面的问题,当前已支持的服务器类型如[表1](#table14948632047)所示。 - ->![](public_sys-resources/icon-note.gif) **说明:** -> ->- TaiShan 200服务器基于华为鲲鹏920处理器。 ->- 当前仅支持华为TaiShan服务器和FusionServer Pro 机架服务器,后续将逐步增加对其他厂商服务器的支持。 - -**表 1** 支持的服务器类型 - - - - - - - - - - - - - - - - - -

服务器形态

-

服务器名称

-

服务器型号

-

机架服务器

-

TaiShan 200

-

2280均衡型

-

机架服务器

-

FusionServer Pro 机架服务器

-

FusionServer Pro 2288H V5

-
说明:

服务器要求配置Avago 3508 RAID控制卡和启用LOM-X722网卡。

-
-
- -### 最小硬件要求 - -openEuler所需的最小硬件要求如[表2](#tff48b99c9bf24b84bb602c53229e2541)所示。 - -**表 2** 最小硬件要求 - - - - - - - - - - - - - - - - - - - - - - - - - -

部件名称

-

最小硬件要求

-

说明

-

架构

-
  • AArch64
  • x86_64
-
  • 支持Arm的64位架构。
  • 支持Intel的x86 64位架构。
-

CPU

-
  • 华为鲲鹏920系列CPU
  • Intel® Xeon®处理器
-

-

-

内存

-

不小于4GB(为了获得更好的应用体验,建议不小于8GB)

-

-

-

硬盘

-

为了获得更好的应用体验,建议不小于120GB)

-

支持IDE、SATA、SAS等接口的硬盘。

-
- -## 虚拟机的安装要求 - -若需要在虚拟机环境上安装openEuler操作系统,则虚拟机需要满足如下的虚拟化平台兼容性和最小虚拟化要求。 - -### 虚拟化平台兼容性 - -openEuler安装时,应注意虚拟化平台兼容性的问题,当前已支持的虚拟化平台为: - -- openEuler自有的虚拟化组件(HostOS为openEuler,虚拟化组件为发布包中的qemu、KVM)创建的虚拟化平台。 -- 华为公有云的x86虚拟化平台。 - -### 最小虚拟化空间要求 - -openEuler所需的最小虚拟化空间要求如[表3](#tff48b99c9bf24b84bb602c53229e2541)所示。 - -**表 3** 最小虚拟化空间要求 - - - - - - - - - - - - - - - - - - - - - - - - - -

部件名称

-

最小虚拟化空间要求

-

说明

-

架构

-
  • AArch64
  • x86_64
-

-

-

CPU

-

2个CPU

-

-

-

内存

-

不小于4GB(为了获得更好的应用体验,建议不小于8GB)

-

-

-

硬盘

-

不小于32GB(为了获得更好的应用体验,建议不小于120GB)

-

-

-
- - - diff --git "a/content/zh/docs/Quickstart/figures/root\345\257\206\347\240\201.png" "b/content/zh/docs/Quickstart/figures/root\345\257\206\347\240\201.png" deleted file mode 100644 index b5bf8835c1b04a8ec679a34fdd20b0419b081431..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/root\345\257\206\347\240\201.png" and /dev/null differ diff --git "a/content/zh/docs/Quickstart/figures/\345\210\233\345\273\272\347\224\250\346\210\267.png" "b/content/zh/docs/Quickstart/figures/\345\210\233\345\273\272\347\224\250\346\210\267.png" deleted file mode 100644 index 9c2208da7baf239a879277d53374037d9ff48410..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/\345\210\233\345\273\272\347\224\250\346\210\267.png" and /dev/null differ diff --git "a/content/zh/docs/Quickstart/figures/\345\256\211\350\243\205\345\274\225\345\257\274\347\225\214\351\235\242.png" "b/content/zh/docs/Quickstart/figures/\345\256\211\350\243\205\345\274\225\345\257\274\347\225\214\351\235\242.png" deleted file mode 100644 index 0ee099a675eee71fdeb3ba3ad0f30e0be20d7af3..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/\345\256\211\350\243\205\345\274\225\345\257\274\347\225\214\351\235\242.png" and /dev/null differ diff --git "a/content/zh/docs/Quickstart/figures/\345\256\211\350\243\205\346\246\202\350\247\210.png" "b/content/zh/docs/Quickstart/figures/\345\256\211\350\243\205\346\246\202\350\247\210.png" deleted file mode 100644 index d64da9c1ad2a4afc657eb50f1e4439b5b870ea2a..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/\345\256\211\350\243\205\346\246\202\350\247\210.png" and /dev/null differ 
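Review bot: content/zh/docs/Installation/安装准备.md is removed with `deleted file mode 100644` rather than moved, whereas the English docs in this same patch are carried over with `rename from content/en/docs/...` / `rename to docs/en/docs/...` at `similarity index 100%`. Please confirm the Chinese page is re-added under the new docs/ tree, because it holds the release-package integrity check (steps 1 to 3 of 操作指导, comparing `sha256sum openEuler-20.09-beta-aarch64-dvd.iso` with the downloaded `.sha256sum` file). If it is carried over, three things in the removed text should be fixed on the way: the 简介 paragraph should say plainly that this comparison only detects an incomplete or corrupted download, since the checksum file comes from the same download list as the ISO; the 表3 reference reuses the 表2 anchor `#tff48b99c9bf24b84bb602c53229e2541`; and the 硬盘 cell in 表2 reads `为了获得更好的应用体验,建议不小于120GB)` with its opening half missing.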
diff --git "a/content/zh/docs/Quickstart/figures/\345\256\211\350\243\205\347\233\256\346\240\207\344\275\215\347\275\256.png" "b/content/zh/docs/Quickstart/figures/\345\256\211\350\243\205\347\233\256\346\240\207\344\275\215\347\275\256.png" deleted file mode 100644 index 4c13cb4faff2f8a4292ec5d940e63aa80e268f1d..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/\345\256\211\350\243\205\347\233\256\346\240\207\344\275\215\347\275\256.png" and /dev/null differ diff --git "a/content/zh/docs/Quickstart/figures/\345\256\214\346\210\220\345\256\211\350\243\205.png" "b/content/zh/docs/Quickstart/figures/\345\256\214\346\210\220\345\256\211\350\243\205.png" deleted file mode 100644 index b54d9ef9c15affd3f41ce6622be66d883ef7e744..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/\345\256\214\346\210\220\345\256\211\350\243\205.png" and /dev/null differ diff --git "a/content/zh/docs/Quickstart/figures/\345\274\200\345\247\213\345\256\211\350\243\205.png" "b/content/zh/docs/Quickstart/figures/\345\274\200\345\247\213\345\256\211\350\243\205.png" deleted file mode 100644 index 1a5771d8f56ef2472f488e3524d0d0bc91827d10..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/\345\274\200\345\247\213\345\256\211\350\243\205.png" and /dev/null differ diff --git "a/content/zh/docs/Quickstart/figures/\350\275\257\344\273\266\351\200\211\346\213\251.png" "b/content/zh/docs/Quickstart/figures/\350\275\257\344\273\266\351\200\211\346\213\251.png" deleted file mode 100644 index 011be38bc7b0030cde009574831b1a5d5a356a1f..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/\350\275\257\344\273\266\351\200\211\346\213\251.png" and /dev/null differ 
diff --git "a/content/zh/docs/Quickstart/figures/\351\200\211\346\213\251\350\257\255\350\250\200.png" "b/content/zh/docs/Quickstart/figures/\351\200\211\346\213\251\350\257\255\350\250\200.png" deleted file mode 100644 index 738853f1685aeaf2fc7a135f9f13443341f42c48..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/\351\200\211\346\213\251\350\257\255\350\250\200.png" and /dev/null differ diff --git "a/content/zh/docs/Quickstart/figures/\351\253\230\347\272\247\347\224\250\346\210\267\351\205\215\347\275\256.png" "b/content/zh/docs/Quickstart/figures/\351\253\230\347\272\247\347\224\250\346\210\267\351\205\215\347\275\256.png" deleted file mode 100644 index 9a87dffd881b279a4b8c40c798e917a9ac7a3ede..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Quickstart/figures/\351\253\230\347\272\247\347\224\250\346\210\267\351\205\215\347\275\256.png" and /dev/null differ diff --git a/content/zh/docs/Releasenotes/README.md b/content/zh/docs/Releasenotes/README.md deleted file mode 100644 index 63751f53f739f8a7c2bf8e8431e7d59f5dad323a..0000000000000000000000000000000000000000 --- a/content/zh/docs/Releasenotes/README.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# 组件分类 - -**应用和基础服务** -- 包括Application && Base-service - -**编程语言和编译器** -- 包括Programming-language && Compiler && sig-golang && sig-perl-modules && sig-python-modules - -**运行时和中间件** -- 包括Runtime && sig-ai-bigdata && sig-ROS && DB - -**虚拟化和容器** -- 包括Virt && oVirt && iSulad && Docker && sig-android-middleware - -**集群管理** -- 包括sig-Ha && sig-Kubernetes - -**内核** -- 包括Kernel - -**安全** -- 包括SIG-Security_facility && sig-bounds_checking_function - -**硬件和芯片使能** -- sig-RaspberryPi && sig-RISC-V && sig-Compatibility-Infra - -**文件系统** -- 包括Storage & sig-ceph - -**计算和加速库** -- 包括Computing && kae - -**网络** -- 包括Network && dpdk && sig-REDF - -**桌面** -- 包括Desktop && sig-mate-desktop && sig-UKUI && xfce && GNOME && sig-DDE - -**系统工具** -- 包括System-tool && A-Tune && dev-utils && sig-EasyLife - -**其它** -- 包括other && private \ No newline at end of file diff --git a/content/zh/docs/Releasenotes/release_notes.md b/content/zh/docs/Releasenotes/release_notes.md deleted file mode 100644 index b8f6f7d801aaa764c4f3b2a854e54c2e0677bb31..0000000000000000000000000000000000000000 --- a/content/zh/docs/Releasenotes/release_notes.md +++ /dev/null @@ -1 +0,0 @@ -本文是 openEuler 20.09 LTS 版本的发行说明。 \ No newline at end of file diff --git a/content/zh/docs/Releasenotes/zh-cn_bookmap_0225720059.md b/content/zh/docs/Releasenotes/zh-cn_bookmap_0225720059.md deleted file mode 100644 index 843daf755b25db9714413552d037bdb0d9715945..0000000000000000000000000000000000000000 --- a/content/zh/docs/Releasenotes/zh-cn_bookmap_0225720059.md +++ /dev/null @@ -1,14 +0,0 @@ -# 版本发行说明 - -- [法律声明](法律声明.md) -- [用户须知](用户须知.md) -- [简介](简介.md) -- [系统安装](系统安装.md) -- [关键特性](关键特性.md) -- [已知问题](已知问题.md) -- [已修复问题](已修复问题.md) -- [CVE漏洞](CVE漏洞.md) -- [源代码](源代码.md) -- [参与贡献](参与贡献.md) -- [致谢](致谢.md) - 
diff --git "a/content/zh/docs/Releasenotes/\345\205\263\351\224\256\347\211\271\346\200\247.md" "b/content/zh/docs/Releasenotes/\345\205\263\351\224\256\347\211\271\346\200\247.md" deleted file mode 100644 index 310894c2ba830da82ff91ca63dd6daeb8468b7b3..0000000000000000000000000000000000000000 --- "a/content/zh/docs/Releasenotes/\345\205\263\351\224\256\347\211\271\346\200\247.md" +++ /dev/null @@ -1,41 +0,0 @@ -# 关键特性 - -**编程语言和编译器** -- JDK8优化:APPCDS特性支持、crc32硬加速指令支持。 -- GCC优化:循环优化、自动矢量化、全局优化。 - -**运行时和中间件** -- QVisor:轻量级虚拟化Runtime。 -- iSula轻量级容器解决方案,统一IoT,边缘和云计算容器解决方案。 - -**虚拟化** -- Kunpeng虚拟化特性:CPU和内存热插拔、NMI Watchdog、KVM Custom、SmartPolling。 -- 可信启动度量:vTPM机制支撑启动阶段的对各个部件的可信度量。 -- VMTOP工具:虚拟机组件配套DFX工具,支持抓取虚拟机陷出开销,调度时延等各种数据。 - -**内核** -- TLB Range 指令支持:批量TLB invalid提升性能,MMU gather减少TLBi调用。 -- Numa aware qspinlock支持:减少跨NUMA节点的Cache/总线冲突。 -- Ktask并行化支持:内核任务并行化框架支持,内核任务并行化运行。 -- 内存系统锁优化:vmalloc分配大锁优化、Pagecache锁优化。 - -**安全** -- CloudEncalve支持:提供机密计算统一框架、南向屏蔽SGX和TrustZone的差异,北向提供统一API和SDK。 -- IMA支持:完整性度量机制 - -**硬件和芯片使能** -- Raspberry Pi支持:Raspberry系列板卡支持。 - -**计算和加速库** -- 摘要算法SM3,支持异步模型 -- 对称加密算法SM4,支持异步模型,支持CTR/XTS/CBC模式 -- 对称加密算法AES,支持异步模型,支持ECB/CTR/XTS/CBC模式 -- 非对称算法RSA,支持异步模型,支持Key Sizes 1024/2048/3072/4096 -- 密钥协商算法DH,支持异步模型,支持Key Sizes 768/1024/1536/2048/3072/4096 - -**桌面** -- UKUI:麒麟操作系统的默认桌面环境,其布局、风格和使用习惯接近传统Windows - -**系统工具** -- A-Tune:智能系统性能优化引擎,推理出业务特征,配置最佳的系统参数合,使业务处于最优运行状态 -- A-OPS: 内核热升级框架,以及配套工具 diff --git "a/content/zh/docs/Releasenotes/\345\267\262\344\277\256\345\244\215\351\227\256\351\242\230.md" "b/content/zh/docs/Releasenotes/\345\267\262\344\277\256\345\244\215\351\227\256\351\242\230.md" deleted file mode 100644 index 5000634b5d83b42b9a4e668826a8f44439baf98d..0000000000000000000000000000000000000000 --- "a/content/zh/docs/Releasenotes/\345\267\262\344\277\256\345\244\215\351\227\256\351\242\230.md" +++ /dev/null 
@@ -1,243 +0,0 @@ -# 已修复问题 - -完整问题清单请参见[完整问题清单](https://gitee.com/organizations/src-openeuler/issues)。 - -完整的内核提交记录请参见[提交记录](https://gitee.com/openeuler/kernel/commits/openEuler-1.0-LTS)。 - -**应用和基础服务** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**编程语言和编译器** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**运行时和中间件** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**虚拟化和容器** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**集群管理** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**内核** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**安全** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**硬件和芯片使能** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**文件系统** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**计算和加速库** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**网络** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**桌面** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**系统工具** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**其它** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
\ No newline at end of file diff --git "a/content/zh/docs/Releasenotes/\345\267\262\347\237\245\351\227\256\351\242\230.md" "b/content/zh/docs/Releasenotes/\345\267\262\347\237\245\351\227\256\351\242\230.md" deleted file mode 100644 index 7730294041314d5b9e4e2904f56a2babbbb0c732..0000000000000000000000000000000000000000 --- "a/content/zh/docs/Releasenotes/\345\267\262\347\237\245\351\227\256\351\242\230.md" +++ /dev/null @@ -1,238 +0,0 @@ -# 已知问题 -**应用和基础服务** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**编程语言和编译器** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**运行时和中间件** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**虚拟化和容器** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**集群管理** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**内核** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**安全** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**硬件和芯片使能** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**文件系统** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**计算和加速库** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**网络** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**桌面** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**系统工具** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
- -**其它** - - - - - - - - - - -

ISSUE

-

问题描述

-

I1BJTF

-

DEMO

-
diff --git "a/content/zh/docs/Virtualization/figures/\350\231\232\346\213\237\347\275\221\347\273\234\347\273\223\346\236\204\345\233\276.png" "b/content/zh/docs/Virtualization/figures/\350\231\232\346\213\237\347\275\221\347\273\234\347\273\223\346\236\204\345\233\276.png" deleted file mode 100644 index af5b2c44fe451371fb16115df15ae8ea8a723e28..0000000000000000000000000000000000000000 Binary files "a/content/zh/docs/Virtualization/figures/\350\231\232\346\213\237\347\275\221\347\273\234\347\273\223\346\236\204\345\233\276.png" and /dev/null differ diff --git a/content/zh/docs/userguide/pkgship.md b/content/zh/docs/userguide/pkgship.md deleted file mode 100644 index 937597d4f3a3e2d1a84fbeb71cb2e2371655b155..0000000000000000000000000000000000000000 --- a/content/zh/docs/userguide/pkgship.md +++ /dev/null 
@@ -1,192 +0,0 @@ -pkgship -=== - -# 介绍 -pkgship是一款管理OS软件包依赖关系,提供依赖和被依赖关系完整图谱的查询工具,pkgship提供软件包依赖查询、生命周期管理、补丁查询等功能。 -1. 软件包依赖查询:方便社区人员在软件包引入、更新和删除的时候了解软件的影响范围。 -2. 生命周期管理:跟踪上游软件包发布状态,方便维护人员了解当前软件状态,及时升级到合理的版本。 -3. 补丁查询:方便社区人员了解openEuler软件包的补丁情况以及提取补丁内容。 - -# 架构 -系统采用flask-restful开发,使用SQLAlchemy ORM查询框架,同时支持mysql和sqlite两种数据库,可以通过配置文件的更改使用哪种数据库。 - -# 软件下载 -* Repo源挂载地址:https://repo.openeuler.org/ -* 源码获取地址:https://gitee.com/openeuler/openEuler-Advisor/tree/master/packageship -* rpm包获取地址:https://117.78.1.88/project/show/openEuler:Mainline - -# 安装工具 -工具安装可通过以下两种方式实现。 - -* 先使用dnf挂载pkgship软件在所在repo源(具体方法可参考[应用开发指南](https://openeuler.org/zh/docs/20.03_LTS/docs/ApplicationDev/%E5%BC%80%E5%8F%91%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87.html)),然后执行如下指令下载以及安装pkgship及其依赖。 - - ``` - dnf install pkgship - ``` - -* 先下载pkgship的rpm包,然后执行如下命令进行安装(其中“x.x-x”表示版本号,请用实际情况代替)。 - - ``` - rpm -ivh pkgship-x.x-x.oe1.noarch.rpm - ``` - - 或者 - - ``` - dnf install pkgship-x.x-x.oe1.noarch.rpm - ``` - -# 配置参数 -1. 在配置文件中对相应参数进行配置,系统的默认配置文件存放在 /etc/pkgship/packge.ini,请根据实际情况进行配置更改。 - - ``` - vim /etc/pkgship/package.ini - ``` - -2. 创建初始化数据库的yaml配置文件: - conf.yaml 文件默认存放在 /etc/pkgship/ 路径下,pkgship会通过该配置读取要建立的数据库名称以及需要导入的sqlite文件。conf.yaml 示例如下所示。 - - ``` - - dbname:openEuler-20.03-LTS - src_db_file: - - /etc/pkgship/src.sqlite - bin_db_file: - - /etc/pkgship/bin.sqlite - status:enable - priority:1 - ``` - -> 如需更改存放路径,请更改package.ini下的 init_conf_path 选项 - - -# 服务启动和停止 -pkgship使用uWSGI web服务器,启动和停止命令如下所示。 -``` -pkgshipd start - -pkgshipd stop -``` -# 工具使用 -1. 数据库初始化。 - - ``` - pkgship init - ``` - -2. 单包查询。 - - 查询源码包(sourceName)在所有数据库中的信息 。 - - ``` - pkgship single sourceName - ``` - - 查询当前源码包(sourceName)在指定数据库(dbName)中的信息。 - ``` - pkgship single sourceName -db dbName - ``` - -3. 所有包查询。 - 查询所有数据库下包含的所有包的信息。 - - ``` - pkgship list - ``` - - 查询指定数据库(dbName)下的所有包的信息。 - ``` - pkgship list -db dbName - ``` - -4. 
安装依赖查询。 - 查询二进制包(binaryName)的安装依赖,按照默认优先级查询数据库。 - - ``` - pkgship installdep binaryName - ``` - - 在指定数据库(dbName)下查询二进制包(binaryName)的所有安装依赖,按照先后顺序指定数据库查询的优先级。 - ``` - pkgship installdep binaryName -dbs dbName1 dbName2... - ``` - -5. 编译依赖查询。 - 查询源码包(sourceName)的所有编译依赖,按照默认优先级查询数据库。 - - ``` - pkgship builddep sourceName - ``` - - 在指定数据库(dbName)下查询源码包(sourceName)的所有安装依赖,按照先后顺序指定数据库查询的优先级。 - ``` - pkgship builddep sourceName -dbs dbName1 dbName2... - ``` - -6. 自编译自安装依赖查询。 - 查询二进制包(binaryName)的安装和编译依赖,按照默认优先级查询数据库。 - - ``` - pkgship selfbuild binaryName - ``` - - 查询源码包(sourceName )的安装和编译依赖,按照默认优先级查询数据库。 - ``` - pkgship selfbuild sourceName -t source - ``` - 其他参数: - - -dbs 指定数据库优先级。 - - ``` - 示例:pkgship selfbuild binaryName -dbs dbName1 dbName2 - ``` - -s 是否查询自编译依赖。其中0表示不查询自编译依赖,1表示查询自编译依赖,默认为0,可以指定1。 - - ``` - 查询自编译示例:pkgship selfbuild sourceName -t source -s 1 - ``` - -w 是否查询对应包的子包。其中0表示不查询对应子包,1表示查询对应子包,默认为0,可以指定1。 - - ``` - 查询子包示例:pkgship selfbuild binaryName -w 1 - ``` - -7. 被依赖查询。 - 查询源码包(sourceName)在某数据库(dbName)中被哪些包所依赖,查询结果默认不包含对应二进制包的子包 。 - - ``` - pkgship bedepend sourceName -db dbName - ``` - - 使查询结果包含二进制包的子包加入参数 -w。 - ``` - pkgship bedepend sourceName -db dbName -w 1 - ``` - -8. 包信息记录修改。 - 变更数据库中(dbName)源码包(sourceName)的maintainer为Newmaintainer 。 - - ``` - pkgship updatepkg sourceName db dbName -m Newmaintainer - ``` - - 变更数据库中(dbName)源码包(sourceName)的maintainlevel为Newmaintainlevel,值在1~4之间。 - - ``` - pkgship updatepkg sourceName db dbName -l Newmaintainlevel - ``` - - 同时变更数据库中(dbName)源码包(sourceName)的maintainer 为Newmaintainer和变更 maintainlevel为Newmaintainlevel。 - - ``` - pkgship updatepkg sourceName db dbName -m Newmaintainer -l Newmaintainlevel - ``` -9. 数据库删除。 - 删除指定数据库(dbName)。 - - ``` - pkgship rm db dbName - ``` - - - diff --git a/content/zh/menu/index.md b/content/zh/menu/index.md deleted file mode 100644 index 1d6d99d870b18d22a517af3574a05d86ae517626..0000000000000000000000000000000000000000 --- a/content/zh/menu/index.md +++ /dev/null 
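Review bot: if content/zh/docs/userguide/pkgship.md is re-added under the new docs/ tree, three defects visible in the removed text should not be carried over. Under 软件下载 the rpm source is given as `https://117.78.1.88/project/show/openEuler:Mainline`, a bare IP address that gives readers no project domain to verify the download source against; please point at a named host. Under 配置参数 step 1 the prose says `/etc/pkgship/packge.ini` while the command below it edits `/etc/pkgship/package.ini`. Under 工具使用 steps 8 and 9, `pkgship updatepkg sourceName db dbName` and `pkgship rm db dbName` write `db` without a dash, while the query commands above use `-db dbName`; please check which form the CLI accepts and make the page consistent.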
@@ -1,137 +0,0 @@ ---- -headless: true ---- -- [法律声明]({{< relref "./docs/Releasenotes/法律声明.md" >}}) -- [发行说明]({{< relref "./docs/Releasenotes/release_notes.md" >}}) - - [用户须知]({{< relref "./docs/Releasenotes/用户须知.md" >}}) - - [简介]({{< relref "./docs/Releasenotes/简介.md" >}}) - - [系统安装]({{< relref "./docs/Releasenotes/系统安装.md" >}}) - - [关键特性]({{< relref "./docs/Releasenotes/关键特性.md" >}}) - - [已知问题]({{< relref "./docs/Releasenotes/已知问题.md" >}}) - - [已修复问题]({{< relref "./docs/Releasenotes/已修复问题.md" >}}) - - [CVE漏洞]({{< relref "./docs/Releasenotes/CVE漏洞.md" >}}) - - [源代码]({{< relref "./docs/Releasenotes/源代码.md" >}}) - - [参与贡献]({{< relref "./docs/Releasenotes/参与贡献.md" >}}) - - [致谢]({{< relref "./docs/Releasenotes/致谢.md" >}}) - -- [快速入门]({{< relref "./docs/Quickstart/quick-start.md" >}}) - -- [安装指南]({{< relref "./docs/Installation/installation.md" >}}) - - [安装在服务器]({{< relref "./docs/Installation/安装在服务器.md" >}}) - - [安装准备]({{< relref "./docs/Installation/安装准备.md" >}}) - - [安装方式介绍]({{< relref "./docs/Installation/安装方式介绍.md" >}}) - - [安装指导]({{< relref "./docs/Installation/安装指导.md" >}}) - - [使用kickstart自动化安装]({{< relref "./docs/Installation/使用kickstart自动化安装.md" >}}) - - [FAQ]({{< relref "./docs/Installation/FAQ.md" >}}) - - [安装在树莓派]({{< relref "./docs/Installation/安装在树莓派.md" >}}) - - [安装准备]({{< relref "./docs/Installation/安装准备-1.md" >}}) - - [安装方式介绍]({{< relref "./docs/Installation/安装方式介绍-1.md" >}}) - - [安装指导]({{< relref "./docs/Installation/安装指导-1.md" >}}) - - [FAQ]({{< relref "./docs/Installation/FAQ-1.md" >}}) - - [更多资源]({{< relref "./docs/Installation/更多资源.md" >}}) - - -- [管理员指南]({{< relref "./docs/Administration/administration.md" >}}) - - [查看系统信息]({{< relref "./docs/Administration/查看系统信息.md" >}}) - - [基础配置]({{< relref "./docs/Administration/基础配置.md" >}}) - - [管理用户和用户组]({{< relref "./docs/Administration/管理用户和用户组.md" >}}) - - [使用DNF管理软件包]({{< relref "./docs/Administration/使用DNF管理软件包.md" >}}) - - [管理服务]({{< relref "./docs/Administration/管理服务.md" >}}) - - [管理进程]({{< relref 
"./docs/Administration/管理进程.md" >}}) - - [配置网络]({{< relref "./docs/Administration/配置网络.md" >}}) - - [使用LVM管理硬盘]({{< relref "./docs/Administration/使用LVM管理硬盘.md" >}}) - - [使用KAE加速引擎]({{< relref "./docs/Administration/使用KAE加速引擎.md" >}}) - - [搭建服务]({{< relref "./docs/Administration/搭建服务.md" >}}) - - [搭建repo服务器]({{< relref "./docs/Administration/搭建repo服务器.md" >}}) - - [搭建FTP服务器]({{< relref "./docs/Administration/搭建FTP服务器.md" >}}) - - [搭建web服务器]({{< relref "./docs/Administration/搭建web服务器.md" >}}) - - [搭建数据库服务器]({{< relref "./docs/Administration/搭建数据库服务器.md" >}}) - - [FAQ]({{< relref "./docs/Administration/FAQ-54.md" >}}) - - -- [虚拟化用户指南]({{< relref "./docs/Virtualization/virtualization.md" >}}) - - [认识虚拟化]({{< relref "./docs/Virtualization/认识虚拟化.md" >}}) - - [安装虚拟化]({{< relref "./docs/Virtualization/安装虚拟化.md" >}}) - - [准备使用环境]({{< relref "./docs/Virtualization/准备使用环境.md" >}}) - - [虚拟机配置]({{< relref "./docs/Virtualization/虚拟机配置.md" >}}) - - [管理虚拟机]({{< relref "./docs/Virtualization/管理虚拟机.md" >}}) - - [热迁移虚拟机]({{< relref "./docs/Virtualization/热迁移虚拟机.md" >}}) - - [管理系统资源]({{< relref "./docs/Virtualization/管理系统资源.md" >}}) - - [管理设备]({{< relref "./docs/Virtualization/管理设备.md" >}}) - - [最佳实践]({{< relref "./docs/Virtualization/最佳实践.md" >}}) - - [附录]({{< relref "./docs/Virtualization/附录.md" >}}) - - -- [容器用户指南]({{< relref "./docs/Container/container.md" >}}) - - [iSula容器引擎]({{< relref "./docs/Container/iSula容器引擎.md" >}}) - - [安装、升级与卸载]({{< relref "./docs/Container/安装-升级与卸载.md" >}}) - - [安装与配置]({{< relref "./docs/Container/安装与配置.md" >}}) - - [升级]({{< relref "./docs/Container/升级.md" >}}) - - [卸载]({{< relref "./docs/Container/卸载.md" >}}) - - [使用指南]({{< relref "./docs/Container/使用指南.md" >}}) - - [容器管理]({{< relref "./docs/Container/容器管理.md" >}}) - - [支持CNI网络]({{< relref "./docs/Container/支持CNI网络.md" >}}) - - [特权容器]({{< relref "./docs/Container/特权容器.md" >}}) - - [CRI接口]({{< relref "./docs/Container/CRI接口.md" >}}) - - [镜像管理]({{< relref "./docs/Container/镜像管理.md" >}}) - - 
[容器健康状态检查]({{< relref "./docs/Container/容器健康状态检查.md" >}}) - - [查询信息]({{< relref "./docs/Container/查询信息.md" >}}) - - [安全特性]({{< relref "./docs/Container/安全特性.md" >}}) - - [支持OCI hooks]({{< relref "./docs/Container/支持OCI-hooks.md" >}}) - - [附录]({{< relref "./docs/Container/附录.md" >}}) - - - [系统容器]({{< relref "./docs/Container/系统容器.md" >}}) - - [安装指导]({{< relref "./docs/Container/安装指导.md" >}}) - - [使用指南]({{< relref "./docs/Container/使用指南-1.md" >}}) - - [指定rootfs创建容器]({{< relref "./docs/Container/指定rootfs创建容器.md" >}}) - - [通过systemd启动容器]({{< relref "./docs/Container/通过systemd启动容器.md" >}}) - - [容器内reboot/shutdown]({{< relref "./docs/Container/容器内reboot-shutdown.md" >}}) - - [cgroup路径可配置]({{< relref "./docs/Container/cgroup路径可配置.md" >}}) - - [namespace化内核参数可写]({{< relref "./docs/Container/namespace化内核参数可写.md" >}}) - - [共享内存通道]({{< relref "./docs/Container/共享内存通道.md" >}}) - - [动态加载内核模块]({{< relref "./docs/Container/动态加载内核模块.md" >}}) - - [环境变量持久化]({{< relref "./docs/Container/环境变量持久化.md" >}}) - - [最大句柄数限制]({{< relref "./docs/Container/最大句柄数限制.md" >}}) - - [安全性和隔离性]({{< relref "./docs/Container/安全性和隔离性.md" >}}) - - [容器资源动态管理]({{< relref "./docs/Container/容器资源动态管理.md" >}}) - - [附录]({{< relref "./docs/Container/附录-2.md" >}}) - - - [安全容器]({{< relref "./docs/Container/安全容器.md" >}}) - - [安装与配置]({{< relref "./docs/Container/安装与配置-2.md" >}}) - - [使用方法]({{< relref "./docs/Container/使用方法-1.md" >}}) - - [管理安全容器的生命周期]({{< relref "./docs/Container/管理安全容器的生命周期.md" >}}) - - [为安全容器配置资源]({{< relref "./docs/Container/为安全容器配置资源.md" >}}) - - [为安全容器配置网络]({{< relref "./docs/Container/为安全容器配置网络.md" >}}) - - [监控安全容器]({{< relref "./docs/Container/监控安全容器.md" >}}) - - [附录]({{< relref "./docs/Container/附录-3.md" >}}) - - - [Docker容器]({{< relref "./docs/Container/Docker容器.md" >}}) - - [安装配置]({{< relref "./docs/Container/安装配置-3.md" >}}) - - [容器管理]({{< relref "./docs/Container/容器管理-3.md" >}}) - - [镜像管理]({{< relref "./docs/Container/镜像管理-3.md" >}}) - - [命令行参考]({{< relref "./docs/Container/命令行参考.md" >}}) - 
- [容器引擎]({{< relref "./docs/Container/容器引擎-4.md" >}}) - - [容器管理]({{< relref "./docs/Container/容器管理-4.md" >}}) - - [镜像管理]({{< relref "./docs/Container/镜像管理-4.md" >}}) - - [统计信息]({{< relref "./docs/Container/统计信息-4.md" >}}) - - [isula-build构建工具]({{< relref "./docs/Container/isula-build构建工具.md" >}}) - - -- [A-Tune用户指南]({{< relref "./docs/A-Tune/A-Tune.md" >}}) - - [认识A-Tune]({{< relref "./docs/A-Tune/认识A-Tune.md" >}}) - - [安装与部署]({{< relref "./docs/A-Tune/安装与部署.md" >}}) - - [使用方法]({{< relref "./docs/A-Tune/使用方法.md" >}}) - - [常见问题与解决方法]({{< relref "./docs/A-Tune/常见问题与解决方法.md" >}}) - - [附录]({{< relref "./docs/A-Tune/附录.md" >}}) - - -- [应用开发指南]({{< relref "./docs/ApplicationDev/application-development.md" >}})userguide - - [开发环境准备]({{< relref "./docs/ApplicationDev/开发环境准备.md" >}}) - - [使用GCC编译]({{< relref "./docs/ApplicationDev/使用GCC编译.md" >}}) - - [使用make编译]({{< relref "./docs/ApplicationDev/使用make编译.md" >}}) - - [使用JDK编译]({{< relref "./docs/ApplicationDev/使用JDK编译.md" >}}) - - [构建RPM包]({{< relref "./docs/ApplicationDev/构建RPM包.md" >}}) - -- [openEuler工具集用户指南]({{< relref "./docs/userguide/概述.md" >}}) - - [补丁工具]({{< relref "./docs/userguide/补丁工具.md" >}}) - - [pkgship]({{< relref "./docs/userguide/pkgship.md" >}}) \ No newline at end of file diff --git a/content/en/docs/A-Tune/A-Tune.md b/docs/en/docs/A-Tune/A-Tune.md similarity index 100% rename from content/en/docs/A-Tune/A-Tune.md rename to docs/en/docs/A-Tune/A-Tune.md diff --git a/content/en/docs/A-Tune/appendixes.md b/docs/en/docs/A-Tune/appendixes.md similarity index 55% rename from content/en/docs/A-Tune/appendixes.md rename to docs/en/docs/A-Tune/appendixes.md index 46f489cac3e98bcc418e368e7f442270d31a13fa..2d776555c04a00f5a7c56e5d8b503925019af32a 100644 --- a/content/en/docs/A-Tune/appendixes.md +++ b/docs/en/docs/A-Tune/appendixes.md @@ -8,19 +8,13 @@ **Table 1** Terminology - - - - - @@ -28,3 +22,4 @@

Term

Description

workload_type

-

Workload type, which is used to identify a type of service with the same characteristics.

-

profile

+

profile

Set of optimization items and optimal parameter configuration.

+ diff --git a/content/en/docs/A-Tune/application-scenarios.md b/docs/en/docs/A-Tune/application-scenarios.md similarity index 69% rename from content/en/docs/A-Tune/application-scenarios.md rename to docs/en/docs/A-Tune/application-scenarios.md index 924170be9956171063f74f8a718545db93e55907..e1401b69a97062fdb9513018a30df0916b9e464e 100644 --- a/content/en/docs/A-Tune/application-scenarios.md +++ b/docs/en/docs/A-Tune/application-scenarios.md @@ -41,10 +41,6 @@ You can use functions provided by A-Tune through the CLI client atune-adm. This - The **define**, **update**, **undefine**, **collection**, **train**, and **upgrade **commands do not support remote execution. - In the command format, brackets \(\[\]\) indicate that the parameter is optional, and angle brackets \(<\>\) indicate that the parameter is mandatory. The actual parameters prevail. -- In the command format, meanings of each command are as follows: - - **WORKLOAD\_TYPE**: name of a user-defined workload type. For details about the supported workload types, see the query result of the **list** command. - - **PROFILE\_NAME**: user-defined profile name. - - **PROFILE\_PATH**: path of the user-defined profile. ## Querying Workload Types @@ -55,7 +51,7 @@ You can use functions provided by A-Tune through the CLI client atune-adm. This #### Function -Query the supported workload types, profiles, and the values of Active. +Query the supported profiles, and the values of Active. #### Format 
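Review bot: The reworded Function sentence for `list` drops workload types, but the section heading `## Querying Workload Types` in the context just above it keeps the old term, so heading and body now disagree. Rename the heading to match the profile-based wording (taking care not to collide with the existing "Querying Profiles" section further down), and drop the stray comma so the sentence reads "Query the supported profiles and the values of Active."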
@@ -66,39 +62,111 @@ Query the supported workload types, profiles, and the values of Active. ``` # atune-adm list -Support WorkloadTypes: -+-----------------------------------+------------------------+-----------+ -| WorkloadType | ProfileName | Active | -+===================================+========================+===========+ -| default | default | true | -+-----------------------------------+------------------------+-----------+ -| webserver | ssl_webserver | false | -+-----------------------------------+------------------------+-----------+ -| big_database | database | false | -+-----------------------------------+------------------------+-----------+ -| big_data | big_data | false | -+-----------------------------------+------------------------+-----------+ -| in-memory_computing | in-memory_computing | false | -+-----------------------------------+------------------------+-----------+ -| in-memory_database | in-memory_database | false | -+-----------------------------------+------------------------+-----------+ -| single_computer_intensive_jobs | compute-intensive | false | -+-----------------------------------+------------------------+-----------+ -| communication | rpc_communication | false | -+-----------------------------------+------------------------+-----------+ -| idle | default | false | -+-----------------------------------+------------------------+-----------+ +Support profiles: ++------------------------------------------------+-----------+ +| ProfileName | Active | ++================================================+===========+ +| arm-native-android-container-robox | false | ++------------------------------------------------+-----------+ +| basic-test-suite-euleros-baseline-fio | false | ++------------------------------------------------+-----------+ +| basic-test-suite-euleros-baseline-lmbench | false | ++------------------------------------------------+-----------+ +| basic-test-suite-euleros-baseline-netperf | false | 
++------------------------------------------------+-----------+ +| basic-test-suite-euleros-baseline-stream | false | ++------------------------------------------------+-----------+ +| basic-test-suite-euleros-baseline-unixbench | false | ++------------------------------------------------+-----------+ +| basic-test-suite-speccpu-speccpu2006 | false | ++------------------------------------------------+-----------+ +| basic-test-suite-specjbb-specjbb2015 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-hdfs-dfsio-hdd | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-hdfs-dfsio-ssd | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-bayesian | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-kmeans | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql1 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql10 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql2 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql3 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql4 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql5 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql6 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql7 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql8 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql9 | false | 
++------------------------------------------------+-----------+ +| big-data-hadoop-spark-tersort | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-wordcount | false | ++------------------------------------------------+-----------+ +| cloud-compute-kvm-host | false | ++------------------------------------------------+-----------+ +| database-mariadb-2p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| database-mariadb-4p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| database-mongodb-2p-sysbench | false | ++------------------------------------------------+-----------+ +| database-mysql-2p-sysbench-hdd | false | ++------------------------------------------------+-----------+ +| database-mysql-2p-sysbench-ssd | false | ++------------------------------------------------+-----------+ +| database-postgresql-2p-sysbench-hdd | false | ++------------------------------------------------+-----------+ +| database-postgresql-2p-sysbench-ssd | false | ++------------------------------------------------+-----------+ +| default-default | false | ++------------------------------------------------+-----------+ +| docker-mariadb-2p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| docker-mariadb-4p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| hpc-gatk4-human-genome | false | ++------------------------------------------------+-----------+ +| in-memory-database-redis-redis-benchmark | false | ++------------------------------------------------+-----------+ +| middleware-dubbo-dubbo-benchmark | false | ++------------------------------------------------+-----------+ +| storage-ceph-vdbench-hdd | false | ++------------------------------------------------+-----------+ +| storage-ceph-vdbench-ssd | false | ++------------------------------------------------+-----------+ +| 
virtualization-consumer-cloud-olc | false | ++------------------------------------------------+-----------+ +| virtualization-mariadb-2p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| virtualization-mariadb-4p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| web-apache-traffic-server-spirent-pingpo | false | ++------------------------------------------------+-----------+ +| web-nginx-http-long-connection | true | ++------------------------------------------------+-----------+ +| web-nginx-https-short-connection | false | ++------------------------------------------------+-----------+ ``` >![](public_sys-resources/icon-note.gif) **NOTE:** ->If the value of Active is **true**, the profile is activated. In the example, the profile of the default type is activated. +>If the value of Active is **true**, the profile is activated. In the example, the profile of web-nginx-http-long-connection is activated. ## Workload Type Analysis and Auto Optimization - - ### analysis #### Function @@ -121,7 +189,12 @@ Collect real-time statistics from the system to identify and automatically optim

--model, -m

-

Model generated by user-defined training

+

New model generated after user self-training

+ + +

--characterization, -c

+ +

Use the default model for application identification and do not perform automatic optimization

@@ -130,12 +203,18 @@ Collect real-time statistics from the system to identify and automatically optim #### Example -- Use the default model for classification and identification. +- Use the default model for application identification. ``` - # atune-adm analysis + # atune-adm analysis --characterization ``` +- Use the default model to identify applications and perform automatic tuning. + + ``` + # atune-adm analysis + ``` + - Use the user-defined training model for recognition. ``` 
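Review bot: In the Example list, the unchanged third bullet, "Use the user-defined training model for recognition", no longer fits the two bullets added above it. Those separate identification only (`atune-adm analysis --characterization`) from identification plus automatic tuning (bare `atune-adm analysis`), while the third bullet neither says which of the two it does nor uses the same term. Because one variant applies tuning to the system and the other does not, state for the user-defined model example whether tuning is applied, and use "identification" in all three bullets.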
@@ -147,60 +226,56 @@ Collect real-time statistics from the system to identify and automatically optim A-Tune allows users to define and learn new models. To define a new model, perform the following steps: -1. Run the **define** command to define workload\_type and profile. -2. Run the **collection** command to collect the profile data corresponding to workload\_type. +1. Run the **define** command to define a new profile. +2. Run the **collection** command to collect the system data corresponding to the application. 3. Run the **train** command to train the model. - - ### define #### Function -Add a user-defined workload type and the corresponding profile optimization item. +Add a user-defined application scenarios and the corresponding profile tuning items. #### Format -**atune-adm define** +**atune-adm define** #### Example -Add a workload type. Set workload type to **test\_type**, profile name to **test\_name**, and configuration file of an optimization item to **example.conf**. +Add a profile whose service_type is **test_service**, application_name is **test_app**, scenario_name is **test_scenario**, and tuning item configuration file is **example.conf**. ``` -# atune-adm define test_type test_name ./example.conf +# atune-adm define test_service test_app test_scenario ./example.conf ``` -The **example.conf** file can be written as follows \(the following optimization items are optional and are for reference only\). You can also run the **atune-adm info** command to view how the existing profile is written. +The **example.conf** file can be written as follows (the following optimization items are optional and are for reference only). You can also run the **atune-adm info** command to view how the existing profile is written. 
``` -[main] -# list its parent profile -[tip] -# the recommended optimization, which should be performed manunaly -[check] -# check the environment -[affinity.irq] -# to change the affinity of irqs -[affinity.task] -# to change the affinity of tasks -[bios] -# to change the bios config -[bootloader.grub2] -# to change the grub2 config -[kernel_config] -# to change the kernel config -[script] -# the script extention of cpi -[sysctl] -# to change the /proc/sys/* config -[sysfs] -# to change the /sys/* config -[systemctl] -# to change the system service config -[ulimit] -# to change the resources limit of user + [main] + # list its parent profile + [kernel_config] + # to change the kernel config + [bios] + # to change the bios config + [bootloader.grub2] + # to change the grub2 config + [sysfs] + # to change the /sys/* config + [systemctl] + # to change the system service status + [sysctl] + # to change the /proc/sys/* config + [script] + # the script extention of cpi + [ulimit] + # to change the resources limit of user + [schedule_policy] + # to change the schedule policy + [check] + # check the environment + [tip] + # the recommended optimization, which should be performed manunaly ``` ### collection @@ -247,9 +322,9 @@ Collect the global resource usage and OS status information during service runni

Network port used during service running, for example, eth0.

-

--workload_type, -t

+

--app_type, -t

-

Workload type, which is used as a label for training.

+

Mark the application type of the service as a label for training.

--duration, -d

@@ -269,14 +344,14 @@ Collect the global resource usage and OS status information during service runni #### Example ``` -# atune-adm collection --filename name --interval 5 --duration 1200 --output_path /home/data --disk sda --network eth0 --workload_type test_type +# atune-adm collection --filename name --interval 5 --duration 1200 --output_path /home/data --disk sda --network eth0 --app_type test_type ``` ### train #### Function -Use the collected data to train the model. Collect data of at least two workload types during training. Otherwise, an error is reported. +Use the collected data to train the model. Collect data of at least two application types during training. Otherwise, an error is reported. #### Format @@ -304,18 +379,18 @@ Use the CSV file in the **data** directory as the training input. The generate #### Function -Delete a user-defined workload type. +Delete a user-defined profile. #### Format -**atune-adm undefine** +**atune-adm undefine** #### Example -Delete the **test\_type** workload type. +Delete the user-defined profile. ``` -# atune-adm undefine test_type +# atune-adm undefine test_service-test_app-test_scenario ``` ## Querying Profiles @@ -325,26 +400,26 @@ Delete the **test\_type** workload type. #### Function -View the profile content of a workload type. +View the profile content. #### Format -**atune-adm info** _ +**atune-adm info** #### Example -View the profile content of webserver. +View the profile content of web-nginx-http-long-connection. ``` -# atune-adm info webserver +# atune-adm info web-nginx-http-long-connection -*** ssl_webserver: +*** web-nginx-http-long-connection: # -# webserver tuned configuration +# nginx http long connection A-Tune configuration # [main] -#TODO CONFIG +include = default-default [kernel_config] #TODO CONFIG 
@@ -352,11 +427,18 @@ View the profile content of webserver. [bios] #TODO CONFIG +[bootloader.grub2] +iommu.passthrough = 1 + [sysfs] #TODO CONFIG +[systemctl] +sysmonitor = stop +irqbalance = stop + [sysctl] -fs.file-max=6553600 +fs.file-max = 6553600 fs.suid_dumpable = 1 fs.aio-max-nr = 1048576 kernel.shmmax = 68719476736 @@ -384,63 +466,46 @@ net.core.rmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 -[systemctl] -sysmonitor=stop -irqbalance=stop - -[bootloader.grub2] -selinux=0 -iommu.passthrough=1 - -[tip] -bind your master process to the CPU near the network = affinity -bind your network interrupt to the CPU that has this network = affinity -relogin into the system to enable limits setting = OS - [script] -openssl_hpre = 0 prefetch = off +ethtool = -X {network} hfunc toeplitz [ulimit] {user}.hard.nofile = 102400 {user}.soft.nofile = 102400 -[affinity.task] -#TODO CONFIG - -[affinity.irq] +[schedule_policy] #TODO CONFIG [check] #TODO CONFIG +[tip] +SELinux provides extra control and security features to linux kernel. Disabling SELinux will improve the performance but may cause security risks. = kernel +disable the nginx log = application ``` -   - ## Updating a Profile You can update the existing profile as required. - - ### update #### Function -Update an optimization item of a workload type to the content in the **new.conf** file. +Update the original tuning items in the existing profile to the content in the **new.conf** file. #### Format -**atune-adm update** +**atune-adm update** #### Example -Update the workload type to **test\_type** and the optimization item of test\_name to **new.conf**. +Change the tuning item of the profile named **test_service-test_app-test_scenario** to **new.conf**. ``` -# atune-adm update test_type test_name ./new.conf +# atune-adm update test_service-test_app-test_scenario ./new.conf ``` ## Activating a Profile 
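Review bot: The new `[tip]` entry in the sample `web-nginx-http-long-connection` output, "Disabling SELinux will improve the performance but may cause security risks. = kernel", reads as a recommendation to turn SELinux off, which undercuts the removal of `selinux=0` from `[bootloader.grub2]` in this same change. Reword it so that leaving SELinux enabled is the documented default and disabling it is an explicit, risk-accepted choice, and write "the Linux kernel"; if the text is copied from the shipped profile, fix the wording there too. Separately, the `update` example passes `test_service-test_app-test_scenario` without explaining how that name relates to the three separate names given to `define`; it appears to be their hyphen-joined form, and one sentence stating the naming rule would remove the guesswork.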
@@ -449,30 +514,26 @@ Update the workload type to **test\_type** and the optimization item of test\_ #### Function -Manually activate a profile of a workload type. +Manually activate the profile to make it in the active state. #### Format -**atune-adm profile **_<_WORKLOAD\_TYPE_\>_ +**atune-adm profile** #### Parameter Description -You can run the **list** command to query the supported workload types. +For details about the profile name, see the query result of the list command. #### Example -Activate the profile configuration of webserver. +Activate the profile corresponding to the web-nginx-http-long-connection. ``` -# atune-adm profile webserver +# atune-adm profile web-nginx-http-long-connection ``` ## Rolling Back Profiles -   - - - ### rollback #### Functions @@ -491,10 +552,6 @@ Roll back the current configuration to the initial configuration of the system. ## Updating Database -   - - - ### upgrade #### Function @@ -522,10 +579,6 @@ The database is updated to **new\_sqlite.db**. ## Querying System Information -   - - - ### check @@ -561,9 +614,7 @@ Check the CPU, BIOS, OS, and NIC information. ## Automatic Parameter Optimization -A-Tune provides the automatic search capability for optimal configurations, eliminating the need for repeated manual parameter adjustment and performance evaluation. This greatly improves the search efficiency of optimal configurations. - - +A-Tune provides the automatic search capability with the optimal configuration, saving the trouble of manually configuring parameters and performance evaluation. This greatly improves the search efficiency of optimal configurations. ### Tuning 
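Review bot: The rewritten introduction under "Automatic Parameter Optimization" is harder to read than the sentence it replaces: "automatic search capability with the optimal configuration" no longer says that the search is for optimal configurations, and "saving the trouble of manually configuring parameters and performance evaluation" is not parallel. Keep the original wording ("automatic search capability for optimal configurations, eliminating the need for repeated manual parameter adjustment and performance evaluation") unless the behaviour being described has actually changed.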
@@ -574,12 +625,12 @@ Use the specified project file to search the dynamic space for parameters and fi #### Format +**atune-adm tuning** \[OPTIONS\] + >![](public_sys-resources/icon-note.gif) **NOTE:** >Before running the command, ensure that the following conditions are met: ->1. The YAML configuration file of the server has been edited and placed in the **/etc/atuned/tuning/** directory on the server by the server administrator. ->2. The YAML configuration file of the client has been edited and placed in an arbitrary directory on the client. - -**atune-adm tuning** \[OPTIONS\] +>1. The YAML configuration file on the server has been edited and stored in the **/etc/atuned/tuning/** directory of the atuned service. +>2. The YAML configuration file of the client has been edited and stored on the atuned client. #### Parameter Description @@ -601,11 +652,22 @@ Use the specified project file to search the dynamic space for parameters and fi

Specifies the project name in the YAML file to be restored.

+

--restart, -c

+ +

Perform tuning based on historical tuning results.

+ + +

--detail, -d

+ +

Print detailed information about the tuning process.

+ + - + + >![](public_sys-resources/icon-note.gif) **NOTE:** - >The preceding two parameters must be used at the same time, and the -p parameter must be followed by the specific project name. + >If this parameter is used, the -p parameter must be followed by a specific project name and the YAML file of the project must be specified. - **PROJECT\_YAML**: YAML configuration file of the client. @@ -672,6 +734,7 @@ Use the specified project file to search the dynamic space for parameters and fi + **Table 2** Description of object configuration items - - - - - - - - @@ -783,21 +846,13 @@ Use the specified project file to search the dynamic space for parameters and fi - - - - -

Name

@@ -740,36 +803,36 @@ Use the specified project file to search the dynamic space for parameters and fi

dtype

This parameter is available only when type is set to discrete. Currently, only int and string are supported.

+

This parameter is available only when type is set to discrete. Currently, int, float and string are supported.

Enumeration

int, string

+

int, float, string

scope

Parameter setting range. This parameter is valid only when type is set to discrete and dtype is set to int, or type is set to continuous.

+

Parameter setting range. This parameter is valid only when type is set to discrete and dtype is set to int or float, or type is set to continuous.

Integer

+

Integer/Float

The value is user-defined and must be within the valid range of this parameter.

step

Parameter value step, which is used when dtype is set to int.

+

Parameter value step, which is used when dtype is set to int or float.

Integer

+

Integer/Float

This value is user-defined.

items

Enumerated value of which the parameter value is not within the scope. This is used when dtype is set to int.

+

Enumerated value of which the parameter value is not within the scope. This is used when dtype is set to int or float.

Integer

+

Integer/Float

The value is user-defined and must be within the valid range of this parameter.

The value is user-defined and must be within the valid range of this parameter.

ref

-

Recommended initial value of the parameter

-

Integer or character string

-

The value is user-defined and must be within the valid range of this parameter.

-
**Table 3** Description of configuration items of a YAML file on the client + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Description

@@ -817,6 +872,15 @@ Use the specified project file to search the dynamic space for parameters and fi

-

engine

+

Tuning algorithm.

+

Character string

+

"random", "forest", "gbrt", "bayes", "extraTrees"

+

iterations

Number of optimization iterations.

@@ -826,6 +890,51 @@ Use the specified project file to search the dynamic space for parameters and fi

≥ 10

random_starts

+

Number of random iterations.

+

Integer

+

< iterations

+

feature_filter_engine

+

Parameter search algorithm, which is used to select important parameters. This parameter is optional.

+

Character string

+

"lhs"

+

feature_filter_cycle

+

Parameter search cycles, which is used to select important parameters. This parameter is used together with feature_filter_engine.

+

Integer

+

-

+

feature_filter_iters

+

Number of iterations for each cycle of parameter search, which is used to select important parameters. This parameter is used together with feature_filter_engine.

+

Integer

+

-

+

split_count

+

Number of evenly selected parameters in the value range of tuning parameters, which is used to select important parameters. This parameter is used together with feature_filter_engine.

+

Integer

+

-

+

benchmark

Performance test script.

@@ -847,6 +956,8 @@ Use the specified project file to search the dynamic space for parameters and fi
+ + **Table 4** Description of evaluations configuration item - - @@ -528,35 +528,35 @@ The iSulad server daemon **isulad** can be configured with a configuration fil - - - - - @@ -588,7 +588,7 @@ The iSulad server daemon **isulad** can be configured with a configuration fil - Log file management: - >![](public_sys-resources/icon-notice.gif) **NOTICE:** + >![](./public_sys-resources/icon-notice.gif) **NOTICE:** >Log function interconnection: logs are managed by systemd as iSulad is and then transmitted to rsyslogd. By default, rsyslog restricts the log writing speed. You can add the configuration item **$imjournalRatelimitInterval 0** to the **/etc/rsyslog.conf** file and restart the rsyslogd service. - Restrictions on command line parameter parsing @@ -782,7 +782,7 @@ Mode 1 is used for the server, and mode 2 for the client if the two-way authenti Mode 2 is used for the server and the client if the unidirectional authentication mode is used for communication. ->![](public_sys-resources/icon-notice.gif) **NOTICE:** +>![](./public_sys-resources/icon-notice.gif) **NOTICE:** >- If RPM is used for installation, the server configuration can be modified in the **/etc/isulad/daemon.json** and **/etc/sysconfig/iSulad** files. >- Two-way authentification is recommended as it is more secure than non-authentication or unidirectional authentication. >- GRPC open-source component logs are not taken over by iSulad. To view gRPC logs, set the environment variables **gRPC\_VERBOSITY** and **gRPC\_TRACE** as required. diff --git a/content/en/docs/Container/installation-guideline.md b/docs/en/docs/Container/installation-guideline.md similarity index 100% rename from content/en/docs/Container/installation-guideline.md rename to docs/en/docs/Container/installation-guideline.md 
diff --git a/content/en/docs/Container/installation-upgrade-Uninstallation.md b/docs/en/docs/Container/installation-upgrade-Uninstallation.md similarity index 100% rename from content/en/docs/Container/installation-upgrade-Uninstallation.md rename to docs/en/docs/Container/installation-upgrade-Uninstallation.md diff --git a/content/en/docs/Container/interconnection-with-the-cni-network.md b/docs/en/docs/Container/interconnection-with-the-cni-network.md similarity index 99% rename from content/en/docs/Container/interconnection-with-the-cni-network.md rename to docs/en/docs/Container/interconnection-with-the-cni-network.md index eea018fcb02e3f99dfaa79f1a67766156aeaaba1..ea181545190975bf2c889636a7975a51db940254 100644 --- a/content/en/docs/Container/interconnection-with-the-cni-network.md +++ b/docs/en/docs/Container/interconnection-with-the-cni-network.md @@ -114,7 +114,7 @@ If **--network-plugin=cni** is configured for iSulad and the default network p When StopPodSandbox is called, the interface for removing a pod from the CNI network list will be called to clear network resources. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >1. Before calling the RemovePodSandbox interface, you must call the StopPodSandbox interface at least once. >2. If StopPodSandbox fails to call the CNI, residual network resources may exist. diff --git a/docs/en/docs/Container/isula-build.md b/docs/en/docs/Container/isula-build.md new file mode 100644 index 0000000000000000000000000000000000000000..6630ce840f4f0237d2f5a22574a1df2a0903983e --- /dev/null +++ b/docs/en/docs/Container/isula-build.md 
@@ -0,0 +1,918 @@ +# Container Image Building + + + + +* [Installation](#installation) + * [Preparations](#preparations) + * [Installing isula-build](#installing-isula-build) +* [Configuring and Managing the isula-build Service](#configuring-and-managing-the-isula-build-service) + * [Configuring the isula-build Service](#configuring-the-isula-build-service) + * [Managing the isula-build Service](#managing-the-isula-build-service) + * [(Recommended) Using systemd for Management](#recommended-using-systemd-for-management) + * [Directly Running isula-builder](#directly-running-isula-builder) +* [Usage Guidelines](#usage-guidelines) + * [Prerequisites](#prerequisites) + * [Overview](#overview) + * [ctr-img: Container Image Management](#ctr-img-container-image-management) + * [build: Container Image Build](#build-container-image-build) + * [image: Viewing Local Persistent Build Images](#image-viewing-local-persistent-build-images) + * [import: Importing a Basic Container Image](#import-importing-a-basic-container-image) + * [load: Importing Cascade Images](#load-importing-cascade-images) + * [rm: Deleting a Local Persistent Image](#rm-deleting-a-local-persistent-image) + * [save: Exporting Cascade Images](#save-exporting-cascade-images) + * [tag: Tagging Local Persistent Images](#tag-tagging-local-persistent-images) + * [pull: Pulling an Image To a Local Host](#pull-pulling-an-image-to-a-local-host) + * [push: Pushing a Local Image to a Remote Repository](#push-pushing-a-local-image-to-a-remote-repository) + * [info: Viewing the Operating Environment and System Information](#info-viewing-the-operating-environment-and-system-information) + * [login: Logging In to the Remote Image Repository](#login-logging-in-to-the-remote-image-repository) + * [logout: Logging Out of the Remote Image Repository](#logout-logging-out-of-the-remote-image-repository) + * [version: Querying the isula-build Version](#version-querying-the-isula-build-version) +* [Directly Integrating a 
Container Engine](#directly-integrating-a-container-engine) + * [Integration with iSulad](#integration-with-isulad) + * [Integration with Docker](#integration-with-docker) +* [\Appendix](#span-idappendixappendix) + * [Command Line Parameters](#command-line-parameters) + * [Communication Matrix](#communication-matrix) + * [File and Permission](#file-and-permission) + + + + +## Overview + +isula-build is a container image build tool developed by the iSula container team. It allows you to quickly build container images using Dockerfiles. + +The isula-build uses the server/client mode. The isula-build functions as a client and provides a group of command line tools for image build and management. The isula-builder functions as the server, processes client management requests, and functions as the daemon process in the background. + +![isula-build architecure](./figures/isula-build_arch.png) + +Note: + +- Currently, isula-build supports only Docker images. + +## Installation + +### Preparations + +To ensure that isula-build can be successfully installed, the following software and hardware requirements must be met: + +- Supported architectures: x86_64 and AArch64 +- Supported OS: openEuler +- You have the permissions of the root user. + +#### Installing isula-build + +Before using isula-build to build a container image, you need to install the following software packages: + + + +**(Recommended) Method 1: Using YUM** + +1. Configure the openEuler yum source. + +2. Log in to the target server as the root user and install isula-build. + + ``` + sudo yum install -y isula-build + ``` + + + +**Method 2: Using the RPM Package** + +1. Obtain the isula-build-*.rpm installation package from the openEuler yum source, for example, isula-build-0.9.3-1.oe1.x86_64.rpm. + +2. Upload the obtained RPM software package to any directory on the target server, for example, /home/. + +3. 
Log in to the target server as the root user and run the following command to install isula-build: + + ``` + sudo rpm -ivh /home/isula-build-*.rpm + ``` + +> **Note:** +After the installation is complete, you need to manually start the isula-build service. For details about how to start the service, see "Managing the isula-build Service." + +## Configuring and Managing the isula-build Service + +### Configuring the isula-build Service + +After the isula-build software package is installed, the systemd starts the isula-build service based on the default configuration contained in the isula-build software package on the isula-build server. If the default configuration file on the isula-build server cannot meet your requirements, perform the following operations to customize the configuration file: After the default configuration is modified, restart the isula-build server for the new configuration to take effect. For details, see "Managing the isula-build Service." + +Currently, the isula-build server contains the following configuration file: + +- /etc/isula-build/configuration.toml: general isula-builder configuration file, which is used to set the isula-builder log level, persistency directory, runtime directory, and OCI runtime. Parameters in the configuration file are described as follows: + +| Configuration Item | Mandatory or Optional | Description | Value | +| --------- | -------- | --------------------------------- | ----------------------------------------------- | +| debug | Optional | Indicates whether to enable the debug log function. | true: Enable the debug log function. false: Disable the debug log function. | +| loglevel | Optional | Sets the log level. | debug
info
warn
error | +| run_root | Mandatory | Sets the root directory of runtime data. | For example, /var/run/isula-build/ | +| data_root | Mandatory | Sets the local persistency directory. | For example, /var/lib/isula-build/ | +| runtime | Optional | Sets the runtime type. Currently, only runc is supported. | runc | +| group | Optional | Sets an owner group for the local socket file isula_build.sock so that non-privileged users in the group can use isula-build. | isula | + +- /etc/isula-build/storage.toml: configuration file for local persistent storage, including the configuration of the storage driver in use. + +| Configuration Item | Mandatory or Optional | Description | +| ------ | -------- | ------------------------------ | +| driver | Optional | Storage driver type. Currently, overlay2 is supported. | + + For more settings, see [containers-storage.conf.5.md](https://github.com/containers/storage/blob/master/docs/containers-storage.conf.5.md). + + +- /etc/isula-build/registries.toml: configuration file for each image repository. + +| Configuration Item | Mandatory or Optional | Description | +| ------------------- | -------- | ------------------------------------------------------------ | +| registries.search | Optional | Search domain of the image repository. Only listed image repositories can be found. | +| registries.insecure | Optional | Accessible insecure image repositories. Listed image repositories cannot pass the authentication and are not recommended. | + + For more settings, see [containers-registries.conf.5.md](https://github.com/containers/image/blob/master/docs/containers-registries.conf.5.md). + +- /etc/isula-build/policy.json: image pull/push policy file. Note: Currently, this parameter cannot be configured. + +>![](./public_sys-resources/icon-note.gif) **Note:** +> +> - isula-build supports the preceding configuration file with the maximum size of 1 MiB. 
+> - The persistent working directory dataroot cannot be configured on the memory disk, for example, tmpfs. +> - Currently, only overlay2 can be used as the underlying graphdriver. +> - Before setting the --group option, ensure that the corresponding user group has been created on a local OS and non-privileged users have been added to the group. After the isula-builder is restarted, non-privileged users can use the isula-build function. In addition, to ensure permission consistency, the array of the isula-build configuration file directory /etc/isula-build is set to the group specified by --group. + + + +### Managing the isula-build Service + +Currently, openEuler uses systemd to manage the isula-build service. The isula-build software package contains the systemd service file. After installing the isula-build software package, you can use the systemd tool to start or stop the isula-build service. You can also manually start the isula-builder software. Note that only one isula-builder process can be started on a node at a time. + +>![](./public_sys-resources/icon-note.gif) **Note:** +> Only one isula-builder process can be started on a node at a time. + +#### (Recommended) Using systemd for Management + +You can run the following systemd commands to start, stop, and restart the isula-build service: + +- Run the following command to start the isula-build service: + + ```sh + sudo systemctl start isula-build.service + ``` + +- Run the following command to stop the isula-build service: + + ```sh + sudo systemctl stop isula-build.service + ``` + +- Run the following command to restart the isula-builder service: + + ```sh + sudo systemctl restart isula-build.service + ``` + +The systemd service file of the isula-build software installation package is stored in the `/usr/lib/systemd/system/isula-build.service` directory. 
If you need to modify the systemd configuration of the isula-build service, modify the file and run the following command to make the modification take effect. Then restart the isula-build service based on the systemd management command. + +```sh +sudo systemctl daemon-reload +``` + +#### Directly Running isula-builder + +You can also run the isula-builder command on the server to start the service. The isula-builder command can contain flags for service startup. The following flags are supported: + +- -D, --debug: whether to enable the debugging mode. +- --log-level: log level. The options are debug, info, warn, and error. The default value is info. +- --dataroot: local persistency directory. The default value is /var/lib/isula-build/. +- --runroot: runtime directory. The default value is /var/run/isula-build/. +- --storage-driver: underlying storage driver type. +- --storage-opt: underlying storage driver configuration. +- --group: an owner group for the local socket file isula_build.sock so that non-privileged users in the group can use isula-build. The default owner group is "isula". + +>![](./public_sys-resources/icon-note.gif) **Note:** +> If the command line startup parameters contain the same configuration options as those in the configuration file, the command line parameters are preferentially used for startup. + +Start the isula-build service. For example, to specify the local persistency directory /var/lib/isula-build and disable debugging, run the following command: + +```sh +sudo isula-builder --dataroot "/var/lib/isula-build" --debug=false +``` + +## Usage Guidelines + +### Prerequisites + +isula-build depends on the executable file runc to build the RUN command in the Dockerfile. Therefore, the runc must be pre-installed in the running environment of isula-build. The installation method depends on the application scenario. If you do not need to use the complete docker-engine tool chain, you can install only the docker-runc RPM package. 
+ +```sh +sudo yum install -y docker-runc +``` + +If you need to use a complete docker-engine tool chain, install the docker-engine RPM package, which contains the executable file runc by default. + +```sh +sudo yum install -y docker-engine +``` + +>![](./public_sys-resources/icon-note.gif) **Note:** +>Users must ensure the security of OCI runtime (runc) executable files to prevent malicious replacement. + + + +### Overview + +The isula-build client provides a series of commands for building and managing container images. Currently, the isula-build client provides the following command lines: + +- ctr-img: manages container images. The ctr-img command contains the following subcommands: + - build: builds a container image based on the specified Dockerfile. + - images: lists local container images. + - import: imports a basic container image. + - load: imports a cascade image. + - rm: deletes a local container image. + - save: exports a cascade image to a local disk. + - tag: adds a tag to a local container image. + - pull: pulls an image to a local host. + - push: pushes a local image to a remote repository. +- info: displays the running environment and system information of isula-build. +- login: logs in to the remote container image repository. +- logout: logs out of the remote container image repository. +- version: displays the versions of isula-build and isula-builder. + +>![](./public_sys-resources/icon-note.gif) **Note:** +The isula-build completion and isula-builder completion commands are used to generate the bash command completion script. This command is implicitly provided by the command line framework and is not displayed in the help information. + + + +The following describes how to use these commands in detail. + + + + +### ctr-img: Container Image Management + +The isula-build command groups all container image management commands into the `ctr-img` command. 
The command is as follows: + +``` +isula-build ctr-img [command] +``` + +#### build: Container Image Build + +The subcommand build of the ctr-img command is used to build container images. The command is as follows: + +``` +isula-build ctr-img build [flags] +``` + +The build command contains the following flags: + +- --build-arg: string list, which contains variables required during the build process. +- --build-static: key value, which is used to build binary equivalence. Currently, the following key values are included: + - build-time: string, which indicates that a fixed timestamp is used to build a container image. The timestamp format is YYYY-MM-DD HH-MM-SS. +- -f, --filename: string, which indicates the path of the Dockerfiles. If this parameter is not specified, the current path is used. +- --iidfile: string, which indicates the ID of the image output to a local file. +- -o, --output: string, which indicates the image export mode and path. +- --proxy: Boolean, which inherits the proxy environment variable on the host. The default value is true. +- --tag: string, which indicates the tag value of the image that is successfully built. +- --cap-add: string list, which contains permissions required by the RUN command during the build process. + +** The following describes the flags in detail. ** + +**\--build-arg** + +Parameters in the Dockerfile are inherited from the command lines. The usage is as follows: + +```sh +$ echo "This is bar file" > bar.txt +$ cat Dockerfile_arg +FROM busybox +ARG foo +ADD ${foo}.txt . +RUN cat ${foo}.txt +$ sudo isula-build ctr-img build --build-arg foo=bar -f Dockerfile_arg +STEP 1: FROM busybox +Getting image source signatures +Copying blob sha256:8f52abd3da461b2c0c11fda7a1b53413f1a92320eb96525ddf92c0b5cde781ad +Copying config sha256:e4db68de4ff27c2adfea0c54bbb73a61a42f5b667c326de4d7d5b19ab71c6a3b +Writing manifest to image destinationStoring signatures +STEP 2: ARG foo +STEP 3: ADD ${foo}.txt . 
+STEP 4: RUN cat ${foo}.txt +This is bar file +Getting image source signatures +Copying blob sha256:6194458b07fcf01f1483d96cd6c34302ffff7f382bb151a6d023c4e80ba3050a +Copying blob sha256:6bb56e4a46f563b20542171b998cb4556af4745efc9516820eabee7a08b7b869 +Copying config sha256:39b62a3342eed40b41a1bcd9cd455d77466550dfa0f0109af7a708c3e895f9a2 +Writing manifest to image destination +Storing signatures +Build success with image id: 39b62a3342eed40b41a1bcd9cd455d77466550dfa0f0109af7a708c3e895f9a2 +``` + +**\--build-static** + +Specifies a static build. That is, when isula-build is used to build a container image, differences between all timestamps and other build factors (such as the container ID and hostname) are eliminated. Finally, a container image that meets the static requirements is built. + +When isula-build is used to build a container image, assume that a fixed timestamp is given to the build subcommand and the following conditions are met: + +- The build environment is consistent before and after the upgrade. +- The Dockerfile is consistent before and after the build. +- The intermediate data generated before and after the build is consistent. +- The build commands are the same. +- The versions of the third-party libraries are the same. + +For container image build, isula-build supports the same Dockerfile. If the build environments are the same, the image content and image ID generated in multiple builds are the same. + +--build-static supports the key-value pair option in the k=v format. Currently, the following options are supported: + +- build-time: string, which indicates the fixed timestamp for creating a static image. The value is in the format of YYYY-MM-DD HH-MM-SS. The timestamp affects the attribute of the file for creating and modifying the time at the diff layer. + + Example: + + ```sh + $ sudo isula-build ctr-img build -f Dockerfile --build-static='build-time=2020-05-23 10:55:33' . 
+ ``` + + In this way, the container images and image IDs built in the same environment for multiple times are the same. + +**\--iidfile** + +Run the following command to output the ID of the built image to a file: + +``` +isula-build ctr-img build --iidfile filename +``` + +For example, to export the container image ID to the testfile file, run the following command: + + ```sh +$ sudo isula-build ctr-img build -f Dockerfile_arg --iidfile testfile + ``` + + Check the container image ID in the testfile file. + + ```sh +$ cat testfile +76cbeed38a8e716e22b68988a76410eaf83327963c3b29ff648296d5cd15ce7b + ``` + + + +**\-o, --output** + +Currently, -o and --output support the following formats: + +- `isulad:image:tag`: directly pushes the image that is successfully built to iSulad, for example, `-o isulad:busybox:latest`. Pay attention to the following restrictions: + + - isula-build and iSulad must be on the same node. + - The tag must be configured. + - On the isula-build client, you need to temporarily save the successfully built image as `/var/tmp/isula-build-tmp-%v.tar` and then import it to iSulad. Ensure that the `/var/tmp/` directory has sufficient disk space. + +- `docker-daemon:image:tag`: directly pushes the successfully built image to Docker daemon, for example, `-o docker-daemon:busybox:latest`. Pay attention to the following restrictions: +- isula-build and Docker must be on the same node. + - The tag must be configured. + +- `docker://registry.example.com/repository:tag`: directly pushes the successfully built image to the remote image repository, for example, `-o docker://localhost:5000/library/busybox:latest`. + +- `docker-archive:/:image:tag`: saves the successfully built image to the local host in Docker image format, for example, `-o docker-archive:/root/image.tar:busybox:latest`. + +In addition to flags, the build subcommand also supports an argument whose type is string and meaning is context, that is, the context of the Dockerfile build environment. 
The default value of this parameter is the current path where isula-build is executed. This path affects the path retrieved by the ADD and COPY commands of .dockerignore and Dockerfile. + +**\--proxy** + +Specifies whether the container started by the RUN command inherits the proxy-related environment variables http_proxy, https_proxy, ftp_proxy, no_proxy, HTTP_PROXY, HTTPS_PROXY, and FTP_PROXY. The default value of NO_PROXY is true. + +When a user configures proxy-related ARG or ENV in the Dockerfile, the inherited environment variables will be overwritten. + +Note: If the client and daemon are not running on the same terminal, the environment variables that can be inherited are the environment variables of the terminal where the daemon is located. + +**\--tag** + +Specifies the tag of the image stored on the local disk after the image is successfully built. + +**\--cap-add** + +Run the following command to add the permission required by the RUN command during the build process: + +``` +isula-build ctr-img build --cap-add ${CAP} +``` + +Example: + +```sh +$ sudo isula-build ctr-img build --cap-add CAP_SYS_ADMIN --cap-add CAP_SYS_PTRACE -f Dockerfile +``` + +> **Note:** +> +> - A maximum of 100 container images can be concurrently built. +> - isula-build supports Dockerfiles with a maximum size of 1 MiB. +> - isula-build supports the .dockerignore file with a maximum size of 1 MiB. +> - Ensure that only the current user has the read and write permissions on the Dockerfiles to prevent other users from tampering with the files. +> - During the build, the RUN command starts the container to build in the container. Currently, isula-build supports the host network only. +> - isula-build only supports the tar.gz compression format. +> - isula-build commits once after each image build stage is complete, instead of each time a Dockerfile line is executed. +> - isula-build does not support cache build. 
+> - isula-build starts the build container only when the RUN command is built. +> - Currently, the history function of Docker images is not supported. +> - The stage name can start with a digit. +> - The stage name can contain a maximum of 64 characters. +> - isula-build does not support resource restriction on a single Dockerfile build. If resource restriction is required, you can configure a resource limit on the isula-builder. +> - Currently, isula-build does not support a remote URL as the data source of the ADD command in the Dockerfile. +> - The local tarball exported using the 'docker-archive' type is not compressed, you can manually compress the file as required. + + + +#### image: Viewing Local Persistent Build Images + +You can run the images command to view the images in the local persistent storage. + +```sh +$ sudo isula-build ctr-img images +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +REPOSITORY TAG IMAGE ID CREATED SIZE +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +localhost:5000/library/alpine latest a24bb4013296 2020-20-19 19:59:197 5.85 MB + 39b62a3342ee 2020-20-38 38:66:387 1.45 MB +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +``` + +**Note**: The image size displayed by running the `isula-build ctr-img images` command may be different from that displayed by running the `docker images` command. When calculating the image size, isula-build directly calculates the total size of .tar packages at each layer, while Docker calculates the total size of files by decompressing the .tar package and traversing the diff directory. Therefore, the statistics are different. + + + +#### import: Importing a Basic Container Image + +openEuler releases a basic container image, for example, openEuler-docker.x86_64.tar.xz, with the version. 
You can run the `ctr-img import` command to import the image to isula-build. + +The command is as follows: + +``` +isula-build ctr-img import [flags] +``` + +Example: + +```sh +$ sudo isula-build ctr-img import ./openEuler-docker.x86_64.tar.xz openeuler:21.03 +Import success with image id: "aac8223a40e9c37558477671c4d66692c8ee5d37b28d947e10010911dd0549d8" +$ sudo isula-build ctr-img images +--------------- ----------- ----------------- ------------------------ ------------ + REPOSITORY TAG IMAGE ID CREATED SIZE +--------------- ----------- ----------------- ------------------------ ------------ + openeuler 21.03 aac8223a40e9 2021-04-02 00:56:46 210 MB +--------------- ----------- ----------------- ------------------------ ------------ +``` + +>![](./public_sys-resources/icon-note.gif) **Note** +>isula-build supports the import of container basic images with a maximum size of 1 GiB. + + + +#### load: Importing Cascade Images + +Cascade images are images that are saved to the local computer by running the docker save or isula-build ctr-img save command. The compressed image package contains a layer-by-layer image package named layer.tar. You can run the ctr-img load command to import the image to isula-build. + +The command is as follows: + +``` +isula-build ctr-img load [flags] +``` + +Currently, the following flags are supported: + +- -i, --input: path of the local .tar package. 
+ +Example: + +```sh +$ sudo isula-build ctr-img load -i ubuntu.tarGetting image source signatures +Copying blob sha256:cf612f747e0fbcc1674f88712b7bc1cd8b91cf0be8f9e9771235169f139d507c +Copying blob sha256:f934e33a54a60630267df295a5c232ceb15b2938ebb0476364192b1537449093 +Copying blob sha256:943edb549a8300092a714190dfe633341c0ffb483784c4fdfe884b9019f6a0b4 +Copying blob sha256:e7ebc6e16708285bee3917ae12bf8d172ee0d7684a7830751ab9a1c070e7a125 +Copying blob sha256:bf6751561805be7d07d66f6acb2a33e99cf0cc0a20f5fd5d94a3c7f8ae55c2a1 +Copying blob sha256:c1bd37d01c89de343d68867518b1155cb297d8e03942066ecb44ae8f46b608a3 +Copying blob sha256:a84e57b779297b72428fc7308e63d13b4df99140f78565be92fc9dbe03fc6e69 +Copying blob sha256:14dd68f4c7e23d6a2363c2320747ab88986dfd43ba0489d139eeac3ac75323b2 +Copying blob sha256:a2092d776649ea2301f60265f378a02405539a2a68093b2612792cc65d00d161 +Copying blob sha256:879119e879f682c04d0784c9ae7bc6f421e206b95d20b32ce1cb8a49bfdef202 +Copying blob sha256:e615448af51b848ecec00caeaffd1e30e8bf5cffd464747d159f80e346b7a150 +Copying blob sha256:f610bd1e9ac6aa9326d61713d552eeefef47d2bd49fc16140aa9bf3db38c30a4 +Copying blob sha256:bfe0a1336d031bf5ff3ce381e354be7b2bf310574cc0cd1949ad94dda020cd27 +Copying blob sha256:f0f15db85788c1260c6aa8ad225823f45c89700781c4c793361ac5fa58d204c7 +Copying config sha256:c07ddb44daa97e9e8d2d68316b296cc9343ab5f3d2babc5e6e03b80cd580478e +Writing manifest to image destination +Storing signatures +Loaded image as c07ddb44daa97e9e8d2d68316b296cc9343ab5f3d2babc5e6e03b80cd580478e +``` + +>![](./public_sys-resources/icon-note.gif) **Note:** +> +>The - isula-build load command can only be used to import a compressed image file that contains a single cascade image. +> +>- isula-build allows you to import a container image with a maximum size of 50 GB. + + + +#### rm: Deleting a Local Persistent Image + +You can run the rm command to delete an image from the local persistent storage. 
The command is as follows: + +``` +isula-build ctr-img rm IMAGE [IMAGE...] [FLAGS] +``` + +Currently, the following flags are supported: + +- -a, --all: deletes all images stored locally. +- -p, --prune: deletes all images that are stored locally and do not have tags. + +Example: + +```sh +$ sudo isula-build ctr-img rm -p +Deleted: sha256:78731c1dde25361f539555edaf8f0b24132085b7cab6ecb90de63d72fa00c01d +Deleted: sha256:eeba1bfe9fca569a894d525ed291bdaef389d28a88c288914c1a9db7261ad12c +``` + + + +#### save: Exporting Cascade Images + +You can run the save command to export the cascade images to the local disk. The command is as follows: + +``` +isula-build ctr-img save [REPOSITORY:TAG]|imageID -o xx.tar +``` + +The following example shows how to export an image in `image/tag` format: + +```sh +$ sudo isula-build ctr-img save busybox:latest -o busybox.tar +Getting image source signatures +Copying blob sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a +Copying blob sha256:824082a6864774d5527bda0d3c7ebd5ddc349daadf2aa8f5f305b7a2e439806f +Copying blob sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef +Copying config sha256:21c3e96ac411242a0e876af269c0cbe9d071626bdfb7cc79bfa2ddb9f7a82db6 +Writing manifest to image destination +Storing signatures +Save success with image: busybox:latest +``` + +The following example shows how to export an image in `ImageID` format: + +```sh +$ sudo isula-build ctr-img save 21c3e96ac411 -o busybox.tar +Getting image source signatures +Copying blob sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a +Copying blob sha256:824082a6864774d5527bda0d3c7ebd5ddc349daadf2aa8f5f305b7a2e439806f +Copying blob sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef +Copying config sha256:21c3e96ac411242a0e876af269c0cbe9d071626bdfb7cc79bfa2ddb9f7a82db6 +Writing manifest to image destination +Storing signatures +Save success with image: 21c3e96ac411 +``` + +The following 
example shows how to export multiple images to the same tarball: + +```sh +$ sudo isula-build ctr-img save busybox:latest nginx:latest -o all.tar +Getting image source signatures +Copying blob sha256:eb78099fbf7fdc70c65f286f4edc6659fcda510b3d1cfe1caa6452cc671427bf +Copying blob sha256:29f11c413898c5aad8ed89ad5446e89e439e8cfa217cbb404ef2dbd6e1e8d6a5 +Copying blob sha256:af5bd3938f60ece203cd76358d8bde91968e56491daf3030f6415f103de26820 +Copying config sha256:b8efb18f159bd948486f18bd8940b56fd2298b438229f5bd2bcf4cedcf037448 +Writing manifest to image destination +Storing signaturesGetting image source signatures +Copying blob sha256:e2d6930974a28887b15367769d9666116027c411b7e6c4025f7c850df1e45038 +Copying config sha256:a33de3c85292c9e65681c2e19b8298d12087749b71a504a23c576090891eedd6 +Writing manifest to image destination +Storing signatures +Save success with image: [busybox:latest nginx:latest] +``` + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +> +>- save exports an image in .tar format by default. If necessary, you can save the image and then manually compress it. +>- When exporting an image, specify the image integrity in the format of IMAGE_NAME:IMAGE_TAG. + + +#### tag: Tagging Local Persistent Images + +You can run the tag command to add a tag to a local persistent container image. 
The command is as follows: + +``` +isula-build ctr-img tag / busybox:latest +``` + +Example: + +```sh +$ sudo isula-build ctr-img images +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +REPOSITORY TAG IMAGE ID CREATED SIZE +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +alpine latest a24bb4013296 2020-05-29 21:19:46 5.85 MB +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +$ sudo isula-build ctr-img tag a24bb4013296 alpine:v1 +$ sudo isula-build ctr-img images +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +REPOSITORY TAG IMAGE ID CREATED SIZE +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +alpine latest a24bb4013296 2020-05-29 21:19:46 5.85 MB +alpine v1 a24bb4013296 2020-05-29 21:19:46 5.85 MB +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +``` + +#### pull: Pulling an Image To a Local Host + +Run the pull command to pull an image from a remote image repository to a local host. Command format: + +``` +isula-build ctr-img pull REPOSITORY[:TAG] +``` + +Example: + +```sh +$ sudo isula-build ctr-img pull example-registry/library/alpine:latest +Getting image source signatures +Copying blob sha256:8f52abd3da461b2c0c11fda7a1b53413f1a92320eb96525ddf92c0b5cde781ad +Copying config sha256:e4db68de4ff27c2adfea0c54bbb73a61a42f5b667c326de4d7d5b19ab71c6a3b +Writing manifest to image destination +Storing signatures +Pull success with image: example-registry/library/alpine:latest +``` + +#### push: Pushing a Local Image to a Remote Repository + +Run the push command to push a local image to a remote repository. 
Command format: + +``` +isula-build ctr-img push REPOSITORY[:TAG] +``` + +Example: + +```sh +$ sudo isula-build ctr-img push example-registry/library/mybusybox:latest +Getting image source signatures +Copying blob sha256:d2421964bad195c959ba147ad21626ccddc73a4f2638664ad1c07bd9df48a675 +Copying config sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f +Writing manifest to image destination +Storing signatures +Push success with image: example-registry/library/mybusybox:latest +``` + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +> +>- Before pushing an image, log in to the corresponding image repository. + + +### info: Viewing the Operating Environment and System Information + +You can run the isula-build info command to view the running environment and system information of isula-build. The command is as follows: + +``` + isula-build info [flags] +``` + +The following flags are supported: + +- -H, --human-readable: Boolean. The memory information is printed in the common memory format. The value is 1000 power. +- -V, --verbose: Boolean. The memory usage is displayed during system running. + +Example: + +```sh +$ sudo isula-build info -H + General: + MemTotal: 7.63 GB + MemFree: 757 MB + SwapTotal: 8.3 GB + SwapFree: 8.25 GB + OCI Runtime: runc + DataRoot: /var/lib/isula-build/ + RunRoot: /var/run/isula-build/ + Builders: 0 + Goroutines: 12 + Store: + Storage Driver: overlay + Backing Filesystem: extfs + Registry: + Search Registries: + oepkgs.net + Insecure Registries: + localhost:5000 + oepkgs.net + Runtime: + MemSys: 68.4 MB + HeapSys: 63.3 MB + HeapAlloc: 7.41 MB + MemHeapInUse: 8.98 MB + MemHeapIdle: 54.4 MB + MemHeapReleased: 52.1 MB +``` + +### login: Logging In to the Remote Image Repository + +You can run the login command to log in to the remote image repository. 
The command is as follows: + +``` + isula-build login SERVER [FLAGS] +``` + +Currently, the following flags are supported: + +``` + Flags: + -p, --password-stdin Read password from stdin + -u, --username string Username to access registry +``` + +Enter the password through stdin. In the following example, the password in creds.txt is transferred to the stdin of isula-build through a pipe for input. + +```sh + $ cat creds.txt | sudo isula-build login -u cooper -p mydockerhub.io + Login Succeeded +``` + +Enter the password in interactive mode. + +```sh + $ sudo isula-build login mydockerhub.io -u cooper + Password: + Login Succeeded +``` + +### logout: Logging Out of the Remote Image Repository + +You can run the logout command to log out of the remote image repository. The command is as follows: + +``` + isula-build logout [SERVER] [FLAGS] +``` + +Currently, the following flags are supported: + +``` + Flags: + -a, --all Logout all registries +``` + +Example: + +```sh + $ sudo isula-build logout -a + Removed authentications +``` + +### version: Querying the isula-build Version + +You can run the version command to view the current version information. + +```sh + $ sudo isula-build version + Client: + Version: 0.9.5-6 + Go Version: go1.15.7 + Git Commit: b82408f + Built: Tue Mar 30 11:08:00 2021 + OS/Arch: linux/amd64 + + Server: + Version: 0.9.5 + Go Version: go1.15.5 + Git Commit: 64dbad50 + Built: Mon Apr 12 20:30:31 2021 + OS/Arch: linux/amd64 +``` + + +## Directly Integrating a Container Engine + +isula-build can be integrated with iSulad or Docker to import the built container image to the local storage of the container engine. + +### Integration with iSulad + +Images that are successfully built can be directly exported to the iSulad. + +Example: + +```sh +$ sudo isula-build ctr-img build -f Dockerfile -o isulad:busybox:2.0 +``` + +Specify iSulad in the -o parameter to export the built container image to iSulad. You can query the image using isula images. 
+ +```sh +$ sudo isula images +isula images +REPOSITORY TAG IMAGE ID CREATED SIZE +busybox 2.0 2d414a5cad6d 2020-08-01 06:41:36 5.577 MB +``` + +>![](./public_sys-resources/icon-note.gif) **Note:** +> - It is required that isula-build and iSulad be on the same node. +> - When an image is directly exported to the iSulad, the isula-build client needs to temporarily store the successfully built image as `/var/lib/isula-build/tmp/[buildid]/isula-build-tmp-%v.tar` and then import it to the iSulad. Ensure that the /var/tmp/ directory has sufficient disk space. If the isula-build client process is killed or Ctrl+C is pressed during the export, you need to manually clear the `/var/lib/isula-build/tmp/[buildid]/isula-build-tmp-%v.tar` file. + +### Integration with Docker + +Images that are successfully built can be directly exported to the Docker daemon. + +Example: + +```sh +$ sudo isula-build ctr-img build -f Dockerfile -o docker-daemon:busybox:2.0 +``` + +Specify docker-daemon in the -o parameter to export the built container image to Docker. You can run the docker images command to query the image. + +```sh +$ sudo docker images +REPOSITORY TAG IMAGE ID CREATED SIZE +busybox 2.0 2d414a5cad6d 2 months ago 5.22MB +``` + +>![](./public_sys-resources/icon-note.gif) **Note:** +> +> - The isula-build and Docker must be on the same node. + +## \Appendix + + +### Command Line Parameters + +**Table 1** Parameters in the ctr-img build command + +| **Command** | **Parameter** | **Description** | +| ------------- | -------------- | ------------------------------------------------------------ | +| ctr-img build | --build-arg | String list, which contains variables required during the build. | +| | --build-static | Key value, which is used to build binary equivalence. Currently, the following key values are included: - build-time: string, which indicates that a fixed timestamp is used to build a container image. The timestamp format is YYYY-MM-DD HH-MM-SS. 
| +| | -f, --filename | String, which indicates the path of the Dockerfiles. If this parameter is not specified, the current path is used. | +| | --iidfile | String, which indicates the ID of the image output to a local file. | +| | -o, --output | String, which indicates the image export mode and path.| +| | --proxy | Boolean, which inherits the proxy environment variable on the host. The default value is true. | +| | --tag | String, which indicates the tag value of the image that is successfully built. | +| | --cap-add | String list, which contains permissions required by the RUN command during the build process.| + +**Table 2** Parameters in the ctr-img load command + +| **Command** | **Parameter** | **Description** | +| ------------ | ----------- | --------------------------------- | +| ctr-img load | -i, --input | String, Path of the local .tar package to be imported| + +**Table 3** Parameters in the ctr-img rm command + +| **Command** | **Parameter** | **Description** | +| ---------- | ----------- | --------------------------------------------- | +| ctr-img rm | -a, --all | Boolean, which is used to delete all local persistent images. | +| | -p, --prune | Boolean, which is used to delete all images that are stored persistently on the local host and do not have tags. | + +**Table 4** Parameters in the ctr-img save command + +| **Command** | **Parameter** | **Description** | +| ------------ | ------------ | ---------------------------------- | +| ctr-img save | -o, --output | String, which indicates the local path for storing the exported images.| + +**Table 5** Parameters in the login command + +| **Command** | **Parameter** | **Description** | +| -------- | -------------------- | ------------------------------------------------------- | +| login | -p, --password-stdin | Boolean, which indicates whether to read the password through stdin. or enter the password in interactive mode. 
| +| | -u, --username | String, which indicates the username for logging in to the image repository.| + +**Table 6** Parameters in the logout command + +| **Command** | **Parameter** | **Description** | +| -------- | --------- | ------------------------------------ | +| logout | -a, --all | Boolean, which indicates whether to log out of all logged-in image repositories. | + +### Communication Matrix + +The isula-build component processes communicate with each other through the Unix socket file. No port is used for communication. + +### File and Permission + +- All isula-build operations must be performed by the root user. To perform operations as a non-privileged user, you need to configure the --group option. + +- The following table lists the file permissions involved in the running of isula-build. + +| **File Path** | **File/Folder Permission** | **Description** | +| ------------------------------------------- | ------------------- | ------------------------------------------------------------ | +| /usr/bin/isula-build | 551 | Binary file of the command line tool. | +| /usr/bin/isula-builder | 550 | Binary file of the isula-builder process on the server. | +| /usr/lib/systemd/system/isula-build.service | 640 | systemd configuration file, which is used to manage the isula-build service. | +| /usr/isula-build | 650 | Root directory of the isula-builder configuration file. | +| /etc/isula-build/configuration.toml | 600 | General isula-builder configuration file, which sets the isula-builder log level, persistency directory, runtime directory, and OCI runtime. | +| /etc/isula-build/policy.json | 600 | Syntax file of the signature verification policy file. | +| /etc/isula-build/registries.toml | 600 | Configuration file of each image repository, including the available image repository list and image repository blacklist. | +| /etc/isula-build/storage.toml | 600 | Configuration file for local persistent storage, including the configuration of the used storage driver. 
| +| /etc/isula-build/isula-build.pub | 444 | Asymmetric encryption public key file. | +| /var/run/isula_build.sock | 660 | Local socket of isula-builder. | +| /var/lib/isula-build | 700 | Local persistency directory. | +| /var/run/isula-build | 700 | Local runtime directory. | +| /var/lib/isula-build/tmp/[buildid]/isula-build-tmp-*.tar | 644 | Local directory for temporarily storing the images when they are exported to the iSulad. | + + diff --git a/content/en/docs/Container/isulad-container-engine.md b/docs/en/docs/Container/isulad-container-engine.md similarity index 93% rename from content/en/docs/Container/isulad-container-engine.md rename to docs/en/docs/Container/isulad-container-engine.md index 5e5299c966d38474dfd602f0b4f100388a2609ba..54cd5ca2112776a9d584b4eb2e5132607a5dd743 100644 --- a/content/en/docs/Container/isulad-container-engine.md +++ b/docs/en/docs/Container/isulad-container-engine.md @@ -8,5 +8,5 @@ Compared with Docker, iSulad is a new container solution with a unified architec **Figure 1** Unified container architecture -![](figures/en-us_image_0183048952.png) +![](./figures/en-us_image_0183048952.png) diff --git a/docs/en/docs/Container/local-volume-management.md b/docs/en/docs/Container/local-volume-management.md new file mode 100644 index 0000000000000000000000000000000000000000..df43aed406db776f03cf7e8d620267c2166cd85a --- /dev/null +++ b/docs/en/docs/Container/local-volume-management.md 
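Review bot: in the "File and Permission" table of the isula-build guide, `/usr/isula-build` is listed with mode 650 as the "Root directory of the isula-builder configuration file", but every configuration file in the same table lives under `/etc/isula-build`, and 650 on a directory leaves the owner without search permission. Please confirm the path and the mode. In the iSulad integration note, the temporary tar is written to `/var/lib/isula-build/tmp/[buildid]/` while the next sentence asks the reader to keep free space in `/var/tmp/`; name the same directory in both places. The last table row describes `isula-build-tmp-*.tar` as a "Local directory" with mode 644; it is a file, and it is worth stating that it is only protected by the 700 mode of `/var/lib/isula-build`. Smaller points: `## \Appendix` carries a stray backslash, and the `-p, --password-stdin` description ("through stdin. or enter the password in interactive mode") is a broken sentence.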
@@ -0,0 +1,206 @@ +#Local Volume Management + + + +- [Local Volume Management](#local-volume-management) + - [Overview](#overview) + - [Precautions](#precautions) + - [Usage](#usage) + - [Using the -v Option to Mount Data](#using-the--v-option-to-mount-data) + - [**Format**](#format) + - [**Functions**](#functions) + - [**Parameter Description**](#parameter-description) + - [**Examples**](#examples) + - [Using the --mount Option to Mount Data](#using-the---mount-option-to-mount-data) + - [**Format**](#format-1) + - [**Functions**](#functions-1) + - [**Parameter Description**](#parameter-description-1) + - [**Examples**](#examples-1) + - [Reusing the Mounting Configuration in Other Containers](#reusing-the-mounting-configuration-in-other-containers) + - [**Format**](#format-2) + - [**Functions**](#functions-2) + - [**Parameter Description**](#parameter-description-2) + - [**Examples**](#examples-2) + - [Using the Anonymous Volume in an Image](#using-the-anonymous-volume-in-an-image) + - [Querying a Volume](#querying-a-volume) + - [**Format**](#format-3) + - [**Functions**](#functions-3) + - [**Parameter Description**](#parameter-description-3) + - [**Examples**](#examples-3) + - [Deleting a Volume](#deleting-a-volume) + - [**Format**](#format-4) + - [**Functions**](#functions-4) + - [**Parameter Description**](#parameter-description-4) + - [**Examples**](#examples-4) + - [Precautions](#precautions-1) + - [Conflict Combination Rules](#conflict-combination-rules) + - [Differences Between iSula and Docker](#differences-between-isula-and-docker) + + + +## Overview + +After a container managed by iSula is destroyed, all data in the container is destroyed. If you want to retain data after the container is destroyed, a data persistence mechanism is required. iSula allows files, directories, or volumes on a host to be mounted to a container at runtime. You can write the data to be persisted to the mount point in the container. 
After the container is destroyed, the files, directories, and volumes on the host are retained. If you need to delete a file, directory, or volume on the host, you can manually delete the file or directory, or run the iSula command to delete the volume. Currently, the iSula supports only local volume management. Local volumes are classified into named volumes and anonymous volumes. A volume whose name is specified by a user is called a named volume. If a user does not specify a name for a volume, iSula automatically generates a name (a 64-bit random number) for the volume, that is, an anonymous volume. + +The following describes how to use iSula to manage local volumes. + +## Precautions + +- The volume name contains 2 to 64 characters and complies with the regular expression ^[a-zA-Z0-9][a-zA-Z0-9_.-]{1,63}$. That is, the first character of the volume name must be a letter or digit, and other characters can be letters, digits, underscores (_), periods (.), and hyphens (-). +- During container creation, if data exists at the mount point of the container corresponding to the volume, the data is copied to the volume by default. If the iSula breaks down or restarts or the system is powered off during the copy process, the data in the volume may be incomplete. In this case, you need to manually delete the volume or the data in the volume to ensure that the data is correct and complete. + +## Usage + +### Using the -v Option to Mount Data + +#### **Format** + +```shell +isula run -v [SRC:]DST[:MODE,MODE...] IMAGE +``` + +#### **Functions** + +When you create and run a container, use the -v/--volume option to mount the files, directories, or volumes on the host to the container for data persistence. + +#### **Parameter Description** +- SRC: Path of the file, directory, or volume to be mounted on the host. If the value is an absolute path, a file or folder on the host is mounted. If the value is a volume name, a volume is mounted. 
If this parameter is not specified, an anonymous volume is mounted. If a folder or volume does not exist, iSula creates a folder or volume and then mounts it. +- DST: Mount path in the container. The value must be an absolute path. +- MODE: When the source to be mounted is a directory or file, the valid parameters are ro, rw, z, Z, private, rprivate, slave, rslave, shared, and rshared. Only one parameter of the same type can be configured. If the source is a volume, the valid parameters are ro, rw, z, Z, and nocopy. Only one parameter of the same type can be configured. Use commas (,) to separate multiple attributes. The parameters are described as follows: + +| Parameter | Description | +| -------- | -----------------------------------------------| +| ro | The mount point in the container is mounted in read-only mode. | +| rw | The mount point in the container is mounted in read/write mode. | +| z | If SELinux is enabled, add the SELinux share label during mounting. | +| Z | If SELinux is enabled, add the SELinux private label during mounting. | +| private | The mount point in the container is mounted in private propagation mode. | +| rprivate | The mount point in the container is recursively mounted in private propagation mode. | +| slave | The mount point in the container is mounted in subordinate propagation mode. | +| rslave | The mount point in the container is recursively mounted in subordinate propagation mode. | +| shared | The mount point in the container is mounted in shared propagation mode. | +| rshared | The mount point in the container is recursively mounted in shared propagation mode. | +| nocopy | Data at the mount point is not copied. If this parameter is not set, data is copied by default. In addition, if data already exists in the volume, the data will not be copied. | + + +#### **Examples** +Run the container based on BusyBox, create or mount a volume named vol to the /vol directory of the container, and set the mount point to read-only. 
In addition, if data exists at the mount point in the container, the data is not copied. +```shell +isula run -v vol:/vol:ro,nocopy busybox +``` + +### Using the --mount Option to Mount Data + +#### **Format** +```shell +isula run --mount [type=TYPE,][src=SRC,]dst=DST[,KEY=VALUE] busybox +``` + +#### **Functions** +When you create and run a container, use the --mount option to mount the files, directories, or volumes on the host to the container for data persistence. + +#### **Parameter Description** +- type: Type of data mounted to the container. The value can be bind, volume, or squashfs. If this parameter is not specified, the default value is volume. +- src: Path of the file, directory, or volume to be mounted on the host. If the value is an absolute path, the file or directory on the host is mounted. If the value is a volume name, a volume is mounted. If this parameter is not specified, the volume is an anonymous volume. If a folder or volume does not exist, iSula creates a file or volume and then mounts it. The keyword src is also called source. +- dst: Mount path in the container. The value must be an absolute path. The keyword dst is also called destination or target. +- KEY=VALUE: Parameter of --mount. The values are as follows: + +| KEY | VALUE | +| ------------------------------ | --------------------------------------------------------------------------- | +| selinux-opts/bind-selinux-opts | z or Z. z indicates that if SELinux is enabled, the SELinux share label is added during mounting. Z indicates that if SELinux is enabled, the SELinux private label is added during mounting. +| ro/readonly | 0/false indicates that the mount is read/write. 1/true indicates that the mount is read-only. If this parameter is not specified, the mount is read-only. The parameter is supported only when type is set to bind. | +| volume-nocopy | Data at the mount point is not copied. If this parameter is not specified, data is copied by default. 
In addition, if data already exists in the volume, the data will not be copied. This parameter is supported only when type is set to volume. | + +#### **Examples** +Run the container based on BusyBox, create or mount a volume named vol to the /vol directory of the container, and set the mount point to read-only. In addition, if data exists at the mount point in the container, the data is not copied. +```shell +isula run --mount type=volume,src=vol,dst=/vol,ro=true,volume-nocopy=true busybox +``` + +### Reusing the Mounting Configuration in Other Containers + +#### **Format** +```shell +isula run --volumes-from CON1[:MODE] busybox +``` + +#### **Functions** +When you create and run a container, use the --volumes-from option to indicate that the mount point configuration includes that of the CON1 container. You can set multiple --volumes-from options. + +#### **Parameter Description** +- CON1: Name or ID of the container whose mount point is reused. +- MODE: If the value is ro, the mount point is read-only. If the value is rw, the mount point is read/write. + +#### **Examples** +Assume that a container named container1 has been configured with a volume vol1 to the container directory /vol1, and a container named container2 has been configured with a volume vol2 to the container directory /vol2. Run a new container to reuse the mounting configuration of container1 and container2. That is, volume vol1 is mounted to the /vol1 directory of the container, and volume vol2 is mounted to the /vol2 directory of the container. +```shell +isula run --volumes-from container1 --volumes-from container2 busbyox +``` + +### Using the Anonymous Volume in an Image + +You do not need to perform any configuration to use the anonymous volume in the image. If an anonymous volume is configured in the image, iSula automatically creates an anonymous volume and mounts it to the specified path in the image at container runtime. 
You can write data to the mount point of an anonymous volume in a container for data persistence. + +### Querying a Volume + +#### **Format** +```shell +isula volume ls [OPTIONS] +``` + +#### **Functions** +This command is used to query all volumes managed by iSula. + +#### **Parameter Description** +Option: +- -q,--quit: If this parameter is not specified, only the volume driver information and volume name are queried by default. If this parameter is specified, only the volume name is queried. + +#### **Examples** +This command is used to query all volumes managed by iSula and return only the volume name. +```shell +isula volume ls -q +``` + +### Deleting a Volume + +#### **Format** +``` +isula volume rm [OPTIONS] VOLUME [VOLUME...] +isula volume prune [OPTIONS] +``` + +#### **Functions** +- rm: deletes a specified volume. If the volume is used by a container, the volume fails to be deleted. +- prune: deletes all volumes that are not used by containers. + +#### **Parameter Description** +OPTIONS in the prune command: +- -f,--force: specifies that the system does not display a message asking you whether to delete the volume. By default, a risk message is displayed. You need to enter y to continue the operation. + +#### **Examples** +Delete volumes vol1 and vol2. +```shell +isula volume rm vol1 vol2 +``` +Delete all unused volumes in the following format. No risk message is displayed. +```shell +isula volume prune -f +``` + +### Precautions + +#### Conflict Combination Rules +If a volume mount point conflict occurs, perform the following operations: +- If configurations of -v and --mount conflict, a failure message is returned. +- If the configuration obtained from --volumes-from conflicts with the -v or --mount configuration, the configuration is discarded. +- If the anonymous volume configuration in the image conflicts with the -v, --mount, or --volumes-from configuration, the configuration is discarded. 
+ +#### Differences Between iSula and Docker +| iSula Behavior | Docker Behavior | +| ------------------------------------------- | ------------------------------------------- | +| The volume name can contain a maximum of 64 characters. | The length of the volume name is not limited. | +| If the source to be mounted does not exist, the --mount parameter is created. | If the source to be mounted does not exist, an error is reported. | +| The --mount parameter supports the z or Z parameter configuration in bind-selinux-opts and selinux-opts. | The --mount parameter does not support the parameter configuration in the bind-selinux-opts and selinux-opts. | +| Rules for combining mount point conflicts are not processed. | The anonymous volume specified by -v is processed as the anonymous volume in the image. | +| The volume prune command displays the space that has been reclaimed. | The volume prune command does not display the space that has been reclaimed. | +| -v, --mount, and --volumes-from are configured in hostconfig, and the anonymous volume is configured in config. | The anonymous volume specified by -v is configured in config, and other configurations are configured in hostconfig. | diff --git a/content/en/docs/Container/managing-the-lifecycle-of-a-secure-container.md b/docs/en/docs/Container/managing-the-lifecycle-of-a-secure-container.md similarity index 97% rename from content/en/docs/Container/managing-the-lifecycle-of-a-secure-container.md rename to docs/en/docs/Container/managing-the-lifecycle-of-a-secure-container.md index d6a2cb3265d314e699a7a3cb198f033657724011..c16a2ee9a8a087af3d2b3643aba0a162d85f8b2a 100644 --- a/content/en/docs/Container/managing-the-lifecycle-of-a-secure-container.md +++ b/docs/en/docs/Container/managing-the-lifecycle-of-a-secure-container.md 
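Review bot: in local-volume-management.md, the `ro/readonly` row of the `--mount` KEY=VALUE table says "If this parameter is not specified, the mount is read-only", which reads as if bind mounts are read-only by default. Please state whether this means the key is omitted or only its value is omitted (`ro` with no `=true`), because readers will rely on it to decide whether a host path is writable from the container. The `selinux-opts/bind-selinux-opts` row above it is missing its closing `|`. The `--volumes-from` example ends in `busbyox` instead of `busybox`, the title `#Local Volume Management` needs a space after `#` to render as a heading, and `-q,--quit` under "Querying a Volume" looks like it should be `--quiet`; please check it against the CLI help. The overview calls the generated anonymous volume name "a 64-bit random number" while the Precautions allow names of 2 to 64 characters, so confirm which unit is meant.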
@@ -36,7 +36,7 @@ To start a secure container, perform the following steps: isula run -tid --runtime kata-runtime --network none busybox ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The secure container supports the CNI network only and does not support the CNM network. The **-p** and **--expose** options cannot be used to expose container ports. When using a secure container, you need to specify the **--net=none** option. 4. Start a pod. @@ -101,7 +101,7 @@ The pause container functions only as a placeholder container. Therefore, if you docker exec -ti ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >1. If the preceding command has no response because another host runs the **docker restart** or **docker stop** command to access the same container, you can press **Ctrl**+**P**+**Q** to exit the operation. >2. If the **-d** option is used, the command is executed in the background and no error information is displayed. The exit code cannot be used to determine whether the command is executed correctly. diff --git a/content/en/docs/Container/maximum-number-of-handles.md b/docs/en/docs/Container/maximum-number-of-handles.md similarity index 100% rename from content/en/docs/Container/maximum-number-of-handles.md rename to docs/en/docs/Container/maximum-number-of-handles.md diff --git a/content/en/docs/Container/monitoring-secure-containers.md b/docs/en/docs/Container/monitoring-secure-containers.md similarity index 100% rename from content/en/docs/Container/monitoring-secure-containers.md rename to docs/en/docs/Container/monitoring-secure-containers.md diff --git a/content/en/docs/Container/privileged-container.md b/docs/en/docs/Container/privileged-container.md similarity index 100% rename from content/en/docs/Container/privileged-container.md rename to docs/en/docs/Container/privileged-container.md 
diff --git a/content/en/docs/Container/public_sys-resources/icon-caution.gif b/docs/en/docs/Container/public_sys-resources/icon-caution.gif similarity index 100% rename from content/en/docs/Container/public_sys-resources/icon-caution.gif rename to docs/en/docs/Container/public_sys-resources/icon-caution.gif diff --git a/content/en/docs/Container/public_sys-resources/icon-danger.gif b/docs/en/docs/Container/public_sys-resources/icon-danger.gif similarity index 100% rename from content/en/docs/Container/public_sys-resources/icon-danger.gif rename to docs/en/docs/Container/public_sys-resources/icon-danger.gif diff --git a/content/en/docs/Container/public_sys-resources/icon-note.gif b/docs/en/docs/Container/public_sys-resources/icon-note.gif similarity index 100% rename from content/en/docs/Container/public_sys-resources/icon-note.gif rename to docs/en/docs/Container/public_sys-resources/icon-note.gif diff --git a/content/en/docs/Container/public_sys-resources/icon-notice.gif b/docs/en/docs/Container/public_sys-resources/icon-notice.gif similarity index 100% rename from content/en/docs/Container/public_sys-resources/icon-notice.gif rename to docs/en/docs/Container/public_sys-resources/icon-notice.gif diff --git a/content/en/docs/Container/public_sys-resources/icon-tip.gif b/docs/en/docs/Container/public_sys-resources/icon-tip.gif similarity index 100% rename from content/en/docs/Container/public_sys-resources/icon-tip.gif rename to docs/en/docs/Container/public_sys-resources/icon-tip.gif diff --git a/content/en/docs/Container/public_sys-resources/icon-warning.gif b/docs/en/docs/Container/public_sys-resources/icon-warning.gif similarity index 100% rename from content/en/docs/Container/public_sys-resources/icon-warning.gif rename to docs/en/docs/Container/public_sys-resources/icon-warning.gif 
diff --git a/content/en/docs/Container/querying-information.md b/docs/en/docs/Container/querying-information.md similarity index 100% rename from content/en/docs/Container/querying-information.md rename to docs/en/docs/Container/querying-information.md diff --git a/content/en/docs/Container/reboot-or-shutdown-in-a-container.md b/docs/en/docs/Container/reboot-or-shutdown-in-a-container.md similarity index 100% rename from content/en/docs/Container/reboot-or-shutdown-in-a-container.md rename to docs/en/docs/Container/reboot-or-shutdown-in-a-container.md diff --git a/content/en/docs/Container/secure-container.md b/docs/en/docs/Container/secure-container.md similarity index 90% rename from content/en/docs/Container/secure-container.md rename to docs/en/docs/Container/secure-container.md index 5f5e7b51446f18fc11dd1fc025e6cef8d8467c36..760d0296ff0c680eeba4c07dc4be7e6683a7d750 100644 --- a/content/en/docs/Container/secure-container.md +++ b/docs/en/docs/Container/secure-container.md @@ -12,7 +12,7 @@ Secure containers are isolated by the virtualization layers. Containers on the s **Figure 1** Secure container architecture -![](figures/安全容器框架1.png) +![](./figures/secure-container.png) Secure containers are closely related to the concept of pod in Kubernetes. Kubernetes is the open-source ecosystem standard for the container scheduling management platform. It defines a group of container runtime interfaces \(CRIs\). 
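Review bot: the Figure 1 line in secure-container.md changes the file name as well as the path (`figures/安全容器框架1.png` becomes `./figures/secure-container.png`), unlike the other image lines in this change, which only gain a `./` prefix. Please make sure `figures/secure-container.png` is added or renamed in the same change, otherwise the architecture figure renders as a broken image.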
@@ -25,5 +25,5 @@ In a secure container, you can start a single container or start a pod. [Figure 2](#fig17734185518269) shows the relationship between the secure container and peripheral components. **Figure 2** Relationship between the secure container and peripheral components -![](figures/relationship-between-the-secure-container-and-peripheral-components.png "relationship-between-the-secure-container-and-peripheral-components") +![](./figures/relationship-between-the-secure-container-and-peripheral-components.png "relationship-between-the-secure-container-and-peripheral-components") diff --git a/content/en/docs/Container/security-and-isolation.md b/docs/en/docs/Container/security-and-isolation.md similarity index 99% rename from content/en/docs/Container/security-and-isolation.md rename to docs/en/docs/Container/security-and-isolation.md index ad8608788471782846e03fca5bc8336732c8caf1..ada1aada90a1c37d05acf92751d5ed5c0f461eb8 100644 --- a/content/en/docs/Container/security-and-isolation.md +++ b/docs/en/docs/Container/security-and-isolation.md @@ -49,7 +49,7 @@ In system containers, you can configure the **--user-remap** API parameter to ### Usage Guide ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Before specifying the **--user-remap** parameter, configure an offset value for UIDs and GIDs of all directories and files in rootfs. The offset value should be equal to that for _uid_ and _gid_ in **--user-remap**. >For example, run the following command to offset UIDs and GIDs of all files in the **dev** directory with 100000: >chown 100000:100000 dev 
@@ -187,7 +187,7 @@ You can configure the startup parameters of the iSulad container engine to speci - Alice can perform any container operations: **\{"name":"policy\_5","users":\["alice"\],"actions":\["container"\]\}** - Alice can perform any container operations, but the request type can only be **get**: **\{"name":"policy\_5","users":\["alice"\],"actions":\["container"\], "readonly":true\}** - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >- **action** indicates that regular expressions are supported. >- **users** indicates that regular expressions are not supported. >- Users configured in **users** must be unique. That is, a user cannot match multiple rules. diff --git a/content/en/docs/Container/security-features.md b/docs/en/docs/Container/security-features.md similarity index 98% rename from content/en/docs/Container/security-features.md rename to docs/en/docs/Container/security-features.md index 09eab1a3e499c34b36687f3d232d9a9ad0833839..667f89a14a263b34ef6ce9ca001524cd907fe09b 100644 --- a/content/en/docs/Container/security-features.md +++ b/docs/en/docs/Container/security-features.md @@ -47,7 +47,7 @@ Use **--security-opt** to transfer the configuration file to the container whe isula run -itd --security-opt seccomp=/path/to/seccomp/profile.json rnd-dockerhub.huawei.com/official/busybox ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >1. When the configuration file is transferred to the container by using **--security-opt** during container creation, the default configuration file \(**/etc/isulad/seccomp\_default.json**\) is used. >2. When **--security-opt** is set to **unconfined** during container creation, system calls are not filtered for the container. >3. **/path/to/seccomp/profile.json** must be an absolute path. 
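Review bot: item 1 of the NOTE in the `@@ -47,7 +47,7 @@` hunk of security-features.md says the default profile `/etc/isulad/seccomp_default.json` is used "when the configuration file is transferred to the container by using --security-opt", which contradicts the sentence just above the example ("Use --security-opt to transfer the configuration file to the container"). It presumably should read "is not transferred". Since the NOTE block is being touched here anyway, please correct it, because as written a reader cannot tell which seccomp profile is in force.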
@@ -133,7 +133,7 @@ The configuration file template is as follows: } ``` ->![](public_sys-resources/icon-notice.gif) **NOTICE:** +>![](./public_sys-resources/icon-notice.gif) **NOTICE:** >- **defaultAction** and **syscalls**: The types of their corresponding actions are the same, but their values must be different. The purpose is to ensure that each syscall has a default action. Clear definitions in the syscall array shall prevail. As long as the values of **defaultAction** and **action** are different, no action conflicts will occur. The following actions are supported: > **SCMP\_ACT\_ERRNO**: forbids calling syscalls and displays error information. > **SCMP\_ACT\_ALLOW**: allows calling syscalls. @@ -217,7 +217,7 @@ Security-Enhanced Linux \(SELinux\) is a Linux kernel security module that provi - The introduction of SELinux affects the performance. Therefore, evaluate the scenario before setting SELinux. Enable the SELinux function for the daemon and set the SELinux configuration in the container only when necessary. - When you configure labels for a mounted volume, the source directory cannot be a subdirectory of **/**, **/usr**, **/etc**, **/tmp**, **/home**, **/run**, **/var**, **/root**, or **/usr**. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- iSulad does not support labeling the container file system. To ensure that the container file system and configuration directory are labeled with the container access permission, run the **chcon** command to label them. >- If SELinux access control is enabled for iSulad, you are advised to add a label to the **/var/lib/isulad** directory before starting daemon. Files and folders generated in the directory during container creation inherit the label by default. For example: > ``` 
diff --git a/content/en/docs/Container/shared-memory-channels.md b/docs/en/docs/Container/shared-memory-channels.md similarity index 99% rename from content/en/docs/Container/shared-memory-channels.md rename to docs/en/docs/Container/shared-memory-channels.md index b82de5bda7d032e6e7545a7ea4f9391ca77be228..f00335a8fe96cb4b9e08c181566800601a15d63a 100644 --- a/content/en/docs/Container/shared-memory-channels.md +++ b/docs/en/docs/Container/shared-memory-channels.md @@ -52,7 +52,7 @@ dd: error writing '/testdir/test.file': No space left on device 33554432 bytes (34 MB, 32 MiB) copied, 0.0766899 s, 438 MB/s ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- If **--host-channel** is used for size limit, the file size is constrained by the memory limit in the container. \(The OOM error may occur when the memory usage reaches the upper limit.\) >- If a user creates a shared file on the host, the file size is not constrained by the memory limit in the container. >- If you need to create a shared file in the container and the service is memory-intensive, you can add the value of **--host-channel** to the original value of the container memory limit, eliminating the impact. diff --git a/content/en/docs/Container/specifying-rootfs-to-create-a-container.md b/docs/en/docs/Container/specifying-rootfs-to-create-a-container.md similarity index 98% rename from content/en/docs/Container/specifying-rootfs-to-create-a-container.md rename to docs/en/docs/Container/specifying-rootfs-to-create-a-container.md index ada346f99c309b483c72ccc808132126159ca8e8..8b0763f4d276fbf56c952c00acc251abbf1160ac 100644 --- a/content/en/docs/Container/specifying-rootfs-to-create-a-container.md +++ b/docs/en/docs/Container/specifying-rootfs-to-create-a-container.md 
@@ -44,6 +44,6 @@ If the local rootfs path is **/root/myrootfs**, run the following command to st # isula run -tid --system-container --external-rootfs /root/myrootfs none init ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Rootfs is a user-defined file system. Prepare it by yourself. For example, a rootfs is generated after the TAR package of container images is decompressed. diff --git a/content/en/docs/Container/statistics.md b/docs/en/docs/Container/statistics.md similarity index 100% rename from content/en/docs/Container/statistics.md rename to docs/en/docs/Container/statistics.md diff --git a/content/en/docs/Container/supporting-oci-hooks.md b/docs/en/docs/Container/supporting-oci-hooks.md similarity index 100% rename from content/en/docs/Container/supporting-oci-hooks.md rename to docs/en/docs/Container/supporting-oci-hooks.md diff --git a/content/en/docs/Container/system-container.md b/docs/en/docs/Container/system-container.md similarity index 100% rename from content/en/docs/Container/system-container.md rename to docs/en/docs/Container/system-container.md diff --git a/content/en/docs/Container/uninstallation.md b/docs/en/docs/Container/uninstallation.md similarity index 100% rename from content/en/docs/Container/uninstallation.md rename to docs/en/docs/Container/uninstallation.md diff --git a/content/en/docs/Container/upgrade-methods.md b/docs/en/docs/Container/upgrade-methods.md similarity index 95% rename from content/en/docs/Container/upgrade-methods.md rename to docs/en/docs/Container/upgrade-methods.md index 31e8df2eeb06351021eb2036e056d338fe9f4cf4..5294263ed82402538f59fb9cfe43f950e9b367e8 100644 --- a/content/en/docs/Container/upgrade-methods.md +++ b/docs/en/docs/Container/upgrade-methods.md 
@@ -8,7 +8,7 @@ - For an upgrade between major versions, for example, upgrading 1.x.x to 2.x.x, save the current configuration file **/etc/isulad/daemon.json**, uninstall the existing iSulad software package, install the iSulad software package to be upgraded, and restore the configuration file. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- You can run the **sudo rpm -qa |grep iSulad** or **isula version** command to check the iSulad version. >- If you want to manually perform upgrade between patch versions of a major version, run the following command to download the RPM packages of iSulad and all its dependent libraries: > ``` diff --git a/content/en/docs/Container/usage-guide.md b/docs/en/docs/Container/usage-guide.md similarity index 100% rename from content/en/docs/Container/usage-guide.md rename to docs/en/docs/Container/usage-guide.md diff --git a/content/en/docs/Container/using-systemd-to-start-a-container.md b/docs/en/docs/Container/using-systemd-to-start-a-container.md similarity index 100% rename from content/en/docs/Container/using-systemd-to-start-a-container.md rename to docs/en/docs/Container/using-systemd-to-start-a-container.md diff --git a/content/en/docs/Container/writable-namespace-kernel-parameters.md b/docs/en/docs/Container/writable-namespace-kernel-parameters.md similarity index 100% rename from content/en/docs/Container/writable-namespace-kernel-parameters.md rename to docs/en/docs/Container/writable-namespace-kernel-parameters.md diff --git a/docs/en/docs/Installation/FAQ1.md b/docs/en/docs/Installation/FAQ1.md new file mode 100644 index 0000000000000000000000000000000000000000..9f065f6c2b1f9e7d18c90b3f8f76f04fa50a2ee4 --- /dev/null +++ b/docs/en/docs/Installation/FAQ1.md 
@@ -0,0 +1,26 @@ +# FAQ + + +- [FAQ](#faq) + - [Failing to Start the Raspberry Pi](#树莓派启动失败) + - [Symptom](#问题现象) + - [Cause Analysis](#原因分析) + - [Solution](#解决方法) + + +## Failing to Start the Raspberry Pi + +### Symptom + +After the Raspberry Pi image released by the openEuler is written to the SD card, the Raspberry Pi fails to be started. + +### Cause Analysis + +The possible causes are as follows: + +1. The downloaded image file is incomplete. To avoid this problem, ensure that the image passes the integrity verification. +2. An error occurs when the image is written to the SD card. In most cases, the error occurs when the image is written to the SD card in the Windows environment using the application software. + +### Solution + +Re-write the complete image to the SD card. \ No newline at end of file diff --git a/docs/en/docs/Installation/Installation-Guide1.md b/docs/en/docs/Installation/Installation-Guide1.md new file mode 100644 index 0000000000000000000000000000000000000000..763dcf35f37ef5ffb54423573dbc20037130f21c --- /dev/null +++ b/docs/en/docs/Installation/Installation-Guide1.md 
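Review bot: In FAQ1.md, the table of contents at the top of the new file links to `#faq`, `#树莓派启动失败`, `#问题现象`, `#原因分析` and `#解决方法`, but the headings added below are English ("Failing to Start the Raspberry Pi", "Symptom", "Cause Analysis", "Solution"), so as far as this hunk shows four of the five links resolve to nothing. Point the entries at the English heading anchors. The "Solution" also only says to re-write the image, while cause 1 is an incomplete download; it should tell the reader to re-run the integrity verification (and download again if it fails) before writing the image a second time.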
@@ -0,0 +1,188 @@ +# Installation Guide + +This section describes how to enable the Raspberry Pi function after [Writing Raspberry Pi Images into the SD card](./安装方式介绍-1.html). + + +- [Installation Guide](#安装指导) + - [Starting the System](#启动系统) + - [Logging in to the System](#启动系统) + - [Configuring the System](#启动系统) + - [Expanding the Root Directory Partition](#扩展根目录分区) + - [Connecting to the Wi-Fi Network](#连接-wifi) + + +## Starting the System + +After an image is written into the SD card, insert the SD card into the Raspberry Pi and power on the SD card. + +For details about the Raspberry Pi hardware, visit the [Raspberry Pi official website](https://www.raspberrypi.org/). + +## Logging in to the System + +You can log in to the Raspberry Pi in either of the following ways: + +1. Local login + + Connect the Raspberry Pi to the monitor (the Raspberry Pi video output interface is Micro HDMI), keyboard, and mouse, and start the Raspberry Pi. The Raspberry Pi startup log is displayed on the monitor. After Raspberry Pi is started, enter the user name **root** and password **openeuler** to log in. + +2. SSH remote login + + By default, the Raspberry Pi uses the DHCP mode to automatically obtain the IP address. If the Raspberry Pi is connected to a known router, you can log in to the router to check the IP address. The new IP address is the Raspberry Pi IP address. + + **Figure 1** Obtain the IP address + ![](./figures/Obtain the IP address) + + According to the preceding figure, the IP address of the Raspberry Pi is **192.168.31.109**. You can run the `ssh root@192.168.31.109` command and enter the password `openeuler` to remotely log in to the Raspberry Pi. + +## Configuring the System + +### Expanding the Root Directory Partition + +The space of the default root directory partition is small. Therefore, you need to expand the partition capacity before using it. + +To expand the root directory partition capacity, perform the following procedure: + +1. 
Run the `fdisk -l` command as the root user to check the drive partition information. The command output is as follows: + + ``` + # fdisk -l + Disk /dev/mmcblk0: 14.86 GiB, 15931539456 bytes, 31116288 sectors + Units: sectors of 1 * 512 = 512 bytes + Sector size (logical/physical): 512 bytes / 512 bytes + I/O size (minimum/optimal): 512 bytes / 512 bytes + Disklabel type: dos + Disk identifier: 0xf2dc3842 + + Device Boot Start End Sectors Size Id Type + /dev/mmcblk0p1 * 8192 593919 585728 286M c W95 FAT32 (LBA) + /dev/mmcblk0p2 593920 1593343 999424 488M 82 Linux swap / Solaris + /dev/mmcblk0p3 1593344 5044223 3450880 1.7G 83 Linux + ``` + + The drive letter of the SD card is **/dev/mmcblk0**, which contains three partitions: + + - **/dev/mmcblk0p1**: boot partition + - **/dev/mmcblk0p2**: swap partition + - **/dev/mmcblk0p3**: root directory partition + + Here, we need to expand the capacity of `/dev/mmcblk0p3`. + +2. Run the `fdisk /dev/mmcblk0` command as the root user and the interactive command line interface (CLI) is displayed. To expand the partition capacity, perform the following procedure as shown in [Figure 2](#zh-cn_topic_0151920806_f6ff7658b349942ea87f4521c0256c315). + + 1. Enter `p` to check the partition information. + + Record the start sector number of `/dev/mmcblk0p3`. That is, the value in the `Start` column of the `/dev/mmcblk0p3` information. In the example, the start sector number is `1593344`. + + 2. Enter `d` to delete the partition. + + 3. Enter `3` or press `Enter` to delete the partition whose number is `3`. That is, the `/dev/mmcblk0p3`. + + 4. Enter `n` to create a partition. + + 5. Enter `p` or press `Enter` to create a partition of the `Primary` type. + + 6. Enter `3` or press `Enter` to create a partition whose number is `3`. That is, the `/dev/mmcblk0p3`. + + 7. Enter the start sector number of the new partition. That is, the start sector number recorded in Step `1`. In the example, the start sector number is `1593344`. 
+ + > ![](./public_sys-resources/icon-notice.gif) **NOTE:** +Do not press **Enter** or use the default parameters. + + 8. Press `Enter` to use the last sector number by default as the end sector number of the new partition. + + 9. Enter `N` without changing the sector ID. + + 10. Enter `w` to save the partition settings and exit the interactive CLI. + + **Figure 2** Expand the partition capacity +![](./figures/Expand the partition capacity) + +3. Run the `fdisk -l` command as the root user to check the drive partition information and ensure that the drive partition is correct. The command output is as follows: + + ``` + # fdisk -l + Disk /dev/mmcblk0: 14.86 GiB, 15931539456 bytes, 31116288 sectors + Units: sectors of 1 * 512 = 512 bytes + Sector size (logical/physical): 512 bytes / 512 bytes + I/O size (minimum/optimal): 512 bytes / 512 bytes + Disklabel type: dos + Disk identifier: 0xf2dc3842 + + Device Boot Start End Sectors Size Id Type + /dev/mmcblk0p1 * 8192 593919 585728 286M c W95 FAT32 (LBA) + /dev/mmcblk0p2 593920 1593343 999424 488M 82 Linux swap / Solaris + /dev/mmcblk0p3 1593344 31116287 29522944 14.1G 83 Linux + ``` + +4. Run the `resize2fs /dev/mmcblk0p3` command as the root user to increase the size of the unloaded file system. + +5. Run the `df -lh` command to check the drive space information and ensure that the root directory partition has been expanded. + + > ![](./public_sys-resources/icon-notice.gif) **NOTE:** +If the root directory partition is not expanded, run the `reboot` command to restart the Raspberry Pi and then run the `resize2fs /dev/mmcblk0p3` command as the root user. + +### Connecting to the Wi-Fi Network + +To connect to the Wi-Fi network, perform the following procedure: + +1. Check the IP address and network adapter information. 
+ + `ip a` + + Obtain information about the wireless network adapter **wlan0**: + + ``` + 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever + 2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000 + link/ether dc:a6:32:50:de:57 brd ff:ff:ff:ff:ff:ff + inet 192.168.31.109/24 brd 192.168.31.255 scope global dynamic noprefixroute eth0 + valid_lft 41570sec preferred_lft 41570sec + inet6 fe80::cd39:a969:e647:3043/64 scope link noprefixroute + valid_lft forever preferred_lft forever + 3: wlan0: mtu 1500 qdisc fq_codel state DOWN group default qlen 1000 + link/ether e2:e6:99:89:47:0c brd ff:ff:ff:ff:ff:ff + ``` + +2. Scan information about available Wi-Fi networks. + + `nmcli dev wifi` + +3. Connect to the Wi-Fi network. + + Run the `nmcli dev wifi connect SSID password PWD` command as the root user to connect to the Wi-Fi network. + + In the command, `SSID` indicates the SSID of the available Wi-Fi network scanned in the preceding step, and `PWD` indicates the password of the Wi-Fi network. For example, if the `SSID` is `openEuler-wifi`and the password is `12345678`, the command for connecting to the Wi-Fi network is `nmcli dev wifi connect openEuler-wifi password 12345678`. The connection is successful. + + ``` + Device 'wlan0' successfully activated with '26becaab-4adc-4c8e-9bf0-1d63cf5fa3f1'. + ``` + +4. Check the IP address and wireless network adapter information. 
+ + `ip a` + + ``` + 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever + 2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000 + link/ether dc:a6:32:50:de:57 brd ff:ff:ff:ff:ff:ff + inet 192.168.31.109/24 brd 192.168.31.255 scope global dynamic noprefixroute eth0 + valid_lft 41386sec preferred_lft 41386sec + inet6 fe80::cd39:a969:e647:3043/64 scope link noprefixroute + valid_lft forever preferred_lft forever + 3: wlan0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 + link/ether dc:a6:32:50:de:58 brd ff:ff:ff:ff:ff:ff + inet 192.168.31.110/24 brd 192.168.31.255 scope global dynamic noprefixroute wlan0 + valid_lft 43094sec preferred_lft 43094sec + inet6 fe80::394:d086:27fa:deba/64 scope link noprefixroute + valid_lft forever preferred_lft forever + ``` \ No newline at end of file diff --git a/docs/en/docs/Installation/Installation-Modes1.md b/docs/en/docs/Installation/Installation-Modes1.md new file mode 100644 index 0000000000000000000000000000000000000000..30b15df258893f11d90d7249036a1f8d31e0d6fe --- /dev/null +++ b/docs/en/docs/Installation/Installation-Modes1.md 
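Review bot: In Installation-Guide1.md, "Logging in to the System" documents the fixed account **root** with password **openeuler** and then shows `ssh root@192.168.31.109` with that same password, but nothing in the added file tells the reader to change it, so a board set up by following this guide stays reachable over SSH with a published root password. Add a step right after the login section telling the user to run `passwd` at first login, before the board is left on a shared network. Two smaller points in the same hunk: under "Starting the System", "power on the SD card" should read "power on the Raspberry Pi"; and the Wi-Fi step passes the passphrase as a command-line argument (`nmcli dev wifi connect SSID password PWD`), which leaves it in the shell history, so mention `nmcli --ask dev wifi connect SSID` as the prompt-based alternative.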
@@ -0,0 +1,121 @@ +# Installation Modes + +> ![](./public_sys-resources/icon-notice.gif) **NOTE:** +> +> - The hardware supports only Raspberry Pi 3B/3B+/4B. +> - The installation is performed by writing images to the SD card. This section describes how to write images using Windows, Linux, and Mac. +> - The image used in this section is the Raspberry Pi image of openEuler. For details about how to obtain the image, see [Installation Preparations](./安装准备-1.html). + + + +- [Installation Modes](./Installation Modes) + - [Writing Images Using Windows](./Writing Images Using Windows) + - [Formatting the SD Card](./Formatting the SD Card) + - [Writing Images to the SD Card](./Writing Images to the SD Card) + - [Writing Images Using Linux](./Writing Images Using Linux) + - [Checking Drive Partition Information](./Checking Drive Partition Information) + - [Unmouting the SD Card](./Unmouting the SD Card) + - [Writing Images to the SD Card](./Writing Images to the SD Card) + - [Writing Images Using the Mac OS](./Writing Images Using the Mac OS) + - [Checking Drive Partition Information](./Checking Drive Partition Information) + - [Unmouting the SD Card](./Unmouting the SD Card) + - [Writing Images to the SD Card](./Writing Images to the SD Card) + + +## Writing Images Using Windows + +This section uses Windows 10 as an example to describe how to write images to the SD card using Windows. + +### Formatting the SD Card + +To format the SD card, perform the following procedure: + +1. Download and install the tool for SD card formatting. The following operations use the SD Card Formatter as an example. + +2. Start the SD Card Formatter. In **Select card**, select the drive letter of the SD card to be formatted. + + If no image has been installed in the SD card, only one drive letter exists. In **Select card**, select the drive letter of the SD card to be formatted. + + If an image has been installed in the SD card, one or more drive letters exist. 
In **Select card**, select the drive letter E of the boot partition corresponding to the SD card to be formatted. The SD card corresponds to three drive letters: E, G, and H, as shown in the following figure: + + Figure 1 Drive letter +![](./figures/Drive letter) + +3. In **Formatting options**, select a formatting mode. The default mode is **Quick format**. + +4. Click **Format** to start formatting. A progress bar is displayed to show the formatting progress. + +5. After the formatting is completed, a dialog box is displayed, indicating that formatting is successfully completed. Click **OK**. + +### Writing Images to the SD Card + +> ![](./public_sys-resources/icon-notice.gif) **NOTE:** +If the compressed image file **openEuler-21.03-raspi-aarch64.img.xz** is obtained, decompress the file to obtain the **openEuler-21.03-raspi-aarch64.img** image file. + +To write the **openEuler-21.03-raspi-aarch64.img** image file to the SD card, perform the following procedure: + +1. Download and install the tool for writing images. The following operations use the Win32 Disk Imager as an example. +2. Start the Win32 Disk Imager and right-click **Run as administrator**. +3. Select the path of the image file in IMG format from the **Image File** drop-down list box. +4. In **Device**, select the drive letter of the SD card to which data is written. +5. Click **Write**. A progress bar is displayed to show the progress of writing data to the SD card. +6. After the write operation is completed, a dialog box is displayed, indicating that the write operation is successfully completed. Click **OK**. + +## Writing Images Using Linux + +This section describes how to write images to the SD card in the Linux environment. + +### Checking Drive Partition Information + +Run the `fdisk -l` command as the root user to obtain the information of the SD card and drive partitions. For example, the drive partition corresponding to the SD card can be /dev/sdb. + +### Unmouting the SD Card + +1. 
Run the `df -lh` command to check the mounted volumes. + +2. If the partitions corresponding to the SD card are not mounted, skip this step. If the partitions corresponding to the SD card are mounted, for example, /dev/sdb1 and /dev/sdb3, run the following commands as the root user to unmount the partitions: + + `umount /dev/sdb1` + + `umount /dev/sdb3` + +### Writing Images to the SD Card + +1. If the image obtained is compressed, run the `xz -d openEuler-21.03-raspi-aarch64.img.xz` command to decompress the compressed file to obtain the **openEuler-21.03-raspi-aarch64.img** image file. Otherwise, skip this step. + +2. Run the following command as the root user to write the `openEuler-21.03-raspi-aarch64.img` image to the SD card: + + `dd bs=4M if=openEuler-21.03-raspi-aarch64.img of=/dev/sdb` + + > ![](./public_sys-resources/icon-note.gif) **NOTE:** Generally, the block size is set to 4 MB. If the write operation fails or the written image cannot be used, you can set the block size to 1 MB and try again. However, the write operation is time-consuming when the block size is set to 1 MB. + +## Writing Images Using the Mac OS + +This section describes how to flash images to the SD card in the Mac environment. + +### Checking Drive Partition Information + +Run the `diskutil list` command as user root to obtain the information of SD cards and drive partitions. For example, the drive partition corresponding to the SD card can be /dev/disk3. + +### Unmouting the SD Card + +1. Run the `df -lh` command to check the mounted volumes. + +2. If the partitions corresponding to the SD card are not mounted, skip this step. If the partitions corresponding to the SD card are mounted, for example, dev/disk3s1 and /dev/disk3s3, run the following commands as the root user to unmount the partitions: + + `diskutil umount /dev/disk3s1` + + `diskutil umount /dev/disk3s3` + +### Writing Images to the SD Card + +1. 
If the image obtained is compressed, run the `xz -d openEuler-21.03-raspi-aarch64.img.xz` command to decompress the compressed file to obtain the **openEuler-21.03-raspi-aarch64.img** image file. Otherwise, skip this step. + +2. Run the following command as the root user to write the image `openEuler-21.03-raspi-aarch64.img` to the SD card: + + `dd bs=4m if=openEuler-21.03-raspi-aarch64.img of=/dev/sdb` + + > ![](./public_sys-resources/icon-note.gif) **NOTE:** + > + > Generally, the block size is set to 4 MB. If the write operation fails or the written image cannot be used, you can set the block size to 1 MB and try again. However, the write operation is time-consuming when the block size is set to 1 MB. + diff --git a/docs/en/docs/Installation/Installation-Preparations1.md b/docs/en/docs/Installation/Installation-Preparations1.md new file mode 100644 index 0000000000000000000000000000000000000000..f3fb9d318d1620a2cdb2b1c24e9d338b70891bb4 --- /dev/null +++ b/docs/en/docs/Installation/Installation-Preparations1.md 
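Review bot: In Installation-Modes1.md, the macOS section "Writing Images to the SD Card" ends with `dd bs=4m if=openEuler-21.03-raspi-aarch64.img of=/dev/sdb`, while the two macOS steps before it identify the card as /dev/disk3 (`diskutil list`, `diskutil umount /dev/disk3s1`); /dev/sdb is the device from the Linux example, so the command as written does not target the card the reader has just unmounted. Change it to `of=/dev/disk3`, and because `dd` overwrites whatever device it is given, add a sentence in both the Linux and macOS sections telling the reader to confirm the device name against the `fdisk -l` or `diskutil list` output before running it. Also in this hunk: `dev/disk3s1` is missing its leading slash, "Unmouting" should be "Unmounting" in the headings and TOC entries, and the TOC links (`./Writing Images Using Windows` and the rest) are relative paths containing spaces rather than heading anchors.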
@@ -0,0 +1,125 @@ +# Installation Preparations + +This section describes the compatibility of the hardware and software and the related configurations and preparations required for the installation. + + +- [Installation Preparations](#安装准备) + - [Obtaining the Installation Source](#获取安装源) + - [Verifying the Image Integrity](#镜像完整性校验) + - [Overview](#简介) + - [Prerequisites](#前提条件) + - [Procedure](#操作指导) + - [Installation Requirements](#安装要求) + - [Hardware Compatibility](#硬件兼容支持) + - [Minimum Hardware Specifications](#最小硬件要求) + + +## Obtaining the Installation Source + +Before installation, obtain the openEuler Raspberry Pi image and its verification file. + +1. Log in to the [openEuler Community](https://openeuler.org) website. + +2. Click **Download**. + +3. Click the **Link** provided after **Download ISO**. The download list is displayed. + +4. Click **openEuler-21.03**. The openEuler 21.03 version download list is displayed. + +5. Click **Raspberry Pi**. The Raspberry Pi image download list is displayed. + + - **aarch64**: image of the AArch64 architecture + +6. Click **aarch64** to download the Raspberry Pi AArch64 image download list. + +7. Click **openEuler-21.03-raspi-aarch64.img.xz** to download the openEuler Raspberry Pi image to the local PC. + +8. Click **openEuler-21.03-raspi-aarch64.img.xz.sha256sum** to download the verification file of the openEuler Raspberry Pi image to the local PC. + +## Verifying the Image Integrity + +### Overview + +During package transmission, to prevent software packages from being incompletely downloaded due to network or storage device problems, you need to verify the integrity of the software packages after obtaining them. Only the software packages that pass the verification can be deployed. + +Compare the verification value recorded in the verification file with the verification value that is manually calculated to determine whether the software package is complete. 
If the two values are the same, the downloaded file is complete. Otherwise, the downloaded file is incomplete and you need to obtain the software package again. + +### Prerequisites + +Before verifying the integrity of the image file, ensure that the following files are available: + +Image file: **openEuler-21.03-raspi-aarch64.img.xz** + +Verification file: **openEuler-21.03-raspi-aarch64.img.xz.sha256sum** + +### Procedure + +To verify the file integrity, perform the following procedure: + +1. Obtain the verification value from the verification file. Run the following command: + + ``` + $ cat openEuler-21.03-raspi-aarch64.img.xz.sha256sum + ``` + +2. Calculate the SHA256 verification value of the file. Run the following command: + + ``` + $ sha256sum openEuler-21.03-raspi-aarch64.img.xz + ``` + + After the command is executed, the verification value is displayed. + +3. Check whether the verification value calculated in step 1 is consistent with that calculated in step 2. + + If the verification values are consistent, the downloaded file is not damaged. Otherwise, the downloaded file is incomplete and you need to obtain the file again. + +## Installation Requirements + +If the openEuler operating system is installed in the Raspberry Pi environment, the Raspberry Pi environment must meet the hardware compatibility and minimum hardware specifications as follows. + +### Hardware Compatibility + +Currently, the openEuler Raspberry Pi image supports the 3B, 3B+, and 4B versions. + +### Minimum Hardware Specifications + +[Table 1](#tff48b99c9bf24b84bb602c53229e2542) lists the minimum hardware specifications for the openEuler Raspberry Pi image. + +**Table 1** Minimum hardware specifications + + + +

Name

@@ -912,86 +1023,36 @@ Use the specified project file to search the dynamic space for parameters and fi The following is an example of the YAML file configuration on a server: ``` -project: "example" -maxiterations: 10 +project: "compress" +maxiterations: 500 startworkload: "" stopworkload: "" object : - - name : "vm.swappiness" + name : "compressLevel" info : - desc : "the vm.swappiness" - get : "sysctl -a | grep vm.swappiness" - set : "sysctl -w vm.swappiness=$value" - needrestart: "false" + desc : "The compresslevel parameter is an integer from 1 to 9 controlling the level of compression" + get : "cat /root/A-Tune/examples/tuning/compress/compress.py | grep 'compressLevel=' | awk -F '=' '{print $2}'" + set : "sed -i 's/compressLevel=\\s*[0-9]*/compressLevel=$value/g' /root/A-Tune/examples/tuning/compress/compress.py" + needrestart : "false" type : "continuous" scope : - - 0 - - 10 - ref : 1 - - - name : "irqbalance" - info : - desc : "system irqbalance" - get : "systemctl status irqbalance" - set : "systemctl $value sysmonitor;systemctl $value irqbalance" - needrestart: "false" - type : "discrete" - options: - - "start" - - "stop" - dtype : "string" - ref : "start" - - - name : "net.tcp_min_tso_segs" - info : - desc : "the minimum tso number" - get : "cat /proc/sys/net/ipv4/tcp_min_tso_segs" - set : "echo $value > /proc/sys/net/ipv4/tcp_min_tso_segs" - needrestart: "false" - type : "continuous" - scope: - 1 - - 16 - ref : 2 + - 9 + dtype : "int" - - name : "prefetcher" + name : "compressMethod" info : - desc : "" - get : "cat /sys/class/misc/prefetch/policy" - set : "echo $value > /sys/class/misc/prefetch/policy" - needrestart: "false" + desc : "The compressMethod parameter is a string controlling the compression method" + get : "cat /root/A-Tune/examples/tuning/compress/compress.py | grep 'compressMethod=' | awk -F '=' '{print $2}' | sed 's/\"//g'" + set : "sed -i 's/compressMethod=\\s*[0-9,a-z,\"]*/compressMethod=\"$value\"/g' 
/root/A-Tune/examples/tuning/compress/compress.py" + needrestart : "false" type : "discrete" - options: - - "0" - - "15" + options : + - "bz2" + - "zlib" + - "gzip" dtype : "string" - ref : "15" - - - name : "kernel.sched_min_granularity_ns" - info : - desc : "Minimal preemption granularity for CPU-bound tasks" - get : "sysctl kernel.sched_min_granularity_ns" - set : "sysctl -w kernel.sched_min_granularity_ns=$value" - needrestart: "false" - type : "continuous" - scope: - - 5000000 - - 50000000 - ref : 10000000 - - - name : "kernel.sched_latency_ns" - info : - desc : "" - get : "sysctl kernel.sched_latency_ns" - set : "sysctl -w kernel.sched_latency_ns=$value" - needrestart: "false" - type : "continuous" - scope: - - 10000000 - - 100000000 - ref : 16000000 - ```    @@ -999,17 +1060,25 @@ object : The following is an example of the YAML file configuration on a client: ``` -project: "example" -iterations : 10 -benchmark : "sh /home/Benchmarks/mysql/tunning_mysql.sh" +project: "compress" +engine : "gbrt" +iterations : 20 +random_starts : 10 + +benchmark : "python3 /root/A-Tune/examples/tuning/compress/compress.py" evaluations : - - name: "tps" + name: "time" + info: + get: "echo '$out' | grep 'time' | awk '{print $3}'" + type: "positive" + weight: 20 + - + name: "compress_ratio" info: - get: "echo -e '$out' |grep 'transactions:' |awk '{print $3}' | cut -c 2-" + get: "echo '$out' | grep 'compress_ratio' | awk '{print $3}'" type: "negative" - weight: 100 - threshold: 100 + weight: 80 ```    
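Review bot: In the server-side YAML of the `@@ -912,86 +1023,36 @@` hunk, the `set` command for `compressMethod` uses the bracket expression `[0-9,a-z,\"]*`, in which the commas are literal members of the class rather than separators, so the pattern also consumes commas; `[0-9a-z\"]*` expresses what is meant. The `get` and `set` commands, and `benchmark` in the client YAML of the following hunk, also hard-code `/root/A-Tune/examples/tuning/compress/compress.py`, so the example only works when the repository is checked out under /root; state that assumption in the text that introduces the YAML or tell the reader to adjust the path. In the client YAML, the new keys `engine` and `random_starts` are introduced without any explanation in the visible text; a one-line description of each would help.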
@@ -1019,13 +1088,13 @@ evaluations : - Perform tuning. ``` - # atune-adm tuning example-client.yaml + # atune-adm tuning --project compress --detail compress_client.yaml ``` -- Restore the initial configuration before tuning. The example value is the project name in the YAML file. +- Restore the initial configuration before tuning. The compress is the project name in the YAML file. ``` - # atune-adm tuning --restore --project example + # atune-adm tuning --restore --project compress ``` diff --git a/content/en/docs/A-Tune/faqs.md b/docs/en/docs/A-Tune/faqs.md similarity index 100% rename from content/en/docs/A-Tune/faqs.md rename to docs/en/docs/A-Tune/faqs.md diff --git a/content/en/docs/A-Tune/figures/en-us_image_0213178479.png b/docs/en/docs/A-Tune/figures/en-us_image_0213178479.png similarity index 100% rename from content/en/docs/A-Tune/figures/en-us_image_0213178479.png rename to docs/en/docs/A-Tune/figures/en-us_image_0213178479.png diff --git a/content/en/docs/A-Tune/figures/en-us_image_0213178480.png b/docs/en/docs/A-Tune/figures/en-us_image_0213178480.png similarity index 100% rename from content/en/docs/A-Tune/figures/en-us_image_0213178480.png rename to docs/en/docs/A-Tune/figures/en-us_image_0213178480.png diff --git a/content/en/docs/A-Tune/figures/en-us_image_0214540398.png b/docs/en/docs/A-Tune/figures/en-us_image_0214540398.png similarity index 100% rename from content/en/docs/A-Tune/figures/en-us_image_0214540398.png rename to docs/en/docs/A-Tune/figures/en-us_image_0214540398.png diff --git a/content/en/docs/A-Tune/figures/en-us_image_0227497000.png b/docs/en/docs/A-Tune/figures/en-us_image_0227497000.png similarity index 100% rename from content/en/docs/A-Tune/figures/en-us_image_0227497000.png rename to docs/en/docs/A-Tune/figures/en-us_image_0227497000.png 
diff --git a/docs/en/docs/A-Tune/figures/en-us_image_0227497343.png b/docs/en/docs/A-Tune/figures/en-us_image_0227497343.png new file mode 100644 index 0000000000000000000000000000000000000000..a8654b170295b4b0be3c37187e4b227ca635fbc0 Binary files /dev/null and b/docs/en/docs/A-Tune/figures/en-us_image_0227497343.png differ diff --git a/content/en/docs/A-Tune/figures/en-us_image_0231122163.png b/docs/en/docs/A-Tune/figures/en-us_image_0231122163.png similarity index 100% rename from content/en/docs/A-Tune/figures/en-us_image_0231122163.png rename to docs/en/docs/A-Tune/figures/en-us_image_0231122163.png diff --git a/docs/en/docs/A-Tune/figures/en-us_image_0245342444.png b/docs/en/docs/A-Tune/figures/en-us_image_0245342444.png new file mode 100644 index 0000000000000000000000000000000000000000..10f0fceb42c00c80ef49decdc0c480eb04c2ca6d Binary files /dev/null and b/docs/en/docs/A-Tune/figures/en-us_image_0245342444.png differ diff --git a/content/en/docs/A-Tune/getting-to-know-a-tune.md b/docs/en/docs/A-Tune/getting-to-know-a-tune.md similarity index 74% rename from content/en/docs/A-Tune/getting-to-know-a-tune.md rename to docs/en/docs/A-Tune/getting-to-know-a-tune.md index 03415ded0cdc5fe96a42f1d872a45dde1ede6c4d..2092e0152e2c31ea4bf1aa95277302bcc981b6a9 100644 --- a/content/en/docs/A-Tune/getting-to-know-a-tune.md +++ b/docs/en/docs/A-Tune/getting-to-know-a-tune.md 
@@ -26,7 +26,7 @@ A-Tune is an AI-based engine that optimizes system performance. It uses AI techn The following figure shows the A-Tune core technical architecture, which consists of intelligent decision-making, system profile, and interaction system. - Intelligent decision-making layer: consists of the awareness and decision-making subsystems, which implements intelligent awareness of applications and system optimization decision-making, respectively. -- System profile layer: consists of the labeling and learning subsystems. The labeling subsystem is used to cluster service models, and the learning subsystem is used to learn and classify service models. +- System profile layer: consists of the feature engineering and two-layer classification model. The feature engineering is used to automatically select service features, and the two-layer classification model is used to learn and classify service models. - Interaction system layer: monitors and configures various system resources and executes optimization policies. ![](figures/en-us_image_0227497343.png) @@ -39,7 +39,6 @@ The following figure shows the A-Tune core technical architecture, which consist **Table 1** Feature maturity - - - @@ -72,18 +71,19 @@ The following figure shows the A-Tune core technical architecture, which consist

Feature

Maturity

@@ -48,14 +47,14 @@ The following figure shows the A-Tune core technical architecture, which consist

Auto optimization of 11 applications in seven workload types

+

Auto optimization of 15 applications in 11 workload types

Tested

Pilot

User-defined workload types and service models

+

User-defined profile and service models

Tested

+ ### Supported Service Models -Based on the workload characteristics of applications, A-Tune classifies services into seven types. For details about the workload characteristics of each type and the applications supported by A-Tune, see [Table 2](#table2819164611311). +Based on the workload characteristics of applications, A-Tune classifies services into 11 types. For details about the bottleneck of each type and the applications supported by A-Tune, see [Table 2](#table2819164611311). **Table 2** Supported workload types and applications - - - - -

Workload

+ - @@ -93,87 +93,103 @@ Based on the workload characteristics of applications, A-Tune classifies service - - - - - - - - - - - - - - - - + + + + + - - - - - - - - - - - + + + + +

Service category

Type

Workload Characteristic

+

Bottleneck

Supported Application

Default type

The usage of CPU, memory bandwidth, network, and I/O resources is low.

+

Low resource usage in terms of cpu, memory, network, and I/O

N/A

webserver

HTTPS application

+

Web application

The CPU usage is high.

+

Bottlenecks of cpu and network

Nginx

+

Nginx, Apache Traffic Server

big_database

+

database

Database

  • Relational database

    Read: The usage of CPU, memory bandwidth, and network is high.

    -

    Write: The usage of I/O is high.

    -
-
  • Non-relational database

    The usage of CPU and I/O is high.

    -
+
Bottlenecks of cpu, memory, and I/O

MongoDB, MySQL, PostgreSQL, and MariaDB

+

Mongodb, Mysql, Postgresql, Mariadb

big_data

Big data

The usage of CPU and I/O is high.

+

Bottlenecks of cpu and memory

Hadoop and Spark

+

Hadoop-hdfs, Hadoop-spark

in-memory_computing

+

middleware

Memory-intensive application

+

Middleware framework

The usage of CPU and memory bandwidth is high.

+

Bottlenecks of cpu and network

SPECjbb2015

+

Dubbo

in-memory_database

Computing- and network-intensive application

+

Memory database

The usage of a single-core CPU is high, and the network usage is high in multi-instance scenarios.

+

Bottlenecks of memory and I/O

Redis

single_computer_intensive_jobs

+

basic-test-suite

+

Basic test suite

+

Bottlenecks of cpu and memory

+

SPECCPU2006, SPECjbb2015

+

hpc

Computing-intensive application

+

Human genome

The usage of a single-core CPU is high, and the usage of memory bandwidth of some subitems is high.

+

Bottlenecks of cpu, memory, and I/O

SPECCPU2006

+

Gatk4

communication

+

storage

Network-intensive application

+

Storage

The usage of CPU and network is high.

+

Bottlenecks of network, and I/O

Dubbo

+

Ceph

idle

+

virtualization

System in idle state

+

Virtualization

The system is in idle state and no applications are running.

+

Bottlenecks of cpu, memory, and I/O

N/A

+

Consumer-cloud, Mariadb

+

docker

+

Docker

+

Bottlenecks of cpu, memory, and I/O

+

Mariadb

+ + diff --git a/content/en/docs/A-Tune/installation-and-deployment.md b/docs/en/docs/A-Tune/installation-and-deployment.md similarity index 30% rename from content/en/docs/A-Tune/installation-and-deployment.md rename to docs/en/docs/A-Tune/installation-and-deployment.md index 96a1e025d01cdf9261809680afb1e6e42115feaf..c1a9b811734c75446b7d6550786462628ea78c51 100644 --- a/content/en/docs/A-Tune/installation-and-deployment.md +++ b/docs/en/docs/A-Tune/installation-and-deployment.md @@ -10,6 +10,7 @@ This chapter describes how to install and deploy A-Tune. - [Installation Procedure](#installation-procedure) - [A-Tune Deployment](#a-tune-deployment) - [Starting A-Tune](#starting-a-tune) + - [Starting A-Tune engine](#starting-a-tune-engine) @@ -22,11 +23,11 @@ This chapter describes how to install and deploy A-Tune. ### Software Requirement -- OS: openEuler 20.03 LTS +- OS: openEuler 21.03 ## Environment Preparation -For details about installing an openEuler OS, see _openEuler 20.03 LTS Installation Guide_. +For details about installing an openEuler OS, see _openEuler 21.03 Installation Guide_. ## A-Tune Installation @@ -47,7 +48,7 @@ A-Tune can be installed in single-node or distributed mode. The installation modes are as follows: -![](figures/en-us_image_0231122163.png) +![](./figures/en-us_image_0231122163.png)    @@ -58,7 +59,7 @@ To install the A-Tune, perform the following steps: 1. Mount an openEuler ISO file. ``` - # mount openEuler-20.03-LTS-aarch64-dvd.iso /mnt + # mount openEuler-21.03-aarch64-dvd.iso /mnt ``` 2. Configure the local yum source. 
@@ -84,16 +85,17 @@ To install the A-Tune, perform the following steps: ``` -4. Install an A-Tune server. +4. Install an A-Tune server. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >In this step, both the server and client software packages are installed. For the single-node deployment, skip **Step 5**. ``` # yum install atune -y + # yum install atune-engine -y ``` -5. For a distributed mode, install an A-Tune client. +5. For a distributed mode, install an A-Tune client on associated server. ``` # yum install atune-client -y @@ -106,8 +108,9 @@ To install the A-Tune, perform the following steps: atune-client-xxx atune-db-xxx atune-xxx + atune-engine-xxx ``` - + If the preceding information is displayed, the installation is successful. 
@@ -121,16 +124,37 @@ This chapter describes how to deploy A-Tune. The configuration items in the A-Tune configuration file **/etc/atuned/atuned.cnf** are described as follows: -- A-Tune service startup configuration +- A-Tune service startup configuration You can modify the parameter value as required. - **protocol**: Protocol used by the gRPC service. The value can be **unix** or **tcp**. **unix** indicates the local socket communication mode, and **tcp** indicates the socket listening port mode. The default value is **unix**. - - **address**: Listening IP address of the gRPC service. The default value is **unix socket**. If the gRPC service is deployed in distributed mode, change the value to the listening IP address. - - **port**: Listening port of the gRPC server. The value ranges from 0 to 65535. If **protocol** is set to **unix**, you do not need to set this parameter. - - **rest\_port**: Listening port of the system REST service. The value ranges from 0 to 65535. - - **sample\_num**: Number of samples collected when the system executes the analysis process. + - **port**: Listening port of the gRPC server. The value ranges from 0 to 65535. If **protocol** is set to **unix**, you do not need to set this parameter. + - **connect**: IP address list of the nodes where the A-Tune is located when the A-Tune is deployed in a cluster. IP addresses are separated by commas (,). + - **rest_host**: Listening address of the REST service. The default value is localhost. + - **rest_port**: Listening port of the REST service. The value ranges from 0 to 65535. The default value is 8383. + - **engine_host**: IP address for connecting to the A-Tune engine service of the system. + - **engine_port**: Port for connecting to the A-Tune engine service of the system. + - **sample_num**: Number of samples collected when the system executes the analysis process. The default value is 20. + - **interval**: Interval for collecting samples when the system executes the analysis process. 
The default value is 5s. + - **grpc_tls**: Indicates whether to enable SSL/TLS certificate verification for the gRPC service. By default, this function is disabled. After grpc_tls is enabled, you need to set the following environment variables before running the **atune-adm** command to communicate with the server: + - export ATUNE_TLS=yes + - export ATUNED_CACERT= + - export ATUNED_CLIENTCERT= + - export ATUNED_CLIENTKEY= + - export ATUNED_SERVERCN=server + - **tlsservercafile**: Path of the gPRC server's CA certificate. + - **tlsservercertfile**: Path of the gPRC server certificate. + - **tlsserverkeyfile**: Path of the gPRC server key. + - **rest_tls**: Indicates whether to enable SSL/TLS certificate verification for the REST service. This function is enabled by default. + - **tlsrestcacertfile**: Path of the server's CA certificate of the REST service. + - **tlsrestservercertfile**: Path of the server certificate of the REST service. + - **tlsrestserverkeyfile**: Indicates the key path of the REST service. + - **engine_tls**: Indicates whether to enable SSL/TLS certificate verification for the A-Tune engine service. This function is enabled by default.. + - **tlsenginecacertfile**: Path of the client CA certificate of the A-Tune engine service. + - **tlsengineclientcertfile**: Client certificate path of the A-Tune engine service. + - **tlsengineclientkeyfile**: Client key path of the A-Tune engine service. - System information 
@@ -139,104 +163,199 @@ The configuration items in the A-Tune configuration file **/etc/atuned/atuned.c - **disk**: Disk information to be collected during the analysis process or specified disk during disk optimization. - **network**: NIC information to be collected during the analysis process or specified NIC during NIC optimization. - **user**: User name used for ulimit optimization. Currently, only the user **root** is supported. - - **tls**: SSL/TLS certificate verification for the gRPC and HTTP services of A-Tune. This is disabled by default. After TLS is enabled, you need to set the following environment variables before running the **atune-adm** command to communicate with the server: - - export ATUNE\_TLS=yes - - export ATUNE\_CLICERT= - - - **tlsservercertfile**: path of the gPRC server certificate. - - **tlsserverkeyfile**: gPRC server key path. - - **tlshttpcertfile**: HTTP server certificate path. - - **tlshttpkeyfile**: HTTP server key path. - - **tlshttpcacertfile**: CA certificate path of the HTTP server. - + - Log information - Change the log path and level based on the site requirements. By default, the log information is stored in **/var/log/messages**. + Change the log level as required. The default log level is info. Log information is recorded in the **/var/log/messages** file. - Monitor information Hardware information that is collected by default when the system is started. + +- Tuning information + + Tuning is the parameter information required for offline tuning. + + - **noise**: Evaluation value of Gaussian noise. + - **sel_feature**: Indicates whether to enable the function of generating the importance ranking of offline tuning parameters. By default, this function is disabled. 
+ + +#### Example + +``` +#################################### server ############################### + # atuned config + [server] + # the protocol grpc server running on + # ranges: unix or tcp + protocol = unix + + # the address that the grpc server to bind to + # default is unix socket /var/run/atuned/atuned.sock + # ranges: /var/run/atuned/atuned.sock or ip address + address = /var/run/atuned/atuned.sock + + # the atune nodes in cluster mode, separated by commas + # it is valid when protocol is tcp + # connect = ip01,ip02,ip03 + + # the atuned grpc listening port + # the port can be set between 0 to 65535 which not be used + # port = 60001 + + # the rest service listening port, default is 8383 + # the port can be set between 0 to 65535 which not be used + rest_host = localhost + rest_port = 8383 + + # the tuning optimizer host and port, start by engine.service + # if engine_host is same as rest_host, two ports cannot be same + # the port can be set between 0 to 65535 which not be used + engine_host = localhost + engine_port = 3838 + + # when run analysis command, the numbers of collected data. 
+ # default is 20 + sample_num = 20 + + # interval for collecting data, default is 5s + interval = 5 + + # enable gRPC authentication SSL/TLS + # default is false + # grpc_tls = false + # tlsservercafile = /etc/atuned/grpc_certs/ca.crt + # tlsservercertfile = /etc/atuned/grpc_certs/server.crt + # tlsserverkeyfile = /etc/atuned/grpc_certs/server.key + + # enable rest server authentication SSL/TLS + # default is true + rest_tls = true + tlsrestcacertfile = /etc/atuned/rest_certs/ca.crt + tlsrestservercertfile = /etc/atuned/rest_certs/server.crt + tlsrestserverkeyfile = /etc/atuned/rest_certs/server.key + + # enable engine server authentication SSL/TLS + # default is true + engine_tls = true + tlsenginecacertfile = /etc/atuned/engine_certs/ca.crt + tlsengineclientcertfile = /etc/atuned/engine_certs/client.crt + tlsengineclientkeyfile = /etc/atuned/engine_certs/client.key + + + #################################### log ############################### + [log] + # either "debug", "info", "warn", "error", "critical", default is "info" + level = info + + #################################### monitor ############################### + [monitor] + # with the module and format of the MPI, the format is {module}_{purpose} + # the module is Either "mem", "net", "cpu", "storage" + # the purpose is "topo" + module = mem_topo, cpu_topo + + #################################### system ############################### + # you can add arbitrary key-value here, just like key = value + # you can use the key in the profile + [system] + # the disk to be analysis + disk = sda + + # the network to be analysis + network = enp189s0f0 + + user = root + + #################################### tuning ############################### + # tuning configs + [tuning] + noise = 0.000000001 + sel_feature = false +``` + +The configuration items in the configuration file **/etc/atuned/engine.cnf** of the A-Tune engine are described as follows: + +- Startup configuration of the A-Tune engine service + + You can 
modify the parameter value as required. + + - **engine_host**: Listening address of the A-Tune engine service. The default value is localhost. + - **engine_port**: Listening port of the A-Tune engine service. The value ranges from 0 to 65535. The default value is 3838. + - **engine_tls**: Indicates whether to enable SSL/TLS certificate verification for the A-Tune engine service. This function is enabled by default. + - **tlsenginecacertfile**: Path of the server CA certificate of the A-Tune engine service. + - **tlsengineservercertfile**: Path of the server certificate of the A-Tune engine service. + - **tlsengineserverkeyfile**: Server key path of the A-Tune engine service. + +- Log information + + Change the log level as required. The default log level is info. Log information is recorded in the **/var/log/messages** file. #### Example ``` -#################################### server ############################### -# atuned config -[server] -# the protocol grpc server running on -# ranges: unix or tcp -protocol = unix - -# the address that the grpc server to bind to -# default is unix socket /var/run/atuned/atuned.sock -# ranges: /var/run/atuned/atuned.sock or ip -address = /var/run/atuned/atuned.sock - -# the atuned grpc listening port, default is 60001 -# the port can be set between 0 to 65535 which not be used -port = 60001 - -# the rest service listening port, default is 8383 -# the port can be set between 0 to 65535 which not be used -rest_port = 8383 - -# when run analysis command, the numbers of collected data. 
-# default is 20 -sample_num = 20 - -# Enable gRPC and http server authentication SSL/TLS -# default is false -# tls = true -# tlsservercertfile = /etc/atuned/server.pem -# tlsserverkeyfile = /etc/atuned/server.key -# tlshttpcertfile = /etc/atuned/http/server.pem -# tlshttpkeyfile = /etc/atuned/http/server.key -# tlshttpcacertfile = /etc/atuned/http/cacert.pem - -#################################### log ############################### -# Either "debug", "info", "warn", "error", "critical", default is "info" -level = info - -#################################### monitor ############################### -[monitor] -# With the module and format of the MPI, the format is {module}_{purpose} -# The module is Either "mem", "net", "cpu", "storage" -# The purpose is "topo" -module = mem_topo, cpu_topo - -#################################### system ############################### -# you can add arbitrary key-value here, just like key = value -# you can use the key in the profile -[system] -# the disk to be analysis -disk = sda - -# the network to be analysis -network = enp189s0f0 - -user = root +#################################### engine ############################### + [server] + # the tuning optimizer host and port, start by engine.service + # if engine_host is same as rest_host, two ports cannot be same + # the port can be set between 0 to 65535 which not be used + engine_host = localhost + engine_port = 3838 + + # enable engine server authentication SSL/TLS + # default is true + engine_tls = true + tlsenginecacertfile = /etc/atuned/engine_certs/ca.crt + tlsengineservercertfile = /etc/atuned/engine_certs/server.crt + tlsengineserverkeyfile = /etc/atuned/engine_certs/server.key + + #################################### log ############################### + [log] + # either "debug", "info", "warn", "error", "critical", default is "info" + level = info ``` ## Starting A-Tune After the A-Tune is installed, you need to start the A-Tune service. -- Start the atuned service. 
+- Start the atuned service. + + ``` + # systemctl start atuned + ``` + + +- Query the atuned service status. + + ``` + # systemctl status atuned + ``` + + If the following command output is displayed, the service is started successfully: + + ![](./figures/en-us_image_0214540398.png) + +## Starting A-Tune engine + +To use AI functions, you need to start the A-Tune engine service. + +- Start the atune-engine service. ``` - # systemctl start atuned + # systemctl start atune-engine ``` -- To query the status of the atuned service, run the following command: +- Query the atune-engine service status. ``` - # systemctl status atuned + # systemctl status atune-engine ``` - If the following information is displayed, the service is started successfully: + If the following command output is displayed, the service is started successfully: - ![](figures/en-us_image_0214540398.png) + ![](./figures/en-us_image_0245342444.png) diff --git a/content/en/docs/A-Tune/public_sys-resources/icon-caution.gif b/docs/en/docs/A-Tune/public_sys-resources/icon-caution.gif similarity index 100% rename from content/en/docs/A-Tune/public_sys-resources/icon-caution.gif rename to docs/en/docs/A-Tune/public_sys-resources/icon-caution.gif diff --git a/content/en/docs/A-Tune/public_sys-resources/icon-danger.gif b/docs/en/docs/A-Tune/public_sys-resources/icon-danger.gif similarity index 100% rename from content/en/docs/A-Tune/public_sys-resources/icon-danger.gif rename to docs/en/docs/A-Tune/public_sys-resources/icon-danger.gif diff --git a/content/en/docs/A-Tune/public_sys-resources/icon-note.gif b/docs/en/docs/A-Tune/public_sys-resources/icon-note.gif similarity index 100% rename from content/en/docs/A-Tune/public_sys-resources/icon-note.gif rename to docs/en/docs/A-Tune/public_sys-resources/icon-note.gif 
diff --git a/content/en/docs/A-Tune/public_sys-resources/icon-notice.gif b/docs/en/docs/A-Tune/public_sys-resources/icon-notice.gif similarity index 100% rename from content/en/docs/A-Tune/public_sys-resources/icon-notice.gif rename to docs/en/docs/A-Tune/public_sys-resources/icon-notice.gif diff --git a/content/en/docs/A-Tune/public_sys-resources/icon-tip.gif b/docs/en/docs/A-Tune/public_sys-resources/icon-tip.gif similarity index 100% rename from content/en/docs/A-Tune/public_sys-resources/icon-tip.gif rename to docs/en/docs/A-Tune/public_sys-resources/icon-tip.gif diff --git a/content/en/docs/A-Tune/public_sys-resources/icon-warning.gif b/docs/en/docs/A-Tune/public_sys-resources/icon-warning.gif similarity index 100% rename from content/en/docs/A-Tune/public_sys-resources/icon-warning.gif rename to docs/en/docs/A-Tune/public_sys-resources/icon-warning.gif diff --git a/content/en/docs/Administration/administration.md b/docs/en/docs/Administration/administration.md similarity index 100% rename from content/en/docs/Administration/administration.md rename to docs/en/docs/Administration/administration.md diff --git a/content/en/docs/Administration/basic-configuration.md b/docs/en/docs/Administration/basic-configuration.md similarity index 98% rename from content/en/docs/Administration/basic-configuration.md rename to docs/en/docs/Administration/basic-configuration.md index 65e7e6167e256f1511eef3039dd677ca70f5660e..617937b9bf1e85b2a9d6ae00f227c3ef2f39678c 100644 --- a/content/en/docs/Administration/basic-configuration.md +++ b/docs/en/docs/Administration/basic-configuration.md 
@@ -71,7 +71,7 @@ For example, if you want to use Simplified Chinese as the locale, run the follow # localectl set-locale LANG=zh_CN.UTF-8 ``` -> ![](public_sys-resources/icon-note.gif) **NOTE:** +> ![](./public_sys-resources/icon-note.gif) **NOTE:** > After the modification, log in again or run the command `source /etc/locale.conf` as the user **root** to update the configuration file for the modification to take effect: @@ -161,7 +161,7 @@ System clock synchronized: no Your system clock can be automatically synchronized with a remote server using the Network Time Protocol (NTP). Run the following command as the user **root** to enable or disable NTP. The value of _boolean_ is **yes** or **no**, indicating that the NTP is enabled or disabled for automatic system clock synchronization. Change the value based on the site requirements. -> ![](public_sys-resources/icon-note.gif) **NOTE:** +> ![](./public_sys-resources/icon-note.gif) **NOTE:** If the remote NTP server is enabled to automatically synchronize the system clock, you cannot manually change the date and time. If you need to manually change the date or time, ensure that automatic NTP system clock synchronization is disabled. You can run the **timedatectl set-ntp no** command to disable the NTP service. ``` @@ -176,7 +176,7 @@ For example, to enable automatic remote time synchronization, run the following #### Changing the Current Date -> ![](public_sys-resources/icon-note.gif) **NOTE:** +> ![](./public_sys-resources/icon-note.gif) **NOTE:** Before changing the date, ensure that automatic NTP system clock synchronization has been disabled. Run the following command as the user **root** to change the current date. In the command, _YYYY_ indicates the year, _MM_ indicates the month, and _DD_ indicates the day. Change them based on the site requirements. 
@@ -193,7 +193,7 @@ For example, to change the current date to August 14, 2019, run the following co #### Changing the Current Time -> ![](public_sys-resources/icon-note.gif) **NOTE:** +> ![](./public_sys-resources/icon-note.gif) **NOTE:** Before changing the time, ensure that automatic NTP system clock synchronization has been disabled. To change the current time, run the following command as the user **root**. In the command, _HH_ indicates the hour, _MM_ indicates the minute, and _SS_ indicates the second. Change them based on the site requirements. @@ -457,7 +457,7 @@ The memory reserved for kdump must be added to the bootargs in the **/boot/efi/E | General solution| crashkernel=2048M,high| If the memory size is less than 4 GB, 256 MB is reserved for kdump. If the memory size is greater than 4 GB, 2048 MB is reserved for kdump. 256 + 2048 MB in total.| | Economical solution| crashkernel=1024M,high| If the memory size is less than 4 GB, 256 MB is reserved for kdump. If the memory size is greater than 4 GB, 1024 MB is reserved for kdump. 256 + 1024 MB in total. It is recommended that kdump files not be dumped using the network in scenarios where the system memory size is less than 512 GB. In VM scenarios, you can reduce the reserved memory. You are advised to set crashkernel to 512M or crashkernel to 256M,high.| -> ![](public_sys-resources/icon-note.gif) **NOTE:** +> ![](./public_sys-resources/icon-note.gif) **NOTE:** > > If kdump files are not dumped using the network, you need to set the kdump file system not to pack network drivers. Loading the network driver requires a large amount of memory. As a result, the memory reserved for kdump may be insufficient and kdump may fail. Therefore, you are advised to disable network drivers. 
diff --git a/content/en/docs/Administration/configuring-services.md b/docs/en/docs/Administration/configuring-services.md similarity index 100% rename from content/en/docs/Administration/configuring-services.md rename to docs/en/docs/Administration/configuring-services.md diff --git a/content/en/docs/Administration/configuring-the-ftp-server.md b/docs/en/docs/Administration/configuring-the-ftp-server.md similarity index 99% rename from content/en/docs/Administration/configuring-the-ftp-server.md rename to docs/en/docs/Administration/configuring-the-ftp-server.md index 98104b86eed332120d8b8de539b866cb996812bb..e841f0f63bc612e9e07973d8ae8e67c8f11cd14d 100644 --- a/content/en/docs/Administration/configuring-the-ftp-server.md +++ b/docs/en/docs/Administration/configuring-the-ftp-server.md @@ -87,7 +87,7 @@ To start, stop, or restart the vsftpd service, run the corresponding command as tcp6 0 0 :::21 :::* LISTEN 19716/vsftpd ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >If the **netstat** command does not exist, run the **dnf install net-tools** command to install the **net-tools** software and then run the **netstat** command. - Stopping the vsftpd services @@ -170,7 +170,7 @@ You can modify the vsftpd configuration file to control user permissions. [Tabl ### Default Configuration Description ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The configuration content in this document is for reference only. You can modify the content based on the site requirements \(for example, security hardening requirements\). In the openEuler system, vsftpd does not open to anonymous users by default. Run the vim command to view the main configuration file. The content is as follows: 
@@ -385,7 +385,7 @@ ftp> bye 221 Goodbye. ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If the **ftp** command does not exist, run the **dnf install ftp** command as the **root** user to install the **ftp** software and then run the **ftp** command. ## Configuring a Firewall @@ -478,7 +478,7 @@ Generally, the get or mget command is used to download files. ftp> mget *.* ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >- In this case, a message is displayed each time a file is downloaded. To block the prompt information, run the **prompt off** command before running the **mget \*.\*** command. >- The files are downloaded to the current directory on the Linux host. For example, if you run the ftp command in /home/myopenEuler/, all files are downloaded to /home/myopenEuler/. diff --git a/content/en/docs/Administration/configuring-the-network.md b/docs/en/docs/Administration/configuring-the-network.md similarity index 97% rename from content/en/docs/Administration/configuring-the-network.md rename to docs/en/docs/Administration/configuring-the-network.md index 370ae8c6afdd5762779bfa1bf1a3da3a14eec05a..ce912c33916557a0952eb47256ce8115622d8af2 100644 --- a/content/en/docs/Administration/configuring-the-network.md +++ b/docs/en/docs/Administration/configuring-the-network.md @@ -27,7 +27,7 @@ ### Using the nmcli Command ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The network configuration configured by running the **nmcli** command takes effect immediately and will not be lost after the system restarts. 
@@ -79,6 +79,26 @@ Common commands are listed as follows: ``` +#### Device Management + +##### Connecting to a Device + +Run the following command to connect NetworkManager to the corresponding network device. Try to find the proper connection configuration and activate it. + + ``` + $nmcli device connect "$IFNAME" + ``` + +> If the corresponding connection configuration does not exist, NetworkManager creates and activates a configuration file with default settings. + +##### Disconnecting to a Device + +Run the following command to disconnect NetworkManager with the network device and prevent the device from being automatically activated. + + ``` + $nmcli device disconnect "$IFNAME" + ``` + #### Setting Network Connections Run the following command to display all the available network connections: @@ -93,7 +113,7 @@ enp3s0 c88d7b69-f529-35ca-81ab-aa729ac542fd ethernet enp3s0 virbr0 ba552da6-f014-49e3-91fa-ec9c388864fa bridge virbr0 ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >In the command output, **NAME** indicates the connection ID \(name\). After a network connection is added, the corresponding configuration file is generated and associated with the corresponding device. To check for available devices, run the following command: @@ -159,7 +179,7 @@ To add a static IPv4 network connection, run the following command: nmcli connection add type ethernet con-name connection-name ifname interface-name ip4 address gw4 address ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >To add an IPv6 address and related gateway information, use the **ip6** and **gw6** options. For example, to create a static connection configuration file named **net-static**, run the following command as the **root** user: 
@@ -244,26 +264,38 @@ connection.llmnr: -1 (default) ##### Adding a Wi-Fi Connection -Run the following command to check for available Wi-Fi access points: +You can add the Wi-Fi connection using either of the following methods: + +**Method 1: Connect to the Wi-Fi network using a network port.** + +Connect to the Wi-Fi network specified by the SSID or BSSID. Run the following command to find a matching connection or create a connection, and then activate the connection on the device. + +``` +$ nmcli device wifi connect "$SSID" password "$PASSWORD" ifname "$IFNAME" +$ nmcli --ask device wifi connect "$SSID" +``` +**Method 2: Connect to the Wi-Fi network using the configuration file.** + +1,Run the following command to check for available Wi-Fi access points: ``` $ nmcli dev wifi list ``` -Run the following command to generate a static IP address configuration that allows Wi-Fi connections automatically allocated by the DNS: +2,Run the following command to generate a static IP address configuration that allows Wi-Fi connections automatically allocated by the DNS: ``` $ nmcli con add con-name Wifi ifname wlan0 type wifi ssid MyWifi ip4 192.168.100.101/24 gw4 192.168.100.1 ``` -Run the following command to set a WPA2 password, for example, **answer**: +3,Run the following command to set a WPA2 password, for example, **answer**: ``` $ nmcli con modify Wifi wifi-sec.key-mgmt wpa-psk $ nmcli con modify Wifi wifi-sec.psk answer ``` -Run the following command to change the Wi-Fi status: +4,Run the following command to change the Wi-Fi status: ``` $ nmcli radio wifi [ on | off ] @@ -321,7 +353,7 @@ $ nmcli connection show id 'Wifi ' | grep mtu ### Using the ip Command ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The network configuration configured using the **ip** command takes effect immediately, but the configuration will be lost after the system restarts. 
@@ -413,7 +445,7 @@ In the preceding command, **192.168.2.1** is the IP address of the target netw ### Configuring the Network Through the ifcfg File ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The network configured in the **ifcfg** file does not take effect immediately. You need to run the **systemctl reload NetworkManager** command as the **root** user to restart the network service for the configuration to take effect. #### Configuring a Static Network @@ -486,7 +518,7 @@ There are three types of host names: **static**, **transient**, and **pretty* - **transient**: Dynamic host name, which is maintained by the kernel. The initial value is a static host name. The default value is **localhost**. The value can be changed when the DHCP or mDNS server is running. - **pretty**: Flexible host name, which can be set in any form \(including special characters/blanks\). Static and transient host names are subject to the general domain name restrictions. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Static and transient host names can contain only letters \(a–z and A–Z\), digits \(0–9\), hyphens \(-\), underlines \(\_\), and periods \(.\). The host names cannot start or end with a period \(.\) or contain two consecutive periods \(.\). The host name can contain a maximum of 64 characters. ### Configuring a Host Name by Running the **hostnamectl** Command @@ -498,7 +530,7 @@ Run the following command to view the current host name: $ hostnamectl status ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If no option is specified in the command, the **status** option is used by default. #### Setting All Host Names 
@@ -684,7 +716,7 @@ Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkMa Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8) ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If an interface is in **up** state, run the **ifdown** _enp3s0_ command to change the state to **down**. In the command, _enp3s0_ indicates the actual NIC name. After that, enable all the slave interfaces to enable the bonding \(do not set them to **Down**\). @@ -834,7 +866,7 @@ Both IPv6 and IPv4 addresses can be obtained through DHCP as the **root** user. } ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >- \: a 32-digit integer, indicating the enterprise ID. The enterprise is registered through the IANA. >- \: a 16-digit integer, indicating the length of the vendor class string. >- \: character string of the vendor class to be set, for example, HWHW. @@ -865,7 +897,7 @@ Both IPv6 and IPv4 addresses can be obtained through DHCP as the **root** user. } ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >In substring \(option dhcp6.vendor-class, 6, 10\), the start position of the substring is 6, because the substring contains four bytes of and two bytes of . The end position of the substring is 6+. In this example, the vendor class string is HWHW, and the length of the string is 4. Therefore, the end position of the substring is 6 + 4 = 10. You can specify and as required. On the server: 
@@ -894,7 +926,7 @@ struct sockaddr_in6 { }; ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >sin6\_scope\_id: a 32-bit integer. For the link-local address, it identifies the index of the specified interface. For the link-range sin6\_addr, it identifies the index of the specified interface. For the site-range sin6\_addr, it is used as the site identifier \(the site-local address has been discarded\). When the link-local address is used for socket communication, the interface index corresponding to the address needs to be specified when the destination address is constructed. Generally, you can use the if\_nametoindex function to convert an interface name into an interface index number. Details are as follows: @@ -945,7 +977,7 @@ PERSISTENT_DHCLIENT=yes|no|1|0 - DHCPV6C: **no** indicates that an IPv6 address is statically configured, and **yes** indicates that the DHCPv6 dhclient is enabled to dynamically obtain the IPv6 address. - PERSISTENT\_DHCLIENT: **no|0** indicates that the IPv4 dhclient process is configured as nonpersistent. If the dhclient sends a request packet to the DHCP server but does not receive any response, the dhclient exits after a period of time and the exit value is 2. **yes|1** indicates that the IPv4 dhclient process is configured to be persistent. The dhclient process repeatedly sends request packets to the DHCP server. **If PERSISTENT\_DHCLIENT is not configured, dhclient of IPv4 is set to yes|1 by default.** - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The PERSISTENT\_DHCLIENT configuration takes effect only for IPv4 and does not take effect for IPv6-related dhclient -6 processes. By default, the persistence configuration is not performed for IPv6. 
@@ -1298,6 +1330,6 @@ $ActionQueueType Direct $MainMsgQueueType Direct ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- In direct mode, the queue size is reduced by 1. Therefore, one log is reserved in the queue for the next log output. >- The direct mode degrades the rsyslog performance of the server. diff --git a/content/en/docs/Administration/configuring-the-repo-server.md b/docs/en/docs/Administration/configuring-the-repo-server.md similarity index 86% rename from content/en/docs/Administration/configuring-the-repo-server.md rename to docs/en/docs/Administration/configuring-the-repo-server.md index 6399f5afef0c40891d748774022984c4bd8b2fc9..35bde9dbab1874b010c6e5cde74c2840e6751829 100644 --- a/content/en/docs/Administration/configuring-the-repo-server.md +++ b/docs/en/docs/Administration/configuring-the-repo-server.md @@ -1,8 +1,8 @@ # Configuring the Repo Server ->![](public_sys-resources/icon-note.gif) **NOTE:** -> openEuler provides multiple repo sources for users online. For details about the repo sources, see [System Installation](../Releasenotes/installing-the-os.html). If you cannot obtain the openEuler repo source online, you can use the ISO release package provided by openEuler to create a local openEuler repo source. This section uses the **openEuler-20.03-LTS-aarch64-dvd.iso** file as an example. Modify the ISO file as required. - +>![](./public_sys-resources/icon-note.gif) **NOTE:** +> openEuler provides multiple repo sources for users online. For details about the repo sources, see [System Installation](./../Releasenotes/installing-the-os.html). If you cannot obtain the openEuler repo source online, you can use the ISO release package provided by openEuler to create a local openEuler repo source. This section uses the **openEuler-21.03-aarch64-dvd.iso** file as an example. Modify the ISO file as required. + - [Configuring the Repo Server](#configuring-the-repo-server) 
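Review bot: In configuring-the-repo-server.md, hunk `@@ -1,8 +1,8 @@`, the new link target `./../Releasenotes/installing-the-os.html` carries a redundant leading `./`. `../Releasenotes/installing-the-os.html` resolves to the same file and is the usual way to write a parent-relative link, so suggest using that form here.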
@@ -24,17 +24,17 @@ ## Overview -Create the **openEuler-20.03-LTS-aarch64-dvd.iso** file provided by openEuler as the repo source. The following uses Nginx as an example to describe how to deploy the repo source and provide the HTTP service. +Create the **openEuler-21.03-aarch64-dvd.iso** file provided by openEuler as the repo source. The following uses Nginx as an example to describe how to deploy the repo source and provide the HTTP service. ## Creating or Updating a Local Repo Source -Mount the openEuler ISO file **openEuler-20.03-LTS-aarch64-dvd.iso** to create and update a repo source. +Mount the openEuler ISO file **openEuler-21.03-aarch64-dvd.iso** to create and update a repo source. ### Obtaining the ISO File Obtain the openEuler ISO file from the following website: -[https://repo.openeuler.org/openEuler-20.03-LTS/ISO/](https://repo.openeuler.org/openEuler-20.03-LTS/ISO/) +[https://repo.openeuler.org/openEuler-21.03/ISO/](https://repo.openeuler.org/openEuler-21.03/ISO/) ### Mounting an ISO File to Create a Repo Source @@ -43,7 +43,7 @@ Run the mount command as the **root** user to mount the ISO file. The following is an example: ``` -# mount /home/openEuler/openEuler-20.03-LTS-aarch64-dvd.iso /mnt/ +# mount /home/openEuler/openEuler-21.03-aarch64-dvd.iso /mnt/ ``` The mounted mnt directory is as follows: @@ -67,7 +67,7 @@ In the preceding command, **Packages** indicates the directory where the RPM p You can copy related files in the ISO file to a local directory to create a local repo source. The following is an example: ``` -# mount /home/openEuler/openEuler-20.03-LTS-aarch64-dvd.iso /mnt/ +# mount /home/openEuler/openEuler-21.03-aarch64-dvd.iso /mnt/ $ mkdir -p ~/srv/repo/ $ cp -r /mnt/Packages ~/srv/repo/ $ cp -r /mnt/repodata ~/srv/repo/ 
@@ -99,7 +99,7 @@ You can update the repo source in either of the following ways: In this command, --update indicates the update, and --workers indicates the number of threads, which can be customized. -> ![](public_sys-resources/icon-note.gif) **NOTE:** +> ![](./public_sys-resources/icon-note.gif) **NOTE:** If the command output contains "createrepo: command not found", run the **dnf install createrepo** command as the **root** user to install the **createrepo** softeware. ## Deploying the Remote Repo Source @@ -112,7 +112,7 @@ Install openEuler OS and deploy the repo source using Nginx on openEuler OS. 2. After installing Nginx, configure /etc/nginx/nginx.conf as the **root** user. - > ![](public_sys-resources/icon-note.gif) **NOTE:** + > ![](./public_sys-resources/icon-note.gif) **NOTE:** The configuration content in this document is for reference only. You can configure the content based on the site requirements (for example, security hardening requirements). ``` @@ -172,7 +172,7 @@ The configuration content in this document is for reference only. You can config - [Figure 1](#en-us_topic_0151920971_fd25e3f1d664b4087ae26631719990a71) indicates that the Nginx service is started successfully. **Figure 1** The Nginx service is successfully started. -![](figures/the-nginx-service-is-successfully-started.png "the-nginx-service-is-successfully-started") +![](./figures/the-nginx-service-is-successfully-started.png "the-nginx-service-is-successfully-started") - If the Nginx service fails to be started, view the error information. 
@@ -180,8 +180,8 @@ The configuration content in this document is for reference only. You can config $ systemctl status nginx.service --full ``` - **Figure 2** Nginx startup failure - ![](figures/nginx-startup-failure.png "nginx-startup-failure") + **Figure 2** Nginx startup failure + ![](./figures/nginx-startup-failure.png "nginx-startup-failure") As shown in [Figure 2](#en-us_topic_0151920971_f1f9f3d086e454b9cba29a7cae96a4c54), the Nginx service fails to be created because the /var/spool/nginx/tmp/client\_body directory fails to be created. You need to manually create the directory as the **root** user. Similar problems are solved as follows: @@ -229,21 +229,21 @@ The configuration content in this document is for reference only. You can config 4. After the Nginx service is configured, you can use the IP address to access the web page, as shown in [Figure 3](#en-us_topic_0151921017_fig1880404110396). **Figure 3** Nginx deployment succeeded -![](figures/nginx-deployment-succeeded.png "nginx-deployment-succeeded") +![](./figures/nginx-deployment-succeeded.png "nginx-deployment-succeeded") 5. Use either of the following methods to add the repo source to the /usr/share/nginx/repo directory: - Copy related files in the image to the /usr/share/nginx/repo directory as the **root** user. ``` - # mount /home/openEuler/openEuler-20.03-LTS-aarch64-dvd.iso /mnt/ + # mount /home/openEuler/openEuler-21.03-aarch64-dvd.iso /mnt/ # cp -r /mnt/Packages /usr/share/nginx/repo/ # cp -r /mnt/repodata /usr/share/nginx/repo/ # cp -r /mnt/RPM-GPG-KEY-openEuler /usr/share/nginx/repo/ # chmod -R 755 /usr/share/nginx/repo ``` - The **openEuler-20.03-LTS-aarch64-dvd.iso** file is stored in the **/home/openEuler** directory. + The **openEuler-21.03-aarch64-dvd.iso** file is stored in the **/home/openEuler** directory. - Create a soft link for the repo source in the /usr/share/nginx/repo directory as the **root** user. 
@@ -274,7 +274,7 @@ You can configure the built repo as the yum source and create the \*\*\*.repo co gpgkey=file:///home/openEuler/srv/repo/RPM-GPG-KEY-openEuler ``` - > ![](public_sys-resources/icon-note.gif) **NOTE:** + > ![](./public_sys-resources/icon-note.gif) **NOTE:** > > - The repoid in \[repoid\] indicates the ID of the software repository. Repoids in all .repo configuration files must be unique. In the example, repoid is set to **base**. > - **name** indicates the string that the software repository describes. @@ -298,7 +298,7 @@ You can configure the built repo as the yum source and create the \*\*\*.repo co gpgkey=http://192.168.139.209/RPM-GPG-KEY-openEuler ``` - > ![](public_sys-resources/icon-note.gif) **NOTE:** + > ![](./public_sys-resources/icon-note.gif) **NOTE:** > 192.168.139.209 is an example. Replace it with the actual IP address. - If the openEuler repo source provided by openEuler is used as the yum source, the content of **openEuler.repo** is as follows (the aarch64-based OS repo source is used as an example): @@ -306,10 +306,10 @@ You can configure the built repo as the yum source and create the \*\*\*.repo co ``` [base] name=base - baseurl=http://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/ + baseurl=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/ enabled=1 gpgcheck=1 - gpgkey=http://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/RPM-GPG-KEY-openEuler + gpgkey=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/RPM-GPG-KEY-openEuler ``` ### repo Priority diff --git a/content/en/docs/Administration/configuring-the-web-server.md b/docs/en/docs/Administration/configuring-the-web-server.md similarity index 98% rename from content/en/docs/Administration/configuring-the-web-server.md rename to docs/en/docs/Administration/configuring-the-web-server.md index 080c8e167d71925c97fd52da903bc40758e72e50..c915961e7b8231156bd3d35f4d58db3afc153345 100644 --- a/content/en/docs/Administration/configuring-the-web-server.md 
+++ b/docs/en/docs/Administration/configuring-the-web-server.md @@ -41,7 +41,7 @@ You can use the systemctl tool to manage the httpd service, including starting, # dnf install httpd ``` - For more information about service management, see [Service Management](service-management.html). + For more information about service management, see [Service Management](./service-management.html). - To start, stop, and restart the httpd service, you must have the root permission. @@ -61,7 +61,7 @@ You can use the systemctl tool to manage the httpd service, including starting, ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If the running Apache HTTP server functions as a secure server, a password is required after the system is started. The password is an encrypted private SSL key. #### Stopping the Service @@ -155,7 +155,7 @@ If the following information is displayed, the syntax of the configuration file Syntax OK ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- Before modifying the configuration file, back up the original file so that the configuration file can be quickly restored if a fault occurs. >- The modified configuration file takes effect only after the web service is restarted. @@ -194,7 +194,7 @@ For example, to load the asis DSO module, perform the following steps: ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >**Common httpd commands** >- httpd -v: views the httpd version number. >- httpd -l: views the static modules compiled into the httpd program. 
@@ -313,7 +313,7 @@ Nginx is a lightweight web server which also acts as a reverse proxy server and ### Installing Nginx -1. Configure the local yum source. For details, see [Configuring the Repo Server](configuring-the-repo-server.html). +1. Configure the local yum source. For details, see [Configuring the Repo Server](./configuring-the-repo-server.html). 2. Clear the cache. ``` @@ -347,7 +347,7 @@ You can use the systemctl tool to manage the Nginx service, including starting, #### Prerequisites - Ensure that the Nginx service has been installed. If not, install it by referring to [Installing Nginx](#installing-nginx). - For more information about service management, see [Service Management](service-management.html). + For more information about service management, see [Service Management](./service-management.html). - To start, stop, and restart the Nginx service, you must have the **root** permission. @@ -367,7 +367,7 @@ You can use the systemctl tool to manage the Nginx service, including starting, ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If the running Nginx server functions as a secure server, a password is required after the system is started. The password is an encrypted private SSL key. #### Stopping the Service @@ -457,7 +457,7 @@ Although the default configuration can be used in most cases, you need to be fam If the command output contains **syntax is ok**, the syntax of the configuration file is correct. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- Before modifying the configuration file, back up the original file so that the configuration file can be quickly restored if a fault occurs. >- The modified configuration file takes effect only after the web service is restarted. 
diff --git a/content/en/docs/Administration/faqs.md b/docs/en/docs/Administration/faqs.md similarity index 100% rename from content/en/docs/Administration/faqs.md rename to docs/en/docs/Administration/faqs.md diff --git "a/content/en/docs/Administration/figures/\346\220\255\345\273\272\346\225\260\346\215\256\347\233\230-0.png" b/docs/en/docs/Administration/figures/creat_datadisk.png similarity index 100% rename from "content/en/docs/Administration/figures/\346\220\255\345\273\272\346\225\260\346\215\256\347\233\230-0.png" rename to docs/en/docs/Administration/figures/creat_datadisk.png diff --git "a/content/en/docs/Administration/figures/\346\220\255\345\273\272\346\225\260\346\215\256\347\233\230.png" b/docs/en/docs/Administration/figures/creat_datadisk1.png similarity index 100% rename from "content/en/docs/Administration/figures/\346\220\255\345\273\272\346\225\260\346\215\256\347\233\230.png" rename to docs/en/docs/Administration/figures/creat_datadisk1.png diff --git a/content/en/docs/Administration/figures/d1376b2a-d036-41c4-b852-e8368f363b5e-1.png b/docs/en/docs/Administration/figures/d1376b2a-d036-41c4-b852-e8368f363b5e-1.png similarity index 100% rename from content/en/docs/Administration/figures/d1376b2a-d036-41c4-b852-e8368f363b5e-1.png rename to docs/en/docs/Administration/figures/d1376b2a-d036-41c4-b852-e8368f363b5e-1.png diff --git a/content/en/docs/Administration/figures/d1376b2a-d036-41c4-b852-e8368f363b5e.png b/docs/en/docs/Administration/figures/d1376b2a-d036-41c4-b852-e8368f363b5e.png similarity index 100% rename from content/en/docs/Administration/figures/d1376b2a-d036-41c4-b852-e8368f363b5e.png rename to docs/en/docs/Administration/figures/d1376b2a-d036-41c4-b852-e8368f363b5e.png 
diff --git a/content/en/docs/Administration/figures/en-us_image_0229622729.png b/docs/en/docs/Administration/figures/en-us_image_0229622729.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0229622729.png rename to docs/en/docs/Administration/figures/en-us_image_0229622729.png diff --git a/content/en/docs/Administration/figures/en-us_image_0229622789.png b/docs/en/docs/Administration/figures/en-us_image_0229622789.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0229622789.png rename to docs/en/docs/Administration/figures/en-us_image_0229622789.png diff --git a/content/en/docs/Administration/figures/en-us_image_0230050789.png b/docs/en/docs/Administration/figures/en-us_image_0230050789.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0230050789.png rename to docs/en/docs/Administration/figures/en-us_image_0230050789.png diff --git a/content/en/docs/Administration/figures/en-us_image_0231143189.png b/docs/en/docs/Administration/figures/en-us_image_0231143189.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231143189.png rename to docs/en/docs/Administration/figures/en-us_image_0231143189.png diff --git a/content/en/docs/Administration/figures/en-us_image_0231143191.png b/docs/en/docs/Administration/figures/en-us_image_0231143191.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231143191.png rename to docs/en/docs/Administration/figures/en-us_image_0231143191.png diff --git a/content/en/docs/Administration/figures/en-us_image_0231143193.png b/docs/en/docs/Administration/figures/en-us_image_0231143193.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231143193.png rename to docs/en/docs/Administration/figures/en-us_image_0231143193.png 
diff --git a/content/en/docs/Administration/figures/en-us_image_0231143195.png b/docs/en/docs/Administration/figures/en-us_image_0231143195.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231143195.png rename to docs/en/docs/Administration/figures/en-us_image_0231143195.png diff --git a/content/en/docs/Administration/figures/en-us_image_0231143196.png b/docs/en/docs/Administration/figures/en-us_image_0231143196.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231143196.png rename to docs/en/docs/Administration/figures/en-us_image_0231143196.png diff --git a/content/en/docs/Administration/figures/en-us_image_0231143197.png b/docs/en/docs/Administration/figures/en-us_image_0231143197.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231143197.png rename to docs/en/docs/Administration/figures/en-us_image_0231143197.png diff --git a/content/en/docs/Administration/figures/en-us_image_0231143198.png b/docs/en/docs/Administration/figures/en-us_image_0231143198.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231143198.png rename to docs/en/docs/Administration/figures/en-us_image_0231143198.png diff --git a/content/en/docs/Administration/figures/en-us_image_0231563132.png b/docs/en/docs/Administration/figures/en-us_image_0231563132.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231563132.png rename to docs/en/docs/Administration/figures/en-us_image_0231563132.png diff --git a/content/en/docs/Administration/figures/en-us_image_0231563134.png b/docs/en/docs/Administration/figures/en-us_image_0231563134.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231563134.png rename to docs/en/docs/Administration/figures/en-us_image_0231563134.png 
diff --git a/content/en/docs/Administration/figures/en-us_image_0231563135.png b/docs/en/docs/Administration/figures/en-us_image_0231563135.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231563135.png rename to docs/en/docs/Administration/figures/en-us_image_0231563135.png diff --git a/content/en/docs/Administration/figures/en-us_image_0231563136.png b/docs/en/docs/Administration/figures/en-us_image_0231563136.png similarity index 100% rename from content/en/docs/Administration/figures/en-us_image_0231563136.png rename to docs/en/docs/Administration/figures/en-us_image_0231563136.png diff --git a/content/en/docs/Administration/figures/example-command-output.png b/docs/en/docs/Administration/figures/example-command-output.png similarity index 100% rename from content/en/docs/Administration/figures/example-command-output.png rename to docs/en/docs/Administration/figures/example-command-output.png diff --git a/docs/en/docs/Administration/figures/ima_digest_list_update.png b/docs/en/docs/Administration/figures/ima_digest_list_update.png new file mode 100644 index 0000000000000000000000000000000000000000..771067e31cee84591fbb914d7be4e8c576d7f5d2 Binary files /dev/null and b/docs/en/docs/Administration/figures/ima_digest_list_update.png differ diff --git a/docs/en/docs/Administration/figures/ima_performance.png b/docs/en/docs/Administration/figures/ima_performance.png new file mode 100644 index 0000000000000000000000000000000000000000..f5d641e8682ad2b9c0fbfad191add1819f5b2eef Binary files /dev/null and b/docs/en/docs/Administration/figures/ima_performance.png differ diff --git a/docs/en/docs/Administration/figures/ima_verification.png b/docs/en/docs/Administration/figures/ima_verification.png new file mode 100644 index 0000000000000000000000000000000000000000..fc879949db5387c61ccf6176f948b9a00f4fb053 Binary files /dev/null and b/docs/en/docs/Administration/figures/ima_verification.png differ 
diff --git "a/content/en/docs/Administration/figures/\347\231\273\345\275\225.png" b/docs/en/docs/Administration/figures/login.png similarity index 100% rename from "content/en/docs/Administration/figures/\347\231\273\345\275\225.png" rename to docs/en/docs/Administration/figures/login.png diff --git a/content/en/docs/Administration/figures/mariadb-logical-architecture.png b/docs/en/docs/Administration/figures/mariadb-logical-architecture.png similarity index 100% rename from content/en/docs/Administration/figures/mariadb-logical-architecture.png rename to docs/en/docs/Administration/figures/mariadb-logical-architecture.png diff --git a/content/en/docs/Administration/figures/nginx-deployment-succeeded.png b/docs/en/docs/Administration/figures/nginx-deployment-succeeded.png similarity index 100% rename from content/en/docs/Administration/figures/nginx-deployment-succeeded.png rename to docs/en/docs/Administration/figures/nginx-deployment-succeeded.png diff --git a/content/en/docs/Administration/figures/nginx-startup-failure.png b/docs/en/docs/Administration/figures/nginx-startup-failure.png similarity index 100% rename from content/en/docs/Administration/figures/nginx-startup-failure.png rename to docs/en/docs/Administration/figures/nginx-startup-failure.png diff --git a/content/en/docs/Administration/figures/postgres.png b/docs/en/docs/Administration/figures/postgres.png similarity index 100% rename from content/en/docs/Administration/figures/postgres.png rename to docs/en/docs/Administration/figures/postgres.png diff --git a/content/en/docs/Administration/figures/postgresql-architecture.png b/docs/en/docs/Administration/figures/postgresql-architecture.png similarity index 100% rename from content/en/docs/Administration/figures/postgresql-architecture.png rename to docs/en/docs/Administration/figures/postgresql-architecture.png 
diff --git a/content/en/docs/Administration/figures/the-nginx-service-is-successfully-started.png b/docs/en/docs/Administration/figures/the-nginx-service-is-successfully-started.png similarity index 100% rename from content/en/docs/Administration/figures/the-nginx-service-is-successfully-started.png rename to docs/en/docs/Administration/figures/the-nginx-service-is-successfully-started.png diff --git a/docs/en/docs/Administration/figures/trusted_chain.png b/docs/en/docs/Administration/figures/trusted_chain.png new file mode 100644 index 0000000000000000000000000000000000000000..034f0f092f41fb500ee4122339c447d10d4138ec Binary files /dev/null and b/docs/en/docs/Administration/figures/trusted_chain.png differ diff --git a/content/en/docs/Administration/managing-hard-disks-through-lvm.md b/docs/en/docs/Administration/managing-hard-disks-through-lvm.md similarity index 99% rename from content/en/docs/Administration/managing-hard-disks-through-lvm.md rename to docs/en/docs/Administration/managing-hard-disks-through-lvm.md index 45c63cd6e2a964cc0857e8be9103f0f62584b4f1..10e5910556072e84aefd1d61cecf406d0f0d2fb0 100644 --- a/content/en/docs/Administration/managing-hard-disks-through-lvm.md +++ b/docs/en/docs/Administration/managing-hard-disks-through-lvm.md 
@@ -60,10 +60,10 @@ When disks are managed using LVM, file systems are distributed on multiple disks ## Installing the LVM ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The LVM has been installed on the openEuler OS by default. You can run the **rpm -qa | grep lvm2** command to check whether it is installed. If the command output contains "lvm2", the LVM has been installed. In this case, skip this section. If no information is output, the LVM is not installed. Install it by referring to this section. -1. Configure the local yum source. For details, see [Configuring the Repo Server](configuring-the-repo-server.html). +1. Configure the local yum source. For details, see [Configuring the Repo Server](./configuring-the-repo-server.html). 2. Clear the cache. ``` @@ -358,7 +358,7 @@ In the preceding information: - _lvname_: device file corresponding to the LV whose attributes are to be displayed. If this option is not set, attributes of all LVs are displayed. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >Device files corresponding to LVs are stored in the VG directory. For example, if LV **lv1** is created in VG **vg1**, the device file corresponding to **lv1** is **/dev/vg1/lv1**. diff --git a/content/en/docs/Administration/process-management.md b/docs/en/docs/Administration/process-management.md similarity index 99% rename from content/en/docs/Administration/process-management.md rename to docs/en/docs/Administration/process-management.md index e745e2271bdefd0a6a940ca09e88ff61d8547874..4032595e9628a73264e53976e363328e2a4cb716 100644 --- a/content/en/docs/Administration/process-management.md +++ b/docs/en/docs/Administration/process-management.md 
@@ -111,7 +111,7 @@ Both the top and the ps commands can display a list of currently running process [Figure 1](#en-us_topic_0151921029_f289234fcdbac453796200d80e9889cd1) provides an example output of the top command. **Figure 1** Example command output -![](figures/example-command-output.png "example-command-output") +![](./figures/example-command-output.png "example-command-output") ### kill Command The **kill** command is used to terminate a process regardless of whether the process is running in foreground or background. It differs from the combo key **Ctrl+c**, which can terminate only foreground processes. The kill command is used to terminate a process regardless of whether the process is running in foreground or background. The reason for terminating a background process can be heavy use of CPU resources or deadlock. @@ -310,7 +310,7 @@ For example, to create a crontab file for the userexample user, perform the foll After the new file is installed, you will find a file named userexample in the **/var/spool/cron** directory. This file is the required crontab file. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Do not restart the cron service after a crontab file is modified, because the cron service, once started, reads the crontab file every minute to check whether there are commands that need to be executed periodically. You do not need to restart the **cron** service after modifying the **crontab** file. #### /etc/crontab File @@ -328,7 +328,7 @@ HOME=/ 42 4 1 * * root run-parts /etc/cron.monthly //Run scripts in the /etc/cron.monthly directory once a month. ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If the **run-parts** parameter is deleted, a script name instead of a directory name is executed. ## Suspending/Resuming a Process 
diff --git a/content/en/docs/Administration/public_sys-resources/icon-caution.gif b/docs/en/docs/Administration/public_sys-resources/icon-caution.gif similarity index 100% rename from content/en/docs/Administration/public_sys-resources/icon-caution.gif rename to docs/en/docs/Administration/public_sys-resources/icon-caution.gif diff --git a/content/en/docs/Administration/public_sys-resources/icon-danger.gif b/docs/en/docs/Administration/public_sys-resources/icon-danger.gif similarity index 100% rename from content/en/docs/Administration/public_sys-resources/icon-danger.gif rename to docs/en/docs/Administration/public_sys-resources/icon-danger.gif diff --git a/content/en/docs/Administration/public_sys-resources/icon-note.gif b/docs/en/docs/Administration/public_sys-resources/icon-note.gif similarity index 100% rename from content/en/docs/Administration/public_sys-resources/icon-note.gif rename to docs/en/docs/Administration/public_sys-resources/icon-note.gif diff --git a/content/en/docs/Administration/public_sys-resources/icon-notice.gif b/docs/en/docs/Administration/public_sys-resources/icon-notice.gif similarity index 100% rename from content/en/docs/Administration/public_sys-resources/icon-notice.gif rename to docs/en/docs/Administration/public_sys-resources/icon-notice.gif diff --git a/content/en/docs/Administration/public_sys-resources/icon-tip.gif b/docs/en/docs/Administration/public_sys-resources/icon-tip.gif similarity index 100% rename from content/en/docs/Administration/public_sys-resources/icon-tip.gif rename to docs/en/docs/Administration/public_sys-resources/icon-tip.gif diff --git a/content/en/docs/Administration/public_sys-resources/icon-warning.gif b/docs/en/docs/Administration/public_sys-resources/icon-warning.gif similarity index 100% rename from content/en/docs/Administration/public_sys-resources/icon-warning.gif rename to docs/en/docs/Administration/public_sys-resources/icon-warning.gif 
diff --git a/content/en/docs/Administration/service-management.md b/docs/en/docs/Administration/service-management.md similarity index 98% rename from content/en/docs/Administration/service-management.md rename to docs/en/docs/Administration/service-management.md index 58457238c65e283618308bc13ea644c034a77fd8..f7950c0494a2d0714b2cef3d08edd88b4e90a9a0 100644 --- a/content/en/docs/Administration/service-management.md +++ b/docs/en/docs/Administration/service-management.md @@ -115,13 +115,6 @@ In systemd, the targets of most actions are units, which are resources systemd k

A group of hierarchically organized units that manage system processes.

Snapshot unit

-

.snapshot

-

A saved state of the systemd manager.

-

Socket unit

.socket

@@ -710,7 +703,7 @@ Give root password for maintenance (or press Control-D to continue): ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >You need to restart the system to enter the normal working mode from the rescue mode. ### Changing to Emergency Mode @@ -728,7 +721,7 @@ Give root password for maintenance (or press Control-D to continue): ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >You need to restart the system to enter the normal working mode from the emergency mode. ## Shutting Down, Suspending, and Hibernating the Operating System diff --git a/content/en/docs/Administration/setting-up-the-database-server.md b/docs/en/docs/Administration/setting-up-the-database-server.md similarity index 96% rename from content/en/docs/Administration/setting-up-the-database-server.md rename to docs/en/docs/Administration/setting-up-the-database-server.md index c88049f01333ce83b94cb8d52d8979a4eeca1df7..000f8f03a830276fcab208747b8f059e79915562 100644 --- a/content/en/docs/Administration/setting-up-the-database-server.md +++ b/docs/en/docs/Administration/setting-up-the-database-server.md @@ -32,7 +32,7 @@ [Figure 1](#fig26022387391) shows the PostgreSQL architecture and [Table 1](#table62020913417) describes the main processes. **Figure 1** PostgreSQL architecture -![](figures/postgresql-architecture.png "postgresql-architecture") +![](./figures/postgresql-architecture.png "postgresql-architecture") **Table 1** Main processes in PostgreSQL 
@@ -109,14 +109,14 @@ ### Configuring the Environment ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The following environment configuration is for reference only. Configure the environment based on the site requirements. #### Disabling the Firewall and Automatic Startup ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >It is recommended that firewall be disabled in the test environment to prevent network impact. Configure the firewall based on actual requirements. 1. Stop the firewall service as the **root** user. @@ -131,7 +131,7 @@ # systemctl disable firewalld ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The automatic startup is automatically disabled as the firewall is disabled. @@ -146,7 +146,7 @@ #### Creating a User Group and a User ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >In the server environment, independent users are assigned to each process to implement permission isolation for security purposes. The user group and user are created for the OS, not for the database. 1. Create a PostgreSQL user or user group as the **root** user. @@ -168,7 +168,7 @@ #### Creating Data Drives ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- When testing the ultimate performance, you are advised to attach NVMe SSDs with better I/O performance to create PostgreSQL test instances to avoid the impact of disk I/O on the performance test result. This section uses NVMe SSDs as an example. For details, see Step 1 to Step 4. >- In a non-performance test, run the following command as the **root** user to create a data directory. Then skip this section. > \# mkdir /data 
@@ -206,7 +206,7 @@ #### Installing PostgreSQL -1. Configure the local yum source. For details, see [Configuring the Repo Server](configuring-the-repo-server.html). +1. Configure the local yum source. For details, see [Configuring the Repo Server](./configuring-the-repo-server.html). 2. Clear the cache. ``` @@ -238,7 +238,7 @@ ##### Initializing the Database ->![](public_sys-resources/icon-notice.gif) **NOTICE:** +>![](./public_sys-resources/icon-notice.gif) **NOTICE:** >Perform this step as the postgres user. 1. Switch to the created PostgreSQL user. @@ -270,7 +270,7 @@ If the following information is displayed, the PostgreSQL processes have been started. - ![](figures/postgres.png) + ![](./figures/postgres.png) ##### Logging In to the Database @@ -281,9 +281,9 @@ $ /usr/bin/psql -U postgres ``` - ![](figures/登录.png) + ![](./figures/login.png) - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >You do not need to enter a password when logging in to the database for the first time. @@ -295,7 +295,7 @@ postgres=#alter user postgres with password '123456'; ``` - ![](figures/en-us_image_0230050789.png) + ![](./figures/en-us_image_0230050789.png) ##### Exiting the Database @@ -708,7 +708,7 @@ postgres=# \l; You can run the **DROP DATABASE** statement or **dropdb** command to delete a database. The **dropdb** command encapsulates the **DROP DATABASE** statement and needs to be executed on the shell GUI instead of the database GUI. ->![](public_sys-resources/icon-caution.gif) **CAUTION:** +>![](./public_sys-resources/icon-caution.gif) **CAUTION:** >Exercise caution when deleting a database. Once a database is deleted, all tables and data in the database will be deleted. ``` 
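Review bot: The sample password in the context line `postgres=#alter user postgres with password '123456';` of the `@@ -295,7 +295,7 @@` hunk is trivially guessable, and it comes right after the note that the first login needs no password. Since these lines are being touched for the image path anyway, replace the literal with a placeholder such as `'<new-password>'` and tell the reader to choose a strong value, so the sample is not copied into a real deployment.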
@@ -802,7 +802,7 @@ The MariaDB database management system is a branch of MySQL and is maintained by [Figure 2](#fig13492418164520) shows the MariaDB architecture. **Figure 2** MariaDB logical architecture -![](figures/mariadb-logical-architecture.png "mariadb-logical-architecture") +![](./figures/mariadb-logical-architecture.png "mariadb-logical-architecture") When MariaDB receives a SQL statement, the execution process is as follows: @@ -824,14 +824,14 @@ Each storage engine manages and stores data in different ways, and supports diff ### Configuring the Environment ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The following environment configuration is for reference only. Configure the environment based on the site requirements. #### Disabling the Firewall and Automatic Startup ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >It is recommended that firewall be disabled in the test environment to prevent network impact. Configure the firewall based on actual requirements. 1. Stop the firewall service as the **root** user. @@ -846,7 +846,7 @@ Each storage engine manages and stores data in different ways, and supports diff # systemctl disable firewalld ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The automatic startup is automatically disabled as the firewall is disabled. @@ -861,7 +861,7 @@ Each storage engine manages and stores data in different ways, and supports diff #### Creating a User Group and a User ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >In the server environment, independent users are assigned to each process to implement permission isolation for security purposes. The user group and user are created for the OS, not for the database. 1. Create a MySQL user or user group as the **root** user. 
@@ -885,7 +885,7 @@ Each storage engine manages and stores data in different ways, and supports diff #### Creating Data Drives ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- If a performance test needs to be performed, an independent drive is required for the data directory. You need to format and mount the drive. For details, see Method 1 or Method 2. >- In a non-performance test, run the following command as the **root** user to create a data directory. Then skip this section. > \# mkdir /data @@ -923,13 +923,13 @@ Each storage engine manages and stores data in different ways, and supports diff In the last line, **/dev/nvme0n1p1** is only an example. - ![](figures/搭建数据盘.png) + ![](./figures/creat_datadisk1.png) ##### Method 2: Using LVM for Drive Management as the **root** user ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Install the LVM2 package in the image as follows: ->1. Configure the local yum source. For details, see [Configuring the Repo Server](configuring-the-repo-server.html). If the repository has been configured, skip this step. +>1. Configure the local yum source. For details, see [Configuring the Repo Server](./configuring-the-repo-server.html). If the repository has been configured, skip this step. >2. Install LVM2. > **\# yum install lvm2** @@ -971,7 +971,7 @@ Each storage engine manages and stores data in different ways, and supports diff In the last line, **/dev/datavg/datalv** is only an example. - ![](figures/d1376b2a-d036-41c4-b852-e8368f363b5e.png) + ![](./figures/d1376b2a-d036-41c4-b852-e8368f363b5e.png) #### Creating a Database Directory and Granting Permissions 
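Review bot: The new image name `./figures/creat_datadisk1.png` in the `@@ -923,13 +923,13 @@` hunk misspells "create", and the numbering is inverted relative to the old names. Here `搭建数据盘.png` becomes `creat_datadisk1.png`, while the MySQL section later in this file maps `搭建数据盘-0.png` to `creat_datadisk.png`. Suggest `create_datadisk.png` and `create_datadisk-0.png`, or names that carry the section, and confirm the image files are renamed in the same commit so the links do not break.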
@@ -991,7 +991,7 @@ Each storage engine manages and stores data in different ways, and supports diff #### Installing MariaDB -1. Configure the local yum source. For details, see [Configuring the Repo Server](configuring-the-repo-server.html). +1. Configure the local yum source. For details, see [Configuring the Repo Server](./configuring-the-repo-server.html). 2. Clear the cache. ``` @@ -1041,7 +1041,7 @@ Each storage engine manages and stores data in different ways, and supports diff After the command is executed, the system prompts you to enter the password. The password is the one set in [2](#li197143190587). - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >Run the **\\q** or **exit** command to exit the database. @@ -1174,7 +1174,7 @@ In the preceding information: - **FOR 'username'@'hostname'**: specifies the username and hostname whose password is to be changed. This parameter is optional. - **PASSWORD\('newpassword'\)**: indicates that the **PASSWORD\(\)** function is used to set a new password. That is, the new password must be transferred to the **PASSWORD\(\)** function for encryption. ->![](public_sys-resources/icon-caution.gif) **CAUTION:** +>![](./public_sys-resources/icon-caution.gif) **CAUTION:** >The **PASSWORD\(\)** function is a unidirectional encryption function. Once encrypted, the original plaintext cannot be decrypted. If the **FOR** clause is not added to the **SET PASSWORD** statement, the password of the current user is changed. 
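Review bot: The CAUTION text in the `@@ -1174,7 +1174,7 @@` hunk calls `PASSWORD()` a "unidirectional encryption function" and says the plaintext "cannot be decrypted", which mixes up hashing and encryption. As the block is already being edited for the icon path, reword it to say that `PASSWORD()` computes a one-way hash and that the plaintext cannot be recovered from the stored value. The bullet just above it ("transferred to the `PASSWORD()` function for encryption") needs the same change.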
@@ -1198,7 +1198,7 @@ Use the **DROP USER** statement to delete one or more user accounts and relate DROP USER 'username1'@'hostname1' [,'username2'@'hostname2']...; ``` ->![](public_sys-resources/icon-caution.gif) **CAUTION:** +>![](./public_sys-resources/icon-caution.gif) **CAUTION:** >The deletion of users does not affect the tables, indexes, or other database objects that they have created, because the database does not record the accounts that have created these objects. The **DROP USER** statement can be used to delete one or more database accounts and their original permissions. @@ -1321,7 +1321,7 @@ In the preceding command, **databasename** indicates the database name. You can run the **DROP DATABASE** statement to delete a database. ->![](public_sys-resources/icon-caution.gif) **CAUTION:** +>![](./public_sys-resources/icon-caution.gif) **CAUTION:** >Exercise caution when deleting a database. Once a database is deleted, all tables and data in the database will be deleted. ``` @@ -1415,7 +1415,7 @@ In the preceding information: Run the **mysql** command as the **root** user to restore the database. -Back up one or more tables: +Restore one or more tables: ``` mysql -h hostname -P portnumber -u username -ppassword databasename < infile @@ -1451,14 +1451,14 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard ### Configuring the Environment ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The following environment configuration is for reference only. Configure the environment based on the site requirements. #### Disabling the Firewall and Automatic Startup ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >It is recommended that firewall be disabled in the test environment to prevent network impact. Configure the firewall based on actual requirements. 1. Stop the firewall service as the **root** user. 
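Review bot: The command under the corrected heading in the `@@ -1415,7 +1415,7 @@` hunk, `mysql -h hostname -P portnumber -u username -ppassword databasename < infile`, puts the password on the command line, where it ends up in shell history and can be seen in the process list. While this block is being fixed, document `-p` with no value so the client prompts for the password. The new heading "Restore one or more tables:" also sits under "Run the **mysql** command as the **root** user to restore the database", so say whether `infile` holds a full database dump or selected tables. The identical hunk at `@@ -2159,7 +2159,7 @@` in the MySQL section needs the same treatment.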
@@ -1473,7 +1473,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard # systemctl disable firewalld ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The automatic startup is automatically disabled as the firewall is disabled. @@ -1488,7 +1488,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard #### Creating a User Group and a User ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >In the server environment, independent users are assigned to each process to implement permission isolation for security purposes. The user group and user are created for the OS, not for the database. 1. Create a MySQL user or user group as the **root** user. @@ -1512,7 +1512,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard #### Creating Data Drives ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- If a performance test needs to be performed, an independent drive is required for the data directory. You need to format and mount the drive. For details, see Method 1 or Method 2. >- In a non-performance test, run the following command as the **root** user to create a data directory. Then skip this section. > \# mkdir /data 
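Review bot: The NOTE re-added in the `@@ -1473,7 +1473,7 @@` hunk, "The automatic startup is automatically disabled as the firewall is disabled", is misleading where it stands. It follows `# systemctl disable firewalld`, and it is that command, not stopping the service, that turns off start at boot. Suggest rewording it to say that `systemctl disable firewalld` prevents the firewall from starting at boot. The same sentence appears in the PostgreSQL and MariaDB sections of this file (`@@ -131,7 +131,7 @@` and `@@ -846,7 +846,7 @@`).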
@@ -1550,13 +1550,13 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard In the last line, **/dev/nvme0n1p1** is only an example. - ![](figures/搭建数据盘-0.png) + ![](./figures/creat_datadisk.png) ##### Method 2: Using LVM for Drive Management as the **root** user ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Install the LVM2 package in the image as follows: ->1. Configure the local yum source. For details, see [Configuring the Repo Server](configuring-the-repo-server.html). If the repository has been configured, skip this step. +>1. Configure the local yum source. For details, see [Configuring the Repo Server](./configuring-the-repo-server.html). If the repository has been configured, skip this step. >2. Install LVM2. > **\# yum install lvm2** @@ -1598,7 +1598,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard In the last line, **/dev/datavg/datalv** is only an example. - ![](figures/d1376b2a-d036-41c4-b852-e8368f363b5e-1.png) + ![](./figures/d1376b2a-d036-41c4-b852-e8368f363b5e-1.png) #### Creating a Database Directory and Granting Permissions @@ -1619,7 +1619,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard #### Installing MySQL -1. Configure the local yum source. For details, see [Configuring the Repo Server](configuring-the-repo-server.html). +1. Configure the local yum source. For details, see [Configuring the Repo Server](./configuring-the-repo-server.html). 2. Clear the cache. ``` @@ -1635,13 +1635,13 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard 4. Install the MySQL server as the **root** user. ``` - # dnf install mysql + # dnf install mysql-server ``` 5. Check the installed RPM package. ``` - $ rpm -qa | grep mysql + $ rpm -qa | grep mysql-server ``` 
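Review bot: Step 5 in the `@@ -1635,13 +1635,13 @@` hunk now verifies the install with `rpm -qa | grep mysql-server`, a substring match that prints nothing and gives no clear failure when the package is missing. `rpm -q mysql-server` queries the exact package name and reports when it is not installed. With step 4 switched to the packaged `mysql-server`, also check that the later steps that reference `/usr/local/mysql/bin` still match where the RPM places its binaries.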
@@ -1682,9 +1682,9 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard $ cat /etc/my.cnf ``` - ![](figures/en-us_image_0231563132.png) + ![](./figures/en-us_image_0231563132.png) - >![](public_sys-resources/icon-caution.gif) **CAUTION:** + >![](./public_sys-resources/icon-caution.gif) **CAUTION:** >In the configuration file, **basedir** specifies the software installation path. Change it based on actual situation. 3. Change the group and user of the **/etc/my.cnf** file to **mysql:mysql** as the **root** user. @@ -1700,7 +1700,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard # echo export PATH=$PATH:/usr/local/mysql/bin >> /etc/profile ``` - >![](public_sys-resources/icon-caution.gif) **CAUTION:** + >![](./public_sys-resources/icon-caution.gif) **CAUTION:** >In the command, **/usr/local/mysql/bin** is the absolute path of the **bin** files in the MySQL software installation directory. Change it based on actual situation. 2. Run the following command as the **root** user to make the environment variables take effect: @@ -1711,7 +1711,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard 3. Initialize the database as the **root** user. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The second line from the bottom contains the initial password, which will be used when you log in to the database. ``` 
@@ -1725,7 +1725,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard 4. Start the database. - >![](public_sys-resources/icon-caution.gif) **CAUTION:** + >![](./public_sys-resources/icon-caution.gif) **CAUTION:** >Start MySQL as user **mysql** if it is the first time to start the database service. If you start MySQL as user **root**, a message will be displayed indicating that the **mysql.log** file is missing. If you start MySQL as user **mysql**, the **mysql.log** file will be generated in the **/data/mysql/log** directory. No error will be displayed if you start the database as user **root** again. 1. Modify the file permission as the **root** user. @@ -1750,7 +1750,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard 5. Log in to the database. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >- Enter the initial password generated during database initialization \([3](#li15634560582)\). >- If MySQL is installed by using an RPM package obtained from the official website, the **mysqld** file is located in the **/usr/sbin** directory. Ensure that the directory specified in the command is correct. @@ -1758,7 +1758,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard $ /usr/local/mysql/bin/mysql -uroot -p -S /data/mysql/run/mysql.sock ``` - ![](figures/en-us_image_0231563134.png) + ![](./figures/en-us_image_0231563134.png) 6. Configure the database accounts and passwords. 1. After logging in to the database, change the password of user **root** for logging in to the database. @@ -1780,7 +1780,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard mysql>flush privileges; ``` - ![](figures/en-us_image_0231563135.png) + ![](./figures/en-us_image_0231563135.png) 7. Exit the database. 
@@ -1790,7 +1790,7 @@ The Structured Query Language \(SQL\) used by MySQL is the most common standard mysql>exit ``` - ![](figures/en-us_image_0231563136.png) + ![](./figures/en-us_image_0231563136.png) #### Uninstalling MySQL @@ -1943,7 +1943,7 @@ Use the **DROP USER** statement to delete one or more user accounts and relate DROP USER 'username1'@'hostname1' [,'username2'@'hostname2']...; ``` ->![](public_sys-resources/icon-caution.gif) **CAUTION:** +>![](./public_sys-resources/icon-caution.gif) **CAUTION:** >The deletion of users does not affect the tables, indexes, or other database objects that they have created, because the database does not record the accounts that have created these objects. The **DROP USER** statement can be used to delete one or more database accounts and their original permissions. @@ -2065,7 +2065,7 @@ In the preceding command, _databasename_ indicates the database name. Run the **DROP DATABASE** statement to delete a database. ->![](public_sys-resources/icon-caution.gif) **CAUTION:** +>![](./public_sys-resources/icon-caution.gif) **CAUTION:** >Exercise caution when deleting a database. Once a database is deleted, all tables and data in the database will be deleted. ``` @@ -2159,7 +2159,7 @@ In the preceding information: Run the **mysql** command as the **root** user to restore the database. -Back up one or more tables: +Restore one or more tables: ``` mysql -h hostname -P portnumber -u username -ppassword databasename < infile diff --git a/docs/en/docs/Administration/trusted-computing.md b/docs/en/docs/Administration/trusted-computing.md new file mode 100644 index 0000000000000000000000000000000000000000..914ab62bcd2a109e1544f440ff1bcc73d71678ba --- /dev/null +++ b/docs/en/docs/Administration/trusted-computing.md 
@@ -0,0 +1,638 @@ +# Trusted Computing + + +- [Trusted Computing](#可信计算) + - [Trusted Computing Basics](#可信计算基础) + - [Trusted Computing](#可信计算-1) + - [Kernel Integrity Measurement Architecture (IMA)](#内核完整性度量ima) + - [Overview](#概述) + - [Constraints](#约束限制) + - [Application Scenarios](#使用场景) + - [Procedure](#操作指导) + - [FAQ](#faq) + - [Appendix](#附录) + + +## Trusted Computing Basics + +### Trusted Computing + +The definition of being trusted varies with international organizations. + +1. Trusted Computing Group (TCG): + + An entity that is trusted always achieves the desired goal in an expected way. + +2. International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) (1999): + + The components, operations, or processes involved in computing are predictable under any conditions and are resistant to viruses and a certain degree of physical interference. + +3. IEEE Computer Society Technical Committee on Dependable Computing: + + Being trusted means that the services provided by the computer system can be proved to be reliable, and mainly refers to the reliability and availability of the system. + +In short, being trusted means that the system operates according to a pre-determined design and policy. + +A trusted computing system consists of a root of trust, a trusted hardware platform, operating system (OS), and application. The basic idea of the system is to create a trusted computing base (TCB) first, and then establish a trust chain that covers the hardware platform, OS, and application. In the trust chain, authentication is performed from the root to the next level, extending trust level by level and building a secure and trusted computing environment. 
+ +![](./figures/trusted_chain.png) + +Unlike the traditional security mechanism that eliminates viruses without solving the root of the problem, trusted computing adopts the whitelist mechanism to allow only authorized kernels, kernel modules, and applications to run on the system. The system will reject the execution of a program that is unknown or has been changed. + +## Kernel Integrity Measurement Architecture (IMA) + +### Overview + +#### IMA + +The integrity measurement architecture (IMA) is a subsystem in the kernel. The IMA can measure files accessed through **execve()**, **mmap()**, and **open()** systems based on user-defined policies. The measurement result can be used for **local or remote attestation**, or can be compared with an existing reference value to **control the access to files**. + +According to the Wiki definition, the function of the kernel integrity subsystem include three parts: + +- Measure: Detects accidental or malicious modifications to files, either remotely or locally. +- Appraise: Measures a file and compares it with a reference value stored in the extended attribute to control the integrity of the local file. +- Audit: Writes the measurement result into system logs for auditing. + +Figuratively, IMA measurement is an observer that only records modification without interfering in it, and IMA appraisal is more like a strict security guard that rejects any unauthorized access to programs. + +#### EVM + +The extended verification module (EVM) is used to calculate a hash value based on the security extended attributes of a file in the system, including **security.ima** and **security.selinux**. Then this value is signed by the key stored in the TPM or other trusted environments. The signature value is stored in **security.evm** and cannot be tampered with. If the value is tampered with, the signature verification fails when the file is accessed again. 
+ +In summary, the EVM is used to provide offline protection for security extended attributes by calculating the digest of the attributes and signing and storing them in **security.evm**. + +#### IMA Digest Lists + +IMA Digest Lists are an enhancement of the original kernel integrity protection mechanism provided by openEuler. It replaces the original IMA mechanism to protect file integrity. + +Digest lists are binary data files in a special format. Each digest list corresponds to an RPM package and records the hash values of protected files (executable files and dynamic library files) in the RPM package. + +After the startup parameters are correctly configured, the kernel maintains a hash table (invisible to the user space) and provides interfaces (**digest\_list\_data** and **digest\_list\_data\_del**) that update the hash table using **securityfs**. The digest lists are signed by the private key when they are built. When uploaded to the kernel through the interface, the digest lists need to be verified by the public key in the kernel. + +![](./figures/ima_digest_list_update.png) + +When IMA appraisal is enabled, each time an executable file or dynamic library file is accessed, the hook in the kernel is invoked to calculate the hash values of the file content and extended attributes and search in the kernel hash table. If the calculated hash values match the one in the table, the file is allowed to be executed. Otherwise, the access is denied. + +![1599719649188](./figures/ima_verification.png) + +The IMA Digest Lists extension provided by the openEuler kernel provides higher security, performance, and usability than the native IMA mechanism of the kernel community, facilitating the implementation of the integrity protection mechanism in the production environment. + +- **A complete trust chain for high security** + + The native IMA mechanism requires that the file extended attribute be generated and marked in advance on the live network. 
When the file is accessed, the file extended attribute is used as a reference value, resulting in an incomplete trust chain. + + The IMA Digest Lists extension saves the reference digest value of the file in the kernel space. During the construction, the reference digest value of the file is carried in the released RPM package in the form of a digest list. When the RPM package is installed, the digest list is imported and the signature is verified, ensuring that the reference value comes from the software publisher and implementing a complete trust chain. + +- **Superior performance** + + The trusted platform module (TPM) chip is a low-speed chip, making the PCR extension operation a performance bottleneck in the IMA measurement scenario. To shatter this bottleneck, the Digest Lists extension reduces unnecessary PCR extension operations while ensuring security, providing 65% higher performance than the native IMA mechanism. + + In the IMA appraisal scenario, the Digest Lists extension performs signature verification in the startup phase to prevent signature verification from being performed each time the file is accessed. This helps deliver a 20% higher file access performance in the operation phase than that in the native IMA appraisal scenario. + +- **Fast deployment and smooth upgrade** + + When the native IMA mechanism is deployed for the first time or the software package is updated, you need to switch to the fix mode, manually mark the extended attributes of the file, and then restart the system to enter the enforcing mode. In this way, the installed program can be accessed normally. + + The Digest Lists extension can be used immediately after the installation is completed. In addition, the RPM package can be directly installed or upgraded in the enforcing mode without restarting the system or manually marking the extended attributes of the file. 
This minimizes user perception during the operation, allowing for quick deployment and smooth upgrade on the live network. + +Note: The IMA Digest Lists extension advances the signature verification of the native IMA to the startup phase. This causes the assumption that the memory in the kernel space cannot be tampered with. As a result, the IMA depends on other security mechanisms (secure startup of kernel module and dynamic memory measurement) to protect the integrity of the kernel memory. + +However, either the native IMA mechanism of the community or the IMA Digest Lists extension is only a link in the trust chain of trusted computing, and cannot ensure the system security alone. Security construction is always a systematic project that builds in-depth defense. + +### Constraints + +1. The current IMA appraisal mode can only protect immutable files in the system, including executable files and dynamic library files. +2. The IMA provides integrity measurement at the application layer. The security of the IMA depends on the reliability of the previous links. +3. Currently, the IMA does not support the import of the third-party application digest lists. +4. The startup log may contain `Unable to open file: /etc/keys/x509_ima.der`. This error is reported from the open source community and does not affect the use of the IMA digest lists feature. +5. In the ARM version, audit errors may occur when the log mode is enabled for the IMA. This occurs because the modprobe loads the kernel module before the digest lists are imported, but does not affect the normal functions. + +### Application Scenario + +#### IMA Measurement + +The purpose of IMA measurement is to detect unexpected or malicious modifications to system files. The measurement result can be used for local or remote attestation. + +If a TPM chip exists in the system, the measurement result is extended to a specified PCR register of the TPM chip. 
Due to the unidirectional PCR extension and the hardware security of the TPM chip, a user cannot modify the extended measurement result, thereby ensuring authenticity of the measurement result. + +The file scope and triggering conditions of IMA measurement can be configured by the user using the IMA policy. + +By default, IMA is disabled. However, the system searches for the **ima-policy** policy file in the `/etc/ima/` path. If the file is found, the system measures the files in the system based on the policy during startup. If you do not want to manually compile the policy file, you can configure the `ima_policy=tcb` in the startup parameters using the default policy. For details about more policy parameters, see the section *IMA Startup Parameters* in *Appendix*. + +You can check the currently loaded IMA policy in the `/sys/kernel/security/ima/policy` file. The IMA measurement log is located in the `/sys/kernel/security/ima/ascii_runtime_measurements` file, as shown in the following figure: + +```shell +$ head /sys/kernel/security/ima/ascii_runtime_measurements +10 ddee6004dc3bd4ee300406cd93181c5a2187b59b ima-ng sha1:9797edf8d0eed36b1cf92547816051c8af4e45ee boot_aggregate +10 180ecafba6fadbece09b057bcd0d55d39f1a8a52 ima-ng sha1:db82919bf7d1849ae9aba01e28e9be012823cf3a /init +10 ac792e08a7cf8de7656003125c7276968d84ea65 ima-ng sha1:f778e2082b08d21bbc59898f4775a75e8f2af4db /bin/bash +10 0a0d9258c151356204aea2498bbca4be34d6bb05 ima-ng sha1:b0ab2e7ebd22c4d17d975de0d881f52dc14359a7 /lib64/ld-2.27.so +10 0d6b1d90350778d58f1302d00e59493e11bc0011 ima-ng sha1:ce8204c948b9fe3ae67b94625ad620420c1dc838 /etc/ld.so.cache +10 d69ac2c1d60d28b2da07c7f0cbd49e31e9cca277 ima-ng sha1:8526466068709356630490ff5196c95a186092b8 /lib64/libreadline.so.7.0 +10 ef3212c12d1fbb94de9534b0bbd9f0c8ea50a77b ima-ng sha1:f80ba92b8a6e390a80a7a3deef8eae921fc8ca4e /lib64/libc-2.27.so +10 f805861177a99c61eabebe21003b3c831ccf288b ima-ng sha1:261a3cd5863de3f2421662ba5b455df09d941168 
/lib64/libncurses.so.6.1 +10 52f680881893b28e6f0ce2b132d723a885333500 ima-ng sha1:b953a3fa385e64dfe9927de94c33318d3de56260 /lib64/libnss_files-2.27.so +10 4da8ce3c51a7814d4e38be55a2a990a5ceec8b27 ima-ng sha1:99a9c095c7928ecca8c3a4bc44b06246fc5f49de /etc/passwd +``` + +From left to right, the content of each record indicates: + +1. PCR: PCR register for extending measurement results (The default value is 10. This register is valid only when the TPM chip is installed in the system.) +2. Template hash value: hash value that is finally used for extension, combining the file content hash and the length and value of the file path +3. Template: template of the extended measurement value, for example, **ima-ng** +4. File content hash value: hash value of the measured file content +5. File path: path of the measured file + +#### IMA Appraisal + +The purpose of IMA appraisal is to control access to local files by comparing the reference value with the standard reference value. + +IMA uses the security extension attributes **security.ima** and **security.evm** to store the reference values of file integrity measurement. + +- **security.ima**: stores the hash value of the file content +- **security.evm**: stores the hash value signature of a file extended attribute + +When a protected file is accessed, the hook in the kernel is triggered to verify the integrity of the extended attributes and content of the file. + +1. Use the public key in the kernel keyring to verify the signature value in the extended attribute of the **security.evm** file, and compare this signature value with the hash value of the extended attribute of the current file. If they match, the extended attribute of the file is complete (including **security.ima**). +2. When the extended attribute of the file is complete, the system compares the extended attribute of the file **security.ima** with the digest value of the current file content. If they match, the system allows for the access to the file. 
+ +Likewise, the file scope and trigger conditions for IMA appraisal can be configured by users using IMA policies. + +#### IMA Digest Lists + +Currently, the IMA Digest Lists extension supports the following three combinations of startup parameters: + +* IMA measurement mode: + + ```shell + ima_policy=exec_tcb ima_digest_list_pcr=11 + ``` + +* IMA appraisal log mode + IMA measurement mode: + + ```shell + ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sha256 ima_appraise=log evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest + ``` + +* IMA appraisal enforcing mode + IMA measurement mode: + + ```shell + ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sha256 ima_appraise=enforce-evm evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest + ``` + +### Procedure + +#### Initial Deployment in the Native IMA Scenario + +When the system is started for the first time, you need to configure the following startup parameters: + +```shell +ima_appraise=fix ima_policy=appraise_tcb +``` + +In the `fix` mode, the system can be started when no reference value is available. `appraise_tcb` corresponds to an IMA policy. For details, see *IMA Startup Parameters* in the *Appendix*. + +Next, you need to access all the files that need to be verified to add IMA extended attributes to them: + +```shell +$ time find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \; +``` + +This process takes some time. After the command is executed, you can see the marked reference value in the extended attributes of the protected file. 
+ +```shell +$ getfattr -m - -d /sbin/init +# file: sbin/init +security.ima=0sAXr7Qmun5mkGDS286oZxCpdGEuKT +security.selinux="system_u:object_r:init_exec_t" +``` + +Configure the following startup parameters and restart the system: + +```shell +ima_appraise=enforce ima_policy=appraise_tcb +``` + +#### Initial Deployment in the Digest Lists Scenario + +1. Set kernel parameters to enter the log mode. + + Add the following parameters to edit the `/boot/efi/EFI/euleros/grub.cfg` file: + + ```shell + ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sha256 ima_appraise=log evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest + ``` + + Run the `reboot` command to restart the system and enter the log mode. In this mode, integrity check has been enabled, but the system can be started even if the check fails. + +2. Install the dependency package. + + Run the **yum** command to install **digest-list-tools** and **ima-evm-utils**. Ensure that the versions are not earlier than the following: + + ```shell + $ yum install digest-list-tools ima-evm-utils + $ rpm -qa | grep digest-list-tools + digest-list-tools-0.3.93-1.oe1.x86_64 + $ rpm -qa | grep ima-evm-utils + ima-evm-utils-1.2.1-9.oe1.x86_64 + ``` + +3. If the **plymouth** package is installed, you need to add `-a` to the end of the **cp** command in line 147 in the `/usr/libexec/plymouth/plymouth-populate-initrd` script file: + + ```shell + ... + ddebug "Installing $_src" + cp -a --sparse=always -pfL "$PLYMOUTH_SYSROOT$_src" "${initdir}/$target" + } + ``` + +4. Run `dracut` to generate **initrd** again: + + ```shell + $ dracut -f -e xattr + ``` + + Edit the `/boot/efi/EFI/euleros/grub.cfg` file by changing **ima\_appraise=log** to **ima\_appraise=enforce-evm**. 
+ + ```shell + ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sha256 ima_appraise=enforce-evm evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest + ``` + + Run the **reboot** command to complete the initial deployment. + +#### Building Digest Lists on OBS + +Open Build Service (OBS) is a compilation system that was first used for building software packages in openSUSE and supports distributed compilation of multiple architectures. + +Before building a digest list, ensure that your project contains the following RPM packages from openEuler: + +* digest-list-tools +* pesign-obs-integration +* selinux-policy +* rpm +* openEuler-rpm-config + +Add **Project Config** in the deliverable project: + +```shell +Preinstall: pesign-obs-integration digest-list-tools selinux-policy-targeted +Macros: +%__brp_digest_list /usr/lib/rpm/openEuler/brp-digest-list %{buildroot} +:Macros +``` + +* The following content is added to **Preinstall**: **digest-list-tools** for generating the digest list; **pesign-obs-integration** for generating the digest list signature; **selinux-policy-targeted**, ensuring that the SELinux label in the environment is correct when the digest list is generated. +* Define the macro **%\_\_brp\_digest\_list** in Macros. The RPM runs this macro to generate a digest list for the compiled binary file in the build phase. This macro can be used as a switch to control whether the digest list is generated in the project. + +After the configuration is completed, OBS automatically performs full build. In normal cases, the following two files are added to the software package: + +* **/etc/ima/digest\_lists/0-metadata\_list-compact-\[package name]-\[version number]** +* **/etc/ima/digest\_lists.tlv/0-metadata\_list-compact\_tlv-\[package name]-\[version number]** + +#### Building Digest Lists on Koji + +Koji is a compilation system of the Fedora community. 
The openEuler community will support Koji in the future. + +### FAQ + +1. Why does the system fail to be started, or commands fail to be executed, or services are abnormal after the system is started in enforcing mode? + + In enforcing mode, IMA controls file access. If the content or extended attributes of a file to be accessed are incomplete, the access will be denied. If key commands that affect system startup cannot be executed, the system cannot be started. + + Check whether the following problems exist: + + * **Check whether the digest list is added to initrd.** + + Check whether the **dracut** command is executed to add the digest list to the kernel during the initial deployment. If the digest list is not added to **initrd**, the digest list cannot be imported during startup. As a result, the startup fails. + + * **Check whether the official RPM package is used.** + + If a non-official openEuler RPM package is used, the RPM package may not carry the digest list, or the private key for signing the digest list does not match the public key for signature verification in the kernel. As a result, the digest list is not imported to the kernel. + + If the cause is not clear, enter the log mode and find the cause from the error log: + + ```shell + $ dmesg | grep appraise + ``` + +2. Why access control is not performed on system files in enforcing mode? + + When the system does not perform access control on the file as expected, check whether the IMA policy in the startup parameters is correctly configured: + + ```shell + $ cat /proc/cmdline + ...ima_policy=exec_tcb|appraise_exec_tcb|appraise_exec_immutable... + ``` + + Run the following command to check whether the IMA policy in the current kernel has taken effect: + + ```shell + $ cat /sys/kernel/security/ima/policy + ``` + + If the policy file is empty, it indicates that the policy fails to be set. In this case, the system does not perform access control. + +3. 
After the initial deployment is completed, do I need to manually run the **dracut** command to generate **initrd** after installing, upgrading, or uninstalling the software package? + + No. The **digest\_list.so** plug-in provided by the RPM package can automatically update the digest list at the RPM package granularity, allowing users to be unaware of the digest list. + +### Appendix + +#### Description of the IMA securityfs Interface + +The native IMA provides the following **securityfs** interfaces: + +> Note: The following interface paths are in the `/sys/kernel/security/` directory. + +| Path | Permission | Description | +| ------------------------------ | ---------- | ------------------------------------------------------------ | +| ima/policy | 600 | IMA policy interface | +| ima/ascii_runtime_measurement | 440 | IMA measurement result in ASCII code format | +| ima/binary_runtime_measurement | 440 | IMA measurement result in binary format | +| ima/runtime_measurement_count | 440 | Measurement result statistics | +| ima/violations | 440 | Number of IMA measurement result conflicts | +| evm | 660 | EVM mode, that is, the mode for verifying the integrity of extended attributes of files | + +The values of `/sys/kernel/security/evm` are as follows: + +* 0: EVM uninitialized. +* 1: Uses HMAC (symmetric encryption) to verify the integrity of extended attributes. +* 2: Uses the public key signature (asymmetric encryption) to verify the integrity of extended attributes. +* 6: Disables the integrity check of extended attributes (This mode is used for openEuler). 
+ +The additional **securityfs** interfaces provided by the IMA Digest Lists extension are as follows: + +| Path | Permission | Description | +| ------------------------ | ---------- | ---------------------------------------------------------- | +| ima/digests_count | 440 | Total number of digests (IMA+EVM) in the system hash table | +| ima/digest_list_data | 200 | New interfaces in the digest list | +| ima/digest_list_data_del | 200 | Interfaces deleted from the digest list | + +#### IMA Policy Syntax + +Each IMA policy statement must start with an **action** represented by the keyword action and be followed by a **filtering condition**: + +- **action**: indicates the action of a policy. Only one **action** can be selected for a policy. + + > Note: You can **ignore the word action** and directly write **dont\_measure** instead of **action=dont\_measure**. + +- **func**: indicates the type of the file to be measured or authenticated. It is often used together with **mask**. Only one **func** can be selected for a policy. + + - **FILE\_CHECK** can be used only with **MAY\_EXEC**, **MAY\_WRITE**, and **MAY\_READ**. + - **MODULE\_CHECK**, **MMAP\_CHECK**, and **BPRM\_CHECK** can be used only with **MAY\_EXEC**. + - A combination without the preceding matching relationships does not take effect. + +- **mask**: indicates the operation upon which files will be measured or appraised. Only one **mask** can be selected for a policy. + +- **fsmagic**: indicates the hexadecimal magic number of the file system type, which is defined in the `/usr/include/linux/magic.h` file. + + > Note: By default, all file systems are measured unless you use the **dont\_measure/dont\_appraise** to mark a file system not to be measured. + +- **fsuid**: indicates the UUID of a system device. The value is a hexadecimal string of 16 characters. + +- **objtype**: indicates the file type. Only one file type can be selected for a policy. + + > Note: **objtype** has a finer granularity than **func**. 
For example, **obj\_type=nova\_log\_t** indicates the nova log file. + +- **uid**: indicates the user (represented by the user ID) who performs operations on the file. Only one **uid** can be selected for a policy. + +- **fowner**: indicates the owner (represented by the user ID) of the file. Only one **fowner** can be selected for a policy. + +The values and description of the keywords are as follows: + +| Keyword | Value | Description | +| ------------- | ------------------ | ------------------------------------------------------------ | +| action | measure | Enables IMA measurement | +| | dont_measure | Disables IMA measurement | +| | appraise | Enables IMA appraisal | +| | dont_appraise | Disables IMA appraisal | +| | audit | Enables audit | +| func | FILE_CHECK | File to be opened | +| | MODULE_CHECK | Kernel module file to be loaded | +| | MMAP_CHECK | Dynamic library file to be mapped to the memory space of the process | +| | BRPM_CHECK | File to be executed (excluding script files opened by programs such as `/bin/hash`) | +| | POLICY_CHECK | File to be loaded as a supplement to the IMA policy | +| | FIRMWARE_CHECK | Firmware to be loaded into memory | +| | DIGEST_LIST_CHECK | Digest list file to be loaded into the kernel | +| | KEXEC_KERNEL_CHECK | kexec kernel to be switched to | +| mask | MAY_EXEC | Executes a file | +| | MAY_WRITE | Writes data to a file This operation is not recommended because it is restricted by open source mechanisms such as echo and vim (the essence of modification is to create a temporary file and then rename it). The IMA measurement of **MAY\_WRITE** is not triggered each time the file is modified. | +| | MAY_READ | Reads a file | +| | MAY_APPEND | Extends file attributes | +| fsmagic | fsmagic=xxx | Hexadecimal magic number of the file system type | +| fsuuid | fsuuid=xxx | UUID of a system device. The value is a hexadecimal string of 16 characters. 
| +| fowner | fowner=xxx | User ID of the file owner | +| uid | uid=xxx | ID of the user who operates the file | +| obj_type | obj_type=xxx_t | File type (based on the SELinux tag) | +| pcr | pcr= | Selects the PCR used to extend the measurement values in the TPM. The default value is 10. | +| appraise_type | imasig | Signature-based IMA appraisal | +| | meta_immutable | Evaluates the extended attributes of the file based on signatures (supporting the digest list). | + +> Note: **PATH\_CHECK** is equivalent to **FILE\_CHECK**, and **FILE\_MMAP** is equivalent to **MMAP\_CHECK**. They are not mentioned in this table. + +#### IMA Native Startup Parameters + +The following table lists the kernel startup parameters of the native IMA. + +| Parameter | Value | Description | +| ---------------- | ------------ | ------------------------------------------------------------ | +| ima_appraise | off | Disables the IMA appraisal mode. The integrity check is not performed when the file is accessed and no new reference value is generated for the file. | +| | enforce | Enables the IMA appraisal enforcing mode to perform the integrity check when the file is accessed. That is, the file digest value is calculated and compared with the reference value. If the comparison fails, the file access is rejected. In this case, the IMA generates a new reference value for the new file. | +| | fix | Enables the IMA repair mode. In this mode, the reference value of a protected file can be updated. | +| | log | Enables the IMA appraisal log mode to perform the integrity check when the file is accessed. However, commands can be executed even if the check fails, and only logs are recorded. | +| ima_policy | tcb | Measures all file execution, dynamic library mapping, kernel module import, and device driver loading. The file read behavior of the root user is also measured. | +| | appraise_tcb | Evaluates all files whose owner is the root user. 
| +| | secure_boot | Evaluates the kernel module import, hardware driver loading, kexec kernel switchover, and IMA policies. The prerequisite is that these files have IMA signatures. | +| ima_tcb | None | Equivalent to **ima\_policy=tcb**. | +| ima_appraise_tcb | None | Equivalent to **ima\_policy=appraise\_tcb**. | +| ima_hash | sha1/md5/... | IMA digest algorithm. The default value is sha1. | +| ima_template | ima | IMA measurement extension template | +| | ima-ng | IMA measurement extension template | +| | ima-sig | IMA measurement extension template | +| integrity_audit | 0 | Basic integrity audit information (default) | +| | 1 | Additional integrity audit information | + +> Note: The **ima\_policy** parameter can specify multiple values at the same time, for example, **ima\_policy=tcb\|appraise\_tcb**. After the system is started, the IMA policy of the system is the sum of the policies for the two parameters. + +The IMA policy for the `ima_policy=tcb` startup parameter is as follows: + +``` +# PROC_SUPER_MAGIC = 0x9fa0 +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC = 0x62656572 +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC = 0x64626720 +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC = 0x01021994 +dont_measure fsmagic=0x1021994 +# DEVPTS_SUPER_MAGIC=0x1cd1 +dont_measure fsmagic=0x1cd1 +# BINFMTFS_MAGIC=0x42494e4d +dont_measure fsmagic=0x42494e4d +# SECURITYFS_MAGIC=0x73636673 +dont_measure fsmagic=0x73636673 +# SELINUX_MAGIC=0xf97cff8c +dont_measure fsmagic=0xf97cff8c +# SMACK_MAGIC=0x43415d53 +dont_measure fsmagic=0x43415d53 +# CGROUP_SUPER_MAGIC=0x27e0eb +dont_measure fsmagic=0x27e0eb +# CGROUP2_SUPER_MAGIC=0x63677270 +dont_measure fsmagic=0x63677270 +# NSFS_MAGIC=0x6e736673 +dont_measure fsmagic=0x6e736673 +measure func=MMAP_CHECK mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC +measure func=FILE_CHECK mask=MAY_READ uid=0 +measure func=MODULE_CHECK +measure func=FIRMWARE_CHECK +``` + +The IMA policy for the `ima_policy=tcb_appraise` startup parameter 
is as follows: + +``` +# PROC_SUPER_MAGIC = 0x9fa0 +dont_appraise fsmagic=0x9fa0 +# SYSFS_MAGIC = 0x62656572 +dont_appraise fsmagic=0x62656572 +# DEBUGFS_MAGIC = 0x64626720 +dont_appraise fsmagic=0x64626720 +# TMPFS_MAGIC = 0x01021994 +dont_appraise fsmagic=0x1021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC=0x1cd1 +dont_appraise fsmagic=0x1cd1 +# BINFMTFS_MAGIC=0x42494e4d +dont_appraise fsmagic=0x42494e4d +# SECURITYFS_MAGIC=0x73636673 +dont_appraise fsmagic=0x73636673 +# SELINUX_MAGIC=0xf97cff8c +dont_appraise fsmagic=0xf97cff8c +# SMACK_MAGIC=0x43415d53 +dont_appraise fsmagic=0x43415d53 +# NSFS_MAGIC=0x6e736673 +dont_appraise fsmagic=0x6e736673 +# CGROUP_SUPER_MAGIC=0x27e0eb +dont_appraise fsmagic=0x27e0eb +# CGROUP2_SUPER_MAGIC=0x63677270 +dont_appraise fsmagic=0x63677270 +appraise fowner=0 +``` + +The IMA policy for the `ima_policy=secure_boot` startup parameter is as follows: + +``` +appraise func=MODULE_CHECK appraise_type=imasig +appraise func=FIRMWARE_CHECK appraise_type=imasig +appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig +appraise func=POLICY_CHECK appraise_type=imasig +``` + +#### IMA Digest List Startup Parameters + +The kernel startup parameters added to the IMA digest list feature are as follows: + +| Parameter | Value | Description | +| ------------------------ | ----------------------- | ------------------------------------------------------------ | +| integrity | 0 | Disables the IMA feature (by default) | +| | 1 | Enables the IMA feature | +| ima_appraise | off | Disables the IMA appraisal mode | +| | enforce-evm | Enables the IMA appraisal forced mode to perform the integrity check when the file is accessed and control the access. | +| ima_appraise_digest_list | digest | When the EVM is disabled, the abstract list is used for IMA appraise. The abstract list protects both the content and extended attributes of the file. 
| +| | digest-nometadata | If the EVM digest value does not exist, the integrity check is performed only based on the IMA digest value (the file extended attribute is not protected). | +| evm | fix | Allows for any modification to the extended attribute (even if the modification causes the failure to verify the integrity of the extended attribute). | +| | ignore | Allowed to modify the extended attribute only when it does not exist or is incorrect. | +| ima_policy | exec_tcb | IMA measurement policy. For details, see the following policy description. | +| | appraise_exec_tcb | IMA appraisal policy. For details, see the following policy description. | +| | appraise_exec_immutable | IMA appraisal policy. For details, see the following policy description. | +| ima_digest_list_pcr | 11 | Uses PCR 11 instead of PCR 10, and uses only the digest list for measurement. | +| | +11 | The PCR 10 measurement is reserved. When the TPM chip is available, the measurement result is written to the TPM chip. | +| initramtmpfs | None | Adds the support for **tmpfs**. 
| + + + +The IMA policy for the `ima_policy=exec_tcb` startup parameter is as follows: + +``` +dont_measure fsmagic=0x9fa0 +dont_measure fsmagic=0x62656572 +dont_measure fsmagic=0x64626720 +dont_measure fsmagic=0x1cd1 +dont_measure fsmagic=0x42494e4d +dont_measure fsmagic=0x73636673 +dont_measure fsmagic=0xf97cff8c +dont_measure fsmagic=0x43415d53 +dont_measure fsmagic=0x27e0eb +dont_measure fsmagic=0x63677270 +dont_measure fsmagic=0x6e736673 +measure func=MMAP_CHECK mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC +measure func=MODULE_CHECK +measure func=FIRMWARE_CHECK +measure func=POLICY_CHECK +measure func=DIGEST_LIST_CHECK +measure parser +``` + +The IMA policy for the `ima_policy=appraise_exec_tcb` startup parameter is as follows: + +``` +appraise func=MODULE_CHECK appraise_type=imasig +appraise func=FIRMWARE_CHECK appraise_type=imasig +appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig +appraise func=POLICY_CHECK appraise_type=imasig +appraise func=DIGEST_LIST_CHECK appraise_type=imasig +dont_appraise fsmagic=0x9fa0 +dont_appraise fsmagic=0x62656572 +dont_appraise fsmagic=0x64626720 +dont_appraise fsmagic=0x858458f6 +dont_appraise fsmagic=0x1cd1 +dont_appraise fsmagic=0x42494e4d +dont_appraise fsmagic=0x73636673 +dont_appraise fsmagic=0xf97cff8c +dont_appraise fsmagic=0x43415d53 +dont_appraise fsmagic=0x6e736673 +dont_appraise fsmagic=0x27e0eb +dont_appraise fsmagic=0x63677270 +``` + +The IMA policy for the `ima_policy=appraise_exec_immutable` startup parameter is as follows: + +``` +appraise func=BPRM_CHECK appraise_type=imasig appraise_type=meta_immutable +appraise func=MMAP_CHECK +appraise parser appraise_type=imasig +``` + +#### IMA Kernel Compilation Options + +The native IMA provides the following compilation options: + +| Compilation Option | Description | +| -------------------------------- | ------------------------------------------------------- | +| CONFIG_INTEGRITY | IMA/EVM compilation switch | +| CONFIG_INTEGRITY_SIGNATURE | Enables IMA 
signature verification | +| CONFIG_INTEGRITY_ASYMMETRIC_KEYS | Enables IMA asymmetric signature verification | +| CONFIG_INTEGRITY_TRUSTED_KEYRING | Enables IMA/EVM key ring | +| CONFIG_INTEGRITY_AUDIT | Compiles the IMA audit module | +| CONFIG_IMA | IMA compilation switch | +| CONFIG_IMA_WRITE_POLICY | Allows updating the IMA policy in the running phase | +| CONFIG_IMA_MEASURE_PCR_IDX | Allows specifying the PCR number of the IMA measurement | +| CONFIG_IMA_LSM_RULES | Allows configuring LSM rules | +| CONFIG_IMA_APPRAISE | IMA appraisal compilation switch | +| IMA_APPRAISE_BOOTPARAM | Enables IMA appraisal startup parameters | +| CONFIG_EVM | EVM compilation switch | + +The additional compilation options provided by the IMA Digest Lists extension are as follows: + +| Compilation Option | Description | +| ------------------ | ----------------------------------- | +| CONFIG_DIGEST_LIST | Enables the IMA Digest List feature | + +#### IMA Performance Reference Data + +The following figure compares the performance when IMA is disabled, native IMA is enabled, and IMA digest list is enabled. + +![img](./figures/ima_performance.png) \ No newline at end of file diff --git a/content/en/docs/Administration/user-and-user-group-management.md b/docs/en/docs/Administration/user-and-user-group-management.md similarity index 96% rename from content/en/docs/Administration/user-and-user-group-management.md rename to docs/en/docs/Administration/user-and-user-group-management.md index a63178022f5bebfc4764bc4302eadf80708b2003..9a88a1214db0d532dfb73fd44793c09a312159a1 100644 --- a/content/en/docs/Administration/user-and-user-group-management.md +++ b/docs/en/docs/Administration/user-and-user-group-management.md 
@@ -48,7 +48,7 @@ For example, to create a user named userexample, run the following command as th # useradd userexample ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If no prompt is displayed, the user is successfully created. After the user is created, run the **passwd** command to assign a password to the user. A new account without a password will be banned. To view information about the new user, run the **id** command: @@ -65,7 +65,7 @@ To change the password of the userexample, run the following command: ``` -The password of the user must meet the password complexity requirements. The password complexity requirements are as follows: +It is recommended that the new user password meet the complexity requirements. The password complexity requirements are as follows: 1. A password must contain at least eight characters. 2. A password must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters. @@ -96,7 +96,7 @@ Retype new password: passwd: all authentication tokens updated successfully. ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If the command output contains **BAD PASSWORD: The password fails the dictionary check - it is too simplistic/sytematic**, the password is too simple and needs to be reset. ### Modifying a User Account @@ -161,7 +161,7 @@ For example, run the following command to delete user Test: If you also need to delete the user's home directory and all contents in the directory, run the **userdel** command with the -r option to delete them recursively. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >You are not advised to directly delete a user who has logged in to the system. To forcibly delete a user, run the **userdel -f** _Test_ command. ### Granting Rights to a Common User 
@@ -213,7 +213,7 @@ The information configured in the **/etc/sudoers** file is as follows: This indicates that newuser1 on the ted1 host can run the **useradd** and **userdel** commands as the user **root**. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >- You can define multiple aliases in a line and separate them with colons \(:\). >- You can add an exclamation mark \(!\) before a command or a command alias to make the command or the command alias invalid. >- There are two keywords: ALL and NOPASSWD. ALL indicates all files, hosts, or commands, and NOPASSWD indicates that no password is required. @@ -297,7 +297,7 @@ For example, run the following command to delete user group Test: # groupdel Test ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The user's primary group cannot be directly deleted. To forcibly delete a user's primary group, run the **groupdel -f** _Test_ command. ### Adding a User to a Group or Removing a User from a Group diff --git a/content/en/docs/Administration/using-the-dnf-to-manage-software-packages.md b/docs/en/docs/Administration/using-the-dnf-to-manage-software-packages.md similarity index 94% rename from content/en/docs/Administration/using-the-dnf-to-manage-software-packages.md rename to docs/en/docs/Administration/using-the-dnf-to-manage-software-packages.md index 4f2074cc13cc035f17b1184fd1d6cb83eab94c61..21b303b28ab6e98e98c13ae3b8617038ebfa4a28 100644 --- a/content/en/docs/Administration/using-the-dnf-to-manage-software-packages.md +++ b/docs/en/docs/Administration/using-the-dnf-to-manage-software-packages.md 
@@ -2,7 +2,7 @@ DNF is a Linux software package management tool used to manage RPM software packages. The DNF can query software package information, obtain software packages from a specified software library, automatically process dependencies to install or uninstall software packages, and update the system to the latest available version. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- DNF is fully compatible with YUM and provides YUM-compatible command lines and APIs for extensions and plug-ins. >- You must have the administrator rights to use the DNF. All commands in this chapter must be executed by the administrator. @@ -39,12 +39,12 @@ DNF is a Linux software package management tool used to manage RPM software pack The main configuration file of the DNF is /etc/dnf/dnf.conf which consists of two parts: -- The **main** part in the file stores the global settings of the DNF. +- The **main** part in the file stores the global settings of the DNF. -- The **repository** part in the file stores the settings of the software source. You can add one or more **repository** sections to the file. +- The **repository** part in the file stores the settings of the software source. You can add one or more **repository** sections to the file. + +In addition, the /etc/yum.repos.d directory stores one or more repo source files, which define different repositories. -In addition, the /etc/yum.repos.d directory stores one or more repo source files, which define different repositories. - You can configure a software source by either directly configuring the /etc/dnf/dnf.conf file or configuring the .repo file in the /etc/yum.repos.d directory. #### Configuring the main Part 
@@ -130,8 +130,8 @@ The repository part allows you to customize openEuler software source repositori baseurl=repository_url ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** - >openEuler provides an online image source at [https://repo.openeuler.org/](https://repo.openeuler.org/). For example, if the openEuler 20.03 version is aarch64, the **baseurl** can be set to [https://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/](https://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/). + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >openEuler provides an online image source at [https://repo.openeuler.org/](https://repo.openeuler.org/). For example, if the openEuler 21.03 version is aarch64, the **baseurl** can be set to [https://repo.openeuler.org/openEuler-21.03/OS/aarch64/](https://repo.openeuler.org/openEuler-21.03/OS/aarch64/). Common options are as follows: 
@@ -158,28 +158,25 @@ The repository part allows you to customize openEuler software source repositori - Configuring the .repo file in the /etc/yum.repos.d directory - - - openEuler provides multiple repo sources for users online. For details about the repo sources, see [System Installation](../Releasenotes/installing-the-os.md.html). This section uses the OS repo source of the AArch64 architecture as an example. - - For example, run the following command as the **root** user to add the openeuler repo source to the openEuler_aarch64.repo file. - + openEuler provides multiple repo sources for users online. For details about the repo sources, see [System Installation](./../Releasenotes/installing-the-os.md.html). + + For example, run the following command as the **root** user to add the openeuler repo source to the openEuler.repo file. + ``` - # vi /etc/yum.repos.d/openEuler_aarch64.repo + # vi /etc/yum.repos.d/openEuler.repo ``` - + ``` - [osrepo] - name=osrepo - baseurl=https://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/ + [OS] + name=openEuler-$releasever - OS + baseurl=https://repo.openeuler.org/openEuler-21.03/OS/$basearch/ enabled=1 gpgcheck=1 - gpgkey=https://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/RPM-GPG-KEY-openEuler - + gpgkey=https://repo.openeuler.org/openEuler-21.03/OS/$basearch/RPM-GPG-KEY-openEuler ``` - - >![](public_sys-resources/icon-note.gif) **NOTE:** - > - **enabled** indicates whether to enable the software source repository. The value can be **1** or **0**. The default value is **1**, indicating that the software source repository is enabled. + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + > - **enabled** indicates whether to enable the software source repository. The value can be **1** or **0**. The default value is **1**, indicating that the software source repository is enabled. > - **gpgkey** is the public key used to verify the signature. 
@@ -223,7 +220,7 @@ To create a local repository of software sources, perform the following steps. 3. Run the following command to create a software source: ``` - createrepo --database /mnt/local_repo + createrepo /mnt/local_repo ``` @@ -327,7 +324,7 @@ Available Packages Name : httpd Version : 2.4.34 Release : 8.h5.oe1 -Arch : aarch64 +Arch : aarch64 Size : 1.2 M Repo : Local Summary : Apache HTTP Server @@ -356,8 +353,8 @@ The following is an example: # dnf install httpd ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** ->If the RPM package fails to be installed, see [Installation Failure Caused by Software Package Conflict, File Conflict, or Missing Software Package](faqs.html#installation-failure-caused-by-software-package-conflict-file-conflict-or-missing-software-package). +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>If the RPM package fails to be installed, see [Installation Failure Caused by Software Package Conflict, File Conflict, or Missing Software Package](./faqs.html#installation-failure-caused-by-software-package-conflict-file-conflict-or-missing-software-package). ### Downloading Software Packages To download the software package using the DNF, run the following command as the user **root**: @@ -480,7 +477,7 @@ dnf group install groupid For example, to install the software package group of Development Tools, run the following command: ``` -# dnf group install "Development Tools" +# dnf group install "Development Tools" ``` ``` @@ -501,7 +498,7 @@ dnf group remove groupid For example, to delete the software package group of Development Tools, run the following command: ``` -# dnf group remove "Development Tools" +# dnf group remove "Development Tools" ``` ``` 
diff --git a/content/en/docs/Administration/using-the-kae.md b/docs/en/docs/Administration/using-the-kae.md similarity index 97% rename from content/en/docs/Administration/using-the-kae.md rename to docs/en/docs/Administration/using-the-kae.md index 66b0fd514d36a969872499fac630e00f9c55c890..6f696e68734a8b603d698a97d2d99c8cd9381d63 100644 --- a/content/en/docs/Administration/using-the-kae.md +++ b/docs/en/docs/Administration/using-the-kae.md @@ -80,12 +80,12 @@ The KAE applies to the following scenarios, as shown in [Table 1](#table1191582 ##### Environment Requirements - The accelerator engine is enabled on TaiShan 200 servers. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- You need to import the accelerator license. For details, see section "License Management" in the [TaiShan Rack Server iBMC \(V500 or Later\) User Guide](https://support.huawei.com/enterprise/en/doc/EDOC1100121685/426cffd9?idPath=7919749|9856522|21782478|8060757). >- If the accelerator is used in the physical machine scenario, the SMMU must be disabled. For details, see the [TaiShan 200 Server BIOS Parameter Reference](https://support.huawei.com/enterprise/en/doc/EDOC1100088647). - CPU: Kunpeng 920 -- OS: openEuler-20.03-LTS-aarch64-dvd.iso +- OS: openEuler-21.03-aarch64-dvd.iso ##### KAE Software Description **Table 2** RPM software packages of the KAE @@ -138,7 +138,7 @@ The KAE applies to the following scenarios, as shown in [Table 1](#table1191582 3. Use SSH to copy all accelerator engine software package to the created directory. 4. In the directory, run the **rpm -ivh** command to install the accelerator engine software packages. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >Install the **libwd** package first because the **libkae** package installation depends on the **libwd** package. ``` 
@@ -282,7 +282,7 @@ You can run the following commands to test some accelerator functions. ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >\#After KAE acceleration, the signature performance is improved from 724.1 sign/s to 2819 sign/s. - Use the OpenSSL software algorithm to test the asynchronous RSA performance. @@ -304,7 +304,7 @@ You can run the following commands to test some accelerator functions. ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >\#After KAE acceleration, the asynchronous RSA signature performance is improved from 735.7 sign/s to 54384.1 sign/s. - Use the OpenSSL software algorithm to test the performance of the SM4 CBC mode. @@ -332,7 +332,7 @@ You can run the following commands to test some accelerator functions. ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >After KAE acceleration, the SM4 CBC mode performance is improved from 82312.53 kbit/s to 383317.33 kbit/s when the input data block size is 8 MB. - Use the OpenSSL software algorithm to test the SM3 mode performance. @@ -359,7 +359,7 @@ You can run the following commands to test some accelerator functions. ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >After KAE acceleration, the SM3 algorithm performance is improved from 52428.80 kbit/s to 668292.44 kbit/s when the input data block size is 8 MB. - Use the OpenSSL software algorithm to test the asynchronous performance of the AES algorithm in CBC mode. 
@@ -388,7 +388,7 @@ You can run the following commands to test some accelerator functions. ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- The AES algorithm supports only asynchronous usage when the data length is 256 KB or less. >- After KAE acceleration, the AES algorithm performance is improved from 1123328.00 kbit/s to 3996774.40 kbit/s when the input data block size is 100 KB. @@ -405,15 +405,15 @@ You can run the **rpm -Uvh** command to upgrade the accelerator software. The command and output are as follows: - ![](figures/en-us_image_0231143189.png) + ![](./figures/en-us_image_0231143189.png) - ![](figures/en-us_image_0231143191.png) + ![](./figures/en-us_image_0231143191.png) 5. Run the **rpm -qa** command to check whether the upgrade is successful. Ensure that the queried version is the latest version. - ![](figures/en-us_image_0231143193.png) + ![](./figures/en-us_image_0231143193.png) - ![](figures/en-us_image_0231143195.png) + ![](./figures/en-us_image_0231143195.png) 6. Restart the system or run the following commands to manually uninstall the drivers of the earlier version, load the drivers of the latest version, and check whether the new drivers are successfully loaded. 
@@ -458,16 +458,16 @@ You do not need the accelerator engine software or you want to install new accel 3. Run the **rpm -e** command to uninstall the accelerator engine software packages. The following is an example: - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >Due to the dependency relationships, the **libkae** package must be uninstalled before the **libwd** package. - ![](figures/en-us_image_0231143196.png) + ![](./figures/en-us_image_0231143196.png) - ![](figures/en-us_image_0231143197.png) + ![](./figures/en-us_image_0231143197.png) 4. Run the **rpm -qa |grep** command to check whether the uninstallation is successful. - ![](figures/en-us_image_0231143198.png) + ![](./figures/en-us_image_0231143198.png) ## Querying Logs @@ -511,7 +511,7 @@ You do not need the accelerator engine software or you want to install new accel ## Acceleration Engine Application ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If you have not purchased the engine license, you are advised not to use the KAE engine to invoke the corresponding algorithms. Otherwise, the performance of the OpenSSL encryption algorithm may be affected. diff --git a/content/en/docs/Administration/viewing-system-information.md b/docs/en/docs/Administration/viewing-system-information.md similarity index 88% rename from content/en/docs/Administration/viewing-system-information.md rename to docs/en/docs/Administration/viewing-system-information.md index 460bfa3bfff0bf5e5a08802b9e44037442e36086..729b2eb5589a177ef03c822640f4f0f3ecc21f17 100644 --- a/content/en/docs/Administration/viewing-system-information.md +++ b/docs/en/docs/Administration/viewing-system-information.md 
@@ -11,10 +11,10 @@ ``` $ cat /etc/os-release NAME="openEuler" - VERSION="20.09" + VERSION="21.03" ID="openEuler" - VERSION_ID="20.09" - PRETTY_NAME="openEuler 20.09" + VERSION_ID="21.03" + PRETTY_NAME="openEuler 21.03" ANSI_COLOR="0;31" ``` diff --git a/docs/en/docs/ApplicationDev/FAQ.md b/docs/en/docs/ApplicationDev/FAQ.md new file mode 100644 index 0000000000000000000000000000000000000000..8b355eeed2a4e1db834a8383829dfebc77752f89 --- /dev/null +++ b/docs/en/docs/ApplicationDev/FAQ.md @@ -0,0 +1,27 @@ +# FAQ + + + +- [FAQ](#faq) + - [The self-compilation of some applications that depend on the **java-devel** package fails.](#部分依赖java-devel的应用程序自编译失败) + + + +## The self-compilation of some applications that depend on the **java-devel** package fails. + +### Symptom + +The self-compilation of some applications that depend on java-devel fails when the rpmbuild command is executed. + +### Cause Analysis + +To provide OpenJDK features that are updated and compatible with Java applications, the openEuler provides OpenJDK of multiple versions, such as OpenJDK 1.8.0 and OpenJDK 11. The compilation of some applications depends on the **java-devel** package. When the **java-devel** package is installed, the system installs java-11-openjdk of a later version by default. As a result, the compilation of these applications fails. + +### Solution + +You need to run the following command to install java-1.8.0-openjdk and then run the **rpmbuild** command to perform self-compilation: + +``` +# yum install java-1.8.0-openjdk + +``` \ No newline at end of file diff --git a/content/en/docs/ApplicationDev/application-development.md b/docs/en/docs/ApplicationDev/application-development.md similarity index 95% rename from content/en/docs/ApplicationDev/application-development.md rename to docs/en/docs/ApplicationDev/application-development.md index d80e8b2f7d0a55040966ae74f04c1a3b2cde40b2..7c67238c6ced29f21db9c79f6f75b65f2581cf3f 100644 
--- a/content/en/docs/ApplicationDev/application-development.md +++ b/docs/en/docs/ApplicationDev/application-development.md @@ -23,19 +23,20 @@ This document is intended for all users who use the openEuler OS for code develo The symbols that may be found in this document are defined as follows. + - - - - diff --git a/content/en/docs/ApplicationDev/building-an-rpm-package.md b/docs/en/docs/ApplicationDev/building-an-rpm-package.md similarity index 97% rename from content/en/docs/ApplicationDev/building-an-rpm-package.md rename to docs/en/docs/ApplicationDev/building-an-rpm-package.md index ff247ecf8f7e7e0ab0d52d6355ab02a75eee4a19..42d917c3824dcdefd49b0106af71fd6704d01d7c 100644 --- a/content/en/docs/ApplicationDev/building-an-rpm-package.md +++ b/docs/en/docs/ApplicationDev/building-an-rpm-package.md @@ -513,7 +513,7 @@ This section describes how to build an RPM software package online on OBS. #### Building an Existing Software Package ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- If you use OBS for the first time, register an individual account on the OBS web page. >- With this method, you must copy the modified code and commit it to the code directory before performing the following operations. The code directory is specified in the **\_service** file. 
@@ -526,7 +526,7 @@ To modify the source code of the existing software and build the modified source 5. Click **Branch package**. In the displayed dialog box, click **Accept**, as shown in [Figure 1](#fig77646143214). **Figure 1** **Branch Confirmation** page - ![](figures/branch-confirmation-page.png "branch-confirmation-page") + ![](./figures/branch-confirmation-page.png "branch-confirmation-page") 6. Click the **\_service** file to go to the editing page, modify the file content, and click **Save**. An example of the **\_service** file content is as follows. _userCodeURL_ and _userCommitID_ indicate the user code path and commission version number or branch, respectively. @@ -544,14 +544,14 @@ To modify the source code of the existing software and build the modified source ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >Click **Save** to save the **\_service** file. OBS downloads the source code from the specified URL to the software directory of the corresponding OBS project based on the **\_service** file description and replaces the original file. For example, the **kernel** directory of the **openEuler:Mainline** project in the preceding example. 7. After the files are copied and replaced, OBS automatically starts to build the RPM software package. Wait until the build is complete and view the build status in the status bar on the right. - **succeeded**: The build is successful. You can click **succeeded** to view the build logs, as shown in [Figure 2](#fig10319114217337). **Figure 2** **Succeeded** page - ![](figures/succeeded-page.png "succeeded-page") + ![](./figures/succeeded-page.png "succeeded-page") - **failed**: The build failed. Click **failed** to view error logs, locate the fault, and rebuild again. - **unresolvable**: The build is not performed. The possible cause is that the dependency is missing. 
@@ -570,23 +570,23 @@ To add a new software package on the OBS web page, perform the following steps: 5. Click **Delete package** to delete the software package in the new subproject, as shown in [Figure 3](#fig18306181103615). **Figure 3** Deleting a software package from a subproject - ![](figures/deleting-a-software-package-from-a-subproject.png "deleting-a-software-package-from-a-subproject") + ![](./figures/deleting-a-software-package-from-a-subproject.png "deleting-a-software-package-from-a-subproject") - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The purpose of creating a project by using existing software is to inherit the dependency such as the environment. Therefore, you need to delete these files. 6. Click **Create Package**. On the page that is displayed, enter the software package name, title, and description, and click **Create** to create a software package, as shown in [Figure 4](#fig6762111693811) and [Figure 5](#fig18351153518389). **Figure 4** **Create Package** page - ![](figures/create-package-page.png "create-package-page") + ![](./figures/create-package-page.png "create-package-page") **Figure 5** Creating a software package - ![](figures/creating-a-software-package.png "creating-a-software-package") + ![](./figures/creating-a-software-package.png "creating-a-software-package") 7. Click **Add file** to upload the .spec file and the file to be compiled \(specified in the .spec file\), as shown in [Figure 6](#fig1475845284011). **Figure 6** **Add file** page - ![](figures/add-file-page.png "add-file-page") + ![](./figures/add-file-page.png "add-file-page") 8. After the file is uploaded, OBS automatically starts to build the RPM software package. Wait until the build is complete and view the build status in the status bar on the right. - **succeeded**: The build is successful. You can click **succeeded** to view the build logs. 
@@ -604,15 +604,15 @@ After the RPM software package is built, perform the following operations to obt 2. Click **All Projects** and find the project corresponding to the required software package, for example, **openEuler:Mainline**. 3. Click the name of the required software package in the project. The software package details page is displayed, for example, the **kernel** page in the preceding example. -1. Click the **Repositories** tab. On the software repository management page that is displayed, click **Enable** in **Publish Flag** to enable the RPM software package download function \(the status changes from ![](figures/en-us_image_0229243704.png) to ![](figures/en-us_image_0229243702.png)\), as shown in [Figure 7](#fig17480830144217). +1. Click the **Repositories** tab. On the software repository management page that is displayed, click **Enable** in **Publish Flag** to enable the RPM software package download function \(the status changes from ![](./figures/en-us_image_0229243704.png) to ![](./figures/en-us_image_0229243702.png)\), as shown in [Figure 7](#fig17480830144217). **Figure 7** **Repositories** page - ![](figures/repositories-page.png "repositories-page") + ![](./figures/repositories-page.png "repositories-page") 2. Click the project name in the **Repository** column. On the RPM software package download page that is displayed, click **Download** on the right of the RPM software package to download the RPM software package, as shown in [Figure 8](#fig12152145615438). **Figure 8** RPM software package download page - ![](figures/rpm-software-package-download-page.png "rpm-software-package-download-page") + ![](./figures/rpm-software-package-download-page.png "rpm-software-package-download-page") ### Building a Software Package Using OSC 
@@ -633,7 +633,7 @@ You have obtained the **root** permission, and have configured a repo source f # dnf install osc build ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The compilation of RPM software packages depends on build. 2. Configure the OSC. 
@@ -714,25 +714,31 @@ You have obtained the **root** permission, and have configured a repo source f $ osc addremove * ``` -2. Modify the source code and .spec file, and synchronize all modifications of the corresponding software package to the OBS server. The following is a command example. The information after the **-m** parameter is the commission record. +2. Modify the source code and .spec file, and run the following command to update the file. + + ``` + $ osc up + ``` + +3. Synchronize all modifications of the corresponding software package to the OBS server. The following is an example of command. The information after the **-m** parameter indicates the submmission record. ``` $ osc ci -m "commit log" ``` -3. Run the following command to obtain the repository name and architecture of the current project: +4. Run the following command to obtain the repository name and architecture of the current project: ``` $ osc repos home:testUser:branches:openEuler:Mainline ``` -4. After the modification is committed, OBS automatically compiles the software package. You can run the following command to view the compilation logs of the corresponding repository. In the command, *standard\_aarch64* and _aarch64_ indicate the repository name and architecture obtained in the command output. +5. After the modification is committed, OBS automatically compiles the software package. You can run the following command to view the compilation logs of the corresponding repository. In the command, *standard\_aarch64* and _aarch64_ indicate the repository name and architecture obtained in the command output. ``` $ osc buildlog standard_aarch64 aarch64 ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >You can also open the created project on the web client to view the build logs. 
@@ -788,7 +794,7 @@ To use the OSC tool of OBS to add a new software package, perform the following $ osc buildlog standard_aarch64 aarch64 ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >You can also open the created project on the web client to view the build logs. @@ -807,6 +813,6 @@ The parameters in the command are described as follows. You can modify the param - _standard\_aarch64_: repository name. - _aarch64_: repository architecture name. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >You can also obtain the software package built using OSC from the web page. For details, see [Obtaining the Software Package](#obtaining-the-software-package). diff --git a/content/en/docs/ApplicationDev/figures/add-file-page.png b/docs/en/docs/ApplicationDev/figures/add-file-page.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/add-file-page.png rename to docs/en/docs/ApplicationDev/figures/add-file-page.png diff --git a/content/en/docs/ApplicationDev/figures/branch-confirmation-page.png b/docs/en/docs/ApplicationDev/figures/branch-confirmation-page.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/branch-confirmation-page.png rename to docs/en/docs/ApplicationDev/figures/branch-confirmation-page.png diff --git a/content/en/docs/ApplicationDev/figures/create-package-page.png b/docs/en/docs/ApplicationDev/figures/create-package-page.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/create-package-page.png rename to docs/en/docs/ApplicationDev/figures/create-package-page.png 
diff --git a/content/en/docs/ApplicationDev/figures/creating-a-software-package.png b/docs/en/docs/ApplicationDev/figures/creating-a-software-package.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/creating-a-software-package.png rename to docs/en/docs/ApplicationDev/figures/creating-a-software-package.png diff --git a/content/en/docs/ApplicationDev/figures/deleting-a-software-package-from-a-subproject.png b/docs/en/docs/ApplicationDev/figures/deleting-a-software-package-from-a-subproject.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/deleting-a-software-package-from-a-subproject.png rename to docs/en/docs/ApplicationDev/figures/deleting-a-software-package-from-a-subproject.png diff --git a/content/en/docs/ApplicationDev/figures/en-us_image_0229243671.png b/docs/en/docs/ApplicationDev/figures/en-us_image_0229243671.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/en-us_image_0229243671.png rename to docs/en/docs/ApplicationDev/figures/en-us_image_0229243671.png diff --git a/content/en/docs/ApplicationDev/figures/en-us_image_0229243702.png b/docs/en/docs/ApplicationDev/figures/en-us_image_0229243702.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/en-us_image_0229243702.png rename to docs/en/docs/ApplicationDev/figures/en-us_image_0229243702.png diff --git a/content/en/docs/ApplicationDev/figures/en-us_image_0229243704.png b/docs/en/docs/ApplicationDev/figures/en-us_image_0229243704.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/en-us_image_0229243704.png rename to docs/en/docs/ApplicationDev/figures/en-us_image_0229243704.png 
diff --git a/content/en/docs/ApplicationDev/figures/en-us_image_0229243712.png b/docs/en/docs/ApplicationDev/figures/en-us_image_0229243712.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/en-us_image_0229243712.png rename to docs/en/docs/ApplicationDev/figures/en-us_image_0229243712.png diff --git a/content/en/docs/ApplicationDev/figures/repositories-page.png b/docs/en/docs/ApplicationDev/figures/repositories-page.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/repositories-page.png rename to docs/en/docs/ApplicationDev/figures/repositories-page.png diff --git a/content/en/docs/ApplicationDev/figures/rpm-software-package-download-page.png b/docs/en/docs/ApplicationDev/figures/rpm-software-package-download-page.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/rpm-software-package-download-page.png rename to docs/en/docs/ApplicationDev/figures/rpm-software-package-download-page.png diff --git a/content/en/docs/ApplicationDev/figures/succeeded-page.png b/docs/en/docs/ApplicationDev/figures/succeeded-page.png similarity index 100% rename from content/en/docs/ApplicationDev/figures/succeeded-page.png rename to docs/en/docs/ApplicationDev/figures/succeeded-page.png diff --git a/content/en/docs/ApplicationDev/preparation.md b/docs/en/docs/ApplicationDev/preparation.md similarity index 92% rename from content/en/docs/ApplicationDev/preparation.md rename to docs/en/docs/ApplicationDev/preparation.md index 32e097dab4e27478964471a5317f770204c5fb71..2e11b6c0d5fa98ed0d1ac5826dbf9048ecb907a0 100644 --- a/content/en/docs/ApplicationDev/preparation.md +++ b/docs/en/docs/ApplicationDev/preparation.md 
@@ -117,7 +117,7 @@ The openEuler OS is required. -For details about how to install the openEuler OS, see the \[*openEuler 20.09 Installation Guide*\](../Installation/Installation.html ). On the **SOFTWARE SELECTION** page, select **Development Tools** in the **Add-Ons for Selected Environment** area. +For details about how to install the openEuler OS, see the \[*openEuler 21.03 Installation Guide*\](./../Installation/Installation.html ). On the **SOFTWARE SELECTION** page, select **Development Tools** in the **Add-Ons for Selected Environment** area. ## Configuring a Repo Source @@ -125,8 +125,8 @@ Configure an online yum source by directly obtaining the online openEuler repo s ### Configuring a Repo Source by Directly Obtaining the Repo Source File -> ![](public_sys-resources/icon-note.gif) **NOTE:** -> openEuler provides multiple repo sources for users online. For details about the repo sources, see [System Installation](../Releasenotes/installing-the-os.html). This section uses the **openEuler\_aarch64.repo** file as an example to describe how to configure the OS repo source as the yum source. +> ![](./public_sys-resources/icon-note.gif) **NOTE:** +> openEuler provides multiple repo sources for users online. For details about the repo sources, see [System Installation](./../Releasenotes/installing-the-os.html). This section uses the **openEuler\_aarch64.repo** file as an example to describe how to configure the OS repo source as the yum source. 1. Go to the yum source directory and check the .repo configuration file in the directory. 
@@ -147,16 +147,16 @@ Configure an online yum source by directly obtaining the online openEuler repo s ``` [osrepo] name=osrepo - baseurl=http://repo.openeuler.org/openEuler-20.09/OS/aarch64/ + baseurl=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/ enabled=1 gpgcheck=1 - gpgkey=http://repo.openeuler.org/openEuler-20.09/OS/aarch64/RPM-GPG-KEY-openEuler + gpgkey=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/RPM-GPG-KEY-openEuler ``` **** - > ![](public_sys-resources/icon-note.gif) **NOTE:** + > ![](./public_sys-resources/icon-note.gif) **NOTE:** > > - The repoid in \[*repoid* \] indicates the ID of the software repository. Repoids in all .repo configuration files must be unique. In the example, repoid is set to **base**. > - **name** indicates the string that the software repository describes. @@ -168,8 +168,8 @@ Configure an online yum source by directly obtaining the online openEuler repo s ### Configuring a Repo Source by Mounting an ISO File -> ![](public_sys-resources/icon-note.gif) ********NOTE:******** -> openEuler provides multiple ISO release packages. For details about each ISO release package, see [System Installation](../Releasenotes/installing-the-os.html). This section uses the **openEuler-20.09-aarch64-dvd.iso** file and **openEuler-20.09-aarch64-dvd.iso.sha256sum** verification file as examples. Modify them based on the actual requirements. +> ![](./public_sys-resources/icon-note.gif) ********NOTE:******** +> openEuler provides multiple ISO release packages. For details about each ISO release package, see [System Installation](./../Releasenotes/installing-the-os.html). This section uses the **openEuler-21.03-aarch64-dvd.iso** file and **openEuler-21.03-aarch64-dvd.iso.sha256sum** verification file as examples. Modify them based on the actual requirements. 1. Download the ISO release package. 
@@ -181,7 +181,7 @@ Configure an online yum source by directly obtaining the online openEuler repo s 3. Click the link provided after **Download ISO**. The download list is displayed. - 4. Select the version to be downloaded, for example, openEuler 20.03 LTS. Then, click **openEuler-20.09**. The download list is displayed. + 4. Select the version to be downloaded, for example, openEuler 21.03. Then, click **openEuler-21.03**. The download list is displayed. 5. Click **ISO**. The ISO download list is displayed. @@ -191,9 +191,9 @@ Configure an online yum source by directly obtaining the online openEuler repo s 6. Click **aarch64**. - 7. Click **openEuler-20.09-aarch64-dvd.iso** to download the openEuler release package to the local host. + 7. Click **openEuler-21.03-aarch64-dvd.iso** to download the openEuler release package to the local host. - 8. Click **openEuler-20.09-aarch64-dvd.iso.sha256sum** to download the openEuler verification file to the local host. + 8. Click **openEuler-21.03-aarch64-dvd.iso.sha256sum** to download the openEuler verification file to the local host. 9. Log in to the openEuler OS and create a directory for storing the release package and verification file, for example, ~/iso\*\*. @@ -211,7 +211,7 @@ Configure an online yum source by directly obtaining the online openEuler repo s 3. Click the link provided after **Download ISO**. The download list is displayed. - 4. Select the version to be downloaded, for example, openEuler 20.09. Then, click **openEuler-20.09**. The download list is displayed. + 4. Select the version to be downloaded, for example, openEuler 21.03. Then, click **openEuler-21.03**. The download list is displayed. 5. Click **ISO**. The ISO download list is displayed. 
@@ -221,9 +221,9 @@ Configure an online yum source by directly obtaining the online openEuler repo s 6. Click **aarch64**. - 7. Right-click **openEuler-20.09-aarch64-dvd.iso** and choose **Copy URL** from the shortcut menu to copy the address of the openEuler release package. + 7. Right-click **openEuler-21.03-aarch64-dvd.iso** and choose **Copy URL** from the shortcut menu to copy the address of the openEuler release package. - 8. Right-click **openEuler-20.09-aarch64-dvd.iso.sha256sum** and choose **Copy URL** from the shortcut menu to copy the address of the openEuler verification file. + 8. Right-click **openEuler-21.03-aarch64-dvd.iso.sha256sum** and choose **Copy URL** from the shortcut menu to copy the address of the openEuler verification file. 9. Log in to the openEuler OS, create a directory (for example, **~/iso**) for storing the release package and verification file, and switch to the directory. @@ -244,13 +244,13 @@ Configure an online yum source by directly obtaining the online openEuler repo s 1. Obtain the verification value in the verification file. ``` - $ cat openEuler-20.09-aarch64-dvd.iso.sha256sum + $ cat openEuler-21.03-aarch64-dvd.iso.sha256sum ``` 2. Calculate the SHA256 verification value of the openEuler release package. ``` - $ sha256sum openEuler-20.09-aarch64-dvd.iso + $ sha256sum openEuler-21.03-aarch64-dvd.iso ``` After the command is run, the verification value is displayed. @@ -266,7 +266,7 @@ Configure an online yum source by directly obtaining the online openEuler repo s The following is an example: ``` - # mount /home/iso/openEuler-20.09-aarch64-dvd.iso /mnt/ + # mount /home/iso/openEuler-21.03-aarch64-dvd.iso /mnt/ ``` The mounted **mnt** directory is as follows: 
diff --git a/content/en/docs/ApplicationDev/public_sys-resources/icon-caution.gif b/docs/en/docs/ApplicationDev/public_sys-resources/icon-caution.gif similarity index 100% rename from content/en/docs/ApplicationDev/public_sys-resources/icon-caution.gif rename to docs/en/docs/ApplicationDev/public_sys-resources/icon-caution.gif diff --git a/content/en/docs/ApplicationDev/public_sys-resources/icon-danger.gif b/docs/en/docs/ApplicationDev/public_sys-resources/icon-danger.gif similarity index 100% rename from content/en/docs/ApplicationDev/public_sys-resources/icon-danger.gif rename to docs/en/docs/ApplicationDev/public_sys-resources/icon-danger.gif diff --git a/content/en/docs/ApplicationDev/public_sys-resources/icon-note.gif b/docs/en/docs/ApplicationDev/public_sys-resources/icon-note.gif similarity index 100% rename from content/en/docs/ApplicationDev/public_sys-resources/icon-note.gif rename to docs/en/docs/ApplicationDev/public_sys-resources/icon-note.gif diff --git a/content/en/docs/ApplicationDev/public_sys-resources/icon-notice.gif b/docs/en/docs/ApplicationDev/public_sys-resources/icon-notice.gif similarity index 100% rename from content/en/docs/ApplicationDev/public_sys-resources/icon-notice.gif rename to docs/en/docs/ApplicationDev/public_sys-resources/icon-notice.gif diff --git a/content/en/docs/ApplicationDev/public_sys-resources/icon-tip.gif b/docs/en/docs/ApplicationDev/public_sys-resources/icon-tip.gif similarity index 100% rename from content/en/docs/ApplicationDev/public_sys-resources/icon-tip.gif rename to docs/en/docs/ApplicationDev/public_sys-resources/icon-tip.gif diff --git a/content/en/docs/ApplicationDev/public_sys-resources/icon-warning.gif b/docs/en/docs/ApplicationDev/public_sys-resources/icon-warning.gif similarity index 100% rename from content/en/docs/ApplicationDev/public_sys-resources/icon-warning.gif rename to docs/en/docs/ApplicationDev/public_sys-resources/icon-warning.gif 
diff --git a/content/en/docs/ApplicationDev/using-gcc-for-compilation.md b/docs/en/docs/ApplicationDev/using-gcc-for-compilation.md similarity index 99% rename from content/en/docs/ApplicationDev/using-gcc-for-compilation.md rename to docs/en/docs/ApplicationDev/using-gcc-for-compilation.md index 173ff7bd287c0671f1bf091738445f8c6eff8731..bd66aaf38282ff97ec281d35e0af4dfb933f0e17 100644 --- a/content/en/docs/ApplicationDev/using-gcc-for-compilation.md +++ b/docs/en/docs/ApplicationDev/using-gcc-for-compilation.md @@ -312,7 +312,7 @@ If you choose to search for a DLL, to ensure that the DLL can be linked when the $ export LD\_LIBRARY\_PATH=libraryDIR:$LD\_LIBRARY\_PATH - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >**LD\_LIBRARY\_PATH** is an environment variable of the DLL. If the DLL is not in the default directories \(**/lib** and **/usr/lib**\), you need to specify the environment variable **LD\_LIBRARY\_PATH**. - Add the DLL path **libaryDIR** to **/etc/ld.so.conf** and run **ldconfig**, or use the DLL path **libaryDIR** as a parameter to run **ldconfig**. diff --git a/content/en/docs/ApplicationDev/using-jdk-for-compilation.md b/docs/en/docs/ApplicationDev/using-jdk-for-compilation.md similarity index 100% rename from content/en/docs/ApplicationDev/using-jdk-for-compilation.md rename to docs/en/docs/ApplicationDev/using-jdk-for-compilation.md diff --git a/content/en/docs/ApplicationDev/using-make-for-compilation.md b/docs/en/docs/ApplicationDev/using-make-for-compilation.md similarity index 100% rename from content/en/docs/ApplicationDev/using-make-for-compilation.md rename to docs/en/docs/ApplicationDev/using-make-for-compilation.md diff --git a/content/en/docs/Container/appendix-1.md b/docs/en/docs/Container/appendix-1.md similarity index 100% rename from content/en/docs/Container/appendix-1.md rename to docs/en/docs/Container/appendix-1.md 
diff --git a/content/en/docs/Container/appendix-2.md b/docs/en/docs/Container/appendix-2.md similarity index 99% rename from content/en/docs/Container/appendix-2.md rename to docs/en/docs/Container/appendix-2.md index 483c1d83b6e4135f70aafb888058366c50342ace..f5342bf482626a31862cf0e1d902874e8bc6f336 100644 --- a/content/en/docs/Container/appendix-2.md +++ b/docs/en/docs/Container/appendix-2.md @@ -6,7 +6,7 @@ ## configuration.toml ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The value of each field in the **configuration.toml** file is subject to the **configuration.toml** file in the **kata-containers-<**_version_**\>.rpm package**. You cannot set any field in the configuration file. ``` @@ -127,14 +127,14 @@ experimental: enables the experimental feature, which does not support user-defi - - - - + + +

Symbol

Description

+

![](./figures/en-us_image_0229243712.png)

Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.

NOTICE is used to address practices not related to personal injury.

+

![](./figures/en-us_image_0229243671.png)

Supplements the important information in the main text.

NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

@@ -80,12 +81,12 @@ The symbols that may be found in this document are defined as follows.

Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*

+

{ x | y | ... }\*

Optional items are grouped in brackets and separated by vertical bars. A minimum of one or a maximum of all can be selected.

[ x | y | ... ]*

+

[ x | y | ... ]\*

Optional items are grouped in brackets and separated by vertical bars. One or more items are selected or no item is selected.

Sets the name of the NIC on a host.

Mandatory. The value can contain a maximum of 15 characters, including letters, digits, underscores (_), hyphens (-), and periods (.). It must start with a letter. The device name must be unique on the same host.

+

Mandatory. The value can contain a maximum of 15 characters, including letters, digits, underscores (\_), hyphens (-), and periods (.). It must start with a letter. The device name must be unique on the same host.

name

Sets the name of the NIC in the container.

Mandatory. The value can contain a maximum of 15 characters, including letters, digits, underscores (_), hyphens (-), and periods (.). It must start with a letter. Ensure that the name is unique in the same sandbox.

+

Mandatory. The value can contain a maximum of 15 characters, including letters, digits, underscores (\_), hyphens (-), and periods (.). It must start with a letter. Ensure that the name is unique in the same sandbox.

IPAddresses

diff --git a/content/en/docs/Container/appendix.md b/docs/en/docs/Container/appendix.md similarity index 100% rename from content/en/docs/Container/appendix.md rename to docs/en/docs/Container/appendix.md diff --git a/content/en/docs/Container/application-scenarios-2.md b/docs/en/docs/Container/application-scenarios-2.md similarity index 100% rename from content/en/docs/Container/application-scenarios-2.md rename to docs/en/docs/Container/application-scenarios-2.md diff --git a/content/en/docs/Container/application-scenarios.md b/docs/en/docs/Container/application-scenarios.md similarity index 100% rename from content/en/docs/Container/application-scenarios.md rename to docs/en/docs/Container/application-scenarios.md diff --git a/content/en/docs/Container/checking-the-container-health-status.md b/docs/en/docs/Container/checking-the-container-health-status.md similarity index 100% rename from content/en/docs/Container/checking-the-container-health-status.md rename to docs/en/docs/Container/checking-the-container-health-status.md diff --git a/content/en/docs/Container/command-reference.md b/docs/en/docs/Container/command-reference.md similarity index 100% rename from content/en/docs/Container/command-reference.md rename to docs/en/docs/Container/command-reference.md diff --git a/content/en/docs/Container/configurable-cgroup-path.md b/docs/en/docs/Container/configurable-cgroup-path.md similarity index 100% rename from content/en/docs/Container/configurable-cgroup-path.md rename to docs/en/docs/Container/configurable-cgroup-path.md 
diff --git a/content/en/docs/Container/configuring-networking-for-a-secure-container.md b/docs/en/docs/Container/configuring-networking-for-a-secure-container.md similarity index 98% rename from content/en/docs/Container/configuring-networking-for-a-secure-container.md rename to docs/en/docs/Container/configuring-networking-for-a-secure-container.md index ae4bbcea38c500e6eab7603423c1d5c23d7433f1..001355c89d3ee5d8426dfd8bb199310105275cfb 100644 --- a/content/en/docs/Container/configuring-networking-for-a-secure-container.md +++ b/docs/en/docs/Container/configuring-networking-for-a-secure-container.md @@ -117,7 +117,7 @@ Related commands are as follows: null ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >If an IP address is specified for an NIC that is successfully added, Kata adds a default route whose destination is in the same network segment as the IP address of the NIC. In the preceding example, after the NIC is added, the following route is added to the container: >``` >[root@6ec7a98 /]# ip route @@ -197,7 +197,7 @@ Related commands are as follows: - **gateway**: Next-hop gateway of the route. When **"dest":"default"** is configured, the gateway is mandatory. In other cases, this parameter is optional. - **device**: Name of the NIC corresponding to the route, which is mandatory. The value contains a maximum of 15 characters. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >If a route is added for the loopback device **lo** in the container, the device name corresponding to the **device** field in the route configuration file is **lo**. 4. **Run the following command to delete a specified route:** 
@@ -228,7 +228,7 @@ Related commands are as follows: null ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >- In the input fields, **dest** is mandatory, and both **device** and **gateway** are optional. Kata performs fuzzy match based on different fields and deletes the corresponding routing rules. For example, if **dest** is set to an IP address, all rules of this IP address will be deleted. >- If the route of the loopback device **lo** in the container is deleted, the device name corresponding to the **device** field in the route configuration file is **lo**. @@ -238,7 +238,7 @@ Related commands are as follows: $ cat ./test-iface.json | kata-runtime kata-network del-iface 6ec7a98 - ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >When deleting an NIC, you can only delete it based on the **name** field in the NIC container. Kata does not identify other fields. The following describes the output of the **kata-runtime kata-network del-iface **command for deleting NICs: @@ -317,7 +317,7 @@ The secure container provides an API for adding the **ipvs** command and setti kata-runtime kata-ipvs ipvsadm --restore - < ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >By default, the NAT mode is used for adding a single real server. To add real servers in batches, you need to manually add the **-m** option to use the NAT mode. >The following is an example of the rule file content: >-A -t 10.10.11.12:100 -s rr -p 3000 
@@ -337,7 +337,7 @@ The secure container provides an API for adding the **ipvs** command and setti kata-runtime kata-ipvs ipvsadm --parameters "--set 100 100 200" ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >1. Each container supports a maximum of 20000 iptables rules \(5000 services and three servers/services\). Both add-service and add-server are rules. >2. Before importing rules in batches, you need to clear existing rules. >3. No concurrent test scenario exists. diff --git a/content/en/docs/Container/configuring-resources-for-a-secure-container.md b/docs/en/docs/Container/configuring-resources-for-a-secure-container.md similarity index 98% rename from content/en/docs/Container/configuring-resources-for-a-secure-container.md rename to docs/en/docs/Container/configuring-resources-for-a-secure-container.md index 09c05bf98473557a452aa9d67b4f2aed5ec89a11..ded03af6d5b7f39ab1e55bb239fec3a7687b45f2 100644 --- a/content/en/docs/Container/configuring-resources-for-a-secure-container.md +++ b/docs/en/docs/Container/configuring-resources-for-a-secure-container.md @@ -45,7 +45,7 @@ When a pod is started, all containers in the pod share the same net namespace an Socket(s): 4 ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The maximum number of CPUs that can be configured is the number of CPUs \(excluding isolated cores\) that can run on the OS. The minimum number of CPUs is 0.5. 2. Configure CPU resources for running a container. 
@@ -98,7 +98,7 @@ When a pod is started, all containers in the pod share the same net namespace an 3. Configure CPU hot swap. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The CPU hot swap function of the secure container requires the virtualization component QEMU. The **enable\_cpu\_memory\_hotplug** option in the kata-runtime configuration file **config.toml** is used to enable or disable CPU and memory hot swap. The default value is **false**, indicating that CPU and memory hot swap is disabled. If the value is **true**, CPU and memory hot swap is enabled. @@ -157,7 +157,7 @@ When a pod is started, all containers in the pod share the same net namespace an    - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The pause container is only a placeholder container and does not have any workload. Therefore, when a lightweight VM is started, the CPU allocated by default can be shared by other containers. Therefore, you only need to hot add three CPUs to the lightweight VM for the new container started in the preceding example. - After the container where the CPU is hot added is stopped, the CPU is removed when the container is started. @@ -187,7 +187,7 @@ When a pod is started, all containers in the pod share the same net namespace an Swap: 0 0 0 ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >- If the memory size of a lightweight VM is not set using **--annotation com.github.containers.virtcontainers.sandbox\_mem**, the lightweight VM uses 1 GB memory by default. >- The minimum memory size of a pod in a secure container is 1 GB, and the maximum memory size is 256 GB. If the memory size allocated to a user exceeds 256 GB, an undefined error may occur. Currently, secure containers do not support the scenario where the memory size exceeds 256 GB. 
@@ -216,7 +216,7 @@ When a pod is started, all containers in the pod share the same net namespace an The memory hot add function is also configured by the **enable\_cpu\_memory\_hotplug** option in the kata-runtime configuration file **config.toml**. For details, see [3](#limiting-cpu-resources.md#en-us_topic_0183903699_li2167326144011). - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >Currently, memory resources support hot add only. The **-m** option is reused in kata-runtime to implement the memory hot add function. The sum of the **-m** options of all containers in a pod is collected to determine the number of memories to be hot added to a lightweight VM. @@ -255,7 +255,7 @@ When a pod is started, all containers in the pod share the same net namespace an Swap: 0 0 0 ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The pause container is only a placeholder container and does not have any workload. Therefore, the memory allocated to the lightweight VM during startup can be shared by other containers. You only need to hot add 3 GB memory to the lightweight VM for the new container started in the preceding example. 
@@ -334,7 +334,7 @@ The secure container reuses the **--files-limit** option in the **docker run* docker run -tid --runtime kata-runtime --network none --annotation io.kubernetes.docker.type=podsandbox --files-limit bash ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- If the value of **--files-limit** is less than the default minimum value **1024** and is not **0**, the maximum number of file descriptors that can be opened by the QEMU process of the secure container is set to the minimum value **1024**. >- If the value of **--files-limit** is 0, the maximum number of file descriptors that can be opened by the QEMU process of the secure container is the default value obtained by dividing the maximum number of file descriptors that can be opened by the system \(/proc/sys/fs/file-max\) by 400. >- If the maximum number of file descriptors that can be opened by the QEMU process of the secure container is not displayed when the secure container is started, the maximum number of file descriptors that can be opened by the QEMU process of the secure container is the same as the system default value. diff --git a/content/en/docs/Container/container-engine.md b/docs/en/docs/Container/container-engine.md similarity index 99% rename from content/en/docs/Container/container-engine.md rename to docs/en/docs/Container/container-engine.md index 58147841a9fd75a8cf9ab7dcfe3fb0c627af57b1..5b8e754314ec95d9f920c49da86af5b650de6898 100644 --- a/content/en/docs/Container/container-engine.md +++ b/docs/en/docs/Container/container-engine.md @@ -128,9 +128,7 @@ The **docker** command supports the following parameters:

Parameter to be executed when a container is started.

For example, set the native.umask parameter.

-
#The umask value of the started container is 0022.
---exec-opt native.umask=normal 
-
+
#The umask value of the started container is 0022.--exec-opt native.umask=normal 
 #The umask value of the started container is 0027 (default value).
 --exec-opt  native.umask=secure    

Note: If native.umask is also configured in docker create or docker run command, the configuration in command is used.
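Review bot: in the container-engine.md hunk (@@ -128,9 +128,7), the added line fuses the comment and the option into `#The umask value of the started container is 0022.--exec-opt native.umask=normal`, so the option now reads as part of the comment and the example no longer parallels the `secure` pair below it. Keep the comment and `--exec-opt native.umask=normal` on separate lines as in the removed version; this row is where the reader learns how to select the looser 0022 umask instead of the 0027 default, so it should stay unambiguous and copyable.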

diff --git a/content/en/docs/Container/container-management-1.md b/docs/en/docs/Container/container-management-1.md similarity index 99% rename from content/en/docs/Container/container-management-1.md rename to docs/en/docs/Container/container-management-1.md index 6b22156ca3dbc69a130f7d4bc1ce3c42a72f3654..0619fdd77430868ca53239aee2d6f4aea8cb2ec4 100644 --- a/content/en/docs/Container/container-management-1.md +++ b/docs/en/docs/Container/container-management-1.md @@ -578,7 +578,7 @@ When the container is running, the health check status is written into the conta } ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- A maximum of five health check status records can be stored in a container. The last five records are saved. >- Only one health check configuration item can take effect in a container at a time. The later items configured in the Dockerfile will overwrite the earlier ones. Configurations during container creation will overwrite those in images. >- In the Dockerfile, you can set **HEALTHCHECK NONE** to cancel the health check configuration in a referenced image. When a container is running, you can set **--no-healthcheck** to cancel the health check configuration in an image. Do not configure the health check and **--no-healthcheck** parameters at the same time during the startup. diff --git a/content/en/docs/Container/container-management-2.md b/docs/en/docs/Container/container-management-2.md similarity index 99% rename from content/en/docs/Container/container-management-2.md rename to docs/en/docs/Container/container-management-2.md index dbde4ac1f49c094e1d763b50d7473915598c4c1b..1ce5d85ff343c2f1e84c0cc1f0d917d373236146 100644 --- a/content/en/docs/Container/container-management-2.md +++ b/docs/en/docs/Container/container-management-2.md 
@@ -1029,7 +1029,7 @@ Example: $ sudo docker restart busybox ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >During the container restart, if a process in the **D** or **Z** state exists in the container, the container may fail to be restarted. In this case, you need to analyze the cause of the **D** or **Z** state of the process in the container. Restart the container after the **D** or **Z** state of the process in the container is released. ## rm diff --git a/content/en/docs/Container/container-management.md b/docs/en/docs/Container/container-management.md similarity index 99% rename from content/en/docs/Container/container-management.md rename to docs/en/docs/Container/container-management.md index 3597e9b292bee333c781a3a8e28614c22fccb41b..ef6dc65d475f8680e1908be5eb7c62a718944d89 100644 --- a/content/en/docs/Container/container-management.md +++ b/docs/en/docs/Container/container-management.md @@ -51,7 +51,7 @@ The following table lists the parameters supported by the **create** command.

Description

create

+

create

  

--annotation

@@ -234,7 +234,7 @@ The following table lists the parameters supported by the **create** command.

--mount

Mounts a host directory to a container.

+

Mounts the host directory, volume, or file system to the container.

--no-healthcheck

@@ -303,6 +303,11 @@ The following table lists the parameters supported by the **create** command.

Mounts a volume.

--volumes-from=[]

+

Uses the mounting configuration of the specified container.

+
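Review bot: the `--volumes-from=[]` row added to the create parameter table in container-management.md (@@ -303,6 +303,11) is missing what the list takes and what is inherited. "Uses the mounting configuration of the specified container" does not say whether the value is a container name or ID, or whether the inherited mounts keep the source container's read/write mode. Please state both, since a reader deciding whether to share volumes between containers needs to know what access the new container ends up with.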
@@ -740,12 +745,12 @@ The following table lists the parameters supported by the **run** command.
- >![](public_sys-resources/icon-notice.gif) **NOTICE:** + >![](./public_sys-resources/icon-notice.gif) **NOTICE:** >Scenario 1: Mount **/home/test1** and then **/home/test2**. In this case, the content in **/home/test1** overwrites the content in **/mnt**. As a result, the **abc** directory does not exist in **/mnt**, and mounting** /home/test2** to **/mnt/abc** fails. >Scenario 2: Mount **/home/test2** and then **/home/test1**. In this case, the content of **/mnt** is replaced with the content of **/home/test1** during the second mounting. In this way, the content mounted during the first mounting from **/home/test2** to **/mnt/abc** is overwritten. >The first scenario is not supported. For the second scenario, users need to understand the risk of data access failures. - >![](public_sys-resources/icon-notice.gif) **NOTICE:** + >![](./public_sys-resources/icon-notice.gif) **NOTICE:** >- In high concurrency scenarios \(200 containers are concurrently started\), the memory management mechanism of Glibc may cause memory holes and large virtual memory \(for example, 10 GB\). This problem is caused by the restriction of the Glibc memory management mechanism in the high concurrency scenario, but not by memory leakage. Therefore, the memory consumption does not increase infinitely. You can set the **MALLOC\_ARENA\_MAX** environment variable to reduce the virtual memory and increase the probability of reducing the physical memory. However, this environment variable will cause the iSulad concurrency performance to deteriorate. Set this environment variable based on the site requirements. > ``` > To balance performance and memory usage, set MALLOC_ARENA_MAX to 4. (The iSulad performance deterioration on the ARM64 server is controlled by less than 10%.) 
@@ -1241,7 +1246,7 @@ The following table lists the parameters supported by the **inspect** command. ### Constraints -- Lightweight containers do not support the output in \{\{.State\}\} format but support the output in the \{\{json .State\}\} format. The **-f** parameter is not supported when the object is an image. +- Lightweight containers do not support the output in \{ \{.State\} \} format but support the output in the \{ \{json .State\} \} format. The **-f** parameter is not supported when the object is an image. ### Example diff --git a/content/en/docs/Container/container-resource-management.md b/docs/en/docs/Container/container-resource-management.md similarity index 99% rename from content/en/docs/Container/container-resource-management.md rename to docs/en/docs/Container/container-resource-management.md index b09a880f1ec839182e397772a70fc16f8c3ae63f..3b7166202e7354619bb61d14e55eaa1d0386e9c3 100644 --- a/content/en/docs/Container/container-resource-management.md +++ b/docs/en/docs/Container/container-resource-management.md @@ -168,7 +168,7 @@ To restrict a container to use a specific CPU, add **--cpuset-cpus number** wh isula run -tid --cpuset-cpus 0,2-3 busybox sh ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >You can check whether the configuration is successful. For details, see "Querying Information About a Single Container." ## Restricting the Memory Usage of a Running Container 
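Review bot: in the container-management.md inspect hunk (@@ -1241,7 +1246,7), changing `\{\{.State\}\}` to `\{ \{.State\} \}` alters the format string that the constraint documents: a reader who copies `{ {json .State} }` with the inner spaces is no longer passing the template the sentence describes. If the spaces were added to keep the site generator from interpreting the double braces, put the two format strings in inline code or escape them for the generator instead, so the rendered text still shows `{{.State}}` and `{{json .State}}`.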
@@ -459,7 +459,7 @@ overlay 10.0M 10.0M 0 100% / When using iSulad with the quota function to switch data disks, ensure that the data disks to be switched are mounted using the **prjquota** option and the mounting mode of the **/var/lib/isulad/storage/overlay2** directory is the same as that of the **/var/lib/isulad** directory. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >Before switching the data disk, ensure that the mount point of **/var/lib/isulad/storage/overlay2** is unmounted. diff --git a/content/en/docs/Container/container.md b/docs/en/docs/Container/container.md similarity index 100% rename from content/en/docs/Container/container.md rename to docs/en/docs/Container/container.md diff --git a/content/en/docs/Container/cri.md b/docs/en/docs/Container/cri.md similarity index 99% rename from content/en/docs/Container/cri.md rename to docs/en/docs/Container/cri.md index 00bd00dd44c01724efe4a38d020d4c5d5c436732..cd412f0664db94d13f0fcbe4e3c9cd08245022cf 100644 --- a/content/en/docs/Container/cri.md +++ b/docs/en/docs/Container/cri.md @@ -44,7 +44,7 @@ The current CRI version is v1alpha1. For official API description, access the fo iSulad uses the API description file of version 1.14 used by Pass, which is slightly different from the official API description file. API description in this document prevails. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The listening IP address of the CRI WebSocket streaming service is **127.0.0.1** and the port number is **10350**. The port number can be configured in the **--websocket-server-listening-port** command or in the **daemon.json** configuration file. ## APIs diff --git a/content/en/docs/Container/docker-container.md b/docs/en/docs/Container/docker-container.md similarity index 100% rename from content/en/docs/Container/docker-container.md rename to docs/en/docs/Container/docker-container.md 
diff --git a/content/en/docs/Container/dynamically-loading-the-kernel-module.md b/docs/en/docs/Container/dynamically-loading-the-kernel-module.md similarity index 96% rename from content/en/docs/Container/dynamically-loading-the-kernel-module.md rename to docs/en/docs/Container/dynamically-loading-the-kernel-module.md index ae2efef6eef35d14072b5f71877a710d98bc93a3..7c1458075e1501d1422440e86b86ad3f3512467d 100644 --- a/content/en/docs/Container/dynamically-loading-the-kernel-module.md +++ b/docs/en/docs/Container/dynamically-loading-the-kernel-module.md @@ -5,7 +5,7 @@ Dynamically Loading the Kernel Module ## Function Description -Services in a container may depend on some kernel modules. You can set environment variables to dynamically load the kernel modules required by services in the container to the host before the system container starts. This feature must be used together with isulad-hooks. For details, see [Dynamically Managing Container Resources \(syscontainer-tools\)](dynamically-managing-container-resources-(syscontainer-tools).md). +Services in a container may depend on some kernel modules. You can set environment variables to dynamically load the kernel modules required by services in the container to the host before the system container starts. This feature must be used together with isulad-hooks. For details, see [Dynamically Managing Container Resources \(syscontainer-tools\)](./dynamically-managing-container-resources-(syscontainer-tools).md). ## Parameter Description @@ -50,7 +50,7 @@ nf_defrag_ipv6 20480 2 nf_conntrack,ip_vs libcrc32c 16384 3 nf_conntrack,nf_nat,ip_vs ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- isulad-tools must be installed on the host. >- **--hooks-spec** must be set to **isulad hooks**. 
diff --git a/content/en/docs/Container/dynamically-managing-container-resources-(syscontainer-tools).md b/docs/en/docs/Container/dynamically-managing-container-resources-(syscontainer-tools).md similarity index 99% rename from content/en/docs/Container/dynamically-managing-container-resources-(syscontainer-tools).md rename to docs/en/docs/Container/dynamically-managing-container-resources-(syscontainer-tools).md index 50f9a0602506b9d40ce5c640e5c7664fef3b3cd1..1c0aa377631d6c50d51d63b5b89fba237f1f658f 100644 --- a/content/en/docs/Container/dynamically-managing-container-resources-(syscontainer-tools).md +++ b/docs/en/docs/Container/dynamically-managing-container-resources-(syscontainer-tools).md @@ -254,7 +254,7 @@ In the preceding format: Add network interface to container 2aaca5c1af7c (eth3,eth1) done ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >When adding a virtual or physical NIC, ensure that the NIC is in the idle state. Adding a NIC in use will disconnect the system network. diff --git a/content/en/docs/Container/environment-variable-persisting.md b/docs/en/docs/Container/environment-variable-persisting.md similarity index 100% rename from content/en/docs/Container/environment-variable-persisting.md rename to docs/en/docs/Container/environment-variable-persisting.md diff --git a/content/en/docs/Container/figures/en-us_image_0183048952.png b/docs/en/docs/Container/figures/en-us_image_0183048952.png similarity index 100% rename from content/en/docs/Container/figures/en-us_image_0183048952.png rename to docs/en/docs/Container/figures/en-us_image_0183048952.png diff --git a/content/en/docs/Container/figures/en-us_image_0221924926.png b/docs/en/docs/Container/figures/en-us_image_0221924926.png similarity index 100% rename from content/en/docs/Container/figures/en-us_image_0221924926.png rename to docs/en/docs/Container/figures/en-us_image_0221924926.png 
diff --git a/content/en/docs/Container/figures/en-us_image_0221924927.png b/docs/en/docs/Container/figures/en-us_image_0221924927.png similarity index 100% rename from content/en/docs/Container/figures/en-us_image_0221924927.png rename to docs/en/docs/Container/figures/en-us_image_0221924927.png diff --git a/docs/en/docs/Container/figures/isula-build_arch.png b/docs/en/docs/Container/figures/isula-build_arch.png new file mode 100644 index 0000000000000000000000000000000000000000..911a9ae6f46988586ab49f15de282948f5470c37 Binary files /dev/null and b/docs/en/docs/Container/figures/isula-build_arch.png differ diff --git a/content/en/docs/Container/figures/relationship-between-the-secure-container-and-peripheral-components.png b/docs/en/docs/Container/figures/relationship-between-the-secure-container-and-peripheral-components.png similarity index 100% rename from content/en/docs/Container/figures/relationship-between-the-secure-container-and-peripheral-components.png rename to docs/en/docs/Container/figures/relationship-between-the-secure-container-and-peripheral-components.png diff --git "a/content/en/docs/Container/figures/\345\256\211\345\205\250\345\256\271\345\231\250\346\241\206\346\236\2661.png" b/docs/en/docs/Container/figures/secure-container.png similarity index 100% rename from "content/en/docs/Container/figures/\345\256\211\345\205\250\345\256\271\345\231\250\346\241\206\346\236\2661.png" rename to docs/en/docs/Container/figures/secure-container.png diff --git a/content/en/docs/Container/image-management-1.md b/docs/en/docs/Container/image-management-1.md similarity index 100% rename from content/en/docs/Container/image-management-1.md rename to docs/en/docs/Container/image-management-1.md diff --git a/content/en/docs/Container/image-management-2.md b/docs/en/docs/Container/image-management-2.md similarity index 100% rename from content/en/docs/Container/image-management-2.md rename to docs/en/docs/Container/image-management-2.md 
diff --git a/content/en/docs/Container/image-management.md b/docs/en/docs/Container/image-management.md similarity index 100% rename from content/en/docs/Container/image-management.md rename to docs/en/docs/Container/image-management.md diff --git a/content/en/docs/Container/installation-and-deployment-1.md b/docs/en/docs/Container/installation-and-deployment-1.md similarity index 100% rename from content/en/docs/Container/installation-and-deployment-1.md rename to docs/en/docs/Container/installation-and-deployment-1.md diff --git a/content/en/docs/Container/installation-and-deployment-2.md b/docs/en/docs/Container/installation-and-deployment-2.md similarity index 99% rename from content/en/docs/Container/installation-and-deployment-2.md rename to docs/en/docs/Container/installation-and-deployment-2.md index 287c55db39ee38d50a510bb350e0394fa426ec53..e001954b7c15c4d9daa8d8ab930826bf67c20bcf 100644 --- a/content/en/docs/Container/installation-and-deployment-2.md +++ b/docs/en/docs/Container/installation-and-deployment-2.md 
@@ -52,12 +52,12 @@ cat /etc/docker/daemon.json Re-configuring various running directories and files \(including **--graph** and **--exec-root**\) may cause directory conflicts or file attribute changes, affecting the normal use of applications. ->![](public_sys-resources/icon-notice.gif) **NOTICE:** +>![](./public_sys-resources/icon-notice.gif) **NOTICE:** >Therefore, the specified directories or files should be used only by Docker to avoid file attribute changes and security issues caused by conflicts. - Take **--graph** as an example. When **/new/path/** is used as the new root directory of the daemon, if a file exists in **/new/path/** and the directory or file name conflicts with that required by Docker \(for example, **containers**, **hooks**, and **tmp**\), Docker may update the original directory or file attributes, including the owner and permission. ->![](public_sys-resources/icon-notice.gif) **NOTICE:** +>![](./public_sys-resources/icon-notice.gif) **NOTICE:** >From Docker 17.05, the **--graph** parameter is marked as **Deprecated** and replaced with the **--data-root** parameter. ### Daemon Network Configuration @@ -72,7 +72,7 @@ The default **umask** value of the main container process and exec process is The default value of **umask** is **0027** when Docker starts a container. You can change the value to **0022** by running the **--exec-opt native.umask=normal** command during container startup. ->![](public_sys-resources/icon-notice.gif) **NOTICE:** +>![](./public_sys-resources/icon-notice.gif) **NOTICE:** >If **native.umask** is configured in **docker create** or **docker run** command, its value is used. For details, see the parameter description in [4.6.2.4 create](#create.md#EN-US_TOPIC_0184808242) and [4.6.2.16 run](#container-management-40.md#EN-US_TOPIC_0184808238). 
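Review bot: in the installation-and-deployment-2.md umask hunk (@@ -72,7 +72,7), the NOTICE whose image path is corrected still carries two links of the form `#create.md#EN-US_TOPIC_0184808242` and `#container-management-40.md#EN-US_TOPIC_0184808238`, which are fragment references into the current page rather than paths to the create and run pages. As this change is already normalizing relative paths, fix these targets in the same pass. The same `#file.md#anchor` shape appears in the memory hot add paragraph of configuring-resources-for-a-secure-container.md (@@ -216,7).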
@@ -145,7 +145,7 @@ The following uses **-w /var/lib/docker -k docker** as an example to describe [root@localhost signal]# auditctl -l | grep docker -w /var/lib/docker/ -p rwxa -k docker ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >**-p \[r|w|x|a\]** and **-w** are used together to monitor the read, write, execution, and attribute changes \(such as timestamp changes\) of the directory. In this case, any file or directory operation in the **/var/lib/docker** directory will be recorded in the **audit.log** file. As a result, too many logs will be recorded in the **audit.log** file, which severely affects the memory or CPU usage of the auditd, and further affects the OS. For example, logs similar to the following will be recorded in the **/var/log/audit/audit.log** file each time the **ls /var/lib/docker/containers** command is executed: ``` @@ -447,7 +447,7 @@ When a system is unexpectedly powered off or system panic occurs, Docker daemon - Cache construction: The cache construction information will be deleted after the node is restarted. - Metadata stored in containerd: Metadata stored in containerd will be recreated when a container is started. Therefore, the metadata stored in containerd will be deleted when the node is restarted. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >If you want to manually clear data and restore the environment, you can set the environment variable **DISABLE\_CRASH\_FILES\_DELETE** to **true** to disable the function of clearing DB files when the daemon process is restarted due to power-off. 
diff --git a/content/en/docs/Container/installation-configuration.md b/docs/en/docs/Container/installation-configuration.md similarity index 99% rename from content/en/docs/Container/installation-configuration.md rename to docs/en/docs/Container/installation-configuration.md index 0ac4a800c3f0d9de03fdd6e22ce1f9db5919c743..50f0d97008c28b7b1441fae52af44bc0ff695998 100644 --- a/content/en/docs/Container/installation-configuration.md +++ b/docs/en/docs/Container/installation-configuration.md @@ -1,7 +1,7 @@ # Installation and Configuration -- [Installation and Configuration](installation-configuration) +- [Installation and Configuration](./installation-configuration) - [Installation Methods](#installation-methods) - [Deployment Configuration](#deployment-configuration) - [Configuration Mode](#configuration-mode) @@ -39,7 +39,7 @@ This section describes two installation methods. The iSulad server daemon **isulad** can be configured with a configuration file or by running the **isulad --xxx** command. The priority in descending order is as follows: CLI \> configuration file \> default configuration in code. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >If systemd is used to manage the iSulad process, modify the **OPTIONS** field in the **/etc/sysconfig/iSulad** file, which functions the same as using the CLI. - **CLI** @@ -485,7 +485,7 @@ The iSulad server daemon **isulad** can be configured with a configuration fil } ``` - >![](public_sys-resources/icon-notice.gif) **NOTICE:** + >![](./public_sys-resources/icon-notice.gif) **NOTICE:** >The default configuration file **/etc/isulad/daemon.json** is for reference only. Configure it based on site requirements. @@ -500,14 +500,14 @@ The iSulad server daemon **isulad** can be configured with a configuration fil

*

+

\*

/etc/default/isulad/

Stores the OCI configuration file and hook template file of iSulad. The file configuration permission is set to 0640, and the sysmonitor check permission is set to 0550.

*

+

\*

/etc/isulad/

File for storing the iSulad PIDs. It is also a file lock to prevent multiple iSulad instances from being started.

*

+

\*

/run/lxc/

Lock file, which is created during iSulad running.

*

+

\*

/var/run/isulad/

Real-time communication cache file, which is created during iSulad running.

*

+

\*

/var/run/isula/

Real-time communication cache file, which is created during iSulad running.

*

+

\*

/var/lib/lcr/

Temporary directory of the LCR component.

*

+

\*

/var/lib/isulad/

+ + + + + + + + + + + + + + + + + + +

Component Name

+

Minimum Hardware Specifications

+

Description

+

Raspberry Pi version

+
  • Raspberry Pi 3B
  • Raspberry Pi 3B+
  • Raspberry Pi 4B
+

-

+

Memory

+

≥ 2 GB (4 GB or higher recommended for better user experience)

+

-

+

Drive

+

8 GB or higher recommended for better user experience

+

-

+
+ diff --git a/content/en/docs/Installation/Installation.md b/docs/en/docs/Installation/Installation.md similarity index 100% rename from content/en/docs/Installation/Installation.md rename to docs/en/docs/Installation/Installation.md diff --git a/docs/en/docs/Installation/More-Resources.md b/docs/en/docs/Installation/More-Resources.md new file mode 100644 index 0000000000000000000000000000000000000000..b8dd200267a33c4ec6d56d7c473095202df6bd68 --- /dev/null +++ b/docs/en/docs/Installation/More-Resources.md @@ -0,0 +1,4 @@ +# Reference + +- [How to Create a Raspberry Pi Image File](https://gitee.com/openeuler/raspberrypi/blob/master/documents/openEuler镜像的构建.md) +- [How to Use Raspberry Pi](https://gitee.com/openeuler/raspberrypi/blob/master/documents/树莓派使用.md) \ No newline at end of file diff --git a/content/en/docs/Installation/faqs.md b/docs/en/docs/Installation/faqs.md similarity index 80% rename from content/en/docs/Installation/faqs.md rename to docs/en/docs/Installation/faqs.md index b6124125082eb59ce3098cdc78e8aa12f7dde748..e8c193411530fca2dd1000d58ed12df776b526a6 100644 --- a/content/en/docs/Installation/faqs.md +++ b/docs/en/docs/Installation/faqs.md 
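Review bot: In the new docs/en/docs/Installation/More-Resources.md, both links point at Chinese-named documents (`openEuler镜像的构建.md`, `树莓派使用.md`) on the `master` branch of another repository, so readers of the English guide are sent to targets that are not in English and that can be renamed or rewritten without this page noticing. Link the English versions if they exist, or label the links as Chinese-only. The file is also titled `# Reference` although it is named More-Resources, and it has no newline at end of file.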
@@ -1,17 +1,4 @@ # FAQs - - -- [FAQs](#faqs) - - [Why Does openEuler Fail to Start After I Install It to the Second Disk?](#why-does-openeuler-fail-to-start-after-i-install-it-to-the-second-disk) - - [What Are the Constraints on Network Configurations?](#what-are-the-constraints-on-network-configurations) - - [Why Does openEuler Enter Emergency Mode After It Is Powered On?](#why-does-openeuler-enter-emergency-mode-after-it-is-powered-on) - - [Failed to Reinstall openEuler When a Logical Volume Group That Cannot Be Activated Has Existed in openEuler](#failed-to-reinstall-openeuler-when-a-logical-volume-group-that-cannot-be-activated-has-existed-in-openeuler) - - [An Exception Occurs During the Selection of the Installation Source](#an-exception-occurs-during-the-selection-of-the-installation-source) - - [How Do I Manually Enable the kdump Service?](#how-do-i-manually-enable-the-kdump-service) - - [Failed to Selected Only One Disk for Reinstallation When openEuler Was Installed on a Logical Volume Consisting of Multiple Disks](#failed-to-selected-only-one-disk-for-reinstallation-when-openeuler-was-installed-on-a-logical-volume-consisting-of-multiple-disks) - - [Failed to Install openEuler on an x86 PM in UEFI Mode due to Secure Boot Option Setting](#failed-to-install-openeuler-on-an-x86-pm-in-uefi-mode-due-to-secure-boot-option-setting) - - ## Why Does openEuler Fail to Start After I Install It to the Second Disk? 
@@ -35,30 +22,6 @@ This problem can be solved using either of the following two methods: - During the installation of openEuler, select the first disk or both disks, and install the boot loader on the first disk **sda**. - After installing openEuler, restart it by modifying the boot option on the BIOS window. -## What Are the Constraints on Network Configurations? - -The NetworkManager and network services are network service management tools. Some functions of the two services overlap. - -- If the NetworkManager service is used, run the **nmcli** command or modify the configuration file to configure the network \(such as the IP address and route\). Do not run the **ip**, **ifconfig**, or **route** command to configure the network. - - >![](public_sys-resources/icon-note.gif) **NOTE:** - >When the NetworkManager service is enabled and you run commands such as **ip**, **ifconfig**, and **route** to configure the network, the configurations will be overwritten by NetworkManager. - - To check whether NetworkManager is enabled, run the following command: - - ``` - systemctl status NetworkManager - ``` - - >![](public_sys-resources/icon-note.gif) **NOTE:** - >For details about the use of the **nmcli** command, see the execution result of the **nmcli --help** or **man nmcli** command. - -- If you want to run commands such as **ip**, **ifconfig**, and **route** commands to manage network information, run the following command to disable the NetworkManager service: - - ``` - systemctl stop NetworkManager - ``` - ## Why Does openEuler Enter Emergency Mode After It Is Powered On? @@ -66,7 +29,7 @@ The NetworkManager and network services are network service management tools. So openEuler enters emergency mode after it is powered on. -![](figures/en-us_image_0229291264.jpg) +![](./figures/en-us_image_0229291264.jpg) ### Possible Causes 
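Review bot: The @@ -35,30 +22,6 hunk deletes the whole "What Are the Constraints on Network Configurations?" entry, including the NOTE that NetworkManager overwrites settings made with **ip**, **ifconfig**, or **route**, and nothing in the visible faqs.md hunks adds it back or points to a new location. If the section was moved to another guide, leave a one-line pointer here. If it was dropped on purpose, say so in the change description, because this is operational guidance users rely on.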
@@ -79,7 +42,7 @@ An unexpected system power-off, and low I/O performance of disks may also cause 1. Enter the password of the **root** account to log in to openEuler. 2. Check and restore files by using the file system check \(fsck\) tool, and restart openEuler. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The fsck tool checks and maintains inconsistent file systems. If the system is powered off or a disk is faulty, run the **fsck** command to check file systems. Run the **fsck.ext3 -h** and **fsck.ext4 -h** commands to view the usage method of the fsck tool. @@ -167,7 +130,7 @@ Check whether the installation source is abnormal. Use the new installation sour Run the **systemctl status kdump** command. The following information is displayed, indicating that no memory is reserved. -![](figures/en-us_image_0229291280.png) +![](./figures/en-us_image_0229291280.png) ### Possible Cause @@ -187,7 +150,7 @@ For the scenario where the OS has been installed If the following information is displayed, the kdump status is **active**, indicating that the kdump service is enabled. No further action is required. - ![](figures/en-us_image_0229291272.png) + ![](./figures/en-us_image_0229291272.png) ### Parameter Description @@ -254,7 +217,7 @@ The following table describes the parameters of the memory reserved for the kdum If openEuler was installed on a logical volume consisting of multiple disks, an error message will be displayed as shown in [Figure 1](#fig115949762617) when you attempt to select one of the disks for reinstallation. **Figure 1** Error message -![](figures/error-message.png "error-message") +![](./figures/error-message.png "error-message") ### Possible Cause 
@@ -270,7 +233,7 @@ The logical volume formed by multiple disks is equivalent to a volume group. The vgs ``` - ![](figures/en-us_image_0231657950.png) + ![](./figures/en-us_image_0231657950.png) 2. Run the following command to delete the volume group: @@ -284,7 +247,7 @@ The logical volume formed by multiple disks is equivalent to a volume group. The systemctl restart anaconda ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >You can also press **Ctrl**+**Alt**+**F6** to return to the GUI and click **Refresh** in the lower right corner to refresh the storage configuration. @@ -295,7 +258,7 @@ The logical volume formed by multiple disks is equivalent to a volume group. The During the installation of openEuler on an x86 PM in UEFI mode, the system stays at the "No bootable device" page and the installation cannot continue because **secure boot** is set to **enabled** \(by default, it is set to **disabled**\), as shown in [Figure 2](#fig115949762617). **Figure 2** Dialog box showing "No bootable device" -![](figures/dialog-box-showing-no-bootable-device.png "dialog-box-showing-no-bootable-device") +![](./figures/dialog-box-showing-no-bootable-device.png "dialog-box-showing-no-bootable-device") ### Possible Cause 
@@ -307,16 +270,37 @@ Access the BIOS, set **secure boot** to **disabled**, and reinstall the openE 1. During the system startup, press **F11** and enter the password **Admin@9000** to access the BIOS. - ![](figures/bios.png) + ![](./figures/bios.png) 2. Choose **Administer Secure Boot**. - ![](figures/security.png) + ![](./figures/security.png) 3. Set **Enforce Secure Boot** to **Disabled**. - ![](figures/enforce-secure-boot.png) + ![](./figures/enforce-secure-boot.png) - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >After **Enforce Secure Boot** is set to **Disabled**, save the settings, and exit. Then, reinstall the system. +## The Installation Fails when a User Selects Two Drives on Which the OS Has Been Installed and Customizes Partitioning. + +### Symptom + +During the OS installation, the OS has been installed on two drives. In this case, if you select one drive for customized partitioning, and click **Cancel** to perform customized partitioning on the other drive, the installation fails. + +![](./figures/cancle_disk.png) + +![](./figures/custom_paratition.png) + +### Cause Analysis + +A user selects a drive for partitioning. After the user clicks **Cancel** and then selects the other drive, the drive information is incorrect. As a result, the installation fails. + +### Solution + +Select the target drive for customized partitioning. Do not frequently cancel the operation. If you have to cancel and select another drive, you are advised to reinstall the OS. + +### Learn More About the Issue at: + +https://gitee.com/src-openeuler/anaconda/issues/I29P84?from=project-issue \ No newline at end of file 
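Review bot: Step 1 of the procedure this hunk touches still prints a literal BIOS credential ("enter the password **Admin@9000**"). Please change it to "enter the BIOS password" and, if the vendor default must be mentioned, add that it should be changed after installation. In the added section, the heading "## The Installation Fails when a User Selects Two Drives ... Customizes Partitioning." ends with a period unlike the other FAQ headings, "### Learn More About the Issue at:" is a heading wrapped around a bare URL that would read better as a normal sentence with a link, and the image names `cancle_disk.png` and `custom_paratition.png` are misspelled (they match the binary files added later in the patch, so rename both together). The file also loses its newline at end of file.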
diff --git a/docs/en/docs/Installation/figures/Installation_source.png b/docs/en/docs/Installation/figures/Installation_source.png new file mode 100644 index 0000000000000000000000000000000000000000..558374e3260e5218b6528ddd8d021606bf790787 Binary files /dev/null and b/docs/en/docs/Installation/figures/Installation_source.png differ diff --git a/docs/en/docs/Installation/figures/Installation_wizard.png b/docs/en/docs/Installation/figures/Installation_wizard.png new file mode 100644 index 0000000000000000000000000000000000000000..350936cd80af6661f39716dc0c9a49f281600c62 Binary files /dev/null and b/docs/en/docs/Installation/figures/Installation_wizard.png differ diff --git a/docs/en/docs/Installation/figures/advanced-user-configuration.png b/docs/en/docs/Installation/figures/advanced-user-configuration.png new file mode 100644 index 0000000000000000000000000000000000000000..59a188aece92ad19cc9b42f69e235d9a9d4f702a Binary files /dev/null and b/docs/en/docs/Installation/figures/advanced-user-configuration.png differ diff --git a/content/en/docs/Installation/figures/bios.png b/docs/en/docs/Installation/figures/bios.png similarity index 100% rename from content/en/docs/Installation/figures/bios.png rename to docs/en/docs/Installation/figures/bios.png diff --git a/docs/en/docs/Installation/figures/cancle_disk.png b/docs/en/docs/Installation/figures/cancle_disk.png new file mode 100644 index 0000000000000000000000000000000000000000..f1db0f2c524695303f0d8791fcb3c256c75507ad Binary files /dev/null and b/docs/en/docs/Installation/figures/cancle_disk.png differ diff --git a/content/en/docs/Installation/figures/completing-the-automatic-installation.png b/docs/en/docs/Installation/figures/completing-the-automatic-installation.png similarity index 100% rename from content/en/docs/Installation/figures/completing-the-automatic-installation.png rename to docs/en/docs/Installation/figures/completing-the-automatic-installation.png 
diff --git a/docs/en/docs/Installation/figures/confignetwork.png b/docs/en/docs/Installation/figures/confignetwork.png new file mode 100644 index 0000000000000000000000000000000000000000..79903b72948a06d3fceff97c11f49d12f7571b94 Binary files /dev/null and b/docs/en/docs/Installation/figures/confignetwork.png differ diff --git a/docs/en/docs/Installation/figures/creating-a-user.png b/docs/en/docs/Installation/figures/creating-a-user.png new file mode 100644 index 0000000000000000000000000000000000000000..0e2befb0832d1167f5ffdcafdf7d9952d9ccdfbe Binary files /dev/null and b/docs/en/docs/Installation/figures/creating-a-user.png differ diff --git a/docs/en/docs/Installation/figures/custom_paratition.png b/docs/en/docs/Installation/figures/custom_paratition.png new file mode 100644 index 0000000000000000000000000000000000000000..d2e8c68e6af866e96bf5dd2a2f532de81c59a9d9 Binary files /dev/null and b/docs/en/docs/Installation/figures/custom_paratition.png differ diff --git a/content/en/docs/Installation/figures/dialog-box-showing-no-bootable-device.png b/docs/en/docs/Installation/figures/dialog-box-showing-no-bootable-device.png similarity index 100% rename from content/en/docs/Installation/figures/dialog-box-showing-no-bootable-device.png rename to docs/en/docs/Installation/figures/dialog-box-showing-no-bootable-device.png diff --git a/content/en/docs/Installation/figures/disk-encryption-password.png b/docs/en/docs/Installation/figures/disk-encryption-password.png similarity index 100% rename from content/en/docs/Installation/figures/disk-encryption-password.png rename to docs/en/docs/Installation/figures/disk-encryption-password.png diff --git a/content/en/docs/Installation/figures/drive-icon.png b/docs/en/docs/Installation/figures/drive-icon.png similarity index 100% rename from content/en/docs/Installation/figures/drive-icon.png rename to docs/en/docs/Installation/figures/drive-icon.png 
diff --git a/content/en/docs/Installation/figures/en-us_image_0229291229.png b/docs/en/docs/Installation/figures/en-us_image_0229291229.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229291229.png rename to docs/en/docs/Installation/figures/en-us_image_0229291229.png diff --git a/content/en/docs/Installation/figures/en-us_image_0229291236.png b/docs/en/docs/Installation/figures/en-us_image_0229291236.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229291236.png rename to docs/en/docs/Installation/figures/en-us_image_0229291236.png diff --git a/content/en/docs/Installation/figures/en-us_image_0229291243.png b/docs/en/docs/Installation/figures/en-us_image_0229291243.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229291243.png rename to docs/en/docs/Installation/figures/en-us_image_0229291243.png diff --git a/content/en/docs/Installation/figures/en-us_image_0229291247.png b/docs/en/docs/Installation/figures/en-us_image_0229291247.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229291247.png rename to docs/en/docs/Installation/figures/en-us_image_0229291247.png diff --git a/content/en/docs/Installation/figures/en-us_image_0229291264.jpg b/docs/en/docs/Installation/figures/en-us_image_0229291264.jpg similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229291264.jpg rename to docs/en/docs/Installation/figures/en-us_image_0229291264.jpg diff --git a/content/en/docs/Installation/figures/en-us_image_0229291270.png b/docs/en/docs/Installation/figures/en-us_image_0229291270.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229291270.png rename to docs/en/docs/Installation/figures/en-us_image_0229291270.png 
diff --git a/content/en/docs/Installation/figures/en-us_image_0229291272.png b/docs/en/docs/Installation/figures/en-us_image_0229291272.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229291272.png rename to docs/en/docs/Installation/figures/en-us_image_0229291272.png diff --git a/content/en/docs/Installation/figures/en-us_image_0229291280.png b/docs/en/docs/Installation/figures/en-us_image_0229291280.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229291280.png rename to docs/en/docs/Installation/figures/en-us_image_0229291280.png diff --git a/content/en/docs/Installation/figures/en-us_image_0229291286.png b/docs/en/docs/Installation/figures/en-us_image_0229291286.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229291286.png rename to docs/en/docs/Installation/figures/en-us_image_0229291286.png diff --git a/content/en/docs/Installation/figures/en-us_image_0229420473.png b/docs/en/docs/Installation/figures/en-us_image_0229420473.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0229420473.png rename to docs/en/docs/Installation/figures/en-us_image_0229420473.png diff --git a/content/en/docs/Installation/figures/en-us_image_0231657950.png b/docs/en/docs/Installation/figures/en-us_image_0231657950.png similarity index 100% rename from content/en/docs/Installation/figures/en-us_image_0231657950.png rename to docs/en/docs/Installation/figures/en-us_image_0231657950.png diff --git a/content/en/docs/Installation/figures/enforce-secure-boot.png b/docs/en/docs/Installation/figures/enforce-secure-boot.png similarity index 100% rename from content/en/docs/Installation/figures/enforce-secure-boot.png rename to docs/en/docs/Installation/figures/enforce-secure-boot.png 
diff --git a/docs/en/docs/Installation/figures/error-message.png b/docs/en/docs/Installation/figures/error-message.png new file mode 100644 index 0000000000000000000000000000000000000000..c5802a2b7a750eed8429ec06c7e4919a3d161a9e Binary files /dev/null and b/docs/en/docs/Installation/figures/error-message.png differ diff --git a/docs/en/docs/Installation/figures/host_env8.png b/docs/en/docs/Installation/figures/host_env8.png new file mode 100644 index 0000000000000000000000000000000000000000..d08dcc89f40e1671a55a42fbcb02f26e987a461e Binary files /dev/null and b/docs/en/docs/Installation/figures/host_env8.png differ diff --git a/content/en/docs/Installation/figures/image-dialog-box.png b/docs/en/docs/Installation/figures/image-dialog-box.png similarity index 100% rename from content/en/docs/Installation/figures/image-dialog-box.png rename to docs/en/docs/Installation/figures/image-dialog-box.png diff --git a/docs/en/docs/Installation/figures/installation-process.png b/docs/en/docs/Installation/figures/installation-process.png new file mode 100644 index 0000000000000000000000000000000000000000..2d219c7605ee75e73dffba1e2dd7c277968d4801 Binary files /dev/null and b/docs/en/docs/Installation/figures/installation-process.png differ diff --git a/docs/en/docs/Installation/figures/installation-summary.png b/docs/en/docs/Installation/figures/installation-summary.png new file mode 100644 index 0000000000000000000000000000000000000000..d5ca555a2b2291e139b67098a7c23d29b23b8b24 Binary files /dev/null and b/docs/en/docs/Installation/figures/installation-summary.png differ diff --git a/docs/en/docs/Installation/figures/installsourceen.png b/docs/en/docs/Installation/figures/installsourceen.png new file mode 100644 index 0000000000000000000000000000000000000000..43e59b694ec1afcf8591e8272390da927da9a3fe Binary files /dev/null and b/docs/en/docs/Installation/figures/installsourceen.png differ 
diff --git a/docs/en/docs/Installation/figures/manual-partitioning-page.png b/docs/en/docs/Installation/figures/manual-partitioning-page.png new file mode 100644 index 0000000000000000000000000000000000000000..6d61aa6c698b9dbc01255d7d646548e636482872 Binary files /dev/null and b/docs/en/docs/Installation/figures/manual-partitioning-page.png differ diff --git a/docs/en/docs/Installation/figures/password-of-the-root-account.png b/docs/en/docs/Installation/figures/password-of-the-root-account.png new file mode 100644 index 0000000000000000000000000000000000000000..fe65e73a81e25e5fa90a13af707165911e7fa459 Binary files /dev/null and b/docs/en/docs/Installation/figures/password-of-the-root-account.png differ diff --git a/content/en/docs/Installation/figures/restart-icon.png b/docs/en/docs/Installation/figures/restart-icon.png similarity index 100% rename from content/en/docs/Installation/figures/restart-icon.png rename to docs/en/docs/Installation/figures/restart-icon.png diff --git a/content/en/docs/Installation/figures/security.png b/docs/en/docs/Installation/figures/security.png similarity index 100% rename from content/en/docs/Installation/figures/security.png rename to docs/en/docs/Installation/figures/security.png diff --git a/docs/en/docs/Installation/figures/selecting-a-language.png b/docs/en/docs/Installation/figures/selecting-a-language.png new file mode 100644 index 0000000000000000000000000000000000000000..930bec7d3822a9e8289ee444a9fe6ee2dfdbad6c Binary files /dev/null and b/docs/en/docs/Installation/figures/selecting-a-language.png differ diff --git a/docs/en/docs/Installation/figures/selecting-installation-software.png b/docs/en/docs/Installation/figures/selecting-installation-software.png new file mode 100644 index 0000000000000000000000000000000000000000..c246e997d787d0d6a0439dcaf8780a09a9b72ca7 Binary files /dev/null and b/docs/en/docs/Installation/figures/selecting-installation-software.png differ 
diff --git a/docs/en/docs/Installation/figures/setting-a-system-language.png b/docs/en/docs/Installation/figures/setting-a-system-language.png new file mode 100644 index 0000000000000000000000000000000000000000..e8e6faa69580e707657cba3f2f589918321a4b4d Binary files /dev/null and b/docs/en/docs/Installation/figures/setting-a-system-language.png differ diff --git a/docs/en/docs/Installation/figures/setting-date-and-time.png b/docs/en/docs/Installation/figures/setting-date-and-time.png new file mode 100644 index 0000000000000000000000000000000000000000..6e366072db2ca698ae2bc317a361e9d38877a2d0 Binary files /dev/null and b/docs/en/docs/Installation/figures/setting-date-and-time.png differ diff --git a/docs/en/docs/Installation/figures/setting-the-installation-destination.png b/docs/en/docs/Installation/figures/setting-the-installation-destination.png new file mode 100644 index 0000000000000000000000000000000000000000..224f165b222598aa140187bdfa9b1e75af36c0c5 Binary files /dev/null and b/docs/en/docs/Installation/figures/setting-the-installation-destination.png differ diff --git a/docs/en/docs/Installation/figures/setting-the-keyboard-layout.png b/docs/en/docs/Installation/figures/setting-the-keyboard-layout.png new file mode 100644 index 0000000000000000000000000000000000000000..62b0074220b8e2c8ebca37dceecc92e0c2fcdffc Binary files /dev/null and b/docs/en/docs/Installation/figures/setting-the-keyboard-layout.png differ diff --git a/docs/en/docs/Installation/figures/setting-the-network-and-host-name.png b/docs/en/docs/Installation/figures/setting-the-network-and-host-name.png new file mode 100644 index 0000000000000000000000000000000000000000..b17ebdaafeaa2228ddbe0d8135fee3eabdc1cb76 Binary files /dev/null and b/docs/en/docs/Installation/figures/setting-the-network-and-host-name.png differ 
diff --git a/docs/en/docs/Installation/figures/sourceftp.png b/docs/en/docs/Installation/figures/sourceftp.png new file mode 100644 index 0000000000000000000000000000000000000000..2e18d3f5c6d999c8a637ebed36ccb740a96d8449 Binary files /dev/null and b/docs/en/docs/Installation/figures/sourceftp.png differ diff --git a/docs/en/docs/Installation/figures/sourcenfs.png b/docs/en/docs/Installation/figures/sourcenfs.png new file mode 100644 index 0000000000000000000000000000000000000000..3a4564871319deb546776b2542575ed43f2f2a35 Binary files /dev/null and b/docs/en/docs/Installation/figures/sourcenfs.png differ diff --git a/docs/en/docs/Installation/figures/startparam.png b/docs/en/docs/Installation/figures/startparam.png new file mode 100644 index 0000000000000000000000000000000000000000..b197f4d492213513edf84a99cdb14f186630a828 Binary files /dev/null and b/docs/en/docs/Installation/figures/startparam.png differ diff --git "a/content/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\234\215\345\212\241\345\231\250.md" b/docs/en/docs/Installation/install-pi.md similarity index 100% rename from "content/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\234\215\345\212\241\345\231\250.md" rename to docs/en/docs/Installation/install-pi.md diff --git "a/content/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\240\221\350\216\223\346\264\276.md" b/docs/en/docs/Installation/install-server.md similarity index 100% rename from "content/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\240\221\350\216\223\346\264\276.md" rename to docs/en/docs/Installation/install-server.md diff --git a/content/en/docs/Installation/installation-guideline.md b/docs/en/docs/Installation/installation-guideline.md similarity index 40% rename from content/en/docs/Installation/installation-guideline.md rename to docs/en/docs/Installation/installation-guideline.md index ba60382a03ef42ae52b1d368b26d8f9d0e23fd9c..6942d2700c6993ca96244770ca7d1e7a93615ed7 100644 
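Review bot: The last two renames look crossed and untranslated. The quoted source path `\345\256\211\350\243\205\345\234\250\346\234\215\345\212\241\345\231\250.md` decodes to the zh "install on server" page but is renamed to docs/en/docs/Installation/install-pi.md, while the zh "install on Raspberry Pi" page (`...\346\240\221\350\216\223\346\264\276.md`) is renamed to install-server.md. Both are at 100% similarity, so the Chinese content lands unchanged under docs/en. Please check the mapping and either swap the targets or add the English text in this change.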
--- a/content/en/docs/Installation/installation-guideline.md +++ b/docs/en/docs/Installation/installation-guideline.md 
@@ -1,311 +1,342 @@ -# Installation Guideline - -This section describes how to install openEuler using a CD-ROM. The installation process is the same for other installation modes except the boot option. - - -- [Installation Guideline](#installation-guideline) - - [Starting the Installation](#starting-the-installation) - - [Booting from the CD/DVD-ROM Drive](#booting-from-the-cddvd-rom-drive) - - [Installation Wizard](#installation-wizard) - - [Installation in GUI Mode](#installation-in-gui-mode) - - [Configuring an Installation Program Language](#configuring-an-installation-program-language) - - [Entering the Installation Page](#entering-the-installation-page) - - [Setting the Keyboard Layout](#setting-the-keyboard-layout) - - [Setting a System Language](#setting-a-system-language) - - [Setting Date and Time](#setting-date-and-time) - - [Setting the Installation Source](#setting-the-installation-source) - - [Selecting Installation Software](#selecting-installation-software) - - [Setting the Installation Destination](#setting-the-installation-destination) - - [Storage Configuration](#storage-configuration) - - [Setting the Network and Host Name](#setting-the-network-and-host-name) - - [Starting Installation](#starting-installation) - - [Configurations During Installation](#configurations-during-installation) - - [Password Complexity](#password-complexity) - - [Setting the Root User Password](#setting-the-root-user-password) - - [Creating a User](#creating-a-user) - - [Completing the Installation](#completing-the-installation) - - - -## Starting the Installation - -### Booting from the CD/DVD-ROM Drive - -Load the ISO image of openEuler from the CD/DVD-ROM drive of the server and restart the server. The procedure is as follows: - ->![](public_sys-resources/icon-note.gif) **NOTE:** ->Before the installation, ensure that the server boots from the CD/DVD-ROM drive preferentially. 
The following steps describe how to install the openEuler using the virtual CD/DVD-ROM drive on the baseboard management controller \(BMC\). Installing the openEuler from a physical drive is simple. After the installation starts, the procedure for the physical drive is the same as that of the virtual drive. - -1. On the toolbar, click the icon shown in the following figure. - - **Figure 1** Drive icon - ![](figures/drive-icon.png "drive-icon") - - An image dialog box is displayed, as shown in the following figure. - - **Figure 2** Image dialog box - ![](figures/image-dialog-box.png "image-dialog-box") - -2. Select **Image File** and then click **Browse**. The **Open** dialog box is displayed. -3. Select the image file and click **Open**. In the image dialog box, click **Connect**. If **Connect** changes to **Disconnect**, the virtual CD/DVD-ROM drive is connected to the server. -4. On the toolbar, click the restart icon shown in the following figure to restart the device. - - **Figure 3** Restart icon - ![](figures/restart-icon.png "restart-icon") - - -### Installation Wizard - -A boot menu is displayed after the system is booted using the boot medium. In addition to options for starting the installation program, some other options are available on the boot menu. During system installation, the **Test this media & install openEuler 20.03 LTS** mode is used by default. Press the arrow keys on the keyboard to change the selection, and press **Enter** when the desired option is highlighted. - ->![](public_sys-resources/icon-note.gif) **NOTE:** ->- If you do not perform any operations within 1 minute, the system automatically selects the default option **Test this media & install openEuler 20.03 LTS** and enters the installation page. 
->- During PM installation, if you cannot use the arrow keys to select boot options and the system does not respond after you press **Enter**, click ![](figures/en-us_image_0229420473.png) on the BMC page and configure **Key & Mouse Reset**. - -**Figure 4** Installation Wizard -![](figures/installation-wizard.png "installation-wizard") - -Installation wizard options are described as follows: - -- **Install openEuler 20.03 LTS**: Install openEuler on your server in GUI mode. - -- **Test this media & install openEuler 20.03 LTS**: Default option. Install openEuler on your server in GUI mode. The integrity of the installation medium is checked before the installation program is started. - -- **Troubleshooting**: Troubleshooting mode, which is used when the system cannot be installed properly. In troubleshooting mode, the following options are available: - - **Install openEuler 20.03-LTS in basic graphics mode**: Basic graphics installation mode. In this mode, the video driver is not started before the system starts and runs. - - **Rescue the openEuler system**: Rescue mode, which is used to restore the system. In rescue mode, the installation process is printed in the VNC or BMC, and the serial port is unavailable. - -On the installation wizard screen, press **e** to go to the parameter editing screen of the selected option, and press **c** to go to the command-line interface \(CLI\). - -### Installation in GUI Mode - -On the installation wizard page, select **Test this media & install openEuler 20.03 LTS** to enter the GUI installation mode. - -Perform graphical installation operations using a keyboard. - -- Press **Tab** or **Shift**+**Tab** to move between GUI controls \(such as buttons, area boxes, and check boxes\). -- Press the up or down arrow key to move a target in the list. -- Press the left or right arrow key to move between the horizontal toolbar and watch bar. 
-- Press the spacebar or **Enter** to select or delete highlighted options, expand or collapse a drop-down list. -- Press **Alt**+a shortcut key \(the shortcut key varies for different pages\) to select the control where the shortcut key is located. The shortcut key can be highlighted \(underlined\) by holding down Alt. - - -## Configuring an Installation Program Language - -After the installation starts, the system will prompt the language that is used during the configuration installation process. English is configured by default, as shown in [Figure 5](#en-us_topic_0186390093_en-us_topic_0122145864_fig144630179151). Configure another language as required. - -**Figure 5** Selecting a language -![](figures/selecting-a-language.png "selecting-a-language") - -After configurations, click **Continue**. The main installation configuration page is displayed. - -If you want to exit the installation, click **Exit**. The message "Are you sure you want to exit the installation program?" is displayed. Click **Yes** in the dialog box to go back to the installation wizard page. - -## Entering the Installation Page - -After the installation program starts, the main installation configuration page is displayed, as shown in [Figure 6](#en-us_topic_0186390094_en-us_topic_0122145883_fig5969171592212). On the page, you can configure the time, language, installation source, network, and storage device. - -Some configuration items are matched with safety symbols. A safety symbol will disappear after the item is configured. Start the installation only when all the safety symbols disappear from the page. - -If you want to exit the installation, click **Exit**. The message "Are you sure you want to exit the installation program?" is displayed. Click **Yes** in the dialog box to go back to the installation wizard page. 
- -**Figure 6** Installation summary -![](figures/installation-summary.png "installation-summary") - -## Setting the Keyboard Layout - -On the **INSTALLATION SUMMARY** page, click **KEYBOARD**. You can add or delete multiple keyboard layouts in the system. - -- On the left white box, click to select the keyboard layout and click the keyboard under the box. -- To test the keyboard layout: On the left white box, click to select the keyboard layout, click the inside of the right text box, and enter the text to ensure that the keyboard layout can work properly. - -**Figure 7** Setting the keyboard layout -![](figures/setting-the-keyboard-layout.png "setting-the-keyboard-layout") - -After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. - -## Setting a System Language - -On the **INSTALLATION SUMMARY** page, click **LANGUAGE SUPPORT** to set the system language, as shown in [Figure 8](#en-us_topic_0186390098_en-us_topic_0122145772_fig187301927172619). Set another language as required, such as Chinese. - ->![](public_sys-resources/icon-note.gif) **NOTE:** ->- If you select Chinese, the system does not display Chinese characters after you log in to the system using VNC, because VNC does not support Chinese characters. If you log in to the system in SSH mode, Chinese characters will be displayed. ->- If you select English, there will be no impact. - -**Figure 8** Setting a system language -![](figures/setting-a-system-language.png "setting-a-system-language") - -After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. - -## Setting Date and Time - -On the **INSTALLATION SUMMARY** page, click **TIME & DATE**. On the **TIME & DATE** page, set the system time zone, date, and time. 
- -When setting the time zone, you can click a specific city on the map with the mouse, or select a region from the drop-down list of **Region** or a city from the drop-down list of **City** at the top of the page, as shown in [Figure 9](#en-us_topic_0186390096_en-us_topic_0122145900_fig1260162652312). - -If your city is not displayed on the map or in the drop-down list, select the nearest city in the same time zone. - ->![](public_sys-resources/icon-note.gif) **NOTE:** ->- Before manually setting the time zone, disable the network time synchronization function in the upper right corner. ->- If you want to use the network time, ensure that the network can connect to the remote NTP server. For details about how to set the network, see [Setting the Network and Host Name](#setting-the-network-and-host-name). - -**Figure 9** Setting date and time -![](figures/setting-date-and-time.png "setting-date-and-time") - -After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. - -## Setting the Installation Source - -On the **INSTALLATION SUMMARY** page, click **INSTALLATION SOURCE** to locate the installation source. - -If you use a CD/DVD-ROM for installation, the installation program automatically detects and displays the installation source information. You can use the default settings. [Figure 10](#en-us_topic_0186390100_en-us_topic_0144427079_fig93633295132) shows an example. - -**Figure 10** Setting the installation source -![](figures/setting-the-installation-source.png "setting-the-installation-source") - -When you use the network for installation, if the HTTPS server uses a private certificate, press **e** on the installation wizard page to go to the parameter editing page and add the **inst.noverifyssl** parameter, as shown in [Figure 11](#fig113517811415). 
- -**Figure 11** Adding the **inst.noverifyssl** parameter -![](figures/adding-the-inst-noverifyssl-parameter.png "adding-the-inst-noverifyssl-parameter") - -After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. - ->![](public_sys-resources/icon-note.gif) **NOTE:** ->During the installation, if you have any questions about configuring the installation source, see [An Exception Occurs During the Selection of the Installation Source](faqs.html#an-exception-occurs-during-the-selection-of-the-installation-source). - -## Selecting Installation Software - -On the **INSTALLATION SUMMARY** page, click **SOFTWARE SELECTION** to specify the software package to be installed. - -Based on the actual requirements, select **Minimal Install** on the left box and select an add-on in the **Add-Ons for Selected Environment** area on the right, as shown in [Figure 12](#en-us_topic_0186390261_en-us_topic_0122145865_fig03031519101414). - -**Figure 12** Selecting installation software -![](figures/selecting-installation-software.png "selecting-installation-software") - ->![](public_sys-resources/icon-note.gif) **NOTE:** ->- In **Minimal Install** mode, not all packages in the installation source will be installed. If the required package is not installed, you can mount the installation source to the local PC and configure a repo source, and use DNF to install the package. ->- If you select **Virtual Host**, the virtualization components QEMU, libvirt, and edk2 are installed by default. You can select whether to install the OVS component in the add-on area. - -After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. - -## Setting the Installation Destination - -On the **INSTALLATION SUMMARY** page, click **INSTALLATION DESTINATION** to select the OS installation disk and partition. 
- -You can view available local storage devices in [Figure 13](#fig1195417125015). - ->![](public_sys-resources/icon-notice.gif) **NOTICE:** ->When selecting the device to be installed, you are advised not to use the NVMe SSD storage medium as the OS installation disk. - -**Figure 13** Setting the installation destination -![](figures/setting-the-installation-destination.png "setting-the-installation-destination") - -### Storage Configuration - -On the **INSTALLATION DESTINATION** page, configure storage for system partition. You can either manually configure partitions or select **Automatic** to automatically configure partitioning. - ->![](public_sys-resources/icon-note.gif) **NOTE:** ->- During partitioning, to ensure system security and performance, you are advised to divide the device into the following partitions: **/boot**, **/var**, **/var/log**, **/var/log/audit**, **/home**, and **/tmp**. ->- If the system is configured with the swap partition, the swap partition is used when the physical memory of the system is insufficient. Although the swap partition can be used to expand the physical memory, if the swap partition is used due to insufficient memory, the system response slows and the system performance deteriorates. Therefore, you are not advised to configure the swap partition in the system with sufficient physical memory or the performance sensitive system. ->- If you need to split a logical volume group, select **Custom** to manually partition the logical volume group. On the **MANUAL PARTITIONING** page, click **Modify** in the **Volume Group** area to reconfigure the logical volume group. - -**Automatic** - -Select **Automatic** if the software is installed in a new storage device or the data in the storage device is not required. - -**Customize** - -If you need to manually partition the disk, click **Customize** and click **Done** in the upper left corner. The following page is displayed. 
- -**Figure 14** MANUAL PARTITIONING page -![](figures/manual-partitioning-page.png "manual-partitioning-page") - -On the **MANUAL PARTITIONING** page, you can partition the disk in either of the following ways: - -- Automatic creation: Click **Click here to create them automatically**. The system automatically assigns four mount points according to the available storage space: **/boot**, **/**, **/boot/efi**, and **swap**. -- Manual creation: Click ![](figures/en-us_image_0229291243.png) to add a mount point. It is recommended that the expected capacity of each mount point not exceed the available space. - - >![](public_sys-resources/icon-note.gif) **NOTE:** - >If the expected capacity of the mount point exceeds the available space, the system allocates the remaining available space to the mount point. - - -After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. - -## Setting the Network and Host Name - -On the **INSTALLATION SUMMARY** page, select **NETWORK & HOST NAME** to configure the system network functions. - -The installation program automatically detects a local access interface. The detected interface is listed in the left box, and the interface details are displayed in the right-hand area, as shown in [Figure 15](#en-us_topic_0186390264_en-us_topic_0122145831_fig123700157297). In the upper right corner, click the switchover button to enable or disable the network interface. You can also click **Configure** to configure the selected interface. - -In the lower left box, enter the host name. The host name can be the fully quantified domain name \(FQDN\) in the format of hostname.domainname or the brief host name in the format of hostname. 
- -**Figure 15** Setting the network and host name -![](figures/setting-the-network-and-host-name.png "setting-the-network-and-host-name") - -After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. - -## Starting Installation - -On the installation page, after all the mandatory items are configured, the safety symbols will disappear. Then, you can click **Begin Installation** to install the system. - -**Figure 16** Starting installation -![](figures/starting-installation.png "starting-installation") - -## Configurations During Installation - -After the installation starts, the overall installation progress and the progress of writing the software package to the system are displayed. - -**Figure 17** Installation process -![](figures/installation-process.png "installation-process") - -During the process of installing software packages, you need to configure the root password and create users. - -### Password Complexity - -The password of the **root** user or the password of the new user must meet the password complexity requirements. Otherwise, the password configuration or user creation will fail. The password complexity requirements are as follows: - -1. A password must contain at least eight characters. -2. A password must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters. -3. A password must be different from the account name. -4. A password cannot contain words in the dictionary. - - >![](public_sys-resources/icon-note.gif) **NOTE:** - > In the installed openEuler environment, you can run the `cracklib-unpacker /usr/share/cracklib/pw_dict > dictionary.txt` command to export the dictionary library file **dictionary.txt**, and then check whether the password is in the dictionary. - -### Setting the Root User Password - -Click **Root Password**. 
In the displayed dialog box, as shown in [Figure 18](#en-us_topic_0186390266_en-us_topic_0122145909_fig1323165793018), enter a password and re-enter to confirm. - ->![](public_sys-resources/icon-note.gif) **NOTE:** ->The root password is required to be configured at the same time of installing software packages. Otherwise, the installation will fail. A **root** account is used for performing critical system administration tasks. It is not recommended to use this account for daily work or system access. - -**Figure 18** Password of the **root** account -![](figures/password-of-the-root-account.png "password-of-the-root-account") - -After configuration, click **Done** in the left-upper corner to switch back to the installation process page. - -### Creating a User - -Click **User Creation**. [Figure 19](#en-us_topic_0186390266_en-us_topic_0122145909_fig1237715313319) shows the page for creating a user. Enter a username and set a password. By clicking **Advanced**, you can also configure a home directory and a user group, as shown in [Figure 20](#en-us_topic_0186390266_en-us_topic_0122145909_fig128716531312). - -**Figure 19** Creating a user -![](figures/creating-a-user.png "creating-a-user") - -**Figure 20** Advanced user configuration -![](figures/advanced-user-configuration.png "advanced-user-configuration") - -After configuration, click **Done** in the left-upper corner to switch back to the installation process page. - -Click **Finish**. The configuration of openEuler is complete. - -![](figures/completing-the-configuration.png) - -## Completing the Installation - -openEuler has been installed, as shown in [Figure 21](#en-us_topic_0186390267_en-us_topic_0122145917_fig1429512116338). Click **Reboot** to restart the system. 
- -**Figure 21** Completing the installation -![](figures/completing-the-installation.png "completing-the-installation") - -- If the physical DVD-ROM is used to install the OS and the DVD-ROM drive is not automatically ejected during the restart, manually remove the DVD-ROM. Then, the openEuler CLI login page is displayed. -- If the virtual DVD-ROM drive is used to install the OS, change the server boot option to **Hard Disk** and restart the server. Then, the openEuler CLI login page is displayed. +# Installation Guideline + +This section describes how to install openEuler using a CD-ROM. The installation process is the same for other installation modes except the boot option. + + + +- [Installation Guideline](#installation-guideline) + - [Starting the Installation](#starting-the-installation) + - [Booting from the CD/DVD-ROM Drive](#booting-from-the-cddvd-rom-drive) + - [Installation Wizard](#installation-wizard) + - [Installation in GUI Mode](#installation-in-gui-mode) + - [Configuring an Installation Program Language](#configuring-an-installation-program-language) + - [Entering the Installation Page](#entering-the-installation-page) + - [Setting the Keyboard Layout](#setting-the-keyboard-layout) + - [Setting a System Language](#setting-a-system-language) + - [Setting Date and Time](#setting-date-and-time) + - [Setting the Installation Source](#setting-the-installation-source) + - [Selecting Installation Software](#selecting-installation-software) + - [Setting the Installation Destination](#setting-the-installation-destination) + - [Storage Configuration](#storage-configuration) + - [Setting the Network and Host Name](#setting-the-network-and-host-name) + - [Setting the Root Password](#设置根密码) + - [Password Complexity](#密码复杂度) + - [Creating a User](#创建用户) + - [Starting the Installation](#开始安装) + - [Installation Procedure](#安装过程) + - [Completing the Installation](#安装完成) + + +## Starting the Installation + +### Booting from the CD/DVD-ROM Drive + +Load the ISO 
image of openEuler from the CD/DVD-ROM drive of the server and restart the server. The procedure is as follows: + +> ![](./public_sys-resources/icon-note.gif) **NOTE:** +> Before the installation, ensure that the server boots from the CD/DVD-ROM drive preferentially. The following steps describe how to install the openEuler using the virtual CD/DVD-ROM drive on the baseboard management controller (BMC). Installing the openEuler from a physical drive is simple. After the installation starts, the procedure for the physical drive is the same as that of the virtual drive. + +1. On the toolbar, click the icon shown in the following figure. + + **Figure 1** Drive icon + ![](./figures/drive-icon.png "drive-icon") + + An image dialog box is displayed, as shown in the following figure. + + **Figure 2** Image dialog box + ![](./figures/image-dialog-box.png "image-dialog-box") + +2. Select **Image File** and then click **Browse**. The **Open** dialog box is displayed. + +3. Select the image file and click **Open**. In the image dialog box, click **Connect**. If **Connect** changes to **Disconnect**, the virtual CD/DVD-ROM drive is connected to the server. + +4. On the toolbar, click the restart icon shown in the following figure to restart the device. + + **Figure 3** Restart icon + ![](./figures/restart-icon.png "restart-icon") + + +### Installation Wizard + +A boot menu is displayed after the system is booted using the boot medium. In addition to options for starting the installation program, some other options are available on the boot menu. During system installation, the **Test this media \& install openEuler 21.03** mode is used by default. Press the arrow keys on the keyboard to change the selection, and press **Enter** when the desired option is highlighted. 
+ +>![](./public_sys-resources/icon-note.gif) **NOTE:** +> +>- If you do not perform any operations within 1 minute, the system automatically selects the default option **Test this media \& install openEuler 21.03** and enters the installation page. +>- During PM installation, if you cannot use the arrow keys to select boot options and the system does not respond after you press **Enter**, click ![](./figures/en-us_image_0229420473.png) on the BMC page and configure **Key & Mouse Reset**. + +**Figure 4** Installation Wizard +![](./figures/Installation_wizard.png "installation-wizard") + +Installation wizard options are described as follows: + +- **Install openEuler 21.03**: Install openEuler on your server in GUI mode. + +- **Test this media & install openEuler 21.03**: Default option. Install openEuler on your server in GUI mode. The integrity of the installation medium is checked before the installation program is started. + +- **Troubleshooting**: Troubleshooting mode, which is used when the system cannot be installed properly. In troubleshooting mode, the following options are available: + + - **Install openEuler 21.03 in basic graphics mode**: Basic graphics installation mode. In this mode, the video driver is not started before the system starts and runs. + - **Rescue the openEuler system**: Rescue mode, which is used to restore the system. In rescue mode, the installation process is printed in the VNC or BMC, and the serial port is unavailable. + +On the installation wizard screen, press **e** to go to the parameter editing screen of the selected option, and press **c** to go to the command-line interface (CLI). + +### Installation in GUI Mode + +On the installation wizard page, select **Test this media \& install openEuler 21.03** to enter the GUI installation mode. + +Perform graphical installation operations using a keyboard. + +- Press **Tab** or **Shift**+**Tab** to move between GUI controls (such as buttons, area boxes, and check boxes). 
+- Press the up or down arrow key to move a target in the list. +- Press the left or right arrow key to move between the horizontal toolbar and watch bar. +- Press the spacebar or **Enter** to select or delete highlighted options, expand or collapse a drop-down list. +- Press **Alt**+a shortcut key (the shortcut key varies for different pages) to select the control where the shortcut key is located. The shortcut key can be highlighted (underlined) by holding down Alt. + + +## Configuring an Installation Program Language + +After the installation starts, the system will prompt the language that is used during the configuration installation process. English is configured by default, as shown in [Figure 5](#en-us_topic_0186390093_en-us_topic_0122145864_fig144630179151). Configure another language as required. + +**Figure 5** Selecting a language +![](./figures/selecting-a-language.png "selecting-a-language") + +After configurations, click **Continue**. The main installation configuration page is displayed. + +If you want to exit the installation, click **Exit**. The message "Are you sure you want to exit the installation program?" is displayed. Click **Yes** in the dialog box to go back to the installation wizard page. + +## Entering the Installation Page + +After the installation program starts, the main installation configuration page is displayed, as shown in [Figure 6](#en-us_topic_0186390094_en-us_topic_0122145883_fig5969171592212). On the page, you can configure the time, language, installation source, network, and storage device. + +Some configuration items are matched with safety symbols. A safety symbol will disappear after the item is configured. Start the installation only when all the safety symbols disappear from the page. + +If you want to exit the installation, click **Exit**. The message "Are you sure you want to exit the installation program?" is displayed. Click **Yes** in the dialog box to go back to the installation wizard page. 
+ +**Figure 6** Installation summary +![](./figures/installation-summary.png "installation-summary") + +## Setting the Keyboard Layout + +On the **INSTALLATION SUMMARY** page, click **KEYBOARD**. You can add or delete multiple keyboard layouts in the system. + +- On the left white box, click to select the keyboard layout and click the keyboard under the box. +- To test the keyboard layout: On the left white box, click to select the keyboard layout, click the inside of the right text box, and enter the text to ensure that the keyboard layout can work properly. + +**Figure 7** Setting the keyboard layout +![](./figures/setting-the-keyboard-layout.png "setting-the-keyboard-layout") + +After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. + +## Setting a System Language + +On the **INSTALLATION SUMMARY** page, click **LANGUAGE SUPPORT** to set the system language, as shown in [Figure 8](#en-us_topic_0186390098_en-us_topic_0122145772_fig187301927172619). Set another language as required, such as Chinese. + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +> +> - If you select **Chinese**, the system does not support the display of Chinese characters when you log in to the system using VNC, but supports the display of Chinese characters when you log in to the system using a serial port. When you log in to the system using SSH, whether the system supports the display of Chinese characters depends on the SSH client. If you select **English**, the display is not affected. + +**Figure 8** Setting a system language +![](./figures/setting-a-system-language.png "setting-a-system-language") + +After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. + +## Setting Date and Time + +On the **INSTALLATION SUMMARY** page, click **TIME \& DATE**. On the **TIME \& DATE** page, set the system time zone, date, and time. 
+ +When setting the time zone, you can click a specific city on the map with the mouse, or select a region from the drop-down list of **Region** or a city from the drop-down list of **City** at the top of the page, as shown in [Figure 9](#en-us_topic_0186390096_en-us_topic_0122145900_fig1260162652312). + +If your city is not displayed on the map or in the drop-down list, select the nearest city in the same time zone. + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +> +>- Before manually setting the time zone, disable the network time synchronization function in the upper right corner. +>- If you want to use the network time, ensure that the network can connect to the remote NTP server. For details about how to set the network, see [Setting the Network and Host Name](#setting-the-network-and-host-name). + +**Figure 9** Setting date and time +![](./figures/setting-date-and-time.png "setting-date-and-time") + +After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. + +## Setting the Installation Source + +On the **INSTALLATION SUMMARY** page, click **INSTALLATION SOURCE** to locate the installation source. + +* When you use the complete CD-ROM for installation, the installation program automatically detects and displays the installation source information. You can use the default settings, as shown in [Figure 10](#zh-cn_topic_0186390100_zh-cn_topic_0144427079_fig93633295132): + + **Figure 10** Installation source +![](./figures/Installation_source.png) + +* When the network source is used for installation, you need to set the URL of the network source. + + - HTTP or HTTPS mode + + The following figure shows the installation source in HTTP or HTTPS mode: + + ![](./figures/installsourceen.png) + + If the HTTPS server uses a private certificate, press **e** on the installation wizard page to go to the parameter editing page of the selected option, and add the **inst.noverifyssl** parameter. 
+ + Enter the actual installation source address, for example, **https://repo.openeuler.org/openEuler-21.03/OS/aarch64**, in the text box. **openEuler-21.03** indicates the version number, and **aarch64** indicates the CPU architecture. + + - FTP mode + + The following figure shows the installation source in FTP mode. Enter the FTP address in the text box. + + ![](./figures/sourceftp.png) + + You need to set up an FTP server, mount the **openEuler-21.03-aarch64-dvd.iso** image, and copy the mounted files to the shared directory on the FTP server. **aarch64** indicates the CPU architecture. You can use images as required. + + - NFS mode + + The following figure shows the installation source in NFS mode. Enter the NFS address in the text box. + + ![](./figures/sourcenfs.png) + + You need to set up an NFS server, mount the **openEuler-21.03-aarch64-dvd.iso** image, and copy the mounted file to the shared directory on the NFS server. **aarch64** indicates the CPU architecture. You can use images as required. + +During the installation, if you have any questions about configuring the installation source, see [An Exception Occurs During the Selection of the Installation Source](./faqs.html#an-exception-occurs-during-the-selection-of-the-installation-source). + +After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. + +## Selecting Installation Software + +On the **INSTALLATION SUMMARY** page, click **SOFTWARE SELECTION** to specify the software package to be installed. + +Based on the actual requirements, select **Minimal Install** on the left box and select an add-on in the **Add-Ons for Selected Environment** area on the right, as shown in [Figure 11](#en-us_topic_0186390261_en-us_topic_0122145865_fig03031519101414). 
+ +**Figure 11** Selecting installation software +![](./figures/selecting-installation-software.png "selecting-installation-software") + +> ![](./public_sys-resources/icon-note.gif) **NOTE:** +>- In **Minimal Install** mode, not all packages in the installation source will be installed. If the required package is not installed, you can mount the installation source to the local PC and configure a repo source, and use DNF to install the package. +>- If you select **Virtual Host**, the virtualization components QEMU, libvirt, and edk2 are installed by default. You can select whether to install the OVS component in the add-on area. + +After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. + +## Setting the Installation Destination + +On the **INSTALLATION SUMMARY** page, click **INSTALLATION DESTINATION** to select the OS installation disk and partition. + +You can view available local storage devices in [Figure 12](#fig1195417125015). + +> ![](./public_sys-resources/icon-notice.gif) **NOTICE:** +When selecting the device to be installed, you are advised not to use the NVMe SSD storage medium as the OS installation disk. + +**Figure 12** Setting the installation destination +![](./figures/setting-the-installation-destination.png "setting-the-installation-destination") + +### Storage Configuration + +On the **INSTALLATION DESTINATION** page, configure storage for system partition. You can either manually configure partitions or select **Automatic** to automatically configure partitioning. + +> ![](./public_sys-resources/icon-note.gif) **NOTE:** +> +> - During partitioning, to ensure system security and performance, you are advised to divide the device into the following partitions: **/boot**, **/var**, **/var/log**, **/var/log/audit**, **/home**, and **/tmp**. +> - If the system is configured with the swap partition, the swap partition is used when the physical memory of the system is insufficient. 
Although the swap partition can be used to expand the physical memory, if the swap partition is used due to insufficient memory, the system response slows and the system performance deteriorates. Therefore, you are not advised to configure the swap partition in the system with sufficient physical memory or the performance sensitive system. +> - If you need to split a logical volume group, select **Custom** to manually partition the logical volume group. On the **MANUAL PARTITIONING** page, click **Modify** in the **Volume Group** area to reconfigure the logical volume group. + +**Automatic** + +Select **Automatic** if the software is installed in a new storage device or the data in the storage device is not required. After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. + +**Customize** + +If you need to manually partition the disk, click **Customize** and click **Done** in the upper left corner. The following page is displayed. + +On the **MANUAL PARTITIONING** page, you can partition the disk in either of the following ways. After the partitioning is completed, the window shown in [Figure 14](#fig1277151815248) is displayed. + +- Automatic creation: Click **Click here to create them automatically**. The system automatically assigns four mount points according to the available storage space: **/boot**, **/**, **/boot/efi**, and **swap**. +- Manual creation: Click ![](./figures/en-us_image_0229291243.png) to add a mount point. It is recommended that the expected capacity of each mount point not exceed the available space. + + >![](./public_sys-resources/icon-note.gif) **NOTE:** +If the expected capacity of the mount point exceeds the available space, the system allocates the remaining available space to the mount point. 
+ +**Figure 13** MANUAL PARTITIONING page +![](./figures/manual-partitioning-page.png "manual-partitioning-page") + +After the setting is complete, click **Done** in the upper left corner to go back to the **SUMMARY OF CHANGES** page. +click **Accept Changes** to go back to the **INSTALLATION SUMMARY** page. + +## Setting the Network and Host Name + +On the **INSTALLATION SUMMARY** page, select **NETWORK \& HOST NAME** to configure the system network functions. + +The installation program automatically detects a local access interface. The detected interface is listed in the left box, and the interface details are displayed in the right-hand area, as shown in [Figure 14](#en-us_topic_0186390264_en-us_topic_0122145831_fig123700157297). You can enable or disable a network interface by clicking the switch in the upper right corner of the page. The switch is turned off by default. If the installation source is set to be the network, turn on the switch. You can also click **Configure** to configure the selected interface. Select **Connect automatically with priority** to enable the NIC to start automatically upon system startup, as shown in Figure 16. + +In the lower left box, enter the host name. The host name can be the fully quantified domain name (FQDN) in the format of hostname.domainname or the brief host name in the format of hostname. + +**Figure 14** Setting the network and host name +![](./figures/setting-the-network-and-host-name.png "setting-the-network-and-host-name") + +**Figure 15** Config the network +![](./figures/confignetwork.png "config-the-network") + +After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. + +## Setting the Root Password + +Select **Root Password** on the **INSTALLATION SUMMARY** page. The **Root Password** page is displayed, as shown in [Figure 15](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1323165793018). 
Enter a password based on [Password Complexity](#密码复杂度) requirements and confirm the password. + +> ![](./public_sys-resources/icon-note.gif) **NOTE:** +> +> - The root account is used to perform key system management tasks. You are not advised to use the root account for daily work or system access. +> +> - If you select **Lock root account** on the **Root Password** page, the root account will be disabled. + +**Figure 15** Root password +![](./figures/password-of-the-root-account.png "Root password") + +### Password Complexity + +The password of the **root** user or the password of the new user must meet the password complexity requirements. Otherwise, the password configuration or user creation will fail. The password complexity requirements are as follows: + +1. A password must contain at least eight characters. + +2. A password must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters. + +3. A password must be different from the account name. + +4. A password cannot contain words in the dictionary. + + >![](./public_sys-resources/icon-note.gif) **NOTE:** +In the installed openEuler environment, you can run the `cracklib-unpacker /usr/share/cracklib/pw_dict > dictionary.txt` command to export the dictionary library file **dictionary.txt**, and then check whether the password is in the dictionary. + +After the settings are completed, click **Done** in the upper left corner to return to the **INSTALLATION SUMMARY** page. + +## Creating a User + +Click **User Creation**. [Figure 16](#en-us_topic_0186390266_en-us_topic_0122145909_fig1237715313319) shows the page for creating a user. Enter a username and set a password. By clicking **Advanced**, you can also configure a home directory and a user group, as shown in [Figure 17](#en-us_topic_0186390266_en-us_topic_0122145909_fig128716531312). 
+ +**Figure 16** Creating a user +![](./figures/creating-a-user.png "creating-a-user") + +**Figure 17** Advanced user configuration +![](./figures/advanced-user-configuration.png "advanced-user-configuration") + +After configuration, click **Done** in the left-upper corner to switch back to the installation process page. + +## Starting Installation + +On the installation page, after all the mandatory items are configured, the safety symbols will disappear. Then, you can click **Begin Installation** to install the system. + +## Installation Procedure + +After the installation starts, the overall installation progress and the progress of writing the software package to the system are displayed. + + >![](./public_sys-resources/icon-note.gif) **NOTE:** +If you click **Exit** or reset or power off the server during the installation, the installation is interrupted and the system is unavailable. In this case, you need to reinstall the system. + +**Figure 18** Installation process +![](./figures/installation-process.png "installation-process") + +## Completing the Installation + +openEuler has been installed, Click **Reboot** to restart the system. + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +> - If the physical DVD-ROM is used to install the OS and the DVD-ROM drive is not automatically ejected during the restart, manually remove the DVD-ROM. Then, the openEuler CLI login page is displayed. +> - If the virtual DVD-ROM drive is used to install the OS, change the server boot option to **Hard Disk** and restart the server. Then, the openEuler CLI login page is displayed. + + diff --git a/content/en/docs/Installation/installation-mode.md b/docs/en/docs/Installation/installation-mode.md similarity index 86% rename from content/en/docs/Installation/installation-mode.md rename to docs/en/docs/Installation/installation-mode.md index b0920a914013fed75d526eabc37a3158bc9d5451..b043a6ada2863c059a603a7797fe38b497400934 100644 
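Review bot: In installation-guideline.md, the host name paragraph says "fully quantified domain name (FQDN)"; the term is "fully qualified domain name". The figure numbering in the same stretch is also inconsistent. The manual partitioning text points to Figure 14 while the caption reads "Figure 13 MANUAL PARTITIONING page". "Connect automatically with priority" cites Figure 16, although the network configuration figure is captioned Figure 15. Figure 15 is used twice, for "Config the network" and for "Root password". Suggest renumbering from the root password figure onward and fixing the references. The links `#密码复杂度` and `#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1323165793018` look carried over from the Chinese page; point the first at the English "Password Complexity" heading. Two smaller points: "click **Accept Changes**" starts a sentence in lower case, and "openEuler has been installed, Click **Reboot**" should be two sentences.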
--- a/content/en/docs/Installation/installation-mode.md +++ b/docs/en/docs/Installation/installation-mode.md @@ -1,7 +1,7 @@ # Installation Mode ->![](public_sys-resources/icon-notice.gif) **NOTICE:** ->- Only TaiShan 200 and FusionServer Pro servers are supported. For details about the supported server models, see [Hardware Compatibility](installation-preparations.html#hardware-compatibility). Only a virtualization platform created by the virtualization components \(openEuler as the host OS and QEMU and KVM provided in the release package\) of openEuler and the x86 virtualization platform of Huawei public cloud are supported. +>![](./public_sys-resources/icon-notice.gif) **NOTICE:** +>- Only TaiShan 200 and FusionServer Pro servers are supported. For details about the supported server models, see [Hardware Compatibility](./installation-preparations.html#hardware-compatibility). Only a virtualization platform created by the virtualization components \(openEuler as the host OS and QEMU and KVM provided in the release package\) of openEuler and the x86 virtualization platform of Huawei public cloud are supported. >- Currently, only installation modes such as CD-ROM, USB flash drive, network, QCOW2 image, and private image are supported. In addition, only the x86 virtualization platform of Huawei public cloud supports the private image installation mode. @@ -35,7 +35,7 @@ If you have obtained a CD/DVD-ROM, install the OS using the CD/DVD-ROM. If you h Perform the following operations to start the installation: ->![](C:/Users/Administrator/Downloads/openDocs/docs/content/en/docs/Installation/public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Set the system to preferentially boot from the CD/DVD-ROM drive. Take the BIOS as an example. You need to move the **CD/DVD-ROM Drive** option under **Boot Type Order** to the top. 1. Disconnect all drives that are not required, such as USB drives. 
@@ -59,7 +59,7 @@ Pay attention to the capacity of the USB flash drive. The USB flash drive must h [ 170.171135] sd 5:0:0:0: [sdb] Attached SCSI removable disk ``` - >![](C:/Users/Administrator/Downloads/openDocs/docs/content/en/docs/Installation/public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >Take the **sdb** USB flash drive as an example. 2. Switch to user **root**. When running the **su** command, you need to enter the password. @@ -98,10 +98,10 @@ Pay attention to the capacity of the USB flash drive. The USB flash drive must h Replace **/path/to/image.iso** with the complete path of the downloaded ISO image file, replace **device** with the device name provided by the **dmesg** command, and set a proper block size \(for example, 512 KB\) to replace **blocksize** to accelerate the write progress. - For example, if the ISO image file name is **/home/testuser/Downloads/openEuler-20.03-LTS-aarch64-dvd.iso** and the detected device name is **sdb**, run the following command: + For example, if the ISO image file name is **/home/testuser/Downloads/openEuler-21.03-aarch64-dvd.iso** and the detected device name is **sdb**, run the following command: ``` - # dd if=/home/testuser/Downloads/openEuler-20.03-LTS-aarch64-dvd.iso of=/dev/sdb bs=512k + # dd if=/home/testuser/Downloads/openEuler-21.03-aarch64-dvd.iso of=/dev/sdb bs=512k ``` 5. After the image is written, remove the USB flash drive. 
@@ -113,7 +113,7 @@ Pay attention to the capacity of the USB flash drive. The USB flash drive must h Perform the following operations to start the installation: ->![](C:/Users/Administrator/Downloads/openDocs/docs/content/en/docs/Installation/public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Set the system to preferentially boot from the USB flash drive. Take the BIOS as an example. You need to move the **USB** option under **Boot Type Order** to the top. 1. Disconnect all drives that are not required. @@ -131,8 +131,8 @@ If the target hardware is installed with a PXE-enabled NIC, we can configure it For installation through the network using PXE, the client uses a PXE-enabled NIC to send a broadcast request for DHCP information and IP address to the network. The DHCP server provides the client with an IP address and other network information, such as the IP address or host name of the DNS and FTP server \(which provides the files required for starting the installation program\), and the location of the files on the server. ->![](C:/Users/Administrator/Downloads/openDocs/docs/content/en/docs/Installation/public_sys-resources/icon-note.gif) **NOTE:** ->The TFTP, DHCP, and HTTP server configurations are not described here. For details, see [Full-automatic Installation Guide](using-kickstart-for-automatic-installation.html#full-automatic-installation-guide). +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>The TFTP, DHCP, and HTTP server configurations are not described here. For details, see [Full-automatic Installation Guide](./using-kickstart-for-automatic-installation.html#full-automatic-installation-guide). ## Installation Through a QCOW2 Image 
@@ -178,7 +178,7 @@ Perform the following operations to start the installation: 5. Create a VM. 6. Start the VM. -For details, see the [*openEuler 20.03 LTS Virtualization User Guide*](../Virtualization/virtualization.html). +For details, see the [*Virtualization User Guide*](./../Virtualization/virtualization.html). ## Installation Through a Private Image diff --git a/docs/en/docs/Installation/installation-preparations.md b/docs/en/docs/Installation/installation-preparations.md new file mode 100644 index 0000000000000000000000000000000000000000..c62e2d3e74d05ade6ce6ba1a54b097fcb9da77f8 --- /dev/null +++ b/docs/en/docs/Installation/installation-preparations.md 
@@ -0,0 +1,164 @@ +# Installation Preparations + +This section describes the compatibility of the hardware and software and the related configurations and preparations required for the installation. + + + +- [Installation Preparations](#installation-preparations) + - [Obtaining the Installation Source](#obtaining-the-installation-source) + - [Release Package Integrity Check](#release-package-integrity-check) + - [Introduction](#introduction) + - [Prerequisites](#prerequisites) + - [Procedure](#procedure) + - [Installation Requirements for PMs](#installation-requirements-for-pms) + - [Hardware Compatibility](#hardware-compatibility) + - [Minimum Hardware Specifications](#minimum-hardware-specifications) + - [Installation Requirements for VMs](#installation-requirements-for-vms) + - [Virtualization Platform Compatibility](#virtualization-platform-compatibility) + - [Minimum Virtualization Space](#minimum-virtualization-space) + + + +## Obtaining the Installation Source + +Obtain the openEuler release package and verification file before the installation. + +Perform the following operations to obtain the openEuler release package: + +1. Log in to the [openEuler Community](https://openeuler.org/zh/) website. +2. Click **Download**. +3. Choose the card **openEuler-21.03**. Click the link provided after **Download ISO**.The download list is displayed. + - **aarch64**: ISO image file of the AArch64 architecture + - **x86\_64**: ISO image file of the x86\_64 architecture + - **source**: ISO image file of the openEuler source code +4. Select the openEuler release package and verification file to be downloaded that adapt to the architecture of the environment to be installed. + - AArch64 architecture: + 1. Click **aarch64**. + 2. If you install the environment on the local host, download the release package **openEuler-21.03-aarch64-dvd.iso** and the verification file **openEuler-21.03-aarch64-dvd.iso.sha256sum** to the local host. + 3. 
If you install the environment on the network, download the release package **openEuler-21.03-netinst-aarch64-dvd.iso** and the verification file **openEuler-21.03-netinst-aarch64-dvd.iso.sha256sum** to the local host. + + - x86_64 architecture: + 1. Click **x86_64**. + 2. If you install the environment on the local host, download the release package **openEuler-21.03-x86_64-dvd.iso** and the verification file **openEuler-21.03-x86_64-dvd.iso.sha256sum** to the local host. + 3. If you install the environment on the network, download the release package **openEuler-21.03-netinst-x86_64-dvd.iso** and the verification file **openEuler-21.03-netinst-x86_64-dvd.iso.sha256sum** to the local host. + +>![](./public_sys-resources/icon-note.gif) **Note** +> When the network is available, install the environment on the network because the ISO release package is small. + +## Release Package Integrity Check + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>This section describes how to verify the integrity of the release package in the AArch64 architecture. The procedure for verifying the integrity of the release package in the x86\_64 architecture is the same. + +### Introduction + +To prevent the software package from being incompletely downloaded due to network or storage device faults during transmission, you need to verify the integrity of the software package after obtaining it. Only the software packages that pass the verification can be installed. + +Compare the verification value recorded in the verification file with the .iso file verification value calculated manually to check whether the software package passes the verification. If the verification values are consistent, the .iso file is not damaged. If they are inconsistent, you can confirm that the file is damaged and you need to obtain the file again. 
+ +### Prerequisites + +Before verifying the integrity of the release package, you need to prepare the following files: + +ISO file: **openEuler-21.03-aarch64-dvd.iso** + +Verification file: **openEuler-21.03-aarch64-dvd.iso.sha256sum** + +### Procedure + +To verify the file integrity, perform the following operations: + +1. Obtain the verification value in the verification file. Run the following command: + + ``` + $ cat openEuler-21.03-aarch64-dvd.iso.sha256sum + ``` + +2. Calculate the SHA256 verification value of the file. Run the following command: + + ``` + $ sha256sum openEuler-21.03-aarch64-dvd.iso + ``` + + After the command is run, the verification value is displayed. + +3. Check whether the values calculated in step 1 and step 2 are consistent. + + If the verification values are consistent, the .iso file is not damaged. If they are inconsistent, you can confirm that the file is damaged and you need to obtain the file again. + +## Installation Requirements for PMs + +To install the openEuler OS on a PM, the PM must meet the following hardware compatibility and minimum hardware requirements. + +### Hardware Compatibility + +You need to take hardware compatibility into account during openEuler installation. [Table 1](#table14948632047) describes the types of supported servers. + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +> +>- TaiShan 200 servers are backed by Huawei Kunpeng 920 processors. +>- Currently, only Huawei TaiShan and FusionServer Pro servers are supported. More servers from other vendors will be supported in the future. + +**Table 1** Supported servers + +| Server Type | Server Name | Server Model | +| :---- | :---- | :---- | +| Rack server | TaiShan 200 | 2280 balanced model | +| Rack server | FusionServer Pro | FusionServer Pro 2288H V5
NOTE:
The server must be configured with the Avago SAS3508 RAID controller card and the LOM-X722 NIC.| + +### Minimum Hardware Specifications + +[Table 2](#tff48b99c9bf24b84bb602c53229e2541) lists the minimum hardware specifications supported by openEuler. + +**Table 2** Minimum hardware specifications + +| Component | Minimum Hardware Specifications | +| :---- | :---- | +| Architecture | AArch64 or x86_64 | +| CPU | Two CPUs | +| Memory | ≥ 4 GB (8 GB or higher recommended for better user experience) | +| Hard disk | ≥ 120 GB (for better user experience) | + +## Installation Requirements for VMs + +To install the openEuler OS on a VM, the VM must meet the following hardware compatibility and minimum hardware requirements. + +### Virtualization Platform Compatibility + +When installing openEuler, pay attention to the compatibility of the virtualization platform. Currently, the following virtualization platforms are supported: + +- A virtualization platform created by the virtualization components \(openEuler as the host OS and QEMU and KVM provided in the release package\) of openEuler +- x86 virtualization platform of Huawei public cloud + +### Minimum Virtualization Space + +[Table 3](#tff48b99c9bf24b84bb602c53229e2541) lists the minimum virtualization space required by openEuler. + +**Table 3** Minimum virtualization space + +| Component | Minimum Virtualization Space | +| :---- | :---- | +| Architecture | AArch64 or x86_64 | +| CPU | Two CPUs| +| Memory | ≥ 4 GB (8 GB or higher recommended for better user experience) | +| Hard disk | ≥ 32 GB (120 GB or higher recommended for better user experience) | + + + + + + + + + + + + + + + + + + + + diff --git a/content/en/docs/Installation/public_sys-resources/icon-caution.gif b/docs/en/docs/Installation/public_sys-resources/icon-caution.gif similarity index 100% rename from content/en/docs/Installation/public_sys-resources/icon-caution.gif rename to docs/en/docs/Installation/public_sys-resources/icon-caution.gif 
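Review bot: In the Procedure of "Release Package Integrity Check" in installation-preparations.md, step 3 asks the reader to compare the output of `cat` and `sha256sum` by eye, which is easy to get wrong with a 64-character value. If the verification file is in standard sha256sum output format, a single `sha256sum -c openEuler-21.03-aarch64-dvd.iso.sha256sum` step would do the comparison and report the result. The Introduction correctly frames this as a check for damaged downloads. It would help to keep that wording in step 3 as well, since the verification file comes from the same download list as the ISO. Other points in this file: the English page links to `https://openeuler.org/zh/`; "**Download ISO**.The download list" is missing a space; Table 2 and Table 3 both link to `#tff48b99c9bf24b84bb602c53229e2541`; and the Table 2 hard disk row gives "≥ 120 GB (for better user experience)" as a minimum, while Table 3 gives 32 GB with 120 GB recommended.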
diff --git a/content/en/docs/Installation/public_sys-resources/icon-danger.gif b/docs/en/docs/Installation/public_sys-resources/icon-danger.gif similarity index 100% rename from content/en/docs/Installation/public_sys-resources/icon-danger.gif rename to docs/en/docs/Installation/public_sys-resources/icon-danger.gif diff --git a/content/en/docs/Installation/public_sys-resources/icon-note.gif b/docs/en/docs/Installation/public_sys-resources/icon-note.gif similarity index 100% rename from content/en/docs/Installation/public_sys-resources/icon-note.gif rename to docs/en/docs/Installation/public_sys-resources/icon-note.gif diff --git a/content/en/docs/Installation/public_sys-resources/icon-notice.gif b/docs/en/docs/Installation/public_sys-resources/icon-notice.gif similarity index 100% rename from content/en/docs/Installation/public_sys-resources/icon-notice.gif rename to docs/en/docs/Installation/public_sys-resources/icon-notice.gif diff --git a/content/en/docs/Installation/public_sys-resources/icon-tip.gif b/docs/en/docs/Installation/public_sys-resources/icon-tip.gif similarity index 100% rename from content/en/docs/Installation/public_sys-resources/icon-tip.gif rename to docs/en/docs/Installation/public_sys-resources/icon-tip.gif diff --git a/content/en/docs/Installation/public_sys-resources/icon-warning.gif b/docs/en/docs/Installation/public_sys-resources/icon-warning.gif similarity index 100% rename from content/en/docs/Installation/public_sys-resources/icon-warning.gif rename to docs/en/docs/Installation/public_sys-resources/icon-warning.gif 
diff --git a/content/en/docs/Installation/using-kickstart-for-automatic-installation.md b/docs/en/docs/Installation/using-kickstart-for-automatic-installation.md similarity index 89% rename from content/en/docs/Installation/using-kickstart-for-automatic-installation.md rename to docs/en/docs/Installation/using-kickstart-for-automatic-installation.md index e461976b19b6b557ac6d2d3af4d082a70e1d3aff..19aca36dcb9a7a5ac520494b6324b72abaef141c 100644 --- a/content/en/docs/Installation/using-kickstart-for-automatic-installation.md +++ b/docs/en/docs/Installation/using-kickstart-for-automatic-installation.md @@ -80,7 +80,7 @@ The environment requirements for semi-automatic installation of openEuler using - PM/VM \(for details about how to create VMs, see the documents from corresponding vendors\): includes the computer where kickstart is used for automatic installation and the computer where the kickstart tool is installed. - Httpd: stores the kickstart file. -- ISO: openEuler-20.03-LTS-aarch64-dvd.iso +- ISO: openEuler-21.03-aarch64-dvd.iso ### Procedure @@ -88,11 +88,11 @@ To use kickstart to perform semi-automatic installation of openEuler, perform th **Environment Preparation** ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Before the installation, ensure that the firewall of the HTTP server is disabled. Run the following command to disable the firewall: >``` >iptables -F ->``` +>``` 1. Install httpd and start the service. 
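Review bot: The NOTE under "Environment Preparation" still tells the reader to disable the firewall on the HTTP server with `iptables -F`, and this hunk only replaces the closing fence of that block. `iptables -F` flushes every rule in the filter table rather than admitting the kickstart traffic. Since the block is being touched anyway, suggest replacing it with a rule that opens only the httpd port and saying that the rule should be removed once installation is done. The replaced fence line appears to differ only in whitespace; drop that change if it is unintended.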
@@ -106,7 +106,7 @@ To use kickstart to perform semi-automatic installation of openEuler, perform th ``` # mkdir /var/www/html/ks - #vim /var/www/html/ks/openEuler-ks.cfg ===>The file can be obtained by modifying the anaconda-ks.cfg file automatically generated from openEuler. + #vim /var/www/html/ks/openEuler-ks.cfg ===>The file can be obtained by modifying the anaconda-ks.cfg file automatically generated from openEuler, or can be created using the system-config-kickstart tool. ==================================== ***Modify the following information as required.*** #version=DEVEL @@ -156,16 +156,18 @@ To use kickstart to perform semi-automatic installation of openEuler, perform th ===================================== ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >The method of generating the password ciphertext is as follows: - >\# python3 - >Python 3.7.0 \(default, Apr 1 2019, 00:00:00\) - >\[GCC 7.3.0\] on linux + >``` + ># python3 + >Python 3.7.0 (default, Apr 1 2019, 00:00:00) + >[GCC 7.3.0] on linux >Type "help", "copyright", "credits" or "license" for more information. - >\>\>\> import crypt - >\>\>\> passwd = crypt.crypt\("myPasswd"\) - >\>\>\> print\(passwd\) + >>>> import crypt + >>>> passwd = crypt.crypt("myPasswd") + >>>> print (passwd) >$6$63c4tDmQGn5SDayV$mZoZC4pa9Jdt6/ALgaaDq6mIExiOO2EjzomB.Rf6V1BkEMJDcMddZeGdp17cMyc9l9ML9ldthytBEPVcnboR/0 + >``` 3. Mount the ISO image file to the CD-ROM drive of the computer where openEuler is to be installed. 
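Review bot: In the password ciphertext NOTE, the example passes the plaintext as a string literal, `crypt.crypt("myPasswd")`, which leaves the password in the interpreter history, and it prints a full `$6$` hash that readers may copy into their own kickstart file. Suggest reading the password with `getpass.getpass()`, naming the method explicitly (`crypt.METHOD_SHA512`) instead of relying on the default, and replacing the printed hash with a placeholder. Formatting: inside the quoted fence the first `>` of `>>>> import crypt` is the blockquote marker, so a space after it would keep the prompt readable. `print (passwd)` has a stray space. In the earlier hunk, `#vim /var/www/html/ks/openEuler-ks.cfg` lacks the space after the prompt that the `# mkdir` line above it has.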
@@ -175,18 +177,18 @@ To use kickstart to perform semi-automatic installation of openEuler, perform th **Installing the System** 1. The installation selection dialog box is displayed. - 1. On the installation wizard page in [Starting the Installation](installation-guideline.html#starting-the-installation), select **Install openEuler 20.03 LTS** and press **e**. + 1. On the installation wizard page in [Starting the Installation](./installation-guideline.html#starting-the-installation), select **Install openEuler 21.03** and press **e**. 2. Add **inst.ks=http://server ip/ks/openEuler-ks.cfg** to the startup parameters. - ![](figures/semi-automatic-installation.png) + ![](./figures/startparam.png) 3. Press **Ctrl**+**x** to start the automatic installation. 2. Verify that the installation is complete. - After the installation is complete, the system automatically restarts. Then, the installation page is displayed again. Shut down the computer and change startup option to start from the hard disk preferentially. + After the installation is complete, the system automatically boots. If the first boot option of the system is set to the CD_ROM, the installation page is displayed again. Shut down the computer and change startup option to start from the hard disk preferentially. - ![](figures/completing-the-automatic-installation.png) + ![](./figures/completing-the-automatic-installation.png) ## Full-automatic Installation Guide @@ -199,7 +201,7 @@ The environment requirements for full-automatic installation of openEuler using - Httpd: stores the kickstart file. - TFTP: provides vmlinuz and initrd files. - DHCPD/PXE: provides the DHCP service. -- ISO: openEuler-20.03-LTS-aarch64-dvd.iso +- ISO: openEuler-21.03-aarch64-dvd.iso ### Procedure 
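Review bot: In the "Installing the System" steps, the new sentence "If the first boot option of the system is set to the CD_ROM" spells the device with an underscore, while the rest of this patch uses "CD/DVD-ROM drive"; use the same term. The same hunk switches the screenshot to `./figures/startparam.png`; please confirm that file is added under the Installation figures directory in this change, since the other new images appear as binary additions and this one is not visible here.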
@@ -207,11 +209,11 @@ To use kickstart to perform full-automatic installation of openEuler, perform th **Environment Preparation** ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Before the installation, ensure that the firewall of the HTTP server is disabled. Run the following command to disable the firewall: >``` >iptables -F ->``` +>``` 1. Install httpd and start the service. @@ -249,7 +251,7 @@ To use kickstart to perform full-automatic installation of openEuler, perform th 3. Run the following commands to prepare the installation source: ``` - # mount openEuler-20.03-LTS-aarch64-dvd.iso /mnt + # mount openEuler-21.03-aarch64-dvd.iso /mnt # cp -r /mnt/* /var/www/html/openEuler/ ``` @@ -271,7 +273,7 @@ To use kickstart to perform full-automatic installation of openEuler, perform th # System language lang zh_CN.UTF-8 #Use http installation source - url --url=http://192.168.122.1/openEuler/ + url --url=//192.168.122.1/openEuler/ %post #enable kdump sed -i "s/ ro / ro crashkernel=1024M,high /" /boot/efi/EFI/openEuler/grub.cfg @@ -314,8 +316,8 @@ To use kickstart to perform full-automatic installation of openEuler, perform th ### BEGIN /etc/grub.d/10_linux ### - menuentry 'Install openEuler 20.03 LTS' --class red --class gnu-linux --class gnu --class os { - set root=(tftp,192.168.122.1) + menuentry 'Install openEuler 21.03 ' --class red --class gnu-linux --class gnu --class os { + set root=(tftp,192.168.1.1) linux /vmlinuz ro inst.geoloc=0 console=ttyAMA0 console=tty0 rd.iscsi.waitnet=0 inst.ks=http://192.168.122.1/ks/openEuler-ks.cfg initrd /initrd.img } 
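Review bot: In the kickstart file hunk, the installation source changes from `url --url=http://192.168.122.1/openEuler/` to `url --url=//192.168.122.1/openEuler/`. That drops the protocol from the URL, while the comment directly above still reads "Use http installation source". Restore the `http://` prefix.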
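Review bot: In the grub.cfg menuentry, `set root=(tftp,192.168.1.1)` no longer matches the rest of the example. The `linux` line below it still fetches the kickstart file from `http://192.168.122.1/ks/openEuler-ks.cfg`, and the dhcpd.conf example sets `next-server 192.168.122.1` as the TFTP server. Keep the TFTP root at 192.168.122.1, or change every address in the example together. The new title `'Install openEuler 21.03 '` also has a trailing space before the closing quote.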
@@ -336,7 +338,7 @@ To use kickstart to perform full-automatic installation of openEuler, perform th filename "grubaa64.efi"; # pxelinux location of the startup file; next-server 192.168.122.1; # (IMPORTANT) TFTP server IP address; subnet 192.168.122.0 netmask 255.255.255.0 { - option routers 192.168.122.1; # Gateway address + option routers 192.168.111.1; # Gateway address option subnet-mask 255.255.255.0; # Subnet mask range dynamic-bootp 192.168.122.50 192.168.122.200; # Dynamic IP address range default-lease-time 21600; @@ -351,14 +353,14 @@ To use kickstart to perform full-automatic installation of openEuler, perform th 1. On the **Start boot option** screen, press **F2** to boot from the PXE and start automatic installation. - ![](figures/en-us_image_0229291270.png) + ![](./figures/en-us_image_0229291270.png) - ![](figures/en-us_image_0229291286.png) + ![](./figures/en-us_image_0229291286.png) - ![](figures/en-us_image_0229291247.png) + ![](./figures/en-us_image_0229291247.png) 2. The automatic installation window is displayed. 3. Verify that the installation is complete. - ![](figures/completing-the-automatic-installation.png) + ![](./figures/completing-the-automatic-installation.png) diff --git a/docs/en/docs/Quickstart/figures/Installation_wizard.png b/docs/en/docs/Quickstart/figures/Installation_wizard.png new file mode 100644 index 0000000000000000000000000000000000000000..350936cd80af6661f39716dc0c9a49f281600c62 Binary files /dev/null and b/docs/en/docs/Quickstart/figures/Installation_wizard.png differ diff --git a/docs/en/docs/Quickstart/figures/advanced-user-configuration.png b/docs/en/docs/Quickstart/figures/advanced-user-configuration.png new file mode 100644 index 0000000000000000000000000000000000000000..59a188aece92ad19cc9b42f69e235d9a9d4f702a Binary files /dev/null and b/docs/en/docs/Quickstart/figures/advanced-user-configuration.png differ 
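Review bot: In the dhcpd.conf hunk, `option routers` changes to 192.168.111.1, which lies outside the declared `subnet 192.168.122.0 netmask 255.255.255.0` and outside the `range dynamic-bootp 192.168.122.50 192.168.122.200` pool, so clients on that subnet would be handed a gateway they cannot reach directly. Keep the gateway inside 192.168.122.0/24 (the previous value was 192.168.122.1), or state in the text that the addresses are placeholders to be replaced consistently.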
diff --git a/docs/en/docs/Quickstart/figures/creating-a-user.png b/docs/en/docs/Quickstart/figures/creating-a-user.png new file mode 100644 index 0000000000000000000000000000000000000000..0e2befb0832d1167f5ffdcafdf7d9952d9ccdfbe Binary files /dev/null and b/docs/en/docs/Quickstart/figures/creating-a-user.png differ diff --git a/content/en/docs/Quickstart/figures/drive-icon.png b/docs/en/docs/Quickstart/figures/drive-icon.png similarity index 100% rename from content/en/docs/Quickstart/figures/drive-icon.png rename to docs/en/docs/Quickstart/figures/drive-icon.png diff --git a/content/en/docs/Quickstart/figures/en-us_image_0229420473.png b/docs/en/docs/Quickstart/figures/en-us_image_0229420473.png similarity index 100% rename from content/en/docs/Quickstart/figures/en-us_image_0229420473.png rename to docs/en/docs/Quickstart/figures/en-us_image_0229420473.png diff --git a/content/en/docs/Quickstart/figures/image-dialog-box.png b/docs/en/docs/Quickstart/figures/image-dialog-box.png similarity index 100% rename from content/en/docs/Quickstart/figures/image-dialog-box.png rename to docs/en/docs/Quickstart/figures/image-dialog-box.png diff --git a/docs/en/docs/Quickstart/figures/installation-process.png b/docs/en/docs/Quickstart/figures/installation-process.png new file mode 100644 index 0000000000000000000000000000000000000000..2d219c7605ee75e73dffba1e2dd7c277968d4801 Binary files /dev/null and b/docs/en/docs/Quickstart/figures/installation-process.png differ diff --git a/docs/en/docs/Quickstart/figures/installation-summary.png b/docs/en/docs/Quickstart/figures/installation-summary.png new file mode 100644 index 0000000000000000000000000000000000000000..d5ca555a2b2291e139b67098a7c23d29b23b8b24 Binary files /dev/null and b/docs/en/docs/Quickstart/figures/installation-summary.png differ 
diff --git a/docs/en/docs/Quickstart/figures/password-of-the-root-account.png b/docs/en/docs/Quickstart/figures/password-of-the-root-account.png new file mode 100644 index 0000000000000000000000000000000000000000..fe65e73a81e25e5fa90a13af707165911e7fa459 Binary files /dev/null and b/docs/en/docs/Quickstart/figures/password-of-the-root-account.png differ diff --git a/content/en/docs/Quickstart/figures/restart-icon.png b/docs/en/docs/Quickstart/figures/restart-icon.png similarity index 100% rename from content/en/docs/Quickstart/figures/restart-icon.png rename to docs/en/docs/Quickstart/figures/restart-icon.png diff --git a/docs/en/docs/Quickstart/figures/selecting-a-language.png b/docs/en/docs/Quickstart/figures/selecting-a-language.png new file mode 100644 index 0000000000000000000000000000000000000000..930bec7d3822a9e8289ee444a9fe6ee2dfdbad6c Binary files /dev/null and b/docs/en/docs/Quickstart/figures/selecting-a-language.png differ diff --git a/docs/en/docs/Quickstart/figures/selecting-installation-software.png b/docs/en/docs/Quickstart/figures/selecting-installation-software.png new file mode 100644 index 0000000000000000000000000000000000000000..c246e997d787d0d6a0439dcaf8780a09a9b72ca7 Binary files /dev/null and b/docs/en/docs/Quickstart/figures/selecting-installation-software.png differ diff --git a/content/en/docs/Quickstart/figures/setting-the-boot-device.png b/docs/en/docs/Quickstart/figures/setting-the-boot-device.png similarity index 100% rename from content/en/docs/Quickstart/figures/setting-the-boot-device.png rename to docs/en/docs/Quickstart/figures/setting-the-boot-device.png diff --git a/docs/en/docs/Quickstart/figures/setting-the-installation-destination.png b/docs/en/docs/Quickstart/figures/setting-the-installation-destination.png new file mode 100644 index 0000000000000000000000000000000000000000..224f165b222598aa140187bdfa9b1e75af36c0c5 Binary files /dev/null and b/docs/en/docs/Quickstart/figures/setting-the-installation-destination.png differ 
diff --git a/content/en/docs/Quickstart/public_sys-resources/icon-caution.gif b/docs/en/docs/Quickstart/public_sys-resources/icon-caution.gif similarity index 100% rename from content/en/docs/Quickstart/public_sys-resources/icon-caution.gif rename to docs/en/docs/Quickstart/public_sys-resources/icon-caution.gif diff --git a/content/en/docs/Quickstart/public_sys-resources/icon-danger.gif b/docs/en/docs/Quickstart/public_sys-resources/icon-danger.gif similarity index 100% rename from content/en/docs/Quickstart/public_sys-resources/icon-danger.gif rename to docs/en/docs/Quickstart/public_sys-resources/icon-danger.gif diff --git a/content/en/docs/Quickstart/public_sys-resources/icon-note.gif b/docs/en/docs/Quickstart/public_sys-resources/icon-note.gif similarity index 100% rename from content/en/docs/Quickstart/public_sys-resources/icon-note.gif rename to docs/en/docs/Quickstart/public_sys-resources/icon-note.gif diff --git a/content/en/docs/Quickstart/public_sys-resources/icon-notice.gif b/docs/en/docs/Quickstart/public_sys-resources/icon-notice.gif similarity index 100% rename from content/en/docs/Quickstart/public_sys-resources/icon-notice.gif rename to docs/en/docs/Quickstart/public_sys-resources/icon-notice.gif diff --git a/content/en/docs/Quickstart/public_sys-resources/icon-tip.gif b/docs/en/docs/Quickstart/public_sys-resources/icon-tip.gif similarity index 100% rename from content/en/docs/Quickstart/public_sys-resources/icon-tip.gif rename to docs/en/docs/Quickstart/public_sys-resources/icon-tip.gif diff --git a/content/en/docs/Quickstart/public_sys-resources/icon-warning.gif b/docs/en/docs/Quickstart/public_sys-resources/icon-warning.gif similarity index 100% rename from content/en/docs/Quickstart/public_sys-resources/icon-warning.gif rename to docs/en/docs/Quickstart/public_sys-resources/icon-warning.gif 
diff --git a/docs/en/docs/Quickstart/quick-start.md b/docs/en/docs/Quickstart/quick-start.md new file mode 100644 index 0000000000000000000000000000000000000000..51eb4231f8fb832675bea3050294e82a822d573c --- /dev/null +++ b/docs/en/docs/Quickstart/quick-start.md @@ -0,0 +1,355 @@ +# Quick Start + +This document uses openEuler 21.03 installed on the TaiShan 200 server as an example to describe how to quickly install and use openEuler OS. For details about the installation requirements and methods, see [ Installation Guide](./../Installation/Installation.html). + + + +- [Quick Start](#quick-start) + - [Installation Preparations](#installation-preparations) + - [Obtaining the Installation Source](#obtaining-the-installation-source) + - [Release Package Integrity Check](#release-package-integrity-check) + - [Starting the Installation](#starting-the-installation) + - [Installation](#installation) + - [Viewing System Information](#viewing-system-information) + + +## Installation Preparations + +- Hardware Compatibility + + [Table 1](#table14948632047) describes the types of supported servers. + + **Table 1** Supported servers + + + + + + + + + + + + + + + + + +

Server Type

+

Server Name

+

Server Model

+

Rack server

+

TaiShan 200

+

2280 balanced model

+

Rack server

+

FusionServer Pro

+

FusionServer Pro 2288H V5

+
NOTE:

The server must be configured with the Avago SAS3508 RAID controller card and the LOM-X722 NIC.

+
+
+ +- Minimum Hardware Specifications + + [Table 2](#tff48b99c9bf24b84bb602c53229e2541) lists the minimum hardware specifications supported by openEuler. + + **Table 2** Minimum hardware specifications + + + + + + + + + + + + + + + + + + + + + + + + + +

Component

+

Minimum Hardware Specifications

+

Description

+

Architecture

+
  • AArch64
  • x86_64
+
  • 64-bit Arm architecture
  • 64-bit Intel x86 architecture
+

CPU

+
  • Huawei Kunpeng 920 series
  • Intel ® Xeon® processor
+

-

+

Memory

+

≥ 4 GB (8 GB or higher recommended for better user experience)

+

-

+

Hard disk

+

≥ 120 GB (for better user experience)

+

The hard disk supports IDE, SATA, SAS interfaces.

+
+ + +## Obtaining the Installation Source + +Perform the following operations to obtain the openEuler release package: + +> ![](./public_sys-resources/icon-note.gif) **NOTE:** +The release packages of the AArch64 architecture support the UEFI mode, and the release packages of the x86\_64 architecture support the UEFI and Legacy modes. + +1. Log in to the [openEuler Community](https://openeuler.org) website. + +2. Click **Download**. + +3. Click the link provided after **Download ISO**. The download list is displayed. + +4. Click **openEuler-21.03**. The openEuler 21.03 version download list is displayed. + +5. Click **ISO**. The ISO download list is displayed. + + - **aarch64**: ISO image file of the AArch64 architecture + - **x86\_64**: ISO image file of the x86\_64 architecture + - **source**: ISO image file of the openEuler source code + +6. Select the openEuler release package and verification file to be downloaded based on the architecture of the environment to be installed. + + - If the AArch64 architecture is used: + + 1. Click **aarch64**. + 2. Click **openEuler-21.03-aarch64-dvd.iso** to download the openEuler release package to the local host. + 3. Click **openEuler-21.03-aarch64-dvd.iso.sha256sum** to download the openEuler verification file to the local host. + + - If the x86\_64 architecture is used: + + 1. Click **x86\_64**. + 2. Click **openEuler-21.03-x86\_64-dvd.iso** to download the openEuler release package to the local host. + 3. Click **openEuler-21.03-x86\_64-dvd.iso.sha256sum** to download the openEuler verification file to the local host. + +## Release Package Integrity Check + +To prevent incomplete download of the software package due to network or storage device problems during the transmission, you can perform the following steps to check the integrity of the obtained openEuler software package: + +1. Obtain the verification value in the verification file. 
Run the following command: + + ``` + $cat openEuler-21.03-aarch64-dvd.iso.sha256sum + ``` + +2. Calculate the SHA256 verification value of the file. Run the following command: + + ``` + $sha256sum openEuler-21.03-aarch64-dvd.iso + ``` + + After the command is run, the verification value is displayed. + +3. Check whether the values calculated in step 1 and step 2 are consistent. + + If the verification values are consistent, the .iso file is not damaged. If they are inconsistent, you can confirm that the file is damaged and you need to obtain the file again. + +## Starting the Installation + +1. Log in to the iBMC WebUI. + + For details, see [TaiShan 200 Server User Guide (Model 2280)](https://support.huawei.com/enterprise/en/doc/EDOC1100093459). + +2. Choose **Configuration** from the main menu, and select **Boot Device** from the navigation tree. The **Boot Device** page is displayed. + + Set **Effective** and **Boot Medium** to **One-time** and **DVD-ROM**, respectively, and click **Save**, as shown in [Figure 1](#fig1011938131018). + + **Figure 1** Setting the boot device +![](./figures/setting-the-boot-device.png "setting-the-boot-device") + +3. Choose **Remote Console** from the main menu. The **Remote Console** page is displayed. + + Select an integrated remote console as required to access the remote virtual console, for example, **Java Integrated Remote Console (Shared)**. + +4. On the toolbar, click the icon shown in the following figure. + + **Figure 2** Drive icon +![](./figures/drive-icon.png "drive-icon") + + An image dialog box is displayed, as shown in the following figure. + + **Figure 3** Image dialog box +![](./figures/image-dialog-box.png "image-dialog-box") + +5. Select **Image File** and then click **Browse**. The **Open** dialog box is displayed. + +6. Select the image file and click **Open**. In the image dialog box, click **Connect**. If **Connect** changes to **Disconnect**, the virtual CD/DVD-ROM drive is connected to the server. + +7. 
On the toolbar, click the restart icon shown in the following figure to restart the device. + + **Figure 4** Restart icon +![](./figures/restart-icon.png "restart-icon") + +8. A boot menu is displayed after the system restarts, as shown in [Figure 5](#fig1648754873314). + + > ![](./public_sys-resources/icon-note.gif) **NOTE:** + > + > - If you do not perform any operations within 1 minute, the system automatically selects the default option **Test this media \& install openEuler 21.03** and enters the installation page. + > - During PM installation, if you cannot use the arrow keys to select boot options and the system does not respond after you press **Enter**, click ![](./figures/en-us_image_0229420473.png) on the BMC page and configure **Key \& Mouse Reset**. + + **Figure 5** Installation Wizard + ![](./figures/Installation_wizard.png "Installation_wizard") + +9. On the installation wizard page, press **Enter** to select the default option **Test this media \& install openEuler 21.03** to enter the GUI installation page. + +## Installation + +After entering the GUI installation page, perform the following operations to install the system: + +1. Set an installation language. The default language is English. You can change the language based on the site requirements, as shown in [Figure 6](#fig874344811484). + + **Figure 6** Selecting a language + ![](./figures/selecting-a-language.png "selecting-a-language") + +2. On the **INSTALLATION SUMMARY** page, set configuration items based on the site requirements. + + - A configuration item with an alarm symbol must be configured. When the alarm symbol disappears, you can perform the next operation. + - A configuration item without an alarm symbol is configured by default. + - You can click **Begin Installation** to install the system only when all alarms are cleared. + + **Figure 7** Installation summary + ![](./figures/installation-summary.png "installation-summary") + + 1. 
Select **Software Selection** to set configuration items. + + Based on the site requirements, select **Minimal Install** on the left box and select an add-on in the **Add-Ons for Selected Environment** area on the right, as shown in [Figure 8](#fig1133717611109). + + **Figure 8** Selecting installation software + ![](./figures/selecting-installation-software.png "selecting-installation-software") + + > ![](./public_sys-resources/icon-note.gif) **NOTE:** + > + > - In **Minimal Install** mode, not all packages in the installation source will be installed. If the required package is not installed, you can mount the installation source to the local PC and configure a repo source, and use DNF to install the package. + > - If you select **Virtual Host**, the virtualization components QEMU, libvirt, and edk2 are installed by default. You can select whether to install the OVS component in the add-on area. + + After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. + + 2. Select **Installation Destination** to set configuration items. + + On the **INSTALLATION DESTINATION** page, select a local storage device. + + > ![](./public_sys-resources/icon-notice.gif) **NOTICE:** + > When selecting the device to be installed, you are advised not to use the NVMe SSD storage medium as the OS installation disk. + + You also need to configure the storage to partition the system. You can either manually configure partitions or select **Automatic** to automatically configure partitioning. Select **Automatic** if the software is installed in a new storage device or the data in the storage device is not required, as shown in [Figure 9](#fig153381468101). 
+ + **Figure 9** Setting the installation destination + ![](./figures/setting-the-installation-destination.png "setting-the-installation-destination") + + > ![](./public_sys-resources/icon-note.gif) **NOTE:** + > + > - During partitioning, to ensure system security and performance, you are advised to divide the device into the following partitions: **/boot**, **/var**, **/var/log**, **/var/log/audit**, **/home**, and **/tmp**. + > - If the system is configured with the swap partition, the swap partition is used when the physical memory of the system is insufficient. Although the swap partition can be used to expand the physical memory, if the swap partition is used due to insufficient memory, the system response slows and the system performance deteriorates. Therefore, you are not advised to configure the swap partition in the system with sufficient physical memory or the performance sensitive system. + > - If you need to split a logical volume group, select **Custom** to manually partition the logical volume group. On the **MANUAL PARTITIONING** page, click **Modify** in the **Volume Group** area to reconfigure the logical volume group. + + After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. + + 3. Select **Root Password** and set the root password. + + On the **ROOT PASSWORD** page, enter a password that meets the [Password Complexity](#密码复杂度) requirements and confirm the password, as shown in [Figure 10](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1323165793018). + + > ![](./public_sys-resources/icon-note.gif) **NOTE:** + > + > - The root account is used to perform key system management tasks. You are not advised to use the root account for daily work or system access. + > + > - If you select **Lock root account** on the **Root Password** page, the root account will be disabled. 
+ + **Password Complexity** + + The password of user root or a new user must meet the password complexity requirements. Otherwise, the password setting or user creation will fail. The password must meet the following requirements: + + 1. Contain at least eight characters. + + 2. Contain at least three of the following: uppercase letters, lowercase letters, digits, and special characters. + + 3. Different from the user name. + + 4. Not allowed to contain words in the dictionary. + + > ![](./public_sys-resources/icon-note.gif) **NOTE:** + > In the openEuler environment, you can run the `cracklib-unpacker /usr/share/cracklib/pw_dict > dictionary.txt` command to export the dictionary library file **dictionary.txt**. You can check whether the password is in this dictionary. + + **Figure 10** Root password + ![](./figures/password-of-the-root-account.png "Root password") + + After the settings are completed, click **Done** in the upper left corner to return to the **INSTALLATION SUMMARY** page. + + 4. Select **Create a User** and set the parameters. + + Figure 11](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1237715313319) shows the page for creating a user. Enter the user name and set the password. The password complexity must be the same as that of the root password. In addition, you can set the home directory and user group by clicking **Advanced**, as shown in [Figure 12](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1237715313319). + + **Figure 11** Creating a user + ![](./figures/creating-a-user.png "creating-a-user") + + **Figure 12** Advanced user configuration + ![](./figures/advanced-user-configuration.png "Advanced user configuration") + After the settings are completed, click **Done** in the upper left corner to return to the **INSTALLATION SUMMARY** page. + + 5. Set other configuration items. You can use the default values for other configuration items. + +3. 
Click **Start the Installation** to install the system, as shown in [Figure 13](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1237715313319). + + **Figure 13** Starting the installation + ![](./figures/installation-process.png "installation-process") +4. After the installation is completed, restart the system. + + openEuler has been installed. Click **Reboot** to restart the system. + +## Viewing System Information + +After the system is installed and restarted, the system CLI login page is displayed. Enter the username and password set during the installation to log in to openEuler OS and view the following system information. For details about system management and configuration, see the [openEuler 21.03 Administrator Guide](./../Administration/administration.html). + +- Run the following command to view the system information: + + ``` + cat /etc/os-release + ``` + + For example, the command and output are as follows: + + ``` + $ cat /etc/os-release + NAME="openEuler" + VERSION="21.03" + ID="openEuler" + VERSION_ID="21.03" + PRETTY_NAME="openEuler 21.03" + ANSI_COLOR="0;31" + ``` + +- View system resource information. + + Run the following command to view the CPU information: + + ``` + lscpu + ``` + + Run the following command to view the memory information: + + ``` + free + ``` + + Run the following command to view the disk information: + + ``` + fdisk -l + ``` + +- Run the following command to view the IP address: + + ``` + ip addr + ``` \ No newline at end of file diff --git a/content/en/docs/Releasenotes/acknowledgement.md b/docs/en/docs/Releasenotes/acknowledgement.md similarity index 100% rename from content/en/docs/Releasenotes/acknowledgement.md rename to docs/en/docs/Releasenotes/acknowledgement.md 
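Review bot: In docs/en/docs/Quickstart/quick-start.md, the "Release Package Integrity Check" section compares the ISO against a .sha256sum file downloaded from the same page, so it detects a damaged download but cannot show that the image is the one the project published. The section should state that limit. The commands are given only for the aarch64 file name although the x86_64 ISO is offered just above. Step 3 refers to "the values calculated in step 1 and step 2" when step 1 only reads the published value, and `$cat` / `$sha256sum` are missing the space after the prompt. If the verification file is in sha256sum's own output format, a single `sha256sum -c openEuler-21.03-aarch64-dvd.iso.sha256sum` would replace the manual comparison. Further down, the English page links to `#密码复杂度`, "Figure 11](#..." has lost its opening bracket, Figures 11, 12 and 13 all point at the same `fig1237715313319` anchor, the button is "Begin Installation" in step 2 but "Start the Installation" in step 3, and the file ends without a trailing newline.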
diff --git a/content/en/docs/Releasenotes/common-vulnerabilities-and-exposures-(cve).md b/docs/en/docs/Releasenotes/common-vulnerabilities-and-exposures-(cve).md similarity index 100% rename from content/en/docs/Releasenotes/common-vulnerabilities-and-exposures-(cve).md rename to docs/en/docs/Releasenotes/common-vulnerabilities-and-exposures-(cve).md diff --git a/content/en/docs/Releasenotes/contribution.md b/docs/en/docs/Releasenotes/contribution.md similarity index 62% rename from content/en/docs/Releasenotes/contribution.md rename to docs/en/docs/Releasenotes/contribution.md index cdac896b9a5b0634beec67586d09cdd93403958f..5ac221e1384a2093fdbb6effa314b17f5f896add 100644 --- a/content/en/docs/Releasenotes/contribution.md +++ b/docs/en/docs/Releasenotes/contribution.md 
@@ -1,22 +1,22 @@ # Contribution -As an openEuler user, you can contribute to the openEuler community in multiple ways. For details about how to contribute to the community, see [Contributions to the Community](https://openeuler.org/en/developer.html). Here, some methods are listed for reference. +As an openEuler user, you can contribute to the openEuler community in multiple ways. For details about how to contribute to the community, see [How to Contribute](https://openeuler.org/en/community/contribution/). Here, some methods are listed for reference. ## Special Interest Groups \(SIGs\) -openEuler brings together people of common interest to form different special interest groups \(SIGs\). For details about existing SIGs, see the [SIG list](https://openeuler.org/en/sig.html). +openEuler brings together people of common interest to form different special interest groups \(SIGs\). For details about existing SIGs, see the [SIG list](https://openeuler.org/en/sig/sig-list/). -You are welcome to join an existing SIG or create a SIG. For details about how to create a SIG, see the [SIG Management Procedure](https://gitee.com/openeuler/community/blob/master/zh/technical-committee/governance/README.md). +You are welcome to join an existing SIG or create a SIG. For details about how to create a SIG, see the [SIG Management Procedure](https://gitee.com/openeuler/community/blob/master/en/technical-committee/governance/README.md). ## Mail List and Tasks -You are welcome to actively help users solve problems raised in the [mail list](https://openeuler.org/en/community/mails.html) and issues \(including [code repository issues](https://gitee.com/organizations/openeuler/issues) and [software package repository issues](https://gitee.com/organizations/src-openeuler/issues)\). In addition, you can submit an issue. All these will help the openEuler community to develop better. 
+You are welcome to actively help users solve problems raised in the [mail list](https://openeuler.org/en/community/mailing-list/) and issues \(including [code repository issues](https://gitee.com/organizations/openeuler/issues) and [software package repository issues](https://gitee.com/organizations/src-openeuler/issues)\). In addition, you can submit an issue. All these will help the openEuler community to develop better. ## Documents -You can contribute to the community by submitting code. We also welcome your feedback on problems and difficulties, or suggestions on improving the usability and integrity of documents. For example, problems in obtaining software or documents and difficulties in using the system. Welcome to pay attention to and improve the documentation module of the [openEuler community](https://openeuler.org/zh/). +You can contribute to the community by submitting code. We also welcome your feedback on problems and difficulties, or suggestions on improving the usability and integrity of documents. For example, problems in obtaining software or documents and difficulties in using the system. Welcome to pay attention to and improve the documentation module of the [openEuler community](https://openeuler.org/en/). ## IRC -openEuler has also opened a channel in IRC as an additional channel to provide community support and interaction. For details, see [openEuler IRC](https://openeuler.org/zh/community/irc.html). +openEuler has also opened a channel in IRC as an additional channel to provide community support and interaction. For details, see [openEuler IRC](https://gitee.com/openeuler/community/blob/master/en/communication/IRCs.md). 
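Review bot: In the "Documents" paragraph of contribution.md, the re-added line still carries the fragment "For example, problems in obtaining software or documents and difficulties in using the system." and the phrase "Welcome to pay attention to and improve the documentation module". Since the line is being rewritten for the link anyway, fix the wording in the same change. The link text "mail list" and the "Mail List and Tasks" heading no longer match the new `/community/mailing-list/` target. The two gitee links (SIG Management Procedure and openEuler IRC) point at `blob/master`, so they follow whatever is on that branch rather than the content as of this release.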
diff --git a/content/en/docs/Releasenotes/installing-the-os.md b/docs/en/docs/Releasenotes/installing-the-os.md similarity index 84% rename from content/en/docs/Releasenotes/installing-the-os.md rename to docs/en/docs/Releasenotes/installing-the-os.md index bf34200af0a9f62c2c345a42b8f31b24253346d0..27cda92414b98895cb39dc8a402ce709bf0193c8 100644 --- a/content/en/docs/Releasenotes/installing-the-os.md +++ b/docs/en/docs/Releasenotes/installing-the-os.md @@ -2,7 +2,7 @@ ## Release Package -The following table lists the [openEuler release files](http://repo.openeuler.org/openEuler-20.03-LTS/), including the ISO release package, container image, VM image, and repo source that is used online. +The following table lists the [openEuler release files](http://repo.openeuler.org/openEuler-21.03/), including the ISO release package, container image, VM image, and repo source that is used online. **Table 1** openEuler release files @@ -15,14 +15,14 @@ The following table lists the [openEuler release files](http://repo.openeuler.or - ISO + ISO ISO release package The directory differentiates the ISO release packages for the AArch64, x86, and source, respectively. The details are as follows:
    -
  • openEuler-20.03-LTS-aarch64-dvd.iso and openEuler-20.03-LTS-x86_64-dvd.iso are the openEuler basic installation software package ISO files for the AArch64 and x86 architectures, respectively. The ISO files contain basic components running on the openEuler OS and meet the basic requirements of developers.
  • -
  • openEuler-20.03-LTS-everything-aarch64-dvd.iso and openEuler-20.03-LTS-everything-x86_64-dvd.iso are the openEuler full software package ISO files for the AArch64 and x86 architectures, respectively. In addition to all software in the openEuler basic installation software package, the ISO files also contain the software packages that have been verified in the openEuler community, which meet the advanced requirements of developers.
  • -
  • openEuler-20.03-LTS-debuginfo-aarch64-dvd.iso and openEuler-20.03-LTS-debuginfo-x86_64-dvd.iso are the openEuler debugging software package ISO files for the AArch64 and x86 architectures, respectively. The ISO files contain the symbol table information required for debugging and are used for debugging software functions and performance.
  • -
  • openEuler-20.03-LTS-source-dvd.iso is the ISO file that contains all source code software packages of the openEuler community, which is used offline by developers.
  • +
  • openEuler-21.03-aarch64-dvd.iso and openEuler-21.03-x86_64-dvd.iso are the openEuler basic installation software package ISO files for the AArch64 and x86 architectures, respectively. The ISO files contain basic components running on the openEuler OS and meet the basic requirements of developers.
  • +
  • openEuler-21.03-everything-aarch64-dvd.iso and openEuler-21.03-everything-x86_64-dvd.iso are the openEuler full software package ISO files for the AArch64 and x86 architectures, respectively. In addition to all software in the openEuler basic installation software package, the ISO files also contain the software packages that have been verified in the openEuler community, which meet the advanced requirements of developers.
  • +
  • openEuler-21.03-debuginfo-aarch64-dvd.iso and openEuler-21.03-debuginfo-x86_64-dvd.iso are the openEuler debugging software package ISO files for the AArch64 and x86 architectures, respectively. The ISO files contain the symbol table information required for debugging and are used for debugging software functions and performance.
  • +
  • openEuler-21.03-source-dvd.iso is the ISO file that contains all source code software packages of the openEuler community, which is used offline by developers.
Note:

Each ISO release package has its own verification file, which is used to verify the integrity of the ISO release package.

@@ -30,7 +30,7 @@ The following table lists the [openEuler release files](http://repo.openeuler.or - docker_img + docker_img Container image The openEuler container image, which provides only the basic bash environment, is used as the basic container image. The directory differentiates the container images for the AArch64 and x86 architectures, respectively.
Note: @@ -39,7 +39,7 @@ The following table lists the [openEuler release files](http://repo.openeuler.or - virtual_machine_img + virtual_machine_img VM image

The openEuler VM image provides only the basic running environment to shorten the VM deployment time. The directory differentiates the VM images for the AArch64 and x86 architectures, respectively.

说明: 
@@ -53,32 +53,32 @@ The following table lists the [openEuler release files](http://repo.openeuler.or - EPOL + EPOL Repo source The repo sources of the openEuler third-party software package are mainly contributed by third parties and communities, and are maintained by the providers. The directory differentiates the repo sources for the AArch64 and x86 architectures, respectively. - OS + OS The repo source of the openEuler basic installation software package provides the offline version upgrade function. The content of the software package is the same as that of the basic installation software package ISO in the ISO release package. The directory differentiates the repo sources for the AArch64 and x86 architectures, respectively. - debuginfo + debuginfo The repo source of the openEuler debugging software package provides the online download function. The content of the software package is the same as that of the debugging software package ISO in the ISO release package. The directory differentiates the repo sources for the AArch64 and x86 architectures, respectively. - everything + everything The repo source of the openEuler full software package provides the online download and version upgrade functions. The content of the software package is the same as that of the full software package ISO in the ISO release package. The directory differentiates the repo sources for the AArch64 and x86 architectures, respectively. - extras + extras The repo source of the openEuler extended software package is used to release new software packages with added features. The directory differentiates the repo sources for the AArch64 and x86 architectures, respectively. - source + source The repo source of all source code software packages in the openEuler community, which is used online by developers. 
- update + update The repo source of the openEuler upgrade software package, which is used to fix bugs and common vulnerabilities and exposures (CVE) in released versions and to update and release software with enhancements. It provides online download and software upgrade functions. The directory differentiates the repo sources for the AArch64 and x86 architectures, respectively. @@ -87,7 +87,7 @@ The following table lists the [openEuler release files](http://repo.openeuler.or ## Minimal Hardware Specifications -[Table 5](#en-us_topic_0182825778_tff48b99c9bf24b84bb602c53229e2541) lists the minimum hardware specifications for installing openEuler 20.03 LTS. +[Table 5](#en-us_topic_0182825778_tff48b99c9bf24b84bb602c53229e2541) lists the minimum hardware specifications for installing openEuler 21.03. **Table 5** Minimal hardware specifications @@ -149,7 +149,7 @@ The following table lists the [openEuler release files](http://repo.openeuler.or

Memory

-

32G*4 2933MHz

+

32G\*4 2933MHz

RAID controller card
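Review bot: In installing-the-os.md, the updated release-files link is still plain `http://repo.openeuler.org/openEuler-21.03/`, and this is the page that tells readers each ISO release package has its own verification file. If the repo host serves HTTPS, use it here so that the ISO and its verification file are not both fetched over an unauthenticated channel. While the 20.03-LTS names are being changed to 21.03, the virtual_machine_img row still contains the untranslated "说明:" on the English page. The minimum hardware table is referenced as "Table 5" although the only earlier table shown is Table 1, so confirm the numbering and the `en-us_topic_0182825778_` anchor still resolve.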

diff --git a/content/en/docs/Releasenotes/introduction.md b/docs/en/docs/Releasenotes/introduction.md similarity index 100% rename from content/en/docs/Releasenotes/introduction.md rename to docs/en/docs/Releasenotes/introduction.md diff --git a/docs/en/docs/Releasenotes/key-features.md b/docs/en/docs/Releasenotes/key-features.md new file mode 100644 index 0000000000000000000000000000000000000000..b964afe59e6a3d8b2e465da656b3ac58ca1a8691 --- /dev/null +++ b/docs/en/docs/Releasenotes/key-features.md 
@@ -0,0 +1,101 @@ +# Key Features + +## Brand New 5.10 Kernel + +In-depth optimization of scheduling, I/O, and memory management has been performed, providing more computing capabilities such as ARM64, x86, and RISC-V. + +- **Optimized scheduler**. The fairness of CFS tasks has been optimized. The NUMA aware asynchronous calling mechanism has been added so that the NVDIMM initialization is significantly improved. The SCHED\_IDLE scheduling policy is optimized to significantly reduce the scheduling delay of high-priority tasks and reduce interference to other tasks. +- **Optimized the NUMA balancing mechanism**. Better affinity, higher utilization, and fewer invalid migrations are achieved. +- **Enhanced the CPU isolation mechanism**. Interrupt isolation and unbound kthreads isolation are supported to enhance the isolation of CPU cores and avoid mutual interference between services. +- **Optimized Cgroup single-thread migration**. The dependency on the read and write semaphores of the thread group is eliminated. Time namespaces are introduced to facilitate container migration. +- **Limitable number of file handles that can be used in a container**. File handles include common file handles and network sockets. When a container is started, you can specify the `--files-limit` parameter to limit the maximum number of handles that can be opened in the container. +- **PSI support**. Pressure Stall Information (PSI) provides a method for evaluating system resources, such as the CPU, memory, and I/O pressure. An accurate detection method can help a resource user determine an appropriate workload, and can also help a system formulate an efficient resource scheduling policy, so as to maximize system resource utilization and improve user experience. +- **Optimized inter-process communication**. The **pipe/epoll\_wait** wakeup mechanism is optimized to improve the performance of waking up multiple waiting threads. +- **Enhanced memory management**. 
Memory control and statistics are refined, and heterogeneous memory, hot swap, and memory initialization functions are improved. More effective user control interfaces are provided. Hotspot locks and semaphores are optimized. Radical memory normalization and defragmentation are supported. The vmap/vmalloc mechanism is optimized, significantly improving the memory application efficiency. Memory maintenance and test features, such as **KASAN**, **kmemleak**, **slub\_debug**, and **oom**, are enhanced to improve the efficiency of locating and resolving memory problems. +- **Early Departure Time model switching**. It eliminates the limitation of the TCP framework during packet sending. The EDT timestamp is set for data packets based on the scheduling policy, which avoids the delay caused by large queue buffer and greatly improves the TCP performance. +- **MultiPath TCP**. MultiPath TCP improves performance and reliability in mobile and data scenarios and supports parallel transmission of multiple subflows in load balancing scenarios. +- **Log fast commit method**. EXT4 introduces a new and lightweight log method `-fast commit`, which can greatly accelerate time-consuming operations such as `fsync` and bring better performance. +- **dm writecache feature**. The dm writecache feature is supported to improve the sequential write performance of large SSD blocks and the performance of the DDR persistent memory. +- **io\_uring**. io\_uring is a new asynchronous I/O framework and implementation. It supports the polling mode. In polling mode, the performance is greatly improved, which is close to that of the SPDK. When the queue depth is high, the performance is better. +- **ILP32**. 32-bit applications are supported in the Kunpeng 920 ARM64 environment. +- **Enhanced IMA commercial use**. Based on the open-source IMA solution, the security, performance, and ease-of-use of IMA are enhanced to facilitate commercial use. +- **Per task stack check**. 
Per task stack check is supported to enhance the capability of defending against ROP attacks. +- **MPAM resource management and control**. The cache QoS and memory bandwidth control technologies of the ARM64 architecture is supported. +- **SEDI-based NMI mechanism and PMU-based NMI mechanism**. Hard lockup detection is enabled. perf nmi is enabled so that the performance analysis becomes more accurate. +- **VM CPU hot swap in the ARM64 platform**. CPU hot swap is supported in ARM64 for more flexible resource allocation. +- **Enhanced ARM64 kdump**. Memory reservation for addresses greater than 4 GB is supported so that the kdump can reserve more memory space to support machines with larger memory. +- **Raspberry PI series board**s. The support for the Raspberry PI has been integrated into the native openEuler 21.03 kernel. You can directly use the openEuler 21.03 kernel source code for debugging the boards. +- **KVM virtualization in the RISC-V platform** +- **1822 iNICs** + +## Kernel Hot Upgrade + +NVWA is an OS vulnerability repair and upgrade solution that implements quick hot replacement of the kernel without affecting services. + +- **The CPU park and quick kexec features** accelerate system startup and shutdown, reduce system downtime, and improve system availability. +- **The pin memory and PMem features** ensure quick and accurate recovery of service processes and improve service resilience. +- **The NVWA controllere** provides the gRPC communication interface, which is easy to use. + +## Enhanced Virtualization Function and Maintainability + +The live migration Pro capability is extended to improve the maintainability and testability. + +- **Live migration Pro feature**. multifd is enhanced to support TLS, ensuring data security during migration. Concurrent compression of live migration data is supported, improving migration performance. Statistics on data page access frequency are added for live migration data prediction in advance. 
+- **Performance debugging tool (vmtop).** You can dynamically view the resource usage of VMs in real time, including the CPU usage and memory usage. The x86\_64 architecture is supported. +- **I/O suspension**. I/O suspension is supported so that automatic retry is performed by default in case an I/O error occurs. If the retry times out, an alarm is reported. +- **Virtualization live migration on RISC-V architecture** + +## Lightweight Virtual Runtime (StratoVirt) + +Elastic memory, huge page, and system call filtering are added to enhance the performance and stability of the I/O subsystem. + +- **Elastic memory**. The memory can be allocated and reclaimed based on the memory requirements of the workload. The memory reclamation speed of virtio-balloon can reach 3 GB/s. +- **Huge page**. Huge page in the lightweight framework provides continuous physical memory pages for lightweight VMs, improving VM memory access efficiency. +- **System call filtering**. The device model has been simplified and system call filtering is supported. In the simplest configuration, only 35 system calls are required, effectively reducing the system attack surface. +- **Enhanced I/O subsystem**. Multi-channel concurrent I/O capability is supported and the performance is improved. The I/O-QoS capability improves the flexibility and stability of VM I/O traffic management. + +## Vertical Memory Expansion + +Various memory and storage media are supported to expand the system memory capacity and reduce memory usage costs. + +- **Hot and cold page identification**. The busy/idle status statistics mechanism of the kernel-mode memory page can accurately identify the cold and hot distribution of process memory page accesses. +- **Configurable elimination policies**. A configuration interface is provided to customize the cold and hot tiering policies for memory pages. +- **Smooth expansion**. Cold pages are automatically swapped out to the extended memory. 
The software deployed on the cold pages can run properly without changing or adapting the programming mode. +- **Multi-media expansion**. Multiple media such as SCM, XL flash, and NVMe SSD can be used as the extended memory. The cold and hot memory tiering solution is specified based on the access speed of the media to expand the memory and reduce performance loss. + +## OpenStack Victoria Integration + +OpenStack Victoria is a simple, scalable, rich, and standard cloud management operating system. For details about more features, see OpenStack Victoria release notes. + +- **Integrated OpenStack Victoria**. OpenStack Victoria enables the IaaS solution. +- **Enhanced block storage.** Advanced functions such as capacity expansion, snapshots, and VM image cloning are supported. +- **Container-based deployment and network capabilities**. Better integration with containers is achieved. +- **Extended services**. Extended services such as control panel management, bare metal server deployment, and cloud resource tracing are supported. + +## Kubernetes 1.20 Integration + +Kubernetes 1.20 is a cloud-native OS used to automatically deploy, scale, and manage containerized applications. For more information, see Kubernetes 1.20 release notes. + +- **Automatic rollout and rollback**. Kubernetes automatically rolls out applications or instances whose configurations have been modified and monitors the running status of the applications. If any application fails to be rolled out, Kubernetes will roll back the previous modification. +- **Service discovery and load balancing**. Service discovery and load balancing based on the container IP addresses and DNS names are supported. +- **Storage orchestration**. Automatic mounting of multiple storage backends, such as local storage, NFS, iSCSI, Gluster, and Ceph. +- **Scaleou**t. Manual scaleout on the CLI and UI, and automatic scaleout based on the CPU usage are supported. 
+ +## HA Cluster Solution + +The high-availability (HA) cluster solution provided by Kylinsoft implements second-level failover and provides users with an HA environment that ensures service continuity, continuous data protection, and disaster recovery. + +- **Multiple protection modes**. Protection modes such as dual-system hot backup, dual-system mutual backup, and multi-system backup (*N* + *M*) are supported to meet various protection requirements of service applications. +- **Physical machine and cloud scenarios**. HA can be configured in the VM pool, and for physical server nodes as well. +- **Network heartbeat modes (the single-heartbeat and dual-heartbeat modes)**. Shared data resources can be comprehensively monitored to ensure data consistency in extreme conditions. +- **Low resource consumption**. Online deployment is supported with secure use of protected application resources. +- **Mainstream system services and application software supported.** Nginx, httpd, MariaDB are supported. Secondary development is made possible. +- **HA-WEB man-machine interaction interfaces.** Interfaces for user login, cluster status display, and resource control are supported. +- **HA-API machine-machine interaction interfaces**. Interfaces for backend cluster control, resource management, cluster status monitoring, and resource status monitoring are supported. + +## More Desktop Environments + +More development desktop options and better development experience are provided. + +- **Xfce.** Xfce is a lightweight Linux desktop that occupies fewer resources than mainstream UIs. +- **DDE**. DDE is a Linux desktop environment provided by Uniontech Software. It is aesthetic, easy-to-use, and efficient. \ No newline at end of file diff --git a/docs/en/docs/Releasenotes/known-issues.md b/docs/en/docs/Releasenotes/known-issues.md new file mode 100644 index 0000000000000000000000000000000000000000..d79eae95f727ea83e11928d77f41827461ee9fa9 --- /dev/null 
+++ b/docs/en/docs/Releasenotes/known-issues.md @@ -0,0 +1,11 @@ +# Known Issues + +| ISSUE| Description| +|:----------|:----------| +| [I39AN0](https://gitee.com/openeuler/community/issues/I26ZLO?from=project-issue)| \[21.03] ARM Physical Machine Reports the Kernel Error: "ACPI CPPC: Failed to find PCC channel for subspace 0"| +| [I39I7C](https://gitee.com/open_euler/dashboard?issue_id=I29P84)| \[21.03] ARM Physical Machine Reports the Kernel Error: "The BMC does not support, but the BMC needs to be fixed"| +| [I39MQQ](https://gitee.com/open_euler/dashboard?issue_id=I39MQQ)| \[21.03] Input Is Abnormal and the User Login Fails in the RC1 Version After the Up and Down Arrow Keys Are Used in the Login Area on the Character Interface| +| [I3A52C](https://gitee.com/open_euler/dashboard?issue_id=I3A52C)| \[21.03] Samba Service Fails to Start| +| [I3AB65](https://gitee.com/open_euler/dashboard?issue_id=I3AB65)| \[21.03] SCAP Security Guide Does Not Support the Check of OPSS (General Operating System Protection Configuration File)| +| [I3A8YY](https://gitee.com/open_euler/dashboard?issue_id=I3A8YY)| \[21.03] Stopping of nfs-blkmap Is in the "failed" State| + diff --git a/content/en/docs/Releasenotes/public_sys-resources/icon-caution.gif b/docs/en/docs/Releasenotes/public_sys-resources/icon-caution.gif similarity index 100% rename from content/en/docs/Releasenotes/public_sys-resources/icon-caution.gif rename to docs/en/docs/Releasenotes/public_sys-resources/icon-caution.gif diff --git a/content/en/docs/Releasenotes/public_sys-resources/icon-danger.gif b/docs/en/docs/Releasenotes/public_sys-resources/icon-danger.gif similarity index 100% rename from content/en/docs/Releasenotes/public_sys-resources/icon-danger.gif rename to docs/en/docs/Releasenotes/public_sys-resources/icon-danger.gif 
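Review bot: the Key Features hunk has bold markers closing one character early in two bullet titles, `**Raspberry PI series board**s` and `**Scaleou**t`, so the final letter renders outside the bold. Move the closing `**` after the last letter. In the same hunk, `**The NVWA controllere**` has a stray trailing "e", "technologies of the ARM64 architecture is supported" needs "are", and "SEDI-based NMI mechanism" looks like a transposition of SDEI and should be checked against the kernel feature name. The two security bullets would be more useful to readers if they named what was changed: "Per task stack check" does not say which kernel mechanism or config option provides the ROP hardening, and "Enhanced IMA commercial use" does not say which IMA behaviours differ from upstream. The file also ends without a trailing newline.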
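Review bot: in known-issues.md the first two table rows link to a different issue than the one their label names: `[I39AN0]` points at `.../community/issues/I26ZLO?from=project-issue` and `[I39I7C]` points at `dashboard?issue_id=I29P84`, while the remaining four rows use an `issue_id` equal to the label. Please confirm which ID is correct in each of those rows and make the label and URL agree, otherwise anyone triaging the two ARM kernel errors lands on an unrelated ticket. The I39I7C description, "The BMC does not support, but the BMC needs to be fixed", also does not read as a kernel message; if it is meant to be one, quote the logged string verbatim as the I39AN0 row does.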
diff --git a/content/en/docs/Releasenotes/public_sys-resources/icon-note.gif b/docs/en/docs/Releasenotes/public_sys-resources/icon-note.gif similarity index 100% rename from content/en/docs/Releasenotes/public_sys-resources/icon-note.gif rename to docs/en/docs/Releasenotes/public_sys-resources/icon-note.gif diff --git a/content/en/docs/Releasenotes/public_sys-resources/icon-notice.gif b/docs/en/docs/Releasenotes/public_sys-resources/icon-notice.gif similarity index 100% rename from content/en/docs/Releasenotes/public_sys-resources/icon-notice.gif rename to docs/en/docs/Releasenotes/public_sys-resources/icon-notice.gif diff --git a/content/en/docs/Releasenotes/public_sys-resources/icon-tip.gif b/docs/en/docs/Releasenotes/public_sys-resources/icon-tip.gif similarity index 100% rename from content/en/docs/Releasenotes/public_sys-resources/icon-tip.gif rename to docs/en/docs/Releasenotes/public_sys-resources/icon-tip.gif diff --git a/content/en/docs/Releasenotes/public_sys-resources/icon-warning.gif b/docs/en/docs/Releasenotes/public_sys-resources/icon-warning.gif similarity index 100% rename from content/en/docs/Releasenotes/public_sys-resources/icon-warning.gif rename to docs/en/docs/Releasenotes/public_sys-resources/icon-warning.gif diff --git a/docs/en/docs/Releasenotes/release_notes.md b/docs/en/docs/Releasenotes/release_notes.md new file mode 100644 index 0000000000000000000000000000000000000000..146d127b10ffcbf95e9018b67d3eb2de167ade40 --- /dev/null +++ b/docs/en/docs/Releasenotes/release_notes.md @@ -0,0 +1,3 @@ +# Release Notes + +This document is the release notes for the openEuler 21.03 release version. \ No newline at end of file diff --git a/docs/en/docs/Releasenotes/resolved-issues.md b/docs/en/docs/Releasenotes/resolved-issues.md new file mode 100644 index 0000000000000000000000000000000000000000..ea183276474059d823213ff713499aa3969c979d --- /dev/null +++ b/docs/en/docs/Releasenotes/resolved-issues.md 
@@ -0,0 +1,235 @@ +# Resolved Issues + +For the complete issue list, see [Complete Issue List](https://gitee.com/organizations/src-openeuler/issues). + +For details about the kernel submission records, see \[Submission Record] (https://gitee.com/openeuler/kernel/commits/openEuler-21.03). + +For details about the resolved issues, see [Table 1](#table249714911433). + +Table 1 Resolved issues + +| ISSUE| Description| +|:----------|:----------| +| [I385CW](https://gitee.com/open_euler/dashboard?issue_id=I385CW)| \[21.03] An Error Is Reported During the Installation of mod\_fcgid, Indicating that Warnings and Failures Exist| +| [I38NM0](https://gitee.com/open_euler/dashboard?issue_id=I38NM0)| A Segment Error Occurs When the Same Enclave Is Destroyed Twice| +| [I38NO8](https://gitee.com/open_euler/dashboard?issue_id=I38NO8)| No Error Message Is Displayed When the Same Enclave Is Created Twice| +| [I38PJ8](https://gitee.com/open_euler/dashboard?issue_id=I38PJ8)| Infinite loop in htmlParseChunk found by fuzz| +| [I38QDA](https://gitee.com/open_euler/dashboard?issue_id=I38QDA)| Stack overflow found by honggfuzz| +| [I38SNU](https://gitee.com/open_euler/dashboard?issue_id=I38SNU)| \[21.03] System Services Fail to Be Started Due to SELinux Rules| +| [I38SON](https://gitee.com/open_euler/dashboard?issue_id=I38SON)| Codegen Fails to Display Messages When the Permission on the EDL Directory That Depends on the SDK Is Abnormal| +| [I38T6R](https://gitee.com/open_euler/dashboard?issue_id=I38T6R)| Displayed Message Is Unclear When the EDL File Is Not Specified or Is Added After **--search-path**| +| [I38WFT](https://gitee.com/open_euler/dashboard?issue_id=I38WFT)| Pacemaker Service Fails to Be Started in the Daily Build Version of openEuler 21.03, Which Can Be Resolved After the libqb Software Package Is Upgraded| +| [I38XEC](https://gitee.com/open_euler/dashboard?issue_id=I38XEC)| \[21.03] Rsyslog Service Fails to Be Started After the Minimum Installation Is Complete| +| 
[I38XHF](https://gitee.com/open_euler/dashboard?issue_id=I38XHF)| \[21.03] irqbalance Process Occasionally Times Out During VM Startup or Restart| +| [I38XPQ](https://gitee.com/open_euler/dashboard?issue_id=I38XPQ)| \[21.03] lm\_sensors Fails to Start or Restart on a Physical Machine or VM| +| [I38XQ2](https://gitee.com/open_euler/dashboard?issue_id=I38XQ2)| \[21.03] \[ARM/x86] Software Package Is Not Downloaded Based on the **dnf --downloadonly** Parameter | +| [I38XRJ](https://gitee.com/open_euler/dashboard?issue_id=I38XRJ)| \[21.03] tcsd.service Fails to Start or Restart on a VM| +| [I38XSC](https://gitee.com/open_euler/dashboard?issue_id=I38XSC)| \[21.03] VM Fails to Start or Restart rdisc| +| [I38ZCF](https://gitee.com/open_euler/dashboard?issue_id=I38ZCF)| \[21.03] \[ARM/x86] Kernel Version Displayed in **/etc/openEuler-latest** Is Different from the Actual Kernel Version | +| [I38ZTE](https://gitee.com/open_euler/dashboard?issue_id=I38ZTE)| \[21.03] File Conflict Occurs When hibernate-jpa-2.0-api-javadoc and hibernate-jpa-2.0-api-help Are Installed| +| [I391F2](https://gitee.com/open_euler/dashboard?issue_id=I391F2)| \[21.03] File Conflict Occurs When freeradius-posgresql and freeradius-mysql Are Installed| +| [I391PG](https://gitee.com/open_euler/dashboard?issue_id=I391PG)| \[21.03] "20.03" Is Displayed on the Boot Screen of the x86/ARM netinst Image and x86 Standard Image| +| [I3927G](https://gitee.com/open_euler/dashboard?issue_id=I3927G)| \[21.03] \[x86] Subpackages Conflict Occurs When NVML, nvml-help and PMDK Are Installed at the Same Time| +| [I392CF](https://gitee.com/open_euler/dashboard?issue_id=I392CF)| \[21.03] Warning Information Is Displayed During Firebird Installation| +| [I392HC](https://gitee.com/open_euler/dashboard?issue_id=I392HC)| \[openEuler 21.03] \[StratoVirt] Second Startup with the Same Configuration Fails and the Return Value Is Still 0 When the **-daemonize** Parameter Is Specified to Start a VM| +| 
[I392JK](https://gitee.com/open_euler/dashboard?issue_id=I392JK)| \[21.03] \[ARM/x86] Two python3-wheel Problems| +| [I392KT](https://gitee.com/open_euler/dashboard?issue_id=I392KT)| \[openEuler 21.03] \[StratoVirt] Error Message Is Displayed If the iothread Configured for the Device Specified by **-drive** Does Not Exist When a VM Is Started Using the CLI, But the Return Value Is Still 0 | +| [I393DJ](https://gitee.com/open_euler/dashboard?issue_id=I393DJ)| \[21.03] "call trace" Is Displayed in the Log After Minimum ARM Physical Machine Installation Is Performed and the System Is Rebooted| +| [I393JS](https://gitee.com/open_euler/dashboard?issue_id=I393JS)| \[21.03] \[x86] Error Message Is Displayed When the linux-sgx-driver Is Installed| +| [I393MX](https://gitee.com/open_euler/dashboard?issue_id=I393MX)| \[21.03] Error Message Is Displayed During the Installation of iavf| +| [I393NF](https://gitee.com/open_euler/dashboard?issue_id=I393NF)| \[21.03] Failure Reported During the Installation of sgx-dcap-pccs| +| [I393PF](https://gitee.com/open_euler/dashboard?issue_id=I393PF)| \[21.03] sgx-dcap-pccs Source Code Package Queried by Running the **dnf info** Command Is **sgx-dcap-pccs** Instead of **linux-sgx** | +| [I393U6](https://gitee.com/open_euler/dashboard?issue_id=I393U6)| \[21.03] Exception Occurs When fprintd Is Uninstalled| +| [I395AI](https://gitee.com/open_euler/dashboard?issue_id=I395AI)| \[openEuler 21.03] \[StratoVirt] Hot Swap Command Provided by virtio-net in **config\_guidebook.md** Is Incorrect | +| [I396YM](https://gitee.com/open_euler/dashboard?issue_id=I396YM)| \[21.03] Service Status Is "Failed" After authz Is Disabled on a VM| +| [I3980L](https://gitee.com/open_euler/dashboard?issue_id=I3980L)| Default Port Number Needs to Be Changed to 5000 Because 35357 Is No Longer Used| +| [I398PU](https://gitee.com/open_euler/dashboard?issue_id=I398PU)| \[21.03] \[x86/ARM] Error "Can't open PID file /run/irqbalance.pid" Reported by irqbalance| +| 
[I399FI](https://gitee.com/open_euler/dashboard?issue_id=I399FI)| No Configuration Files Available| +| [I399L1](https://gitee.com/open_euler/dashboard?issue_id=I399L1)| HTTPD Configuration File of Horizon Is Unavailable| +| [I399MW](https://gitee.com/open_euler/dashboard?issue_id=I399MW)| Duplicate spec and package| +| [I39A55](https://gitee.com/open_euler/dashboard?issue_id=I39A55)| Segment Error Occurs When An Enclave Is Created, A Random Number Is Generated, Encrypted, or Decrypted, or a Large Amount of Information Is Printed| +| [I39AEY](https://gitee.com/open_euler/dashboard?issue_id=I39AEY)| \[21.03] \[ARM/x86] Error Is Reported When **powertop2tuned new\_profile\_name --force** Is Executed | +| [I39AFM](https://gitee.com/open_euler/dashboard?issue_id=I39AFM)| \[21.03] Error "could not open '/sys/module/ib\_cm/holders'" Is Reported in System Logs of ARM Physical Machines| +| [I39AH8](https://gitee.com/open_euler/dashboard?issue_id=I39AH8)| \[21.03] \[ARM/x86] Error "startup phases are not supported" Is Reported by systemd-xdg-autostart-generator| +| [I39AJJ](https://gitee.com/open_euler/dashboard?issue_id=I39AJJ)| \[21.03] ARM Physical Machine Reports the Kernel Error "hisi\_sec2 0000:75:00.0: fail to alloc uacce"| +| [I39ALG](https://gitee.com/open_euler/dashboard?issue_id=I39ALG)| \[21.03] \[ARM] Kernel Error Is Reported on the TaiShan 2280 V2 Physical Machine: "cma: cma\_alloc: alloc failed"| +| [I39AM8](https://gitee.com/open_euler/dashboard?issue_id=I39AM8)| \[21.03] \[ARM] Kernel Error Is Reported on the TaiShan 2280 V2 Physical Machine: "swapper/0 page allocation failure"| +| [I39ANR](https://gitee.com/open_euler/dashboard?issue_id=I39ANR)| \[21.03] slpd Service Fails to Be Started Because the Binary File Is Missing When the OpenSLP Is Installed Using the base Source| +| [I39ET0](https://gitee.com/open_euler/dashboard?issue_id=I39ET0)| \[21.03] \[ARM/x86] Error Is Reported When oemaker Constructs the Standard ISO| +| 
[I39EVJ](https://gitee.com/open_euler/dashboard?issue_id=I39EVJ)| NULL pointer dereference in cil\_fill\_ipaddr| +| [I39GGV](https://gitee.com/open_euler/dashboard?issue_id=I39GGV)| \[21.03] Alarm Is Generated When the VM Starts or Restarts the php-fpm Service| +| [I39H0X](https://gitee.com/open_euler/dashboard?issue_id=I39H0X)| \[21.03] Self-Compiling of Some Packages Fails Because the Maven Script Is Missing in the Source Code| +| [I39HQB](https://gitee.com/open_euler/dashboard?issue_id=I39HQB)| \[21.03] Kernel Fails to Be Compiled Locally| +| [I39IB4](https://gitee.com/open_euler/dashboard?issue_id=I39IB4)| \[21.03] NIC Name Is Displayed as "rename" on the NIC and Host Name Setting Page During the Installation of an x86 Physical Machine| +| [I39IFV](https://gitee.com/open_euler/dashboard?issue_id=I39IFV)| \[21.03] NGINX Service Document Contains "redhat"| +| [I39KLF](https://gitee.com/open_euler/dashboard?issue_id=I39KLF)| Placement HTTPD Configuration Is Unavailable| +| [I39LM9](https://gitee.com/open_euler/dashboard?issue_id=I39LM9)| \[openEuler 21.03-RC1] \[vmtop] Terminal Page Is Refreshed| +| [I39LMD](https://gitee.com/open_euler/dashboard?issue_id=I39LMD)| \[openEuler 21.03-RC1] \[vmtop] Parameter Parsing and Error Information Is Missing| +| [I39MI9](https://gitee.com/open_euler/dashboard?issue_id=I39MI9)| \[21.03] Some SRC Files Fail to Be Compiled Locally Due to the Lack of maven-plugins-pom| +| [I39N4Y](https://gitee.com/open_euler/dashboard?issue_id=I39N4Y)| \[21.03] Local Compilation of Some Source Code Packages Fails Because totem-pl-parser-devel and pkgconfig (totem-plparser) Are Missing| +| [I39NDA](https://gitee.com/open_euler/dashboard?issue_id=I39NDA)| \[21.03] Local Compilation of XSane Fails Due to the Lack of gimp-devel| +| [I39NWJ](https://gitee.com/open_euler/dashboard?issue_id=I39NWJ)| \[21.03] Local Compilation of gnulib Fails| +| [I39OT1](https://gitee.com/open_euler/dashboard?issue_id=I39OT1)| \[21.03] PR Needs to Be Synchronized to the 
Fix iscsiadm segfault when exiting Branch| +| [I39OZA](https://gitee.com/open_euler/dashboard?issue_id=I39OZA)| \[openEuler 21.03] \[Virtualization] Support for the Zstd Compression Algorithm by Live Migration Is Not Included in the 21.03 Version| +| [I39PTI](https://gitee.com/open_euler/dashboard?issue_id=I39PTI)| Compilation Fails If the Signature Tool and Codegen Are Not Included in the secGear RPM Files| +| [I39Q0V](https://gitee.com/open_euler/dashboard?issue_id=I39Q0V)| \[21.03] "Failed to migrate controller cgroups" Is Displayed When a Common User Is Added and the user@id.service Corresponding to the User Is Started| +| [I39RTQ](https://gitee.com/open_euler/dashboard?issue_id=I39RTQ)| Optimized the Command Output for Database Initialization | +| [I39S7T](https://gitee.com/open_euler/dashboard?issue_id=I39S7T)| No Log Is Recorded When installdep, builddep, and bedepend Are Used to Query a Package That Does Not Exist for Multiple Times| +| [I39SCE](https://gitee.com/open_euler/dashboard?issue_id=I39SCE)| \[21.03] "opening triplet file failed" Is Displayed When Logs Are Queried After strongswan Is Enabled| +| [I39SYV](https://gitee.com/open_euler/dashboard?issue_id=I39SYV)| \[21.03] Local Compilation of Gemini Blueprint Fails Due to the Lack of springframework-context-support| +| [I39T5C](https://gitee.com/open_euler/dashboard?issue_id=I39T5C)| \[21.03] Error Is Displayed During the Startup of the Physical Machine: rdma-init-kernel: Failed to add sysattr match| +| [I39T7I](https://gitee.com/open_euler/dashboard?issue_id=I39T7I)| No Log Is Recorded If a File Does Not Exist During the Querying of Multiple Packages by selfdepend| +| [I39T9E](https://gitee.com/open_euler/dashboard?issue_id=I39T9E)| Compilation Fails If the EDL File Is Not Included When secGear-related RPM Packages Are Installed| +| [I39T9T](https://gitee.com/open_euler/dashboard?issue_id=I39T9T)| \[21.03] \[ARM/x86] System Reports an Error When the systemctl for Starting the rsyslog service and the 
rsyslogd Command Are Executed at the Same Time| +| [I39THU](https://gitee.com/open_euler/dashboard?issue_id=I39THU)| \[21.03] Error Message Is Displayed During the Startup of an x86 Physical Machine: "rdma-ndd: set Node Description failed on i40iw0"| +| [I39TLM](https://gitee.com/open_euler/dashboard?issue_id=I39TLM)| \[21.03] \[ARM/x86] All Commands in the sos Package Cannot be Executed and an Error Is Displayed Indicating that the **/etc/sos/sos.conf** Configuration File Does Not Exist | +| [I39TTG](https://gitee.com/open_euler/dashboard?issue_id=I39TTG)| \[21.03] \[ARM/x86] An Error Is Reported When the **cppcheck-htmlreport** Command in the cppcheck File Is Executed | +| [I39TTT](https://gitee.com/open_euler/dashboard?issue_id=I39TTT)| "sgx\_sign:command not found" Is Displayed During Compilation After the secGear RPM Package Is Installed. You Need to Run the **source** Command on the sgx Package, Compress the Package and Link It Directly| +| [I39TZM](https://gitee.com/open_euler/dashboard?issue_id=I39TZM)| \[21.03] openEuler-latest-release Fails to Be Compiled Locally| +| [I39U52](https://gitee.com/open_euler/dashboard?issue_id=I39U52)| \[21.03] Duplicate partuids Exist When Parted Partitions Are Used| +| [I39U8C](https://gitee.com/open_euler/dashboard?issue_id=I39U8C)| \[21.03] \[ARM/x86] Integrity Error Is Reported on the Physical Machine: "Unable to open file: /etc/keys/x509\_ima.der (-2)" | +| [I39W2T](https://gitee.com/open_euler/dashboard?issue_id=I39W2T)| \[21.03] Timestamps of the Files in the XFS File System Cannot Be Changed to Later than 2038| +| [I39W4K](https://gitee.com/open_euler/dashboard?issue_id=I39W4K)| Code Generation Tool Needs to Adapt to the secGear/host\_inc Directory Created When the secGear-related RPM Files Are Installed| +| [I39WJX](https://gitee.com/open_euler/dashboard?issue_id=I39WJX)| No Exception Is Captured When a Common User Is Initialized| +| [I39Y6E](https://gitee.com/open_euler/dashboard?issue_id=I39Y6E)| CMake Reports an 
Error After a secGear RPM File Is Installed| +| [I3A028](https://gitee.com/open_euler/dashboard?issue_id=I3A028)| \[21.03] Service Status Is "Failed" After atuned Is Disabled on a VM| +| [I3A0UX](https://gitee.com/open_euler/dashboard?issue_id=I3A0UX)| \[21.03] Local Compilation of Augeas Fails| +| [I3A0WO](https://gitee.com/open_euler/dashboard?issue_id=I3A0WO)| \[21.03] Local Compilation of Ceph Fails| +| [I3A103](https://gitee.com/open_euler/dashboard?issue_id=I3A103)| \[21.03] Local Compilation of Coreutils Fails| +| [I3A11P](https://gitee.com/open_euler/dashboard?issue_id=I3A11P)| Local Compilation of createrepo\_c Fails| +| [I3A16L](https://gitee.com/open_euler/dashboard?issue_id=I3A16L)| \[21.03] Local Compilation of Devhelp| +| [I3A1AI](https://gitee.com/open_euler/dashboard?issue_id=I3A1AI)| Setting Permission of the Encrypted Signature File and Others to 600| +| [I3A1TC](https://gitee.com/open_euler/dashboard?issue_id=I3A1TC)| \[21.03] \[x86] System Is Suspended and a Crash File Is Generated After Long-term Stability Test Cases Are Executed| +| [I3A2BR](https://gitee.com/open_euler/dashboard?issue_id=I3A2BR)| \[21.03] "Failed to parse PID from file /run/nginx.pid" Is Displayed When Logs Are Queried Using nginx start| +| [I3A3KM](https://gitee.com/open_euler/dashboard?issue_id=I3A3KM)| \[openEuler 21.03] \[Virtualization] cpu\_custom Patch Is Not Integrated Into Kernel 5.10.0-4.0.0| +| [I3A3X0](https://gitee.com/open_euler/dashboard?issue_id=I3A3X0)| \[21.03] "Error setting audit daemon pid (Permission denied)" Is Recorded in the Log After the System Is Installed and Anaconda Is Restarted| +| [I3A50O](https://gitee.com/open_euler/dashboard?issue_id=I3A50O)| \[21.03] Service Fails to Be Started After atune-engine Is Restarted on a VM| +| [I3A554](https://gitee.com/open_euler/dashboard?issue_id=I3A554)| \[openEuler 21.03] \[Virtualization] openEuler 21.03 Occupies a Large Amount of Memory After the ARM Server Is Started| +| 
[I3A5VT](https://gitee.com/open_euler/dashboard?issue_id=I3A5VT)| \[openEuler 21.03] \[Virtualization] A Small Amount of Memory Leaks During TLS Live Migration| +| [I3A5YC](https://gitee.com/open_euler/dashboard?issue_id=I3A5YC)| \[21.03] Service speech-dispatcher Fails To Be Started| +| [I3A600](https://gitee.com/open_euler/dashboard?issue_id=I3A600)| Command **/usr/sbin/sfcbd** Fails to Run| +| [I3A66H](https://gitee.com/open_euler/dashboard?issue_id=I3A66H)| \[21.03] \[ARM] System Reports an Exception After a Long-term Stability Test Case Is Executed for a Period of Time| +| [I3A6CP](https://gitee.com/open_euler/dashboard?issue_id=I3A6CP)| Two Basic Packages Fail to Be Compiled Locally After the Value of the Macro openEuler Is Changed to **21.03**| +| [I3A6FU](https://gitee.com/open_euler/dashboard?issue_id=I3A6FU)| \[21.03] \[x86/ARM] An Error Is Reported for the **semctl09/proc01/tpci** Case When LTP Is Executed | +| [I3A84O](https://gitee.com/open_euler/dashboard?issue_id=I3A84O)| An Error Is Reported When Flags Is Set to **0** During Enclave Creation | +| [I3A89D](https://gitee.com/open_euler/dashboard?issue_id=I3A89D)| \[21.03] nghttpx.service Fails to Be Started| +| [I3A8GH](https://gitee.com/open_euler/dashboard?issue_id=I3A8GH)| Segment Error Occurs When an Enclave Is Destroyed and Then Recreated| +| [I3A8IJ](https://gitee.com/open_euler/dashboard?issue_id=I3A8IJ)| \[21.03] spice-webdavd.service Fails to Be Restarted| +| [I3A8OS](https://gitee.com/open_euler/dashboard?issue_id=I3A8OS)| \[21.03] vma Service Status Changes to "inactive" After It Is Reloaded| +| [I3A8X9](https://gitee.com/open_euler/dashboard?issue_id=I3A8X9)| \[21.03] Error Logs Are Reported After the named-sdb-chroot,named-chroot and named Services Are Started| +| [I3A8YF](https://gitee.com/open_euler/dashboard?issue_id=I3A8YF)| \[21.03] Error Log "auxpropfunc error no mechanism available" Is Displayed After slapd.service Is Started| +| 
[I3A8Z8](https://gitee.com/open_euler/dashboard?issue_id=I3A8Z8)| \[21.03] Status of sm-client.service After Start Is: "sm-client.service: Failed to..."| +| [I3A8ZA](https://gitee.com/open_euler/dashboard?issue_id=I3A8ZA)| \[21.03] Error Log "auxpropfunc error no mechanism available" Is Displayed After the sendmail.service Is Started| +| [I3A936](https://gitee.com/open_euler/dashboard?issue_id=I3A936)| \[21.03] Service Status of the bacular-dir, bacular-fd and bacula-sd Services Changes to "failed" After They Are Started and Then Stopped| +| [I3ABFW](https://gitee.com/open_euler/dashboard?issue_id=I3ABFW)| Interface Is Changed Due to Package Upgrade| +| [I3AS0I](https://gitee.com/open_euler/dashboard?issue_id=I3AS0I)| \[RC1] Core Dump Is Triggered When glade Is Executed on the Xfce GUI in the AArch64 Architecture, But It Does Not Occur in the x86\_64 Environment| +| [I3AT8N](https://gitee.com/open_euler/dashboard?issue_id=I3AT8N)| \[21.03] \[ARM/x86] systemd-resolved.service Fails to Be Started and the NFS/SMB Service Fails to Be Restarted After the Server Is Restarted After the SELinux Is Enabled | +| [I3AXP2](https://gitee.com/open_euler/dashboard?issue_id=I3AXP2)| Error Is Reported When the Enclave Is Repeatedly Created, Random Numbers Are Generated, and the Enclave Is Destroyed | +| [I3B0IH](https://gitee.com/open_euler/dashboard?issue_id=I3B0IH)| \[21.03] [x86] Physical Machine Cannot Be Brought Online After CPU 0 Is Brought Offline | +| [I2433Y](https://gitee.com/open_euler/dashboard?issue_id=I2433Y)| \[pkgship] File **/usr/share/doc/pkgship/README.md** Is Not Updated| +| [I38NK4](https://gitee.com/open_euler/dashboard?issue_id=I38NK4)| Segment Error Occurs After the Enclave Is Destroyed| +| [I3A2CO](https://gitee.com/open_euler/dashboard?issue_id=I3A2CO)| sealert Command Is Unavailable After the Installation| +| [I3A8AW](https://gitee.com/open_euler/dashboard?issue_id=I3A8AW)| \[21.03] System Responds Abnormally When You Click a Button During the 
Installation of an x86 VM| +| [I3AAEM](https://gitee.com/open_euler/dashboard?issue_id=I3AAEM)| \[pkgship] Error Is Reported When Elasticsearch Is Installed and Started Using the Automatic Installation and Deployment Script| +| [I3AEG7](https://gitee.com/open_euler/dashboard?issue_id=I3AEG7)| \[21.03] Matplotlib Fails to Run| +| [I3AHWR](https://gitee.com/open_euler/dashboard?issue_id=I3AHWR)| \[pkgship] Database Initialization Often Fails| +| [I3AITX](https://gitee.com/open_euler/dashboard?issue_id=I3AITX)| \[21.03] Source Information Queried Using **dnf info apache-zookeeper** Is Inconsistent with the Source Package Name | +| [I3AIVF](https://gitee.com/open_euler/dashboard?issue_id=I3AIVF)| \[21.03] Failure Message Is Displayed When the Mailman Is Uninstalled| +| [I3AIZP](https://gitee.com/open_euler/dashboard?issue_id=I3AIZP)| \[openEuler 21.03] Error Message Is Displayed When the Kernel RPM Fails to Be Installed, Indicating that Headers Are Required| +| [I3AJ2L](https://gitee.com/open_euler/dashboard?issue_id=I3AJ2L)| \[pkgship] Error Is Reported During Command Execution When **init\_conf\_path** in the Configuration File Is Set to a Non-YAML File | +| [I3AJ33](https://gitee.com/open_euler/dashboard?issue_id=I3AJ33)| \[21.03] NIC Is Not Enabled and No IP Address Is Available After the System Is Started| +| [I3AJ36](https://gitee.com/open_euler/dashboard?issue_id=I3AJ36)| \[pkgship] Code Exception Occurs When the Initialization Command Specifies a File Path that Does Not Exist| +| [I3AJ5Q](https://gitee.com/open_euler/dashboard?issue_id=I3AJ5Q)| \[21.03] Service lvm2.pvscan Reports an Error Because the System Installed on the RAID Disk Cannot Be Identified| +| [I3AJZ3](https://gitee.com/open_euler/dashboard?issue_id=I3AJZ3)| \[21.03] spice-webdavd Fails to Be Started Due to the Lack of the Avahi Dependency Package| +| [I3AK1K](https://gitee.com/open_euler/dashboard?issue_id=I3AK1K)| \[pkgship] Initialized Databases Are Not Sorted Alphabetically When the 
Configured Database Priorities Are the Same| +| [I3AKM2](https://gitee.com/open_euler/dashboard?issue_id=I3AKM2)| \[21.03] \[x86/ARM] **mount -t cgroup -o memory ltp\_cgroup /dev/cgroup/** Fails to Be Executed After the **/dev/cgroup** Directory Is Created | +| [I3AKUR](https://gitee.com/open_euler/dashboard?issue_id=I3AKUR)| \[openEuler 21.03] \[iSCSI] Error Message "Unknown driver'iscsi'" Is Displayed When network\_disk Is Started in the New Version| +| [I3ALZ6](https://gitee.com/open_euler/dashboard?issue_id=I3ALZ6)| \[openEuler 21.03] \[I/O Suspension] Foolproof Is Not Set and the VM Can Still Be Started Using the QEMU Command When I/O Suspension Is Configured and **retry\_interval** and **retry\_timeout** Are Set to -1| +| [I3AM39](https://gitee.com/open_euler/dashboard?issue_id=I3AM39)| \[openEuler 21.03] Core Dump Fails Using the **virsh dump** Command Immediately After a VM Is Started| +| [I3AM4T](https://gitee.com/open_euler/dashboard?issue_id=I3AM4T)| \[openEuler 21.03] Memory Information Is Missing from the Cgroup Information of the QEMU Process| +| [I3AMMG](https://gitee.com/open_euler/dashboard?issue_id=I3AMMG)| \[openEuler 21.03] Setting **emulator\_quota** to **18446744073709551** Fails| +| \[[I3AMTA](https://gitee.com/open_euler/dashboard?issue_id=I3AMTA)| \[pkgship] Elasticsearch Times Out When the openEuler 20.09 Database Is Initialized| +| [I3AMVH](https://gitee.com/open_euler/dashboard?issue_id=I3AMVH)| \[21.03] \[ARM/x86] Some Services Fail to Be Started After SELinux Is Enabled | +| [I3AMW5](https://gitee.com/open_euler/dashboard?issue_id=I3AMW5)| \[pkgship] Interaction Is Canceled During Automatic Redis/Elasticsearch Installation and Deployment| +| [I3AN14](https://gitee.com/open_euler/dashboard?issue_id=I3AN14)| \[pkgship] System Should Prompt the User to Start the pkgship Service Instead of the uWSGI Service When the User Queries a Service That Is Not Started| +| [I3ANFP](https://gitee.com/open_euler/dashboard?issue_id=I3ANFP)| \[pkgship] 
Initialization Using the Local Repo Source that Does Not Exist Is Successful| +| [I3AP8U](https://gitee.com/open_euler/dashboard?issue_id=I3AP8U)| \[pkgship] **-install** and **-build** Parameters Cannot Be Transferred at the Same Time During pkgship bedepend Query| +| [I3AR58](https://gitee.com/open_euler/dashboard?issue_id=I3AR58)| \[21.03] \[x86/ARM] Installed LXCFS Service Fails to Be Started Due to the Lack of the Module to Load FUSE| +| [I3AR6K](https://gitee.com/open_euler/dashboard?issue_id=I3AR6K)| \[21.03] \[ARM/x86] Parameter **-q** of radeapclient Is Incorrect| +| [I3ARDX](https://gitee.com/open_euler/dashboard?issue_id=I3ARDX)| \[pkgship] Message Is Displayed Indicating that the Local pkgship Service Needs to be Started When a Client Sends a Request to Query the Server| +| [I3ARHT](https://gitee.com/open_euler/dashboard?issue_id=I3ARHT)| \[pkgship] System Falsely Displays a Message Indicating that the Service is Started When the Remote Redis Cannot Be Accessed| +| [I3ARNO](https://gitee.com/open_euler/dashboard?issue_id=I3ARNO)| \[21.03] Formatting of the mkfs.ext3 1.1 TB Disk of a Physical Machine Is Stuck| +| [I3AROU](https://gitee.com/open_euler/dashboard?issue_id=I3AROU)| \[pkgship] There Is No Traffic Control Measure for Local Query Accesses| +| [I3ART8](https://gitee.com/open_euler/dashboard?issue_id=I3ART8)| \[pkgship] Path in the Log Dump File Is Not Changed Accordingly After the Service Log Path Is Changed and the Service Is Started| +| [I3ARZH](https://gitee.com/open_euler/dashboard?issue_id=I3ARZH)| \[pkgship] Deleted **log\_name** in the Configuration File Takes Effect After It Is Manually Added and Assigned with a Value| +| [I3ASPJ](https://gitee.com/open_euler/dashboard?issue_id=I3ASPJ)| \[openEuler 21.03] \[Virtualization] Compression Level Range That Can Be Set for Zstd Compression Migration Is Inconsistent with that Described in the Document| +| [I3AUO2](https://gitee.com/open_euler/dashboard?issue_id=I3AUO2)| Using **kexec -l** to Add 
**cpuparkmem** to Reserve Memory Fails When **cpuparkmem** Is Not Added in the Baseline Version| +| [I3AVDX](https://gitee.com/open_euler/dashboard?issue_id=I3AVDX)| \[pkgship] Service Fails to Be Started When **query\_ip\_addr** Is Set to an IP Address That Does Not Exist| +| [I3AVO6](https://gitee.com/open_euler/dashboard?issue_id=I3AVO6)| \[21.03] ARM VM Reports the Following Kernel Error: "ERROR: Endpoint drop flag = 0, add flag = 1..."| +| [I3AW41](https://gitee.com/open_euler/dashboard?issue_id=I3AW41)| \[pkgship] Code Exception Is Thrown in the Command Output When an Invalid Address Is Configured for **remote\_host**| +| [I3AWPM](https://gitee.com/open_euler/dashboard?issue_id=I3AWPM)| \[21.03] ARM Kernel Does Not Support Files Cgroup| +| [I3AX0D](https://gitee.com/open_euler/dashboard?issue_id=I3AX0D)| **-q** Occasionally Fails to Load the Kernel When the Kernel Is Replaced Repeatedly Using **-q** and **-l** Alternately | +| [I3AZUU](https://gitee.com/open_euler/dashboard?issue_id=I3AZUU)| Account Is Not Locked If a User Enters Incorrect Login Passwords for Three Consecutive Times| +| [I3AZYM](https://gitee.com/open_euler/dashboard?issue_id=I3AZYM)| \[21.03 RC2] Error Is Reported When podman stats Is Executed| +| [I3B0ZW](https://gitee.com/open_euler/dashboard?issue_id=I3B0ZW)| sudo File Syntax Is Incorrect and Cannot Be Used| +| [I3B17Q](https://gitee.com/open_euler/dashboard?issue_id=I3B17Q)| \[21.03] Error Message "blk\_update\_request" Is Displayed When the ARM Physical Machine Boots from the USB I/O error| +| [I3B2B2](https://gitee.com/open_euler/dashboard?issue_id=I3B2B2)| \[21.03] Drive Letter Shift Occurs Occasionally Because No Hot Swap Is Performed| +| [I3B3BD](https://gitee.com/open_euler/dashboard?issue_id=I3B3BD)| \[21.03] Kernel Error "hisi\_sec2: Failed to enable PASID" Occurs on a TaiShan 200 (Model 2280) ARM Physical Machine| +| [I3B3G0](https://gitee.com/open_euler/dashboard?issue_id=I3B3G0)| \[pkgship] CLI Throws an Exception and Does Not 
Process It After the Value of database\_engine\_type in the Configuration File Is Changed| +| [I3B3IP](https://gitee.com/open_euler/dashboard?issue_id=I3B3IP)| \[pkgship] Value Assignment of the **REDIS** Parameter in the Configuration File Is Not Verified| +| [I3B3J7](https://gitee.com/open_euler/dashboard?issue_id=I3B3J7)| Specifications Should Be Provided for Large Memory Encryption and Decryption| +| [I3B48M](https://gitee.com/open_euler/dashboard?issue_id=I3B48M)| \[21.03] \[ARM/x86] Exception Occurs After the System Is Restarted When All Base Image Packages Are Installed and SELinux Is Enabled | +| [I3B4PB](https://gitee.com/open_euler/dashboard?issue_id=I3B4PB)| \[21.03] Kernel Occasionally Reports the Error on the Physical Machine: "usbhid: probe of 1-1.1:1.1 failed with error -110"| +| [I3B4VE](https://gitee.com/open_euler/dashboard?issue_id=I3B4VE)| \[ARM] \[21.03] kexec-related Logs Are Not Recorded During the nvwa Operation| +| [I3B4XH](https://gitee.com/open_euler/dashboard?issue_id=I3B4XH)| \[ARM] \[21.03] Method of Modifying the Service File Configuration Is Improper if the Port Needs to Be Changed During the nvwa Operation| +| [I3B4XU](https://gitee.com/open_euler/dashboard?issue_id=I3B4XU)| \[ARM] \[21.03] Restoration Using nvwa Update Fails If PID Is Occupied| +| [I3B4ZE](https://gitee.com/open_euler/dashboard?issue_id=I3B4ZE)| \[ARM] \[21.03] Service nvwa Needs to Support Configuration Update During Restart| +| [I3B514](https://gitee.com/open_euler/dashboard?issue_id=I3B514)| \[21.03] Kernel Error Occurs on an x86 Physical Machine: "xhci\_hcd: ERROR: unexpected command completion code 0x11"| +| [I3B5Z4](https://gitee.com/open_euler/dashboard?issue_id=I3B5Z4)| \[21.03] Field "20.03" Is Found in the Quick Start Document| +| [I3B60G](https://gitee.com/open_euler/dashboard?issue_id=I3B60G)| \[21.03] Corresponding Image Is Missing| +| [I3B85Z](https://gitee.com/open_euler/dashboard?issue_id=I3B85Z)| \[21.03] Kernel Error Occurs on an x86 Physical 
Machine: "ERROR: unexpected command completion code 0x11"| +| [I3B8JG](https://gitee.com/open_euler/dashboard?issue_id=I3B8JG)| \[21.03] Version Information in the Quick Start Document Is Incorrect| +| [I3B8NK](https://gitee.com/open_euler/dashboard?issue_id=I3B8NK)| \[21.03] Chinese Installation Guide Does Not Contain the Corresponding Screenshots| +| [I3BC45](https://gitee.com/open_euler/dashboard?issue_id=I3BC45)| \[21.03] Formatting of the mkfs.ext3 1.1 TB Disk of a Physical Machine Is Stuck| +| [I3BD57](https://gitee.com/open_euler/dashboard?issue_id=I3BD57)| \[21.03] Option Scanning of Security Compilation Is Abnormal| +| [I3BFEO](https://gitee.com/open_euler/dashboard?issue_id=I3BFEO)| Inspector Startup Service File Does Not Contain the --config-file Option and the Default Configuration File Is Missing| +| [I3BGE4](https://gitee.com/open_euler/dashboard?issue_id=I3BGE4)| \[21.03] \[ARM/x86] Parameter **radsqlrelay -P** Is Invalid| +| [I3BMBV](https://gitee.com/open_euler/dashboard?issue_id=I3BMBV)| \[21.03] \[ARM] No Use Option for the nvwa Binary| +| [I3BMHR](https://gitee.com/open_euler/dashboard?issue_id=I3BMHR)| \[21.03] Error Occurs When the samba-tool Command Is Executed| +| [I3BMJF](https://gitee.com/open_euler/dashboard?issue_id=I3BMJF)| \[ARM] \[21.03] Description of the Configuration Items That Users Do Not Need to Pay Attention to in the **server.yaml** File Should be Optimized to Avoid Incorrect Modification| +| [I3BQDY](https://gitee.com/open_euler/dashboard?issue_id=I3BQDY)| Process isgx Is Still Running After the linux-sgx-driver Is Installed and Then Removed| +| [I3BQH3](https://gitee.com/open_euler/dashboard?issue_id=I3BQH3)| \[ARM] \[21.03] Error Message "File \* already exists" Is Displayed When **syatemctl enable nvwa** Is Used| +| [I3BW4X](https://gitee.com/open_euler/dashboard?issue_id=I3BW4X)| \[openEuler 21.03] Error Is Reported When **cpu.cfs\_quota\_us** of cgroup Is Set to **18446744073709551**| +| 
[I3C6MP](https://gitee.com/open_euler/dashboard?issue_id=I3C6MP)| Spelling Error for Error Message "permission denied" Reported by the Codegen| +| [I3BHF2](https://gitee.com/open_euler/dashboard?issue_id=I3BHF2)| \[ARM] \[21.03] Service nvwa Supports Live Migration Only for the Daemon Process and SELinux Needs To Be Disabled| +| [I3BJIJ](https://gitee.com/open_euler/dashboard?issue_id=I3BJIJ)| \[pkgship] Initialization Progress Bar Keeps Running When the Files Fail to be Verified| +| [I3BMKM](https://gitee.com/open_euler/dashboard?issue_id=I3BMKM)| \[21.03] Error Message Is Displayed During i40e Installation| +| [I3BOC4](https://gitee.com/open_euler/dashboard?issue_id=I3BOC4)| \[openEuler 21.03] Sub-item 502.gcc of SPEC2017 Is Suspended| +| [I3BPQ8](https://gitee.com/open_euler/dashboard?issue_id=I3BPQ8)| \[21.03] Description About User Passwords in the *Administration/Managing Users and User Groups.md* Needs to Be Modified| +| [I3BQ2Z](https://gitee.com/open_euler/dashboard?issue_id=I3BQ2Z)| \[pkgship] Initialization Can Be Performed When the Service Is Disabled| +| [I3BQDX](https://gitee.com/open_euler/dashboard?issue_id=I3BQDX)| \[21.03] Description About Creating a Local Software Repository in the *Administration/Managing Software Packages Through DNF.md* Needs to Be Modified| +| [I3BQE3](https://gitee.com/open_euler/dashboard?issue_id=I3BQE3)| \[21.03] Some Packages Cannot Be Found During Group Installation| +| [I3BQVH](https://gitee.com/open_euler/dashboard?issue_id=I3BQVH)| \[21.03] Description About Extending a VG in the *Administration/Managing Hard Disks Through LVM.md* Needs to Be Modified| +| [I3BQW6](https://gitee.com/open_euler/dashboard?issue_id=I3BQW6)| \[21.03] Deletion of the **/** Partition Fails But the System Prompts That It Is Successfully Deleted| +| [I3BRDW](https://gitee.com/open_euler/dashboard?issue_id=I3BRDW)| \[openEuler 21.03] Device Update Using virsh update-device Fails| +| 
[I3BT7H](https://gitee.com/open_euler/dashboard?issue_id=I3BT7H)| \[ARM] \[21.03] No Dump Failure Log Is Generated in **/etc/nvwa/running** When the Service Dump Fails| +| [I3BT8M](https://gitee.com/open_euler/dashboard?issue_id=I3BT8M)| \[pkgship] pkginfo Interface Implementation Does Not Comply with the Design Document| +| [I3BTUX](https://gitee.com/open_euler/dashboard?issue_id=I3BTUX)| \[21.03] \[ARM/x86] Words in the Dictionary Can Be Used as the Password, Which Is Inconsistent with the Description in the Official Website Manual| +| [I3BU08](https://gitee.com/open_euler/dashboard?issue_id=I3BU08)| \[21.03] \[ARM/x86] LTP Test Case memcg\_stat\_test/memcg\_use\_hierarchy Fails to Be Executed| +| [I3BU3W](https://gitee.com/open_euler/dashboard?issue_id=I3BU3W)| \[21.03] \[x86/ARM] systemd-xdg-autostart-generator Reports an Error Because the pkcs11-register.desktop File Is Not Deleted| +| [I3BUAQ](https://gitee.com/open_euler/dashboard?issue_id=I3BUAQ)| \[21.03] Local Compilation of Atlas Fails| +| [I3BVKD](https://gitee.com/open_euler/dashboard?issue_id=I3BVKD)| \[21.03] Local Compilation of LAPACK Fails| +| [I3BVX5](https://gitee.com/open_euler/dashboard?issue_id=I3BVX5)| \[21.03] Error Log "Can't open PID file /run/sendmail.pid" Is Displayed After the sendmail.service Is Started| +| [I3BWCP](https://gitee.com/open_euler/dashboard?issue_id=I3BWCP)| \[21.03] \[ARM/x86] LTP semctl09 Fails Due to the glibc Problem | +| [I3BYW0](https://gitee.com/open_euler/dashboard?issue_id=I3BYW0)| \[21.03] Error Log "Unable to render networking" Is Displayed for the cloud-init Service After It Is Installed and the System Is Restarted| +| [I3BYW2](https://gitee.com/open_euler/dashboard?issue_id=I3BYW2)| \[21.03] Local Compilation of secGear Fails| +| [I3C00V](https://gitee.com/open_euler/dashboard?issue_id=I3C00V)| Description in the pkgship Document Is Incorrect| +| [I3C2ES](https://gitee.com/open_euler/dashboard?issue_id=I3C2ES)| \[21.03] Service rasdaemon of the Physical 
Machine Displays: "rasdaemon: Can't register mce handler" and "diskerror\_eventstore"| +| [I3C2JT](https://gitee.com/open_euler/dashboard?issue_id=I3C2JT)| \[21.03] \[x86] Error Log "Server GSSAPI error" Is Displayed After MariaDB Is Started| +| [I3C5A9](https://gitee.com/open_euler/dashboard?issue_id=I3C5A9)| \[openEuler 21.03] \[ARM] Compilation of libvirt Using the SRC Package Fails| +| [I3C5LD](https://gitee.com/open_euler/dashboard?issue_id=I3C5LD)| Core Occurs After etmemd Is Started and **etmem migrate start** Is Executed| +| [I3CBT0](https://gitee.com/open_euler/dashboard?issue_id=I3CBT0)| \[21.03] \[ARM] kdump Fails to Be Started| +| [I3CBXD](https://gitee.com/open_euler/dashboard?issue_id=I3CBXD)| \[21.03] Error Message Is Displayed When the Subpackage of GRUB2 Is Uninstalled| +| [I3CDJQ](https://gitee.com/open_euler/dashboard?issue_id=I3CDJQ)| \[21.03] Local Compilation Using rpmbuild Fails| +| [I3CEO1](https://gitee.com/open_euler/dashboard?issue_id=I3CEO1)| \[21.03] Local Compilation Using rpmbuild Fails| + diff --git a/content/en/docs/Releasenotes/source-code.md b/docs/en/docs/Releasenotes/source-code.md similarity index 84% rename from content/en/docs/Releasenotes/source-code.md rename to docs/en/docs/Releasenotes/source-code.md index c6a18531937da2a5a63e5ed41689230f3d068784..e8e41391360885baba774fecef9a255a2c6ff987 100644 --- a/content/en/docs/Releasenotes/source-code.md +++ b/docs/en/docs/Releasenotes/source-code.md @@ -5,5 +5,5 @@ openEuler contains two code repositories: - Code repository: [https://gitee.com/openeuler](https://gitee.com/openeuler) - Software package repository: [https://gitee.com/src-openeuler](https://gitee.com/src-openeuler) -The openEuler release packages also provide the source ISO files. For details, see [Installing the OS](installing-the-os.md). +The openEuler release packages also provide the source ISO files. For details, see [Installing the OS](./installing-the-os.md). 
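Review bot: In the issue table added above the source-code.md rename, the I3AMTA row begins with `| \[[I3AMTA](...)`, so a stray escaped bracket renders in front of the link; drop the `\[`. In the same table, two pairs of rows carry identical titles (I3ARNO and I3BC45 for the mkfs.ext3 1.1 TB disk, I3CDJQ and I3CEO1 for "Local Compilation Using rpmbuild Fails"). Check whether these are duplicates or whether the titles should name the affected package. "bacular-dir, bacular-fd" and "syatemctl enable nvwa" also look like typos for bacula and systemctl.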
diff --git a/content/en/docs/Releasenotes/terms-of-use.md b/docs/en/docs/Releasenotes/terms-of-use.md similarity index 79% rename from content/en/docs/Releasenotes/terms-of-use.md rename to docs/en/docs/Releasenotes/terms-of-use.md index dbbef6358b01550f1c2b03252c9b254e4682b953..8c3262c5130b4a587a7563ff69c8451b2e33b468 100644 --- a/content/en/docs/Releasenotes/terms-of-use.md +++ b/docs/en/docs/Releasenotes/terms-of-use.md @@ -1,14 +1,13 @@ # Terms of Use -**Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.** +**Copyright © 2021 openEuler Community** Your replication, use, modification, and distribution of this document are governed by the Creative Commons License Attribution-ShareAlike 4.0 International Public License \(CC BY-SA 4.0\). You can visit [https://creativecommons.org/licenses/by-sa/4.0/](https://creativecommons.org/licenses/by-sa/4.0/) to view a human-readable summary of \(and not a substitute for\) CC BY-SA 4.0. For the complete CC BY-SA 4.0, visit [https://creativecommons.org/licenses/by-sa/4.0/legalcode](https://creativecommons.org/licenses/by-sa/4.0/legalcode). **Trademarks and Permissions** -openEuler is a trademark of Huawei Technologies Co., Ltd. All other trademarks and registered trademarks mentioned in this document are the property of their respective holders. +openEuler is the trademark of the openEuler community. All other trademarks and registered trademarks mentioned in this document are the property of their respective holders. **Disclaimer** This document is used only as a guide. Unless otherwise specified by applicable laws or agreed by both parties in written form, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, including but not limited to non-infringement, timeliness, and specific purposes. - 
diff --git a/content/en/docs/Releasenotes/user-notice.md b/docs/en/docs/Releasenotes/user-notice.md similarity index 55% rename from content/en/docs/Releasenotes/user-notice.md rename to docs/en/docs/Releasenotes/user-notice.md index aba8b99475bb57ec2abe3ac65d7f22904cd0f9f6..65e12ded998bf253624df6e3802e58e015e92f46 100644 --- a/content/en/docs/Releasenotes/user-notice.md +++ b/docs/en/docs/Releasenotes/user-notice.md @@ -1,5 +1,5 @@ # User Notice -- The version number counting rule of openEuler is changed from openEuler _x.x_ to openEuler _year_._month_. For example, openEuler 20.03 indicates that the version is released in March 2020. -- The [Python core team](https://www.python.org/dev/peps/pep-0373/#update) has stopped maintaining Python 2 in January 2020. In 2020, openEuler 20.03 LTS fixes only the critical CVE of Python 2 and will reach the end of maintenance \(EOM\) on December 31, 2020. Please switch to Python 3 as soon as possible. +- The version number counting rule of openEuler is changed from openEuler _x.x_ to openEuler _year_._month_. For example, openEuler 21.03 indicates that the version is released in March 2020. +- The [Python core team](https://www.python.org/dev/peps/pep-0373/#update) has stopped maintaining Python 2 in January 2020. In 2020, openEuler 21.03 fixes only the critical CVE of Python 2 and will reach the end of maintenance \(EOM\) on December 31, 2020. Please switch to Python 3 as soon as possible. diff --git a/docs/en/docs/SecHarden/account-passwords.md b/docs/en/docs/SecHarden/account-passwords.md new file mode 100644 index 0000000000000000000000000000000000000000..10b81b847bebbb6b7772fbb165a9311ccf8c6ea2 --- /dev/null +++ b/docs/en/docs/SecHarden/account-passwords.md 
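Review bot: In user-notice.md the version string was changed to 21.03 but the dates were not, so the first bullet now says openEuler 21.03 "is released in March 2020", which contradicts the year.month rule it illustrates; by that rule it should read March 2021. The second bullet has the same problem: "In 2020, openEuler 21.03 fixes only the critical CVE of Python 2 and will reach the end of maintenance (EOM) on December 31, 2020" gives an end date earlier than the 21.03 release. Please restate what 21.03 actually supports for Python 2 rather than only substituting the version string.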
@@ -0,0 +1,335 @@ +# Account Passwords + +- [Account Passwords](#account-passwords) + - [Shielding System Accounts](#shielding-system-accounts) + - [Restricting Permissions on the su Command](#restricting-permissions-on-the-su-command) + - [Setting Password Complexity](#setting-password-complexity) + - [Setting the Password Validity Period](#setting-the-password-validity-period) + - [Setting Password Encryption Algorithms](#setting-password-encryption-algorithms) + - [Locking an Account After Three Login Failures](#locking-an-account-after-three-login-failures) + - [Hardening the su Command](#hardening-the-su-command) + +## Shielding System Accounts + +### Description + +Accounts excluding user accounts are system accounts. System accounts cannot be used for logins or performing other operations. Therefore, system accounts must be shielded. + +### Implementation + +Modify the shell of a system account to **/sbin/nologin**. + +``` +usermod -L -s /sbin/nologin $systemaccount +``` + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>_$systemaccount_ indicates the system account. + +## Restricting Permissions on the su Command + +### Description + +The **su** command is used to switch user accounts. To improve system security, only the user **root** and users in the wheel group can use the **su** command. + +### Implementation + +Modify the **/etc/pam.d/su** file as follows: + +``` +auth required pam_wheel.so use_uid +``` + +   + +**Table 1** Configuration item in pam\_wheel.so + + + + + + + + + + +

Item

+

Description

+

use_uid

+

UID of the current account.

+
+ +## Setting Password Complexity + +### Description + +You can set the password complexity requirements by modifying the corresponding configuration file. You are advised to set the password complexity based on the site requirements. + +### Implementation + +The password complexity is implemented by the **pam\_pwquality.so** and **pam\_pwhistory.so** modules in the **/etc/pam.d/password-auth** and **/etc/pam.d/system-auth** files. You can modify the configuration items of the two modules to change the password complexity requirements. + +### Example + +This section provides an example for configuring password complexity. + +**Password Complexity Requirements** + +1. Contains at least eight characters. +2. Contains at least three types of the following characters: + + - At least one lowercase letter + + - At least one uppercase letter + + - At least one digit + + - At least one space or one of the following special characters: \` \~ ! @ \# $ % ^ & \* \( \) - \_ = + \\ | \[ \{ \} \] ; : ' " , < . \> / ? + +3. Cannot be the same as an account or the account in reverse order. +4. Cannot be the last five passwords used. + +**Implementation** + +Add the following content to the **/etc/pam.d/password-auth** and **/etc/pam.d/system-auth** files: + +``` +password requisite pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0 +password required pam_pwhistory.so use_authtok remember=5 enforce_for_root +``` + +   + +**Configuration Item Description** + +For details about the configuration items of **pam\_pwquality.so** and **pam\_pwhistory.so**, see [Table 1](#table201221044172117) and [Table 2](#table1212544452120), respectively. + +**Table 1** Configuration items in pam\_pwquality.so + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item

+

Description

+

minlen=8

+

A password must contain at least eight characters.

+

minclass=3

+

A password must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters.

+

ucredit=0

+

A password contains any number of uppercase letters.

+

lcredit=0

+

A password contains any number of lowercase letters.

+

dcredit=0

+

A password contains any number of digits.

+

ocredit=0

+

A password contains any number of special characters.

+

retry=3

+

Each time a maximum of three password changes is allowed.

+

enforce_for_root

+

This configuration is also effective for user root.

+
+ +**Table 2** Configuration items in pam\_pwhistory.so + + + + + + + + + + + + + +

Item

+

Description

+

remember=5

+

A password must be different from the last five passwords used.

+

enforce_for_root

+

This configuration is also effective for user root.

+
+ +## Setting the Password Validity Period + +### Description + +To ensure system security, you are advised to set the password validity period and notify users to change passwords before the passwords expire. + +### Implementation + +The password validity period is set by modifying the **/etc/login.defs** file. [Table 1](#en-us_topic_0152100281_t77b5d0753721450c81911c18b74e82eb) describes the hardening items. All hardening items in the table are in the **/etc/login.defs** file. You can directly modify the items in the configuration file. + +**Table 1** Configuration items in login.defs + + + + + + + + + + + + + + + + + + + + + + + + +

Item

+

Description

+

Suggestion

+

Configured as Suggested

+

PASS_MAX_DAYS

+

Maximum validity period of a password.

+

90

+

No

+

PASS_MIN_DAYS

+

Minimum interval between password changes.

+

0

+

No

+

PASS_WARN_AGE

+

Number of days before the password expires.

+

7

+

No

+
+ +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>The **login.defs** file is used to set restrictions on user accounts, such as setting the maximum password validity period and maximum length. The configuration in this file is invalid for the user **root**. If the **/etc/shadow** file contains the same items, the **/etc/shadow** configuration takes precedence over the **/etc/login.defs** configuration. When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system. + +## Setting Password Encryption Algorithms + +### Description + +For system security, passwords cannot be stored in plaintext in the system and must be encrypted. The passwords that do not need to be restored must be encrypted using irreversible algorithms. Set the password encryption algorithm to SHA-512. This item has been set by default in openEuler. The preceding settings can effectively prevent password disclosure and ensure password security. + +### Implementation + +To set the password encryption algorithm, add the following configuration to the **/etc/pam.d/password-auth** and **/etc/pam.d/system-auth** files: + +``` +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +``` + +   + +**Table 1** Configuration items in pam\_unix.so + + + + + + + + + + +

Item

+

Description

+

sha512

+

The SHA-512 algorithm is used for password encryption.

+
+ +## Locking an Account After Three Login Failures + +### Description + +To ensure user system security, you are advised to set the maximum number of incorrect password attempts \(three attempts are recommended\) and the automatic unlocking time \(300 seconds are recommended\) for a locked account. + +If an account is locked, any input is invalid but does not cause the locking timer to recount. Records of the user's invalid inputs are cleared once unlocked. The preceding settings protect passwords from being forcibly cracked and improve system security. + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>By default, the maximum number of incorrect password attempts is 3 in openEuler. After the system is locked, the automatic unlock time is 60 seconds. + +### Implementation + +The password complexity is set by modifying the **/etc/pam.d/password-auth** and **/etc/pam.d/system-auth** files. The maximum number of incorrect password attempts is set to **3**, and the unlocking time after the system is locked is set to **300** seconds. The configuration is as follows: + +``` +auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300 +auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300 +``` + +**Table 1** Configuration items in pam\_faillock.so + + + + + + + + + + + + + + + + + + + +

Item

+

Description

+

authfail

+

Captures account login failure events.

+

deny=3

+

A user account will be locked after three login attempts.

+

unlock_time=300

+

A locked common user account is automatically unlocked in 300 seconds.

+

even_deny_root

+

This configuration is also effective for user root.

+
+ +## Hardening the su Command + +### Description + +To enhance system security and prevent the environment variables of the current user from being brought into other environments when you run the **su** command to switch to another user, this item has been configured by default in openEuler. The **PATH** variable is always initialized when the **su** command is used to switch users. + +### Implementation + +Modify the **/etc/login.defs** file. The configuration is as follows: + +``` +ALWAYS_SET_PATH=yes +``` diff --git a/docs/en/docs/SecHarden/appendix.md b/docs/en/docs/SecHarden/appendix.md new file mode 100644 index 0000000000000000000000000000000000000000..2c47d84fc9055ad6390ee0eb7e63cd76f9b6eff3 --- /dev/null +++ b/docs/en/docs/SecHarden/appendix.md 
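Review bot: In account-passwords.md, the pam_unix.so line under "Setting Password Encryption Algorithms" carries nullok, the pam_unix option that tolerates accounts with an empty password, and the table below it documents only sha512; for a hardening guide either drop nullok or explain why it is kept. Under "Locking an Account After Three Login Failures", the Implementation paragraph opens with "The password complexity is set by modifying", which is carried over from the earlier section and should describe the lockout policy. In the same section the deny=3 row should say three failed login attempts rather than "three login attempts". In the login.defs table, the PASS_WARN_AGE description "Number of days before the password expires" does not say that this is the period during which the user is warned.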
@@ -0,0 +1,36 @@ +# Appendix + +This chapter describes the file permissions and **umask** values. + +- [Appendix](#appendix.md) + - [Permissions on Files and Directories](#permissions-on-files-and-directories) + - [umask Values](#umask-values) + + + + + +## Permissions on Files and Directories + +Permission on files and directories in Linux specifies the users who can access and perform operations on files and directories and the access and operation modes. Permissions on files and directories include read only, write only, and execute. + +The following types of users can access files and directories: + +- File creator +- Users in the same group as a file creator +- Users not in the same group as a file creator + +An example of permission on files and directories is described as follows: + +If the permission on **/usr/src** is set to **755** which is 111101101 in binary mode, permissions for each type of users are described as follows: + +- The left-most **111** indicates that the file owner can read, write, and execute the file. +- The middle **101** indicates the group users can read and execute but cannot write the file. +- The right-most **101** indicates that other users can read and execute but cannot write the file. + +## umask Values + +When a user creates a file or directory, the file or directory has a default permission. The default permission is specified by the **umask** value. + +The **umask** value is the complement of the permission value. The actual permission value is obtained by subtracting the **umask** value from the default maximum permission value. The default maximum permission of a file is readable and writable. The default maximum permission of a directory is readable, writable, and executable. The default permission of a file is 666 minus the **umask** value. The default permission of a directory is 777 minus the **umask** value. + 
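Review bot: In the "umask Values" section of appendix.md, "obtained by subtracting the umask value from the default maximum permission value" is only correct when every umask bit is also set in the maximum. The umask bits are cleared from the maximum (maximum AND NOT umask), so a file created under umask 0033 gets 644, not 633. Please describe it as masking and keep 666 and 777 as the starting values. Two smaller points in the same hunk: the table-of-contents entry links to #appendix.md, which does not follow the heading-anchor form used by the other two entries, and "read only, write only, and execute" should be read, write, and execute, since the 755 example combines them.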
diff --git a/docs/en/docs/SecHarden/authentication-and-authorization.md b/docs/en/docs/SecHarden/authentication-and-authorization.md new file mode 100644 index 0000000000000000000000000000000000000000..e12f2bae5575b2295f2fe704b2dfc60856cf4b35 --- /dev/null +++ b/docs/en/docs/SecHarden/authentication-and-authorization.md 
@@ -0,0 +1,156 @@ +# Authentication and Authorization + +- [Authentication and Authorization](#authentication-and-authorization) + - [Setting a Warning for Remote Network Access](#setting-a-warning-for-remote-network-access) + - [Forestalling Unauthorized System Restart by Holding Down Ctrl, Alt, and Delete](#forestalling-unauthorized-system-restart-by-holding-down-ctrl-alt-and-delete) + - [Setting an Automatic Exit Interval for Shell](#setting-an-automatic-exit-interval-for-shell) + - [Setting the Default umask Value for Users to 0077](#setting-the-default-umask-value-for-users-to-0077) + - [Setting the GRUB2 Encryption Password](#setting-the-grub2-encryption-password) + - [Setting the Secure Single-user Mode](#setting-the-secure-single-user-mode) + - [Disabling Interactive Startup](#disabling-interactive-startup) + + + +## Setting a Warning for Remote Network Access + +### Description + +A warning for remote network access is configured and displayed for users who attempt to remotely log in to the system. The warning indicates the penalty for authorized access and is used to threaten potential attackers. When the warning is displayed, system architecture and other system information are hidden to protect the system from being attacked. + +### Implementation + +This setting can be implemented by modifying the **/etc/issue.net** file. Replace the original content in the **/etc/issue.net** file with the following information \(which has been set by default in openEuler\): + +``` +Authorized users only. All activities may be monitored and reported. +``` + +## Forestalling Unauthorized System Restart by Holding Down Ctrl, Alt, and Delete + +### Description + +By default, you can restart the OS by holding down **Ctrl**, **Alt**, and **Delete**. It is advised to disable this feature to prevent data loss caused by misoperations. 
+ +### Implementation + +To disable the feature of restarting the system by holding down **Ctrl**, **Alt**, and **Delete**, perform the following steps: + +1. Run the following commands to delete the two **ctrl-alt-del.target** files: + + ``` + rm -f /etc/systemd/system/ctrl-alt-del.target + rm -f /usr/lib/systemd/system/ctrl-alt-del.target + ``` + +2. Change **\#CtrlAltDelBurstAction=reboot-force** to **CtrlAltDelBurstAction=none** in the **/etc/systemd/system.conf** file. +3. Run the following command to restart systemd for the modification to take effect: + + ``` + systemctl daemon-reexec + ``` + +## Setting an Automatic Exit Interval for Shell + +### Description + +An unattended shell is prone to listening or attacks. Therefore, it is advised that a mechanism be configured to ensure that a shell can automatically exit when it does not run for a period. + +### Implementation + +At the end of file **/etc/profile**, set the **TMOUT** field \(unit: second\) that specifies the interval for automatic exit as follows: + +``` +export TMOUT=300 +``` + +## Setting the Default umask Value for Users to 0077 + +### Description + +The **umask** value is used to set default permission on files and directories. A smaller **umask** value indicates that group users or other users have incorrect permission, which brings system security risks. Therefore, the default **umask** value must be set to **0077** for all users, that is, the default permission on user directories is **700** and the permission on user files is **600**. The **umask** value indicates the complement of a permission. For details about how to convert the **umask** value to a permission, see [umask Values](#umask-values.md). + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>By default, the **umask** value of the openEuler user is set to **0077**. + +### Implementation + +1. Add **umask 0077** to the **/etc/bashrc** file and all files in the **/etc/profile.d/** directory. 
+ + ``` + echo "umask 0077" >> $FILE + ``` + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >_$FILE_ indicates the file name, for example, echo "umask 0077" \>\> /etc/bashrc. + +2. Set the ownership and group of the **/etc/bashrc** file and all files in the **/etc/profile.d/** directory to **root**. + + ``` + chown root.root $FILE + ``` + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >_$FILE_ indicates the file name, for example, **chown root.root /etc/bashrc**. + + +## Setting the GRUB2 Encryption Password + +### Description + +GRand Unified Bootloader \(GRUB\) is an operating system boot manager used to boot different systems \(such as Windows and Linux\). GRUB2 is an upgraded version of GRUB. + +When starting the system, you can modify the startup parameters of the system on the GRUB2 screen. To ensure that the system startup parameters are not modified randomly, you need to encrypt the GRUB2 screen. The startup parameters can be modified only when the correct GRUB2 password is entered. + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>The default password of GRUB2 is **openEuler\#12**. You are advised to change the default password upon the first login and periodically update the password. If the password is leaked, startup item configurations may be modified, causing the system startup failure. + +### Implementation + +1. Run the **grub2-mkpasswd-pbkdf2** command to generate an encrypted password. + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >SHA-512 is used as the GRUB2 encryption algorithm. 
+ + ``` + # grub2-mkpasswd-pbkdf2 + Enter password: + Reenter password: + PBKDF2 hash of your password is + grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08 + ``` + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >Enter the same password in the **Enter password** and **Reenter password** lines. + >After **openEuler\#12** is encrypted by **grub2-mkpasswd-pbkdf2**, the output is **grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08**. The ciphertext is different each time. + +2. Open **/boot/efi/EFI/openEuler/grub.cfg** in a vi editor. Append the following fields to the beginning of **/boot/efi/EFI/openEuler/grub.cfg**. + + ``` + set superusers="root" + password_pbkdf2 root grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08 + ``` + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >- The **superusers** field is used to set the account name of the super GRUB2 administrator. + >- The first parameter following the **password\_pbkdf2** field is the GRUB2 account name, and the second parameter is the encrypted password of the account. + + +## Setting the Secure Single-user Mode + +### Description + +When you log in to the system as user **root** in single-user mode, if the **root** password is not set, high security risks exist. 
+ +### Implementation + +This setting can be implemented by modifying the **/etc/sysconfig/init** file. Set **SINGLE** to **SINGLE=/sbin/sulogin**. + +## Disabling Interactive Startup + +### Description + +With interactive guidance, console users can disable audit, firewall, or other services, which compromises system security. Users can disable interactive startup to improve security. This item is disabled by default in openEuler. + +### Implementation + +This setting can be implemented by modifying the **/etc/sysconfig/init** file. Set **PROMPT** to **no**. diff --git a/docs/en/docs/SecHarden/figures/en-us_image_0221925211.png b/docs/en/docs/SecHarden/figures/en-us_image_0221925211.png new file mode 100644 index 0000000000000000000000000000000000000000..62ef0decdf6f1e591059904001d712a54f727e68 Binary files /dev/null and b/docs/en/docs/SecHarden/figures/en-us_image_0221925211.png differ diff --git a/docs/en/docs/SecHarden/figures/en-us_image_0221925212.png b/docs/en/docs/SecHarden/figures/en-us_image_0221925212.png new file mode 100644 index 0000000000000000000000000000000000000000..ad5ed3f7beeb01e6a48707c4806606b41d687e22 Binary files /dev/null and b/docs/en/docs/SecHarden/figures/en-us_image_0221925212.png differ diff --git a/docs/en/docs/SecHarden/file-permissions.md b/docs/en/docs/SecHarden/file-permissions.md new file mode 100644 index 0000000000000000000000000000000000000000..23f7dbefaabb9ba8e7cd7847efb7e857dc27ebe1 --- /dev/null +++ b/docs/en/docs/SecHarden/file-permissions.md 
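Review bot: In "Setting the GRUB2 Encryption Password" (authentication-and-authorization.md), the `password_pbkdf2 root grub.pbkdf2.sha512.10000...` line in step 2 reuses the exact hash that the step 1 note identifies as the output for the default password **openEuler#12**, so an administrator who copies step 2 verbatim keeps the published default password. Replace the hash in step 2 with a clearly marked placeholder for the value generated in step 1, and say so in the step text. In the same step, "Append the following fields to the beginning" should read "Insert ... at the beginning", and only the UEFI path **/boot/efi/EFI/openEuler/grub.cfg** is given even though file-permissions.md in this patch states that legacy BIOS installation is also supported. Two smaller fixes: "the penalty for authorized access" in the remote access warning section should be "unauthorized access", and `chown root.root $FILE` should use the `root:root` form that file-permissions.md uses.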
@@ -0,0 +1,241 @@ + +## File Permissions + +- [File Permissions](#file-permissions) + - [Setting the Permissions on and Ownership of Files](#setting-the-permissions-on-and-ownership-of-files) + - [Deleting Unowned Files](#deleting-unowned-files) + - [Removing a Symbolic Link to /dev/null](#removing-a-symbolic-link-to-dev-null) + - [Setting the umask Value for a Daemon](#setting-the-umask-value-for-a-daemon) + - [Adding a Sticky Bit Attribute to Globally Writable Directories](#adding-a-sticky-bit-attribute-to-globally-writable-directories) + - [Disabling the Globally Writable Permission on Unauthorized Files](#disabling-the-globally-writable-permission-on-unauthorized-files) + - [Restricting Permissions on the at Command](#restricting-permissions-on-the-at-command) + - [Restricting Permissions on the cron Command](#restricting-permissions-on-the-cron-command) + - [Restricting Permissions on the sudo Command](#restricting-permissions-on-the-sudo-command) + + +## Setting the Permissions on and Ownership of Files + +### Description + +In Linux, all objects are processed as files. Even a directory will be processed as a large file containing many files. Therefore, the most important thing in Linux is the security of files and directories. Their security is ensured by permissions and owners. + +By default, the permissions and ownership of common directories, executable files, and configuration files in the system are set in openEuler. + +### Implementation + +The following uses the **/bin** directory as an example to describe how to change the permission and ownership of a file: + +- Modify the file permission. For example, set the permission on the **/bin** directory to **755**. + + ``` + chmod 755 /bin + ``` + +- Change the ownership of the file. For example, set the ownership and group of the **/bin** directory to **root:root**. 
+ + ``` + chown root:root /bin + ``` + + +## Deleting Unowned Files + +### Description + +When deleting a user or group, the system administrator may forget to delete the files of the user or group. If the name of a new user or group is the same as that of the deleted user or group, the new user or group will own files on which it has no permission. You are advised to delete these files. + +### Implementation + +Delete the file whose user ID does not exist. + +1. Search for the file whose user ID does not exist. + + ``` + find / -nouser + ``` + +2. Delete the found file. In the preceding command, _filename_ indicates the name of the file whose user ID does not exist. + + ``` + rm -f filename + ``` + + +Delete the file whose group ID does not exist. + +1. Search for the file whose user ID does not exist. + + ``` + find / -nogroup + ``` + +2. Delete the found file. In the preceding command, _filename_ indicates the name of the file whose user ID does not exist. + + ``` + rm -f filename + ``` + + +## Removing a Symbolic Link to /dev/null + +### Description + +A symbolic link to **/dev/null** may be used by malicious users. This affects system security. You are advised to delete these symbolic links to improve system security. + +### Special Scenario + +After openEuler is installed, symbolic links to **/dev/null** may exist. These links may have corresponding functions. \(Some of them are preconfigured and may be depended by other components.\) Rectify the fault based on the site requirements. For details, see [Implementation](#en-us_topic_0152100319_s1b24647cdd834a8eaca3032611baf072). + +For example, openEuler supports UEFI and legacy BIOS installation modes. The GRUB packages supported in the two boot scenarios are installed by default. If you select the legacy BIOS installation mode, a symbolic link **/etc/grub2-efi.cfg** is generated. If you select the UEFI installation mode, a symbolic link **/etc/grub2.cfg** is generated. 
You need to process these symbolic links based on the site requirements. + +### Implementation + +1. Run the following command to search for symbolic links to **/dev/null**: + + ``` + find dirname -type l -follow 2>/dev/null + ``` + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >_dir__name_ indicates the directory to be searched. Normally, key system directories, such as **/bin**, **/boot**, **/usr**, **/lib64**, **/lib**, and **/var**, need to be searched. + +2. If these symbolic links are useless, run the following command to delete them: + + ``` + rm -f filename + ``` + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >_filename_ indicates the file name obtained in [Step 1](#en-us_topic_0152100319_l4dc74664c4fb400aaf91fb314c4f9da6). + + +## Setting the umask Value for a Daemon + +### Description + +The **umask** value is used to set default permission on files and directories. If the **umask** value is not specified, the file has the globally writable permission. This brings risks. A daemon provides a service for the system to receive user requests or network customer requests. To improve the security of files and directories created by the daemon, you are advised to set **umask** to **0027**. The **umask** value indicates the complement of a permission. For details about how to convert the **umask** value to a permission, see [umask Values](#umask-values.md). + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>By default, the **umask** value of the daemon is set to **0022** in openEuler. + +### Implementation + +In configuration file **/etc/sysconfig/init**, add **umask 0027** as a new row. + +## Adding a Sticky Bit Attribute to Globally Writable Directories + +### Description + +Any user can delete or modify a file or directory in a globally writable directory, which leads to unauthorized file or directory deletion. Therefore, the sticky bit attribute is required for globally writable directories. + +### Implementation + +1. 
Search for globally writable directories. + + ``` + find / -type d -perm -0002 ! -perm -1000 -ls | grep -v proc + ``` + +2. Add the sticky bit attribute to globally writable directories. _dirname_ indicates the name of the directory that is found. + + ``` + chmod +t dirname + ``` + + +## Disabling the Globally Writable Permission on Unauthorized Files + +### Description + +Any user can modify globally writable files, which affects system integrity. + +### Implementation + +1. Search for all globally writable files. + + ``` + find / -type d \( -perm -o+w \) | grep -v procfind / -type f \( -perm -o+w \) | grep -v proc + ``` + +2. View the settings of files \(excluding files and directories with sticky bits\) listed in step 1, and delete the files or disable the globally writable permission on them. Run the following command to remove the permission. In the command, _filename_ indicates the file name. + +    + + ``` + chmod o-w filename + ``` + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >You can run the following command to check whether the sticky bit is set for the file or directory. If the command output contains the **T** flag, the file or directory is with a sticky bit. In the command, _filename_ indicates the name of the file or directory to be queried. + >``` + >ls -l filename + >``` + + +## Restricting Permissions on the at Command + +### Description + +The **at** command is used to create a scheduled task. Users who can run the **at** command must be specified to protect the system from being attacked. + +### Implementation + +1. Delete the **/etc/at.deny** file. + + ``` + rm -f /etc/at.deny + ``` + +2. Run the following command to change the ownership of file **/etc/at.allow** file to **root:root**. + + ``` + chown root:root /etc/at.allow + ``` + +3. Set that only user **root** can operate file **/etc/at.allow**. 
+ + ``` + chmod og-rwx /etc/at.allow + ``` + + +## Restricting Permissions on the cron Command + +### Description + +The **cron** command is used to create a routine task. Users who can run the **cron** command must be specified to protect the system from being attacked. + +### Implementation + +1. Delete the **/etc/cron.deny** file. + + ``` + rm -f /etc/at.deny + ``` + +2. Run the following command to change the ownership of the **/etc/cron.allow** file to **root:root**: + + ``` + chown root:root /etc/cron.allow + ``` + +3. Set that only user **root** can operate file **/etc/cron.allow**. + + ``` + chmod og-rwx /etc/cron.allow + ``` + + +## Restricting Permissions on the sudo Command + +### Description + +A common user can use the **sudo** command to run commands as the user **root**. To harden system security, it is necessary to restrict permissions on the **sudo** command. Only user **root** can use the **sudo** command. By default, openEuler does not retrict the permission of non-root users to run the sudo command. + +### Implementation + +Modify the **/etc/sudoers** file to restrict permissions on the **sudo** command. Comment out the following configuration line: + +``` +#%wheel ALL=(ALL) ALL +``` diff --git a/docs/en/docs/SecHarden/kernel-parameters.md b/docs/en/docs/SecHarden/kernel-parameters.md new file mode 100644 index 0000000000000000000000000000000000000000..b193426b3b65a5e4bcad99a471cc2c82c2d46cc8 --- /dev/null +++ b/docs/en/docs/SecHarden/kernel-parameters.md 
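Review bot: In "Restricting Permissions on the cron Command" (file-permissions.md), step 1 says to delete **/etc/cron.deny** but the command is `rm -f /etc/at.deny`, copied from the at section, so following the step leaves cron.deny in place; it should be `rm -f /etc/cron.deny`. In "Disabling the Globally Writable Permission on Unauthorized Files", step 1 has two commands fused into one line (`... | grep -v procfind / -type f ...`), which will not run as written; split it into one `find` per line. In "Removing a Symbolic Link to /dev/null", `find dirname -type l -follow` matches only symbolic links that fail to resolve once `-follow` is in effect, so it does not list links that point to **/dev/null**; a test on the link target, for example `find dirname -lname /dev/null` without `-follow`, matches what the section describes. In "Deleting Unowned Files", the group ID half repeats the "user ID does not exist" wording for `find / -nogroup`, and "In the preceding command" refers to a command that comes after the sentence. "retrict" in the sudo section is a typo.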
@@ -0,0 +1,229 @@ +# Kernel Parameters + +- [Kernel Parameters](#kernel-parameters) + - [Hardening the Security of Kernel Parameters](#hardening-the-security-of-kernel-parameters) + + +## Hardening the Security of Kernel Parameters + +### Description + +Kernel parameters specify the status of network configurations and application privileges. The kernel provides system control which can be fine-tuned or configured by users. This function can improve the security of the OS by controlling configurable kernel parameters. For example, you can fine-tune or configure network options to improve system security. + +### Implementation + +1. Write the hardening items in [Table 1](#en-us_topic_0152100187_t69b5423c26644b26abe94d88d38878eb) to the **/etc/sysctl.conf** file. + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >Record security hardening items as follows: + >``` + >net.ipv4.icmp_echo_ignore_broadcasts = 1 + >net.ipv4.conf.all.rp_filter = 1 + >net.ipv4.conf.default.rp_filter = 1 + >``` + + **Table 1** Policies for hardening the security of kernel parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item

+

Description

+

Suggestion

+

Configured as Suggested

+

net.ipv4.icmp_echo_ignore_broadcasts

+

Specifies whether ICMP broadcast packets are accepted. They are not accepted according to the hardening policy.

+

1

+

Yes

+

net.ipv4.conf.all.rp_filter

+

Specifies whether the actual source IP address used by a data packet is related to a routing table and whether the data packet receives responses through interfaces. The item is enabled according to the hardening policy.

+

1

+

Yes

+

net.ipv4.conf.default.rp_filter

+

1

+

Yes

+

net.ipv4.ip_forward

+

The IP forwarding function prevents unauthorized IP address packets from being transferred to a network. The item is disabled according to the hardening policy.

+

0

+

Yes

+

net.ipv4.conf.all.accept_source_route

+

accept_source_route indicates that a packet sender can specify a path for sending the packet and a path for receiving a response. The item is disabled according to the hardening policy.

+

0

+

Yes

+

net.ipv4.conf.default.accept_source_route

+

0

+

Yes

+

net.ipv4.conf.all.accept_redirects

+

Specifies whether a redirected ICMP packet is sent. The packet is not sent according to the hardening policy.

+

0

+

Yes

+

net.ipv4.conf.default.accept_redirects

+

0

+

Yes

+

net.ipv6.conf.all.accept_redirects

+

0

+

Yes

+

net.ipv6.conf.default.accept_redirects

+

0

+

Yes

+

net.ipv4.conf.all.send_redirects

+

Specifies whether a redirected ICMP packet is sent to another server. This item is enabled only when the host functions as a route. The item is disabled according to the hardening policy.

+

0

+

Yes

+

net.ipv4.conf.default.send_redirects

+

0

+

Yes

+

net.ipv4.icmp_ignore_bogus_error_responses

+

Fake ICMP packets are not recorded to logs, which saves disk space. The item is enabled according to the hardening policy.

+

1

+

Yes

+

net.ipv4.tcp_syncookies

+

SYN attack is a DoS attack that forces system restart by occupying system resources. TCP-SYN cookie protection is enabled according to the hardening policy.

+

1

+

Yes

+

kernel.dmesg_restrict

+

Hardens dmesg messages. Only the administrator is allowed to view the messages.

+

1

+

Yes

+

kernel.sched_autogroup_enabled

+

Determines whether the kernel automatically groups and schedules threads. After this item is enabled, scheduling groups compete for time slices, and threads in a scheduling group compete for the time slices allocated to the scheduling group. The item is disabled according to the hardening policy.

+

0

+

No

+

kernel.sysrq

+

Disables the magic key.

+
NOTE:

You are advised to disable the magic key so that commands cannot be directly passed to the kernel.

+
+

0

+

Yes

+

net.ipv4.conf.all.secure_redirects

+

Specifies whether redirected ICMP messages sent from any servers or from gateways listed in the default gateway list are accepted. Redirected ICMP messages are received from any servers according to the hardening policy.

+

0

+

Yes

+

net.ipv4.conf.default.secure_redirects

+

0

+

Yes

+
+ +2. Run the following command to load the kernel parameters set in the **sysctl.conf** file: + + ``` + sysctl -p /etc/sysctl.conf + ``` + + +### Other Security Suggestions + +- **net.ipv4.icmp\_echo\_ignore\_all**: ignores ICMP requests. + + For security purposes, you are advised to enable this item. The default value is **0**. Set the value to **1** to enable this item. + + After this item is enabled, all incoming ICMP Echo request packets will be ignored, which will cause failure to ping the target host. Determine whether to enable this item based on your actual networking condition. + +- **net.ipv4.conf.all.log\_martians/net.ipv4.conf.default.log\_martians**: logs spoofed, source routed, and redirect packets. + + For security purposes, you are advised to enable this item. The default value is **0**. Set the value to **1** to enable this item. + + After this item is enabled, data from forbidden IP addresses will be logged. Too many new logs will overwrite old logs because the total number of logs allowed is fixed. Determine whether to enable this item based on your actual usage scenario. + +- **net.ipv4.tcp\_timestamps**: disables tcp\_timestamps. + + For security purposes, you are advised to disable tcp\_timestamps. The default value is **1**. Set the value to **0** to disable tcp\_timestamps. + + After this item is disabled, TCP retransmission timeout will be affected. Determine whether to disable this item based on the actual usage scenario. + +- **net.ipv4.tcp\_max\_syn\_backlog**: determines the number of queues that is in SYN\_RECV state. + + This parameter determines the number of queues that is in SYN\_RECV state. When this number is exceeded, new TCP connection requests will not be accepted. This to some extent prevents system resource exhaustion. Configure this parameter based on your actual usage scenario. 
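Review bot: In Table 1 (kernel-parameters.md), the description for **net.ipv4.conf.all.accept_redirects** reads "Specifies whether a redirected ICMP packet is sent. The packet is not sent according to the hardening policy", which describes send_redirects; accept_redirects controls whether ICMP redirects are accepted, so the row should say they are not accepted. The **net.ipv4.conf.all.secure_redirects** row has a similar problem: "Redirected ICMP messages are received from any servers according to the hardening policy" reads as if hardening widens what is accepted, so state what the value 0 means and how it relates to accept_redirects being 0. The **net.ipv4.ip_forward** description says the forwarding function "prevents" unauthorized packets from being transferred, when it is disabling forwarding that does so. Under "Other Security Suggestions", **net.ipv4.tcp_max_syn_backlog** is described twice as "the number of queues" in SYN_RECV state; it is the maximum number of queued connection requests, and the duplicated sentence can be dropped.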
diff --git a/docs/en/docs/SecHarden/os-hardening-overview.md b/docs/en/docs/SecHarden/os-hardening-overview.md new file mode 100644 index 0000000000000000000000000000000000000000..44fd1bdd4083b58b5cf375cc9437cdf5874b5bf7 --- /dev/null +++ b/docs/en/docs/SecHarden/os-hardening-overview.md 
@@ -0,0 +1,121 @@ +# OS Hardening Overview +- [OS Hardening Overview](#os-hardening-overview) + - [Security Hardening Purpose](#security-hardening-purpose) + - [Security Hardening Solution](#security-hardening-solution) + - [Security Hardening Impacts](#security-hardening-impacts) + +This chapter describes the purpose and solution of openEuler system hardening. + + + +## security-hardening-purpose + +The OS, as the core of the information system, manages hardware and software resources and is the basis of information system security. Applications must depend on the OS to ensure the integrity, confidentiality, availability, and controllability of information. Without the OS security protection, protective methods against hackers and virus attacks at other layers cannot meet the security requirements. + +Therefore, security hardening is essential for an OS. Security hardening helps build a dynamic and complete security system, enhance product security, and improve product competitiveness. + +## security-hardening-solution + +This section describes the openEuler security hardening solution, including the hardening method and items. + +### Security Hardening Method + +You can manually modify security hardening configurations or run commands to harden the system, or use the security hardening tool to modify security hardening items in batches. The openEuler security hardening tool runs as openEuler-security.service. When the system is started for the first time, the system automatically runs the service to execute the default hardening policy, and automatically set the service not to start as the system starts. + +You can modify the **security.conf** file and use the security hardening tool to implement user-defined security hardening. + + +## security hardening impacts + +Security hardening on file permissions and account passwords may change user habits, affecting system usability. 
For details about common hardening items that affect system usability, see [Table 1](#en-us_topic_0152100325_ta4a48f54ff2849ada7845e2380209917). + +**Table 1** Security hardening impacts + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item

+

Suggestion

+

Impact

+

Configured By Default

+

Timeout setting on the text-based user interface (TUI)

+

When the TUI is idle for a long period of time, it automatically exits.

+
NOTE:

When a user logs in to the system using SSH, the timeout period is determined by the smaller value of the TMOUT field in the /etc/profile file and the ClientAliveInterval field in the /etc/ssh/sshd_config file. You are advised to set this parameter to 300 seconds.

+
+

If you do not perform any operation on the TUI for a long time, TUI automatically exits.

+

No

+

Password complexity

+

The password is a string containing at least eight characters chosen from three or four of the following types: uppercase letters, lowercase letters, digits, and special characters.

+

All passwords must comply with the complexity requirements.

+

No

+

Password retry limits

+

If a user fails to enter the correct password for three consecutive times when logging in to the OS, the user account will be locked for 60 seconds.

+

After the account is locked, the user can log in to the system only after 60 seconds.

+

Yes

+

Default umask value

+

The default umask value of all users is set to 077 so that the default permission on files created by users is 600 and the default permission on directories is 700.

+

Users must modify the permission on specified files or directories as required.

+

Yes

+

Password validity period

+

The password validity period can be modified in the /etc/login.defs file and is set to 90 days by default. It can be modified in any time. An expiration notification will be displayed seven days before a password is to expire.

+

When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system.

+

No

+

su permission control

+

The su command is used to switch user accounts. To improve system security, only the user root and users in the wheel group can use the su command.

+

Common users can successfully run the su command only after joining in the wheel group.

+

Yes

+

Disabling user root from logging in using SSH

+

Set the value of the PermitRootLogin field in the /etc/ssh/sshd_config file to no. In this way, user root cannot directly log in to the system using SSH.

+

You need to log in to the system as a common user in SSH mode and then switch to user root.

+

No

+

Strong SSH encryption algorithm

+

The MACs and Ciphers configurations of SSH services support the CTR and SHA2 algorithms and do not support the CBC, MD5, and SHA1 algorithms.

+

Some early Xshell and PuTTY versions do not support aes128-ctr, aes192-ctr, aes256-ctr, hmac-sha2-256, and hmac-sha2-512 algorithms. Ensure that the latest PuTTY (0.63 or later) and Xshell (5.0 or later) are used.

+

Yes

+
+ diff --git a/content/en/docs/Virtualization/public_sys-resources/icon-caution.gif b/docs/en/docs/SecHarden/public_sys-resources/icon-caution.gif similarity index 100% rename from content/en/docs/Virtualization/public_sys-resources/icon-caution.gif rename to docs/en/docs/SecHarden/public_sys-resources/icon-caution.gif diff --git a/content/en/docs/Virtualization/public_sys-resources/icon-danger.gif b/docs/en/docs/SecHarden/public_sys-resources/icon-danger.gif similarity index 100% rename from content/en/docs/Virtualization/public_sys-resources/icon-danger.gif rename to docs/en/docs/SecHarden/public_sys-resources/icon-danger.gif diff --git a/content/en/docs/Virtualization/public_sys-resources/icon-note.gif b/docs/en/docs/SecHarden/public_sys-resources/icon-note.gif similarity index 100% rename from content/en/docs/Virtualization/public_sys-resources/icon-note.gif rename to docs/en/docs/SecHarden/public_sys-resources/icon-note.gif diff --git a/content/en/docs/Virtualization/public_sys-resources/icon-notice.gif b/docs/en/docs/SecHarden/public_sys-resources/icon-notice.gif similarity index 100% rename from content/en/docs/Virtualization/public_sys-resources/icon-notice.gif rename to docs/en/docs/SecHarden/public_sys-resources/icon-notice.gif diff --git a/content/en/docs/Virtualization/public_sys-resources/icon-tip.gif b/docs/en/docs/SecHarden/public_sys-resources/icon-tip.gif similarity index 100% rename from content/en/docs/Virtualization/public_sys-resources/icon-tip.gif rename to docs/en/docs/SecHarden/public_sys-resources/icon-tip.gif diff --git a/content/en/docs/Virtualization/public_sys-resources/icon-warning.gif b/docs/en/docs/SecHarden/public_sys-resources/icon-warning.gif similarity index 100% rename from content/en/docs/Virtualization/public_sys-resources/icon-warning.gif rename to docs/en/docs/SecHarden/public_sys-resources/icon-warning.gif 
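Review bot: In "Security Hardening Method" (os-hardening-overview.md), the text tells the reader to modify the **security.conf** file for user-defined hardening, while security-hardening-tools.md in this same patch says to modify only **/etc/openEuler_security/usr-security.conf** and advises against modifying **security.conf** because its items are executed only once. Name usr-security.conf here, with its full path, so the overview does not send administrators to the base policy file. The headings `## security-hardening-purpose`, `## security-hardening-solution` and `## security hardening impacts` are written as anchor slugs or in lowercase and will render that way; use the title-case forms from the table of contents. The impacts table gives the default umask as 077 where authentication-and-authorization.md uses 0077; pick one form. The intro sentence mentions only purpose and solution although the page also covers impacts.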
diff --git a/docs/en/docs/SecHarden/secHarden.md b/docs/en/docs/SecHarden/secHarden.md new file mode 100644 index 0000000000000000000000000000000000000000..6539f6bd1eb52da6f2076345facd9c4759538a79 --- /dev/null +++ b/docs/en/docs/SecHarden/secHarden.md @@ -0,0 +1,5 @@ +# Security Hardening Guide + +This document describes how to perform security hardening for openEuler. + +This document is intended for administrators who need to perform security hardening for openEuler. You must be familiar with the OS security architecture and technologies. diff --git a/docs/en/docs/SecHarden/security-hardening-guide.md b/docs/en/docs/SecHarden/security-hardening-guide.md new file mode 100644 index 0000000000000000000000000000000000000000..38b3bec79c4e11aaebbd80e5b19204ebfb9edc7a --- /dev/null +++ b/docs/en/docs/SecHarden/security-hardening-guide.md @@ -0,0 +1,4 @@ +# Security Hardening Guide + +You can modify the hardening policy configuration file or script to harden the system. This chapter describes the hardening items, whether the items are hardened by default, and how to perform security hardening. + diff --git a/docs/en/docs/SecHarden/security-hardening-tools.md b/docs/en/docs/SecHarden/security-hardening-tools.md new file mode 100644 index 0000000000000000000000000000000000000000..8aecf8637386d110f16e28b56ee14871affff539 --- /dev/null +++ b/docs/en/docs/SecHarden/security-hardening-tools.md 
@@ -0,0 +1,137 @@ +# Security Hardening Tools + +- [Security Hardening Tools](#security-hardening-tools) + - [Security Hardening Procedure](#security-hardening-procedure) + - [Hardening Items Taking Effect](#hardening-items-taking-effect) + + + + + +## Security Hardening Procedure + +### Overview + +You need to modify the **usr-security.conf** file so that the security hardening tool can set hardening policies based on the **usr-security.conf** file. This section describes rules for modifying the **usr-security.conf** file. For details about the configurable security hardening items, see [Security Hardening Guide](#security-hardening-guide.md). + +### Precautions + +- After modifying the items, restart the security hardening service for the modification to take effect. For details about how to restart the service, see [Hardening Items Taking Effect](#hardening-items-taking-effect.md). +- When modifying security hardening items, you only need to modify the **/etc/openEuler\_security/usr-security.conf** file. You are not advised to modify the **/etc/openEuler\_security/security.conf** file. The **security.conf** file contains basic hardening items which are executed only once. +- After the security hardening service is restarted for the configuration to take effect, the previous configuration cannot be deleted by deleting the corresponding hardening items from the **usr-security.conf** file and restarting the security hardening service. +- Security hardening operations are recorded in the **/var/log/openEuler-security.log** file. + +### Configuration Format + +Each line in the **usr-security.conf** file indicates a configuration item. The configuration format varies according to the configuration content. The following describes the format of each configuration item. + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>- All configuration items start with an execution ID. The execution ID is a positive integer and can be customized. 
+>- Contents of a configuration item are separated by an at sign \(@\). +>- If the actual configuration content contains an at sign \(@\), use two at signs \(@@\) to distinguish the content from the separator. For example, if the actual content is **xxx@yyy**, set this item to **xxx@@yyy**. Currently, an at sign \(@\) cannot be placed at the beginning or end of the configuration content. + +   + +- **d**: comment + + Format: _Execution ID_**@d@**_Object file_**@**_Match item_ + + Function: Comment out lines starting with the match item \(the line can start with a space\) in an object file by adding a number sign \(\#\) at the beginning of the line. + + Example: If the execution ID is **401**, comment out lines starting with **%wheel** in the **/etc/sudoers** file. + + ``` + 401@d@/etc/sudoers@%wheel + ``` + + +- **m**: replacement + + Format: _Execution ID_**@m@**_Object file_**@**_Match item_**@**_Target value_ + + Function: Replace lines starting with the match item \(the line can start with a space\) in an object file with _match item_ and _target value_. If the match line starts with spaces, the spaces will be deleted after the replacement. + + Example: If the execution ID is **101**, replace lines starting with **Protocol** in the **/etc/ssh/sshd\_config** file with **Protocol 2**. The spaces after **Protocol** are matched and replaced. + + ``` + 101@m@/etc/ssh/sshd_config@Protocol @2 + ``` + +- **sm**: accurate modification + + Format: _Execution ID_**@sm@**_Object file_**@**_Match item_**@**_Target value_ + + Function: Replace lines starting with the match item \(the line can start with a space\) in an object file with _match item_ and _target value_. If the match line starts with spaces, the spaces are retained after the replacement. This is the difference between **sm** and **m**. + + Example: If the execution ID is **201**, replace lines starting with **size** in the **/etc/audit/hzqtest** file with **size 2048**. 
+ + ``` + 201@sm@/etc/audit/hzqtest@size@ 2048 + ``` + + +- **M**: subitem modification + + Format: _Execution ID_**@M@**_Object file_**@**_Match item_**@**_Match subitem__\[@Value of the match subitem\]_ + + Function: Match lines starting with the match item \(the line can start with a space\) in an object file and replace the content starting with the match subitem in these lines with the _match subitem_ and _value of the match subitem_. The value of the match subitem is optional. + + Example: If the execution ID is **101**, find lines starting with **key** in the file and replace the content starting with **key2** in these lines with **key2value2**. + + ``` + 101@M@file@key@key2@value2 + ``` + +- **systemctl**: service management + + Format: _Execution ID_**@systemctl@**_Object service_**@**_Operation_ + + Function: Use **systemctl** to manage object services. The value of **Operation** can be **start**, **stop**, **restart**, or **disable**. + + Example: If the execution ID is **218**, stop the **cups.service**. This provides the same function as running the **systemctl stop cups.service** command. + + ``` + 218@systemctl@cups.service@stop + ``` + +    + +- Other commands + + Format: _Execution ID_**@**_Command_**@**_Object file_ + + Function: Run the corresponding command, that is, run the command line _Command_ _Object file_. + + Example 1: If the execution ID is **402**, run the **rm -f** command to delete the **/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem** file. + + ``` + 402@rm -f @/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem + ``` + + Example 2: If the execution ID is **215**, run the **touch** command to create the **/etc/cron.allow** file. + + ``` + 215@touch @/etc/cron.allow + ``` + + Example 3: If the execution ID is **214**, run the **chown** command to change the owner of the **/etc/at.allow** file to **root:root**. 
+ + ``` + 214@chown root:root @/etc/at.allow + ``` + + Example 4: If the execution ID is **214**, run the **chmod** command to remove the **rwx** permission of the group to which the owner of the** /etc/at.allow** file belongs and other non-owner users. + + ``` + 214@chmod og-rwx @/etc/at.allow + ``` + + +## Hardening Items Taking Effect + +After modifying the **usr-security.conf** file, run the following command for the new configuration items to take effect: + +``` +systemctl restart openEuler-security.service +``` + diff --git a/docs/en/docs/SecHarden/selinux-configuration.md b/docs/en/docs/SecHarden/selinux-configuration.md new file mode 100644 index 0000000000000000000000000000000000000000..6644c4cc137bcee59b900dfd0333effb3ba907aa --- /dev/null +++ b/docs/en/docs/SecHarden/selinux-configuration.md 
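Review bot: The "Other commands" format in security-hardening-tools.md executes whatever command line is written in usr-security.conf (`402@rm -f @...`, `214@chown root:root @...`), so the Precautions list should state the expected owner and mode of /etc/openEuler_security/usr-security.conf (root-owned, not writable by group or others) and say that edits to it need the same review as a privileged script. Smaller points: the links `(#security-hardening-guide.md)` and `(#hardening-items-taking-effect.md)` mix a fragment with a file name and will not resolve; Examples 3 and 4 both use execution ID 214, and 101 is used for both the **m** and **M** examples, without the text saying whether IDs must be unique or what order they imply; `/etc/audit/hzqtest` in the **sm** example looks like a leftover test path; and `the** /etc/at.allow**` in Example 4 has a misplaced space that breaks the bold.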
@@ -0,0 +1,67 @@ +# SELinux Configuration + +## Overview + +Discretionary access control \(DAC\) determines whether a resource can be accessed based on users, groups, and other permissions. It does not allow the system administrator to create comprehensive and fine-grained security policies. SELinux \(Security-Enhanced Linux\) is a module of the Linux kernel and a security subsystem of Linux. SELinux implements mandatory access control \(MAC\). Each process and system resource has a special security label. In addition to the principles specified by the DAC, the SELinux needs to determine whether each type of process has the permission to access a type of resource. + +By default, openEuler uses SELinux to improve system security. SELinux has three modes: + +- **permissive**: The SELinux outputs alarms but does not forcibly execute the security policy. +- **enforcing**: The SELinux security policy is forcibly executed. +- **disabled**: The SELinux security policy is not loaded. + +## Configuration Description + +SELinux is enabled for openEuler by default and the default mode is enforcing. You can change the SELinux mode by changing the value of **SELINUX** in **/etc/selinux/config**. + +- To disable the SELinux policy, run the following command: + + ``` + SELINUX=disabled + ``` + +- To use the permissive policy, run the following command: + + ``` + SELINUX=permissive + ``` + + +>![](./public_sys-resources/icon-note.gif) **NOTE:** +>When you switch between the disabled mode and the other mode, you need to restart the system for the switch to take effect. +>``` +># reboot +>``` + +## SELinux Commands + +- Query the SELinux mode. For example, the following shows that the SELinux mode is permissive. + + ``` + # getenforce + Permissive + ``` + +- Set the SELinux mode. **0** indicates the permissive mode, and **1** indicates the enforcing mode. For example, run the following command to set the SELinux mode to enforcing. 
This command cannot be used to set the disabled mode. After the system is restarted, the mode set in **/etc/selinux/config** is restored. + + ``` + # setenforce 1 + ``` + +- Query the SELinux status. **SELinux status** indicates the SELinux status. **enabled** indicates that SELinux is enabled, and **disabled** indicates that SELinux is disabled. **Current mode** indicates the current security policy of the SELinux. + + ``` + # sestatus + SELinux status: enabled + SELinuxfs mount: /sys/fs/selinux + SELinux root directory: /etc/selinux + Loaded policy name: targeted + Current mode: enforcing + Mode from config file: enforcing + Policy MLS status: enabled + Policy deny_unknown status: allowed + Memory protection checking: actual (secure) + Max kernel policy version: 31 + ``` + + diff --git a/docs/en/docs/SecHarden/system-services.md b/docs/en/docs/SecHarden/system-services.md new file mode 100644 index 0000000000000000000000000000000000000000..8f90f69253b13d02a285b4075eadb7f22b8bdfd7 --- /dev/null +++ b/docs/en/docs/SecHarden/system-services.md 
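Review bot: In Configuration Description of selinux-configuration.md, `SELINUX=disabled` and `SELINUX=permissive` are introduced with "run the following command", but they are settings in /etc/selinux/config, not commands; say "set" and name the file in each bullet. For a hardening guide the list also only shows how to weaken the default: add the `SELINUX=enforcing` line so a reader can restore it, and list it first. In the NOTE, "the disabled mode and the other mode" should read "the other modes", and "The SELinux" / "the DAC" should drop the article throughout.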
@@ -0,0 +1,468 @@ +# system-services + +- [System Services](#system-services) + - [Hardening the SSH Service](#hardening-the-ssh-service) + + +## hardening-the-ssh-service + +### Description + +The Secure Shell \(SSH\) is a reliable security protocol for remote logins and other network services. SSH prevents information disclosure during remote management. SSH encrypts transferred data to prevent domain name server \(DNS\) spoofing and IP spoofing. OpenSSH was created as an open source alternative to the proprietary SSH protocol. + +Hardening the SSH service is to modify configurations of the SSH service to set the algorithm and authentication parameters when the system uses the OpenSSH protocol, improving the system security. [Table 1](#en-us_topic_0152100390_ta2fdb8e4931b4c1a8f502b3c7d887b95) describes the hardening items, recommended hardening values, and default policies. + +### Implementation + +To harden a server, perform the following steps: + +1. Open the configuration file **/etc/ssh/sshd\_config** of the SSH service on the server, and modify or add hardening items and values in the file. +2. Save the **/etc/ssh/sshd\_config** file. +3. Run the following command to restart the SSH service: + + ``` + systemctl restart sshd + ``` + + +   + +To harden a client, perform the following steps: + +1. Open the configuration file **/etc/ssh/ssh\_config** of the SSH service on the client, and modify or add hardening items and values in the file. +2. Save the **/etc/ssh/ssh\_config** file. +3. Run the following command to restart the SSH service: + + ``` + systemctl restart sshd + ``` + + +### Hardening Items + +- Server hardening policies + + All SSH service hardening items are stored in the **/etc/ssh/sshd\_config** configuration file. For details about the server hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see [Table 1](#en-us_topic_0152100390_ta2fdb8e4931b4c1a8f502b3c7d887b95). 
+ + **Table 1** SSH hardening items on a server + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item

+

Description

+

Suggestion

+

Configured as Suggested

+

Protocol

+

SSH protocol version.

+

2

+

Yes

+

SyslogFacility

+

Log type of the SSH service. The item is set to AUTH, indicating authentication logs.

+

AUTH

+

Yes

+

LogLevel

+

Level for recording SSHD logs.

+

VERBOSE

+

Yes

+

X11Forwarding

+

Specifies whether a GUI can be used after login using SSH.

+

no

+

Yes

+

MaxAuthTries

+

Maximum number of authentication attempts.

+

3

+

No

+

PubkeyAuthentication

+

Specifies whether public key authentication is allowed.

+

yes

+

Yes

+

RSAAuthentication

+

Specifies whether only RSA security authentication is allowed.

+

yes

+

Yes

+

IgnoreRhosts

+

Specifies whether the rhosts and shosts files are used for authentication. The rhosts and shosts files record the names of the servers that support remote access and related login names.

+

yes

+

Yes

+

RhostsRSAAuthentication

+

Specifies whether the RSA algorithm security authentication based on the rhosts file is used. The rhosts file records the names of the servers that support remote access and related login names.

+

no

+

Yes

+

HostbasedAuthentication

+

Specifies whether host-based authentication is used. Host-based authentication indicates that any user of a trusted client can use the SSH service.

+

no

+

Yes

+

PermitRootLogin

+

Specifies whether to allow user root to log in to the system using SSH.

+
NOTE:

If you want to log in to the system using SSH as user root, set the value of the PermitRootLogin field in the /etc/ssh/sshd_config file to yes.

+
+

no

+

No

+

PermitEmptyPasswords

+

Specifies whether accounts with empty passwords can log in.

+

no

+

Yes

+

PermitUserEnvironment

+

Specifies whether to resolve the environment variables set in ~/.ssh/environment and ~/.ssh/authorized_keys.

+

no

+

Yes

+

Ciphers

+

Encryption algorithm of SSH data transmission.

+

aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com

+

Yes

+

ClientAliveCountMax

+

Timeout count. After the server sends a request, if the number of times that the client does not respond reaches a specified value, the server automatically disconnects from the client.

+

0

+

No

+

Banner

+

File of the prompt information displayed before and after SSH login.

+

/etc/issue.net

+

Yes

+

MACs

+

Hash algorithm for SSH data verification.

+

hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com

+

Yes

+

StrictModes

+

Specifies whether to check the permission on and ownership of the home directory and rhosts file before SSH receives login requests.

+

yes

+

Yes

+

UsePAM

+

Specifies whether to use PAM for login authentication.

+

yes

+

Yes

+

AllowTcpForwarding

+

Specifies whether to allow TCP forwarding.

+

no

+

Yes

+

Subsystem sftp /usr/libexec/openssh/sftp-server

+

SFTP log record level, which records the INFO level and authentication logs.

+

-l INFO -f AUTH

+

Yes

+

AllowAgentForwarding

+

Specifies whether to allow SSH Agent forwarding.

+

no

+

Yes

+

GatewayPorts

+

Specifies whether SSH can connect to ports on the forwarding client.

+

no

+

Yes

+

PermitTunnel

+

Specifies whether Tunnel devices are allowed.

+

no

+

Yes

+

KexAlgorithms

+

SSH key exchange algorithms.

+

curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group-exchange-sha256

+

Yes

+

LoginGraceTime

+

Time limit for users passing the authentication. 0 indicates no limit. The default value is 60 seconds.

+

60

+

No

+
+ + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >By default, the messages displayed before and after SSH login are saved in the **/etc/issue.net** file. The default information in the **/etc/issue.net** file is **Authorized users only.** **All activities may be monitored and reported.** + + +- Client hardening policies + + All SSH service hardening items are stored in the **/etc/ssh/ssh\_config** configuration file. For details about the client hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see [Table 2](#en-us_topic_0152100390_tb289c5a6f1c7420ab4339187f9018ea4). + + **Table 2** SSH hardening items on a client + + + + + + + + + + + + + + + + + + + +

Item

+

Description

+

Suggestion

+

Configured as Suggested

+

KexAlgorithms

+

SSH key exchange algorithms.

+

ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

+

No

+

VerifyHostKeyDNS

+

Specifies whether to verify HostKey files by using DNS or SSHFP.

+

ask

+

No

+
+ + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >Third-party clients and servers that use the Diffie-Hellman algorithm are required to allow at least 2048-bit connection. + + +### Other Security Suggestions + +- The SSH service only listens on specified IP addresses. + + For security purposes, you are advised to only listen on required IP addresses rather than listen on 0.0.0.0 when using the SSH service. You can specify the IP addresses that SSH needs to listen on in the ListenAddress configuration item in the **/etc/ssh/sshd\_config** file. + + 1. Open and modify the **/etc/ssh/sshd\_config** file. + + ``` + vi /etc/ssh/sshd_config + ``` + + The following information indicates that the bound listening IP address is **192.168.1.100**. You can change the listening IP address based on the site requirements. + + ``` + ... + ListenAddress 192.168.1.100 + ... + ``` + + 2. Restart the SSH service. + + ``` + systemctl restart sshd.service + ``` + + + +- SFTP users are restricted from access to upper-level directories. + + SFTP is a secure FTP designed to provide secure file transfer over SSH. Users can only use dedicated accounts to access SFTP for file upload and download, instead of SSH login. In addition, directories that can be accessed over SFTP are limited to prevent directory traversal attacks. The configuration process is as follows: + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >In the following configurations, **sftpgroup** is an example user group name, and **sftpuser** is an example username. + + 1. Create an SFTP user group. + + ``` + groupadd sftpgroup + ``` + + 2. Create an SFTP root directory. + + ``` + mkdir /sftp + ``` + + 3. Modify the ownership of and permission on the SFTP root directory. + + ``` + chown root:root /sftp + chmod 755 /sftp + ``` + + 4. Create an SFTP user. + + ``` + useradd -g sftpgroup -s /sbin/nologin sftpuser + ``` + + 5. Set the password of the SFTP user. + + ``` + passwd sftpuser + ``` + + 6. 
Create a directory used to store files uploaded by the SFTP user. + + ``` + mkdir /sftp/sftpuser + ``` + + 7. Modify the ownership of and permission on the upload directory of the SFTP user. + + ``` + chown root:root /sftp/sftpuser + chmod 777 /sftp/sftpuser + ``` + + 8. Modify the **/etc/ssh/sshd\_config** file. + + ``` + vi /etc/ssh/sshd_config + ``` + + Modify the following information: + + ``` + #Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH + Subsystem sftp internal-sftp -l INFO -f AUTH + ... + + Match Group sftpgroup + ChrootDirectory /sftp/%u + ForceCommand internal-sftp + ``` + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >- **%u** is a wildcard character. Enter **%u** to represent the username of the current SFTP user. + >- The following content must be added to the end of the **/etc/ssh/sshd\_config** file: + > ``` + > Match Group sftpgroup + > ChrootDirectory /sftp/%u + > ForceCommand internal-sftp + > ``` + + 9. Restart the SSH service. + + ``` + systemctl restart sshd.service + ``` + + + +- Remotely execute commands using SSH. + + When a command is executed remotely through OpenSSH, TTY is disabled by default. If a password is required during command execution, the password is displayed in plain text. To ensure password input security, you are advised to add the **-t** option to the command. Example: + + ``` + ssh -t testuser@192.168.1.100 su + ``` + + >![](./public_sys-resources/icon-note.gif) **NOTE:** + >**192.168.1.100** is an example IP address, and **testuser** is an example username. diff --git a/docs/en/docs/StratoVirt/Install_StratoVirt.md b/docs/en/docs/StratoVirt/Install_StratoVirt.md new file mode 100644 index 0000000000000000000000000000000000000000..cadf49501491021b072792c1a3bf60af6dc9165e --- /dev/null +++ b/docs/en/docs/StratoVirt/Install_StratoVirt.md 
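Review bot: Steps 7 and 8 of the SFTP procedure in system-services.md conflict: step 7 runs `chmod 777 /sftp/sftpuser`, and step 8 makes that same path the chroot with `ChrootDirectory /sftp/%u`. sshd rejects a chroot directory that is writable by group or others, so sftpuser logins would fail, and a world-writable upload directory is a poor default for a hardening guide in any case. Suggest keeping /sftp/sftpuser at root:root 755 and creating a subdirectory owned by sftpuser for uploads. Also: step 3 of the client procedure restarts sshd after editing /etc/ssh/ssh_config, which the client reads on each run, so that step can be dropped; the Table 1 KexAlgorithms value contains `curve25519-sha256@@libssh.org`, where the doubled at sign is the usr-security.conf escape and should be a single `@` as in the Ciphers and MACs rows; and the headings `# system-services` and `## hardening-the-ssh-service` are slugs rather than the titles used in the table of contents.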
@@ -0,0 +1,37 @@ +# Installing StratoVirt + +## Software and Hardware Requirements + +### Minimum Hardware Requirements + +- Processor architecture: Only the AArch64 and x86_64 processor architectures are supported. AArch64 requires ARMv8 or a later version and supports virtualization extension. x86_64 supports VT-x. + +- 2-core CPU +- 4 GiB memory +- 16 GiB available disk space + +### Software Requirements + +Operating system: openEuler 21.03 + + + +## Installing Components + +To use StratoVirt virtualization, it is necessary to install StratoVirt. Before the installation, ensure that the openEuler yum source has been configured. + +1. Run the following command as user root to install the StratoVirt components: + + ``` + # yum install stratovirt + ``` + + +2. Check whether the installation is successful. + + ``` + $ stratovirt -version + StratoVirt 0.1.0 + ``` + + diff --git a/docs/en/docs/StratoVirt/Interconnect_isula.md b/docs/en/docs/StratoVirt/Interconnect_isula.md new file mode 100644 index 0000000000000000000000000000000000000000..225b952ca0ffb5b62f94a9e4d16f85892d1976c3 --- /dev/null +++ b/docs/en/docs/StratoVirt/Interconnect_isula.md 
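Review bot: Under Minimum Hardware Requirements in Install_StratoVirt.md, "AArch64 requires ARMv8 or a later version and supports virtualization extension. x86_64 supports VT-x." reads as a description of the architectures rather than a requirement; state that the host CPU must provide the virtualization extension (AArch64) or VT-x (x86_64). "To use StratoVirt virtualization, it is necessary to install StratoVirt" can be cut down to the yum source prerequisite.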
@@ -0,0 +1,108 @@ +# Connecting to the iSula Security Container + +## Overview + +To provide a better isolation environment for containers and improve system security, it is recommended to use the iSula security container, that is, connect StratoVirt to the iSula security container. + +## Connecting to the iSula Security Container + +### **Prerequisites** + +The iSulad and kata-containers have been installed, and the iSulad supports the kata-runtime container runtime and the devicemapper storage driver. + +The following describes how to install and configure iSulad and kata-containers. + +1. Configure the yum repo and install iSulad and kata-containers as user **root**. + + ```shell + # yum install iSulad + # yum install kata-containers + ``` + +2. Create and configure a storage device. + + Plan the drive in advance, for example, /dev/sdx, which will be formatted. + + ```shell + # pvcreate /dev/sdxx + # vgcreate isulaVG0 /dev/sdxx + # lvcreate --wipesignatures y -n thinpool isulaVG0 -l 95%VG + # lvcreate --wipesignatures y -n thinpoolmeta isulaVG0 -l 1%VG + # lvconvert -y --zero n -c 512K --thinpool isulaVG0/thinpool --poolmetadata isulaVG0/thinpoolmeta + ``` + + Add the following information to the **/etc/lvm/profile/isulaVG0-thinpool.profile** file: + + ``` + activation { + thin_pool_autoextend_threshold=80 + thin_pool_autoextend_percent=20 + } + ``` + + Modify storage-driver and storage-opts in the **/etc/isulad/daemon.json** configuration file as follows. Set the default storage driver type **overlay** to **devicemapper**. + + ``` + "storage-driver": "devicemapper", + "storage-opts": [ + "dm.thinpooldev=/dev/mapper/isulaVG0-thinpool", + "dm.fs=ext4", + "dm.min_free_space=10%" + ], + ``` + +3. Restart iSulad. + + ```shell + # systemctl daemon-reload + # systemctl restart isulad + ``` + +4. Check whether the iSula storage driver is successfully configured. 
+ + ```shell + # isula info + ``` + + If the following information is displayed, the configuration is successful: + + ``` + Storage Driver: devicemapper + ``` + +### **Connection Guide** + +StratoVirt connects to the iSula security container, that is, StratoVirt connects to kata-runtime in the iSula security container. The procedure is as follows: + +1. Modify the kata configuration file (the default path is **/usr/share/defaults/kata-containers/configuration.toml**). Set the hypervisor type of the secure container to **stratovirt**, the kernel to the absolute path of the StratoVirt kernel image, and initrd to the initrd image file of kata-containers. When using yum to install kata-containers, the two image files are downloaded by default and stored in the **/var/lib/kata/ directory**. Other images is permitted as well. + + The configuration is as follows: + + ```shell + [hypervisor.stratovirt] + path = "/usr/bin/stratovirt" + kernel = "/var/lib/kata/vmlinux.bin" + initrd = "/var/lib/kata/kata-containers-initrd.img" + block_device_driver = "virtio-mmio" + use_vsock = true + enable_netmon = true + internetworking_model="tcfilter" + sandbox_cgroup_with_emulator = false + disable_new_netns = false + disable_block_device_use = false + disable_vhost_net = true + ``` + +2. Use the root permission and **isula** command to run the BusyBox security container to connect the StratoVirt to the security container. + + ```shell + # isula run -tid --runtime=kata-runtime --net=none --name test busybox:latest sh + ``` + +3. Run the **isula ps** command to check whether the test security container is running properly. If yes, run the following command to access the test container: + + ``` + # isula exec –ti test sh + ``` + +Now, it is feasible to run container commands in the test container. \ No newline at end of file 
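Review bot: In Connection Guide step 3 of Interconnect_isula.md, `isula exec –ti test sh` uses an en dash instead of a hyphen, so the command fails when copied; it should be `-ti`. In Prerequisites step 2 the prose names /dev/sdx while the commands use /dev/sdxx; pick one placeholder, and since the text says the drive "will be formatted", say plainly that the commands destroy existing data on it. The configuration.toml block is fenced as shell, "Other images is permitted" needs "are", the bold in `**/var/lib/kata/ directory**` swallows the word "directory", and the file has no trailing newline.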
diff --git a/docs/en/docs/StratoVirt/Manage_life_cycle.md b/docs/en/docs/StratoVirt/Manage_life_cycle.md new file mode 100644 index 0000000000000000000000000000000000000000..bb0e4f7551fab8936283dda5fff482e15bf8f2e0 --- /dev/null +++ b/docs/en/docs/StratoVirt/Manage_life_cycle.md 
@@ -0,0 +1,123 @@ +# Managing the VM Lifecycle + + +## Overview + +This section describes how to use StratoVirt to manage the lifecycle of a VM, namely starting, pausing, resuming, and exiting a VM. + + + +## Creating and Starting a VM + +As described in the section "Configuring a VM", users can specify the VM configuration by using command line parameters or the JSON file, and run the stratovirt command on the host to create and start a VM. + +- Run the following command to create and start a VM: + +``` +$/path/to/stratovirt - [Parameter 1] [Parameter Option] - [Parameter 2] [Parameter Option]... +``` + + + +- Use the JSON file to provide the VM configuration. The command for creating and starting a VM is as follows: + +``` +$ /path/to/stratovirt \ + -config /path/to/json \ + -api-channel unix:/path/to/socket +``` + +Where, /path/to/json indicates the path of the JSON configuration file. /path/to/socket is the socket file specified by the user (for example, /tmp/stratovirt.socket). After the command is executed, the socket file is automatically created. Ensure that the socket file does not exist before executing the command, so that the VM can be started properly. + + + +> ![](./figures/en-05.png) +> +> After the VM is started, there are two NICs: eth0 and eth1. The two NICs are reserved for hot plugging: eth0 first, and then eth1. Currently, only two virtio-net NICs can be hot-plugged. + + + +## Connecting a VM + +StratoVirt uses QMP to manage VMs. To pause, resume, and exit a VM, connect it to StratoVirt through QMP first. + +Open a new CLI (CLI B) on the host and run the following command to perform the api-channel connection: + +``` +$ ncat -U /path/to/socket +``` + +After the connection is set up, a greeting message will be received from StratoVirt, as shown in the following figure. + +``` +{"QMP":{"version":{"qemu":{"micro":1,"minor":0,"major":4},"package":""},"capabilities":[]}} +``` + +Now, manage the VM by entering QMP commands in CLI B. 
+ + + +> ![](./figures/en-05.png) +> +> QMP provides stop, cont, quit, and query-status to manage and query the VM status. +> +> All QMP commands for managing VMs are entered in CLI B. `<-` indicates the command input, and `->` indicates the QMP returned result. + + + + + +## Pausing a VM + +QMP provides the stop command for pausing a VM, that is, pausing all vCPUs of the VM. Command format: + +**{"execute":"stop"}** + +**Example:** + +Run the stop command to pause the VM. The command output is as follows: + +``` +<- {"execute":"stop"} +-> {"event":"STOP","data":{},"timestamp":{"seconds":1583908726,"microseconds":162739}} +-> {"return":{}} +``` + + + + + +## Resuming a VM + +QMP provides the cont command to resume a VM, that is, to resume all vCPUs of the VM. Command format: + +**{"execute":"cont"}** + +**Example:** + +Run the cont command to resume the VM. The command output is as follows: + +``` +<- {"execute":"cont"} +-> {"event":"RESUME","data":{},"timestamp":{"seconds":1583908853,"microseconds":411394}} +-> {"return":{}} +``` + + + + + +## Exiting a VM + +QMP provides the quit command to exit a VM, that is, to exit the StratoVirt process. Command format: + +**{"execute":"quit"}** + +**Example:** + +``` +<- {"execute":"quit"} +-> {"event":"SHUTDOWN","data":{"guest":false,"reason":"host-qmp-quit"},"timestamp":{"ds":1590563776,"microseconds":519808}} +-> {"return":{}} +``` + diff --git a/docs/en/docs/StratoVirt/Manage_resource.md b/docs/en/docs/StratoVirt/Manage_resource.md new file mode 100644 index 0000000000000000000000000000000000000000..6cd758863291fdae97ee6248c95f01074e3f6a36 --- /dev/null +++ b/docs/en/docs/StratoVirt/Manage_resource.md 
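Review bot: In Creating and Starting a VM of Manage_life_cycle.md, the api-channel socket accepts stop, cont and quit from any process that can connect to it, yet the example path offered is /tmp/stratovirt.socket; recommend a socket path inside a directory that only the VM's operator can access, and document the permissions the socket is created with. Smaller points: the quit example's timestamp uses `"ds":1590563776` where the stop and cont examples use `"seconds"`; "as shown in the following figure" introduces a code block, not a figure; and `$/path/to/stratovirt` is missing the space after the prompt.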
@@ -0,0 +1,137 @@ +# Managing VM resources + + +## Overview + +This section describes how to use QMP commands to manage disks and NICs. + + + +> ![](./figures/en-05.png) +> +> StratoVirt uses QMP to manage VMs. Before using QMP to manage VM resources, use it to connect StratoVirt to the VM. For details, see "Managing the VM Life Cycle". + + + +## Hot-Pluggable Hard Disks + +StratoVirt supports adjusting the number of disks during VM running. That is, you can add or delete VM disks without interrupting services. + +### Hot Plugged-in Disk + +**Usage** + +``` +{"execute": "blockdev-add", "arguments": {"node-name": "drive-0", "file": {"driver": "file", "filename": "/path/to/block"}, "cache": {"direct": true}, "read-only": false}} +{"execute": "device_add", "arguments": {"id": "drive-0", "driver": "virtio-blk-mmio", "addr": "0x1"}} +``` + +**Parameter** + +- The value of node-name in blockdev-add must be the same as the value of id in device_add. They are both drive-0. + +- /path/to/block is the mirror path of the hot plugged-in disk. It cannot be the path of the disk image that boots the rootfs. +- For addr, 0x0 is mapped to vda of the VM, 0x1 is mapped to vdb, and so on. To be compatible with the QMP protocol, "addr" can be replaced by "lun", but lun=0 is mapped to the vdb of the client. Only six virtio-blk disks can be hot added. + +**Example** + +``` +<- {"execute": "blockdev-add", "arguments": {"node-name": "drive-0", "file": {"driver": "file", "filename": "/path/to/block"}, "cache": {"direct": true}, "read-only": false}} +-> {"return": {}} +<- {"execute": "device_add", "arguments": {"id": "drive-0", "driver": "virtio-blk-mmio", "addr": "0x1"}} +-> {"return": {}} +``` + + + +### Hot Plugged-out Disk + +**Usage** + +**{"execute": "device_del", "arguments": {"id":"drive-0"}}** + +**Parameter** + +id indicates the ID of the hot plugged-out disk. 
+ +**Example** + +``` +<- {"execute": "device_del", "arguments": {"id": "drive-0"}} +-> {"event":"DEVICE_DELETED","data":{"device":"drive-0","path":"drive-0"},"timestamp":{"seconds":1598513162,"microseconds":367129}} +-> {"return": {}} +``` + + + +## Hot-Pluggable NIC + +StratoVirt allows users to adjust the number of NICs during VM running. That is, users can add or delete NICs for VMs without interrupting services. + +### Hot Plugged-in NIC + +**Preparations (Requiring the Root Permission)** + +1. Create and enable a Linux bridge. For example, if the bridge name is qbr0, run the following command: + + ```shell + # brctl addbr qbr0 + # ifconfig qbr0 up + ``` + +2. Create and enable a tap device. For example, if the tap device name is **tap0**, run the following command: + + ```shell + # ip tuntap add tap0 mode tap + # ifconfig tap0 up + ``` + +3. Add the tap device to the bridge. + + ```shell + # brctl addif qbr0 tap0 + ``` + + ​ + +**Usage** + +``` +{"execute":"netdev_add", "arguments":{"id":"net-0", "ifname":"tap0"}} +{"execute":"device_add", "arguments":{"id":"net-0", "driver":"virtio-net-mmio", "addr":"0x0"}} +``` + +**Parameter** + +- The ID in netdev_add must be the same as that in device_add. Ifname indicates the name of the TAP device. + +- For addr, 0x0 is mapped to eth0 of the VM, and 0x1 to eth1. Only two virtio-net NICs can be hot plugged in. + + +**Example** + +``` +<- {"execute":"netdev_add", "arguments":{"id":"net-0", "ifname":"tap0"}} +<- {"execute":"device_add", "arguments":{"id":"net-0", "driver":"virtio-net-mmio", "addr":"0x0"}} +``` + +Where, addr:0x0 corresponds to eth0 in the VM. + +### Hot Plugged-out NIC + +**Usage** + +**{"execute": "device_del", "arguments": {"id": "net-0"}}** + +**Parameter** + +id: specifies the NIC ID, for example, net-0. 
+ +**Example** + +``` +<- {"execute": "device_del", "arguments": {"id": "net-0"}} +-> {"event":"DEVICE_DELETED","data":{"device":"net-0","path":"net-0"},"timestamp":{"seconds":1598513339,"microseconds":97310}} +-> {"return": {}} +``` + diff --git a/docs/en/docs/StratoVirt/Prepare_env.md b/docs/en/docs/StratoVirt/Prepare_env.md new file mode 100644 index 0000000000000000000000000000000000000000..d8f9ff3e5a0e0ca459408792e1b75167a721537f --- /dev/null +++ b/docs/en/docs/StratoVirt/Prepare_env.md 
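Review bot: In the Hot Plugged-in Disk parameter list of Manage_resource.md, the addr/lun sentence is ambiguous: it maps addr 0x0 to vda and 0x1 to vdb, then says lun=0 maps to vdb "of the client" without saying whether lun is offset by one throughout or what "client" refers to; spell out the lun mapping and use "VM" as in the rest of the page. The Hot Plugged-in NIC example lists two `<-` commands with no `->` responses, unlike every other example; "mirror path" should read "image path"; and the opening NOTE cites "Managing the VM Life Cycle" while that page is titled "Managing the VM Lifecycle".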
@@ -0,0 +1,147 @@ +# Preparing the Environment + + +## Usage + +- StratoVirt supports only Linux VMs that use the x86_64 or AArch64 processor architecture and start the VM with same architecture. +- It is advised to compile, commissione, and deploye the StratoVirt on openEuler 21.03. +- StratoVirt can run with non-root permissions. + +## Environment Requirements + +The following environment is required for running StratoVirt: + +- /dev/vhost-vsock device (for implementing the MMIO) +- Nmap tool +- Kernel image and rootfs image + + + +## Preparing Devices and Tools + +- StratoVirt needs to implement the MMIO device. Therefore, before running StratoVirt, ensure that the `/dev/vhost-vsock` device exists. + + Check whether the device exists. + + ``` + $ ls /dev/vhost-vsock + /dev/vhost-vsock + ``` + + If the device does not exist, run the following command to generate the /dev/vhost-vsock device: + + ``` + $ modprobe vhost_vsock + ``` + + +- To use QMP commands, install the nmap tool. After configuring the yum source, run the following command to install the nmap tool: + + ``` + # yum install nmap + ``` + +## Preparing Images + +### Creating the Kernel Image + +The StratoVirt of the current version supports only the PE kernel image of the x86_64 and AArch64 platforms. The kernel image in PE format can be generated by using the following method: + +1. Run the following command to obtain the kernel source code of the openEuler: + + ``` + $ git clone https://gitee.com/openeuler/kernel + $ cd kernel + ``` + +2. Run the following command to check and switch the kernel version to 4.19: + + ``` + $ git checkout kernel-4.19 + ``` + +3. Configure and compile the Linux kernel. It is better to use the recommended configuration file ([Obtain configuration file](https://gitee.com/openeuler/stratovirt/tree/master/docs/kernel_config)). Copy it to the kernel directory, and rename it as `.config`. 
You can also run the following command to configure the kernel as prompted: + + ``` + $ make menuconfig + ``` + +4. Run the following command to create and convert the kernel image to the PE format. The converted image is vmlinux.bin. + + ``` + $ make -j vmlinux && objcopy -O binary vmlinux vmlinux.bin + ``` + + After the compilation is complete, the kernel image vmlinux.bin is generated in the current directory. + + ​ + +## Creating the Rootfs Image + +The rootfs image is a file system image. When the StratoVirt is started, the ext4 image with init can be loaded. To create an ext4 rootfs image, perform the following steps: + +1. Prepare a file with a proper size (for example, create a file with the size of 10 GiB in /home). + + ``` + $ cd /home + $ dd if=/dev/zero of=./rootfs.ext4 bs=1G count=10 + ``` + +2. Create an empty ext4 file system on this file. + + ``` + $ mkfs.ext4 ./rootfs.ext4 + ``` + +3. Mount the file image. Create the /mnt/rootfs directory and mount rootfs.ext4 to the /mnt/rootfs directory as user root. + + ``` + $ mkdir /mnt/rootfs + $ cd /home + $ sudo mount ./rootfs.ext4 /mnt/rootfs && cd /mnt/rootfs + ``` + +4. Obtain the latest alpine-mini rootfs of the corresponding processor architecture. + + - If the AArch64 processor architecture is used, run the following command: + + ``` + $ wget http://dl-cdn.alpinelinux.org/alpine/latest-stable/releases/aarch64/alpine-minirootfs-3.12.0-aarch64.tar.gz + $ tar -zxvf alpine-minirootfs-3.12.0-aarch64.tar.gz + $ rm alpine-minirootfs-3.12.0-aarch64.tar.gz + ``` + + + - For the x86_64 processor architecture, run the following command: + + ``` + $ wget http://dl-cdn.alpinelinux.org/alpine/latest-stable/releases/x86_64/alpine-minirootfs-3.12.0-x86_64.tar.gz + $ tar -zxvf alpine-minirootfs-3.12.0-x86_64.tar.gz + $ rm alpine-minirootfs-3.12.0-x86_64.tar.gz + ``` + + +5. 
Run the following command to create a simple /sbin/init for the ext4 file image: + + ``` + $ rm sbin/init; touch sbin/init && cat > sbin/init < { "return": { "running": true,"singlestep": false,"status": "running" } +``` + + + +## Querying Topology Information + +Run the query-cpus command to query the topology of all CPUs. + +- Usage: + +**{ "execute": "query-cpus" }** + +- Example: + +``` +<- { "execute": "query-cpus" } +-> {"return":[{"CPU":0,"arch":"x86","current":true,"halted":false,"props":{"core-id":0,"socket-id":0,"thread-id":0},"qom_path":"/machine/unattached/device[0]","thread_id":8439},{"CPU":1,"arch":"x86","current":true,"halted":false,"props":{"core-id":0,"socket-id":1,"thread-id":0},"qom_path":"/machine/unattached/device[1]","thread_id":8440}]} +``` + +## Querying vCPU Online Status + +Run the query-hotpluggable-cpus command to query the online or offline status of all vCPUs. + +- Usage: + +**{ "execute": "query-hotpluggable-cpus" }** + +- Example: + +``` +<- { "execute": "query-hotpluggable-cpus" } +-> {"return":[{"props":{"core-id":0,"socket-id":0,"thread-id":0},"qom-path":"/machine/unattached/device[0]","type":"host-x86-cpu","vcpus-count":1},{"props":{"core-id":0,"socket-id":1,"thread-id":0},"qom-path":"/machine/unattached/device[1]","type":"host-x86-cpu","vcpus-count":1}]} +``` + +Where, online vCPUs have the `qom-path` item, while offline vCPUs do not. diff --git a/docs/en/docs/StratoVirt/StratoVirt_Intoduction.md b/docs/en/docs/StratoVirt/StratoVirt_Intoduction.md new file mode 100644 index 0000000000000000000000000000000000000000..582ba255a1e2c2c9729088849d9b272af1de9694 --- /dev/null +++ b/docs/en/docs/StratoVirt/StratoVirt_Intoduction.md 
@@ -0,0 +1,24 @@ +# Introduction to StratoVirt + + +## Overview + +StratoVirt is an enterprise-class virtualization platform for cloud data centers in the computing industry, enabling a unified architecture that supports virtual machines, containers and Serverless scenarios. On top of that, StratoVirt has a key technology competitive advantage in terms of lightweight, low noise, hard and soft collaboration, Rust language-level security, and more. StratoVirt reserves the capabilities and interfaces for component assembly in architectural design and interfaces. More importantly, StratoVirt has the flexibility to assemble advanced features on demand until it evolves to support standard virtualization, finding the best balance between feature requirements, applications scenarios, and light flexibility. + + + +## Architecture Description + +The StratoVirt core architecture is divided into three layers from top to bottom: + +- OCI: compatible with the QEMU Machine Protocol (QMP), which has complete OCI compatibility capabilities. +- BootLoader: discards the traditional BIOS+GRUB boot mode and implements a lighter and faster bootloader. +- MicroVM: virtualization layer, which fully leverages the capability of software and hardware collaboration to simplify the device model and the capability of low-latency resource scaling. + +The overall architecture is shown in **Figure 1**. + +**Figure 1** Overall architecture of StratoVirt + +![](./figures/arc.png) + + diff --git a/docs/en/docs/StratoVirt/StratoVrit_guidence.md b/docs/en/docs/StratoVirt/StratoVrit_guidence.md new file mode 100644 index 0000000000000000000000000000000000000000..461f0bf0490f0a18176972f10c4ea8f7edee1491 --- /dev/null +++ b/docs/en/docs/StratoVirt/StratoVrit_guidence.md 
@@ -0,0 +1,4 @@ +# StratoVirt Virtualization User Guide + +This document describes Stratovirt virtualization, providing instructions on how to install Stratovirt based on openEuler and how to use Stratovirt virtualization. The purpose is to help users learn about Stratovirt and guide users and administrators to install and use StratoVirt. + diff --git a/docs/en/docs/StratoVirt/VM_configuration.md b/docs/en/docs/StratoVirt/VM_configuration.md new file mode 100644 index 0000000000000000000000000000000000000000..55d47b434a04e42f85bf44b7aee386d666f178e6 --- /dev/null +++ b/docs/en/docs/StratoVirt/VM_configuration.md 
@@ -0,0 +1,232 @@ +# Configuring a VM + +## Overview + +Different from Libvirt that uses XML files to configure VMs, StratoVirt can use command line parameters or the JSON file to configure the VM CPU, memory, and disk information. This section describes the two configuration methods. + +> ![](./figures/en-05.png) +> +> If both methods can be used, incline to the command line configuration. +> +> In this document, /path/to/socket is the socket file in the user-defined path. + + + + + +## Specifications + +- Number of VM CPUs: [1,254] +- VM memory size: [128MiB,512GiB] +- Number of VM disks (including hot swap disks): [0,6] +- Number of VM NICs (including hot swap NICs): [0,2] +- The VM console device supports only single way connection. +- On the x86_64 platform, a maximum of 11 mmio devices can be configured. But a maximum of two other devices except disks and NICs is recommended. On the AArch64 platform, the maximum of mmio devices is 160, but the maximum of other devices is recommend to be 12, also excluding disks and NICs. + +## Minimum Configuration + +The minimum configuration of the StratoVirt is as follows: + +- There is a Linux kernel file in PE format. +- Set the rootfs image as the virtio-blk device and add it to kernel parameters. +- Use api-channel to control StratoVirt. +- If you want to use ttyS0 for login, add a serial port to the startup command line and add ttyS0 to kernel parameters. + + + +## Command Line Configuration + +**Overview** + +Command line configuration directly specifies the VM configuration content using command line parameters. + +**Command Format** + +The format of the command configured by running the cmdline command is as follows: + +**$ /path/to/stratovirt** *-[Parameter 1] [Parameter Option] -[Parameter 2] [Parameter Option] ...* + +**Usage** + +1. 
To ensure that the socket required by api-channel can be created, run the following command to clear the environment: + + ``` + $rm [parameter] [user-defined socket file path] + ``` + + +2. Run the cmdline command. + + ``` + $ /path/to/stratovirt -[Parameter 1] [Parameter Option] -[Parameter 2] [Parameter Option] ... + ``` + + +**Parameter Description** + +The following table lists the parameters of the cmdline command. + +**Table 1** Description of command line configuration parameters + +| Parameter | Value | Description | +| ---------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | +| -name | *VMName* | Configures the VM name (a string of 1 to 255 characters).| +| -kernel | /path/to/vmlinux.bin | Configures the kernel image.| +| -append | console=ttyS0 root=/dev/vda reboot=k panic=1 | Configures kernel command line parameters.| +| -initrd | /path/to/initrd.img | Configures the initrd file.| +| -smp | [cpus=] Number of CPUs | Configures the number of CPUs. The value range is [1,254].| +| -m | Byte/MiB/GiB | Configures the memory size. The value range is [128MiB,512GiB]. | +| -drive | id=rootfs,file=/path/to/rootfs[,readonly=false,direct=true,serial=serial_num] | Configures the virtio-blk device.| +| -netdev | id=iface_id,netdev=tap0[,mac=mac_address] | Configures the virtio-net device.| +| -chardev | id=console_id,path=/path/to/socket | Configures virtio-console. Ensure that the socket file does not exist before running the command.| +| -device | vsock,id=vsock_id,guest-cid=3 | Configures vhost-vsock.| +| -api-channel | unix:/path/to/socket | Configures api-channel. Before running this command, ensure that the socket file does not exist.| +| -serial | stdio | Configures a serial port device.| +| -D | /path/to/logfile | Configures log files.| +| -pidfile | /path/to/pidfile | Configures the PID file. 
This parameter must be used together with -daemonize.| +| -disable-seccomp | N/A | Disables the Seccomp, which is enabled by default.| +| -omit_vm_memory | N/A | Do not dump the VM memory when the process enters the panic state.| +| -daemonize | N/A | Enables the daemon process.| + + + +**Example** + +1. Delete the socket file to ensure that the api-channel can be created. + + ``` + $ rm -f /tmp/stratovirt.socket + ``` + + +2. Run StratoVirt. + + ``` + $ /path/to/stratovirt \ + -kernel /path/to/vmlinux.bin \ + -append console=ttyS0 root=/dev/vda rw reboot=k panic=1 \ + -drive file=/home/rootfs.ext4,id=rootfs,readonly=false \ + -api-channel unix:/tmp/stratovirt.socket \ + -serial stdio + ``` + + After the running is successful, the VM is created and started based on the specified configuration parameters. + + + +## JSON Configuration + + + +**Overview** + +Configuration using the JSON file indicates that when running StratoVirt to create a VM, the system reads the specified JSON file that contains the VM configuration. + +**Command Format** + +The format of the command for configuring a VM using the JSON file is as follows. In this command, /path/to/json indicates the path of the corresponding file. + +**$ /path/to/stratovirt -config** */path/to/json -[Parameter] [Parameter Option]* + +**Usage** + +1. Create a JSON file and write the VM configuration to the file. + +2. Run the StratoVirt command to create a VM. + + ``` + $ /path/to/stratovirt -config /path/to/json - [Parameter] [Parameter Option] + ``` + +**Parameter Description** + +The following table describes the configurable parameters in the JSON file. 
+ +**Table 2** Parameters in the configuration file + +| Parameter | Value | Description | +| -------------- | ------------------------------------------------------------ | ---------------------------------------------------- | +| boot-source | "kernel_image_path": "/path/to/vmlinux.bin","boot_args": "console=ttyS0 reboot=k panic=1 pci=off tsc=reliable ipv6.disable=1 root=/dev/vda quiet","initrd_fs_path": "/path/to/initrd.img" | Configures the kernel image and kernel parameters. The `initrd_fs_path` parameter is optional. | +| machine-config | "name": "abc","vcpu_count": 4,"mem_size": 805306368,"omit_vm_memory": true | Configures the virtual CPU and memory size. The `omit_vm_memory` parameter is optional. | +| drive | "drive_id": "rootfs","path_on_host": "/path/to/rootfs.ext4","read_only": false,"direct": true,"serial_num": "xxxxx" | Configures the virtio-blk disk. The `serial_num` parameter is optional. | +| net | "iface_id": "net0","host_dev_name": "tap0","mac": "xx:xx:xx:xx:xx:xx" | Configures the virtio-net NIC. The `mac` parameter is optional. | +| console | "console_id": "charconsole0","socket_path": "/path/to/socket" | Configures the virtio-console serial port. Before running the serial port, ensure that the socket file does not exist. | +| vsock | "vsock_id": "vsock0","guest_cid": 3 | Configures the virtio-vsock device. | +| serial | "stdio": true | Configures a serial port device.| + + + +The following table lists the parameters running in JSON. + +**Table 3** Parameters running in JSON + +| Parameter | Value | Description | +| ---------------- | -------------------- | ------------------------------------------------------------ | +| -config | /path/to/json | Configures the file path.| +| -api-channel | unix:/path/to/socket | Configures api-channel. Before running this command, ensure that the socket file does not exist. 
| +| -D | /path/to/logfile | Configures log files.| +| -pidfile | /path/to/pidfile | Configures the PID file, which must be used together with daemonize. Before running the command, make sure that the PID file does not exist. | +| -disable-seccomp | N/A | Disables the Seccomp, which is enabled by default. | +| -daemonize | N/A | Enables the daemon process.| + + + +**Example** + +1. Create a JSON file, for example, /home/config.json. The file content is as follows: + +``` +{ + "boot-source": { + "kernel_image_path": "/path/to/vmlinux.bin", + "boot_args": "console=ttyS0 reboot=k panic=1 pci=off tsc=reliable ipv6.disable=1 root=/dev/vda quiet" + }, + "machine-config": { + "name": "abc", + "vcpu_count": 2, + "mem_size": 268435456, + "omit_vm_memory": false + }, + "drive": [ + { + "drive_id": "rootfs", + "path_on_host": "/path/to/rootfs.ext4", + "direct": true, + "read_only": false, + "serial_num": "abcd" + } + ], + "net": [ + { + "iface_id": "net0", + "host_dev_name": "tap0", + "mac": "0e:90:df:9f:a8:88" + } + ], + "console": { + "console_id": "charconsole0", + "socket_path": "/path/to/console.socket" + }, + "serial": { + "stdio": true + }, + "vsock": { + "vsock_id": "vsock-123321132", + "guest_cid": 4 + } +} + +``` + + + +2. Run StratoVirt to read the JSON file and create and start the VM. + +``` +$ /path/to/stratovirt \ + -config /home/config.json \ + -api-channel unix:/tmp/stratovirt.socket +``` + +Successful execution of the command indicates that the VM is successfully created and started. + diff --git a/docs/en/docs/StratoVirt/figures/arc.png b/docs/en/docs/StratoVirt/figures/arc.png new file mode 100644 index 0000000000000000000000000000000000000000..baf5526d077a452c9d8a18af38638c8db9150d27 Binary files /dev/null and b/docs/en/docs/StratoVirt/figures/arc.png differ 
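Review bot: In Prepare_env.md, step 4 of the rootfs procedure fetches the Alpine minirootfs over plain HTTP (`wget http://dl-cdn.alpinelinux.org/alpine/latest-stable/releases/...`) and unpacks it as the guest root file system with no checksum or signature check. Suggest an https URL and a verification step before `tar -zxvf`. The URL also combines the moving `latest-stable` directory with the fixed file name `alpine-minirootfs-3.12.0-*.tar.gz`, so it stops resolving once latest-stable points at a newer release; pin the release directory to match the file name. Smaller points in the same file: the Usage bullet reads "compile, commissione, and deploye", `## Creating the Rootfs Image` sits one heading level above its sibling `### Creating the Kernel Image`, and `modprobe vhost_vsock` is shown with a `$` prompt although it needs root.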
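Review bot: In VM_configuration.md, both examples place the api-channel socket in /tmp (`rm -f /tmp/stratovirt.socket`, then `-api-channel unix:/tmp/stratovirt.socket`), a directory every local user can write to, while the Minimum Configuration list says api-channel is what controls StratoVirt. Suggest the examples use a directory owned by the user that runs StratoVirt. Table 1 and Table 3 also describe `-pidfile` differently: Table 1 says it must be used with `-daemonize`, Table 3 says "daemonize" and adds that the PID file must not already exist; the two rows should carry the same text.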
diff --git a/docs/en/docs/StratoVirt/figures/en-05.png b/docs/en/docs/StratoVirt/figures/en-05.png new file mode 100644 index 0000000000000000000000000000000000000000..ad5ed3f7beeb01e6a48707c4806606b41d687e22 Binary files /dev/null and b/docs/en/docs/StratoVirt/figures/en-05.png differ diff --git a/content/en/docs/Virtualization/appendix.md b/docs/en/docs/Virtualization/appendix.md similarity index 100% rename from content/en/docs/Virtualization/appendix.md rename to docs/en/docs/Virtualization/appendix.md diff --git a/content/en/docs/Virtualization/best-practices.md b/docs/en/docs/Virtualization/best-practices.md similarity index 56% rename from content/en/docs/Virtualization/best-practices.md rename to docs/en/docs/Virtualization/best-practices.md index c2b4164230dd668da1cad297852c496e09e71a50..52bb9051da6c1db32b7e7663f11f8f14fa9e7b60 100644 --- a/content/en/docs/Virtualization/best-practices.md +++ b/docs/en/docs/Virtualization/best-practices.md @@ -1,16 +1,5 @@ # Best Practices -- [Best Practices](#best-practices) - - [Performance Best Practices](#performance-best-practices) - - [Halt-Polling](#halt-polling) - - [I/O Thread Configuration](#i-o-thread-configuration) - - [Raw Device Mapping](#raw-device-mapping) - - [kworker Isolation and Binding](#kworker-isolation-and-binding) - - [HugePage Memory](#hugepage-memory) - - [Security Best Practices](#security-best-practices) - - [Libvirt Authentication](#libvirt-authentication) - - [qemu-ga](#qemu-ga) - - [sVirt Protection](#svirt-protection) ## Performance Best Practices 
@@ -20,7 +9,7 @@ If compute resources are sufficient, the halt-polling feature can be used to enable VMs to obtain performance similar to that of physical machines. If the halt-polling feature is not enabled, the host allocates CPU resources to other processes when the vCPU exits due to idle timeout. When the halt-polling feature is enabled on the host, the vCPU of the VM performs polling when it is idle. The polling duration depends on the actual configuration. If the vCPU is woken up during the polling, the vCPU can continue to run without being scheduled from the host. This reduces the scheduling overhead and improves the VM system performance. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The halt-polling mechanism ensures that the vCPU thread of the VM responds in a timely manner. However, when the VM has no load, the host also performs polling. As a result, the host detects that the CPU usage of the vCPU is high, but the actual CPU usage of the VM is not high. #### Instructions 
@@ -219,6 +208,92 @@ If VMs use static HugePages, you can disable THP to reduce the overhead of the h ``` +### PV-qspinlock + +#### Overview + +PV-qspinlock optimizes the spin lock in the virtual scenario of CPU overcommitment. It allows the hypervisor to set the vCPU in the lock context to the block state and wake up the corresponding vCPU after the lock is released. In this way, pCPU resources can be better used in the overcommitment scenario, and the compilation application scenario is optimized to reduce the compilation duration. + +#### Procedure + +Modify the /boot/efi/EFI/openEuler/grub.cfg configuration file of the VM, add arm_pvspin to the startup parameter in the command line, and restart the VM for the modification to take effect. After PV-qspinlock takes effect, run the dmesg command on the VM. The following information is displayed: + +``` +[ 0.000000] arm-pv: PV qspinlocks enabled +``` + +>![](./public_sys-resources/icon-note.gif) **Note:** +>PV-qspinlock is supported only when the operating systems of the host machine and VM are both openEuler 20.09 or later and the VM kernel compilation option CONFIG_PARAVIRT_SPINLOCKS is set to y (default value for openEuler). + +### Guest-Idle-Haltpoll + +#### Overview + +To ensure fairness and reduce power consumption, when the vCPU of the VM is idle, the VM executes the WFx/HLT instruction to exit to the host machine and triggers context switchover. The host machine determines whether to schedule other processes or vCPUs on the physical CPU or enter the energy saving mode. However, overheads of switching between a virtual machine and a host machine, additional context switching, and IPI wakeup are relatively high, and this problem is particularly prominent in services where sleep and wakeup are frequently performed. The Guest-Idle-Haltpoll technology indicates that when the vCPU of a VM is idle, the WFx/HLT is not executed immediately and VM-exit occurs. 
Instead, polling is performed on the VM for a period of time. During this period, the tasks of other vCPUs that share the LLC on the vCPU are woken up without sending IPI interrupts. This reduces the overhead of sending and receiving IPI interrupts and the overhead of VM-exit, thereby reducing the task wakeup latency. + +>![](public_sys-resources/icon-note.gif) **Note:** + The execution of the idle-haltpoll command by the vCPU on the VM increases the CPU overhead of the vCPU on the host machine. Therefore, it is recommended that the vCPU exclusively occupy physical cores on the host machine when this feature is enabled. + +#### Procedure + +The Guest-Idle-Haltpoll feature is disabled by default. The following describes how to enable this feature. + +1. Enable the Guest-Idle-Haltpoll feature. + - If the processor architecture of the host machine is x86, you can configure hint-dedicated in the XML file of the VM on the host machine to enable this feature. In this way, the status that the vCPU exclusively occupies the physical core can be transferred to the VM through the VM XML configuration. The host machine ensures the status of the physical core exclusively occupied by the vCPU. + + ``` + + ... + + + ... + + + + ... + + ``` + + Alternatively, set cpuidle\_haltpoll.force to Y in the kernel startup parameters of the VM to forcibly enable the function. This method does not require the host machine to configure the vCPU to exclusively occupy the physical core. + ``` + cpuidle_haltpoll.force=Y + ``` + + - If the processor architecture of the host machine is AArch64, this feature can be enabled only by configuring cpuidle\_haltpoll.force=Y haltpoll.enable=Y in the VM kernel startup parameters. + + ``` + cpuidle_haltpoll.force=Y haltpoll.enable=Y + ``` + +2. Check whether the Guest-Idle-Haltpoll feature takes effect. Run the following command on the VM. If haltpoll is returned, the feature has taken effect. 
+ + ``` + # cat /sys/devices/system/cpu/cpuidle/current_driver + ``` + +3. (Optional) Set the Guest-Idle-Haltpoll parameter. + + The following configuration files are provided in the /sys/module/haltpoll/parameters/ directory of the VM. You can adjust the configuration parameters based on service characteristics. + + - guest\_halt\_poll\_ns: a global parameter that specifies the maximum polling duration after the vCPU is idle. The default value is 200000 (unit: ns). + - guest\_halt\_poll\_shrink: a divisor that is used to shrink the current vCPU guest\_halt\_poll\_ns when the wakeup event occurs after the global guest\_halt\_poll\_ns time. The default value is 2. + - guest\_halt\_poll\_grow: a multiplier that is used to extend the current vCPU guest\_halt\_poll\_ns when the wakeup event occurs after the current vCPU guest\_halt\_poll\_ns and before the global guest\_halt\_poll\_ns. The default value is 2. + - guest\_halt\_poll\_grow\_start: When the system is idle, the guest\_halt\_poll\_ns of each vCPU reaches 0. This parameter is used to set the initial value of the current vCPU guest\_halt\_poll\_ns to facilitate scaling in and scaling out of the vCPU polling duration. The default value is 50000 (unit: ns). + - guest\_halt\_poll\_allow\_shrink: a switch that is used to enable vCPU guest\_halt\_poll\_ns scale-in. The default value is Y. (Y indicates enabling the scale-in; N indicates disabling the scale-in.) + + You can run the following command as the user root to change the parameter values: In the preceding command, _value_ indicates the parameter value to be set, and _configFile_ indicates the corresponding configuration file. + + ``` + # echo value > /sys/module/haltpoll/parameters/configFile + ``` + + For example, to set the global guest\_halt\_poll\_ns to 200000 ns, run the following command: + + ``` + # echo 200000 > /sys/module/haltpoll/parameters/guest_halt_poll_ns + ``` + + ## security Best Practices ### Libvirt Authentication 
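Review bot: In step 3 of the Guest-Idle-Haltpoll procedure, the sentence "In the preceding command, _value_ indicates the parameter value to be set" comes before the `echo value > /sys/module/haltpoll/parameters/configFile` block it describes, so it should say "the following command" or move below the block. The closing example writes 200000 to guest_halt_poll_ns, which the parameter list just above gives as the default, so a non-default value would show the effect better. The two notes added here use `**Note:**`, and the Guest-Idle-Haltpoll one uses `public_sys-resources/icon-note.gif` with a continuation line that lacks the `>` prefix, while the other hunks in this file switch to `./public_sys-resources/icon-note.gif` under `**NOTE:**`; please align them.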
@@ -313,7 +388,7 @@ QEMU guest agent \(qemu-ga\) is a daemon running within VMs. It allows users on In some scenarios with high security requirements, qemu-ga provides the blacklist function to prevent internal information leakage of VMs. You can use a blacklist to selectively shield some functions provided by qemu-ga. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The qemu-ga installation package is **qemu-guest-agent-**_xx_**.rpm**. It is not installed on openEuler by default. _xx_ indicates the actual version number. #### Procedure @@ -364,7 +439,7 @@ To add a qemu-ga blacklist, perform the following steps: root 727 1 0 08:17 ? 00:00:00 /usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist=guest-file-open guest-file-close guest-file-read guest-file-write guest-file-seek guest-file-flush -F/etc/qemu-ga/fsfreeze-hook ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >For more information about qemu-ga, visit [https://wiki.qemu.org/Features/GuestAgent](https://wiki.qemu.org/Features/GuestAgent). 
@@ -429,3 +504,153 @@ In a virtualization environment that uses the discretionary access control \(DAC ``` +### VM Trusted Boot + +#### Overview + +Trusted boot includes measure boot and remote attestation. The measure boot function is mainly provided by virtualization component. The remote attestation function is enabled by users who install related software (RA client) on VMs and set up the RA server. + +The two basic elements for measure boot are the root of trust (RoT) and chain of trust. The basic idea is to establish a RoT in the computer system. The trustworthiness of the RoT is ensured by physical security, technical security, and management security, that is, CRTM (Core Root of Trust for Measurement). A chain of trust is established, starting from the RoT to the BIOS/BootLoader, operating system, and then to the application. The measure boot and trust is performed by one level to the previous level. Finally, the trust is extended to the entire system. The preceding process looks like a chain, so it is called a chain of trust. + +The CRTM is the root of the measure boot and the first component of the system startup. No other code is used to check the integrity of the CRTM. Therefore, as the starting point of the chain of trust, it must be an absolutely trusted source of trust. The CRTM needs to be technically designed as a segment of read-only or strictly restricted code to defend against BIOS attacks and prevent remote injection of malicious code or modification of startup code at the upper layer of the operating system. In a physical host, the CPU microcode is used as the CRTM. In a virtualization environment, the sec part of the vBIOS is generally the CRTM. + +During startup, the previous component measures (calculates the hash value) the next component, and then extends the measurement value to the trusted storage area, for example, the PCR of the TPM. 
The CRTM measurement BootLoader extends the measurement value to the PCR, and the BootLoader measurement OS extends the measurement value to the PCR. + + + +#### Configuring the vTPM Device to Enable Measurement Startup + +**Installing the swtpm and libtpms Software** + +swtpm provides a TPM emulator (TPM 1.2 and TPM 2.0) that can be integrated into a virtualization environment. So far, it has been integrated into QEMU and serves as a prototype system in RunC. swtpm uses libtpms to provide TPM1.2 and TPM2.0 simulation functions. +Currently, openEuler 21.03 provides the libtpms and swtpm sources. You can run the yum command to install them. + +``` +# yum install libtpms swtpm swtpm-devel swtpm-tools + +``` + + +**Configuring the vTPM Device for the VM** + +1. Add the following information to the AArch64 VM configuration file: + + ``` + + ... + + ... + + + + ... + + ... + + ``` + + Add the following information to the x86 VM configuration file: + + ``` + + ... + + ... + + + + ... + + ... + + ``` + >![](public_sys-resources/icon-note.gif) **NOTE:** + > Currently, openEuler20.09 AArch64 version does not support ACPI feature in VM trusted boot process. Therefore, do not configure the ACPI feature for VMs. Otherwise, the vTPM device cannot be identified after the VM is started. + +2. Create the VM. + + ``` + # virsh define MeasuredBoot.xml + ``` +3. Start the VM. + + Before starting the VM, run the chmod command to grant the following permission to the /var/lib/swtpm-localca/ directory. Otherwise, the libvirt cannot start the swtpm. + + ``` + # chmod -R 777 /var/lib/swtpm-localca/ + # + # virsh start MeasuredbootVM + ``` + + +**Confirming that the Measure Boot Is Successfully Enabled** + +The vBIOS determines whether to enable the measure boot function. Currently, the vBIOS in openEuler 20.09 has the measure boot capability. If the host machine uses the edk2 component of another version, check whether the edk2 component supports the measure boot function. 
+ +Log in to the VM as user root and check whether the TPM driver, tpm2-tss protocol stack, and tpm2-tools are installed on the VM. +By default, the tpm driver (tpm_tis.ko), tpm2-tss protocol stack, and tpm2-tools are installed in openEuler 21.03. If another OS is used, run the following command to check whether the driver and related tools are installed: + + +``` +# lsmod |grep tpm +# tpm_tis 16384 0 +# +# yum list installed | grep -E 'tpm2-tss|tpm2-tools' +# +# yum install tpm2-tss tpm2-tools +``` +You can run the tpm2_pcrread (tpm2_pcrlist in tpm2_tools of earlier versions) command to list all PCR values. + +``` +# tpm2_pcrread +sha1 : + 0 : fffdcae7cef57d93c5f64d1f9b7f1879275cff55 + 1 : 5387ba1d17bba5fdadb77621376250c2396c5413 + 2 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236 + 3 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236 + 4 : e5d40ace8bb38eb170c61682eb36a3020226d2c0 + 5 : 367f6ea79688062a6df5f4737ac17b69cd37fd61 + 6 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236 + 7 : 518bd167271fbb64589c61e43d8c0165861431d8 + 8 : af65222affd33ff779780c51fa8077485aca46d9 + 9 : 5905ec9fb508b0f30b2abf8787093f16ca608a5a + 10 : 0000000000000000000000000000000000000000 + 11 : 0000000000000000000000000000000000000000 + 12 : 0000000000000000000000000000000000000000 + 13 : 0000000000000000000000000000000000000000 + 14 : 0000000000000000000000000000000000000000 + 15 : 0000000000000000000000000000000000000000 + 16 : 0000000000000000000000000000000000000000 + 17 : ffffffffffffffffffffffffffffffffffffffff + 18 : ffffffffffffffffffffffffffffffffffffffff + 19 : ffffffffffffffffffffffffffffffffffffffff + 20 : ffffffffffffffffffffffffffffffffffffffff + 21 : ffffffffffffffffffffffffffffffffffffffff + 22 : ffffffffffffffffffffffffffffffffffffffff + 23 : 0000000000000000000000000000000000000000 +sha256 : + 0 : d020873038268904688cfe5b8ccf8b8d84c1a2892fc866847355f86f8066ea2d + 1 : 13cebccdb194dd916f2c0c41ec6832dfb15b41a9eb5229d33a25acb5ebc3f016 + 2 : 
3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 + 3 : 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 + 4 : 07f9074ccd4513ef1cafd7660f9afede422b679fd8ad99d25c0659eba07cc045 + 5 : ba34c80668f84407cd7f498e310cc4ac12ec6ec43ea8c93cebb2a688cf226aff + 6 : 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 + 7 : 65caf8dd1e0ea7a6347b635d2b379c93b9a1351edc2afc3ecda700e534eb3068 + 8 : f440af381b644231e7322babfd393808e8ebb3a692af57c0b3a5d162a6e2c118 + 9 : 54c08c8ba4706273f53f90085592f7b2e4eaafb8d433295b66b78d9754145cfc + 10 : 0000000000000000000000000000000000000000000000000000000000000000 + 11 : 0000000000000000000000000000000000000000000000000000000000000000 + 12 : 0000000000000000000000000000000000000000000000000000000000000000 + 13 : 0000000000000000000000000000000000000000000000000000000000000000 + 14 : 0000000000000000000000000000000000000000000000000000000000000000 + 15 : 0000000000000000000000000000000000000000000000000000000000000000 + 16 : 0000000000000000000000000000000000000000000000000000000000000000 + 17 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 18 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 19 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 20 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 21 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 22 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 23 : 0000000000000000000000000000000000000000000000000000000000000000 +``` diff --git a/content/en/docs/Virtualization/environment-preparation.md b/docs/en/docs/Virtualization/environment-preparation.md similarity index 89% rename from content/en/docs/Virtualization/environment-preparation.md rename to docs/en/docs/Virtualization/environment-preparation.md index 3124c15cc358b2f58047b191002a18611334056d..38f159cecac279ff014175321f2bfccdced114bd 100644 
--- a/content/en/docs/Virtualization/environment-preparation.md +++ b/docs/en/docs/Virtualization/environment-preparation.md @@ -114,7 +114,7 @@ To enable the VM to communicate with external networks, you need to configure th This section describes how to set up a Linux bridge and an Open vSwitch bridge to connect a VM to the network. You can select a bridge type based on the site requirements. **Figure 1** Virtual network structure -![](figures/virtual-network-structure.png "virtual-network-structure") +![](./figures/virtual-network-structure.png "virtual-network-structure") ### Setting Up a Linux Bridge @@ -172,7 +172,6 @@ If the Open vSwitch is used to provide virtual network, you need to install the 1. Install the Open vSwitch component. ``` - # yum install -y openvswitch-kmod # yum install -y openvswitch ``` 
@@ -185,35 +184,9 @@ If the Open vSwitch is used to provide virtual network, you need to install the **2. Check whether the installation is successful.** -Check whether the Open vSwitch components, openvswitch-kmod and openvswitch, are successfully installed. +Check whether the Open vSwitch components. -1. Check whether the openvswitch-kmod component is successfully installed. If the installation is successful, the software package information is displayed. The command and output are as follows: - - ``` - # rpm -qi openvswitch-kmod - Name : openvswitch-kmod - Version : 2.11.1 - Release : 1.oe3 - Architecture: aarch64 - Install Date: Thu 15 Aug 2019 05:07:49 PM CST - Group : System Environment/Daemons - Size : 15766774 - License : GPLv2 - Signature : (none) - Source RPM : openvswitch-kmod-2.11.1-1.oe3.src.rpm - Build Date : Thu 08 Aug 2019 04:33:08 PM CST - Build Host : armbuild10b175b113b44 - Relocations : (not relocatable) - Vendor : OpenSource Security Ralf Spenneberg - URL : http://www.openvswitch.org/ - Summary : Open vSwitch Kernel Modules - Description : - Open vSwitch provides standard network bridging functions augmented with - support for the OpenFlow protocol for remote per-flow control of - traffic. This package contains the kernel modules. - ``` - -2. Check whether the openvswitch component is successfully installed. If the installation is successful, the software package information is displayed. The command and output are as follows: +1. Check whether the openvswitch component is successfully installed. If the installation is successful, the software package information is displayed. The command and output are as follows: ``` # rpm -qi openvswitch 
@@ -239,7 +212,7 @@ Check whether the Open vSwitch components, openvswitch-kmod and openvswitch, are traffic. ``` -3. Check whether the Open vSwitch service is started successfully. If the service is in the **Active** state, the service is started successfully. You can use the command line tool provided by the Open vSwitch. The command and output are as follows: +2. Check whether the Open vSwitch service is started successfully. If the service is in the **Active** state, the service is started successfully. You can use the command line tool provided by the Open vSwitch. The command and output are as follows: ``` # systemctl status openvswitch diff --git a/docs/en/docs/Virtualization/figures/CertEnrollP1.png b/docs/en/docs/Virtualization/figures/CertEnrollP1.png new file mode 100644 index 0000000000000000000000000000000000000000..536e0618a3ab5b70937292205242a08237e34712 Binary files /dev/null and b/docs/en/docs/Virtualization/figures/CertEnrollP1.png differ diff --git a/docs/en/docs/Virtualization/figures/CertEnrollP2.png b/docs/en/docs/Virtualization/figures/CertEnrollP2.png new file mode 100644 index 0000000000000000000000000000000000000000..0557c8782960188dbe9d84a1d0e66c9b45d2b303 Binary files /dev/null and b/docs/en/docs/Virtualization/figures/CertEnrollP2.png differ diff --git a/docs/en/docs/Virtualization/figures/CertEnrollP3.png b/docs/en/docs/Virtualization/figures/CertEnrollP3.png new file mode 100644 index 0000000000000000000000000000000000000000..326fcf1e8d5e3c795ebcde286d8e0fef14bec7d1 Binary files /dev/null and b/docs/en/docs/Virtualization/figures/CertEnrollP3.png differ diff --git a/docs/en/docs/Virtualization/figures/CertEnrollP4.png b/docs/en/docs/Virtualization/figures/CertEnrollP4.png new file mode 100644 index 0000000000000000000000000000000000000000..bc77c038e1e3a5ec30d7ba4f805ca937792e9327 Binary files /dev/null and b/docs/en/docs/Virtualization/figures/CertEnrollP4.png differ 
diff --git a/docs/en/docs/Virtualization/figures/CertEnrollP5.png b/docs/en/docs/Virtualization/figures/CertEnrollP5.png new file mode 100644 index 0000000000000000000000000000000000000000..0f22b3cbd84f7c93f74898a926bc3e32f231667f Binary files /dev/null and b/docs/en/docs/Virtualization/figures/CertEnrollP5.png differ diff --git a/docs/en/docs/Virtualization/figures/CertEnrollP6.png b/docs/en/docs/Virtualization/figures/CertEnrollP6.png new file mode 100644 index 0000000000000000000000000000000000000000..08235013ca71f1ec51e9af2f143629d1a6132fe9 Binary files /dev/null and b/docs/en/docs/Virtualization/figures/CertEnrollP6.png differ diff --git a/docs/en/docs/Virtualization/figures/CertEnrollP7.png b/docs/en/docs/Virtualization/figures/CertEnrollP7.png new file mode 100644 index 0000000000000000000000000000000000000000..f934521d59dd4a75449fcb2ca8abc54045b9102b Binary files /dev/null and b/docs/en/docs/Virtualization/figures/CertEnrollP7.png differ diff --git a/docs/en/docs/Virtualization/figures/CertEnrollP8.png b/docs/en/docs/Virtualization/figures/CertEnrollP8.png new file mode 100644 index 0000000000000000000000000000000000000000..9a8158e3378bf25dee05b892cc60f424542455d7 Binary files /dev/null and b/docs/en/docs/Virtualization/figures/CertEnrollP8.png differ diff --git a/docs/en/docs/Virtualization/figures/OSBootFlow.png b/docs/en/docs/Virtualization/figures/OSBootFlow.png new file mode 100644 index 0000000000000000000000000000000000000000..f496c5675c72359e5160384c766a11399b04bfa6 Binary files /dev/null and b/docs/en/docs/Virtualization/figures/OSBootFlow.png differ diff --git a/docs/en/docs/Virtualization/figures/SecureBootFlow.png b/docs/en/docs/Virtualization/figures/SecureBootFlow.png new file mode 100644 index 0000000000000000000000000000000000000000..d639975800752c6eca6765a416c256a4752fb590 Binary files /dev/null and b/docs/en/docs/Virtualization/figures/SecureBootFlow.png differ 
diff --git a/content/en/docs/Virtualization/figures/en-us_image_0218587435.png b/docs/en/docs/Virtualization/figures/en-us_image_0218587435.png similarity index 100% rename from content/en/docs/Virtualization/figures/en-us_image_0218587435.png rename to docs/en/docs/Virtualization/figures/en-us_image_0218587435.png diff --git a/content/en/docs/Virtualization/figures/en-us_image_0218587436.png b/docs/en/docs/Virtualization/figures/en-us_image_0218587436.png similarity index 100% rename from content/en/docs/Virtualization/figures/en-us_image_0218587436.png rename to docs/en/docs/Virtualization/figures/en-us_image_0218587436.png diff --git a/content/en/docs/Virtualization/figures/kvm-architecture.png b/docs/en/docs/Virtualization/figures/kvm-architecture.png similarity index 100% rename from content/en/docs/Virtualization/figures/kvm-architecture.png rename to docs/en/docs/Virtualization/figures/kvm-architecture.png diff --git a/content/en/docs/Virtualization/figures/status-transition-diagram.png b/docs/en/docs/Virtualization/figures/status-transition-diagram.png similarity index 100% rename from content/en/docs/Virtualization/figures/status-transition-diagram.png rename to docs/en/docs/Virtualization/figures/status-transition-diagram.png diff --git a/docs/en/docs/Virtualization/figures/virtual-network-structure.png b/docs/en/docs/Virtualization/figures/virtual-network-structure.png new file mode 100644 index 0000000000000000000000000000000000000000..8a884a9212f8e35f545cfa01dc7320d145844390 Binary files /dev/null and b/docs/en/docs/Virtualization/figures/virtual-network-structure.png differ diff --git a/content/en/docs/Virtualization/figures/virtualized-architecture.png b/docs/en/docs/Virtualization/figures/virtualized-architecture.png similarity index 100% rename from content/en/docs/Virtualization/figures/virtualized-architecture.png rename to docs/en/docs/Virtualization/figures/virtualized-architecture.png 
diff --git a/content/en/docs/Virtualization/installation-to-virtualization.md b/docs/en/docs/Virtualization/installation-to-virtualization.md similarity index 98% rename from content/en/docs/Virtualization/installation-to-virtualization.md rename to docs/en/docs/Virtualization/installation-to-virtualization.md index d49588392512857b973c8a159aa2a3b27e051cf4..ea5c5457495869edfc8d5f84f86b04a6bee6d209 100644 --- a/content/en/docs/Virtualization/installation-to-virtualization.md +++ b/docs/en/docs/Virtualization/installation-to-virtualization.md @@ -25,7 +25,7 @@ The minimum hardware requirements for installing virtualization components on op #### Prerequisites -- The yum source has been configured. For details, see _openEuler 20.03 LTS Administrator Guide_. +- The yum source has been configured. For details, see _openEuler 21.03 Administrator Guide_. - Only the administrator has permission to perform the installation. #### Procedure @@ -49,7 +49,7 @@ The minimum hardware requirements for installing virtualization components on op ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The KVM module is integrated in the openEuler kernel and does not need to be installed separately. ### Verifying the Installation diff --git a/content/en/docs/Virtualization/introduction-to-virtualization.md b/docs/en/docs/Virtualization/introduction-to-virtualization.md similarity index 97% rename from content/en/docs/Virtualization/introduction-to-virtualization.md rename to docs/en/docs/Virtualization/introduction-to-virtualization.md index a97608208c1538e076c478f6f1a78b7706cd025f..0abe43ba5f4a5d869f2c8a5c68cbac325d9a4f83 100644 --- a/content/en/docs/Virtualization/introduction-to-virtualization.md +++ b/docs/en/docs/Virtualization/introduction-to-virtualization.md 
@@ -7,7 +7,7 @@ In computer technologies, virtualization is a resource management technology. It Virtualization enables multiple virtual machines \(VMs\) to run on a physical server. The VMs share the processor, memory, and I/O resources of the physical server, but are logically isolated from each other. In the virtualization technology, the physical server is called a host machine, the VM running on the host machine is called a guest, and the operating system \(OS\) running on the VM is called a guest OS. A layer of software, called the virtualization layer, exists between a host machine and a VM to simulate virtual hardware. This virtualization layer is called a VM monitor, as shown in the following figure. **Figure 1** Virtualized architecture -![](figures/virtualized-architecture.png "virtualized-architecture") +![](./figures/virtualized-architecture.png "virtualized-architecture") ## Virtualized Architecture @@ -25,7 +25,7 @@ Currently, mainstream virtualization technologies are classified into two types Kernel-based Virtual Machine \(KVM\) is a kernel module of Linux. It makes Linux a hypervisor. [Figure 2](#fig310953013541) shows the KVM architecture. KVM does not simulate any hardware device. It is used to enable virtualization capabilities provided by the hardware, such as Intel VT-x, AMD-V, Arm virtualization extensions. The user-mode QEMU simulates the mainboard, memory, and I/O devices. The user-mode QEMU works with the kernel KVM module to simulate VM hardware. The guest OS runs on the hardware simulated by the QEMU and KVM. **Figure 2** KVM architecture -![](figures/kvm-architecture.png "kvm-architecture") +![](./figures/kvm-architecture.png "kvm-architecture") ## Virtualization Components 
diff --git a/content/en/docs/Virtualization/managing-devices.md b/docs/en/docs/Virtualization/managing-devices.md similarity index 94% rename from content/en/docs/Virtualization/managing-devices.md rename to docs/en/docs/Virtualization/managing-devices.md index 9b963276fc2c671e42a9b8ec48889e01e6302b20..d9044dd93cf124863e74f723dfdc279744a3f6ea 100644 --- a/content/en/docs/Virtualization/managing-devices.md +++ b/docs/en/docs/Virtualization/managing-devices.md @@ -283,7 +283,7 @@ PCI passthrough directly assigns a physical PCI device on the host to a VM. The ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >VFIO passthrough is implemented by IOMMU group. Devices are divided to IOMMU groups based on access control services \(ACS\) on hardware. Devices in the same IOMMU group can be assigned to only one VM. If multiple functions on a PCI device belong to the same IOMMU group, they can be directly assigned to only one VM as well. ### SR-IOV Passthrough 
@@ -292,7 +292,7 @@ PCI passthrough directly assigns a physical PCI device on the host to a VM. The Single Root I/O Virtualization \(SR-IOV\) is a hardware-based virtualization solution. With the SR-IOV technology, a physical function \(PF\) can provide multiple virtual functions \(VFs\), and each VF can be directly assigned to a VM. This greatly improves hardware resource utilization and I/O performance of VMs. A typical application scenario is SR-IOV passthrough for NICs. With the SR-IOV technology, a physical NIC \(PF\) can function as multiple VF NICs, and then the VFs can be directly assigned to VMs. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- SR-IOV requires the support of physical hardware. Before using SR-IOV, ensure that the hardware device to be directly assigned supports SR-IOV and the device driver on the host OS works in SR-IOV mode. >- The following describes how to query the NIC model: >In the following command output, values in the first column indicate the PCI numbers of NICs, and **19e5:1822** indicates the vendor ID and device ID of the NIC. @@ -305,11 +305,13 @@ Single Root I/O Virtualization \(SR-IOV\) is a hardware-based virtualization sol >0b:00.0 Ethernet controller: Device 19e5:1822 (rev 45) >81:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01) >81:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01) -``` + +>``` #### Procedure + To configure SR-IOV passthrough for a NIC, perform the following steps: 1. Enable the SR-IOV mode for the NIC. 
@@ -450,7 +452,7 @@ To configure SR-IOV passthrough for a NIC, perform the following steps: - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >Disabling the SR-IOV function: >To disable the SR-IOV function after the VM is stopped and no VF is in use, run the following command: >The following uses the Hi1822 NIC \(corresponding network interface name: eth0\) as an example: 
@@ -459,6 +461,33 @@ To configure SR-IOV passthrough for a NIC, perform the following steps: >``` +#### SR-IOV Passthrough for the HPRE Accelerator + +The accelerator engine is a hardware acceleration solution provided by TaiShan 200 server based on the Kunpeng 920 processor. The HPRE accelerator is used to accelerate SSL/TLS applications. It significantly reduces processor consumption and improves processor efficiency. +On the Kunpeng server, the VF of the HPRE accelerator on the host needs to be passed through to the VM for internal services of the VM. + +**Table 1** HPRE accelerator description + +| items | Description | +|-------------|-----------------------------------------------------------------------------------------------------| +| Device name | Hi1620 on-chip RSA/DH security algorithm accelerator (HPRE engine) | +| Function | Modular exponentiation, RSA key pair operation, DH calculation, and auxiliary operations of large numbers (modular exponentiation, modular multiplication, modulo, modular inverse, primality test, and co-prime test) | +| VendorID | 0x19E5 | +| PF DeviceID | 0xA258 | +| VF DeviceID | 0xA259 | +| Maximum number of VF | A maximum of 63 VFs can be created for an HPRE PF | + + +>![](./public_sys-resources/icon-note.gif) **Note** +>When a VM is using a VF device, the driver on the host cannot be uninstalled, and the accelerator does not support hot swap. +>VF operation (If VFNUMS is 0, the VF is disabled. hpre_num is used to identify a specific accelerator device): +>``` +>echo $VFNUMS > /sys/class/uacce/hisi_hpre-$hpre_num/device/sriov_numvfs +>``` + + + + ## Managing VM USB To facilitate the use of USB devices such as USB key devices and USB mass storage devices on VMs, openEuler provides the USB device passthrough function. Through USB passthrough and hot-swappable interfaces, you can configure USB passthrough devices for VMs, or hot swap USB devices when VMs are running. 
@@ -605,7 +634,7 @@ To configure USB passthrough, perform the following steps: The VM system may be damaged due to virus damage, system file deletion by mistake, or incorrect formatting. As a result, the system cannot be started. To quickly restore a damaged system, openEuler provides the storage snapshot function. openEuler can create a snapshot that records the VM status at specific time points without informing users \(usually within a few seconds\). The snapshot can be used to restore the VM to the status when the snapshots were taken. For example, a damaged system can be quickly restored with the help of snapshots, which improves system reliability. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Currently, storage snapshots can be QCOW2 and RAW images only. Block devices are not supported. ### Procedure diff --git a/content/en/docs/Virtualization/managing-vms.md b/docs/en/docs/Virtualization/managing-vms.md similarity index 76% rename from content/en/docs/Virtualization/managing-vms.md rename to docs/en/docs/Virtualization/managing-vms.md index d2ba205d45693d00d596d65e8e4b2fb5b5aa572b..480172aa2e1abf1164c4b62872ef0a49b5dd2e1d 100644 --- a/content/en/docs/Virtualization/managing-vms.md +++ b/docs/en/docs/Virtualization/managing-vms.md @@ -10,7 +10,9 @@ - [Logging In to a VM](#logging-in-to-a-vm) - [Logging In Using VNC Passwords](#logging-in-using-vnc-passwords) - [Configuring VNC TLS Login](#configuring-vnc-tls-login) - + - [VM Secure Boot](#VM-Secure-Boot) + - [General Introduction](#General-Introduction) + - [Secure Boot Practice](#Secure-Boot-Practice) ### VM Life Cycle 
@@ -36,7 +38,7 @@ A VM can be in one of the following status: VMs in different status can be converted, but certain rules must be met. [Figure 1](#fig671014583483) describes the common rules for transiting the VM status. **Figure 1** Status transition diagram -![](figures/status-transition-diagram.png "status-transition-diagram") +![](./figures/status-transition-diagram.png "status-transition-diagram") ##### VM ID @@ -71,7 +73,7 @@ In libvirt, a created VM instance is called a **domain**, which describes the c ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >Run the **virsh** command to query the VM ID and UUID. For details, see [Querying VM Information](#querying-vm-information). #### Management Commands @@ -454,7 +456,7 @@ Libvirt component provides a group of commands for querying the VM status, inclu Target Source --------------------------------------------------------------------- sda /home/openeuler/vm/openEuler_aarch64.qcow2 - sdb /home/openeuler/vm/openEuler-20.03-LTS-aarch64-dvd.iso + sdb /home/openeuler/vm/openEuler-21.03-aarch64-dvd.iso ``` - Run the **virsh domiflist** command to query the VM NIC information. The query result shows that the VM has one NIC, the backend is vnet0, which is on the br0 bridge of the host. The MAC address is 00:05:fe:d4:f1:cc. 
@@ -499,7 +501,7 @@ Before logging in to a VM using a client, such as RealVNC or TightVNC, ensure th - You have obtained the VNC listening port of the VM. This port is automatically allocated when the client is started. Generally, the port number is **5900 + x** \(_x_ is a positive integer and increases in ascending order based on the VM startup sequence. **5900** is invisible to users.\) - If a password has been set for the VNC, you also need to obtain the VNC password of the VM. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >To set a password for the VM VNC, edit the XML configuration file of the VM. That is, add the **passwd** attribute to the **graphics** element and set the attribute value to the password to be configured. For example, to set the VNC password of the VM to **n8VfjbFK**, configure the XML file as follows: >``` > @@ -518,7 +520,7 @@ Before logging in to a VM using a client, such as RealVNC or TightVNC, ensure th :3 ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >To log in to the VNC, you need to configure firewall rules to allow the connection of the VNC port. The reference command is as follows, where _X_ is **5900 + Port number**, for example, **5903**. >``` >firewall-cmd --zone=public --add-port=X/tcp 
@@ -533,7 +535,7 @@ Before logging in to a VM using a client, such as RealVNC or TightVNC, ensure th By default, the VNC server and client transmit data in plaintext. Therefore, the communication content may be intercepted by a third party. To improve security, openEuler allows the VNC server to configure the Transport Layer Security \(TLS\) mode for encryption and authentication. TLS implements encrypted communication between the VNC server and client to prevent communication content from being intercepted by third parties. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- To use the TLS encryption authentication mode, the VNC client must support the TLS mode \(for example, TigerVNC\). Otherwise, the VNC client cannot be connected. >- The TLS encryption authentication mode is configured at the host level. After this feature is enabled, the TLS encryption authentication mode is enabled for the VNC clients of all VMs running on the host. @@ -552,7 +554,7 @@ To enable the TLS encryption authentication mode for the VNC, perform the follow 2. Create a certificate and a private key file for the VNC. The following uses GNU TLS as an example. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >To use GNU TLS, install the gnu-utils software package in advance. 1. Create a certificate file issued by the Certificate Authority \(CA\). 
@@ -644,7 +646,157 @@ To enable the TLS encryption authentication mode for the VNC, perform the follow 5. Copy the generated client certificates **ca-cert.pem**, **client-cert.pem**, and **client-key.pem** to the VNC client. After the TLS certificate of the VNC client is configured, you can use VNC TLS to log in to the VM. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >- For details about how to configure the VNC client certificate, see the usage description of each client. >- For details about how to log in to the VM, see Logging In Using VNC Passwords. +### VM Secure Boot + +#### General Introduction + +##### Overview + +Secure boot uses public and private key pairs to sign and validate boot components. During the startup, the previous component validates the digital signature of the next component. If the validation is successful, the next component starts. If the validation fails, the startup fails. Secure boot is used to detect whether the firmware and software during startup of the device are tampered with to prevent malware from intrusion and modification. Secure boot ensures the integrity of each component during system startup and prevents unauthorized components from being loaded and running, thereby preventing security threats to the system and user data. Secure boot is implemented based on the UEFI boot mode. It is not supported by the legacy boot mode. According to UEFI specifications, some reliable public keys can be built in the mainboard before delivery. Any operating system or hardware drivers that you want to load on this mainboard must be authenticated by these public keys. The secure boot of a physical machine is implemented by the physical BIOS, while the secure boot of a VM is simulated by software. The process of the VM secure boot is the same as that of the host secure boot, both complying with the open-source UEFI specifications. 
The UEFI on the virtualization platform is provided by the edk component. When a VM starts, QEMU maps the UEFI image to the memory to simulate the firmware startup process for the VM. Secure boot is a security protection capability provided by edk during the VM startup to protect the OS kernel of the VM from being tampered with. The sequence of signature validation for the secure boot is as follows: UEFI BIOS->shim->GRUB->vmlinuz (signature validation is passed and loaded in sequence). + +| English | Acronyms and Abbreviations | Description | +| :----- | :----- | :----- | +| Secure boot | - | Secure boot indicates that a component validates the digital signature of the next component during startup. If the validation is successful, the component runs. If the validation fails, the component stops running. It ensures the integrity of each component during system startup. | +| Platform key | PK | Platform key is owned by the OEM vendor and must be RSA2048 or stronger. The PK establishes a trusted relationship between the platform owner and the platform firmware. The platform owner registers the PKpub, public key of the PK, with the platform firmware. The platform owner can use the PKpriv, private part of the PK, to change the ownership of the platform or register the KEK key. | +| Key exchange key | KEK | Key exchange key creates a trusted relationship between the platform firmware and the OS. Each OS and third-party application that communicates with the platform firmware register the KEKpub, public part of the KEK key, in the platform firmware. | +| Database trustlist | DB | Database trustlist stores and validates the keys of components such as shim, GRUB, and vmlinuz. | +| Database blocklist | DBx | Database blocklist stores revoked keys. | + +##### Function Description + +The VM secure boot feature is implemented based on the edk open-source project. 
In non-secure boot mode, the basic Linux process is as follows: + +**Figure 1** System startup process + +![](./figures/OSBootFlow.png) + +In secure boot mode, the first component loaded after UEFI BIOS starts is shim in the system image. By interacting with UEFI BIOS, shim obtains the key stored in the variable DB of UEFI BIOS to validate GRUB. After GRUB is loaded, the key and the authentication API are also called to validate the kernel. The Linux boot process is as follows: + +**Figure 2** Secure boot process + +![](./figures/SecureBootFlow.png) + +The secure boot feature involves multiple key scenarios. Based on the scenario analysis and system breakdown, the secure boot feature involves the following subsystems: UEFI BIOS validating shim, shim validating GRUB, and GRUB validating kernel. When UEFI BIOS validates shim, if the validation is successful, shim is started. If the validation fails, an error message is displayed and shim fails to start. Shim needs to use the private key for signature during image compilation and creation, and the public key certificate needs to be imported to the variable area DB of UEFI BIOS. After shim is started, validate the startup of GRUB. If the validation is successful, GRUB is started. If the validation fails, an error message is displayed and GRUB fails to start. GRUB needs to be signed during image compilation and creation. The public and private key pairs are the same as those of shim. After GRUB is started, it calls the key and the authentication API key registered in UEFI BIOS to validate the kernel. If the validation is successful, GRUB starts the kernel. If the validation fails, an error message is displayed. GRUB needs to sign the image during compilation and creation and uses the public and private key pair that is the same as that of shim. + +##### Constraints + +* Running on the UEFI BIOS that does not support secure boot does not affect existing functions and services. 
+* The secure boot feature depends on the UEFI BIOS and takes effect only when the UEFI supports this feature. +* When secure boot is enabled in the UEFI BIOS, the system cannot be started if the related components have no signature or the signature is incorrect. +* If secure boot is disabled in the UEFI BIOS, the validation function during the boot process is disabled. +* The second half of the secure boot validation chain, that is, shim->GRUB->kernel, guides the kernel to start. This part of the validation chain is implemented by the OS image. If the OS does not support guiding the kernel for secure boot, the VM secure boot fails. +* Currently, the x86 architecture do not provide nvram file configuration to configure VM secure boot. + +#### Secure Boot Practice + +VM secure boot depends on UEFI BIOS. The UEFI BIOS image is installed using the edk rpm package. This section uses AArch64 as an example to describe how to configure VM secure boot. + +##### Configuring VM + +The components in the edk rpm package are installed in the /usr/share/edk2/aarch64 directory, including `QEMU_EFI-pflash.raw` and `vars-template-pflash.raw`. The following describes the XML configuration of the UEFI BIOS during VM startup. + +``` + + hvm + /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw + /path/to/QEMU-VARS.fd + +``` + +In the preceding configuration, /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw indicates the path of the UEFI BIOS image. /usr/share/edk2/aarch64/vars-template-pflash.raw is the path of the NVRAM image template, and /path/to/QEMU-VARS.fd is the path of the NVRAM image file of the current VM, which is used to store environment variables in the UEFI BIOS. + +##### Importing Certificate + +The certificate for VM secure boot is imported from the BIOS page. Before importing the certificate, you need to import the certificate file to the VM. You can mount the directory where the certificate file is located to the VM by mounting a disk. 
For example, you can create an image that contains the certificate and mount the image in the XML configuration file of the VM. + +Create a certificate file image. + +``` +dd of='/path/to/data.img' if='/dev/zero' bs=1M count=64 +mkfs.vfat -I /path/to/data.img +mkdir /path/to/mnt +mount path/to/data.img /path/to/mnt/ +cp -a /path/to/certificates/* /path/to/mnt/ +umount /path/to/mnt/ +``` +In the preceding command, /path/to/certificates/ indicates the path where the certificate file is located, /path/to/data.img indicates the path where the certificate file image is located, and /path/to/mnt/ indicates the image mounting path. + +Mount the image in the XML file of the VM. + +``` + + + + + + + + + +``` + +Start the VM and import the PK certificate. The procedure is as follows (the procedure for importing the KEK certificate is the same as that for importing the DB certificate): + +After the VM is started, press F2 to go to the BIOS screen. + +**Figure 1** BIOS screen + +![](./figures/CertEnrollP1.png) + +**Figure 2** Device Manager + +![](./figures/CertEnrollP2.png) + +**Figure 3** Custom Secure Boot Options + +![](./figures/CertEnrollP3.png) + +**Figure 4** PK Options + +![](./figures/CertEnrollP4.png) + +**Figure 5** Enrolling PK + +![](./figures/CertEnrollP5.png) + +In the File Explorer window, many disk directories are displayed, including the certificate file directory mounted through the disk. + +**Figure 6** File Explorer + +![](./figures/CertEnrollP6.png) + +Select the PK certificate to be imported in the disk directory. + +**Figure 7** Disk where the certificate is stored + +![](./figures/CertEnrollP7.png) + +**Figure 8** Selecting Commit Changes and Exit to save the imported certificate + +![](./figures/CertEnrollP8.png) + +After the certificate is imported, the UEFI BIOS writes the certificate information and secure boot attributes to the NVRAM configuration file /path/to/QEMU-VARS.fd. 
Upon the next startup, the VM reads related configurations from the /path/to/QEMU-VARS.fd file, initializes certificate information and secure boot attributes, automatically imports the certificate, and enables secure boot. Similarly, you can use /path/to/QEMU-VARS.fd as the UEFI BIOS boot configuration template file of other VMs with the same configuration. Modify the nvram template field so that the certificate is automatically imported and the secure boot option is enabled when other VMs are started. The VM XML configuration is modified as follows: + +``` + + hvm + /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw + + +``` + +##### Secure Boot Observation + +After the VM is correctly configured and the PK, KEK, and DB certificates are imported, the VM runs in secure boot mode. You can configure the serial port log file in the VM configuration file in XML format to check whether the VM is in the secure boot mode. The following figure shows how to configure the serial port log file. + +``` + + + +``` + +After the OS image is successfully loaded to the VM, if "UEFI Secure Boot is enabled" is displayed in the serial port log file, the VM is in the secure boot state. \ No newline at end of file diff --git a/content/zh/docs/A-Tune/public_sys-resources/icon-caution.gif b/docs/en/docs/Virtualization/public_sys-resources/icon-caution.gif similarity index 100% rename from content/zh/docs/A-Tune/public_sys-resources/icon-caution.gif rename to docs/en/docs/Virtualization/public_sys-resources/icon-caution.gif diff --git a/content/zh/docs/A-Tune/public_sys-resources/icon-danger.gif b/docs/en/docs/Virtualization/public_sys-resources/icon-danger.gif similarity index 100% rename from content/zh/docs/A-Tune/public_sys-resources/icon-danger.gif rename to docs/en/docs/Virtualization/public_sys-resources/icon-danger.gif 
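Review bot: In the "Create a certificate file image" commands of the Secure Boot Practice hunk, `mount path/to/data.img /path/to/mnt/` uses a relative path while the `dd` and `mkfs.vfat` lines above it use `/path/to/data.img`, so the block fails when it is copied and run from any other directory; make it `mount /path/to/data.img /path/to/mnt/`. In the same section, "the procedure for importing the KEK certificate is the same as that for importing the DB certificate" does not say how either relates to the PK procedure that Figures 1 to 8 walk through; state that KEK and DB are enrolled the same way as PK if that is what is meant. Because the enrolled /path/to/QEMU-VARS.fd is then offered as the nvram template for other VMs, it is worth saying explicitly that every VM started from that template trusts the same PK, KEK, and DB certificates. The last constraint bullet should read "the x86 architecture does not provide".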
diff --git a/content/zh/docs/A-Tune/public_sys-resources/icon-note.gif b/docs/en/docs/Virtualization/public_sys-resources/icon-note.gif similarity index 100% rename from content/zh/docs/A-Tune/public_sys-resources/icon-note.gif rename to docs/en/docs/Virtualization/public_sys-resources/icon-note.gif diff --git a/content/zh/docs/A-Tune/public_sys-resources/icon-notice.gif b/docs/en/docs/Virtualization/public_sys-resources/icon-notice.gif similarity index 100% rename from content/zh/docs/A-Tune/public_sys-resources/icon-notice.gif rename to docs/en/docs/Virtualization/public_sys-resources/icon-notice.gif diff --git a/content/zh/docs/A-Tune/public_sys-resources/icon-tip.gif b/docs/en/docs/Virtualization/public_sys-resources/icon-tip.gif similarity index 100% rename from content/zh/docs/A-Tune/public_sys-resources/icon-tip.gif rename to docs/en/docs/Virtualization/public_sys-resources/icon-tip.gif diff --git a/content/zh/docs/A-Tune/public_sys-resources/icon-warning.gif b/docs/en/docs/Virtualization/public_sys-resources/icon-warning.gif similarity index 100% rename from content/zh/docs/A-Tune/public_sys-resources/icon-warning.gif rename to docs/en/docs/Virtualization/public_sys-resources/icon-warning.gif diff --git a/content/en/docs/Virtualization/system-resource-management.md b/docs/en/docs/Virtualization/system-resource-management.md similarity index 56% rename from content/en/docs/Virtualization/system-resource-management.md rename to docs/en/docs/Virtualization/system-resource-management.md index 998e47d7cd29478435ca7989fb03d60dbac6d24f..4030b8dcf66faacc4eed5a25e93bcfdc0f04a9a3 100644 --- a/content/en/docs/Virtualization/system-resource-management.md +++ b/docs/en/docs/Virtualization/system-resource-management.md @@ -1,5 +1,7 @@ # system Resource Management + + The **libvirt** command manages VM system resources, such as vCPU and virtual memory resources. Before you start: 
@@ -7,17 +9,6 @@ Before you start: - Ensure that the libvirtd daemon is running on the host. - Run the **virsh list --all** command to check that the VM has been defined. -- [System Resource Management](#system-resource-management) - - [Managing vCPU](#managing-vcpu) - - [CPU Shares](#cpu-shares) - - [Binding the QEMU Process to a Physical CPU](#binding-the-qemu-process-to-a-physical-cpu) - - [Adjusting the vCPU Binding Relationship](#adjusting-the-vcpu-binding-relationship) - - [Managing Virtual Memory](#managing-virtual-memory) - - [Introduction to NUMA](#introduction-to-numa) - - [Configuring Host NUMA](#configuring-host-numa) - - [Configuring Guest NUMA](#configuring-guest-numa) - - ## Managing vCPU 
@@ -203,6 +194,91 @@ Run the **virsh vcpupin** command to adjust the binding relationship between v The preceding commands bind vCPU **0** of VM **openEulerVM** to physical CPUs **0**, **2**, and **3**. That is, vCPU **0** is scheduled only on the three physical CPUs. The modification of the binding relationship does not take effect immediately. Instead, the modification takes effect after the next startup of the VM and takes effect permanently. +### CPU Hot Add + +#### Overview + +This feature allows users to hot add CPUs to a running VM without affecting its normal running. When the internal service pressure of a VM keeps increasing, all CPUs will be overloaded. To improve the computing capability of the VM, you can use the CPU hot add function to increase the number of CPUs on the VM without stopping it. + +#### Constraints + +- For processors using the AArch64 architecture, the specified VM chipset type \(machine\) needs to be virt-4.1 or a later version when a VM is created. For processors using the x86\_64 architecture, the specified VM chipset type \(machine\) needs to be pc-i440fx-1.5 or a later version when a VM is created. +- When configuring Guest NUMA, you need to configure the vCPUs that belong to the same socket in the same vNode. Otherwise, the VM may be soft locked up after the CPU is hot added, which may cause the VM panic. +- VMs do not support CPU hot add during migration, hibernation, wake-up, or snapshot. +- Whether the hot added CPU can automatically go online depends on the VM OS logic rather than the virtualization layer. +- CPU hot add is restricted by the maximum number of CPUs supported by the Hypervisor and GuestOS. +- When a VM is being started, stopped, or restarted, the hot added CPU may become invalid. However, the hot added CPU takes effect after the VM is restarted. 
+- During VM CPU hot add, if the number of added CPUs is not an integer multiple of the number of cores in the VM CPU topology configuration item, the CPU topology displayed in the VM may be disordered. You are advised to add CPUs whose number is an integer multiple of the number of cores each time. +- If the hot added CPU needs to take effect online and is still valid after the VM is restarted, the --config and --live options need to be transferred to the virsh setvcpus API to persist the hot added CPU. + +#### Procedure + +**VM XML Configuration** + +1. To use the CPU hot add function, configure the number of CPUs, the maximum number of CPUs supported by the VM, and the VM chipset type when creating the VM. (For the AArch64 architecture, the virt-4.1 or a later version is required. For the x86\_64 architecture, the pc-i440fx-1.5 or later version is required. The AArch64 VM is used as an example. The configuration template is as follows: + + ``` + + ... + n + + hvm + + ... + + ``` + + >![](./public_sys-resources/icon-note.gif) **Note** + >- The value of placement must be static. + >- m indicates the current number of CPUs on the VM, that is, the default number of CPUs after the VM is started. n indicates the maximum number of CPUs that can be hot added to a VM. The value cannot exceed the maximum CPU specifications supported by the Hypervisor or GuestOS. n is greater than or equal to m. + + For example, if the current number of CPUs of a VM is 4 and the maximum number of hot added CPUs is 64, the XML configuration is as follows: + + ``` + + …… + 64 + + hvm + + …… + ``` + + +**Hot Adding and Bringing CPUs Online** + +1. If the hot added CPU needs to be automatically brought online, create the udev rules file /etc/udev/rules.d/99-hotplug-cpu.rules in the VM as user root and define the udev rules in the file. 
The following is an example: + + ``` + ### automatically online hot-plugged cpu + ACTION=="add", SUBSYSTEM=="cpu", ATTR{online}="1" + ``` + + >![](./public_sys-resources/icon-note.gif) **Note** + >If you do not use the udev rules, you can use the root permission to manually bring the hot added CPU online by running the following command: + >``` + >for i in `grep -l 0 /sys/devices/system/cpu/cpu*/online` + >do + > echo 1 > $i + >done + >``` + +2. Use the virsh tool to hot add CPUs to the VM. For example, to set the number of CPUs after hot adding to 6 on the VM named openEulerVM and make the hot add take effect online, run the following command: + + ``` + virsh setvcpus openEulerVM 6 --live + ``` + + >![](./public_sys-resources/icon-note.gif) **Note** + >The format for running the virsh setvcpus command to hot add a VM CPU is as follows: + >``` + >virsh setvcpus [--config] [--live] + >``` + >- domain: Parameter, which is mandatory. Specifies the name of a VM. + >- count: Parameter, which is mandatory. Specifies the number of target CPUs, that is, the number of CPUs after hot adding. + >- --config: Option, which is optional. This parameter is still valid when the VM is restarted. + >- --live: Option, which is optional. The configuration takes effect online. + ## Managing Virtual Memory 
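Review bot: Step 2 of "Hot Adding and Bringing CPUs Online" runs `virsh setvcpus openEulerVM 6 --live`, but the last item under Constraints says both --config and --live have to be passed for the hot added CPU to remain valid after the VM is restarted; either add --config to the example or say next to it that this form does not persist. The --config entry in the note ("This parameter is still valid when the VM is restarted") should say that the new CPU count is kept across a restart, not that the parameter is. In step 1 of "VM XML Configuration", the parenthesis opened at "(For the AArch64 architecture" is never closed.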
@@ -253,7 +329,7 @@ To improve VM performance, you can specify NUMA nodes for a VM using the VM XML If the vCPU of the VM is bound to the physical CPU of **node 0**, the performance deterioration caused by the vCPU accessing the remote memory can be avoided. - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >- The sum of memory allocated to the VM cannot exceed the remaining available memory of the NUMA node. Otherwise, the VM may fail to start. >- You are advised to bind the VM memory and vCPU to the same NUMA node to avoid the performance deterioration caused by vCPU access to the remote memory. For example, bind the vCPU to NUMA node 0 as well. 
@@ -288,8 +364,99 @@ After Guest NUMA is configured in the VM XML configuration file, you can view th ``` ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >- **** provides the NUMA topology function for VMs. **cell id** indicates the vNode ID, **cpus** indicates the vCPU ID, and **memory** indicates the memory size on the vNode. >- If you want to use Guest NUMA to provide better performance, configure <**numatune\>** and **** so that the vCPU and memory are distributed on the same physical NUMA node. > - **cellid** in **** corresponds to **cell id** in ****. **mode** can be set to **strict** \(apply for memory from a specified node strictly. If the memory is insufficient, the application fails.\), **preferred** \(apply for memory from a node first. If the memory is insufficient, apply for memory from another node\), or **interleave** \(apply for memory from a specified node in cross mode\).; **nodeset** indicates the specified physical NUMA node. > - In ****, you need to bind the vCPU in the same **cell id** to the physical NUMA node that is the same as the **memnode**. + + + +### Memory Hot Add + +#### Overview +In virtualization scenarios, the memory, CPU, and external devices of VMs are simulated by software. Therefore, the memory can be adjusted online for VMs at the virtualization bottom layer. In the current openEuler version, memory can be added to a VM online. If the physical memory of a VM is insufficient and the VM cannot be shut down, you can use this feature to add physical memory resources to the VM. + +#### Constraints + +- For processors using the AArch64 architecture, the specified VM chipset type \(machine\) needs to be virt-4.1 or a later version when a VM is created.For processors using the x86 architecture, the specified VM chipset type \(machine\) needs to be a later version than pc-i440fx-1.5 when a VM is created. 
+- Guest NUMA on which the memory hot add feature depends needs to be configured on the VM. Otherwise, the memory hot add process cannot be completed. +- When hot adding memory, you need to specify the ID of Guest NUMA node to which the new memory belongs. Otherwise, the memory hot add fails. +- The VM kernel should support memory hot add. Otherwise, the VM cannot identify the newly added memory or the memory cannot be brought online. +- For a VM that uses hugepages, the capacity of the hot added memory should be an integral multiple of hugepagesz. Otherwise, the hot add fails. +- The hot added memory size should be an integral multiple of the Guest physical memory block size (block\_size\_bytes). Otherwise, the VM cannot go online. The value of block\_size\_bytes can be obtained using the lsmem command in Guest. +- After n pieces of virtio-net NICs are configured, the maximum number of hot add times is set to min\{max\_slot, 64 - n\} to reserve slots for NICs. +- The vhost-user device and the memory hot add feature are mutually exclusive. A VM configured with the vhost-user device does not support memory hot add. After the memory is hot added to a VM, the vhost-user device cannot be hot added. +- If the VM OS is Linux, ensure that the initial memory is greater than or equal to 4 GB. +- If the VM OS is Windows, the first hot added memory needs to be specified to Guest NUMA node0. Otherwise, the hot added memory cannot be identified by the VM. +- In passthrough scenarios, memory needs to be allocated in advance. Therefore, it is normal that the startup and hot add of memory are slower than those of common VMs (especially large-specification VMs). +- It is recommended that the ratio of the available memory to the hot added memory be at least 1:32. That is, at least 1 GB available memory is required for the VM with 32 GB hot added memory. If the ratio is less than 1:32, the VM may be suspended. 
+- Whether the hot added memory can automatically go online depends on the VM OS logic. You can manually bring the memory online or configure the udev rules to automatically bring the memory online. + +#### Procedure + +**VM XML Configuration** + +1. To use the memory hot add function, configure the maximum hot add memory size and reserved slot number, and configure the Guest NUMA topology when creating a VM. + + For example, run the following command to configure 32 GB initial memory for a VM, reserve 256 slots, set the memory upper limit to 1 TB, and configure two NUMA nodes: + + ``` + + 32 + 1024 + + + + + + + + .... + ``` + + +>![](./public_sys-resources/icon-note.gif) **Note** +>In the preceding information, +>the value of slots in the maxMemory field indicates the reserved memory slots. The maximum value is 256. +>maxMemory indicates the maximum physical memory supported by the VM. +>For details about how to configure Guest NUMA, see "Configuring Guest NUMA." + +**Hot Adding and Bringing Memory Online** + +1. If the hot added memory needs to be automatically brought online, create the udev rules file /etc/udev/rules.d/99-hotplug-memory.rules in the VM as user root and define the udev rules in the file. The following is an example: + + ``` + ### automatically online hot-plugged memory + ACTION=="add", SUBSYSTEM=="memory", ATTR{state}="online" + ``` + +2. Create a memory description XML file based on the size of the memory to be hot added and the Guest NUMA node of the VM. + + For example, to hot add 1 GB memory to NUMA node0, run the following command: + + ``` + + + 1024 + 0 + + + ``` + +3. Run the virsh attach-device command to hot add memory to the VM. In the command, openEulerVM indicates the VM name, memory.xml indicates the description file of the hot added memory, and --live indicates that the hot added memory takes effect online. You can also run the --config command to persist the hot added memory to the VM XML file. 
+ + ``` + ### virsh attach-device openEulerVM memory.xml --live + ``` + + >![](./public_sys-resources/icon-note.gif) **Note** + >If you do not use the udev rules, you can use the root permission to manually bring the hot added memory online by running the following command: + >``` + >for i in `grep -l offline /sys/devices/system/memory/memory*/state` + >do + > echo online > $i + >done + >``` + + diff --git a/docs/en/docs/Virtualization/tool-guide.md b/docs/en/docs/Virtualization/tool-guide.md new file mode 100644 index 0000000000000000000000000000000000000000..d22f203deaa05c79cb05eebb48ef455c5b2dce8f --- /dev/null +++ b/docs/en/docs/Virtualization/tool-guide.md 
@@ -0,0 +1,140 @@ +# Tool Guide + +- [vmtop](#vmtop) + +## vmtop + +### Overview +vmtop is a user-mode tool running on the host machine. You can use the vmtop tool to dynamically view the usage of VM resources in real time, such as CPU usage, memory usage, and the number of vCPU traps. Therefore, the vmtop tool can be used to locate virtualization problems and optimize performance. + +The vmtop monitoring items are as follows (sampling difference: difference between two data obtained at a specified interval): +- VM/task-name: VM/Process name +- DID: VM ID +- PID: PID of the qemu process of the VM +- %CPU: CPU usage of a process +- EXThvc: Number of hvc-exits (sampling difference) +- EXTwfe: Number of wfe-exits (sampling difference) +- EXTwfi: Number of wfi-exits (sampling difference) +- EXTmmioU: Number of mmioU-exits (sampling difference) +- EXTmmioK: Number of mmioK-exits (sampling difference) +- EXTfp: Number of fp-exits (sampling difference) +- EXTirq: Number of irq-exits (sampling difference) +- EXTsys64: Number of sys64 exits (sampling difference) +- EXTmabt: Number of mem abort exits (sampling difference) +- EXTsum: Total number of KVM exits (sampling difference) +- S: Process status +- P: Physical CPU usage of a process +- %ST: Ratio of the preemption time to the CPU running time (KVM data) +- %GUE: Ratio of the VM internal occupation time to the CPU running time (KVM data) +- %HYP: Virtualization overhead ratio (KVM data) + +### Usage +vmtop is a command line tool. You can directly run the vmtop in command line mode. +In addition, the vmtop tool provides different options for querying different information. + +#### Syntax +```sh +vmtop [option] +``` + +#### Option Description +- -d: sets the refresh interval, in seconds. +- -H: displays the VM thread information. +- -n: sets the number of refresh times and exits after the refresh is complete. +- -b: displays Batch mode, which can be used to redirect to a file. +- -h: displays help information. 
+- -v: displays versions. + +#### Keyboard Shortcut +Shortcut key used when the vmtop is running. +- H: displays or stops the VM thread information. The information is displayed by default. +- up/down: moves the VM list upwards or downwards. +- left/right: moves the cursor leftwards or rightwards to display the columns that are hidden due to the screen width. +- f: enters the editing mode of a monitoring item and selects the monitoring item to be enabled. +- q: exits the vmtop process. + +### Example +Run the vmtop command on the host. +```sh +vmtop +``` +The command output is as follows: +```sh +vmtop - 2020-09-14 09:54:48 - 1.0 +Domains: 1 running + + DID VM/task-name PID %CPU EXThvc EXTwfe EXTwfi EXTmmioU EXTmmioK EXTfp EXTirq EXTsys64 EXTmabt EXTsum S P %ST %GUE %HYP + 2 example 4054916 13.0 0 0 1206 10 0 144 62 174 0 1452 S 106 0.0 99.7 16.0 +``` +As shown in the output, there is only one VM named "example" on the host. The ID is 2. The CPU usage is 13.0%. The total number of traps within one second is 1452. The physical CPU occupied by the VM process is CPU 106. The ratio of the VM internal occupation time to the CPU running time is 99.7%. + +1. Display VM thread information. +Press H to display the thread information. 
+```sh +vmtop - 2020-09-14 10:11:27 - 1.0 +Domains: 1 running + + DID VM/task-name PID %CPU EXThvc EXTwfe EXTwfi EXTmmioU EXTmmioK EXTfp EXTirq EXTsys64 EXTmabt EXTsum S P %ST %GUE %HYP + 2 example 4054916 13.0 0 0 1191 17 4 120 76 147 0 1435 S 119 0.0 123.7 4.0 + |_ qemu-kvm 4054916 0.0 0 0 0 0 0 0 0 0 0 0 S 119 0.0 0.0 0.0 + |_ qemu-kvm 4054928 0.0 0 0 0 0 0 0 0 0 0 0 S 119 0.0 0.0 0.0 + |_ signalfd_com 4054929 0.0 0 0 0 0 0 0 0 0 0 0 S 120 0.0 0.0 0.0 + |_ IO mon_iothr 4054932 0.0 0 0 0 0 0 0 0 0 0 0 S 117 0.0 0.0 0.0 + |_ CPU 0/KVM 4054933 3.0 0 0 280 6 4 28 19 41 0 350 S 105 0.0 27.9 0.0 + |_ CPU 1/KVM 4054934 3.0 0 0 260 0 0 16 12 36 0 308 S 31 0.0 20.0 0.0 + |_ CPU 2/KVM 4054935 3.0 0 0 341 0 0 44 20 26 0 387 R 108 0.0 27.9 4.0 + |_ CPU 3/KVM 4054936 5.0 0 0 310 11 0 32 25 44 0 390 S 103 0.0 47.9 0.0 + |_ memory_lock 4054940 0.0 0 0 0 0 0 0 0 0 0 0 S 126 0.0 0.0 0.0 + |_ vnc_worker 4054944 0.0 0 0 0 0 0 0 0 0 0 0 S 118 0.0 0.0 0.0 + |_ worker 4143738 0.0 0 0 0 0 0 0 0 0 0 0 S 120 0.0 0.0 0.0 +``` +The example VM has 11 threads, including the vCPU thread, vnc_worker, and IO mon_iotreads. Each thread also displays detailed CPU usage and trap information. + +2. Select the monitoring item. +Enter f to edit the monitoring item. +```sh +field filter - select which field to be showed +Use up/down to navigate, use space to set whether chosen filed to be showed +'q' to quit to normal display + + * DID + * VM/task-name + * PID + * %CPU + * EXThvc + * EXTwfe + * EXTwfi + * EXTmmioU + * EXTmmioK + * EXTfp + * EXTirq + * EXTsys64 + * EXTmabt + * EXTsum + * S + * P + * %ST + * %GUE + * %HYP +``` +By default, all monitoring items are displayed. You can press the up or down key to select a monitoring item. Press the space bar to set the monitoring item, and press q to exit. 
+After %ST, %GUE, and %HYP are hidden, the following information is displayed: +```sh +vmtop - 2020-09-14 10:23:25 - 1.0 +Domains: 1 running + + DID VM/task-name PID %CPU EXThvc EXTwfe EXTwfi EXTmmioU EXTmmioK EXTfp EXTirq EXTsys64 EXTmabt EXTsum S P + 2 example 4054916 12.0 0 0 1213 14 1 144 68 168 0 1464 S 125 + |_ qemu-kvm 4054916 0.0 0 0 0 0 0 0 0 0 0 0 S 125 + |_ qemu-kvm 4054928 0.0 0 0 0 0 0 0 0 0 0 0 S 119 + |_ signalfd_com 4054929 0.0 0 0 0 0 0 0 0 0 0 0 S 120 + |_ IO mon_iothr 4054932 0.0 0 0 0 0 0 0 0 0 0 0 S 117 + |_ CPU 0/KVM 4054933 2.0 0 0 303 6 0 29 10 35 0 354 S 98 + |_ CPU 1/KVM 4054934 4.0 0 0 279 0 0 39 17 49 0 345 S 1 + |_ CPU 2/KVM 4054935 3.0 0 0 283 0 0 33 20 40 0 343 S 122 + |_ CPU 3/KVM 4054936 3.0 0 0 348 8 1 43 21 44 0 422 S 110 + |_ memory_lock 4054940 0.0 0 0 0 0 0 0 0 0 0 0 S 126 + |_ vnc_worker 4054944 0.0 0 0 0 0 0 0 0 0 0 0 S 118 + |_ worker 1794 0.0 0 0 0 0 0 0 0 0 0 0 S 126 +``` +%ST, %GUE, and %HYP will not be displayed on the screen. diff --git a/content/en/docs/Virtualization/user-and-administrator-guide.md b/docs/en/docs/Virtualization/user-and-administrator-guide.md similarity index 99% rename from content/en/docs/Virtualization/user-and-administrator-guide.md rename to docs/en/docs/Virtualization/user-and-administrator-guide.md index eb75d5342560e396d81dfa5ec83bd0f0a5877a46..47646f59b84e0a9b7e9952054286eba74f6ebdd1 100644 --- a/content/en/docs/Virtualization/user-and-administrator-guide.md +++ b/docs/en/docs/Virtualization/user-and-administrator-guide.md 
@@ -26,7 +26,7 @@ This chapter describes how to create VMs on the virtualization platform, manage If compute resources are sufficient, the halt-polling feature can be used to enable VMs to obtain performance similar to that of physical machines. If the halt-polling feature is not enabled, the host allocates CPU resources to other processes when the vCPU exits due to idle timeout. When the halt-polling feature is enabled on the host, the vCPU of the VM performs polling when it is idle. The polling duration depends on the actual configuration. If the vCPU is woken up during the polling, the vCPU can continue to run without being scheduled from the host. This reduces the scheduling overhead and improves the VM system performance. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The halt-polling mechanism ensures that the vCPU thread of the VM responds in a timely manner. However, when the VM has no load, the host also performs polling. As a result, the host detects that the CPU usage of the vCPU is high, but the actual CPU usage of the VM is not high. ##### Instructions @@ -319,7 +319,7 @@ QEMU guest agent \(qemu-ga\) is a daemon running within VMs. It allows users on In some scenarios with high security requirements, qemu-ga provides the blacklist function to prevent internal information leakage of VMs. You can use a blacklist to selectively shield some functions provided by qemu-ga. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The qemu-ga installation package is **qemu-guest-agent-**_xx_**.rpm**. It is not installed on openEuler by default. _xx_ indicates the actual version number. ##### Procedure 
@@ -370,7 +370,7 @@ To add a qemu-ga blacklist, perform the following steps: root 727 1 0 08:17 ? 00:00:00 /usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist=guest-file-open guest-file-close guest-file-read guest-file-write guest-file-seek guest-file-flush -F/etc/qemu-ga/fsfreeze-hook ``` - >![](public_sys-resources/icon-note.gif) **NOTE:** + >![](./public_sys-resources/icon-note.gif) **NOTE:** >For more information about qemu-ga, visit [https://wiki.qemu.org/Features/GuestAgent](https://wiki.qemu.org/Features/GuestAgent). diff --git a/content/en/docs/Virtualization/virtualization.md b/docs/en/docs/Virtualization/virtualization.md similarity index 100% rename from content/en/docs/Virtualization/virtualization.md rename to docs/en/docs/Virtualization/virtualization.md diff --git a/content/en/docs/Virtualization/vm-configuration.md b/docs/en/docs/Virtualization/vm-configuration.md similarity index 95% rename from content/en/docs/Virtualization/vm-configuration.md rename to docs/en/docs/Virtualization/vm-configuration.md index a290a4a05d92b6440a67f627f3857f5cde638164..a96e55b6880bcccf1b0118b1a47f04e96aca2b30 100644 --- a/content/en/docs/Virtualization/vm-configuration.md +++ b/docs/en/docs/Virtualization/vm-configuration.md 
@@ -97,11 +97,29 @@ This section describes how to configure the vCPU and virtual memory. - **cpu**: The mode of the virtual processor. - **mode**: The mode of the vCPU. The **host-passthrough** indicates that the architecture and features of the virtual CPU are the same as those of the host. + **mode**: The mode of the vCPU. + + - **host-passthrough**: indicates that the architecture and features of the virtual CPU are the same as those of the host. + + - **custom**: indicates that the architecture and features of the virtual CPU are configured by the **cpu** element. Sub-element **topology**: A sub-element of the element cpu, used to describe the topology structure of a vCPU mode. - - The attributes **socket**, **cores**, and **threads** of the sub-element topology describe the number of CPU sockets of a VM, the number of processor cores included in each CPU socket, and the number of hyperthreads included in each processor core, respectively. The attribute value is a positive integer, and a product of the three values is equal to the number of of vCPUs. + - The attributes **socket**, **cores**, and **threads** of the sub-element topology describe the number of CPU sockets of a VM, the number of processor cores included in each CPU socket, and the number of threads included in each processor core, respectively. The attribute value is a positive integer, and the product of the three values equals the number of vCPUs. + - The ARM architecture supports the virtual hyper-threading function. The virtual CPU hot add and the virtual hyper-threading function are mutually exclusive. + Sub-element **model**: A sub-element of the element cpu, used to describe the CPU model when **mode** is custom. + + Sub-element **feature**: A sub-element of the element cpu, used to enable/disable a CPU feature when **mode** is custom. The attribute **name** describes the name of the CPU feature. 
And whether enable the CPU feature is controlled by the attribute **policy**: + + - **force**: force enable the CPU feature regardless of it being supported by host CPU. + + - **require**: enable the CPU feature. + + - **optional**: the CPU feature will be enabled if and only if it is supported by host CPU. + + - **disable**: disable the CPU feature. + + - **forbid**: disable the CPU feature and guest creation will fail if the feature is supported by host CPU. ### Configuration Example @@ -120,6 +138,21 @@ For example, if the number of vCPUs is 4, the processing mode is host-passthroug ``` +If the virtual memory is 8 GiB, the number of vCPUs is 4, the processing mode is custom, the CPU model is Kunpeng-920, and pmull is disabled, the configuration is as follows: + +``` + + ... + 4 + 8 + + Kunpeng-920 + + + ... + +``` + ## Virtual Device Configuration The VM XML configuration file uses the **devices** elements to configure virtual devices, including storage devices, network devices, buses, and mouse devices. This section describes how to configure common virtual devices. @@ -244,7 +277,7 @@ In this example, two I/O threads, one block disk device and one CD, are configur - + @@ -371,7 +404,7 @@ The bus is a channel for information communication between components of a compu The PCIe bus is a typical tree structure and has good scalability. The buses are associated with each other by using a controller. The following uses the PCIe bus as an example to describe how to configure a bus topology for a VM. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >The bus configuration is complex. If the device topology does not need to be precisely controlled, the default bus configuration automatically generated by libvirt can be used. #### Elements 
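Review bot: In the hunk at `@@ -97,11 +97,29 @@` of vm-configuration.md, the rewritten topology bullet still names the attribute **socket**; libvirt's topology element spells it `sockets`, so the name in the text does not match what goes into the XML. In the new **feature** paragraph, "And whether enable the CPU feature is controlled by the attribute **policy**" needs rewording, for example "The **policy** attribute controls whether the feature is enabled". The **force** and **require** entries should also spell out how they differ: as written, **require** does not say what happens when the host CPU lacks the feature, which is the case a reader choosing between the two needs to know.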
@@ -573,7 +606,7 @@ In addition to storage devices and network devices, some external devices need t For example, in the following example, the VM emulator path, pty serial port, VirtIO media device, USB tablet, USB keyboard, and VNC graphics device are configured. ->![](public_sys-resources/icon-note.gif) **NOTE:** +>![](./public_sys-resources/icon-note.gif) **NOTE:** >When **type** of **graphics** is set to **VNC**, you are advised to set the **passwd** attribute, that is, the password for logging in to the VM using VNC. ``` @@ -744,7 +777,7 @@ An XML configuration file of AArch64 VM, which contains basic elements. The foll - + diff --git a/content/en/docs/Virtualization/vm-live-migration.md b/docs/en/docs/Virtualization/vm-live-migration.md similarity index 100% rename from content/en/docs/Virtualization/vm-live-migration.md rename to docs/en/docs/Virtualization/vm-live-migration.md diff --git a/docs/en/docs/Virtualization/vm-maintainability-management.md b/docs/en/docs/Virtualization/vm-maintainability-management.md new file mode 100644 index 0000000000000000000000000000000000000000..0fd8b277f1d62cf656a514fd179329eb254e80a0 --- /dev/null +++ b/docs/en/docs/Virtualization/vm-maintainability-management.md 
@@ -0,0 +1,32 @@ +# VM Maintainability Management + + +## VM NMI Watchdog + +### Overview + +The NMI Watchdog is a mechanism used to detect hardlockup in Linux. Even if normal interrupts are disabled, non-maskable interrupt (NMI) can interrupt the code execution and further detect hardlockup. The current Arm architecture does not support native NMI, so it enables Pseudo-NMI based on the interrupt priority and configures Performance Monitoring Interrupt (PMI) as NMI to implement NMI Watchdog (PMU Watchdog). + + +### Precautions + +- The VM OS needs to support Pseudo-NMI and corresponding kernel parameters needs to be configured. +- The configuration of the VM PMU Watchdog is the same as that of the host PMU Watchdog. The XML file configuration is not required. +- Both SDEI Watchdog and PMU Watchdog are NMI Watchdogs, whereas the SDEI Watchdog has a higher priority than PMU Watchdog. Therefore, the PMU Watchdog can be enabled only when the SDEI Watchdog is disabled. The VM does not support SDEI Watchdog, so you need to disable it by configuring kernel parameters. + +### Procedure + +To configure the NMI Watchdog for a VM in ARM architecture,perform the following steps: + +1. Add the following parameters to the VM boot configuration file grub.cfg: + +2. Check whether the PMU Watchdog is successfully loaded on the VM. + If the loading is successful, information similar to the following is displayed in the dmesg log of the kernel: + + ``` + [2.1173222] NMI watchdog: CPU0 freq probed as 2399999942 HZ. + ``` + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/DDE-User-Manual.md b/docs/en/docs/desktop/DDE-User-Manual.md new file mode 100755 index 0000000000000000000000000000000000000000..1472942cbcd2445a4731108094f6dadd8304db8d --- /dev/null +++ b/docs/en/docs/desktop/DDE-User-Manual.md 
@@ -0,0 +1,843 @@ + + +# DDE Desktop Environment User Manual + +## Overview +DDE desktop environment is an elegant, secure, reliable and easy to use GUI comprised of the desktop, dock, launcher and control center. Acting as the key basis for our operating system, its main interface is shown as below. + +![1|desk](./figures/43.jpg) + +### Getting Started + +When you enter DDE for the very first time, a welcome program will automatically start. You can watch the introduction video, select your desktop style and icon theme, and learn more about the system functions. + +![0|welcome](./figures/46.png) + + + +## Desktop + +Desktop is the main screen you see after logging in. On the desktop, you can create a new file/folder, sort files, open in terminal, set wallpaper and screensaver and etc. You can also add shortcuts for applications on desktop by using [Send to desktop](#Set App Shortcut). + +![0|contextmenu](./figures/41.png) + +### Create New Folder/Document +Just as in File Manager, you can create a new folder/document on the desktop, or do some operations for the files on it. + +- Right-click the desktop, select **New folder** and enter the name for it. +- Right-click the desktop, select **New document**, select the type and enter its name. + +Right-click a file or folder on the desktop, and use the features of File Manager as below: + +| Function | Description | +| ---------------- | ------------------------------------------------------------ | +| Open with | Select an app to open it. | +| Cut | Move it to another location. | +| Copy | Copy it to another location. | +| Rename | Change its name. | +| Delete | Delete and move it to the trash. | +| Create link | Create a shortcut of the file or folder. | +| Tag information | Add a tag. | +| Compress/Extract | Compress the file or folder, or extract the compressed file. | +| Properties | View the basic info, share it or change the permission. 
| + +### Sort Files + +Sort the files on your desktop to make it organized and fit your needs. + +1. Right-click the desktop. +2. Click **Sort by**, you can: + + - Click **Name** to display files in the name sequence. + - Click **Size** to display files in the size sequence. + - Click **Type** to display files in type. + - Click **Time modified** to display files in the order of last modified date. + + +> ![tips](./figures/icon125-o.svg)Tips: *Check **Auto arrange**, icons on the desktop will be listed in order automatically, and if an icon is removed, another one will fill in the blank.* + + + + +### Adjust Icon Size + +1. Right-click the desktop. +2. Click **Icon size**, and choose a proper size. + +> ![tips](./figures/icon125-o.svg)Tips: *Press **Ctrl** + ![=](./figures/icon134-o.svg)/![-](./figures/icon132-o.svg) scrolling mouse wheel to adjust icon size on the desktop and in Launcher.* + +### Set Display +You can set display scaling, screen resolution, brightness and so on from the desktop. + +1. Right-click the desktop. +2. Click **Display Settings** to open the settings in Control Center. + +> ![notes](./figures/icon99-o.svg)Notes: *For specific operations, please refer to [Display](#Display).* + +### Change Wallpaper +Select some elegant and fashionable wallpapers to beautify your desktop and make it distinctive. + +1. Right-click the desktop. +2. Click **Wallpaper and Screensaver** to preview all the wallpapers. +3. Click your favorite one and it will apply in your desktop and screen lock. +4. You can also choose **Only desktop** or **Only lock screen**. + +![1|wallpaper](./figures/63.jpg) + + + +> ![tips](./figures/icon125-o.svg)Tips: *You can also set your favorite picture as wallpaper in an image viewer.* + +### Clipboard + +All the texts, pictures and documents cut and copied by the current user after login are displayed in the clipboard, which can be copied quickly by double-clicking the clipboard. 
The clipboard is cleared automatically after logout and shutdown. + +1. Use the shortcuts **Ctrl**+**Alt**+ **V** to wake up the clipboard. + +2. Double-click in the clipboard to copy the current content quickly and the corresponding block will be moved to the top of the clipboard. + +3. Select the target destination to paste it. + +4. Click![close](./figures/icon57-o.svg)to delete the current content and click **Clear All** to clear the clipboard. + + ![1|clipboard](./figures/40.png) + +## Dock + +Dock is at the bottom of the desktop by default to help you quickly open frequently-used applications, which includes Launcher, applications, system tray, and plugins. In the dock, you can open launcher, show the desktop, enter the workspaces, open and exit apps, set input methods, adjust the volume, connect to the network, view the calendar and enter the shutdown interface, and so on. + +### Icons on Dock +In the Dock, there are icons of Launcher, applications, system tray, and plugins. + + + +![1|fashion](./figures/45.png) + +| Icon | Description | +| ---- | ---- | +| ![launcher](./figures/icon66-o.svg) | Launcher - click to view all the installed applications. | +| ![deepin-toggle-desktop](./figures/icon69-o.svg) | Click to show the desktop. | +| ![dde-file-manager](./figures/icon63-o.svg) | File Manager - click to view files and folders on the disk. | +| ![dde-calendar](./figures/icon62-o.svg) | Calendar - view dates and create new schedules. | +| ![controlcenter](./figures/icon58-o.svg) | Control Center - click to check or change system settings. | +| ![notification](./figures/icon101-o.svg) | Notification Center - show all notifications from the system and applications. | +| ![onboard](./figures/icon103-o.svg) | Onboard virtual keyboard. | +| ![shutdown](./figures/icon122-o.svg) | Click to enter the shutdown interface. | +| ![trash](./figures/icon126-o.svg) | Trash. 
| + +> ![tips](./figures/icon125-o.svg)Tips: *In Efficient Mode, you can click the right side of Dock to show the desktop. Move the cursor to the running app in the Dock and you will see its preview window.* + +### Switch Display Mode +There are two display modes of Dock: fashion mode and efficient mode, icon sizes are different in them. + +![1|fashion](./figures/46.png) + +![1|efficient](./figures/63.png) + +You can switch the display modes by the following operations: + +1. Right-click the Dock and select **Mode**. +2. Select the display mode. + +### Change Dock Location +You can place Dock on any direction of your desktop. + +1. Right-click the Dock and select **Location**. +2. Select a location. + +### Change Dock Height +Drag the top edge to increase or decrease the height. + + +### Show/Hide Plugins + +1. Right-click the Dock and select **Plugins**. +2. On the submenu, you can check or uncheck **Trash, Power, Show Desktop, Onboard**, and **Datetime** to show or hide the corresponding icon in the Dock. + +### View Notifications +When there are system or application notifications, they will be shown in the middle of the screen. If there are buttons in the message, click buttons to do the actions; if there are not, click the message to close it. + + + +![notification](./figures/51.png) + +Click notification in Dock to view all the notifications. + +### View Date and Time + +- Hover the cursor over the Time icon in Dock to view the current time, date and day of the week. +- Click the Time icon to open Calendar. + +### Enter Shutdown Interface + +There are two ways to enter the shutdown interface: + +- Click ![shutdown](./figures/icon122-o.svg) in Dock. +- Click ![poweroff_normal](./figures/icon136-o.svg) at the bottom right corner of Launcher mini mode. 
+ +| Function | Description | +| ------------------------------------------------------------ | ------------------------------------------------------------ | +| Shut down ![poweroff_normal](./figures/icon136-o.svg) | Shut down the computer. | +| Reboot ![reboot_normal](./figures/icon110-o.svg) | Restart the computer. | +| Lock ![lock_normal](./figures/icon90-o.svg) | Lock the computer with the password. Or press **Super** + **L** to lock it. | +| Switch user ![userswitch_normal](./figures/icon128-o.svg) | Log in with another user account. | +| Log out ![logout_normal](./figures/icon92-o.svg) | End all the processes and initialize the system. | +| Start system monitor![deepin-system-monitor](./figures/icon68-o.svg) | View the running processes and end the one you want. | + +> ![notes](./figures/icon99-o.svg)Notes: ![userswitch_normal](./figures/icon128-o.svg) *will be shown if there are multiple accounts in the system.* + +### Trash +You can find all deleted files in the trash, which can be restored or emptied. + +#### Restore Files + +You can restore deleted files in Trash or press **Ctrl** + **Z** to restore the lately deleted files. + +1. Select the file in the trash. +2. Right-click the file and select **Restore**. +3. The file will be in its original path. + +> ![attention](./figures/icon52-o.svg)Attention: *If the original folder of the file has been deleted, the deleted file will be restored to a new folder automatically created.* + +#### Empty Trash +In the trash, click **Empty** to permanently delete all the files in the trash. + +## Launcher +Launcher ![launcher](./figures/icon66-o.svg) helps you manage all the installed applications, where you can quickly find an application by category navigation or by a search. + +> ![tips](./figures/icon125-o.svg)Tips: *You can view newly installed applications in Launcher. 
The newly-installed ones are followed with a blue dot.* + + +### Switch Launcher Modes + +There are two display modes of Launcher: fullscreen mode and mini mode. Click the icon at the upper right corner to switch modes. + +Both modes support searching applications and sending them to the desktop or Dock. + +The mini mode also supports opening File Manager, Control Center and shutdown interface directly. + +![1|fullscreen](./figures/47.jpg) +![1|mini](./figures/52.png) + +### Sort Applications + +In fullscreen mode, all applications in Launcher are listed by the installation time by default. You can sort the application icons as the ways below: + +- Hover the cursor over an application icon, hold down the left key of mouse, drag and drop the application icon to arrange it freely. +- Click the category icon ![category](./figures/icon56-o.svg) on the upper left in Launcher to arrange the icons by category. + +![1|sortapp](./figures/60.jpg) + +In mini mode, applications are displayed according to using frequency by default. + +### Find Applications + +In Launcher, you can scroll up and down to find an application, or locate it with the category navigation. + +If you already know the application name, just search for it. + +### Set App Shortcut +The shortcut offers a method to run applications easily and quickly. + +#### Create App Shortcut +Send the application icon to the desktop or Dock to facilitate the follow-up operations. + +In Launcher, right-click an app icon and you can: + +* Select **Send to desktop** to create a shortcut on the desktop. +* Select **Send to dock** to fix the application icon in Dock. + +![0|sendto](./figures/58.png) + +> ![notes](./figures/icon99-o.svg)Notes: *You can drag the application icon from Launcher to Dock. But you cannot drag and drop the application while it is running. 
Then you can right-click the application icon in Dock and select **Dock** to fix it in order to open it quickly for the next time.* + +#### Delete Shortcut +Delete a shortcut from the desktop directly, or remove it from Dock or Launcher. + +**Remove the shortcut from Dock:** + +- Hold down the left key of mouse, drag and drop the icon away from Dock. +- You cannot drag and drop the application icon while it is running. Then you can right-click the application icon in Dock and select **Undock** to remove it from Dock. + +**Remove the shortcut from Launcher:** + +In Launcher, right-click the icon and you can: +- Select **Remove from desktop** to delete the shortcut from the desktop. +- Select **Remove from dock** to remove the application icon from Dock. + +> ![notes](./figures/icon99-o.svg)Notes: *The above operations only delete the shortcut rather than uninstall the applications.* + +### Run Applications +For the applications whose shortcuts have been created on the desktop or Dock, you can open them in the following ways: + +- Double-click the desktop icon or right-click it and select **Open**. +- Click the application icon in Dock or right-click it and select **Open**. + +To open the application only shown in Launcher, click the icon or right-click it and select **Open**. + +> ![tips](./figures/icon125-o.svg)Tips: *For the frequently-used applications, right-click the app icon and select **Add to startup** to run it when the computer boots.* + + +## Control Center +You can manage the system settings in Control Center, including account management, network settings, date and time, personalization, display settings, etc. After entering the desktop environment, click ![controlcenter](./figures/icon58-o.svg) to open Control Center. + +### Homepage Introduction +The homepage of Control Center provides several setting modules and click one to enter the detailed settings. 
+ +![0|dcchomepage](./figures/42.png) + +Once you open a setting module in Control Center, the navigation appears on the left. Click the left navigation to quickly switch to other settings. + +![0|cc-navigation](./figures/39.png) + +#### Title Bar + +The title bar contains the back button, search box, main menu and the window buttons. + +- Back button: Click ![back](./figures/icon53-o.svg) to go back to the homepage. +- Search box: Input a keyword and search the related settings. +- Main menu: Click ![menu](./figures/icon83-o.svg) to enter the main menu where you can set the window theme, view the manual and exit. + +### Accounts +You have already created an account when installing the system. Here you can modify account settings or create a new one. + +![0|account](./figures/38.png) + +#### Create New Account + +1. On the homepage of Control Center, click ![account_normal](./figures/icon49-o.svg). +2. Click ![add](./figures/icon50-o.svg). +3. Input a username and a password twice. +4. Click **Create**. +5. Input the password of the current user account in the authentication dialog box, and the new account will be added to the account list. + + +#### Change Account Avatar + +1. On the homepage of Control Center, click ![account_normal](./figures/icon49-o.svg). +2. Click an existing account in the list. +3. Click the user avatar. +4. Select a avatar or upload a local avatar. + +#### Set Full Name +The account full name is shown in account list and system login interface and you can set it as needed. + +1. On the homepage of Control Center, click ![account_normal](./figures/icon49-o.svg). +2. Click an existing account in the list. +3. Click ![edit](./figures/icon75-o.svg) after **Full Name**, and input a name. + +#### Change Password + +1. On the homepage of Control Center, click ![account_normal](./figures/icon49-o.svg). + +2. Click the current account. + +3. Click **Change Password**. + +4. Input a new password twice and confirm. + +#### Delete Account + +1. 
On the homepage of Control Center, click ![account_normal](./figures/icon49-o.svg). +2. Click an account that's not logged in. +3. Click **Delete Account**. +4. Click **Delete** in the pop-up window. + +> ![attention](./figures/icon52-o.svg)Attention: *The logged in account cannot be deleted.* + +#### Privilege + +The first account has administrator privilege when you install the system. All other accounts you add after that are common users. One account can be grouped in many user groups. + +##### Group setting + +When you add or modify accounts, you can: + +- Select a group existing in the system. +- Select the group with the same name as the current user. +- Select the group with the same name as another user when the account was previously added. + +### Display +Set screen resolution, brightness, direction and display scaling properly to have the best visual effect. + +![0|display](./figures/44.png) + + +#### Single Screen Settings + +##### Change Resolution + +1. On the homepage of Control Center, click ![display_normal](./figures/icon72-o.svg). +2. Click **Resolution**. +3. Select a proper resolution in the list. +4. Click **Save**. + +##### Adjust Brightness + +1. On the homepage of Control Center, click ![display_normal](./figures/icon72-o.svg). +2. Click **Brightness**. + - Drag the slider to set screen brightness. + - Switch on **Night Shift**, the screen hue will be auto-adjusted according to your location. + - Switch on **Auto Brightness**, the monitor will change the brightness automatically according to ambient light (shown only if PC has a light sensor). + +##### Change Refresh Rate +1. On the homepage of Control Center, click ![display_normal](./figures/icon72-o.svg). +2. Click **Refresh Rate**. +3. Select a proper one, and click **Save**. + +##### Change Display Direction + +1. On the homepage of Control Center, click ![display_normal](./figures/icon72-o.svg). +2. Click ![rotate](./figures/icon112-o.svg). +3. 
Every time you click, the screen will rotate 90 degrees counterclockwise. +4. To restore to the original direction, click the right button to exit; to use the current direction, press **Ctrl**+ **S** to save it. + +#### Multiple Screen Settings + +Expand your desktop by multiple screens! Use VGA/HDMI/DP cable to connect your computer to other display devices. + +1. On the homepage of Control Center, click ![display_normal](./figures/icon72-o.svg). +2. Click **Multiple Displays**. +3. Select a display mode: + - **Duplicate**: display the same image on other screens. + - **Extend**: expand the desktop across the screens. + - **Customize**: customize the display settings for multiple screens. + +In multiple displays, press **Super** + **P** to show its OSD. + +Operations are as follows: + +1. Hold **Super** and press **P** or click to select the options. +2. Release the keys, the selected mode will take into effect. + +>![notes](./figures/icon99-o.svg)Notes: *When the multiple displays are in the extend mode, only the main screen supports desktop icon display, right-click menu operation and other functions, while the sub-screens do not.* + +##### Custom Settings + +1. On the homepage of Control Center, click ![display_normal](./figures/icon72-o.svg). +2. Click **Multiple Displays** > **Customize**. +3. Click **Recognize**. +4. Choose **Merge** or **Split** the screens, specify the main screen, set the resolution and refresh rate, and rotate screen if you want. +5. Click **Save**. + +> ![notes](./figures/icon99-o.svg)Notes: *"Merge" means duplicate mode, "Split" means extend mode.* + +### Default Application Settings +If you have installed several applications with similar functions, such as text editor, choose one of them to be the default application to open that type of file. + +![0|default](./figures/39.png) + +#### Set Default Application + +1. Right-click the file, choose **Open with** > **Set default program**. +2. 
Select one application, **Set as default** is checked by default, and click **Confirm**. +3. The application will automatically be added to the default application list in Control Center. + +#### Change Default Application + +1. On the homepage of Control Center, click ![default_applications_normal](./figures/icon70-o.svg). +2. Select a file type. +3. Select another one in the list as the default application. + +#### Add Default Application + +1. On the homepage of Control Center, click ![default_applications_normal](./figures/icon70-o.svg). +2. Select a file type. +3. Click ![add](./figures/icon50-o.svg) below to add a desktop file (usually at /usr/share/applications) or a specified binary file as the default application. +4. The application will be added to the list and set as default application automatically. + +#### Delete Default Application + +In the default application list, you can only delete the applications you added. To remove other applications from the list, the only way is to uninstall them. Once uninstalled, they will automatically be deleted from the list. + +To delete the default applications you have added, do as below: + +1. On the homepage of Control Center, click ![default_applications_normal](./figures/icon70-o.svg). +2. Select a file type. +3. Click ![close](./figures/icon57-o.svg) after the application name to delete it. + + +### Personalization Settings +You can set theme, accent color, font, change the appearance of the desktop and windows to your favorite style. + +![0|personalise](./figures/56.png) + +#### Set Window Theme +1. On the homepage of Control Center, click ![personalization_normal](./figures/icon105-o.svg). +2. Click **General**. +3. Select one window theme, which will be used as system theme. + +> ![notes](./figures/icon99-o.svg)Notes: *"Auto" means changing window theme automatically according to the sunset and sunrise time. 
After sunrise, it is light theme; after sunset, it is dark theme.* + +#### Change Accent Color +Accent color refers to the color used when you select one option or file in the system. + +1. On the homepage of Control Center, click ![personalization_normal](./figures/icon105-o.svg). +2. Click **General**. +3. Pick a color under **Accent Color** and view its effects. + +#### Set Icon Theme + +1. On the homepage of Control Center, click ![personalization_normal](./figures/icon105-o.svg). +2. Click **Icon Theme** and select an icon style. + + +#### Set Cursor Theme + +1. On the homepage of Control Center, click ![personalization_normal](./figures/icon105-o.svg). +2. Click **Cursor Theme** and select a set of cursors. + +#### Change Font + +1. On the homepage of Control Center, click ![personalization_normal](./figures/icon105-o.svg). +2. Click **Font**. +3. Set the font and font size for the system. + + +### Network Settings +After login, you need to connect to a network first and then surf the Internet! + +> ![tips](./figures/icon125-o.svg)Tips: *Check your network status by hovering over or clicking the network icon in Dock.* + +![0|network](./figures/54.png) + +#### Wired Network + +Wired network is secure and stable, which makes it the most common way to connect to the Internet. After your router is set, connect both ends of the network cable to the computer and router to connect to a wired network. + +1. Plug the cable into the network slot of a computer. +2. Plug another end of the cable into the router or network port. +3. On the homepage of Control Center, click ![network_normal](./figures/icon97-o.svg). +4. Click **Wired Network** to enter the setting page of wired network. +5. Switch on **Wired Network Adapter** to enable wired network. +6. If it is successfully connected to the network, there will be a prompt "Wired Connection connected". + +You can also edit and add a new wired network in the setting page. 
+ +#### Mobile Network +If you are at a place without network, mobile network adapter is a useful tool to help you connect to the Internet as long as the place is covered by telephone signals. + +1. Plug the mobile network adapter into your computer USB port. +2. Your computer will auto connect to the network. +3. On the homepage of Control Center, click ![network_normal](./figures/icon97-o.svg). +4. Click **Mobile Network** to view the detailed network info. + +#### DSL/PPPoE Connections + +DSL is a dial-up connection using a standard phone line and analog modem to access the Internet. Configure the modem, plug the telephone line into the network interface of the computer, create a broadband dial-up connection, and enter the user name and password provided by the operator to dial up the Internet. + +##### Create a PPPoE Connection + +1. On the homepage of Control Center, click ![network_normal](./figures/icon97-o.svg). +2. Click **DSL**. +3. Click ![add](./figures/icon50-o.svg). +4. Enter the name, your account and password the operator provides. +5. Click **Save**. The connection will automatically start. + + +#### VPN + +VPN is a virtual private network. Its main function is to establish a private network on the public network for encrypted communication. Whether you are on a business trip or working at home, you can use VPN to access intranet resources as long as you can access the Internet. You can also use VPN to speed up access to websites in other countries. + +1. On the homepage of Control Center, click ![network_normal](./figures/icon97-o.svg). +2. Click **VPN**, and click ![add](./figures/icon50-o.svg) or ![import](./figures/icon84-o.svg). +3. Select the VPN protocol type, and enter the name, gateway, account, password and other information. (Importing VPN will automatically fill in information) +4. Click **Save**, the system will try to connect VPN network automatically. +5. You can export the VPN settings to backup or share with other users. 
+ +> ![notes](./figures/icon99-o.svg)Notes: *If you don't want to use the VPN as the default routing, but only want it to take effect on specific network resources, switch on **Only applied in corresponding resources**.* + +#### System Proxy + +1. On the homepage of Control Center, click ![network_normal](./figures/icon97-o.svg). +2. Click **System Proxy**. + - Click **None** and **Save** to disable the proxy. + - Click **Manual** and input the address and port of proxy servers. + - Click **Auto** and input a URL to configure the proxy info. + +#### Application Proxy + +1. On the homepage of Control Center, click ![network_normal](./figures/icon97-o.svg). +2. Click **Application Proxy**. +3. Select a proxy type, and fill in the IP address, port, etc. +4. Click **Save** to save the proxy settings. + +> ![notes](./figures/icon99-o.svg)Notes: *After being configured, run Launcher, right-click any application's icon and check **Use a proxy**, and then the application will be opened by proxy.* + +#### Network Info + +You can view MAC, IP address, gateway and other network info in network details. + +1. On the homepage of Control Center, click ![network_normal](./figures/icon97-o.svg). +2. Click **Network Details**. +3. View the network info of the current network. + +### Sound Settings + +Set your speaker and microphone properly to make you hear more comfortable and make clearer recordings. + +![0|sound](./figures/61.png) + +#### Output + +1. On the homepage of Control Center, click ![sound_normal](./figures/icon116-o.svg). + +2. Click **Output** to: + + - Select output device type from the dropdown list after **Output Device**. + + - Drag the slider to adjust output volume and left/right balance. + - Switch on **Volume Boost**, the volume could be adjustable from 0~150% (the former range is 0~100%). + + + +#### Input + +1. On the homepage of Control Center, click ![sound_normal](./figures/icon116-o.svg). +2. 
Click **Input** to: + - Select input device type from the dropdown list after **Input Device**. + - Adjust input volume by dragging the slider. + - You can enable **Automatic Noise Suppression** by clicking the button after "Automatic Noise Suppression". + +> ![tips](./figures/icon125-o.svg)Tips: *Usually, you need to turn up the input volume to make sure that you can hear the sound of the sound source, but the volume should not be too high, because it will cause distortion of the sound. Here is how to set input volume: Speak to your microphone at a normal volume and view "Input Level". If the indicator changes obviously according to the volume, then the input volume is at a proper level.* + + + +#### System Sound Effects + +1. On the homepage of Control Center, click ![sound_normal](./figures/icon116-o.svg). +2. Click **Sound Effects**, check the options you want to switch on the sound when the corresponding event occurs. + +> ![tips](./figures/icon125-o.svg)Tips: *Click to listen to the sound effect.* + +### Date and Time +Set your timezone properly to have correct date and time. You can also change them manually. + +![0|time](./figures/62.png) + +#### Change Timezone +You have selected the timezone during system installation and do as follows to change it. + +1. On the homepage of Control Center, click ![time](./figures/icon124-o.svg). +2. Click **Timezone List**. +3. Click **Change System Timezone** and select a timezone by searching or clicking on the map. +4. Click **Confirm**. + +#### Add Timezone +Add another timezone to see the date and time there. + +1. On the homepage of Control Center, click ![time](./figures/icon124-o.svg). +2. Click **Timezone List**. +3. Click ![add](./figures/icon50-o.svg), select a timezone by searching or clicking on the map. +4. Click **Add**. + +#### Delete Timezone + +1. On the homepage of Control Center, click ![time](./figures/icon124-o.svg). +2. Click **Timezone List**. +3. Click **Edit** after "Timezone List". +4. 
Click ![delete](./figures/icon71-o.svg) to remove the timezone. + +#### Change Date and Time +Note that the auto-sync function will be disabled after changing date and time manually. + +1. On the homepage of Control Center, click ![time](./figures/icon124-o.svg). +2. Click **Time Settings**. + - Switch on/off **Auto Sync**. + - Enter the correct date and time. +3. Click **Confirm**. + +#### Set Time Format + +Setting the format of time and date is supported. + +1. On the homepage of Control Center, click ![time](./figures/icon124-o.svg). +2. Click **Time Format** to set the first day of week, long date, short date, long time, and short time. + + + +### Power Management + +Power management helps you to improve system safety. + +![0|power](./figures/57.png) + + + +#### Time to Suspend + +1. On the homepage of Control Center, click ![power_normal](./figures/icon107-o.svg). +2. Click **Plugged In**. +3. Set the time to suspend. + +#### Time to Lock Screen +1. On the homepage of Control Center, click ![power_normal](./figures/icon107-o.svg). +2. Click **Plugged In**. +3. Set the time to lock screen. + +#### Power button settings + +1. On the homepage of Control Center, click ![power_normal](./figures/icon107-o.svg). +2. Click **Plugged In**. +3. You can select **Shut down, Suspend, Hibernate, Turn off the monitor, Do nothing** from the drop-down list after **When pressing the power button**. + +Any operation done here will take effect immediately. At the same time, the system will notify the user that the power button setting is changed. + + + +### Mouse + +Mouse is common computer input device. Using the mouse, you can make the operation easier and faster. + +![0|mouse](./figures/53.png) + +#### General Settings + +1. On the homepage of Control Center, click ![mouse_touchpad_normal](./figures/icon94-o.svg). +2. Click **General**. +3. Switch on **Left Hand**, and adjust **Scrolling Speed**, **Double-click Speed**. 
+ +> ![notes](./figures/icon99-o.svg)Notes: *If "Left Hand" is enabled, left-click and right-click of the mouse exchange.* + +#### Mouse +After inserting or connecting the mouse, make relevant settings in the Control Center to make it more in line with your usage habits. + +1. On the homepage of Control Center, click ![mouse_touchpad_normal](./figures/icon94-o.svg). +2. Click **Mouse**. +3. Adjust **Pointer Speed**, which helps you to control the speed at which the pointer moves as the mouse moves. +4. Switch on **Natural Scrolling**/**Mouse Acceleration** if you want. + +> ![notes](./figures/icon99-o.svg)Notes: +> - *Turn on the mouse acceleration to improve the accuracy of the pointer. The moving distance of the mouse pointer on the screen will increase according to the acceleration of the moving speed. It can be turned on or off according to the usage.* +> - *If Natural Scrolling is enabled, when you scroll down, the page will scroll down, when you scroll up, the page will scroll up as well.* + +### Keyboard and Language +Set keyboard properties and select your keyboard layout to keep your typing habit. You can also adjust the keyboard layout according to the country and language, change system language, and customize shortcuts here. + +![0|keyboard](./figures/59.png) + +#### Keyboard Properties + +1. On the homepage of Control Center, click ![keyboard_normal](./figures/icon86-o.svg). +2. Click **General**. +3. Adjust **Repeat Delay**/**Repeat Rate**. +4. Click "Test here" and hold down a key to test the repeat rate. +5. Switch on **Numeric Keypad** and **Caps Lock Prompt** if you want. + +#### Keyboard Layout +Set the keyboard layout to customize the keyboard for the current language. When you press a key on the keyboard, the keyboard layout controls which characters are displayed on the screen. After changing the keyboard layout, the characters on the screen may not match the characters on the keyboard keys. 
+ +You have set a keyboard layout during system installation, but you can add more for other purposes. + +![layout](./figures/50.png) + +##### Add Keyboard Layout + +1. On the homepage of Control Center, click ![keyboard_normal](./figures/icon86-o.svg). +2. Click **Keyboard Layout**. +3. Click ![add](./figures/icon50-o.svg). Click a keyboard layout to add it. + +##### Delete Keyboard Layout + +1. On the homepage of Control Center, click ![keyboard_normal](./figures/icon86-o.svg). +2. Click **Keyboard Layout**. +3. Click **Edit**. +4. Click ![delete](./figures/icon71-o.svg) to delete keyboard layout. + +##### Switch Keyboard Layout + +1. On the homepage of Control Center, click ![keyboard_normal](./figures/icon86-o.svg). +2. Click **Keyboard Layout**. +3. Click the layout you want to switch to. +4. After successful switching, the layout will be marked with a check. + +> ![tips](./figures/icon125-o.svg)Tips: *You can also select one or more shortcuts to switch the keyboard layouts in order. Select **Applies to** to make the keyboard layout after switching be applied to the whole system or current application.* + +#### System Language + +The system language is the language you selected when you installed the system by default, which can be changed at any time. + +##### Add System Language +Add multiple languages into the list to change language conveniently. + +1. On the homepage of Control Center, click ![keyboard_normal](./figures/icon86-o.svg). +2. Click **System Language**. +3. Click ![add](./figures/icon50-o.svg) to enter the language list. +4. Select the language you want, and it will be added into system language list automatically. + +##### Change System Language + +1. On the homepage of Control Center, click ![keyboard_normal](./figures/icon86-o.svg). +2. Click **System Language**. +3. Select the language you want to switch to, and the language package will be installed automatically. +4. 
After being successfully installed, log out and log in again to view the changes. + +> ![attention](./figures/icon52-o.svg)Attention: *The keyboard layout may also be changed in the process of switching the system language. Please make sure that you select a correct keyboard layout to enter the login password.* + +#### Shortcuts +The shortcut list includes all shortcuts in the system. View, modify and customize the shortcuts here as you want. + +![0|shortcut](./figures/59.png) + +##### View Shortcuts + +1. On the homepage of Control Center, click ![keyboard_normal](./figures/icon86-o.svg). +2. Click **Shortcuts**. +3. You can search or view the default shortcuts for system, window and workspace. + + +##### Modify Shortcuts + +1. On the homepage of Control Center, click ![keyboard_normal](./figures/icon86-o.svg). +2. Click **Shortcuts**. +3. Click the shortcut you want to modify. +4. Press new shortcut to change it. + +> ![tips](./figures/icon125-o.svg)Tips: *To disable a shortcut, please press ![Backspace](./figures/icon54-o.svg) on the keyboard. To cancel modifying, press **Esc** or click Restore Defaults at the bottom.* + +##### Customize Shortcuts + +1. On the homepage of Control Center, click ![keyboard_normal](./figures/icon86-o.svg). +2. Click **Shortcuts**. +3. Click ![add](./figures/icon50-o.svg). +4. Enter the name, command and shortcut. +5. Click **Add**. +6. After being successfully added, click **Edit**. +7. Click ![delete](./figures/icon71-o.svg) to delete the custom shortcut. + +> ![tips](./figures/icon125-o.svg)Tips: *To change the shortcut, click it and press a new shortcut to change it directly. To edit the name and command of the custom shortcut, click **Edit ** > ![edit](./figures/icon75-o.svg) near the shortcut name to enter the shortcut settings.* + +### System Info + +You can view system version, authorization info, hardware info, and the agreements here. + +![0|info](./figures/48.png) + +#### About This PC + +1. 
On the homepage of Control Center, click ![system_info_normal](./figures/icon120-o.svg). +2. Under **About This PC**, you can view system version, authorization and hardware information. +3. If the system has not been activated, click **Activate** to activate the system. + +#### Edition License + +1. On the homepage of Control Center, click ![system_info_normal](./figures/icon120-o.svg). +2. View the system edition license under **Edition License**. + +#### End User License Agreement + +1. On the homepage of Control Center, click ![system_info_normal](./figures/icon120-o.svg). +2. View the End User License Agreement under **End User License Agreement**. + +## Keyboard Interaction + +You can use the keyboard to switch between various interface areas, select objects and perform operations. + +| Key | Function | +| :----------------------------------------------------------- | :----------------------------------------------------------- | +| **Tab** | Switch between different areas or dialog buttons. | +| ![Up](./figures/icon127-o.svg) ![Down](./figures/icon73-o.svg) ![Left](./figures/icon88-o.svg) ![Right](./figures/icon111-o.svg) | Used to select different objects in the same area. Press ![Right](./figures/icon111-o.svg) to enter the lower menu and ![Left](./figures/icon88-o.svg) to return to the upper menu. Press![Up](./figures/icon127-o.svg)and ![Down](./figures/icon73-o.svg) to switch between up and down. | +| **Enter** | Execute the selected operation. | +| **Space** | Preview the selected object in File Manager; start and pause the playback in Music and Movie; expand the drop-down options in the drop-down list (The enter key is also available.). | +| **Ctrl** + **M** | Open the right-click menu. | + diff --git a/docs/en/docs/desktop/Install_XFCE.md b/docs/en/docs/desktop/Install_XFCE.md new file mode 100644 index 0000000000000000000000000000000000000000..a1cc296893e10ff28b794a74fcc8505866b6bea7 --- /dev/null +++ b/docs/en/docs/desktop/Install_XFCE.md 
@@ -0,0 +1,64 @@ +# Xfce Installation Guide + +Xfce is a lightweight Linux desktop. In the current version, all components have been updated from GTK2 to GTK3 and from D-Dbus Glib to GDBus. Most components support GObject Introspection (GI), which is used to generate and parse the API meta information of the C program library, so that the dynamic language (or managed language) can be bound to the program library based on C + GObject. In the current version, user experience is optimized, new features are added, and a large number of bugs are fixed. Xfce occupies fewer memory and CPU resources than other UIs (GNOME and KDE), providing smoother and more efficient user experience. + +Xfce supports the x86\_64 and AArch64 architectures. + +You are advised to create an administrator during the installation. + +1. [Download ](https://openeuler.org/en/download/)the openEuler ISO image and install the system. Run the following command to update the software source. You are advised to configure the Everything source and the EPOL source. This document describes how to install Xfce in the minimum installation scenario. + + ``` + sudo dnf update + ``` + +2. Run the following command to install the font library: + + ``` + sudo dnf install dejavu-fonts liberation-fonts gnu-*-fonts google-*-fonts + ``` + +3. Run the following command to install Xorg: + + ``` + sudo dnf install xorg-* + ``` + +4. Run the following command to install Xfce: + + ``` + sudo dnf install xfwm4 xfdesktop xfce4-* xfce4-*-plugin + ``` + +5. Run the following command to install the login manager: + + ``` + sudo dnf install lightdm lightdm-gtk + ``` + +6. Run the following command to start Xfce using the login manager: + + ```` + sudo systemctl start lightdm + ```` + + After the login manager is started, choose **Xfce Session** in the upper right corner and enter the user name and password to log in. + +7. 
Run the following command to set the GUI to start upon system boot: + + ``` + sudo systemctl enable lightdm + sudo systemctl set-default graphical.target + ``` + + If GDM is installed by default, you are advised to disable GDM. + + ``` + systemctl disable gdm + ``` + +8. Restart the server. + + ``` + sudo reboot + ``` \ No newline at end of file diff --git a/docs/en/docs/desktop/UKUI-user-guide.md b/docs/en/docs/desktop/UKUI-user-guide.md new file mode 100755 index 0000000000000000000000000000000000000000..a67e3cc70918928ed0a6244cbc09ee685e14cf32 --- /dev/null +++ b/docs/en/docs/desktop/UKUI-user-guide.md @@ -0,0 +1,366 @@ +# UKUI Desktop Environment + +## Overview +Desktop Environment is the basis for the user's operation on the graphical interface, and provides multiple functions including taskbar, start menu, etc. The main interface is shown in figure below. + +![Fig. 1 Desktop main interface-big](./figures/1.png) + +
+ +## Desktop + +### Desktop’s Icons +The system places three icons Computer, Recycle Bin and Personal by default, and double click the left mouse button to open the page. The functions are shown in table below. + +| Icon | Description | +| :------------ | :------------ | +| ![](./figures/icon1.png) | Computer: Show the drives and hardwares connected to the machine| +| ![](./figures/icon2.png) | Recycle Bin: Show documents that have been diverted| +| ![](./figures/icon3.png) | Personal: Show personal home directory| + +
+ +In addition, right-clicking "Computer" and selecting "Properties", it can show the current system version, kernel version, activation and other related informations. + +![Fig. 2 "Computer" - "Properties"-big](./figures/2.png) + +### Right-click Menu +Right-click on the desktop blank and a menu appears as shown in figure below, providing the users with some shortcut features. + +![Fig. 3 Right-click Menu](./figures/3.png) + +Some of the options are described in table below. + +| Option | Description | +| :------------ | :------------ | +| New | Create new folders, text documents, WPS files | +| View type | Four view types are available: small icon, medium icon, large icon, super large icon | +| Sort by | Four ways to arrange documents according to name, type of document, size and date of modification | + +
+ +## Taskbar + +### Basic Function +Taskbar is located at the bottom and includes the Start Menu, Multi View Switch, File Browser, Firefox Web Browser, WPS, and Tray Menu. + +![Fig. 4 Taskbar](./figures/4.png) + +| Component | Decsription | +| :------------ | :------------ | +|![](./figures/icon4.png)| Start menu: Open the system menu to find applications and files | +|![](./figures/icon5.png)| Multi View Switch: Operate in multiple workspaces without interfering with each other | +|![](./figures/icon6.png)| File Browser: Browse and manage documents in the system | +|![](./figures/icon7.png)| Firefox Web Browser: Provide a convenient and safe way to access the Internet | +|![](./figures/icon8.png)| WPS: Realize the most common functions of office software such as text, forms, presentations, and more | +|Window Display Area| The blank part in the middle of the horizontal bar. Display running programs, opened documents, and allow users to close the windows, top the windows, etc | +|![](./figures/icon9.png)| Tray Menu: Include settings for voice, Kylin weather,input method, internet connection, notification center, date, and night mode | +|Show Desktop| The button is on the far right. Minimize all windows on the desktop and return to the desktop; Clicking again will restore the windows | + +#### Multi View Switch +Click the icon "![](./figures/icon10-o.png)" on the taskbar to enter the interface shown in figure below, and select the operation area that users need to work on at the moment in multiple work areas. + +![Fig. 5 Multi View Switch-big](./figures/5.png) + +#### Preview Window +Users move the mouse over the app icon in the taskbar, and then a small preview window will be shown if this app has already been opened. + +Hover over the specified window as shown below for hover state, the window will be slightly fuzzy glass effect (left), the rest of the window as default Status (right). + +![Fig. 
6 Taskbar - Preview Window](./figures/6.png) + +Users can close the application by right-clicking on the app icon in the taskbar. + +![Fig. 7 Taskbar - Right-click Preview](./figures/7.png) + +#### Sidebar +The sidebar is located at the right of the entire desktop. Click the icon "![](./figures/icon11-o.png)" in the taskbar tray menu to open the storage menu, and click the icon "![](./figures/icon12-o.png)" in Sidebar to pop up the sidebar as shown in figure below. + +The sidebar consists of two parts: Notification Center, Clipboard and Widget. + +![Fig. 8 Sidebar without message status-big](./figures/8.png) + +##### Notification Center +Notification center will display a list of recent important and newest informations. + +Select "Clear" in the upper right corner to clear the list of informations; Select "Setting" in the upper right corner to go to the notification settings in the control center, and users can set which applications can show informations and the quantity of informations. + +![Fig. 9 Notification Center-big](./figures/9.png) + +Workspace at right side can be set to fold by applications. + +![Fig. 10 Fold messages by applications-big](./figures/10.png) + +Icon "![](./figures/icon13-o.png)" at the top right corner of the sidebar can store unimportant informations. When the messages are more than 999+, it will be shown as the form of ![](./figures/icon14-o.png) which means limitless. + +![Fig. 11 Message Organizer](./figures/11.png) + +##### Clipboard +Clipboard can save the contents those were recently selected to copy or cut, and users can operate them by using the icons in Table. + +![Fig. 12 Clipboard](./figures/12.png) + +Clicking "![](./figures/icon15-o.png)", users can edit the the contents of the clipboard. + +![Fig. 
13 edit the content](./figures/13.png) + +| Icon | Description | Icon | Description | +| :------------ | :------------ | :------------ | :------------ | +| ![](./figures/icon16.png) | Copy the content | ![](./figures/icon18.png) | Edit the content | +| ![](./figures/icon17.png) | Delete the content | | | + +
+ +The second label of the clipboard is the small plug-in that contains alarm clock, notebook, user feedback. + +![Fig. 14 Plug-in](./figures/14.png) + +#### Tray Menu +##### Storage Menu +Click "![](./figures/icon19-o.png)" at the tray menu to open the storage menu. + +It contains Kylin Weather, Input Method, Bluetooth, USB, etc. + +![Fig. 15 Storage Menu](./figures/15.png) + +##### Input Method +The taskbar input method defaults to Sogou input method. Use the shortcut key "Ctrl+Space" to switch it out, and the "Shift" key to switch between Chinese and English modes. + +![Fig. 16 Input Method](./figures/16.png) + +##### USB +When the USB is inserted into the computer, it will be matically read the data inside. + +Click "![](./figures/icon26-o.png)" to open the window as shown in figure below. + +When users need to umount the USB, please click the icon "![](./figures/icon27-o.png)". + +![Fig. 17 The status of USB](./figures/17.png) + +##### Power Supply +Click the icon "![](./figures/icon28-o.png)": + +When no power supply is detected. + +![Fig. 18 No Power Supply](./figures/18.png) + +When power supply is detected. + +![Fig. 19 Have Power Supply](./figures/19.png) + +Users right-click the icon "![](./figures/icon30-o.png)" of power manager to open the power setting menu. + +It provides two setting options: adjust screen brightness, and set power and sleep. + +![Fig. 20 Power Manager](./figures/20.png) + +If the power manager pops up a"low battery" window, users can click to turn on the power save mode, and the power manager will set the machine to run in this mode immediately. + +![Fig. 21 Power Saving Mode](./figures/21.png) + +##### Network +Users can choose wired or wireless network connections by clicking the icon "![](./figures/icon31-o.png)" of network manager. 
+ +| Icon | Description | Icon | Description | +| :------------ | :------------ | :------------ | :------------ | +|![](./figures/icon32.png)| Connected |![](./figures/icon37.png)| Unconnected | +|![](./figures/icon33.png)| Connection limited |![](./figures/icon38.png)| Locked | +|![](./figures/icon34.png)| Connecting |![](./figures/icon39.png)| Wifi connected | +|![](./figures/icon35.png)| Wifi unconnected |![](./figures/icon40.png)| Wificonnection limited | +|![](./figures/icon36.png)| Wifi locked |![](./figures/icon41.png)| Wifi connecting | + +
+ +![Fig. 22 Network Connection](./figures/22.png) + +- Wired Network + In the wired network connection interface, click on the wired network plan to expand. Details of the network. + + ![Fig. 23 Wired Network](./figures/23.png) + +- Wireless Network + Click the switch button in the upper right corner to turn on the wireless network connection, and select the WiFi from the list of available wireless networks. Enter the password to access the Internet. + + ![Fig. 24 Wireless Network](./figures/24.png) + +- Network Setting + Right-click the icon "![](./figures/icon42-o.png)" of network mnager to pop up the setting menu. + + ![Fig. 25 Wired Network Setting](./figures/25.png) + + Click network setting to go to the setting window immediately. + + ![Fig. 26 Network Setting](./figures/26.png) + +##### Volume +Click the icon "![](./figures/icon43-o.png)" to open the volume window, and there provides three modes. + +- Mini Mode + It only displays the volume of the speaker. + + ![Fig. 27 Mini Mode](./figures/27.png) + +- According to Equipment + It contains input equipments and output equipments. + + ![Fig. 28 According to Equipment List](./figures/28.png) + +- According to Application + It contains system volume and other applications' volume. + + ![Fig. 29 According to Application List](./figures/29.png) + +##### Calendar +Click the date&time on the taskbar to open the calendar window. + +Users can view the day's informations by filtering the year, month, day. The date will be displayed in large letters, with the time, the week, the festival,and the lunar calendar. Taboos can be seen by checking. + +![Fig. 30 Calendar-big](./figures/30.png) + +##### Night Mode +Click the icon "![](./figures/icon44-o.png)" on the Taskbar and then the system changes to the night mode. + +#### Advanced Setting +Right-click the Taskbar to open the menu. + +![Fig. 31 Right-Clicking Menu](./figures/31.png) + +Users can set the lauserst of taskbar accroding to "Taskbar Settings". + +
+ +## Window +### Window Manager +The functions provided as shown in Table. + +| Function | Description | +| :--------| :----------| +| Title Bar | Show the title name of current window | +| Minimize/Maximize/Close | The three icon buttons at the right of the title bar correspond to minimize, maximize and close respectively | +| Side Sliding | Users can scroll up and down to view the page by the slider at the right of the window | +| Stack | Allow overlap among windows | +| Drag and Drop | Long press the left mouse button at the title bar to move the window to any position | +| Resize | Move the mouse to the corner of the window and long press the left button to resize the window | + +
+ +### Window Switch +There are three ways to switch windows: + +* Click the window title on the Taskbar. + +* Click the different window at the desktop. + +* Use shortcut keys < Alt > + < Tab >. + +
+ +## Start Menu +### Basic Function +Click the button to open the "Start Menu". + +It provides sliding bar. + +![Fig. 32 Start Menu](./figures/32.png) + +#### Category Menu at right side +When the mouse is over the right side of the start menu, it will appear a pre-expanded cue bar. Clicking to expand, and then three categories are showing at the right side by default: "Common Software", "Alphabetical Category", and "Functional category". + +* All Software: List all software, recently used software will be displayed on the top of this page. + +* Alphabetical Category: List all softwares by first letter. + +* Functional category: List all softwares by their functions. + +Users can click the button at top right corner to view fullscreen menu mode. + +![Fig. 33 Fullscreen Menu-big](./figures/33.png) + +#### Function Button at right side +It provides User Avatar, Computer, Control Center and Shutdown four options. + +##### User Avatar +Click "![](./figures/icon45-o.png)" to view user's informations. + +##### Computer +Click "![](./figures/icon46-o.png)" to open personal home folder + +##### Control Center +Click "![](./figures/icon47-o.png)" to go to the control center. + +##### Shutdown +###### Lock Screen +When users do not need to use the computer temporarily, the lock screen can be selected (without affecting the current running state of the system) to prevent misoperations. And input the password to re-enter the system. + + The system will matically lock the screen after a period of idle time by default. + +![Fig. 34 Lock Screen-big](./figures/34.png) + +###### Switch Users & Log Out +When users want to select another user to log in uing the computer, users can select "Log out" or "Switch user". + +At this point, the system will close all running applications; Therefore, please save the current jobs before performing this action. 
+ +###### Shutdown & Reboot +There are two ways: + +1)"Start Menu" > "Power" > "Shutdown" + +It will pop up a dialog box, and users can choose shutdown or reboot as needed. + +![Fig. 35 Shutdown Dialog Box-big](./figures/35.png) + +2)"Start Menu" > right side menu of the "Shutdown" button > "Shutdown"/"Reboot" + +The system will shutdown or reboot immediately without poping up the dialog box. + +### Advanced Setting + +Right-clicking Start Menu, it provides lock screen, switch user, log out, reboot, and shutdown five shortcut options. + +### Applications +Users can search apps in the search box by key words. As shown in figure below, the result will show up matically with the input. + +![Fig. 36 Search Apps](./figures/36.png) + +Right-clicking one app in the Start Menu, the right-click menu poping up. + +![Fig. 37 Right-click Menu](./figures/37.png) + +The options are described in table below. + +| Option | Description | +| :------| :--------| +| Attach to "All Software" |Add the selected software to the top of the list of All Software| +| Attach to Taskbar |Generate icon for the application on the Taskbar| +| Add to Desktop Shortcut |Generate shortcut icon for the application on the desktop| +| Uninstall |Remove the application| + +
+ +## FAQ + +### Can’t login to the system after locking the screen? + +- Switch to character terminal by < Ctrl + Alt + F1 >. + +- Input the user-name and passwd to login to the system. + +- Do "sudo rm -rf ~/.Xauthority". + +- Switch to graphical interface by < Ctrl + Alt + F7 >, and input the passwd. + +
+ +## Appendix +### Shortcut Key + +|Shortcut Key|Function| +| :------ | :----- +| F5 | Refresh the desktop | +| F1 | Open the user-guide| +| Alt + Tab | Switch the window | +| win | Open the Start Menu | +| Ctrl + Alt + L | Lock Screen | +| Ctrl + Alt + Delete | Log out | + diff --git a/docs/en/docs/desktop/Xfce_userguide.md b/docs/en/docs/desktop/Xfce_userguide.md new file mode 100644 index 0000000000000000000000000000000000000000..ea6396320d845f3c7f44ac8d2bdfb95a7ff6d4a0 --- /dev/null +++ b/docs/en/docs/desktop/Xfce_userguide.md 
@@ -0,0 +1,275 @@ +# Table of Contents + +* [Xfce User Guide](#Xfce User Guide) + * [1. Overview](#1. Overview) + * [2. Desktop](#2. Desktop) + * [2.1 Desktop Icons](#2.1 Desktop Icons) + * [2.2 Shortcut Menu](#2.2 Shortcut Menu) + * [3. Taskbar](#3. Taskbar) + * [3.1 Basic Functions](#3.1 Basic Functions) + * [3.1.1 Applications](#3.1.1 Applications) + * [3.1.2 Window Display Area](#3.1.2 Window Display Area) + * [3.1.3 Multi-View Switching](#3.1.3 Multi-View Switching) + * [3.1.4 Tray](#3.1.4 Tray) + * [3.1.4.1 Network](#3.1.4.1 Network) + * [3.1.4.2 Volume](#3.1.4.2 Volume) + * [3.1.4.3 Power Supply](#3.1.4.3 Power Supply) + * [3.1.4.4 Notification Center](#3.1.4.4 Notification Center) + * [3.1.4.5 Calendar](#3.1.4.5 Calendar) + * [3.1.4.6 Advanced Settings](#3.1.4.6 Advanced Settings) + * [3.1.4.7 Login User Actions](#3.1.4.7 Login User Actions) + * [3.1.4.7.1 Lock Screen](#3.1.4.7.1 Lock Screen) + * [3.1.4.7.2 Switch User](#3.1.4.7.2 Switch User) + * [3.1.4.7.3 Suspend](#3.1.4.7.3 Suspend) + * [3.1.4.7.3 Shut Down](#3.1.4.7.3 Shut Down) + * [3.1.4.7.3 Log Out](#3.1.4.7.3 Log Out) + * [4. Shortcut Operation Bar](#4. Shortcut Operation Bar) + * [4.1 Basic Functions](#4.1 [Basic Functions]) + * [4.1.1 Show Desktop](#4.1.1 Show Desktop) + * [4.1.2 Terminal](#4.1.2 Terminal) + * [4.1.3 File Manager](#4.1.3 File Manager) + * [4.1.4 Web Browser](#4.1.4 Web Browser) + * [4.1.5 Application Finder](#4.1.5 Application Finder) + * [4.1.6 User Home Directory](#4.1. 6 User Home Directory) + +# Xfce User Guide + +## 1\. Overview + +Xfce is a lightweight desktop environment running on Unix-like operating systems. Xfce provides multiple functional components, including all applications. This document describes how to use Xfce. + +The following figure shows the WebUI. + +![Figure 1 Main screen of the desktop - big](./figures/xfce-1.png) + +
+## 2\. Desktop + +### 2.1 Desktop Icons + +By default, icons such as the file system, main folder, and mount directory are placed. You can double-click the icons to open the page. + +![Figure 2 Default desktop icons - big](./figures/xfce-2.png) + +### 2.2 Shortcut Menu + +Right-click in the blank area on the desktop. The shortcut menus are displayed, as shown in the following figure. + +![Figure 3 Shortcut menu](./figures/xfce-3.png) + +The following table describes some options. + +| Parameter| Description| +|:----------|:----------| +| Open in New Window| Open the **Desktop** directory of the login user.| +| Create Launcher| Create a launcher.| +| Create URL Link| Create a URL link.| +| Create Folder| Create a folder.| +| Create Document| Create a text file.| +| Open Terminal Here| Create a terminal.| +| Arrange Desktop Icons| Automatically arrange desktop icons.| +| Desktop Settings| Set the background, menus, and icons.| +| Properties| Set desktop properties, such as the general, logo, and permission.| +| Applications| Applications| + +
+## 3\. Taskbar + +### 3.1 Basic Functions + +The taskbar is located at the top, including application, window display area, multi-view switch, and tray menus. + +![Figure 4 Taskbar](./figures/xfce-4.png) + +| Component| Description| +|:----------|:----------| +| Applications| Display all applications and settings, and allow you to search for applications and settings.| +| Window display area| The blank area in the middle of the horizontal bar, which displays running programs or opened documents. You can minimize, maximize, close, or pin the window to the top.| +| Switching views| Perform operations in multiple workspaces without interfering with each other.| +| Tray| Set the network connection, sound, power, notification center, calendar, and login user actions.| + +#### 3.1.1 Applications + +![Figure 5 All applications – big](./figures/xfce-5.png) + +#### 3.1.2 Window Display Area + +![Figure 6 Window display area - big](./figures/xfce-6.png) + +#### 3.1.3 Multi-View Switching + +Click ![](./figures/xfce-7.png) in the taskbar to enter the corresponding work area. + +For example, you can use the mouse to switch among multiple workspaces to select the operation area that you want to work in. + +![Figure 7 Switching among multiple views - big](./figures/xfce-71.png) + +#### 3.1.4 Tray + +![Figure 8 Tray menu - big](./figures/xfce-8.png) + +##### 3.1.4.1 Network + +You can click ![](./figures/xfce-81.png) on the taskbar and select a network connection mode as required. + +![Figure 9 Network connection page](./figures/xfce-811.png) + +Network settings dialog box + +Right-click the network icon ![](./figures/xfce-81.png) on the taskbar. The network setting menu is displayed. + +![Figure 10 Network settings](./figures/xfce-812.png) + +Click **Edit Connections**. The network setting dialog box is displayed. + +![Figure 11 Network setting dialog box](./figures/xfce-813.png) + +Double-click the specified network connection, for example, **enp1s0**. 
The page for setting the connection is displayed. + +![Figure 12 Setting the wired network](./figures/xfce-814.png) + +##### 3.1.4.2 Volume + +Click the volume icon ![](./figures/xfce-82.png) on the taskbar to open the sound page. + +![Figure 13 Volume setting window](./figures/xfce-821.png) + +##### 3.1.4.3 Power supply + +Click ![](./figures/xfce-83.png) on the taskbar. + +![Figure 14 Power supply devices](./figures/xfce-831.png) + +You can click **Power Manager Settings** to configure the display and nodes. + +![Figure 15 Setting the power manager](./figures/xfce-832.png) + +##### 3.1.4.4 Notification Center + +Click ![](./figures/xfce-84.png) on the taskbar. + +![Figure 16 Notification center - big](./figures/xfce-841.png) + +You can disable the notification function by selecting **Do not disturb**. + +The notification center displays the latest important information list. You can click **Clear log** to clear the information list. + +You can click **Notification settings** to go to the notification setting page of the control panel and set the applications to be displayed and the number of messages to be displayed. + +![Figure 17 Notification center - big](./figures/xfce-842.png) + +##### 3.1.4.5 Calendar + +You can click the date and time on the taskbar to display the calendar window and view the calendar, month calendar, and annual calendar. + +You can choose a year, a month and a day to view the information of a specific day. + +![Figure 18 Calendar-big](./figures/xfce-85.png) + +Right-click the time and date on the taskbar and click **Properties** to set the time. + +![Figure 19 Date setting - big](./figures/xfce-851.png) + +#### 3.1.4.6 Advanced Settings + +Right-click the taskbar and choose **Panel** from the shortcut menu. + +![Figure 20 Shortcut menu on the taskbar](./figures/xfce-86.png) + +You can set the layout of the taskbar and add or delete items. 
+ +![Figure 21 Shortcut menu on the taskbar](./figures/xfce-861.png) + +##### 3.1.4.7 Login User Actions + +Click the login user on the task bar to view related actions. + +![Figure 22 Actions of a login user](./figures/xfce-87.png) + +###### 3.1.4.7.1 Lock Screen + +If you use the computer currently, you can lock the screen (which does not affect the current running status of the system) to prevent misoperations. After locking the screen, you can enter the password to log in to the system again. + +By default, the system automatically locks the screen after a period of idle time. + +###### 3.1.4.7.2 Switch User + +If you want to log in to the computer as another user, choose **Switch User**. + +Then, the system closes all running applications. Therefore, before performing this operation, save the current work. + +###### 3.1.4.7.3 Suspend + +For the sake of environmental protection and energy saving, you can select **Suspend****.** + +After that, the related data is read into the memory. Do not switch the power supply. + +###### 3.1.4.7.3 Shut Down + +You can choose **Shut Down** to shut down a computer. + +Before performing this operation, save the current work. + +###### 3.1.4.7.3 Log Out + +To log out of the GUI, click **Log Out**. + +Then, the system closes all running applications. Therefore, before performing this operation, save the current work. + +
+## 4\. Shortcut Operation Bar + +### 4.1 Basic Functions + +The shortcut operation bar is located at the bottom, including the icons for displaying all the desktops, terminals, file managers, web browsers, application search, and user home directories. + +![Figure 23 Shortcut operation bar](./figures/xfce-9.png) + +| Component| Description | +|:----------|:----------| +| Show Desktop| Hide all windows and show the desktop. Click again to restore the window.| +| Terminal| Open a terminal.| +| File Manager| Open a file manager.| +| Web Browser| Open a web browser.| +| Application Finder| Open the application search window.| +| User Home Directory| Open the home directory of the login user.| + +#### 4.1.1 Show Desktop + +Click ![](./figures/xfce-91.png) on the shortcut operation bar to display the desktop. + +![Figure 24 Showing the desktop - big](./figures/xfce-911.png) + +#### 4.1.2 Terminal + +Click ![](./figures/xfce-92.png) on the shortcut operation bar to open a terminal. + +![Figure 25 Terminal-big](./figures/xfce-921.png) + +#### 4.1.3 File Manager + +You can click the ![](./figures/xfce-93.png) icon on the shortcut operation bar to open a file manager. + +![Figure 26 File manager - big](./figures/xfce-931.png) + +#### 4.1.4 Web Browser + +You can click the ![](./figures/xfce-94.png) icon on the shortcut operation bar to open a web browser. + +![Figure 27 Web browser - big](./figures/xfce-941.png) + +#### 4.1.5 Application Finder + +You can click the ![](./figures/xfce-95.png) icon on the shortcut operation bar to open an application program search interface. + +![Figure 28 Searching for an application - big](./figures/xfce-951.png) + +#### 4.1. 6 User Home Directory + +Click ![](./figures/xfce-96.png) on the shortcut operation bar and click **Open File**. The user home directory page is displayed. 
+ +![Figure 29 User home directory - big](./figures/xfce-961.png) + +Click the ![](./figures/xfce-96.png) icon on the shortcut operation bar, and then click **Open in Terminal** to open a terminal. The current directory is the home directory of the user. + +![Figure 30 User home directory - big](./figures/xfce-962.png) \ No newline at end of file diff --git a/docs/en/docs/desktop/dde.md b/docs/en/docs/desktop/dde.md new file mode 100644 index 0000000000000000000000000000000000000000..96d37a7b4d8c7a4544454fce5ca5368845a560a7 --- /dev/null +++ b/docs/en/docs/desktop/dde.md @@ -0,0 +1,3 @@ +# DDE User Guide + +This section describes how to install and use the Deepin Desktop Environment (DDE). \ No newline at end of file diff --git a/docs/en/docs/desktop/desktop.md b/docs/en/docs/desktop/desktop.md new file mode 100644 index 0000000000000000000000000000000000000000..b6b171f161391dc9b208ef2a90af0e913d230db4 --- /dev/null +++ b/docs/en/docs/desktop/desktop.md @@ -0,0 +1,3 @@ +# Desktop Environment User Guide + +This document describes how to install and use two common desktop environments, which provide a user-friendly, secure, and reliable GUI for better user experience. diff --git a/docs/en/docs/desktop/figures/1.png b/docs/en/docs/desktop/figures/1.png new file mode 100755 index 0000000000000000000000000000000000000000..40af4242eebb440a76c749a8d970d50cd7b89bf4 Binary files /dev/null and b/docs/en/docs/desktop/figures/1.png differ diff --git a/docs/en/docs/desktop/figures/10.png b/docs/en/docs/desktop/figures/10.png new file mode 100755 index 0000000000000000000000000000000000000000..e588ffbe3d8d7b66d92ae8f2b4bcec7c80d0592c Binary files /dev/null and b/docs/en/docs/desktop/figures/10.png differ diff --git a/docs/en/docs/desktop/figures/11.png b/docs/en/docs/desktop/figures/11.png new file mode 100755 index 0000000000000000000000000000000000000000..1989a5bb08155f920363e154e68bb148715c7e9e Binary files /dev/null and b/docs/en/docs/desktop/figures/11.png differ 
diff --git a/docs/en/docs/desktop/figures/12.png b/docs/en/docs/desktop/figures/12.png new file mode 100755 index 0000000000000000000000000000000000000000..cb6346161182d2cfeaf3818d5ec518ddb11c732e Binary files /dev/null and b/docs/en/docs/desktop/figures/12.png differ diff --git a/docs/en/docs/desktop/figures/13.png b/docs/en/docs/desktop/figures/13.png new file mode 100755 index 0000000000000000000000000000000000000000..0a7def1fb66c90da62acde799eaffca97e3b5396 Binary files /dev/null and b/docs/en/docs/desktop/figures/13.png differ diff --git a/docs/en/docs/desktop/figures/14.png b/docs/en/docs/desktop/figures/14.png new file mode 100755 index 0000000000000000000000000000000000000000..3a27a66d57e284775420d467f90dcc02889bbffe Binary files /dev/null and b/docs/en/docs/desktop/figures/14.png differ diff --git a/docs/en/docs/desktop/figures/15.png b/docs/en/docs/desktop/figures/15.png new file mode 100755 index 0000000000000000000000000000000000000000..370bea32abcaa8a2b06a1a61c1455d4b35f43474 Binary files /dev/null and b/docs/en/docs/desktop/figures/15.png differ diff --git a/docs/en/docs/desktop/figures/16.png b/docs/en/docs/desktop/figures/16.png new file mode 100755 index 0000000000000000000000000000000000000000..812ee462669c5263ef4bffc49ca4f9b6af4541c6 Binary files /dev/null and b/docs/en/docs/desktop/figures/16.png differ diff --git a/docs/en/docs/desktop/figures/17.png b/docs/en/docs/desktop/figures/17.png new file mode 100755 index 0000000000000000000000000000000000000000..36e524b806874fa3788f5e4dcd78350686281107 Binary files /dev/null and b/docs/en/docs/desktop/figures/17.png differ diff --git a/docs/en/docs/desktop/figures/18.png b/docs/en/docs/desktop/figures/18.png new file mode 100755 index 0000000000000000000000000000000000000000..51b32442980aa60646f77dabd53ade74f55891fe Binary files /dev/null and b/docs/en/docs/desktop/figures/18.png differ 
diff --git a/docs/en/docs/desktop/figures/19.png b/docs/en/docs/desktop/figures/19.png new file mode 100755 index 0000000000000000000000000000000000000000..c9457d09aa9f1662b2c9e4550cdbdb9f57dd020e Binary files /dev/null and b/docs/en/docs/desktop/figures/19.png differ diff --git a/docs/en/docs/desktop/figures/2.png b/docs/en/docs/desktop/figures/2.png new file mode 100755 index 0000000000000000000000000000000000000000..97917cc245484a43bec8562757d920a06f123121 Binary files /dev/null and b/docs/en/docs/desktop/figures/2.png differ diff --git a/docs/en/docs/desktop/figures/20.png b/docs/en/docs/desktop/figures/20.png new file mode 100755 index 0000000000000000000000000000000000000000..b0943189920d7a541d35da27340593ea93f92a17 Binary files /dev/null and b/docs/en/docs/desktop/figures/20.png differ diff --git a/docs/en/docs/desktop/figures/21.png b/docs/en/docs/desktop/figures/21.png new file mode 100755 index 0000000000000000000000000000000000000000..e590c22c0ea28906b5f4ea7ccbc6ab11e47ad173 Binary files /dev/null and b/docs/en/docs/desktop/figures/21.png differ diff --git a/docs/en/docs/desktop/figures/22.png b/docs/en/docs/desktop/figures/22.png new file mode 100755 index 0000000000000000000000000000000000000000..03a548b1ffb1f0ad53cfa5387af2721af90bca81 Binary files /dev/null and b/docs/en/docs/desktop/figures/22.png differ diff --git a/docs/en/docs/desktop/figures/23.png b/docs/en/docs/desktop/figures/23.png new file mode 100755 index 0000000000000000000000000000000000000000..834c492094715cde1c02c91752ecabfe7921ed62 Binary files /dev/null and b/docs/en/docs/desktop/figures/23.png differ diff --git a/docs/en/docs/desktop/figures/24.png b/docs/en/docs/desktop/figures/24.png new file mode 100755 index 0000000000000000000000000000000000000000..1881e868b74a60888b319576fa38fb4af92ba75c Binary files /dev/null and b/docs/en/docs/desktop/figures/24.png differ 
diff --git a/docs/en/docs/desktop/figures/25.png b/docs/en/docs/desktop/figures/25.png new file mode 100755 index 0000000000000000000000000000000000000000..f38839725d27a3486984d152e5d9de305364fbd2 Binary files /dev/null and b/docs/en/docs/desktop/figures/25.png differ diff --git a/docs/en/docs/desktop/figures/26.png b/docs/en/docs/desktop/figures/26.png new file mode 100755 index 0000000000000000000000000000000000000000..6d7957119133ecb98b1b6b104e54a3a4647ec2a5 Binary files /dev/null and b/docs/en/docs/desktop/figures/26.png differ diff --git a/docs/en/docs/desktop/figures/27.png b/docs/en/docs/desktop/figures/27.png new file mode 100755 index 0000000000000000000000000000000000000000..3e4733717fdc5172d6479b393005219e65e96df4 Binary files /dev/null and b/docs/en/docs/desktop/figures/27.png differ diff --git a/docs/en/docs/desktop/figures/28.png b/docs/en/docs/desktop/figures/28.png new file mode 100755 index 0000000000000000000000000000000000000000..a77772e818e3f6c11acac3b9cfa18bad14a0a48c Binary files /dev/null and b/docs/en/docs/desktop/figures/28.png differ diff --git a/docs/en/docs/desktop/figures/29.png b/docs/en/docs/desktop/figures/29.png new file mode 100755 index 0000000000000000000000000000000000000000..c4f58ffe5855295268298448744e5aadbdc55276 Binary files /dev/null and b/docs/en/docs/desktop/figures/29.png differ diff --git a/docs/en/docs/desktop/figures/3.png b/docs/en/docs/desktop/figures/3.png new file mode 100755 index 0000000000000000000000000000000000000000..fbb76b336957020ed6867d908e0a8bdcfc953c52 Binary files /dev/null and b/docs/en/docs/desktop/figures/3.png differ diff --git a/docs/en/docs/desktop/figures/30.png b/docs/en/docs/desktop/figures/30.png new file mode 100755 index 0000000000000000000000000000000000000000..d91adefba1753959e90ccf4aa1501ac08d7144bd Binary files /dev/null and b/docs/en/docs/desktop/figures/30.png differ 
diff --git a/docs/en/docs/desktop/figures/31.png b/docs/en/docs/desktop/figures/31.png new file mode 100755 index 0000000000000000000000000000000000000000..0abef09ab438f5f8cfb68090993f55c493b8c15e Binary files /dev/null and b/docs/en/docs/desktop/figures/31.png differ diff --git a/docs/en/docs/desktop/figures/32.png b/docs/en/docs/desktop/figures/32.png new file mode 100755 index 0000000000000000000000000000000000000000..d567cfbacc07a9eb46ff2c54a68432f45e034e94 Binary files /dev/null and b/docs/en/docs/desktop/figures/32.png differ diff --git a/docs/en/docs/desktop/figures/33.png b/docs/en/docs/desktop/figures/33.png new file mode 100755 index 0000000000000000000000000000000000000000..7b5896e2884520672c0bd88d68471b45a09c56fe Binary files /dev/null and b/docs/en/docs/desktop/figures/33.png differ diff --git a/docs/en/docs/desktop/figures/34.png b/docs/en/docs/desktop/figures/34.png new file mode 100755 index 0000000000000000000000000000000000000000..81bc9480fbbd81a97c559d7a6a74274deeab2bd1 Binary files /dev/null and b/docs/en/docs/desktop/figures/34.png differ diff --git a/docs/en/docs/desktop/figures/35.png b/docs/en/docs/desktop/figures/35.png new file mode 100755 index 0000000000000000000000000000000000000000..ab2399847a643a87279337704e23fea7609bb211 Binary files /dev/null and b/docs/en/docs/desktop/figures/35.png differ diff --git a/docs/en/docs/desktop/figures/36.png b/docs/en/docs/desktop/figures/36.png new file mode 100755 index 0000000000000000000000000000000000000000..536981609b9ae5d32be56bec612f2b3446146184 Binary files /dev/null and b/docs/en/docs/desktop/figures/36.png differ diff --git a/docs/en/docs/desktop/figures/37.png b/docs/en/docs/desktop/figures/37.png new file mode 100755 index 0000000000000000000000000000000000000000..e39aa03587642dc1f8622fff515b05a9a3085b28 Binary files /dev/null and b/docs/en/docs/desktop/figures/37.png differ 
diff --git a/docs/en/docs/desktop/figures/38.png b/docs/en/docs/desktop/figures/38.png new file mode 100644 index 0000000000000000000000000000000000000000..838f5ff0616a83cdf42edb053f4e72b93bfa644e Binary files /dev/null and b/docs/en/docs/desktop/figures/38.png differ diff --git a/docs/en/docs/desktop/figures/39.png b/docs/en/docs/desktop/figures/39.png new file mode 100644 index 0000000000000000000000000000000000000000..12a379403d73a47b2fa564120a28fdb58d188963 Binary files /dev/null and b/docs/en/docs/desktop/figures/39.png differ diff --git a/docs/en/docs/desktop/figures/4.png b/docs/en/docs/desktop/figures/4.png new file mode 100755 index 0000000000000000000000000000000000000000..5078e36aca713706d2cf08a3ebecdc3769951899 Binary files /dev/null and b/docs/en/docs/desktop/figures/4.png differ diff --git a/docs/en/docs/desktop/figures/40.png b/docs/en/docs/desktop/figures/40.png new file mode 100755 index 0000000000000000000000000000000000000000..bf419894eab852b45604966c62fafa71f051c4df Binary files /dev/null and b/docs/en/docs/desktop/figures/40.png differ diff --git a/docs/en/docs/desktop/figures/41.png b/docs/en/docs/desktop/figures/41.png new file mode 100755 index 0000000000000000000000000000000000000000..f94b0ee72e0d4e9277e9b44b4268cfbdb8402104 Binary files /dev/null and b/docs/en/docs/desktop/figures/41.png differ diff --git a/docs/en/docs/desktop/figures/42.png b/docs/en/docs/desktop/figures/42.png new file mode 100644 index 0000000000000000000000000000000000000000..3182e551c4e4b03885bad6339f1de514b3f55f8c Binary files /dev/null and b/docs/en/docs/desktop/figures/42.png differ diff --git a/docs/en/docs/desktop/figures/43.jpg b/docs/en/docs/desktop/figures/43.jpg new file mode 100644 index 0000000000000000000000000000000000000000..26e9244f58ea9800081fd61ae135477f05b21b40 Binary files /dev/null and b/docs/en/docs/desktop/figures/43.jpg differ 
diff --git a/docs/en/docs/desktop/figures/44.png b/docs/en/docs/desktop/figures/44.png new file mode 100644 index 0000000000000000000000000000000000000000..c3abaecd6e053272d81e0ad9bd183c6858b4f3c5 Binary files /dev/null and b/docs/en/docs/desktop/figures/44.png differ diff --git a/docs/en/docs/desktop/figures/45.png b/docs/en/docs/desktop/figures/45.png new file mode 100755 index 0000000000000000000000000000000000000000..86b051acde857c88479714414f721a7f59cca483 Binary files /dev/null and b/docs/en/docs/desktop/figures/45.png differ diff --git a/docs/en/docs/desktop/figures/46.png b/docs/en/docs/desktop/figures/46.png new file mode 100755 index 0000000000000000000000000000000000000000..d8ec41c87628bf28c9905523f99ae93aebd13614 Binary files /dev/null and b/docs/en/docs/desktop/figures/46.png differ diff --git a/docs/en/docs/desktop/figures/47.jpg b/docs/en/docs/desktop/figures/47.jpg new file mode 100755 index 0000000000000000000000000000000000000000..bf95f03c8ea0f84a878bc63af20972c9da71bc04 Binary files /dev/null and b/docs/en/docs/desktop/figures/47.jpg differ diff --git a/docs/en/docs/desktop/figures/48.png b/docs/en/docs/desktop/figures/48.png new file mode 100644 index 0000000000000000000000000000000000000000..ef21fa1ce1e2e9848a8dca16e692de673df7c6d7 Binary files /dev/null and b/docs/en/docs/desktop/figures/48.png differ diff --git a/docs/en/docs/desktop/figures/49.png b/docs/en/docs/desktop/figures/49.png new file mode 100644 index 0000000000000000000000000000000000000000..3b77668e5a4d1bdb3043c473dff9b36fa7144714 Binary files /dev/null and b/docs/en/docs/desktop/figures/49.png differ diff --git a/docs/en/docs/desktop/figures/5.png b/docs/en/docs/desktop/figures/5.png new file mode 100755 index 0000000000000000000000000000000000000000..2976a745cfaede26594d6daa01cfc18d18b1de8b Binary files /dev/null and b/docs/en/docs/desktop/figures/5.png differ 
diff --git a/docs/en/docs/desktop/figures/50.png b/docs/en/docs/desktop/figures/50.png new file mode 100644 index 0000000000000000000000000000000000000000..b86a55fe4363f56fc18befc9d27025a75ca427ad Binary files /dev/null and b/docs/en/docs/desktop/figures/50.png differ diff --git a/docs/en/docs/desktop/figures/51.png b/docs/en/docs/desktop/figures/51.png new file mode 100755 index 0000000000000000000000000000000000000000..d427ac871dba9c32eb4ffe736d5352f8408da533 Binary files /dev/null and b/docs/en/docs/desktop/figures/51.png differ diff --git a/docs/en/docs/desktop/figures/52.png b/docs/en/docs/desktop/figures/52.png new file mode 100644 index 0000000000000000000000000000000000000000..0ca0a2db05c70bc25f9bb59e82d074f671cfc74e Binary files /dev/null and b/docs/en/docs/desktop/figures/52.png differ diff --git a/docs/en/docs/desktop/figures/53.png b/docs/en/docs/desktop/figures/53.png new file mode 100644 index 0000000000000000000000000000000000000000..76fbc34a1d5621b83c2d8c93222766acad33350d Binary files /dev/null and b/docs/en/docs/desktop/figures/53.png differ diff --git a/docs/en/docs/desktop/figures/54.png b/docs/en/docs/desktop/figures/54.png new file mode 100644 index 0000000000000000000000000000000000000000..49ecae6f8941a118223f3765c23015df074c4983 Binary files /dev/null and b/docs/en/docs/desktop/figures/54.png differ diff --git a/docs/en/docs/desktop/figures/56.png b/docs/en/docs/desktop/figures/56.png new file mode 100644 index 0000000000000000000000000000000000000000..36fee795bfe593b6246c8d6c2bddea9386b06f45 Binary files /dev/null and b/docs/en/docs/desktop/figures/56.png differ diff --git a/docs/en/docs/desktop/figures/57.png b/docs/en/docs/desktop/figures/57.png new file mode 100644 index 0000000000000000000000000000000000000000..539d06b77b058a933cb154c43641d498050986e0 Binary files /dev/null and b/docs/en/docs/desktop/figures/57.png differ 
diff --git a/docs/en/docs/desktop/figures/58.png b/docs/en/docs/desktop/figures/58.png new file mode 100755 index 0000000000000000000000000000000000000000..396ca16d873e54505bcdbd41d669366eea7f5dee Binary files /dev/null and b/docs/en/docs/desktop/figures/58.png differ diff --git a/docs/en/docs/desktop/figures/59.png b/docs/en/docs/desktop/figures/59.png new file mode 100644 index 0000000000000000000000000000000000000000..9b1de98ac4fe686937ca844d3e9481548a79ce63 Binary files /dev/null and b/docs/en/docs/desktop/figures/59.png differ diff --git a/docs/en/docs/desktop/figures/6.png b/docs/en/docs/desktop/figures/6.png new file mode 100755 index 0000000000000000000000000000000000000000..275c23872f2353f007371672714902babcc3db53 Binary files /dev/null and b/docs/en/docs/desktop/figures/6.png differ diff --git a/docs/en/docs/desktop/figures/60.jpg b/docs/en/docs/desktop/figures/60.jpg new file mode 100755 index 0000000000000000000000000000000000000000..033c88aaadd04f7d4058ec2eb5b2c70498319bf7 Binary files /dev/null and b/docs/en/docs/desktop/figures/60.jpg differ diff --git a/docs/en/docs/desktop/figures/61.png b/docs/en/docs/desktop/figures/61.png new file mode 100644 index 0000000000000000000000000000000000000000..8df17062963a3baf92318a12ec34b1378122687b Binary files /dev/null and b/docs/en/docs/desktop/figures/61.png differ diff --git a/docs/en/docs/desktop/figures/62.png b/docs/en/docs/desktop/figures/62.png new file mode 100644 index 0000000000000000000000000000000000000000..ec312d6c0c22018c1745dd866da71ce9be47fbda Binary files /dev/null and b/docs/en/docs/desktop/figures/62.png differ diff --git a/docs/en/docs/desktop/figures/63.jpg b/docs/en/docs/desktop/figures/63.jpg new file mode 100755 index 0000000000000000000000000000000000000000..504f7cf59768f6fd1cd73a115d01fbc4e15a02e1 Binary files /dev/null and b/docs/en/docs/desktop/figures/63.jpg differ 
diff --git a/docs/en/docs/desktop/figures/63.png b/docs/en/docs/desktop/figures/63.png new file mode 100755 index 0000000000000000000000000000000000000000..86b051acde857c88479714414f721a7f59cca483 Binary files /dev/null and b/docs/en/docs/desktop/figures/63.png differ diff --git a/docs/en/docs/desktop/figures/64.png b/docs/en/docs/desktop/figures/64.png new file mode 100755 index 0000000000000000000000000000000000000000..cbbd2ede047e735c3766e08b04595f08cd72f5b2 Binary files /dev/null and b/docs/en/docs/desktop/figures/64.png differ diff --git a/docs/en/docs/desktop/figures/7.png b/docs/en/docs/desktop/figures/7.png new file mode 100755 index 0000000000000000000000000000000000000000..4d397959ac7f6d166ef5a3b7084bd5c3c93b475f Binary files /dev/null and b/docs/en/docs/desktop/figures/7.png differ diff --git a/docs/en/docs/desktop/figures/8.png b/docs/en/docs/desktop/figures/8.png new file mode 100755 index 0000000000000000000000000000000000000000..8ade274092d7b3e461c96d7909a9d89d3a944f09 Binary files /dev/null and b/docs/en/docs/desktop/figures/8.png differ diff --git a/docs/en/docs/desktop/figures/9.png b/docs/en/docs/desktop/figures/9.png new file mode 100755 index 0000000000000000000000000000000000000000..f7b2215404929346f1a814b0b1d6d482559c08b5 Binary files /dev/null and b/docs/en/docs/desktop/figures/9.png differ diff --git a/docs/en/docs/desktop/figures/icon1.png b/docs/en/docs/desktop/figures/icon1.png new file mode 100755 index 0000000000000000000000000000000000000000..9bac00355cf4aa57d32287fd4271404f6fd3fd4d Binary files /dev/null and b/docs/en/docs/desktop/figures/icon1.png differ diff --git a/docs/en/docs/desktop/figures/icon10-o.png b/docs/en/docs/desktop/figures/icon10-o.png new file mode 100755 index 0000000000000000000000000000000000000000..d6c56d1a64c588d86f8fe510c74e5a7c4cb810d4 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon10-o.png differ 
diff --git a/docs/en/docs/desktop/figures/icon101-o.svg b/docs/en/docs/desktop/figures/icon101-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..af1c5d3dc0277a6ea59e71efb6ca97bdfc782e8e --- /dev/null +++ b/docs/en/docs/desktop/figures/icon101-o.svg @@ -0,0 +1,3 @@ + + + diff --git a/docs/en/docs/desktop/figures/icon103-o.svg b/docs/en/docs/desktop/figures/icon103-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..c06c885725c569ab8db1fe7d595a7c65f18c5142 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon103-o.svg @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon105-o.svg b/docs/en/docs/desktop/figures/icon105-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..36c49949fa569330b761c2d65518f36c10435508 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon105-o.svg @@ -0,0 +1,111 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon107-o.svg b/docs/en/docs/desktop/figures/icon107-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..fb5a3ea756f6ccb7b3e5c31122a433347a908c96 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon107-o.svg @@ -0,0 +1,50 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon11-o.png b/docs/en/docs/desktop/figures/icon11-o.png new file mode 100755 index 0000000000000000000000000000000000000000..47a1f2cb7f99b583768c7cbd7e05a57f302dbe8a Binary files /dev/null and b/docs/en/docs/desktop/figures/icon11-o.png differ 
diff --git a/docs/en/docs/desktop/figures/icon110-o.svg b/docs/en/docs/desktop/figures/icon110-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..7958e3f192061592e002e1e8a1bad06ffa86742c --- /dev/null +++ b/docs/en/docs/desktop/figures/icon110-o.svg @@ -0,0 +1,12 @@ + + + + reboot_normal + Created with Sketch. + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon111-o.svg b/docs/en/docs/desktop/figures/icon111-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..097d16a08d305a8b3f3b2268ab1ea8342e799377 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon111-o.svg @@ -0,0 +1,13 @@ + + + + Right + Created with Sketch. + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon112-o.svg b/docs/en/docs/desktop/figures/icon112-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e51628c2b8b10495f3410d219814286696ea2fd5 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon112-o.svg @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon116-o.svg b/docs/en/docs/desktop/figures/icon116-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..4d79cd6dbbbfd3969f4e0ad0ad88e27398853505 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon116-o.svg @@ -0,0 +1,72 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon12-o.png b/docs/en/docs/desktop/figures/icon12-o.png new file mode 100755 index 0000000000000000000000000000000000000000..f1f0f59dd3879461a0b5bc0632693a4a4124def3 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon12-o.png differ 
diff --git a/docs/en/docs/desktop/figures/icon120-o.svg b/docs/en/docs/desktop/figures/icon120-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e895c347d16a200aea46b00428b0b9f1a3c94246 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon120-o.svg @@ -0,0 +1,49 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon122-o.svg b/docs/en/docs/desktop/figures/icon122-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..7fb014b5fd6097ca37a84d0b6a27dc982d675c8a --- /dev/null +++ b/docs/en/docs/desktop/figures/icon122-o.svg @@ -0,0 +1,3 @@ + + + diff --git a/docs/en/docs/desktop/figures/icon124-o.svg b/docs/en/docs/desktop/figures/icon124-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..960c0ec096c925213f8953398f0e8e5db3cdaed3 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon124-o.svg @@ -0,0 +1,55 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon125-o.svg b/docs/en/docs/desktop/figures/icon125-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..011c05f4b8f296867cd408a339230323fcbb28dd --- /dev/null +++ b/docs/en/docs/desktop/figures/icon125-o.svg @@ -0,0 +1,9 @@ + + + tips + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon126-o.svg b/docs/en/docs/desktop/figures/icon126-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e0a43b6b8beb434090ac0dd3a8fd68c023f11fce --- /dev/null +++ b/docs/en/docs/desktop/figures/icon126-o.svg @@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/docs/en/docs/desktop/figures/icon127-o.svg b/docs/en/docs/desktop/figures/icon127-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..bed95d35334a8d0151211054236c0bacddcc0dd3 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon127-o.svg @@ -0,0 +1,13 @@ + + + + Up + Created with Sketch. + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon128-o.svg b/docs/en/docs/desktop/figures/icon128-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..aa727f3f5d5883b3fb83a79c4b98e8b5bfe4ade6 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon128-o.svg @@ -0,0 +1,12 @@ + + + + userswitch_normal + Created with Sketch. + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon13-o.png b/docs/en/docs/desktop/figures/icon13-o.png new file mode 100755 index 0000000000000000000000000000000000000000..c05a981b29d8ad11c6682f796f79b4cafd0f088b Binary files /dev/null and b/docs/en/docs/desktop/figures/icon13-o.png differ diff --git a/docs/en/docs/desktop/figures/icon132-o.svg b/docs/en/docs/desktop/figures/icon132-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..588ba9d98864ba67a562fa9179f29405f7687aa0 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon132-o.svg @@ -0,0 +1,15 @@ + + + + - + Created with Sketch. + + + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon133-o.svg b/docs/en/docs/desktop/figures/icon133-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..886d90a83e33497d134bdb3dcc864a5c2df53f20 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon133-o.svg @@ -0,0 +1,13 @@ + + + + + + Created with Sketch. + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon134-o.svg b/docs/en/docs/desktop/figures/icon134-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..784cf383eb0e8f5c7a57a602047be50ad0a3bc05 
--- /dev/null +++ b/docs/en/docs/desktop/figures/icon134-o.svg @@ -0,0 +1,15 @@ + + + + = + Created with Sketch. + + + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon135-o.svg b/docs/en/docs/desktop/figures/icon135-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..cea628a8f5eb92d10661b690242b6de41ca64816 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon135-o.svg @@ -0,0 +1,15 @@ + + + + ~ + Created with Sketch. + + + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon136-o.svg b/docs/en/docs/desktop/figures/icon136-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..24aa139ab2fefaee20935551f1af5aef473719ed --- /dev/null +++ b/docs/en/docs/desktop/figures/icon136-o.svg @@ -0,0 +1,12 @@ + + + + poweroff_normal + Created with Sketch. + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon14-o.png b/docs/en/docs/desktop/figures/icon14-o.png new file mode 100755 index 0000000000000000000000000000000000000000..b21deee4d98593d93fb5f72158d2d78f3d3f1cb9 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon14-o.png differ diff --git a/docs/en/docs/desktop/figures/icon15-o.png b/docs/en/docs/desktop/figures/icon15-o.png new file mode 100755 index 0000000000000000000000000000000000000000..1827a20e9da4d28e35e8ab2eae739b2fec37b385 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon15-o.png differ diff --git a/docs/en/docs/desktop/figures/icon16.png b/docs/en/docs/desktop/figures/icon16.png new file mode 100755 index 0000000000000000000000000000000000000000..f271594dda9d3ad0f038c9d719dd68c3e82c59f1 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon16.png differ 
diff --git a/docs/en/docs/desktop/figures/icon17.png b/docs/en/docs/desktop/figures/icon17.png new file mode 100755 index 0000000000000000000000000000000000000000..dbe58b89347c857920bce25f067fbd11c308e502 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon17.png differ diff --git a/docs/en/docs/desktop/figures/icon18.png b/docs/en/docs/desktop/figures/icon18.png new file mode 100755 index 0000000000000000000000000000000000000000..1827a20e9da4d28e35e8ab2eae739b2fec37b385 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon18.png differ diff --git a/docs/en/docs/desktop/figures/icon19-o.png b/docs/en/docs/desktop/figures/icon19-o.png new file mode 100755 index 0000000000000000000000000000000000000000..47a1f2cb7f99b583768c7cbd7e05a57f302dbe8a Binary files /dev/null and b/docs/en/docs/desktop/figures/icon19-o.png differ diff --git a/docs/en/docs/desktop/figures/icon2.png b/docs/en/docs/desktop/figures/icon2.png new file mode 100755 index 0000000000000000000000000000000000000000..9101e4b386df065a87d422bc5a0b287528ea5ec7 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon2.png differ diff --git a/docs/en/docs/desktop/figures/icon20.png b/docs/en/docs/desktop/figures/icon20.png new file mode 100755 index 0000000000000000000000000000000000000000..4de3c7c695893539967245ea5e269b26e2b735be Binary files /dev/null and b/docs/en/docs/desktop/figures/icon20.png differ diff --git a/docs/en/docs/desktop/figures/icon21.png b/docs/en/docs/desktop/figures/icon21.png new file mode 100755 index 0000000000000000000000000000000000000000..e7b4320b6ce1fd4adb52525ba2c60983ffb2eed3 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon21.png differ diff --git a/docs/en/docs/desktop/figures/icon22.png b/docs/en/docs/desktop/figures/icon22.png new file mode 100755 index 0000000000000000000000000000000000000000..43bfa96965ad13e0a34ead3cb1102a76b9346a23 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon22.png differ 
diff --git a/docs/en/docs/desktop/figures/icon23.png b/docs/en/docs/desktop/figures/icon23.png new file mode 100755 index 0000000000000000000000000000000000000000..aee221ddaa81d06fa7bd5b89a624da90cd1e53da Binary files /dev/null and b/docs/en/docs/desktop/figures/icon23.png differ diff --git a/docs/en/docs/desktop/figures/icon24.png b/docs/en/docs/desktop/figures/icon24.png new file mode 100755 index 0000000000000000000000000000000000000000..a9e5d700431ca1666fe9eda2cefce5dd2f83bdcd Binary files /dev/null and b/docs/en/docs/desktop/figures/icon24.png differ diff --git a/docs/en/docs/desktop/figures/icon25.png b/docs/en/docs/desktop/figures/icon25.png new file mode 100755 index 0000000000000000000000000000000000000000..3de0f9476bbee9e89c3b759afbed968f17b5bbcc Binary files /dev/null and b/docs/en/docs/desktop/figures/icon25.png differ diff --git a/docs/en/docs/desktop/figures/icon26-o.png b/docs/en/docs/desktop/figures/icon26-o.png new file mode 100755 index 0000000000000000000000000000000000000000..2293a893caf6d89c3beb978598fe7f281e68e7d5 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon26-o.png differ diff --git a/docs/en/docs/desktop/figures/icon27-o.png b/docs/en/docs/desktop/figures/icon27-o.png new file mode 100755 index 0000000000000000000000000000000000000000..abbab8e40f7e3ca7c2a6f28ff78f08f15117828e Binary files /dev/null and b/docs/en/docs/desktop/figures/icon27-o.png differ diff --git a/docs/en/docs/desktop/figures/icon28-o.png b/docs/en/docs/desktop/figures/icon28-o.png new file mode 100755 index 0000000000000000000000000000000000000000..e40d45fc0a9d2af93280ea14e01512838bb3c3dc Binary files /dev/null and b/docs/en/docs/desktop/figures/icon28-o.png differ diff --git a/docs/en/docs/desktop/figures/icon29-o.png b/docs/en/docs/desktop/figures/icon29-o.png new file mode 100755 index 0000000000000000000000000000000000000000..e40d45fc0a9d2af93280ea14e01512838bb3c3dc Binary files /dev/null and b/docs/en/docs/desktop/figures/icon29-o.png differ 
diff --git a/docs/en/docs/desktop/figures/icon3.png b/docs/en/docs/desktop/figures/icon3.png new file mode 100755 index 0000000000000000000000000000000000000000..930ee8909e89e3624c581f83d713af271cd96c75 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon3.png differ diff --git a/docs/en/docs/desktop/figures/icon30-o.png b/docs/en/docs/desktop/figures/icon30-o.png new file mode 100755 index 0000000000000000000000000000000000000000..e40d45fc0a9d2af93280ea14e01512838bb3c3dc Binary files /dev/null and b/docs/en/docs/desktop/figures/icon30-o.png differ diff --git a/docs/en/docs/desktop/figures/icon31-o.png b/docs/en/docs/desktop/figures/icon31-o.png new file mode 100755 index 0000000000000000000000000000000000000000..25959977f986f433ddf3d66935f8d2c2bc6ed86b Binary files /dev/null and b/docs/en/docs/desktop/figures/icon31-o.png differ diff --git a/docs/en/docs/desktop/figures/icon32.png b/docs/en/docs/desktop/figures/icon32.png new file mode 100755 index 0000000000000000000000000000000000000000..25959977f986f433ddf3d66935f8d2c2bc6ed86b Binary files /dev/null and b/docs/en/docs/desktop/figures/icon32.png differ diff --git a/docs/en/docs/desktop/figures/icon33.png b/docs/en/docs/desktop/figures/icon33.png new file mode 100755 index 0000000000000000000000000000000000000000..88ed145b25f6f025ad795ceb012500e0944cb54c Binary files /dev/null and b/docs/en/docs/desktop/figures/icon33.png differ diff --git a/docs/en/docs/desktop/figures/icon34.png b/docs/en/docs/desktop/figures/icon34.png new file mode 100755 index 0000000000000000000000000000000000000000..8247f52a3424c81b451ceb318f4a7979a5eddece Binary files /dev/null and b/docs/en/docs/desktop/figures/icon34.png differ diff --git a/docs/en/docs/desktop/figures/icon35.png b/docs/en/docs/desktop/figures/icon35.png new file mode 100755 index 0000000000000000000000000000000000000000..7c656e9030b94809a57c7e369921e6a585f3574c Binary files /dev/null and b/docs/en/docs/desktop/figures/icon35.png differ 
diff --git a/docs/en/docs/desktop/figures/icon36.png b/docs/en/docs/desktop/figures/icon36.png new file mode 100755 index 0000000000000000000000000000000000000000..7d29d173e914dfff48245d3d3a4d42575ce2d1db Binary files /dev/null and b/docs/en/docs/desktop/figures/icon36.png differ diff --git a/docs/en/docs/desktop/figures/icon37.png b/docs/en/docs/desktop/figures/icon37.png new file mode 100755 index 0000000000000000000000000000000000000000..58be4c621b6638115153e361801deb9ee06634d8 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon37.png differ diff --git a/docs/en/docs/desktop/figures/icon38.png b/docs/en/docs/desktop/figures/icon38.png new file mode 100755 index 0000000000000000000000000000000000000000..0c861ccb891f4fb5e533eb7f7151a8fce1571f17 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon38.png differ diff --git a/docs/en/docs/desktop/figures/icon39.png b/docs/en/docs/desktop/figures/icon39.png new file mode 100755 index 0000000000000000000000000000000000000000..b1ba1f347452d0cd1c06c6c51d2cdf5aea5e490b Binary files /dev/null and b/docs/en/docs/desktop/figures/icon39.png differ diff --git a/docs/en/docs/desktop/figures/icon4.png b/docs/en/docs/desktop/figures/icon4.png new file mode 100755 index 0000000000000000000000000000000000000000..548dc8b648edb73ff1dd8a0266e8479203e72ca0 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon4.png differ diff --git a/docs/en/docs/desktop/figures/icon40.png b/docs/en/docs/desktop/figures/icon40.png new file mode 100755 index 0000000000000000000000000000000000000000..9c29dd1e9a1bf22c36abf51cb18fa9e47b455fab Binary files /dev/null and b/docs/en/docs/desktop/figures/icon40.png differ diff --git a/docs/en/docs/desktop/figures/icon41.png b/docs/en/docs/desktop/figures/icon41.png new file mode 100755 index 0000000000000000000000000000000000000000..9e8aea527a2119433fffec5a8800ebfa4fa5062f Binary files /dev/null and b/docs/en/docs/desktop/figures/icon41.png differ 
diff --git a/docs/en/docs/desktop/figures/icon42-o.png b/docs/en/docs/desktop/figures/icon42-o.png new file mode 100755 index 0000000000000000000000000000000000000000..25959977f986f433ddf3d66935f8d2c2bc6ed86b Binary files /dev/null and b/docs/en/docs/desktop/figures/icon42-o.png differ diff --git a/docs/en/docs/desktop/figures/icon42.png b/docs/en/docs/desktop/figures/icon42.png new file mode 100755 index 0000000000000000000000000000000000000000..25959977f986f433ddf3d66935f8d2c2bc6ed86b Binary files /dev/null and b/docs/en/docs/desktop/figures/icon42.png differ diff --git a/docs/en/docs/desktop/figures/icon43-o.png b/docs/en/docs/desktop/figures/icon43-o.png new file mode 100755 index 0000000000000000000000000000000000000000..284bdd551baf25beb4143013402e77a1a4c60ccb Binary files /dev/null and b/docs/en/docs/desktop/figures/icon43-o.png differ diff --git a/docs/en/docs/desktop/figures/icon44-o.png b/docs/en/docs/desktop/figures/icon44-o.png new file mode 100755 index 0000000000000000000000000000000000000000..810f4d784ee140dbf562e67a0d3fd391272626a5 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon44-o.png differ diff --git a/docs/en/docs/desktop/figures/icon45-o.png b/docs/en/docs/desktop/figures/icon45-o.png new file mode 100755 index 0000000000000000000000000000000000000000..3e528ce2c98284f020ae4912a853f5864526396b Binary files /dev/null and b/docs/en/docs/desktop/figures/icon45-o.png differ diff --git a/docs/en/docs/desktop/figures/icon46-o.png b/docs/en/docs/desktop/figures/icon46-o.png new file mode 100755 index 0000000000000000000000000000000000000000..ec6a3ca0fe57016f3685981ed518493ceea1c855 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon46-o.png differ 
diff --git a/docs/en/docs/desktop/figures/icon47-o.png b/docs/en/docs/desktop/figures/icon47-o.png new file mode 100755 index 0000000000000000000000000000000000000000..6eeaba98d908775bd363a8ffcec27c3b6a214013 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon47-o.png differ diff --git a/docs/en/docs/desktop/figures/icon49-o.svg b/docs/en/docs/desktop/figures/icon49-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..72ffb173fdb95e1aff5b0001b08ed6b71122b7f2 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon49-o.svg @@ -0,0 +1,178 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon5.png b/docs/en/docs/desktop/figures/icon5.png new file mode 100755 index 0000000000000000000000000000000000000000..e4206b7b584bf0702c7cb2f03a3a41e20bfba844 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon5.png differ diff --git a/docs/en/docs/desktop/figures/icon50-o.svg b/docs/en/docs/desktop/figures/icon50-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..05026802be4718205065d6369e14cc0b6ef05bc7 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon50-o.svg @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon52-o.svg b/docs/en/docs/desktop/figures/icon52-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..23149c05873259cd39721b8ee9c3ab7db86d64c5 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon52-o.svg @@ -0,0 +1,9 @@ + + + attention + + + + + + \ No newline at end of file 
diff --git a/docs/en/docs/desktop/figures/icon53-o.svg b/docs/en/docs/desktop/figures/icon53-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..50e33489ce984b0acfd621da4a8ef837fdf048c1 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon53-o.svg @@ -0,0 +1,11 @@ + + + + previous + Created with Sketch. + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon54-o.svg b/docs/en/docs/desktop/figures/icon54-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..3b599aef4b822c707d2f646405bb00837aed96fd --- /dev/null +++ b/docs/en/docs/desktop/figures/icon54-o.svg @@ -0,0 +1,18 @@ + + + + Backspace + Created with Sketch. + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon56-o.svg b/docs/en/docs/desktop/figures/icon56-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..9f13b6861e3858deec8d57a5301c934acc247069 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon56-o.svg @@ -0,0 +1,19 @@ + + + + Slice 1 + Created with Sketch. + + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon57-o.svg b/docs/en/docs/desktop/figures/icon57-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e6fbfa1381b76ab3fcd45652b33267a7f6c69bb7 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon57-o.svg @@ -0,0 +1,11 @@ + + + + titlebutton/close_normal + Created with Sketch. + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon58-o.svg b/docs/en/docs/desktop/figures/icon58-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..9746dcacfc8e5d4c4b63233801e37418a190fc8f --- /dev/null +++ b/docs/en/docs/desktop/figures/icon58-o.svg @@ -0,0 +1,46 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/docs/en/docs/desktop/figures/icon6.png b/docs/en/docs/desktop/figures/icon6.png new file mode 100755 index 0000000000000000000000000000000000000000..88ced3587e9a42b145fe11393726f40aba9d1b2c Binary files /dev/null and b/docs/en/docs/desktop/figures/icon6.png differ diff --git a/docs/en/docs/desktop/figures/icon62-o.svg b/docs/en/docs/desktop/figures/icon62-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..09f61b446669df2e05a3351d40d8c30879c7b035 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon62-o.svg @@ -0,0 +1,47 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon63-o.svg b/docs/en/docs/desktop/figures/icon63-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..06c03ed99260ffadc681475dad35610aedf67f83 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon63-o.svg @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon66-o.svg b/docs/en/docs/desktop/figures/icon66-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..5793b3846b7fe6a5758379591215b16c7f9e1b52 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon66-o.svg @@ -0,0 +1,43 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon68-o.svg b/docs/en/docs/desktop/figures/icon68-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..a7748052dfa436116d8742dca28f7d90865231ed --- /dev/null +++ b/docs/en/docs/desktop/figures/icon68-o.svg @@ -0,0 +1,23 @@ + + + + deepin-system-monitor + Created with Sketch. + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/docs/en/docs/desktop/figures/icon69-o.svg b/docs/en/docs/desktop/figures/icon69-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e21dfd00a32a44ee1c8e3882b4ca8239be04690f --- /dev/null +++ b/docs/en/docs/desktop/figures/icon69-o.svg @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon7.png b/docs/en/docs/desktop/figures/icon7.png new file mode 100755 index 0000000000000000000000000000000000000000..05fe8aa38c84ca0c0c99b0b005ddec2f2ba42f4a Binary files /dev/null and b/docs/en/docs/desktop/figures/icon7.png differ diff --git a/docs/en/docs/desktop/figures/icon70-o.svg b/docs/en/docs/desktop/figures/icon70-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..b5787a7ffa5ed9519a48c6937c60927fd11fd455 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon70-o.svg @@ -0,0 +1,73 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon71-o.svg b/docs/en/docs/desktop/figures/icon71-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..669a21f143b06cb45ea3f45f7f071809f2cbc8a8 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon71-o.svg @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon72-o.svg b/docs/en/docs/desktop/figures/icon72-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..79067ed9b9ff7912e1742183b461fa056601b9cc --- /dev/null +++ b/docs/en/docs/desktop/figures/icon72-o.svg @@ -0,0 +1,34 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon73-o.svg b/docs/en/docs/desktop/figures/icon73-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..cf6292387f5e790db6ebd66184aabcbb39257ee7 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon73-o.svg 
@@ -0,0 +1,13 @@ + + + + Down + Created with Sketch. + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon75-o.svg b/docs/en/docs/desktop/figures/icon75-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..ef6823ccc19858f57374f0b78ad31514e8311be3 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon75-o.svg @@ -0,0 +1,3 @@ + + + diff --git a/docs/en/docs/desktop/figures/icon8.png b/docs/en/docs/desktop/figures/icon8.png new file mode 100755 index 0000000000000000000000000000000000000000..01543c3e0f5e96a023b4e1f0859a03e3a0dafd56 Binary files /dev/null and b/docs/en/docs/desktop/figures/icon8.png differ diff --git a/docs/en/docs/desktop/figures/icon83-o.svg b/docs/en/docs/desktop/figures/icon83-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..35dd6eacc54a933dc9ebc3f3010edfa7363fecc0 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon83-o.svg @@ -0,0 +1,84 @@ + + + + + + image/svg+xml + + img_upload + + + + + + img_upload + Created with Sketch. + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon84-o.svg b/docs/en/docs/desktop/figures/icon84-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..9bd11b9e7b45b506dd7e1c87d09d545d8f48af06 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon84-o.svg @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon86-o.svg b/docs/en/docs/desktop/figures/icon86-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..5da20233309c43d4fc7b315f441cde476c835c67 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon86-o.svg @@ -0,0 +1,66 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/docs/en/docs/desktop/figures/icon88-o.svg b/docs/en/docs/desktop/figures/icon88-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..c2570c26575fd14cb5e9d9fe77831d2e8f6c9333 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon88-o.svg @@ -0,0 +1,13 @@ + + + + Left + Created with Sketch. + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon9.png b/docs/en/docs/desktop/figures/icon9.png new file mode 100755 index 0000000000000000000000000000000000000000..a07c9ab8e51decd9a3bca8c969d2ae95bd68512c Binary files /dev/null and b/docs/en/docs/desktop/figures/icon9.png differ diff --git a/docs/en/docs/desktop/figures/icon90-o.svg b/docs/en/docs/desktop/figures/icon90-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..79b5e0a141f7969a8f77ae61f4c240de7187afe9 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon90-o.svg @@ -0,0 +1,12 @@ + + + + lock_normal + Created with Sketch. + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon92-o.svg b/docs/en/docs/desktop/figures/icon92-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..21341b64a832e1935252aa82e7a4e0b083c16eae --- /dev/null +++ b/docs/en/docs/desktop/figures/icon92-o.svg @@ -0,0 +1,12 @@ + + + + logout_normal + Created with Sketch. + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/icon94-o.svg b/docs/en/docs/desktop/figures/icon94-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..a47044149a02101dbd24a3fdb2f3ead77efca6c1 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon94-o.svg @@ -0,0 +1,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon97-o.svg b/docs/en/docs/desktop/figures/icon97-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..4f4670de29d8c86885b5aa806b2c8cdc6fc16dcb 
--- /dev/null +++ b/docs/en/docs/desktop/figures/icon97-o.svg @@ -0,0 +1,84 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/en/docs/desktop/figures/icon99-o.svg b/docs/en/docs/desktop/figures/icon99-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e9a3aa60a51404c9390bfbea8d8ff09edc0e2e32 --- /dev/null +++ b/docs/en/docs/desktop/figures/icon99-o.svg @@ -0,0 +1,11 @@ + + + notes + + + + + + + + \ No newline at end of file diff --git a/docs/en/docs/desktop/figures/xfce-1.png b/docs/en/docs/desktop/figures/xfce-1.png new file mode 100644 index 0000000000000000000000000000000000000000..2ed383546fb5b5d4c3729fa72396c7280fec55f9 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-1.png differ diff --git a/docs/en/docs/desktop/figures/xfce-2.png b/docs/en/docs/desktop/figures/xfce-2.png new file mode 100644 index 0000000000000000000000000000000000000000..5656ea4f6a5e632e657c79ea86e89eb5e78be0d3 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-2.png differ diff --git a/docs/en/docs/desktop/figures/xfce-3.png b/docs/en/docs/desktop/figures/xfce-3.png new file mode 100644 index 0000000000000000000000000000000000000000..33377ebd8e620ce777fecd32c849901a61113969 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-3.png differ diff --git a/docs/en/docs/desktop/figures/xfce-4.png b/docs/en/docs/desktop/figures/xfce-4.png new file mode 100644 index 0000000000000000000000000000000000000000..d2a7871d03a33c09576a225c99659d34a6430389 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-4.png differ diff --git a/docs/en/docs/desktop/figures/xfce-5.png b/docs/en/docs/desktop/figures/xfce-5.png new file mode 100644 index 0000000000000000000000000000000000000000..ef043cc24d07307287a8961d3a87047aa92aca5c Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-5.png differ 
diff --git a/docs/en/docs/desktop/figures/xfce-6.png b/docs/en/docs/desktop/figures/xfce-6.png new file mode 100644 index 0000000000000000000000000000000000000000..25f35d8156a47ec67cd55d3b4f46b8f2f3be5a60 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-6.png differ diff --git a/docs/en/docs/desktop/figures/xfce-7.png b/docs/en/docs/desktop/figures/xfce-7.png new file mode 100644 index 0000000000000000000000000000000000000000..d43d55fc1887cdf3b5e9644a0cf6a33730de4506 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-7.png differ diff --git a/docs/en/docs/desktop/figures/xfce-71.png b/docs/en/docs/desktop/figures/xfce-71.png new file mode 100644 index 0000000000000000000000000000000000000000..e2f11ff9e06ba9a9cc6134b0923f8dfe50a3fa38 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-71.png differ diff --git a/docs/en/docs/desktop/figures/xfce-8.png b/docs/en/docs/desktop/figures/xfce-8.png new file mode 100644 index 0000000000000000000000000000000000000000..375014b1f191b1c5e361820aa1c46ac6dee3e969 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-8.png differ diff --git a/docs/en/docs/desktop/figures/xfce-81.png b/docs/en/docs/desktop/figures/xfce-81.png new file mode 100644 index 0000000000000000000000000000000000000000..3534bc5c4d7a173d230219412353772b717ccceb Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-81.png differ diff --git a/docs/en/docs/desktop/figures/xfce-811.png b/docs/en/docs/desktop/figures/xfce-811.png new file mode 100644 index 0000000000000000000000000000000000000000..6cbf6f8c930c4fa2dd070da99c7d625de8bb98c6 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-811.png differ diff --git a/docs/en/docs/desktop/figures/xfce-812.png b/docs/en/docs/desktop/figures/xfce-812.png new file mode 100644 index 0000000000000000000000000000000000000000..9431c07a3af00da6089abada553c6b44043211e9 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-812.png differ 
diff --git a/docs/en/docs/desktop/figures/xfce-813.png b/docs/en/docs/desktop/figures/xfce-813.png new file mode 100644 index 0000000000000000000000000000000000000000..e6663494af2b36f7c2bb51bbde7f9417dd5d1989 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-813.png differ diff --git a/docs/en/docs/desktop/figures/xfce-814.png b/docs/en/docs/desktop/figures/xfce-814.png new file mode 100644 index 0000000000000000000000000000000000000000..f588b0ebe0e8e68e01e0d608d84e4920375eb9bb Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-814.png differ diff --git a/docs/en/docs/desktop/figures/xfce-82.png b/docs/en/docs/desktop/figures/xfce-82.png new file mode 100644 index 0000000000000000000000000000000000000000..f2e5a4c1b0223f051d7de988e740493f9ace8872 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-82.png differ diff --git a/docs/en/docs/desktop/figures/xfce-821.png b/docs/en/docs/desktop/figures/xfce-821.png new file mode 100644 index 0000000000000000000000000000000000000000..690f3f0b528dfdaf6586549cdeb105df2214fc44 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-821.png differ diff --git a/docs/en/docs/desktop/figures/xfce-83.png b/docs/en/docs/desktop/figures/xfce-83.png new file mode 100644 index 0000000000000000000000000000000000000000..32ce47754669aa66080f523f052ee6f87cb651a5 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-83.png differ diff --git a/docs/en/docs/desktop/figures/xfce-831.png b/docs/en/docs/desktop/figures/xfce-831.png new file mode 100644 index 0000000000000000000000000000000000000000..9dc09d9599b0be8867f0b73bd776b1a2e8288310 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-831.png differ 
diff --git a/docs/en/docs/desktop/figures/xfce-832.png b/docs/en/docs/desktop/figures/xfce-832.png new file mode 100644 index 0000000000000000000000000000000000000000..e62fce2944c5e24a176f021d2ff02344a1a09964 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-832.png differ diff --git a/docs/en/docs/desktop/figures/xfce-84.png b/docs/en/docs/desktop/figures/xfce-84.png new file mode 100644 index 0000000000000000000000000000000000000000..e0435c2edf9f68d193cff036215f32c259d378f0 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-84.png differ diff --git a/docs/en/docs/desktop/figures/xfce-841.png b/docs/en/docs/desktop/figures/xfce-841.png new file mode 100644 index 0000000000000000000000000000000000000000..c39c6c81dd5c01ca74135555c1b532134ced6ae5 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-841.png differ diff --git a/docs/en/docs/desktop/figures/xfce-842.png b/docs/en/docs/desktop/figures/xfce-842.png new file mode 100644 index 0000000000000000000000000000000000000000..9c8a48751cb6f11561133837f23a1cf8e944f488 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-842.png differ diff --git a/docs/en/docs/desktop/figures/xfce-85.png b/docs/en/docs/desktop/figures/xfce-85.png new file mode 100644 index 0000000000000000000000000000000000000000..5777b003b3f0795b6169f687dc6954f8676dcf39 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-85.png differ diff --git a/docs/en/docs/desktop/figures/xfce-851.png b/docs/en/docs/desktop/figures/xfce-851.png new file mode 100644 index 0000000000000000000000000000000000000000..7cb5c27952465f18d19de6a1653fe69b91209d39 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-851.png differ diff --git a/docs/en/docs/desktop/figures/xfce-86.png b/docs/en/docs/desktop/figures/xfce-86.png new file mode 100644 index 0000000000000000000000000000000000000000..cf73e3e44f2faa5acfaf2829aa6eaaf42cc58a3f Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-86.png differ 
diff --git a/docs/en/docs/desktop/figures/xfce-861.png b/docs/en/docs/desktop/figures/xfce-861.png new file mode 100644 index 0000000000000000000000000000000000000000..cccae7de5ab2dcbb4ee5b32ac5925711b3597e5d Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-861.png differ diff --git a/docs/en/docs/desktop/figures/xfce-87.png b/docs/en/docs/desktop/figures/xfce-87.png new file mode 100644 index 0000000000000000000000000000000000000000..0325b922affdaf4d1f685f41972957cf777ff66b Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-87.png differ diff --git a/docs/en/docs/desktop/figures/xfce-9.png b/docs/en/docs/desktop/figures/xfce-9.png new file mode 100644 index 0000000000000000000000000000000000000000..f6402b34a929e520c27318fe16eb509d31c17131 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-9.png differ diff --git a/docs/en/docs/desktop/figures/xfce-91.png b/docs/en/docs/desktop/figures/xfce-91.png new file mode 100644 index 0000000000000000000000000000000000000000..0cdc4824cb3cc1035f5d04863bb5f3eb4d83292b Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-91.png differ diff --git a/docs/en/docs/desktop/figures/xfce-911.png b/docs/en/docs/desktop/figures/xfce-911.png new file mode 100644 index 0000000000000000000000000000000000000000..4d6c564e9a74d187d50ebd3f3c05dcb5d1bd5fa0 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-911.png differ diff --git a/docs/en/docs/desktop/figures/xfce-92.png b/docs/en/docs/desktop/figures/xfce-92.png new file mode 100644 index 0000000000000000000000000000000000000000..a79f2473d27759c79ecdddcdee380b357babcac1 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-92.png differ diff --git a/docs/en/docs/desktop/figures/xfce-921.png b/docs/en/docs/desktop/figures/xfce-921.png new file mode 100644 index 0000000000000000000000000000000000000000..cd436652f3bc251f6f27d707d6eb48eec95e8900 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-921.png differ 
diff --git a/docs/en/docs/desktop/figures/xfce-93.png b/docs/en/docs/desktop/figures/xfce-93.png new file mode 100644 index 0000000000000000000000000000000000000000..62d98b23d682341e2b0ee835561c6f52b7fd70b9 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-93.png differ diff --git a/docs/en/docs/desktop/figures/xfce-931.png b/docs/en/docs/desktop/figures/xfce-931.png new file mode 100644 index 0000000000000000000000000000000000000000..a868877c0d0ee0ff5a23d6bf2dbf7ada861dd850 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-931.png differ diff --git a/docs/en/docs/desktop/figures/xfce-94.png b/docs/en/docs/desktop/figures/xfce-94.png new file mode 100644 index 0000000000000000000000000000000000000000..09118f9047af97152aae746274d6df4f539b5564 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-94.png differ diff --git a/docs/en/docs/desktop/figures/xfce-941.png b/docs/en/docs/desktop/figures/xfce-941.png new file mode 100644 index 0000000000000000000000000000000000000000..23b9fa1d6b8b033a9126606ca094113bc19b4434 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-941.png differ diff --git a/docs/en/docs/desktop/figures/xfce-95.png b/docs/en/docs/desktop/figures/xfce-95.png new file mode 100644 index 0000000000000000000000000000000000000000..bf970f67c835941961ffcc77632079564c2a9ef5 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-95.png differ diff --git a/docs/en/docs/desktop/figures/xfce-951.png b/docs/en/docs/desktop/figures/xfce-951.png new file mode 100644 index 0000000000000000000000000000000000000000..048fa3f0b26d4a4b609bd9129d0e13b43467ce91 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-951.png differ diff --git a/docs/en/docs/desktop/figures/xfce-96.png b/docs/en/docs/desktop/figures/xfce-96.png new file mode 100644 index 0000000000000000000000000000000000000000..0115dd146cb01ecc61a78c1db55be121ff1e0820 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-96.png differ 
diff --git a/docs/en/docs/desktop/figures/xfce-961.png b/docs/en/docs/desktop/figures/xfce-961.png new file mode 100644 index 0000000000000000000000000000000000000000..cb76616e9dd459d4046bc634814e46cb970cccc3 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-961.png differ diff --git a/docs/en/docs/desktop/figures/xfce-962.png b/docs/en/docs/desktop/figures/xfce-962.png new file mode 100644 index 0000000000000000000000000000000000000000..35424896fb7348531cdf81a20f434bcae2c71976 Binary files /dev/null and b/docs/en/docs/desktop/figures/xfce-962.png differ diff --git a/docs/en/docs/desktop/install-DDE.md b/docs/en/docs/desktop/install-DDE.md new file mode 100644 index 0000000000000000000000000000000000000000..05a05125a3867f2b12897901f08bcddad9a24274 --- /dev/null +++ b/docs/en/docs/desktop/install-DDE.md @@ -0,0 +1,31 @@ +# DDE installation +#### Introduction + +DDE is a powerful desktop environment developed by UnionTech Team. Contains dozens of powerful desktop applications, which are truly self-developed desktop products. + +#### installation method + +1. [download](https://openeuler.org/zh/download/) openEuler ISO and install the OS. +2. update the software source +```bash +sudo dnf update +``` +3. install DDE +```bash +sudo dnf install dde +``` +4. set to start with a graphical interface +```bash +sudo systemctl set-default graphical.target +``` +5. reboot +```bash +sudo reboot +``` +6. After the restart is complete, use the user created during the installation process or the openeuler user to log in to the desktop. + + > dde cannot log in with root account + > dde has built-in openeuler user, the password of this user is openeuler + +Now you can use dde. + diff --git a/docs/en/docs/desktop/install-UKUI.md b/docs/en/docs/desktop/install-UKUI.md new file mode 100755 index 0000000000000000000000000000000000000000..f4d215604fb57492201c78e899426dc42a5bd0a1 --- /dev/null +++ b/docs/en/docs/desktop/install-UKUI.md 
@@ -0,0 +1,21 @@ +# UKUI installation +UKUI is a Linux desktop built by the KylinSoft software team over the years, primarily based on GTK and QT. Compared to other UI interfaces, UKUI is easy to use. The components of UKUI are small and low coupling, can run alone without relying on other suites. It can provide user a friendly and efficient experience. + +UKUI supports both x86_64 and aarch64 architectures. + +We recommend you create a new administrator user before install UKUI. + +1.download openEuler and update the software source. +``` +sudo dnf update +``` +2.install UKUI. +``` +sudo dnf install ukui +``` +3.If you want to start with graphical interface after confirming the installation, please run this code and reboot(`reboot`). +``` +systemctl set-default graphical.target +``` +At present, UKUI version is still constantly updated. Please check the latest installation method : +[https://gitee.com/openkylin/ukui-issues](https://gitee.com/openkylin/ukui-issues) diff --git a/docs/en/docs/desktop/ukui.md b/docs/en/docs/desktop/ukui.md new file mode 100644 index 0000000000000000000000000000000000000000..251ea381cad7ea1ca415bcb1c482e1f1f9ba7e16 --- /dev/null +++ b/docs/en/docs/desktop/ukui.md @@ -0,0 +1,3 @@ +# UKUI User Guide + +This section describes how to install and use the UKUI. \ No newline at end of file diff --git a/docs/en/docs/desktop/xfce.md b/docs/en/docs/desktop/xfce.md new file mode 100644 index 0000000000000000000000000000000000000000..f7563d6532f9c442c2a62b0e71cf8d0d22076d01 --- /dev/null +++ b/docs/en/docs/desktop/xfce.md @@ -0,0 +1,3 @@ +# Xfce User Guide + +This section describes how to install and use theXfce. \ No newline at end of file diff --git a/docs/en/docs/thirdparty_migration/OpenStack-victoria.md b/docs/en/docs/thirdparty_migration/OpenStack-victoria.md new file mode 100644 index 0000000000000000000000000000000000000000..2f638242fda1d44071da02b87341d9253cf52b01 --- /dev/null +++ b/docs/en/docs/thirdparty_migration/OpenStack-victoria.md 
@@ -0,0 +1,1352 @@ +# OpenStack Victoria Deployment Guide + +## OpenStack + +OpenStack is an open source cloud computing infrastructure software project developed by the community. It provides an operating platform or tool set for deploying the cloud, offering scalable and flexible cloud computing for organizations. + +As an open source cloud computing management platform, OpenStack consists of several major components, such as Nova, Cinder, Neutron, Glance, Keystone, and Horizon. OpenStack supports almost all cloud environments. The project aims to provide a cloud computing management platform that is easy-to-use, scalable, unified, and standardized. OpenStack provides an infrastructure as a service (IaaS) solution that combines complementary services, each of which provides an API for integration. + +The official Yum source of openEuler 21.03 supports the Openstack Victoria version. You can configure the official Yum source and then deploy OpenStack by following the instructions of this document. + +## Preparing the Environment + +### Installing the SQL Database + +1. Run the following command to install the software package: + + ```plain + # yum install mariadb mariadb-server python-PyMySQL + ``` + +2. Run the following command to create and edit the `/etc/my.cnf.d/openstack.cnf` file: + + ``` + vim /etc/my.cnf.d/openstack.cnf + ``` + + Copy the following content to the file (set **bind-address** to the management IP address of the controller node): + + ``` + [mysqld] + bind-address = 10.0.0.11 + default-storage-engine = innodb + innodb_file_per_table = on + max_connections = 4096 + collation-server = utf8_general_ci + character-set-server = utf8 + ``` + +3. Run the following command to start the database service and enable it to automatically start upon system boot: + + ``` + # systemctl enable mariadb.service + # systemctl start mariadb.service + ``` + +### Installing RabbitMQ + +1. 
Run the following command to install the software package: + + ``` + #yum install rabbitmq-server + ``` + +2. Start the RabbitMQ service and enable it to automatically start upon system boot. + + ``` + #systemctl enable rabbitmq-server.service + #systemctl start rabbitmq-server.service + ``` + +3. Add an OpenStack user. + + ``` + #rabbitmqctl add_user openstack RABBIT_PASS + ``` + +4. Replace **RABBIT\_PASS** with the password of the OpenStack user. + +5. Run the following command to set the permission of the **openstack** user so that the user can perform configuration, write, and read operations: + + ``` + #rabbitmqctl set_permissions openstack ".*" ".*" ".*" + ``` + +### Installing Memcached + +1. Run the following command to install the target software package: + + ``` + #yum install memcached python3-memcached + ``` + +2. Run the following command to edit the `/etc/sysconfig/memcached` file: + + ``` + #vim /etc/sysconfig/memcached + OPTIONS="-l 127.0.0.1,::1,controller" + ``` + + Change the value of **OPTIONS** to the actual management IP address of the controller node. + +3. Run the following command to start the Memcached service and enable it to automatically start upon system boot: + + ``` + # systemctl enable memcached.service + # systemctl start memcached.service + ``` + +## Installing OpenStack + +### Installing Keystone + +1. Log in to the database as the **root** user. Create the **keystone** database, and grant permissions to the user. + + ``` + # mysql -u root -p + MariaDB [(none)]> CREATE DATABASE keystone; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ + IDENTIFIED BY 'KEYSTONE_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ + IDENTIFIED BY 'KEYSTONE_DBPASS'; + MariaDB [(none)]> exit + ``` + + Replace **KEYSTONE\_DBPASS** with the password of the **keystone** database. + +2. 
Run the following command to install the software package: + + ``` + #yum install openstack-keystone httpd mod_wsgi + ``` + +3. Edit the `/etc/keystone/keystone.conf` file to configure the **keystone** database. In the **\[database]** section, configure the database entry. In the **\[token]** section, configure the token provider. + + ``` + # vim /etc/keystone/keystone.conf + [database] + connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone + [token] + provider = fernet + ``` + + Replace **KEYSTONE\_DBPASS** with the password of the **keystone** database. + +4. Run the following command to synchronize the database. + + ``` + su -s /bin/sh -c "keystone-manage db_sync" keystone + ``` + +5. Run the following command to initialize the Fernet keystore: + + ``` + # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone + # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone + ``` + +6. Run the following commands to enable the identity service: + + ``` + # keystone-manage bootstrap --bootstrap-password ADMIN_PASS \ + --bootstrap-admin-url http://controller:5000/v3/ \ + --bootstrap-internal-url http://controller:5000/v3/ \ + --bootstrap-public-url http://controller:5000/v3/ \ + --bootstrap-region-id RegionOne + ``` + + Replace **ADMIN\_PASS** with the password of the **admin** user. + +7. Edit the `/etc/httpd/conf/httpd.conf` file and configure the Apache HTTP server. + + ``` + #vim /etc/httpd/conf/httpd.conf + ``` + + Enable **ServerName** to reference the controller node: + + ``` + ServerName controller + ``` + + If **ServerName** does not exist, create it. + +8. Run the following command to create a link for the `/usr/share/keystone/wsgi-keystone.conf` file: + + ``` + #ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ + + #vim /etc/httpd/conf.d/wsgi-keystone.conf + ``` + + ... + + TraceEnable off + + LoadModule wsgi\_module /usr/lib64/httpd/modules/mod\_wsgi\_python3.so + + ... 
+ +9. After the installation is complete, run the following command to start the Apache HTTP service: + + ``` + # systemctl enable httpd.service + # systemctl start httpd.service + ``` + +10. Run the following command to set environment variables: + + ``` + $ export OS_USERNAME=admin + $ export OS_PASSWORD=ADMIN_PASS + $ export OS_PROJECT_NAME=admin + $ export OS_USER_DOMAIN_NAME=Default + $ export OS_PROJECT_DOMAIN_NAME=Default + $ export OS_AUTH_URL=http://controller:5000/v3 + $ export OS_IDENTITY_API_VERSION=3 + ``` + + Replace **ADMIN\_PASS** with the password set in the **keystone-manage bootstrap** command. + +11. Run the following commands to create the domain, project, user, and role: + + Create a domain named **example**. + + ``` + $ openstack domain create --description "An Example Domain" example + ``` + + Note: The domain **default** has been created in **keystone-manage bootstrap**. + + Create a project named **service**. + + ``` + $ openstack project create --domain default --description "Service Project" service + ``` + + Create a non-admin project named **myproject**, a user named **myuser**, and a role named **myrole**. Add the **myrole** role to **myproject** and **myuser**. + + ``` + $ openstack project create --domain default --description "Demo Project" myproject + $ openstack user create --domain default --password-prompt myuser + $ openstack role create myrole + $ openstack role add --project myproject --user myuser myrole + ``` + +12. Perform the verification. + + Cancel the temporary environment variables **OS\_AUTH\_URL** and **OS\_PASSWORD**. 
+ + ``` + $ unset OS_AUTH_URL OS_PASSWORD + ``` + + Request a token for the **admin** user: + + ``` + $ openstack --os-auth-url http://controller:5000/v3 \ + --os-project-domain-name Default --os-user-domain-name Default \ + --os-project-name admin --os-username admin token issue + ``` + + Request a token for the **myuser** user: + + ``` + $ openstack --os-auth-url http://controller:5000/v3 \ + --os-project-domain-name Default --os-user-domain-name Default \ + --os-project-name myproject --os-username myuser token issue + ``` + +13. Create the environment script for the OpenStack client. + + Create environment variable scripts for the **admin** and **demo** users. + + ``` + # vim admin-openrc + export OS_PROJECT_DOMAIN_NAME=Default + export OS_USER_DOMAIN_NAME=Default + export OS_PROJECT_NAME=admin + export OS_USERNAME=admin + export OS_PASSWORD=ADMIN_PASS + export OS_AUTH_URL=http://controller:5000/v3 + export OS_IDENTITY_API_VERSION=3 + export OS_IMAGE_API_VERSION=2 + # + ``` + + ``` + # vim demo-openrc + export OS_PROJECT_DOMAIN_NAME=Default + export OS_USER_DOMAIN_NAME=Default + export OS_PROJECT_NAME=myproject + export OS_USERNAME=myuser + export OS_PASSWORD=DEMO_PASS + export OS_AUTH_URL=http://controller:5000/v3 + export OS_IDENTITY_API_VERSION=3 + export OS_IMAGE_API_VERSION=2 + ``` + + Replace **ADMIN\_PASS** with the password of the **admin** user. + + Replace **DEMO\_PASS** with the password of the **myuser** user. + + Run the following script to load environment variables: + + ``` + $ . admin-openrc + ``` + +### Installing Glance + +1. Create a database, service credentials, and API endpoints. + + Create a database. + + Log in to the database as the **root** user. Create the **glance** database, and grant permissions to the database. 
+ + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE glance; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \ + IDENTIFIED BY 'GLANCE_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \ + IDENTIFIED BY 'GLANCE_DBPASS'; + MariaDB [(none)]> exit + ``` + + Replace **GLANCE\_DBPASS** with the password of the **glance** database. + + ``` + $ . admin-openrc + ``` + + Run the following commands to create the **glance** service credential, create the **glance** user, and add the **admin** role to the **glance** user: + + ``` + $ openstack user create --domain default --password-prompt glance + $ openstack role add --project service --user glance admin + $ openstack service create --name glance --description "OpenStack Image" image + ``` + + Create API endpoints for the image service. + + ``` + $ openstack endpoint create --region RegionOne image public http://controller:9292 + $ openstack endpoint create --region RegionOne image internal http://controller:9292 + $ openstack endpoint create --region RegionOne image admin http://controller:9292 + ``` + +2. Perform the installation and configuration. + + Install the software package: + + ``` + #yum install openstack-glance openstack-glance-api + ``` + + Configure Glance: + + Edit the **/etc/glance/glance-api.conf** file: + + In the **\[database]** section, configure the database entry. + + In the **\[keystone\_authtoken]** and **\[paste\_deploy]** sections, configure the identity authentication service entry. + + In the **\[glance\_store]** section, configure the local file system storage and the location where image files are stored. + + ``` + # vim /etc/glance/glance-api.conf + [database] + # ... + connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance + [keystone_authtoken] + # ... 
+ www_authenticate_uri = http://controller:5000 + auth_url = http://controller:5000 + memcached_servers = controller:11211 + auth_type = password + project_domain_name = Default + user_domain_name = Default + project_name = service + username = glance + password = GLANCE_PASS + [paste_deploy] + # ... + flavor = keystone + [glance_store] + # ... + stores = file,http + default_store = file + filesystem_store_datadir = /var/lib/glance/images/ + ``` + + In the preceding command, replace **GLANCE\_DBPASS** with the password of the **glance** database, and replace **GLANCE\_PASS** with the password of the **glance** user. + + Synchronize the database: + + ``` + su -s /bin/sh -c "glance-manage db_sync" glance + ``` + + Run the following command to start the image service: + + ``` + # systemctl enable openstack-glance-api.service + # systemctl start openstack-glance-api.service + ``` + +3. Perform the verification. + + Download the image. + + ``` + $ . admin-openrc + $ wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img + ``` + + Upload the image to the image service. + + ``` + $ glance image-create --name "cirros" --file cirros-0.4.0-x86_64-disk.img --disk-format qcow2 --container-format bare --visibility=public + ``` + + Confirm the image upload and verify the attributes. + + ``` + $ glance image-list + ``` + +### Installing Placement + +1. Create a database, service credentials, and API endpoints. + + Create a database. + + Access the database as the **root** user. Create the **placement** database, and grant permissions. + + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE placement; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'localhost' \ + IDENTIFIED BY 'PLACEMENT_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'%' \ + IDENTIFIED BY 'PLACEMENT_DBPASS'; + MariaDB [(none)]> exit + ``` + + Replace **PLACEMENT\_DBPASS** with the password of the **placement** database. 
+ + ``` + $ . admin-openrc + ``` + + Run the following commands to create the placement service credentials, create the **placement** user, and add the **admin** role to the **placement** user: + + Create the Placement API Service. + + ``` + $ openstack user create --domain default --password-prompt placement + $ openstack role add --project service --user placement admin + $ openstack service create --name placement --description "Placement API" placement + ``` + + Create API endpoints of the Placement service. + + ``` + $ openstack endpoint create --region RegionOne placement public http://controller:8778 + $ openstack endpoint create --region RegionOne placement internal http://controller:8778 + $ openstack endpoint create --region RegionOne placement admin http://controller:8778 + ``` + +2. Perform the installation and configuration. + + Install the software package: + + ``` + yum install openstack-placement-api + ``` + + Configure Placement: + + Edit the **/etc/placement/placement.conf** file: + + In the **\[placement\_database]** section, configure the database entry. + + In **\[api]** and **\[keystone\_authtoken]** sections, configure the identity authentication service entry. + + ``` + # vim /etc/placement/placement.conf + [placement_database] + # ... + connection = mysql+pymysql://placement:PLACEMENT_DBPASS@controller/placement + [api] + # ... + auth_strategy = keystone + [keystone_authtoken] + # ... + auth_url = http://controller:5000/v3 + memcached_servers = controller:11211 + auth_type = password + project_domain_name = Default + user_domain_name = Default + project_name = service + username = placement + password = PLACEMENT_PASS + ``` + + Replace **PLACEMENT\_DBPASS** with the password of the **placement** database, and replace **PLACEMENT\_PASS** with the password of the **placement** user. + + Note: Configure the permission. 
+ + ``` + # vim /etc/httpd/conf.d/00-placement-api.conf + + = 2.4> + Require all granted + + + Order allow,deny + Allow from all + + + ``` + + Synchronize the database: + + ``` + #su -s /bin/sh -c "placement-manage db sync" placement + ``` + + Start the httpd service. + + ``` + #systemctl restart httpd + ``` + +3. Perform the verification. + + Run the following command to check the status: + + ``` + $ . admin-openrc + $ placement-status upgrade check + ``` + + Run the following command to install **osc-placement** and list the available resource types and features: + + ``` + $ yum install python3-osc-placement + $ openstack --os-placement-api-version 1.2 resource class list --sort-column name + $ openstack --os-placement-api-version 1.6 trait list --sort-column name + ``` + +### Installing Nova + +1. Create a database, service credentials, and API endpoints. + + Create a database. + + Access the database as the **root** user. Create the **nova**, **nova\_api**, and **nova\_cell0** databases and grant permissions. + + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE nova_api; + MariaDB [(none)]> CREATE DATABASE nova; + MariaDB [(none)]> CREATE DATABASE nova_cell0; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> exit + ``` + + Replace **NOVA\_DBPASS** with the password of the **nova** database. 
+ + Run the following commands to create Nova service credentials, create a **nova** user, and add the **admin** role to the **nova** user: + + ``` + $ . admin-openrc + $ openstack user create --domain default --password-prompt nova + $ openstack role add --project service --user nova admin + $ openstack service create --name nova --description "OpenStack Compute" compute + ``` + + Create API endpoints for the computing service. + + ``` + $ openstack endpoint create --region RegionOne compute public http://controller:8774/v2.1 + $ openstack endpoint create --region RegionOne compute internal http://controller:8774/v2.1 + $ openstack endpoint create --region RegionOne compute admin http://controller:8774/v2.1 + ``` + +2. Perform the installation and configuration. + + Install the software package: + + ``` + # yum install openstack-nova-api openstack-nova-conductor \ + openstack-nova-novncproxy openstack-nova-scheduler openstack-nova-compute + ``` + + Configure Nova: + + Edit the **/etc/nova/nova.conf** file. + + In the **\[default]** section, enable the computing and metadata APIs, configure the RabbitMQ message queue entry, and set **my\_ip**. + + In the **\[api\_database]** and **\[database]** sections, configure the database entry. + + In the **\[api]** and **\[keystone\_authtoken]** sections, configure the identity service entry. + + In the **\[vnc]** section, enable and configure the entry for the remote console. + + In the **\[glance]** section, configure the API address for the image service. + + In the **\[oslo\_concurrency]** section, configure the lock path. + + In the **\[placement]** section, configure the entry of the Placement service. + + ``` + # vim /etc/nova/nova.conf + [DEFAULT] + # ... + enabled_apis = osapi_compute,metadata + transport_url = rabbit://openstack:RABBIT_PASS@controller:5672/ + my_ip = 10.0.0.11 + [api_database] + # ... + connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova_api + [database] + # ... 
+ connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova + [api] + # ... + auth_strategy = keystone + [keystone_authtoken] + # ... + www_authenticate_uri = http://controller:5000/ + auth_url = http://controller:5000/ + memcached_servers = controller:11211 + auth_type = password + project_domain_name = Default + user_domain_name = Default + project_name = service + username = nova + password = NOVA_PASS + [vnc] + enabled = true + # ... + server_listen = $my_ip + server_proxyclient_address = $my_ip + novncproxy_base_url = http://controller:6080/vnc_auto.html + [glance] + # ... + api_servers = http://controller:9292 + [oslo_concurrency] + # ... + lock_path = /var/lib/nova/tmp + [placement] + # ... + region_name = RegionOne + project_domain_name = Default + project_name = service + auth_type = password + user_domain_name = Default + auth_url = http://controller:5000/v3 + username = placement + password = PLACEMENT_PASS + [neutron] + # ... + auth_url = http://controller:5000 + auth_type = password + project_domain_name = default + user_domain_name = default + region_name = RegionOne + project_name = service + username = neutron + password = NEUTRON_PASS + ``` + + Replace **RABBIT\_PASS** with the password of the **openstack** user in RabbitMQ. + + Set **my\_ip** to the management IP address of the controller node. + + Replace **NOVA\_DBPASS** with the password of the **nova** database. + + Replace **NOVA\_PASS** with the password of the **nova** user. + + Replace **PLACEMENT\_PASS** with the password of the **placement** user. + + Replace **NEUTRON\_PASS** with the password of the **neutron** user. 
+ + Run the following command to synchronize the **nova-api** database: + + ``` + su -s /bin/sh -c "nova-manage api_db sync" nova + ``` + + Run the following command to register the **cell0** database: + + ``` + su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova + ``` + + Create the **cell1** cell: + + ``` + su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova + ``` + + Synchronize the **nova** database: + + ``` + su -s /bin/sh -c "nova-manage db sync" nova + ``` + + Verify whether **cell0** and **cell1** are correctly registered: + + ``` + su -s /bin/sh -c "nova-manage cell_v2 list_cells" nova + ``` + + Check whether VM hardware acceleration (x86 architecture) is supported: + + ``` + $ egrep -c '(vmx|svm)' /proc/cpuinfo + ``` + + If the returned value is **0**, hardware acceleration is not supported. You need to configure libvirt to use QEMU instead of KVM. + + ``` + # vim /etc/nova/nova.conf + [libvirt] + # ... + virt_type = qemu + ``` + + If the returned value is **1** or a larger value, hardware acceleration is supported, and no extra configuration is required. + + Start the computing service and its dependencies, and enable the service to start automatically upon system boot. + + ``` + # systemctl enable \ + openstack-nova-api.service \ + openstack-nova-scheduler.service \ + openstack-nova-conductor.service \ + openstack-nova-novncproxy.service + # systemctl start \ + openstack-nova-api.service \ + openstack-nova-scheduler.service \ + openstack-nova-conductor.service \ + openstack-nova-novncproxy.service + ``` + + ``` + # systemctl enable libvirtd.service openstack-nova-compute.service + # systemctl start libvirtd.service openstack-nova-compute.service + ``` + + Add the compute nodes to the **cell** database: + + Check whether the compute node exists: + + ``` + $ . 
admin-openrc + $ openstack compute service list --service nova-compute + ``` + + Register a compute node: + + ``` + #su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova + ``` + +3. Perform the verification. + + ``` + $ . admin-openrc + ``` + + List service components to verify that each process is successfully started and registered. + + ``` + $ openstack compute service list + ``` + + List the API endpoints in the identity service and verify the connection to the identity service. + + ``` + $ openstack catalog list + ``` + + List the images in the image service and verify the connections: + + ``` + $ openstack image list + ``` + + Check whether the cells and placement APIs are running properly and whether other prerequisites are met. + + ``` + #nova-status upgrade check + ``` + +### Installing Neutron + +1. Create a database, service credentials, and API endpoints. + + Create a database. + + Access the database as the **root** user, create the **neutron** database, and grant permissions. + + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE neutron; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ + IDENTIFIED BY 'NEUTRON_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ + IDENTIFIED BY 'NEUTRON_DBPASS'; + MariaDB [(none)]> exit + ``` + + Replace **NEUTRON\_DBPASS** with the password of the **neutron** database. + + ``` + $ . admin-openrc + ``` + + Run the following commands to create the **neutron** service credential, create the **neutron** user, and add the **admin** role to the **neutron** user: + + Create the **neutron** service credential. + + ``` + $ openstack user create --domain default --password-prompt neutron + $ openstack role add --project service --user neutron admin + $ openstack service create --name neutron --description "OpenStack Networking" network + ``` + + Create API endpoints of the network services. 
+ + ``` + $ openstack endpoint create --region RegionOne network public http://controller:9696 + $ openstack endpoint create --region RegionOne network internal http://controller:9696 + $ openstack endpoint create --region RegionOne network admin http://controller:9696 + ``` + +2. Install and configure the self-service network. + + Install the software package: + + ``` + # yum install openstack-neutron openstack-neutron-ml2 \ + openstack-neutron-linuxbridge ebtables ipset + ``` + + Configure Neutron: + + Edit the **/etc/neutron/neutron.conf** file: + + In the **\[database]** section, configure the database entry. + + In the **\[default]** section, enable the ML2 and router plug-ins. Allow IP address overlapping, and configure the RabbitMQ message queue entry. + + In the **\[default]** and **\[keystone]** sections, configure the identity authentication service entry. + + In the **\[default]** and **\[nova]** sections, enable the network to notify the change of the computing network topology. + + In the **\[oslo\_concurrency]** section, configure the lock path. + + ``` + # vim /etc/neutron/neutron.conf + [database] + # ... + connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron + [DEFAULT] + # ... + core_plugin = ml2 + service_plugins = router + allow_overlapping_ips = true + transport_url = rabbit://openstack:RABBIT_PASS@controller + auth_strategy = keystone + notify_nova_on_port_status_changes = true + notify_nova_on_port_data_changes = true + [keystone_authtoken] + # ... + www_authenticate_uri = http://controller:5000 + auth_url = http://controller:5000 + memcached_servers = controller:11211 + auth_type = password + project_domain_name = default + user_domain_name = default + project_name = service + username = neutron + password = NEUTRON_PASS + [nova] + # ... 
+ auth_url = http://controller:5000 + auth_type = password + project_domain_name = default + user_domain_name = default + region_name = RegionOne + project_name = service + username = nova + password = NOVA_PASS + [oslo_concurrency] + # ... + lock_path = /var/lib/neutron/tmp + ``` + + Replace **NEUTRON\_DBPASS** with the password of the **neutron** database. + + Replace **RABBIT\_PASS** with the password of the **openstack** user in RabbitMQ. + + Replace **NEUTRON\_PASS** with the password of the **neutron** user. + + Replace **NOVA\_PASS** with the password of the **nova** user. + + Configure the ML2 plug-in. + + Edit the **/etc/neutron/plugins/ml2/ml2\_conf.ini** file. + + In the **\[ml2]** section, enable the flat, VLAN, and VXLAN networks, enable the bridge and layer-2 population mechanism, and enable the port security extension driver. + + In the **\[ml2\_type\_flat]** section, configure the flat network as the provider virtual network. + + In the **\[ml2\_type\_vxlan]** section, configure the VXLAN network identifier range. + + In the **\[securitygroup]** section, set **ipset**. + + ``` + # vim /etc/neutron/plugins/ml2/ml2_conf.ini + [ml2] + # ... + type_drivers = flat,vlan,vxlan + tenant_network_types = vxlan + mechanism_drivers = linuxbridge,l2population + extension_drivers = port_security + [ml2_type_flat] + # ... + flat_networks = provider + [ml2_type_vxlan] + # ... + vni_ranges = 1:1000 + [securitygroup] + # ... + enable_ipset = true + ``` + + Configure the Linux bridge agent: + + Edit the **/etc/neutron/plugins/ml2/linuxbridge\_agent.ini** file: + + In the **\[linux\_bridge]** section, map the provider virtual network to the physical network API. + + In the **\[vxlan]** section, enable the VXLAN network. Configure the IP address of the physical network API that processes the coverage network, and enable layer-2 population. + + In the **\[securitygroup]** section, enable the security group and configure the **linux bridge iptables** firewall driver. 
+ + ``` + # vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini + [linux_bridge] + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME + [vxlan] + enable_vxlan = true + local_ip = OVERLAY_INTERFACE_IP_ADDRESS + l2_population = true + [securitygroup] + # ... + enable_security_group = true + firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver + ``` + + Replace **PROVIDER\_INTERFACE\_NAME** with the physical network API. + + Replace **OVERLAY\_INTERFACE\_IP\_ADDRESS** with the management IP address of the controller node. + + Configure the Layer 3 proxy. + + Edit the **/etc/neutron/l3\_agent.ini** file: + + In the **\[default]** section, set the API driver to **linuxbridge**. + + ``` + # vim /etc/neutron/l3_agent.ini + [DEFAULT] + # ... + interface_driver = linuxbridge + ``` + + Configures the DHCP agent: + + Edit the **/etc/neutron/dhcp\_agent.ini** file. + + In the **\[default]** section, configure the linuxbridge interface driver and Dnsmasq DHCP driver. Enable the isolated metadata. + + ``` + # vim /etc/neutron/dhcp_agent.ini + [DEFAULT] + # ... + interface_driver = linuxbridge + dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq + enable_isolated_metadata = true + ``` + + Configure the metadata proxy. + + Edit the **/etc/neutron/metadata\_agent.ini** file. + + In the **\[default]**, configure the metadata host and shared secret. + + ``` + # vim /etc/neutron/metadata_agent.ini + [DEFAULT] + # ... + nova_metadata_host = controller + metadata_proxy_shared_secret = METADATA_SECRET + ``` + + Replace **METADATA\_SECRET** with a proper metadata agent secret. + +3. Configure the computing service. + + Edit the **/etc/nova/nova.conf** file. + + In the **\[neutron]** section, configure access parameters, enable the metadata proxy, and configure secret. + + ``` + # vim /etc/nova/nova.conf + [neutron] + # ... 
+ auth_url = http://controller:5000 + auth_type = password + project_domain_name = default + user_domain_name = default + region_name = RegionOne + project_name = service + username = neutron + password = NEUTRON_PASS + service_metadata_proxy = true + metadata_proxy_shared_secret = METADATA_SECRET + ``` + + Replace **NEUTRON\_PASS** with the password of the **neutron** user. + + Replace **METADATA\_SECRET** with a proper metadata agent secret. + +4. Complete the installation. + + Add a link: + + ``` + #ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini + ``` + + Synchronize the database: + + ``` + # su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \ + --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron + ``` + + Run the following command to restart the computing API service: + + ``` + #systemctl restart openstack-nova-api.service + ``` + + Start the network service and enable the service to start automatically upon system boot. + + ``` + # systemctl enable neutron-server.service \ + neutron-linuxbridge-agent.service neutron-dhcp-agent.service \ + neutron-metadata-agent.service + # systemctl start neutron-server.service \ + neutron-linuxbridge-agent.service neutron-dhcp-agent.service \ + neutron-metadata-agent.service + # systemctl enable neutron-l3-agent.service + # systemctl start neutron-l3-agent.service + ``` + +5. Perform the verification. + + Run the following command to list the neutron agents: + + ``` + $ openstack network agent list + ``` + +### Installing Cinder + +1. Create a database, service credentials, and API endpoints. + + Create a database. + + Access the database as the **root** user. Create the **cinder** database, and grant permissions. 
+ + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE cinder; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' \ + IDENTIFIED BY 'CINDER_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' \ + IDENTIFIED BY 'CINDER_DBPASS'; + MariaDB [(none)]> exit + ``` + + Replace **CINDER\_DBPASS** with the password for the **cinder** database. + + $ . admin-openrc + + Create Cinder service credentials: + + Create the **cinder** user. + + Add the **admin** role to the **cinder** user. + + Create the **cinderv2** and **cinderv3** services. + + ``` + $ openstack user create --domain default --password-prompt cinder + $ openstack role add --project service --user cinder admin + $ openstack service create --name cinderv2 --description "OpenStack Block Storage" volumev2 + $ openstack service create --name cinderv3 --description "OpenStack Block Storage" volumev3 + ``` + + Create API endpoints for the block storage service. + + ``` + $ openstack endpoint create --region RegionOne volumev2 public http://controller:8776/v2/%s + $ openstack endpoint create --region RegionOne volumev2 internal http://controller:8776/v2/%s + $ openstack endpoint create --region RegionOne volumev2 admin http://controller:8776/v2/%s + $ openstack endpoint create --region RegionOne volumev3 public http://controller:8776/v3/%s + $ openstack endpoint create --region RegionOne volumev3 internal http://controller:8776/v3/%s + $ openstack endpoint create --region RegionOne volumev3 admin http://controller:8776/v3/%s + ``` + +2. Install and configure the controller node. + + Install the software package: + + ``` + #yum install openstack-cinder + ``` + + Configure Cinder: + + Edit the **/etc/cinder/cinder.conf** file. + + In the **\[database]** section, configure the database entry. + + In the **\[DEFAULT]** section, configure the RabbitMQ message queue entry and **my\_ip**. 
+ + In the **\[DEFAULT]** and **\[keystone\_authtoken]** sections, configure the identity authentication service entry. + + In the **\[oslo\_concurrency]** section, configure the lock path. + + ``` + # vim /etc/cinder/cinder.conf + [database] + # ... + connection = mysql+pymysql://cinder:CINDER_DBPASS@controller/cinder + [DEFAULT] + # ... + transport_url = rabbit://openstack:RABBIT_PASS@controller + auth_strategy = keystone + my_ip = 10.0.0.11 + [keystone_authtoken] + # ... + www_authenticate_uri = http://controller:5000 + auth_url = http://controller:5000 + memcached_servers = controller:11211 + auth_type = password + project_domain_name = default + user_domain_name = default + project_name = service + username = cinder + password = CINDER_PASS + [oslo_concurrency] + # ... + lock_path = /var/lib/cinder/tmp + ``` + + Replace **CINDER\_DBPASS** with the password of the **cinder** database. + + Replace **RABBIT\_PASS** with the password of the **openstack** user in RabbitMQ. + + Set **my\_ip** to the management IP address of the controller node. + + Replace **CINDER\_PASS** with the password of the **cinder** user. + + Synchronize the database: + + ``` + su -s /bin/sh -c "cinder-manage db sync" cinder + ``` + + Configure the block storage for the compute nodes. + + Edit the **/etc/nova/nova.conf** file. + + ``` + # vim /etc/nova/nova.conf + [cinder] + os_region_name = RegionOne + ``` + + Complete the installation. + + Restart the computing API service. + + ``` + systemctl restart openstack-nova-api.service + ``` + + Start the block storage service. + + ``` + # systemctl enable openstack-cinder-api.service openstack-cinder-scheduler.service + # systemctl start openstack-cinder-api.service openstack-cinder-scheduler.service + ``` + +3. Install and configure the storage node. 
+ + Install the software package: + + ``` + yum install lvm2 device-mapper-persistent-data targetcli python-keystone + ``` + + Start the service: + + ``` + # systemctl enable lvm2-lvmetad.service + # systemctl start lvm2-lvmetad.service + ``` + + Create the LVM physical volume **/dev/sdb**. + + ``` + pvcreate /dev/sdb + ``` + + Create the LVM volume group **cinder-volumes**. + + ``` + vgcreate cinder-volumes /dev/sdb + ``` + + Edit the **/etc/lvm/lvm.conf** file. + + In the **devices** section, add filtering to allow the **/dev/sdb** device to reject other devices. + + devices { + + ... + + filter = \[ "a/sdb/", "r/.\*/"] + + Edit the **/etc/cinder/cinder.conf** file. + + In the **\[lvm]** section, configure the LVM backend using the LVM driver, cinder-volumes volume group, iSCSI protocol, and appropriate iSCSI services. + + In the **\[DEFAULT]** section, enable the LVM backend and configure the location of the API of the image service. + + ``` + [lvm] + volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver + volume_group = cinder-volumes + target_protocol = iscsi + target_helper = lioadm + [DEFAULT] + # ... + enabled_backends = lvm + glance_api_servers = http://controller:9292 + ``` + + Complete the installation. + + ``` + # systemctl enable openstack-cinder-volume.service target.service + # systemctl start openstack-cinder-volume.service target.service + ``` + +4. Install and configure the backup service. + + Edit the **/etc/cinder/cinder.conf** file. + + In the **\[DEFAULT]** section, configure the backup options. + + ``` + [DEFAULT] + # ... + backup_driver = cinder.backup.drivers.swift.SwiftBackupDriver + backup_swift_url = SWIFT_URL + ``` + + Replace **SWIFT\_URL** with the URL of the object storage service. The URL can be found through the object storage API endpoint. + + ``` + $ openstack catalog show object-store + ``` + + Complete the installation. 
+ + ``` + # systemctl enable openstack-cinder-backup.service + # systemctl start openstack-cinder-backup.service + ``` + +5. Perform the verification. + + List service components and verify that each step is successful. + + ``` + $ . admin-openrc + $ openstack volume service list + ``` + + Note: Currently, the Swift component is not supported. If possible, you can configure the interconnection with Ceph. + +### Installing Horizon + +1. Install the software package: + + ```plain + yum install openstack-horizon + ``` + +2. Modify the `/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py` file. + + Modify the variables. + + ```plain + ALLOWED_HOSTS = ['*', ]OPENSTACK_HOST = "controller"OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST + ``` + + Add variables. + + ```plain + OPENSTACK_API_VERSIONS = {   "identity": 3,   "image": 2,   "volume": 3,}WEBROOT = "/dashboard/"COMPRESS_OFFLINE = TrueOPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default"OPENSTACK_KEYSTONE_DEFAULT_ROLE = "admin"LOGIN_URL = '/dashboard/auth/login/'LOGOUT_URL = '/dashboard/auth/logout/' + ``` + +3. Run the following command in the **/usr/share/openstack-dashboard** directory: + + ```plain + ./manage.py compress + ``` + +4. Restart the httpd service. + + ```plain + systemctl restart httpd + ``` + +5. Open a browser and enter **http://***\* in the address box to log in to Horizon. \ No newline at end of file diff --git a/docs/en/docs/thirdparty_migration/figures/HA-api.png b/docs/en/docs/thirdparty_migration/figures/HA-api.png new file mode 100644 index 0000000000000000000000000000000000000000..f825fe005705d30809d12df97958cff0e5a80135 Binary files /dev/null and b/docs/en/docs/thirdparty_migration/figures/HA-api.png differ 
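Review bot: In the Installing Horizon section, step 2, each `local_settings.py` block is a single added line with the assignments fused together (`ALLOWED_HOSTS = ['*', ]OPENSTACK_HOST = "controller"OPENSTACK_KEYSTONE_URL = ...`), so it is not valid Python when pasted, and it sets `ALLOWED_HOSTS` to a wildcard. Put one assignment per line and list the host names the dashboard is actually served under instead of `'*'`. Step 5 has also lost its address (`http://` is followed only by escaped asterisks), the Cinder backup step configures `SwiftBackupDriver` while the note under the Cinder verification step says the Swift component is not supported, and the `lvm.conf` filter snippet sits outside a code fence with an unclosed `devices {` and escaped brackets.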
diff --git a/docs/en/docs/thirdparty_migration/figures/HA-corosync.png b/docs/en/docs/thirdparty_migration/figures/HA-corosync.png new file mode 100644 index 0000000000000000000000000000000000000000..c4d93242e65c503b6e1b6a457e2517f647984a66 Binary files /dev/null and b/docs/en/docs/thirdparty_migration/figures/HA-corosync.png differ diff --git a/docs/en/docs/thirdparty_migration/figures/HA-login.png b/docs/en/docs/thirdparty_migration/figures/HA-login.png new file mode 100644 index 0000000000000000000000000000000000000000..65d0ae11ec810da7574ec72bebf6e1b020c94a0d Binary files /dev/null and b/docs/en/docs/thirdparty_migration/figures/HA-login.png differ diff --git a/docs/en/docs/thirdparty_migration/figures/HA-pacemaker.png b/docs/en/docs/thirdparty_migration/figures/HA-pacemaker.png new file mode 100644 index 0000000000000000000000000000000000000000..7681f963f67d2b803fef6fb2c3247384136201f8 Binary files /dev/null and b/docs/en/docs/thirdparty_migration/figures/HA-pacemaker.png differ diff --git a/docs/en/docs/thirdparty_migration/figures/HA-pcs.png b/docs/en/docs/thirdparty_migration/figures/HA-pcs.png new file mode 100644 index 0000000000000000000000000000000000000000..283670d7c3d0961ee1cb41345c2b2a013d7143b0 Binary files /dev/null and b/docs/en/docs/thirdparty_migration/figures/HA-pcs.png differ diff --git a/docs/en/docs/thirdparty_migration/installha.md b/docs/en/docs/thirdparty_migration/installha.md new file mode 100644 index 0000000000000000000000000000000000000000..849ea3a1805042be48be1c1e0b56820380df88d2 --- /dev/null +++ b/docs/en/docs/thirdparty_migration/installha.md 
@@ -0,0 +1,201 @@ +# Installing and Deploying an HA Cluster + +This section describes how to install and deploy an HA cluster. + +\[\[toc]] + +## Installation and Deployment + +### Preparing the Environment + +At least two physical machines or virtual machines (VMs) installed with openEuler 21.03 are required. This section uses two physical machines or VMs as an example. For details about how to install openEuler 21.03, see the installation guide. + +### Modifying the Host Name and the /etc/hosts File + +**Note: You need to perform the following operations on both hosts. The following uses one host as an example. The IP address used in this section is for reference only.** + +Before using the HA software, ensure that the host name has been changed and all host names have been written into the **/etc/hosts** file. + +1. Run the following command to change the host name: + + ``` + # hostnamectl set-hostname ha1 + ``` + +2. Edit the `/etc/hosts` file and write the following fields: + + ``` + 172.30.30.65 ha1 + 172.30.30.66 ha2 + ``` + +### Configuring the Yum Source + +After the system is successfully installed, the Yum source is configured by default. The file location is stored in the `/etc/yum.repos.d/openEuler.repo` file. 
The HA software package uses the following sources: + +``` +[OS] +name=OS +baseurl=http://repo.openeuler.org/openEuler-20.03-LTS-SP1/OS/$basearch/ +enabled=1 +gpgcheck=1 +gpgkey=http://repo.openeuler.org/openEuler-20.03-LTS-SP1/OS/$basearch/RPM-GPG-KEY-openEuler + +[everything] +name=everything +baseurl=http://repo.openeuler.org/openEuler-20.03-LTS-SP1/everything/$basearch/ +enabled=1 +gpgcheck=1 +gpgkey=http://repo.openeuler.org/openEuler-20.03-LTS-SP1/everything/$basearch/RPM-GPG-KEY-openEuler + +[EPOL] +name=EPOL +baseurl=http://repo.openeuler.org/openEuler-20.03-LTS-SP1/EPOL/$basearch/ +enabled=1 +gpgcheck=1 +gpgkey=http://repo.openeuler.org/openEuler-20.03-LTS-SP1/OS/$basearch/RPM-GPG-KEY-openEuler +``` + +### Installing the Components of the HA Software Package + +``` +# yum install -y corosync pacemaker pcs fence-agents fence-virt corosync-qdevice sbd drbd drbd-utils +``` + +### Setting the **hacluster** User Password + +``` +# passwd hacluster +``` + +### Modifying the `/etc/corosync/corosync.conf` file + +``` +totem { + version: 2 + cluster_name: hacluster + crypto_cipher: none + crypto_hash: none +} +logging { + fileline: off + to_stderr: yes + to_logfile: yes + logfile: /var/log/cluster/corosync.log + to_syslog: yes + debug: on + logger_subsys { + subsys: QUORUM + debug: on + } +} +quorum { + provider: corosync_votequorum + expected_votes: 2 + two_node: 1 + } +nodelist { + node { + name: ha1 + nodeid: 1 + ring0_addr: 172.30.30.65 + } + node { + name: ha2 + nodeid: 2 + ring0_addr: 172.30.30.66 + } + } +``` + +### Managing Services + +#### Disabling the Firewall + +1. Run the following command to disable the firewall: + ``` + # systemctl stop firewalld + ``` +2. Change **SELinux** to **disabled** in the **`/etc/selinux/config`** file. + ``` + # SELINUX=disabled + ``` + +#### Managing the pcs Service + +1. Run the following command to start the pcs service: + + ``` + # systemctl start pcsd + ``` + +2. 
Run the following command to query the pcs service status: + + ``` + # systemctl status pcsd + ``` + + The service is started successfully if the following information is displayed: + + ![](./figures/HA-pcs.png) + +#### Managing the Pacemaker Service + +1. Run the following command to start the Pacemaker service: + + ``` + # systemctl start pacemaker + ``` + +2. Run the following command to query the Pacemaker service status: + + ``` + # systemctl status pacemaker + ``` + + The service is started successfully if the following information is displayed: + + ![](./figures/HA-pacemaker.png) + +#### Managing the Corosync Service + +1. Run the following command to start the Corosync service: + + ``` + # systemctl start corosync + ``` + +2. Run the following command to query the Corosync service status: + + ``` + # systemctl status corosync + ``` + + The service is started successfully if the following information is displayed: + + ![](./figures/HA-corosync.png) + +### Performing Node Authentication + +**Note: Perform this operation on either node.** + +``` +# pcs host auth ha1 ha2 +``` + +### Accessing the Front-End Management Platform + +After the preceding services are started, open the browser (Chrome or Firefox is recommended) and enter `https://localhost:2224` in the address box. + +- The following figure shows the native management platform: + +![](./figures/HA-login.png) + +For details about how to install the management platform newly developed by the community, see `https://gitee.com/openeuler/ha-api/blob/master/docs/build.md`. + +- The following is the management platform newly developed by the community: + +![](./figures/HA-api.png) + +>**Note:** +> only the Chinese version is available. \ No newline at end of file diff --git a/docs/en/docs/thirdparty_migration/thidrparty.md b/docs/en/docs/thirdparty_migration/thidrparty.md new file mode 100644 index 0000000000000000000000000000000000000000..3006ebf93f9f7e50db86948a79f3f795cade7add --- /dev/null 
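Review bot: The `corosync.conf` example in installha.md sets `crypto_cipher: none` and `crypto_hash: none`, and the Disabling the Firewall steps stop firewalld and set SELinux to disabled, so the documented cluster exchanges unauthenticated, unencrypted totem traffic on hosts with both protections off. Prefer an example with a cipher and hash enabled plus a line on distributing the key, and open only the ports the cluster needs rather than stopping firewalld; if the steps stay, say they are for a lab setup. The SELinux line is shown as `# SELINUX=disabled`, which reads as a commented-out setting once pasted into `/etc/selinux/config`, and `debug: on` is left enabled in the logging block. The prerequisites name openEuler 21.03 while every `baseurl` and `gpgkey` points at `openEuler-20.03-LTS-SP1` over `http://`; align the release and use `https://` for the repository and key URLs.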
+++ b/docs/en/docs/thirdparty_migration/thidrparty.md @@ -0,0 +1,5 @@ +# Third-Party Software Porting Guide + +This document helps you quickly port and deploy third-party software on openEuler. + +This document is intended for community developers, open source enthusiasts, and partners who use the openEuler OS and intend to learn more about third-party software. Basic knowledge about the Linux OS is required for reading this document. \ No newline at end of file diff --git a/docs/en/docs/userguide/images/Maintainer.jpg b/docs/en/docs/userguide/images/Maintainer.jpg new file mode 100644 index 0000000000000000000000000000000000000000..45912da4e7915715df0f598b9429f63bc8695667 Binary files /dev/null and b/docs/en/docs/userguide/images/Maintainer.jpg differ diff --git a/docs/en/docs/userguide/images/PatchTracking.jpg b/docs/en/docs/userguide/images/PatchTracking.jpg new file mode 100644 index 0000000000000000000000000000000000000000..3bac7d2f1b4a228da8d273cdaef55f2d33792fab Binary files /dev/null and b/docs/en/docs/userguide/images/PatchTracking.jpg differ diff --git a/docs/en/docs/userguide/images/packagemanagement.png b/docs/en/docs/userguide/images/packagemanagement.png new file mode 100644 index 0000000000000000000000000000000000000000..20808309c820d9d732dd4f25d6b882e5d802afdb Binary files /dev/null and b/docs/en/docs/userguide/images/packagemanagement.png differ diff --git a/docs/en/docs/userguide/images/pkgship_outline.png b/docs/en/docs/userguide/images/pkgship_outline.png new file mode 100644 index 0000000000000000000000000000000000000000..6fe1247c22c6b12a83aa01a5812c444f1667b952 Binary files /dev/null and b/docs/en/docs/userguide/images/pkgship_outline.png differ diff --git a/docs/en/docs/userguide/overview.md b/docs/en/docs/userguide/overview.md new file mode 100644 index 0000000000000000000000000000000000000000..e3b656290f017e8688b1f831d00dd9ebeb86c576 --- /dev/null +++ b/docs/en/docs/userguide/overview.md 
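Review bot: The new file is named `thidrparty.md` while its directory and its title spell the word thirdparty; rename it to `thirdparty.md` before merge so that links and navigation entries do not have to carry the typo.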
@@ -0,0 +1,3 @@ +# Toolset User Guide + +This document describes the toolkit used for the openEuler release, including the overview, installation, and usage of tools. diff --git a/docs/en/docs/userguide/patch-tracking.md b/docs/en/docs/userguide/patch-tracking.md new file mode 100644 index 0000000000000000000000000000000000000000..1f427a5d9f65e5d3ab41e023a57ad91d867071cf --- /dev/null +++ b/docs/en/docs/userguide/patch-tracking.md 
@@ -0,0 +1,338 @@ +# patch-tracking + + + +- [patch-tracking](#patch-tracking) + - [Overview](#overview) + - [Architecture](#architecture) + - [C/S Architecture](#cs-architecture) + - [Core Procedure](#core-procedure) + - [Data structure](#data-structure) + - [Tool Deployment](#tool-deployment) + - [Downloading Software](#downloading-software) + - [Installing the Tool](#installing-the-tool) + - [Generating a Certificate](#generating-a-certificate) + - [Configuring Parameters](#configuring-parameters) + - [Starting the Patch Tracking Service](#starting-the-patch-tracking-service) + - [Tool Usage](#tool-usage) + - [FAQ](#faq) + - [When I access api.github.com, the connection is refused.](#when-i-access-apigithubcom-the-connection-is-refused) + + + + +## Overview + +During the development of the openEuler release, the latest code of each software package in the upstream community needs to be updated in a timely manner to fix function bugs and security issues, preventing the openEuler release from defects and vulnerabilities. + +This tool manages the patches for software packages, proactively monitors the patches submitted by the upstream community, automatically generates patches, submits issues to the corresponding Maintainer, and verifies basic patch functions to reduce the verification workload and help the Maintainer make decisions quickly. + +## Architecture + +### C/S Architecture + +The patch-tracking uses the C/S architecture. + +The patch-tracking is located in the server. It executes patch tracking tasks, including maintaining tracking items, identifying branch code changes in the upstream repository and generating patch files, and submitting issues and PRs to Gitee. In addition, the patch-tracking provides RESTful APIs for adding, deleting, modifying, and querying tracking items. + +The patch-tracking-cli is a command line tool located in the client. It invokes the RESTful APIs of the patch-tracking to add, delete, modify, and query tracking items. 
+ +### Core Procedure + +1, Patch tracking service procedure + +The procedure for handling the submitted patch is as follows: + +1. Add the tracking item using the command line tool. +2. Automatically obtain patch files from the upstream repository (for example, GitHub) that is configured for the tracking item. +3. Create a temporary branch and submit the obtained patch file to the temporary branch. +4. Automatically submit an issue to the corresponding repository and generate the PR associated with the issue. + +![PatchTracking](./images/PatchTracking.jpg) + +2, Procedure for the Maintainer to handle the submitted patch + +The procedure for handling the submitted patch is as follows: + +1. The Maintainer analyzes the PR. +2. Execute the continuous integration (CI). After the CI is successfully executed, determine whether to merge the PR. + +![Maintainer](./images/Maintainer.jpg) + +### Data structure + +* Tracking table + +| No. | Name | Description | Type | Key | Is Null Allowed | +| :--: | --------------- | ------------------------------------------------------------ | ------- | ------- | --------------- | +| 1 | id | Sequence number of the tracking item of the self-added patch | int | - | No | +| 2 | version_control | Version control system type of the upstream SCM | String | - | No | +| 3 | scm_repo | Upstream SCM repository address | String | - | No | +| 4 | scm_branch | Upstream SCM tracking branch | String | - | No | +| 5 | scm_commit | Latest Commit ID processed by the upstream code | String | - | Yes | +| 6 | repo | Address of the Gitee repository where the package source code is stored | String | Primary | No | +| 7 | branch | Branch of the Gitee repository where the package source code is stored | String | Primary | No | +| 8 | enabled | Indicating whether to start tracking | Boolean | - | No | + +* Issue table + +| No. 
| Name | Description | Type | Key | Is Null Allowed | +| :--: | ------ | ------------------------------------------------------------ | ------ | ------- | --------------- | +| 1 | issue | Issue No. | String | Primary | No | +| 2 | repo | Address of the Gitee repository where the package source code is stored | String | - | No | +| 3 | branch | Branch of the Gitee repository where the package source code is stored | String | - | No | + +## Tool Deployment + +### Downloading Software + +The repo source is officially released at https://repo.openeuler.org/. + +The RPM package can be obtained from https://build.openeuler.org/package/show/openEuler:21.03/patch-tracking. + +### Installing the Tool + +Method 1: Install the patch-tracking from the repo source. + +1. Use DNF to mount the repo source (The repo source of 21.03 or later is required. For details, see the [Application Development Guide](https://openeuler.org/zh/docs/21.03/docs/ApplicationDev/%E5%BC%80%E5%8F%91%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87.html)). Run the following command to download and install the patch-tracking and its dependencies. + +2. Run the following command to install the `patch-tracking`: + + ```shell script + dnf install patch-tracking + ``` + +Method 2: Install the patch-tracking using the RPM package. + +1. Install the required dependencies. + + ```shell script + dnf install python3-uWSGI python3-flask python3-Flask-SQLAlchemy python3-Flask-APScheduler python3-Flask-HTTPAuth python3-requests python3-pandas + ``` + +2. `patch-tracking-1.0.0-1.oe1.noarch.rpm` is used as an example. Run the following command to install the patch-tracking. 
+ + ```shell script + rpm -ivh patch-tracking-1.0.0-1.oe1.noarch.rpm + ``` + +### Generating a Certificate + +Run the following command to generate a certificate: + +```shell script +openssl req -x509 -days 3650 -subj "/CN=self-signed" \ +-nodes -newkey rsa:4096 -keyout self-signed.key -out self-signed.crt +``` + +Copy the generated `self-signed.key` and `self-signed.crt` files to the **/etc/patch-tracking** directory. + +### Configuring Parameters + +Configure the corresponding parameters in the configuration file. The path of the configuration file is `/etc/patch-tracking/settings.conf`. + +1. Configure the service listening address. + + ``` + LISTEN = "127.0.0.1:5001" + ``` + +2. GitHub Token is used to access the repository information hosted in the upstream open source software repository of GitHub. For details about how to create a GitHub token, see [Creating a personal access token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token). + + ``` + GITHUB_ACCESS_TOKEN = "" + ``` + +3. For a repository that is hosted on Gitee and needs to be tracked, configure a Gitee Token with the repository permission to submit patch files, issues, and PRs. + + ``` + GITEE_ACCESS_TOKEN = "" + ``` + +4. Scan the database as scheduled to detect whether new or modified tracking items exist and obtain upstream patches for the detected tracking items. Set the interval of scanning and the unit is second. + + ``` + SCAN_DB_INTERVAL = 3600 + ``` + +5. When the command line tool is running, you need to enter the user name and password hash value for the authentication for the POST interface. + + ``` + USER = "admin" + + PASSWORD = "" + ``` + +> The default value of `USER` is `admin`. + +Run the following command to obtain the password hash value. **Test@123** is the configured password. 
+ +``` +[root]# generate_password Test@123 +pbkdf2:sha256:150000$w38eLeRm$ebb5069ba3b4dda39a698bd1d9d7f5f848af3bd93b11e0cde2b28e9e34bfbbae +``` + +> The password hash value must meet the following complexity requirements: +> +> * The length is more than or equal to 6 bytes. +> * The password must contain uppercase letters, lowercase letters, digits, and special characters (~!@#%\^\*-\_=+). + +Add the password hash value `pbkdf2:sha256:150000$w38eLeRm$ebb5069ba3b4dda39a698bd1d9d7f5f848af3bd93b11e0cde2b28e9e34bfbbae` to the quotation marks of `PASSWORD = ""`. + +### Starting the Patch Tracking Service + +You can use either of the following methods to start the service: + +* Use the systemd mode. + + ``` + systemctl start patch-tracking + ``` + +* Run the executable program. + + ``` + /usr/bin/patch-tracking + ``` + +## Tool Usage + +1, Adding a Tracking Item + +You can associate the software repository and branch to be tracked with the corresponding upstream open source software repository and branch in any of the following ways: + +* Using CLI + +Parameter description: + +> --user: User name to be authenticated for the POST interface. It is the same as the USER parameter in the **settings.conf** file. +> --password: Password to be authenticated for the POST interface. It is the password string corresponding to the PASSWORD hash value in the **settings.conf** file. +> --server: URL for starting the patch tracking service, for example, 127.0.0.1:5001. +> --version\_control: Control tool of the upstream repository version. Only GitHub is supported. +> --repo: Name of the repository to be tracked, in the format of organization/repository. +> +> --branch: Branch name of the repository to be tracked. +> --scm\_repo: Name of the upstream repository to be tracked, in the GitHub format of organization/repository. +> --scm\_branch: Branch of the upstream repository to be tracked. +> +> --enabled: Indicates whether to automatically track the repository. 
+ +For example: + +```shell script +patch-tracking-cli add --server 127.0.0.1:5001 --user admin --password Test@123 --version_control github --repo testPatchTrack/testPatch1 --branch master --scm_repo BJMX/testPatch01 --scm_branch test --enabled true +``` + +* Using a Specified File + +Parameter description: + +> --server: URL for starting the patch tracking service, for example, 127.0.0.1:5001. +--user: User name to be authenticated for the POST interface. It is the same as the USER parameter in the **settings.conf** file. +--password: Password to be authenticated for the POST interface. It is the password string corresponding to the PASSWORD hash value in the **settings.conf** file. +--file: YAML file path. + +Add the information about the repository, branch, version management tool, and whether to enable monitoring to the YAML file (for example, **tracking.yaml**). The file path is used as the command of the `--file` to invoke the input parameters. + +For example: + +```shell script +patch-tracking-cli add --server 127.0.0.1:5001 --user admin --password Test@123 --file tracking.yaml +``` + +The format of the YAML file is as follows. The content on the left of the colon (:) cannot be modified, and the content on the right of the colon (:) needs to be set based on the site requirements. + +```shell script +version_control: github +scm_repo: xxx/xxx +scm_branch: master +repo: xxx/xxx +branch: master +enabled: true +``` + +> version\_control: Control tool of the upstream repository version. Only GitHub is supported. +scm\_repo: Name of the upstream repository to be tracked, in the GitHub format of organization/repository. +scm\_branch: Branch of the upstream repository to be tracked. +repo: Name of the repository to be tracked, in the format of organization/repository. +branch: Branch name of the repository to be tracked. +enabled: Indicates whether to automatically track the repository. 
+ +* Using a Specified Directory + +Place multiple `xxx.yaml` files in a specified directory, such as the `test_yaml`, and run the following command to record the tracking items of all YAML files in the specified directory. + +Parameter description: + +> --user: User name to be authenticated for the POST interface. It is the same as the USER parameter in the **settings.conf** file. +--password: Password to be authenticated for the POST interface. It is the password string corresponding to the PASSWORD hash value in the **settings.conf** file. +--server: URL for starting the patch tracking service, for example, 127.0.0.1:5001. +--dir: Path where the YAML file is stored. + +```shell script +patch-tracking-cli add --server 127.0.0.1:5001 --user admin --password Test@123 --dir /home/Work/test_yaml/ +``` + +2, Querying a Tracking Item + +Parameter description: + +> --server: (Mandatory) URL for starting the patch tracking service, for example, 127.0.0.1:5001. +--table: (Mandatory) Table to be queried. +--Repo: (Optional) repo to be queried. Query all content in the table if this parameter is not configured. +--branch: (Optional) Branch to be queried. + +```shell script +patch-tracking-cli query --server --table tracking +``` + +The website can be accessed properly. + +```shell script +patch-tracking-cli query --server 127.0.0.1:5001 --table tracking +``` + +3, Querying the Generated Issue + +```shell script +patch-tracking-cli query --server --table issue +``` + +For example: + +```shell script +patch-tracking-cli query --server 127.0.0.1:5001 --table issue +``` + +4, Deleting a Tracking Item + +```shell script +patch-tracking-cli delete --server SERVER --user USER --password PWD --repo REPO [--branch BRANCH] +``` + +For example: + +```shell script +patch-tracking-cli delete --server 127.0.0.1:5001 --user admin --password Test@123 --repo testPatchTrack/testPatch1 --branch master +``` + +> You can delete a single piece of data from a specified repo or branch. 
You can also delete data of all branches in a specified repo. + +5, Checking Issues and PRs on Gitee + +Log in to Gitee and check the software project to be tracked. On the Issues and Pull Requests tab pages of the project, you can see the item named in `[patch tracking] TIME`, for example, the `[patch tracking] 20200713101548`. This item is the issue and PR of the patch file that is just generated. + +## FAQ + +### When I access api.github.com, the connection is refused. + +#### Symptom + +During the operation of the patch-tracking, the following error message may occur: +``` + 9月 21 22:00:10 localhost.localdomain patch-tracking[36358]: 2020-09-21 22:00:10,812 - patch_tracking.util.github_api - WARNING - HTTPSConnectionPool(host='api.github.com', port=443): Max retries exceeded with url: /user (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused')) +``` + +#### Cause Analysis + +The preceding problem is caused by the unstable network access between the patch-tracking and GitHub API. Ensure that the patch-tracking is operating in a stable network environment (for example, HUAWEI CLOUD Hong Kong). \ No newline at end of file diff --git a/docs/en/docs/userguide/pkgship.md b/docs/en/docs/userguide/pkgship.md new file mode 100644 index 0000000000000000000000000000000000000000..0fdd4c721c3fb0f376ec3bcc8b12efb8af95ec3d --- /dev/null +++ b/docs/en/docs/userguide/pkgship.md 
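Review bot: In the Tool Usage section of patch-tracking.md, every `add` and `delete` example passes the credential inline (`--password Test@123`), the same string used as the sample input for `generate_password`, which puts it in shell history and the process list and invites readers to keep it. Use a placeholder as the delete synopsis already does (`--password PWD`) and state that the sample value must be replaced. Under Configuring Parameters, the quoted requirements say the password hash value must meet the complexity rules, but the rules listed (length, character classes) describe the password itself, and a 6-byte minimum is short for an account that guards the POST interface. In Querying a Tracking Item, the sentence "The website can be accessed properly." stands where "For example:" is expected, the first query command has `--server` with no value, and the option is listed as `--Repo` while the other sections use `--repo`.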
@@ -0,0 +1,407 @@ +# pkgship + + +- [pkgship](#pkgship) + - [Introduction](#Introduction) + - [Architecture](#Architecture) + - [Downloading the Software](#Downloading the Software) + - [Operating Environment](#Operating Environment) + - [Installing the Tool](#Installing the Tool) + - [Configuring Parameters](#Configuring Parameters) + - [Starting and Stopping the Service](#Starting and Stopping the Service) + - [Using the Tool](#Using the Tool) + - [Viewing and Dumping Logs](#Viewing and Dumping Logs) + + + +## Introduction + +The pkgship is a query tool used to manage the dependency of OS software packages and provide a complete dependency graph. The pkgship provides functions such as software package dependency query, lifecycle management, and patch query. + +1. Software package dependency query: Allow community personnel to understand the impact on software when software packages are introduced, updated, or deleted. +2. Patch query: Allow community personnel to learn about the patches in the openEuler software package and obtain the patch information. For details, see [patch-tracking](../patch-tracking/README.md). + +## Architecture + +The system uses the Flask-RESTful development mode. The following figure shows the architecture: + +![avatar](./images/packagemanagement.png) + +## Downloading the Software + +* The repo source is officially released at: +* You can obtain the source code at: +* You can obtain the RPM package at: + +## Operating Environment + +- Hardware configuration: + +| Item| Recommended Specification| +|----------|----------| +| CPU| 8 cores| +| Memory| 32 GB (minimum: 4 GB)| +| Network bandwidth| 300 Mbit/s| +| I/O| 375 MB/s| + +- Software configuration: + +| Name| Specifications| +|----------|----------| +| Elasticsearch| 7.10.1. Single-node and cluster deployment is available.| +| Redis| 5.0.4 or later is recommended. You are advised to set the size to 3/4 of the memory.| +| Python| 3.8 or later.| + +## Installing the Tool + +**1\. 
Installing the pkgship** + +You can use either of the following methods to install the pkgship: + +* Method 1: Mount the repo source using DNF. +Use DNF to mount the repo source where the pkgship is located (for details, see the [Application Development Guide](https://openeuler.org/zh/docs/20.09/docs/ApplicationDev/%E5%BC%80%E5%8F%91%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87.html)). Then run the following command to download and install the pkgship and its dependencies: + + ```bash + dnf install pkgship + ``` + +* Method 2: Install the RPM package. Download the RPM package of the pkgship and run the following command to install the pkgship (x.x-x indicates the version number and needs to be replaced with the actual one): + + ```bash + rpm -ivh pkgship-x.x-x.oe1.noarch.rpm + ``` + + Or + + ```bash + dnf install pkgship-x.x-x.oe1.noarch.rpm + ``` + +**2\. Installing Elasticsearch and Redis** + +If Elasticsearch or Redis is not installed in the environment, you can execute the automatic installation script after the pkgship is installed. + +The default script path is as follows: + +``` +/etc/pkgship/auto_install_pkgship_requires.sh +``` + +Run the following command: + +``` +/bin/bash auto_install_pkgship_requires.sh elasticsearch +``` + +Or + +``` + /bin/bash auto_install_pkgship_requires.sh redis +``` + +**3\. Adding a User After the Installation** + +After the pkgship software is installed, the system automatically creates a user named **pkgshipuser** and a user group named **pkgshipuser**. They will be used when the service is started and running. + +## Configuring Parameters + +1\. Configure the parameters in the configuration file. The default configuration file of the system is stored in **/etc/pkgship/packge.ini**. Modify the configuration file as required. + +``` +vim /etc/pkgship/package.ini +``` + +```ini +[SYSTEM-System Configuration] +; Path for storing the .yaml file imported during database initialization. 
The .yaml file records the location of the imported .sqlite file. +init_conf_path=/etc/pkgship/conf.yaml + +; Service query port +query_port=8090 + +; Service query IP address +query_ip_addr=127.0.0.1 + +; Address of the remote service. The command line can directly call the remote service to complete the data request. +remote_host=https://api.openeuler.org/pkgmanage + +; Directory for storing temporary files during initialization and download. The directory will not be occupied for a long time. It is recommended that the available space be at least 1 GB. +temporary_directory=/opt/pkgship/tmp/ + +[LOG-Logs] +; Service log storage path +log_path=/var/log/pkgship/ + +; Log level. The options are as follows: +; INFO DEBUG WARNING ERROR CRITICAL +log_level=INFO + +; Maximum size of a service log file. If the size of a service log file exceeds the value of this parameter, the file is automatically compressed and dumped. The default value is 30 MB. +max_bytes=31457280 + +; Maximum number of backup log files. The default value is 30. +backup_count=30 + +[UWSGI-Web Server Configuration] +; Operation log path +daemonize=/var/log/pkgship-operation/uwsgi.log +; Size of data transmitted between the front end and back end +buffer-size=65536 +; Network connection timeout interval +http-timeout=600 +; Service response time +harakiri=600 + +[REDIS-Cache Configuration] +; The address of the Redis cache server can be the released domain or IP address that can be accessed. +; The default link address is 127.0.0.1. +redis_host=127.0.0.1 + +; Port number of the Redis cache server. The default value is 6379. +redis_port=6379 + +; Maximum number of connections allowed by the Redis server at a time. +redis_max_connections=10 + +[DATABASE-Database] +; Database access address. The default value is the IP address of the local host. +database_host=127.0.0.1 + +; Database access port. The default value is 9200. +database_port=9200 + +``` + +2\. 
Create a YAML configuration file to initialize the database. The **conf.yaml** file is stored in the **/etc/pkgship/** directory by default. The pkgship reads the name of the database to be created and the SQLite file to be imported based on this configuration. You can also configure the repo address of the SQLite file. An example of the **conf.yaml** file is as follows: + +```yaml +dbname: oe20.03 #Database name +src_db_file: /etc/pkgship/repo/openEuler-20.09/src #Local path of the source package +bin_db_file: /etc/pkgship/repo/openEuler-20.09/bin #Local path of the binary package +priority: 1 #Database priority + +dbname: oe20.09 +src_db_file: https://repo.openeuler.org/openEuler-20.09/source #Repo source of the source package +bin_db_file: https://repo.openeuler.org/openEuler-20.09/everything/aarch64 #Repo source of the binary package +priority: 2 +``` + +> To change the storage path, change the value of **init\_conf\_path** in the **package.ini** file. +> +> The SQLite file path cannot be configured directly. +> +> The value of **dbname** can contain only lowercase letters and digits. + +## Starting and Stopping the Service + +The pkgship can be started and stopped in two modes: systemctl mode and pkgshipd mode. In systemctl mode, the automatic startup mechanism can be stopped when an exception occurs. You can run any of the following commands: + +```shell +systemctl start pkgship.service Start the service. + +systemctl stop pkgship.service Stop the service. + +systemctl restart pkgship.service Restart the service. +``` + +```sh +pkgshipd start Start the service. + +pkgshipd stop Stop the service. +``` + +> Only one mode is supported in each start/stop period. The two modes cannot be used at the same time. +> +> The pkgshipd startup mode can be used only by the **pkgshipuser** user. + +## Using the Tool + +1. Initialize the database. 
+ + > Application scenario: After the service is started, to query the package information and dependency in the corresponding database (for example, oe20.03 and oe20.09), you need to import the SQLite (including the source code library and binary library) generated by the **createrepo** to the service. Then insert the generated JSON body of the package information into the corresponding database of Elasticsearch. The database name is the value of d**bname-source/binary** generated based on the value of **dbname** in the **conf.yaml** file. + + ```bash + pkgship init [-filepath path] + ``` + + > Parameter description: +**-filepath**: (Optional) Specifies the path of the initialization configuration file **config.yaml.** You can use either a relative path or an absolute path. If no parameter is specified, the default configuration is used for initialization. + +2. Query a single package. + + You can query details about a source package or binary package (**packagename**) in the specified **database** table. + + > Application scenario: You can query the detailed information about the source package or binary package in a specified database. + + ```bash + pkgship pkginfo $packageName $database [-s] + ``` + + > Parameter description: +**packagename**: (Mandatory) Specifies the name of the software package to be queried. +**database**: (Mandatory) Specifies the database name. + > + > **-s**: (Optional) Specifies that the source package `src` is to be queried by `-s`. If this parameter is not specified, the binary package information of `bin` is queried by default. + +3. Query all packages. + + Query information about all packages in the database. + + > Application scenario: You can query information about all software packages in a specified database. + + ```bash + pkgship list $database [-s] + ``` + + > Parameter description: +**database**: (Mandatory) Specifies the database name. +**-s**: (Optional) Specifies that the source package `src` is to be queried by `-s`. 
If this parameter is not specified, the binary package information of `bin` is queried by default. + +4. Query the installation dependency. + + Query the installation dependency of the binary package (**binaryName**). + + > Application scenario: When you need to install the binary package A, you need to install B, the installation dependency of A, and C, the installation dependency of B, etc. A can be installed only after all the installation dependencies are installed in the system. Therefore, before installing the binary package A, you may need to query all installation dependencies of A. You can run the following command to query multiple databases based on the default priority of the platform, and to customize the database query priority. + + ```bash + pkgship installdep [$binaryName $binaryName1 $binaryName2...] [-dbs] [db1 db2...] [-level] $level + ``` + + > Parameter description: +**binaryName**: (Mandatory) Specifies the name of the dependent binary package to be queried. Multiple packages can be transferred. + > + > **-dbs:** (Optional) Specifies the priority of the database to be queried. If this parameter is not specified, the database is queried based on the default priority. + > + > **-level**: (Optional) Specifies the dependency level to be queried. If this parameter is not specified, the default value **0** is used, indicating that all levels are queried. + +5. Query the compilation dependency. + + Query all compilation dependencies of the source code package (**sourceName**). + + > Application scenario: To compile the source code package A, you need to install B, the compilation dependency package of A. To install B, you need to obtain all installation dependency packages of B. Therefore, before compiling the source code package A, you need to query the compilation dependencies of A and all installation dependencies of these compilation dependencies. 
You can run the following command to query multiple databases based on the default priority of the platform, and to customize the database query priority. + + ```bash + pkgship builddep [$sourceName $sourceName1 $sourceName2..] -dbs [db1 db2 ..] [-level] $level + ``` + + > Parameter description: +**sourceName**: (Mandatory) Specifies the name of the source package on which the compilation depends. Multiple packages can be queried. + > + > **-dbs:** (Optional) Specifies the priority of the database to be queried. If this parameter is not specified, the database is queried based on the default priority. + > + > **-level**: (Optional) Specifies the dependency level to be queried. If this parameter is not specified, the default value **0** is used, indicating that all levels are queried. + +6. Query the self-compilation and self-installation dependencies. + + Query the installation and compilation dependencies of a specified binary package (**binaryName**) or source package (**sourceName**). In the command, **\[pkgName]** indicates the name of the binary package or source package to be queried. When querying a binary package, you can query all installation dependencies of the binary package, and the compilation dependencies of the source package corresponding to the binary package, as well as all installation dependencies of these compilation dependencies. When querying a source package, you can query its compilation dependency, and all installation dependencies of the compilation dependency, as well as all installation dependencies of the binary packages generated by the source package. In addition, you can run this command together with the corresponding parameters to query the self-compilation dependency of a software package and the dependency of a subpackage. + + > Application scenario: If you want to introduce a new software package based on the existing version library, you need to introduce all compilation and installation dependencies of the software package. 
You can run this command to query these two dependency types at the same time to know the packages introduced by the new software package, and to query binary packages and source packages. + + ```bash + pkgship selfdepend [$pkgName1 $pkgName2 $pkgName3 ..] [-dbs] [db1 db2..] [-b] [-s] [-w] + ``` + + > Parameter description: + > + > **pkgName**: (Mandatory) Specifies the name of the software package on which the installation depends. Multiple software packages can be transferred. + > + > **-dbs:** (Optional) Specifies the priority of the database to be queried. If this parameter is not specified, the database is queried based on the default priority. + > + > **-b**: (Optional) Specifies that the package to be queried is a binary package. If this parameter is not specified, the source package is queried by default. + > + > **-s**: (Optional) If **-s** is specified, all installation dependencies, compilation dependencies (that is, compilation dependencies of the source package on which compilation depends), and installation dependencies of all compilation dependencies of the software package are queried. If **-s** is not added, all installation dependencies and layer-1 compilation dependencies of the software package, as well as all installation dependencies of layer-1 compilation dependencies, are queried. + > + > **-w**: (Optional) If **-s** is specified, when a binary package is introduced, the query result displays the source package corresponding to the binary package and all binary packages generated by the source package. If **-w** is not specified, only the corresponding source package is displayed in the query result when a binary package is imported. + +7. Query dependency. +Query the packages that depend on the software package (**pkgName**) in a database (**dbName**). + + > Application scenario: You can run this command to query the software packages that will be affected by the upgrade or deletion of the software source package A. 
This command displays the source packages (for example, B) that depend on the binary packages generated by source package A (if it is a source package or the input binary package for compilation). It also displays the binary packages (for example, C1) that depend on A for installation. Then, it queries the source package (for example, D) that depend on the binary package generated by B C1 for compilation and the binary package (for example E1) for installation. This process continues until it traverses the packages that depend on the binary packages. + + ```bash + pkgship bedepend dbName [$pkgName1 $pkgName2 $pkgName3] [-w] [-b] [-install/build] + ``` + + > Parameter description: + > + > **dbName**: (Mandatory) Specifies the name of the repository whose dependency needs to be queried. Only one repository can be queried each time. + > + > **pkgName**: (Mandatory) Specifies the name of the software package to be queried. Multiple software packages can be queried. + > + > **-w**: (Optional) If **-w** is not specified, the query result does not contain the subpackages of the corresponding source package by default. If **\[-w]** is specified after the command, not only the dependency of binary package C1 is queried, but also the dependency of other binary packages (such as C2 and C3) generated by source package C corresponding to C1 is queried. + > + > **-b**: (Optional) Specifies `-b` and indicates that the package to be queried is a binary package. By default, the source package is queried. + > + > **-install/build**: (Optional) `-install` indicates that installation dependencies are queried. `-build` indicates that build dependencies are queried. By default, all dependencies are queried. `-install` and `-build` are exclusive to each other. + +8. Query the database information. + + > Application scenario: Check which databases are initialized in Elasticsearch. This function returns the list of initialized databases based on the priority. + + `pkgship dbs` + +9. 
Obtain the version number. + + > Application scenario: Obtain the version number of the pkgship software. + + `pkgship -v` + +## Viewing and Dumping Logs + +**Viewing Logs** + +When the pkgship service is running, two types of logs are generated: service logs and operation logs. + +1\. Service logs: + +Path: **/var/log/pkgship/log\_info.log**. You can customize the path through the **log\_path** field in the **package.ini** file. + +Function: This log records the internal running of the code to facilitate fault locating. + +Permission: The permissions on the path and the log file are 755 and 644, respectively. Common users can view the log file. + +2\. Operation logs: + +Path: **/var/log/pkgship-operation/uwsgi.log**. You can customize the path through the **daemonize** field in the **package.ini** file. + +Function: This log records user operation information, including the IP address, access time, URL, and result, to facilitate subsequent queries and record attacker information. + +Permission: The permissions on the path and the log file are 700 and 644, respectively. Only the **root** and **pkgshipuser** users can view the log file. + +**Dumping Logs** + +1\. Service log dumping: + +- Dumping mechanism + + Use the dumping mechanism of the logging built-in function of Python to back up logs based on the log size. + +> The items are used to configure the capacity and number of backups of each log in the **package.ini** file. +> +> ```ini +> ; Maximum capacity of each file, the unit is byte, default is 30M +> max_bytes=31457280 +> +> ; Number of old logs to keep;default is 30 +> backup_count=30 +> ``` + +- Dumping process + + After a log is written, if the size of the log file exceeds the configured log capacity, the log file is automatically compressed and dumped. The compressed file name is **log\_info.log.***x***.gz**, where *x* is a number. A smaller number indicates a later backup. 
+ + When the number of backup log files reaches the threshold, the earliest backup log file is deleted and the latest compressed log file is backed up. + +2\. Operation log dumping: + +- Dumping mechanism + + A script is used to dump data by time. Data is dumped once a day and is retained for 30 days. Customized configuration is not supported. + + > The script is stored in **/etc/pkgship/uwsgi\_logrotate.sh**. + +- Dumping process + + When the pkgship is started, the script for dumping data runs in the background. From the startup, dumping and compression are performed every other day. A total of 30 compressed files are retained. The compressed file name is **uwsgi.log-20201010***x***.zip**, where *x* indicates the hour when the file is compressed. + + After the pkgship is stopped, the script for dumping data is stopped and data is not dumped . When the pkgship is started again, the script for dumping data is executed again. \ No newline at end of file diff --git a/docs/en/menu/index.md b/docs/en/menu/index.md new file mode 100644 index 0000000000000000000000000000000000000000..3475e2590ba70910594def60eb65e3e1fb88c605 --- /dev/null +++ b/docs/en/menu/index.md 
@@ -0,0 +1,161 @@ +--- +headless: true +--- +- [Terms of Use]({{< relref "./docs/Releasenotes/terms-of-use.md" >}}) +- [Release Notes]({{< relref "./docs/Releasenotes/release_notes.md" >}}) + - [User Notice]({{< relref "./docs/Releasenotes/user-notice.md" >}}) + - [Introduction]({{< relref "./docs/Releasenotes/introduction.md" >}}) + - [Installing the OS]({{< relref "./docs/Releasenotes/installing-the-os.md" >}}) + - [Key Features]({{< relref "./docs/Releasenotes/key-features.md" >}}) + - [Known Issues]({{< relref "./docs/Releasenotes/known-issues.md" >}}) + - [Resolved Issues]({{< relref "./docs/Releasenotes/resolved-issues.md" >}}) + - [Common Vulnerabilities and Exposures (CVE)]({{< relref "./docs/Releasenotes/common-vulnerabilities-and-exposures-(cve).md" >}}) + - [Source Code]({{< relref "./docs/Releasenotes/source-code.md" >}}) + - [Contribution]({{< relref "./docs/Releasenotes/contribution.md" >}}) + - [Acknowledgement]({{< relref "./docs/Releasenotes/acknowledgement.md" >}}) +- [Quick Start]({{< relref "./docs/Quickstart/quick-start.md" >}}) +- [Installation Guide]({{< relref "./docs/Installation/Installation.md" >}}) + - [Installation on Servers]({{< relref "./docs/Installation/install-server.md" >}}) + - [Installation Preparations]({{< relref "./docs/Installation/installation-preparations.md" >}}) + - [Installation Mode]({{< relref "./docs/Installation/installation-mode.md" >}}) + - [Installation Guideline]({{< relref "./docs/Installation/installation-guideline.md" >}}) + - [Using Kickstart for Automatic Installation]({{< relref "./docs/Installation/using-kickstart-for-automatic-installation.md" >}}) + - [FAQs]({{< relref "./docs/Installation/faqs.md" >}}) + - [Installation on Raspberry Pi]({{< relref "./docs/Installation/install-pi.md" >}}) + - [Installation Preparations]({{< relref "./docs/Installation/Installation-Preparations1.md" >}}) + - [Installation Mode]({{< relref "./docs/Installation/Installation-Modes1.md" >}}) + - [Installation Guideline]({{< 
relref "./docs/Installation/Installation-Guide1" >}}) + - [FAQs]({{< relref "./docs/Installation/FAQ1.md" >}}) + - [More Resources]({{< relref "./docs/Installation/More-Resources.md" >}}) +- [Administrator Guide]({{< relref "./docs/Administration/administration.md" >}}) + - [Viewing System Information]({{< relref "./docs/Administration/viewing-system-information.md" >}}) + - [Basic Configuration]({{< relref "./docs/Administration/basic-configuration.md" >}}) + - [User and User Group Management]({{< relref "./docs/Administration/user-and-user-group-management.md" >}}) + - [Using the DNF to Manage Software Packages]({{< relref "./docs/Administration/using-the-dnf-to-manage-software-packages.md" >}}) + - [Service Management]({{< relref "./docs/Administration/service-management.md" >}}) + - [Process Management]({{< relref "./docs/Administration/process-management.md" >}}) + - [Configuring the Network]({{< relref "./docs/Administration/configuring-the-network.md" >}}) + - [Managing Hard Disks Through LVM]({{< relref "./docs/Administration/managing-hard-disks-through-lvm.md" >}}) + - [Using the KAE]({{< relref "./docs/Administration/using-the-kae.md" >}}) + - [Configuring Services]({{< relref "./docs/Administration/configuring-services.md" >}}) + - [Configuring the Repo Server]({{< relref "./docs/Administration/configuring-the-repo-server.md" >}}) + - [Configuring the FTP Server]({{< relref "./docs/Administration/configuring-the-ftp-server.md" >}}) + - [Configuring the Web Server]({{< relref "./docs/Administration/configuring-the-web-server.md" >}}) + - [Setting Up the Database Server]({{< relref "./docs/Administration/setting-up-the-database-server.md" >}}) + - [Trusted Computing]({{< relref "./docs/Administration/trusted-computing.md" >}}) + - [FAQs]({{< relref "./docs/Administration/faqs.md" >}}) +- [Security Hardening Guide]({{< relref "./docs/SecHarden/secHarden.md" >}}) + - [OS Hardening Overview]({{< relref "./docs/SecHarden/os-hardening-overview.md" >}}) + - 
[Security Hardening Guide]({{< relref "./docs/SecHarden/security-hardening-guide.md" >}}) + - [Account Passwords]({{< relref "./docs/SecHarden/account-passwords.md" >}}) + - [Authentication and Authorization]({{< relref "./docs/SecHarden/authentication-and-authorization.md" >}}) + - [System Services]({{< relref "./docs/SecHarden/system-services.md" >}}) + - [File Permissions]({{< relref "./docs/SecHarden/file-permissions.md" >}}) + - [Kernel Parameters]({{< relref "./docs/SecHarden/kernel-parameters.md" >}}) + - [SELinux Configuration]({{< relref "./docs/SecHarden/selinux-configuration.md" >}}) + - [Security Hardening Tools]({{< relref "./docs/SecHarden/security-hardening-tools.md" >}}) + - [Appendix]({{< relref "./docs/SecHarden/appendix.md" >}}) +- [Virtualization User Guide]({{< relref "./docs/Virtualization/virtualization.md" >}}) + - [Introduction to Virtualization]({{< relref "./docs/Virtualization/introduction-to-virtualization.md" >}}) + - [Installation to Virtualization]({{< relref "./docs/Virtualization/installation-to-virtualization.md" >}}) + - [Environment Preparation]({{< relref "./docs/Virtualization/environment-preparation.md" >}}) + - [VM Configuration]({{< relref "./docs/Virtualization/vm-configuration.md" >}}) + - [Managing VMs]({{< relref "./docs/Virtualization/managing-vms.md" >}}) + - [VM Live Migration]({{< relref "./docs/Virtualization/vm-live-migration.md" >}}) + - [System Resource Management]({{< relref "./docs/Virtualization/system-resource-management.md" >}}) + - [Managing Devices]({{< relref "./docs/Virtualization/managing-devices.md" >}}) + - [VM Maintainability Management]({{< relref "./docs/Virtualization/vm-maintainability-management.md" >}}) + - [Best Practices]({{< relref "./docs/Virtualization/best-practices.md" >}}) + - [Tool Guide]({{< relref "./docs/Virtualization/tool-guide.md" >}}) + - [Appendix]({{< relref "./docs/Virtualization/appendix.md" >}}) +- [StratoVirt User Guide]({{< relref 
"./docs/StratoVirt/StratoVrit_guidence.md" >}}) + - [Introduction to StratoVirt]({{< relref "./docs/StratoVirt/StratoVirt_Intoduction.md" >}}) + - [Installing StratoVirt]({{< relref "./docs/StratoVirt/Install_StratoVirt.md" >}}) + - [Preparing the Environment]({{< relref "./docs/StratoVirt/Prepare_env.md" >}}) + - [Configuring a VM]({{< relref "./docs/StratoVirt/VM_configuration.md" >}}) + - [Querying VM Information]({{< relref "./docs/StratoVirt/Query_VM_information.md" >}}) + - [Managing the VM Lifecycle]({{< relref "./docs/StratoVirt/Manage_life_cycle.md" >}}) + - [Managing VM resources]({{< relref "./docs/StratoVirt/Manage_resource.md" >}}) + - [Interconnecting with the iSula Secure Container]({{< relref "./docs/StratoVirt/Interconnect_isula.md" >}}) +- [Container User Guide]({{< relref "./docs/Container/container.md" >}}) + - [iSulad Container Engine]({{< relref "./docs/Container/isulad-container-engine.md" >}}) + - [Installation, Upgrade and Uninstallation]({{< relref "./docs/Container/installation-upgrade-Uninstallation.md" >}}) + - [Installation and Configuration]({{< relref "./docs/Container/installation-configuration.md" >}}) + - [Upgrade Methods]({{< relref "./docs/Container/upgrade-methods.md" >}}) + - [Uninstallation]({{< relref "./docs/Container/uninstallation.md" >}}) + - [Application Scenarios]({{< relref "./docs/Container/application-scenarios.md" >}}) + - [Container Management]({{< relref "./docs/Container/container-management.md" >}}) + - [Interconnection with the CNI Network]({{< relref "./docs/Container/interconnection-with-the-cni-network.md" >}}) +}) + - [Container Resource Management]({{< relref "./docs/Container/container-resource-management.md" >}}) + - [Privileged Container]({{< relref "./docs/Container/privileged-container.md" >}}) + - [CRI]({{< relref "./docs/Container/cri.md" >}}) + - [Image Management]({{< relref "./docs/Container/image-management.md" >}}) + - [Checking the Container Health Status]({{< relref 
"./docs/Container/checking-the-container-health-status.md" >}}) + - [Querying Information]({{< relref "./docs/Container/querying-information.md" >}}) + - [Security Features]({{< relref "./docs/Container/security-features.md" >}}) + - [Supporting OCI hooks]({{< relref "./docs/Container/supporting-oci-hooks.md" >}}) + - [Local Volume Management]({{< relref "./docs/Container/local-volume-management.md" >}}) + - [Appendix]({{< relref "./docs/Container/appendix.md" >}}) + - [System Container]({{< relref "./docs/Container/system-container.md" >}}) + - [Installation Guideline]({{< relref "./docs/Container/installation-guideline.md" >}}) + - [Usage Guide]({{< relref "./docs/Container/usage-guide.md" >}}) + - [Specifying Rootfs to Create a Container]({{< relref "./docs/Container/specifying-rootfs-to-create-a-container.md" >}}) + - [Using systemd to Start a Container]({{< relref "./docs/Container/using-systemd-to-start-a-container.md" >}}) + - [Reboot or Shutdown in a Container]({{< relref "./docs/Container/reboot-or-shutdown-in-a-container.md" >}}) + - [Configurable Cgroup Path]({{< relref "./docs/Container/configurable-cgroup-path.md" >}}) + - [Writable Namespace Kernel Parameters]({{< relref "./docs/Container/writable-namespace-kernel-parameters.md" >}}) + - [Shared Memory Channels]({{< relref "./docs/Container/shared-memory-channels.md" >}}) + - [Dynamically Loading the Kernel Module]({{< relref "./docs/Container/dynamically-loading-the-kernel-module.md" >}}) + - [Environment Variable Persisting]({{< relref "./docs/Container/environment-variable-persisting.md" >}}) + - [Maximum Number of Handles]({{< relref "./docs/Container/maximum-number-of-handles.md" >}}) + - [Security and Isolation]({{< relref "./docs/Container/security-and-isolation.md" >}}) + - [Dynamically Managing Container Resources \\(syscontainer-tools\\)]({{< relref "./docs/Container/dynamically-managing-container-resources-(syscontainer-tools).md" >}}) + - [Appendix]({{< relref 
"./docs/Container/appendix-1.md" >}}) + - [Secure Container]({{< relref "./docs/Container/secure-container.md" >}}) + - [Installation and Deployment]({{< relref "./docs/Container/installation-and-deployment-1.md" >}}) + - [Application Scenarios]({{< relref "./docs/Container/application-scenarios-2.md" >}}) + - [Managing the Lifecycle of a Secure Container]({{< relref "./docs/Container/managing-the-lifecycle-of-a-secure-container.md" >}}) + - [Configuring Resources for a Secure Container]({{< relref "./docs/Container/configuring-resources-for-a-secure-container.md" >}}) + - [Configuring Networking for a Secure Container]({{< relref "./docs/Container/configuring-networking-for-a-secure-container.md" >}}) + - [Monitoring Secure Containers]({{< relref "./docs/Container/monitoring-secure-containers.md" >}}) + - [Appendix]({{< relref "./docs/Container/appendix-2.md" >}}) + - [Docker Container]({{< relref "./docs/Container/docker-container.md" >}}) + - [Installation and Deployment]({{< relref "./docs/Container/installation-and-deployment-2.md" >}}) + - [Container Management]({{< relref "./docs/Container/container-management-1.md" >}}) + - [Image Management]({{< relref "./docs/Container/image-management-1.md" >}}) + - [Command Reference]({{< relref "./docs/Container/command-reference.md" >}}) + - [Container Engine]({{< relref "./docs/Container/container-engine.md" >}}) + - [Container Management]({{< relref "./docs/Container/container-management-2.md" >}}) + - [Image Management]({{< relref "./docs/Container/image-management-2.md" >}}) + - [Statistics]({{< relref "./docs/Container/statistics.md" >}}) + - [Image Building]({{< relref "./docs/Container/isula-build.md" >}}) +- [A-Tune User Guide]({{< relref "./docs/A-Tune/A-Tune.md" >}}) + - [Getting to Know A-Tune]({{< relref "./docs/A-Tune/getting-to-know-a-tune.md" >}}) + - [Installation and Deployment]({{< relref "./docs/A-Tune/installation-and-deployment.md" >}}) + - [Application Scenarios]({{< relref 
"./docs/A-Tune/application-scenarios.md" >}}) + - [FAQs]({{< relref "./docs/A-Tune/faqs.md" >}}) + - [Appendixes]({{< relref "./docs/A-Tune/appendixes.md" >}}) +- [Application Development Guide]({{< relref "./docs/ApplicationDev/application-development.md" >}}) + - [Preparation]({{< relref "./docs/ApplicationDev/preparation.md" >}}) + - [Using GCC for Compilation]({{< relref "./docs/ApplicationDev/using-gcc-for-compilation.md" >}}) + - [Using Make for Compilation]({{< relref "./docs/ApplicationDev/using-make-for-compilation.md" >}}) + - [Using JDK for Compilation]({{< relref "./docs/ApplicationDev/using-jdk-for-compilation.md" >}}) + - [Building an RPM Package]({{< relref "./docs/ApplicationDev/building-an-rpm-package.md" >}}) + - [FAQ]({{< relref "./docs/ApplicationDev/FAQ.md" >}}) +- [Third-Party Software Deployment Guide]({{< relref "./docs/thirdparty_migration/thidrparty.md" >}}) + - [OpenStack Victoria Deployment Guide]({{< relref "./docs/thirdparty_migration/OpenStack-victoria.md" >}}) + - [Installing and Deploying an HA Cluster]({{< relref "./docs/thirdparty_migration/installha.md" >}}) +- [Desktop Environment User Guide]({{< relref "./docs/desktop/desktop.md" >}}) + - [UKUI]({{< relref "./docs/desktop/ukui.md" >}}) + - [Installation UKUI]({{< relref "./docs/desktop/install-UKUI.md" >}}) + - [UKUI User Guide]({{< relref "./docs/desktop/UKUI-user-guide.md" >}}) + - [DDE]({{< relref "./docs/desktop/dde.md" >}}) + - [install-DDE]({{< relref "./docs/desktop/install-DDE.md" >}}) + - [DDE User Guide]({{< relref "./docs/desktop/DDE-User-Manual.md" >}}) + - [XFCE]({{< relref "./docs/desktop/xfce.md" >}}) + - [Xfce Installation Guide]({{< relref "./docs/desktop/Install_XFCE.md" >}}) + - [Xfce User Guide]({{< relref "./docs/desktop/Xfce_userguide.md" >}}) +- [Toolset User Guide]({{< relref "./docs/userguide/overview.md" >}}) + - [patch-tracking]({{< relref "./docs/userguide/patch-tracking.md" >}}) + - [pkgship]({{< relref "./docs/userguide/pkgship.md" >}}) \ No 
newline at end of file diff --git a/content/zh/docs/A-Tune/A-Tune.md b/docs/zh/docs/A-Tune/A-Tune.md similarity index 100% rename from content/zh/docs/A-Tune/A-Tune.md rename to docs/zh/docs/A-Tune/A-Tune.md diff --git a/content/zh/docs/A-Tune/figures/zh-cn_image_0213178479.png b/docs/zh/docs/A-Tune/figures/zh-cn_image_0213178479.png similarity index 100% rename from content/zh/docs/A-Tune/figures/zh-cn_image_0213178479.png rename to docs/zh/docs/A-Tune/figures/zh-cn_image_0213178479.png diff --git a/content/zh/docs/A-Tune/figures/zh-cn_image_0213178480.png b/docs/zh/docs/A-Tune/figures/zh-cn_image_0213178480.png similarity index 100% rename from content/zh/docs/A-Tune/figures/zh-cn_image_0213178480.png rename to docs/zh/docs/A-Tune/figures/zh-cn_image_0213178480.png diff --git a/content/zh/docs/A-Tune/figures/zh-cn_image_0214540398.png b/docs/zh/docs/A-Tune/figures/zh-cn_image_0214540398.png similarity index 100% rename from content/zh/docs/A-Tune/figures/zh-cn_image_0214540398.png rename to docs/zh/docs/A-Tune/figures/zh-cn_image_0214540398.png diff --git a/content/zh/docs/A-Tune/figures/zh-cn_image_0227497000.png b/docs/zh/docs/A-Tune/figures/zh-cn_image_0227497000.png similarity index 100% rename from content/zh/docs/A-Tune/figures/zh-cn_image_0227497000.png rename to docs/zh/docs/A-Tune/figures/zh-cn_image_0227497000.png diff --git a/docs/zh/docs/A-Tune/figures/zh-cn_image_0227497343.png b/docs/zh/docs/A-Tune/figures/zh-cn_image_0227497343.png new file mode 100644 index 0000000000000000000000000000000000000000..aecf293846ebd12f15b9a3fb5fdc2618d9d527dc Binary files /dev/null and b/docs/zh/docs/A-Tune/figures/zh-cn_image_0227497343.png differ diff --git a/content/zh/docs/A-Tune/figures/zh-cn_image_0231122163.png b/docs/zh/docs/A-Tune/figures/zh-cn_image_0231122163.png similarity index 100% rename from content/zh/docs/A-Tune/figures/zh-cn_image_0231122163.png rename to docs/zh/docs/A-Tune/figures/zh-cn_image_0231122163.png 
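Review bot: In the new pkgship.md, the conf.yaml example under step 2 of "Configuring Parameters" repeats `dbname`, `src_db_file`, `bin_db_file` and `priority` at the top level, so the two databases read as one mapping with duplicate keys rather than two entries; if the file is meant to be a list of databases, start each entry with `- dbname:`. In the same example the first entry is named `oe20.03` while both of its paths point at `openEuler-20.09`, and the note directly below says **dbname** may contain only lowercase letters and digits although both sample names contain a dot. Further points in this hunk: step 1 names the file `/etc/pkgship/packge.ini` while the command on the next line edits `/etc/pkgship/package.ini`; the `-filepath` description refers to `config.yaml` where the rest of the page says `conf.yaml`; the `-w` description for `selfdepend` opens with "If **-s** is specified"; the three bullets under "Downloading the Software" stop at the colon with no URL; the installation script is given as `/etc/pkgship/auto_install_pkgship_requires.sh` but the run commands call it by bare file name without saying to change into that directory; and "Dumping mechanism" for the operation log says data is dumped once a day while "Dumping process" says every other day. Please reconcile these before merging.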
diff --git a/docs/zh/docs/A-Tune/figures/zh-cn_image_0245342444.png b/docs/zh/docs/A-Tune/figures/zh-cn_image_0245342444.png new file mode 100644 index 0000000000000000000000000000000000000000..10f0fceb42c00c80ef49decdc0c480eb04c2ca6d Binary files /dev/null and b/docs/zh/docs/A-Tune/figures/zh-cn_image_0245342444.png differ diff --git a/content/zh/docs/Administration/public_sys-resources/icon-caution.gif b/docs/zh/docs/A-Tune/public_sys-resources/icon-caution.gif similarity index 100% rename from content/zh/docs/Administration/public_sys-resources/icon-caution.gif rename to docs/zh/docs/A-Tune/public_sys-resources/icon-caution.gif diff --git a/content/zh/docs/Administration/public_sys-resources/icon-danger.gif b/docs/zh/docs/A-Tune/public_sys-resources/icon-danger.gif similarity index 100% rename from content/zh/docs/Administration/public_sys-resources/icon-danger.gif rename to docs/zh/docs/A-Tune/public_sys-resources/icon-danger.gif diff --git a/content/zh/docs/Administration/public_sys-resources/icon-note.gif b/docs/zh/docs/A-Tune/public_sys-resources/icon-note.gif similarity index 100% rename from content/zh/docs/Administration/public_sys-resources/icon-note.gif rename to docs/zh/docs/A-Tune/public_sys-resources/icon-note.gif diff --git a/content/zh/docs/Administration/public_sys-resources/icon-notice.gif b/docs/zh/docs/A-Tune/public_sys-resources/icon-notice.gif similarity index 100% rename from content/zh/docs/Administration/public_sys-resources/icon-notice.gif rename to docs/zh/docs/A-Tune/public_sys-resources/icon-notice.gif diff --git a/content/zh/docs/Administration/public_sys-resources/icon-tip.gif b/docs/zh/docs/A-Tune/public_sys-resources/icon-tip.gif similarity index 100% rename from content/zh/docs/Administration/public_sys-resources/icon-tip.gif rename to docs/zh/docs/A-Tune/public_sys-resources/icon-tip.gif 
diff --git a/content/zh/docs/Administration/public_sys-resources/icon-warning.gif b/docs/zh/docs/A-Tune/public_sys-resources/icon-warning.gif similarity index 100% rename from content/zh/docs/Administration/public_sys-resources/icon-warning.gif rename to docs/zh/docs/A-Tune/public_sys-resources/icon-warning.gif diff --git "a/content/zh/docs/A-Tune/\344\275\277\347\224\250\346\226\271\346\263\225.md" "b/docs/zh/docs/A-Tune/\344\275\277\347\224\250\346\226\271\346\263\225.md" similarity index 70% rename from "content/zh/docs/A-Tune/\344\275\277\347\224\250\346\226\271\346\263\225.md" rename to "docs/zh/docs/A-Tune/\344\275\277\347\224\250\346\226\271\346\263\225.md" index 9839fd35342575be2482db35d4c716361c24d917..0b581c71f27dda073d586e992e24a59646d56460 100644 --- "a/content/zh/docs/A-Tune/\344\275\277\347\224\250\346\226\271\346\263\225.md" +++ "b/docs/zh/docs/A-Tune/\344\275\277\347\224\250\346\226\271\346\263\225.md" @@ -2,6 +2,7 @@ 用户可以通过命令行客户端atune-adm使用A-Tune提供的功能。本章介绍A-Tune客户端包含的功能和使用方法。 + - [使用方法](#使用方法) - [总体说明](#总体说明) - [查询负载类型](#查询负载类型) @@ -42,10 +43,6 @@ - define、update、undefine、collection、train、upgrade不支持远程执行。 - 命令格式中,\[ \] 表示参数可选,<\> 表示参数必选,具体参数由实际情况确定。 -- 命令格式中,各命令含义如下: - - WORKLOAD\_TYPE:用户自定义负载类型的名称,负载支持的类型参考list命令查询结果。 - - PROFILE\_NAME:用户自定义profile的名称 - - PROFILE\_PATH:用户自定义profile的路径 ## 查询负载类型 @@ -53,7 +50,7 @@ ### 功能描述 -查询系统当前支持的workload\_type和对应的profile,以及当前处于active状态的profile。 +查询系统当前支持的profile,以及当前处于active状态的profile。 ### 命令格式 
@@ -62,35 +59,109 @@ ### 使用示例 ``` -# atune-adm list - -Support WorkloadTypes: -+-----------------------------------+------------------------+-----------+ -| WorkloadType | ProfileName | Active | -+===================================+========================+===========+ -| default | default | true | -+-----------------------------------+------------------------+-----------+ -| webserver | ssl_webserver | false | -+-----------------------------------+------------------------+-----------+ -| big_database | database | false | -+-----------------------------------+------------------------+-----------+ -| big_data | big_data | false | -+-----------------------------------+------------------------+-----------+ -| in-memory_computing | in-memory_computing | false | -+-----------------------------------+------------------------+-----------+ -| in-memory_database | in-memory_database | false | -+-----------------------------------+------------------------+-----------+ -| single_computer_intensive_jobs | compute-intensive | false | -+-----------------------------------+------------------------+-----------+ -| communication | rpc_communication | false | -+-----------------------------------+------------------------+-----------+ -| idle | default | false | -+-----------------------------------+------------------------+-----------+ +# atune-adm list + +Support profiles: ++------------------------------------------------+-----------+ +| ProfileName | Active | ++================================================+===========+ +| arm-native-android-container-robox | false | ++------------------------------------------------+-----------+ +| basic-test-suite-euleros-baseline-fio | false | ++------------------------------------------------+-----------+ +| basic-test-suite-euleros-baseline-lmbench | false | ++------------------------------------------------+-----------+ +| basic-test-suite-euleros-baseline-netperf | false | ++------------------------------------------------+-----------+ 
+| basic-test-suite-euleros-baseline-stream | false | ++------------------------------------------------+-----------+ +| basic-test-suite-euleros-baseline-unixbench | false | ++------------------------------------------------+-----------+ +| basic-test-suite-speccpu-speccpu2006 | false | ++------------------------------------------------+-----------+ +| basic-test-suite-specjbb-specjbb2015 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-hdfs-dfsio-hdd | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-hdfs-dfsio-ssd | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-bayesian | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-kmeans | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql1 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql10 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql2 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql3 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql4 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql5 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql6 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql7 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql8 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-sql9 | false | ++------------------------------------------------+-----------+ +| big-data-hadoop-spark-tersort | false | 
++------------------------------------------------+-----------+ +| big-data-hadoop-spark-wordcount | false | ++------------------------------------------------+-----------+ +| cloud-compute-kvm-host | false | ++------------------------------------------------+-----------+ +| database-mariadb-2p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| database-mariadb-4p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| database-mongodb-2p-sysbench | false | ++------------------------------------------------+-----------+ +| database-mysql-2p-sysbench-hdd | false | ++------------------------------------------------+-----------+ +| database-mysql-2p-sysbench-ssd | false | ++------------------------------------------------+-----------+ +| database-postgresql-2p-sysbench-hdd | false | ++------------------------------------------------+-----------+ +| database-postgresql-2p-sysbench-ssd | false | ++------------------------------------------------+-----------+ +| default-default | false | ++------------------------------------------------+-----------+ +| docker-mariadb-2p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| docker-mariadb-4p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| hpc-gatk4-human-genome | false | ++------------------------------------------------+-----------+ +| in-memory-database-redis-redis-benchmark | false | ++------------------------------------------------+-----------+ +| middleware-dubbo-dubbo-benchmark | false | ++------------------------------------------------+-----------+ +| storage-ceph-vdbench-hdd | false | ++------------------------------------------------+-----------+ +| storage-ceph-vdbench-ssd | false | ++------------------------------------------------+-----------+ +| virtualization-consumer-cloud-olc | false | ++------------------------------------------------+-----------+ +| 
virtualization-mariadb-2p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| virtualization-mariadb-4p-tpcc-c3 | false | ++------------------------------------------------+-----------+ +| web-apache-traffic-server-spirent-pingpo | false | ++------------------------------------------------+-----------+ +| web-nginx-http-long-connection | true | ++------------------------------------------------+-----------+ +| web-nginx-https-short-connection | false | ++------------------------------------------------+-----------+ ``` ->![](public_sys-resources/icon-note.gif) **说明:** ->Active为true表示当前激活的profile,示例表示当前激活的是default类型对应的profile。 +>![](./public_sys-resources/icon-note.gif) **说明:** +>Active为true表示当前激活的profile,示例表示当前激活的profile是web-nginx-http-long-connection。 ## 分析负载类型并自优化 ### analysis @@ -108,6 +179,7 @@ Support WorkloadTypes: - OPTIONS + + + +

参数

描述

@@ -119,19 +191,30 @@ Support WorkloadTypes:

用户自训练产生的新模型

--characterization, -c

+

使用默认的模型进行应用识别,不进行自动优化

+
### 使用示例 -- 使用默认的模型进行分类识别 +- 使用默认的模型进行应用识别 ``` - # atune-adm analysis + # atune-adm analysis --characterization ``` -- 使用自训练的模型进行识别 +- 使用默认的模型进行应用识别,并进行自动优化 + + ``` + # atune-adm analysis + ``` + +- 使用自训练的模型进行应用识别 ``` # atune-adm analysis --model /usr/libexec/atuned/analysis/models/new-model.m @@ -142,8 +225,8 @@ Support WorkloadTypes: A-Tune支持用户定义并学习新模型。定义新模型的操作流程如下: -1. 用define命令定义workload\_type和profile -2. 用collection命令收集workload\_type对应的画像数据 +1. 用define命令定义一个新应用的profile +2. 用collection命令收集应用对应的系统数据 3. 用train命令训练得到模型 
@@ -152,49 +235,47 @@ A-Tune支持用户定义并学习新模型。定义新模型的操作流程如 ### 功能描述 -添加用户自定义的workload\_type,及对应的profile优化项。 +添加用户自定义的应用场景,及对应的profile优化项。 ### 命令格式 -**atune-adm define** +**atune-adm define** ### 使用示例 -新增一个workload type,workload type的名称为test\_type,profile name的名称为test\_name,优化项的配置文件为example.conf。 +新增一个profile,service_type的名称为test_service,application_name的名称为test_app,scenario_name的名称为test_scenario,优化项的配置文件为example.conf。 ``` -# atune-adm define test_type test_name ./example.conf +# atune-adm define test_service test_app test_scenario ./example.conf ``` example.conf 可以参考如下方式书写(以下各优化项非必填,仅供参考),也可通过**atune-adm info**查看已有的profile是如何书写的。 ``` -[main] -# list its parent profile -[tip] -# the recommended optimization, which should be performed manunaly -[check] -# check the environment -[affinity.irq] -# to change the affinity of irqs -[affinity.task] -# to change the affinity of tasks -[bios] -# to change the bios config -[bootloader.grub2] -# to change the grub2 config -[kernel_config] -# to change the kernel config -[script] -# the script extention of cpi -[sysctl] -# to change the /proc/sys/* config -[sysfs] -# to change the /sys/* config -[systemctl] -# to change the system service config -[ulimit] -# to change the resources limit of user + [main] + # list its parent profile + [kernel_config] + # to change the kernel config + [bios] + # to change the bios config + [bootloader.grub2] + # to change the grub2 config + [sysfs] + # to change the /sys/* config + [systemctl] + # to change the system service status + [sysctl] + # to change the /proc/sys/* config + [script] + # the script extention of cpi + [ulimit] + # to change the resources limit of user + [schedule_policy] + # to change the schedule policy + [check] + # check the environment + [tip] + # the recommended optimization, which should be performed manunaly ``` ### collection 
@@ -203,7 +284,7 @@ example.conf 可以参考如下方式书写(以下各优化项非必填,仅 采集业务运行时系统的全局资源使用情况以及OS的各项状态信息,并将收集的结果保存到csv格式的输出文件中,作为模型训练的输入数据集。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 本命令依赖采样工具perf,mpstat,vmstat,iostat,sar。 >- CPU型号目前仅支持鲲鹏920,可通过dmidecode -t processor检查CPU型号。 @@ -242,9 +323,9 @@ example.conf 可以参考如下方式书写(以下各优化项非必填,仅

业务运行时使用的网络接口,如eth0

-

--workload_type, -t

+

--app_type, -t

-

标记业务的负载类型,作为训练时使用的标签

+

标记业务的应用类型,作为训练时使用的标签

--duration, -d

@@ -264,14 +345,14 @@ example.conf 可以参考如下方式书写(以下各优化项非必填,仅 ### 使用示例 ``` -# atune-adm collection --filename name --interval 5 --duration 1200 --output_path /home/data --disk sda --network eth0 --workload_type test_type +# atune-adm collection --filename name --interval 5 --duration 1200 --output_path /home/data --disk sda --network eth0 --app_type test_type ``` ### train ### 功能描述 -使用采集的数据进行模型的训练。训练时至少采集两种workload\_type的数据,否则训练会出错。 +使用采集的数据进行模型的训练。训练时至少采集两种应用类型的数据,否则训练会出错。 ### 命令格式 @@ -314,18 +395,18 @@ example.conf 可以参考如下方式书写(以下各优化项非必填,仅 ### 功能描述 -删除用户自定义的workload\_type。 +删除用户自定义的profile。 ### 命令格式 -**atune-adm undefine** +**atune-adm undefine** ### 使用示例 -删除自定义的负载类型test\_type。 +删除自定义的profile。 ``` -# atune-adm undefine test_type +# atune-adm undefine test_service-test_app-test_scenario ``` ## 查询profile @@ -334,26 +415,26 @@ example.conf 可以参考如下方式书写(以下各优化项非必填,仅 ### 功能描述 -查看workload\_type对应的profile内容。 +查看对应的profile内容。 ### 命令格式 -**atune-adm info** _ +**atune-adm info** ### 使用示例 -查看webserver的profile内容: +查看web-nginx-http-long-connection的profile内容: ``` -# atune-adm info webserver +# atune-adm info web-nginx-http-long-connection -*** ssl_webserver: +*** web-nginx-http-long-connection: # -# webserver tuned configuration +# nginx http long connection A-Tune configuration # [main] -#TODO CONFIG +include = default-default [kernel_config] #TODO CONFIG @@ -361,11 +442,18 @@ example.conf 可以参考如下方式书写(以下各优化项非必填,仅 [bios] #TODO CONFIG +[bootloader.grub2] +iommu.passthrough = 1 + [sysfs] #TODO CONFIG +[systemctl] +sysmonitor = stop +irqbalance = stop + [sysctl] -fs.file-max=6553600 +fs.file-max = 6553600 fs.suid_dumpable = 1 fs.aio-max-nr = 1048576 kernel.shmmax = 68719476736 
@@ -393,36 +481,23 @@ net.core.rmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 -[systemctl] -sysmonitor=stop -irqbalance=stop - -[bootloader.grub2] -selinux=0 -iommu.passthrough=1 - -[tip] -bind your master process to the CPU near the network = affinity -bind your network interrupt to the CPU that has this network = affinity -relogin into the system to enable limits setting = OS - [script] -openssl_hpre = 0 prefetch = off +ethtool = -X {network} hfunc toeplitz [ulimit] {user}.hard.nofile = 102400 {user}.soft.nofile = 102400 -[affinity.task] -#TODO CONFIG - -[affinity.irq] +[schedule_policy] #TODO CONFIG [check] #TODO CONFIG +[tip] +SELinux provides extra control and security features to linux kernel. Disabling SELinux will improve the performance but may cause security risks. = kernel +disable the nginx log = application ``` ## 更新profile @@ -432,18 +507,18 @@ prefetch = off ### 功能描述 -将workload\_type原来的优化项更新为new.conf中的内容。 +将已有profile中原来的优化项更新为new.conf中的内容。 ### 命令格式 -**atune-adm update** +**atune-adm update** ### 使用示例 -更新负载类型为test\_type,优化项名称为test\_name的优化项为new.conf。 +更新名为test_service-test_app-test_scenario的profile优化项为new.conf。 ``` -# atune-adm update test_type test_name ./new.conf +# atune-adm update test_service-test_app-test_scenario ./new.conf ``` ## 激活profile @@ -451,22 +526,22 @@ prefetch = off ### 功能描述 -手动激活workload\_type对应的profile,使得workload\_type处于active状态。 +手动激活profile,使其处于active状态。 ### 命令格式 -**atune-adm profile **_<_WORKLOAD\_TYPE_\>_ +**atune-adm profile** ### 参数说明 -WORKLOAD\_TYPE支持的类型参考list命令查询结果。 +profile名参考list命令查询结果。 ### 使用示例 -激活webserver对应的profile配置。 +激活web-nginx-http-long-connection对应的profile配置。 ``` -# atune-adm profile webserver +# atune-adm profile web-nginx-http-long-connection ``` ## 回滚profile 
@@ -556,10 +631,10 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数 ### 命令格式 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >在运行命令前,需要满足如下条件: ->1. 编辑好服务端yaml配置文件,且需要服务端管理员将该配置文件放到服务端的/etc/atuned/tuning/目录下。 ->2. 编辑好客户端yaml配置文件并放在客户端任一目录。 +>1. 服务端的yaml配置文件已经编辑完成并放置于 atuned服务下的**/etc/atuned/tuning/**目录中。 +>2. 客户端的yaml配置文件已经编辑完成并放置于atuned客户端任意目录下。 **atune-adm tuning** \[OPTIONS\] @@ -568,6 +643,7 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数 - OPTIONS + + + + + + +

参数

描述

@@ -584,11 +660,22 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数

指定需要恢复的yaml文件中的项目名称

--restart, -c

+

基于历史调优结果进行调优

+

--detail, -d

+

打印tuning过程的详细信息

+
- - >![](public_sys-resources/icon-note.gif) **说明:** - >当使用参数时,上述两个参数需要同时使用,且-p参数后需要跟具体的项目名称。 + + + >![](./public_sys-resources/icon-note.gif) **说明:** + >当使用参数时,-p参数后需要跟具体的项目名称且必须指定该项目yaml文件。 - PROJECT\_YAML:客户端yaml配置文件。 @@ -660,6 +747,7 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数 **表 2** object项配置说明 + - - - - - - - - @@ -769,21 +857,15 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数 - - - - -

配置名称

配置说明

@@ -726,36 +814,36 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数

dtype

该参数仅在type为discrete类型时配置,目前支持int和string两种类型

+

该参数仅在type为discrete类型时配置,目前支持int, float, string类型

枚举

int, string

+

int, float, string

scope

参数设置范围,仅在type为discrete且dtype为int时或者type为continuous时生效

+

参数设置范围,仅在type为discrete且dtype为int或float时或者type为continuous时生效

整型

+

整型/浮点型

用户自定义,取值在该参数的合法范围

step

参数值步长,dtype为int时使用

+

参数值步长,dtype为int或float时使用

整型

+

整型/浮点型

用户自定义

items

参数值在scope定义范围之外的枚举值,dtype为int时使用

+

参数值在scope定义范围之外的枚举值,dtype为int或float时使用

整型

+

整型/浮点型

用户自定义,取值在该参数的合法范围

用户自定义,取值在该参数的合法范围

ref

-

参数的推荐初始值

-

整型或字符串

-

用户自定义,取值在该参数的合法范围

-
+ + **表 3** 客户端yaml文件配置说明 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

配置名称

配置说明

@@ -803,6 +885,15 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数

-

engine

+

调优算法

+

字符串

+

"random", "forest", "gbrt", "bayes", "extraTrees"

+

iterations

调优迭代次数

@@ -812,6 +903,51 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数

>=10

random_starts

+

随机迭代次数

+

整型

+

<iterations

+

feature_filter_engine

+

参数搜索算法,用于重要参数选择,该参数可选

+

字符串

+

"lhs"

+

feature_filter_cycle

+

参数搜索轮数,用于重要参数选择,该参数配合feature_filter_engine使用

+

整型

+

-

+

feature_filter_iters

+

每轮参数搜索的迭代次数,用于重要参数选择,该参数配合feature_filter_engine使用

+

整型

+

-

+

split_count

+

调优参数取值范围中均匀选取的参数个数,用于重要参数选择,该参数配合feature_filter_engine使用

+

整型

+

-

+

benchmark

性能测试脚本

@@ -834,9 +970,12 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数
+ + **表 4** evaluations项配置说明 + - - @@ -72,18 +72,19 @@ A-Tune支持的主要特性、特性成熟度以及使用建议请参见[表1](#

配置名称

配置说明

@@ -900,102 +1039,60 @@ A-Tune提供了最佳配置的自动搜索能力,免去人工反复做参数 服务端yaml文件配置示例: ``` -project: "example" -maxiterations: 10 +project: "compress" +maxiterations: 500 startworkload: "" stopworkload: "" object : - - name : "vm.swappiness" + name : "compressLevel" info : - desc : "the vm.swappiness" - get : "sysctl -a | grep vm.swappiness" - set : "sysctl -w vm.swappiness=$value" - needrestart: "false" + desc : "The compresslevel parameter is an integer from 1 to 9 controlling the level of compression" + get : "cat /root/A-Tune/examples/tuning/compress/compress.py | grep 'compressLevel=' | awk -F '=' '{print $2}'" + set : "sed -i 's/compressLevel=\\s*[0-9]*/compressLevel=$value/g' /root/A-Tune/examples/tuning/compress/compress.py" + needrestart : "false" type : "continuous" scope : - - 0 - - 10 - ref : 1 - - - name : "irqbalance" - info : - desc : "system irqbalance" - get : "systemctl status irqbalance" - set : "systemctl $value sysmonitor;systemctl $value irqbalance" - needrestart: "false" - type : "discrete" - options: - - "start" - - "stop" - dtype : "string" - ref : "start" - - - name : "net.tcp_min_tso_segs" - info : - desc : "the minimum tso number" - get : "cat /proc/sys/net/ipv4/tcp_min_tso_segs" - set : "echo $value > /proc/sys/net/ipv4/tcp_min_tso_segs" - needrestart: "false" - type : "continuous" - scope: - 1 - - 16 - ref : 2 + - 9 + dtype : "int" - - name : "prefetcher" + name : "compressMethod" info : - desc : "" - get : "cat /sys/class/misc/prefetch/policy" - set : "echo $value > /sys/class/misc/prefetch/policy" - needrestart: "false" + desc : "The compressMethod parameter is a string controlling the compression method" + get : "cat /root/A-Tune/examples/tuning/compress/compress.py | grep 'compressMethod=' | awk -F '=' '{print $2}' | sed 's/\"//g'" + set : "sed -i 's/compressMethod=\\s*[0-9,a-z,\"]*/compressMethod=\"$value\"/g' /root/A-Tune/examples/tuning/compress/compress.py" + needrestart : "false" type : "discrete" - options: - - "0" - - "15" + options : + - 
"bz2" + - "zlib" + - "gzip" dtype : "string" - ref : "15" - - - name : "kernel.sched_min_granularity_ns" - info : - desc : "Minimal preemption granularity for CPU-bound tasks" - get : "sysctl kernel.sched_min_granularity_ns" - set : "sysctl -w kernel.sched_min_granularity_ns=$value" - needrestart: "false" - type : "continuous" - scope: - - 5000000 - - 50000000 - ref : 10000000 - - - name : "kernel.sched_latency_ns" - info : - desc : "" - get : "sysctl kernel.sched_latency_ns" - set : "sysctl -w kernel.sched_latency_ns=$value" - needrestart: "false" - type : "continuous" - scope: - - 10000000 - - 100000000 - ref : 16000000 - ``` 客户端yaml文件配置示例: ``` -project: "example" -iterations : 10 -benchmark : "sh /home/Benchmarks/mysql/tunning_mysql.sh" +project: "compress" +engine : "gbrt" +iterations : 20 +random_starts : 10 + +benchmark : "python3 /root/A-Tune/examples/tuning/compress/compress.py" evaluations : - - name: "tps" + name: "time" + info: + get: "echo '$out' | grep 'time' | awk '{print $3}'" + type: "positive" + weight: 20 + - + name: "compress_ratio" info: - get: "echo -e '$out' |grep 'transactions:' |awk '{print $3}' | cut -c 2-" + get: "echo '$out' | grep 'compress_ratio' | awk '{print $3}'" type: "negative" - weight: 100 - threshold: 100 + weight: 80 ``` ### 使用示例 @@ -1003,13 +1100,13 @@ evaluations : - 进行tuning调优 ``` - # atune-adm tuning example-client.yaml + # atune-adm tuning --project compress --detail compress_client.yaml ``` -- 恢复tuning调优前的初始配置,example为yaml文件中的项目名称 +- 恢复tuning调优前的初始配置,compress为yaml文件中的项目名称 ``` - # atune-adm tuning --restore --project example + # atune-adm tuning --restore --project compress ``` 
diff --git "a/content/zh/docs/A-Tune/\345\256\211\350\243\205\344\270\216\351\203\250\347\275\262.md" "b/docs/zh/docs/A-Tune/\345\256\211\350\243\205\344\270\216\351\203\250\347\275\262.md" similarity index 32% rename from "content/zh/docs/A-Tune/\345\256\211\350\243\205\344\270\216\351\203\250\347\275\262.md" rename to "docs/zh/docs/A-Tune/\345\256\211\350\243\205\344\270\216\351\203\250\347\275\262.md" index ba4ec2d291b4cad7ddaf9ec6e4ca274aed275547..730c751418ae50d13e313ebf6d59da20ec974c6b 100644 --- "a/content/zh/docs/A-Tune/\345\256\211\350\243\205\344\270\216\351\203\250\347\275\262.md" +++ "b/docs/zh/docs/A-Tune/\345\256\211\350\243\205\344\270\216\351\203\250\347\275\262.md" @@ -2,16 +2,18 @@ 本章介绍如何安装和部署A-Tune。 + - [安装与部署](#安装与部署) - [软硬件要求](#软硬件要求) - [环境准备](#环境准备) - - [安装A-Tune](#安装A-Tune) + - [安装A-Tune](#安装a-tune) - [安装模式介绍](#安装模式介绍) - [安装操作](#安装操作) - - [部署A-Tune](#部署A-Tune) + - [部署A-Tune](#部署a-tune) - [配置介绍](#配置介绍) - - [启动A-Tune](#启动A-Tune) - + - [启动A-Tune](#启动a-tune) + - [启动A-Tune engine](#启动a-tune-engine) + ## 软硬件要求 @@ -21,11 +23,11 @@ ### 软件要求 -- 操作系统:openEuler 20.03 LTS +- 操作系统:openEuler 21.03 ## 环境准备 -- 安装openEuler系统,安装方法参考《openEuler 20.03 LTS 安装指南》。 +- 安装openEuler系统,安装方法参考 《openEuler 21.03 安装指南》。 - 安装A-Tune需要使用root权限。 @@ -47,7 +49,7 @@ A-Tune支持单机模式和分布式模式安装: 两种安装模式的简单图示如下: -![](figures/zh-cn_image_0231122163.png) +![](./figures/zh-cn_image_0231122163.png) ### 安装操作 @@ -56,7 +58,7 @@ A-Tune支持单机模式和分布式模式安装: 1. 挂载openEuler的iso文件。 ``` - # mount openEuler-20.03-LTS-aarch64-dvd.iso /mnt + # mount openEuler-21.03-aarch64-dvd.iso /mnt ``` 2. 配置本地yum源。 @@ -82,13 +84,14 @@ A-Tune支持单机模式和分布式模式安装: ``` -4. 安装A-Tune服务端。 +4. 安装A-Tune服务端。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >本步骤会同时安装服务端和客户端软件包,对于单机部署模式,请跳过**步骤5**。 ``` # yum install atune -y + # yum install atune-engine -y ``` 5. 若为分布式部署,请安装A-Tune客户端。 @@ -104,6 +107,7 @@ A-Tune支持单机模式和分布式模式安装: atune-client-xxx atune-db-xxx atune-xxx + atune-engine-xxx ``` 
@@ -114,16 +118,37 @@ A-Tune支持单机模式和分布式模式安装: A-Tune配置文件/etc/atuned/atuned.cnf的配置项说明如下: -- A-Tune服务启动配置 +- A-Tune服务启动配置 可根据需要进行修改。 - protocol:系统grpc服务使用的协议,unix或tcp,unix为本地socket通信方式,tcp为socket监听端口方式。默认为unix。 - - address:系统grpc服务的侦听地址,默认为unix socket,若为分布式部署,需修改为侦听的ip地址。 - port:系统grpc服务的侦听端口,范围为0\~65535未使用的端口。如果protocol配置是unix,则不需要配置。 - - rest\_port:系统restservice的侦听端口, 范围为0\~65535未使用的端口。 - - sample\_num:系统执行analysis流程时采集样本的数量。 + - connect:若为集群部署时,atune所在节点的ip列表,ip地址以逗号分隔。 + - rest_host:系统rest service的侦听地址,默认为localhost。 + - rest_port:系统rest service的侦听端口,范围为0~65535未使用的端口,默认为8383。 + - engine_host:与系统atune engine service链接的地址。 + - engine_port:与系统atune engine service链接的端口。 + - sample_num:系统执行analysis流程时采集样本的数量,默认为20。 + - interval:系统执行analysis流程时采集样本的间隔时间,默认为5s。 + - grpc_tls:系统grpc的SSL/TLS证书校验开关,默认不开启。开启grpc_tls后,atune-adm命令在使用前需要设置以下环境变量方可与服务端进行通讯: + - export ATUNE_TLS=yes + - export ATUNED_CACERT=<客户端CA证书路径> + - export ATUNED_CLIENTCERT=<客户端证书路径> + - export ATUNED_CLIENTKEY=<客户端秘钥路径> + - export ATUNED_SERVERCN=server + - tlsservercafile:gPRC服务端CA证书路径。 + - tlsservercertfile:gPRC服务端证书路径。 + - tlsserverkeyfile:gPRC服务端秘钥路径。 + - rest_tls:系统rest service的SSL/TLS证书校验开关,默认开启。 + - tlsrestcacertfile:系统rest service的服务端CA证书路径。 + - tlsrestservercertfile:系统rest service的服务端证书路径 + - tlsrestserverkeyfile:系统rest service的服务端秘钥路径。 + - engine_tls:系统atune engine service的SSL/TLS证书校验开关,默认开启。 + - tlsenginecacertfile:系统atune engine service的客户端CA证书路径。 + - tlsengineclientcertfile:系统atune engine service的客户端证书路径 + - tlsengineclientkeyfile:系统atune engine service的客户端秘钥路径 - system信息 
@@ -131,84 +156,158 @@ A-Tune配置文件/etc/atuned/atuned.cnf的配置项说明如下: - disk:执行analysis流程时需要采集的对应磁盘的信息或执行磁盘相关优化时需要指定的磁盘。 - network:执行analysis时需要采集的对应的网卡的信息或执行网卡相关优化时需要指定的网卡。 + - user:执行ulimit相关优化时用到的用户名。目前只支持root用户。 - - tls:开启A-Tune的gRPC和http服务SSL/TLS证书校验,默认不开启。开启TLS后atune-adm命令在使用前需要设置以下环境变量方可与服务端进行通讯: - - export ATUNE\_TLS=yes - - export ATUNE\_CLICERT=<客户端证书路径\> - - - tlsservercertfile:gPRC服务端证书路径。 - - tlsserverkeyfile:gPRC服务端秘钥路径。 - - tlshttpcertfile:http服务端证书路径。 - - tlshttpkeyfile:http服务端秘钥路径。 - - tlshttpcacertfile:http服务端CA证书路径。 - + - 日志信息 - 根据情况修改日志的路径和级别,默认的日志信息在/var/log/messages中。 + 根据情况修改日志的级别,默认为info级别,日志信息打印在/var/log/messages中。 - monitor信息 为系统启动时默认采集的系统硬件信息。 + +- tuning信息 + + tuning为系统进行离线调优时需要用到的参数信息。 + + - noise:高斯噪声的评估值。 + - sel_feature:控制离线调优参数重要性排名输出的开关,默认关闭。 ### 配置示例 ``` -##################################### server ############################### -# atuned config -[server] -# the protocol grpc server running on -# ranges: unix or tcp -protocol = unix - -# the address that the grpc server to bind to -# default is unix socket /var/run/atuned/atuned.sock -# ranges: /var/run/atuned/atuned.sock or ip -address = /var/run/atuned/atuned.sock - -# the atuned grpc listening port, default is 60001 -# the port can be set between 0 to 65535 which not be used -port = 60001 - -# the rest service listening port, default is 8383 -# the port can be set between 0 to 65535 which not be used -rest_port = 8383 - -# when run analysis command, the numbers of collected data. 
-# default is 20 -sample_num = 20 - -# Enable gRPC and http server authentication SSL/TLS -# default is false -# tls = true -# tlsservercertfile = /etc/atuned/server.pem -# tlsserverkeyfile = /etc/atuned/server.key -# tlshttpcertfile = /etc/atuned/http/server.pem -# tlshttpkeyfile = /etc/atuned/http/server.key -# tlshttpcacertfile = /etc/atuned/http/cacert.pem - -##################################### log ############################### -# Either "debug", "info", "warn", "error", "critical", default is "info" -level = info - -##################################### monitor ############################### -[monitor] -# With the module and format of the MPI, the format is {module}_{purpose} -# The module is Either "mem", "net", "cpu", "storage" -# The purpose is "topo" -module = mem_topo, cpu_topo - -##################################### system ############################### -# you can add arbitrary key-value here, just like key = value -# you can use the key in the profile -[system] -# the disk to be analysis -disk = sda - -# the network to be analysis -network = enp189s0f0 - -user = root +#################################### server ############################### + # atuned config + [server] + # the protocol grpc server running on + # ranges: unix or tcp + protocol = unix + + # the address that the grpc server to bind to + # default is unix socket /var/run/atuned/atuned.sock + # ranges: /var/run/atuned/atuned.sock or ip address + address = /var/run/atuned/atuned.sock + + # the atune nodes in cluster mode, separated by commas + # it is valid when protocol is tcp + # connect = ip01,ip02,ip03 + + # the atuned grpc listening port + # the port can be set between 0 to 65535 which not be used + # port = 60001 + + # the rest service listening port, default is 8383 + # the port can be set between 0 to 65535 which not be used + rest_host = localhost + rest_port = 8383 + + # the tuning optimizer host and port, start by engine.service + # if engine_host is same as rest_host, two 
ports cannot be same + # the port can be set between 0 to 65535 which not be used + engine_host = localhost + engine_port = 3838 + + # when run analysis command, the numbers of collected data. + # default is 20 + sample_num = 20 + + # interval for collecting data, default is 5s + interval = 5 + + # enable gRPC authentication SSL/TLS + # default is false + # grpc_tls = false + # tlsservercafile = /etc/atuned/grpc_certs/ca.crt + # tlsservercertfile = /etc/atuned/grpc_certs/server.crt + # tlsserverkeyfile = /etc/atuned/grpc_certs/server.key + + # enable rest server authentication SSL/TLS + # default is true + rest_tls = true + tlsrestcacertfile = /etc/atuned/rest_certs/ca.crt + tlsrestservercertfile = /etc/atuned/rest_certs/server.crt + tlsrestserverkeyfile = /etc/atuned/rest_certs/server.key + + # enable engine server authentication SSL/TLS + # default is true + engine_tls = true + tlsenginecacertfile = /etc/atuned/engine_certs/ca.crt + tlsengineclientcertfile = /etc/atuned/engine_certs/client.crt + tlsengineclientkeyfile = /etc/atuned/engine_certs/client.key + + + #################################### log ############################### + [log] + # either "debug", "info", "warn", "error", "critical", default is "info" + level = info + + #################################### monitor ############################### + [monitor] + # with the module and format of the MPI, the format is {module}_{purpose} + # the module is Either "mem", "net", "cpu", "storage" + # the purpose is "topo" + module = mem_topo, cpu_topo + + #################################### system ############################### + # you can add arbitrary key-value here, just like key = value + # you can use the key in the profile + [system] + # the disk to be analysis + disk = sda + + # the network to be analysis + network = enp189s0f0 + + user = root + + #################################### tuning ############################### + # tuning configs + [tuning] + noise = 0.000000001 + sel_feature = false +``` + 
+A-Tune engine配置文件/etc/atuned/engine.cnf的配置项说明如下: + +- A-Tune engine服务启动配置 + + 可根据需要进行修改。 + + - engine_host:系统atune engine service的侦听地址,默认为localhost。 + - engine_port:系统atune engine service的侦听端口,范围为0~65535未使用的端口,默认为3838。 + - engine_tls:系统atune engine service的SSL/TLS证书校验开关,默认开启。 + - tlsenginecacertfile:系统atune engine service的服务端CA证书路径。 + - tlsengineservercertfile:系统atune engine service的服务端证书路径 + - tlsengineserverkeyfile:系统atune engine service的服务端秘钥路径。 + +- 日志信息 + + 根据情况修改日志的级别,默认为info级别,日志信息打印在/var/log/messages中。 + +### 配置示例 + +``` + #################################### engine ############################### + [server] + # the tuning optimizer host and port, start by engine.service + # if engine_host is same as rest_host, two ports cannot be same + # the port can be set between 0 to 65535 which not be used + engine_host = localhost + engine_port = 3838 + + # enable engine server authentication SSL/TLS + # default is true + engine_tls = true + tlsenginecacertfile = /etc/atuned/engine_certs/ca.crt + tlsengineservercertfile = /etc/atuned/engine_certs/server.crt + tlsengineserverkeyfile = /etc/atuned/engine_certs/server.key + + #################################### log ############################### + [log] + # either "debug", "info", "warn", "error", "critical", default is "info" + level = info ``` ## 启动A-Tune @@ -230,6 +329,25 @@ A-Tune安装完成后,需要启动A-Tune服务才能使用。 若回显为如下,则服务启动成功。 - ![](figures/zh-cn_image_0214540398.png) + ![](./figures/zh-cn_image_0214540398.png) + +## 启动A-Tune engine + +若需要使用AI相关的功能,需要启动A-Tune engine服务才能使用。 + +- 启动atune-engine服务: + + ``` + # systemctl start atune-engine + ``` + + +- 查询atune-engine服务状态: + + ``` + # systemctl status atune-engine + ``` + 若回显为如下,则服务启动成功。 + ![](./figures/zh-cn_image_0245342444.png) 
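Review bot: In the 安装与部署.md hunk `@@ -114,16 +118,37 @@`, `grpc_tls` is documented as off by default while `protocol` may be `tcp` and `address` is changed to a listening IP for distributed deployment, so the text should say that gRPC gets no certificate verification in that setup unless `grpc_tls` is enabled, and recommend enabling it whenever `protocol = tcp`. The `export ATUNED_SERVERCN=server` bullet is given as a fixed literal and needs a sentence on what the value has to match. Smaller points in the same hunk: "gPRC" should read "gRPC" in the three `tlsserver*` bullets, and the `tlsrestservercertfile`, `tlsengineclientcertfile` and `tlsengineclientkeyfile` bullets are missing their closing full stop.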
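Review bot: The sample atuned.cnf and engine.cnf in hunk `@@ -131,84 +156,158 @@` of 安装与部署.md set `rest_tls = true` and `engine_tls = true` and point at files under /etc/atuned/rest_certs and /etc/atuned/engine_certs, but the added text does not say where these certificates and keys come from or what ownership and mode the `.key` files should have. Please add a short step before "启动A-Tune" that covers creating or installing them and restricting the private keys to root, otherwise a reader following the install steps cannot tell whether the services will start with the defaults shown. The example lines are also now indented inside the fence, unlike the removed version; consider dropping the indentation so the file can be copied as is.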
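Review bot: In 使用方法.md, hunk `@@ -42,10 +43,6 @@` deletes the explanation of WORKLOAD_TYPE, PROFILE_NAME and PROFILE_PATH without adding one for the new naming, while the later examples define a profile with `test_service test_app test_scenario` and then refer to it as `test_service-test_app-test_scenario` in `undefine` and `update`. Please add a bullet that states how the profile name is formed from service_type, application_name and scenario_name (the examples imply a hyphen join), so the commands can be followed without guessing.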
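Review bot: In the `atune-adm info web-nginx-http-long-connection` sample output in 使用方法.md (hunks `@@ -361,11 +442,18 @@` and `@@ -393,36 +481,23 @@`), the new `[tip]` entry spells out the security trade-off of disabling SELinux, but the same profile still sets `fs.suid_dumpable = 1` and stops `sysmonitor` and `irqbalance` with no comparable note. `fs.suid_dumpable = 1` lets setuid programs dump core and is meant for debugging, so it deserves either a `[tip]` line or a sentence after the sample telling readers to review it before activating the profile on a production host.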
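Review bot: The server and client yaml examples in 使用方法.md hunk `@@ -900,102 +1039,60 @@` hard-code `/root/A-Tune/examples/tuning/compress/compress.py` in `get`, `set` and `benchmark` without saying that the A-Tune source tree has to be present at /root/A-Tune, and the usage line in the following hunk calls `compress_client.yaml` although the text never names the two files. Please state the prerequisite and the file names next to the examples. Also, in the `compressMethod` `set` command the bracket expression `[0-9,a-z,\"]` treats the commas as literal characters; `[0-9a-z\"]` is probably what was meant.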
diff --git "a/content/zh/docs/A-Tune/\345\270\270\350\247\201\351\227\256\351\242\230\344\270\216\350\247\243\345\206\263\346\226\271\346\263\225.md" "b/docs/zh/docs/A-Tune/\345\270\270\350\247\201\351\227\256\351\242\230\344\270\216\350\247\243\345\206\263\346\226\271\346\263\225.md" similarity index 100% rename from "content/zh/docs/A-Tune/\345\270\270\350\247\201\351\227\256\351\242\230\344\270\216\350\247\243\345\206\263\346\226\271\346\263\225.md" rename to "docs/zh/docs/A-Tune/\345\270\270\350\247\201\351\227\256\351\242\230\344\270\216\350\247\243\345\206\263\346\226\271\346\263\225.md" diff --git "a/content/zh/docs/A-Tune/\350\256\244\350\257\206A-Tune.md" "b/docs/zh/docs/A-Tune/\350\256\244\350\257\206A-Tune.md" similarity index 72% rename from "content/zh/docs/A-Tune/\350\256\244\350\257\206A-Tune.md" rename to "docs/zh/docs/A-Tune/\350\256\244\350\257\206A-Tune.md" index 25ad1784b7ae566694af07a31cb79e5974d068e2..4553464fe538a2be8b316fc72ea40d000f0f4878 100644 --- "a/content/zh/docs/A-Tune/\350\256\244\350\257\206A-Tune.md" +++ "b/docs/zh/docs/A-Tune/\350\256\244\350\257\206A-Tune.md" @@ -19,17 +19,17 @@ A-Tune是一款基于AI开发的系统性能优化引擎,它利用人工智能技术,对业务场景建立精准的系统画像,感知并推理出业务特征,进而做出智能决策,匹配并推荐最佳的系统参数配置组合,使业务处于最佳运行状态。 -![](figures/zh-cn_image_0227497000.png) +![](./figures/zh-cn_image_0227497000.png) ## 架构 A-Tune核心技术架构如下图,主要包括智能决策、系统画像和交互系统三层。 - 智能决策层:包含感知和决策两个子系统,分别完成对应用的智能感知和对系统的调优决策。 -- 系统画像层:主要包括标注和学习系统,标注系统用于业务模型的聚类,学习系统用于业务模型的学习和分类。 +- 系统画像层:主要包括自动特征工程和两层分类模型,自动特征工程用于业务特征的自动选择,两层分类模型用于业务模型的学习和分类。 - 交互系统层:用于各类系统资源的监控和配置,调优策略执行在本层进行。 -![](figures/zh-cn_image_0227497343.png) +![](./figures/zh-cn_image_0227497343.png) ## 支持特性与业务模型 @@ -48,14 +48,14 @@ A-Tune支持的主要特性、特性成熟度以及使用建议请参见[表1](#

七大类11款应用负载类型自动优化

+

11大类15款应用负载类型自动优化

已测试

试用

自定义负载类型和业务模型

+

自定义profile和业务模型

已测试

+ ### 支持业务模型 -根据应用的负载特征,A-Tune将业务分为七大类,各类型的负载特征和A-Tune支持的应用请参见[表2](#table2819164611311)。 +根据应用的负载特征,A-Tune将业务分为11大类,各类型的负载特征和A-Tune支持的应用请参见[表2](#table2819164611311)。 **表 2** 支持的业务类型和应用 - - - - +

负载模型

+ - @@ -93,87 +94,102 @@ A-Tune支持的主要特性、特性成熟度以及使用建议请参见[表1](# - - - - - - - - - - - - - - - - - - + + + + + - - - - - - - - - - - + + + + +

业务大类

业务类型

负载特征

+

瓶颈点

支持的应用

默认类型

CPU、内存带宽、网络、IO各维度资源使用率都不高

+

算力、内存、网络、IO各维度资源使用率都不高

N/A

webserver

https应用

+

web应用

CPU使用率高

+

算力瓶颈、网络瓶颈

Nginx

+

Nginx、Apache Traffic Server

big_database

+

database

数据库

  • 关系型数据库

    读: CPU、内存带宽、网络使用率高

    -

    写:IO使用率高

    -
-
  • 非关系型数据库

    CPU、IO使用率高

    -
+
算力瓶颈、内存瓶颈、IO瓶颈

MongoDB、MySQL、PostgreSQL、MariaDB

+

Mongodb、Mysql、Postgresql、Mariadb

big_data

+

big-data

大数据

CPU、IO使用率较高

+

算力瓶颈、内存瓶颈

Hadoop、Spark

+

Hadoop-hdfs、Hadoop-spark

in-memory_computing

+

middleware

内存密集型应用

+

中间件框架

CPU、内存带宽使用率高

+

算力瓶颈、网络瓶颈

SPECjbb2015

+

Dubbo

in-memory_database

+

in-memory-database

计算+网络密集型应用

+

内存数据库

CPU单核使用率高,多实例下网络使用率高

+

内存瓶颈、IO瓶颈

Redis

single_computer_intensive_jobs

+

basic-test-suite

+

基础测试套

+

算力瓶颈、内存瓶颈

+

SPECCPU2006、SPECjbb2015

+

hpc

计算密集型应用

+

人类基因组

CPU单核使用率高,部分子项内存带宽使用率高

+

算力瓶颈、内存瓶颈、IO瓶颈

SPECCPU2006

+

Gatk4

communication

+

storage

网络密集型应用

+

存储

CPU、网络使用率高

+

网络瓶颈、IO瓶颈

Dubbo

+

Ceph

idle

+

virtualization

系统idle

+

虚拟化

系统处于空闲状态,无任何应用运行

+

算力瓶颈、内存瓶颈、IO瓶颈

N/A

+

Consumer-cloud、Mariadb

+

docker

+

容器

+

算力瓶颈、内存瓶颈、IO瓶颈

+

Mariadb

+ diff --git "a/content/zh/docs/A-Tune/\351\231\204\345\275\225.md" "b/docs/zh/docs/A-Tune/\351\231\204\345\275\225.md" similarity index 69% rename from "content/zh/docs/A-Tune/\351\231\204\345\275\225.md" rename to "docs/zh/docs/A-Tune/\351\231\204\345\275\225.md" index f533f90985f5861224579785e2ea25a8bfcba1a9..80c87bad98827cce03e146ba202bad25b65b32fa 100644 --- "a/content/zh/docs/A-Tune/\351\231\204\345\275\225.md" +++ "b/docs/zh/docs/A-Tune/\351\231\204\345\275\225.md" @@ -17,11 +17,7 @@

workload_type

-

负载类型,用于标记具有相同特征的一类业务

-

profile

优化项集合,最佳的参数配置

@@ -29,3 +25,4 @@
+ diff --git a/content/zh/docs/Administration/FAQ-54.md b/docs/zh/docs/Administration/FAQ-54.md similarity index 57% rename from content/zh/docs/Administration/FAQ-54.md rename to docs/zh/docs/Administration/FAQ-54.md index 4f2b420466c5793add418c2f551ce62c12d405cc..2d8a2f11284133df0236af4df1b8a190bab53d83 100644 --- a/content/zh/docs/Administration/FAQ-54.md +++ b/docs/zh/docs/Administration/FAQ-54.md @@ -7,6 +7,11 @@ - [使用rpmbuild编译mariadb失败](#使用rpmbuild编译mariadb失败) - [使用默认配置启动SNTP服务失败](#使用默认配置启动sntp服务失败) - [安装时出现软件包冲突、文件冲突或缺少软件包导致安装失败](#安装时出现软件包冲突文件冲突或缺少软件包导致安装失败) + - [libiscsi降级失败](#libiscsi降级失败) + - [xfsprogs降级失败](#xfsprogs降级失败) + - [cpython/Lib发现CVE-2019-9674:Zip炸弹漏洞](#cpython/Lib发现CVE-2019-9674:Zip炸弹漏洞) + - [不合理使用glibc正则表达式引起ReDoS攻击](#不合理使用glibc正则表达式引起ReDoS攻击) + 
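Review bot: The two security entries added to the table of contents in FAQ-54.md use anchors that keep characters the existing entries drop. "#cpython/Lib发现CVE-2019-9674:Zip炸弹漏洞" contains "/", a full-width colon and upper-case letters, and "#不合理使用glibc正则表达式引起ReDoS攻击" keeps upper-case "ReDoS", while the existing entries in the same list are lower-cased and free of punctuation ("#使用rpmbuild编译mariadb失败", "#使用默认配置启动sntp服务失败"). Please confirm that these links resolve in the rendered page and normalise them the same way if they do not; these are the entries readers will follow when looking up a CVE.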
@@ -177,3 +182,107 @@ Error: ``` 3. 重新进行升级操作。 + +## libiscsi降级失败 + +### 问题现象 + +libiscsi-1.19.4 版本及以上降级到 libiscsi-1.19.3 及以下版本时失败。 + +``` +Error: +Problem: problem with installed package libiscsi-utils-1.19.0-4.oe1.x86_64 +- package libiscsi-utils-1.19.0-4.oe1.x86_64 requires libiscsi(x86-64) = 1.19.0-4.oe1, but none of the providers can be installed +- cannot install both libiscsi-1.19.0-3.oe1.x86_64 and libiscsi-1.19.0-4.oe1.x86_64 +- cannot install both libiscsi-1.19.0-4.oe1.x86_64 and libiscsi-1.19.0-3.oe1.x86_64 +- conflicting requests +(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages) +``` + +### 原因分析 + +libiscsi-1.19.3 之前的版本把 iscsi-xxx 等二进制文件打包进了主包 libiscsi,而这些二进制文件引入了不合理的依赖 CUnit, 为了解决这种不合理的依赖,在 libiscsi-1.19.4 版本把这些二进制文件单独拆分出来一个子包 libiscsi-utils,主包弱依赖于子包,产品可以根据自己的需求在做镜像时是否集成该子包;不集成或卸载子包不会影响 libiscsi 主包的功能。 +如果系统中安装了 libiscsi-utils 子包,libiscsi-1.19.4 及以上版本降级到 libiscsi-1.19.3 及以下版本时,由于 libiscsi-1.19.3 及以下版本无法提供对应的 libiscsi-utils,因此 libiscsi-utils 不会降级,但 libiscsi-utils 依赖于降级前的 libiscsi 主包,导致依赖问题无法解决,最终导致降级失败。 + +### 解决方案 + +执行以下命令,卸载 libiscsi-utils 子包,卸载成功后再进行降级操作。 + +``` +yum remove libiscsi-utils +``` + +## xfsprogs降级失败 + +### 问题现象 + +xfsprogs-5.6.0-2 及以上版本降级到 xfsprogs-5.6.0-1 及以下版本时失败。 + +``` +Error: +Problem: problem with installed package xfsprogs-xfs_scrub-5.6.0-2.oe1.x86_64 +- package xfsprogs-xfs_scrub-5.6.0-2.oe1.x86_64 requires xfsprogs = 5.6.0-2.oe1, but none of the providers can be installed +- cannot install both xfsprogs-5.6.0-1.oe1.x86_64 and xfsprogs-5.6.0-2.oe1.x86_64 +- cannot install both xfsprogs-5.6.0-2.oe1.x86_64 and xfsprogs-5.6.0-1.oe1.x86_64 +- conflicting requests +``` + +### 原因分析 + +在 xfsprogs-5.6.0-2 版本中,为了减少 xfsprogs 主包的不合理依赖,同时将实验性质的命令从主包中分来,我们将 xfs_scrub* 命令拆分到单独的 xfsprogs-xfs_scrub 子包中。而 xfsprogs 主包弱依赖于 xfsprogs-xfs_scrub 子包,所以产品可以根据自己的需求在做镜像时是否集成该子包,或者是否卸载该子包。不集成或卸载该子包不会影响 xfsprogs 主包功能。 + 
+如果系统中安装了 xfsprogs-xfs_scrub 子包,从 xfsprogs-5.6.0-2 及以上版本降级到 xfsprogs-5.6.0-1 及以下版本时,由于 xfsprogs-5.6.0-1 及以下版本无法提供对应的 xfsprogs-xfs_scrub,因此 xfsprogs-xfs_scrub 不会降级,但 xfsprogs-xfs_scrub 依赖于降级前的 xfsprogs 主包,导致依赖问题无法解决,最终导致降级失败。 + +### 解决方案 + +执行以下命令,卸载 xfsprogs-xfs_scrub 子包,卸载成功后再进行降级操作。 + +``` +yum remove xfsprogs-xfs_scrub +``` + +## cpython/Lib发现CVE-2019-9674:Zip炸弹漏洞 + +### 问题现象 + +Python 3.7.2 及以下版本中的 Lib/zipfile.py 允许远程攻击者通过 zip 炸弹制造拒绝服务请求,从而导致资源消耗过大。 + +### 原因分析 + +远程攻击者通过 zip 炸弹导致拒绝服务,影响目标系统业务甚至达到使系统崩溃的结果。zip 炸弹就是一个高压缩比的 zip 文件,它本身可能只有几M或几十M的大小,但是解压缩之后会产生巨大的数据量,产生巨大的资源消耗。 + +### 解决方案 + +在 zipfile 文档中添加告警信息: https://github.com/python/cpython/blob/3.7/Doc/library/zipfile.rst。 + +## 不合理使用glibc正则表达式引起ReDoS攻击 + +### 问题现象 + +使用glibc的regcomp/regexec接口编程,或者grep/sed等应用glibc正则表达式的shell命令,不合理的正则表达式或输入会造成ReDoS攻击(CVE-2019-9192/CVE-2018-28796)。 +典型正则表达式pattern为“反向引用”(\1表示)与“*”(匹配零次或多次)、“+”(匹配一次或多次)、“{m,n}”(最小匹配m次,最多匹配n次)的组合,或者配合超长字符串输入,示例如下: +``` +# echo D | grep -E "$(printf '(\0|)(\\1\\1)*')"Segmentation fault (core dumped) +# grep -E "$(printf '(|)(\\1\\1)*')" +Segmentation fault (core dumped) +# echo A | sed '/\(\)\(\1\1\)*/p' +Segmentation fault (core dumped) +# time python -c 'print "a"*40000' | grep -E "a{1,32767}" +Segmentation fault (core dumped) +# time python -c 'print "a"*40900' | grep -E "(a)\\1" +Segmentation fault (core dumped) +``` + +### 原因分析 + +使用正则表达式的进程coredump。具体原因为glibc正则表达式的实现为NFA/DFA混合算法,内部原理是使用贪婪算法进行递归查找,目的是尽可能匹配更多的字符串,贪婪算法在处理递归正则表达式时会导致ReDoS。 + +### 解决方案 + +1. 需要对用户做严格的权限控制,减少攻击面。 +2. 用户需保证正则表达式的正确性,不输入无效正则表达式,或者超长字符串配合正则的“引用” “*”等容易触发无限递归的组合。 + ``` + # ()(\1\1)* + # "a"*400000 + ``` +3. 用户程序在检测到进程异常之后,通过重启进程等手段恢复业务,提升程序的可靠性。 diff --git a/content/zh/docs/Administration/administration.md b/docs/zh/docs/Administration/administration.md similarity index 100% rename from content/zh/docs/Administration/administration.md rename to docs/zh/docs/Administration/administration.md 
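Review bot: In the FAQ-54.md hunk above, the first line of the ReDoS example block runs the command and its output together (the closing quote of the grep pattern is followed directly by "Segmentation fault (core dumped)"); the output needs its own line like the other four cases. In the same section the 解决方案 sample shows "a"*400000 while the reproduction uses 40000 and 40900, and the reproduction relies on Python 2 print syntax, so either name the interpreter or use a form that runs on both. The 原因分析 paragraph opens with the symptom (the process core dumps) and would read better with that sentence moved to 问题现象. For the CVE-2019-9674 entry, 解决方案 only links to the upstream zipfile documentation warning; an FAQ reader needs an action, for example checking the declared uncompressed size of each archive entry against a limit before extracting archives from untrusted sources. Please also double-check the CVE identifiers quoted in the ReDoS 问题现象 paragraph against the upstream glibc records before merging.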
diff --git a/content/zh/docs/Administration/figures/D1376B2A-D036-41C4-B852-E8368F363B5E-1.png b/docs/zh/docs/Administration/figures/D1376B2A-D036-41C4-B852-E8368F363B5E-1.png similarity index 100% rename from content/zh/docs/Administration/figures/D1376B2A-D036-41C4-B852-E8368F363B5E-1.png rename to docs/zh/docs/Administration/figures/D1376B2A-D036-41C4-B852-E8368F363B5E-1.png diff --git a/content/zh/docs/Administration/figures/D1376B2A-D036-41C4-B852-E8368F363B5E.png b/docs/zh/docs/Administration/figures/D1376B2A-D036-41C4-B852-E8368F363B5E.png similarity index 100% rename from content/zh/docs/Administration/figures/D1376B2A-D036-41C4-B852-E8368F363B5E.png rename to docs/zh/docs/Administration/figures/D1376B2A-D036-41C4-B852-E8368F363B5E.png diff --git "a/content/zh/docs/Administration/figures/PostgreSql\346\236\266\346\236\204.png" b/docs/zh/docs/Administration/figures/PostgreSql_architecture.png similarity index 100% rename from "content/zh/docs/Administration/figures/PostgreSql\346\236\266\346\236\204.png" rename to docs/zh/docs/Administration/figures/PostgreSql_architecture.png diff --git "a/content/zh/docs/Administration/figures/\346\220\255\345\273\272\346\225\260\346\215\256\347\233\230-0.png" b/docs/zh/docs/Administration/figures/creat_datadisk.png similarity index 100% rename from "content/zh/docs/Administration/figures/\346\220\255\345\273\272\346\225\260\346\215\256\347\233\230-0.png" rename to docs/zh/docs/Administration/figures/creat_datadisk.png diff --git "a/content/zh/docs/Administration/figures/\346\220\255\345\273\272\346\225\260\346\215\256\347\233\230.png" b/docs/zh/docs/Administration/figures/creat_datadisk1.png similarity index 100% rename from "content/zh/docs/Administration/figures/\346\220\255\345\273\272\346\225\260\346\215\256\347\233\230.png" rename to docs/zh/docs/Administration/figures/creat_datadisk1.png 
diff --git a/docs/zh/docs/Administration/figures/etmem-system-architecture.png b/docs/zh/docs/Administration/figures/etmem-system-architecture.png new file mode 100644 index 0000000000000000000000000000000000000000..1e077e00f44c0404526a4742d49c6e866601eee1 Binary files /dev/null and b/docs/zh/docs/Administration/figures/etmem-system-architecture.png differ diff --git a/docs/zh/docs/Administration/figures/ima_digest_list_update.png b/docs/zh/docs/Administration/figures/ima_digest_list_update.png new file mode 100644 index 0000000000000000000000000000000000000000..771067e31cee84591fbb914d7be4e8c576d7f5d2 Binary files /dev/null and b/docs/zh/docs/Administration/figures/ima_digest_list_update.png differ diff --git a/docs/zh/docs/Administration/figures/ima_performance.gif b/docs/zh/docs/Administration/figures/ima_performance.gif new file mode 100644 index 0000000000000000000000000000000000000000..72fad8a8333f7357c64a160c1d1c174c31201eaa Binary files /dev/null and b/docs/zh/docs/Administration/figures/ima_performance.gif differ diff --git a/docs/zh/docs/Administration/figures/ima_verification.png b/docs/zh/docs/Administration/figures/ima_verification.png new file mode 100644 index 0000000000000000000000000000000000000000..d022b9d4ea08d4af386c7b76ca28115ad90e5451 Binary files /dev/null and b/docs/zh/docs/Administration/figures/ima_verification.png differ diff --git "a/content/zh/docs/Administration/figures/MariaDB\351\200\273\350\276\221\346\236\266\346\236\204.png" b/docs/zh/docs/Administration/figures/logical_architectureofMariaDB.png similarity index 100% rename from "content/zh/docs/Administration/figures/MariaDB\351\200\273\350\276\221\346\236\266\346\236\204.png" rename to docs/zh/docs/Administration/figures/logical_architectureofMariaDB.png 
diff --git "a/content/zh/docs/Administration/figures/\347\231\273\345\275\225.png" b/docs/zh/docs/Administration/figures/login.png similarity index 100% rename from "content/zh/docs/Administration/figures/\347\231\273\345\275\225.png" rename to docs/zh/docs/Administration/figures/login.png diff --git "a/content/zh/docs/Administration/figures/nginx\351\203\250\347\275\262\346\210\220\345\212\237.png" b/docs/zh/docs/Administration/figures/nginx_deployed_success.png similarity index 100% rename from "content/zh/docs/Administration/figures/nginx\351\203\250\347\275\262\346\210\220\345\212\237.png" rename to docs/zh/docs/Administration/figures/nginx_deployed_success.png diff --git "a/content/zh/docs/Administration/figures/nginx\346\234\215\345\212\241\345\220\257\345\212\250\345\244\261\350\264\245.png" b/docs/zh/docs/Administration/figures/nginx_start_failed.png similarity index 100% rename from "content/zh/docs/Administration/figures/nginx\346\234\215\345\212\241\345\220\257\345\212\250\345\244\261\350\264\245.png" rename to docs/zh/docs/Administration/figures/nginx_start_failed.png diff --git "a/content/zh/docs/Administration/figures/nginx\346\234\215\345\212\241\345\220\257\345\212\250\346\210\220\345\212\237.png" b/docs/zh/docs/Administration/figures/nginx_start_success.png similarity index 100% rename from "content/zh/docs/Administration/figures/nginx\346\234\215\345\212\241\345\220\257\345\212\250\346\210\220\345\212\237.png" rename to docs/zh/docs/Administration/figures/nginx_start_success.png diff --git a/content/zh/docs/Administration/figures/postgres.png b/docs/zh/docs/Administration/figures/postgres.png similarity index 100% rename from content/zh/docs/Administration/figures/postgres.png rename to docs/zh/docs/Administration/figures/postgres.png 
diff --git "a/content/zh/docs/Administration/figures/top\346\230\276\347\244\272.png" b/docs/zh/docs/Administration/figures/top_display.png similarity index 100% rename from "content/zh/docs/Administration/figures/top\346\230\276\347\244\272.png" rename to docs/zh/docs/Administration/figures/top_display.png diff --git a/docs/zh/docs/Administration/figures/trusted_chain.png b/docs/zh/docs/Administration/figures/trusted_chain.png new file mode 100644 index 0000000000000000000000000000000000000000..034f0f092f41fb500ee4122339c447d10d4138ec Binary files /dev/null and b/docs/zh/docs/Administration/figures/trusted_chain.png differ diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0229622729.png b/docs/zh/docs/Administration/figures/zh-cn_image_0229622729.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0229622729.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0229622729.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0229622789.png b/docs/zh/docs/Administration/figures/zh-cn_image_0229622789.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0229622789.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0229622789.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0230050789.png b/docs/zh/docs/Administration/figures/zh-cn_image_0230050789.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0230050789.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0230050789.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143176.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143176.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143176.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143176.png 
diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143177.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143177.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143177.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143177.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143178.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143178.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143178.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143178.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143180.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143180.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143180.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143180.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143181.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143181.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143181.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143181.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143183.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143183.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143183.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143183.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143185.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143185.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143185.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143185.png 
diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143187.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143187.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143187.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143187.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143189.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143189.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143189.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143189.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143191.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143191.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143191.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143191.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143193.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143193.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143193.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143193.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143195.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143195.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143195.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143195.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143196.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143196.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143196.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143196.png 
diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143197.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143197.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143197.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143197.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231143198.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231143198.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231143198.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231143198.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231563132.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231563132.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231563132.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231563132.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231563134.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231563134.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231563134.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231563134.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231563135.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231563135.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231563135.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231563135.png diff --git a/content/zh/docs/Administration/figures/zh-cn_image_0231563136.png b/docs/zh/docs/Administration/figures/zh-cn_image_0231563136.png similarity index 100% rename from content/zh/docs/Administration/figures/zh-cn_image_0231563136.png rename to docs/zh/docs/Administration/figures/zh-cn_image_0231563136.png 
diff --git a/docs/zh/docs/Administration/memory-management.md b/docs/zh/docs/Administration/memory-management.md new file mode 100644 index 0000000000000000000000000000000000000000..6ab5946b20f593f11524d614ccf008c072358a0f --- /dev/null +++ b/docs/zh/docs/Administration/memory-management.md 
@@ -0,0 +1,211 @@ +# etmem内存分级扩展 + +## 介绍 +随着CPU算力的发展,尤其是ARM核成本的降低,内存成本和内存容量成为约束业务成本和性能的核心痛点,因此如何节省内存成本,如何扩大内存容量成为存储迫切要解决的问题。 + +etmem内存分级扩展技术,通过DRAM+内存压缩/高性能存储新介质形成多级内存存储,对内存数据进行分级,将分级后的内存冷数据从内存介质迁移到高性能存储介质中,达到内存容量扩展的目的,从而实现内存成本下降。 + +## 软件架构 +![](./figures/etmem-system-architecture.png) + +etmem客户端通过socket通信机制与服务端进行交互,下发创建/删除工程、启动/停止工程、查询工程的命令,服务端通过客户端下发的配置文件,读取project管理配置信息,以及engine配置信息,并执行客户端下发的操作。启动工程之后,服务端会对业务进程进行扫描,并根据扫描统计结果以及淘汰策略,对页面进行分级淘汰,实现节省内存的目标。 + + +## 编译教程 + +1. 下载etmem源码 +``` + # git clone https://gitee.com/src-openeuler/etmem.git +``` +2. 编译和运行依赖 + +etmem的编译和运行依赖于libboundscheck组件。 + +3. 编译 +``` + # cd etmem + # mkdir build + # cd build + # cmake .. + # make +``` +## 使用说明 + +### 启动etmemd进程 + +#### 使用方法 + +通过运行etmemd二进制运行服务端进程,例如: +``` +# etmemd -l 0 -s etmemd_socket +``` +#### 帮助信息 +``` +options: +-l|--log-level Log level +-s|--socket Socket name to listen to +-h|--help Show this message +``` +#### 命令行参数说明 + +| 参数 | 参数含义 | 是否必须 | 是否有参数 | 参数范围 | 示例说明 | +| --------------- | ---------------------------------- | -------- | ---------- | --------------------- | ------------------------------------------------------------ | +| -l或--log-level | etmemd日志级别 | 否 | 是 | 0~3 | 0:debug级别 1:info级别 2:warning级别 3:error级别 只有大于等于配置的级别才会打印到/var/log/message文件中 | +| -s或--socket | etmemd监听的名称,用于与客户端交互 | 是 | 是 | 107个字符之内的字符串 | 指定服务端监听的名称 | +| -h或--help | 帮助信息 | 否 | 否 | NA | 执行时带有此参数会打印后退出 | + +### etmem配置文件 + +在运行etmem进程之前,需要管理员预先规划哪些进程需要做内存扩展,将进程信息配置到etmem配置文件中,并配置内存扫描的周期、扫描次数、内存冷热阈值等信息。 + +配置文件的示例文件在源码包中,放置在源码根目录的conf/example_conf.yaml,建议在使用时放置在/etc/etmem/目录下,示例内容为: + +``` +options: + loop : 3 + interval : 1 + sleep: 2 + policies: + type : pid/name + value : 123456/mysql + max_threads: 3 + engine : slide + param: + T: 3 +``` + +配置文件各字段说明: + +| **置项** | **配置项含义** | **是否必须** | **是否有参数** | **参数范围** | **示例说明** | +| ----------- | ------------------------------------------------------------ | ------------ | -------------- | ------------------------- | 
------------------------------------------------------------ | +| options | project公用配置段起始标识 | 是 | 否 | NA | 每个配置文件有且仅有一个此字段,并且文件以此字段开始 | +| loop | 内存扫描的循环次数 | 是 | 是 | 1~120 | loop:3 //扫描3次 | +| interval | 每次内存扫描的时间间隔 | 是 | 是 | 1~1200 | interval:5 //每次扫描之间间隔5s | +| sleep | 每个内存扫描+操作的大周期之间时间间隔 | 是 | 是 | 1~1200 | sleep:10 //每次大周期之间间隔10s | +| policies | project中各task任务配置段起始标识 | 是 | 否 | NA | 一个project中可以配置多个task,每个task以policies:开头 | +| type | 目标进程识别的方式 | 是 | 是 | pid/name | pid代表通过进程号识别,name代表通过进程名称识别 | +| value | 目标进程识别的具体字段 | 是 | 是 | 实际的进程号/进程名称 | 与type字段配合使用,指定目标进程的进程号或进程名称,由使用者保证配置的正确及唯一性 | +| max_threads | etmemd内部线程池最大线程数,每个线程处理一个进程/子进程的内存扫描+操作任务 | 否 | 是 | 1~2 * core数 + 1,默认为1 | 对外部无表象,控制etmemd服务端内部处理线程个数,当目标进程有多个子进程时,配置越大,并发执行的个数也多,但占用资源也越多 | +| engine | 扫描引擎类型 | 是 | 是 | slide | 声明使用slide引擎进行冷热内存识别 | +| param | 扫描引擎私有参数配置起始标识 | 是 | 否 | NA | 引擎私有参数配置段以此标识起始,每个task对应一种引擎,每个引擎对应一个param及其字段 | +| T | slide引擎的水线配置 | 是 | 否 | 1~3 * loop | 水线阈值,大于等于此值的内存会被识别为热内存,反之为冷内存 | + +### etmem工程创建、删除、查询 + +#### 场景描述 + +1)管理员创建etmem工程(一个工程可包含多个etmem任务) + +2)管理员查询已有的etmem工程 + +3)管理员删除已有的etmem工程(删除工程前,会自动先停止该工程中的所有任务) + +#### 使用方法 + +通过etmem二进制执行工程创建/删除/查询操作,前提是服务端已经成功运行,并且配置文件(e.g. /etc/etmem/example_conf.yaml)内容正确。 + +添加工程: +``` +# etmem project add -n test -f /etc/etmem/example_conf.yaml -s etmemd_socket +``` +删除工程: +``` +# etmem project del -n test -s etmemd_socket +``` +查询工程: +``` +# etmem project show -s etmemd_socket +``` +打印帮助: +``` +# etmem project help +``` +#### 帮助信息 +``` +Usage: + etmem project add [options] + etmem project del [options] + etmem project show + etmem project help + + Options: + -f|--file Add configuration file + -n|--name Add project name + -s|--sock Socket name to connect + + Notes: + 1. Project name and socket name must be given when execute add or del option. + 2. Configuration file must be given when execute add option. + 3. Socket name must be given when execute show option. 
+``` +#### 命令行参数说明 + +add命令: + +| 参数 | 参数含义 | 是否必须 | 是否有参数 | 示例说明 | +| ------------ | ------------------------------------------------------------ | -------- | ---------- | -------------------------------------------------------- | +| -n或--name | 指定project名称 | 是 | 是 | project名称,与配置文件一一对应 | +| -f或--file | 指定project的配置文件 | 是 | 是 | 需要指定路径名称 | +| -s或--socket | 与etmemd服务端通信的socket名称,需要与etmemd启动时指定的保持一致 | 是 | 是 | 必须配置,在有多个etmemd时,由管理员选择与哪个etmemd通信 | + +del命令: + +| 参数 | 参数含义 | 是否必须 | 是否有参数 | 示例说明 | +| ------------ | ------------------------------------------------------------ | -------- | ---------- | -------------------------------------------------------- | +| -n或--name | 指定project名称 | 是 | 是 | project名称,与配置文件一一对应 | +| -s或--socket | 与etmemd服务端通信的socket名称,需要与etmemd启动时指定的保持一致 | 是 | 是 | 必须配置,在有多个etmemd时,由管理员选择与哪个etmemd通信 | + +show命令: + +| 参数 | 参数含义 | 是否必须 | 是否有参数 | 示例说明 | +| ------------ | ------------------------------------------------------------ | -------- | ---------- | -------------------------------------------------------- | +| -s或--socket | 与etmemd服务端通信的socket名称,需要与etmemd启动时指定的保持一致 | 是 | 是 | 必须配置,在有多个etmemd时,由管理员选择与哪个etmemd通信 | + +### etmem任务启动、停止 + +#### 场景描述 + +在已经通过etmem project add添加工程之后,在还未调用etmem project del删除工程之前,可以对etmem的工程进行启动和停止。 + +1)管理员启动已添加的工程 + +2)管理员停止已启动的工程 + +在管理员调用project del删除工程时,如果工程已经启动,则会自动停止。 + +#### 使用方法 + +通过etmem二进制执行任务启动/停止操作,前提是服务端已经成功运行,配置文件(e.g. /etc/etmem/example_conf.yaml)内容正确,且etmem工程已经创建。 + +启动工程 +``` +# etmem migrate start -n test -s etmemd_socket +``` +停止工程 +``` +# etmem migrate stop -n test -s etmemd_socket +``` +打印帮助 +``` +# etmem migrate help +``` +#### 帮助信息 +``` +Usage: + etmem migrate start [options] + etmem migrate stop [options] + etmem migrate help + + Options: + -n|--name Add project name + -s|--sock Socket name to connect + + Notes: + Project name and socket name must be given when execute start or stop option. 
+``` +#### 命令行参数说明 + +| 参数 | 参数含义 | 是否必须 | 是否有参数 | 示例说明 | +| ------------ | ------------------------------------------------------------ | -------- | ---------- | -------------------------------------------------------- | +| -n或--name | 指定project名称 | 是 | 是 | project名称,与配置文件一一对应 | +| -s或--socket | 与etmemd服务端通信的socket名称,需要与etmemd启动时指定的保持一致 | 是 | 是 | 必须配置,在有多个etmemd时,由管理员选择与哪个etmemd通信 | diff --git a/content/zh/docs/ApplicationDev/public_sys-resources/icon-caution.gif b/docs/zh/docs/Administration/public_sys-resources/icon-caution.gif similarity index 100% rename from content/zh/docs/ApplicationDev/public_sys-resources/icon-caution.gif rename to docs/zh/docs/Administration/public_sys-resources/icon-caution.gif diff --git a/content/zh/docs/ApplicationDev/public_sys-resources/icon-danger.gif b/docs/zh/docs/Administration/public_sys-resources/icon-danger.gif similarity index 100% rename from content/zh/docs/ApplicationDev/public_sys-resources/icon-danger.gif rename to docs/zh/docs/Administration/public_sys-resources/icon-danger.gif diff --git a/content/zh/docs/ApplicationDev/public_sys-resources/icon-note.gif b/docs/zh/docs/Administration/public_sys-resources/icon-note.gif similarity index 100% rename from content/zh/docs/ApplicationDev/public_sys-resources/icon-note.gif rename to docs/zh/docs/Administration/public_sys-resources/icon-note.gif diff --git a/content/zh/docs/ApplicationDev/public_sys-resources/icon-notice.gif b/docs/zh/docs/Administration/public_sys-resources/icon-notice.gif similarity index 100% rename from content/zh/docs/ApplicationDev/public_sys-resources/icon-notice.gif rename to docs/zh/docs/Administration/public_sys-resources/icon-notice.gif diff --git a/content/zh/docs/ApplicationDev/public_sys-resources/icon-tip.gif b/docs/zh/docs/Administration/public_sys-resources/icon-tip.gif similarity index 100% rename from content/zh/docs/ApplicationDev/public_sys-resources/icon-tip.gif rename to docs/zh/docs/Administration/public_sys-resources/icon-tip.gif 
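Review bot: In memory-management.md the help output and the parameter tables disagree on the long option name: both the "etmem project" and "etmem migrate" usage blocks print "-s|--sock", while every parameter table lists "-s或--socket"; make them match what the binary accepts. Other points in the same file: the configuration table header reads "置项" (missing "配"), the T row is marked 是否有参数 "否" although the sample configuration sets "T: 3", and the log-level row points to /var/log/message where the A-Tune section of this patch uses /var/log/messages. The architecture paragraph says the server executes whatever operations the client sends over the socket and then scans the target processes, so the 启动etmemd进程 section should also state which privileges etmemd needs and which users are allowed to connect to the socket named by -s. Step 2 of 编译教程 names the libboundscheck dependency without saying how to install it.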
diff --git a/content/zh/docs/ApplicationDev/public_sys-resources/icon-warning.gif b/docs/zh/docs/Administration/public_sys-resources/icon-warning.gif similarity index 100% rename from content/zh/docs/ApplicationDev/public_sys-resources/icon-warning.gif rename to docs/zh/docs/Administration/public_sys-resources/icon-warning.gif diff --git "a/content/zh/docs/Administration/\344\275\277\347\224\250DNF\347\256\241\347\220\206\350\275\257\344\273\266\345\214\205.md" "b/docs/zh/docs/Administration/\344\275\277\347\224\250DNF\347\256\241\347\220\206\350\275\257\344\273\266\345\214\205.md" similarity index 93% rename from "content/zh/docs/Administration/\344\275\277\347\224\250DNF\347\256\241\347\220\206\350\275\257\344\273\266\345\214\205.md" rename to "docs/zh/docs/Administration/\344\275\277\347\224\250DNF\347\256\241\347\220\206\350\275\257\344\273\266\345\214\205.md" index 91cffb82946202d9805fc1d6d2a53be00374398f..4543034539daf4aa39c5cf9745b33b9a5421649b 100644 --- "a/content/zh/docs/Administration/\344\275\277\347\224\250DNF\347\256\241\347\220\206\350\275\257\344\273\266\345\214\205.md" +++ "b/docs/zh/docs/Administration/\344\275\277\347\224\250DNF\347\256\241\347\220\206\350\275\257\344\273\266\345\214\205.md" 
@@ -1,598 +1,597 @@ -# 使用DNF管理软件包 - -DNF是一款Linux软件包管理工具,用于管理RPM软件包。DNF可以查询软件包信息,从指定软件库获取软件包,自动处理依赖关系以安装或卸载软件包,以及更新系统到最新可用版本。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->- DNF与YUM完全兼容,提供了YUM兼容的命令行以及为扩展和插件提供的API。 ->- 使用DNF需要管理员权限,本章所有命令需要在管理员权限下执行。 - - -- [使用DNF管理软件包](#使用dnf管理软件包) - - [配置DNF](#配置dnf) - - [DNF配置文件](#dnf配置文件) - - [创建本地软件源仓库](#创建本地软件源仓库) - - [添加、启用和禁用软件源](#添加启用和禁用软件源) - - [管理软件包](#管理软件包) - - [搜索软件包](#搜索软件包) - - [列出软件包清单](#列出软件包清单) - - [显示RPM包信息](#显示rpm包信息) - - [安装RPM包](#安装rpm包) - - [下载软件包](#下载软件包) - - [删除软件包](#删除软件包) - - [管理软件包组](#管理软件包组) - - [列出软件包组清单](#列出软件包组清单) - - [显示软件包组信息](#显示软件包组信息) - - [安装软件包组](#安装软件包组) - - [删除软件包组](#删除软件包组) - - [检查并更新](#检查并更新) - - [检查更新](#检查更新) - - [升级](#升级) - - [更新所有的包和它们的依赖](#更新所有的包和它们的依赖) - - - -## 配置DNF - - - -### DNF配置文件 - -DNF 的主要配置文件是 /etc/dnf/dnf.conf,该文件包含两部分: - -- “main”部分保存着DNF的全局设置。 - -- “repository”部分保存着软件源的设置,可以有一个或多个“repository”。 - -另外,在/etc/yum.repos.d 目录中保存着一个或多个repo源相关文件,它们也可以定义不同的“repository”。 - -所以openEuler软件源的配置一般有两种方式,一种是直接配置/etc/dnf/dnf.conf文件中的“repository”部分,另外一种是在/etc/yum.repos.d目录下增加.repo文件。 - -#### 配置main部分 - -/etc/dnf/dnf.conf 文件包含的“main”部分,配置示例如下: - -``` -[main] -gpgcheck=1 -installonly_limit=3 -clean_requirements_on_remove=True -best=True -``` - -常用选项说明: - -**表 1** main参数说明 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

参数

-

说明

-

cachedir

-

缓存目录,该目录用于存储RPM包和数据库文件。

-

keepcache

-

可选值是1和0,表示是否要缓存已安装成功的那些RPM包及头文件,默认值为0,即不缓存。

-

debuglevel

-

设置dnf生成的debug信息。取值范围:[0-10],数值越大会输出越详细的debug信息。默认值为2,设置为0表示不输出debug信息。

-

clean_requirements_on_remove

-

删除在dnf remove期间不再使用的依赖项,如果软件包是通过DNF安装的,而不是通过显式用户请求安装的,则只能通过clean_requirements_on_remove删除软件包,即它是作为依赖项引入的。 默认值为True。

-

best

-

升级包时,总是尝试安装其最高版本,如果最高版本无法安装,则提示无法安装的原因并停止安装。默认值为True。

-

obsoletes

-

可选值1和0,设置是否允许更新陈旧的RPM包。默认值为1,表示允许更新。

-

gpgcheck

-

可选值1和0,设置是否进行gpg校验。默认值为1,表示需要进行校验。

-

plugins

-

可选值1和0,表示启用或禁用dnf插件。默认值为1,表示启用dnf插件。

-

installonly_limit

-

设置可以同时安装“installonlypkgs”指令列出包的数量。默认值为3,不建议降低此值。

-
- -#### 配置repository部分 - -repository部分允许您定义定制化的openEuler软件源仓库,各个仓库的名称不能相同,否则会引起冲突。配置repository部分有两种方式,一种是直接配置/etc/dnf/dnf.conf文件中的“repository”部分,另外一种是配置/etc/yum.repos.d目录下的.repo文件。 - -- 直接配置/etc/dnf/dnf.conf文件中的“repository”部分 - - 下面是\[repository\]部分的一个最小配置示例: - - ``` - [repository] - name=repository_name - baseurl=repository_url - ``` - - >![](public_sys-resources/icon-note.gif) **说明:** - >openEuler提供在线的镜像源,地址:[https://repo.openeuler.org/](https://repo.openeuler.org/)。以 openEuler 20.03的aarch64版本为例,baseurl可配置为[https://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/](https://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/)。 - - 选项说明: - - **表 2** repository参数说明 - - - - - - - - - - - -

参数

-

说明

-

name=repository_name

-

软件仓库(repository )描述的字符串。

-

baseurl=repository_url

-

软件仓库(repository )的地址。

-
  • 使用http协议的网络位置:例如 http://path/to/repo
  • 使用ftp协议的网络位置:例如 ftp://path/to/repo
  • 本地位置:例如 file:///path/to/local/repo
-
- - -- 配置/etc/yum.repos.d目录下的.repo文件 - - openEuler提供了多种repo源供用户在线使用,各repo源含义可参考[系统安装]({{< relref "../Releasenotes/系统安装.md" >}}),以AArch64架构的OS repo源为例。使用root权限在openEuler_aarch64.repo文件中添加openEuler repo源,示例如下: - - ``` - # vi /etc/yum.repos.d/openEuler_aarch64.repo - ``` - - ``` - [osrepo] - name=osrepo - baseurl=https://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/ - enabled=1 - gpgcheck=1 - gpgkey=https://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/RPM-GPG-KEY-openEuler - - ``` - - >![](public_sys-resources/icon-note.gif) **说明:** - > - enabled为是否启用该软件源仓库,可选值为1和0。默认值为1,表示启用该软件源仓库。 - > - gpgkey为验证签名用的公钥。 - - -#### 显示当前配置 - -- 要显示当前的配置信息: - - ``` - dnf config-manager --dump - ``` - -- 要显示相应软件源的配置,首先查询repo id: - - ``` - dnf repolist - ``` - - 然后执行如下命令,显示对应id的软件源配置,其中 _repository_ 为查询得到的repo id: - - ``` - dnf config-manager --dump repository - ``` - -- 您也可以使用一个全局正则表达式,来显示所有匹配部分的配置: - - ``` - dnf config-manager --dump glob_expression - ``` - - -### 创建本地软件源仓库 - -要建立一个本地软件源仓库,请按照下列步骤操作。 - -1. 安装createrepo软件包。在root权限下执行如下命令: - - ``` - dnf install createrepo - ``` - -2. 将需要的软件包复制到一个目录下,如/mnt/local\_repo/ 。 -3. 
创建软件源,执行以下命令: - - ``` - createrepo --database /mnt/local_repo - ``` - - -### 添加、启用和禁用软件源 - -本节将介绍如何通过“dnf config-manager”命令添加、启用和禁用软件源仓库。 - -#### 添加软件源 - -要定义一个新的软件源仓库,您可以在 /etc/dnf/dnf.conf 文件中添加“repository”部分,或者在/etc/yum.repos.d/目录下添加“.repo”文件进行说明。建议您通过添加“.repo”的方式,每个软件源都有自己对应的“.repo”文件,以下介绍该方式的操作方法。 - -要在您的系统中添加一个这样的源,请在root权限下执行如下命令,执行完成之后会在/etc/yum.repos.d/目录下生成对应的repo文件。其中 _repository\_url_ 为repo源地址,详情请参见[表2](#zh-cn_topic_0151921080_t2df9dceb0ff64b2f8db8ec5cd779792a)。 - -``` -dnf config-manager --add-repo repository_url -``` - -#### 启用软件源 - -要启用软件源,请在root权限下执行如下命令,其中 _repository_ 为新增.repo文件中的repo id(可通过dnf repolist查询): - -``` -dnf config-manager --set-enable repository -``` - -您也可以使用一个全局正则表达式,来启用所有匹配的软件源。其中 _glob\_expression_ 为对应的正则表达式,用于同时匹配多个repo id: - -``` -dnf config-manager --set-enable glob_expression -``` - -#### 禁用软件源 - -要禁用软件源,请在root权限下执行如下命令: - -``` -dnf config-manager --set-disable repository -``` - -同样的,您也可以使用一个全局正则表达式来禁用所有匹配的软件源: - -``` -dnf config-manager --set-disable glob_expression -``` - -## 管理软件包 - -使用dnf能够让您方便的进行查询、安装、删除软件包等操作。 - -### 搜索软件包 - -您可以使用rpm包名称、缩写或者描述搜索需要的RPM包,使用命令如下: - -``` -dnf search term -``` - -示例如下: - -``` -$ dnf search httpd -========================================== N/S matched: httpd ========================================== -httpd.aarch64 : Apache HTTP Server -httpd-devel.aarch64 : Development interfaces for the Apache HTTP server -httpd-manual.noarch : Documentation for the Apache HTTP server -httpd-tools.aarch64 : Tools for use with the Apache HTTP Server -libmicrohttpd.aarch64 : Lightweight library for embedding a webserver in applications -mod_auth_mellon.aarch64 : A SAML 2.0 authentication module for the Apache Httpd Server -mod_dav_svn.aarch64 : Apache httpd module for Subversion server -``` - -### 列出软件包清单 - -要列出系统中所有已安装的以及可用的RPM包信息,使用命令如下: - -``` -dnf list all -``` - -要列出系统中特定的RPM包信息,使用命令如下: - -``` -dnf list glob_expression... 
-``` - -示例如下: - -``` -$ dnf list httpd -Available Packages -httpd.aarch64 2.4.34-8.h5.oe1 Local -``` - -### 显示RPM包信息 - -要显示一个或者多个RPM包信息,使用命令如下: - -``` -dnf info package_name... -``` - -例如搜索,命令如下: - -``` -$ dnf info httpd -Available Packages -Name : httpd -Version : 2.4.34 -Release : 8.h5.oe1 -Arch : aarch64 -Size : 1.2 M -Repo : Local -Summary : Apache HTTP Server -URL : http://httpd.apache.org/ -License : ASL 2.0 -Description : The Apache HTTP Server is a powerful, efficient, and extensible - : web server. -``` - -### 安装RPM包 - -要安装一个软件包及其所有未安装的依赖,请在root权限下执行如下命令: - -``` -dnf install package_name -``` - -您也可以通过添加软件包名字同时安装多个软件包。配置文件/etc/dnf/dnf.conf添加参数strict=False,运行dnf命令参数添加\-\-setopt=strict=0。请在root权限下执行如下命令: - -``` -dnf install package_name package_name... --setopt=strict=0 -``` - -示例如下: - -``` -# dnf install httpd -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->安装RPM包过程中,若出现安装失败,可参考[安装时出现软件包冲突、文件冲突或缺少软件包导致安装失败](FAQ-54.html#安装时出现软件包冲突文件冲突或缺少软件包导致安装失败)。 - -### 下载软件包 - -使用dnf下载软件包,请在root权限下输入如下命令: - -``` -dnf download package_name -``` - -如果需要同时下载未安装的依赖,则加上\-\-resolve,使用命令如下: - -``` -dnf download --resolve package_name -``` - -示例如下: - -``` -# dnf download --resolve httpd -``` - -### 删除软件包 - -要卸载软件包以及相关的依赖软件包,请在root权限下执行如下命令: - -``` -dnf remove package_name... -``` - -示例如下: - -``` -# dnf remove totem -``` - -## 管理软件包组 - -软件包集合是服务于一个共同的目的一组软件包,例如系统工具集等。使用dnf可以对软件包组进行安装/删除等操作,使相关操作更高效。 - -### 列出软件包组清单 - -使用summary参数,可以列出系统中所有已安装软件包组、可用的组,可用的环境组的数量,命令如下: - -``` -dnf groups summary -``` - -使用示例如下: - -``` -# dnf groups summary -Last metadata expiration check: 0:11:56 ago on Sat 17 Aug 2019 07:45:14 PM CST. -Available Groups: 8 -``` - -要列出所有软件包组和它们的组ID ,命令如下: - -``` -dnf group list -``` - -使用示例如下: - -``` -# dnf group list -Last metadata expiration check: 0:10:32 ago on Sat 17 Aug 2019 07:45:14 PM CST. 
-Available Environment Groups: - Minimal Install - Custom Operating System - Server -Available Groups: - Development Tools - Graphical Administration Tools - Headless Management - Legacy UNIX Compatibility - Network Servers - Scientific Support - Security Tools - System Tools - -``` - -### 显示软件包组信息 - -要列出包含在一个软件包组中必须安装的包和可选包,使用命令如下: - -``` -dnf group info glob_expression... -``` - -例如显示Development Tools信息,示例如下: - -``` -# dnf group info "Development Tools" -Last metadata expiration check: 0:14:54 ago on Wed 05 Jun 2019 08:38:02 PM CST. - -Group: Development Tools - Description: A basic development environment. - Mandatory Packages: - binutils - glibc-devel - make - pkgconf - pkgconf-m4 - pkgconf-pkg-config - rpm-sign - Optional Packages: - expect -``` - -### 安装软件包组 - -每一个软件包组都有自己的名称以及相应的ID(groupid),您可以使用软件包组名称或它的ID进行安装。 - -要安装一个软件包组,请在root权限下执行如下命令: - -``` -dnf group install group_name -``` - -``` -dnf group install groupid -``` - -例如安装Development Tools相应的软件包组,命令如下: - -``` -# dnf group install "Development Tools" -``` - -``` -# dnf group install development -``` - -### 删除软件包组 - -要卸载软件包组,您可以使用软件包组名称或它的ID,在root权限下执行如下命令: - -``` -dnf group remove group_name -``` - -``` -dnf group remove groupid -``` - -例如删除Development Tools相应的软件包组,命令如下: - -``` -# dnf group remove "Development Tools" -``` - -``` -# dnf group remove development -``` - -## 检查并更新 - -dnf可以检查您的系统中是否有软件包需要更新。您可以通过dnf列出需要更新的软件包,并可以选择一次性全部更新或者只对指定包进行更新。 - -### 检查更新 - -如果您需要显示当前系统可用的更新,使用命令如下: - -``` -dnf check-update -``` - -使用实例如下: - -``` -# dnf check-update -Last metadata expiration check: 0:02:10 ago on Sun 01 Sep 2019 11:28:07 PM CST. 
- -anaconda-core.aarch64 19.31.123-1.14 updates -anaconda-gui.aarch64 19.31.123-1.14 updates -anaconda-tui.aarch64 19.31.123-1.14 updates -anaconda-user-help.aarch64 19.31.123-1.14 updates -anaconda-widgets.aarch64 19.31.123-1.14 updates -bind-libs.aarch64 32:9.9.4-29.3 updates -bind-libs-lite.aarch64 32:9.9.4-29.3 updates -bind-license.noarch 32:9.9.4-29.3 updates -bind-utils.aarch64 32:9.9.4-29.3 updates -... -``` - -### 升级 - -如果您需要升级单个软件包,在root权限下执行如下命令: - -``` -dnf update package_name -``` - -例如升级rpm包,示例如下: - -``` -# dnf update anaconda-gui.aarch64 -Last metadata expiration check: 0:02:10 ago on Sun 01 Sep 2019 11:30:27 PM CST. -Dependencies Resolved -================================================================================ - Package Arch Version Repository Size -================================================================================ -Updating: - anaconda-gui aarch64 19.31.123-1.14 updates 461 k - anaconda-core aarch64 19.31.123-1.14 updates 1.4 M - anaconda-tui aarch64 19.31.123-1.14 updates 274 k - anaconda-user-help aarch64 19.31.123-1.14 updates 315 k - anaconda-widgets aarch64 19.31.123-1.14 updates 748 k - -Transaction Summary -================================================================================ -Upgrade 5 Package - -Total download size: 3.1 M -Is this ok [y/N]: -``` - -类似的,如果您需要升级软件包组,在root权限下执行如下命令: - -``` -dnf group update group_name -``` - -### 更新所有的包和它们的依赖 - -要更新所有的包和它们的依赖,在root权限下执行如下命令: - -``` -dnf update -``` +# 使用DNF管理软件包 + +DNF是一款Linux软件包管理工具,用于管理RPM软件包。DNF可以查询软件包信息,从指定软件库获取软件包,自动处理依赖关系以安装或卸载软件包,以及更新系统到最新可用版本。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>- DNF与YUM完全兼容,提供了YUM兼容的命令行以及为扩展和插件提供的API。 +>- 使用DNF需要管理员权限,本章所有命令需要在管理员权限下执行。 + + +- [使用DNF管理软件包](#使用dnf管理软件包) + - [配置DNF](#配置dnf) + - [DNF配置文件](#dnf配置文件) + - [创建本地软件源仓库](#创建本地软件源仓库) + - [添加、启用和禁用软件源](#添加启用和禁用软件源) + - [管理软件包](#管理软件包) + - [搜索软件包](#搜索软件包) + - [列出软件包清单](#列出软件包清单) + - [显示RPM包信息](#显示rpm包信息) + - [安装RPM包](#安装rpm包) + - [下载软件包](#下载软件包) + - 
[删除软件包](#删除软件包) + - [管理软件包组](#管理软件包组) + - [列出软件包组清单](#列出软件包组清单) + - [显示软件包组信息](#显示软件包组信息) + - [安装软件包组](#安装软件包组) + - [删除软件包组](#删除软件包组) + - [检查并更新](#检查并更新) + - [检查更新](#检查更新) + - [升级](#升级) + - [更新所有的包和它们的依赖](#更新所有的包和它们的依赖) + + + +## 配置DNF + + + +### DNF配置文件 + +DNF 的主要配置文件是 /etc/dnf/dnf.conf,该文件包含两部分: + +- “main”部分保存着DNF的全局设置。 + +- “repository”部分保存着软件源的设置,可以有一个或多个“repository”。 + +另外,在/etc/yum.repos.d 目录中保存着一个或多个repo源相关文件,它们也可以定义不同的“repository”。 + +所以openEuler软件源的配置一般有两种方式,一种是直接配置/etc/dnf/dnf.conf文件中的“repository”部分,另外一种是在/etc/yum.repos.d目录下增加.repo文件。 + +#### 配置main部分 + +/etc/dnf/dnf.conf 文件包含的“main”部分,配置示例如下: + +``` +[main] +gpgcheck=1 +installonly_limit=3 +clean_requirements_on_remove=True +best=True +``` + +常用选项说明: + +**表 1** main参数说明 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

参数

+

说明

+

cachedir

+

缓存目录,该目录用于存储RPM包和数据库文件。

+

keepcache

+

可选值是1和0,表示是否要缓存已安装成功的那些RPM包及头文件,默认值为0,即不缓存。

+

debuglevel

+

设置dnf生成的debug信息。取值范围:[0-10],数值越大会输出越详细的debug信息。默认值为2,设置为0表示不输出debug信息。

+

clean_requirements_on_remove

+

删除在dnf remove期间不再使用的依赖项,如果软件包是通过DNF安装的,而不是通过显式用户请求安装的,则只能通过clean_requirements_on_remove删除软件包,即它是作为依赖项引入的。 默认值为True。

+

best

+

升级包时,总是尝试安装其最高版本,如果最高版本无法安装,则提示无法安装的原因并停止安装。默认值为True。

+

obsoletes

+

可选值1和0,设置是否允许更新陈旧的RPM包。默认值为1,表示允许更新。

+

gpgcheck

+

可选值1和0,设置是否进行gpg校验。默认值为1,表示需要进行校验。

+

plugins

+

可选值1和0,表示启用或禁用dnf插件。默认值为1,表示启用dnf插件。

+

installonly_limit

+

设置可以同时安装“installonlypkgs”指令列出包的数量。默认值为3,不建议降低此值。

+
+ +#### 配置repository部分 + +repository部分允许您定义定制化的openEuler软件源仓库,各个仓库的名称不能相同,否则会引起冲突。配置repository部分有两种方式,一种是直接配置/etc/dnf/dnf.conf文件中的“repository”部分,另外一种是配置/etc/yum.repos.d目录下的.repo文件。 + +- 直接配置/etc/dnf/dnf.conf文件中的“repository”部分 + + 下面是\[repository\]部分的一个最小配置示例: + + ``` + [repository] + name=repository_name + baseurl=repository_url + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >openEuler提供在线的镜像源,地址:[https://repo.openeuler.org/](https://repo.openeuler.org/)。以 openEuler 21.03的aarch64版本为例,baseurl可配置为[https://repo.openeuler.org/openEuler-21.03/OS/aarch64/](https://repo.openeuler.org/openEuler-21.03/OS/aarch64/)。 + + 选项说明: + + **表 2** repository参数说明 + + + + + + + + + + + +

参数

+

说明

+

name=repository_name

+

软件仓库(repository )描述的字符串。

+

baseurl=repository_url

+

软件仓库(repository )的地址。

+
  • 使用http协议的网络位置:例如 http://path/to/repo
  • 使用ftp协议的网络位置:例如 ftp://path/to/repo
  • 本地位置:例如 file:///path/to/local/repo
+
+ + +- 配置/etc/yum.repos.d目录下的.repo文件 + + openEuler提供了多种repo源供用户在线使用,各repo源含义可参考[系统安装](./../Releasenotes/系统安装.md)。使用root权限添加openEuler repo源,示例如下: + + ``` + # vi /etc/yum.repos.d/openEuler.repo + ``` + + ``` + [OS] + name=openEuler-$releasever - OS + baseurl=https://repo.openeuler.org/openEuler-21.03/OS/$basearch/ + enabled=1 + gpgcheck=1 + gpgkey=https://repo.openeuler.org/openEuler-21.03/OS/$basearch/RPM-GPG-KEY-openEuler + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + > - enabled为是否启用该软件源仓库,可选值为1和0。默认值为1,表示启用该软件源仓库。 + > - gpgkey为验证签名用的公钥。 + + +#### 显示当前配置 + +- 要显示当前的配置信息: + + ``` + dnf config-manager --dump + ``` + +- 要显示相应软件源的配置,首先查询repo id: + + ``` + dnf repolist + ``` + + 然后执行如下命令,显示对应id的软件源配置,其中 _repository_ 为查询得到的repo id: + + ``` + dnf config-manager --dump repository + ``` + +- 您也可以使用一个全局正则表达式,来显示所有匹配部分的配置: + + ``` + dnf config-manager --dump glob_expression + ``` + + +### 创建本地软件源仓库 + +要建立一个本地软件源仓库,请按照下列步骤操作。 + +1. 安装createrepo软件包。在root权限下执行如下命令: + + ``` + dnf install createrepo + ``` + +2. 将需要的软件包复制到一个目录下,如/mnt/local\_repo/ 。 +3. 
创建软件源,执行以下命令: + + ``` + createrepo /mnt/local_repo + ``` + + +### 添加、启用和禁用软件源 + +本节将介绍如何通过“dnf config-manager”命令添加、启用和禁用软件源仓库。 + +#### 添加软件源 + +要定义一个新的软件源仓库,您可以在 /etc/dnf/dnf.conf 文件中添加“repository”部分,或者在/etc/yum.repos.d/目录下添加“.repo”文件进行说明。建议您通过添加“.repo”的方式,每个软件源都有自己对应的“.repo”文件,以下介绍该方式的操作方法。 + +要在您的系统中添加一个这样的源,请在root权限下执行如下命令,执行完成之后会在/etc/yum.repos.d/目录下生成对应的repo文件。其中 _repository\_url_ 为repo源地址,详情请参见[表2](#zh-cn_topic_0151921080_t2df9dceb0ff64b2f8db8ec5cd779792a)。 + +``` +dnf config-manager --add-repo repository_url +``` + +#### 启用软件源 + +要启用软件源,请在root权限下执行如下命令,其中 _repository_ 为新增.repo文件中的repo id(可通过dnf repolist查询): + +``` +dnf config-manager --set-enable repository +``` + +您也可以使用一个全局正则表达式,来启用所有匹配的软件源。其中 _glob\_expression_ 为对应的正则表达式,用于同时匹配多个repo id: + +``` +dnf config-manager --set-enable glob_expression +``` + +#### 禁用软件源 + +要禁用软件源,请在root权限下执行如下命令: + +``` +dnf config-manager --set-disable repository +``` + +同样的,您也可以使用一个全局正则表达式来禁用所有匹配的软件源: + +``` +dnf config-manager --set-disable glob_expression +``` + +## 管理软件包 + +使用dnf能够让您方便的进行查询、安装、删除软件包等操作。 + +### 搜索软件包 + +您可以使用rpm包名称、缩写或者描述搜索需要的RPM包,使用命令如下: + +``` +dnf search term +``` + +示例如下: + +``` +$ dnf search httpd +========================================== N/S matched: httpd ========================================== +httpd.aarch64 : Apache HTTP Server +httpd-devel.aarch64 : Development interfaces for the Apache HTTP server +httpd-manual.noarch : Documentation for the Apache HTTP server +httpd-tools.aarch64 : Tools for use with the Apache HTTP Server +libmicrohttpd.aarch64 : Lightweight library for embedding a webserver in applications +mod_auth_mellon.aarch64 : A SAML 2.0 authentication module for the Apache Httpd Server +mod_dav_svn.aarch64 : Apache httpd module for Subversion server +``` + +### 列出软件包清单 + +要列出系统中所有已安装的以及可用的RPM包信息,使用命令如下: + +``` +dnf list all +``` + +要列出系统中特定的RPM包信息,使用命令如下: + +``` +dnf list glob_expression... 
+``` + +示例如下: + +``` +$ dnf list httpd +Available Packages +httpd.aarch64 2.4.34-8.h5.oe1 Local +``` + +### 显示RPM包信息 + +要显示一个或者多个RPM包信息,使用命令如下: + +``` +dnf info package_name... +``` + +例如搜索,命令如下: + +``` +$ dnf info httpd +Available Packages +Name : httpd +Version : 2.4.34 +Release : 8.h5.oe1 +Arch : aarch64 +Size : 1.2 M +Repo : Local +Summary : Apache HTTP Server +URL : http://httpd.apache.org/ +License : ASL 2.0 +Description : The Apache HTTP Server is a powerful, efficient, and extensible + : web server. +``` + +### 安装RPM包 + +要安装一个软件包及其所有未安装的依赖,请在root权限下执行如下命令: + +``` +dnf install package_name +``` + +您也可以通过添加软件包名字同时安装多个软件包。配置文件/etc/dnf/dnf.conf添加参数strict=False,运行dnf命令参数添加\-\-setopt=strict=0。请在root权限下执行如下命令: + +``` +dnf install package_name package_name... --setopt=strict=0 +``` + +示例如下: + +``` +# dnf install httpd +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>安装RPM包过程中,若出现安装失败,可参考[安装时出现软件包冲突、文件冲突或缺少软件包导致安装失败](./FAQ-54.html#安装时出现软件包冲突文件冲突或缺少软件包导致安装失败)。 + +### 下载软件包 + +使用dnf下载软件包,请在root权限下输入如下命令: + +``` +dnf download package_name +``` + +如果需要同时下载未安装的依赖,则加上\-\-resolve,使用命令如下: + +``` +dnf download --resolve package_name +``` + +示例如下: + +``` +# dnf download --resolve httpd +``` + +### 删除软件包 + +要卸载软件包以及相关的依赖软件包,请在root权限下执行如下命令: + +``` +dnf remove package_name... +``` + +示例如下: + +``` +# dnf remove totem +``` + +## 管理软件包组 + +软件包集合是服务于一个共同的目的一组软件包,例如系统工具集等。使用dnf可以对软件包组进行安装/删除等操作,使相关操作更高效。 + +### 列出软件包组清单 + +使用summary参数,可以列出系统中所有已安装软件包组、可用的组,可用的环境组的数量,命令如下: + +``` +dnf groups summary +``` + +使用示例如下: + +``` +# dnf groups summary +Last metadata expiration check: 0:11:56 ago on Sat 17 Aug 2019 07:45:14 PM CST. +Available Groups: 8 +``` + +要列出所有软件包组和它们的组ID ,命令如下: + +``` +dnf group list +``` + +使用示例如下: + +``` +# dnf group list +Last metadata expiration check: 0:10:32 ago on Sat 17 Aug 2019 07:45:14 PM CST. 
+Available Environment Groups: + Minimal Install + Custom Operating System + Server +Available Groups: + Development Tools + Graphical Administration Tools + Headless Management + Legacy UNIX Compatibility + Network Servers + Scientific Support + Security Tools + System Tools + +``` + +### 显示软件包组信息 + +要列出包含在一个软件包组中必须安装的包和可选包,使用命令如下: + +``` +dnf group info glob_expression... +``` + +例如显示Development Tools信息,示例如下: + +``` +# dnf group info "Development Tools" +Last metadata expiration check: 0:14:54 ago on Wed 05 Jun 2019 08:38:02 PM CST. + +Group: Development Tools + Description: A basic development environment. + Mandatory Packages: + binutils + glibc-devel + make + pkgconf + pkgconf-m4 + pkgconf-pkg-config + rpm-sign + Optional Packages: + expect +``` + +### 安装软件包组 + +每一个软件包组都有自己的名称以及相应的ID(groupid),您可以使用软件包组名称或它的ID进行安装。 + +要安装一个软件包组,请在root权限下执行如下命令: + +``` +dnf group install group_name +``` + +``` +dnf group install groupid +``` + +例如安装Development Tools相应的软件包组,命令如下: + +``` +# dnf group install "Development Tools" +``` + +``` +# dnf group install development +``` + +### 删除软件包组 + +要卸载软件包组,您可以使用软件包组名称或它的ID,在root权限下执行如下命令: + +``` +dnf group remove group_name +``` + +``` +dnf group remove groupid +``` + +例如删除Development Tools相应的软件包组,命令如下: + +``` +# dnf group remove "Development Tools" +``` + +``` +# dnf group remove development +``` + +## 检查并更新 + +dnf可以检查您的系统中是否有软件包需要更新。您可以通过dnf列出需要更新的软件包,并可以选择一次性全部更新或者只对指定包进行更新。 + +### 检查更新 + +如果您需要显示当前系统可用的更新,使用命令如下: + +``` +dnf check-update +``` + +使用实例如下: + +``` +# dnf check-update +Last metadata expiration check: 0:02:10 ago on Sun 01 Sep 2019 11:28:07 PM CST. 
+ +anaconda-core.aarch64 19.31.123-1.14 updates +anaconda-gui.aarch64 19.31.123-1.14 updates +anaconda-tui.aarch64 19.31.123-1.14 updates +anaconda-user-help.aarch64 19.31.123-1.14 updates +anaconda-widgets.aarch64 19.31.123-1.14 updates +bind-libs.aarch64 32:9.9.4-29.3 updates +bind-libs-lite.aarch64 32:9.9.4-29.3 updates +bind-license.noarch 32:9.9.4-29.3 updates +bind-utils.aarch64 32:9.9.4-29.3 updates +... +``` + +### 升级 + +如果您需要升级单个软件包,在root权限下执行如下命令: + +``` +dnf update package_name +``` + +例如升级rpm包,示例如下: + +``` +# dnf update anaconda-gui.aarch64 +Last metadata expiration check: 0:02:10 ago on Sun 01 Sep 2019 11:30:27 PM CST. +Dependencies Resolved +================================================================================ + Package Arch Version Repository Size +================================================================================ +Updating: + anaconda-gui aarch64 19.31.123-1.14 updates 461 k + anaconda-core aarch64 19.31.123-1.14 updates 1.4 M + anaconda-tui aarch64 19.31.123-1.14 updates 274 k + anaconda-user-help aarch64 19.31.123-1.14 updates 315 k + anaconda-widgets aarch64 19.31.123-1.14 updates 748 k + +Transaction Summary +================================================================================ +Upgrade 5 Package + +Total download size: 3.1 M +Is this ok [y/N]: +``` + +类似的,如果您需要升级软件包组,在root权限下执行如下命令: + +``` +dnf group update group_name +``` + +### 更新所有的包和它们的依赖 + +要更新所有的包和它们的依赖,在root权限下执行如下命令: + +``` +dnf update +``` 
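Review bot: In the rewritten `.repo` example, `name=openEuler-$releasever - OS` takes the release from a variable while `baseurl` and `gpgkey` hardcode `openEuler-21.03`, so the section label and the repository actually used can disagree after a release change; use one form in all three lines. The minimal `[repository]` example and 表 2 still list plain `http://` and `ftp://` base URLs and never mention `gpgkey`, and the local-repository steps around `createrepo /mnt/local_repo` do not say how packages from that repository are verified; a sentence pointing at `gpgcheck=1` plus a `gpgkey` for those cases would close the gap. The hunk also replaces all 598 lines although most removed and added lines carry the same text, which buries the real changes (image paths, 20.03-LTS to 21.03, the `[OS]` block, dropping `--database`); if this is a whitespace or line-ending normalisation, it belongs in its own commit.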
diff --git "a/content/zh/docs/Administration/\344\275\277\347\224\250KAE\345\212\240\351\200\237\345\274\225\346\223\216.md" "b/docs/zh/docs/Administration/\344\275\277\347\224\250KAE\345\212\240\351\200\237\345\274\225\346\223\216.md" similarity index 96% rename from "content/zh/docs/Administration/\344\275\277\347\224\250KAE\345\212\240\351\200\237\345\274\225\346\223\216.md" rename to "docs/zh/docs/Administration/\344\275\277\347\224\250KAE\345\212\240\351\200\237\345\274\225\346\223\216.md" index da7e0e65396e5d3b6ec0186f2d591df1fd2e27ff..a38a7b85b745faef53b6c27f356f3455af37cd69 100644 --- "a/content/zh/docs/Administration/\344\275\277\347\224\250KAE\345\212\240\351\200\237\345\274\225\346\223\216.md" +++ "b/docs/zh/docs/Administration/\344\275\277\347\224\250KAE\345\212\240\351\200\237\345\274\225\346\223\216.md" @@ -80,12 +80,12 @@ KAE加速引擎主要有以下应用场景,如[表1](#table11915824163418)所 - TaiShan 200服务器,开启加速引擎功能 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 需要导入加速器许可证,具体操作请参考《[TaiShan 机架服务器 iBMC \(V500及以上\) 用户指南](https://support.huawei.com/enterprise/zh/doc/EDOC1100121687)》中“许可证管理”章节。 >- 物理机场景使用加速器需要关闭SMMU,具体操作请参考《[TaiShan 200服务器BIOS参数参考](https://support.huawei.com/enterprise/zh/doc/EDOC1100088653)》。 - CPU:Kunpeng 920 -- 操作系统:openEuler-20.03-LTS-aarch64-dvd.iso +- 操作系统:openEuler-21.03-aarch64-dvd.iso ##### KAE加速引擎软件说明 @@ -141,7 +141,7 @@ KAE加速引擎主要有以下应用场景,如[表1](#table11915824163418)所 3. 使用SSH远程登录工具,将所有加速引擎软件包拷贝到已建好的目录下。 4. 在存放加速引擎软件包目录下,使用rpm -ivh命令安装加速器引擎软件包。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >由于libkae包的安装依赖libwd包,所以libwd的安装必须先于libkae。 ``` @@ -286,7 +286,7 @@ hisi_zip-1.2.10-4.oe1.aarch64 ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >使用KAE引擎加速后签名性能从724.1 sign/s提升到2819sign/s。 - 使用OpenSSL的软件算法测试异步RSA性能。 
@@ -308,7 +308,7 @@ hisi_zip-1.2.10-4.oe1.aarch64 ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >使用KAE引擎加速后异步RSA签名性能从735.7 sign/s提升到 54384.1sign/s。 - 使用OpenSSL的软件算法测试SM4 CBC模式性能。 @@ -336,7 +336,7 @@ hisi_zip-1.2.10-4.oe1.aarch64 ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >使用KAE加速后SM4 CBC模式在输入数据块大小为8M时,从82312.53k/s提升到383317.33k/s。 - 使用OpenSSL的软件算法测试SM3模式性能。 @@ -363,7 +363,7 @@ hisi_zip-1.2.10-4.oe1.aarch64 ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >使用KAE加速后SM3算法在输入数据块大小为8M时,从52428.80 k/s提升到668292.44k/s。 - 使用OpenSSL软件算法测试AES算法CBC模式异步性能。 @@ -392,7 +392,7 @@ hisi_zip-1.2.10-4.oe1.aarch64 ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- AES仅支持数据长度为256KB及以下场景的异步使用。 >- 使用KAE加速后AES算法在输入数据块为100K大小时,从1123328.00k/s提升到3996774.40 k/s 。 @@ -411,15 +411,15 @@ hisi_zip-1.2.10-4.oe1.aarch64 命令和信息回显如下所示。 - ![](figures/zh-cn_image_0231143189.png) + ![](./figures/zh-cn_image_0231143189.png) - ![](figures/zh-cn_image_0231143191.png) + ![](./figures/zh-cn_image_0231143191.png) 5. 使用rpm -qa 命令查询是否升级成功。确认查询到的版本是最新的升级后版本。 - ![](figures/zh-cn_image_0231143193.png) + ![](./figures/zh-cn_image_0231143193.png) - ![](figures/zh-cn_image_0231143195.png) + ![](./figures/zh-cn_image_0231143195.png) 6. 重启系统或通过命令行手动卸载旧版本驱动,然后加载新版本驱动,并查看是否加载成功 @@ -466,16 +466,16 @@ hisi_zip-1.2.10-4.oe1.aarch64 3. 通过rpm -e 命令卸载加速引擎软件包。示例如下。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >由于存在依赖关系,卸载libwd前须先卸载libkae引擎软件包。 - ![](figures/zh-cn_image_0231143196.png) + ![](./figures/zh-cn_image_0231143196.png) - ![](figures/zh-cn_image_0231143197.png) + ![](./figures/zh-cn_image_0231143197.png) 4. 使用rpm -qa |grep 软件包名命令查询是否卸载成功。 - ![](figures/zh-cn_image_0231143198.png) + ![](./figures/zh-cn_image_0231143198.png) ## 日志查询 
@@ -519,7 +519,7 @@ hisi_zip-1.2.10-4.oe1.aarch64 ## 加速引擎的应用 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >如果用户未购买引擎许可证,建议用户不要通过kae引擎调用相应算法,否则可能会影响openssl加密算法的性能。 ### KAE引擎使用示例代码 diff --git "a/content/zh/docs/Administration/\344\275\277\347\224\250LVM\347\256\241\347\220\206\347\241\254\347\233\230.md" "b/docs/zh/docs/Administration/\344\275\277\347\224\250LVM\347\256\241\347\220\206\347\241\254\347\233\230.md" similarity index 98% rename from "content/zh/docs/Administration/\344\275\277\347\224\250LVM\347\256\241\347\220\206\347\241\254\347\233\230.md" rename to "docs/zh/docs/Administration/\344\275\277\347\224\250LVM\347\256\241\347\220\206\347\241\254\347\233\230.md" index 3add822aacd8b9d070e747d11a9de35cb7c464bc..e8f7b0f66283ea81b15f7db3711d0dce1a1eb0fb 100644 --- "a/content/zh/docs/Administration/\344\275\277\347\224\250LVM\347\256\241\347\220\206\347\241\254\347\233\230.md" +++ "b/docs/zh/docs/Administration/\344\275\277\347\224\250LVM\347\256\241\347\220\206\347\241\254\347\233\230.md" @@ -61,10 +61,10 @@ LVM是逻辑卷管理(Logical Volume Manager)的简称,它是Linux环境 ## 安装 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >openEuler操作系统默认已安装LVM。可通过**rpm -qa | grep lvm2**命令查询,若打印信息中包含“lvm2”信息,则表示已安装LVM,可跳过本章节内;若无任何打印信息,则表示未安装,可参考本章节内容进行安装。 -1. 配置本地yum源,详细信息请参考[搭建repo服务器](搭建repo服务器.html)。 +1. 配置本地yum源,详细信息请参考[搭建repo服务器](./搭建repo服务器.html)。 2. 清除缓存。 ``` @@ -274,7 +274,7 @@ vgextend [option] vgname pvname ... - vgname:要扩展容量的卷组名称。 - pvname:要加入到卷组中的物理卷名称。 -示例:将卷组vg1中添加物理卷/dev/sdb。 +示例:向卷组vg1中添加物理卷/dev/sdb。 ``` # vgextend vg1 /dev/sdb @@ -372,7 +372,7 @@ lvdisplay [option] [lvname] - lvname:指定要显示属性的逻辑卷对应的设备文件。如果省略,则显示所有的逻辑卷属性。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >逻辑卷对应的设备文件保存在卷组目录下,例如:在卷组vg1上创建一个逻辑卷lv1,则此逻辑卷对应的设备文件为/dev/vg1/lv1。 
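Review bot: The link fix in the `@@ -61,10 +61,10 @@` hunk of the LVM page keeps a rendered-site target, `./搭建repo服务器.html`, while the same commit moves the sources to `docs/zh/docs/Administration/*.md` and points the DNF page's 系统安装 link at a `.md` file. Pick one convention for cross-page links so they resolve both in the repository view and on the built site, and apply it to `./FAQ-54.html#...` in the DNF page as well.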
diff --git "a/docs/zh/docs/Administration/\345\217\257\344\277\241\350\256\241\347\256\227.md" "b/docs/zh/docs/Administration/\345\217\257\344\277\241\350\256\241\347\256\227.md" new file mode 100644 index 0000000000000000000000000000000000000000..ff7a25e8566b07804d0289278fd947ae88166ff4 --- /dev/null +++ "b/docs/zh/docs/Administration/\345\217\257\344\277\241\350\256\241\347\256\227.md" 
@@ -0,0 +1,639 @@ +# 可信计算 + + + +- [可信计算](#可信计算) + - [可信计算基础](#可信计算基础) + - [可信计算](#可信计算-1) + - [内核完整性度量(IMA)](#内核完整性度量ima) + - [概述](#概述) + - [约束限制](#约束限制) + - [使用场景](#使用场景) + - [操作指导](#操作指导) + - [FAQ](#faq) + - [附录](#附录) + + + + +## 可信计算基础 + +### 可信计算 + +不同国际组织对可信(Trusted)做了不同的定义。 + +1. 可信计算组织(TCG)的定义: + + 一个实体是可信的,它的行为总是以预期的方式达到预期的目标。 + +2. 国际标准化组织与国际电子技术委员会定义(1999): + + 参与计算的组件、操作或过程在任意的条件下是可预测的,并能够抵御病毒和一定程度的物理干扰。 + +3. IEEE Computer Society Technical Committee on Dependable Computing 定义: + + 所谓可信,是指计算机系统所提供的服务是可被论证其是可信赖的,可信赖主要是指系统的可靠性和可用性。 + +简而言之,可信就是系统按照预定的设计和策略运行,不做其他事情。 + +一个可信计算系统由信任根、可信硬件平台、可信操作系统和可信应用组成,它的基本思想是首先创建一个安全信任根(TCB),然后建立从硬件平台、操作系统到应用的信任链,在这条信任链上从根开始,前一级认证后一级,实现信任的逐级扩展,从而实现一个安全可信的计算环境。 + +![](./figures/trusted_chain.png) + +相比于传统安全机制的“头痛医头,脚痛医脚”,发现一个病毒消灭一个病毒,可信计算采用的是白名单机制,即只允许经过认证的内核、内核模块、应用程序等在系统上运行,如果发现程序已发生更改(或本来就是一个未知的程序),就拒绝其执行。 + +## 内核完整性度量(IMA) + +### 概述 + +#### IMA + +IMA,全称 Integrity Measurement Architecture(完整性度量架构),是内核中的一个子系统,能够基于自定义策略对通过 execve()、mmap() 和 open() 系统调用访问的文件进行度量,度量结果可被用于**本地/远程证明**,或者和已有的参考值比较以**控制对文件的访问**。 + +根据 IMA wiki 的定义,内核完整性子系统的功能可以被分为三部分: + +- 度量(measure):检测对文件的意外或恶意修改,无论远程还是本地。 +- 评估(appraise):度量文件并与一个存储在扩展属性中的参考值作比较,控制本地文件完整性。 +- 审计(audit):将度量结果写到系统日志中,用于审计。 + +可以看到,相比于 IMA 度量作为一个“只记录不干涉”的观察员,IMA 评估更像是一位严格的保安人员,它的职责是拒绝对所有“人证不一”的程序的访问。 + +#### EVM + +EVM,全称 Extended Verification Module(扩展验证模块),它的作用就是将系统当中某个文件的安全扩展属性,包括 security.ima 、security.selinux 等合起来计算一个哈希值,然后使用 TPM 中存的密钥或其他可信环境中的密钥对其进行签名,签名之后的值存在 security.evm 中,这个签名后的值是不能被篡改的,如果被篡改,再次访问的时候就会验签失败。 + +总而言之,EVM 的作用就是通过对安全扩展属性计算摘要和签名并将其存储在 security.evm 中,提供对安全扩展属性的离线保护。 + +#### IMA Digest Lists + +IMA Digest Lists(IMA 摘要列表扩展)是 openEuler 对内核原生完整性保护机制的增强,它取代了原生 IMA 机制为文件完整性提供保护。 + +“摘要列表”(digest lists)是一种特殊格式的二进制数据文件,它与 rpm 包一一对应,记录了 rpm 包中受保护文件(即可执行文件和动态库文件)的哈希值。 + +当正确配置启动参数后,内核将维护一个哈希表(对用户空间不可见),并通过 securityfs 对外提供更新哈希表的接口(digest_list_data 和 digest_list_data_del)。摘要列表在构建阶段经过私钥签名,通过接口上传到内核时,需经过内核中的公钥验证。 + +![](./figures/ima_digest_list_update.png) + +在开启 IMA 
评估的情况下,每当访问一个可执行文件或动态库文件,就会调用内核中的钩子,计算文件内容和扩展属性的哈希值,并在内核哈希表中进行搜索,如果匹配就允许文件的执行,否则就拒绝访问。 + +![1599719649188](./figures/ima_verification.png) + +相比内核社区原生 IMA 机制,openEuler 内核提供的 IMA 摘要列表扩展从安全性、性能、易用性三个方面进行了改良,助力完整性保护机制在生产环境下落地: + +- **具备完整的信任链,安全性好** + + 原生 IMA 机制要求在现网环境下预先生成并标记文件扩展属性,访问文件时将文件扩展属性作为参考值,信任链不完整。 + + IMA 摘要列表扩展将文件参考摘要值保存在内核空间中,构建阶段通过摘要列表的形式携带在发布的 rpm 包中,安装 rpm 包的同时导入摘要列表并执行验签,确保了参考值来自于软件发行商,实现了完整的信任链。 + +- **惊艳的性能** + + 由于 TPM 芯片是一种低速芯片,因此 PCR 扩展操作成为了 IMA 度量场景的性能瓶颈。摘要列表扩展在确保安全性的前提下,减少了不必要的 PCR 扩展操作,相比原生 IMA 性能提升高达 65%。 + + IMA 评估场景下,摘要列表扩展将签名验证统一移动到启动阶段进行,避免每次访问文件时都执行验签,相比原生 IMA 评估场景提升运行阶段文件访问的性能约 20%。 + +- **快速部署,平滑升级** + + 原生 IMA 机制在初次部署或每次更新软件包时,都需要切换到 fix 模式手动标记文件扩展属性后再重启进入 enforce 模式,才能正常访问安装的程序。 + + 摘要列表扩展可实现安装完成后开箱即用,且允许直接在 enforce 模式下安装或升级 rpm 包,无需重启和手动标记即可使用,实现了用户感知最小化,适合现网环境下的快速部署和平滑升级。 + +需要注意的是,IMA 摘要列表扩展将原生 IMA 的验签过程提前到启动阶段进行,也引入了一个假设,即内核空间的内存无法被篡改,这就使得 IMA 也依赖于其他安全机制(内核模块安全启动和内存动态度量)以保护内核内存的完整性。 + +但无论社区原生 IMA 机制还是 IMA 摘要列表扩展,都只是可信计算信任链中的一环,无法孤立地保证系统的安全性,安全自始至终都是一个构建纵深防御的系统工程。 + +### 约束限制 + +1. 当前 IMA 评估模式仅支持保护系统中的不可变文件(包括可执行文件和动态库文件)。 +2. IMA 提供的是应用层的完整性度量,它的安全性依赖于之前环节的可信。 +3. 当前阶段 IMA 不支持第三方应用摘要列表的导入。 +4. 启动日志中可能存在 `Unable to open file: /etc/keys/x509_ima.der` 字样,该报错来自于开源社区,不影响 IMA 摘要列表特性的使用。 +5. 
ARM 版本中 IMA 开启日志模式可能存在一些 audit 报错信息,这是由于 modprobe 在摘要列表未导入时加载内核模块所致,不影响正常功能。 + +### 使用场景 + +#### IMA measurement + +IMA 度量的目的是检测对系统文件的意外或恶意修改,度量结果可被用于本地证明或远程证明。 + +如果系统中存在 TPM 芯片,度量结果将被扩展到 TPM 芯片的指定 PCR 寄存器中,由于 PCR 扩展的单向性以及 TPM 芯片的硬件安全性,用户无法修改已被扩展的度量结果,这就确保了度量结果的真实性。 + +IMA 度量的文件范围和触发条件可以由用户通过 IMA 策略自行配置。 + +默认情况下 IMA 不启用,但系统会前往 `/etc/ima/` 路径下寻找 ima-policy 策略文件,如果找到,就会按照策略在启动时度量系统中的文件。如果不想手动编写策略文件,也可以在启动参数中配置 `ima_policy=tcb` 使用默认策略(更多策略参数请参考附录“IMA启动参数”章节)。 + +系统当前加载的 IMA 策略可以在 `/sys/kernel/security/ima/policy` 文件中查看,IMA 度量日志则位于`/sys/kernel/security/ima/ascii_runtime_measurements` 文件中,如下所示: + +```shell +$ head /sys/kernel/security/ima/ascii_runtime_measurements +10 ddee6004dc3bd4ee300406cd93181c5a2187b59b ima-ng sha1:9797edf8d0eed36b1cf92547816051c8af4e45ee boot_aggregate +10 180ecafba6fadbece09b057bcd0d55d39f1a8a52 ima-ng sha1:db82919bf7d1849ae9aba01e28e9be012823cf3a /init +10 ac792e08a7cf8de7656003125c7276968d84ea65 ima-ng sha1:f778e2082b08d21bbc59898f4775a75e8f2af4db /bin/bash +10 0a0d9258c151356204aea2498bbca4be34d6bb05 ima-ng sha1:b0ab2e7ebd22c4d17d975de0d881f52dc14359a7 /lib64/ld-2.27.so +10 0d6b1d90350778d58f1302d00e59493e11bc0011 ima-ng sha1:ce8204c948b9fe3ae67b94625ad620420c1dc838 /etc/ld.so.cache +10 d69ac2c1d60d28b2da07c7f0cbd49e31e9cca277 ima-ng sha1:8526466068709356630490ff5196c95a186092b8 /lib64/libreadline.so.7.0 +10 ef3212c12d1fbb94de9534b0bbd9f0c8ea50a77b ima-ng sha1:f80ba92b8a6e390a80a7a3deef8eae921fc8ca4e /lib64/libc-2.27.so +10 f805861177a99c61eabebe21003b3c831ccf288b ima-ng sha1:261a3cd5863de3f2421662ba5b455df09d941168 /lib64/libncurses.so.6.1 +10 52f680881893b28e6f0ce2b132d723a885333500 ima-ng sha1:b953a3fa385e64dfe9927de94c33318d3de56260 /lib64/libnss_files-2.27.so +10 4da8ce3c51a7814d4e38be55a2a990a5ceec8b27 ima-ng sha1:99a9c095c7928ecca8c3a4bc44b06246fc5f49de /etc/passwd +``` + +每一条记录从左到右分别是: + +1. PCR:用于扩展度量结果的 PCR 寄存器,默认是 10,只在系统装了 TPM 芯片的情况下有意义。 +2. 模板哈希值:最终被用于扩展的哈希值,组合了文件内容哈希和文件路径的长度和值。 +3. 模板:扩展度量值的模板,如 ima-ng。 +4. 
文件内容哈希值:被度量的文件内容的哈希值。 +5. 文件路径:被度量的文件路径。 + +#### IMA appraisal + +IMA 评估的目的是通过与标准参考值的比较,控制对本地文件的访问。 + +IMA 首先使用安全扩展属性 security.ima 和 security.evm 存储文件完整性度量的参考值: + +- security.ima:存储文件内容的哈希值; +- security.evm:存储文件扩展属性的哈希值签名。 + +访问受保护文件时,将会触发内核中的钩子,依次验证文件扩展属性和内容的完整性: + +1. 使用内核 keyring 中的公钥对文件 security.evm 扩展属性中的签名值验签,与当前文件扩展属性的哈希值比较,如果匹配就证明文件的扩展属性是完整的(包括 security.ima)。 +2. 在文件扩展属性完整的前提下,将文件 security.ima 扩展属性的内容与当前文件内容的摘要值比较,如果匹配就允许对文件的访问。 + +同样,IMA 评估的文件范围和触发条件也可以由用户通过 IMA 策略自行配置。 + +#### IMA Digest Lists + +IMA 摘要列表扩展当前提供对以下三种启动参数组合的支持: + +* IMA measurement 度量模式: + + ```shell + ima_policy=exec_tcb ima_digest_list_pcr=11 + ``` + +* IMA appraisal 日志模式 + IMA measurement 度量模式: + + ```shell + ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sha256 ima_appraise=log evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest + ``` + +* IMA appraisal 强制模式 + IMA measurement 度量模式: + + ```shell + ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sha256 ima_appraise=enforce-evm evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest + ``` + +### 操作指导 + +#### 原生 IMA 场景初次部署 + +第一次启动时,需要在启动参数中配置: + +```shell +ima_appraise=fix ima_policy=appraise_tcb +``` + +`fix` 模式会允许系统在没有参考值的情况下启动,`appraise_tcb` 对应了一种 IMA 策略,具体可参考附录中的“IMA 启动参数”章节。 + +接下来,你需要访问所有需要被校验的文件,从而为它们添加 IMA 扩展属性: + +```shell +$ time find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \; +``` + +该过程会花费一定时间,请耐心等待。命令执行完成后,你可以从受保护文件的扩展属性中看到参考值已被标记: + +```shell +$ getfattr -m - -d /sbin/init +# file: sbin/init +security.ima=0sAXr7Qmun5mkGDS286oZxCpdGEuKT +security.selinux="system_u:object_r:init_exec_t" +``` + +最后,配置以下启动参数并重新启动系统: + +```shell +ima_appraise=enforce ima_policy=appraise_tcb +``` + +#### 摘要列表场景初次部署 + +1. 
配置内核参数进入 log 模式。 + + 编辑 `/boot/efi/EFI/euleros/grub.cfg` 文件,加入以下参数: + + ```shell + ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sha256 ima_appraise=log evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest + ``` + + 使用 `reboot` 重启系统进入 log 模式,该模式下已开启完整性校验,但不会因校验失败而无法启动。 + +2. 安装依赖包。 + + 使用 yum 安装 digest-list-tools 和 ima-evm-utils,确认不低于以下版本: + + ```shell + $ yum install digest-list-tools ima-evm-utils + $ rpm -qa | grep digest-list-tools + digest-list-tools-0.3.93-1.oe1.x86_64 + $ rpm -qa | grep ima-evm-utils + ima-evm-utils-1.2.1-9.oe1.x86_64 + ``` + +3. 如果安装了 plymouth 包,需要编辑 `/usr/libexec/plymouth/plymouth-populate-initrd` 脚本文件,在第 147 行的 cp 命令后增加 `-a`: + + ```shell + ... + ddebug "Installing $_src" + cp -a --sparse=always -pfL "$PLYMOUTH_SYSROOT$_src" "${initdir}/$target" + } + ``` + +4. 执行 `dracut` 重新生成 initrd: + + ```shell + $ dracut -f -e xattr + ``` + + 编辑 `/boot/efi/EFI/euleros/grub.cfg` 文件,将 ima_appraise=log 改为 ima_appraise=enforce-evm: + + ```shell + ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sha256 ima_appraise=enforce-evm evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest + ``` + + 使用 reboot 重启即可完成初次部署。 + +#### 在 OBS 上进行摘要列表构建 + +OBS 全称 Open Build Service,是一种编译系统,最早在 openSUSE 用于软件包的构建,能够支持多架构的分布式编译。 + +进行摘要列表构建之前,首先确保您的工程包含以下 rpm 包,且来自 openEuler: + +* digest-list-tools +* pesign-obs-integration +* selinux-policy +* rpm +* openEuler-rpm-config + +在交付件工程中增加 Project Config: + +```shell +Preinstall: pesign-obs-integration digest-list-tools selinux-policy-targeted +Macros: +%__brp_digest_list /usr/lib/rpm/openEuler/brp-digest-list %{buildroot} +:Macros +``` + +* 在 Preinstall 中新增 digest-list-tools 用于生成摘要列表,pesign-obs-integration 用于生成摘要列表的签名,新增 selinux-policy-targeted 用于确保生成摘要列表时构建环境内 SELinux 标签正确。 +* 在 Macros 中定义宏 %__brp_digest_list,rpm 
将在构建阶段通过这个宏执行命令为编译完成的二进制文件生成摘要列表。这个宏可以作为一个开关控制工程中的摘要列表是否生成。 + +配置完成后,OBS 会自动执行全量构建,正常情况下构建完成后,软件包中会新增以下两个文件: + +* /etc/ima/digest_lists/0-metadata_list-compact-[包名]-[版本号] +* /etc/ima/digest_lists.tlv/0-metadata_list-compact_tlv-[包名]-[版本号] + +#### 在 Koji 上进行摘要列表构建 + +Koji 是 Fedora 社区的编译系统,openEuler 社区将在后续支持,敬请期待。 + +### FAQ + +1. 为什么进入 enforce 模式后系统无法启动或启动后命令无法执行/服务不正常? + + enforce 模式下 IMA 会对文件访问做控制,如果访问文件的内容或扩展属性不完整,就会被拒绝访问,当影响启动的关键命令无法执行时,就会造成系统无法启动。 + + 请确认是否存在以下问题: + + * **摘要列表是否被加入到 initrd 中?** + + 初次部署时是否执行了 dracut 命令将摘要列表加入内核?如果摘要列表没有加入 initrd,启动阶段就无法导入摘要列表,从而导致启动失败。 + + * **是否使用官方提供的 rpm 包?** + + 如果使用的是非 openEuler 官方提供的 rpm 包,rpm 包可能没有携带摘要列表,或者对摘要列表签名的私钥与内核中的验签公钥不匹配,从而导致摘要列表没有被导入内核。 + + 如果原因还不明确,可以进入 log 模式启动,从错误日志中寻找原因: + + ```shell + $ dmesg | grep appraise + ``` + +2. 为什么 enforce 模式下没有对系统文件做访问控制? + + 系统没有按照预期对文件执行访问控制,首先查看启动参数中的 IMA 策略是否已被正确配置: + + ```shell + $ cat /proc/cmdline + ...ima_policy=exec_tcb|appraise_exec_tcb|appraise_exec_immutable... + ``` + + 其次查看当前内核中 IMA 策略是否已生效: + + ```shell + $ cat /sys/kernel/security/ima/policy + ``` + + 如果 policy 文件是空的,证明策略没有设置成功,系统也就不会进行访问控制。 + +3. 初次部署完成后,安装/升级/卸载软件包后还需要手动执行 dracut 生成 initrd 吗? 
+ + 不需要。rpm 包提供的 digest_list.so 插件能够在 rpm 包粒度提供摘要列表的自动更新,可以实现用户对摘要列表的无感知。 + +### 附录 + +#### IMA securityfs 接口说明 + +原生 IMA 提供的 securityfs 接口如下: + +> 注:以下接口路径都位于 `/sys/kernel/security/` 目录下。 + +| 路径 | 权限 | 说明 | +| ------------------------------ | ---- | ---------------------------------------- | +| ima/policy | 600 | IMA 策略接口 | +| ima/ascii_runtime_measurement | 440 | ascii 码形式表示的 IMA 度量结果 | +| ima/binary_runtime_measurement | 440 | 二进制形式表示的 IMA 度量结果 | +| ima/runtime_measurement_count | 440 | 度量结果数量统计 | +| ima/violations | 440 | IMA 度量结果冲突数 | +| evm | 660 | EVM 模式,即校验文件扩展属性完整性的方式 | + +其中,`/sys/kernel/security/evm` 的取值有以下三种: + +* 0:EVM 未初始化; +* 1:使用 HMAC(对称加密)方式校验扩展属性完整性; +* 2:使用公钥验签(非对称加密)方式校验扩展属性完整性; +* 6:关闭扩展属性完整性校验(openEuler 使用此方式)。 + +IMA 摘要列表扩展额外提供的 securityfs 接口如下: + +| 路径 | 权限 | 说明 | +| ------------------------ | ---- | --------------------------------------- | +| ima/digests_count | 440 | 显示系统哈希表中的总摘要数量(IMA+EVM) | +| ima/digest_list_data | 200 | 摘要列表新增接口 | +| ima/digest_list_data_del | 200 | 摘要列表删除接口 | + +#### IMA 策略语法 + +每条 IMA 策略语句都必须以 action 关键字代表的**动作**开头,后接**筛选条件**: + +- action:表示该条策略具体的动作,一条策略只能选一个 action。 + + > 注:实际书写时**可忽略 action 字样**,直接书写 dont_measure,不需要写成 action=dont_measure。 + +- func:表示被度量或鉴定的文件类型,常和 mask 匹配使用,一条策略只能选一个 func。 + + - FILE_CHECK 只能同 MAY_EXEC、MAY_WRITE、MAY_READ 匹配使用。 + - MODULE_CHECK、MMAP_CHECK、BPRM_CHECK 只能同 MAY_EXEC 匹配使用。 + - 匹配关系以外的组合不会产生效果。 + +- mask:表示文件在做什么操作时将被度量或鉴定,一条策略只能选一个 mask。 + +- fsmagic:表示文件系统类型的十六进制魔数,定义在 `/usr/include/linux/magic.h` 文件中。 + + > 注:默认情况下度量所有文件系统,除非使用 dont_measure/dont_appraise 标记不度量某文件系统。 + +- fsuuid:表示系统设备 uuid 的 16 位的十六进制字符串。 + +- objtype:表示文件类型,一条策略只能选一个文件类型。 + + > 注:objtype 相比 func 而言,划分的粒度更细,比如 obj_type=nova_log_t 表示 nova log 类型的文件。 + +- uid:表示哪个用户(用用户 id 表示)对文件进行操作,一条策略只能选一个 uid。 + +- fowner:表示文件的属主(用用户 id 表示)是谁,一条策略只能选一个 fowner。 + +关键字的具体取值及说明如下: + +| 关键字 | 值 | 说明 | +| ------------- | ------------------ | ------------------------------------------------------------ | +| action | measure | 开启 IMA 
度量 | +| | dont_measure | 禁用 IMA 度量 | +| | appraise | 开启 IMA 评估 | +| | dont_appraise | 禁用 IMA 评估 | +| | audit | 开启审计 | +| func | FILE_CHECK | 将要被打开的文件 | +| | MODULE_CHECK | 将要被装载的内核模块文件 | +| | MMAP_CHECK | 将要被映射到进程内存空间的动态库文件 | +| | BRPM_CHECK | 将要被执行的文件(不含通过 `/bin/hash` 等程序打开的脚本文件) | +| | POLICY_CHECK | 将要被作为补充 IMA 策略装载的文件 | +| | FIRMWARE_CHECK | 将要被加载到内存中的固件 | +| | DIGEST_LIST_CHECK | 将要被加载到内核中的摘要列表文件 | +| | KEXEC_KERNEL_CHECK | 将要切换的 kexec 内核 | +| mask | MAY_EXEC | 执行文件 | +| | MAY_WRITE | 写文件。不建议使用,受限于 echo、vim 等开源机制(修改本质是新建临时文件再重命名),并不是每次修改都会触发 MAY_WRITE 的 IMA 度量。 | +| | MAY_READ | 读文件 | +| | MAY_APPEND | 扩展文件属性 | +| fsmagic | fsmagic=xxx | 表示文件系统类型的十六进制魔数 | +| fsuuid | fsuuid=xxx | 表示系统设备 uuid 的 16 位的十六进制字符串 | +| fowner | fowner=xxx | 文件属主的用户 id | +| uid | uid=xxx | 操作文件的用户 id | +| obj_type | obj_type=xxx_t | 表示文件的类型(基于 SELinux 标签) | +| pcr | pcr=\ | 选择 TPM 中用于扩展度量值的 PCR(默认为 10) | +| appraise_type | imasig | 基于签名进行 IMA 评估 | +| | meta_immutable | 基于签名进行文件扩展属性的评估(支持摘要列表) | + +> 注:PATH_CHECK 等同于 FILE_CHECK,FILE_MMAP 等同于 MMAP_CHECK,不在本表提及。 + +#### IMA 原生启动参数 + +原生 IMA 的内核启动参数列表如下: + +| 参数名称 | 取值 | 功能 | +| ---------------- | ------------ | ------------------------------------------------------------ | +| ima_appraise | off | 关闭 IMA 评估模式,在访问文件时不进行完整性校验,也不为文件生成新的参考值。 | +| | enforce | 开启 IMA 评估强制模式,在访问文件时进行完整性校验,即计算文件摘要值并与参考值比对,如果比对失败就拒绝对文件的访问。IMA 会为新文件生成新的参考值。 | +| | fix | 开启 IMA 修复模式,在该模式下允许更新受保护文件的参考值。 | +| | log | 开启 IMA 评估日志模式,在访问文件时进行完整性校验,但即使校验失败也允许执行命令,只进行日志记录。 | +| ima_policy | tcb | 度量所有文件执行、动态库映射、内核模块导入以及设备驱动加载,此外,root 用户读文件的行为也会被度量。 | +| | appraise_tcb | 对所有 root 属主的文件进行评估。 | +| | secure_boot | 对所有内核模块导入、硬件驱动加载、kexec 内核切换以及 IMA 策略进行评估,前提是这些文件都具有 IMA 签名, | +| ima_tcb | 无 | 等价于 ima_policy=tcb | +| ima_appraise_tcb | 无 | 等价于 ima_policy=appraise_tcb | +| ima_hash | sha1/md5/... 
| IMA 摘要算法,默认为 sha1 | +| ima_template | ima | IMA 度量扩展模板 | +| | ima-ng | IMA 度量扩展模板 | +| | ima-sig | IMA 度量扩展模板 | +| integrity_audit | 0 | 基础完整性审计信息(默认) | +| | 1 | 额外完整性审计信息 | + +> 注:ima_policy 参数可以同时指定多个值,例如 ima_policy=tcb|appraise_tcb,启动后系统的 IMA 策略就是这两种参数对应的策略的总和。 + +启动参数 `ima_policy=tcb` 对应的 IMA 策略为: + +``` +# PROC_SUPER_MAGIC = 0x9fa0 +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC = 0x62656572 +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC = 0x64626720 +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC = 0x01021994 +dont_measure fsmagic=0x1021994 +# DEVPTS_SUPER_MAGIC=0x1cd1 +dont_measure fsmagic=0x1cd1 +# BINFMTFS_MAGIC=0x42494e4d +dont_measure fsmagic=0x42494e4d +# SECURITYFS_MAGIC=0x73636673 +dont_measure fsmagic=0x73636673 +# SELINUX_MAGIC=0xf97cff8c +dont_measure fsmagic=0xf97cff8c +# SMACK_MAGIC=0x43415d53 +dont_measure fsmagic=0x43415d53 +# CGROUP_SUPER_MAGIC=0x27e0eb +dont_measure fsmagic=0x27e0eb +# CGROUP2_SUPER_MAGIC=0x63677270 +dont_measure fsmagic=0x63677270 +# NSFS_MAGIC=0x6e736673 +dont_measure fsmagic=0x6e736673 +measure func=MMAP_CHECK mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC +measure func=FILE_CHECK mask=MAY_READ uid=0 +measure func=MODULE_CHECK +measure func=FIRMWARE_CHECK +``` + +启动参数 `ima_policy=tcb_appraise` 对应的 IMA 策略为: + +``` +# PROC_SUPER_MAGIC = 0x9fa0 +dont_appraise fsmagic=0x9fa0 +# SYSFS_MAGIC = 0x62656572 +dont_appraise fsmagic=0x62656572 +# DEBUGFS_MAGIC = 0x64626720 +dont_appraise fsmagic=0x64626720 +# TMPFS_MAGIC = 0x01021994 +dont_appraise fsmagic=0x1021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC=0x1cd1 +dont_appraise fsmagic=0x1cd1 +# BINFMTFS_MAGIC=0x42494e4d +dont_appraise fsmagic=0x42494e4d +# SECURITYFS_MAGIC=0x73636673 +dont_appraise fsmagic=0x73636673 +# SELINUX_MAGIC=0xf97cff8c +dont_appraise fsmagic=0xf97cff8c +# SMACK_MAGIC=0x43415d53 +dont_appraise fsmagic=0x43415d53 +# NSFS_MAGIC=0x6e736673 +dont_appraise fsmagic=0x6e736673 +# CGROUP_SUPER_MAGIC=0x27e0eb +dont_appraise 
fsmagic=0x27e0eb +# CGROUP2_SUPER_MAGIC=0x63677270 +dont_appraise fsmagic=0x63677270 +appraise fowner=0 +``` + +启动参数 `ima_policy=secure_boot` 对应的 IMA 策略为: + +``` +appraise func=MODULE_CHECK appraise_type=imasig +appraise func=FIRMWARE_CHECK appraise_type=imasig +appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig +appraise func=POLICY_CHECK appraise_type=imasig +``` + +#### IMA 摘要列表启动参数 + +IMA 摘要列表特性额外引入的内核启动参数如下: + +| 参数名称 | 取值 | 功能 | +| ------------------------ | ----------------------- | ------------------------------------------------------------ | +| integrity | 0 | IMA 特性总开关关闭(默认) | +| | 1 | IMA 特性总开关打开 | +| ima_appraise | off | 关闭 IMA 评估模式 | +| | enforce-evm | IMA 评估强制模式,在访问文件时进行完整性校验并进行访问控制 | +| ima_appraise_digest_list | digest | 当 EVM 被禁用时,使用摘要列表进行 IMA appraise,摘要列表同时保护文件内容和扩展属性 | +| | digest-nometadata | 在EVM摘要值不存在的情况下,仅基于IMA摘要值进行完整性校验(不保护文件扩展属性) | +| evm | fix | 允许任何对扩展属性的修改(即使修改会导致扩展属性完整性校验失败) | +| | ignore | 只有在扩展属性不存在或不正确的情况下才允许修改 | +| ima_policy | exec_tcb | IMA 度量策略,详见下文策略说明。 | +| | appraise_exec_tcb | IMA 评估策略,详见下文策略说明。 | +| | appraise_exec_immutable | IMA 评估策略,详见下文策略说明。 | +| ima_digest_list_pcr | 11 | 使用 PCR 11 替代 PCR 10,仅使用摘要列表进行度量 | +| | +11 | 依然保留 PCR 10 的度量,在有TPM芯片时也往TPM芯片写度量结果 | +| initramtmpfs | 无 | 添加对 tmpfs 的支持 | + +启动参数 `ima_policy=exec_tcb` 对应的 IMA 策略为: + +``` +dont_measure fsmagic=0x9fa0 +dont_measure fsmagic=0x62656572 +dont_measure fsmagic=0x64626720 +dont_measure fsmagic=0x1cd1 +dont_measure fsmagic=0x42494e4d +dont_measure fsmagic=0x73636673 +dont_measure fsmagic=0xf97cff8c +dont_measure fsmagic=0x43415d53 +dont_measure fsmagic=0x27e0eb +dont_measure fsmagic=0x63677270 +dont_measure fsmagic=0x6e736673 +measure func=MMAP_CHECK mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC +measure func=MODULE_CHECK +measure func=FIRMWARE_CHECK +measure func=POLICY_CHECK +measure func=DIGEST_LIST_CHECK +measure parser +``` + +启动参数 `ima_policy=appraise_exec_tcb` 对应的 IMA 策略为: + +``` +appraise func=MODULE_CHECK appraise_type=imasig +appraise 
func=FIRMWARE_CHECK appraise_type=imasig +appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig +appraise func=POLICY_CHECK appraise_type=imasig +appraise func=DIGEST_LIST_CHECK appraise_type=imasig +dont_appraise fsmagic=0x9fa0 +dont_appraise fsmagic=0x62656572 +dont_appraise fsmagic=0x64626720 +dont_appraise fsmagic=0x858458f6 +dont_appraise fsmagic=0x1cd1 +dont_appraise fsmagic=0x42494e4d +dont_appraise fsmagic=0x73636673 +dont_appraise fsmagic=0xf97cff8c +dont_appraise fsmagic=0x43415d53 +dont_appraise fsmagic=0x6e736673 +dont_appraise fsmagic=0x27e0eb +dont_appraise fsmagic=0x63677270 +``` + +启动参数 `ima_policy=appraise_exec_immutable` 对应的 IMA 策略为: + +``` +appraise func=BPRM_CHECK appraise_type=imasig appraise_type=meta_immutable +appraise func=MMAP_CHECK +appraise parser appraise_type=imasig +``` + +#### IMA 内核编译选项详解 + +原生 IMA 提供的编译选项如下: + +| 编译选项 | 功能 | +| -------------------------------- | --------------------------- | +| CONFIG_INTEGRITY | IMA/EVM 总编译开关 | +| CONFIG_INTEGRITY_SIGNATURE | 使能 IMA 签名校验 | +| CONFIG_INTEGRITY_ASYMMETRIC_KEYS | 使能 IMA 非对称签名校验 | +| CONFIG_INTEGRITY_TRUSTED_KEYRING | 使能 IMA/EVM 密钥环 | +| CONFIG_INTEGRITY_AUDIT | 编译 IMA audit 审计模块 | +| CONFIG_IMA | IMA 总编译开关 | +| CONFIG_IMA_WRITE_POLICY | 允许在运行阶段更新 IMA 策略 | +| CONFIG_IMA_MEASURE_PCR_IDX | 允许指定 IMA 度量 PCR 序号 | +| CONFIG_IMA_LSM_RULES | 允许配置 LSM 规则 | +| CONFIG_IMA_APPRAISE | IMA 评估总编译开关 | +| IMA_APPRAISE_BOOTPARAM | 启用 IMA 评估启动参数 | +| CONFIG_EVM | EVM 总编译开关 | + +IMA 摘要列表扩展额外提供的编译选项如下: + +| 编译选项 | 功能 | +| ------------------ | ------------------------- | +| CONFIG_DIGEST_LIST | 开启 IMA 摘要列表特性开关 | + +#### IMA 性能参考数据 + +下图对比了不开启 IMA、开启原生 IMA、开启 IMA 摘要列表特性时的性能: + +![img](./figures/ima_performance.gif) 
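Review bot: Several identifiers in the appendix disagree with the rest of this same file, and a reader who copies them may end up with no policy loaded, which FAQ 2 describes as no access control at all. The heading `ima_policy=tcb_appraise` should read `ima_policy=appraise_tcb`, the value used in the parameter table and in the first-deployment steps. The keyword table spells the hook `BRPM_CHECK` while the syntax list and every policy listing use `BPRM_CHECK`, and the syntax list says `objtype` where its own example and the table use `obj_type`. The securityfs table lists `ima/ascii_runtime_measurement` in the singular although the usage section reads `/sys/kernel/security/ima/ascii_runtime_measurements`; please check the other measurement entries in that table against the same naming. Smaller points in the same appendix: the `evm` interface is introduced as having three values but four are listed (0, 1, 2, 6); `IMA_APPRAISE_BOOTPARAM` lacks the `CONFIG_` prefix the other options carry; the `secure_boot` row ends on a comma; and the boot lines use `evm=allow_metadata_writes evm=x509`, neither of which appears in the `evm` rows of the digest-list parameter table. The deployment steps edit `/boot/efi/EFI/euleros/grub.cfg`, while the 基础配置 file in this patch uses `/boot/efi/EFI/openEuler/grub.cfg`; confirm which path is intended.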
diff --git "a/content/zh/docs/Administration/\345\237\272\347\241\200\351\205\215\347\275\256.md" "b/docs/zh/docs/Administration/\345\237\272\347\241\200\351\205\215\347\275\256.md" similarity index 95% rename from "content/zh/docs/Administration/\345\237\272\347\241\200\351\205\215\347\275\256.md" rename to "docs/zh/docs/Administration/\345\237\272\347\241\200\351\205\215\347\275\256.md" index 316b2356e1af95e44845e63a785082a96d0ab422..fbb068949460dcd281dc648e53f4cc4e664bcc0c 100644 --- "a/content/zh/docs/Administration/\345\237\272\347\241\200\351\205\215\347\275\256.md" +++ "b/docs/zh/docs/Administration/\345\237\272\347\241\200\351\205\215\347\275\256.md" 
@@ -1,470 +1,492 @@ -# 基础配置 - - -- [基础配置](#基础配置) - - [设置语言环境](#设置语言环境) - - [显示当前语言环境状态](#显示当前语言环境状态) - - [列出可用的语言环境](#列出可用的语言环境) - - [设置语言环境](#设置语言环境-1) - - [设置键盘](#设置键盘) - - [显示当前设置](#显示当前设置) - - [列出可用的键盘布局](#列出可用的键盘布局) - - [设置键盘布局](#设置键盘布局) - - [设置日期和时间](#设置日期和时间) - - [使用timedatectl命令设置](#使用timedatectl命令设置) - - [使用date命令设置](#使用date命令设置) - - [使用hwclock命令设置](#使用hwclock命令设置) - - [设置kdump](#设置kdump) - - [设置kdump预留内存](#设置kdump预留内存) - - [预留内存推荐值](#预留内存推荐值) - - [禁用网络相关驱动](#禁用网络相关驱动) - - - - -## 设置语言环境 - -您可以通过localectl修改系统的语言环境,对应的参数设置保存在/etc/locale.conf文件中。这些参数会在系统启动过程中被systemd的守护进程读取。 - -### 显示当前语言环境状态 - -显示当前语言环境,命令如下: - -``` -$ localectl status -``` - -例如显示系统当前的设置,命令和输出如下: - -``` -$ localectl status - System Locale: LANG=zh_CN.UTF-8 - VC Keymap: cn - X11 Layout: cn -``` - -### 列出可用的语言环境 - -显示当前可用的语言环境,命令如下: - -``` -$ localectl list-locales -``` - -例如显示当前系统中所有可用的中文环境,命令和输出如下: - -``` -$ localectl list-locales | grep zh -zh_CN.UTF-8 -``` - -### 设置语言环境 - -要设置语言环境,在root权限下执行如下命令,其中 _locale_ 是您要设置的语言类型,取值范围可通过**localectl list-locales**获取,请根据实际情况修改。 - -``` -# localectl set-locale LANG=locale -``` - -例如设置为简体中文语言环境,在root权限下执行如下命令: - -``` -# localectl set-locale LANG=zh_CN.UTF-8 -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->修改后需要重新登录或者在root权限下执行`source /etc/locale.conf`命令刷新配置文件,使修改生效。 - - -## 设置键盘 - -您可以通过localectl修改系统的键盘设置,对应的参数设置保存在/etc/locale.conf文件中。这些参数,会在系统启动的早期被systemd的守护进程读取。 - -### 显示当前设置 - -显示当前键盘设置,命令如下: - -``` -$ localectl status -``` - -例如显示系统当前的设置,命令和输出如下: - -``` -$ localectl status - System Locale: LANG=zh_CN.UTF-8 - VC Keymap: cn - X11 Layout: cn -``` - -### 列出可用的键盘布局 - -显示当前可用的键盘布局,命令如下: - -``` -$ localectl list-keymaps -``` - -例如显示系统当前的中文键盘布局,命令和输出如下: - -``` -$ localectl list-keymaps | grep cn -cn -``` - -### 设置键盘布局 - -设置键盘布局,在root权限下执行如下命令,其中 _map_ 是您想要设置的键盘类型,取值范围可通过**localectl list-keymaps**获取,请根据实际情况修改: - -``` -# localectl set-keymap map -``` - -此时设置的键盘布局同样也会应用到图形界面中。 - -设置完成后,查看当前状态: - -``` -$ localectl status - System Locale: 
LANG=zh_CN.UTF-8 - VC Keymap: cn - X11 Layout: us -``` - -## 设置日期和时间 - -本节介绍如何通过timedatectl、date、hwclock命令来设置系统的日期、时间和时区等。 - - - -### 使用timedatectl命令设置 - -#### 显示日期和时间 - -显示当前的日期和时间,命令如下: - -``` -$ timedatectl -``` - -例如显示系统当前的日期和时间,命令和输出如下: - -``` -$ timedatectl - Local time: Mon 2019-09-30 04:05:00 EDT - Universal time: Mon 2019-09-30 08:05:00 UTC - RTC time: Mon 2019-09-30 08:05:00 - Time zone: America/New_York (EDT, -0400) -System clock synchronized: no - NTP service: inactive - RTC in local TZ: no -``` - -#### 通过远程服务器进行时间同步 - -您可以启用NTP远程服务器进行系统时钟的自动同步。是否启用NTP,可在root权限下执行如下命令进行设置。其中 _boolean_ 可取值yes和no,分别表示启用和不启用NTP进行系统时钟自动同步,请根据实际情况修改。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->若启用了NTP远程服务器进行系统时钟自动同步,则不能手动修改日期和时间。若需要手动修改日期或时间,则需确保已经关闭NTP系统时钟自动同步。可执行**timedatectl set-ntp** no命令进行关闭。 - -``` -# timedatectl set-ntp boolean -``` - -例如开启自动远程时间同步,命令如下: - -``` -# timedatectl set-ntp yes -``` - -#### 修改日期 - ->![](public_sys-resources/icon-note.gif) **说明:** ->修改日期前,请确保已经关闭NTP系统时钟自动同步。 - -修改当前的日期,在root权限下执行如下命令,其中 _YYYY_ 代表年份,_MM_ 代表月份,_DD_ 代表某天,请根据实际情况修改: - -``` -# timedatectl set-time YYYY-MM-DD -``` - -例如修改当前的日期为2019年8月14号,命令如下: - -``` -# timedatectl set-time '2019-08-14' -``` - -#### 修改时间 - ->![](public_sys-resources/icon-note.gif) **说明:** ->修改时间前,请确保已经关闭NTP系统时钟自动同步。 - -修改当前的时间,在root权限下执行如下命令,其中 _HH_ 代表小时,_MM_ 代表分钟,_SS_ 代表秒,请根据实际情况修改: - -``` -# timedatectl set-time HH:MM:SS -``` - -例如修改当前的时间为15点57分24秒,命令如下: - -``` -# timedatectl set-time 15:57:24 -``` - -#### 修改时区 - -显示当前可用时区,命令如下: - -``` -$ timedatectl list-timezones -``` - -要修改当前的时区,在root权限下执行如下命令,其中 _time\_zone_ 是您想要设置的时区,请根据实际情况修改: - -``` -# timedatectl set-timezone time_zone -``` - -例如修改当前的时区,首先查询所在地域的可用时区,此处以Asia为例: - -``` -# timedatectl list-timezones | grep Asia -Asia/Aden -Asia/Almaty -Asia/Amman -Asia/Anadyr -Asia/Aqtau -Asia/Aqtobe -Asia/Ashgabat -Asia/Baghdad -Asia/Bahrain -…… - -Asia/Seoul -Asia/Shanghai -Asia/Singapore -Asia/Srednekolymsk -Asia/Taipei -Asia/Tashkent -Asia/Tbilisi -Asia/Tehran 
-Asia/Thimphu -Asia/Tokyo -``` - -然后修改当前的时区为“Asia/Shanghai”,命令如下: - -``` -# timedatectl set-timezone Asia/Shanghai -``` - -### 使用date命令设置 - -#### 显示当前的日期和时间 - -显示当前的日期和时间,命令如下: - -``` -$ date -``` - -默认情况下,date命令显示本地时间。要显示UTC时间,添加\-\-utc或-u参数: - -``` -$ date --utc -``` - -要自定义对应的输出信息格式,添加 +"format" 参数: - -``` -$ date +"format" -``` - -**表 1** 参数说明 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

格式参数

-

说明

-

%H

-

小时以HH格式(例如 17)。

-

%M

-

分钟以MM格式(例如 37)。

-

%S

-

秒以SS格式(例如 25)。

-

%d

-

日期以DD格式(例如 15)。

-

%m

-

月份以MM格式(例如 07)。

-

%Y

-

年份以YYYY格式(例如 2019)。

-

%Z

-

时区缩写(例如CEST)。

-

%F

-

日期整体格式为YYYY-MM-DD(例如 2019-7-15),等同%Y-%m-%d。

-

%T

-

时间整体格式为HH:MM:SS(例如 18:30:25),等同%H:%M:%S。

-
- -实际使用示例如下: - -- 显示当前的日期和本地时间。 - - ``` - $ date - 2019年 08月 17日 星期六 17:26:34 CST - ``` - -- 显示当前的日期和UTC时间。 - - ``` - $ date --utc - 2019年 08月 17日 星期六 09:26:18 UTC - ``` - -- 自定义date命令的输出。 - - ``` - $ date +"%Y-%m-%d %H:%M" - 2019-08-17 17:24 - ``` - - -#### 修改时间 - -要修改当前的时间,添加\-\-set或者-s参数。在root权限下执行如下命令,其中 _HH_ 代表小时,_MM_ 代表分钟,_SS_ 代表秒,请根据实际情况修改: - -``` -# date --set HH:MM:SS -``` - -默认情况下, date命令设置本地时间。要设置UTC时间,添加\-\-utc或-u参数: - -``` -# date --set HH:MM:SS --utc -``` - -例如修改当前的时间为23点26分00秒,在root权限下执行如下命令: - -``` -# date --set 23:26:00 -``` - -#### 修改日期 - -修改当前的日期,添加\-\-set或者-s参数。在root权限下执行如下命令,其中 _YYYY_ 代表年份,_MM_ 代表月份,_DD_ 代表某天,请根据实际情况修改: - -``` -# date --set YYYY-MM-DD -``` - -例如修改当前的日期为2019年11月2日,命令如下: - -``` -# date --set 2019-11-02 -``` - -### 使用hwclock命令设置 - -可以使用 hwclock 命令设置硬件时钟RTC \(Real Time Clock\) 。 - -#### 硬件时钟和系统时钟 - -Linux 将时钟分为: - -- 系统时钟 \(System Clock\) :当前Linux Kernel中的时钟。 -- 硬件时钟 RTC:主板上由电池供电的主板硬件时钟,该时钟可以在BIOS的 "Standard BIOS Feature" 项中进行设置。 - -当Linux启动时,会读取硬件时钟,并根据硬件时间来设置系统时间。 - -#### 显示日期和时间 - -显示当前硬件的日期和时间,在root权限下执行如下命令: - -``` -# hwclock -``` - -例如显示当前硬件的日期和时间,命令和输出如下: - -``` -# hwclock -2019-08-26 10:18:42.528948+08:00 -``` - -#### 设置日期和时间 - -修改当前硬件的日期和时间,在root权限下执行如下命令,其中 _dd_ 表示日,_mm_ 表示月份,_yyyy_ 表示年份,_HH_ 表示小时,_MM_ 表示分钟,请根据实际情况修改: - -``` -# hwclock --set --date "dd mm yyyy HH:MM" -``` - -例如修改当前的时间为2019年10月21日21点17分,命令如下: - -``` -# hwclock --set --date "21 Oct 2019 21:17" --utc -``` - -## 设置kdump -本节介绍如何设置kdump预留内存及kdump配置文件参数修改。 - - - -### 设置kdump预留内存 -#### 预留内存参数格式 - -kdump预留内存参数必须添加到内核启动参数中,配置文件为/boot/efi/EFI/openEuler/grub.cfg,openEuler发布版本中默认已经添加,可以根据实际使用情况调整。添加和修改启动参数后,重启系统生效。kdump预留内存参数格式如下: - -| 内核启动参数 | 描述 | 默认值 | 备注 | -|--------------------|-------------------------------------------|---------------|------------------------------------------------------------| -| crashkernel=x | 在4G以下的物理内存预留x大小的内存给kdump使用。 | x86版本默认配置512M | 该配置方法只在4G以下内存预留,必须保证4G以下连续可用内存足够预留。 | -| crashkernel=x@y | 在y起始地址预留x大小的内存给kdump使用。 | 未使用 | 
需要确保y起始地址的x大小的内存未被其他模块预留。 | -| crashkernel=x,high | 在4G以下的物理内存中预留256M内存,在4G以上预留x大小内存给kdump使用。 | arm64版本默认配置1024M,high | 需要确保4G以下有256M连续可用的物理内存,4G以上有连续的x大小的连续物理内存。实际预留内存大小为256M+x。 | -| crashkernel=x,low crashkernel=y,high | 在4G以下的物理内存中预留x大小,在4G以上预留y大小内存给kdump使用。 | 未使用 | 需要确保4G以下有连续的x大小物理内存,4G以上有连续的y大小物理内存。 | - - -### 预留内存推荐值 -| 推荐方案 | 预留参数 | 参数说明 | -|------|------------------------|----------------------------------------------| -| 通用方案 | crashkernel=2048M,high | 4G以下预留256M,4G以上预留2048M内存给kdump使用。共256+2048M。 | -| 经济方案 | crashkernel=1024M,high | 4G以下预留256M,4G以上预留1024M内存给kdump使用。共256+1024M。 推荐系统512G内存以内的场景,并不使用网络转储kdump文件。对于虚拟机场景,可以适当减少内存预留值,推荐虚拟机设置为crashkernel=512M或者crashkernel=256M,high | ->![](public_sys-resources/icon-note.gif) **说明:** ->不通过网络转储kdump文件时,需要设置kdump文件系统不打包网络相关驱动。网络驱动加载需要申请较大内存,可能导致预留内存不足,kdump失败。因此建议禁用网络相关驱动。 - - -### 禁用网络相关驱动 -kdump配置文件(/etc/kdump.conf)中,dracut参数可以设置裁剪的驱动模块,可以将网络驱动配置到裁剪驱动列表中,让kdump文件系统中不加载该驱动,修改配置文件后,重启kdump服务生效。dracut参数配置如下所示: - -`dracut_args --omit-drivers "mdio-gpi usb_8dev et1011c rt2x00usb bcm-phy-lib mac80211_hwsim rtl8723be rndis_host hns3_cae amd vrf rtl8192cu mt76x02-lib int51x1 ppp_deflate team_mode_loadbalance smsc911x aweth bonding mwifiex_usb hnae dnet rt2x00pci vaser_pci hdlc_ppp marvell rtl8xxxu mlxsw_i2c ath9k_htc rtl8150 smc91x cortina at803x rockchip cxgb4 spi_ks8995 mt76x2u smsc9420 mdio-cavium bnxt_en ch9200 dummy macsec ice mt7601u rtl8188ee ixgbevf net1080 liquidio_vf be2net mlxsw_switchx2 gl620a xilinx_gmii2rgmii ppp_generic rtl8192de sja1000_platform ath10k_core cc770_platform realte igb c_can_platform c_can ethoc dm9601 smsc95xx lg-vl600 ifb enic ath9 mdio-octeon ppp_mppe ath10k_pci cc770 team_mode_activebackup marvell10g hinic rt2x00lib mlx4_en iavf broadcom igc c_can_pci alx rtl8192se rtl8723ae microchip lan78xx atl1c rtl8192c-common almia ax88179_178a qed netxen_nic brcmsmac rt2800usb e1000 qla3xxx mdio-bitbang qsemi mdio-mscc-miim plx_pci ipvlan r8152 cx82310_eth slhc mt76x02-usb ems_pci xen-netfront 
usbnet pppoe mlxsw_minimal mlxsw_spectrum cdc_ncm rt2800lib rtl_usb hnae3 ath9k_common ath9k_hw catc mt76 hns_enet_drv ppp_async huawei_cdc_ncm i40e rtl8192ce dl2 qmi_wwan mii peak_usb plusb can-dev slcan amd-xgbe team_mode_roundrobin ste10Xp thunder_xcv pptp thunder_bgx ixgbe davicom icplus tap tun smsc75xx smsc dlci hns_dsaf mlxsw_core rt2800mmi softing uPD60620 vaser_usb dp83867 brcmfmac mwifiex_pcie mlx4_core micrel team macvlan bnx2 virtio_net rtl_pci zaurus hns_mdi libcxgb hv_netvsc nicvf mt76x0u teranetics mlxfw cdc_eem qcom-emac pppox mt76-usb sierra_net i40evf bcm87xx mwifiex pegasus rt2x00mmi sja1000 ena hclgevf cnic cxgb4vf ppp_synctty iwlmvm team_mode_broadcast vxlan vsockmon hdlc_cisc rtl8723-common bsd_comp fakelb dp83822 dp83tc811 cicada fm10 8139t sfc hs geneve hclge xgene-enet-v2 cdc_mbim hdlc asix netdevsim rt2800pci team_mode_random lxt ems_usb mlxsw_pci sr9700 mdio-thunder mlxsw_switchib macvtap atlantic cdc_ether mcs7830 nicpf mdi peak_pci atl1e cdc_subset ipvtap btcoexist mt76x0-common veth slip iwldvm bcm7xxx vitesse netconsole epic100 myri10ge r8169 qede microchip_t1 liquidi bnx2x brcmutil mwifiex_sdi mlx5_core rtlwifi vmxnet3 nlmon hns3 hdlc_raw esd_usb2 atl2 mt76x2-common iwlwifi mdio-bcm-unimac national ath rtwpci rtw88 nfp rtl8821ae fjes thunderbolt-net 8139cp atl1 mscc vcan dp83848 dp83640 hdlc_fr e1000e ipheth net_failover aquantia rtl8192ee igbvf rocker intel-xway tg3" --omit "ramdisk network ifcfg qemu-net" --install "chmod" --nofscks` +# 基础配置 + + +- [基础配置](#基础配置) + - [设置语言环境](#设置语言环境) + - [显示当前语言环境状态](#显示当前语言环境状态) + - [列出可用的语言环境](#列出可用的语言环境) + - [设置语言环境](#设置语言环境-1) + - [设置键盘](#设置键盘) + - [显示当前设置](#显示当前设置) + - [列出可用的键盘布局](#列出可用的键盘布局) + - [设置键盘布局](#设置键盘布局) + - [设置日期和时间](#设置日期和时间) + - [使用timedatectl命令设置](#使用timedatectl命令设置) + - [使用date命令设置](#使用date命令设置) + - [使用hwclock命令设置](#使用hwclock命令设置) + - [设置kdump](#设置kdump) + - [设置kdump预留内存](#设置kdump预留内存) + - [预留内存推荐值](#预留内存推荐值) + - [禁用网络相关驱动](#禁用网络相关驱动) + - [设置磁盘调度算法](#设置磁盘调度算法) + - 
[临时修改调度策略](#临时修改调度策略) + - [永久设置调度策略](#永久设置调度策略) + + + + +## 设置语言环境 + +您可以通过localectl修改系统的语言环境,对应的参数设置保存在/etc/locale.conf文件中。这些参数会在系统启动过程中被systemd的守护进程读取。 + +### 显示当前语言环境状态 + +显示当前语言环境,命令如下: + +``` +$ localectl status +``` + +例如显示系统当前的设置,命令和输出如下: + +``` +$ localectl status + System Locale: LANG=zh_CN.UTF-8 + VC Keymap: cn + X11 Layout: cn +``` + +### 列出可用的语言环境 + +显示当前可用的语言环境,命令如下: + +``` +$ localectl list-locales +``` + +例如显示当前系统中所有可用的中文环境,命令和输出如下: + +``` +$ localectl list-locales | grep zh +zh_CN.UTF-8 +``` + +### 设置语言环境 + +要设置语言环境,在root权限下执行如下命令,其中 _locale_ 是您要设置的语言类型,取值范围可通过**localectl list-locales**获取,请根据实际情况修改。 + +``` +# localectl set-locale LANG=locale +``` + +例如设置为简体中文语言环境,在root权限下执行如下命令: + +``` +# localectl set-locale LANG=zh_CN.UTF-8 +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>修改后需要重新登录或者在root权限下执行`source /etc/locale.conf`命令刷新配置文件,使修改生效。 + + +## 设置键盘 + +您可以通过localectl修改系统的键盘设置,对应的参数设置保存在/etc/locale.conf文件中。这些参数,会在系统启动的早期被systemd的守护进程读取。 + +### 显示当前设置 + +显示当前键盘设置,命令如下: + +``` +$ localectl status +``` + +例如显示系统当前的设置,命令和输出如下: + +``` +$ localectl status + System Locale: LANG=zh_CN.UTF-8 + VC Keymap: cn + X11 Layout: cn +``` + +### 列出可用的键盘布局 + +显示当前可用的键盘布局,命令如下: + +``` +$ localectl list-keymaps +``` + +例如显示系统当前的中文键盘布局,命令和输出如下: + +``` +$ localectl list-keymaps | grep cn +cn +``` + +### 设置键盘布局 + +设置键盘布局,在root权限下执行如下命令,其中 _map_ 是您想要设置的键盘类型,取值范围可通过**localectl list-keymaps**获取,请根据实际情况修改: + +``` +# localectl set-keymap map +``` + +此时设置的键盘布局同样也会应用到图形界面中。 + +设置完成后,查看当前状态: + +``` +$ localectl status + System Locale: LANG=zh_CN.UTF-8 + VC Keymap: cn + X11 Layout: us +``` + +## 设置日期和时间 + +本节介绍如何通过timedatectl、date、hwclock命令来设置系统的日期、时间和时区等。 + + + +### 使用timedatectl命令设置 + +#### 显示日期和时间 + +显示当前的日期和时间,命令如下: + +``` +$ timedatectl +``` + +例如显示系统当前的日期和时间,命令和输出如下: + +``` +$ timedatectl + Local time: Mon 2019-09-30 04:05:00 EDT + Universal time: Mon 2019-09-30 08:05:00 UTC + RTC time: Mon 2019-09-30 08:05:00 + Time zone: America/New_York (EDT, -0400) +System clock 
synchronized: no + NTP service: inactive + RTC in local TZ: no +``` + +#### 通过远程服务器进行时间同步 + +您可以启用NTP远程服务器进行系统时钟的自动同步。是否启用NTP,可在root权限下执行如下命令进行设置。其中 _boolean_ 可取值yes和no,分别表示启用和不启用NTP进行系统时钟自动同步,请根据实际情况修改。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>若启用了NTP远程服务器进行系统时钟自动同步,则不能手动修改日期和时间。若需要手动修改日期或时间,则需确保已经关闭NTP系统时钟自动同步。可执行**timedatectl set-ntp** no命令进行关闭。 + +``` +# timedatectl set-ntp boolean +``` + +例如开启自动远程时间同步,命令如下: + +``` +# timedatectl set-ntp yes +``` + +#### 修改日期 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>修改日期前,请确保已经关闭NTP系统时钟自动同步。 + +修改当前的日期,在root权限下执行如下命令,其中 _YYYY_ 代表年份,_MM_ 代表月份,_DD_ 代表某天,请根据实际情况修改: + +``` +# timedatectl set-time YYYY-MM-DD +``` + +例如修改当前的日期为2019年8月14号,命令如下: + +``` +# timedatectl set-time '2019-08-14' +``` + +#### 修改时间 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>修改时间前,请确保已经关闭NTP系统时钟自动同步。 + +修改当前的时间,在root权限下执行如下命令,其中 _HH_ 代表小时,_MM_ 代表分钟,_SS_ 代表秒,请根据实际情况修改: + +``` +# timedatectl set-time HH:MM:SS +``` + +例如修改当前的时间为15点57分24秒,命令如下: + +``` +# timedatectl set-time 15:57:24 +``` + +#### 修改时区 + +显示当前可用时区,命令如下: + +``` +$ timedatectl list-timezones +``` + +要修改当前的时区,在root权限下执行如下命令,其中 _time\_zone_ 是您想要设置的时区,请根据实际情况修改: + +``` +# timedatectl set-timezone time_zone +``` + +例如修改当前的时区,首先查询所在地域的可用时区,此处以Asia为例: + +``` +# timedatectl list-timezones | grep Asia +Asia/Aden +Asia/Almaty +Asia/Amman +Asia/Anadyr +Asia/Aqtau +Asia/Aqtobe +Asia/Ashgabat +Asia/Baghdad +Asia/Bahrain +…… + +Asia/Seoul +Asia/Shanghai +Asia/Singapore +Asia/Srednekolymsk +Asia/Taipei +Asia/Tashkent +Asia/Tbilisi +Asia/Tehran +Asia/Thimphu +Asia/Tokyo +``` + +然后修改当前的时区为“Asia/Shanghai”,命令如下: + +``` +# timedatectl set-timezone Asia/Shanghai +``` + +### 使用date命令设置 + +#### 显示当前的日期和时间 + +显示当前的日期和时间,命令如下: + +``` +$ date +``` + +默认情况下,date命令显示本地时间。要显示UTC时间,添加\-\-utc或-u参数: + +``` +$ date --utc +``` + +要自定义对应的输出信息格式,添加 +"format" 参数: + +``` +$ date +"format" +``` + +**表 1** 参数说明 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

格式参数

+

说明

+

%H

+

小时以HH格式(例如 17)。

+

%M

+

分钟以MM格式(例如 37)。

+

%S

+

秒以SS格式(例如 25)。

+

%d

+

日期以DD格式(例如 15)。

+

%m

+

月份以MM格式(例如 07)。

+

%Y

+

年份以YYYY格式(例如 2019)。

+

%Z

+

时区缩写(例如CEST)。

+

%F

+

日期整体格式为YYYY-MM-DD(例如 2019-7-15),等同%Y-%m-%d。

+

%T

+

时间整体格式为HH:MM:SS(例如 18:30:25),等同%H:%M:%S。

+
+ +实际使用示例如下: + +- 显示当前的日期和本地时间。 + + ``` + $ date + 2019年 08月 17日 星期六 17:26:34 CST + ``` + +- 显示当前的日期和UTC时间。 + + ``` + $ date --utc + 2019年 08月 17日 星期六 09:26:18 UTC + ``` + +- 自定义date命令的输出。 + + ``` + $ date +"%Y-%m-%d %H:%M" + 2019-08-17 17:24 + ``` + + +#### 修改时间 + +要修改当前的时间,添加\-\-set或者-s参数。在root权限下执行如下命令,其中 _HH_ 代表小时,_MM_ 代表分钟,_SS_ 代表秒,请根据实际情况修改: + +``` +# date --set HH:MM:SS +``` + +默认情况下, date命令设置本地时间。要设置UTC时间,添加\-\-utc或-u参数: + +``` +# date --set HH:MM:SS --utc +``` + +例如修改当前的时间为23点26分00秒,在root权限下执行如下命令: + +``` +# date --set 23:26:00 +``` + +#### 修改日期 + +修改当前的日期,添加\-\-set或者-s参数。在root权限下执行如下命令,其中 _YYYY_ 代表年份,_MM_ 代表月份,_DD_ 代表某天,请根据实际情况修改: + +``` +# date --set YYYY-MM-DD +``` + +例如修改当前的日期为2019年11月2日,命令如下: + +``` +# date --set 2019-11-02 +``` + +### 使用hwclock命令设置 + +可以使用 hwclock 命令设置硬件时钟RTC \(Real Time Clock\) 。 + +#### 硬件时钟和系统时钟 + +Linux 将时钟分为: + +- 系统时钟 \(System Clock\) :当前Linux Kernel中的时钟。 +- 硬件时钟 RTC:主板上由电池供电的主板硬件时钟,该时钟可以在BIOS的 "Standard BIOS Feature" 项中进行设置。 + +当Linux启动时,会读取硬件时钟,并根据硬件时间来设置系统时间。 + +#### 显示日期和时间 + +显示当前硬件的日期和时间,在root权限下执行如下命令: + +``` +# hwclock +``` + +例如显示当前硬件的日期和时间,命令和输出如下: + +``` +# hwclock +2019-08-26 10:18:42.528948+08:00 +``` + +#### 设置日期和时间 + +修改当前硬件的日期和时间,在root权限下执行如下命令,其中 _dd_ 表示日,_mm_ 表示月份,_yyyy_ 表示年份,_HH_ 表示小时,_MM_ 表示分钟,请根据实际情况修改: + +``` +# hwclock --set --date "dd mm yyyy HH:MM" +``` + +例如修改当前的时间为2019年10月21日21点17分,命令如下: + +``` +# hwclock --set --date "21 Oct 2019 21:17" --utc +``` + +## 设置kdump +本节介绍如何设置kdump预留内存及kdump配置文件参数修改。 + + + +### 设置kdump预留内存 +#### 预留内存参数格式 + +kdump预留内存参数必须添加到内核启动参数中,配置文件为/boot/efi/EFI/openEuler/grub.cfg,openEuler发布版本中默认已经添加,可以根据实际使用情况调整。添加和修改启动参数后,重启系统生效。kdump预留内存参数格式如下: + +| 内核启动参数 | 描述 | 默认值 | 备注 | +|--------------------|-------------------------------------------|---------------|------------------------------------------------------------| +| crashkernel=x | 在4G以下的物理内存预留x大小的内存给kdump使用。 | x86版本默认配置512M | 该配置方法只在4G以下内存预留,必须保证4G以下连续可用内存足够预留。 | +| crashkernel=x@y | 在y起始地址预留x大小的内存给kdump使用。 | 未使用 | 
需要确保y起始地址的x大小的内存未被其他模块预留。 | +| crashkernel=x,high | 在4G以下的物理内存中预留256M内存,在4G以上预留x大小内存给kdump使用。 | arm64版本默认配置1024M,high | 需要确保4G以下有256M连续可用的物理内存,4G以上有连续的x大小的连续物理内存。实际预留内存大小为256M+x。 | +| crashkernel=x,low crashkernel=y,high | 在4G以下的物理内存中预留x大小,在4G以上预留y大小内存给kdump使用。 | 未使用 | 需要确保4G以下有连续的x大小物理内存,4G以上有连续的y大小物理内存。 | + + +### 预留内存推荐值 +| 推荐方案 | 预留参数 | 参数说明 | +|------|------------------------|----------------------------------------------| +| 通用方案 | crashkernel=2048M,high | 4G以下预留256M,4G以上预留2048M内存给kdump使用。共256+2048M。 | +| 经济方案 | crashkernel=1024M,high | 4G以下预留256M,4G以上预留1024M内存给kdump使用。共256+1024M。 推荐系统512G内存以内的场景,并不使用网络转储kdump文件。对于虚拟机场景,可以适当减少内存预留值,推荐虚拟机设置为crashkernel=512M或者crashkernel=256M,high | +>![](./public_sys-resources/icon-note.gif) **说明:** +>不通过网络转储kdump文件时,需要设置kdump文件系统不打包网络相关驱动。网络驱动加载需要申请较大内存,可能导致预留内存不足,kdump失败。因此建议禁用网络相关驱动。 + + +### 禁用网络相关驱动 +kdump配置文件(/etc/kdump.conf)中,dracut参数可以设置裁剪的驱动模块,可以将网络驱动配置到裁剪驱动列表中,让kdump文件系统中不加载该驱动,修改配置文件后,重启kdump服务生效。dracut参数配置如下所示: + +`dracut_args --omit-drivers "mdio-gpi usb_8dev et1011c rt2x00usb bcm-phy-lib mac80211_hwsim rtl8723be rndis_host hns3_cae amd vrf rtl8192cu mt76x02-lib int51x1 ppp_deflate team_mode_loadbalance smsc911x aweth bonding mwifiex_usb hnae dnet rt2x00pci vaser_pci hdlc_ppp marvell rtl8xxxu mlxsw_i2c ath9k_htc rtl8150 smc91x cortina at803x rockchip cxgb4 spi_ks8995 mt76x2u smsc9420 mdio-cavium bnxt_en ch9200 dummy macsec ice mt7601u rtl8188ee ixgbevf net1080 liquidio_vf be2net mlxsw_switchx2 gl620a xilinx_gmii2rgmii ppp_generic rtl8192de sja1000_platform ath10k_core cc770_platform realte igb c_can_platform c_can ethoc dm9601 smsc95xx lg-vl600 ifb enic ath9 mdio-octeon ppp_mppe ath10k_pci cc770 team_mode_activebackup marvell10g hinic rt2x00lib mlx4_en iavf broadcom igc c_can_pci alx rtl8192se rtl8723ae microchip lan78xx atl1c rtl8192c-common almia ax88179_178a qed netxen_nic brcmsmac rt2800usb e1000 qla3xxx mdio-bitbang qsemi mdio-mscc-miim plx_pci ipvlan r8152 cx82310_eth slhc mt76x02-usb ems_pci xen-netfront 
usbnet pppoe mlxsw_minimal mlxsw_spectrum cdc_ncm rt2800lib rtl_usb hnae3 ath9k_common ath9k_hw catc mt76 hns_enet_drv ppp_async huawei_cdc_ncm i40e rtl8192ce dl2 qmi_wwan mii peak_usb plusb can-dev slcan amd-xgbe team_mode_roundrobin ste10Xp thunder_xcv pptp thunder_bgx ixgbe davicom icplus tap tun smsc75xx smsc dlci hns_dsaf mlxsw_core rt2800mmi softing uPD60620 vaser_usb dp83867 brcmfmac mwifiex_pcie mlx4_core micrel team macvlan bnx2 virtio_net rtl_pci zaurus hns_mdi libcxgb hv_netvsc nicvf mt76x0u teranetics mlxfw cdc_eem qcom-emac pppox mt76-usb sierra_net i40evf bcm87xx mwifiex pegasus rt2x00mmi sja1000 ena hclgevf cnic cxgb4vf ppp_synctty iwlmvm team_mode_broadcast vxlan vsockmon hdlc_cisc rtl8723-common bsd_comp fakelb dp83822 dp83tc811 cicada fm10 8139t sfc hs geneve hclge xgene-enet-v2 cdc_mbim hdlc asix netdevsim rt2800pci team_mode_random lxt ems_usb mlxsw_pci sr9700 mdio-thunder mlxsw_switchib macvtap atlantic cdc_ether mcs7830 nicpf mdi peak_pci atl1e cdc_subset ipvtap btcoexist mt76x0-common veth slip iwldvm bcm7xxx vitesse netconsole epic100 myri10ge r8169 qede microchip_t1 liquidi bnx2x brcmutil mwifiex_sdi mlx5_core rtlwifi vmxnet3 nlmon hns3 hdlc_raw esd_usb2 atl2 mt76x2-common iwlwifi mdio-bcm-unimac national ath rtwpci rtw88 nfp rtl8821ae fjes thunderbolt-net 8139cp atl1 mscc vcan dp83848 dp83640 hdlc_fr e1000e ipheth net_failover aquantia rtl8192ee igbvf rocker intel-xway tg3" --omit "ramdisk network ifcfg qemu-net" --install "chmod" --nofscks` + +## 设置磁盘调度算法 +本节介绍如何设置磁盘调度算法。 + + + +### 临时修改调度策略 + +例如将所有IO调度算法修改为mq-deadline,此修改重启后会失效。 +``` +echo mq-deadline > /sys/block/sd*/queue/scheduler +``` + +### 永久设置调度策略 + +可以通过在内核启动配置文件grub.cfg中的kernel行追加:elevator=mq-deadline,重启后生效。 +``` +linux /vmlinuz-4.19.90-2003.4.0.0036.oe1.x86_64 root=/dev/mapper/openeuler-root ro resume=/dev/mapper/openeuler-swap rd.lvm.lv=openeuler/root rd.lvm.lv=openeuler/swap quiet crashkernel=512M elevator=mq-deadline +``` 
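Review bot: The temporary scheduler command at the end of this added file, `echo mq-deadline > /sys/block/sd*/queue/scheduler`, does not do what the text says ("将所有IO调度算法修改为mq-deadline") when more than one `sd*` device exists. A redirection target that globs to several paths is rejected by bash as an ambiguous redirect, so no device is changed. Suggest a loop such as `for f in /sys/block/sd*/queue/scheduler; do echo mq-deadline > "$f"; done`, and add the `#` root prompt used by the other commands in this file. Separately, in the hwclock section the syntax line is `hwclock --set --date "dd mm yyyy HH:MM"` but the example passes `"21 Oct 2019 21:17" --utc`. Either document the month-name form and the `--utc` flag in the syntax line or make the example match it.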
diff --git "a/content/zh/docs/Administration/\346\220\255\345\273\272FTP\346\234\215\345\212\241\345\231\250.md" "b/docs/zh/docs/Administration/\346\220\255\345\273\272FTP\346\234\215\345\212\241\345\231\250.md" similarity index 99% rename from "content/zh/docs/Administration/\346\220\255\345\273\272FTP\346\234\215\345\212\241\345\231\250.md" rename to "docs/zh/docs/Administration/\346\220\255\345\273\272FTP\346\234\215\345\212\241\345\231\250.md" index f77d385e17dec27ef5d1fccce199932bca11d848..d1cbc9f4337f20bf1a976623d797d9225cc3fa6b 100644 --- "a/content/zh/docs/Administration/\346\220\255\345\273\272FTP\346\234\215\345\212\241\345\231\250.md" +++ "b/docs/zh/docs/Administration/\346\220\255\345\273\272FTP\346\234\215\345\212\241\345\231\250.md" @@ -92,7 +92,7 @@ FTP的正常工作需要使用到多个网络端口,服务器端会使用到 tcp6 0 0 :::21 :::* LISTEN 19716/vsftpd ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >如果没有**netstat**命令,可以执行**dnf install net-tools**命令安装后再使用**netstat**命令。 - 停止vsftpd服务 @@ -173,7 +173,7 @@ FTP的正常工作需要使用到多个网络端口,服务器端会使用到 ### 默认配置说明 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >文档中的配置内容仅供参考,请用户根据实际情况(例如安全加固需要)进行修改。 openEuler系统中 ,vsftpd默认不开放匿名用户,使用vim命令查看主配置文件,其内容如下: @@ -390,7 +390,7 @@ ftp> bye 221 Goodbye. ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >如果没有**ftp**命令,可以在root权限下执行**dnf install ftp**命令安装后再使用**ftp**命令。 @@ -488,7 +488,7 @@ ftp> ftp> mget *.* ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- 此时每下载一个文件,都会有提示信息。如果要屏蔽提示信息,则在 **mget \*.\*** 命令前先执行**prompt off** >- 文件都被下载到Linux主机的当前目录下。比如,在/home/myopenEuler/下运行的ftp命令,则文件都下载到/home/myopenEuler/下。 
diff --git "a/content/zh/docs/Administration/\346\220\255\345\273\272repo\346\234\215\345\212\241\345\231\250.md" "b/docs/zh/docs/Administration/\346\220\255\345\273\272repo\346\234\215\345\212\241\345\231\250.md" similarity index 82% rename from "content/zh/docs/Administration/\346\220\255\345\273\272repo\346\234\215\345\212\241\345\231\250.md" rename to "docs/zh/docs/Administration/\346\220\255\345\273\272repo\346\234\215\345\212\241\345\231\250.md" index dcc2d240f784cbf274403312525b67d3ae6da91f..fa3c25766e812ba079e41befd2e16fa57320aeef 100644 --- "a/content/zh/docs/Administration/\346\220\255\345\273\272repo\346\234\215\345\212\241\345\231\250.md" +++ "b/docs/zh/docs/Administration/\346\220\255\345\273\272repo\346\234\215\345\212\241\345\231\250.md" 
@@ -1,400 +1,400 @@ -# 搭建repo服务器 - ->![](public_sys-resources/icon-note.gif) **说明:** ->openEuler提供了多种repo源供用户在线使用,各repo源含义可参考[系统安装](../Releasenotes/系统安装.md)。若用户无法在线获取openEuler repo源,则可使用openEuler提供的ISO发布包创建为本地openEuler repo源。本章节中以openEuler-20.03-LTS-aarch64-dvd.iso发布包为例,请根据实际需要的ISO发布包进行修改。 - - - -- [搭建repo服务器](#搭建repo服务器) - - [概述](#概述) - - [创建/更新本地repo源](#创建更新本地repo源) - - [获取ISO发布包](#获取iso发布包) - - [挂载ISO创建repo源](#挂载iso创建repo源) - - [创建本地repo源](#创建本地repo源) - - [更新repo源](#更新repo源) - - [部署远端repo源](#部署远端repo源) - - [nginx安装与配置](#nginx安装与配置) - - [启动nginx服务](#启动nginx服务) - - [repo源部署](#repo源部署) - - [使用repo源](#使用repo源) - - [repo配置为yum源(软件源)](#repo配置为yum源软件源) - - [repo优先级](#repo优先级) - - [dnf相关命令](#dnf相关命令) - - - -## 概述 - -将openEuler提供的ISO发布包openEuler-20.03-LTS-aarch64-dvd.iso创建为repo源,如下以使用nginx进行repo源部署,提供http服务为例进行说明。 - -## 创建/更新本地repo源 - -使用mount挂载,将openEuler的ISO发布包openEuler-20.03-LTS-aarch64-dvd.iso创建为repo源,并能够对repo源进行更新。 -### 获取ISO发布包 - -请从如下网址获取openEuler的ISO发布包: - -[https://repo.openeuler.org/openEuler-20.03-LTS/ISO/](https://repo.openeuler.org/openEuler-20.03-LTS/ISO/) - -### 挂载ISO创建repo源 - -在root权限下使用mount命令挂载ISO发布包。 - -示例如下: - -``` -# mount /home/openEuler/openEuler-20.03-LTS-aarch64-dvd.iso /mnt/ -``` - -挂载好的mnt目录如下: - -``` -. -│── boot.catalog -│── docs -│── EFI -│── images -│── Packages -│── repodata -│── TRANS.TBL -└── RPM-GPG-KEY-openEuler -``` - -其中,Packages为rpm包所在的目录,repodata为repo源元数据所在的目录,RPM-GPG-KEY-openEuler为openEuler的签名公钥。 - -### 创建本地repo源 - -可以拷贝ISO发布包中相关文件至本地目录以创建本地repo源,示例如下: - -``` -# mount /home/openEuler/openEuler-20.03-LTS-aarch64-dvd.iso /mnt/ -$ mkdir -p ~/srv/repo/ -$ cp -r /mnt/Packages ~/srv/repo/ -$ cp -r /mnt/repodata ~/srv/repo/ -$ cp -r /mnt/RPM-GPG-KEY-openEuler ~/srv/repo/ -``` - -从而本地repo目录如下: - -``` -. 
-│── Packages -│── repodata -└── RPM-GPG-KEY-openEuler -``` - -Packages为rpm包所在的目录,repodata为repo源元数据所在的目录,RPM-GPG-KEY-openEuler为openEuler的签名公钥。 - -### 更新repo源 - -更新repo源有两种方式: - -- 通过新版本的ISO更新已有的repo源,与创建repo源的方式相同,即挂载ISO发布包或重新拷贝ISO发布包至本地目录。 - -- 在repo源的Packages目录下添加rpm包,然后通过createrepo命令更新repo源 - - ``` - $ createrepo --update --workers=10 ~/srv/repo - ``` - - 其中,\-\-update表示更新,\-\-workers表示线程数,可自定义。 - - >![](public_sys-resources/icon-note.gif) **说明:** - >若命令打印信息为“createrepo:未找到命令”,则表示未安装createrepo软件,可在root权限下执行**dnf install createrepo**进行安装。 - - -## 部署远端repo源 - -安装openEuler操作系统,在openEuler上通过nginx部署repo源。 -### nginx安装与配置 - -1. 请自行下载nginx工具并在root权限下安装nginx。 -2. 安装nginx之后,在root权限下配置/etc/nginx/nginx.conf。 - - >![](public_sys-resources/icon-note.gif) **说明:** - >文档中的配置内容仅供参考,请用户根据实际情况(例如安全加固需要)进行配置。 - - ``` - user nginx; - worker_processes auto; # 建议设置为core-1 - error_log /var/log/nginx/error.log warn; # log存放位置 - pid /var/run/nginx.pid; - - events { - worker_connections 1024; - } - - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - sendfile on; - keepalive_timeout 65; - - server { - listen 80; - server_name localhost; # 服务器名(url) - client_max_body_size 4G; - root /usr/share/nginx/repo; # 服务默认目录 - - location / { - autoindex on; # 开启访问目录下层文件 - autoindex_exact_size on; - autoindex_localtime on; - } - - } - - } - ``` - - -### 启动nginx服务 - -1. 在root权限下通过systemd启动nginx服务: - - ``` - # systemctl enable nginx - # systemctl start nginx - ``` - -2. 
nginx是否启动成功可通过下面命令查看: - - ``` - $ systemctl status nginx - ``` - - - [图1](#zh-cn_topic_0151920971_fd25e3f1d664b4087ae26631719990a71)表示nginx服务启动成功 - - **图 1** nginx服务启动成功 - ![](figures/nginx服务启动成功.png "nginx服务启动成功") - - - 若nginx服务启动失败,查看错误信息: - - ``` - $ systemctl status nginx.service --full - ``` - - **图 2** nginx服务启动失败 - ![](figures/nginx服务启动失败.png "nginx服务启动失败") - - 如[图2](#zh-cn_topic_0151920971_f1f9f3d086e454b9cba29a7cae96a4c54)所示nginx服务创建失败,是由于目录/var/spool/nginx/tmp/client\_body创建失败,在root权限下手动进行创建,类似的问题也这样处理: - - ``` - # mkdir -p /var/spool/nginx/tmp/client_body - # mkdir -p /var/spool/nginx/tmp/proxy - # mkdir -p /var/spool/nginx/tmp/fastcgi - # mkdir -p /usr/share/nginx/uwsgi_temp - # mkdir -p /usr/share/nginx/scgi_temp - ``` - - -### repo源部署 - -1. 在root权限下创建nginx配置文件/etc/nginx/nginx.conf中指定的目录/usr/share/nginx/repo: - - ``` - # mkdir -p /usr/share/nginx/repo - ``` - -2. 在root权限下修改目录/usr/share/nginx/repo的权限: - - ``` - # chmod -R 755 /usr/share/nginx/repo - ``` - -3. 设置防火墙规则,开启nginx设置的端口(此处为80端口),在root权限下通过firewall设置端口开启: - - ``` - # firewall-cmd --add-port=80/tcp --permanent - # firewall-cmd --reload - ``` - - 在root权限下查询80端口是否开启成功,输出为yes则表示80端口开启成功: - - ``` - # firewall-cmd --query-port=80/tcp - ``` - - 也可在root权限下通过iptables来设置80端口开启: - - ``` - # iptables -I INPUT -p tcp --dport 80 -j ACCEPT - ``` - -4. nginx服务设置好之后,即可通过ip直接访问网页,如[图3](#zh-cn_topic_0151921017_fig1880404110396): - - **图 3** nginx部署成功 - ![](figures/nginx部署成功.png "nginx部署成功") - -5. 
通过下面几种方式将repo源放入到/usr/share/nginx/repo下: - - 在root权限下拷贝镜像中相关文件至/usr/share/nginx/repo下,并修改目录权限。 - - ``` - # mount /home/openEuler/openEuler-20.03-LTS-aarch64-dvd.iso /mnt/ - # cp -r /mnt/Packages /usr/share/nginx/repo - # cp -r /mnt/repodata /usr/share/nginx/repo - # cp -r /mnt/RPM-GPG-KEY-openEuler /usr/share/nginx/repo - # chmod -R 755 /usr/share/nginx/repo - ``` - - openEuler-20.03-LTS-aarch64-dvd.iso存放在/home/openEuler目录下。 - - - 使用root在/usr/share/nginx/repo下创建repo源的软链接。 - - ``` - # ln -s /mnt /usr/share/nginx/repo/os - ``` - - /mnt为已经创建好的repo源,/usr/share/nginx/repo/os将指向/mnt。 - - - -## 使用repo源 - -repo可配置为yum源,yum(全称为 Yellow dog Updater, Modified)是一个Shell前端软件包管理器。基于RPM包管理,能够从指定的服务器自动下载RPM包并且安装,可以自动处理依赖性关系,并且一次安装所有依赖的软体包,无须繁琐地一次次下载和安装。 -### repo配置为yum源(软件源) - -构建好的repo可以配置为yum源使用,在/etc/yum.repos.d/目录下使用root权限创建\*\*\*.repo的配置文件(必须以.repo为扩展名),分为本地和http服务器配置yum源两种方式: - -- 配置本地yum源 - - 在/etc/yum.repos.d目录下创建openEuler.repo文件,使用构建的本地repo源作为yum源,openEuler.repo的内容如下: - - ``` - [base] - name=base - baseurl=file:///home/openEuler/srv/repo - enabled=1 - gpgcheck=1 - gpgkey=file:///home/openEuler/srv/repo/RPM-GPG-KEY-openEuler - ``` - - >![](public_sys-resources/icon-note.gif) **说明:** - > - \[*repoid*\]中的repoid为软件仓库(repository)的ID号,所有.repo配置文件中的各repoid不能重复,必须唯一。示例中repoid设置为**base**。 - > - name为软件仓库描述的字符串。 - > - baseurl为软件仓库的地址。 - > - enabled为是否启用该软件源仓库,可选值为1和0。默认值为1,表示启用该软件源仓库。 - > - gpgcheck可设置为1或0,1表示进行gpg(GNU Private Guard)校验,0表示不进行gpg校验,gpgcheck可以确定rpm包的来源是有效和安全的。 - > - gpgkey为验证签名用的公钥。 - -- 配置http服务器yum源 - - 在/etc/yum.repos.d目录下创建openEuler.repo文件。 - - - 若使用用户部署的http服务端的repo源作为yum源,openEuler.repo的内容如下: - - ``` - [base] - name=base - baseurl=http://192.168.139.209/ - enabled=1 - gpgcheck=1 - gpgkey=http://192.168.139.209/RPM-GPG-KEY-openEuler - ``` - - >![](public_sys-resources/icon-note.gif) **说明:** - >“192.168.139.209”为示例地址,请用户根据实际情况进行配置。 - - - 若使用openEuler提供的openEuler repo源作为yum源,以AArch64架构的OS repo源为例,openEuler.repo的内容如下: - - ``` - [base] - name=base - 
baseurl=http://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/ - enabled=1 - gpgcheck=1 - gpgkey=http://repo.openeuler.org/openEuler-20.03-LTS/OS/aarch64/RPM-GPG-KEY-openEuler - ``` - - - -### repo优先级 - -当有多个repo源时,可通过在.repo文件的priority参数设置repo的优先级(如果不设置,默认优先级是99,当相同优先级的源中存在相同rpm包时,会安装最新的版本)。其中,1为最高优先级,99为最低优先级,如给openEuler.repo配置优先级为2: - -``` -[base] -name=base -baseurl=http://192.168.139.209/ -enabled=1 -priority=2 -gpgcheck=1 -gpgkey=http://192.168.139.209/RPM-GPG-KEY-openEuler -``` - -### dnf相关命令 - -dnf命令在安装升级时能够自动解析包的依赖关系,一般的使用方式如下: - -``` -dnf -``` - -常用的命令如下: - -- 安装,需要在root权限下执行。 - - ``` - # dnf install - ``` - -- 升级,需要在root权限下执行。 - - ``` - # dnf update - ``` - -- 回退,需要在root权限下执行。 - - ``` - # dnf downgrade - ``` - -- 检查更新 - - ``` - $ dnf check-update - ``` - -- 卸载,需要在root权限下执行。 - - ``` - # dnf remove - ``` - -- 查询 - - ``` - $ dnf search - ``` - -- 本地安装,需要在root权限下执行。 - - ``` - # dnf localinstall - ``` - -- 查看历史记录 - - ``` - $ dnf history - ``` - -- 清除缓存目录 - - ``` - $ dnf clean all - ``` - -- 更新缓存 - - ``` - $ dnf makecache - ``` - +# 搭建repo服务器 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>openEuler提供了多种repo源供用户在线使用,各repo源含义可参考[系统安装](./../Releasenotes/系统安装.md)。若用户无法在线获取openEuler repo源,则可使用openEuler提供的ISO发布包创建为本地openEuler repo源。本章节中以openEuler-21.03-aarch64-dvd.iso发布包为例,请根据实际需要的ISO发布包进行修改。 + + + +- [搭建repo服务器](#搭建repo服务器) + - [概述](#概述) + - [创建/更新本地repo源](#创建更新本地repo源) + - [获取ISO发布包](#获取iso发布包) + - [挂载ISO创建repo源](#挂载iso创建repo源) + - [创建本地repo源](#创建本地repo源) + - [更新repo源](#更新repo源) + - [部署远端repo源](#部署远端repo源) + - [nginx安装与配置](#nginx安装与配置) + - [启动nginx服务](#启动nginx服务) + - [repo源部署](#repo源部署) + - [使用repo源](#使用repo源) + - [repo配置为yum源(软件源)](#repo配置为yum源软件源) + - [repo优先级](#repo优先级) + - [dnf相关命令](#dnf相关命令) + + + +## 概述 + +将openEuler提供的ISO发布包openEuler-21.03-aarch64-dvd.iso创建为repo源,如下以使用nginx进行repo源部署,提供http服务为例进行说明。 + +## 创建/更新本地repo源 + +使用mount挂载,将openEuler的ISO发布包openEuler-21.03-aarch64-dvd.iso创建为repo源,并能够对repo源进行更新。 +### 获取ISO发布包 + +请从如下网址获取openEuler的ISO发布包: + 
+[https://repo.openeuler.org/openEuler-21.03/ISO/](https://repo.openeuler.org/openEuler-21.03/ISO/) + +### 挂载ISO创建repo源 + +在root权限下使用mount命令挂载ISO发布包。 + +示例如下: + +``` +# mount /home/openEuler/openEuler-21.03-aarch64-dvd.iso /mnt/ +``` + +挂载好的mnt目录如下: + +``` +. +│── boot.catalog +│── docs +│── EFI +│── images +│── Packages +│── repodata +│── TRANS.TBL +└── RPM-GPG-KEY-openEuler +``` + +其中,Packages为rpm包所在的目录,repodata为repo源元数据所在的目录,RPM-GPG-KEY-openEuler为openEuler的签名公钥。 + +### 创建本地repo源 + +可以拷贝ISO发布包中相关文件至本地目录以创建本地repo源,示例如下: + +``` +# mount /home/openEuler/openEuler-21.03-aarch64-dvd.iso /mnt/ +$ mkdir -p ~/srv/repo/ +$ cp -r /mnt/Packages ~/srv/repo/ +$ cp -r /mnt/repodata ~/srv/repo/ +$ cp -r /mnt/RPM-GPG-KEY-openEuler ~/srv/repo/ +``` + +从而本地repo目录如下: + +``` +. +│── Packages +│── repodata +└── RPM-GPG-KEY-openEuler +``` + +Packages为rpm包所在的目录,repodata为repo源元数据所在的目录,RPM-GPG-KEY-openEuler为openEuler的签名公钥。 + +### 更新repo源 + +更新repo源有两种方式: + +- 通过新版本的ISO更新已有的repo源,与创建repo源的方式相同,即挂载ISO发布包或重新拷贝ISO发布包至本地目录。 + +- 在repo源的Packages目录下添加rpm包,然后通过createrepo命令更新repo源 + + ``` + $ createrepo --update --workers=10 ~/srv/repo + ``` + + 其中,\-\-update表示更新,\-\-workers表示线程数,可自定义。 + + >![](./public_sys-resources/icon-note.gif) **说明:** + >若命令打印信息为“createrepo:未找到命令”,则表示未安装createrepo软件,可在root权限下执行**dnf install createrepo**进行安装。 + + +## 部署远端repo源 + +安装openEuler操作系统,在openEuler上通过nginx部署repo源。 +### nginx安装与配置 + +1. 请自行下载nginx工具并在root权限下安装nginx。 +2. 
安装nginx之后,在root权限下配置/etc/nginx/nginx.conf。 + + >![](./public_sys-resources/icon-note.gif) **说明:** + >文档中的配置内容仅供参考,请用户根据实际情况(例如安全加固需要)进行配置。 + + ``` + user nginx; + worker_processes auto; # 建议设置为core-1 + error_log /var/log/nginx/error.log warn; # log存放位置 + pid /var/run/nginx.pid; + + events { + worker_connections 1024; + } + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + sendfile on; + keepalive_timeout 65; + + server { + listen 80; + server_name localhost; # 服务器名(url) + client_max_body_size 4G; + root /usr/share/nginx/repo; # 服务默认目录 + + location / { + autoindex on; # 开启访问目录下层文件 + autoindex_exact_size on; + autoindex_localtime on; + } + + } + + } + ``` + + +### 启动nginx服务 + +1. 在root权限下通过systemd启动nginx服务: + + ``` + # systemctl enable nginx + # systemctl start nginx + ``` + +2. nginx是否启动成功可通过下面命令查看: + + ``` + $ systemctl status nginx + ``` + + - [图1](#zh-cn_topic_0151920971_fd25e3f1d664b4087ae26631719990a71)表示nginx服务启动成功 + + **图 1** nginx服务启动成功 + ![](./figures/nginx_start_success.png) + + - 若nginx服务启动失败,查看错误信息: + + ``` + $ systemctl status nginx.service --full + ``` + + **图 2** nginx服务启动失败 + ![](./figures/nginx_start_failed.png) + + 如[图2](#zh-cn_topic_0151920971_f1f9f3d086e454b9cba29a7cae96a4c54)所示nginx服务创建失败,是由于目录/var/spool/nginx/tmp/client\_body创建失败,在root权限下手动进行创建,类似的问题也这样处理: + + ``` + # mkdir -p /var/spool/nginx/tmp/client_body + # mkdir -p /var/spool/nginx/tmp/proxy + # mkdir -p /var/spool/nginx/tmp/fastcgi + # mkdir -p /usr/share/nginx/uwsgi_temp + # mkdir -p /usr/share/nginx/scgi_temp + ``` + + +### repo源部署 + +1. 在root权限下创建nginx配置文件/etc/nginx/nginx.conf中指定的目录/usr/share/nginx/repo: + + ``` + # mkdir -p /usr/share/nginx/repo + ``` + +2. 
在root权限下修改目录/usr/share/nginx/repo的权限: + + ``` + # chmod -R 755 /usr/share/nginx/repo + ``` + +3. 设置防火墙规则,开启nginx设置的端口(此处为80端口),在root权限下通过firewall设置端口开启: + + ``` + # firewall-cmd --add-port=80/tcp --permanent + # firewall-cmd --reload + ``` + + 在root权限下查询80端口是否开启成功,输出为yes则表示80端口开启成功: + + ``` + # firewall-cmd --query-port=80/tcp + ``` + + 也可在root权限下通过iptables来设置80端口开启: + + ``` + # iptables -I INPUT -p tcp --dport 80 -j ACCEPT + ``` + +4. nginx服务设置好之后,即可通过ip直接访问网页,如[图3](#zh-cn_topic_0151921017_fig1880404110396): + + **图 3** nginx部署成功 + ![](./figures/nginx_deployed_success.png) + +5. 通过下面几种方式将repo源放入到/usr/share/nginx/repo下: + - 在root权限下拷贝镜像中相关文件至/usr/share/nginx/repo下,并修改目录权限。 + + ``` + # mount /home/openEuler/openEuler-21.03-aarch64-dvd.iso /mnt/ + # cp -r /mnt/Packages /usr/share/nginx/repo + # cp -r /mnt/repodata /usr/share/nginx/repo + # cp -r /mnt/RPM-GPG-KEY-openEuler /usr/share/nginx/repo + # chmod -R 755 /usr/share/nginx/repo + ``` + + openEuler-21.03-aarch64-dvd.iso存放在/home/openEuler目录下。 + + - 使用root在/usr/share/nginx/repo下创建repo源的软链接。 + + ``` + # ln -s /mnt /usr/share/nginx/repo/os + ``` + + /mnt为已经创建好的repo源,/usr/share/nginx/repo/os将指向/mnt。 + + + +## 使用repo源 + +repo可配置为yum源,yum(全称为 Yellow dog Updater, Modified)是一个Shell前端软件包管理器。基于RPM包管理,能够从指定的服务器自动下载RPM包并且安装,可以自动处理依赖性关系,并且一次安装所有依赖的软体包,无须繁琐地一次次下载和安装。 +### repo配置为yum源(软件源) + +构建好的repo可以配置为yum源使用,在/etc/yum.repos.d/目录下使用root权限创建\*\*\*.repo的配置文件(必须以.repo为扩展名),分为本地和http服务器配置yum源两种方式: + +- 配置本地yum源 + + 在/etc/yum.repos.d目录下创建openEuler.repo文件,使用构建的本地repo源作为yum源,openEuler.repo的内容如下: + + ``` + [base] + name=base + baseurl=file:///home/openEuler/srv/repo + enabled=1 + gpgcheck=1 + gpgkey=file:///home/openEuler/srv/repo/RPM-GPG-KEY-openEuler + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + > - \[*repoid*\]中的repoid为软件仓库(repository)的ID号,所有.repo配置文件中的各repoid不能重复,必须唯一。示例中repoid设置为**base**。 + > - name为软件仓库描述的字符串。 + > - baseurl为软件仓库的地址。 + > - enabled为是否启用该软件源仓库,可选值为1和0。默认值为1,表示启用该软件源仓库。 + > - 
gpgcheck可设置为1或0,1表示进行gpg(GNU Private Guard)校验,0表示不进行gpg校验,gpgcheck可以确定rpm包的来源是有效和安全的。 + > - gpgkey为验证签名用的公钥。 + +- 配置http服务器yum源 + + 在/etc/yum.repos.d目录下创建openEuler.repo文件。 + + - 若使用用户部署的http服务端的repo源作为yum源,openEuler.repo的内容如下: + + ``` + [base] + name=base + baseurl=http://192.168.139.209/ + enabled=1 + gpgcheck=1 + gpgkey=http://192.168.139.209/RPM-GPG-KEY-openEuler + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >“192.168.139.209”为示例地址,请用户根据实际情况进行配置。 + + - 若使用openEuler提供的openEuler repo源作为yum源,以AArch64架构的OS repo源为例,openEuler.repo的内容如下: + + ``` + [base] + name=base + baseurl=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/ + enabled=1 + gpgcheck=1 + gpgkey=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/RPM-GPG-KEY-openEuler + ``` + + + +### repo优先级 + +当有多个repo源时,可通过在.repo文件的priority参数设置repo的优先级(如果不设置,默认优先级是99,当相同优先级的源中存在相同rpm包时,会安装最新的版本)。其中,1为最高优先级,99为最低优先级,如给openEuler.repo配置优先级为2: + +``` +[base] +name=base +baseurl=http://192.168.139.209/ +enabled=1 +priority=2 +gpgcheck=1 +gpgkey=http://192.168.139.209/RPM-GPG-KEY-openEuler +``` + +### dnf相关命令 + +dnf命令在安装升级时能够自动解析包的依赖关系,一般的使用方式如下: + +``` +dnf +``` + +常用的命令如下: + +- 安装,需要在root权限下执行。 + + ``` + # dnf install + ``` + +- 升级,需要在root权限下执行。 + + ``` + # dnf update + ``` + +- 回退,需要在root权限下执行。 + + ``` + # dnf downgrade + ``` + +- 检查更新 + + ``` + $ dnf check-update + ``` + +- 卸载,需要在root权限下执行。 + + ``` + # dnf remove + ``` + +- 查询 + + ``` + $ dnf search + ``` + +- 本地安装,需要在root权限下执行。 + + ``` + # dnf localinstall + ``` + +- 查看历史记录 + + ``` + $ dnf history + ``` + +- 清除缓存目录 + + ``` + $ dnf clean all + ``` + +- 更新缓存 + + ``` + $ dnf makecache + ``` + 
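Review bot: The rewritten `.repo` examples still use plain HTTP for both packages and key (`baseurl=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/`, `gpgkey=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/RPM-GPG-KEY-openEuler`), while the ISO link in the same file already uses `https://repo.openeuler.org/`. With the signing key fetched over the same unauthenticated channel as the packages, `gpgcheck=1` gives no protection against anyone able to alter the traffic. Please switch both URLs to https, or point `gpgkey` at a key file that was installed locally and verified out of band, as the `file://` example does. The note also expands gpg as "GNU Private Guard", which should read "GNU Privacy Guard". Finally, the hunk replaces all 400 lines even though most removed and added lines read the same. If that comes from a line-ending or whitespace change, splitting it out would make the real edits (20.03-LTS to 21.03, image paths) reviewable.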
diff --git "a/content/zh/docs/Administration/\346\220\255\345\273\272web\346\234\215\345\212\241\345\231\250.md" "b/docs/zh/docs/Administration/\346\220\255\345\273\272web\346\234\215\345\212\241\345\231\250.md" similarity index 98% rename from "content/zh/docs/Administration/\346\220\255\345\273\272web\346\234\215\345\212\241\345\231\250.md" rename to "docs/zh/docs/Administration/\346\220\255\345\273\272web\346\234\215\345\212\241\345\231\250.md" index b0878f072c7e5585f45877ba0756ea253b75a119..47a06bc374adce4ce9442eb593b1a7a6778dbe88 100644 --- "a/content/zh/docs/Administration/\346\220\255\345\273\272web\346\234\215\345\212\241\345\231\250.md" +++ "b/docs/zh/docs/Administration/\346\220\255\345\273\272web\346\234\215\345\212\241\345\231\250.md" @@ -39,7 +39,7 @@ openEuler系统中的web服务器版本是Apache HTTP服务器2.4版本,即htt # dnf install httpd ``` - 更多关于管理服务的内容,请参见[管理服务](管理服务.html)。 + 更多关于管理服务的内容,请参见[管理服务](./管理服务.html)。 - 启动、停止和重启httpd服务,需要使用root权限。 @@ -60,7 +60,7 @@ openEuler系统中的web服务器版本是Apache HTTP服务器2.4版本,即htt ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >假如正在运行的Apache HTTP服务器作为一个安全服务器,系统开机启动后需要密码,这个密码使用的是加密的私有SSL密钥。 #### 停止服务 @@ -157,7 +157,7 @@ $ systemctl is-active httpd Syntax OK ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 在修改配置文件之前,请先备份原始文件,以便出现问题时能够快速恢复配置文件。 >- 需要重启web服务,才能使修改后的配置文件生效。 @@ -198,7 +198,7 @@ httpd服务是一个模块化的应用,它和许多动态共享对象DSO(Dyn ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >**httpd 的常用命令** > >- httpd -v : 查看httpd的版本号。 @@ -316,7 +316,7 @@ Nginx 是一款轻量级的 Web 服务器/反向代理服务器及电子邮件 ### 安装 -1. 配置本地yum源,详细信息请参考[搭建repo服务器](搭建repo服务器.html)。 +1. 配置本地yum源,详细信息请参考[搭建repo服务器](./搭建repo服务器.html)。 2. 清除缓存。 ``` 
@@ -352,7 +352,7 @@ Nginx 是一款轻量级的 Web 服务器/反向代理服务器及电子邮件 - 为了能够使用nginx服务,请确保您的系统中已经安装nginx服务。若未安装,可参考[安装](#安装)进行安装。 - 更多关于管理服务的内容,请参见[管理服务](管理服务.html)。 + 更多关于管理服务的内容,请参见[管理服务](./管理服务.html)。 - 启动、停止和重启nginx服务,需要使用root权限。 @@ -373,7 +373,7 @@ Nginx 是一款轻量级的 Web 服务器/反向代理服务器及电子邮件 ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >假如正在运行的nginx服务器作为一个安全服务器,系统开机启动后需要密码,这个密码使用的是加密的私有SSL密钥。 #### 停止服务 @@ -466,7 +466,7 @@ $ systemctl is-active nginx 如果回显信息中有“syntax is ok”,说明配置文件语法正确。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 在修改配置文件之前,请先备份原始文件,以便出现问题时能够快速恢复配置文件。 >- 需要重启web服务,才能使修改后的配置文件生效。 diff --git "a/content/zh/docs/Administration/\346\220\255\345\273\272\346\225\260\346\215\256\345\272\223\346\234\215\345\212\241\345\231\250.md" "b/docs/zh/docs/Administration/\346\220\255\345\273\272\346\225\260\346\215\256\345\272\223\346\234\215\345\212\241\345\231\250.md" similarity index 95% rename from "content/zh/docs/Administration/\346\220\255\345\273\272\346\225\260\346\215\256\345\272\223\346\234\215\345\212\241\345\231\250.md" rename to "docs/zh/docs/Administration/\346\220\255\345\273\272\346\225\260\346\215\256\345\272\223\346\234\215\345\212\241\345\231\250.md" index a6a66a23842316b8a1329110c09784b8b207e0c1..01125487a5d37d270abd5ace14492b9a83081f8b 100644 --- "a/content/zh/docs/Administration/\346\220\255\345\273\272\346\225\260\346\215\256\345\272\223\346\234\215\345\212\241\345\231\250.md" +++ "b/docs/zh/docs/Administration/\346\220\255\345\273\272\346\225\260\346\215\256\345\272\223\346\234\215\345\212\241\345\231\250.md" @@ -28,7 +28,7 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1](#table62020913417)所示。 **图 1** PostgreSql架构 -![](figures/PostgreSql架构.png "PostgreSql架构") +![](./figures/PostgreSql_architecture.png) **表 1** PostgreSql中的主要进程说明 
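Review bot: In the `@@ -28,7 +28,7 @@` hunk the new image line `![](./figures/PostgreSql_architecture.png)` drops the title "PostgreSql架构" and leaves the alt text empty, so the figure has no text fallback if the file is missing or for screen readers. Suggest keeping a description, for example `![PostgreSql架构](./figures/PostgreSql_architecture.png)`. The same applies to the other renamed figures in this file. Please also confirm that the figure files themselves are renamed to the new ASCII names in this change, since only the Markdown references are visible here.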
@@ -105,11 +105,11 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1 ### 配置环境 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >以下环境配置仅为参考示例,具体配置视实际需求做配置 #### 关闭防火墙并取消开机自启动 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >测试环境下通常会关闭防火墙以避免部分网络因素影响,视实际需求做配置。 1. 在root权限下停止防火墙。 @@ -124,7 +124,7 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1 # systemctl disable firewalld ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >执行disable命令关闭防火墙的同时,也取消了开机自启动。 @@ -139,7 +139,7 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1 #### 创建组和用户 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >服务器环境下,为了系统安全,通常会为进程分配单独的用户,以实现权限隔离。本章节创建的组和用户都是操作系统层面的,不是数据库层面的。 1. 在root权限下创建PostgreSQL用户(组)。 @@ -161,7 +161,7 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1 #### 搭建数据盘 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 测试极限性能时,建议单独挂载IO性能更优的NVME SSD存储介质创建PostgreSQL测试实例,避免磁盘IO对性能测试结果的影响,本文以单独挂载NVME SSD为例,参考步骤1\~步骤4。 >- 非性能测试时,在root权限下执行以下命令,创建数据目录即可。然后跳过本小节: > \# mkdir /data @@ -197,7 +197,7 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1 ### 安装、运行和卸载 #### 安装 -1. 配置本地yum源,详细信息请参考[搭建repo服务器](搭建repo服务器.html)。 +1. 配置本地yum源,详细信息请参考[搭建repo服务器](./搭建repo服务器.html)。 2. 清除缓存。 ``` @@ -226,7 +226,7 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1 #### 运行 ##### 初始化数据库 ->![](public_sys-resources/icon-notice.gif) **须知:** +>![](./public_sys-resources/icon-notice.gif) **须知:** >此步骤在postgres用户下操作。 1. 切换到已创建的PostgreSQL用户。 @@ -258,7 +258,7 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1 命令执行后,打印信息如下图所示,PostgreSQL相关进程已经正常启动了。 - ![](figures/postgres.png) + ![](./figures/postgres.png) ##### 登录数据库 
@@ -269,9 +269,9 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1 $ /usr/bin/psql -U postgres ``` - ![](figures/登录.png) + ![](./figures/login.png) - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >初次登录数据库,无需密码。 @@ -283,7 +283,7 @@ PostgreSQL的架构如[图1](#fig26022387391)所示,主要进程说明如[表1 postgres=#alter user postgres with password '123456'; ``` - ![](figures/zh-cn_image_0230050789.png) + ![](./figures/zh-cn_image_0230050789.png) ##### 退出数据库 @@ -702,7 +702,7 @@ postgres=# \l; 可以使用DROP DATABASE语句或dropdb来删除数据库。dropdb是对DROP DATABASE命令的封装,需要在shell界面执行,而不是在数据库界面。 ->![](public_sys-resources/icon-caution.gif) **注意:** +>![](./public_sys-resources/icon-caution.gif) **注意:** >删除数据库要谨慎操作,一旦删除,数据库中的所有表和数据都会删除。 ``` @@ -797,7 +797,7 @@ MariaDB数据库管理系统是MySQL的一个分支,主要由开源社区在 MariaDB的架构如[图2](#fig13492418164520)所示。 **图 2** MariaDB逻辑架构 -![](figures/MariaDB逻辑架构.png "MariaDB逻辑架构") +![](./figures/logical_architectureofMariaDB.png) 当Mariadb接受到Sql语句时,其详细的执行过程如下: @@ -819,11 +819,11 @@ MariaDB的架构如[图2](#fig13492418164520)所示。 ### 配置环境 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >以下环境配置仅为参考示例,具体配置视实际需求做配置 #### 关闭防火墙并取消开机自启动 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >测试环境下通常会关闭防火墙以避免部分网络因素影响,视实际需求做配置。 1. 在root权限下停止防火墙。 @@ -838,7 +838,7 @@ MariaDB的架构如[图2](#fig13492418164520)所示。 # systemctl disable firewalld ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >执行disable命令关闭防火墙的同时,也取消了开机自启动。 @@ -853,7 +853,7 @@ MariaDB的架构如[图2](#fig13492418164520)所示。 #### 创建组和用户 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >服务器环境下,为了系统安全,通常会为进程分配单独的用户,以实现权限隔离。本章节创建的组和用户都是操作系统层面的,不是数据库层面的。 1. 在root权限下创建MySQL用户(组)。 
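Review bot: In the `@@ -283,7 +283,7 @@` hunk the context line `postgres=#alter user postgres with password '123456';` documents a trivially guessable password for the database superuser, and readers tend to copy such examples verbatim. Since this hunk already touches the step, suggest replacing the literal with a placeholder (for example `'new_password'`) plus a sentence telling the reader to choose a strong password. A space after the `postgres=#` prompt would also match the other psql examples.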
@@ -877,7 +877,7 @@ MariaDB的架构如[图2](#fig13492418164520)所示。 #### 搭建数据盘 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 进行性能测试时,数据目录使用单独硬盘,需要对硬盘进行格式化并挂载,参考方法一或者方法二 >- 非性能测试时,在root权限下执行以下命令,创建数据目录即可。然后跳过本小节: > \#mkdir /data @@ -916,15 +916,15 @@ MariaDB的架构如[图2](#fig13492418164520)所示。 其中,/dev/nvme0n1p1为示例,具体名称以实际情况为准。 - ![](figures/搭建数据盘.png) + ![](./figures/creat_datadisk1.png) ##### 方法二:在root权限下使用LVM进行磁盘管理 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >此步骤需要安装镜像中的lvm2相关包,步骤如下: > ->1. 配置本地yum源,详细信息请参考[搭建repo服务器](搭建repo服务器.html)。如果已经执行,则可跳过此步。 +>1. 配置本地yum源,详细信息请参考[搭建repo服务器](./搭建repo服务器.html)。如果已经执行,则可跳过此步。 >2. 在root权限下执行命令安装lvm2。 > **\# yum install lvm2** @@ -966,7 +966,7 @@ MariaDB的架构如[图2](#fig13492418164520)所示。 其中,/dev/datavg/datalv为示例,具体名称以实际情况为准。 - ![](figures/D1376B2A-D036-41C4-B852-E8368F363B5E.png) + ![](./figures/D1376B2A-D036-41C4-B852-E8368F363B5E.png) #### 创建数据库目录并且授权 @@ -984,7 +984,7 @@ MariaDB的架构如[图2](#fig13492418164520)所示。 ### 安装、运行和卸载 #### 安装 -1. 配置本地yum源,详细信息请参考[搭建repo服务器](搭建repo服务器.html)。 +1. 配置本地yum源,详细信息请参考[搭建repo服务器](./搭建repo服务器.html)。 2. 清除缓存。 ``` @@ -1034,7 +1034,7 @@ MariaDB的架构如[图2](#fig13492418164520)所示。 命令执行后提示输入密码。密码为[2](#li197143190587)中设置的密码。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >执行 **\\q** 或者 **exit** 可退出数据库。 @@ -1169,7 +1169,7 @@ SET PASSWORD FOR 'username'@'hostname' = PASSWORD('newpassword'); - FOR 'username'@'hostname':FOR字句,可选项,指定欲修改密码的用户名及主机名。 - PASSWORD\('newpassword'\):表示使用函数PASSWORD\(\)设置新口令,即新口令必须传递到函数PASSWORD\(\)中进行加密。 ->![](public_sys-resources/icon-caution.gif) **注意:** +>![](./public_sys-resources/icon-caution.gif) **注意:** >PASSWORD\(\)函数为单向加密函数,一旦加密后不能解密出原明文。 在SET PASSWORD语句中,若不加上FOR子句,表示修改当前用户的密码。 
@@ -1194,7 +1194,7 @@ FOR字句中必须以'username'@'hostname'的格式给定,username为账户的 DROP USER 'username1'@'hostname1' [,'username2'@'hostname2']…; ``` ->![](public_sys-resources/icon-caution.gif) **注意:** +>![](./public_sys-resources/icon-caution.gif) **注意:** >用户的删除不会影响他们之前所创建的表、索引或其他数据库对象,因为数据库并不会记录创建了这些对象的账号。 DROP USER语句可用于删除一个或多个数据库账号,并删除其原有权限。 @@ -1320,7 +1320,7 @@ USE databasename; 可以使用DROP DATABASE语句来删除数据库。 ->![](public_sys-resources/icon-caution.gif) **注意:** +>![](./public_sys-resources/icon-caution.gif) **注意:** >删除数据库要谨慎操作,一旦删除,数据库中的所有表和数据都会删除。 ``` @@ -1416,7 +1416,7 @@ mysqldump [options] -all-databases > outputfile 可以在root权限下使用mysql命令恢复数据库。 -备份一个或多个表: +恢复一个或多个表: ``` mysql -h hostname -P portnumber -u username -ppassword databasename < infile @@ -1450,11 +1450,11 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 ### 配置环境 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >以下环境配置仅为参考示例,具体配置视实际需求做配置 #### 关闭防火墙并取消开机自启动 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >测试环境下通常会关闭防火墙以避免部分网络因素影响,视实际需求做配置。 1. 在root权限下停止防火墙。 @@ -1469,7 +1469,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 # systemctl disable firewalld ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >执行disable命令关闭防火墙的同时,也取消了开机自启动。 @@ -1484,7 +1484,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 #### 创建组和用户 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >服务器环境下,为了系统安全,通常会为进程分配单独的用户,以实现权限隔离。本章节创建的组和用户都是操作系统层面的,不是数据库层面的。 1. 在root权限下创建MySQL用户(组)。 @@ -1508,7 +1508,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 #### 搭建数据盘 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 进行性能测试时,数据目录使用单独硬盘,需要对硬盘进行格式化并挂载,参考方法一或者方法二 >- 非性能测试时,在root权限下执行以下命令,创建数据目录即可。然后跳过本小节: > \# mkdir /data 
@@ -1547,14 +1547,14 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 其中,/dev/nvme0n1p1为示例,具体名称以实际情况为准。 - ![](figures/搭建数据盘-0.png) + ![](./figures/creat_datadisk.png) ##### 方法二:在root权限下使用LVM进行磁盘管理 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >此步骤需要安装镜像中的lvm2相关包,步骤如下: ->1. 配置本地yum源,详细信息请参考[搭建repo服务器](搭建repo服务器.html)。如果已经执行,则可跳过此步。 +>1. 配置本地yum源,详细信息请参考[搭建repo服务器](./搭建repo服务器.html)。如果已经执行,则可跳过此步。 >2. 执行命令安装lvm2。 > **\#yum install lvm2** @@ -1596,7 +1596,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 其中,/dev/datavg/datalv为示例,具体名称以实际情况为准。 - ![](figures/D1376B2A-D036-41C4-B852-E8368F363B5E-1.png) + ![](./figures/D1376B2A-D036-41C4-B852-E8368F363B5E-1.png) #### 创建数据库目录并且授权 @@ -1614,7 +1614,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 ### 安装、运行和卸载 #### 安装 -1. 配置本地yum源,详细信息请参考[搭建repo服务器](搭建repo服务器.html)章节。 +1. 配置本地yum源,详细信息请参考[搭建repo服务器](./搭建repo服务器.html)章节。 2. 清除缓存。 ``` @@ -1630,13 +1630,13 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 4. 在root权限下安装MySQL服务器。 ``` - # dnf install mysql + # dnf install mysql-server ``` 5. 查看安装后的rpm包。 ``` - $ rpm -qa | grep mysql + $ rpm -qa | grep mysql-server ``` @@ -1677,9 +1677,9 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 $ cat /etc/my.cnf ``` - ![](figures/zh-cn_image_0231563132.png) + ![](./figures/zh-cn_image_0231563132.png) - >![](public_sys-resources/icon-caution.gif) **注意:** + >![](./public_sys-resources/icon-caution.gif) **注意:** >其中basedir为软件安装路径,请根据实际情况修改。 3. 在root权限下修改/etc/my.cnf文件的组和用户为mysql:mysql @@ -1695,7 +1695,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 # echo export PATH=$PATH:/usr/local/mysql/bin >> /etc/profile ``` - >![](public_sys-resources/icon-caution.gif) **注意:** + >![](./public_sys-resources/icon-caution.gif) **注意:** >其中PATH中的“/usr/local/mysql/bin“路径,为MySQL软件安装目录下的bin文件的绝对路径。请根据实际情况修改。 2. 在root权限下使环境变量配置生效。 
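Review bot: In the `@@ -1695,7 +1695,7 @@` hunk the context command `echo export PATH=$PATH:/usr/local/mysql/bin >> /etc/profile` is unquoted, so the shell expands `$PATH` when the command is run. /etc/profile then receives a frozen copy of root's current PATH instead of the literal `$PATH`, and every login shell on the system inherits root's search path at that moment. While the note below it is being edited, suggest single-quoting the argument: `echo 'export PATH=$PATH:/usr/local/mysql/bin' >> /etc/profile`.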
@@ -1706,7 +1706,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 3. 在root权限下初始化数据库。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >本步骤倒数第2行中有初始密码,请注意保存,登录数据库时需要使用。 ``` @@ -1720,7 +1720,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 4. 启动数据库。 - >![](public_sys-resources/icon-caution.gif) **注意:** + >![](./public_sys-resources/icon-caution.gif) **注意:** >如果第一次启动数据库服务,以root用户启动数据库,则启动时会提示缺少mysql.log文件而导致失败。使用mysql用户启动之后,会在/data/mysql/log目录下生成mysql.log文件,再次使用root用户启动则不会报错。 1. 在root权限下修改文件权限。 @@ -1745,7 +1745,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 5. 登录数据库。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- 提示输入密码时,请输入[3](#li15634560582)产生的初始密码。 >- 如果采用官网RPM安装方式,则mysql文件在/usr/bin目录下。登录数据库的命令根据实际情况修改。 @@ -1753,7 +1753,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 $ /usr/local/mysql/bin/mysql -uroot -p -S /data/mysql/run/mysql.sock ``` - ![](figures/zh-cn_image_0231563134.png) + ![](./figures/zh-cn_image_0231563134.png) 6. 配置数据库帐号密码。 1. 登录数据库以后,修改通过root用户登录数据库的密码。 @@ -1775,7 +1775,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 mysql> flush privileges; ``` - ![](figures/zh-cn_image_0231563135.png) + ![](./figures/zh-cn_image_0231563135.png) 7. 退出数据库。 @@ -1785,7 +1785,7 @@ MySQL所使用的SQL语言是用于访问数据库的最常用标准化语言。 mysql> exit ``` - ![](figures/zh-cn_image_0231563136.png) + ![](./figures/zh-cn_image_0231563136.png) #### 卸载 @@ -1941,7 +1941,7 @@ FOR字句中必须以'username'@'hostname'的格式给定,username为账户的 DROP USER 'username1'@'hostname1' [,'username2'@'hostname2']…; ``` ->![](public_sys-resources/icon-caution.gif) **注意:** +>![](./public_sys-resources/icon-caution.gif) **注意:** >用户的删除不会影响他们之前所创建的表、索引或其他数据库对象,因为数据库并不会记录创建了这些对象的账号。 DROP USER语句可用于删除一个或多个数据库账号,并删除其原有权限。 @@ -2067,7 +2067,7 @@ USE databasename; 可以使用DROP DATABASE语句来删除数据库。 ->![](public_sys-resources/icon-caution.gif) **注意:** +>![](./public_sys-resources/icon-caution.gif) **注意:** >删除数据库要谨慎操作,一旦删除,数据库中的所有表和数据都会删除。 ``` 
@@ -2163,7 +2163,7 @@ mysqldump [options] -all-databases > outputfile 可以在root权限下使用mysql命令恢复数据库。 -备份一个或多个表: +恢复一个或多个表: ``` mysql -h hostname -P portnumber -u username -ppassword databasename < infile diff --git "a/content/zh/docs/Administration/\346\220\255\345\273\272\346\234\215\345\212\241.md" "b/docs/zh/docs/Administration/\346\220\255\345\273\272\346\234\215\345\212\241.md" similarity index 100% rename from "content/zh/docs/Administration/\346\220\255\345\273\272\346\234\215\345\212\241.md" rename to "docs/zh/docs/Administration/\346\220\255\345\273\272\346\234\215\345\212\241.md" diff --git "a/content/zh/docs/Administration/\346\237\245\347\234\213\347\263\273\347\273\237\344\277\241\346\201\257.md" "b/docs/zh/docs/Administration/\346\237\245\347\234\213\347\263\273\347\273\237\344\277\241\346\201\257.md" similarity index 82% rename from "content/zh/docs/Administration/\346\237\245\347\234\213\347\263\273\347\273\237\344\277\241\346\201\257.md" rename to "docs/zh/docs/Administration/\346\237\245\347\234\213\347\263\273\347\273\237\344\277\241\346\201\257.md" index c96e6112cdf7d80a9728c91607f194c1e810d926..ad0a369592ea7ba663cc5af3ceba0ca65a91372d 100644 --- "a/content/zh/docs/Administration/\346\237\245\347\234\213\347\263\273\347\273\237\344\277\241\346\201\257.md" +++ "b/docs/zh/docs/Administration/\346\237\245\347\234\213\347\263\273\347\273\237\344\277\241\346\201\257.md" 
@@ -1,46 +1,46 @@ -# 查看系统信息 - -- 查看系统信息,命令如下: - - ``` - $ cat /etc/os-release - ``` - - 例如,命令和输出如下: - - ``` - $ cat /etc/os-release - NAME="openEuler" - VERSION="20.09" - ID="openEuler" - VERSION_ID="20.09" - PRETTY_NAME="openEuler 20.09" - ANSI_COLOR="0;31" - ``` - - -- 查看系统相关的资源信息。 - - 查看CPU信息,命令如下: - - ``` - $ lscpu - ``` - - 查看内存信息,命令如下: - - ``` - $ free - ``` - - 查看磁盘信息,命令如下: - - ``` - $ fdisk -l - ``` - -- 查看系统资源实时信息,命令如下: - - ``` - $ top - ``` +# 查看系统信息 + +- 查看系统信息,命令如下: + + ``` + $ cat /etc/os-release + ``` + + 例如,命令和输出如下: + + ``` + $ cat /etc/os-release + NAME="openEuler" + VERSION="21.03" + ID="openEuler" + VERSION_ID="21.03" + PRETTY_NAME="openEuler 21.03" + ANSI_COLOR="0;31" + ``` + + +- 查看系统相关的资源信息。 + + 查看CPU信息,命令如下: + + ``` + $ lscpu + ``` + + 查看内存信息,命令如下: + + ``` + $ free + ``` + + 查看磁盘信息,命令如下: + + ``` + $ fdisk -l + ``` + +- 查看系统资源实时信息,命令如下: + + ``` + $ top + ``` diff --git "a/content/zh/docs/Administration/\347\256\241\347\220\206\346\234\215\345\212\241.md" "b/docs/zh/docs/Administration/\347\256\241\347\220\206\346\234\215\345\212\241.md" similarity index 98% rename from "content/zh/docs/Administration/\347\256\241\347\220\206\346\234\215\345\212\241.md" rename to "docs/zh/docs/Administration/\347\256\241\347\220\206\346\234\215\345\212\241.md" index 4ad3fba84371272ea948a9ef2a52d4af97faf311..9ad11554dbbc02828fb74e04f65b703e2af51382 100644 --- "a/content/zh/docs/Administration/\347\256\241\347\220\206\346\234\215\345\212\241.md" +++ "b/docs/zh/docs/Administration/\347\256\241\347\220\206\346\234\215\345\212\241.md" @@ -53,148 +53,89 @@ systemd开启和监督整个系统是基于unit的概念。unit是由一个与 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

unit名称

后缀名

描述

Service unit

.service

系统服务。

Target unit

.target

一组systemd units。

Automount unit

.automount

文件系统挂载点。

Device unit

.device

内核识别的设备文件。

Mount unit

.mount

文件系统挂载点。

Path unit

.path

在一个文件系统中的文件或目录。

Scope unit

.scope

外部创建的进程。

Slice unit

.slice

一组用于管理系统进程分层组织的units。

Snapshot unit

-

.snapshot

-

systemd manager的保存状态。

-

Socket unit

.socket

一个进程间通信的Socket。

Swap unit

.swap

swap设备或者swap文件。

Timer unit

.timer

systemd计时器。

@@ -205,37 +146,25 @@ systemd开启和监督整个系统是基于unit的概念。unit是由一个与 - - - - - - - - - - - -

路径

描述

/usr/lib/systemd/system/

随安装的RPM产生的systemd units。

/run/systemd/system/

在运行时创建systemd units。

/etc/systemd/system/

由系统管理员创建和管理的systemd units。

@@ -795,7 +724,7 @@ Give root password for maintenance (or press Control-D to continue): ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >用户需要重启系统,从救援模式进入正常模式。 ### 切换到紧急模式 @@ -814,7 +743,7 @@ Give root password for maintenance (or press Control-D to continue): ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >用户需要重启系统,从紧急模式进入正常模式。 ## 关闭、暂停和休眠系统 diff --git "a/content/zh/docs/Administration/\347\256\241\347\220\206\347\224\250\346\210\267\345\222\214\347\224\250\346\210\267\347\273\204.md" "b/docs/zh/docs/Administration/\347\256\241\347\220\206\347\224\250\346\210\267\345\222\214\347\224\250\346\210\267\347\273\204.md" similarity index 96% rename from "content/zh/docs/Administration/\347\256\241\347\220\206\347\224\250\346\210\267\345\222\214\347\224\250\346\210\267\347\273\204.md" rename to "docs/zh/docs/Administration/\347\256\241\347\220\206\347\224\250\346\210\267\345\222\214\347\224\250\346\210\267\347\273\204.md" index f207145e2f27c81a56a4999da2bc1637ef2d19a2..5d5663d5d228511a8047c8482fe441d6a4f8ba03 100644 --- "a/content/zh/docs/Administration/\347\256\241\347\220\206\347\224\250\346\210\267\345\222\214\347\224\250\346\210\267\347\273\204.md" +++ "b/docs/zh/docs/Administration/\347\256\241\347\220\206\347\224\250\346\210\267\345\222\214\347\224\250\346\210\267\347\273\204.md" @@ -52,7 +52,7 @@ useradd [options] username # useradd userexample ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >没有任何提示,表明用户建立成功。这时并没有设置用户的口令,请使用passwd命令修改用户的密码,没有设置密码的新账号不能登录系统。 @@ -69,7 +69,7 @@ uid=502(userexample) gid=502(userexample) groups=502(userexample) # passwd userexample ``` -修改用户密码时需要满足密码复杂度要求,密码的复杂度的要求如下: +建议在修改用户密码时满足密码复杂度要求,密码的复杂度的要求如下: 1. 口令长度至少8个字符。 2. 口令至少包含大写字母、小写字母、数字和特殊字符中的任意3种。 
@@ -101,7 +101,7 @@ Retype new password: passwd: all authentication tokens updated successfully. ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >若打印信息中出现“BAD PASSWORD: The password fails the dictionary check - it is too simplistic/sytematic”,表示设置的密码过于简单,建议设置复杂度较高的密码。 ### 修改用户账号 @@ -171,7 +171,7 @@ usermod -e MM/DD/YY username 如果想同时删除该用户的主目录以及其中所有内容,要使用-r参数递归删除。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >不建议直接删除已经进入系统的用户,如果需要强制删除,请使用 userdel -f _Test_ 命令。 ### 管理员账户授权 @@ -223,7 +223,7 @@ sudo /usr/sbin/useradd newuserl 这一句说明ted1主机上的newuser1具有以root用户权限执行useradd,userdel命令的功能。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- 可以在一行定义多个别名,中间用冒号 \(:\) 隔开。 >- 可在命令或命令别名之前加上感叹号 \(!\),使该命令或命令别名无效。 >- 有两个关键词:ALL和NOPASSWD。ALL意味着“所有”(所有文件、所有主机或所有命令),NOPASSWD意味着不用密码。 @@ -312,7 +312,7 @@ groupmod -n newgroupname oldgroupname # groupdel Test ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >groupdel不能直接删除用户的主组,如果需要强制删除用户主组,请使用 groupdel -f _Test_ 命令。 ### 将用户加入用户组或从用户组中移除 diff --git "a/content/zh/docs/Administration/\347\256\241\347\220\206\350\277\233\347\250\213.md" "b/docs/zh/docs/Administration/\347\256\241\347\220\206\350\277\233\347\250\213.md" similarity index 98% rename from "content/zh/docs/Administration/\347\256\241\347\220\206\350\277\233\347\250\213.md" rename to "docs/zh/docs/Administration/\347\256\241\347\220\206\350\277\233\347\250\213.md" index e966f9c0d46a438942975c562345ec3b1bc4d99b..a0df8539f2f0b639d27dd96b10312a129c8178a0 100644 --- "a/content/zh/docs/Administration/\347\256\241\347\220\206\350\277\233\347\250\213.md" +++ "b/docs/zh/docs/Administration/\347\256\241\347\220\206\350\277\233\347\250\213.md" 
@@ -1,350 +1,350 @@ -# 管理进程 - -操作系统管理多个用户的请求和多个任务。大多数系统都只有一个CPU和一个主要存储,但一个系统可能有多个二级存储磁盘和多个输入/输出设备。操作系统管理这些资源并在多个用户间共享资源,当用户提出一个请求时,造成好像系统被用户独占的假象。实际上操作系统监控着一个等待执行的任务队列,这些任务包括用户任务、操作系统任务、邮件和打印任务等。本章节将从用户的角度讲述如何控制进程。 - - -- [管理进程](#管理进程) - - [查看进程](#查看进程) - - [who命令](#who命令) - - [ps命令](#ps命令) - - [top命令](#top命令) - - [kill命令](#kill命令) - - [调度启动进程](#调度启动进程) - - [定时运行一批程序(at)](#定时运行一批程序at) - - [周期性运行一批程序(cron)](#周期性运行一批程序cron) - - [挂起/恢复进程](#挂起恢复进程) - - -## 查看进程 - -Linux是一个多任务系统,经常需要对这些进程进行一些调配和管理。要进行管理,首先就要知道现在的进程情况:有哪些进程、进程的状态如何等。Linux提供了多种命令来了解进程的状况。 - -### who命令 - -who命令主要用于查看当前系统中的用户情况。如果用户想和其他用户建立即时通讯,比如使用talk命令,那么首先要确定的就是该用户确实在线上,不然talk进程就无法建立起来。又如,系统管理员希望监视每个登录的用户此时此刻的所作所为,也要使用who命令。who命令应用起来非常简单,可以比较准确地掌握用户的情况,所以使用非常广泛。 - -例如查看系统中的用户及其状态。使用如下: - -``` -$ who -admin tty1 Jul 28 15:55 -admin pts/0 Aug 5 15:46 (192.168.0.110) -admin pts/2 Jul 29 19:52 (192.168.0.110) -root pts/3 Jul 30 12:07 (192.168.0.110) -root pts/4 Jul 31 10:29 (192.168.0.144) -root pts/5 Jul 31 14:52 (192.168.0.11) -root pts/6 Aug 6 10:12 (192.168.0.234) -root pts/8 Aug 6 11:34 (192.168.0.234) -``` - -### ps命令 - -ps命令是最基本又非常强大的进程查看命令。使用该命令可以确定有哪些进程正在运行和运行的状态、进程是否结束、进程有没有僵尸、哪些进程占用了过多的资源等,大部分进程信息都是可以通过执行该命令得到的。 - -ps命令最常用的还是用来监控后台进程的工作情况,因为后台进程是不与屏幕、键盘这些标准输入/输出设备进行通信的,所以如果需要检测其状况,就可使用ps命令。ps命令的常见选项如[表1](#zh-cn_topic_0151921029_t34619d964a3d41ad8694189ec383359c)所示。 - -**表 1** 选项说明 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

选项

-

描述

-

-e

-

显示所有进程。

-

-f

-

全格式。

-

-h

-

不显示标题。

-

-l

-

使用长格式。

-

-w

-

宽行输出。

-

-a

-

显示终端上的所有进程,包括其他用户的进程。

-

-r

-

只显示正在运行的进程。

-

-x

-

显示没有控制终端的进程。

-
- -例如显示系统中终端上的所有进行进程。命令如下: - -``` -$ ps -a - PID TTY TIME CMD -12175 pts/6 00:00:00 bash -24526 pts/0 00:00:00 vsftpd -29478 pts/5 00:00:00 ps -32461 pts/0 1-01:58:33 sh -``` - -### top命令 - -top命令和ps命令的基本作用是相同的,显示系统当前的进程和其他状况,但是top是一个动态显示过程,即可以通过用户按键来不断刷新进程的当前状态,如果在前台执行该命令,它将独占前台,直到用户终止该程序为止。其实top命令提供了实时的对系统处理器的状态监视。它将显示系统中CPU的任务列表。该命令可以按CPU使用、内存使用和执行时间对任务进行排序,而且该命令的很多特性都可以通过交互式命令或者在定制文件中进行设定。 - -top命令输出的实例如[图1](#zh-cn_topic_0151921029_f289234fcdbac453796200d80e9889cd1)所示: - -**图 1** top显示 -![](figures/top显示.png "top显示") - -### kill命令 - -当需要中断一个前台进程的时候,通常足使用“Ctrl+c”组合键,而对于后台进程不能用组合键来终止,这时就可以使用kill命令。该命令可以终止前台和后台进程。终止后台进程的原因包括:该进程占用CPU的时间过多、该进程已经死锁等。 - -kill命令是通过向进程发送指定的信号来结束进程的。如果没有指定发送的信号,那么默认值为TERM信号。TERM信号将终止所有不能捕获该信号的进程。至于那些可以捕获该信号的进程可能就需要使用KILL信号(它的编号为9),而该信号不能被捕捉。 - -kill命令的浯法格式有以下两种方式: - -``` -kill [-s 信号 | -p] [-a] 进程号… -kill -l [信号] -``` - -其中进程号可以通过ps命令的输出得到。-s选项是给程序发送指定的信号,详细的信号可以用“kill -l”命令查看;-p选项只显示指定进程的ID号。 - -杀死pid为1409的进程,在root权限下执行如下命令: - -``` -# kill -9 1409 -``` - -显示所有的信号及其编号对应关系,示例如下: - -``` -$ kill -l - 1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL 5) SIGTRAP - 6) SIGABRT 7) SIGBUS 8) SIGFPE 9) SIGKILL 10) SIGUSR1 -11) SIGSEGV 12) SIGUSR2 13) SIGPIPE 14) SIGALRM 15) SIGTERM -16) SIGSTKFLT 17) SIGCHLD 18) SIGCONT 19) SIGSTOP 20) SIGTSTP -21) SIGTTIN 22) SIGTTOU 23) SIGURG 24) SIGXCPU 25) SIGXFSZ -26) SIGVTALRM 27) SIGPROF 28) SIGWINCH 29) SIGIO 30) SIGPWR -31) SIGSYS 34) SIGRTMIN 35) SIGRTMIN+1 36) SIGRTMIN+2 37) SIGRTMIN+3 -38) SIGRTMIN+4 39) SIGRTMIN+5 40) SIGRTMIN+6 41) SIGRTMIN+7 42) SIGRTMIN+8 -43) SIGRTMIN+9 44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13 -48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12 -53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9 56) SIGRTMAX-8 57) SIGRTMAX-7 -58) SIGRTMAX-6 59) SIGRTMAX-5 60) SIGRTMAX-4 61) SIGRTMAX-3 62) SIGRTMAX-2 -63) SIGRTMAX-1 64) SIGRTMAX -``` - -## 调度启动进程 - 
-有时候需要对系统进行一些比较费时而且占用资源的维护工作,这些工作适合在深夜进行,这时候用户就可以事先进行调度安排,指定任务运行的时间或者场合,到时候系统会自动完成这些任务。要使用自动启动进程的功能,就需要掌握以下几个启动命令。 - - - -### 定时运行一批程序(at) - -#### at命令 - -用户使用at命令在指定时刻执行指定的命令序列。该命令至少需要指定一个命令和一个执行时间。at命令可以只指定时间,也可以时间和日期一起指定。 - -at命令的语法格式如下: - -``` - at [-V] [-q 队列] [-f 文件名] [-mldbv] 时间 - at -c 作业 [作业…] -``` - -#### 设置时间 - -at允许使用一套相当复杂的时间指定方法,比如: - -- 接受在当天的hh:mm(小时:分钟)式的时间指定。如果该时间已经过去,那么就放存第二天执行。 -- 使用midnight(深夜)、noon(中午)、teatime(饮茶时间,一般是下午4点)等比较模糊的词语来指定时间。 -- 采用12小时计时制,即在时间后面加上AM(上午)或者PM(下午)来说明是上午还是下午。 -- 指定命令执行的具体日期,指定格式为month day(月日)或者mm/dd/yy(月/日/年)或者dd.mm.yy(日.月.年)。指定的日期必须跟在指定时间的后面。 - -上面介绍的都是绝对计时法,其实还可以使用相对计时法,这对于安排不久就要执行的命令是很有好处的。指定格式为now+count time-units,now就是当前时间,time-units是时间单位,这里可以是minutes(分钟)、hours(小时)、days(天)、weeks(星期)。count是时间的数量,究竟是几天,还是几小时等。还有一种计时方法就是直接使用today(今天)、tomorrow(明天)来指定完成命令的时间。下面通过一些例子来说明具体用法。 - -例如指定在今天下午4:30执行某个命令。假设现在时间是中午12:30,2019年6月7日,可用命令格式如下: - -``` - at 4:30pm - at 16:30 - at 16:30 today - at now+4 hours - at now+ 240 minutes - at 16:30 7.6.19 - at 16:30 6/7/19 - at 16:30 Jun 7 -``` - -以上这些命令表达的意义是完全一样的,所以在安排时间的时候完全可以根据个人喜好和具体情况自由选择。一般采用绝对时间的24小时计时法可以避免由于用户自己的疏忽造成计时错误,例如上例可以写成:at 16:30 6/7/19。 - -#### 执行权限 - -对于at命令来说,需要定时执行的命令是从标准输入或者使用-f选项指定的文件中读取并执行的。如果at命令是从一个使用su命令切换到用户shell中执行的,那么当前用户被认为是执行用户,所有的错误和输出结果都会送给这个用户。但是如果有邮件送出的话,收到邮件的将是原来的用户,也就是登录时shell的所有者。 - -例如在6月8日上午10点执行slocate -u命令。在root权限下执行命令如下: - -``` -# at 10:00 6/8/19 -at> slocate -u -at> -[1]+ Stopped at 10:00 6/8/19 -``` - -上面的结果中,输入at命令之后,会出现提示符at\>,提示用户输入命令,在此输入了slocate -u,然后按回车键。还可以输入多条命令,当所有要执行的命令输入结束后,按Ctrl+d键结束at命令。 - -在任何情况下,管理员账户都可以使用这个命令。对于其他用户来说,是否可以使用就取决于/etc/at.allow和/etc/at.deny文件。 - -### 周期性运行一批程序(cron) - -前面介绍at命令都会在一定时间内完成一定任务,但是它只能执行一次。也就是说,当指定了运行命令后,系统在指定时间完成任务,以后就不再执行了。但是在很多情况下需要周期性重复执行一些命令,这时候就需要使用cron命令来完成任务。 - -#### 运行机制 - -首先cron命令会搜索/var/spool/cron目录,寻找以/etc/passwd文件中的用户名命名的crontab文件,被找到的这种文件将装入内存。比如一个用户名为userexample的用户,对应的crontab文件应该是/var/spool/cron/userexample,即以该用户命名的crontab文件存放在/var/spool/cron目录下面。 - 
-cron命令还将搜索/etc/crontab文件,这个文件是用不同的格式写成的。cron启动以后,它将首先检查是否有用户设置了crontab文件,如果没有就转入睡眠状态,释放系统资源。所以该后台进程占用资源极少,它每分钟被换醒一次,查看当前是否有需要运行的命令。 - -命令执行结束后,任何输出都将作为邮件发送给crontab的所有者,或者是/etc/crontab文件中MAILTO环境变量中指定的用户。这是cron的工作原理,但是cron命令的执行不需要用户干涉,用户只需要修改crontab中要执行的命令。 - -#### crontab命令 - -crontab命令用于安装、删除或者显示用于驱动cron后台进程的表格。用户把需要执行的命令序列放到crontab文件中以获得执行,而且每个用户都可以有自己的crontab文件。 - -crontab命令的常用方法如下: - -- crontab -u //设置某个用户的cron服务,root用户在执行crontab时需要此参数。 -- crontab -l //列出某个用户cron服务的详细内容。 -- crontab -r //删除某个用户的cron服务。 -- crontab -e //编辑某个用户的cron服务。 - -例如root查看自己的cron设置。命令如下: - -``` -# crontab -u root -l -``` - -#### crontab文件 - -在crontab文件中输入需要执行的命令和时间。该文件中每行都包括6个域,其中前5个域是指定命令被执行的时间,最后一个域是要被执行的命令。每个域之间使用空格或者制表符分隔。格式如下: - -``` -minute hour day-of-month month-of-year day-of-week commands -``` - -对于每一项的说明如所示。 - -**表 2** 参数说明 - - - - - - - - - - - - - - - - - - - - - - - - - -

参数

-

描述

-

minute

-

分钟(0~59)。

-

hour

-

小时(0~23)。

-

day-of-month

-

一个月的第几天(1~31)。

-

month-of-year

-

一年的第几个月(1~12)。

-

day-of-week

-

一周的星期几(0~6),0代表星期天。

-

commands

-

需要执行的命令。

-
- -这些项都不能为空,必须指定值。除了数字还有几个特殊的符号“\*”、“/”和“-”、“,”。其中,\*代表所有的取值范围内的数字,/代表每的意思,“\*/5”表示每5个单位,“-”代表从某个数字到某个数字,“,”分开几个离散时数字。对于要执行的命令,调用的时候需要写出命令的完整路径。 - -例如晚上18点到22点之间每两个小时,在/tmp/test.txt文件中加入sleepy文本。在crontab文件中对应的行如下: - -``` -* 18-22/2 * * * echo "sleepy" >> /tmp/test.txt -``` - -每次编辑完某个用户的cron设置后,cron自动在/var/spool/cron下生成一个与此用户同名的文件。此用户的cron信息都记录在这个文件中,这个文件是不可以直接编辑的,只可以用crontab -e来编辑。用户也可以另外建立一个文件,使用“cron文件名”命令导入cron设置。 - -假设有个用户名为userexample,它需要为自己创建的一个crontab文件。步骤如下: - -1. 首先可以使用任何文本编辑器建立一个新文件,并将向该文件加入需要运行的命令和要定期执行的时间,假设该文件为 \~/userexample.cron。 -2. 然后在root权限下使用crontab命令安装这个文件,使用crontab命令使之成为该用户的crontab文件。命令如下: - - ``` - # crontab -u userexample ~/userexample.cron - ``` - - -这样crontab文件就建立好了,可以转到/var/spool/cron目录下面查看,发现多了一个userexample文件。这个文件就是所需的crontab文件。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->cron启动后,每过一分钟读一次crontab文件,检查是否要执行里面的命令。因此该文件被修改后不需要重新启动cron服务。 - -#### 编辑配置文件 - -cron服务每分钟不仅要读一次/var/spool/cron内的所有文件,还需要读一次/etc/crontab,因此通过配置这个文件也能得到cron的服务。用crontab配置是针对某个用户的,而编辑/etc/crontab是针对系统的任务。此文件的文件格式如下: - -``` -SHELL=/bin/sh -PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin -MAILTO=root //如果出现错误,或者有数据输出,数据作为邮件发给这个账号 -HOME=/ -# run-parts -01 * * * * root run-parts /etc/cron.hourly //每个小时执行一次/etc/cron.hourly里的脚本 -02 4 * * * root run-parts /etc/cron.daily //每天执行一次/etc/cron.daily里的脚本 -22 4 * * 0 root run-parts /etc/cron.weekly //每周执行一次/etc/cron.weekly里的脚本 -42 4 1 * * root run-parts /etc/cron.monthly //每月执行一次/etc/cron.monthly里的脚本 -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->如果去掉run-parts参数,其后面就是运行的某个脚本名,而不是目录名。 - -## 挂起/恢复进程 - -作业控制允许进程挂起并可以在需要时恢复进程的运行,被挂起的作业恢复后将从中止处开始继续运行。只要在键盘上按Ctrl+Z键,即可挂起当前的前台作业。在键盘上按Ctrl+Z键后,将挂起当前执行的命令cat。使用jobs命令可以显示shell的作业清单,包括具体的作业、作业号以及作业当前所处的状态。 - -恢复进程执行时,有两种选择:用fg命令将挂起的作业放回到前台执行;用bg命令将挂起的作业放到后台执行。灵活使用上述命令,将给自己带来很大的方便。 - +# 管理进程 + 
+操作系统管理多个用户的请求和多个任务。大多数系统都只有一个CPU和一个主要存储,但一个系统可能有多个二级存储磁盘和多个输入/输出设备。操作系统管理这些资源并在多个用户间共享资源,当用户提出一个请求时,造成好像系统被用户独占的假象。实际上操作系统监控着一个等待执行的任务队列,这些任务包括用户任务、操作系统任务、邮件和打印任务等。本章节将从用户的角度讲述如何控制进程。 + + +- [管理进程](#管理进程) + - [查看进程](#查看进程) + - [who命令](#who命令) + - [ps命令](#ps命令) + - [top命令](#top命令) + - [kill命令](#kill命令) + - [调度启动进程](#调度启动进程) + - [定时运行一批程序(at)](#定时运行一批程序at) + - [周期性运行一批程序(cron)](#周期性运行一批程序cron) + - [挂起/恢复进程](#挂起恢复进程) + + +## 查看进程 + +Linux是一个多任务系统,经常需要对这些进程进行一些调配和管理。要进行管理,首先就要知道现在的进程情况:有哪些进程、进程的状态如何等。Linux提供了多种命令来了解进程的状况。 + +### who命令 + +who命令主要用于查看当前系统中的用户情况。如果用户想和其他用户建立即时通讯,比如使用talk命令,那么首先要确定的就是该用户确实在线上,不然talk进程就无法建立起来。又如,系统管理员希望监视每个登录的用户此时此刻的所作所为,也要使用who命令。who命令应用起来非常简单,可以比较准确地掌握用户的情况,所以使用非常广泛。 + +例如查看系统中的用户及其状态。使用如下: + +``` +$ who +admin tty1 Jul 28 15:55 +admin pts/0 Aug 5 15:46 (192.168.0.110) +admin pts/2 Jul 29 19:52 (192.168.0.110) +root pts/3 Jul 30 12:07 (192.168.0.110) +root pts/4 Jul 31 10:29 (192.168.0.144) +root pts/5 Jul 31 14:52 (192.168.0.11) +root pts/6 Aug 6 10:12 (192.168.0.234) +root pts/8 Aug 6 11:34 (192.168.0.234) +``` + +### ps命令 + +ps命令是最基本又非常强大的进程查看命令。使用该命令可以确定有哪些进程正在运行和运行的状态、进程是否结束、进程有没有僵尸、哪些进程占用了过多的资源等,大部分进程信息都是可以通过执行该命令得到的。 + +ps命令最常用的还是用来监控后台进程的工作情况,因为后台进程是不与屏幕、键盘这些标准输入/输出设备进行通信的,所以如果需要检测其状况,就可使用ps命令。ps命令的常见选项如[表1](#zh-cn_topic_0151921029_t34619d964a3d41ad8694189ec383359c)所示。 + +**表 1** 选项说明 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

选项

+

描述

+

-e

+

显示所有进程。

+

-f

+

全格式。

+

-h

+

不显示标题。

+

-l

+

使用长格式。

+

-w

+

宽行输出。

+

-a

+

显示终端上的所有进程,包括其他用户的进程。

+

-r

+

只显示正在运行的进程。

+

-x

+

显示没有控制终端的进程。

+
+ +例如显示系统中终端上的所有进行进程。命令如下: + +``` +$ ps -a + PID TTY TIME CMD +12175 pts/6 00:00:00 bash +24526 pts/0 00:00:00 vsftpd +29478 pts/5 00:00:00 ps +32461 pts/0 1-01:58:33 sh +``` + +### top命令 + +top命令和ps命令的基本作用是相同的,显示系统当前的进程和其他状况,但是top是一个动态显示过程,即可以通过用户按键来不断刷新进程的当前状态,如果在前台执行该命令,它将独占前台,直到用户终止该程序为止。其实top命令提供了实时的对系统处理器的状态监视。它将显示系统中CPU的任务列表。该命令可以按CPU使用、内存使用和执行时间对任务进行排序,而且该命令的很多特性都可以通过交互式命令或者在定制文件中进行设定。 + +top命令输出的实例如[图1](#zh-cn_topic_0151921029_f289234fcdbac453796200d80e9889cd1)所示: + +**图 1** top显示 +![](./figures/top_display.png) + +### kill命令 + +当需要中断一个前台进程的时候,通常足使用“Ctrl+c”组合键,而对于后台进程不能用组合键来终止,这时就可以使用kill命令。该命令可以终止前台和后台进程。终止后台进程的原因包括:该进程占用CPU的时间过多、该进程已经死锁等。 + +kill命令是通过向进程发送指定的信号来结束进程的。如果没有指定发送的信号,那么默认值为TERM信号。TERM信号将终止所有不能捕获该信号的进程。至于那些可以捕获该信号的进程可能就需要使用KILL信号(它的编号为9),而该信号不能被捕捉。 + +kill命令的浯法格式有以下两种方式: + +``` +kill [-s 信号 | -p] [-a] 进程号… +kill -l [信号] +``` + +其中进程号可以通过ps命令的输出得到。-s选项是给程序发送指定的信号,详细的信号可以用“kill -l”命令查看;-p选项只显示指定进程的ID号。 + +杀死pid为1409的进程,在root权限下执行如下命令: + +``` +# kill -9 1409 +``` + +显示所有的信号及其编号对应关系,示例如下: + +``` +$ kill -l + 1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL 5) SIGTRAP + 6) SIGABRT 7) SIGBUS 8) SIGFPE 9) SIGKILL 10) SIGUSR1 +11) SIGSEGV 12) SIGUSR2 13) SIGPIPE 14) SIGALRM 15) SIGTERM +16) SIGSTKFLT 17) SIGCHLD 18) SIGCONT 19) SIGSTOP 20) SIGTSTP +21) SIGTTIN 22) SIGTTOU 23) SIGURG 24) SIGXCPU 25) SIGXFSZ +26) SIGVTALRM 27) SIGPROF 28) SIGWINCH 29) SIGIO 30) SIGPWR +31) SIGSYS 34) SIGRTMIN 35) SIGRTMIN+1 36) SIGRTMIN+2 37) SIGRTMIN+3 +38) SIGRTMIN+4 39) SIGRTMIN+5 40) SIGRTMIN+6 41) SIGRTMIN+7 42) SIGRTMIN+8 +43) SIGRTMIN+9 44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13 +48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12 +53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9 56) SIGRTMAX-8 57) SIGRTMAX-7 +58) SIGRTMAX-6 59) SIGRTMAX-5 60) SIGRTMAX-4 61) SIGRTMAX-3 62) SIGRTMAX-2 +63) SIGRTMAX-1 64) SIGRTMAX +``` + +## 调度启动进程 + 
+有时候需要对系统进行一些比较费时而且占用资源的维护工作,这些工作适合在深夜进行,这时候用户就可以事先进行调度安排,指定任务运行的时间或者场合,到时候系统会自动完成这些任务。要使用自动启动进程的功能,就需要掌握以下几个启动命令。 + + + +### 定时运行一批程序(at) + +#### at命令 + +用户使用at命令在指定时刻执行指定的命令序列。该命令至少需要指定一个命令和一个执行时间。at命令可以只指定时间,也可以时间和日期一起指定。 + +at命令的语法格式如下: + +``` + at [-V] [-q 队列] [-f 文件名] [-mldbv] 时间 + at -c 作业 [作业…] +``` + +#### 设置时间 + +at允许使用一套相当复杂的时间指定方法,比如: + +- 接受在当天的hh:mm(小时:分钟)式的时间指定。如果该时间已经过去,那么就放存第二天执行。 +- 使用midnight(深夜)、noon(中午)、teatime(饮茶时间,一般是下午4点)等比较模糊的词语来指定时间。 +- 采用12小时计时制,即在时间后面加上AM(上午)或者PM(下午)来说明是上午还是下午。 +- 指定命令执行的具体日期,指定格式为month day(月日)或者mm/dd/yy(月/日/年)或者dd.mm.yy(日.月.年)。指定的日期必须跟在指定时间的后面。 + +上面介绍的都是绝对计时法,其实还可以使用相对计时法,这对于安排不久就要执行的命令是很有好处的。指定格式为now+count time-units,now就是当前时间,time-units是时间单位,这里可以是minutes(分钟)、hours(小时)、days(天)、weeks(星期)。count是时间的数量,究竟是几天,还是几小时等。还有一种计时方法就是直接使用today(今天)、tomorrow(明天)来指定完成命令的时间。下面通过一些例子来说明具体用法。 + +例如指定在今天下午4:30执行某个命令。假设现在时间是中午12:30,2019年6月7日,可用命令格式如下: + +``` + at 4:30pm + at 16:30 + at 16:30 today + at now+4 hours + at now+ 240 minutes + at 16:30 7.6.19 + at 16:30 6/7/19 + at 16:30 Jun 7 +``` + +以上这些命令表达的意义是完全一样的,所以在安排时间的时候完全可以根据个人喜好和具体情况自由选择。一般采用绝对时间的24小时计时法可以避免由于用户自己的疏忽造成计时错误,例如上例可以写成:at 16:30 6/7/19。 + +#### 执行权限 + +对于at命令来说,需要定时执行的命令是从标准输入或者使用-f选项指定的文件中读取并执行的。如果at命令是从一个使用su命令切换到用户shell中执行的,那么当前用户被认为是执行用户,所有的错误和输出结果都会送给这个用户。但是如果有邮件送出的话,收到邮件的将是原来的用户,也就是登录时shell的所有者。 + +例如在6月8日上午10点执行slocate -u命令。在root权限下执行命令如下: + +``` +# at 10:00 6/8/19 +at> slocate -u +at> +[1]+ Stopped at 10:00 6/8/19 +``` + +上面的结果中,输入at命令之后,会出现提示符at\>,提示用户输入命令,在此输入了slocate -u,然后按回车键。还可以输入多条命令,当所有要执行的命令输入结束后,按Ctrl+d键结束at命令。 + +在任何情况下,管理员账户都可以使用这个命令。对于其他用户来说,是否可以使用就取决于/etc/at.allow和/etc/at.deny文件。 + +### 周期性运行一批程序(cron) + +前面介绍at命令都会在一定时间内完成一定任务,但是它只能执行一次。也就是说,当指定了运行命令后,系统在指定时间完成任务,以后就不再执行了。但是在很多情况下需要周期性重复执行一些命令,这时候就需要使用cron命令来完成任务。 + +#### 运行机制 + +首先cron命令会搜索/var/spool/cron目录,寻找以/etc/passwd文件中的用户名命名的crontab文件,被找到的这种文件将装入内存。比如一个用户名为userexample的用户,对应的crontab文件应该是/var/spool/cron/userexample,即以该用户命名的crontab文件存放在/var/spool/cron目录下面。 + 
+cron命令还将搜索/etc/crontab文件,这个文件是用不同的格式写成的。cron启动以后,它将首先检查是否有用户设置了crontab文件,如果没有就转入睡眠状态,释放系统资源。所以该后台进程占用资源极少,它每分钟被换醒一次,查看当前是否有需要运行的命令。 + +命令执行结束后,任何输出都将作为邮件发送给crontab的所有者,或者是/etc/crontab文件中MAILTO环境变量中指定的用户。这是cron的工作原理,但是cron命令的执行不需要用户干涉,用户只需要修改crontab中要执行的命令。 + +#### crontab命令 + +crontab命令用于安装、删除或者显示用于驱动cron后台进程的表格。用户把需要执行的命令序列放到crontab文件中以获得执行,而且每个用户都可以有自己的crontab文件。 + +crontab命令的常用方法如下: + +- crontab -u //设置某个用户的cron服务,root用户在执行crontab时需要此参数。 +- crontab -l //列出某个用户cron服务的详细内容。 +- crontab -r //删除某个用户的cron服务。 +- crontab -e //编辑某个用户的cron服务。 + +例如root查看自己的cron设置。命令如下: + +``` +# crontab -u root -l +``` + +#### crontab文件 + +在crontab文件中输入需要执行的命令和时间。该文件中每行都包括6个域,其中前5个域是指定命令被执行的时间,最后一个域是要被执行的命令。每个域之间使用空格或者制表符分隔。格式如下: + +``` +minute hour day-of-month month-of-year day-of-week commands +``` + +对于每一项的说明如所示。 + +**表 2** 参数说明 + + + + + + + + + + + + + + + + + + + + + + + + + +

参数

+

描述

+

minute

+

分钟(0~59)。

+

hour

+

小时(0~23)。

+

day-of-month

+

一个月的第几天(1~31)。

+

month-of-year

+

一年的第几个月(1~12)。

+

day-of-week

+

一周的星期几(0~6),0代表星期天。

+

commands

+

需要执行的命令。

+
+ +这些项都不能为空,必须指定值。除了数字还有几个特殊的符号“\*”、“/”和“-”、“,”。其中,\*代表所有的取值范围内的数字,/代表每的意思,“\*/5”表示每5个单位,“-”代表从某个数字到某个数字,“,”分开几个离散时数字。对于要执行的命令,调用的时候需要写出命令的完整路径。 + +例如晚上18点到22点之间每两个小时,在/tmp/test.txt文件中加入sleepy文本。在crontab文件中对应的行如下: + +``` +* 18-22/2 * * * echo "sleepy" >> /tmp/test.txt +``` + +每次编辑完某个用户的cron设置后,cron自动在/var/spool/cron下生成一个与此用户同名的文件。此用户的cron信息都记录在这个文件中,这个文件是不可以直接编辑的,只可以用crontab -e来编辑。用户也可以另外建立一个文件,使用“cron文件名”命令导入cron设置。 + +假设有个用户名为userexample,它需要为自己创建的一个crontab文件。步骤如下: + +1. 首先可以使用任何文本编辑器建立一个新文件,并将向该文件加入需要运行的命令和要定期执行的时间,假设该文件为 \~/userexample.cron。 +2. 然后在root权限下使用crontab命令安装这个文件,使用crontab命令使之成为该用户的crontab文件。命令如下: + + ``` + # crontab -u userexample ~/userexample.cron + ``` + + +这样crontab文件就建立好了,可以转到/var/spool/cron目录下面查看,发现多了一个userexample文件。这个文件就是所需的crontab文件。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>cron启动后,每过一分钟读一次crontab文件,检查是否要执行里面的命令。因此该文件被修改后不需要重新启动cron服务。 + +#### 编辑配置文件 + +cron服务每分钟不仅要读一次/var/spool/cron内的所有文件,还需要读一次/etc/crontab,因此通过配置这个文件也能得到cron的服务。用crontab配置是针对某个用户的,而编辑/etc/crontab是针对系统的任务。此文件的文件格式如下: + +``` +SHELL=/bin/sh +PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin +MAILTO=root //如果出现错误,或者有数据输出,数据作为邮件发给这个账号 +HOME=/ +# run-parts +01 * * * * root run-parts /etc/cron.hourly //每个小时执行一次/etc/cron.hourly里的脚本 +02 4 * * * root run-parts /etc/cron.daily //每天执行一次/etc/cron.daily里的脚本 +22 4 * * 0 root run-parts /etc/cron.weekly //每周执行一次/etc/cron.weekly里的脚本 +42 4 1 * * root run-parts /etc/cron.monthly //每月执行一次/etc/cron.monthly里的脚本 +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>如果去掉run-parts参数,其后面就是运行的某个脚本名,而不是目录名。 + +## 挂起/恢复进程 + +作业控制允许进程挂起并可以在需要时恢复进程的运行,被挂起的作业恢复后将从中止处开始继续运行。只要在键盘上按Ctrl+Z键,即可挂起当前的前台作业。在键盘上按Ctrl+Z键后,将挂起当前执行的命令cat。使用jobs命令可以显示shell的作业清单,包括具体的作业、作业号以及作业当前所处的状态。 + +恢复进程执行时,有两种选择:用fg命令将挂起的作业放回到前台执行;用bg命令将挂起的作业放到后台执行。灵活使用上述命令,将给自己带来很大的方便。 + 
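Review bot: in the 管理进程.md rewrite, the re-added crontab example `* 18-22/2 * * * echo "sleepy" >> /tmp/test.txt` does not do what the sentence before it says ("晚上18点到22点之间每两个小时"): with `*` in the minute field the job runs every minute of hours 18, 20 and 22, so the minute field should be a fixed value such as `0`. Since every line of the file is touched anyway, two more items are worth fixing in the same pass: "使用“cron文件名”命令导入cron设置" names cron, while the command shown in the steps is `crontab -u userexample ~/userexample.cron`; and the `//` trailing comments in the /etc/crontab sample are not crontab comment syntax, so a reader copying `MAILTO=root //…` or the run-parts lines as written would get the comment text as part of the value or the command. Move those explanations to separate `#` lines or to the prose.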
diff --git "a/content/zh/docs/Administration/\351\205\215\347\275\256\347\275\221\347\273\234.md" "b/docs/zh/docs/Administration/\351\205\215\347\275\256\347\275\221\347\273\234.md" similarity index 96% rename from "content/zh/docs/Administration/\351\205\215\347\275\256\347\275\221\347\273\234.md" rename to "docs/zh/docs/Administration/\351\205\215\347\275\256\347\275\221\347\273\234.md" index 9da7a61e63c1da6388f52e3dd4a2c1bd40172e65..0bc0efb4bae88f746ea3522a2b0825abbe8a4908 100644 --- "a/content/zh/docs/Administration/\351\205\215\347\275\256\347\275\221\347\273\234.md" +++ "b/docs/zh/docs/Administration/\351\205\215\347\275\256\347\275\221\347\273\234.md" 
@@ -1,1333 +1,1365 @@ -# 配置网络 - - -- [配置网络](#配置网络) - - [配置 IP](#配置-ip) - - [使用nmcli命令](#使用nmcli命令) - - [使用ip命令](#使用ip命令) - - [通过ifcfg文件配置网络](#通过ifcfg文件配置网络) - - [配置主机名](#配置主机名) - - [简介](#简介) - - [使用hostnamectl配置主机名](#使用hostnamectl配置主机名) - - [使用nmcli配置主机名](#使用nmcli配置主机名) - - [配置网络绑定](#配置网络绑定) - - [使用nmcli](#使用nmcli) - - [使用命令行](#使用命令行) - - [IPv6使用差异说明(vs IPv4)](#ipv6使用差异说明vs-ipv4) - - [约束限制](#约束限制) - - [配置说明](#配置说明) - - [FAQ](#faq) - - - - -## 配置 IP - - -### 使用nmcli命令 - ->![](public_sys-resources/icon-note.gif) **说明:** ->使用nmcli命令配置的网络配置可以立即生效且系统重启后配置也不会丢失。 - - - -#### nmcli介绍 - -nmcli是NetworkManager的一个命令行工具,它提供了使用命令行配置由NetworkManager管理网络连接的方法。nmcli命令的基本格式为: - -``` - nmcli [OPTIONS] OBJECT { COMMAND | help } -``` - -其中,OBJECT选项可以是general、networking、radio、connection或device等。在日常使用中,最常使用的是-t, \-\-terse(用于脚本)、-p, \-\-pretty选项(用于用户)及-h, \-\-help选项,用户可以使用“ nmcli help”获取更多参数及使用信息。 - -``` -$ nmcli help -``` - -常用命令使用举例如下: - -- 显示NetworkManager状态: - - ``` - $ nmcli general status - ``` - -- 显示所有连接: - - ``` - $ nmcli connection show - ``` - -- 只显示当前活动连接,如下所示添加 -a, \-\-active: - - ``` - $ nmcli connection show --active - ``` - -- 显示由NetworkManager识别到设备及其状态: - - ``` - $ nmcli device status - ``` - -- 使用nmcli工具启动和停止网络接口,在root权限下执行如下命令: - - ``` - # nmcli connection up id enp3s0 - # nmcli device disconnect enp3s0 - ``` - - -#### 设置网络连接 - -列出目前可用的网络连接: - -``` -$ nmcli con show - - -NAME UUID TYPE DEVICE -enp4s0 5afce939-400e-42fd-91ee-55ff5b65deab ethernet enp4s0 -enp3s0 c88d7b69-f529-35ca-81ab-aa729ac542fd ethernet enp3s0 -virbr0 ba552da6-f014-49e3-91fa-ec9c388864fa bridge virbr0 -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->输出结果中的NAME字段代表连接ID(名称)。 - -添加一个网络连接会生成相应的配置文件,并与相应的设备关联。检查可用的设备,方法如下: - -``` -$ nmcli dev status - -DEVICE TYPE STATE CONNECTION -enp3s0 ethernet connected enp3s0 -enp4s0 ethernet connected enp4s0 -virbr0 bridge connected virbr0 -lo loopback unmanaged -- -virbr0-nic tun unmanaged -- -``` - - -##### 配置动态IP连接 - -###### 配置IP - -要使用 DHCP 
分配网络时,可以使用动态IP配置添加网络配置文件,命令格式如下: - -``` -nmcli connection add type ethernet con-name connection-name ifname interface-name -``` - -例如创建名为net-test的动态连接配置文件,在root权限下使用以下命令: - -``` -# nmcli connection add type ethernet con-name net-test ifname enp3s0 -Connection 'net-test' (a771baa0-5064-4296-ac40-5dc8973967ab) successfully added. -``` - -NetworkManager 会将参数 connection.autoconnect 设定为 yes,并将设置保存到 “/etc/sysconfig/network-scripts/ifcfg-net-test”文件中,在该文件中会将 ONBOOT 设置为 yes。 - -###### 激活连接并检查状态 - -在root权限下使用以下命令激活网络连接: - -``` -# nmcli con up net-test -Connection successfully activated (D-Bus active path:/org/freedesktop/NetworkManager/ActiveConnection/5) -``` - -检查这些设备及连接的状态,使用以下命令: - -``` -$ nmcli device status - -DEVICE TYPE STATE CONNECTION -enp4s0 ethernet connected enp4s0 -enp3s0 ethernet connected net-test -virbr0 bridge connected virbr0 -lo loopback unmanaged -- -virbr0-nic tun unmanaged -- -``` - -##### 配置静态IP连接 - -###### 配置IP - -添加静态 IPv4 配置的网络连接,可使用以下命令: - -``` -nmcli connection add type ethernet con-name connection-name ifname interface-name ip4 address gw4 address -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->如果要添加 IPv6 地址和网关信息,使用 ip6 和 gw6 选项。 - -例如创建名为 net-static的静态连接配置文件,在root权限下使用以下命令: - -``` -# nmcli con add type ethernet con-name net-static ifname enp3s0 ip4 192.168.0.10/24 gw4 192.168.0.254 -``` - -还可为该设备同时指定 IPv6 地址和网关,示例如下: - -``` -# nmcli con add type ethernet con-name test-lab ifname enp3s0 ip4 192.168.0.10/24 gw4 192.168.0.254 ip6 abbe::**** gw6 2001:***::* -Connection 'net-static' (63aa2036-8665-f54d-9a92-c3035bad03f7) successfully added. 
-``` - -NetworkManager 会将其内部参数 ipv4.method 设定为 manual,将 connection.autoconnect 设定为yes,并将设置写入 /etc/sysconfig/network-scripts/ifcfg-my-office 文件,其中会将对应 BOOTPROTO 设定为 none,将 ONBOOT 设定为 yes。 - -设定两个 IPv4 DNS 服务器地址,在root权限下使用以下命令: - -``` -# nmcli con mod net-static ipv4.dns "*.*.*.* *.*.*.*" -``` - -设置两个 IPv6 DNS 服务器地址,在root权限下使用以下命令: - -``` -# nmcli con mod net-static ipv6.dns "2001:4860:4860::**** 2001:4860:4860::****" -``` - -###### 激活连接并检查状态 - -激活新的网络连接,在root权限下使用以下命令: - -``` -# nmcli con up net-static ifname enp3s0 -Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6) -``` - -检查这些设备及连接的状态,使用以下命令: - -``` -$ nmcli device status - -DEVICE TYPE STATE CONNECTION -enp4s0 ethernet connected enp4s0 -enp3s0 ethernet connected net-static -virbr0 bridge connected virbr0 -lo loopback unmanaged -- -virbr0-nic tun unmanaged -- -``` - -查看配置的连接详情,使用以下命令(使用 -p, \-\-pretty 选项在输出结果中添加标题和分段): - -``` -$ nmcli -p con show net-static -=============================================================================== -Connection profile details (net-static ) -=============================================================================== -connection.id: net-static -connection.uuid: b9f18801-6084-4aee-af28-c8f0598ff5e1 -connection.stable-id: -- -connection.type: 802-3-ethernet -connection.interface-name: enp3s0 -connection.autoconnect: yes -connection.autoconnect-priority: 0 -connection.autoconnect-retries: -1 (default) -connection.multi-connect: 0 (default) -connection.auth-retries: -1 -connection.timestamp: 1578988781 -connection.read-only: no -connection.permissions: -- -connection.zone: -- -connection.master: -- -connection.slave-type: -- -connection.autoconnect-slaves: -1 (default) -connection.secondaries: -- -connection.gateway-ping-timeout: 0 -connection.metered: unknown -connection.lldp: default -connection.mdns: -1 (default) -connection.llmnr: -1 (default) -``` - -##### 添加 Wi-Fi 连接 - -使用以下命令查看可用 Wi-Fi 访问点: - -``` -$ nmcli dev wifi 
list -``` - -使用以下命令生成使用的静态 IP 配置,但允许自动 DNS 地址分配的 Wi-Fi 连接: - -``` -$ nmcli con add con-name Wifi ifname wlan0 type wifi ssid MyWifi ip4 192.168.100.101/24 gw4 192.168.100.1 -``` - -请使用以下命令设定 WPA2 密码,例如 “answer”: - -``` -$ nmcli con modify Wifi wifi-sec.key-mgmt wpa-psk -$ nmcli con modify Wifi wifi-sec.psk answer -``` - -使用以下命令更改 Wi-Fi 状态: - -``` -$ nmcli radio wifi [ on | off ] -``` - -##### 更改属性 - -请使用以下命令检查具体属性,比如 mtu: - -``` -$ nmcli connection show id 'Wifi ' | grep mtu -802-11-wireless.mtu: auto -``` - -使用如下命令更改设置的属性: - -``` -$ nmcli connection modify id 'Wifi ' 802-11-wireless.mtu 1350 -``` - -使用如下命令确认更改: - -``` -$ nmcli connection show id 'Wifi ' | grep mtu -802-11-wireless.mtu: 1350 -``` - -#### 配置静态路由 - -- 使用nmcli命令为网络连接配置静态路由,使用命令如下: - - ``` - $ nmcli connection modify enp3s0 +ipv4.routes "192.168.122.0/24 10.10.10.1" - ``` - - -- 使用编辑器配置静态路由,使用如下命令: - - ``` - $ nmcli con edit type ethernet con-name enp3s0 - ===| nmcli interactive connection editor |=== - Adding a new '802-3-ethernet' connection - Type 'help' or '?' for available commands. - Type 'describe [.]' for detailed property description. - You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, ipv4, ipv6, dcb - nmcli> set ipv4.routes 192.168.122.0/24 10.10.10.1 - nmcli> - nmcli> save persistent - Saving the connection with 'autoconnect=yes'. That might result in an immediate activation of the connection. - Do you still want to save? [yes] yes - Connection 'enp3s0' (1464ddb4-102a-4e79-874a-0a42e15cc3c0) successfully saved. 
- nmcli> quit - ``` - - -### 使用ip命令 - ->![](public_sys-resources/icon-note.gif) **说明:** ->使用ip命令配置的网络配置可以立即生效但系统重启后配置会丢失。 - - - -#### 配置IP地址 - -使用ip命令为接口配置地址,命令格式如下,其中 _interface-name_ 为网卡名称。 - -``` -ip addr [ add | del ] address dev interface-name -``` - -##### 配置静态地址 -在root权限下,配置设置IP地址,使用示例如下: - -``` -# ip address add 192.168.0.10/24 dev enp3s0 -``` - -查看配置结果,在root权限使用如下命令: - -``` -# ip addr show dev enp3s0 -2: enp3s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 - link/ether 52:54:00:aa:ad:4a brd ff:ff:ff:ff:ff:ff - inet 192.168.202.248/16 brd 192.168.255.255 scope global dynamic noprefixroute enp3s0 - valid_lft 9547sec preferred_lft 9547sec - inet 192.168.0.10/24 scope global enp3s0 - valid_lft forever preferred_lft forever - inet6 fe80::32e8:cc22:9db2:f4d4/64 scope link noprefixroute - valid_lft forever preferred_lft forever -``` - -##### 配置多个地址 -ip 命令支持为同一接口分配多个地址,可在root权限下重复多次使用 ip 命令实现分配多个地址。使用示例如下: - -``` -# ip address add 192.168.2.223/24 dev enp4s0 -# ip address add 192.168.4.223/24 dev enp4s0 -# ip addr - -3: enp4s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 - link/ether 52:54:00:aa:da:e2 brd ff:ff:ff:ff:ff:ff - inet 192.168.203.12/16 brd 192.168.255.255 scope global dynamic noprefixroute enp4s0 - valid_lft 8389sec preferred_lft 8389sec - inet 192.168.2.223/24 scope global enp4s0 - valid_lft forever preferred_lft forever - inet 192.168.4.223/24 scope global enp4s0 - valid_lft forever preferred_lft forever - inet6 fe80::1eef:5e24:4b67:f07f/64 scope link noprefixroute - valid_lft forever preferred_lft forever -``` - -#### 配置静态路由 - -如果需要静态路由,可使用 ip route add 命令在路由表中添加,使用 ip route del 命令删除。最常使用的 ip route 命令格式如下: - -``` -ip route [ add | del | change | append | replace ] destination-address -``` - -在root权限下使用 ip route 命令显示当前的 IP 路由表。示例如下: - -``` -# ip route - -default via 192.168.0.1 dev enp3s0 proto dhcp metric 100 -default via 192.168.0.1 dev enp4s0 proto dhcp metric 101 -192.168.0.0/16 dev enp3s0 proto kernel scope link src 
192.168.202.248 metric 100 -192.168.0.0/16 dev enp4s0 proto kernel scope link src 192.168.203.12 metric 101 -192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown -``` - -在主机地址中添加一个静态路由,在 root 权限下,使用以下命令格式: - -``` -ip route add 192.168.2.1 via 10.0.0.1 [dev interface-name] -``` - -其中 192.168.2.1 是用点分隔的十进制符号中的 IP 地址,10.0.0.1 是下一个跃点,_interface-name_ 是进入下一个跃点的退出接口。 - -要在网络中添加一个静态路由,即代表 IP 地址范围的 IP 地址,请在root权限下运行以下命令格式: - -``` -ip route add 192.168.2.0/24 via 10.0.0.1 [dev interface-name] -``` - -其中 192.168.2.1 是目标网络的 IP 地址,10.0.0.1 是网络前缀,_interface-name_ 为网卡名称。 - -### 通过ifcfg文件配置网络 - ->![](public_sys-resources/icon-note.gif) **说明:** ->通过ifcfg文件配置的网络配置不会立即生效,需要在root权限下执行**systemctl reload NetworkManager**命令以重启网络服务后才生效。 - -#### 配置静态网络 - -以enp4s0网络接口进行静态网络设置为例,通过在root权限下修改ifcfg文件实现,在/etc/sysconfig/network-scripts/目录中生成名为ifcfg-enp4s0的文件中,修改参数配置,示例如下: - -``` -TYPE=Ethernet -PROXY_METHOD=none -BROWSER_ONLY=no -BOOTPROTO=none -IPADDR=192.168.0.10 -PREFIX=24 -DEFROUTE=yes -IPV4_FAILURE_FATAL=no -IPV6INIT=yes -IPV6_AUTOCONF=yes -IPV6_DEFROUTE=yes -IPV6_FAILURE_FATAL=no -IPV6_ADDR_GEN_MODE=stable-privacy -NAME=enp4s0static -UUID=08c3a30e-c5e2-4d7b-831f-26c3cdc29293 -DEVICE=enp4s0 -ONBOOT=yes -``` - -#### 配置动态网络 - -要通过ifcfg文件为em1接口配置动态网络,请按照如下操作在/etc/sysconfig/network-scripts/目录中生成名为 ifcfg-em1 的文件,示例如下: - -``` -DEVICE=em1 -BOOTPROTO=dhcp -ONBOOT=yes -``` - -要配置一个向DHCP服务器发送不同的主机名的接口,请在ifcfg文件中新增一行内容,如下所示: - -``` -DHCP_HOSTNAME=hostname -``` - -要配置忽略由DHCP服务器发送的路由,防止网络服务使用从DHCP服务器接收的DNS服务器更新/etc/resolv.conf。请在ifcfg文件中新增一行内容,如下所示: - -``` -PEERDNS=no -``` - -要配置一个接口使用具体DNS服务器,请将参数PEERDNS=no,并在ifcfg文件中添加以下行: - -``` -DNS1=ip-address -DNS2=ip-address -``` - -其中ip-address是DNS服务器的地址。这样就会让网络服务使用指定的DNS服务器更新/etc/resolv.conf。 - -#### 配置默认网关 - -在确定默认网关时,首先解析 /etc/sysconfig/network 文件,然后解析 ifcfg 文件 ,将最后读取的 GATEWAY 的取值作为路由表中的默认路由。 - -在动态网络环境中,使用 NetworkManager 管理主机时,建议设置为由 DHCP 来分配。 - -## 配置主机名 - - -### 简介 - -hostname有三种类型:static、transient和pretty。 - -- 
static:静态主机名,可由用户自行设置,并保存在/etc/hostname 文件中。 -- transient:动态主机名,由内核维护,初始是 static 主机名,默认值为“localhost”。可由DHCP或mDNS在运行时更改。 -- pretty:灵活主机名,允许使用自由形式(包括特殊/空白字符)进行设置。静态/动态主机名遵从域名的通用限制。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->static和transient主机名只能包含a-z、A-Z、0-9、“-”、“\_”和“.”,不能在开头或结尾处使用句点,不允许使用两个相连的句点,大小限制为 64 个字符。 - -### 使用hostnamectl配置主机名 - -#### 查看所有主机名 -查看当前的主机名,使用如下命令: - -``` -$ hostnamectl status -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->如果命令未指定任何选项,则默认使用status选项。 - -#### 设定所有主机名 -在root权限下,设定系统中的所有主机名,使用如下命令: - -``` -# hostnamectl set-hostname name -``` - -#### 设定特定主机名 -在root权限下,通过不同的参数来设定特定主机名,使用如下命令: - -``` -# hostnamectl set-hostname name [option...] -``` - -其中option可以是\-\-pretty、\-\-static、\-\-transient中的一个或多个选项。 - -如果\-\-static或\-\-transient与\-\-pretty选项一同使用时,则会将static和transient主机名简化为pretty主机名格式,使用“-”替换空格,并删除特殊字符。 - -当设定pretty主机名时,如果主机名中包含空格或单引号,需要使用引号。命令示例如下: - -``` -# hostnamectl set-hostname "Stephen's notebook" --pretty -``` - -#### 清除特定主机名 -要清除特定主机名,并将其还原为默认形式,在root权限下,使用如下命令: - -``` -# hostnamectl set-hostname "" [option...] 
-``` - -其中 "" 是空白字符串,option是\-\-pretty、\-\-static和\-\-transient中的一个或多个选项。 - -#### 远程更改主机名 -在远程系统中运行hostnamectl命令时,要使用-H,\-\-host 选项,在root权限下使用如下命令: - -``` -# hostnamectl set-hostname -H [username]@hostname new_hostname -``` - -其中hostname是要配置的远程主机,username为自选项,new\_hostname为新主机名。hostnamectl会通过SSH连接到远程系统。 - -### 使用nmcli配置主机名 - -查询static主机名,使用如下命令: - -``` -$ nmcli general hostname -``` - -在root权限下,将static主机名设定为host-server,使用如下命令: - -``` -# nmcli general hostname host-server -``` - -要让系统hostnamectl感知到static主机名的更改,在root权限下,重启hostnamed服务,使用如下命令: - -``` -# systemctl restart systemd-hostnamed -``` - -## 配置网络绑定 - - -### 使用nmcli - -- 创建名为mybond0的绑定,使用示例如下: - - ``` - $ nmcli con add type bond con-name mybond0 ifname mybond0 mode active-backup - ``` - -- 添加从属接口,使用示例如下: - - ``` - $ nmcli con add type bond-slave ifname enp3s0 master mybond0 - ``` - - 要添加其他从属接口,重复上一个命令,并在命令中使用新的接口,使用示例如下: - - ``` - $ nmcli con add type bond-slave ifname enp4s0 master mybond0 - Connection 'bond-slave-enp4s0' (05e56afc-b953-41a9-b3f9-0791eb49f7d3) successfully added. 
- ``` - -- 要启动绑定,则必须首先启动从属接口,使用示例如下: - - ``` - $ nmcli con up bond-slave-enp3s0 - Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/14) - ``` - - ``` - $ nmcli con up bond-slave-enp4s0 - Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/15) - ``` - - 现在可以启动绑定,使用示例如下: - - ``` - $ nmcli con up mybond0 - Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/16) - ``` - - -### 使用命令行 - - - -#### 检查是否已安装Bonding内核模块 - -在系统中默认已加载相应模块。要载入绑定模块,可在root权限下使用如下命令: - -``` -# modprobe --first-time bonding -``` - -显示该模块的信息,可在root权限下使用如下命令: - -``` -# modinfo bonding -``` - -更多命令请在root权限下使用modprobe \-\-help查看。 - -#### 创建频道绑定接口 - -要创建绑定接口,可在root权限下通过在 /etc/sysconfig/network-scripts/ 目录中创建名为 ifcfg-bondN 的文件(使用接口号码替换 N,比如 0)。 - -根据要绑定接口类型的配置文件来编写相应的内容,比如网络接口。接口配置文件示例如下: - -``` -DEVICE=bond0 -NAME=bond0 -TYPE=Bond -BONDING_MASTER=yes -IPADDR=192.168.1.1 -PREFIX=24 -ONBOOT=yes -BOOTPROTO=none -BONDING_OPTS="bonding parameters separated by spaces" -``` - -#### 创建从属接口 - -创建频道绑定接口后,必须在从属接口的配置文件中添加 MASTER 和 SLAVE 指令。 - -例如将两个网络接口enp3s0 和 enp4s0 以频道方式绑定,其配置文件示例分别如下: - -``` -TYPE=Ethernet -NAME=bond-slave-enp3s0 -UUID=3b7601d1-b373-4fdf-a996-9d267d1cac40 -DEVICE=enp3s0 -ONBOOT=yes -MASTER=bond0 -SLAVE=yes -``` - -``` -TYPE=Ethernet -NAME=bond-slave-enp4s0 -UUID=00f0482c-824f-478f-9479-abf947f01c4a -DEVICE=enp4s0 -ONBOOT=yes -MASTER=bond0 -SLAVE=yes -``` - -#### 激活频道绑定 - -要激活绑定,则需要启动所有从属接口。请在root权限下,运行以下命令: - -``` -# ifup enp3s0 -Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7) -``` - -``` -# ifup enp4s0 -Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8) -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->对于已经处于“up”状态的接口,请首先使用“ifdown _enp3s0_ ”命令修改状态为down,其中 _enp3s0_ 为实际网卡名称。 - -完成后,启动所有从属接口以便启动绑定(不将其设定为 “down”)。 - -要让 
NetworkManager 感知到系统所做的修改,在每次修改后,请在root权限下,运行以下命令: - -``` -# nmcli con load /etc/sysconfig/network-scripts/ifcfg-device -``` - -查看绑定接口的状态,请在root权限下运行以下命令: - -``` -# ip link show - -1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 -2: enp3s0: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 - link/ether 52:54:00:aa:ad:4a brd ff:ff:ff:ff:ff:ff -3: enp4s0: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 - link/ether 52:54:00:aa:da:e2 brd ff:ff:ff:ff:ff:ff -4: virbr0: mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000 - link/ether 86:a1:10:fb:ef:07 brd ff:ff:ff:ff:ff:ff -5: virbr0-nic: mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000 - link/ether 52:54:00:29:35:4c brd ff:ff:ff:ff:ff:ff -``` - -#### 创建多个绑定 - -系统会为每个绑定创建一个频道绑定接口,包括 BONDING\_OPTS 指令。使用这个配置方法可让多个绑定设备使用不同的配置。请按照以下操作创建多个频道绑定接口: - -- 创建多个 ifcfg-bondN 文件,文件中包含 BONDING\_OPTS 指令,让网络脚本根据需要创建绑定接口。 -- 创建或编辑要绑定的现有接口配置文件,添加 SLAVE 指令。 -- 使用 MASTER 指令工具在频道绑定接口中分配要绑定的接口,即从属接口。 - -以下是频道绑定接口配置文件示例: - -``` -DEVICE=bondN -NAME=bondN -TYPE=Bond -BONDING_MASTER=yes -IPADDR=192.168.1.1 -PREFIX=24 -ONBOOT=yes -BOOTPROTO=none -BONDING_OPTS="bonding parameters separated by spaces" -``` - -在这个示例中,使用绑定接口的号码替换 N。例如要创建两个接口,则需要使用正确的 IP 地址创建两个配置文件 ifcfg-bond0 和 ifcfg-bond1。 - -## IPv6使用差异说明(vs IPv4) - - - -### 约束限制 - -- chrony支持全局地址(global address),不支持链路本地地址(link-local address)。 -- Firefox支持通过http/https协议访问全局地址(global address),不支持链路本地地址(link-local address)。 - -### 配置说明 -#### 设置接口设备MTU值 - -##### 概述 - -IPv6场景中会发现整个路由路径中的最小mtu的值作为当前链接的PMTU的值,源端根据PMTU的值确定是否进行分片发送,而在整个路径中的其它设备将不再需要进行分片处理,从而可以降低中间路由设备的负载大小。其中IPv6 PMTU设置的最小值为1280。 - -##### 设置接口设备的mtu - -如果在配置了IPv6地址的接口上设置mtu的值小于1280(IPv6 PMTU设置的最小值),则会导致该接口的IPv6地址被删除。并且无法再次添加IPv6地址。所以在IPv6场景中,对接口设备的mtu的配置一定要大于等于1280。 -请在root权限下运行如下命令查看具体现象: - -``` -# ip addr show enp3s0 -3: enp3s0: mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000 - link/ether 52:54:00:62:xx:xx brd ff:ff:ff:ff:xx:xx - inet 10.41.125.236/16 brd 10.41.255.255 scope global noprefixroute dynamic enp3s0 - valid_lft 38663sec preferred_lft 38663sec - inet6 2001:222::2/64 scope global - valid_lft forever preferred_lft forever -``` - -``` -# ip link set dev enp3s0 mtu 1200 -# ip addr show enp3s0 -3: enp3s0: mtu 1200 qdisc pfifo_fast state UP group default qlen 1000 - link/ether 52:54:00:62:xx:xx brd ff:ff:ff:ff:xx:xx - inet 10.41.125.236/16 brd 10.41.255.255 scope global noprefixroute dynamic enp3s0 - valid_lft 38642sec preferred_lft 38642sec -``` - -``` -# ip addr add 2001:222::2/64 dev enp3s0 -RTNETLINK answers: No buffer space available -``` - -``` -# ip link set dev enp3s0 mtu 1500 -# ip addr show enp3s0 -3: enp3s0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 - link/ether 52:54:00:62:xx:xx brd ff:ff:ff:ff:xx:xx - inet 10.41.125.236/16 brd 10.41.255.255 scope global noprefixroute dynamic enp3s0 - valid_lft 38538sec preferred_lft 38538sec -``` - -``` -# ip addr add 2001:222::2/64 dev enp3s0 -# ip addr show enp3s0 -3: enp3s0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 - link/ether 52:54:00:62:xx:xx brd ff:ff:ff:ff:xx:xx - inet 10.41.125.236/16 brd 10.41.255.255 scope global noprefixroute dynamic enp3s0 - valid_lft 38531sec preferred_lft 38531sec - inet6 2001:222::2/64 scope global - valid_lft forever preferred_lft forever -``` - -#### 有状态自动配置IPv6地址 - -##### 概述 - -IPv6与IPv4都可以在root权限下通过DHCP的方式获得IP地址。IPv6地址有两种配置方式:无状态自动配置和有状态自动配置。 - -- 无状态自动配置 - - 不需要DHCP服务进行管理,设备根据网络RA(路由公告)获得网络前缀,或者link-local地址为固定fe80::。而接口ID则根据ifcfg配置IPV6\_ADDR\_GEN\_MODE的具体设置来进行自动获得: - - 1. IPv6\_ADDR\_GEN\_MODE="stable-privacy" 则根据设备及网络环境来确定一个随机接口ID。 - 2. 
IPv6\_ADDR\_GEN\_MODE="EUI64" 则根据设备MAC地址来确定接口ID。 - -- 有状态自动配置:需要DHCP服务器进行管理分配,服从DHCPv6协议来从DHCPv6服务器端租赁IPv6地址。 - - 在有状态自动配置IPv6地址时,DHCPv6服务端可以通过客户端设置的vendor class将客户端进行分类,不同类别分配不同地址段的IPv6地址。在IPv4场景中,客户端可以直接用dhclient的-V选项来设置vendor-class-identifier,DHCP服务端在配置文件中根据vendor-class-identifier来对客户端进行分类处理。而IPv6场景中,如果使用同样的方法对客户端分类,则分类并不会生效。 - - ``` - dhclient -6 -V - ``` - - 这是由于DHCPv6和DHCP协议存在较大差异,DHCPv6的可选项中使用vendor-class-option替代了DHCP中的vendor-class-identifier。而dhclient的-V选项并不能设置vendor-class-option。 - - -##### 有状态自动配置IPv6地址时dhclient设置vendor class方法 - -- 在客户端使用配置文件方式添加对vendor class的设置,使用方法如下: - - 客户端配置文件(/etc/dhcp/dhclient6.conf),文件位置可以自定义,在使用时需要通过dhclient -cf选项来指定配置文件: - - ``` - option dhcp6.vendor-class code 16 = {integer 32, integer 16, string}; - interface "enp3s0" { - send dhcp6.vendor-class ; - } - ``` - - >![](public_sys-resources/icon-note.gif) **说明:** - >- \,32位整型数字,企业标识号,企业通过IANA注册。 - >- \,16位整型数字,vendor class字符串长度。 - >- \,要设置的vendor class字符串,例如:“HWHW”。 - - 客户端使用方法: - - ``` - dhclient -6 -cf /etc/dhcp/dhclient6.conf - ``` - - -- DHCPv6服务端配置文件(/etc/dhcp/dhcpd6.conf),需要dhcpd -cf选项来指定该配置文件: - - ``` - option dhcp6.vendor-class code 16 = {integer 32, integer 16, string}; - subnet6 fc00:4:12:ffff::/64 { - class "hw" { - match if substring ( option dhcp6.vendor-class, 6, 10 ) = "HWHW"; - } - pool6 { - allow members of "hw"; - range6 fc00:4:12:ffff::ff10 fc00:4:12:ffff::ff20; - } - pool6 { - allow unknown clients; - range6 fc00:4:12:ffff::100 fc00:4:12:ffff::120; - } - } - ``` - - >![](public_sys-resources/icon-note.gif) **说明:** - >substring \( option dhcp6.vendor-class, 6, 10 \) 其中子字符串的开始位置为6,因为前面包含4个字节的和2个字节的。而子字符串的结束位置位:6+。这里vendor class string为“HWHW”,字符串的长度为4,所以子字符串的结束位置为6+4=10。用户可以根据实际需要来确定及相应的。 - - 服务端使用方法: - - ``` - dhcpd -6 -cf /etc/dhcp/dhcpd6.conf - ``` - - -#### 内核支持socket相关系统调用 - -##### 概述 - -IPv6地址长度扩展到128比特,所以有足够的IPv6地址可供分配使用。同时IPv6头相比IPv4头进行了简化,并增强了IPv6的自动配置功能。IPv6地址分为单播地址,组播地址和任意播地址。常用的单播地址又包含:链路本地地址(link-local address),唯一本地地址(Unique local 
address)和全局地址(global address)。由于IPv6的全局地址十分充足,唯一本地地址一般不被使用(其前身为站点本地地址(site-local address),已于2004年被废弃)。当前主要使用的单播地址为:链路本地地址(link-local address)和全局地址(global address)。当前内核支持socket系统调用,在使用单播地址的链路本地地址和全局地址时存在差异。 - -##### link-local地址和global地址在socket调用时的差异 - -RFC 2553: Basic Socket Interface Extensions for IPv6 定义sockaddr\_in6的数据结构如下; - -``` -struct sockaddr_in6 { - uint8_t sin6_len; /* length of this struct */ - sa_family_t sin6_family; /* AF_INET6 */ - in_port_t sin6_port; /* transport layer port # */ - uint32_t sin6_flowinfo; /* IPv6 flow information */ - struct in6_addr sin6_addr; /* IPv6 address */ - uint32_t sin6_scope_id; /* set of interfaces for a scope */ -}; -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->sin6\_scope\_id: 32位整型,对于链路本地地址(link-local address),对于链路范围的sin6\_addr,它可以用来标识指定的接口索引号。如果是站点范围的sin6\_addr,则用来作为站点的标识符(站点本地地址已被抛弃)。 - -在使用link-local地址进行socket通信时,在构造目的地址时,需要制定该地址所对应的接口索引号。一般可以通过if\_nametoindex函数将接口名转化为接口索引号。具体方式如下, - -``` -int port = 1234; -int sk_fd; -int iff_index = 0; -char iff_name[100] = "enp3s0"; -char * ll_addr[100] = "fe80::123:456:789"; -struct sockaddr_in6 server_addr; - -memset(&server_addr,0,sizeof(structsockaddr_in6)); -iff_index=if_nametoindex(iff_name); - -server_addr.sin6_family=AF_INET6; -server_addr.sin6_port=htons(port); -server_addr.sin6_scope_id=iff_index; -inet_pton(AF_INET6, ll_addr, &(server_addr.sin6_addr)); - -sk_fd=socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP); -connect(sk_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr_in6)); -``` - -#### IPv4的dhclient守护进程持久化配置 - -##### 概述 - -通过NetworkManager服务来管理网络服务时,如果接口ifcfg-配置文件中配置了DHCP方式获得IP地址,则相应地NetworkManager服务会拉起dhclient守护进程来通过DHCP协议方式来从DHCP服务器获取IP地址。 - -dhclient提供了"-1"选项来决定dhclient进程在未获得DHCP服务响应时,是会不断持久化尝试请求地址还是会尝试时间超时后退出。针对IPv4的dhclient守护进程,可以在ifcfg-配置文件中设置PERSISTENT\_DHCLIENT来决定是否设置IPv4的dhclient进程的持久化。 - -##### 约束限制 - -1. 当dhclient进程在运行中被杀死,network服务无法自动将其拉起,可靠性需要用户自己保障。 -2. 
配置了持久化选项PERSISTENT\_DHCLIENT,需要确保有相应的DHCP服务器。如果在拉起network时无可用DHCP服务器,dhclient进程不断尝试发送请求包但无回应,则会导致network服务卡死直到network服务超时失败。由于network服务在拉起多个网卡的IPv4 dhclient进程时,是通过串行的方式来拉起的。如果有网卡配置了持久化而DHCP服务器没有准备好,则会导致network服务在给该网卡获取IPv4地址超时卡死,进而导致后续网卡无法获得IPv4/IPv6地址。 - -以上两种约束限制是特殊的应用场景,需要用户自己进行可靠性保障。 - -##### IPv4 DHCP和IPv6 DHCPv6方式获取地址的配置差异 - -可以通过配置接口ifcfg-参数来分别实现IPv4和IPv6通过DHCP/DHCPv6协议来动态获取IP地址,具体配置说明如下; - -``` -BOOTPROTO=none|bootp|dhcp -DHCPV6C=yes|no -PERSISTENT_DHCLIENT=yes|no|1|0 -``` - -- BOOTPROTO: none表示静态配置IPv4地址,bootp|dhcp则会拉起DHCP dhclient来动态获取IPv4地址。 -- DHCPV6C: no表示静态配置IPv6地址,yes则会拉起DHCPv6 dhclient来动态获取IPv6地址。 -- PERSISTENT\_DHCLIENT:no|0表示IPv4的dhclient进程配置为“非持久化”,当dhclient向DHCP服务器发送一次请求报文而无响应,则会间隔一段时间后退出,退出值为2。yes|1则表示IPv4的dhclient进程配置为“持久化”,dhclient会向DHCP服务器反复发送请求报文。**如果没有配置PERSISTENT\_DHCLIENT项,则IPv4的dhclient会默认设置为“持久化”**。 - - >![](public_sys-resources/icon-note.gif) **说明:** - >PERSISTENT\_DHCLIENT配置只针对IPv4生效,对IPv6相关dhclient -6进程不生效,IPv6默认不进行持久化配置。 - - -#### iproute相关命令配置IPv4与IPv6时的差异说明 - -##### 概述 - -由于IPv4和IPv6是两个不同的协议标准,iproute相关命令在使用方法上存在一定的差异。本章节主要梳理iproute包中用户经常使用到命令在IPv4和IPv6使用方面的差异,从而可以更好地指导用户使用iproute包中相关命令。 - -iproute相关命令均需要在root权限下运行。 - -##### IPv6地址的生命周期 - - - - - - - - - - - - - - - - - - - -

IPv6状态

-

解释

-

tentative

-

临时状态:刚添加地址还处于地址重复检测DAD过程

-

preferred

-

首选状态:完成DAD过程,没有收到相应的NA报文,表示该地址没有冲突。

-

deprecated

-

弃用状态:地址有一定的使用时限(valid_lft和preferred_lft),preferred_lft到期后地址会变化deprecated状态。

-

该状态下的地址不能用于创建新的连接,但是原有的连接可以继续使用。

-

invalid

-

无效状态:使用时限超过preferred_lft一段时间后仍然没有成功进行租约续约,则valid_lft时间到后地址状态会被设置为invalid,表示该地址不可以再被使用。

-
- -其它说明: - -- preferred\_lft:preferred lifetime,地址为首选状态的寿命,preferred\_lft没有到期的地址可以用于正常通信使用,若有多个preferred地址则按照内核具体机制选择地址。 -- valid\_lft: valid lifetime,地址有效的寿命,在\[preferred\_lft, valid\_lft\]时间段内该地址不能被用于新建连接,已经创建的连接继续有效。 - -##### ip link 命令 - -命令: - -``` -ip link set IFNAME mtu MTU -``` - -IPv6中PMTU的最小值为1280,如果mtu值设置小于1280则会导致IPv6地址丢失。其它设备无法ping通该IPv6地址。 - -##### ip addr命令 - -1. 命令: - - ``` - ip [-6] addr add IFADDR dev IFNAME - ``` - - 添加IPv6地址可以选择添加-6选项也可以不添加,ip addr命令会根据具体地址类型来判断是ipv4地址还是IPv6地址。 - - 如果指定“-6”选项,但是IFADDR 是ipv4地址则会有错误返回。 - -2. 命令: - - ``` - ip [-6] addr add IFADDR dev IFNAME [home|nodad] - ``` - - \[home|nodad\] 选项只针对IPv6地址有效。 - - - home:将该地址指定为RFC 6275中定义的家庭地址。(这是移动节点从家庭链路获取的地址, 是移动节点的永久地址,如果移动节点保持在相同的归属链路中,则各种实体之间的通信照常进行。) - - nodad:配置该项(仅限IPv6)添加此地址时不执行重复地址检测DAD(RFC 4862)。如果一台设备上多个接口通过nodad配置了多个相同的IPv6地址,则会按照接口顺序使用该IPv6地址。同一个接口上不能添加一个nodad一个非nodad的相同IPv6地址。因为两个地址是一样的,所以会报“RTNETLINK answers: File exists”。 - -3. 命令: - - ``` - ip [-6] addr del IFADDR dev IFNAME - ``` - - 删除IPv6地址可以选择添加-6选项也可以不添加,ip addr del命令会根据具体地址类型来判断是ipv4地址还是IPv6地址。 - -4. 命令: - - ``` - ip [-6] addr show dev IFNAME [tentative|-tentative|deprecated|-deprecated|dadfailed|-dadfailed|temporary] - ``` - - - 不指定-6选项,则会同时打印IPv4和IPv6地址。指定-6选项则只打印IPv6地址。 - - \[tentative|-tentative|deprecated|-deprecated|dadfailed|-dadfailed|temporary\],这些选项只针对IPv6,可以根据IPv6地址状态对地址进行筛选查看。 - 1. tentative:(仅限IPv6)仅列出尚未通过重复地址检测的地址。 - 2. -tentative:(仅限IPv6)仅列出当前未处于重复地址检测过程中的地址。 - 3. deprecated:(仅限IPv6)仅列出已弃用的地址。 - 4. -deprecated:(仅限IPv6)仅列出未弃用的地址。 - 5. dadfailed:(仅限IPv6)仅列出重复地址检测失败的地址。 - 6. -dadfailed:(仅限IPv6)仅列出未重复地址检测失败的地址。 - 7. temporary:(仅限IPv6)仅列出临时地址 - - - -##### ip route命令 - -1. 命令: - - ``` - ip [-6] route add ROUTE [mtu lock MTU] - ``` - - - -6选项:添加IPv6路由可以选择添加-6选项也可以不添加,ip route命令会根据具体地址类型来判断是IPv4地址还是IPv6地址。 - - - mtu lock MTU:锁定路由的MTU值。如果不锁定MTU,则MTU的值则可能在PMTUD过程中被内核改变。如果锁定MTU,则不会尝试PMTUD,所有IPv4包都将不设置DF位发出,IPv6包则会按照MTU进行分段处理。 - -2. 
命令: - - ``` - ip [-6] route del ROUTE - ``` - - 删除IPv6路由可以选择添加-6选项也可以不添加,ip route命令会根据具体地址类型来判断是IPv4地址还是IPv6地址。 - - -##### ip rule命令 - -1. 命令: - - ``` - ip [-6] rule list - ``` - - -6选项:设置-6选项打印IPv6的策略路由,不设置-6选项打印IPv4的策略路由。所以需要根据具体协议类型来配置-6选项。 - -2. 命令: - - ``` - ip [-6] rule [add|del] [from|to] ADDR table TABLE pref PREF - ``` - - -6选项:IPv6相关的策略路由表项需要设置-6选项,否则会报错:“Error: Invalid source address.”。相应地,IPv4相关的策略路由表项不可以设置-6选项,否则会报错:“Error: Invalid source address.”。 - - -#### NetworkManager服务配置差异说明 - -##### 概述 - -NetworkManager服务使用ifup/ifdown的逻辑接口定义进行高级网络设置。其参数大多数都是在/etc/sysconfig/network和/etc/sysconfig/network-scripts/ifcfg-两个配置文件设置。前者为全局设置,后者为指定网卡的设置,当两者有冲突时,后者生效。 - -##### 配置差异说明 - -其中在/etc/sysconfig/network下的配置差异有: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IPv4

-

IPv6

-

含义说明

-

NA

-

IPV6FORWARDING=yes|no

-

IPv6转发,默认不转发。

-

NA

-

IPV6_AUTOCONF=yes|no

-

IPv6转发打开是no,否则是yes。

-

NA

-

IPV6_ROUTER=yes|no

-

IPv6转发打开是yes,否则是no。

-

NA

-

IPV6_AUTOTUNNEL=yes|no

-

指定Tunnel为自动隧道模式,默认是no。

-

GATEWAY

-

IPV6_DEFAULTGW=<IPv6 address[%interface]> (optional)

-

在IPv6中设置默认网关。

-

NA

-

IPV6_DEFAULTDEV=<interface> (optional)

-

指定默认转发的网卡。

-

NA

-

IPV6_RADVD_PIDFILE=<pid-file> (optional)

-

默认ipv6_radvd_pid路径:/var/run/radvd/radvd.pid。

-

NA

-

IPV6_RADVD_TRIGGER_ACTION=startstop|reload|restart|SIGHUP (optional)

-

radvd默认触发动作。

-
- -而在/etc/sysconfig/network-scripts/ifcfg-下的差异主要有: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IPv4

-

IPv6

-

含义说明

-

IPADDRn

-

IPV6ADDR=<IPv6 address>[/<prefix length>]

-

ip地址。

-

PREFIXn

-

NA

-

网络前缀,网络别名和ppp无效,优先级高于NETMASK。

-

NETMASKn

-

NA

-

子网掩码,仅用于别名和ppp。

-

GATEWAY

-

IPV6_DEFAULTGW=<IPv6 address[%interface]> (optional)

-

默认网关。

-

MTU

-

IPV6_MTU=<MTU of link> (optional)

-

默认MTU。

-

IPV4_FAILURE_FATAL=yes|no

-

IPV6_FAILURE_FATAL

-

默认值是no。若设置为yes,dhclient失败ifup-eth会直接退出。

-

NA

-

IPV6_PRIVACY=rfc3041

-

默认禁用。

-

NA

-

IPV6INIT=yes|no

-

默认开启IPv6。

-

NA

-

IPV6FORWARDING=yes|no

-

默认关闭,已废弃。

-
- -### FAQ -#### iscsi-initiator-utils不支持登录fe80 IPv6地址 - -##### 问题现象 - -客户端通过IPv6登录iscsi服务端时,使用如“iscsiadm -m node -p ipv6address -l”的命令格式登录,如果是全局地址(global address),直接替换将命令范例中的“ipv6address”替换为全局地址即可;但如果是链路本地地址(link-local address,fe80开头的IPv6地址)则无法使用,因为iscsi-initiator-utils目前机制还不支持用链路本地地址(link-local address)地址登录iscsi服务端。 - -##### 原因分析 - -如果使用格式如“iscsiadm -m node -p fe80::xxxx -l”登录,会登录超时返回,这是因为使用链路本地地址必须指定接口,否则使用iscsi\_io\_tcp\_connect函数调用connect函数会失败,并且产生标准错误码22。 - -如果使用格式如“iscsiadm -m node -p fe80::xxxx%enp3s0 -l”登录时,iscsi\_addr\_match函数会将地址“fe80::xxxx%enp3s0”与服务端返回的node信息中的地址“fe80::xxxx”对比,对比结果不匹配,导致登录失败。 - -因此,**iscsi-initiator-utils目前机制还不支持用链路本地地址(link-local address)登录iscsi服务端**。 - -#### 网卡down掉之后,IPv6地址丢失 - -##### 问题现象 - -通过ip link down+up网卡或ifconfig down+up网卡命令,将网卡down掉之后再上线,查看网卡上配置的ip地址,发现ipv4地址不丢失,而配置的IPv6地址丢失。 - -##### 原因分析 - -内核中的处理逻辑为如果网卡设置为down状态,会清空所有IPv4及IPv6地址,将网卡重新up之后,ipv4地址自动恢复,网卡上自动配置的IPv6链路本地地址也会恢复,但是其他IPv6地址默认会丢失。如果需要保留这些IPv6地址,可以通过“sysctl -w net.ipv6.conf.<网卡名\>.keep\_addr\_on\_down=1”来实现。 - -#### bond口已具有多个IPv6地址时,添加或删除IPv6地址耗时过久 - -##### 问题现象 - -下列方式配置或删除(包括flush)IPv6地址方式,X为动态变化的低16位,并且配置在bond口时,耗时会随已配置的IPv6地址数量成数倍增加。例如由4个物理网卡组成的bond口添加IPv6地址时,单线程添加删除3000 IPv6地址均需大概5分钟,而普通物理网卡耗时在10秒内。 - -``` -ip a add/del 192:168::18:X/64 dev DEVICE -``` - -##### 原因分析 - -bond口在添加IPv6地址时,会生成IPv6组播地址,并进行同步到所有的物理网卡上,此耗时会随IPv6数量增加而增加,导致耗时过长。 - -##### 解决方法 - -IPv6的组播地址是由IPv6地址的低24位与33-33-ff组合生成,组播地址过多会导致添加删除耗时增加,如果生成的组播地址为少量,耗时不会受此影响。 - -建议添加IPv6地址时,可保持低24位一致,保持高位变动,单网卡中仅需一个网段的一个地址即可与外部正常通信,此配置更符合常规使用。 - -#### Rsyslog在IPv4和IPv6混合使用场景中日志传输延迟 - -##### 问题现象 - -rsyslog客户端配置文件同时配置IPv4和IPv6地址,且端口配置相同的情况下,服务端收集log时会概率性出现日志打印延迟。 - -##### 原因分析 - -延迟是因为rsyslog内部存在缓冲队列机制,默认情况下需要缓冲区队列达到一定数量才会写入文件。 - -##### 解决方法 - -可在root权限下通过配置Direct模式,关闭缓冲队列机制解决该问题。在rsyslog远程传输服务端的/etc/rsyslog.d目录下新增的远程传输配置文件中,最开头增加如下配置: - -``` -$ActionQueueType Direct -$MainMsgQueueType Direct -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->- Direct模式减少队列大小为1,所以在队列中会保留1条日志到下次日志打印; ->- 
Direct模式会降低服务器端的rsyslog性能。 +# 配置网络 + + +- [配置网络](#配置网络) + - [配置 IP](#配置-ip) + - [使用nmcli命令](#使用nmcli命令) + - [使用ip命令](#使用ip命令) + - [通过ifcfg文件配置网络](#通过ifcfg文件配置网络) + - [配置主机名](#配置主机名) + - [简介](#简介) + - [使用hostnamectl配置主机名](#使用hostnamectl配置主机名) + - [使用nmcli配置主机名](#使用nmcli配置主机名) + - [配置网络绑定](#配置网络绑定) + - [使用nmcli](#使用nmcli) + - [使用命令行](#使用命令行) + - [IPv6使用差异说明(vs IPv4)](#ipv6使用差异说明vs-ipv4) + - [约束限制](#约束限制) + - [配置说明](#配置说明) + - [FAQ](#faq) + + + + +## 配置 IP + + +### 使用nmcli命令 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>使用nmcli命令配置的网络配置可以立即生效且系统重启后配置也不会丢失。 + + + +#### nmcli介绍 + +nmcli是NetworkManager的一个命令行工具,它提供了使用命令行配置由NetworkManager管理网络连接的方法。nmcli命令的基本格式为: + +``` + nmcli [OPTIONS] OBJECT { COMMAND | help } +``` + +其中,OBJECT选项可以是general、networking、radio、connection或device等。在日常使用中,最常使用的是-t, \-\-terse(用于脚本)、-p, \-\-pretty选项(用于用户)及-h, \-\-help选项,用户可以使用“ nmcli help”获取更多参数及使用信息。 + +``` +$ nmcli help +``` + +常用命令使用举例如下: + +- 显示NetworkManager状态: + + ``` + $ nmcli general status + ``` + +- 显示所有连接: + + ``` + $ nmcli connection show + ``` + +- 只显示当前活动连接,如下所示添加 -a, \-\-active: + + ``` + $ nmcli connection show --active + ``` + +- 显示由NetworkManager识别到设备及其状态: + + ``` + $ nmcli device status + ``` + +- 使用nmcli工具启动和停止网络接口,在root权限下执行如下命令: + + ``` + # nmcli connection up id enp3s0 + # nmcli device disconnect enp3s0 + ``` + + +#### 设备管理 + +##### 连接到设备 + +使用如下命令,NetworkManager将连接到对应网络设备,尝试找到合适的连接配置,并激活配置。 + +``` +$nmcli device connect "$IFNAME" +``` +>如果不存在相应的配置连接,NetworkManager将创建并激活具有默认设置的新配置文件。 + +##### 断开设备连接 + +使用如下命令,NetworkManager将断开设备连接,并防止设备自动激活。 + + +``` +$nmcli device disconnect "$IFNAME" +``` + + +#### 设置网络连接 + +列出目前可用的网络连接: + +``` +$ nmcli con show + + +NAME UUID TYPE DEVICE +enp4s0 5afce939-400e-42fd-91ee-55ff5b65deab ethernet enp4s0 +enp3s0 c88d7b69-f529-35ca-81ab-aa729ac542fd ethernet enp3s0 +virbr0 ba552da6-f014-49e3-91fa-ec9c388864fa bridge virbr0 +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>输出结果中的NAME字段代表连接ID(名称)。 + 
+添加一个网络连接会生成相应的配置文件,并与相应的设备关联。检查可用的设备,方法如下: + +``` +$ nmcli dev status + +DEVICE TYPE STATE CONNECTION +enp3s0 ethernet connected enp3s0 +enp4s0 ethernet connected enp4s0 +virbr0 bridge connected virbr0 +lo loopback unmanaged -- +virbr0-nic tun unmanaged -- +``` + + +##### 配置动态IP连接 + +###### 配置IP + +要使用 DHCP 分配网络时,可以使用动态IP配置添加网络配置文件,命令格式如下: + +``` +nmcli connection add type ethernet con-name connection-name ifname interface-name +``` + +例如创建名为net-test的动态连接配置文件,在root权限下使用以下命令: + +``` +# nmcli connection add type ethernet con-name net-test ifname enp3s0 +Connection 'net-test' (a771baa0-5064-4296-ac40-5dc8973967ab) successfully added. +``` + +NetworkManager 会将参数 connection.autoconnect 设定为 yes,并将设置保存到 “/etc/sysconfig/network-scripts/ifcfg-net-test”文件中,在该文件中会将 ONBOOT 设置为 yes。 + +###### 激活连接并检查状态 + +在root权限下使用以下命令激活网络连接: + +``` +# nmcli con up net-test +Connection successfully activated (D-Bus active path:/org/freedesktop/NetworkManager/ActiveConnection/5) +``` + +检查这些设备及连接的状态,使用以下命令: + +``` +$ nmcli device status + +DEVICE TYPE STATE CONNECTION +enp4s0 ethernet connected enp4s0 +enp3s0 ethernet connected net-test +virbr0 bridge connected virbr0 +lo loopback unmanaged -- +virbr0-nic tun unmanaged -- +``` + +##### 配置静态IP连接 + +###### 配置IP + +添加静态 IPv4 配置的网络连接,可使用以下命令: + +``` +nmcli connection add type ethernet con-name connection-name ifname interface-name ip4 address gw4 address +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>如果要添加 IPv6 地址和网关信息,使用 ip6 和 gw6 选项。 + +例如创建名为 net-static的静态连接配置文件,在root权限下使用以下命令: + +``` +# nmcli con add type ethernet con-name net-static ifname enp3s0 ip4 192.168.0.10/24 gw4 192.168.0.254 +``` + +还可为该设备同时指定 IPv6 地址和网关,示例如下: + +``` +# nmcli con add type ethernet con-name test-lab ifname enp3s0 ip4 192.168.0.10/24 gw4 192.168.0.254 ip6 abbe::**** gw6 2001:***::* +Connection 'net-static' (63aa2036-8665-f54d-9a92-c3035bad03f7) successfully added. 
+``` + +NetworkManager 会将其内部参数 ipv4.method 设定为 manual,将 connection.autoconnect 设定为yes,并将设置写入 /etc/sysconfig/network-scripts/ifcfg-my-office 文件,其中会将对应 BOOTPROTO 设定为 none,将 ONBOOT 设定为 yes。 + +设定两个 IPv4 DNS 服务器地址,在root权限下使用以下命令: + +``` +# nmcli con mod net-static ipv4.dns "*.*.*.* *.*.*.*" +``` + +设置两个 IPv6 DNS 服务器地址,在root权限下使用以下命令: + +``` +# nmcli con mod net-static ipv6.dns "2001:4860:4860::**** 2001:4860:4860::****" +``` + +###### 激活连接并检查状态 + +激活新的网络连接,在root权限下使用以下命令: + +``` +# nmcli con up net-static ifname enp3s0 +Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6) +``` + +检查这些设备及连接的状态,使用以下命令: + +``` +$ nmcli device status + +DEVICE TYPE STATE CONNECTION +enp4s0 ethernet connected enp4s0 +enp3s0 ethernet connected net-static +virbr0 bridge connected virbr0 +lo loopback unmanaged -- +virbr0-nic tun unmanaged -- +``` + +查看配置的连接详情,使用以下命令(使用 -p, \-\-pretty 选项在输出结果中添加标题和分段): + +``` +$ nmcli -p con show net-static +=============================================================================== +Connection profile details (net-static ) +=============================================================================== +connection.id: net-static +connection.uuid: b9f18801-6084-4aee-af28-c8f0598ff5e1 +connection.stable-id: -- +connection.type: 802-3-ethernet +connection.interface-name: enp3s0 +connection.autoconnect: yes +connection.autoconnect-priority: 0 +connection.autoconnect-retries: -1 (default) +connection.multi-connect: 0 (default) +connection.auth-retries: -1 +connection.timestamp: 1578988781 +connection.read-only: no +connection.permissions: -- +connection.zone: -- +connection.master: -- +connection.slave-type: -- +connection.autoconnect-slaves: -1 (default) +connection.secondaries: -- +connection.gateway-ping-timeout: 0 +connection.metered: unknown +connection.lldp: default +connection.mdns: -1 (default) +connection.llmnr: -1 (default) +``` + +##### 添加 Wi-Fi 连接 + +有两种方式添加Wi-Fi 连接。 + +**方法1,通过网络接口连接wifi** + 
+连接到由SSID或BSSID指定的wifi网络。命令如下,该命令找到匹配的连接或创建一个连接,然后在设备上激活它。 + +``` +$ nmcli device wifi connect "$SSID" password "$PASSWORD" ifname "$IFNAME" +$ nmcli --ask device wifi connect "$SSID" +``` + +**方法2,通过配置文件连接Wi-Fi** + +1,使用以下命令查看可用 Wi-Fi 访问点: + +``` +$ nmcli dev wifi list +``` +2,使用以下命令生成使用的静态 IP 配置,但允许自动 DNS 地址分配的 Wi-Fi 连接: + +``` +$ nmcli con add con-name Wifi ifname wlan0 type wifi ssid MyWifi ip4 192.168.100.101/24 gw4 192.168.100.1 +``` +3,请使用以下命令设定 WPA2 密码,例如 “answer”: + +``` +$ nmcli con modify Wifi wifi-sec.key-mgmt wpa-psk +$ nmcli con modify Wifi wifi-sec.psk answer +``` +4,使用以下命令更改 Wi-Fi 状态: + +``` +$ nmcli radio wifi [ on | off ] +``` + + +##### 更改属性 + +请使用以下命令检查具体属性,比如 mtu: + +``` +$ nmcli connection show id 'Wifi ' | grep mtu +802-11-wireless.mtu: auto +``` + +使用如下命令更改设置的属性: + +``` +$ nmcli connection modify id 'Wifi ' 802-11-wireless.mtu 1350 +``` + +使用如下命令确认更改: + +``` +$ nmcli connection show id 'Wifi ' | grep mtu +802-11-wireless.mtu: 1350 +``` + +#### 配置静态路由 + +- 使用nmcli命令为网络连接配置静态路由,使用命令如下: + + ``` + $ nmcli connection modify enp3s0 +ipv4.routes "192.168.122.0/24 10.10.10.1" + ``` + + +- 使用编辑器配置静态路由,使用如下命令: + + ``` + $ nmcli con edit type ethernet con-name enp3s0 + ===| nmcli interactive connection editor |=== + Adding a new '802-3-ethernet' connection + Type 'help' or '?' for available commands. + Type 'describe [.]' for detailed property description. + You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, ipv4, ipv6, dcb + nmcli> set ipv4.routes 192.168.122.0/24 10.10.10.1 + nmcli> + nmcli> save persistent + Saving the connection with 'autoconnect=yes'. That might result in an immediate activation of the connection. + Do you still want to save? [yes] yes + Connection 'enp3s0' (1464ddb4-102a-4e79-874a-0a42e15cc3c0) successfully saved. 
+ nmcli> quit + ``` + + +### 使用ip命令 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>使用ip命令配置的网络配置可以立即生效但系统重启后配置会丢失。 + + + +#### 配置IP地址 + +使用ip命令为接口配置地址,命令格式如下,其中 _interface-name_ 为网卡名称。 + +``` +ip addr [ add | del ] address dev interface-name +``` + +##### 配置静态地址 +在root权限下,配置设置IP地址,使用示例如下: + +``` +# ip address add 192.168.0.10/24 dev enp3s0 +``` + +查看配置结果,在root权限使用如下命令: + +``` +# ip addr show dev enp3s0 +2: enp3s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 + link/ether 52:54:00:aa:ad:4a brd ff:ff:ff:ff:ff:ff + inet 192.168.202.248/16 brd 192.168.255.255 scope global dynamic noprefixroute enp3s0 + valid_lft 9547sec preferred_lft 9547sec + inet 192.168.0.10/24 scope global enp3s0 + valid_lft forever preferred_lft forever + inet6 fe80::32e8:cc22:9db2:f4d4/64 scope link noprefixroute + valid_lft forever preferred_lft forever +``` + +##### 配置多个地址 +ip 命令支持为同一接口分配多个地址,可在root权限下重复多次使用 ip 命令实现分配多个地址。使用示例如下: + +``` +# ip address add 192.168.2.223/24 dev enp4s0 +# ip address add 192.168.4.223/24 dev enp4s0 +# ip addr + +3: enp4s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 + link/ether 52:54:00:aa:da:e2 brd ff:ff:ff:ff:ff:ff + inet 192.168.203.12/16 brd 192.168.255.255 scope global dynamic noprefixroute enp4s0 + valid_lft 8389sec preferred_lft 8389sec + inet 192.168.2.223/24 scope global enp4s0 + valid_lft forever preferred_lft forever + inet 192.168.4.223/24 scope global enp4s0 + valid_lft forever preferred_lft forever + inet6 fe80::1eef:5e24:4b67:f07f/64 scope link noprefixroute + valid_lft forever preferred_lft forever +``` + +#### 配置静态路由 + +如果需要静态路由,可使用 ip route add 命令在路由表中添加,使用 ip route del 命令删除。最常使用的 ip route 命令格式如下: + +``` +ip route [ add | del | change | append | replace ] destination-address +``` + +在root权限下使用 ip route 命令显示当前的 IP 路由表。示例如下: + +``` +# ip route + +default via 192.168.0.1 dev enp3s0 proto dhcp metric 100 +default via 192.168.0.1 dev enp4s0 proto dhcp metric 101 +192.168.0.0/16 dev enp3s0 proto kernel scope link src 
192.168.202.248 metric 100 +192.168.0.0/16 dev enp4s0 proto kernel scope link src 192.168.203.12 metric 101 +192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown +``` + +在主机地址中添加一个静态路由,在 root 权限下,使用以下命令格式: + +``` +ip route add 192.168.2.1 via 10.0.0.1 [dev interface-name] +``` + +其中 192.168.2.1 是用点分隔的十进制符号中的 IP 地址,10.0.0.1 是下一个跃点,_interface-name_ 是进入下一个跃点的退出接口。 + +要在网络中添加一个静态路由,即代表 IP 地址范围的 IP 地址,请在root权限下运行以下命令格式: + +``` +ip route add 192.168.2.0/24 via 10.0.0.1 [dev interface-name] +``` + +其中 192.168.2.1 是目标网络的 IP 地址,10.0.0.1 是网络前缀,_interface-name_ 为网卡名称。 + +### 通过ifcfg文件配置网络 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>通过ifcfg文件配置的网络配置不会立即生效,需要在root权限下执行**systemctl reload NetworkManager**命令以重启网络服务后才生效。 + +#### 配置静态网络 + +以enp4s0网络接口进行静态网络设置为例,通过在root权限下修改ifcfg文件实现,在/etc/sysconfig/network-scripts/目录中生成名为ifcfg-enp4s0的文件中,修改参数配置,示例如下: + +``` +TYPE=Ethernet +PROXY_METHOD=none +BROWSER_ONLY=no +BOOTPROTO=none +IPADDR=192.168.0.10 +PREFIX=24 +DEFROUTE=yes +IPV4_FAILURE_FATAL=no +IPV6INIT=yes +IPV6_AUTOCONF=yes +IPV6_DEFROUTE=yes +IPV6_FAILURE_FATAL=no +IPV6_ADDR_GEN_MODE=stable-privacy +NAME=enp4s0static +UUID=08c3a30e-c5e2-4d7b-831f-26c3cdc29293 +DEVICE=enp4s0 +ONBOOT=yes +``` + +#### 配置动态网络 + +要通过ifcfg文件为em1接口配置动态网络,请按照如下操作在/etc/sysconfig/network-scripts/目录中生成名为 ifcfg-em1 的文件,示例如下: + +``` +DEVICE=em1 +BOOTPROTO=dhcp +ONBOOT=yes +``` + +要配置一个向DHCP服务器发送不同的主机名的接口,请在ifcfg文件中新增一行内容,如下所示: + +``` +DHCP_HOSTNAME=hostname +``` + +要配置忽略由DHCP服务器发送的路由,防止网络服务使用从DHCP服务器接收的DNS服务器更新/etc/resolv.conf。请在ifcfg文件中新增一行内容,如下所示: + +``` +PEERDNS=no +``` + +要配置一个接口使用具体DNS服务器,请将参数PEERDNS=no,并在ifcfg文件中添加以下行: + +``` +DNS1=ip-address +DNS2=ip-address +``` + +其中ip-address是DNS服务器的地址。这样就会让网络服务使用指定的DNS服务器更新/etc/resolv.conf。 + +#### 配置默认网关 + +在确定默认网关时,首先解析 /etc/sysconfig/network 文件,然后解析 ifcfg 文件 ,将最后读取的 GATEWAY 的取值作为路由表中的默认路由。 + +在动态网络环境中,使用 NetworkManager 管理主机时,建议设置为由 DHCP 来分配。 + +## 配置主机名 + + +### 简介 + +hostname有三种类型:static、transient和pretty。 + +- 
static:静态主机名,可由用户自行设置,并保存在/etc/hostname 文件中。 +- transient:动态主机名,由内核维护,初始是 static 主机名,默认值为“localhost”。可由DHCP或mDNS在运行时更改。 +- pretty:灵活主机名,允许使用自由形式(包括特殊/空白字符)进行设置。静态/动态主机名遵从域名的通用限制。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>static和transient主机名只能包含a-z、A-Z、0-9、“-”、“\_”和“.”,不能在开头或结尾处使用句点,不允许使用两个相连的句点,大小限制为 64 个字符。 + +### 使用hostnamectl配置主机名 + +#### 查看所有主机名 +查看当前的主机名,使用如下命令: + +``` +$ hostnamectl status +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>如果命令未指定任何选项,则默认使用status选项。 + +#### 设定所有主机名 +在root权限下,设定系统中的所有主机名,使用如下命令: + +``` +# hostnamectl set-hostname name +``` + +#### 设定特定主机名 +在root权限下,通过不同的参数来设定特定主机名,使用如下命令: + +``` +# hostnamectl set-hostname name [option...] +``` + +其中option可以是\-\-pretty、\-\-static、\-\-transient中的一个或多个选项。 + +如果\-\-static或\-\-transient与\-\-pretty选项一同使用时,则会将static和transient主机名简化为pretty主机名格式,使用“-”替换空格,并删除特殊字符。 + +当设定pretty主机名时,如果主机名中包含空格或单引号,需要使用引号。命令示例如下: + +``` +# hostnamectl set-hostname "Stephen's notebook" --pretty +``` + +#### 清除特定主机名 +要清除特定主机名,并将其还原为默认形式,在root权限下,使用如下命令: + +``` +# hostnamectl set-hostname "" [option...] 
+``` + +其中 "" 是空白字符串,option是\-\-pretty、\-\-static和\-\-transient中的一个或多个选项。 + +#### 远程更改主机名 +在远程系统中运行hostnamectl命令时,要使用-H,\-\-host 选项,在root权限下使用如下命令: + +``` +# hostnamectl set-hostname -H [username]@hostname new_hostname +``` + +其中hostname是要配置的远程主机,username为自选项,new\_hostname为新主机名。hostnamectl会通过SSH连接到远程系统。 + +### 使用nmcli配置主机名 + +查询static主机名,使用如下命令: + +``` +$ nmcli general hostname +``` + +在root权限下,将static主机名设定为host-server,使用如下命令: + +``` +# nmcli general hostname host-server +``` + +要让系统hostnamectl感知到static主机名的更改,在root权限下,重启hostnamed服务,使用如下命令: + +``` +# systemctl restart systemd-hostnamed +``` + +## 配置网络绑定 + + +### 使用nmcli + +- 创建名为mybond0的绑定,使用示例如下: + + ``` + $ nmcli con add type bond con-name mybond0 ifname mybond0 mode active-backup + ``` + +- 添加从属接口,使用示例如下: + + ``` + $ nmcli con add type bond-slave ifname enp3s0 master mybond0 + ``` + + 要添加其他从属接口,重复上一个命令,并在命令中使用新的接口,使用示例如下: + + ``` + $ nmcli con add type bond-slave ifname enp4s0 master mybond0 + Connection 'bond-slave-enp4s0' (05e56afc-b953-41a9-b3f9-0791eb49f7d3) successfully added. 
+ ``` + +- 要启动绑定,则必须首先启动从属接口,使用示例如下: + + ``` + $ nmcli con up bond-slave-enp3s0 + Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/14) + ``` + + ``` + $ nmcli con up bond-slave-enp4s0 + Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/15) + ``` + + 现在可以启动绑定,使用示例如下: + + ``` + $ nmcli con up mybond0 + Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/16) + ``` + + +### 使用命令行 + + + +#### 检查是否已安装Bonding内核模块 + +在系统中默认已加载相应模块。要载入绑定模块,可在root权限下使用如下命令: + +``` +# modprobe --first-time bonding +``` + +显示该模块的信息,可在root权限下使用如下命令: + +``` +# modinfo bonding +``` + +更多命令请在root权限下使用modprobe \-\-help查看。 + +#### 创建频道绑定接口 + +要创建绑定接口,可在root权限下通过在 /etc/sysconfig/network-scripts/ 目录中创建名为 ifcfg-bondN 的文件(使用接口号码替换 N,比如 0)。 + +根据要绑定接口类型的配置文件来编写相应的内容,比如网络接口。接口配置文件示例如下: + +``` +DEVICE=bond0 +NAME=bond0 +TYPE=Bond +BONDING_MASTER=yes +IPADDR=192.168.1.1 +PREFIX=24 +ONBOOT=yes +BOOTPROTO=none +BONDING_OPTS="bonding parameters separated by spaces" +``` + +#### 创建从属接口 + +创建频道绑定接口后,必须在从属接口的配置文件中添加 MASTER 和 SLAVE 指令。 + +例如将两个网络接口enp3s0 和 enp4s0 以频道方式绑定,其配置文件示例分别如下: + +``` +TYPE=Ethernet +NAME=bond-slave-enp3s0 +UUID=3b7601d1-b373-4fdf-a996-9d267d1cac40 +DEVICE=enp3s0 +ONBOOT=yes +MASTER=bond0 +SLAVE=yes +``` + +``` +TYPE=Ethernet +NAME=bond-slave-enp4s0 +UUID=00f0482c-824f-478f-9479-abf947f01c4a +DEVICE=enp4s0 +ONBOOT=yes +MASTER=bond0 +SLAVE=yes +``` + +#### 激活频道绑定 + +要激活绑定,则需要启动所有从属接口。请在root权限下,运行以下命令: + +``` +# ifup enp3s0 +Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7) +``` + +``` +# ifup enp4s0 +Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8) +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>对于已经处于“up”状态的接口,请首先使用“ifdown _enp3s0_ ”命令修改状态为down,其中 _enp3s0_ 为实际网卡名称。 + +完成后,启动所有从属接口以便启动绑定(不将其设定为 “down”)。 + +要让 
NetworkManager 感知到系统所做的修改,在每次修改后,请在root权限下,运行以下命令: + +``` +# nmcli con load /etc/sysconfig/network-scripts/ifcfg-device +``` + +查看绑定接口的状态,请在root权限下运行以下命令: + +``` +# ip link show + +1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 +2: enp3s0: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 + link/ether 52:54:00:aa:ad:4a brd ff:ff:ff:ff:ff:ff +3: enp4s0: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 + link/ether 52:54:00:aa:da:e2 brd ff:ff:ff:ff:ff:ff +4: virbr0: mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000 + link/ether 86:a1:10:fb:ef:07 brd ff:ff:ff:ff:ff:ff +5: virbr0-nic: mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000 + link/ether 52:54:00:29:35:4c brd ff:ff:ff:ff:ff:ff +``` + +#### 创建多个绑定 + +系统会为每个绑定创建一个频道绑定接口,包括 BONDING\_OPTS 指令。使用这个配置方法可让多个绑定设备使用不同的配置。请按照以下操作创建多个频道绑定接口: + +- 创建多个 ifcfg-bondN 文件,文件中包含 BONDING\_OPTS 指令,让网络脚本根据需要创建绑定接口。 +- 创建或编辑要绑定的现有接口配置文件,添加 SLAVE 指令。 +- 使用 MASTER 指令工具在频道绑定接口中分配要绑定的接口,即从属接口。 + +以下是频道绑定接口配置文件示例: + +``` +DEVICE=bondN +NAME=bondN +TYPE=Bond +BONDING_MASTER=yes +IPADDR=192.168.1.1 +PREFIX=24 +ONBOOT=yes +BOOTPROTO=none +BONDING_OPTS="bonding parameters separated by spaces" +``` + +在这个示例中,使用绑定接口的号码替换 N。例如要创建两个接口,则需要使用正确的 IP 地址创建两个配置文件 ifcfg-bond0 和 ifcfg-bond1。 + +## IPv6使用差异说明(vs IPv4) + + + +### 约束限制 + +- chrony支持全局地址(global address),不支持链路本地地址(link-local address)。 +- Firefox支持通过http/https协议访问全局地址(global address),不支持链路本地地址(link-local address)。 + +### 配置说明 +#### 设置接口设备MTU值 + +##### 概述 + +IPv6场景中会发现整个路由路径中的最小mtu的值作为当前链接的PMTU的值,源端根据PMTU的值确定是否进行分片发送,而在整个路径中的其它设备将不再需要进行分片处理,从而可以降低中间路由设备的负载大小。其中IPv6 PMTU设置的最小值为1280。 + +##### 设置接口设备的mtu + +如果在配置了IPv6地址的接口上设置mtu的值小于1280(IPv6 PMTU设置的最小值),则会导致该接口的IPv6地址被删除。并且无法再次添加IPv6地址。所以在IPv6场景中,对接口设备的mtu的配置一定要大于等于1280。 +请在root权限下运行如下命令查看具体现象: + +``` +# ip addr show enp3s0 +3: enp3s0: mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000 + link/ether 52:54:00:62:xx:xx brd ff:ff:ff:ff:xx:xx + inet 10.41.125.236/16 brd 10.41.255.255 scope global noprefixroute dynamic enp3s0 + valid_lft 38663sec preferred_lft 38663sec + inet6 2001:222::2/64 scope global + valid_lft forever preferred_lft forever +``` + +``` +# ip link set dev enp3s0 mtu 1200 +# ip addr show enp3s0 +3: enp3s0: mtu 1200 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 52:54:00:62:xx:xx brd ff:ff:ff:ff:xx:xx + inet 10.41.125.236/16 brd 10.41.255.255 scope global noprefixroute dynamic enp3s0 + valid_lft 38642sec preferred_lft 38642sec +``` + +``` +# ip addr add 2001:222::2/64 dev enp3s0 +RTNETLINK answers: No buffer space available +``` + +``` +# ip link set dev enp3s0 mtu 1500 +# ip addr show enp3s0 +3: enp3s0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 52:54:00:62:xx:xx brd ff:ff:ff:ff:xx:xx + inet 10.41.125.236/16 brd 10.41.255.255 scope global noprefixroute dynamic enp3s0 + valid_lft 38538sec preferred_lft 38538sec +``` + +``` +# ip addr add 2001:222::2/64 dev enp3s0 +# ip addr show enp3s0 +3: enp3s0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether 52:54:00:62:xx:xx brd ff:ff:ff:ff:xx:xx + inet 10.41.125.236/16 brd 10.41.255.255 scope global noprefixroute dynamic enp3s0 + valid_lft 38531sec preferred_lft 38531sec + inet6 2001:222::2/64 scope global + valid_lft forever preferred_lft forever +``` + +#### 有状态自动配置IPv6地址 + +##### 概述 + +IPv6与IPv4都可以在root权限下通过DHCP的方式获得IP地址。IPv6地址有两种配置方式:无状态自动配置和有状态自动配置。 + +- 无状态自动配置 + + 不需要DHCP服务进行管理,设备根据网络RA(路由公告)获得网络前缀,或者link-local地址为固定fe80::。而接口ID则根据ifcfg配置IPV6\_ADDR\_GEN\_MODE的具体设置来进行自动获得: + + 1. IPv6\_ADDR\_GEN\_MODE="stable-privacy" 则根据设备及网络环境来确定一个随机接口ID。 + 2. 
IPv6\_ADDR\_GEN\_MODE="EUI64" 则根据设备MAC地址来确定接口ID。 + +- 有状态自动配置:需要DHCP服务器进行管理分配,服从DHCPv6协议来从DHCPv6服务器端租赁IPv6地址。 + + 在有状态自动配置IPv6地址时,DHCPv6服务端可以通过客户端设置的vendor class将客户端进行分类,不同类别分配不同地址段的IPv6地址。在IPv4场景中,客户端可以直接用dhclient的-V选项来设置vendor-class-identifier,DHCP服务端在配置文件中根据vendor-class-identifier来对客户端进行分类处理。而IPv6场景中,如果使用同样的方法对客户端分类,则分类并不会生效。 + + ``` + dhclient -6 -V + ``` + + 这是由于DHCPv6和DHCP协议存在较大差异,DHCPv6的可选项中使用vendor-class-option替代了DHCP中的vendor-class-identifier。而dhclient的-V选项并不能设置vendor-class-option。 + + +##### 有状态自动配置IPv6地址时dhclient设置vendor class方法 + +- 在客户端使用配置文件方式添加对vendor class的设置,使用方法如下: + + 客户端配置文件(/etc/dhcp/dhclient6.conf),文件位置可以自定义,在使用时需要通过dhclient -cf选项来指定配置文件: + + ``` + option dhcp6.vendor-class code 16 = {integer 32, integer 16, string}; + interface "enp3s0" { + send dhcp6.vendor-class ; + } + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >- \,32位整型数字,企业标识号,企业通过IANA注册。 + >- \,16位整型数字,vendor class字符串长度。 + >- \,要设置的vendor class字符串,例如:“HWHW”。 + + 客户端使用方法: + + ``` + dhclient -6 -cf /etc/dhcp/dhclient6.conf + ``` + + +- DHCPv6服务端配置文件(/etc/dhcp/dhcpd6.conf),需要dhcpd -cf选项来指定该配置文件: + + ``` + option dhcp6.vendor-class code 16 = {integer 32, integer 16, string}; + subnet6 fc00:4:12:ffff::/64 { + class "hw" { + match if substring ( option dhcp6.vendor-class, 6, 10 ) = "HWHW"; + } + pool6 { + allow members of "hw"; + range6 fc00:4:12:ffff::ff10 fc00:4:12:ffff::ff20; + } + pool6 { + allow unknown clients; + range6 fc00:4:12:ffff::100 fc00:4:12:ffff::120; + } + } + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >substring \( option dhcp6.vendor-class, 6, 10 \) 其中子字符串的开始位置为6,因为前面包含4个字节的和2个字节的。而子字符串的结束位置位:6+。这里vendor class string为“HWHW”,字符串的长度为4,所以子字符串的结束位置为6+4=10。用户可以根据实际需要来确定及相应的。 + + 服务端使用方法: + + ``` + dhcpd -6 -cf /etc/dhcp/dhcpd6.conf + ``` + + +#### 内核支持socket相关系统调用 + +##### 概述 + +IPv6地址长度扩展到128比特,所以有足够的IPv6地址可供分配使用。同时IPv6头相比IPv4头进行了简化,并增强了IPv6的自动配置功能。IPv6地址分为单播地址,组播地址和任意播地址。常用的单播地址又包含:链路本地地址(link-local address),唯一本地地址(Unique local 
address)和全局地址(global address)。由于IPv6的全局地址十分充足,唯一本地地址一般不被使用(其前身为站点本地地址(site-local address),已于2004年被废弃)。当前主要使用的单播地址为:链路本地地址(link-local address)和全局地址(global address)。当前内核支持socket系统调用,在使用单播地址的链路本地地址和全局地址时存在差异。 + +##### link-local地址和global地址在socket调用时的差异 + +RFC 2553: Basic Socket Interface Extensions for IPv6 定义sockaddr\_in6的数据结构如下; + +``` +struct sockaddr_in6 { + uint8_t sin6_len; /* length of this struct */ + sa_family_t sin6_family; /* AF_INET6 */ + in_port_t sin6_port; /* transport layer port # */ + uint32_t sin6_flowinfo; /* IPv6 flow information */ + struct in6_addr sin6_addr; /* IPv6 address */ + uint32_t sin6_scope_id; /* set of interfaces for a scope */ +}; +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>sin6\_scope\_id: 32位整型,对于链路本地地址(link-local address),对于链路范围的sin6\_addr,它可以用来标识指定的接口索引号。如果是站点范围的sin6\_addr,则用来作为站点的标识符(站点本地地址已被抛弃)。 + +在使用link-local地址进行socket通信时,在构造目的地址时,需要制定该地址所对应的接口索引号。一般可以通过if\_nametoindex函数将接口名转化为接口索引号。具体方式如下, + +``` +int port = 1234; +int sk_fd; +int iff_index = 0; +char iff_name[100] = "enp3s0"; +char * ll_addr[100] = "fe80::123:456:789"; +struct sockaddr_in6 server_addr; + +memset(&server_addr,0,sizeof(structsockaddr_in6)); +iff_index=if_nametoindex(iff_name); + +server_addr.sin6_family=AF_INET6; +server_addr.sin6_port=htons(port); +server_addr.sin6_scope_id=iff_index; +inet_pton(AF_INET6, ll_addr, &(server_addr.sin6_addr)); + +sk_fd=socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP); +connect(sk_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr_in6)); +``` + +#### IPv4的dhclient守护进程持久化配置 + +##### 概述 + +通过NetworkManager服务来管理网络服务时,如果接口ifcfg-配置文件中配置了DHCP方式获得IP地址,则相应地NetworkManager服务会拉起dhclient守护进程来通过DHCP协议方式来从DHCP服务器获取IP地址。 + +dhclient提供了"-1"选项来决定dhclient进程在未获得DHCP服务响应时,是会不断持久化尝试请求地址还是会尝试时间超时后退出。针对IPv4的dhclient守护进程,可以在ifcfg-配置文件中设置PERSISTENT\_DHCLIENT来决定是否设置IPv4的dhclient进程的持久化。 + +##### 约束限制 + +1. 当dhclient进程在运行中被杀死,network服务无法自动将其拉起,可靠性需要用户自己保障。 +2. 
配置了持久化选项PERSISTENT\_DHCLIENT,需要确保有相应的DHCP服务器。如果在拉起network时无可用DHCP服务器,dhclient进程不断尝试发送请求包但无回应,则会导致network服务卡死直到network服务超时失败。由于network服务在拉起多个网卡的IPv4 dhclient进程时,是通过串行的方式来拉起的。如果有网卡配置了持久化而DHCP服务器没有准备好,则会导致network服务在给该网卡获取IPv4地址超时卡死,进而导致后续网卡无法获得IPv4/IPv6地址。 + +以上两种约束限制是特殊的应用场景,需要用户自己进行可靠性保障。 + +##### IPv4 DHCP和IPv6 DHCPv6方式获取地址的配置差异 + +可以通过配置接口ifcfg-参数来分别实现IPv4和IPv6通过DHCP/DHCPv6协议来动态获取IP地址,具体配置说明如下; + +``` +BOOTPROTO=none|bootp|dhcp +DHCPV6C=yes|no +PERSISTENT_DHCLIENT=yes|no|1|0 +``` + +- BOOTPROTO: none表示静态配置IPv4地址,bootp|dhcp则会拉起DHCP dhclient来动态获取IPv4地址。 +- DHCPV6C: no表示静态配置IPv6地址,yes则会拉起DHCPv6 dhclient来动态获取IPv6地址。 +- PERSISTENT\_DHCLIENT:no|0表示IPv4的dhclient进程配置为“非持久化”,当dhclient向DHCP服务器发送一次请求报文而无响应,则会间隔一段时间后退出,退出值为2。yes|1则表示IPv4的dhclient进程配置为“持久化”,dhclient会向DHCP服务器反复发送请求报文。**如果没有配置PERSISTENT\_DHCLIENT项,则IPv4的dhclient会默认设置为“持久化”**。 + + >![](./public_sys-resources/icon-note.gif) **说明:** + >PERSISTENT\_DHCLIENT配置只针对IPv4生效,对IPv6相关dhclient -6进程不生效,IPv6默认不进行持久化配置。 + + +#### iproute相关命令配置IPv4与IPv6时的差异说明 + +##### 概述 + +由于IPv4和IPv6是两个不同的协议标准,iproute相关命令在使用方法上存在一定的差异。本章节主要梳理iproute包中用户经常使用到命令在IPv4和IPv6使用方面的差异,从而可以更好地指导用户使用iproute包中相关命令。 + +iproute相关命令均需要在root权限下运行。 + +##### IPv6地址的生命周期 + + + + + + + + + + + + + + + + + + + +

IPv6状态

+

解释

+

tentative

+

临时状态:刚添加地址还处于地址重复检测DAD过程

+

preferred

+

首选状态:完成DAD过程,没有收到相应的NA报文,表示该地址没有冲突。

+

deprecated

+

弃用状态:地址有一定的使用时限(valid_lft和preferred_lft),preferred_lft到期后地址会变化deprecated状态。

+

该状态下的地址不能用于创建新的连接,但是原有的连接可以继续使用。

+

invalid

+

无效状态:使用时限超过preferred_lft一段时间后仍然没有成功进行租约续约,则valid_lft时间到后地址状态会被设置为invalid,表示该地址不可以再被使用。

+
+ +其它说明: + +- preferred\_lft:preferred lifetime,地址为首选状态的寿命,preferred\_lft没有到期的地址可以用于正常通信使用,若有多个preferred地址则按照内核具体机制选择地址。 +- valid\_lft: valid lifetime,地址有效的寿命,在\[preferred\_lft, valid\_lft\]时间段内该地址不能被用于新建连接,已经创建的连接继续有效。 + +##### ip link 命令 + +命令: + +``` +ip link set IFNAME mtu MTU +``` + +IPv6中PMTU的最小值为1280,如果mtu值设置小于1280则会导致IPv6地址丢失。其它设备无法ping通该IPv6地址。 + +##### ip addr命令 + +1. 命令: + + ``` + ip [-6] addr add IFADDR dev IFNAME + ``` + + 添加IPv6地址可以选择添加-6选项也可以不添加,ip addr命令会根据具体地址类型来判断是ipv4地址还是IPv6地址。 + + 如果指定“-6”选项,但是IFADDR 是ipv4地址则会有错误返回。 + +2. 命令: + + ``` + ip [-6] addr add IFADDR dev IFNAME [home|nodad] + ``` + + \[home|nodad\] 选项只针对IPv6地址有效。 + + - home:将该地址指定为RFC 6275中定义的家庭地址。(这是移动节点从家庭链路获取的地址, 是移动节点的永久地址,如果移动节点保持在相同的归属链路中,则各种实体之间的通信照常进行。) + - nodad:配置该项(仅限IPv6)添加此地址时不执行重复地址检测DAD(RFC 4862)。如果一台设备上多个接口通过nodad配置了多个相同的IPv6地址,则会按照接口顺序使用该IPv6地址。同一个接口上不能添加一个nodad一个非nodad的相同IPv6地址。因为两个地址是一样的,所以会报“RTNETLINK answers: File exists”。 + +3. 命令: + + ``` + ip [-6] addr del IFADDR dev IFNAME + ``` + + 删除IPv6地址可以选择添加-6选项也可以不添加,ip addr del命令会根据具体地址类型来判断是ipv4地址还是IPv6地址。 + +4. 命令: + + ``` + ip [-6] addr show dev IFNAME [tentative|-tentative|deprecated|-deprecated|dadfailed|-dadfailed|temporary] + ``` + + - 不指定-6选项,则会同时打印IPv4和IPv6地址。指定-6选项则只打印IPv6地址。 + - \[tentative|-tentative|deprecated|-deprecated|dadfailed|-dadfailed|temporary\],这些选项只针对IPv6,可以根据IPv6地址状态对地址进行筛选查看。 + 1. tentative:(仅限IPv6)仅列出尚未通过重复地址检测的地址。 + 2. -tentative:(仅限IPv6)仅列出当前未处于重复地址检测过程中的地址。 + 3. deprecated:(仅限IPv6)仅列出已弃用的地址。 + 4. -deprecated:(仅限IPv6)仅列出未弃用的地址。 + 5. dadfailed:(仅限IPv6)仅列出重复地址检测失败的地址。 + 6. -dadfailed:(仅限IPv6)仅列出未重复地址检测失败的地址。 + 7. temporary:(仅限IPv6)仅列出临时地址 + + + +##### ip route命令 + +1. 命令: + + ``` + ip [-6] route add ROUTE [mtu lock MTU] + ``` + + - -6选项:添加IPv6路由可以选择添加-6选项也可以不添加,ip route命令会根据具体地址类型来判断是IPv4地址还是IPv6地址。 + + - mtu lock MTU:锁定路由的MTU值。如果不锁定MTU,则MTU的值则可能在PMTUD过程中被内核改变。如果锁定MTU,则不会尝试PMTUD,所有IPv4包都将不设置DF位发出,IPv6包则会按照MTU进行分段处理。 + +2. 
命令: + + ``` + ip [-6] route del ROUTE + ``` + + 删除IPv6路由可以选择添加-6选项也可以不添加,ip route命令会根据具体地址类型来判断是IPv4地址还是IPv6地址。 + + +##### ip rule命令 + +1. 命令: + + ``` + ip [-6] rule list + ``` + + -6选项:设置-6选项打印IPv6的策略路由,不设置-6选项打印IPv4的策略路由。所以需要根据具体协议类型来配置-6选项。 + +2. 命令: + + ``` + ip [-6] rule [add|del] [from|to] ADDR table TABLE pref PREF + ``` + + -6选项:IPv6相关的策略路由表项需要设置-6选项,否则会报错:“Error: Invalid source address.”。相应地,IPv4相关的策略路由表项不可以设置-6选项,否则会报错:“Error: Invalid source address.”。 + + +#### NetworkManager服务配置差异说明 + +##### 概述 + +NetworkManager服务使用ifup/ifdown的逻辑接口定义进行高级网络设置。其参数大多数都是在/etc/sysconfig/network和/etc/sysconfig/network-scripts/ifcfg-两个配置文件设置。前者为全局设置,后者为指定网卡的设置,当两者有冲突时,后者生效。 + +##### 配置差异说明 + +其中在/etc/sysconfig/network下的配置差异有: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

IPv4

+

IPv6

+

含义说明

+

NA

+

IPV6FORWARDING=yes|no

+

IPv6转发,默认不转发。

+

NA

+

IPV6_AUTOCONF=yes|no

+

IPv6转发打开是no,否则是yes。

+

NA

+

IPV6_ROUTER=yes|no

+

IPv6转发打开是yes,否则是no。

+

NA

+

IPV6_AUTOTUNNEL=yes|no

+

指定Tunnel为自动隧道模式,默认是no。

+

GATEWAY

+

IPV6_DEFAULTGW=<IPv6 address[%interface]> (optional)

+

在IPv6中设置默认网关。

+

NA

+

IPV6_DEFAULTDEV=<interface> (optional)

+

指定默认转发的网卡。

+

NA

+

IPV6_RADVD_PIDFILE=<pid-file> (optional)

+

默认ipv6_radvd_pid路径:/var/run/radvd/radvd.pid。

+

NA

+

IPV6_RADVD_TRIGGER_ACTION=startstop|reload|restart|SIGHUP (optional)

+

radvd默认触发动作。

+
+ +而在/etc/sysconfig/network-scripts/ifcfg-下的差异主要有: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

IPv4

+

IPv6

+

含义说明

+

IPADDRn

+

IPV6ADDR=<IPv6 address>[/<prefix length>]

+

ip地址。

+

PREFIXn

+

NA

+

网络前缀,网络别名和ppp无效,优先级高于NETMASK。

+

NETMASKn

+

NA

+

子网掩码,仅用于别名和ppp。

+

GATEWAY

+

IPV6_DEFAULTGW=<IPv6 address[%interface]> (optional)

+

默认网关。

+

MTU

+

IPV6_MTU=<MTU of link> (optional)

+

默认MTU。

+

IPV4_FAILURE_FATAL=yes|no

+

IPV6_FAILURE_FATAL

+

默认值是no。若设置为yes,dhclient失败ifup-eth会直接退出。

+

NA

+

IPV6_PRIVACY=rfc3041

+

默认禁用。

+

NA

+

IPV6INIT=yes|no

+

默认开启IPv6。

+

NA

+

IPV6FORWARDING=yes|no

+

默认关闭,已废弃。

+
+ +### FAQ +#### iscsi-initiator-utils不支持登录fe80 IPv6地址 + +##### 问题现象 + +客户端通过IPv6登录iscsi服务端时,使用如“iscsiadm -m node -p ipv6address -l”的命令格式登录,如果是全局地址(global address),直接替换将命令范例中的“ipv6address”替换为全局地址即可;但如果是链路本地地址(link-local address,fe80开头的IPv6地址)则无法使用,因为iscsi-initiator-utils目前机制还不支持用链路本地地址(link-local address)地址登录iscsi服务端。 + +##### 原因分析 + +如果使用格式如“iscsiadm -m node -p fe80::xxxx -l”登录,会登录超时返回,这是因为使用链路本地地址必须指定接口,否则使用iscsi\_io\_tcp\_connect函数调用connect函数会失败,并且产生标准错误码22。 + +如果使用格式如“iscsiadm -m node -p fe80::xxxx%enp3s0 -l”登录时,iscsi\_addr\_match函数会将地址“fe80::xxxx%enp3s0”与服务端返回的node信息中的地址“fe80::xxxx”对比,对比结果不匹配,导致登录失败。 + +因此,**iscsi-initiator-utils目前机制还不支持用链路本地地址(link-local address)登录iscsi服务端**。 + +#### 网卡down掉之后,IPv6地址丢失 + +##### 问题现象 + +通过ip link down+up网卡或ifconfig down+up网卡命令,将网卡down掉之后再上线,查看网卡上配置的ip地址,发现ipv4地址不丢失,而配置的IPv6地址丢失。 + +##### 原因分析 + +内核中的处理逻辑为如果网卡设置为down状态,会清空所有IPv4及IPv6地址,将网卡重新up之后,ipv4地址自动恢复,网卡上自动配置的IPv6链路本地地址也会恢复,但是其他IPv6地址默认会丢失。如果需要保留这些IPv6地址,可以通过“sysctl -w net.ipv6.conf.<网卡名\>.keep\_addr\_on\_down=1”来实现。 + +#### bond口已具有多个IPv6地址时,添加或删除IPv6地址耗时过久 + +##### 问题现象 + +下列方式配置或删除(包括flush)IPv6地址方式,X为动态变化的低16位,并且配置在bond口时,耗时会随已配置的IPv6地址数量成数倍增加。例如由4个物理网卡组成的bond口添加IPv6地址时,单线程添加删除3000 IPv6地址均需大概5分钟,而普通物理网卡耗时在10秒内。 + +``` +ip a add/del 192:168::18:X/64 dev DEVICE +``` + +##### 原因分析 + +bond口在添加IPv6地址时,会生成IPv6组播地址,并进行同步到所有的物理网卡上,此耗时会随IPv6数量增加而增加,导致耗时过长。 + +##### 解决方法 + +IPv6的组播地址是由IPv6地址的低24位与33-33-ff组合生成,组播地址过多会导致添加删除耗时增加,如果生成的组播地址为少量,耗时不会受此影响。 + +建议添加IPv6地址时,可保持低24位一致,保持高位变动,单网卡中仅需一个网段的一个地址即可与外部正常通信,此配置更符合常规使用。 + +#### Rsyslog在IPv4和IPv6混合使用场景中日志传输延迟 + +##### 问题现象 + +rsyslog客户端配置文件同时配置IPv4和IPv6地址,且端口配置相同的情况下,服务端收集log时会概率性出现日志打印延迟。 + +##### 原因分析 + +延迟是因为rsyslog内部存在缓冲队列机制,默认情况下需要缓冲区队列达到一定数量才会写入文件。 + +##### 解决方法 + +可在root权限下通过配置Direct模式,关闭缓冲队列机制解决该问题。在rsyslog远程传输服务端的/etc/rsyslog.d目录下新增的远程传输配置文件中,最开头增加如下配置: + +``` +$ActionQueueType Direct +$MainMsgQueueType Direct +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>- Direct模式减少队列大小为1,所以在队列中会保留1条日志到下次日志打印; +>- 
Direct模式会降低服务器端的rsyslog性能。 diff --git a/docs/zh/docs/ApplicationDev/FAQ.md b/docs/zh/docs/ApplicationDev/FAQ.md new file mode 100644 index 0000000000000000000000000000000000000000..8125fbab883efb8e46b2723ad8be0b34932858e7 --- /dev/null +++ b/docs/zh/docs/ApplicationDev/FAQ.md @@ -0,0 +1,26 @@ +# FAQ + + +- [FAQ](#faq) + - [部分依赖java-devel的应用程序自编译失败](#部分依赖java-devel的应用程序自编译失败) + + + +## 部分依赖java-devel的应用程序自编译失败 + +### 问题描述 + +部分依赖java-devel的应用程序会出现使用rpmbuild命令自编译失败的问题。 + +### 原因分析 + +为了提供更新的openjdk特性和对广大java应用程序的兼容,openEuler同时提供了openjdk-1.8.0、openjdk-11等多个版本的openjdk。部分应用程序在编译时需要依赖java-devel包,安装java-devel包时系统会默认安装更高版本的java-11-openjdk,从而导致这些应用的编译失败。 + +### 解决方法 + +用户需手动使用如下命令安装java-1.8.0-openjdk后再使用rpmbuild命令进行自编译。 + +``` +# yum install java-1.8.0-openjdk + +``` diff --git a/content/zh/docs/ApplicationDev/application-development.md b/docs/zh/docs/ApplicationDev/application-development.md similarity index 95% rename from content/zh/docs/ApplicationDev/application-development.md rename to docs/zh/docs/ApplicationDev/application-development.md index 21d1513b77eeacb2a4fe6da5049bb2796fe4fb2c..5db4ab6fcf5d75747f057ff31f3cb82e73607f02 100644 --- a/content/zh/docs/ApplicationDev/application-development.md +++ b/docs/zh/docs/ApplicationDev/application-development.md @@ -29,13 +29,13 @@ -

+

![](./figures/zh-cn_image_0229243712.png)

用于传递设备或环境安全警示信息,若不避免,可能会导致设备损坏、数据丢失、设备性能降低或其它不可预知的结果。

“注意”不涉及人身伤害。

-

+

![](./figures/zh-cn_image_0229243671.png)

用于突出重要/关键信息、最佳实践和小窍门等。

“说明”不是安全警示信息,不涉及人身、设备及环境伤害。

@@ -80,12 +80,12 @@

表示从两个或多个选项中选取一个或者不选。

-

{ x | y | ... }*

+

{ x | y | ... }\*

表示从两个或多个选项中选取多个,最少选取一个,最多选取所有选项。

-

[ x | y | ... ]*

+

[ x | y | ... ]\*

表示从两个或多个选项中选取一个、多个或者不选。

diff --git "a/content/zh/docs/ApplicationDev/figures/Branch-Confirmation\351\241\265\351\235\242.png" b/docs/zh/docs/ApplicationDev/figures/Branch-Confirmationpage.png similarity index 100% rename from "content/zh/docs/ApplicationDev/figures/Branch-Confirmation\351\241\265\351\235\242.png" rename to docs/zh/docs/ApplicationDev/figures/Branch-Confirmationpage.png diff --git "a/content/zh/docs/ApplicationDev/figures/Create-Package\351\241\265\351\235\242.png" b/docs/zh/docs/ApplicationDev/figures/Create-Packagepage.png similarity index 100% rename from "content/zh/docs/ApplicationDev/figures/Create-Package\351\241\265\351\235\242.png" rename to docs/zh/docs/ApplicationDev/figures/Create-Packagepage.png diff --git "a/content/zh/docs/ApplicationDev/figures/RPM\350\275\257\344\273\266\345\214\205\344\270\213\350\275\275\351\241\265\351\235\242.png" b/docs/zh/docs/ApplicationDev/figures/RPM_package_download.png similarity index 100% rename from "content/zh/docs/ApplicationDev/figures/RPM\350\275\257\344\273\266\345\214\205\344\270\213\350\275\275\351\241\265\351\235\242.png" rename to docs/zh/docs/ApplicationDev/figures/RPM_package_download.png diff --git "a/content/zh/docs/ApplicationDev/figures/Repositories\351\241\265\351\235\242.png" b/docs/zh/docs/ApplicationDev/figures/Repositoriespage.png similarity index 100% rename from "content/zh/docs/ApplicationDev/figures/Repositories\351\241\265\351\235\242.png" rename to docs/zh/docs/ApplicationDev/figures/Repositoriespage.png diff --git "a/content/zh/docs/ApplicationDev/figures/\345\210\240\351\231\244\345\255\220\345\267\245\347\250\213\344\270\255\350\275\257\344\273\266\345\214\205.png" b/docs/zh/docs/ApplicationDev/figures/delete_package.png similarity index 100% rename from "content/zh/docs/ApplicationDev/figures/\345\210\240\351\231\244\345\255\220\345\267\245\347\250\213\344\270\255\350\275\257\344\273\266\345\214\205.png" rename to docs/zh/docs/ApplicationDev/figures/delete_package.png 
diff --git "a/content/zh/docs/ApplicationDev/figures/Add-file\351\241\265\351\235\242.png" b/docs/zh/docs/ApplicationDev/figures/filepage.png similarity index 100% rename from "content/zh/docs/ApplicationDev/figures/Add-file\351\241\265\351\235\242.png" rename to docs/zh/docs/ApplicationDev/figures/filepage.png diff --git "a/content/zh/docs/ApplicationDev/figures/\345\210\233\345\273\272\350\275\257\344\273\266\345\214\205\344\277\241\346\201\257\345\241\253\345\206\231\351\241\265\351\235\242.png" b/docs/zh/docs/ApplicationDev/figures/setting_software_info.png similarity index 100% rename from "content/zh/docs/ApplicationDev/figures/\345\210\233\345\273\272\350\275\257\344\273\266\345\214\205\344\277\241\346\201\257\345\241\253\345\206\231\351\241\265\351\235\242.png" rename to docs/zh/docs/ApplicationDev/figures/setting_software_info.png diff --git "a/content/zh/docs/ApplicationDev/figures/succeeded\347\232\204\351\241\265\351\235\242.png" b/docs/zh/docs/ApplicationDev/figures/succeededpage.png similarity index 100% rename from "content/zh/docs/ApplicationDev/figures/succeeded\347\232\204\351\241\265\351\235\242.png" rename to docs/zh/docs/ApplicationDev/figures/succeededpage.png diff --git a/content/zh/docs/ApplicationDev/figures/zh-cn_image_0229243671.png b/docs/zh/docs/ApplicationDev/figures/zh-cn_image_0229243671.png similarity index 100% rename from content/zh/docs/ApplicationDev/figures/zh-cn_image_0229243671.png rename to docs/zh/docs/ApplicationDev/figures/zh-cn_image_0229243671.png diff --git a/content/zh/docs/ApplicationDev/figures/zh-cn_image_0229243702.png b/docs/zh/docs/ApplicationDev/figures/zh-cn_image_0229243702.png similarity index 100% rename from content/zh/docs/ApplicationDev/figures/zh-cn_image_0229243702.png rename to docs/zh/docs/ApplicationDev/figures/zh-cn_image_0229243702.png 
diff --git a/content/zh/docs/ApplicationDev/figures/zh-cn_image_0229243704.png b/docs/zh/docs/ApplicationDev/figures/zh-cn_image_0229243704.png similarity index 100% rename from content/zh/docs/ApplicationDev/figures/zh-cn_image_0229243704.png rename to docs/zh/docs/ApplicationDev/figures/zh-cn_image_0229243704.png diff --git a/content/zh/docs/ApplicationDev/figures/zh-cn_image_0229243712.png b/docs/zh/docs/ApplicationDev/figures/zh-cn_image_0229243712.png similarity index 100% rename from content/zh/docs/ApplicationDev/figures/zh-cn_image_0229243712.png rename to docs/zh/docs/ApplicationDev/figures/zh-cn_image_0229243712.png diff --git a/content/zh/docs/Container/public_sys-resources/icon-caution.gif b/docs/zh/docs/ApplicationDev/public_sys-resources/icon-caution.gif similarity index 100% rename from content/zh/docs/Container/public_sys-resources/icon-caution.gif rename to docs/zh/docs/ApplicationDev/public_sys-resources/icon-caution.gif diff --git a/content/zh/docs/Container/public_sys-resources/icon-danger.gif b/docs/zh/docs/ApplicationDev/public_sys-resources/icon-danger.gif similarity index 100% rename from content/zh/docs/Container/public_sys-resources/icon-danger.gif rename to docs/zh/docs/ApplicationDev/public_sys-resources/icon-danger.gif diff --git a/content/zh/docs/Container/public_sys-resources/icon-note.gif b/docs/zh/docs/ApplicationDev/public_sys-resources/icon-note.gif similarity index 100% rename from content/zh/docs/Container/public_sys-resources/icon-note.gif rename to docs/zh/docs/ApplicationDev/public_sys-resources/icon-note.gif diff --git a/content/zh/docs/Container/public_sys-resources/icon-notice.gif b/docs/zh/docs/ApplicationDev/public_sys-resources/icon-notice.gif similarity index 100% rename from content/zh/docs/Container/public_sys-resources/icon-notice.gif rename to docs/zh/docs/ApplicationDev/public_sys-resources/icon-notice.gif 
diff --git a/content/zh/docs/Container/public_sys-resources/icon-tip.gif b/docs/zh/docs/ApplicationDev/public_sys-resources/icon-tip.gif similarity index 100% rename from content/zh/docs/Container/public_sys-resources/icon-tip.gif rename to docs/zh/docs/ApplicationDev/public_sys-resources/icon-tip.gif diff --git a/content/zh/docs/Container/public_sys-resources/icon-warning.gif b/docs/zh/docs/ApplicationDev/public_sys-resources/icon-warning.gif similarity index 100% rename from content/zh/docs/Container/public_sys-resources/icon-warning.gif rename to docs/zh/docs/ApplicationDev/public_sys-resources/icon-warning.gif diff --git "a/content/zh/docs/ApplicationDev/\344\275\277\347\224\250GCC\347\274\226\350\257\221.md" "b/docs/zh/docs/ApplicationDev/\344\275\277\347\224\250GCC\347\274\226\350\257\221.md" similarity index 99% rename from "content/zh/docs/ApplicationDev/\344\275\277\347\224\250GCC\347\274\226\350\257\221.md" rename to "docs/zh/docs/ApplicationDev/\344\275\277\347\224\250GCC\347\274\226\350\257\221.md" index 6a987cb35038cf518d4e999e0a4a6844171d61a6..994fdee00a8f058f7b5a3efef701601573f456a7 100644 --- "a/content/zh/docs/ApplicationDev/\344\275\277\347\224\250GCC\347\274\226\350\257\221.md" +++ "b/docs/zh/docs/ApplicationDev/\344\275\277\347\224\250GCC\347\274\226\350\257\221.md" @@ -311,7 +311,7 @@ $ gcc main.c libtest.so -o app.out $ export LD\_LIBRARY\_PATH=libraryDIR:$LD\_LIBRARY\_PATH - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >LD\_LIBRARY\_PATH为动态库的环境变量。当运行动态库时,若动态库不在缺省文件夹(/lib 和/usr/lib)下,则需要指定环境变量LD\_LIBRARY\_PATH。 - 把动态库所在路径libaryDIR增加 /etc/ld.so.conf中然后执行ldconfig或者以动态库所在路径libaryDIR为参数执行ldconfig。 
diff --git "a/content/zh/docs/ApplicationDev/\344\275\277\347\224\250JDK\347\274\226\350\257\221.md" "b/docs/zh/docs/ApplicationDev/\344\275\277\347\224\250JDK\347\274\226\350\257\221.md" similarity index 100% rename from "content/zh/docs/ApplicationDev/\344\275\277\347\224\250JDK\347\274\226\350\257\221.md" rename to "docs/zh/docs/ApplicationDev/\344\275\277\347\224\250JDK\347\274\226\350\257\221.md" diff --git "a/content/zh/docs/ApplicationDev/\344\275\277\347\224\250make\347\274\226\350\257\221.md" "b/docs/zh/docs/ApplicationDev/\344\275\277\347\224\250make\347\274\226\350\257\221.md" similarity index 100% rename from "content/zh/docs/ApplicationDev/\344\275\277\347\224\250make\347\274\226\350\257\221.md" rename to "docs/zh/docs/ApplicationDev/\344\275\277\347\224\250make\347\274\226\350\257\221.md" diff --git "a/content/zh/docs/ApplicationDev/\345\274\200\345\217\221\347\216\257\345\242\203\345\207\206\345\244\207.md" "b/docs/zh/docs/ApplicationDev/\345\274\200\345\217\221\347\216\257\345\242\203\345\207\206\345\244\207.md" similarity index 92% rename from "content/zh/docs/ApplicationDev/\345\274\200\345\217\221\347\216\257\345\242\203\345\207\206\345\244\207.md" rename to "docs/zh/docs/ApplicationDev/\345\274\200\345\217\221\347\216\257\345\242\203\345\207\206\345\244\207.md" index a08946a37e886d5c20ac895c0020585773ea8fd4..bcb696eb5d6260fa61777c10b6c9f6e28540ba6c 100644 --- "a/content/zh/docs/ApplicationDev/\345\274\200\345\217\221\347\216\257\345\242\203\345\207\206\345\244\207.md" +++ "b/docs/zh/docs/ApplicationDev/\345\274\200\345\217\221\347\216\257\345\242\203\345\207\206\345\244\207.md" @@ -115,7 +115,7 @@ 操作系统要求为openEuler操作系统。 -openEuler操作系统具体安装方法请参考[openEuler 20.09 安装指南]({{< relref "../Installation/Installation.md" >}}),其中“软件选择”页面的“已选环境的附加选项”中将“开发工具”勾选。 +openEuler操作系统具体安装方法请参考[安装指南](./../Installation/Installation.md),其中“软件选择”页面的“已选环境的附加选项”中将“开发工具”勾选。 ## 配置openEuler yum源(软件源) 
@@ -123,8 +123,8 @@ openEuler操作系统具体安装方法请参考[openEuler 20.09 安装指南]({ ### 通过直接获取在线的openEuler repo源配置在线yum源 ->![](public_sys-resources/icon-note.gif) **说明:** ->openEuler提供了多种repo源供用户在线使用,各repo源含义可参考[系统安装]({{< relref "../Releasenotes/系统安装.md" >}})。本操作以AArch64架构的OS repo源为例将其配置为yum源。 +>![](./public_sys-resources/icon-note.gif) **说明:** +>openEuler提供了多种repo源供用户在线使用,各repo源含义可参考[系统安装](./../Releasenotes/系统安装.md)。本操作以AArch64架构的OS repo源为例将其配置为yum源。 1. 进入到yum源目录并查看目录下的.repo配置文件。 @@ -146,16 +146,16 @@ openEuler操作系统具体安装方法请参考[openEuler 20.09 安装指南]({ ``` [osrepo] name=osrepo - baseurl=http://repo.openeuler.org/openEuler-20.09/OS/aarch64/ + baseurl=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/ enabled=1 gpgcheck=1 - gpgkey=http://repo.openeuler.org/openEuler-20.09/OS/aarch64/RPM-GPG-KEY-openEuler + gpgkey=http://repo.openeuler.org/openEuler-21.03/OS/aarch64/RPM-GPG-KEY-openEuler ``` **** - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** > - \[*repoid*\]中的repoid为软件仓库(repository)的ID号,所有.repo配置文件中的各repoid不能重复,必须唯一。示例中repoid设置为**osrepo**。 > - name为软件仓库描述的字符串。 > - baseurl为软件仓库的地址。 
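Review bot: the `baseurl` and `gpgkey` lines updated in the `[osrepo]` example still use `http://`, so the `RPM-GPG-KEY-openEuler` file that `gpgcheck=1` depends on is fetched in cleartext from the same host as the packages it is meant to authenticate. While bumping the version to 21.03, consider switching both URLs to `https://` if the repository serves it, or add a step telling readers to check the key fingerprint before trusting it.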
@@ -165,23 +165,23 @@ openEuler操作系统具体安装方法请参考[openEuler 20.09 安装指南]({ ### 通过挂载ISO创建本地openEuler repo源配置本地yum源 ->![](public_sys-resources/icon-note.gif) **说明:** ->openEuler提供了多种ISO发布包,各ISO发布包含义可参考[系统安装]({{< relref "../Releasenotes/系统安装.md" >}})。本操作以openEuler-20.09-aarch64-dvd.iso发布包和openEuler-20.09-aarch64-dvd.iso.sha256sum校验文件为例,请根据实际需要的ISO发布包和校验文件进行修改。 +>![](./public_sys-resources/icon-note.gif) **说明:** +>openEuler提供了多种ISO发布包,各ISO发布包含义可参考[系统安装](./../Releasenotes/系统安装.md)。本操作以openEuler-21.03-aarch64-dvd.iso发布包和openEuler-21.03-aarch64-dvd.iso.sha256sum校验文件为例,请根据实际需要的ISO发布包和校验文件进行修改。 1. 下载ISO发布包。 - 通过跨平台文件传输工具下载ISO镜像 1. 登录openEuler社区,网址为:[https://openeuler.org](https://openeuler.org)。 2. 单击“下载”,进入下载页面。 3. 单击“获取ISO:”后面的“Link”,显示版本列表。 - 4. 选择需要下载的版本,如openEuler 20.09,则单击“openEuler-20.09”,进入下载列表。 + 4. 选择需要下载的版本,如openEuler 21.03,则单击“openEuler-21.03”,进入下载列表。 5. 单击“ISO”,进入ISO下载列表。 - aarch64:AArch64架构的ISO。 - x86\_64:x86\_64架构的ISO。 - source:openEuler源码ISO。 6. 单击“aarch64”。 - 7. 单击“openEuler-20.09-aarch64-dvd.iso”,将openEuler发布包下载到本地。 - 8. 单击“openEuler-20.09-aarch64-dvd.iso.sha256sum”,将openEuler校验文件下载到本地。 + 7. 单击“openEuler-21.03-aarch64-dvd.iso”,将openEuler发布包下载到本地。 + 8. 单击“openEuler-21.03-aarch64-dvd.iso.sha256sum”,将openEuler校验文件下载到本地。 9. 登录openEuler操作系统,新建用于存放发布包和检验文件的目录,如“~/iso”。 ``` 
@@ -194,15 +194,15 @@ openEuler操作系统具体安装方法请参考[openEuler 20.09 安装指南]({ 1. 登录openEuler社区,网址为:[https://openeuler.org](https://openeuler.org)。 2. 单击“下载”,进入下载页面。 3. 单击“获取ISO:”后面的“Link”,显示版本列表。 - 4. 选择需要下载的版本,如openEuler 20.03 LTS,则单击“openEuler-20.09”,进入下载列表。 + 4. 选择需要下载的版本,如openEuler 21.03,则单击“openEuler-21.03”,进入下载列表。 5. 单击“ISO”,进入ISO下载列表。 - aarch64:AArch64架构的ISO。 - x86\_64:x86\_64架构的ISO。 - source:openEuler源码ISO。 6. 单击“aarch64”。 - 7. 右键单击“openEuler-20.09-aarch64-dvd.iso”,单击“复制链接地址”,将openEuler发布包地址记录好。 - 8. 右键单击“openEuler-20.09-aarch64-dvd.iso.sha256sum”,单击“复制链接地址”,将openEuler校验文件地址记录好。 + 7. 右键单击“openEuler-21.03-aarch64-dvd.iso”,单击“复制链接地址”,将openEuler发布包地址记录好。 + 8. 右键单击“openEuler-21.03-aarch64-dvd.iso.sha256sum”,单击“复制链接地址”,将openEuler校验文件地址记录好。 9. 登录openEuler操作系统,新建用于存放发布包和检验文件的目录,如“~/iso”,并切换到该目录。 ``` @@ -222,13 +222,13 @@ openEuler操作系统具体安装方法请参考[openEuler 20.09 安装指南]({ 1. 获取校验文件中的校验值。 ``` - $ cat openEuler-20.09-aarch64-dvd.iso.sha256sum + $ cat openEuler-21.03-aarch64-dvd.iso.sha256sum ``` 2. 计算openEuler发布包的sha256校验值。 ``` - $ sha256sum openEuler-20.09-aarch64-dvd.iso + $ sha256sum openEuler-21.03-aarch64-dvd.iso ``` 命令执行完成后,输出校验值。 @@ -244,7 +244,7 @@ openEuler操作系统具体安装方法请参考[openEuler 20.09 安装指南]({ 示例如下: ``` - # mount /home/iso/openEuler-20.09-aarch64-dvd.iso /mnt/ + # mount /home/iso/openEuler-21.03-aarch64-dvd.iso /mnt/ ``` 挂载好的mnt目录如下: diff --git "a/content/zh/docs/ApplicationDev/\346\236\204\345\273\272RPM\345\214\205.md" "b/docs/zh/docs/ApplicationDev/\346\236\204\345\273\272RPM\345\214\205.md" similarity index 97% rename from "content/zh/docs/ApplicationDev/\346\236\204\345\273\272RPM\345\214\205.md" rename to "docs/zh/docs/ApplicationDev/\346\236\204\345\273\272RPM\345\214\205.md" index e8251e05948a8ccce8c978014fc84e26a71ca12c..1aeafe23a1a380985c7abdab2374d08bd05751c5 100644 --- "a/content/zh/docs/ApplicationDev/\346\236\204\345\273\272RPM\345\214\205.md" +++ "b/docs/zh/docs/ApplicationDev/\346\236\204\345\273\272RPM\345\214\205.md" 
@@ -510,7 +510,7 @@ OBS使用工程组织软件包。基础的权限控制、相关的存仓库和 #### 构建已有软件包 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 若为首次使用,请首先在OBS网页注册个人账号。 >- 该方法需要拷贝修改后的代码,因此,请在执行下述操作前完成代码修改并提交到正确的代码路径。代码路径会在\_service文件中指定。 @@ -523,7 +523,7 @@ OBS使用工程组织软件包。基础的权限控制、相关的存仓库和 5. 单击“Branch package”,在弹出的确认页面单击“Accept”确认创建子工程,如[图1](#fig77646143214)所示。 **图 1** Branch Confirmation页面 - ![](figures/Branch-Confirmation页面.png "Branch-Confirmation页面") + ![](./figures/Branch-Confirmationpage.png) 6. 单击“\_service”文件进入编辑页面,修改\_service内容后点击“Save”保存该文件。\_service内容示例如下,其中 _userCodeURL_、 _userCommitID_ 分别为用户代码托管路径、用户代码提交版本号或分支。 @@ -541,14 +541,14 @@ OBS使用工程组织软件包。基础的权限控制、相关的存仓库和 ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >单击“Save”保存\_service文件后,OBS服务会根据\_service文件描述,从指定的url下载源码到OBS对应工程的软件目录下并替换原有文件,例如上述例子中 “openEuler:Mainline”工程的kernel目录。 7. 文件拷贝并替换完成后,OBS会自动开始构建RPM软件包。等待构建完成,并查看右侧状态栏的构建状态。 - succeeded:构建成功。用户可以单击“succeeded”查看构建日志,如[图2](#fig10319114217337)所示。 **图 2** succeeded的页面 - ![](figures/succeeded的页面.png "succeeded的页面") + ![](./figures/succeededpage.png) - failed:构建失败。请单击“failed”查看错误日志进行问题定位后重新构建。 - unresolvable:未进行构建,可能由于缺失依赖。 
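Review bot: the figure link changed under "图 2" now points at `./figures/succeededpage.png` and drops the title text, leaving an image with empty alt text. Please confirm the rename of `figures/succeeded的页面.png` to the new ASCII name is part of this change so the link does not break, and move the description into the alt text (for example `![succeeded page](./figures/succeededpage.png)`) so the figure is still described when it fails to load.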
@@ -567,23 +567,23 @@ OBS使用工程组织软件包。基础的权限控制、相关的存仓库和 5. 单击“Delete package”,删除新创建子工程中的软件包,如[图3](#fig18306181103615)所示。 **图 3** 删除子工程中软件包 - ![](figures/删除子工程中软件包.png "删除子工程中软件包") + ![](./figures/delete_package.png) - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >通过已有软件创建新工程是为了继承环境等依赖,而不需要实际的文件,所以这里需要把这些文件删除。 6. 单击“Create Package”,在弹出的页面输入软件包名称、标题和软件包描述,然后单击“Create”创建软件包,分别如[图4](#fig6762111693811)、[图5](#fig18351153518389)所示。 **图 4** Create Package页面 - ![](figures/Create-Package页面.png "Create-Package页面") + ![](./figures/Create-Packagepage.png) **图 5** 创建软件包信息填写页面 - ![](figures/创建软件包信息填写页面.png "创建软件包信息填写页面") + ![](./figures/setting_software_info.png) 7. 在页面中单击“Add file”上传spec文件和需要编译的文件(在spec文件中指定),如[图6](#fig1475845284011)所示。 **图 6** Add file页面 - ![](figures/Add-file页面.png "Add-file页面") + ![](./figures/filepage.png) 8. 文件上传成功后,OBS会自动开始构建RPM软件包。等待构建完成,并查看右侧状态栏的构建状态。 - succeed:构建成功。用户可以单击“succeeded”查看构建日志。 @@ -601,15 +601,15 @@ RPM软件包构建完成后,通过网页端获取对应RPM软件包的方法 2. 单击“All Projects”找到所需软件包的对应工程,例如“openEuler:Mainline”。 3. 在工程下单击所需软件包的包名,进入该软件包详请页面。例如上述例子中的kernel页面。 -1. 选择Repositories页签进入软件包的软件仓库管理页面,在Publish Flag中通过单击选择“Enable”开启(状态由![](figures/zh-cn_image_0229243704.png)变为![](figures/zh-cn_image_0229243702.png))对应的RPM软件包下载功能,如[图7](#fig17480830144217)所示。 +1. 选择Repositories页签进入软件包的软件仓库管理页面,在Publish Flag中通过单击选择“Enable”开启(状态由![](./figures/zh-cn_image_0229243704.png)变为![](./figures/zh-cn_image_0229243702.png))对应的RPM软件包下载功能,如[图7](#fig17480830144217)所示。 **图 7** Repositories页面 - ![](figures/Repositories页面.png "Repositories页面") + ![](./figures/Repositoriespage.png) 2. 单击Repository列的构建工程名称,进入RPM软件包下载页面,单击RPM软件包右侧的“Download”即可下载对应RPM软件包,如[图8](#fig12152145615438)所示。 **图 8** RPM软件包下载页面 - ![](figures/RPM软件包下载页面.png "RPM软件包下载页面") + ![](./figures/RPM_package_download.png) ### 使用osc构建软件包 
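Review bot: the changed step "1. 选择Repositories页签..." still restarts numbering at 1 directly after step 3 in the context above it, and the following step is numbered 2. Since this line is being touched anyway, renumber the two steps to 4 and 5 so the source matches the order of the procedure.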
@@ -630,7 +630,7 @@ RPM软件包构建完成后,通过网页端获取对应RPM软件包的方法 # dnf install osc build ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >编译RPM软件包的过程中会依赖build。 2. 配置osc。 @@ -711,25 +711,31 @@ RPM软件包构建完成后,通过网页端获取对应RPM软件包的方法 $ osc addremove * ``` -2. 修改源代码和spec文件,并将对应软件包的所有修改同步到OBS服务器。参考命令如下,-m参数后的信息为提交记录。 +2. 修改源代码和spec文件,并执行如下命令更新文件。 + + ``` + $ osc up + ``` + +3. 将对应软件包的所有修改同步到OBS服务器。参考命令如下,-m参数后的信息为提交记录。 ``` $ osc ci -m "commit log" ``` -3. 获取当前工程的仓库名称和架构,参考命令如下: +4. 获取当前工程的仓库名称和架构,参考命令如下: ``` $ osc repos home:testUser:branches:openEuler:Mainline ``` -4. 修改提交成功后,OBS会自动开始编译软件包。可以通过如下命令,查看对应仓库的编译日志,其中 _standard_aarch64_ 、 _aarch64_ 分别为查询所得仓库名称和架构。 +5. 修改提交成功后,OBS会自动开始编译软件包。可以通过如下命令,查看对应仓库的编译日志,其中 _standard_aarch64_ 、 _aarch64_ 分别为查询所得仓库名称和架构。 ``` $ osc buildlog standard_aarch64 aarch64 ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >用户也可以通过网页端打开自己创建的对应工程,查看构建日志。 @@ -785,7 +791,7 @@ RPM软件包构建完成后,通过网页端获取对应RPM软件包的方法 $ osc buildlog standard_aarch64 aarch64 ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >用户也可以通过网页端打开自己创建的对应工程,查看构建日志。 @@ -804,5 +810,5 @@ $ osc getbinaries home:testUser:branches:openEuler:Mainline my-first-obs-package - _standard\_aarch64_ :仓库名称 - _aarch64_ :仓库架构名称 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >使用osc构建的软件包也可以在网页端获取,获取方式请参见[获取软件包](#获取软件包)。 
diff --git "a/content/zh/docs/Container/CRI\346\216\245\345\217\243.md" "b/docs/zh/docs/Container/CRI\346\216\245\345\217\243.md" similarity index 99% rename from "content/zh/docs/Container/CRI\346\216\245\345\217\243.md" rename to "docs/zh/docs/Container/CRI\346\216\245\345\217\243.md" index 26b0321a4da95e83bf5b7b2e65d1c5fe10280ab4..9283ab8500c01ef0312d500da2a11632f9575ec3 100644 --- "a/content/zh/docs/Container/CRI\346\216\245\345\217\243.md" +++ "b/docs/zh/docs/Container/CRI\346\216\245\345\217\243.md" @@ -45,7 +45,7 @@ CRI API 接口是由kubernetes 推出的容器运行时接口,CRI定义了容 ISulad使用的为pass使用的1.14版本API描述文件,与官方API略有出入,以本文档描述的接口为准。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >CRI接口websocket流式服务,服务端侦听地址为127.0.0.1,端口为10350,端口可通过命令行--websocket-server-listening-port参数接口或者daemon.json配置文件进行配置。 ## 接口 diff --git "a/content/zh/docs/Container/Docker\345\256\271\345\231\250.md" "b/docs/zh/docs/Container/Docker\345\256\271\345\231\250.md" similarity index 91% rename from "content/zh/docs/Container/Docker\345\256\271\345\231\250.md" rename to "docs/zh/docs/Container/Docker\345\256\271\345\231\250.md" index c6d46c4ffb1d9f71dd6be3be7947412bfcd0d66b..07b0b5833155d630566cd03b73f66148baea5e73 100644 --- "a/content/zh/docs/Container/Docker\345\256\271\345\231\250.md" +++ "b/docs/zh/docs/Container/Docker\345\256\271\345\231\250.md" 
@@ -1,9 +1,9 @@ -# Docker容器 - -Docker是一个开源的Linux容器引擎项目, 用以实现应用的快速打包、部署和交付。Docker的英文本意是码头工人,码头工人的工作就是将商品打包到container\(集装箱\)并且搬运container、装载container。 对应到Linux中,Docker就是将app打包到container,通过container实现app在各种平台上的部署、运行。Docker通过Linux Container技术将app变成一个标准化的、可移植的、自管理的组件,从而实现应用的“一次构建,到处运行”。Docker技术特点就是:应用快速发布、部署简单、管理方便,应用密度更高。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->Docker容器的安装和使用需要root权限。 - - - +# Docker容器 + +Docker是一个开源的Linux容器引擎项目, 用以实现应用的快速打包、部署和交付。Docker的英文本意是码头工人,码头工人的工作就是将商品打包到container\(集装箱\)并且搬运container、装载container。 对应到Linux中,Docker就是将app打包到container,通过container实现app在各种平台上的部署、运行。Docker通过Linux Container技术将app变成一个标准化的、可移植的、自管理的组件,从而实现应用的“一次构建,到处运行”。Docker技术特点就是:应用快速发布、部署简单、管理方便,应用密度更高。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>Docker容器的安装和使用需要root权限。 + + + diff --git "a/content/zh/docs/Container/cgroup\350\267\257\345\276\204\345\217\257\351\205\215\347\275\256.md" "b/docs/zh/docs/Container/cgroup\350\267\257\345\276\204\345\217\257\351\205\215\347\275\256.md" similarity index 99% rename from "content/zh/docs/Container/cgroup\350\267\257\345\276\204\345\217\257\351\205\215\347\275\256.md" rename to "docs/zh/docs/Container/cgroup\350\267\257\345\276\204\345\217\257\351\205\215\347\275\256.md" index 97bc19b7ff48e23587c93512b5dffc8391cc1d67..d737c0cd97db19684ae5821a30045bc5e51ef071 100644 --- "a/content/zh/docs/Container/cgroup\350\267\257\345\276\204\345\217\257\351\205\215\347\275\256.md" +++ "b/docs/zh/docs/Container/cgroup\350\267\257\345\276\204\345\217\257\351\205\215\347\275\256.md" 
@@ -1,11 +1,11 @@ -# cgroup路径可配置 -## 功能描述 - -系统容器提供在宿主机上进行容器资源隔离和预留的能力。通过\--cgroup-parent参数,可以将容器使用的cgroup目录指定到某个特定目录下,从而达到灵活分配宿主机资源的目的。例如可以设置容器a、b、c的cgroup父路径为/lxc/cgroup1,容器d、e、f的cgroup父路径为/lxc/cgroup2,这样通过cgroup路径将容器分为两个group,实现容器cgroup组层面的资源隔离。 - -## 参数说明 - - +# cgroup路径可配置 +## 功能描述 + +系统容器提供在宿主机上进行容器资源隔离和预留的能力。通过\--cgroup-parent参数,可以将容器使用的cgroup目录指定到某个特定目录下,从而达到灵活分配宿主机资源的目的。例如可以设置容器a、b、c的cgroup父路径为/lxc/cgroup1,容器d、e、f的cgroup父路径为/lxc/cgroup2,这样通过cgroup路径将容器分为两个group,实现容器cgroup组层面的资源隔离。 + +## 参数说明 + + -

命令

参数

@@ -22,11 +22,11 @@
- -除了通过命令行指定单个系统容器对应的cgroup父路径外,还可通过修改iSulad容器引擎启动配置文件,指定所有容器的cgroup路径。 - - + + +除了通过命令行指定单个系统容器对应的cgroup父路径外,还可通过修改iSulad容器引擎启动配置文件,指定所有容器的cgroup路径。 + + -

配置文件路径

配置项

@@ -43,53 +43,53 @@
- -## 约束限制 - -- 如果daemon端和客户端都设置了cgroup parent参数,最终以客户端指定的\--cgroup-parent生效。 -- 如果已启动容器A,然后启动容器B,容器B的cgroup父路径指定为容器A的cgroup路径,在删除容器的时候需要先删除容器B再删除容器A,否则会导致cgroup资源残留。 - -## 使用示例 - -启动系统容器,指定--cgroup-parent参数: - -``` -[root@localhost ~]# isula run -tid --cgroup-parent /lxc/cgroup123 --system-container --external-rootfs /root/myrootfs none init -115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -``` - -查看容器init进程的cgroup信息: - -``` -[root@localhost ~]# isula inspect -f "{{json .State.Pid}}" 11 -22167 -[root@localhost ~]# cat /proc/22167/cgroup -13:blkio:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -12:perf_event:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -11:cpuset:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -10:pids:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -9:rdma:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -8:devices:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -7:hugetlb:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -6:memory:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -5:net_cls,net_prio:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -4:cpu,cpuacct:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -3:files:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -2:freezer:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -1:name=systemd:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e/init.scope -0::/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e -``` - -可以看到容器的cgroup父路径被设置为/sys/fs/cgroup//lxc/cgroup123 - -同时,对于所有容器cgroup父路径的设置可以配置一下容器daemon文件,例如: - -``` -{ - "cgroup-parent": 
"/lxc/cgroup123", -} -``` - -然后重启容器引擎,配置生效。 - + + +## 约束限制 + +- 如果daemon端和客户端都设置了cgroup parent参数,最终以客户端指定的\--cgroup-parent生效。 +- 如果已启动容器A,然后启动容器B,容器B的cgroup父路径指定为容器A的cgroup路径,在删除容器的时候需要先删除容器B再删除容器A,否则会导致cgroup资源残留。 + +## 使用示例 + +启动系统容器,指定--cgroup-parent参数: + +``` +[root@localhost ~]# isula run -tid --cgroup-parent /lxc/cgroup123 --system-container --external-rootfs /root/myrootfs none init +115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +``` + +查看容器init进程的cgroup信息: + +``` +[root@localhost ~]# isula inspect -f "{{json .State.Pid}}" 11 +22167 +[root@localhost ~]# cat /proc/22167/cgroup +13:blkio:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +12:perf_event:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +11:cpuset:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +10:pids:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +9:rdma:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +8:devices:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +7:hugetlb:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +6:memory:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +5:net_cls,net_prio:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +4:cpu,cpuacct:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +3:files:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +2:freezer:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +1:name=systemd:/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e/init.scope +0::/lxc/cgroup123/115878a4dfc7c5b8c62ef8a4b44f216485422be9a28f447a4b9ecac4609f332e +``` + +可以看到容器的cgroup父路径被设置为/sys/fs/cgroup//lxc/cgroup123 + 
+同时,对于所有容器cgroup父路径的设置可以配置一下容器daemon文件,例如: + +``` +{ + "cgroup-parent": "/lxc/cgroup123", +} +``` + +然后重启容器引擎,配置生效。 + diff --git a/content/zh/docs/Container/container.md b/docs/zh/docs/Container/container.md similarity index 97% rename from content/zh/docs/Container/container.md rename to docs/zh/docs/Container/container.md index 72e34041ee1ac1eeebcdb11b258e6d5dac3d27f6..c86353b2a248e0fa2233e64b712164bc2c68c82a 100644 --- a/content/zh/docs/Container/container.md +++ b/docs/zh/docs/Container/container.md @@ -1,18 +1,18 @@ -## 概述 - -openEuler软件包中同时提供了轻量化容器引擎iSulad与docker engine两种容器引擎。 - -同时根据不同使用场景,提供多种容器形态,包括: - -- 适合大部分通用场景的普通容器 -- 适合强隔离与多租户场景的安全容器 -- 适合使用systemd管理容器内业务场景的系统容器 - -本文档提供容器引擎的安装和使用方法以及各个容器形态的部署使用方法。 - -## 读者对象 - -本文档主要适用于使用openEuler并需要安装容器的用户。用户需要具备以下经验和技能: - -- 熟悉Linux基本操作 +## 概述 + +openEuler软件包中同时提供了轻量化容器引擎iSulad与docker engine两种容器引擎。 + +同时根据不同使用场景,提供多种容器形态,包括: + +- 适合大部分通用场景的普通容器 +- 适合强隔离与多租户场景的安全容器 +- 适合使用systemd管理容器内业务场景的系统容器 + +本文档提供容器引擎的安装和使用方法以及各个容器形态的部署使用方法。 + +## 读者对象 + +本文档主要适用于使用openEuler并需要安装容器的用户。用户需要具备以下经验和技能: + +- 熟悉Linux基本操作 - 对容器有一定了解 \ No newline at end of file diff --git a/docs/zh/docs/Container/figures/isula-build_arch.png b/docs/zh/docs/Container/figures/isula-build_arch.png new file mode 100644 index 0000000000000000000000000000000000000000..911a9ae6f46988586ab49f15de282948f5470c37 Binary files /dev/null and b/docs/zh/docs/Container/figures/isula-build_arch.png differ diff --git a/content/zh/docs/Container/figures/kata-arch.png b/docs/zh/docs/Container/figures/kata-arch.png similarity index 100% rename from content/zh/docs/Container/figures/kata-arch.png rename to docs/zh/docs/Container/figures/kata-arch.png diff --git a/content/zh/docs/Container/figures/zh-cn_image_0183048952.png b/docs/zh/docs/Container/figures/zh-cn_image_0183048952.png similarity index 100% rename from content/zh/docs/Container/figures/zh-cn_image_0183048952.png rename to docs/zh/docs/Container/figures/zh-cn_image_0183048952.png 
diff --git a/content/zh/docs/Container/figures/zh-cn_image_0221924926.png b/docs/zh/docs/Container/figures/zh-cn_image_0221924926.png similarity index 100% rename from content/zh/docs/Container/figures/zh-cn_image_0221924926.png rename to docs/zh/docs/Container/figures/zh-cn_image_0221924926.png diff --git a/content/zh/docs/Container/figures/zh-cn_image_0221924927.png b/docs/zh/docs/Container/figures/zh-cn_image_0221924927.png similarity index 100% rename from content/zh/docs/Container/figures/zh-cn_image_0221924927.png rename to docs/zh/docs/Container/figures/zh-cn_image_0221924927.png diff --git "a/content/zh/docs/Container/figures/\345\256\211\345\205\250\345\256\271\345\231\250\344\270\216\345\221\250\350\276\271\347\273\204\344\273\266\347\232\204\345\205\263\347\263\273.png" b/docs/zh/docs/Container/figures/zh_cn_image_0221924928.png similarity index 100% rename from "content/zh/docs/Container/figures/\345\256\211\345\205\250\345\256\271\345\231\250\344\270\216\345\221\250\350\276\271\347\273\204\344\273\266\347\232\204\345\205\263\347\263\273.png" rename to docs/zh/docs/Container/figures/zh_cn_image_0221924928.png diff --git "a/content/zh/docs/Container/iSula\345\256\271\345\231\250\345\274\225\346\223\216.md" "b/docs/zh/docs/Container/iSula\345\256\271\345\231\250\345\274\225\346\223\216.md" similarity index 91% rename from "content/zh/docs/Container/iSula\345\256\271\345\231\250\345\274\225\346\223\216.md" rename to "docs/zh/docs/Container/iSula\345\256\271\345\231\250\345\274\225\346\223\216.md" index 51486cb5ee2f391e11455f67c81d9a47aede5d60..3386c47f47f6dfa6374eea93d6e38dd19360eb4b 100644 --- "a/content/zh/docs/Container/iSula\345\256\271\345\231\250\345\274\225\346\223\216.md" +++ "b/docs/zh/docs/Container/iSula\345\256\271\345\231\250\345\274\225\346\223\216.md" 
@@ -1,11 +1,11 @@ -# iSula容器引擎 - -iSula通用容器引擎相比Docker,是一种新的容器解决方案,提供统一的架构设计来满足CT和IT领域的不同需求。相比Golang编写的Docker,轻量级容器使用C/C++实现,具有轻、灵、巧、快的特点,不受硬件规格和架构的限制,底噪开销更小,可应用领域更为广泛。 - -容器统一架构如[图1](#zh-cn_topic_0182207099_fig10763114141217)所示。 - -**图 1** 容器统一架构 - - -![](figures/zh-cn_image_0183048952.png) - +# iSula容器引擎 + +iSula通用容器引擎相比Docker,是一种新的容器解决方案,提供统一的架构设计来满足CT和IT领域的不同需求。相比Golang编写的Docker,轻量级容器使用C/C++实现,具有轻、灵、巧、快的特点,不受硬件规格和架构的限制,底噪开销更小,可应用领域更为广泛。 + +容器统一架构如[图1](#zh-cn_topic_0182207099_fig10763114141217)所示。 + +**图 1** 容器统一架构 + + +![](./figures/zh-cn_image_0183048952.png) + diff --git "a/docs/zh/docs/Container/isula-build\346\236\204\345\273\272\345\267\245\345\205\267.md" "b/docs/zh/docs/Container/isula-build\346\236\204\345\273\272\345\267\245\345\205\267.md" new file mode 100644 index 0000000000000000000000000000000000000000..6e70fe44133a830ccfa30e44180b87135e900e2b --- /dev/null +++ "b/docs/zh/docs/Container/isula-build\346\236\204\345\273\272\345\267\245\345\205\267.md" 
@@ -0,0 +1,1017 @@ +# 容器镜像构建 + + + +* [安装](#安装) + * [环境准备](#环境准备) + * [安装isula-build](#安装isula-build) +* [配置与管理服务](#配置与管理服务) + * [配置服务](#配置服务) + * [管理服务](#管理服务) + * [通过 systemd 管理(推荐方式)](#通过-systemd-管理推荐方式) + * [直接运行 isula-build 服务端](#直接运行-isula-build-服务端) +* [使用指南](#使用指南) + * [前提条件](#前提条件) + * [总体说明](#总体说明) + * [ctr-img: 容器镜像管理](#ctr-img-容器镜像管理) + * [build: 容器镜像构建](#build-容器镜像构建) + * [image: 查看本地持久化构建镜像](#image-查看本地持久化构建镜像) + * [import: 导入容器基础镜像](#import-导入容器基础镜像) + * [load: 导入层叠镜像](#load-导入层叠镜像) + * [rm: 删除本地持久化镜像](#rm-删除本地持久化镜像) + * [save: 导出层叠镜像](#save-导出层叠镜像) + * [tag: 给本地持久化镜像打标签](#tag-给本地持久化镜像打标签) + * [pull: 拉取镜像到本地](#pull-拉取镜像到本地) + * [push: 将本地镜像推送到远程仓库](#push-将本地镜像推送到远程仓库) + * [info: 查看运行环境与系统信息](#info-查看运行环境与系统信息) + * [login: 登录远端镜像仓库](#login-登录远端镜像仓库) + * [logout: 退出远端镜像仓库](#logout-退出远端镜像仓库) + * [version: 版本查询](#version-版本查询) + * [manifest: manifest列表管理(实验特性)](#manifest-manifest列表管理) + * [create: manifest列表创建](#create-manifest列表创建) + * [annotate: manifest列表更新](#annotate-manifest列表更新) + * [inspect: manifest列表查询](#inspect-manifest列表查询) + * [push: 将manifest列表推送到远程仓库](#push-将manifest列表推送到远程仓库) +* [直接集成容器引擎](#直接集成容器引擎) + * [与iSulad集成](#与isulad集成) + * [与Docker集成](#与docker集成) +* [附录](#附录) + * [命令行参数说明](#命令行参数说明) + * [通信矩阵](#通信矩阵) + * [文件与权限](#文件与权限) + + + +## 概述 + +isula-build是iSula容器团队推出的容器镜像构建工具,支持通过Dockerfile文件快速构建容器镜像。 + +isula-build采用服务端/客户端模式,其中,isula-build为客户端,提供了一组命令行工具,用于镜像构建及管理等;isula-builder为服务端,用于处理客户端管理请求,作为守护进程常驻后台。 + +![isula-build architecure](./figures/isula-build_arch.png) + +说明: + +- isula-build当前仅支持Docker镜像。 + +## 安装 + +### 环境准备 + +为了确保isula-build成功安装,需满足以下软件硬件要求。 + +- 支持的机器架构:x86_64 和 AArch64 +- 支持的操作系统:openEuler +- 用户具有root权限。 + +#### 安装isula-build + +使用isula-build构建容器镜像,需要先安装以下软件包。 + + + +**(推荐)方法一:使用yum安装** + +1. 配置openEuler yum源。 + +2. 使用root权限,登录目标服务器,安装isula-build。 + + ``` + sudo yum install -y isula-build + ``` + + + +**方法二:使用rpm包安装** + +1. 
从openEuler yum源中获取isula-build对应安装包isula-build-*.rpm。例如isula-build-0.9.5-6.oe1.x86_64.rpm。 + +2. 将获取的rpm软件包上传至目标服务器的任一目录,例如 /home/。 + +3. 使用root权限,登录目标服务器,参考如下命令安装isula-build。 + + ``` + sudo rpm -ivh /home/isula-build-*.rpm + ``` + +> **说明:** +> 安装完成后,需要手工启动isula-build服务。启动请参见"管理服务"。 + +## 配置与管理服务 + +### 配置服务 + +在安装完 isula-build 软件包之后,systemd 管理服务会以 isula-build 软件包自带的 isula-build 服务端默认配置启动 isula-build 服务。如果 isula-build 服务端的默认配置文件不能满足用户的需求,可以参考如下介绍进行定制化配置。需要注意的是,修改完默认配置之后,需要重启 isula-build 服务端使新配置生效,具体操作可参考下一章节。 + +目前 isula-build 服务端包含如下配置文件: + +- /etc/isula-build/configuration.toml:isula-builder 总体配置文件,用于设置 isula-builder 日志级别、持久化目录和运行时目录、OCI runtime等。其中各参数含义如下: + +| 配置项 | 是否可选 | 配置项含义 | 配置项取值 | +| --------- | -------- | --------------------------------- | ----------------------------------------------- | +| debug | 可选 | 设置是否打开debug日志 | true:打开debug日志
false:关闭debug日志 | +| loglevel | 可选 | 设置日志级别 | debug
info
warn
error | +| run_root | 必选 | 设置运行时数据根目录 | 运行时数据根目录路径,例如/var/run/isula-build/ | +| data_root | 必选 | 设置本地持久化目录 | 本地持久化目录路径,例如/var/lib/isula-build/ | +| runtime | 可选 | 设置runtime种类,目前仅支持runc | runc | +| group | 可选 | 设置本地套接字isula_build.sock文件属组使得加入该组的非特权用户可以操作isula-build | isula | + + +- /etc/isula-build/storage.toml: 本地持久化存储的配置文件,包含所使用的存储驱动的配置。 + +| 配置项 | 是否可选 | 配置项含义 | +| ------ | -------- | ------------------------------ | +| driver | 可选 | 存储驱动类型,目前支持overlay2 | + + 更多设置可参考 [containers-storage.conf.5.md](https://github.com/containers/storage/blob/master/docs/containers-storage.conf.5.md)。 + + +- /etc/isula-build/registries.toml : 针对各个镜像仓库的配置文件。 + +| 配置项 | 是否可选 | 配置项含义 | +| ------------------- | -------- | ------------------------------------------------------------ | +| registries.search | 可选 | 镜像仓库搜索域,在此list的镜像仓库可以被感知,不在此列的不被感知。 | +| registries.insecure | 可选 | 可访问的不安全镜像仓库地址,在此列表中的镜像仓库将不会通过鉴权,不推荐使用。 | + + 更多设置可参考 [containers-registries.conf.5.md](https://github.com/containers/image/blob/master/docs/containers-registries.conf.5.md)。 + +- /etc/isula-build/policy.json:镜像pull/push策略文件。注:当前不支持对其进行配置 + +> ![](./public_sys-resources/icon-note.gif) **说明:** +> +> - isula-build 支持最大 1MiB 的上述配置文件。 +> - isula-build 不支持将持久化工作目录 dataroot 配置在内存盘上,比如 tmpfs。 +> - isula-build 目前仅支持使用overlay2为底层 graphdriver。 +> - 在设置--group参数前,需保证本地OS已经创建了对应的用户组,且非特权用户已经加入该组。重启isula-builder之后即可使该非特权用户使用isula-build功能。同时,为了保持权限一致性,isula-build的配置文件目录/etc/isula-build的数组也会被设置为--group指定的组。 + + + +### 管理服务 + +目前 openEuler 采用 systemd 管理软件服务,isula-build 软件包已经自带了 systemd 的服务文件,用户安装完 isula-build 软件包之后可以直接通过 systemd 工具对它进行服务启停等操作。用户同样可以手动启动 isula-build 服务端软件。需要注意的是,同一个节点上不可以同时启动多个 isula-build 服务端软件。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>同一个节点上不可以同时启动多个 isula-build 服务端软件。 + +#### 通过 systemd 管理(推荐方式) + +用户可以通过如下 systemd 的标准指令控制 isula-build 服务的启动、停止、重启等动作: + +- 启动 isula-build 服务: + + ```sh + sudo systemctl start isula-build.service + ``` + +- 停止 isula-build 服务: + + ```sh + sudo systemctl stop 
isula-build.service + ``` + +- 重启 isula-builder 服务: + + ```sh + sudo systemctl restart isula-build.service + ``` + +isula-build 软件包安装的 systemd 服务文件保存在 `/usr/lib/systemd/system/isula-build.service`。如果用户需要修改 isula-build 服务的 systemd 配置,可以修改该文件,执行如下命令使配置生效,之后再根据上面提到的 systemd 管理指令重启 isula-build 服务 + +```sh +sudo systemctl daemon-reload +``` + +#### 直接运行 isula-build 服务端 + +您也可以通过执行 isula-build 服务端命令( isula-builder)的方式启动服务。其中,服务端启动配置,可通过isula-builder命令支持的 flags 设置。isula-build 服务端目前支持的 flags 如下: + +- -D, --debug: 是否开启调测模式。 +- --log-level: 日志级别,支持 “debug”, “info”, “warn” or “error”,默认为 “info”。 +- --dataroot: 本地持久化路径,默认为”/var/lib/isula-build/“。 +- --runroot: 运行时路径,默认为”/var/run/isula-build/“。 +- --storage-driver:底层存储驱动类型。 +- --storage-opt: 底层存储驱动配置。 +- --group: 设置本地套接字isula_build.sock文件属组使得加入该组的非特权用户可以操作isula-build,默认为“isula”。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>当命令行启动参数中传递了与配置文件相同的配置选项时,优先使用命令行参数启动。 + +启动 isula-build 服务。例如指定本地持久化路径/var/lib/isula-build,且不开启调试的参考命令如下: + +```sh +sudo isula-builder --dataroot "/var/lib/isula-build" --debug=false +``` + +## 使用指南 + +### 前提条件 + +isula-build 构建 Dockerfile 内的 RUN 指令时依赖可执行文件 runc ,需要 isula-build 的运行环境上预装好 runc。安装方式视用户使用场景而定,如果用户不需要使用完整的 docker-engine 工具链,则可以仅安装 docker-runc rpm包: + +```sh +sudo yum install -y docker-runc +``` + +如果用户需要使用完整的 docker-engine 工具链,则可以安装 docker-engine rpm包,默认包含可执行文件 runc : + +```sh +sudo yum install -y docker-engine +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>用户需保证OCI runtime(runc)可执行文件的安全性,避免被恶意替换。 + + + +### 总体说明 + +isula-build 客户端提供了一系列命令用于构建和管理容器镜像,当前 isula-build 包含的命令行指令如下: + +- ctr-img,容器镜像管理。ctr-img又包含如下子命令: + - build,根据给定dockerfile构建出容器镜像。 + - images,列出本地容器镜像。 + - import,导入容器基础镜像。 + - load,导入层叠镜像。 + - rm,删除本地容器镜像。 + - save,导出层叠镜像至本地磁盘。 + - tag,给本地容器镜像打tag。 + - pull,拉取镜像到本地。 + - push,推送本地镜像到远程仓库。 +- info,查看isula-build的运行环境和系统信息。 +- login,登录远端容器镜像仓库。 +- logout,退出远端容器镜像仓库。 +- version,查看isula-build和isula-builder的版本号。 + +>![](./public_sys-resources/icon-note.gif) 
**说明:** +>isula-build completion 和 isula-builder completion 命令用于生成bash命令补全脚本。该命令为命令行框架隐式提供,不会显示在help信息中。 + + + +以下按照上述维度依次详细介绍这些命令行指令的使用。 + + + + +### ctr-img: 容器镜像管理 + +isula-build 将所有容器镜像管理相关命令划分在子命令 `ctr-img` 下,命令原型为: + +``` +isula-build ctr-img [command] +``` + +#### build: 容器镜像构建 + +ctr-img 的子命令 build 用于构建容器镜像,命令原型为: + +``` +isula-build ctr-img build [flags] +``` + +其中 build 包含如下 flags: + +- --build-arg:string列表,构建过程中需要用到的变量。 +- --build-static:KeyValue值,构建二进制一致性。目前包含如下Key值: + - build-time:string,使用固定时间戳来构建容器镜像;时间戳格式为“YYYY-MM-DD HH-MM-SS”。 +- -f, --filename:string,Dockerfile的路径,不指定则是使用当前路径的Dockerfile文件。 +- --iidfile:string,输出 image ID 到本地文件。 +- -o, --output:string,镜像导出的方式和路径。 +- --proxy:布尔值,继承主机侧环境的proxy环境变量(默认为true)。 +- --tag:string,设置构建成功的镜像的tag值。 +- --cap-add:string列表,构建过程中RUN指令所需要的权限。 + +**以下为各个 flags 的详解。** + +**\--build-arg** + +从命令行接受参数作为Dockerfile中的参数,用法: + +```sh +$ echo "This is bar file" > bar.txt +$ cat Dockerfile_arg +FROM busybox +ARG foo +ADD ${foo}.txt . +RUN cat ${foo}.txt +$ sudo isula-build ctr-img build --build-arg foo=bar -f Dockerfile_arg +STEP 1: FROM busybox +Getting image source signatures +Copying blob sha256:8f52abd3da461b2c0c11fda7a1b53413f1a92320eb96525ddf92c0b5cde781ad +Copying config sha256:e4db68de4ff27c2adfea0c54bbb73a61a42f5b667c326de4d7d5b19ab71c6a3b +Writing manifest to image destinationStoring signatures +STEP 2: ARG foo +STEP 3: ADD ${foo}.txt . 
+STEP 4: RUN cat ${foo}.txt +This is bar file +Getting image source signatures +Copying blob sha256:6194458b07fcf01f1483d96cd6c34302ffff7f382bb151a6d023c4e80ba3050a +Copying blob sha256:6bb56e4a46f563b20542171b998cb4556af4745efc9516820eabee7a08b7b869 +Copying config sha256:39b62a3342eed40b41a1bcd9cd455d77466550dfa0f0109af7a708c3e895f9a2 +Writing manifest to image destination +Storing signatures +Build success with image id: 39b62a3342eed40b41a1bcd9cd455d77466550dfa0f0109af7a708c3e895f9a2 +``` + +**\--build-static** + +指定为静态构建,即使用isula-build构建容器镜像时消除所有时间戳和其他构建因素(例如容器ID、hostname等)的差异。最终构建出满足静态要求的容器镜像。 + +在使用isula-build进行容器镜像构建时,假如给 build 子命令一个固定的时间戳,并在限定如下条件的时候: + +- 构建环境前后保持一致。 +- 构建Dockerfile前后保持一致。 +- 构建产生的中间数据前后保持一致。 +- 构建命令相同。 +- 第三方库版本一致。 + +对于容器镜像构建,isula-build支持相同的Dockerfile。如果构建环境相同,则多次构建生成的镜像内容和镜像ID相同。 + +--build-static接受k=v形式的键值对选项,当前支持的选项有: + +- build-time:字符串类型。构建静态镜像的固定时间戳,格式为“YYYY-MM-DD HH-MM-SS”。时间戳影响diff层创建修改时间的文件属性。 + + 使用示例如下: + + ```sh + $ sudo isula-build ctr-img build -f Dockerfile --build-static='build-time=2020-05-23 10:55:33' . 
+ ``` + + 以此方式,同一环境多次构建出来的容器镜像和镜像ID均会保持一致。 + +**\--iidfile** + +将构建的镜像ID输出到文件,用法: + +``` +isula-build ctr-img build --iidfile filename +``` + +例如,将容器镜像ID输出到testfile的参考命令如下: + + ```sh +$ sudo isula-build ctr-img build -f Dockerfile_arg --iidfile testfile + ``` + + 查看testfile中的容器镜像ID: + + ```sh +$ cat testfile +76cbeed38a8e716e22b68988a76410eaf83327963c3b29ff648296d5cd15ce7b + ``` + + + +**\-o, --output** + +目前 -o, --output 支持如下形式: + +- `isulad:image:tag`:将构建成功的镜像直接推送到 iSulad。比如:`-o isulad:busybox:latest`。同时需要注意如下约束: + + - isula-build 和 iSulad 必须在同一个节点上 + - tag必须配置 + - isula-build client端需要将构建成功的镜像暂存成 `/var/tmp/isula-build-tmp-%v.tar` 再导入至 iSulad,用户需要保证 `/var/tmp/` 目录有足够磁盘空间 + +- `docker-daemon:image:tag`:将构建成功的镜像直接推送到 Docker daemon。比如:`-o docker-daemon:busybox:latest`。同时需要注意如下约束: +- isula-build 和 docker 必须在同一个节点上 + - tag必须配置 + +- `docker://registry.example.com/repository:tag`:将构建成功的镜像直接推送到远端镜像仓库。比如:`-o docker://localhost:5000/library/busybox:latest`。 + +- `docker-archive:/:image:tag`:将构建成功的镜像以Docker image的格式保存至本地。比如:`-o docker-archive:/root/image.tar:busybox:latest`。 + +除去各个flags之外,build子命令的命令行最后还会接收一个argument,该argument类型是string,意义为context,即该Dockerfile构建环境的上下文。该参数默认值为isula-build被执行的当前路径。该路径会影响 .dockerignore 和 Dockerfile的ADD/COPY指令 所检索的路径。 + +**\--proxy** + +选择构建时RUN指令启动的容器是否从环境上继承proxy相关环境变量”http_proxy”,“https_proxy”,“ftp_proxy”,“no_proxy”,“HTTP_PROXY”,“HTTPS_PROXY”,“FTP_PROXY”,“NO_PROXY”,默认为true。 + +当用户在Dockerfile配置proxy相关ARG或ENV,将覆盖所继承的环境变量。 + +注意:若client与daemon不在同一个终端运行,所能继承的环境变量为daemon所在终端的环境变量。 + +**\--tag** + +设置镜像构建成功之后,该镜像在本地磁盘存储时的tag。 + +**\--cap-add** + +添加构建过程中RUN指令所需权限,用法: + +``` +isula-build ctr-img build --cap-add ${CAP} +``` + +使用举例: + +```sh +$ sudo isula-build ctr-img build --cap-add CAP_SYS_ADMIN --cap-add CAP_SYS_PTRACE -f Dockerfile +``` + +> **说明:** +> +> - isula-build最大支持并发构建100个容器镜像。 +> - isula-build支持Dockerfile最大为1MiB。 +> - isula-build支持 .dockerignore 最大为 1MiB。 +> - 用户需保证Dockerfile文件的权限为仅当前用户可读写,避免别的用户进行篡改。 +> - 构建时,RUN指令会启动容器在容器内进行构建,目前 
isula-build 仅支持使用主机网络。 +> - isula-build 导出的镜像压缩格式,目前仅支持tar.gz格式。 +> - isula-build 在每一个镜像构建stage完成后做一次提交,而不是每执行 Dockerfile的一行就提交一次。 +> - isula-build 暂不支持构建缓存。 +> - isula-build 仅在构建RUN指令时会启动构建容器。 +> - 目前不支持docker镜像格式的history功能。 +> - isula-build 的stage name支持以数字开头。 +> - isula-build 的stage name最长可为64个字符。 +> - isula-build 暂不支持对单次Dockerfile的构建进行资源限制。如有资源限制需求,可通过对 isula-builder 服务端配置资源限额的方式进行限制。 +> - isula-build 目前不支持Dockerfile里的ADD指令提供的数据来源是远端url。 +> - isula-build 使用docker-archive类型导出的本地tar包未经压缩。如有需求,用户可以手动进行压缩。 + + + +#### image: 查看本地持久化构建镜像 + +可通过images命令查看当前本地持久化存储的镜像: + +```sh +$ sudo isula-build ctr-img images +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +REPOSITORY TAG IMAGE ID CREATED SIZE +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +localhost:5000/library/alpine latest a24bb4013296 2020-20-19 19:59:197 5.85 MB + 39b62a3342ee 2020-20-38 38:66:387 1.45 MB +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +``` + +**说明**:通过`isula-build ctr-img images`查看的镜像大小与`docker images`的显示上有一定差异。这是因为统计镜像大小时,isula-build是直接计算每层tar包大小之和,而docker是通过解压tar遍历diff目录计算文件大小之和,因此存在统计上的差异。 + + + +#### import: 导入容器基础镜像 + +openEuler会随版本发布一个容器基础镜像,比如openEuler-docker.x86_64.tar.xz。可以通过`ctr-img import`指令将它导入到 isula-build。 + +命令原型如下: + +``` +isula-build ctr-img import [flags] +``` + +使用举例: + +```sh +$ sudo isula-build ctr-img import ./openEuler-docker.x86_64.tar.xz openeuler:21.03 +Import success with image id: "aac8223a40e9c37558477671c4d66692c8ee5d37b28d947e10010911dd0549d8" +$ sudo isula-build ctr-img images +--------------- ----------- ----------------- ------------------------ ------------ + REPOSITORY TAG IMAGE ID CREATED SIZE +--------------- ----------- ----------------- ------------------------ ------------ + openeuler 21.03 aac8223a40e9 2021-04-02 00:56:46 210 MB 
+--------------- ----------- ----------------- ------------------------ ------------ +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>isula-build 支持导入最大1GiB的容器基础镜像。 + + + +#### load: 导入层叠镜像 + +层叠镜像指的是通过 docker save 或 isula-build ctr-img save 等指令,将一个构建完成的镜像保存至本地之后,镜像压缩包内是一层一层 layer.tar 的镜像包。可以通过 ctr-img load 指令将它导入至 isula-build。 + +命令原型如下: + +``` +isula-build ctr-img load [flags] +``` + +目前支持的 flags 为: + +- -i, --input:本地tar包的路径 + +使用举例如下: + +```sh +$ sudo isula-build ctr-img load -i ubuntu.tarGetting image source signatures +Copying blob sha256:cf612f747e0fbcc1674f88712b7bc1cd8b91cf0be8f9e9771235169f139d507c +Copying blob sha256:f934e33a54a60630267df295a5c232ceb15b2938ebb0476364192b1537449093 +Copying blob sha256:943edb549a8300092a714190dfe633341c0ffb483784c4fdfe884b9019f6a0b4 +Copying blob sha256:e7ebc6e16708285bee3917ae12bf8d172ee0d7684a7830751ab9a1c070e7a125 +Copying blob sha256:bf6751561805be7d07d66f6acb2a33e99cf0cc0a20f5fd5d94a3c7f8ae55c2a1 +Copying blob sha256:c1bd37d01c89de343d68867518b1155cb297d8e03942066ecb44ae8f46b608a3 +Copying blob sha256:a84e57b779297b72428fc7308e63d13b4df99140f78565be92fc9dbe03fc6e69 +Copying blob sha256:14dd68f4c7e23d6a2363c2320747ab88986dfd43ba0489d139eeac3ac75323b2 +Copying blob sha256:a2092d776649ea2301f60265f378a02405539a2a68093b2612792cc65d00d161 +Copying blob sha256:879119e879f682c04d0784c9ae7bc6f421e206b95d20b32ce1cb8a49bfdef202 +Copying blob sha256:e615448af51b848ecec00caeaffd1e30e8bf5cffd464747d159f80e346b7a150 +Copying blob sha256:f610bd1e9ac6aa9326d61713d552eeefef47d2bd49fc16140aa9bf3db38c30a4 +Copying blob sha256:bfe0a1336d031bf5ff3ce381e354be7b2bf310574cc0cd1949ad94dda020cd27 +Copying blob sha256:f0f15db85788c1260c6aa8ad225823f45c89700781c4c793361ac5fa58d204c7 +Copying config sha256:c07ddb44daa97e9e8d2d68316b296cc9343ab5f3d2babc5e6e03b80cd580478e +Writing manifest to image destination +Storing signatures +Loaded image as c07ddb44daa97e9e8d2d68316b296cc9343ab5f3d2babc5e6e03b80cd580478e +``` + 
+>![](./public_sys-resources/icon-note.gif) **说明:** +> +>- isula-build load命令仅支持导入包含单个层叠镜像的镜像压缩文件。 +>- isula-build 支持导入最大50G的容器层叠镜像。 + + + +#### rm: 删除本地持久化镜像 + +可通过rm命令删除当前本地持久化存储的镜像。命令原型为: + +``` +isula-build ctr-img rm IMAGE [IMAGE...] [FLAGS] +``` + +目前支持的 flags 为: + +- -a, --all:删除所有本地持久化存储的镜像。 +- -p, --prune:删除所有没有tag的本地持久化存储的镜像。 + +使用示例如下: + +```sh +$ sudo isula-build ctr-img rm -p +Deleted: sha256:78731c1dde25361f539555edaf8f0b24132085b7cab6ecb90de63d72fa00c01d +Deleted: sha256:eeba1bfe9fca569a894d525ed291bdaef389d28a88c288914c1a9db7261ad12c +``` + + + +#### save: 导出层叠镜像 + +可通过save命令导出层叠镜像到本地磁盘。命令原型如下: + +``` +isula-build ctr-img save [REPOSITORY:TAG]|imageID -o xx.tar +``` + +以下示例通过 `image/tag` 的形式将镜像进行导出: + +```sh +$ sudo isula-build ctr-img save busybox:latest -o busybox.tar +Getting image source signatures +Copying blob sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a +Copying blob sha256:824082a6864774d5527bda0d3c7ebd5ddc349daadf2aa8f5f305b7a2e439806f +Copying blob sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef +Copying config sha256:21c3e96ac411242a0e876af269c0cbe9d071626bdfb7cc79bfa2ddb9f7a82db6 +Writing manifest to image destination +Storing signatures +Save success with image: busybox:latest +``` + +以下示例通过 `ImageID` 的形式将镜像进行导出: + +```sh +$ sudo isula-build ctr-img save 21c3e96ac411 -o busybox.tar +Getting image source signatures +Copying blob sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a +Copying blob sha256:824082a6864774d5527bda0d3c7ebd5ddc349daadf2aa8f5f305b7a2e439806f +Copying blob sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef +Copying config sha256:21c3e96ac411242a0e876af269c0cbe9d071626bdfb7cc79bfa2ddb9f7a82db6 +Writing manifest to image destination +Storing signatures +Save success with image: 21c3e96ac411 +``` + +以下示例导出多个镜像到同一个tarball: +```sh +$ sudo isula-build ctr-img save busybox:latest nginx:latest -o all.tar +Getting image source 
signatures +Copying blob sha256:eb78099fbf7fdc70c65f286f4edc6659fcda510b3d1cfe1caa6452cc671427bf +Copying blob sha256:29f11c413898c5aad8ed89ad5446e89e439e8cfa217cbb404ef2dbd6e1e8d6a5 +Copying blob sha256:af5bd3938f60ece203cd76358d8bde91968e56491daf3030f6415f103de26820 +Copying config sha256:b8efb18f159bd948486f18bd8940b56fd2298b438229f5bd2bcf4cedcf037448 +Writing manifest to image destination +Storing signaturesGetting image source signatures +Copying blob sha256:e2d6930974a28887b15367769d9666116027c411b7e6c4025f7c850df1e45038 +Copying config sha256:a33de3c85292c9e65681c2e19b8298d12087749b71a504a23c576090891eedd6 +Writing manifest to image destination +Storing signatures +Save success with image: [busybox:latest nginx:latest] +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +> +>- save 导出的镜像默认格式为未压缩的tar格式,如有需求,用户可以再save之后手动压缩。 +>- 在导出镜像时,需要写明镜像的完整性,格式为IMAGE_NAME:IMAGE_TAG。 + + +#### tag: 给本地持久化镜像打标签 + +可使用tag命令给本地持久化的容器镜像打tag。命令原型如下: + +``` +isula-build ctr-img tag / busybox:latest +``` + +使用举例: + +```sh +$ sudo isula-build ctr-img images +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +REPOSITORY TAG IMAGE ID CREATED SIZE +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +alpine latest a24bb4013296 2020-05-29 21:19:46 5.85 MB +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +$ sudo isula-build ctr-img tag a24bb4013296 alpine:v1 +$ sudo isula-build ctr-img images +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +REPOSITORY TAG IMAGE ID CREATED SIZE +---------------------------------------------- ----------- ----------------- -------------------------- ------------ +alpine latest a24bb4013296 2020-05-29 21:19:46 5.85 MB +alpine v1 a24bb4013296 2020-05-29 21:19:46 5.85 MB 
+---------------------------------------------- ----------- ----------------- -------------------------- ------------ +``` + +#### pull: 拉取镜像到本地 + +可通过pull命令拉取远程镜像仓库中的镜像到本地。命令原型如下: + +``` +isula-build ctr-img pull REPOSITORY[:TAG] +``` + +使用示例: + +```sh +$ sudo isula-build ctr-img pull example-registry/library/alpine:latest +Getting image source signatures +Copying blob sha256:8f52abd3da461b2c0c11fda7a1b53413f1a92320eb96525ddf92c0b5cde781ad +Copying config sha256:e4db68de4ff27c2adfea0c54bbb73a61a42f5b667c326de4d7d5b19ab71c6a3b +Writing manifest to image destination +Storing signatures +Pull success with image: example-registry/library/alpine:latest +``` + +#### push: 将本地镜像推送到远程仓库 + +可通过push命令将本地镜像推送到远程仓库。命令原型如下: + +``` +isula-build ctr-img push REPOSITORY[:TAG] +``` + +使用示例: + +```sh +$ sudo isula-build ctr-img push example-registry/library/mybusybox:latest +Getting image source signatures +Copying blob sha256:d2421964bad195c959ba147ad21626ccddc73a4f2638664ad1c07bd9df48a675 +Copying config sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f +Writing manifest to image destination +Storing signatures +Push success with image: example-registry/library/mybusybox:latest +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +> +>- 推送镜像时,需要先登录对应的镜像仓库。 + + +### info: 查看运行环境与系统信息 + +可以通过“isula-build info”指令查看 isula-build 目前的运行环境与系统信息。命令原型如下: + +``` + isula-build info [flags] +``` + +支持如下Flags: + +- -H, --human-readable 布尔值,以常用内存表示格式打印内存信息,使用1000次幂 +- -V, --verbose 布尔值,显示运行时内存占用信息 + +使用示例: + +```sh +$ sudo isula-build info -HV + General: + MemTotal: 7.63 GB + MemFree: 757 MB + SwapTotal: 8.3 GB + SwapFree: 8.25 GB + OCI Runtime: runc + DataRoot: /var/lib/isula-build/ + RunRoot: /var/run/isula-build/ + Builders: 0 + Goroutines: 12 + Store: + Storage Driver: overlay + Backing Filesystem: extfs + Registry: + Search Registries: + oepkgs.net + Insecure Registries: + localhost:5000 + oepkgs.net + Runtime: + MemSys: 68.4 MB + HeapSys: 63.3 MB + HeapAlloc: 
7.41 MB + MemHeapInUse: 8.98 MB + MemHeapIdle: 54.4 MB + MemHeapReleased: 52.1 MB +``` + +### login: 登录远端镜像仓库 + +用户可以运行 login 命令来登录远程镜像仓库。命令原型如下: + +``` + isula-build login SERVER [FLAGS] +``` + +目前支持的flag有: + +``` + Flags: + -p, --password-stdin Read password from stdin + -u, --username string Username to access registry +``` + +通过stdin输入密码。以下示例通过通过管道将creds.txt里的密码传给isula-build的stdin进行输入: + +```sh + $ cat creds.txt | sudo isula-build login -u cooper -p mydockerhub.io + Login Succeeded +``` + +通过交互式输入密码: + +```sh + $ sudo isula-build login mydockerhub.io -u cooper + Password: + Login Succeeded +``` + +### logout: 退出远端镜像仓库 + +用户可以运行 logout 命令来登出远程镜像仓库。命令原型如下: + +``` + isula-build logout [SERVER] [FLAGS] +``` + +目前支持的flag有: + +``` + Flags: + -a, --all Logout all registries +``` + +使用示例如下: + +```sh + $ sudo isula-build logout -a + Removed authentications +``` + +### version: 版本查询 + +可通过version命令查看当前版本信息: + +```sh + $ sudo isula-build version + Client: + Version: 0.9.5-6 + Go Version: go1.15.7 + Git Commit: b82408f + Built: Tue Mar 30 11:08:00 2021 + OS/Arch: linux/amd64 + + Server: + Version: 0.9.5 + Go Version: go1.15.5 + Git Commit: 64dbad50 + Built: Mon Apr 12 20:30:31 2021 + OS/Arch: linux/amd64 +``` +### manifest: manifest列表管理 + +manifest列表包含不同系统架构对应的镜像信息,通过使用manifest列表,用户可以在不同的架构中使用相同的manifest(例如openeuler:latest)获取对应架构的镜像,manifest包含create、annotate、inspect和push子命令。 +> **说明:** +> +> - manifest为实验特性,使用时需开启客户端和服务端的实验选项,方式详见客户端总体说明和配置服务章节。 + + +#### create: manifest列表创建 + +manifest的子命令create用于创建manifest列表,命令原型为: + +``` +isula-build manifest create MANIFEST_LIST MANIFEST [MANIFEST...] 
+``` + +用户可以指定manifest列表的名称以及需要加入到列表中的远程镜像,若不指定任何远程镜像,则会创建一个空的manifest列表。 + +使用示例如下: + +```sh +$ sudo isula-build manifest create openeuler localhost:5000/openeuler_x86:latest localhost:5000/openeuler_aarch64:latest +``` + +#### annotate: manifest列表更新 + +manifest的子命令annotate用于更新manifest列表,命令原型为: + +``` +isula-build manifest annotate MANIFEST_LIST MANIFEST [flags] +``` + +用户可以指定需要更新的manifest列表以及其中的镜像,通过flags指定需要更新的选项,此命令也可用于添加新的镜像到列表中。 + +其中annotate包含如下flags: + +- --arch: string,重写镜像适用架构 +- --os: string,重写镜像适用系统 +- --os-features: string列表,指定镜像需要的OS特性,很少使用 +- --variant: string,指定列表中记录镜像的变量 + +使用示例如下: + +```sh +$ sudo isula-build manifest annotate --os linux --arch arm64 openeuler:latest localhost:5000/openeuler_aarch64:latest +``` + +#### inspect: manifest列表查询 + +manifest子命令inspect用于查询manifest列表信息,命令原型为: + +``` +isula-build manifest inspect MANIFEST_LIST +``` + +使用示例如下: + +```sh +$ sudo isula-build manifest inspect openeuler:latest +{ + "schemaVersion": 2, + "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", + "manifests": [ + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "size": 527, + "digest": "sha256:bf510723d2cd2d4e3f5ce7e93bf1e52c8fd76831995ac3bd3f90ecc866643aff", + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "size": 527, + "digest": "sha256:f814888b4bb6149bd39ba8375a1932fb15071b4dbffc7f76c7b602b06abbb820", + "platform": { + "architecture": "arm64", + "os": "linux" + } + } + ] +} +``` + +#### push: 将manifest列表推送到远程仓库 + +manifest子命令push用于将manifest列表推送到远程仓库,命令原型为: + +``` +isula-build manifest push MANIFEST_LIST DESTINATION +``` + +使用示例如下: + +```sh +$ sudo isula-build manifest push openeuler:latest localhost:5000/openeuler:latest +``` + +## 直接集成容器引擎 + +isula-build可以与iSulad和docker集成,将构建好的容器镜像导入到容器引擎的本地存储中。 + +### 与iSulad集成 + +支持将构建成功的镜像直接导出到iSulad。 + +命令行举例: + +```sh +$ sudo isula-build ctr-img build -f Dockerfile -o 
isulad:busybox:2.0 +``` + +通过在-o参数中指定iSulad,将构建好的容器镜像导出到iSulad,可以通过isula images查询: + +```sh +$ sudo isula images +isula images +REPOSITORY TAG IMAGE ID CREATED SIZE +busybox 2.0 2d414a5cad6d 2020-08-01 06:41:36 5.577 MB +``` + +> ![](./public_sys-resources/icon-note.gif) **说明:** +> - 要求isula-build和iSulad在同一节点。 +> - 直接导出镜像到iSulad时,isula-build client端需要将构建成功的镜像暂存成 `/var/lib/isula-build/tmp/[buildid]/isula-build-tmp-%v.tar` 再导入至 iSulad,用户需要保证 /var/lib/isula-build/tmp/ 目录有足够磁盘空间;同时如果在导出过程中 isula-build client进程被KILL或Ctrl+C终止,需要依赖用户手动清理 `/var/lib/isula-build/tmp/[buildid]/isula-build-tmp-%v.tar` 文件。 + +### 与Docker集成 + +支持将构建成功的镜像直接导出到Docker daemon。 + +命令行举例: + +```sh +$ sudo isula-build ctr-img build -f Dockerfile -o docker-daemon:busybox:2.0 +``` + +通过在-o参数中指定docker-daemon,将构建好的容器镜像导出到docker, 可以通过docker images查询。 + +```sh +$ sudo docker images +REPOSITORY TAG IMAGE ID CREATED SIZE +busybox 2.0 2d414a5cad6d 2 months ago 5.22MB +``` + +> ![](./public_sys-resources/icon-note.gif) **说明:** +> +> - 要求isula-build和Docker在同一节点。 + +## 附录 + + +### 命令行参数说明 + +**表1** ctr-img build 命令参数列表 + +| **命令** | **参数** | **说明** | +| ------------- | -------------- | ------------------------------------------------------------ | +| ctr-img build | --build-arg | string列表,构建过程中需要用到的变量 | +| | --build-static | KV值,构建二进制一致性。目前包含如下K值:- build-time:string,使用固定时间戳来构建容器镜像;时间戳格式为“YYYY-MM-DD HH-MM-SS” | +| | -f, --filename | string,Dockerfile的路径,不指定则是使用当前路径的Dockerfile文件 | +| | --iidfile | string,输出 image ID 到本地文件 | +| | -o, --output | string,镜像导出的方式和路径 | +| | --proxy | 布尔值,继承主机侧环境的proxy环境变量(默认为true) | +| | --tag | string,给构建的镜像添加tag | +| | --cap-add | string列表,构建过程中RUN指令所需要的权限 | + +**表2** ctr-img load 命令参数列表 + +| **命令** | **参数** | **说明** | +| ------------ | ----------- | --------------------------------- | +| ctr-img load | -i, --input | string,需要导入的本地tar包的路径 | + +**表3** ctr-img rm 命令参数列表 + +| **命令** | **参数** | **说明** | +| ---------- | ----------- | --------------------------------------------- | +| ctr-img 
rm | -a, --all | 布尔值,删除所有本地持久化存储的镜像 | +| | -p, --prune | 布尔值,删除所有没有tag的本地持久化存储的镜像 | + +**表4** ctr-img save 命令参数列表 + +| **命令** | **参数** | **说明** | +| ------------ | ------------ | ---------------------------------- | +| ctr-img save | -o, --output | string,镜像导出后在本地的存储路径 | + +**表5** login 命令参数列表 + +| **命令** | **参数** | **说明** | +| -------- | -------------------- | ------------------------------------------------------- | +| login | -p, --password-stdin | 布尔值,是否通过stdin读入密码;或采用交互式界面输入密码 | +| | -u, --username | string,登陆镜像仓库所使用的用户名 | + +**表6** logout 命令参数列表 + +| **命令** | **参数** | **说明** | +| -------- | --------- | ------------------------------------ | +| logout | -a, --all | 布尔值,是否登出所有已登陆的镜像仓库 | + +### 通信矩阵 + +isula-build两个组件进程之间通过unix socket套接字文件进行通信,无端口通信。 + +### 文件与权限 + +- isula-build 所有的操作均需要使用 root 权限。如需使用非特权用户操作,则需要配置--group参数 + +- isula-build 运行涉及文件权限如下表所示: + +| **文件路径** | **文件/文件夹权限** | **说明** | +| ------------------------------------------- | ------------------- | ------------------------------------------------------------ | +| /usr/bin/isula-build | 551 | 命令行工具二进制文件。 | +| /usr/bin/isula-builder | 550 | 服务端isula-builder进程二进制文件。 | +| /usr/lib/systemd/system/isula-build.service | 640 | systemd配置文件,用于管理isula-build服务。 | +| /etc/isula-build | 650 | isula-builder 配置文件根目录 | +| /etc/isula-build/configuration.toml | 600 | isula-builder 总配置文件,包含设置 isula-builder 日志级别、持久化目录和运行时目录、OCI runtime等。 | +| /etc/isula-build/policy.json | 600 | 签名验证策略文件的语法文件。 | +| /etc/isula-build/registries.toml | 600 | 针对各个镜像仓库的配置文件,含可用的镜像仓库列表、镜像仓库黑名单。 | +| /etc/isula-build/storage.toml | 600 | 本地持久化存储的配置文件,包含所使用的存储驱动的配置。 | +| /etc/isula-build/isula-build.pub | 444 | 非对称加密公钥文件 | +| /var/run/isula_build.sock | 660 | 服务端isula-builder的本地套接字。 | +| /var/lib/isula-build | 700 | 本地持久化目录。 | +| /var/run/isula-build | 700 | 本地运行时目录。 | +| /var/lib/isula-build/tmp/[buildid]/isula-build-tmp-*.tar | 644 | 镜像导出至iSulad时的本地暂存目录。 | + + 
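Review bot: The staging path for export to iSulad is documented two different ways in this file: the `-o, --output` section gives `/var/tmp/isula-build-tmp-%v.tar` and asks users to keep space free in `/var/tmp/`, while the 与iSulad集成 note and the 文件与权限 table give `/var/lib/isula-build/tmp/[buildid]/isula-build-tmp-%v.tar`. Users are told to size the disk for this path and to delete the leftover tar by hand after an interrupted export, so both places should name the same directory; please align the `--output` text with whichever path the client really uses. In the same file, the `build-time` format is stated as “YYYY-MM-DD HH-MM-SS” but the example passes `build-time=2020-05-23 10:55:33` with colons, so one of the two needs correcting.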
diff --git "a/content/zh/docs/Container/namespace\345\214\226\345\206\205\346\240\270\345\217\202\346\225\260\345\217\257\345\206\231.md" "b/docs/zh/docs/Container/namespace\345\214\226\345\206\205\346\240\270\345\217\202\346\225\260\345\217\257\345\206\231.md" similarity index 99% rename from "content/zh/docs/Container/namespace\345\214\226\345\206\205\346\240\270\345\217\202\346\225\260\345\217\257\345\206\231.md" rename to "docs/zh/docs/Container/namespace\345\214\226\345\206\205\346\240\270\345\217\202\346\225\260\345\217\257\345\206\231.md" index ab34a713fb0b997cc055fbade3220571e13ffcca..74e4f950a65614579fc534ab9ce57d77fcbce2d9 100644 --- "a/content/zh/docs/Container/namespace\345\214\226\345\206\205\346\240\270\345\217\202\346\225\260\345\217\257\345\206\231.md" +++ "b/docs/zh/docs/Container/namespace\345\214\226\345\206\205\346\240\270\345\217\202\346\225\260\345\217\257\345\206\231.md" @@ -1,20 +1,20 @@ -# namespace化内核参数可写 - -## 功能描述 - -对于运行在容器内的业务,如数据库,大数据,包括普通应用,有对部分内核参数进行设置和调整的需求,以满足最佳的业务运行性能和可靠性。内核参数要么不允许修改,要么全部允许修改(特权容器): - -在不允许用户在容器内修改时,只提供了--sysctl外部接口,而且容器内不能灵活修改参数值。 - -在允许用户在容器内修改时,部分内核参数是全局有效的,某个容器修改后,会影响主机上所有的程序,安全性降低。 - -   - -系统容器提供--ns-change-opt参数,可以指定namespace化的内核参数在容器内动态设置,当前仅支持net、ipc。 - -## 参数说明 - - +# namespace化内核参数可写 + +## 功能描述 + +对于运行在容器内的业务,如数据库,大数据,包括普通应用,有对部分内核参数进行设置和调整的需求,以满足最佳的业务运行性能和可靠性。内核参数要么不允许修改,要么全部允许修改(特权容器): + +在不允许用户在容器内修改时,只提供了--sysctl外部接口,而且容器内不能灵活修改参数值。 + +在允许用户在容器内修改时,部分内核参数是全局有效的,某个容器修改后,会影响主机上所有的程序,安全性降低。 + +   + +系统容器提供--ns-change-opt参数,可以指定namespace化的内核参数在容器内动态设置,当前仅支持net、ipc。 + +## 参数说明 + + -

命令

参数

@@ -46,45 +46,45 @@
- -## 约束限制 - -- 如果容器启动同时指定了--privileged(特权容器)和--ns-change-opt,则--ns-change-opt不生效。 - -## 使用示例 - -启动容器, 指定--ns-change-opt=net: - -``` -[root@localhost ~]# isula run -tid --ns-change-opt net --system-container --external-rootfs /root/myrootfs none init -4bf44a42b4a14fdaf127616c90defa64b4b532b18efd15b62a71cbf99ebc12d2 -[root@localhost ~]# isula exec -it 4b mount | grep /proc/sys -proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime) -proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime) -proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime) -``` - -可以看到容器内/proc/sys/net挂载点为rw,说明net相关的namespace化的内核参数具有读写权限。 - -再启动一个容器,指定--ns-change-opt=ipc: - -``` -[root@localhost ~]# isula run -tid --ns-change-opt ipc --system-container --external-rootfs /root/myrootfs none init -c62e5e5686d390500dab2fa76b6c44f5f8da383a4cbbeac12cfada1b07d6c47f -[root@localhost ~]# isula exec -it c6 mount | grep /proc/sys -proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime) -proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime) -proc on /proc/sys/kernel/shmmax type proc (rw,nosuid,nodev,noexec,relatime) -proc on /proc/sys/kernel/shmmni type proc (rw,nosuid,nodev,noexec,relatime) -proc on /proc/sys/kernel/shmall type proc (rw,nosuid,nodev,noexec,relatime) -proc on /proc/sys/kernel/shm_rmid_forced type proc (rw,nosuid,nodev,noexec,relatime) -proc on /proc/sys/kernel/msgmax type proc (rw,nosuid,nodev,noexec,relatime) -proc on /proc/sys/kernel/msgmni type proc (rw,nosuid,nodev,noexec,relatime) -proc on /proc/sys/kernel/msgmnb type proc (rw,nosuid,nodev,noexec,relatime) -proc on /proc/sys/kernel/sem type proc (rw,nosuid,nodev,noexec,relatime) -proc on /proc/sys/fs/mqueue type proc (rw,nosuid,nodev,noexec,relatime) -``` - -可以看到容器内ipc相关的内核参数挂载点为rw,说明ipc相关的namespace化的内核参数具有读写权限。 - + + +## 约束限制 + +- 如果容器启动同时指定了--privileged(特权容器)和--ns-change-opt,则--ns-change-opt不生效。 + +## 使用示例 + +启动容器, 指定--ns-change-opt=net: + +``` +[root@localhost ~]# isula run 
-tid --ns-change-opt net --system-container --external-rootfs /root/myrootfs none init +4bf44a42b4a14fdaf127616c90defa64b4b532b18efd15b62a71cbf99ebc12d2 +[root@localhost ~]# isula exec -it 4b mount | grep /proc/sys +proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime) +proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime) +proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime) +``` + +可以看到容器内/proc/sys/net挂载点为rw,说明net相关的namespace化的内核参数具有读写权限。 + +再启动一个容器,指定--ns-change-opt=ipc: + +``` +[root@localhost ~]# isula run -tid --ns-change-opt ipc --system-container --external-rootfs /root/myrootfs none init +c62e5e5686d390500dab2fa76b6c44f5f8da383a4cbbeac12cfada1b07d6c47f +[root@localhost ~]# isula exec -it c6 mount | grep /proc/sys +proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime) +proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime) +proc on /proc/sys/kernel/shmmax type proc (rw,nosuid,nodev,noexec,relatime) +proc on /proc/sys/kernel/shmmni type proc (rw,nosuid,nodev,noexec,relatime) +proc on /proc/sys/kernel/shmall type proc (rw,nosuid,nodev,noexec,relatime) +proc on /proc/sys/kernel/shm_rmid_forced type proc (rw,nosuid,nodev,noexec,relatime) +proc on /proc/sys/kernel/msgmax type proc (rw,nosuid,nodev,noexec,relatime) +proc on /proc/sys/kernel/msgmni type proc (rw,nosuid,nodev,noexec,relatime) +proc on /proc/sys/kernel/msgmnb type proc (rw,nosuid,nodev,noexec,relatime) +proc on /proc/sys/kernel/sem type proc (rw,nosuid,nodev,noexec,relatime) +proc on /proc/sys/fs/mqueue type proc (rw,nosuid,nodev,noexec,relatime) +``` + +可以看到容器内ipc相关的内核参数挂载点为rw,说明ipc相关的namespace化的内核参数具有读写权限。 + diff --git a/content/zh/docs/Installation/public_sys-resources/icon-caution.gif b/docs/zh/docs/Container/public_sys-resources/icon-caution.gif similarity index 100% rename from content/zh/docs/Installation/public_sys-resources/icon-caution.gif rename to docs/zh/docs/Container/public_sys-resources/icon-caution.gif 
diff --git a/content/zh/docs/Installation/public_sys-resources/icon-danger.gif b/docs/zh/docs/Container/public_sys-resources/icon-danger.gif similarity index 100% rename from content/zh/docs/Installation/public_sys-resources/icon-danger.gif rename to docs/zh/docs/Container/public_sys-resources/icon-danger.gif diff --git a/content/zh/docs/Installation/public_sys-resources/icon-note.gif b/docs/zh/docs/Container/public_sys-resources/icon-note.gif similarity index 100% rename from content/zh/docs/Installation/public_sys-resources/icon-note.gif rename to docs/zh/docs/Container/public_sys-resources/icon-note.gif diff --git a/content/zh/docs/Installation/public_sys-resources/icon-notice.gif b/docs/zh/docs/Container/public_sys-resources/icon-notice.gif similarity index 100% rename from content/zh/docs/Installation/public_sys-resources/icon-notice.gif rename to docs/zh/docs/Container/public_sys-resources/icon-notice.gif diff --git a/content/zh/docs/Installation/public_sys-resources/icon-tip.gif b/docs/zh/docs/Container/public_sys-resources/icon-tip.gif similarity index 100% rename from content/zh/docs/Installation/public_sys-resources/icon-tip.gif rename to docs/zh/docs/Container/public_sys-resources/icon-tip.gif diff --git a/content/zh/docs/Installation/public_sys-resources/icon-warning.gif b/docs/zh/docs/Container/public_sys-resources/icon-warning.gif similarity index 100% rename from content/zh/docs/Installation/public_sys-resources/icon-warning.gif rename to docs/zh/docs/Container/public_sys-resources/icon-warning.gif 
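Review bot: In the namespace化内核参数可写.md hunk above, the 约束限制 line only says that `--ns-change-opt` 不生效 when `--privileged` is also given, and does not say which `/proc/sys` access the container ends up with. Because 功能描述 contrasts this net/ipc-only option with privileged containers, where a change to a globally effective parameter affects every program on the host, the constraint should state the resulting behaviour explicitly. The removed and re-added lines are otherwise identical in text, so if this is only a line-ending normalisation the commit message should say so.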
diff --git "a/content/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\347\275\221\347\273\234.md" "b/docs/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\347\275\221\347\273\234.md" similarity index 95% rename from "content/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\347\275\221\347\273\234.md" rename to "docs/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\347\275\221\347\273\234.md" index e6b1cc316d0cb8ee4a113f020bc45630a3bf9c65..9365d47a3bb909383b25c8fad7ded3b02ed0ae4b 100644 --- "a/content/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\347\275\221\347\273\234.md" +++ "b/docs/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\347\275\221\347\273\234.md" @@ -46,14 +46,14 @@

必选

-

设置网卡的主机端名字。支持字母、数字、下划线“_”、“-” 以及“.”字符,必须以字母开头,且长度不超过15。需要确保同一个宿主机上device不能重复。

+

设置网卡的主机端名字。支持字母、数字、下划线“\_”、“-” 以及“.”字符,必须以字母开头,且长度不超过15。需要确保同一个宿主机上device不能重复。

name

必选

-

设置网卡的容器内名称。支持字母、数字、下划线“_”、“-” 以及“.”字符,必须以字母开头,且长度不超过15。需要确保同一个Sandbox内name不能重复。

+

设置网卡的容器内名称。支持字母、数字、下划线“\_”、“-” 以及“.”字符,必须以字母开头,且长度不超过15。需要确保同一个Sandbox内name不能重复。

IPAddresses

@@ -114,7 +114,7 @@ null ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >当网卡添加成功时,如果为其指定了IP地址,则kata会为新添加的网卡添加一条destination为同网段地址的默认路由,如上例中添加网卡之后容器内有如下路由被添加: >``` >[root@6ec7a98 /]# ip route @@ -194,7 +194,7 @@ - gateway:设置路由的下一跳网关。设置"dest":"default"时,gateway必选;其他情况可选。 - device:必选。设置路由对应的网卡名称,最长支持15字符。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >如果为容器内的回环设备lo添加路由时,路由配置文件中的"device"字段对应的设备名称为"lo"。 4. **删除指定路由** @@ -225,7 +225,7 @@ null ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- 输入字段中dest为必选,device/gateway均为可选。kata根据不同字段进行模糊匹配,删除对应的路由规则。例如指定了dest为某个IP,则所有该IP的规则都会被删除。 >- 如果删除的是容器内回环设备lo的路由时,路由配置文件中的"device"字段对应的设备名称为"lo"。 @@ -235,7 +235,7 @@ $ cat ./test-iface.json | kata-runtime kata-network del-iface 6ec7a98 - ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >删除网卡时,仅根据网卡容器内名称(name字段)来删除。即便填写其他字段,kata也不会使用。 kata-runtime kata-network del-iface删除网卡命令执行返回结果说明: @@ -314,7 +314,7 @@ kata-runtime kata-ipvs ipvsadm --restore - < <规则文件路径> ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >单条添加时默认使用NAT模式,批量导入时添加真实服务器需手动添加-m参数使用NAT模式。 >规则文件内容示例: >-A -t 10.10.11.12:100 -s rr -p 3000 @@ -334,7 +334,7 @@ kata-runtime kata-ipvs ipvsadm --parameters "--set 100 100 200" ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >1. 每个容器支持iptables规则数量最大为20000条(5k service,3个server/service),add-service和add-server都算作规则。 >2. 批量导入前需清空已有规则。 >3. 不存在并发测试场景。 
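Review bot: In the last hunk of 为安全容器配置网络.md (@@ -334,7 +334,7), the note whose icon line is edited caps each container at 20000 "iptables规则" yet counts `add-service` and `add-server` entries, which are the `kata-runtime kata-ipvs ipvsadm` operations documented just above it. If the limit applies to IPVS rules, rename it while this note is being touched, so operators do not read it as a cap on iptables rules.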
diff --git "a/content/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\350\265\204\346\272\220.md" "b/docs/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\350\265\204\346\272\220.md" similarity index 98% rename from "content/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\350\265\204\346\272\220.md" rename to "docs/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\350\265\204\346\272\220.md" index 55aa35dfaaefe14d7d0afc5507bf98745601f98e..f0856085a8c84257048b870cd811577390165ec4 100644 --- "a/content/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\350\265\204\346\272\220.md" +++ "b/docs/zh/docs/Container/\344\270\272\345\256\211\345\205\250\345\256\271\345\231\250\351\205\215\347\275\256\350\265\204\346\272\220.md" @@ -45,7 +45,7 @@ Socket(s): 4 ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >CPU个数可以设置的最大值为当前OS上可供运行的CPU值(除去隔离核),最小值为0.5个CPU。 2. 配置容器CPU运行资源 @@ -98,7 +98,7 @@ 3. 配置CPU热插拔功能 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >安全容器CPU热插拔功能需要虚拟化组件qemu支持CPU热插拔。 kata-runtime配置文件config.toml中**enable\_cpu\_memory\_hotplug**选项负责开启和禁用CPU和内存热插拔。默认取值为false,表示禁用CPU和内存热插拔功能;取值为true,表示开启CPU和内存热插拔功能。 @@ -157,7 +157,7 @@    - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >由于pause容器只是一个占位容器没有工作负载,所以轻量级虚机启动时默认分配的1个CPU可以被其它容器共享,因此上面例子中启动的新容器只需要再热插3个CPU到轻量级虚机中即可。 - 当停止热插了CPU的容器后,启动容器时热插进去的CPU也会被拔出。 
@@ -187,7 +187,7 @@ Swap: 0 0 0 ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- 如果没有通过--annotation com.github.containers.virtcontainers.sandbox\_mem显示地设置轻量级虚机的内存大小,则轻量级虚机默认使用的内存大小为1GB。 >- 安全容器一个Pod的最小内存规格是1GB,支持的最大内存规格是256GB。如果用户分配的内存规格超过256GB,可能会出现未定义的错误,安全容器暂不支持超过256GB的大内存场景。 @@ -216,7 +216,7 @@ 同配置CPU热插拔功能一样,MEM的热插功能也是由kata-runtime配置文件config.toml中**enable\_cpu\_memory\_hotplug**选项配置,用法参见[3](#限制CPU资源.md#zh-cn_topic_0183903699_li2167326144011)。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >内存资源当前只支持热插,不支持内存热拔。 kata-runtime中复用了**-m**选项实现了MEM热插的功能,通过统计Pod中所有容器的**-m**选项的和,然后确定需要热插多少内存到轻量级虚机中,例如, @@ -255,7 +255,7 @@ Swap: 0 0 0 ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >由于pause容器只是一个占位容器没有工作负载,所以轻量级虚机启动时分配的内存可以被其它容器共享使用,因此上面例子中启动的新容器只需要再热插3GB的内存到轻量级虚机中即可。 @@ -334,7 +334,7 @@ docker run -tid --runtime kata-runtime --network none --annotation io.kubernetes.docker.type=podsandbox --files-limit bash ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 如果**--files-limit**选项的取值小于安全容器默认设置的最小值1024且不为0时,安全容器qemu进程最多可以打开的文件描述符数量会被设置为最小值1024。 >- 如果**--files-limit**选项的取值为0时,安全容器qemu进程最多可以打开的文件描述符数量为系统可以打开文件描述符的最大值/proc/sys/fs/file-max除以400后得到的默认值。 >- 如果启动安全容器时没有显示指定**--files-limit**可以打开的文件描述符的上限,安全容器qemu进程可以打开的文件描述符数量的上限和系统默认值保持一致。 
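Review bot: In the @@ -216,7 +216,7 hunk of 为安全容器配置资源.md, the context line still links to `[3](#限制CPU资源.md#zh-cn_topic_0183903699_li2167326144011)`, a fragment that embeds a `.md` file name followed by a second `#` anchor. With the file moving from content/zh/docs to docs/zh/docs in this commit, please check that the link resolves in the rendered page and, if it does not, point it at the CPU hot-plug step (step 3) in this document. The neighbouring notes also write 显示 where 显式 is meant, in "显示地设置" and "没有显示指定".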
diff --git "a/content/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227-1.md" "b/docs/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227-1.md" similarity index 93% rename from "content/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227-1.md" rename to "docs/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227-1.md" index 2efb60fa790ddcf4c7b4d56646680ff91db30cd6..36943fc57b1829a1629916b8d7f691d4a76f6b66 100644 --- "a/content/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227-1.md" +++ "b/docs/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227-1.md" @@ -16,5 +16,5 @@ isula create/run [OPTIONS] [COMMAND] [ARG...] - COMMAND:系统容器启动后执行的命令。 - ARG:系统容器启动后执行命令对应的参数。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >系统容器的使用需要root权限。 diff --git "a/docs/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227.md" "b/docs/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227.md" new file mode 100644 index 0000000000000000000000000000000000000000..8a9147aa3754ec51b829cc39be0d568921c3c9bb --- /dev/null +++ "b/docs/zh/docs/Container/\344\275\277\347\224\250\346\214\207\345\215\227.md" @@ -0,0 +1,5 @@ +# 使用指南 + +本章介绍iSula容器引擎的使用方法。 +>![](./public_sys-resources/icon-note.gif) **说明:** +>iSulad的所有使用操作均需要使用root权限。 
diff --git "a/content/zh/docs/Container/\344\275\277\347\224\250\346\226\271\346\263\225-1.md" "b/docs/zh/docs/Container/\344\275\277\347\224\250\346\226\271\346\263\225-1.md" similarity index 63% rename from "content/zh/docs/Container/\344\275\277\347\224\250\346\226\271\346\263\225-1.md" rename to "docs/zh/docs/Container/\344\275\277\347\224\250\346\226\271\346\263\225-1.md" index 3df844abdc6d73e07372440ee141020c273a2c03..d72a36cfbb143542b48c4ae537063aa86b74aad7 100644 --- "a/content/zh/docs/Container/\344\275\277\347\224\250\346\226\271\346\263\225-1.md" +++ "b/docs/zh/docs/Container/\344\275\277\347\224\250\346\226\271\346\263\225-1.md" @@ -1,6 +1,6 @@ # 使用方法 本章介绍安全容器的使用方法。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >安全容器的使用需要root权限。 diff --git "a/content/zh/docs/Container/\345\205\261\344\272\253\345\206\205\345\255\230\351\200\232\351\201\223.md" "b/docs/zh/docs/Container/\345\205\261\344\272\253\345\206\205\345\255\230\351\200\232\351\201\223.md" similarity index 98% rename from "content/zh/docs/Container/\345\205\261\344\272\253\345\206\205\345\255\230\351\200\232\351\201\223.md" rename to "docs/zh/docs/Container/\345\205\261\344\272\253\345\206\205\345\255\230\351\200\232\351\201\223.md" index 159542efcb7f7bec800d96159ec79e41909892fc..ec3b77a3bb5c4264a83d3321ab7d58555bff8718 100644 --- "a/content/zh/docs/Container/\345\205\261\344\272\253\345\206\205\345\255\230\351\200\232\351\201\223.md" +++ "b/docs/zh/docs/Container/\345\205\261\344\272\253\345\206\205\345\255\230\351\200\232\351\201\223.md" @@ -1,12 +1,12 @@ -# 共享内存通道 - -## 功能描述 - -系统容器提供容器与主机进程通过共享内存进行通信的功能,通过在容器创建时配置\--host-channel参数,可以在容器与主机之间共享同一tmpfs,从而达到主机与容器间通信的功能。 - -## 参数说明 - - +# 共享内存通道 + +## 功能描述 + +系统容器提供容器与主机进程通过共享内存进行通信的功能,通过在容器创建时配置\--host-channel参数,可以在容器与主机之间共享同一tmpfs,从而达到主机与容器间通信的功能。 + +## 参数说明 + + -

命令

参数

@@ -28,29 +28,29 @@
- -## 约束限制 - -- 宿主机上挂载的tmpfs的生命周期为从容器启动到容器删除,容器删除并解除对空间的占用后会移除这片空间。 -- 容器删除时会将宿主机上挂载tmpfs的路径删除,所以不允许使用宿主机上已存在的目录。 -- 为了宿主机上非root用户运行的进程能够与容器内进行通信,宿主机上tmpfs挂载的权限为1777。 - -## 使用示例 - -创建容器时指定\--host-channel参数: - -``` -[root@localhost ~]# isula run --rm -it --host-channel /testdir:/testdir:rw:32M --system-container --external-rootfs /root/myrootfs none init -root@3b947668eb54:/# dd if=/dev/zero of=/testdir/test.file bs=1024 count=64K -dd: error writing '/testdir/test.file': No space left on device -32769+0 records in -32768+0 records out -33554432 bytes (34 MB, 32 MiB) copied, 0.0766899 s, 438 MB/s -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->- 使用--host-channel大小限制时,若在容器内创建共享文件,则会受到容器内的内存配额限制(在容器内存使用达到极限时可能会产生oom)。 ->- 若用户在主机端创建共享文件,则不受容器内的内存配额限制。 ->- 若用户需要在容器内创建共享文件,且业务为内存密集型,可以通过设置容器内存配额为在原本基础上加上--host-channel配置的大小来消除影响。 - + + +## 约束限制 + +- 宿主机上挂载的tmpfs的生命周期为从容器启动到容器删除,容器删除并解除对空间的占用后会移除这片空间。 +- 容器删除时会将宿主机上挂载tmpfs的路径删除,所以不允许使用宿主机上已存在的目录。 +- 为了宿主机上非root用户运行的进程能够与容器内进行通信,宿主机上tmpfs挂载的权限为1777。 + +## 使用示例 + +创建容器时指定\--host-channel参数: + +``` +[root@localhost ~]# isula run --rm -it --host-channel /testdir:/testdir:rw:32M --system-container --external-rootfs /root/myrootfs none init +root@3b947668eb54:/# dd if=/dev/zero of=/testdir/test.file bs=1024 count=64K +dd: error writing '/testdir/test.file': No space left on device +32769+0 records in +32768+0 records out +33554432 bytes (34 MB, 32 MiB) copied, 0.0766899 s, 438 MB/s +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>- 使用--host-channel大小限制时,若在容器内创建共享文件,则会受到容器内的内存配额限制(在容器内存使用达到极限时可能会产生oom)。 +>- 若用户在主机端创建共享文件,则不受容器内的内存配额限制。 +>- 若用户需要在容器内创建共享文件,且业务为内存密集型,可以通过设置容器内存配额为在原本基础上加上--host-channel配置的大小来消除影响。 + 
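Review bot: Every line of this file is removed and re-added with identical text; the only visible content change is the icon path gaining `./` in the 说明 block near the end of the hunk. That pattern usually means a line-ending or whitespace normalisation was bundled with the rename. Please state that in the commit message or split the normalisation into its own commit, so the one real change is reviewable and blame history for the 约束限制 section (including the statement that the host tmpfs is mounted with mode 1777) is not rewritten without explanation.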
diff --git "a/content/zh/docs/Container/\345\212\250\346\200\201\345\212\240\350\275\275\345\206\205\346\240\270\346\250\241\345\235\227.md" "b/docs/zh/docs/Container/\345\212\250\346\200\201\345\212\240\350\275\275\345\206\205\346\240\270\346\250\241\345\235\227.md" similarity index 97% rename from "content/zh/docs/Container/\345\212\250\346\200\201\345\212\240\350\275\275\345\206\205\346\240\270\346\250\241\345\235\227.md" rename to "docs/zh/docs/Container/\345\212\250\346\200\201\345\212\240\350\275\275\345\206\205\346\240\270\346\250\241\345\235\227.md" index d5c65f9e4ea5c4b5047863f2acaba8ff08772c0e..0c6b898f04273d31bb1cac263b68a138095cc69d 100644 --- "a/content/zh/docs/Container/\345\212\250\346\200\201\345\212\240\350\275\275\345\206\205\346\240\270\346\250\241\345\235\227.md" +++ "b/docs/zh/docs/Container/\345\212\250\346\200\201\345\212\240\350\275\275\345\206\205\346\240\270\346\250\241\345\235\227.md" @@ -1,12 +1,12 @@ -# 动态加载内核模块 - -## 功能描述 - -容器内业务可能依赖某些内核模块,可通过设置环境变量的方式,在系统容器启动前动态加载容器中业务需要的内核模块到宿主机,此特性需要配合syscontainer-hooks一起使用,具体使用可参看"容器资源动态管理(syscontainer-tools)"章节。 - -## 参数说明 - - +# 动态加载内核模块 + +## 功能描述 + +容器内业务可能依赖某些内核模块,可通过设置环境变量的方式,在系统容器启动前动态加载容器中业务需要的内核模块到宿主机,此特性需要配合syscontainer-hooks一起使用,具体使用可参看"容器资源动态管理(syscontainer-tools)"章节。 + +## 参数说明 + + -

命令

参数

@@ -23,31 +23,31 @@
- -## 约束限制 - -- 如果加载的内核模块是未经过验证的,或者跟宿主机已有模块冲突的场景,会导致宿主机出现不可预知问题,在做加载内核模块时需要谨慎操作。 -- 动态加载内核模块通过将需要加载的内核模块传递给容器,此功能是依靠syscontainer-tools捕获到容器启动的环境变量实现,依赖syscontainer-tools的正确安装部署。 -- 加载的内核模块需要手动进行删除。 - -## 使用示例 - -启动系统容器时,指定-e KERNEL\_MODULES参数,待系统容器启动后,可以看到ip\_vs模块被成功加载到内核中。 - -``` -[root@localhost ~]# lsmod | grep ip_vs -[root@localhost ~]# isula run -tid -e KERNEL_MODULES=ip_vs,ip_vs_wrr --hook-spec /etc/syscontainer-tools/hookspec.json --system-container --external-rootfs /root/myrootfs none init -ae18c4281d5755a1e153a7bff6b3b4881f36c8e528b9baba8a3278416a5d0980 -[root@localhost ~]# lsmod | grep ip_vs -ip_vs_wrr 16384 0 -ip_vs 176128 2 ip_vs_wrr -nf_conntrack 172032 7 xt_conntrack,nf_nat,nf_nat_ipv6,ipt_MASQUERADE,nf_nat_ipv4,nf_conntrack_netlink,ip_vs -nf_defrag_ipv6 20480 2 nf_conntrack,ip_vs -libcrc32c 16384 3 nf_conntrack,nf_nat,ip_vs -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->- 宿主机需要安装syscontainer-tools。 ->- 需要指定--hooks-spec为syscontainer hooks。 - + + +## 约束限制 + +- 如果加载的内核模块是未经过验证的,或者跟宿主机已有模块冲突的场景,会导致宿主机出现不可预知问题,在做加载内核模块时需要谨慎操作。 +- 动态加载内核模块通过将需要加载的内核模块传递给容器,此功能是依靠syscontainer-tools捕获到容器启动的环境变量实现,依赖syscontainer-tools的正确安装部署。 +- 加载的内核模块需要手动进行删除。 + +## 使用示例 + +启动系统容器时,指定-e KERNEL\_MODULES参数,待系统容器启动后,可以看到ip\_vs模块被成功加载到内核中。 + +``` +[root@localhost ~]# lsmod | grep ip_vs +[root@localhost ~]# isula run -tid -e KERNEL_MODULES=ip_vs,ip_vs_wrr --hook-spec /etc/syscontainer-tools/hookspec.json --system-container --external-rootfs /root/myrootfs none init +ae18c4281d5755a1e153a7bff6b3b4881f36c8e528b9baba8a3278416a5d0980 +[root@localhost ~]# lsmod | grep ip_vs +ip_vs_wrr 16384 0 +ip_vs 176128 2 ip_vs_wrr +nf_conntrack 172032 7 xt_conntrack,nf_nat,nf_nat_ipv6,ipt_MASQUERADE,nf_nat_ipv4,nf_conntrack_netlink,ip_vs +nf_defrag_ipv6 20480 2 nf_conntrack,ip_vs +libcrc32c 16384 3 nf_conntrack,nf_nat,ip_vs +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>- 宿主机需要安装syscontainer-tools。 +>- 需要指定--hooks-spec为syscontainer hooks。 + 
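Review bot: The flag name is inconsistent inside the re-added text: the 使用示例 command passes `--hook-spec /etc/syscontainer-tools/hookspec.json`, while the second 说明 bullet at the end of the hunk tells the reader to specify `--hooks-spec`. Only one spelling can match the CLI. Since these lines are being rewritten in this change anyway, align the bullet with the command (or the command with the bullet) so that a reader following the note does not end up starting the container without the hook that loads the modules.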
diff --git "a/content/zh/docs/Container/\345\215\207\347\272\247.md" "b/docs/zh/docs/Container/\345\215\207\347\272\247.md" similarity index 94% rename from "content/zh/docs/Container/\345\215\207\347\272\247.md" rename to "docs/zh/docs/Container/\345\215\207\347\272\247.md" index b9ffd7f394b64640a1b98cd2461ad41a4fdb2fa1..c93a36cbeb91dde4ffd6d783f1608b2bec9a6a64 100644 --- "a/content/zh/docs/Container/\345\215\207\347\272\247.md" +++ "b/docs/zh/docs/Container/\345\215\207\347\272\247.md" @@ -8,7 +8,7 @@ - 若为不同大版本之间的升级,例如从1.x.x版本升级到2.x.x版本,请先保存当前的配置文件/etc/isulad/daemon.json,并卸载已安装的iSulad软件包,然后安装待升级的iSulad软件包,随后恢复配置文件。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 可通过** sudo rpm -qa |grep iSulad** 或 **isula version** 命令确认当前iSulad的版本号。 >- 相同大版本之间,如果希望手动升级,请下载iSulad及其所有依赖库的RPM包进行升级,参考命令如下: > ``` diff --git "a/content/zh/docs/Container/\345\215\270\350\275\275.md" "b/docs/zh/docs/Container/\345\215\270\350\275\275.md" similarity index 100% rename from "content/zh/docs/Container/\345\215\270\350\275\275.md" rename to "docs/zh/docs/Container/\345\215\270\350\275\275.md" diff --git "a/content/zh/docs/Container/\345\221\275\344\273\244\350\241\214\345\217\202\350\200\203.md" "b/docs/zh/docs/Container/\345\221\275\344\273\244\350\241\214\345\217\202\350\200\203.md" similarity index 100% rename from "content/zh/docs/Container/\345\221\275\344\273\244\350\241\214\345\217\202\350\200\203.md" rename to "docs/zh/docs/Container/\345\221\275\344\273\244\350\241\214\345\217\202\350\200\203.md" 
diff --git "a/content/zh/docs/Container/\345\256\211\345\205\250\345\256\271\345\231\250.md" "b/docs/zh/docs/Container/\345\256\211\345\205\250\345\256\271\345\231\250.md" similarity index 89% rename from "content/zh/docs/Container/\345\256\211\345\205\250\345\256\271\345\231\250.md" rename to "docs/zh/docs/Container/\345\256\211\345\205\250\345\256\271\345\231\250.md" index 59dfe5bf88d08372051bf6863ebc7a19312655fd..76e33373445909d664bdaf2ac05dd58ee40be6fb 100644 --- "a/content/zh/docs/Container/\345\256\211\345\205\250\345\256\271\345\231\250.md" +++ "b/docs/zh/docs/Container/\345\256\211\345\205\250\345\256\271\345\231\250.md" @@ -7,7 +7,7 @@ 安全容器是使用虚拟化层进行容器间的隔离,同一个主机上不同的容器间运行互相不受影响。 **图 1** 安全容器架构 -![](figures/kata-arch.png) +![](./figures/kata-arch.png) 安全容器与Kubernetes中的Pod概念紧密联系,Kubernetes为容器调度管理平台的开源生态标准,它定义了一组容器操作相关接口(Container Runtime Interface 简称CRI)。 @@ -20,8 +20,8 @@ 安全容器与周边组件的关系如[图2](#fig17734185518269)所示。 **图 2** 安全容器与周边组件的关系 -![](figures/安全容器与周边组件的关系.png "安全容器与周边组件的关系") +![](./figures/zh_cn_image_0221924928.png) ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >安全容器的安装和使用需要使用root权限。 
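Review bot: The second image change in this file is more than a path prefix: `figures/安全容器与周边组件的关系.png "安全容器与周边组件的关系"` becomes `./figures/zh_cn_image_0221924928.png`, which points at a different file and drops the title, the only descriptive text attached to 图 2. Confirm that `zh_cn_image_0221924928.png` is added under this directory's `figures/` in the same commit, and keep the description, for example as alt text: `![安全容器与周边组件的关系](./figures/zh_cn_image_0221924928.png)`.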
diff --git "a/content/zh/docs/Container/\345\256\211\345\205\250\346\200\247\345\222\214\351\232\224\347\246\273\346\200\247.md" "b/docs/zh/docs/Container/\345\256\211\345\205\250\346\200\247\345\222\214\351\232\224\347\246\273\346\200\247.md" similarity index 99% rename from "content/zh/docs/Container/\345\256\211\345\205\250\346\200\247\345\222\214\351\232\224\347\246\273\346\200\247.md" rename to "docs/zh/docs/Container/\345\256\211\345\205\250\346\200\247\345\222\214\351\232\224\347\246\273\346\200\247.md" index 200736c81e65491a747287f965ca92f53ea6ff4d..a7e3676cf7e1eade5c0366b1bc6a0f7778ef724e 100644 --- "a/content/zh/docs/Container/\345\256\211\345\205\250\346\200\247\345\222\214\351\232\224\347\246\273\346\200\247.md" +++ "b/docs/zh/docs/Container/\345\256\211\345\205\250\346\200\247\345\222\214\351\232\224\347\246\273\346\200\247.md" @@ -46,7 +46,7 @@ user namespace是将容器的root映射到主机的普通用户,使得容器 ### 使用指导 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >指定--user-remap参数前,请先将rootfs下所有目录和文件的uid和gid做整体偏移,偏移量为--user-remap指定uid和gid的偏移量。 >例如将dev目录的uid和gid整体uid和gid偏移100000的参考命令为: >chown 100000:100000 dev @@ -184,7 +184,7 @@ exit - Alice可以执行任何container操作:\{"name":"policy\_5","users":\["alice"\],"actions":\["container"\]\}。 - Alice可以执行任何container操作,但请求的种类只能是get:\{"name":"policy\_5","users":\["alice"\],"actions":\["container"\], "readonly":true \}。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- 配置中匹配action支持正则表达式。 >- users不支持正则表达式。 >- users不能有重复用户,即同一用户不能被多条规则匹配。 
diff --git "a/content/zh/docs/Container/\345\256\211\345\205\250\347\211\271\346\200\247.md" "b/docs/zh/docs/Container/\345\256\211\345\205\250\347\211\271\346\200\247.md" similarity index 98% rename from "content/zh/docs/Container/\345\256\211\345\205\250\347\211\271\346\200\247.md" rename to "docs/zh/docs/Container/\345\256\211\345\205\250\347\211\271\346\200\247.md" index 2b42fa30891ad70be07fdea0620f7c9fe89f0d09..9c7701ba978e0d052be1fa1f5482e50324560c31 100644 --- "a/content/zh/docs/Container/\345\256\211\345\205\250\347\211\271\346\200\247.md" +++ "b/docs/zh/docs/Container/\345\256\211\345\205\250\347\211\271\346\200\247.md" @@ -31,7 +31,7 @@ seccomp(**secure computing** **mode**)是linux kernel从2.6.23版本开始 isula run -itd --security-opt seccomp=/path/to/seccomp/profile.json rnd-dockerhub.huawei.com/official/busybox ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >1. 创建容器时通过--security-opt将配置文件传给容器时,采用默认配置文件(/etc/isulad/seccomp\_default.json)。 >2. 创建容器时--security-opt设置为unconfined时,对容器不过滤系统调用。 >3. “/path/to/seccomp/profile.json”需要是绝对路径。 @@ -117,7 +117,7 @@ isula run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json rnd-dock } ``` ->![](public_sys-resources/icon-notice.gif) **须知:** +>![](./public_sys-resources/icon-notice.gif) **须知:** >- defaultAction、syscalls:对应的action的类型是一样的,但其值是不能一样的,目的就是让所有的syscal都有一个默认的action,并且如果syscalls数组中有明确的定义,就以syscalls中的为准,由于defaultAction、action的值不一样,就能保证action不会有冲突。当前支持的action有: > "SCMP\_ACT\_ERRNO":禁止,并打印错误信息。 > "SCMP\_ACT\_ALLOW":允许。 
@@ -196,7 +196,7 @@ SELinux\(Security-Enhanced Linux\)是一个Linux内核的安全模块,提供 - 引入SELinux会影响性能,设置SELinux之前需要对场景进行评估,确定必要时打开daemon端SELinux开关并设置容器SELinux配置 - 对挂载卷进行标签配置时,源目录不允许为/、/usr、/etc、/tmp、/home、/run、/var、/root以及/usr的子目录。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 目前iSulad不支持对容器的文件系统打标签,确保容器文件系统及配置目录打上容器可访问标签,需使用chcon命令对其打上标签。 >- 若iSulad启用SELinux访问控制,建议daemon启动前对/var/lib/isulad目录打上标签,容器容器创建时目录下生产的文件及文件夹将默认继承其标签,例如: > ``` diff --git "a/content/zh/docs/Container/\345\256\211\350\243\205-\345\215\207\347\272\247\344\270\216\345\215\270\350\275\275.md" "b/docs/zh/docs/Container/\345\256\211\350\243\205-\345\215\207\347\272\247\344\270\216\345\215\270\350\275\275.md" similarity index 100% rename from "content/zh/docs/Container/\345\256\211\350\243\205-\345\215\207\347\272\247\344\270\216\345\215\270\350\275\275.md" rename to "docs/zh/docs/Container/\345\256\211\350\243\205-\345\215\207\347\272\247\344\270\216\345\215\270\350\275\275.md" diff --git "a/content/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256-2.md" "b/docs/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256-2.md" similarity index 100% rename from "content/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256-2.md" rename to "docs/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256-2.md" 
diff --git "a/content/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256.md" "b/docs/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256.md" similarity index 99% rename from "content/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256.md" rename to "docs/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256.md" index ba1a4f3a5434cc5ca2b683eae10c1f446cf03b3a..1549b7ea98dec2d8652ee9a08d7fcbded84b07d3 100644 --- "a/content/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256.md" +++ "b/docs/zh/docs/Container/\345\256\211\350\243\205\344\270\216\351\205\215\347\275\256.md" @@ -1,6 +1,6 @@ # 安装与配置 本章介绍iSulad的安装、安装后配置,以及升级和卸载的方法。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >iSulad的安装、升级、卸载均需要使用root权限。 @@ -43,7 +43,7 @@ iSulad 安装完成后,可以根据需要进行相关配置。 轻量级容器引擎(iSulad)服务端daemon为isulad,isulad可以通过配置文件进行配置,也可以通过命令行的方式进行配置,例如:isulad --xxx,优先级从高到低是:命令行方式\>配置文件\>代码中默认配置。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >如果采用systemd管理iSulad进程,修改/etc/sysconfig/iSulad文件中的OPTIONS字段,等同于命令行方式进行配置。 - **命令行方式** @@ -489,7 +489,7 @@ iSulad 安装完成后,可以根据需要进行相关配置。 } ``` - >![](public_sys-resources/icon-notice.gif) **须知:** + >![](./public_sys-resources/icon-notice.gif) **须知:** >默认配置文件/etc/isulad/daemon.json仅供参考,请根据实际需要进行配置 @@ -504,14 +504,14 @@ iSulad 安装完成后,可以根据需要进行相关配置。 -

*

+

\*

/etc/default/isulad/

存放isulad的OCI配置文件和钩子模板文件,文件夹下的配置文件权限设置为0640,sysmonitor检查脚本权限为0550

-

*

+

\*

/etc/isulad/

@@ -532,35 +532,35 @@ iSulad 安装完成后,可以根据需要进行相关配置。

存放isulad的PID,同时也是一个文件锁防止启动多个isulad实例

-

*

+

\*

/run/lxc/

文件锁文件,isula运行过程创建的文件

-

*

+

\*

/var/run/isulad/

实时通讯缓存文件,isulad运行过程创建的文件

-

*

+

\*

/var/run/isula/

实时通讯缓存文件,isula运行过程创建的文件

-

*

+

\*

/var/lib/lcr/

LCR 组件临时目录

-

*

+

\*

/var/lib/isulad/
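Review bot: The `*` to `\*` replacements in this hunk and the previous one sit among table-cell lines. If the table is written as raw HTML, Markdown backslash escapes are not processed inside it and the rendered page will show a literal `\*`. Please check the rendered table; if the backslash is visible, use `&#42;` or keep the bare `*`.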

@@ -592,7 +592,7 @@ iSulad 安装完成后,可以根据需要进行相关配置。 - 日志文件管理: - >![](public_sys-resources/icon-notice.gif) **须知:** + >![](./public_sys-resources/icon-notice.gif) **须知:** >日志功能对接: iSulad由systemd管理,日志也由systemd管理,然后传输给rsyslogd。rsyslog默认会对写日志速度有限制,可以通过修改/etc/rsyslog.conf文件,增加"$imjournalRatelimitInterval 0"配置项,然后重启rsyslogd的服务即可。 - 命令行参数解析限制 @@ -786,7 +786,7 @@ iSulad采用C/S模式进行设计,在默认情况,iSulad守护进程isulad 如果需要采用单向认证方式进行通讯,则服务端采用模式2,客户端采用模式2。 ->![](public_sys-resources/icon-notice.gif) **须知:** +>![](./public_sys-resources/icon-notice.gif) **须知:** >- 采用RPM安装方式时,服务端配置可通过/etc/isulad/daemon.json以及/etc/sysconfig/iSulad配置修改 >- 相比非认证或者单向认证方式,双向认证具备更高的安全性,推荐使用双向认证的方式进行通讯 >- GRPC开源组件日志不由iSulad进行接管,如果需要查看GRPC相关日志,请按需设置GRPC\_VERBOSITY和GRPC\_TRACE环境变量 diff --git "a/content/zh/docs/Container/\345\256\211\350\243\205\346\214\207\345\257\274.md" "b/docs/zh/docs/Container/\345\256\211\350\243\205\346\214\207\345\257\274.md" similarity index 84% rename from "content/zh/docs/Container/\345\256\211\350\243\205\346\214\207\345\257\274.md" rename to "docs/zh/docs/Container/\345\256\211\350\243\205\346\214\207\345\257\274.md" index fbcd663a6015c6b18d9b3b7e887ac5b045549b08..fcf2db30db8519b5fad347b79784a77788e783b0 100644 --- "a/content/zh/docs/Container/\345\256\211\350\243\205\346\214\207\345\257\274.md" +++ "b/docs/zh/docs/Container/\345\256\211\350\243\205\346\214\207\345\257\274.md" 
@@ -1,31 +1,31 @@ -# 安装指导 - ->![](public_sys-resources/icon-note.gif) **说明:** ->系统容器的安装需要使用root权限。 - -1. 首先需要安装iSulad容器引擎。 - - ``` - # yum install iSulad - ``` - -2. 安装系统容器依赖包。 - - ``` - # yum install syscontainer-tools authz lxcfs-tools lxcfs - ``` - -3. 查看iSulad是否已经启动。 - - ``` - # systemctl status isulad - ``` - -4. 开启lxcfs和authz服务。 - - ``` - # systemctl start lxcfs - # systemctl start authz - ``` - - +# 安装指导 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>系统容器的安装需要使用root权限。 + +1. 首先需要安装iSulad容器引擎。 + + ``` + # yum install iSulad + ``` + +2. 安装系统容器依赖包。 + + ``` + # yum install syscontainer-tools authz lxcfs-tools lxcfs + ``` + +3. 查看iSulad是否已经启动。 + + ``` + # systemctl status isulad + ``` + +4. 开启lxcfs和authz服务。 + + ``` + # systemctl start lxcfs + # systemctl start authz + ``` + + diff --git "a/content/zh/docs/Container/\345\256\211\350\243\205\351\205\215\347\275\256-3.md" "b/docs/zh/docs/Container/\345\256\211\350\243\205\351\205\215\347\275\256-3.md" similarity index 98% rename from "content/zh/docs/Container/\345\256\211\350\243\205\351\205\215\347\275\256-3.md" rename to "docs/zh/docs/Container/\345\256\211\350\243\205\351\205\215\347\275\256-3.md" index 12d586d56f7a819ae6437f0321f5d018d24970a3..4a061007ea07524a3a1034cdc0b970a1d254d4cd 100644 --- "a/content/zh/docs/Container/\345\256\211\350\243\205\351\205\215\347\275\256-3.md" +++ "b/docs/zh/docs/Container/\345\256\211\350\243\205\351\205\215\347\275\256-3.md" 
@@ -52,12 +52,12 @@ cat /etc/docker/daemon.json 用户需要明白重新指定各种运行目录和文件(包括--graph、--exec-root等),可能会存在目录冲突,或文件属性变换,对应用的正常使用造成影响。 ->![](public_sys-resources/icon-notice.gif) **须知:** +>![](./public_sys-resources/icon-notice.gif) **须知:** >用户指定的目录或文件应为docker专用,避免冲突导致的文件属性变化带来安全问题。 - 以--graph为例,当我们使用/new/path/作为daemon新的Root Dir时,如果/new/path/下已经存在文件,且目录或文件名与docker需要使用的目录或文件名冲突(例如: containers、hooks、tmp等目录)时,docker可能会更新原有目录或文件的属性,包括属主、权限等为自己的属主和权限。 ->![](public_sys-resources/icon-notice.gif) **须知:** +>![](./public_sys-resources/icon-notice.gif) **须知:** >从docker-17.05开始,--graph参数被标记为Deprecated,用新的参数--data-root替代。 ### daemon自带网络配置 @@ -66,13 +66,13 @@ cat /etc/docker/daemon.json - Docker network create 并发创建网络的时候,可以创建具有相同名字的两个网络。原因是docker network是通过id来区分的,name只是个便于识别的别名而已,不保证唯一性。 - Docker在桥接bridge网络模式下,Docker容器是通过宿主机上的NAT模式,建立与宿主机之外世界的通信。Docker Daemon在启动一个容器时,每在宿主机上映射一个端口都会启动一个docker-proxy进程来实现访问代理。建议用户在使用这种userland-proxy时,只映射必须的端口,减少docker-proxy进行端口映射所消耗的资源。 -### daemon-umask配置.md">daemon umask配置 +### daemon-umask配置 容器主进程和exec进程的默认umask为0022,为了满足安全性需求,避免容器受到攻击,修改runc的实现,将默认umask修改为0027。修改后others群组将无法访问新建文件或目录。 docker启动容器时的默认umask值为0027,可以在dockerd启动时,使用--exec-opt native.umask=normal参数将容器启动时的umask修改为0022。 ->![](public_sys-resources/icon-notice.gif) **须知:** +>![](./public_sys-resources/icon-notice.gif) **须知:** >如果docker create/run也配置了native.umask参数,则以docker create/run中的配置为准。 详细的配置见[docker create](#create.md#ZH-CN_TOPIC_0184808242)和[docker run](#run.md#ZH-CN_TOPIC_0184808254)章节的参数说明。 @@ -145,7 +145,7 @@ docker支持配置audit,但不是强制的。例如: [root@localhost signal]# auditctl -l | grep docker -w /var/lib/docker/ -p rwxa -k docker ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >-p \[r|w|x|a\] 和-w一起使用,观察用户对这个目录的读、写、执行或者属性变化(如时间戳变化)。这样的话,在/var/lib/docker目录下的任何文件、目录操作,都会打印日志到audit.log中,从而会有太多的日志往audit.log中记录,会严重地影响auditd, 比如内存、cpu占用等,进而影响os的运行。例如:每次执行"ls /var/lib/docker/containers"都会有类似如下日志记录到/var/log/audit/audit.log中。 ``` 
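Review bot: In the `@@ -66,13` hunk the heading fix removes the `.md">` residue but keeps the wrong half: the title becomes `### daemon-umask配置`, which is the link slug, instead of the readable `### daemon umask配置` that followed the residue. The same choice is made for `### 禁止修改docker-daemon的私有目录` in the next hunk, where the original title was `禁止修改docker daemon的私有目录`. Suggest keeping the human-readable text in both headings, and checking that links elsewhere that target these sections still resolve.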
@@ -162,7 +162,7 @@ type=SYSCALL msg=audit(1517656451.457:8097): arch=c000003e syscall=257 success=y docker run -itd --security-opt seccomp=unconfined busybox:latest ``` -### 禁止修改docker-daemon的私有目录.md">禁止修改docker daemon的私有目录 +### 禁止修改docker-daemon的私有目录 不允许对Docker用的根目录(默认/var/lib/docker)和运行时目录(默认/run/docker)以及其文件作任何修改,包括在该目录下删除文件,添加文件,对目录或者文件做软/硬链接,修改文件的属性/权限,修改文件的内容等,如果确实需要做修改,后果自负。 @@ -441,7 +441,7 @@ Error response from daemon: oci runtime error: container with id exists: xxxxxx - 构建缓存,构建缓存信息会在重启后删除。 - containerd保存的元数据,由于启动容器会重建containerd元数据,重启节点会清理containerd中保存的元数据。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >用户若选择采用手动清理恢复环境的方式,可通过配置环境变量“DISABLE\_CRASH\_FILES\_DELETE=true”屏蔽daemon掉电重启时db文件清理功能。 diff --git "a/content/zh/docs/Container/\345\256\271\345\231\250\345\201\245\345\272\267\347\212\266\346\200\201\346\243\200\346\237\245.md" "b/docs/zh/docs/Container/\345\256\271\345\231\250\345\201\245\345\272\267\347\212\266\346\200\201\346\243\200\346\237\245.md" similarity index 100% rename from "content/zh/docs/Container/\345\256\271\345\231\250\345\201\245\345\272\267\347\212\266\346\200\201\346\243\200\346\237\245.md" rename to "docs/zh/docs/Container/\345\256\271\345\231\250\345\201\245\345\272\267\347\212\266\346\200\201\346\243\200\346\237\245.md" diff --git "a/content/zh/docs/Container/\345\256\271\345\231\250\345\206\205reboot-shutdown.md" "b/docs/zh/docs/Container/\345\256\271\345\231\250\345\206\205reboot-shutdown.md" similarity index 98% rename from "content/zh/docs/Container/\345\256\271\345\231\250\345\206\205reboot-shutdown.md" rename to "docs/zh/docs/Container/\345\256\271\345\231\250\345\206\205reboot-shutdown.md" index 14508d324269ffafe4592db409c74aee17837129..fed94bfad7f1cb583826e4c20847dd8aaf351105 100644 --- "a/content/zh/docs/Container/\345\256\271\345\231\250\345\206\205reboot-shutdown.md" +++ "b/docs/zh/docs/Container/\345\256\271\345\231\250\345\206\205reboot-shutdown.md" 
@@ -1,12 +1,12 @@ -# 容器内reboot/shutdown - -## 功能描述 - -系统容器支持在容器内执行reboot和shutdown命令。执行reboot命令效果同重启容器一致;执行shutdown命令效果同停止容器一致。 - -## 参数说明 - - +# 容器内reboot/shutdown + +## 功能描述 + +系统容器支持在容器内执行reboot和shutdown命令。执行reboot命令效果同重启容器一致;执行shutdown命令效果同停止容器一致。 + +## 参数说明 + + -

命令

参数

@@ -25,55 +25,55 @@
- -## 约束限制 - -- shutdown功能,依赖于不同的OS,以实际容器运行环境对应OS为准。 -- 执行“shutdown -h now”命令关闭系统时,不能多次占用console。例如“isula run -ti”命令打开一个console,在另一个host bash中isula attach该容器,会打开另一个console,此时执行shutdown会失败。 - -## 使用示例 - -- 容器启动时指定\--restart on-reboot参数,示例如下: - - ``` - [root@localhost ~]# isula run -tid --restart on-reboot --system-container --external-rootfs /root/myrootfs none init - 106faae22a926e22c828a0f2b63cf5c46e5d5986ea8a5b26de81390d0ed9714f - ``` - - -- 进入容器执行reboot命令: - - ``` - [root@localhost ~]# isula exec -it 10 bash - [root@localhost /]# reboot - ``` - - 查看容器是否重启: - - ``` - [root@localhost ~]# isula exec -it 10 ps aux - USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND - root 1 0.1 0.0 21588 9504 ? Ss 12:11 0:00 init - root 14 0.1 0.0 27024 9376 ? Ss 12:11 0:00 /usr/lib/system - root 17 0.0 0.0 18700 5876 ? Ss 12:11 0:00 /usr/lib/system - dbus 22 0.0 0.0 9048 3624 ? Ss 12:11 0:00 /usr/bin/dbus-d - root 26 0.0 0.0 8092 3012 ? Rs+ 12:13 0:00 ps aux - ``` - -- 进入容器执行shutdown命令: - - ``` - [root@localhost ~]# isula exec -it 10 bash - [root@localhost /]# shutdown -h now - [root@localhost /]# [root@localhost ~]# - ``` - - 检查容器是否停止: - - ``` - [root@localhost ~]# isula exec -it 10 bash - Error response from daemon: Exec container error;Container is not running:106faae22a926e22c828a0f2b63cf5c46e5d5986ea8a5b26de81390d0ed9714f - ``` - - + + +## 约束限制 + +- shutdown功能,依赖于不同的OS,以实际容器运行环境对应OS为准。 +- 执行“shutdown -h now”命令关闭系统时,不能多次占用console。例如“isula run -ti”命令打开一个console,在另一个host bash中isula attach该容器,会打开另一个console,此时执行shutdown会失败。 + +## 使用示例 + +- 容器启动时指定\--restart on-reboot参数,示例如下: + + ``` + [root@localhost ~]# isula run -tid --restart on-reboot --system-container --external-rootfs /root/myrootfs none init + 106faae22a926e22c828a0f2b63cf5c46e5d5986ea8a5b26de81390d0ed9714f + ``` + + +- 进入容器执行reboot命令: + + ``` + [root@localhost ~]# isula exec -it 10 bash + [root@localhost /]# reboot + ``` + + 查看容器是否重启: + + ``` + [root@localhost ~]# isula exec -it 10 ps aux + USER PID %CPU %MEM VSZ RSS 
TTY STAT START TIME COMMAND + root 1 0.1 0.0 21588 9504 ? Ss 12:11 0:00 init + root 14 0.1 0.0 27024 9376 ? Ss 12:11 0:00 /usr/lib/system + root 17 0.0 0.0 18700 5876 ? Ss 12:11 0:00 /usr/lib/system + dbus 22 0.0 0.0 9048 3624 ? Ss 12:11 0:00 /usr/bin/dbus-d + root 26 0.0 0.0 8092 3012 ? Rs+ 12:13 0:00 ps aux + ``` + +- 进入容器执行shutdown命令: + + ``` + [root@localhost ~]# isula exec -it 10 bash + [root@localhost /]# shutdown -h now + [root@localhost /]# [root@localhost ~]# + ``` + + 检查容器是否停止: + + ``` + [root@localhost ~]# isula exec -it 10 bash + Error response from daemon: Exec container error;Container is not running:106faae22a926e22c828a0f2b63cf5c46e5d5986ea8a5b26de81390d0ed9714f + ``` + + diff --git "a/content/zh/docs/Container/\345\256\271\345\231\250\345\274\225\346\223\216-4.md" "b/docs/zh/docs/Container/\345\256\271\345\231\250\345\274\225\346\223\216-4.md" similarity index 99% rename from "content/zh/docs/Container/\345\256\271\345\231\250\345\274\225\346\223\216-4.md" rename to "docs/zh/docs/Container/\345\256\271\345\231\250\345\274\225\346\223\216-4.md" index a230e281993e13fb393c217bbce61dde05a1d314..1741c561a9434ae2a973e997ddcd8d7d59eb26c9 100644 --- "a/content/zh/docs/Container/\345\256\271\345\231\250\345\274\225\346\223\216-4.md" +++ "b/docs/zh/docs/Container/\345\256\271\345\231\250\345\274\225\346\223\216-4.md" @@ -125,11 +125,7 @@ docker命令支持多个参数选项,对于参数选项有以下约定:

设置运行时执行选项。

例如支持native.umask选项:

-
# 启动的容器umask值为0022 
---exec-opt native.umask=normal 
-
-# 启动的容器umask值为0027(默认值)
---exec-opt  native.umask=secure    
+
# 启动的容器umask值为0022 --exec-opt native.umask=normal # 启动的容器umask值为0027(默认值)--exec-opt  native.umask=secure

注意如果docker create/run也配置了native.umask参数则以docker create/run中的配置为准。
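Review bot: The replacement joins the two-option example onto one line: `# 启动的容器umask值为0022 --exec-opt native.umask=normal # 启动的容器umask值为0027(默认值)--exec-opt  native.umask=secure`. Everything after the first `#` now reads as a comment, and the reader can no longer tell at a glance which option yields 0022 and which yields the 0027 default. Keep each comment and its `--exec-opt` on separate lines, as in the removed version; for a umask setting the mapping between option and resulting value needs to be unambiguous.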

diff --git "a/content/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-3.md" "b/docs/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-3.md" similarity index 99% rename from "content/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-3.md" rename to "docs/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-3.md" index 65e7d9a39a25be5d622e281a186159cafdb619ed..02e00cf5715d2c0768d035ccda20e25f368414f3 100644 --- "a/content/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-3.md" +++ "b/docs/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-3.md" @@ -575,7 +575,7 @@ CONTAINER ID IMAGE COMMAND CREATED } ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 容器内健康检查的状态信息最多保存5条。会保存最后得到的5条记录。 >- 容器内健康检查相关配置同时最多只能有一条生效。Dockerfile中配置的靠后的条目会覆盖靠前的;容器创建时的配置会覆盖镜像中的。 >- 在Dockerfile中可以通过 HEALTHCHECK NONE来取消引用的镜像中的健康检查配置。在容器运行时可以通过配置--no-healthcheck来取消镜像中的健康检查配置。不允许在启动时同时配置健康检查相关选项与--no-healthcheck选项。 diff --git "a/content/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-4.md" "b/docs/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-4.md" similarity index 99% rename from "content/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-4.md" rename to "docs/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-4.md" index 9f9f5c15d95632319573d095b2a74399259b31e9..23b7f49276f5739e2525259eb331e28fdd3856d4 100644 --- "a/content/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-4.md" +++ "b/docs/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206-4.md" 
@@ -1079,7 +1079,7 @@ b15976967abb busybox:latest "bash" 34 seconds ago $ sudo docker restart busybox ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >容器在restart过程中,如果容器内存在D状态或Z状态的进程,可能会导致容器重启失败,这需要进一步分析导致容器内进程D状态或Z状态的原因,待容器内进程D状态或Z状态解除后,再进行容器restart操作。 ## rm diff --git "a/content/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206.md" "b/docs/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206.md" similarity index 99% rename from "content/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206.md" rename to "docs/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206.md" index 6d25ee645462cd89a5720dd2113c98053f4f29b0..358c1d3bef43a0f9b079ecfee484fa31ec832326 100644 --- "a/content/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206.md" +++ "b/docs/zh/docs/Container/\345\256\271\345\231\250\347\256\241\347\220\206.md" @@ -49,7 +49,7 @@ create命令支持参数参考下表。

说明

-

create

+

create

  

--annotation

@@ -232,7 +232,7 @@ create命令支持参数参考下表。

--mount

-

挂载主机目录到容器中

+

挂载主机目录/卷/文件系统到容器中

--no-healthcheck

@@ -301,6 +301,11 @@ create命令支持参数参考下表。

挂载一个卷

+

--volumes-from=[]

+ +

使用指定的容器的挂载配置

+ + @@ -743,12 +748,12 @@ run命令支持参数参考下表。 - >![](public_sys-resources/icon-notice.gif) **须知:** + >![](./public_sys-resources/icon-notice.gif) **须知:** >第一种情况,先挂载/home/test1,然后挂载/home/test2,这种情况会导致/home/test1的内容覆盖掉原来/mnt下面的内容,这样可能导致/mnt下面不存在abc目录,这样会导致挂载/home/test2到/mnt/abc失败。 >第二种情况,先挂载/home/test2,然后挂载/home/test1。这种情况,第二次的挂载会把/mnt的内容替换为/home/test1的内容,这样第一次挂载的/home/test2到/mnt/abc的内容就看不到了。 >因此,不支持第一种使用方式;第二种使用用户需要了解这种数据无法访问的风险 - >![](public_sys-resources/icon-notice.gif) **须知:** + >![](./public_sys-resources/icon-notice.gif) **须知:** >- 高并发场景(并发启动200容器)下,glibc的内存管理机制会导致内存空洞以及虚拟内存较大(例如10GB)的问题。该问题是高并发场景下glibc内存管理机制的限制,而不是内存泄露,不会导致内存消耗无限增大。可以通过设置MALLOC\_ARENA\_MAX环境变量来减少虚拟内存的问题,而且可以增大减少物理内存的概率。但是这个环境变量会导致iSulad的并发性能下降,需要用户根据实际情况做配置。 > ``` > 参考实践情况,平衡性能和内存,可以设置MALLOC_ARENA_MAX为4。(在arm64服务器上面对iSulad的性能影响在10%以内) @@ -1244,7 +1249,7 @@ inspect命令支持参数参考下表。 ### 约束限制 -- 轻量级容器不支持format为“\{\{.State\}\}”的格式化输出,支持“\{\{json .State\}\}”的json格式化输出。当inspect镜像时,不支持-f参数。 +- 轻量级容器不支持format为“\{ \{.State\} \}”的格式化输出,支持“\{ \{json .State\} \}”的json格式化输出。当inspect镜像时,不支持-f参数。 ### 示例 diff --git "a/content/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\345\212\250\346\200\201\347\256\241\347\220\206.md" "b/docs/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\345\212\250\346\200\201\347\256\241\347\220\206.md" similarity index 99% rename from "content/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\345\212\250\346\200\201\347\256\241\347\220\206.md" rename to "docs/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\345\212\250\346\200\201\347\256\241\347\220\206.md" index c09fa4af20f3643963297e7a371796c88cf78262..5ab7230555dceebb3c97339c67f29bdee5687168 100644 --- "a/content/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\345\212\250\346\200\201\347\256\241\347\220\206.md" +++ "b/docs/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\345\212\250\346\200\201\347\256\241\347\220\206.md" 
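Review bot: In the `@@ -1244,7` hunk (inspect, 约束限制) the format strings change from `\{\{.State\}\}` to `\{ \{.State\} \}`. The rendered text will show the braces separated by spaces, which is not the template a user passes to `-f`, so the documented supported and unsupported forms no longer match what is typed. If the aim is to stop the site generator from interpreting the double braces, wrap the strings in inline code or use the generator's own raw-text mechanism rather than altering the syntax being documented.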
@@ -253,7 +253,7 @@ container\_id:容器id。 Add network interface to container 2aaca5c1af7c (eth3,eth1) done ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >添加虚拟网卡或物理网卡时,请确保网卡处于空闲状态,添加正在使用的网卡会导致系统网络断开。 diff --git "a/content/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\347\256\241\347\220\206.md" "b/docs/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\347\256\241\347\220\206.md" similarity index 99% rename from "content/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\347\256\241\347\220\206.md" rename to "docs/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\347\256\241\347\220\206.md" index 20223d146e428ef50ec37117298c54a0f9aefedc..7e5c4ddb366c17997e4cf6fc7d31595b001ab152 100644 --- "a/content/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\347\256\241\347\220\206.md" +++ "b/docs/zh/docs/Container/\345\256\271\345\231\250\350\265\204\346\272\220\347\256\241\347\220\206.md" @@ -166,7 +166,7 @@ create/run时可以指定下列参数。 isula run -tid --cpuset-cpus 0,2-3 busybox sh ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >是否设置成功,请参见“查询单个容器信息”章节。 ## 限制运行时的内存 @@ -457,7 +457,7 @@ overlay 10.0M 10.0M 0 100% / 使用限额功能的isulad切换数据盘时,需要保证被切换的数据盘使用\`prjquota\`选项挂载,且/var/lib/isulad/storage/overlay2目录的挂载方式与/var/lib/isulad相同。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >切换数据盘时需要保证/var/lib/isulad/storage/overlay2的挂载点被卸载。 @@ -529,7 +529,7 @@ isula run -ti --files-limit 1024 busybox bash 根因是lxc和runc启动过程的原理不一样,lxc创建cgroup子组后先设置files.limit值,再将容器进程的PID写入该子组的cgroup.procs文件,此时该进程已经打开超过1个句柄,因而写入报错导致启动失败。runc创建cgroup子组后先将容器进程的PID写入该子组的cgroup.procs文件,再设置files.limit值,此时由于该子组内的进程已经打开超过1个句柄,因而写入files.limit不会生效,内核也不会报错,容器启动成功。 -## 限制容器内可以创建的进程-线程数.md">限制容器内可以创建的进程/线程数 +## 限制容器内可以创建的进程-线程数 ### 描述 
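Review bot: In the inspect 约束限制 hunk (`@@ -1244,7 +1249,7 @@`), the format strings become “\{ \{.State\} \}” and “\{ \{json .State\} \}”, with spaces inside the braces, so the page now documents a string that differs from the one the removed line gave and that a reader would type after `-f`. If the spaces are only there to keep the site generator from evaluating the double braces, keep the original “\{\{.State\}\}” form and escape it another way (inline code or a raw block), or state explicitly that the spaces must be dropped when running the command.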
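Review bot: In 容器资源管理.md, hunk `@@ -529,7 +529,7 @@`, the repaired heading reads `## 限制容器内可以创建的进程-线程数`, which keeps the hyphenated file-name form, while the visible title in the removed line was 限制容器内可以创建的进程/线程数. Suggest using the slash form as the heading text and checking that any table of contents or cross-reference pointing at this section still resolves afterwards.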
diff --git "a/content/zh/docs/Container/\346\214\207\345\256\232rootfs\345\210\233\345\273\272\345\256\271\345\231\250.md" "b/docs/zh/docs/Container/\346\214\207\345\256\232rootfs\345\210\233\345\273\272\345\256\271\345\231\250.md" similarity index 97% rename from "content/zh/docs/Container/\346\214\207\345\256\232rootfs\345\210\233\345\273\272\345\256\271\345\231\250.md" rename to "docs/zh/docs/Container/\346\214\207\345\256\232rootfs\345\210\233\345\273\272\345\256\271\345\231\250.md" index 7a5ab73002b37ece92515761b5b5742557ae6443..dd6a08280d086eaabbe4e98baf9428e663fcf03d 100644 --- "a/content/zh/docs/Container/\346\214\207\345\256\232rootfs\345\210\233\345\273\272\345\256\271\345\231\250.md" +++ "b/docs/zh/docs/Container/\346\214\207\345\256\232rootfs\345\210\233\345\273\272\345\256\271\345\231\250.md" @@ -1,12 +1,12 @@ -# 指定rootfs创建容器 - -## 功能描述 - -系统容器不同于普通容器,普通容器需要指定一个容器镜像来启动,而系统容器通过参数 \--external-rootfs 指定一个本地的根文件系统rootfs(Root File System)来启动,rootfs包含了容器运行时依赖的操作系统环境。 - -## 参数说明 - - +# 指定rootfs创建容器 + +## 功能描述 + +系统容器不同于普通容器,普通容器需要指定一个容器镜像来启动,而系统容器通过参数 \--external-rootfs 指定一个本地的根文件系统rootfs(Root File System)来启动,rootfs包含了容器运行时依赖的操作系统环境。 + +## 参数说明 + + -

命令

参数

@@ -23,24 +23,24 @@
- -## 约束限制 - -- 参数--external-rootfs指定的rootfs目录必须为绝对路径,不能为相对路径。 -- 参数--external-rootfs指定的rootfs目录必须为一个完整运行的操作系统环境,否则容器会启动失败。 -- 容器删除时,不会删除--external-rootfs指定的rootfs目录。 -- 不支持在x86环境上运行基于arm rootfs的容器,也不支持在arm环境上运行基于x86 rootfs的容器。 -- 同一份rootfs,不建议启动多个容器实例,即同一份rootfs只供一个生命周期内的容器实例使用。 - -## 使用示例 - -假设本地rootfs的路径为/root/myrootfs,那么启动一个系统容器的命令如下: - -``` -# isula run -tid --system-container --external-rootfs /root/myrootfs none init -``` - ->![](public_sys-resources/icon-note.gif) **说明:** ->rootfs为自定义的文件系统,请用户自行准备。例如容器镜像的tar包解压后,即为一个rootfs。 - + + +## 约束限制 + +- 参数--external-rootfs指定的rootfs目录必须为绝对路径,不能为相对路径。 +- 参数--external-rootfs指定的rootfs目录必须为一个完整运行的操作系统环境,否则容器会启动失败。 +- 容器删除时,不会删除--external-rootfs指定的rootfs目录。 +- 不支持在x86环境上运行基于arm rootfs的容器,也不支持在arm环境上运行基于x86 rootfs的容器。 +- 同一份rootfs,不建议启动多个容器实例,即同一份rootfs只供一个生命周期内的容器实例使用。 + +## 使用示例 + +假设本地rootfs的路径为/root/myrootfs,那么启动一个系统容器的命令如下: + +``` +# isula run -tid --system-container --external-rootfs /root/myrootfs none init +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>rootfs为自定义的文件系统,请用户自行准备。例如容器镜像的tar包解压后,即为一个rootfs。 + diff --git "a/content/zh/docs/Container/\346\224\257\346\214\201CNI\347\275\221\347\273\234.md" "b/docs/zh/docs/Container/\346\224\257\346\214\201CNI\347\275\221\347\273\234.md" similarity index 99% rename from "content/zh/docs/Container/\346\224\257\346\214\201CNI\347\275\221\347\273\234.md" rename to "docs/zh/docs/Container/\346\224\257\346\214\201CNI\347\275\221\347\273\234.md" index a5444e4e8ed3b52005b1ef851998c10d045731c5..825ea5a7fd604ea8ae531932ae3e842d8d63d10f 100644 --- "a/content/zh/docs/Container/\346\224\257\346\214\201CNI\347\275\221\347\273\234.md" +++ "b/docs/zh/docs/Container/\346\224\257\346\214\201CNI\347\275\221\347\273\234.md" 
@@ -123,7 +123,7 @@ Pod配置中和网络相关的还有port\_mappings项,用于设置Pod的端口 StopPodSandbox的时候,会调用退出CNI网络的接口,清理网络相关的资源。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >1. 在调用RemovePodSandbox接口之前,至少要调用一次StopPodSandbox接口 >2. StopPodSandbox调用CNI接口失败,可能导致的网络资源残留。 diff --git "a/content/zh/docs/Container/\346\224\257\346\214\201OCI-hooks.md" "b/docs/zh/docs/Container/\346\224\257\346\214\201OCI-hooks.md" similarity index 100% rename from "content/zh/docs/Container/\346\224\257\346\214\201OCI-hooks.md" rename to "docs/zh/docs/Container/\346\224\257\346\214\201OCI-hooks.md" diff --git "a/content/zh/docs/Container/\346\234\200\345\244\247\345\217\245\346\237\204\346\225\260\351\231\220\345\210\266.md" "b/docs/zh/docs/Container/\346\234\200\345\244\247\345\217\245\346\237\204\346\225\260\351\231\220\345\210\266.md" similarity index 98% rename from "content/zh/docs/Container/\346\234\200\345\244\247\345\217\245\346\237\204\346\225\260\351\231\220\345\210\266.md" rename to "docs/zh/docs/Container/\346\234\200\345\244\247\345\217\245\346\237\204\346\225\260\351\231\220\345\210\266.md" index d17c211009369ef71b3d8c4482bcc054f065428a..4de230203107c3f2b4a9c11c9b8a2349a400c2bb 100644 --- "a/content/zh/docs/Container/\346\234\200\345\244\247\345\217\245\346\237\204\346\225\260\351\231\220\345\210\266.md" +++ "b/docs/zh/docs/Container/\346\234\200\345\244\247\345\217\245\346\237\204\346\225\260\351\231\220\345\210\266.md" @@ -1,12 +1,12 @@ -# 最大句柄数限制 - -## 功能描述 - -系统容器支持对容器内使用文件句柄数进行限制,文件句柄包括普通文件句柄和网络套接字,启动容器时,可以通过指定--files-limit参数限制容器内打开的最大句柄数。 - -## 参数说明 - - +# 最大句柄数限制 + +## 功能描述 + +系统容器支持对容器内使用文件句柄数进行限制,文件句柄包括普通文件句柄和网络套接字,启动容器时,可以通过指定--files-limit参数限制容器内打开的最大句柄数。 + +## 参数说明 + + -

命令

参数

@@ -24,33 +24,33 @@
- -## 约束限制 - -- 如果\--files-limit指定的值太小,可能会导致系统容器无法通过exec执行命令,报"open too many files"错误,所以files limit的值应该设置大一些。 -- 文件句柄包括普通文件句柄和网络套接字。 - -## 使用示例 - -使用\--files-limit限制容器内打开文件句柄数需要内核支持files cgroup,可以执行以下命令查看: - -``` -[root@localhost ~]# cat /proc/1/cgroup | grep files -10:files:/ -``` - -结果显示files,说明内核支持files cgroup。 - -容器启动指定--files-limit参数,并检查files.limit参数是否成功写入: - -``` -[root@localhost ~]# isula run -tid --files-limit 1024 --system-container --external-rootfs /tmp/root-fs empty init 01e82fcf97d4937aa1d96eb8067f9f23e4707b92de152328c3fc0ecb5f64e91d -[root@localhost ~]# isula exec -it 01e82fcf97d4 bash -[root@localhost ~]# cat /sys/fs/cgroup/files/files.limit -1024 - -``` - -可以看出,容器内文件句柄数被成功限制。 - + + +## 约束限制 + +- 如果\--files-limit指定的值太小,可能会导致系统容器无法通过exec执行命令,报"open too many files"错误,所以files limit的值应该设置大一些。 +- 文件句柄包括普通文件句柄和网络套接字。 + +## 使用示例 + +使用\--files-limit限制容器内打开文件句柄数需要内核支持files cgroup,可以执行以下命令查看: + +``` +[root@localhost ~]# cat /proc/1/cgroup | grep files +10:files:/ +``` + +结果显示files,说明内核支持files cgroup。 + +容器启动指定--files-limit参数,并检查files.limit参数是否成功写入: + +``` +[root@localhost ~]# isula run -tid --files-limit 1024 --system-container --external-rootfs /tmp/root-fs empty init 01e82fcf97d4937aa1d96eb8067f9f23e4707b92de152328c3fc0ecb5f64e91d +[root@localhost ~]# isula exec -it 01e82fcf97d4 bash +[root@localhost ~]# cat /sys/fs/cgroup/files/files.limit +1024 + +``` + +可以看出,容器内文件句柄数被成功限制。 + diff --git "a/docs/zh/docs/Container/\346\234\254\345\234\260\345\215\267\347\256\241\347\220\206.md" "b/docs/zh/docs/Container/\346\234\254\345\234\260\345\215\267\347\256\241\347\220\206.md" new file mode 100644 index 0000000000000000000000000000000000000000..ddc063c6816585cb65822ff18568af2f998040a5 --- /dev/null +++ "b/docs/zh/docs/Container/\346\234\254\345\234\260\345\215\267\347\256\241\347\220\206.md" 
@@ -0,0 +1,199 @@ +# 本地卷管理 + +- [本地卷管理](#本地卷管理) + - [概述](#概述) + - [注意事项](#注意事项) + - [使用方法](#使用方法) + - [使用-v参数挂载数据](#使用-v参数挂载数据) + - [**命令格式**](#命令格式) + - [**功能描述**](#功能描述) + - [**参数说明**](#参数说明) + - [**示例**](#示例) + - [使用--mount参数挂载数据](#使用--mount参数挂载数据) + - [**命令格式**](#命令格式-1) + - [**功能描述**](#功能描述-1) + - [**参数说明**](#参数说明-1) + - [**示例**](#示例-1) + - [复用其他容器中的挂载配置](#复用其他容器中的挂载配置) + - [**命令格式**](#命令格式-2) + - [**功能描述**](#功能描述-2) + - [**参数说明**](#参数说明-2) + - [**示例**](#示例-2) + - [使用镜像中的匿名卷](#使用镜像中的匿名卷) + - [卷的查询](#卷的查询) + - [**命令格式**](#命令格式-3) + - [**功能描述**](#功能描述-3) + - [**参数说明**](#参数说明-3) + - [**示例**](#示例-3) + - [卷的删除](#卷的删除) + - [**命令格式**](#命令格式-4) + - [**功能描述**](#功能描述-4) + - [**参数说明**](#参数说明-4) + - [**示例**](#示例-4) + - [注意事项](#注意事项-1) + - [冲突合并规则](#冲突合并规则) + - [iSula和Docker的差异](#isula和docker的差异) + +## 概述 + +iSula 管理的容器销毁后,容器内自身所有的数据都会被销毁。如果用户希望容器销毁后依然保留数据,则需要有一种持久化数据的机制。iSula 允许将主机上的文件、目录或卷在容器运行时挂载到容器内。用户可以将需要持久化的数据写入容器内的挂载点。则容器销毁后,主机上的文件、目录、卷依然保留。如果用户需要销毁主机上的文件、目录、卷,可以手动删除文件、目录或者执行 iSula 的相关命令删除卷。对于卷的管理目前 iSula 只支持本地卷,本地卷又分为有名卷和匿名卷。由用户指定名称生产的卷叫有名卷,用户没有指定卷名称,由 iSula 自动生成卷名(一个64位的随机数)的卷为匿名卷。 + +本章介绍通过 iSula 管理本地卷的使用方法。 + +## 注意事项 +- 卷名称长度2-64个字符,符合正则表达式:^[a-zA-Z0-9][a-zA-Z0-9_.-]{1,63}$,即卷名称首字符必须为字母或者数字,从第二个字符开始可以为字母、数字或者"_"、"."、"-"这几个字符。 +- 创建容器时,如果卷对应的容器内的挂载点存在数据,则默认会拷贝到卷里。如果拷贝过程中出现了 iSula 崩溃重启或者系统掉电之类的异常,则卷内的数据可能是不完整的,这时需要手动删除卷或者卷内数据,确保数据的正确完整。 + +## 使用方法 + +### 使用-v参数挂载数据 + +#### **命令格式** +```shell +isula run -v [SRC:]DST[:MODE,MODE...] 
IMAGE +``` + +#### **功能描述** +使用 create / run 创建并运行容器时,使用 -v/--volume 参数将主机上的文件、目录或者卷挂载到容器内用于数据持久化。 + +#### **参数说明** +- SRC: 用于挂载的文件、目录或者卷在主机上的路径,当值为绝对路径时,表示挂载主机上的文件或者文件夹。当值为卷名时,表示挂载卷。当省略该项时,表示挂载匿名卷。当文件夹或者卷不存在时,iSula会先创建一个新的文件夹/卷,再进行挂载操作。 +- DST: 容器内的挂载路径,必须为绝对路径。 +- MODE: 当挂载的源是目录或者文件时,合法的参数是ro/rw/z/Z/private/rprivate/slave/rslave/shared/rshared。同类型的参数只能配置一个。当挂载的源是卷时,合法的参数是ro/rw/z/Z/nocopy,同类型的参数只能配置一个。多个属性之间使用","连接。参数含义如下: + +| 参数 | 参数含义 | +| -------- | -----------------------------------------------| +| ro | 容器内挂载点挂载为只读属性 | +| rw | 容器内挂载点挂载为读写属性 | +| z | 如果开启了SELinux,则挂载时添加SELinux共享标签 | +| Z | 如果开启了SELinux,则挂载时添加SELinux私有标签 | +| private | 容器内挂载点挂载为私有传播属性 | +| rprivate | 容器内挂载点递归挂载为私有传播属性 | +| slave | 容器内挂载点挂载为从属传播属性 | +| rslave | 容器内挂载点递归挂载为从属传播属性 | +| shared | 容器内挂载点挂载为共享传播属性 | +| rshared | 容器内挂载点递归挂载为共享传播属性 | +| nocopy | 不拷贝挂载点内的数据,该参数不进行配置时默认会拷贝数据。另外,如果卷里已经有数据了,也不会进行拷贝 | + + +#### **示例** +基于 busybox 运行容器并创建/挂载名称为 vol 的卷到容器的 /vol 目录,同时配置挂载点为只读,并且如果容器中对应挂载点有数据也不进行拷贝。 +```shell +isula run -v vol:/vol:ro,nocopy busybox +``` + +### 使用--mount参数挂载数据 + +#### **命令格式** +```shell +isula run --mount [type=TYPE,][src=SRC,]dst=DST[,KEY=VALUE] busybox +``` + +#### **功能描述** +使用 create / run 创建并运行容器时,使用 --mount 参数将主机上的文件、目录、卷或者文件系统挂载到容器内用于数据持久化。 + +#### **参数说明** +- type: 挂载到容器中的数据的类型,类型可以是 bind、volume、squashfs, 省略该项时默认为volume类型。 +- src: 用于挂载的文件、目录或者卷在主机上的路径。当值为绝对路径时,表示挂载主机上的文件或者目录。当值为卷名时,表示挂载卷。当省略该项时,表示匿名卷。当文件夹或者卷不存在时,iSula会先创建一个新的文件/卷,再进行挂载操作。该项的关键字 src 也可以写成 source。 +- dst: 容器内的挂载路径,必须为绝对路径。该项的关键字 dst 也可以写成 destination 或者 target。 +- KEY=VALUE: 表示 --mount 的参数,可以取如下值: + +| KEY 值 | VALUE | +| ------------------------------ | --------------------------------------------------------------------------- | +| selinux-opts/bind-selinux-opts | z或者Z。z表示如果开启了SElinux,则挂载时添加SElinux共享标签;Z表示如果开启了SElinux,则挂载时添加SElinux私有标签 | +| ro/readonly | 0/false 表示挂载成读写属性,1/true 表示挂载成只读属性。该项的值可以省略表示挂载成只读。该项只在 type=bind 时支持配置该参数 | +| volume-nocopy | 不拷贝挂载点内的数据,该参数不进行配置时默认会拷贝数据。另外,如果卷里已经有数据了,也不会进行拷贝。只在 
type=volume 时支持该参数 | + +#### **示例** +基于 busybox 运行容器并创建/挂载名称为 vol 的卷到容器的 /vol 目录,同时配置挂载点为只读,并且如果容器中对应挂载点有数据也不进行拷贝。 +```shell +isula run --mount type=volume,src=vol,dst=/vol,ro=true,volume-nocopy=true busybox +``` + +### 复用其他容器中的挂载配置 + +#### **命令格式** +```shell +isula run --volumes-from CON1[:MODE] busybox +``` + +#### **功能描述** +使用 create / run 创建并运行容器时,使用 --volumes-from 参数表示挂载点配置包括CON1容器的挂载点配置。可以配置多个 --volumes-from 参数。 + +#### **参数说明** +- CON1: 被复用挂载点的容器的名称或者ID。 +- MODE: 值为ro表示复用的挂载点挂载为只读属性,值为rw表示复用的挂载点挂载为读写属性。 + +#### **示例** +假设已经有名称为 container1 的容器配置了卷 vol1 到容器目录 /vol1,名称为 container2 的容器配置了卷 vol2 到容器目录 /vol2。现在运行一个新的容器复用 container1 和 container2 的挂载配置,即卷 vol1 挂载到容器的 /vol1 目录,vol2 挂载到容器的 /vol2 目录。 +```shell +isula run --volumes-from container1 --volumes-from container2 busbyox +``` + +### 使用镜像中的匿名卷 + +使用镜像中的匿名卷不需要用户做任何配置。如果镜像中配置了匿名卷,则在运行容器时 iSula 会自动创建一个匿名卷并挂载到镜像中指定的路径供用户使用。用户可以往容器中的匿名卷挂载点写入数据进行数据持久化。 + +### 卷的查询 + +#### **命令格式** +```shell +isula volume ls [OPTIONS] +``` + +#### **功能描述** +查询 iSula 管理的所有卷。 + +#### **参数说明** +OPTIONS 可选参数: +- -q,--quit: 如果不加这个参数,默认只会查询到卷的驱动信息和卷的名称,添加该参数表示只查询卷的名称。 + +#### **示例** +查询 iSula 管理的所有卷,只返回卷名称。 +```shell +isula volume ls -q +``` + +### 卷的删除 + +#### **命令格式** +``` +isula volume rm [OPTIONS] VOLUME [VOLUME...] 
+isula volume prune [OPTIONS] +``` + +#### **功能描述** +- rm 命令:删除指定的卷,如果卷被容器使用了,则会删除失败。 +- prune 命令:删除所有未被容器使用的卷。 + +#### **参数说明** +prune 命令的 OPTIONS 可选参数: +- -f,--force: 表示不弹出“确认是否要删除”的提示,默认会有风险提示,需要输入 y 才能继续执行。 + +#### **示例** +删除卷 vol1 和卷 vol2 +```shell +isula volume rm vol1 vol2 +``` +删除所有未被使用的卷,不弹出风险提示,格式如下: +```shell +isula volume prune -f +``` + +### 注意事项 + +#### 冲突合并规则 +如果卷的挂载点有冲突,则按照如下规则处理: +- -v 和 --mount 的配置冲突,则返回失败。 +- --volumes-from 里获取的配置,如果和 -v/--mount 配置有冲突,则丢弃。 +- 镜像中的匿名卷配置,如果和 -v/--mount/--volumes-from 配置有冲突,则丢弃。 + +#### iSula和Docker的差异 +| iSula行为 | Docker行为 | +| ------------------------------------------- | ------------------------------------------- | +| 卷名称最长64个字符 | 卷名称长度没有限制 | +| --mount 参数,如果挂载的源不存在,则会创建 | --mount 参数,如果挂载的源不存在,则会报错 | +| --mount 参数,支持 bind-selinux-opts 和 selinux-opts 参数配置 z/Z | --mount 参数,不支持 bind-selinux-opts 和 selinux-opts 参数 | +| 挂载点冲突合并规则,不做特殊处理 | 挂载点冲突合并规则,将 -v 指定的匿名卷当成镜像中的匿名卷一样处理 | +| volume prune 命令,提示回收了多少空间 | volume prune 命令,不会提示回收了多少空间 | +| -v/--mount/--volumes-from 配置在 hostconfig 中,匿名卷配置在 config 中 | -v 配置的匿名卷放在 config 配置中,其他配置在 hostconfig 中 | diff --git "a/content/zh/docs/Container/\346\237\245\350\257\242\344\277\241\346\201\257.md" "b/docs/zh/docs/Container/\346\237\245\350\257\242\344\277\241\346\201\257.md" similarity index 100% rename from "content/zh/docs/Container/\346\237\245\350\257\242\344\277\241\346\201\257.md" rename to "docs/zh/docs/Container/\346\237\245\350\257\242\344\277\241\346\201\257.md" diff --git "a/content/zh/docs/Container/\347\211\271\346\235\203\345\256\271\345\231\250.md" "b/docs/zh/docs/Container/\347\211\271\346\235\203\345\256\271\345\231\250.md" similarity index 100% rename from "content/zh/docs/Container/\347\211\271\346\235\203\345\256\271\345\231\250.md" rename to "docs/zh/docs/Container/\347\211\271\346\235\203\345\256\271\345\231\250.md" 
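Review bot: In the new 本地卷管理.md, the --volumes-from example ends in `busbyox`, so `isula run --volumes-from container1 --volumes-from container2 busbyox` fails when copied; it should be `busybox`. In 卷的查询 the option is listed as `-q,--quit`, which looks like a typo for `--quiet`; please check it against the CLI help. The src description also differs between the two sections (the -v text says a missing source is created as 文件夹/卷, the --mount text says 文件/卷), so pick one wording, and since the page states that a missing source is created rather than rejected, a sentence in 注意事项 warning that a mistyped host path is silently created would help operators.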
diff --git "a/content/zh/docs/Container/\347\216\257\345\242\203\345\217\230\351\207\217\346\214\201\344\271\205\345\214\226.md" "b/docs/zh/docs/Container/\347\216\257\345\242\203\345\217\230\351\207\217\346\214\201\344\271\205\345\214\226.md" similarity index 98% rename from "content/zh/docs/Container/\347\216\257\345\242\203\345\217\230\351\207\217\346\214\201\344\271\205\345\214\226.md" rename to "docs/zh/docs/Container/\347\216\257\345\242\203\345\217\230\351\207\217\346\214\201\344\271\205\345\214\226.md" index 22d36c8ab32d16d7812596ba14d792c34379f0c0..1127d322cf4670ae291e7b20812efe0f573c5c18 100644 --- "a/content/zh/docs/Container/\347\216\257\345\242\203\345\217\230\351\207\217\346\214\201\344\271\205\345\214\226.md" +++ "b/docs/zh/docs/Container/\347\216\257\345\242\203\345\217\230\351\207\217\346\214\201\344\271\205\345\214\226.md" @@ -1,12 +1,12 @@ -# 环境变量持久化 - -## 功能描述 - -系统容器支持通过指定--env-target-file接口参数将env变量持久化到容器rootfs目录下的配置文件中。 - -## 参数说明 - - +# 环境变量持久化 + +## 功能描述 + +系统容器支持通过指定--env-target-file接口参数将env变量持久化到容器rootfs目录下的配置文件中。 + +## 参数说明 + + -

命令

参数

@@ -23,26 +23,26 @@
- -## 约束限制 - -- --env-target-file指定的目标文件如果存在的话,大小不能超过10MB。 -- --env-target-file指定的参数为rootfs目录下的绝对路径。 -- 如果--env和目标文件里面的env出现冲突,以--env指定值的参数为准。 - -## 使用示例 - -启动系统容器,指定env环境变量和--env-target-file参数: - -``` -[root@localhost ~]# isula run -tid -e abc=123 --env-target-file /etc/environment --system-container --external-rootfs /root/myrootfs none init -b75df997a64da74518deb9a01d345e8df13eca6bcc36d6fe40c3e90ea1ee088e -[root@localhost ~]# isula exec b7 cat /etc/environment -PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -TERM=xterm -abc=123 -``` - -可以看到容器的env变量(abc=123)已经持久化到/etc/environment配置文件中。 - + + +## 约束限制 + +- --env-target-file指定的目标文件如果存在的话,大小不能超过10MB。 +- --env-target-file指定的参数为rootfs目录下的绝对路径。 +- 如果--env和目标文件里面的env出现冲突,以--env指定值的参数为准。 + +## 使用示例 + +启动系统容器,指定env环境变量和--env-target-file参数: + +``` +[root@localhost ~]# isula run -tid -e abc=123 --env-target-file /etc/environment --system-container --external-rootfs /root/myrootfs none init +b75df997a64da74518deb9a01d345e8df13eca6bcc36d6fe40c3e90ea1ee088e +[root@localhost ~]# isula exec b7 cat /etc/environment +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +TERM=xterm +abc=123 +``` + +可以看到容器的env变量(abc=123)已经持久化到/etc/environment配置文件中。 + 
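Review bot: Every line of 环境变量持久化.md in the `@@ -1,12 +1,12 @@` and `@@ -23,26 +23,26 @@` hunks is removed and re-added with text that reads identically, so the change is presumably line endings or trailing whitespace only, and the same pattern shows in 最大句柄数限制.md and 监控安全容器.md. Please say so in the commit message or split the normalization into its own commit, so the renames and the real content edits (such as the `./public_sys-resources/` image paths) stay reviewable; a `.gitattributes` rule would keep the line endings from drifting back.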
diff --git "a/content/zh/docs/Container/\347\233\221\346\216\247\345\256\211\345\205\250\345\256\271\345\231\250.md" "b/docs/zh/docs/Container/\347\233\221\346\216\247\345\256\211\345\205\250\345\256\271\345\231\250.md" similarity index 96% rename from "content/zh/docs/Container/\347\233\221\346\216\247\345\256\211\345\205\250\345\256\271\345\231\250.md" rename to "docs/zh/docs/Container/\347\233\221\346\216\247\345\256\211\345\205\250\345\256\271\345\231\250.md" index 35acb6ad27a8156a9c537f7dd2bb6453cd0084f7..7e7785a55e798b064c4186b983228e9fbaec12ea 100644 --- "a/content/zh/docs/Container/\347\233\221\346\216\247\345\256\211\345\205\250\345\256\271\345\231\250.md" +++ "b/docs/zh/docs/Container/\347\233\221\346\216\247\345\256\211\345\205\250\345\256\271\345\231\250.md" 
@@ -1,144 +1,144 @@ -# 监控安全容器 - -## 描述 - -kata events命令用于显示指定容器状态。包括但不限于容器内存、CPU、Pid、 Blkio、大页内存、网络等信息。 - -## 用法 - -``` -kata-runtime events [command options] -``` - -## 参数 - -- \-- interval value:设置查询周期。如果不使用该参数,默认查询周期为5秒。 -- \--stats: 显示容器信息并退出查询。 - -## 前置条件 - -要查询的容器状态必须为running,否则报错:Container ID \(\) does not exist。 - -该命令只支持查询监控一个容器的状态 - -## 示例 - -- 每隔三秒显示容器状态。 - - ``` - $ kata-runtime events --interval 3s 5779b2366f47 - { - "data": { - "blkio": {}, - "cpu": { - "throttling": {}, - "usage": { - "kernel": 130000000, - "percpu": [ - 214098440 - ], - "total": 214098440, - "user": 10000000 - } - }, - "hugetlb": {}, - "intel_rdt": {}, - "interfaces": [ - { - "name": "lo", - "rx_bytes": 0, - "rx_dropped": 0, - "rx_errors": 0, - "rx_packets": 0, - "tx_bytes": 0, - "tx_dropped": 0, - "tx_errors": 0, - "tx_packets": 0 - } - ], - "memory": { - "cache": 827392, - "kernel": { - "failcnt": 0, - "limit": 9223372036854771712, - "max": 421888, - "usage": 221184 - }, - "kernelTCP": { - "failcnt": 0, - "limit": 0 - }, - "raw": { - "active_anon": 49152, - "active_file": 40960, - "cache": 827392, - "dirty": 0, - "hierarchical_memory_limit": 9223372036854771712, - "hierarchical_memsw_limit": 9223372036854771712, - "inactive_anon": 0, - "inactive_file": 839680, - "mapped_file": 540672, - "pgfault": 6765, - "pgmajfault": 0, - "pgpgin": 12012, - "pgpgout": 11803, - "rss": 4096, - "rss_huge": 0, - "shmem": 32768, - "swap": 0, - "total_active_anon": 49152, - "total_active_file": 40960, - "total_cache": 827392, - "total_dirty": 0, - "total_inactive_anon": 0, - "total_inactive_file": 839680, - "total_mapped_file": 540672, - "total_pgfault": 6765, - "total_pgmajfault": 0, - "total_pgpgin": 12012, - "total_pgpgout": 11803, - "total_rss": 4096, - "total_rss_huge": 0, - "total_shmem": 32768, - "total_swap": 0, - "total_unevictable": 0, - "total_writeback": 0, - "unevictable": 0, - "writeback": 0 - }, - "swap": { - "failcnt": 0, - "limit": 9223372036854771712, - "max": 34201600, - "usage": 
1204224 - }, - "usage": { - "failcnt": 0, - "limit": 9223372036854771712, - "max": 34201600, - "usage": 1204224 - } - }, - "pids": { - "current": 1 - }, - "tcp": {}, - "tcp6": {}, - "udp": {}, - "udp6": {} - }, - "id": "5779b2366f47cd1468ebb1ba7c52cbdde3c7d3a5f2af3eefadc8356700fc860b", - "type": "stats" - } - ``` - - -- 显示容器状态并立即返回 - - ``` - kata-runtime events --stats - ``` - - 该命令返回内容的格式与上一条相同,区别为只显示一次信息后便退出。 - - +# 监控安全容器 + +## 描述 + +kata events命令用于显示指定容器状态。包括但不限于容器内存、CPU、Pid、 Blkio、大页内存、网络等信息。 + +## 用法 + +``` +kata-runtime events [command options] +``` + +## 参数 + +- \-- interval value:设置查询周期。如果不使用该参数,默认查询周期为5秒。 +- \--stats: 显示容器信息并退出查询。 + +## 前置条件 + +要查询的容器状态必须为running,否则报错:Container ID \(\) does not exist。 + +该命令只支持查询监控一个容器的状态 + +## 示例 + +- 每隔三秒显示容器状态。 + + ``` + $ kata-runtime events --interval 3s 5779b2366f47 + { + "data": { + "blkio": {}, + "cpu": { + "throttling": {}, + "usage": { + "kernel": 130000000, + "percpu": [ + 214098440 + ], + "total": 214098440, + "user": 10000000 + } + }, + "hugetlb": {}, + "intel_rdt": {}, + "interfaces": [ + { + "name": "lo", + "rx_bytes": 0, + "rx_dropped": 0, + "rx_errors": 0, + "rx_packets": 0, + "tx_bytes": 0, + "tx_dropped": 0, + "tx_errors": 0, + "tx_packets": 0 + } + ], + "memory": { + "cache": 827392, + "kernel": { + "failcnt": 0, + "limit": 9223372036854771712, + "max": 421888, + "usage": 221184 + }, + "kernelTCP": { + "failcnt": 0, + "limit": 0 + }, + "raw": { + "active_anon": 49152, + "active_file": 40960, + "cache": 827392, + "dirty": 0, + "hierarchical_memory_limit": 9223372036854771712, + "hierarchical_memsw_limit": 9223372036854771712, + "inactive_anon": 0, + "inactive_file": 839680, + "mapped_file": 540672, + "pgfault": 6765, + "pgmajfault": 0, + "pgpgin": 12012, + "pgpgout": 11803, + "rss": 4096, + "rss_huge": 0, + "shmem": 32768, + "swap": 0, + "total_active_anon": 49152, + "total_active_file": 40960, + "total_cache": 827392, + "total_dirty": 0, + "total_inactive_anon": 0, + "total_inactive_file": 839680, + 
"total_mapped_file": 540672, + "total_pgfault": 6765, + "total_pgmajfault": 0, + "total_pgpgin": 12012, + "total_pgpgout": 11803, + "total_rss": 4096, + "total_rss_huge": 0, + "total_shmem": 32768, + "total_swap": 0, + "total_unevictable": 0, + "total_writeback": 0, + "unevictable": 0, + "writeback": 0 + }, + "swap": { + "failcnt": 0, + "limit": 9223372036854771712, + "max": 34201600, + "usage": 1204224 + }, + "usage": { + "failcnt": 0, + "limit": 9223372036854771712, + "max": 34201600, + "usage": 1204224 + } + }, + "pids": { + "current": 1 + }, + "tcp": {}, + "tcp6": {}, + "udp": {}, + "udp6": {} + }, + "id": "5779b2366f47cd1468ebb1ba7c52cbdde3c7d3a5f2af3eefadc8356700fc860b", + "type": "stats" + } + ``` + + +- 显示容器状态并立即返回 + + ``` + kata-runtime events --stats + ``` + + 该命令返回内容的格式与上一条相同,区别为只显示一次信息后便退出。 + + diff --git "a/content/zh/docs/Container/\347\256\241\347\220\206\345\256\211\345\205\250\345\256\271\345\231\250\347\232\204\347\224\237\345\221\275\345\221\250\346\234\237.md" "b/docs/zh/docs/Container/\347\256\241\347\220\206\345\256\211\345\205\250\345\256\271\345\231\250\347\232\204\347\224\237\345\221\275\345\221\250\346\234\237.md" similarity index 96% rename from "content/zh/docs/Container/\347\256\241\347\220\206\345\256\211\345\205\250\345\256\271\345\231\250\347\232\204\347\224\237\345\221\275\345\221\250\346\234\237.md" rename to "docs/zh/docs/Container/\347\256\241\347\220\206\345\256\211\345\205\250\345\256\271\345\231\250\347\232\204\347\224\237\345\221\275\345\221\250\346\234\237.md" index 17648bbfddb7319853dd551af9a320e892548515..dce9e2e799bc6bd71df97264fe3839feca7505dc 100644 --- "a/content/zh/docs/Container/\347\256\241\347\220\206\345\256\211\345\205\250\345\256\271\345\231\250\347\232\204\347\224\237\345\221\275\345\221\250\346\234\237.md" +++ "b/docs/zh/docs/Container/\347\256\241\347\220\206\345\256\211\345\205\250\345\256\271\345\231\250\347\232\204\347\224\237\345\221\275\345\221\250\346\234\237.md" 
@@ -34,7 +34,7 @@ isula run -tid --runtime kata-runtime --network none busybox ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >安全容器网络使用仅支持CNI网络,不支持CNM网络,不支持使用-p和--expose暴露容器端口,使用安全容器时需指定参数--net=none。 4. 启动一个Pod @@ -99,7 +99,7 @@ docker rm -f docker exec -ti ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >1. 如遇到docker exec -ti进入容器的同时,另一终端执行docker restart或者docker stop命令造成exec界面卡住的情况,可使用Ctrl+P+Q退出docker exec操作界面。 >2. 如果使用-d参数则命令在后台执行,不会打印错误信息,其退出码也不能作为命令执行是否正确的判断依据。 diff --git "a/content/zh/docs/Container/\347\263\273\347\273\237\345\256\271\345\231\250.md" "b/docs/zh/docs/Container/\347\263\273\347\273\237\345\256\271\345\231\250.md" similarity index 99% rename from "content/zh/docs/Container/\347\263\273\347\273\237\345\256\271\345\231\250.md" rename to "docs/zh/docs/Container/\347\263\273\347\273\237\345\256\271\345\231\250.md" index f9432195d79c18e57e4f49fe5094a2be80aea1c4..9990642dc705743d0b96b5dd53930e30b3984431 100644 --- "a/content/zh/docs/Container/\347\263\273\347\273\237\345\256\271\345\231\250.md" +++ "b/docs/zh/docs/Container/\347\263\273\347\273\237\345\256\271\345\231\250.md" @@ -1,2 +1,2 @@ -# 系统容器 +# 系统容器 系统容器主要应对在重计算、高性能、大并发的场景下,重型应用和业务云化的问题。相比较虚拟机技术,系统容器可直接继承物理机特性,同时具备性能更优良,较少overhead的优点。从系统资源分配来看,系统容器在有限资源上相比虚拟机可分配更多计算单元,降低成本,通过系统容器可以构建产品的差异化竞争力,提供计算密度更高,价格更便宜,性能更优良的的计算单元实例。 \ No newline at end of file diff --git "a/content/zh/docs/Container/\347\273\237\350\256\241\344\277\241\346\201\257-4.md" "b/docs/zh/docs/Container/\347\273\237\350\256\241\344\277\241\346\201\257-4.md" similarity index 100% rename from "content/zh/docs/Container/\347\273\237\350\256\241\344\277\241\346\201\257-4.md" rename to "docs/zh/docs/Container/\347\273\237\350\256\241\344\277\241\346\201\257-4.md" 
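Review bot: In 系统容器.md (`@@ -1,2 +1,2 @@`), the heading line is replaced by one that reads the same, while the paragraph below it is left as context with the doubled particle in 性能更优良的的计算单元实例 and the file still ends with "\ No newline at end of file". Since the file is being touched anyway, fix 的的 to 的 and add the trailing newline in the same change.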
diff --git "a/content/zh/docs/Container/\351\200\232\350\277\207systemd\345\220\257\345\212\250\345\256\271\345\231\250.md" "b/docs/zh/docs/Container/\351\200\232\350\277\207systemd\345\220\257\345\212\250\345\256\271\345\231\250.md" similarity index 98% rename from "content/zh/docs/Container/\351\200\232\350\277\207systemd\345\220\257\345\212\250\345\256\271\345\231\250.md" rename to "docs/zh/docs/Container/\351\200\232\350\277\207systemd\345\220\257\345\212\250\345\256\271\345\231\250.md" index 401fe4720d49081620d8808d069728b6c042be46..a70e8dc59002233c3ddddb0a67c315f919c28b0d 100644 --- "a/content/zh/docs/Container/\351\200\232\350\277\207systemd\345\220\257\345\212\250\345\256\271\345\231\250.md" +++ "b/docs/zh/docs/Container/\351\200\232\350\277\207systemd\345\220\257\345\212\250\345\256\271\345\231\250.md" @@ -1,12 +1,12 @@ -# 通过systemd启动容器 - -## 功能描述 - -系统容器与普通容器最大的差异就在于容器启动的init进程,普通容器无法通过systemd启动系统服务,而系统容器具备这个能力,通过在启动容器时指定\--system-contianer参数可以使能systemd服务。 - -## 参数说明 - - +# 通过systemd启动容器 + +## 功能描述 + +系统容器与普通容器最大的差异就在于容器启动的init进程,普通容器无法通过systemd启动系统服务,而系统容器具备这个能力,通过在启动容器时指定\--system-contianer参数可以使能systemd服务。 + +## 参数说明 + + -

命令

参数

@@ -23,66 +23,66 @@
- -## 约束限制 - -- systemd服务需要调用一些特殊系统调用,包括mount、umount2、unshare、reboot以及name\_to\_handle\_at,所以在不开启特权容器标签的情况下,系统容器打开了调用上述接口的权限。 -- 系统容器都是init启动,init进程不响应表示正常退出的SIGTERM信号,stop默认在10s之后才会强制杀死容器。如果需要快速结束,可以手动指定stop的超时时间。 -- \--system-container必须配合\--external-rootfs参数一起使用。 -- 系统容器内支持运行各类服务,服务的启停通过systemctl来管理,服务之间可能会出现相互依赖关系导致异常情况下某些服务进程出现D/Z状态,使得容器无法正常退出。 -- 系统容器内的某些服务进程可能会影响其它操作结果,例如容器内若运行了NetworkManager服务,可能会影响向容器添加网卡的行为(网卡添加成功然后被NetworkManger停掉),导致不可预期的结果。 -- 系统容器和主机暂时无法实现udev事件隔离,所以fstab配置也暂不支持。 -- systemd服务可能和libcgroup提供的cgconfig服务在功能上出现冲突,建议在容器内去掉libcgroup相关的包或者配置cgconfig服务的Delegate值为no。 - -## 使用示例 - -- 指定\--system-container和\--external-rootfs参数启动系统容器。 - - ``` - [root@localhost ~]# isula run -tid -n systest01 --system-container --external-rootfs /root/myrootfs none init - ``` - -- 执行以上命令后容器成功运行,通过exec进容器查看进程信息,可看到systemd服务已启动。 - - ``` - [root@localhost ~]# isula exec -it systest01 bash - [root@localhost /]# ps -ef - UID PID PPID C STIME TTY TIME CMD - root 1 0 2 06:49 ? 00:00:00 init - root 14 1 2 06:49 ? 00:00:00 /usr/lib/systemd/systemd-journal - root 16 1 0 06:49 ? 00:00:00 /usr/lib/systemd/systemd-network - dbus 23 1 0 06:49 ? 00:00:00 /usr/bin/dbus-daemon --system -- - root 25 0 0 06:49 ? 00:00:00 bash - root 59 25 0 06:49 ? 00:00:00 ps –ef - ``` - - -- 容器内执行systemctl命令查看服务状态,可看到服务被systemd管理。 - - ``` - [root@localhost /]# systemctl status dbus - ● dbus.service - D-Bus System Message Bus - Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: - disabled) - Active: active (running) since Mon 2019-07-22 06:49:38 UTC; 2min 5 - 8s ago - Docs: man:dbus-daemon(1) - Main PID: 23 (dbus-daemon) - CGroup: /system.slice/dbus.service - └─23 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidf - ile --systemd-activation --syslog-only - - Jul 22 06:49:38 localhost systemd[1]: Started D-Bus System Message Bus. 
- ``` - -- 容器内通过systemctl stop/start服务,可看到服务被systemd管理。 - - ``` - [root@localhost /]# systemctl stop dbus - Warning: Stopping dbus.service, but it can still be activated by: - dbus.socket - [root@localhost /]# systemctl start dbus - ``` - - + + +## 约束限制 + +- systemd服务需要调用一些特殊系统调用,包括mount、umount2、unshare、reboot以及name\_to\_handle\_at,所以在不开启特权容器标签的情况下,系统容器打开了调用上述接口的权限。 +- 系统容器都是init启动,init进程不响应表示正常退出的SIGTERM信号,stop默认在10s之后才会强制杀死容器。如果需要快速结束,可以手动指定stop的超时时间。 +- \--system-container必须配合\--external-rootfs参数一起使用。 +- 系统容器内支持运行各类服务,服务的启停通过systemctl来管理,服务之间可能会出现相互依赖关系导致异常情况下某些服务进程出现D/Z状态,使得容器无法正常退出。 +- 系统容器内的某些服务进程可能会影响其它操作结果,例如容器内若运行了NetworkManager服务,可能会影响向容器添加网卡的行为(网卡添加成功然后被NetworkManger停掉),导致不可预期的结果。 +- 系统容器和主机暂时无法实现udev事件隔离,所以fstab配置也暂不支持。 +- systemd服务可能和libcgroup提供的cgconfig服务在功能上出现冲突,建议在容器内去掉libcgroup相关的包或者配置cgconfig服务的Delegate值为no。 + +## 使用示例 + +- 指定\--system-container和\--external-rootfs参数启动系统容器。 + + ``` + [root@localhost ~]# isula run -tid -n systest01 --system-container --external-rootfs /root/myrootfs none init + ``` + +- 执行以上命令后容器成功运行,通过exec进容器查看进程信息,可看到systemd服务已启动。 + + ``` + [root@localhost ~]# isula exec -it systest01 bash + [root@localhost /]# ps -ef + UID PID PPID C STIME TTY TIME CMD + root 1 0 2 06:49 ? 00:00:00 init + root 14 1 2 06:49 ? 00:00:00 /usr/lib/systemd/systemd-journal + root 16 1 0 06:49 ? 00:00:00 /usr/lib/systemd/systemd-network + dbus 23 1 0 06:49 ? 00:00:00 /usr/bin/dbus-daemon --system -- + root 25 0 0 06:49 ? 00:00:00 bash + root 59 25 0 06:49 ? 
00:00:00 ps –ef + ``` + + +- 容器内执行systemctl命令查看服务状态,可看到服务被systemd管理。 + + ``` + [root@localhost /]# systemctl status dbus + ● dbus.service - D-Bus System Message Bus + Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: + disabled) + Active: active (running) since Mon 2019-07-22 06:49:38 UTC; 2min 5 + 8s ago + Docs: man:dbus-daemon(1) + Main PID: 23 (dbus-daemon) + CGroup: /system.slice/dbus.service + └─23 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidf + ile --systemd-activation --syslog-only + + Jul 22 06:49:38 localhost systemd[1]: Started D-Bus System Message Bus. + ``` + +- 容器内通过systemctl stop/start服务,可看到服务被systemd管理。 + + ``` + [root@localhost /]# systemctl stop dbus + Warning: Stopping dbus.service, but it can still be activated by: + dbus.socket + [root@localhost /]# systemctl start dbus + ``` + + diff --git "a/content/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206-3.md" "b/docs/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206-3.md" similarity index 100% rename from "content/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206-3.md" rename to "docs/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206-3.md" diff --git "a/content/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206-4.md" "b/docs/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206-4.md" similarity index 100% rename from "content/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206-4.md" rename to "docs/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206-4.md" 
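Review bot: In 通过systemd启动容器.md, the `@@ -23,66 +23,66 @@` hunk re-adds the 约束限制 bullet with "NetworkManger" (should be NetworkManager, as spelled earlier in the same sentence) and the sample output line `ps –ef` with an en dash instead of the hyphen in `ps -ef` two lines above it. The `@@ -1,12 +1,12 @@` hunk of the same file likewise carries over `\--system-contianer` in 功能描述, which is the flag name readers will copy; it should be `--system-container`, matching the rest of the page. All three lines are already being rewritten here, so correct them in this change.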
diff --git "a/content/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206.md" "b/docs/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206.md" similarity index 95% rename from "content/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206.md" rename to "docs/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206.md" index f89089da77ba00f09e2892adc50a9e7a179289b9..f57540fd221f5632f7f185f9217f3836839b8d58 100644 --- "a/content/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206.md" +++ "b/docs/zh/docs/Container/\351\225\234\345\203\217\347\256\241\347\220\206.md" 
@@ -1,420 +1,420 @@ -# 镜像管理 - - - -- [镜像管理](#镜像管理) - - [docker镜像管理](#docker镜像管理) - - [登录到镜像仓库](#登录到镜像仓库) - - [从镜像仓库退出登录](#从镜像仓库退出登录) - - [从镜像仓库拉取镜像](#从镜像仓库拉取镜像) - - [删除镜像](#删除镜像) - - [加载镜像](#加载镜像) - - [列出镜像](#列出镜像) - - [检视镜像](#检视镜像) - - [双向认证](#双向认证) - - [embedded镜像管理](#embedded镜像管理) - - [加载镜像](#加载镜像-1) - - [列出镜像](#列出镜像-1) - - [检视镜像](#检视镜像-1) - - [删除镜像](#删除镜像-1) - - - - -## docker镜像管理 - -### 登录到镜像仓库 - -#### 描述 - -isula login命令用于登录到镜像仓库。登录成功后可以使用isula pull命令从该镜像仓库拉取镜像。如果镜像仓库不需要密码,则拉取镜像前不需要执行该命令。 - -#### 用法 - -``` -isula login [OPTIONS] SERVER -``` - -#### 参数 - -login命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表1 表1-20 login命令参数列表" 。 - -#### 示例 - -``` -$ isula login -u abc my.csp-edge.com:5000 - -Login Succeeded -``` - -### 从镜像仓库退出登录 - -#### 描述 - -isula logout命令用于从镜像仓库退出登录。退出登录成功后再执行isula pull命令从该镜像仓库拉取镜像会因为未认证而拉取失败。 - -#### 用法 - -``` -isula logout SERVER -``` - -#### 参数 - -logout命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表2 logout命令参数列表"。 - -#### 示例 - -``` -$ isula logout my.csp-edge.com:5000 -Logout Succeeded -``` - -### 从镜像仓库拉取镜像 - -#### 描述 - -从镜像仓库拉取镜像到本地。 - -#### 用法 - -``` -isula pull [OPTIONS] NAME[:TAG|@DIGEST] -``` - -#### 参数 - -login命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表3 pull命令参数列表"。 - -#### 示例 - -``` -$ isula pull localhost:5000/official/busybox -Image "localhost:5000/official/busybox" pulling -Image "localhost:5000/official/busybox@sha256:bf510723d2cd2d4e3f5ce7e93bf1e52c8fd76831995ac3bd3f90ecc866643aff" pulled -``` - -### 删除镜像 - -#### 描述 - -删除一个或多个镜像。 - -#### 用法 - -``` -isula rmi [OPTIONS] IMAGE [IMAGE...] 
-``` - -#### 参数 - -rmi命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表4 rmi命令参数列表"。 - -#### 示例 - -``` -$ isula rmi rnd-dockerhub.huawei.com/official/busybox -Image "rnd-dockerhub.huawei.com/official/busybox" removed -``` - -### 加载镜像 - -#### 描述 - -从一个tar包加载镜像。该tar包必须是使用docker save命令导出的tar包或格式一致的tar包。 - -#### 用法 - -``` -isula load [OPTIONS] -``` - -#### 参数 - -load命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表5 load命令参数列表"。 - -#### 示例 - -``` -$ isula load -i busybox.tar -Load image from "/root/busybox.tar" success -``` - -### 列出镜像 - -#### 描述 - -列出当前环境中所有镜像。 - -#### 用法 - -``` -isula images -``` - -#### 参数 - -images命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表6 images命令参数列表"。 - -#### 示例 - -``` -$ isula images -REF IMAGE ID CREATED SIZE -rnd-dockerhub.huawei.com/official/busybox:latest e4db68de4ff2 2019-06-15 08:19:54 1.376 MB -``` - -### 检视镜像 - -#### 描述 - -返回该镜像的配置信息。可以使用-f参数过滤出需要的信息。 - -#### 用法 - -``` -isula inspect [options] CONTAINER|IMAGE [CONTAINER|IMAGE...] -``` - -#### 参数 - -inspect命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表7 inspect命令参数列表"。 - -#### 示例 - -``` -$ isula inspect -f "{{json .image.id}}" rnd-dockerhub.huawei.com/official/busybox -"e4db68de4ff27c2adfea0c54bbb73a61a42f5b667c326de4d7d5b19ab71c6a3b" -``` - -### 双向认证 - -#### 描述 - -开启该功能后isulad和镜像仓库之间的通信采用https通信,isulad和镜像仓库都会验证对方的合法性。 - -#### 用法 - -要支持该功能,需要镜像仓库支持该功能,同时isulad也需要做相应的配置: - -1. 修改isulad的配置\(默认路径/etc/isulad/daemon.json\),将配置里的use-decrypted-key项配置为false。 -2. 需要将相关的证书放置到/etc/isulad/certs.d目录下对应的镜像仓库命名的文件夹下,证书具体的生成方法见docker的官方链接: - - [https://docs.docker.com/engine/security/certificates/](https://docs.docker.com/engine/security/certificates/) - - [https://docs.docker.com/engine/security/https/](https://docs.docker.com/engine/security/https/) - - -1. 
执行systemctl restart isulad重启isulad。 - -#### 参数 - -可以在/etc/isulad/daemon.json中配置参数,也可以在启动isulad时携带参数: - -``` -isulad --use-decrypted-key=false -``` - -#### 示例 - -配置use-decrypted-key参数为false - -``` -$ cat /etc/isulad/daemon.json -{ - "group": "isulad", - "graph": "/var/lib/isulad", - "state": "/var/run/isulad", - "engine": "lcr", - "log-level": "ERROR", - "pidfile": "/var/run/isulad.pid", - "log-opts": { - "log-file-mode": "0600", - "log-path": "/var/lib/isulad", - "max-file": "1", - "max-size": "30KB" - }, - "log-driver": "stdout", - "hook-spec": "/etc/default/isulad/hooks/default.json", - "start-timeout": "2m", - "storage-driver": "overlay2", - "storage-opts": [ - "overlay2.override_kernel_check=true" - ], - "registry-mirrors": [ - "docker.io" - ], - "insecure-registries": [ - "rnd-dockerhub.huawei.com" - ], - "pod-sandbox-image": "", - "image-opt-timeout": "5m", - "native.umask": "secure", - "network-plugin": "", - "cni-bin-dir": "", - "cni-conf-dir": "", - "image-layer-check": false, - "use-decrypted-key": false, - "insecure-skip-verify-enforce": false -} -``` - -将证书放到对应的目录下 - -``` -$ pwd -/etc/isulad/certs.d/my.csp-edge.com:5000 -$ ls -ca.crt tls.cert tls.key -``` - -重启isulad - -``` -$ systemctl restart isulad -``` - -执行pull命令从仓库下载镜像 - -``` -$ isula pull my.csp-edge.com:5000/busybox -Image "my.csp-edge.com:5000/busybox" pulling -Image "my.csp-edge.com:5000/busybox@sha256:f1bdc62115dbfe8f54e52e19795ee34b4473babdeb9bc4f83045d85c7b2ad5c0" pulled -``` - -## embedded镜像管理 - -### 加载镜像 - -#### 描述 - -根据embedded镜像的manifest加载镜像。注意--type的值必须填写embedded。 - -#### 用法 - -``` -isula load [OPTIONS] --input=FILE --type=TYPE -``` - -#### 参数 - -load命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表5 load命令参数列表"。 - -#### 示例 - -``` -$ isula load -i test.manifest --type embedded -Load image from "/root/work/bugfix/tmp/ci_testcase_data/embedded/img/test.manifest" success -``` - -### 列出镜像 - -#### 描述 - -列出当前环境中所有镜像。 - -#### 用法 - -``` -isula images [OPTIONS] -``` - -#### 参数 - -images命令支持参数请参见"附录 > 命令行参数说明" 章节的 
"表6 images命令参数列表"。 - -#### 示例 - -``` -$ isula images -REF IMAGE ID CREATED SIZE -test:v1 9319da1f5233 2018-03-01 10:55:44 1.273 MB -``` - -### 检视镜像 - -#### 描述 - -返回该镜像的配置信息。可以使用-f参数过滤出需要的信息。 - -#### 用法 - -``` -isula inspect [options] CONTAINER|IMAGE [CONTAINER|IMAGE...] -``` - -#### 参数 - -inspect命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表7 inspect命令参数列表"。 - -#### 示例 - -``` -$ isula inspect -f "{{json .created}}" test:v1 -"2018-03-01T15:55:44.322987811Z" -``` - -### 删除镜像 - -#### 描述 - -删除一个或多个镜像。 - -#### 用法 - -``` -isula rmi [OPTIONS] IMAGE [IMAGE...] -``` - -#### 参数 - -rmi命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表4 rmi命令参数列表"。 - -#### 示例 - -``` -$ isula rmi test:v1 -Image "test:v1" removed -``` - -### 添加名称 - -#### 描述 - -给镜像添加一个名称。 - -#### 用法 - -``` -isula tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG] -``` - -#### 参数 - -tag命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表8 tag命令参数列表"。 - -#### 示例 - -``` -$ isula tag test:v1 test:v2 -``` - -### 导入镜像 - -#### 描述 - -将tar格式的rootfs导入生成一个新的镜像,该tar包必须是通过export命令导出的tar包。 - -#### 用法 - -``` -isula export [command options] [ID|NAME] -``` - -#### 参数 - -export命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表9 export命令参数列表"。 - -#### 示例 - -``` -$ isula export -o test.tar containername -``` +# 镜像管理 + + + +- [镜像管理](#镜像管理) + - [docker镜像管理](#docker镜像管理) + - [登录到镜像仓库](#登录到镜像仓库) + - [从镜像仓库退出登录](#从镜像仓库退出登录) + - [从镜像仓库拉取镜像](#从镜像仓库拉取镜像) + - [删除镜像](#删除镜像) + - [加载镜像](#加载镜像) + - [列出镜像](#列出镜像) + - [检视镜像](#检视镜像) + - [双向认证](#双向认证) + - [embedded镜像管理](#embedded镜像管理) + - [加载镜像](#加载镜像-1) + - [列出镜像](#列出镜像-1) + - [检视镜像](#检视镜像-1) + - [删除镜像](#删除镜像-1) + + + + +## docker镜像管理 + +### 登录到镜像仓库 + +#### 描述 + +isula login命令用于登录到镜像仓库。登录成功后可以使用isula pull命令从该镜像仓库拉取镜像。如果镜像仓库不需要密码,则拉取镜像前不需要执行该命令。 + +#### 用法 + +``` +isula login [OPTIONS] SERVER +``` + +#### 参数 + +login命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表1 表1-20 login命令参数列表" 。 + +#### 示例 + +``` +$ isula login -u abc my.csp-edge.com:5000 + +Login Succeeded +``` + +### 从镜像仓库退出登录 + +#### 描述 + +isula logout命令用于从镜像仓库退出登录。退出登录成功后再执行isula pull命令从该镜像仓库拉取镜像会因为未认证而拉取失败。 + +#### 用法 + +``` +isula logout 
SERVER +``` + +#### 参数 + +logout命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表2 logout命令参数列表"。 + +#### 示例 + +``` +$ isula logout my.csp-edge.com:5000 +Logout Succeeded +``` + +### 从镜像仓库拉取镜像 + +#### 描述 + +从镜像仓库拉取镜像到本地。 + +#### 用法 + +``` +isula pull [OPTIONS] NAME[:TAG|@DIGEST] +``` + +#### 参数 + +login命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表3 pull命令参数列表"。 + +#### 示例 + +``` +$ isula pull localhost:5000/official/busybox +Image "localhost:5000/official/busybox" pulling +Image "localhost:5000/official/busybox@sha256:bf510723d2cd2d4e3f5ce7e93bf1e52c8fd76831995ac3bd3f90ecc866643aff" pulled +``` + +### 删除镜像 + +#### 描述 + +删除一个或多个镜像。 + +#### 用法 + +``` +isula rmi [OPTIONS] IMAGE [IMAGE...] +``` + +#### 参数 + +rmi命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表4 rmi命令参数列表"。 + +#### 示例 + +``` +$ isula rmi rnd-dockerhub.huawei.com/official/busybox +Image "rnd-dockerhub.huawei.com/official/busybox" removed +``` + +### 加载镜像 + +#### 描述 + +从一个tar包加载镜像。该tar包必须是使用docker save命令导出的tar包或格式一致的tar包。 + +#### 用法 + +``` +isula load [OPTIONS] +``` + +#### 参数 + +load命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表5 load命令参数列表"。 + +#### 示例 + +``` +$ isula load -i busybox.tar +Load image from "/root/busybox.tar" success +``` + +### 列出镜像 + +#### 描述 + +列出当前环境中所有镜像。 + +#### 用法 + +``` +isula images +``` + +#### 参数 + +images命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表6 images命令参数列表"。 + +#### 示例 + +``` +$ isula images +REF IMAGE ID CREATED SIZE +rnd-dockerhub.huawei.com/official/busybox:latest e4db68de4ff2 2019-06-15 08:19:54 1.376 MB +``` + +### 检视镜像 + +#### 描述 + +返回该镜像的配置信息。可以使用-f参数过滤出需要的信息。 + +#### 用法 + +``` +isula inspect [options] CONTAINER|IMAGE [CONTAINER|IMAGE...] +``` + +#### 参数 + +inspect命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表7 inspect命令参数列表"。 + +#### 示例 + +``` +$ isula inspect -f "{{json .image.id}}" rnd-dockerhub.huawei.com/official/busybox +"e4db68de4ff27c2adfea0c54bbb73a61a42f5b667c326de4d7d5b19ab71c6a3b" +``` + +### 双向认证 + +#### 描述 + +开启该功能后isulad和镜像仓库之间的通信采用https通信,isulad和镜像仓库都会验证对方的合法性。 + +#### 用法 + +要支持该功能,需要镜像仓库支持该功能,同时isulad也需要做相应的配置: + +1. 
修改isulad的配置\(默认路径/etc/isulad/daemon.json\),将配置里的use-decrypted-key项配置为false。 +2. 需要将相关的证书放置到/etc/isulad/certs.d目录下对应的镜像仓库命名的文件夹下,证书具体的生成方法见docker的官方链接: + - [https://docs.docker.com/engine/security/certificates/](https://docs.docker.com/engine/security/certificates/) + - [https://docs.docker.com/engine/security/https/](https://docs.docker.com/engine/security/https/) + + +1. 执行systemctl restart isulad重启isulad。 + +#### 参数 + +可以在/etc/isulad/daemon.json中配置参数,也可以在启动isulad时携带参数: + +``` +isulad --use-decrypted-key=false +``` + +#### 示例 + +配置use-decrypted-key参数为false + +``` +$ cat /etc/isulad/daemon.json +{ + "group": "isulad", + "graph": "/var/lib/isulad", + "state": "/var/run/isulad", + "engine": "lcr", + "log-level": "ERROR", + "pidfile": "/var/run/isulad.pid", + "log-opts": { + "log-file-mode": "0600", + "log-path": "/var/lib/isulad", + "max-file": "1", + "max-size": "30KB" + }, + "log-driver": "stdout", + "hook-spec": "/etc/default/isulad/hooks/default.json", + "start-timeout": "2m", + "storage-driver": "overlay2", + "storage-opts": [ + "overlay2.override_kernel_check=true" + ], + "registry-mirrors": [ + "docker.io" + ], + "insecure-registries": [ + "rnd-dockerhub.huawei.com" + ], + "pod-sandbox-image": "", + "image-opt-timeout": "5m", + "native.umask": "secure", + "network-plugin": "", + "cni-bin-dir": "", + "cni-conf-dir": "", + "image-layer-check": false, + "use-decrypted-key": false, + "insecure-skip-verify-enforce": false +} +``` + +将证书放到对应的目录下 + +``` +$ pwd +/etc/isulad/certs.d/my.csp-edge.com:5000 +$ ls +ca.crt tls.cert tls.key +``` + +重启isulad + +``` +$ systemctl restart isulad +``` + +执行pull命令从仓库下载镜像 + +``` +$ isula pull my.csp-edge.com:5000/busybox +Image "my.csp-edge.com:5000/busybox" pulling +Image "my.csp-edge.com:5000/busybox@sha256:f1bdc62115dbfe8f54e52e19795ee34b4473babdeb9bc4f83045d85c7b2ad5c0" pulled +``` + +## embedded镜像管理 + +### 加载镜像 + +#### 描述 + +根据embedded镜像的manifest加载镜像。注意--type的值必须填写embedded。 + +#### 用法 + +``` +isula load [OPTIONS] --input=FILE 
--type=TYPE +``` + +#### 参数 + +load命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表5 load命令参数列表"。 + +#### 示例 + +``` +$ isula load -i test.manifest --type embedded +Load image from "/root/work/bugfix/tmp/ci_testcase_data/embedded/img/test.manifest" success +``` + +### 列出镜像 + +#### 描述 + +列出当前环境中所有镜像。 + +#### 用法 + +``` +isula images [OPTIONS] +``` + +#### 参数 + +images命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表6 images命令参数列表"。 + +#### 示例 + +``` +$ isula images +REF IMAGE ID CREATED SIZE +test:v1 9319da1f5233 2018-03-01 10:55:44 1.273 MB +``` + +### 检视镜像 + +#### 描述 + +返回该镜像的配置信息。可以使用-f参数过滤出需要的信息。 + +#### 用法 + +``` +isula inspect [options] CONTAINER|IMAGE [CONTAINER|IMAGE...] +``` + +#### 参数 + +inspect命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表7 inspect命令参数列表"。 + +#### 示例 + +``` +$ isula inspect -f "{{json .created}}" test:v1 +"2018-03-01T15:55:44.322987811Z" +``` + +### 删除镜像 + +#### 描述 + +删除一个或多个镜像。 + +#### 用法 + +``` +isula rmi [OPTIONS] IMAGE [IMAGE...] +``` + +#### 参数 + +rmi命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表4 rmi命令参数列表"。 + +#### 示例 + +``` +$ isula rmi test:v1 +Image "test:v1" removed +``` + +### 添加名称 + +#### 描述 + +给镜像添加一个名称。 + +#### 用法 + +``` +isula tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG] +``` + +#### 参数 + +tag命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表8 tag命令参数列表"。 + +#### 示例 + +``` +$ isula tag test:v1 test:v2 +``` + +### 导入镜像 + +#### 描述 + +将tar格式的rootfs导入生成一个新的镜像,该tar包必须是通过export命令导出的tar包。 + +#### 用法 + +``` +isula export [command options] [ID|NAME] +``` + +#### 参数 + +export命令支持参数请参见"附录 > 命令行参数说明" 章节的 "表9 export命令参数列表"。 + +#### 示例 + +``` +$ isula export -o test.tar containername +``` diff --git "a/content/zh/docs/Container/\351\231\204\345\275\225-2.md" "b/docs/zh/docs/Container/\351\231\204\345\275\225-2.md" similarity index 100% rename from "content/zh/docs/Container/\351\231\204\345\275\225-2.md" rename to "docs/zh/docs/Container/\351\231\204\345\275\225-2.md" 
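Review bot: The whole-file rewrite in `@@ -1,420 +1,420 @@` of 镜像管理.md hides whatever actually changed: all 420 lines appear on both the - and + side with text that reads identically. If this is a line-ending or whitespace normalization, say so in the commit message or split it from the rename so the content diff is reviewable. Since every line is touched anyway, the carried-over errors could be fixed here: the 参数 text under 从镜像仓库拉取镜像 begins with `login命令` although it points at the pull table, the login reference reads `表1 表1-20`, the 导入镜像 section shows `isula export` in both 用法 and 示例 instead of an import command, the third step of 双向认证 restarts numbering at `1.`, and the table of contents omits 添加名称 and 导入镜像. In the 双向认证 example, consider stating the expected file permissions for `tls.key` under /etc/isulad/certs.d and whether the `insecure-registries` entry shown in daemon.json is meant to remain in a mutual-authentication setup.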
diff --git "a/content/zh/docs/Container/\351\231\204\345\275\225-3.md" "b/docs/zh/docs/Container/\351\231\204\345\275\225-3.md" similarity index 99% rename from "content/zh/docs/Container/\351\231\204\345\275\225-3.md" rename to "docs/zh/docs/Container/\351\231\204\345\275\225-3.md" index 0e73dca0d1fbe538ba4ae637e6c434d9676cd229..f8d0043c04700d1d09f8ef600e0578374378186e 100644 --- "a/content/zh/docs/Container/\351\231\204\345\275\225-3.md" +++ "b/docs/zh/docs/Container/\351\231\204\345\275\225-3.md" @@ -5,7 +5,7 @@ ## configuration-toml配置说明 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >configuration.toml配置文件中各个字段的取值以kata-containers-.rpm包中的configuration.toml文件为准,不支持用户对配置文件中的字段任意取值。 ``` @@ -126,14 +126,14 @@ experimental :开启实验特性,不支持用户自定义配置

设置网卡的主机端名称

-

必选。支持字母、数字、下划线“_”、“-” 以及“.”字符,必须以字母开头,且长度不超过15。需要确保同一个宿主机上device不能重复。

+

必选。支持字母、数字、下划线“\_”、“-” 以及“.”字符,必须以字母开头,且长度不超过15。需要确保同一个宿主机上device不能重复。

name

设置网卡的容器内名称

-

必选。支持字母、数字、下划线“_”、“-” 以及“.”字符,必须以字母开头,且长度不超过15。需要确保同一个Sandbox内name不能重复。

+

必选。支持字母、数字、下划线“\_”、“-” 以及“.”字符,必须以字母开头,且长度不超过15。需要确保同一个Sandbox内name不能重复。

IPAddresses

diff --git "a/content/zh/docs/Container/\351\231\204\345\275\225.md" "b/docs/zh/docs/Container/\351\231\204\345\275\225.md" similarity index 100% rename from "content/zh/docs/Container/\351\231\204\345\275\225.md" rename to "docs/zh/docs/Container/\351\231\204\345\275\225.md" diff --git a/docs/zh/docs/Installation/FAQ-1.md b/docs/zh/docs/Installation/FAQ-1.md new file mode 100644 index 0000000000000000000000000000000000000000..359d8c23fe65b0a24fbad4b89396fee9e7b20511 --- /dev/null +++ b/docs/zh/docs/Installation/FAQ-1.md 
@@ -0,0 +1,54 @@ +# FAQ + + +- [FAQ](#faq) + - [树莓派启动失败](#树莓派启动失败) + - [nmcli 命令连接 WIFI 失败](#nmcli-命令连接-wifi-失败) + + + +## 树莓派启动失败 + +### 问题现象 + +将 openEuler 发布的树莓派镜像刷写入 SD 卡后,树莓派启动失败。 + +### 原因分析 + +刷写 openEuler 发布的树莓派镜像后,树莓派启动失败,大致有以下几种情况: + +1. 下载的镜像文件不完整,请确保该镜像通过完整性校验。 +2. 镜像写入 SD 卡过程中出现问题,多出现在 Windows 环境下使用应用软件刷写镜像到 SD 卡的情况。 + +### 解决方法 + +将完整的镜像重新刷写入 SD 卡。 + +## nmcli 命令连接 WIFI 失败 + +### 问题现象 + +执行 `nmcli dev wifi connect SSID password PWD` 命令连接 WIFI 失败。例如提示 `Error: Connection activation failed: (7) Secrets were required, but not provided.` 等错误。 + +### 原因分析 + +执行的命令缺少密码。注意,如果密码中包含特殊字符,需要使用单引号将密码括起来。如果使用 nmcli 命令行连接 WIFI 失败,建议使用 nmtui 字符界面进行连接。 + +### 解决方法 + +执行 `nmtui` 命令进入到 nmtui 字符界面,按照以下步骤连接 WIFI。 + +1. 选择 `Edit a connection`,按 `Enter` 进入编辑网络连接窗口。 +2. 按下键盘右方向键选择 `Add`,按 `Enter` 进入新建网络连接窗口。 +3. 连接类型选择 `Wi-Fi` ,然后按下键盘右方向键选择 `Create`,按 `Enter` 进入 WIFI 编辑连接信息的界面。 +4. WIFI 连接信息界面主要需要编辑以下内容,其他信息根据实际情况而定。编辑结束后选择 `OK`,按 `Enter` 完成编辑并回退到编辑网络连接窗口。 + 1. `Profile name` 栏输入该 WIFI 连接的名称,这里可以使用默认名称,如 `Wi-Fi connection 1`; + 2. `Device` 栏输入要使用的无线网卡接口,这里输入 `wlan0`; + 3. `SSID` 栏输入要连接的 WIFI 的 SSID; + 4. `Security` 栏选择 WIFI 密码加密方式,这里根据实际情况选择,例如选择 `WPA & WPA2 Personal`; + 5. `Password` 栏输入 WIFI 密码。 + +5. 选择 `Back` 回退到最初的 nmtui 字符界面。 +6. 选择 `Activate a connection`,按 `Enter` 进入激活网络连接窗口。 +7. 查看添加的 WIFI 连接是否已激活(已激活的连接名称前有 `*` 标记)。如果未激活,选择该 WIFI 连接,然后按下键盘右方向键选择 `Activate`,按 `Enter` 激活该连接。待激活完成后,选择 `Back`,按 `Enter` 退出该激活界面,回退到最初的 nmtui 字符界面。 +8. 选择 `Quit`,然后按下键盘右方向键选择 `OK`,按 `Enter` 退出 nmtui 字符界面。 \ No newline at end of file diff --git a/content/zh/docs/Installation/FAQ.md b/docs/zh/docs/Installation/FAQ.md similarity index 77% rename from content/zh/docs/Installation/FAQ.md rename to docs/zh/docs/Installation/FAQ.md index 07a428057c41869e9b8ead8489e8b4d764cb543f..277485bc497d5275bd66f57761e527d326e5f344 100644 --- a/content/zh/docs/Installation/FAQ.md +++ b/docs/zh/docs/Installation/FAQ.md 
@@ -1,17 +1,5 @@ # FAQ - -- [FAQ](#faq) - - [安装openEuler时选择第二盘位为安装目标,操作系统无法启动](#安装openeuler时选择第二盘位为安装目标操作系统无法启动) - - [网络配置约束限制](#网络配置约束限制) - - [openEuler开机后进入emergency模式](#openeuler开机后进入emergency模式) - - [系统中存在无法激活的逻辑卷组时,重装系统失败](#系统中存在无法激活的逻辑卷组时重装系统失败) - - [选择安装源出现异常](#选择安装源出现异常) - - [如何手动开启kdump服务](#如何手动开启kdump服务) - - [多块磁盘组成逻辑卷安装系统后,再次安装不能只选其中一块磁盘](#多块磁盘组成逻辑卷安装系统后再次安装不能只选其中一块磁盘) - - [x86物理机UEFI模式由于security boot安全选项问题无法安装](#x86物理机uefi模式由于security-boot安全选项问题无法安装) - - ## 安装openEuler时选择第二盘位为安装目标,操作系统无法启动 @@ -35,30 +23,6 @@ - 当系统处于安装过程中,在选择磁盘(选择第一块或者两块都选择)后,指定引导程序安装到第一块盘sda中。 - 当系统已经安装完成,若BIOS支持选择从哪个磁盘启动,则可以通过修改BIOS中磁盘启动顺序,尝试重新启动系统。 -## 网络配置约束限制 - -NetworkManager、network两个服务均是网络服务管理包,两个服务之间存在部分功能重叠。 - -- 如果使用NetworkManager管理服务,则必须使用nmcli命令或修改配置文件来配置网络(如IP、路由等),而不能使用ip/ifconfig/route命令来配置。 - - >![](public_sys-resources/icon-note.gif) **说明:** - >在开启NetworkManager服务的场景下,使用ip/ifconfig/route等命令配置网络,则一段时间后配置会被NetworkManager覆盖,导致 ip/ifconfig/route配置不生效。 - - 查看NetworkManager 服务是否开启: - - ``` - systemctl status NetworkManager - ``` - - >![](public_sys-resources/icon-note.gif) **说明:** - >nmcli命令使用参考“nmcli \--help”或者“man nmcli”。 - -- 如果要使用ip/ifconfig/route等命令来管理网络,请先关闭NetworkManager服务,使用如下命令: - - ``` - systemctl stop NetworkManager - ``` - ## openEuler开机后进入emergency模式 @@ -66,7 +30,7 @@ NetworkManager、network两个服务均是网络服务管理包,两个服务 openEuler系统开机后进入emergency模式,如下图所示: -![](figures/zh-cn_image_0229291264.jpg) +![](./figures/zh-cn_image_0229291264.jpg) ### 原因分析 @@ -79,7 +43,7 @@ openEuler系统开机后进入emergency模式,如下图所示: 1. 用户直接输入root账号的密码,登录系统。 2. 使用fsck工具,检测并修复文件系统,然后重启。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >fsck(file system check)用来检查和维护不一致的文件系统。若系统掉电或磁盘发生问题,可利用fsck命令对文件系统进行检查。 用户可以通过“fsck.ext3 -h”、“fsck.ext4 -h”命令查看fsck的使用方法。 
@@ -167,7 +131,7 @@ UUID=afcc811f-4b20-42fc-9d31-7307a8cfe0df /boot ext4 defaults,x-systemd.device-t 执行systemctl status kdump命令,显示状态信息如下,提示无预留内存。 -![](figures/zh-cn_image_0229291280.png) +![](./figures/zh-cn_image_0229291280.png) ### 原因分析 @@ -187,7 +151,7 @@ kdump服务需要系统预留一段内存用于运行kdump内核,而当前系 若回显如下,即kdump的状态为active,说明kdump已使能,操作结束。 - ![](figures/zh-cn_image_0229291272.png) + ![](./figures/zh-cn_image_0229291272.png) ### 参数说明 @@ -254,7 +218,7 @@ kdump内核预留内存参数说明如下: 在安装系统时,如果之前的系统选择多块磁盘组成逻辑卷进行安装,再次安装时,如果只选择了其中的一块或几块磁盘,没有全部选择,在保存配置时提示配置错误,如[图1](#fig115949762617)所示。 **图 1** 配置错误提示 -![](figures/配置错误提示.png "配置错误提示") +![](./figures/Configuration_error_prompt.png) ### 原因分析 @@ -270,7 +234,7 @@ kdump内核预留内存参数说明如下: vgs ``` - ![](figures/zh-cn_image_0231657950.png) + ![](./figures/zh-cn_image_0231657950.png) 2. 执行如下命令,删除卷组。 @@ -284,7 +248,7 @@ kdump内核预留内存参数说明如下: systemctl restart anaconda ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >图形模式下也可以按“Ctrl+Alt+F6”回到图形界面,点击[图1](#fig115949762617)右下角的“Refresh”刷新存储配置生效。 @@ -295,7 +259,7 @@ kdump内核预留内存参数说明如下: x86物理机安装系统时,由于设置了BIOS选项security boot 为enable(默认是disable),导致系统一直停留在“No bootable device”提示界面,无法继续安装,如[图2](#fig115949762617)所示。 **图 2** “No bootable device”提示界面 -![](figures/No-bootable-device-提示界面.png "No-bootable-device-提示界面") +![](./figures/No-bootable-device.png) ### 原因分析 
@@ -307,16 +271,70 @@ x86物理机安装系统时,由于设置了BIOS选项security boot 为enable 1. 系统启动时,按“F11”,输入密码“Admin@9000”进入BIOS。 - ![](figures/BIOS.png) + ![](./figures/BIOS.png) 2. 选择进入Administer Secure Boot。 - ![](figures/security.png) + ![](./figures/security.png) 3. 设置Enforce Secure Boot为Disabled。 - ![](figures/选择.png) + ![](./figures/select.png) - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >设置security boot为disable之后,保存退出,重新安装即可。 +## 安装openEuler时,软件选择页面选择“服务器-性能工具”,安装后messages日志有pmie_check报错信息 + +### 问题现象 + +安装系统时软件选择勾选服务器-性能工具,会安装pcp相关软件包,正常安装并重启后,/var/log/messages日志文件中会产生报错:pmie_check failed in /usr/share/pcp/lib/pmie。 + +### 原因分析 + +anaconda不支持在chroot环境中安装selinux策略模块,当安装pcp-selinux时,postin脚本安装pcp相关selinux策略模块执行失败,从而导致重启后产生报错。 + +### 解决办法 + +完成安装并重启后,以下方法选择其一。 + +1. 执行如下命令,安装selinux策略模块pcpupstream + ``` + /usr/libexec/pcp/bin/selinux-setup /var/lib/pcp/selinux install "pcpupstream" + ``` + +2. 重新安装pcp-selinux + ``` + sudo dnf reinstall pcp-selinux + ``` + +## 在两块已经安装了系统的磁盘上进行重复选择,并自定义分区时,安装失败 + +### 问题现象 +用户在安装操作系统过程中,存在两块都已经安装过的磁盘,此时如果先选择一块盘,进行自定义分区,然后点击取消按钮,再选择第二块盘,并进行自定义分区时,会出现安装失败。 + +![](./figures/cancle_disk.png) +![](./figures/custom_paratition.png) + +### 原因分析 +用户存在两次选择磁盘的操作,当前点击取消后,再选择第二块磁盘,磁盘信息不正确,导致安装失败。 + +### 解决方法 +直接选择目标磁盘进行自定义分区,请勿频繁取消操作,如果一定要进行取消重选建议重新安装。 + +### issue访问链接 +https://gitee.com/src-openeuler/anaconda/issues/I29P84?from=project-issue + +## 安装LSI MegaRAID卡的物理机kdump无法生成vmcore + +### 问题现象 +部署好kdump服务后,手动执行`echo c > /proc/sysrq-trigger`命令或由于kernel故障导致kernel宕机,触发kdump启动second kernel过程中,MegaRAID驱动报错“BRCM Debug mfi stat 0x2d,data len requested/completed 0x200/0x0”,报错信息如下图,最终导致无法生成vmcore。 + +![](./figures/Megaraid_IO_Request_uncompleted.png) + +### 原因分析 +由于默认配置了reset_devices启动参数,second kernel启动过程中会触发设备复位(reset_devices)操作,设备复位操作导致MegaRAID控制器或磁盘状态故障,转储vmcore文件时访问MegaRAID卡的磁盘报错,进而无法生成vmcore。 + +### 解决方法 +在物理机`etc/sysconfig/kdump`文件中将second kernel默认启动参数`reset_devices`删除,可以规避second 
kernel启动过程中由于MegaRAID卡驱动复位设备所致IO请求未完成问题,以成功生成vmcore。 +![](./figures/reset_devices.png) \ No newline at end of file diff --git a/docs/zh/docs/Installation/figures/Advanced_User_Configuration.png b/docs/zh/docs/Installation/figures/Advanced_User_Configuration.png new file mode 100644 index 0000000000000000000000000000000000000000..38e85407a1e51c2244e9da75d59b997a6784341b Binary files /dev/null and b/docs/zh/docs/Installation/figures/Advanced_User_Configuration.png differ diff --git "a/content/zh/docs/Installation/figures/\350\207\252\345\212\250\345\214\226\345\256\211\350\243\205\345\256\214\346\210\220.png" b/docs/zh/docs/Installation/figures/Automatic_installation_complete.png similarity index 100% rename from "content/zh/docs/Installation/figures/\350\207\252\345\212\250\345\214\226\345\256\211\350\243\205\345\256\214\346\210\220.png" rename to docs/zh/docs/Installation/figures/Automatic_installation_complete.png diff --git a/content/zh/docs/Installation/figures/BIOS.png b/docs/zh/docs/Installation/figures/BIOS.png similarity index 100% rename from content/zh/docs/Installation/figures/BIOS.png rename to docs/zh/docs/Installation/figures/BIOS.png diff --git "a/content/zh/docs/Installation/figures/\345\205\211\351\251\261\345\233\276\346\240\207.png" b/docs/zh/docs/Installation/figures/CD-ROM_drive_icon.png similarity index 100% rename from "content/zh/docs/Installation/figures/\345\205\211\351\251\261\345\233\276\346\240\207.png" rename to docs/zh/docs/Installation/figures/CD-ROM_drive_icon.png diff --git a/docs/zh/docs/Installation/figures/Configuration_error_prompt.png b/docs/zh/docs/Installation/figures/Configuration_error_prompt.png new file mode 100644 index 0000000000000000000000000000000000000000..c5802a2b7a750eed8429ec06c7e4919a3d161a9e Binary files /dev/null and b/docs/zh/docs/Installation/figures/Configuration_error_prompt.png differ 
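Review bot: In the added MegaRAID kdump section (hunk `@@ -307,16 +271,70 @@` of FAQ.md), the path is written as `etc/sysconfig/kdump` without the leading slash; it should read `/etc/sysconfig/kdump`. In the pcp section of the same hunk the two alternatives are inconsistent: the second uses `sudo dnf reinstall pcp-selinux` while the first runs `/usr/libexec/pcp/bin/selinux-setup` without sudo, so state once that the commands need root and use one style. The new figure names `cancle_disk.png` and `custom_paratition.png` are misspelled (cancel, partition); renaming them later means touching both the Markdown and the binaries, so fix them now. The issue link can drop the `?from=project-issue` query string, and the file ends without a trailing newline.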
diff --git "a/content/zh/docs/Installation/figures/\347\243\201\347\233\230\345\212\240\345\257\206\345\217\243\344\273\244.png" b/docs/zh/docs/Installation/figures/Disk_encryption_password.png similarity index 100% rename from "content/zh/docs/Installation/figures/\347\243\201\347\233\230\345\212\240\345\257\206\345\217\243\344\273\244.png" rename to docs/zh/docs/Installation/figures/Disk_encryption_password.png diff --git "a/content/zh/docs/Installation/figures/\351\225\234\345\203\217\345\257\271\350\257\235\346\241\206.png" b/docs/zh/docs/Installation/figures/Image_dialog_box.png similarity index 100% rename from "content/zh/docs/Installation/figures/\351\225\234\345\203\217\345\257\271\350\257\235\346\241\206.png" rename to docs/zh/docs/Installation/figures/Image_dialog_box.png diff --git a/docs/zh/docs/Installation/figures/Installation_source.png b/docs/zh/docs/Installation/figures/Installation_source.png new file mode 100644 index 0000000000000000000000000000000000000000..ff7673d543021beaab4dfbb26bed5f4dc902f85b Binary files /dev/null and b/docs/zh/docs/Installation/figures/Installation_source.png differ diff --git a/docs/zh/docs/Installation/figures/Installation_wizard.png b/docs/zh/docs/Installation/figures/Installation_wizard.png new file mode 100644 index 0000000000000000000000000000000000000000..350936cd80af6661f39716dc0c9a49f281600c62 Binary files /dev/null and b/docs/zh/docs/Installation/figures/Installation_wizard.png differ diff --git a/docs/zh/docs/Installation/figures/Keyboard_layout.png b/docs/zh/docs/Installation/figures/Keyboard_layout.png new file mode 100644 index 0000000000000000000000000000000000000000..de7aa17615caad81e9b64b56880e20c57e51de8f Binary files /dev/null and b/docs/zh/docs/Installation/figures/Keyboard_layout.png differ 
diff --git a/docs/zh/docs/Installation/figures/Manual_partitioning.png b/docs/zh/docs/Installation/figures/Manual_partitioning.png new file mode 100644 index 0000000000000000000000000000000000000000..b546431e4f911c34b8f426cfeff207648c9ba318 Binary files /dev/null and b/docs/zh/docs/Installation/figures/Manual_partitioning.png differ diff --git a/docs/zh/docs/Installation/figures/Manual_partitioning1.png b/docs/zh/docs/Installation/figures/Manual_partitioning1.png new file mode 100644 index 0000000000000000000000000000000000000000..b546431e4f911c34b8f426cfeff207648c9ba318 Binary files /dev/null and b/docs/zh/docs/Installation/figures/Manual_partitioning1.png differ diff --git a/docs/zh/docs/Installation/figures/Megaraid_IO_Request_uncompleted.png b/docs/zh/docs/Installation/figures/Megaraid_IO_Request_uncompleted.png new file mode 100644 index 0000000000000000000000000000000000000000..9f5a9e0f03055c59148830c8f8894196acd6861f Binary files /dev/null and b/docs/zh/docs/Installation/figures/Megaraid_IO_Request_uncompleted.png differ diff --git a/docs/zh/docs/Installation/figures/NetworkandHostName.png b/docs/zh/docs/Installation/figures/NetworkandHostName.png new file mode 100644 index 0000000000000000000000000000000000000000..a57933aee20470e3337daf93f7b3d03cd4956b74 Binary files /dev/null and b/docs/zh/docs/Installation/figures/NetworkandHostName.png differ diff --git "a/content/zh/docs/Installation/figures/No-bootable-device-\346\217\220\347\244\272\347\225\214\351\235\242.png" b/docs/zh/docs/Installation/figures/No-bootable-device-page.png similarity index 100% rename from "content/zh/docs/Installation/figures/No-bootable-device-\346\217\220\347\244\272\347\225\214\351\235\242.png" rename to docs/zh/docs/Installation/figures/No-bootable-device-page.png 
diff --git a/docs/zh/docs/Installation/figures/No-bootable-device.png b/docs/zh/docs/Installation/figures/No-bootable-device.png new file mode 100644 index 0000000000000000000000000000000000000000..944c658d621f00b18e4aa75eaca420d76c08715c Binary files /dev/null and b/docs/zh/docs/Installation/figures/No-bootable-device.png differ diff --git "a/content/zh/docs/Installation/figures/\345\210\206\345\214\272\346\211\251\345\256\271.png" b/docs/zh/docs/Installation/figures/Partition_expansion.png similarity index 100% rename from "content/zh/docs/Installation/figures/\345\210\206\345\214\272\346\211\251\345\256\271.png" rename to docs/zh/docs/Installation/figures/Partition_expansion.png diff --git a/docs/zh/docs/Installation/figures/Target_installation_position.png b/docs/zh/docs/Installation/figures/Target_installation_position.png new file mode 100644 index 0000000000000000000000000000000000000000..097093d6eccb18c1677dd43287973eb0e9ff378a Binary files /dev/null and b/docs/zh/docs/Installation/figures/Target_installation_position.png differ diff --git a/docs/zh/docs/Installation/figures/cancle_disk.png b/docs/zh/docs/Installation/figures/cancle_disk.png new file mode 100644 index 0000000000000000000000000000000000000000..ff0e9a143fc14dc725d0b1e770bd54ce874aeec6 Binary files /dev/null and b/docs/zh/docs/Installation/figures/cancle_disk.png differ diff --git "a/content/zh/docs/Installation/figures/\351\200\211\346\213\251.png" b/docs/zh/docs/Installation/figures/choice.png similarity index 100% rename from "content/zh/docs/Installation/figures/\351\200\211\346\213\251.png" rename to docs/zh/docs/Installation/figures/choice.png diff --git a/docs/zh/docs/Installation/figures/choicelanguage.png b/docs/zh/docs/Installation/figures/choicelanguage.png new file mode 100644 index 0000000000000000000000000000000000000000..c8179bc440701e48bd2a81cf37a1f51219869616 Binary files /dev/null and b/docs/zh/docs/Installation/figures/choicelanguage.png differ 
diff --git a/docs/zh/docs/Installation/figures/choosesoftware.png b/docs/zh/docs/Installation/figures/choosesoftware.png new file mode 100644 index 0000000000000000000000000000000000000000..dc0717e22c853300e21e9a737e4467ffb852e1d5 Binary files /dev/null and b/docs/zh/docs/Installation/figures/choosesoftware.png differ diff --git a/docs/zh/docs/Installation/figures/confignetwork1.png b/docs/zh/docs/Installation/figures/confignetwork1.png new file mode 100644 index 0000000000000000000000000000000000000000..23906761004a28cf69b8f59f3fc628ee4a3462c7 Binary files /dev/null and b/docs/zh/docs/Installation/figures/confignetwork1.png differ diff --git a/docs/zh/docs/Installation/figures/createuser.png b/docs/zh/docs/Installation/figures/createuser.png new file mode 100644 index 0000000000000000000000000000000000000000..6872687b4f7e0aca8d6a114027f9642efc4c478e Binary files /dev/null and b/docs/zh/docs/Installation/figures/createuser.png differ diff --git a/docs/zh/docs/Installation/figures/custom_paratition.png b/docs/zh/docs/Installation/figures/custom_paratition.png new file mode 100644 index 0000000000000000000000000000000000000000..0f46bc9fcfbf57cd986661029c6b2c037dac2919 Binary files /dev/null and b/docs/zh/docs/Installation/figures/custom_paratition.png differ diff --git a/docs/zh/docs/Installation/figures/dateandtime.png b/docs/zh/docs/Installation/figures/dateandtime.png new file mode 100644 index 0000000000000000000000000000000000000000..a491c79eaa5a6fa09ce81933e3e6c1704b69afba Binary files /dev/null and b/docs/zh/docs/Installation/figures/dateandtime.png differ diff --git a/docs/zh/docs/Installation/figures/installation_overview.png b/docs/zh/docs/Installation/figures/installation_overview.png new file mode 100644 index 0000000000000000000000000000000000000000..9ff938c46139ea0cf89877335d6f3407c40752f8 Binary files /dev/null and b/docs/zh/docs/Installation/figures/installation_overview.png differ 
diff --git a/docs/zh/docs/Installation/figures/installation_procedure.png b/docs/zh/docs/Installation/figures/installation_procedure.png new file mode 100644 index 0000000000000000000000000000000000000000..569b21319a82438c940a2e208241445877a1f350 Binary files /dev/null and b/docs/zh/docs/Installation/figures/installation_procedure.png differ diff --git a/docs/zh/docs/Installation/figures/installsource.png b/docs/zh/docs/Installation/figures/installsource.png new file mode 100644 index 0000000000000000000000000000000000000000..64ec216579b7dbd9a6994d9e08a55d633c15d1f2 Binary files /dev/null and b/docs/zh/docs/Installation/figures/installsource.png differ diff --git a/docs/zh/docs/Installation/figures/languagesupport.png b/docs/zh/docs/Installation/figures/languagesupport.png new file mode 100644 index 0000000000000000000000000000000000000000..77a9c02c19169c26dcbf67eb0e112b677ad61e5c Binary files /dev/null and b/docs/zh/docs/Installation/figures/languagesupport.png differ diff --git a/docs/zh/docs/Installation/figures/reset_devices.png b/docs/zh/docs/Installation/figures/reset_devices.png new file mode 100644 index 0000000000000000000000000000000000000000..70cc2e0138dd48950f4704bd3f1160448d5058a1 Binary files /dev/null and b/docs/zh/docs/Installation/figures/reset_devices.png differ diff --git "a/content/zh/docs/Installation/figures/\351\207\215\345\220\257\345\233\276\346\240\207.png" b/docs/zh/docs/Installation/figures/restart_icon.png similarity index 100% rename from "content/zh/docs/Installation/figures/\351\207\215\345\220\257\345\233\276\346\240\207.png" rename to docs/zh/docs/Installation/figures/restart_icon.png diff --git "a/content/zh/docs/Quickstart/figures/\351\207\215\345\220\257\345\233\276\346\240\207.png" b/docs/zh/docs/Installation/figures/restarticon.png similarity index 100% rename from "content/zh/docs/Quickstart/figures/\351\207\215\345\220\257\345\233\276\346\240\207.png" rename to docs/zh/docs/Installation/figures/restarticon.png 
diff --git a/docs/zh/docs/Installation/figures/root_password.png b/docs/zh/docs/Installation/figures/root_password.png new file mode 100644 index 0000000000000000000000000000000000000000..567ecf60a32013843e5a4317376917ec9883bbae Binary files /dev/null and b/docs/zh/docs/Installation/figures/root_password.png differ diff --git a/content/zh/docs/Installation/figures/security.png b/docs/zh/docs/Installation/figures/security.png similarity index 100% rename from content/zh/docs/Installation/figures/security.png rename to docs/zh/docs/Installation/figures/security.png diff --git a/docs/zh/docs/Installation/figures/select.png b/docs/zh/docs/Installation/figures/select.png new file mode 100644 index 0000000000000000000000000000000000000000..0e40f5fd8d73dbcbad6bdcec5d56d3883d54023a Binary files /dev/null and b/docs/zh/docs/Installation/figures/select.png differ diff --git a/docs/zh/docs/Installation/figures/select_software.png b/docs/zh/docs/Installation/figures/select_software.png new file mode 100644 index 0000000000000000000000000000000000000000..dc0717e22c853300e21e9a737e4467ffb852e1d5 Binary files /dev/null and b/docs/zh/docs/Installation/figures/select_software.png differ diff --git a/docs/zh/docs/Installation/figures/selectlanguage.png b/docs/zh/docs/Installation/figures/selectlanguage.png new file mode 100644 index 0000000000000000000000000000000000000000..c8179bc440701e48bd2a81cf37a1f51219869616 Binary files /dev/null and b/docs/zh/docs/Installation/figures/selectlanguage.png differ diff --git a/docs/zh/docs/Installation/figures/sourceftp.png b/docs/zh/docs/Installation/figures/sourceftp.png new file mode 100644 index 0000000000000000000000000000000000000000..68952b624f2c934a31ceebdff05ef46483007b2e Binary files /dev/null and b/docs/zh/docs/Installation/figures/sourceftp.png differ 
diff --git a/docs/zh/docs/Installation/figures/sourcenfs.png b/docs/zh/docs/Installation/figures/sourcenfs.png new file mode 100644 index 0000000000000000000000000000000000000000..5814e2005d76374ade91528b41bb76f88cc61060 Binary files /dev/null and b/docs/zh/docs/Installation/figures/sourcenfs.png differ diff --git a/docs/zh/docs/Installation/figures/startparam.png b/docs/zh/docs/Installation/figures/startparam.png new file mode 100644 index 0000000000000000000000000000000000000000..b197f4d492213513edf84a99cdb14f186630a828 Binary files /dev/null and b/docs/zh/docs/Installation/figures/startparam.png differ diff --git a/docs/zh/docs/Installation/figures/target_install_position.png b/docs/zh/docs/Installation/figures/target_install_position.png new file mode 100644 index 0000000000000000000000000000000000000000..7f98f41f9819cb8826939d1a4fb605e26b171401 Binary files /dev/null and b/docs/zh/docs/Installation/figures/target_install_position.png differ diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229291229.png b/docs/zh/docs/Installation/figures/zh-cn_image_0229291229.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229291229.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0229291229.png diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229291236.png b/docs/zh/docs/Installation/figures/zh-cn_image_0229291236.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229291236.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0229291236.png diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229291243.png b/docs/zh/docs/Installation/figures/zh-cn_image_0229291243.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229291243.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0229291243.png 
diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229291247.png b/docs/zh/docs/Installation/figures/zh-cn_image_0229291247.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229291247.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0229291247.png diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229291264.jpg b/docs/zh/docs/Installation/figures/zh-cn_image_0229291264.jpg similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229291264.jpg rename to docs/zh/docs/Installation/figures/zh-cn_image_0229291264.jpg diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229291270.png b/docs/zh/docs/Installation/figures/zh-cn_image_0229291270.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229291270.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0229291270.png diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229291272.png b/docs/zh/docs/Installation/figures/zh-cn_image_0229291272.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229291272.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0229291272.png diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229291280.png b/docs/zh/docs/Installation/figures/zh-cn_image_0229291280.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229291280.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0229291280.png diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229291286.png b/docs/zh/docs/Installation/figures/zh-cn_image_0229291286.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229291286.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0229291286.png 
diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0229420473.png b/docs/zh/docs/Installation/figures/zh-cn_image_0229420473.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0229420473.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0229420473.png diff --git a/content/zh/docs/Installation/figures/zh-cn_image_0231657950.png b/docs/zh/docs/Installation/figures/zh-cn_image_0231657950.png similarity index 100% rename from content/zh/docs/Installation/figures/zh-cn_image_0231657950.png rename to docs/zh/docs/Installation/figures/zh-cn_image_0231657950.png diff --git a/content/zh/docs/Installation/installation.md b/docs/zh/docs/Installation/installation.md similarity index 100% rename from content/zh/docs/Installation/installation.md rename to docs/zh/docs/Installation/installation.md diff --git a/content/zh/docs/Quickstart/public_sys-resources/icon-caution.gif b/docs/zh/docs/Installation/public_sys-resources/icon-caution.gif similarity index 100% rename from content/zh/docs/Quickstart/public_sys-resources/icon-caution.gif rename to docs/zh/docs/Installation/public_sys-resources/icon-caution.gif diff --git a/content/zh/docs/Quickstart/public_sys-resources/icon-danger.gif b/docs/zh/docs/Installation/public_sys-resources/icon-danger.gif similarity index 100% rename from content/zh/docs/Quickstart/public_sys-resources/icon-danger.gif rename to docs/zh/docs/Installation/public_sys-resources/icon-danger.gif diff --git a/content/zh/docs/Quickstart/public_sys-resources/icon-note.gif b/docs/zh/docs/Installation/public_sys-resources/icon-note.gif similarity index 100% rename from content/zh/docs/Quickstart/public_sys-resources/icon-note.gif rename to docs/zh/docs/Installation/public_sys-resources/icon-note.gif 
diff --git a/content/zh/docs/Quickstart/public_sys-resources/icon-notice.gif b/docs/zh/docs/Installation/public_sys-resources/icon-notice.gif similarity index 100% rename from content/zh/docs/Quickstart/public_sys-resources/icon-notice.gif rename to docs/zh/docs/Installation/public_sys-resources/icon-notice.gif diff --git a/content/zh/docs/Quickstart/public_sys-resources/icon-tip.gif b/docs/zh/docs/Installation/public_sys-resources/icon-tip.gif similarity index 100% rename from content/zh/docs/Quickstart/public_sys-resources/icon-tip.gif rename to docs/zh/docs/Installation/public_sys-resources/icon-tip.gif diff --git a/content/zh/docs/Quickstart/public_sys-resources/icon-warning.gif b/docs/zh/docs/Installation/public_sys-resources/icon-warning.gif similarity index 100% rename from content/zh/docs/Quickstart/public_sys-resources/icon-warning.gif rename to docs/zh/docs/Installation/public_sys-resources/icon-warning.gif diff --git "a/content/zh/docs/Installation/\344\275\277\347\224\250kickstart\350\207\252\345\212\250\345\214\226\345\256\211\350\243\205.md" "b/docs/zh/docs/Installation/\344\275\277\347\224\250kickstart\350\207\252\345\212\250\345\214\226\345\256\211\350\243\205.md" similarity index 88% rename from "content/zh/docs/Installation/\344\275\277\347\224\250kickstart\350\207\252\345\212\250\345\214\226\345\256\211\350\243\205.md" rename to "docs/zh/docs/Installation/\344\275\277\347\224\250kickstart\350\207\252\345\212\250\345\214\226\345\256\211\350\243\205.md" index ccf0fcdc377b462e1f9c5428b37e703e588b3176..1aaa8fa662c1c16e6e5414830d0ee9b66ae76deb 100644 --- "a/content/zh/docs/Installation/\344\275\277\347\224\250kickstart\350\207\252\345\212\250\345\214\226\345\256\211\350\243\205.md" +++ "b/docs/zh/docs/Installation/\344\275\277\347\224\250kickstart\350\207\252\345\212\250\345\214\226\345\256\211\350\243\205.md" 
@@ -80,7 +80,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 - 物理机/虚拟机(虚拟机创建可参考对应厂商的资料)。包括使用kickstart工具进行自动化安装的计算机和被安装的计算机。 - httpd:存放kickstart文件。 -- ISO: openEuler-20.09-beta-aarch64-dvd.iso +- ISO: openEuler-21.03-aarch64-dvd.iso ### 操作步骤 @@ -88,11 +88,11 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 **环境准备** ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >安装之前,请确保http服务器的防火墙处于关闭状态。关闭防火墙可参照如下命令: >``` >iptables -F ->``` +>``` 1. httpd的安装与服务启动。 @@ -156,17 +156,19 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 ===================================== ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >密码密文生成方式: - >\# python3 - >Python 3.7.0 \(default, Apr 1 2019, 00:00:00\) - >\[GCC 7.3.0\] on linux + >``` + ># python3 + >Python 3.7.0 (default, Apr 1 2019, 00:00:00) + >[GCC 7.3.0] on linux >Type "help", "copyright", "credits" or "license" for more information. - >\>\>\> import crypt - >\>\>\> passwd = crypt.crypt\("myPasswd"\) - >\>\>\> print\(passwd\) + >>>> import crypt + >>>> passwd = crypt.crypt("myPasswd") + >>>> print (passwd) >$6$63c4tDmQGn5SDayV$mZoZC4pa9Jdt6/ALgaaDq6mIExiOO2EjzomB.Rf6V1BkEMJDcMddZeGdp17cMyc9l9ML9ldthytBEPVcnboR/0 - + >``` + 3. 将ISO镜像文件挂载到需要安装openEuler计算机的光驱上。 另外,也可以选择NFS等网络安装,kickstart文件中需要指定安装源位置(默认是cdrom)。 
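Review bot: The fenced block added in the `@@ -156,17 +156,19 @@` hunk still ends with a complete `$6$63c4tDmQ…` hash for the literal password "myPasswd", which readers are likely to paste unchanged into their kickstart file. Suggest replacing that output line with a placeholder such as `$6$<salt>$<hash>` and stating that the value must be generated per deployment from a password that is not the one shown. The `crypt` module was deprecated in Python 3.11 and removed in 3.13, so it is worth saying that the snippet depends on the interpreter version shown (3.7.0). Minor: `print (passwd)` gained a space that the old text did not have.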
@@ -175,18 +177,18 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 **安装系统** 1. 启动系统进入安装选择界面。 - 1. 在“[启动安装](安装指导.html#启动安装)”中的“安装引导界面”中选择“Install openEuler 20.09-beta”,并按下“e”键。 + 1. 在“[启动安装](./安装指导.html#启动安装)”中的“安装引导界面”中选择“Install openEuler 21.03”,并按下“e”键。 2. 启动参数中追加“inst.ks=http://server ip/ks/openEuler-ks.cfg”。 - ![](figures/半自动-new.png) + ![](./figures/startparam.png) 3. 按“Ctrl+x”,开始系统的自动安装。 2. 确认系统安装完毕。 - 系统安装完毕以后会自动重启,然后再次进入到安装界面,此时关闭计算机,调整启动顺序(优先从硬盘启动)。 + 系统安装完毕以后会自动重启,如果优先从光驱启动,会再次进入到安装界面,此时关闭计算机,调整启动顺序(优先从硬盘启动)。 - ![](figures/自动化安装完成.png) + ![](./figures/Automatic_installation_complete.png) ## 全自动化安装指导 @@ -199,7 +201,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 - httpd:存放kickstart文件。 - tftp:提供vmlinuz和initrd文件。 - dhcpd/pxe:提供DHCP服务。 -- ISO:openEuler-20.09-beta-aarch64-dvd.iso。 +- ISO:openEuler-21.03-aarch64-dvd.iso。 ### 操作步骤 @@ -207,11 +209,11 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 **环境准备** ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >安装之前,请确保http服务器的防火墙处于关闭状态。关闭防火墙可参照如下命令: >``` >iptables -F ->``` +>``` 1. httpd的安装与服务启动。 @@ -249,7 +251,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 3. 安装源的制作。 ``` - # mount openEuler-20.09-beta-aarch64-dvd.iso /mnt + # mount openEuler-21.03-aarch64-dvd.iso /mnt # cp -r /mnt/* /var/www/html/openEuler/ ``` @@ -271,7 +273,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 # System language lang zh_CN.UTF-8 #Use http installation source - url --url=http://192.168.122.1/openEuler/ + url --url=http://192.168.122.1/openEuler/ %post #enable kdump sed -i "s/ ro / ro crashkernel=1024M,high /" /boot/efi/EFI/openEuler/grub.cfg @@ -279,7 +281,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 ... ``` -5. 修改pxe配置文件grub.cfg, 可参考如下内容。 +5. 修改pxe配置文件grub.cfg, 可参考如下内容(注意:openEuler当前不支持bls格式的cfg文件)。 ``` # cp -r /mnt/images/pxeboot/* /var/lib/tftpboot/ 
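Review bot: The 说明 block touched in the `@@ -207,11 +209,11 @@` hunk (and the identical one at `@@ -88,11 +88,11 @@`) still tells readers to run `iptables -F` on the HTTP server, which flushes every rule in the table instead of opening only what this setup needs. Since these lines are being edited anyway, suggest replacing it with rules that admit just the services this section lists (httpd, tftp, dhcpd/pxe) from the installation network, plus a reminder to restore the firewall once installation is finished. In the last hunk of this group, the added caveat that bls-format cfg files are not supported would be more useful with one sentence on what the reader should do instead.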
@@ -314,8 +316,8 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 ### BEGIN /etc/grub.d/10_linux ### - menuentry 'Install openEuler 20.09-beta' --class red --class gnu-linux --class gnu --class os { - set root=(tftp,192.168.122.1) + menuentry 'Install openEuler 21.03 ' --class red --class gnu-linux --class gnu --class os { + set root=(tftp,192.168.1.1) linux /vmlinuz ro inst.geoloc=0 console=ttyAMA0 console=tty0 rd.iscsi.waitnet=0 inst.ks=http://192.168.122.1/ks/openEuler-ks.cfg initrd /initrd.img } @@ -351,14 +353,14 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 1. 在“Start boot option”界面按下“F2”选择从网络pxe启动,开始自动化安装。 - ![](figures/zh-cn_image_0229291270.png) + ![](./figures/zh-cn_image_0229291270.png) - ![](figures/zh-cn_image_0229291286.png) + ![](./figures/zh-cn_image_0229291286.png) - ![](figures/zh-cn_image_0229291247.png) + ![](./figures/zh-cn_image_0229291247.png) 2. 进入系统全自动化安装界面。 3. 确认系统安装完毕。 - ![](figures/自动化安装完成.png) + ![](./figures/Automatic_installation_complete.png) diff --git "a/content/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207-1.md" "b/docs/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207-1.md" similarity index 86% rename from "content/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207-1.md" rename to "docs/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207-1.md" index 41f27886ddf0917cd3a694d068872ef1f493dac7..b8bf8e8464ba55bdb38550e43da19ac2677463a4 100644 --- "a/content/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207-1.md" +++ "b/docs/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207-1.md" 
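Review bot: In the `menuentry` of the grub.cfg example (`@@ -314,8 +316,8 @@`), `set root=(tftp,192.168.122.1)` becomes `set root=(tftp,192.168.1.1)`, but the `inst.ks=http://192.168.122.1/ks/openEuler-ks.cfg` argument on the very next line and the `url --url=http://192.168.122.1/openEuler/` line in the kickstart example still use 192.168.122.1. If TFTP and HTTP are served from the same host, this looks like an accidental edit and a reader who copies the example will fail to fetch vmlinuz and initrd.img; keep one address throughout or explain why the two differ. The new title `'Install openEuler 21.03 '` also carries a trailing space inside the quotes.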
@@ -19,16 +19,14 @@ 在安装开始前,您需要获取 openEuler 发布的树莓派镜像及其校验文件。 -1. 登录[openEuler社区](https://openeuler.org)网站。 -2. 单击“下载”。 -3. 单击“获取ISO:”后面的“Link”,显示版本列表。 -4. 单击“openEuler-20.09”,进入 openEuler 20.09 版本下载列表。 -5. 单击“RaspberryPi”,进入树莓派镜像的下载列表。 +1. 登录[openEuler社区](https://openeuler.org/zh/download/)网站。 +2. 单击卡片 openEuler 21.03 上的“下载”按钮。 +3. 单击“raspi_img”,进入树莓派镜像的下载列表。 - aarch64:AArch64 架构的镜像。 -6. 单击“aarch64”,进入树莓派 AArch64 架构镜像的下载列表。 -7. 单击“openEuler-20.09-RaspberryPi.aarch64.img.xz”,将 openEuler 发布的树莓派镜像下载到本地。 -8. 单击“openEuler-20.09-RaspberryPi.aarch64.img.xz.sha256sum”,将 openEuler 发布的树莓派镜像的校验文件下载到本地。 +4. 单击“aarch64”,进入树莓派 AArch64 架构镜像的下载列表。 +5. 单击“openEuler-21.03-raspi-aarch64.img.xz”,将 openEuler 发布的树莓派镜像下载到本地。 +6. 单击“openEuler-21.03-raspi-aarch64.img.xz.sha256sum”,将 openEuler 发布的树莓派镜像的校验文件下载到本地。 ## 镜像完整性校验 @@ -42,9 +40,9 @@ 在校验镜像文件的完整性之前,需要准备如下文件: -镜像文件:openEuler-20.09-RaspberryPi.aarch64.img.xz +镜像文件:openEuler-21.03-raspi-aarch64.img.xz -校验文件:openEuler-20.09-RaspberryPi.aarch64.img.xz.sha256sum +校验文件:openEuler-21.03-raspi-aarch64.img.xz.sha256sum ### 操作指导 @@ -53,13 +51,13 @@ 1. 获取校验文件中的校验值。执行命令如下: ``` - $ cat openEuler-20.09-RaspberryPi.aarch64.img.xz.sha256sum + $ cat openEuler-21.03-raspi-aarch64.img.xz.sha256sum ``` 2. 计算文件的 sha256 校验值。执行命令如下: ``` - $ sha256sum openEuler-20.09-RaspberryPi.aarch64.img.xz + $ sha256sum openEuler-21.03-raspi-aarch64.img.xz ``` 命令执行完成后,输出校验值。 @@ -95,7 +93,7 @@ openEuler 树莓派版本镜像所需的最小硬件要求如[表1](#tff48b99c9b

树莓派版本

-
  • 树莓派 3B
  • 树莓派 3B+
  • 树莓派 4B
+
  • 树莓派 3B
  • 树莓派 3B+
  • 树莓派 4B
  • 树莓派 400

-

diff --git "a/docs/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207.md" "b/docs/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207.md" new file mode 100644 index 0000000000000000000000000000000000000000..af1db522be0d1157e761c81785e7983dd2eca1ac --- /dev/null +++ "b/docs/zh/docs/Installation/\345\256\211\350\243\205\345\207\206\345\244\207.md" 
@@ -0,0 +1,128 @@ +# 安装准备 + +介绍安装前需要考虑软硬件兼容性状况,以及相关的配置和准备工作。 + + +## 获取安装源 + +在安装开始前,您需要获取openEuler的发布包和校验文件。 + +请按以下步骤获取openEuler的发布包和校验文件: + +1. 登录[openEuler社区](https://openeuler.org/zh/)网站。 +2. 单击“下载”进入页签,进入版本下载页面。 +3. 单击卡片 openEuler 21.03 上的“获取ISO”,显示ISO下载列表。 + - aarch64:AArch64架构的ISO。 + - x86\_64:x86\_64架构的ISO。 + - source:openEuler源码ISO。 +4. 根据实际待安装环境的架构选择需要下载的 openEuler 的发布包和校验文件。 + - 若为AArch64架构。 + 1. 单击“aarch64”。 + 2. 若选择本地安装,分别将发布包 “openEuler-21.03-aarch64-dvd.iso”和校验文件“openEuler-21.03-aarch64-dvd.iso.sha256sum”下载到本地。 + 3. 若选择网络安装,分别将发布包 “openEuler-21.03-netinst-aarch64-dvd.iso”和校验文件“openEuler-21.03-netinst-aarch64-dvd.iso.sha256sum”下载到本地。 + + - 若为x86\_64架构。 + 1. 单击“x86\_64”。 + 2. 若选择本地安装,分别将发布包 “openEuler-21.03-x86\_64-dvd.iso”和校验文件“openEuler-21.03-x86\_64-dvd.iso.sha256sum”下载到本地。 + 3. 若选择网络安装,分别将发布包 “openEuler-21.03-netinst-x86\_64-dvd.iso ”和校验文件“openEuler-21.03-netinst-x86\_64-dvd.iso.sha256sum”下载到本地。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +> - 网络安装方式的 ISO 发布包较小,在有网络的安装环境可以选择网络安装方式。 +> - AArch64架构的发布包支持UEFI模式,x86\_64架构的发布包支持UEFI模式和Legacy模式。 + +## 发布包完整性校验 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>本章节以AArch64架构的发布包完整性校验为例,x86\_64架构的发布包完整性校验的操作方法相同。 + +### 简介 + +为了防止软件包在传输过程中由于网络原因或者存储设备原因出现下载不完整的问题,在获取到软件包后,需要对软件包的完整性进行校验,通过了校验的软件包才能部署。 + +这里通过对比校验文件中记录的校验值和手动方式计算的iso文件校验值,判断软件包是否完成。若两个值相同,说明iso文件完整,否则,iso完整性被破坏,请重新获取iso发布包。 + +### 前提条件 + +在校验发布包完整性之前,需要准备如下文件: + +iso文件:openEuler-21.03-aarch64-dvd.iso + +校验文件:openEuler-21.03-aarch64-dvd.iso.sha256sum + +### 操作指导 + +文件完整性校验操作步骤如下: + +1. 获取校验文件中的校验值。执行命令如下: + + ``` + $ cat openEuler-21.03-aarch64-dvd.iso.sha256sum + ``` + +2. 计算文件的sha256校验值。执行命令如下: + + ``` + $ sha256sum openEuler-21.03-aarch64-dvd.iso + ``` + + 命令执行完成后,输出校验值。 + +3. 
对比步骤1和步骤2计算的校验值是否一致。 + + 如果校验值一致说明iso文件完整性没有破坏,如果校验值不一致则可以确认文件完整性已被破坏,需要重新获取。 + +## 物理机的安装要求 + +若需要在物理机环境上安装openEuler操作系统,则物理机需要满足如下的硬件兼容性和最小硬件要求。 + +### 硬件兼容支持 + +openEuler安装时,应注意硬件兼容性方面的问题,当前已支持的服务器类型如[表1](#table14948632047)所示。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +> +>- TaiShan 200服务器基于华为鲲鹏920处理器。 +>- 当前仅支持华为TaiShan服务器和FusionServer Pro 机架服务器,后续将逐步增加对其他厂商服务器的支持。 + +**表 1** 支持的服务器类型 +| 服务器形态 | 服务器名称 | 服务器型号 | +| :---- | :---- | :---- | +| 机架服务器 | TaiShan 200 | 2280均衡型 | +| 机架服务器 | FusionServer Pro 机架服务器 | FusionServer Pro 2288H V5
说明:
服务器要求配置Avago 3508 RAID控制卡和启用LOM-X722网卡| + +### 最小硬件要求 + +openEuler所需的最小硬件要求如[表2](#tff48b99c9bf24b84bb602c53229e2541)所示。 + +**表 2** 最小硬件要求 + +| 部件名称 | 最小硬件要求 | +| :---- | :---- | +| 架构 | AArch64或x86_64 | +| CPU | 2个CPU | +| 内存 | 不小于4GB(为了获得更好的应用体验,建议不小于8GB) | +| 硬盘 | 不小于32GB(为了获得更好的应用体验,建议不小于120GB) | + +## 虚拟机的安装要求 + +若需要在虚拟机环境上安装openEuler操作系统,则虚拟机需要满足如下的虚拟化平台兼容性和最小虚拟化要求。 + +### 虚拟化平台兼容性 + +openEuler安装时,应注意虚拟化平台兼容性的问题,当前已支持的虚拟化平台为: + +- openEuler自有的虚拟化组件(HostOS为openEuler,虚拟化组件为发布包中的qemu、KVM)创建的虚拟化平台。 +- 华为公有云的x86虚拟化平台。 + +### 最小虚拟化空间要求 + +openEuler所需的最小虚拟化空间要求如[表3](#tff48b99c9bf24b84bb602c53229e2541)所示。 + +**表 3** 最小虚拟化空间要求 + +| 部件名称 | 最小虚拟化空间要求 | +| :---- | :---- | +| 架构 | AArch64或x86_64 | +| CPU | 2个CPU | +| 内存 | 不小于4GB(为了获得更好的应用体验,建议不小于8GB) | +| 硬盘 | 不小于32GB(为了获得更好的应用体验,建议不小于120GB) | diff --git "a/docs/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\234\215\345\212\241\345\231\250.md" "b/docs/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\234\215\345\212\241\345\231\250.md" new file mode 100644 index 0000000000000000000000000000000000000000..256a1f0899d9030ac421b6cc4dbc00d88f7821d3 --- /dev/null +++ "b/docs/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\234\215\345\212\241\345\231\250.md" @@ -0,0 +1,3 @@ +# 安装在服务器 + +本文是介绍 openEuler 操作系统安装在服务器的方法,使用本手册的用户需要具备基础的 Linux 系统管理知识。 \ No newline at end of file diff --git "a/docs/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\240\221\350\216\223\346\264\276.md" "b/docs/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\240\221\350\216\223\346\264\276.md" new file mode 100644 index 0000000000000000000000000000000000000000..72f5e0c176383b7ccedbf937240d6263b082355e --- /dev/null +++ "b/docs/zh/docs/Installation/\345\256\211\350\243\205\345\234\250\346\240\221\350\216\223\346\264\276.md" @@ -0,0 +1,3 @@ +# 安装在树莓派 + +本文是介绍 openEuler 操作系统安装在树莓派的方法,使用本手册的用户需要具备基础的 Linux 系统管理知识。 \ No newline at end of file 
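Review bot: In the new 安装准备.md, the 简介 under 发布包完整性校验 says "判断软件包是否完成", which should read "是否完整". The procedure also has the reader compare two SHA-256 values by eye; if the published .sha256sum file is in sha256sum's own output format, a single `sha256sum -c openEuler-21.03-aarch64-dvd.iso.sha256sum` step is less error-prone and could replace steps 1 to 3. Separately, [表2] and [表3] both link to `#tff48b99c9bf24b84bb602c53229e2541`, and [表1] links to `#table14948632047`, but the Markdown tables as written carry no such ids, so these links need targets or should be plain text.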
diff --git "a/content/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274-1.md" "b/docs/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274-1.md" similarity index 89% rename from "content/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274-1.md" rename to "docs/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274-1.md" index 73ea046de2099e3662fcb3f365b7df861e9f2929..8755c52a55b9aa03950adfd608a0d0938ccb2116 100644 --- "a/content/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274-1.md" +++ "b/docs/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274-1.md" @@ -1,6 +1,6 @@ # 安装指导 -本章介绍将“[树莓派镜像刷写入 SD 卡](安装方式介绍-1.html)”后,启用树莓派的主要过程。 +本章介绍将“[树莓派镜像刷写入 SD 卡](./安装方式介绍-1.html)”后,启用树莓派的主要过程。 - [安装指导](#安装指导) @@ -24,15 +24,11 @@ 1. 本地登录 - 树莓派连接显示器(树莓派视频输出接口为 Micro HDMI)、键盘、鼠标后,启动树莓派,可以看到树莓派启动日志输出到显示器上。待树莓派启动成功,输入用户名(root)和密码(openEuler12#$)登录。 + 树莓派连接显示器(树莓派视频输出接口为 Micro HDMI)、键盘、鼠标后,启动树莓派,可以看到树莓派启动日志输出到显示器上。待树莓派启动成功,输入用户名(root)和密码(openeuler)登录。 2. ssh 远程登录 - 树莓派默认采用 DHCP 的方式自动获取 IP。如果树莓派连接已知路由器,可登录路由器查看,新增的 IP 即为树莓派 IP。 - - **图 1** 获取 IP - ![](figures/获取IP.png "获取 IP") - - 从上图看到,树莓派对应 IP 为:192.168.31.109,使用命令 `ssh root@192.168.1.109` 后输入密码 `openEuler12#$`,即可远程登录树莓派。 + + 树莓派默认采用 DHCP 的方式自动获取 IP。如果树莓派连接已知路由器,可登录路由器查看,新增的 IP 即为树莓派 IP。例如,树莓派对应 IP 为:192.168.31.109,使用命令 `ssh root@192.168.31.109` 后输入密码 `openeuler`,即可远程登录树莓派。 ## 配置系统 @@ -67,7 +63,7 @@ 这里我们需要将根目录分区 `/dev/mmcblk0p3` 进行扩容。 -2. 在 root 权限下执行 `fdisk /dev/mmcblk0` 命令进入到交互式命令行界面,按照以下步骤扩展分区,如[图3](#zh-cn_topic_0151920806_f6ff7658b349942ea87f4521c0256c315)所示。 +2. 在 root 权限下执行 `fdisk /dev/mmcblk0` 命令进入到交互式命令行界面,按照以下步骤扩展分区,如[图 1](#zh-cn_topic_0151920806_f6ff7658b349942ea87f4521c0256c315)所示。 1. 输入 `p`,查看分区信息。 
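Review bot: The `@@ -24,15 +24,11 @@` hunk documents a fixed default login (root / openeuler) and, in the next item, SSH login as root with the same password, but nothing tells the reader to change it. Suggest adding a sentence directly after the local-login step instructing the reader to set a new root password with `passwd` at first login, before the board is connected to a network that other hosts can reach. The correction of the SSH example to `ssh root@192.168.31.109` is good, since the old command did not match the IP given in the text.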
@@ -80,15 +76,15 @@ 6. 输入 `3` 或直接按 `Enter`,创建序号为 `3` 的分区,即 `/dev/mmcblk0p3` 分区。 7. 输入新分区的起始扇区号,即第 `1` 步中记录的起始扇区号,示例中为 `1593344`。 - >![](public_sys-resources/icon-notice.gif) **须知:** + >![](./public_sys-resources/icon-notice.gif) **须知:** >请勿直接按“Enter”或使用默认参数。 8. 按 `Enter`,使用默认的最后一个扇区号作为新分区的终止扇区号。 9. 输入 `N`,不修改扇区标记。 10. 输入 `w`,保存分区设置并退出交互式命令行界面。 - **图 3** 分区扩容 - ![](figures/分区扩容.png "分区扩容") + **图 1** 分区扩容 + ![](./figures/Partition_expansion.png) 3. 在 root 权限下执行 `fdisk -l` 命令查看磁盘分区信息,以确保磁盘分区正确。命令和回显如下: @@ -110,7 +106,7 @@ 4. 在 root 权限下执行 `resize2fs /dev/mmcblk0p3`,增大未加载的文件系统大小。 5. 执行 `df -lh` 命令查看磁盘空间信息,以确保根目录分区已扩展。 - >![](public_sys-resources/icon-notice.gif) **须知:** + >![](./public_sys-resources/icon-notice.gif) **须知:** >如果根目录分区未扩展,可执行 `reboot` 命令重启树莓派之后再在 root 权限下执行 `resize2fs /dev/mmcblk0p3`。 ### 连接 WIFI diff --git "a/content/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274.md" "b/docs/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274.md" similarity index 57% rename from "content/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274.md" rename to "docs/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274.md" index e120f9e6650022b6922f41cadd53cae795781790..fcd2be65859cebf435414bfa970436407b9eba8e 100644 --- "a/content/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274.md" +++ "b/docs/zh/docs/Installation/\345\256\211\350\243\205\346\214\207\345\257\274.md" 
@@ -1,324 +1,313 @@ -# 安装指导 - -本章以光盘安装为例介绍安装openEuler,其他安装方式除在启动安装时的引导方式不同外,待启动安装后则安装流程相同,在此不再说明。 - - -- [安装指导](#安装指导) - - [启动安装](#启动安装) - - [使用光盘引导安装](#使用光盘引导安装) - - [安装引导界面](#安装引导界面) - - [图形化模式安装](#图形化模式安装) - - [设置安装程序语言](#设置安装程序语言) - - [进入安装界面](#进入安装界面) - - [设置键盘](#设置键盘) - - [设置系统语言](#设置系统语言) - - [设置时间和日期](#设置时间和日期) - - [设置安装源](#设置安装源) - - [选择安装软件](#选择安装软件) - - [设置安装目的地](#设置安装目的地) - - [存储配置](#存储配置) - - [设置网络和主机名](#设置网络和主机名) - - [设置根密码](#设置根密码) - - [密码复杂度](#密码复杂度) - - [创建用户](#创建用户) - - [开始安装](#开始安装) - - [安装过程](#安装过程) - - [安装完成](#安装完成) - - - -## 启动安装 - -### 使用光盘引导安装 - -在服务器的光驱中加载openEuler安装镜像,重启服务器,具体步骤如下。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->在安装开始前,需要保证服务器启动选项为光驱优先。安装步骤以BMC挂载虚拟光驱进行光盘安装的操作举例。通过物理光驱安装的操作简单,启动安装后的流程相同,在此不再说明。 - -1. 在虚拟界面工具栏中,单击虚拟光驱工具如下图所示。 - - **图 1** 光驱图标 - ![](figures/光驱图标.png "光驱图标") - - 弹出镜像对话框,如下图所示。 - - **图 2** 镜像对话框 - ![](figures/镜像对话框.png "镜像对话框") - -2. 在镜像对话框中,选择“镜像文件”, 并单击“浏览”。弹出“打开”对话框。 -3. 选择镜像文件,单击“打开”。然后在镜像对话框中,单击“连接”。当“连接”显示为“断开”后,表示虚拟光驱已连接到服务器。 -4. 
在工具栏中,单击重启工具重启设备,如下图所示。 - - **图 3** 重启图标 - ![](figures/重启图标.png "重启图标") - - -### 安装引导界面 - -系统使用引导介质完成引导后会显示引导菜单。该引导菜单除启动安装程序外还提供一些选项。安装系统时,默认采用“Test this media & install openEuler 20.09-beta”方式进行安装。如果要选择默认选项之外的选项,请使用键盘中的“↑”和“↓”方向键进行选择,并在选项为高亮状态时按“Enter”。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->- 如果60秒内未按任何键,系统将从默认选项“Test this media & install openEuler 20.09-beta”自动进入安装界面。 ->- 安装物理机时,如果使用键盘上下键无法选择启动选项,按“Enter”键无响应,可以单击BMC界面上的鼠标控制图标“![](figures/zh-cn_image_0229420473.png)”,设置“键鼠复位”。 - -**图 4** 安装引导界面 -![](figures/安装引导界面.png "安装引导界面") - -安装引导选项说明如下: - -- Install openEuler 20.09-beta —— 在您的服务器上使用图形用户界面模式安装。 - -- Test this media & install openEuler 20.09-beta —— 默认选项,在您的服务器上使用图形用户界面模式安装,但在启动安装程序前会进行安装介质的完整性检查。 - -- Troubleshooting —— 问题定位模式,系统无法正常安装时使用。进入问题定位模式后,有如下两个选项。 - - Install openEuler 20.09-beta in basic graphics mode —— 简单图形安装模式,该模式下在系统启动并运行之前不启动视频驱动程序。 - - Rescue the openEuler system —— 救援模式,用于修复系统。该模式下输出定向到VNC或BMC(Baseboard Management Controller)端,串口不可用。 - -在安装引导界面,按“e”进入已选选项的参数编辑界面,按“c”进入命令行模式。 - -### 图形化模式安装 - -在“安装引导界面”中选择“Test this media & install openEuler 20.09-beta”进入图形化模式安装。 - -可以通过键盘操作图形化安装程序。 - -- “Tab”、“shift Tab”:界面控件(按钮、区域框、复选框等)间的移动。 -- “↑”、“↓”方向键:列表里的移动。 -- “←”、“→”方向键:水平工具条和表条间移动。 -- “空格”、“Enter”:选择或删除高亮显示的选项、展开或折叠下拉菜单。 -- “Alt”+“快捷键”:选择快捷键所在的控件,其中快捷键可通过按住Alt高亮(加下划线)显示。 - -## 设置安装程序语言 - -启动安装后,在进入安装程序主界面之前,系统会提示用户设置安装过程中使用的语言。当前默认为英语,用户可根据实际情况进行调整,如[图5](#zh-cn_topic_0186390093_zh-cn_topic_0122145864_fig144630179151)所示,选择“中文”。 - -**图 5** 选择语言 -![](figures/选择语言.png "选择语言") - -完成设置后,单击“继续”,进入安装设置主界面。 - -如果您想退出安装,可以单击“退出”并在弹出的“您确定要退出安装程序吗?”对话框中单击“是”重新进入“安装引导界面”。 - -## 进入安装界面 - -系统安装程序正常启动后,会进入[图6](#zh-cn_topic_0186390094_zh-cn_topic_0122145883_fig5969171592212)所示的安装设置主界面。用户可以进行时间、语言、安装源、网络、安装位置等相关设置。 - -部分配置项会有告警符号,用户完成该选项配置后,告警符号消失。当界面上不存在告警符号时,用户才能单击“开始安装”进行系统安装。 - -如果您想退出安装,可以单击“退出”并在弹出的“您确定要退出安装程序吗?”对话框中单击“是”重新进入“安装引导界面”。 - -**图 6** 安装概览 -![](figures/安装概览.png "安装概览") - -## 设置键盘 - -在“安装概览”页面中选择“键盘”,用户可以在系统中添加或者删除多个键盘布局。 - -- 
要查看键盘布局,请在左侧选框中单击选中该键盘布局,然后单击下面的“键盘”按钮。 -- 要测试键盘布局,请在左侧选框中添加键盘布局,然后在右上角键盘图标处进行点击切换为目标键盘,单击右侧文本框内部,输入文本以确认所选键盘布局可正常工作。 - -**图 7** 键盘布局 -![](figures/键盘布局.png "键盘布局") - -设置完成后,请单击左上角“完成”返回“安装概览”页面。 - -## 设置系统语言 - -在“安装概览”页面中选择“语言支持”,设置系统的语言。如[图8](#zh-cn_topic_0186390098_zh-cn_topic_0122145772_fig187301927172619)所示,用户也可根据实际情况进行调整,选择“中文”。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->若选择“中文”,系统安装完成后,使用VNC登录不支持中文显示,使用串口登录支持中文显示,使用SSH登录时是否支持中文显示与使用的SSH客户端有关。若选择“English”,则无影响。 - -**图 8** 语言支持 -![](figures/语言支持.png "语言支持") - -设置完成后,请单击左上角“完成”返回“安装概览”页面。 - -## 设置时间和日期 - -在“安装概览”页面中选择“时间和日期”,设置系统的时区、日期、时间等。 - -设置时区时,用户可通过鼠标在地图上单击指定的城市,也可以通过页面顶部的“地区”和“城市”下拉菜单中进行选择,如[图9](#zh-cn_topic_0186390096_zh-cn_topic_0122145900_fig1260162652312)所示。 - -如果您所在城市没有出现在地图或下拉菜单中,请选择同一时区中离您最近的城市。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->- 手动设置时区时,请先关闭右上角“网络时间”同步开关。 ->- 如需使用网络时间,请保证网络能连通远程NTP服务器,设置网络具体请参见“[设置网络和主机名](#设置网络和主机名)”。 - -**图 9** 日期和时间 -![](figures/日期和时间.png "日期和时间") - -设置完成后,请单击左上角“完成”返回“安装概览”页面。 - -## 设置安装源 - -在“安装概览”页面中选择“安装源”,指定安装源的位置。 - -当使用完整光盘安装,安装程序会自动探测并显示安装源信息,用户直接使用默认配置即可,不需要进行设置,如[图10](#zh-cn_topic_0186390100_zh-cn_topic_0144427079_fig93633295132)所示。 - -**图 10** 安装源 -![](figures/安装源.png "安装源") - -当使用网络https源进行安装的时候,如果https服务器使用的是私有证书,则需要在安装引导界面按“e”进入已选选项的参数编辑界面,在参数中增加inst.noverifyssl参数,如[图11](#fig113517811415)所示。 - -**图 11** 增加inst.noverifyssl参数 -![](figures/增加inst-noverifyssl参数.png "增加inst-noverifyssl参数") - -设置完成后,请单击左上角“完成”返回“安装概览”页面。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->安装过程中,如果“设置安装源”有疑问,可参考“[选择安装源出现异常](FAQ.html#选择安装源出现异常)”。 - -## 选择安装软件 - -在“安装概览”页面中选择“软件选择”,指定需要安装的软件包。 - -用户需要根据实际的业务需求,在左侧选择一个“最小安装”,在右侧选择安装环境的附加选项,如[图12](#zh-cn_topic_0186390261_zh-cn_topic_0122145865_fig03031519101414)所示。 - -**图 12** 软件选择 -![](figures/软件选择.png "软件选择") - ->![](public_sys-resources/icon-note.gif) **说明:** ->- 在最小安装的环境下,并非安装源中所有的包都会安装。如果用户需要使用的包未安装,可将安装源挂载到本地制作repo源,通过DNF工具单独安装。 ->- 选择“虚拟化主机”时会默认安装虚拟化组件qemu、libvirt、edk2,且可在附件选项处选择是否安装ovs等组件。 - 
-设置完成后,请单击左上角“完成”返回“安装概览”页面。 - -## 设置安装目的地 - -在“安装概览”页面中选择“安装目的地”,设置操作系统的安装磁盘及分区。 - -在[图13](#fig1195417125015)所示的页面中您可以看到计算机中的本地可用存储设备。 - ->![](public_sys-resources/icon-notice.gif) **须知:** ->在选择您需要安装的设备时,建议不要选择NVMe SSD存储介质作为操作系统的安装磁盘。 - -**图 13** 安装目标位置 -![](figures/安装目标位置.png "安装目标位置") - -### 存储配置 - -在“安装目标位置”界面,您需要进行存储配置以便对系统分区。您可以手动配置分区,也可以选择让安装程序自动分区。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->- 在进行分区时,出于系统性能和安全的考虑,建议您划分如下单独分区:/boot、/var、/var/log 、/var/log/audit、/home、/tmp。 ->- 系统如果配置了swap分区,当系统的物理内存不够用时,会使用swap分区。虽然 swap分区可以增大物理内存大小的限制,但是如果由于内存不足使用到swap分区,会增加系统的响应时间,性能变差。因此在物理内存充足或者性能敏感的系统中,不建议配置swap分区。 ->- 如果需要拆分逻辑卷组则需要选择“自定义”进行手动分区,并在“手动分区”界面单击“卷组”区域中的“修改”按钮重新配置卷组。 - -**自动** - -如果是在未使用过的存储设备中执行全新安装,或者不需要保留该存储设备中任何数据,建议选择“自动”进行自动分区。 - -若您需要对数据进行加密,您可以在“安装目标位置”界面选择“加密我的数据”,并单击左上角“完成”,出现如[图14](#fig_setcode)所示的“磁盘加密口令”对话框。请分别在“口令”和“确认”中输入相同的加密口令,且口令需要符合密码复杂度,具体请参考[密码复杂度](#密码复杂度)。设置完成后,请单击“保存口令”返回“安装概览”页面。 - ->![](figures/zh-cn_image_0229291229.png) ->若口令丢失,将无法找回,且无法访问所有加密的分区以及其中的数据。请妥善保管口令。 - -**图 14** 磁盘加密口令 -![](figures/磁盘加密口令.png "磁盘加密口令") - -**自定义** - -若用户需进行手动分区,选择“自定义”按钮,并单击左上角“完成”,出现手动分区界面。 - -在“手动分区”界面可以通过如下两种方式进行分区,分区完成后如[图15](#fig1277151815248)所示。 - -- 自动创建:在界面单击“点击这里自动创建它们”,系统会根据可用的存储空间,自动分出4个挂载点:/boot 、/、/boot/efi、swap。 - -- 手动创建:单击“![](figures/zh-cn_image_0229291243.png)”添加新挂载点,建议每个挂载点的期望容量不超过可用空间。 - - >![](public_sys-resources/icon-note.gif) **说明:** - >若设置的挂载点期望容量超过了可用空间,系统将剩余的可用空间全部分配给该挂载点。 - -**图 15** 手动分区 -![](figures/手动分区.png "手动分区") - -若您需要对数据进行加密,您可以在需要加密的挂载点的“设备类型”区域中选择“加密”,并单击左上角“完成”,出现如[图14](#fig_setcode)所示的“磁盘加密口令”对话框。请分别在“口令”和“确认”中输入相同的加密口令,且口令需要符合密码复杂度,具体请参考[密码复杂度](#密码复杂度)。设置完成后,请单击“保存口令”返回“手动分区”界面。 - ->![](figures/zh-cn_image_0229291229.png) ->若口令丢失,将无法找回,且无法访问所有加密的分区以及其中的数据。请妥善保管口令。 - -设置完成后,请单击左上角“完成”返回“安装概览”页面。 - -## 设置网络和主机名 - -在“安装概览”页面中选择“网络和主机名”,设置系统的网络功能。 - 
-安装程序会自动探测可本地访问的接口。探测到的接口列在左侧方框中,右侧显示相应的接口详情,如[图16](#zh-cn_topic_0186390264_zh-cn_topic_0122145831_fig123700157297)所示。用户可以通过页面右上角的开关,来开启或者关闭网络接口。用户还可以单击“配置”以配置选中的接口。 - -用户可在页面下方“主机名”字段输入主机名。主机名可以是完全限定域名(FQDN),其格式为hostname.domainname;也可以是简要主机名,其格式为hostname。 - -**图 16** 网络和主机名 -![](figures/网络和主机名.png "网络和主机名") - -设置完成后,请单击左上角“完成”返回“安装概览”页面。 - -## 设置根密码 - -在“安装概览”页面中选择“根密码”,弹出设置“ROOT密码”界面,如[图17](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1323165793018)所示,根据[密码复杂度](#密码复杂度)输入密码并再次输入密码进行确认。 - ->![](public_sys-resources/icon-note.gif) **说明:** -> ->- root帐户是用来执行关键系统管理任务,不建议您在日常工作及系统访问时使用root帐户。 -> ->- 在“ROOT密码”界面若选择“锁定root帐户”则root帐户将禁用。 - -**图 17** root密码 -![](figures/root密码.png "root密码") - -### 密码复杂度 - -用户设置的root用户密码或新创建用户的密码均需要满足密码复杂度要求,否则会导致密码设置或用户创建失败。设置密码的复杂度的要求如下: - -1. 口令长度至少8个字符。 -2. 口令至少包含大写字母、小写字母、数字和特殊字符中的任意3种。 -3. 口令不能和账号一样。 -4. 口令不能使用字典词汇。 - - >![](public_sys-resources/icon-note.gif) **说明:** - > 在已装好的openEuler环境中,可以通过`cracklib-unpacker /usr/share/cracklib/pw_dict > dictionary.txt`命令导出字典库文件dictionary.txt,用户可以查询密码是否在该字典中。 - -完成设置后,单击左上角的“完成”返回“安装概览”页面。 - -## 创建用户 - -在“安装概览”页面中选择“创建用户”,弹出“创建用户”的界面如[图18](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1237715313319)所示。输入用户名,并设置密码。另外您还可以通过“高级”选项设置用户主目录、用户组等,如[图19](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig128716531312)所示。 - -**图 18** 创建用户 -![](figures/创建用户.png "创建用户") - -**图 19** 高级用户配置 -![](figures/高级用户配置.png "高级用户配置") - -完成设置后,单击左上角的“完成”返回“安装概览”页面。 - - -## 开始安装 - -在安装界面上完成所有必填选项的配置后,界面上的警告会消失。此时,用户可以单击“开始安装”进行系统安装。 - -**图 20** 开始安装 -![](figures/开始安装.png "开始安装") - -## 安装过程 - -开始安装后会出现进度页面,显示安装进度及所选软件包写入系统的进度,如[图21](zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1590863119306)所示。 - ->![](figures/zh-cn_image_0229291229.png) ->若系统安装过程中,单击“退出”,或复位、下电服务器,则安装过程被中断,系统将不可用,需要重新进行安装。 - -**图 21** 安装过程 -![](figures/安装过程.png "安装过程") - - -## 安装完成 - -此刻,openEuler已完成安装,如[图22](#zh-cn_topic_0186390267_zh-cn_topic_0122145917_fig1429512116338)所示。单击“重启系统”后,系统将重新启动。 - -**图 22** 完成安装 -![](figures/完成安装.png "完成安装") - 
-- 如果当前使用物理光盘安装操作系统,且在重启过程中安装光盘没有自动弹出,请手动取出光盘,则可以直接进入openEuler命令行登录界面。 -- 如果当前使用虚拟光驱安装操作系统,则需要修改服务器的启动项为“硬盘”,然后重启服务器,则可以直接进入openEuler命令行登录界面。 +# 安装指导 + +本章以光盘安装为例介绍安装openEuler,其他安装方式除在启动安装时的引导方式不同外,待启动安装后则安装流程相同,在此不再说明。 + + +## 启动安装 + +### 使用光盘引导安装 + +在服务器的光驱中加载openEuler安装镜像,重启服务器,具体步骤如下。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>在安装开始前,需要保证服务器启动选项为光驱优先。安装步骤以BMC挂载虚拟光驱进行光盘安装的操作举例。通过物理光驱安装的操作简单,启动安装后的流程相同,在此不再说明。 + +1. 在虚拟界面工具栏中,单击虚拟光驱工具如下图所示。 + + **图 1** 光驱图标 + ![](./figures/CD-ROM_drive_icon.png) + + 弹出镜像对话框,如下图所示。 + + **图 2** 镜像对话框 + ![](./figures/Image_dialog_box.png) + +2. 在镜像对话框中,选择“镜像文件”, 并单击“浏览”。弹出“打开”对话框。 +3. 选择镜像文件,单击“打开”。然后在镜像对话框中,单击“连接”。当“连接”显示为“断开”后,表示虚拟光驱已连接到服务器。 +4. 在工具栏中,单击重启工具重启设备,如下图所示。 + + **图 3** 重启图标 + ![](./figures/restarticon.png) + + +### 安装引导界面 + +系统使用引导介质完成引导后会显示引导菜单。该引导菜单除启动安装程序外还提供一些选项。安装系统时,默认采用“Test this media & install openEuler 21.03”方式进行安装。如果要选择默认选项之外的选项,请使用键盘中的“↑”和“↓”方向键进行选择,并在选项为高亮状态时按“Enter”。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>- 如果60秒内未按任何键,系统将从默认选项“Test this media & install openEuler 21.03”自动进入安装界面。 +>- 安装物理机时,如果使用键盘上下键无法选择启动选项,按“Enter”键无响应,可以单击BMC界面上的鼠标控制图标“![](./figures/zh-cn_image_0229420473.png)”,设置“键鼠复位”。 + +**图 4** 安装引导界面 +![](./figures/Installation_wizard.png) + +安装引导选项说明如下: + +- Install openEuler 21.03 —— 在您的服务器上使用图形用户界面模式安装。 + +- Test this media & install openEuler 21.03 —— 默认选项,在您的服务器上使用图形用户界面模式安装,但在启动安装程序前会进行安装介质的完整性检查。 + +- Troubleshooting —— 问题定位模式,系统无法正常安装时使用。进入问题定位模式后,有如下两个选项。 + - Install openEuler 21.03 in basic graphics mode —— 简单图形安装模式,该模式下在系统启动并运行之前不启动视频驱动程序。 + - Rescue the openEuler system —— 救援模式,用于修复系统。该模式下输出定向到VNC或BMC(Baseboard Management Controller)端,串口不可用。 + +在安装引导界面,按“e”进入已选选项的参数编辑界面,按“c”进入命令行模式。 + +### 图形化模式安装 + +在“安装引导界面”中选择“Test this media & install openEuler 21.03”进入图形化模式安装。 + +可以通过键盘操作图形化安装程序。 + +- “Tab”、“shift Tab”:界面控件(按钮、区域框、复选框等)间的移动。 +- “↑”、“↓”方向键:列表里的移动。 +- “←”、“→”方向键:水平工具条和表条间移动。 +- “空格”、“Enter”:选择或删除高亮显示的选项、展开或折叠下拉菜单。 +- 
“Alt”+“快捷键”:选择快捷键所在的控件,其中快捷键可通过按住Alt高亮(加下划线)显示。 + +## 设置安装程序语言 + +启动安装后,在进入安装程序主界面之前,系统会提示用户设置安装过程中使用的语言。当前默认为英语,用户可根据实际情况进行调整,如[图5](#zh-cn_topic_0186390093_zh-cn_topic_0122145864_fig144630179151)所示,选择“中文”。 + +**图 5** 选择语言 +![](./figures/selectlanguage.png) + +完成设置后,单击“继续”,进入安装设置主界面。 + +如果您想退出安装,可以单击“退出”并在弹出的“您确定要退出安装程序吗?”对话框中单击“是”重新进入“安装引导界面”。 + +## 进入安装界面 + +系统安装程序正常启动后,会进入[图6](#zh-cn_topic_0186390094_zh-cn_topic_0122145883_fig5969171592212)所示的安装设置主界面。用户可以进行时间、语言、安装源、网络、安装位置等相关设置。 + +部分配置项会有告警符号,用户完成该选项配置后,告警符号消失。当界面上不存在告警符号时,用户才能单击“开始安装”进行系统安装。 + +如果您想退出安装,可以单击“退出”并在弹出的“您确定要退出安装程序吗?”对话框中单击“是”重新进入“安装引导界面”。 + +**图 6** 安装概览 +![](./figures/installation_overview.png) + +## 设置键盘 + +在“安装概览”页面中选择“键盘”,用户可以在系统中添加或者删除多个键盘布局。 + +- 要查看键盘布局,请在左侧选框中单击选中该键盘布局,然后单击下面的“键盘”按钮。 +- 要测试键盘布局,请在左侧选框中添加键盘布局,然后在右上角键盘图标处进行点击切换为目标键盘,单击右侧文本框内部,输入文本以确认所选键盘布局可正常工作。 + +**图 7** 键盘布局 +![](./figures/Keyboard_layout.png) + +设置完成后,请单击左上角“完成”返回“安装概览”页面。 + +## 设置系统语言 + +在“安装概览”页面中选择“语言支持”,设置系统的语言。如[图8](#zh-cn_topic_0186390098_zh-cn_topic_0122145772_fig187301927172619)所示,用户也可根据实际情况进行调整,选择“中文”。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>若选择“中文”,系统安装完成后,使用VNC登录不支持中文显示,使用串口登录支持中文显示,使用SSH登录时是否支持中文显示与使用的SSH客户端有关。若选择“English”,则无影响。 + + +**图 8** 语言支持 +![](./figures/languagesupport.png) + +设置完成后,请单击左上角“完成”返回“安装概览”页面。 + +## 设置时间和日期 + +在“安装概览”页面中选择“时间和日期”,设置系统的时区、日期、时间等。 + +设置时区时,用户可通过鼠标在地图上单击指定的城市,也可以通过页面顶部的“地区”和“城市”下拉菜单中进行选择,如[图9](#zh-cn_topic_0186390096_zh-cn_topic_0122145900_fig1260162652312)所示。 + +如果您所在城市没有出现在地图或下拉菜单中,请选择同一时区中离您最近的城市。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>- 手动设置时区时,请先关闭右上角“网络时间”同步开关。 +>- 如需使用网络时间,请保证网络能连通远程NTP服务器,设置网络具体请参见“[设置网络和主机名](#设置网络和主机名)”。 + +**图 9** 日期和时间 +![](./figures/dateandtime.png) + +设置完成后,请单击左上角“完成”返回“安装概览”页面。 + +## 设置安装源 + +在“安装概览”页面中选择“安装源”,指定安装源的位置。 + +* 当使用完整光盘安装,安装程序会自动探测并显示安装源信息,用户直接使用默认配置即可,不需要进行设置,如[图10](#zh-cn_topic_0186390100_zh-cn_topic_0144427079_fig93633295132)所示。 + + **图 10** 安装源 + ![](./figures/Installation_source.png) + +* 
当使用网络源进行安装的时候,需设置网络源的 URL。 + + - http 或 https 方式 + + http 或 https 方式的安装源如下图所示。 + + ![](./figures/installsource.png) + + 如果https服务器使用的是私有证书,则需要在安装引导界面按“e”进入已选选项的参数编辑界面,在参数中增加 inst.noverifyssl 参数。 + + 输入框内容以实际版本发布的安装源地址为准,如https://repo.openeuler.org/openEuler-21.03/OS/x86_64/ ,其中openEuler-21.03 为版本号,x86_64 为CPU 架构,可根据实际情况输入。 + + - ftp 方式 + + ftp 方式的安装源如下图所示,输入框内容根据的 ftp 地址输入。 + + ![](./figures/sourceftp.png) + + ftp服务器需要用户自己搭建,将openEuler-21.03-x86_64-dvd.iso镜像进行挂载,挂载出的文件拷贝到ftp的共享目录中。其中x86_64为CPU 架构,可根据实际情况使用镜像。 + + - nfs 方式 + + nfs 方式的安装源如下图所示,输入框内容根据的 nfs 地址输入。 + + ![](./figures/sourcenfs.png) + + nfs服务器需要用户自己搭建,将openEuler-21.03-x86_64-dvd.iso镜像进行挂载,挂载出的文件拷贝到nfs的共享目录中。其中x86_64为CPU 架构,可根据实际情况使用镜像。 + + +安装过程中,如果“设置安装源”有疑问,可参考“[选择安装源出现异常](./FAQ.html#选择安装源出现异常)”。 + +设置完成后,请单击左上角“完成”返回“安装概览”页面。 + +## 选择安装软件 + +在“安装概览”页面中选择“软件选择”,指定需要安装的软件包。 + +用户需要根据实际的业务需求,在左侧选择一个“最小安装”,在右侧选择安装环境的附加选项,如[图11](#zh-cn_topic_0186390261_zh-cn_topic_0122145865_fig03031519101414)所示。 + +**图 11** 软件选择 +![](./figures/choosesoftware.png) + +>![](./public_sys-resources/icon-note.gif) **说明:** +>- 在最小安装的环境下,并非安装源中所有的包都会安装。如果用户需要使用的包未安装,可将安装源挂载到本地制作repo源,通过DNF工具单独安装。 +>- 选择“虚拟化主机”时会默认安装虚拟化组件qemu、libvirt、edk2,且可在附件选项处选择是否安装ovs等组件。 + +设置完成后,请单击左上角“完成”返回“安装概览”页面。 + +## 设置安装目的地 + +在“安装概览”页面中选择“安装目的地”,设置操作系统的安装磁盘及分区。 + +在[图12](#fig1195417125015)所示的页面中您可以看到计算机中的本地可用存储设备。 + + +**图 12** 安装目标位置 +![](./figures/Target_installation_position.png) + +### 存储配置 + +在“安装目标位置”界面,您需要进行存储配置以便对系统分区。您可以手动配置分区,也可以选择让安装程序自动分区。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>- 在进行分区时,出于系统性能和安全的考虑,建议您划分如下单独分区:/boot、/var、/var/log 、/var/log/audit、/home、/tmp。 +>- 系统如果配置了swap分区,当系统的物理内存不够用时,会使用swap分区。虽然 swap分区可以增大物理内存大小的限制,但是如果由于内存不足使用到swap分区,会增加系统的响应时间,性能变差。因此在物理内存充足或者性能敏感的系统中,不建议配置swap分区。 +>- 如果需要拆分逻辑卷组则需要选择“自定义”进行手动分区,并在“手动分区”界面单击“卷组”区域中的“修改”按钮重新配置卷组。 + +**自动** + +如果是在未使用过的存储设备中执行全新安装,或者不需要保留该存储设备中任何数据,建议选择“自动”进行自动分区。设置完成后,请单击“完成”返回“安装概览”页面。 + +**自定义** + +若用户需进行手动分区,选择“自定义”按钮,并单击左上角“完成”,出现手动分区界面。 + 
+在“手动分区”界面可以通过如下两种方式进行分区,分区完成后如[图13](#fig1277151815248)所示。 + +- 自动创建:在界面单击“点击这里自动创建它们”,系统会根据可用的存储空间,自动分出4个挂载点:/boot 、/、/boot/efi、swap。 + +- 手动创建:单击“![](./figures/zh-cn_image_0229291243.png)”添加新挂载点,建议每个挂载点的期望容量不超过可用空间。 + + >![](./public_sys-resources/icon-note.gif) **说明:** + >若设置的挂载点期望容量超过了可用空间,系统将剩余的可用空间全部分配给该挂载点。 + +**图 13** 手动分区 +![](./figures/Manual_partitioning.png) + +>![](./public_sys-resources/icon-note.gif) **说明:** +> 如果选择非 UEFI 引导,则不需要 /boot/efi 分区。若选择 UEFI 引导,则必须有 /boot/efi 分区。 + +设置完成后,请单击左上角”完成“按钮,弹出“更改摘要”对话框,提示更改产生的变更信息。 + +点击“接受更改”,返回“安装概览”页面。 + +## 设置网络和主机名 + +在“安装概览”页面中选择“网络和主机名”,设置系统的网络功能。 + +安装程序会自动探测可本地访问的接口。探测到的接口列在左侧方框中,右侧显示相应的接口详情,如[图14](#zh-cn_topic_0186390264_zh-cn_topic_0122145831_fig123700157297)所示。用户可以通过页面右上角的开关,来开启或者关闭网络接口。开关默认是关闭状态,若设置安装源选择的是在网络上安装,需要开启开关。用户还可以单击“配置”以配置选中的接口。勾选“自动以优先级连接”选项,即可将该网卡设置为开机自启动,如[图15](#zh-cn_topic_0186390264_zh-cn_topic_0122145831_fig6)所示。 + +用户可在页面下方“主机名”字段输入主机名。主机名可以是完全限定域名(FQDN),其格式为hostname.domainname;也可以是简要主机名,其格式为hostname。 + +**图 14** 网络和主机名 +![](./figures/NetworkandHostName.png) + +**图 15** 配置网络 +![](./figures/confignetwork1.png) + +设置完成后,请单击左上角“完成”返回“安装概览”页面。 + +## 设置根密码 + +在“安装概览”页面中选择“根密码”,弹出设置“ROOT密码”界面,如[图16](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1323165793018)所示,根据[密码复杂度](#密码复杂度)输入密码并再次输入密码进行确认。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +> +>- root帐户是用来执行关键系统管理任务,不建议您在日常工作及系统访问时使用root帐户。 +> +>- 在“ROOT密码”界面若选择“锁定root帐户”则root帐户将禁用。 + +**图 16** root密码 +![](./figures/root_password.png) + +### 密码复杂度 + +用户设置的root用户密码或新创建用户的密码均需要满足密码复杂度要求,否则会导致密码设置或用户创建失败。设置密码的复杂度的要求如下: + +1. 口令长度至少8个字符。 +2. 口令至少包含大写字母、小写字母、数字和特殊字符中的任意3种。 +3. 口令不能和账号一样。 +4. 
口令不能使用字典词汇。 + + >![](./public_sys-resources/icon-note.gif) **说明:** + >在已装好的openEuler环境中,可以通过`cracklib-unpacker /usr/share/cracklib/pw_dict > dictionary.txt`命令导出字典库文件dictionary.txt,用户可以查询密码是否在该字典中。 + +完成设置后,单击左上角的“完成”返回“安装概览”页面。 + +## 创建用户 + +在“安装概览”页面中选择“创建用户”,弹出“创建用户”的界面如[图17](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1237715313319)所示。输入用户名,并设置密码。另外您还可以通过“高级”选项设置用户主目录、用户组等,如[图18](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig128716531312)所示。 + +**图 17** 创建用户 +![](./figures/createuser.png) + +**图 18** 高级用户配置 +![](./figures/Advanced_User_Configuration.png) + +完成设置后,单击左上角的“完成”返回“安装概览”页面。 + + +## 开始安装 + +在安装界面上完成所有必填选项的配置后,界面上的警告会消失。此时,用户可以单击“开始安装”进行系统安装。 + +## 安装过程 + +开始安装后会出现进度页面,显示安装进度及所选软件包写入系统的进度,如[图19](./zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1590863119306)所示。 + +>![](./figures/zh-cn_image_0229291229.png) +>若系统安装过程中,单击“退出”,或复位、下电服务器,则安装过程被中断,系统将不可用,需要重新进行安装。 + +**图 19** 安装过程 +![](./figures/installation_procedure.png) + + +## 安装完成 + +安装过程执行完成后,openEuler完成安装,单击“重启”后,系统将重新启动。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +> - 如果当前使用物理光盘安装操作系统,且在重启过程中安装光盘没有自动弹出,请手动取出光盘,则可以直接进入openEuler命令行登录界面。 +> - 如果当前使用虚拟光驱安装操作系统,则需要修改服务器的启动项为“硬盘”,然后重启服务器,则可以直接进入openEuler命令行登录界面。 + 
diff --git "a/content/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215-1.md" "b/docs/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215-1.md" similarity index 71% rename from "content/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215-1.md" rename to "docs/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215-1.md" index 65fffe05b708b975c7396619ec86397ca8964f73..587f9bb93a7aa6aea6686ef4c629d78bfb30d204 100644 --- "a/content/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215-1.md" +++ "b/docs/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215-1.md" @@ -1,9 +1,9 @@ # 安装方式介绍 ->![](public_sys-resources/icon-notice.gif) **须知:** +>![](./public_sys-resources/icon-notice.gif) **须知:** >- 硬件仅支持树莓派 3B/3B+/4B。 >- 采用刷写镜像到 SD 卡方式安装。本章节提供 Windows/Linux/Mac 上刷写镜像的操作方法。 ->- 本章节使用的镜像是参考“[安装准备](安装准备-1.html)”获取 openEuler 的树莓派版本镜像。 +>- 本章节使用的镜像是参考“[安装准备](./安装准备-1.html)”获取 openEuler 的树莓派版本镜像。 @@ -35,10 +35,7 @@ 若 SD 卡之前未安装过镜像,盘符只有一个。在 “Select card” 中选择需要格式化的 SD 卡对应盘符。 - 若 SD 卡之前安装过镜像,盘符会有一个或多个。如下图所示,该 SD 卡对应三个盘符:E、G、H。在 “Select card” 中选择需要格式化的 SD 卡对应 boot 分区盘符 E。 - - **图 1** 盘符 - ![](figures/盘符.png "盘符") + 若 SD 卡之前安装过镜像,盘符会有一个或多个。例如,SD 卡对应三个盘符:E、G、H。在 “Select card” 中选择需要格式化的 SD 卡对应 boot 分区盘符 E。 3. 在 “Formatting options” 中选择格式化方式。默认为 “Qick format”。 4. 单击“Format”开始格式化。界面通过进度条显示格式化进度。 
@@ -46,10 +43,10 @@ ### 写入 SD 卡 ->![](public_sys-resources/icon-notice.gif) **须知:** ->如果获取的是压缩后的镜像文件“openEuler-20.09-RaspberryPi.aarch64.img.xz”,需要先将压缩文件解压得到 “openEuler-20.09-RaspberryPi.aarch64.img”镜像文件。 +>![](./public_sys-resources/icon-notice.gif) **须知:** +>如果获取的是压缩后的镜像文件“openEuler-21.03-raspi-aarch64.img.xz”,需要先将压缩文件解压得到 “openEuler-21.03-raspi-aarch64.img”镜像文件。 -请按照以下步骤将“openEuler-20.09-RaspberryPi.aarch64.img”镜像文件写入 SD 卡: +请按照以下步骤将“openEuler-21.03-raspi-aarch64.img”镜像文件写入 SD 卡: 1. 下载并安装刷写镜像的工具,以下操作以 Win32 Disk Imager 工具为例。 2. 右键选择“以管理员身份运行”,打开 Win32 Disk Imager。 @@ -77,12 +74,12 @@ ### 写入 SD 卡 -1. 如果获取的是压缩后的镜像,需要先执行 `xz -d openEuler-20.09-RaspberryPi.aarch64.img.xz` 命令将压缩文件解压得到“openEuler-20.09-RaspberryPi.aarch64.img”镜像文件;否则,跳过该步骤。 -2. 将镜像 `openEuler-20.09-RaspberryPi.aarch64.img` 刷写入 SD 卡,在 root 权限下执行以下命令: +1. 如果获取的是压缩后的镜像,需要先执行 `xz -d openEuler-21.03-raspi-aarch64.img.xz` 命令将压缩文件解压得到“openEuler-21.03-raspi-aarch64.img”镜像文件;否则,跳过该步骤。 +2. 将镜像 `openEuler-21.03-raspi-aarch64.img` 刷写入 SD 卡,在 root 权限下执行以下命令: - `dd bs=4M if=openEuler-20.09-RaspberryPi.aarch64.img of=/dev/sdb` + `dd bs=4M if=openEuler-21.03-raspi-aarch64.img of=/dev/sdb` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >一般情况下,将块大小设置为 4M。如果写入失败或者写入的镜像无法使用,可以尝试将块大小设置为 1M 重新写入,但是设置为 1M 比较耗时。 ## Mac 下刷写镜像 
@@ -104,10 +101,10 @@ ### 写入 SD 卡 -1. 如果获取的是压缩后的镜像,需要先执行 `xz -d openEuler-20.09-RaspberryPi.aarch64.img.xz` 命令将压缩文件解压得到“openEuler-20.09-RaspberryPi.aarch64.img”镜像文件;否则,跳过该步骤。 -2. 将镜像 `openEuler-20.09-RaspberryPi.aarch64.img` 刷入 SD 卡,在 root 权限下执行以下命令: +1. 如果获取的是压缩后的镜像,需要先执行 `xz -d openEuler-21.03-raspi-aarch64.img.xz` 命令将压缩文件解压得到“openEuler-21.03-raspi-aarch64.img”镜像文件;否则,跳过该步骤。 +2. 将镜像 `openEuler-21.03-raspi-aarch64.img` 刷入 SD 卡,在 root 权限下执行以下命令: - `dd bs=4m if=openEuler-20.09-RaspberryPi.aarch64.img of=/dev/sdb` + `dd bs=4m if=openEuler-21.03-raspi-aarch64.img of=/dev/sdb` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >一般情况下,将块大小设置为 4m。如果写入失败或者写入的镜像无法使用,可以尝试将块大小设置为 1m 重新写入,但是设置为 1m 比较耗时。 diff --git "a/content/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215.md" "b/docs/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215.md" similarity index 85% rename from "content/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215.md" rename to "docs/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215.md" index d8d0dfc4ac471a4c83255ba38e7eacc1d417cbdc..15395a687026e36e1f9b7584c13f4512e2c0ed94 100644 --- "a/content/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215.md" +++ "b/docs/zh/docs/Installation/\345\256\211\350\243\205\346\226\271\345\274\217\344\273\213\347\273\215.md" 
@@ -1,209 +1,209 @@ -# 安装方式介绍 - ->![](public_sys-resources/icon-notice.gif) **须知:** ->- 硬件服务器仅支持Taishan 200服务器和FusionServer Pro 机架服务器,具体支持的服务器型号可参考“[硬件兼容支持](安装准备.html#硬件兼容支持)”;虚拟化平台仅支持openEuler自有的虚拟化组件(HostOS为openEuler,虚拟化组件为发布包中的qemu、KVM)创建的虚拟化平台和华为公有云的x86虚拟化平台。 ->- 安装方式当前仅支持光盘、USB盘安装、网络安装、qcow2镜像安装和私有镜像安装。其中仅华为公有云的x86虚拟化平台支持私有镜像安装。 - - -- [安装方式介绍](#安装方式介绍) - - [通过光盘安装](#通过光盘安装) - - [准备安装源](#准备安装源) - - [启动安装](#启动安装) - - [通过USB盘安装](#通过usb盘安装) - - [准备安装源](#准备安装源-1) - - [启动安装](#启动安装-1) - - [使用PXE通过网络安装](#使用pxe通过网络安装) - - [通过qcow2镜像安装](#通过qcow2镜像安装) - - [制作qcow2镜像](#制作qcow2镜像) - - [启动安装](#启动安装-2) - - [通过私有镜像安装](#通过私有镜像安装) - - [制作私有镜像](#制作私有镜像) - - [启动安装](#启动安装-3) - - - -## 通过光盘安装 - -本节介绍如何使用或者制作光盘安装源,并介绍相应的操作步骤,指导用户进行安装。 - -### 准备安装源 - -如果您获取的是系统安装光盘,那么可以直接使用光盘安装系统。如果您获取的是系统ISO镜像,可以通过刻录软件将系统的ISO镜像刻录到DVD中,使用刻录完成的DVD安装系统。 - -### 启动安装 - -根据以下步骤启动安装程序: - ->![](public_sys-resources/icon-note.gif) **说明:** ->您需要先设置您的系统优先从光盘进行启动引导。以BIOS为例,您需要将“Boot Type Order”中的“CD/DVD-ROM Drive”选项调整到首位。 - -1. 断开所有安装不需要的驱动器,比如USB。 -2. 启动您的计算机系统。 -3. 在计算机中插入安装光盘。 -4. 重启计算机系统。 - -在短暂的延迟后会出现图形化引导界面,该界面包含不同引导选项。如果您在一分钟内未进行任何操作,安装程序将自动以默认选项开始运行。 - -## 通过USB盘安装 - -本节介绍如何制作USB盘安装源,并介绍基本的操作步骤,指导用户进行安装。 - -### 准备安装源 - -您需要注意USB盘容量的大小,它必须有足够的的空间放下整个镜像,建议USB盘空间大于16G。 - -1. 将USB盘连接到该系统中,并执行 dmesg 命令查看相关的日志信息。在该日志的最后可以看到刚刚连接的USB盘所生成的一组信息,应类似如下: - - ``` - [ 170.171135] sd 5:0:0:0: [sdb] Attached SCSI removable disk - ``` - - >![](public_sys-resources/icon-note.gif) **说明:** - >连接的USB盘名称以sdb进行举例。 - -2. 切换为root用户。使用su命令,需要输入相应的密码。 - - ``` - $ su - root - ``` - -3. 确保USB盘没有被挂载。使用如下命令进行查询: - - ``` - # findmnt /dev/sdb - ``` - - - 如果执行此命令后无输出,表明未挂载,可以继续执行下一步。 - - - 如果输出以下信息,表明USB盘已经自动挂载。 - - ``` - # findmnt /dev/sdb - TARGET SOURCE FSTYPE OPTIONS - /mnt/iso /dev/sdb iso9660 ro,relatime - ``` - - 此时,您需要使用umount命令卸载该设备。 - - ``` - # umount /mnt/iso - ``` - -4. 
使用dd命令将ISO安装镜像直接写入USB盘: - - ``` - # dd if=/path/to/image.iso of=/dev/device bs=blocksize - ``` - - 使用您下载的ISO镜像文件的完整路径替换 /path/to/image.iso,使用之前由 dmesg 命令给出的设备名称替换device,同时设置合理的块大小(例如:512k)替换 blocksize,这样可以加快写入进度。 - - 例如:如果该ISO镜像文件位于 /home/testuser/Downloads/openEuler-20.09-beta-aarch64-dvd.iso,同时探测到的设备名称为sdb,则该命令如下: - - ``` - # dd if=/home/testuser/Downloads/openEuler-20.09-beta-aarch64-dvd.iso of=/dev/sdb bs=512k - ``` - -5. 等待镜像写入完成,拔掉USB盘。 - - 镜像写入过程中不会有进度显示,当\#号再次出现时,表明写入完成。退出root账户,拔掉USB盘。此时,您可以使用该USB盘作为系统的安装源。 - - -### 启动安装 - -请根据以下步骤启动安装程序: - ->![](public_sys-resources/icon-note.gif) **说明:** ->您需要先设置您的系统优先从USB进行启动引导。以BIOS为例,您需要将“Boot Type Order”中的USB选项调整到首位。 - -1. 断开所有安装不需要的驱动器。 -2. 打开您的计算机系统。 -3. 在计算机中插入USB盘。 -4. 重启计算机系统。 - -在短暂的延迟后会出现图形化引导页面,该页面包含不同引导选项。如果您在一分钟内未进行任何操作,安装程序将自动开始安装。 - -## 使用PXE通过网络安装 - -要使用 PXE 引导,您需要正确配置服务器以及您的计算机需支持 PXE 的网络接口。 - -如果目标硬件安装有支持PXE的网络接口卡,我们可以配置它从其他网络系统的文件而不是本地介质(如光盘)来引导计算机并执行Anaconda安装程序。 - -对于PXE网络安装,客户机通过支持PXE的网卡,向网络发送请求DHCP信息的广播,请求IP地址等信息。DHCP服务器给客户机提供一个IP地址和其他网络信息如域名服务器、ftp服务器(它提供启动安装程序所必须的文件)的IP地址或主机名,以及服务器上文件的位置。 - ->![](public_sys-resources/icon-note.gif) **说明:** ->此处不详细讨论tftp、DHCP、http等服务器配置,相关详细配置请参考“[全自动化安装指导](使用kickstart自动化安装.html#全自动化安装指导)”。 - -## 通过qcow2镜像安装 - -本节介绍如何使用或者制作qcow2镜像,并介绍相应的操作步骤,指导用户进行安装。 - -### 制作qcow2镜像 - -1. 安装qemu-img软件包。 - - ``` - # dnf install -y qemu-img - ``` - -2. 使用qemu-img工具的create命令,创建镜像文件,命令格式为: - - ``` - $ qemu-img create -f -o - ``` - - 其中,各参数含义如下: - - - _imgFormat_ :镜像格式,取值为raw, qcow2等。 - - _fileOption_ :文件选项,用于设置镜像文件的特性,如指定后端镜像文件,压缩,加密等特性。 - - _fileName_ :文件名称。 - - _diskSize_ :磁盘大小,用于指定块磁盘设备的大小,支持的单位有K、M、G、T,分别代表KiB、MiB、GiB、TiB。 - - 例如,创建一个磁盘设备大小为32GB、格式为qcow2的镜像文件openEuler-imge.qcow2,命令和回显如下: - - ``` - $ qemu-img create -f qcow2 openEuler-image.qcow2 32G - Formatting 'openEuler-image.qcow2', fmt=qcow2 size=34359738368 cluster_size=65536 lazy_refcounts=off refcount_bits=16 - ``` - - -### 启动安装 - -根据以下步骤启动安装程序: - -1. 准备qcow2镜像文件。 -2. 准备虚拟机网络。 -3. 准备UEFI引导工具集EDK II。 -4. 
准备虚拟机XML配置文件。 -5. 创建虚拟机。 -6. 启动虚拟机。 - -各步骤详细的操作请参考《[openEuler 20.09 beta 虚拟化用户指南](../Virtualization/virtualization.html)》。 - -## 通过私有镜像安装 - -本节介绍如何使用或者制作私有镜像,并介绍相应的操作步骤,指导用户进行安装。 - -### 制作私有镜像 - -制作私有镜像的方法请参见[《镜像服务用户指南》](https://support.huaweicloud.com/usermanual-ims/zh-cn_topic_0013901628.html)。 - -### 启动安装 - -华为公有云的x86虚拟化平台的启动请参见[ 弹性云服务器 ECS的用户指南](https://support.huaweicloud.com/wtsnew-ecs/index.html)。 - - - - - - - - - - - - - - - - - +# 安装方式介绍 + +>![](./public_sys-resources/icon-notice.gif) **须知:** +>- 硬件服务器仅支持Taishan 200服务器和FusionServer Pro 机架服务器,具体支持的服务器型号可参考“[硬件兼容支持](./安装准备.html#硬件兼容支持)”;虚拟化平台仅支持openEuler自有的虚拟化组件(HostOS为openEuler,虚拟化组件为发布包中的qemu、KVM)创建的虚拟化平台和华为公有云的x86虚拟化平台。 +>- 安装方式当前仅支持光盘、USB盘安装、网络安装、qcow2镜像安装和私有镜像安装。其中仅华为公有云的x86虚拟化平台支持私有镜像安装。 + + +- [安装方式介绍](#安装方式介绍) + - [通过光盘安装](#通过光盘安装) + - [准备安装源](#准备安装源) + - [启动安装](#启动安装) + - [通过USB盘安装](#通过usb盘安装) + - [准备安装源](#准备安装源-1) + - [启动安装](#启动安装-1) + - [使用PXE通过网络安装](#使用pxe通过网络安装) + - [通过qcow2镜像安装](#通过qcow2镜像安装) + - [制作qcow2镜像](#制作qcow2镜像) + - [启动安装](#启动安装-2) + - [通过私有镜像安装](#通过私有镜像安装) + - [制作私有镜像](#制作私有镜像) + - [启动安装](#启动安装-3) + + + +## 通过光盘安装 + +本节介绍如何使用或者制作光盘安装源,并介绍相应的操作步骤,指导用户进行安装。 + +### 准备安装源 + +如果您获取的是系统安装光盘,那么可以直接使用光盘安装系统。如果您获取的是系统ISO镜像,可以通过刻录软件将系统的ISO镜像刻录到DVD中,使用刻录完成的DVD安装系统。 + +### 启动安装 + +根据以下步骤启动安装程序: + +>![](./public_sys-resources/icon-note.gif) **说明:** +>您需要先设置您的系统优先从光盘进行启动引导。以BIOS为例,您需要将“Boot Type Order”中的“CD/DVD-ROM Drive”选项调整到首位。 + +1. 断开所有安装不需要的驱动器,比如USB。 +2. 启动您的计算机系统。 +3. 在计算机中插入安装光盘。 +4. 重启计算机系统。 + +在短暂的延迟后会出现图形化引导界面,该界面包含不同引导选项。如果您在一分钟内未进行任何操作,安装程序将自动以默认选项开始运行。 + +## 通过USB盘安装 + +本节介绍如何制作USB盘安装源,并介绍基本的操作步骤,指导用户进行安装。 + +### 准备安装源 + +您需要注意USB盘容量的大小,它必须有足够的的空间放下整个镜像,建议USB盘空间大于16G。 + +1. 将USB盘连接到该系统中,并执行 dmesg 命令查看相关的日志信息。在该日志的最后可以看到刚刚连接的USB盘所生成的一组信息,应类似如下: + + ``` + [ 170.171135] sd 5:0:0:0: [sdb] Attached SCSI removable disk + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >连接的USB盘名称以sdb进行举例。 + +2. 切换为root用户。使用su命令,需要输入相应的密码。 + + ``` + $ su - root + ``` + +3. 
确保USB盘没有被挂载。使用如下命令进行查询: + + ``` + # findmnt /dev/sdb + ``` + + - 如果执行此命令后无输出,表明未挂载,可以继续执行下一步。 + + - 如果输出以下信息,表明USB盘已经自动挂载。 + + ``` + # findmnt /dev/sdb + TARGET SOURCE FSTYPE OPTIONS + /mnt/iso /dev/sdb iso9660 ro,relatime + ``` + + 此时,您需要使用umount命令卸载该设备。 + + ``` + # umount /mnt/iso + ``` + +4. 使用dd命令将ISO安装镜像直接写入USB盘: + + ``` + # dd if=/path/to/image.iso of=/dev/device bs=blocksize + ``` + + 使用您下载的ISO镜像文件的完整路径替换 /path/to/image.iso,使用之前由 dmesg 命令给出的设备名称替换device,同时设置合理的块大小(例如:512k)替换 blocksize,这样可以加快写入进度。 + + 例如:如果该ISO镜像文件位于 /home/testuser/Downloads/openEuler-21.03-aarch64-dvd.iso,同时探测到的设备名称为sdb,则该命令如下: + + ``` + # dd if=/home/testuser/Downloads/openEuler-21.03-aarch64-dvd.iso of=/dev/sdb bs=512k + ``` + +5. 等待镜像写入完成,拔掉USB盘。 + + 镜像写入过程中不会有进度显示,当\#号再次出现时,表明写入完成。退出root账户,拔掉USB盘。此时,您可以使用该USB盘作为系统的安装源。 + + +### 启动安装 + +请根据以下步骤启动安装程序: + +>![](./public_sys-resources/icon-note.gif) **说明:** +>您需要先设置您的系统优先从USB进行启动引导。以BIOS为例,您需要将“Boot Type Order”中的USB选项调整到首位。 + +1. 断开所有安装不需要的驱动器。 +2. 打开您的计算机系统。 +3. 在计算机中插入USB盘。 +4. 重启计算机系统。 + +在短暂的延迟后会出现图形化引导页面,该页面包含不同引导选项。如果您在一分钟内未进行任何操作,安装程序将自动开始安装。 + +## 使用PXE通过网络安装 + +要使用 PXE 引导,您需要正确配置服务器以及您的计算机需支持 PXE 的网络接口。 + +如果目标硬件安装有支持PXE的网络接口卡,我们可以配置它从其他网络系统的文件而不是本地介质(如光盘)来引导计算机并执行Anaconda安装程序。 + +对于PXE网络安装,客户机通过支持PXE的网卡,向网络发送请求DHCP信息的广播,请求IP地址等信息。DHCP服务器给客户机提供一个IP地址和其他网络信息如域名服务器、ftp服务器(它提供启动安装程序所必须的文件)的IP地址或主机名,以及服务器上文件的位置。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>此处不详细讨论tftp、DHCP、http等服务器配置,相关详细配置请参考“[全自动化安装指导](./使用kickstart自动化安装.html#全自动化安装指导)”。 + +## 通过qcow2镜像安装 + +本节介绍如何使用或者制作qcow2镜像,并介绍相应的操作步骤,指导用户进行安装。 + +### 制作qcow2镜像 + +1. 安装qemu-img软件包。 + + ``` + # dnf install -y qemu-img + ``` + +2. 
使用qemu-img工具的create命令,创建镜像文件,命令格式为: + + ``` + $ qemu-img create -f -o + ``` + + 其中,各参数含义如下: + + - _imgFormat_ :镜像格式,取值为raw, qcow2等。 + - _fileOption_ :文件选项,用于设置镜像文件的特性,如指定后端镜像文件,压缩,加密等特性。 + - _fileName_ :文件名称。 + - _diskSize_ :磁盘大小,用于指定块磁盘设备的大小,支持的单位有K、M、G、T,分别代表KiB、MiB、GiB、TiB。 + + 例如,创建一个磁盘设备大小为32GB、格式为qcow2的镜像文件openEuler-imge.qcow2,命令和回显如下: + + ``` + $ qemu-img create -f qcow2 openEuler-image.qcow2 32G + Formatting 'openEuler-image.qcow2', fmt=qcow2 size=34359738368 cluster_size=65536 lazy_refcounts=off refcount_bits=16 + ``` + + +### 启动安装 + +根据以下步骤启动安装程序: + +1. 准备qcow2镜像文件。 +2. 准备虚拟机网络。 +3. 准备UEFI引导工具集EDK II。 +4. 准备虚拟机XML配置文件。 +5. 创建虚拟机。 +6. 启动虚拟机。 + +各步骤详细的操作请参考《[虚拟化用户指南](./../Virtualization/virtualization.html)》。 + +## 通过私有镜像安装 + +本节介绍如何使用或者制作私有镜像,并介绍相应的操作步骤,指导用户进行安装。 + +### 制作私有镜像 + +制作私有镜像的方法请参见[《镜像服务用户指南》](https://support.huaweicloud.com/usermanual-ims/zh-cn_topic_0013901628.html)。 + +### 启动安装 + +华为公有云的x86虚拟化平台的启动请参见[ 弹性云服务器 ECS的用户指南](https://support.huaweicloud.com/wtsnew-ecs/index.html)。 + + + + + + + + + + + + + + + + + diff --git "a/content/zh/docs/Installation/\346\233\264\345\244\232\350\265\204\346\272\220.md" "b/docs/zh/docs/Installation/\346\233\264\345\244\232\350\265\204\346\272\220.md" similarity index 100% rename from "content/zh/docs/Installation/\346\233\264\345\244\232\350\265\204\346\272\220.md" rename to "docs/zh/docs/Installation/\346\233\264\345\244\232\350\265\204\346\272\220.md" diff --git a/docs/zh/docs/KernelLiveUpgrade/KernelLiveUpgrade.md b/docs/zh/docs/KernelLiveUpgrade/KernelLiveUpgrade.md new file mode 100644 index 0000000000000000000000000000000000000000..d82b48ce00d235fe5d7195cc190f928e47eec4bf --- /dev/null +++ b/docs/zh/docs/KernelLiveUpgrade/KernelLiveUpgrade.md 
@@ -0,0 +1,16 @@ +# 内核热升级用户指南 + +本文档介绍openEuler系统内核热升级特性的安装部署和使用方法,openEuler的内核热替换特性通过快速重启内核和程序热迁移实现,我们提供了一个用户态工具以自动化这一过程。 + +本文档适用于使用openEuler系统并希望了解和使用内核热升级的社区开发者、开源爱好者以及相关合作伙伴。使用人员需要具备基础的Linux操作系统知识。 + + + +## 使用场景 + +内核热升级的目标,是实现在秒级的端到端时延下,实现进程运行现场的保存和恢复。 + +使用场景通常符合以下两个条件: +1. 内核由于漏洞修复,版本更新等原因,需要重新启动 +2. 运行在内核之上的业务能够在内核重启后快速恢复状态 + diff --git "a/docs/zh/docs/KernelLiveUpgrade/\344\275\277\347\224\250\346\226\271\346\263\225.md" "b/docs/zh/docs/KernelLiveUpgrade/\344\275\277\347\224\250\346\226\271\346\263\225.md" new file mode 100644 index 0000000000000000000000000000000000000000..a70a6f9c792499b5944596817e9e43d8a5991d20 --- /dev/null +++ "b/docs/zh/docs/KernelLiveUpgrade/\344\275\277\347\224\250\346\226\271\346\263\225.md" 
@@ -0,0 +1,107 @@ +# 使用方法 + + + +- [命令用法](#命令用法) +- [的使用限制](#使用限制) +- [加速特性说明及使用](#加速特性说明及使用) +- [产生的日志信息](#产生的日志信息) + + +## 命令用法 + ++ nvwa help + + 打印帮助信息,打印的信息如下: + ``` + NAME: + nvwa - a tool used for openEuler kernel update. + + USAGE: + nvwa [global options] command [command options] [arguments...] + + VERSION: + 0.1 + + COMMANDS: + update specify kernel version for nvwa to update + init init nvwa running environment + help, h Shows a list of commands or help for one command + + GLOBAL OPTIONS: + --help, -h show help (default: false) + --version, -v print the version (default: false) + ``` + ++ nvwa update + + 热升级到内核某一版本,nvwa会去/boot目录下寻找内核镜像和ramfs,kernel的命名格式需为vmlinuz-, rootfs命名格式需为initramfs-.img + + 需要注意的是,升级过程有可能会失败,如果失败,部分被dump的进程或者服务,将停止运行。 + ++ nvwa init + + 清除nvwa产生的现场信息以及对systemd的配置修改,用于nvwa执行前或者执行失败后,对现场进行清理 + +## 使用限制 + +1. 对于需要通过nvwa保存的service,其配置中需要设置标准输出(StandardOutput)和错误输出(StandardError),以redis为例: + + ``` + [Unit] + Description=Redis persistent key-value database + After=network.target + [Service] + ExecStart=/usr/bin/redis-server /etc/redis.conf --supervised systemd + Type=notify + User=redis + Group=redis + RuntimeDirectory=redis + RuntimeDirectoryMode=0755 + StandardOutput=file:/root/log1.log + StandardError=file:/root/log2.log + [Install] + WantedBy=multi-user.target + ``` + +2. 使用加速特性需要修改cmdline以及分配合适的内存,参见[此处](#nvwa加速特性说明及使用) + +3. 运行过程中需要关闭SELINUX + + 理论上,仅需要在执行nvwa update之后和系统重启nvwa恢复现场这段时间前需要关闭。稳妥起见,建议全程关闭SELINUX。 + +## 加速特性说明及使用 + +1. cpu park(加速内核重启过程) + + cpu park,是在使用kexec过程,使cpu进入一种忙等的状态,更快的响应主核发送的中断请求,减少状态的变化。 + + 使用cpu park,需要在cmdline中加入"cpuparkmem=0x200000000",其中0x200000000是一段未被其他程序使用的内存起始地址,cpuparkmem将占用从该地址开始,size为1M左右的内存空间。 + + 需要注意的是,在内存允许的情况下,此处的地址选择,建议范围在4G(0x100000000)之后,前4G通常被系统各组件预留,容易冲突。 + +2. quick kexec(加速内核启动过程) + + quick kexec,是对kexec加载镜像过程中的一种加速。 + + 使用quick kexec,需要在配置文件中使能相关选项,更多信息参考<<安装与部署>>(配置介绍) + +3. 
pin_memory(加速现场保存恢复过程) + + pin memory,是对criu进行现场保存恢复过程中的一种加速。 + + 使用pin memory,需要在配置文件中使能相关选项,更多信息参考<<安装与部署>>(配置介绍) + + +## 产生的日志信息 + +内核热升级工具产生的日志分为两部分: + ++ 运行过程产生的日志 + + 通过service nvwa status查看 + ++ 保留现场过程中产生的日志 + + 日志位于criu_dir指定的路径对应命名的进程/服务文件夹中 + diff --git "a/docs/zh/docs/KernelLiveUpgrade/\345\256\211\350\243\205\344\270\216\351\203\250\347\275\262.md" "b/docs/zh/docs/KernelLiveUpgrade/\345\256\211\350\243\205\344\270\216\351\203\250\347\275\262.md" new file mode 100644 index 0000000000000000000000000000000000000000..a24e5630e09f94925fc42e66fde73bb4892bfdff --- /dev/null +++ "b/docs/zh/docs/KernelLiveUpgrade/\345\256\211\350\243\205\344\270\216\351\203\250\347\275\262.md" 
@@ -0,0 +1,177 @@ +# 安装与部署 +本章介绍如何安装和部署内核热升级工具。 + + +- [安装与部署](#安装与部署) + - [软硬件要求](#软硬件要求) + - [硬件要求](#硬件要求) + - [软件要求](#软件要求) + - [环境准备](#环境准备) + - [安装内核热升级工具](#安装内核热升级工具) + - [部署内核热升级工具](#部署内核热升级工具) + - [配置介绍](#配置介绍) + - [使能内核热升级工具](#使能内核热升级工具) + + +## 软硬件要求 + +### 硬件要求 + +- 当前仅支持arm64架构 + +### 软件要求 + +- 操作系统:openEuler 21.03 + +## 环境准备 + +- 安装openEuler系统,安装方法参考 《openEuler 21.03 安装指南》 + +- 安装内核热升级工具需要使用root权限 + +## 安装内核热升级工具 + +本章介绍内核热升级工具的安装方法 + +安装内核热升级工具的操作步骤如下: + +1. 挂载openEuler的iso文件 + + ``` + # mount openEuler-21.03-aarch64-dvd.iso /mnt + ``` + +2. 配置本地yum源 + + ``` + # vim /etc/yum.repos.d/local.repo + ``` + + 配置内容如下所示: + + ``` + [local] + name=local + baseurl=file:///mnt + gpgcheck=1 + enabled=1 + ``` + +3. 将RPM数字签名的GPG公钥导入系统 + + ``` + # rpm --import /mnt/RPM-GPG-KEY-openEuler + ``` + + +4. 安装内核热升级工具 + + ``` + # yum install nvwa -y + ``` + +5. 验证是否安装成功。命令和回显如下表示安装成功 + + ``` + # rpm -qa | grep nvwa + nvwa-xxx + ``` + + +## 部署内核热升级工具 + +本章介绍内核热升级工具的配置部署: + +### 配置介绍 + +内核热升级工具的配置文件位于/etc/nvwa,配置文件包括: +- nvwa-restore.yaml + + 该配置文件用于指导内核热升级工具在内核热升级过程中如何保存和恢复现场,具体配置如下: + + + pids + + pids用于指明nvwa热升级过程中需要保留和恢复的进程,此处的进程通过进程号(pid)进行标识,需要注意的是,nvwa管理的进程在nvwa服务启动后,会被自动恢复。 + + + services + + services用于指明nvwa热升级过程中需要保留和恢复的服务。与pids的区别在于,内核热升级工具可以直接保存和恢复进程的状态,对于服务,内核热升级工具则需要依赖systemd进行相关操作。此处的服务名称,应该使用systemd中使用的服务名称。需要注意的是,对于nvwa管理的服务,是否要在nvwa启动时自动恢复,取决于systemd中有没有使能该服务,且当前支持的服务类型只有notify和oneshot。 + + + restore_net + + restore_net用于指明是否需要内核热升级工具保存和恢复网络配置,如果网络配置有误,有可能导致恢复后网络不可用,默认关闭。 + + + enable_quick_kexec + + enable_quick_kexec用于指明是否需要使能quick kexec特性,quick kexec是nvwa社区推出的,加速内核重启过程的一个特性。使用该特性,需要在cmdline中,加入"quickkexec=128M"。128指分配给quick kexec特性的内存大小,该内存将用于在升级过程中加载kernel和initramfs,因此大小需要大于升级过程中涉及到的kernel,initramfs大小之和。该特性默认关闭。 + + + enable_pin_memory + + enable_pin_memory用于指明是否需要使能pin memory特性,pin memory是nvwa社区推出的,加速进程保存恢复过程的一个特性。使用该特性,需要在cmdline中,加入"max_pin_pid_num=10 redirect_space_size=2M pinmemory=200M@0x640000000"。 + + 其中,max_pin_pid_num代表支持pin 
memory恢复的最大进程数目,redirect_space_size代表pin memory过程中重定向物理页所需要的预留内存空间,建议配置为pin memory总预留内存的1/100,pinmemory指明这段内存的起点和大小。从0x640000000开始的200M空间,是pin memory使用的全部内存空间,这段空间不应该被其他程序使用。 + +- nvwa-restore.yaml的配置示例 +``` +pids: + - 14109 +services: + - redis +restore_net: false +enable_quick_kexec: true +enable_pin_memory: true +``` + +- nvwa-server.yaml + + 该文件包含了内核热升级工具运行过程中,需要使用到的配置信息,具体如下: + + + criu_dir + + 用于指明内核热升级工具在保存现场过程中,存储产生的信息文件夹路径。需要注意的是,这些信息可能会占用较大的磁盘空间。 + + + criu_exe + + 用于指明内核热升级工具使用的criu可执行文件路径,除非是对criu进行调测,一般不建议修改。 + + + kexec_exe + + 用于指明内核热升级工具使用的kexec可执行文件路径,除非是对kexec进行调测,一般不建议修改。 + + + systemd_etc + + 用于指明覆盖systemd配置过程中,使用到的文件夹路径。该路径由systemd决定,一般不需要修改。 + + + log_dir + + 存放内核热升级工具产生的log信息,log模块当前未启用。内核热升级工具日志信息的查看,参考其他章节<<使用方法>> + +- nvwa-server.yaml的配置示例 + +``` +criu_dir: /var/nvwa/running/ +criu_exe: /usr/sbin/criu +kexec_exe: /usr/sbin/kexec +systemd_etc: /etc/systemd/system/ +log_dir: /etc/nvwa/log/ +``` + +## 使能内核热升级工具 + +内核热升级工具的运行依赖配置文件,配置文件修改后应该重新运行内核热升级工具程序。 + +安装成功后,可以通过systemd的相关命令来操作内核热升级工具 + ++ 使能nvwa + + systemctl enable nvwa + ++ 启动nvwa + + systemctl start nvwa + ++ 查看nvwa日志 + + service nvwa status + ++ 更多用法参考systemd用法 diff --git "a/docs/zh/docs/KernelLiveUpgrade/\345\270\270\350\247\201\351\227\256\351\242\230\344\270\216\350\247\243\345\206\263\346\226\271\346\263\225.md" "b/docs/zh/docs/KernelLiveUpgrade/\345\270\270\350\247\201\351\227\256\351\242\230\344\270\216\350\247\243\345\206\263\346\226\271\346\263\225.md" new file mode 100644 index 0000000000000000000000000000000000000000..1257541035305dd8c618f0c0658b80969c0350b4 --- /dev/null +++ "b/docs/zh/docs/KernelLiveUpgrade/\345\270\270\350\247\201\351\227\256\351\242\230\344\270\216\350\247\243\345\206\263\346\226\271\346\263\225.md" 
@@ -0,0 +1,27 @@ +1. 执行nvwa update后未升级 + + 原因:保留现场或者内核替换过程中出现错误。 + + 解决方法:查看日志,找出错误原因。 + +2. 开启加速特性后,nvwa执行命令失败 + + 原因:nvwa提供了诸多加速特性,包括quick kexec,pin memory,cpu park等等。这些特性都涉及到cmdline的配置和内存的分配,在选取内存时,通过cat /proc/iomemory确保选取的内存没有与其他程序冲突。必要时,通过dmesg查看使能特性后是否存在错误日志。 + +3. 热升级后,相关现场未被恢复 + + 原因:首先检查nvwa服务是否运行,运行情况下,可能存在两种情况,一种是服务恢复失败,一种是进程恢复失败。 + + 解决方法:通过service nvwa status查看nvwa的日志,如果是服务启动失败,首先确认是否使能了该服务,再通过systemd查看对应服务的日志。进一步的日志,去criu_dir指定的路径对应命名的进程/服务文件夹中。其中dump.log为保存现场产生的日志,restore.log为恢复现场产生的。 + +4. 恢复失败,日志显示Can't fork for 948: File exists + + 原因:内核热升级工具在恢复程序过程中,发现程序的pid已经被占用。 + + 解决方法:当前内核没有提供保留pid的机制,相关策略正在开发,预计会在将来的内核版本中解决这一限制,当前仅能手动重启相关进程。 + +5. 使用nvwa去保存和恢复简单程序(hello world),显示失败或者程序未在执行 + + 原因: criu使用存在诸多限制 + + 解决办法:查看nvwa的日志,如果显示是criu相关的错误,去相应的目录下检查dump.log或者restore.log,criu相关的使用限制,可以参考[wiki](https://criu.org/What_cannot_be_checkpointed) \ No newline at end of file diff --git a/docs/zh/docs/Kubernetes/Kubernetes.md b/docs/zh/docs/Kubernetes/Kubernetes.md new file mode 100644 index 0000000000000000000000000000000000000000..3b40e344098fe00a936ce40fa0a6eca1be4fee01 --- /dev/null +++ b/docs/zh/docs/Kubernetes/Kubernetes.md @@ -0,0 +1,14 @@ +# Kubernetes 集群部署指南 + +**声明:本文档仅适用于实验和学习环境,不适用于商用环境** + +本文档介绍在 openEuler 操作系统上,通过二进制部署 K8S 集群的一个参考方法。 + +说明:本文所有操作均使用 `root`权限执行。 + +## 集群状态 + +本文所使用的集群状态如下: + +- 集群结构:6 个 `openEuler 21.03`系统的虚拟机,3 个 master 和 3 个 node 节点 +- 物理机:`openEuler 21.03 `的 `x86/ARM`服务器 \ No newline at end of file diff --git "a/docs/zh/docs/Kubernetes/\345\207\206\345\244\207\350\231\232\346\213\237\346\234\272.md" "b/docs/zh/docs/Kubernetes/\345\207\206\345\244\207\350\231\232\346\213\237\346\234\272.md" new file mode 100644 index 0000000000000000000000000000000000000000..d31a437dd3d4ee13af88dd7609583e32654d0e6c --- /dev/null +++ "b/docs/zh/docs/Kubernetes/\345\207\206\345\244\207\350\231\232\346\213\237\346\234\272.md" 
@@ -0,0 +1,157 @@ +# 准备虚拟机 + + +本章介绍使用 virt manager 安装虚拟机的方法,如果您已经准备好虚拟机,可以跳过本章节。 + +## 安装依赖工具 + +安装虚拟机,会依赖相关工具,安装依赖并使能 libvirtd 服务的参考命令如下(如果需要代理,请先配置代理): + +```bash +$ dnf install virt-install virt-manager libvirt-daemon-qemu edk2-aarch64.noarch virt-viewer +$ systemctl start libvirtd +$ systemctl enable libvirtd +``` + +## 准备虚拟机磁盘文件 + +```bash +$ dnf install -y qemu-img +$ virsh pool-define-as vmPool --type dir --target /mnt/vm/images/ +$ virsh pool-build vmPool +$ virsh pool-start vmPool +$ virsh pool-autostart vmPool +$ virsh vol-create-as --pool vmPool --name master0.img --capacity 200G --allocation 1G --format qcow2 +$ virsh vol-create-as --pool vmPool --name master1.img --capacity 200G --allocation 1G --format qcow2 +$ virsh vol-create-as --pool vmPool --name master2.img --capacity 200G --allocation 1G --format qcow2 +$ virsh vol-create-as --pool vmPool --name node1.img --capacity 300G --allocation 1G --format qcow2 +$ virsh vol-create-as --pool vmPool --name node2.img --capacity 300G --allocation 1G --format qcow2 +$ virsh vol-create-as --pool vmPool --name node3.img --capacity 300G --allocation 1G --format qcow2 +``` + +## 打开 VNC 防火墙端口 + +**方法一** + +1. 查询端口 + + ```shell + $ netstat -lntup | grep qemu-kvm + ``` + +2. 
打开 VNC 的防火墙端口。假设端口从 5900 开始,参考命令如下: + + ```shell + $ firewall-cmd --zone=public --add-port=5900/tcp + $ firewall-cmd --zone=public --add-port=5901/tcp + $ firewall-cmd --zone=public --add-port=5902/tcp + $ firewall-cmd --zone=public --add-port=5903/tcp + $ firewall-cmd --zone=public --add-port=5904/tcp + $ firewall-cmd --zone=public --add-port=5905/tcp + ``` + + + +**方法二** + +直接关闭防火墙 + +```shell +$ systemctl stop firewalld +``` + + + +## 准备虚拟机配置文件 + +创建虚拟机需要虚拟机配置文件。假设配置文件为 master.xml ,以虚拟机 hostname 为 k8smaster0 的节点为例,参考配置如下: + +```bash + cat master.xml + + + k8smaster0 + 8 + 8 + + hvm + /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw + /var/lib/libvirt/qemu/nvram/k8smaster0.fd + + + + + + + + + 1 + + destroy + restart + restart + + /usr/libexec/qemu-kvm + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +由于虚拟机相关配置必须唯一,新增虚拟机需要适配修改如下内容,保证虚拟机的唯一性: + +- name:虚拟机 hostname,建议尽量小写。例中为 `k8smaster0` +- nvram:nvram的句柄文件路径,需要全局唯一。例中为 `/var/lib/libvirt/qemu/nvram/k8smaster0.fd` +- disk 的 source file:虚拟机磁盘文件路径。例中为 `/mnt/vm/images/master0.img` +- interface 的 mac address:interface 的 mac 地址。例中为 `52:54:00:00:00:80` + + + +## 安装虚拟机 + +1. 创建并启动虚拟机 + + ```shell + $ virsh define master.xml + $ virsh start k8smaster0 + ``` + +2. 获取虚拟机的 VNC 端口号 + + ```shell + $ virsh vncdisplay k8smaster0 + ``` + +3. 使用虚拟机链接工具,例如 VNC Viewer 远程链接虚拟机,并根据提示依次选择配置,完成系统安装 + +4. 设置虚拟机 hostname,例如设置为 k8smaster0 + + ```shell + $ hostnamectl set-hostname k8smaster0 + ``` diff --git "a/docs/zh/docs/Kubernetes/\345\207\206\345\244\207\350\257\201\344\271\246.md" "b/docs/zh/docs/Kubernetes/\345\207\206\345\244\207\350\257\201\344\271\246.md" new file mode 100644 index 0000000000000000000000000000000000000000..9ac080a5e893eb1a69eeddd6529835d344ab1e3c --- /dev/null +++ "b/docs/zh/docs/Kubernetes/\345\207\206\345\244\207\350\257\201\344\271\246.md" 
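Review bot: 方法二 under "打开 VNC 防火墙端口" in 准备虚拟机.md runs `systemctl stop firewalld`, which drops all packet filtering on the hypervisor host just to reach six VNC ports; I would remove it, or at least mark it as lab-only and tell the reader to start firewalld again once the installation is done. In 方法一, step 1 (`netstat -lntup | grep qemu-kvm`) comes before any VM has been defined or started, so it returns nothing at that point; either move the port step after "安装虚拟机" or rely on the `virsh vncdisplay` call that the guide already uses there. The six `--add-port` lines can be written as one `--add-port=5900-5905/tcp`, and it would be worth saying that the rule is runtime-only and applies to every source address in the public zone.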
@@ -0,0 +1,388 @@ + +# 准备证书 + + +**声明:本文使用的证书为自签名,不能用于商用环境** + +部署集群前,需要生成集群各组件之间通信所需的证书。本文使用开源 CFSSL 作为验证部署工具,以便用户了解证书的配置和集群组件之间证书的关联关系。用户可以根据实际情况选择合适的工具,例如 OpenSSL 。 + +## 编译安装 CFSSL + +编译安装 CFSSL 的参考命令如下(需要互联网下载权限,需要配置代理的请先完成配置), + +```bash +$ wget --no-check-certificate https://github.com/cloudflare/cfssl/archive/v1.5.0.tar.gz +$ tar -zxf v1.5.0.tar.gz +$ cd cfssl-1.5.0/ +$ make -j6 +$ cp bin/* /usr/local/bin/ +``` + +## 生成根证书 + +编写 CA 配置文件,例如 ca-config.json: + +```bash +$ cat ca-config.json | jq +{ + "signing": { + "default": { + "expiry": "8760h" + }, + "profiles": { + "kubernetes": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "8760h" + } + } + } +} +``` + +编写 CA CSR 文件,例如 ca-csr.json: + +```bash +$ cat ca-csr.json | jq +{ + "CN": "Kubernetes", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "CN", + "L": "HangZhou", + "O": "openEuler", + "OU": "WWW", + "ST": "BinJiang" + } + ] +} +``` + +生成 CA 证书和密钥: +```bash +$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca +``` + +得到如下证书: + +```bash +ca.csr ca-key.pem ca.pem +``` + +## 生成 admin 账户证书 + +admin 是 K8S 用于系统管理的一个账户,编写 admin 账户的 CSR 配置,例如 admin-csr.json: +```bash +cat admin-csr.json | jq +{ + "CN": "admin", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "CN", + "L": "HangZhou", + "O": "system:masters", + "OU": "Containerum", + "ST": "BinJiang" + } + ] +} +``` + +生成证书: +```bash +$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin +``` + +结果如下: +```bash +admin.csr admin-key.pem admin.pem +``` + +## 生成 service-account 账户证书 + +编写 service-account 账户的 CSR 配置文件,例如 service-account-csr.json: +```bash +cat service-account-csr.json | jq +{ + "CN": "service-accounts", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "CN", + "L": "HangZhou", + "O": "Kubernetes", + "OU": "openEuler k8s install", + "ST": "BinJiang" + } + 
] +} +``` + +生成证书: +```bash +$ cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json -profile=kubernetes service-account-csr.json | cfssljson -bare service-account +``` + +结果如下: +```bash +service-account.csr service-account-key.pem service-account.pem +``` + +## 生成 kube-controller-manager 组件证书 + +编写 kube-controller-manager 的 CSR 配置: +```bash +{ + "CN": "system:kube-controller-manager", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "CN", + "L": "HangZhou", + "O": "system:kube-controller-manager", + "OU": "openEuler k8s kcm", + "ST": "BinJiang" + } + ] +} +``` + +生成证书: +```bash +$ cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json-profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager +``` + +结果如下: +```bash +kube-controller-manager.csr kube-controller-manager-key.pem kube-controller-manager.pem +``` + +## 生成 kube-proxy 证书 + +编写 kube-proxy 的 CSR 配置: +```bash +{ + "CN": "system:kube-proxy", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "CN", + "L": "HangZhou", + "O": "system:node-proxier", + "OU": "openEuler k8s kube proxy", + "ST": "BinJiang" + } + ] +} +``` + +生成证书: +```bash +$ cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy +``` + +结果如下: +```bash +kube-proxy.csr kube-proxy-key.pem kube-proxy.pem +``` + +## 生成 kube-scheduler 证书 + +编写 kube-scheduler 的 CSR 配置: +```bash +{ + "CN": "system:kube-scheduler", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "CN", + "L": "HangZhou", + "O": "system:kube-scheduler", + "OU": "openEuler k8s kube scheduler", + "ST": "BinJiang" + } + ] +} +``` + +生成证书: +```bash +$ cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem -config=../ca/ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler +``` + +结果如下: +```bash 
+kube-scheduler.csr kube-scheduler-key.pem kube-scheduler.pem +``` + +## 生成 kubelet 证书 + +由于证书涉及到 kubelet 所在机器的 hostname 和 IP 地址信息,因此每个 node 节点配置不尽相同,所以编写脚本完成,生成脚本如下: +```bash +$ cat node_csr_gen.bash + +#!/bin/bash + +nodes=(k8snode1 k8snode2 k8snode3) +IPs=("192.168.122.157" "192.168.122.158" "192.168.122.159") + +for i in "${!nodes[@]}"; do + +cat > "${nodes[$i]}-csr.json" < 17h v1.20.2 +k8snode2 Ready 19m v1.20.2 +k8snode3 Ready 12m v1.20.2 +``` + +## 部署 coredns + +coredns可以部署到node节点或者master节点,本文这里部署到节点`k8snode1`。 + +### 编写 coredns 配置文件 + +```bash +$ cat /etc/kubernetes/pki/dns/Corefile +.:53 { + errors + health { + lameduck 5s + } + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + endpoint https://192.168.122.154:6443 + tls /etc/kubernetes/pki/ca.pem /etc/kubernetes/pki/admin-key.pem /etc/kubernetes/pki/admin.pem + kubeconfig /etc/kubernetes/pki/admin.kubeconfig default + fallthrough in-addr.arpa ip6.arpa + } + prometheus :9153 + forward . /etc/resolv.conf { + max_concurrent 1000 + } + cache 30 + loop + reload + loadbalance +} +``` + +说明: + +- 监听53端口; +- 设置kubernetes插件配置:证书、kube api的URL; + +### 准备 systemd 的 service 文件 + +```bash +cat /usr/lib/systemd/system/coredns.service +[Unit] +Description=Kubernetes Core DNS server +Documentation=https://github.com/coredns/coredns +After=network.target + +[Service] +ExecStart=bash -c "KUBE_DNS_SERVICE_HOST=10.32.0.10 coredns -conf /etc/kubernetes/pki/dns/Corefile" + +Restart=on-failure +LimitNOFILE=65536 + +[Install] +WantedBy=multi-user.target +``` + +### 启动服务 + +```bash +$ systemctl enable coredns +$ systemctl start coredns +``` + +### 创建 coredns 的 Service 对象 + +```bash +$ cat coredns_server.yaml +apiVersion: v1 +kind: Service +metadata: + name: kube-dns + namespace: kube-system + annotations: + prometheus.io/port: "9153" + prometheus.io/scrape: "true" + labels: + k8s-app: kube-dns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: "CoreDNS" +spec: + clusterIP: 10.32.0.10 + ports: + 
- name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP + - name: metrics + port: 9153 + protocol: TCP +``` + +### 创建 coredns 的 endpoint 对象 + +```bash +$ cat coredns_ep.yaml +apiVersion: v1 +kind: Endpoints +metadata: + name: kube-dns + namespace: kube-system +subsets: + - addresses: + - ip: 192.168.122.157 + ports: + - name: dns-tcp + port: 53 + protocol: TCP + - name: dns + port: 53 + protocol: UDP + - name: metrics + port: 9153 + protocol: TCP +``` + +### 确认 coredns 服务 + +```bash +# 查看service对象 +$ kubectl get service -n kube-system kube-dns +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +kube-dns ClusterIP 10.32.0.10 53/UDP,53/TCP,9153/TCP 51m +# 查看endpoint对象 +$ kubectl get endpoints -n kube-system kube-dns +NAME ENDPOINTS AGE +kube-dns 192.168.122.157:53,192.168.122.157:53,192.168.122.157:9153 52m +``` \ No newline at end of file diff --git "a/docs/zh/docs/Kubernetes/\351\203\250\347\275\262\346\216\247\345\210\266\351\235\242\347\273\204\344\273\266.md" "b/docs/zh/docs/Kubernetes/\351\203\250\347\275\262\346\216\247\345\210\266\351\235\242\347\273\204\344\273\266.md" new file mode 100644 index 0000000000000000000000000000000000000000..410f35a191b4f62c13d3e86be3919891af5de791 --- /dev/null +++ "b/docs/zh/docs/Kubernetes/\351\203\250\347\275\262\346\216\247\345\210\266\351\235\242\347\273\204\344\273\266.md" 
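Review bot: In 准备证书.md, "编译安装 CFSSL" downloads the source with `wget --no-check-certificate` and then builds and copies it into /usr/local/bin (the guide states that every command runs as root), so the tool that mints the cluster CA is fetched with TLS verification switched off and with no integrity check. Drop the flag (fix the host CA bundle or the proxy instead) and compare the tarball against a pinned SHA-256 before `make`. Two smaller points in the same hunk: the kube-controller-manager command has `-config=../ca/ca-config.json-profile=kubernetes` with no space before `-profile`, so cfssl receives a config path that does not exist and no profile; and the admin command uses `-ca=ca.pem` while every later command uses `../ca/ca.pem`, which leaves the expected working-directory layout unstated.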
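Review bot: The Corefile in the "部署 coredns" section authenticates CoreDNS to the API server with the admin identity (`admin-key.pem`, `admin.pem`, `admin.kubeconfig`), and the certificate guide in this same patch issues that certificate with `"O": "system:masters"`, so a DNS service on k8snode1 that answers every pod holds cluster-admin credentials. Issue a dedicated client certificate for CoreDNS and bind it to a read-only role; list/watch on services, endpoints, namespaces and pods is what the kubernetes plugin needs. Also worth checking: the `tls` line lists the files as CA, key, cert, whereas the plugin documents the order as cert, key, CA; and `pods insecure` returns pod A records without checking that the pod exists, so please say why it is needed here or drop it.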
@@ -0,0 +1,353 @@ +# 部署控制面组件 + + +## 准备所有组件的 kubeconfig + +### kube-proxy + +```bash +$ kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://192.168.122.154:6443 --kubeconfig=kube-proxy.kubeconfig +$ kubectl config set-credentials system:kube-proxy --client-certificate=/etc/kubernetes/pki/kube-proxy.pem --client-key=/etc/kubernetes/pki/kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig +$ kubectl config set-context default --cluster=openeuler-k8s --user=system:kube-proxy --kubeconfig=kube-proxy.kubeconfig +$ kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig +``` + +### kube-controller-manager + +```bash +$ kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-controller-manager.kubeconfig +$ kubectl config set-credentials system:kube-controller-manager --client-certificate=/etc/kubernetes/pki/kube-controller-manager.pem --client-key=/etc/kubernetes/pki/kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig +$ kubectl config set-context default --cluster=openeuler-k8s --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig +$ kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig +``` + +### kube-scheduler + +```bash +$ kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-scheduler.kubeconfig +$ kubectl config set-credentials system:kube-scheduler --client-certificate=/etc/kubernetes/pki/kube-scheduler.pem --client-key=/etc/kubernetes/pki/kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig +$ kubectl config set-context default --cluster=openeuler-k8s --user=system:kube-scheduler 
--kubeconfig=kube-scheduler.kubeconfig +$ kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig +``` + +### admin + +```bash +$ kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=admin.kubeconfig +$ kubectl config set-credentials admin --client-certificate=/etc/kubernetes/pki/admin.pem --client-key=/etc/kubernetes/pki/admin-key.pem --embed-certs=true --kubeconfig=admin.kubeconfig +$ kubectl config set-context default --cluster=openeuler-k8s --user=admin --kubeconfig=admin.kubeconfig +$ kubectl config use-context default --kubeconfig=admin.kubeconfig +``` + +### 获得相关 kubeconfig 配置文件 + +```bash +admin.kubeconfig kube-proxy.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig +``` + +## 生成密钥提供者的配置 + +api-server 启动时需要提供一个密钥对`--encryption-provider-config=/etc/kubernetes/pki/encryption-config.yaml`,本文通过 urandom 生成一个: + +```bash +$ cat generate.bash +#!/bin/bash + +ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64) + +cat > encryption-config.yaml < - [快速入门](#快速入门) @@ -87,7 +87,7 @@

硬盘

-

为了获得更好的应用体验,建议不小于120GB)

+

为了获得更好的应用体验,建议不小于120GB

支持IDE、SATA、SAS等接口的硬盘。

@@ -100,13 +100,10 @@ 请按以下步骤获取openEuler的发布包和校验文件: -> ![](public_sys-resources/icon-note.gif) **说明:** -> AArch64架构的发布包支持UEFI模式,x86\_64架构的发布包支持UEFI模式和Legacy模式。 - 1. 登录[openEuler社区](https://openeuler.org)网站。 2. 单击“下载”。 3. 单击“获取ISO:”后面的“Link”,显示版本列表。 -4. 单击“openEuler-20.09-beta”,进入openEuler 20.09 beta版本下载列表。 +4. 单击“openEuler-21.03”,进入openEuler 21.03版本下载列表。 5. 单击“ISO”,进入ISO下载列表。 - aarch64:AArch64架构的ISO。 - x86\_64:x86\_64架构的ISO。 @@ -115,13 +112,13 @@ 6. 根据实际待安装环境的架构选择需要下载的openEuler的发布包和校验文件。 - 若为AArch64架构。 1. 单击“aarch64”。 - 2. 单击“openEuler-20.09-beta-aarch64-dvd.iso”,将openEuler发布包下载到本地。 - 3. 单击“openEuler-20.09-beta-aarch64-dvd.iso.sha256sum”,将openEuler校验文件下载到本地。 + 2. 单击“openEuler-21.03-aarch64-dvd.iso”,将openEuler发布包下载到本地。 + 3. 单击“openEuler-21.03-aarch64-dvd.iso.sha256sum”,将openEuler校验文件下载到本地。 - 若为x86\_64架构。 1. 单击“x86\_64”。 - 2. 单击“openEuler-20.09-beta-x86\_64-dvd.iso”,将openEuler发布包下载到本地。 - 3. 单击“openEuler-20.09-beta-x86\_64-dvd.iso.sha256sum”,将openEuler校验文件下载到本地。 + 2. 单击“openEuler-21.03-x86\_64-dvd.iso”,将openEuler发布包下载到本地。 + 3. 单击“openEuler-21.03-x86\_64-dvd.iso.sha256sum”,将openEuler校验文件下载到本地。 @@ -132,13 +129,13 @@ 1. 获取校验文件中的校验值。执行命令如下: ``` - $ cat openEuler-20.09-beta-aarch64-dvd.iso.sha256sum + $ cat openEuler-21.03-aarch64-dvd.iso.sha256sum ``` 2. 计算文件的sha256校验值。执行命令如下: ``` - $ sha256sum openEuler-20.09-beta-aarch64-dvd.iso + $ sha256sum openEuler-21.03-aarch64-dvd.iso ``` 命令执行完成后,输出校验值。 @@ -156,7 +153,7 @@ 将“引导介质有效期”和“引导介质”分别设置为“单次有效”和“光驱”,并单击“保存”以保存配置。如[图1](#fig1011938131018)所示。 **图 1** 设置系统启动项 - ![](figures/设置系统启动项.png "设置系统启动项") + ![](./figures/Setting_the_System_Boot_Option.png) 3. 在上方标题栏中,选择“远程控制”,在左侧导航树中选择“远程控制”,显示“远程控制”界面。 
@@ -165,30 +162,30 @@ 4. 在虚拟界面工具栏中,单击虚拟光驱工具如下图所示。 **图 2** 光驱图标 - ![](figures/光驱图标.png "光驱图标") + ![](./figures/CD-ROM_drive_icon.png) 弹出镜像对话框,如下图所示。 **图 3** 镜像对话框 - ![](figures/镜像对话框.png "镜像对话框") + ![](./figures/Image_dialog_box.png) 5. 在镜像对话框中,选择“镜像文件”, 并单击“浏览”。弹出“打开”对话框。 6. 选择镜像文件,单击“打开”。然后在镜像对话框中,单击“连接”。当“连接”显示为“断开”后,表示虚拟光驱已连接到服务器。 7. 在工具栏中,单击重启工具重启设备,如下图所示。 **图 4** 重启图标 - ![](figures/重启图标.png "重启图标") + ![](./figures/restarticon.png) 8. 设备重启后进入到openEuler操作系统安装引导界面,如[图5](#fig1648754873314)所示。 - >![](public_sys-resources/icon-note.gif) **说明:** - >- 如果60秒内未按任何键,系统将从默认选项“Test this media & install openEuler 20.09-beta”自动进入安装界面。 - >- 安装物理机时,如果使用键盘上下键无法选择启动选项,按“Enter”键无响应,可以单击BMC界面上的鼠标控制图标“![](figures/zh-cn_image_0229420473.png)”,设置“键鼠复位”。 + >![](./public_sys-resources/icon-note.gif) **说明:** + >- 如果60秒内未按任何键,系统将从默认选项“Test this media & install openEuler 21.03”自动进入安装界面。 + >- 安装物理机时,如果使用键盘上下键无法选择启动选项,按“Enter”键无响应,可以单击BMC界面上的鼠标控制图标“![](./figures/zh-cn_image_0229420473.png)”,设置“键鼠复位”。 **图 5** 安装引导界面 - + ![](./figures/Installation_wizard.png) -9. 在安装引导界面,按“Enter”,进入默认选项“Test this media & install openEuler 20.09-beta”的图形化安装界面。 +9. 在安装引导界面,按“Enter”,进入默认选项“Test this media & install openEuler 21.03”的图形化安装界面。 ## 安装 @@ -197,25 +194,25 @@ 1. 设置安装语言,默认为英语,用户可根据实际情况进行调整,如[图6](#fig874344811484)所示,选择“中文”。 **图 6** 选择语言 - + ![](./figures/selectlanguage.png) -2. 在安装概览界面,根据实际情况设置各配置项。 +2. 在安装概览界面,根据实际情况设置各配置项。 - 配置项有告警符号的,表示用户必须完成该选项配置后,告警符号消失,才能进行下一步操作。 - 配置项无告警符号的,表示该配置项已有默认配置。 - 所有配置项均无告警符号时用户才能单击“开始安装”进行系统安装。 **图 7** 安装概览 - + ![](./figures/Installation_Overview.png) 1. 选择“软件选择”,设置“软件选择”配置项。 用户需要根据实际的业务需求,在左侧选择一个“最小安装”,在右侧选择安装环境的附加选项,如[图8](#fig1133717611109)所示。 **图 8** 软件选择 - + ![](./figures/choosesoftware.png) - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- 在最小安装的环境下,并非安装源中所有的包都会安装。如果用户需要使用的包未安装,可将安装源挂载到本地制作repo源,通过DNF工具单独安装。 >- 选择“虚拟化主机”时会默认安装虚拟化组件qemu、libvirt、edk2,且可在附件选项处选择是否安装ovs等组件。 
@@ -225,28 +222,26 @@ 在安装位置页面中,您可以选择计算机中的本地可用存储设备。 - >![](public_sys-resources/icon-notice.gif) **须知:** + >![](./public_sys-resources/icon-notice.gif) **须知:** >在选择您需要安装的设备时,建议不要选择NVMe SSD存储介质作为操作系统的安装磁盘。 您还需要进行存储配置以便对系统分区。您可以手动配置分区,也可以选择让安装程序自动分区。如果是在未使用过的存储设备中执行全新安装,或者不需要保留该存储设备中任何数据,建议选择“自动”进行自动分区。如[图9](#fig153381468101)所示。 - - 若您需要对数据进行加密,若您选择“自动”进行自动分区时,则可以在“安装目标位置”界面选择“加密我的数据”;若您选择“自定义”进行手动分区时,则可以在“手动分区”界面中单击需要加密的挂载点并在“设备类型”区域中选择“加密”。然后单击左上角“完成”,设置磁盘加密口令。磁盘加密口令需要符合密码复杂度,具体请参考[密码复杂度](#密码复杂度)。 **图 9** 安装目标位置 - + ![](./figures/Target_installation_position.png) - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- 在进行分区时,出于系统性能和安全的考虑,建议您划分如下单独分区:/boot、/var、/var/log 、/var/log/audit、/home、/tmp。 >- 系统如果配置了swap分区,当系统的物理内存不够用时,会使用swap分区。虽然 swap分区可以增大物理内存大小的限制,但是如果由于内存不足使用到swap分区,会增加系统的响应时间,性能变差。因此在物理内存充足或者性能敏感的系统中,不建议配置swap分区。 >- 如果需要拆分逻辑卷组则需要选择“自定义”进行手动分区,并在“手动分区”界面单击“卷组”区域中的“修改”按钮重新配置卷组。 设置完成后,请单击左上角“完成”返回“安装概览”页面。 - + 3. 选择“根密码”,设置“根密码”配置项。 在“ROOT密码”页面中,如[图10](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1323165793018)所示,根据[密码复杂度](#密码复杂度)输入密码并再次输入密码进行确认。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** > >- root帐户是用来执行关键系统管理任务,不建议您在日常工作及系统访问时使用root帐户。 > @@ -264,11 +259,11 @@ 4. 口令不能使用字典词汇。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** > 在已装好的openEuler环境中,可以通过`cracklib-unpacker /usr/share/cracklib/pw_dict > dictionary.txt`命令导出字典库文件dictionary.txt,用户可以查询密码是否在该字典中。 **图 10** root密码 - ![](figures/root密码.png "root密码") + ![](./figures/root_password.png) 设置完成后,单击左上角的“完成”返回“安装概览”页面。 
@@ -277,10 +272,10 @@ 在创建用户的界面如[图11](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1237715313319)所示。输入用户名,并设置密码,其中密码复杂度要求与root密码复杂度要求一致。另外您还可以通过“高级”选项设置用户主目录、用户组等,如[图12](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig128716531312)所示。 **图 11** 创建用户 - + ![](./figures/createuser.png) **图 12** 高级用户配置 - ![](figures/高级用户配置.png "高级用户配置") + ![](./figures/Advanced_User_Configuration.png "高级用户配置") 完成设置后,单击左上角的“完成”返回“安装概览”页面。 @@ -289,20 +284,17 @@ 3. 单击“开始安装”进行系统安装,如[图13](#fig1717019357392)所示。 **图 13** 开始安装 - + ![](./figures/Installation_Procedure.png) +4. 安装完成后重启系统。 -6. 安装完成后重启系统。 + openEuler完成安装后,单击“重启”按钮,系统将重新启动。 - openEuler完成安装,如[图14](#zh-cn_topic_0186390267_zh-cn_topic_0122145917_fig1429512116338)所示。单击“重启”后,系统将重新启动。 - - **图 14** 完成安装 - + ## 查看系统信息 -系统安装完成并重启后直接进入系统命令行登录界面,输入安装过程中设置的用户和密码,进入openEuler操作系统,查看如下系统信息。若需要进行系统管理和配置操作,请参考《[openEuler 20.09 beta 管理员指南](../Administration/administration.html)》。 - +系统安装完成并重启后直接进入系统命令行登录界面,输入安装过程中设置的用户和密码,进入openEuler操作系统,查看如下系统信息。若需要进行系统管理和配置操作,请参考《[管理员指南](https://openeuler.org/zh/docs/21.03/docs/Administration/administration.html)》。 - 查看系统信息,命令如下: ``` @@ -312,12 +304,12 @@ 例如,命令和输出如下: ``` - $ cat /etc/os-release + # cat /etc/os-release NAME="openEuler" - VERSION="20.09" + VERSION="21.03" ID="openEuler" - VERSION_ID="20.09" - PRETTY_NAME="openEuler 20.09" + VERSION_ID="21.03" + PRETTY_NAME="openEuler 21.03" ANSI_COLOR="0;31" ``` diff --git "a/content/zh/docs/Releasenotes/CVE\346\274\217\346\264\236.md" "b/docs/zh/docs/Releasenotes/CVE\346\274\217\346\264\236.md" similarity index 100% rename from "content/zh/docs/Releasenotes/CVE\346\274\217\346\264\236.md" rename to "docs/zh/docs/Releasenotes/CVE\346\274\217\346\264\236.md" diff --git a/docs/zh/docs/Releasenotes/README.md b/docs/zh/docs/Releasenotes/README.md new file mode 100644 index 0000000000000000000000000000000000000000..5468a01cd6f31b279dd51db445bf45befc42c3c1 --- /dev/null +++ b/docs/zh/docs/Releasenotes/README.md 
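Review bot: In the @@ -312,12 hunk of the quick-start guide the example prompt changes from `$ cat /etc/os-release` to `# cat /etc/os-release`, which tells readers to run it as root although the file is world-readable. The other commands in this file keep the `$` prompt (`$ sha256sum openEuler-21.03-aarch64-dvd.iso`), and the root-password step of this same guide advises against using the root account for routine access, so please keep `$` here.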
@@ -0,0 +1,43 @@ +# 组件分类 + +**应用和基础服务** + 包括Application && Base-service + +**编程语言和编译器** + 包括Programming-language && Compiler && sig-golang && sig-perl-modules && sig-python-modules + +**运行时和中间件** + 包括Runtime && sig-ai-bigdata && sig-ROS && DB + +**虚拟化和容器** + 包括Virt && oVirt && iSulad && Docker && sig-android-middleware + +**集群管理** + 包括sig-Ha && sig-Kubernetes + +**内核** + 包括Kernel + +**安全** + 包括SIG-Security_facility && sig-bounds_checking_function + +**硬件和芯片使能** + sig-RaspberryPi && sig-RISC-V && sig-Compatibility-Infra + +**文件系统** + 包括Storage & sig-ceph + +**计算和加速库** + 包括Computing && kae + +**网络** + 包括Network && dpdk && sig-REDF + +**桌面** + 包括Desktop && sig-mate-desktop && sig-UKUI && xfce && GNOME && sig-DDE + +**系统工具** + 包括System-tool && A-Tune && dev-utils && sig-EasyLife + +**其它** + 包括other && private \ No newline at end of file diff --git a/content/zh/docs/Virtualization/public_sys-resources/icon-caution.gif b/docs/zh/docs/Releasenotes/public_sys-resources/icon-caution.gif similarity index 100% rename from content/zh/docs/Virtualization/public_sys-resources/icon-caution.gif rename to docs/zh/docs/Releasenotes/public_sys-resources/icon-caution.gif diff --git a/content/zh/docs/Virtualization/public_sys-resources/icon-danger.gif b/docs/zh/docs/Releasenotes/public_sys-resources/icon-danger.gif similarity index 100% rename from content/zh/docs/Virtualization/public_sys-resources/icon-danger.gif rename to docs/zh/docs/Releasenotes/public_sys-resources/icon-danger.gif diff --git a/content/zh/docs/Virtualization/public_sys-resources/icon-note.gif b/docs/zh/docs/Releasenotes/public_sys-resources/icon-note.gif similarity index 100% rename from content/zh/docs/Virtualization/public_sys-resources/icon-note.gif rename to docs/zh/docs/Releasenotes/public_sys-resources/icon-note.gif 
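Review bot: In docs/zh/docs/Releasenotes/README.md the "硬件和芯片使能" entry lists its SIGs without the leading 包括 that every other category has, and "文件系统" joins its two entries with a single `&` where the rest use `&&`. Please make the 14 entries uniform so the list reads (and can be parsed) consistently. The file is also added without a trailing newline.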
diff --git a/content/zh/docs/Virtualization/public_sys-resources/icon-notice.gif b/docs/zh/docs/Releasenotes/public_sys-resources/icon-notice.gif similarity index 100% rename from content/zh/docs/Virtualization/public_sys-resources/icon-notice.gif rename to docs/zh/docs/Releasenotes/public_sys-resources/icon-notice.gif diff --git a/content/zh/docs/Virtualization/public_sys-resources/icon-tip.gif b/docs/zh/docs/Releasenotes/public_sys-resources/icon-tip.gif similarity index 100% rename from content/zh/docs/Virtualization/public_sys-resources/icon-tip.gif rename to docs/zh/docs/Releasenotes/public_sys-resources/icon-tip.gif diff --git a/content/zh/docs/Virtualization/public_sys-resources/icon-warning.gif b/docs/zh/docs/Releasenotes/public_sys-resources/icon-warning.gif similarity index 100% rename from content/zh/docs/Virtualization/public_sys-resources/icon-warning.gif rename to docs/zh/docs/Releasenotes/public_sys-resources/icon-warning.gif diff --git a/docs/zh/docs/Releasenotes/release_notes.md b/docs/zh/docs/Releasenotes/release_notes.md new file mode 100644 index 0000000000000000000000000000000000000000..dd24f65173859f137a6c12855273da276911ccfd --- /dev/null +++ b/docs/zh/docs/Releasenotes/release_notes.md @@ -0,0 +1,3 @@ +# 发行说明 + +本文档是 openEuler 21.03 版本的发行说明。 \ No newline at end of file diff --git a/docs/zh/docs/Releasenotes/zh-cn_bookmap_0225720059.md b/docs/zh/docs/Releasenotes/zh-cn_bookmap_0225720059.md new file mode 100644 index 0000000000000000000000000000000000000000..5d775e30182a7156ece2c9bb4a4e0f4afa6fe288 --- /dev/null +++ b/docs/zh/docs/Releasenotes/zh-cn_bookmap_0225720059.md @@ -0,0 +1,14 @@ +# 版本发行说明 + +- [法律声明](./法律声明.md) +- [用户须知](./用户须知.md) +- [简介](./简介.md) +- [系统安装](./系统安装.md) +- [关键特性](./关键特性.md) +- [已知问题](./已知问题.md) +- [已修复问题](./已修复问题.md) +- [CVE漏洞](./CVE漏洞.md) +- [源代码](./源代码.md) +- [参与贡献](./参与贡献.md) +- [致谢](./致谢.md) + 
diff --git "a/docs/zh/docs/Releasenotes/\345\205\263\351\224\256\347\211\271\346\200\247.md" "b/docs/zh/docs/Releasenotes/\345\205\263\351\224\256\347\211\271\346\200\247.md" new file mode 100644 index 0000000000000000000000000000000000000000..bc9fc7cac1f62d5756f8772efc3878db53baf74e --- /dev/null +++ "b/docs/zh/docs/Releasenotes/\345\205\263\351\224\256\347\211\271\346\200\247.md" 
@@ -0,0 +1,172 @@ +# 关键特性 + +## 全新的5.10内核 +深度优化调度、IO、内存管理,提供Arm64、x86、RISC-V等更多算力支持。 + +- **调度器优化**,优化了 CFS Task 的公平性,新增 numa aware 异步调用机制,在 NVDIMM 初始化方面有明显的提升;优化 SCHED_IDLE 的调度策略,显著改善高优先级任务的调度延迟,降低对其他任务的干扰。 + +- **numa balancing 机制优化**,带来更好的亲和性、更高的使用率和更少的无效迁移。 + +- **CPU 隔离机制增强**,支持中断隔离,支持 unbound kthreads 隔离,增强 CPU 核的隔离性,可以更好的避免业务间的相互干扰。 + +- **cgroup单线程迁移性能优化**,消除对 thread group 读写信号量的依赖;引入Time Namespaces 使容器迁移更方便。 + +- **系统容器限制容器内使用文件句柄数能力支持**,文件句柄包括普通文件句柄和网络套接字,启动容器时,可以通过指定`--files-limit`参数限制容器内打开的最大句柄数。 + +- **PSI 能力支持**,PSI (Pressure Stall Information)提供了一种评估系统资源如 CPU、Memory、IO 压力的方法。准确的检测方法可以帮助资源使用者确定合适的工作量,同时也可以帮助系统制定高效的资源调度策略,最大化利用系统资源,最大化改善用户体验。 + +- **进程间通信优化**,pipe/epoll_wait 唤醒机制优化,解决唤醒多个等待线程的性能问题。 + +- **内存管理增强**,精细化内存控制、统计,异构内存,热插拔、内存初始化等功能均有改善,并提供更有效的用户控制接口; 热点锁及信号量优化,激进内存规整和碎片整理,优化vmap/vmalloc机制,显著提升内存申请效率提升; KASAN、kmemleak、slub_debug、oom等内存维测特性增强,提升内存问题定位及解决效率。 + +- **Early Departure Time模型切换**,解决了原来发包过程中TCP框架的限制,根据调度策略给数据包设置EDT时间戳,避免大的队列缓存带来的时延,带来tcp性能的较大提高。 + +- **MultiPath TCP 支持**,可在移动与数据场景提升性能和可靠性,支持在负载均衡场景多条子流并行传输。 + +- **日志 fast commit 方法引入**,EXT4 引入了新的、更轻量级的日志方法 `-fast commit`,可以大大加快 `fsync` 等耗时较长的操作,带来更好的性能。 + +- **支持dm writecache 特性**,提升 SSD 大块顺序写性能,提高 DDR 持久性内存的性能。 + +- **支持 io_uring**, io_uring 是一个新的异步IO框架和实现,支持 polling 模式,在polling模式下,性能提升显著,与spdk接近,在队列深度较高时性能更好。 + +- **支持 ILP32**, 在鲲鹏920 Arm64 环境上支持 32 位的应用程序。 + +- **IMA 商用增强**,在开源 IMA 方案基础上,增强安全性、提升性能、提高易用性,助力商用落地。 + +- **支持 per task 栈检查**,增强对 ROP 攻击的防护能力。 + +- **MPAM资源管控**,支持 Arm64架构Cache QoS 以及内存带宽控制技术。 + +- **支持基于 SEDI 的 NMI 机制和基于 PMU 的 NMI 机制**,使能 hard lockup 检测;使能 perf nmi,能更精确的进行性能分析。 + +- **Arm64 平台支持虚拟机 CPU 热插拔**,提高资源配置的灵活性。 + +- **Arm64 kdump 增强**, 支持对 4G 以上地址的内存预留,使 kdump 能预留更多的内存空间,支持更大内存的机器。 + +- **支持 Raspberry PI 系列板卡**,树莓派的支持已经合入原生的 openEuler 21.03 内核,可以直接使用 openEuler 21.03 内核源码调试。 + +- **RISC-V 平台支持 KVM 虚拟化** + +- **支持 1822 智能网卡** + +## 内核热升级(NVWA) +NVWA是一种 OS 漏洞修复及升级解决方案,实现内核快速热替换,业务不感知。 + +- **Cpu Park、Quick Kexec 特性**加速系统启停,减少宕机时间,增加系统可用性。 + +- **Pin Memory、Pmem 
特性**保证业务进程快速准确恢复,提升业务韧性。 + +- **NVWA控制器**提供 gRPC 通信接口,容易使用。 + +## 内存分级扩展 +支持多种内存、存储介质扩展系统内存容量,降低内存使用成本。 + +- **冷热页面识别**,通过内核态的内存页面忙闲统计机制,精确识别进程内存页面访问冷热分布。 + +- **淘汰策略可配置**,提供配置接口,可定制内存页面冷热分级策略。 + +- **平滑扩展**,冷页面自动换出到扩展内存,部署在其上的软件不需要改变和适配编程方式的情况下兼容的运行。 + +- **多介质扩展支持**,支持SCM、XL Flash、NVMe SSD等多种介质作为扩展内存,根据介质自身访问速度指定内存冷热分层方案,达到扩展内存并减少性能损失的目的。 + + +## 虚拟化功能和可维测能力增强 +增加热迁移 Pro 能力扩展,提升可维可测能力。 +- **热迁移Pro特性**,增强热迁移 multifd 支持 TLS,保障迁移过程数据安全;支持热迁移数据并行压缩,提升迁移性能;增加数据页面访问频率统计,支撑热迁移数据提前预测。 + +- **性能调试工具(vmtop)**, 可以实时动态查看虚拟机的资源使用情况,包括CPU使用率,内存使用率等信息。新增扩展支持x86_64架构。 + +- **IO悬挂支持**,IO发生错误时默认自动重试,超时会上报告警。 + +- **RISC-V架构支持虚拟化热迁移** + +## 轻量虚拟运行时(Stratovirt) +增加弹性内存、大页功能、系统调用过滤功能,增强IO子系统提升性能和稳定性。 + +- **弹性内存支持**,根据工作负载的内存需求,实现内存的分配和回收, virtio-balloon内存回收速度达3GB/秒。 + +- **大页支持**,在轻量级框架下提供大页的支持,可为轻量级虚拟机提供连续的物理内存页面,提高虚拟机内存访问效率。 + +- **系统调用过滤**,简化设备模型,增加系统调用过滤支持,最简配置下仅需使用35个系统调用,有效减小系统攻击面。 + +- **IO子系统增强**,支持多通道并发IO能力支持,提升性能;支持IO-QOS能力,提升虚拟机IO流量管理的灵活性和稳定性。 + +## 内核热升级 +内核热升级是一种 OS 漏洞修复及升级解决方案,实现内核快速热替换,业务不感知。 +- **Cpu Park、Quick Kexec 特性**加速系统启停,减少宕机时间,增加系统可用性。 +- **Pin Memory、Pmem 特性**保证业务进程快速准确恢复,提升业务韧性。 +- **内核热升级控制器**提供 gRPC 通信接口,容易使用。 + +## 分级内存管理框架 +支持多种内存、存储介质统一管理,系统容量平滑扩展。 +- **冷热页面识别**,通过内核态的内存页面忙闲统计机制,精确识别进程内存页面访问冷热分布。 +- **淘汰策略可配置**,提供配置接口,可定制内存页面冷热分级策略。 +- **平滑扩展**,冷页面自动换出到扩展内存,部署在其上的软件不需要改变和适配编程方式的情况下兼容的运行。 +- **多介质扩展支持**,支持SCM、XL Flash、NVMe SSD等多种介质作为扩展内存,根据介质自身访问速度指定内存冷热分层方案,达到扩展内存并减少性能损失的目的。 + +## 虚拟化功能和可维测能力增强 +增加热迁移 Pro 能力扩展,提升可维可测能力。 +- **热迁移Pro特性**,增强热迁移 multifd 支持 TLS,保障迁移过程数据安全;支持热迁移数据并行压缩,提升迁移性能;增加数据页面访问频率统计,支撑热迁移数据提前预测。 +- **性能调试工具(vmtop)**, 可以实时动态查看虚拟机的资源使用情况,包括CPU使用率,内存使用率等信息。新增扩展支持x86_64架构。 +- **IO悬挂支持**,IO发生错误时默认自动重试,超时会上报告警。 +- **RISC-V架构支持虚拟化热迁移** + +## 轻量虚拟运行时(Stratovirt) +增加弹性内存、大页功能、系统调用过滤功能,增强IO子系统提升性能和稳定性。 +- **弹性内存支持**,根据工作负载的内存需求,实现内存的分配和回收, virtio-balloon内存回收速度达3GB/秒。 +- **大页支持**,在轻量级框架下提供大页的支持,可为轻量级虚拟机提供连续的物理内存页面,提高虚拟机内存访问效率。 +- **系统调用过滤**,简化设备模型,增加系统调用过滤支持,最简配置下仅需使用35个系统调用,有效减小系统攻击面。 +- 
**IO子系统增强**,支持多通道并发IO能力支持,提升性能;支持IO-QOS能力,提升虚拟机IO流量管理的灵活性和稳定性。 +>>>>>>> 40a1a0c3452b246a0e86c1c0b8967669c93deeb5 + +## OpenStack Victoria集成 + +简单、可大规模扩展、丰富、标准统一的云管理操作系统。更多特性,请参考OpenStack Victoria官方发行说明。 +<<<<<<< HEAD + +- **集成openStack Vicoria版本**,使能基础设施即服务(IaaS)解决方案。 + +- **增强块存储服务能力**,增加容量扩展、快照和虚拟机镜像克隆等高级功能。 + +- **增强容器化部署和网络能力**,与容器能更好的集成。 + +- **增加扩展服务支持**,支持控制面板管理、裸机部署、云资源追踪等扩展服务。 + +## Kubernetes 1.20 集成 + +用于自动部署,扩展和管理容器化应用程序的云原生操作系统它更多特性,请参考Kubernetes 1.20官方发行说明。 + +- **自动上线和回滚**,Kubernetes 会自动将应用或其配置的更改后的实例上线,同时监视应用程序运行状况,失败就会回滚之前所作更改。 + +- **服务发现和负载均衡**,服务发现和基于容器IP和DNS名称的负载均衡机支持。 + +- **存储编排**,支持多种存储后端的自动挂载,如本地存储、NFS、iSCSI、Gluster、Ceph等网络存储系统。 + +- **水平扩展**,支持命令行、UI手动操作扩展,以及基于 CPU 使用情况自动扩展方式。 + +## HA 高可用集群方案 + +麒麟软件贡献的高可用集群方案,故障秒级切换,为用户提供业务连续性保障、数据持续保护、灾难恢复的高可用环境。 + +- **支持多种保护模式**,双机热备、双机互备、多机备份(N+M)等多种保护模式支持,满足业务应用各种保护需求。 + +- **物理机场景和云场景双支持**,既可以在虚拟机池中进行配置高可用,也可以对物理服务器节点进行高可用保护。 + +- **支持网络(包括单心跳和双心跳模式)等心跳方式**,全方位监控共享数据资源,在极端情况下保障数据的一致性。 + +- **资源损耗低**,可在线部署,同时确保被保护应用的资源使用安全。 + +- **支持主流系统服务及应用软件**,如nginx、httpd、mariaDB等,支持二次开发。 + +- **支持HA-WEB人机交互接口**,如用户登录、集群状态展示、资源控制等。 + +- **支持HA-API机机交互接口**,如后端集群控制、资源管理、集群状态监控、资源状态监控等。 + +## 更多桌面环境的支持 + +提供更多的开发桌面选择,更好的开发体验。 +<<<<<<< HEAD + +- **Xfce桌面支持**,Xfce是一款轻量级 Linux 桌面,与主流UI相比对资源占用小。 + +- **DDE桌面支持**,是统信软件旗下的一款linux桌面环境,具有美观,易用,高效等特点。 diff --git "a/content/zh/docs/Releasenotes/\345\217\202\344\270\216\350\264\241\347\214\256.md" "b/docs/zh/docs/Releasenotes/\345\217\202\344\270\216\350\264\241\347\214\256.md" similarity index 62% rename from "content/zh/docs/Releasenotes/\345\217\202\344\270\216\350\264\241\347\214\256.md" rename to "docs/zh/docs/Releasenotes/\345\217\202\344\270\216\350\264\241\347\214\256.md" index e14ad24e2bf3f670106ed94079d8af84e65fb389..ba43d4adf9454a49ef1b39b5b01b98899c82a6ea 100644 --- "a/content/zh/docs/Releasenotes/\345\217\202\344\270\216\350\264\241\347\214\256.md" +++ "b/docs/zh/docs/Releasenotes/\345\217\202\344\270\216\350\264\241\347\214\256.md" 
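Review bot: 关键特性.md is being added with unresolved merge-conflict markers in it: `>>>>>>> 40a1a0c3452b246a0e86c1c0b8967669c93deeb5` just before "## OpenStack Victoria集成", and `<<<<<<< HEAD` after the OpenStack intro paragraph and again under "## 更多桌面环境的支持". Both sides of the conflict were kept, so four sections appear twice: 内核热升级(NVWA) and 内核热升级, 内存分级扩展 and 分级内存管理框架, and 虚拟化功能和可维测能力增强 and 轻量虚拟运行时(Stratovirt) under identical headings. Resolve the conflict, keep one copy of each section, and remove the markers before this merges. While there: "openStack Vicoria" should read "OpenStack Victoria", and the Kubernetes intro has a stray 它 in "云原生操作系统它更多特性".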
@@ -1,16 +1,16 @@ # 参与贡献 -作为openEuler用户,你可以通过多种方式协助openEuler社区。参与社区贡献的方法请参见[社区贡献](https://openeuler.org/zh/developer.html),这里简单列出部分方式供参考。 +作为openEuler用户,你可以通过多种方式协助openEuler社区。参与社区贡献的方法请参见[贡献攻略](https://openeuler.org/zh/community/contribution/),这里简单列出部分方式供参考。 ## 特别兴趣小组 -openEuler将拥有共同兴趣的人们聚在一起,组成了不同的特别兴趣小组(SIG)。当前已有的SIG请参见[SIG列表](https://openeuler.org/zh/sig.html)。 +openEuler将拥有共同兴趣的人们聚在一起,组成了不同的特别兴趣小组(SIG)。当前已有的SIG请参见[SIG列表](https://openeuler.org/zh/sig/sig-list/)。 我们欢迎并鼓励你加入已有的SIG或创建新的SIG,创建方法请参见[SIG管理指南](https://gitee.com/openeuler/community/blob/master/zh/technical-committee/governance/README.md)。 ## 邮件列表和任务 -欢迎你积极地帮助用户解决在[邮件列表](https://openeuler.org/zh/community/mails.html)和issue任务(包括[代码仓任务](https://gitee.com/organizations/openeuler/issues)和[软件包仓任务](https://gitee.com/organizations/src-openeuler/issues)) 中提出的问题。另外,我们也欢迎你提出问题。这些都将帮助openEuler社区更好地发展。 +欢迎你积极地帮助用户解决在[邮件列表](https://openeuler.org/zh/community/mailing-list/)和issue任务(包括[代码仓任务](https://gitee.com/organizations/openeuler/issues)和[软件包仓任务](https://gitee.com/organizations/src-openeuler/issues)) 中提出的问题。另外,我们也欢迎你提出问题。这些都将帮助openEuler社区更好地发展。 ## 文档 @@ -18,5 +18,5 @@ openEuler将拥有共同兴趣的人们聚在一起,组成了不同的特别 ## IRC -openEuler也在IRC开辟了频道,作为提供社区支持和交互的额外渠道。详情请参见[openEuler IRC](https://openeuler.org/zh/community/irc.html)。 +openEuler也在IRC开辟了频道,作为提供社区支持和交互的额外渠道。详情请参见[openEuler IRC](https://gitee.com/openeuler/community/blob/master/zh/communication/IRCs.md)。 diff --git "a/docs/zh/docs/Releasenotes/\345\267\262\344\277\256\345\244\215\351\227\256\351\242\230.md" "b/docs/zh/docs/Releasenotes/\345\267\262\344\277\256\345\244\215\351\227\256\351\242\230.md" new file mode 100644 index 0000000000000000000000000000000000000000..8061fdf106d89a8e312f9049642b04e5360c6142 --- /dev/null +++ "b/docs/zh/docs/Releasenotes/\345\267\262\344\277\256\345\244\215\351\227\256\351\242\230.md" 
@@ -0,0 +1,234 @@ +# 已修复问题 + +完整问题清单请参见[完整问题清单](https://gitee.com/organizations/src-openeuler/issues)。 + +完整的内核提交记录请参见[提交记录](https://gitee.com/openeuler/kernel/commits/openEuler-21.03。 + +已修复问题请参见[表1](#table249714911433)。 + +**表 1** 修复问题列表 + +| ISSUE |问题描述 | +|:--- |:---- | +| [I385CW](https://gitee.com/open_euler/dashboard?issue_id=I385CW) | 【21.03】安装mod_fcgid报错,存在warning和fail | +| [I38NM0](https://gitee.com/open_euler/dashboard?issue_id=I38NM0) | 同一个enclave重复销毁2次,出现段错误| +| [I38NO8](https://gitee.com/open_euler/dashboard?issue_id=I38NO8) | 同一个enclave重复创建2次,无具体报错信息| +| [I38PJ8](https://gitee.com/open_euler/dashboard?issue_id=I38PJ8) | infinite loop in htmlParseChunk found by fuzz | +| [I38QDA](https://gitee.com/open_euler/dashboard?issue_id=I38QDA) | stack overflow found by honggfuzz| +| [I38SNU](https://gitee.com/open_euler/dashboard?issue_id=I38SNU) | 【21.03】selinux规则导致系统服务启动失败 | +| [I38SON](https://gitee.com/open_euler/dashboard?issue_id=I38SON) |当依赖sdk的edl目录权限异常,codegen工具无法正常提示| +| [I38T6R](https://gitee.com/open_euler/dashboard?issue_id=I38T6R) | 未指定edl文件或将edl文件增加在--search-path 后面,提示信息不明确 | +| [I38WFT](https://gitee.com/open_euler/dashboard?issue_id=I38WFT) | 在openEuler 21.03每日构建版本中启动pacemaker服务失败,升级libqb软件包版本后解决。 | +| [I38XEC](https://gitee.com/open_euler/dashboard?issue_id=I38XEC) | [21.03]安装最小化完成后,rsyslog.service服务启动失败| +| [I38XHF](https://gitee.com/open_euler/dashboard?issue_id=I38XHF) |【21.03】虚拟机启动或重启irqbalance,偶现超时失败| +| [I38XPQ](https://gitee.com/open_euler/dashboard?issue_id=I38XPQ) | 【21.03】物理机/虚拟机启动或重启lm_sensors,必现失败| +| [I38XQ2](https://gitee.com/open_euler/dashboard?issue_id=I38XQ2) | 【21.03】【arm/x86】dnf --downloadonly参数并未下载软件包| +| [I38XRJ](https://gitee.com/open_euler/dashboard?issue_id=I38XRJ) | 【21.03】虚拟机启动或重启tcsd.service,必现失败| +| [I38XSC](https://gitee.com/open_euler/dashboard?issue_id=I38XSC) | 【21.03】虚拟机启动或重启rdisc,必现失败| +| [I38ZCF](https://gitee.com/open_euler/dashboard?issue_id=I38ZCF ) |[21.03]arm/x86 
/etc/openEuler-latest下显示的kernelversion与实际kernel版本不一致| +| [I38ZTE](https://gitee.com/open_euler/dashboard?issue_id=I38ZTE) | 【21.03】安装hibernate-jpa-2.0-api-javadoc和hibernate-jpa-2.0-api-help存在文件冲突| +| [I391F2](https://gitee.com/open_euler/dashboard?issue_id=I391F2) | 【21.03】安装freeradius-posgresql和freeradius-mysql存在文件冲突| +| [I391PG](https://gitee.com/open_euler/dashboard?issue_id=I391PG) | [21.03]x86/arm版本netinst镜像以及x86标准镜像启动引导界面出现20.03字样| +| [I3927G](https://gitee.com/open_euler/dashboard?issue_id=I3927G) | 【21.03】【x86】安装nvml、nvml-help与pmdk的子包存在文件冲突| +| [I392CF](https://gitee.com/open_euler/dashboard?issue_id=I392CF) | 【21.03】安装firebird存在warning信息| +| [I392HC](https://gitee.com/open_euler/dashboard?issue_id=I392HC) | 【openEuler 21.03】【stratovirt】指定-daemonize参数启动虚拟机,同样的配置启动两次,第二次启动失败命令返回值仍为0| +| [I392JK](https://gitee.com/open_euler/dashboard?issue_id=I392JK) | 【21.03】【arm/x86】python3-wheel两个问题| +| [I392KT](https://gitee.com/open_euler/dashboard?issue_id=I392KT) | 【openEuler 21.03】【stratovirt】命令行启动虚拟机,-drive指定设备配置的iothread如果不存在,提示错误,但是返回值仍为0| +| [I393DJ](https://gitee.com/open_euler/dashboard?issue_id=I393DJ ) | 【21.03】arm 物理机安装最小化,软件选择勾选所有插件,安装成功进入系统后输入reboot,日志出现call trace| +| [I393JS](https://gitee.com/open_euler/dashboard?issue_id=I393JS ) | 【21.03】【x86】安装linux-sgx-driver有错误信息| +| [I393MX](https://gitee.com/open_euler/dashboard?issue_id=I393MX) | 【21.03】安装iavf存在错误信息| +| [I393NF](https://gitee.com/open_euler/dashboard?issue_id=I393NF) | 【21.03】安装sgx-dcap-pccs有失败信息| +| [I393PF](https://gitee.com/open_euler/dashboard?issue_id=I393PF) | 【21.03】用dnf info查看sgx-dcap-pccs的源码包为sgx-dcap-pccs,而不是linux-sgx| +| [I393U6](https://gitee.com/open_euler/dashboard?issue_id=I393U6 ) | 【21.03】卸载fprintd有异常信息| +| [I395AI](https://gitee.com/open_euler/dashboard?issue_id=I395AI) | 【openEuler 21.03】【stratovirt】config_guidebook.md中virtio-net设备热插提供的命令有误| +| [I396YM](https://gitee.com/open_euler/dashboard?issue_id=I396YM) | 【21.03】虚拟机关闭authz,查询服务状态为failed| +| 
[I3980L](https://gitee.com/open_euler/dashboard?issue_id=I3980L) | 35357端口已废弃,默认端口需要修改为5000| +| [I398PU](https://gitee.com/open_euler/dashboard?issue_id=I398PU) | 【21.03】x86/arm irqbalance 服务报错Can't open PID file /run/irqbalance.pid| +| [I399FI](https://gitee.com/open_euler/dashboard?issue_id=I399FI) | 缺少配置文件| +| [I399L1](https://gitee.com/open_euler/dashboard?issue_id=I399L1) | horizon的HTTPD配置文件不可用| +| [I399MW](https://gitee.com/open_euler/dashboard?issue_id=I399MW) | spec 和 package 重复| +| [I39A55](https://gitee.com/open_euler/dashboard?issue_id=I39A55) | 创建enclave,进行随机数生成或加解密或大量打印中销毁,出现段错误| +| [I39AEY](https://gitee.com/open_euler/dashboard?issue_id=I39AEY) | [21.03]arm/x86 执行powertop2tuned new_profile_name --force时报错| +| [I39AFM](https://gitee.com/open_euler/dashboard?issue_id=I39AFM) | 【21.03】arm物理机系统日志报错 could not open '/sys/module/ib_cm/holders'| +| [I39AH8](https://gitee.com/open_euler/dashboard?issue_id=I39AH8) | 【21.03】arm/x86环境systemd-xdg-autostart-generator 报错startup phases are not supported| +| [I39AJJ](https://gitee.com/open_euler/dashboard?issue_id=I39AJJ) | 【21.03】arm物理机出现内核报错hisi_sec2 0000:75:00.0: fail to alloc uacce| +| [I39ALG](https://gitee.com/open_euler/dashboard?issue_id=I39ALG) | 【21.03】arm(TaiShan 2280 V2)物理机出现内核报错 cma: cma_alloc: alloc failed| +| [I39AM8](https://gitee.com/open_euler/dashboard?issue_id=I39AM8) | 【21.03】arm(TaiShan 2280 V2)物理机出现内核报错swapper/0: page allocation failure| +| [I39ANR](https://gitee.com/open_euler/dashboard?issue_id=I39ANR) | 【21.03】base源安装openslp,因缺少二进制文件,导致slpd服务启动失败| +| [I39ET0](https://gitee.com/open_euler/dashboard?issue_id=I39ET0) | 【21.03】【arm/x86】oemaker构建标准iso时报错 | +| [I39EVJ](https://gitee.com/open_euler/dashboard?issue_id=I39EVJ ) |NULL pointer dereference in cil_fill_ipaddr| +| [I39GGV](https://gitee.com/open_euler/dashboard?issue_id=I39GGV) | 【21.03】虚拟机启动或重启php-fpm.service,必现告警| +| [I39H0X](https://gitee.com/open_euler/dashboard?issue_id=I39H0X) | 【21.03】源里面缺少maven-script导致一些包自编译失败| +| 
[I39HQB](https://gitee.com/open_euler/dashboard?issue_id=I39HQB) | 【21.03】kernel本地编译失败| +| [I39IB4](https://gitee.com/open_euler/dashboard?issue_id=I39IB4) | 【21.03】X86物理机,安装时,网卡与主机名设置界面的网卡名展示为rename| +| [I39IFV](https://gitee.com/open_euler/dashboard?issue_id=I39IFV) |【21.03】nginx的服务文件中出现redhat字样| +| [I39KLF](https://gitee.com/open_euler/dashboard?issue_id=I39KLF) | placement httpd配置不可用| +| [I39LM9](https://gitee.com/open_euler/dashboard?issue_id=I39LM9) | 【openEuler 21.03-RC1】【vmtop】终端页面被刷新问题| +| [I39LMD](https://gitee.com/open_euler/dashboard?issue_id=I39LMD) | 【openEuler 21.03-RC1】【vmtop】缺少参数解析和报错信息| +| [I39MI9](https://gitee.com/open_euler/dashboard?issue_id=I39MI9) | 【21.03】缺少maven-plugins-pom导致部分src包本地编译失败 | +| [I39N4Y](https://gitee.com/open_euler/dashboard?issue_id=I39N4Y) | 【21.03】缺少totem-pl-parser-devel、pkgconfig(totem-plparser)导致部分源码包本地编译失败| +| [I39NDA](https://gitee.com/open_euler/dashboard?issue_id=I39NDA) | 【21.03】缺少gimp-devel导致xsane本地编译失败| +| [I39NWJ](https://gitee.com/open_euler/dashboard?issue_id=I39NWJ) | 【21.03】本地编译gnulib失败| +| [I39OT1](https://gitee.com/open_euler/dashboard?issue_id=I39OT1 ) |PR需要同步到21.03分支 Fix iscsiadm segfault when exiting | +| [I39OZA](https://gitee.com/open_euler/dashboard?issue_id=I39OZA) | 【openEuler 21.03】【虚拟化】"热迁移支持zstd压缩算法"未编入21.03版本| +| [I39PTI](https://gitee.com/open_euler/dashboard?issue_id=I39PTI) | 安装secGear相关rpm包, 没带签名工具和codegen工具,无法正常编译 | +| [I39Q0V](https://gitee.com/open_euler/dashboard?issue_id=I39Q0V) | 【21.03】添加普通用户,启动用户对应的user@id.serice,出现Failed to migrate controller cgroups | +| [I39RTQ](https://gitee.com/open_euler/dashboard?issue_id=I39RTQ) | 对数据库初始化的回显进行优化| +| [I39S7T](https://gitee.com/open_euler/dashboard?issue_id=I39S7T) | installdep、builddep、bedepend 多次查询同一个包不存在的包时,未记录日志| +| [I39SCE](https://gitee.com/open_euler/dashboard?issue_id=I39SCE) | 【21.03】strongswan开启后查看日志“opening triplet file failed”| +| [I39SYV](https://gitee.com/open_euler/dashboard?issue_id=I39SYV) | 
【21.03】缺少springframework-context-support导致gemini-blueprint本地编译失败 | +| [I39T5C](https://gitee.com/open_euler/dashboard?issue_id=I39T5C) | 【21.03】物理机启动过程报错rdma-init-kernel: Failed to add sysattr match| +| [I39T7I](https://gitee.com/open_euler/dashboard?issue_id=I39T7I ) | selfdepend 查询多包时,某个包不存在,未记录日志| +| [I39T9E](https://gitee.com/open_euler/dashboard?issue_id=I39T9E) | 安装secGear相关的rpm包, 没带edl文件,无法正常编译| +| [I39T9T](https://gitee.com/open_euler/dashboard?issue_id=I39T9T) | 【21.03】【arm/x86】systemctl启动rsyslog服务命令和rsyslogd同时执行,系统报错| +| [I39THU](https://gitee.com/open_euler/dashboard?issue_id=I39THU) | 【21.03】x86物理机启动过程报错rdma-ndd: set Node Description failed on i40iw0 | +| [I39TLM](https://gitee.com/open_euler/dashboard?issue_id=I39TLM) | 【21.03】【arm/x86】sos包下的命令都无法执行,报配置文件/etc/sos/sos.conf路径不存在 | +| [I39TTG](https://gitee.com/open_euler/dashboard?issue_id=I39TTG) |【21.03】【arm/x86】cppcheck包下的cppcheck-htmlreport 命令执行报错 | +| [I39TTT](https://gitee.com/open_euler/dashboard?issue_id=I39TTT) | 安装完secGear相关rpm包后,编译时提示sgx_sign:command not found,需再source下sgx,建议打包直接链接| +| [I39TZM](https://gitee.com/open_euler/dashboard?issue_id=I39TZM) | 【21.03】本地编译openEuler-latest-release失败| +| [I39U52](https://gitee.com/open_euler/dashboard?issue_id=I39U52) | 【21.03】使用parted分区,partuuid重复| +| [I39U8C](https://gitee.com/open_euler/dashboard?issue_id=I39U8C) | 【21.03】arm/x86物理机出现内核报错integrity: Unable to open file: /etc/keys/x509_ima.der (-2)| +| [I39W2T](https://gitee.com/open_euler/dashboard?issue_id=I39W2T ) | [21.03] xfs文件系统下无法修改文件的时间戳超过2038年| +| [I39W4K](https://gitee.com/open_euler/dashboard?issue_id=I39W4K ) | 安装secGear相关的rpm包,划分了secGear/host_inc目录,代码生成工具也需要适配,不然会报错找不到文件| +| [I39WJX](https://gitee.com/open_euler/dashboard?issue_id=I39WJX) | 普通用户初始化时没有捕获异常| +| [I39Y6E](https://gitee.com/open_euler/dashboard?issue_id=I39Y6E) | 安装完secGear相关rpm包后,cmake报错| +| [I3A028](https://gitee.com/open_euler/dashboard?issue_id=I3A028) | 【21.03】虚拟机关闭atuned,查询服务状态为failed| +| 
[I3A0UX](https://gitee.com/open_euler/dashboard?issue_id=I3A0UX) | 【21.03】augeas本地编译失败| +| [I3A0WO](https://gitee.com/open_euler/dashboard?issue_id=I3A0WO) | 【21.03】ceph本地编译失败| +| [I3A103](https://gitee.com/open_euler/dashboard?issue_id=I3A103) | 【21.03】本地编译coreutils失败| +| [I3A11P](https://gitee.com/open_euler/dashboard?issue_id=I3A11P) | 本地编译createrepo_c失败| +| [I3A16L](https://gitee.com/open_euler/dashboard?issue_id=I3A16L) | 【21.03】本地编译devhelp| +| [I3A1AI](https://gitee.com/open_euler/dashboard?issue_id=I3A1AI) | 签名加密后的文件建议还是按照600,其他类似| +| [I3A1TC](https://gitee.com/open_euler/dashboard?issue_id=I3A1TC) | [21.03]x86 执行长稳用例后卡死产生crash文件| +| [I3A2BR](https://gitee.com/open_euler/dashboard?issue_id=I3A2BR) | 【21.03】nginx start 查看日志出现”Failed to parse PID from file /run/nginx.pid“| +| [I3A3KM](https://gitee.com/open_euler/dashboard?issue_id=I3A3KM) | 【openEuler 21.03】【虚拟化】5.10.0-4.0.0内核未合入cpu_custom相关补丁| +| [I3A3X0](https://gitee.com/open_euler/dashboard?issue_id=I3A3X0) | 【21.03】系统安装完成后,重启anaconda,日志中出现Error setting audit daemon pid (Permission denied)| +| [I3A50O](https://gitee.com/open_euler/dashboard?issue_id=I3A50O) | 【21.03】虚拟机重启atune-engine,服务启动失败| +| [I3A554](https://gitee.com/open_euler/dashboard?issue_id=I3A554) | 【openEuler 21.03】【虚拟化】openEuler 21.03 版本在ARM服务器启动后会占用大量内存| +| [I3A5VT](https://gitee.com/open_euler/dashboard?issue_id=I3A5VT) | 【openEuler 21.03】【虚拟化】TLS热迁移时产生少量的内存泄露| +| [I3A5YC](https://gitee.com/open_euler/dashboard?issue_id=I3A5YC) | 【21.03】speech-dispatcher服务启动失败| +| [I3A600](https://gitee.com/open_euler/dashboard?issue_id=I3A600) | 执行命令/usr/sbin/sfcbd,失败| +| [I3A66H](https://gitee.com/open_euler/dashboard?issue_id=I3A66H) |[21.03]arm执行长稳用例一段时间后,系统报出异常信息| +| [I3A6CP](https://gitee.com/open_euler/dashboard?issue_id=I3A6CP) | 宏openEuler的值被修改成21.03,导致两个基础包本地编译失败| +| [I3A6FU](https://gitee.com/open_euler/dashboard?issue_id=I3A6FU) | [21.03]x86/arm执行ltp时,有如下用例semctl09/proc01/tpci报错出现异常| +| 
[I3A84O](https://gitee.com/open_euler/dashboard?issue_id=I3A84O) |创建enclave,设置flags为0时,结果报错 | +| [I3A89D](https://gitee.com/open_euler/dashboard?issue_id=I3A89D) | 【21.03】nghttpx.service服务启动失败| +| [I3A8GH](https://gitee.com/open_euler/dashboard?issue_id=I3A8GH ) | enclave销毁后再重新创建,出现段错误| +| [I3A8IJ](https://gitee.com/open_euler/dashboard?issue_id=I3A8IJ) | 【21.03】spice-webdavd.service服务重启失败| +| [I3A8OS](https://gitee.com/open_euler/dashboard?issue_id=I3A8OS) | 【21.03】vma服reload后,状态变成inactive| +| [I3A8X9](https://gitee.com/open_euler/dashboard?issue_id=I3A8X9) | [21.03] named-sdb-chroot,named-chroot以及named服务启动后报错误日志| +| [I3A8YF](https://gitee.com/open_euler/dashboard?issue_id=I3A8YF) | [21.03] slapd.service启动后查看状态,报错误日志:auxpropfunc error no mechanism available| +| [I3A8Z8](https://gitee.com/open_euler/dashboard?issue_id=I3A8Z8) | [21.03] sm-client.service启动后查看状态sm-client.service: Failed to...| +| [I3A8ZA](https://gitee.com/open_euler/dashboard?issue_id=I3A8ZA) | [21.03] sendmail.service启动后查看状态,报错误日志:auxpropfunc error no mechanism available| +| [I3A936](https://gitee.com/open_euler/dashboard?issue_id=I3A936) | 【21.03】bacular-dir、bacular-fd、bacula-sd 服务启动成功后,stop后服务状态变成failed| +| [I3ABFW](https://gitee.com/open_euler/dashboard?issue_id=I3ABFW) | 包升级导致接口变更| +| [I3AS0I](https://gitee.com/open_euler/dashboard?issue_id=I3AS0I) | [RC1]aarch64架构xfce图形界面执行glade触发coredump,x86_64架构下正常| +| [I3AT8N](https://gitee.com/open_euler/dashboard?issue_id=I3AT8N) | [21.03]arm/x86 selinux开启导致systemd-resolved.service启动不成功,以及导致nfs/smb服务启动后重启机器后服务启动不了| +| [I3AXP2](https://gitee.com/open_euler/dashboard?issue_id=I3AXP2) | 反复创建enclave、生成随机数、销毁enclave 这个流程,执行报错| +| [I3B0IH](https://gitee.com/open_euler/dashboard?issue_id=I3B0IH) | [21.03]x86物理机cpu0进行下线操作之后,无法进行上线操作| +| [I2433Y](https://gitee.com/open_euler/dashboard?issue_id=I2433Y) | [pkgship] /usr/share/doc/pkgship/README.md文件没有更新| +| [I38NK4](https://gitee.com/open_euler/dashboard?issue_id=I38NK4) | enclave销毁后使用出现段错误| +| 
[I3A2CO](https://gitee.com/open_euler/dashboard?issue_id=I3A2CO) | 安装后基础命令sealert不可用| +| [I3A8AW](https://gitee.com/open_euler/dashboard?issue_id=I3A8AW) | 【21.03】x86虚拟机,安装过程中点击按钮响应异常| +| [I3AAEM](https://gitee.com/open_euler/dashboard?issue_id=I3AAEM) | [pkgship] 使用自动安装部署脚本安装启动elasticsearch报错| +| [I3AEG7](https://gitee.com/open_euler/dashboard?issue_id=I3AEG7) | matplotlib在21.03版本运行失败| +| [I3AHWR](https://gitee.com/open_euler/dashboard?issue_id=I3AHWR) | [pkgship] 初始化数据库时经常会失败| +| [I3AITX](https://gitee.com/open_euler/dashboard?issue_id=I3AITX) | 【21.03】用dnf info apache-zookeeper查看到的source信息与源码包名不一致| +| [I3AIVF](https://gitee.com/open_euler/dashboard?issue_id=I3AIVF) | 【21.03】卸载mailman有fail信息| +| [I3AIZP](https://gitee.com/open_euler/dashboard?issue_id=I3AIZP) | 【openEuler 21.03】kernel rpm包安装失败 报错需要headers| +| [I3AJ2L](https://gitee.com/open_euler/dashboard?issue_id=I3AJ2L) | [pkgship] 当配置文件中的init_conf_path设为非yaml文件时,命令行执行报错| +| [I3AJ33](https://gitee.com/open_euler/dashboard?issue_id=I3AJ33) | 【21.03】系统启动后,网卡状态未开启,无ip| +| [I3AJ36](https://gitee.com/open_euler/dashboard?issue_id=I3AJ36) | [pkgship] 初始化命令指定不存在的文件路径时,命令抛出代码异常| +| [I3AJ5Q](https://gitee.com/open_euler/dashboard?issue_id=I3AJ5Q) | 【21.03】由于不能正确识别安装在raid盘的系统,导致lvm2.pvscan服务报错| +| [I3AJZ3](https://gitee.com/open_euler/dashboard?issue_id=I3AJZ3) | 【21.03】spice-webdavd缺少依赖包avahi,启动服务失败| +| [I3AK1K](https://gitee.com/open_euler/dashboard?issue_id=I3AK1K ) | [pkgship] 当配置数据库优先级相同时,初始化后的数据库没有按照字母排序| +| [I3AKM2](https://gitee.com/open_euler/dashboard?issue_id=I3AKM2) | [21.03] x86/arm 创建/dev/cgroup目录,执行mount -t cgroup -o memory ltp_cgroup /dev/cgroup/失败| +| [I3AKUR](https://gitee.com/open_euler/dashboard?issue_id=I3AKUR) | 【openEuler 21.03】【iscsi】新版本配置启动network_disk磁盘报错Unknown driver 'iscsi'| +| [I3ALZ6](https://gitee.com/open_euler/dashboard?issue_id=I3ALZ6) | 【openEuler 21.03】【io悬挂】配置io悬挂,retry_interval、retry_timeout配置为-1时,qemu命令行启动虚拟机仍成功,未防呆| +| 
[I3AM39](https://gitee.com/open_euler/dashboard?issue_id=I3AM39) | 【openEuler 21.03】虚拟机start后,立即通过virsh dump命令 dump core失败| +| [I3AM4T](https://gitee.com/open_euler/dashboard?issue_id=I3AM4T) | 【openEuler 21.03】qemu进程的cgroup信息中缺少了memory的信息| +| [I3AMMG](https://gitee.com/open_euler/dashboard?issue_id=I3AMMG) | 【openEuler 21.03】使用virsh schedinfo设置emulator_quota为18446744073709551失败| +| [[I3AMTA](https://gitee.com/open_euler/dashboard?issue_id=I3AMTA) | [pkgship] 初始化openEuler20.09数据库时,ES会出现超时现象| +| [I3AMVH](https://gitee.com/open_euler/dashboard?issue_id=I3AMVH) | 【21.03】arm/x86 开启selinux,导致部分服务启动失败| +| [I3AMW5](https://gitee.com/open_euler/dashboard?issue_id=I3AMW5) | [pkgship] 自动安装部署redis/elasticsearch过程中取消交互| +| [I3AN14](https://gitee.com/open_euler/dashboard?issue_id=I3AN14) | [pkgship] 在未启动服务进行查询时,应提示用户启动pkgship服务而不是uwsgi服务| +| [I3ANFP](https://gitee.com/open_euler/dashboard?issue_id=I3ANFP) | [pkgship] 配置不存在的本地repo源执行初始化时,初始化提示成功| +| [I3AP8U](https://gitee.com/open_euler/dashboard?issue_id=I3AP8U) | [pkgship] 查询pkgship bedepend不允许同时传参-install/-build| +| [I3AR58](https://gitee.com/open_euler/dashboard?issue_id=I3AR58) | [21.03] x86/arm 安装完lxcfs后启动lxcfs服务失败,缺少加载fuse模块| +| [I3AR6K](https://gitee.com/open_euler/dashboard?issue_id=I3AR6K) | 【21.03】【arm/x86】radeapclient的-q参数问题| +| [I3ARDX](https://gitee.com/open_euler/dashboard?issue_id=I3ARDX) | [pkgship] 配置客户端请求查询服务端时,提示启动本地pkgship服务| +| [I3ARHT](https://gitee.com/open_euler/dashboard?issue_id=I3ARHT) | [pkgship] 配置远端redis无法访问时,显示启动服务成功,实际上没有启动| +| [I3ARNO](https://gitee.com/open_euler/dashboard?issue_id=I3ARNO) | [21.03]物理机格式化mkfs.ext3 1.1T的磁盘,会卡住| +| [I3AROU](https://gitee.com/open_euler/dashboard?issue_id=I3AROU) | [pkgship] 本地查询访问没有限流措施| +| [I3ART8](https://gitee.com/open_euler/dashboard?issue_id=I3ART8) | [pkgship] 修改日志路径后启动服务,日志转储文件中的路径没有对应改变| +| [I3ARZH](https://gitee.com/open_euler/dashboard?issue_id=I3ARZH) | [pkgship] 配置文件中被删除的log_name在手动添加赋值后可以生效| +| 
[I3ASPJ](https://gitee.com/open_euler/dashboard?issue_id=I3ASPJ) | 【openEuler 21.03】【虚拟化】zstd压缩迁移可设置的压缩级别范围与文档不符| +| [I3AUO2](https://gitee.com/open_euler/dashboard?issue_id=I3AUO2) | 基线版本未添加cpuparkmem, 执行kexec -l 添加cpuparkmem进行预留内存失败| +| [I3AVDX](https://gitee.com/open_euler/dashboard?issue_id=I3AVDX) | [pkgship] 配置query_ip_addr为不存在的ip地址时,启动服务失败| +| [I3AVO6](https://gitee.com/open_euler/dashboard?issue_id=I3AVO6) | 【21.03】arm虚拟机出现内核报错:ERROR: Endpoint drop flag = 0, add flag = 1...| +| [I3AW41](https://gitee.com/open_euler/dashboard?issue_id=I3AW41) | [pkgship] remote_host配置非法地址时,命令回显抛出代码异常| +| [I3AWPM](https://gitee.com/open_euler/dashboard?issue_id=I3AWPM) | [21.03] arm 内核不支持files cgroup| +| [I3AX0D](https://gitee.com/open_euler/dashboard?issue_id=I3AX0D) | 反复执行内核替换(-q -l交替),会概率性出现-q加载内核失败的情况| +| [I3AZUU](https://gitee.com/open_euler/dashboard?issue_id=I3AZUU) | 当用户登录系统时,口令连续输错3次,不会锁定账户| +| [I3AZYM](https://gitee.com/open_euler/dashboard?issue_id=I3AZYM) | [21.03 RC2] podman stats命令执行报错| +| [I3B0ZW](https://gitee.com/open_euler/dashboard?issue_id=I3B0ZW ) | sudo文件语法错误,无法使用| +| [I3B17Q](https://gitee.com/open_euler/dashboard?issue_id=I3B17Q) | 【21.03】arm物理机 从usb启动,报错blk_update_request: I/O error| +| [I3B2B2](https://gitee.com/open_euler/dashboard?issue_id=I3B2B2) | [21.03] 未做热插拔操作,偶现盘符漂移现象| +| [I3B3BD](https://gitee.com/open_euler/dashboard?issue_id=I3B3BD) | 【21.03】TaiShan 200 (Model 2280) arm物理机出现内核报错 hisi_sec2 : Failed to enable PASID| +| [I3B3G0](https://gitee.com/open_euler/dashboard?issue_id=I3B3G0) | [pkgship] 修改配置文件中的database_engine_type值后,命令行抛出异常没有处理| +| [I3B3IP](https://gitee.com/open_euler/dashboard?issue_id=I3B3IP) | [pkgship] 配置文件中的[REDIS]的参数项的赋值缺少校验| +| [I3B3J7](https://gitee.com/open_euler/dashboard?issue_id=I3B3J7) | 加解密大内存,建议给出规格| +| [I3B48M](https://gitee.com/open_euler/dashboard?issue_id=I3B48M) | 【21.03】arm/x86安装base镜像所有包后,开启selinux,重启后,出现异常| +| [I3B4PB](https://gitee.com/open_euler/dashboard?issue_id=I3B4PB) | 【21.03】物理机偶现出现内核报错 usbhid: probe 
of 1-1.1:1.1 failed with error -110| +| [I3B4VE](https://gitee.com/open_euler/dashboard?issue_id=I3B4VE ) | 【ARM】【21.03】nvwa操作时 kexec相关日志未记录| +| [I3B4XH](https://gitee.com/open_euler/dashboard?issue_id=I3B4XH) | 【ARM】【21.03】nvwa操作时如需要更换端口,修改service文件配置的方式不合理| +| [I3B4XU](https://gitee.com/open_euler/dashboard?issue_id=I3B4XU) | 【ARM】【21.03】nvwa update进行恢复时,如出现PID占用会导致恢复失败| +| [I3B4ZE](https://gitee.com/open_euler/dashboard?issue_id=I3B4ZE) | 【ARM】【21.03】nvwa 服务需要支持restart时更新配置| +| [I3B514](https://gitee.com/open_euler/dashboard?issue_id=I3B514) | 【21.03】x86物理机出现内核报错xhci_hcd: ERROR: unexpected command completion code 0x11| +| [I3B5Z4](https://gitee.com/open_euler/dashboard?issue_id=I3B5Z4) | [21.03] quick-start文档出现20.03字段| +| [I3B60G](https://gitee.com/open_euler/dashboard?issue_id=I3B60G) | [21.03]缺少对应图片| +| [I3B85Z](https://gitee.com/open_euler/dashboard?issue_id=I3B85Z) | 【21.03】x86物理机出现内核报错:ERROR: unexpected command completion code 0x11| +| [I3B8JG](https://gitee.com/open_euler/dashboard?issue_id=I3B8JG) | [21.03] quick-start的英文文档中版本不正确| +| [I3B8NK](https://gitee.com/open_euler/dashboard?issue_id=I3B8NK) | [21.03]中文安装指导文档中缺少对应图片| +| [I3BC45](https://gitee.com/open_euler/dashboard?issue_id=I3BC45) | [21.03]物理机格式化mkfs.ext3 1.1T的磁盘,会卡住| +| [I3BD57](https://gitee.com/open_euler/dashboard?issue_id=I3BD57) | 21.03安全编译选项扫描问题| +| [I3BFEO](https://gitee.com/open_euler/dashboard?issue_id=I3BFEO) | inspector启动service文件缺少--config-file选项;缺少默认配置文件| +| [I3BGE4](https://gitee.com/open_euler/dashboard?issue_id=I3BGE4) | 【21.03】【arm/x86】radsqlrelay -P参数无效| +| [I3BMBV](https://gitee.com/open_euler/dashboard?issue_id=I3BMBV) | 【ARM】【21.03】建议处理nvwa二进制无使用选项| +| [I3BMHR](https://gitee.com/open_euler/dashboard?issue_id=I3BMHR) | 【21.03】samba-tool命令执行出错| +| [I3BMJF](https://gitee.com/open_euler/dashboard?issue_id=I3BMJF) | 【ARM】【21.03】建议手册对于server.yaml中用户无需关注的配置项加强说明避免误改| +| [I3BQDY](https://gitee.com/open_euler/dashboard?issue_id=I3BQDY) | 安装linux-sgx-driver,之后remove,发现isgx进程还在| +| 
[I3BQH3](https://gitee.com/open_euler/dashboard?issue_id=I3BQH3) | 【ARM】【21.03】使用syatemctl enable nvwa时有异常打印:File * already exists| +| [I3BW4X](https://gitee.com/open_euler/dashboard?issue_id=I3BW4X) |【openEuler 21.03】设置cgroup下cpu.cfs_quota_us为18446744073709551报错| +| [I3C6MP](https://gitee.com/open_euler/dashboard?issue_id=I3C6MP) | codegen 报错信息permission denied拼错了| +| [I3BHF2](https://gitee.com/open_euler/dashboard?issue_id=I3BHF2) | 【ARM】【21.03】nvwa服务仅支持后台守护进程的热迁移且需要关闭selinux| +| [I3BJIJ](https://gitee.com/open_euler/dashboard?issue_id=I3BJIJ) |[pkgship] 初始化校验文件失败时,初始化进度条会一直运行| +| [I3BMKM](https://gitee.com/open_euler/dashboard?issue_id=I3BMKM) | 【21.03】安装i40e有错误信息| +| [I3BOC4](https://gitee.com/open_euler/dashboard?issue_id=I3BOC4) | openEuler 21.03运行SPEC2017子项502.gcc卡死 | +| [I3BPQ8](https://gitee.com/open_euler/dashboard?issue_id=I3BPQ8) | [21.03]Administration/管理用户和用户组.md用户密码修改部分,需要修改| +| [I3BQ2Z](https://gitee.com/open_euler/dashboard?issue_id=I3BQ2Z) | [pkgship] 服务关闭的情况下,可以执行初始化| +| [I3BQDX](https://gitee.com/open_euler/dashboard?issue_id=I3BQDX) | [21.03]Administration/使用DNF管理软件包.md创建本地软件源仓库部分,需要修改| +| [I3BQE3](https://gitee.com/open_euler/dashboard?issue_id=I3BQE3) | 【21.03】group安装时提示找不到某些包| +| [I3BQVH](https://gitee.com/open_euler/dashboard?issue_id=I3BQVH) | [21.03]Administration/使用LVM管理硬盘.md扩展卷组部分,需要修改| +| [I3BQW6](https://gitee.com/open_euler/dashboard?issue_id=I3BQW6) | 21.03】在自定义分区处删除/分区,页面显示删除成功,实际/未删除| +| [I3BRDW](https://gitee.com/open_euler/dashboard?issue_id=I3BRDW) | 【openEuler 21.03】virsh update-devcie更新设备时,提示错误,设备更新失败| +| [I3BT7H](https://gitee.com/open_euler/dashboard?issue_id=I3BT7H) | 【ARM】【21.03】dump服务失败的情况下,/etc/nvwa/running下无dump失败日志| +| [I3BT8M](https://gitee.com/open_euler/dashboard?issue_id=I3BT8M) | [pkgship] pkginfo的接口实现和设计文档不符| +| [I3BTUX](https://gitee.com/open_euler/dashboard?issue_id=I3BTUX) | [21.03]arm/x86 passwd可以使用字典词汇作为口令,与官网手册描述不符| +| [I3BU08](https://gitee.com/open_euler/dashboard?issue_id=I3BU08) |[21.03]arm/x86 
执行ltp用例失败memcg_stat_test/memcg_use_hierarchy| +| [I3BU3W](https://gitee.com/open_euler/dashboard?issue_id=I3BU3W) | [21.03]x86/arm未删除pkcs11-register.desktop文件导致systemd-xdg-autostart-generator报错| +| [I3BUAQ](https://gitee.com/open_euler/dashboard?issue_id=I3BUAQ) | 【21.03】本地编译atlas失败| +| [I3BVKD](https://gitee.com/open_euler/dashboard?issue_id=I3BVKD) | 【21.03】本地编译lapack失败| +| [I3BVX5](https://gitee.com/open_euler/dashboard?issue_id=I3BVX5) | [21.03] sendmail.service启动后查看状态,报错误日志:Can't open PID file /run/sendmail.pid| +| [I3BWCP](https://gitee.com/open_euler/dashboard?issue_id=I3BWCP) | [21.03]arm/x86 glibc的问题导致ltp的semctl09失败| +| [I3BYW0](https://gitee.com/open_euler/dashboard?issue_id=I3BYW0) | 【21.03】安装cloud-init,重启系统后查看cloud-init服务出现error日志Unable to render networking| +| [I3BYW2](https://gitee.com/open_euler/dashboard?issue_id=I3BYW2) | 【21.03】本地编译secGear失败| +| [I3C00V](https://gitee.com/open_euler/dashboard?issue_id=I3C00V) | pkgship文档描述存在问题| +| [I3C2ES](https://gitee.com/open_euler/dashboard?issue_id=I3C2ES) | 【21.03】物理机rasdaemon服务出现rasdaemon: Can't register mce handler,以及diskerror_eventstore| +| [I3C2JT](https://gitee.com/open_euler/dashboard?issue_id=I3C2JT) | 【21.03】x86,mariadb启动后,查看状态出现error日志Server GSSAPI error| +| [I3C5A9](https://gitee.com/open_euler/dashboard?issue_id=I3C5A9) |【openEuler 21.03】libvirt组件使用src包,在openEuler上arm架构下编译失败| +| [I3C5LD](https://gitee.com/open_euler/dashboard?issue_id=I3C5LD) | 启动etmemd,执行etmem migrate start操作会出现core| +| [I3CBT0](https://gitee.com/open_euler/dashboard?issue_id=I3CBT0 ) | [21.03]arm kdump启动失败| +| [I3CBXD](https://gitee.com/open_euler/dashboard?issue_id=I3CBXD) | 【21.03】卸载grub2的子包有报错信息| +| [I3CDJQ](https://gitee.com/open_euler/dashboard?issue_id=I3CDJQ) | 【21.03】使用rpmbuild本地编译失败| +| [I3CEO1](https://gitee.com/open_euler/dashboard?issue_id=I3CEO1) | 【21.03】使用rpmbuild本地编译失败| \ No newline at end of file 
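Review bot: In the new 已修复问题.md, the kernel commit-log link near the top is never closed: `[提交记录](https://gitee.com/openeuler/kernel/commits/openEuler-21.03。` has the full stop where the `)` should be, so the link will not render and the rest of the line is swallowed into the URL. Move `)` in front of `。`. The next line points at `[表1](#table249714911433)`, but the added file defines no such anchor (the table is plain Markdown under a bold caption), so that reference is dead as well. Smaller items in the table itself: the I3AMTA row opens with `[[`, several rows carry a space inside the link target before `)` (for example I38ZCF, I393DJ and I39EVJ), I3ARNO and I3BC45 repeat the same description, and the file ends without a trailing newline.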
diff --git "a/docs/zh/docs/Releasenotes/\345\267\262\347\237\245\351\227\256\351\242\230.md" "b/docs/zh/docs/Releasenotes/\345\267\262\347\237\245\351\227\256\351\242\230.md" new file mode 100644 index 0000000000000000000000000000000000000000..7d63e22c28756ffaae0aa6a8c72c4291eefd900b --- /dev/null +++ "b/docs/zh/docs/Releasenotes/\345\267\262\347\237\245\351\227\256\351\242\230.md" @@ -0,0 +1,11 @@ +# 已知问题 + +| ISSUE |问题描述 | +|:--- |:---- | +| [I39AN0](https://gitee.com/openeuler/community/issues/I26ZLO?from=project-issue) | 【21.03】arm物理机出现内核报错ACPI CPPC: Failed to find PCC channel for subspace 0 | +| [I39MQQ](https://gitee.com/open_euler/dashboard?issue_id=I39MQQ) | 【21.03】RC1版本 字符界面login处使用上下方向键后导致输入异常,无法正常进行用户登录| +| [I3A8YY](https://gitee.com/open_euler/dashboard?issue_id=I3A8YY) | 【21.03】nfs-blkmap服务停止状态failed | +| [I3AB65](https://gitee.com/open_euler/dashboard?issue_id=I3AB65) | 【21.03】SCAP Security guide 不支持对opss(通用操作系统保护配置文件)的检查 | +| [I3A52C](https://gitee.com/open_euler/dashboard?issue_id=I3A52C) | 【21.03】samba服务启动失败 | +| [I3EAS1](https://gitee.com/open_euler/dashboard?issue_id=I3EAS1) | 【21.03】arm/x86 的megaraid卡类型物理机上echo c > /proc/sysrq-trigger后kdump无法生成vmcore | + diff --git "a/content/zh/docs/Releasenotes/\346\263\225\345\276\213\345\243\260\346\230\216.md" "b/docs/zh/docs/Releasenotes/\346\263\225\345\276\213\345\243\260\346\230\216.md" similarity index 96% rename from "content/zh/docs/Releasenotes/\346\263\225\345\276\213\345\243\260\346\230\216.md" rename to "docs/zh/docs/Releasenotes/\346\263\225\345\276\213\345\243\260\346\230\216.md" index 9769a3f5cfcd23d6e98b030f9b933935330b23b4..b979850e64fe63b3d481b1ef252b2ab552ee6c3e 100644 --- "a/content/zh/docs/Releasenotes/\346\263\225\345\276\213\345\243\260\346\230\216.md" +++ "b/docs/zh/docs/Releasenotes/\346\263\225\345\276\213\345\243\260\346\230\216.md" 
@@ -1,6 +1,6 @@ # 法律声明 -**版权所有 © 2020 openEuler社区。** +**版权所有 © 2021 openEuler社区。** 您对“本文档”的复制、使用、修改及分发受知识共享\(Creative Commons\)署名—相同方式共享4.0国际公共许可协议\(以下简称“CC BY-SA 4.0”\)的约束。为了方便用户理解,您可以通过访问[https://creativecommons.org/licenses/by-sa/4.0/](https://creativecommons.org/licenses/by-sa/4.0/) 了解CC BY-SA 4.0的概要 \(但不是替代\)。CC BY-SA 4.0的完整协议内容您可以访问如下网址获取:[https://creativecommons.org/licenses/by-sa/4.0/legalcode](https://creativecommons.org/licenses/by-sa/4.0/legalcode)。 diff --git "a/content/zh/docs/Releasenotes/\346\272\220\344\273\243\347\240\201.md" "b/docs/zh/docs/Releasenotes/\346\272\220\344\273\243\347\240\201.md" similarity index 100% rename from "content/zh/docs/Releasenotes/\346\272\220\344\273\243\347\240\201.md" rename to "docs/zh/docs/Releasenotes/\346\272\220\344\273\243\347\240\201.md" diff --git "a/content/zh/docs/Releasenotes/\347\224\250\346\210\267\351\241\273\347\237\245.md" "b/docs/zh/docs/Releasenotes/\347\224\250\346\210\267\351\241\273\347\237\245.md" similarity index 32% rename from "content/zh/docs/Releasenotes/\347\224\250\346\210\267\351\241\273\347\237\245.md" rename to "docs/zh/docs/Releasenotes/\347\224\250\346\210\267\351\241\273\347\237\245.md" index f612df3f64d1e43279f0a7cbbb27b04128bcff22..32d54bb06014fb2dacf263113986f5d82a77911b 100644 --- "a/content/zh/docs/Releasenotes/\347\224\250\346\210\267\351\241\273\347\237\245.md" +++ "b/docs/zh/docs/Releasenotes/\347\224\250\346\210\267\351\241\273\347\237\245.md" 
@@ -1,6 +1,4 @@ # 用户须知 -- openEuler版本号计数规则由openEuler x.x变更为以年月为版本号,以便用户了解版本发布时间,例如openEuler 20.09表示发布时间为2020年9月。 -- [Python核心团队](https://www.python.org/dev/peps/pep-0373/#update)已经于2020年1月停止对Python 2的维护。2020年,openEuler 20.09 LTS仅修复Python 2的致命CVE,并将于2020年12月31日全面停止维护。请您尽快切换到Python 3。 - -* [Python核心团队](https://www.python.org/dev/peps/pep-0373/#update)已经于2020年1月停止对Python 2的维护。2020年,openEuler 20.03 LTS仅修复Python 2的致命CVE,并将于2020年12月31日全面停止维护。请您尽快切换到Python 3。 \ No newline at end of file +- openEuler版本号计数规则由openEuler x.x变更为以年月为版本号,以便用户了解版本发布时间,例如openEuler 21.03表示发布时间为2021年3月。 +- [Python核心团队](https://www.python.org/dev/peps/pep-0373/#update)已经于2020年1月停止对Python 2的维护。2021年,openEuler 21.03 仅修复Python 2的致命CVE,已于2020年12月31日全面停止维护。请您尽快切换到Python 3。 \ No newline at end of file diff --git "a/content/zh/docs/Releasenotes/\347\256\200\344\273\213.md" "b/docs/zh/docs/Releasenotes/\347\256\200\344\273\213.md" similarity index 99% rename from "content/zh/docs/Releasenotes/\347\256\200\344\273\213.md" rename to "docs/zh/docs/Releasenotes/\347\256\200\344\273\213.md" index a93e39988321b9f901e74f729323f23828cb2196..5d32c5e38bc6012d6d1f0afb1c1e7f1fbda8fc0c 100644 --- "a/content/zh/docs/Releasenotes/\347\256\200\344\273\213.md" +++ "b/docs/zh/docs/Releasenotes/\347\256\200\344\273\213.md" @@ -1,4 +1,4 @@ -# 简介 - -openEuler是一款开源操作系统。当前openEuler内核源于Linux,支持鲲鹏及其它多种处理器,能够充分释放计算芯片的潜能,是由全球开源贡献者构建的高效、稳定、安全的开源操作系统,适用于数据库、大数据、云计算、人工智能等应用场景。同时,openEuler是一个面向全球的操作系统开源社区,通过社区合作,打造创新平台,构建支持多处理器架构、统一和开放的操作系统,推动软硬件应用生态繁荣发展。 - +# 简介 + +openEuler是一款开源操作系统。当前openEuler内核源于Linux,支持鲲鹏及其它多种处理器,能够充分释放计算芯片的潜能,是由全球开源贡献者构建的高效、稳定、安全的开源操作系统,适用于数据库、大数据、云计算、人工智能等应用场景。同时,openEuler是一个面向全球的操作系统开源社区,通过社区合作,打造创新平台,构建支持多处理器架构、统一和开放的操作系统,推动软硬件应用生态繁荣发展。 + 
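Review bot: In the new 已知问题.md, the first table row's label and link target disagree: `[I39AN0](https://gitee.com/openeuler/community/issues/I26ZLO?from=project-issue)` displays I39AN0 but opens issue I26ZLO under openeuler/community, while every other row uses the `open_euler/dashboard?issue_id=` form with a matching id. Either the label or the URL is wrong; please make them refer to the same issue so that readers tracking this ACPI CPPC kernel error land on the right ticket.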
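Review bot: In 用户须知.md, the rewritten Python 2 bullet contradicts itself: `2021年,openEuler 21.03 仅修复Python 2的致命CVE,已于2020年12月31日全面停止维护` says both that 21.03 still fixes critical Python 2 CVEs during 2021 and that maintenance ended completely on 2020-12-31. The old wording ("will stop on 2020-12-31") was only half converted to the past tense. Readers need one unambiguous statement of whether Python 2 packages in 21.03 receive security fixes, so please pick one status and drop the other clause. The file also still ends without a trailing newline.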
diff --git "a/content/zh/docs/Releasenotes/\347\263\273\347\273\237\345\256\211\350\243\205.md" "b/docs/zh/docs/Releasenotes/\347\263\273\347\273\237\345\256\211\350\243\205.md" similarity index 95% rename from "content/zh/docs/Releasenotes/\347\263\273\347\273\237\345\256\211\350\243\205.md" rename to "docs/zh/docs/Releasenotes/\347\263\273\347\273\237\345\256\211\350\243\205.md" index 7788d15a0a44c493ae690387e9ea496a7ad6d27a..a7c2c74f46c3235d68798b08f3a4175fad16f9c9 100644 --- "a/content/zh/docs/Releasenotes/\347\263\273\347\273\237\345\256\211\350\243\205.md" +++ "b/docs/zh/docs/Releasenotes/\347\263\273\347\273\237\345\256\211\350\243\205.md" @@ -2,7 +2,7 @@ ## 发布件 -openEuler发布件包括[ISO发布包](http://repo.openeuler.org/openEuler-20.09-LTS/ISO/)、[虚拟机镜像](http://repo.openeuler.org/openEuler-20.09-LTS/virtual_machine_img/)、[容器镜像](http://repo.openeuler.org/openEuler-20.09-LTS/docker_img/)和[repo源](http://repo.openeuler.org/openEuler-20.09-LTS/)。ISO发布包请参见[表1](#table8396719144315)。容器清单参见[表3](#table1276911538154)。repo源方便在线使用,repo源目录请参见[表4](#table953512211576)。 +openEuler发布件包括[ISO发布包](http://repo.openeuler.org/openEuler-21.03/ISO/)、[虚拟机镜像](http://repo.openeuler.org/openEuler-21.03/virtual_machine_img/)、[容器镜像](http://repo.openeuler.org/openEuler-21.03/docker_img/)和[repo源](http://repo.openeuler.org/openEuler-21.03/)。ISO发布包请参见[表1](#table8396719144315)。容器清单参见[表3](#table1276911538154)。repo源方便在线使用,repo源目录请参见[表4](#table953512211576)。 **表 1** 发布ISO列表 @@ -13,37 +13,37 @@ openEuler发布件包括[ISO发布包](http://repo.openeuler.org/openEuler-20.09 -

openEuler-20.09-LTS-aarch64-dvd.iso

+

openEuler-21.03-aarch64-dvd.iso

AArch64架构的基础安装ISO,包含了运行最小系统的核心组件

-

openEuler-20.09-LTS-everything-aarch64-dvd.iso

+

openEuler-21.03-everything-aarch64-dvd.iso

AArch64架构的全量安装ISO,包含了运行完整系统所需的全部组件

-

openEuler-20.09-LTS-debuginfo-aarch64-dvd.iso

+

openEuler-21.03-debuginfo-aarch64-dvd.iso

AArch64架构下openEuler的调试ISO,包含了调试所需的符号表信息

-

openEuler-20.09-LTS-x86_64-dvd.iso

+

openEuler-21.03-x86_64-dvd.iso

x86_64架构的基础安装ISO,包含了运行最小系统的核心组件

-

openEuler-20.09-LTS-everything-x86_64-dvd.iso

+

openEuler-21.03-everything-x86_64-dvd.iso

x86_64架构的全量安装ISO,包含了运行完整系统所需的全部组件

-

openEuler-20.09-LTS-debuginfo-x86_64-dvd.iso

+

openEuler-21.03-debuginfo-x86_64-dvd.iso

x86_64架构下openEuler的调试ISO,包含了调试所需的符号表信息

-

openEuler-20.09-LTS-source-dvd.iso

+

openEuler-21.03-source-dvd.iso

openEuler源码ISO

@@ -60,12 +60,12 @@ openEuler发布件包括[ISO发布包](http://repo.openeuler.org/openEuler-20.09 -

openEuler-20.09-LTS.aarch64.qcow2.xz

+

openEuler-21.03.aarch64.qcow2.xz

AArch64架构下openEuler虚拟机镜像

-

openEuler-20.09-LTS.x86_64.qcow2.xz

+

openEuler-21.03.x86_64.qcow2.xz

x86_64架构下openEuler虚拟机镜像

@@ -73,7 +73,7 @@ openEuler发布件包括[ISO发布包](http://repo.openeuler.org/openEuler-20.09 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >虚拟机镜像root用户默认密码为:openEuler12\#$,首次登录后请及时修改。 **表 3** 容器镜像列表 @@ -162,7 +162,7 @@ openEuler发布件包括[ISO发布包](http://repo.openeuler.org/openEuler-20.09 ## 最小硬件要求 -安装 openEuler 20.09 LTS 所需的最小硬件要求如[表5](#zh-cn_topic_0182825778_tff48b99c9bf24b84bb602c53229e2541)所示。 +安装 openEuler 21.03 所需的最小硬件要求如[表5](#zh-cn_topic_0182825778_tff48b99c9bf24b84bb602c53229e2541)所示。 **表 5** 最小硬件要求 @@ -224,7 +224,7 @@ openEuler已验证支持的服务器和各部件典型配置请参见[表6](#zh-

内存

-

32G*4 2933MHz

+

32G\*4 2933MHz

RAID卡

diff --git "a/content/zh/docs/Releasenotes/\350\207\264\350\260\242.md" "b/docs/zh/docs/Releasenotes/\350\207\264\350\260\242.md" similarity index 100% rename from "content/zh/docs/Releasenotes/\350\207\264\350\260\242.md" rename to "docs/zh/docs/Releasenotes/\350\207\264\350\260\242.md" diff --git "a/docs/zh/docs/SecHarden/SELinux\351\205\215\347\275\256.md" "b/docs/zh/docs/SecHarden/SELinux\351\205\215\347\275\256.md" new file mode 100644 index 0000000000000000000000000000000000000000..9eb41b74329032ca7eb532ef2ef2f8ac87515d1f --- /dev/null +++ "b/docs/zh/docs/SecHarden/SELinux\351\205\215\347\275\256.md" 
@@ -0,0 +1,66 @@ +# SELinux配置 + +## 概述 + +自主访问控制DAC(Discretionary Access Control)基于用户、组和其他权限,决定一个资源是否能被访问的因素是某个资源是否拥有对应用户的权限,它不能使系统管理员创建全面和细粒度的安全策略。SELinux(Security-Enhanced Linux)是Linux内核的一个模块,也是Linux的一个安全子系统。SELinux的实现了强制访问控制MAC(Mandatory Access Control ),每个进程和系统资源都有一个特殊的安全标签,资源能否被访问除了DAC规定的原则外,还需要判断每一类进程是否拥有对某一类资源的访问权限。 + +openEuler默认使用SELinux提升系统安全性。SELinux分为三种模式: + +- permissive:SELinux仅打印告警而不强制执行。 +- enforcing:SELinux安全策略被强制执行。 +- disabled:不加载SELinux安全策略。 + +## 配置说明 +openEuler默认开启SELinux,且默认模式为enforcing,用户可以通过修改/etc/selinux/config中配置项SELINUX的值变更SELinux模式。 + +- 关闭SELinux策略的配置如下: + + ``` + SELINUX=disabled + ``` + +- 使用permissive策略的配置如下: + + ``` + SELINUX=permissive + ``` + + +>![](./public_sys-resources/icon-note.gif) **说明:** +>disabled与另两种模式切换时需重启系统生效。 +>``` +># reboot +>``` + +## SELinux相关命令 + +- 查询SELinux模式。例如下述查询的SELinux模式为Permissive: + + ``` + # getenforce + Permissive + ``` + +- 设置SELinux模式,0表示permissive模式,1表示enforcing模式,例如设置为enforcing模式的命令如下。该命令不能设置disabled模式,且系统重启后,恢复到/etc/selinux/config中设置的模式。 + + ``` + # setenforce 1 + ``` + +- 查询运行SELinux的系统状态。SELinux status表示SELinux的状态,enabled表示启用SELinux,disabled表示关闭SELinux。Current mode表示SELinux当前的安全策略。 + + ``` + # sestatus + SELinux status: enabled + SELinuxfs mount: /sys/fs/selinux + SELinux root directory: /etc/selinux + Loaded policy name: targeted + Current mode: enforcing + Mode from config file: enforcing + Policy MLS status: enabled + Policy deny_unknown status: allowed + Memory protection checking: actual (secure) + Max kernel policy version: 31 + ``` + + diff --git a/content/zh/docs/Virtualization/figures/zh-cn_image_0218587435.png b/docs/zh/docs/SecHarden/figures/zh-cn_image_0221925211.png similarity index 100% rename from content/zh/docs/Virtualization/figures/zh-cn_image_0218587435.png rename to docs/zh/docs/SecHarden/figures/zh-cn_image_0221925211.png 
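Review bot: In SELinux配置.md, the 配置说明 section lists only the two settings that weaken the default (SELINUX=disabled and SELINUX=permissive) and never says which value a hardened system should keep or how to get back to enforcing. Because this file is added under SecHarden, state that enforcing is the recommended value and show the SELINUX=enforcing line next to the other two. The 说明 block says switching to or from disabled only needs `reboot`; it should also say that files created while SELinux was disabled carry no labels, so the filesystem has to be relabelled when SELinux is turned back on. Small wording fix in 概述: "SELinux的实现了强制访问控制" has a stray 的.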
diff --git a/content/zh/docs/Virtualization/figures/zh-cn_image_0218587436.png b/docs/zh/docs/SecHarden/figures/zh-cn_image_0221925212.png similarity index 100% rename from content/zh/docs/Virtualization/figures/zh-cn_image_0218587436.png rename to docs/zh/docs/SecHarden/figures/zh-cn_image_0221925212.png diff --git a/docs/zh/docs/SecHarden/public_sys-resources/icon-caution.gif b/docs/zh/docs/SecHarden/public_sys-resources/icon-caution.gif new file mode 100644 index 0000000000000000000000000000000000000000..6e90d7cfc2193e39e10bb58c38d01a23f045d571 Binary files /dev/null and b/docs/zh/docs/SecHarden/public_sys-resources/icon-caution.gif differ diff --git a/docs/zh/docs/SecHarden/public_sys-resources/icon-danger.gif b/docs/zh/docs/SecHarden/public_sys-resources/icon-danger.gif new file mode 100644 index 0000000000000000000000000000000000000000..6e90d7cfc2193e39e10bb58c38d01a23f045d571 Binary files /dev/null and b/docs/zh/docs/SecHarden/public_sys-resources/icon-danger.gif differ diff --git a/docs/zh/docs/SecHarden/public_sys-resources/icon-note.gif b/docs/zh/docs/SecHarden/public_sys-resources/icon-note.gif new file mode 100644 index 0000000000000000000000000000000000000000..6314297e45c1de184204098efd4814d6dc8b1cda Binary files /dev/null and b/docs/zh/docs/SecHarden/public_sys-resources/icon-note.gif differ diff --git a/docs/zh/docs/SecHarden/public_sys-resources/icon-notice.gif b/docs/zh/docs/SecHarden/public_sys-resources/icon-notice.gif new file mode 100644 index 0000000000000000000000000000000000000000..86024f61b691400bea99e5b1f506d9d9aef36e27 Binary files /dev/null and b/docs/zh/docs/SecHarden/public_sys-resources/icon-notice.gif differ diff --git a/docs/zh/docs/SecHarden/public_sys-resources/icon-tip.gif b/docs/zh/docs/SecHarden/public_sys-resources/icon-tip.gif new file mode 100644 index 0000000000000000000000000000000000000000..93aa72053b510e456b149f36a0972703ea9999b7 Binary files /dev/null and b/docs/zh/docs/SecHarden/public_sys-resources/icon-tip.gif differ 
diff --git a/docs/zh/docs/SecHarden/public_sys-resources/icon-warning.gif b/docs/zh/docs/SecHarden/public_sys-resources/icon-warning.gif new file mode 100644 index 0000000000000000000000000000000000000000..6e90d7cfc2193e39e10bb58c38d01a23f045d571 Binary files /dev/null and b/docs/zh/docs/SecHarden/public_sys-resources/icon-warning.gif differ diff --git a/docs/zh/docs/SecHarden/secHarden.md b/docs/zh/docs/SecHarden/secHarden.md new file mode 100644 index 0000000000000000000000000000000000000000..c600efce0c96f2ab49969d3a0ee47160acdf02c9 --- /dev/null +++ b/docs/zh/docs/SecHarden/secHarden.md @@ -0,0 +1,5 @@ +# 安全加固指南 + +本文档给出openEuler的加固介绍和加固方法,指导用户进行安全加固。 + +本文档主要适用于需要对openEuler进行安全加固的管理员。管理员需要熟悉操作系统安全架构和安全技术。 \ No newline at end of file diff --git "a/docs/zh/docs/SecHarden/\345\206\205\346\240\270\345\217\202\346\225\260.md" "b/docs/zh/docs/SecHarden/\345\206\205\346\240\270\345\217\202\346\225\260.md" new file mode 100644 index 0000000000000000000000000000000000000000..b6952879671a669d724615cd74e42e38ab5104eb --- /dev/null +++ "b/docs/zh/docs/SecHarden/\345\206\205\346\240\270\345\217\202\346\225\260.md" @@ -0,0 +1,230 @@ +# 内核参数 + +- [内核参数](#内核参数) + - [加固内核参数](#加固内核参数) + + + +## 加固内核参数 + +### 说明 + +内核参数决定配置和应用特权的状态。内核提供用户可配置的系统控制,这一系统控制可微调或配置,该功能特性可通过控制各种可配置的内核参数,来提高操作系统的安全特性。比如:通过微调或配置网络选项,可有效提高系统的安全性。 + +### 实现 + +1. 将[表3](#zh-cn_topic_0152100187_t69b5423c26644b26abe94d88d38878eb)中的加固项写入/etc/sysctl.conf文件中。 + + >![](./public_sys-resources/icon-note.gif) **说明:** + >写入方式如下: + >``` + >net.ipv4.icmp_echo_ignore_broadcasts = 1 + >net.ipv4.conf.all.rp_filter = 1 + >net.ipv4.conf.default.rp_filter = 1 + >``` + + **表 3** 内核参数加固策略说明 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

加固项

+

加固项说明

+

加固建议

+

openEuler默认是否已加固为建议值

+

net.ipv4.icmp_echo_ignore_broadcasts

+

是否接受ICMP广播报文。加固策略为不接受。

+

1

+

+

net.ipv4.conf.all.rp_filter

+

验证数据包使用的实际源地址是否与路由表相关,以及使用该特定源IP地址的数据包是否通过接口获取其响应。加固策略为启用该项。

+

1

+

+

net.ipv4.conf.default.rp_filter

+

1

+

+

net.ipv4.ip_forward

+

IP Forwarding可阻止未授权的IP数据包渗透至网络。加固策略为禁用该特性。

+

0

+

+

net.ipv4.conf.all.accept_source_route

+

accept_source_route指允许数据包的发送者指定数据包的发送路径,以及返回给发送者的数据包所走的路径。加固策略为禁用该特性。

+

0

+

+

net.ipv4.conf.default.accept_source_route

+

0

+

+

net.ipv4.conf.all.accept_redirects

+

是否发送ICMP重定向报文。加固策略为禁止发送。

+

0

+

+

net.ipv4.conf.default.accept_redirects

+

0

+

+

net.ipv6.conf.all.accept_redirects

+

0

+

+

net.ipv6.conf.default.accept_redirects

+

0

+

+

net.ipv4.conf.all.send_redirects

+

是否将ICMP重定向报文发送至其他主机。只有当主机作为路由时,应启用该策略。加固策略为禁用该项。

+

0

+

+

net.ipv4.conf.default.send_redirects

+

0

+

+

net.ipv4.icmp_ignore_bogus_error_responses

+

忽略伪造的ICMP数据包,不会将其记录到日志,将节省大量的硬盘空间。加固策略为启用该项。

+

1

+

+

net.ipv4.tcp_syncookies

+

SYN Attack是一种通过占用系统资源迫使系统重启的DoS攻击。加固策略为开启TCP-SYN cookie保护。

+

1

+

+

kernel.dmesg_restrict

+

加固dmesg信息,仅允许管理员查看。

+

1

+

+

kernel.sched_autogroup_enabled

+

该选项决定内核是否对线程进行自动分组调度。开启后调度组之间互相竞争时间片,调度组内的线程再竞争调度组分配到的时间片。加固策略为不启用该项。

+

0

+

+

kernel.sysrq

+

禁用魔术键。

+
说明:

建议禁用魔术键,避免由于直接发送命令到内核对系统造成影响,增强内核安全性。

+
+

0

+

+

net.ipv4.conf.all.secure_redirects

+

设置系统是接收来自任何主机的ICMP重定向消息还是从默认网关列表中的网关处接收ICMP重定向消息。加固策略为采用前者。

+

0

+

+

net.ipv4.conf.default.secure_redirects

+

0

+

+
+ +2. 加载sysctl.conf文件中设置的内核参数。 + + ``` + sysctl -p /etc/sysctl.conf + ``` + + +### 其它安全建议 + +- net.ipv4.icmp\_echo\_ignore\_all:忽略ICMP请求。 + + 出于安全考虑,建议开启此项(当前默认值为0,开启将值设为1)。 + + 但开启后会忽略所有接收到的icmp echo请求的包\(会导致机器无法ping通\),建议用户根据实际组网场景决定是否开启此项。 + +- net.ipv4.conf.all.log\_martians/net.ipv4.conf.default.log\_martians:对于仿冒/源路由/重定向数据包开启日志记录。 + + 出于安全考虑,建议开启此项(当前默认值为0,开启将值设为1)。 + + 但是开启后会记录带有不允许的地址的数据到内核日志中,存在冲日志风险,建议用户根据实际使用场景决定是否开启此项。 + +- net.ipv4.tcp\_timestamps:关闭tcp\_timestamps。 + + 出于安全考虑,建议关闭tcp\_timestamps(当前默认值为1,关闭将值设为0)。 + + 但是关闭此项会影响TCP超时重发的性能,建议用户根据实际使用场景决定是否关闭此项。 + +- net.ipv4.tcp\_max\_syn\_backlog:决定了SYN\_RECV状态队列的数量。 + + 该参数决定了SYN\_RECV状态队列的数量,超过这个数量,系统将不再接受新的TCP连接请求,一定程度上可以防止系统资源耗尽。建议由用户根据实际使用场景配置合适的值。 \ No newline at end of file diff --git "a/docs/zh/docs/SecHarden/\345\212\240\345\233\272\346\214\207\345\257\274.md" "b/docs/zh/docs/SecHarden/\345\212\240\345\233\272\346\214\207\345\257\274.md" new file mode 100644 index 0000000000000000000000000000000000000000..b2a8312d288f8bba8cd72b1239b61126b0875887 --- /dev/null +++ "b/docs/zh/docs/SecHarden/\345\212\240\345\233\272\346\214\207\345\257\274.md" @@ -0,0 +1,5 @@ +# 加固指导 + +用户可以通过修改加固策略配置文件或加固脚本进行系统加固。本节介绍各加固项的含义以及openEuler是否已默认加固,并给出加固方法,指导用户进行安全加固。 + + diff --git "a/docs/zh/docs/SecHarden/\345\256\211\345\205\250\345\212\240\345\233\272\345\267\245\345\205\267.md" "b/docs/zh/docs/SecHarden/\345\256\211\345\205\250\345\212\240\345\233\272\345\267\245\345\205\267.md" new file mode 100644 index 0000000000000000000000000000000000000000..3e3450cbb1c8a4cf585799700dfa6df1e8d87a84 --- /dev/null +++ "b/docs/zh/docs/SecHarden/\345\256\211\345\205\250\345\212\240\345\233\272\345\267\245\345\205\267.md" 
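Review bot: In 内核参数.md, the table row for net.ipv4.conf.all.accept_redirects describes the wrong direction: "是否发送ICMP重定向报文。加固策略为禁止发送。" is about sending, but accept_redirects controls whether the host accepts ICMP redirects, and sending is already covered by the send_redirects row further down. Change the description to accepting (接受) so the four accept_redirects keys and the two send_redirects keys are not documented as the same control. The net.ipv4.ip_forward row has a similar wording problem: "IP Forwarding可阻止未授权的IP数据包渗透至网络" reads as if forwarding itself blocks packets, while the recommended value 0 disables it; say that disabling forwarding is what keeps the host from routing packets between networks. The 说明 sample under step 1 writes only three keys, so add a sentence that every row of the table is written the same way.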
@@ -0,0 +1,131 @@ +# 安全加固工具 + + +- [安全加固工具](#安全加固工具) + - [加固操作](#加固操作) + - [加固生效](#加固生效) + + +## 加固操作 + +### 概述 + +安全加固工具会根据usr-security.conf设置加固策略,使用加固工具设置加固策略需要用户修改usr-security.conf。本节介绍usr-security.conf的修改规则。用户可配置的加固项请参见[加固指导](https://openeuler.org/zh/docs/21.03/docs/SecHarden/%E5%8A%A0%E5%9B%BA%E6%8C%87%E5%AF%BC.html)对应内容。 + +### 注意事项 + +- 修改配置后,需要重启安全加固服务使配置生效。重启方法请参见[加固生效](#加固生效)对应内容。 +- 用户修改加固配置时,仅修改/etc/openEuler\_security/usr-security.conf文件,不建议修改/etc/openEuler\_security/security.conf。security.conf中为基本加固项,仅运行一次。 +- 当重启安全加固服务使配置生效后,在usr-security.conf中删除对应加固项并重启安全加固服务并不能清除之前的配置。 +- 安全加固操作记录在日志文件/var/log/openEuler-security.log中。 + +### 配置格式 + +usr-security.conf中的每一行代表一项配置,根据配置内容的不同有不同配置格式,这里给出各类配置的格式说明。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>- 所有配置项以执行ID开头,执行ID仅为了方便用户识别配置内容,取值为正整数,由用户自行定义。 +>- 配置项的各内容之间使用@作为分隔符。 +>- 若实际配置内容中包含@,需要使用@@表示以和分隔符区分,例如实际内容为xxx@yyy,则配置为xxx@@yyy。目前不支持@位于配置内容的开头和结尾。 + +- d:注释 + + 格式:执行ID@d@对象文件@匹配项 + + 功能:将对象文件中以匹配项开头(行首可以有空格)的行注释(在行首添加\#)。 + + 示例:执行ID为401,注释/etc/sudoers文件中以%wheel开头的行。 + + ``` + 401@d@/etc/sudoers@%wheel + ``` + + +- m:替换 + + 格式:执行ID@m@对象文件@匹配项@替换目标值 + + 功能:将对象文件中以匹配项开头(行首可以有空格)的行替换为“匹配项加替换目标值 ”。若匹配行开头有空格,替换后将删除这些空格。 + + 示例:执行ID为101,将/etc/ssh/sshd\_config文件中以Protocol 开头的行替换为Protocol 2。匹配和替换时也会考虑Protocol后的空格。 + + ``` + 101@m@/etc/ssh/sshd_config@Protocol @2 + ``` + +- sm:精确修改 + + 格式:执行ID@sm@对象文件@匹配项@替换目标值 + + 功能:将对象文件中以匹配项开头(行首可以有空格)的行替换为“匹配项加替换目标值 ”。若匹配行开头有空格,替换后将保留这些空格,这是sm和m的区别。 + + 示例:执行ID为201,将/etc/audit/hzqtest文件中以size开头的行替换为size 2048。 + + ``` + 201@sm@/etc/audit/hzqtest@size@ 2048 + ``` + + +- M:修改子项 + + 格式:执行ID@M@对象文件@匹配项@匹配子项\[@匹配子项的值\] + + 功能:匹配对象文件中以匹配项开头(行首可以有空格)的行,并将该行中以匹配子项开始的内容替换为“匹配子项和匹配子项的值”,其中匹配子项的值可选。 + + 示例:执行ID为101,找到file文件中以key开头的行,并将这些行中以key2开始的内容替换为key2value2。 + + ``` + 101@M@file@key@key2@value2 + ``` + +- systemctl:管理服务 + + 格式:执行ID@systemctl@对象服务@具体操作 + + 功能:使用systemctl管理对象服务,具体操作可取值为start、stop、restart、disable等systemctl所有可用的命令。 + + 示例:执行ID为218,停止cups.service服务,等同于systemctl 
stop cups.service的配置行。 + + ``` + 218@systemctl@cups.service@stop + ``` + +- 其他命令 + + 格式:执行ID@命令@对象文件 + + 功能:执行对应命令,即执行命令行“命令 对象文件”。 + + 示例一:执行ID为402,使用rm -f命令删除文件/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem。 + + ``` + 402@rm -f @/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem + ``` + + 示例二:执行ID为215,使用touch命令创建文件/etc/cron.allow。 + + ``` + 215@touch @/etc/cron.allow + ``` + + 示例三:执行ID为214,使用chown命令将文件/etc/at.allow的属主改为root:root。 + + ``` + 214@chown root:root @/etc/at.allow + ``` + + 示例四:执行ID为214,使用chmod命令去除文件/etc/at.allow属主所在群组及其他非属主用户的rwx权限。 + + ``` + 214@chmod og-rwx @/etc/at.allow + ``` + + +## 加固生效 + +完成修改usr-security.conf文件后,请运行如下命令使新添加的配置生效。 + +``` +systemctl restart openEuler-security.service +``` + diff --git "a/docs/zh/docs/SecHarden/\346\216\210\346\235\203\350\256\244\350\257\201.md" "b/docs/zh/docs/SecHarden/\346\216\210\346\235\203\350\256\244\350\257\201.md" new file mode 100644 index 0000000000000000000000000000000000000000..4f9fb5f5cd874944401a82728e156be6b61c8ea9 --- /dev/null +++ "b/docs/zh/docs/SecHarden/\346\216\210\346\235\203\350\256\244\350\257\201.md" 
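Review bot: In 安全加固工具.md, the 其他命令 format (执行ID@命令@对象文件) and the systemctl format make usr-security.conf a list of command lines that openEuler-security.service executes, but 注意事项 never states who may write /etc/openEuler\_security/usr-security.conf. Add the expected owner and mode of that file (and of security.conf) to 注意事项, and tell the reader to check them before running `systemctl restart openEuler-security.service`. The examples also reuse execution IDs: 示例三 and 示例四 both use 214, and the m and M examples both use 101. The 说明 block says the ID exists so users can identify an entry, so give each example its own ID. Finally, 注意事项 says removing an entry and restarting does not undo it; a sentence on how to revert a setting by hand would close that gap.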
@@ -0,0 +1,155 @@ +# 授权认证 + +- [授权认证](#授权认证) + - [设置网络远程登录的警告信息](#设置网络远程登录的警告信息) + - [禁止通过Ctrl+Alt+Del重启系统](#禁止通过Ctrl+Alt+Del重启系统) + - [设置终端的自动退出时间](#设置终端的自动退出时间) + - [设置用户的默认umask值为077](#设置用户的默认umask值为077) + - [设置GRUB2加密口令](#设置GRUB2加密口令) + - [安全单用户模式](#安全单用户模式) + - [禁止交互式启动](#禁止交互式启动) + + +## 设置网络远程登录的警告信息 + +### 说明 + +设置网络远程登录的警告信息,用于在登录进入系统之前向用户提示警告信息,明示非法侵入系统可能受到的惩罚,吓阻潜在的攻击者。同时也可以隐藏系统架构及其他系统信息,避免招致对系统的目标性攻击。 + +### 实现 + +该设置可以通过修改/etc/issue.net文件的内容实现。将/etc/issue.net文件原有内容替换为如下信息(openEuler默认已设置): + +``` +Authorized users only. All activities may be monitored and reported. +``` + +## 禁止通过Ctrl+Alt+Del重启系统 + +### 说明 + +操作系统默认能够通过“Ctrl+Alt+Del”进行重启,建议禁止该项特性,防止因为误操作而导致数据丢失。 + +### 实现 + +禁止通过“Ctrl+Alt+Del”重启系统的操作步骤如下: + +1. 删除两个ctrl-alt-del.target文件,参考命令如下: + + ``` + rm -f /etc/systemd/system/ctrl-alt-del.target + rm -f /usr/lib/systemd/system/ctrl-alt-del.target + ``` + +2. 修改/etc/systemd/system.conf文件,将\#CtrlAltDelBurstAction=reboot-force修改为CtrlAltDelBurstAction=none。 +3. 重启systemd,使修改生效,参考命令如下: + + ``` + systemctl daemon-reexec + ``` + +## 设置终端的自动退出时间 + +### 说明 + +无人看管的终端容易被侦听或被攻击,可能会危及系统安全。因此建议设置终端在停止运行一段时间后能够自动退出。 + +### 实现 + +自动退出时间由/etc/profile文件的TMOUT字段(单位为秒)控制,在/etc/profile的尾部添加如下配置: + +``` +export TMOUT=300 +``` + +## 设置用户的默认umask值为077 + +### 说明 + +umask值用于为用户新创建的文件和目录设置缺省权限。如果umask的值设置过小,会使群组用户或其他用户的权限过大,给系统带来安全威胁。因此设置所有用户默认的umask值为0077,即用户创建的目录默认权限为700,文件的默认权限为600。umask值代表的是权限的“补码”,umask值和权限的换算方法请参见[umask值含义](#umask值含义)。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>openEuler默认已设置用户的默认umask值为022。 + +### 实现 + +1. 分别在/etc/bashrc文件和/etc/profile.d/目录下的所有文件中加入“umask 0077”。 + + ``` + echo "umask 0077" >> $FILE + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >_$FILE_ 为具体的文件名,例如:echo "umask 0077" \>\> /etc/bashrc + +2. 
设置/etc/bashrc文件和/etc/profile.d/目录下所有文件的属主为root,群组为root。 + + ``` + chown root.root $FILE + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >_$FILE_ 为具体的文件名,例如:chown root.root /etc/bashrc + + +## 设置GRUB2加密口令 + +### 说明 + +GRUB是GRand UnifiedBootloader的缩写,它是一个操作系统启动管理器,用来引导不同系统(如Windows、Linux),GRUB2是GRUB的升级版。 + +系统启动时,可以通过GRUB2界面修改系统的启动参数。为了确保系统的启动参数不被任意修改,需要对GRUB2界面进行加密,仅在输入正确的GRUB2口令时才能修改启动参数。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>GRUB2默认设置的口令为openEuler\#12,建议用户首次登录时修改默认密码并定期更新,避免密码泄露后,启动选项被篡改,导致系统启动异常。 + +### 实现 + +1. 使用grub2-mkpasswd-pbkdf2命令生成加密的口令 + + >![](./public_sys-resources/icon-note.gif) **说明:** + >GRUB2加密算法使用sha512。 + + ``` + # grub2-mkpasswd-pbkdf2 + Enter password: + Reenter password: + PBKDF2 hash of your password is + grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08 + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >在Enter password和Reenter password输入相同的口令。 + >grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08为openEuler\#12经过grub2-mkpasswd-pbkdf2加密后的输出,每次输出的密文不同。 + +2. 
使用vi工具打开/boot/efi/EFI/openEuler/grub.cfg的开始位置追加如下字段: + + ``` + set superusers="root" + password_pbkdf2 root grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08 + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >- superusers字段用于设置GRUB2的超级管理员的账户名。 + >- password\_pbkdf2字段后的参数,第1个参数为GRUB2的账户名,第2个为该账户的加密口令。 + + +## 安全单用户模式 + +### 说明 + +单用户模式是以root权限进入系统,如不设置密码,将存在较大安全隐患。 + +### 实现 + +该设置可以通过修改/etc/sysconfig/init文件内容实现。将SINGLE选项配置为SINGLE=/sbin/sulogin。 + +## 禁止交互式启动 + +### 说明 + +使用交互式引导,控制台用户可以禁用审计、防火墙或其他服务,削弱了系统安全性。用户可以禁止使用交互式引导,提升安全性。openEuler默认已禁止。 + +### 实现 + +该设置可以通过修改/etc/sysconfig/init文件内容实现。将PROMPT选项配置为PROMPT=no。 \ No newline at end of file diff --git "a/docs/zh/docs/SecHarden/\346\223\215\344\275\234\347\263\273\347\273\237\345\212\240\345\233\272\346\246\202\350\277\260.md" "b/docs/zh/docs/SecHarden/\346\223\215\344\275\234\347\263\273\347\273\237\345\212\240\345\233\272\346\246\202\350\277\260.md" new file mode 100644 index 0000000000000000000000000000000000000000..a107aefc61f960ff8fad2264186149bdf6a58d94 --- /dev/null +++ "b/docs/zh/docs/SecHarden/\346\223\215\344\275\234\347\263\273\347\273\237\345\212\240\345\233\272\346\246\202\350\277\260.md" 
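Review bot: In 授权认证.md, step 2 of 设置GRUB2加密口令 pastes into grub.cfg the same grub.pbkdf2.sha512 string that the 说明 under step 1 identifies as the hash of the default password openEuler\#12, so a reader who copies the block keeps the published default. Replace the value in the password\_pbkdf2 line with a placeholder and say it must be the output of the reader's own grub2-mkpasswd-pbkdf2 run. Step 2 also names only /boot/efi/EFI/openEuler/grub.cfg; say what to edit on a legacy BIOS install. In 禁止通过Ctrl+Alt+Del重启系统, step 1 deletes /usr/lib/systemd/system/ctrl-alt-del.target, a packaged unit file that comes back when the owning package is reinstalled or updated; `systemctl mask ctrl-alt-del.target` gives the same result and survives updates. In the umask section, `chown root.root $FILE` uses the dot separator while the other files in this patch use root:root; use the colon form and quote "$FILE".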
@@ -0,0 +1,137 @@ + +# 操作系统加固概述 + +介绍对openEuler系统进行加固的目的和加固方案。 + + +- [操作系统加固概述](#操作系统加固概述) + - [加固目的](#加固目的) + - [加固方案](#加固方案) + - [加固影响](#加固影响) + + + +## 须知 + +由于安全加固对系统至关重要,因此只有root用户允许修改并应用安全加固策略。 + +## 加固目的 + +操作系统作为信息系统的核心,承担着管理硬件资源和软件资源的重任,是整个信息系统安全的基础。操作系统之上的各种应用,要想获得信息的完整性、机密性、可用性和可控性,必须依赖于操作系统。脱离了对操作系统的安全保护,仅依靠其他层面的防护手段来阻止黑客和病毒等对网络信息系统的攻击,是无法满足安全需求的。 + +因此,需要对操作系统进行安全加固,构建动态、完整的安全体系,增强产品的安全性,提升产品的竞争力。 + +## 加固方案 + +本章描述openEuler的安全加固方案,包括加固方式和加固内容。 + +### 加固方式 + +用户可以通过手动修改加固配置或执行相关命令对系统进行加固,也可以通过加固工具批量修改加固项。openEuler的安全加固工具security tool以openEuler-security.service服务的形式运行。系统首次启动时会自动运行该服务去执行默认加固策略,且自动设置后续开机不启动该服务。 + +用户可以通过修改security.conf,使用安全加固工具实现个性化安全加固的效果。 + +### 加固内容 + +openEuler系统加固内容主要分为以下5个部分: + +- 系统服务 +- 文件权限 +- 内核参数 +- 授权认证 +- 账号口令 + +## 加固影响 + +对文件权限、账户口令等安全加固,可能造成用户使用习惯变更,从而影响系统的易用性。影响系统易用性的常见加固项请参见[表1](#zh-cn_topic_0152100325_ta4a48f54ff2849ada7845e2380209917)。 + +**表 1** 加固影响说明 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

加固项

+

建议加固

+

易用性影响

+

openEuler默认是否设置了该加固项

+

字符界面等待超时限制

+

当字符界面长时间处在空闲状态,字符界面会自动退出。

+
说明:

当用户通过SSH登录,超时时间由/etc/profile文件的TMOUT字段和/etc/ssh/sshd_config文件的ClientAliveInterval字段两个值中较小的值决定。建议加固为300秒。

+
+

用户长时间不操作字符界面,字符界面会自动退出。

+

+

口令复杂度限制

+

口令长度最小为8位,口令至少包含大写字母、小写字母、数字和特殊字符中的3种。

+

系统中所有用户不能设置简单的口令,口令必须符合复杂度要求。

+

+

限定登录失败时的尝试次数

+

当用户登录系统时,口令连续输错3次,账户将被锁定60秒,锁定期间不能登录系统。

+

用户不能随意登录系统,账户被锁定后必须等待60秒。

+

+

用户默认umask值限制

+

设置所有用户的默认umask值为077,使用户创建文件的默认权限为600、目录权限为700。

+

用户需要按照需求修改指定文件或目录的权限。

+

+

口令有效期

+

口令有效期的设置通过修改/etc/login.defs文件实现,加固默认值为口令最大有效期90天,两次修改口令的最小间隔时间为0,口令过期前开始提示天数为7。

+

口令过期后用户重新登录时,提示口令过期并强制要求修改,不修改则无法进入系统。

+

+

su权限限制

+

su命令用于在不同账户之间切换。为了增强系统安全性,有必要对su命令的使用权进行控制,只允许root和wheel群组的账户使用su命令,限制其他账户使用。

+

普通账户执行su命令失败,必须加入wheel群组才可以su成功。

+

+

禁止root账户直接SSH登录系统

+

设置/etc/ssh/sshd_config文件的PermitRootLogin字段的值为no,用户无法使用root账户直接SSH登录系统。

+

用户需要先使用普通账户SSH登录后,再切换至root账户。

+

+

SSH强加密算法

+

SSH服务的MACs和Ciphers配置,禁止对CBC、MD5、SHA1算法的支持,修改为CTR、SHA2算法。

+

当前windows下使用的部分低版本的Xshell、PuTTY不支持aes128-ctr、aes192-ctr、aes256-ctr、hmac-sha2-256、hmac-sha2-512算法,可能会出现无法通过SSH登录系统的情况,请使用最新的PuTTY(0.63版本以上)、Xshell(5.0版本及以上版本)登录。

+

+
+ diff --git "a/docs/zh/docs/SecHarden/\346\226\207\344\273\266\346\235\203\351\231\220.md" "b/docs/zh/docs/SecHarden/\346\226\207\344\273\266\346\235\203\351\231\220.md" new file mode 100644 index 0000000000000000000000000000000000000000..7082755dcb20d44e369ea326f72366210cee92a9 --- /dev/null +++ "b/docs/zh/docs/SecHarden/\346\226\207\344\273\266\346\235\203\351\231\220.md" 
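Review bot: In 操作系统加固概述.md, the last sentence of 加固方式 names the wrong file: "用户可以通过修改security.conf,使用安全加固工具实现个性化安全加固的效果" contradicts 安全加固工具.md in this same patch, which tells users to edit only /etc/openEuler\_security/usr-security.conf and not security.conf. Change it to usr-security.conf and link to the tool page so the two documents agree. The table of contents at the top lists 加固目的, 加固方案 and 加固影响 but omits the 须知 section that the file opens with; add it or fold the root-only statement into 加固方式.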
@@ -0,0 +1,239 @@ +# 文件权限 + +- [文件权限](#文件权限) + - [设置文件的权限和属主](#设置文件的权限和属主) + - [删除无主文件](#删除无主文件) + - [处理空链接文件](#处理空链接文件) + - [设置守护进程的umask值](#设置守护进程的umask值) + - [为全局可写目录添加粘滞位属性](#为全局可写目录添加粘滞位属性) + - [删除非授权文件的全局可写属性](#删除非授权文件的全局可写属性) + - [限制at命令的使用权限](#限制at命令的使用权限) + - [限制cron命令的使用权限](#限制cron命令的使用权限) + - [限制sudo命令的使用权限](#限制sudo命令的使用权限) + + + +## 设置文件的权限和属主 + +### 说明 + +Linux将所有对象都当作文件来处理,即使一个目录也被看作是包含有多个其他文件的大文件。因此,Linux中最重要的就是文件和目录的安全性。文件和目录的安全性主要通过权限和属主来保证。 + +openEuler默认对系统中的常用目录、可执行文件和配置文件设置了权限和属主。 + +### 实现 + +以/bin目录为例,修改文件权限和文件属主的操作如下: + +- 修改文件权限。例如将/bin目录权限设置为755。 + + ``` + chmod 755 /bin + ``` + +- 修改文件属主。例如将/bin目录的拥有者和群组设置为root:root。 + + ``` + chown root:root /bin + ``` + + +## 删除无主文件 + +### 说明 + +系统管理员在删除用户/群组时,存在着忘记删除该用户/该群组所拥有文件的问题。如果后续新创建的用户/群组与被删除的用户/群组同名,则新用户/新群组会拥有部分不属于其权限的文件,建议将此类文件删除。 + +### 实现 + +删除用户ID不存在的文件 + +1. 查找用户ID不存在的文件。 + + ``` + find / -nouser + ``` + +2. 删除查找到的文件。其中 filename 为用户ID不存在文件的文件名。 + + ``` + rm -f filename + ``` + + +删除群组ID不存在的文件 + +1. 查找群主ID不存在的文件。 + + ``` + find / -nogroup + ``` + +2. 删除查找到的文件。其中 filename 为用户ID不存在文件的文件名。 + + ``` + rm -f filename + ``` + + +## 处理空链接文件 + +### 说明 + +无指向的空链接文件,可能会被恶意用户利用,影响系统安全性。建议用户删除无效的空链接文件,提高系统安全性。 + +### 特殊场景 + +openEuler系统安装完成后,可能存在空链接文件,这些空链接文件可能有对应用途(有些空链接文件是预制的,会被其他组件依赖)。请用户根据实际环境进行处理,处理方式请参见[实现](#zh-cn_topic_0152100319_s1b24647cdd834a8eaca3032611baf072)。 + +例如,openEuler支持UEFI和legacy BIOS两种安装模式,两种引导场景支持的grub相关包默认都安装,当用户选择legacy BIOS模式安装时,形成空链接文件“/etc/grub2-efi.cfg”;当用户选择UEFI模式安装时,会形成空链接文件“/etc/grub2.cfg”,需要用户根据实际情况处理空链接。 + +### 实现 + +1. 通过如下命令查找系统中的空链接文件。 + + ``` + find dirname -type l -follow 2>/dev/null + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + > dirname为搜索目录的名称,通常需要关注系统关键目录:/bin、/boot、/usr、/lib64、/lib、/var等。 + +2. 
如果此类文件无实际作用,可通过如下命令删除。 + + ``` + rm -f filename + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >filename为[步骤1](#zh-cn_topic_0152100319_l4dc74664c4fb400aaf91fb314c4f9da6)找出的文件名。 + + +## 设置守护进程的umask值 + +### 说明 + +umask值用来为新创建的文件和目录设置缺省权限。如果没有设定umask值,则生成的文件具有全局可写权限,存在一定的风险。守护进程负责系统上某个服务,让系统可以接受来自用户或者是网络客户的要求。为了提高守护进程所创建文件和目录的安全性,建议设置其umask值为0027。umask值代表的是权限的“补码”,umask值和权限的换算方法请参见 "附录 > umask值含义" 。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>openEuler默认已设置守护进程的umask值为0022。 + +### 实现 + +在配置文件/etc/sysconfig/init中新增一行:umask 0027。 + +## 为全局可写目录添加粘滞位属性 + +### 说明 + +任意用户可以删除、修改全局可写目录中的文件和目录,为了确保全局可写目录中的文件和目录不会被任意删除,需要为全局可写目录添加粘滞位属性。 + +### 实现 + +1. 搜索全局可写目录。 + + ``` + find / -type d -perm -0002 ! -perm -1000 -ls | grep -v proc + ``` + +2. 为全局可写目录添加粘滞位属性。dirname 为实际查找到的目录名。 + + ``` + chmod +t dirname + ``` + + +## 删除非授权文件的全局可写属性 + +### 说明 + +全局可写文件可被系统中的任意用户修改,影响系统完整性。 + +### 实现 + +1. 列举系统中所有的全局可写文件。 + + ``` + find / -type d \( -perm -o+w \) | grep -v procfind / -type f \( -perm -o+w \) | grep -v proc + ``` + +2. 查看步骤1列举的所有文件\(粘滞位位的文件和目录可以排除在外\),删除文件或去掉其全局可写权限。使用以下命令去掉权限,其中filename为对应文件名: + + ``` + chmod o-w filename + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >可通过如下命令确定对应文件或目录是否设置了粘滞位,若回显中包含T标记,则为粘滞位文件或目录。命令中的filename为需要查询文件或目录的名称。 + >``` + >ls -l filename + >``` + + +## 限制at命令的使用权限 + +### 说明 + +at命令用于创建在指定时间自动执行的任务。为避免任意用户通过at命令安排工作,造成系统易受攻击,需要指定可使用该命令的用户。 + +### 实现 + +1. 删除/etc/at.deny文件。 + + ``` + rm -f /etc/at.deny + ``` + +2. 将/etc/at.allow的文件属主改为root:root。 + + ``` + chown root:root /etc/at.allow + ``` + +3. 控制/etc/at.allow的文件权限,仅root可操作。 + + ``` + chmod og-rwx /etc/at.allow + ``` + + +## 限制cron命令的使用权限 + +### 说明 + +cron命令用于创建例行性任务。为避免任意用户通过cron命令安排工作,造成系统易受攻击,需要指定可使用该命令的用户。 + +### 实现 + +1. 删除/etc/cron.deny文件。 + + ``` + rm -f /etc/cron.deny + ``` + +2. 将/etc/cron.allow的文件属主改为root:root。 + + ``` + chown root:root /etc/cron.allow + ``` + +3. 
控制/etc/cron.allow的文件权限,仅root可操作。 + + ``` + chmod og-rwx /etc/cron.allow + ``` + + +## 限制sudo命令的使用权限 + +### 说明 + +sudo命令用于普通用户以root权限执行命令。为了增强系统安全性,有必要对sudo命令的使用权进行控制,只允许root使用sudo命令,限制其他帐户使用。openEuler默认未限制非root用户使用sudo命令的权限。 + +### 实现 + +sudo命令的使用控制通过修改/etc/sudoers文件实现,需要注释掉如下配置行: + +``` +#%wheel ALL=(ALL) ALL +``` diff --git "a/docs/zh/docs/SecHarden/\347\263\273\347\273\237\346\234\215\345\212\241.md" "b/docs/zh/docs/SecHarden/\347\263\273\347\273\237\346\234\215\345\212\241.md" new file mode 100644 index 0000000000000000000000000000000000000000..13049d47053fe826043ebc9ac44208a944f88424 --- /dev/null +++ "b/docs/zh/docs/SecHarden/\347\263\273\347\273\237\346\234\215\345\212\241.md" @@ -0,0 +1,467 @@ +# 系统服务 + +- [系统服务](#系统服务) + - [加固SSH服务](#加固SSH服务) + + +## 加固SSH服务 + +### 说明 + +SSH(Secure Shell)是目前较可靠,专为远程登录会话和其他网络服务提供安全性保障的协议。利用SSH协议可以有效防止远程管理过程中的信息泄露问题。透过SSH可以对所有传输的数据进行加密,并防止DNS欺骗和IP欺骗。OpenSSH是SSH协议的免费开源实现。 + +加固SSH服务,是指修改SSH服务中的配置来设置系统使用OpenSSH协议时的算法、认证等参数,从而提高系统的安全性。[表1](#zh-cn_topic_0152100390_ta2fdb8e4931b4c1a8f502b3c7d887b95)中详细说明了各加固项含义、建议加固值及其默认策略。 + +### 实现 + +服务端加固操作如下: + +1. 打开服务端SSH服务的配置文件/etc/ssh/sshd\_config,在该文件中修改或添加对应加固项及其加固值。 +2. 保存/etc/ssh/sshd\_config文件。 +3. 重启SSH服务,命令如下: + + ``` + systemctl restart sshd + ``` + + +客户端加固操作如下: + +1. 打开客户端SSH服务的配置文件/etc/ssh/ssh\_config,在该文件中修改或添加对应加固项及其加固值。 +2. 保存/etc/ssh/ssh\_config文件。 +3. 重启SSH服务,命令如下: + + ``` + systemctl restart sshd + ``` + + +### 加固项说明 + +- 服务端加固策略 + + SSH服务的所有加固项均保存在配置文件/etc/ssh/sshd\_config中,服务端各加固项的含义、加固建议以及openEuler默认是否已经加固为建议加固值请参见[表1](#zh-cn_topic_0152100390_ta2fdb8e4931b4c1a8f502b3c7d887b95)。 + + **表 1** SSH服务端加固项说明 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

加固项

+

加固项说明

+

加固建议

+

openEuler默认是否已加固为建议值

+

Protocol

+

设置使用SSH协议的版本

+

2

+

+

SyslogFacility

+

设置SSH服务的日志类型。加固策略将其设置为“AUTH”,即认证类日志

+

AUTH

+

+

LogLevel

+

设置记录sshd日志消息的层次

+

VERBOSE

+

+

X11Forwarding

+

设置使用SSH登录后,能否使用图形化界面

+

no

+

+

MaxAuthTries

+

最大认证尝试次数

+

3

+

+

PubkeyAuthentication

+

设置是否允许公钥认证。

+

yes

+

+

RSAAuthentication

+

设置是否允许只有RSA安全验证

+

yes

+

+

IgnoreRhosts

+

设置是否使用rhosts文件和shosts文件进行验证。rhosts文件和shosts文件用于记录可以访问远程计算机的计算机名及关联的登录名

+

yes

+

+

RhostsRSAAuthentication

+

设置是否使用基于rhosts的RSA算法安全验证。rhosts文件记录可以访问远程计算机的计算机名及关联的登录名

+

no

+

+

HostbasedAuthentication

+

设置是否使用基于主机的验证。基于主机的验证是指已信任客户机上的任何用户都可以使用SSH连接

+

no

+

+

PermitRootLogin

+

+

是否允许root账户直接使用SSH登录系统

+
说明:

若需要直接使用root账户通过SSH登录系统,请修改/etc/ssh/sshd_config文件的PermitRootLogin字段的值为yes。

+
+

no

+

+

PermitEmptyPasswords

+

设置是否允许用口令为空的账号登录

+

no

+

+

PermitUserEnvironment

+

设置是否解析 ~/.ssh/environment和~/.ssh/authorized_keys中设定的环境变量

+

no

+

+

Ciphers

+

设置SSH数据传输的加密算法

+

aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com

+

+

ClientAliveCountMax

+

设置超时次数。服务器发出请求后,客户端没有响应的次数达到一定值,连接自动断开

+

0

+

+

Banner

+

指定登录SSH前后显示的提示信息的文件

+

/etc/issue.net

+

+

MACs

+

设置SSH数据校验的哈希算法

+

hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com

+

+

StrictModes

+

设置SSH在接收登录请求之前是否检查用户HOME目录和rhosts文件的权限和所有权

+

yes

+

+

UsePAM

+

使用PAM登录认证

+

yes

+

+

AllowTcpForwarding

+

设置是否允许TCP转发

+

no

+

+

Subsystem sftp /usr/libexec/openssh/sftp-server

+

sftp日志记录级别,记录INFO级别以及认证日志。

+

-l INFO -f AUTH

+

+

AllowAgentForwarding

+

设置是否允许SSH Agent转发

+

no

+

+

GatewayPorts

+

设置是否允许连接到转发客户端端口

+

no

+

+

PermitTunnel

+

Tunnel设备是否允许使用

+

no

+

+

KexAlgorithms

+

设置SSH密钥交换算法

+

curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group-exchange-sha256

+
  

LoginGraceTime

+

限制用户必须在指定的时限内认证成功,0 表示无限制。默认值是 60 秒。

+

60

+

+
+ + >![](./public_sys-resources/icon-note.gif) **说明:** + >默认情况下,登录SSH前后显示的提示信息保存在/etc/issue.net文件中,/etc/issue.net默认信息为“Authorized users only. All activities may be monitored and reported.”。 + + +- 客户端加固策略 + + SSH服务的所有加固项均保存在配置文件/etc/ssh/ssh\_config中,客户端各加固项的含义、加固建议以及openEuler默认是否已经加固为建议加固值请参见[表2](#zh-cn_topic_0152100390_tb289c5a6f1c7420ab4339187f9018ea4)。 + + **表 2** SSH客户端加固项说明 + + + + + + + + + + + + + + + + + + + +

加固项

+

加固项说明

+

加固建议

+

openEuler默认是否已加固为建议值

+

KexAlgorithms

+

设置SSH密钥交换算法

+

ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

+

+

VerifyHostKeyDNS

+

是否使用DNS或者SSHFP资源记录验证HostKey

+

ask

+

+
+ + >![](./public_sys-resources/icon-note.gif) **说明:** + >对于使用dh算法进行密钥交换的第三方客户端和服务端工具,要求允许建立连接的最低长度为2048bits。 + + +### 其他安全建议 + +- SSH服务仅侦听指定IP地址 + + 出于安全考虑,建议用户在使用SSH服务时,仅在必需的IP上进行绑定侦听,而不是侦听0.0.0.0,可修改/etc/ssh/sshd\_config文件中的ListenAddress配置项。 + + 1. 打开并修改/etc/ssh/sshd\_config文件 + + ``` + vi /etc/ssh/sshd_config + ``` + + 修改内容如下,表示绑定侦听IP为 _192.168.1.100_,用户可根据实际情况修改需要侦听的IP + + ``` + ... + ListenAddress 192.168.1.100 + ... + ``` + + 2. 重启SSH服务 + + ``` + systemctl restart sshd.service + ``` + + + +- 限制SFTP用户向上跨目录访问 + + SFTP是FTP over SSH的安全FTP协议,对于访问SFTP的用户建议使用专用账号,只能上传或下载文件,不能用于SSH登录,同时对SFTP可以访问的目录进行限定,防止目录遍历攻击,具体配置如下: + + >![](./public_sys-resources/icon-note.gif) **说明:** + >sftpgroup为示例用户组,sftpuser为示例用户名。 + + 1. 创建SFTP用户组 + + ``` + groupadd sftpgroup + ``` + + 2. 创建SFTP根目录 + + ``` + mkdir /sftp + ``` + + 3. 修改SFTP根目录属主和权限 + + ``` + chown root:root /sftp + chmod 755 /sftp + ``` + + 4. 创建SFTP用户 + + ``` + useradd -g sftpgroup -s /sbin/nologin sftpuser + ``` + + 5. 设置SFTP用户的口令 + + ``` + passwd sftpuser + ``` + + 6. 创建SFTP用户上传目录 + + ``` + mkdir /sftp/sftpuser + ``` + + 7. 修改SFTP用户上传目录属主和权限 + + ``` + chown root:root /sftp/sftpuser + chmod 777 /sftp/sftpuser + ``` + + 8. 修改/etc/ssh/sshd\_config文件 + + ``` + vi /etc/ssh/sshd_config + ``` + + 修改内容如下: + + ``` + #Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH + Subsystem sftp internal-sftp -l INFO -f AUTH + ... + + Match Group sftpgroup + ChrootDirectory /sftp/%u + ForceCommand internal-sftp + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >- %u代表当前sftp用户的用户名,这是一个通配符,用户原样输入即可。 + >- 以下内容必须加在/etc/ssh/sshd\_config文件的末尾。 + > ``` + > Match Group sftpgroup + > ChrootDirectory /sftp/%u + > ForceCommand internal-sftp + > ``` + + 9. 
重启SSH服务 + + ``` + systemctl restart sshd.service + ``` + + + +- SSH远程执行命令 + + OpenSSH通用机制,在远程执行命令时,默认不开启tty,如果执行需要密码的命令,密码会明文回显。出于安全考虑,建议用户增加-t选项,确保密码输入安全。如下: + + ``` + ssh -t testuser@192.168.1.100 su + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >192.168.1.100为示例IP,testuser为示例用户。 + diff --git "a/docs/zh/docs/SecHarden/\350\264\246\346\210\267\345\217\243\344\273\244.md" "b/docs/zh/docs/SecHarden/\350\264\246\346\210\267\345\217\243\344\273\244.md" new file mode 100644 index 0000000000000000000000000000000000000000..3466ee9c29cc37411146f9696ee235dd73ea3d57 --- /dev/null +++ "b/docs/zh/docs/SecHarden/\350\264\246\346\210\267\345\217\243\344\273\244.md" @@ -0,0 +1,330 @@ +# 账户口令 + +- [账户口令](#账户口令) + - [屏蔽系统帐户](#屏蔽系统帐户) + - [限制使用su命令的帐户](#限制使用su命令的帐户) + - [设置口令复杂度](#设置口令复杂度) + - [设置口令有效期](#设置口令有效期) + - [设置口令的加密算法](#设置口令的加密算法) + - [登录失败超过三次后锁定](#登录失败超过三次后锁定) + - [加固su命令](#加固su命令) + + +## 屏蔽系统帐户 + +### 说明 + +除了用户帐户外,其他账号称为系统账户。系统账户仅系统内部使用,禁止用于登录系统或其他操作,因此屏蔽系统账户。 + +### 实现 + +将系统帐户的Shell修改为/sbin/nologin。 + +``` +usermod -L -s /sbin/nologin $systemaccount +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +> $systemaccount 指系统帐户。 + +## 限制使用su命令的帐户 + +### 说明 + +su命令用于在不同帐户之间切换。为了增强系统安全性,有必要对su命令的使用权进行控制,只允许root和wheel群组的帐户使用su命令,限制其他帐户使用。 + +### 实现 + +su命令的使用控制通过修改/etc/pam.d/su文件实现,配置如下: + +``` +auth required pam_wheel.so use_uid +``` + +**表 1** pam\_wheel.so配置项说明 + + + + + + + + + + +

配置项

+

说明

+

use_uid

+

基于当前帐户的uid。

+
+ +## 设置口令复杂度 + +### 说明 + +用户可以通过修改对应配置文件设置口令的复杂度要求,建议用户根据实际情况设置口令复杂度。 + +### 实现 + +口令复杂度通过/etc/pam.d/password-auth和/etc/pam.d/system-auth文件中的pam\_pwquality.so和pam\_pwhistory.so模块实现。用户可以通过修改这两个模块中的配置项修改口令复杂度要求。 + +### 设置举例 + +这里给出一个配置口令复杂度的例子,供用户参考。 + +**密码复杂度要求** + +1. 口令长度至少8个字符。 +2. 口令必须包含如下至少3种字符的组合: + + -至少一个小写字母 + + -至少一个大写字母 + + -至少一个数字 + + -至少一个特殊字符:\`\~!@\#$%^&\*\(\)-\_=+\\|\[\{\}\];:'",<.\>/?和空格 + +3. 口令不能和帐号或者帐号的倒写一样。 +4. 不能修改为过去5次使用过的旧口令。 + +**配置实现** + +在/etc/pam.d/password-auth和/etc/pam.d/system-auth文件中添加如下配置内容: + +``` +password requisite pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0 +password required pam_pwhistory.so use_authtok remember=5 enforce_for_root +``` + +**配置项说明** + +pam\_pwquality.so和pam\_pwhistory.so的配置项请分别参见[表2](#table201221044172117)和[表3](#table1212544452120)。 + +**表 2** pam\_pwquality.so配置项说明 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

配置项

+

说明

+

minlen=8

+

口令长度至少包含8个字符

+

minclass=3

+

口令至少包含大写字母、小写字母、数字和特殊字符中的任意3种

+

ucredit=0

+

口令包含任意个大写字母

+

lcredit=0

+

口令包含任意个小写字母

+

dcredit=0

+

口令包含任意个数字

+

ocredit=0

+

口令包含任意个特殊字符

+

retry=3

+

每次修改最多可以尝试3次

+

enforce_for_root

+

本设置对root帐户同样有效

+
+ +**表 3** pam\_pwhistory.so配置项说明 + + + + + + + + + + + + + +

配置项

+

说明

+

remember=5

+

口令不能修改为过去5次使用过的旧口令

+

enforce_for_root

+

本设置对root帐户同样有效

+
+ +## 设置口令有效期 + +### 说明 + +出于系统安全性考虑,建议设置口令有效期限,且口令到期前通知用户更改口令。 + +### 实现 + +口令有效期的设置通过修改/etc/login.defs文件实现,加固项如[表7](#zh-cn_topic_0152100281_t77b5d0753721450c81911c18b74e82eb)所示。表中所有的加固项都在文件/etc/login.defs中。表中字段直接通过修改配置文件完成。 + +**表 4** login.defs配置项说明所示 + + + + + + + + + + + + + + + + + + + + + + + + +

加固项

+

加固项说明

+

建议加固

+

openEuler默认是否已加固为建议值

+

PASS_MAX_DAYS

+

口令最大有效期

+

90

+

+

PASS_MIN_DAYS

+

两次修改口令的最小间隔时间

+

0

+

+

PASS_WARN_AGE

+

口令过期前开始提示天数

+

7

+

+
+ +>![](./public_sys-resources/icon-note.gif) **说明:** +>login.defs是设置用户帐号限制的文件,可配置口令的最大过期天数、最大长度约束等。该文件里的配置对root用户无效。如果/etc/shadow文件里有相同的选项,则以/etc/shadow配置为准,即/etc/shadow的配置优先级高于/etc/login.defs。口令过期后用户重新登录时,提示口令过期并强制要求修改,不修改则无法进入系统。 + +## 设置口令的加密算法 + +### 说明 + +出于系统安全考虑,口令不允许明文存储在系统中,应该加密保护。在不需要还原口令的场景,必须使用不可逆算法加密。设置口令的加密算法为sha512,openEuler默认已设置。通过上述设置可以有效防范口令泄露,保证口令安全。 + +### 实现 + +口令的加密算法设置通过修改/etc/pam.d/password-auth和/etc/pam.d/system-auth文件实现,添加如下配置: + +``` +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +``` + +**表 5** pam\_unix.so配置项说明 + + + + + + + + + + +

配置项

+

说明

+

sha512

+

使用sha512算法对口令加密。

+
+ +## 登录失败超过三次后锁定 + +### 说明 + +为了保障用户系统的安全,建议用户设置口令出错次数的阈值(建议3次),以及由于口令尝试被锁定用户的自动解锁时间(建议300秒)。 + +用户锁定期间,任何输入被判定为无效,锁定时间不因用户的再次输入而重新计时;解锁后,用户的错误输入记录被清空。通过上述设置可以有效防范口令被暴力破解,增强系统的安全性。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>openEuler默认口令出错次数的阈值为3次,系统被锁定后自动解锁时间为60秒。 + +### 实现 + +口令复杂度的设置通过修改/etc/pam.d/password-auth和/etc/pam.d/system-auth文件实现,设置口令最大的出错次数3次,系统锁定后的解锁时间为300秒的配置如下: + +``` +auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300 +auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300 +``` + +**表 6** pam\_faillock.so配置项说明 + + + + + + + + + + + + + + + + + + + +

配置项

+

说明

+

authfail

+

捕获用户登录失败的事件。

+

deny=3

+

用户连续登录失败次数超过3次即被锁定。

+

unlock_time=300

+

普通用户自动解锁时间为300秒(即5分钟)。

+

even_deny_root

+

同样限制root帐户。

+
+ +## 加固su命令 + +### 说明 + +为了增强系统安全性,防止使用“su”切换用户时将当前用户环境变量带入其他环境,openEuler默认已做配置。总是在使用su切换用户时初始化PATH。 + +### 实现 + +通过修改/etc/login.defs实现,配置如下: + +``` +ALWAYS_SET_PATH=yes +``` diff --git "a/docs/zh/docs/SecHarden/\351\231\204\345\275\225.md" "b/docs/zh/docs/SecHarden/\351\231\204\345\275\225.md" new file mode 100644 index 0000000000000000000000000000000000000000..e5711922813d45488e7fc299c724c80259caad80 --- /dev/null +++ "b/docs/zh/docs/SecHarden/\351\231\204\345\275\225.md" @@ -0,0 +1,38 @@ +# 附录 + +介绍文件权限的含义和umask值的含义。 + + + +- [附录](#附录) + - [文件和目录权限含义](#文件和目录权限含义) + - [umask值含义](#umask值含义) + + + + + +## 文件和目录权限含义 + +Linux系统中文件和目录权限用于限定谁能通过何种方式对文件和目录进行访问和操作。文件和目录的访问权限分为只读,只写和可执行三种。 + +有三种不同类型的用户可对文件和目录进行访问: + +- 文件所有者:文件的创建者。 +- 同组用户:与文件所有者在同一个属组的用户。 +- 其他用户:与文件所有者不在同一个属组的用户。 + +文件和目录的权限含义通过以下例子说明: + +假设/usr/src的权限为755,将每位数字转化为二进制后为:111101101,含义如下: + +- 左侧三个bit位111表示文件所有者的权限依次为:可读、可写、可执行。 +- 中间三个bit位101表示同组用户的权限依次为:可读、不可写、可执行。 +- 右侧三个bit位101表示其他用户的权限依次为:可读、不可写、可执行。 + +## umask值含义 + +当用户新创建文件或目录时,该文件或目录具有一个缺省权限。该缺省权限由umask值来指定。 + +umask值代表的是权限的“补码”,即用缺省最大权限值减去umask值得到实际权限值。文件的缺省最大权限为可读可写,目录的缺省最大权限为可读可写可执行。即一个文件的实际缺省权限为666减去umask值。目录的实际缺省权限为777减去umask值。 + diff --git a/docs/zh/docs/StratoVirt/StratoVirtGuide.md b/docs/zh/docs/StratoVirt/StratoVirtGuide.md new file mode 100644 index 0000000000000000000000000000000000000000..f4a7fc9fb1c17a06728a1d5f91eecee87e4e654d --- /dev/null +++ b/docs/zh/docs/StratoVirt/StratoVirtGuide.md @@ -0,0 +1,4 @@ +# StratoVirt用户指南 + +本文档介绍Stratovirt虚拟化,并给出基于openEuler安装StratoVirt的方法,以及StratoVirt虚拟化的使用指导。让用户了解Stratovirt,并指导用户和管理员安装和使用StratoVirt。 + diff --git "a/docs/zh/docs/StratoVirt/StratoVirt\344\273\213\347\273\215.md" "b/docs/zh/docs/StratoVirt/StratoVirt\344\273\213\347\273\215.md" new file mode 100644 index 0000000000000000000000000000000000000000..72e75abf4f54e7b43f82e86009b22366e33cefd6 --- /dev/null +++ "b/docs/zh/docs/StratoVirt/StratoVirt\344\273\213\347\273\215.md" 
@@ -0,0 +1,25 @@ +# StratoVirt介绍 + + +## 概述 + +StratoVirt是计算产业中面向云数据中心的企业级虚拟化平台,实现了一套架构统一支持虚拟机、容器、Serverless三种场景。StratoVirt在轻量低噪、软硬协同、Rust语言级安全等方面具备关键技术竞争优势。 +StratoVirt在架构设计和接口上预留了组件化拼装的能力和接口,StratoVirt可以按需灵活组装高级特性直至演化到支持标准虚拟化,在特性需求、应用场景和轻快灵巧之间找到最佳的平衡点。 + + + +## 架构说明 + +StratoVirt核心架构自顶向下分为三层: + +- OCI兼容接口:兼容QMP(QEMU Machine Protocol)协议,具有完备的OCI兼容能力。 +- BootLoader:抛弃传统BIOS+GRUB的启动模式,实现了更轻更快的Bootloader。 +- MicroVM:虚拟化层,充分利用软硬协同能力,精简化设备模型;低时延资源伸缩能力。 + +整体架构视图如**图1**所示。 + +**图1** StratoVirt整体架构图 + +![](./figures/StratoVirt_architecture.png) + + diff --git a/docs/zh/docs/StratoVirt/figures/StratoVirt_architecture.png b/docs/zh/docs/StratoVirt/figures/StratoVirt_architecture.png new file mode 100644 index 0000000000000000000000000000000000000000..fd1a07a5458b2b2a61ca062d8ec68d533dd6df20 Binary files /dev/null and b/docs/zh/docs/StratoVirt/figures/StratoVirt_architecture.png differ diff --git a/docs/zh/docs/StratoVirt/figures/zh-cn_image_0218587436.png b/docs/zh/docs/StratoVirt/figures/zh-cn_image_0218587436.png new file mode 100644 index 0000000000000000000000000000000000000000..a32856aa08e459ed0f51f8fcf4c2f51511c12095 Binary files /dev/null and b/docs/zh/docs/StratoVirt/figures/zh-cn_image_0218587436.png differ diff --git a/docs/zh/docs/StratoVirt/figures/zh-cn_image_note.png b/docs/zh/docs/StratoVirt/figures/zh-cn_image_note.png new file mode 100644 index 0000000000000000000000000000000000000000..8d5a343524e14d11a3e2a94be4066fbb2d20599e Binary files /dev/null and b/docs/zh/docs/StratoVirt/figures/zh-cn_image_note.png differ diff --git a/docs/zh/docs/StratoVirt/figures/zh-cn_image_to_know.png b/docs/zh/docs/StratoVirt/figures/zh-cn_image_to_know.png new file mode 100644 index 0000000000000000000000000000000000000000..d245d48dc07e2b01734e21ec1952e89fa9269bdb Binary files /dev/null and b/docs/zh/docs/StratoVirt/figures/zh-cn_image_to_know.png differ 
diff --git "a/docs/zh/docs/StratoVirt/\345\207\206\345\244\207\344\275\277\347\224\250\347\216\257\345\242\203.md" "b/docs/zh/docs/StratoVirt/\345\207\206\345\244\207\344\275\277\347\224\250\347\216\257\345\242\203.md" new file mode 100644 index 0000000000000000000000000000000000000000..86301af21593070428c442036464af45ed471a86 --- /dev/null +++ "b/docs/zh/docs/StratoVirt/\345\207\206\345\244\207\344\275\277\347\224\250\347\216\257\345\242\203.md" 
@@ -0,0 +1,153 @@ +# 准备环境 + + +## 使用说明 + +- StratoVirt仅支持运行于x86_64和AArch64处理器架构下并启动相同架构的Linux虚拟机。 +- 建议在 openEuler 21.03 版本编译、调测和部署该版本 StratoVirt。 +- StratoVirt支持以非root权限运行。 + +## 环境要求 + +运行StratoVirt需要具备如下环境: + +- /dev/vhost-vsock设备(用于实现mmio) +- nmap工具 +- Kernel镜像和rootfs镜像 + + + +## 准备设备和工具 + +- StratoVirt运行需要实现mmio设备,所以运行之前确保存在设备`/dev/vhost-vsock` + + 查看该设备是否存在: + + ``` + $ ls /dev/vhost-vsock + /dev/vhost-vsock + ``` + + 若该设备不存在,请执行如下命令生成/dev/vhost-vsock设备。 + + ``` + $ modprobe vhost_vsock + ``` + + +- 为了能够使用QMP命令,需要安装nmap工具,在配置yum源的前提下,可执行如下命令安装nmap。 + + ``` + # yum install nmap + ``` + +## 准备镜像 + +### 制作kernel镜像 + +当前版本的StratoVirt仅支持x86_64和AArch64平台的PE格式内核镜像。此格式内核映像可通过以下方法生成。 + +1. 获取openEuler的kernel源代码,参考命令如下: + + ``` + $ git clone https://gitee.com/openeuler/kernel + $ cd kernel + ``` + +2. 查看并切换kernel的版本到4.19,参考命令如下: + + ``` + $ git checkout kernel-4.19 + ``` + +3. 配置并编译Linux kernel。可使用推荐配置([获取配置文件](https://gitee.com/openeuler/stratovirt/tree/master/docs/kernel_config)),将其复制到kernel路径下并重命名为`.config`。也可通过以下命令进行交互,根据提示完成kernel配置。 + + ``` + $ make menuconfig + ``` + +4. 使用下面的命令制作并转换kernel镜像为PE格式,转化后的镜像为vmlinux.bin。 + + ``` + $ make -j vmlinux && objcopy -O binary vmlinux vmlinux.bin + ``` + +5. 如果想在x86平台使用bzImzge格式的kernel,可以使用如下命令进行编译。 + + ``` + $ make -j bzImage + ``` + + + ​ + +## 制作rootfs镜像 + +rootfs镜像是一种文件系统镜像,在StratoVirt启动时可以装载带有init的ext4格式的镜像。下面是制作ext4 rootfs镜像的简单方法。 + +1. 准备一个大小合适的文件(例如在/home中创建10GiB空间大小的文件)。 + + ``` + $ cd /home + $ dd if=/dev/zero of=./rootfs.ext4 bs=1G count=10 + ``` + +2. 在此文件上创建空的ext4文件系统。 + + ``` + $ mkfs.ext4 ./rootfs.ext4 + ``` + +3. 挂载文件镜像。创建/mnt/rootfs,使用root权限,将rootfs.ext4挂载到/mnt/rootfs目录。 + + ``` + $ mkdir /mnt/rootfs + # 返回刚刚创建文件系统的目录(如/home) + $ cd /home + $ sudo mount ./rootfs.ext4 /mnt/rootfs && cd /mnt/rootfs + ``` + +4. 
获取对应处理器架构的最新alpine-mini rootfs。 + + - 如果是AArch64处理器架构,参考命令如下: + + ``` + $ wget http://dl-cdn.alpinelinux.org/alpine/latest-stable/releases/aarch64/alpine-minirootfs-3.12.0-aarch64.tar.gz + $ tar -zxvf alpine-minirootfs-3.12.0-aarch64.tar.gz + $ rm alpine-minirootfs-3.12.0-aarch64.tar.gz + ``` + + + - 如果是x86_64处理器架构,参考命令如下: + + ``` + $ wget http://dl-cdn.alpinelinux.org/alpine/latest-stable/releases/x86_64/alpine-minirootfs-3.12.0-x86_64.tar.gz + $ tar -zxvf alpine-minirootfs-3.12.0-x86_64.tar.gz + $ rm alpine-minirootfs-3.12.0-x86_64.tar.gz + ``` + + +5. 为ext4文件镜像制作一个简单的/sbin/init,参考命令如下: + + ``` + $ rm sbin/init; touch sbin/init && cat > sbin/init < { "return": { "running": true,"singlestep": false,"status": "running" } +``` + + + +### 查询拓扑 + +使用query-cpus命令查询所有CPU的拓扑结构。 + +- 用法: + +**{ "execute": "query-cpus" }** + +- 示例: + +``` +<- { "execute": "query-cpus" } +-> {"return":[{"CPU":0,"arch":"x86","current":true,"halted":false,"props":{"core-id":0,"socket-id":0,"thread-id":0},"qom_path":"/machine/unattached/device[0]","thread_id":8439},{"CPU":1,"arch":"x86","current":true,"halted":false,"props":{"core-id":0,"socket-id":1,"thread-id":0},"qom_path":"/machine/unattached/device[1]","thread_id":8440}]} +``` + +### 查询vCPU上线情况 + +使用query-hotpluggable-cpus命令查询所有vCPU的online/offline情况。 + +- 用法: + +**{ "execute": "query-hotpluggable-cpus" }** + +- 示例: + +``` +<- { "execute": "query-hotpluggable-cpus" } +-> {"return":[{"props":{"core-id":0,"socket-id":0,"thread-id":0},"qom-path":"/machine/unattached/device[0]","type":"host-x86-cpu","vcpus-count":1},{"props":{"core-id":0,"socket-id":1,"thread-id":0},"qom-path":"/machine/unattached/device[1]","type":"host-x86-cpu","vcpus-count":1}]} +``` + +其中,online的vCPU具有`qom-path`项,offline的vCPU则没有。 + + + +## 管理虚拟机生命周期 + +### 简介 + +StratoVirt可以对虚拟机进行启动、暂停、恢复、退出等生命周期进行管理。 + +### 创建并启动虚拟机 + +根据虚拟机配置可知,可以通过命令行参数或json文件指定虚拟机配置,并在主机通过stratovirt命令创建并启动虚拟机。 + +- 使用命令行参数给出虚拟机配置,创建并启动虚拟机的命令如下: + +``` +$ /path/to/stratovirt -[参数1] [参数选项] -[参数2] [参数选项] 
... +``` + + + +- 使用json文件给出虚拟机配置,创建并启动虚拟机的命令如下: + +``` +$ /path/to/stratovirt \ + -config /path/to/json \ + -api-channel unix:/path/to/socket +``` + +其中,/path/to/json为json配置文件的路径。/path/to/socket为用户指定的socket文件(如/tmp/stratovirt.socket),使用上述命令会自动创建socket文件。为确保虚拟机能够正常启动,在创建socket文件前确保该文件不存在。 + + + +> ![](./figures/zh-cn_image_0218587436.png) +> +> 虚拟机启动后,内部会有eth0和eth1两张网卡。这两张网卡预留用于网卡热插拔。热插的第一张网卡是eth0,热插的第二张网卡是eth1,目前只支持热插2张virtio-net网卡。 + + + +### 连接虚拟机 + +StratoVirt当前采用QMP管理虚拟机,暂停、恢复、退出虚拟机等操作需要通过QMP连接到虚拟机进行管理。 + +在主机上打开新的命令行窗口B,并使用root权限进行api-channel连接,参考命令如下: + +``` +# ncat -U /path/to/socket +``` + +连接建立后,会收到来自StratoVirt的问候消息,如下所示: + +``` +{"QMP":{"version":{"qemu":{"micro":1,"minor":0,"major":4},"package":""},"capabilities":[]}} +``` + +现在,可以在窗口B中输入QMP命令来管理虚拟机。 + + + +> ![](./figures/zh-cn_image_0218587436.png) +> +> QMP提供了stop、cont、quit和query-status等来管理和查询虚拟机状态。 +> +> 管理虚拟机的QMP命令均在窗口B中进行输入。符号:`<-`表示命令输入,`->`表示QMP结果返回。 + + + + + +### 暂停虚拟机 + +QMP提供了stop命令用于暂停虚拟机,即暂停虚拟机所有的vCPU。命令格式如下: + +**{"execute":"stop"}** + +**示例:** + +使用stop暂停该虚拟机的命令和回显如下: + +``` +<- {"execute":"stop"} +-> {"event":"STOP","data":{},"timestamp":{"seconds":1583908726,"microseconds":162739}} +-> {"return":{}} +``` + + + + + +### 恢复虚拟机 + +QMP提供了cont命令用于恢复处于暂停状态suspend的虚拟机,即恢复虚拟机所有vCPU的运行。命令格式如下: + +**{"execute":"cont"}** + +**示例:** + +使用cont恢复该虚拟机的命令和回显如下: + +``` +<- {"execute":"cont"} +-> {"event":"RESUME","data":{},"timestamp":{"seconds":1583908853,"microseconds":411394}} +-> {"return":{}} +``` + + + + + +### 退出虚拟机 + +QMP提供了quit命令用于退出虚拟机,即退出StratoVirt进程。命令格式如下: + +**{"execute":"quit"}** + +**示例:** + +``` +<- {"execute":"quit"} +-> {"return":{}} +-> {"event":"SHUTDOWN","data":{"guest":false,"reason":"host-qmp-quit"},"timestamp":{"ds":1590563776,"microseconds":519808}} +``` + + + +## 管理虚拟机资源 + +### 热插拔磁盘 + +StratoVirt支持在虚拟机运行过程中调整磁盘数量,即在不中断业务前提下,增加或删除虚拟机磁盘。 + +#### 热插磁盘 + +**用法:** + +``` +{"execute": "blockdev-add", "arguments": {"node-name": "drive-0", "file": {"driver": "file", "filename": 
"/path/to/block"}, "cache": {"direct": true}, "read-only": false}} +{"execute": "device_add", "arguments": {"id": "drive-0", "driver": "virtio-blk-mmio", "addr": "0x1"}} +``` + +**参数** + +- blockdev-add中的node-name要和device_add中的id一致,如上都是drive-0。 + +- /path/to/block是被热插磁盘的镜像路径,不能是启动rootfs的磁盘镜像。 +- 对于addr来说,它从0x0开始与虚拟机的vda映射,0x1与vdb映射,以此类推。为了兼容QMP协议,"addr"也可以用"lun"代替,但是lun=0与客户机的vdb映射。 +- 由于stratovirt支持的最大virtio-blk磁盘数量是6个,热插磁盘时请注意规格约束。 + + +**示例** + +``` +<- {"execute": "blockdev-add", "arguments": {"node-name": "drive-0", "file": {"driver": "file", "filename": "/path/to/block"}, "cache": {"direct": true}, "read-only": false}} +-> {"return": {}} +<- {"execute": "device_add", "arguments": {"id": "drive-0", "driver": "virtio-blk-mmio", "addr": "0x1"}} +-> {"return": {}} +``` + + + +#### 热拔磁盘 + +**用法:** + +**{"execute": "device_del", "arguments": {"id":"drive-0"}}** + +**参数:** + +id 为热拔磁盘的ID号。 + +**示例** + +``` +<- {"execute": "device_del", "arguments": {"id": "drive-0"}} +-> {"event":"DEVICE_DELETED","data":{"device":"drive-0","path":"drive-0"},"timestamp":{"seconds":1598513162,"microseconds":367129}} +-> {"return": {}} +``` + + + +### 热插拔网卡 + +StratoVirt支持在虚拟机运行过程中调整网卡数量,即在不中断业务前提下,给虚拟机增加或删除网卡。 + +#### 热插网卡 + +**准备工作(需要使用root权限)** + +1. 创建并启用Linux网桥,例如网桥名为 qbr0 的参考命令如下: + +```shell +# brctl addbr qbr0 +# ifconfig qbr0 up +``` + +2. 创建并启用 tap 设备,例如设备名为 tap0 的参考命令如下: + +```shell +# ip tuntap add tap0 mode tap +# ifconfig tap0 up +``` + +3. 
添加 tap 设备到网桥: + +```shell +# brctl addif qbr0 tap0 +``` + + +**用法** + +``` +{"execute":"netdev_add", "arguments":{"id":"net-0", "ifname":"tap0"}} +{"execute":"device_add", "arguments":{"id":"net-0", "driver":"virtio-net-mmio", "addr":"0x0"}} +``` + +**参数** + +- netdev_add中的id应该和device_add中的id一致,ifname是后端的tap设备名称。 + +- 对于addr来说,它从0x0开始与虚拟机的eth0映射,0x1和虚拟机的eth1映射。 + +- 由于stratovirt支持的最大virtio-net数量为2个,热插网卡时请注意规格约束。 + + +**示例** + +``` +<- {"execute":"netdev_add", "arguments":{"id":"net-0", "ifname":"tap0"}} +-> {"return": {}} +<- {"execute":"device_add", "arguments":{"id":"net-0", "driver":"virtio-net-mmio", "addr":"0x0"}} +-> {"return": {}} +``` + +其中,addr:0x0,对应虚拟机内部的eth0。 + +#### 热拔网卡 + +**用法** + +**{"execute": "device_del", "arguments": {"id": "net-0"}}** + +**参数** + +id:网卡的ID号,例如net-0。 + +**示例** + +``` +<- {"execute": "device_del", "arguments": {"id": "net-0"}} +-> {"event":"DEVICE_DELETED","data":{"device":"net-0","path":"net-0"},"timestamp":{"seconds":1598513339,"microseconds":97310}} +-> {"return": {}} +``` + + + +## Ballon设备使用 + +使用balloon设备可以从虚拟机回收空闲的内存。Balloon通过qmp命令来调用。qmp命令使用如下: + +**用法:** + +``` +{"execute": "balloon", "arguments": {"value": 2147483648‬}} +``` + +**参数:** + +- value: 想要设置的guest内存大小值,单位为字节。如果该值大于虚拟机启动时配置的内存值,则以启动时配置的内存值为准。 + +**示例:** + +启动时配置的内存大小为4GiB,在虚拟机内部通过free命令查询虚拟机空闲内存大于2GiB,那么可以通过qmp命令设置guest内存大小为2147483648字节。 + +``` +<- {"execute": "balloon", "arguments": {"value": 2147483648‬}} +-> {"return": {}} +``` + +查询虚拟机的当前实际内存: + +``` +<- {"execute": "query-balloon"} +-> {"return":{"actual":2147483648}} +``` + diff --git "a/docs/zh/docs/StratoVirt/\350\231\232\346\213\237\346\234\272\351\205\215\347\275\256.md" "b/docs/zh/docs/StratoVirt/\350\231\232\346\213\237\346\234\272\351\205\215\347\275\256.md" new file mode 100644 index 0000000000000000000000000000000000000000..7c6328ae2cde29d3657082459f3d7899730f0b44 --- /dev/null +++ "b/docs/zh/docs/StratoVirt/\350\231\232\346\213\237\346\234\272\351\205\215\347\275\256.md" 
@@ -0,0 +1,621 @@ +# 虚拟机配置 + +## 基本配置 + +### 概述 + +不同于Libvirt通过xml文件配置虚拟机的方式,StratoVirt可以通过命令行参数指定配置,也可以通过json文件进行配置。配置包括虚拟机CPU、内存、磁盘等信息。这里给出两种方式的具体操作方法。 + +> ![](./figures/zh-cn_image_0218587436.png) +> +> 同时使用命令行配置和json文件配置时,以命令行配置为准。 +> +> 本文中的/path/to/socket为用户自定义路径下的socket文件。 + + + + + +### 规格说明 + +- 虚拟机CPU个数:[1, 254] +- 虚拟机内存大小:[256M, 512G] +- 虚拟机磁盘个数(包括热插的磁盘):[0, 6] +- 虚拟机网卡个数(包括热插的网卡):[0, 2] +- 虚拟机console设备仅支持单路连接 +- x86_64平台,最多可以配置11个mmio设备;但是除了磁盘和网卡,建议最多配置2个其他设备; AArch64平台,最多可以配置160个mmio设备;但是除了磁盘和网卡,建议最多配置12个其他设备。 + +### 最小配置 + +StratoVirt能够运行的最小配置为: + +- PE格式或bzImage格式(仅x86_64)的Linux内核镜像 +- 将rootfs镜像设置成virtio-blk设备,并添加到内核参数中 +- 使用api-channel来控制StratoVirt +- 如果要使用ttyS0登录,添加一个串口到启动命令行,并将ttyS0添加到内核参数中 + + + +### 命令行配置 + +**概述** + +命令行配置即通过命令行参数直接指定虚拟机配置内容。 + +**命令格式** + +使用cmdline配置的命令格式如下: + +**$ /path/to/stratovirt** *-[参数1] [参数选项] -[参数2] [参数选项] ...* + +**使用说明** + +1. 首先,为确保可以创建api-channel需要的socket,可以参考如下命令清理环境: + + ``` + $ rm [参数] [用户自定义socket文件路径] + ``` + + +2. 然后,运行cmdline命令。 + + ``` + $ /path/to/stratovirt -[参数1] [参数选项] -[参数2] [参数选项] ... 
+ ``` + + +**参数说明** + +cmdline命令行配置参数请参见下表: + +表1 :命令行配置参数说明 + +| 参数 | 参数选项 | 说明 | +| ---------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | +| -name | *VMname* | 配置虚拟机名称(字符长度:1-255字符) | +| -machine | `[type=vm_type]` `[,dump-guest-core=on]` `[,mem-share=off]` | 配置虚拟机类型,[详细说明](#虚拟机类型) | +| -kernel | /path/to/vmlinux.bin | 配置内核镜像 | +| -append | console=ttyS0 root=/dev/vda reboot=k panic=1 rw | 配置内核命令行参数 | +| -initrd | /path/to/initrd.img | 配置initrd文件 | +| -smp | [cpus=]个数 | 配置cpu个数,范围[1, 254] | +| -m | 内存大小(字节单位)、内存大小M(M单位)、内存大小G(G单位) | 配置内存大小,范围[256M, 512G] | +| -drive | id=rootfs,file=/path/to/rootfs[,readonly=false,direct=true,serial=serial_num,iothread=iothread1,iops=200] | 配置virtio-blk设备,[详细说明](#磁盘配置) | +| -netdev | id=iface_id,netdev=tap0[,mac=mac_address,iothread=iothread2] | 配置virtio-net设备,[详细说明](#net配置) | +| -chardev | id=console_id,path=/path/to/socket | 配置virtio-console,[详细说明](#console) | +| -device | vsock,id=vsock_id,guest-cid=3 | 配置vhost-vsock,[详细说明](#vsock) | +| -api-channel | unix:/path/to/socket | 配置api-channel,运行前须保证socket文件不存在 | +| -serial | stdio | 配置串口设备 | +| -D | /path/to/logfile | 配置日志文件 | +| -pidfile | /path/to/pidfile | 配置pid文件,必须和-daemonize一起使用。运行前须保证pid文件不存在 | +| -disable-seccomp | NA | 关闭Seccomp,默认打开 | +| -daemonize | NA | 开启进程daemon化 | +| -iothread | id="iothread1" | 配置iothread线程,[详细说明](#iothread配置) | +| -balloon | deflate-on-oom=true | 配置balloon设备,[详细说明](#balloon配置) | +| -mem-path | /dev/hugepages | 配置内存大页,[详细说明](#大页配置) | + + + +**配置示例** + +1. 删除socket文件,确保可以创建api-channel。 + + ``` + $ rm -f /tmp/stratovirt.socket + ``` + + +2. 
运行StratoVirt。 + + ``` + $ /path/to/stratovirt \ + -kernel /path/to/vmlinux.bin \ + -append console=ttyS0 root=/dev/vda rw reboot=k panic=1 \ + -drive file=/home/rootfs.ext4,id=rootfs,readonly=false \ + -api-channel unix:/tmp/stratovirt.socket \ + -serial stdio + ``` + + 运行成功后,将根据指定的配置参数创建并启动虚拟机。 + + + +### json配置 + + + +**概述** + +使用json文件配置即在运行StratoVirt创建虚拟机时,读取给定的json文件,该文件中包含了对虚拟机的相关配置。 + +**命令格式** + +使用json文件配置虚拟机的命令格式如下,其中 /path/to/json 为对应文件的路径。 + +**$ /path/to/stratovirt -config** */path/to/json -[参数] [参数选项]* + +**使用说明** + +1. 编写json文件,将虚拟机配置写入该文件。 + +2. 执行StratoVirt创建虚拟机。 + + ``` + $ /path/to/stratovirt -config /path/to/json -[参数] [参数选项] + ``` + +**参数说明** + +json文件中可配置字段及含义请参见下表: + +**表2**:配置文件的字段 + +| 配置参数 | 配置参数选项 | 说明 | +| -------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | +| boot-source | "kernel_image_path": "/path/to/vmlinux.bin","boot_args": "console=ttyS0 reboot=k panic=1 pci=off tsc=reliable ipv6.disable=1 root=/dev/vda quiet","initrd_fs_path": "/path/to/initrd.img" | 配置内核镜像和内核参数, 参数`initrd_fs_path`可选。 | +| machine-config | "type": "MicroVm","vcpu_count": 4,"mem_size": 805306368,"dump_guest_core": false,"mem-share": false,"mem_path":"/path/to/backend" | 配置虚拟cpu和内存大小,参数 `dump_guest_core`,`mem-path`和 `mem-share`可选,。 | +| drive | "drive_id": "rootfs","path_on_host": "/path/to/rootfs.ext4","read_only": false,"direct": true,"serial_num": "xxxxx","iothread": "iothread1","iops": 200 | 配置virtio-blk磁盘 ,参数`serial_num`,`iothread`和`iops`可选。 | +| net | "iface_id": "net0","host_dev_name": "tap0","mac": "xx:xx:xx:xx:xx:xx","iothread": "iothread1" | 配置virtio-net网卡,参数`mac`和`iothread` 可选。 | +| console | "console_id": "charconsole0","socket_path": "/path/to/socket" | 配置virtio-console串口,运行前须保证socket文件不存在 | +| vsock | "vsock_id": "vsock0","guest_cid": 3 | 配置virtio-vsock设备 | +| serial | "stdio": true | 配置串口设备 | +| iothread | "id": "iothread1" | 配置iothread的id,用来创建名为"iothread1"的线程。 
| +| balloon | "deflate_on_oom": true | 配置balloon的auto deflate特性 | + + + +使用json运行的参数请参见下表: + +表3:使用json运行的参数 + +| 参数 | 参数选项 | 说明 | +| ---------------- | -------------------- | ------------------------------------------------------------ | +| -config | /path/to/json | 配置文件的路径 | +| -api-channel | unix:/path/to/socket | 配置api-channel,运行前须保证socket文件不存在 | +| -D | /path/to/logfile | 配置日志文件 | +| -pidfile | /path/to/pidfile | 配置pid文件,必须配合daemonize使用。运行前须保证pid文件不存在 | +| -disable-seccomp | NA | 关闭Seccomp,默认打开 | +| -daemonize | NA | 开启进程daemon化 | + + + +**配置示例:** + +1. 创建json文件,例如/home/config.json,其内容如下: + +``` +{ + "boot-source": { + "kernel_image_path": "/path/to/vmlinux.bin", + "boot_args": "console=ttyS0 reboot=k panic=1 pci=off tsc=reliable ipv6.disable=1 root=/dev/vda quiet rw" + }, + "machine-config": { + "type": "MicroVm", + "vcpu_count": 2, + "mem_size": 268435456 + }, + "drive": [ + { + "drive_id": "rootfs", + "path_on_host": "/path/to/rootfs", + "serial_num": "11111111", + "direct": true, + "read_only": false, + "iops": 200000, + "iothread": "iothread2" + } + ], + "net": [ + { + "iface_id": "net0", + "host_dev_name": "tap0", + "mac": "0e:90:df:9f:a8:88", + "iothread": "iothread1" + } + ], + "console": [ + { + "console_id": "charconsole0", + "socket_path": "/path/to/console.socket" + } + ], + "serial": { + "stdio": true + }, + "vsock": { + "vsock_id": "vsock-123321132", + "guest_cid": 4 + }, + "iothread": [ + {"id": "iothread1"}, + {"id": "iothread2"} + ] +} + +``` + + + +2. 
运行StratoVirt,读取json文件配置创建并启动虚拟机。 + +``` +$ /path/to/stratovirt \ + -config /home/config.json \ + -api-channel unix:/tmp/stratovirt.socket +``` + +执行成功后,虚拟机创建并启动成功。 + + + +## 配置说明: + +### 虚拟机类型 + +通过-machine参数来指定启动的虚拟机的类型。 + +参数说明 + +- type:启动虚拟机的类型(当前只支持“MicroVm”类型,可选配置,默认为"MicroVM“类型)。 +- dump-guest-core:进程panic时,是否dump虚拟机内存(可选配置)。 +- mem-share:是否与其他进程共享内存(可选配置)。 + + + +### 磁盘配置 + +虚拟机磁盘配置包含以下配置项 + +- drive_id: 磁盘的id。 +- path_on_host: 磁盘的路径。 +- serial_num: 磁盘的串号(可选配置)。 +- read_only: 是否只读(可选配置)。 +- direct: 是否以“O_DIRECT”模式打开(可选配置)。 +- iothread: 配置iothread属性(可选配置)。 +- iops: 配置磁盘QoS,以限制磁盘的io操作(可选配置)。 + + + +下面对iops和iothread两个配置项进行详细说明: + +#### iops:磁盘QoS + +##### 简介 + +QoS(Quality of Service)是服务质量的意思。在云场景中,单主机内会启动多台虚拟机,当某台虚拟机对磁盘访问压力大时,由于同主机的磁盘访问总带宽有限,这会挤占其他虚拟机的访问带宽,从而造成对其他虚拟机IO影响。为了降低影响,可以为虚拟机配置QoS属性,限制它们对磁盘访问的速率,从而降低对彼此的影响。 + + + +##### 注意事项 + +- 当前QoS支持配置磁盘的iops。 +- iops的设定范围是[0, 1000000],0为不限速;实际iops不会超过设定值,并且不会超过后端磁盘实际性能的上限。 +- 只能限制平均iops,无法限速瞬时的突发流量。 + + + +##### 配置方式 + +用法: + +**命令行** + +``` +-drive xxx,iops=200 +``` + +参数: + +- iops:当配置了iops后,本磁盘在虚拟机内部的IO下发速度,不会超过此配置值。 +- xxx:表示磁盘的其他设置。 + +json配置 + +``` +{ + ... + "drive": [ + { + "drive_id": "rootfs", + "path_on_host": "/path/to/block", + ... + "iops": 200 + } + ], + ... 
+} +``` + + + +#### iothread: + +iothread配置细节见[iothread配置](#iothread配置) + + + + + +### 网卡配置 + +虚拟机网卡的配置包含以下配置项 + +- iface_id:唯一的设备id。 +- host_dev_name:host上的tap设备名。 +- mac:设置虚拟机mac地址(可选配置)。 +- iothread:配置磁盘的iothread属性(可选配置)。 + +网卡iothread配置详见[iothread配置](#iothread配置) + + + +### Console设备配置 + +virtio-console是通用的串口设备,用于guest和host之间传送数据。console设备的配置有如下配置项: + +- console_id: 唯一的设备id +- socket_path:virtio console文件路径 + +在启动stratovirt之前请确保console文件不存在。 + + + +### vsock设备配置 + +vsock也是host和guest间通信的设备,类似于console,但具有更好的性能。配置项: + +- vsock_id: 唯一的设备id。 +- guest_cid: 唯一的context id。 + + + + + +### 大页配置 + +#### 概述 + +StratoVirt支持为虚拟机配置内存大页,相比传统的4K内存分页模式,大页内存可以有效减少TLB Miss次数和缺页中断次数,能够显著提升内存密集型业务性能。 + + + +#### 注意事项 + + - 指定的大页挂载的目录,必须是绝对路径。 + - 仅支持在启动时配置。 + - 仅支持静态大页。 + - 使用大页前, 在Host上需要配置好大页。 + - 使用大页特性, 指定虚拟机内存规格必须是**大页页面大小的整数倍**。 + +#### 互斥特性 + +- 如果配置大页,balloon特性失效。 + + +#### 配置方式 + +##### 配置Host上大页 + +###### 挂载 + +将大页文件系统挂载到指定目录上,其中`/path/to/hugepages`为用户自定义的空目录。 + +``` +$ mount -t hugetlbfs hugetlbfs /path/to/hugepages +``` + + +###### 设置大页数目 + +* 设置静态大页数目, `num`为指定的大页数目 + + ``` + $ sysctl vm.nr_hugepages=num + ``` + +* 查询大页统计信息 + + ``` + $ cat /proc/meminfo | grep Hugepages + ``` + + 如果需要查看其它页面大小的大页统计信息, 可以查看`/sys/kernel/mm/hugepages/hugepages-*/`目录下相关信息。 + + +
+ +![img](./figures/zh-cn_image_to_know.png) + +1. 请根据大页使用情况,配置StratoVirt内存规格和大页。如果大页资源不足,虚拟机会启动失败。 + + + +#### 启动StratoVirt时添加大页配置 + + + + +- 命令行 + + ``` + -mem-path /page/to/hugepages + ``` + + 其中`/page/to/hugepages`为大页文件系统挂载的目录,仅支持绝对路径。 + + +- Json文件 + + ```json + { + "machine-config": { + "mem_path": "/page/to/hugepages", + ... + }, + ... + } + ``` + + 其中`/page/to/hugepages`为大页文件系统挂载的目录,仅支持绝对路径。 + +
+ +![img](./figures/zh-cn_image_note.png) + +1. **典型配置:**指定StratoVirt命令行中的mem-path项为:**大页文件系统挂载的目录**。 推荐使用典型配置使用StratoVirt大页特性。 + + + +### 配置iothread + +#### 简介 + +当StratoVirt启动了带iothread配置的虚拟机后,会在主机上启动独立于主线程的单独线程,这些单独线程可以用来处理设备的IO请求,一方面提升设备的IO性能,另一方面降低对管理面消息处理的影响。 + +#### 注意事项 + +- 支持配置最多8个iothread线程 +- 支持磁盘和网卡配置iothread属性 +- iothread线程会占用主机CPU资源,在虚拟机内部大IO压力情况下,单个iothread占用的CPU资源取决于磁盘的访问速度,例如普通的SATA盘会占用20%以内CPU资源。 + + + +#### 创建iothread线程 + +用法: + +**命令行:** + +```shell +-iothread id=iothread1 -iothread id=iothread2 +``` + +**json:** + +```json +"iothread": [ + {"id": "iothread1"}, + {"id": "iothread2"} + ] +``` + +参数: + +- id:用于标识此iothread线程,该id可以被设置到磁盘或网卡的iothread属性。当启动参数配置了iothread线程信息,虚拟机启动后会在主机上启动相应id名的线程。 + + + +#### 配置磁盘或网卡的iothread属性 + +用法: + +**命令行配置** + +``` +# 磁盘 +-drive xxx,iothread=iothread1 +# 网卡 +-netdev xxx,iothread=iothread2 +``` + +​ 参数: + +1. iothread:设置成iothread线程的id,指明处理本设备IO的线程。 +2. xxx: 表示磁盘或者网卡的其他配置 + + + +**json配置** + +```json +# 磁盘 +{ + ... + "drive": [ + { + "drive_id": "rootfs", + "path_on_host": "/path/to/block", + ... + "iothread": "iothread1", + } + ], + ... +} +# 网卡 +{ + ... + "net": [ + { + "iface_id": "tap0", + "host_dev_name": "tap0", + "mac": "12:34:56:78:9A:BC", + "iothread": "iothread1" + } + ] +} +``` + + + + + +### 配置balloon设备 + +#### 简介 + +在虚拟机运行过程中,由虚拟机里的balloon驱动来动态占用或释放内存,从而动态改变这台虚拟机当前可用内存,达到内存弹性的效果。 + + + +#### 注意事项 + +- 启用balloon前须确保guest和host的页面大小相同。 +- guest内核须开启balloon特性支持。 +- 开启内存弹性时,有可能造成虚拟机内部轻微卡顿、内存性能下降。 + + + +#### 互斥特性 + +- 大页内存互斥。 +- 在x86下,由于中断数量有限,所以balloon设备和其他virtio的数量(默认使用6个block设备,2个net设备和1个串口设备)总和不得超过11个。 + + + +#### 规格 + +- 每个VM只能配置1个balloon设备。 + + + +#### 配置方式 + +- 命令行 + +``` +-balloon deflate-on-oom=true +``` + +- json文件 + + ```json + { + "balloon": { + "deflate_on_oom": true + }, + ... + } + ``` + + + +![img](./figures/zh-cn_image_0218587436.png) + +1. deflate-on-oom的取值为bool类型,表示是否开启auto deflate特性。开启时,如果balloon已经回收部分内存,当guest需要内存时,balloon设备会自动放气,归还内存给guest。不开启则不会自动归还。 +2. 
使用qmp命令回收虚拟机内存时,应确保回收后虚拟机仍然有足够的内存来保持最基本的运行。否则可能会出现一些操作超时,以及导致虚拟机内部无法申请到空闲内存等现象。 +3. 如果虚拟机内部开启内存大页,balloon不能回收大页占用内存。 + + + +![img](./figures/zh-cn_image_to_know.png) + +- deflate-on-oom=false时,当Guest中内存不足时,balloon不会自动放气并归还内存,可能会引起Guest内部OOM,进程被Kill,甚至虚拟机无法正常运行。 \ No newline at end of file diff --git a/docs/zh/docs/Virtualization/figures/CertEnrollP1.png b/docs/zh/docs/Virtualization/figures/CertEnrollP1.png new file mode 100644 index 0000000000000000000000000000000000000000..536e0618a3ab5b70937292205242a08237e34712 Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/CertEnrollP1.png differ diff --git a/docs/zh/docs/Virtualization/figures/CertEnrollP2.png b/docs/zh/docs/Virtualization/figures/CertEnrollP2.png new file mode 100644 index 0000000000000000000000000000000000000000..0557c8782960188dbe9d84a1d0e66c9b45d2b303 Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/CertEnrollP2.png differ diff --git a/docs/zh/docs/Virtualization/figures/CertEnrollP3.png b/docs/zh/docs/Virtualization/figures/CertEnrollP3.png new file mode 100644 index 0000000000000000000000000000000000000000..326fcf1e8d5e3c795ebcde286d8e0fef14bec7d1 Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/CertEnrollP3.png differ diff --git a/docs/zh/docs/Virtualization/figures/CertEnrollP4.png b/docs/zh/docs/Virtualization/figures/CertEnrollP4.png new file mode 100644 index 0000000000000000000000000000000000000000..bc77c038e1e3a5ec30d7ba4f805ca937792e9327 Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/CertEnrollP4.png differ diff --git a/docs/zh/docs/Virtualization/figures/CertEnrollP5.png b/docs/zh/docs/Virtualization/figures/CertEnrollP5.png new file mode 100644 index 0000000000000000000000000000000000000000..0f22b3cbd84f7c93f74898a926bc3e32f231667f Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/CertEnrollP5.png differ 
diff --git a/docs/zh/docs/Virtualization/figures/CertEnrollP6.png b/docs/zh/docs/Virtualization/figures/CertEnrollP6.png new file mode 100644 index 0000000000000000000000000000000000000000..08235013ca71f1ec51e9af2f143629d1a6132fe9 Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/CertEnrollP6.png differ diff --git a/docs/zh/docs/Virtualization/figures/CertEnrollP7.png b/docs/zh/docs/Virtualization/figures/CertEnrollP7.png new file mode 100644 index 0000000000000000000000000000000000000000..f934521d59dd4a75449fcb2ca8abc54045b9102b Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/CertEnrollP7.png differ diff --git a/docs/zh/docs/Virtualization/figures/CertEnrollP8.png b/docs/zh/docs/Virtualization/figures/CertEnrollP8.png new file mode 100644 index 0000000000000000000000000000000000000000..9a8158e3378bf25dee05b892cc60f424542455d7 Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/CertEnrollP8.png differ diff --git a/docs/zh/docs/Virtualization/figures/OSBootFlow.png b/docs/zh/docs/Virtualization/figures/OSBootFlow.png new file mode 100644 index 0000000000000000000000000000000000000000..f9c03c86df145636015efaeab4dc076f62754cd9 Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/OSBootFlow.png differ diff --git a/docs/zh/docs/Virtualization/figures/SecureBootFlow.png b/docs/zh/docs/Virtualization/figures/SecureBootFlow.png new file mode 100644 index 0000000000000000000000000000000000000000..e76a800931ed6da2af3515d3d9d44388e3d11c01 Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/SecureBootFlow.png differ diff --git "a/content/zh/docs/Virtualization/figures/KVM\346\236\266\346\236\204\345\233\276.png" b/docs/zh/docs/Virtualization/figures/kvm-architecture.png similarity index 100% rename from "content/zh/docs/Virtualization/figures/KVM\346\236\266\346\236\204\345\233\276.png" rename to docs/zh/docs/Virtualization/figures/kvm-architecture.png 
diff --git "a/content/zh/docs/Virtualization/figures/\347\212\266\346\200\201\350\275\254\346\215\242\345\233\276.png" b/docs/zh/docs/Virtualization/figures/status-transition-diagram.png similarity index 100% rename from "content/zh/docs/Virtualization/figures/\347\212\266\346\200\201\350\275\254\346\215\242\345\233\276.png" rename to docs/zh/docs/Virtualization/figures/status-transition-diagram.png diff --git a/docs/zh/docs/Virtualization/figures/virtual-network-structure.png b/docs/zh/docs/Virtualization/figures/virtual-network-structure.png new file mode 100644 index 0000000000000000000000000000000000000000..97dee6e7c46c78257ee6b7bfedfd71740c4f5cbe Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/virtual-network-structure.png differ diff --git "a/content/zh/docs/Virtualization/figures/\350\231\232\346\213\237\345\214\226\346\236\266\346\236\204.png" b/docs/zh/docs/Virtualization/figures/virtualized-architecture.png similarity index 100% rename from "content/zh/docs/Virtualization/figures/\350\231\232\346\213\237\345\214\226\346\236\266\346\236\204.png" rename to docs/zh/docs/Virtualization/figures/virtualized-architecture.png diff --git a/docs/zh/docs/Virtualization/figures/zh-cn_image_0218587435.png b/docs/zh/docs/Virtualization/figures/zh-cn_image_0218587435.png new file mode 100644 index 0000000000000000000000000000000000000000..d245d48dc07e2b01734e21ec1952e89fa9269bdb Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/zh-cn_image_0218587435.png differ diff --git a/docs/zh/docs/Virtualization/figures/zh-cn_image_0218587436.png b/docs/zh/docs/Virtualization/figures/zh-cn_image_0218587436.png new file mode 100644 index 0000000000000000000000000000000000000000..a32856aa08e459ed0f51f8fcf4c2f51511c12095 Binary files /dev/null and b/docs/zh/docs/Virtualization/figures/zh-cn_image_0218587436.png differ 
diff --git a/docs/zh/docs/Virtualization/public_sys-resources/icon-caution.gif b/docs/zh/docs/Virtualization/public_sys-resources/icon-caution.gif new file mode 100644 index 0000000000000000000000000000000000000000..6e90d7cfc2193e39e10bb58c38d01a23f045d571 Binary files /dev/null and b/docs/zh/docs/Virtualization/public_sys-resources/icon-caution.gif differ diff --git a/docs/zh/docs/Virtualization/public_sys-resources/icon-danger.gif b/docs/zh/docs/Virtualization/public_sys-resources/icon-danger.gif new file mode 100644 index 0000000000000000000000000000000000000000..6e90d7cfc2193e39e10bb58c38d01a23f045d571 Binary files /dev/null and b/docs/zh/docs/Virtualization/public_sys-resources/icon-danger.gif differ diff --git a/docs/zh/docs/Virtualization/public_sys-resources/icon-note.gif b/docs/zh/docs/Virtualization/public_sys-resources/icon-note.gif new file mode 100644 index 0000000000000000000000000000000000000000..6314297e45c1de184204098efd4814d6dc8b1cda Binary files /dev/null and b/docs/zh/docs/Virtualization/public_sys-resources/icon-note.gif differ diff --git a/docs/zh/docs/Virtualization/public_sys-resources/icon-notice.gif b/docs/zh/docs/Virtualization/public_sys-resources/icon-notice.gif new file mode 100644 index 0000000000000000000000000000000000000000..86024f61b691400bea99e5b1f506d9d9aef36e27 Binary files /dev/null and b/docs/zh/docs/Virtualization/public_sys-resources/icon-notice.gif differ diff --git a/docs/zh/docs/Virtualization/public_sys-resources/icon-tip.gif b/docs/zh/docs/Virtualization/public_sys-resources/icon-tip.gif new file mode 100644 index 0000000000000000000000000000000000000000..93aa72053b510e456b149f36a0972703ea9999b7 Binary files /dev/null and b/docs/zh/docs/Virtualization/public_sys-resources/icon-tip.gif differ 
diff --git a/docs/zh/docs/Virtualization/public_sys-resources/icon-warning.gif b/docs/zh/docs/Virtualization/public_sys-resources/icon-warning.gif new file mode 100644 index 0000000000000000000000000000000000000000..6e90d7cfc2193e39e10bb58c38d01a23f045d571 Binary files /dev/null and b/docs/zh/docs/Virtualization/public_sys-resources/icon-warning.gif differ diff --git a/content/zh/docs/Virtualization/virtualization.md b/docs/zh/docs/Virtualization/virtualization.md similarity index 88% rename from content/zh/docs/Virtualization/virtualization.md rename to docs/zh/docs/Virtualization/virtualization.md index 936a54e96cdab99468bf904bb7fd53e74d1c2fc3..5f142177dc7c72662e9bfce0c105c4ef9a83ec22 100644 --- a/content/zh/docs/Virtualization/virtualization.md +++ b/docs/zh/docs/Virtualization/virtualization.md @@ -1 +1,3 @@ +# 虚拟化用户指南 + 本文档给出虚拟化介绍,并给出基于openEuler的虚拟化安装方法以及如何使用虚拟化,让用户了解虚拟化,并指导用户和管理员安装和使用虚拟化。 \ No newline at end of file diff --git "a/content/zh/docs/Virtualization/\345\207\206\345\244\207\344\275\277\347\224\250\347\216\257\345\242\203.md" "b/docs/zh/docs/Virtualization/\345\207\206\345\244\207\344\275\277\347\224\250\347\216\257\345\242\203.md" similarity index 88% rename from "content/zh/docs/Virtualization/\345\207\206\345\244\207\344\275\277\347\224\250\347\216\257\345\242\203.md" rename to "docs/zh/docs/Virtualization/\345\207\206\345\244\207\344\275\277\347\224\250\347\216\257\345\242\203.md" index a8f6b5340b4e8409187aabab0a618890f04f89f3..c6764eb9e5ccabb5c28cbdcb712c4a917ed758a6 100644 --- "a/content/zh/docs/Virtualization/\345\207\206\345\244\207\344\275\277\347\224\250\347\216\257\345\242\203.md" +++ "b/docs/zh/docs/Virtualization/\345\207\206\345\244\207\344\275\277\347\224\250\347\216\257\345\242\203.md" @@ -45,7 +45,7 @@ ``` -### 修改镜像磁盘空间大小 +### 修改镜像磁盘空间大小 当虚拟机需要更大的磁盘空间时,可以使用qemu-img工具,修改虚拟机镜像磁盘空间的大小,修改方法如下。 
@@ -115,8 +115,8 @@ 本节给出搭建Linux网桥和Open vSwitch网桥的方法,使虚拟机连接到网络,用户可以根据情况选择搭建网桥的类型。 -**图 1** 虚拟网络结构图 -![](figures/虚拟网络结构图.png "虚拟网络结构图") +**图 1** 虚拟网络结构图 +![](./figures/virtual-network-structure.png) ### 搭建Linux网桥 @@ -174,7 +174,6 @@ Open vSwitch网桥,具有更便捷的自动化编排能力。搭建Open vSwitc 1. 安装Open vSwitch组件。 ``` - # yum install -y openvswitch-kmod # yum install -y openvswitch ``` @@ -187,35 +186,9 @@ Open vSwitch网桥,具有更便捷的自动化编排能力。搭建Open vSwitc **二、确认安装是否成功** -确认Open vSwitch组件是否安装成功,需要检查openvswitch-kmod和openvswitch这两个组件是否安装成功。 +确认Open vSwitch组件是否安装成功。 -1. 确认openvswitch-kmod组件是否安装成功。若安装成功,可以看到软件包相关信息,命令和回显如下: - - ``` - $ rpm -qi openvswitch-kmod - Name : openvswitch-kmod - Version : 2.11.1 - Release : 1.oe3 - Architecture: aarch64 - Install Date: Thu 15 Aug 2019 05:07:49 PM CST - Group : System Environment/Daemons - Size : 15766774 - License : GPLv2 - Signature : (none) - Source RPM : openvswitch-kmod-2.11.1-1.oe3.src.rpm - Build Date : Thu 08 Aug 2019 04:33:08 PM CST - Build Host : armbuild10b175b113b44 - Relocations : (not relocatable) - Vendor : OpenSource Security Ralf Spenneberg - URL : http://www.openvswitch.org/ - Summary : Open vSwitch Kernel Modules - Description : - Open vSwitch provides standard network bridging functions augmented with - support for the OpenFlow protocol for remote per-flow control of - traffic. This package contains the kernel modules. - ``` - -2. 确认openvswitch组件是否安装成功。若安装成功,可以看到软件包相关信息,命令和回显如下: +1. 确认openvswitch组件是否安装成功。若安装成功,可以看到软件包相关信息,命令和回显如下: ``` $ rpm -qi openvswitch @@ -241,7 +214,7 @@ Open vSwitch网桥,具有更便捷的自动化编排能力。搭建Open vSwitc traffic. ``` -3. 查看Open vSwitch服务是否启动成功。若服务处于“Active”状态,说明服务启动成功,可以正常使用Open vSwitch提供的命令行工具,命令和回显如下: +2. 查看Open vSwitch服务是否启动成功。若服务处于“Active”状态,说明服务启动成功,可以正常使用Open vSwitch提供的命令行工具,命令和回显如下: ``` $ systemctl status openvswitch 
diff --git "a/content/zh/docs/Virtualization/\345\256\211\350\243\205\350\231\232\346\213\237\345\214\226.md" "b/docs/zh/docs/Virtualization/\345\256\211\350\243\205\350\231\232\346\213\237\345\214\226.md" similarity index 96% rename from "content/zh/docs/Virtualization/\345\256\211\350\243\205\350\231\232\346\213\237\345\214\226.md" rename to "docs/zh/docs/Virtualization/\345\256\211\350\243\205\350\231\232\346\213\237\345\214\226.md" index c8ab1946b98e428ef417ec4283560a9556783606..f91cada8b018646b9ee032a3268c0460ae0d33c7 100644 --- "a/content/zh/docs/Virtualization/\345\256\211\350\243\205\350\231\232\346\213\237\345\214\226.md" +++ "b/docs/zh/docs/Virtualization/\345\256\211\350\243\205\350\231\232\346\213\237\345\214\226.md" @@ -29,7 +29,7 @@ #### 前提条件 -- 已经配置yum源。配置方式请参见《openEuler 20.03 LTS 管理员指南》。 +- 已经配置yum源。配置方式请参见《openEuler 21.03 管理员指南》。 - 安装操作需要root用户权限。 #### 安装步骤 @@ -53,7 +53,7 @@ ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >KVM模块已经集成在openEuler内核中,因此不需要单独安装。 ### 验证安装是否成功 diff --git "a/docs/zh/docs/Virtualization/\345\267\245\345\205\267\344\275\277\347\224\250\346\214\207\345\215\227.md" "b/docs/zh/docs/Virtualization/\345\267\245\345\205\267\344\275\277\347\224\250\346\214\207\345\215\227.md" new file mode 100644 index 0000000000000000000000000000000000000000..8fca0867e1a35834fd0dac206977d6ba5a905efa --- /dev/null +++ "b/docs/zh/docs/Virtualization/\345\267\245\345\205\267\344\275\277\347\224\250\346\214\207\345\215\227.md" 
@@ -0,0 +1,175 @@ +# 工具使用指南 + +- [vmtop使用指南](#vmtop使用指南) + +## vmtop使用指南 + +### 概述 +vmtop 是运行在宿主机host上的用户态工具。使用vmtop可以实时动态地查看虚拟机资源的使用情况,例如CPU占用率、内存占用率、vCPU陷入陷出次数等。因此,可以使用vmtop作为虚拟化问题定位和性能调优的工具。 + +#### 多架构支持 +当前vmtop支持AArch64和x86_64处理器架构。 + +#### 显示项说明 +不同处理器架构的操作系统,vmtop的显示项存在差异,这里给出各个显示项的含义及其是否在对应架构呈现。 +说明:以下采样差是指指定时间间隔内获取的两次数据的差值。 + +##### **AArch64和x86_64架构共有显示项** +- VM/task-name: 虚拟机/进程名称 +- DID: 虚拟机id +- PID: 虚拟机qemu进程的pid +- %CPU: 进程的CPU占用率 +- EXTsum: kvm exit总次数(采样差) +- S: 进程状态 +- P: 进程所占用的物理CPU号 +- %ST: 被抢占时间与cpu运行时间的比 +- %GUE: 虚拟机内部占用时间与CPU运行时间的比 +- %HYP: 虚拟化开销占比 + +##### 仅AArch64架构的显示项 +- EXThvc: hvc-exit次数(采样差) +- EXTwfe: wfe-exit次数(采样差) +- EXTwfi: wfi-exit次数(采样差) +- EXTmmioU: mmioU-exit次数(采样差) +- EXTmmioK: mmioK-exit次数(采样差) +- EXTfp: fp-exit次数(采样差) +- EXTirq: irq-exit次数(采样差) +- EXTsys64: sys64 exit次数(采样差) +- EXTmabt: mem abort exit次数(采样差) + + +##### 仅x86_64架构的显示项 +- PFfix: 缺页次数(采样差) +- PFgu: 向guest OS注入缺页次数(采样差) +- INvlpg: 冲刷tlb某项次数(tlb其中一项,并不固定) +- EXTio: io VM-exit次数(采样差) +- EXTmmio: mmio VM-exit次数(采样差) +- EXThalt: halt VM-exit次数(采样差) +- EXTsig: 信号处理引起的VM-exit次数(采样差) +- EXTirq: 中断引起的VM-exit次数(采样差) +- EXTnmiW: 处理不可屏蔽中断引起的VM-exit次数(采样差) +- EXTirqW: interruptwindow机制,开启中断使能时exit,以便注入中断(采样差) +- IrqIn: 注入irq中断次数(采样差) +- NmiIn: 注入nmi中断次数(采样差) +- TLBfl: 冲刷整个tlb次数(采样差) +- HostReL: 重载主机状态次数(采样差) +- Hyperv: 模拟Guest操作系统辅助虚拟化调用hypercal的处理次数(采样差) +- EXTcr: 访问CR寄存器退出次数(采样差) +- EXTrmsr: 读msr退出次数(采样差) +- EXTwmsr: 写msr退出次数(采样差) +- EXTapic: 写apic次数(采样差) +- EXTeptv: Ept缺页退出次数(采样差) +- EXTeptm: Ept错误退出次数(采样差) +- EXTpau: Vcpu暂停退出次数(采样差) + +### 使用方法 +vmtop是一款命令行工具,直接以命令行的方式运行 vmtop 即可。 +另外,vmtop还提供了不同可选选项,用于查询不同信息。 + +#### 语法格式 +```sh +vmtop [选项] +``` + +#### 选项说明 +- -d: 设置显示刷新的时间间隔,单位:秒 +- -H: 显示虚拟机的线程信息 +- -n: 设置显示刷新的次数,刷新完成后退出 +- -b: Batch模式显示,可以用于重定向到文件 +- -h: 显示帮助信息 +- -v: 显示版本 +- -p: 监控指定id的虚拟机 + +#### 快捷键 +在vmtop运行状态下使用的快捷键 +- H: 显示或关闭虚拟机线程信息,默认显示该信息 +- up/down: 向上/向下移动显示的虚拟机列表 +- left/right: 向左/向右移动显示的信息,从而显示因屏幕宽度被隐藏的列 +- f: 进入监控项编辑模式,选择要开启的监控项 +- q: 退出vmtop进程 + 
+### 示例 +在host上直接以命令行的方式运行vmtop +```sh +vmtop +``` +输出如下: +```sh +vmtop - 2020-09-14 09:54:48 - 1.0 +Domains: 1 running + + DID VM/task-name PID %CPU EXThvc EXTwfe EXTwfi EXTmmioU EXTmmioK EXTfp EXTirq EXTsys64 EXTmabt EXTsum S P %ST %GUE %HYP + 2 example 4054916 13.0 0 0 1206 10 0 144 62 174 0 1452 S 106 0.0 99.7 16.0 +``` +可以看到,host上只有一台名称为“example”的虚拟机,ID为2,CPU占用率是13.0%,在1秒内的陷入陷出总次数是1452,虚拟机进程占用的物理CPU为106号CPU,虚拟机内部占用时间与CPU运行时间的比是99.7%。 + +1.显示虚拟机线程信息 +按下‘H’后可以显示线程信息: +```sh +vmtop - 2020-09-14 10:11:27 - 1.0 +Domains: 1 running + + DID VM/task-name PID %CPU EXThvc EXTwfe EXTwfi EXTmmioU EXTmmioK EXTfp EXTirq EXTsys64 EXTmabt EXTsum S P %ST %GUE %HYP + 2 example 4054916 13.0 0 0 1191 17 4 120 76 147 0 1435 S 119 0.0 123.7 4.0 + |_ qemu-kvm 4054916 0.0 0 0 0 0 0 0 0 0 0 0 S 119 0.0 0.0 0.0 + |_ qemu-kvm 4054928 0.0 0 0 0 0 0 0 0 0 0 0 S 119 0.0 0.0 0.0 + |_ signalfd_com 4054929 0.0 0 0 0 0 0 0 0 0 0 0 S 120 0.0 0.0 0.0 + |_ IO mon_iothr 4054932 0.0 0 0 0 0 0 0 0 0 0 0 S 117 0.0 0.0 0.0 + |_ CPU 0/KVM 4054933 3.0 0 0 280 6 4 28 19 41 0 350 S 105 0.0 27.9 0.0 + |_ CPU 1/KVM 4054934 3.0 0 0 260 0 0 16 12 36 0 308 S 31 0.0 20.0 0.0 + |_ CPU 2/KVM 4054935 3.0 0 0 341 0 0 44 20 26 0 387 R 108 0.0 27.9 4.0 + |_ CPU 3/KVM 4054936 5.0 0 0 310 11 0 32 25 44 0 390 S 103 0.0 47.9 0.0 + |_ memory_lock 4054940 0.0 0 0 0 0 0 0 0 0 0 0 S 126 0.0 0.0 0.0 + |_ vnc_worker 4054944 0.0 0 0 0 0 0 0 0 0 0 0 S 118 0.0 0.0 0.0 + |_ worker 4143738 0.0 0 0 0 0 0 0 0 0 0 0 S 120 0.0 0.0 0.0 +``` +example虚拟机有11个线程,其中包括vCPU线程、vnc_worker、IO mon_iotreads等等,每个线程同样会显示详细CPU占用、陷入陷出等信息。 + +2.选择监控项 +按下‘f’进入监控项编辑模式: +```sh +field filter - select which field to be showed +Use up/down to navigate, use space to set whether chosen filed to be showed +'q' to quit to normal display + + * DID + * VM/task-name + * PID + * %CPU + * EXThvc + * EXTwfe + * EXTwfi + * EXTmmioU + * EXTmmioK + * EXTfp + * EXTirq + * EXTsys64 + * EXTmabt + * EXTsum + * S + * P + * %ST + * %GUE + * %HYP +``` 
+当前所有监控项都默认显示,通过up/down键选择,用space键来设置对应显示项是否显示/隐藏,按‘q’键退出。 +将%ST、%GUE、%HYP设置为隐藏后,输出如下: +```sh +vmtop - 2020-09-14 10:23:25 - 1.0 +Domains: 1 running + + DID VM/task-name PID %CPU EXThvc EXTwfe EXTwfi EXTmmioU EXTmmioK EXTfp EXTirq EXTsys64 EXTmabt EXTsum S P + 2 example 4054916 12.0 0 0 1213 14 1 144 68 168 0 1464 S 125 + |_ qemu-kvm 4054916 0.0 0 0 0 0 0 0 0 0 0 0 S 125 + |_ qemu-kvm 4054928 0.0 0 0 0 0 0 0 0 0 0 0 S 119 + |_ signalfd_com 4054929 0.0 0 0 0 0 0 0 0 0 0 0 S 120 + |_ IO mon_iothr 4054932 0.0 0 0 0 0 0 0 0 0 0 0 S 117 + |_ CPU 0/KVM 4054933 2.0 0 0 303 6 0 29 10 35 0 354 S 98 + |_ CPU 1/KVM 4054934 4.0 0 0 279 0 0 39 17 49 0 345 S 1 + |_ CPU 2/KVM 4054935 3.0 0 0 283 0 0 33 20 40 0 343 S 122 + |_ CPU 3/KVM 4054936 3.0 0 0 348 8 1 43 21 44 0 422 S 110 + |_ memory_lock 4054940 0.0 0 0 0 0 0 0 0 0 0 0 S 126 + |_ vnc_worker 4054944 0.0 0 0 0 0 0 0 0 0 0 0 S 118 + |_ worker 1794 0.0 0 0 0 0 0 0 0 0 0 0 S 126 +``` +%ST、%GUE、%HYP将不会出现在显示界面上。 diff --git "a/content/zh/docs/Virtualization/\346\234\200\344\275\263\345\256\236\350\267\265.md" "b/docs/zh/docs/Virtualization/\346\234\200\344\275\263\345\256\236\350\267\265.md" similarity index 57% rename from "content/zh/docs/Virtualization/\346\234\200\344\275\263\345\256\236\350\267\265.md" rename to "docs/zh/docs/Virtualization/\346\234\200\344\275\263\345\256\236\350\267\265.md" index 9626b4e460a7c35d0cdffa0164f84529251dc2e6..f2c310fea6a823cab161b5db057f1ff9bb27a3b2 100644 --- "a/content/zh/docs/Virtualization/\346\234\200\344\275\263\345\256\236\350\267\265.md" +++ "b/docs/zh/docs/Virtualization/\346\234\200\344\275\263\345\256\236\350\267\265.md" @@ -1,20 +1,5 @@ # 最佳实践 - - -- [最佳实践](#最佳实践) - - [性能最佳实践](#性能最佳实践) - - [halt-polling](#halt-polling) - - [IOThread配置](#IOThread配置) - - [裸设备映射](#裸设备映射) - - [kworker隔离绑定](#kworker隔离绑定) - - [内存大页](#内存大页) - - [安全最佳实践](#安全最佳实践) - - [Libvirt鉴权](#Libvirt鉴权) - - [qemu-ga](#qemu-ga) - - [sVirt保护](#sVirt保护) - - ## 性能最佳实践 
@@ -24,7 +9,7 @@ 在计算资源充足的情况下,为使虚拟机获得接近物理机的性能,可以使用halt-polling特性。没有使用halt-polling特性时,当vCPU空闲退出后,主机会把CPU资源分配给其他进程使用。当主机开启halt-polling特性时,虚拟机vCPU处于空闲时会polling一段时间,polling的时间由具体配置决定。若该vCPU在polling期间被唤醒,可以不从主机侧调度而继续运行,减少了调度流程的开销,从而在一定程度上提高了虚拟机系统的性能。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >halt-polling的机制保证虚拟机的vCPU线程的及时响应,但在虚拟机空载的时候,主机侧也会polling,导致主机看到vCPU所在CPU占用率比较高,而实际虚拟机内部CPU占用率并不高。 #### 操作指导 
@@ -222,6 +207,89 @@ kworker是Linux内核实现的per-CPU线程,用来执行系统中的workqueue # echo never > /sys/kernel/mm/transparent_hugepage/enabled ``` +### PV-qspinlock + +#### 概述 + +PV-qspinlock主要是针对虚拟化CPU超分场景自旋锁的优化,允许hypervisor将处于锁上下文中的vCPU置于block状态,并在锁释放后将对应的vCPU唤醒,在超分场景下能够更好地利用pCPU资源,对于编译的应用场景有一定的优化,可以减少编译应用的时长。 + +#### 操作指导 + +修改虚拟机/boot/efi/EFI/openEuler/grub.cfg配置文件,在命令行启动参数添加arm_pvspin,重启虚拟机后生效。PV-qspinlock生效后,虚拟机内部使用dmesg命令可以查到如下日志打印: + +``` +[ 0.000000] arm-pv: PV qspinlocks enabled +``` + +>![](./public_sys-resources/icon-note.gif) **说明:** +>PV-qspinlock仅限于宿主机和虚拟机操作系统均为openEuler 20.09及以上版本支持,且虚拟机内核编译选项需要配置CONFIG_PARAVIRT_SPINLOCKS=y(openEuler默认配置)。 + +### Guest-Idle-Haltpoll + +#### 概述 + +为了保证公平性及降低功耗,当虚拟机vCPU空闲时,虚拟机将执行WFx/HLT指令退出到宿主机中,并触发上下文切换。宿主机将决定在物理CPU上调度其他进程或vCPU,或进入节能模式。但是,虚拟机和宿主机之间的切换、额外的上下文切换以及唤醒IPI中断开销较大,在频繁睡眠和唤醒的业务中该问题尤为突出。Guest-Idle-Haltpoll技术是指当虚拟机vCPU空闲时,不立刻执行WFx/HLT并发生VM-exit,而是在虚拟机内部轮询(polling)一段时间。在该时间段内,其他共享LLC的vCPU在该vCPU上的任务被唤醒不需要发送IPI中断,减少了发送和接收处理IPI的开销及虚拟机陷出(VM-exit)的开销,从而降低任务唤醒的时延。 + +>![](./public_sys-resources/icon-note.gif) **说明:** +>由于vCPU在虚拟机内部执行idle-haltpoll会增加vCPU在宿主机的CPU开销,所以开启该特性建议vCPU在宿主机独占物理核。 + +#### 操作指导 + +Guest-Idle-Haltpoll特性默认关闭,这里给出开启该特性的操作指导。 +1. 使能Guest-Idle-Haltpoll特性。 + - 若宿主机处理器架构为x86,可以在宿主机的虚拟机XML中配置“hint-dedicated”使能该特性,通过虚拟机XML配置将vCPU独占物理核的状态传递给虚拟机。vCPU独占物理核的状态由宿主机保证。 + + ``` + + ... + + + ... + + + + ... + + ``` + + 或者在虚拟机内核启动参数中配置“cpuidle\_haltpoll.force=Y”强制开启,该方法不依赖宿主机配置vCPU独占物理核。 + ``` + cpuidle_haltpoll.force=Y + ``` + + - 若宿主机处理器架构为AArch64,只支持在虚拟机内核启动参数中配置“cpuidle\_haltpoll.force=Y haltpoll.enable=Y”的方式使能该特性。 + + ``` + cpuidle_haltpoll.force=Y haltpoll.enable=Y + ``` + +2. 确认Guest-Idle-Haltpoll特性是否生效。在虚拟机中执行如下命令,若返回haltpoll,说明特性已经生效。 + + ``` + # cat /sys/devices/system/cpu/cpuidle/current_driver + ``` + +3. 
(可选)配置Guest-Idle-Haltpoll参数。 + 虚拟机的/sys/module/haltpoll/parameters/路径下提供了如下配置文件,用于调整配置参数,用户可以根据业务特点选择调整。 + + - guest\_halt\_poll\_ns: 全局参数,指vCPU空闲后polling的最大时长,默认值为200000(单位ns)。 + - guest\_halt\_poll\_shrink: 当唤醒事件发生在全局guest\_halt\_poll\_ns时间之后,用于收缩当前vCPU guest\_halt\_poll\_ns的除数因子,默认值为2。 + - guest\_halt\_poll\_grow: 当唤醒事件发生在当前vCPU guest\_halt\_poll\_ns之后且在全局guest\_halt\_poll\_ns之前,用于扩展当前vCPU guest\_halt\_poll\_ns的乘数因子,默认值为2。 + - guest\_halt\_poll\_grow\_start: 当系统空闲时,每个vCPU的guest\_halt\_poll\_ns最终会达到零。该参数用于设置当前vCPU guest\_halt\_poll\_ns的初始值,以便vCPU polling时长的收缩和扩展。默认值为50000(单位ns)。 + - guest\_halt\_poll\_allow\_shrink: 允许每个vCPU guest\_halt\_poll\_ns收缩的开关,默认值是Y(Y表示允许收缩,N表示禁止收缩)。 + + 可以使用root权限,参考如下命令修改参数值。其中 _value_ 表示需要设置的参数值, _configFile_ 为对应的配置文件。 + + ``` + # echo value > /sys/module/haltpoll/parameters/configFile + ``` + + 例如设置全局guest\_halt\_poll\_ns为200000ns的命令如下: + + ``` + # echo 200000 > /sys/module/haltpoll/parameters/guest_halt_poll_ns + ``` + ## 安全最佳实践 @@ -317,7 +385,7 @@ qemu-ga(Qemu Guest Agent)它是运行在虚拟机内部的守护进程,它 在一些对安全要求较高的使用场景,为了防止虚拟机内部信息泄露,qemu-ga提供了黑名单功能,用户可以通过黑名单选择性屏蔽qemu-ga提供的部分功能。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >qemu-ga对应的安装包是qemu-guest-agent-xx.rpm,openEuler默认不安装。xx为实际版本号。 #### 操作方法 @@ -368,7 +436,7 @@ qemu-ga(Qemu Guest Agent)它是运行在虚拟机内部的守护进程,它 root 727 1 0 08:17 ? 00:00:00 /usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist=guest-file-open guest-file-close guest-file-read guest-file-write guest-file-seek guest-file-flush -F/etc/qemu-ga/fsfreeze-hook ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >更多关于qemu-ga的资料可以参见[https://wiki.qemu.org/Features/GuestAgent](https://wiki.qemu.org/Features/GuestAgent)。 
@@ -434,3 +502,152 @@ system_u:system_r:svirt_t:s0:c200,c947 11359 ? 00:03:59 qemu-kvm system_u:system_r:svirt_t:s0:c427,c670 13790 ? 19:02:07 qemu-kvm ``` +### 虚拟机可信启动 + +#### 概述 + +可信启动包含度量启动和远程证明。其中虚拟化组件主要提供度量启动功能,远程证明由用户自己在虚拟机中安装相关软件(RA client)及搭建远程证明服务器(RA server)进行使能。 + +度量启动的两个基本要素是信任根和信任链,其基本思想是首先在计算机系统中建立一个信任根,信任根的可信性由物理安全、技术安全和管理安全共同确保,即CRTM(Core Root of Trust for Measurement)。然后建立一条信任链,从信任根开始到BIOS/BootLoader、操作系统、再到应用,一级度量认证一级,一级信任一级,最终把这种信任扩展到整个系统。上述过程看起来如同一根链条一样环环相扣,因此称之为“信任链”。 + +CRTM是度量启动的根,是系统启动的首个组件,没有其它代码来检查CRTM本身的完整性。所以,作为信任链的起点,必须保证它是绝对可信的信任源。因此,技术上需要将CRTM设计成一段只读或更新严格受限的代码,抵御BIOS攻击,防止远程注入恶意代码或在操作系统上层修改启动代码。通常物理主机中由CPU中的微码作为CRTM,在虚拟化环境中,一般选择vBIOS的sec部分为CRTM。 + +启动过程中,前一个部件度量(计算HASH值)后一个部件,然后把度量值扩展入可信存储区例如TPM的PCR中。CRTM度量BootLoader把度量值扩展到PCR中,BootLoader度量OS把度量值扩展到PCR中。 + + +#### 配置vTPM设备,使能度量启动 + +**一、安装swtpm和libtpms软件** + +swtpm提供了一个可集成到虚拟化环境中的TPM仿真器(TPM1.2和TPM2.0)。到目前为止,他已经集成到了QEMU中,同时也作为RunC中的原型系统。swtpm是利用libtpms来提供TPM1.2和TPM2.0的模拟功能。 +目前openEuler 21.03 版本中提供了libtpms和swtpm的源,可以直接使用yum命令安装。 + +``` +# yum install libtpms swtpm swtpm-devel swtpm-tools + +``` + + +**二、虚拟机配置vTPM设备** + +1. AArch64虚拟机配置文件中添加如下配置: + + ``` + + ... + + ... + + + + ... + + ... + + ``` + + x86虚拟机配置文件中添加如下配置: + + ``` + + ... + + ... + + + + ... + + ... + + ``` + >![](public_sys-resources/icon-note.gif) **说明:** + >目前,openEuler 20.09 版本 AArch64 架构上的虚拟机可信启动不支持 ACPI 特性,所以虚拟机请勿配置ACPI特性,否则启动虚拟机后无法识别vTPM设备。 + +2. 创建虚拟机。 + + ``` + # virsh define MeasuredBoot.xml + ``` +3. 
启动虚拟机 + + 启动虚拟机前需要使用chmod命令给目录/var/lib/swtpm-localca/赋予如下权限,否则libvirt无法拉起swtpm。 + + ``` + # chmod -R 777 /var/lib/swtpm-localca/ + # + # virsh start MeasuredbootVM + ``` + + +**三、确认度量启动使能成功** + +度量启动功能使能与否由vBIOS决定,目前 openEuler 21.03 版本中的vBIOS已经具备了度量启动的能力。若宿主机采用其他版本的edk2组件,请确认其是否支持度量启动功能。 + +使用root用户登陆虚拟机,确认虚拟机中是否安装了tpm驱动,tpm2-tss协议栈及tpm2-tools工具。 +openEuler 21.03 版本中默认安装了tpm驱动(tpm_tis.ko),tpm2-tss协议栈和tpm2-tools工具。若使用其他操作系统,可以使用如下命令检查是否安装了驱动和相关工具。 + + +``` +# lsmod |grep tpm +# tpm_tis 16384 0 +# +# yum list installed | grep -E 'tpm2-tss|tpm2-tools' +# +# yum install tpm2-tss tpm2-tools +``` +可以使用tpm2_pcrread(低版本tpm2_tools中使用tpm2_pcrlist)命令列出所有的pcr值。 + +``` +# tpm2_pcrread +sha1 : + 0 : fffdcae7cef57d93c5f64d1f9b7f1879275cff55 + 1 : 5387ba1d17bba5fdadb77621376250c2396c5413 + 2 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236 + 3 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236 + 4 : e5d40ace8bb38eb170c61682eb36a3020226d2c0 + 5 : 367f6ea79688062a6df5f4737ac17b69cd37fd61 + 6 : b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236 + 7 : 518bd167271fbb64589c61e43d8c0165861431d8 + 8 : af65222affd33ff779780c51fa8077485aca46d9 + 9 : 5905ec9fb508b0f30b2abf8787093f16ca608a5a + 10 : 0000000000000000000000000000000000000000 + 11 : 0000000000000000000000000000000000000000 + 12 : 0000000000000000000000000000000000000000 + 13 : 0000000000000000000000000000000000000000 + 14 : 0000000000000000000000000000000000000000 + 15 : 0000000000000000000000000000000000000000 + 16 : 0000000000000000000000000000000000000000 + 17 : ffffffffffffffffffffffffffffffffffffffff + 18 : ffffffffffffffffffffffffffffffffffffffff + 19 : ffffffffffffffffffffffffffffffffffffffff + 20 : ffffffffffffffffffffffffffffffffffffffff + 21 : ffffffffffffffffffffffffffffffffffffffff + 22 : ffffffffffffffffffffffffffffffffffffffff + 23 : 0000000000000000000000000000000000000000 +sha256 : + 0 : d020873038268904688cfe5b8ccf8b8d84c1a2892fc866847355f86f8066ea2d + 1 : 13cebccdb194dd916f2c0c41ec6832dfb15b41a9eb5229d33a25acb5ebc3f016 + 2 : 
3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 + 3 : 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 + 4 : 07f9074ccd4513ef1cafd7660f9afede422b679fd8ad99d25c0659eba07cc045 + 5 : ba34c80668f84407cd7f498e310cc4ac12ec6ec43ea8c93cebb2a688cf226aff + 6 : 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 + 7 : 65caf8dd1e0ea7a6347b635d2b379c93b9a1351edc2afc3ecda700e534eb3068 + 8 : f440af381b644231e7322babfd393808e8ebb3a692af57c0b3a5d162a6e2c118 + 9 : 54c08c8ba4706273f53f90085592f7b2e4eaafb8d433295b66b78d9754145cfc + 10 : 0000000000000000000000000000000000000000000000000000000000000000 + 11 : 0000000000000000000000000000000000000000000000000000000000000000 + 12 : 0000000000000000000000000000000000000000000000000000000000000000 + 13 : 0000000000000000000000000000000000000000000000000000000000000000 + 14 : 0000000000000000000000000000000000000000000000000000000000000000 + 15 : 0000000000000000000000000000000000000000000000000000000000000000 + 16 : 0000000000000000000000000000000000000000000000000000000000000000 + 17 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 18 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 19 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 20 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 21 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 22 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + 23 : 0000000000000000000000000000000000000000000000000000000000000000 +``` 
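Review bot: In step 3 of the vTPM configuration (启动虚拟机), `chmod -R 777 /var/lib/swtpm-localca/` makes the swtpm local CA directory readable and writable by every local user, in a section whose whole purpose is building a trust chain; anyone on the host could then read or replace the CA material the vTPM certificates are issued from. Suggest documenting the narrowest ownership and mode that still lets libvirt start swtpm (owned by the account swtpm runs under, no access for others) instead of 777. Separately, the 说明 in this hunk refers to openEuler 20.09 while the rest of the section says 21.03, and its icon path lacks the `./` prefix this patch adds to every other `public_sys-resources` reference.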
diff --git "a/content/zh/docs/Virtualization/\347\203\255\350\277\201\347\247\273\350\231\232\346\213\237\346\234\272.md" "b/docs/zh/docs/Virtualization/\347\203\255\350\277\201\347\247\273\350\231\232\346\213\237\346\234\272.md" similarity index 68% rename from "content/zh/docs/Virtualization/\347\203\255\350\277\201\347\247\273\350\231\232\346\213\237\346\234\272.md" rename to "docs/zh/docs/Virtualization/\347\203\255\350\277\201\347\247\273\350\231\232\346\213\237\346\234\272.md" index 0796679de5acc7e9e5e913044922d0c479e9419b..e0ae48c4e70a3b01a89ba46907105d102945090f 100644 --- "a/content/zh/docs/Virtualization/\347\203\255\350\277\201\347\247\273\350\231\232\346\213\237\346\234\272.md" +++ "b/docs/zh/docs/Virtualization/\347\203\255\350\277\201\347\247\273\350\231\232\346\213\237\346\234\272.md" @@ -52,9 +52,26 @@ ### 前提条件 - 进行热迁移之前要确保源端和目的端主机之间的网络是互通的,并且源端和目的获得资源权限是对等的,即两端同时能够访问到相同的存储资源和网络资源。 - - 在执行虚拟机热迁移前应当对虚拟机进行健康检查,并确保目的端主机有足够的CPU、内存和存储资源。 +### 热迁移脏页率预测(可选) + +用户在迁移前可以使用dirtyrate功能,获取热迁移的内存脏页变化速率,根据虚拟机内存使用情况评估虚拟机是否适合迁移或配置合理的迁移参数。 + +使用方法: + +例如,指定名为openEulerVM的虚拟机,计算时间为1s: + +``` +virsh qemu-monitor-command openEulerVM '{"execute":"calc-dirty-rate", "arguments": {"calc-time": 1}} +``` + +间隔1s后,查询脏页变化速率: + +``` +virsh qemu-monitor-command openEulerVM '{"execute":"query-dirty-rate"}' +``` + ### 设置热迁移参数(可选) 在执行热迁移之前,可以通过使用 virsh migrate-setmaxdowntime命令来指定虚拟机热迁移过程中能够容忍的最大停机时间,这是一个可选的配置项。 
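Review bot: The first command in the new 热迁移脏页率预测 section is missing the closing single quote after the JSON argument (it ends at `{"calc-time": 1}}`), so a user who pastes it gets a shell continuation prompt instead of a result; the `query-dirty-rate` command below it is quoted correctly. Add the trailing `'`. Both commands also drop the `# ` prompt that the existing virsh examples in this file carry, and the text never says what unit the returned dirty rate is in or what value should make a user reconsider or retune the migration, which is the stated reason for running it.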
@@ -79,6 +96,52 @@ # virsh migrate-getspeed openEulerVM 500 ``` +用户可以使用migrate-set-parameters来设置热迁移时相关的参数,与热迁移压缩的参数如下所示: + +1. compress-level: 压缩级别,默认:1 +2. compress-threads: 压缩线程数目,默认:8 +3. compress-wait-thread: 是否等待压缩线程,默认:true +4. decompress-threads: 解压缩线程数目,默认:2 +5. compress-method: 压缩算法选择(zlib、zstd),默认:zlib + +例如,指定名为_openEulerVM_的虚拟机热迁算法为zstd,其余参数采用默认设置。 + +``` +# virsh qemu-monitor-command openeulerVM '{ "execute": "migrate-set-parameters", "arguments": {"compress-method": "zstd"}}' +``` + +用户可以使用query-migrate-parameters来查询热迁移时相关的参数。 +``` +# virsh qemu-monitor-command openeulerVM '{ "execute": "query-migrate-parameters"}' --pretty + +{ + "return": { + "xbzrle-cache-size": 67108864, + "cpu-throttle-initial": 20, + "announce-max": 550, + "decompress-threads": 2, + "compress-threads": 8, + "compress-level": 1, + "compress-method": "zstd", + "multifd-channels": 2, + "announce-initial": 50, + "block-incremental": false, + "compress-wait-thread": true, + "downtime-limit": 300, + "tls-authz": "", + "announce-rounds": 5, + "announce-step": 100, + "tls-creds": "", + "max-cpu-throttle": 99, + "max-postcopy-bandwidth": 0, + "tls-hostname": "", + "max-bandwidth": 33554432, + "x-checkpoint-delay": 20000, + "cpu-throttle-increment": 10 + }, + "id": "libvirt-18" +} +``` ### 热迁移操作(共享存储场景) @@ -102,7 +165,7 @@ # virsh migrate --live --unsafe openEulerVM qemu+ssh:///system ``` - 其中,为目的主机IP地址,热迁移之前需要进行ssh认证以获取目的端主机管理源权限。 + 其中,为目的主机IP地址,热迁移之前需要进行ssh认证以获取目的端主机管理员权限。 另外,virsh migrate命令还有--auto-converge和--timeout子选项来保证迁移的顺利完成。 
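Review bot: In the migrate-set-parameters addition (the `@@ -79,6 +96,52 @@` hunk), the sentence names the domain _openEulerVM_ but both commands pass `openeulerVM`; the spelling differs from every other example in the file, so libvirt would look up a different domain than the one the reader defined. Use `openEulerVM` in both commands. The lead-in "与热迁移压缩的参数如下所示" also reads as if a word was dropped (与热迁移压缩相关的参数), and since the sample `query-migrate-parameters` output shows empty `tls-creds`, `tls-authz` and `tls-hostname`, a cross-reference to the encrypted-transfer section added later in this file would help readers who expect those fields to be set.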
@@ -146,3 +209,35 @@ 3. 热迁移完成后命令返回,虚拟机在目的端主机行正常运行,存储设备也被迁移到目的主机上。 +### 热迁移操作(加密传输) + +1. 简介 + +​ 为了能够更好的对虚拟机热迁移过程中数据的加密,openEuler提供了使用TLS对迁移数据进行加密的特性。几乎QEMU中所有的网络服务都能够使用TLS对会话数据进行加密操作,同时也可以使用X509证书对客户端进行简单的身份认证。 + +2. 应用场景 + +​ 典型应用场景为要求热迁移过程中虚拟机数据在源端和目的端进行传输时保证数据的安全性。 + +3. 注意事项 + +​ 在使用TLS对虚拟机进行热迁移前,需要申请证书,然后在源端和目的端分别设置证书。使用TLS功能前需要打开对端认证配置项,需在/etc/libvirt/qemu.conf文件中设置migrate_tls_x509_verify = 1。 + +​ 单通道TLS热迁移的业务中断时长、迁移时长会有明显增长,迁移带宽上限100~200MB/s,可能导致迁移失败。 + +​ 支持使用multiFd进行多通道TLS迁移,但会增加CPU开销(多开2个迁移线程),可能影响虚拟机运行;建议通过设置热迁移线程CPU亲和性将热迁移线程享受的CPU资源与虚拟机进程绑定的CPU资源隔离,迁移每台虚拟机建议绑定2个CPU。 + +4. 使用方法 + +单通道热迁移加密传输命令 + +``` +virsh migrate --live --unsafe --tls --domain openEulerVM --desturi qemu+tcp:///system --migrateuri tcp:// +``` + +多通道热迁移加密传输命令 + +``` +virsh migrate --live --unsafe --parallel --tls --domain openEulerVM --desturi qemu+tcp:///system --migrateuri tcp:// +``` + diff --git "a/content/zh/docs/Virtualization/\347\256\241\347\220\206\347\263\273\347\273\237\350\265\204\346\272\220.md" "b/docs/zh/docs/Virtualization/\347\256\241\347\220\206\347\263\273\347\273\237\350\265\204\346\272\220.md" similarity index 70% rename from "content/zh/docs/Virtualization/\347\256\241\347\220\206\347\263\273\347\273\237\350\265\204\346\272\220.md" rename to "docs/zh/docs/Virtualization/\347\256\241\347\220\206\347\263\273\347\273\237\350\265\204\346\272\220.md" index fdbab66cedfa539d53f0869f2d509daf2bfb8610..918b3b1aca14926e3c3e84655ad225d004208871 100644 --- "a/content/zh/docs/Virtualization/\347\256\241\347\220\206\347\263\273\347\273\237\350\265\204\346\272\220.md" +++ "b/docs/zh/docs/Virtualization/\347\256\241\347\220\206\347\263\273\347\273\237\350\265\204\346\272\220.md" 
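Review bot: In the 热迁移操作(加密传输) section added to 热迁移虚拟机.md, both commands pair `--tls` with `--desturi qemu+tcp://...`. `--tls` protects the migration data stream, but libvirt's `tcp` transport for the management connection is unencrypted, so the section promises encrypted transfer while the control channel it shows is plaintext. Suggest `qemu+tls://` (certificates are already required by the 注意事项 item) or `qemu+ssh://` as in the shared-storage example, or an explicit statement that `qemu+tcp` is only acceptable on a trusted management network. The section should also explain why `--unsafe` is needed here, and the paragraphs under 简介, 应用场景 and 注意事项 start with a zero-width space character that should be removed.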
@@ -1,28 +1,15 @@ # 管理系统资源 -使用libvirt命令来管理虚拟机的系统资源,如vCPU、虚拟内存资源等。 + +## 总体说明 + +openEuler 虚拟化使用libvirt命令来管理虚拟机的系统资源,如vCPU、虚拟内存资源等。 在开始前: - 确保主机上运行了libvirtd守护进程。 - 用virsh list --all命令确认虚拟机已经被定义。 - -- [管理系统资源](#管理系统资源) - - [管理虚拟CPU](#管理虚拟CPU) - - [CPU份额](#CPU份额) - - [绑定QEMU进程至物理CPU](#绑定QEMU进程至物理CPU) - - [调整虚拟CPU绑定关系](#调整虚拟CPU绑定关系) - - [CPU热插](#CPU热插) - - [管理虚拟内存](#管理虚拟内存) - - [NUMA简介](#NUMA简介) - - [配置Host NUMA](#配置Host-NUMA) - - [配置Guest NUMA](#配置Guest-NUMA) - - [内存热插](#内存热插) - - - - ## 管理虚拟CPU 
@@ -213,57 +200,87 @@ QEMU主进程绑定特性是将QEMU主进程绑定到特定的物理CPU范围内 #### 概述 -在线调整(热插)虚拟机CPU是指在虚拟机处于运行状态下,为虚拟机热插CPU而不影响虚拟机正常运行的方案。当虚拟机内部业务压力不断增大,会出现所有CPU均处于较高负载的情形。为了不影响虚拟机内的正常业务运行,可以使用CPU在线调整(热插)特性,在不关闭虚拟机情况下增加虚拟机的CPU数目,提升虚拟机的计算能力。 +在线增加(热插)虚拟机CPU是指在虚拟机处于运行状态下,为虚拟机热插CPU而不影响虚拟机正常运行的方案。当虚拟机内部业务压力不断增大,会出现所有CPU均处于较高负载的情形。为了不影响虚拟机内的正常业务运行,可以使用CPU热插功能(在不关闭虚拟机情况下增加虚拟机的CPU数目),提升虚拟机的计算能力。 #### 约束限制 -- 创建虚拟机的时候,指定的主板类型(machine)需为virt-4.1版本及以上。 -- 在配置Guest NUMA的场景中,必须把属于同一个socket的vcpu配置在同一vNode中,否则在热插CPU后可能导致虚拟机softlockup,进而可能导致panic。 -- 迁移、休眠唤醒、快照过程中均不支持虚拟机CPU热插。 +- 如果处理器为AArch64架构,创建虚拟机时指定的虚拟机芯片组类型\(machine\)需为virt-4.1或virt更高版本。如果处理器为x86\_64架构,创建虚拟机时指定的虚拟机芯片组类型\(machine\)需为pc-i440fx-1.5或pc更高版本。 +- 在配置Guest NUMA的场景中,必须把属于同一个socket的vcpu配置在同一vNode中,否则热插CPU后可能导致虚拟机softlockup,进而可能导致虚拟机panic。 +- 虚拟机在迁移、休眠唤醒、快照过程中均不支持CPU热插。 +- 虚拟机CPU热插是否自动上线取决于虚拟机操作系统自身逻辑,虚拟化层不保证热插CPU自动上线。 - CPU热插同时受限于Hypervisor和GuestOS支持的最大CPU数目。 - 虚拟机启动、关闭、重启过程中可能出现热插CPU失效的情况,但再次重启会生效。 -- 热插虚拟机CPU的时候,如果新增CPU数目不是虚拟机CPU拓扑配置项中Cores的整数倍,可能会导致虚拟机内部看到的CPU拓扑是混乱的,强烈建议每次新增的CPU数目为Cores的整数倍。 +- 热插虚拟机CPU的时候,如果新增CPU数目不是虚拟机CPU拓扑配置项中Cores的整数倍,可能会导致虚拟机内部看到的CPU拓扑是混乱的,建议每次新增的CPU数目为Cores的整数倍。 - 若需要热插CPU在线生效且在虚拟机重启后仍有效,virsh setvcpus接口中需要同时传入--config和--live选项, 将热插CPU动作持久化。 #### 操作步骤 -- 创建虚拟机时配置指定的模板 +**一、配置虚拟机XML** - 配置指定虚拟机当前的CPU数目和所支持热插的最大CPU数目上限,同时指定machine类型为virt-4.1及以上 (目前virt machine类型最高为4.1)。 +1. 使用CPU热插功能,需要在创建虚拟机时配置虚拟机当前的CPU数目、虚拟机所支持的最大CPU数目,以及虚拟机芯片组类型(对于AArch64架构,需为virt-4.1及以上版本。对于x86\_64架构,需为pc-i440fx-1.5及以上版本)。这里以AArch64架构虚拟机为例,配置模板如下: ``` - n - - hvm - + + ... + n + + hvm + + ... 
+ ``` - 其中,m为虚拟机当前CPU数目,n为虚拟机支持热插到的最大CPU数目,且满足n大于或等于m。例如,配一个虚拟机当前CPU数目为4,最大支持的热插CPU上限为64的XML配置为: + + >![](./public_sys-resources/icon-note.gif) **说明:** + >- placement的值必须是static。 + >- m为虚拟机当前CPU数目,即虚拟机启动后默认的CPU数目。n为虚拟机支持热插到的最大CPU数目,该值不能超过Hypervisor支持的虚拟机最大CPU规格及GuestOS支持的最大CPU规格。n大于或等于m。 + + 例如,配一个虚拟机当前CPU数目为4,最大支持的热插CPU上限为64的XML配置为: ``` - 64 - - hvm - + + …… + 64 + + hvm + + …… ``` - >![](public_sys-resources/icon-note.gif) **说明:** - > placement的值必须是static;当前CPU数目是虚拟机启动后默认的CPU数目;热插CPU数目上限是虚拟机CPU热插能到达的上限值,该值不能超过Hypervisor支持的虚拟机最大CPU规格及GuestOS支持的最大CPU规格。 -- 使用virsh命令执行虚拟机CPU热插操作 - virsh进行虚拟机CPU热插操作的命令为virsh setvcpus,具体格式如下: +**二、热插并上线CPU** + +1. 如果热插CPU后需要自动上线热插的CPU,可以使用root权限在虚拟机内部创建udev rules文件/etc/udev/rules.d/99-hotplug-cpu.rules,并在其中定义udev规则,内容参考如下: ``` - virsh setvcpus [--config] [--live] + # automatically online hot-plugged cpu + ACTION=="add", SUBSYSTEM=="cpu", ATTR{online}="1" + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >如果没有使用udev rules自动上线热插CPU,可以在热插CPU后,使用root权限,参考如下命令手动上线: + >``` + >for i in `grep -l 0 /sys/devices/system/cpu/cpu*/online` + >do + > echo 1 > $i + >done + >``` - domain: 参数,必填。指定虚拟机名称。 - count: 参数,必填。指定目标CPU数量。 - --config: 选项,选填。下次启动时仍有效。 - --live: 选项,选填。在线生效。 +2. 利用virsh工具进行虚拟机CPU热插操作。例如给虚拟机openEulerVM热插CPU到6,且在线生效的参考命令如下: + + ``` + virsh setvcpus openEulerVM 6 --live ``` - >![](public_sys-resources/icon-note.gif) **说明:** - > CPU上线依赖虚拟机内部操作,故CPU热插后需要Guest内部实现CPU自动上线或手动上线。 + >![](./public_sys-resources/icon-note.gif) **说明:** + >virsh setvcpus 进行虚拟机CPU热插操作的格式如下: + >``` + >virsh setvcpus [--config] [--live] + >``` + >- domain: 参数,必填。指定虚拟机名称。 + >- count: 参数,必填。指定目标CPU数目,即热插后虚拟机CPU数目。 + >- --config: 选项,选填。虚拟机下次启动时仍有效。 + >- --live: 选项,选填。在线生效。 ## 管理虚拟内存 
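Review bot: In 热插并上线CPU step 2, the example `virsh setvcpus openEulerVM 6 --live` applies the change online only, while the 约束限制 list in this same hunk says `--config` and `--live` must both be passed for the hot-plugged CPUs to remain after the guest restarts; a reader who follows the example loses the change on reboot. Either show `--live --config` in the example or add a sentence after it that points back to that constraint. Minor: the 4/64 example uses `……` as the elision marker where the template above it uses `...`, and section 一 is a numbered list with a single item.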
@@ -315,7 +332,7 @@ NUMA(Non Uniform Memory Access Architecture) 模式是一种分布式存储 假设虚拟机的vCPU也绑定在NODE0的物理CPU上,就可以避免由于vCPU访问远端内存带来的性能下降。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- 分配给虚拟机的内存不要超过该NUMA节点剩余的可用内存,否则可能导致虚拟机启动失败。 >- 建议虚拟机内存和vCPU都绑定在同一NUMA节点,避免vCPU访问远端内存造成性能下降。例如将上例中vCPU也绑定在NUMA node 0上。 @@ -350,7 +367,7 @@ NUMA(Non Uniform Memory Access Architecture) 模式是一种分布式存储 ``` ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 项提供虚拟机内部呈现NUMA拓扑功能,“cell id”表示vNode编号,“cpus”表示vCPU编号,“memory”表示对应vNode上的内存大小。 >- 如果希望通过Guest NUMA提供更好的性能,则需要配置,使vCPU和对应的内存分布在同一个物理NUMA NODE上: > - 中的“cellid”和中的“cell id”是对应的;“mode”可以配置为“strict”(严格从指定node上申请内存,内存不够则失败)、“preferred”(优先从某一node上申请内存,如果不够则从其他node上申请)、“interleave”(从指定的node上交叉申请内存);“nodeset”表示指定物理NUMA NODE。 @@ -365,13 +382,13 @@ NUMA(Non Uniform Memory Access Architecture) 模式是一种分布式存储 #### 约束限制 -- 创建虚拟机的时候,指定的主板类型(machine)需为virt-4.1版本及以上。 +- 创建虚拟机的时候,AArch64平台上指定的主板类型(machine)需为virt-4.1或更高virt以上,x86平台上指定的主板类型需要为pc-i440fx-1.5以上版本。 - 内存热插特性依赖于Guest NUMA,虚拟机必须配置Guest NUMA,否则无法完成内存热插流程。 - 热插内存时候必须指定新增内存所属的Gust NUMA node编号,否则内存热插失败。 - 虚拟机内核必须支持内存热插能力,否则虚拟机无法识别新增内存或者无法上线内存。 - 配置使用大页的虚拟机,热插内存的容量必须是系统hugepagesz的整数倍,否则会导致热插失败。 - 热插内存的大小必须为Guest物理内存块大小block_size_bytes的整数倍,否则无法正常上线。在Guest内部执行lsmem可以获取block_size_bytes大小。 -- 配置n个virtio-net网卡后,最大可热插次数取值为min{max_slot, 64 - n},原因是要给网卡预留slot。 +- 配置n个virtio-net网卡后,最大可热插次数取值为min{max_slot, 64 - n},因为要给网卡预留slot。 - vhost-user设备和内存热插特性互斥。配置了vhost-user设备的虚拟机不支持内存热插;内存热插后,不支持虚拟机热插vhost-user设备。 - 如果虚拟机操作系统为Linux系列,请确保初始内存大于等于4GB。 - 如果虚拟机操作系统为Windows类型,第一次热插内存必须指定到Guest NUMA node0上,否则热插内存无法被虚拟机识别。 
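Review bot: In the 内存热插 约束限制 hunk, the rewritten first bullet reads "需为virt-4.1或更高virt以上" and "pc-i440fx-1.5以上版本", which is garbled and also differs from the CPU 热插 wording introduced by this same patch ("virt-4.1或virt更高版本", "pc-i440fx-1.5或pc更高版本"), leaving it unclear whether 4.1 and 1.5 themselves are supported. Reuse the CPU section's sentence so both constraints state the same minimum machine types. The unchanged neighbouring bullet still contains the typo "Gust NUMA node" and could be corrected while this list is being edited.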
@@ -381,53 +398,67 @@ NUMA(Non Uniform Memory Access Architecture) 模式是一种分布式存储 #### 操作步骤 -在虚拟机创建时候配可热插内存最大范围,预留槽位号,并配置Guest NUMA拓扑结构。 +**一、配置虚拟机XML** + +1. 使用内存热插功能,需要在创建虚拟机时配置可热插内存的最大范围、预留槽位号,并配置Guest NUMA拓扑结构。 + + 例如,为虚拟机配置32GiB初始内存,预留256个槽位号,最大支持1TiB内存上限,2个NUMA node的配置为: -- 创建虚拟机,预留内存热插槽位 ``` - 32 - 1024 - - - - - + + 32 + 1024 + + + + + - + + .... ``` - 上述xml表示为虚拟机配置32G初始内存,预留256个槽位号,最大支持1TB内存上限,2个NUMA node的配置为: - >![](public_sys-resources/icon-note.gif) **说明:** - >其中: - >- maxMemory字段中slots号表示预留的内存插槽,最大为256; - >- maxMemory表示虚拟机支持的最大物理内存上限; - >- Guest NUMA配置请参考配置Guest NUMA相关章节。 -- 准备内存描述xml文件 +>![](./public_sys-resources/icon-note.gif) **说明:** +>其中: +>maxMemory字段中slots号表示预留的内存插槽,最大取值为256。 +>maxMemory表示虚拟机支持的最大物理内存上限。 +>Guest NUMA配置请参见“配置Guest NUMA”相关章节。 + +**二、热插并上线内存** + +1. 如果热插内存后需要自动上线热插的内存,可以使用root权限在虚拟机内部创建udev rules文件/etc/udev/rules.d/99-hotplug-memory.rules,并在其中定义udev规则,内容参考如下: + + ``` + # automatically online hot-plugged memory + ACTION=="add", SUBSYSTEM=="memory", ATTR{state}="online" + ``` + +2. 根据需要热插的内存大小和虚拟机Guest NUMA Node创建内存描述xml文件。 + + 例如,热插1GiB内存到NUMA node0上: + ``` - + 1024 0 - - ``` - -- 使用virsh attach-device接口为虚拟机热插内存 - ``` - # virsh attach-device openEulerVM memory.xml --live - ``` - 上述命令行中memory.xml是热插内存的描述文件,可选参数--live表示在线生效,也可以加--config表示将热插内存持久化到虚拟机xml文件中。 - -- 热插内存上线 - - 使用shell脚本来完成内存上线的方法为: - ``` - for i in `grep -l offline /sys/devices/system/memory/memory*/state` - do - echo online > $i - done - ``` - 也可以使用udev rules自动完成内存上线。编辑udev rules创建文件/etc/udev/rules.d/99-hotplug-memory.rules - ``` - # automatically online hot-plugged memoryACTION=="add", SUBSYSTEM=="memory", ATTR{state}="online" - ``` +
+ + ``` + +3. 使用virsh attach-device命令为虚拟机热插内存。其中openEulerVM为虚拟机名称,memory.xml为热插内存的描述文件,--live表示热插内存在线生效,也可以使用--config 将热插内存持久化到虚拟机xml文件中。 + + ``` + # virsh attach-device openEulerVM memory.xml --live + ``` + + >![](./public_sys-resources/icon-note.gif) **说明:** + >如果没有使用udev rules自动上线热插内存,也可以使用root权限,参考如下命令手动上线: + >``` + >for i in `grep -l offline /sys/devices/system/memory/memory*/state` + >do + > echo online > $i + >done + >``` + diff --git "a/content/zh/docs/Virtualization/\347\256\241\347\220\206\350\231\232\346\213\237\346\234\272.md" "b/docs/zh/docs/Virtualization/\347\256\241\347\220\206\350\231\232\346\213\237\346\234\272.md" similarity index 78% rename from "content/zh/docs/Virtualization/\347\256\241\347\220\206\350\231\232\346\213\237\346\234\272.md" rename to "docs/zh/docs/Virtualization/\347\256\241\347\220\206\350\231\232\346\213\237\346\234\272.md" index 0cc5312a72d3b9d1ca0f2aa9034454eaf726e821..af14e672076f11f073211f43f5580e5960b9e117 100644 --- "a/content/zh/docs/Virtualization/\347\256\241\347\220\206\350\231\232\346\213\237\346\234\272.md" +++ "b/docs/zh/docs/Virtualization/\347\256\241\347\220\206\350\231\232\346\213\237\346\234\272.md" @@ -10,6 +10,9 @@ - [登录虚拟机](#登录虚拟机) - [使用VNC密码登录](#使用VNC密码登录) - [配置VNC TLS登录](#配置VNC-TLS登录) + - [虚拟机安全启动](#虚拟机安全启动) + - [总体介绍](#总体介绍) + - [安全启动实践](#安全启动实践) ## 虚拟机生命周期 @@ -36,7 +39,7 @@ 虚拟机不同状态之间可以相关转换,但必须满足一定规则。虚拟机不同状态之间的转换常用规则如[图1](#fig671014583483)所示。 **图 1** 状态转换图 -![](figures/状态转换图.png "状态转换图") +![](./figures/status-transition-diagram.png) #### 虚拟机标识 @@ -71,7 +74,7 @@ ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >可通过virsh命令查询虚拟机Id和UUID,操作方法请参见[查询虚拟机信息](#查询虚拟机信息)章节内容。 ### 管理命令 @@ -223,7 +226,7 @@ virsh # virsh undefine ``` - 其中为销毁虚拟机的策略,可取值: + 其中\为销毁虚拟机的策略,可取值: nvram:销毁虚拟机的同时删除其对应的nvram文件。 
@@ -268,12 +271,16 @@ virsh edit命令通过编辑“domain”对应的XML配置文件,完成对虚 3. 修改虚拟机配置文件。 4. 保存虚拟机配置文件并退出。 -5. 重启虚拟机使配置修改生效。 +5. 关闭虚拟机。 ``` - # virsh reboot openEulerVM + # virsh shutdown openEulerVM ``` +6. 启动虚拟机使配置修改生效。 + ``` + # virsh start openEulerVM + ``` ## 查询虚拟机信息 @@ -454,7 +461,7 @@ Libvirt组件提供了一组查询虚拟机状态信息的命令,包括虚拟 Target Source --------------------------------------------------------------------- sda /home/openeuler/vm/openEuler_aarch64.qcow2 - sdb /home/openeuler/vm/openEuler-20.03-LTS-aarch64-dvd.iso + sdb /home/openeuler/vm/openEuler-20.09-aarch64-dvd.iso ``` - 使用virsh domiflist查询虚拟机网卡信息,从查询结果可知,虚拟机有1张网卡,对应的后端是vnet0在主机br0网桥上,MAC地址为00:05:fe:d4:f1:cc。 @@ -499,7 +506,7 @@ Libvirt组件提供了一组查询虚拟机状态信息的命令,包括虚拟 - 虚拟机的VNC侦听端口,该端口一般在客户机启动时自动分配,一般为5900 + x(x为正整数,按照虚拟机启动的顺序递增,且5900对用户不可见)。 - 如果VNC设置了密码,还需要获取虚拟机的VNC密码。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >为虚拟机VNC配置密码,需要编辑虚拟机XML配置文件,即为graphics元素新增一个passwd属性,属性的值为要配置的密码。例如,将虚拟机的VNC密码配置为n8VfjbFK的XML配置参考如下: >``` > @@ -517,7 +524,7 @@ Libvirt组件提供了一组查询虚拟机状态信息的命令,包括虚拟 :3 ``` - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >登录 VNC 需要配置防火墙规则,允许 VNC 端口的连接。参考命令如下,其中X为数值“5900 + 端口号” ,例如本例中为5903。 >``` >firewall-cmd --zone=public --add-port=X/tcp @@ -526,13 +533,13 @@ Libvirt组件提供了一组查询虚拟机状态信息的命令,包括虚拟 2. 打开VncViewer软件,输入主机IP和端口号。格式为“主机IP:端口号”,例如:“10.133.205.53:3”。 3. 单击“确定”输入VNC密码(可选),登录到虚拟机VNC进行操作。 -### 配置VNC-TLS登录.md">配置VNC TLS登录 +### 配置VNC-TLS登录 #### 概述 VNC服务端和客户端默认采用明文方式进行数据传输,因此通信内容可能被第三方截获。为了提升安全性,openEuler支持VNC服务端配置TLS模式进行加密认证。TLS(Tansport Layer Security)即传输层安全,可以实现VNC服务端和客户端之间加密通信,从而防止通信内容被第三方截获。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- 使用TLS加密认证模式需要VNC客户端支持TLS模式(例如TigerVNC),否则无法连接到VNC客户端。 >- TLS加密认证模式配置粒度为主机服务器级别,开启该特性后,主机上正在运行的所有虚拟机对应的VNC客户端都将开启TLS加密认证模式。 
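Review bot: In the VNC TLS hunk, the overview paragraph directly under the corrected heading still spells the expansion "Tansport Layer Security"; since this hunk is already cleaning up that section, fix it to "Transport". The first bullet of the note below it also says that a client without TLS support "无法连接到VNC客户端", where the thing being connected to is the VNC server (服务端).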
@@ -551,7 +558,7 @@ VNC开启TLS加密认证模式的操作步骤如下: 2. 为VNC创建证书和私钥文件。此处以GNU TLS为例进行说明。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >使用GNU TLS,请提前安装好gnu-utils软件包。 1. 制作证书颁发机构CA(Certificate Authority)的证书文件。 
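Review bot: The note touched by this hunk tells the reader to install "gnu-utils" before using GNU TLS. The GnuTLS command-line tools are normally shipped in a package named gnutls-utils; please confirm the name against the openEuler repository and correct it in the same change, since the line is meant to be copied into a package manager.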
@@ -643,8 +650,157 @@ VNC开启TLS加密认证模式的操作步骤如下: 5. 将生成的客户端证书ca-cert.pem,client-cert.pem和client-key.pem拷贝到VNC客户端。配置VNC客户端的TLS证书后即可使用VNC TLS登录。 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >- VNC客户端证书的配置请参见各客户端对应的使用说明,由用户自行配置。 >- 登录虚拟机的方式请参见“使用VNC密码登录”。 +## 虚拟机安全启动 + +### 总体介绍 + +#### 概述 + +安全启动(Secure Boot)就是利用公私钥对启动部件进行签名和验证。启动过程中,前一个部件验证后一个部件的数字签名,验证通过后,运行后一个部件,验证不通过则启动失败。安全启动的作用是检测设备启动阶段固件(Fireware)以及软件是否被篡改,防止恶意软件侵入和修改。通过安全启动可以保证系统启动过程中各个部件的完整性,防止没有经过认证的部件被加载运行,从而防止对系统及用户数据产生安全威胁。安全启动是在UEFI启动方式上实现的,Legacy启动方式不支持安全启动。根据UEFI规定,主板出厂的时候可以内置一些可靠的公钥。任何想要在这块主板上加载的操作系统或者硬件驱动程序,都必须通过这些公钥的认证。物理机上的安全启动由物理BIOS完成,虚拟机的安全启动通过软件模拟。虚拟机安全启动流程与host安全启动流程一致,都遵循开源UEFI规范。虚拟化平台上的UEFI由edk组件提供,虚拟机启动时qemu将UEFI镜像映射到内存中,为虚拟机模拟固件启动流程,安全启动正是虚拟机启动过程中edk提供的一个安全保护能力,用来保护虚拟机OS内核不被篡改。安全启动验签顺序:UEFI BIOS->shim->grub->vmlinuz(依次验签通过并加载)。 + +| 中文 | 英文 | 缩略语 | 中文定义/描述 | +| :-----| :----- | :----- | :----- | +| 安全启动 | Secure boot | Secure boot | 安全启动就是启动过程中,前一个部件验证后一个部件的数字签名,验证通过后,运行后一个部件,验证不通过就停下来。通过安全启动可以保证系统启动过程中各个部件的完整性。 | +| 平台密钥 | Platform key | PK | OEM厂商所有,必须为 RSA 2048 或更强,PK为平台拥有者和平台固件之间建立可信关系。平台拥有者将PK的公钥部分PKpub注册到平台固件中,平台拥有者可以使用PK的私有部分PKpriv来改变平台的拥有权或者注册KEK密钥。 | +| 密钥交换密钥 | Key exchange key | KEK | KEK为平台固件和OS之间创建可信关系。每一个操作系统和与平台固件通信的第三方应用在平台固件中注册KEK密钥的公共部分KEKpub。 | +| 签名数据库 | Database white list | DB | 存储验证shim、grub、vmlinuz等组件的密钥。 | +| 签名吊销数据库 | Database black list | DBx | 存储吊销的密钥。 | + +#### 功能说明 + +本次实现的虚拟机安全启动特性基于edk开源项目。非安全启动模式下,Linux基本流程如下: + +**图 1** 系统启动流程图 + +![](./figures/OSBootFlow.png) + +安全启动模式下UEFI BIOS启动后加载的首个组件是系统镜像中的shim,shim与UEFI BIOS进行交互获取存储在UEFI BIOS变量db里面的密钥对grub进行验证,加载grub后同样调用密钥和认证接口对kernel进行验证。Linux启动流程如下: + +**图 2** 安全启动流程图 + +![](./figures/SecureBootFlow.png) + +从整体处理流程上来看,安全启动特性包含多个关键场景,根据场景分析和系统分解,安全启动特性涉及以下几个子系统:UEFI BIOS校验shim,shim校验grub,grub校验kernel。UEFI BIOS对shim进行验证,验证通过则启动shim,不通过则提示错误,无法启动。Shim需要在镜像编译制作过程中使用私钥进行签名,公钥证书导入UEFI 
BIOS变量区DB中。Shim启动后验证启动grub,验证通过则启动grub,不通过则提示错误,无法启动。Grub需要在镜像编译制作过程中进行签名,使用和shim一样的公私钥对。Grub启动后检查调用shim注册在UEFI BIOS的认证接口和密钥对kernel进行验证,通过则启动内核,不通过则提示错误,grub需要在镜像编译制作过程中进行签名,使用和shim一样的公私钥对。 + +#### 约束限制 + +* 在不支持安全启动的UEFI BIOS上运行,对现有功能没有影响,业务无感知。 +* 安全启动特性依赖UEFI BIOS,必须在UEFI支持此功能的条件下才能发挥作用。 +* 在UEFI BIOS开启安全启动的情况下,如果相关部件没有签名或签名不正确,则无法正常启动系统。 +* 在UEFI BIOS关闭安全启动的情况下,启动过程的验证功能都会被关闭。 +* 安全启动验证链后半段,即shim->grub->kernel引导内核启动这部分的验证链由操作系统镜像实现,若操作系统不支持引导内核安全启动过程,则虚拟机安全启动失败。 +* 当前不提供x86架构使用nvram文件配置虚拟机安全启动 + +### 安全启动实践 + +虚拟机安全启动依赖于UEFI BIOS的实现,UEFI BIOS镜像通过edk rpm包安装,本节以AArch64为例对虚拟机安全启动进行配置。 + +#### 虚拟机配置 + +edk rpm包中的组件安装于/usr/share/edk2/aarch64目录下,包括`QEMU_EFI-pflash.raw`和`vars-template-pflash.raw`。虚拟机启动UEFI BIOS部分xml配置如下: + +``` + + hvm + /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw + /path/to/QEMU-VARS.fd + +``` + +其中/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw为UEFI BIOS镜像路径。/usr/share/edk2/aarch64/vars-template-pflash.raw为nvram镜像模板路径,/path/to/QEMU-VARS.fd为当前虚拟机nvram镜像文件路径,用于保存UEFI BIOS系统中的环境变量。 + +#### 证书导入 + +虚拟机安全启动时的证书从BIOS界面导入,在证书导入前需要将证书文件导入到虚拟机中。可以通过挂载磁盘的方式将证书文件所在目录挂载到虚拟机中,例如制作包含证书的镜像,并在虚拟机的配置文件xml中配置挂载该镜像: + +制作证书文件镜像 + +``` +dd of='/path/to/data.img' if='/dev/zero' bs=1M count=64 +mkfs.vfat -I /path/to/data.img +mkdir /path/to/mnt +mount path/to/data.img /path/to/mnt/ +cp -a /path/to/certificates/* /path/to/mnt/ +umount /path/to/mnt/ +``` +其中,/path/to/certificates/为证书文件所在路径,/path/to/data.img为证书文件镜像所在路径,/path/to/mnt/为镜像挂载路径。 + +在虚拟机xml文件中配置挂载该镜像 + +``` + + + + + + + + + +``` + +启动虚拟机,导入PK证书,流程如下(KEK证书,DB证书导入方式相同): + +虚拟机启动后,点击F2进入bios界面 + +**图 1** 进入bios界面 + +![](./figures/CertEnrollP1.png) + +**图 2** 进入Device Manager + +![](./figures/CertEnrollP2.png) + +**图 3** 进入Custom Secure Boot Options + +![](./figures/CertEnrollP3.png) + +**图 4** 进入PK Options + +![](./figures/CertEnrollP4.png) + +**图 5** Enroll PK + +![](./figures/CertEnrollP5.png) + +在File Explorer界面可以看到很多磁盘目录,其中包括我们通过磁盘挂载的证书文件目录 + +**图 6** File Explorer + +![](./figures/CertEnrollP6.png) + 
+在磁盘目录中选择要导入的PK证书 + +**图 7** 进入证书所在磁盘 + +![](./figures/CertEnrollP7.png) + +**图 8** 选择Commit Changes and Exit保存导入证书 + +![](./figures/CertEnrollP8.png) + +导入证书后,UEFI BIOS将证书信息以及安全启动属性写入nvram配置文件/path/to/QEMU-VARS.fd中,虚拟机下一次启动时会从/path/to/QEMU-VARS.fd文件中读取相关配置并初始化证书信息以及安全启动属性,自动导入证书并开启安全启动。同样,我们可以将/path/to/QEMU-VARS.fd作为其他相同配置虚拟机的UEFI BIOS启动配置模板文件,通过修改nvram template字段使其他虚拟机启动时自动导入证书并开启安全启动选项,虚拟机xml配置修改如下: + +``` + + hvm + /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw + + +``` + +#### 安全启动观测 + +正确配置虚拟机并导入PK、KEK、DB证书后,虚拟机将以安全启动的方式运行。可以通过在虚拟机配置文件xml中配置串口日志文件观测虚拟机是否为安全启动,串口日志文件的配置方式如: + +``` + + + +``` +虚拟机加载系统镜像成功后,当串口日志文件中出现"UEFI Secure Boot is enabled"信息时,表明虚拟机当前为安全启动。 diff --git "a/docs/zh/docs/Virtualization/\347\256\241\347\220\206\350\231\232\346\213\237\346\234\272\345\217\257\347\273\264\346\212\244\346\200\247.md" "b/docs/zh/docs/Virtualization/\347\256\241\347\220\206\350\231\232\346\213\237\346\234\272\345\217\257\347\273\264\346\212\244\346\200\247.md" new file mode 100644 index 0000000000000000000000000000000000000000..5b90254e7e63a43aab3a553a2adacc879912463e --- /dev/null +++ "b/docs/zh/docs/Virtualization/\347\256\241\347\220\206\350\231\232\346\213\237\346\234\272\345\217\257\347\273\264\346\212\244\346\200\247.md" 
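Review bot: In the certificate image commands of the new 虚拟机安全启动 section, the mount line is `mount path/to/data.img /path/to/mnt/`, with a relative image path, while the `dd` and `mkfs.vfat` lines above it use `/path/to/data.img`; add the leading slash so the sequence works when copied as is. In the same hunk, the overview has "固件(Fireware)" for Firmware, the 功能说明 paragraph states twice that grub is signed with the same key pair as shim, and the last 约束限制 bullet ("当前不提供x86架构使用nvram文件配置虚拟机安全启动") is missing its closing punctuation. The paragraph on reusing /path/to/QEMU-VARS.fd as an nvram template for other VMs should also say that this file carries the enrolled PK, KEK and DB certificates and the Secure Boot setting, so it has to be protected from modification like any other trust anchor.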
@@ -0,0 +1,23 @@ +# 管理虚拟机可维护性 + +## 虚拟机NMI Watchdog + +### 概述 + +NMI Watchdog是一种用来检测Linux出现hardlockup(硬死锁)的机制。通过产生NMI不可屏蔽中断,从而在Linux内核关闭中断的代码区间也能打断代码的执行,进一步检测内核是否出现硬死锁。当前ARM架构不支持原生NMI中断,通过使能基于中断优先级的Pseudo-NMI,将PMI(Performance Monitoring Interrupt)中断配置为NMI中断,实现NMI Watchdog(即PMU Watchdog)。 + +### 注意事项 + +- 虚拟机内部OS需要支持Pseudo-NMI并配置相应内核参数 +- 虚拟机上PMU Watchdog的配置方式与host上相同,无需对xml文件进行其他配置 +- 同样作为NMI Watchdog,SDEI Watchdog的优先级高于PMU Watchdog,因此要禁用SDEI Watchdog才会使能PMU Watchdog;虚拟机不支持SDEI Watchdog,因此要注意通过配置内核参数将其禁用 + +### 操作步骤 + +针对ARM架构虚拟机配置NMI Watchdog的操作步骤如下: +1. 在虚拟机的引导配置文件grub.cfg中添加如下参数:nmi_watchdog=1 pmu_nmi_enable hardlockup_cpu_freq=auto irqchip.gicv3_pseudo_nmi=1 disable_sdei_nmi_watchdog +2. 检查虚拟机内部PMU Watchdog是否加载成功,如果加载成功,内核dmesg日志打印类似如下内容 + + ``` + [2.1173222] NMI watchdog: CPU0 freq probed as 2399999942 HZ. + ``` \ No newline at end of file diff --git "a/content/zh/docs/Virtualization/\347\256\241\347\220\206\350\256\276\345\244\207.md" "b/docs/zh/docs/Virtualization/\347\256\241\347\220\206\350\256\276\345\244\207.md" similarity index 97% rename from "content/zh/docs/Virtualization/\347\256\241\347\220\206\350\256\276\345\244\207.md" rename to "docs/zh/docs/Virtualization/\347\256\241\347\220\206\350\256\276\345\244\207.md" index ead838eec1a2ac6427abc6f3d504109217f853f9..ff37f3956bf0c26b6e7b65d44f316513b574b54d 100644 --- "a/content/zh/docs/Virtualization/\347\256\241\347\220\206\350\256\276\345\244\207.md" +++ "b/docs/zh/docs/Virtualization/\347\256\241\347\220\206\350\256\276\345\244\207.md" @@ -274,7 +274,7 @@ PCI直通是指将host上的物理PCI设备直接呈现给一台虚拟机,供

PCI设备呈现的Guest内bdf号。

-

[0x03-0x1e](slot范围)

+

[0x03-0x1e](./slot范围)

说明:

  • domain为域信息,bus为总线号,slot为插槽号,function为功能
  • 除了slot插槽号,这里其余均默认为0。
  • 第一个slot插槽号0x00被系统占用,第二个slot号0x01被IDE控制器和USB控制器占用,第三个slot号0x02被video占用。
  • 最后一个slot号0x1f被pvchannel占用。
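Review bot: This hunk changes the slot value range from "[0x03-0x1e](slot范围)" to "[0x03-0x1e](./slot范围)". That text is a bracketed numeric range followed by a parenthetical, not a Markdown link, so the "./" prefix looks like a side effect of the bulk relative-path rewrite applied to the image references elsewhere in this patch. Suggest reverting the line, or rewriting it as "0x03-0x1e(slot范围)" so that neither a link rewriter nor a Markdown renderer treats it as a link.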
@@ -282,7 +282,7 @@ PCI直通是指将host上的物理PCI设备直接呈现给一台虚拟机,供 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >VFIO直通方式的最小直通单位是iommu\_group,host根据硬件上的ACS位,来划分iommu\_group。同一个iommu\_group中的设备只允许直通给同一台虚拟机(一个PCI设备上的若干个function,如果属于同一个iommu\_group,只允许直通给一个虚拟机使用)。 ### SR-IOV直通 @@ -291,7 +291,7 @@ PCI直通是指将host上的物理PCI设备直接呈现给一台虚拟机,供 SR-IOV(Single Root I/O Virtualizaiton)是一种基于硬件的虚拟化解决方案,通过SR-IOV技术可以将一个PF(Physical Function)虚拟成多个VF(Virtual Function),每个VF都可以单独被直通给一个虚拟机,极大地提升了硬件资源利用率和虚拟机的I/O性能。一种典型的应用场景就是网卡SR-IOV设备直通,利用SR-IOV技术可以将一个物理网卡(PF)虚拟成多个VF网卡,再把VF直通给虚拟机使用。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >- SR-IOV需要物理硬件支持,使用SR-IOV前请确保要直通的硬件设备支持该能力,并且Host侧的设备驱动程序工作在SR-IOV模式下。 >- 查询网卡具体型号的办法如下: >例如下述回显,第一列为网卡的PCI号,19e5:1822为网卡的厂商号设备号。 @@ -447,7 +447,7 @@ SR-IOV(Single Root I/O Virtualizaiton)是一种基于硬件的虚拟化解 - >![](public_sys-resources/icon-note.gif) **说明:** + >![](./public_sys-resources/icon-note.gif) **说明:** >关闭SR-IOV功能。 >在虚拟机使用完毕后(虚拟机关机,所有的VF均没有在使用中的时候),若要关闭SR-IOV功能。执行操作如下: >这里以Hi1822网卡(eth0对应PF的网口名称)为例: @@ -461,8 +461,7 @@ SR-IOV(Single Root I/O Virtualizaiton)是一种基于硬件的虚拟化解 在鲲鹏服务器上,需要把主机Host上的HPRE加速器的VF直通给虚拟机,供虚拟机内部业务使用。 **表 1** HPRE加速器说明 - -| | 说明 | +| 项目 | 说明 | |-------------|-----------------------------------------------------------------------------------------------------| | 设备名称 | Hi1620 on-chip RSA/DH security algorithm accelerator (HPRE engine) | | 功能 | 模幂运算、RSA密钥对运算、DH计算、部分大数辅助运算(模幂、模乘、取模、乘法、模逆、素数测试、互质测试) | @@ -472,7 +471,7 @@ SR-IOV(Single Root I/O Virtualizaiton)是一种基于硬件的虚拟化解 | 最大VF数量 | 一个HPRE PF最多支持创建63个VF | ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >当虚拟机正在使用VF设备时,不允许卸载Host上的驱动,加速器不支持热插拔。 >VF操作(VFNUMS为0表示关闭VF,hpre_num用来标识具体的加速器设备): >``` @@ -555,8 +554,8 @@ USB设备的XML描述: ``` --
,其中,m表示该USB设备在主机上的bus地址,n表示device ID编号。 --
表示该USB设备要挂载到虚拟机指定的USB控制器。其中x表示控制器ID,与虚拟机所配置的USB控制器index编号相对应,y表示port地址。用户配置直通USB设备的时候需要配置这个字段,确保设备挂载的控制器与预期相符。 +- \
,其中,m表示该USB设备在主机上的bus地址,n表示device ID编号。 +- \
表示该USB设备要挂载到虚拟机指定的USB控制器。其中x表示控制器ID,与虚拟机所配置的USB控制器index编号相对应,y表示port地址。用户配置直通USB设备的时候需要配置这个字段,确保设备挂载的控制器与预期相符。 #### 配置方法 @@ -624,7 +623,7 @@ USB设备的XML描述: 虚拟机在使用过程中可能由于病毒对系统的破坏、系统文件被误删除或误格式化等原因造成虚拟机系统损坏导致系统无法启动。为了使损坏的系统快速恢复,openEuler提供了存储快照功能。openEuler可以在用户不感知的情况下制作虚拟机在某一时刻的快照(制作通常指需要几秒钟),该快照能帮助用户将磁盘快速恢复到某一时刻的状态,例如系统损坏后能快速恢复系统,从而提升系统可靠性。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >当前存储快照只支持raw、qcow2格式镜像,不支持block块设备。 ### 操作步骤 diff --git "a/content/zh/docs/Virtualization/\350\231\232\346\213\237\346\234\272\351\205\215\347\275\256.md" "b/docs/zh/docs/Virtualization/\350\231\232\346\213\237\346\234\272\351\205\215\347\275\256.md" similarity index 91% rename from "content/zh/docs/Virtualization/\350\231\232\346\213\237\346\234\272\351\205\215\347\275\256.md" rename to "docs/zh/docs/Virtualization/\350\231\232\346\213\237\346\234\272\351\205\215\347\275\256.md" index 9988f532a1c95fa71b2c3e5ada56d7eb41b81def..b91b225ae14d1561d2e15c9ac663ca63ec954324 100644 --- "a/content/zh/docs/Virtualization/\350\231\232\346\213\237\346\234\272\351\205\215\347\275\256.md" +++ "b/docs/zh/docs/Virtualization/\350\231\232\346\213\237\346\234\272\351\205\215\347\275\256.md" 
@@ -102,12 +102,30 @@ XML配置文件的基本格式如下,其中label代表具体标签名,attrib - cpu:虚拟处理器模式。 - 属性mode:表示虚拟CPU的模式,属性值host-passthrough表示虚拟CPU的架构和特性与主机保持一致。 + 属性mode:表示虚拟CPU的模式。 + + - host-passthrough:表示虚拟CPU的架构和特性与主机保持一致。 + + - custom:表示虚拟CPU的架构和特性由此cpu元素控制。 子元素topology:元素cpu的子元素,用于描述虚拟CPU模式的拓扑结构。 - - 子元素topology的属性socket、cores、threads分别描述了虚拟机具有多少个cpu socket,每个cpu socket中包含多少个处理核心(core),每个处理器核心具有多少个超线程(thread),属性值为正整数且三者的乘积等于虚拟CPU的个数。 + - 子元素topology的属性socket、cores、threads分别描述了虚拟机具有多少个cpu socket,每个cpu socket中包含多少个处理核心(core),每个处理器核心具有多少个超线程(threads),属性值为正整数且三者的乘积等于虚拟CPU的个数。 + - ARM架构支持虚拟超线程, 虚拟CPU热插与虚拟超线程功能互斥。 + + 子元素model:元素cpu的子元素,当mode为custom时用于描述CPU的模型。 + + 子元素feature:元素cpu的子元素,当mode为custom时用于描述某一特性的使能情况。其中,属性name表示特性的名称,属性policy表示这一特性的使能控制策略: + + - force:表示强制使能该特性,无论主机CPU是否支持该特性。 + + - require:表示使能该特性,当主机CPU不支持该特性并且hypervisor不支持模拟该特性时,创建虚拟机失败。 + - optional:表示该特性的使能情况与主机上该特性的使能情况保持一致。 + + - disable:禁用该特性。 + + - forbid:禁用该特性,当主机支持该特性时创建虚拟机失败。 #### 配置示例 @@ -125,6 +143,21 @@ XML配置文件的基本格式如下,其中label代表具体标签名,attrib ``` +虚拟内存为8GiB,虚拟CPU个数为4,处理模式为custom,model为Kunpeng-920,且禁用pmull特性的配置如下: + +``` + + ... + 4 + 8 + + Kunpeng-920 + + + ... + +``` + ## 配置虚拟设备 虚拟机XML配置文件使用devices元素配置虚拟设备,包括存储设备、网络设备、总线、鼠标等,本节介绍常用的虚拟设备如何配置。 @@ -160,6 +193,7 @@ XML配置文件使用disk元素配置存储设备,disk常见的属性如[表1]

block:块设备

file:文件设备

dir: 目录路径

+

network:网络磁盘

device

@@ -192,6 +226,11 @@ XML配置文件使用disk元素配置存储设备,disk常见的属性如[表1]

file:对应file类型,值为对应文件的完全限定路径。

dev:对应block类型,值为对应主机设备的完全限定路径。

dir:对应dir类型,值为用作磁盘目录的完全限定路径。

+

protocol:使用的协议。

+

name: rbd磁盘名称,格式为:$pool/$volume

+

host name:mon地址

+

port:mon地址的端口

+

driver

@@ -202,6 +241,10 @@ XML配置文件使用disk元素配置存储设备,disk常见的属性如[表1]

io:磁盘IO模式,支持“native”和“threads”选项。

cache:磁盘的cache模式,可选项有“none”、“writethrough”、“writeback”、“directsync”等。

iothread:指定为磁盘分配的IO线程。

+

error_policy:IO写错误发生时的处理策略,可选项有“stop”、“report”、“ignore”、“enospace"、"retry"等。

+

rerror_policy:IO读错误发生时的处理策略,可选项有“stop”、“report”、“ignore”、“enospac”、“retry"等。

+

retry_interval:IO错误重试间隔,范围为0-MAX_INT,单位为毫秒,仅error_policy=“retry”或rerror_policy=“retry”时可配置。

+

retry_timeout:IO错误重试超时时间,范围为0-MAX_INT,单位为毫秒,仅error_policy=“retry”或rerror_policy=“retry”时可配置。

target

@@ -233,7 +276,7 @@ XML配置文件使用disk元素配置存储设备,disk常见的属性如[表1] 按照“准备虚拟机镜像”操作完成虚拟机镜像准备后,可以使用如下XML配置文件示例,为虚拟机配置虚拟磁盘。 -例如,该示例为虚拟机配置了两个IO线程,一个块磁盘设备和一个光盘设备,第一个IO线程分配给块磁盘设备使用。该块磁盘设备的后端介质为qcow2格式,且被作为优先启动盘。 +例如,该示例为虚拟机配置了两个IO线程,一个块磁盘设备,一个光盘设备和一个rbd磁盘,第一个IO线程分配给块磁盘设备使用。该块磁盘设备的后端介质为qcow2格式,且被作为优先启动盘。 ``` @@ -248,10 +291,17 @@ XML配置文件使用disk元素配置存储设备,disk常见的属性如[表1] - + + + + + + + + ... @@ -375,7 +425,7 @@ XML配置文件中使用元素“interface”,其属性“type”表示虚拟 PCIe总线是一种典型的树结构,具有比较好的扩展性,总线之间通过控制器关联,这里以PCIe总线为例介绍如何为虚拟机配置总线拓扑。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >总线的配置相对比较繁琐,若不需要精确控制设备拓扑结构,可以使用libvirt自动生成的缺省总线配置。 #### 元素介绍 @@ -577,7 +627,7 @@ controller:控制器元素,表示一个总线。 例如,在下面的示例中,配置了虚拟机的模拟器路径,pty串口、virtio媒体设备、USB写字板、USB键盘以及VNC图形设备。 ->![](public_sys-resources/icon-note.gif) **说明:** +>![](./public_sys-resources/icon-note.gif) **说明:** >graphics的type配置为VNC时,建议配置属性passwd,即使用VNC登录时的密码。 ``` @@ -748,7 +798,7 @@ x86\_64架构支持BIOS和UEFI两种启动方式,如果不配置loader,则 - + diff --git "a/content/zh/docs/Virtualization/\350\256\244\350\257\206\350\231\232\346\213\237\345\214\226.md" "b/docs/zh/docs/Virtualization/\350\256\244\350\257\206\350\231\232\346\213\237\345\214\226.md" similarity index 96% rename from "content/zh/docs/Virtualization/\350\256\244\350\257\206\350\231\232\346\213\237\345\214\226.md" rename to "docs/zh/docs/Virtualization/\350\256\244\350\257\206\350\231\232\346\213\237\345\214\226.md" index 0f66103873ba477981c238a88442a5a128e3fbb3..988bf7f8a38ee656cd9ef293ebad10130d55beb7 100644 --- "a/content/zh/docs/Virtualization/\350\256\244\350\257\206\350\231\232\346\213\237\345\214\226.md" +++ "b/docs/zh/docs/Virtualization/\350\256\244\350\257\206\350\231\232\346\213\237\345\214\226.md" 
@@ -1,90 +1,90 @@ -# 认识虚拟化 - -## 简介 - -在计算机技术中,虚拟化是一种资源管理技术,它将计算机的各种实体资源(处理器、内存、磁盘、网络适配器等)予以抽象,转换后呈现并可供分割、组合为一个或多个计算机配置环境。这种资源管理技术打破了实体结构不可分割的障碍,使这些资源在虚拟化后不受现有资源的架设方式、地域或物理配置限制,从而让用户可以更好地应用计算机硬件资源,提高资源利用率。 - -虚拟化使得一台物理服务器上可以运行多台虚拟机,虚拟机共享物理机的处理器、内存、I/O资源等,但逻辑上虚拟机之间是互相隔离的。在虚拟化技术中,通常将这个物理服务器称为宿主机,宿主机上运行的虚拟机也叫客户机,虚拟机内部运行的操作系统称为客户机操作系统。在宿主机和虚拟机之间存在一层叫虚拟化层的软件,用于实现虚拟硬件的模拟,通常这个虚拟化层被称为虚拟机监视器,如下图所示: - -**图 1** 虚拟化架构 -![](figures/虚拟化架构.png "虚拟化架构") - -## 虚拟化架构 - -当前的主流虚拟化技术按照VMM(Virtual Machine Monitor)实现结构不同分为两种: - -- Hypervisor模型 - - 在这种模型中,VMM被看做是一个完备的操作系统,同时还具备虚拟化功能,VMM直接管理所有的物理资源,包括处理器,内存和I/O设备等。 - -- 宿主模型 - - 这种模型中,物理资源是由宿主机操作系统管理,宿主机操作系统是传统的操作系统,如Linux,Windows等,宿主机操作系统不提供虚拟化能力,提供虚拟化能力的VMM作为系统的一个驱动或者软件运行在宿主操作系统上,VMM通过调用host OS的服务获得资源,实现处理器,内存和I/O设备的模拟,这种模型的虚拟化实现有KVM、Virtual Box等。 - - -KVM(Kernel-based Virtual Machine)即基于内核的虚拟机,是Linux的一个内核模块,该内核模块使Linux成为一个hypervisor。KVM架构如[图2](#fig310953013541)所示。KVM本身未模拟任何硬件设备,它用于使能硬件提供的虚拟化能力,比如Intel VT-x, AMD-V, ARM virtualization extensions等。主板、内存及I/O等设备的模拟由用户态的QEMU完成。用户态QEMU配合内核KVM模块共同完成虚拟机的硬件模拟,客户操作系统运行在QEMU和KVM模拟的硬件上。 - -**图 2** KVM架构图 -![](figures/KVM架构图.png "KVM架构图") - -## 虚拟化组件 - -openEuler软件包中提供的虚拟化相关组件: - -- KVM:提供核心的虚拟化基础设施,使Linux系统成为一个hypervisor,支持多个虚拟机同时在该主机上运行。 -- QEMU:模拟处理器并提供一组设备模型,配合KVM实现基于硬件的虚拟化模拟加速。 -- Libvirt:为管理虚拟机提供工具集,主要包含统一、稳定、开放的应用程序接口(API)、守护进程 (Libvirtd)和一个默认命令行管理工具(virsh)。 -- Open vSwitch:为虚拟机提供虚拟网络的工具集,支持编程扩展,以及标准的管理接口和协议(如NetFlow, sFlow,IPFIX, RSPAN, CLI, LACP, 802.1ag)。 - -## 虚拟化特点 - -业界普遍认可虚拟化有以下特点: - -- 分区 - - 虚拟化可以对一台物理服务器进行软件逻辑分割,实现运行多台不同规格的虚拟机(虚拟服务器)。 - - -- 隔离 - - 虚拟化能够模拟虚拟硬件,为虚拟机运行完整操作系统提供硬件条件,每个虚拟机内部操作系统都是独立的,互相隔离的。例如一台虚拟机的操作系统由于故障或者受到恶意破坏而崩溃,其他虚拟机内部的操作系统和应用不会受到任何影响。 - - -- 封装性 - - 以虚拟机为粒度封装,优秀的封装性使得虚拟机比物理机更灵活,可以实现虚拟机的热迁移、快照、克隆等功能,实现数据中心的快速部署和自动化运维。 - - -- 硬件无关 - - 经过虚拟化层的抽象后,虚拟机与底层的硬件没有直接的绑定关系,可以在其他服务器上不加修改地运行虚拟机。 - - -## 虚拟化优势 - -虚拟化为数据中心的基础设施带来了众多优势: - -- 灵活性和可扩展性 - - 用户可以根据需求进行动态资源分配和回收,满足动态变化的业务需求,同时也可以根据不同的产品需求,规划不同的虚拟机规格,在不改变物理资源配置的情况下进行规模调整。 - - -- 更高的可用性和更好的运维手段 - - 
虚拟化提供热迁移,快照,热升级,容灾自动恢复等运维手段,可以在不影响用户的情况下对物理资源进行删除、升级或变更,提高了业务连续性,同时可以实现自动化运维。 - - -- 提高安全性 - - 虚拟化提供了操作系统级的隔离,同时实现基于硬件提供的处理器操作特权级控制,相比简单的共享机制具有更高的安全性,可实现对数据和服务进行可控和安全的访问。 - - -- 更高的资源利用率 - - 虚拟化可支持实现物理资源和资源池的动态共享,提高资源利用率。 - - -## openEuler虚拟化 - -openEuler提供了支持AArch64和x86_64处理器架构的KVM虚拟化组件。 - +# 认识虚拟化 + +## 简介 + +在计算机技术中,虚拟化是一种资源管理技术,它将计算机的各种实体资源(处理器、内存、磁盘、网络适配器等)予以抽象,转换后呈现并可供分割、组合为一个或多个计算机配置环境。这种资源管理技术打破了实体结构不可分割的障碍,使这些资源在虚拟化后不受现有资源的架设方式、地域或物理配置限制,从而让用户可以更好地应用计算机硬件资源,提高资源利用率。 + +虚拟化使得一台物理服务器上可以运行多台虚拟机,虚拟机共享物理机的处理器、内存、I/O资源等,但逻辑上虚拟机之间是互相隔离的。在虚拟化技术中,通常将这个物理服务器称为宿主机,宿主机上运行的虚拟机也叫客户机,虚拟机内部运行的操作系统称为客户机操作系统。在宿主机和虚拟机之间存在一层叫虚拟化层的软件,用于实现虚拟硬件的模拟,通常这个虚拟化层被称为虚拟机监视器,如下图所示: + +**图 1** 虚拟化架构 +![](./figures/virtualized-architecture.png) + +## 虚拟化架构 + +当前的主流虚拟化技术按照VMM(Virtual Machine Monitor)实现结构不同分为两种: + +- Hypervisor模型 + + 在这种模型中,VMM被看做是一个完备的操作系统,同时还具备虚拟化功能,VMM直接管理所有的物理资源,包括处理器,内存和I/O设备等。 + +- 宿主模型 + + 这种模型中,物理资源是由宿主机操作系统管理,宿主机操作系统是传统的操作系统,如Linux,Windows等,宿主机操作系统不提供虚拟化能力,提供虚拟化能力的VMM作为系统的一个驱动或者软件运行在宿主操作系统上,VMM通过调用host OS的服务获得资源,实现处理器,内存和I/O设备的模拟,这种模型的虚拟化实现有KVM、Virtual Box等。 + + +KVM(Kernel-based Virtual Machine)即基于内核的虚拟机,是Linux的一个内核模块,该内核模块使Linux成为一个hypervisor。KVM架构如[图2](#fig310953013541)所示。KVM本身未模拟任何硬件设备,它用于使能硬件提供的虚拟化能力,比如Intel VT-x, AMD-V, ARM virtualization extensions等。主板、内存及I/O等设备的模拟由用户态的QEMU完成。用户态QEMU配合内核KVM模块共同完成虚拟机的硬件模拟,客户操作系统运行在QEMU和KVM模拟的硬件上。 + +**图 2** KVM架构图 +![](./figures/kvm-architecture.png) + +## 虚拟化组件 + +openEuler软件包中提供的虚拟化相关组件: + +- KVM:提供核心的虚拟化基础设施,使Linux系统成为一个hypervisor,支持多个虚拟机同时在该主机上运行。 +- QEMU:模拟处理器并提供一组设备模型,配合KVM实现基于硬件的虚拟化模拟加速。 +- Libvirt:为管理虚拟机提供工具集,主要包含统一、稳定、开放的应用程序接口(API)、守护进程 (Libvirtd)和一个默认命令行管理工具(virsh)。 +- Open vSwitch:为虚拟机提供虚拟网络的工具集,支持编程扩展,以及标准的管理接口和协议(如NetFlow, sFlow,IPFIX, RSPAN, CLI, LACP, 802.1ag)。 + +## 虚拟化特点 + +业界普遍认可虚拟化有以下特点: + +- 分区 + + 虚拟化可以对一台物理服务器进行软件逻辑分割,实现运行多台不同规格的虚拟机(虚拟服务器)。 + + +- 隔离 + + 虚拟化能够模拟虚拟硬件,为虚拟机运行完整操作系统提供硬件条件,每个虚拟机内部操作系统都是独立的,互相隔离的。例如一台虚拟机的操作系统由于故障或者受到恶意破坏而崩溃,其他虚拟机内部的操作系统和应用不会受到任何影响。 + + +- 封装性 + + 
以虚拟机为粒度封装,优秀的封装性使得虚拟机比物理机更灵活,可以实现虚拟机的热迁移、快照、克隆等功能,实现数据中心的快速部署和自动化运维。 + + +- 硬件无关 + + 经过虚拟化层的抽象后,虚拟机与底层的硬件没有直接的绑定关系,可以在其他服务器上不加修改地运行虚拟机。 + + +## 虚拟化优势 + +虚拟化为数据中心的基础设施带来了众多优势: + +- 灵活性和可扩展性 + + 用户可以根据需求进行动态资源分配和回收,满足动态变化的业务需求,同时也可以根据不同的产品需求,规划不同的虚拟机规格,在不改变物理资源配置的情况下进行规模调整。 + + +- 更高的可用性和更好的运维手段 + + 虚拟化提供热迁移,快照,热升级,容灾自动恢复等运维手段,可以在不影响用户的情况下对物理资源进行删除、升级或变更,提高了业务连续性,同时可以实现自动化运维。 + + +- 提高安全性 + + 虚拟化提供了操作系统级的隔离,同时实现基于硬件提供的处理器操作特权级控制,相比简单的共享机制具有更高的安全性,可实现对数据和服务进行可控和安全的访问。 + + +- 更高的资源利用率 + + 虚拟化可支持实现物理资源和资源池的动态共享,提高资源利用率。 + + +## openEuler虚拟化 + +openEuler提供了支持AArch64和x86_64处理器架构的KVM虚拟化组件。 + diff --git "a/docs/zh/docs/Virtualization/\351\205\215\347\275\256\347\243\201\347\233\230IO\346\202\254\346\214\202.md" "b/docs/zh/docs/Virtualization/\351\205\215\347\275\256\347\243\201\347\233\230IO\346\202\254\346\214\202.md" new file mode 100644 index 0000000000000000000000000000000000000000..d65bc57b30483eb659f8228d68f57d77a9e6b516 --- /dev/null +++ "b/docs/zh/docs/Virtualization/\351\205\215\347\275\256\347\243\201\347\233\230IO\346\202\254\346\214\202.md" 
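Review bot: The 认识虚拟化.md hunk removes and re-adds all 90 lines, yet the only differences visible between the two sides are the two figure references (figures/虚拟化架构.png to ./figures/virtualized-architecture.png and figures/KVM架构图.png to ./figures/kvm-architecture.png, both losing their title text). If the rest is a line-ending or whitespace normalization, say so in the commit message or split it into its own commit, so the two real edits are reviewable and the blame history of the file is not reset.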
@@ -0,0 +1,105 @@ +# 配置磁盘IO悬挂 + + +- [配置磁盘IO悬挂](#配置磁盘IO悬挂) + - [总体介绍](#总体介绍) + - [概述](#概述) + - [应用场景](#应用场景) + - [注意事项和约束限制](#注意事项和约束限制) + - [磁盘IO悬挂配置](#磁盘IO悬挂配置) + - [Qemu命令行配置](#Qemu命令行配置) + - [xml配置方式](#xml配置方式) + + + +## 总体介绍 + +### 概述 + +存储故障(比如存储断链)场景下,物理磁盘的IO错误,通过虚拟化层传给虚拟机前端,虚拟机内部收到IO错误,可能导致虚拟机内部的用户文件系统变成read-only状态,需要重启虚拟机或者用户手动恢复,这给用户带来额外的工作量。 + +这种情况下,虚拟化平台提供了一种磁盘IO悬挂的能力,即当存储故障时,虚拟机IO下发到主机侧时将IO悬挂住,在悬挂时间内不对虚拟机内部返回IO错误,这样虚拟机内部的文件系统就不会因为IO错误而变为只读状态,而是呈现为Hang住;同时虚拟机后端按指定的悬挂间隔对IO进行重试。如果存储故障在悬挂时间内恢复正常,悬挂住的IO即可恢复落盘,虚拟机内部文件系统自动恢复运行,不需要重启虚拟机;如果存储故障在悬挂时间内未能恢复正常,则上报错误给虚拟机内部,通知给用户。 + +### 应用场景 + +使用可能会发生存储面链路断链的云盘作为虚拟磁盘后端的场景。 + +### 注意事项和约束限制 + +- 磁盘IO悬挂仅支持virtio-blk或virtio-scsi类型的虚拟磁盘。 + +- 磁盘IO悬挂的虚拟磁盘后端一般为可能会发生存储面链路断链的云盘。 + +- 磁盘IO悬挂可对读写IO错误分别使能,同一磁盘的读写IO错误重试间隔和超时时间使用相同配置。 + +- 磁盘IO悬挂重试间隔不包含主机侧实际读写IO的开销,即两次IO重试操作实际间隔会大于配置的IO错误重试间隔。 + +- 磁盘IO悬挂无法区分IO错误的具体类型(如存储断链、扇区坏道、预留冲突等),只要硬件返回IO错误,都会进行悬挂处理。 + +- 磁盘IO悬挂时,虚拟机内部IO不会返回,fdisk等访问磁盘的系统命令会卡住,虚拟机内部依赖该命令返回的业务也会一直卡住。 + +- 磁盘IO悬挂时,IO无法正常落盘,可能会导致虚拟机无法优雅关机,需要强制关机。 + +- 磁盘IO悬挂时,无法读取磁盘数据,会造成虚拟机无法正常重启,需要先将虚拟机强制关机,等待存储故障恢复后在重新启动虚拟机。 + +- 存储故障发生后,虽然存在磁盘IO悬挂,依然解决不了以下问题: + + 1. 存储相关高级特性执行失败 + + 高级特性包括:虚拟磁盘热插、虚拟磁盘热拔、创建虚拟磁盘、虚拟机启动、虚拟机关机、虚拟机强制关机、虚拟机休眠、虚拟机唤醒、虚拟机存储热迁移、虚拟机存储热迁移取消、虚拟机创建存储快照、虚拟机存储快照合并、查询虚拟机磁盘容量、磁盘在线扩容、插入虚拟光驱、弹出虚拟机光驱。 + + 2. 
虚拟机生命周期执行失败 + +- 配置了磁盘IO悬挂的虚拟机发起热迁移时,应该在目的端磁盘的XML配置中带上与源端相同的磁盘IO悬挂配置。 + +## 磁盘IO悬挂配置 + +### Qemu命令行配置 + +磁盘IO悬挂功能通过在虚拟磁盘设备上指定`werror=retry` `rerror=retry`进行使能,使用`retry_interval`和`retry_timeout`进行重试策略的配置。`retry_interval`为IO错误重试的间隔,配置范围为0-MAX_LONG,单位为毫秒,未配置时使用默认值1000ms;`retry_timeout`为IO错误重试超时时间,配置范围为0-MAX_LONG,0值表示不会发生超时,单位为毫秒,未配置时使用默认值0。 + +virtio-blk磁盘的磁盘IO悬挂配置如下: + +```shell +-drive file=/path/to/your/storage,format=raw,if=none,id=drive-virtio-disk0,cache=none,aio=native \ +-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,\ +drive=drive-virtio-disk0,id=virtio-disk0,write-cache=on,\ +werror=retry,rerror=retry,retry_interval=2000,retry_timeout=10000 +``` + +virtio-scsi磁盘的磁盘IO悬挂配置如下: + +```shell +-drive file=/path/to/your/storage,format=raw,if=none,id=drive-scsi0-0-0-0,cache=none,aio=native \ +-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\ +device_id=drive-scsi0-0-0-0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,write-cache=on,\ +werror=retry,rerror=retry,retry_interval=2000,retry_timeout=10000 +``` + +### xml配置方式 + +磁盘IO悬挂功能通过在磁盘xml配置中指定`error_policy='retry'` `rerror_policy='retry'`进行使能。主要是配置上`retry_interval`和`retry_timeout`的值。`retry_interval`为IO错误重试的间隔,配置范围为0-MAX_LONG,单位为毫秒,未配置时使用默认值1000ms;`retry_timeout`为IO错误重试超时时间,配置范围为0-MAX_LONG,0值表示不会发生超时,单位为毫秒,未配置时使用默认值0。 + +virtio-blk磁盘的磁盘IO悬挂xml配置如下: + +```xml + + + + + + +``` + +virtio-scsi磁盘的磁盘IO悬挂xml配置如下: + +```xml + + + + + +
+ +``` + diff --git "a/content/zh/docs/Virtualization/\351\231\204\345\275\225.md" "b/docs/zh/docs/Virtualization/\351\231\204\345\275\225.md" similarity index 100% rename from "content/zh/docs/Virtualization/\351\231\204\345\275\225.md" rename to "docs/zh/docs/Virtualization/\351\231\204\345\275\225.md" diff --git a/themes/project/layouts/partials/docs/inject/body.html b/docs/zh/docs/desktop/.keep similarity index 100% rename from themes/project/layouts/partials/docs/inject/body.html rename to docs/zh/docs/desktop/.keep diff --git a/docs/zh/docs/desktop/DDE-User-Manual.md b/docs/zh/docs/desktop/DDE-User-Manual.md new file mode 100644 index 0000000000000000000000000000000000000000..1d3b69ba2a939617bb40fd1bdc6dc3856a7edd1e --- /dev/null +++ b/docs/zh/docs/desktop/DDE-User-Manual.md 
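Review bot: In the new 配置磁盘IO悬挂.md, the overview promises that an error is reported to the guest if storage does not recover within the hang time, but both configuration sections state that retry_timeout defaults to 0 and that 0 means no timeout. A reader who enables werror=retry or error_policy='retry' without setting retry_timeout therefore gets guest I/O that hangs indefinitely; the 注意事项 list should say this outright and recommend an explicit timeout, as the examples do with retry_timeout=10000. Smaller points in the same file: "在重新启动虚拟机" should be "再重新启动虚拟机", and the second sentence of the xml section ("主要是配置上...") can be merged into the first.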
@@ -0,0 +1,872 @@ +# DDE桌面环境用户手册 + +## 概述 + +DDE桌面环境是一款美观易用、安全可靠的图形化操作界面。桌面环境主要由桌面、任务栏、启动器、控制中心等组成,是您使用该操作系统的基础,主界面如下图所示。 + +![1|desk](./figures/43.jpg) + +### 欢迎 + +初次进入DDE桌面环境,会自动打开欢迎程序。您可以观看视频了解系统功能,选择桌面样式和图标主题,进一步了解该系统。 + +![welcome](./figures/64.png) + +## 桌面 + +桌面是您登录后看到的主屏幕区域。在桌面上,您可以新建文件/文件夹、排列文件、打开终端、设置壁纸和屏保等,还可以通过启动器 [发送到桌面](#设置快捷方式) 向桌面添加应用的快捷方式。 + +![0|rightbuttonmenu](./figures/41.png) + +### 新建文件夹/文档 + +在桌面新建文件夹或文档,也可以对文件进行常规操作,和在文件管理器中一样。 + +- 在桌面上,单击鼠标右键,单击 **新建文件夹**,输入新建文件夹的名称。 +- 在桌面上,单击鼠标右键,单击 **新建文档**,选择新建文档的类型,输入新建文档的名称。 + +在桌面文件或文件夹上,单击鼠标右键,您可以使用文件管理器的相关功能: + +| 功能 | 说明 | +| ----------- | -------------------------------------------------------- | +| 打开方式 | 选定系统默认打开方式,也可以选择其他关联应用程序来打开。 | +| 剪切 | 移动文件或文件夹。 | +| 复制 | 复制文件或文件夹。 | +| 重命名 | 重命名文件或文件夹。 | +| 删除 | 删除文件或文件夹。 | +| 创建链接 | 创建一个快捷方式。 | +| 标记信息 | 添加标记信息,以对文件或文件夹进行标签化管理。 | +| 压缩/解压缩 | 压缩文件或文件夹,或对压缩文件进行解压。 | +| 属性 | 查看文件或文件夹的基本信息,共享方式,及其权限。 | + +### 设置排列方式 + +您可以对桌面上的图标按照需要进行排序。 + +1. 在桌面上,单击鼠标右键。 +2. 单击 **排序方式**,您可以: + - 单击 **名称**,将按文件的名称顺序显示。 + - 单击 **大小**,将按文件的大小顺序显示。 + - 单击 **类型**,将按文件的类型顺序显示。 + - 单击 **修改时间**,文件将按最近一次的修改日期顺序显示。 + +> ![tips](./figures/icon125-o.svg)窍门:*您也可以勾选 **自动排列**,桌面图标将从上往下,从左往右按照当前排序规则排列,有图标被删除时后面的图标会自动向前填充。* + +### 调整图标大小 + +1. 在桌面上,单击鼠标右键。 +2. 单击 **图标大小**。 +3. 选择一个合适的图标大小。 + +> ![tips](./figures/icon125-o.svg)窍门:*您也可以用 **Ctrl** + ![=](./figures/icon134-o.svg)/![-](./figures/icon132-o.svg) 鼠标滚动来调整桌面和启动器中的图标大小。* + +### 设置显示器 + +从这里快速进入控制中心设置显示器的缩放比例、分辨率和亮度等。 + +1. 在桌面上,单击鼠标右键。 +2. 单击 **显示设置**,快速进入控制中心的显示设置界面。 + +> ![notes](./figures/icon99-o.svg)说明:*关于显示的设置,具体操作请参阅 [显示设置](#显示设置) 。* + + ### 更改壁纸 + +您可以选择一些精美、时尚的壁纸来美化桌面,让您的电脑显示与众不同。 + + +1. 在桌面上,单击鼠标右键。 +2. 单击 **壁纸与屏保**,在桌面底部预览所有壁纸。 +3. 选择某一壁纸后,壁纸就会在桌面和锁屏中生效。 +4. 您可以单击 **仅设置桌面** 和 **仅设置锁屏** 来控制壁纸的生效范围。 + +![1|wallpaper](./figures/63.jpg) + +              + +> ![tips](./figures/icon125-o.svg)窍门: *您还可以在图片查看器中设置您喜欢的图片为桌面壁纸。* + +### 剪贴板 + +剪贴板展示当前用户登录系统后复制和剪切的所有文本、图片和文件。使用剪贴板可以快速复制其中的某项内容。注销或关机后,剪贴板会自动清空。 + +1. 
使用快捷键 **Ctrl** + **Alt** + **V** 唤出剪贴板。 +2. 双击剪贴板内的某一区块,会快速复制当前内容, 且当前区块会被移动到剪贴板顶部。 +3. 选择目标位置粘贴。 +4. 鼠标移入剪贴板的某一区块,单击上方的![close](./figures/icon57-o.svg),删除当前内容;单击顶部的 **全部清除**,清空剪贴板。 + +![1|clipboard](./figures/40.png) + +## 任务栏 + +任务栏是指位于桌面底部的长条,主要由启动器、应用程序图标、托盘区、系统插件等组成。在任务栏,您可以打开启动器、显示桌面、进入工作区,对其上的应用程序进行打开、新建、关闭、强制退出等操作,还可以设置输入法,调节音量,连接网络,查看日历,进入关机界面等。 + +### 认识任务栏图标 + +任务栏图标包括启动器图标、应用程序图标、托盘区图标、系统插件图标等。 + +![1|fashion](./figures/45.png) + +| 图标 | 说明 | 图标 | 说明 | +| ------------------------------------------- | :------------------------------------------ | ------------------------------------------------ | ------------------------------------- | +| ![launcher](./figures/icon66-o.svg) | 启动器 - 点击查看所有已安装的应用。 | ![deepin-toggle-desktop](./figures/icon69-o.svg) | 显示桌面。 | +| ![dde-file-manager](./figures/icon63-o.svg) | 文件管理器 - 点击查看磁盘中的文件、文件夹。 | ![dde-calendar](./figures/icon62-o.svg) | 日历 - 查看日期、新建日程。 | +| ![controlcenter](./figures/icon58-o.svg) | 控制中心 - 点击进入系统设置。 | ![notification](./figures/icon101-o.svg) | 通知中心 - 显示所有系统和应用的通知。 | +| ![onboard](./figures/icon103-o.svg) | 屏幕键盘 - 点击使用虚拟键盘。 | ![shutdown](./figures/icon122-o.svg) | 电源 - 点击进入关机界面。 | +| ![trash](./figures/icon126-o.svg) | 回收站。 | | | + +              + +> ![tips](./figures/icon125-o.svg)窍门:*在高效模式下,单击任务栏最右侧可显示桌面。将鼠标指针移到任务栏上已打开窗口的图标时,会显示相应的预览窗口。* + +### 切换显示模式 + +任务栏提供两种显示模式:时尚模式和高效模式,显示不同的图标大小和应用窗口激活效果。 + + +![1|fashion](./figures/46.png) + +![1|efficient](./figures/63.png) + +              + +您可以通过以下操作来切换显示模式: + +1. 右键单击任务栏。 +2. 在 **模式** 子菜单中选择一种显示模式。 + +### 设置任务栏位置 + +您可以将任务栏放置在桌面的任意方向。 + +1. 右键单击任务栏。 +2. 在 **位置** 子菜单中选择一个方向。 + +### 调整任务栏高度 + +鼠标拖动任务栏边缘,改变任务栏高度。 + +### 显示/隐藏插件 + +1. 右键单击任务栏。 +2. 
在 **插件** 子菜单中勾选或取消勾选 **回收站、电源、显示桌面、屏幕键盘、通知中心、时间**,可以设置这些插件在任务栏上的显示和隐藏效果。 + +### 查看通知 + +当有系统或应用通知时,会在桌面上方弹出通知消息。若有按钮,单击按钮执行对应操作;若无按钮,单击关闭此消息。 + +![message](./figures/51.png) + +              + +您还可以单击任务栏上的 ![notification](./figures/icon101-o.svg), 打开通知中心,查看所有通知。 + +### 查看日期时间 + +- 鼠标指针悬停在任务栏的时间上,查看当前日期、星期和时间。 +- 单击时间,打开日历。 + +### 进入关机界面 + +您可以单击任务栏上的 ![shutdown](./figures/icon136-o.svg) 进入关机界面,也可以在启动器的小窗口模式中单击 ![poweroff_normal](./figures/icon136-o.svg)。 + +| 功能 | 说明 | +| ---------------------------------------------------------- | ------------------------------------------------------- | +| 关机![poweroff_normal](./figures/icon136-o.svg) | 关闭电脑。 | +| 重启![reboot_normal](./figures/icon110-o.svg) | 关机后再次重新运行您的电脑。 | +| 锁定![lock_normal](./figures/icon90-o.svg) | 锁定电脑,或按下键盘上的 **Super** + **L** 组合键锁定。 | +| 切换用户![userswitch_normal](./figures/icon128-o.svg) | 选择另一个用户帐户登录。 | +| 注销![logout_normal](./figures/icon92-o.svg) | 清除当前登录用户的信息。 | +| 系统监视器![deepin-system-monitor](./figures/icon68-o.svg) | 快速启动系统监视器。 | + +              + +> ![notes](./figures/icon99-o.svg)说明:*当系统存在多个帐户时才显示 ![userswitch_normal](./figures/icon128-o.svg)。* + + +### 回收站 + +电脑中临时被删除的所有文件您都可以在回收站中找到,回收站中的文件可以被恢复或清空。 + +#### 还原文件 + +对于已删除的文件,您可以进入回收站进行还原,或使用 **Ctrl** + **Z** 还原刚删除的文件。 + +1. 在回收站中,选择要恢复的文件。 +2. 单击鼠标右键,选择 **还原**。 +3. 
还原文件到原来的存储路径下。 + +> ![attention](./figures/icon52-o.svg)注意:*如果原来所在的文件夹已经删除,还原文件时会自动新建文件夹*。 + +#### 清空回收站 + +在回收站中,单击 **清空**,将彻底删除回收站的所有内容。 + +## 启动器 + +启动器 ![launcher](./figures/icon66-o.svg) 帮助您管理系统中已安装的所有应用,在启动器中使用分类导航或搜索功能可以快速找到您需要的应用程序。 + +> ![tips](./figures/icon125-o.svg)窍门:*您可以进入启动器查看新安装的应用。新安装应用的旁边会出现一个小蓝点提示*。 + +### 切换模式 + +启动器有全屏和小窗口两种模式。单击启动器界面右上角的图标来切换模式。 + +两种模式均支持搜索应用、设置快捷方式等操作。 + +小窗口模式还支持快速打开文件管理器,控制中心和进入关机界面等功能。 + +![1|fullscreen](./figures/47.jpg)![1|ini](./figures/52.png) + + +### 排列应用 + +在全屏模式下,系统默认按照安装时间排列所有应用。 + +- 将鼠标悬停在应用图标上,按住鼠标左键不放,将应用图标拖拽到指定的位置自由排列。 +- 单击启动器界面左上角分类图标![category](./figures/icon56-o.svg)进行排列。 + +![1|sortapp](./figures/60.jpg) + +              + +在小窗口模式下,默认按照使用频率排列应用。 + +### 查找应用 + +在启动器中,您可以滚动鼠标滚轮或切换分类导航查找应用。 + +如果知道应用名称,直接在搜索框中输入关键字,快速定位到需要的应用。 + +### 设置快捷方式 + +快捷方式提供了一种简单快捷地启动应用的方法。 + +#### 创建快捷方式 + +将应用发送到桌面或任务栏上,方便您的后续操作。 + +在启动器中,右键单击应用图标,您可以: + +- 单击 **发送到桌面**,在桌面创建快捷方式。 + +- 单击 **发送到任务栏**,将应用固定到任务栏。 + +![0|sendto](./figures/58.png) + +> ![notes](./figures/icon99-o.svg)说明:*您还可以从启动器拖拽应用图标到任务栏上放置。但是当应用处于运行状态时您将无法拖拽固定,此时您可以右键单击任务栏上的应用图标,选择 **驻留** 将应用固定到任务栏,以便下次使用时从任务栏上快速打开。* + +#### 删除快捷方式 + +您既可以在桌面直接删除应用的快捷方式,也可以在任务栏和启动器中删除。 + +**从任务栏上删除** + +- 在任务栏上,按住鼠标左键不放,将应用图标拖拽到任务栏以外的区域移除快捷方式。 +- 当应用处于运行状态时您将无法拖拽移除,此时可以右键单击任务栏上的应用图标,选择 **移除驻留** 将应用从任务栏上移除。 + +**从启动器中删除** + +在启动器中,右键单击应用图标,您可以: + +- 单击 **从桌面上移除**,删除桌面快捷方式。 +- 单击 **从任务栏上移除**,将固定到任务栏上的应用移除。 + +> ![notes](./figures/icon99-o.svg)说明:*以上操作,只会删除应用的快捷方式,而不会卸载应用。* + +### 运行应用 + +对于已经创建了桌面快捷方式或固定到任务栏上的应用,您可以通过以下途径来打开应用。 + +- 双击桌面图标,或右键单击桌面图标选择 **打开**。 +- 直接单击任务栏上的应用图标,或右键单击任务栏上的应用图标选择 **打开**。 + +在启动器中,直接单击应用图标打开,或右键单击应用图标选择 **打开**。 + +> ![tips](./figures/icon125-o.svg)窍门:*对于经常使用的应用,您可以在启动器中,右键单击应用图标选择 **开机自动启动**。* + + +## 控制中心 + +DDE桌面操作系统通过控制中心来管理系统的基本设置,包括帐户管理、网络设置、日期和时间、个性化设置、显示设置、系统信息查看等。当您进入桌面环境后,单击任务栏上的 ![controlcenter](./figures/icon58-o.svg) 即可打开控制中心窗口。 + +### 首页介绍 + +控制中心首页主要展示各个设置模块,方便日常查看和快速设置。 + +![2|dcchomepage](./figures/42.png) + +              + 
+打开控制中心的某一设置模块后,可以通过左侧导航栏快速切换到另一设置模块。 + +![2|cc-navigation](./figures/39.png) + + + +#### 标题栏 + +标题栏包含返回按钮,搜索框,主菜单及窗口按钮。 + +- 返回按钮:若要返回首页,单击 ![back](./figures/icon53-o.svg)。 +- 搜索框:输入关键字后,回车,搜索相应设置。 +- 主菜单:单击![menu](./figures/icon83-o.svg) 进入主菜单。在主菜单中,您可以设置窗口主题,查看版本,或退出控制中心。 + +### 帐户设置 + +在安装系统时您已经创建了一个帐户。在这里,您可以修改帐户设置或创建一个新帐户。 + +![0|account](./figures/38.png) + +#### 创建新帐户 + +1. 在控制中心首页,单击 ![account_normal](./figures/icon49-o.svg)。 +2. 单击![add](./figures/icon50-o.svg)。 +3. 输入用户名、密码和重复密码。 +4. 单击 **创建**。 +5. 在授权对话框输入当前帐户的密码,新帐户就会添加到帐户列表中。 + + + +#### 更改头像 + +1. 在控制中心首页,单击 ![account_normal](./figures/icon49-o.svg)。 +2. 单击列表中的帐户。 +3. 单击帐户头像,选择一个头像或添加本地头像,头像就替换完成了。 + +#### 设置全名 + +帐户全名会显示在帐户列表和系统登录界面,可根据需要设置。 + +1. 在控制中心首页,单击 ![account_normal](./figures/icon49-o.svg)。 +2. 单击列表中的帐户。 +3. 单击 **设置全名** 后的 ![edit](./figures/icon75-o.svg),输入帐户全名。 + + +#### 修改密码 + +1. 在控制中心首页,单击 ![account_normal](./figures/icon49-o.svg)。 +2. 单击当前帐户。 +3. 单击 **修改密码**,进入修改密码页面。 +4. 输入当前密码、新密码和重复密码。 + + +#### 删除帐户 + +1. 在控制中心首页,单击 ![account_normal](./figures/icon49-o.svg)。 +2. 单击其他未登录的帐户。 +3. 单击 **删除帐户** 。 +4. 在弹出的确认界面中单击 **删除**。 + +> ![attention](./figures/icon52-o.svg)注意: *已登录的帐户无法被删除。* + +#### 权限设置 + +除安装时的第一个帐户是管理员权限外,后面所添加的所有帐户都是普通用户。一个帐户可以在多个用户组内。 + +##### 设置组 + +添加或修改帐户时,可以: + +- 选择系统内已有的组。 +- 选择当前用户同名的组。 +- 选择之前添加帐户时和其他用户同名的组。 + +### 显示设置 + +设置显示器的分辨率、亮度、屏幕方向等,让您的电脑显示到达最佳状态。 + +![0|video](./figures/44.png) + +#### 单屏设置 + +##### 更改分辨率 + +1. 在控制中心首页,单击 ![display_normal](./figures/icon72-o.svg)。 +2. 单击 **分辨率**,进入分辨率设置界面。 +3. 在列表中选择合适的分辨率参数。 +4. 单击 **保存**。 + +##### 调节亮度 + +1. 在控制中心首页,单击 ![display_normal](./figures/icon72-o.svg)。 +2. 单击 **亮度**,进入亮度设置界面。 + + - 拖动亮度条滑块,调节屏幕亮度。 + - 打开 **自动调节色温** 开关,开启进入护眼模式,自动调节色温。 + - 打开 **手动调节** 亮度开关,可以调节屏幕亮度 。 + +##### 设置屏幕刷新率 + +1. 在控制中心首页,单击 ![display_normal](./figures/icon72-o.svg)。 +2. 单击 **刷新率**。 +3. 选择一个合适的刷新率,单击 **保存**。 + +##### 改变屏幕方向 + +1. 在控制中心首页,单击 ![display_normal](./figures/icon72-o.svg)。 +2. 单击 ![rotate](./figures/icon112-o.svg) 。 +3. 
每单击一下鼠标左键,屏幕逆时针旋转90°。 +4. 要还原为之前的屏幕方向,单击鼠标右键退出;要使用当前屏幕方向,请按下组合键 **Ctrl** + **S** 保存。 + +#### 多屏设置 + +多屏显示,让您的视野无限延伸!使用VGA、HDMI、EDP等线缆将您的电脑和另一台显示器、投影仪等连接起来,同时在多个屏幕显示您电脑上的内容。 + +1. 在控制中心首页,单击 ![display_normal](./figures/icon72-o.svg)。 +2. 单击 **多屏显示模式**。 +3. 选择一种显示模式。 + - **复制 **将主屏的显示内容复制到其他屏幕。 + - **扩展** 将主屏的显示内容扩展到其他屏幕,扩大桌面区域。 + - **自定义** 设置显示模式,主屏、分辨率、刷新率和屏幕旋转方向。 + +在多屏环境下,按下 **Super** + **P **调出多屏显示模式的OSD。 + +详细操作方法如下。 + +1. 按住 **Super** 不放,再按下 **P** 或鼠标单击来进行模式选择。 +2. 松开按键,确认选择,模式生效。 + +> ![notes](./figures/icon99-o.svg)说明:*当多屏显示模式为扩展模式时,仅主屏支持桌面图标显示、操作右键菜单等功能,而副屏不支持。* + + +##### 自定义设置 + +1. 在控制中心首页,单击 ![display_normal](./figures/icon72-o.svg)。 +2. 单击 **多屏显示模式** > **自定义**。 +3. 单击 “识别”,查看屏幕名称。 +4. 选择“合并”或“拆分”,然后对多个屏幕进行设置,如主屏、分辨率、刷新率,旋转屏幕等。 +5. 单击 **保存**。 + +> ![notes](./figures/icon99-o.svg)说明:*合并即复制模式,拆分即扩展模式。* + + + +### 默认程序设置 + +当安装有多个功能相似的应用程序时,可以选择其中的一个应用作为对应文件类型的默认启动程序。 + +![0|default](./figures/39.png) + +#### 设置默认程序 + +1. 右键单击文件,选择 **打开方式** > **选择默认程序**。 +2. 选择一个应用,自动勾选"设为默认",单击 **确定**。 +3. 该应用将自动添加到控制中心的默认程序列表。 + +#### 更改默认程序 + +1. 在控制中心首页,单击 ![default_applications_normal](./figures/icon70-o.svg)。 +2. 选择一个文件类型进入默认程序列表。 +3. 在列表中选择另一个应用程序。 + +#### 添加默认程序 + +1. 在控制中心首页,单击 ![default_applications_normal](./figures/icon70-o.svg)。 +2. 选择文件类型进入默认程序列表。 +3. 单击列表下的![add](./figures/icon50-o.svg),选择desktop文件(一般在/usr/share/applications),或特定的二进制文件。 +4. 该程序将添加到列表,并自动设置为默认程序。 + +#### 删除默认程序 + +在默认程序列表中,您只能删除自己添加的应用程序,不能删除系统已经安装的应用。要删除系统已经安装的应用,只能卸载应用。卸载后该应用将自动从默认程序列表中删除。 + +可用以下方法删除自己添加的默认程序。 + +1. 在控制中心首页,单击 ![default_applications_normal](./figures/icon70-o.svg)。 +2. 选择文件类型进入默认程序列表。 +3. 单击程序后面的![close](./figures/icon57-o.svg),删除默认程序。 + +### 个性化设置 + +在这里,您可以设置系统主题、活动用色、字体等,改变桌面和窗口的外观,设置成您喜欢的显示风格。 + +![0|personalise](./figures/56.png) + +#### 设置窗口主题 + +1. 在控制中心首页,单击 ![personalization_normal](./figures/icon105-o.svg)。 +2. 单击 **通用**,选择一种窗口主题。 +3. 
该主题即为系统窗口主题。 + +> ![tips](./figures/icon125-o.svg)窍门:*自动主题表示根据当前时区的时间,根据日出日落的时间自动更换窗口主题。日出后是浅色,日落后是深色。* + +#### 更改活动用色 + +活动用色是指选中某一选项时的强调色。 + +1. 在控制中心首页,单击 ![personalization_normal](./figures/icon105-o.svg)。 +2. 单击 **通用**。 +3. 单击 **活动用色** 下的一种颜色,可实时查看该颜色效果。 + +#### 设置图标主题 + +1. 在控制中心首页,单击 ![personalization_normal](./figures/icon105-o.svg)。 +2. 单击 **图标主题**,选择一款图标样式。 + +#### 设置光标主题 + +1. 在控制中心首页,单击 ![personalization_normal](./figures/icon105-o.svg)。 +2. 单击 **光标主题**,选择一款光标样式。 + +#### 更改系统字体 + +1. 在控制中心首页,单击 ![personalization_normal](./figures/icon105-o.svg)。 +2. 单击 **字体**,进入设置字体界面。 +3. 设置系统字号和字体。 + +### 网络设置 + +登录系统后,您需要连接网络,才能接收邮件、浏览新闻、下载文件、聊天、网上购物等。 + +> ![tips](./figures/icon125-o.svg)窍门:*您可以单击任务栏托盘区的网络图标,查看当前网络状态。* + +![0|network](./figures/54.png) + +#### 有线网络 + +有线网络安全快速稳定,是最常见的网络连接方式。当您设置好路由器后,把网线两端分别插入电脑和路由器,即可连接有线网络。 + +1. 将网线插入电脑上的网络插孔。 +2. 将网线的另一端插入路由器或网络端口。 +3. 在控制中心首页,单击 ![network_normal](./figures/icon97-o.svg)。 +4. 单击 **有线网络**,进入有线网络设置界面。 +5. 打开 **有线网卡**,开启有线网络连接功能。 +6. 当网络连接成功后,桌面右上角将弹出“已连接有线连接”的提示信息。 + +您还可以在有线网络的设置界面,编辑或新建有线网络设置。 + +#### 移动网络 + +当您处于一个没有网络信号的地方时,可以使用无线上网卡来上网。在有电话信号覆盖的任何地方,无线上网卡通过运营商的移动数据网络接入宽带服务。 + +1. 将移动网卡插入电脑上的USB接口中。 +2. 电脑将根据移动网卡和运营商信息,自动适配并自动连接网络。 +3. 在控制中心首页,单击 ![network_normal](./figures/icon97-o.svg)。 +4. 单击 **移动网络**,查看详细设置信息。 + +#### 拨号网络 + +拨号上网(DSL)是指通过本地电话拨号连接到网络的连接方式。配置好调制解调器,把电话线插入电脑的网络接口,创建宽带拨号连接,输入运营商提供的用户名和密码,即可拨号连接到Internet上。 + +##### 新建拨号连接 + +1. 在控制中心首页,单击 ![network_normal](./figures/icon97-o.svg)。 +2. 单击 **DSL**,单击 ![add](./figures/icon50-o.svg)。 +3. 输入宽带名称、帐户、密码。 +4. 单击 **保存**,系统自动创建宽带连接并尝试连接。 + +#### VPN + +VPN即虚拟专用网络,其主要功能是在公用网络上建立专用网络,进行加密通讯。无论您是在外地出差还是在家中办公,只要能上网就能利用VPN访问企业的内网资源。您还可以使用VPN加速访问其他国家的网站。 + +1. 在控制中心首页,单击 ![network_normal](./figures/icon97-o.svg)。 +2. 单击 **VPN**,选择 ![add](./figures/icon50-o.svg) 或 ![import](./figures/icon84-o.svg)。 +3. 选择VPN协议类型,并输入名称、网关、帐号、密码等信息。(导入VPN会自动填充信息) +4. 单击 **保存**,系统自动尝试连接VPN网络。 +5. 
您可以将VPN设置导出,备用或共享给其他用户。 + +> ![notes](./figures/icon99-o.svg)说明:*打开 **仅用于相对应的网络上的资源** 开关,可以不将VPN设置为默认路由,只在特定的网络资源上生效。* + +#### 系统代理 + +1. 在控制中心首页,单击 ![network_normal](./figures/icon97-o.svg)。 +2. 单击 **系统代理**,进入系统代理界面。 + + - 单击 **无**,关闭代理服务器功能。 + - 单击 **手动**,输入代理服务器的地址和端口信息。 + - 单击 **自动**,输入URL,系统将自动配置代理服务器的信息。 + +#### 应用代理 + +1. 在控制中心首页,单击 ![network_normal](./figures/icon97-o.svg)。 +2. 单击 **应用代理**。 +3. 设置应用代理参数。 +4. 单击 **保存**。 + +> ![notes](./figures/icon99-o.svg)说明:*应用代理设置成功后,打开启动器,右键单击应用图标,可以选择 **使用代理**。* + + +#### 网络详情 + +在网络详情界面,您可以查看MAC、IP地址、网关和其他网络信息。 + +1. 在控制中心首页,单击 ![network_normal](./figures/icon97-o.svg)。 +2. 单击 **网络详情**,进入网络信息界面。 +3. 查看当前有线网络或无线网络的信息。 + +### 声音设置 + +输入输出设备声音的设置(如设置扬声器和麦克风),让您听得更舒适,录音更清晰。 + +![0|sound](./figures/61.png) + + +#### 输出设备 + +1. 在控制中心首页,单击 ![sound_normal](./figures/icon116-o.svg)。 +2. 单击 **输出**,进入输出设备配置界面,您可以: + - 在输出设备后面的下拉框中选择输出设备类型。 + - 通过拖曳滑块调节输出音量和左/右声道平衡。 + - 打开 **音量增强**,音量的可调节区间由0~100% 转变为0~150%。 + +#### 输入设备 + +1. 在控制中心首页,单击 ![sound_normal](./figures/icon116-o.svg)。 +2. 单击 **输入**,进入输入设备配置界面,您可以: + - 在输入设备后面的下拉框中选择输入设备类型。 + - 通过拖曳滑块调节输入音量。 + - 打开 **开启** 按钮,还可以设置 **噪音抑制** 功能。 + +> ![tips](./figures/icon125-o.svg)窍门:*通常,需要调大输入音量,确保能够听到声源的声音,但是音量不宜过大,因为这会导致声音失真。可以对着麦克风以正常说话的音量讲话,并观察反馈音量的变化,变化较明显,则说明输入音量合适。* + +#### 系统音效 + +1. 在控制中心首页,单击 ![sound_normal](./figures/icon116-o.svg)。 +2. 单击 **系统音效**,勾选选项,开启某一事件发生时的声音效果。 + +> ![tips](./figures/icon125-o.svg)窍门:*您可以单击试听音效。* + + +### 时间日期 + +正确选择您所在的时区,一般即可显示正确的日期和时间。您也可以手动修改时间和日期。 + +![0|time](./figures/62.png) + +#### 修改时区 + +在您安装系统时,已选择了系统时区。若要修改系统时区,请按如下步骤设置。 + +1. 在控制中心首页,单击 ![time](./figures/icon124-o.svg)。 +2. 单击 **时区列表**。 +3. 单击 **修改系统时区**, 通过搜索或单击地图选择时区。 +4. 单击 **确定**。 + +#### 添加时区 + +您可以同时使用多个时区,以便查看另一时区的时间。 + +1. 在控制中心首页,单击 ![time](./figures/icon124-o.svg)。 +2. 单击 **时区列表**。 +3. 单击![add](./figures/icon50-o.svg),通过搜索或单击地图选择时区。 +4. 单击 **添加**。 + +#### 删除时区 + +1. 在控制中心首页,单击 ![time](./figures/icon124-o.svg)。 +2. 单击 **时区列表**。 +3. 单击时区列表后面的 **编辑**。 +4. 
单击 ![delete](./figures/icon71-o.svg),删除已添加的时区。 + +#### 修改时间和日期 + +默认情况下,系统通过网络自动同步该时区的本地时间和日期。您也可以手动修改时间和日期。手动设置后,自动同步功能会被关闭。 + +1. 在控制中心首页,单击 ![time](./figures/icon124-o.svg)。 +2. 单击 **时间设置** 。 + - 开启或关闭自动同步配置。 + - 设置正确的时间和日期。 +3. 单击 **确定**。 + +#### 设置时间日期格式 + +支持即时设置时间日期的格式。 + +1. 在控制中心首页,单击 ![time](./figures/icon124-o.svg)。 +2. 单击 **格式设置**,可以设置星期、长短日期、长短时间等格式。 + +### 电源管理 + +对系统电源进行一些设置,让系统更安全。 + +![0|power](./figures/57.png) + +              + +#### 设置显示器关闭时间 + +1. 在控制中心首页,单击 ![power_normal](./figures/icon107-o.svg)。 +2. 单击 **使用电源**。 +3. 选择关闭显示器的时间。 + +#### 设置自动锁屏时间 + +1. 在控制中心首页,单击 ![power_normal](./figures/icon107-o.svg)。 +2. 单击 **使用电源**。 +3. 选择自动锁屏的时间。 + +#### 设置电源按钮 + +1. 在控制中心首页,单击 ![power_normal](./figures/icon107-o.svg)。 +2. 单击 **使用电源**。 +3. 选择电源按钮 **关机**、**关闭显示器** 或 **无任何操作**,更改电源设置。 + +更改设置后会即时生效,同时系统通知用户已修改电源设置。 + +### 鼠标 + +鼠标是计算机的常用输入设备。使用鼠标,可以使操作更加简便快捷。 + +![0|mouse](./figures/53.png) + +#### 通用设置 + +1. 在控制中心首页,单击 ![mouse_touchpad_normal](./figures/icon94-o.svg)。 +2. 单击 **通用**。 +3. 开启 **左手模式**,调节鼠标和触控板的**滚动速度**,**双击速度**。 + +> ![notes](./figures/icon99-o.svg)说明:*开启左手模式后,鼠标的左右键功能互换。* + +#### 鼠标设置 + +插入或连接鼠标后,在控制中心进行相关设置,让其更符合您的使用习惯。 + +1. 在控制中心首页,单击 ![mouse_touchpad_normal](./figures/icon94-o.svg)。 +2. 单击 **鼠标**。 +3. 调节 **指针速度**, 控制鼠标移动时指针移动的速度。 +4. 单击 **自然滚动** / **鼠标加速** 开关,开启相应功能。 + +> ![notes](./figures/icon99-o.svg)说明: +> +> - *开启鼠标加速,提高了指针精确度,鼠标指针在屏幕上的移动距离会根据移动速度的加快而增加。可以根据使用情况开启或关闭。* +> - *自然滚动开启后,鼠标滚轮向下滚动,内容会向下滚动;鼠标滚轮向上滚动,内容会向上滚动。* + +### 键盘和语言 + +在此模块,您可以设置键盘属性,以便符合您的输入习惯,还可以根据国家和语言调整键盘布局,设置系统语言,以及自定义快捷键。 + +![0|keyboard](./figures/59.png) + +#### 键盘属性 + +1. 在控制中心首页,单击 ![keyboard_normal](./figures/icon86-o.svg)。 +2. 单击 **通用**。 +3. 调节 **重复延迟**/**重复速度**。 +4. 单击“请在此测试”,按下键盘上的任意字符不松开,查看调节效果。 +5. 单击 **启用数字键盘**/**大写锁定提示** 开关,开启相应功能。 + +#### 键盘布局 + +设置键盘布局,可以为当前语言自定义键盘。按下键盘上的按键时,键盘布局会控制哪些字符显示在屏幕上。更改键盘布局后,屏幕上的字符可能与键盘按键上的字符不相符。 + +一般在安装系统时,就已经设置了键盘布局,您也可以添加其他的键盘布局。 + +![layout](./figures/50.png) + +##### 添加键盘布局 + +1. 
在控制中心首页,单击 ![keyboard_normal](./figures/icon86-o.svg)。 +2. 单击 **键盘布局**,进入键盘布局界面。 +3. 单击![add](./figures/icon50-o.svg),单击某一键盘布局即可添加到列表。 + +##### 删除键盘布局 + +1. 在控制中心首页,单击 ![keyboard_normal](./figures/icon86-o.svg)。 +2. 单击 **键盘布局**,进入键盘布局界面。 +3. 单击”键盘布局“后的 **编辑**。 +4. 单击 ![delete](./figures/icon71-o.svg),删除该键盘布局。 + +##### 切换键盘布局 + +1. 在控制中心首页,单击 ![keyboard_normal](./figures/icon86-o.svg)。 +2. 单击 **键盘布局**,进入键盘布局界面。 +3. 选择一个键盘布局进行切换。 +4. 切换成功后,该键盘布局将标记为已选择。 + +> ![tips](./figures/icon125-o.svg)窍门:*您也可以选择一组或多组快捷键,按顺序切换已添加的键盘布局。选择 **切换方式**, 让切换后的键盘布局应用于整个系统或当前应用。* + +#### 系统语言 + +系统语言默认为您安装系统时所选择的语言,可以随时更改。 + +##### 添加系统语言 + +您可以添加多个语言到系统语言列表,以便切换系统语言。 + +1. 在控制中心首页,单击 ![keyboard_normal](./figures/icon86-o.svg)。 +2. 单击 **系统语言**,进入系统语言界面。 +3. 单击 ![add](./figures/icon50-o.svg) 进入语言列表。 +4. 选择语言,该语言将自动添加到系统语言列表。 + +##### 切换系统语言 + +1. 在控制中心首页,单击 ![keyboard_normal](./figures/icon86-o.svg)。 +2. 单击 **系统语言**,进入系统语言界面。 +3. 选择要切换的语言,系统将自动开始安装语言包。 +4. 语言包安装完成后,需要注销后重新登录,以便设置生效。 + +> ![attention](./figures/icon52-o.svg)注意:*更改系统语言后,键盘布局可能也会发生改变。重新登录时,请确保使用正确的键盘布局来输入密码。* + + +#### 快捷键 + +快捷键列表显示了系统所有的快捷键。您可以在这里查看、修改和自定义快捷键。 + +![0|shortcut](./figures/59.png) + +##### 查看快捷键 + +1. 在控制中心首页,单击 ![keyboard_normal](./figures/icon86-o.svg)。 +2. 单击 **快捷键**,进入快捷键设置界面。 +3. 搜索或查看默认的系统快捷键、窗口快捷键和工作区快捷键。 + +##### 修改快捷键 + +1. 在控制中心首页,单击 ![keyboard_normal](./figures/icon86-o.svg)。 +2. 单击 **快捷键**,进入快捷键设置界面。 +3. 单击需要修改的快捷键。 +4. 使用键盘输入新的快捷键。 + +> ![tips](./figures/icon125-o.svg)窍门:*若要禁用快捷键,请按下键盘上的 ![Backspace](./figures/icon54-o.svg)。若要取消修改快捷键,按下键盘上 **Esc** 键, 或单击下方的”恢复默认”按钮。* + +##### 自定义快捷键 + +您可以为常用的应用自定义一个快捷键。 + +1. 在控制中心首页,单击 ![keyboard_normal](./figures/icon86-o.svg)。 +2. 单击 **快捷键**。 +3. 单击![add](./figures/icon50-o.svg),进入添加快捷键界面。 +4. 输入快捷键名称、命令和快捷键。 +5. 单击 **添加**。 +6. 添加成功后,单击”自定义快捷键“后的 **编辑**。 +7. 
单击某个快捷键后 ![delete](./figures/icon71-o.svg), 删除自定义的快捷键。 + +> ![tips](./figures/icon125-o.svg)窍门:*若要修改快捷键,单击输入新的快捷键即可。若要修改自定义快捷键的名称和命令,单击“自定义快捷键”后的 **编辑** ,单击快捷键名称后的 ![edit](./figures/icon75-o.svg),进入修改页面。* + + +### 系统信息 + +您可以查看系统版本、版本授权和电脑硬件等信息,以及该系统的一些协议。 + +![0|info](./figures/48.png) + +#### 关于本机 + +1. 在控制中心首页,单击 ![system_info_normal](./figures/icon120-o.svg)。 +2. 在 **关于本机** 下,您可以查看当前系统版本、版本授权及电脑硬件信息; +3. 若系统未激活,可在此页面单击 **激活**,进行系统激活。 + +#### 版本协议 + +1. 在控制中心首页,单击 ![system_info_normal](./figures/icon120-o.svg)。 +2. 在 **版本协议** 下,查看系统版本协议。 + +#### 最终用户许可协议 + +1. 在控制中心首页,单击 ![system_info_normal](./figures/icon120-o.svg)。 +2. 在 **最终用户许可协议** 下,查看最终用户许可协议。 + + + +## 键盘交互 + +您可以使用键盘在各个界面区域内切换,并选择对象,执行操作。 + +| 按键 | 功能 | +| :----------------------------------------------------------- | :----------------------------------------------------------- | +| **Tab** | 在不同区域或对话框按钮之间切换。 | +| ![Up](./figures/icon127-o.svg) ![Down](./figures/icon73-o.svg) ![Left](./figures/icon88-o.svg) ![Right](./figures/icon111-o.svg) | 在同区域内对不同的对象进行选择。使用 ![Right](./figures/icon111-o.svg) 进入下级菜单,使用 ![Left](./figures/icon88-o.svg) 返回上级菜单。使用![Up](./figures/icon127-o.svg)![Down](./figures/icon73-o.svg) 键进行上下切换 。 | +| **Enter** | 执行选定对象。 | +| **Space** | 在文件管理器中,预览选定对象;在影院和音乐中,开始/暂停播放;在下拉列表中,展开下拉选项(也可使用回车键)。 | +| **Ctrl**+**M** | 打开右键菜单。 | + diff --git a/docs/zh/docs/desktop/Install_XFCE.md b/docs/zh/docs/desktop/Install_XFCE.md new file mode 100644 index 0000000000000000000000000000000000000000..1163a39c84dfcc1ebe3f15af53397b558ef08d52 --- /dev/null +++ b/docs/zh/docs/desktop/Install_XFCE.md 
@@ -0,0 +1,65 @@ +# 在 openEuler 上安装 XFCE +XFCE是一款轻量级 Linux 桌面,当前版本已经将所有部件从 GTK2 更新到 GTK3,从D-Dbus Glib更新到GDBus,大部分组件支持Object Introspection(简称 GI,用于产生与解析 C 程序库 API 元信息,以便于动态语言(或托管语言)绑定基于 C + GObject 的程序库)。优化用户体验,加入新特性,并修补大量BUG。与其它UI界面(GNOME、KDE)相比,XFCE占用的内存和CPU使用量非常小,给用户带来亲切和高效的使用体验。 + +XFCE支持x86_64和aarch64两种架构。 + +安装时,建议新建一个管理员用户。 + +1. [下载](https://openeuler.org/zh/download/)openEuler ISO镜像并安装系统,更新软件源(需要配置Everything源,以及EPOL源,下面命令是在最小化安装系统的情况下安装XFCE) +``` +sudo dnf update +``` + +2. 安装字库 +``` +sudo dnf install dejavu-fonts liberation-fonts gnu-*-fonts google-*-fonts +``` + +3. 安装Xorg +``` +sudo dnf install xorg-* +``` + +4. 安装XFCE及组件 +``` +sudo dnf install xfwm4 xfdesktop xfce4-* xfce4-*-plugin network-manager-applet +``` + +5. 安装登录管理器 +``` +sudo dnf install lightdm lightdm-gtk +``` + +6. 设置默认桌面为XFCE +通过root权限用户设置 +``` +echo 'user-session=xfce' >> /etc/lightdm/lightdm.conf.d/60-lightdm-gtk-greeter.conf +``` + +7. 使用登录管理器登录XFCE +``` +sudo systemctl start lightdm +``` +登录管理器启动后,在右上角左侧选择"xfce-session" +输入用户名、密码登录 + +8. 设置开机自启动图形界面 +``` +sudo systemctl enable lightdm +sudo systemctl set-default graphical.target +``` +如果默认默认安装了gdm,建议停用gdm +``` +systemctl disable gdm +``` +重启验证 +``` +sudo reboot +``` + +9. FAQ + +Q:为什么lightdm登录界面背景是黑色的? +A:登录界面是黑色的是因为lghtdm-gtk默认配置文件/etc/lightdm/lightdm-gtk-greeter.conf中没有设置background。 +可以在该配置文件最后的[greeter]段中设置 background=/usr/share/backgrounds/xfce/xfce-blue.jpg +然后systemctl restart lightdm 就可以看到背景了。 diff --git a/docs/zh/docs/desktop/UKUIuserguide.md b/docs/zh/docs/desktop/UKUIuserguide.md new file mode 100755 index 0000000000000000000000000000000000000000..8eac8f1cfc1458c26ead0d8e4109f696cfc67e5b --- /dev/null +++ b/docs/zh/docs/desktop/UKUIuserguide.md 
@@ -0,0 +1,393 @@ +# UKUI 用户指南 + + +## 概述 + +桌面是用户进行图形界面操作的基础,UKUI(UbuntuKylin UI)提供了多个功能部件,包括任务栏、开始菜单等,本文主要描述 UKUI 的使用。 + +主界面如下图所示。 + +![图 1 桌面主界面-big](./figures/1.png) + +## 桌面 + +### 桌面图标 + +系统默认放置了计算机、回收站、个人三个图标,鼠标左键双击即可打开页面,功能如下表。 + + +| 图标 | 说明 | +| :------------ | :------------ | +| ![](./figures/icon1.png) | 计算机:显示连接到本机的驱动器和硬件| +| ![](./figures/icon2.png) | 回收站:显示除移的文件| +| ![](./figures/icon3.png) | 主文件夹:显示个人主目录| + + +另外,右键单击“计算机”,选择“属性”,可显示当前系统版本、内核版本等相关信息。 + +![图 2 “计算机”-“属性”-big](./figures/2.png) + +### 右键菜单 + +在桌面空白处单击鼠标右键,出现的菜单如下图所示,为用户提供了一些快捷功能。 + +![图 3 右键菜单](./figures/3.png) + +部分选项说明如表 2。 + +| 选项 | 说明| +| :------------ | :------------ | +| 新 建 | 可新建文件夹、文本文档、WPS文件 | +| 视图类型 | 提供四种视图类型:小图标、中图标、大图标、超大图标 | +| 排序方式 | 提供根据文件名称、文件类型、文件大小、修改日期排列的四种方式| + +
+ +## 任务栏 + +### 基本功能 + +任务栏位于底部,包括开始菜单、多视图切换、文件浏览器、Firefox网络浏览器、WPS、托盘菜单。 + +![图 4 任务栏](./figures/4.png) + +| 组件 | 说明 | +| :------------ | :------------ | +|![](./figures/icon4.png)| 开始菜单,用于弹出系统菜单,可查找应用和文件 | +|![](./figures/icon5.png)| 多视图切换,可在多个工作区互不干扰进行操作| +|![](./figures/icon6.png)| 文件浏览器,可浏览和管理系统中的文件| +|![](./figures/icon7.png)| Firefox网页浏览器,提供便捷安全的上网方式| +|![](./figures/icon8.png)| WPS办公套件,可以实现办公软件最常用的文字、表格、演示等多种功能| +|窗口显示区 |横条中间空白部分;显示正在运行的程序或打开的文档,可进行关闭窗口、窗口置顶操作。| +|![](./figures/icon9.png)| 托盘菜单,包含了对声音、麒麟天气、网络连接、输入法、通知中心、日期、夜间模式的设置| +|显示桌面| 按钮位于最右侧;最小化桌面的所有窗口,返回桌面;再次单击将恢复窗口| + +
+ +#### 多视图切换 + +点击任务栏“![](./figures/icon10-o.png)”图标,即可进入如下图所示界面,在多个工作区内选择当下需要工作的操作区。 + +![图 5 多视图切换-big](./figures/5.png) + +#### 预览窗口 + +用户将鼠标移动到任务栏的应用图标上,会对该应用打开的窗口进行小窗口预览,悬停在指定窗口如下图所示为悬停状态,该窗口会微微呈现毛玻璃效果(左),其余窗口为默认状态(右)。 + +![图 6 任务栏预览窗口](./figures/6.png) + +用户通过鼠标右键点击任务栏的应用图标,可关闭该应用。 + +![图 7 任务栏右键预览](./figures/7.png) + +#### 侧边栏 + +侧边栏位于整个桌面的右侧,点击任务栏托盘菜单中的“![](./figures/icon11-o.png)”图标打开收纳菜单,点击侧边栏“![](./figures/icon12-o.png)”图标,弹出侧边栏如下图所示。 + +侧边栏由两部分构成:通知中心、剪切板和小插件。 + +![图 8 侧边栏无消息状态-big](./figures/8.png) + +##### 通知中心 + +通知中心将会显示重要的近期最新的重要信息列表,选择右上角“清空”可将信息列表清空;用户可通过选择右上角“设置”跳转进入控制面板的通知设置界面,能设置显示信息的应用,以及信息的数量。 + +![图 9 通知中心-big](./figures/9.png) + +右侧工作区可设置为按应用折叠的模式。 + +![图 10 按应用折叠通知消息-big](./figures/10.png) + +侧边栏右上角“![](./figures/icon13-o.png)”图标可收纳不重要信息,可以打开不重要的和已被设置为收纳的应用软件信息,消息超过999+后显示成![](./figures/icon14-o.png)的形式表示无穷大。 + +![图 11 消息收纳箱](./figures/11.png) + +##### 剪切板 + +剪切板可保存近期选择复制或剪切的内容,同时可通过表上说明的图标进行相应操作。 + +其中点击“![](./figures/icon15-o.png)”图标,可对剪切板的内容进行编辑。 + +|图标| 说明| 图标 |说明 | +| :------------ | :------------ | :------------ | :------------ | +|![](./figures/icon16.png)| 复制剪切板上的该内容 |![](./figures/icon18.png)| 编辑剪切板上的该内容 | +|![](./figures/icon17.png)| 删除剪切板上的该内容 | | | + +
+ +![图 12 剪切板](./figures/12.png) + +![图 13 编辑选中实的剪切板内容](./figures/13.png) + +剪切板的第二个标签为小插件,插件包含:闹钟、笔记本、用户反馈,可供用户快捷选择。 + +![图 14 小插件](./figures/14.png) + +#### 托盘菜单 + +##### 收纳菜单 + +点击任务栏托盘菜单中的“![](./figures/icon19-o.png)”图标打开收纳菜单,收纳菜单中可收纳麒麟天气、输入法、蓝牙、u盘等小工具。 + +![图 15 收纳菜单](./figures/15.png) + +##### 输入法 + +任务栏输入法默认为搜狗输入法,使用快捷键“Ctrl+Space”可切换出来,“Shift”按键切换中英文模式。 + +![图 16 输入法](./figures/16.png) + +##### U盘 + +U盘插入主机后,自动读取U盘数据,点击任务栏中U盘“![](./figures/icon26-o.png)”图标弹窗如下图所示。 + +需要卸载U盘时仅需点击弹出“![](./figures/icon27-o.png)”图标即可。 + +![图 17 U盘状态窗口](./figures/17.png) + +##### 电源 + +没有检测到电源设备时,用户通过点击鼠标左键任务栏中电源“![](./figures/icon28-o.png)”图标。 + +![图 18 无电源设备](./figures/18.png) + +若检测到接入的电源设备,用户通过点击鼠标左键任务栏中电源“![](./figures/icon29-o.png)”图标。 + +![图 19 电源管理器窗口](./figures/19.png) + +用户通过点击鼠标右键任务栏中电源“![](./figures/icon30-o.png)”图标,弹出电源管理器设置菜单,设置调整屏幕亮度、设置电源和休眠两项。 + +![图 20 电源管理器设置](./figures/20.png) + +若电源管理器弹出“电池电量不足”的弹窗后,用户可点击开启节能模式,电源管理器则即刻将本机设为节能模式运行。 + +![图 21 电池电量不足开启节能模式](./figures/21.png) + +##### 网络 + +用户通过鼠标左键点击任务栏上的网络“![](./figures/icon31-o.png)”图标,可根据需要选择有线和无线两种网络连接方式。 + +|图标 |说明| 图标 |说明 | +| :------------ | :------------ | :------------ | :------------ | +|![](./figures/icon32.png)| 网络已连接 |![](./figures/icon37.png)| 网络未连接 | +|![](./figures/icon33.png)| 网络连接受限 |![](./figures/icon38.png)| 网络已上锁 | +|![](./figures/icon34.png)| 网络正在连接 |![](./figures/icon39.png)| Wifi已连接 | +|![](./figures/icon35.png)| Wifi未连接 |![](./figures/icon40.png)| Wifi连接受限 | +|![](./figures/icon36.png)| Wifi已上锁 |![](./figures/icon41.png)| Wifi正在连接 | + +
+ +![图 22 网络连接界面](./figures/22.png) + +- 有线网络 + + 在有线网络连接界面,点击有线网络方案即可展开,查看网络的详细信息。 + + ![图 23 有线网络连接](./figures/23.png) + +- 无线网络 + + 无线网络连接,点击右上角开关按钮打开无线网络连接,并在可用无线网络列表中选择需要连接的WiFi,并键入密码即可通过WiFi上网。 + + ![图 24 无线网络连接](./figures/24.png) + +- 网络设置窗口 + + 用户通过鼠标右键点击任务栏上的网络“![](./figures/icon42-o.png)”图标,弹出网络设置菜单。 + + ![图 25 有线网络设置](./figures/25.png) + + 点击设置网络,即刻进入网络设置窗口。 + + ![图 26 网络设置窗口](./figures/26.png) + +##### 音量 + +用户通过鼠标左键点击任务栏上的音量“![](./figures/icon43-o.png)”图标,打开声音界面。 + +- mini模式 + + 音量min模式,仅显示扬声器的音量。 + + ![图 27 音量min模式](./figures/27.png) + +- 按设备 + 音量按设备标签包括输出设备、输入设备。 + + ![图 28 按设备音量列表](./figures/28.png) +- 按应用 + 音量按应用标签包括系统音量、其他应用音量。 + + ![图 29 按应用音量列表](./figures/29.png) + +##### 日历 + +用户通过鼠标左键点击任务栏上的时间日期弹出日历窗口,查看日历、月历、年历窗口。 + +用户可通过筛选年 > 月 > 日查看一日信息,会以大字显示当日日期,并有当日的时间、星期、节气、农历,点击下方宜忌勾选可查看。 + +![图 30 日历查看-big](./figures/30.png) + +##### 夜间模式 + +用户通过鼠标左键点击任务栏上的夜间模式“![](./figures/icon44-o.png)”图标,可设置为夜间模式。 + +#### 高级设置 + +右键单击任务栏,出现的菜单。 + +![图 31 任务栏右键菜单](./figures/31.png) + +用户可对任务栏的布局进行设定,在“设置任务栏”中可进行相关设置。 + +
+ +## 窗口 + +### 窗口管理器 + +窗口管理器为用户提供了如表所示的功能。 + +|功能 |说明 | +| :--------| :----------| +|窗口标题栏| 显示当前窗口的标题名称 | +|最小化/最大化/关闭 |标题栏右侧的三个图标按钮,分别对应最小化窗口、最大化窗口、关闭窗口的功能 | +|侧边滑动 |在窗口右侧提供滑动条,可上下滚动查看页面 | +|窗口堆叠| 允许窗口之间产生重叠 | +|窗口拖拽 |在窗口标题栏长按鼠标左键,可移动窗口到任意位置 | +|窗口大小调整 |将鼠标移至窗口四角,长按左键,可任意调整窗口大小 | + +
+ +### 窗口切换 + +用户有三种方式可以切换: + +* 在任务栏上点击窗口标题; + +* 在桌面上点击不同窗口; + +* 使用快捷键< Alt > + < Tab >; + +
+ +## 开始菜单 + +### 基本功能 + +单击“开始菜单”按钮,菜单具备滑动条功能。 + +![图 32 开始菜单主界面](./figures/32.png) + +#### 右侧分类菜单 + +用户将鼠标停留在开始菜单右侧,会出现一个右侧预展开的提示栏,点击展开,即在右侧默认显示三个分类:“常用软件”、“字母分类”、“功能分类”,其中: + +* 所有软件:列出所有软件,近期使用过的软件将会在此页面置顶显示。 + +* 字母分类:列出系统根据首字母进行分类显示所有软件。 + +* 功能分类:列出系统根据功能进行分类显示所有软件。 + +用户可通过点击右上角开始菜单的全屏图标,查看全屏菜单。 + +![图 33 全屏开始菜单-big](./figures/33.png) + +#### 右侧功能键 + +右下侧显示用户头像、计算机、设置和电源四个选项。 + +##### 用户头像 + +点击“![](./figures/icon45-o.png)”图标,进入控制面板查看用户信息。 + +##### 计算机 + +点击“![](./figures/icon46-o.png)”图标进入计算机:个人主文件夹。 + +##### 设置 + +点击“![](./figures/icon47-o.png)”图标进入控制面板。 + +##### 电源 + +###### 锁定屏幕 + +当用户暂时不需要使用计算机时,可以选择锁屏(不会影响系统当前的运行状态),防止误操作;用户返回后,输入密码即可重新进入系统。 + +在默认设置下,系统在一段空闲时间后,将自动锁定屏幕。 + +锁屏界面如下图所示。 + +![图 34 锁屏界面-big](./figures/34.png) + +###### 切换用户和注销 + +当要选择其他用户登录使用计算机时,可选择“注销”或“切换用户”。 + +此时,系统会关闭所有正在运行的应用;所以,在执行此操作前,请先保存当前工作。 + +###### 关机与重启 + +有两种操作方式: + +1)“开始菜单” > “电源” > “关机” + +会弹出对话框,用户可根据需要选择重启或关机。 + +![图 35 关闭系统对话框-big](./figures/35.png) + +2)“开始菜单” > “关机” 按钮右边菜单 > “关机”/“重启” + +系统将直接关机/重启,不再弹出对话框。 + +### 高级设置 + +右键单击开始菜单图标,提供锁屏、切换用户、注销、重启、关闭五个快捷选项。 + +### 应用 + +用户可以在搜索框中,通过关键字搜索应用。如下图所示,可输入中文,如:搜索用户手册,查询结果会随着输入自动显示出来。 + +![图 36 搜索应用](./figures/36.png) + +通过右键点击开始菜单中的某个应用,弹出右键菜单,可将选中应用固定到“所有软件”、任务栏,可添加该应用到桌面方式,可快捷卸载该应用。 + +![图 37 应用的右键菜单](./figures/37.png) + +各个选项说明如下表。 + +|选项 |说明 | +| :------| :-------- +|固定到所有用软件 |将选中软件在所有软件列表中置顶 | +|固定到任务栏 |在任务栏上生成应用的图标 | +|添加到桌面快捷方式| 在桌面生成应用的快捷方式图标 | +|卸载| 卸载软件 | + +
+ +## 常见问题 + +### 锁屏后无法登录系统 +* 通过Ctrl + Alt + F1切换到字符终端。 + +* 输入用户名和密码后登录。 + +* 执行命令“sudo rm -rf ~/.Xauthority”。 + +* 通过Ctrl + Alt + F7切回图形界面,输入用户密码登录。 + +
+ +## 附录 + +### 快捷键 + +|快捷键 |功能 | +| :------ | :----- | +|F5| 刷新桌面 | +|F1 |打开用户手册 | +|Alt + Tab |切换窗口 | +|win |打开开始菜单 | +|Ctrl + Alt + L| 锁屏 | +|Ctrl + Alt + Delete| 注销 | \ No newline at end of file diff --git a/docs/zh/docs/desktop/Xfce_userguide.md b/docs/zh/docs/desktop/Xfce_userguide.md new file mode 100755 index 0000000000000000000000000000000000000000..04501095ca4b568a86846ab70b830b58036ae0ac --- /dev/null +++ b/docs/zh/docs/desktop/Xfce_userguide.md @@ -0,0 +1,247 @@ +# Xfce 用户指南 + + +## 一 概述 + +Xfce是运行在类Unix操作系统中的一款轻量级桌面环境。Xfce提供了多个功能部件,包括 所有应用程序 等,本文主要描述 Xfce 的使用。 + +界面如下图所示。 + +![图 1 桌面主界面-big](./figures/xfce-1.png) + +
+ +## 二 桌面 + +### 2.1 桌面图标 + +系统默认放置了文件系统、主文件夹、挂载目录等图标,鼠标左键双击即可打开页面。 + +![图 2 主界面默认图标-big](./figures/xfce-2.png) + +### 2.2 右键菜单 + +在桌面空白处单击鼠标右键,出现的菜单如下图所示,为用户提供了一些快捷功能。 + +![图 3 右键菜单](./figures/xfce-3.png) + +部分选项说明如表。 + +| 选项 | 说明| +| :------------ | :------------ | +| 在新窗口中打开 | 打开对应登录用户的Desktop目录 | +| 创建启动器 | 启动器的自行创建 | +| 创建URL链接 | URL链接的自行创建 | +| 创建文件夹 | 新建文件夹 | +| 创建文档 | 新建文本文档 | +| Open Terminal Here | 新建终端 | +| 排列桌面图标 | 自动排列桌面图标 | +| 桌面设置 | 提供关于背景、菜单、图标的设置 | +| 属性 | 提供关于Desktop的一般、徽标、权限等属性设置 | +| 应用程序 | 所有应用程序 | + +
+ +## 三 任务栏 + +### 3.1 基本功能 + +任务栏位于顶部,包括所有应用程序菜单、窗口显示区、多视图切换、托盘菜单。 + +![图 4 任务栏](./figures/xfce-4.png) + +| 组件 | 说明 | +| :------------ | :------------ | +| 所有应用程序 | 用于弹出所有程序以及设置,可查找应用和设置。| +| 窗口显示区 | 横条中间空白部分;显示正在运行的程序或打开的文档,可进行最小化、最大化、关闭窗口、窗口置顶等操作。| +| 多视图切换 | 可在多个工作区互不干扰进行操作。 | +| 托盘 | 包含了对网络连接、声音、电源、通知中心、日历、登录用户动作的设置。| + +#### 3.1.1 所有应用程序 + +![图 5 所有应用程序-big](./figures/xfce-5.png) + +#### 3.1.2 窗口显示区 + +![图 6 窗口显示区-big](./figures/xfce-6.png) + +#### 3.1.3 多视图切换 + +点击任务栏“![](./figures/xfce-7.png)”中的每个区域图标,即可进入对应的工作区域。 + +例如,通过鼠标在多个工作区内切换选择当下需要工作的操作区。 + +![图 7 多视图切换-big](./figures/xfce-71.png) + +#### 3.1.4 托盘 + +![图 8 托盘菜单-big](./figures/xfce-8.png) + +##### 3.1.4.1 网络 + +用户通过鼠标左键点击任务栏上的网络“![](./figures/xfce-81.png)”图标,可根据需要选择网络连接方式。 + +![图 9 网络连接界面](./figures/xfce-811.png) + +网络设置窗口 + +用户通过鼠标右键点击任务栏上的网络“![](./figures/xfce-81.png)”图标,弹出网络设置菜单。 + +![图 10 网络设置](./figures/xfce-812.png) + +点击 编辑连接,即刻进入网络设置窗口。 + +![图 11 网络设置窗口](./figures/xfce-813.png) + +双击 指定的网络连接 ,例如enp1s0,进入该连接的设置界面。 + +![图 12 有线网络设置窗口](./figures/xfce-814.png) + +##### 3.1.4.2 音量 + +用户通过鼠标左键点击任务栏上的音量“![](./figures/xfce-82.png)”图标,打开声音界面。 + +![图 13 音量设置窗口](./figures/xfce-821.png) + +##### 3.1.4.3 电源 + +用户通过点击鼠标左键任务栏中电源“![](./figures/xfce-83.png)”图标。 + +![图 14 电源设备](./figures/xfce-831.png) + +用户通过点击 电源管理器设置 进行 显示、节点 等配置。 + +![图 15 电源管理器设置](./figures/xfce-832.png) + +##### 3.1.4.4 通知中心 + +用户通过点击鼠标左键任务栏中通知“![](./figures/xfce-84.png)”图标。 + +![图 16 通知中心-big](./figures/xfce-841.png) + +用户可通过选择“请勿打扰”关闭通知。 + +通知中心将会显示重要的近期最新的重要信息列表,选择“清除日志”可将信息列表清空。 + +用户可通过选择“通知设置”跳转进入控制面板的通知设置界面,能设置显示信息的应用,以及信息的数量。 + +![图 17 通知中心-big](./figures/xfce-842.png) + +##### 3.1.4.5 日历 + +用户通过鼠标左键点击任务栏上的时间日期弹出日历窗口,查看日历、月历、年历窗口。 + +用户可通过筛选年 > 月 > 日查看一日信息。 + +![图 18 日历-big](./figures/xfce-85.png) + +用户通过鼠标右键点击任务栏上的时间日期,点击 属性 进行时间设置。 + +![图 19 日期设置-big](./figures/xfce-851.png) + +#### 3.1.4.6 高级设置 + +右键单击任务栏,出现的菜单中点击 面板。 + +![图 20 任务栏右键菜单](./figures/xfce-86.png) + +用户可对任务栏的布局进行设定,可进行项目的添加、删除等相关设置。 + +![图 21 
任务栏右键菜单](./figures/xfce-861.png) + + +##### 3.1.4.7 登录用户动作 + +用户通过鼠标左键点击任务栏上的登录用户,查看相关动作。 + +![图 22 登录用户动作](./figures/xfce-87.png) + +###### 3.1.4.7.1 锁屏 + +当用户暂时不需要使用计算机时,可以选择锁屏(不会影响系统当前的运行状态),防止误操作;用户返回后,输入密码即可重新进入系统。 + +在默认设置下,系统在一段空闲时间后,将自动锁定屏幕。 + +###### 3.1.4.7.2 切换用户 + +选择其他用户登录使用计算机时,可选择“切换用户”。 + +此时,系统会关闭所有正在运行的应用;所以,在执行此操作前,请先保存当前工作。 + +###### 3.1.4.7.3 挂起 + +处于环保节能考虑,可选择“挂起”。 + +此时,相关数据读入内存,注意不能切换电源。 + +###### 3.1.4.7.3 关机 + +用户选择关闭计算机时,可以选择“关机”。 + +在执行此操作前,建议先保存当前工作。 + +###### 3.1.4.7.3 注销 + +选择退出本次图形界面登录时,可选择“注销”。 + +此时,系统会关闭所有正在运行的应用;所以,在执行此操作前,请先保存当前工作。 + +
+ +## 四 快捷操作栏 + +### 4.1 基本功能 + +快捷操作栏位于底部,包括所有显示桌面、终端、文件管理器、网络浏览器、应用程序查找、用户家目录。 + +![图 23 快捷操作栏](./figures/xfce-9.png) + +| 组件 | 说明 | +| :------------ | :------------ | +| 显示桌面 | 最小化桌面的所有窗口,返回桌面;再次单击将恢复窗口 | +| 终端 | 快速打开一个终端 | +| 文件管理器 | 快速打开一个文件管理器 | +| 网络浏览器 | 快速打开一个网络浏览器 | +| 应用程序查找 | 快速打开应用程序查找窗口 | +| 用户家目录 | 快速打开登录用户的家目录 | + +#### 4.1.1 显示桌面 + +用户通过鼠标左键点击快捷操作栏上的“![](./figures/xfce-91.png)”图标,执行 显示桌面 相关操作。 + +![图 24 显示桌面-big](./figures/xfce-911.png) + +#### 4.1.2 终端 + +用户通过鼠标左键点击快捷操作栏上的“![](./figures/xfce-92.png)”图标,打开一个终端。 + +![图 25 终端-big](./figures/xfce-921.png) + +#### 4.1.3 文件管理器 + +用户通过鼠标左键点击快捷操作栏上的“![](./figures/xfce-93.png)”图标,打开一个文件管理器。 + +![图 26 文件管理器-big](./figures/xfce-931.png) + +#### 4.1.4 网络浏览器 + +用户通过鼠标左键点击快捷操作栏上的“![](./figures/xfce-94.png)”图标,打开一个网络浏览器。 + +![图 27 网络浏览器-big](./figures/xfce-941.png) + +#### 4.1.5 应用程序查找 + +用户通过鼠标左键点击快捷操作栏上的“![](./figures/xfce-95.png)”图标,打开一个应用程序查找界面。 + +![图 28 应用程序查找-big](./figures/xfce-951.png) + +#### 4.1.6 用户家目录 + +用户通过鼠标左键点击快捷操作栏上的“![](./figures/xfce-96.png)”图标,点击 打开文件,打开一个用户家目录界面。 + +![图 29 用户家目录-big](./figures/xfce-961.png) + +用户通过鼠标左键点击快捷操作栏上的“![](./figures/xfce-96.png)”图标,点击 在终端中打开,打开一个终端,当前目录为用户家目录。 + +![图 30 用户家目录-big](./figures/xfce-962.png) + diff --git a/docs/zh/docs/desktop/dde.md b/docs/zh/docs/desktop/dde.md new file mode 100644 index 0000000000000000000000000000000000000000..df26ec97326e1b6d7eea35d749711fa14789cac7 --- /dev/null +++ b/docs/zh/docs/desktop/dde.md @@ -0,0 +1,3 @@ +# DDE 用户指南 + +本节主要描述 DDE 桌面环境的安装和使用。 \ No newline at end of file diff --git a/docs/zh/docs/desktop/desktop.md b/docs/zh/docs/desktop/desktop.md new file mode 100644 index 0000000000000000000000000000000000000000..7e0892abdd28c29d4ebeae5d12ed1f43ce5b9c4b --- /dev/null +++ b/docs/zh/docs/desktop/desktop.md @@ -0,0 +1,4 @@ +# 桌面环境用户指南 + +本文介绍两种常用的桌面环境的安装和使用方法,它们提供美观易用、安全可靠的图形化操作界面,给用户带来更好的体验。 + 
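Review bot: In the DDE guide text that ends just before the Install_XFCE.md header, step 5 of the VPN section ("您可以将VPN设置导出,备用或共享给其他用户") recommends sharing an exported profile without saying whether the export contains the account and password entered in step 3. State what the exported file includes and, if credentials are in it, tell readers to remove them before sharing. Markup in the same hunk: `**复制 **将主屏` and `**Super** + **P **调出` have a space before the closing `**`, so the bold will not render; the taskbar icon table shows the power button as `icon122-o.svg` while "进入关机界面" uses `icon136-o.svg` for the same button; and `./figures/39.png` and `./figures/59.png` are each used for two different screens (cc-navigation/default, keyboard/shortcut).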
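Review bot: In docs/zh/docs/desktop/Install_XFCE.md, step 6 is the only privileged step written without `sudo`, and it changes the lightdm configuration with a bare `echo 'user-session=xfce' >> /etc/lightdm/lightdm.conf.d/60-lightdm-gtk-greeter.conf`. A reader who prefixes `sudo` by analogy with the other steps still gets an unprivileged redirection, and running the step twice appends a duplicate line. Suggest piping through `sudo tee -a` with the same path, or an explicit "edit the file" instruction, and name the section of the file the key must sit in. In step 8, `systemctl disable gdm` also lacks `sudo`. The unquoted globs in steps 2 to 4 (`gnu-*-fonts`, `xorg-*`, `xfce4-*`) are expanded by the shell when matching names exist in the working directory, so quote them. Typos: "默认默认" in step 8 and "lghtdm-gtk" in the FAQ answer.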
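Review bot: In docs/zh/docs/desktop/UKUIuserguide.md, the FAQ "锁屏后无法登录系统" tells users to run `sudo rm -rf ~/.Xauthority`, which is broader than the fix needs: the target is a single file in the user's own home directory, so `rm -f ~/.Xauthority` run as the affected user is enough, and the step should say to log in on the text console as that user so `~` resolves to the right home. The file is also added with `new file mode 100755`; a Markdown document should not carry the executable bit. Smaller points: the separator row `| :------| :--------` in the application right-click table is missing its closing pipe, "固定到所有用软件" and "显示除移的文件" look like typos, the volume section mixes "mini模式" and "min模式", and the start menu text announces “常用软件” as a category while the list below it describes "所有软件".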
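Review bot: In docs/zh/docs/desktop/Xfce_userguide.md, the section numbering under 3.1.4.7 is broken: `###### 3.1.4.7.3` is used three times (挂起, 关机, 注销), and `#### 3.1.4.6 高级设置` sits one heading level above its siblings `##### 3.1.4.5` and `##### 3.1.4.7`. Renumber to 3.1.4.7.3 through 3.1.4.7.5 and use `#####` for 3.1.4.6. Under "切换用户" the sentence "此时,系统会关闭所有正在运行的应用" is identical to the one under "注销"; please confirm that switching users really ends the session, since readers will rely on it when deciding whether to save work. "处于环保节能考虑" should read "出于", the captions for figures 16/17 and 20/21 are duplicated, and this file is also added as mode 100755.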
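Review bot: In docs/zh/docs/desktop/desktop.md, the overview says "本文介绍两种常用的桌面环境", but this patch adds guides for three desktops under docs/zh/docs/desktop/ (DDE, UKUI and Xfce). Update the count or drop the number so the index page matches its children. docs/zh/docs/desktop/dde.md also ends without a trailing newline.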
diff --git a/themes/project/layouts/partials/docs/inject/footer.html b/docs/zh/docs/desktop/figures/.keep similarity index 100% rename from themes/project/layouts/partials/docs/inject/footer.html rename to docs/zh/docs/desktop/figures/.keep diff --git a/docs/zh/docs/desktop/figures/1.png b/docs/zh/docs/desktop/figures/1.png new file mode 100755 index 0000000000000000000000000000000000000000..40af4242eebb440a76c749a8d970d50cd7b89bf4 Binary files /dev/null and b/docs/zh/docs/desktop/figures/1.png differ diff --git a/docs/zh/docs/desktop/figures/10.png b/docs/zh/docs/desktop/figures/10.png new file mode 100755 index 0000000000000000000000000000000000000000..e588ffbe3d8d7b66d92ae8f2b4bcec7c80d0592c Binary files /dev/null and b/docs/zh/docs/desktop/figures/10.png differ diff --git a/docs/zh/docs/desktop/figures/11.png b/docs/zh/docs/desktop/figures/11.png new file mode 100755 index 0000000000000000000000000000000000000000..1989a5bb08155f920363e154e68bb148715c7e9e Binary files /dev/null and b/docs/zh/docs/desktop/figures/11.png differ diff --git a/docs/zh/docs/desktop/figures/12.png b/docs/zh/docs/desktop/figures/12.png new file mode 100755 index 0000000000000000000000000000000000000000..cb6346161182d2cfeaf3818d5ec518ddb11c732e Binary files /dev/null and b/docs/zh/docs/desktop/figures/12.png differ diff --git a/docs/zh/docs/desktop/figures/13.png b/docs/zh/docs/desktop/figures/13.png new file mode 100755 index 0000000000000000000000000000000000000000..0a7def1fb66c90da62acde799eaffca97e3b5396 Binary files /dev/null and b/docs/zh/docs/desktop/figures/13.png differ diff --git a/docs/zh/docs/desktop/figures/14.png b/docs/zh/docs/desktop/figures/14.png new file mode 100755 index 0000000000000000000000000000000000000000..3a27a66d57e284775420d467f90dcc02889bbffe Binary files /dev/null and b/docs/zh/docs/desktop/figures/14.png differ 
diff --git a/docs/zh/docs/desktop/figures/15.png b/docs/zh/docs/desktop/figures/15.png new file mode 100755 index 0000000000000000000000000000000000000000..370bea32abcaa8a2b06a1a61c1455d4b35f43474 Binary files /dev/null and b/docs/zh/docs/desktop/figures/15.png differ diff --git a/docs/zh/docs/desktop/figures/16.png b/docs/zh/docs/desktop/figures/16.png new file mode 100755 index 0000000000000000000000000000000000000000..812ee462669c5263ef4bffc49ca4f9b6af4541c6 Binary files /dev/null and b/docs/zh/docs/desktop/figures/16.png differ diff --git a/docs/zh/docs/desktop/figures/17.png b/docs/zh/docs/desktop/figures/17.png new file mode 100755 index 0000000000000000000000000000000000000000..36e524b806874fa3788f5e4dcd78350686281107 Binary files /dev/null and b/docs/zh/docs/desktop/figures/17.png differ diff --git a/docs/zh/docs/desktop/figures/18.png b/docs/zh/docs/desktop/figures/18.png new file mode 100755 index 0000000000000000000000000000000000000000..51b32442980aa60646f77dabd53ade74f55891fe Binary files /dev/null and b/docs/zh/docs/desktop/figures/18.png differ diff --git a/docs/zh/docs/desktop/figures/19.png b/docs/zh/docs/desktop/figures/19.png new file mode 100755 index 0000000000000000000000000000000000000000..c9457d09aa9f1662b2c9e4550cdbdb9f57dd020e Binary files /dev/null and b/docs/zh/docs/desktop/figures/19.png differ diff --git a/docs/zh/docs/desktop/figures/2.png b/docs/zh/docs/desktop/figures/2.png new file mode 100755 index 0000000000000000000000000000000000000000..97917cc245484a43bec8562757d920a06f123121 Binary files /dev/null and b/docs/zh/docs/desktop/figures/2.png differ diff --git a/docs/zh/docs/desktop/figures/20.png b/docs/zh/docs/desktop/figures/20.png new file mode 100755 index 0000000000000000000000000000000000000000..b0943189920d7a541d35da27340593ea93f92a17 Binary files /dev/null and b/docs/zh/docs/desktop/figures/20.png differ 
diff --git a/docs/zh/docs/desktop/figures/21.png b/docs/zh/docs/desktop/figures/21.png new file mode 100755 index 0000000000000000000000000000000000000000..e590c22c0ea28906b5f4ea7ccbc6ab11e47ad173 Binary files /dev/null and b/docs/zh/docs/desktop/figures/21.png differ diff --git a/docs/zh/docs/desktop/figures/22.png b/docs/zh/docs/desktop/figures/22.png new file mode 100755 index 0000000000000000000000000000000000000000..03a548b1ffb1f0ad53cfa5387af2721af90bca81 Binary files /dev/null and b/docs/zh/docs/desktop/figures/22.png differ diff --git a/docs/zh/docs/desktop/figures/23.png b/docs/zh/docs/desktop/figures/23.png new file mode 100755 index 0000000000000000000000000000000000000000..834c492094715cde1c02c91752ecabfe7921ed62 Binary files /dev/null and b/docs/zh/docs/desktop/figures/23.png differ diff --git a/docs/zh/docs/desktop/figures/24.png b/docs/zh/docs/desktop/figures/24.png new file mode 100755 index 0000000000000000000000000000000000000000..1881e868b74a60888b319576fa38fb4af92ba75c Binary files /dev/null and b/docs/zh/docs/desktop/figures/24.png differ diff --git a/docs/zh/docs/desktop/figures/25.png b/docs/zh/docs/desktop/figures/25.png new file mode 100755 index 0000000000000000000000000000000000000000..f38839725d27a3486984d152e5d9de305364fbd2 Binary files /dev/null and b/docs/zh/docs/desktop/figures/25.png differ diff --git a/docs/zh/docs/desktop/figures/26.png b/docs/zh/docs/desktop/figures/26.png new file mode 100755 index 0000000000000000000000000000000000000000..6d7957119133ecb98b1b6b104e54a3a4647ec2a5 Binary files /dev/null and b/docs/zh/docs/desktop/figures/26.png differ diff --git a/docs/zh/docs/desktop/figures/27.png b/docs/zh/docs/desktop/figures/27.png new file mode 100755 index 0000000000000000000000000000000000000000..3e4733717fdc5172d6479b393005219e65e96df4 Binary files /dev/null and b/docs/zh/docs/desktop/figures/27.png differ 
diff --git a/docs/zh/docs/desktop/figures/28.png b/docs/zh/docs/desktop/figures/28.png new file mode 100755 index 0000000000000000000000000000000000000000..a77772e818e3f6c11acac3b9cfa18bad14a0a48c Binary files /dev/null and b/docs/zh/docs/desktop/figures/28.png differ diff --git a/docs/zh/docs/desktop/figures/29.png b/docs/zh/docs/desktop/figures/29.png new file mode 100755 index 0000000000000000000000000000000000000000..c4f58ffe5855295268298448744e5aadbdc55276 Binary files /dev/null and b/docs/zh/docs/desktop/figures/29.png differ diff --git a/docs/zh/docs/desktop/figures/3.png b/docs/zh/docs/desktop/figures/3.png new file mode 100755 index 0000000000000000000000000000000000000000..fbb76b336957020ed6867d908e0a8bdcfc953c52 Binary files /dev/null and b/docs/zh/docs/desktop/figures/3.png differ diff --git a/docs/zh/docs/desktop/figures/30.png b/docs/zh/docs/desktop/figures/30.png new file mode 100755 index 0000000000000000000000000000000000000000..d91adefba1753959e90ccf4aa1501ac08d7144bd Binary files /dev/null and b/docs/zh/docs/desktop/figures/30.png differ diff --git a/docs/zh/docs/desktop/figures/31.png b/docs/zh/docs/desktop/figures/31.png new file mode 100755 index 0000000000000000000000000000000000000000..0abef09ab438f5f8cfb68090993f55c493b8c15e Binary files /dev/null and b/docs/zh/docs/desktop/figures/31.png differ diff --git a/docs/zh/docs/desktop/figures/32.png b/docs/zh/docs/desktop/figures/32.png new file mode 100755 index 0000000000000000000000000000000000000000..d567cfbacc07a9eb46ff2c54a68432f45e034e94 Binary files /dev/null and b/docs/zh/docs/desktop/figures/32.png differ diff --git a/docs/zh/docs/desktop/figures/33.png b/docs/zh/docs/desktop/figures/33.png new file mode 100755 index 0000000000000000000000000000000000000000..7b5896e2884520672c0bd88d68471b45a09c56fe Binary files /dev/null and b/docs/zh/docs/desktop/figures/33.png differ 
diff --git a/docs/zh/docs/desktop/figures/34.png b/docs/zh/docs/desktop/figures/34.png new file mode 100755 index 0000000000000000000000000000000000000000..81bc9480fbbd81a97c559d7a6a74274deeab2bd1 Binary files /dev/null and b/docs/zh/docs/desktop/figures/34.png differ diff --git a/docs/zh/docs/desktop/figures/35.png b/docs/zh/docs/desktop/figures/35.png new file mode 100755 index 0000000000000000000000000000000000000000..ab2399847a643a87279337704e23fea7609bb211 Binary files /dev/null and b/docs/zh/docs/desktop/figures/35.png differ diff --git a/docs/zh/docs/desktop/figures/36.png b/docs/zh/docs/desktop/figures/36.png new file mode 100755 index 0000000000000000000000000000000000000000..536981609b9ae5d32be56bec612f2b3446146184 Binary files /dev/null and b/docs/zh/docs/desktop/figures/36.png differ diff --git a/docs/zh/docs/desktop/figures/37.png b/docs/zh/docs/desktop/figures/37.png new file mode 100755 index 0000000000000000000000000000000000000000..e39aa03587642dc1f8622fff515b05a9a3085b28 Binary files /dev/null and b/docs/zh/docs/desktop/figures/37.png differ diff --git a/docs/zh/docs/desktop/figures/38.png b/docs/zh/docs/desktop/figures/38.png new file mode 100644 index 0000000000000000000000000000000000000000..838f5ff0616a83cdf42edb053f4e72b93bfa644e Binary files /dev/null and b/docs/zh/docs/desktop/figures/38.png differ diff --git a/docs/zh/docs/desktop/figures/39.png b/docs/zh/docs/desktop/figures/39.png new file mode 100644 index 0000000000000000000000000000000000000000..12a379403d73a47b2fa564120a28fdb58d188963 Binary files /dev/null and b/docs/zh/docs/desktop/figures/39.png differ diff --git a/docs/zh/docs/desktop/figures/4.png b/docs/zh/docs/desktop/figures/4.png new file mode 100755 index 0000000000000000000000000000000000000000..5078e36aca713706d2cf08a3ebecdc3769951899 Binary files /dev/null and b/docs/zh/docs/desktop/figures/4.png differ 
diff --git a/docs/zh/docs/desktop/figures/40.png b/docs/zh/docs/desktop/figures/40.png new file mode 100755 index 0000000000000000000000000000000000000000..bf419894eab852b45604966c62fafa71f051c4df Binary files /dev/null and b/docs/zh/docs/desktop/figures/40.png differ diff --git a/docs/zh/docs/desktop/figures/41.png b/docs/zh/docs/desktop/figures/41.png new file mode 100755 index 0000000000000000000000000000000000000000..f94b0ee72e0d4e9277e9b44b4268cfbdb8402104 Binary files /dev/null and b/docs/zh/docs/desktop/figures/41.png differ diff --git a/docs/zh/docs/desktop/figures/42.png b/docs/zh/docs/desktop/figures/42.png new file mode 100644 index 0000000000000000000000000000000000000000..3182e551c4e4b03885bad6339f1de514b3f55f8c Binary files /dev/null and b/docs/zh/docs/desktop/figures/42.png differ diff --git a/docs/zh/docs/desktop/figures/43.jpg b/docs/zh/docs/desktop/figures/43.jpg new file mode 100644 index 0000000000000000000000000000000000000000..26e9244f58ea9800081fd61ae135477f05b21b40 Binary files /dev/null and b/docs/zh/docs/desktop/figures/43.jpg differ diff --git a/docs/zh/docs/desktop/figures/44.png b/docs/zh/docs/desktop/figures/44.png new file mode 100644 index 0000000000000000000000000000000000000000..c3abaecd6e053272d81e0ad9bd183c6858b4f3c5 Binary files /dev/null and b/docs/zh/docs/desktop/figures/44.png differ diff --git a/docs/zh/docs/desktop/figures/45.png b/docs/zh/docs/desktop/figures/45.png new file mode 100755 index 0000000000000000000000000000000000000000..86b051acde857c88479714414f721a7f59cca483 Binary files /dev/null and b/docs/zh/docs/desktop/figures/45.png differ diff --git a/docs/zh/docs/desktop/figures/46.png b/docs/zh/docs/desktop/figures/46.png new file mode 100755 index 0000000000000000000000000000000000000000..d8ec41c87628bf28c9905523f99ae93aebd13614 Binary files /dev/null and b/docs/zh/docs/desktop/figures/46.png differ 
diff --git a/docs/zh/docs/desktop/figures/47.jpg b/docs/zh/docs/desktop/figures/47.jpg new file mode 100755 index 0000000000000000000000000000000000000000..bf95f03c8ea0f84a878bc63af20972c9da71bc04 Binary files /dev/null and b/docs/zh/docs/desktop/figures/47.jpg differ diff --git a/docs/zh/docs/desktop/figures/48.png b/docs/zh/docs/desktop/figures/48.png new file mode 100644 index 0000000000000000000000000000000000000000..ef21fa1ce1e2e9848a8dca16e692de673df7c6d7 Binary files /dev/null and b/docs/zh/docs/desktop/figures/48.png differ diff --git a/docs/zh/docs/desktop/figures/49.png b/docs/zh/docs/desktop/figures/49.png new file mode 100644 index 0000000000000000000000000000000000000000..3b77668e5a4d1bdb3043c473dff9b36fa7144714 Binary files /dev/null and b/docs/zh/docs/desktop/figures/49.png differ diff --git a/docs/zh/docs/desktop/figures/5.png b/docs/zh/docs/desktop/figures/5.png new file mode 100755 index 0000000000000000000000000000000000000000..2976a745cfaede26594d6daa01cfc18d18b1de8b Binary files /dev/null and b/docs/zh/docs/desktop/figures/5.png differ diff --git a/docs/zh/docs/desktop/figures/50.png b/docs/zh/docs/desktop/figures/50.png new file mode 100644 index 0000000000000000000000000000000000000000..b86a55fe4363f56fc18befc9d27025a75ca427ad Binary files /dev/null and b/docs/zh/docs/desktop/figures/50.png differ diff --git a/docs/zh/docs/desktop/figures/51.png b/docs/zh/docs/desktop/figures/51.png new file mode 100755 index 0000000000000000000000000000000000000000..d427ac871dba9c32eb4ffe736d5352f8408da533 Binary files /dev/null and b/docs/zh/docs/desktop/figures/51.png differ diff --git a/docs/zh/docs/desktop/figures/52.png b/docs/zh/docs/desktop/figures/52.png new file mode 100644 index 0000000000000000000000000000000000000000..0ca0a2db05c70bc25f9bb59e82d074f671cfc74e Binary files /dev/null and b/docs/zh/docs/desktop/figures/52.png differ 
diff --git a/docs/zh/docs/desktop/figures/53.png b/docs/zh/docs/desktop/figures/53.png new file mode 100644 index 0000000000000000000000000000000000000000..76fbc34a1d5621b83c2d8c93222766acad33350d Binary files /dev/null and b/docs/zh/docs/desktop/figures/53.png differ diff --git a/docs/zh/docs/desktop/figures/54.png b/docs/zh/docs/desktop/figures/54.png new file mode 100644 index 0000000000000000000000000000000000000000..49ecae6f8941a118223f3765c23015df074c4983 Binary files /dev/null and b/docs/zh/docs/desktop/figures/54.png differ diff --git a/docs/zh/docs/desktop/figures/56.png b/docs/zh/docs/desktop/figures/56.png new file mode 100644 index 0000000000000000000000000000000000000000..36fee795bfe593b6246c8d6c2bddea9386b06f45 Binary files /dev/null and b/docs/zh/docs/desktop/figures/56.png differ diff --git a/docs/zh/docs/desktop/figures/57.png b/docs/zh/docs/desktop/figures/57.png new file mode 100644 index 0000000000000000000000000000000000000000..539d06b77b058a933cb154c43641d498050986e0 Binary files /dev/null and b/docs/zh/docs/desktop/figures/57.png differ diff --git a/docs/zh/docs/desktop/figures/58.png b/docs/zh/docs/desktop/figures/58.png new file mode 100755 index 0000000000000000000000000000000000000000..396ca16d873e54505bcdbd41d669366eea7f5dee Binary files /dev/null and b/docs/zh/docs/desktop/figures/58.png differ diff --git a/docs/zh/docs/desktop/figures/59.png b/docs/zh/docs/desktop/figures/59.png new file mode 100644 index 0000000000000000000000000000000000000000..9b1de98ac4fe686937ca844d3e9481548a79ce63 Binary files /dev/null and b/docs/zh/docs/desktop/figures/59.png differ diff --git a/docs/zh/docs/desktop/figures/6.png b/docs/zh/docs/desktop/figures/6.png new file mode 100755 index 0000000000000000000000000000000000000000..275c23872f2353f007371672714902babcc3db53 Binary files /dev/null and b/docs/zh/docs/desktop/figures/6.png differ 
diff --git a/docs/zh/docs/desktop/figures/60.jpg b/docs/zh/docs/desktop/figures/60.jpg new file mode 100755 index 0000000000000000000000000000000000000000..033c88aaadd04f7d4058ec2eb5b2c70498319bf7 Binary files /dev/null and b/docs/zh/docs/desktop/figures/60.jpg differ diff --git a/docs/zh/docs/desktop/figures/61.png b/docs/zh/docs/desktop/figures/61.png new file mode 100644 index 0000000000000000000000000000000000000000..8df17062963a3baf92318a12ec34b1378122687b Binary files /dev/null and b/docs/zh/docs/desktop/figures/61.png differ diff --git a/docs/zh/docs/desktop/figures/62.png b/docs/zh/docs/desktop/figures/62.png new file mode 100644 index 0000000000000000000000000000000000000000..ec312d6c0c22018c1745dd866da71ce9be47fbda Binary files /dev/null and b/docs/zh/docs/desktop/figures/62.png differ diff --git a/docs/zh/docs/desktop/figures/63.jpg b/docs/zh/docs/desktop/figures/63.jpg new file mode 100755 index 0000000000000000000000000000000000000000..504f7cf59768f6fd1cd73a115d01fbc4e15a02e1 Binary files /dev/null and b/docs/zh/docs/desktop/figures/63.jpg differ diff --git a/docs/zh/docs/desktop/figures/63.png b/docs/zh/docs/desktop/figures/63.png new file mode 100755 index 0000000000000000000000000000000000000000..86b051acde857c88479714414f721a7f59cca483 Binary files /dev/null and b/docs/zh/docs/desktop/figures/63.png differ diff --git a/docs/zh/docs/desktop/figures/64.png b/docs/zh/docs/desktop/figures/64.png new file mode 100755 index 0000000000000000000000000000000000000000..cbbd2ede047e735c3766e08b04595f08cd72f5b2 Binary files /dev/null and b/docs/zh/docs/desktop/figures/64.png differ diff --git a/docs/zh/docs/desktop/figures/7.png b/docs/zh/docs/desktop/figures/7.png new file mode 100755 index 0000000000000000000000000000000000000000..4d397959ac7f6d166ef5a3b7084bd5c3c93b475f Binary files /dev/null and b/docs/zh/docs/desktop/figures/7.png differ 
diff --git a/docs/zh/docs/desktop/figures/8.png b/docs/zh/docs/desktop/figures/8.png new file mode 100755 index 0000000000000000000000000000000000000000..8ade274092d7b3e461c96d7909a9d89d3a944f09 Binary files /dev/null and b/docs/zh/docs/desktop/figures/8.png differ diff --git a/docs/zh/docs/desktop/figures/9.png b/docs/zh/docs/desktop/figures/9.png new file mode 100755 index 0000000000000000000000000000000000000000..f7b2215404929346f1a814b0b1d6d482559c08b5 Binary files /dev/null and b/docs/zh/docs/desktop/figures/9.png differ diff --git a/docs/zh/docs/desktop/figures/HA-add-resource.png b/docs/zh/docs/desktop/figures/HA-add-resource.png new file mode 100644 index 0000000000000000000000000000000000000000..ac24895a1247828d248132f6c789ad8ef51a57e4 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-add-resource.png differ diff --git a/docs/zh/docs/desktop/figures/HA-apache-show.png b/docs/zh/docs/desktop/figures/HA-apache-show.png new file mode 100644 index 0000000000000000000000000000000000000000..c216500910f75f2de1108f6b618c5c08f4df8bae Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-apache-show.png differ diff --git a/docs/zh/docs/desktop/figures/HA-apache-suc.png b/docs/zh/docs/desktop/figures/HA-apache-suc.png new file mode 100644 index 0000000000000000000000000000000000000000..23a7aaa702e3e68190ff7e01a5a673aee2c92409 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-apache-suc.png differ diff --git a/docs/zh/docs/desktop/figures/HA-api.png b/docs/zh/docs/desktop/figures/HA-api.png new file mode 100644 index 0000000000000000000000000000000000000000..f825fe005705d30809d12df97958cff0e5a80135 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-api.png differ 
diff --git a/docs/zh/docs/desktop/figures/HA-clone-suc.png b/docs/zh/docs/desktop/figures/HA-clone-suc.png new file mode 100644 index 0000000000000000000000000000000000000000..4b6099ccc88d4f6f907a0c4563e729ab2a4dece1 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-clone-suc.png differ diff --git a/docs/zh/docs/desktop/figures/HA-clone.png b/docs/zh/docs/desktop/figures/HA-clone.png new file mode 100644 index 0000000000000000000000000000000000000000..1b09ab73849494f4ffd759fa612ae3c241bd9c1d Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-clone.png differ diff --git a/docs/zh/docs/desktop/figures/HA-corosync.png b/docs/zh/docs/desktop/figures/HA-corosync.png new file mode 100644 index 0000000000000000000000000000000000000000..c4d93242e65c503b6e1b6a457e2517f647984a66 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-corosync.png differ diff --git a/docs/zh/docs/desktop/figures/HA-firstchoice-cmd.png b/docs/zh/docs/desktop/figures/HA-firstchoice-cmd.png new file mode 100644 index 0000000000000000000000000000000000000000..a265bab07f1d8e46d9d965975be180a8de6c9eb2 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-firstchoice-cmd.png differ diff --git a/docs/zh/docs/desktop/figures/HA-firstchoice.png b/docs/zh/docs/desktop/figures/HA-firstchoice.png new file mode 100644 index 0000000000000000000000000000000000000000..bd982ddcea55c629c0257fca86051a9ffa77e7b4 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-firstchoice.png differ diff --git a/docs/zh/docs/desktop/figures/HA-group-new-suc.png b/docs/zh/docs/desktop/figures/HA-group-new-suc.png new file mode 100644 index 0000000000000000000000000000000000000000..437fd01ee83a9a1f65c12838fe56eea8435f6759 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-group-new-suc.png differ 
diff --git a/docs/zh/docs/desktop/figures/HA-group-new-suc2.png b/docs/zh/docs/desktop/figures/HA-group-new-suc2.png new file mode 100644 index 0000000000000000000000000000000000000000..4fb933bd761f9808de95a324a50226ff041ebd4f Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-group-new-suc2.png differ diff --git a/docs/zh/docs/desktop/figures/HA-group-new.png b/docs/zh/docs/desktop/figures/HA-group-new.png new file mode 100644 index 0000000000000000000000000000000000000000..9c914d0cc2e14f3220fc4346175961f129efb37b Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-group-new.png differ diff --git a/docs/zh/docs/desktop/figures/HA-group-suc.png b/docs/zh/docs/desktop/figures/HA-group-suc.png new file mode 100644 index 0000000000000000000000000000000000000000..2338580343833ebab08627be3a2efbcdb48aef9e Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-group-suc.png differ diff --git a/docs/zh/docs/desktop/figures/HA-group.png b/docs/zh/docs/desktop/figures/HA-group.png new file mode 100644 index 0000000000000000000000000000000000000000..6897817665dee90c0f8c47c6a3cb4bb09db52d78 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-group.png differ diff --git a/docs/zh/docs/desktop/figures/HA-home-page.png b/docs/zh/docs/desktop/figures/HA-home-page.png new file mode 100644 index 0000000000000000000000000000000000000000..c9a7a82dc412250d4c0984b3876c6f93c6aca789 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-home-page.png differ diff --git a/docs/zh/docs/desktop/figures/HA-login.png b/docs/zh/docs/desktop/figures/HA-login.png new file mode 100644 index 0000000000000000000000000000000000000000..65d0ae11ec810da7574ec72bebf6e1b020c94a0d Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-login.png differ 
diff --git a/docs/zh/docs/desktop/figures/HA-mariadb-suc.png b/docs/zh/docs/desktop/figures/HA-mariadb-suc.png new file mode 100644 index 0000000000000000000000000000000000000000..6f6756c945121715edc623bd9a848bc48ffeb4ca Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-mariadb-suc.png differ diff --git a/docs/zh/docs/desktop/figures/HA-mariadb.png b/docs/zh/docs/desktop/figures/HA-mariadb.png new file mode 100644 index 0000000000000000000000000000000000000000..d29587c8609b9d6aefeb07170901361b5ef8402d Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-mariadb.png differ diff --git a/docs/zh/docs/desktop/figures/HA-nfs-suc.png b/docs/zh/docs/desktop/figures/HA-nfs-suc.png new file mode 100644 index 0000000000000000000000000000000000000000..c0ea6af79e91649f1ad7d97ab6c2a0069a4f4fb8 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-nfs-suc.png differ diff --git a/docs/zh/docs/desktop/figures/HA-nfs.png b/docs/zh/docs/desktop/figures/HA-nfs.png new file mode 100644 index 0000000000000000000000000000000000000000..f6917938eec2e0431a9891c067475dd0b21c1bd9 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-nfs.png differ diff --git a/docs/zh/docs/desktop/figures/HA-pacemaker.png b/docs/zh/docs/desktop/figures/HA-pacemaker.png new file mode 100644 index 0000000000000000000000000000000000000000..7681f963f67d2b803fef6fb2c3247384136201f8 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-pacemaker.png differ diff --git a/docs/zh/docs/desktop/figures/HA-pcs-status.png b/docs/zh/docs/desktop/figures/HA-pcs-status.png new file mode 100644 index 0000000000000000000000000000000000000000..fb150fba9f6258658702b35caacf98076d1fd109 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-pcs-status.png differ 
diff --git a/docs/zh/docs/desktop/figures/HA-pcs.png b/docs/zh/docs/desktop/figures/HA-pcs.png new file mode 100644 index 0000000000000000000000000000000000000000..283670d7c3d0961ee1cb41345c2b2a013d7143b0 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-pcs.png differ diff --git a/docs/zh/docs/desktop/figures/HA-refresh.png b/docs/zh/docs/desktop/figures/HA-refresh.png new file mode 100644 index 0000000000000000000000000000000000000000..c2678c0c2945acbabfbeae0d5de8924a216bbf31 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-refresh.png differ diff --git a/docs/zh/docs/desktop/figures/HA-vip-suc.png b/docs/zh/docs/desktop/figures/HA-vip-suc.png new file mode 100644 index 0000000000000000000000000000000000000000..313ce56e14f931c78dad4349ed57ab3fd7907f50 Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-vip-suc.png differ diff --git a/docs/zh/docs/desktop/figures/HA-vip.png b/docs/zh/docs/desktop/figures/HA-vip.png new file mode 100644 index 0000000000000000000000000000000000000000..d8b417df2e64527d3b29d0289756dfbb01bf66ec Binary files /dev/null and b/docs/zh/docs/desktop/figures/HA-vip.png differ diff --git a/docs/zh/docs/desktop/figures/icon1.png b/docs/zh/docs/desktop/figures/icon1.png new file mode 100755 index 0000000000000000000000000000000000000000..9bac00355cf4aa57d32287fd4271404f6fd3fd4d Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon1.png differ diff --git a/docs/zh/docs/desktop/figures/icon10-o.png b/docs/zh/docs/desktop/figures/icon10-o.png new file mode 100755 index 0000000000000000000000000000000000000000..d6c56d1a64c588d86f8fe510c74e5a7c4cb810d4 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon10-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon101-o.svg b/docs/zh/docs/desktop/figures/icon101-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..af1c5d3dc0277a6ea59e71efb6ca97bdfc782e8e --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon101-o.svg 
@@ -0,0 +1,3 @@ + + + diff --git a/docs/zh/docs/desktop/figures/icon103-o.svg b/docs/zh/docs/desktop/figures/icon103-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..c06c885725c569ab8db1fe7d595a7c65f18c5142 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon103-o.svg @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon105-o.svg b/docs/zh/docs/desktop/figures/icon105-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..36c49949fa569330b761c2d65518f36c10435508 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon105-o.svg @@ -0,0 +1,111 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon107-o.svg b/docs/zh/docs/desktop/figures/icon107-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..fb5a3ea756f6ccb7b3e5c31122a433347a908c96 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon107-o.svg @@ -0,0 +1,50 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon11-o.png b/docs/zh/docs/desktop/figures/icon11-o.png new file mode 100755 index 0000000000000000000000000000000000000000..47a1f2cb7f99b583768c7cbd7e05a57f302dbe8a Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon11-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon110-o.svg b/docs/zh/docs/desktop/figures/icon110-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..7958e3f192061592e002e1e8a1bad06ffa86742c --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon110-o.svg @@ -0,0 +1,12 @@ + + + + reboot_normal + Created with Sketch. + + + + + + + \ No newline at end of file 
diff --git a/docs/zh/docs/desktop/figures/icon111-o.svg b/docs/zh/docs/desktop/figures/icon111-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..097d16a08d305a8b3f3b2268ab1ea8342e799377 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon111-o.svg @@ -0,0 +1,13 @@ + + + + Right + Created with Sketch. + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon112-o.svg b/docs/zh/docs/desktop/figures/icon112-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e51628c2b8b10495f3410d219814286696ea2fd5 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon112-o.svg @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon116-o.svg b/docs/zh/docs/desktop/figures/icon116-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..4d79cd6dbbbfd3969f4e0ad0ad88e27398853505 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon116-o.svg @@ -0,0 +1,72 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon12-o.png b/docs/zh/docs/desktop/figures/icon12-o.png new file mode 100755 index 0000000000000000000000000000000000000000..f1f0f59dd3879461a0b5bc0632693a4a4124def3 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon12-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon120-o.svg b/docs/zh/docs/desktop/figures/icon120-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e895c347d16a200aea46b00428b0b9f1a3c94246 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon120-o.svg @@ -0,0 +1,49 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/docs/zh/docs/desktop/figures/icon122-o.svg b/docs/zh/docs/desktop/figures/icon122-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..7fb014b5fd6097ca37a84d0b6a27dc982d675c8a --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon122-o.svg @@ -0,0 +1,3 @@ + + + diff --git a/docs/zh/docs/desktop/figures/icon124-o.svg b/docs/zh/docs/desktop/figures/icon124-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..960c0ec096c925213f8953398f0e8e5db3cdaed3 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon124-o.svg @@ -0,0 +1,55 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon125-o.svg b/docs/zh/docs/desktop/figures/icon125-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..011c05f4b8f296867cd408a339230323fcbb28dd --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon125-o.svg @@ -0,0 +1,9 @@ + + + tips + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon126-o.svg b/docs/zh/docs/desktop/figures/icon126-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e0a43b6b8beb434090ac0dd3a8fd68c023f11fce --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon126-o.svg @@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon127-o.svg b/docs/zh/docs/desktop/figures/icon127-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..bed95d35334a8d0151211054236c0bacddcc0dd3 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon127-o.svg @@ -0,0 +1,13 @@ + + + + Up + Created with Sketch. + + + + + + + + \ No newline at end of file 
diff --git a/docs/zh/docs/desktop/figures/icon128-o.svg b/docs/zh/docs/desktop/figures/icon128-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..aa727f3f5d5883b3fb83a79c4b98e8b5bfe4ade6 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon128-o.svg @@ -0,0 +1,12 @@ + + + + userswitch_normal + Created with Sketch. + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon13-o.png b/docs/zh/docs/desktop/figures/icon13-o.png new file mode 100755 index 0000000000000000000000000000000000000000..c05a981b29d8ad11c6682f796f79b4cafd0f088b Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon13-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon132-o.svg b/docs/zh/docs/desktop/figures/icon132-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..588ba9d98864ba67a562fa9179f29405f7687aa0 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon132-o.svg @@ -0,0 +1,15 @@ + + + + - + Created with Sketch. + + + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon133-o.svg b/docs/zh/docs/desktop/figures/icon133-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..886d90a83e33497d134bdb3dcc864a5c2df53f20 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon133-o.svg @@ -0,0 +1,13 @@ + + + + + + Created with Sketch. + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon134-o.svg b/docs/zh/docs/desktop/figures/icon134-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..784cf383eb0e8f5c7a57a602047be50ad0a3bc05 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon134-o.svg @@ -0,0 +1,15 @@ + + + + = + Created with Sketch. + + + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon135-o.svg b/docs/zh/docs/desktop/figures/icon135-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..cea628a8f5eb92d10661b690242b6de41ca64816 
--- /dev/null +++ b/docs/zh/docs/desktop/figures/icon135-o.svg @@ -0,0 +1,15 @@ + + + + ~ + Created with Sketch. + + + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon136-o.svg b/docs/zh/docs/desktop/figures/icon136-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..24aa139ab2fefaee20935551f1af5aef473719ed --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon136-o.svg @@ -0,0 +1,12 @@ + + + + poweroff_normal + Created with Sketch. + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon14-o.png b/docs/zh/docs/desktop/figures/icon14-o.png new file mode 100755 index 0000000000000000000000000000000000000000..b21deee4d98593d93fb5f72158d2d78f3d3f1cb9 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon14-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon15-o.png b/docs/zh/docs/desktop/figures/icon15-o.png new file mode 100755 index 0000000000000000000000000000000000000000..1827a20e9da4d28e35e8ab2eae739b2fec37b385 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon15-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon16.png b/docs/zh/docs/desktop/figures/icon16.png new file mode 100755 index 0000000000000000000000000000000000000000..f271594dda9d3ad0f038c9d719dd68c3e82c59f1 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon16.png differ diff --git a/docs/zh/docs/desktop/figures/icon17.png b/docs/zh/docs/desktop/figures/icon17.png new file mode 100755 index 0000000000000000000000000000000000000000..dbe58b89347c857920bce25f067fbd11c308e502 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon17.png differ diff --git a/docs/zh/docs/desktop/figures/icon18.png b/docs/zh/docs/desktop/figures/icon18.png new file mode 100755 index 0000000000000000000000000000000000000000..1827a20e9da4d28e35e8ab2eae739b2fec37b385 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon18.png differ 
diff --git a/docs/zh/docs/desktop/figures/icon19-o.png b/docs/zh/docs/desktop/figures/icon19-o.png new file mode 100755 index 0000000000000000000000000000000000000000..47a1f2cb7f99b583768c7cbd7e05a57f302dbe8a Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon19-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon2.png b/docs/zh/docs/desktop/figures/icon2.png new file mode 100755 index 0000000000000000000000000000000000000000..9101e4b386df065a87d422bc5a0b287528ea5ec7 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon2.png differ diff --git a/docs/zh/docs/desktop/figures/icon20.png b/docs/zh/docs/desktop/figures/icon20.png new file mode 100755 index 0000000000000000000000000000000000000000..4de3c7c695893539967245ea5e269b26e2b735be Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon20.png differ diff --git a/docs/zh/docs/desktop/figures/icon21.png b/docs/zh/docs/desktop/figures/icon21.png new file mode 100755 index 0000000000000000000000000000000000000000..e7b4320b6ce1fd4adb52525ba2c60983ffb2eed3 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon21.png differ diff --git a/docs/zh/docs/desktop/figures/icon22.png b/docs/zh/docs/desktop/figures/icon22.png new file mode 100755 index 0000000000000000000000000000000000000000..43bfa96965ad13e0a34ead3cb1102a76b9346a23 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon22.png differ diff --git a/docs/zh/docs/desktop/figures/icon23.png b/docs/zh/docs/desktop/figures/icon23.png new file mode 100755 index 0000000000000000000000000000000000000000..aee221ddaa81d06fa7bd5b89a624da90cd1e53da Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon23.png differ diff --git a/docs/zh/docs/desktop/figures/icon24.png b/docs/zh/docs/desktop/figures/icon24.png new file mode 100755 index 0000000000000000000000000000000000000000..a9e5d700431ca1666fe9eda2cefce5dd2f83bdcd Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon24.png differ 
diff --git a/docs/zh/docs/desktop/figures/icon25.png b/docs/zh/docs/desktop/figures/icon25.png new file mode 100755 index 0000000000000000000000000000000000000000..3de0f9476bbee9e89c3b759afbed968f17b5bbcc Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon25.png differ diff --git a/docs/zh/docs/desktop/figures/icon26-o.png b/docs/zh/docs/desktop/figures/icon26-o.png new file mode 100755 index 0000000000000000000000000000000000000000..2293a893caf6d89c3beb978598fe7f281e68e7d5 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon26-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon27-o.png b/docs/zh/docs/desktop/figures/icon27-o.png new file mode 100755 index 0000000000000000000000000000000000000000..abbab8e40f7e3ca7c2a6f28ff78f08f15117828e Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon27-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon28-o.png b/docs/zh/docs/desktop/figures/icon28-o.png new file mode 100755 index 0000000000000000000000000000000000000000..e40d45fc0a9d2af93280ea14e01512838bb3c3dc Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon28-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon29-o.png b/docs/zh/docs/desktop/figures/icon29-o.png new file mode 100755 index 0000000000000000000000000000000000000000..e40d45fc0a9d2af93280ea14e01512838bb3c3dc Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon29-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon3.png b/docs/zh/docs/desktop/figures/icon3.png new file mode 100755 index 0000000000000000000000000000000000000000..930ee8909e89e3624c581f83d713af271cd96c75 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon3.png differ diff --git a/docs/zh/docs/desktop/figures/icon30-o.png b/docs/zh/docs/desktop/figures/icon30-o.png new file mode 100755 index 0000000000000000000000000000000000000000..e40d45fc0a9d2af93280ea14e01512838bb3c3dc Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon30-o.png differ 
diff --git a/docs/zh/docs/desktop/figures/icon31-o.png b/docs/zh/docs/desktop/figures/icon31-o.png new file mode 100755 index 0000000000000000000000000000000000000000..25959977f986f433ddf3d66935f8d2c2bc6ed86b Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon31-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon32.png b/docs/zh/docs/desktop/figures/icon32.png new file mode 100755 index 0000000000000000000000000000000000000000..25959977f986f433ddf3d66935f8d2c2bc6ed86b Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon32.png differ diff --git a/docs/zh/docs/desktop/figures/icon33.png b/docs/zh/docs/desktop/figures/icon33.png new file mode 100755 index 0000000000000000000000000000000000000000..88ed145b25f6f025ad795ceb012500e0944cb54c Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon33.png differ diff --git a/docs/zh/docs/desktop/figures/icon34.png b/docs/zh/docs/desktop/figures/icon34.png new file mode 100755 index 0000000000000000000000000000000000000000..8247f52a3424c81b451ceb318f4a7979a5eddece Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon34.png differ diff --git a/docs/zh/docs/desktop/figures/icon35.png b/docs/zh/docs/desktop/figures/icon35.png new file mode 100755 index 0000000000000000000000000000000000000000..7c656e9030b94809a57c7e369921e6a585f3574c Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon35.png differ diff --git a/docs/zh/docs/desktop/figures/icon36.png b/docs/zh/docs/desktop/figures/icon36.png new file mode 100755 index 0000000000000000000000000000000000000000..7d29d173e914dfff48245d3d3a4d42575ce2d1db Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon36.png differ diff --git a/docs/zh/docs/desktop/figures/icon37.png b/docs/zh/docs/desktop/figures/icon37.png new file mode 100755 index 0000000000000000000000000000000000000000..58be4c621b6638115153e361801deb9ee06634d8 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon37.png differ 
diff --git a/docs/zh/docs/desktop/figures/icon38.png b/docs/zh/docs/desktop/figures/icon38.png new file mode 100755 index 0000000000000000000000000000000000000000..0c861ccb891f4fb5e533eb7f7151a8fce1571f17 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon38.png differ diff --git a/docs/zh/docs/desktop/figures/icon39.png b/docs/zh/docs/desktop/figures/icon39.png new file mode 100755 index 0000000000000000000000000000000000000000..b1ba1f347452d0cd1c06c6c51d2cdf5aea5e490b Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon39.png differ diff --git a/docs/zh/docs/desktop/figures/icon4.png b/docs/zh/docs/desktop/figures/icon4.png new file mode 100755 index 0000000000000000000000000000000000000000..548dc8b648edb73ff1dd8a0266e8479203e72ca0 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon4.png differ diff --git a/docs/zh/docs/desktop/figures/icon40.png b/docs/zh/docs/desktop/figures/icon40.png new file mode 100755 index 0000000000000000000000000000000000000000..9c29dd1e9a1bf22c36abf51cb18fa9e47b455fab Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon40.png differ diff --git a/docs/zh/docs/desktop/figures/icon41.png b/docs/zh/docs/desktop/figures/icon41.png new file mode 100755 index 0000000000000000000000000000000000000000..9e8aea527a2119433fffec5a8800ebfa4fa5062f Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon41.png differ diff --git a/docs/zh/docs/desktop/figures/icon42-o.png b/docs/zh/docs/desktop/figures/icon42-o.png new file mode 100755 index 0000000000000000000000000000000000000000..25959977f986f433ddf3d66935f8d2c2bc6ed86b Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon42-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon42.png b/docs/zh/docs/desktop/figures/icon42.png new file mode 100755 index 0000000000000000000000000000000000000000..25959977f986f433ddf3d66935f8d2c2bc6ed86b Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon42.png differ 
diff --git a/docs/zh/docs/desktop/figures/icon43-o.png b/docs/zh/docs/desktop/figures/icon43-o.png new file mode 100755 index 0000000000000000000000000000000000000000..284bdd551baf25beb4143013402e77a1a4c60ccb Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon43-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon44-o.png b/docs/zh/docs/desktop/figures/icon44-o.png new file mode 100755 index 0000000000000000000000000000000000000000..810f4d784ee140dbf562e67a0d3fd391272626a5 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon44-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon45-o.png b/docs/zh/docs/desktop/figures/icon45-o.png new file mode 100755 index 0000000000000000000000000000000000000000..3e528ce2c98284f020ae4912a853f5864526396b Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon45-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon46-o.png b/docs/zh/docs/desktop/figures/icon46-o.png new file mode 100755 index 0000000000000000000000000000000000000000..ec6a3ca0fe57016f3685981ed518493ceea1c855 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon46-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon47-o.png b/docs/zh/docs/desktop/figures/icon47-o.png new file mode 100755 index 0000000000000000000000000000000000000000..6eeaba98d908775bd363a8ffcec27c3b6a214013 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon47-o.png differ diff --git a/docs/zh/docs/desktop/figures/icon49-o.svg b/docs/zh/docs/desktop/figures/icon49-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..72ffb173fdb95e1aff5b0001b08ed6b71122b7f2 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon49-o.svg 
@@ -0,0 +1,178 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon5.png b/docs/zh/docs/desktop/figures/icon5.png new file mode 100755 index 0000000000000000000000000000000000000000..e4206b7b584bf0702c7cb2f03a3a41e20bfba844 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon5.png differ diff --git a/docs/zh/docs/desktop/figures/icon50-o.svg b/docs/zh/docs/desktop/figures/icon50-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..05026802be4718205065d6369e14cc0b6ef05bc7 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon50-o.svg @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon52-o.svg b/docs/zh/docs/desktop/figures/icon52-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..23149c05873259cd39721b8ee9c3ab7db86d64c5 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon52-o.svg @@ -0,0 +1,9 @@ + + + attention + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon53-o.svg b/docs/zh/docs/desktop/figures/icon53-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..50e33489ce984b0acfd621da4a8ef837fdf048c1 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon53-o.svg @@ -0,0 +1,11 @@ + + + + previous + Created with Sketch. + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon54-o.svg b/docs/zh/docs/desktop/figures/icon54-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..3b599aef4b822c707d2f646405bb00837aed96fd --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon54-o.svg 
@@ -0,0 +1,18 @@ + + + + Backspace + Created with Sketch. + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon56-o.svg b/docs/zh/docs/desktop/figures/icon56-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..9f13b6861e3858deec8d57a5301c934acc247069 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon56-o.svg @@ -0,0 +1,19 @@ + + + + Slice 1 + Created with Sketch. + + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon57-o.svg b/docs/zh/docs/desktop/figures/icon57-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e6fbfa1381b76ab3fcd45652b33267a7f6c69bb7 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon57-o.svg @@ -0,0 +1,11 @@ + + + + titlebutton/close_normal + Created with Sketch. + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon58-o.svg b/docs/zh/docs/desktop/figures/icon58-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..9746dcacfc8e5d4c4b63233801e37418a190fc8f --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon58-o.svg @@ -0,0 +1,46 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon6.png b/docs/zh/docs/desktop/figures/icon6.png new file mode 100755 index 0000000000000000000000000000000000000000..88ced3587e9a42b145fe11393726f40aba9d1b2c Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon6.png differ diff --git a/docs/zh/docs/desktop/figures/icon62-o.svg b/docs/zh/docs/desktop/figures/icon62-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..09f61b446669df2e05a3351d40d8c30879c7b035 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon62-o.svg @@ -0,0 +1,47 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/docs/zh/docs/desktop/figures/icon63-o.svg b/docs/zh/docs/desktop/figures/icon63-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..06c03ed99260ffadc681475dad35610aedf67f83 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon63-o.svg @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon66-o.svg b/docs/zh/docs/desktop/figures/icon66-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..5793b3846b7fe6a5758379591215b16c7f9e1b52 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon66-o.svg @@ -0,0 +1,43 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon68-o.svg b/docs/zh/docs/desktop/figures/icon68-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..a7748052dfa436116d8742dca28f7d90865231ed --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon68-o.svg @@ -0,0 +1,23 @@ + + + + deepin-system-monitor + Created with Sketch. + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon69-o.svg b/docs/zh/docs/desktop/figures/icon69-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e21dfd00a32a44ee1c8e3882b4ca8239be04690f --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon69-o.svg @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon7.png b/docs/zh/docs/desktop/figures/icon7.png new file mode 100755 index 0000000000000000000000000000000000000000..05fe8aa38c84ca0c0c99b0b005ddec2f2ba42f4a Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon7.png differ diff --git a/docs/zh/docs/desktop/figures/icon70-o.svg b/docs/zh/docs/desktop/figures/icon70-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..b5787a7ffa5ed9519a48c6937c60927fd11fd455 --- /dev/null 
+++ b/docs/zh/docs/desktop/figures/icon70-o.svg @@ -0,0 +1,73 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon71-o.svg b/docs/zh/docs/desktop/figures/icon71-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..669a21f143b06cb45ea3f45f7f071809f2cbc8a8 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon71-o.svg @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon72-o.svg b/docs/zh/docs/desktop/figures/icon72-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..79067ed9b9ff7912e1742183b461fa056601b9cc --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon72-o.svg @@ -0,0 +1,34 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon73-o.svg b/docs/zh/docs/desktop/figures/icon73-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..cf6292387f5e790db6ebd66184aabcbb39257ee7 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon73-o.svg @@ -0,0 +1,13 @@ + + + + Down + Created with Sketch. + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon75-o.svg b/docs/zh/docs/desktop/figures/icon75-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..ef6823ccc19858f57374f0b78ad31514e8311be3 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon75-o.svg @@ -0,0 +1,3 @@ + + + diff --git a/docs/zh/docs/desktop/figures/icon8.png b/docs/zh/docs/desktop/figures/icon8.png new file mode 100755 index 0000000000000000000000000000000000000000..01543c3e0f5e96a023b4e1f0859a03e3a0dafd56 Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon8.png differ 
diff --git a/docs/zh/docs/desktop/figures/icon83-o.svg b/docs/zh/docs/desktop/figures/icon83-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..35dd6eacc54a933dc9ebc3f3010edfa7363fecc0 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon83-o.svg @@ -0,0 +1,84 @@ + + + + + + image/svg+xml + + img_upload + + + + + + img_upload + Created with Sketch. + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon84-o.svg b/docs/zh/docs/desktop/figures/icon84-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..9bd11b9e7b45b506dd7e1c87d09d545d8f48af06 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon84-o.svg @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon86-o.svg b/docs/zh/docs/desktop/figures/icon86-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..5da20233309c43d4fc7b315f441cde476c835c67 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon86-o.svg @@ -0,0 +1,66 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon88-o.svg b/docs/zh/docs/desktop/figures/icon88-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..c2570c26575fd14cb5e9d9fe77831d2e8f6c9333 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon88-o.svg @@ -0,0 +1,13 @@ + + + + Left + Created with Sketch. + + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon9.png b/docs/zh/docs/desktop/figures/icon9.png new file mode 100755 index 0000000000000000000000000000000000000000..a07c9ab8e51decd9a3bca8c969d2ae95bd68512c Binary files /dev/null and b/docs/zh/docs/desktop/figures/icon9.png differ diff --git a/docs/zh/docs/desktop/figures/icon90-o.svg b/docs/zh/docs/desktop/figures/icon90-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..79b5e0a141f7969a8f77ae61f4c240de7187afe9 
--- /dev/null +++ b/docs/zh/docs/desktop/figures/icon90-o.svg @@ -0,0 +1,12 @@ + + + + lock_normal + Created with Sketch. + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon92-o.svg b/docs/zh/docs/desktop/figures/icon92-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..21341b64a832e1935252aa82e7a4e0b083c16eae --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon92-o.svg @@ -0,0 +1,12 @@ + + + + logout_normal + Created with Sketch. + + + + + + + \ No newline at end of file diff --git a/docs/zh/docs/desktop/figures/icon94-o.svg b/docs/zh/docs/desktop/figures/icon94-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..a47044149a02101dbd24a3fdb2f3ead77efca6c1 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon94-o.svg @@ -0,0 +1,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon97-o.svg b/docs/zh/docs/desktop/figures/icon97-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..4f4670de29d8c86885b5aa806b2c8cdc6fc16dcb --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon97-o.svg @@ -0,0 +1,84 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/zh/docs/desktop/figures/icon99-o.svg b/docs/zh/docs/desktop/figures/icon99-o.svg new file mode 100755 index 0000000000000000000000000000000000000000..e9a3aa60a51404c9390bfbea8d8ff09edc0e2e32 --- /dev/null +++ b/docs/zh/docs/desktop/figures/icon99-o.svg @@ -0,0 +1,11 @@ + + + notes + + + + + + + + \ No newline at end of file 
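Review bot: The icon*.png and icon*.svg figures in this part of the patch are all added with `new file mode 100755`, while the xfce-*.png figures that follow use `100644`. Static images do not need the executable bit, so please re-add them as 100644. Several of the binary icons also carry the same blob id under different names (for example icon28-o.png, icon29-o.png and icon30-o.png are all `e40d45fc…`, and icon31-o.png, icon32.png, icon42-o.png and icon42.png are all `25959977…`); if they really are one image, reference a single file from the docs instead of committing copies.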
diff --git a/docs/zh/docs/desktop/figures/xfce-1.png b/docs/zh/docs/desktop/figures/xfce-1.png new file mode 100644 index 0000000000000000000000000000000000000000..9fe068d7b158bcaa0dbbf9e5b542b74fccc921f7 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-1.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-2.png b/docs/zh/docs/desktop/figures/xfce-2.png new file mode 100644 index 0000000000000000000000000000000000000000..9228ba39c19b583210832f5062d9f3d3826584d1 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-2.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-3.png b/docs/zh/docs/desktop/figures/xfce-3.png new file mode 100644 index 0000000000000000000000000000000000000000..a14a320fbb7f38ce4eaacaa5113ece87ddc87085 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-3.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-4.png b/docs/zh/docs/desktop/figures/xfce-4.png new file mode 100644 index 0000000000000000000000000000000000000000..14196902de432dc86002a89a4481bf183540efb5 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-4.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-5.png b/docs/zh/docs/desktop/figures/xfce-5.png new file mode 100644 index 0000000000000000000000000000000000000000..2019975fa4ffa0c13e77dae8439fe4afcf915cf7 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-5.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-6.png b/docs/zh/docs/desktop/figures/xfce-6.png new file mode 100644 index 0000000000000000000000000000000000000000..ea0ec07b4dca2b22dacb5ba4c06350e821cf6723 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-6.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-7.png b/docs/zh/docs/desktop/figures/xfce-7.png new file mode 100644 index 0000000000000000000000000000000000000000..d43d55fc1887cdf3b5e9644a0cf6a33730de4506 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-7.png differ 
diff --git a/docs/zh/docs/desktop/figures/xfce-71.png b/docs/zh/docs/desktop/figures/xfce-71.png new file mode 100644 index 0000000000000000000000000000000000000000..79e35dd1096bd6fcba416a07a8a6689ac4ff5df4 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-71.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-8.png b/docs/zh/docs/desktop/figures/xfce-8.png new file mode 100644 index 0000000000000000000000000000000000000000..1550743ad0cad39cd27897d69024927cabab5d19 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-8.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-81.png b/docs/zh/docs/desktop/figures/xfce-81.png new file mode 100644 index 0000000000000000000000000000000000000000..3534bc5c4d7a173d230219412353772b717ccceb Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-81.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-811.png b/docs/zh/docs/desktop/figures/xfce-811.png new file mode 100644 index 0000000000000000000000000000000000000000..5f3f5d7e43296006f15c5e403989d3bfeae29cca Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-811.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-812.png b/docs/zh/docs/desktop/figures/xfce-812.png new file mode 100644 index 0000000000000000000000000000000000000000..d46ac75fd91ef4dda88b60ce514b41dc41ab7ed3 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-812.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-813.png b/docs/zh/docs/desktop/figures/xfce-813.png new file mode 100644 index 0000000000000000000000000000000000000000..20fb89f9d3b64f1e91e1ed90f5f96d8e21cc6d5d Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-813.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-814.png b/docs/zh/docs/desktop/figures/xfce-814.png new file mode 100644 index 0000000000000000000000000000000000000000..5dd242f737115b352898c7cf6564e15503ba1506 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-814.png differ 
diff --git a/docs/zh/docs/desktop/figures/xfce-82.png b/docs/zh/docs/desktop/figures/xfce-82.png new file mode 100644 index 0000000000000000000000000000000000000000..f2e5a4c1b0223f051d7de988e740493f9ace8872 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-82.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-821.png b/docs/zh/docs/desktop/figures/xfce-821.png new file mode 100644 index 0000000000000000000000000000000000000000..c5c1f3567dccda3d0d49ae445612d5b9ba27e09a Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-821.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-83.png b/docs/zh/docs/desktop/figures/xfce-83.png new file mode 100644 index 0000000000000000000000000000000000000000..32ce47754669aa66080f523f052ee6f87cb651a5 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-83.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-831.png b/docs/zh/docs/desktop/figures/xfce-831.png new file mode 100644 index 0000000000000000000000000000000000000000..2c8b68eba3d60416b52b26612b149221142c0d9a Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-831.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-832.png b/docs/zh/docs/desktop/figures/xfce-832.png new file mode 100644 index 0000000000000000000000000000000000000000..2932aaacf71fa53f1d0c10340df3aebcc016e991 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-832.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-84.png b/docs/zh/docs/desktop/figures/xfce-84.png new file mode 100644 index 0000000000000000000000000000000000000000..e0435c2edf9f68d193cff036215f32c259d378f0 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-84.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-841.png b/docs/zh/docs/desktop/figures/xfce-841.png new file mode 100644 index 0000000000000000000000000000000000000000..c2c06346d4a296bfbe7836139cd943baa1ce6ea5 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-841.png differ 
diff --git a/docs/zh/docs/desktop/figures/xfce-842.png b/docs/zh/docs/desktop/figures/xfce-842.png new file mode 100644 index 0000000000000000000000000000000000000000..101bf6923e3780617d33dde04b92232ca7f87b42 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-842.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-85.png b/docs/zh/docs/desktop/figures/xfce-85.png new file mode 100644 index 0000000000000000000000000000000000000000..21b39638fe4c83e0da5cdc69ecad9b7a22718a55 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-85.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-851.png b/docs/zh/docs/desktop/figures/xfce-851.png new file mode 100644 index 0000000000000000000000000000000000000000..481d6925b4a3c0da5a008b2b595313997fb7a3cc Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-851.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-86.png b/docs/zh/docs/desktop/figures/xfce-86.png new file mode 100644 index 0000000000000000000000000000000000000000..35e8a99e31e4a49eb64b24cfbab825111e40f709 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-86.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-861.png b/docs/zh/docs/desktop/figures/xfce-861.png new file mode 100644 index 0000000000000000000000000000000000000000..b57b1727b178be264122abd792df558efb1a633d Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-861.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-87.png b/docs/zh/docs/desktop/figures/xfce-87.png new file mode 100644 index 0000000000000000000000000000000000000000..49c8464ad8592e892bcc45cabed5cd95d2f14802 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-87.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-9.png b/docs/zh/docs/desktop/figures/xfce-9.png new file mode 100644 index 0000000000000000000000000000000000000000..f6402b34a929e520c27318fe16eb509d31c17131 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-9.png differ 
diff --git a/docs/zh/docs/desktop/figures/xfce-91.png b/docs/zh/docs/desktop/figures/xfce-91.png new file mode 100644 index 0000000000000000000000000000000000000000..0cdc4824cb3cc1035f5d04863bb5f3eb4d83292b Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-91.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-911.png b/docs/zh/docs/desktop/figures/xfce-911.png new file mode 100644 index 0000000000000000000000000000000000000000..4d6c564e9a74d187d50ebd3f3c05dcb5d1bd5fa0 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-911.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-92.png b/docs/zh/docs/desktop/figures/xfce-92.png new file mode 100644 index 0000000000000000000000000000000000000000..a79f2473d27759c79ecdddcdee380b357babcac1 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-92.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-921.png b/docs/zh/docs/desktop/figures/xfce-921.png new file mode 100644 index 0000000000000000000000000000000000000000..57ed5964cadcc4f5fdfb0810c7a063ea8c5da3ae Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-921.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-93.png b/docs/zh/docs/desktop/figures/xfce-93.png new file mode 100644 index 0000000000000000000000000000000000000000..62d98b23d682341e2b0ee835561c6f52b7fd70b9 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-93.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-931.png b/docs/zh/docs/desktop/figures/xfce-931.png new file mode 100644 index 0000000000000000000000000000000000000000..c7bf69e5f12ea3d6b386c2521b25eea4d67ddccd Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-931.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-94.png b/docs/zh/docs/desktop/figures/xfce-94.png new file mode 100644 index 0000000000000000000000000000000000000000..09118f9047af97152aae746274d6df4f539b5564 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-94.png differ 
diff --git a/docs/zh/docs/desktop/figures/xfce-941.png b/docs/zh/docs/desktop/figures/xfce-941.png new file mode 100644 index 0000000000000000000000000000000000000000..40929ec09596763782d7ad20f4d6212310b67186 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-941.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-95.png b/docs/zh/docs/desktop/figures/xfce-95.png new file mode 100644 index 0000000000000000000000000000000000000000..bf970f67c835941961ffcc77632079564c2a9ef5 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-95.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-951.png b/docs/zh/docs/desktop/figures/xfce-951.png new file mode 100644 index 0000000000000000000000000000000000000000..835e819b530e821d733005191e57a4038a542ff8 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-951.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-96.png b/docs/zh/docs/desktop/figures/xfce-96.png new file mode 100644 index 0000000000000000000000000000000000000000..0115dd146cb01ecc61a78c1db55be121ff1e0820 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-96.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-961.png b/docs/zh/docs/desktop/figures/xfce-961.png new file mode 100644 index 0000000000000000000000000000000000000000..ce5b5f45527290c8c17e4b8795207f2e57e18a36 Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-961.png differ diff --git a/docs/zh/docs/desktop/figures/xfce-962.png b/docs/zh/docs/desktop/figures/xfce-962.png new file mode 100644 index 0000000000000000000000000000000000000000..57ed5964cadcc4f5fdfb0810c7a063ea8c5da3ae Binary files /dev/null and b/docs/zh/docs/desktop/figures/xfce-962.png differ diff --git a/docs/zh/docs/desktop/ha.md b/docs/zh/docs/desktop/ha.md new file mode 100644 index 0000000000000000000000000000000000000000..f03d1cf42d7fdeeecd41c312ce27e452d596e424 --- /dev/null +++ b/docs/zh/docs/desktop/ha.md 
@@ -0,0 +1,3 @@ +# HA 用户指南 + +本节主要描述HA的安装和使用。 \ No newline at end of file diff --git a/docs/zh/docs/desktop/installha.md b/docs/zh/docs/desktop/installha.md new file mode 100644 index 0000000000000000000000000000000000000000..edb57cbf1dd9fb3d3239f2ebf92487f7fe7d7170 --- /dev/null +++ b/docs/zh/docs/desktop/installha.md 
@@ -0,0 +1,177 @@ +# HA的安装与部署 + +本文介绍如何安装和部署HA高可用集群。 + + +## 安装与部署 + +### 环境准备 + +需要至少两台安装了openEuler 21.03 的物理机/虚拟机(现以两台为例),安装方法参考《安装指南》。 + +### 修改主机名称及/etc/hosts文件 + +**注:两台主机均需要进行以下操作,现以其中一台为例,下文中使用的IP仅供参考。** + +在使用HA软件之前,需要确认修改主机名并将所有主机名写入/etc/hosts文件中。 +1. 修改主机名 + ``` + # hostnamectl set-hostname ha1 + ``` + +2. 编辑`/etc/hosts`文件并写入以下字段 + ``` + 172.30.30.65 ha1 + 172.30.30.66 ha2 + ``` + +### 配置yum源 +成功安装系统后,会默认配置好yum源,文件位置存放在`/etc/yum.repos.d/openEuler.repo`文件中,HA软件包会用到以下源: +``` +[OS] +name=OS +baseurl=http://repo.openeuler.org/openEuler-21.03/OS/$basearch/ +enabled=1 +gpgcheck=1 +gpgkey=http://repo.openeuler.org/openEuler-21.03/OS/$basearch/RPM-GPG-KEY-openEuler + +[everything] +name=everything +baseurl=http://repo.openeuler.org/openEuler-21.03/everything/$basearch/ +enabled=1 +gpgcheck=1 +gpgkey=http://repo.openeuler.org/openEuler-21.03/everything/$basearch/RPM-GPG-KEY-openEuler + +[EPOL] +name=EPOL +baseurl=http://repo.openeuler.org/openEuler-21.03/EPOL/$basearch/ +enabled=1 +gpgcheck=1 +gpgkey=http://repo.openeuler.org/openEuler-21.03/OS/$basearch/RPM-GPG-KEY-openEuler +``` + +### 安装HA软件包组件 +``` +# yum install -y corosync pacemaker pcs fence-agents fence-virt corosync-qdevice sbd drbd drbd-utils +``` + +### 设置hacluster用户密码 +``` +# passwd hacluster +``` + +### 修改`/etc/corosync/corosync.conf`文件 +``` +totem { + version: 2 + cluster_name: hacluster + crypto_cipher: none + crypto_hash: none +} +logging { + fileline: off + to_stderr: yes + to_logfile: yes + logfile: /var/log/cluster/corosync.log + to_syslog: yes + debug: on + logger_subsys { + subsys: QUORUM + debug: on + } +} +quorum { + provider: corosync_votequorum + expected_votes: 2 + two_node: 1 + } +nodelist { + node { + name: ha1 + nodeid: 1 + ring0_addr: 172.30.30.65 + } + node { + name: ha2 + nodeid: 2 + ring0_addr: 172.30.30.66 + } + } +``` +### 管理服务 + +#### 关闭防火墙 + +1. 执行如下命令,关闭防火墙。 + ``` + # systemctl stop firewalld + ``` +2. 
修改`/etc/selinux/config`文件中SELINUX状态为disabled。 + ``` + # SELINUX=disabled + ``` + +#### 管理pcs服务 +1. 启动pcs服务: + ``` + # systemctl start pcsd + ``` + +2. 查询pcs服务状态: + ``` + # systemctl status pcsd + ``` + + 若回显为如下,则服务启动成功。 + + ![](./figures/HA-pcs.png) + +#### 管理pacemaker服务 +1. 启动pacemaker服务: + ``` + # systemctl start pacemaker + ``` + +2. 查询pacemaker服务状态: + ``` + # systemctl status pacemaker + ``` + + 若回显为如下,则服务启动成功。 + + ![](./figures/HA-pacemaker.png) + +#### 管理corosync服务 +1. 启动corosync服务: + ``` + # systemctl start corosync + ``` + +2. 查询corosync服务状态: + ``` + # systemctl status corosync + ``` + + 若回显为如下,则服务启动成功。 + + ![](./figures/HA-corosync.png) + +### 节点鉴权 +**注:任选一个节点上执行即可** +``` +# pcs host auth ha1 ha2 +``` + +### 访问前端管理平台 + +上述服务启动成功后,打开浏览器(建议使用:Chrome,Firfox),在浏览器导航栏中输入`https://localhost:2224`即可。 +- 以下界面为原生管理平台 + +![](./figures/HA-login.png) + +若安装社区新开发的管理平台请参考文档`https://gitee.com/openeuler/ha-api/blob/master/docs/build.md` +- 以下为社区新开发的管理平台 + +![](./figures/HA-api.png) + +想了解如何快速使用HA高可用集群,以及添加一个实例。请参考[HA的使用实例文档](./HA的使用实例.md)。 \ No newline at end of file diff --git a/docs/zh/docs/desktop/ukui.md b/docs/zh/docs/desktop/ukui.md new file mode 100644 index 0000000000000000000000000000000000000000..d017c9b37f36171667f87a486a578ff12bedfb2c --- /dev/null +++ b/docs/zh/docs/desktop/ukui.md @@ -0,0 +1,3 @@ +# UKUI 用户指南 + +本节主要描述 UKUI 桌面环境的安装和使用。 \ No newline at end of file diff --git a/docs/zh/docs/desktop/usecase.md b/docs/zh/docs/desktop/usecase.md new file mode 100644 index 0000000000000000000000000000000000000000..d1c7e0433e4d05f3833d09592a2a8e1f263625c7 --- /dev/null +++ b/docs/zh/docs/desktop/usecase.md 
@@ -0,0 +1,217 @@ +# HA使用实例 + +本章介绍如何快速使用HA高可用集群,以及添加一个实例。若不了解怎么安装,请参考[HA的安装与部署文档](./HA的安装与部署.md)。 + + +## 快速使用指南 + +以下操作均以社区新开发的管理平台为例。 + +### 登陆页面 +用户名为`hacluster`,密码为该用户在主机上设置的密码。 + +![](./figures/HA-api.png) + +### 主页面 +登录系统后显示主页面,主页面由四部分组成:侧边导航栏、顶部操作区、资源节点列表区以及节点操作浮动区。 + +以下将详细介绍这四部分的特点与使用方法。 + +![](./figures/HA-home-page.png) + +#### 导航栏 +侧边导航栏由两部分组成:高可用集群软件名称和 logo 以及系统导航。系统导航由三项组成:【系统】、【集群配置】和【工具】。【系统】是默认选项,也是主页面的对应项,主要展示系统中所有资源的相关信息以及操作入口;【集群配置】下设【首选项配置】和【心跳配置】两项;【工具】下设【日志下载】和【集群快捷操作】两项,点击后以弹出框的形式出现。 + +#### 顶部操作区 +登录用户是静态显示,鼠标滑过用户图标,出现操作菜单项,包括【刷新设置】和【退出登录】两项,点击【刷新设置】,弹出【刷新设置】对话框,包含【刷新设置】选项,可以设置系统的自动刷新模式,包括【不自动刷新】、【每 5 秒刷新】和【每 10 秒刷新】三种选择,默认选择【不自动刷新】、【退出登录】即可注销本次登录,系统将自动跳到登录页面,此时,如果希望继续访问系统,则需要重新进行登录。 + +![](./figures/HA-refresh.png) + +#### 资源节点列表区 +资源节点列表集中展现系统中所有资源的【资源名】、【状态】、【资源类型】、【服务】、【运行节点】等资源信息,以及系统中所有的节点和节点的运行情况等节点信息。同时提供资源的【添加】、【编辑】、【启动】、【停止】、【清理】、【迁移】、【回迁】、【删除】和【关系】操作。 + +#### 节点操作浮动区 +节点操作浮动区域默认是收起的状态,每当点击资源节点列表表头中的节点时,右侧会弹出节点操作扩展区域,如图所示,该区域由收起按钮、节点名称、停止和备用四个部分组成,提供节点的【停止】和【备用】操作。点击区域左上角的箭头,该区域收起。 + +### 首选项配置 +以下操作均可用命令行配置,现只做简单示例,若想使用更多命令可以使用``pcs --help``进行查询。 + +- 命令行方式 + ``` + # pcs property set stonith-enabled=false + # pcs property set no-quorum-policy=ignore + ``` + 执行如下命令,可以查看全部配置。 + ``` + pcs property + ``` + ![](./figures/HA-firstchoice-cmd.png) + +- 图形界面方式 + 点击侧边导航栏中的【首选项配置】按钮,弹出【首选项配置】对话框。将No Quorum Policy和Stonith Enabled由默认状态改为如下对应状态;修改完成后,点击【确定】按钮完成配置。 + + ![](./figures/HA-firstchoice.png) + +### 添加资源 + +#### 添加普通资源 + +1. 点击【添加普通资源】,弹出【创建资源】对话框。 + 其中资源的所有必填配置项均在【基本】页面内,选择【基本】页面内的【资源类型】后会进一步给出该类资源的其他必填配置项以及选填配置项。 + +2. 填写资源配置信息。 + 对话框右侧会出现灰色文字区域,对当前的配置项进行解释说明。全部必填项配置完毕后,点击【确定】按钮即可创建普通资源,点击【取消】按钮,取消本次添加动作。 + 【实例属性】、【元属性】或者【操作属性】页面中的选填配置项为选填项,不配置不会影响资源的创建过程,可以根据场景需要可选择修改,否则将按照系统默认值处理。 + +下面以Apache为例,分别以命令行方式和图形界面方式介绍添加资源的方法。 + +- 命令行方式 + ``` + # pcs resource create httpd ocf:heartbeat:apache + ``` + 查看资源运行状态 + ``` + # pcs status + ``` + + ![](./figures/HA-pcs-status.png) + +- 图形界面方式 +1. 
填写资源名称和资源类型,如下图所示。 + ![](./figures/HA-add-resource.png) +2. 回显为如下,则资源添加成功并启动,运行于其中一个节点上,例如ha1。 + + ![](./figures/HA-apache-suc.png) +3. 访问apache界面成功。 + + ![](./figures/HA-apache-show.png) + +#### 添加组资源 + +>**须知:** +> 添加组资源时,集群中需要至少存在一个普通资源。 + +1. 点击【添加组资源】,弹出【创建资源】对话框。 + 【基本】页面内均为必填项,填写完毕后,点击【确定】按钮,即可完成资源的添加,点击【取消】按钮,取消本次添加动作。 + + ![](./figures/HA-group.png) + + >**注意:** + > 组资源的启动是按照子资源的顺序启动的,所以选择子资源时需要注意按照顺序选择。 + +2. 回显如下,资源添加成功。 + + ![](./figures/HA-group-suc.png) + +#### 添加克隆资源 + +1. 点击【添加克隆资源】,弹出【创建资源】对话框。 + 【基本】页面内填写克隆对象,资源名称会自动生成,填写完毕后,点击【确定】按钮,即可完成资源的添加,点击【取消】按钮,取消本次添加动作。 + + ![](./figures/HA-clone.png) + +2. 回显如下,资源添加成功。 + + ![](./figures/HA-clone-suc.png) + +### 编辑资源 + +- 启动资源:资源节点列表中选中一个目标资源,要求:该资源处于非运行状态。对该资源执行启动动作。 +- 停止资源:资源节点列表中选中一个目标资源,要求:该资源处于运行状态。对该资源执行停止操作。 +- 清理资源:资源节点列表中选中一个目标资源,对该资源执行清理操作。 +- 迁移资源:资源节点列表中选中一个目标资源,要求:该资源为处于运行状态的普通资源或者组资源,执行迁移操作可以将资源迁移到指定节点上运行。 +- 回迁资源:资源节点列表中选中一个目标资源,要求:该资源已经完成迁移动作,执行回迁操作,可以清除该资源的迁移设置,资源重新迁回到原来的节点上运行。 +点击按钮后,列表中该资源项的变化状态与启动资源时一致。 +- 删除资源:资源节点列表中选中一个目标资源,对该资源执行删除操作。 + +### 设置资源关系 + +资源关系即为目标资源设定限制条件,资源的限制条件分为三种:资源位置、资源协同和资源顺序。 +- 资源位置:设置集群中的节点对于该资源的运行级别,由此确定启动或者切换时资源在哪个节点上运行,运行级别按照从高到低的顺序依次为:Master Node、Slave 1。 +- 资源协同:设置目标资源与集群中的其他资源是否运行在同一节点上,同节点资源表示该资源与目标资源必须运行在相同节点上,互斥节点资源表示该资源与目标资源不能运行在相同的节点上。 +- 资源顺序:设置目标资源与集群中的其他资源启动时的先后顺序,前置资源是指目标资源运行之前,该资源必须已经运行;后置资源是指目标资源运行之后,该资源才能运行。 + +## 高可用mysql实例配置 + +### 配置虚拟IP + +1. 在首页中点击“添加”,再选择添加普通资源,并按如下进行配置。 + + ![](./figures/HA-vip.png) + +2. 资源创建成功并启动,运行于其中一个节点上,例如ha1。 +3. 可以ping通并连接,登录后可正常执行各种操作;资源切换到ha2运行;能够正常访问。如下图所示。 + ![](./figures/HA-vip-suc.png) + +### 配置NFS存储 + +另找一台机器作为nfs服务端进行配置,操作步骤如下: + +1. 安装软件包 + + ``` + # yum install -y nfs-utils rpcbind + ``` +2. 关闭防火墙 + ``` + # systemctl stop firewalld && systemctl disable firewalld + ``` +3. 修改/etc/selinux/config文件中SELINUX状态为disabled + ``` + # SELINUX=disabled + ``` +4. 启动服务 + ``` + # systemctl start rpcbind && systemctl enable rpcbind + # systemctl start nfs-server && systemctl enable nfs-server + ``` +5. 
服务端创建一个共享目录 + ``` + # mkdir -p /test + ``` +6. 修改NFS配置文件 + ``` + # vim /etc/exports + # /test *(rw,no_root_squash) + ``` +7. 重新加载服务 + ``` + # systemctl reload nfs + ``` + +8. 客户端安装软件包,需要先安装mysql,可以将nfs挂载到mysql数据路径。 + ``` + # yum install -y nfs-utils mariadb-server + ``` +9. 在首页中依次点击“添加”,“添加普通资源”,并按如下进行配置NFS资源。 + + ![](./figures/HA-nfs.png) + +10. 资源创建成功并启动,运行于其中一个节点上,例如ha1;nfs成功挂载到`/var/lib/mysql`路径下。资源切换到ha2运行;nfs从ha1节点取消挂载,并自动在ha2节点上挂载成功。如下图所示。 + ![](./figures/HA-nfs-suc.png) + +### 配置mysql + +1. 在首页中依次点击“添加”,“添加普通资源”,并按如下进行配置mysql资源。 + + ![](./figures/HA-mariadb.png) + +2. 若回显为如下,则资源添加成功。 + + ![](./figures/HA-mariadb-suc.png) + +### 添加上述资源为组资源 + +1. 按资源启动顺序添加三个资源 + + 在首页中依次点击“添加”,“添加组资源”,并按如下进行配置组资源。 + + ![](./figures/HA-group-new.png) + +2. 组资源创建成功并启动,若回显与上述三个普通资源成功现象一致,则资源添加成功。 + + ![](./figures/HA-group-new-suc.png) + +3. 将ha1节点备用,成功迁移到ha2节点,运行正常。 + + ![](./figures/HA-group-new-suc2.png) \ No newline at end of file diff --git a/docs/zh/docs/desktop/xfce.md b/docs/zh/docs/desktop/xfce.md new file mode 100644 index 0000000000000000000000000000000000000000..907ba3a8edc4367941558cfea6cbd8fc3ccf0a67 --- /dev/null +++ b/docs/zh/docs/desktop/xfce.md @@ -0,0 +1,3 @@ +# Xfce 用户指南 + +本节主要描述 Xfce 桌面环境的安装和使用。 \ No newline at end of file diff --git "a/docs/zh/docs/desktop/\345\256\211\350\243\205DDE.md" "b/docs/zh/docs/desktop/\345\256\211\350\243\205DDE.md" new file mode 100644 index 0000000000000000000000000000000000000000..7cdeeccca4c140588b3f16f171897a3076d08af8 --- /dev/null +++ "b/docs/zh/docs/desktop/\345\256\211\350\243\205DDE.md" 
@@ -0,0 +1,31 @@ +# 在 openEuler 上安装 DDE +#### 简介 + +DDE是统信软件团队研发的一款功能强大的桌面环境。包含数十款功能强大的桌面应用,是真正意义上的自主自研桌面产品。 + +#### 安装方法 + +1. [下载](https://openeuler.org/zh/download/)openEuler ISO镜像并安装系统 +2. 更新软件源 +```bash +sudo dnf update +``` +3. 安装DDE +```bash +sudo dnf install dde +``` +4. 设置以图形界面的方式启动 +```bash +sudo systemctl set-default graphical.target +``` +5. 重启 +```bash +sudo reboot +``` +6. 在重启完成后,使用安装过程中创建的用户或openeuler用户登陆桌面 + + > dde桌面无法使用root账号登陆 + > dde内置了openeuler用户,此用户的密码为openeuler + +现在您可以尽情的使用dde桌面了。 + diff --git "a/docs/zh/docs/desktop/\345\256\211\350\243\205UKUI.md" "b/docs/zh/docs/desktop/\345\256\211\350\243\205UKUI.md" new file mode 100644 index 0000000000000000000000000000000000000000..4ae812be83a09c88d9a0b36afbf2421b9124e27e --- /dev/null +++ "b/docs/zh/docs/desktop/\345\256\211\350\243\205UKUI.md" @@ -0,0 +1,22 @@ +# 在 openEuler 上安装 UKUI + +UKUI是麒麟软件团队历经多年打造的一款Linux 桌面,主要基于 GTK 和 QT开发。与其它UI界面相比,UKUI更加注重易用性和敏捷度,各元件相依性小,可以不依赖其它套件而独自运行,给用户带来亲切和高效的使用体验。 + +UKUI支持x86_64和aarch64两种架构。 + +安装时,建议新建一个管理员用户。 + +1.下载 openEuler 镜像并安装系统。 +``` +sudo dnf update +``` +2.安装UKUI。 +``` +sudo dnf install ukui +``` +3.在确认正常安装后,如果希望以图形界面的方式启动,请在命令行运行以下代码,并重启(`reboot`)。 +``` +systemctl set-default graphical.target +``` +目前UKUI版本还在不断的更新,最新的安装方法请查阅: +[https://gitee.com/openkylin/ukui-issues](https://gitee.com/openkylin/ukui-issues) diff --git a/docs/zh/docs/secGear/figures/architecture.png b/docs/zh/docs/secGear/figures/architecture.png new file mode 100644 index 0000000000000000000000000000000000000000..9f2f15ebaa8404ae10cd770b514b7efa78c7538d Binary files /dev/null and b/docs/zh/docs/secGear/figures/architecture.png differ diff --git a/docs/zh/docs/secGear/secGear.md b/docs/zh/docs/secGear/secGear.md new file mode 100644 index 0000000000000000000000000000000000000000..c2bbd422a3a315005adfed7768acb1f6439a8377 --- /dev/null +++ b/docs/zh/docs/secGear/secGear.md @@ -0,0 +1,3 @@ +# secGear 开发指南 + +本文档介绍如何使用 secGear 统一机密计算编程框架开发应用程序,以及所包含工具的使用方法。 \ No newline at end of file 
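Review bot: In docs/zh/docs/desktop/installha.md, the sample /etc/corosync/corosync.conf sets `crypto_cipher: none` and `crypto_hash: none`, so totem traffic between ha1 and ha2 is neither encrypted nor authenticated, and a host that can reach the corosync ports can forge cluster messages. Suggest the guide show `crypto_cipher: aes256` with `crypto_hash: sha256` and a key generated by `corosync-keygen` and copied to both nodes, or at least state that the `none` values are for an isolated lab only. The same file tells readers to stop firewalld and set SELINUX to disabled; opening the cluster ports with `firewall-cmd --permanent --add-service=high-availability` would avoid turning the firewall off, and the `# SELINUX=disabled` line reads as a shell command or a commented-out setting rather than the config line to edit. The repo stanzas fetch `gpgkey` over http://, which weakens `gpgcheck=1`. Smaller points: "Firfox" should be "Firefox", and the closing link targets ./HA的使用实例.md while the file added in this patch is usecase.md.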
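Review bot: In docs/zh/docs/desktop/usecase.md, step 6 of 配置NFS存储 exports the share as `/test *(rw,no_root_squash)`, which gives any client that can reach the server read-write access with root preserved, on the directory that will hold the MariaDB data. Suggest restricting the export to the two cluster addresses used in the install guide (172.30.30.65 and 172.30.30.66) and dropping `no_root_squash` unless the text explains why it is needed. In 首选项配置, `pcs property set stonith-enabled=false` together with `no-quorum-policy=ignore` turns off fencing on a two-node cluster that later mounts shared storage at /var/lib/mysql; the doc should say this is a demo setting and that a fence device is needed in production (the install guide already installs fence-agents and sbd). Also: step 7 reloads `nfs` while step 4 started `nfs-server`, the firewall and SELinux are disabled again on the NFS server, and the intro links ./HA的安装与部署.md while the file added is installha.md.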
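Review bot: In docs/zh/docs/desktop/安装DDE.md, step 6 documents a built-in `openeuler` account whose password is `openeuler`, and nothing tells the reader to change it. Suggest adding a step right after first login to change that password with `passwd openeuler`, or to lock the account when the user created during installation is used instead, since step 4 makes graphical.target the default and the account is then offered at the login screen. The heading levels also jump from `#` straight to `####`.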
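Review bot: In docs/zh/docs/desktop/安装UKUI.md, step 1 (下载 openEuler 镜像并安装系统) is followed by a code block containing `sudo dnf update`, so the update command is presented as the download-and-install step. Suggest giving the update its own numbered step, as 安装DDE.md does with 更新软件源. Step 3 runs `systemctl set-default graphical.target` without `sudo` while the other commands use it, and the numbered items have no space after `1.`, `2.`, `3.`, so Markdown will not render them as a list.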
diff --git "a/docs/zh/docs/secGear/\344\275\277\347\224\250secGear\345\267\245\345\205\267.md" "b/docs/zh/docs/secGear/\344\275\277\347\224\250secGear\345\267\245\345\205\267.md" new file mode 100644 index 0000000000000000000000000000000000000000..a7145c5b4546b4219dbc98915eebb03d613714e7 --- /dev/null +++ "b/docs/zh/docs/secGear/\344\275\277\347\224\250secGear\345\267\245\345\205\267.md" 
@@ -0,0 +1,161 @@ +# 使用 secGear 工具 + +secGear 提供了一套工具集,方便用户开发应用程序。本章介绍相关工具及其使用方法。 + +## 代码生成工具 codegener + +### 简介 + +secGear codegener 是基于 intel SGX SDK edger8r 开发的工具,用于解析 EDL 文件生成中间 C 代码,即辅助生成安全测与非安全侧文件互相调用的代码。 + +secGear codegener 定义的 EDL 文件格式与 intel SGX SDK edger8r 相同,但是不支持 Intel 的完整语法定义: + +- 只能在方法中使用 public,不加 public 的函数声明默认为 private +- 不支持从非安全侧到安全侧,以及安全侧到非安全侧的 Switchless Calls +- OCALL(Outside call) 不支持部分调用模式(如 cdecl,stdcall,fastcall) + +EDL 文件语法为类 C 语言语法,这里主要描述与 C 语言的差异部分: + +| 成员 | 含义 | +| ----------------------- | ------------------------------------------------------------ | +| include "my_type.h" | 使用外部包含文件中定义的类型 | +| trusted | 声明 TA(Trusted Application)侧可用安全函数 | +| untrusted | 声明 TA 侧可用不安全函数 | +| return_type | 定义返回值类型 | +| parameter_type | 定义参数类型 | +| [in , size = len] | 对ecall而言,表示该参数需要将数据从非安全侧传入安全侧,ocall反之(指针类型需要使用此参数,其中 size 表示实际使用的 buffer) | +| [out, size = len] | 对ecall而言,表示该参数需要将数据从安全侧传出到非安全侧,ocall反之(指针类型需要使用此参数,其中 size 表示实际使用的 buffer) | + + + +### 使用说明 + +#### **命令格式** + +codegen 的命令格式如下: + +- x86_64 架构: + +**codegen_x86_64** < --trustzone | --sgx > [--trusted-dir | **--untrusted-dir** | --trusted | --untrusted ] edlfile + +ARM 架构: + +**codegen_arm64** < --trustzone | --sgx > [--trusted-dir | **--untrusted-dir** | --trusted | --untrusted ] edlfile + +#### **参数说明** + +各参数含义如下: + +| **参数** | 是否可选 | 参数含义 | +| ---------------------- | -------- | ------------------------------------------------------------ | +| --trustzone \| --sgx | 必选 | 只在当前运行命令目录下生成机密计算架构对应接口函数,不加参数默认生成 SGX 接口函数 | +| --search-path | 可选 | 用于指定被转译的edl文件所依赖文件的搜索路径 | +| --use-prefix | 可选 | 用于给代理函数名称加上前缀,前缀名为edl的文件名 | +| --header-only | 可选 | 指定代码生成工具只生成头文件 | +| --trusted-dir | 可选 | 指定生成安全侧辅助代码所在目录,不指定该参数默认为当前路径 | +| --untrusted-dir | 可选 | 指定生成非安全侧函数辅助代码所在目录 | +| --trusted | 可选 | 生成安全侧辅助代码 | +| --untrusted | 可选 | 生成非安全侧辅助代码 | +| edlfile | 必选 | 需要转译的 EDL 文件,例如 hello.edl | + + + +#### 示例 + +- 转译 *helloworld.edl* ,在 *enclave-directory* 下生成安全侧辅助代码,*host-directory* 下生成非安全辅助代码的命令示例如下: + 
+```shell +$ codegen_x86_64 --sgx --trusted-dir enclave-directory --untrusted-dir host-directory helloworld.edl +``` + +- 转译 *helloworld.edl* ,在当前目录生成安全侧辅助代码,不生成非安全辅助代码的命令示例如下: + +```shell +$ codegen_x86_64 --sgx --trusted helloworld.edl +``` + +- 转译 *helloworld.edl* ,在当前目录生成非安全侧辅助代码,不生成安全辅助代码的命令示例如下: + +```shell +$ codegen_x86_64 --sgx --untrusted helloworld.edl +``` + +- 转译 *helloworld.edl* ,在 当前目录生成安全侧和非安全侧辅助代码的命令示例如下: + +```shell +$ codegen_x86_64 --sgx helloworld.edl +``` + + + +## 签名工具 sign_tool + +### 简介 + +secGear sign_tool 是一款命令行工具,包含编译工具链和签名工具,用于 enclave 签名。sign_tool 有两种签名形式: + +- 单步签名:仅适用于 debug 调试模式 +- 两步签名:商用场景。需要从第三方平台或者独立的安全设备获取签名私钥,对 envlave 进行签名 + + + +### 使用指导 + +#### **命令格式** + +sign_tool 包含 sign 指令(对 enclave 进行签名)和 digest 指令(生成摘要值)。命令格式为: + +**sign_tool.sh -d** [sign | digest] **-x** **-i** **-p** **-s** [OPTIONS] **–o** + +#### **参数说明** + +| sign 指令参数 | 参数含义 | 是否必选 | +| -------------- | -------------------------------------------------------------| -------------------------------------------- | +| -a | api_level,标识 iTrustee TA 的 GP API version,默认为 1 | 可选 | +| -c | 配置文件 | 可选 | +| -d | 指定签名工具要进行的操作( sign 或者 digest ) | 单步仅执行sign,两步需要先执行digest,再执行sign | +| -e | 设备的公钥证书,用于保护加密 rawdata 的 AES key (iTrustee必需) | 仅 iTrustee 类型必选 | +| -f | OTRP_FLAG,是否支持 OTRP 标准协议,默认为 0 | 可选 | +| -i | 待签名的库文件 | 必选 | +| -k | 单步签名所需私钥(pem文件) | 仅 SGX 类型必选 | +| -m | 安全配置文件 mainfest.txt,由用户自行配置 | 仅 iTrustee 类型必选 | +| -o | 输出文件 | 必选 | +| -p | 两步签名所需的签名服务器公钥证书(pem文件) | 必选 | +| -s | 两步签名所需的已签名摘要值 | 必选 | +| -t | TA_TYPA,标识 iTrustee 的 TA 二进制格式,默认为 1 | 可选 | +| -x | encalve type(sgx 或 trustzone) | 必选 | +| -h | 打印帮助信息 | 可选 | + + + +#### **单步签名** + +enclave 类型为 SGX,给 test.enclave 签名,输出签名文件 signed.enclave 的示例如下: + +```shell +$ sign_tool.sh –d sign –x sgx –i test.enclave -k private_test.pem –o signed.enclave +``` + + + +#### **两步签名** + +以 SGX 为例,两步签名的操作步骤如下: + +1. 
生成摘要值 + + 使用 sign_tool 签名,生成摘要值 digest.data 和临时中间文件 signdata(该文件在生成签名文件时使用,并在签名后自动删除)。参考命令如下: + + ```shell + $ sign_tool.sh –d digest –x sgx –i input –o digest.data + ``` + +2. 将 digest.data 发送至签名机构或平台,并获取对应签名。 + +3. 使用获取的签名生成签名后的动态库 signed.enclave。 + + ```shell + $ sign_tool.sh –d sign –x sgx–i input –p pub.pem –s signature –o signed.enclave + ``` + +说明:为发布 Intel SGX 支持的正式版本应用,需要申请 Intel 白名单。流程请参考 Intel 文档:https://software.intel.com/content/www/us/en/develop/download/overview-on-signing-and-whitelisting-for-intel-software-guard-extensions-enclaves.html \ No newline at end of file diff --git "a/docs/zh/docs/secGear/\345\256\211\350\243\205secGear.md" "b/docs/zh/docs/secGear/\345\256\211\350\243\205secGear.md" new file mode 100644 index 0000000000000000000000000000000000000000..79b42ebe903f90da14f70629e24dc07e2dcb5d86 --- /dev/null +++ "b/docs/zh/docs/secGear/\345\256\211\350\243\205secGear.md" @@ -0,0 +1,35 @@ +# 安装 secGear + + +## 环境要求 + +当前 secGear 仅支持以下软硬件,后续会逐步支持更多的软硬件。 + +- 处理器:当前 secGear 仅支持 x86_64 处理器架构,且该处理器需要支持 Intel SGX (Intel Software Guard Extensions)功能 + +- 操作系统:openEuler 21.03 或更高版本 + + +## 安装指导 + +使用 secGear 机密计算编程框架,需要安装 secGear、secGear-devel 开发包。安装前,请确保已经配置了openEuler yum 源。 + +1. 使用 root 权限,安装 secGear 组件,参考命令如下: + + ```shell + #yum install secGear + #yum install secGear-devel + ``` + + + +2. 查看安装是否成功。参考命令和回显如下表示安装成功。 + + ```shell + #rpm -q secGear + secGear-1.0-1.oe1.x86_64 + #rpm -q secGear-devel + secGear-devel-1.0-1.oe1.x86_64 + ``` + + diff --git "a/docs/zh/docs/secGear/\345\274\200\345\217\221secGear\345\272\224\347\224\250\347\250\213\345\272\217.md" "b/docs/zh/docs/secGear/\345\274\200\345\217\221secGear\345\272\224\347\224\250\347\250\213\345\272\217.md" new file mode 100644 index 0000000000000000000000000000000000000000..b018cd4663d70953b22f5fc097c5066dd6b60fda --- /dev/null +++ "b/docs/zh/docs/secGear/\345\274\200\345\217\221secGear\345\272\224\347\224\250\347\250\213\345\272\217.md" 
@@ -0,0 +1,444 @@ +# secGear 开发指南 + + +这里给出使用 secGear 开发一个 C 语言程序 helloworld 的例子,方便用户理解使用 secGear 开发应用程序。 + +## 目录结构说明 + +使用 secGear 开发的应用程序,遵循统一的目录结构如下: + +``` +├── helloworld +│ ├── CMakeLists.txt +│ ├── enclave +│ │ ├── CMakeLists.txt +│ │ ├── Enclave.config.xml +│ │ ├── Enclave.lds +│ │ ├── hello.c +│ │ ├── manifest.txt.in +│ │ └── rsa_public_key_cloud.pem +│ ├── helloworld.edl +│ └── host +│ ├── CMakeLists.txt +│ └── main.c +``` + +## 快速入门 + +1. 创建程序工作目录 helloworld,并在 helloworld 目录下新建 enclave 和 host + +2. 编写 EDL(Encalve Definition Language)文件 + + 为了确保开发代码的一致性,secGear 提供了 secgear_urts.h 和 secgear_tstdc.edl 用于屏蔽底层 Intel SGX 和 ARM iTrustee 之间的差异。因此,使用到 C 语言函数库时,EDL 文件默认需要导入 secgear_urts.h 和 secgear_tstdc.edl。helloworld.edl 文件参考如下: + + ```c + enclave { + include "secgear_urts.h" + from "secgear_tstdc.edl" import *; + trusted { + public int get_string([out, size=32]char *buf); + }; + }; + ``` + + 说明:EDL 语法详细信息请参见 Intel SGX 开发指南中对应内容。 + +3. 编写顶层文件 CMakeLists.txt + + 编写顶层文件 CMakeLists.txt,置于 helloworld 工作目录下,用于配置编译时的处理器架构、所需的 EDL 文件等信息。 + + 其中,EDL_FILE 是 EDL 文件,需用户指定,例子中为 helloworld.edl。DPATH 是安全侧加载动态库,配置如例子中所示。 + + ```c + cmake_minimum_required(VERSION 3.12 FATAL_ERROR) + project(HelloWorld C) + set(CMAKE_C_STANDARD 99) + set(CURRENT_ROOT_PATH ${CMAKE_CURRENT_SOURCE_DIR}) + set(EDL_FILE helloworld.edl) + set(LOCAL_ROOT_PATH "$ENV{CC_SDK}") + set(SECGEAR_INSTALL_PATH /lib64/) + if(CC_GP) + set(CODETYPE trustzone) + set(CODEGEN codegen_arm64) + execute_process(COMMAND uuidgen -r OUTPUT_VARIABLE UUID) + string(REPLACE "\n" "" UUID ${UUID}) + add_definitions(-DPATH="/data/${UUID}.sec") + endif() + if(CC_SGX) + set(CODETYPE sgx) + set(CODEGEN codegen_x86_64) + add_definitions(-DPATH="${CMAKE_CURRENT_BINARY_DIR}/enclave/enclave.signed.so") + endif() + add_subdirectory(${CURRENT_ROOT_PATH}/enclave) + add_subdirectory(${CURRENT_ROOT_PATH}/host) + ``` + + + +4. 
编写非安全侧代码和 CMakeLists.txt + + 4.1 编写 main.c + + 编写非安全侧 main.c,置于 host目录。enclave.h 为 secGear 头文件,helloworld_u.h 为辅助代码生成工具生成的头文件。使用 cc_enclave_create 创建安全区 enclave 上下文,cc_enclave_destroy 销毁安全区上下文。 + get_string 为 EDL 文件中定义 trusted 的安全侧函数,注意这里与 EDL 中定义的 get_string 有差别,多出两个参数 context 为安全区上下文,retval 为 EDL 中get_string 的返回值。 + res 为 get_string 调用成功标志。 + + ```c + #include + #include "enclave.h" + #include "helloworld_u.h" + + #define BUF_LEN 32 + + int main() + { + int retval = 0; + char *path = PATH; + char buf[BUF_LEN]; + cc_enclave_t *context = NULL; + cc_enclave_result_t res; + res = cc_enclave_create(path, AUTO_ENCLAVE_TYPE, 0, SECGEAR_DEBUG_FLAG, NULL, 0, &context); + ... + + res = get_string(context, &retval, buf); + if (res != CC_SUCCESS || retval != (int)CC_SUCCESS) { + printf("Ecall enclave error\n"); + } else { + printf("%s\n", buf); + } + + if (context != NULL) { + res = cc_enclave_destroy(context); + ... + } + return res; + } + ``` + + 4.2 编写非安全侧 CMakeLists.txt + + ```c + # 设置编译环境变量 + #set auto code prefix + set(PREFIX helloworld) + #set host exec name + set(OUTPUT secgear_helloworld) + #set host src code + set(SOURCE_FILE ${CMAKE_CURRENT_SOURCE_DIR}/main.c) + + # 使用代码生成工具生成辅助代码。CODEGEN 和 CODETYPE 变量也在顶层 CMakeLists.txt 中定义。--search-path 用于指定 helloword.edl 中导入依赖的其他 EDL 文件路径 + #set auto code + if(CC_GP) + set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h) + add_custom_command(OUTPUT ${AUTO_FILES} + DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} + COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp) + endif() + + if(CC_SGX) + set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_u.c) + add_custom_command(OUTPUT ${AUTO_FILES} + DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} + COMMAND ${CODEGEN} --${CODETYPE} --untrusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path 
${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include) + endif() + + # 设置编译选项和链接选项 + set(CMAKE_C_FLAGS "-fstack-protector-all -W -Wall -Werror -Wextra -Werror=array-bounds -D_FORTIFY_SOURCE=2 -O2 -ftrapv -fPIE") + set(CMAKE_EXE_LINKER_FLAGS "-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack") + + # 编译链接引用目录 + if(CC_GP) + if(${CMAKE_VERSION} VERSION_LESS "3.13.0") + link_directories(${SECGEAR_INSTALL_PATH}) + endif() + add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES}) + target_include_directories(${OUTPUT} PRIVATE + /usr/include/secGear/host_inc + /usr/include/secGear/host_inc/gp + ${CMAKE_CURRENT_BINARY_DIR}) + if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") + target_link_directories(${OUTPUT} PRIVATE ${SECGEAR_INSTALL_PATH}) + endif() + target_link_libraries(${OUTPUT} secgear) + endif() + if(CC_SGX) + if(${CMAKE_VERSION} VERSION_LESS "3.13.0") + link_directories(${SECGEAR_INSTALL_PATH} ${SGXSDK}/lib64) + endif() + set(SGX_MODE HW) + if(${SGX_MODE} STREQUAL HW) + set(Urts_Library_Name sgx_urts) + else() + set(Urts_Library_Name sgx_urts_sim) + endif() + add_executable(${OUTPUT} ${SOURCE_FILE} ${AUTO_FILES} ${LOCAL_ROOT_PATH}/src/host_src/sgx/sgx_log.c) + target_include_directories(${OUTPUT} PRIVATE + /usr/include/secGear/host_inc + /usr/include/secGear/host_inc/sgx + ${CMAKE_CURRENT_BINARY_DIR}) + if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") + target_link_directories(${OUTPUT} PRIVATE ${SECGEAR_INSTALL_PATH} ${SGXSDK}/lib64) + endif() + target_link_libraries(${OUTPUT} secgear ${Urts_Library_Name}) + endif() + + # 指定二进制安装目录 + set_target_properties(${OUTPUT} PROPERTIES SKIP_BUILD_RPATH TRUE) + if(CC_GP) + install(TARGETS ${OUTPUT} + RUNTIME + DESTINATION /vendor/bin/ + PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ) + endif() + if(CC_SGX) + install(TARGETS ${OUTPUT} + RUNTIME + DESTINATION ${CMAKE_BINARY_DIR}/bin/ + PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ) + endif() + ``` + + + +5. 
编写安全侧代码、CMakeLists.txt 和配置文件,放在 enclave 目录 + + 5.1 编写安全侧代码 hello.c + + 编写安全侧代码 hello.c,置于 enclave 目录。其中,helloworld_t.h 为辅助代码生成工具,通过 EDL 文件生成的安全侧头文件。 + + ```c + #include + #include + #include "helloworld_t.h" + + #define TA_HELLO_WORLD "secGear hello world!" + #define BUF_MAX 32 + int get_string(char *buf) + { + strncpy(buf, TA_HELLO_WORLD, strlen(TA_HELLO_WORLD) + 1); + return 0; + } + ``` + + 5.2 编写安全侧 CMakeLists.txt + + ``` + #set auto code prefix + set(PREFIX helloworld) + + #set sign key + set(PEM Enclave_private.pem) + + #set sign tool + set(SIGN_TOOL ${LOCAL_ROOT_PATH}/tools/sign_tool/sign_tool.sh) + + #set enclave src code + set(SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/hello.c) + + #set log level + set(PRINT_LEVEL 3) + add_definitions(-DPRINT_LEVEL=${PRINT_LEVEL}) + + # WHITE_LIS_X 设置 itrustee 白名单,只有这些路径的主机二进制文件可以调用此安全映像,并且最多可以配置 8 个列表路径。WHITE_LIST_OWNER 设置用户,此用户将应用于所有白名单路径。DEVICEPEM 公钥由itrustee 使用,并用于通过动态生成的 aes 密钥加密安全侧的安全动态库。 + if(CC_GP) + #set signed output + set(OUTPUT ${UUID}.sec) + #set itrustee device key + set(DEVICEPEM ${CMAKE_CURRENT_SOURCE_DIR}/rsa_public_key_cloud.pem) + #set whilelist. 
default: /vendor/bin/teec_hello + set(WHITE_LIST_0 /vendor/bin/helloworld) + set(WHITE_LIST_OWNER root) + set(WHITE_LIST_1 /vendor/bin/secgear_helloworld) + set(WHITELIST WHITE_LIST_0 WHITE_LIST_1) + + set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_args.h) + add_custom_command(OUTPUT ${AUTO_FILES} + DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} + COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/gp) + endif() + + # SGX 安全侧动态库签名 + if(CC_SGX) + set(OUTPUT enclave.signed.so) + set(AUTO_FILES ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.h ${CMAKE_CURRENT_BINARY_DIR}/${PREFIX}_t.c) + add_custom_command(OUTPUT ${AUTO_FILES} + DEPENDS ${CURRENT_ROOT_PATH}/${EDL_FILE} + COMMAND ${CODEGEN} --${CODETYPE} --trusted ${CURRENT_ROOT_PATH}/${EDL_FILE} --search-path ${LOCAL_ROOT_PATH}/inc/host_inc/sgx --search-path ${SGXSDK}/include) + endif() + + # 设置编译选项 + set(COMMON_C_FLAGS "-W -Wall -Werror -fno-short-enums -fno-omit-frame-pointer -fstack-protector \ + -Wstack-protector --param ssp-buffer-size=4 -frecord-gcc-switches -Wextra -nostdinc -nodefaultlibs \ + -fno-peephole -fno-peephole2 -Wno-main -Wno-error=unused-parameter \ + -Wno-error=unused-but-set-variable -Wno-error=format-truncation=") + + set(COMMON_C_LINK_FLAGS "-Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack -Wl,-nostdlib -nodefaultlibs -nostartfiles") + + # itrustee 需生成 manifest.txt。指定 itrustee 编译选项和头文件、链接文件的搜索路径 + if(CC_GP) + configure_file("${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt.in" "${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt") + + set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -march=armv8-a ") + set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s -fPIC") + set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-s") + + set(ITRUSTEE_TEEDIR ${iTrusteeSDK}/) + set(ITRUSTEE_LIBC ${iTrusteeSDK}/thirdparty/open_source/musl/libc) + + if(${CMAKE_VERSION} VERSION_LESS "3.13.0") + 
link_directories(${CMAKE_BINARY_DIR}/lib/) + endif() + + add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES}) + + target_include_directories( ${PREFIX} PRIVATE + ${CMAKE_CURRENT_BINARY_DIR} + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/gp + ${LOCAL_ROOT_PATH}/inc/enclave_inc + ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp + ${ITRUSTEE_TEEDIR}/include/TA + ${ITRUSTEE_TEEDIR}/include/TA/huawei_ext + ${ITRUSTEE_LIBC}/arch/aarch64 + ${ITRUSTEE_LIBC}/ + ${ITRUSTEE_LIBC}/arch/arm/bits + ${ITRUSTEE_LIBC}/arch/generic + ${ITRUSTEE_LIBC}/arch/arm + ${LOCAL_ROOT_PATH}/inc/enclave_inc/gp/itrustee) + + if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") + target_link_directories(${PREFIX} PRIVATE + ${CMAKE_BINARY_DIR}/lib/) + endif() + + foreach(WHITE_LIST ${WHITELIST}) + add_definitions(-D${WHITE_LIST}="${${WHITE_LIST}}") + endforeach(WHITE_LIST) + add_definitions(-DWHITE_LIST_OWNER="${WHITE_LIST_OWNER}") + + target_link_libraries(${PREFIX} -lsecgear_tee) + + add_custom_command(TARGET ${PREFIX} + POST_BUILD + COMMAND bash ${SIGN_TOOL} -d sign -x trustzone -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -m ${CMAKE_CURRENT_SOURCE_DIR}/manifest.txt + -e ${DEVICEPEM} -o ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT}) + + install(FILES ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${OUTPUT} + DESTINATION /data + PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) + + endif() + + if(CC_SGX) + set(SGX_DIR ${SGXSDK}) + set(CMAKE_C_FLAGS "${COMMON_C_FLAGS} -m64 -fvisibility=hidden") + set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS} -s") + set(LINK_LIBRARY_PATH ${SGX_DIR}/lib64) + + if(CC_SIM) + set(Trts_Library_Name sgx_trts_sim) + set(Service_Library_Name sgx_tservice_sim) + else() + set(Trts_Library_Name sgx_trts) + set(Service_Library_Name sgx_tservice) + endif() + + set(Crypto_Library_Name sgx_tcrypto) + + set(CMAKE_SHARED_LINKER_FLAGS "${COMMON_C_LINK_FLAGS} -Wl,-z,defs -Wl,-pie -Bstatic -Bsymbolic -eenclave_entry \ + 
-Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/Enclave.lds") + + if(${CMAKE_VERSION} VERSION_LESS "3.13.0") + link_directories(${LINK_LIBRARY_PATH}) + endif() + + add_library(${PREFIX} SHARED ${SOURCE_FILES} ${AUTO_FILES}) + + target_include_directories(${PREFIX} PRIVATE + ${CMAKE_CURRENT_BINARY_DIR} + ${SGX_DIR}/include/tlibc + ${SGX_DIR}/include/libcxx + ${SGX_DIR}/include + ${LOCAL_ROOT_PATH}/inc/host_inc + ${LOCAL_ROOT_PATH}/inc/host_inc/sgx) + + if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0") + target_link_directories(${PREFIX} PRIVATE + ${LINK_LIBRARY_PATH}) + endif() + + target_link_libraries(${PREFIX} -Wl,--whole-archive ${Trts_Library_Name} -Wl,--no-whole-archive + -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l${Crypto_Library_Name} -l${Service_Library_Name} -Wl,--end-group) + add_custom_command(TARGET ${PREFIX} + POST_BUILD + COMMAND umask 0177 + COMMAND openssl genrsa -3 -out ${PEM} 3072 + COMMAND bash ${SIGN_TOOL} -d sign -x sgx -i ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/lib${PREFIX}.so -k ${PEM} -o ${OUTPUT} -c ${CMAKE_CURRENT_SOURCE_DIR}/Enclave.config.xml) + endif() + + set_target_properties(${PREFIX} PROPERTIES SKIP_BUILD_RPATH TRUE) + ``` + + + +6. 编写配置文件 + + 针对使用 Intel SGX 的 x86_64 处理器架构,请编写 Enclave.config.xml 和 Enclave.lds 文件,置于安全侧 enclave 目录。文件的具体配置格式请参见 SGX 官方文档。 + + Enclave.config.xml 参考: + + ```c + + 0 + 0 + 0x40000 + 0x100000 + 10 + 1 + + 0 + 0 + 0xFFFFFFFF + + ``` + + Enclave.lds 参考: + + ```c + enclave.so + { + global: + g_global_data_sim; + g_global_data; + enclave_entry; + g_peak_heap_used; + local: + *; + }; + ``` + + 将设备公钥文件 rsa_public_key_cloud.pem 复制到 enclave 目录。此处的设备公钥用于使用临时生成的 aes 密钥对安全区动态库进行加密。 + + 说明:rsa_public_key_cloud.pem 文件下载路径:https://gitee.com/openeuler/secGear/blob/master/examples/helloworld/enclave/rsa_public_key_cloud.pem + + + +7. 
编译程序 + + SGX 版本编译命令如下,编译后将生成可执行程序 secgear_helloworld + + ```shell + cmake -DCMAKE_BUILD_TYPE=debug -DCC_SGX=ON -DSGXSDK="PATH" ./ && make + ``` + + + +8. 执行程序 + + ```c + $ ./secgear_helloworld + Create secgear enclave + secgear hello world! + ``` + + diff --git "a/docs/zh/docs/secGear/\346\216\245\345\217\243\345\217\202\350\200\203.md" "b/docs/zh/docs/secGear/\346\216\245\345\217\243\345\217\202\350\200\203.md" new file mode 100644 index 0000000000000000000000000000000000000000..9963adf01b16a8b93f79e386c9f08a920209b8c2 --- /dev/null +++ "b/docs/zh/docs/secGear/\346\216\245\345\217\243\345\217\202\350\200\203.md" 
@@ -0,0 +1,290 @@ +# 接口说明 + +secGear 机密计算统一编程框架分为安全侧和非安全侧,这里给出用户开发应用程序所需的接口。除这些接口外,安全侧还继承了 ARM TrustZone 和 Intel SGX 的开源 POSIC 接口。 + +## cc_enclave_create + +创建 enclave 接口 + +**功能**: + +初始化接口,函数根据不同 type,调用不同的 TEE 创建函数,完成不同 TEE 方案关于 enclave 上下文初始化,由非安全侧调用 + +**函数声明:** + +cc_enclave_result_t cc_enclave_create(const char* path, enclave_type_t type, uint32_t version,uint32_t flags,const enclave_features_t* features,uint32_t features_count, + cc_enclave_t ** enclave); + +**参数:** + +- Path:入参,要加载的 enclave 路径 +- Type:入参,用来指定 TEE 解决方案, 如 SGX_ENCLAVE_TYPE、GP_ENCLAVE_TYPE、AUTO_ENCLAVE_TYPE +- version:入参,指定的 enclave engine 的版本,目前只有一个版本,取值为 0。 +- Flags:入参,标志位,说明这个 enclave 运行状态,例如调试状态 SECGEAR_DEBUG_FLAG、模拟状态 SECGEAR_SIMULATE_FLAG(目前不支持) +- features:入参,用于设置一些关于 enclave 支持的特性,例如 SGX 的 PCL、 switchless 等。目前不支持,请设置为 NULL +- features_count:入参,入参 features 特性结构体的数量。目前不支持,请设置为 0 +- enclave:出参,创建的 enclave 上下文 + +**返回值:** + +- CE_SUCCESS:认证信息验证成功 +- CE_ERROR_INVALID_PARAMETER:输入参数有误 +- CE_ERROR_OUT_OF_MEMORY:无可用内存 +- CC_FAIL:通用错误 +- CC_ERROR_UNEXPECTED:不可预期错误 +- CC_ERROR_ENCLAVE_MAXIMUM:单个 app 创建的 enclave 数量达到最 +- CC_ERROR_INVALID_PATH:安全二进制路径无效 +- CC_ERROR_NO_FIND_REGFUNC:enclave 引擎搜索失败 + + + +## cc_enclave_destroy + +销毁 enclave 接口 + +**功能**: + +调用不同 TEE 的退出函数,释放已经创建的 enclave 实体,由非安全侧调用 + +**函数声明:** + +cc_enclave_result_t cc_enclave_destroy (cc_enclave_t ** enclave); + +**参数:** + +- enclave:入参,已经创建 enclave 的上下文 + +**返回值:** + +- CE_SUCCESS:认证信息验证成功 +- CE_ERROR_INVALID_PARAMETER:输入参数有误 +- CE_ERROR_OUT_OF_MEMORY:无可用内存 +- CC_ERROR_NO_FIND_UNREGFUNC:enclave引擎搜索失败 +- CC_FAIL:通用错误 +- CC_ERROR_UNEXPECTED:不可预期错误 + + + +## cc_enclave_generate_random + +随机数生成 + +**功能**: + +用于在安全侧生成密码安全的随机数 + +**函数声明:** + +cc_enclave_result_t cc_enclave_generate_random(void *buffer, size_t size) + +**参数:** + +- *buffer:入参,生成随机数的缓冲区 +- size:入参,缓冲区的长度 + +**返回值:** + +- CE_OK:认证信息验证成功 +- CE_ERROR_INVALID_PARAMETER:输入参数有误 +- CE_ERROR_OUT_OF_MEMORY:无可用内存 + + + +## cc_enclave_seal_data + +数据持久化 + +**功能**: + +用于加密 enclave 
内部数据,使数据可以在 enclave 外部持久化存储,由安全侧调用 + +**函数声明:** + +cc_enclave_result_t cc_enclave_seal_data(uint8_t *seal_data, uint32_t seal_data_len, + +​ cc_enclave_sealed_data_t *sealed_data, uint32_t sealed_data_len, + +​ uint8_t *additional_text, uint32_t additional_text_len) + +**参数:** + +- seal_data:入参,需要加密的数据 +- seal_data_len:入参,需要加密数据的长度 +- sealed_data:出参,加密后的数据处理句柄 +- sealed_data_len:出参,加密后的密文长度 +- additional_text:入参,加密所需的附加消息 +- additional_text_len:入参,附加消息长度 + +**返回值:** + +- CE_SUCCESS:数据加密成功 +- CE_ERROR_INVALID_PARAMETER:输入参数有误 +- CE_ERROR_OUT_OF_MEMORY:无可用内存 +- CC_ERROR_SHORT_BUFFER:传入的buffer过小 +- CC_ERROR_GENERIC:底层硬件通用错误 + +## cc_enclave_unseal_data + +数据解密 + +**功能**: + +用于解密 enclave 密封过的数据,用于将外部持久化数据重新导回 enclave 环境中,由安全侧调用 + +**函数声明:** + +cc_enclave_result_t cc_enclave_unseal_data(cc_enclave_sealed_data_t *sealed_data, + + uint8_t *decrypted_data, uint32_t *decrypted_data_len, + + uint8_t *additional_text, uint32_t *additional_text_len) + +**参数:** + +- sealed_data:入参,已加密数据的句柄 +- decrypted_data:出参,解密之后的密文数据buffer +- decrypted_data_len:出参,解密后密文长度 +- additional_text:出参,解密后附加消息 +- additional_text_len:出参,解密后附加消息长度 + +**返回值:** + +- CE_SUCCESS:数据解密成功 +- CE_ERROR_INVALID_PARAMETER:输入参数有误 +- CE_ERROR_OUT_OF_MEMORY:无可用内存 +- CC_ERROR_SHORT_BUFFER:传入的buffer过小 +- CC_ERROR_GENERIC:底层硬件通用错误 + +## cc_enclave_get_sealed_data_size + +获取加密数据的大小 + +**功能**: + +用于 sealed_data 数据的大小,主要用于分配解密后的数据空间,由安全侧与非安全侧皆可调用 + +**函数声明:** + +uint32_t cc_enclave_get_sealed_data_size(const uint32_t add_len, const uint32_t seal_data_len); + +**参数:** + +- add_len:入参,附加消息长度 +- sealed_data_len:入参,加密信息的长度 + +**返回值:** + +- UINT32_MAX:参数错误或函数执行错误 +- others:函数执行成功,返回值为当前 sealed_data 结构的大小 + +## cc_enclave_get_encrypted_text_size + +获取加密消息的长度 + +**功能**: + +获取加密数数据中加密消息的长度,由安全侧调用 + +**函数声明:** + +uint32_t cc_enclave_get_encrypted_text_size(const cc_enclave_sealed_data_t *sealed_data); + +**参数:** + +- sealed_data:入参,加密数据的句柄 + +**返回值:** + +- UINT32_MAX:参数错误或函数执行错误 +- others:函数执行成功,返回值为当前 sealed_data 中加密消息的长度 + + + 
+## cc_enclave_get_add_text_size + +获取附加消息的长度 + +**功能**: + +获取加密数数据中附加消息的长度,由安全侧调用 + +**函数声明:** + +uint32_t cc_enclave_get_add_text_size(const cc_enclave_sealed_data_t *sealed_data); + +**参数:** + +- sealed_data:入参,加密数据的句柄 + +**返回值:** + +- UINT32_MAX:参数错误或函数执行错误 +- others:函数执行成功,返回值为当前sealed_data中附加消息的长度 + + + +## cc_enclave_memory_in_enclave + +安全内存检查 + +**功能**: + +用于校验指定长度的内存地址是否都属于安全侧内存,由安全侧调用 + +**函数声明:** + +bool cc_enclave_memory_in_enclave(const void *addr, size_t size) + +**参数:** + +- *addr:入参,指定需要校验的内存地址 +- size:入参,自内存地址起需要校验的长度 + +**返回值:** + +- true:指定区域内存都在安全区范围内 +- false:指定区域的内存有部分或者全部不在安全范围内 + +## cc_enclave_memory_out_enclave + +安全内存检查 + +**功能**: + +用于校验指定长度的内存地址是否都属于非安全侧内存,由安全侧调用 + +**函数声明:** + +bool cc_enclave_memory_out_enclave(const void *addr, size_t size) + +**参数:** + +- *addr:入参,指定需要校验的内存地址 +- size:入参,自内存地址起需要校验的长度 + +**返回值:** + +- true:指定区域内存都在非安全区 +- false:指定区域的内存有部分或者全部在安全区 + +## PrintInfo + +消息打印 + +**功能**: + +用于安全侧日志的打印,本接口输出安全侧用户想打印的信息,输入日志保存在非安全侧/var/log/secgear/secgear.log中 + +**函数声明:** + +void PrintInfo(int level, const char *fmt, ...); + +**参数:** + +- level:入参,日志打印等级,可选项为PRINT_ERROR, PRINT_WARNING, PRINT_STRACE, PRINT_DEBUG +- fmt: 入参,需要输出的字符创 + + +**返回值:** + +- 无 \ No newline at end of file diff --git "a/docs/zh/docs/secGear/\350\256\244\350\257\206secGear.md" "b/docs/zh/docs/secGear/\350\256\244\350\257\206secGear.md" new file mode 100644 index 0000000000000000000000000000000000000000..4a56acb0f2de80efe486ba06e21a137f7d78f4dd --- /dev/null +++ "b/docs/zh/docs/secGear/\350\256\244\350\257\206secGear.md" 
@@ -0,0 +1,19 @@ +### 概述 + +随着云计算的快速发展,越来越多的企业把计算业务部署到云上,对数据的保护变得更加复杂,同时,数据泄露是云计算面临的重大安全问题。因此,如何保障用户数据在云上的安全变得尤为重要。当前对数据的保护通常注重离线存储安全和网络传输安全,缺乏对数据运行时的安全防护。为了保障云端数据运行时的安全性,方便开发者开发云上应用,openEuler 推出了 secGear 。 + +secGear 是统一机密计算编程框架,提供了易用的开发套件,包括安全区(使用 secGear 编程会将系统区分为安全区域和非安全区域) 生命周期管理、安全开发库、代码辅助生成工具、代码构建与签名工具、安全能力和安全服务组件实现方案。可用于信任环、密态数据库、多方计算、AI安全保护等多种场景。 + +本文档介绍 secGear 的使用方法,以便指导开发者基于 secGear 开发应用程序,从而更好地保护数据。 + +### 架构介绍 + +![](./figures/architecture.png) + +如图所示,secGear 主题包含三个层级(当前仅开源基础层 Base Layer,服务层和中间件层逐步开源): + +- 服务层:提供完整的运行在安全侧的安全服务。 + +- 中间件层:提供一套协议接口,满足用户基本安全应用。 + +- 基础层:提供丰富的 enclave 开发接口或工具,并且在安全侧支持 C POSIX APIs 和标准 OpenSSL 接口,用户基于这些接口可以自由开发安全应用程序 。 \ No newline at end of file diff --git a/docs/zh/docs/thirdparty_migration/OpenStack-victoria.md b/docs/zh/docs/thirdparty_migration/OpenStack-victoria.md new file mode 100644 index 0000000000000000000000000000000000000000..c0e529b7843242300b89e033596214612d7ebac1 --- /dev/null +++ b/docs/zh/docs/thirdparty_migration/OpenStack-victoria.md 
@@ -0,0 +1,1746 @@ + + +# OpenStack-Victoria 部署指南 + +## OpenStack 简介 + +OpenStack 是一个社区,也是一个项目。它提供了一个部署云的操作平台或工具集,为组织提供可扩展的、灵活的云计算。 + +作为一个开源的云计算管理平台,OpenStack 由nova、cinder、neutron、glance、keystone、horizon等几个主要的组件组合起来完成具体工作。OpenStack 支持几乎所有类型的云环境,项目目标是提供实施简单、可大规模扩展、丰富、标准统一的云计算管理平台。OpenStack 通过各种互补的服务提供了基础设施即服务(IaaS)的解决方案,每个服务提供 API 进行集成。 + +openEuler 21.03 版本的官方 yum 源已经支持 Openstack-Victoria 版本,用户可以配置好官方 yum 源后根据此文档进行 OpenStack 部署。 + + +## 准备环境 +### 环境配置 + +在`/etc/hosts`中添加controller信息,例如节点IP是`10.0.0.11`,则新增: + +```shell +10.0.0.11 controller +``` + +### 安装 SQL DataBase + +1. 执行如下命令,安装软件包。 + + ```plain + # yum install mariadb mariadb-server python-PyMySQL + ``` +2. 执行如下命令,创建并编辑 `/etc/my.cnf.d/openstack.cnf` 文件。 + ``` + vim /etc/my.cnf.d/openstack.cnf + ``` + 复制如下内容到文件,其中 bind-address 设置为控制节点的管理IP地址。 + ``` + [mysqld] + bind-address = 10.0.0.11 + default-storage-engine = innodb + innodb_file_per_table = on + max_connections = 4096 + collation-server = utf8_general_ci + character-set-server = utf8 + ``` + +3. 启动 DataBase 服务,并为其配置开机自启动: + + ``` + # systemctl enable mariadb.service + # systemctl start mariadb.service + ``` + +### 安装 RabbitMQ + +1. 执行如下命令,安装软件包。 + + ``` + #yum install rabbitmq-server + ``` + +2. 启动 RabbitMQ 服务,并为其配置开机自启动。 + + ``` + #systemctl enable rabbitmq-server.service + #systemctl start rabbitmq-server.service + ``` +3. 添加 OpenStack用户。 + + ``` + #rabbitmqctl add_user openstack RABBIT_PASS + ``` +4. 替换 RABBIT_PASS,为OpenStack用户设置密码 + +5. 设置openstack用户权限,允许进行配置、写、读: + + ``` + #rabbitmqctl set_permissions openstack ".*" ".*" ".*" + ``` + +### 安装 Memcached + +1. 执行如下命令,安装依赖软件包。 + + ``` + #yum install memcached python3-memcached + ``` +2. 执行如下命令,编辑 `/etc/sysconfig/memcached` 文件。 + + ``` + #vim /etc/sysconfig/memcached + OPTIONS="-l 127.0.0.1,::1,controller" + ``` + OPTIONS 修改为实际环境中控制节点的管理IP地址。 + +3. 
执行如下命令,启动 Memcached 服务,并为其配置开机启动。 + + ``` + # systemctl enable memcached.service + # systemctl start memcached.service + ``` + +## 安装 OpenStack + +### 安装 Keystone + +1. 以 root 用户访问数据库,创建 keystone 数据库并授权。 + + ``` + # mysql -u root -p + MariaDB [(none)]> CREATE DATABASE keystone; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ + IDENTIFIED BY 'KEYSTONE_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ + IDENTIFIED BY 'KEYSTONE_DBPASS'; + MariaDB [(none)]> exit + ``` + 替换 KEYSTONE_DBPASS,为 Keystone 数据库设置密码 + +2. 执行如下命令,安装软件包。 + + ``` + #yum install openstack-keystone httpd mod_wsgi + ``` +3. 配置keystone,编辑 `/etc/keystone/keystone.conf` 文件。在[database]部分,配置数据库入口。在[token]部分,配置token provider + + ``` + # vim /etc/keystone/keystone.conf + [database] + connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone + [token] + provider = fernet + ``` + 替换KEYSTONE_DBPASS为Keystone数据库的密码 + +4. 执行如下命令,同步数据库。 + + ``` + su -s /bin/sh -c "keystone-manage db_sync" keystone + ``` +5. 执行如下命令,初始化Fernet密钥仓库。 + + ``` + # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone + # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone + ``` +6. 执行如下命令,启动身份服务。 + + ``` + # keystone-manage bootstrap --bootstrap-password ADMIN_PASS \ + --bootstrap-admin-url http://controller:5000/v3/ \ + --bootstrap-internal-url http://controller:5000/v3/ \ + --bootstrap-public-url http://controller:5000/v3/ \ + --bootstrap-region-id RegionOne + ``` + 替换 ADMIN_PASS,为 admin 用户设置密码。 + +7. 编辑 `/etc/httpd/conf/httpd.conf` 文件,配置Apache HTTP server + + ``` + #vim /etc/httpd/conf/httpd.conf + ``` + + 配置 ServerName 项引用控制节点,如下所示。 + ``` + ServerName controller + ``` + + 如果 ServerName 项不存在则需要创建。 + +8. 执行如下命令,为 `/usr/share/keystone/wsgi-keystone.conf` 文件创建链接。 + + ``` + #ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ + + #vim /etc/httpd/conf.d/wsgi-keystone.conf + ``` + +9. 
完成安装,执行如下命令,启动Apache HTTP服务。 + + ``` + # systemctl enable httpd.service + # systemctl start httpd.service + ``` + +10. 执行如下命令,设置环境变量。 + + ``` + $ export OS_USERNAME=admin + $ export OS_PASSWORD=ADMIN_PASS + $ export OS_PROJECT_NAME=admin + $ export OS_USER_DOMAIN_NAME=Default + $ export OS_PROJECT_DOMAIN_NAME=Default + $ export OS_AUTH_URL=http://controller:5000/v3 + $ export OS_IDENTITY_API_VERSION=3 + ``` + 替换 ADMIN_PASS 为 keystone-manage bootstrap 命令中设置的密码 + +11. 分别执行如下命令,创建domain, projects, users, roles。 + + 创建domain ‘example’: + + ``` + $ openstack domain create --description "An Example Domain" example + ``` + + 注:domain ‘default’在 keystone-manage bootstrap 时已创建 + + 创建project ‘service’: + + ``` + $ openstack project create --domain default --description "Service Project" service + ``` + + 创建(non-admin)project ’myproject‘,user ’myuser‘ 和 role ’myrole‘,为‘myproject’和‘myuser’添加角色‘myrole’: + + ``` + $ openstack project create --domain default --description "Demo Project" myproject + $ openstack user create --domain default --password-prompt myuser + $ openstack role create myrole + $ openstack role add --project myproject --user myuser myrole + ``` +12. 验证 + + 取消临时环境变量OS_AUTH_URL和OS_PASSWORD: + + ``` + $ unset OS_AUTH_URL OS_PASSWORD + ``` + + 为admin用户请求token: + + ``` + $ openstack --os-auth-url http://controller:5000/v3 \ + --os-project-domain-name Default --os-user-domain-name Default \ + --os-project-name admin --os-username admin token issue + ``` + + 为myuser用户请求token: + + ``` + $ openstack --os-auth-url http://controller:5000/v3 \ + --os-project-domain-name Default --os-user-domain-name Default \ + --os-project-name myproject --os-username myuser token issue + ``` + +13. 
创建 OpenStack client 环境脚本 + + 分别为admin和demo用户创建环境变量脚本: + + ``` + # vim admin-openrc + export OS_PROJECT_DOMAIN_NAME=Default + export OS_USER_DOMAIN_NAME=Default + export OS_PROJECT_NAME=admin + export OS_USERNAME=admin + export OS_PASSWORD=ADMIN_PASS + export OS_AUTH_URL=http://controller:5000/v3 + export OS_IDENTITY_API_VERSION=3 + export OS_IMAGE_API_VERSION=2 + # + ``` + ``` + # vim demo-openrc + export OS_PROJECT_DOMAIN_NAME=Default + export OS_USER_DOMAIN_NAME=Default + export OS_PROJECT_NAME=myproject + export OS_USERNAME=myuser + export OS_PASSWORD=DEMO_PASS + export OS_AUTH_URL=http://controller:5000/v3 + export OS_IDENTITY_API_VERSION=3 + export OS_IMAGE_API_VERSION=2 + ``` + 替换ADMIN_PASS为admin用户的密码 + + 替换DEMO_PASS为myuser用户的密码 + + 运行脚本加载环境变量: + + ``` + $ source admin-openrc + ``` + +### Glance安装 + +1. 创建数据库、服务凭证和 API 端点 + + 创建数据库: + + 以 root 用户访问数据库,创建 glance 数据库并授权。 + + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE glance; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \ + IDENTIFIED BY 'GLANCE_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \ + IDENTIFIED BY 'GLANCE_DBPASS'; + MariaDB [(none)]> exit + ``` + + 替换 GLANCE_DBPASS,为 glance 数据库设置密码。 + + ``` + $ source admin-openrc + ``` + + 执行以下命令,分别完成创建 glance 服务凭证、创建glance用户和添加‘admin’角色到用户‘glance’。 + + ``` + $ openstack user create --domain default --password-prompt glance + $ openstack role add --project service --user glance admin + $ openstack service create --name glance --description "OpenStack Image" image + ``` + 创建镜像服务API端点: + + ``` + $ openstack endpoint create --region RegionOne image public http://controller:9292 + $ openstack endpoint create --region RegionOne image internal http://controller:9292 + $ openstack endpoint create --region RegionOne image admin http://controller:9292 + ``` + +2. 
安装和配置 + + 安装软件包: + + ``` + #yum install openstack-glance openstack-glance-api + ``` + 配置glance: + + 编辑 /etc/glance/glance-api.conf 文件: + + 在[database]部分,配置数据库入口 + + 在[keystone_authtoken] [paste_deploy]部分,配置身份认证服务入口 + + 在[glance_store]部分,配置本地文件系统存储和镜像文件的位置 + + ``` + # vim /etc/glance/glance-api.conf + [database] + # ... + connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance + [keystone_authtoken] + # ... + www_authenticate_uri = http://controller:5000 + auth_url = http://controller:5000 + memcached_servers = controller:11211 + auth_type = password + project_domain_name = Default + user_domain_name = Default + project_name = service + username = glance + password = GLANCE_PASS + [paste_deploy] + # ... + flavor = keystone + [glance_store] + # ... + stores = file,http + default_store = file + filesystem_store_datadir = /var/lib/glance/images/ + ``` + + 其中,替换 GLANCE_DBPASS 为 glance 数据库的密码,替换 GLANCE_PASS 为 glance 用户的密码。 + + 同步数据库: + + ``` + su -s /bin/sh -c "glance-manage db_sync" glance + ``` + 启动镜像服务: + + ``` + # systemctl enable openstack-glance-api.service + # systemctl start openstack-glance-api.service + ``` +3. 验证 + + 下载镜像 + ``` + $ source admin-openrc + # 注意:如果您使用的环境是鲲鹏架构,请下载arm64版本的镜像。 + $ wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img + ``` + + 向Image服务上传镜像: + + ``` + $ glance image-create --name "cirros" --file cirros-0.4.0-x86_64-disk.img --disk-format qcow2 --container-format bare --visibility=public + ``` + + 确认镜像上传并验证属性: + + ``` + $ glance image-list + ``` +### Placement安装 + +1. 
创建数据库、服务凭证和 API 端点 + + 创建数据库: + + 作为 root 用户访问数据库,创建 placement 数据库并授权。 + + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE placement; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'localhost' \ + IDENTIFIED BY 'PLACEMENT_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'%' \ + IDENTIFIED BY 'PLACEMENT_DBPASS'; + MariaDB [(none)]> exit + ``` + 替换 PLACEMENT_DBPASS,为 placement 数据库设置密码 + + ``` + $ source admin-openrc + ``` + 执行如下命令,创建 placement 服务凭证、创建 placement 用户以及添加‘admin’角色到用户‘placement’。 + + 创建Placement API服务 + + ``` + $ openstack user create --domain default --password-prompt placement + $ openstack role add --project service --user placement admin + $ openstack service create --name placement --description "Placement API" placement + ``` + 创建placement服务API端点: + + ``` + $ openstack endpoint create --region RegionOne placement public http://controller:8778 + $ openstack endpoint create --region RegionOne placement internal http://controller:8778 + $ openstack endpoint create --region RegionOne placement admin http://controller:8778 + ``` +2. 安装和配置 + + 安装软件包: + + ``` + yum install openstack-placement-api + ``` + 配置placement: + + 编辑 /etc/placement/placement.conf 文件: + + 在[placement_database]部分,配置数据库入口 + + 在[api] [keystone_authtoken]部分,配置身份认证服务入口 + + ``` + # vim /etc/placement/placement.conf + [placement_database] + # ... + connection = mysql+pymysql://placement:PLACEMENT_DBPASS@controller/placement + [api] + # ... + auth_strategy = keystone + [keystone_authtoken] + # ... 
+ auth_url = http://controller:5000/v3 + memcached_servers = controller:11211 + auth_type = password + project_domain_name = Default + user_domain_name = Default + project_name = service + username = placement + password = PLACEMENT_PASS + ``` + 其中,替换 PLACEMENT_DBPASS 为 placement 数据库的密码,替换 PLACEMENT_PASS 为 placement 用户的密码。 + + 同步数据库: + + ``` + #su -s /bin/sh -c "placement-manage db sync" placement + ``` + 启动httpd服务: + + ``` + #systemctl restart httpd + ``` +3. 验证 + + 执行如下命令,执行状态检查: + ``` + $ . admin-openrc + $ placement-status upgrade check + ``` + + 安装osc-placement,列出可用的资源类别及特性: + + ``` + $ yum install python3-osc-placement + $ openstack --os-placement-api-version 1.2 resource class list --sort-column name + $ openstack --os-placement-api-version 1.6 trait list --sort-column name + ``` +### Nova 安装 + +1. 创建数据库、服务凭证和 API 端点 + + 创建数据库: + + 作为root用户访问数据库,创建nova、nova_api、nova_cell0 数据库并授权 + + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE nova_api; + MariaDB [(none)]> CREATE DATABASE nova; + MariaDB [(none)]> CREATE DATABASE nova_cell0; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' \ + IDENTIFIED BY 'NOVA_DBPASS'; + MariaDB [(none)]> exit + ``` + 替换NOVA_DBPASS,为nova数据库设置密码 + + 执行如下命令,完成创建nova服务凭证、创建nova用户以及添加‘admin’角色到用户‘nova’。 + + ``` + $ . 
admin-openrc + $ openstack user create --domain default --password-prompt nova + $ openstack role add --project service --user nova admin + $ openstack service create --name nova --description "OpenStack Compute" compute + ``` + + 创建计算服务API端点: + + ``` + $ openstack endpoint create --region RegionOne compute public http://controller:8774/v2.1 + $ openstack endpoint create --region RegionOne compute internal http://controller:8774/v2.1 + $ openstack endpoint create --region RegionOne compute admin http://controller:8774/v2.1 + ``` + +2. 安装和配置 + + 安装软件包: + + ``` + # yum install openstack-nova-api openstack-nova-conductor \ + openstack-nova-novncproxy openstack-nova-scheduler openstack-nova-compute + ``` + + 配置nova: + + 编辑 /etc/nova/nova.conf 文件: + + 在[default]部分,启用计算和元数据的API,配置RabbitMQ消息队列入口,配置my_ip; + + 在[api_database] [database]部分,配置数据库入口; + + 在[api] [keystone_authtoken]部分,配置身份认证服务入口; + + 在[vnc]部分,启用并配置远程控制台入口; + + 在[glance]部分,配置镜像服务API的地址; + + 在[oslo_concurrency]部分,配置lock path; + + 在[placement]部分,配置placement服务的入口。 + + ``` + # vim /etc/nova/nova.conf + [DEFAULT] + # ... + enabled_apis = osapi_compute,metadata + transport_url = rabbit://openstack:RABBIT_PASS@controller:5672/ + my_ip = 10.0.0.11 + [api_database] + # ... + connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova_api + [database] + # ... + connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova + [api] + # ... + auth_strategy = keystone + [keystone_authtoken] + # ... + www_authenticate_uri = http://controller:5000/ + auth_url = http://controller:5000/ + memcached_servers = controller:11211 + auth_type = password + project_domain_name = Default + user_domain_name = Default + project_name = service + username = nova + password = NOVA_PASS + [vnc] + enabled = true + # ... + server_listen = $my_ip + server_proxyclient_address = $my_ip + novncproxy_base_url = http://controller:6080/vnc_auto.html + [glance] + # ... + api_servers = http://controller:9292 + [oslo_concurrency] + # ... 
+ lock_path = /var/lib/nova/tmp + [placement] + # ... + region_name = RegionOne + project_domain_name = Default + project_name = service + auth_type = password + user_domain_name = Default + auth_url = http://controller:5000/v3 + username = placement + password = PLACEMENT_PASS + [neutron] + # ... + auth_url = http://controller:5000 + auth_type = password + project_domain_name = default + user_domain_name = default + region_name = RegionOne + project_name = service + username = neutron + password = NEUTRON_PASS + ``` + + 替换RABBIT_PASS为RabbitMQ中openstack账户的密码; + + 配置my_ip为控制节点的管理IP地址; + + 替换NOVA_DBPASS为nova数据库的密码; + + 替换NOVA_PASS为nova用户的密码; + + 替换PLACEMENT_PASS为placement用户的密码; + + 替换NEUTRON_PASS为neutron用户的密码; + + 同步nova-api数据库: + + ``` + su -s /bin/sh -c "nova-manage api_db sync" nova + ``` + 注册cell0数据库: + + ``` + su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova + ``` + 创建cell1 cell: + + ``` + su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova + ``` + 同步nova数据库: + + ``` + su -s /bin/sh -c "nova-manage db sync" nova + ``` + 验证cell0和cell1注册正确: + + ``` + su -s /bin/sh -c "nova-manage cell_v2 list_cells" nova + ``` + 确定是否支持虚拟机硬件加速(x86架构): + + ``` + $ egrep -c '(vmx|svm)' /proc/cpuinfo + ``` + + 如果返回值为0则不支持硬件加速,需要配置libvirt使用QEMU而不是KVM: + + ``` + # vim /etc/nova/nova.conf + [libvirt] + # ... + virt_type = qemu + ``` + 如果返回值为1或更大的值,则支持硬件加速,不需要进行额外的配置 + + 启动计算服务及其依赖项,并配置其开机启动: + + ``` + # systemctl enable \ + openstack-nova-api.service \ + openstack-nova-scheduler.service \ + openstack-nova-conductor.service \ + openstack-nova-novncproxy.service + # systemctl start \ + openstack-nova-api.service \ + openstack-nova-scheduler.service \ + openstack-nova-conductor.service \ + openstack-nova-novncproxy.service + ``` + ``` + # systemctl enable libvirtd.service openstack-nova-compute.service + # systemctl start libvirtd.service openstack-nova-compute.service + ``` + 添加计算节点到cell数据库: + + 确认计算节点存在: + + ``` + $ . 
admin-openrc + $ openstack compute service list --service nova-compute + ``` + 注册计算节点: + + ``` + #su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova + ``` +3. 验证 + + ``` + $ . admin-openrc + ``` + 列出服务组件,验证每个流程都成功启动和注册: + + ``` + $ openstack compute service list + ``` + + 列出身份服务中的API端点,验证与身份服务的连接: + + ``` + $ openstack catalog list + ``` + + 列出镜像服务中的镜像,验证与镜像服务的连接: + + ``` + $ openstack image list + ``` + + 检查cells和placement API是否运作成功,以及其他必要条件是否已具备。 + + ``` + #nova-status upgrade check + ``` + +### Neutron安装 + +1. 创建数据库、服务凭证和 API 端点 + + 创建数据库: + + 作为root用户访问数据库,创建 neutron 数据库并授权。 + + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE neutron; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ + IDENTIFIED BY 'NEUTRON_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ + IDENTIFIED BY 'NEUTRON_DBPASS'; + MariaDB [(none)]> exit + ``` + 替换NEUTRON_DBPASS,为neutron数据库设置密码。 + + ``` + $ . admin-openrc + ``` + 执行如下命令,完成创建 neutron 服务凭证、创建neutron用户和添加‘admin’角色到‘neutron’用户操作。 + + 创建neutron服务 + + ``` + $ openstack user create --domain default --password-prompt neutron + $ openstack role add --project service --user neutron admin + $ openstack service create --name neutron --description "OpenStack Networking" network + ``` + 创建网络服务API端点: + + ``` + $ openstack endpoint create --region RegionOne network public http://controller:9696 + $ openstack endpoint create --region RegionOne network internal http://controller:9696 + $ openstack endpoint create --region RegionOne network admin http://controller:9696 + ``` +2. 
安装和配置 Self-service 网络 + + 安装软件包: + + ``` + # yum install openstack-neutron openstack-neutron-ml2 \ + openstack-neutron-linuxbridge ebtables ipset + ``` + 配置neutron: + + 编辑 /etc/neutron/neutron.conf 文件: + + 在[database]部分,配置数据库入口; + + 在[default]部分,启用ml2插件和router插件,允许ip地址重叠,配置RabbitMQ消息队列入口; + + 在[default] [keystone]部分,配置身份认证服务入口; + + 在[default] [nova]部分,配置网络来通知计算网络拓扑的变化; + + 在[oslo_concurrency]部分,配置lock path。 + + ``` + # vim /etc/neutron/neutron.conf + [database] + # ... + connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron + [DEFAULT] + # ... + core_plugin = ml2 + service_plugins = router + allow_overlapping_ips = true + transport_url = rabbit://openstack:RABBIT_PASS@controller + auth_strategy = keystone + notify_nova_on_port_status_changes = true + notify_nova_on_port_data_changes = true + [keystone_authtoken] + # ... + www_authenticate_uri = http://controller:5000 + auth_url = http://controller:5000 + memcached_servers = controller:11211 + auth_type = password + project_domain_name = default + user_domain_name = default + project_name = service + username = neutron + password = NEUTRON_PASS + [nova] + # ... + auth_url = http://controller:5000 + auth_type = password + project_domain_name = default + user_domain_name = default + region_name = RegionOne + project_name = service + username = nova + password = NOVA_PASS + [oslo_concurrency] + # ... + lock_path = /var/lib/neutron/tmp + ``` + + 替换NEUTRON_DBPASS为neutron数据库的密码; + + 替换RABBIT_PASS为RabbitMQ中openstack账户的密码; + + 替换NEUTRON_PASS为neutron用户的密码; + + 替换NOVA_PASS为nova用户的密码。 + + 配置ML2插件: + + 编辑 /etc/neutron/plugins/ml2/ml2_conf.ini 文件: + + 在[ml2]部分,启用 flat、vlan、vxlan 网络,启用网桥及 layer-2 population 机制,启用端口安全扩展驱动; + + 在[ml2_type_flat]部分,配置 flat 网络为 provider 虚拟网络; + + 在[ml2_type_vxlan]部分,配置 VXLAN 网络标识符范围; + + 在[securitygroup]部分,配置允许 ipset。 + + ``` + # vim /etc/neutron/plugins/ml2/ml2_conf.ini + [ml2] + # ... 
+ type_drivers = flat,vlan,vxlan + tenant_network_types = vxlan + mechanism_drivers = linuxbridge,l2population + extension_drivers = port_security + [ml2_type_flat] + # ... + flat_networks = provider + [ml2_type_vxlan] + # ... + vni_ranges = 1:1000 + [securitygroup] + # ... + enable_ipset = true + ``` + 配置 Linux bridge 代理: + + 编辑 /etc/neutron/plugins/ml2/linuxbridge_agent.ini 文件: + + 在[linux_bridge]部分,映射 provider 虚拟网络到物理网络接口; + + 在[vxlan]部分,启用 vxlan 覆盖网络,配置处理覆盖网络的物理网络接口 IP 地址,启用 layer-2 population; + + 在[securitygroup]部分,允许安全组,配置 linux bridge iptables 防火墙驱动。 + + ``` + # vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini + [linux_bridge] + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME + [vxlan] + enable_vxlan = true + local_ip = OVERLAY_INTERFACE_IP_ADDRESS + l2_population = true + [securitygroup] + # ... + enable_security_group = true + firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver + ``` + 替换PROVIDER_INTERFACE_NAME为物理网络接口; + + 替换OVERLAY_INTERFACE_IP_ADDRESS为控制节点的管理IP地址。 + + 配置Layer-3代理: + + 编辑 /etc/neutron/l3_agent.ini 文件: + + 在[default]部分,配置接口驱动为linuxbridge + + ``` + # vim /etc/neutron/l3_agent.ini + [DEFAULT] + # ... + interface_driver = linuxbridge + ``` + 配置DHCP代理: + + 编辑 /etc/neutron/dhcp_agent.ini 文件: + + 在[default]部分,配置linuxbridge接口驱动、Dnsmasq DHCP驱动,启用隔离的元数据。 + + ``` + # vim /etc/neutron/dhcp_agent.ini + [DEFAULT] + # ... + interface_driver = linuxbridge + dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq + enable_isolated_metadata = true + ``` + 配置metadata代理: + + 编辑 /etc/neutron/metadata_agent.ini 文件: + + 在[default]部分,配置元数据主机和shared secret。 + + ``` + # vim /etc/neutron/metadata_agent.ini + [DEFAULT] + # ... + nova_metadata_host = controller + metadata_proxy_shared_secret = METADATA_SECRET + ``` + 替换METADATA_SECRET为合适的元数据代理secret。 + +3. 配置计算服务 + + 编辑 /etc/nova/nova.conf 文件: + + 在[neutron]部分,配置访问参数,启用元数据代理,配置secret。 + + ``` + # vim /etc/nova/nova.conf + [neutron] + # ... 
+ auth_url = http://controller:5000 + auth_type = password + project_domain_name = default + user_domain_name = default + region_name = RegionOne + project_name = service + username = neutron + password = NEUTRON_PASS + service_metadata_proxy = true + metadata_proxy_shared_secret = METADATA_SECRET + ``` + 替换NEUTRON_PASS为neutron用户的密码; + + 替换METADATA_SECRET为合适的元数据代理secret。 + +4. 完成安装 + + 添加链接: + + ``` + #ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini + ``` + 同步数据库: + + ``` + # su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \ + --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron + ``` + 重启计算API服务: + + ``` + #systemctl restart openstack-nova-api.service + ``` + 启动网络服务并配置开机启动: + + ``` + # systemctl enable neutron-server.service \ + neutron-linuxbridge-agent.service neutron-dhcp-agent.service \ + neutron-metadata-agent.service + # systemctl start neutron-server.service \ + neutron-linuxbridge-agent.service neutron-dhcp-agent.service \ + neutron-metadata-agent.service + # systemctl enable neutron-l3-agent.service + # systemctl start neutron-l3-agent.service + ``` +5. 验证 + + 列出代理验证 neutron 代理启动成功: + + ``` + $ openstack network agent list + ``` +### Cinder 安装 + + +1. 
创建数据库、服务凭证和 API 端点 + + 创建数据库: + + 作为root用户访问数据库,创建cinder数据库并授权。 + + ``` + $ mysql -u root -p + MariaDB [(none)]> CREATE DATABASE cinder; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' \ + IDENTIFIED BY 'CINDER_DBPASS'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' \ + IDENTIFIED BY 'CINDER_DBPASS'; + MariaDB [(none)]> exit + ``` + 替换CINDER_DBPASS,为cinder数据库设置密码。 + + ``` + $ source admin-openrc + ``` + + 创建cinder服务凭证: + + 创建cinder用户 + + 添加‘admin’角色到用户‘cinder’ + + 创建cinderv2和cinderv3服务 + + ``` + $ openstack user create --domain default --password-prompt cinder + $ openstack role add --project service --user cinder admin + $ openstack service create --name cinderv2 --description "OpenStack Block Storage" volumev2 + $ openstack service create --name cinderv3 --description "OpenStack Block Storage" volumev3 + ``` + 创建块存储服务API端点: + + ``` + $ openstack endpoint create --region RegionOne volumev2 public http://controller:8776/v2/%s + $ openstack endpoint create --region RegionOne volumev2 internal http://controller:8776/v2/%s + $ openstack endpoint create --region RegionOne volumev2 admin http://controller:8776/v2/%s + $ openstack endpoint create --region RegionOne volumev3 public http://controller:8776/v3/%s + $ openstack endpoint create --region RegionOne volumev3 internal http://controller:8776/v3/%s + $ openstack endpoint create --region RegionOne volumev3 admin http://controller:8776/v3/%s + ``` +2. 安装和配置控制节点 + + 安装软件包: + + ``` + #yum install openstack-cinder + ``` + 配置cinder: + + 编辑 /etc/cinder/cinder.conf 文件: + + 在[database]部分,配置数据库入口; + + 在[DEFAULT]部分,配置RabbitMQ消息队列入口,配置my_ip; + + 在[DEFAULT] [keystone_authtoken]部分,配置身份认证服务入口; + + 在[oslo_concurrency]部分,配置lock path。 + + ``` + # vim /etc/cinder/cinder.conf + [database] + # ... + connection = mysql+pymysql://cinder:CINDER_DBPASS@controller/cinder + [DEFAULT] + # ... 
+ transport_url = rabbit://openstack:RABBIT_PASS@controller + auth_strategy = keystone + my_ip = 10.0.0.11 + [keystone_authtoken] + # ... + www_authenticate_uri = http://controller:5000 + auth_url = http://controller:5000 + memcached_servers = controller:11211 + auth_type = password + project_domain_name = default + user_domain_name = default + project_name = service + username = cinder + password = CINDER_PASS + [oslo_concurrency] + # ... + lock_path = /var/lib/cinder/tmp + ``` + 替换CINDER_DBPASS为cinder数据库的密码; + + 替换RABBIT_PASS为RabbitMQ中openstack账户的密码; + + 配置my_ip为控制节点的管理IP地址; + + 替换CINDER_PASS为cinder用户的密码; + + 同步数据库: + + ``` + su -s /bin/sh -c "cinder-manage db sync" cinder + ``` + 配置计算使用块存储: + + 编辑 /etc/nova/nova.conf 文件。 + + ``` + # vim /etc/nova/nova.conf + [cinder] + os_region_name = RegionOne + ``` + 完成安装: + + 重启计算API服务 + + ``` + systemctl restart openstack-nova-api.service + ``` + 启动块存储服务 + + ``` + # systemctl enable openstack-cinder-api.service openstack-cinder-scheduler.service + # systemctl start openstack-cinder-api.service openstack-cinder-scheduler.service + ``` +3. 安装和配置存储节点 + + 安装软件包: + + ``` + yum install lvm2 device-mapper-persistent-data targetcli python-keystone + ``` + 启动服务: + + ``` + # systemctl enable lvm2-lvmetad.service + # systemctl start lvm2-lvmetad.service + ``` + 创建LVM物理卷 /dev/sdb: + + ``` + pvcreate /dev/sdb + ``` + 创建LVM卷组 cinder-volumes: + + ``` + vgcreate cinder-volumes /dev/sdb + ``` + 编辑 /etc/lvm/lvm.conf 文件: + + 在devices部分,添加过滤以接受/dev/sdb设备拒绝其他设备。 + + devices { + + ... + + filter = [ "a/sdb/", "r/.*/"] + + 编辑 /etc/cinder/cinder.conf 文件: + + 在[lvm]部分,使用LVM驱动、cinder-volumes卷组、iSCSI协议和适当的iSCSI服务配置LVM后端。 + + 在[DEFAULT]部分,启用LVM后端,配置镜像服务API的位置。 + + ``` + [lvm] + volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver + volume_group = cinder-volumes + target_protocol = iscsi + target_helper = lioadm + [DEFAULT] + # ... 
+ enabled_backends = lvm + glance_api_servers = http://controller:9292 + ``` + 完成安装: + + ``` + # systemctl enable openstack-cinder-volume.service target.service + # systemctl start openstack-cinder-volume.service target.service + ``` +4. 安装和配置备份服务 + + 编辑 /etc/cinder/cinder.conf 文件: + + 在[DEFAULT]部分,配置备份选项 + + ``` + [DEFAULT] + # ... + # 注意: openEuler 21.03中没有提供OpenStack Swift软件包,需要用户自行安装。或者使用其他的备份后端,例如,NFS。NFS已经过测试验证,可以正常使用。 + backup_driver = cinder.backup.drivers.swift.SwiftBackupDriver + backup_swift_url = SWIFT_URL + ``` + 替换SWIFT_URL为对象存储服务的URL,该URL可以通过对象存储API端点找到: + + ``` + $ openstack catalog show object-store + ``` + 完成安装: + + ``` + # systemctl enable openstack-cinder-backup.service + # systemctl start openstack-cinder-backup.service + ``` +5. 验证 + + 列出服务组件验证每个步骤成功: + ``` + $ source admin-openrc + $ openstack volume service list + ``` + + 注:目前暂未对swift组件进行支持,有条件的同学可以配置对接ceph。 + +### horizon 安装 + +1. 安装软件包 + + ```plain + yum install openstack-horizon + ``` +2. 修改文件`/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py` + + 修改变量 + + ```plain + ALLOWED_HOSTS = ['*', ] + OPENSTACK_HOST = "controller" + OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST + ``` + 新增变量 + ```plain + OPENSTACK_API_VERSIONS = { + "identity": 3, + "image": 2, + "volume": 3, + } + WEBROOT = "/dashboard/" + COMPRESS_OFFLINE = True + OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default" + OPENSTACK_KEYSTONE_DEFAULT_ROLE = "admin" + LOGIN_URL = '/dashboard/auth/login/' + LOGOUT_URL = '/dashboard/auth/logout/' + ``` +3. 在/usr/share/openstack-dashboard目录下执行 + ```plain + ./manage.py compress + ``` +4. 重启 httpd 服务 + ```plain + systemctl restart httpd + ``` +5. 验证 + 打开浏览器,输入网址http://,登录 horizon。 + +### Tempest 安装 + +Tempest是OpenStack的集成测试服务,如果用户需要全面自动化测试已安装的OpenStack环境的功能,则推荐使用该组件。否则,可以不用安装 + +1. 安装Tempest + ``` + yum install openstack-tempest + ``` +2. 初始化目录 + + ``` + tempest init mytest + ``` +3. 
修改配置文件。 + + ``` + cd mytest + vi etc/tempest.conf + ``` + tempest.conf中需要配置当前OpenStack环境的信息,具体内容可以参考[官方示例](https://docs.openstack.org/tempest/latest/sampleconf.html) + +4. 执行测试 + + ``` + tempest run + ``` + +### Ironic 安装 + +Ironic是OpenStack的裸金属服务,如果用户需要进行裸机部署则推荐使用该组件。否则,可以不用安装。 + +1. 设置数据库 + + 裸金属服务在数据库中存储信息,创建一个**ironic**用户可以访问的**ironic**数据库,替换**IRONIC_DBPASSWORD**为合适的密码 + + ``` + # mysql -u root -p MariaDB [(none)]> CREATE DATABASE ironic CHARACTER SET utf8; + + MariaDB [(none)]> GRANT ALL PRIVILEGES ON ironic.* TO 'ironic'@'localhost' \ + IDENTIFIED BY 'IRONIC_DBPASSWORD'; + + MariaDB [(none)]> GRANT ALL PRIVILEGES ON ironic.* TO 'ironic'@'%' \ + IDENTIFIED BY 'IRONIC_DBPASSWORD'; + ``` + +2. 组件安装与配置 + + ##### 创建服务用户认证 + + 1、创建Bare Metal服务用户 + + ``` + $ openstack user create --password IRONIC_PASSWORD \ + --email ironic@example.com ironic + $ openstack role add --project service --user ironic admin + $ openstack service create --name ironic --description \ + "Ironic baremetal provisioning service" baremetal + + $ openstack service create --name ironic-inspector --description "Ironic inspector baremetal provisioning service" baremetal-introspection + $ openstack user create --password IRONIC_INSPECTOR_PASSWORD --email ironic_inspector@example.com ironic_inspector + $ openstack role add --project service --user ironic-inspector admin + ``` + + 2、创建Bare Metal服务访问入口 + + ``` + $ openstack endpoint create --region RegionOne baremetal admin http://$IRONIC_NODE:6385 + $ openstack endpoint create --region RegionOne baremetal public http://$IRONIC_NODE:6385 + $ openstack endpoint create --region RegionOne baremetal internal http://$IRONIC_NODE:6385 + $ openstack endpoint create --region RegionOne baremetal-introspection internal http://172.20.19.13:5050/v1 + $ openstack endpoint create --region RegionOne baremetal-introspection public http://172.20.19.13:5050/v1 + $ openstack endpoint create --region RegionOne baremetal-introspection admin http://172.20.19.13:5050/v1 + 
``` + + ##### 配置ironic-api服务 + + 配置文件路径/etc/ironic/ironic.conf + + 1、通过**connection**选项配置数据库的位置,如下所示,替换**IRONIC_DBPASSWORD**为**ironic**用户的密码,替换**DB_IP**为DB服务器所在的IP地址: + + ``` + [database] + + # The SQLAlchemy connection string used to connect to the + # database (string value) + + connection = mysql+pymysql://ironic:IRONIC_DBPASSWORD@DB_IP/ironic + ``` + + 2、通过以下选项配置ironic-api服务使用RabbitMQ消息代理,替换**RPC_\***为RabbitMQ的详细地址和凭证 + + ``` + [DEFAULT] + + # A URL representing the messaging driver to use and its full + # configuration. (string value) + + transport_url = rabbit://RPC_USER:RPC_PASSWORD@RPC_HOST:RPC_PORT/ + ``` + + 用户也可自行使用json-rpc方式替换rabbitmq + + 3、配置ironic-api服务使用身份认证服务的凭证,替换**PUBLIC_IDENTITY_IP**为身份认证服务器的公共IP,替换**PRIVATE_IDENTITY_IP**为身份认证服务器的私有IP,替换**IRONIC_PASSWORD**为身份认证服务中**ironic**用户的密码: + + ``` + [DEFAULT] + + # Authentication strategy used by ironic-api: one of + # "keystone" or "noauth". "noauth" should not be used in a + # production environment because all authentication will be + # disabled. (string value) + + auth_strategy=keystone + + [keystone_authtoken] + # Authentication type to load (string value) + auth_type=password + # Complete public Identity API endpoint (string value) + www_authenticate_uri=http://PUBLIC_IDENTITY_IP:5000 + # Complete admin Identity API endpoint. (string value) + auth_url=http://PRIVATE_IDENTITY_IP:5000 + # Service username. (string value) + username=ironic + # Service account password. (string value) + password=IRONIC_PASSWORD + # Service tenant name. 
(string value) + project_name=service + # Domain name containing project (string value) + project_domain_name=Default + # User's domain name (string value) + user_domain_name=Default + ``` + + 4、创建裸金属服务数据库表 + + ``` + $ ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema + ``` + + 5、重启ironic-api服务 + + ``` + sudo systemctl restart openstack-ironic-api + ``` + + ##### 配置ironic-conductor服务 + + 1、替换**HOST_IP**为conductor host的IP + + ``` + [DEFAULT] + + # IP address of this host. If unset, will determine the IP + # programmatically. If unable to do so, will use "127.0.0.1". + # (string value) + + my_ip=HOST_IP + ``` + + 2、配置数据库的位置,ironic-conductor应该使用和ironic-api相同的配置。替换**IRONIC_DBPASSWORD**为**ironic**用户的密码,替换DB_IP为DB服务器所在的IP地址: + + ``` + [database] + + # The SQLAlchemy connection string to use to connect to the + # database. (string value) + + connection = mysql+pymysql://ironic:IRONIC_DBPASSWORD@DB_IP/ironic + ``` + + 3、通过以下选项配置ironic-api服务使用RabbitMQ消息代理,ironic-conductor应该使用和ironic-api相同的配置,替换**RPC_\***为RabbitMQ的详细地址和凭证 + + ``` + [DEFAULT] + + # A URL representing the messaging driver to use and its full + # configuration. 
(string value) + + transport_url = rabbit://RPC_USER:RPC_PASSWORD@RPC_HOST:RPC_PORT/ + ``` + + 用户也可自行使用json-rpc方式替换rabbitmq + + 4、配置凭证访问其他OpenStack服务 + + 为了与其他OpenStack服务进行通信,裸金属服务在请求其他服务时需要使用服务用户与OpenStack Identity服务进行认证。这些用户的凭据必须在与相应服务相关的每个配置文件中进行配置。 + + ``` + [neutron] - 访问Openstack网络服务 + [glance] - 访问Openstack镜像服务 + [swift] - 访问Openstack对象存储服务 + [cinder] - 访问Openstack块存储服务 + [inspector] - 访问Openstack裸金属introspection服务 + [service_catalog] - 一个特殊项用于保存裸金属服务使用的凭证,该凭证用于发现注册在Openstack身份认证服务目录中的自己的API URL端点 + ``` + + 简单起见,可以对所有服务使用同一个服务用户。为了向后兼容,该用户应该和ironic-api服务的[keystone_authtoken]所配置的为同一个用户。但这不是必须的,也可以为每个服务创建并配置不同的服务用户。 + + 在下面的示例中,用户访问openstack网络服务的身份验证信息配置为: + + ``` + 网络服务部署在名为RegionOne的身份认证服务域中,仅在服务目录中注册公共端点接口 + + 请求时使用特定的CA SSL证书进行HTTPS连接 + + 与ironic-api服务配置相同的服务用户 + + 动态密码认证插件基于其他选项发现合适的身份认证服务API版本 + ``` + + ``` + [neutron] + + # Authentication type to load (string value) + auth_type = password + # Authentication URL (string value) + auth_url=https://IDENTITY_IP:5000/ + # Username (string value) + username=ironic + # User's password (string value) + password=IRONIC_PASSWORD + # Project name to scope to (string value) + project_name=service + # Domain ID containing project (string value) + project_domain_id=default + # User's domain id (string value) + user_domain_id=default + # PEM encoded Certificate Authority to use when verifying + # HTTPs connections. (string value) + cafile=/opt/stack/data/ca-bundle.pem + # The default region_name for endpoint URL discovery. (string + # value) + region_name = RegionOne + # List of interfaces, in order of preference, for endpoint + # URL. (list value) + valid_interfaces=public + ``` + + 默认情况下,为了与其他服务进行通信,裸金属服务会尝试通过身份认证服务的服务目录发现该服务合适的端点。如果希望对一个特定服务使用一个不同的端点,则在裸金属服务的配置文件中通过endpoint_override选项进行指定: + + ``` + [neutron] ... 
endpoint_override = + ``` + + 5、配置允许的驱动程序和硬件类型 + + 通过设置enabled_hardware_types设置ironic-conductor服务允许使用的硬件类型: + + ``` + [DEFAULT] enabled_hardware_types = ipmi + ``` + + 配置硬件接口: + + ``` + enabled_boot_interfaces = pxe enabled_deploy_interfaces = direct,iscsi enabled_inspect_interfaces = inspector enabled_management_interfaces = ipmitool enabled_power_interfaces = ipmitool + ``` + + 配置接口默认值: + + ``` + [DEFAULT] default_deploy_interface = direct default_network_interface = neutron + ``` + + 如果启用了任何使用Direct deploy的驱动,必须安装和配置镜像服务的Swift后端。Ceph对象网关(RADOS网关)也支持作为镜像服务的后端。 + + 6、重启ironic-conductor服务 + + ``` + sudo systemctl restart openstack-ironic-conductor + ``` + + ##### 配置ironic-inspector服务 + + 配置文件路径/etc/ironic-inspector/inspector.conf + + 1、创建数据库 + + ``` + # mysql -u root -p + + MariaDB [(none)]> CREATE DATABASE ironic_inspector CHARACTER SET utf8; + + MariaDB [(none)]> GRANT ALL PRIVILEGES ON ironic_inspector.* TO 'ironic_inspector'@'localhost' \ IDENTIFIED BY 'IRONIC_INSPECTOR_DBPASSWORD'; + MariaDB [(none)]> GRANT ALL PRIVILEGES ON ironic_inspector.* TO 'ironic_inspector'@'%' \ + IDENTIFIED BY 'IRONIC_INSPECTOR_DBPASSWORD'; + ``` + + 2、通过**connection**选项配置数据库的位置,如下所示,替换**IRONIC_INSPECTOR_DBPASSWORD**为**ironic_inspector**用户的密码,替换**DB_IP**为DB服务器所在的IP地址: + + ``` + [database] + backend = sqlalchemy + connection = mysql+pymysql://ironic_inspector:IRONIC_INSPECTOR_DBPASSWORD@DB_IP/ironic_inspector + ``` + + 3、配置消息度列通信地址 + + ``` + [DEFAULT] transport_url = rabbit://RPC_USER:RPC_PASSWORD@RPC_HOST:RPC_PORT/ + ``` + + 4、设置keystone认证 + + ``` + [DEFAULT] + + auth_strategy = keystone + + [ironic] + + api_endpoint = http://IRONIC_API_HOST_ADDRRESS:6385 + auth_type = password + auth_url = http://PUBLIC_IDENTITY_IP:5000 + auth_strategy = keystone + ironic_url = http://IRONIC_API_HOST_ADDRRESS:6385 + os_region = RegionOne + project_name = service + project_domain_name = default + user_domain_name = default + username = IRONIC_SERVICE_USER_NAME + password = 
IRONIC_SERVICE_USER_PASSWORD + ``` + + 5、配置ironic inspector dnsmasq服务 + + ``` + # 配置文件地址:/etc/ironic-inspector/dnsmasq.conf + port=0 + interface=enp3s0 #替换为实际监听网络接口 + dhcp-range=172.20.19.100,172.20.19.110 #替换为实际dhcp地址范围 + bind-interfaces + enable-tftp + + dhcp-match=set:efi,option:client-arch,7 + dhcp-match=set:efi,option:client-arch,9 + dhcp-match=aarch64, option:client-arch,11 + dhcp-boot=tag:aarch64,grubaa64.efi + dhcp-boot=tag:!aarch64,tag:efi,grubx64.efi + dhcp-boot=tag:!aarch64,tag:!efi,pxelinux.0 + + tftp-root=/tftpboot #替换为实际tftpboot目录 + log-facility=/var/log/dnsmasq.log + ``` + + 6、启动服务 + + ``` + $ systemctl enable --now openstack-ironic-inspector.service + $ systemctl enable --now openstack-ironic-inspector-dnsmasq.service + ``` + +3. deploy ramdisk镜像制作 + + 目前ramdisk镜像支持通过ironic python agent builder来进行制作,这里介绍下使用这个工具构建ironic使用的deploy镜像的完整过程。 + + ##### 安装 ironic-python-agent-builder + + 1. 本地安装python3,并且将本地的python切换到python3,然后解决下切换之后的问题(如yum源无法使用的问题): + + ``` + yum install python36 + ``` + + 2. 安装工具: + + ``` + pip install ironic-python-agent-builder + ``` + + 3. 修改以下文件中的python解释器: + + ``` + /usr/bin/yum /usr/libexec/urlgrabber-ext-down + ``` + + 4. 
安装其它必须的工具: + + ``` + yum install git + ``` + + 由于`DIB`依赖`semanage`命令,所以在制作镜像之前确定该命令是否可用:`semanage --help`,如果提示无此命令,安装即可: + + ``` + # 先查询需要安装哪个包 + [root@localhost ~]# yum provides /usr/sbin/semanage + 已加载插件:fastestmirror + Loading mirror speeds from cached hostfile + * base: mirror.vcu.edu + * extras: mirror.vcu.edu + * updates: mirror.math.princeton.edu + policycoreutils-python-2.5-34.el7.aarch64 : SELinux policy core python utilities + 源 :base + 匹配来源: + 文件名 :/usr/sbin/semanage + # 安装 + [root@localhost ~]# yum install policycoreutils-python + ``` + + ##### 制作镜像 + + 经过测试目前centos只支持8版本,而且centos8-minimal缺少部分网卡驱动,导致Dell的物理机启动之后所有的网卡都是down状态,所以我们这次使用centos8。添加如下环境变量: + + ``` + export DIB_PYTHON_VERSION=3 \ + export DIB_RELEASE=8 \ + export DIB_YUM_MINIMAL_CREATE_INTERFACES + ``` + + 如果是`arm`架构,还需要添加: + + ``` + export ARCH=aarch64 + ``` + + ###### 普通镜像 + + 基本用法: + + ``` + usage: ironic-python-agent-builder [-h] [-r RELEASE] [-o OUTPUT] [-e ELEMENT] + [-b BRANCH] [-v] [--extra-args EXTRA_ARGS] + distribution + + positional arguments: + distribution Distribution to use + + optional arguments: + -h, --help show this help message and exit + -r RELEASE, --release RELEASE + Distribution release to use + -o OUTPUT, --output OUTPUT + Output base file name + -e ELEMENT, --element ELEMENT + Additional DIB element to use + -b BRANCH, --branch BRANCH + If set, override the branch that is used for ironic- + python-agent and requirements + -v, --verbose Enable verbose logging in diskimage-builder + --extra-args EXTRA_ARGS + Extra arguments to pass to diskimage-builder + ``` + + 举例说明: + + ``` + ironic-python-agent-builder centos -o /mnt/ironic-agent-ssh -b origin/stable/rocky + ``` + + ###### 允许ssh登陆 + + 初始化环境变量,然后制作镜像: + + ``` + export DIB_DEV_USER_USERNAME=ipa \ + export DIB_DEV_USER_PWDLESS_SUDO=yes \ + export DIB_DEV_USER_PASSWORD='123' + ironic-python-agent-builder centos -o /mnt/ironic-agent-ssh -b origin/stable/rocky -e selinux-permissive -e devuser + ``` + + ###### 指定代码仓库 + + 
初始化对应的环境变量,然后制作镜像: + + ``` + # 指定仓库地址以及版本 + DIB_REPOLOCATION_ironic_python_agent=git@172.20.2.149:liuzz/ironic-python-agent.git + DIB_REPOREF_ironic_python_agent=origin/develop + + # 直接从gerrit上clone代码 + DIB_REPOLOCATION_ironic_python_agent=https://review.opendev.org/openstack/ironic-python-agent + DIB_REPOREF_ironic_python_agent=refs/changes/43/701043/1 + ``` + + 参考:[source-repositories](https://docs.openstack.org/diskimage-builder/latest/elements/source-repositories/README.html)。 + + 指定仓库地址及版本验证成功。 \ No newline at end of file diff --git a/docs/zh/docs/thirdparty_migration/thidrparty.md b/docs/zh/docs/thirdparty_migration/thidrparty.md new file mode 100644 index 0000000000000000000000000000000000000000..9fcf83bffb4f3d79c4a22a2ed4a47e6b655b2e52 --- /dev/null +++ b/docs/zh/docs/thirdparty_migration/thidrparty.md @@ -0,0 +1,6 @@ +# 第三方软件安装指南 + +本文档介绍 openEuler 支持第三方软件 OpenStack 的移植与部署方法,以指导用户快速了解并使用其功能。 + +本文档适用于使用 openEuler 系统并希望了解和使用第三方软件的社区开发者、开源爱好者以及合作伙伴。使用人员需要具备基本的 Linux 操作系统知识。 + diff --git a/content/zh/docs/userguide/images/Maintainer.jpg b/docs/zh/docs/userguide/images/Maintainer.jpg similarity index 100% rename from content/zh/docs/userguide/images/Maintainer.jpg rename to docs/zh/docs/userguide/images/Maintainer.jpg diff --git a/content/zh/docs/userguide/images/PatchTracking.jpg b/docs/zh/docs/userguide/images/PatchTracking.jpg similarity index 100% rename from content/zh/docs/userguide/images/PatchTracking.jpg rename to docs/zh/docs/userguide/images/PatchTracking.jpg diff --git a/docs/zh/docs/userguide/images/packagemanagement.png b/docs/zh/docs/userguide/images/packagemanagement.png new file mode 100644 index 0000000000000000000000000000000000000000..6d314e2c6ad6bafd321d9f76cd6aa5f17a8cb394 Binary files /dev/null and b/docs/zh/docs/userguide/images/packagemanagement.png differ 
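Review bot: In the Ironic section of the OpenStack guide ("创建Bare Metal服务用户"), the inspector account is created as `ironic_inspector`, but the next command grants the role to `ironic-inspector` (`openstack role add --project service --user ironic-inspector admin`), so the role assignment will not reach the user that was just created; use one spelling in both commands. In the same file the horizon step sets `ALLOWED_HOSTS = ['*', ]` and `OPENSTACK_KEYSTONE_DEFAULT_ROLE = "admin"`, and the ssh-enabled ramdisk example combines `DIB_DEV_USER_PWDLESS_SUDO=yes` with `DIB_DEV_USER_PASSWORD='123'`; please replace these with the deployment's own host names, a non-admin default role and a placeholder password, or mark them clearly as test-only values. The `baremetal-introspection` endpoints also hard-code `172.20.19.13` where the `baremetal` endpoints use `$IRONIC_NODE`.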
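Review bot: The new file is added as `docs/zh/docs/thirdparty_migration/thidrparty.md`; the name looks like a misspelling of `thirdparty.md`, and it is cheaper to rename it in this patch than after other pages link to it.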
diff --git "a/content/zh/docs/userguide/\346\246\202\350\277\260.md" b/docs/zh/docs/userguide/overview.md similarity index 77% rename from "content/zh/docs/userguide/\346\246\202\350\277\260.md" rename to docs/zh/docs/userguide/overview.md index 74490c61e7f085f49758d903630e79fcb1949a00..b3944e8c3520ebd0f2f9719f1f031c80060536de 100644 --- "a/content/zh/docs/userguide/\346\246\202\350\277\260.md" +++ b/docs/zh/docs/userguide/overview.md @@ -1,2 +1,3 @@ -本文主要介绍在openEuler 发行版本过程中使用到的工具集,主要包含工具的介绍,安装以及使用等方面内容。 +# 工具集用户指南 +本文主要介绍在openEuler 发行版本过程中使用到的工具集,主要包含工具的介绍,安装以及使用等方面内容。 \ No newline at end of file diff --git "a/content/zh/docs/userguide/\350\241\245\344\270\201\345\267\245\345\205\267.md" b/docs/zh/docs/userguide/patch-tracking.md similarity index 53% rename from "content/zh/docs/userguide/\350\241\245\344\270\201\345\267\245\345\205\267.md" rename to docs/zh/docs/userguide/patch-tracking.md index fcef036b2d38c89832d60ba8bae32f2c3d7540ec..4e9f1e05fe9f8a2288dfcc41b82d3881c80ca74f 100644 --- "a/content/zh/docs/userguide/\350\241\245\344\270\201\345\267\245\345\205\267.md" +++ b/docs/zh/docs/userguide/patch-tracking.md 
@@ -1,45 +1,63 @@ -补丁跟踪 -=== - - -# 简介 +# patch-tracking + + + +- [patch-tracking](#patch-tracking) + - [简介](#简介) + - [架构](#架构) + - [C/S架构](#cs架构) + - [核心流程](#核心流程) + - [数据结构](#数据结构) + - [工具部署](#工具部署) + - [软件下载](#软件下载) + - [安装工具](#安装工具) + - [生成证书](#生成证书) + - [配置参数](#配置参数) + - [启动补丁跟踪服务](#启动补丁跟踪服务) + - [工具使用](#工具使用) + - [FAQ](#faq) + - [访问 api.github.com Connection refused 异常](#访问-apigithubcom-connection-refused-异常) + + + +## 简介 在 openEuler 发行版开发过程,需要及时更新上游社区各个软件包的最新代码,修改功能 bug 及安全问题,确保发布的 openEuler 发行版尽可能避免缺陷和漏洞。 本工具对软件包进行补丁管理,主动监控上游社区提交,自动生成补丁,并自动提交 issue 给对应的 maintainer,同时自动验证补丁基础功能,减少验证工作量支持 maintainer 快速决策。 -# 架构 +## 架构 -## C/S架构 +### C/S架构 -补丁跟踪采用 C/S 架构。 +patch-tracking采用 C/S 架构。 服务端(patch-tracking) :负责执行补丁跟踪任务,包括:维护跟踪项,识别上游仓库分支代码变更并形成补丁文件,向 Gitee 提交 issue 及 PR,同时 patch-tracking 提供 RESTful 接口,用于对跟踪项进行增删改查操作。 客户端:即命令行工具(patch-tracking-cli),通过调用 patch-tracking 的 RESTful 接口,实现对跟踪项的增删改查操作。 -## 核心流程 +### 核心流程 -* 补丁跟踪服务流程 +1, 补丁跟踪服务流程 -**主要步骤:** +主要步骤: -1. 命令行工具写入跟踪项。 -2. 自动从跟踪项配置的上游仓库(例如Github)获取补丁文件。 +1. 通过命令行工具添加跟踪项。 +2. 自动从跟踪项配置的上游仓库(例如GitHub)获取补丁文件。 3. 创建临时分支,将获取到的补丁文件提交到临时分支。 -4. 自动提交issue到对应项目,并生成关联 issue 的 PR。 +4. 自动提交 issue 到对应仓库,并生成关联 issue 的 PR。 -PatchTracking +![PatchTracking](./images/PatchTracking.jpg) -* Maintainer对提交的补丁处理流程 +2, Maintainer对提交的补丁处理流程 -**主要步骤:** -1. Maintainer分析临时分支中的补丁文件,判断是否合入。 -2. 执行构建,构建成功后判断是否合入PR。 +主要步骤: +1. Maintainer 分析 PR。 +2. 执行 CI,执行成功后判断是否合入 PR。 -![Maintainer](images/Maintainer.jpg) +![Maintainer](./images/Maintainer.jpg) -## 数据结构 +### 数据结构 * Tracking表 
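Review bot: Under "核心流程" the two process titles change from `*` bullets to `1, 补丁跟踪服务流程` and `2, Maintainer对提交的补丁处理流程`; "1," is not a Markdown list marker, so these render as plain paragraphs directly above the real `1.` step lists. Use `1.` / `2.`, or a heading level that fits the `###` headings introduced in the same hunk.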
@@ -62,32 +80,54 @@ | 2 | repo | 包源码在Gitee的仓库地址 | String | - | NO | | 3 | branch | 包源码在Gitee的仓库分支 | String | - | NO | -# 工具部署 +## 工具部署 -## 环境要求 +### 软件下载 ->* 安装 Python 3.7及以上版本 ->* 已安装 pip3。 +Repo 源地址:https://repo.openeuler.org/ -## 安装依赖 +rpm 包获取地址:https://build.openeuler.org/package/show/openEuler:21.03/patch-tracking -执行如下命令安装依赖包。 -```shell script -yum install -y gcc python3-devel openssl-devel -pip3 install flask flask-sqlalchemy flask-apscheduler requests flask_httpauth -pip3 install -I uwsgi -``` +### 安装工具 + +方法1:从repo源安装 + +1. 使用 dnf 挂载 repo源(需要 21.03 或更新的 repo 源,具体方法参考[应用开发指南](https://openeuler.org/zh/docs/21.03docs/ApplicationDev/%E5%BC%80%E5%8F%91%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87.html)),然后执行如下指令下载以及安装 patch-tracking 及其依赖。 + +2. 执行以下命令安装`patch-tracking`。 + + ```shell script + dnf install patch-tracking + ``` + +方法2:直接使用rpm安装 -## 安装工具 +1. 首先安装相关依赖。 -执行如下命令安装工具包(其中”x.x.x”表示版本号,请用实际情况代替)。 + ```shell script + dnf install python3-uWSGI python3-flask python3-Flask-SQLAlchemy python3-Flask-APScheduler python3-Flask-HTTPAuth python3-requests python3-pandas + ``` + +2. 以`patch-tracking-1.0.0-1.oe1.noarch.rpm`为例,执行如下命令安装。 + + ```shell script + rpm -ivh patch-tracking-1.0.0-1.oe1.noarch.rpm + ``` + + +### 生成证书 +执行如下命令生成证书。 ```shell script -rpm -ivh patch-tracking-xxx.rpm +openssl req -x509 -days 3650 -subj "/CN=self-signed" \ +-nodes -newkey rsa:4096 -keyout self-signed.key -out self-signed.crt ``` -## 配置参数 +将生成的 `self-signed.key` 和 `self-signed.crt` 文件拷贝到 __/etc/patch-tracking__ 目录。 + + +### 配置参数 在配置文件中对相应参数进行配置,配置文件路径为 `/etc/patch-tracking/settings.conf`。 
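Review bot: The new "生成证书" step creates the key with `-nodes`, so `self-signed.key` is written unencrypted, and the following sentence only says to copy both files to `/etc/patch-tracking`; add the owner and mode the key should have there (readable only by the account that runs the service). `-subj "/CN=self-signed"` with `-days 3650` also gives clients nothing to match against the server address, so state whether `patch-tracking-cli` verifies the certificate, or describe how to issue one for the real host name. Minor: under 方法1, step 1 already ends with "然后执行如下指令下载以及安装 patch-tracking 及其依赖" and step 2 repeats the instruction.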
@@ -127,19 +167,19 @@ rpm -ivh patch-tracking-xxx.rpm ​ 执行如下指令,获取口令的哈希值,其中Test@123为设置的口令。 -``` -[root]# generate_password Test@123 -pbkdf2:sha256:150000$w38eLeRm$ebb5069ba3b4dda39a698bd1d9d7f5f848af3bd93b11e0cde2b28e9e34bfbbae -``` + ``` + [root]# generate_password Test@123 + pbkdf2:sha256:150000$w38eLeRm$ebb5069ba3b4dda39a698bd1d9d7f5f848af3bd93b11e0cde2b28e9e34bfbbae + ``` -> `口令值`需要满足如下复杂度要求: -> -> * 长度大于等于6个字符 -> * 必须包含大写字母、小写字母、数字、特殊字符(~!@#%^*-_=+) + > `口令值`需要满足如下复杂度要求: + > + > * 长度大于等于6个字符 + > * 必须包含大写字母、小写字母、数字、特殊字符(~!@#%^*-_=+) - 将口令的哈希值`pbkdf2:sha256:150000$w38eLeRm$ebb5069ba3b4dda39a698bd1d9d7f5f848af3bd93b11e0cde2b28e9e34bfbbae`配置到`PASSWORD = ""`引号中。 + 将口令的哈希值`pbkdf2:sha256:150000$w38eLeRm$ebb5069ba3b4dda39a698bd1d9d7f5f848af3bd93b11e0cde2b28e9e34bfbbae`配置到`PASSWORD = ""`引号中。 -## 启动补丁跟踪服务 +### 启动补丁跟踪服务 可以使用以下两种方式启动服务。 @@ -155,13 +195,13 @@ pbkdf2:sha256:150000$w38eLeRm$ebb5069ba3b4dda39a698bd1d9d7f5f848af3bd93b11e0cde2 /usr/bin/patch-tracking ``` -# 工具使用 +## 工具使用 -## 添加跟踪项 +1,添加跟踪项 将需要跟踪的软件仓库和分支与其上游开源软件仓库与分支关联起来,可以通过以下三种方式实现。 -### 命令行直接添加 +* 命令行直接添加 参数含义: >--user :POST接口需要进行认证的用户名,同settings.conf中的USER参数 \ 
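Review bot: In the `generate_password` example (hunk `@@ -127,19 +167,19 @@`), the re-indented text still tells readers to paste the printed hash of `Test@123` into `PASSWORD = ""`; the same password appears in every `patch-tracking-cli` example in this file, so a configuration copied from the page ends up with a publicly documented credential. Since the block is being touched anyway, show a placeholder password and elide the hash output, and say that the reader's own hash goes into `PASSWORD`.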
@@ -172,17 +212,17 @@ pbkdf2:sha256:150000$w38eLeRm$ebb5069ba3b4dda39a698bd1d9d7f5f848af3bd93b11e0cde2 --branch :需要进行跟踪的仓库的分支名称 \ --scm_repo :被跟踪的上游仓库的仓库名称,github格式:组织/仓库 \ --scm_branch: 被跟踪的上游仓库的仓库的分支 \ ---enable :是否自动跟踪该仓库 +--enabled :是否自动跟踪该仓库 例如: ```shell script -patch-tracking-cli --server 127.0.0.1:5001 --user admin --password Test@123 --version_control github --repo testPatchTrack/testPatch1 --branch master --scm_repo BJMX/testPatch01 --scm_branch test --enable true +patch-tracking-cli add --server 127.0.0.1:5001 --user admin --password Test@123 --version_control github --repo testPatchTrack/testPatch1 --branch master --scm_repo BJMX/testPatch01 --scm_branch test --enabled true ``` -### 指定文件添加 +* 指定文件添加 参数含义: ->--server :启动Patch Tracking服务的URL,例如:127.0.0.1:5001 \ +>--server :启动Patch Tracking服务的URL,例如:127.0.0.1:5001 \ --user :POST接口需要进行认证的用户名,同settings.conf中的USER参数 \ --password :POST接口需要进行认证的口令,为settings.conf中的PASSWORD哈希值对应的实际的口令字符串 \ --file :yaml文件路径 @@ -191,7 +231,7 @@ patch-tracking-cli --server 127.0.0.1:5001 --user admin --password Test@123 --ve 例如: ```shell script -patch-tracking-cli --server 127.0.0.1:5001 --user admin --password Test@123 --file tracking.yaml +patch-tracking-cli add --server 127.0.0.1:5001 --user admin --password Test@123 --file tracking.yaml ``` yaml文件内容格式如下,冒号左边的内容不可修改,右边内容根据实际情况填写。 @@ -210,9 +250,9 @@ scm_repo :被跟踪的上游仓库的仓库名称,github格式:组织/仓 scm_branch :被跟踪的上游仓库的仓库的分支 \ repo :需要进行跟踪的仓库名称,格式:组织/仓库 \ branch :需要进行跟踪的仓库的分支名称 \ -enable :是否自动跟踪该仓库 +enabled :是否自动跟踪该仓库 -### 指定目录添加 +* 指定目录添加 在指定的目录,例如`test_yaml`下放入多个`xxx.yaml`文件,执行如下命令,记录指定目录下所有yaml文件的跟踪项。 
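Review bot: The sample `tracking.yaml` that sits between the `@@ -191,7` and `@@ -210,9` hunks is not part of this change, while the option becomes `--enabled` and the key description becomes `enabled :是否自动跟踪该仓库`; please confirm the sample already uses `enabled:` rather than the old `enable:`, otherwise the `add --file` and `add --dir` examples will not match the documented key. The examples also pass `--password Test@123` as a command-line argument, which leaves the password in shell history and the process list; a sentence pointing that out would help readers.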
@@ -223,32 +263,65 @@ enable :是否自动跟踪该仓库 --dir :存放yaml文件目录的路径 ```shell script -patch-tracking-cli --server 127.0.0.1:5001 --user admin --password Test@123 --dir /home/Work/test_yaml/ +patch-tracking-cli add --server 127.0.0.1:5001 --user admin --password Test@123 --dir /home/Work/test_yaml/ ``` -## 查询跟踪项 +2, 查询跟踪项 +参数含义: +>--server :必选参数,启动Patch Tracking服务的URL,例如:127.0.0.1:5001 \ +--table :必选参数,需要查询的表 \ +--repo :可选参数,需要查询的repo;如果没有该参数查询表中所有内容 \ +--branch :可选参数,需要查询的branch ```shell script -curl -k https:///tracking +patch-tracking-cli query --server SERVER --table tracking ``` 例如: ```shell script -curl -k https://127.0.0.1:5001/tracking +patch-tracking-cli query --server 127.0.0.1:5001 --table tracking ``` -## 查询生成的 Issue 列表 +3, 查询生成的 Issue ```shell script -curl -k https:///issue +patch-tracking-cli query --server SERVER --table issue ``` 例如: ```shell script -curl -k https://127.0.0.1:5001/issue +patch-tracking-cli query --server 127.0.0.1:5001 --table issue ``` -## 码云查看 issue 及 PR +4, 删除跟踪项 + +```shell script +patch-tracking-cli delete --server SERVER --user USER --password PWD --repo REPO [--branch BRANCH] +``` +例如: +```shell script +patch-tracking-cli delete --server 127.0.0.1:5001 --user admin --password Test@123 --repo testPatchTrack/testPatch1 --branch master +``` + +> 可以删除指定repo和branch的单条数据;也可直接删除指定repo下所有branch的数据。 + + +5, 码云查看 issue 及 PR 登录Gitee上进行跟踪的软件项目,在该项目的Issues和Pull Requests页签下,可以查看到名为`[patch tracking] TIME`,例如` [patch tracking] 20200713101548`的条目,该条目即是刚生成的补丁文件的issue和对应PR。 +## FAQ + +### 访问 api.github.com Connection refused 异常 + +#### 问题描述 + +patch-tracking 运行过程中,可能会出现如下报错: +``` + 9月 21 22:00:10 localhost.localdomain patch-tracking[36358]: 2020-09-21 22:00:10,812 - patch_tracking.util.github_api - WARNING - HTTPSConnectionPool(host='api.github.com', port=443): Max retries exceeded with url: /user (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused')) +``` + +#### 原因分析 + +以上问题是 patch-tracking 与 GitHub 
API 服务之间网络访问不稳定导致,请确保在与 GitHub API 服务之间网络稳定的环境中(如华为云任一国际站点)运行 patch-tracking。 + diff --git a/docs/zh/docs/userguide/pkgship.md b/docs/zh/docs/userguide/pkgship.md new file mode 100644 index 0000000000000000000000000000000000000000..857a51a601a91bb5358d1cc3e2c05c9806bc9ced --- /dev/null +++ b/docs/zh/docs/userguide/pkgship.md 
@@ -0,0 +1,420 @@ +# pkgship + + + +- [pkgship](#pkgship) + - [介绍](#介绍) + - [架构](#架构) + - [软件下载](#软件下载) + - [运行环境](#运行环境) + - [安装工具](#安装工具) + - [配置参数](#配置参数) + - [服务启动和停止](#服务启动和停止) + - [工具使用](#工具使用) + - [日志查看和转储](#日志查看和转储) + + + +## 介绍 + +pkgship是一款管理OS软件包依赖关系,提供依赖和被依赖关系完整图谱的查询工具,pkgship提供软件包依赖查询、生命周期管理、补丁查询等功能。 + +1. 软件包依赖查询:方便社区人员在软件包引入、更新和删除的时候了解软件的影响范围。 +2. 补丁查询:方便社区人员了解openEuler软件包的补丁情况以及提取补丁内容,详细内容请参见[patch-tracking](../patch-tracking/README.md)。 + +## 架构 + +系统采用flask-restful开发,架构如下图所示。 + +![avatar](./images/packagemanagement.png) + +## 软件下载 + +* Repo源挂载正式发布地址: +* 源码获取地址: +* RPM包版本获取地址: + +## 运行环境 + +- 硬件配置: + +| 配置项 | 推荐规格 | +| -------- | ----------- | +| CPU | 8核 | +| 内存 | 32G,最小4G | +| 网络带宽 | 300M | +| I/O | 375MB/sec | + +- 软件配置: + +| 软件名 | 版本和规格 | +| ------------- | ------------------------------------------ | +| Elasticsearch | 版本7.10.1;单机部署可用;有能力可部署集群 | +| Redis | 建议5.0.4及以上;建议大小配置为内存的3/4 | +| Python | 版本 3.8及以上 | + +## 安装工具 + +**1、pkgship工具安装** + + 工具安装可通过以下两种方式中的任意一种实现。 + +* 方法一,通过dnf挂载repo源实现。 + 先使用dnf挂载pkgship软件在所在repo源(具体方法可参考[应用开发指南](https://openeuler.org/zh/docs/20.09/docs/ApplicationDev/%E5%BC%80%E5%8F%91%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87.html)),然后执行如下指令下载以及安装pkgship及其依赖。 + + ```bash + dnf install pkgship + ``` + +* 方法二,通过安装rpm包实现。 + 先下载pkgship的rpm包,然后执行如下命令进行安装(其中“x.x-x”表示版本号,请用实际情况代替)。 + + ```bash + rpm -ivh pkgship-x.x-x.oe1.noarch.rpm + ``` + + 或者 + + ```bash + dnf install pkgship-x.x-x.oe1.noarch.rpm + ``` + +**2、Elasticsearch和Redis安装** + + 如果环境没有安装Elasticsearch或者Redis,可以在pkgship安装之后执行自动化安装脚本。 + + 脚本路径默认为: + +``` +/etc/pkgship/auto_install_pkgship_requires.sh +``` + + 执行方法为 + +``` +/bin/bash auto_install_pkgship_requires.sh elasticsearch +``` + + 或者 + +``` + /bin/bash auto_install_pkgship_requires.sh redis +``` + +>**说明:** +>以rpm包方式安装Elasticsearch默认为无密码模式,且pkgship需使用无密码设置的Elasticsearch,因此,当前建议Elasticsearch和pkgship需安装在同一服务器,通过网络隔离提高安全性。后续版本将支持Elasticsearch设置用户名密码。 + +**3、安装后添加用户** + 
+在安装pkgship软件后,会自动创建名为pkgshipuser的用户和名为pkgshipuser的用户组,无需手动创建,后续服务启动和运行时,都会以该用户角色操作。 + +## 配置参数 + +1.在配置文件中对相应参数进行配置,系统的默认配置文件存放在 /etc/pkgship/packge.ini,请根据实际情况进行配置更改。 + +``` +vim /etc/pkgship/package.ini +``` + +```ini +[SYSTEM-系统配置] +; 初始化数据库时导入的yaml文件存放位置,该yaml中记录导入的sqlite文件位置 +init_conf_path=/etc/pkgship/conf.yaml + +; 若部署为客户端-服务端方式,服务端需保证query_ip_addr为本机ip或者(0.0.0.0), +; 客户端可通过query_ip_addr和query_port访问服务端,或者通过设置映射的remote_host访问服务端 + +; 服务查询端口 +query_port=8090 + +; 服务查询ip +query_ip_addr=127.0.0.1 + +; 远程服务的地址,命令行可以直接调用远程服务来完成数据请求 +remote_host=https://api.openeuler.org/pkgmanage + +; 初始化和下载临时文件存放目录,不会长时间占用,建议可用空间至少1G +temporary_directory=/opt/pkgship/tmp/ + +[LOG-日志] +; 业务日志存放路径 +log_path=/var/log/pkgship/ + +; 打印日志级别,支持如下: +; INFO DEBUG WARNING ERROR CRITICAL +log_level=INFO + +; 单个业务日志文件最大容量,超过该值会自动压缩转储,默认为30M +max_bytes=31457280 + +; 备份日志保留的最大数量,默认为30 +backup_count=30 + +[UWSGI-Web服务器配置] +; 操作日志路径 +daemonize=/var/log/pkgship-operation/uwsgi.log +; 前后端传输数据大小 +buffer-size=65536 +; 网络连接超时时间 +http-timeout=600 +; 服务响应时间 +harakiri=600 + +[REDIS-缓存配置] +; Redis缓存服务器的地址可以是已发布的可以正常访问的域或IP地址 +;链接地址默认为127.0.0.1 +redis_host=127.0.0.1 + +;Redis缓存服务器的端口,默认为6379 +redis_port=6379 + +;Redis服务器一次允许的最大连接数 +redis_max_connections=10 + +[DATABASE-数据库] +;数据库访问地址,建议设置为本机地址 +database_host=127.0.0.1 + +;数据库访问端口,默认为9200 +database_port=9200 + +``` + +2.创建初始化数据库的yaml配置文件: +conf.yaml 文件默认存放在 /etc/pkgship/ 路径下,pkgship会通过该配置读取要建立的数据库名称以及需要导入的sqlite文件,也支持配置sqlite文件所在的repo地址。conf.yaml 示例如下所示。 + +```yaml +dbname: oe20.03 #数据库名称 +src_db_file: /etc/pkgship/repo/openEuler-20.09/src #源码包所在的本地路径 +bin_db_file: /etc/pkgship/repo/openEuler-20.09/bin #二进制包所在的本地路径 +priority: 1 #数据库优先级 + +dbname: oe20.09 +src_db_file: https://repo.openeuler.org/openEuler-20.09/source #源码包所在的repo源 +bin_db_file: https://repo.openeuler.org/openEuler-20.09/everything/aarch64 #二进制包所在的repo源 +priority: 2 +``` + + + +> 如需更改存放路径,请更改package.ini下的 init_conf_path 选项。 +> +> 不支持直接配置sqlite文件路径。 +> +> dbname请使用小写字母或者数字,不支持大写字母。 + +## 
服务启动和停止 + +pkgship启动和停止方式有两种,systemctl方式和pkgshipd方式,其中systemctl方式启动可以有异常停止自启动的机制。两种方式的执行命令为: + +```shell +systemctl start pkgship.service 启动服务 + +systemctl stop pkgship.service 停止服务 + +systemctl restart pkgship.service 重启服务 +``` + +```sh +pkgshipd start 启动服务 + +pkgshipd stop 停止服务 +``` + +> 每次起停周期内仅支持一种方式,不允许两种操作同时使用。 +> +> pkgshipd启动方式只允许在pkgshipuser用户下操作。 + +## 工具使用 + +1. 数据库初始化。 + + > 使用场景:服务启动后,为了能查询对应的数据库(比如oe20.03,oe20.09)中的包信息及包依赖关系,需要将这些数据库通过createrepo生成的sqlite(分为源码库和二进制库)导入进服务内,生成对应的包信息json体然后插入Elasticsearch对应的数据库中。数据库名为根据conf.yaml中配置的dbname生成的dbname-source/binary。 + + ```bash + pkgship init [-filepath path] + ``` + + > 参数说明: + > -filepath:指定初始化配置文件config.yaml的路径,可以使用相对路径和绝对路径,不带参数则使用默认配置初始化,可选参数。 + +2. 单包查询。 + + 用户可查询源码包或者二进制包(packagename)在指定数据库表(database)中的具体信息。 + + > 使用场景:用户可查询源码包或者二进制包在指定数据库中的具体信息。 + + ```bash + pkgship pkginfo $packageName $database [-s] + ``` + + > 参数说明: + > packagename:指定要查询的软件包名,必传参数。 + > database:指定具体的数据库名称,必传参数。 + > + > -s: 指定`-s`将查询的是`src`源码包信息;若未指定 默认查询`bin`二进制包信息,可选参数。 + +3. 所有包查询。 + + 查询数据库下包含的所有包的信息。 + + > 使用场景:用户可查询指定数据库下包含的所有软件包信息。 + + ```bash + pkgship list $database [-s] + ``` + + > 参数说明: + > database:指定具体的数据库名称,必传参数。 + > -s: 指定`-s`将查询的是`src`源码包信息;若未指定 默认查询`bin`二进制包信息,可选参数。 + +4. 安装依赖查询。 + + 查询二进制包(binaryName)的安装依赖。 + + > 使用场景:用户需要安装某个二进制包A时,需要将该二进制包A的安装依赖B,及B的安装依赖C等等,直至所有的安装依赖全部安装到系统才能成功安装二进制包A。因此,在用户安装二进制包A之前,可能会需要查询二进制包A的所有安装依赖。该命令提供了此功能,允许用户根据平台默认的优先级在多个数据库之间进行查询;同时也支持用户自定义数据库查询优先级。 + + ```bash + pkgship installdep [$binaryName $binaryName1 $binaryName2...] [-dbs] [db1 db2...] [-level] $level + ``` + + > 参数说明: + > binaryName:需要查询安装的依赖的二进制包名字,支持传多个;必传参数。 + > + > -dbs: 指定需要查询的database优先级,不传按照系统默认优先级搜索;可选参数。 + > + > -level:指定需要查询的依赖层级,不传默认为0,查询所有层级;可选参数。 + +5. 
编译依赖查询。 + + 查询源码包(sourceName)的所有编译依赖。 + + > 使用场景:用户要编译某个源码包A的时候,需要安装源码包A的编译依赖B, 要成功安装编译依赖B需要获取B的所有安装依赖。因此,在用户编译源码包A之前,可能会需要查询源码包的编译依赖以及这些编译依赖的所有安装依赖。该命令提供了此功能,允许用户根据平台默认的优先级在多个数据库之间进行查询;同时也支持用户自定义数据库查询优先级。 + + ```bash + pkgship builddep [$sourceName $sourceName1 $sourceName2..] -dbs [db1 db2 ..] [-level] $level + ``` + + > 参数说明: + > sourceName:需要查询编译依赖的源码包名字,支持多个查询;必传参数。 + > + > -dbs: 指定需要查询的database优先级,不传按照系统默认优先级搜索;可选参数。 + > + > -level:指定需要查询的依赖层级,不传默认为0,查询所有层级;可选参数。 + +6. 自编译自安装依赖查询。 + + 查询指定二进制包(binaryName)或源码包(sourceName )的安装及编译依赖,其中[pkgName]为查询的二进制包或者源码包的名称。当查询二进制包时,可以查询到该二进制包的所有安装依赖以及该二进制包对应的源码包的编译依赖,及这些编译依赖的所有安装依赖;当查询源码包时,可以查询该源码包的编译依赖,及这些编译依赖的所有安装依赖,并且查询该源码包生成的所有二进制包的所有安装依赖。同时,配合对应参数使用,该命令也支持查询软件包的自编译依赖查询,和包含子包的依赖查询。 + + > 使用场景:如果开发者想在现有的版本库的基础上引入新的软件包,应同时引入该软件包的所有编译、安装依赖。该命令提供开发者一个同时查询这两种依赖关系的功能,能让开发者知晓该软件包会引入哪些其他的包,该命令支持查询二进制包和源码包。 + + ```bash + pkgship selfdepend [$pkgName1 $pkgName2 $pkgName3 ..] [-dbs] [db1 db2..] [-b] [-s] [-w] + ``` + + > 参数说明: + > + > pkgName:需要查询安装的依赖的软件包名字,支持传多个;必传参数。 + > + > -dbs: 指定需要查询的database优先级,不传按照系统默认优先级搜索;可选参数。 + > + > -b:指定`-b`表示查询的包是二进制,不指定默认查询源码包;可选参数。 + > + > -s: 指定-s表示查询软件包的所有安装依赖和所有编译依赖(即编译依赖的源码包的编译依赖),以及所有编译依赖的安装依赖;如果不增加-s参数表示只查询软件包的所有安装依赖和一层编译依赖,以及一层编译依赖的所有安装依赖;可选参数。 + > + > -w:指定-s表示引入某个二进制包的时候,查询结果会显示出该二进制包对应的源码包以及该源码包生成的所有二进制包;如果不指定-w参数表示引入某个二进制包的时候,查询结果只显示对应的源码包;可选参数。 + +7. 
被依赖查询。 + 查询软件包(pkgName)在某数据库(dbName)中被哪些包所依赖。 + + > 使用场景:针对软件包A,在升级或删除的情况下会影响哪些软件包,可通过该命令查询。该命令会显示源码包A(若为源码包)生成的所有二进制包(若输入为二进制包,那此处即为输入的二进制包)被哪些源码包(比如B)编译依赖,被哪些二进制包(比如C1)安装依赖;以及B生成的二进制包及C1被哪些源码包(比如D)编译依赖,被哪些二进制包(比如E1)安装依赖,以此类推,遍历这些二进制包的被依赖。 + + ```bash + pkgship bedepend dbName [$pkgName1 $pkgName2 $pkgName3] [-w] [-b] [-install/build] + ``` + + > 参数说明: + > + > dbName:需要查询依赖关系的仓库,不支持多个;必选参数。 + > + > pkgName:待查询的软件包名称,支持多个;必选参数。 + > + > -w :当不指定-w 时,查询结果默认不包含对应源码包的子包;当命令后指定配置参数[-w] 时,不仅会查询二进制包C1的被依赖关系,还会进一步去查询C1对应的源码包C生成的其他二进制包(比如:C2,C3)的被依赖关系;可选参数。 + > + > -b:指定`-b`表示查询的包是二进制,默认查询源码包;可选参数。 + > + > -install/build:指定`-install`表示查询的是安装被依赖,指定`-build`表示查询的是编译被依赖,默认查全部, 不能`-install`和`-build`同时存在;可选参数。 + +8. 数据库信息。 + + > 使用场景,查看Elasticsearch中初始化了哪些数据库,该功能会按照优先级顺序返回已经初始化的数据库列表。 + + `pkgship dbs` + +9. 获取版本号。 + + > 使用场景:获取pkgship软件的版本号。 + + `pkgship -v` + +## 日志查看和转储 + + **日志查看** + + pkgship服务在运行时会产生两种日志,业务日志和操作日志。 + + 1、业务日志: + + 路径:/var/log/pkgship/log_info.log(支持在package.ini中通过log_path字段自定义路径)。 + + 功能:主要记录代码内部运行的日志,方便问题定位。 + + 权限:路径权限755,日志文件权限644,普通用户可以查看。 + +2、操作日志: + +路径:/var/log/pkgship-operation/uwsgi.log (支持在package.ini中通过daemonize字段自定义路径)。 + +功能:记录使用者操作信息,包括ip,访问时间,访问url,访问结果等,方便后续查阅以及记录攻击者信息。 + +权限:路径权限700,日志文件权限644,只有root和pkgshipuser可以查看。 + +**日志转储** + +1、业务日志转储: + +- 转储机制 + + 使用python自带的logging内置函数的转储机制,按照日志大小来备份。 + +> 配置项,package.ini中配置每个日志的容量和备份数量 +> +> ```ini +> ; Maximum capacity of each file, the unit is byte, default is 30M +> max_bytes=31457280 +> +> ; Number of old logs to keep;default is 30 +> backup_count=30 +> ``` + +- 转储过程 + + 当某次日志写入后,日志文件大小超过配置的日志容量时,会自动压缩转储,压缩后文件名为log_info.log.x.gz, x是数字,数字越小为越新的备份。 + + 当备份日志数量到达配置的备份数量之后,最早的备份日志会被删除掉,然后备份一个最新的压缩日志文件。 + + + +2、操作日志转储: + +- 转储机制 + + 使用脚本进行转储,按照时间转储,每日转储一次,共保留30天,不支持自定义配置。 + + > 脚本位置:/etc/pkgship/uwsgi_logrotate.sh + +- 转储过程 + + pkgship启动时转储脚本后台运行,从启动时,每隔1天进行转储压缩,共保留30份压缩文件,压缩文件名称为uwsgi.log-20201010x.zip, x为压缩时的小时数。 + + pkgship停止后转储脚本停止,不再进行转储,再次启动时,转储脚本重新执行。 \ No newline at end of file 
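Review bot: In the `selfdepend` parameter list the `-w` entry begins "指定-s表示引入某个二进制包的时候", a copy of the `-s` wording; it should read "指定-w" so the two flags are not confused. Other inconsistencies in this new file: the configuration section names `/etc/pkgship/packge.ini` while the command edits `/etc/pkgship/package.ini`; `pkgship init -filepath` refers to `config.yaml` although the file is `conf.yaml` everywhere else; the first `conf.yaml` entry is `dbname: oe20.03` with `openEuler-20.09` paths; and the patch-tracking link points to `../patch-tracking/README.md` although this patch places that page at `docs/zh/docs/userguide/patch-tracking.md`, next to this file. On the security side, the operation log is described as directory mode 700 with file mode 644, and the passwordless Elasticsearch note relies only on "网络隔离"; say concretely that Elasticsearch must listen only on the address given in `database_host=127.0.0.1`.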
diff --git a/docs/zh/menu/index.md b/docs/zh/menu/index.md new file mode 100644 index 0000000000000000000000000000000000000000..83547cc2789de1cc145151550ad71be75937d4c0 --- /dev/null +++ b/docs/zh/menu/index.md 
@@ -0,0 +1,180 @@ +--- +headless: true +--- +- [法律声明]({{< relref "./docs/Releasenotes/法律声明.md" >}}) +- [发行说明]({{< relref "./docs/Releasenotes/release_notes.md" >}}) + - [用户须知]({{< relref "./docs/Releasenotes/用户须知.md" >}}) + - [简介]({{< relref "./docs/Releasenotes/简介.md" >}}) + - [系统安装]({{< relref "./docs/Releasenotes/系统安装.md" >}}) + - [关键特性]({{< relref "./docs/Releasenotes/关键特性.md" >}}) + - [已知问题]({{< relref "./docs/Releasenotes/已知问题.md" >}}) + - [已修复问题]({{< relref "./docs/Releasenotes/已修复问题.md" >}}) + - [CVE漏洞]({{< relref "./docs/Releasenotes/CVE漏洞.md" >}}) + - [源代码]({{< relref "./docs/Releasenotes/源代码.md" >}}) + - [参与贡献]({{< relref "./docs/Releasenotes/参与贡献.md" >}}) + - [致谢]({{< relref "./docs/Releasenotes/致谢.md" >}}) +- [快速入门]({{< relref "./docs/Quickstart/quick-start.md" >}}) +- [安装指南]({{< relref "./docs/Installation/installation.md" >}}) + - [安装在服务器]({{< relref "./docs/Installation/安装在服务器.md" >}}) + - [安装准备]({{< relref "./docs/Installation/安装准备.md" >}}) + - [安装方式介绍]({{< relref "./docs/Installation/安装方式介绍.md" >}}) + - [安装指导]({{< relref "./docs/Installation/安装指导.md" >}}) + - [使用kickstart自动化安装]({{< relref "./docs/Installation/使用kickstart自动化安装.md" >}}) + - [FAQ]({{< relref "./docs/Installation/FAQ.md" >}}) + - [安装在树莓派]({{< relref "./docs/Installation/安装在树莓派.md" >}}) + - [安装准备]({{< relref "./docs/Installation/安装准备-1.md" >}}) + - [安装方式介绍]({{< relref "./docs/Installation/安装方式介绍-1.md" >}}) + - [安装指导]({{< relref "./docs/Installation/安装指导-1" >}}) + - [FAQ]({{< relref "./docs/Installation/FAQ-1.md" >}}) + - [更多资源]({{< relref "./docs/Installation/更多资源.md" >}}) +- [管理员指南]({{< relref "./docs/Administration/administration.md" >}}) + - [查看系统信息]({{< relref "./docs/Administration/查看系统信息.md" >}}) + - [基础配置]({{< relref "./docs/Administration/基础配置.md" >}}) + - [管理用户和用户组]({{< relref "./docs/Administration/管理用户和用户组.md" >}}) + - [使用DNF管理软件包]({{< relref "./docs/Administration/使用DNF管理软件包.md" >}}) + - [管理服务]({{< relref "./docs/Administration/管理服务.md" >}}) + - [管理进程]({{< relref 
"./docs/Administration/管理进程.md" >}}) + - [管理内存]({{< relref "./docs/Administration/memory-management.md" >}}) + - [配置网络]({{< relref "./docs/Administration/配置网络.md" >}}) + - [使用LVM管理硬盘]({{< relref "./docs/Administration/使用LVM管理硬盘.md" >}}) + - [使用KAE加速引擎]({{< relref "./docs/Administration/使用KAE加速引擎.md" >}}) + - [搭建服务]({{< relref "./docs/Administration/搭建服务.md" >}}) + - [搭建repo服务器]({{< relref "./docs/Administration/搭建repo服务器.md" >}}) + - [搭建FTP服务器]({{< relref "./docs/Administration/搭建FTP服务器.md" >}}) + - [搭建web服务器]({{< relref "./docs/Administration/搭建web服务器.md" >}}) + - [搭建数据库服务器]({{< relref "./docs/Administration/搭建数据库服务器.md" >}}) + - [可信计算]({{< relref "./docs/Administration/可信计算.md" >}}) + - [FAQ]({{< relref "./docs/Administration/FAQ-54.md" >}}) +- [安全加固指南]({{< relref "./docs/SecHarden/secHarden.md" >}}) + - [操作系统加固概述]({{< relref "./docs/SecHarden/操作系统加固概述.md" >}}) + - [加固指导]({{< relref "./docs/SecHarden/加固指导.md" >}}) + - [账户口令]({{< relref "./docs/SecHarden/账户口令.md" >}}) + - [授权认证]({{< relref "./docs/SecHarden/授权认证.md" >}}) + - [系统服务]({{< relref "./docs/SecHarden/系统服务.md" >}}) + - [文件权限]({{< relref "./docs/SecHarden/文件权限.md" >}}) + - [内核参数]({{< relref "./docs/SecHarden/内核参数.md" >}}) + - [SELinux配置]({{< relref "./docs/SecHarden/SELinux配置.md" >}}) + - [安全加固工具]({{< relref "./docs/SecHarden/安全加固工具.md" >}}) + - [附录]({{< relref "./docs/SecHarden/附录.md" >}}) +- [虚拟化用户指南]({{< relref "./docs/Virtualization/virtualization.md" >}}) + - [认识虚拟化]({{< relref "./docs/Virtualization/认识虚拟化.md" >}}) + - [安装虚拟化]({{< relref "./docs/Virtualization/安装虚拟化.md" >}}) + - [准备使用环境]({{< relref "./docs/Virtualization/准备使用环境.md" >}}) + - [虚拟机配置]({{< relref "./docs/Virtualization/虚拟机配置.md" >}}) + - [管理虚拟机]({{< relref "./docs/Virtualization/管理虚拟机.md" >}}) + - [热迁移虚拟机]({{< relref "./docs/Virtualization/热迁移虚拟机.md" >}}) + - [管理系统资源]({{< relref "./docs/Virtualization/管理系统资源.md" >}}) + - [管理设备]({{< relref "./docs/Virtualization/管理设备.md" >}}) + - [管理虚拟机可维护性]({{< relref "./docs/Virtualization/管理虚拟机可维护性.md" 
>}}) + - [最佳实践]({{< relref "./docs/Virtualization/最佳实践.md" >}}) + - [工具使用指南]({{< relref "./docs/Virtualization/工具使用指南.md" >}}) + - [附录]({{< relref "./docs/Virtualization/附录.md" >}}) +- [StratoVirt用户指南]({{< relref "./docs/StratoVirt/StratoVirtGuide.md" >}}) + - [StratoVirt介绍]({{< relref "./docs/StratoVirt/StratoVirt介绍.md" >}}) + - [安装StratoVirt]({{< relref "./docs/StratoVirt/安装StratoVirt.md" >}}) + - [准备使用环境]({{< relref "./docs/StratoVirt/准备使用环境.md" >}}) + - [虚拟机配置]({{< relref "./docs/StratoVirt/虚拟机配置.md" >}}) + - [虚拟机管理]({{< relref "./docs/StratoVirt/虚拟机管理.md" >}}) + - [对接iSula安全容器]({{< relref "./docs/StratoVirt/对接iSula安全容器.md" >}}) +- [容器用户指南]({{< relref "./docs/Container/container.md" >}}) + - [iSula容器引擎]({{< relref "./docs/Container/iSula容器引擎.md" >}}) + - [安装、升级与卸载]({{< relref "./docs/Container/安装-升级与卸载.md" >}}) + - [安装与配置]({{< relref "./docs/Container/安装与配置.md" >}}) + - [升级]({{< relref "./docs/Container/升级.md" >}}) + - [卸载]({{< relref "./docs/Container/卸载.md" >}}) + - [使用指南]({{< relref "./docs/Container/使用指南.md" >}}) + - [容器管理]({{< relref "./docs/Container/容器管理.md" >}}) + - [支持CNI网络]({{< relref "./docs/Container/支持CNI网络.md" >}}) + - [特权容器]({{< relref "./docs/Container/特权容器.md" >}}) + - [CRI接口]({{< relref "./docs/Container/CRI接口.md" >}}) + - [镜像管理]({{< relref "./docs/Container/镜像管理.md" >}}) + - [容器健康状态检查]({{< relref "./docs/Container/容器健康状态检查.md" >}}) + - [查询信息]({{< relref "./docs/Container/查询信息.md" >}}) + - [安全特性]({{< relref "./docs/Container/安全特性.md" >}}) + - [支持OCI hooks]({{< relref "./docs/Container/支持OCI-hooks.md" >}}) + - [本地卷管理]({{< relref "./docs/Container/本地卷管理.md" >}}) + - [附录]({{< relref "./docs/Container/附录.md" >}}) + - [系统容器]({{< relref "./docs/Container/系统容器.md" >}}) + - [安装指导]({{< relref "./docs/Container/安装指导.md" >}}) + - [使用指南]({{< relref "./docs/Container/使用指南-1.md" >}}) + - [指定rootfs创建容器]({{< relref "./docs/Container/指定rootfs创建容器.md" >}}) + - [通过systemd启动容器]({{< relref "./docs/Container/通过systemd启动容器.md" >}}) + - [容器内reboot/shutdown]({{< 
relref "./docs/Container/容器内reboot-shutdown.md" >}}) + - [cgroup路径可配置]({{< relref "./docs/Container/cgroup路径可配置.md" >}}) + - [namespace化内核参数可写]({{< relref "./docs/Container/namespace化内核参数可写.md" >}}) + - [共享内存通道]({{< relref "./docs/Container/共享内存通道.md" >}}) + - [动态加载内核模块]({{< relref "./docs/Container/动态加载内核模块.md" >}}) + - [环境变量持久化]({{< relref "./docs/Container/环境变量持久化.md" >}}) + - [最大句柄数限制]({{< relref "./docs/Container/最大句柄数限制.md" >}}) + - [安全性和隔离性]({{< relref "./docs/Container/安全性和隔离性.md" >}}) + - [容器资源动态管理]({{< relref "./docs/Container/容器资源动态管理.md" >}}) + - [附录]({{< relref "./docs/Container/附录-2.md" >}}) + - [安全容器]({{< relref "./docs/Container/安全容器.md" >}}) + - [安装与配置]({{< relref "./docs/Container/安装与配置-2.md" >}}) + - [使用方法]({{< relref "./docs/Container/使用方法-1.md" >}}) + - [管理安全容器的生命周期]({{< relref "./docs/Container/管理安全容器的生命周期.md" >}}) + - [为安全容器配置资源]({{< relref "./docs/Container/为安全容器配置资源.md" >}}) + - [为安全容器配置网络]({{< relref "./docs/Container/为安全容器配置网络.md" >}}) + - [监控安全容器]({{< relref "./docs/Container/监控安全容器.md" >}}) + - [附录]({{< relref "./docs/Container/附录-3.md" >}}) + - [Docker容器]({{< relref "./docs/Container/Docker容器.md" >}}) + - [安装配置]({{< relref "./docs/Container/安装配置-3.md" >}}) + - [容器管理]({{< relref "./docs/Container/容器管理-3.md" >}}) + - [镜像管理]({{< relref "./docs/Container/镜像管理-3.md" >}}) + - [命令行参考]({{< relref "./docs/Container/命令行参考.md" >}}) + - [容器引擎]({{< relref "./docs/Container/容器引擎-4.md" >}}) + - [容器管理]({{< relref "./docs/Container/容器管理-4.md" >}}) + - [镜像管理]({{< relref "./docs/Container/镜像管理-4.md" >}}) + - [统计信息]({{< relref "./docs/Container/统计信息-4.md" >}}) + - [容器镜像构建]({{< relref "./docs/Container/isula-build构建工具.md" >}}) +- [A-Tune用户指南]({{< relref "./docs/A-Tune/A-Tune.md" >}}) + - [认识A-Tune]({{< relref "./docs/A-Tune/认识A-Tune.md" >}}) + - [安装与部署]({{< relref "./docs/A-Tune/安装与部署.md" >}}) + - [使用方法]({{< relref "./docs/A-Tune/使用方法.md" >}}) + - [常见问题与解决方法]({{< relref "./docs/A-Tune/常见问题与解决方法.md" >}}) + - [附录]({{< relref "./docs/A-Tune/附录.md" >}}) +- 
[内核热升级指南]({{< relref "./docs/KernelLiveUpgrade/KernelLiveUpgrade.md" >}}) + - [安装与部署]({{< relref "./docs/KernelLiveUpgrade/安装与部署.md" >}}) + - [使用方法]({{< relref "./docs/KernelLiveUpgrade/使用方法.md" >}}) + - [常见问题与解决方法]({{< relref "./docs/KernelLiveUpgrade/常见问题与解决方法.md" >}}) + - [附录]({{< relref "./docs/A-Tune/附录.md" >}}) +- [应用开发指南]({{< relref "./docs/ApplicationDev/application-development.md" >}}) + - [开发环境准备]({{< relref "./docs/ApplicationDev/开发环境准备.md" >}}) + - [使用GCC编译]({{< relref "./docs/ApplicationDev/使用GCC编译.md" >}}) + - [使用make编译]({{< relref "./docs/ApplicationDev/使用make编译.md" >}}) + - [使用JDK编译]({{< relref "./docs/ApplicationDev/使用JDK编译.md" >}}) + - [构建RPM包]({{< relref "./docs/ApplicationDev/构建RPM包.md" >}}) + - [FAQ]({{< relref "./docs/ApplicationDev/FAQ.md" >}}) +- [secGear开发指南]({{< relref "./docs/secGear/secGear.md" >}}) + - [认识secGear]({{< relref "./docs/secGear/认识secGear.md" >}}) + - [安装secGear]({{< relref "./docs/secGear/安装secGear.md" >}}) + - [开发secGear应用程序]({{< relref "./docs/secGear/开发secGear应用程序.md" >}}) + - [使用secGear工具]({{< relref "./docs/secGear/使用secGear工具.md" >}}) + - [接口参考]({{< relref "./docs/secGear/接口参考.md" >}}) +- [Kubernetes集群部署指南]({{< relref "./docs/Kubernetes/Kubernetes.md" >}}) + - [准备虚拟机]({{< relref "./docs/Kubernetes/准备虚拟机.md" >}}) + - [部署Kubernetes集群]({{< relref "./docs/Kubernetes/部署Kubernetes集群.md" >}}) + - [安装Kubernetes软件包]({{< relref "./docs/Kubernetes/安装Kubernetes软件包.md" >}}) + - [准备证书]({{< relref "./docs/Kubernetes/准备证书.md" >}}) + - [安装etcd]({{< relref "./docs/Kubernetes/安装etcd.md" >}}) + - [部署控制面组件]({{< relref "./docs/Kubernetes/部署控制面组件.md" >}}) + - [部署Node节点组件]({{< relref "./docs/Kubernetes/部署Node节点组件.md" >}}) + - [运行测试pod]({{< relref "./docs/Kubernetes/运行测试pod.md" >}}) +- [第三方软件安装指南]({{< relref "./docs/thirdparty_migration/thidrparty.md" >}}) + - [OpenStack-Victoria部署指南]({{< relref "./docs/thirdparty_migration/OpenStack-victoria.md" >}}) + - [HA 用户指南]({{< relref "./docs/desktop/ha.md" >}}) + - [部署 HA]({{< relref 
"./docs/desktop/installha.md" >}}) + - [HA 使用实例]({{< relref "./docs/desktop/usecase.md" >}}) +- [桌面环境用户指南]({{< relref "./docs/desktop/desktop.md" >}}) + - [UKUI]({{< relref "./docs/desktop/ukui.md" >}}) + - [安装 UKUI]({{< relref "./docs/desktop/安装UKUI.md" >}}) + - [UKUI 用户指南]({{< relref "./docs/desktop/UKUIuserguide.md" >}}) + - [DDE]({{< relref "./docs/desktop/dde.md" >}}) + - [安装 DDE]({{< relref "./docs/desktop/安装DDE.md" >}}) + - [DDE 用户指南]({{< relref "./docs/desktop/DDE-User-Manual.md" >}}) + - [XFCE]({{< relref "./docs/desktop/xfce.md" >}}) + - [安装 Xfce]({{< relref "./docs/desktop/Install_XFCE.md" >}}) + - [Xfce 用户指南]({{< relref "./docs/desktop/Xfce_userguide.md" >}}) +- [工具集用户指南]({{< relref "./docs/userguide/overview.md" >}}) + - [patch-tracking]({{< relref "./docs/userguide/patch-tracking.md" >}}) + - [pkgship]({{< relref "./docs/userguide/pkgship.md" >}}) \ No newline at end of file diff --git a/package.json b/package.json new file mode 100644 index 0000000000000000000000000000000000000000..909a6f70df873bedaef61403ce6b5ec24ad3dd5e --- /dev/null +++ b/package.json @@ -0,0 +1,16 @@ +{ + "name": "website-v2", + "version": "0.0.1", + "description": "", + "main": "index.js", + "scripts": { + "dev": "vuepress dev docs", + "build": "vuepress build docs" + }, + "keywords": [], + "author": "", + "license": "", + "dependencies": { + "vuepress": "^1.5.2" + } +} diff --git a/rdocs/en/openEuler 1.0 Installation Guide.pdf b/rdocs/en/openEuler 1.0 Installation Guide.pdf deleted file mode 100644 index 7a6a2cdb852d5f2502e13b5b8ce46a915072410f..0000000000000000000000000000000000000000 Binary files a/rdocs/en/openEuler 1.0 Installation Guide.pdf and /dev/null differ diff --git a/rdocs/en/openEuler 20.03 LTS A-Tune User Guide.pdf b/rdocs/en/openEuler 20.03 LTS A-Tune User Guide.pdf deleted file mode 100644 index c5a43911b4fa7839ab5f5eb0bc38818c8bb8b34a..0000000000000000000000000000000000000000 Binary files a/rdocs/en/openEuler 20.03 LTS A-Tune User Guide.pdf and /dev/null differ 
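Review bot: In the added menu list, the 附录 entry under 内核热升级指南 links to `./docs/A-Tune/附录.md` instead of a file under `./docs/KernelLiveUpgrade/`, which looks like a copy-paste from the A-Tune block above it; point it at the KernelLiveUpgrade appendix or drop the entry. Two other targets are worth checking before merge: `./docs/thirdparty_migration/thidrparty.md` (the file name is spelled `thidrparty`), and the HA entries, which are nested under 第三方软件安装指南 but resolve to `./docs/desktop/ha.md`, `./docs/desktop/installha.md` and `./docs/desktop/usecase.md`. By default Hugo's `relref` errors on a path that does not resolve, so a wrong target that exists, like the A-Tune one, is the case that passes the build unnoticed. The file also ends without a trailing newline.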
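Review bot: `"vuepress": "^1.5.2"` in the new package.json is a floating range, and the .gitignore hunk in this same patch ignores `package-lock.json`, so each `npm install` can resolve a different dependency tree for the docs build and nothing in the repository records what was actually installed. Commit the lockfile (remove it from .gitignore) and install with `npm ci` in the build job, or pin exact versions. The `"license": ""` and `"description": ""` fields are empty placeholders and `"main": "index.js"` names a file this patch does not show being added; set a real SPDX licence identifier, drop `main` if there is no such file, and add `"private": true` so the site package cannot be published by accident.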
diff --git a/rdocs/en/openEuler 20.03 LTS Administrator Guide.pdf b/rdocs/en/openEuler 20.03 LTS Administrator Guide.pdf deleted file mode 100644 index 2039b90984988ae4c8e0214ebd9f033fd8490ebd..0000000000000000000000000000000000000000 Binary files a/rdocs/en/openEuler 20.03 LTS Administrator Guide.pdf and /dev/null differ diff --git a/rdocs/en/openEuler 20.03 LTS Application Development Guide.pdf b/rdocs/en/openEuler 20.03 LTS Application Development Guide.pdf deleted file mode 100644 index 5c132a743d2c7b3a27c15397c7c3acdebc8a8d1e..0000000000000000000000000000000000000000 Binary files a/rdocs/en/openEuler 20.03 LTS Application Development Guide.pdf and /dev/null differ diff --git a/rdocs/en/openEuler 20.03 LTS Container User Guide.pdf b/rdocs/en/openEuler 20.03 LTS Container User Guide.pdf deleted file mode 100644 index 79804395bd8605d0e1566405e066b66b911aff6c..0000000000000000000000000000000000000000 Binary files a/rdocs/en/openEuler 20.03 LTS Container User Guide.pdf and /dev/null differ diff --git a/rdocs/en/openEuler 20.03 LTS Installation Guide.pdf b/rdocs/en/openEuler 20.03 LTS Installation Guide.pdf deleted file mode 100644 index 9e72c47cae20bb7f523d4423d1c87c492a1a9d51..0000000000000000000000000000000000000000 Binary files a/rdocs/en/openEuler 20.03 LTS Installation Guide.pdf and /dev/null differ diff --git a/rdocs/en/openEuler 20.03 LTS Release Description.pdf b/rdocs/en/openEuler 20.03 LTS Release Description.pdf deleted file mode 100644 index 0efe706b9efd66f89a25d84ad6fdb037ef341e06..0000000000000000000000000000000000000000 Binary files a/rdocs/en/openEuler 20.03 LTS Release Description.pdf and /dev/null differ diff --git a/rdocs/en/openEuler 20.03 LTS Virtualization User Guide.pdf b/rdocs/en/openEuler 20.03 LTS Virtualization User Guide.pdf deleted file mode 100644 index 45b7a82a4f2e40d6fa1f145e7fce50c8a9b91a7f..0000000000000000000000000000000000000000 Binary files a/rdocs/en/openEuler 20.03 LTS Virtualization User Guide.pdf and /dev/null differ 
diff --git "a/rdocs/zh/date20200101/openEuler 1.0 \345\256\211\350\243\205\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200101/openEuler 1.0 \345\256\211\350\243\205\346\214\207\345\215\227.pdf" deleted file mode 100644 index 576eb0a1f8cdcffd68ec60df3dce8c0e729f8e7f..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200101/openEuler 1.0 \345\256\211\350\243\205\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/date20200101/openEuler 1.0 \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200101/openEuler 1.0 \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" deleted file mode 100644 index 032fae106298bef8d9f3dc2381c478904fd0236a..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200101/openEuler 1.0 \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/date20200101/openEuler 1.0 \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200101/openEuler 1.0 \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" deleted file mode 100644 index 5c9df30f521b0b5adf71044b7e87de4018b610b8..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200101/openEuler 1.0 \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/date20200115/openEuler 1.0 \345\256\211\350\243\205\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200115/openEuler 1.0 \345\256\211\350\243\205\346\214\207\345\215\227.pdf" deleted file mode 100644 index b6e6ddd880a473f80821501031441927b99712f3..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200115/openEuler 1.0 \345\256\211\350\243\205\346\214\207\345\215\227.pdf" and /dev/null differ 
diff --git "a/rdocs/zh/date20200115/openEuler 1.0 \347\211\210\346\234\254\345\217\221\350\241\214\350\257\264\346\230\216.pdf" "b/rdocs/zh/date20200115/openEuler 1.0 \347\211\210\346\234\254\345\217\221\350\241\214\350\257\264\346\230\216.pdf" deleted file mode 100644 index 639ab676d80da674b1edc47480cbacd3b590a2ff..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200115/openEuler 1.0 \347\211\210\346\234\254\345\217\221\350\241\214\350\257\264\346\230\216.pdf" and /dev/null differ diff --git "a/rdocs/zh/date20200115/openEuler 1.0 \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200115/openEuler 1.0 \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" deleted file mode 100644 index 6bf63ab9e446c95e194af64ecf7308abc3ba74e2..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200115/openEuler 1.0 \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/date20200115/openEuler 1.0 \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200115/openEuler 1.0 \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" deleted file mode 100644 index be501ab13eee41e6cba3070ab220c0e9a47cbfdf..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200115/openEuler 1.0 \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" and /dev/null differ 
diff --git "a/rdocs/zh/date20200207Base/openEuler 1.0 Base \347\211\210\346\234\254\345\217\221\350\241\214\350\257\264\346\230\216.pdf" "b/rdocs/zh/date20200207Base/openEuler 1.0 Base \347\211\210\346\234\254\345\217\221\350\241\214\350\257\264\346\230\216.pdf" deleted file mode 100644 index c766d7b2eaf6da74e8fc525b595d5bb826b45774..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200207Base/openEuler 1.0 Base \347\211\210\346\234\254\345\217\221\350\241\214\350\257\264\346\230\216.pdf" and /dev/null differ diff --git "a/rdocs/zh/date20200207Base/openEuler 1.0 \345\256\211\350\243\205\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200207Base/openEuler 1.0 \345\256\211\350\243\205\346\214\207\345\215\227.pdf" deleted file mode 100644 index 15bf70973654b6207c6921b5e58756aac752f638..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200207Base/openEuler 1.0 \345\256\211\350\243\205\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/date20200207Base/openEuler 1.0 \345\256\271\345\231\250\347\224\250\346\210\267\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200207Base/openEuler 1.0 \345\256\271\345\231\250\347\224\250\346\210\267\346\214\207\345\215\227.pdf" deleted file mode 100644 index 41141857a5e3251a251f8e2cc3d17d1a3dea0525..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200207Base/openEuler 1.0 \345\256\271\345\231\250\347\224\250\346\210\267\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/date20200207Base/openEuler 1.0 \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200207Base/openEuler 1.0 \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" deleted file mode 100644 index 9069a0f35cec4d4876826af08d71223f4790ce91..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200207Base/openEuler 1.0 \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" and /dev/null differ 
diff --git "a/rdocs/zh/date20200207Base/openEuler 1.0 \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" "b/rdocs/zh/date20200207Base/openEuler 1.0 \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" deleted file mode 100644 index f42bf90865210637e48a83cecc6d427cf726035d..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/date20200207Base/openEuler 1.0 \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.pdf" "b/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.pdf" deleted file mode 100644 index e1b232819ded604e5156ba01f582bd2563e0f91f..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\215\207\347\272\247\346\214\207\345\257\274\344\271\246.pdf" "b/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\215\207\347\272\247\346\214\207\345\257\274\344\271\246.pdf" deleted file mode 100644 index 04e04bb92dcdc7265fa18e147d1bd1c857bf1426..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\215\207\347\272\247\346\214\207\345\257\274\344\271\246.pdf" and /dev/null differ 
diff --git "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\256\211\350\243\205\346\214\207\345\215\227.pdf" "b/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\256\211\350\243\205\346\214\207\345\215\227.pdf" deleted file mode 100644 index 6c2b9eef6dea506d9cc731b4aa83054a3163e45c..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\256\211\350\243\205\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\256\271\345\231\250\347\224\250\346\210\267\346\214\207\345\215\227.pdf" "b/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\256\271\345\231\250\347\224\250\346\210\267\346\214\207\345\215\227.pdf" deleted file mode 100644 index ce957156f9c572455eaa16eb7f627258d7244cb4..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\256\271\345\231\250\347\224\250\346\210\267\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\272\224\347\224\250\345\274\200\345\217\221\346\214\207\345\215\227.pdf" "b/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\272\224\347\224\250\345\274\200\345\217\221\346\214\207\345\215\227.pdf" deleted file mode 100644 index 7b120d4c9d07fbd2822b457b233c55e57d4cc4c3..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \345\272\224\347\224\250\345\274\200\345\217\221\346\214\207\345\215\227.pdf" and /dev/null differ 
diff --git "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \347\211\210\346\234\254\345\217\221\350\241\214\350\257\264\346\230\216.pdf" "b/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \347\211\210\346\234\254\345\217\221\350\241\214\350\257\264\346\230\216.pdf" deleted file mode 100644 index 39fcb1398029a87f3c2d499a9bbf1643f34e2f17..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \347\211\210\346\234\254\345\217\221\350\241\214\350\257\264\346\230\216.pdf" and /dev/null differ diff --git "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" "b/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" deleted file mode 100644 index 262ef388677ae150e2062085396e1aed6e1235c9..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \347\256\241\347\220\206\345\221\230\346\214\207\345\215\227.pdf" and /dev/null differ diff --git "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" "b/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" deleted file mode 100644 index 072b911c841e83f70865a171eb7df99f4357b874..0000000000000000000000000000000000000000 Binary files "a/rdocs/zh/openEuler 20.03 LTS_20200324/openEuler 20.03 LTS \350\231\232\346\213\237\345\214\226\347\224\250\346\210\267\346\214\207\345\215\227.pdf" and /dev/null differ diff --git a/themes/project/.travis.yml b/themes/project/.travis.yml deleted file mode 100644 index baaea454a3f0e7ee7f045783d88f4c10add3e56e..0000000000000000000000000000000000000000 --- a/themes/project/.travis.yml +++ /dev/null 
@@ -1,2 +0,0 @@ -language: generic -script: docker run --rm -it -v $(pwd)/exampleSite:/src -v $(pwd):/src/themes/hugo-book klakegg/hugo:ext-alpine --enableGitInfo=false diff --git a/themes/project/LICENSE b/themes/project/LICENSE deleted file mode 100644 index e7a669ab2fdc6f7401b8472af82b0444db0ec8ed..0000000000000000000000000000000000000000 --- a/themes/project/LICENSE +++ /dev/null @@ -1,20 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2018 Alex Shpak - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/themes/project/README.md b/themes/project/README.md deleted file mode 100644 index 35f45040833b81f824c6a27836a57a88e765049d..0000000000000000000000000000000000000000 --- a/themes/project/README.md +++ /dev/null 
@@ -1,275 +0,0 @@ -# Hugo Book Theme - -[![Build Status](https://travis-ci.org/alex-shpak/hugo-book.svg?branch=master)](https://travis-ci.org/alex-shpak/hugo-book) -[![Hugo](https://img.shields.io/badge/hugo-0.55-blue.svg)](https://gohugo.io) -[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE) - -### [Hugo](https://gohugo.io) documentation theme as simple as plain book - -![Screenshot](https://github.com/alex-shpak/hugo-book/blob/master/images/screenshot.png) - -- [Features](#features) -- [Installation](#installation) -- [Menu](#menu) -- [Configuration](#configuration) -- [Shortcodes](#shortcodes) -- [Contributing](#contributing) - -## Features - -- Clean simple design -- Mobile friendly -- Customisable -- Designed to not interfere with other layouts -- Zero initial configuration -- Handy shortcodes - -## Requirements - -- Hugo 0.55 or higher -- Hugo extended version, read more [here](https://gohugo.io/news/0.48-relnotes/) - -## Installation - -Navigate to your hugo project root and run: - -``` -git submodule add https://github.com/alex-shpak/hugo-book themes/book -``` - -Then run hugo (or set `theme = "book"`/`theme: book` in configuration file) - -``` -hugo server --minify --theme book -``` - -### Creating site from scratch - -Below is example how to create new site from scratch - -```sh -hugo new site mydocs; cd mydocs -git init -git submodule add https://github.com/alex-shpak/hugo-book themes/book -cp -R themes/book/exampleSite/content . -``` - -```sh -hugo server --minify --theme book -``` - -## Menu - -### File tree menu (default) - -By default theme will render pages from `content/docs` section as menu in a tree structure. -You can set `title` and `weight` in front matter of pages to adjust order and titles in menu. - -### Leaf bundle menu - -You can also use leaf bundle and content of it's `index.md` as menu. 
-Given you have this file structure - -``` -├── content -│ ├── docs -│ │ ├── page-one.md -│ │ └── page-two.md -│ └── posts -│ ├── post-one.md -│ └── post-two.md -``` - -Create file `content/docs/menu/index.md` with content - -```md -+++ -headless = true -+++ - -- [Book Example](/docs/) - - [Page One](/docs/page-one) - - [Page Two](/docs/page-two) -- [Blog](/posts) -``` - -And Enable it by settings `BookMenuBundle: /menu` in Site configuration - -- [Example menu](https://github.com/alex-shpak/hugo-book/blob/master/exampleSite/content/menu/index.md) -- [Example config file](https://github.com/alex-shpak/hugo-book/blob/master/exampleSite/config.yaml) -- [Leaf bundles](https://gohugo.io/content-management/page-bundles/) - -## Blog - -Simple blog supported for section `posts` - -## Configuration - -### Site Configuration - -There are few configuration options you can add to your `config.toml` file. -You can also see `yaml` example [here](https://github.com/alex-shpak/hugo-book/blob/master/exampleSite/config.yaml). - -```toml -# (Optional) Set this to true if you use capital letters in file names -disablePathToLower = true - -# (Optional) Set this to true to enable 'Last Modified by' date and git author -# information on 'doc' type pages. -enableGitInfo = true - -# (Optional) Theme is intended for documentation use, therefore it doesn't render taxonomy. -# You can remove related files with config below -disableKinds = ['taxonomy', 'taxonomyTerm'] - -[params] -# (Optional, default 6) Set how many table of contents levels to be showed on page. 
-# Use false to hide ToC, note that 0 will default to 6 (https://gohugo.io/functions/default/) -# You can also specify this parameter per page in front matter -BookToC = 3 - -# (Optional, default none) Set leaf bundle to render as side menu -# When not specified file structure and weights will be used -BookMenuBundle = '/menu' - -# (Optional, default docs) Specify section of content to render as menu -# You can also set value to "*" to render all sections to menu -BookSection = 'docs' - -# (Optional) This value is duplicate of $link-color for making active link highlight in menu bundle mode -# BookMenuBundleActiveLinkColor = '\#004ed0' - -# Set source repository location. -# Used for 'Last Modified' and 'Edit this page' links. -BookRepo = 'https://github.com/alex-shpak/hugo-book' - -# Enable 'Edit this page' links for 'doc' page type. -# Disabled by default. Uncomment to enable. Requires 'BookRepo' param. -# Path must point to 'content' directory of repo. -BookEditPath = 'edit/master/exampleSite/content' - -# (Optional, default January 2, 2006) Configure the date format used on the pages -# - In git information -# - In blog posts -BookDateFormat = 'Jan 2, 2006' - -# (Optional, default true) Enables search function with lunr.js, -# Index is built on fly, therefore it might slowdown your website. -BookSearch = true -``` - -### Page Configuration - -You can specify additional params per page in front matter - -```toml -# Set type to 'docs' if you want to render page outside of configured section or if you render section other than 'docs' -type = 'docs' - -# Set page weight to re-arrange items in file-tree menu (if BookMenuBundle not set) -weight = 10 - -# (Optional) Set to mark page as flat section in file-tree menu (if BookMenuBundle not set) -bookFlatSection = true - -# (Optional) Set true to hide page or section from side menu (if BookMenuBundle not set) -bookHidden = true - -# (Optional) Set how many levels of ToC to show. 
use 'false' to hide ToC completely -bookToC = 3 -``` - -### Partials - -There are few empty partials you can override in `layouts/partials/` - -| Partial | Placement | -| ----------------------------------------------- | -------------------------------------- | -| `layouts/partials/docs/inject/head.html` | Before closing `` tag | -| `layouts/partials/docs/inject/body.html` | Before closing `` tag | -| `layouts/partials/docs/inject/footer.html` | After page content | -| `layouts/partials/docs/inject/menu-before.html` | At the beginning of `