- A Certificate Authority is a trusted third-party organization that issues digital certificates such as SSL Certificates after verifying the information included in the Certificates.

SSL and TLS terms are often used in confusing ways:

• SSL (Secure Sockets Layer) is the original protocol implementation. SSLv3 is still allowed by Dovecot, but it’s rarely used. Some clients use SSL to mean that they’re going to connect to the imaps (993), pop3s (995) or smtps (465) port, although they’re still going to use TLSv1 protocol.
• TLS (Transport Layer Security) replaced the SSL protocol. TLSv1 protocol is used practically always nowadays. Some clients use TLS to mean that they’re going to use STARTTLS command after connecting to the standard imap (143), pop3 (110) or smtp port (25/587). Nothing would prevent using SSLv3 protocol after STARTTLS command.

Using two separate ports for plaintext and SSL connections was thought to be wasteful, so STARTTLS intended to deprecate the SSL ports (imaps, pop3s, smtps, etc). This never really happened, probably because of two reasons:

• Some admins don’t even know about STARTTLS.

• Some admins want to require SSL/TLS, but don’t realize that this is also possible with STARTTLS (Dovecot has disable_plaintext_auth=yes and ssl=required settings).

• Some admins understand everything, but still prefer to allow only SSL ports. This could be because it makes it easier to ensure that no information is leaked, because SSL/TLS handshake happens immediately. Some clients unfortunately try to do plaintext authentication without STARTTLS, even when IMAP server has told the client that it won’t work.

Unfortunately there doesn’t seem to be any clear and simple way to refer to these different meanings.

SSL term is much more widely understood than TLS, so Dovecot configuration and this documentation only talks about SSL when in fact it means both SSL/TLS.

• Creating SSL certificates

• Configuring Dovecot to use SSL certificates

• Importing CAs and self-signed SSL certificates to clients

• SSL works pretty much the same universally, so for more information about SSL you can see for example Apache’s documentation.

• Dovecot uses OpenSSL, so whatever information you find about it applies also to Dovecot.

VMWARE ESXi 有很多改进，但是也有一些致命的缺陷。最近因为客户项目要部署上百台Dell R610服务器，但是却发现无法实现硬件级别的监控，确实很致命，如下搜索自网络，也有不少人碰到了同样的问题。

Stewart Wrote:

Folks,

Before getting in too deep with this I thought I’d ask the list to see
if others are experiencing a similar issue or have similar concerns.

Intermapper provides us with a single place to look to check that “our
world” is OK. “Our world” consists of network components, servers &
where possible, services. Polled maps with status denoted by colours are
a good thing. Alerts via Emails, snmp traps may get lost/be
undeliverable (& we do use them) – but a polled map tells the viewer
“how it is”. If the view of “our world” is less than optimal – then this
prompts our staff to use the best diagnostic tool – to look at the
problem in detail (often a proprietary tool).

Our VMWARE estate is included in this. Host VMWARE servers are polled &
information retrieved via SNMP eg Interface information, host resources
information, server status (RAID, FANS, Temp, Power Supplies, etc etc).

Our server team are moving from VMWARE ESX 4 to VMWARE ESXi 4.1 (as
VMWARE themselves are moving) & it would appear that in ESXi, VMWARE are
favouring CIM/WBEM rather than SNMP; as a result the information
available via SNMP is now much less. Although we get interface stats –
we have lost Host Resources & server status info (RAID etc). We use HP
servers – but the problem of retrieving info from management agents via
SNMP is also true for DELL, I believe.

So, for example, in the event of a RAID/Power supply problem that has
the potential to threaten a live service – we are now reliant on far
fewer sets of eyes (ie just the primary vmware admins running their
proprietary tool)

Is anyone else wrestling with this loss of visibility of critical
systems information ?

Regards


Stewart
–

Reply by: jfroot

Hi Stewart, we have a very similar concern/issue to you.

We use numerous Dell R610 servers in our environment. When they have Linux installed on them as the OS, it is quite easy to use Intermapper to monitor the system health by installing the Dell OMSA agent and using SNMP coupled with the Dell Server Probe. All hardware faults including Power Supplies, Disks, fans etc. wil trigger an alarm on the probe.

Recently we have started to roll-out an ESXi environment on Dell r610s. And here’s where we run into trouble. ESXi has no SNMP agent for hardware health that we can monitor. And, the Guest OS’s have no visibility into the hardware state. We are left with few options though. However none of them seem to work for us perfectly yet.

1) Use Vmware VCenter server to monitor ESXi hosts and send out SNMP traps to intermapper. This will only work if you are using VCenter server though. Additionally, the traps sent out are not well documented so a complex trap handler will likely have to be written.

2) Use the Dell iDRAC BMC(lom) to monitor hardware health via IPMI. This is what we are currently doing using the in-built IPMI probe. For us though it seems quite peoblematic:

a) It has periodic trouble authenticating that randomly occurs, which makes the box appear as down for a time.
b) It does not alarm on power supply failures; it shows 0 Volts but no alarm is triggered. I cannot test other hardware failures easily so am dubious on its detection abilities.
c) CPU temperatures are reported as -41 degrees. I assume this is just a sign error in the code.
d) The Dell BMC runs on a different IP than the ESXi host. As you cannot group devices of different IP addresses I have to have 2 boxes that infact represnt one host. 1 Box for the BMC and 1 Box for the ESXi OS.

3) Use the Dell BMC to send out traps to Intermapper for hardware events. After loading in a cacophony of MIBS and their dependencies from Dell the traps received are still not useful. The Dell MIB (DcAsfSrv.mib) uses the DESCRIPTION field for teh ASCII representation of what the trap is. Intermapper does not handle the DESCRIPTION field and merely reports SpecificTrap number.. which is useless unless you want to have a large table you would then look that up against. Someone could probably write a custom trap handler that would use the SpecificTrap number to set some ASCII.

These are all the options I’ve come up with so far. If you or anyone else has any ideas that may be better, please let me know. I still and not comfortable that we are monitoring system health in a reliable manner.

–
J

通过搜索发现是因为装系统的时候在flash里的 TTY flag位不正确了，参考链接： http://docs.sun.com/source/820-2853-11/RelNotes.html ，

If you create a Solaris Flash archive on a non-Sun SPARC Enterprise M4000/M5000 sun4u server and install it on a Sun SPARC Enterprise M4000/M5000 sun4u server, the console’s TTY flags will not be set correctly. This can cause the console to lose characters during stress.

然后通过如下命令重置后就好了。

Just after installing Solaris OS from a Solaris Flash archive, telnet into the Sun SPARC Enterprise M4000/M5000 server to reset the console’s TTY flags as follows:

   # sttydefs -r console
   # sttydefs -a console -i "9600 hupcl opost onlcr crtscts" -f "9600"

This procedure is required only once.

来自: http://www.drbd.org/docs/about/

来自: http://www.linbit.com/en/products-services/

The Distributed Replicated Block Device (DRBD) is a software-based, shared-nothing, replicated storage solution mirroring the content of block devices (hard disks, partitions, logical volumes etc.) between servers.

DRBD mirrors data

DFS 提供高效方便的分布式文件系统，但是不正当的使用会造成麻烦，甚至灾难，如下文章为系统管理者在使用DFS需要注意的地方

转载来自: http://www.kendalvandyke.com/2009/07/things-you-need-to-know-if-you-use-dfs.html

作者: Kendal Van Dyke

In addition to being a SQL DBA I’m also a network administrator, or at least I pretend to be. This is a bit off-topic from my usual SQL Server fare, but I figured my pain is your gain. Today, July 31, is System Administrator Appreciation Day . If you use DFS Replication in your company, give your sysadmin a gift by forwarding this on to him\her.

Background – What Is DFS Anyways?
DFS, or Distributed File System , is a feature built into Windows Server that allows you to organize multiple SMB shares into a single DFS share. Accessing the DFS share automatically redirects (under the covers) to one of the SMB shares that are part of the group. It’s a neat bit of technology that provides location transparency and redundancy simultaneously. Another part of DFS is the ability to replicate changes made to a file (or files) in one of the SMB shares to all of the other SMB shares in the group. Prior to Windows Server 2003 R2 this feature was called File Replication Service and, while it worked, it was less than efficient because any change to a file resulted in the entire file being copied (imagine making a 1 line change to a 100 MB file). Beginning with Server 2003 R2 it was renamed to DFS Replication . Along with it came some nice improvements which included scheduling, bandwidth throttling, and most importantly Remote Differential Compression which detects and replicates only the part of the file which changed and not the entire file.

DFS (and DFS replication) is really nifty when it works. My company uses it to keep content synchronized on servers across multiple datacenters. However, there are a few caveats that you need to be aware of. I’ll call them lessons learned, and unfortunately I had to learn them the hard way. I’m going to share them with you in the hopes that you won’t have to go through the same pain that I did.

Lesson #1 – Be Very Careful When Removing And Re-Adding Members To A DFS Replication Group
Let’s pretend you’ve got DFS Replication set up and you want to add a server (referred to as a member) into your group. You start with a blank target directory on the member and a short while after adding it to the group it gets populated with the files & folders from the other members in the group. At some point in the future you need to remove that member temporarily and then re-add it. Thinking you need to start with a blank target directory like the first time you wipe the directory clean and then add the member back to the group. A short time later you start to see the opposite of what you expect – instead of the member receiving the files & folders from the other members they start disappearing from every member in the group. What the heck happened?!?

It turns out that when you delete a member from a DFS replication group information about the member isn’t actually deleted from the DFS replication database. Instead, the member is marked with a 30-day tombstone flag. If the member is added back into the DFS replication group the flag is deleted and the original objects for the member are reused. Any changes made to the recently re-added member are then replicated to the other members. So deleting those files from the member before re-adding it? They get picked up and replicated to the other members.

This “feature” and 3 workarounds are documented in Microsoft KB article 961655 . Do yourself a favor and read it.

Lesson #2 – Back Up Your DFS Shares
Lesson #1 leads to lesson #2, which should a no brainer – Back up your DFS shares. DFS Replication will replicate all changes to files, including deletes. Would you like to explain to management how you just lost all your files permanently because someone mistakenly deleted all of them and you weren’t taking backups? I wouldn’t.

Lesson #3 – Recover Deleted Files In A Pinch
Suppose you didn’t learn from lesson #2, files got deleted by mistake, and you don’t have backups. All hope is not lost. It turns out that DFS Replication keeps a hidden, private folder which contains a copy of the deleted files. It’s limited in size so it’s not foolproof but it just might save you in a pinch.

Ned Pyle , a Technical Lead for the Directory Services team at Microsoft, posted a handy VB Script that you can use to restore data if you’re in disaster recovery mode. I’ve used it and it saved my butt. By the way, remember lesson #2 about backing up your DFS shares? (hint, hint)

Lesson #4 – Files With The Temporary Attribute Won’t Replicate
Filters can be applied to exclude files from replicating based on their extension (e.g. .BAK), but what about when a non-excluded file just won’t seem to replicate? It might have the temporary attribute set. DFS Replication won’t pick up changes to those files. You wouldn’t know that unless you found the single line mentioning it in this TechNet article (see if you can find the line!) or came across this post on the Microsoft Storage Team’s blog.

How do you fix that? One way is to use Robocopy to strip the temporary attribute off the file(s) when copying into the DFS share. The switch is: /A-:T

Lesson #5 – Monitor DFS Replication Performance
One big downside to DFS Replication is that unlike other Microsoft products there’s no shiny GUI to monitor DFS replication performance. That doesn’t mean it can’t be done – it just requires a little extra work. There’s a command line executable included with DFS called dfsradmin that will create an HTML report showing DFS Replication’s health status. There’s a nice writeup here and here on how to automate DFS replication health reports. I highly recommend that you take the time to read it and implement your own automated reports.

Conclusion
I hope that my lessons learned the hard way will save you some of the pain that I had to go through. Despite the hiccups that I’ve had with DFS I remain a big fan of using it to keep content synchronized across multiple locations. One last bit of advice – be sure to check out the File Cabinet blog from the Storage Team at Microsoft . It’s a fantastic resource for DFS information that’s helped me out many times and will no doubt help you too.

The cmdlet allows far more complex execution than Netdom. You can use items such as the organizational unit location of the computer account, credentials, and computer name in the command. Run the command Get-Help Add-Computer for all the syntax options.

NAME
Add-Computer

SYNOPSIS
Add the local computer to a domain or workgroup.


SYNTAX
Add-Computer [-DomainName] <string> [-Credential <PSCredential>] [-OUPath <string>] [-Server <string>] [-Unsecure] [-PassThru] [-Confirm] [-WhatIf] [<CommonParameters>]

Add-Computer [-WorkGroupName] <string> [-Credential <PSCredential>] [-PassThru] [-Confirm] [-WhatIf] [<CommonParameters>]


DESCRIPTION
The Add-Computer cmdlet adds the local computer to a domain or workgroup, or moves it from one domain to another. It also creates a domain account if the computer is added to the domain without an accou
nt.

You can use the parameters of this cmdlet to specify an organizational unit (OU) and domain controller or to perform an unsecure join.

To get the results of the command, use the Verbose and PassThru parameters.

RELATED LINKS
Online version: http://go.microsoft.com/fwlink/?LinkID=135194
Checkpoint-Computer
Remove-Computer
Restart-Computer
Restore-Computer
Stop-Computer
Test-Connection

REMARKS
To see the examples, type: “get-help Add-Computer -examples”.
For more information, type: “get-help Add-Computer -detailed”.
For technical information, type: “get-help Add-Computer -full”.

===============================================================

Heartbeat提供了高可用集群最基本的功能，例如，节点间的内部通信方式、集群合作管理机制、监控工具和失效切换功能等。但是Heartbeat仅仅是个HA软件，它仅能完成心跳监控和资源接管，不会监视它控制的资源或应用程序。要监控资源和应用程序是否运行正常，必须使用第三方的插件，例如ipfail、Mon和Ldirector等。Heartbeat自身包含了几个插件，分别是ipfail、Stonith和Ldirectord。

首先到http://www.linux-ha.org/wiki/Downloads中下载所需软件，分别是Heartbeat、Cluster Glue、Resource Agents。编译的顺序是：先Cluster Glue, 再Resource Agents，然后Heartbeat。另外需要确认安装了autoconf, automake,pkgconfig,libxslt-devel等包

===============================================================

环境

   Linux-master　　10.10.50.217
   Linux-slave　　10.10.50.151
   Linux-web-01　　10.10.50.197
   Linux-web-02　　10.10.50.215
   Virtual_IP:10.10.50.216

===============================================================

Heartbeat

编译安装的时候可能遇到一个问题是

./.libs/libplumb.so: undefined reference to `uuid_parse'
./.libs/libplumb.so: undefined reference to `uuid_generate'
./.libs/libplumb.so: undefined reference to `uuid_copy'
./.libs/libplumb.so: undefined reference to `uuid_is_null'
./.libs/libplumb.so: undefined reference to `uuid_unparse'
./.libs/libplumb.so: undefined reference to `uuid_clear'
./.libs/libplumb.so: undefined reference to `uuid_compare'
collect2: ld returned 1 exit status
gmake[2]: *** [ipctest] Error 1
gmake[2]: Leaving directory `/root/Reusable-Cluster-Components-glue-1.0.6/lib/clplumbing'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/root/Reusable-Cluster-Components-glue-1.0.6/lib'
make: *** [all-recursive] Error 1

　　解决方法：在configure时在后面加上LIBS=’/lib/libuuid.so.1′。这个问题在对三个包进行make的时候都会出现类似的错误，所以make三个包时都要用到，我在编译中没有遇到这个问题。

安装步骤

安装过程中会在INTERNET中校验一些xml文件，会耗费大量时间，要耐心等待。如果报错可能是网络引起，多试几次就行。

一、安装 Reusable-Cluster-Components-glue-1.0.6.tar.bz2

   #groupadd hacluster
   #groupadd haclient
   #useradd hacluster -g hacluster
   #tar -jxf Reusable-Cluster-Components-glue-1.0.6.tar.bz2
   #cd Reusable-Cluster-Components-glue-1.0.6
   #./autogen.sh
   #./configure
   #make
   #make install

这里编译的时候会遇到另外一个问题

cc1: warnings being treated as errors
main.c:64: warning: function declaration isn't a prototype
main.c:78: warning: function declaration isn't a prototype
gmake[2]: *** [main.o] Error 1
gmake[2]: Leaving directory
`/root/Reusable-Cluster-Components-glue-1.0.6/lib/stonith'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/root/Reusable-Cluster-Components-glue-1.0.6/lib'
make: *** [all-recursive] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.55884 (%build)

解决方法：编辑lib/stonith/main.c，将version相关的注释掉

   1、找到其64行，用/* ....*/注释掉。
   2、找到其76到81行 用/* ....*/注释掉。
   3、找到其390到 391 行，用/* ....*/注释掉。

二、安装 Cluster-Resource-Agents-agents-1.0.3

   #tar -jxf Cluster-Resource-Agents-agents-1.0.3.tar.bz2
   #cd Cluster-Resource-Agents-agents-1.0.3
   #./autogen.sh
   #./configure
   #make
   #make install

三、安装 Heartbeat-3-0-STABLE-3.0.3.tar.bz2

   # tar -jxf Heartbeat-3-0-STABLE-3.0.3.tar.bz2
   #cd Heartbeat-3-0-STABLE-3.0.3
   #./bootstrap
   #./ConfigureMe configure
   #make
   #make install

编辑配置文件

   # cp /usr/share/doc/ha.cf /etc/ha.d/

   #cp /usr/share/doc/haresources /etc/ha.d/
   #cp /usr/share/doc/authkeys /etc/ha.d/

heartbeat的配置文件有两个位置/etc/ha.d与/usr/etc/ha.d，将/usr/etc/ha.d中文件全部copy到/etc/ha.d中，删除/usr/etc/ha.d，然后使用命令ln -s /etc/ha.d /usr/etc/ha.d创建软连接

1、配置ha.cf

   debugfile /var/log/ha-debug：该文件保存heartbeat的调试信息
   
   logfile /var/log/ha-log：heartbeat的日志文件
   
   keepalive 2：心跳的时间间隔，默认时间单位为秒
   
   deadtime 30：超出该时间间隔未收到对方节点的心跳，则认为对方已经死亡。
   
   warntime 10：超出该时间间隔未收到对方节点的心跳，则发出警告并记录到日志中。
   
   initdead 120：在某些系统上，系统启动或重启之后需要经过一段时间网络才能正常工作，该选项用于解决这种情况产生的时间间隔。取值至少为deadtime的两倍。

   udpport 694：设置广播通信使用的端口，694为默认使用的端口号。
   
   baud 19200：设置串行通信的波特率。
   
   serial /dev/ttyS0：选择串行通信设备，用于双机使用串口线连接的情况。如果双机使用以太网连接，则应该关闭该选项。
   
   bcast eth0：设置广播通信所使用的网络接口卡。
   
   auto_failback on：heartbeat的两台主机分别为主节点和从节点。主节点在正常情况下占用资源并运行所有的服务，遇到故障时把资源交给从节点并由从节点运行服务。在该选项设为on的情况下，一旦主节点恢复运行，则自动获取资源并取代从节点，否则不取代从节点。

   ping ping-node1 ping-node2：指定ping node，ping node并不构成双机节点，它们仅仅用来测试网络连接。
   
   respawn hacluster /usr/lib/heartbeat/ipfail：指定与heartbeat一同启动和关闭的进程，该进程被自动监视，遇到故障则重新启动。最常用的进程是ipfail，该进程用于检测和处理网络故障，需要配合ping语句指定的ping
   node来检测网络连接。

2、 配置haresources文件

haresources文件用于指定双机系统的主节点、集群IP、子网掩码、广播地址以及启动的服务等。其配置语句格式如下：

node-name network-config <resource-group>
其中node-name指定双机系统的主节点，取值必须匹配ha.cf文件中node选项设置的主机名中的一个，node选项设置的另一个主机名成为从节点。network-config用于设置VIP（虚拟IP，也就是真正对外提供服务的IP）。resource-group用于设置heartbeat启动的服务，该服务最终由双机系统通过集群IP对外提供。

3、配置authkeys文件

authkeys文件用于heartbeat的鉴权设置，共有三种可用的鉴权方式：crc、md5和sha1。三种方式安全性依次提高，但同时占用的系统资源也依次扩大。crc安全性最低，适用于物理上比较安全的网络，sha1提供最为有效的鉴权方式，占用的系统资源也最多。

其配置语句格式如下：
auth <number>
<number> <authmethod> [<authkey>]
举例说明：
auth 1
1 sha1 key-for-sha1
其中键值key-for-sha1可以任意指定，number设置必须保证上下一致。

auth 2
2 crc
crc方式不需要指定键值。
最后，设置authkeys文件权限为600（即-rw——-），命令为：chmod 600 authkeys

===============================================================

LVS

安装步骤

   #tar zxvf ipvsadm-1.24.tar.gz
   #cd ipvsadm-1.24
   #./configure
   #make && make install
   #cp /usr/local/src/Cluster-Resource-Agents-agents-1.0.3/ldirectord/ldirectord.cf /etc/ha.d/

配置ldirectord.cf

# Global Directives
checktimeout=10
checkinterval=3
#fallback=127.0.0.1:80
autoreload=yes
#logfile="/var/log/ldirectord.log"
#logfile="local0"
#emailalert="admin@x.y.z"
#emailalertfreq=3600
#emailalertstatus=all
quiescent=no

# Sample for an http virtual service
virtual=10.10.50.216:80
        real=10.10.50.197:80 gate
        real=10.10.50.215:80 gate
        fallback=127.0.0.1:80 gate
        service=http
        scheduler=wlc
        #persistent=600
        #netmask=255.255.255.255
        protocol=tcp
        checktype=negotiate
        checkport=80
        request="check.html"
        receive="OKAY"
        #virtualhost=www.x.y.z

LVS脚本，在Linux-master、Linux-slave上运行

#!/bin/sh
#director.sh

VIP=10.10.50.216
RIP1=10.10.50.197
RIP2=10.10.50.215

. /etc/rc.d/init.d/functions

case "$1" in
    start)
       echo " start LVS  of DirectorServer"
       /sbin/ifconfig eth0:0 $VIP broadcast $VIP netmask 255.255.255.255 up
       /sbin/route add -host $VIP dev eth0:0
       /sbin/ipvsadm -C
       /sbin/ipvsadm -A -t $VIP:80 -s wlc
       /sbin/ipvsadm -a -t $VIP:80 -r $RIP1:80 -g
       /sbin/ipvsadm -a -t $VIP:80 -r $RIP2:80 -g
       /sbin/ipvsadm
        ;;
    stop)
        echo "close LVS Directorserver"
        ifconfig eth0:0 down
        /sbin/ipvsadm -C
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
esac

客户端脚本，在Linux-web-01、Linux-web-02上运行

#!/bin/sh
#realserver.sh

VIP=10.10.50.216

. /etc/rc.d/init.d/functions

case "$1" in
    start)
        echo "Tunl port starting"
        /sbin/ifconfig lo:0 $VIP netmask 255.255.255.255 broadcast $VIP up
        /sbin/route add -host $VIP dev lo:0
        echo "1" >/proc/sys/net/ipv4/conf/tunl0/arp_ignore
        echo "2" >/proc/sys/net/ipv4/conf/tunl0/arp_announce
        echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
        echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
        sysctl -p
        ;;
    stop)
        echo "Tunl port closing"
        ifconfig lo:0 down
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
esac

我这里客户端上的WEB程序选用的是Nginx，在客户端输入

   #echo "OKAY" > /usr/local/nginx/html/check.html

ipvsadm 的用法和格式如下：

   ipvsadm -A|E -t|u|f
   virutal-service-address:port [-s scheduler] [-p
   
   [timeout]] [-M netmask]
   
   ipvsadm -D -t|u|f virtual-service-address
   
   ipvsadm -C
   
   ipvsadm -R
   
   ipvsadm -S [-n]
   
   ipvsadm -a|e -t|u|f service-address:port -r real-server-address:port
   
   [-g|i|m] [-w weight]
   
   ipvsadm -d -t|u|f service-address -r server-address
   
   ipvsadm -L|l [options]
   
   ipvsadm -Z [-t|u|f service-address]
   
   ipvsadm --set tcp tcpfin udp
   
   ipvsadm --start-daemon state [--mcast-interface interface]
   
   ipvsadm --stop-daemon
   
   ipvsadm -h

命令选项解释：

   
   有两种命令选项格式，长的和短的，具有相同的意思。在实际使用时，两种都可
   
   以。
   
   -A --add-service 在内核的虚拟服务器表中添加一条新的虚拟服务器记录。也就是增加一台新的虚拟服务器。
   
   -E --edit-service 编辑内核虚拟服务器表中的一条虚拟服务器记录。
   
   -D --delete-service 删除内核虚拟服务器表中的一条虚拟服务器记录。
   
   -C --clear 清除内核虚拟服务器表中的所有记录。
   
   -R --restore 恢复虚拟服务器规则
   
   -S --save 保存虚拟服务器规则，输出为-R 选项可读的格式
   
   -a --add-server 在内核虚拟服务器表的一条记录里添加一条新的真实服务器记录。也就是在一个虚拟服务器中增加一台新的真实服务器
   
   -e --edit-server 编辑一条虚拟服务器记录中的某条真实服务器记录
   
   -d --delete-server 删除一条虚拟服务器记录中的某条真实服务器记录
   
   -L|-l --list 显示内核虚拟服务器表
   
   -Z --zero 虚拟服务表计数器清零（清空当前的连接数量等）
   
   --set tcp tcpfin udp 设置连接超时值
   
   --start-daemon 启动同步守护进程。他后面可以是master 或backup，用来说明LVS Router 是master 或是backup。在这个功能上也可以采用keepalived 的
   
   VRRP 功能。
   
   --stop-daemon 停止同步守护进程
   
   -h --help 显示帮助信息
   
   其他的选项:
   
   -t --tcp-service service-address 说明虚拟服务器提供的是tcp 的服务[vip:port] or [real-server-ip:port]
   
   -u --udp-service service-address 说明虚拟服务器提供的是udp 的服务[vip:port] or [real-server-ip:port]
   
   -f --fwmark-service fwmark 说明是经过iptables 标记过的服务类型。
   
   -s --scheduler scheduler 使用的调度算法，有这样几个选项
   
   rr|wrr|lc|wlc|lblc|lblcr|dh|sh|sed|nq,
   
   默认的调度算法是： wlc.
   
   -p --persistent [timeout] 持久稳固的服务。这个选项的意思是来自同一个客户的多次请求，将被同一台真实的服务器处理。timeout 的默认值为300 秒。
   
   -M --netmask netmask persistent granularity mask
   
   -r --real-server server-address 真实的服务器[Real-Server:port]
   
   -g --gatewaying 指定LVS 的工作模式为直接路由模式（也是LVS 默认的模式）
   
   -i --ipip 指定LVS 的工作模式为隧道模式
   
   -m --masquerading 指定LVS 的工作模式为NAT 模式
   
   -w --weight weight 真实服务器的权值
   
   --mcast-interface interface 指定组播的同步接口
   
   -c --connection 显示LVS 目前的连接 如：ipvsadm -L -c
   
   --timeout 显示tcp tcpfin udp 的timeout 值 如：ipvsadm -L --timeout
   
   --daemon 显示同步守护进程状态
   
   --stats 显示统计信息
   
   --rate 显示速率信息
   
   --sort 对虚拟服务器和真实服务器排序输出
   
   --numeric -n 输出IP 地址和端口的数字形式

===============================================================

启动服务

#/etc/init.d/heartbeat start

另外有两个比较有用的脚本

/usr/share/heartbeat/hb_standby　　#强制将资源漂移到备份节点

/usr/share/heartbeat/hb_takeover　　#强制将资源漂移到主节点

• ::/128 – The address with all zero bits is called the unspecified address (corresponding to 0.0.0.0 in IPv4).
  This address must never be assigned to an interface and is to be used only in software before the application has learned its host’s source address appropriate for a pending connection. Routers must not forward packets with the unspecified address.
  Applications may be listening on one or more specific interfaces for incoming connections, which are shown in listings of active internet connections by a specific IP address (and a port number, separated by a colon). When the unspecified address is shown it means that an application is listening for incoming connections on all available interfaces.

缺省路由/Default Route

• ::/0 – The default unicast route address (corresponding to 0.0.0.0 with netmask 0.0.0.0 in IPv4).

本地地址/Local addresses

• ::1/128 – The loopback address is a unicast localhost address. If an application in a host sends packets to this address, the IPv6 stack will loop these packets back on the same virtual interface (corresponding to 127.0.0.1 in IPv4).
• fe80::/10 – Addresses in the link-local prefix are only valid and unique on a single link. Within this prefix only one subnet is allocated (54 zero bits), yielding an effective format of fe80::/64. The least significant 64 bits are usually chosen as the interface hardware address constructed in modified EUI-64 format. A link-local address is required on every IPv6-enabled interface-in other words, applications may rely on the existence of a link-local address even when there is no IPv6 routing. These addresses are comparable to the auto-configuration addresses 169.254.0.0/16 of IPv4.

Unique local addresses

• fc00::/7 – Unique local addresses (ULA’s) are intended for local communication. They are routable only within a set of cooperating sites (analogous to the private address ranges 10/8, 172.16/12, and 192.168/16 of IPv4).The addresses include a 40-bit pseudorandom number in the routing prefix intended to minimize the risk of conflicts if sites merge or packets are misrouted into the Internet. Despite the restricted, local usage of these addresses, their address scope is global, i.e. they are expected to be globally unique.

Solicited-Node multicast addresses

• ff02::1:ff00:0/104 – The least significant 24 bits of the group ID are filled with the least significant 24 bits of the interface’s unicast or anycast address. These addresses allow link-layer address resolution via Neighbor Discovery Protocol (NDP) on the link without disturbing all nodes on the local network. A host is required to join a Solicited-Node multicast group for each of its configured unicast or anycast addresses.

IPv4 transition

• ::ffff:0:0/96 – This prefix designated an IPv4-mapped IPv6 address. With a few exceptions, this address type allows the transparent use of the Transport Layer protocols over IPv4 through the IPv6 networking application programming interface. Server applications only need to open a single listening socket to handle connections from clients using IPv6 or IPv4 protocols. IPv6 clients will be handled natively by default, and IPv4 clients appear as IPv6 clients at their IPv4-mapped IPv6 address. Transmission is handled similarly; established sockets may be used to transmit IPv4 or IPv6 datagram, based on the binding to an IPv6 address, or an IPv4-mapped address. (See also Transition mechanisms.)
• ::ffff:0:0:0/96 – A prefix used for IPv4-translated addresses which are used by the Stateless IP/ICMP Translation (SIIT) protocol.
• 2002::/16 – This prefix is used for 6to4 addressing. Here, an address from the IPv4 network 192.88.99.0/24 is also used.

Special Purpose Addresses

The IANA has been allocated a so-called ‘Sub-TLA ID’ address block which consists of 64 network prefixes in the range 2001:0000::/29 through 2001:01f8::/29. Three assignments from this block have been made:

• 2001::/32 – Used for Teredo tunneling (which also falls into the category of IPv6 transition mechanisms).
• 2001:2::/48 – Assigned to the Benchmarking Methodology Working Group (BMWG) for benchmarking IPv6 (corresponding to 198.18.0.0/15 for benchmarking IPv4).
• 2001:10::/28 – ORCHID (Overlay Routable Cryptographic Hash Identifiers). These are non-routed IPv6 addresses used for Cryptographic Hash Identifiers.

文档地址/Documentation

• 2001:db8::/32 – This prefix is used in documentation. The addresses should be used anywhere an example IPv6 address is given or model networking scenarios are described (corresponding to 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 in IPv4.)

如下为IANA的 Internet Protocol Version 6 Address Space , IANA更新日期: 2010-08-30

The "unspecified address", the "loopback address",
and the IPv6 Addresses with Embedded IPv4 Addresses are assigned
out of the 0000::/8 address block.

0000::/96 was previously defined as the "IPv4-compatible IPv6
address" prefix.  This definition has been deprecated by [RFC4291].

The "Well Known Prefix" 64:ff9b::/96 used in an algorithmic
mapping between IPv4 to IPv6 addresses is defined out of the
0000::/8 address block, per [RFC-ietf-behave-address-format].

0200::/7 was previously defined as an OSI NSAP-mapped prefix set
[RFC4548]. This definition has been deprecated as of December
2004 [RFC4048].

The IPv6 Unicast space encompasses the entire IPv6 address range
with the exception of FF00::/8. [RFC4291] IANA unicast address
assignments are currently limited to the IPv6 unicast address
range of 2000::/3. IANA assignments from this block are registered
in the IANA registry: [IANA registry ipv6-unicast-address-assignments
                  ].

FEC0::/10 was previously defined as a Site-Local scoped address
prefix. This definition has been deprecated as of September 2004
[RFC3879].

保留的IPv6子网anycast地址

IPv6地址中引入了anycast地址, 它被指定于一个或多个网络接口。如果数据包发向anycast地址, 它会被路由到有这个地址的最近接口处。

地址格式：每个子网中, 最高的128个接口标记值被保留用做子网anycast地址, 地址格式取决于用于这个子网中的IP地址类型(即子网前缀)。IPv6地址需要以EUI-64格式有64位接口标记, 在所有保留的子网anycast地址中全局/本地位必须为’0′, 说明接口标记不是全局唯一的。这种类型的IPv6地址通常使用前缀为：从001到111（不要将多播地址1111 1111包含在内）。这些保留的子网anycast地址结构如下：

对于其它IPv6地址类型, 接口标记可以不是EUI-64格式, 或者不是64位长的保留anycast地址如下构造：

其中子网前缀包括IPv6地址中除了接口标记域的所有域, 这里的接口标记域由7位anycast地址标记形成, 其它位全部是1；但是, 对于EUI-64格式的接口标记, 全局/本地位必须设置为0。保留每个子网的高位地址是为了避免和一些存在的正式或非正式使用的低位地址冲突。只为anycast标记保留128个标记意味着接口标记长度的最小值是8位, 这样可以使子网前缀和接口标准按字节界限对齐。

子网anycast地址列表

如下地址保留的子网anycast地址范围：

十进制	十六进制	描述
127	7F	保留
126	7E	机动IPv6 Home-Agents任播
0-125	00-7D	保留

参考链接:

• Internet Protocol Version 6 Address Space
• IPv6 Address

IP多播要比IP单播和广播更为高效。与单播不同，多播仅发送数据的一个副本。与广播不同，多播流量仅由正在侦听它的计算机进行接收和处理。

IP多播地址（Multicast, 也称为组地址）: D类地址: 在224.0.0.0到239.255.255.255范围内, 这是通过将前四个高序位设置为1110来定义的。在网络前缀或CIDR（Classless Inter-Domain Routing）表示法中，IP多播地址缩写为224.0.0.0/4。 从224.0.0.0到224.0.0.255 (224.0.0.0/24)范围的多播地址保留用于本地子网，而IP报头中的生存时间（Time to Live，TTL）可忽略，它们都不会被IP路由器转发。

在主机和服务器环境中，基本上只使用 224.0.0.0/4为多播地址。

参考链接:

• IP多播概述

参考链接: http://php.net/manual/en/function.header.php

参考链接: http://www.jonasjohn.de/snippets/php/headers.htm

如何查看网站的headers信息，例如: web-sniffer.net, 还有: LiveHTTPHeaders, ieHTTPHeaders , 关于http状态代码，请参考 HTTP1.1 状态代码: http://www.nixway.net/blog/archives/462 ,如下为一些通过 PHP生成HTTP header的例子:

// See related links for more status codes

// Use this header instruction to fix 404 headers
// produced by url rewriting...

header('HTTP/1.1 200 OK');

// Page was not found:
header('HTTP/1.1 404 Not Found');

// Access forbidden:

header('HTTP/1.1 403 Forbidden');

// The page moved permanently should be used for
// all redrictions, because search engines know
// what's going on and can easily update their urls.

header('HTTP/1.1 301 Moved Permanently');

// Server error
header('HTTP/1.1 500 Internal Server Error');

// Redirect to a new location:
header('Location: http://www.example.org/');

// Redriect with a delay:
header('Refresh: 10; url=http://www.example.org/');
print 'You will be redirected in 10 seconds';

// you can also use the HTML syntax:
// <meta http-equiv="refresh" content="10;http://www.example.org/ />

// override X-Powered-By value

header('X-Powered-By: PHP/4.4.0');
header('X-Powered-By: Brain/0.6b');

// content language (en = English)
header('Content-language: en');

// last modified (good for caching)
$time = time() - 60; // or filemtime($fn), etc
header('Last-Modified: '.gmdate('D, d M Y H:i:s', $time).' GMT');

// header for telling the browser that the content
// did not get changed
header('HTTP/1.1 304 Not Modified');

// set content length (good for caching):

header('Content-Length: 1234');

// Headers for an download:
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="example.zip"');
header('Content-Transfer-Encoding: binary');

   // load the file to send:

readfile('example.zip');

// Disable caching of the current document:

 header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');

header('Expires: Mon, 26 Jul 1997 05:00:00 GMT'); // Date in the past

header('Pragma: no-cache');

// set content type:

header('Content-Type: text/html; charset=iso-8859-1');

header('Content-Type: text/html; charset=utf-8');

header('Content-Type: text/plain'); // plain text file

header('Content-Type: image/jpeg'); // JPG picture

header('Content-Type: application/zip'); // ZIP file

header('Content-Type: application/pdf'); // PDF file

header('Content-Type: audio/mpeg'); // Audio MPEG (MP3,...) file

header('Content-Type: application/x-shockwave-flash'); // Flash animation

// show sign in box

header('HTTP/1.1 401 Unauthorized');

header('WWW-Authenticate: Basic realm="Top Secret"');

print 'Text that will be displayed if the user hits cancel or ';

// Headers for an download:
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="example.zip"');
header('Content-Transfer-Encoding: binary');
// load the file to send:
readfile('example.zip');

本文由 nixway.net 整理