```
├── 00.硬件BIOS配置.md
├── 01.PVE系统安装.md
├── 02.PVE初始化配置.md
├── 03.PVE系统调整.md
├── 04.PVE创建模板虚拟机.md
├── 05.PVE制作虚拟机模板.md
├── 06.PVE制作DNS服务器.md
├── 07.PVE制作TS服务器.md
├── 08.PVE自动备份虚拟机.md
├── LICENSE
├── README.md
├── img
│   ├── p00
│   │   ├── bios_boot_order.jpeg
│   │   ├── bios_c_states.jpeg
│   │   ├── bios_cpu.jpeg
│   │   ├── bios_cpu_vmx.jpeg
│   │   ├── bios_fast_boot.jpeg
│   │   ├── bios_hardware_ac.jpeg
│   │   ├── bios_hardware_monitor.jpeg
│   │   ├── bios_pch.jpeg
│   │   ├── bios_power.jpeg
│   │   ├── bios_power_control.jpeg
│   │   ├── bios_save.jpeg
│   │   ├── bios_save_yeahhhh.jpeg
│   │   ├── bios_smart_fan.jpeg
│   │   ├── bios_smart_fan_config.jpeg
│   │   ├── bios_turbo_max.jpeg
│   │   └── bios_turbo_options.jpeg
│   ├── p01
│   │   ├── pve_download_iso.jpeg
│   │   ├── pve_email.jpeg
│   │   ├── pve_etcher.jpeg
│   │   ├── pve_eth.jpeg
│   │   ├── pve_eula.jpeg
│   │   ├── pve_first_boot.jpeg
│   │   ├── pve_hd_choose.jpeg
│   │   ├── pve_hd_fs.jpeg
│   │   ├── pve_install_confirm.jpeg
│   │   ├── pve_install_finish.jpeg
│   │   ├── pve_ip.jpeg
│   │   ├── pve_iso_hash.jpeg
│   │   ├── pve_mobaxterm.png
│   │   ├── pve_option.jpeg
│   │   ├── pve_rufus.jpeg
│   │   ├── pve_sys_info.jpeg
│   │   ├── pve_termius.jpeg
│   │   ├── pve_timezone.jpeg
│   │   ├── pve_ventoy.jpeg
│   │   ├── pve_ventoy_boot.jpeg
│   │   ├── pve_ventoy_boot_mode.jpeg
│   │   └── pve_win_terminal.png
│   ├── p02
│   │   ├── pve_add_ipv6_dns.jpeg
│   │   ├── pve_br_create.jpeg
│   │   ├── pve_br_last_phyport.jpeg
│   │   ├── pve_br_last_phyport_ipv6.jpeg
│   │   ├── pve_br_nophyport.jpeg
│   │   ├── pve_br_phyport.jpeg
│   │   ├── pve_modify_vmbr0.jpeg
│   │   ├── pve_net_default.jpeg
│   │   ├── pve_net_preview.jpeg
│   │   └── pve_net_schematization.png
│   ├── p04
│   │   ├── download_generic_image_qcow2.jpeg
│   │   ├── vm_boot.jpeg
│   │   ├── vm_ci_details.jpeg
│   │   ├── vm_ci_dns.jpeg
│   │   ├── vm_ci_dns_ula.jpeg
│   │   ├── vm_ci_network_slaac.jpeg
│   │   ├── vm_ci_network_static.jpeg
│   │   ├── vm_cloudinit.jpeg
│   │   ├── vm_confirm.jpeg
│   │   ├── vm_cpu.jpeg
│   │   ├── vm_delete_cd.jpeg
│   │   ├── vm_enable_hd.jpeg
│   │   ├── vm_hardware_all.jpeg
│   │   ├── vm_hd.jpeg
│   │   ├── vm_hd_resize.jpeg
│   │   ├── vm_hd_scale_up.jpeg
│   │   ├── vm_id.jpeg
│   │   ├── vm_mem.jpeg
│   │   ├── vm_network_port.jpeg
│   │   ├── vm_network_queue.jpeg
│   │   ├── vm_notes.jpeg
│   │   ├── vm_os.jpeg
│   │   ├── vm_system.jpeg
│   │   ├── vm_tablet.jpeg
│   │   └── vm_unused_hd.jpeg
│   ├── p05
│   │   ├── os_login.jpeg
│   │   └── vm_to_template.jpeg
│   ├── p06
│   │   ├── vm_clone.jpeg
│   │   ├── vm_clone_autostart.jpeg
│   │   ├── vm_clone_autostart_order.jpeg
│   │   ├── vm_clone_ci_slaac.jpeg
│   │   ├── vm_clone_ci_static.jpeg
│   │   └── vm_clone_vmid.jpeg
│   └── p08
│       ├── vm_job_advanced.jpeg
│       ├── vm_job_keep.jpeg
│       ├── vm_job_normal.jpeg
│       ├── vm_job_notes.jpeg
│       ├── vm_job_time.jpeg
│       ├── vm_job_time_test.jpeg
│       └── vm_new_backup_job.jpeg
└── src
    ├── debian
    │   ├── debian_dns_20auto_upgrades.conf
    │   ├── debian_dns_50unattended_upgrades.conf
    │   ├── debian_dns_99_sysctl.conf
    │   ├── debian_dns_dnsmasq.conf
    │   ├── debian_dns_dnsmasq_cron.conf
    │   ├── debian_dns_smartdns.conf
    │   ├── debian_dns_smartdns_cron.conf
    │   ├── debian_dns_smartdns_plugin.conf
    │   ├── debian_sources.conf
    │   ├── debian_ts_20auto_upgrades.conf
    │   ├── debian_ts_50unattended_upgrades.conf
    │   ├── debian_ts_99_sysctl.conf
    │   ├── debian_ts_dnsmasq.conf
    │   ├── debian_ts_nftables.conf
    │   └── debian_ts_server_modules.conf
    └── pve
        ├── pve_20auto_upgrades.conf
        ├── pve_50unattended_upgrades.conf
        ├── pve_apt_daily_upgrade.conf
        ├── pve_cpufrequtils.conf
        ├── pve_cpupower.conf
        └── pve_cpupower_service.conf
```

--------------------------------------------------------------------------------
/00.硬件BIOS配置.md:
--------------------------------------------------------------------------------

## 1. Virtualization option

Enter the `CPU Configuration` submenu of the `Advanced` menu:

![CPU settings](img/p00/bios_cpu.jpeg)

Check that `Intel (VMX) Virtualization Technology` is set to `Enabled`:

![CPU settings: VMX](img/p00/bios_cpu_vmx.jpeg)
## 2. CPU power

Enter the `Power & Performance` submenu of the `Advanced` menu:

![CPU power](img/p00/bios_power.jpeg)

Enter `CPU - Power Management Control`:

![CPU power control](img/p00/bios_power_control.jpeg)

Check `C states`. The **default** is `Enabled`; if the NIC **cannot reach full line rate**, try disabling this option:

![C-states](img/p00/bios_c_states.jpeg)

Then enter the `View/Configure Turbo Options` submenu of the `HDC Control` menu:

![Turbo options](img/p00/bios_turbo_options.jpeg)

Check the following items and adjust them as needed to change the power limit:

- `Power Limit 1 Override`: `Enabled`
- `Power Limit 1`: `50000`
- `Power Limit 1 Time Window`: the maximum, `128`

![Turbo options confirmed](img/p00/bios_turbo_max.jpeg)

## 3. Fan control

Enter the `Hardware Monitor` submenu of the `Advanced` menu:

![Hardware monitor](img/p00/bios_hardware_monitor.jpeg)

Enter `Smart Fan Function`:

![Fan status](img/p00/bios_smart_fan.jpeg)

The temperature-controlled fan parameters can be adjusted here:

![Fan settings](img/p00/bios_smart_fan_config.jpeg)

## 4. Power on after AC loss

Enter the `PCH-IO Configuration` submenu of the `Chipset` menu:

![PCH-IO configuration](img/p00/bios_pch.jpeg)

Confirm that `State After G3` is set to `Power On`:

![Power on after AC loss](img/p00/bios_hardware_ac.jpeg)

## 5. Fast boot

After PVE has been installed, enter the `Boot` menu and set `Fast Boot` to `Enabled`:

![Fast boot](img/p00/bios_fast_boot.jpeg)

Adjust the boot order: make `Proxmox` the first boot entry and disable the other entries:

![Boot order](img/p00/bios_boot_order.jpeg)

Finally, save the BIOS settings with `Save Changes and Exit`:

![Save BIOS](img/p00/bios_save.jpeg)

Use the left/right arrow keys to select `yes` and press Enter to save:

![Confirm save](img/p00/bios_save_yeahhhh.jpeg)

--------------------------------------------------------------------------------
/01.PVE系统安装.md:
--------------------------------------------------------------------------------

## 0. Preparation

Before installing PVE, prepare the PVE installation image and a few supporting tools.
### 0.1. PVE image download

PVE download page: [Proxmox Virtual Environment](https://www.proxmox.com/en/downloads/proxmox-virtual-environment/iso)

The page lists several PVE-related files; this guide uses the current latest release, `Proxmox VE 8.3-1 ISO Installer`.

Click the `Proxmox VE 8.x ISO Installer` link to open the PVE download page.

![PVE download page](img/p01/pve_download_iso.jpeg)

When downloading the ISO, note the `SHA256SUM`; it will be used later to verify the downloaded ISO and confirm the file is intact.

![Download PVE](img/p01/pve_iso_hash.jpeg)

### 0.2. Boot media tools

Since the operating system used to write the PVE boot media may be Windows, macOS or Linux, a few common imaging tools are recommended here.

#### Ventoy

Official site: https://www.ventoy.net/cn/index.html

A highly recommended boot-media tool; its advantage is that several bootable ISO files can be placed on a single USB drive.

This avoids reformatting the USB drive and rewriting an ISO every time, which is very convenient.

Its drawback is that only Windows and Linux are supported.

![Ventoy imaging tool](img/p01/pve_ventoy.jpeg)

#### Etcher

Official site: https://etcher.balena.io/

A cross-platform, open-source imaging tool that writes quickly; its drawback is that the program is large and slow to download.

Supports Windows, macOS and Linux.

![Etcher imaging tool](img/p01/pve_etcher.jpeg)

#### Rufus

Official site: https://rufus.ie/zh/

A small, lightweight imaging tool; Windows only.

![Rufus imaging tool](img/p01/pve_rufus.jpeg)

### 0.3. Terminal tools

Configuring the PVE server, the router and the DNS server requires entering commands in a CLI, so a few common terminal tools are recommended here.

#### Windows Terminal

Official site: https://aka.ms/terminal

Microsoft's official terminal; available from GitHub or the Microsoft Store.

![Windows Terminal](img/p01/pve_win_terminal.png)

#### Termius

Official site: https://termius.com/

An enterprise-grade terminal that supports Windows, macOS, Linux and mobile systems.

![Termius](img/p01/pve_termius.jpeg)

#### MobaXterm

Official site: https://mobaxterm.mobatek.net

A powerful terminal tool; Windows only.

![MobaXterm](img/p01/pve_mobaxterm.png)
## 1. PVE installation

BIOS settings differ between machine models, so this guide does not show how to configure a specific machine to boot from USB.

Note the following when configuring the BIOS:

- It is recommended to temporarily disable **Secure Boot**

- Make sure hardware virtualization support is enabled

- Make sure the device powers on automatically when power is restored

- For devices that do not support `UEFI` boot, check the `Legacy` boot mode

- Check the CPU power settings (optional)

### 1.1. Booting the device

After booting the device with Ventoy, the following screen appears; select the PVE installation ISO.

![Ventoy boot](img/p01/pve_ventoy_boot.jpeg)

Start with the `Boot in normal mode` option; once the boot messages finish scrolling, the PVE installer appears.

![Ventoy boot mode](img/p01/pve_ventoy_boot_mode.jpeg)

### 1.2. PVE installer options

The new PVE installer can be operated entirely from the keyboard; the common shortcuts are as follows.

|Key|Function|Description|
|--|--|--|
|Esc|Back|Return to the previous step|
|Enter|Confirm|Confirm input, activate an option or go to the next step|
|Arrow keys|Navigate|Select options or move the input focus|
|Tab|Navigate|Similar to the arrow keys|
|ALT + N|Next|Go to the next step|

Use the `arrow keys` to select the first entry, `Install Proxmox VE (Graphical)`, and press `Enter` to continue.

![PVE installer options](img/p01/pve_option.jpeg)

The device continues to print boot messages until the end-user licence agreement (EULA) appears; press `ALT + N` to continue.

![PVE EULA](img/p01/pve_eula.jpeg)

### 1.3. PVE disk options

The `Target Harddisk` option now appears, listing the disks present in the device; choose the disk to install PVE on from the drop-down.

![PVE target disk](img/p01/pve_hd_choose.jpeg)

Click `Options` to the right of the disk list to adjust the disk installation parameters.

It is recommended to set `Filesystem`, the disk's file system, to `xfs`.

![PVE filesystem](img/p01/pve_hd_fs.jpeg)

### 1.4. PVE time zone

At this point PVE is "offline" with no network, so it cannot read time-zone information from the Internet and the time zone must be set manually.

Type `China` in the `Country` field; `Time zone` below changes automatically to `Asia/Shanghai`.

![PVE time zone](img/p01/pve_timezone.jpeg)

### 1.5. PVE account and e-mail

PVE is the most critical layer of the virtualization stack, so use a strong password containing upper- and lower-case letters, digits and special characters.

`Email` must be a syntactically "valid" address, otherwise the installer treats it as invalid and refuses to continue.

![PVE e-mail settings](img/p01/pve_email.jpeg)
### 1.6. PVE network settings

By default, PVE uses the first network port, the one with the lowest number, as the management port.

On some devices the physical port order does **not** match the order shown on this page, so keep the default setting for now.

![PVE management port](img/p01/pve_eth.jpeg)

The FQDN is PVE's domain; PVE uses the host part of the FQDN as its hostname.

In this guide the FQDN is `node01.fox.internal`, so the PVE hostname is `node01`.

According to the plan, PVE's IPv4 management address is `172.16.1.254`.

The future main router's IPv4 address will be `172.16.1.1`, so that address is used as both PVE's gateway and its DNS server.

Once PVE is installed, the management port settings will be adjusted further from the PVE web interface.

|Parameter|Value|Description|
|--|--|--|
|Hostname (FQDN)|`node01.fox.internal`|PVE `domain` and `hostname`|
|IP Address (CIDR)|`172.16.1.254/24`|PVE IPv4 address|
|Gateway|`172.16.1.1`|PVE IPv4 gateway|
|DNS Server|`172.16.1.1`|PVE IPv4 DNS|

![PVE management IP](img/p01/pve_ip.jpeg)

### 1.7. PVE summary

This page shows an overview of the current installation configuration; once it is confirmed, installation begins.

![PVE install confirmation](img/p01/pve_install_confirm.jpeg)

When installation finishes, PVE shows the `IP address` and `port` to log in with.

![PVE install finished](img/p01/pve_install_finish.jpeg)
## 2. Post-install checks

PVE reboots automatically after installation. Once the reboot completes, the following screen appears; log in as `root` with the management password set earlier.

**Note: Linux shows no characters while a password is typed; just press Enter when done.**

![PVE first boot](img/p01/pve_first_boot.jpeg)

After logging in, run a few commands to view basic system information.

```bash
## Show disks and mounts
$ df -hT

$ df -hiT

$ cat /etc/fstab

## Show the release codename
$ cat /etc/os-release
```

This shows that PVE runs on Debian, codename `bookworm`; the codename is needed later.

![PVE system info](img/p01/pve_sys_info.jpeg)

This completes the PVE installation.

--------------------------------------------------------------------------------
/02.PVE初始化配置.md:
--------------------------------------------------------------------------------

## 1. Switching package sources

In the previous article, [01.PVE系统安装](./01.PVE系统安装.md), some system parameters were read from the freshly installed PVE system.

![PVE system info](img/p01/pve_sys_info.jpeg)

This shows that PVE runs on Debian, codename `bookworm`.

To be able to upgrade PVE later, its mirror repositories, better known as the package sources, need to be replaced.

Since the installation is still **"offline"**, the system cannot be updated after switching sources until it has network access.

### 1.1. System sources

Log in to the PVE server with a terminal tool and first back up the existing source configuration.

```bash
## Enter the apt configuration directory
$ cd /etc/apt

## Show the default mirror configuration
$ cat sources.list

## Back up the default source configuration file
$ cp sources.list sources.list.bak
```

The default mirror configuration is as follows.

```bash
deb http://ftp.debian.org/debian bookworm main contrib

deb http://ftp.debian.org/debian bookworm-updates main contrib

# security updates
deb http://security.debian.org bookworm-security main contrib
```

Here I replace them with the [USTC (University of Science and Technology of China)](http://mirrors.ustc.edu.cn/help/proxmox.html) mirrors using the following commands.

**Note: these are two commands; enter them one line at a time and press Enter after each.**

```bash
## Replace the system package repositories

$ sed -i 's|^deb http://ftp.debian.org|deb https://mirrors.ustc.edu.cn|g' /etc/apt/sources.list

$ sed -i 's|^deb http://security.debian.org|deb https://mirrors.ustc.edu.cn/debian-security|g' /etc/apt/sources.list
```

To be able to update the CPU `microcode`, the `non-free` and `non-free-firmware` components must be added manually; a complete example of the system sources follows.

```bash
deb https://mirrors.ustc.edu.cn/debian/ bookworm main contrib non-free non-free-firmware

deb https://mirrors.ustc.edu.cn/debian/ bookworm-updates main contrib non-free non-free-firmware

# security updates
deb https://mirrors.ustc.edu.cn/debian-security/ bookworm-security main contrib non-free non-free-firmware
```

### 1.2. PVE sources

By default PVE enables two additional official repositories that require a paid subscription, so they need to be replaced with the free ones.

First create the PVE no-subscription source with the following commands.

```bash
## Create the PVE no-subscription source

$ source /etc/os-release

$ echo "deb https://mirrors.ustc.edu.cn/proxmox/debian/pve $VERSION_CODENAME pve-no-subscription" > /etc/apt/sources.list.d/pve-no-subscription.list
```

For Proxmox Backup Server and Proxmox Mail Gateway, replace `pve` in the command above with `pbs` or `pmg` respectively.

Next create the PVE Ceph no-subscription source; the Ceph repository is installed by default from PVE 8 onward. Run the following.

```bash
## Script to create the PVE Ceph no-subscription source

if [ -f /etc/apt/sources.list.d/ceph.list ]; then
    # Read the Ceph codename (e.g. quincy) from the installed ceph binary
    CEPH_CODENAME=$(ceph -v | grep ceph | awk '{print $(NF-1)}')
    source /etc/os-release
    echo "deb https://mirrors.ustc.edu.cn/proxmox/debian/ceph-$CEPH_CODENAME $VERSION_CODENAME no-subscription" > /etc/apt/sources.list.d/ceph-no-subscription.list
fi
```

Finally, remove the official paid sources.

**Note: `rm` is a high-risk command; use it correctly and do not let your hand slip. Really, do not.**

```bash
## Remove the paid sources
$ rm -rvf /etc/apt/sources.list.d/pve-enterprise.list /etc/apt/sources.list.d/ceph.list
```

After creating them, check the result.

```bash
## Check the PVE no-subscription sources
$ cat /etc/apt/sources.list.d/*
```

If the output contains the USTC mirror addresses, the commands ran correctly.

```bash
#### Example output of the PVE no-subscription sources
deb https://mirrors.ustc.edu.cn/proxmox/debian/ceph-quincy bookworm no-subscription
deb https://mirrors.ustc.edu.cn/proxmox/debian/pve bookworm pve-no-subscription
```
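The two `sed` substitutions above can be exercised and checked without touching `/etc/apt`. The script below is an added example, not part of the original guide: it applies the same rewrites to text on stdin and then verifies that no `deb` line still points at a plain-HTTP mirror, which is the property a practitioner actually cares about after swapping sources (apt signatures protect package integrity, but HTTPS additionally hides what is being fetched and blocks downgrade-to-stale-index tricks by an on-path attacker). The mirror URLs are those from the guide; `SAMPLE_SOURCES` is a constructed copy of the stock `sources.list` shown above.

```bash
#!/bin/sh
# Added example (not from the original guide): rewrite Debian apt source lines
# to the USTC HTTPS mirrors and verify that no plain-HTTP "deb" line remains.
# Works on stdin/stdout so it can be tested on constructed input.

# Mirror URLs as used in the guide's sed commands.
MIRROR_DEBIAN="https://mirrors.ustc.edu.cn"
MIRROR_SECURITY="https://mirrors.ustc.edu.cn/debian-security"

# rewrite_sources: read sources.list text on stdin, write the rewritten text to stdout.
rewrite_sources() {
    sed -e "s|^deb http://ftp.debian.org|deb $MIRROR_DEBIAN|" \
        -e "s|^deb http://security.debian.org|deb $MIRROR_SECURITY|"
}

# count_plain_http: number of active "deb http://..." lines on stdin.
# Non-zero means some repository is still fetched without TLS.
count_plain_http() {
    grep -c '^deb[[:space:]]\{1,\}http://' || true
}

# check_sources <text>: rewrite the text and print "ok" if every deb line is HTTPS,
# "insecure" otherwise.
check_sources() {
    rewritten=$(printf '%s\n' "$1" | rewrite_sources)
    if [ "$(printf '%s\n' "$rewritten" | count_plain_http)" -eq 0 ]; then
        echo ok
    else
        echo insecure
    fi
}

# Constructed sample: the stock Debian sources.list shown in the guide.
SAMPLE_SOURCES='deb http://ftp.debian.org/debian bookworm main contrib
deb http://ftp.debian.org/debian bookworm-updates main contrib
# security updates
deb http://security.debian.org bookworm-security main contrib'

# On a real host (not run here): rewrite_sources < /etc/apt/sources.list
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SOURCES" | rewrite_sources
    check_sources "$SAMPLE_SOURCES"   # ok
fi
```

Run with `--demo` to see the rewritten list; `check_sources` returns `insecure` for any list that still carries an `http://` repository, so it doubles as a quick audit after editing by hand.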
### 1.3. PVE CT sources

To download CT Templates from the Proxmox web interface, the CT Templates source can also be replaced.

This feature is not used for now, so it is only recorded here.

```bash
## Back up the CT Templates source
$ cp /usr/share/perl5/PVE/APLInfo.pm /usr/share/perl5/PVE/APLInfo.pm.bak

## Replace the CT Templates URL
$ sed -i 's|http://download.proxmox.com|https://mirrors.ustc.edu.cn/proxmox|g' /usr/share/perl5/PVE/APLInfo.pm

## Restart the PVE API daemon
$ systemctl restart pvedaemon.service

## Update the CT Templates list
$ pveam update
```

### 1.4. Syncing the mirrors

After switching sources, the package index must be synchronised.

Since the index cannot be synchronised while installing **"offline"**, this step can wait until PVE is properly connected to the Internet.

```bash
## Clean up packages
$ apt clean && apt autoclean && apt autoremove --purge

## Sync the package sources
$ apt update

## Upgrade the system
$ apt full-upgrade
```

## 2. Installing required packages

PVE likewise needs Internet access before packages can be installed.

When `iperf3` is installed, the system asks whether to run it as a service at boot; choose `no`.

`unattended-upgrades` is the automatic update service and will be configured later.

`linux-cpupower` is the configuration tool for the CPU frequency governor; the governor will be adjusted later.

```bash
## Sync the mirrors
$ apt update

## Install system packages
$ apt install btop lm-sensors tmux neovim unzip unattended-upgrades powermgmt-base sshguard

## Install the CPU governor tool
$ apt install linux-cpupower

## Install the microcode package for your CPU vendor (amd64-microcode for AMD)
$ apt install intel-microcode

## Install Open vSwitch (optional)
$ apt install openvswitch-switch

## Install network testing tools (optional)
$ apt install iftop iperf3 iperf

## Update the PCI ID database
$ update-pciids
```

## 3. Configuring the PVE network

Set the computer's IPv4 address to a static address in the same subnet as PVE.

Connect the computer's network port with a cable to PVE's management port, which at this point should be the first (lowest-numbered) port.

Open the PVE web interface and adjust the PVE network.

According to the **network device** plan, the VMs in PVE are planned as follows.

|System|Role|Description|
|--|--|--|
|RouterOS|Main router|PPPoE dial-up|
|Debian12|Linux server|Internal DNS server|
|OpenWrt|Side router|Internal plugin services|

According to the **internal network address** plan, the PVE IP addresses are planned as follows.

|Address type|Role|Value|Description|
|--|--|--|--|
|IPv4|Management address|`172.16.1.254`|PVE IPv4 address|
||Gateway|`172.16.1.1`|PVE IPv4 gateway|
||DNS|`172.16.1.1`|PVE IPv4 DNS server|
|IPv6|Management address|`fdac::fe`|PVE IPv6 address (optional)|
||Gateway|`-`|The IPv6 gateway is configured automatically via `SLAAC`|
||DNS|`fdac::1`|PVE IPv6 DNS server (optional)|

![PVE network plan](img/p02/pve_net_schematization.png)

On first login to the PVE web interface, open the network page; there is only a single `vmbr0`.

`vmbr0` is bound to the first physical port in the list and has values in `CIDR` and `Gateway`, which shows that `vmbr0` is the current management port.

![PVE default network](img/p02/pve_net_default.jpeg)

The PVE network configuration will now be modified. **Do not click "Apply Configuration"** until the changes are complete, otherwise PVE becomes unreachable.

When the PVE internal network is fully configured, it looks like this.

![PVE final bridge configuration](img/p02/pve_net_preview.jpeg)

### 3.1. Modifying vmbr0

Double-click `vmbr0` to open the bridge configuration.

Delete the `IPv4/CIDR` and `Gateway` values and make sure `Autostart` is ticked.

Enter `wan` in the comment field and click `OK`.

![Modify vmbr0](img/p02/pve_modify_vmbr0.jpeg)

### 3.2. Creating bridges

Click the `Create` button at the top left and choose `Linux Bridge`:

![Create a physical-port bridge](img/p02/pve_br_create.jpeg)

Since the name `vmbr0` is taken, name it `vmbr1`.

For the bridge port, enter the name of the second NIC in order, `enp3s0` in this guide.

Make sure `Autostart` is ticked, enter `lan1` in the comment field and click `Create`.

Then create internal bridges for all physical ports in turn, up to the last one, which becomes PVE's management port.

![Assign a physical port](img/p02/pve_br_phyport.jpeg)

### 3.3. Creating the management port

When creating the bridge for the last physical port, additionally configure the `IPv4` address and the matching `Gateway`.

![Bridge for the last physical port](img/p02/pve_br_last_phyport.jpeg)

Additional notes:

1. Unless there is a special need, the PVE host normally does not need IPv6.

2. If the main router has no IPv6 ULA prefix configured (`fdac::/64` in this guide), leave `IPv6/CIDR` empty.

3. IPv6 normally needs no `Gateway` value; the IPv6 gateway is configured automatically through the router's link-local (LLA) IPv6 address.

![Bridge for the last physical port, IPv6](img/p02/pve_br_last_phyport_ipv6.jpeg)

After bridges have been created for all physical ports, click `Apply Configuration`; the page will then lose its connection.

There is no need to worry: unplug the computer's cable from the first port of the PVE machine and plug it into the last port.

If PVE still cannot be reached, try "unplug and replug", testing each PVE port one by one.

### 3.4. Creating internal bridges

A purely internal bridge cannot be reached directly through a physical port unless an internal routing system bridges it further.

It only becomes usable once the main router (RouterOS, for example) has been installed and an internal bridge has been set up.

Its main purpose is to give the other internal VMs a **single** network interface to the **main router**.

An internal bridge is created the same way as a physical-port bridge; the only difference is that the `Bridge ports` field is left **empty**.

![Internal bridge](img/p02/pve_br_nophyport.jpeg)

Internal bridges can do more than that; they can also connect cascaded internal routers.

For example, suppose both OPNsense and RouterOS are installed as VMs, with OPNsense acting as the gateway firewall.

RouterOS is then a second-level router and OPNsense's LAN port must be connected to RouterOS's WAN port.

If both OPNsense and RouterOS used PVE bridges bound to physical ports, two physical ports of the PVE server would have to be joined with a cable.

That wastes a cable and occupies two ports; not worth it.

An internal bridge solves this neatly: any number of VMs can use the bridge and, as long as they share an IP subnet, reach each other.

## 4. Configuring PVE DNS

During installation, the IPv4 DNS address `172.16.1.1` was set but no IPv6 DNS address.

In the PVE DNS settings page, manually add the IPv6 DNS address, i.e. the IPv6 ULA address of the main router's LAN port.

As before, if PVE does not use IPv6 or the main router has no IPv6 ULA prefix, skip this step.

![Add IPv6 DNS to PVE](img/p02/pve_add_ipv6_dns.jpeg)

This completes the initial PVE configuration.

--------------------------------------------------------------------------------
/03.PVE系统调整.md:
--------------------------------------------------------------------------------

## 0. Prerequisites

In the previous article, [02.PVE初始化配置](./02.PVE初始化配置.md), the PVE system was initialised; now it needs further tuning.

Before tuning, make sure the required packages are installed; all commands in this article are run in an SSH terminal.

For the basics of [Neovim](https://neovim.io/), see: [Neovim 基础教程](https://cn.bing.com/search?q=Neovim+%E5%9F%BA%E7%A1%80%E6%95%99%E7%A8%8B).

```bash
## Sync the mirrors
$ apt update

## Install system packages
$ apt install btop lm-sensors tmux neovim unzip unattended-upgrades powermgmt-base sshguard

## Install the CPU governor tool
$ apt install linux-cpupower

## Install the microcode package for your CPU vendor (amd64-microcode for AMD)
$ apt install intel-microcode

## Install Open vSwitch (optional)
$ apt install openvswitch-switch

## Install network testing tools (optional)
$ apt install iftop iperf3 iperf

## Update the PCI ID database
$ update-pciids
```

## 1. System time zone

If the wrong time zone was chosen during installation and the system time differs from Beijing time, run the following to fix it.

If the output matches Beijing time, the change was successful.

```bash
## Set the system time zone
$ timedatectl set-timezone Asia/Shanghai

## Check the system time
$ date -R

#### Example output
Mon, 20 Jan 2025 18:24:41 +0800
```

Debian normally uses `systemd-timesyncd.service` for time synchronisation, whereas PVE uses `chrony.service`.

To use NTP servers in China, configure `chrony.service` with the following command.

```bash
## Edit the chrony configuration file
$ nvim /etc/chrony/chrony.conf
```

In the editor, "comment out" `pool 2.debian.pool.ntp.org iburst` and add the Chinese NTP servers.

```bash
## chrony configuration

# Use Debian vendor zone.
# pool 2.debian.pool.ntp.org iburst    ## comment this line out by adding # in front

# Use Custom vendor zone.
pool ntp.aliyun.com iburst
pool ntp.tencent.com iburst
pool cn.pool.ntp.org iburst
```

After saving the file, restart `chrony.service` and check the NTP servers again.

```bash
## Restart chrony.service
$ systemctl restart chrony.service

## Check the NTP servers
$ chronyc sources -v

#### Example output
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88                  2   6    17     0   -875us[-2496us] +/-   22ms
^- 106.55.184.199                2   6    17     3  -1331us[-1331us] +/-   50ms
^- time.neu.edu.cn               2   6    17     8   +935us[ +935us] +/-   23ms
^- 119.28.206.193                2   6    65     5    +33us[  +33us] +/-   65ms
^- electrode.felixc.at           2   6    17    11  -1320us[-1320us] +/-  126ms
^- dns1.synet.edu.cn             1   6    17    13    -44us[ -44us] +/-   22ms
```
## 2. CPU governor

After installing `linux-cpupower`, check the current CPU governor.

```bash
## Check the current CPU governor
$ cpupower -c all frequency-info

#### Example output, CPU J4125
analyzing CPU 0:
  driver: intel_cpufreq
  CPUs which run at the same hardware frequency: 0
  CPUs which need to have their frequency coordinated by software: 0
  maximum transition latency: 20.0 us
  hardware limits: 800 MHz - 2.70 GHz
  available cpufreq governors: conservative ondemand userspace powersave performance schedutil
  current policy: frequency should be within 800 MHz and 2.70 GHz.
                  The governor "performance" may decide which speed to use
                  within this range.
  current CPU frequency: Unable to call hardware
  current CPU frequency: 2.60 GHz (asserted by call to kernel)
  boost state support:
    Supported: yes
    Active: yes

#### Example output, CPU N6005
analyzing CPU 0:
  driver: intel_pstate
  CPUs which run at the same hardware frequency: 0
  CPUs which need to have their frequency coordinated by software: 0
  maximum transition latency:  Cannot determine or is not supported.
  hardware limits: 800 MHz - 3.30 GHz
  available cpufreq governors: performance powersave
  current policy: frequency should be within 800 MHz and 3.30 GHz.
                  The governor "performance" may decide which speed to use
                  within this range.
  current CPU frequency: Unable to call hardware
  current CPU frequency: 2.00 GHz (asserted by call to kernel)
  boost state support:
    Supported: yes
    Active: yes
```

Two things matter here:

- driver: `intel_cpufreq` or `intel_pstate`

- current policy: `governor "ondemand"` or `governor "performance"`

Another command also shows the current governor.

```bash
## Check the current CPU governor
$ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor

#### Example output, CPU J4125
performance

#### Example output, CPU N6005
performance
```

The CPU driver should generally not be changed by hand; the value after `governor` is the current governor setting.

Next, find out which governors the CPU supports.

```bash
## Check the available governors
$ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors

#### Example output, CPU J4125
conservative ondemand userspace powersave performance schedutil

#### Example output, CPU N6005
performance powersave
```

The available governors depend on the CPU driver; the merits of each governor are left for the reader to dig into.

- With the `intel_cpufreq` driver, the `schedutil` governor is recommended.

- With the `intel_pstate` driver, the `powersave` governor is recommended.

This guide uses `powersave` for the demonstration; create the `cpupower` configuration file with `neovim`.

```bash
## Create the cpupower default configuration file
$ nvim /etc/default/cpupower
```

Set the following in the configuration file and save.

```bash
# This configuration file is customized by fox,
# Optimize system CPU governors.

CPUPOWER_START_OPTS="frequency-set -g powersave"
CPUPOWER_STOP_OPTS="frequency-set -g performance"
```

Then create the `cpupower` service file so the setting is applied automatically.

```bash
## Create the cpupower.service file
$ nvim /etc/systemd/system/cpupower.service
```

Set the following in the service file and save.

```bash
# This configuration file is customized by fox,
# Optimize for cpupower systemd service.

[Unit]
Description=Apply cpupower configuration
ConditionVirtualization=!container
After=syslog.target

[Service]
Type=oneshot
EnvironmentFile=/etc/default/cpupower
ExecStart=/usr/bin/cpupower $CPUPOWER_START_OPTS
ExecStop=/usr/bin/cpupower $CPUPOWER_STOP_OPTS
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

Because a service unit was changed, reload systemd.

```bash
## Reload units
$ systemctl daemon-reload
```

Run the following to enable the `cpupower` service at boot.

```bash
## Enable the cpupower service at boot
$ systemctl enable cpupower.service
```

After the changes, reboot the PVE server and check the governor again to verify that the configuration took effect.

Two extra commands for watching the current CPU frequency and temperature in real time:

```bash
## Watch the current CPU frequency
$ watch cat /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_cur_freq

## Watch internal temperatures
$ watch -d sensors
```

## 3. Scheduled PVE reboot

If the PVE server should reboot periodically, run the following.

The parameters mean: reboot at `02:30` on the `1st` and `16th` of every month.

```bash
## List the cron jobs
$ crontab -l

## Edit the cron jobs; choose nano as the editor
$ crontab -e
```

Add the following at the end of the file.

```bash
## cron entry

30 2 1,16 * * /usr/sbin/reboot
```
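Section 2 gives a rule for picking the governor from the driver (`intel_cpufreq` gives `schedutil`, `intel_pstate` gives `powersave`) and reads three sysfs files by hand. The script below is an added example, not from the original guide: it encodes that rule as a function that takes a cpufreq policy directory as a parameter, checks that the recommended governor is actually offered in `scaling_available_governors` before suggesting it, and otherwise keeps the current value, so a `frequency-set` call never fails on a driver that lacks the governor. `make_fake_cpufreq` builds a constructed directory with the same three files so the logic can be tested without the real `/sys`; the J4125 and N6005 values are those from the example output above.

```bash
#!/bin/sh
# Added example (not part of the original guide): choose a cpufreq governor using
# the rule from section 2 and confirm the kernel offers it before applying it.
# The policy directory is a parameter so the logic can run against a constructed
# directory instead of the live sysfs tree.

# recommend_governor <cpufreq_dir>: print the governor to use.
# Prints "unknown" and returns 1 for a driver the rule does not cover.
recommend_governor() {
    dir=$1
    driver=$(cat "$dir/scaling_driver")
    available=$(cat "$dir/scaling_available_governors")
    case "$driver" in
        intel_cpufreq) want=schedutil ;;
        intel_pstate)  want=powersave ;;
        *)             echo unknown; return 1 ;;
    esac
    # Only recommend what the driver exposes; otherwise keep the current governor.
    case " $available " in
        *" $want "*) echo "$want" ;;
        *)           cat "$dir/scaling_governor" ;;
    esac
}

# make_fake_cpufreq <dir> <driver> <governors> <current>: build a constructed
# policy directory holding the three files recommend_governor reads (test fixture).
make_fake_cpufreq() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/scaling_driver"
    printf '%s\n' "$3" > "$1/scaling_available_governors"
    printf '%s\n' "$4" > "$1/scaling_governor"
}

# On a real PVE host (not run here):
#   cpupower frequency-set -g "$(recommend_governor /sys/devices/system/cpu/cpu0/cpufreq)"
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    # Constructed copies of the J4125 and N6005 values shown in section 2.
    make_fake_cpufreq "$tmp/j4125" intel_cpufreq \
        "conservative ondemand userspace powersave performance schedutil" performance
    make_fake_cpufreq "$tmp/n6005" intel_pstate "performance powersave" performance
    recommend_governor "$tmp/j4125"   # schedutil
    recommend_governor "$tmp/n6005"   # powersave
    rm -r "$tmp"
fi
```

The fallback to the current governor matters on hosts where `intel_pstate` runs in active mode and exposes only `performance`; the function then returns `performance` instead of a value `cpupower frequency-set` would reject.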
## 4. PVE automatic updates

### 4.1. System timer

Before configuring automatic updates, check the current state of the system timer.

Its schedule will be adjusted manually later so that it triggers at `01:30` every `5` days.

```bash
## Check the system timer
$ systemctl status apt-daily-upgrade.timer

#### Example output
● apt-daily-upgrade.timer - Daily apt upgrade and clean activities
     Loaded: loaded (/lib/systemd/system/apt-daily-upgrade.timer; enabled; preset: enabled)
     Active: active (waiting) since Mon 2025-01-20 18:12:44 CST; 19min ago
    Trigger: Tue 2025-01-21 06:52:19 CST; 12h left
   Triggers: ● apt-daily-upgrade.service

Jan 20 18:12:44 node01 systemd[1]: Started apt-daily-upgrade.timer - Daily apt upgrade and clean activities.
```

### 4.2. Configuring the update policy

Run the following to enable automatic updates.

After running it, use the left/right arrow keys to choose and Enter to confirm.

```bash
## Configure the automatic update policy
$ dpkg-reconfigure -plow unattended-upgrades

## Choose "Yes"
```

Next adjust the `20auto-upgrades` configuration file.

```bash
## Enter the apt configuration directory
$ cd /etc/apt/apt.conf.d

## Edit 20auto-upgrades
$ nvim /etc/apt/apt.conf.d/20auto-upgrades
```

Delete everything in it, add the following and save.

The parameter that controls the update interval is `APT::Periodic::Unattended-Upgrade`; `5` means an interval of `5` days.

```bash
## Update interval configuration

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "5";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::CleanInterval "1";
```

Next adjust the `50unattended-upgrades` configuration file.

```bash
## Edit 50unattended-upgrades
$ nvim /etc/apt/apt.conf.d/50unattended-upgrades
```

The parameters changed in this file are:

- Enable the Debian `bookworm-updates` updates.

- Add and enable updates from PVE's own repository.

- Add and enable updates from the PVE Ceph repository, as needed.

- Automatically fix interrupted dpkg installs.

- Automatically remove unused kernel packages.

- Automatically remove dependencies that became unused through an update.

- Automatically remove previously unused dependencies.

- Automatic reboot: enabled.

- Automatic reboot time: `02:30`.

Since the file is long, the complete version is available as [pve_50unattended_upgrades.conf](./src/pve/pve_50unattended_upgrades.conf) for comparison.

```bash
## Remove the leading // from the following line to enable it

        "origin=Debian,codename=${distro_codename}-updates";

## Add the PVE update entry

        "origin=Proxmox,codename=${distro_codename},label=Proxmox Debian Repository";

## Add the PVE Ceph entry as needed

        "origin=Proxmox,codename=${distro_codename},label=Proxmox Ceph Debian Repository";

## Append the following at the end of the file to enable them, adjusting the values

Unattended-Upgrade::AutoFixInterruptedDpkg "true";

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Unattended-Upgrade::Automatic-Reboot "true";

Unattended-Upgrade::Automatic-Reboot-Time "02:30";
```

### 4.3. Resetting the timer

After the automatic update files have been modified, reset the update timer with the following.

The complete file is available as [pve_apt_daily_upgrade.conf](./src/pve/pve_apt_daily_upgrade.conf) for comparison.

```bash
## Edit the system timer
$ systemctl edit apt-daily-upgrade.timer
```

Following the hints in the file, fill in the following in the blank area in the middle.

```bash
## Timer configuration

[Timer]
OnCalendar=
OnCalendar=01:30
RandomizedDelaySec=0
```

After setting it, restart the timer.

```bash
## Restart the timer
$ systemctl restart apt-daily-upgrade.timer

## Check the timer status again
$ systemctl status apt-daily-upgrade.timer

#### Example output
● apt-daily-upgrade.timer - Daily apt upgrade and clean activities
     Loaded: loaded (/lib/systemd/system/apt-daily-upgrade.timer; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/apt-daily-upgrade.timer.d
             └─override.conf
     Active: active (waiting) since Mon 2025-01-20 18:43:03 CST; 7s ago
    Trigger: Tue 2025-01-21 01:30:00 CST; 6h left
   Triggers: ● apt-daily-upgrade.service

Jan 20 18:43:03 node01 systemd[1]: Stopped apt-daily-upgrade.timer - Daily apt upgrade and clean activities.
Jan 20 18:43:03 node01 systemd[1]: Stopping apt-daily-upgrade.timer - Daily apt upgrade and clean activities...
Jan 20 18:43:03 node01 systemd[1]: Started apt-daily-upgrade.timer - Daily apt upgrade and clean activities.
```

## 5. PCI passthrough

### 5.1. Modifying GRUB

Following the official documentation, [qm_pci_passthrough](https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_pci_passthrough) and [Pci passthrough](https://pve.proxmox.com/wiki/Pci_passthrough), enable PCI passthrough in PVE.

Log in to the PVE server with a terminal tool and edit the `Grub` configuration file `/etc/default/grub`.

```bash
## Edit the Grub configuration file
$ nvim /etc/default/grub
```

In the editor, modify the `GRUB_CMDLINE_LINUX_DEFAULT` parameter; mind the spaces between the options.

```bash
## Parameters for Intel CPUs

GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"
```

According to the official documentation, the IOMMU is enabled automatically on AMD CPUs; if it is not, edit the `Grub` file manually.

```bash
## Parameters for AMD CPUs

GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on iommu=pt"
```

After saving, update `Grub`.

```bash
## Update Grub
$ update-grub
```

### 5.2. Adding kernel modules

Edit `/etc/modules` and add the required kernel modules.

```bash
## Edit the modules file
$ nvim /etc/modules
```

Add the following and save.

```bash
## Passthrough modules

vfio
vfio_iommu_type1
vfio_pci
```

Run the following to update the `initramfs`; after it completes, rebooting the PVE server is recommended.

```bash
## Update the initramfs
$ update-initramfs -u -k all
```

### 5.3. Checking passthrough

After the reboot, log in again with the terminal tool and run the following to check the passthrough status.

Look mainly for `IOMMU`, `Directed I/O` or `Interrupt Remapping` being enabled.

```bash
## Check the passthrough status
$ dmesg | grep -e DMAR -e IOMMU -e AMD-Vi

#### Example output, CPU N6005
[    0.017937] ACPI: DMAR 0x00000000746C2000 000088 (v02 INTEL EDK2 00000002 01000013)
[    0.017965] ACPI: Reserving DMAR table memory at [mem 0x746c2000-0x746c2087]
[    0.047812] DMAR: IOMMU enabled
[    0.116031] DMAR: Host address width 39
[    0.116032] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
[    0.116038] DMAR: dmar0: reg_base_addr fed90000 ver 4:0 cap 1c0000c40660462 ecap 49e2ff0505e
[    0.116041] DMAR: DRHD base: 0x000000fed91000 flags: 0x1
[    0.116046] DMAR: dmar1: reg_base_addr fed91000 ver 1:0 cap d2008c40660462 ecap f050da
[    0.116048] DMAR: RMRR base: 0x0000007b800000 end: 0x0000007fbfffff
[    0.116051] DMAR-IR: IOAPIC id 2 under DRHD base 0xfed91000 IOMMU 1
[    0.116052] DMAR-IR: HPET id 0 under DRHD base 0xfed91000
[    0.116053] DMAR-IR: Queued invalidation will be enabled to support x2apic and Intr-remapping.
[    0.117774] DMAR-IR: Enabled IRQ remapping in x2apic mode
[    1.746431] pci 0000:00:02.0: DMAR: Skip IOMMU disabling for graphics
[    2.290116] DMAR: No ATSR found
[    2.290117] DMAR: No SATC found
[    2.290118] DMAR: IOMMU feature fl1gp_support inconsistent
[    2.290119] DMAR: IOMMU feature pgsel_inv inconsistent
[    2.290120] DMAR: IOMMU feature nwfs inconsistent
[    2.290121] DMAR: IOMMU feature pds inconsistent
[    2.290122] DMAR: IOMMU feature eafs inconsistent
[    2.290123] DMAR: IOMMU feature prs inconsistent
[    2.290123] DMAR: IOMMU feature nest inconsistent
[    2.290124] DMAR: IOMMU feature mts inconsistent
[    2.290124] DMAR: IOMMU feature sc_support inconsistent
[    2.290125] DMAR: IOMMU feature dev_iotlb_support inconsistent
[    2.290126] DMAR: dmar0: Using Queued invalidation
[    2.290129] DMAR: dmar1: Using Queued invalidation
[    2.290568] DMAR: Intel(R) Virtualization Technology for Directed I/O
```

Check the `IOMMU` groups with the following command.

```bash
## Check the IOMMU groups
$ find /sys/kernel/iommu_groups/ -type l

#### Example output, CPU N6005
/sys/kernel/iommu_groups/7/devices/0000:00:1c.4
/sys/kernel/iommu_groups/15/devices/0000:04:00.0
/sys/kernel/iommu_groups/5/devices/0000:00:17.0
/sys/kernel/iommu_groups/13/devices/0000:02:00.0
/sys/kernel/iommu_groups/3/devices/0000:00:15.2
/sys/kernel/iommu_groups/3/devices/0000:00:15.0
/sys/kernel/iommu_groups/11/devices/0000:00:1f.0
/sys/kernel/iommu_groups/11/devices/0000:00:1f.5
/sys/kernel/iommu_groups/11/devices/0000:00:1f.3
/sys/kernel/iommu_groups/11/devices/0000:00:1f.4
/sys/kernel/iommu_groups/1/devices/0000:00:00.0
/sys/kernel/iommu_groups/8/devices/0000:00:1c.5
/sys/kernel/iommu_groups/16/devices/0000:05:00.0
/sys/kernel/iommu_groups/6/devices/0000:00:1c.0
/sys/kernel/iommu_groups/14/devices/0000:03:00.0
/sys/kernel/iommu_groups/4/devices/0000:00:16.0
/sys/kernel/iommu_groups/12/devices/0000:01:00.0
/sys/kernel/iommu_groups/2/devices/0000:00:14.5
/sys/kernel/iommu_groups/2/devices/0000:00:14.2
/sys/kernel/iommu_groups/2/devices/0000:00:14.0
/sys/kernel/iommu_groups/10/devices/0000:00:1c.7
/sys/kernel/iommu_groups/0/devices/0000:00:02.0
/sys/kernel/iommu_groups/9/devices/0000:00:1c.6
```

## 6. BTRFS tuning

**Additional notes:**

1. This section is written for PVE installed on a single `BTRFS` disk in `RAID0` (striped) mode; skip it for other installation modes.

2. The `BTRFS` file system is still a technology preview; proceed with care.

3.
有关在 PVE 中使用 `BTRFS` 的详情,请参阅 [Proxmox VE - BTRFS](https://pve.proxmox.com/wiki/BTRFS) 。 585 | 586 | 安装 PVE 时,若使用了 `BTRFS` 单盘 `RAID0` 的安装模式,系统默认未启用 swap 和 zstd 压缩,需要手动开启。 587 | 588 | 通常情况下,内存与 swap 的 **推荐** 比例为 `1:1` 。本机具有 `16GB` 内存,因此设置 `16GB` swap 空间。 589 | 590 | 执行以下命令,在 `BTRFS` 文件系统中创建子卷,并配置激活 swapfile 。 591 | 592 | ```bash 593 | ## 创建用于存放交换文件的子卷 594 | $ btrfs subvolume create /swap 595 | 596 | ## 在子卷中创建 16GB 的交换文件 597 | $ btrfs filesystem mkswapfile --size 16g --uuid clear /swap/swapfile 598 | 599 | ## 激活交换文件 600 | $ swapon /swap/swapfile 601 | ``` 602 | 603 | 此时还需进一步修改系统的 `fstab` 配置文件,以启用 `BTRFS` 的 zstd 压缩功能并确保 swap 在系统启动时自动激活。 604 | 605 | ```bash 606 | ## 编辑 fstab 配置文件 607 | $ nvim /etc/fstab 608 | ``` 609 | 610 | `fstab` 为系统关键配置文件,直接影响系统启动,修改此文件时,请注意以下几点: 611 | 612 | - 仅修改根目录 `/` 对应的挂载选项,添加 `compress=zstd` 参数。 613 | 614 | - 在文件末尾新增一行,添加 swap 的自动挂载。 615 | 616 | - 请 **不要** 修改其余配置参数,尤其是设备的唯一标识符( `UUID` ),切勿修改。 617 | 618 | 修改完成后,示例如下。 619 | 620 | ```bash 621 | #### 系统 fstab 示例配置 622 | 623 | # 624 | 625 | UUID= / btrfs defaults,compress=zstd 0 1 626 | 627 | UUID= /boot/efi vfat defaults 0 1 628 | proc /proc proc defaults 0 0 629 | 630 | /swap/swapfile none swap defaults 0 0 631 | ``` 632 | 633 | ## 7.系统清理 634 | 635 | PVE 系统配置完成后,可执行以下命令,对系统进行清理。 636 | 637 | ```bash 638 | ## 清理系统软件包 639 | $ apt clean && apt autoclean && apt autoremove --purge 640 | 641 | ## 清理系统缓存 642 | $ bash -c 'find /var/cache/apt/ /var/lib/apt/lists/ /tmp/ -type f -print -delete' 643 | 644 | ## 清理系统日志 645 | $ bash -c 'find /var/log/ -type f -print -delete' 646 | 647 | ## 清理命令历史记录文件 648 | $ rm -rvf ~/.bash_history && history -c 649 | ``` 650 | 651 | 至此 PVE 的系统调整已经完成。 652 | -------------------------------------------------------------------------------- /04.PVE创建模板虚拟机.md: -------------------------------------------------------------------------------- 1 | ## 0.前期准备 2 | 3 | 将虚拟机制作成模板,可在后续新建虚拟机时快速从模板中创建,减少系统安装配置时间。 4 | 5 | 该虚拟机模板主要用作内网 DNS 服务器,由 `Adguard Home` 或 `SmartDNS` 提供 DNS 解析服务。 6 | 7 | 
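The image download in section 2.2 below compares the hash of the qcow2 with the `SHA512SUMS` file by eye. The shell functions below are an added example, not part of this page or of Debian's tooling, and do the same check strictly: `verify_image` refuses an image that is not listed in the checksum file at all (the convenient `sha512sum -c --ignore-missing SHA512SUMS` form reports success as long as *any* listed file checks out), and `verify_sums_signature` authenticates the checksum file itself. The signature function assumes the detached signature `SHA512SUMS.sign` that Debian publishes next to `SHA512SUMS`, and a keyring that already holds the Debian cloud image signing key with its fingerprint checked out of band; the image used below is a constructed stand-in.

```shell
#!/bin/sh
# Strict checksum verification for the Debian cloud image download.
# Added example; not code from the page or from Debian. Assumes the
# coreutils checksum format "<sha512 hex>  <file name>" used by SHA512SUMS.

# Verify IMAGE against SUMS. Fails if the image is not listed, is listed
# more than once, or the entry is not a 128-hex-digit SHA-512 value.
verify_image() {
  sums=$1
  image=$2
  name=$(basename -- "$image")
  # Exact match on the file-name column; "*name" is the binary-mode spelling.
  entry=$(awk -v n="$name" '$2 == n || $2 == "*" n' "$sums")
  if [ -z "$entry" ]; then
    echo "verify_image: $name is not listed in $sums" >&2
    return 1
  fi
  if [ "$(printf '%s\n' "$entry" | wc -l)" -ne 1 ]; then
    echo "verify_image: $name is listed more than once in $sums" >&2
    return 1
  fi
  hash=${entry%% *}
  if [ "${#hash}" -ne 128 ]; then
    echo "verify_image: malformed SHA-512 entry for $name" >&2
    return 1
  fi
  # sha512sum -c resolves the name relative to the cwd, so run it next to the image.
  ( cd "$(dirname -- "$image")" && printf '%s\n' "$entry" | sha512sum -c --status - )
}

# Authenticate SHA512SUMS with the detached signature published beside it.
# The signing key must already be in the keyring (fingerprint checked out of
# band); this turns "matches the hash" into "is what Debian published".
verify_sums_signature() {
  gpg --verify -- "$1.sign" "$1"
}

# Usage on the real download, from /tmp/Debian:
#   verify_sums_signature SHA512SUMS && verify_image SHA512SUMS debian-12-generic-amd64.qcow2
```

Run the signature check first; a checksum file fetched from the same mirror as the image only proves that the download was not truncated or corrupted in transit, not that it is the file Debian built.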
This article uses the Debian cloud image `debian-12-generic-amd64.qcow2` as the image for the template VM.

Go to [Debian Official Cloud Images](https://cloud.debian.org/images/cloud/) and download the latest `Bookworm` cloud image together with its checksum file.

![Download the image](img/p04/download_generic_image_qcow2.jpeg)

## 1. Create the VM

Log in to the PVE web interface and click `Create VM` at the top right to start the wizard.

### 1.1. General

Tick `Advanced` at the bottom to show all settings. The node is the local host; `VM ID` and `Name` are free to choose.

![VM name](img/p04/vm_id.jpeg)

### 1.2. OS

No installation media is needed; choose `Linux` as the guest OS type and `6.x - 2.6 Kernel` as the version.

![VM OS](img/p04/vm_os.jpeg)

### 1.3. System

Keep the SCSI controller at the default `VirtIO SCSI single`, choose `q35` as the machine type and tick `Qemu Agent`.

![VM system](img/p04/vm_system.jpeg)

### 1.4. Disks

For a VM that only runs Adguard Home, `20G` of disk is plenty.

Because the template is built from the Debian cloud image, delete every `Disk` on this page.

![VM disks](img/p04/vm_hd.jpeg)

### 1.5. CPU

Set the CPU `Type` to `host` and choose `Sockets` and `Cores` according to the physical CPU.

If the PVE host has more than one physical CPU, ticking `Enable NUMA` is recommended.

`host` exposes the full feature set of the physical CPU to the guest, which gives the best performance but means the VM can only be migrated between nodes with identical CPUs.

![VM CPU](img/p04/vm_cpu.jpeg)

### 1.6. Memory

`2G` of memory is usually enough; untick `Ballooning Device`.

![VM memory](img/p04/vm_mem.jpeg)

### 1.7. Network

In [02.PVE初始化配置](./02.PVE初始化配置.md) an internal bridge with no physical port was created.

That bridge also carries the internal (LAN) interface of the main-router VM.

The template VM's `Bridge` can therefore be set to this purely internal bridge.

![VM network port](img/p04/vm_network_port.jpeg)

Because the demo environment does not have the main router installed yet, another bridge is used in its place.

The built-in PVE firewall is usually not needed, so **untick** the `Firewall` option on the network device. The only packet filter in front of the guest is then whatever runs inside it (the template installs `nftables` and `sshguard` later).

It is recommended to set `Multiqueue` to the number of CPU cores configured above, in a 1:1 ratio.

That is, with n CPU cores, set the multiqueue value to n as well.

![VM NIC multiqueue](img/p04/vm_network_queue.jpeg)

### 1.8. Confirm

Review the summary and click `Finish` if everything is correct.

![VM confirm](img/p04/vm_confirm.jpeg)

## 2. Adjust the hardware

### 2.1. Remove the CD drive

Open the VM and, on its `Hardware` page, remove the `CD/DVD Drive`.

![Remove the CD drive](img/p04/vm_delete_cd.jpeg)

### 2.2. Import the image

Log in to the PVE host with a terminal tool, go to `/tmp` and create a directory with the following commands.

```bash
## Create a temporary directory for the Debian cloud image
$ mkdir -p /tmp/Debian

## Enter the directory
$ cd /tmp/Debian
```

Transfer the Debian cloud image into this directory and check its `hash`.

```bash
## Download the checksum file
$ wget https://cloud.debian.org/images/cloud/bookworm/latest/SHA512SUMS

## Download the cloud image
$ wget https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-generic-amd64.qcow2

## Check that the files are present
$ ls -lah

## Show the checksum file
$ cat SHA512SUMS

## Compute the image hash and compare it with the SHA512SUMS entry
$ sha512sum debian-12-generic-amd64.qcow2
```

`SHA512SUMS` comes from the same server as the image, so a matching hash only rules out a corrupted download. Debian publishes a detached signature `SHA512SUMS.sign` next to it; verifying that with `gpg --verify` against the Debian cloud image signing key is what confirms the image is the one Debian built.

Once the hash matches, import the image into the VM created above. Replace the `VM ID` in the command with your own; the demo uses `1001`.

```bash
## Import the qcow2 image into the VM
$ qm importdisk 1001 debian-12-generic-amd64.qcow2 local-lvm

#### Sample output
unused0: successfully imported disk 'local-lvm:vm-1001-disk-0'
```

After a successful import, an unused disk appears in the VM's hardware list; **double-click** it to configure it.

![New VM disk](img/p04/vm_unused_hd.jpeg)

When the host stores VMs on an `SSD` and the virtual disk is thin-provisioned, consider enabling:

- `Discard`, which helps reclaim storage space.

- `SSD emulation`, which presents the virtual disk to the guest as an `SSD`.

In the dialog, make sure `IO thread` is **ticked** and click `Add`.

![Enable the VM disk](img/p04/vm_enable_hd.jpeg)

The imported image is only `3G`; enlarge the disk for later use.

**Single-click** the disk to select it and choose `Resize` from the `Disk Action` menu at the top.

![Resize the VM disk](img/p04/vm_hd_resize.jpeg)

In the dialog, add `21G` to the disk.

![VM disk enlarged by 18G](img/p04/vm_hd_scale_up.jpeg)

### 2.3. Add a CloudInit drive

For Cloud-Init to initialise the system, the template VM needs a `CloudInit Drive`.

Click the `Add` menu at the top and choose `CloudInit Drive`.

![Add CloudInit to the VM](img/p04/vm_cloudinit.jpeg)

Choose `SCSI` as `Bus/Device` with number `1`, and `local-lvm` as `Storage`.

![CloudInit parameters](img/p04/vm_ci_details.jpeg)

With the hardware changes done, the VM looks like this.

![All VM hardware](img/p04/vm_hardware_all.jpeg)

## 3. Adjust the options

Open the VM's `Options` page on the left to see its current settings.

For a template VM the following usually need attention:

1. Start at boot (not for the template; set it on the cloned VMs)

2. Start/Shutdown order (not for the template; set it on the cloned VMs)

3. Boot order (template only)

4. Use tablet for pointer (template only)

### 3.1. Change the boot order

**Double-click** `Boot Order` to open the editor.

On the `scsi0` row, tick the `Enabled` checkbox and use the handle at the start of the row to drag it to the first position.

Then click `OK`.

![VM boot order](img/p04/vm_boot.jpeg)

### 3.2. Tablet pointer

Turning off `Use tablet for pointer` lowers the VM's CPU usage somewhat.

![VM tablet pointer](img/p04/vm_tablet.jpeg)

## 4. Configure Cloud-Init

Open the VM's `Cloud-Init` page on the left to see its initialisation parameters.

### 4.1. Automatic IPv6

Per the earlier network plan the internal subnet is `172.16.1.0/24`, so the template VM uses the following values.

|Parameter|Value|Notes|
|--|--|--|
|User|`fox`|Administrator account of the new system|
|Password|`********`|Use a strong password|
|DNS domain|`fox.internal`|Internal domain (optional)|
|DNS servers|`172.16.1.1`|The local DNS server (the main router)|
|SSH public key|none|Key-based login; not used for now|
|Upgrade packages|yes|Upgrade packages at boot; keep the default|
|IP Config (net0)|`ip=172.16.1.250/24,gw=172.16.1.1,ip6=auto`|IP settings of the template|

**Notes:**

1. Changes to the `Cloud-Init` parameters only take effect if made while the VM is shut down (they are applied at boot).

2. `DNS servers` accepts several IPv4 / IPv6 addresses separated by spaces.

3. The `DNS servers` value here is the LAN IPv4 address of the main router, so that the VM can reach the network.

Leaving the SSH public key empty means the clones will depend on the password login enabled in chapter 05; supplying a key here and keeping password login off is the stronger configuration.

![CI network settings](img/p04/vm_ci_dns.jpeg)

In `IP Config`, IPv4 uses a static address and IPv6 uses `SLAAC`, as shown below.

![CI network settings](img/p04/vm_ci_network_slaac.jpeg)

### 4.2. Manual IPv6

When the main router has an IPv6 ULA prefix and the internal DNS server should get a fixed ULA address, the `Cloud-Init` parameters change as follows.

The demo ULA prefix is `fdac::/64`; `DNS servers` and `IP Config` become:

|Parameter|Value|Notes|
|--|--|--|
|DNS domain|`fox.internal`|Internal domain (optional)|
|DNS servers|`172.16.1.1 fdac::1`|The local DNS server (the main router)|
|IP Config (net0)|`ip=172.16.1.250/24,gw=172.16.1.1,ip6=fdac::fa/64`|IP settings of the template|

`DNS servers` must now also contain the ULA address of the main router's LAN interface.

![CI network settings](img/p04/vm_ci_dns_ula.jpeg)

In `IP Config`, IPv4 uses a static address and IPv6 uses a static address as well, as shown below.

A static IPv6 address does not stop the VM from also obtaining a public GUA IPv6 address through the main router.

![CI network settings](img/p04/vm_ci_network_static.jpeg)

## 5. Notes

Open the VM's `Summary` page on the left and edit its notes.

```bash
### Server information

- OS: Debian12

- Purpose: internal DNS server ( template )

- Autostart: no

- User: fox

- IPv4: 172.16.1.250/24

- IPv6: SLAAC

```

![VM notes](img/p04/vm_notes.jpeg)

The template VM is now created and can be powered on.

--------------------------------------------------------------------------------
/05.PVE制作虚拟机模板.md:
--------------------------------------------------------------------------------

## 1. Configure the system

In the previous article, [04.PVE创建模板虚拟机](./04.PVE创建模板虚拟机.md), the VM that will become the template was created.

Its hardware and options were adjusted there, but the Debian system itself still needs work.

Power the VM on and log in with the account and password set in `Cloud-Init`.

### 1.1. Configure SSH

Debian cloud images allow only SSH key login by default, so log in through the `Console` entry in the left menu.

![Log in to Debian](img/p05/os_login.jpeg)

In the VM's console, edit the `sshd` configuration with `vim` using the following command.

Basic `vim` operations:

- To edit, press `i` to enter insert mode.

- To save, press `Esc` to leave insert mode, then type `:wq`.

```bash
## Edit the SSH configuration
$ sudo vim /etc/ssh/sshd_config.d/10-server-sshd.conf
```

Add the following lines to the file and save.

```bash
## SSH options

PasswordAuthentication yes
PermitEmptyPasswords no
UseDNS no

```

`sshd` keeps the first value it reads for each keyword, and `sshd_config` includes `sshd_config.d/*.conf` at the top in name order, so the `10-` prefix makes these settings win over any later-sorting drop-in such as one cloud-init may write. Confirm the effective value with `sudo sshd -T | grep -i passwordauthentication`. Password login exposes the server to guessing attacks; the `sshguard` package installed in 1.3 rate-limits failed logins, but key-only login remains the stronger choice.

After the change, restart the SSH service.

```bash
## Restart ssh.service
$ sudo systemctl restart ssh.service
```

### 1.2. Configure the package sources

Log in to the template VM with a terminal tool; common tools are described in [01.PVE系统安装](./01.PVE系统安装.md).

First the Debian package sources are changed; the [USTC](https://mirrors.ustc.edu.cn) mirror is used for the demo.

When the Debian release changes, follow the mirror's instructions at [USTC Mirror Help - Debian](https://mirrors.ustc.edu.cn/help/debian.html).

Debian 12 cloud images use the `DEB822` source format; the classic `sources.list` now only contains a pointer.

```bash
## Show the legacy sources file
$ cat /etc/apt/sources.list

#### Sample output
# See /etc/apt/sources.list.d/debian.sources
```

The new file `debian.sources` consists of `3` parts.

```bash
## Show the DEB822 sources file
$ cat /etc/apt/sources.list.d/debian.sources

#### Sample output (main part)
Types: deb deb-src
URIs: mirror+file:///etc/apt/mirrors/debian.list
Suites: bookworm bookworm-updates bookworm-backports
Components: main

Types: deb deb-src
URIs: mirror+file:///etc/apt/mirrors/debian-security.list
Suites: bookworm-security
Components: main

## Show the referenced mirror list
$ cat /etc/apt/mirrors/debian.list

#### Sample output (referenced part 1)
https://deb.debian.org/debian

## Show the referenced mirror list
$ cat /etc/apt/mirrors/debian-security.list

#### Sample output (referenced part 2)
https://deb.debian.org/debian-security
```

There are therefore two ways to change the sources on Debian 12; this article uses the `2nd`.

1. Delete the current source files and go back to a classic `sources.list`.

2. Keep the syntax of the current source file and only edit that file.

Edit `debian.sources` with `vim`.

```bash
## Edit debian.sources
$ sudo vim /etc/apt/sources.list.d/debian.sources
```

Delete the whole content, add the following and save.

```bash
## Package source configuration

Types: deb
URIs: https://mirrors.ustc.edu.cn/debian
Suites: bookworm bookworm-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: https://mirrors.ustc.edu.cn/debian-security
Suites: bookworm-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

```

The `Signed-By` lines pin verification to Debian's own archive keyring, so the mirror can only relay what Debian signed and cannot substitute packages of its own.

To stop the `Cloud-Init` service from changing the source file unexpectedly, make it immutable.

```bash
## Make the file immutable
$ sudo chattr +i /etc/apt/sources.list.d/debian.sources

## Check the attribute
$ lsattr /etc/apt/sources.list.d/debian.sources

#### Sample output
----i---------e------- /etc/apt/sources.list.d/debian.sources
```

The immutable bit also blocks your own later edits until it is cleared again with `chattr -i`. cloud-init's apt module has a supported switch for the same purpose, `preserve_sources_list: true` under the `apt` key in a file below `/etc/cloud/cloud.cfg.d/`.

### 1.3. Install packages

With the sources set, update the system.

```bash
## Remove unneeded packages
$ sudo bash -c 'apt clean && apt autoclean && apt autoremove --purge'

## Refresh the package lists
$ sudo apt update

## Upgrade the system
$ sudo apt full-upgrade
```

Then install the required packages. When `iperf3` is installed it asks whether to run as a system service at boot; answer `no`.

```bash
## System tools
$ sudo apt install qemu-guest-agent btop tmux logrotate cron neovim zsh git

## Automatic update tooling
$ sudo apt install unattended-upgrades powermgmt-base python3-gi

## Network tools
$ sudo apt install nftables sshguard lsof knot-dnsutils

## Network test tools (optional)
$ sudo apt install iftop iperf3 iperf

## Flush writes to disk
$ sudo sync
```

### 1.4. Configure ZSH

`Zsh` is a more comfortable `Shell` than `Bash`; it is set up with `oh-my-zsh`.

```bash
## Install oh-my-zsh from the Tsinghua mirror
$ cd && git clone --depth=1 https://mirrors.tuna.tsinghua.edu.cn/git/ohmyzsh.git

$ cd ohmyzsh/tools && REMOTE=https://mirrors.tuna.tsinghua.edu.cn/git/ohmyzsh.git sh install.sh

## When asked whether to change the default shell, answer Y

#### Sample output
Time to change your default shell to zsh:
Do you want to change your default shell to zsh? [Y/n] y

## Clean up after the installation
$ cd && rm -rvf ohmyzsh .bash_history .zsh_history .shell.pre-oh-my-zsh
```

The installer runs with your user's privileges straight out of a mirrored clone; skim `install.sh` before running it, as you would any downloaded script.

### 1.5. Tune kernel parameters

Because this Debian template will be cloned into internal DNS servers, a few kernel parameters are tuned for that role.

Edit the **kernel parameter** file with `neovim`.

```bash
## Edit the sysctl configuration
$ sudo nvim /etc/sysctl.d/99-sysctl.conf
```

Add the following entries (mind the spaces around `=`).

```bash
# This configuration file is customized by fox,
# Optimize sysctl parameters for local DNS server.

kernel.panic = 20
kernel.panic_on_oops = 1

net.core.default_qdisc = fq_codel

# Other adjustable system parameters

net.core.netdev_budget = 600
net.core.netdev_budget_usecs = 20000

net.core.somaxconn = 8192
net.core.rmem_max = 26214400
net.core.wmem_max = 655360

net.ipv4.igmp_max_memberships = 256

net.ipv4.tcp_challenge_ack_limit = 1000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_max_syn_backlog = 512
net.ipv4.tcp_notsent_lowat = 131072
net.ipv4.tcp_rmem = 4096 87380 26214400
net.ipv4.tcp_wmem = 4096 16384 655360

net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0

```

`kernel.panic_on_oops = 1` with `kernel.panic = 20` makes the VM reboot 20 seconds after a kernel oops instead of limping on, and `use_tempaddr = 0` turns off IPv6 privacy addresses so the server keeps one stable SLAAC address that clients can be pointed at.

After saving, reboot or apply the parameters with the following command.

```bash
## Apply the kernel parameters
$ sudo sysctl --system
```

### 1.6. Adjust the system time

The clock settings of the Debian cloud image need adjusting; set the time zone to China with the following command.

```bash
## Set the time zone
$ sudo timedatectl set-timezone Asia/Shanghai

## Check the system time
$ date -R

#### Sample output
Mon, 26 Jun 2023 16:16:16 +0800
```

Debian cloud images synchronise time with `systemd-timesyncd.service`, which should be switched to NTP servers inside China.

Adjust the NTP servers with the following commands.

```bash
## Create the NTP drop-in directory
$ sudo mkdir -p /etc/systemd/timesyncd.conf.d

## Create the NTP drop-in
$ sudo nvim /etc/systemd/timesyncd.conf.d/10-server-ntp.conf
```

Add the following to the file and save.

```bash
# This configuration file is customized by fox,
# Optimize system NTP server.

[Time]
NTP=ntp.aliyun.com ntp.tencent.com cn.pool.ntp.org

```

After saving, restart `systemd-timesyncd.service` and check the NTP servers again.

```bash
## Restart systemd-timesyncd.service
$ sudo systemctl restart systemd-timesyncd.service

## Check the NTP servers
$ sudo systemctl status systemd-timesyncd.service
```

Output like the following means NTP is set up correctly.

```bash
#### Sample output
● systemd-timesyncd.service - Network Time Synchronization
     Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-10-07 18:06:29 CST; 9s ago
       Docs: man:systemd-timesyncd.service(8)
   Main PID: 1706 (systemd-timesyn)
     Status: "Contacted time server 203.107.6.88:123 (ntp.aliyun.com)."
      Tasks: 2 (limit: 2315)
     Memory: 1.4M
        CPU: 113ms
     CGroup: /system.slice/systemd-timesyncd.service
             └─1706 /lib/systemd/systemd-timesyncd

Oct 07 18:06:29 DNS01 systemd[1]: Starting systemd-timesyncd.service - Network Time Synchronization...
Oct 07 18:06:29 DNS01 systemd[1]: Started systemd-timesyncd.service - Network Time Synchronization.
Oct 07 18:06:29 DNS01 systemd-timesyncd[1706]: Contacted time server 203.107.6.88:123 (ntp.aliyun.com).
Oct 07 18:06:29 DNS01 systemd-timesyncd[1706]: Initial clock synchronization to Mon 2024-10-07 18:06:29.499548 CST.
```

### 1.7. Configure automatic updates

Automatic updates on the Debian cloud image are configured much like on PVE; see [03.PVE系统调整](./03.PVE系统调整.md).

Before configuring them, check the current state of the timer.

```bash
## Check the timer
$ sudo systemctl status apt-daily-upgrade.timer
```

Set the update policy with the following command; use the `left/right arrow keys` to choose and `Enter` to confirm.

```bash
## Configure the update policy
$ sudo dpkg-reconfigure -plow unattended-upgrades

## Choose "Yes"

```

Next adjust the `20auto-upgrades` file.

```bash
## Edit 20auto-upgrades
$ sudo nvim /etc/apt/apt.conf.d/20auto-upgrades
```

Delete the whole content, add the following and save.

The interval is controlled by `APT::Periodic::Unattended-Upgrade`; `3` means an upgrade run every `3` days. Note that this also delays security fixes by up to three days; `1` is the usual choice for hosts that are reachable from untrusted networks.

```bash
## Update interval

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "3";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::CleanInterval "1";

```

Then adjust the `50unattended-upgrades` file.

```bash
## Edit 50unattended-upgrades
$ sudo nvim /etc/apt/apt.conf.d/50unattended-upgrades
```

Adjust the file as described in its own comments.

Because the file is long, the complete version is provided as [debian_dns_50unattended_upgrades.conf](./src/debian/debian_dns_50unattended_upgrades.conf) for comparison.

```bash
## Remove the leading comment marker // from the following line to enable it
## (it sits inside the Unattended-Upgrade::Origins-Pattern { ... }; block)

"origin=Debian,codename=${distro_codename}-updates";

## Append the following options at the end of the file and adjust the values

Unattended-Upgrade::AutoFixInterruptedDpkg "true";

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Unattended-Upgrade::Automatic-Reboot "true";

Unattended-Upgrade::Automatic-Reboot-Time "03:00";

```
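The edits to `50unattended-upgrades` above and in 03 §4 on the PVE host are easy to get subtly wrong: an origin left commented, a Proxmox line pasted outside the `Origins-Pattern` block, or a reboot time that lands before the upgrade timer. The shell functions below, an added example rather than code from this page or from the `unattended-upgrades` package, read the file, expand `${distro_codename}` the way `unattended-upgrades` does, and let you assert the expected state. They assume the stock layout (enabled origins are quoted strings inside `Unattended-Upgrade::Origins-Pattern { ... };`, disabled ones start with `//`); the file used in the usage is constructed.

```shell
#!/bin/sh
# Audit helper for unattended-upgrades settings (PVE host in 03 §4, Debian
# template in 05 §1.7). Added example; not from the page or the package.

# Print every enabled (not //-commented) entry of Unattended-Upgrade::Origins-Pattern,
# one per line, with ${distro_codename} and ${distro_id} substituted.
enabled_origins() {
  file=$1
  codename=$2
  distro_id=${3:-Debian}
  awk -v cn="$codename" -v id="$distro_id" '
    function repl(s, from, to,   i) {
      while ((i = index(s, from)) > 0)
        s = substr(s, 1, i - 1) to substr(s, i + length(from))
      return s
    }
    /^[[:space:]]*\/\// { next }                        # commented-out line
    /Unattended-Upgrade::Origins-Pattern/ { inblock = 1; next }
    inblock && /^[[:space:]]*};/ { inblock = 0; next }  # end of the block
    inblock && /^[[:space:]]*"/ {
      s = $0
      sub(/^[[:space:]]*"/, "", s)
      sub(/";.*$/, "", s)
      print repl(repl(s, "${distro_codename}", cn), "${distro_id}", id)
    }
  ' "$file"
}

# Succeed only if every pattern given after FILE CODENAME is enabled;
# the missing ones are printed on stderr.
require_origins() {
  file=$1
  codename=$2
  shift 2
  enabled=$(enabled_origins "$file" "$codename")
  missing=0
  for want in "$@"; do
    if ! printf '%s\n' "$enabled" | grep -qxF -- "$want"; then
      echo "missing origin: $want" >&2
      missing=1
    fi
  done
  return $missing
}

# Read a quoted scalar such as  Unattended-Upgrade::Automatic-Reboot-Time "03:00";
config_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# Succeed if HH:MM $1 is strictly earlier in the day than HH:MM $2
# (use it to check that Automatic-Reboot-Time follows the timer's OnCalendar).
time_before() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, ":"); split(b, y, ":")
    exit !((x[1] * 60 + x[2]) < (y[1] * 60 + y[2]))
  }'
}

# Usage on a real host (codename of the running release, e.g. bookworm):
#   f=/etc/apt/apt.conf.d/50unattended-upgrades
#   require_origins "$f" bookworm 'origin=Debian,codename=bookworm-updates' \
#       'origin=Debian,codename=bookworm-security,label=Debian-Security'
#   time_before 02:00 "$(config_value "$f" Unattended-Upgrade::Automatic-Reboot-Time)"
```

On the PVE host, add `origin=Proxmox,codename=bookworm,label=Proxmox Debian Repository` to the `require_origins` call; if that line was appended after the block instead of inside it, the function reports it as missing, which is exactly the mistake APT would otherwise reject at the next run.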
After the automatic-update configuration has been changed, the update timer must be reset with the following command.

```bash
## Configure the system timer
$ sudo systemctl edit apt-daily-upgrade.timer
```

Following the hints in the generated file, put the following in the blank area between the comment blocks.

```bash
## Timer override

[Timer]
OnCalendar=
OnCalendar=02:00
RandomizedDelaySec=0

```

Once saved, restart the timer and check its status with the following commands.

A trigger time of `02:00` in the output means the setting is correct.

```bash
## Restart the timer
$ sudo systemctl restart apt-daily-upgrade.timer

## Check the timer status again
$ sudo systemctl status apt-daily-upgrade.timer
```

Check the schedule against chapter 03 as well: the host upgrades at `01:30` and reboots at `02:30`, this VM upgrades at `02:00` and reboots at `03:00`. The host reboot takes every guest down whether or not its own upgrade run has finished; `AutoFixInterruptedDpkg` repairs `dpkg` afterwards, but keeping the guest run well clear of the host reboot avoids needing it.

### 1.8. Configure a cron job

This step is optional; it schedules a periodic reboot.

```bash
## List the cron jobs
$ sudo crontab -l

## Edit the cron jobs; choose nano as the editor
$ sudo crontab -e
```

Append the following entry at the end of the file.

```bash
## Cron entry

30 4 8,24 * * /usr/sbin/reboot

```

### 1.9. Clean up the system

The Debian template VM is configured; before converting it into a template, clean it up.

```bash
## Clean up packages
$ sudo bash -c 'apt clean && apt autoclean && apt autoremove --purge'

## Clear caches
$ sudo bash -c 'find /var/cache/apt/ /var/cache/smartdns/ /var/lib/apt/lists/ /tmp/ -type f -print -delete'

## Delete logs
$ sudo bash -c 'find /var/log/ -type f -print -delete'

## Remove the shell history files; unset HISTFILE so the current session is not
## written back on logout (history -c is a bash builtin and fails under zsh,
## the default shell since 1.4)
$ rm -rvf ~/.bash_history ~/.zsh_history ~/.zcompdump* && unset HISTFILE

## Shut the system down
$ sudo shutdown now
```

Two things every clone would otherwise inherit from the template are `/etc/machine-id` and the SSH host keys. Empty `/etc/machine-id` before shutting down so that each clone generates its own identity at first boot. cloud-init regenerates the host keys on a clone's first boot when it sees a new instance id (its `ssh_deletekeys` behaviour, on by default); confirm it on a clone by comparing the fingerprints from `ssh-keygen -l` with the template's. Deleting everything under `/var/log/` also removes the login records `wtmp`, `btmp` and `lastlog`; truncating the files in place keeps them usable.

## 2. Convert the VM into a template

With the Debian template VM shut down, open the PVE web interface.

In the VM list on the left, **right-click** the Debian template VM and choose `Convert to template`.

Note that `Convert to template` cannot be undone.

If some Debian setting turns out to be wrong, it can only be fixed in VMs cloned from the template, or the template has to be deleted and rebuilt.

![Convert the VM into a template](img/p05/vm_to_template.jpeg)

The Debian VM template is now complete.
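The cleanup in 03 §7 and 05 §1.9 unlinks every file under `/var/log` and leaves `/etc/machine-id` as it is. The POSIX shell functions below are an added example, not code from the page, that do the same job in a clone-safe way: logs are truncated in place (ownership, permissions and open descriptors survive), the machine id is emptied so each clone generates its own, and shell history files are removed. They operate relative to a root directory so they can be tried on a scratch tree; on the real template run `scrub_template /` as root just before `shutdown now`. The persistent journal under `/var/log/journal` is deliberately skipped because truncated journal files are corrupt; clear it with `journalctl --rotate` followed by `journalctl --vacuum-time=1s`. The scratch tree in the usage is constructed.

```shell
#!/bin/sh
# Template scrub helper. Added example; not from the page or from Proxmox.
# Every function takes the root directory to work on (default "/").

# Truncate every regular file under ROOT/var/log to zero bytes, leaving the
# journal directory alone (journald must rotate its own files).
scrub_logs() {
  root=${1:-/}
  find "$root/var/log" -path "$root/var/log/journal" -prune -o \
       -type f -exec truncate -s 0 {} +
}

# Empty the machine id; systemd generates a fresh one at boot when the file
# exists but is empty, so clones stop sharing the template's identity.
scrub_machine_id() {
  root=${1:-/}
  if [ -f "$root/etc/machine-id" ]; then
    : > "$root/etc/machine-id"
  fi
}

# Remove bash/zsh history and zsh completion dumps for root and every user home.
scrub_history() {
  root=${1:-/}
  for home in "$root/root" "$root"/home/*; do
    [ -d "$home" ] || continue
    rm -f "$home/.bash_history" "$home/.zsh_history" "$home"/.zcompdump*
  done
}

# Count what still identifies this image: a non-empty machine id, non-empty
# log files outside the journal, and leftover history files. Prints the count.
scrub_findings() {
  root=${1:-/}
  n=0
  if [ -s "$root/etc/machine-id" ]; then
    n=$((n + 1))
  fi
  logs=$(find "$root/var/log" -path "$root/var/log/journal" -prune -o \
              -type f -size +0c -print 2>/dev/null | wc -l)
  hist=$(find "$root/root" "$root/home" -maxdepth 2 \
              \( -name .bash_history -o -name .zsh_history -o -name '.zcompdump*' \) \
              2>/dev/null | wc -l)
  echo $((n + logs + hist))
}

# Run the whole scrub and print the number of remaining findings (0 when clean).
scrub_template() {
  root=${1:-/}
  scrub_logs "$root"
  scrub_machine_id "$root"
  scrub_history "$root"
  scrub_findings "$root"
}
```

`scrub_findings` is also a handy pre-flight check on a freshly booted clone: a non-zero count there means the clone still carries template state.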
--------------------------------------------------------------------------------
/06.PVE制作DNS服务器.md:
--------------------------------------------------------------------------------

## 1. Clone the VM

In the previous article, [05.PVE制作虚拟机模板](./05.PVE制作虚拟机模板.md), the VM template was created.

A new VM is now cloned from it and Adguard Home installed as the internal DNS server.

**Right-click** the template and choose `Clone`.

![Clone the VM](img/p06/vm_clone.jpeg)

In the clone dialog, set the parameters according to your environment and the table below.

|Parameter|Value|Notes|
|--|--|--|
|Target node|`node01`|The current PVE node|
|VM ID|`201`|Free to choose, but must not collide with an existing `VM ID`|
|Name|`DNS01`|Free to choose; `Cloud-Init` uses it as the VM's `hostname`|
|Mode|`Full Clone`|Clone mode|
|Target Storage|`local-lvm`|Where the cloned VM's disks are stored|

Click `Clone` to create the new VM from the template.

![Clone parameters](img/p06/vm_clone_vmid.jpeg)


## 2. Adjust Cloud-Init

The cloned VM's `Cloud-Init` parameters are identical to the template's.

Per the **internal network** plan, the internal DNS servers use these IPv4 addresses:

- `172.16.1.2/24`

- `172.16.1.3/24`

The new VM's `Cloud-Init` parameters are therefore changed as follows.

- In `IP Config`, set the IPv4 address to `172.16.1.2/24` and keep the gateway `172.16.1.1`.

- In `IP Config`, set the IPv6 address to `auto` and leave the gateway empty.

Note that changing `User` creates a new administrator account; the `oh-my-zsh` setup from the template then has to be repeated for that user.

![Adjust the clone's Cloud-Init](img/p06/vm_clone_ci_slaac.jpeg)

When the main router has an IPv6 ULA prefix, the internal DNS servers use these ULA addresses:

- `fdac::2/64`

- `fdac::3/64`

In that case adjust the `Cloud-Init` parameters further so the VM uses its assigned ULA address, as shown below.

![Adjust the clone's Cloud-Init](img/p06/vm_clone_ci_static.jpeg)

## 3. Adjust the options

As mentioned in [04.PVE创建模板虚拟机](./04.PVE创建模板虚拟机.md), a cloned VM needs its options changed before it starts automatically.

Open the VM's `Options` page on the left and set `Start at boot` to `Yes`.

![Clone autostart](img/p06/vm_clone_autostart.jpeg)

**Double-click** `Start/Shutdown order` to adjust the automatic start parameters.

A `Start/Shutdown order` of `2` means this VM starts `2nd` and shuts down `2nd` from last.

A `Startup delay` of `15` means PVE waits `15` seconds after starting this VM before starting the next one.

![Clone autostart order](img/p06/vm_clone_autostart_order.jpeg)

## 4. Free the DNS port

Power the VM on, log in with a terminal tool and check which process holds port 53.

```bash
## Check port 53
$ sudo lsof -n -i :53

#### Sample output
COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 1797 systemd-resolve   18u  IPv4  23024      0t0  UDP 127.0.0.53:domain
systemd-r 1797 systemd-resolve   19u  IPv4  23025      0t0  TCP 127.0.0.53:domain (LISTEN)
systemd-r 1797 systemd-resolve   20u  IPv4  23026      0t0  UDP 127.0.0.54:domain
systemd-r 1797 systemd-resolve   21u  IPv4  23027      0t0  TCP 127.0.0.54:domain (LISTEN)
```

Port `53` is held by `systemd-resolved.service`, which would make the DNS server fail to bind its listening port.

To free port `53`, configure `systemd-resolved.service` with the following commands.

```bash
## Create the systemd-resolved drop-in directory
$ sudo mkdir -p /etc/systemd/resolved.conf.d

## Create the systemd-resolved drop-in
$ sudo nvim /etc/systemd/resolved.conf.d/10-server-dns.conf
```

Add the following to the file and save.

```bash
# This configuration file is customized by fox,
# Optimize system resolve parameters for local DNS server.

[Resolve]
DNS=127.0.0.1
DNS=::1
DNSStubListener=no

```

After saving, the system's `resolv.conf` must be adjusted as well.

```bash
## Point resolv.conf at the file managed by systemd-resolved
$ sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
```

Then restart `systemd-resolved.service` and check port `53` again with the `lsof` command above.

```bash
## Restart systemd-resolved.service
$ sudo systemctl restart systemd-resolved.service
```

Two checks after the restart. First, look at `/etc/resolv.conf`: with the stub listener disabled nothing answers on `127.0.0.53` any more, so if the file still names that address, point the link at `/run/systemd/resolve/resolv.conf` instead, which lists the configured `DNS=` servers. Second, from now on the VM resolves names through `127.0.0.1` / `::1`, that is through the DNS server installed in the next sections; if `apt` or `snap` cannot resolve names in the meantime, add a reachable upstream such as the router to `DNS=` until the local server is running.

## 5. Adguard Home

`Adguard Home` is installed as a `snap`.

```bash
## Install snapd
$ sudo apt install snapd

## Install Adguard Home
$ sudo snap install adguard-home
```

### 5.1. Automatic refresh

Show the current `Snap` refresh schedule.

```bash
## Show the Snap refresh schedule
$ sudo snap refresh --time
```

Set the `Snap` refresh windows to `2:30-3:30` and `14:30-15:30` every day.

```bash
## Change the Snap refresh windows
$ sudo snap set system refresh.timer=2:30-3:30,14:30-15:30

## Other schedule syntax, for reference
$ sudo snap set system refresh.timer=mon,2:30,,fri,2:30
```

Pick windows that do not collide with the reboots scheduled in chapters 03 and 05 (`02:30` on the host, `03:00` in this VM).

### 5.2. Configure Adguard Home

For the `Adguard Home` configuration itself, see [Adguard Home 折腾手记](https://gitee.com/callmer/agh_toss_notes).

### 5.3. Cron job

This step is optional; it restarts `Adguard Home` once a day.

```bash
## List the cron jobs
$ sudo crontab -l

## Edit the cron jobs; choose nano as the editor
$ sudo crontab -e
```

Append the following entry at the end of the file.

```bash
## Cron entry

30 4 * * * /usr/bin/snap restart adguard-home

```

## 6. SmartDNS

To use `SmartDNS` instead of `Adguard Home`, it can be installed from the Debian repositories, but that version is usually well behind.

The latest stable release from the project's GitHub page is therefore recommended; see [pymumu/smartdns](https://github.com/pymumu/smartdns/releases).

`SmartDNS` alone is usually a good resolver, but chaining it behind `Dnsmasq` allows the resolution flow to be tuned further.

```bash
## Install Dnsmasq
$ sudo apt install dnsmasq
```

Check `dnsmasq.service` and make sure it starts at boot.

```bash
## Check dnsmasq.service
$ sudo systemctl status dnsmasq.service

## Enable dnsmasq.service at boot
$ sudo systemctl enable dnsmasq.service

## Stop dnsmasq.service for now
$ sudo systemctl stop dnsmasq.service
```

Download the latest `SmartDNS` release for your architecture with the following commands.

```bash
## Create a temporary directory for the SmartDNS package
$ mkdir -p /tmp/SmartDNS

## Enter the directory
$ cd /tmp/SmartDNS

## Download the SmartDNS package
$ curl -LR -O https://github.com/pymumu/smartdns/releases/download/Release46.1/smartdns.1.2025.03.02-1533.x86_64-linux-all.tar.gz

## Unpack the SmartDNS package
$ tar zxf smartdns.*.x86_64-linux-all.tar.gz

## Enter the package directory
$ cd smartdns

## Make the installer executable
$ chmod +x ./install

## Install SmartDNS
$ sudo ./install -i
```

The installer runs as root on an archive that has not been integrity-checked. Pin the release as done here and, where the release page publishes a checksum for the archive, compare it before running `./install -i`.

Before changing the `SmartDNS` configuration, check `smartdns.service` and make sure it starts at boot.

```bash
## Check smartdns.service
$ sudo systemctl status smartdns.service

## Enable smartdns.service at boot
$ sudo systemctl enable smartdns.service
```

### 6.1. SmartDNS additional configuration

This step is optional; additional `SmartDNS` configuration files add ad blocking and faster resolution of domains inside China.

For ad blocking, download the ad rule file.

```bash
## Create the SmartDNS configuration directory
$ sudo mkdir -p /etc/smartdns.d

## Download the ad rules
$ sudo curl -LR -o /etc/smartdns.d/anti-ad.smartdns.conf https://anti-ad.net/anti-ad-for-smartdns.conf
```

The acceleration rules for `SmartDNS` are installed by a `bash` script, which writes its configuration files to `/etc/smartdns.d`.

The script is described in [SmartDNS China List 安装脚本](https://gitee.com/callmer/smartdns_china_list_installer).

```bash
## Download the acceleration rule installer
$ sudo curl -LR -o /opt/smartdns-plugin.sh https://gitee.com/callmer/smartdns_china_list_installer/raw/main/smartdns_plugin.sh

## Make the script executable
$ sudo chmod +x /opt/smartdns-plugin.sh

## Make the script immutable
$ sudo chattr +i /opt/smartdns-plugin.sh

## Run the script
$ sudo bash /opt/smartdns-plugin.sh
```

The script is fetched from a remote repository and run as root, and the rule files it and the cron job below install decide what this resolver blocks or forwards. `chattr +i` only freezes the copy you downloaded; read the script before the first run, and treat the rule sources as trusted inputs.

### 6.2. Cron jobs

This step is optional; it refreshes the additional `SmartDNS` configuration files and restarts the service on a schedule.

```bash
## Edit the cron jobs; choose nano as the editor
$ sudo crontab -e
```

Append the following entries at the end of the file.

```bash
## Cron entries

20 9 * * * /usr/bin/curl --retry-connrefused --retry 5 --retry-delay 5 --retry-max-time 60 -fsSLR -o /etc/smartdns.d/anti-ad.smartdns.conf https://anti-ad.net/anti-ad-for-smartdns.conf

30 9 * * * /usr/bin/systemctl restart smartdns.service

```

If the acceleration rule installer is used, it restarts the service itself, so the entries can be changed to:

```bash
## Cron entries

20 9 * * * /usr/bin/curl --retry-connrefused --retry 5 --retry-delay 5 --retry-max-time 60 -fsSLR -o /etc/smartdns.d/anti-ad.smartdns.conf https://anti-ad.net/anti-ad-for-smartdns.conf

30 9 * * * /usr/bin/bash /opt/smartdns-plugin.sh
```

### 6.3. SmartDNS main configuration

`SmartDNS` configuration is fairly involved and allows all kinds of query rules; read the official [configuration guide](https://pymumu.github.io/smartdns/config/basic-config/) and [configuration options](https://pymumu.github.io/smartdns/configuration/) first.

Before editing the main `SmartDNS` configuration, stop `SmartDNS` and remove its stale process id files.

```bash
## Stop smartdns.service
$ sudo systemctl stop smartdns.service

## Remove the pid files
$ sudo rm -rvf /var/run/smartdns.pid /run/smartdns.pid
```

The main `SmartDNS` configuration lives in `/etc/smartdns`; back it up before editing.

```bash
## Back up the SmartDNS main configuration
$ sudo mv /etc/smartdns/smartdns.conf /etc/smartdns/smartdns.conf.bak
```

Create the main `SmartDNS` configuration with `neovim`.

```bash
## Create the SmartDNS main configuration
$ sudo nvim /etc/smartdns/smartdns.conf
```

Enter the following in the editor and save.

**Notes:**

- `SmartDNS` listens on `6053@lo`; adjust as needed.

- Check the local domain and upstream DNS server settings against your own environment.

```bash
# This configuration file is customized by fox,
# Optimize SmartDNS parameters for local DNS server.
#
# For use common DNS server as upstream DNS server,
# please modify 'server' parameter according to
# your network environment.
#
# eg:
# server 223.5.5.5
# server 180.184.1.1
# server 119.29.29.29
# server 114.114.114.114
# server 2402:4e00::
# server 2400:3200::1

conf-file /etc/smartdns.d/*.conf

log-level notice
log-console yes

bind [::]:6053@lo
bind-tcp [::]:6053@lo

cache-size 32768
max-query-limit 1024
max-reply-ip-num 16

prefetch-domain yes

serve-expired yes
serve-expired-ttl 129600
serve-expired-reply-ttl 30
serve-expired-prefetch-time 28800

rr-ttl-min 60
rr-ttl-max 28800
rr-ttl-reply-max 14400

server-tcp 180.184.1.1 -bootstrap-dns
server-tcp 114.114.114.114 -bootstrap-dns
server-tcp 2400:3200::1 -bootstrap-dns

server-tls dot.pub
server-tls dns.alidns.com

server-https https://doh.pub/dns-query
server-https https://dns.alidns.com/dns-query

```

Binding to `lo` keeps `SmartDNS` unreachable from the LAN, so `Dnsmasq` on port `53` is the only exposed listener. The plain-TCP servers are marked `-bootstrap-dns`, meaning they are used only to resolve the names of the DoT and DoH upstreams; client queries themselves go out encrypted.

### 6.4. Configure Dnsmasq

The main `Dnsmasq` configuration lives under `/etc`; run the following before editing.

```bash
## Create the Dnsmasq configuration directory
$ sudo mkdir -p /etc/dnsmasq.d
```

Create the main `Dnsmasq` configuration with `neovim`.

```bash
## Create the Dnsmasq main configuration
$ sudo nvim /etc/dnsmasq.d/10-server-dnsmasq.conf
```

Enter the following in the editor and save.

**Notes:**

- Adjust the cache parameter `cache-size` to the memory available.

- The internal domain in the file is `fox.internal`; adjust it to your own.

- `Dnsmasq` uses `SmartDNS` as its one and only upstream DNS server.

```bash
# This configuration file is customized by fox,
# Optimize dnsmasq parameters for local DNS server.
422 | 423 | # Main Config 424 | 425 | conf-dir=/etc/dnsmasq.d/,*.conf 426 | conf-file=/etc/dnsmasq.conf 427 | 428 | log-facility=/var/log/dnsmasq.log 429 | log-async=20 430 | 431 | cache-size=2048 432 | max-cache-ttl=7200 433 | fast-dns-retry=1800 434 | 435 | interface=eth0 436 | rebind-domain-ok=/fox.internal/ 437 | 438 | bind-dynamic 439 | bogus-priv 440 | domain-needed 441 | no-hosts 442 | no-negcache 443 | no-resolv 444 | no-round-robin 445 | rebind-localhost-ok 446 | stop-dns-rebind 447 | 448 | # DNS Filter 449 | 450 | server=/alt/ 451 | server=/bind/ 452 | server=/example/ 453 | server=/home.arpa/ 454 | server=/internal/ 455 | server=/invalid/ 456 | server=/lan/ 457 | server=/local/ 458 | server=/localhost/ 459 | server=/onion/ 460 | server=/test/ 461 | 462 | # DNS Server 463 | 464 | server=/fox.internal/172.16.1.1 465 | 466 | server=127.0.0.1#6053 467 | server=::1#6053 468 | 469 | ``` 470 | 471 | 至此,新虚拟机已配置完成,重启后即可作为内网 DNS 服务器使用。 472 | 473 | -------------------------------------------------------------------------------- /07.PVE制作TS服务器.md: -------------------------------------------------------------------------------- 1 | ## 0.前期准备 2 | 3 | 某些业务场景下需要构建安全可靠的网络隧道,来打通异地内网环境或从外部访问内网的私有资源。 4 | 5 | 经过实际测试,当 TS 服务器具有 IPv6 GUA 地址时,能稳定建立隧道。 6 | 7 | 本文将使用 Debian 云镜像以及 `Tailscale` 来制作内网组网服务器。 8 | 9 | 对于虚拟机创建部分,请参考 [04.PVE创建模板虚拟机](./04.PVE创建模板虚拟机.md) ,其他 `Cloud-Init` 相关参数如下。 10 | 11 | |参数|值|说明| 12 | |--|--|--| 13 | |虚拟机名称|`SVR01`| TS 服务器 `主机名` | 14 | |DNS 域|`fox.internal`| TS 服务器 `Cloud-Init` | 15 | |DNS 服务器|`172.16.1.1`| TS 服务器 `Cloud-Init` | 16 | |IPv4|`172.16.1.4/24`| TS 服务器 `Cloud-Init` | 17 | |IPv4 网关|`172.16.1.1`| TS 服务器 `Cloud-Init` | 18 | |IPv6|`SLAAC`| TS 服务器 `Cloud-Init` | 19 | 20 | ## 1.配置系统 21 | 22 | 由于 TS 服务器具备路由功能,所以在配置方法和系统参数方面与内网 DNS 服务器有一些区别。 23 | 24 | ### 1.1.配置 SSH 25 | 26 | 与配置内网 DNS 服务器时一样,首先需要调整系统的 SSH 登录权限参数。 27 | 28 | 在虚拟机的命令行界面,使用 `vim` 编辑器编辑 `sshd` 服务的配置文件,执行以下命令。 29 | 30 | ```bash 31 | ## 编辑 SSH 配置文件 32 | $ sudo vim 
/etc/ssh/sshd_config.d/10-server-sshd.conf 33 | ``` 34 | 35 | 在配置文件中添加以下配置项,并保存。 36 | 37 | ```bash 38 | ## SSH 配置项 39 | 40 | PasswordAuthentication yes 41 | PermitEmptyPasswords no 42 | UseDNS no 43 | 44 | ``` 45 | 46 | 修改完成后,需要重启 SSH 服务。 47 | 48 | ```bash 49 | ## 重启 ssh.service 50 | $ sudo systemctl restart ssh.service 51 | ``` 52 | 53 | ### 1.2.配置软件源 54 | 55 | 使用终端工具登录 TS 服务器,常用终端工具请参阅 [01.PVE系统安装](./01.PVE系统安装.md) 。 56 | 57 | 首先需要对 Debian 系统软件源进行修改,这里使用 [USTC](https://mirrors.ustc.edu.cn) 镜像站作为演示。 58 | 59 | 当系统版本发生变化时,请参考 USTC 镜像站的官方说明 [USTC Mirror Help - Debian](https://mirrors.ustc.edu.cn/help/debian.html) 。 60 | 61 | 使用 `vim` 编辑器编辑 `debian.sources` 配置文件,执行以下命令。 62 | 63 | ```bash 64 | ## 编辑 debian.sources 配置文件 65 | $ sudo vim /etc/apt/sources.list.d/debian.sources 66 | ``` 67 | 68 | 删除里面全部内容,添加以下配置项,并保存。 69 | 70 | ```bash 71 | ## 系统软件源配置项 72 | 73 | Types: deb 74 | URIs: https://mirrors.ustc.edu.cn/debian 75 | Suites: bookworm bookworm-updates 76 | Components: main contrib non-free non-free-firmware 77 | Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg 78 | 79 | Types: deb 80 | URIs: https://mirrors.ustc.edu.cn/debian-security 81 | Suites: bookworm-security 82 | Components: main contrib non-free non-free-firmware 83 | Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg 84 | 85 | ``` 86 | 87 | 为了防止 `Cloud-Init` 服务意外修改软件源配置,需要添加文件保护,执行以下命令。 88 | 89 | ```bash 90 | ## 增加文件保护 91 | $ sudo chattr +i /etc/apt/sources.list.d/debian.sources 92 | 93 | ## 检查文件保护 94 | $ lsattr /etc/apt/sources.list.d/debian.sources 95 | 96 | #### 示例输出 97 | ----i---------e------- /etc/apt/sources.list.d/debian.sources 98 | ``` 99 | 100 | 进一步添加 TS 签名密钥以及软件源,执行以下命令。 101 | 102 | ```bash 103 | ## 添加 TS 签名密钥 104 | $ curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg > /dev/null 105 | 106 | ## 添加 TS 软件源 107 | $ curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo 
tee /etc/apt/sources.list.d/tailscale.list 108 | ``` 109 | 110 | ### 1.3.安装软件 111 | 112 | 软件源设置完成后,需要更新系统,执行以下命令。 113 | 114 | ```bash 115 | ## 清理不必要的包 116 | $ sudo bash -c 'apt clean && apt autoclean && apt autoremove --purge' 117 | 118 | ## 更新软件源 119 | $ sudo apt update 120 | 121 | ## 更新系统 122 | $ sudo apt full-upgrade 123 | ``` 124 | 125 | 接下来安装系统必要软件,安装 `iperf3` 后,系统将询问是否将其作为系统服务开机自启,选择 `no` 即可。 126 | 127 | ```bash 128 | ## 安装系统软件 129 | $ sudo apt install qemu-guest-agent btop tmux logrotate cron neovim zsh git 130 | 131 | ## 安装系统自动更新工具 132 | $ sudo apt install unattended-upgrades powermgmt-base python3-gi 133 | 134 | ## 安装网络工具 135 | $ sudo apt install dnsmasq conntrack nftables sshguard lsof knot-dnsutils 136 | 137 | ## 安装 TS 138 | $ sudo apt install tailscale 139 | 140 | ## 安装网络检测工具(可选) 141 | $ sudo apt install iftop iperf3 iperf 142 | 143 | ## 写入磁盘 144 | $ sudo sync 145 | ``` 146 | 147 | ### 1.4.配置 ZSH 148 | 149 | `Zsh` 是比 `Bash` 好用的 `Shell` 程序,使用 `oh-my-zsh` 进行配置。 150 | 151 | ```bash 152 | ## 使用清华大学镜像站安装 oh-my-zsh 153 | $ cd && git clone --depth=1 https://mirrors.tuna.tsinghua.edu.cn/git/ohmyzsh.git 154 | 155 | $ cd ohmyzsh/tools && REMOTE=https://mirrors.tuna.tsinghua.edu.cn/git/ohmyzsh.git sh install.sh 156 | 157 | ## 询问是否切换默认 shell,输入 Y 158 | 159 | #### 示例输出 160 | Time to change your default shell to zsh: 161 | Do you want to change your default shell to zsh? [Y/n] y 162 | 163 | ## oh-my-zsh 安装后清理 164 | $ cd && rm -rvf ohmyzsh .bash_history .zsh_history .shell.pre-oh-my-zsh 165 | ``` 166 | 167 | ### 1.5.调整内核模块 168 | 169 | 使用 `neovim` 编辑器编辑 **内核模块** 配置文件,执行以下命令。 170 | 171 | ```bash 172 | ## 创建 内核模块 配置文件 173 | $ sudo nvim /etc/modules-load.d/10-server-modules.conf 174 | ``` 175 | 176 | 在配置文件中添加以下配置项,并保存。 177 | 178 | ```bash 179 | # This configuration file is customized by fox, 180 | # Optimize netfilter related modules at system boot. 
181 | 182 | nf_conntrack 183 | 184 | ``` 185 | 186 | ### 1.6.调整内核参数 187 | 188 | 使用 `neovim` 编辑器编辑 **内核参数** 配置文件,执行以下命令。 189 | 190 | ```bash 191 | ## 编辑 内核参数 配置文件 192 | $ sudo nvim /etc/sysctl.d/99-sysctl.conf 193 | ``` 194 | 195 | 在配置文件中添加以下配置项,注意配置中间的空格。 196 | 197 | ```bash 198 | # This configuration file is customized by fox, 199 | # Optimize sysctl parameters for local TS server. 200 | 201 | kernel.panic = 20 202 | kernel.panic_on_oops = 1 203 | 204 | net.core.default_qdisc = fq_codel 205 | net.ipv4.tcp_congestion_control = bbr 206 | 207 | net.ipv4.ip_forward = 1 208 | 209 | net.ipv6.conf.all.forwarding = 1 210 | net.ipv6.conf.default.forwarding = 1 211 | 212 | # Other adjustable system parameters 213 | 214 | net.core.netdev_budget = 600 215 | net.core.netdev_budget_usecs = 20000 216 | 217 | net.core.rps_sock_flow_entries = 32768 218 | net.core.somaxconn = 8192 219 | net.core.rmem_max = 26214400 220 | net.core.wmem_max = 655360 221 | 222 | net.ipv4.conf.all.accept_redirects = 0 223 | net.ipv4.conf.default.accept_redirects = 0 224 | 225 | net.ipv4.conf.all.accept_source_route = 0 226 | net.ipv4.conf.default.accept_source_route = 0 227 | 228 | net.ipv4.conf.all.arp_ignore = 1 229 | net.ipv4.conf.default.arp_ignore = 1 230 | 231 | net.ipv4.conf.all.rp_filter = 2 232 | net.ipv4.conf.default.rp_filter = 2 233 | 234 | net.ipv4.conf.all.send_redirects = 0 235 | net.ipv4.conf.default.send_redirects = 0 236 | 237 | net.ipv4.igmp_max_memberships = 256 238 | 239 | net.ipv4.route.error_burst = 500 240 | net.ipv4.route.error_cost = 100 241 | 242 | net.ipv4.route.redirect_load = 2 243 | net.ipv4.route.redirect_silence = 2048 244 | 245 | net.ipv4.tcp_adv_win_scale = -2 246 | net.ipv4.tcp_challenge_ack_limit = 1000 247 | net.ipv4.tcp_fastopen = 3 248 | net.ipv4.tcp_fin_timeout = 30 249 | net.ipv4.tcp_keepalive_time = 120 250 | net.ipv4.tcp_max_syn_backlog = 512 251 | net.ipv4.tcp_notsent_lowat = 131072 252 | net.ipv4.tcp_rmem = 8192 262144 536870912 253 | net.ipv4.tcp_wmem = 
4096 16384 536870912 254 | 255 | net.ipv6.conf.all.accept_redirects = 0 256 | net.ipv6.conf.default.accept_redirects = 0 257 | 258 | net.ipv6.conf.all.accept_source_route = 0 259 | net.ipv6.conf.default.accept_source_route = 0 260 | 261 | net.ipv6.conf.all.use_tempaddr = 0 262 | net.ipv6.conf.default.use_tempaddr = 0 263 | 264 | net.netfilter.nf_conntrack_acct = 1 265 | net.netfilter.nf_conntrack_checksum = 0 266 | net.netfilter.nf_conntrack_tcp_timeout_established = 7440 267 | 268 | ``` 269 | 270 | 保存该配置文件后,重启系统或者执行以下命令让配置生效。 271 | 272 | ```bash 273 | ## 让内核参数生效 274 | $ sudo sysctl --system 275 | ``` 276 | 277 | ### 1.7.调整系统时间 278 | 279 | 默认情况下 Debian 云镜像的系统时间需要调整,执行以下命令将系统时区设置为中国时区。 280 | 281 | ```bash 282 | ## 设置系统时区 283 | $ sudo timedatectl set-timezone Asia/Shanghai 284 | 285 | ## 检查系统时间 286 | $ date -R 287 | ``` 288 | 289 | Debian 云镜像默认使用 `systemd-timesyncd.service` 同步时间,且需要调整为使用国内 NTP 服务器。 290 | 291 | 调整 NTP 服务器参数,执行以下命令。 292 | 293 | ```bash 294 | ## 创建 NTP 配置目录 295 | $ sudo mkdir -p /etc/systemd/timesyncd.conf.d 296 | 297 | ## 创建 NTP 配置文件 298 | $ sudo nvim /etc/systemd/timesyncd.conf.d/10-server-ntp.conf 299 | ``` 300 | 301 | 在配置文件中添加以下配置项,并保存。 302 | 303 | ```bash 304 | # This configuration file is customized by fox, 305 | # Optimize system NTP server. 
306 | 307 | [Time] 308 | NTP=ntp.aliyun.com ntp.tencent.com cn.pool.ntp.org 309 | 310 | ``` 311 | 312 | 保存该配置文件后,需重启 `systemd-timesyncd.service` 服务,并再次检查系统 NTP 服务器地址。 313 | 314 | ```bash 315 | ## 重启 systemd-timesyncd.service 316 | $ sudo systemctl restart systemd-timesyncd.service 317 | 318 | ## 检查系统 NTP 服务器 319 | $ sudo systemctl status systemd-timesyncd.service 320 | ``` 321 | 322 | ### 1.8.配置自动更新 323 | 324 | 配置系统自动更新策略,执行以下命令,使用键盘 `左右方向键` 进行选择,`回车键` 进行确认。 325 | 326 | ```bash 327 | ## 配置自动更新策略 328 | $ sudo dpkg-reconfigure -plow unattended-upgrades 329 | 330 | ## 选择 “是” 331 | 332 | ``` 333 | 334 | 进一步调整 `20auto-upgrades` 配置文件。 335 | 336 | ```bash 337 | ## 编辑 20auto-upgrades 配置文件 338 | $ sudo nvim /etc/apt/apt.conf.d/20auto-upgrades 339 | ``` 340 | 341 | 删除里面全部内容,添加以下配置项,并保存。 342 | 343 | 配置文件中,用来控制更新周期的参数为 `APT::Periodic::Unattended-Upgrade` ,`7` 表示更新周期为 `7` 天。 344 | 345 | ```bash 346 | ## 系统更新周期配置项 347 | 348 | APT::Periodic::Update-Package-Lists "1"; 349 | APT::Periodic::Unattended-Upgrade "7"; 350 | APT::Periodic::AutocleanInterval "1"; 351 | APT::Periodic::CleanInterval "1"; 352 | 353 | ``` 354 | 355 | 进一步调整 `50unattended-upgrades` 配置文件。 356 | 357 | ```bash 358 | ## 编辑 50unattended-upgrades 配置文件 359 | $ sudo nvim /etc/apt/apt.conf.d/50unattended-upgrades 360 | ``` 361 | 362 | 根据 “注释” 中相关说明,调整配置文件。 363 | 364 | 因为该配置文件很长,完整的配置文件可查看 [debian_ts_50unattended_upgrades.conf](./src/debian/debian_ts_50unattended_upgrades.conf) 以便对比。 365 | 366 | ```bash 367 | ## 删除以下行前面的注释符 // ,代表启用 368 | 369 | "origin=Debian,codename=${distro_codename}-updates"; 370 | 371 | ## 添加 TS 更新项目 372 | 373 | "origin=Tailscale,codename=${distro_codename},label=Tailscale"; 374 | 375 | ## 在配置文件末尾增加以下配置项,代表启用,并调整参数 376 | 377 | Unattended-Upgrade::AutoFixInterruptedDpkg "true"; 378 | 379 | Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; 380 | 381 | Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; 382 | 383 | Unattended-Upgrade::Remove-Unused-Dependencies "true"; 384 | 385 | 
Unattended-Upgrade::Automatic-Reboot "true"; 386 | 387 | Unattended-Upgrade::Automatic-Reboot-Time "13:00"; 388 | 389 | ``` 390 | 391 | 系统自动更新配置文件修改完成后,需要重设自动更新定时器,执行以下命令。 392 | 393 | ```bash 394 | ## 配置系统定时器 395 | $ sudo systemctl edit apt-daily-upgrade.timer 396 | ``` 397 | 398 | 根据配置文件中的提示,在中间空白处填入以下配置项。 399 | 400 | ```bash 401 | ## 定时器配置项 402 | 403 | [Timer] 404 | OnCalendar= 405 | OnCalendar=12:00 406 | RandomizedDelaySec=0 407 | 408 | ``` 409 | 410 | 设置完成后,重启自动更新定时器并检查其状态,执行以下命令。 411 | 412 | 在输出结果中,看到系统自动更新的触发时间为 `02:00` 则表示设置正确。 413 | 414 | ```bash 415 | ## 重启触发器 416 | $ sudo systemctl restart apt-daily-upgrade.timer 417 | 418 | ## 再次检查触发器状态 419 | $ sudo systemctl status apt-daily-upgrade.timer 420 | ``` 421 | 422 | ### 1.9.配置防火墙 423 | 424 | 修改防火墙配置之前,需检查 `nftables.service` 服务状态,确保该服务开机自启。 425 | 426 | ```bash 427 | ## 检查 nftables.service 428 | $ sudo systemctl status nftables.service 429 | 430 | ## 设置 nftables.service 开机自启 431 | $ sudo systemctl enable nftables.service 432 | ``` 433 | 434 | 使用 `neovim` 编辑器修改 `nftables` 配置文件,执行以下命令。 435 | 436 | ```bash 437 | ## 备份 nftables 配置文件 438 | $ sudo mv /etc/nftables.conf /etc/nftables.conf.bak 439 | 440 | ## 创建新的 nftables 配置文件 441 | $ sudo nvim /etc/nftables.conf 442 | ``` 443 | 444 | 由于防火墙配置文件很长,因此请查阅文件 [debian_ts_nftables.conf](./src/debian/debian_ts_nftables.conf) 进行复制。 445 | 446 | 配置完成后,需重启 `nftables.service` 服务。 447 | 448 | ```bash 449 | ## 重启 nftables.service 450 | $ sudo systemctl restart nftables.service 451 | ``` 452 | 453 | ### 1.10.调整系统端口 454 | 455 | 为了正常使用 `53` 端口,需要对 `systemd-resolved.service` 进行配置,执行以下命令。 456 | 457 | ```bash 458 | ## 创建 systemd-resolved 配置目录 459 | $ sudo mkdir -p /etc/systemd/resolved.conf.d 460 | 461 | ## 创建 systemd-resolved 配置文件 462 | $ sudo nvim /etc/systemd/resolved.conf.d/10-server-dns.conf 463 | ``` 464 | 465 | 在配置文件中添加以下配置项,并保存。 466 | 467 | ```bash 468 | # This configuration file is customized by fox, 469 | # Optimize system resolve parameters for local TS server. 
470 | 471 | [Resolve] 472 | DNS=127.0.0.1 473 | DNS=::1 474 | DNSStubListener=no 475 | 476 | ``` 477 | 478 | 保存该配置文件后,还需调整系统 `resolv.conf` 配置文件,执行以下命令。 479 | 480 | ```bash 481 | ## 创建 resolv.conf 软链接 482 | $ sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf 483 | ``` 484 | 485 | 配置完成后,需重启 `systemd-resolved.service` 服务。 486 | 487 | ```bash 488 | ## 重启 systemd-resolved.service 489 | $ sudo systemctl restart systemd-resolved.service 490 | ``` 491 | 492 | ### 1.11.配置 Dnsmasq 493 | 494 | 检查 `dnsmasq.service` 服务状态,确保该服务开机自启。 495 | 496 | ```bash 497 | ## 检查 dnsmasq.service 498 | $ sudo systemctl status dnsmasq.service 499 | 500 | ## 设置 dnsmasq.service 开机自启 501 | $ sudo systemctl enable dnsmasq.service 502 | ``` 503 | 504 | `Dnsmasq` 的主配置文件一般位于 `/etc` 目录下,修改配置文件之前,执行以下命令。 505 | 506 | ```bash 507 | ## 创建 Dnsmasq 配置目录 508 | $ sudo mkdir -p /etc/dnsmasq.d 509 | ``` 510 | 511 | 使用 `neovim` 编辑器创建 `Dnsmasq` 主配置文件,执行以下命令。 512 | 513 | ```bash 514 | ## 创建 Dnsmasq 主配置文件 515 | $ sudo nvim /etc/dnsmasq.d/10-server-dnsmasq.conf 516 | ``` 517 | 518 | 在编辑器对话框中输入以下内容,并保存。 519 | 520 | **额外说明:** 521 | 522 | - 请根据系统内存使用情况,调整缓存参数 `cache-size` 523 | 524 | - 配置文件中内网域名为 `fox.internal` ,请根据实际情况进行调整 525 | 526 | - `Dnsmasq` 上游 DNS 服务器分为三类,请根据实际情况进行调整 527 | - `server=/ts.net/100.100.100.100` :TS 服务 `MagicDNS` 专用 DNS 服务器 528 | - `server=/fox.internal/172.16.1.1` :内网域名解析 DNS 服务器,通常为主路由地址 529 | - `server` 参数中的其他 DNS 服务器供 TS 服务器自身及其下游设备使用 530 | 531 | ```bash 532 | # This configuration file is customized by fox, 533 | # Optimize dnsmasq parameters for local TS server. 
534 | 535 | # Main Config 536 | 537 | conf-dir=/etc/dnsmasq.d/,*.conf 538 | conf-file=/etc/dnsmasq.conf 539 | 540 | log-facility=/var/log/dnsmasq.log 541 | log-async=20 542 | 543 | cache-size=2048 544 | max-cache-ttl=7200 545 | fast-dns-retry=1800 546 | 547 | interface=eth0,tailscale0 548 | rebind-domain-ok=/fox.internal/ 549 | 550 | bind-dynamic 551 | bogus-priv 552 | domain-needed 553 | no-hosts 554 | no-negcache 555 | no-resolv 556 | no-round-robin 557 | rebind-localhost-ok 558 | stop-dns-rebind 559 | 560 | # DNS Filter 561 | 562 | server=/alt/ 563 | server=/bind/ 564 | server=/example/ 565 | server=/home.arpa/ 566 | server=/internal/ 567 | server=/invalid/ 568 | server=/lan/ 569 | server=/local/ 570 | server=/localhost/ 571 | server=/onion/ 572 | server=/test/ 573 | 574 | # DNS Server 575 | 576 | server=/ts.net/100.100.100.100 577 | 578 | server=/fox.internal/172.16.1.1 579 | 580 | server=172.16.1.1 581 | 582 | ``` 583 | 584 | 配置完成后,需重启 `dnsmasq.service` 服务。 585 | 586 | ```bash 587 | ## 重启 dnsmasq.service 588 | $ sudo systemctl restart dnsmasq.service 589 | ``` 590 | 591 | ## 2. 
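Before running `tailscale up` in the next section it is worth checking mechanically that the pieces configured above fit together: the `Dnsmasq` hardening directives (section 6.4 of the DNS server notes and section 1.11 here), the forwarding sysctls from section 1.6, and the subnet prefix that will be passed to `--advertise-routes`. The POSIX shell script below is an added example written for this page; it is not part of the original notes or of Tailscale. It lints a dnsmasq configuration file, verifies the forwarding flags in a sysctl file, validates the route list and prints the exact `tailscale up` command. The function names, the file paths and the sample configuration files created at the bottom are the example's own constructions, not files from the repository.

```shell
#!/bin/sh
# Added example (not part of the original notes): pre-flight checks for the TS server.
# Validates the dnsmasq config, the forwarding sysctls and the subnet routes, then prints
# the `tailscale up` command. File paths are parameters so the checks can run on copies;
# the sample files created at the bottom are constructed for demonstration only.

# Is ADDR (optionally "addr#port") a loopback or RFC 1918 address? Exit status only.
is_local_upstream() {
    case "${1%%#*}" in
        127.*|::1|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Lint a dnsmasq config file: hardening directives present, listening restricted to named
# interfaces, and every unscoped "server=" upstream local (scoped "server=/domain/..."
# lines are skipped). Reports each problem and returns 1 if any was found.
lint_dnsmasq_conf() {
    conf=$1; rc=0
    for d in stop-dns-rebind no-resolv bogus-priv domain-needed bind-dynamic; do
        grep -qx "$d" "$conf" || { echo "missing directive: $d"; rc=1; }
    done
    grep -q '^interface=' "$conf" || { echo "no interface= line: dnsmasq would answer on every interface"; rc=1; }
    for up in $(grep '^server=[^/]' "$conf" | cut -d= -f2-); do
        is_local_upstream "$up" || { echo "public upstream bypasses the local resolver: $up"; rc=1; }
    done
    # If the dnsmasq binary is available, also let it parse the file (catches unknown options).
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test -C "$conf" >/dev/null 2>&1 || { echo "dnsmasq --test rejects $conf"; rc=1; }
    fi
    return $rc
}

# Both forwarding sysctls must be 1 for --advertise-routes / --advertise-exit-node to work.
forwarding_enabled() {
    grep -Eq '^net\.ipv4\.ip_forward *= *1$' "$1" &&
        grep -Eq '^net\.ipv6\.conf\.all\.forwarding *= *1$' "$1"
}

# Accept only an RFC 1918 IPv4 subnet written with an explicit prefix length (e.g. 172.16.1.0/24).
valid_private_cidr() {
    case "$1" in *[!0-9./]*|*/|/*) return 1 ;; esac
    net=${1%/*}; len=${1##*/}
    [ "$len" != "$1" ] || return 1                       # no "/" at all
    [ -n "$len" ] && [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs          # split the address into octets
    [ $# -eq 4 ] || return 1
    for o; do [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1; done
    case "$net" in 127.*) return 1 ;; esac
    is_local_upstream "$net"
}

# Compose the subnet-router command from the checks above. Prints it; does not run it.
build_tailscale_up() {
    sysctl_file=$1; dnsmasq_conf=$2; shift 2
    [ $# -ge 1 ] || { echo "no subnet routes given"; return 1; }
    lint_dnsmasq_conf "$dnsmasq_conf" || return 1
    forwarding_enabled "$sysctl_file" || { echo "forwarding is off in $sysctl_file"; return 1; }
    grep -Eq '^interface=(.*,)?tailscale0(,.*)?$' "$dnsmasq_conf" ||
        { echo "dnsmasq does not listen on tailscale0, tailnet clients would get no DNS"; return 1; }
    routes=""
    for r; do
        valid_private_cidr "$r" || { echo "refusing non-RFC1918 route: $r"; return 1; }
        routes="${routes:+$routes,}$r"
    done
    echo "tailscale up --advertise-exit-node --accept-routes --advertise-routes=$routes --reset"
}

# --- constructed sample inputs mirroring the notes' configs (demonstration only) ---
demo_dir=$(mktemp -d)
cat >"$demo_dir/sysctl.conf" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
cat >"$demo_dir/good.conf" <<'EOF'
interface=eth0,tailscale0
bind-dynamic
bogus-priv
domain-needed
no-resolv
stop-dns-rebind
server=/ts.net/100.100.100.100
server=/fox.internal/172.16.1.1
server=172.16.1.1
EOF
cat >"$demo_dir/bad.conf" <<'EOF'
interface=eth0
bogus-priv
domain-needed
no-resolv
server=8.8.8.8
EOF

build_tailscale_up "$demo_dir/sysctl.conf" "$demo_dir/good.conf" 172.16.1.0/24
build_tailscale_up "$demo_dir/sysctl.conf" "$demo_dir/bad.conf" 172.16.1.0/24 || echo "bad.conf rejected"
```

Run it with `sh preflight.sh` (any file name will do). The script refuses to print a command while any check fails, so a public upstream in the dnsmasq file, forwarding left off, or a non-private route is caught before Tailscale is told to advertise anything; the `--reset` in the printed command is the one the notes use, so re-running it replaces earlier `tailscale up` options instead of accumulating them.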
Tailscale 592 | 593 | 根据不同的启动参数,TS 服务将具有不同的业务能力。 594 | 595 | ### 2.1.启动模式 596 | 597 | 若仅需 TS 组网功能,执行以下命令。 598 | 599 | ```bash 600 | ## TS 普通组网模式 601 | $ sudo tailscale up 602 | ``` 603 | 604 | 若需 TS 提供 `Exit Node` 功能,执行以下命令。 605 | 606 | ```bash 607 | ## TS Exit Node 模式 608 | $ sudo tailscale up --advertise-exit-node --reset 609 | 610 | ## TS Exit Node 模式,但不使用 MagicDNS 611 | $ sudo tailscale up --advertise-exit-node --accept-dns=false --reset 612 | ``` 613 | 614 | 若需 TS 提供内网路由功能并能访问内网私有服务,执行以下命令。 615 | 616 | **额外说明:** 617 | 618 | - 请根据内网网段,调整 TS 内网路由参数 `advertise-routes` 619 | 620 | ```bash 621 | ## TS 内网路由模式 622 | $ sudo tailscale up --advertise-exit-node --accept-routes --advertise-routes=172.16.1.0/24 --reset 623 | ``` 624 | 625 | 执行命令后,TS 将自动显示登录链接,只需根据链接进行登录操作即可。 626 | 627 | ### 2.2.自动更新 628 | 629 | 目前 TS 将跟随系统自动更新,若需额外开启 TS 的自动更新功能,执行以下命令。 630 | 631 | ```bash 632 | ## TS 开启自动更新 633 | $ sudo tailscale set --auto-update 634 | 635 | ## TS 关闭自动更新 636 | $ sudo tailscale set --auto-update=false 637 | ``` 638 | 639 | ### 2.3.定时任务 640 | 641 | 本步骤为可选操作,主要用于设置 TS 定时重启。 642 | 643 | ```bash 644 | ## 编辑系统定时任务,编辑器选择 nano 645 | $ sudo crontab -e 646 | ``` 647 | 648 | 在配置文件末尾,增加以下配置项。 649 | 650 | ```bash 651 | ## 定时任务配置项 652 | 653 | 30 10 * * * /usr/bin/systemctl restart tailscaled.service 654 | 655 | ``` 656 | 657 | 至此,TS 服务器已配置完成。 658 | 659 | -------------------------------------------------------------------------------- /08.PVE自动备份虚拟机.md: -------------------------------------------------------------------------------- 1 | ## 1.添加备份作业 2 | 3 | 在所有虚拟机创建并配置完成后,可以使用 PVE 自带的备份功能周期性的将虚拟机备份。 4 | 5 | 点击 PVE 的 `数据中心` ,在右侧菜单中选择 `备份` 功能。 6 | 7 | 点击顶部 `添加` 按钮,添加一个 `备份作业` 。 8 | 9 | ![添加备份作业](img/p08/vm_new_backup_job.jpeg) 10 | 11 | ### 1.1.常规选项 12 | 13 | 在弹出的 `创建:备份作业` 对话框中,勾选底部 `高级` 选项,`备份作业` 的各项参数如下。 14 | 15 | |参数|值|说明| 16 | |--|--|--| 17 | |节点|`node01`|选择当前 PVE 服务器节点| 18 | |存储|`local`|选择存放备份文件的路径| 19 | |计划|`*-01,16 03:30`|`备份作业` 执行的时间计划| 20 | |选择模式|`包括选中的VMs`|执行备份的虚拟机对象| 21 | 
|通知模式|`默认(自动)`|执行备份时的通知模式,保持默认即可| 22 | |发送邮箱至|`your_email@domain.com`|`备份作业` 邮件的收件人邮箱| 23 | |发送邮件|`总是`|发送 `备份作业` 邮件提醒的条件| 24 | |压缩|`ZSTD`|选择备份文件的压缩算法| 25 | |模式|`停止`|选择备份虚拟机的方式,推荐使用 `停止` | 26 | |启用|**勾选**|表示该 `备份作业` 为启用状态| 27 | |作业评论|`Backup Your Server :)`|`备份作业` 的备注信息,使用英文输入| 28 | 29 | **额外说明:** 30 | 31 | 1. 计划中的 `*-01,16 03:30` 表示每月 `1` 、`16` 号的 `03:30` 执行备份任务。 32 | 33 | 2. `备份作业` 在正确配置收件人邮箱之前,并不能发出邮件。 34 | 35 | 3. `停止` 模式表示备份时会将虚拟机置于关机状态,备份完成后再恢复至之前的状态。 36 | 37 | 4. 虚拟机列表中,勾选 `备份作业` 需要备份的虚拟机(可多选)。 38 | 39 | ![备份作业常规选项](img/p08/vm_job_normal.jpeg) 40 | 41 | ### 1.2.保留选项 42 | 43 | 该选项将控制备份文件的保留个数,选择保留最近 `3` 份备份文件。 44 | 45 | ![备份作业保留选项](img/p08/vm_job_keep.jpeg) 46 | 47 | ### 1.3.备注模板 48 | 49 | 该选项将按照设置的内容,自动重命名备份文件。 50 | 51 | 在 `备份日志` 右侧文本框中输入 `{{vmid}}_{{guestname}}_Auto_Backup` 。 52 | 53 | 点击 `创建` 按钮,`备份作业` 创建完成。 54 | 55 | ![备份作业备注选项](img/p08/vm_job_notes.jpeg) 56 | 57 | ### 1.4.高级选项 58 | 59 | 该选项提供 `备份作业` 进行时的高级可调参数,仅需勾选 `重复错过` 选项即可。 60 | 61 | ![备份作业高级选项](img/p08/vm_job_advanced.jpeg) 62 | 63 | ## 2.调度模拟器 64 | 65 | 在创建完成 `备份作业` 后,可以使用 `调度模拟器` 来模拟 `备份作业` 的执行时间。 66 | 67 | 鼠标 **单击** 选中一个 `备份作业` ,点击右上角的 `调度模拟器` 。 68 | 69 | ![备份作业调度模拟器](img/p08/vm_job_time_test.jpeg) 70 | 71 | `计划` 处将显示 `备份作业` 的执行时间参数,点击 `模拟` 按钮,在右侧将显示模拟的时间结果。 72 | 73 | 确认 `备份作业` 的执行时间周期是否符合预期。 74 | 75 | ![备份作业时间模拟](img/p08/vm_job_time.jpeg) 76 | 77 | 至此,虚拟机的自动备份已配置完成。 78 | 79 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 
14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 |
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------

# Proxmox VE Tinkering Notes

## Introduction
Installation and tinkering notes for the PVE virtualization platform.

- PVE ISO version: 8.3-1 (updated: 2024-11-21)

- Demo machine:
  - CPU: N6005
  - Memory: 16GB DDR4
  - NIC: I226-V
  - Disk: 500GB NVMe

- PVE network:
  - IPv4 network
    - IP address: `172.16.1.254`
    - Subnet mask: `255.255.255.0` (i.e. `/24`)
    - Gateway: `172.16.1.1`
    - DNS: `172.16.1.1`
  - IPv6 network
    - `SLAAC` autoconfiguration is preferred
    - The IPv6 ULA network `fdac::/64` is used for demonstration

### Chapters in this series

0. [Hardware BIOS configuration](./00.硬件BIOS配置.md)
1. [PVE system installation](./01.PVE系统安装.md)
2. [PVE initial configuration](./02.PVE初始化配置.md)
3. [PVE system tuning](./03.PVE系统调整.md)
4. [PVE: creating the template VM](./04.PVE创建模板虚拟机.md)
5. [PVE: turning the VM into a template](./05.PVE制作虚拟机模板.md)
6. [PVE: building a DNS server](./06.PVE制作DNS服务器.md)
7. [PVE: building a TS server](./07.PVE制作TS服务器.md)
8. [PVE: automatic VM backups](./08.PVE自动备份虚拟机.md)

### Notes on these articles

1. Some of the parameters in this series must be adjusted by hand to match your actual requirements.
2. As PVE is updated, the contents of the screenshots may differ from what the actual pages display.
3. If you quote this material, please cite the source.
-------------------------------------------------------------------------------- /src/debian/debian_dns_20auto_upgrades.conf: -------------------------------------------------------------------------------- 1 | APT::Periodic::Update-Package-Lists "1"; 2 | APT::Periodic::Unattended-Upgrade "3"; 3 | APT::Periodic::AutocleanInterval "1"; 4 | APT::Periodic::CleanInterval "1"; 5 | 6 | -------------------------------------------------------------------------------- /src/debian/debian_dns_50unattended_upgrades.conf: -------------------------------------------------------------------------------- 1 | // Unattended-Upgrade::Origins-Pattern controls which packages are 2 | // upgraded. 3 | // 4 | // Lines below have the format "keyword=value,...". A 5 | // package will be upgraded only if the values in its metadata match 6 | // all the supplied keywords in a line.
(In other words, omitted 7 | // keywords are wild cards.) The keywords originate from the Release 8 | // file, but several aliases are accepted. The accepted keywords are: 9 | // a,archive,suite (eg, "stable") 10 | // c,component (eg, "main", "contrib", "non-free") 11 | // l,label (eg, "Debian", "Debian-Security") 12 | // o,origin (eg, "Debian", "Unofficial Multimedia Packages") 13 | // n,codename (eg, "jessie", "jessie-updates") 14 | // site (eg, "http.debian.net") 15 | // The available values on the system are printed by the command 16 | // "apt-cache policy", and can be debugged by running 17 | // "unattended-upgrades -d" and looking at the log file. 18 | // 19 | // Within lines unattended-upgrades allows 2 macros whose values are 20 | // derived from /etc/debian_version: 21 | // ${distro_id} Installed origin. 22 | // ${distro_codename} Installed codename (eg, "buster") 23 | Unattended-Upgrade::Origins-Pattern { 24 | // Codename based matching: 25 | // This will follow the migration of a release through different 26 | // archives (e.g. from testing to stable and later oldstable). 27 | // Software will be the latest available for the named release, 28 | // but the Debian release itself will not be automatically upgraded. 29 | "origin=Debian,codename=${distro_codename}-updates"; 30 | // "origin=Debian,codename=${distro_codename}-proposed-updates"; 31 | "origin=Debian,codename=${distro_codename},label=Debian"; 32 | "origin=Debian,codename=${distro_codename},label=Debian-Security"; 33 | "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"; 34 | 35 | // Archive or Suite based matching: 36 | // Note that this will silently match a different release after 37 | // migration to the specified archive (e.g. testing becomes the 38 | // new stable). 
39 | // "o=Debian,a=stable"; 40 | // "o=Debian,a=stable-updates"; 41 | // "o=Debian,a=proposed-updates"; 42 | // "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports"; 43 | }; 44 | 45 | // Python regular expressions, matching packages to exclude from upgrading 46 | Unattended-Upgrade::Package-Blacklist { 47 | // The following matches all packages starting with linux- 48 | // "linux-"; 49 | 50 | // Use $ to explicitely define the end of a package name. Without 51 | // the $, "libc6" would match all of them. 52 | // "libc6$"; 53 | // "libc6-dev$"; 54 | // "libc6-i686$"; 55 | 56 | // Special characters need escaping 57 | // "libstdc\+\+6$"; 58 | 59 | // The following matches packages like xen-system-amd64, xen-utils-4.1, 60 | // xenstore-utils and libxenstore3.0 61 | // "(lib)?xen(store)?"; 62 | 63 | // For more information about Python regular expressions, see 64 | // https://docs.python.org/3/howto/regex.html 65 | }; 66 | 67 | // This option allows you to control if on a unclean dpkg exit 68 | // unattended-upgrades will automatically run 69 | // dpkg --force-confold --configure -a 70 | // The default is true, to ensure updates keep getting installed 71 | //Unattended-Upgrade::AutoFixInterruptedDpkg "true"; 72 | 73 | // Split the upgrade into the smallest possible chunks so that 74 | // they can be interrupted with SIGTERM. This makes the upgrade 75 | // a bit slower but it has the benefit that shutdown while a upgrade 76 | // is running is possible (with a small delay) 77 | //Unattended-Upgrade::MinimalSteps "true"; 78 | 79 | // Install all updates when the machine is shutting down 80 | // instead of doing it in the background while the machine is running. 81 | // This will (obviously) make shutdown slower. 82 | // Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s. 
83 | // This allows more time for unattended-upgrades to shut down gracefully 84 | // or even install a few packages in InstallOnShutdown mode, but is still a 85 | // big step back from the 30 minutes allowed for InstallOnShutdown previously. 86 | // Users enabling InstallOnShutdown mode are advised to increase 87 | // InhibitDelayMaxSec even further, possibly to 30 minutes. 88 | //Unattended-Upgrade::InstallOnShutdown "false"; 89 | 90 | // Send email to this address for problems or packages upgrades 91 | // If empty or unset then no email is sent, make sure that you 92 | // have a working mail setup on your system. A package that provides 93 | // 'mailx' must be installed. E.g. "user@example.com" 94 | //Unattended-Upgrade::Mail ""; 95 | 96 | // Set this value to one of: 97 | // "always", "only-on-error" or "on-change" 98 | // If this is not set, then any legacy MailOnlyOnError (boolean) value 99 | // is used to chose between "only-on-error" and "on-change" 100 | //Unattended-Upgrade::MailReport "on-change"; 101 | 102 | // Remove unused automatically installed kernel-related packages 103 | // (kernel images, kernel headers and kernel version locked tools). 
104 | //Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; 105 | 106 | // Do automatic removal of newly unused dependencies after the upgrade 107 | //Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; 108 | 109 | // Do automatic removal of unused packages after the upgrade 110 | // (equivalent to apt-get autoremove) 111 | //Unattended-Upgrade::Remove-Unused-Dependencies "false"; 112 | 113 | // Automatically reboot *WITHOUT CONFIRMATION* if 114 | // the file /var/run/reboot-required is found after the upgrade 115 | //Unattended-Upgrade::Automatic-Reboot "false"; 116 | 117 | // Automatically reboot even if there are users currently logged in 118 | // when Unattended-Upgrade::Automatic-Reboot is set to true 119 | //Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; 120 | 121 | // If automatic reboot is enabled and needed, reboot at the specific 122 | // time instead of immediately 123 | // Default: "now" 124 | //Unattended-Upgrade::Automatic-Reboot-Time "02:00"; 125 | 126 | // Use apt bandwidth limit feature, this example limits the download 127 | // speed to 70kb/sec 128 | //Acquire::http::Dl-Limit "70"; 129 | 130 | // Enable logging to syslog. Default is False 131 | // Unattended-Upgrade::SyslogEnable "false"; 132 | 133 | // Specify syslog facility. Default is daemon 134 | // Unattended-Upgrade::SyslogFacility "daemon"; 135 | 136 | // Download and install upgrades only on AC power 137 | // (i.e. skip or gracefully stop updates on battery) 138 | // Unattended-Upgrade::OnlyOnACPower "true"; 139 | 140 | // Download and install upgrades only on non-metered connection 141 | // (i.e. 
skip or gracefully stop updates on a metered connection) 142 | // Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; 143 | 144 | // Verbose logging 145 | // Unattended-Upgrade::Verbose "false"; 146 | 147 | // Print debugging information both in unattended-upgrades and 148 | // in unattended-upgrade-shutdown 149 | // Unattended-Upgrade::Debug "false"; 150 | 151 | // Allow package downgrade if Pin-Priority exceeds 1000 152 | // Unattended-Upgrade::Allow-downgrade "false"; 153 | 154 | // When APT fails to mark a package to be upgraded or installed try adjusting 155 | // candidates of related packages to help APT's resolver in finding a solution 156 | // where the package can be upgraded or installed. 157 | // This is a workaround until APT's resolver is fixed to always find a 158 | // solution if it exists. (See Debian bug #711128.) 159 | // The fallback is enabled by default, except on Debian's sid release because 160 | // uninstallable packages are frequent there. 161 | // Disabling the fallback speeds up unattended-upgrades when there are 162 | // uninstallable packages at the expense of rarely keeping back packages which 163 | // could be upgraded or installed. 164 | // Unattended-Upgrade::Allow-APT-Mark-Fallback "true"; 165 | 166 | Unattended-Upgrade::AutoFixInterruptedDpkg "true"; 167 | 168 | Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; 169 | 170 | Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; 171 | 172 | Unattended-Upgrade::Remove-Unused-Dependencies "true"; 173 | 174 | Unattended-Upgrade::Automatic-Reboot "true"; 175 | 176 | Unattended-Upgrade::Automatic-Reboot-Time "03:00"; 177 | 178 | -------------------------------------------------------------------------------- /src/debian/debian_dns_99_sysctl.conf: -------------------------------------------------------------------------------- 1 | # This configuration file is customized by fox, 2 | # Optimize sysctl parameters for local DNS server. 
3 | 4 | kernel.panic = 20 5 | kernel.panic_on_oops = 1 6 | 7 | net.core.default_qdisc = fq_codel 8 | 9 | # Other adjustable system parameters 10 | 11 | net.core.netdev_budget = 600 12 | net.core.netdev_budget_usecs = 20000 13 | 14 | net.core.somaxconn = 8192 15 | net.core.rmem_max = 26214400 16 | net.core.wmem_max = 655360 17 | 18 | net.ipv4.igmp_max_memberships = 256 19 | 20 | net.ipv4.tcp_challenge_ack_limit = 1000 21 | net.ipv4.tcp_fastopen = 3 22 | net.ipv4.tcp_fin_timeout = 30 23 | net.ipv4.tcp_keepalive_time = 120 24 | net.ipv4.tcp_max_syn_backlog = 512 25 | net.ipv4.tcp_notsent_lowat = 131072 26 | net.ipv4.tcp_rmem = 4096 87380 26214400 27 | net.ipv4.tcp_wmem = 4096 16384 655360 28 | 29 | net.ipv6.conf.all.use_tempaddr = 0 30 | net.ipv6.conf.default.use_tempaddr = 0 31 | 32 | -------------------------------------------------------------------------------- /src/debian/debian_dns_dnsmasq.conf: -------------------------------------------------------------------------------- 1 | # This configuration file is customized by fox, 2 | # Optimize dnsmasq parameters for local DNS server. 
3 | 4 | # Main Config 5 | 6 | conf-dir=/etc/dnsmasq.d/,*.conf 7 | conf-file=/etc/dnsmasq.conf 8 | 9 | log-facility=/var/log/dnsmasq.log 10 | log-async=20 11 | 12 | cache-size=2048 13 | max-cache-ttl=7200 14 | fast-dns-retry=1800 15 | 16 | interface=eth0 17 | rebind-domain-ok=/fox.internal/ 18 | 19 | bind-dynamic 20 | bogus-priv 21 | domain-needed 22 | no-hosts 23 | no-negcache 24 | no-resolv 25 | no-round-robin 26 | rebind-localhost-ok 27 | stop-dns-rebind 28 | 29 | # DNS Filter 30 | 31 | server=/alt/ 32 | server=/bind/ 33 | server=/example/ 34 | server=/home.arpa/ 35 | server=/internal/ 36 | server=/invalid/ 37 | server=/lan/ 38 | server=/local/ 39 | server=/localhost/ 40 | server=/onion/ 41 | server=/test/ 42 | 43 | # DNS Server 44 | 45 | server=/fox.internal/172.16.1.1 46 | 47 | server=127.0.0.1#6053 48 | server=::1#6053 49 | 50 | -------------------------------------------------------------------------------- /src/debian/debian_dns_dnsmasq_cron.conf: -------------------------------------------------------------------------------- 1 | ## 下载加速规则安装脚本 2 | $ sudo curl -LR -o /opt/dnsmasq-plugin.sh https://gitee.com/felixonmars/dnsmasq-china-list/raw/master/install.sh 3 | 4 | ## 设置脚本可执行权限 5 | $ sudo chmod +x /opt/dnsmasq-plugin.sh 6 | 7 | ## 设置脚本文件防篡改 8 | $ sudo chattr +i /opt/dnsmasq-plugin.sh 9 | 10 | ## 执行脚本 11 | $ sudo bash /opt/dnsmasq-plugin.sh 12 | 13 | ## 设置 crontab 14 | 15 | 25 9 * * * /usr/bin/curl --retry-connrefused --retry 5 --retry-delay 5 --retry-max-time 60 -fsSLR -o /etc/dnsmasq.d/anti-ad.dnsmasq.conf https://anti-ad.net/anti-ad-for-dnsmasq.conf 16 | 17 | 35 9 * * * /usr/bin/bash /opt/dnsmasq-plugin.sh 18 | 19 | -------------------------------------------------------------------------------- /src/debian/debian_dns_smartdns.conf: -------------------------------------------------------------------------------- 1 | # This configuration file is customized by fox, 2 | # Optimize SmartDNS parameters for local DNS server. 
3 | # 4 | # For use common DNS server as upstream DNS server, 5 | # please modify 'server' parameter according to 6 | # your network environment. 7 | # 8 | # eg: 9 | # server 223.5.5.5 10 | # server 180.184.1.1 11 | # server 119.29.29.29 12 | # server 114.114.114.114 13 | # server 2402:4e00:: 14 | # server 2400:3200::1 15 | 16 | conf-file /etc/smartdns.d/*.conf 17 | 18 | log-level notice 19 | log-console yes 20 | 21 | bind [::]:6053@lo 22 | bind-tcp [::]:6053@lo 23 | 24 | cache-size 32768 25 | max-query-limit 1024 26 | max-reply-ip-num 16 27 | 28 | prefetch-domain yes 29 | 30 | serve-expired yes 31 | serve-expired-ttl 129600 32 | serve-expired-reply-ttl 30 33 | serve-expired-prefetch-time 28800 34 | 35 | rr-ttl-min 60 36 | rr-ttl-max 28800 37 | rr-ttl-reply-max 14400 38 | 39 | server-tcp 180.184.1.1 -bootstrap-dns 40 | server-tcp 114.114.114.114 -bootstrap-dns 41 | server-tcp 2400:3200::1 -bootstrap-dns 42 | 43 | server-tls dot.pub 44 | server-tls dns.alidns.com 45 | 46 | server-https https://doh.pub/dns-query 47 | server-https https://dns.alidns.com/dns-query 48 | 49 | -------------------------------------------------------------------------------- /src/debian/debian_dns_smartdns_cron.conf: -------------------------------------------------------------------------------- 1 | # This configuration file is customized by fox, 2 | # Optimize SmartDNS crontab for local DNS server. 
3 | 4 | 20 9 * * * /usr/bin/curl --retry-connrefused --retry 5 --retry-delay 5 --retry-max-time 60 -fsSLR -o /etc/smartdns.d/anti-ad.smartdns.conf https://anti-ad.net/anti-ad-for-smartdns.conf 5 | 6 | 30 9 * * * /usr/bin/systemctl restart smartdns.service 7 | 8 | 9 | ## Or when the smartdns plugin is installed 10 | 11 | 20 9 * * * /usr/bin/curl --retry-connrefused --retry 5 --retry-delay 5 --retry-max-time 60 -fsSLR -o /etc/smartdns.d/anti-ad.smartdns.conf https://anti-ad.net/anti-ad-for-smartdns.conf 12 | 13 | 30 9 * * * /usr/bin/bash /opt/smartdns-plugin.sh 14 | 15 | -------------------------------------------------------------------------------- /src/debian/debian_dns_smartdns_plugin.conf: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | WORKDIR="$(mktemp -d)" 5 | CONFDIR="/etc/smartdns.d" 6 | SERVERS=(223.5.5.5 180.184.1.1 119.29.29.29 114.114.114.114 2402:4e00:: 2400:3200::1) 7 | GROUP=(flash) 8 | # Others: 223.6.6.6 119.28.28.28 9 | # Not using best possible CDN pop: 1.2.4.8 210.2.4.8 10 | # Broken?: 180.76.76.76 11 | 12 | CONF_WITH_SERVERS=(accelerated-domains.china google.china apple.china) 13 | CONF_WITH_GROUP=(dns-group.china) 14 | CONF_SIMPLE=(bogus-nxdomain.china) 15 | 16 | echo "Checking whether the configuration folder exists..." 17 | if [ ! -d "$CONFDIR" ]; then 18 | mkdir -p "$CONFDIR" 19 | fi 20 | 21 | echo "Downloading latest configurations..." 
22 | git clone --depth=1 https://gitee.com/felixonmars/dnsmasq-china-list.git "$WORKDIR" 23 | #git clone --depth=1 https://pagure.io/dnsmasq-china-list.git "$WORKDIR" 24 | #git clone --depth=1 https://github.com/felixonmars/dnsmasq-china-list.git "$WORKDIR" 25 | #git clone --depth=1 https://bitbucket.org/felixonmars/dnsmasq-china-list.git "$WORKDIR" 26 | #git clone --depth=1 https://gitlab.com/felixonmars/dnsmasq-china-list.git "$WORKDIR" 27 | #git clone --depth=1 https://e.coding.net/felixonmars/dnsmasq-china-list.git "$WORKDIR" 28 | #git clone --depth=1 https://codehub.devcloud.huaweicloud.com/dnsmasq-china-list00001/dnsmasq-china-list.git "$WORKDIR" 29 | #git clone --depth=1 http://repo.or.cz/dnsmasq-china-list.git "$WORKDIR" 30 | 31 | echo "Removing old configurations..." 32 | for _conf in "${CONF_WITH_SERVERS[@]}" "${CONF_WITH_GROUP[@]}" "${CONF_SIMPLE[@]}"; do 33 | rm -f "$CONFDIR/$_conf"*.conf 34 | done 35 | 36 | echo "Installing new configurations..." 37 | for _conf in "${CONF_WITH_SERVERS[@]}" "${CONF_WITH_GROUP[@]}" "${CONF_SIMPLE[@]}"; do 38 | if [[ "${CONF_WITH_SERVERS[@]}" =~ $_conf ]]; then 39 | sed -En 's|^server=/([^/]*)/114.114.114.114$|\1|p' "$WORKDIR/$_conf.conf" | grep -Ev '^#' > "$WORKDIR/$_conf.step1.raw" 40 | sed -En "s/(.*)/nameserver \\/\\1\\/${GROUP[@]}/p" "$WORKDIR/$_conf.step1.raw" > "$WORKDIR/$_conf.step2.raw" 41 | cp "$WORKDIR/$_conf.step2.raw" "$CONFDIR/$_conf.smartdns.conf" 42 | fi 43 | 44 | if [[ "${CONF_WITH_GROUP[@]}" =~ $_conf ]]; then 45 | for _server in "${SERVERS[@]}"; do 46 | echo "server $_server -group ${GROUP[@]} -exclude-default-group" >> "$WORKDIR/$_conf.raw" 47 | done 48 | cp "$WORKDIR/$_conf.raw" "$CONFDIR/$_conf.smartdns.conf" 49 | fi 50 | 51 | if [[ "${CONF_SIMPLE[@]}" =~ $_conf ]]; then 52 | sed -e "s|=| |" "$WORKDIR/$_conf.conf" > "$WORKDIR/$_conf.raw" 53 | cp "$WORKDIR/$_conf.raw" "$CONFDIR/$_conf.smartdns.conf" 54 | fi 55 | done 56 | 57 | echo "Restarting smartdns service..." 
58 | if hash systemctl 2>/dev/null; then 59 | systemctl restart smartdns 60 | elif hash service 2>/dev/null; then 61 | service smartdns restart 62 | elif hash rc-service 2>/dev/null; then 63 | rc-service smartdns restart 64 | elif hash busybox 2>/dev/null && [[ -d "/etc/init.d" ]]; then 65 | /etc/init.d/smartdns restart 66 | else 67 | echo "Now please restart smartdns since I don't know how to do it." 68 | fi 69 | 70 | echo "Cleaning up..." 71 | rm -r "$WORKDIR" 72 | 73 | -------------------------------------------------------------------------------- /src/debian/debian_sources.conf: -------------------------------------------------------------------------------- 1 | Types: deb 2 | URIs: https://mirrors.ustc.edu.cn/debian 3 | Suites: bookworm bookworm-updates 4 | Components: main contrib non-free non-free-firmware 5 | Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg 6 | 7 | Types: deb 8 | URIs: https://mirrors.ustc.edu.cn/debian-security 9 | Suites: bookworm-security 10 | Components: main contrib non-free non-free-firmware 11 | Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg 12 | 13 | -------------------------------------------------------------------------------- /src/debian/debian_ts_20auto_upgrades.conf: -------------------------------------------------------------------------------- 1 | APT::Periodic::Update-Package-Lists "1"; 2 | APT::Periodic::Unattended-Upgrade "7"; 3 | APT::Periodic::AutocleanInterval "1"; 4 | APT::Periodic::CleanInterval "1"; 5 | 6 | -------------------------------------------------------------------------------- /src/debian/debian_ts_50unattended_upgrades.conf: -------------------------------------------------------------------------------- 1 | // Unattended-Upgrade::Origins-Pattern controls which packages are 2 | // upgraded. 3 | // 4 | // Lines below have the format "keyword=value,...". A 5 | // package will be upgraded only if the values in its metadata match 6 | // all the supplied keywords in a line. 
(In other words, omitted 7 | // keywords are wild cards.) The keywords originate from the Release 8 | // file, but several aliases are accepted. The accepted keywords are: 9 | // a,archive,suite (eg, "stable") 10 | // c,component (eg, "main", "contrib", "non-free") 11 | // l,label (eg, "Debian", "Debian-Security") 12 | // o,origin (eg, "Debian", "Unofficial Multimedia Packages") 13 | // n,codename (eg, "jessie", "jessie-updates") 14 | // site (eg, "http.debian.net") 15 | // The available values on the system are printed by the command 16 | // "apt-cache policy", and can be debugged by running 17 | // "unattended-upgrades -d" and looking at the log file. 18 | // 19 | // Within lines unattended-upgrades allows 2 macros whose values are 20 | // derived from /etc/debian_version: 21 | // ${distro_id} Installed origin. 22 | // ${distro_codename} Installed codename (eg, "buster") 23 | Unattended-Upgrade::Origins-Pattern { 24 | // Codename based matching: 25 | // This will follow the migration of a release through different 26 | // archives (e.g. from testing to stable and later oldstable). 27 | // Software will be the latest available for the named release, 28 | // but the Debian release itself will not be automatically upgraded. 29 | "origin=Debian,codename=${distro_codename}-updates"; 30 | // "origin=Debian,codename=${distro_codename}-proposed-updates"; 31 | "origin=Debian,codename=${distro_codename},label=Debian"; 32 | "origin=Debian,codename=${distro_codename},label=Debian-Security"; 33 | "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"; 34 | "origin=Tailscale,codename=${distro_codename},label=Tailscale"; 35 | 36 | // Archive or Suite based matching: 37 | // Note that this will silently match a different release after 38 | // migration to the specified archive (e.g. testing becomes the 39 | // new stable). 
40 | // "o=Debian,a=stable"; 41 | // "o=Debian,a=stable-updates"; 42 | // "o=Debian,a=proposed-updates"; 43 | // "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports"; 44 | }; 45 | 46 | // Python regular expressions, matching packages to exclude from upgrading 47 | Unattended-Upgrade::Package-Blacklist { 48 | // The following matches all packages starting with linux- 49 | // "linux-"; 50 | 51 | // Use $ to explicitely define the end of a package name. Without 52 | // the $, "libc6" would match all of them. 53 | // "libc6$"; 54 | // "libc6-dev$"; 55 | // "libc6-i686$"; 56 | 57 | // Special characters need escaping 58 | // "libstdc\+\+6$"; 59 | 60 | // The following matches packages like xen-system-amd64, xen-utils-4.1, 61 | // xenstore-utils and libxenstore3.0 62 | // "(lib)?xen(store)?"; 63 | 64 | // For more information about Python regular expressions, see 65 | // https://docs.python.org/3/howto/regex.html 66 | }; 67 | 68 | // This option allows you to control if on a unclean dpkg exit 69 | // unattended-upgrades will automatically run 70 | // dpkg --force-confold --configure -a 71 | // The default is true, to ensure updates keep getting installed 72 | //Unattended-Upgrade::AutoFixInterruptedDpkg "true"; 73 | 74 | // Split the upgrade into the smallest possible chunks so that 75 | // they can be interrupted with SIGTERM. This makes the upgrade 76 | // a bit slower but it has the benefit that shutdown while a upgrade 77 | // is running is possible (with a small delay) 78 | //Unattended-Upgrade::MinimalSteps "true"; 79 | 80 | // Install all updates when the machine is shutting down 81 | // instead of doing it in the background while the machine is running. 82 | // This will (obviously) make shutdown slower. 83 | // Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s. 
84 | // This allows more time for unattended-upgrades to shut down gracefully 85 | // or even install a few packages in InstallOnShutdown mode, but is still a 86 | // big step back from the 30 minutes allowed for InstallOnShutdown previously. 87 | // Users enabling InstallOnShutdown mode are advised to increase 88 | // InhibitDelayMaxSec even further, possibly to 30 minutes. 89 | //Unattended-Upgrade::InstallOnShutdown "false"; 90 | 91 | // Send email to this address for problems or packages upgrades 92 | // If empty or unset then no email is sent, make sure that you 93 | // have a working mail setup on your system. A package that provides 94 | // 'mailx' must be installed. E.g. "user@example.com" 95 | //Unattended-Upgrade::Mail ""; 96 | 97 | // Set this value to one of: 98 | // "always", "only-on-error" or "on-change" 99 | // If this is not set, then any legacy MailOnlyOnError (boolean) value 100 | // is used to chose between "only-on-error" and "on-change" 101 | //Unattended-Upgrade::MailReport "on-change"; 102 | 103 | // Remove unused automatically installed kernel-related packages 104 | // (kernel images, kernel headers and kernel version locked tools). 
105 | //Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; 106 | 107 | // Do automatic removal of newly unused dependencies after the upgrade 108 | //Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; 109 | 110 | // Do automatic removal of unused packages after the upgrade 111 | // (equivalent to apt-get autoremove) 112 | //Unattended-Upgrade::Remove-Unused-Dependencies "false"; 113 | 114 | // Automatically reboot *WITHOUT CONFIRMATION* if 115 | // the file /var/run/reboot-required is found after the upgrade 116 | //Unattended-Upgrade::Automatic-Reboot "false"; 117 | 118 | // Automatically reboot even if there are users currently logged in 119 | // when Unattended-Upgrade::Automatic-Reboot is set to true 120 | //Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; 121 | 122 | // If automatic reboot is enabled and needed, reboot at the specific 123 | // time instead of immediately 124 | // Default: "now" 125 | //Unattended-Upgrade::Automatic-Reboot-Time "02:00"; 126 | 127 | // Use apt bandwidth limit feature, this example limits the download 128 | // speed to 70kb/sec 129 | //Acquire::http::Dl-Limit "70"; 130 | 131 | // Enable logging to syslog. Default is False 132 | // Unattended-Upgrade::SyslogEnable "false"; 133 | 134 | // Specify syslog facility. Default is daemon 135 | // Unattended-Upgrade::SyslogFacility "daemon"; 136 | 137 | // Download and install upgrades only on AC power 138 | // (i.e. skip or gracefully stop updates on battery) 139 | // Unattended-Upgrade::OnlyOnACPower "true"; 140 | 141 | // Download and install upgrades only on non-metered connection 142 | // (i.e. 
skip or gracefully stop updates on a metered connection) 143 | // Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; 144 | 145 | // Verbose logging 146 | // Unattended-Upgrade::Verbose "false"; 147 | 148 | // Print debugging information both in unattended-upgrades and 149 | // in unattended-upgrade-shutdown 150 | // Unattended-Upgrade::Debug "false"; 151 | 152 | // Allow package downgrade if Pin-Priority exceeds 1000 153 | // Unattended-Upgrade::Allow-downgrade "false"; 154 | 155 | // When APT fails to mark a package to be upgraded or installed try adjusting 156 | // candidates of related packages to help APT's resolver in finding a solution 157 | // where the package can be upgraded or installed. 158 | // This is a workaround until APT's resolver is fixed to always find a 159 | // solution if it exists. (See Debian bug #711128.) 160 | // The fallback is enabled by default, except on Debian's sid release because 161 | // uninstallable packages are frequent there. 162 | // Disabling the fallback speeds up unattended-upgrades when there are 163 | // uninstallable packages at the expense of rarely keeping back packages which 164 | // could be upgraded or installed. 165 | // Unattended-Upgrade::Allow-APT-Mark-Fallback "true"; 166 | 167 | Unattended-Upgrade::AutoFixInterruptedDpkg "true"; 168 | 169 | Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; 170 | 171 | Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; 172 | 173 | Unattended-Upgrade::Remove-Unused-Dependencies "true"; 174 | 175 | Unattended-Upgrade::Automatic-Reboot "true"; 176 | 177 | Unattended-Upgrade::Automatic-Reboot-Time "03:00"; 178 | 179 | -------------------------------------------------------------------------------- /src/debian/debian_ts_99_sysctl.conf: -------------------------------------------------------------------------------- 1 | # This configuration file is customized by fox, 2 | # Optimize sysctl parameters for local TS server. 
3 | 4 | kernel.panic = 20 5 | kernel.panic_on_oops = 1 6 | 7 | net.core.default_qdisc = fq_codel 8 | net.ipv4.tcp_congestion_control = bbr 9 | 10 | net.ipv4.ip_forward = 1 11 | 12 | net.ipv6.conf.all.forwarding = 1 13 | net.ipv6.conf.default.forwarding = 1 14 | 15 | # Other adjustable system parameters 16 | 17 | net.core.netdev_budget = 600 18 | net.core.netdev_budget_usecs = 20000 19 | 20 | net.core.rps_sock_flow_entries = 32768 21 | net.core.somaxconn = 8192 22 | net.core.rmem_max = 26214400 23 | net.core.wmem_max = 655360 24 | 25 | net.ipv4.conf.all.accept_redirects = 0 26 | net.ipv4.conf.default.accept_redirects = 0 27 | 28 | net.ipv4.conf.all.accept_source_route = 0 29 | net.ipv4.conf.default.accept_source_route = 0 30 | 31 | net.ipv4.conf.all.arp_ignore = 1 32 | net.ipv4.conf.default.arp_ignore = 1 33 | 34 | net.ipv4.conf.all.rp_filter = 2 35 | net.ipv4.conf.default.rp_filter = 2 36 | 37 | net.ipv4.conf.all.send_redirects = 0 38 | net.ipv4.conf.default.send_redirects = 0 39 | 40 | net.ipv4.igmp_max_memberships = 256 41 | 42 | net.ipv4.route.error_burst = 500 43 | net.ipv4.route.error_cost = 100 44 | 45 | net.ipv4.route.redirect_load = 2 46 | net.ipv4.route.redirect_silence = 2048 47 | 48 | net.ipv4.tcp_adv_win_scale = -2 49 | net.ipv4.tcp_challenge_ack_limit = 1000 50 | net.ipv4.tcp_fastopen = 3 51 | net.ipv4.tcp_fin_timeout = 30 52 | net.ipv4.tcp_keepalive_time = 120 53 | net.ipv4.tcp_max_syn_backlog = 512 54 | net.ipv4.tcp_notsent_lowat = 131072 55 | net.ipv4.tcp_rmem = 8192 262144 536870912 56 | net.ipv4.tcp_wmem = 4096 16384 536870912 57 | 58 | net.ipv6.conf.all.accept_redirects = 0 59 | net.ipv6.conf.default.accept_redirects = 0 60 | 61 | net.ipv6.conf.all.accept_source_route = 0 62 | net.ipv6.conf.default.accept_source_route = 0 63 | 64 | net.ipv6.conf.all.use_tempaddr = 0 65 | net.ipv6.conf.default.use_tempaddr = 0 66 | 67 | net.netfilter.nf_conntrack_acct = 1 68 | net.netfilter.nf_conntrack_checksum = 0 69 | 
net.netfilter.nf_conntrack_tcp_timeout_established = 7440 70 | 71 | -------------------------------------------------------------------------------- /src/debian/debian_ts_dnsmasq.conf: -------------------------------------------------------------------------------- 1 | # This configuration file is customized by fox, 2 | # Optimize dnsmasq parameters for local TS server. 3 | 4 | # Main Config 5 | 6 | conf-dir=/etc/dnsmasq.d/,*.conf 7 | conf-file=/etc/dnsmasq.conf 8 | 9 | log-facility=/var/log/dnsmasq.log 10 | log-async=20 11 | 12 | cache-size=2048 13 | max-cache-ttl=7200 14 | fast-dns-retry=1800 15 | 16 | interface=eth0,tailscale0 17 | rebind-domain-ok=/fox.internal/ 18 | 19 | bind-dynamic 20 | bogus-priv 21 | domain-needed 22 | no-hosts 23 | no-negcache 24 | no-resolv 25 | no-round-robin 26 | rebind-localhost-ok 27 | stop-dns-rebind 28 | 29 | # DNS Filter 30 | 31 | server=/alt/ 32 | server=/bind/ 33 | server=/example/ 34 | server=/home.arpa/ 35 | server=/internal/ 36 | server=/invalid/ 37 | server=/lan/ 38 | server=/local/ 39 | server=/localhost/ 40 | server=/onion/ 41 | server=/test/ 42 | 43 | # DNS Server 44 | 45 | server=/ts.net/100.100.100.100 46 | 47 | server=/fox.internal/172.16.1.1 48 | 49 | server=172.16.1.1 50 | 51 | -------------------------------------------------------------------------------- /src/debian/debian_ts_nftables.conf: -------------------------------------------------------------------------------- 1 | #!/usr/sbin/nft -f 2 | 3 | # This configuration file is customized by fox, 4 | # Optimize nftables rules for local TS server. 

table inet router
flush table inet router

table inet router {

    #
    # Flowtable
    #

    flowtable ft {
        hook ingress priority filter;
        devices = { eth0 };
        counter;
    }


    #
    # Filter rules
    #

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept comment "defconf: accept traffic from loopback"
        ct state vmap { established : accept, related : accept } comment "defconf: handle inbound flows"
        tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "defconf: rate limit new TCP connections"
        iifname "eth0" jump input_lan comment "defconf: handle LAN IPv4 / IPv6 input traffic"
        iifname "tailscale0" jump input_tailscale comment "tsconf: handle TS IPv4 / IPv6 input traffic"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related flow add @ft;
        ct state vmap { established : accept, related : accept } comment "defconf: handle forwarded flows"
        iifname "eth0" jump forward_lan comment "defconf: handle LAN IPv4 / IPv6 forward traffic"
        iifname "tailscale0" jump forward_tailscale comment "tsconf: handle TS IPv4 / IPv6 forward traffic"
    }

    chain output {
        type filter hook output priority filter; policy accept;
        oif "lo" accept comment "defconf: accept traffic towards loopback"
        ct state vmap { established : accept, related : accept } comment "defconf: handle outbound flows"
        oifname "eth0" jump output_lan comment "defconf: handle LAN IPv4 / IPv6 output traffic"
        oifname "tailscale0" jump output_tailscale comment "tsconf: handle TS IPv4 / IPv6 output traffic"
    }

    chain syn_flood {
        limit rate 50/second burst 100 packets return comment "defconf: accept new TCP connections below rate-limit"
        counter drop comment "defconf: drop excess new TCP connections"
    }

    chain input_lan {
        ct status dnat accept comment "lanconf: accept port redirect"
        jump accept_from_lan
    }

    chain forward_lan {
        jump accept_to_tailscale comment "tsconf: accept LAN to TS forwarding"
        ct status dnat accept comment "lanconf: accept port forwards"
        jump accept_to_lan
    }

    chain output_lan {
        jump accept_to_lan
    }

    chain accept_from_lan {
        iifname "eth0" accept comment "defconf: accept LAN IPv4 / IPv6 traffic"
    }

    chain accept_to_lan {
        meta nfproto ipv4 oifname "eth0" ct state invalid counter drop comment "defconf: prevent LAN NATv4 leakage"
        oifname "eth0" accept comment "defconf: accept LAN IPv4 / IPv6 traffic"
    }

    chain input_tailscale {
        jump accept_from_tailscale
    }

    chain forward_tailscale {
        jump accept_to_lan comment "tsconf: accept TS to LAN forwarding"
        jump accept_to_tailscale
    }

    chain output_tailscale {
        jump accept_to_tailscale
    }

    chain accept_from_tailscale {
        meta nfproto ipv4 iifname "tailscale0" counter accept comment "tsconf: accept TS IPv4 traffic"
        meta nfproto ipv6 iifname "tailscale0" counter accept comment "tsconf: accept TS IPv6 traffic"
    }

    chain accept_to_tailscale {
        meta nfproto ipv4 oifname "tailscale0" counter accept comment "tsconf: accept TS IPv4 traffic"
        meta nfproto ipv6 oifname "tailscale0" counter accept comment "tsconf: accept TS IPv6 traffic"
    }


    #
    # NAT rules
    #

    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        iifname { "eth0", "tailscale0" } meta l4proto { tcp, udp } th dport domain jump dstnat_lan comment "defconf: handle LAN IPv4 / IPv6 dstnat traffic"
    }

    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" jump srcnat_lan comment "defconf: handle LAN IPv4 / IPv6 srcnat traffic"
    }

    chain dstnat_lan {
        meta nfproto ipv4 meta l4proto { tcp, udp } th dport domain counter redirect to domain comment "lanconf: LAN IPv4 DNS redirect"
        meta nfproto ipv6 meta l4proto { tcp, udp } th dport domain counter redirect to domain comment "lanconf: LAN IPv6 DNS redirect"
    }

    chain srcnat_lan {
        meta nfproto ipv4 counter masquerade comment "defconf: masquerade LAN IPv4 traffic"
    }


    #
    # Mangle rules
    #

    chain mangle_postrouting {
        type filter hook postrouting priority mangle; policy accept;
        oifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "defconf: zone LAN IPv4 / IPv6 egress MTU fixing"
    }

    chain mangle_forward {
        type filter hook forward priority mangle; policy accept;
        iifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "defconf: zone LAN IPv4 / IPv6 ingress MTU fixing"
    }

}

--------------------------------------------------------------------------------
/src/debian/debian_ts_server_modules.conf:
--------------------------------------------------------------------------------
# This configuration file is customized by fox,
# Optimize netfilter related modules at system boot.

nf_conntrack

--------------------------------------------------------------------------------
/src/pve/pve_20auto_upgrades.conf:
--------------------------------------------------------------------------------
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "5";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::CleanInterval "1";

--------------------------------------------------------------------------------
/src/pve/pve_50unattended_upgrades.conf:
--------------------------------------------------------------------------------
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "contrib", "non-free")
//   l,label         (eg, "Debian", "Debian-Security")
//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
        "origin=Debian,codename=${distro_codename}-updates";
        // "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
        "origin=Proxmox,codename=${distro_codename},label=Proxmox Debian Repository";
        // "origin=Proxmox,codename=${distro_codename},label=Proxmox Ceph Debian Repository";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
        // "o=Debian,a=stable";
        // "o=Debian,a=stable-updates";
        // "o=Debian,a=proposed-updates";
        // "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
        // The following matches all packages starting with linux-
        // "linux-";

        // Use $ to explicitly define the end of a package name. Without
        // the $, "libc6" would match all of them.
        // "libc6$";
        // "libc6-dev$";
        // "libc6-i686$";

        // Special characters need escaping
        // "libstdc\+\+6$";

        // The following matches packages like xen-system-amd64, xen-utils-4.1,
        // xenstore-utils and libxenstore3.0
        // "(lib)?xen(store)?";

        // For more information about Python regular expressions, see
        // https://docs.python.org/3/howto/regex.html
};

// This option allows you to control if on an unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while an upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to choose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";

// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

// Verbose logging
// Unattended-Upgrade::Verbose "false";

// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";

// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

Unattended-Upgrade::AutoFixInterruptedDpkg "true";

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Unattended-Upgrade::Automatic-Reboot "true";

Unattended-Upgrade::Automatic-Reboot-Time "02:30";

--------------------------------------------------------------------------------
/src/pve/pve_apt_daily_upgrade.conf:
--------------------------------------------------------------------------------
### Editing /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Timer]
OnCalendar=
OnCalendar=01:30
RandomizedDelaySec=0

### Lines below this comment will be discarded

### /lib/systemd/system/apt-daily-upgrade.timer
# [Unit]
# Description=Daily apt upgrade and clean activities
# After=apt-daily.timer
#
# [Timer]
# OnCalendar=*-*-* 6:00
# RandomizedDelaySec=60m
# Persistent=true
#
# [Install]
# WantedBy=timers.target

--------------------------------------------------------------------------------
/src/pve/pve_cpufrequtils.conf:
--------------------------------------------------------------------------------
#!/bin/sh
### BEGIN INIT INFO
# Provides:          cpufrequtils
# Required-Start:    $remote_fs loadcpufreq
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: set CPUFreq kernel parameters
# Description:       utilities to deal with CPUFreq Linux
#                    kernel support
### END INIT INFO
#

DESC="CPUFreq Utilities"

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
CPUFREQ_SET=/usr/bin/cpufreq-set
CPUFREQ_INFO=/usr/bin/cpufreq-info
CPUFREQ_OPTIONS=""

# use lsb-base
. /lib/lsb/init-functions

# Which governor to use. Must be one of the governors listed in:
#   cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors
#
# and which limits to set. Both MIN_SPEED and MAX_SPEED must be values
# listed in:
#   cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_frequencies
# a value of 0 for any of the two variables will disable the use of
# that limit variable.
#
# WARNING: the correct kernel module must already be loaded or compiled in.
#
# Set ENABLE to "true" to let the script run at boot time.
#
# eg: ENABLE="true"
#     GOVERNOR="ondemand"
#     MAX_SPEED=1000
#     MIN_SPEED=500

ENABLE="true"
GOVERNOR="powersave"
MAX_SPEED="0"
MIN_SPEED="0"

check_governor_avail() {
    info="/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors"
    if [ -f $info ] && grep -q "\<$GOVERNOR\>" $info ; then
        return 0;
    fi
    return 1;
}

[ -x $CPUFREQ_SET ] || exit 0

if [ -f /etc/default/cpufrequtils ] ; then
    . /etc/default/cpufrequtils
fi

# if not enabled then exit gracefully
[ "$ENABLE" = "true" ] || exit 0

if [ -n "$MAX_SPEED" ] && [ $MAX_SPEED != "0" ] ; then
    CPUFREQ_OPTIONS="$CPUFREQ_OPTIONS --max $MAX_SPEED"
fi

if [ -n "$MIN_SPEED" ] && [ $MIN_SPEED != "0" ] ; then
    CPUFREQ_OPTIONS="$CPUFREQ_OPTIONS --min $MIN_SPEED"
fi

if [ -n "$GOVERNOR" ] ; then
    CPUFREQ_OPTIONS="$CPUFREQ_OPTIONS --governor $GOVERNOR"
fi

CPUS=$(cat /proc/stat|sed -ne 's/^cpu\([[:digit:]]\+\).*/\1/p')
RETVAL=0
case "$1" in
    start|force-reload|restart|reload)
        log_action_begin_msg "$DESC: Setting $GOVERNOR CPUFreq governor"
        if check_governor_avail ; then
            for cpu in $CPUS ; do
                log_action_cont_msg "CPU${cpu}"
                $CPUFREQ_SET --cpu $cpu $CPUFREQ_OPTIONS 2>&1 > /dev/null || \
                    RETVAL=$?
            done
            log_action_end_msg $RETVAL ""
        else
            log_action_cont_msg "disabled, governor not available"
            log_action_end_msg $RETVAL
        fi
        ;;
    stop)
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|force-reload}"
        exit 1
esac

exit 0

--------------------------------------------------------------------------------
/src/pve/pve_cpupower.conf:
--------------------------------------------------------------------------------
# This configuration file is customized by fox,
# Optimize system CPU governors.

CPUPOWER_START_OPTS="frequency-set -g powersave"
CPUPOWER_STOP_OPTS="frequency-set -g performance"

--------------------------------------------------------------------------------
/src/pve/pve_cpupower_service.conf:
--------------------------------------------------------------------------------
# This configuration file is customized by fox,
# Optimize for cpupower systemd service.

[Unit]
Description=Apply cpupower configuration
ConditionVirtualization=!container
After=syslog.target

[Service]
Type=oneshot
EnvironmentFile=/etc/default/cpupower
ExecStart=/usr/bin/cpupower $CPUPOWER_START_OPTS
ExecStop=/usr/bin/cpupower $CPUPOWER_STOP_OPTS
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
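The router ruleset in debian_ts_nftables.conf above is built from base chains that jump into per-zone chains, so two things are worth checking before loading it: that every jump target is actually defined, and that the input and forward hooks keep their default-drop policy. The following lint is an added example, not code from this repo; it embeds a constructed, trimmed excerpt of the router table in which accept_to_lan is deliberately missing and the forward policy loosened so that both checks fire.

```python
"""Offline lint for an nftables ruleset such as debian_ts_nftables.conf above
(hypothetical helper, not part of this repo): list base chains with hook and
policy, flag input/forward hooks that are not default-drop, and flag jump
targets that name a chain the ruleset never defines."""
import re

# Constructed excerpt of the router table above; accept_to_lan is deliberately
# left undefined and the forward policy loosened so that both checks fire.
RULESET = """table inet router {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept comment "defconf: accept traffic from loopback"
        ct state vmap { established : accept, related : accept }
        iifname "eth0" jump input_lan
        iifname "tailscale0" jump input_tailscale
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "eth0" jump forward_lan
    }
    chain input_lan { jump accept_from_lan }
    chain forward_lan { jump accept_to_lan }
    chain input_tailscale { iifname "tailscale0" counter accept }
    chain accept_from_lan { iifname "eth0" accept }
}
"""

CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{(.*)$")
BASE_RE = re.compile(r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+([\w-]+)\s*;"
                     r"\s*policy\s+(\w+)\s*;")
JUMP_RE = re.compile(r"\b(?:jump|goto)\s+(\S+)")

def analyze(ruleset):
    """Return (base_chains, missing_jump_targets, lax_base_chains)."""
    chains, base, jumps = set(), {}, []
    current = None

    def add_rule(chain, rule):
        b = BASE_RE.search(rule)
        if b:  # base chain header: type / hook / priority / policy
            base[chain] = dict(zip(("type", "hook", "priority", "policy"), b.groups()))
        jumps.extend((chain, t) for t in JUMP_RE.findall(rule))

    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop nft '#' comments
        m = CHAIN_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2).strip()
            chains.add(name)
            if rest.endswith("}"):  # one-line chain: chain x { jump y }
                add_rule(name, rest[:-1].strip())
            else:
                current = name
        elif line == "}":
            current = None
        elif line and current is not None:
            add_rule(current, line)
    missing = sorted({(src, dst) for src, dst in jumps if dst not in chains})
    lax = sorted(n for n, b in base.items()
                 if b["hook"] in ("input", "forward") and b["policy"] != "drop")
    return base, missing, lax
```

On the host itself, `nft -c -f /etc/nftables.conf` already rejects undefined jump targets at parse time; the policy check is the part nft will not warn about.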