work1

1. Configure a bridge and verify it
Create a bridge device and connection
[root@localhost ~]# nmcli connection add type bridge con-name br1 ifname br1
Connection 'br1' (391480bf-0801-474f-8710-98a3a9ebd989) successfully added.
Configure the software bridge interface's IP address, gateway and address assignment method
[root@localhost ~]# nmcli c modify br1 ipv4.addresses 192.168.171.201/24
[root@localhost ~]# nmcli c modify br1 ipv4.addresses 192.168.231.201/24
[root@localhost ~]# nmcli c modify br1 ipv4.gateway 192.168.231.2
[root@localhost ~]# nmcli c modify br1 ipv4.method manual 
Add a slave device and connection to the bridge device
[root@localhost ~]# nmcli c add type bridge-slave con-name br1-port1 ifname ens160 master br1
Connection 'br1-port1' (501f1bd6-6613-4ff2-bd92-60f2129c2abd) successfully added.
Bring up the slave connections
[root@localhost ~]# nmcli connection up br1-port1 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/29)
[root@localhost ~]# nmcli connection up br1-port2 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/29)
Bring up the bridge connection
[root@localhost ~]# nmcli c up br1
Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/30)
View the connections
[root@localhost ~]# nmcli c show 
NAME         UUID                                  TYPE      DEVICE 
team0        ee4cc44b-3444-42ba-98e4-2eac913f7974  team      team0  
br1          391480bf-0801-474f-8710-98a3a9ebd989  bridge    br1    
team0-port1  b26125c4-8c86-47be-9ccf-851b4a0fa5cb  ethernet  ens160 
team0-port2  626c56ee-372f-4936-af9e-c16747960381  ethernet  ens224 
br1-port1    501f1bd6-6613-4ff2-bd92-60f2129c2abd  ethernet  --     
br1-port2    535d24df-87f2-4331-8752-020ddb5fc997  ethernet  --     
ens160       5d67777e-20aa-43b2-8c28-770d956ad3b1  ethernet  --     
Capture packets to check
[root@localhost ~]# tcpdump icmp -i ens160
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
00:10:56.550745 IP 192.168.231.1 > localhost.localdomain: ICMP echo request, id 1, seq 4166, length 40
00:10:56.550795 IP localhost.localdomain > 192.168.231.1: ICMP echo reply, id 1, seq 4166, length 40
00:10:57.553440 IP 192.168.231.1 > localhost.localdomain: ICMP echo request, id 1, seq 4167, length 40
00:10:57.553482 IP localhost.localdomain > 192.168.231.1: ICMP echo reply, id 1, seq 4167, length 40
00:10:58.558396 IP 192.168.231.1 > localhost.localdomain: ICMP echo request, id 1, seq 4168, length 40
00:10:58.558432 IP localhost.localdomain > 192.168.231.1: ICMP echo reply, id 1, seq 4168, length 40
00:10:59.563603 IP 192.168.231.1 > localhost.localdomain: ICMP echo request, id 1, seq 4169, length 40
00:10:59.563642 IP localhost.localdomain > 192.168.231.1: ICMP echo reply, id 1, seq 4169, length 40
[root@localhost ~]# tcpdump icmp -i ens224
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens224, link-type EN10MB (Ethernet), capture size 262144 bytes
00:10:56.550732 IP 192.168.231.1 > localhost.localdomain: ICMP echo request, id 1, seq 4166, length 40
00:10:56.551751 IP localhost.localdomain > 192.168.231.1: ICMP echo reply, id 1, seq 4166, length 40
00:10:57.553518 IP 192.168.231.1 > localhost.localdomain: ICMP echo request, id 1, seq 4167, length 40
00:10:57.553520 IP localhost.localdomain > 192.168.231.1: ICMP echo reply, id 1, seq 4167, length 40
00:10:58.558387 IP 192.168.231.1 > localhost.localdomain: ICMP echo request, id 1, seq 4168, length 40
00:10:58.558523 IP localhost.localdomain > 192.168.231.1: ICMP echo reply, id 1, seq 4168, length 40
00:10:59.563595 IP 192.168.231.1 > localhost.localdomain: ICMP echo request, id 1, seq 4169, length 40
00:10:59.563726 IP localhost.localdomain > 192.168.231.1: ICMP echo reply, id 1, seq 4169, length 40
2. Configure team multi-NIC bonding and verify it
Add a new network card

View the newly added NIC on Linux

Create the team0 connection
[root@localhost ~]# nmcli connection add type team con-name team0 ifname team0 config '{"runner":{"name":"activebackup"}}'
Connection 'team0' (ee4cc44b-3444-42ba-98e4-2eac913f7974) successfully added.
View the team0 connection
[root@localhost ~]# nmcli connection show 
NAME    UUID                                  TYPE      DEVICE 
team0   ee4cc44b-3444-42ba-98e4-2eac913f7974  team      team0  
ens160  5d67777e-20aa-43b2-8c28-770d956ad3b1  ethernet  ens160 
virbr0  cec274ee-72bc-4381-8149-19179e3cd490  bridge    virbr0 
Set the IP address and gateway of team0
[root@localhost ~]# nmcli connection modify team0 ipv4.addresses 192.168.231.200/24
[root@localhost ~]# nmcli connection modify team0 ipv4.gateway 192.168.231.2
Change the IP address assignment method to manual
[root@localhost ~]# nmcli connection modify team0 ipv4.method manual
Add devices to team0
[root@localhost ~]# nmcli connection add type team-slave con-name team0-port1 ifname ens160 master team0
Connection 'team0-port1' (b26125c4-8c86-47be-9ccf-851b4a0fa5cb) successfully added.
[root@localhost ~]# nmcli c add type team-slave con-name team0-port2 ifname ens224 master team0
Connection 'team0-port2' (626c56ee-372f-4936-af9e-c16747960381) successfully added.
Activate the slave devices
[root@localhost ~]# nmcli c up team0-port1
[root@localhost ~]# nmcli c up team0-port2
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)
Activate the master device
[root@localhost ~]# nmcli c up team0
Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/10)
Check the state of team0 after activation
[root@localhost ~]# teamdctl team0 state
setup:
  runner: activebackup
ports:
  ens160
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
  ens224
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
runner:
  active port: ens224

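Here the team's active device is ens224.

Ping test

After disconnecting the active device ens224

One extra delayed packet appears when the device switches over.

Check the team0 state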

[root@localhost ~]# teamdctl team0 state
setup:
  runner: activebackup
ports:
  ens224
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
runner:
  active port: ens224
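
An added example, not part of the original post: a small check that reads `teamdctl team0 state` output and reports whether the activebackup team still has a standby port. The sample is trimmed from the first state listing above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): summarise `teamdctl <dev> state`
# output and flag a team that has lost its standby port.

# Sample trimmed from the first state listing on the page.
sample_state() {
    cat <<'EOF'
setup:
  runner: activebackup
ports:
  ens160
    link watches:
      link summary: up
  ens224
    link watches:
      link summary: up
runner:
  active port: ens224
EOF
}

# stdin: teamdctl state text. stdout: "port <name> <up|down>" and "active <name>".
team_state_summary() {
    awk '
        /^ports:/  { sect = "ports";  next }
        /^runner:/ { sect = "runner"; next }
        /^[a-z]/   { sect = "";       next }
        sect == "ports"  && /^  [^ ]/       { port = $1; next }
        sect == "ports"  && /link summary:/ { print "port", port, $3 }
        sect == "runner" && /active port:/  { print "active", $3 }
    '
}

# Returns 0 when the active port is up and at least one standby is up,
# 1 when the team works but has no standby, 2 when the active port is unusable.
team_check() {
    summary=$(team_state_summary)
    active=$(printf '%s\n' "$summary" | awk '$1 == "active" { print $2 }')
    up=$(printf '%s\n' "$summary" | awk '$1 == "port" && $3 == "up" { n++ } END { print n + 0 }')
    if [ -z "$active" ] || ! printf '%s\n' "$summary" | grep -Fqx "port $active up"; then
        echo "FAIL active port '${active:-none}' is not up"; return 2
    fi
    if [ "$up" -lt 2 ]; then
        echo "WARN active=$active, only $up port(s) up, no standby"; return 1
    fi
    echo "OK active=$active, $up ports up"
}
```

On a live host the input would come from `teamdctl team0 state | team_check`, run before and after pulling a link.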
3. Configure SSH passwordless login (public-key authentication)

Generate a key pair on Windows

ssh-keygen -t rsa  

Upload the .pub public key to /root/.ssh/authorized_keys on the SSH server
scp d://id_rsa.pub  root@192.168.231.128:/root/.ssh/authorized_keys
Login test


Logged in directly without entering a password
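
An added example, not part of the original post: the scp command above writes id_rsa.pub over /root/.ssh/authorized_keys, which replaces any keys already authorized there. The sketch below is what one could run on the server to append an uploaded key instead, skip duplicates and set the permissions sshd expects; install_pubkey and SAMPLE_PUB are hypothetical names and the key line is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key without
# replacing authorized_keys. Function and variable names are hypothetical.

# Constructed sample key line; the base64 blob is not a real key.
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSampleOnly user@windows-pc'

# $1 = public key file (e.g. the uploaded id_rsa.pub), $2 = account home directory.
# Runs in a subshell so the umask change does not leak into the caller.
install_pubkey() (
    pub=$1; ssh_dir=$2/.ssh; auth=$ssh_dir/authorized_keys
    umask 077

    # Strip Windows line endings, then insist on exactly one key line.
    key=$(tr -d '\r' < "$pub") || exit 1
    [ "$(printf '%s\n' "$key" | grep -c .)" -eq 1 ] || {
        echo "expected exactly one key line" >&2; exit 1; }

    # Basic shape check: "<type> <base64> [comment]". This also rejects a
    # private key file uploaded by mistake.
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key" >&2; exit 1 ;;
    esac

    # sshd (StrictModes) ignores keys when these are group- or world-writable.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Compare on type and blob only, so a changed comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -Fq -- "$blob" "$auth"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$auth" && echo "added"
    fi
)
```

With the key uploaded to a scratch path such as /root/id_rsa.pub (an assumed location), the call would be `install_pubkey /root/id_rsa.pub /root`.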

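4. What is symmetric encryption, what is asymmetric encryption, and what problems does each have?
  • Symmetric encryption: the same key is used to encrypt and to decrypt a file

  • Asymmetric encryption: an algorithm generates two different keys, a public key and a private key. While a connection is being established, data is encrypted with the public key sent by the other party; when the other party receives the file encrypted with its own public key, it decrypts it with its own private key

  • Problems with symmetric encryption algorithms:

    1. They require a secure channel over which the two parties can agree on a shared key when they first communicate. Negotiating face to face may be unrealistic and hard to carry out, so the parties may have to fall back on email, telephone or other comparatively less secure means;
    2. The number of keys is hard to manage. A different key is needed for every partner, which is hard to reconcile with the large volume of information exchange in an open society;
    3. Symmetric encryption algorithms generally cannot provide verification of message integrity. They cannot verify the identity of the sender and the receiver;
    4. Managing and distributing symmetric keys is a potentially dangerous and tedious process. Symmetric encryption rests on jointly keeping a secret: trading parties that use it must make sure they hold the same key and that their key exchange is secure and reliable, and they must also set up procedures to prevent key leakage and to change keys.
  • Problems with asymmetric encryption algorithms:

    Symmetric encryption and decryption are fast and suit long data. Asymmetric encryption and decryption take a long time and are relatively slow, so they suit only small amounts of data.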
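
An added example, not part of the original post, that goes one step beyond the text: hybrid encryption, where the slow asymmetric cipher protects only a short session key, the fast symmetric cipher protects the data, and an HMAC supplies the integrity check the symmetric cipher lacks. It assumes the openssl command-line tool is installed; all function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): hybrid encryption with the
# openssl CLI. Function and file names are hypothetical.

# Receiver: generate a key pair in directory $1; only pub.pem is handed out.
receiver_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# HMAC-SHA256 over IV and ciphertext in directory $2, keyed with hex key $1.
msg_mac() {
    cat "$2/msg.iv" "$2/msg.enc" |
        openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -r | cut -d' ' -f1
}

# Sender: $1 = receiver's public key, $2 = output directory, message on stdin.
sender_encrypt() {
    ek=$(openssl rand -hex 32); mk=$(openssl rand -hex 32)
    openssl rand -hex 16 > "$2/msg.iv" || return 1
    # Fast symmetric cipher for the bulk data, under a fresh session key.
    openssl enc -aes-256-cbc -K "$ek" -iv "$(cat "$2/msg.iv")" -out "$2/msg.enc" || return 1
    # Encrypt-then-MAC: the cipher alone does not detect tampering.
    msg_mac "$mk" "$2" > "$2/msg.mac" || return 1
    # Slow asymmetric cipher only for the two short session keys.
    printf '%s%s' "$ek" "$mk" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -out "$2/keys.enc"
}

# Receiver: $1 = private key, $2 = directory with the files; plaintext on stdout.
receiver_decrypt() {
    keys=$(openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2/keys.enc") || return 1
    ek=$(printf '%s' "$keys" | cut -c1-64); mk=$(printf '%s' "$keys" | cut -c65-128)
    # Verify before decrypting (a production check would be constant-time).
    [ "$(msg_mac "$mk" "$2")" = "$(cat "$2/msg.mac")" ] || {
        echo "MAC mismatch: message was modified" >&2; return 1; }
    openssl enc -d -aes-256-cbc -K "$ek" -iv "$(cat "$2/msg.iv")" -in "$2/msg.enc"
}
```

No shared secret has to be agreed in advance: the sender needs only pub.pem, and a new pair of session keys is generated for every message.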

When reposting, please credit the source: article reposted from www.mshxw.com
Article URL: https://www.mshxw.com/it/882715.html