DevOps & verktyg
Serverhantering
Administration och övervakning av Linux-servrar i produktion
01 · Översikt
Vad sidan tar upp
Serveradministration från SSH-hantering till Docker-deployment, med säkerhet, övervakning, backup och prestanda. Konfigurationer och script är färdiga att anpassa.
02 · Konfiguration
Serverkonfiguration
SSH Key Management
Hantera SSH-nycklar för säker serveråtkomst.
# Generera ny SSH-nyckel
ssh-keygen -t ed25519 -C "your_email@example.com"
# Lägg till SSH-nyckel till ssh-agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
# Kopiera publik nyckel till server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server.com
# SSH config för enklare anslutning
# ~/.ssh/config
Host myserver
HostName server.example.com
User myuser
Port 22
IdentityFile ~/.ssh/id_ed25519
ServerAliveInterval 60
ServerAliveCountMax 3
# Anslut med alias
ssh myserver
# SSH tunnel för databas
ssh -L 5432:localhost:5432 myserver
# SOCKS proxy via SSH
ssh -D 8080 -C -q -N myserverNginx Configuration
Konfigurera Nginx som reverse proxy och webbserver.
# /etc/nginx/sites-available/app.conf
server {
listen 80;
server_name app.example.com;
# Redirect HTTP to HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name app.example.com;
# SSL Configuration
ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000" always;
# Proxy Settings
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
# Static files with caching
location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
}
# Load balancing
upstream backend {
least_conn;
server backend1.example.com:3000 weight=3;
server backend2.example.com:3000 weight=2;
server backend3.example.com:3000 backup;
}Systemd Service Management
Skapa och hantera systemd-tjänster för applikationer.
# /etc/systemd/system/myapp.service
[Unit]
Description=My Node.js Application
Documentation=https://github.com/myuser/myapp
After=network.target
[Service]
Type=simple
User=nodeapp
Group=nodeapp
WorkingDirectory=/var/www/myapp
ExecStart=/usr/bin/node /var/www/myapp/server.js
Restart=always
RestartSec=10
# Environment variables
Environment=NODE_ENV=production
Environment=PORT=3000
EnvironmentFile=/etc/myapp/myapp.env
# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/www/myapp/logs
# Resource limits
LimitNOFILE=65536
MemoryLimit=1G
CPUQuota=80%
# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myapp
[Install]
WantedBy=multi-user.target
# Kommandon för att hantera tjänsten
sudo systemctl daemon-reload
sudo systemctl enable myapp.service
sudo systemctl start myapp.service
sudo systemctl status myapp.service
sudo systemctl restart myapp.service
sudo journalctl -u myapp.service -fDocker Deployment
Deploy applikationer med Docker och Docker Compose.
# docker-compose.yml
version: '3.8'
services:
app:
build:
context: .
dockerfile: Dockerfile
image: myapp:latest
container_name: myapp
restart: unless-stopped
ports:
- "3000:3000"
environment:
- NODE_ENV=production
- DATABASE_URL=postgresql://user:pass@db:5432/mydb
- REDIS_URL=redis://redis:6379
depends_on:
- db
- redis
networks:
- app-network
volumes:
- ./uploads:/app/uploads
- logs:/app/logs
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
db:
image: postgres:14-alpine
container_name: myapp-db
restart: unless-stopped
environment:
- POSTGRES_USER=user
- POSTGRES_PASSWORD=pass
- POSTGRES_DB=mydb
volumes:
- postgres-data:/var/lib/postgresql/data
- ./init.sql:/docker-entrypoint-initdb.d/init.sql
networks:
- app-network
ports:
- "5432:5432"
redis:
image: redis:7-alpine
container_name: myapp-redis
restart: unless-stopped
command: redis-server --requirepass redispass
volumes:
- redis-data:/data
networks:
- app-network
nginx:
image: nginx:alpine
container_name: myapp-nginx
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./ssl:/etc/nginx/ssl
- ./static:/usr/share/nginx/html
depends_on:
- app
networks:
- app-network
networks:
app-network:
driver: bridge
volumes:
postgres-data:
redis-data:
logs:
# Deployment script
#!/bin/bash
docker-compose pull
docker-compose down
docker-compose up -d
docker-compose logs -f03 · Drift
Övervakning & underhåll
System Monitoring Script
Bash-script för att övervaka systemresurser.
#!/bin/bash
# monitor.sh - System monitoring script
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
NC='\033[0m' # No Color
# System info
echo -e "${GREEN}=== System Information ===${NC}"
echo "Hostname: $(hostname)"
echo "OS: $(lsb_release -d | cut -f2)"
echo "Kernel: $(uname -r)"
echo "Uptime: $(uptime -p)"
# CPU Usage
echo -e "\n${GREEN}=== CPU Usage ===${NC}"
cpu_usage=$(top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1}')
echo "CPU Usage: ${cpu_usage}%"
# Memory Usage
echo -e "\n${GREEN}=== Memory Usage ===${NC}"
free -h | grep -E '^(Mem|Swap):'
# Disk Usage
echo -e "\n${GREEN}=== Disk Usage ===${NC}"
df -h | grep -E '^/dev/'
# Top Processes
echo -e "\n${GREEN}=== Top 5 Processes by CPU ===${NC}"
ps aux --sort=-%cpu | head -n 6
# Service Status
echo -e "\n${GREEN}=== Service Status ===${NC}"
services=("nginx" "mysql" "redis" "docker")
for service in "${services[@]}"; do
if systemctl is-active --quiet $service; then
echo -e "${service}: ${GREEN}running${NC}"
else
echo -e "${service}: ${RED}stopped${NC}"
fi
done
# Network Connections
echo -e "\n${GREEN}=== Active Connections ===${NC}"
ss -tulpn | grep LISTEN
# Disk I/O
echo -e "\n${GREEN}=== Disk I/O ===${NC}"
iostat -x 1 1 | grep -E '^(Device|sd|nvme)'Log Rotation Configuration
Konfigurera logrotate för att hantera loggfiler.
# /etc/logrotate.d/myapp
/var/log/myapp/*.log {
daily
rotate 14
compress
delaycompress
missingok
notifempty
create 0640 www-data www-data
sharedscripts
postrotate
# Notify app to reopen log files
kill -USR1 $(cat /var/run/myapp.pid) 2>/dev/null || true
endscript
}
# Nginx logs
/var/log/nginx/*.log {
daily
rotate 52
compress
delaycompress
missingok
notifempty
create 0640 www-data adm
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi
endscript
postrotate
invoke-rc.d nginx rotate >/dev/null 2>&1
endscript
}Backup Script
Automatiserat backup-script med rsync.
#!/bin/bash
# backup.sh - Automated backup script
# Configuration
BACKUP_DIR="/backup"
SOURCE_DIRS="/var/www /etc /home"
DB_NAME="myapp"
DB_USER="postgres"
RETENTION_DAYS=7
REMOTE_HOST="backup.server.com"
REMOTE_DIR="/backups/$(hostname)"
# Create backup directory with timestamp
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_PATH="$BACKUP_DIR/$TIMESTAMP"
mkdir -p "$BACKUP_PATH"
# Log function
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$BACKUP_DIR/backup.log"
}
log "Starting backup..."
# Backup files
for dir in $SOURCE_DIRS; do
if [ -d "$dir" ]; then
log "Backing up $dir..."
rsync -avz --delete "$dir" "$BACKUP_PATH/"
fi
done
# Backup database
log "Backing up PostgreSQL database..."
pg_dump -U $DB_USER $DB_NAME | gzip > "$BACKUP_PATH/database.sql.gz"
# Create tarball
log "Creating archive..."
cd "$BACKUP_DIR"
tar -czf "$TIMESTAMP.tar.gz" "$TIMESTAMP/"
rm -rf "$BACKUP_PATH"
# Sync to remote server
log "Syncing to remote server..."
rsync -avz --delete "$BACKUP_DIR/" "$REMOTE_HOST:$REMOTE_DIR/"
# Clean old backups
log "Cleaning old backups..."
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +$RETENTION_DAYS -delete
log "Backup completed successfully!"
# Send notification
echo "Backup completed at $(date)" | mail -s "Backup Success" admin@example.com04 · Härdning
Säkerhet
Grundläggande härdning varje produktionsserver bör ha:
Firewall Configuration
Konfigurera UFW (Uncomplicated Firewall) för säkerhet
ufw allow 22/tcp && ufw allow 80/tcp && ufw allow 443/tcp && ufw enableFail2ban Setup
Skydda mot brute-force attacker
apt install fail2ban && systemctl enable fail2banAutomatic Updates
Aktivera automatiska säkerhetsuppdateringar
apt install unattended-upgrades && dpkg-reconfigure -plow unattended-upgradesSSH Hardening
Säkra SSH-konfiguration
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config05 · Mätning
Prestandaverktyg
- htop
- Interaktiv processövervakningVisuell översikt av CPU, minne och processer i realtid
- netdata
- Realtidsövervakning via webbDetaljerad systemövervakning med historik och alerts
- glances
- Cross-platform monitoring toolÖvervakning av CPU, minne, disk, nätverk i ett interface
- nmon
- Performance monitoringDetaljerad prestandaanalys och rapportering
06 · Arbetssätt
Praktiska råd
- Automatisera allt som går
- Använd Ansible, Terraform eller liknande för att undvika manuella fel.
- Övervaka proaktivt
- Sätt upp alerts för CPU, minne, disk och nätverksproblem innan de blir kritiska.
- Dokumentera din infrastruktur
- Håll en uppdaterad wiki med nätverksdiagram, lösenordshantering och runbooks.
- Testa din disaster recovery
- Testa backup-återställning och failover-procedurer regelbundet.