DevOps & verktyg

Serverhantering

Administration och övervakning av Linux-servrar i produktion

01 · Översikt

Vad sidan tar upp

Serveradministration från SSH-hantering till Docker-deployment, med säkerhet, övervakning, backup och prestanda. Konfigurationer och script är färdiga att anpassa.

4
Serverkonfigurationer
3
Övervakningsverktyg
4
Säkerhetsråd
4
Prestandaverktyg

02 · Konfiguration

Serverkonfiguration

SSH Key Management

Hantera SSH-nycklar för säker serveråtkomst.

Bash
# Generera ny SSH-nyckel
ssh-keygen -t ed25519 -C "your_email@example.com"

# Lägg till SSH-nyckel till ssh-agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

# Kopiera publik nyckel till server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server.com

# SSH config för enklare anslutning
# ~/.ssh/config
Host myserver
    HostName server.example.com
    User myuser
    Port 22
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 60
    ServerAliveCountMax 3

# Anslut med alias
ssh myserver

# SSH tunnel för databas
ssh -L 5432:localhost:5432 myserver

# SOCKS proxy via SSH
ssh -D 8080 -C -q -N myserver

Nginx Configuration

Konfigurera Nginx som reverse proxy och webbserver.

Bash
# /etc/nginx/sites-available/app.conf
server {
    listen 80;
    server_name app.example.com;
    
    # Redirect HTTP to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name app.example.com;
    
    # SSL Configuration
    ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    
    # Security Headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000" always;
    
    # Proxy Settings
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
    
    # Static files with caching
    location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}

# Load balancing
upstream backend {
    least_conn;
    server backend1.example.com:3000 weight=3;
    server backend2.example.com:3000 weight=2;
    server backend3.example.com:3000 backup;
}

Systemd Service Management

Skapa och hantera systemd-tjänster för applikationer.

Bash
# /etc/systemd/system/myapp.service
[Unit]
Description=My Node.js Application
Documentation=https://github.com/myuser/myapp
After=network.target

[Service]
Type=simple
User=nodeapp
Group=nodeapp
WorkingDirectory=/var/www/myapp
ExecStart=/usr/bin/node /var/www/myapp/server.js
Restart=always
RestartSec=10

# Environment variables
Environment=NODE_ENV=production
Environment=PORT=3000
EnvironmentFile=/etc/myapp/myapp.env

# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/www/myapp/logs

# Resource limits
LimitNOFILE=65536
MemoryLimit=1G
CPUQuota=80%

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myapp

[Install]
WantedBy=multi-user.target

# Kommandon för att hantera tjänsten
sudo systemctl daemon-reload
sudo systemctl enable myapp.service
sudo systemctl start myapp.service
sudo systemctl status myapp.service
sudo systemctl restart myapp.service
sudo journalctl -u myapp.service -f

Docker Deployment

Deploy applikationer med Docker och Docker Compose.

Bash
# docker-compose.yml
version: '3.8'

services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
    image: myapp:latest
    container_name: myapp
    restart: unless-stopped
    ports:
      - "3000:3000"
    environment:
      - NODE_ENV=production
      - DATABASE_URL=postgresql://user:pass@db:5432/mydb
      - REDIS_URL=redis://redis:6379
    depends_on:
      - db
      - redis
    networks:
      - app-network
    volumes:
      - ./uploads:/app/uploads
      - logs:/app/logs
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

  db:
    image: postgres:14-alpine
    container_name: myapp-db
    restart: unless-stopped
    environment:
      - POSTGRES_USER=user
      - POSTGRES_PASSWORD=pass
      - POSTGRES_DB=mydb
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ./init.sql:/docker-entrypoint-initdb.d/init.sql
    networks:
      - app-network
    ports:
      - "5432:5432"

  redis:
    image: redis:7-alpine
    container_name: myapp-redis
    restart: unless-stopped
    command: redis-server --requirepass redispass
    volumes:
      - redis-data:/data
    networks:
      - app-network

  nginx:
    image: nginx:alpine
    container_name: myapp-nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./ssl:/etc/nginx/ssl
      - ./static:/usr/share/nginx/html
    depends_on:
      - app
    networks:
      - app-network

networks:
  app-network:
    driver: bridge

volumes:
  postgres-data:
  redis-data:
  logs:

# Deployment script
#!/bin/bash
docker-compose pull
docker-compose down
docker-compose up -d
docker-compose logs -f

03 · Drift

Övervakning & underhåll

System Monitoring Script

Bash-script för att övervaka systemresurser.

Bash
#!/bin/bash
# monitor.sh - System monitoring script

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
NC='\033[0m' # No Color

# System info
echo -e "${GREEN}=== System Information ===${NC}"
echo "Hostname: $(hostname)"
echo "OS: $(lsb_release -d | cut -f2)"
echo "Kernel: $(uname -r)"
echo "Uptime: $(uptime -p)"

# CPU Usage
echo -e "\n${GREEN}=== CPU Usage ===${NC}"
cpu_usage=$(top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1}')
echo "CPU Usage: ${cpu_usage}%"

# Memory Usage
echo -e "\n${GREEN}=== Memory Usage ===${NC}"
free -h | grep -E '^(Mem|Swap):'

# Disk Usage
echo -e "\n${GREEN}=== Disk Usage ===${NC}"
df -h | grep -E '^/dev/'

# Top Processes
echo -e "\n${GREEN}=== Top 5 Processes by CPU ===${NC}"
ps aux --sort=-%cpu | head -n 6

# Service Status
echo -e "\n${GREEN}=== Service Status ===${NC}"
services=("nginx" "mysql" "redis" "docker")
for service in "${services[@]}"; do
    if systemctl is-active --quiet $service; then
        echo -e "${service}: ${GREEN}running${NC}"
    else
        echo -e "${service}: ${RED}stopped${NC}"
    fi
done

# Network Connections
echo -e "\n${GREEN}=== Active Connections ===${NC}"
ss -tulpn | grep LISTEN

# Disk I/O
echo -e "\n${GREEN}=== Disk I/O ===${NC}"
iostat -x 1 1 | grep -E '^(Device|sd|nvme)'

Log Rotation Configuration

Konfigurera logrotate för att hantera loggfiler.

Bash
# /etc/logrotate.d/myapp
/var/log/myapp/*.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    create 0640 www-data www-data
    sharedscripts
    postrotate
        # Notify app to reopen log files
        kill -USR1 $(cat /var/run/myapp.pid) 2>/dev/null || true
    endscript
}

# Nginx logs
/var/log/nginx/*.log {
    daily
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 www-data adm
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi
    endscript
    postrotate
        invoke-rc.d nginx rotate >/dev/null 2>&1
    endscript
}

Backup Script

Automatiserat backup-script med rsync.

Bash
#!/bin/bash
# backup.sh - Automated backup script

# Configuration
BACKUP_DIR="/backup"
SOURCE_DIRS="/var/www /etc /home"
DB_NAME="myapp"
DB_USER="postgres"
RETENTION_DAYS=7
REMOTE_HOST="backup.server.com"
REMOTE_DIR="/backups/$(hostname)"

# Create backup directory with timestamp
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_PATH="$BACKUP_DIR/$TIMESTAMP"
mkdir -p "$BACKUP_PATH"

# Log function
log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$BACKUP_DIR/backup.log"
}

log "Starting backup..."

# Backup files
for dir in $SOURCE_DIRS; do
    if [ -d "$dir" ]; then
        log "Backing up $dir..."
        rsync -avz --delete "$dir" "$BACKUP_PATH/"
    fi
done

# Backup database
log "Backing up PostgreSQL database..."
pg_dump -U $DB_USER $DB_NAME | gzip > "$BACKUP_PATH/database.sql.gz"

# Create tarball
log "Creating archive..."
cd "$BACKUP_DIR"
tar -czf "$TIMESTAMP.tar.gz" "$TIMESTAMP/"
rm -rf "$BACKUP_PATH"

# Sync to remote server
log "Syncing to remote server..."
rsync -avz --delete "$BACKUP_DIR/" "$REMOTE_HOST:$REMOTE_DIR/"

# Clean old backups
log "Cleaning old backups..."
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +$RETENTION_DAYS -delete

log "Backup completed successfully!"

# Send notification
echo "Backup completed at $(date)" | mail -s "Backup Success" admin@example.com

04 · Härdning

Säkerhet

Grundläggande härdning varje produktionsserver bör ha:

Firewall Configuration

Konfigurera UFW (Uncomplicated Firewall) för säkerhet

Bash
ufw allow 22/tcp && ufw allow 80/tcp && ufw allow 443/tcp && ufw enable

Fail2ban Setup

Skydda mot brute-force attacker

Bash
apt install fail2ban && systemctl enable fail2ban

Automatic Updates

Aktivera automatiska säkerhetsuppdateringar

Bash
apt install unattended-upgrades && dpkg-reconfigure -plow unattended-upgrades

SSH Hardening

Säkra SSH-konfiguration

Bash
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

05 · Mätning

Prestandaverktyg

htop
Interaktiv processövervakningVisuell översikt av CPU, minne och processer i realtid
netdata
Realtidsövervakning via webbDetaljerad systemövervakning med historik och alerts
glances
Cross-platform monitoring toolÖvervakning av CPU, minne, disk, nätverk i ett interface
nmon
Performance monitoringDetaljerad prestandaanalys och rapportering

06 · Arbetssätt

Praktiska råd

Automatisera allt som går
Använd Ansible, Terraform eller liknande för att undvika manuella fel.
Övervaka proaktivt
Sätt upp alerts för CPU, minne, disk och nätverksproblem innan de blir kritiska.
Dokumentera din infrastruktur
Håll en uppdaterad wiki med nätverksdiagram, lösenordshantering och runbooks.
Testa din disaster recovery
Testa backup-återställning och failover-procedurer regelbundet.