vCSA Security Settings

VMware's own recommended best practice for vCSA security is:

the access to the vCSA should only be allowed from trusted hosts or virtual machines, and access to the remaining devices should be blocked. Also note that some 3rd party VMware backup products or vROps, SRM etc. should be considered when blocking access to the vCSA.

By default the vCSA does not log iptables activity. To see iptables logs, run the following commands in the vCSA shell. Note that LOG level 7 is debug, and because the rules carry no match criteria they log every packet on INPUT and OUTPUT, so use them only while debugging and delete the LOGGER chain afterwards:

# iptables -N LOGGER
# iptables -A LOGGER -j LOG --log-prefix 'iptable log: ' --log-level 7
# iptables -I OUTPUT -j LOGGER
# iptables -I INPUT -j LOGGER

Then you can watch the iptables log with:

# journalctl -k | grep 'iptable log'

There are several ways to harden a vCSA; the simplest and most effective is a restriction at the network layer, i.e. a firewall.

The vCSA ships with a simple firewall built on iptables, managed from the appliance management interface at https://<vCSA IP>:5480.

That firewall UI can only whitelist or blacklist an IP or a CIDR.

A simple policy: in the firewall UI, whitelist your bastion host IP, management IPs, backup server IPs and so on; then SSH in as root and, in iptables, drop ports 80, 443 and 5480 for everyone else. The management ports are then effectively not exposed to the public network. Two caveats: the whitelist ACCEPT rules must sit above the DROP rules in the INPUT chain (the jump below is inserted at position 5 for exactly that reason; confirm the order with iptables -nvL INPUT --line-numbers before you close the SSH session, or you lock yourself out), and rules added from the shell are not managed by the appliance firewall UI, so check after the next reboot that they are still in place.

The iptables rules in detail. A dedicated chain is used so the rules can be listed and removed as a unit; the jump is inserted at INPUT position 5 so that the whitelist ACCEPT rules above it are evaluated first (adjust the position to your own chain):

iptables -N inbound-custom
iptables -A inbound-custom -p tcp -m tcp --dport 80 -j DROP
iptables -A inbound-custom -p tcp -m tcp --dport 443 -j DROP
iptables -A inbound-custom -p tcp -m tcp --dport 5480 -j DROP
iptables -A inbound-custom -j RETURN
iptables -I INPUT 5 -j inbound-custom


An iptables debugging pitfall

When debugging iptables rules, don't just use

iptables -L INPUT

I personally don't like binding rules to an interface in the INPUT chain, but plenty of companies do

(During today's debugging I didn't notice the interface and wasted an entire morning)

So the general recommendation is

iptables -L INPUT -v --line-numbers

or, even better,

iptables -nvL INPUT --line-numbers

-n → Numeric output (no DNS or service-name lookups, so raw IPs and port numbers are shown).
-v → Verbose output (packet and byte counters plus the in/out interface columns, which plain -L omits).
-L → List the rules of the given chain (INPUT here).
--line-numbers → Print each rule's position, which is what -I INPUT <n> and -D INPUT <n> refer to.
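The two pitfalls from the sections above, the inbound-custom jump that must sit below the whitelist ACCEPT rules and the interface-bound rules that plain iptables -L hides, as a small shell check. This is an added example, not code from the original post: it runs awk over the text that iptables -nvL INPUT --line-numbers prints, the listing embedded in the script is constructed (the addresses 203.0.113.10 and 198.51.100.5, the interfaces and the counters are made up, not real vCSA output), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Pure awk over the text that
# `iptables -nvL INPUT --line-numbers` prints, so it can be tried offline on
# the constructed listing below; on a real host pipe the live listing in.

# Constructed sample listing (not real vCSA output). Columns:
# num pkts bytes target prot opt in out source destination [match...]
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1200 88000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     5000  400K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3       40  2400 ACCEPT     tcp  --  eth0   *       203.0.113.10         0.0.0.0/0            tcp dpt:22
4       10   600 ACCEPT     tcp  --  eth1   *       203.0.113.10         0.0.0.0/0            tcp dpt:443
5       90  5400 inbound-custom  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     tcp  --  *      *       198.51.100.5         0.0.0.0/0            tcp dpt:5480'

# Rule numbers whose "in" interface is not "*": the detail plain `iptables -L` hides.
iface_bound_rules() {
    awk '$1 ~ /^[0-9]+$/ && $7 != "*" { print $1 }'
}

# Position of the first rule that jumps to chain $1 (e.g. inbound-custom); empty if none.
first_rule_to() {
    awk -v t="$1" '$1 ~ /^[0-9]+$/ && $4 == t { print $1; exit }'
}

# ACCEPT rules for source $1 that are evaluated before the jump to chain $2,
# printed as "<num> in=<iface> <match>" so interface and port limits stay visible.
accepts_before_jump() {
    awk -v s="$1" -v t="$2" '
        $1 !~ /^[0-9]+$/ { next }
        $4 == t          { exit }
        $4 == "ACCEPT" && $9 == s {
            m = ""
            for (i = 11; i <= NF; i++) m = m (m == "" ? "" : " ") $i
            print $1, "in=" $7, (m == "" ? "all" : m)
        }'
}

# "ok" if source $1 is still accepted somewhere above the jump to chain $2, else "LOCKOUT".
lockout_check() {
    if [ -n "$(accepts_before_jump "$1" "$2")" ]; then echo ok; else echo LOCKOUT; fi
}

echo "interface-bound rules: $(printf '%s\n' "$SAMPLE" | iface_bound_rules | tr '\n' ' ')"
echo "jump to inbound-custom at rule: $(printf '%s\n' "$SAMPLE" | first_rule_to inbound-custom)"
printf '%s\n' "$SAMPLE" | accepts_before_jump 203.0.113.10 inbound-custom
echo "bastion 203.0.113.10: $(printf '%s\n' "$SAMPLE" | lockout_check 203.0.113.10 inbound-custom)"
echo "backup  198.51.100.5: $(printf '%s\n' "$SAMPLE" | lockout_check 198.51.100.5 inbound-custom)"
# On a real appliance, before closing the SSH session:
#   iptables -nvL INPUT --line-numbers | lockout_check <your admin IP> inbound-custom
```

In the constructed listing the backup server 198.51.100.5 is only accepted at rule 6, below the jump at rule 5, so its 5480 traffic is dropped inside inbound-custom and the check reports LOCKOUT; the bastion host is accepted at rules 3 and 4, but only on eth0 and eth1 and only for ports 22 and 443, which is exactly the kind of detail that costs a morning when it is not printed.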

Three Ways to Upgrade ESXi 7 to ESXi 8

Before upgrading to vSphere 8, run through these checks:

  1. Check compatibility, especially the CPU (the vSphere 8 compatibility list drops a number of older CPUs)
  2. Health check
  3. SSO domain reconfiguration, if required
  4. Remove vCenter HA
  5. Back up your environment

Broadly, a major-version upgrade can be done in three ways:

1 Boot from the ISO

2 Use vSphere Lifecycle Manager

3 Use ESXCLI commands


Upgrading from the ISO:

Download the ESXi 8.0 image and verify its checksum against the value published on the download page before using it. Then put the ESXi 7 host into maintenance mode, boot it from the ESXi 8.0 ISO, and choose the upgrade option when the installer detects the existing installation.

Upgrading with vSphere Lifecycle Manager:

The simplest and clearest method, and the recommended one.

See the previous post for the detailed steps.

Upgrading with ESXCLI:

See this other post of mine for the details.

Upgrading ESXi from vSphere 7 to 8 with vLCM

Starting with vSphere 8, the traditional vSphere Lifecycle Manager baselines (the VUM-style workflow) are deprecated, and VMware recommends vLCM images for updates.

(Having used both, vLCM really is much nicer to work with)

In this post we use vLCM to upgrade ESXi 7 to ESXi 8.

Starting point:

vCenter Server is at version 8 U3

The ESXi host is at version 7

vCenter is upgraded first for a reason: a host cannot run a newer version than the vCenter that manages it, so vCenter must already be at least at the version of the target ESXi image.

1 To use the desired-image method, find the ESXi 7 host to be upgraded in the vCenter inventory and click Updates -> Image

2 Step 1: click Setup Image Manually and select the image. Here we pick ESXi version 8.0 U3 and add no other components

Validate first, then save

3 Step 2 checks the host's compliance against this image


4 The host shows "Out of compliance with image"; click FINISH IMAGE SETUP.


5 Now the ESXi 7 host can be updated with this image

6 First RUN PRE-CHECK; once it reports no problems, click REMEDIATE to start the actual upgrade

The host is then remediated and rebooted. The Remediate Host task shows up in the Recent Tasks panel, and the remediation progress is also visible under Image Compliance.

Once the host has finished updating and rebooted, it reappears in vCenter, with ESXi now at version 8.


Why the MD5 of a Compressed Archive Changes

Even for the same folder, an archive created at a different time has a different MD5, because the archive's bytes change even when the folder's contents do not.

There are three reasons:

1 Timestamps in Metadata – Many compression tools store file timestamps (creation, modification, and access times) inside the archive. If you compress the same folder at different times, these timestamps may differ, leading to a different MD5 hash.

2 Compression Algorithm Variations – Some compression tools use different compression settings, even if the same files are inside. Small variations in compression level or header metadata (gzip, for example, records the original file name and a timestamp in its header) result in a different output file and a different MD5 hash.

3 Order of Files – If the compression tool does not always process files in the same order, the resulting archive may be structured differently, leading to a different MD5 hash.

To get a stable hash (and, for any integrity check, prefer SHA-256 over MD5, which is not collision resistant), use one of these three approaches:

1 Hash Individual Files – Instead of hashing the archive, compute a digest for each file inside the folder (sorted by path) and compare those, or hash the sorted list of per-file digests.
2 Use Deterministic Compression – GNU tar --sort=name together with --mtime, --owner=0 --group=0 and --numeric-owner, piped into gzip -n (--no-name, which drops the file name and timestamp from the gzip header), produces byte-identical archives from identical content.
3 Exclude Timestamps – zip -X (--no-extra) drops the extended timestamp and uid/gid extra fields; note that zip -o (--latest-time) only sets the archive file's own modification time to that of its newest entry, and zip entries always keep their DOS modification time.
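Approaches 1 and 2 side by side, as an added example that is not part of the original post. It assumes GNU tar (for --sort and --mtime), gzip -n, GNU find/sort/touch and md5sum, i.e. an ordinary Linux host; the test tree, its contents and the epoch times 1000 and 2000 are constructed to simulate the same folder compressed at two different times, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU tar (--sort, --mtime),
# gzip -n, GNU find/sort/touch and md5sum, i.e. an ordinary Linux host.

# Method 1: hash the contents, not the container. A sorted "digest  path"
# manifest of every regular file, then one digest over the manifest; archive
# timestamps, owners and member order never enter the calculation.
tree_hash() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 md5sum ) | md5sum | cut -d' ' -f1
}

# Method 2: a reproducible tar.gz: fixed member order, fixed mtime, numeric
# uid/gid 0, GNU format (no pax headers carrying atime/ctime), and gzip -n so
# the gzip header carries neither a file name nor a timestamp.
deterministic_archive() {
    tar --sort=name --mtime='@0' --owner=0 --group=0 --numeric-owner --format=gnu \
        -C "$(dirname "$1")" -cf - "$(basename "$1")" | gzip -n > "$2"
}

# The naive form for comparison: member mtimes and the gzip header vary.
plain_archive() {
    tar -C "$(dirname "$1")" -cf - "$(basename "$1")" | gzip > "$2"
}

file_md5() { md5sum "$1" | cut -d' ' -f1; }

# Constructed test tree: identical content, every mtime forced to epoch $2 to
# simulate "the same folder compressed at a different time".
make_tree() {
    mkdir -p "$1/sub"
    printf 'hello\n' > "$1/a.txt"
    printf 'world\n' > "$1/sub/b.txt"
    find "$1" -exec touch -d "@$2" {} +
}

WORK=$(mktemp -d)
make_tree "$WORK/one/data" 1000
make_tree "$WORK/two/data" 2000
plain_archive "$WORK/one/data" "$WORK/plain1.tgz"
plain_archive "$WORK/two/data" "$WORK/plain2.tgz"
deterministic_archive "$WORK/one/data" "$WORK/det1.tgz"
deterministic_archive "$WORK/two/data" "$WORK/det2.tgz"
echo "plain tar.gz : $(file_md5 "$WORK/plain1.tgz")  $(file_md5 "$WORK/plain2.tgz")"   # differ
echo "deterministic: $(file_md5 "$WORK/det1.tgz")  $(file_md5 "$WORK/det2.tgz")"       # equal
echo "tree hash    : $(tree_hash "$WORK/one/data")  $(tree_hash "$WORK/two/data")"      # equal
rm -rf "$WORK"
```

The tree hash is the more robust of the two because it does not depend on the archiver at all; the deterministic archive is what you want when the artifact you ship is the archive itself (swap md5sum for sha256sum in either case when the hash is meant to detect tampering rather than accidental change).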

The New Microsoft 365 Does Not Include Classic Outlook

I reinstalled Windows 11 on an old PC and installed Microsoft 365, only to find that classic Outlook was not installed; there was only the built-in new Outlook.

After digging around Microsoft's site for a long time

https://answers.microsoft.com/en-us/outlook_com/forum/all/microsoft-outlook-classic-doesnt-download-with/ddf9a60d-6fc5-4a54-bcd0-8528bf7517b9?correlationid=c24c7410-45b7-4cea-bc99-88e60076c78d&from=ContactUsWebBCQR

I learned from this article that the current Microsoft 365 installer does not include classic Outlook by default; only the built-in new Outlook is there, and Microsoft keeps pushing people towards new Outlook.

But it is still not as good as classic Outlook.

If you have a Microsoft 365 subscription but only new Outlook on the PC, there are two options, from this page:

You can’t open classic Outlook on a new Windows PC

You can download classic Outlook from that page, or from the Microsoft Store.

I downloaded the standalone version and installed it, and classic Outlook was back.

If you have a lot of mail, you may need to change where classic Outlook stores it; see this post:

Changing the location of the Office 365 Outlook OST file

DMIT LAX Wee Review

The system is Debian 12 (bench.sh below reports Debian GNU/Linux 11 with kernel 5.10.0-32-amd64, so the OS line is worth re-checking with cat /etc/os-release).

Teddysun's bench.sh:

root@root:~# wget -qO- bench.sh | bash
-------------------- A Bench.sh Script By Teddysun -------------------
Version : v2024-11-11
Usage : wget -qO- bench.sh | bash
----------------------------------------------------------------------
CPU Model : AMD EPYC 9654 96-Core Processor
CPU Cores : 1 @ 2396.396 MHz
CPU Cache : 512 KB
AES-NI : ✓ Enabled
VM-x/AMD-V : ✗ Disabled
Total Disk : 9.7 GB (2.8 GB Used)
Total Mem : 964.5 MB (118.1 MB Used)
System uptime : 101 days, 10 hour 56 min
Load average : 0.00, 0.02, 0.03
OS : Debian GNU/Linux 11
Arch : x86_64 (64 Bit)
Kernel : 5.10.0-32-amd64
TCP CC : bbr
Virtualization : Dedicated
IPv4/IPv6 : ✓ Online / ✓ Online
Organization : AS906 DMIT Cloud Services
Location : Los Angeles / US
Region : California
----------------------------------------------------------------------
I/O Speed(1st run) : 688 MB/s
I/O Speed(2nd run) : 939 MB/s
I/O Speed(3rd run) : 769 MB/s
I/O Speed(average) : 798.7 MB/s
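Both benchmark commands on this page (wget -qO- bench.sh | bash above, and bash <(curl -L -s check.unlock.media) further down) pipe an unreviewed remote script straight into a root shell. The safer habit is to download the script, read it, record its digest, and only then run it, with the digest pinned so a silently changed script refuses to run. This is an added example, not part of the original review; it assumes curl and sha256sum from coreutils on the Debian host, and the demo script it creates is constructed.

```shell
#!/bin/sh
# Added example, not part of the original review. Assumes sha256sum (coreutils)
# and curl; the demo below builds its own throwaway script and needs no network.

# Step 1 (online, once): fetch the script to disk for review instead of piping
# it into a shell, and print its digest so you can record it after reading it.
fetch_for_review() {
    # $1 = URL, $2 = local file
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1" && sha256sum "$2"
}

# Step 2 (repeatable): run the reviewed file only if its digest still matches
# the pinned value; any upstream change, benign or not, makes this refuse.
run_pinned() {
    # $1 = script path, $2 = expected sha256 hex, $3 = interpreter (default sh)
    script=$1; expected=$2; interp=${3:-sh}
    actual=$(sha256sum "$script" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: sha256 %s does not match pinned %s\n' \
            "$script" "$actual" "$expected" >&2
        return 1
    fi
    "$interp" "$script"
}

# Demo on a constructed script: pin it, run it, then tamper and watch it refuse.
DEMO=$(mktemp)
printf 'echo "benchmark placeholder"\n' > "$DEMO"
PIN=$(sha256sum "$DEMO" | cut -d' ' -f1)
run_pinned "$DEMO" "$PIN"                                  # runs
printf 'echo "added line"\n' >> "$DEMO"
run_pinned "$DEMO" "$PIN" || echo "tampered script blocked"
rm -f "$DEMO"
```

For the two scripts on this page the flow is fetch_for_review https://bench.sh ./bench.sh, read ./bench.sh, then run_pinned ./bench.sh <recorded sha256> bash; the same for check.unlock.media. The pin has to be refreshed deliberately whenever the upstream script legitimately changes, which is the point.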

YABS:

It always shows busy; I'm not sure why.

Streaming unlock check:

root@root:~# bash <(curl -L -s check.unlock.media)
Supported OS: Ubuntu 16+, Debian 10+, RHEL 7+, Arch Linux, Alpine Linux, FreeBSD, macOS 10.13+, Android (Termux), iOS (iSH), Windows (MinGW/Cygwin), OpenWRT 23+, etc.

[Streaming platform and game region restriction test]

Project: https://github.com/lmc999/RegionRestrictionCheck
Bug reports and discussion: TG group https://t.me/gameaccelerate

** Test time: Sun Jan 12 07:39:31 UTC 2025
** Version: 1.0.0

Select a test; press Enter to test all regions
Enter [1]: [ Multinational + Taiwan ] test
Enter [2]: [ Multinational + Hong Kong ] test
Enter [3]: [ Multinational + Japan ] test
Enter [4]: [ Multinational + North America ] test
Enter [5]: [ Multinational + South America ] test
Enter [6]: [ Multinational + Europe ] test
Enter [7]: [ Multinational + Oceania ] test
Enter [8]: [ Multinational + Korea ] test
Enter [9]: [ Multinational + Southeast Asia ] test
Enter [10]: [ Multinational + India ] test
Enter [11]: [ Multinational + Africa ] test
Enter [0]: [ Multinational platforms only ] test
Enter [88]: [ Instagram Music ] test
Enter [99]: [ Sports streaming platforms ] test
Enter [66]: [ All platforms ] test
Enter [69]: [ Advertising placement ] inquiry
Enter a valid number or press Enter: 4
[Streaming platform and game region restriction test]

Project: https://github.com/lmc999/RegionRestrictionCheck
Bug reports and discussion: TG group https://t.me/gameaccelerate

** Test time: Sun Jan 12 07:39:35 UTC 2025
** Version: 1.0.0


** Testing IPv4 unlock status
--------------------------------
** Your network: DMIT (154.17.*.*)


============[ Multination ]============
Dazn: Failed (Error: )
Disney+: No (IP Banned By Disney+ 1)
Netflix: Originals Only
YouTube Premium: Yes (Region: US)
Amazon Prime Video: Yes (Region: US)
TVBAnywhere+: Yes
Spotify Registration: No
OneTrust Region: US [California]
iQyi Oversea Region: US
Bing Region: US (Risky)
YouTube CDN: Los Angeles, CA
Netflix Preferred CDN: Los Angeles, CA
ChatGPT: Yes
Google Gemini: Yes (Region: USA)
Wikipedia Editability: No
Google Play Store: United States
Google Search CAPTCHA Free: Yes
Steam Currency: USD
---Forum---
Reddit: No
=======================================
===========[ North America ]===========
Paramount+: Yes (Region: US)
Discovery+: Yes (Region: US)
Acorn TV: Yes
BritBox: Yes
SonyLiv: Failed (Network Connection)
NBA TV: Yes
TLC GO: Yes (Region: US)
Shudder: Yes
Fubo TV: Yes (Region:US)
Tubi TV: Yes
Pluto TV: Yes
KOCOWA: Yes
AMC+: Yes (Region: USA)
MathsSpot Roblox: Failed (Error: FailureUnauthorized)
---US---
FOX: Yes
Hulu: No
NFL+: Yes
ESPN+:[Sponsored by Jam] No
MGM+: No
Starz: No
Philo: Yes
FXNOW: Yes
HBO Max: Yes (Region: US)
Crackle: Yes
CW TV: Yes
A&E TV: Yes
NBC TV: Yes
Sling TV: Yes
encoreTVB: Yes
Peacock TV: Yes
Popcornflix: Failed (Network Connection)
Crunchyroll: Yes
Directv Stream: Failed (Network Connection)
Meta AI: Failed (Error: PAGE ERROR)
---CA---
HotStar: No
CBC Gem: No
Crave: No
=======================================

** Testing IPv6 unlock status
--------------------------------
** Your network: DMIT (2605:52c0:2:*:*)


============[ Multination ]============
Dazn: IPv6 Is Not Currently Supported
Disney+: IPv6 Is Not Currently Supported
Netflix: Originals Only
YouTube Premium: Yes (Region: US)
Amazon Prime Video: IPv6 Is Not Currently Supported
TVBAnywhere+: IPv6 Is Not Currently Supported
Spotify Registration: No
OneTrust Region: US [California]
iQyi Oversea Region: IPv6 Is Not Currently Supported
Bing Region: US (Risky)
YouTube CDN: Los Angeles, CA
Netflix Preferred CDN: Miami, FL
ChatGPT: Failed (Network Connection)
Google Gemini: Yes (Region: USA)
Wikipedia Editability: No
Google Play Store: United States
Google Search CAPTCHA Free: Yes
Steam Currency: IPv6 Is Not Currently Supported
---Forum---
Reddit: IPv6 Is Not Currently Supported
=======================================
===========[ North America ]===========
Paramount+: Yes (Region: US)
Discovery+: IPv6 Is Not Currently Supported
Acorn TV: IPv6 Is Not Currently Supported
BritBox: Yes
SonyLiv: Failed (Network Connection)
NBA TV: Yes
TLC GO: IPv6 Is Not Currently Supported
Shudder: Yes
Fubo TV: IPv6 Is Not Currently Supported
Tubi TV: Yes
Pluto TV: IPv6 Is Not Currently Supported
KOCOWA: IPv6 Is Not Currently Supported
AMC+: Yes (Region: USA)
MathsSpot Roblox: IPv6 Is Not Currently Supported
---US---
FOX: Yes
Hulu: No
NFL+: IPv6 Is Not Currently Supported
ESPN+:[Sponsored by Jam] No
MGM+: IPv6 Is Not Currently Supported
Starz: IPv6 Is Not Currently Supported
Philo: IPv6 Is Not Currently Supported
FXNOW: IPv6 Is Not Currently Supported
HBO Max: Yes (Region: US)
Crackle: Yes
CW TV: Yes
A&E TV: IPv6 Is Not Currently Supported
NBC TV: Yes
Sling TV: Yes
encoreTVB: IPv6 Is Not Currently Supported
Peacock TV: Yes
Popcornflix: IPv6 Is Not Currently Supported
Crunchyroll: IPv6 Is Not Currently Supported
Directv Stream: Failed (Network Connection)
Meta AI: Failed (Error: PAGE ERROR)
---CA---
HotStar: No (Discontinued in the US)
CBC Gem: IPv6 Is Not Currently Supported
Crave: IPv6 Is Not Currently Supported
=======================================