Differences
Below are the differences between two revisions of the page.
tech:hypervisor-01 [03/03/2021 12:00] – [Operating system] LibertAdmin | tech:hypervisor-01 [04/11/2023 19:57] – [Routing and filtering with iptables] LibertAdmin
Ligne 21: | Ligne 21: | ||
* [[tech: | * [[tech: | ||
* [[tech: | * [[tech: | ||
- | * [[tech: | + | |
- | * [[tech: | + | * [[tech: |
- | * [[tech: | + | |
- | * [[tech: | + | |
- | * [[tech: | + | * [[tech: |
- | Toutes les requêtes venant d' | + | Toutes les requêtes venant d' |
===== Configuration ===== | ===== Configuration ===== | ||
==== Système d' | ==== Système d' | ||
- | Debian stable (Debian | + | * Debian stable (Debian |
+ | * Debian oldstable pour le serveur web-01 (Debian 11 « Bullseye ») | ||
+ | |||
+ | ==== Adressage IP ==== | ||
+ | Hetzner offre une IP publique. Nous avons modifié l' | ||
+ | |||
+ | L' | ||
+ | |||
+ | L' | ||
+ | |||
+ | < | ||
+ | root@hypervisor-01 ~ # cat / | ||
+ | ### Hetzner Online GmbH installimage | ||
+ | |||
+ | source / | ||
+ | |||
+ | auto lo | ||
+ | iface lo inet loopback | ||
+ | iface lo inet6 loopback | ||
+ | |||
+ | auto br0 | ||
+ | iface br0 inet static | ||
+ | bridge_ports enp0s31f6 | ||
+ | bridge_hw enp0s31f6 | ||
+ | bridge_fd 0 | ||
+ | bridge_stp off | ||
+ | bridge_maxwait 0 | ||
+ | address | ||
+ | netmask | ||
+ | gateway | ||
+ | pre-up / | ||
+ | |||
+ | iface br0 inet6 static | ||
+ | bridge_ports enp0s31f6 | ||
+ | bridge_hw enp0s31f6 | ||
+ | bridge_fd 0 | ||
+ | bridge_stp off | ||
+ | bridge_maxwait 0 | ||
+ | address 2a01: | ||
+ | netmask 64 | ||
+ | gateway fe80::1 | ||
+ | |||
+ | # Management | ||
+ | auto br1 | ||
+ | iface br1 inet static | ||
+ | bridge_ports none | ||
+ | bridge_fd 0 | ||
+ | bridge_stp off | ||
+ | address XXX | ||
+ | netmask 255.255.255.0 | ||
+ | |||
+ | iface br1 inet6 static | ||
+ | bridge_ports none | ||
+ | bridge_fd 0 | ||
+ | bridge_stp off | ||
+ | address XXX | ||
+ | netmask 120 | ||
+ | |||
+ | # VM-LAN | ||
+ | auto br2 | ||
+ | iface br2 inet static | ||
+ | bridge_ports none | ||
+ | bridge_fd 0 | ||
+ | bridge_stp off | ||
+ | address 192.168.10.1 | ||
+ | netmask 255.255.255.0 | ||
+ | |||
+ | iface br2 inet6 static | ||
+ | bridge_ports none | ||
+ | bridge_fd 0 | ||
+ | bridge_stp off | ||
+ | address 2a01: | ||
+ | netmask 120 | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Routage et filtrage avec iptables ==== | ||
+ | |||
+ | Nous avons dû ensuite router et rediriger tout ça avec iptables afin de communiquer depuis l' | ||
+ | |||
+ | Le paquet '' | ||
+ | Le port SSH a été masqué. | ||
+ | |||
+ | Il est bien sûr extrêmement important de sécuriser SSH : interdire le login root avec mot de passe, utiliser de bons algorithmes de chiffrement, | ||
+ | |||
+ | Les règles concernant le réseau d' | ||
+ | |||
+ | Pour IPv4, dans ''/ | ||
+ | |||
+ | <code bash> | ||
+ | *nat | ||
+ | # Router le trafic Web vers le serveur web : | ||
+ | -A PREROUTING -d 159.69.59.13/ | ||
+ | # Router le mail envoi/ | ||
+ | -A PREROUTING -d 159.69.59.13/ | ||
+ | # Router le 8484 pour Zabbix vers le serveur monitoring : | ||
+ | -A PREROUTING -d 159.69.59.13/ | ||
+ | # Ne pas appliquer le masquerading sur le broadcast/ | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
+ | # Masquerading sur tous les ports dans le sens sortant (VM -> Internet) | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
+ | COMMIT | ||
+ | *filter | ||
+ | # Accepter le trafic basique : ICMP, boucle locale et connexions établies, en entrée : | ||
+ | -A INPUT -m conntrack --ctstate RELATED, | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT | ||
+ | # Accepter le SSH : | ||
+ | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT | ||
+ | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 1984 -j ACCEPT | ||
+ | # Accepter les connexions pour le mail : | ||
+ | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports 587,993,25 -j ACCEPT | ||
+ | # Accepter le tunnel SSH vers le serveur web-01 sur le port 52365 : | ||
+ | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 52365 -j ACCEPT | ||
+ | # Accepter les connexions VPN WireGuard : | ||
+ | -A INPUT -p udp -m udp --dport 51510 -m conntrack --ctstate NEW -j ACCEPT | ||
+ | # Accepter les requêtes DNS (port 53) depuis les VM : | ||
+ | -A INPUT -i br2 -p udp -m udp -m multiport --dports 53 -j ACCEPT | ||
+ | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 53 -j ACCEPT | ||
+ | # Bloquer les requêtes rpcbind/ | ||
+ | -A INPUT -i br2 -p tcp -m multiport --dport 2049 -j ACCEPT | ||
+ | -A INPUT -i br2 -p tcp -m multiport --dport 111 -j ACCEPT | ||
+ | -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT | ||
+ | -A INPUT -p udp --dport 111 -j DROP | ||
+ | -A INPUT -p tcp --dport 111 -j DROP | ||
+ | # Accepter les requêtes Zabbix passives (port 10050) depuis les VM : | ||
+ | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 10050 -j ACCEPT | ||
+ | # On refuse les trop nombreux ping : | ||
+ | -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT | ||
+ | -A INPUT -p icmp -j DROP | ||
+ | # On refuse tout le reste : | ||
+ | -A INPUT -m conntrack --ctstate INVALID -j DROP | ||
+ | -A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset | ||
+ | -A INPUT -j REJECT --reject-with icmp-port-unreachable | ||
+ | # Accepter les connexions établies sur le LAN : | ||
+ | -A FORWARD -d 192.168.10.0/ | ||
+ | # Accepter le trafic sortant depuis le LAN : | ||
+ | -A FORWARD -s 192.168.10.0/ | ||
+ | # Accepter le trafic interne entre les VM : | ||
+ | -A FORWARD -i br2 -o br2 -j ACCEPT | ||
+ | # Accepter les paquets redirigés vers des ports particuliers pour le Web vers le serveur web : | ||
+ | -A FORWARD -d 192.168.10.5/ | ||
+ | # Accepter les paquets redirigés vers des ports particuliers pour le mail vers le serveur mail : | ||
+ | -A FORWARD -d 192.168.10.7/ | ||
+ | # Accepter les paquets redirigés vers des ports particuliers pour le monitoring vers le serveur de monitoring : | ||
+ | -A FORWARD -d 192.168.10.250/ | ||
+ | # On bloque TOUT le trafic en provenance de Meta/ | ||
+ | -A INPUT -s 102.132.96.0/ | ||
+ | -A INPUT -s 103.4.96.0/ | ||
+ | -A INPUT -s 129.134.0.0/ | ||
+ | -A INPUT -s 129.134.160.0/ | ||
+ | -A INPUT -s 129.134.25.0/ | ||
+ | -A INPUT -s 129.134.26.0/ | ||
+ | -A INPUT -s 129.134.27.0/ | ||
+ | -A INPUT -s 129.134.28.0/ | ||
+ | -A INPUT -s 129.134.29.0/ | ||
+ | -A INPUT -s 129.134.30.0/ | ||
+ | -A INPUT -s 129.134.31.0/ | ||
+ | -A INPUT -s 139.223.200.130/ | ||
+ | -A INPUT -s 157.240.0.0/ | ||
+ | -A INPUT -s 157.240.192.0/ | ||
+ | -A INPUT -s 157.240.195.0/ | ||
+ | -A INPUT -s 157.240.196.0/ | ||
+ | -A INPUT -s 157.240.197.0/ | ||
+ | -A INPUT -s 157.240.198.0/ | ||
+ | -A INPUT -s 157.240.199.0/ | ||
+ | -A INPUT -s 157.240.200.0/ | ||
+ | -A INPUT -s 157.240.201.0/ | ||
+ | -A INPUT -s 157.240.202.0/ | ||
+ | -A INPUT -s 157.240.203.0/ | ||
+ | -A INPUT -s 157.240.204.0/ | ||
+ | -A INPUT -s 157.240.205.0/ | ||
+ | -A INPUT -s 157.240.207.0/ | ||
+ | -A INPUT -s 157.240.208.0/ | ||
+ | -A INPUT -s 157.240.209.0/ | ||
+ | -A INPUT -s 157.240.210.0/ | ||
+ | -A INPUT -s 157.240.211.0/ | ||
+ | -A INPUT -s 157.240.212.0/ | ||
+ | -A INPUT -s 157.240.214.0/ | ||
+ | -A INPUT -s 157.240.215.0/ | ||
+ | -A INPUT -s 157.240.216.0/ | ||
+ | -A INPUT -s 157.240.217.0/ | ||
+ | -A INPUT -s 157.240.218.0/ | ||
+ | -A INPUT -s 157.240.22.0/ | ||
+ | -A INPUT -s 157.240.221.0/ | ||
+ | -A INPUT -s 157.240.222.0/ | ||
+ | -A INPUT -s 157.240.223.0/ | ||
+ | -A INPUT -s 157.240.224.0/ | ||
+ | -A INPUT -s 157.240.225.0/ | ||
+ | -A INPUT -s 157.240.226.0/ | ||
+ | -A INPUT -s 157.240.227.0/ | ||
+ | -A INPUT -s 157.240.228.0/ | ||
+ | -A INPUT -s 157.240.229.0/ | ||
+ | -A INPUT -s 157.240.23.0/ | ||
+ | -A INPUT -s 157.240.231.0/ | ||
+ | -A INPUT -s 157.240.232.0/ | ||
+ | -A INPUT -s 157.240.233.0/ | ||
+ | -A INPUT -s 157.240.234.0/ | ||
+ | -A INPUT -s 157.240.235.0/ | ||
+ | -A INPUT -s 157.240.236.0/ | ||
+ | -A INPUT -s 157.240.237.0/ | ||
+ | -A INPUT -s 157.240.238.0/ | ||
+ | -A INPUT -s 157.240.239.0/ | ||
+ | -A INPUT -s 157.240.240.0/ | ||
+ | -A INPUT -s 157.240.24.0/ | ||
+ | -A INPUT -s 157.240.241.0/ | ||
+ | -A INPUT -s 157.240.242.0/ | ||
+ | -A INPUT -s 157.240.243.0/ | ||
+ | -A INPUT -s 157.240.244.0/ | ||
+ | -A INPUT -s 157.240.245.0/ | ||
+ | -A INPUT -s 157.240.247.0/ | ||
+ | -A INPUT -s 157.240.249.0/ | ||
+ | -A INPUT -s 157.240.250.0/ | ||
+ | -A INPUT -s 157.240.25.0/ | ||
+ | -A INPUT -s 157.240.251.0/ | ||
+ | -A INPUT -s 157.240.252.0/ | ||
+ | -A INPUT -s 157.240.253.0/ | ||
+ | -A INPUT -s 157.240.254.0/ | ||
+ | -A INPUT -s 157.240.26.0/ | ||
+ | -A INPUT -s 157.240.27.0/ | ||
+ | -A INPUT -s 157.240.28.0/ | ||
+ | -A INPUT -s 157.240.29.0/ | ||
+ | -A INPUT -s 157.240.30.0/ | ||
+ | -A INPUT -s 157.240.3.0/ | ||
+ | -A INPUT -s 157.240.31.0/ | ||
+ | -A INPUT -s 157.240.5.0/ | ||
+ | -A INPUT -s 157.240.6.0/ | ||
+ | -A INPUT -s 157.240.7.0/ | ||
+ | -A INPUT -s 157.240.8.0/ | ||
+ | -A INPUT -s 157.240.9.0/ | ||
+ | -A INPUT -s 162.254.207.51/ | ||
+ | -A INPUT -s 162.255.119.207/ | ||
+ | -A INPUT -s 172.67.135.213/ | ||
+ | -A INPUT -s 173.252.64.0/ | ||
+ | -A INPUT -s 179.60.192.0/ | ||
+ | -A INPUT -s 185.199.108.153/ | ||
+ | -A INPUT -s 185.199.111.153/ | ||
+ | -A INPUT -s 185.60.216.0/ | ||
+ | -A INPUT -s 198.54.117.211/ | ||
+ | -A INPUT -s 204.15.20.0/ | ||
+ | -A INPUT -s 27.124.125.189/ | ||
+ | -A INPUT -s 31.13.24.0/ | ||
+ | -A INPUT -s 31.13.64.0/ | ||
+ | -A INPUT -s 34.117.168.233/ | ||
+ | -A INPUT -s 37.9.175.187/ | ||
+ | -A INPUT -s 45.130.41.7/ | ||
+ | -A INPUT -s 45.64.40.0/ | ||
+ | -A INPUT -s 45.91.92.164/ | ||
+ | -A INPUT -s 54.81.116.232/ | ||
+ | -A INPUT -s 61.9.242.43/ | ||
+ | -A INPUT -s 64.225.91.73/ | ||
+ | -A INPUT -s 66.220.144.0/ | ||
+ | -A INPUT -s 69.171.224.0/ | ||
+ | -A INPUT -s 74.119.76.0/ | ||
+ | -A INPUT -s 89.223.68.248/ | ||
+ | # Rejeter tout le reste : | ||
+ | -A FORWARD -i br2 -j REJECT --reject-with icmp-port-unreachable | ||
+ | -A FORWARD -o br2 -j REJECT --reject-with icmp-port-unreachable | ||
+ | COMMIT | ||
+ | </ | ||
+ | |||
+ | Pour IPv6, dans ''/ | ||
+ | |||
+ | <code bash> | ||
+ | # Accepter le trafic basique : ICMP, boucle locale et connexionx établies, en entrée : | ||
+ | -A INPUT -m conntrack --ctstate RELATED, | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT ! -i lo -d ::1/128 -j REJECT | ||
+ | # Accepter le SSH : | ||
+ | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT | ||
+ | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 1984 -j ACCEPT | ||
+ | # Accepter le tunnel SSH vers le serveur web-01 sur le port 52365 : | ||
+ | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 52365 -j ACCEPT | ||
+ | # Accepter les connexions VPN WireGuard : | ||
+ | -A INPUT -p udp -m udp --dport 51510 -m conntrack --ctstate NEW -j ACCEPT | ||
+ | # Accepter les requêtes DNS (port 53) depuis les VM : | ||
+ | -A INPUT -i br2 -p udp -m udp -m multiport --dports 53 -j ACCEPT | ||
+ | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 53 -j ACCEPT | ||
+ | # Bloquer les requêtes rpcbind/ | ||
+ | -A INPUT -i br2 -p tcp -m multiport --dport 2049 -j ACCEPT | ||
+ | -A INPUT -i br2 -p tcp -m multiport --dport 111 -j ACCEPT | ||
+ | -A INPUT -p tcp -s :: | ||
+ | -A INPUT -p udp --dport 111 -j DROP | ||
+ | -A INPUT -p tcp --dport 111 -j DROP | ||
+ | # Accepter les requêtes Zabbix passives (port 10050) depuis les VM : | ||
+ | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 10050 -j ACCEPT | ||
+ | # On accepte l' | ||
+ | -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT | ||
+ | -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT | ||
+ | -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT | ||
+ | -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT | ||
+ | -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT | ||
+ | -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT | ||
+ | -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT | ||
+ | # On refuse les trop nombreux ping : | ||
+ | -A INPUT -p icmpv6 --icmpv6-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT | ||
+ | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP | ||
+ | # On refuse tout le reste en entrée : | ||
+ | -A INPUT -m conntrack --ctstate INVALID -j DROP | ||
+ | -A INPUT -j REJECT | ||
+ | # Accepter les connexions établies sur le LAN : | ||
+ | -A FORWARD -d 2a01: | ||
+ | # Accepter le trafic sortant depuis le LAN : | ||
+ | -A FORWARD -s 2a01: | ||
+ | # Accepter le trafic interne entre les VM : | ||
+ | -A FORWARD -i br2 -o br2 -j ACCEPT | ||
+ | # Accepter les paquets redirigés vers des ports particuliers pour le Web vers le serveur web : | ||
+ | -A FORWARD -d 2a01: | ||
+ | # Accepter les paquets redirigés vers des ports particuliers pour le mail vers le serveur mail : | ||
+ | -A FORWARD -d 2a01: | ||
+ | # Accepter les paquets redirigés vers des ports particuliers pour Zabbix tcp 8484 vers le serveur monitoring : | ||
+ | -A FORWARD -d 2a01: | ||
+ | # On bloque TOUT le trafic en provenance de Meta/ | ||
+ | -A INPUT -s 2620: | ||
+ | -A INPUT -s 2620: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2a03: | ||
+ | -A INPUT -s 2c0f: | ||
+ | -A INPUT -s 2c0f: | ||
+ | -A INPUT -s 2c0f: | ||
+ | -A INPUT -s 2c0f: | ||
+ | -A INPUT -s 2c0f: | ||
+ | -A INPUT -s 2c0f: | ||
+ | -A INPUT -s 2c0f: | ||
+ | -A INPUT -s 2c0f: | ||
+ | # Rejeter tout le reste : | ||
+ | -A FORWARD -i br2 -j REJECT | ||
+ | -A FORWARD -o br2 -j REJECT | ||
+ | COMMIT | ||
+ | </ | ||
==== Paquets installés ==== | ==== Paquets installés ==== | ||
+ | |||
Pour virtualiser, | Pour virtualiser, | ||
La liste des paquets : | La liste des paquets : | ||
+ | |||
< | < | ||
- | root@hypervisor-01 ~ # dpkg -l | grep ' | + | # dpkg -l | grep ' |
+ | acl | ||
+ | acpid | ||
adduser | adduser | ||
adwaita-icon-theme | adwaita-icon-theme | ||
amd64-microcode | amd64-microcode | ||
- | apparmor | ||
apt | apt | ||
- | apt-file | ||
aptitude | aptitude | ||
aptitude-common | aptitude-common | ||
apt-utils | apt-utils | ||
- | at-spi2-core | + | at |
- | attr | + | at-spi2-common |
- | augeas-lenses | + | |
base-files | base-files | ||
base-passwd | base-passwd | ||
bash | bash | ||
bash-completion | bash-completion | ||
+ | bind9-dnsutils | ||
bind9-host | bind9-host | ||
+ | bind9-libs: | ||
binutils | binutils | ||
binutils-common: | binutils-common: | ||
binutils-x86-64-linux-gnu | binutils-x86-64-linux-gnu | ||
- | bolt | ||
bridge-utils | bridge-utils | ||
- | bsdmainutils | + | bsdextrautils |
bsdutils | bsdutils | ||
btrfs-progs | btrfs-progs | ||
- | build-essential | ||
busybox | busybox | ||
bzip2 | bzip2 | ||
ca-certificates | ca-certificates | ||
- | ceph-common | ||
- | ceph-fuse | ||
- | cifs-utils | ||
console-setup | console-setup | ||
console-setup-linux | console-setup-linux | ||
coreutils | coreutils | ||
- | corosync | ||
cpio | cpio | ||
cpp | cpp | ||
- | cpp-8 | + | cpp-10 |
- | cpufrequtils | + | cpp-12 |
cron | cron | ||
+ | cron-daemon-common | ||
+ | cryptsetup | ||
cryptsetup-bin | cryptsetup-bin | ||
- | cryptsetup-run | + | cryptsetup-initramfs |
curl | curl | ||
dash | dash | ||
dbus | dbus | ||
+ | dbus-bin | ||
+ | dbus-daemon | ||
+ | dbus-session-bus-common | ||
+ | dbus-system-bus-common | ||
dbus-user-session | dbus-user-session | ||
dconf-gsettings-backend: | dconf-gsettings-backend: | ||
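Review bot: in the IPv4 `*filter` table, every INPUT rule appended after the catch-all pair `-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset` / `-A INPUT -j REJECT --reject-with icmp-port-unreachable` is unreachable, so the whole "Meta/Facebook" source block list that follows (the long run of `-A INPUT -s ...` lines placed after the FORWARD rules) never matches a packet; the IPv6 file has the same defect, its `2620:`/`2a03:`/`2c0f:` entries coming after `-A INPUT -j REJECT`. Move the block-list rules above the final REJECT rules, or into a dedicated chain jumped to from the top of INPUT, and confirm with `iptables -L INPUT -v -n --line-numbers` (and `ip6tables`) that their packet counters increment. The same ordering problem defeats the ping rate limit: `-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT` near the top already accepts every echo-request, so the later `-m limit --limit 1/s --limit-burst 1` rule and the `-A INPUT -p icmp -j DROP` after it have no effect (likewise the unconditional `--icmpv6-type echo-request -j ACCEPT` in the IPv6 file); keep only the rate-limited rule. Two smaller points: the comment reading "Bloquer les requêtes rpcbind/..." sits above rules that ACCEPT ports 2049 and 111 from br2 and only DROP 111 from elsewhere, so it should state that NFS/rpcbind is allowed from the VM LAN and blocked from everywhere else; and INPUT opens both `--dport 22` and `--dport 1984` for SSH, which does not match the text saying the SSH port was hidden, so the port-22 rule should be dropped if sshd no longer listens there.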
Ligne 91: | Ligne 449: | ||
debianutils | debianutils | ||
diffutils | diffutils | ||
- | dirmngr | ||
discover | discover | ||
discover-data | discover-data | ||
Ligne 99: | Ligne 456: | ||
dmidecode | dmidecode | ||
dmsetup | dmsetup | ||
+ | dnsmasq | ||
dnsmasq-base | dnsmasq-base | ||
- | dns-root-data | + | dnsutils |
dosfstools | dosfstools | ||
dpkg | dpkg | ||
dpkg-dev | dpkg-dev | ||
e2fsprogs | e2fsprogs | ||
- | ebtables | ||
efibootmgr | efibootmgr | ||
- | eject | ||
ethtool | ethtool | ||
- | exim4-base | ||
- | exim4-config | ||
- | exim4-daemon-light | ||
- | exuberant-ctags | ||
fail2ban | fail2ban | ||
- | fakeroot | ||
fdisk | fdisk | ||
file | file | ||
findutils | findutils | ||
firmware-bnx2x | firmware-bnx2x | ||
- | firmware-linux-free | ||
- | firmware-realtek | ||
fontconfig | fontconfig | ||
fontconfig-config | fontconfig-config | ||
fonts-dejavu-core | fonts-dejavu-core | ||
- | fuse | ||
- | fwupd | ||
- | fwupd-amd64-signed | ||
- | g++ | ||
- | g++-8 | ||
gcc | gcc | ||
- | gcc-8 | + | gcc-10 |
- | gcc-8-base:amd64 | + | gcc-10-base: |
+ | gcc-11-base: | ||
+ | gcc-12 | ||
+ | gcc-12-base: | ||
+ | gcc-9-base:amd64 | ||
gdisk | gdisk | ||
- | genisoimage | ||
- | geoip-database | ||
gettext-base | gettext-base | ||
- | gir1.2-freedesktop: | ||
- | gir1.2-glib-2.0: | ||
- | gir1.2-libosinfo-1.0: | ||
- | glib-networking: | ||
- | glib-networking-common | ||
- | glib-networking-services | ||
- | glusterfs-common | ||
- | gnupg | ||
- | gnupg-l10n | ||
- | gnupg-utils | ||
- | gpg | ||
- | gpg-agent | ||
- | gpgconf | ||
- | gpgsm | ||
gpgv | gpgv | ||
- | gpg-wks-client | ||
- | gpg-wks-server | ||
grep | grep | ||
groff-base | groff-base | ||
grub2-common | grub2-common | ||
grub-common | grub-common | ||
+ | grub-efi-amd64 | ||
grub-efi-amd64-bin | grub-efi-amd64-bin | ||
- | grub-pc | ||
grub-pc-bin | grub-pc-bin | ||
- | gsettings-desktop-schemas | ||
- | gstreamer1.0-libav: | ||
- | gstreamer1.0-plugins-base: | ||
- | gstreamer1.0-plugins-good: | ||
- | gstreamer1.0-plugins-ugly: | ||
- | gstreamer1.0-x: | ||
gtk-update-icon-cache | gtk-update-icon-cache | ||
- | guile-2.2-libs: | ||
gzip | gzip | ||
- | haveged | ||
- | hdparm | ||
hicolor-icon-theme | hicolor-icon-theme | ||
hostname | hostname | ||
htop | htop | ||
- | i965-va-driver: | ||
- | ibverbs-providers: | ||
- | ifenslave | ||
iftop | iftop | ||
ifupdown | ifupdown | ||
+ | inetutils-telnet | ||
init | init | ||
initramfs-tools | initramfs-tools | ||
initramfs-tools-core | initramfs-tools-core | ||
init-system-helpers | init-system-helpers | ||
- | installation-report | ||
- | intel-media-va-driver: | ||
intel-microcode | intel-microcode | ||
iotop | iotop | ||
- | iperf | + | ipcalc-ng |
iproute2 | iproute2 | ||
- | ipset | ||
iptables | iptables | ||
iptables-persistent | iptables-persistent | ||
- | iputils-clockdiff | ||
iputils-ping | iputils-ping | ||
- | iputils-tracepath | ||
ipxe-qemu | ipxe-qemu | ||
- | irqbalance | ||
isc-dhcp-client | isc-dhcp-client | ||
isc-dhcp-common | isc-dhcp-common | ||
iso-codes | iso-codes | ||
iucode-tool | iucode-tool | ||
- | javascript-common | ||
kbd | kbd | ||
keyboard-configuration | keyboard-configuration | ||
Ligne 207: | Ligne 519: | ||
klibc-utils | klibc-utils | ||
kmod | kmod | ||
- | kpartx | ||
- | krb5-locales | ||
laptop-detect | laptop-detect | ||
less | less | ||
- | liba52-0.7.4: | ||
- | libaa1: | ||
- | libaacs0: | ||
libacl1: | libacl1: | ||
- | libacl1-dev: | ||
libaio1: | libaio1: | ||
- | libalgorithm-diff-perl | ||
- | libalgorithm-diff-xs-perl | ||
- | libalgorithm-merge-perl | ||
- | libaom0: | ||
libapparmor1: | libapparmor1: | ||
- | libapt-inst2.0:amd64 | + | libapt-pkg6.0:amd64 |
- | libapt-pkg5.0: | + | |
- | libapt-pkg-perl | + | |
- | libarchive13:amd64 | + | |
libargon2-1: | libargon2-1: | ||
- | libasan5:amd64 | + | libasan6: |
+ | libasan8:amd64 | ||
libasound2: | libasound2: | ||
libasound2-data | libasound2-data | ||
- | libass9: | ||
- | libassuan0: | ||
libasyncns0: | libasyncns0: | ||
libatk1.0-0: | libatk1.0-0: | ||
- | libatk1.0-data | ||
libatk-bridge2.0-0: | libatk-bridge2.0-0: | ||
libatomic1: | libatomic1: | ||
libatspi2.0-0: | libatspi2.0-0: | ||
libattr1: | libattr1: | ||
- | libattr1-dev: | ||
libaudit1: | libaudit1: | ||
libaudit-common | libaudit-common | ||
- | libaugeas0: | ||
- | libauthen-sasl-perl | ||
libavahi-client3: | libavahi-client3: | ||
libavahi-common3: | libavahi-common3: | ||
libavahi-common-data: | libavahi-common-data: | ||
- | libavc1394-0: | ||
- | libavcodec58: | ||
- | libavfilter7: | ||
- | libavformat58: | ||
- | libavutil56: | ||
- | libbabeltrace1: | ||
- | libbdplus0: | ||
- | libbind9-161: | ||
libbinutils: | libbinutils: | ||
libblkid1: | libblkid1: | ||
- | libbluetooth3: | + | libboost-iostreams1.74.0:amd64 |
- | libbluray2: | + | libbpf0:amd64 |
- | libboost-atomic1.67.0: | + | libbpf1:amd64 |
- | libboost-iostreams1.67.0:amd64 | + | libbrlapi0.8:amd64 |
- | libboost-program-options1.67.0:amd64 | + | libbrotli1:amd64 |
- | libboost-regex1.67.0: | + | |
- | libboost-system1.67.0: | + | |
- | libboost-thread1.67.0:amd64 | + | |
- | libbrlapi0.6:amd64 | + | |
- | libbs2b0:amd64 | + | |
libbsd0: | libbsd0: | ||
- | libbytes-random-secure-perl | ||
libbz2-1.0: | libbz2-1.0: | ||
libc6:amd64 | libc6:amd64 | ||
libc6-dev: | libc6-dev: | ||
- | libcaca0: | ||
libcacard0: | libcacard0: | ||
libcairo2: | libcairo2: | ||
Ligne 279: | Ligne 558: | ||
libcap2-bin | libcap2-bin | ||
libcap-ng0: | libcap-ng0: | ||
- | libcapstone3:amd64 | + | libcapstone4:amd64 |
libc-bin | libc-bin | ||
+ | libcbor0.8: | ||
libcc1-0: | libcc1-0: | ||
libc-dev-bin | libc-dev-bin | ||
- | libcdio18: | ||
- | libcdparanoia0: | ||
- | libcephfs2: | ||
- | libcfg7: | ||
- | libchromaprint1: | ||
libc-l10n | libc-l10n | ||
- | libcmap4: | ||
- | libcodec2-0.8.1: | ||
libcolord2: | libcolord2: | ||
libcom-err2: | libcom-err2: | ||
- | libcommon-sense-perl | + | libcrypt1:amd64 |
- | libconvert-asn1-perl | + | libcrypt-dev:amd64 |
- | libcorosync-common4:amd64 | + | |
- | libcpg4:amd64 | + | |
- | libcpufreq0 | + | |
- | libcroco3: | + | |
- | libcrypt-random-seed-perl | + | |
libcryptsetup12: | libcryptsetup12: | ||
- | libcrypt-ssleay-perl | + | libctf0: |
- | libcrystalhd3:amd64 | + | libctf-nobfd0:amd64 |
libcups2: | libcups2: | ||
libcurl3-gnutls: | libcurl3-gnutls: | ||
libcurl4: | libcurl4: | ||
- | libcwidget3v5:amd64 | + | libcwidget4:amd64 |
- | libdata-dump-perl | + | |
libdatrie1: | libdatrie1: | ||
+ | libdaxctl1: | ||
libdb5.3: | libdb5.3: | ||
- | libdbi1: | ||
libdbus-1-3: | libdbus-1-3: | ||
libdconf1: | libdconf1: | ||
libdebconfclient0: | libdebconfclient0: | ||
+ | libdecor-0-0: | ||
+ | libdeflate0: | ||
libdevmapper1.02.1: | libdevmapper1.02.1: | ||
libdevmapper-event1.02.1: | libdevmapper-event1.02.1: | ||
- | libdigest-hmac-perl | ||
libdiscover2 | libdiscover2 | ||
- | libdns1104: | + | libdns-export1110 |
- | libdns-export1104 | + | |
libdpkg-perl | libdpkg-perl | ||
libdrm2: | libdrm2: | ||
Ligne 327: | Ligne 594: | ||
libdrm-nouveau2: | libdrm-nouveau2: | ||
libdrm-radeon1: | libdrm-radeon1: | ||
- | libdv4: | + | libduktape207:amd64 |
- | libdvdnav4: | + | |
- | libdvdread4:amd64 | + | |
libdw1: | libdw1: | ||
libedit2: | libedit2: | ||
Ligne 335: | Ligne 600: | ||
libefivar1: | libefivar1: | ||
libelf1: | libelf1: | ||
- | libelf-dev: | ||
- | libencode-locale-perl | ||
libepoxy0: | libepoxy0: | ||
libestr0: | libestr0: | ||
- | libevent-2.1-6:amd64 | + | libevent-core-2.1-7:amd64 |
+ | libexecs0:amd64 | ||
libexpat1: | libexpat1: | ||
- | libexporter-tiny-perl | ||
libext2fs2: | libext2fs2: | ||
- | libfakeroot: | ||
libfastjson4: | libfastjson4: | ||
libfdisk1: | libfdisk1: | ||
libfdt1: | libfdt1: | ||
- | libffi6:amd64 | + | libffi7:amd64 |
- | libfftw3-double3:amd64 | + | libffi8: |
- | libfile-fcntllock-perl | + | libfido2-1:amd64 |
- | libfile-listing-perl | + | libfile-find-rule-perl |
- | libflac8:amd64 | + | libflac12:amd64 |
- | libflite1: | + | |
- | libfont-afm-perl | + | |
libfontconfig1: | libfontconfig1: | ||
libfreetype6: | libfreetype6: | ||
Ligne 359: | Ligne 619: | ||
libfstrm0: | libfstrm0: | ||
libfuse2: | libfuse2: | ||
- | libfwupd2:amd64 | + | libfuse3-3:amd64 |
libgbm1: | libgbm1: | ||
- | libgc1c2:amd64 | + | libgcc-10-dev:amd64 |
- | libgcab-1.0-0:amd64 | + | libgcc-12-dev:amd64 |
- | libgcc1:amd64 | + | libgcc-s1:amd64 |
- | libgcc-8-dev:amd64 | + | |
libgcrypt20: | libgcrypt20: | ||
libgdbm6: | libgdbm6: | ||
libgdbm-compat4: | libgdbm-compat4: | ||
- | libgdk-pixbuf2.0-0:amd64 | + | libgdk-pixbuf-2.0-0:amd64 |
- | libgdk-pixbuf2.0-bin | + | |
libgdk-pixbuf2.0-common | libgdk-pixbuf2.0-common | ||
- | libgeoip1: | ||
- | libgfapi0: | ||
- | libgfchangelog0: | ||
- | libgfdb0: | ||
- | libgfrpc0: | ||
- | libgfxdr0: | ||
- | libgirepository-1.0-1: | ||
libgl1: | libgl1: | ||
libgl1-mesa-dri: | libgl1-mesa-dri: | ||
libglapi-mesa: | libglapi-mesa: | ||
libglib2.0-0: | libglib2.0-0: | ||
- | libglusterfs0: | ||
- | libglusterfs-dev | ||
libglvnd0: | libglvnd0: | ||
libglx0: | libglx0: | ||
libglx-mesa0: | libglx-mesa0: | ||
- | libgme0: | ||
libgmp10: | libgmp10: | ||
libgnutls30: | libgnutls30: | ||
- | libgnutls-dane0: | ||
libgomp1: | libgomp1: | ||
- | libgoogle-perftools4: | ||
- | libgovirt2: | ||
- | libgovirt-common | ||
libgpg-error0: | libgpg-error0: | ||
- | libgpgme11: | ||
libgpm2: | libgpm2: | ||
+ | libgprofng0: | ||
libgraphite2-3: | libgraphite2-3: | ||
- | libgsasl7 | ||
- | libgsm1: | ||
libgssapi-krb5-2: | libgssapi-krb5-2: | ||
- | libgssapi-perl | ||
libgstreamer1.0-0: | libgstreamer1.0-0: | ||
libgstreamer-plugins-base1.0-0: | libgstreamer-plugins-base1.0-0: | ||
libgtk-3-0: | libgtk-3-0: | ||
- | libgtk-3-bin | ||
libgtk-3-common | libgtk-3-common | ||
- | libgtk-vnc-2.0-0: | ||
- | libgudev-1.0-0: | ||
- | libgusb2: | ||
- | libgvnc-1.0-0: | ||
libharfbuzz0b: | libharfbuzz0b: | ||
- | libhavege1:amd64 | + | libhogweed6:amd64 |
- | libhogweed4: | + | |
- | libhtml-format-perl | + | |
- | libhtml-form-perl | + | |
- | libhtml-parser-perl | + | |
- | libhtml-tagset-perl | + | |
- | libhtml-tree-perl | + | |
- | libhttp-cookies-perl | + | |
- | libhttp-daemon-perl | + | |
- | libhttp-date-perl | + | |
- | libhttp-message-perl | + | |
- | libhttp-negotiate-perl | + | |
libibverbs1: | libibverbs1: | ||
- | libice6: | + | libicu72:amd64 |
- | libicu63: | + | |
- | libidn11:amd64 | + | |
libidn2-0: | libidn2-0: | ||
- | libiec61883-0:amd64 | + | libinih1:amd64 |
- | libigdgmm5:amd64 | + | libip4tc2:amd64 |
- | libio-html-perl | + | libip6tc2:amd64 |
- | libio-socket-ssl-perl | + | libisc-export1105:amd64 |
- | libip4tc0: | + | libisl23:amd64 |
- | libip6tc0: | + | |
- | libipset11: | + | |
- | libiptc0: | + | |
- | libisc1100: | + | |
- | libisccc161: | + | |
- | libisccfg163:amd64 | + | |
- | libisc-export1100: | + | |
- | libisl19:amd64 | + | |
- | libisns0:amd64 | + | |
libitm1: | libitm1: | ||
libjack-jackd2-0: | libjack-jackd2-0: | ||
libjansson4: | libjansson4: | ||
libjbig0: | libjbig0: | ||
+ | libjemalloc2: | ||
libjpeg62-turbo: | libjpeg62-turbo: | ||
- | libjson-c3:amd64 | + | libjson-c5:amd64 |
- | libjson-glib-1.0-0: | + | |
- | libjson-glib-1.0-common | + | |
- | libjson-perl | + | |
- | libjson-xs-perl | + | |
libk5crypto3: | libk5crypto3: | ||
libkeyutils1: | libkeyutils1: | ||
libklibc: | libklibc: | ||
libkmod2: | libkmod2: | ||
- | libknet1: | ||
libkrb5-3: | libkrb5-3: | ||
libkrb5support0: | libkrb5support0: | ||
- | libksba8: | ||
- | libkyotocabinet16v5: | ||
liblcms2-2: | liblcms2-2: | ||
- | libldap-2.4-2:amd64 | + | libldap-2.5-0:amd64 |
libldap-common | libldap-common | ||
- | libldb1:amd64 | + | liblerc4:amd64 |
- | liblilv-0-0: | + | libllvm15:amd64 |
- | liblist-moreutils-perl | + | |
- | libllvm7:amd64 | + | |
liblmdb0: | liblmdb0: | ||
liblocale-gettext-perl | liblocale-gettext-perl | ||
+ | liblockfile-bin | ||
liblognorm5: | liblognorm5: | ||
liblsan0: | liblsan0: | ||
- | libltdl7: | ||
liblvm2cmd2.03: | liblvm2cmd2.03: | ||
- | liblwp-mediatypes-perl | ||
- | liblwp-protocol-https-perl | ||
- | liblwres161: | ||
liblz4-1: | liblz4-1: | ||
liblzma5: | liblzma5: | ||
Ligne 484: | Ligne 687: | ||
libmagic1: | libmagic1: | ||
libmagic-mgc | libmagic-mgc | ||
- | libmailtools-perl | + | libmaxminddb0:amd64 |
- | libmailutils5:amd64 | + | libmd0:amd64 |
- | libmariadb3:amd64 | + | |
- | libmath-random-isaac-perl | + | |
- | libmath-random-isaac-xs-perl | + | |
libmnl0: | libmnl0: | ||
libmount1: | libmount1: | ||
libmp3lame0: | libmp3lame0: | ||
libmpc3: | libmpc3: | ||
- | libmpdec2: | ||
- | libmpeg2-4: | ||
libmpfr6: | libmpfr6: | ||
libmpg123-0: | libmpg123-0: | ||
- | libmpx2: | ||
- | libmysofa0: | ||
libncurses6: | libncurses6: | ||
libncursesw6: | libncursesw6: | ||
- | libnetcf1 | + | libndctl6: |
libnetfilter-conntrack3: | libnetfilter-conntrack3: | ||
- | libnet-http-perl | + | libnettle8:amd64 |
- | libnet-ldap-perl | + | |
- | libnet-libidn-perl | + | |
- | libnet-smtp-ssl-perl | + | |
- | libnet-ssleay-perl | + | |
- | libnettle6:amd64 | + | |
libnewt0.52: | libnewt0.52: | ||
libnfnetlink0: | libnfnetlink0: | ||
- | libnfsidmap2:amd64 | + | libnfsidmap1: |
+ | libnftables1:amd64 | ||
libnftnl11: | libnftnl11: | ||
libnghttp2-14: | libnghttp2-14: | ||
libnl-3-200: | libnl-3-200: | ||
+ | libnl-genl-3-200: | ||
libnl-route-3-200: | libnl-route-3-200: | ||
- | libnorm1:amd64 | + | libnsl2:amd64 |
- | libnpth0:amd64 | + | libnsl-dev:amd64 |
libnspr4: | libnspr4: | ||
libnss3: | libnss3: | ||
- | libntlm0:amd64 | + | libnss-systemd:amd64 |
libnuma1: | libnuma1: | ||
- | libnvpair1linux | + | libnumber-compare-perl |
+ | libnvpair3linux | ||
libogg0: | libogg0: | ||
- | libopencore-amrnb0: | ||
- | libopencore-amrwb0: | ||
- | libopenjp2-7: | ||
- | libopenmpt0: | ||
libopus0: | libopus0: | ||
liborc-0.4-0: | liborc-0.4-0: | ||
- | libosinfo-1.0-0: | ||
libp11-kit0: | libp11-kit0: | ||
libpam0g: | libpam0g: | ||
Ligne 547: | Ligne 736: | ||
libpcre3: | libpcre3: | ||
libpcsclite1: | libpcsclite1: | ||
- | libperl5.28:amd64 | + | libperl5.36:amd64 |
- | libpgm-5.2-0: | + | |
- | libphodav-2.0-0: | + | |
- | libphodav-2.0-common | + | |
libpipeline1: | libpipeline1: | ||
libpixman-1-0: | libpixman-1-0: | ||
+ | libpmem1: | ||
libpng16-16: | libpng16-16: | ||
libpolkit-agent-1-0: | libpolkit-agent-1-0: | ||
- | libpolkit-backend-1-0: | ||
libpolkit-gobject-1-0: | libpolkit-gobject-1-0: | ||
libpopt0: | libpopt0: | ||
- | libpostproc55:amd64 | + | libproc2-0:amd64 |
- | libprocps7:amd64 | + | libprocps8:amd64 |
libprotobuf-c1: | libprotobuf-c1: | ||
- | libproxy1v5: | ||
libpsl5: | libpsl5: | ||
libpulse0: | libpulse0: | ||
- | libpulse-mainloop-glib0: | + | libpython3.11-minimal: |
- | libpython2.7: | + | libpython3.11-stdlib: |
- | libpython2.7-minimal: | + | |
- | libpython2.7-stdlib: | + | |
- | libpython2-stdlib: | + | |
- | libpython3.7: | + | |
- | libpython3.7-minimal: | + | |
- | libpython3.7-stdlib: | + | |
libpython3-stdlib: | libpython3-stdlib: | ||
- | libpython-stdlib: | ||
- | libqb0: | ||
libquadmath0: | libquadmath0: | ||
- | libquorum5: | ||
- | librados2: | ||
- | libradosstriper1: | ||
- | libraw1394-11: | ||
- | librbd1: | ||
librdmacm1: | librdmacm1: | ||
- | libreadline5: | + | libreadline8:amd64 |
- | libreadline7: | + | |
- | libregexp-assemble-perl | + | |
- | librest-0.7-0: | + | |
- | librrd8: | + | |
- | librsvg2-2: | + | |
- | librsvg2-common:amd64 | + | |
librtmp1: | librtmp1: | ||
- | librubberband2: | ||
libsamplerate0: | libsamplerate0: | ||
libsasl2-2: | libsasl2-2: | ||
+ | libsasl2-modules: | ||
libsasl2-modules-db: | libsasl2-modules-db: | ||
+ | libsdl2-2.0-0: | ||
libseccomp2: | libseccomp2: | ||
libselinux1: | libselinux1: | ||
- | libsemanage1:amd64 | + | libsemanage2:amd64 |
libsemanage-common | libsemanage-common | ||
libsensors5: | libsensors5: | ||
libsensors-config | libsensors-config | ||
libsepol1: | libsepol1: | ||
- | libserd-0-0: | + | libsepol2:amd64 |
- | libshine3: | + | |
- | libshout3: | + | |
- | libsidplay1v5:amd64 | + | |
libsigc++-2.0-0v5: | libsigc++-2.0-0v5: | ||
libslang2: | libslang2: | ||
- | libsm6:amd64 | + | libslirp0:amd64 |
libsmartcols1: | libsmartcols1: | ||
- | libsmbios-c2 | ||
- | libsnappy1v5: | ||
libsndfile1: | libsndfile1: | ||
+ | libsndio7.0: | ||
libsodium23: | libsodium23: | ||
- | libsord-0-0: | ||
- | libsoup2.4-1: | ||
- | libsoup-gnome2.4-1: | ||
- | libsoxr0: | ||
- | libspeex1: | ||
- | libspice-client-glib-2.0-8: | ||
- | libspice-client-gtk-3.0-5: | ||
libspice-server1: | libspice-server1: | ||
libsqlite3-0: | libsqlite3-0: | ||
- | libsratom-0-0: | ||
libss2: | libss2: | ||
libssh2-1: | libssh2-1: | ||
- | libssh-gcrypt-4:amd64 | + | libssh-4: |
libssl1.1: | libssl1.1: | ||
- | libstatgrab10 | + | libssl3: |
libstdc++6: | libstdc++6: | ||
- | libstdc++-8-dev: | ||
- | libswresample3: | ||
- | libswscale5: | ||
libsystemd0: | libsystemd0: | ||
- | libtag1v5: | + | libsystemd-shared:amd64 |
- | libtag1v5-vanilla: | + | |
- | libtalloc2:amd64 | + | |
libtasn1-6: | libtasn1-6: | ||
- | libtcmalloc-minimal4: | + | libtext-charwidth-perl: |
- | libtdb1: | + | libtext-glob-perl |
- | libterm-readline-gnu-perl | + | libtext-iconv-perl:amd64 |
- | libtevent0:amd64 | + | |
- | libtext-charwidth-perl | + | |
- | libtext-iconv-perl | + | |
libtext-wrapi18n-perl | libtext-wrapi18n-perl | ||
libthai0: | libthai0: | ||
libthai-data | libthai-data | ||
- | libtheora0:amd64 | + | libtiff6:amd64 |
- | libtiff5: | + | |
- | libtimedate-perl | + | |
libtinfo6: | libtinfo6: | ||
libtirpc3: | libtirpc3: | ||
libtirpc-common | libtirpc-common | ||
- | libtry-tiny-perl | + | libtirpc-dev:amd64 |
libtsan0: | libtsan0: | ||
- | libtss2-esys0 | + | libtsan2:amd64 |
- | libtss2-udev | + | |
- | libtwolame0:amd64 | + | |
- | libtypes-serialiser-perl | + | |
libubsan1: | libubsan1: | ||
libuchardet0: | libuchardet0: | ||
libudev1: | libudev1: | ||
- | libunbound8: | ||
libunistring2: | libunistring2: | ||
libunwind8: | libunwind8: | ||
- | liburcu6:amd64 | + | liburcu8:amd64 |
- | liburi-perl | + | liburing2:amd64 |
- | libusb-0.1-4:amd64 | + | |
libusb-1.0-0: | libusb-1.0-0: | ||
- | libusbredirhost1: | ||
libusbredirparser1: | libusbredirparser1: | ||
- | libutempter0: | ||
libuuid1: | libuuid1: | ||
- | libuutil1linux | + | libuutil3linux |
- | libv4l-0: | + | libuv1:amd64 |
- | libv4lconvert0:amd64 | + | |
libva2: | libva2: | ||
libva-drm2: | libva-drm2: | ||
- | libva-x11-2: | + | libvdeplug2: |
- | libvdeplug2 | + | libvirglrenderer1:amd64 |
- | libvdpau1: | + | |
- | libvdpau-va-gl1: | + | |
- | libvidstab1.1:amd64 | + | |
- | libvirglrenderer0:amd64 | + | |
libvirt0: | libvirt0: | ||
libvirt-clients | libvirt-clients | ||
libvirt-daemon | libvirt-daemon | ||
+ | libvirt-daemon-config-network | ||
+ | libvirt-daemon-config-nwfilter | ||
+ | libvirt-daemon-driver-qemu | ||
libvirt-daemon-system | libvirt-daemon-system | ||
- | libvirt-glib-1.0-0:amd64 | + | libvirt-daemon-system-systemd |
- | libvisual-0.4-0: | + | |
libvorbis0a: | libvorbis0a: | ||
libvorbisenc2: | libvorbisenc2: | ||
- | libvorbisfile3: | ||
- | libvotequorum8: | ||
- | libvpx5: | ||
libvte-2.91-0: | libvte-2.91-0: | ||
libvte-2.91-common | libvte-2.91-common | ||
- | libwavpack1:amd64 | + | libvulkan1:amd64 |
libwayland-client0: | libwayland-client0: | ||
libwayland-cursor0: | libwayland-cursor0: | ||
libwayland-egl1: | libwayland-egl1: | ||
libwayland-server0: | libwayland-server0: | ||
- | libwbclient0: | + | libwebp7:amd64 |
- | libwebp6: | + | |
- | libwebpmux3:amd64 | + | |
libwrap0: | libwrap0: | ||
- | libwww-perl | ||
- | libwww-robotrules-perl | ||
libx11-6: | libx11-6: | ||
libx11-data | libx11-data | ||
libx11-xcb1: | libx11-xcb1: | ||
- | libx264-155: | ||
- | libx265-165: | ||
libxapian30: | libxapian30: | ||
libxau6: | libxau6: | ||
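Review bot: libssl1.1 is still present in the new column (next to the added libssl3) even though Debian 12 no longer ships it, so that library will not receive security updates from the distribution and the leftover deserves a sentence in the text. Check what still links against it with ''apt-cache rdepends --installed libssl1.1'', list all such orphans with ''apt list '?obsolete''', and purge them once nothing depends on them.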
Ligne 719: | Ligne 845: | ||
libxcb-glx0: | libxcb-glx0: | ||
libxcb-present0: | libxcb-present0: | ||
+ | libxcb-randr0: | ||
libxcb-render0: | libxcb-render0: | ||
libxcb-shm0: | libxcb-shm0: | ||
Ligne 727: | Ligne 854: | ||
libxdamage1: | libxdamage1: | ||
libxdmcp6: | libxdmcp6: | ||
- | libxencall1: | ||
- | libxendevicemodel1: | ||
- | libxenevtchn1: | ||
- | libxenforeignmemory1: | ||
- | libxengnttab1: | ||
- | libxenmisc4.11: | ||
- | libxenstore3.0: | ||
- | libxentoolcore1: | ||
- | libxentoollog1: | ||
libxext6: | libxext6: | ||
libxfixes3: | libxfixes3: | ||
Ligne 742: | Ligne 860: | ||
libxkbcommon0: | libxkbcommon0: | ||
libxml2: | libxml2: | ||
- | libxml2-utils | ||
- | libxmlb1: | ||
- | libxml-namespacesupport-perl | ||
- | libxml-parser-perl | ||
- | libxml-sax-base-perl | ||
- | libxml-sax-expat-perl | ||
- | libxml-sax-perl | ||
libxrandr2: | libxrandr2: | ||
libxrender1: | libxrender1: | ||
libxshmfence1: | libxshmfence1: | ||
- | libxslt1.1:amd64 | + | libxss1:amd64 |
libxtables12: | libxtables12: | ||
- | libxtst6: | ||
- | libxv1: | ||
- | libxvidcore4: | ||
libxxf86vm1: | libxxf86vm1: | ||
+ | libxxhash0: | ||
libyajl2: | libyajl2: | ||
- | libzfs2linux | + | libz3-4:amd64 |
- | libzmq5:amd64 | + | libzfs4linux |
- | libzpool2linux | + | libzpool5linux |
libzstd1: | libzstd1: | ||
- | libzvbi0: | ||
- | libzvbi-common | ||
linux-base | linux-base | ||
- | linux-compiler-gcc-8-x86 | + | linux-compiler-gcc-10-x86 |
- | linux-headers-4.19.0-13-amd64 | + | linux-compiler-gcc-12-x86 |
- | linux-headers-4.19.0-13-common | + | linux-headers-5.10.0-15-amd64 |
- | linux-headers-4.19.0-14-amd64 | + | linux-headers-5.10.0-15-common |
- | linux-headers-4.19.0-14-common | + | linux-headers-5.10.0-16-amd64 |
+ | linux-headers-5.10.0-16-common | ||
+ | linux-headers-5.10.0-17-amd64 | ||
+ | linux-headers-5.10.0-17-common | ||
+ | linux-headers-5.10.0-18-amd64 | ||
+ | linux-headers-5.10.0-18-common | ||
+ | linux-headers-5.10.0-19-amd64 | ||
+ | linux-headers-5.10.0-19-common | ||
+ | linux-headers-5.10.0-25-amd64 | ||
+ | linux-headers-5.10.0-25-common | ||
+ | linux-headers-6.1.0-12-amd64 | ||
+ | linux-headers-6.1.0-12-common | ||
linux-headers-amd64 | linux-headers-amd64 | ||
- | linux-image-4.19.0-13-amd64 | + | linux-image-5.10.0-25-amd64 |
- | linux-image-4.19.0-14-amd64 | + | linux-image-6.1.0-12-amd64 |
linux-image-amd64 | linux-image-amd64 | ||
- | linux-kbuild-4.19 | + | linux-kbuild-5.10 |
+ | linux-kbuild-6.1 | ||
linux-libc-dev: | linux-libc-dev: | ||
+ | lm-sensors | ||
locales | locales | ||
login | login | ||
logrotate | logrotate | ||
+ | logsave | ||
lsb-base | lsb-base | ||
lsb-release | lsb-release | ||
lsof | lsof | ||
lvm2 | lvm2 | ||
- | lxcfs | + | mailcap |
- | mailutils | + | |
- | mailutils-common | + | |
make | make | ||
man-db | man-db | ||
manpages | manpages | ||
- | manpages-dev | ||
- | mariadb-common | ||
mawk | mawk | ||
+ | mbuffer | ||
mdadm | mdadm | ||
- | mesa-va-drivers: | + | media-types |
- | mesa-vdpau-drivers: | + | |
mime-support | mime-support | ||
+ | mokutil | ||
mount | mount | ||
- | mysql-common | + | mtr-tiny |
nano | nano | ||
ncurses-base | ncurses-base | ||
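Review bot: the new column keeps six 5.10 header sets (linux-headers-5.10.0-15 through -25) and linux-image-5.10.0-25 next to the 6.1.0-12 kernel, which suggests ''apt autoremove --purge'' was never run after the upgrades; with zfs-dkms and spl-dkms installed, every retained header set is one more kernel the ZFS module is built for, and the retained 5.10 image is an older kernel the host can still be booted into. Suggest documenting the cleanup step after confirming that ''uname -r'' reports 6.1.0-12-amd64.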
Ligne 804: | Ligne 922: | ||
ncurses-term | ncurses-term | ||
netbase | netbase | ||
- | netcat-openbsd | + | netcat-traditional |
netfilter-persistent | netfilter-persistent | ||
net-tools | net-tools | ||
nfs-common | nfs-common | ||
nfs-kernel-server | nfs-kernel-server | ||
- | ntpdate | + | nftables |
- | open-iscsi | + | |
openssh-client | openssh-client | ||
openssh-server | openssh-server | ||
openssh-sftp-server | openssh-sftp-server | ||
openssl | openssl | ||
- | osinfo-db | ||
- | ovmf | ||
- | parted | ||
passwd | passwd | ||
patch | patch | ||
+ | pci.ids | ||
pciutils | pciutils | ||
perl | perl | ||
perl-base | perl-base | ||
- | perl-modules-5.28 | + | perl-modules-5.36 |
- | perl-openssl-defaults: | + | pkexec |
- | pinentry-curses | + | |
policykit-1 | policykit-1 | ||
- | powermgmt-base | + | polkitd |
procps | procps | ||
- | psmisc | + | publicsuffix |
- | python | + | |
- | python2 | + | |
- | python2.7 | + | |
- | python2.7-minimal | + | |
- | python2-minimal | + | |
python3 | python3 | ||
- | python3.7 | + | python3.11 |
- | python3.7-minimal | + | python3.11-minimal |
- | python3-asn1crypto | + | python3-apt |
python3-certifi | python3-certifi | ||
- | python3-cffi-backend | ||
python3-chardet | python3-chardet | ||
- | python3-cryptography | + | python3-charset-normalizer |
+ | python3-debian | ||
+ | python3-debianbts | ||
python3-distutils | python3-distutils | ||
- | python3-gi | + | python3-httplib2 |
python3-idna | python3-idna | ||
- | python3-jwt | ||
python3-lib2to3 | python3-lib2to3 | ||
- | python3-libvirt | ||
- | python3-libxml2: | ||
python3-minimal | python3-minimal | ||
python3-pkg-resources | python3-pkg-resources | ||
- | python3-prettytable | + | python3-pycurl |
- | python3-pyinotify | + | python3-pyparsing |
+ | python3-pysimplesoap | ||
+ | python3-reportbug | ||
python3-requests | python3-requests | ||
python3-six | python3-six | ||
- | python3-systemd | ||
python3-urllib3 | python3-urllib3 | ||
- | python-asn1crypto | + | python-apt-common |
- | python-cephfs | + | python-is-python3 |
- | python-certifi | + | |
- | python-cffi-backend | + | |
- | python-chardet | + | |
- | python-crypto | + | |
- | python-cryptography | + | |
- | python-enum34 | + | |
- | python-gpg | + | |
- | python-idna | + | |
- | python-ipaddress | + | |
- | python-ldb | + | |
- | python-minimal | + | |
- | python-openssl | + | |
- | python-pkg-resources | + | |
- | python-prettytable | + | |
- | python-rados | + | |
- | python-rbd | + | |
- | python-requests | + | |
- | python-samba | + | |
- | python-six | + | |
- | python-talloc: | + | |
- | python-tdb | + | |
- | python-urllib3 | + | |
- | qemu-kvm | + | |
qemu-system-common | qemu-system-common | ||
qemu-system-data | qemu-system-data | ||
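Review bot: nftables is added (on the line that replaces ntpdate) while netfilter-persistent is kept, so the host now has two boot-time rule loaders: nftables.service restores /etc/nftables.conf and netfilter-persistent restores whatever its plugins saved, and whichever runs last wins. The page should state which unit is enabled (''systemctl is-enabled nftables netfilter-persistent'') and show the effective ruleset with ''nft list ruleset'', which on Debian 12 also displays rules created through iptables-nft.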
Ligne 889: | Ligne 974: | ||
qemu-utils | qemu-utils | ||
readline-common | readline-common | ||
- | rename | + | reportbug |
rpcbind | rpcbind | ||
- | rrdcached | + | rpcsvc-proto |
rsync | rsync | ||
rsyslog | rsyslog | ||
runit-helper | runit-helper | ||
- | samba-common | ||
- | samba-common-bin | ||
- | samba-dsdb-modules: | ||
- | samba-libs: | ||
- | screen | ||
seabios | seabios | ||
sed | sed | ||
Ligne 905: | Ligne 985: | ||
sgml-base | sgml-base | ||
shared-mime-info | shared-mime-info | ||
+ | shim-helpers-amd64-signed | ||
+ | shim-signed: | ||
+ | shim-signed-common | ||
+ | shim-unsigned | ||
smartmontools | smartmontools | ||
- | spice-client-glib-usb-acl-helper | ||
spl-dkms | spl-dkms | ||
- | sqlite3 | + | sudo |
- | ssl-cert | + | |
- | strace | + | |
sysstat | sysstat | ||
systemd | systemd | ||
+ | systemd-container | ||
systemd-sysv | systemd-sysv | ||
+ | systemd-timesyncd | ||
sysvinit-utils | sysvinit-utils | ||
tar | tar | ||
Ligne 921: | Ligne 1004: | ||
task-ssh-server | task-ssh-server | ||
tcpdump | tcpdump | ||
- | telnet | + | traceroute |
- | thin-provisioning-tools | + | |
- | tpm2-abrmd | + | |
- | tpm2-tools | + | |
tree | tree | ||
tzdata | tzdata | ||
ucf | ucf | ||
udev | udev | ||
- | ufw | + | usrmerge |
- | usb.ids | + | |
- | usbutils | + | |
util-linux | util-linux | ||
+ | util-linux-extra | ||
util-linux-locales | util-linux-locales | ||
- | va-driver-all: | ||
- | vdpau-driver-all: | ||
vim | vim | ||
vim-common | vim-common | ||
vim-runtime | vim-runtime | ||
vim-tiny | vim-tiny | ||
- | virtinst | ||
- | virt-viewer | ||
wget | wget | ||
whiptail | whiptail | ||
- | whois | ||
x11-common | x11-common | ||
- | xdg-user-dirs | ||
xfsprogs | xfsprogs | ||
xkb-data | xkb-data | ||
xml-core | xml-core | ||
- | xsltproc | ||
xxd | xxd | ||
xz-utils | xz-utils | ||
+ | zabbix-agent2 | ||
zfs-dkms | zfs-dkms | ||
zfsutils-linux | zfsutils-linux | ||
- | zfs-zed | ||
zlib1g: | zlib1g: | ||
- | zlib1g-dev: | + | znapzend |
+ | zstd | ||
</ | </ | ||
+ | ==== Stockage ZFS ==== | ||
- | ==== Adressage IP ==== | ||
- | Hetzner offre une IP publique. Nous avons modifié l' | ||
- | |||
- | L' | ||
- | |||
- | < | ||
- | root@hypervisor-01 ~ # cat / | ||
- | ### Hetzner Online GmbH installimage | ||
- | |||
- | source / | ||
- | |||
- | auto lo | ||
- | iface lo inet loopback | ||
- | iface lo inet6 loopback | ||
- | |||
- | #auto enp0s31f6 | ||
- | #iface enp0s31f6 inet static | ||
- | # address 159.69.59.13 | ||
- | # netmask 255.255.255.192 | ||
- | # gateway 159.69.59.1 | ||
- | # # route 159.69.59.0/ | ||
- | # up route add -net 159.69.59.0 netmask 255.255.255.192 gw 159.69.59.1 dev enp0s31f6 | ||
- | |||
- | auto br0 | ||
- | iface br0 inet static | ||
- | bridge_ports enp0s31f6 | ||
- | bridge_fd 5 | ||
- | bridge_stp off | ||
- | bridge_maxwait 1 | ||
- | address | ||
- | netmask | ||
- | gateway | ||
- | pre-up / | ||
- | up route add -net 159.69.59.0 netmask 255.255.255.192 gw 159.69.59.1 dev enp0s31f6 | ||
- | |||
- | # Management | ||
- | auto br1 | ||
- | iface br1 inet static | ||
- | bridge_ports none | ||
- | bridge_fd 5 | ||
- | bridge_stp off | ||
- | address 10.X.X.X | ||
- | netmask 255.X.X.X | ||
- | |||
- | # VM-LAN | ||
- | auto br2 | ||
- | iface br2 inet static | ||
- | bridge_ports none | ||
- | bridge_fd 5 | ||
- | bridge_stp off | ||
- | address 192.168.10.1 | ||
- | netmask 255.255.255.0 | ||
- | </ | ||
- | |||
- | ==== Routage et filtrage avec iptables ==== | ||
- | Nous avons dû ensuite router et rediriger tout ça avec iptables afin de communiquer depuis l' | ||
- | |||
- | L' | ||
- | Le paquet '' | ||
- | Le port SSH a été masqué. | ||
- | |||
- | Il est bien sûr extrêmement important de sécuriser SSH : interdire le login root avec mot de passe, utiliser de bons algorithmes de chiffrement, | ||
- | |||
- | Les règles concernant le réseau d' | ||
- | |||
- | <code bash> | ||
- | root@hypervisor-01 ~ # cat / | ||
- | # Router le Web vers le proxy Nginx : | ||
- | -A PREROUTING -d 159.69.59.13/ | ||
- | # Router le mail envoi/ | ||
- | -A PREROUTING -d 159.69.59.13/ | ||
- | # Router le 9000 vers le serveur peertube : | ||
- | -A PREROUTING -d 159.69.59.13/ | ||
- | # Router le 4443 et les 10000-20000 | ||
- | -A PREROUTING -d 159.69.59.13/ | ||
- | -A PREROUTING -d 159.69.59.13/ | ||
- | -A PREROUTING -d 159.69.59.13/ | ||
- | # Ne pas appliquer le masquerading sur le broadcast/ | ||
- | -A POSTROUTING -s 192.168.10.0/ | ||
- | -A POSTROUTING -s 192.168.10.0/ | ||
- | # Masquerading sur tous les ports dans le sens sortant (VM -> Internet) | ||
- | -A POSTROUTING -s 192.168.10.0/ | ||
- | -A POSTROUTING -s 192.168.10.0/ | ||
- | -A POSTROUTING -s 192.168.10.0/ | ||
- | |||
- | # Accepter le trafic basique : ICMP, boucle locale et connexions établies, en entrée : | ||
- | -A INPUT -m conntrack --ctstate RELATED, | ||
- | -A INPUT -i lo -j ACCEPT | ||
- | -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT | ||
- | # Accepter le SSH : | ||
- | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport XXXX -j ACCEPT | ||
- | # Accepter Spice et VNC (console virtuelle de virt-manager) : | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5900 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5900 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5901 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5901 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5902 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5902 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5903 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5903 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5904 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5904 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5905 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5905 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5906 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5906 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5907 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5907 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5908 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5908 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5909 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5909 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5910 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5910 -j ACCEPT | ||
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5911 -j ACCEPT | ||
- | -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 5911 -j ACCEPT | ||
- | # Accepter les requêtes DNS (port 53) depuis les VM : | ||
- | -A INPUT -i br2 -p udp -m udp -m multiport --dports 53 -j ACCEPT | ||
- | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 53 -j ACCEPT | ||
- | # Bloquer les requêtes rpcbind/ | ||
- | -A INPUT -i br2 -p tcp -m multiport --dport 2049 -j ACCEPT | ||
- | -A INPUT -i br2 -p tcp -m multiport --dport 111 -j ACCEPT | ||
- | -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT | ||
- | -A INPUT -p udp --dport 111 -j DROP | ||
- | -A INPUT -p tcp --dport 111 -j DROP | ||
- | |||
- | # On refuse tout le reste : | ||
- | -A INPUT -m conntrack --ctstate INVALID -j DROP | ||
- | -A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset | ||
- | -A INPUT -j REJECT --reject-with icmp-port-unreachable | ||
- | |||
- | # Accepter les connexions établies sur le LAN : | ||
- | -A FORWARD -d 192.168.10.0/ | ||
- | # Accepter le trafic sortant depuis le LAN : | ||
- | -A FORWARD -s 192.168.10.0/ | ||
- | # Accepter le trafic interne entre les VM : | ||
- | -A FORWARD -i br2 -o br2 -j ACCEPT | ||
- | # Accepter les paquets redirigés vers des ports particuliers pour le Web vers le proxy : | ||
- | -A FORWARD -d 192.168.10.2/ | ||
- | # Accepter les paquets redirigés vers des ports particuliers pour le mail vers le serveur mail : | ||
- | -A FORWARD -d 192.168.10.7/ | ||
- | # Accepter les paquets redirigés vers des ports particuliers pour peertube service 9000 vers le serveur video : | ||
- | -A FORWARD -d 192.168.10.8/ | ||
- | # Accepter les paquets redirigés vers des ports particuliers pour funkwhale service 5000 vers le serveur video : | ||
- | -A FORWARD -d 192.168.10.9/ | ||
- | # Accepter les paquets redirigés vers des ports particuliers pour jitsi meet service tcp 10000-20000 vers le serveur visio : | ||
- | -A FORWARD -d 192.168.10.10/ | ||
- | # Accepter les paquets redirigés vers des ports particuliers pour jitsi meet service udp 10000-20000 vers le serveur visio : | ||
- | -A FORWARD -d 192.168.10.10/ | ||
- | # Accepter les paquets redirigés vers des ports particuliers pour jitsi meet service tcp 4443 vers le serveur visio : | ||
- | -A FORWARD -d 192.168.10.10/ | ||
- | |||
- | # Rejeter tout le reste : | ||
- | -A FORWARD -i br2 -j REJECT --reject-with icmp-port-unreachable | ||
- | -A FORWARD -o br2 -j REJECT --reject-with icmp-port-unreachable | ||
- | </ | ||
- | |||
- | ==== Stockage ZFS ==== | ||
Un « pool » sur les 2 gros disques mécaniques a été créé en miroir (RAID1). Si vous vous demandez pourquoi nous n' | Un « pool » sur les 2 gros disques mécaniques a été créé en miroir (RAID1). Si vous vous demandez pourquoi nous n' | ||
Nous avons décidé d' | Nous avons décidé d' | ||
- | < | + | < |
echo 4294967296 >> / | echo 4294967296 >> / | ||
</ | </ | ||
- | < | + | < |
root@hypervisor-01 ~ # cat / | root@hypervisor-01 ~ # cat / | ||
options zfs zfs_arc_max=4294967296 | options zfs zfs_arc_max=4294967296 | ||
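Review bot: in the removed ruleset, the console rules ''-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 5900 -j ACCEPT'' through ''--dport 5911'' carry no ''-i'' or ''-s'' restriction, so the VNC/SPICE console of every guest was reachable from the public interface and protected only by whatever password the console itself has; if this ruleset survives elsewhere, either keep libvirt's default of binding consoles to 127.0.0.1 and reach them over ''qemu+ssh://'' from virt-manager, or restrict the rule to the management bridge (''-i br1''). The matching ''-p udp'' lines for 5900–5911 match nothing, since VNC and SPICE are TCP-only, and the 24 rules collapse to a single ''-m multiport --dports 5900:5911'' rule. Also worth a sentence: ''-A FORWARD -i br2 -o br2 -j ACCEPT'' lets every VM talk to every other VM on all ports, so the web, mail and video guests are not isolated from one another.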
Ligne 1133: | Ligne 1049: | ||
Nous avons ensuite créé un « pool » avec les numéros de série des disques (qu'on trouve dans ''/ | Nous avons ensuite créé un « pool » avec les numéros de série des disques (qu'on trouve dans ''/ | ||
- | < | + | < |
- | root@hypervisor-01 ~ # zpool status | + | # zpool status |
pool: zdata | pool: zdata | ||
| | ||
- | scan: scrub repaired 0B in 3h4m with 0 errors on Sun Feb 14 03:28:19 2021 | + | scan: scrub repaired 0B in 05: |
config: | config: | ||
Ligne 1143: | Ligne 1059: | ||
zdata | zdata | ||
mirror-0 | mirror-0 | ||
- | ata-ST4000NM0245-1Z2107_XXXXX | + | ata-ST4000NM0245-1Z2107_ZC17DQEF |
- | ata-ST4000NM0245-1Z2107_XXXXX | + | ata-ST4000NM0245-1Z2107_ZC17EN25 |
errors: No known data errors | errors: No known data errors | ||
+ | </ | ||
- | root@hypervisor-01 ~ # zfs list | + | <code bash> |
- | NAME | + | # zfs list |
- | zdata | + | NAME USED AVAIL |
- | zdata/ | + | zdata 2.11T 1.40T 120K / |
- | zdata/ | + | zdata/ |
- | zdata/ | + | zdata/ |
- | zdata/mail_data | + | zdata/ |
- | zdata/ | + | zdata/ |
- | zdata/ | + | zdata/ |
+ | zdata/ | ||
+ | zdata/ | ||
+ | zdata/pleroma_data | ||
+ | zdata/ | ||
+ | zdata/ | ||
+ | zdata/ | ||
</ | </ | ||
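Review bot: this revision replaces the masked serials ''ata-ST4000NM0245-1Z2107_XXXXX'' with the real ones (ZC17DQEF, ZC17EN25), whereas the previous revision masked the management address and the SSH port the same way (''10.X.X.X'', ''--dport XXXX''); disk serials identify the physical hardware to the hosting provider and are not needed to understand the layout, so keep the ''XXXXX'' form.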
Ligne 1162: | Ligne 1085: | ||
< | < | ||
- | root@hypervisor-01 ~ # cat / | + | # cat / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
</ | </ | ||
Ligne 1172: | Ligne 1100: | ||
==== Sauvegardes ==== | ==== Sauvegardes ==== | ||
- | Toujours sauvegarder ! Nous avons mis en place des snapshots ZFS que nous répliquons | + | Toujours sauvegarder ! |
+ | |||
+ | Concernant les bases de données MySQL et PostgreSQL, nous utilisons les outils natifs '' | ||
+ | |||
+ | Nous utilisons ZFS pour snapshoter et répliquer toutes les données stockées sur 3 sites géographiques différents, | ||
+ | |||
+ | Nous utilisons [[https:// | ||
+ | |||
+ | Sur la machine de production hypervisor-01 à Falkenstein en Allemagne, nous avons une rétention glissante de snapshots ZFS : | ||
+ | |||
+ | * horaire de 24 heures | ||
+ | * journalière d'une semaine | ||
+ | |||
+ | Sur le serveur de backup backup-01 à Helsinki, nous avons une réplication avec une rétention glissante de snapshots ZFS : | ||
+ | |||
+ | * horaire de 24 heures | ||
+ | * journalière d'une semaine | ||
+ | * hebdomadaire sur deux mois | ||
+ | |||
+ | Nous avons en sus mis en place une réplication | ||
+ | |||
+ | Les donnés sont donc techniquement répliquées | ||
+ | |||
+ | Voici les commandes invoquées pour la mise en place des snapshots et de la réplication dans le sens production => backup avec [[https:// | ||
+ | |||
+ | <code bash> | ||
+ | wget https:// | ||
+ | mv znapzend_0.21.1-1_amd64.deb /tmp/ | ||
+ | apt install / | ||
+ | apt install mbuffer | ||
+ | </ | ||
+ | |||
+ | <code bash> | ||
+ | for f in audio_data cloud_data cryptpad_data mail_data mobilizon_data mysql_data pleroma_data postgresql_data prod-01 video_data; do \ | ||
+ | znapzendzetup create --recursive --mbuffer=/ | ||
+ | --tsformat=' | ||
+ | SRC ' | ||
+ | DST:a ' | ||
+ | root@backup-01: | ||
+ | |||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | *** backup plan: zdata/ | ||
+ | dst_a = root@backup-01: | ||
+ | dst_a_plan = 1day=> | ||
+ | | ||
+ | | ||
+ | mbuffer_size = 1G | ||
+ | | ||
+ | pre_znap_cmd = off | ||
+ | | ||
+ | src = zdata/ | ||
+ | src_plan = 1day=> | ||
+ | tsformat = %Y%m%d-%H%M%S | ||
+ | zend_delay = 28800 | ||
+ | |||
+ | Do you want to save this backup set [y/N]? y | ||
+ | NOTE: if you have modified your configuration, | ||
+ | (pkill -HUP znapzend) to your znapzend daemon for it to notice the change. | ||
+ | </ | ||
- | Nous aimerions pouvoir chiffrer les données nativement, une fois que ZFS 2.0 aura atterri dans Debian stable. Pour le moment, seul Nextcloud permet de chiffrer le stockage nativement. | ||
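Review bot: the replication target ''dst_a = root@backup-01:...'' means hypervisor-01 holds an SSH key that is root on backup-01, so anyone who gains root on the production host can ''zfs destroy'' the off-site snapshots, and the backup no longer survives the very compromise it is meant to survive. Either pull from backup-01 with a tool that supports pull (znapzend runs on the sending side), or keep the push but give backup-01 a dedicated non-root user whose rights come from ''zfs allow'' on the receiving dataset and whose authorized_keys entry carries a ''command='' restriction; expiring old snapshots on the destination then has to be done locally on backup-01 rather than by the sender. Two smaller points: ''mv znapzend_0.21.1-1_amd64.deb /tmp/'' followed by ''apt install'' of that file installs a downloaded package, whose maintainer scripts run as root, without checking the checksum or signature published with the release; and the dropped sentence about waiting for ZFS 2.0 native encryption is now moot, since the Debian 12 ZFS packages listed above support native encryption, and ''zfs send --raw'' would let backup-01 store ciphertext without ever holding the key.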