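To forget the feet is the comfort of shoes that fit; to forget the waist is the comfort of a belt that fits; when understanding forgets right and wrong, that is the comfort of the mind; with no change within and no following of things without, that is the comfort of meeting each occasion. To begin in comfort and never be without comfort is the comfort of forgetting comfort itself.
A project we developed needs to be deployed on the government intranet. Since there is no ops staff, the problem landed on me. Through a zero-trust client, I log in to a bastion host, which opens a web management page listing several machines; with an account and password, I log in to the web SSH page of each.
Checking the machine information
- Check the operating system:
Kylin Linux Advanced Server should be the Galaxy Kylin (银河麒麟) server OS. The repository address http://update.cs2c.com.cn:8080/NS/V10/ is actually the NeoKylin (中标麒麟) website; the two are presumably from the same company.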
[root@localhost ~]# cat /etc/*release
Kylin Linux Advanced Server release V10 (Tercel)
DISTRIB_ID=Kylin
DISTRIB_RELEASE=V10
DISTRIB_CODENAME=juniper
DISTRIB_DESCRIPTION="Kylin V10"
DISTRIB_KYLIN_RELEASE=V10
DISTRIB_VERSION_TYPE=enterprise
DISTRIB_VERSION_MODE=normal
NAME="Kylin Linux Advanced Server"
VERSION="V10 (Tercel)"
ID="kylin"
VERSION_ID="V10"
PRETTY_NAME="Kylin Linux Advanced Server V10 (Tercel)"
ANSI_COLOR="0;31"
Kylin Linux Advanced Server release V10 (Tercel)
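- Check the hardware information:
The output shows an ARM64 (aarch64) architecture and a Huawei HiSilicon chip, model Kunpeng-920 (鲲鹏920). It is a KVM virtual machine with 16 GB of memory allocated.
Some information has been omitted from the output below: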
[root@localhost ~]# lscpu
Architecture: aarch64
CPU op-mode(s): 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 8
NUMA node(s): 1
Vendor ID: HiSilicon
Model: 0
Model name: Kunpeng-920
Stepping: 0x1
CPU max MHz: 2600.0000
CPU min MHz: 2600.0000
BogoMIPS: 200.00
L1d cache: 512 KiB
L1i cache: 512 KiB
L2 cache: 4 MiB
L3 cache: 256 MiB
NUMA node0 CPU(s): 0-7
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma dcpop asimddp asimdfhm
[root@localhost ~]# lspci
00:00.0 Host bridge: Red Hat, Inc. QEMU PCIe Host bridge
00:01.0 PCI bridge: Red Hat, Inc. QEMU PCIe Root port
...
01:00.0 PCI bridge: Red Hat, Inc. Device 000e
02:01.0 SATA controller: Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode] (rev 02)
02:02.0 USB controller: Intel Corporation 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI Controller (rev 10)
02:03.0 Communication controller: Virtio: Virtio console
02:04.0 USB controller: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] (rev 01)
02:05.0 Display controller: Virtio: Virtio GPU (rev 01)
02:06.0 Unclassified device [00ff]: Virtio: Virtio memory balloon
03:00.0 USB controller: NEC Corporation uPD720200 USB 3.0 Host Controller (rev 03)
04:00.0 Ethernet controller: Virtio: Virtio network device (rev 01)
05:00.0 SCSI storage controller: Virtio: Virtio block device (rev 01)
[root@localhost ~]# dmidecode -t bios
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 3.0.0 present.
Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
Vendor: EFI Development Kit II / OVMF
Version: 0.0.0
Release Date: 02/06/2015
Address: 0xE8000
Runtime Size: 96 kB
ROM Size: 64 kB
Characteristics:
BIOS characteristics not supported
Targeted content distribution is supported
UEFI is supported
System is a virtual machine
BIOS Revision: 0.0
[root@localhost ~]# dmidecode -t memory
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 3.0.0 present.
Handle 0x1000, DMI type 16, 23 bytes
Physical Memory Array
Location: Other
Use: System Memory
Error Correction Type: Multi-bit ECC
Maximum Capacity: 16 GB
Error Information Handle: Not Provided
Number Of Devices: 1
Handle 0x1100, DMI type 17, 40 bytes
Memory Device
Array Handle: 0x1000
Size: 16384 MB
Form Factor: DIMM
Set: None
Locator: DIMM 0
Type: RAM
Type Detail: Other
Manufacturer: QEMU
[root@localhost ~]# dmidecode -q
System Information
Manufacturer: QEMU
Product Name: KVM Virtual Machine
Version: 1.0
Wake-up Type: Power Switch
Chassis Information
Manufacturer: Huawei Inc.
Type: Other
Version: FusionCompute(KVM)
Boot-up State: Safe
Power Supply State: Safe
Thermal State: Safe
Processor Information
Socket Designation: CPU 0
Type: Central Processor
Family: Other
Manufacturer: HiSilicon
ID: 00 00 00 00 00 00 00 00
Version: HUAWEI Kunpeng 920 5221K
Max Speed: 2600 MHz
Current Speed: 2600 MHz
Status: Populated, Enabled
[root@localhost ~]# free -mh
total used free shared buff/cache available
Mem: 14Gi 1.9Gi 8.5Gi 199Mi 4.3Gi 10Gi
Swap: 4.0Gi 0B 4.0Gi
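Installing a downloaded rpm package directly
My first blind guess was that this is a Red Hat family system / a re-skinned CentOS. Running yum got a response, but there is no external network, so it could not connect. I tried downloading the .rpm package from the Nginx website and installing it with the rpm command: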
rpm -ivh nginx-1.26.1-2.el7.ngx.aarch64.rpm
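It reported that libcrypto.so and libssl.so were missing, which looked like it was caused by OpenSSH being missing, so I tried installing openssh with rpm as well. That still produced a pile of errors, and the dependencies could never all be installed one by one.
Along the way I tried compiling and installing OpenSSL, but the build ran into all kinds of dependencies too, and in the end I gave up.
Offline installation
I found a tutorial on installing Nginx offline. The gist seems to be to download the dependencies on the current machine, package them together, and upload them to the server to install. But the server is arm64 and the development environment has no machine with that processor, so this route should be a dead end.
Installing from the local repository
I noticed an iso/Packages directory under the root user's home with some ready-made packages in it, but found no nginx package there. I contacted the counterpart, and the method they provided was also to install from this local iso and to download anything missing from the official repository: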
https://update.cs2c.com.cn/NS/V10/V10SP1.1/os/adv/lic/base/aarch64/Packages/
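First, look at the local repository configuration. The /etc/yum.repos.d directory has two files, base.repo and kylin_aarch64.repo. One points to local files and the other to an intranet address, which is also unreachable.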
[root@localhost yum.repos.d]# cat base.repo
[base]
name=base
baseurl=file:///root/iso/
enabled=yes
gpgcheck=no
[root@localhost yum.repos.d]# cat ../yum.repos.d.bak/kylin_aarch64.repo
[10-adv-os-arm-sp1]
name = Kylin Linux Advanced Server 10 - Os arm sp1
baseurl = http://10.200.82.70/NS/ks10-adv-os-arm-sp1/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 1
[ks10-adv-updates-arm-sp1]
Name = Kylin Linux Advanced Server 10 - Updates arm sp1
baseurl = http://10.200.82.70/NS/ks10-adv-updates-arm-sp1/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 1
You can create a new /etc/yum.repos.d.bak and move kylin_aarch64.repo into it, or edit the file directly and set enabled = 0 to disable it.
Then refresh the cache:
yum clean all
yum list all
Packages can now be installed directly from the local repository. For example, to install the development tools:
yum groupinstall 'Development Tools'
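I downloaded the nginx-related packages from the official repository and installed them. The package depends on libprofiler.so, and I could not find a package that provides it.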
[root@localhost temp]# yum localinstall nginx-1.21.5-2.p04.ky10.aarch64.rpm
Last metadata expiration check: 2:16:27 ago on Mon 21 Oct 2024 01:32:35 PM CST.
Error:
Problem: conflicting requests
- nothing provides libprofiler.so.0()(64bit) needed by nginx-1:1.21.5-2.p04.ky10.aarch64
- nothing provides nginx-filesystem needed by nginx-1:1.21.5-2.p04.ky10.aarch64
- nothing provides nginx-all-modules = 1:1.21.5-2.p04.ky10 needed by nginx-1:1.21.5-2.p04.ky10.aarch64
- nothing provides nginx-filesystem = 1:1.21.5-2.p04.ky10 needed by nginx-1:1.21.5-2.p04.ky10.aarch64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
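Then I installed nginx-filesystem, nginx-all-modules and the other packages at the same time, and there was still a pile of dependency problems.
Compiling and installing again
The three steps of building from source: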
./configure
make
make install
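Download the source package nginx-1.26.2.tar.gz directly from the nginx website, also download openssl-3.3.2.tar.gz, and extract both.
Change into the nginx-1.26.2 directory to build. Running ./configure with no arguments prints: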
Configuration summary
+ using system PCRE2 library
+ OpenSSL library is not used
+ using system zlib library
With the parameter added, ./configure --with-http_ssl_module, it uses the system SSL library.
Configuration summary
+ using system PCRE2 library
+ using system OpenSSL library
+ using system zlib library
But, presumably because something is wrong with the local OpenSSL, running make directly fails:
/usr/bin/ld: objs/src/event/ngx_event_openssl.o: in function `ngx_ssl_error':
/root/nginx/nginx-1.26.2/src/event/ngx_event_openssl.c:3674: undefined reference to `ERR_peek_error_data'
/usr/bin/ld: objs/src/event/ngx_event_openssl.o: in function `ngx_ssl_sendfile':
/root/nginx/nginx-1.26.2/src/event/ngx_event_openssl.c:3060: undefined reference to `SSL_sendfile'
/usr/bin/ld: objs/src/event/ngx_event_openssl.o: in function `ngx_ssl_ticket_key_callback':
/root/nginx/nginx-1.26.2/src/event/ngx_event_openssl.c:4607: undefined reference to `EVP_CIPHER_get_iv_length'
...
/usr/bin/ld: objs/src/event/ngx_event_openssl.o: in function `ngx_ssl_get_subject_dn_legacy':
/root/nginx/nginx-1.26.2/src/event/ngx_event_openssl.c:5616: undefined reference to `SSL_get1_peer_certificate'
/usr/bin/ld: objs/src/event/ngx_event_openssl.o:/root/nginx/nginx-1.26.2/src/event/ngx_event_openssl.c:5664: more undefined references to `SSL_get1_peer_certificate' follow
collect2: error: ld returned 1 exit status
make[1]: *** [objs/Makefile:238: objs/nginx] Error 1
make[1]: Leaving directory '/root/nginx/nginx-1.26.2'
make: *** [Makefile:10: build] Error 2
Searching for `ngx_ssl_error': undefined reference to `ERR_peek_error_data' turned up this answer: the --with-openssl= parameter still has to be added:
--with-openssl=../openssl-3.3.2
After that, the build and install finished without errors, but running it directly produced this:
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
In the end, the code from here solved it:
pkill -9 nginx
nginx -c /etc/nginx/nginx.conf
nginx -s reload
Link /usr/local/nginx/sbin/nginx to /usr/local/sbin/nginx, and then you can directly run
nginx -s reload
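to start nginx.
Adding a systemd service
Following this reference, create a system service file /lib/systemd/system/nginx.service and add the corresponding configuration to it. The paths must be changed to your own.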
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Enable start on boot
systemctl list-units | grep nginx
systemctl list-unit-files | grep nginx
systemctl enable nginx
systemctl status nginx
service nginx restart
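A consistency check for the unit above, as an added example that is not part of the original post: PIDFile= and ExecStart= have to match where the source-built nginx actually lives, and a build with the default prefix writes its pid file to logs/nginx.pid under that prefix unless the pid directive says otherwise. The function names are constructed for this example.

```shell
#!/bin/sh
# Helper names below are constructed; they are not part of nginx or systemd.

# nginx_pid_path CONF PREFIX: print the pid file nginx will write.
# A relative "pid" value is resolved against the build prefix; with no
# (uncommented) pid directive the source-build default is used.
nginx_pid_path() {
    conf=$1
    prefix=$2
    p=$(sed -n 's/^[[:space:]]*pid[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$conf" | head -n 1)
    case $p in
        '') echo "$prefix/logs/nginx.pid" ;;
        /*) echo "$p" ;;
        *)  echo "$prefix/$p" ;;
    esac
}

# check_unit UNIT CONF PREFIX: print each mismatch, return 1 if any is found.
check_unit() {
    unit=$1
    rc=0
    want=$(nginx_pid_path "$2" "$3")
    have=$(sed -n 's/^PIDFile=//p' "$unit" | head -n 1)
    if [ "$have" != "$want" ]; then
        echo "PIDFile=$have but nginx writes $want"
        rc=1
    fi
    bin=$(sed -n 's/^ExecStart=\([^[:space:]]*\).*/\1/p' "$unit" | head -n 1)
    if [ ! -x "$bin" ]; then
        echo "ExecStart binary $bin is missing or not executable"
        rc=1
    fi
    return $rc
}

# Usage on the layout from this post:
#   check_unit /lib/systemd/system/nginx.service \
#              /usr/local/nginx/conf/nginx.conf /usr/local/nginx
```

With Type=forking, systemd relies on PIDFile= to find the main process, so a mismatch reported here is worth fixing before running systemctl enable.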
Fixing the 403 problem
View the nginx process information:
ps -ef | grep nginx
Find where the configuration file is:
nginx -T | grep 'configuration file'
The one just installed here is /usr/local/nginx/conf/nginx.conf, so change into the directory: cd /usr/local/nginx,
edit the file with vi conf/nginx.conf, and add at the very top
user root;
Change the directory permissions:
chown -R root:root html/
chmod -R 600 html/
Then restart nginx
service nginx restart
In the end it was finally sorted out.
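Added example, not from the original post: the 403 fix above works because workers running as root bypass file mode bits, so mode 600 on html/ does not stop them. The functions below find the path component that blocks an unprivileged worker (a source-built nginx defaults to user nobody) and set modes it can read. They assume the worker user is neither the owner nor in the group of the files, so only the "other" bits apply; the function names are constructed.

```shell
#!/bin/sh
# first_blocked TARGET [BASE]
# Walk TARGET one component at a time below BASE (default /) and print the
# first component that "other" users cannot use: directories need o+x to be
# traversed, the final file needs o+r to be read. Returns 1 when blocked,
# 0 when the whole path is usable, 2 when a component cannot be stat'ed.
first_blocked() {
    target=$1
    base=${2:-/}
    cur=${base%/}
    rest=${target#"$cur"}
    while [ -n "$rest" ]; do
        rest=${rest#/}
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue
        cur=$cur/$part
        mode=$(stat -c %a "$cur") || return 2
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ -d "$cur" ]; then need=1; else need=4; fi
        if [ $((other & need)) -eq 0 ]; then
            echo "$cur"
            return 1
        fi
    done
    return 0
}

# open_docroot DIR: directories become 755 and regular files 644 (X adds
# execute only to directories and to files that already have an x bit).
open_docroot() {
    chmod -R u=rwX,go=rX "$1"
}

# Usage on the layout from this post, with "user nobody;" in nginx.conf
# instead of "user root;":
#   first_blocked /usr/local/nginx/html/index.html
#   open_docroot /usr/local/nginx/html
```

After chmod -R 600 html/, first_blocked prints /usr/local/nginx/html, since a directory without the execute bit cannot be traversed by an unprivileged worker.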