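Recently, on a business system I maintain, I noticed the dockerd process using as much as 55% CPU

That seemed implausible, so I started investigating

perf top -g -p <pid> showed that a large share of the calls were in the logger, JSON reading and writing, and so on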

github.com/docker/docker/daemon/logger/loggerutils.(*forwarder).Do
github.com/docker/docker/daemon/logger/jsonfilelog.(*decoder).Decode

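docker's default logging driver is json-file, and reading and writing JSON is still expensive!

The important logs are recorded by other means anyway and do not depend on docker logs, so I switched the logging method without hesitation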

https://docs.docker.com/config/containers/logging/configure/#configure-the-default-logging-driver

{
"log-driver": "local"
}

After restarting dockerd the effect was significant; CPU usage is now below 5%

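Symptom

PHP CLI starts slowly on macOS

php -v and the like all start slowly, taking about 5 seconds

That made PhpCsFixer extremely slow too; I had assumed it simply took that long

Cause

https://github.com/php/php-src/issues/11673

PHP's imap extension uses a library that is no longer updated, cclient, and in some situations this library resolves your machine's hostname

The fix is to add entries to /etc/hosts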

# FUCK Handle Slow PHP cli with IMAP extension on macOS
::1 localhost HMBP.local
127.0.0.1 localhost HMBP.local

The good news is https://wiki.php.net/rfc/unbundle_imap_pspell_oci8

This library will be moved out of the default bundle in PHP 8.4

REF

Handle Slow PHP cli with IMAP extension on macOS

https://samsonasik.wordpress.com/2023/09/30/handle-slow-php-cli-with-imap-extension-on-macos/

nmap --script ssh2-enum-algos -sV -p <port> <host>

Very handy; the results are clear at a glance

PORT      STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (3)
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (2)
| ssh-rsa
| ssh-dss
| encryption_algorithms: (13)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| arcfour256
| arcfour128
| aes128-cbc
| 3des-cbc
| blowfish-cbc
| cast128-cbc
| aes192-cbc
| aes256-cbc
| arcfour
| rijndael-cbc@lysator.liu.se
| mac_algorithms: (6)
| hmac-md5
| hmac-sha1
| hmac-ripemd160
| hmac-ripemd160@openssh.com
| hmac-sha1-96
| hmac-md5-96
| compression_algorithms: (2)
| none
|_ zlib@openssh.com

Attached are some settings for compatibility with old SSH versions

KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
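
To turn a scan like the one above into a review list, the following added example (not part of the original post) reads ssh2-enum-algos output and prints each algorithm that current OpenSSH releases no longer offer by default, with the reason. The rule list and the function names are assumptions of this example.

```sh
# Added example: flag legacy algorithms; the rule list is this example's own choice.
flag_legacy_ssh_algos() {
    awk '
    { sub(/^[|_ \t]+/, "") }            # strip the nmap tree prefix
    /^[a-z_]+: \([0-9]+\)$/ { sect = $1; sub(/:$/, "", sect); next }
    sect == "" || NF != 1 { next }      # keep bare algorithm names only
    {
        why = ""
        if (sect == "kex_algorithms") {
            if ($1 ~ /sha1$/)   why = "SHA-1 key exchange"
            if ($1 ~ /group1-/) why = "1024-bit DH group"
        } else if (sect == "server_host_key_algorithms") {
            if ($1 == "ssh-rsa") why = "RSA signature over SHA-1"
            if ($1 == "ssh-dss") why = "DSA host key"
        } else if (sect == "encryption_algorithms") {
            if ($1 ~ /cbc/)      why = "CBC mode cipher"
            if ($1 ~ /^arcfour/) why = "RC4 stream cipher"
        } else if (sect == "mac_algorithms") {
            if ($1 ~ /-96$/) why = "MAC truncated to 96 bits"
            if ($1 ~ /md5/)  why = "MD5-based MAC"
        }
        if (why != "") print sect "\t" $1 "\t" why
    }'
}

# Constructed sample, shortened from the scan shown above.
sample_scan() {
    cat <<'EOF'
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (3)
|       aes128-ctr
|       arcfour
|       aes128-cbc
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-md5-96
|   compression_algorithms: (1)
|_      none
EOF
}
sample_scan | flag_legacy_ssh_algos
```

On a live scan, pipe the nmap command shown earlier into flag_legacy_ssh_algos in place of sample_scan.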

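I finally solved a problem that had bothered me for half a year; here is a record of the process and the fix

Environment

  • Egress line: Beijing Unicom
  • Egress device: RB5009UPr+S+
  • Protocols: IPv4 & IPv6

Symptoms

  • On the phone, Alibaba apps such as Alipay, Taobao and Hema had problems: they took a long time to load, and sometimes never finished loading at all
  • With the proxy turned on everything was normal, although in theory most requests should still have gone through the Direct rule
  • I suspected IPv6, so I enabled SmartDNS's force-AAAA-SOA yes; after banning all v6 resolution, things improved!

And that was the trap: once again I had optimized in the wrong direction, and it magically got better

Because this problem really is more common and more severe on IPv6 than on IPv4

Solution

I had happened to chat about this problem with a colleague, and a few days ago over a meal it suddenly came to me: the PMTU black hole problem

I configured it and, surprisingly, it worked!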

/ip/firewall/mangle
add action=change-mss chain=forward comment="IPv4 MSS clamp to PMTU" \
new-mss=clamp-to-pmtu out-interface="<your PPPoE uplink>" passthrough=yes \
protocol=tcp tcp-flags=syn

/ipv6/firewall/mangle
add action=change-mss chain=forward comment="IPv6 MSS clamp to PMTU" \
new-mss=clamp-to-pmtu out-interface="<your PPPoE uplink>" passthrough=yes \
protocol=tcp tcp-flags=syn

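References

After a certain update, the Plex desktop icon disappeared on Synology DSM7

Synology Plex icon missing

The cause is that Synology's permission system became stricter

It can be restored with the following steps

  1. Control Panel
  2. Application Privileges
  3. Find Plex Media Server and double-click it
  4. Under user accounts, grant Allow to the relevant account, or under user groups, grant Allow to the relevant group
  5. Save and refresh

The Plex icon is back!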

REF: https://forums.plex.tv/t/synology-faq-questions-answers-and-a-few-how-tos/490215/40

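Sometimes, after SSHing into a remote server, I need to download something from GitHub, but the remote host cannot get past the firewall

In that case, using an SSH tunnel to forward my local proxy works very well!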

# On the local machine
ssh -N -R 1080:localhost:7890 remotehost

# On the remote host
[root@byrpt ~]# curl www.google.com.hk -x 127.0.0.1:1080
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-SG"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop=
# It works!

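While troubleshooting recently, I found that the recursive DNS server sends out queries containing an underscore, for example:

nslookup www.hbspy.moe first sends a query for _.hbspy.moe

After some Googling, it turns out this is caused by Bind9's QNAME Minimization mechanism

https://www.isc.org/blogs/qname-minimization-and-privacy/

The default setting is relaxed mode

The purpose of the mechanism is privacy protection: it reduces leakage of business domain names to the root and top-level domains

But it brings a large number of NXDOMAIN or REFUSED replies

because most DNS servers consider an underscore not to be valid in a domain name, although it is in fact valid now

https://docs.aws.amazon.com/zh_cn/Route53/latest/DeveloperGuide/DomainNameFormat.html

How bizarre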
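
When a spike of NXDOMAIN or REFUSED answers shows up, it helps to separate the `_` probes described above from real lookups. The following is an added example, not part of the original post; the three-column log format (qtype, qname, rcode) and the sample lines are constructed for illustration.

```sh
# Added example: count answers per rcode, split into minimization probes
# and everything else. The log columns (qtype qname rcode) are constructed.
qmin_probe_summary() {
    awk '
    NF == 3 {
        # A probe has a leftmost label that is exactly "_"; names such as
        # _dmarc.example.org are ordinary service labels, not probes.
        kind = ($2 ~ /^_\./) ? "probe" : "other"
        count[kind "," $3]++
        seen[$3] = 1
    }
    END {
        for (rc in seen)
            printf "%s probe=%d other=%d\n", rc, count["probe," rc], count["other," rc]
    }' | sort
}

# Constructed sample log lines.
sample_log() {
    cat <<'EOF'
A _.hbspy.moe NXDOMAIN
A www.hbspy.moe NOERROR
A _.example.org REFUSED
AAAA www.example.org NOERROR
A _.hbspy.moe NXDOMAIN
TXT _dmarc.example.org NOERROR
A nosuch.example.org NXDOMAIN
EOF
}

sample_log | qmin_probe_summary
```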

REF:

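Broken

I suddenly noticed that docker completion had stopped working properly

It is not completely broken, though; for example, docker<tab> no longer offers image

docker stop<tab> no longer lists containers, only the contents of the current directory

The cause is the docker 24 release, in which upstream recommends a new way to generate completion

But the experience is really poor, so someone contributed a patch that brings back the old behaviour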

zstyle ':omz:plugins:docker' legacy-completion yes

Add it before plugins=(…); if it does not take effect, clear some caches

rm .zcompdump*
rm -rf .oh-my-zsh/cache/*
source .zshrc

[17:39:18] [~] ❱❱❱ docker rm
496f74645e6b local-nginx -- 3 months, nginx
53ad58bb6618 hyperf -- 15 months, hbspy/hyperf
de0e0ad2cecf insight -- 7 months, insight

It's back!

References

Use old-style completion

Completion is not working properly with Docker version 24.0.2 #11789

https://vcb-s.com/archives/8431

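VCB-Studio's Monogatari series

TMDB's season and episode split for the Monogatari series is really inhuman!

I put together a set of custom recognition words for NAStool and am sharing it here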


I saw this project on HelloGithub: https://github.com/lucavallin/barco

I skipped the formatter and linter, switched straight to gcc and gave it a try

It reported an error

16:41:20 ERROR ./src/cgroups.c:82: failed to open /sys/fs/cgroup/barcontainer/cpu.weight: No such file or directory
16:41:20 FATAL ./src/barco.c:133: failed to initialize cgroups

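After looking into it, I found that

the set of resource controls available to a child cgroup is limited by the contents of the parent's cgroup.subtree_control file

So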

echo '+cpu' > /sys/fs/cgroup/cgroup.subtree_control

Back to normal!

Reference: https://zorrozou.github.io/docs/详解Cgroup V2.html
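
The check behind that fix, as an added example (not from the original post or from barco): it reports whether a controller is delegated to the children of a cgroup v2 directory, which decides whether files such as cpu.weight exist in a child, and writes to cgroup.subtree_control only when that is needed. The function names are this example's own; the two file names are the standard cgroup v2 interface files.

```sh
# Added example: report whether a cgroup v2 controller reaches the children
# of a cgroup. Function names are this example's own.

# has_word WORD FILE: succeed if WORD is one of the space-separated tokens.
has_word() {
    for w in $(cat "$2" 2>/dev/null); do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# controller_state PARENT_DIR CONTROLLER prints:
#   enabled      listed in PARENT_DIR/cgroup.subtree_control
#   delegable    only in PARENT_DIR/cgroup.controllers; children lack its files
#   unavailable  PARENT_DIR itself does not have the controller
controller_state() {
    if has_word "$2" "$1/cgroup.subtree_control"; then
        echo enabled
    elif has_word "$2" "$1/cgroup.controllers"; then
        echo delegable
    else
        echo unavailable
    fi
}

# enable_controller PARENT_DIR CONTROLLER: write "+name" only when needed.
enable_controller() {
    case $(controller_state "$1" "$2") in
        enabled)   return 0 ;;
        delegable) printf '+%s\n' "$2" > "$1/cgroup.subtree_control" ;;
        *)         echo "$2 is not available in $1" >&2; return 1 ;;
    esac
}

# Read-only report for the root cgroup when run on a cgroup v2 host.
if [ -r /sys/fs/cgroup/cgroup.controllers ]; then
    for c in cpu memory pids; do
        echo "$c: $(controller_state /sys/fs/cgroup "$c")"
    done
fi
```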
