Applenice

OpenSSH的PermitRootLogin配置问题分析

2026-05-04T15:10:31.000Z

因为要在 CentOS 7.6 上进行漏洞修复，就自行编译了 OpenSSH RPM，A产品上验证通过，但是B产品在拿到RPM按步骤升级后却出现了问题，新开 ssh 会话无法使用 root 用户进入后台，只能靠老会话维持排查问题。那么到底是什么原因导致的呢？

问题介绍

OS: CentOS 7.6.1810
OpenSSH版本：OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

经过漏扫工具进行扫描后需要进行漏洞修复，这里选择自行编译最新的 OpenSSH RPM 进行版本升级，并在A产品进行业务验证。A产品上校验通过，但使用相同 OS 的B产品上却出现了非常严重的问题，在操作后新开 ssh 会话无法使用 root 用户进入后台，只能靠老会话维持排查问题。

通过老会话可以查看到如下信息:

[root@localhost]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since Mon 2026-05-04 22:34:55 CST; 49min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 9262 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 9284 (sshd)
    Tasks: 1
   Memory: 11.0M
   CGroup: /system.slice/sshd.service
           └─9284 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

May 04 22:34:55 localhost systemd[1]: Starting SYSV: OpenSSH server daemon...
May 04 22:34:55 localhost sshd[9284]: Server listening on 0.0.0.0 port 22.
May 04 22:34:55 localhost sshd[9284]: Server listening on :: port 22.
May 04 22:34:55 localhost sshd[9262]: Starting sshd:[  OK  ]
May 04 22:34:55 localhost systemd[1]: Started SYSV: OpenSSH server daemon.
May 04 22:36:56 localhost sshd[9284]: Timeout before authentication for connection from 192.168.0.133 to 192.168.0.105, pid = 9590
May 04 22:46:21 localhost sshd-session[10584]: Accepted keyboard-interactive/pam for develop from 192.168.0.105 port 54452 ssh2
May 04 23:24:31 localhost sshd-session[11113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=root
May 04 23:24:31 localhost sshd-session[11113]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 04 23:24:32 localhost sshd-session[11111]: error: PAM: Authentication failure for root from 127.0.0.1

通过如上信息可以看到，PAM 模块显示，当前只能 uid 大于等于1000的普通用户登录。如果是初次看，很容易被引导到 PAM 配置上的问题，我们也确实被引导到这个路线上排查了一段时间。

分析PAM相关配置

按照提示信息，查看PAM相关的配置:

[root@localhost]# grep -ni "pam_succeed_if" /etc/pam.d/*ac
/etc/pam.d/fingerprint-auth-ac:10:account     sufficient    pam_succeed_if.so uid < 1000 quiet
/etc/pam.d/fingerprint-auth-ac:18:session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
/etc/pam.d/password-auth-ac:7:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
/etc/pam.d/password-auth-ac:12:account     sufficient    pam_succeed_if.so uid < 1000 quiet
/etc/pam.d/password-auth-ac:24:session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
/etc/pam.d/postlogin-ac:6:session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
/etc/pam.d/smartcard-auth-ac:10:account     sufficient    pam_succeed_if.so uid < 1000 quiet
/etc/pam.d/smartcard-auth-ac:18:session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
/etc/pam.d/system-auth-ac:8:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
/etc/pam.d/system-auth-ac:13:account     sufficient    pam_succeed_if.so uid < 1000 quiet
/etc/pam.d/system-auth-ac:23:session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

[root@localhost]# ls -lrt /etc/pam.d/password-auth
lrwxrwxrwx. 1 root root 16 Apr 16  2023 /etc/pam.d/password-auth -> password-auth-ac

其中和 password 有关的是 password-auth-ac:

[root@localhost]# cat /etc/pam.d/password-auth-ac 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

那么，正常通过 root 登录的流程大概是下面的链路:

sshd
  -> /etc/pam.d/sshd
      -> auth substack password-auth
          -> /etc/pam.d/password-auth
              -> /etc/pam.d/password-auth-ac

然后在 password-auth-ac 上逐行匹配条件，依次执行。直到

1	auth sufficient pam_unix.so nullok try_first_pass

这里 pam_unix.so 会验证本地 /etc/shadow 里的 root 密码。如果 root 密码正确，pam_unix.so 返回成功。由于它的控制标志是 sufficient。如果本模块认证成功，并且前面没有 required 模块失败，那么整个认证栈可以直接认为成功，后面的模块不再继续执行。

所以如果 root 密码正确，后面这句 uid 判断不会触发执行。

1	auth requisite pam_succeed_if.so uid >= 1000 quiet_success

但在A、B两个产品上都没有修改过 password-auth-ac，且和刚装完 OS 的内容一致。那么到底什么因素影响的呢？

故障解除

回来重新分析下问题，现状是两个：

A产品在升级前后都能够正常使用
B产品在没有升级OpenSSH之前，root是能够正常使用的，只是升级后才出现了root无法登录

到这里需要修改下怀疑方向，大概率问题还是在 ssh 的配置有所区别，导致表现不一样。

A产品的 ssh_config 默认使用了自定义内容，会对初始化安装的配置文件进行覆盖:

1
2
3

[root@localhost]# cat /etc/ssh/sshd_config | grep Root
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".

B产品的 ssh_config 默认使用了 CentOS 7.6 初始化安装完的状态:

1
2
3

[root@localhost]# cat /etc/ssh/sshd_config | grep Root
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".

在B产品的配置上，将 PermitRootLogin 调整为 yes，重启 sshd 服务后故障解除。新开 ssh 会话能够正常使用 root 用户登录后台。

问题根因

但这里要思考一个问题，在B产品上没有修改过 sshd_config、password-auth-ac 配置，升级后出现的问题到底是由谁导致的？为什么把 PermitRootLogin yes 打开就恢复了？

这里使用虚拟机进行一个故障模拟，在一台初始化安装完的 CentOS 7.6机器上，查看信息如下:

[root@localhost]# cat /etc/ssh/sshd_config | grep Root
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".

[root@localhost]# sshd -T | grep permit
permitrootlogin yes
permittty yes
permituserrc yes
permitemptypasswords no
permituserenvironment no
permittunnel no
permitopen any

其中 sshd -T 会解析所有配置并显示最终生效的参数，用于配置验证、故障排查、安全审计等使用。这里可以看出 permitrootlogin 默认就是 yes。

当升级完 Openssh 版本之后，再次查看信息如下:

[root@localhost]# cat /etc/ssh/sshd_config | grep Root
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".

[root@localhost]# sshd -T | grep permit
permitrootlogin without-password
permittty yes
permituserrc yes
permitemptypasswords no
permittunnel no
permitopen any
permitlisten any
permituserenvironment no

可以看到 PermitRootLogin 已经变成了 without-password。这个值和prohibit-password等价，代表root 可以使用公钥登录，但不能使用密码登录，也不能使用 keyboard-interactive/PAM 交互式密码登录。

到这里，就可以得出第一个结论:

在升级 OpenSSH 版本后，对 PermitRootLogin 的默认行为发生了改变。由 yes 变为了 without-password，导致新开 ssh 会话无法使用 root 用户登录。

谁改了PermitRootLogin默认行为

经过上面的分析，可以继续深究的问题是，PermitRootLogin 的默认行为发生了改变，由 yes 变为了 without-password，是什么时候发生的事？

通过查找资料，在 OpenSSH 7.0 release Changelog 中可能不兼容的变更说明里找到了如下内容:

OpenSSH 7.0 was released on 2015-08-11

Potentially-incompatible Changes
--------------------------------
 .....

 * The default for the sshd_config(5) PermitRootLogin option has
   changed from "yes" to "prohibit-password".

 * PermitRootLogin=without-password/prohibit-password now bans all
   interactive authentication methods, allowing only public-key,
   hostbased and GSSAPI authentication (previously it permitted
   keyboard-interactive and password-less authentication if those
   were enabled).

但是 OpenSSH 7.0 发布在 2015-08-11，CentOS 7.6.1810默认携带的版本是 OpenSSH 7.4p1版本，OpenSSH 7.4 发布在 2016-12-19。

查看7.4的源代码，可以看出来当没有设置 PermitRootLogin 时，将赋值为 PERMIT_NO_PASSWD，启用的是 without-password/prohibit-password。
代码链接：https://github.com/openssh/openssh-portable/blob/V_7_4_P1/servconf.c

    ...
    options->permit_root_login = PERMIT_NOT_SET;

if (options->permit_root_login == PERMIT_NOT_SET)
options->permit_root_login = PERMIT_NO_PASSWD;
    ...

static const struct multistate multistate_permitrootlogin[] = {
{ "without-password",PERMIT_NO_PASSWD },
{ "prohibit-password",PERMIT_NO_PASSWD },
{ "forced-commands-only",PERMIT_FORCED_ONLY },
{ "yes",PERMIT_YES },
{ "no",PERMIT_NO },
{ NULL, -1 }
};

那么早在7.0版本中就完成变更的事，为什么在 CentOS 7.6.1810中，PermitRootLogin 的默认行为仍是 yes呢？

通过进一步查找资料，在CentOS 7的归档仓库中找到了相关的openssh patch，其中有一条是openssh-7.4p1-permit-root-login.patch，该 patch 将上述 OpenSSH 源码中的变更又改了回去…，默认赋值为 PERMIT_YES

代码链接: https://gitlab.com/CentOS/archives/git.centos.org/rpms/openssh/-/blob/c7/SOURCES/openssh-7.4p1-permit-root-login.patch

diff -up openssh-7.4p1/servconf.c.permit-root openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.permit-root2017-02-10 10:27:18.109487568 +0100
+++ openssh-7.4p1/servconf.c2017-02-10 10:28:12.385776132 +0100
@@ -231,7 +231,7 @@ fill_default_server_options(ServerOption
 if (options->login_grace_time == -1)
 options->login_grace_time = 120;
 if (options->permit_root_login == PERMIT_NOT_SET)
-options->permit_root_login = PERMIT_NO_PASSWD;
+options->permit_root_login = PERMIT_YES;
 if (options->ignore_rhosts == -1)
 options->ignore_rhosts = 1;
 if (options->ignore_user_known_hosts == -1)
diff -up openssh-7.4p1/sshd_config.5.permit-root openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.permit-root2017-02-10 10:28:24.174605582 +0100
+++ openssh-7.4p1/sshd_config.52017-02-10 10:28:42.254344023 +0100
@@ -1227,7 +1227,7 @@ The argument must be
 or
 .Cm no .
 The default is
-.Cm prohibit-password .
+.Cm yes .
 .Pp
 If this option is set to
 .Cm prohibit-password
diff -up openssh-7.4p1/sshd_config.permit-root openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.permit-root2017-02-10 10:26:52.256797645 +0100
+++ openssh-7.4p1/sshd_config2017-02-10 10:26:52.276797405 +0100
@@ -35,7 +35,7 @@ SyslogFacility AUTHPRIV
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+#PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10

所以这里可以得出第二个结论:

在CentOS 7上又或者是其上游 Redhat 的原因，在打包 OpenSSH 7.4p1 时打了一个补丁，可能是出于兼容性的原因修改了源码，把默认值又改回了 yes。所以在 CentOS 7 刚装完系统时，即使配置文件里是 #PermitRootLogin yes，它的默认行为依然是允许 root 密码登录。

综上，当我们手动升级到官方版本编译出的制品物料时，从 OpenSSH 7.0 开始的默认行为 PERMIT_NO_PASSWD (即 prohibit-password / without-password) 就在机器上生效了，导致升级完 SSH 版本，PAM 配置一行没动，新开 ssh 会话时 root 就不能用正常登录。

总结

1、OpenSSH 7.0版本开始，对 PermitRootLogin 的默认行为发生了改变。由 yes 变为了 prohibit-password / without-password
2、操作系统的发行版可能会因为兼容性等因素，改变 OpenSSH 的默认行为，配置影响会非常明显，要根据不同发行版具体分析
3、在处理组件升级变更时，还是要多验证分析，对关键配置项进行不同验证，避免出现配置问题影响

参考

1、https://www.openssh.org/txt/release-7.0
2、https://www.openssh.org/txt/release-7.4
3、https://gitlab.com/CentOS/archives/git.centos.org/rpms/openssh/-/blob/c7/SOURCES/openssh-7.4p1-permit-root-login.patch
4、https://github.com/openssh/openssh-portable/blob/V_7_4_P1/servconf.c

使用 LD_LIBRARY_PATH 解决服务 So 库冲突

2025-12-08T14:15:47.000Z

最近遇到一个案例，在客户提供的机器上部署业务时，所需要的 So 库和对应的软链接已经存在，但是业务报错显示符号表有缺失，导致服务启动失败。排查原因的时候发现是该机器上部署了一个名为 PubKit 的服务，提前占用了同名软链接且对应的 So 库版本低。那么本着服务互不影响的原则，该怎么处理这个问题呢？

环境情况

为了复现这个问题，记录对应的解决方案，我在家里搭建了一套类似的环境。环境如下:
OS: Kylin Linux Advanced Server release V10 SP3 2403/(Halberd)-x86_64-Build20/20240426
软件: MongoDB 3.4.10 及依赖的 libcrypto.so.1.0.2k、libssl.so.1.0.2k

只模拟 PubKit 服务引起的故障点，已知 PubKit 使用的 So 库软链接是:

libcrypto.so.10，对应 libcrypto.so.1.0.0 版本
libssl.so.10，对应 libssl.so.1.0.0 版本

想直接找到现成的对应版本 So 库还真有点费劲，毕竟 OpenSSL 1.0.0t 发布时间已经是 2015 年了，CentOS 6.6开始使用的版本基本都是 OpenSSL 1.0.1 版本，但好在可以自行编译，包地址: https://openssl-library.org/source/old/1.0.0/

这里编译 OpenSSL 1.0.0t 时是在CentOS 7.6上进行，主要是担心存在 GCC 版本兼容问题，CentOS 7.6 GCC 是 4.8.5 版本，在兼容范围内

cd /home/misaka
tar -xvf openssl-1.0.0t.tar.gz
cd openssl-1.0.0t

# 注意这里是要编译 So 库的，所以要加 shared 参数，因为不打算做安装动作，所以 prefix 和 openssldir 参数都不加
./config shared 
make

等待编译完成，即可在当前目录下找到对应的 So 文件: libcrypto.so.1.0.0、libssl.so.1.0.0，将其拷贝出来即可用在故障复现的机器上。

故障复现

1、将上一步准备好的 libcrypto.so.1.0.0、libssl.so.1.0.0 文件上传到麒麟V10 虚拟机(默认使用 1.1.1f 版本，因此和 1.0.0 系列不冲突)上，并创建软链接，用来模拟客户现场的 PubKit 服务提前占用。

[root@localhost 100]# cp libcrypto.so.1.0.0 /usr/lib64/
[root@localhost 100]# cp libssl.so.1.0.0 /usr/lib64/
[root@localhost 100]# cd /usr/lib64

[root@localhost lib64]# ln -s libcrypto.so.1.0.0 libcrypto.so.10
[root@localhost lib64]# ls -lrt libcrypto*
lrwxrwxrwx 1 root root      19 Feb 28  2024 libcrypto.so.1.1 -> libcrypto.so.1.1.1f
lrwxrwxrwx 1 root root      19 Feb 28  2024 libcrypto.so -> libcrypto.so.1.1.1f
-rwxr-xr-x 1 root root 3078240 Feb 28  2024 libcrypto.so.1.1.1f
-rw-r--r-- 1 root root 5806670 Feb 28  2024 libcrypto.a
-rw-r--r-- 1 root root 2059728 Dec  7 00:33 libcrypto.so.1.0.0
lrwxrwxrwx 1 root root      18 Dec  7 00:34 libcrypto.so.10 -> libcrypto.so.1.0.0

[root@localhost lib64]# ln -s libssl.so.1.0.0 libssl.so.10
[root@localhost lib64]# ls -lrt libssl*
lrwxrwxrwx 1 root root      16 Feb 28  2024 libssl.so.1.1 -> libssl.so.1.1.1f
lrwxrwxrwx 1 root root      16 Feb 28  2024 libssl.so -> libssl.so.1.1.1f
-rwxr-xr-x 1 root root  624664 Feb 28  2024 libssl.so.1.1.1f
-rw-r--r-- 1 root root 1073826 Feb 28  2024 libssl.a
-rwxr-xr-x 1 root root  386368 Mar 15  2024 libssl3.so
-rw-r--r-- 1 root root  441560 Dec  7 01:20 libssl.so.1.0.0
lrwxrwxrwx 1 root root      15 Dec  7 01:21 libssl.so.10 -> libssl.so.1.0.0

2、安装准备好的 MongoDB RPM包:

[root@localhost mongo3.4.10]# ls -lrt
total 93532
-rw-rw-r-- 1 misaka misaka     5988 Dec  7 00:32 mongodb-org-3.4.10-1.el7.x86_64.rpm
-rw-rw-r-- 1 misaka misaka 12193778 Dec  7 00:32 mongodb-org-mongos-3.4.10-1.el7.x86_64.rpm
-rw-rw-r-- 1 misaka misaka 20625955 Dec  7 00:32 mongodb-org-server-3.4.10-1.el7.x86_64.rpm
-rw-rw-r-- 1 misaka misaka 11777295 Dec  7 00:32 mongodb-org-shell-3.4.10-1.el7.x86_64.rpm
-rw-rw-r-- 1 misaka misaka 51164902 Dec  7 00:32 mongodb-org-tools-3.4.10-1.el7.x86_64.rpm

[root@localhost mongo3.4.10]# rpm -ivh *.rpm --force --nodeps
warning: mongodb-org-3.4.10-1.el7.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID a15703c6: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:mongodb-org-tools-3.4.10-1.el7   ################################# [ 20%]
   2:mongodb-org-shell-3.4.10-1.el7   ################################# [ 40%]
   3:mongodb-org-server-3.4.10-1.el7  ################################# [ 60%]
Created symlink /etc/systemd/system/multi-user.target.wants/mongod.service → /usr/lib/systemd/system/mongod.service.
   4:mongodb-org-mongos-3.4.10-1.el7  ################################# [ 80%]
   5:mongodb-org-3.4.10-1.el7         ################################# [100%]

3、启动 MongoDB 服务并查看状态，发现服务启动，提示/usr/bin/mongod: symbol FIPS_mode_set version libcrypto.so.10 not defined.

[root@localhost mongo3.4.10]# systemctl start mongod
[root@localhost mongo3.4.10]# systemctl status mongod
● mongod.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2025-12-07 01:28:24 CST; 4s ago
     Docs: https://docs.mongodb.org/manual
  Process: 7414 ExecStartPre=/usr/bin/mkdir -p /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 7416 ExecStartPre=/usr/bin/chown mongod:mongod /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 7418 ExecStartPre=/usr/bin/chmod 0755 /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 7420 ExecStart=/usr/bin/mongod $OPTIONS (code=exited, status=127)
 Main PID: 7420 (code=exited, status=127)

Dec 07 01:28:24 localhost.localdomain systemd[1]: Starting High-performance, schema-free document-oriented database...
Dec 07 01:28:24 localhost.localdomain systemd[1]: Started High-performance, schema-free document-oriented database.
Dec 07 01:28:24 localhost.localdomain mongod[7420]: /usr/bin/mongod: /lib64/libcrypto.so.10: no version information available (required by /usr/bin/mongod)
Dec 07 01:28:24 localhost.localdomain mongod[7420]: /usr/bin/mongod: /lib64/libcrypto.so.10: no version information available (required by /usr/bin/mongod)
Dec 07 01:28:24 localhost.localdomain mongod[7420]: /usr/bin/mongod: /lib64/libssl.so.10: no version information available (required by /usr/bin/mongod)
Dec 07 01:28:24 localhost.localdomain mongod[7420]: /usr/bin/mongod: relocation error: /usr/bin/mongod: symbol FIPS_mode_set version libcrypto.so.10 not defined in file libcrypto.so.1>
Dec 07 01:28:24 localhost.localdomain systemd[1]: mongod.service: Main process exited, code=exited, status=127/n/a
Dec 07 01:28:24 localhost.localdomain systemd[1]: mongod.service: Failed with result 'exit-code'.

4、查看动态库引用关系

[root@localhost mongo3.4.10]# ldd /usr/bin/mongod
/usr/bin/mongod: /lib64/libcrypto.so.10: no version information available (required by /usr/bin/mongod)
/usr/bin/mongod: /lib64/libcrypto.so.10: no version information available (required by /usr/bin/mongod)
/usr/bin/mongod: /lib64/libssl.so.10: no version information available (required by /usr/bin/mongod)
        linux-vdso.so.1 (0x00007ffc0ed99000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007fa28fa5b000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fa28f69d000)
        librt.so.1 => /usr/lib64/librt.so.1 (0x00007fa28f694000)
        libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007fa28f68f000)
        libm.so.6 => /usr/lib64/libm.so.6 (0x00007fa28f50e000)
        libgcc_s.so.1 => /usr/lib64/libgcc_s.so.1 (0x00007fa28f4f5000)
        libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007fa28f4d3000)
        libc.so.6 => /usr/lib64/libc.so.6 (0x00007fa28f326000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fa292a26000)

[root@localhost mongo3.4.10]# ls -lrt /lib64/libcrypto.so.10
lrwxrwxrwx 1 root root 18 Dec  7 00:34 /lib64/libcrypto.so.10 -> libcrypto.so.1.0.0

5、确认 libcrypto.so.1.0.0 中是否包含 symbol FIPS_mode_set，这里可以用nm或者objdump等方法，如不包含则没有任何输出

1 2	[root@localhost mongo3.4.10]# nm -D /usr/lib64/libcrypto.so.10 \| grep FIPS_mode_set [root@localhost mongo3.4.10]# objdump -T /usr/lib64/libcrypto.so.10 \| grep FIPS_mode_set

到这里就复现了现场发现的问题，那么该如何解决呢？

解决冲突

确认FIPS_mode_set

确认要准备好的正常 So 库中是包含了 symbol FIPS_mode_set:

[root@localhost mongo3.4.10]# nm -D ./102/libcrypto.so.1.0.2k | grep FIPS_mode_set
0000000000070b60 T FIPS_mode_set
[root@localhost mongo3.4.10]# 
[root@localhost mongo3.4.10]# objdump -T ./102/libcrypto.so.1.0.2k | grep FIPS_mode_set
0000000000070b60 g    DF .text  000000000000007a  libcrypto.so.10 FIPS_mode_set

配置LD_LIBRARY_PATH

LD_LIBRARY_PATH 是 Linux/Unix 系统中动态链接器（ld-linux.so）的核心环境变量，用于临时指定共享库（.so 文件）的搜索路径，补充系统默认的库搜索规则，解决「动态库找不到」「多版本库共存」等问题。当执行一个依赖动态库的程序时，系统的动态链接器会按优先级查找所需的 .so 文件，LD_LIBRARY_PATH 是其中优先级较高的「自定义路径来源」。

基于以上的情况，即不能动 PubKit 的服务依赖，又要保证自身业务能运行。那么基于 LD_LIBRARY_PATH 的方案就是一个比较好的办法。具体操作步骤如下:

1、将上述准备好的 libcrypto.so.1.0.2k、libssl.so.1.0.2k 拷贝到 /usr/lib64/mongodb 下，并创建软链接:

[root@localhost 102]# mkdir -p /usr/lib64/mongodb
[root@localhost 102]# cp libcrypto.so.1.0.2k /usr/lib64/mongodb/
[root@localhost 102]# cp libssl.so.1.0.2k /usr/lib64/mongodb/
[root@localhost 102]# cd /usr/lib64/mongodb/
[root@localhost mongodb]# ln -s libcrypto.so.1.0.2k libcrypto.so.10
[root@localhost mongodb]# ln -s libssl.so.1.0.2k libssl.so.10
[root@localhost mongodb]# ls -lrt
total 2916
-rw-r--r-- 1 root root 2513000 Dec  7 01:45 libcrypto.so.1.0.2k
-rw-r--r-- 1 root root  470360 Dec  7 01:45 libssl.so.1.0.2k
lrwxrwxrwx 1 root root      19 Dec  7 01:45 libcrypto.so.10 -> libcrypto.so.1.0.2k
lrwxrwxrwx 1 root root      16 Dec  7 01:45 libssl.so.10 -> libssl.so.1.0.2k

2、编辑 /usr/lib/systemd/system/mongod.service 文件，在 Environment 中写入 LD_LIBRARY_PATH 配置:

[Service]
User=mongod
Group=mongod
# 增加该行
Environment="LD_LIBRARY_PATH=/usr/lib64/mongodb:$LD_LIBRARY_PATH"
Environment="OPTIONS=-f /etc/mongod.conf"
ExecStart=/usr/bin/mongod $OPTIONS

3、daemon-reload 后启动 mongod，可以看到目前服务已经正常启动:

[root@localhost mongodb]# systemctl daemon-reload 
[root@localhost mongodb]# systemctl start mongod
[root@localhost mongodb]# systemctl status mongod
● mongod.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2025-12-07 01:49:52 CST; 1min 11s ago
     Docs: https://docs.mongodb.org/manual
  Process: 8032 ExecStartPre=/usr/bin/mkdir -p /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 8034 ExecStartPre=/usr/bin/chown mongod:mongod /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 8036 ExecStartPre=/usr/bin/chmod 0755 /var/run/mongodb (code=exited, status=0/SUCCESS)
 Main PID: 8041 (mongod)
   Memory: 41.0M
   CGroup: /system.slice/mongod.service
           └─8041 /usr/bin/mongod -f /etc/mongod.conf

Dec 07 01:49:52 localhost.localdomain systemd[1]: Starting High-performance, schema-free document-oriented database...
Dec 07 01:49:52 localhost.localdomain systemd[1]: Started High-performance, schema-free document-oriented database.
Dec 07 01:49:52 localhost.localdomain mongod[8039]: about to fork child process, waiting until server is ready for connections.
Dec 07 01:49:52 localhost.localdomain mongod[8040]: forked process: 8041
Dec 07 01:49:53 localhost.localdomain mongod[8039]: child process started successfully, parent exiting

和上面使用 ldd 的方法不同，这里可以用 lsof 结合 pgrep 命令进行确认，确实已经引用了 LD_LIBRARY_PATH 带入的 So 库文件:

[root@localhost mongodb]# lsof -p $(pgrep mongod) | grep mongodb
mongod  8041 mongod  mem    REG              253,0   2513000    583497 /usr/lib64/mongodb/libcrypto.so.1.0.2k
mongod  8041 mongod  mem    REG              253,0    470360    583498 /usr/lib64/mongodb/libssl.so.1.0.2k
mongod  8041 mongod    4w   REG              253,0      3702 105520618 /var/log/mongodb/mongod.log
mongod  8041 mongod    8u  unix 0x00000000665de206       0t0     87499 /tmp/mongodb-27017.sock type=STREAM

4、但如果执行 mongo 命令，还是会报出如下错误:

1	mongo: relocation error: mongo: symbol FIPS_mode_set version libcrypto.so.10 not defined in file libcrypto.so.10 with link time reference

那么客户端该怎么解决呢？同样也可以在执行 mongo 命令前添加 LD_LIBRARY_PATH，类似如下:

[root@localhost mongodb]# LD_LIBRARY_PATH=/usr/lib64/mongodb:$LD_LIBRARY_PATH mongo
MongoDB shell version v3.4.10
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.10
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
        http://docs.mongodb.org/
Questions? Try the support group
        http://groups.google.com/group/mongodb-user
Server has startup warnings: 
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] 
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] 
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] 
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] 
> exit
bye

但如果每次都这样执行，就未免太过麻烦，业务上访问也多有不便。这里我的思路是可以使用脚本替代的方式，充当一个拐棍的作用。
1）将原客户端 mongo 转移到新目录

1
2
3

cd /usr/bin
mkdir mongodb-client-tools
mv mongo mongodb-client-tools/

2）新建 mongo.sh 脚本，并写入如下内容:

1 2	#!/bin/bash LD_LIBRARY_PATH=/usr/lib64/mongodb:$LD_LIBRARY_PATH /usr/bin/mongodb-client-tools/mongo

3）增加执行权限并创建软链接:

1 2	[root@localhost bin]# chmod +x mongo.sh [root@localhost bin]# ln -s mongo.sh mongo

4）验证可行:

[root@localhost bin]# mongo
MongoDB shell version v3.4.10
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.10
Server has startup warnings: 
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] 
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] 
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] 
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2025-12-07T01:49:52.704+0800 I CONTROL  [initandlisten] 
>

5）根据上述步骤将 mongoimport、mongoexport 等工具做类似处理即可。

问题思考

经过以上步骤，服务冲突就已经解决完毕，可以开展后续的业务工作，但还是有些内容值得思考的:
1）如果业务上如果有 So 库特定版本依赖并需要创建软链接时，需要考虑下是否为类似 OpenSSL 相关的基础依赖，在部署时是否独占机器，如果非独占，那么还是要考虑下是否会影响其他服务。在本次案例中是采取了主动规避的方案，两边都不受影响，但如果遇到暴力操作，直接解除 PubKit 的软链接再部署服务，那么对业务来说是灾难性的，可能会遇到在排查解决问题时双方互相反复解除软链接的情况。

2）对于业务部署来讲，提前检查环境是必须进行的，除了操作系统、磁盘分区等等基础信息检查项之外，还应该加上业务依赖上的检查，比如 So 版本检查，提前发现问题并制定解决方案，节省现场处理问题的时间。

NetworkManager管理DNS配置

2025-07-13T02:39:09.000Z

遇到一个场景，装完操作系统通过 GUI 进行网络配置、安装业务平台并直接修改 /etc/resolv.conf 文件，改变了DNS地址配置。过了几天后发现配置被修改，影响到了业务平台，但排查以后确认无人操作过 /etc/resolv.conf 文件。最后追查到 NetworkManager 被重启过，每次 NetworkManager 重启都会出现DNS恢复到系统安装时初始网络配置写的 DNS。NetworkManager 的处理流程是什么，跟着日志和源代码一起看看吧☺️

NetworkManager日志

这里复现问题的环境是 Rocky 9.6，网络的初始配置如下

[root@localhost misaka]# nmcli device show ens33
GENERAL.DEVICE:                         ens33
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     ens33
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/2
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         192.168.0.239/24
IP4.GATEWAY:                            192.168.0.1
IP4.ROUTE[1]:                           dst = 192.168.0.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.0.1, mt = 100
IP4.DNS[1]:                             8.8.8.8
IP6.ADDRESS[1]:                         fe80::20c:29ff:feec:d07a/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024

RHEL发行版的日志位置通常是 /var/log/message，起初是想通过现有日志看看是否能找到有用信息。这里打开两个窗口，分别执行

1
2
3

tail -f  /var/log/messages | grep NetworkManager

systemctl restart NetworkManager

可以看到有如下输出:

Jul 12 23:33:45 localhost systemd[1]: NetworkManager-wait-online.service: Deactivated successfully.
Jul 12 23:33:45 localhost NetworkManager[171123]:   [1752334425.0882] caught SIGTERM, shutting down normally.
Jul 12 23:33:45 localhost NetworkManager[171123]:   [1752334425.0891] manager: NetworkManager state is now CONNECTED_SITE
Jul 12 23:33:45 localhost NetworkManager[171123]:   [1752334425.0935] exiting (success)
Jul 12 23:33:45 localhost systemd[1]: NetworkManager.service: Deactivated successfully.
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1471] NetworkManager (version 1.52.0-4.el9_6) is starting... (after a restart, boot:682b7f4f-9040-4361-9bbe-3dd582d2db4a)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1472] Read config: /etc/NetworkManager/NetworkManager.conf, /usr/lib/NetworkManager/conf.d/{00-server.conf,99-nvme-nbft-no-ignore-carrier.conf}, /run/NetworkManager/conf.d/15-carrier-timeout.conf
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1508] manager[0x55d4e0a3a050]: monitoring kernel firmware directory '/lib/firmware'.
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1553] hostname: hostname: using hostnamed
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1556] dns-mgr: init: dns=default,systemd-resolved rc-manager=symlink (auto)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1557] policy: set-hostname: set hostname to 'localhost.localdomain' (no hostname found)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1560] manager[0x55d4e0a3a050]: rfkill: Wi-Fi hardware radio set enabled
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1561] manager[0x55d4e0a3a050]: rfkill: WWAN hardware radio set enabled
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1576] Loaded device plugin: NMAtmManager (/usr/lib64/NetworkManager/1.52.0-4.el9_6/libnm-device-plugin-adsl.so)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1578] Loaded device plugin: NMWifiFactory (/usr/lib64/NetworkManager/1.52.0-4.el9_6/libnm-device-plugin-wifi.so)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1586] Loaded device plugin: NMTeamFactory (/usr/lib64/NetworkManager/1.52.0-4.el9_6/libnm-device-plugin-team.so)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1599] Loaded device plugin: NMBluezManager (/usr/lib64/NetworkManager/1.52.0-4.el9_6/libnm-device-plugin-bluetooth.so)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1601] Loaded device plugin: NMWwanFactory (/usr/lib64/NetworkManager/1.52.0-4.el9_6/libnm-device-plugin-wwan.so)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1603] manager: rfkill: Wi-Fi enabled by radio killswitch; enabled by state file
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1604] manager: rfkill: WWAN enabled by radio killswitch; enabled by state file
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1605] manager: Networking is enabled by state file
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1607] settings: Loaded settings plugin: keyfile (internal)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1610] settings: Loaded settings plugin: ifcfg-rh ("/usr/lib64/NetworkManager/1.52.0-4.el9_6/libnm-settings-plugin-ifcfg-rh.so")
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1626] dhcp: init: Using DHCP client 'internal'
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1629] manager: (lo): new Loopback device (/org/freedesktop/NetworkManager/Devices/1)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1633] device (lo): state change: unmanaged -> unavailable (reason 'connection-assumed', managed-type: 'external')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1640] device (lo): state change: unavailable -> disconnected (reason 'connection-assumed', managed-type: 'external')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1647] device (lo): Activation: starting connection 'lo' (ba530e38-0cc8-44a7-9dea-c1126d22d767)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1651] device (ens33): carrier: link connected
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1655] manager: (ens33): new Ethernet device (/org/freedesktop/NetworkManager/Devices/2)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1659] manager: (ens33): assume: will attempt to assume matching connection 'ens33' (2752299c-a8b2-362e-af75-d3b722cce23b) (indicated)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1659] device (ens33): state change: unmanaged -> unavailable (reason 'connection-assumed', managed-type: 'assume')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1664] device (ens33): state change: unavailable -> disconnected (reason 'connection-assumed', managed-type: 'assume')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1669] device (ens33): Activation: starting connection 'ens33' (2752299c-a8b2-362e-af75-d3b722cce23b)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1677] bus-manager: acquired D-Bus service "org.freedesktop.NetworkManager"
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1687] device (lo): state change: disconnected -> prepare (reason 'none', managed-type: 'external')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1690] device (lo): state change: prepare -> config (reason 'none', managed-type: 'external')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1693] device (lo): state change: config -> ip-config (reason 'none', managed-type: 'external')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1695] device (ens33): state change: disconnected -> prepare (reason 'none', managed-type: 'assume')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1697] device (ens33): state change: prepare -> config (reason 'none', managed-type: 'assume')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1771] modem-manager: ModemManager available
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1775] device (ens33): state change: config -> ip-config (reason 'none', managed-type: 'assume')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1779] device (lo): state change: ip-config -> ip-check (reason 'none', managed-type: 'external')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1787] policy: set 'ens33' (ens33) as default for IPv4 routing and DNS
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1835] device (lo): state change: ip-check -> secondaries (reason 'none', managed-type: 'external')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1836] device (lo): state change: secondaries -> activated (reason 'none', managed-type: 'external')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1839] device (lo): Activation: successful, device activated.
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1857] device (ens33): state change: ip-config -> ip-check (reason 'none', managed-type: 'assume')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1891] device (ens33): state change: ip-check -> secondaries (reason 'none', managed-type: 'assume')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1894] device (ens33): state change: secondaries -> activated (reason 'none', managed-type: 'assume')
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1898] manager: NetworkManager state is now CONNECTED_SITE
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1901] device (ens33): Activation: successful, device activated.
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1907] manager: NetworkManager state is now CONNECTED_GLOBAL
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1909] manager: startup complete
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.2826] policy: set-hostname: set hostname to 'localhost.localdomain' (no hostname found)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.6020] agent-manager: agent[f8948c5639bb9824,:1.25/org.gnome.Shell.NetworkAgent/42]: agent registered
Jul 12 23:33:55 localhost systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Jul 12 23:34:15 localhost NetworkManager[178235]:   [1752334455.0274] policy: set-hostname: set hostname to 'localhost.localdomain' (no hostname found)
Jul 12 23:34:25 localhost systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Jul 12 23:34:45 localhost NetworkManager[178235]:   [1752334485.0224] policy: set-hostname: set hostname to 'localhost.localdomain' (no hostname found)
Jul 12 23:34:55 localhost systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Jul 12 23:38:45 localhost NetworkManager[178235]:   [1752334725.0229] policy: set-hostname: set hostname to 'localhost.localdomain' (no hostname found)
Jul 12 23:38:55 localhost systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.

将此段日志，让豆包分析，豆包反馈日志记录了 NetworkManager 从”旧进程关闭”到”新进程启动并完成初始化””的过程，关键节点包括：

旧进程正常关闭：收到 SIGTERM 信号后，旧 NetworkManager 进程（PID 171123）正常退出，状态为 success。
新进程启动：新进程（PID 178235）以版本 1.52.0-4.el9_6 启动，读取配置文件并初始化核心模块。
设备识别与激活：成功识别回环设备（lo）和以太网设备（ens33），并完成激活，最终网络状态达到 CONNECTED_GLOBAL（全局连接）。
服务初始化完成：启动过程无错误，所有核心功能（DNS 管理、DHCP 客户端、设备插件等）正常加载。

其中能说明有DNS相关的操作如下:

1
2

Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1556] dns-mgr: init: dns=default,systemd-resolved rc-manager=symlink (auto)
Jul 12 23:33:45 localhost NetworkManager[178235]:   [1752334425.1787] policy: set 'ens33' (ens33) as default for IPv4 routing and DNS

当 systemd-resolved 服务不存在时，dns=default 会使 NetworkManager 直接管理 DNS，生成 /etc/resolv.conf，并通过 rc-manager=symlink 创建符号链接。

NetworkManager源码

到这里其实只能看出 NetworkManager 确实操作了/etc/resolv.conf的变更，但具体如何执行还是无法清晰获取，接下来转换思路。

由 NetworkManager 管理的 DNS 配置会在 /etc/resolv.conf 中包含以下注释：

1 2	# Generated by NetworkManager nameserver 8.8.8.8

直接使用 Generated by NetworkManager 字符串检索代码，作为入口，来看下代码中的处理流程。

在 NetworkManager 源代码 src/core/dns/nm-dns-manager.c 中存在函数 create_resolv_conf，其中包含了相应的字符串，且生成 nameserver 配置。

static char *
create_resolv_conf(const char *const *searches,
                   const char *const *nameservers,
                   const char *const *options)
{
    GString *str;
    gsize    i;

    str = g_string_new_len(NULL, 245);

    g_string_append(str, "# Generated by NetworkManager\n");

    if (searches && searches[0]) {
        gsize search_base_idx;

        g_string_append(str, "search");
        search_base_idx = str->len;

        for (i = 0; searches[i]; i++) {
            const char *s = searches[i];
            gsize       l = strlen(s);

            if (l == 0 || NM_STRCHAR_ANY(s, ch, NM_IN_SET(ch, ' ', '\t', '\n'))) {
                /* there should be no such characters in the search entry. Also,
                 * because glibc parser would treat them as line/word separator.
                 *
                 * Skip the value silently. */
                continue;
            }

            if (search_base_idx > 0) {
                if (str->len - search_base_idx + 1 + l > 254) {
                    /* this entry crosses the 256 character boundary. Older glibc versions
                     * would truncate the entry at this point.
                     *
                     * Fill the line with spaces to cross the 256 char boundary and continue
                     * afterwards. This way, the truncation happens between two search entries. */
                    while (str->len - search_base_idx < 257)
                        g_string_append_c(str, ' ');
                    search_base_idx = 0;
                }
            }

            g_string_append_c(str, ' ');
            g_string_append_len(str, s, l);
        }
        g_string_append_c(str, '\n');
    }

    if (nameservers && nameservers[0]) {
        for (i = 0; nameservers[i]; i++) {
            if (i == 3) {
                g_string_append(
                    str,
                    "# NOTE: the libc resolver may not support more than 3 nameservers.\n");
                g_string_append(str, "# The nameservers listed below may not be recognized.\n");
            }
            g_string_append(str, "nameserver ");
            g_string_append(str, nameservers[i]);
            g_string_append_c(str, '\n');
        }
    }

    if (options && options[0]) {
        g_string_append(str, "options");
        for (i = 0; options[i]; i++) {
            g_string_append_c(str, ' ');
            g_string_append(str, options[i]);
        }
        g_string_append_c(str, '\n');
    }

    return g_string_free(str, FALSE);
}

在IDE中继续搜索该函数存在多次调用，分别为

char *
nmtst_dns_create_resolv_conf(const char *const *searches,
                             const char *const *nameservers,
                             const char *const *options)
{
    return create_resolv_conf(searches, nameservers, options);
}

static gboolean
write_resolv_conf(FILE              *f,
                  const char *const *searches,
                  const char *const *nameservers,
                  const char *const *options,
                  GError           **error)
{
    gs_free char *content = NULL;

    content = create_resolv_conf(searches, nameservers, options);
    return write_resolv_conf_contents(f, content, error);
}

static void
update_resolv_conf_no_stub(NMDnsManager      *self,
                           const char *const *searches,
                           const char *const *nameservers,
                           const char *const *options)
{
    gs_free char *content = NULL;
    GError       *local   = NULL;

    content = create_resolv_conf(searches, nameservers, options);

    if (!g_file_set_contents(NO_STUB_RESOLV_CONF, content, -1, &local)) {
        _LOGD("update-resolv-no-stub: failure to write file: %s", local->message);
        g_error_free(local);
        return;
    }

    _LOGT("update-resolv-no-stub: '%s' successfully written", NO_STUB_RESOLV_CONF);
}

static SpawnResult
update_resolv_conf(NMDnsManager                 *self,
                   const char *const            *searches,
                   const char *const            *nameservers,
                   const char *const            *options,
                   GError                      **error,
                   NMDnsManagerResolvConfManager rc_manager)
{
    FILE         *f;
    gboolean      success;
    gs_free char *content           = NULL;
    SpawnResult   write_file_result = SR_SUCCESS;
    int           errsv;
    gboolean      resconf_link_cached = FALSE;
    gs_free char *resconf_link        = NULL;

    content = create_resolv_conf(searches, nameservers, options);

    if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE
        || (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_SYMLINK
            && !_read_link_cached(_PATH_RESCONF, &resconf_link_cached, &resconf_link))) {
        gs_free char      *rc_path_syml = NULL;
        nm_auto_free char *rc_path_real = NULL;
        const char        *rc_path      = _PATH_RESCONF;
        GError            *local        = NULL;

        if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
            rc_path_real = realpath(_PATH_RESCONF, NULL);
            if (rc_path_real)
                rc_path = rc_path_real;
            else {
                /* realpath did not resolve a path-name. That either means,
                 * _PATH_RESCONF:
                 *   - does not exist
                 *   - is a plain file
                 *   - is a dangling symlink
                 *
                 * Handle the case, where it is a dangling symlink... */
                rc_path_syml = nm_utils_read_link_absolute(_PATH_RESCONF, NULL);
                if (rc_path_syml)
                    rc_path = rc_path_syml;
            }
        }

        /* we first write to /etc/resolv.conf directly. If that fails,
         * we still continue to write to runstatedir but remember the
         * error. */
        if (!g_file_set_contents(rc_path, content, -1, &local)) {
            _LOGT("update-resolv-conf: write to %s failed (rc-manager=%s, %s)",
                  rc_path,
                  _rc_manager_to_string(rc_manager),
                  local->message);
            g_propagate_error(error, local);
            /* clear @error, so that we don't try reset it. This is the error
             * we want to propagate to the caller. */
            error             = NULL;
            write_file_result = SR_ERROR;
        } else {
            _LOGT("update-resolv-conf: write to %s succeeded (rc-manager=%s)",
                  rc_path,
                  _rc_manager_to_string(rc_manager));
        }
    }

    if ((f = fopen(MY_RESOLV_CONF_TMP, "we")) == NULL) {
        errsv = errno;
        g_set_error(error,
                    NM_MANAGER_ERROR,
                    NM_MANAGER_ERROR_FAILED,
                    "Could not open %s: %s",
                    MY_RESOLV_CONF_TMP,
                    nm_strerror_native(errsv));
        _LOGT("update-resolv-conf: open temporary file %s failed (%s)",
              MY_RESOLV_CONF_TMP,
              nm_strerror_native(errsv));
        return SR_ERROR;
    }

    success = write_resolv_conf_contents(f, content, error);
    if (!success) {
        errsv = errno;
        _LOGT("update-resolv-conf: write temporary file %s failed (%s)",
              MY_RESOLV_CONF_TMP,
              nm_strerror_native(errsv));
    }

    if (fclose(f) < 0) {
        if (success) {
            errsv = errno;
            /* only set an error here if write_resolv_conf() was successful,
             * since its error is more important.
             */
            g_set_error(error,
                        NM_MANAGER_ERROR,
                        NM_MANAGER_ERROR_FAILED,
                        "Could not close %s: %s",
                        MY_RESOLV_CONF_TMP,
                        nm_strerror_native(errsv));
            _LOGT("update-resolv-conf: close temporary file %s failed (%s)",
                  MY_RESOLV_CONF_TMP,
                  nm_strerror_native(errsv));
        }
        return SR_ERROR;
    } else if (!success)
        return SR_ERROR;

    if (rename(MY_RESOLV_CONF_TMP, MY_RESOLV_CONF) < 0) {
        errsv = errno;
        g_set_error(error,
                    NM_MANAGER_ERROR,
                    NM_MANAGER_ERROR_FAILED,
                    "Could not replace %s: %s",
                    MY_RESOLV_CONF,
                    nm_strerror_native(errsv));
        _LOGT("update-resolv-conf: failed to rename temporary file %s to %s (%s)",
              MY_RESOLV_CONF_TMP,
              MY_RESOLV_CONF,
              nm_strerror_native(errsv));
        return SR_ERROR;
    }

    if (rc_manager == NM_DNS_MANAGER_RESOLV_CONF_MAN_FILE) {
        _LOGT("update-resolv-conf: write internal file %s succeeded (rc-manager=%s)",
              MY_RESOLV_CONF,
              _rc_manager_to_string(rc_manager));
        return write_file_result;
    }

    if (rc_manager != NM_DNS_MANAGER_RESOLV_CONF_MAN_SYMLINK
        || !_read_link_cached(_PATH_RESCONF, &resconf_link_cached, &resconf_link)) {
        _LOGT("update-resolv-conf: write internal file %s succeeded", MY_RESOLV_CONF);
        return write_file_result;
    }

    if (!nm_streq0(_read_link_cached(_PATH_RESCONF, &resconf_link_cached, &resconf_link),
                   MY_RESOLV_CONF)) {
        _LOGT("update-resolv-conf: write internal file %s succeeded (don't touch symlink %s "
              "linking to %s)",
              MY_RESOLV_CONF,
              _PATH_RESCONF,
              _read_link_cached(_PATH_RESCONF, &resconf_link_cached, &resconf_link));
        return write_file_result;
    }

    /* By this point, /etc/resolv.conf exists and is a symlink to our internal
     * resolv.conf. We update the symlink so that applications get an inotify
     * notification.
     */
    if (unlink(RESOLV_CONF_TMP) != 0 && ((errsv = errno) != ENOENT)) {
        g_set_error(error,
                    NM_MANAGER_ERROR,
                    NM_MANAGER_ERROR_FAILED,
                    "Could not unlink %s: %s",
                    RESOLV_CONF_TMP,
                    nm_strerror_native(errsv));
        _LOGT("update-resolv-conf: write internal file %s succeeded "
              "but cannot delete temporary file %s: %s",
              MY_RESOLV_CONF,
              RESOLV_CONF_TMP,
              nm_strerror_native(errsv));
        return SR_ERROR;
    }

    if (symlink(MY_RESOLV_CONF, RESOLV_CONF_TMP) == -1) {
        errsv = errno;
        g_set_error(error,
                    NM_MANAGER_ERROR,
                    NM_MANAGER_ERROR_FAILED,
                    "Could not create symlink %s pointing to %s: %s",
                    RESOLV_CONF_TMP,
                    MY_RESOLV_CONF,
                    nm_strerror_native(errsv));
        _LOGT("update-resolv-conf: write internal file %s succeeded "
              "but failed to symlink %s: %s",
              MY_RESOLV_CONF,
              RESOLV_CONF_TMP,
              nm_strerror_native(errsv));
        return SR_ERROR;
    }

    if (rename(RESOLV_CONF_TMP, _PATH_RESCONF) == -1) {
        errsv = errno;
        g_set_error(error,
                    NM_MANAGER_ERROR,
                    NM_MANAGER_ERROR_FAILED,
                    "Could not rename %s to %s: %s",
                    RESOLV_CONF_TMP,
                    _PATH_RESCONF,
                    nm_strerror_native(errsv));
        _LOGT("update-resolv-conf: write internal file %s succeeded "
              "but failed to rename temporary symlink %s to %s: %s",
              MY_RESOLV_CONF,
              RESOLV_CONF_TMP,
              _PATH_RESCONF,
              nm_strerror_native(errsv));
        return SR_ERROR;
    }

    _LOGT("update-resolv-conf: write internal file %s succeeded and update symlink %s",
          MY_RESOLV_CONF,
          _PATH_RESCONF);
    return write_file_result;
}

因为存在多个函数调用，还是无法确定具体调用流程。但在上述源码中可以看到包含 _LOGT 的日志函数调用，是否可以通过日志配置来观测 NetworkManager 的详细行为呢？

跟随IDE可以在 nm-logging-fwd.h 中可以看到一些关于日志级别的定义:

static inline int
nm_log_level_to_syslog(NMLogLevel nm_level)
{
    switch (nm_level) {
    case LOGL_ERR:
        return 3; /* LOG_ERR */
    case LOGL_WARN:
        return 4; /* LOG_WARN */
    case LOGL_INFO:
        return 5; /* LOG_NOTICE */
    case LOGL_DEBUG:
        return 6; /* LOG_INFO */
    case LOGL_TRACE:
        return 7; /* LOG_DEBUG */
    default:
        return 0; /* LOG_EMERG */
    }
}

#define _LOGL_TRACE LOGL_TRACE
#define _LOGL_DEBUG LOGL_DEBUG
#define _LOGL_INFO  LOGL_INFO
#define _LOGL_WARN  LOGL_WARN
#define _LOGL_ERR   LOGL_ERR

/* This is the default definition of _NMLOG_ENABLED(). Special implementations
 * might want to undef this and redefine it. */
#define _NMLOG_ENABLED(level) (nm_logging_enabled((level), (_NMLOG_DOMAIN)))

#define _LOGT(...) _NMLOG(_LOGL_TRACE, __VA_ARGS__)
#define _LOGD(...) _NMLOG(_LOGL_DEBUG, __VA_ARGS__)
#define _LOGI(...) _NMLOG(_LOGL_INFO, __VA_ARGS__)
#define _LOGW(...) _NMLOG(_LOGL_WARN, __VA_ARGS__)
#define _LOGE(...) _NMLOG(_LOGL_ERR, __VA_ARGS__)

可以看到最详细的日志是 TRACE 级别。那么要观测 NetworkManager 详细输出，就可以在 /etc/NetworkManager/conf.d/99-logging.conf 中添加如下内容，该文件默认不存在直接创建即可，重启 NetworkManager 时会被加载。

1
2
3

[logging]
level=DEBUG  # 可选级别：ERR, WARN, INFO, DEBUG
domains=ALL  # 记录所有模块的日志，或指定特定模块（如 "DHCP4,DHCP6"）

打开两个shell会话，并分别执行以下命令，就可以通过 journalctl 看到详细的日志输出，将该日志截取出来，分析执行步骤即可:

1
2
3

journalctl -fu NetworkManager

systemctl restart NetworkManager

因为 TRACE 日志量非常大，这里就不全放出了。通过检索/etc/resolv.conf关键字，在 TRACE 日志中找到了如下内容:

Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9116] dns-mgr: (device_l3cd_changed): queueing DNS updates (1)
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:   [1752340261.9116] policy: set 'ens33' (ens33) as default for IPv4 routing and DNS
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9116] manager: PrimaryConnection now ens33
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9117] policy: set-hostname: updating hostname (ip conf)
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9117] policy: get-hostname: "localhost" (from dbus)
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9117] policy: device hostname info:
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9117] policy:   - prio:  100 ipv4 (def) dhcp  dns  dev:ens33
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9117] policy:   - prio:  100 ipv6       dhcp  dns  dev:ens33
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9117] policy: get-hostname: "localhost" (from dbus)
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:   [1752340261.9117] policy: set-hostname: set hostname to 'localhost.localdomain' (no hostname found)
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9118] dns-mgr: (device_l3cd_changed): DNS configuration changed
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9118] dns-mgr: (device_l3cd_changed): committing DNS changes (0)
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9118] dns-mgr: update-dns: updating resolv.conf
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9118] dns-mgr: config:      100 best    v4 2     : 8.8.8.8
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9118] dns-mgr: config:      100 default v6 2     : 
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9118] dns-mgr: plugin: add domain  (i=2, p=100)
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9118] dns-mgr: plugin: settings: ifindex=2, priority=100, default-route=1, search=, reverse=0.168.192.in-addr.arpa
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9119] dns-mgr: update-resolv-no-stub: '/run/NetworkManager/no-stub-resolv.conf' successfully written
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9148] dns-mgr: update-resolv-conf: write to /etc/resolv.conf succeeded (rc-manager=symlink)
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9150] dns-mgr: update-resolv-conf: write internal file /run/NetworkManager/resolv.conf succeeded
Jul 13 01:11:01 localhost.localdomain NetworkManager[275984]:  [1752340261.9151] dns-mgr: current configuration: [{'nameservers': <['8.8.8.8']>, 'interface': <'ens33'>, 'priority': <100>, 'vpn': }]

可以看出，正是由 update_resolv_conf 函数产生的写操作。那么通过日志，并结合源代码，利用IDE可以追溯出具体的函数调用链为:

nm_policy_class_init() -> constructed() -> device_added() -> devices_list_register() -> device_l3cd_changed() -> nm_dns_manager_set_ip_config() -> update_dns() -> update_resolv_conf_no_stub()、update_resolv_conf() -> create_resolv_conf() -> write_resolv_conf_contents()

其中 nm_policy_class_init() 是 GObject 框架下的类初始化函数，其调用机制遵循 GObject 的类注册流程。具体来说，这个函数会在 NMPolicy 类型注册时被自动调用，而非通过显式函数调用。跟随IDE可以发现在nm-policy.c文件中存在如下一行

1	G_DEFINE_TYPE(NMPolicy, nm_policy, G_TYPE_OBJECT)

这个宏会展开为类型注册代码，最终触发 nm_policy_class_init() 的调用。

NetworkManager 由 meson 进行构建，在 meason.build 中包含了 subdir(‘src’)，而 src/meson.build 中又包含了 subdir(‘core’)，在执行 meson build 后在 build 目录中生成的 build.ninja 文件中包含了构建过程。

build src/core/libNetworkManager.a.p/nm-policy.c.o: c_COMPILER ../src/core/nm-policy.c || src/libnm-core-public/nm-core-enum-types.h
 DEPFILE = src/core/libNetworkManager.a.p/nm-policy.c.o.d
 DEPFILE_UNQUOTED = src/core/libNetworkManager.a.p/nm-policy.c.o.d
 ARGS = -Isrc/core/libNetworkManager.a.p -Isrc/core -I../src/core -Isrc/libnm-core-public -I../src/libnm-core-public -Isrc -I../src -I. -I.. -I/usr/include/gio-unix-2.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/sysprof-4 -I/usr/include/libmount -I/usr/include/blkid -fdiagnostics-color=always -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wextra -std=gnu11 -O2 -g -fdata-sections -ffunction-sections -Wcast-align=strict -Wdeclaration-after-statement -Wfloat-equal -Wformat-nonliteral -Wformat-security -Wimplicit-function-declaration -Wimplicit-int -Winit-self -Wint-conversion -Wlogical-op -Wmissing-declarations -Wmissing-include-dirs -Wmissing-prototypes -Wold-style-definition -Wpointer-arith -Wshadow -Wshift-negative-value -Wstrict-prototypes -Wundef -Wvla -Wno-duplicate-decl-specifier -Wno-format-truncation -Wno-format-y2k -Wno-missing-field-initializers -Wno-pragmas -Wno-sign-compare -Wno-unknown-pragmas -Wno-unused-parameter -fno-strict-aliasing -Wimplicit-fallthrough -fPIC -pthread -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_42 -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_42

NetworkManager 管理 DNS 配置和 NetworkManager 的配置有关。有default、systemd-resolved、dnsmasq 三种方式。我个人观察到在 Centos7、Rocky 9 上通常是采用 default 方式进行，而 Ubuntu 20.04 中采用的是 systemd-resolvd。

1 2	# Ubuntu 20.04的日志输出 Jul 13 02:51:24 misaka NetworkManager[815]: [1752346284.4650] dns-mgr[0x55eb10a9f290]: init: dns=systemd-resolved rc-manager=symlink, plugin=systemd-resolved

systemd-resolved 是 systemd 套件的一部分，用于处理 DNS 解析和其他网络名称解析任务。它提供了 DNS 缓存、多重 DNS 解析、DNS-over-TLS 等功能。在使用systemd-resolved的 Ubuntu 系统中，/etc/resolv.conf通常是指向/run/systemd/resolve/stub-resolv.conf的符号链接，所有 DNS 查询会被转发到systemd-resolved的本地代理（127.0.0.53），然后由systemd-resolved根据/run/systemd/resolve/resolv.conf的配置进行实际的 DNS 解析。

到这里就基础梳理出每次 NetworkManager 重启时，对 DNS 配置进行操作的处理流程。

那么解决文章开头 NetworkManager 每次重启都还原成初始网络配置中的 DNS 问题的答案也非常简单:

在/etc/NetworkManager/system-connections/ens33.nmconnection中注释dns配置，然后在/etc/resolv.conf中添加目标nameserver
在/etc/NetworkManager/system-connections/ens33.nmconnection中修改成目标dns配置，如果有多个，要注意写分号呦(例如: dns=8.8.8.8;114.114.114.114;)

NetworkManager编译

在排查问题前有想过可能需要 debug 或者自行加一些日志，但实际项目 TRACE日志记录的非常详细，这一点是值得去学习的。同时为了IDE读取比较顺利，这里就学习了下 NetworkManager 的编译方法。我尝试了 Rocky 9 和 Ubuntu 20.04 上的编译，进行下记录。

Meson构建

NetworkManager 使用 Meson 构建，Meson 是一个开源构建系统，旨在实现极快的速度，更重要的是，尽可能地方便用户使用。目前有很多项目在使用，比如 GNOME、KDE 等。

Meson 官网: https://mesonbuild.com/index.html
Github 地址: https://github.com/mesonbuild/meson

ninja编译

Meson 和 Ninja 通常会配合使用，Meson 负责构建项目依赖关系，Ninja 负责编译代码。Ninja 是一个轻量的构建系统，主要关注构建的速度。Ninja 使用 .ninja 文件定义构建规则，语法简洁，通常由 Meson 等工具自动生成。

Ninja 官网: https://ninja-build.org/
Github 地址：https://github.com/ninja-build/ninja

Rocky 9.6

1、克隆项目

1
2
3

yum install vim tree curl wget tree

git clone -b nm-1-52 https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git

2、打开rocky devel repo，将 enable 改为1，要不有些 devel 包找不到

vim /etc/yum.repos.d/rocky-devel.repo

[rocky-devel]
name=Rocky Linux $releasever - Devel
baseurl=https://mirrors.rockylinux.org/$contentdir/$releasever/devel/$basearch/os/
enabled=1  # 改为 1 启用
gpgcheck=1
gpgkey=/etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

yum makecache

3、安装 Meson 和 Ninja

yum install python3-pip

pip3 config set global.index-url https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple

pip3 install ninja meson

ln /usr/local/bin/meson -s /usr/bin/meson

ln /usr/local/bin/ninja -s /usr/bin/ninja

4、安装 NetworkManager 所需要的依赖。怎么确定这些依赖呢？项目依赖可以在 meson.build 文件中搜索dependency配置项。

yum install -y cmake uuid libuuid-devel libudev-devel dbus-devel glib2-devel libndp-devel gobject-introspection-devel libaudit-devel audit-libs-devel polkit-devel gnutls-devel nss-devel nspr-devel ppp-devel ModemManager-glib-devel mobile-broadband-provider-info-devel jansson-devel libpsl-devel libcurl-devel readline-devel libedit-devel newt-devel

5、执行 Meson 构建和 Ninja 编译

1
2
3

cd NetworkManager && meson build

cd build && ninja

ninja 会显示编译进度，执行的很快:

1	[649/988] Compiling C object src/core/libNetworkManager.a.p/devices_nm-device-ip-tunnel.c.o

Ubuntu 20.04

1、克隆项目

1
2
3

apt install vim tree curl wget tree git

git clone -b nm-1-52 https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git

2、安装 Meson 和 Ninja

python3 -m pip install --upgrade pip

ln -s /usr/local/bin/pip3 /usr/bin/pip

pip config set global.index-url https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple


pip3 install ninja meson

3、安装 NetworkManager 所需要的依赖，因为 20.04 默认的 Cmake 版本对于 Meson 最新版本来说低一些，所以需要先处理下 CMake PPA 源。

wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | gpg --dearmor - | sudo tee /usr/share/keyrings/kitware-archive-keyring.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/kitware-archive-keyring.gpg] https://apt.kitware.com/ubuntu/ focal main' | sudo tee /etc/apt/sources.list.d/kitware.list >/dev/null
apt-get update
apt-get install kitware-archive-keyring
rm /usr/share/keyrings/kitware-archive-keyring.gpg
apt-get install cmake

apt install -y build-essential libdbus-glib-1-dev libglib2.0-dev libnm-dev libssl-dev libxml2-dev libreadline-dev gettext autogen autoconf automake libtool libevdev-dev libsystemd-dev libglib2.0-dev libjson-glib-dev libunistring-dev check valgrind swig libndp-dev libgirepository1.0-dev gobject-introspection gir1.2-glib-2.0 libaudit-dev libpolkit-gobject-1-dev  libgnutls28-dev libnss3-dev libnspr4-dev gnutls-bin ppp-dev libmm-glib-dev  dhcpcd5 libjansson-dev libpsl-dev libcurl4-openssl-dev libnewt-dev xsltproc uuid

4、执行 Meson 构建和 Ninja 编译

1
2
3

cd NetworkManager && meson build

cd build && ninja

构建、编译完成

1、在上面执行 meson build 通过后会生成如下内容，证明可以进入到 ninja 阶段。如果有报错提示，就按信息解决即可。

Message: 
System paths:
  prefix: /usr/local
  exec_prefix: /usr/local
  systemdunitdir: /usr/local/lib/systemd/system
  udev_dir: /usr/local/lib/udev
  nmbinary: /usr/local/sbin/NetworkManager
  nmconfdir: /usr/local/etc/NetworkManager
  nmlibdir: /usr/local/lib/NetworkManager
  nmdatadir: /usr/local/share/NetworkManager
  nmstatedir: /var/local/lib/NetworkManager
  nmrundir: /var/local/run/NetworkManager
  nmvpndir: /usr/local/lib/x86_64-linux-gnu/NetworkManager
  nmplugindir: /usr/local/lib/x86_64-linux-gnu/NetworkManager/1.52.1
  system_ca_path: /etc/ssl/certs
  dbus_conf_dir: /usr/local/share/dbus-1/system.d

Platform:
  session tracking: systemd-logind,consolekit
  suspend/resume: systemd
  policykit: true (default: true) (restrictive modify.system)
  polkit-agent-helper-1: /usr/lib/policykit-1/polkit-agent-helper-1
  selinux: true
  systemd-journald: true (default: logging.backend=journal)
  hostname persist: default
  libaudit: true (default: logging.audit=true)

Features:
  wext: true
  wifi: true
  iwd:  false
  pppd: true /usr/sbin/pppd plugins:/usr/local/lib/x86_64-linux-gnu/pppd/2.4.9
  jansson: yes (soname: libjansson.so.4)
  iptables: "/usr/sbin/iptables"
  ip6tables: "/usr/sbin/ip6tables"
  nft: "/usr/sbin/nft"
  modprobe: "/usr/sbin/modprobe"
  modemmanager-1: true
  mobile-broadband-provider-info-database: /usr/share/mobile-broadband-provider-info/serviceproviders.xml
  ofono: false
  concheck: true
  libteamdctl: false
  ovs: true
  nmcli: true
  nmtui: true
  nm-cloud-setup: true

Configuration_plugins (main.plugins=)
  ifcfg-rh: false (deprecated)
    default value of main.migrate-ifcfg-rh: false
  ifupdown: true

Handlers for /etc/resolv.conf:
  resolvconf: true /usr/sbin/resolvconf
  netconfig: false

  config-dns-rc-manager-default: auto

DHCP clients (default internal):
  dhcpcd: true /usr/sbin/dhcpcd
  dhclient: false (deprecated)


Miscellaneous:
  have introspection: true
  build documentation and manpages: false
  firewalld zone for shared mode: true
  tests: yes
  more-asserts: 0
  more-logging: true
  warning-level: 2
  valgrind: false
  code coverage: false
  LTO: false
  Linker garbage collection: true
  crypto: nss (have-gnutls: true, have-nss: true)
  sanitizers: none
  Mozilla Public Suffix List: true
  vapi: false
  ebpf: false
  readline: libreadline

Build targets in project: 369

Found ninja-1.11.1.git.kitware.jobserver-1 at /usr/local/bin/ninja
WARNING: Running the setup command as `meson [options]` instead of `meson setup [options]` is ambiguous and deprecated.

2、ninja 执行完进度条会消失掉，直接进去看文件即可。编译 NetworkManager 完成后的目录及大小

du -sh ./* | sort -h -r
1.2G    ./src
18M     ./introspection
8.9M    ./po
2.9M    ./meson-private
1.8M    ./build.ninja
1.2M    ./meson-info
1012K   ./compile_commands.json
664K    ./examples
200K    ./data
124K    ./meson-logs
8.0K    ./meson-uninstalled
8.0K    ./config.h
4.0K    ./config-extra.h

3、NetworkManager 编译后的产物会分散在 src 下的各个子目录中，如果有安装需要，可以执行 ninja install 命令。

到这里学习就结束啦☺️

参考链接

1、https://apt.kitware.com/
2、https://people.freedesktop.org/~lkundrak/nm-docs/NetworkManager.conf.html
3、https://www.alibabacloud.com/help/zh/alinux/user-guide/networkmanager-configuration-files-and-common-configurations

单机部署K3s服务并接入Kuboard

2025-03-26T15:29:09.000Z

在Kubernetes上做实验或者写一些自己的小工具时，通常要搭建一个环境用来学习，采用K3s的方式在单机服务器上搭建一套环境是占用资源较少的方式，并且配置上Kuboard进行管理后会更容易操作。本文就记录下环境搭建的步骤。

环境准备

这里采用一台2C、2G配置的腾讯云 22.04.5 LTS (Jammy Jellyfish) 云主机进行，环境为初始化系统，未安装任何服务。

1、先进行系统更新，保证系统内版本是最新的。

1	apt update && apt upgrade -y && apt autoremove -y && reboot

2、安装Docker 25.0.5
这里我选择安装Docker 25.0.5版本作为K3s安装的runtime。

$ apt install apt-transport-https ca-certificates curl gnupg lsb-release -y
$ curl -fsSL https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc

$ echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu/ \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

$ apt update

#查找可用的docker版本
$ apt-cache madison docker-ce

# 安装Docker
$ apt install docker-ce=5:25.0.5-1~ubuntu.22.04~jammy docker-ce-cli=5:25.0.5-1~ubuntu.22.04~jammy containerd.io -y

3、确认Dokcer安装完成

1
2
3

$ systemctl status docker

$ docker info

4、配置成稳定的Dokcer镜像源

$ sudo tee /etc/docker/daemon.json <<-'EOF'
{
    "registry-mirrors": [
        "https://docker.m.daocloud.io"
    ]
}
EOF
$ systemctl daemon-reload
$ systemctl restart docker

K3S部署

K3s社区已经将所需的K3s资源都同步到了国内的服务器上，可以使用这些国内资源在国内环境上安装K3s，提升了安装速度的同时也提升了安装的稳定性。K3s默认使用containerd作为容器runtime，这里进行修改，选择Docker作为容器runtime。

1、执行安装脚本，使用Docker作为runtime，并设置默认registry地址为registry.cn-hangzhou.aliyuncs.com。

# 使用Docker作为runtime，使用该命令
$ curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -s - --docker --system-default-registry "registry.cn-hangzhou.aliyuncs.com"

# 默认使用containerd作为runtime，使用该命令
$ curl –sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -s - --system-default-registry "registry.cn-hangzhou.aliyuncs.com"

[INFO]  Finding release for channel stable
[INFO]  Using v1.31.6+k3s1 as release
[INFO]  Downloading hash rancher-mirror.rancher.cn/k3s/v1.31.6-k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary rancher-mirror.rancher.cn/k3s/v1.31.6-k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Skipping installation of SELinux RPM
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Skipping /usr/local/bin/ctr symlink to k3s, command exists in PATH at /usr/bin/ctr
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s

2、可以等待几分钟后，再查看K3s工作状态：

$ systemctl status k3s
● k3s.service - Lightweight Kubernetes
     Loaded: loaded (/etc/systemd/system/k3s.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2025-03-27 00:21:18 CST; 3min ago
       Docs: https://k3s.io
    Process: 26559 ExecStartPre=/bin/sh -xc ! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service 2>/dev/null (code=exited, status=0/SUCCESS)
    Process: 26561 ExecStartPre=/sbin/modprobe br_netfilter (code=exited, status=0/SUCCESS)
    Process: 26562 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
   Main PID: 26563 (k3s-server)
      Tasks: 16
     Memory: 483.3M
        CPU: 21.133s
     CGroup: /system.slice/k3s.service
             ├─26563 "/usr/local/bin/k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "">
             └─28640 "/usr/local/bin/k3s server" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "">

$ kubectl get pods --all-namespaces
NAMESPACE     NAME                                      READY   STATUS      RESTARTS   AGE
kube-system   coredns-7f9dc8d998-jl8q8                  1/1     Running     0          93s
kube-system   helm-install-traefik-crd-4v5w2            0/1     Completed   0          93s
kube-system   helm-install-traefik-tjs4j                0/1     Completed   2          93s
kube-system   local-path-provisioner-864d7dff5d-5rph4   1/1     Running     0          93s
kube-system   metrics-server-69969b57cb-k7g2q           1/1     Running     0          93s
kube-system   svclb-traefik-98e2a50a-h5n6s              2/2     Running     0          34s
kube-system   traefik-57d9d494d7-x52jb                  1/1     Running     0          34s

3、同时可以在Docker中查看image和container变化：

$ docker image ls
REPOSITORY                                                           TAG                    IMAGE ID       CREATED        SIZE
registry.cn-hangzhou.aliyuncs.com/rancher/mirrored-library-traefik   2.11.20                d7d7095a482f   7 weeks ago    178MB
registry.cn-hangzhou.aliyuncs.com/rancher/local-path-provisioner     v0.0.31                8309ed19e06b   2 months ago   60.4MB
registry.cn-hangzhou.aliyuncs.com/rancher/klipper-helm               v0.9.4-build20250113   cf1d4e2d0dbd   2 months ago   190MB
....

$ docker ps
CONTAINER ID   IMAGE                                                                COMMAND                  CREATED         STATUS         PORTS     NAMES
624e32c551a8   registry.cn-hangzhou.aliyuncs.com/rancher/mirrored-library-traefik   "/entrypoint.sh --gl…"   5 minutes ago   Up 5 minutes             k8s_traefik_traefik-57d9d494d7-x52jb_kube-system_1562282c-dbdb-490b-bf7e-85a6e4ebc251_0
f1a36596c826   b82360cf0b97                                                         "entry"                  5 minutes ago   Up 5 minutes             k8s_lb-tcp-443_svclb-traefik-98e2a50a-h5n6s_kube-system_2e314526-1424-4989-9dea-09023c830c05_0
ecdd527845ce   registry.cn-hangzhou.aliyuncs.com/rancher/klipper-lb                 "entry"                  5 minutes ago   Up 5 minutes             k8s_lb-tcp-80_svclb-traefik-98e2a50a-h5n6s_kube-system_2e314526-1424-4989-9dea-09023c830c05_0
......

containerd

1、如果是选择containerd作为容器runtime，则还要配置k3s containerd的镜像源并重启K3s，K3s启动时会检查/etc/rancher/k3s/中是否存在registries.yaml文件，并指示containerd使用文件中定义的镜像仓库。

$ cat >> /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "docker.io":
    endpoint:
      - "https://docker.m.daocloud.io"
EOF

$ systemctl restart k3s

# 确认镜像配置
$ cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/docker.io/hosts.toml
mirrors:
  "docker.io":
    endpoint:
      - "https://docker.m.daocloud.io"

# 查看k3s containerd 的 socket
$ ls -lrt /run/k3s/containerd/containerd.sock
srw-rw---- 1 root root 0 Mar 27 01:29 /run/k3s/containerd/containerd.sock

2、containerd提供ctr和crictl工具，查看k3s containerd拉取的镜像：

$ k3s ctr image ls
REF                                                                                                                                        TYPE                                    DIGEST                                                                  SIZE      PLATFORMS                                                                                               LABELS                                                          
registry.cn-hangzhou.aliyuncs.com/rancher/klipper-helm:v0.9.4-build20250113                                                                application/vnd.oci.image.index.v1+json sha256:6b33b9efa5b89c2606e777b137e9959fbcd4364501d19c0c746d0cc8f32026d9 67.2 MiB  linux/amd64,linux/arm,linux/arm64/v8                                                                    io.cri-containerd.image=managed    
......

或
$ crictl image ls
root@VM-8-16-ubuntu:/home/ubuntu# crictl image ls
IMAGE                                                                TAG                    IMAGE ID            SIZE
registry.cn-hangzhou.aliyuncs.com/rancher/klipper-helm               v0.9.4-build20250113   cf1d4e2d0dbd1       70.4MB
......

3、对于习惯使用Docker的小伙伴来说，ctr和crictl的操作和Docker还是有所区别，这里可以使用nerdctl与K3s集成，nerdctl是一个与Docker cli风格兼容的containerd客户端工具，而且直接兼容docker compose的语法。
1）下载nerdctl并解压

1
2
3

$ wget https://github.com/containerd/nerdctl/releases/download/v2.0.4/nerdctl-full-2.0.4-linux-amd64.tar.gz

$ tar -xvf nerdctl-full-2.0.4-linux-amd64.tar.gz

2）nerdctl操作K3s自带的containerd，注意此处必须额外指定--namespace=k8s.io

$ ./bin/nerdctl -H /run/k3s/containerd/containerd.sock --namespace=k8s.io images
REPOSITORY                                                            TAG                     IMAGE ID        CREATED           PLATFORM       SIZE       BLOB SIZE
registry.cn-hangzhou.aliyuncs.com/rancher/mirrored-library-traefik                      21f5c16b2215    22 hours ago    linux/amd64    180.4MB    49.45MB
                                                                                  21f5c16b2215    22 hours ago    linux/amd64    180.4MB    49.45MB
........

$ ./bin/nerdctl -H /run/k3s/containerd/containerd.sock --namespace=k8s.io ps
CONTAINER ID    IMAGE                                                                         COMMAND                   CREATED           STATUS    PORTS    NAMES
7db864ef1a2c    registry.cn-hangzhou.aliyuncs.com/rancher/mirrored-library-traefik:2.11.20    "/entrypoint.sh --gl…"    22 hours ago    Up                 k8s://kube-system/traefik-57d9d494d7-wn6nx/traefik

Pod测试

服务部署好以后，这里通过启动一个nginx pod来验证是否可以正常使用
1、编写

$ cat nginx-deployment.yml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.26.3

2、创建deployment并查看pod

$ kubectl apply -f nginx-deployment.yml 
deployment.apps/nginx-deployment created

$ kubectl get pod
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-74bd454fc9-kqjnj   1/1     Running   0          41s

到这里就说明服务OK，可以正常使用，但通过命令操作起来仍然是相对繁琐的，接下来安装Kuboard来管理刚部署的K3s服务。

Kuboard接入

1、创建一个脚本，并执行Kuboard的部署:

$cat kuboard-install.sh 
docker run -itd \
  --restart=unless-stopped \
  --name=kuboard \
  -p 18080:80/tcp \
  -p 10081:10081/tcp \
  -e KUBOARD_ENDPOINT="http://{内网IP}:80" \
  -e KUBOARD_AGENT_SERVER_TCP_PORT="10081" \
  -v /root/kuboard-data:/data \
  eipwork/kuboard:v3

$ sh kuboard-install.sh

$ docker ps -a | grep kuboard
ae14cf2e2ae5   eipwork/kuboard:v3                                                   "/entrypoint.sh"         13 seconds ago   Up 12 seconds               443/tcp, 0.0.0.0:10081->10081/tcp, :::10081->10081/tcp, 0.0.0.0:18080->80/tcp, :::18080->80/tcp   kuboard

# 通过logs确认kuboard启动正常
$ docker logs kuboard

Kuboard安装完成后的默认口令是：admin/Kuboard123

该口令目前是弱口令，建议安装完成后，立即在个人设置中进行修改。

2、在腾讯云主机防火墙上新建一条放行策略，允许访问云主机的18080端口，并通过默认口令登录。

3、点击添加集群，可以看到支持通过Token、KuboConfig、Kuboard Agent三种方式添加Kubernetes 集群。这里我选择Token方式，按照操作说明添加即可。

4、添加完成后，即可在Kuboard中进行各种操作了。

参考

1、https://docs.rancher.cn/docs/k3s/quick-start/_index
2、https://forums.rancher.cn/t/k3s/1416
3、https://kuboard.cn/install/v3/install-built-in.html
4、https://docs.rancher.cn/docs/k3s/installation/private-registry/_index/
5、https://docs.k3s.io/installation/private-registry
6、https://github.com/containerd/nerdctl/issues/128#issuecomment-803544231

Golang中http.Client Transport配置与TIME_WAIT现象

2025-02-01T04:54:26.000Z

2025年的第一篇文章，祝大家新年快乐(#^.^#)

本文用于记录在Golang中使用net/http包的Client时Transport配置不当，同时遇到大量并发请求时引起的TIME_WAIT问题，文章中会通过demo程序复现。

环境准备

此前定位的故障环境是物理机，系统是CentOS 7.6。众所周知，本地IP地址可使用的端口范围是有限的，可以通过如下命令查看：

$ sysctl -a | grep net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768    60999
或者
$ cat /proc/sys/net/ipv4/ip_local_port_range
32768   60999

那么可以计算得出本地可用端口为28231个。

这里为了便于复现场景，采用docker容器的形式进行，同时在启动容器时就限制容器内的net.ipv4.ip_local_port_range参数。

1	$ docker run -itd --sysctl net.ipv4.ip_local_port_range="32768 36768" golang:1.20.14-bullseye

这里允许本地可用端口为4000个，使用wrk工具可以非常容易的打满这个限制。

故障复现

为了复现故障，这里需要准备两个demo程序，都使用Gin框架提供HTTP服务。
1、backends程序，监听8088端口，用于提供的简单的ping、pong应答：

package main

import "github.com/gin-gonic/gin"

func main() {
gin.SetMode(gin.ReleaseMode)
r := gin.Default()
r.GET("/ping", func(c *gin.Context) {
c.JSON(200, gin.H{
"message": "pong",
})
})
r.Run(":8088")
}

进行编译：

1	$ go build -o backends

2、transponder程序，监听8080端口，起到一个代理请求的作用，tping路由下的请求，会再向8088下的ping路由发起HTTP请求。

package main

import (
"fmt"
"io"
"net/http"
"encoding/json"
"github.com/gin-gonic/gin"
)

type ping struct {
Message string `json:"message"`
}

func main() {
gin.SetMode(gin.ReleaseMode)
gin.DefaultWriter = io.Discard
r := gin.Default()

url := "http://127.0.0.1:8088/ping"

//直接使用默认的 http.Client
client := &http.Client{}

r.GET("/tping", func(c *gin.Context) {
req, err := http.NewRequest("GET", url, nil)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{
"error": fmt.Sprintf("http.NewRequest failed: %v", err),
})
return
}

resp, err := client.Do(req)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{
"error": fmt.Sprintf("get failed: %v", err),
})
return
}
defer resp.Body.Close()

if resp.StatusCode != http.StatusOK {
c.JSON(resp.StatusCode, gin.H{
"error": fmt.Sprintf("request failed with status code: %d", resp.StatusCode),
})
return
}

body, err := io.ReadAll(resp.Body)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{
"error": fmt.Sprintf("read body failed: %v", err),
})
return
}

var tping ping
err = json.Unmarshal(body, &tping)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{
"error": fmt.Sprintf("unmarshal failed: %v", err),
})
return
}

c.JSON(200, gin.H{
"data": tping.Message,
})
})

r.Run(":8080")
}

进行编译：

1	$ go build -o transponder_v1

3、分别在上面准备好的容器内启动程序backends、transponder_v1，通过curl请求验证，服务都正常：

root@d76a1f6b4069:/opt# curl http://127.0.0.1:8088/ping
{"message":"pong"} 

root@d76a1f6b4069:/opt# curl http://127.0.0.1:8080/tping
{"data":"pong"}

且环境中是的网络情况是较为简单的，只有启动的两个服务。

root@d76a1f6b4069:/go# netstat -anlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp6       0      0 :::8080                 :::*                    LISTEN      953/./transponder_v 
tcp6       0      0 :::8088                 :::*                    LISTEN      579/./backends      
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path

root@d76a1f6b4069:/go# ss -s
Total: 652
TCP:   29 (estab 0, closed 27, orphaned 0, timewait 1)

Transport Total     IP        IPv6
RAW       0         0         0        
UDP       0         0         0        
TCP       2         0         2        
INET      2         0         2        
FRAG      0         0         0

4、准备好wrk程序，并启动wrk程序进行压力请求，这里采用8个thread、600 connection，持续180秒:

root@d76a1f6b4069:/opt# ./wrk -t 8 -c 600 -d 180s http://127.0.0.1:8080/tping
Running 3m test @ http://127.0.0.1:8080/tping
  8 threads and 600 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency   574.59ms  611.03ms   2.00s    75.02%
    Req/Sec    67.71     58.33   721.00     86.88%
  96018 requests in 3.00m, 19.79MB read
  Socket errors: connect 0, read 0, write 0, timeout 21152
  Non-2xx or 3xx responses: 57687
Requests/sec:    533.16
Transfer/sec:    112.52KB

此处先贴上wrk执行结果，在执行中观察下面第五点的结果。

5、等待十几秒后，通过以下命令即可观察到TIME_WAIT现象:
1）多次curl请求8080下tping路由，均获得错误响应

1 2	root@d76a1f6b4069:/opt# curl http://127.0.0.1:8080/tping {"error":"get failed: Get \"http://127.0.0.1:8088/ping\": dial tcp 127.0.0.1:8088: connect: cannot assign requested address"}

虽然transponder_v1没有崩溃，但在curl请求下，服务器已经无法正常返回pong结果，同时告知了错误。

2）ss命令

root@d76a1f6b4069:/go# ss -s
Total: 2637
TCP:   5730 (estab 1780, closed 3948, orphaned 0, timewait 3712)

Transport Total     IP        IPv6
RAW       0         0         0        
UDP       0         0         0        
TCP       1782      890       892      
INET      1782      890       892      
FRAG      0         0         0

通过ss的结果，可以看出，当前wrk压力请求产生的连接已经远超我们设置的本地端口范围4000个限制。

3）netstat筛选
通过上面ss的结果，可以看到建立了很多连接，可以筛选看下详细情况。

root@d76a1f6b4069:/go# netstat -anlp | grep ESTABLISHED 
tcp6      45      0 127.0.0.1:8080          127.0.0.1:34111         ESTABLISHED 598/./transponder_v 
tcp6       0      0 127.0.0.1:8080          127.0.0.1:34461         ESTABLISHED 598/./transponder_v 
tcp6       0      0 127.0.0.1:8088          127.0.0.1:34845         ESTABLISHED 579/./backends      
tcp6      45      0 127.0.0.1:8080          127.0.0.1:34635         ESTABLISHED 598/./transponder_v 
tcp6       0      0 127.0.0.1:8080          127.0.0.1:34877         ESTABLISHED 598/./transponder_v 
tcp6      45      0 127.0.0.1:8080          127.0.0.1:33851         ESTABLISHED 598/./transponder_v 
tcp6      45      0 127.0.0.1:8080          127.0.0.1:34745         ESTABLISHED 598/./transponder_v 
tcp6      45      0 127.0.0.1:8080          127.0.0.1:34001         ESTABLISHED 598/./transponder_v 
tcp6       0      0 127.0.0.1:8080          127.0.0.1:33727         ESTABLISHED 598/./transponder_v 
tcp6      45      0 127.0.0.1:8080          127.0.0.1:34981         ESTABLISHED 598/./transponder_v 
tcp6       0      0 127.0.0.1:8088          127.0.0.1:36216         ESTABLISHED 579/./backends      
tcp6       0      0 127.0.0.1:8088          127.0.0.1:36647         ESTABLISHED 579/./backends      
.......

root@d76a1f6b4069:/go# netstat -anlp | grep TIME_WAIT
tcp        0      0 127.0.0.1:35690         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:33959         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:34872         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:33673         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:35497         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:35692         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:32972         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:34505         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:33402         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:36374         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:33676         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:33601         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:33902         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:33624         127.0.0.1:8088          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:36397         127.0.0.1:8088          TIME_WAIT   -   
........

root@d76a1f6b4069:/go# netstat -anlp | grep TIME_WAIT | wc -l
3768

root@d76a1f6b4069:/go# netstat -anlp | grep ESTABLISHED | wc -l
1666

通过分析netstat筛选的结果，可以看到8088端口产生了大量的TIME_WAIT，同时backends和transponder_v1之间也产生了大量的ESTAB，和ss的结果能够对应上。

分析现象

通过上面的步骤，已经复现出TIME_WAIT出现的现象，每个处于TIME_WAIT状态的连接会占用一个本地端口，当TIME_WAIT连接过多时，可能会导致本地端口资源耗尽，从而影响新连接的建立。过多的TIME_WAIT连接会增加系统内核的管理负担，影响系统的整体性能。

那么我们的demo也非常简单，同时根据curl请求返回的错误信息connect: cannot assign requested address，经过查找资料和源码阅读，那么问题出现在transponder_v1程序上。

来看这一行代码：

1 2	// 直接使用默认的 http.Client client := &http.Client{}

从IDE跳过去以后，查看Client方法：

type Client struct {
// Transport specifies the mechanism by which individual
// HTTP requests are made.
// If nil, DefaultTransport is used.
Transport RoundTripper
    ......
}

func (c *Client) transport() RoundTripper {
if c.Transport != nil {
return c.Transport
}
return DefaultTransport
}

其中说明了Transport指定了发出单个HTTP请求的机制。如果为空，则使用DefaultTransport。再继续往下看：

// DefaultTransport is the default implementation of Transport and is
// used by DefaultClient. It establishes network connections as needed
// and caches them for reuse by subsequent calls. It uses HTTP proxies
// as directed by the environment variables HTTP_PROXY, HTTPS_PROXY
// and NO_PROXY (or the lowercase versions thereof).
var DefaultTransport RoundTripper = &Transport{
Proxy: ProxyFromEnvironment,
DialContext: defaultTransportDialContext(&net.Dialer{
Timeout:   30 * time.Second,
KeepAlive: 30 * time.Second,
}),
ForceAttemptHTTP2:     true,
MaxIdleConns:          100,
IdleConnTimeout:       90 * time.Second,
TLSHandshakeTimeout:   10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
}

// DefaultMaxIdleConnsPerHost is the default value of Transport's
// MaxIdleConnsPerHost.
const DefaultMaxIdleConnsPerHost = 2

可以看出DefaultTransport是Transport的默认实现，由DefaultClient使用。它根据需要建立网络连接，并缓存这些连接供后续调用重复使用。但这里面有两个关键的参数设置MaxIdleConnsPerHost和MaxIdleConns。

type Transport struct {
    ......
// MaxIdleConns controls the maximum number of idle (keep-alive)
// connections across all hosts. Zero means no limit.
MaxIdleConns int

// MaxIdleConnsPerHost, if non-zero, controls the maximum idle
// (keep-alive) connections to keep per-host. If zero,
// DefaultMaxIdleConnsPerHost is used.
MaxIdleConnsPerHost int

// MaxConnsPerHost optionally limits the total number of
// connections per host, including connections in the dialing,
// active, and idle states. On limit violation, dials will block.
//
// Zero means no limit.
MaxConnsPerHost int

// IdleConnTimeout is the maximum amount of time an idle
// (keep-alive) connection will remain idle before closing
// itself.
// Zero means no limit.
IdleConnTimeout time.Duration
    ......
}

其中MaxIdleConns默认设置连接池的大小为100个连接，MaxIdleConnsPerHost默认为2，导致只会保留2个连接，而将其他的连接主动关闭进入TIME_WAIT状态。而使用wrk进行压力请求，会产生很多TIME_WAIT状态的连接。最终会耗尽主机的所有可用端口，从而导致无法打开新的连接。进而产生错误返回connect: cannot assign requested address。

所以需要根据实际情况，通过性能测试、参考经验值和生产监控去逐步调整MaxIdleConnsPerHost和MaxIdleConns的参数。

程序优化

知道原因后，通过资料检索，可以对Transport进行配置:

package main

import (
"fmt"
"io"
"net/http"
"encoding/json"
"github.com/gin-gonic/gin"
)

type ping struct {
Message string `json:"message"`
}

func main() {
gin.SetMode(gin.ReleaseMode)
gin.DefaultWriter = io.Discard
r := gin.Default()

url := "http://127.0.0.1:8088/ping"

defaultRoundTripper := http.DefaultTransport
defaultTransportPointer, ok := defaultRoundTripper.(*http.Transport)
if !ok {
fmt.Println("defaultRoundTripper not an *http.Transport")
return
}
defaultTransport := *defaultTransportPointer
defaultTransport.MaxIdleConns = 1000
defaultTransport.MaxIdleConnsPerHost = 1000
client := &http.Client{Transport: &defaultTransport}

// 直接使用默认的 http.Client
// client := &http.Client{}

r.GET("/tping", func(c *gin.Context) {
req, err := http.NewRequest("GET", url, nil)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{
"error": fmt.Sprintf("http.NewRequest failed: %v", err),
})
return
}

resp, err := client.Do(req)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{
"error": fmt.Sprintf("get failed: %v", err),
})
return
}
defer resp.Body.Close()

if resp.StatusCode != http.StatusOK {
c.JSON(resp.StatusCode, gin.H{
"error": fmt.Sprintf("request failed with status code: %d", resp.StatusCode),
})
return
}

body, err := io.ReadAll(resp.Body)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{
"error": fmt.Sprintf("read body failed: %v", err),
})
return
}

var tping ping
err = json.Unmarshal(body, &tping)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{
"error": fmt.Sprintf("unmarshal failed: %v", err),
})
return
}

c.JSON(200, gin.H{
"data": tping.Message,
})
})

r.Run(":8080")
}

进行编译：

1	$ go build -o transponder_v2

停止transponder_v1的程序，运行transponder_v2程序，重新进行wrk压测，并在执行中观察curl和ss情况，会发现，TIME_WAIT现象已经消失。
1）wrk请求：

root@d76a1f6b4069:/opt# ./wrk -t 8 -c 600 -d 180s http://127.0.0.1:8080/tping
Running 3m test @ http://127.0.0.1:8080/tping
  8 threads and 600 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency   195.39ms  239.25ms   1.84s    90.57%
    Req/Sec   606.10    214.25     1.30k    72.97%
  531584 requests in 3.00m, 69.96MB read
  Socket errors: connect 0, read 0, write 0, timeout 600
Requests/sec:   2951.69
Transfer/sec:    397.79KB

对比上面的wrk结果，优化后的wrk结果已经没有Non-2xx or 3xx responses，同时timeout数量明显减少。

2）执行多次curl请求，均能获取正常响应。

1 2	root@d76a1f6b4069:/opt# curl http://127.0.0.1:8080/tping {"data":"pong"}

3）ss命令中大量TIME_WAIT同样消失。

root@d76a1f6b4069:/go# ss -s
Total: 3044
TCP:   2437 (estab 2400, closed 35, orphaned 0, timewait 9)

Transport Total     IP        IPv6
RAW       0         0         0        
UDP       0         0         0        
TCP       2402      1200      1202     
INET      2402      1200      1202     
FRAG      0         0         0

到这里故障复现就结束了，也找到了解决方法。

总结下经验，在排查问题时netstat和ss是非常有用的工具，通过他们去观察网络情况，可以很快的分析出具体问题。同时研发实现过程中一定要考虑好调用关系，做好自测和压测。

参考

1、https://studygolang.com/articles/28263
2、https://pkg.go.dev/net/http#Transport