Skip to content

MySQL 8.0 for Database Administrators OCP 课程习题5

5.Skill Check Monitoring MySQL

Examine this output: | HOST | USER | ROLE | ENABLED | HISTORY | | % | % | % | YES | YES | 1 row in set (#.## sec) Which command produces this?

SELECT * FROM setup_objects LIMIT 5\G;

SELECT * FROM setup_actors LIMIT 5\G;

SELECT * FROM setup_instruments LIMIT 5\G;

SELECT * FROM setup_consumers LIMIT 5\G;

What can be configured by modifying the Performance Schema setup_actors table?

foreground threads that are monitored

stored procedures that are monitored

server metrics that are collected

thread classes that are instrumented

How does a Performance Schema provide insight into database activity? (Choose three)

By analyzing I/O wait statistics

By analyzing historical performance data

By interpreting the Performance Schema to DBAs for diagnostic use cases

By analyzing errors that occur on the system

By analyzing which queries are running

By analyzing the audit record of server activity in log files

Which Performance Schema instruments have no subcomponents? (Choose three)

idle

memory

statement

error

transaction

stage

Which command configures and enables slow query logging?

SET GLOBAL slow_query_log_file=’slow-query.log’;

SET GLOBAL log_output=’TABLE’;

SET GLOBAL slow_query_log=ON;

SET SESSION long_query_time=0.5;

Why is the General Query Log used in MySQL? (Choose two)

To record statements where execution time exceeds a specified threshold

To include update operations stored as row-based binary logs on slave servers

To discover queries with excessive execution time.

To record the time and type of each connection and the process ID of all operations

To record all statements executed against all tables

Which command displays collected server metrics stored in the performance schema?

SELECT * FROM setup_objects LIMIT 5\G;

SELECT * FROM setup_actors LIMIT 5\G;

SELECT * FROM setup_consumers LIMIT 5\G;

SELECT * FROM setup_instruments LIMIT 5\G;

Which MySQL logs can be stored in tables? (Choose two)

Slow query log

Error log

Binary log

General query log

Audit log

====

5.Skill Check Monitoring MySQL

Examine this output: | HOST | USER | ROLE | ENABLED | HISTORY | | % | % | % | YES | YES | 1 row in set (#.## sec) Which command produces this?

SELECT * FROM setup_objects LIMIT 5\G;

SELECT * FROM setup_actors LIMIT 5\G;

SELECT * FROM setup_instruments LIMIT 5\G;

SELECT * FROM setup_consumers LIMIT 5\G;

答案:

SELECT * FROM setup_actors LIMIT 5\G;

What can be configured by modifying the Performance Schema setup_actors table?

foreground threads that are monitored

stored procedures that are monitored

server metrics that are collected

thread classes that are instrumented

答案:

foreground threads that are monitored

说明:
Performance Schema Setup Tables
You configure the Performance Schema by modifying the contents of the setup_% tables.
• setup_actors: Which foreground threads (client connections) are monitored
• setup_objects: Which database objects (tables, stored procedures, triggers, events)
are monitored
• setup_threads: Which thread classes are instrumented
• setup_instruments: Which server metrics the Performance Schema collects
• setup_consumers: Where the instrumented events are stored

How does a Performance Schema provide insight into database activity? (Choose three)

By analyzing I/O wait statistics

By analyzing historical performance data

By interpreting the Performance Schema to DBAs for diagnostic use cases

By analyzing errors that occur on the system

By analyzing which queries are running

By analyzing the audit record of server activity in log files

答案:
By analyzing I/O wait statistics

By analyzing historical performance data

By analyzing which queries are running

说明:
Performance Schema
• A set of in-memory tables that MySQL uses to track performance metrics
– Implemented as the PERFORMANCE_SCHEMA storage engine
— Operates on tables in the performance_schema database
• Helps provide insight into database activity. For example:
– Which queries are running
– I/O wait statistics
– Historical performance data
• Only available if support is configured during the build
– Always available in Oracle binary distributions
– If available, it is enabled by default.
— To enable or disable it explicitly, start the server with the
performance_schema variable set to an appropriate value.

Which Performance Schema instruments have no subcomponents? (Choose three)

idle

memory

statement

error

transaction

stage

答案:
idle
error
transaction

说明:
Top-Level Instrument Components
• idle: An instrumented idle event. This instrument has no subcomponents.
• error: An instrumented error event. This instrument has no subcomponents.
• memory: An instrumented memory event
• stage: An instrumented stage event
• statement: An instrumented statement event
• transaction: An instrumented transaction event. This instrument has no further
components.
• wait: An instrumented wait event

Which command configures and enables slow query logging?

SET GLOBAL slow_query_log_file=’slow-query.log’;

SET GLOBAL log_output=’TABLE’;

SET GLOBAL slow_query_log=ON;

SET SESSION long_query_time=0.5;

答案:
SET GLOBAL slow_query_log=ON;

Why is the General Query Log used in MySQL? (Choose two)

To record statements where execution time exceeds a specified threshold

To include update operations stored as row-based binary logs on slave servers

To discover queries with excessive execution time.

To record the time and type of each connection and the process ID of all operations

To record all statements executed against all tables

答案:
To record the time and type of each connection and the process ID of all operations

To record all statements executed against all tables

说明:
General Query Log
• Is enabled by using the general_log server option
• Records connection information and details about statements received
– Records the time and type of each connection and the process ID of all operations
– Records all statements that are executed against all tables
– Excludes update operations stored as row-based binary log on slave servers
• Grows very quickly
– Enable it for short periods to gather a full record of all activities during those periods
• Has a large overhead
– Not feasible to enable it for long periods on busy production systems

Which command displays collected server metrics stored in the performance schema?

SELECT * FROM setup_objects LIMIT 5\G;

SELECT * FROM setup_actors LIMIT 5\G;

SELECT * FROM setup_consumers LIMIT 5\G;

SELECT * FROM setup_instruments LIMIT 5\G;

答案:

SELECT * FROM setup_instruments LIMIT 5\G;

说明:
Performance Schema Setup Tables
You configure the Performance Schema by modifying the contents of the setup_% tables.
• setup_actors: Which foreground threads (client connections) are monitored
• setup_objects: Which database objects (tables, stored procedures, triggers, events)
are monitored
• setup_threads: Which thread classes are instrumented
• setup_instruments: Which server metrics the Performance Schema collects
• setup_consumers: Where the instrumented events are stored

Which MySQL logs can be stored in tables? (Choose two)

Slow query log

Error log

Binary log

General query log

Audit log

答案:

Slow query log

General query log

说明:
Log File Characteristics
• Can use large amounts of disk space
• Can be stored in files
• Can be stored in tables
– General and slow query logs only
• Can be encrypted
– Audit and binary logs only
• Are written in text format
– Except binary log

Posted in Mysql.

Tagged with , .

rev="post-2099" No comments

By C1G 2025/05/29

MySQL 8.0 for Database Administrators OCP 课程习题4

4 Skill Check: Configuring MySQL

Which are server-specific groups in the my.cnf option file? (Choose three)

[mysqld_safe]

[mysqld]

[mysql]

[mysqldump]

[server]

[client]

You changed the maximum number of connections in MySQL. In the variable_info table, the max_connections system variable displays a VARIABLE_SOURCE of DYNAMIC. What does it mean?

The max_connections system variable was set from a server-specific mysqld-auto.cnf option file.

The max_connections system variable has not been configured in any startup file.

The max_connections system variable was set from the my.cnf file.

The max_connections system variable was changed at runtime.

Examine this command and results: SET GLOBAL port = 3303; ERROR 1238 (HY000): Variable “port” is a read only variable. How would you resolve this error? (Choose two)

Change the port option to dynamic in the my.cnf file.

Change the port option to dynamic at the command line.

Change the port number in the mysql-auto.cnf file.

Change the modifier from GLOBAL to SESSION in the command.

Change the default port number in the my.cnf file.

Which command displays the configuration options for a running MySQL server? (Choose two)

# mysqld –verbose –help

mysql> SHOW GLOBAL VARIABLES;

# mysqladmin -uroot -p variables

# systemctl status mysqld

# mysql –print-defaults

Examine this command which executes successfully: SET PERSIST max_connections=99; Which command displays the content of the file that includes this parameter change?

# cat /labs/slap-test-updates.sh

mysql> \! cat /var/lib/mysql/slow-query.log

# cat /labs/multi.cnf

mysql> \! cat /var/lib/mysql/mysqld-auto.cnf | python -m json.tool

Which system variables have both global and session scope in MySQL? (Choose two)

error_count

max_connections

innodb_buffer_pool_size

max_join_size

sort_buffer_size

===

4 Skill Check: Configuring MySQL

Which are server-specific groups in the my.cnf option file? (Choose three)

[mysqld_safe]

[mysqld]

[mysql]

[mysqldump]

[server]

[client]

答案:
[mysqld_safe]
[mysqld]
[server]

You changed the maximum number of connections in MySQL. In the variable_info table, the max_connections system variable displays a VARIABLE_SOURCE of DYNAMIC. What does it mean?

The max_connections system variable was set from a server-specific mysqld-auto.cnf option file.

The max_connections system variable has not been configured in any startup file.

The max_connections system variable was set from the my.cnf file.

The max_connections system variable was changed at runtime.

答案:
The max_connections system variable was changed at runtime.

Examine this command and results: SET GLOBAL port = 3303; ERROR 1238 (HY000): Variable “port” is a read only variable. How would you resolve this error? (Choose two)

Change the port option to dynamic in the my.cnf file.

Change the port option to dynamic at the command line.

Change the port number in the mysql-auto.cnf file.

Change the modifier from GLOBAL to SESSION in the command.

Change the default port number in the my.cnf file.

答案:
Change the port option to dynamic in the my.cnf file.
Change the port option to dynamic at the command line.

Which command displays the configuration options for a running MySQL server? (Choose two)

# mysqld –verbose –help

mysql> SHOW GLOBAL VARIABLES;

# mysqladmin -uroot -p variables

# systemctl status mysqld

# mysql –print-defaults

答案:
mysql> SHOW GLOBAL VARIABLES;
# mysqladmin -uroot -p variables

Examine this command which executes successfully: SET PERSIST max_connections=99; Which command displays the content of the file that includes this parameter change?

# cat /labs/slap-test-updates.sh

mysql> \! cat /var/lib/mysql/slow-query.log

# cat /labs/multi.cnf

mysql> \! cat /var/lib/mysql/mysqld-auto.cnf | python -m json.tool

答案:
mysql> \! cat mysql> \! cat /var/lib/mysql/mysqld-auto.cnf | python -m json.tool

Which system variables have both global and session scope in MySQL? (Choose two)

error_count

max_connections

innodb_buffer_pool_size

max_join_size

sort_buffer_size

答案:
sort_buffer_size
max_join_size

Posted in Mysql.

Tagged with , .

rev="post-2097" No comments

By C1G 2025/05/29

MySQL 8.0 for Database Administrators OCP 课程习题3

3.Skill Check: Understanding MySQL Architecture

How do you set the number of InnoDB buffer pool instances to 12?

Execute SET GLOBAL innodb_buffer_pool_size=12000 1024 1024;

Execute SET GLOBAL innodb_buffer_pool_instances=12;

Add innodb_buffer_pool_instances=12 to /etc/my.cnf

Add innodb_buffer_pool_size=12G to /etc/my.cnf

Which are true about the MyISAM storage engine? (Choose three)

It supports table-level locking

It supports spatial data types and indexes

It supports storing row data and indexes in memory

It supports all data types except spatial data types

It supports FULLTEXT indexes

Which storage engine supports INSERT and SELECT but not DELETE, REPLACE, or UPDATE commands?

ARCHIVE

MyISAM

BLACKHOLE

MEMORY

You must create a table with these attributes: 1. Table name: sqltab1 2. Stored in the general tablespace Which command will do this?

CREATE TABLE sqltab1(a INT PRIMARY KEY, b CHAR(4));

CREATE TABLESPACE myts ADD DATAFILE ‘myts_data1.ibd’;

CREATE TABLE sqltab1(a INT PRIMARY KEY, b CHAR(4)) DATA DIRECTORY=’/datadir2′;

CREATE TABLE sqltab1(a INT PRIMARY KEY) TABLESPACE=myts;

You must create a table with these attributes: 1. Table name: sqltab1 2. A single integer column d 3. Stored in its own default tablespace in the /tablespaces directory Which command will do this?

mysql> CREATE TABLE sqltab1 (d int) TABLESPACE=general;

mysql> CREATE TABLE sqltab1 (d int) TABLESPACE=external;

mysql> CREATE TABLESPACE external ADD DATAFILE ‘/tablespaces/sqltab1.ibd’;

mysql> CREATE TABLE sqltab1 (d INT) DATA DIRECTORY=’/tablespaces’;

Which features are supported by InnoDB? (Choose two)

Hash indexes

Clustered indexes

B-tree indexes

Cluster database support

T-tree indexes

Which MySQL storage engines are transactional and support foreign keys? (Choose two)

BLACKHOLE

NDBCLUSTER

MERGE

InnoDB

MyISAM

====

3.Skill Check: Understanding MySQL Architecture

How do you set the number of InnoDB buffer pool instances to 12?

Execute SET GLOBAL innodb_buffer_pool_size=12000 1024 1024;

Execute SET GLOBAL innodb_buffer_pool_instances=12;

Add innodb_buffer_pool_instances=12 to /etc/my.cnf

Add innodb_buffer_pool_size=12G to /etc/my.cnf

答案:
Add innodb_buffer_pool_instances=12 to /etc/my.cnf

Which are true about the MyISAM storage engine? (Choose three)

It supports table-level locking

It supports spatial data types and indexes

It supports storing row data and indexes in memory

It supports all data types except spatial data types

It supports FULLTEXT indexes

答案:
It supports table-level locking
It supports spatial data types and indexes
It supports FULLTEXT indexes

说明:
MyISAM Storage Engine
• Is used in many legacy systems
– Was the default storage engine before MySQL 5.5
• Is fast and simple, but subject to table corruption if server crashes
– Use REPAIR TABLE to recover corrupted MyISAM tables.
• Supports FULLTEXT indexes
• Supports spatial data types and indexes
• Supports table-level locking
• Supports raw table-level backup and recovery because of the simple file format
• No transactional support
• No support for table partitioning in MySQL 8.0 as compared to MySQL 5.7.

说明:
MySQL RPM Installation Process
• The RPM installation performs the following tasks:
– Extracts RPM files to their default locations
– Registers SysV init or systemd startup scripts
– Sets up the mysql user and group in the operating system
— The MySQL server process runs as the mysql user.
• When you start the service for the first time using service mysqld
start or systemctl start mysqld, MySQL:
– Creates the data directory and the default my.cnf file
— These files are owned by the mysql user and group.
– Creates the default root@localhost account
– Sets up a random temporary password for the root account and
writes that password to the error log file (/var/log/mysqld.log)
— You must change the password before you can use MySQL.

Which storage engine supports INSERT and SELECT but not DELETE, REPLACE, or UPDATE commands?

ARCHIVE

MyISAM

BLACKHOLE

MEMORY

答案:
ARCHIVE

说明:
ARCHIVE Storage Engine
The ARCHIVE storage engine is used for storing large volumes of data in a compressed
format, allowing for a very small footprint. It has these primary characteristics:
• Does not support indexes
• Supports INSERT and SELECT, but not DELETE, REPLACE, or UPDATE
• Supports ORDER BY operations and BLOB columns
• Accepts all data types except spatial data types
• Uses row-level locking
• Supports AUTO_INCREMENT columns
• Disabled by default, need to be enabled to use

You must create a table with these attributes: 1. Table name: sqltab1 2. Stored in the general tablespace Which command will do this?

CREATE TABLE sqltab1(a INT PRIMARY KEY, b CHAR(4));

CREATE TABLESPACE myts ADD DATAFILE ‘myts_data1.ibd’;

CREATE TABLE sqltab1(a INT PRIMARY KEY, b CHAR(4)) DATA DIRECTORY=’/datadir2′;

CREATE TABLE sqltab1(a INT PRIMARY KEY) TABLESPACE=myts;

答案:
CREATE TABLE sqltab1(a INT PRIMARY KEY, b CHAR(4)) TABLESPACE=myts;

You must create a table with these attributes: 1. Table name: sqltab1 2. A single integer column d 3. Stored in its own default tablespace in the /tablespaces directory Which command will do this?

mysql> CREATE TABLE sqltab1 (d int) TABLESPACE=general;

mysql> CREATE TABLE sqltab1 (d int) TABLESPACE=external;

mysql> CREATE TABLESPACE external ADD DATAFILE ‘/tablespaces/sqltab1.ibd’;

mysql> CREATE TABLE sqltab1 (d INT) DATA DIRECTORY=’/tablespaces’;
答案:
mysql> CREATE TABLE sqltab1 (d INT) DATA DIRECTORY=’/tablespaces’;

Which features are supported by InnoDB? (Choose two)

Hash indexes

Clustered indexes

B-tree indexes

Cluster database support

T-tree indexes

答案:

Clustered indexes
B-tree indexes

Which MySQL storage engines are transactional and support foreign keys? (Choose two)

BLACKHOLE

NDBCLUSTER

MERGE

InnoDB

MyISAM
答案:
InnoDB
NDBCLUSTER

说明:
The two MySQL storage engines that are transactional and support foreign keys are:
InnoDB
Transactional: Supports ACID-compliant transactions (COMMIT, ROLLBACK).
Foreign Keys: Enforces referential integrity with foreign key constraints.

NDBCLUSTER (MySQL Cluster)
Transactional: Provides distributed transactions across nodes.
Foreign Keys: Fully supports foreign keys in a clustered environment.

BLACKHOLE: Discards writes (non-transactional), no foreign keys.
MERGE: Combines MyISAM tables (non-transactional), no foreign keys.
MyISAM: Non-transactional, no foreign key support (only table-level locking).

Posted in Mysql.

Tagged with , .

rev="post-2095" No comments

By C1G 2025/05/29

MySQL 8.0 for Database Administrators OCP 课程习题2

2.Skill Check: Installing and Upgrading MySQL

Which command makes mysqld start automatically when the host reboots?

# systemctl enable mysqld.service

# systemctl daemon-reload

# systemctl restart mysqld

# systemctl start mysqld

What does the RPM installation process for MySQL do? (Choose two)

It creates the default my.cnf file

It sets up the mysql user and group in the operating system

It provides a temporary password for the root account

It registers system startup scripts for MySQL services

It creates the default root@localhost account

Which Linux MySQL server installation directories are the base directories? (Choose two)

/var/log

/etc

/var/lib/mysql

/usr/bin

/usr/sbin

What is the purpose of the mysql_config_editor utility? (Choose two)

It reads and summarizes the contents of MySQL slow query log files.

It manages login paths to connect command-line clients to the MySQL server.

It reads and replays the contents of binary log files.

It enables users to store authentication credentials in the .mylogin.cnf file.

It creates TLS keys and certificates.

When installing MySQL from a binary archive distribution, you must add ‘/usr/local/mysql/bin’ to the user’s executable search path. Which line must you add to the ~/.bashrc file?

export PATH=$PATH:/usr/local/mysql/bin

pid-file=/var/run/mysqld/mysqld.pid

datadir=/var/lib/mysql/bin

ExecStart=/usr/local/mysql/bin/mysqld –defaultsfile=/etc/my.cnf –daemonize

Which command creates a symbolic link during the installation phase to the extracted directory of MySQL?

# ln -s /opt/mysql* /usr/local/mysql

# cp /labs/my.cnf /etc/my.cnf

# mv opt/mysql /usr/local/mysql

# ls -l /usr/local/mysql

Which command is used to stop MySQL server?

mysqladmin –login-path=admin shutdown

mysqladmin -uroot -p flush-hosts

mysqladmin -uroot -p stop-slave

mysqladmin -uroot -p shutdown

答案:

Which command makes mysqld start automatically when the host reboots?

# systemctl enable mysqld.service

What does the RPM installation process for MySQL do? (Choose two)

It sets up the mysql user and group in the operating system
It registers system startup scripts for MySQL services

说明:
MySQL RPM Installation Process
• The RPM installation performs the following tasks:
– Extracts RPM files to their default locations
– Registers SysV init or systemd startup scripts
– Sets up the mysql user and group in the operating system
— The MySQL server process runs as the mysql user.
• When you start the service for the first time using service mysqld
start or systemctl start mysqld, MySQL:
– Creates the data directory and the default my.cnf file
— These files are owned by the mysql user and group.
– Creates the default root@localhost account
– Sets up a random temporary password for the root account and
writes that password to the error log file (/var/log/mysqld.log)
— You must change the password before you can use MySQL.

Which Linux MySQL server installation directories are the base directories? (Choose two)

/usr/bin
/usr/sbin

说明:
Data Directory
• /var/lib/mysql is where the server stores databases. This directory is configured when
you (or the installation process) run mysqld –initialize. The InnoDB log files, undo
tablespaces, and system tablespace are in this directory. It also includes a subdirectory for
each database. This includes the mysql directory, which contains system tables including
the grant tables. MySQL 8.0 stores the data dictionary in mysql.ibd tablespace using
InnoDB storage engine.
Base Directory
• /usr/sbin contains the main server executable, mysqld.
• /usr/bin contains client programs and scripts such as mysql, my_print_defaults,
mysqladmin, mysqlcheck, and mysqlimport.
Other Directories
• /var/lib/mysql-files is configured in the secure_file_priv variable for storing
import and export data files.
• /var/lib/mysql-keyring is allocated for storing keyring files.
• /etc and /var/log are standard Linux directories for configuration files and log files. The
/etc/my.cnf file is read by the MySQL server process (mysqld).
• The systemd startup script is stored in the default systemd directory.

What is the purpose of the mysql_config_editor utility? (Choose two)

It manages login paths to connect command-line clients to the MySQL server.
It enables users to store authentication credentials in the .mylogin.cnf file.

说明:
mysql_config_editor
Use mysql_config_editor to create encrypted option files.
• Store user, password, and host options in a dedicated option file:
– .mylogin.cnf in the current user’s home directory
– To specify an alternative file name, set the MYSQL_TEST_LOGIN_FILE environment
variable.
• The .mylogin.cnf file contains login paths.
– They are similar to option groups.
– Each login path contains authentication information for a single identity.
– Clients refer to a login path with the –login-path (or -L) command-line option:
– Protect the file from being read by other users. Anyone who can read the file can use
the credentials and is able to obtain the plain text passwords.

When installing MySQL from a binary archive distribution, you must add ‘/usr/local/mysql/bin’ to the user’s executable search path. Which line must you add to the ~/.bashrc file?

export PATH=$PATH:/usr/local/mysql/bin

Which command creates a symbolic link during the installation phase to the extracted directory of MySQL?

# ln -s /opt/mysql* /usr/local/mysql

Which command is used to stop MySQL server?

mysqladmin -uroot -p shutdown

Posted in Mysql.

Tagged with .

rev="post-2093" No comments

By C1G 2025/05/29

Vite 任意文件访问漏洞(CVE-2025-32395)的安全预警

一、基本情况

Vite是一个现代化的前端构建工具,旨在提供更快的开发体验。它通过基于原生ES模块的开发服务器,在开发过程中实现极速热更新(HMR)。Vite在构建时使用了高度优化的打包工具,如esbuild,极大提高了构建速度。它支持多种前端框架(如React、Vue)并可以通过插件扩展功能。Vite的目标是简化前端开发工作流,并提升开发效率。

二、 漏洞描述

Vite发布的安全公告,Vite存在一个任意文件访问漏洞。该漏洞影响Node和Bun环境下的开发服务器,攻击者可通过发送包含#字符的HTTP请求,绕过服务器的文件访问限制,返回任意文件内容。根据HTTP 1.1和HTTP 2规范,#不应出现在请求目标中,但Node和Bun并未内部拒绝这类无效请求,而是将其传递至用户端。Vite在处理请求时,未正确验证req.url中是否包含#,从而允许请求绕过server.fs.deny设置。此漏洞仅影响在非Deno环境中运行并显式暴露开发服务器(通过–host或server.host配置选项)的应用,漏洞评分6.0分,漏洞级别为中危。

三、 影响范围

6.2.0 <= Vite <= 6.2.5

6.1.0 <= Vite <= 6.1.4

6.0.0 <= Vite <= 6.0.14

5.0.0 <= Vite <= 5.4.17

Vite <= 4.5.12

四、 修复建议

官方已发布修复版本,建议受影响用户尽快更新。

Vite >= 6.2.6

6.1.5 <= Vite < 6.2.0

6.0.15 <= Vite < 6.1.0

5.4.18 <= Vite < 6.0.0

4.5.13 <= Vite < 5.0.0

解决建议
升级至最新版本。

参考链接
https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70
https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4

Posted in 安全通告.

rev="post-2089" No comments

By C1G 2025/04/29

Dify v1.0本地部署+deepseek

Dify 一词源自 Define + Modify,意指定义并且持续的改进你的 AI 应用,它是为你而做的(Do it for you)

生成式 AI 应用创新引擎

开源的 LLM 应用开发平台。内置了构建 LLM 应用所需的关键技术栈,包括对数百个模型的支持,提供从 Agent 构建到 AI workflow 编排、RAG 检索、模型管理等能力,轻松构建和运营生成式 AI 原生应用。比 LangChain 更易用。

在线体验:https://dify.ai/zh
开源地址:https://github.com/langgenius/dify
官方文档:https://docs.dify.ai/v/zh-hans

Dify云服务,可以在线使用.

  • Sandbox(免费版) 每天可调用200次GPT
  • 专业版 $59/month
  • 团队版 $159/month
  • 企业版 面议

开源社区版
安装 Dify 之前, 请确保你的机器已满足最低安装要求:

CPU >= 2 Core

RAM >= 4 GiB

克隆 Dify 代码仓库

安装git

yum install -y git

克隆 Dify 源代码至本地环境

# 假设当前最新版本为 0.15.3
git clone https://github.com/langgenius/dify --branch 0.15.3

Cloning into 'dify'...
remote: Enumerating objects: 143184, done.
remote: Counting objects: 100% (530/530), done.
remote: Compressing objects: 100% (279/279), done.
remote: Total 143184 (delta 440), reused 252 (delta 251), pack-reused 142654 (from 4)
Receiving objects: 100% (143184/143184), 75.24 MiB | 6.51 MiB/s, done.
Resolving deltas: 100% (105740/105740), done.
Note: switching to 'ca19bd31d42fb87c83b91541c473ebae85e9d14e'.

安装docker

docker,docker-ce,podman 安装其中之一就可
rocky8 以上默认为podman

A.安装docker

yum install docker

B.安装docker-ce

删除podman (如需要)
podman数据不会转移到docker
迁移 Docker 镜像,可以先导出再导入,容器用docker export和import
docker save -o image.tar image_name:tag
docker load image.tar

先停止所有容器的应用和删除容器,再删除安装包
podman container prune

清理所有未使用的镜像
podman image prune -a

清理所有未使用的卷
podman volume prune

清理所有未使用的网络
podman network prune

检查存储状态
podman system df

删除 Podman 存储目录
rm -rf /var/lib/containers/storage
systemctl restart podman

检查存储状态
podman system df

删除podman
dnf remove podman

删除podman残余文件
rm -rf /etc/containers /etc/registries.conf /etc/containers/policy.json /etc/containers/storage.conf ~/.config/containers ~/.local/share/containers

安装docker-ce

安装docker所需依赖

dnf install -y yum-utils device-mapper-persistent-data lvm2
dnf install -y dnf-plugins-core

添加docker官方和阿里的YUM仓库

dnf config-manager –add-repo https://download.docker.com/linux/centos/docker-ce.repo
dnf config-manager –add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

安装 Docker Engine

dnf install -y docker-ce docker-ce-cli containerd.io

systemctl start docker
systemctl enable docker

docker –version
Docker version 28.0.1, build 068a01e

docker加速

tee > /etc/docker/daemon.json <<EOF
{
  "builder": {
    "gc": {
      "defaultKeepStorage": "20GB",
      "enabled": true
    }
  },
  "experimental": false,
  "registry-mirrors": [
    "https://hub.rat.dev",
    "https://dockerhub.icu",
    "https://docker.wanpeng.top",
    "https://register.librax.org"
  ]
}
EOF

验证有无出错

docker info

C.安装podman

Podman 是一个与 Docker 兼容的容器工具

dnf install podman
docker –version
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
podman version 5.2.2

设置镜像网站

Podman 默认注册表配置文件在 /etc/containers/registries.conf
vi /etc/containers/registries.conf
[[registry]]
prefix = "docker.io"
location = "docker.io"
mirror = [
{ location = "docker.nju.edu.cn" },
{ location = "docker.m.daocloud.io" }
]
docker info

docker-compose 安装

docker-compose 和 podman-compose安装其中之一就可

docker-compose 安装

如果安装的是docker则安装docker-compose
https://github.com/docker/compose/releases/
curl -L "https://github.com/docker/compose/releases/download/v2.33.0/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose

使用国内加速

wget -o /usr/local/bin/docker-compose https://ghproxy.cn/https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-linux-x86_64

chmod +x /usr/local/bin/docker-compose

查看 docker-compose

docker-compose –version 版本
Docker Compose version v2.29.1

安装podman-compose

#yum install podman-compose

系统自带podman-compose version: 1.0.6版本过老
podman-compose –version

podman-compose version: 1.0.6
['podman', '--version', '']
using podman version: 5.2.2
podman-compose version 1.0.6
podman --version
podman version 5.2.2
exit code: 0

会出错以下报错
Cannot connect to the Docker daemon at unix:///run/podman/podman.sock. Is the docker daemon running?

安装pip 后安装podman-compose

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python3 get-pip.py
pip –version
升级 pip
pip install -U pip

pip 国内加速

pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple

pip 安装podman-compose

pip3 install podman-compose
更新 podman-compose
运行以下命令更新 podman-compose:
pip install –upgrade podman-compose

运行以下命令检查 podman-compose 是否已安装:
pip show podman-compose

#没找到
-bash: /usr/bin/podman-compose: No such file or directory

find / -name podman-compose 2>/dev/null

/usr/share/licenses/podman-compose
/usr/share/doc/podman-compose
/usr/local/bin/podman-compose

将路径加入到环境变量

#临时
export PATH=/usr/local/bin:$PATH
#永久添加
echo 'export PATH=/usr/local/bin:$PATH' >> ~/.bashrc
source ~/.bashrc

查看版本

podman-compose –version

podman-compose version 1.3.0
podman version 5.2.2

使用podman-compose 拉起会报错
podman-compose up -d

RuntimeError: missing networks:

改用docker-compose兼容方式

 检查 Podman 套接字文件

ls -l /run/podman/podman.sock
Podman 的套接字文件通常位于 /run/podman/podman.sock。如果该文件不存在,可能是系统未启用 Podman 的套接字功能。

 启用 Podman 套接字

运行以下命令启用 Podman 套接字:
systemctl –user enable –now podman.socket
验证套接字文件
ls -l /run/podman/podman.sock

如果 Podman 套接字仍未生成,可以尝试手动启动 Podman 套接字服务。

 手动创建套接字文件

podman system service –time=0 unix:///run/podman/podman.sock &
chmod 666 /run/podman/podman.sock
export DOCKER_HOST=unix:///run/podman/podman.sock

docker-compose ps

注册开机自动启动podman socket

cat >/etc/systemd/system/podman.socket.service<<EOF 
[Unit]
Description=Podman API Socket
Documentation=man:podman-system-service(1)
After=network.target

[Service]
ExecStart=/usr/bin/podman system service --time=0 unix:///run/podman/podman.sock
Restart=always
User=root
Group=root

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable podman.socket.service
systemctl start podman.socket.service
systemctl status podman.socket.service
ls -l /run/podman/podman.sock

Dify 安装

进入 Dify 源代码的 Docker 目录

cd dify/docker
复制环境配置文件

cp .env.example .env
启动 Docker 容器

根据你系统上的 Docker Compose 版本,选择合适的命令来启动容器。你可以通过 $ docker compose version 命令检查版本,详细说明请参考 Docker 官方文档:

如果版本是 Docker Compose V2,使用以下命令:
docker compose up -d

如果版本是 Docker Compose V1,使用以下命令:
docker-compose up -d

使用docker-compose拉起

docker compose pull

Trying to pull docker.io/library/redis:6-alpine…
Trying to pull docker.io/langgenius/dify-api:0.15.3…
Trying to pull docker.io/library/postgres:15-alpine…
Trying to pull docker.io/langgenius/dify-web:0.15.3…
Trying to pull docker.io/ubuntu/squid:latest…
Trying to pull docker.io/langgenius/dify-api:0.15.3…
Trying to pull docker.io/semitechnologies/weaviate:1.19.0…
Trying to pull docker.io/library/nginx:latest…
Trying to pull docker.io/langgenius/dify-sandbox:0.2.10…

此时会遇到超时问题
pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": dial tcp 208.43.237.140:443: i/o timeout

测试拉取

docker pull docker.io/library/redis:6-alpine
docker pull docker.io/langgenius/dify-web:0.15.3
docker pull docker.io/library/postgres:15-alpine

ocker pull register.librax.org/langgenius/dify-api:0.15.3
docker pull register.librax.org/semitechnologies/weaviate:1.19.0
docker pull register.librax.org/library/nginx:latest
docker pull register.librax.org/langgenius/dify-sandbox:0.2.10

docker tag register.librax.org/langgenius/dify-api:0.15.3 docker.io/langgenius/dify-api:0.15.3

docker-compose up -d

[+] Running 11/11
 ✔ Network docker_default             Created                                        0.0s
 ✔ Network docker_ssrf_proxy_network  Created                                        0.0s
 ✔ Container docker-ssrf_proxy-1      Started                                        0.9s
 ✔ Container docker-db-1              Started                                        1.0s
 ✔ Container docker-weaviate-1        Started                                        1.2s
 ✔ Container docker-sandbox-1         Started                                        1.0s
 ✔ Container docker-redis-1           Started                                        0.9s
 ✔ Container docker-web-1             Started                                        0.9s
 ✔ Container docker-worker-1          Started                                        1.4s
 ✔ Container docker-api-1             Started                                        1.2s
 ✔ Container docker-nginx-1           Started                                        1.4s

你应该可以看到包括3个业务服务 api / worker / web,以及6个基础组件 weaviate / db / redis / nginx / ssrf_proxy / sandbox 。
通过这些步骤,你应该可以成功在本地安装Dify。

更新Dify

当Dify版本更新后,你可以克隆或拉取最新的Dify源代码,并通过命令行更新已经部署的Dify环境。‍‍‍‍‍‍‍‍‍‍‍‍
刚好Dify在2月28日发布了1.0.0版本,那么我们也就直接升级一波!

dify v1.0.0更新内容介绍
我们先来看一下这次dify v1.0.0都有哪些重磅更新

1. 插件机制 (Plugin System)

核心变化:将原有的模型和工具都改造成插件形式

应用场景:想用新的 AI 模型时,直接安装对应插件即可

需要连接 Slack 时,安装 Slack 插件就能实现集成

2. 智能工作流 (Intelligent Workflow)

新增 Agent 节点:作为工作流和聊天流的决策中心

通俗解释:相当于一个智能管家,可以根据需求自动调用合适的流程、工具

应用场景:客服机器人可以自动判断用户意图,选择合适的回复方式

数据分析任务可以自动选择合适的分析工具和展示方式

3. 开放生态系统 (Open Ecosystem)

Dify Marketplace:官方插件市场

已有 120+ 插件,包括:模型:OpenAI 、Gemini 2.0 、DeepSeek-R1 等

工具:Perplexity 、Discord 、Slack 等

应用场景:企业可以在市场中找到所需的专业工具

开发者可以发布自己的插件获得收益

4. 多模态交互 (Multimodal I/O)

支持多种数据类型:文本、图像、视频、语音

应用场景:智能客服可以处理图片问题

教育应用可以结合视频和语音进行互动

5. 核心能力增强

推理能力 (Reasoning):提升问题解决能力

执行能力 (Action):可以操作软件和物联网设备

动态记忆 (Dynamic Memory):优化上下文理解

进入dify源代码的docker目录,按顺序执行以下命令:

cd dify/docker
关闭服务
docker-compose down
git pull origin main

remote: Enumerating objects: 535, done.
remote: Counting objects: 100% (290/290), done.
remote: Total 535 (delta 290), reused 290 (delta 290), pack-reused 245 (from 1)
Receiving objects: 100% (535/535), 472.65 KiB | 1.10 MiB/s, done.
Resolving deltas: 100% (387/387), completed with 209 local objects.
From https://github.com/langgenius/dify
 * branch                main       -> FETCH_HEAD
   bafa46393..330dc2fd4  main       -> origin/main

docker-compose pull
docker-compose up -d

执行上述命令更新完成后,需按以下操作同步环境变量配置 (重要!)。‍‍‍‍

如果.env.example文件有更新,请务必同步修改您本地的.env文件。
检查.env文件中的所有配置项,确保它们与您的实际运行环境相匹配。
您可能需要将.env.example中的新变量添加到.env文件中,
并更新已更改的任何值。

查看当前ollama的模型

ollama linux部署可参考之前文章

ollama list
NAME          ID              SIZE      MODIFIED
qwen2:1.5b    f6daf2b25194    934 MB    2 months ago

ollama run qwen2:1.5b

ollama ps
NAME          ID              SIZE      PROCESSOR    UNTIL
qwen2:1.5b    f6daf2b25194    1.5 GB    100% CPU     4 minutes from now

拉取deepseek-r1:1.5b模型

ollama pull deepseek-r1:1.5b
pulling manifest
pulling aabd4debf0c8... 100% ▕██████████████████████████▏ 1.1 GB
pulling 369ca498f347... 100% ▕██████████████████████████▏  387 B
pulling 6e4c38e1172f... 100% ▕██████████████████████████▏ 1.1 KB
pulling f4d24e9138dd... 100% ▕██████████████████████████▏  148 B
pulling a85fe2a2e58e... 100% ▕██████████████████████████▏  487 B
verifying sha256 digest
writing manifest
success

ollama run deepseek-r1:1.5b

 ollama ps
NAME                ID              SIZE      PROCESSOR    UNTIL
deepseek-r1:1.5b    a42b25d8c10a    1.6 GB    100% CPU     4 minutes from now
qwen2:1.5b          f6daf2b25194    1.5 GB    100% CPU     5 seconds from now

创建宿主机到虚拟机的nat

#我使用980,正常使用80端口
#http://localhost:980/install

在virtualbox创建nat转发127.0.0.1:80端口到192.168.244.9:80

使用Dify

按照以上步骤部署好Dify后,首先前往管理员初始化页面设置设置管理员账户:

# 本地环境
http://localhost/install

# 服务器环境
http://your_server_ip/install

通过私有化本地部署Dify,结合Ollama等大模型运行环境,可以打造自己的私有大模型工具链,实现大模型的本地可视化运行。在涉密或敏感数据场合具有极大的应用价值。‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

创建管理员

第一次访问需要先设置最高管理权限账号、密码

添加本地Ollama

登录进去后,右上角用户里设置
在 Dify 中接入 Ollama 在 设置 > 模型供应商 > Ollama 中填入
模型名称:qwen2:1.5b

基础 URL:http://127.0.0.1:11434,此处需填写可访问到的 Ollama 服务地址。
若 Dify 为 docker 部署,建议填写局域网 IP 地址,如:http://192.168.244.9:11434 或 docker 宿主机 IP 地址,如: http://host.docker.internal:11434http://10.89.1.1:11434

Docker版本是18.03或更高可以使用 host.docker.internal。
若为本地源码部署,可填写 http://localhost:11434

模型类型:对话

模型上下文长度:4096

模型的最大上下文长度,若不清楚可填写默认值 4096。

最大 token 上限:4096:模型返回内容的最大 token 数量,若模型无特别说明,则可与模型上下文长度保持一致。

是否支持 Vision:是(当模型支持图片理解(多模态)勾选此项,如 llava。)

点击 “保存” 校验无误后即可在应用中使用该模型。

如出现错误可以检查一下ip和端口是否正确,网络是否通畅。

An error occurred during credentials validation: HTTPConnectionPool(host='10.89.1.1', port=80): Max retries exceeded with url: /api/chat (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7f6ea7769040>, 'Connection to 10.89.1.1 timed out. (connect timeout=10)'))

如果不想使用本地Ollama,我们也可以使用deepseek 官方API,或硅基流动的。
DeepSeek是目前最好的开源大模型

Dify v1.0.0是目前最好的开源大模型应用平台

DeepSeek + Dify v1.0.0可谓强强联手!

创建聊天助手

创建空白应用->聊天助手
发布后你就有了一个自已的聊天助手。


创建工作流

回到主页,点击创建空白应用,这里的聊天助手和文本生成应用,是功能最为单一的 LLM 应用,都不支持工具和知识库的接入。
Agent 和 工作流的区别:

Agent:智能体,基于大语言模型的推理能力,可以自主选择工具来完成任务,相对简单。
工作流:以工作流的形式编排 LLM 应用,提供更多的定制化能力,适合有经验的用户。

Posted in AI.

Tagged with , , .

rev="post-2078" No comments

By C1G 2025/03/04

火山方舟引擎限时免费注册送3000万DeepSeek R1满血版tokens

火山引擎介绍

‌火山引擎是字节跳动旗下的云服务平台‌。
豆包大模型-字节跳动自研大模型
火山方舟-一站式大模型服务平台
扣子-专业版AI应用开发平台

火山方舟免登录体验满血版671B

打开火山引擎官网的火山方舟,不用注册、不用填手机号,直接就能使用DeepSeek-R1 满血版 671B参数和豆包-1.5-pro
免登录体验3/3次,登录后后免费赠送每个模型50万tokens推理额度。
https://www.volcengine.com/experience/ark


邀请注册送代金券

每成功邀请1位新用户,最高双方可得145元代金券,可抵扣3625万tokens(相当于免费问 15 万次问题)。

具体玩法:

  • 1、登录活动页面,生成你的专属邀请码:DXRHABFP
  • 2、分享邀请链接给好友,对方注册时填写你的邀请码。
    不限邀请次数,成功邀请后均可依据规则获得奖励。
    邀请链接: https://www.volcengine.com/experience/ark?utm_term=202502dsinvite&ac=DSASUQY5&rc=DXRHABFP
  • 3、实名认证后,双方立即到账代金券:你拿 30 元(750 万 Tokens),好友拿 15 元(375 万Tokens)。如果好友后续付费,你还能再得 100 元代金券(2000 万 Tokens)!
    如账号已实名认证,代金券将在邀请成功后1小时内到账。如账号未实名认证,已邀请成功的奖励将在账号成功认证且满足邀请成功1小时后立即到账。

活动时间: 2025年2月20日0:00 – 2025年3月15日23:59

注意:
100元火山方舟无门槛代金券资需要好友付费后才能获取。
代金券自发放之日起有效期90天,不支持提现、转赠、叠加使用等操作。已过期的代金券不支持延长时效。
活动发放的代金券适用商品范围仅限字节跳动大模型服务(豆包大模型)、开源LLM模型(DeepSeek)、火山方舟大模型服务平台-知识库的全部配置,部分计费项要求现金余额或代金券余额大于100元才可开通使用,以实际使用的要求为准。
1)字节跳动大模型服务(豆包大模型)产品包含Doubao-1.5-pro-32k、Doubao-1.5-pro-256k、Doubao-1.5-lite-32k、Doubao-1.5-vision-pro-32k等模型的用量服务。
2)开源LLM模型产品包含DeepSeek-V3、DeepSeek-R1、DeepSeek-R1-Distill-Qwen-32B、DeepSeek-R1-Distill-Qwen-7B等模型的用量服务。
3)火山方舟大模型服务平台-知识库产品包含知识库中的向量模型、存储等服务。

API

火山方舟也提供兼容Openai的API接口,点击右上角的API接入,如下图:
第一步创建key,第二部选择模型-开通选择的模型,然后会给出实例代码。
这里开通DeepSeek-R1满血和千问32B

curl https://ark.cn-beijing.volces.com/api/v3/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ARK_API_KEY" \
  -d '{
    "model": "deepseek-r1-250120",
    "messages": [
      {"role": "system","content": "你是人工智能助手."},
      {"role": "user","content": "常见的十字花科植物有哪些?"}
    ]
  }'

api url :
https://ark.cn-beijing.volces.com/api/v3/chat/completions
model后面是模型名称:
"model": "deepseek-r1",

==========

在浏览器插件 ChatHub 中使用

使用浏览器插件是最方便的,也省去了登录的麻烦。

关于 ChatHub

ChatHub 是一个流行的大语言模型聚合插件,特点是可以同时和多个模型聊天,方便对比回答。ChatHub 在全球拥有数十万活跃用户。

安装 ChatHub

浏览器打开 ChatHub 官网,点击“新增至Chrome”按钮安装 ChatHub 浏览器插件:

安装后,将自动打开 ChatHub 设置页面.

在ChatHub中使用火山平台的deepseek满血模型

1、在 ChatHub 设置中找到“自定义机器人”模块,点击“添加”按钮

2、在弹窗中,依次:

输入机器人名称:volcengine.com
选择 Custom 作为提供方:
API Host:https://ark.cn-beijing.volces.com/api/v3/chat/completions

输入API KEY :
填写模型 : deepseek-r1-250120

3、点击“确认”后模型即配置成功
4、开始聊天

注册扣子coze专业版

专业版,现价1元套餐,1000点数1年有效期(原先是50W 资源包),专业版用户每日赠送500资源点(仅限当日有效),可抵扣智能体调用费用和模型调用费用。
语音识别 API、语音合成 API、实时音视频 SDK 全面开放,无需申请即可使用


注意:
专业版的账号和基础版账号数据目前没有打通,也就是需要重新注册账号

隔壁硅基流动是送14 元平台配额

我的邀请链接:https://cloud.siliconflow.cn/i/LNzlifKw
我的邀请码:LNzlifKw
也可以扫描下面二维码:

Posted in AI.

Tagged with , , , , .

rev="post-2057" No comments

By C1G 2025/03/04

字节跳动于3月3日发布AI 集成开发环境工具Trae CN

字节跳动于3月3日发布国内首款 AI 原生集成开发环境工具(AI IDE)——Trae 国内版,搭载 doubao-1.5-pro 模型(目前还不能用),并支持切换 DeepSeek R1&V3。帮助开发者高效协作 AI,提升编程效率和质量。
国际版 Trae, 国内版为 Trae CN

国际版 Trae支持 Claude 3.7 Sonnet
国际版官网:https://www.trae.ai/

国内版官网地址:
https://www.trae.com.cn/home
安装包大概150M左右。

国内版集成了DeepSeek R1&V3,提供AI问答、智能代码生成、智能代码补全,多模态输入等功能。支持界面全中文化,为中文开发者提供了高效的开发体验,关键现在限时免费。

使用手机号注册登录后就可以使用。
魔改vscode,可以导入VS Code或Cursor的插件和设置。

Posted in 编辑器.

Tagged with , , .

rev="post-2064" No comments

By C1G 2025/03/03

Ollama 未授权访问漏洞,攻击者可以下载或删除私有模型文件

Ollama 是一个开源的大语言模型(LLM)运行环境和工具集,旨在帮助开发者轻松部署、管理和使用模型(如 DeepSeek 等)。

Ollama 存在未授权访问漏洞,攻击者可以直接访问敏感接口进行读取、下载或删除私有模型文件,或滥用模型推理资源等高危操作。

攻击者只需访问服务端口(默认 11434)即可调用敏感功能接口,进而读取、下载或删除私有模型文件,或滥用模型推理资源等。

直接请求api路径即可,这里查看都有哪些模型

curl http://127.0.0.1:11434/api/tags
这个接口列出 Ollama 提供的 LLM 模型。

该接口对应的处理函数是ListHandler,可以看到,未进行任何权限,直接返回模型。

func (s \*Server) ListHandler(c \*gin.Context) {  
ms, err :\\= Manifests(true)  
if err != nil {  
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})  
return  
}  
​  
models :\\= \[\]api.ListModelResponse{}  
for n, m :\\= range ms {  
var cf ConfigV2  
​  
if m.Config.Digest != "" {  
f, err :\\= m.Config.Open()  
if err != nil {  
slog.Warn("bad manifest filepath", "name", n, "error", err)  
continue  
}  
defer f.Close()  
​  
if err :\\= json.NewDecoder(f).Decode(&cf); err != nil {  
slog.Warn("bad manifest config", "name", n, "error", err)  
continue  
}  
}  
​  
// tag should never be masked  
models \\= append(models, api.ListModelResponse{  
Model: n.DisplayShortest(),  
Name: n.DisplayShortest(),  
Size: m.Size(),  
Digest: m.digest,  
ModifiedAt: m.fi.ModTime(),  
Details: api.ModelDetails{  
Format: cf.ModelFormat,  
Family: cf.ModelFamily,  
Families: cf.ModelFamilies,  
ParameterSize: cf.ModelType,  
QuantizationLevel: cf.FileType,  
},  
})  
}  
​  
slices.SortStableFunc(models, func(i, j api.ListModelResponse) int {  
// most recently modified first  
return cmp.Compare(j.ModifiedAt.Unix(), i.ModifiedAt.Unix())  
})  
​  
c.JSON(http.StatusOK, api.ListResponse{Models: models})  
}

大模型拉取函数,没有进行任何权限验证。
也可以删除指定模型。

修复建议

方法一

最好的修复方法肯定是修改代码逻辑,给 Ollama API 添加认证的需求。当然这需要原作者的配合。

方法二

对web服务器配置进行修改,这里拿nginx进行举例:

对访问接口的请求,添加一个简单的密码验证。

server {
listen 11434;
​
location / {
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
​
proxy_pass http://192.168.1.100:11434;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

漏洞分析

https://forum.butian.net/index.php/article/670

Posted in AI, 安全通告.

Tagged with , .

rev="post-2060" No comments

By C1G 2025/03/03

linux 本地部署ollama和docker版openwebui+deepseek

windows 本地部署ollama+deepseek 可见前面文章.

linux 安装ollama

这里使用virtualbox 安装了rocky9.3

cat /etc/redhat-release
Rocky Linux release 9.3 (Blue Onyx)

一健安装

curl -fsSL https://ollama.com/install.sh | sh
自动化安装,但可能下载不了
注意:应该至少有8GB的可用内存来运行7B模型,16GB的可用内存来运行13B模型,以及32GB的内存来运行33B模型。

手动安装

https://github.com/ollama/ollama/blob/main/docs/linux.md
sudo rm -rf /usr/lib/ollama

1.8g左右
curl -L https://ollama.com/download/ollama-linux-amd64.tgz -o ollama-linux-amd64.tgz
sudo tar -C /usr -xzf ollama-linux-amd64.tgz

Start Ollama:
ollama serve

In another terminal, verify that Ollama is running:

验证安装:

ollama -v
ollama version is 0.5.1

添加用户限配置

useradd -r -s /bin/false -U -m -d /usr/share/ollama ollama
usermod -a -G ollama $(whoami)

修改ollama的运行端口

对于每个环境变量,在[Service]部分下添加一行Environment.

Environment="OLLAMA_HOST=0.0.0.0:11434"
Environment="OLLAMA_ORIGINS=*"
Environment="OLLAMA_DEBUG=1"
Environment="OLLAMA_FLASH_ATTENTION=1"

Ollama 提供了多种环境变量以供配置:

OLLAMA_DEBUG:是否开启调试模式,默认为 false。
OLLAMA_FLASH_ATTENTION:是否闪烁注意力,默认为 true。
OLLAMA_HOST:0.0.0.0:11434 修改默认端口 11434 端口
OLLAMA_KEEP_ALIVE:设置模型加载到内存中保持 24 个小时(默认情况下,模型在卸载之前会在内存中保留 5 分钟)
OLLAMA_LLM_LIBRARY:LLM 库,默认为空。
OLLAMA_MAX_LOADED_MODELS:设置同时加载多个模型,默认为 1。
OLLAMA_MAX_QUEUE:最大队列数,默认为空。
OLLAMA_MAX_VRAM:最大虚拟内存,默认为空。
OLLAMA_MODELS:/mnt/data/.ollama/models 模型默认下载路径,默认为空。
OLLAMA_NOHISTORY:是否保存历史记录,默认为 false。
OLLAMA_NOPRUNE:是否启用剪枝,默认为 false。
OLLAMA_NUM_PARALLEL:设置用户并发请求,默认为 1。
OLLAMA_ORIGINS:允许的来源,默认为空。
OLLAMA_RUNNERS_DIR:运行器目录,默认为空。
OLLAMA_SCHED_SPREAD:调度分布,默认为空。
OLLAMA_TMPDIR:临时文件目录,默认为空。

Linux 的 tmp 目录设置为 noexec
如果你的系统将 Ollama 存储临时可执行文件的 tmp 目录设置为了 “noexec”,你可以通过设置 OLLAMA_TMPDIR 来指定一个用户可写的替代位置。例如 OLLAMA_TMPDIR=/usr/share/ollama/

配置为系统服务

cat <<EOF | tee /etc/systemd/system/ollama.service >/dev/null
[Unit]
Description=Ollama Service
After=network-online.target

[Service]
Environment="OLLAMA_HOST=0.0.0.0:11434"
Environment="OLLAMA_ORIGINS=*"
Environment="OLLAMA_DEBUG=1"
Environment="OLLAMA_FLASH_ATTENTION=1"
ExecStart=\$BINDIR/ollama serve
User=ollama
Group=ollama
Restart=always
RestartSec=3
Environment="PATH=\$PATH"

[Install]
WantedBy=default.target
EOF

重新加载 systemd 并重启 Ollama

systemctl daemon-reload #重载服务
systemctl enable ollama #开机启动
systemctl start ollama #启动服务
systemctl restart ollama #重启服务
systemctl status ollama #查看服务状态

运行模型

一旦您下载了模型,就可以使用 Ollama 的 run 命令来运行它们。

拉取模型

ollama pull llama3.2:3b
ollama pull qwen2:1.5b
ollama pull deepseek-r1:1.5b
1.5b的运行速度比较快,也不卡,但比较笨,如果追求性能,可以尝试7b及以上的.

运行千问模型

ollama run qwen2:1.5b

>>> hello world
Hello! It's nice to meet you. Is there anything else you would like assistance with?
Use Ctrl + d or /bye to exit.
>>>

运行deepseek推理模型

ollama run deepseek-r1:7b

修改模型的存储目录

默认情况下,ollama模型的存储目录如下:

macOS: `~/.ollama/models` 
Linux: `/usr/share/ollama/.ollama/models`  
Windows: `C:\Users\<username>\.ollama\models`

如需修改,vi /etc/systemd/system/ollama.service
在[Service]下面加入一行新的Environment,新一行:

Environment="OLLAMA_MODELS=/path/to/ollama/models"

mkdir -p /data/ollama/
chown -R ollama:ollama /data/ollama
chmod 0777 /data/ollama

mv /usr/share/ollama/.ollama/models /data/ollama/

重启服务

systemctl daemon-reload
systemctl restart ollama.service

查看日志

journalctl -u ollama | grep -i ‘prompt=’
/set verbose #设置以查看token速度

测试

curl http://localhost:11434
Ollama is running

配制web ui

安装docker

yum install docker
docker version

Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
Client:       Podman Engine
Version:      5.2.2
API Version:  5.2.2
Go Version:   go1.22.7 (Red Hat 1.22.7-2.el9_5)
Built:        Tue Nov 12 20:34:59 2024
OS/Arch:      linux/amd64

Open-WebUI

Open WebUI是一个可扩展、功能丰富、用户友好的自托管 WebUI,旨在完全离线操作。它支持各种LLM运行程序,包括 Ollama 和 OpenAI 兼容的 API。Open WebUI 适配了 Ollama 接口,提供了 web 的方式来访问 Ollama API。

拉取 Open WebUI 镜像

通过以下命令,从 Open WebUI 官方 GitHub Container Registry (GHCR) 仓库拉取镜像

docker pull ghcr.io/open-webui/open-webui:main
如果速度慢可以使用国内镜像再改名
docker pull ghcr.nju.edu.cn/open-webui/open-webui:main
docker tag ghcr.nju.edu.cn/open-webui/open-webui:main ghcr.io/open-webui/open-webui:main

或者使用自已的代理加速服务器
export https_proxy=’192.168.244.1:8080′

查看默认配制
cat /etc/containers/registries.conf

先创建一个用于 Open WebUI 容器本地存储的本地目录

mkdir /opt/openwebui

通过以下命令启动容器, 映射本地3000 端口到容器内8080, 并挂载本地目录 /opt/openwebui 到容器的 /app/backend/data

docker run -d -p 3000:8080 –add-host=host.docker.internal:host-gateway -v /opt/openwebui:/app/backend/data –name openwebui ghcr.io/open-webui/open-webui:main

设为自动启动

docker update –restart always openwebui

手动启动

docker start openwebui

查看服务

netstat -lntp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      2303/conmon
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1183/sshd: /usr/sbi
tcp6       0      0 :::11434                :::*                    LISTEN      1589/ollama
tcp6       0      0 :::22                   :::*                    LISTEN      1183/sshd: /usr/sbi

防火墙

firewall-cmd –get-default-zone
firewall-cmd –zone=public –add-port=3000/tcp –permanent
firewall-cmd –zone=public –add-port=11434/tcp –permanent

查看已经开启的防火墙端口
firewall-cmd –list-ports
firewall-cmd –get-services

重启防火墙修改才会生效
firewall-cmd –reload

在虚拟机设置nat,映射宿主机127.0.0.1:3000端口到虚拟机 192.158.244.9:3000端口.
在浏览器访问http://127.0.0.1:3000 可以显示webui界面.

注册账号密码,创建管理员账号。
[email protected]/Pass1234

如果不习惯英文界面,可以设置成中文界面

现在,我们就可以用本地部署的 千问或deepseek-r1 模型进行聊天了。

Posted in AI.

Tagged with , , .

rev="post-2045" No comments

By C1G 2025/03/03