Linux Knowledge
[SELinux]
config --> /etc/sysconfig/selinux
command --> sestatus
setenforce 0 (permissive mode)
setenforce 1 (enforcing mode)
[sudo account management]
config --> /etc/sudoers
command --> visudo
log --> /var/log/sudo.log
Sample:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
# Defaults    requiretty

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files.
#
# Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults    env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
Defaults log_host, logfile=/var/log/sudo.log

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
[NIC Bonding and IP Aliasing on Linux]
IP Aliasing:
IP aliasing is a technique that associates several IPs with the same network card. Normally one card needs only one IP address, but there are many occasions when, for security or ease of management, we want a single card to carry more than one IP, and for that we use IP aliasing.
Suppose the host's original public IP is 182.168.150.124/24 and you want to assign an additional private IP 192.168.150.124/24:
* for Debian/Ubuntu/LinuxMint/B2D users:
Note that there are two ways to control the network under Linux: NetworkManager, and the traditional ifup/ifdown method. In Debian's logic, a configuration file takes precedence when one exists, so the split of control between NetworkManager and ifup/ifdown is not that obvious. In Ubuntu's logic, the network is always managed by NetworkManager and the system does not read the configuration file at all. Since there is no need for NetworkManager in a static-IP environment, my advice on both Debian and Ubuntu is to stop this daemon:
/etc/init.d/network-manager stop
chkconfig network-manager off
After stopping the annoying network-manager, edit /etc/network/interfaces:
# The loopback network interface
auto lo eth0 eth0:1
iface lo inet loopback
iface eth0 inet static
    address 182.168.150.124
    netmask 255.255.255.0
    gateway 182.168.150.254
iface eth0:1 inet static
    address 192.168.150.124
    netmask 255.255.255.0
The newly added part (shown in red in the original) is eth0:1 on the auto line and the iface eth0:1 stanza. Save, then restart your network:
/etc/init.d/networking restart
* for RHEL/CentOS/Fedora/SL/OracleLinux users:
First shut down NetworkManager:
service NetworkManager stop
chkconfig --level 2345 NetworkManager off
Copy /etc/sysconfig/network-scripts/ifcfg-eth0 to ifcfg-eth0:1 and change ifcfg-eth0:1 to the IP you want to alias. The original ifcfg-eth0 looks roughly like this:
DEVICE="eth0"
BOOTPROTO=static
NM_CONTROLLED="no"
ONBOOT="yes"
IPADDR=182.168.150.124
NETMASK=255.255.255.0
GATEWAY=182.168.150.254
The modified ifcfg-eth0:1 is as follows:
DEVICE="eth0:1"
BOOTPROTO=static
NM_CONTROLLED="no"
ONBOOT="yes"
IPADDR=192.168.150.124
NETMASK=255.255.255.0
GATEWAY=
Apart from the IP address and the device name, everything stays the same. Save, then restart your network:
service network restart
The NM_CONTROLLED variable decides whether the interface is handed over to NetworkManager; since we have already shut NM down, this entry merely states explicitly that NM is not used. Fedora users take note: on newer versions of Fedora, once NM is enabled none of the settings are written to the configuration files, and even a hand-written configuration file has no effect, so it is strongly recommended to shut NM down before enabling IP aliasing. Adding more IPs is possible: just copy ifcfg-eth0 as a template and append a colon and a number to the name.
[NIC Bonding]
NIC bonding is, properly speaking, link aggregation; people familiar with Cisco may be more comfortable with the term trunking. In plain language, it associates two (or more) independent NICs with a single IP, the exact opposite of the IP aliasing above. Many vendors have implemented this concept and it has become an industry standard; trunking can be implemented anywhere from Layer 1 to Layer 4.
Conceptually, each NIC is called a slave once bonded and the combined bond is the master; to the kernel, the device taking part in packet transmission is no longer eth0 but bond0. NIC bonding on Linux has seven modes; some use standard IEEE 802.3, and it also adopts the IEEE 802.3ad/802.1ax standard, i.e. the Link Aggregation Control Protocol (LACP). Linux NIC bonding is implemented at Layer 2 (the Data Link Layer). According to the Linux Ethernet Bonding Driver HOWTO, the seven modes of NIC bonding are as follows:
Mode  Name (driver keyword): Description
0  Round-Robin (balance-rr): All NICs taking part in the bond take turns transmitting packets, but only one NIC is actually working at any given moment. An ordinary switch is enough.
1  Active-Backup (active-backup): Only one of the bonded NICs is active; the rest stay in standby. When the active NIC fails, another NIC (slave) takes its place. An ordinary switch is enough.
2  XOR (balance-xor): XOR is an evolution of mode 0: when the host has several connections, the same NIC is responsible for the same source address, i.e. the same NIC keeps serving the same address for as long as possible. An ordinary switch is enough.
3  Broadcast (broadcast): Packets are broadcast to all NICs, and all NICs receive/transmit every packet at the same time. This mode has the fastest fault tolerance. An ordinary switch is enough.
4  IEEE 802.3ad Dynamic Link Aggregation (802.3ad): This industry-standard mode offers true outgoing/incoming balancing, but besides the configuration on the Linux host it also needs a switch that supports 802.3ad/802.1ax.
5  Adaptive Transmit Load Balancing (balance-tlb): In this mode only outgoing traffic is load balanced; incoming traffic is handled by a single NIC. Only when that NIC fails does another slave take over the incoming traffic. Commonly used on file/mail servers.
6  Adaptive Load Balancing (balance-alb): Uses ARP negotiation to achieve incoming balancing across every NIC, i.e. balance-tlb plus incoming balancing. It gives true outgoing/incoming balancing and needs only an ordinary switch, which is why most small and medium-sized business hosts choose this mode.
Several important options, taken from the Linux Ethernet Bonding Driver HOWTO:
Option: Description
miimon: MII monitoring frequency in milliseconds: when one NIC fails, this determines how quickly MII notices and hands the work to the next NIC. The HOWTO recommends 100; the default is 0.
arp_interval: ARP monitoring frequency in milliseconds. Equivalent in function to miimon; the HOWTO recommends 100; the default is 0. Setting this option also requires setting arp_ip_target.
arp_ip_target: The IP that ARP monitoring should probe. Only meaningful when arp_interval is set and greater than 0. Requests are sent to the given address at the frequency set by arp_interval to decide whether the link is healthy. Separate multiple IPs with commas.
mode: One of the modes in the table above. The mode can be given as a number or as its short name, e.g. mode=4 is the same as mode=802.3ad. When unspecified the default is 0 (balance-rr).
downdelay: Under MII monitoring, the time in milliseconds from detecting a failure to disabling the slave.
updelay: Under MII monitoring, the time in milliseconds from detecting recovery to re-enabling the slave.
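Once miimon (or arp_interval) is set, the driver's view of the bond can be read back from /proc/net/bonding/<bond>, whose text format is the one described in the Linux Ethernet Bonding Driver HOWTO. The script below is an added example, not from the original post: it summarises the mode, active slave and polling interval, and flags any slave whose link is down, a bond with no link monitoring at all, or a bond with fewer than two slaves. The report written by write_demo_bond_status is constructed for the demo; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: parse the bonding driver's
# status report (/proc/net/bonding/<bond> on a real host).

# bond_summary FILE: print "mode=<mode> active=<slave> miimon=<ms>".
bond_summary() {
    awk -F': ' '
        /^Bonding Mode:/           { mode = $2 }
        /^Currently Active Slave:/ { active = $2 }
        /^MII Polling Interval/    { miimon = $2 }
        END { printf "mode=%s active=%s miimon=%s\n", mode, active, miimon }
    ' "$1"
}

# bond_check FILE: one finding per line. The first "MII Status" line belongs
# to the bond itself; later ones belong to the preceding "Slave Interface".
bond_check() {
    awk -F': ' '
        /^(MII|ARP) Polling Interval/ { if ($2 + 0 > 0) monitored = 1 }
        /^Slave Interface:/           { slave = $2; nslaves++ }
        /^MII Status:/ && slave != "" && $2 == "down" { print "slave-down: " slave }
        END {
            if (!monitored) print "no-link-monitor: neither miimon nor arp_interval is active"
            if (nslaves < 2) print "single-slave: fewer than two slaves, no redundancy"
        }
    ' "$1"
}

# Constructed report for the demo: mode 6, miimon=100, eth1 link down.
write_demo_bond_status() {
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: adaptive load balancing
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 02:00:00:00:00:01

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 1
Permanent HW addr: 02:00:00:00:00:02
EOF
}

report=$(mktemp)
write_demo_bond_status "$report"
bond_summary "$report"
bond_check "$report"
rm -f "$report"
```

On a real host run `bond_check /proc/net/bonding/bond0` from cron or a monitoring agent; with miimon left at its default of 0 the driver never notices a dead link, which is exactly what the no-link-monitor finding catches.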
This post uses mode=6 (which can also be written mode=balance-alb) as its example. Suppose you want to bond the two NICs eth0 and eth1 to 182.168.150.124/24:
* for Debian/Ubuntu/LinuxMint/B2D users:
1. Install the bonding interface management tool: ifenslave
2. Edit /etc/modprobe.d/aliases.conf and add the following lines:
alias bond0 bonding
alias eth0 e1000
alias eth1 e1000
options bonding miimon=100 mode=6
On some earlier releases these lines may have to be written in /etc/modprobe.conf instead.
3. Shut down NetworkManager and start bonding:
If you are an Ubuntu user, you must remove network-manager. Ubuntu always manages the network with network-manager by default; if you do not remove it, your settings will never take effect.
aptitude remove network-manager network-manager-gnome
modprobe bond0 eth0 eth1
If you are a Debian user, there is no need to remove network-manager; disabling it is enough:
invoke-rc.d network-manager stop
chkconfig network-manager off
chkconfig network on
modprobe bond0 eth0 eth1
Edit /etc/network/interfaces:
# The loopback network interface
#auto lo eth0 eth0:1
#iface lo inet loopback
#iface eth0 inet static
#address 182.168.100.124
#netmask 255.255.255.0
#gateway 182.168.100.254
#iface eth0:1 inet static
#address 192.168.150.124
#netmask 255.255.255.0
#auto eth1
#iface eth1 inet dhcp
auto bond0
iface bond0 inet static
address 182.168.150.124
netmask 255.255.255.0
gateway 182.168.150.254
dns-nameservers 182.158.150.1
post-up ifenslave bond0 eth0 eth1
pre-down ifenslave -d bond0 eth0 eth1
Restart the network service:
/etc/init.d/networking restart
However, bonding on Debian/Ubuntu cannot obtain its IP via DHCP; this is the result of my own testing. If you know how to use bonding in a DHCP environment, please let the author know!
* for RHEL/CentOS/Fedora/SL/OracleLinux users:
1. Edit /etc/modprobe.d/dist.conf
and add the following two lines:
alias bond0 bonding
options bond0 miimon=100 mode=6
2. Shut down NetworkManager and start bonding:
service NetworkManager stop
chkconfig --level 2345 NetworkManager off
chkconfig network on
modprobe bond0
3. Edit the configuration files under /etc/sysconfig/network-scripts:
For clarity, ifcfg-eth0, ifcfg-eth1 and ifcfg-bond0 are listed one after another below (the original showed them side by side in a three-column table):
ifcfg-eth0:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
ifcfg-eth1:
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
ifcfg-bond0:
DEVICE=bond0
BOOTPROTO=static
ONBOOT=yes
IPADDR=182.168.150.124
NETMASK=255.255.255.0
GATEWAY=182.168.150.254
USERCTL=no
Since the IP is set manually, don't forget to add the name server information as well:
echo "nameserver 182.168.150.1" >> /etc/resolv.conf
service network restart
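As an added example (not from the original post), the POSIX shell script below generates the RHEL-style ifcfg files for both procedures on this page: the eth0:1 alias from the IP aliasing section and the bond0/slave trio from the table above. It then checks the slave files for the mistakes that leave a port half-configured outside the bond. OUTDIR is whatever directory you pass; the demo uses scratch directories rather than /etc/sysconfig/network-scripts, and the function names are mine, not part of any distribution tool.

```shell
#!/bin/sh
# Added example, not from the original post: write the RHEL-style ifcfg files
# for an IP alias and for a bond with its slaves, then sanity-check the slaves.

# write_alias OUTDIR PARENT INDEX IP NETMASK -> ifcfg-PARENT:INDEX
# The alias carries no GATEWAY, exactly as in the ifcfg-eth0:1 shown earlier.
write_alias() {
    outdir=$1; parent=$2; idx=$3; ip=$4; mask=$5
    cat > "$outdir/ifcfg-$parent:$idx" <<EOF
DEVICE="$parent:$idx"
BOOTPROTO=static
NM_CONTROLLED="no"
ONBOOT="yes"
IPADDR=$ip
NETMASK=$mask
GATEWAY=
EOF
}

# write_bond OUTDIR BOND IP NETMASK GATEWAY SLAVE... -> ifcfg-BOND plus one
# ifcfg-SLAVE per slave, with the fields from the table above.
write_bond() {
    outdir=$1; bond=$2; ip=$3; mask=$4; gw=$5; shift 5
    cat > "$outdir/ifcfg-$bond" <<EOF
DEVICE=$bond
BOOTPROTO=static
ONBOOT=yes
IPADDR=$ip
NETMASK=$mask
GATEWAY=$gw
USERCTL=no
EOF
    for slave in "$@"; do
        cat > "$outdir/ifcfg-$slave" <<EOF
DEVICE=$slave
BOOTPROTO=none
ONBOOT=yes
MASTER=$bond
SLAVE=yes
USERCTL=no
EOF
    done
}

# check_bond OUTDIR BOND: every file naming MASTER=BOND must also say
# SLAVE=yes, use BOOTPROTO=none and carry no address of its own; otherwise
# the port comes up outside the bond. Prints one finding per line.
check_bond() {
    outdir=$1; bond=$2
    [ -f "$outdir/ifcfg-$bond" ] || echo "missing master file ifcfg-$bond"
    for f in "$outdir"/ifcfg-*; do
        grep -q "^MASTER=$bond\$" "$f" || continue
        grep -q '^SLAVE=yes$' "$f"      || echo "$f: MASTER set but SLAVE=yes missing"
        grep -q '^BOOTPROTO=none$' "$f" || echo "$f: slave must use BOOTPROTO=none"
        grep -q '^IPADDR=' "$f"         && echo "$f: slave must not carry its own IPADDR"
    done
    return 0
}

# Demo into scratch directories; the alias follows the non-bonded layout of
# the aliasing section, so it is kept apart from the bond files.
alias_dir=$(mktemp -d); bond_dir=$(mktemp -d)
write_alias "$alias_dir" eth0 1 192.168.150.124 255.255.255.0
write_bond "$bond_dir" bond0 182.168.150.124 255.255.255.0 182.168.150.254 eth0 eth1
cat "$alias_dir/ifcfg-eth0:1" "$bond_dir/ifcfg-bond0" "$bond_dir/ifcfg-eth1"
check_bond "$bond_dir" bond0
rm -rf "$alias_dir" "$bond_dir"
```

Generating the three files from one command keeps the MASTER/SLAVE pairing consistent, and check_bond is worth running against the real /etc/sysconfig/network-scripts before `service network restart`, since a slave that still has an IPADDR from an earlier life silently stays out of the bond.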