ReZero's Utopia.

Linux-disk

Word count: 4k. Reading time: 19 min
2020/10/04

File

x: enter the directory. r: list the directory.

File Special Authorization

  1. SUID

    • chmod u+s bin

    • For binary files

    • Equivalent: the file runs with the owner's identity (temporary user)

  2. SGID

    • chmod g+s dir

    • For binary files

    • Equivalent: the file runs with the owning group's identity (temporary group)

    • If you create a file, it normally belongs to you; but in an SGID directory, it belongs to the group of the SGID directory it is located in.

  3. SBIT

    • chmod -R o+t dir

    • Makes sure users can only delete their own files

    • The others' x bit (the third x) is shown as t or T
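Added example, not from the original notes: a small checker that reads the mode string of a path and reports SUID, SGID and SBIT, distinguishing a lower-case s/t (execute bit present) from an upper-case S/T (execute bit missing). It assumes a POSIX shell with ls and runs as an unprivileged user on files it owns in a temporary directory.

```shell
# Report which special bits a path carries; lower-case s/t means the
# matching execute bit is set, upper-case S/T means it is missing.
special_bits() {
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. -rwsr-sr-t (11th char . or + ignored)
    out=""
    add() { out="${out:+$out,}$1"; }
    case $(printf '%s' "$mode" | cut -c4) in   # owner x position: SUID
        s) add SUID ;;
        S) add "SUID(no-exec)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in   # group x position: SGID
        s) add SGID ;;
        S) add "SGID(no-exec)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c10) in  # others x position: SBIT
        t) add SBIT ;;
        T) add "SBIT(no-exec)" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# Demo on constructed files: SUID on an executable, SUID without x,
# an SGID directory and a world-writable sticky directory.
demo_special_bits() {
    d=$(mktemp -d)
    touch "$d/bin";     chmod 4755 "$d/bin"      # chmod u+s on an executable
    touch "$d/noexec";  chmod 4644 "$d/noexec"   # u+s without x shows as S
    mkdir "$d/project"; chmod 2775 "$d/project"  # chmod g+s dir
    mkdir "$d/shared";  chmod 1777 "$d/shared"   # chmod o+t dir
    for p in bin noexec project shared; do
        printf '%-8s %s\n' "$p" "$(special_bits "$d/$p")"
    done
    rm -rf "$d"
}

demo_special_bits
```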

Hidden attribute

  1. Chattr command

    • chattr +a file

      | Option | Description |
      | - | - |
      | i | The file cannot be modified; if set on a directory, only the contents of its existing files can be modified, and files cannot be created or deleted |
      | a | Only appending content is allowed; content cannot be overwritten or deleted (Append Only) |
      | S | File content is synchronized to disk immediately after a change (sync) |
      | s | Deleted completely from disk and unrecoverable (the file's disk area is filled with zeros) |
      | A | The last access time (atime) of this file or directory is no longer updated |
      | b | The access time of the file or directory is no longer updated |
      | D | Check for errors in compressed files |
      | d | Ignore this file/directory when backing up with the dump command |
      | c | Compress the file or directory by default |
      | u | Keep the file's data on disk after deletion, so it can be recovered later |
      | t | Let the file system support tail-merging |
      | x | Access the contents of compressed files directly |
  2. Lsattr command

    • lsattr file

File Access Control List

ACL: a file inherits the ACL of its parent directory by default.

  1. Setfacl command

    • setfacl -Rm u:username:rwx /dir

    • setfacl -b /dir deletes the ACL

    • The last symbol of drwxrwxrwx. becomes + instead of .

  2. Getfacl command

    • getfacl dir

User

  1. SU SUDO

    • su - user (the - is important: it loads the target user's environment)

  2. Options of the sudo command

    | Args | Usage |
    | - | - |
    | -h | List help information |
    | -l | List the commands the current user may execute |
    | -u username or UID | Execute the command as the specified user |
    | -k | Clear the password validity period; the next sudo asks for the password again |
    | -b | Execute the specified command in the background |
    | -p | Change the password prompt |

    • Explanation:

      • Limits which commands a user may execute

      • Records every command executed by each user

      • The config file (/etc/sudoers) provides centralized user management, authorization and so on

  3. visudo

    • Prevents multiple users from editing sudoers at the same time

    • Checks the syntax

    • Use the whereis command to find its location

    • Edit line 99 in visudo: whoCouldUse AllowedHost=(Identifier) commandList

    • NOPASSWD config: whoCouldUse AllowedHost=NOPASSWD: commandList

Storage structure and disk partition

FHS

  • Structure

| dirName | TheFiles |
| - | - |
| /boot | Files needed at boot: the kernel, the boot menu and their configuration files |
| /dev | Any device or interface, stored as a file |
| /etc | Configuration files |
| /home | User home directories |
| /bin | Commands that can still be run in single-user mode |
| /lib | Libraries used at boot time, and … |
| /sbin | Commands needed during the boot process |
| /media | Directory for mounting device files |
| /opt | Third-party software |
| /root | Home directory of the system administrator |
| /srv | Data files of some network services |
| /tmp | "Shared" temporary directory that anyone can use |
| /proc | Virtual file system, e.g. kernel, processes, external devices and network status |
| /usr/local | Software installed by the user |
| /usr/sbin | Software not used when the system boots |
| /usr/share | Help and documentation files; shared files may also be placed here |
| /var | Mainly files that change frequently, such as logs |
| /lost+found | When a file system error occurs, lost file fragments are stored here |

Physical device naming rules

The udev management service runs as a daemon, monitoring kernel signals to manage the device files in the /dev directory.

Note:

  • /dev/sd{a-z} does not depend on the slot, but on the order in which the kernel recognizes the disks.

  • sda[0-9] partition numbers are not necessarily in order and can be set manually.

The first sector is the most important one.

[bytes] 446: Master Boot Record (boot loader), 64 (16*4): partition table, 2: end marker
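Added example, not from the original notes: a parser for the 512-byte first sector laid out as above (446 bytes of boot code, four 16-byte partition entries at offset 446, and the 2-byte 0x55 0xAA end mark at offset 510). It assumes POSIX sh with dd, od and printf; the sector it reads is constructed in the block, not taken from a real disk.

```shell
# Write a sample MBR to $1: zeroed boot code, one bootable Linux (type
# 0x83) partition starting at LBA 2048 with 409600 sectors, plus end mark.
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    # entry 0: boot flag, CHS start, type, CHS end, LBA start (LE), sector count (LE)
    printf '\200\000\041\000\203\376\377\377\000\010\000\000\000\100\006\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Unsigned byte at offset $2 of file $1, as a decimal number.
byte_at() { od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' \n'; }

# Little-endian 32-bit value at offset $2 of file $1.
le32_at() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# True when the sector ends with the 0x55 0xAA signature.
mbr_signature_ok() {
    [ "$(byte_at "$1" 510)" = 85 ] && [ "$(byte_at "$1" 511)" = 170 ]
}

# One line per used partition entry: index, bootable flag, type, LBA start, sectors.
mbr_partitions() {
    i=0
    while [ "$i" -lt 4 ]; do
        off=$((446 + i * 16))
        type=$(byte_at "$1" $((off + 4)))
        if [ "$type" -ne 0 ]; then            # type 0 means an empty entry
            boot=no; [ "$(byte_at "$1" "$off")" -eq 128 ] && boot=yes
            printf '%d boot=%s type=0x%02x lba=%d sectors=%d\n' "$i" "$boot" \
                "$type" "$(le32_at "$1" $((off + 8)))" "$(le32_at "$1" $((off + 12)))"
        fi
        i=$((i + 1))
    done
}

f=$(mktemp)
make_sample_mbr "$f"
mbr_signature_ok "$f" && echo "signature ok"
mbr_partitions "$f"
rm -f "$f"
```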

File system and data information

Ext3: journaling file system; the journal is used to recover from or fix crashes.

Ext4: supports up to 1EB; allocates blocks in batches efficiently.

XFS: supports up to 18EB; its particular advantage is recovery after a crash.

  • Partition, format a file system, mount, then it can be used.

  1. Every file occupies an independent inode table entry (128 bytes) holding:

    • permissions

    • owner and group

    • size

    • ctime (create, last edit)

    • atime (last access)

    • mtime (file edited)

    • SUID, SGID, SBIT

    • pointer (address of the file's real data)

  2. The file's real content is stored in blocks; a master block records and links the other slave blocks.

inode default size: 128B (Ext3), block size: 4KB

VFS

  1. Mount a hard device

    Mount: the process of associating a device's or partition's data with an existing directory so that users can use it.

  • -a option: mount all file systems defined in /etc/fstab

  • -t option: specify the file system type

Example: mount /dev/sdb2 /backup is lost when the system restarts; umount /dev/sdb2 unmounts it.

Permanent example, one /etc/fstab line per entry: devFile mountDir type authorization selfInspect priority

# /etc/fstab
| Field | Usage |
| - | - |
| devFile | UUID, or devPath+devName |
| mountDir | mount directory, must be created before mounting |
| type | ext3, xfs, swap, iso9660 (CD) and so on |
| authorization | defaults = rw, suid, exec, auto, nouser, async |
| selfInspection | 1: self-check the disk at power on |
| priority | only used if selfInspection is 1 |

Add disk dev

  1. Fdisk command

    Type fdisk /dev/sdb

    • p: print the disk's partition info (size, sectors)

    • n: add a new partition

      • p: primary; e: extended

      • Primary partition number: 1~4 (default 1)

      • Start position: default, the system calculates it

      • Size: +2G gives a 2GB partition

      • p to check the above, then type w to really create it

      Type partprobe to sync the partition info to the kernel (or restart the system)

      Mkfs command

    • Typing mkfs and pressing tab twice lists the commands mkfs.type

    • mkfs.xfs /dev/sdb1

      Mount it: mount /dev/sdb1 /aimDir/ (for a permanent mount, use /etc/fstab) and check with df -h

  2. Du command: check the disk usage of files

Add swap partition

Swap partition: 1.5~2 times the physical memory

Usage: store rarely used memory data so that memory is freed to serve processes well.

Quota to limit

  1. xfs_quota [args] size fileSys

  • -c: pass a configuration command as an argument

  • -x: expert mode

Example: xfs_quota -x -c 'limit bsoft=3m bhard=6m isoft=3 ihard=6 tom' /boot sets the disk (block) hard & soft limits and the file (inode) hard & soft limits for user tom

Hard & Symbolic link

  1. ln command

-s: symbolic link (the default is a hard link)


RAID & LVM

RAID

RAID

  1. RAID0

RAID0 splits ("stripes") data evenly across two or more disks, without parity information, redundancy, or fault tolerance.

  2. RAID1

RAID 1 consists of an exact copy (or mirror) of a set of data on two or more disks; a classic RAID 1 mirrored pair contains two disks.

  3. RAID5

RAID 5 consists of block-level striping with distributed parity. Unlike in RAID 4, parity information is distributed among the drives. It requires that all drives but one be present to operate. Upon failure of a single drive, subsequent reads can be calculated from the distributed parity such that no data is lost. RAID 5 requires at least three disks.

  4. RAID1+0

RAID 01, also called RAID 0+1, is a RAID level using a mirror of stripes, achieving both replication and sharing of data between disks.

Mdadm command

Example: RAID1+0

  • mdadm -Cv /dev/md0 -a yes -n 4 -l 10 /dev/sdb /dev/sdc /dev/sdd /dev/sde

    • -C: create a RAID device

    • -v: verbose, display the process

    • -a yes: automatically create the device file

    • -n: number of disks used

    • -l: level; 10 means RAID1+0

  • Formatting: mkfs.ext4 /dev/md0

  • mkdir /RAID & mount /dev/md0 /RAID & df -h

  • mdadm -D /dev/md0 views the detailed info

Damage to Disk Array & Repair

  1. Simulate device damage: mdadm /dev/md0 -f /dev/sdb

  2. RAID 1+0 is not affected if only one disk fails. Just use mdadm to replace it.

    • umount /RAID: umount first before every operation on the RAID

    • mdadm /dev/md0 -a /dev/sdb adds the new /dev/sdb

  3. Disk array + spare (backup) disk

Extreme case: both disks of a RAID 1 pair were damaged.

Solution: a spare (backup) disk

mdadm -Cv /dev/md0 -n 3 -l 5 -x 1 /dev/sdb /dev/sdc /dev/sdd /dev/sde

  • -x: number of spare disks; here /dev/sde is the spare

LVM: Logical Volume Manager

Note: extend or shrink volumes

LVM

| Function | Physical volume | Volume group | Logical volume |
| - | - | - | - |
| Scan | pvscan | vgscan | lvscan |
| Create | pvcreate | vgcreate | lvcreate |
| Display | pvdisplay | vgdisplay | lvdisplay |
| Remove | pvremove | vgremove | lvremove |
| Extend | | vgextend | lvextend |
| Reduce | | vgreduce | lvreduce |

Deploy

  1. Add /dev/sdb & /dev/sdc to LVM: pvcreate /dev/sdb /dev/sdc

  2. Add both of them into the volume group storage and check: vgcreate storage /dev/sdb /dev/sdc & vgdisplay

  3. Split off a logical volume of about 150MB: lvcreate -n vo -l 37 storage & lvdisplay

  4. Format and mount it to use it: mkfs.ext4 /dev/storage/vo & mount /dev/storage/vo /mountDir

  5. Check the info and make it permanent: echo "/dev/storage/vo /mountDir ext4 defaults 0 0" >> /etc/fstab

Extend logical volume

  1. umount /mountDir: umount it before extending

  2. lvextend -L 290M /dev/storage/vo extends it to 290MB

  3. Check disk integrity: e2fsck -f /dev/storage/vo

  4. Resize the file system: resize2fs /dev/storage/vo

  5. Remount and df -h

Shrink logical volume

  1. umount /mountDir: umount it before shrinking

  2. e2fsck -f /dev/storage/vo checks file system integrity

  3. resize2fs /dev/storage/vo 120M shrinks it to 120MB

  4. Remount: mount -a & df -h

Snapshot

  1. View the volume group: vgdisplay

  2. lvcreate -L 120M -s -n SNAP /dev/storage/vo

    • -s: create a snapshot volume

    • -L: size

  3. Do something…

  4. umount /mountDir & lvconvert --merge /dev/storage/SNAP: recovery operation (the snapshot is deleted after merging)

LVM Delete

  1. umount /mountDir & vim /etc/fstab

  2. lvremove /dev/storage/vo deletes the logical volume

  3. vgremove storage deletes the volume group

  4. pvremove /dev/sdb /dev/sdc deletes the physical volumes


IpTables & Firewalld

iptables

Chains: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING

| Args | Usage |
| - | - |
| -P | Set the default policy |
| -F | Flush the rule chain |
| -L | List the rule chain |
| -A | Append a new rule at the end of the chain |
| -I num | Insert a new rule at the head of the chain |
| -D num | Delete a specific rule |
| -s | Match source address IP/MASK; a leading "!" means every address except this one |
| -d | Match destination address |
| -i NIC | Match data coming in through this interface |
| -o NIC | Match data going out through this interface |
| -p | Match protocol, such as TCP, UDP, ICMP |
| --dport num | Match destination port |
| --sport num | Match source port |

  1. iptables -L views the existing iptables rules

  2. iptables -F flushes the rules

  3. iptables -P INPUT DROP sets the default policy to DROP

  4. iptables -I INPUT -p icmp -j ACCEPT allows ping (icmp)

  5. iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT allows only the specified network segment to access port 22.

  6. iptables -A INPUT -p tcp --dport 22 -j REJECT rejects traffic to port 22 from other hosts

  7. service iptables save makes it permanent

FireWalld

| Zone | Default rule policy |
| - | - |
| trusted | Allow all packets |
| home | Reject incoming traffic unless it is related to outgoing traffic; allow it if it is related to ssh, mdns, ipp-client, … |
| internal | Same as the home zone |
| work | Reject incoming traffic unless it is related to outgoing traffic; allow it if it is related to ssh, ipp-client and dhcpv6-client |
| public | Reject incoming traffic unless it is related to outgoing traffic; allow it if it is related to the ssh and dhcpv6-client services |
| external | Reject incoming traffic unless it is related to outgoing traffic; allow it if it is related to the ssh service |
| dmz | Reject incoming traffic unless it is related to outgoing traffic; allow it if it is related to the ssh service |
| block | Reject incoming traffic unless it is related to outgoing traffic |
| drop | Reject incoming traffic unless it is related to outgoing traffic |

  1. firewall-cmd --get-default-zone views the zone currently in use

  2. firewall-cmd --get-zone-of-interface=eno16728 views the zone the eno interface works in

  3. firewall-cmd --permanent --zone=external --change-interface=eno16278 sets the zone to external; takes effect after restarting the system.

  4. firewall-cmd --panic-on: in an emergency, cut off all connections.

  5. firewall-cmd --zone=public --query-service=https views whether https traffic may pass; you can also use --add-service=https (service name) to allow it and --remove-service=https (service name) to reject it.

  6. firewall-cmd --reload makes the permanent configuration take effect immediately.

  7. firewall-cmd --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.10 forwards traffic arriving on port 888 to port 22.

Service access control list

```
# Rules
match /etc/hosts.allow ? pass
: match /etc/hosts.deny ? forbidden
: pass
```

  1. Two principles

  • The reject strategy uses the service name instead of the protocol

  • The reject strategy should be edited first.

  1. hosts.deny: sshd:*

  2. hosts.allow: sshd:192.168.10.
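Added example, not from the original notes: a small model of the hosts.allow / hosts.deny decision order above for "daemon:client" lines, run against two constructed files that follow the two rules just given. It assumes POSIX sh; a client pattern ending in "." matches as a prefix, as in hosts_access(5), and ALL (or "*", as written in the notes) matches every client.

```shell
set -f   # no pathname expansion, so a "*" pattern stays literal

# True when client pattern $1 matches the client address $2.
client_matches() {
    case $1 in
        ALL|'*') return 0 ;;
        *.) case $2 in "$1"*) return 0 ;; esac; return 1 ;;   # prefix, e.g. 192.168.10.
        *)  [ "$1" = "$2" ] ;;
    esac
}

# True when some "daemon:client[,client...]" line in file $1 matches daemon $2, client $3.
file_matches() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac          # skip blanks and comments
        daemon_name=$(printf '%s' "${line%%:*}" | tr -d ' ')
        [ "$daemon_name" = "$2" ] || [ "$daemon_name" = ALL ] || continue
        for pat in $(printf '%s' "${line#*:}" | tr ',' ' '); do
            client_matches "$pat" "$3" && return 0
        done
    done < "$1"
    return 1
}

# Print allow or deny for daemon $1 and client $2, with allow file $3 and deny file $4:
# hosts.allow is consulted first, then hosts.deny, and no match means access.
tcpwrap_decide() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed files following the two rules in the notes: $1 is hosts.allow, $2 hosts.deny.
make_sample_files() {
    printf 'sshd:*\n' > "$2"               # hosts.deny: reject sshd from everyone...
    printf 'sshd:192.168.10.\n' > "$1"     # hosts.allow: ...except the 192.168.10. prefix
}

allowf=$(mktemp); denyf=$(mktemp)
make_sample_files "$allowf" "$denyf"
for client in 192.168.10.5 192.168.100.5 10.0.0.5; do
    printf 'sshd from %-14s -> %s\n' "$client" "$(tcpwrap_decide sshd "$client" "$allowf" "$denyf")"
done
rm -f "$allowf" "$denyf"
```

Note that 192.168.100.5 is denied: the trailing dot in 192.168.10. keeps the prefix from matching the 192.168.100 network.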

firewall-cmd arguments:

| Args | Usage |
| - | - |
| --get-default-zone | Query the name of the default zone |
| --set-default-zone=<zone> | Set the default zone, permanently |
| --get-zones | Show the available zones |
| --get-services | Show the predefined services |
| --get-active-zones | Show the zones currently in use and their interface names |
| --add-source= | Direct traffic from this IP or subnet to the specified zone |
| --remove-source= | Stop directing traffic from this IP or subnet to the specified zone |
| --add-interface=<NIC> | Direct all traffic from this interface to the specified zone |
| --change-interface=<NIC> | Associate an interface with a zone |
| --list-all | Show the current zone's interface configuration, sources, ports, services and so on |
| --list-all-zones | Show the interface configuration, sources, ports, services and so on of all zones |
| --add-service=<service> | Allow the service's traffic in the default zone |
| --add-port=<port/protocol> | Allow the port's traffic in the default zone |
| --remove-service=<service> | No longer allow the service's traffic in the default zone |
| --remove-port=<port/protocol> | No longer allow the port's traffic in the default zone |
| --reload | Make the "permanent" rules take effect immediately, overriding the current runtime rules |
| --panic-on | Enable panic mode |
| --panic-off | Disable panic mode |

Manage remote host

Config net card service

  1. vim /etc/sysconfig/network-scripts/ifcfg-eno16777736

```
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=ec77579b-2ced-481f-9c09-f562b321e268
ONBOOT=yes
IPADDR0=192.168.10.10
HWADDR=00:0C:29:C4:A4:09
PREFIX0=24
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
```

  2. Reload it: systemctl restart network

Create net session

  1. nmcli connection show views the network status

  2. nmcli con show eno16777736 does the same as above

  3. nmcli connection add con-name company ifname eno16777736 autoconnect no type ethernet ip4 192.168.10.10/24 gw4 192.168.10.1; con-name: session name; ifname: local network card name; autoconnect no: not active by default; the address cannot be configured if DHCP is used.

  4. nmcli connection up con-name activates it.

Bind two net cards

  1. vim /etc/sysconfig/network-scripts/ifcfg-eno16777736: slave network card config

```
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
DEVICE=eno16777736
MASTER=bond0
SLAVE=yes
```

  2. vim /etc/sysconfig/network-scripts/ifcfg-bond0: master config

```
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
DEVICE=bond0
IPADDR=192.168.10.10
PREFIX=24
DNS=192.168.10.1
NM_CONTROLLED=no
```

  3. Supported bonding driver modes

    • mode0: both cards work at the same time, with automatic failover; needs port aggregation configured on the switch

    • mode1: only one card works; if it fails, the other takes over.

    • mode6 (good): both cards work, with automatic failover, without switch support

    • vim /etc/modprobe.d/bond.conf creates the driver file.

```
alias bond0 bonding
options bond0 miimon=100 mode=6
```

  4. systemctl restart network restarts the network so the binding takes effect

Config sshd service

  1. vim /etc/ssh/sshd_config configures sshd

  2. Key-based authentication: ssh-keygen generates the key pair

  3. Copy the client's public key to the remote host: ssh-copy-id 192.168.10.10

  4. Configure the remote host to allow only key authentication and reject passwords: vim /etc/ssh/sshd_config, line 78:

```
PasswordAuthentication no
```

  5. SCP transfers data over the ssh protocol (used like the cp command)

Screen command

-S: create a named session window

-d: detach the specified session

-r: reattach the specified session

-x: reattach to a session that is still attached (used for sharing)

-ls: display existing sessions

-wipe: delete sessions that can no longer be used

Sharing a session: one side runs screen -S sessionName, the other runs screen -x

SELinux

Config SELinux

  1. Modes

  • enforcing: intercept unauthorized requests

  • permissive: on access beyond the granted authority, alert but do not intercept

  • disabled: neither alert nor intercept

  2. The security context causes this issue: you cannot access the www directory while it is under the user home directory.

  • Check

```
[root@localhost ~]# ls -Zd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
[root@localhost ~]# ls -Zd /home/www
drwxrwxrwx. root root unconfined_u:object_r:home_root_t:s0 /home/www
```

  • Edit: semanage fcontext -a -t httpd_sys_content_t /home/www/* & restorecon -Rv /home/www

Bind DNS

  1. Install: yum install bind-chroot

  2. Config /etc/named.conf: listen-on port 53 { any; }; & allow-query { any; };

  3. Zone config: /etc/named.rfc1912.zones

Forward


Reverse


DHCP

Deploy

Scope: a complete IP address range; the DHCP protocol manages the network layout, assigns IP addresses and other configuration parameters per scope.

Superscope: used to manage multiple logical subnets on the same physical network; a superscope contains a list of scopes that can be managed together.

Exclusion range: IP addresses in the scope that are excluded, so that they are never assigned to DHCP clients.

Address pool: after the DHCP scope is defined and the exclusion range applied, the remaining IP address range that is dynamically assigned to DHCP clients.

Lease: the time for which a DHCP client may use a dynamically assigned IP address.

Reservation: guarantees that a particular device on the network always gets the same IP address.

vim /etc/dhcp/dhcpd.conf

| Args | Usage |
| - | - |
| ddns-update-style type | Type of dynamic DNS update: none (no dynamic update), interim (interactive update mode) or ad-hoc (special update mode) |
| allow/ignore client-updates | Allow/ignore clients updating DNS records |
| default-lease-time 21600 | Default lease time |
| max-lease-time 43200 | Maximum lease time |
| option domain-name-servers 8.8.8.8 | DNS server address |
| option domain-name "domain.org" | DNS domain name |
| range | IP address pool used for assignment |
| option subnet-mask | Subnet mask of the clients |
| option routers | Gateway address of the clients |
| broadcast-address address | Broadcast address of the clients |
| ntp-server address | Network time server (NTP) of the clients |
| nis-servers address | NIS domain server address of the clients |
| hardware type MAC | Type and MAC address of the network interface |
| server-name hostname | Hostname of the DHCP server announced to DHCP clients |
| fixed-address address | Assign a fixed IP address to the specified host |
| time-offset offset | Offset of the clients from Greenwich Mean Time |

Auto manage ip

Note: the MAC separator is - on Windows and : on Linux

Fixed IP: bind MAC & IP

```
host linuxprobe {
    hardware ethernet 00:0c:29:27:c6:12;
    fixed-address 192.168.10.88;
}
```

Postfix & Dovecot

Config Postfix

  1. Config named.conf

```
listen-on port 53 {any; };
allow-query {any; };
```

  2. Postfix parameters

| Args | Usage |
| - | - |
| myhostname | Hostname of the mail system |
| mydomain | Domain name of the mail system |
| myorigin | Domain name used for mail sent from this host |
| inet_interfaces | Network interfaces to listen on |
| mydestination | Hostnames or domain names that can receive mail |
| mynetworks | Which hosts' mail may be relayed |
| relay_domains | Which domains' mail may be relayed |

  3. Config main.cf

```
myhostname = mail.linuxprobe.com
mydomain = linuxprobe.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, $mydomain
```

Config Dovecot

  1. Config /etc/dovecot/dovecot.conf

Allow plaintext authentication

```
protocols = imap pop3 lmtp
disable_plaintext_auth = no
```

Allowed network segment

```
login_trusted_networks = 192.168.10.0/24
```

Inbox location

```
mail_location = mbox:~/mail:INBOX=/var/mail/%u
```

  2. Init: mkdir -p mail/.imap/INBOX & systemctl restart dovecot

Squid

| Args | Usage |
| - | - |
| http_port 3128 | Listening port |
| cache_mem 64M | Size of the memory cache |
| cache_dir ufs /var/spool/squid 2000 16 256 | Size of the disk cache |
| cache_effective_user squid | Effective user of the cache |
| cache_effective_group squid | Effective group of the cache |
| dns_nameservers address | Usually not set; the server's default DNS address is used |
| cache_access_log /var/log/squid/access.log | Path of the access log file |
| cache_log /var/log/squid/cache.log | Path of the cache log file |
| visible_hostname linuxprobe.com | Name of the Squid server |