====== Linux Admin ======
{{:linux:linux_system_administration.pdf|}}\\
{{:linux:red_hat_linux_administration_-_a_beginner_s_guide_2003.pdf|}}
===== Fix Old CentOS Repos =====
CentOS 6 reached end of life on **2020/11/30** and mirrorlist.centos.org no longer returns mirrors for it, so you must point the repos at the archive mirror (vault.centos.org) to fix this yum error:
yum list
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Determining fastest mirrors
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
Eg. Invalid release/repo/arch combination/
removing mirrorlist with no valid mirrors: /var/cache/yum/x86_64/6/base/mirrorlist.txt
Steps:
- Step1: **Update /etc/yum.repos.d/CentOS-Base.repo**
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
baseurl=http://vault.centos.org/6.10/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
baseurl=http://vault.centos.org/6.10/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
baseurl=http://vault.centos.org/6.10/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
baseurl=http://vault.centos.org/6.10/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib&infra=$infra
baseurl=http://vault.centos.org/6.10/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
- Step2: Clear the cached metadata so yum fetches it from the new baseurl. Keep gpgcheck=1: vault.centos.org is reached over plain HTTP, so the package signature check is the only thing that guarantees what you install is what CentOS built.
yum clean all
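Added example, not part of the original page: a small shell function that performs Step1 mechanically for any CentOS 6 repo file (every section, not only the five shown above) and prints the result, so it can be reviewed before it replaces the live file. It assumes the stock layout of CentOS-Base.repo (a [section] header followed by a mirrorlist= line and a commented #baseurl= line), takes the vault release directory as an argument (6.10 here), and keeps plain HTTP like the config above, which is why it refuses to carry a gpgcheck=0 through. The repo file it rewrites is constructed for the demonstration.

```shell
#!/bin/sh
# Rewrite every section of a CentOS 6 yum repo file so it uses vault.centos.org,
# keeping GPG verification switched on. Prints the rewritten file to stdout.
#   vault_repo_rewrite <repo-file> <vault-release>
vault_repo_rewrite() {
  awk -v rel="$2" '
    # remember the section we are in: [base] lives in the "os" tree on vault,
    # every other section name ([updates], [extras], ...) is used as-is
    /^\[[^]]+\]/ {
      sec = substr($0, 2, index($0, "]") - 2)
      path = (sec == "base") ? "os" : sec
    }
    # mirrorlist.centos.org no longer answers for EOL releases: comment it out
    /^mirrorlist=/ { print "#" $0; next }
    # replace the (usually commented) baseurl with the vault tree of this section
    /^#?baseurl=/ { print "baseurl=http://vault.centos.org/" rel "/" path "/$basearch/"; next }
    # never let the rewrite silently disable package signature checking
    /^gpgcheck=0/ { print "gpgcheck=1"; next }
    { print }
  ' "$1"
}

# Constructed sample that mimics a stock CentOS-Base.repo (two sections only);
# the [updates] section deliberately has gpgcheck=0 to show it being corrected.
SAMPLE_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF

# On a real host:
#   cp /etc/yum.repos.d/CentOS-Base.repo /root/CentOS-Base.repo.bak
#   vault_repo_rewrite /root/CentOS-Base.repo.bak 6.10 > /etc/yum.repos.d/CentOS-Base.repo
#   yum clean all && yum makecache
vault_repo_rewrite "$SAMPLE_REPO" 6.10
```

Review the printed output before redirecting it over the live file; the only lines that change are mirrorlist (commented), baseurl (rewritten) and any gpgcheck=0 (forced to 1).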
===== Install software =====
==== Install rpm package ====
mount /dev/cdrom /mnt/cdrom/
cd /mnt/cdrom/CentOS
rpm -i mc-4.6.1a-35.el5.i386.rpm
==== Manage packages with yum - Yellowdog Updater Modified ====
It can automatically perform system updates, including dependency analysis and obsolete processing based on "repository" metadata. It can also install new packages, remove old packages and query the installed and/or available packages, among many other commands (see below). yum is similar to other high level package managers like apt-get and smart.
* yum grouplist
=>
Installed Groups:
DNS Name Server
Dialup Networking Support
Editors
FTP Server
.......
Available Groups:
Administration Tools
Authoring and Publishing
Base
Beagle
Cluster Storage
Clustering
Development Libraries
Development Tools
* yum groupinfo
yum groupinfo "Development Libraries"
* How to install gcc:
# yum list | grep gcc
=> output:
gcc.i386 4.1.2-44.el5 base
libgcc.i386 4.1.2-44.el5 base
compat-gcc-34.i386 3.4.6-4 base
.......
# yum install gcc.i386
* Check whether a package is installed or only available:
yum list | grep postfix
postfix.x86_64 2:2.6.6-6.el6_5 @updates
postfix-perl-scripts.x86_64 2:2.6.6-6.el6_5 updates
# @updates => installed (the @ marks the repository it was installed from)
# updates => available in that repository, not installed
* yum info php-mysql
Loading mirror speeds from cached hostfile
* base: mirrors.digipower.vn
* elrepo: ftp.osuosl.org
* extras: mirrors.digipower.vn
* updates: mirrors.digipower.vn
Installed Packages
Name : php-mysql
==== Manage Packages with Apt ====
**apt-cache** - performs a variety of operations on **APT's package cache**. apt-cache does not change the state of the system; it searches and reports on the package metadata.
**dpkg** - the low-level package manager for Debian (installs, removes and queries .deb packages; apt-get drives it)
Upgrade all installed packages (run apt-get update first so the package lists are current):
apt-get upgrade
Search packages:
* Find packages whose name or description matches a keyword:
apt-cache search <keyword>
For example, with dpkg (quote the glob so the shell does not expand it against files in the current directory):
dpkg -l '*chkconfig*'
output:
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================================-=======================-=======================-=============================================================================
un chkconfig (no description available)
* dpkg -l with a glob is similar to apt-cache search, but it also shows whether a package is installed on your system: the first column is **ii (installed) or un (not installed)**. Above, chkconfig is known to dpkg but not installed.
dpkg -l '*<pattern>*'
* Show the description of a package and other relevant information including version, size, dependencies and conflicts:
apt-cache show <package>
* Show the description of a package from dpkg's own database:
dpkg --print-avail <package>
* List the files in a package:
dpkg -L <package>
===== Admin User and Group =====
==== Admin user ====
* Add a normal user
useradd anhvc
* Set a password for user anhvc
passwd anhvc
* Remove a normal user (the home directory is left in place):
userdel anhvc
* Remove the user together with the home directory and the user's mail spool:
userdel -r anhvc
* Add a system user (service account):
#Create a system account (-r, UID from the system range) with no home directory (-M) and no login shell
useradd -r -M -s /sbin/nologin dovecot
#Lock the password so it cannot be used to log in. usermod -L only disables password authentication; the nologin shell is what blocks interactive access through ssh keys or su
usermod -L dovecot
==== Admin group ====
* Rename a group (here accountant becomes accounting)
groupmod -n accounting accountant
* Print all groups a user belongs to
groups root
output:
root : root bin daemon sys adm disk wheel
* Get all users in a group (lid is part of the libuser package)
lid -g <group>
==== Modify Group of user ====
* Add user anhvc with primary group ztbackup (the group must already exist)
useradd -g ztbackup anhvc
* Add an existing user to a supplementary group
usermod -a -G <group> <username>
* Change a user's primary group
usermod -g <group> <username>
* Add a user to multiple groups:
usermod -a -G ftp,admins,othergroup <username>
=> keep the -a: usermod -G without -a replaces the user's whole list of supplementary groups with the ones given
* Remove a user from a group
gpasswd -d <username> <group>
==== Chown ====
* Command format: chown user:group filename
* Change only the group of a file to "accounting" (the owner is unchanged):
chown :accounting filename
==== Passwd file ====
refer: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
grep ftp /etc/passwd
output:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
(fields, separated by colons:
username: ftp
password: x => the hash is kept in /etc/shadow; an empty field here would mean login without a password
userid: 14
group: 50 => ftp (the primary group; supplementary groups are listed in /etc/group)
Real name: FTP User
home directory: /var/ftp
Shell: /sbin/nologin => no interactive login for this account
)
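Added example, not from the original page: four checks over a passwd-format file that follow directly from the field meanings above, run here against a constructed sample file rather than the real /etc/passwd (the account names toor, guest and svc are invented for the demonstration). Point the functions at /etc/passwd to audit a host.

```shell
#!/bin/sh
# Quick /etc/passwd audit. Each function takes the path of a passwd-format file
# and prints one line per finding.

# Any UID-0 account other than root is a second root login and must be explained.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that get an interactive shell if authentication succeeds.
# Service accounts should end in /sbin/nologin (or /bin/false) instead.
login_shell_accounts() {
  awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# An empty second field means no password is required (the shadow entry is bypassed).
no_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Two names sharing one UID are the same identity to the kernel and to file ownership.
duplicate_uids() {
  awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
           END { for (uid in n) if (n[uid] > 1) print uid ":" who[uid] }' "$1" | sort -n
}

# Constructed sample: a handful of real-looking entries plus the problems above.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
anhvc:x:500:500:Anh VC:/home/anhvc:/bin/bash
guest::501:501::/home/guest:/bin/bash
svc:x:500:502:service account:/opt/svc:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
EOF

echo "== UID 0 besides root ==";   uid0_accounts "$SAMPLE_PASSWD"
echo "== interactive shells ==";    login_shell_accounts "$SAMPLE_PASSWD"
echo "== empty password field =="; no_password_accounts "$SAMPLE_PASSWD"
echo "== duplicate UIDs ==";        duplicate_uids "$SAMPLE_PASSWD"
```

On the sample, toor is the extra UID 0, guest has no password at all, and anhvc and svc share UID 500, so files written by one belong to both.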
==== Information of user profile ====
cat ~/.bash_profile => read by login shells; on Red Hat it sources ~/.bashrc
cat ~/.bashrc => read by interactive non-login shells (aliases, functions, PATH changes)
cat ~/.bash_history => the user's command history; it is written when the shell exits and the user can edit or clear it, so treat it as a hint during an investigation, not as a reliable record
==== sudo config ====
* Edit **/etc/sudoers** with visudo, not with chmod +w and a plain editor: visudo locks the file, checks the syntax before saving and keeps the required 0440 mode (sudo refuses to run with a sudoers file that has the wrong mode or a syntax error, which locks everybody out of sudo):
visudo
* Add a user allowed to run sudo as root by adding the line below to /etc/sudoers:
anhvc ALL=(ALL) NOPASSWD: ALL
=> Allow user anhvc to run any command as root without a password; on a shared host this makes the anhvc account as valuable to an attacker as root itself. Below is the form that asks for anhvc's own password:
anhvc ALL=(ALL) ALL
* Comment out the line below to allow sudo from sessions without a tty (cron jobs, commands run over ssh without -t):
#Defaults requiretty
* Check the syntax of the installed file without editing it:
visudo -c
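Added example, not from the original page: a least-privilege alternative to the ALL lines above, as a drop-in file. It assumes the default #includedir /etc/sudoers.d line is present in /etc/sudoers (it is on CentOS 6) and that the file is written with visudo -f /etc/sudoers.d/webadmin so it is syntax-checked and ends up mode 0440 root:root. The file name, alias name and command list are hypothetical.

```sudoers
# /etc/sudoers.d/webadmin  (hypothetical drop-in; install with: visudo -f /etc/sudoers.d/webadmin)
# anhvc may only reload or restart the web server, only as root, and only with
# anhvc's own password. Full paths are required so a different "service" in PATH
# cannot be substituted.
Cmnd_Alias WEBCTL = /sbin/service httpd reload, /sbin/service httpd restart
anhvc ALL=(root) WEBCTL
```

Everything else anhvc attempts through sudo is refused and logged in /var/log/secure, which is exactly the trail an "ALL=(ALL) NOPASSWD: ALL" line never produces.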
==== umask ====
umask (the user file-creation mode mask) determines the permissions of newly created files and directories: every bit set in the mask is cleared from the default mode, which is 666 for files and 777 for directories (a file never gets execute bits at creation).
* normal user: the default umask is 0002 =>
* default directory permissions are 775 (rwxrwxr-x)
* default file permissions are 664 (rw-rw-r--)
* root user: the default umask is 0022 =>
* default directory permissions are 755 (rwxr-xr-x). How to calculate the directory permission for umask 022 (root user):
Default Permissions: 777
Subtract umask value: 022 (-)
Allowed Permissions: 755
* default file permissions are 644 (rw-r--r--). How to calculate the file permission for umask 022 (root user):
Default Permissions: 666
Subtract umask value: 022 (-)
Allowed Permissions: 644
* The subtraction shortcut only works while no mask digit is larger than the matching default digit. The real operation is bitwise: mode = default AND NOT umask. For umask 027 a new file gets 640, not 666 - 027 = 637. A umask of 077 (files 600, directories 700) is the right default for accounts that handle keys or credentials.
* How to restore the default mode after chmod was run over an entire directory tree? **Copy the files/directories to a new file/directory** (cp without -p): the copies are created with the mode derived from the current umask, not with the mode of the originals.
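Added example, not from the original page: the umask calculation as the kernel performs it, as a shell function, with the subtraction shortcut beside it so the difference shows for masks like 027, followed by a real check that creates a file and a directory under umask 027 in a temporary directory and lists their modes.

```shell
#!/bin/sh
# Permissions of a new object under a given umask: mode = base & ~umask.
# Arguments are octal strings as typed at the shell ("666", "027").
effective_mode() {            # effective_mode <base> <umask>  -> e.g. 640
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}
subtract_mode() {             # the "subtract the umask" shortcut, for comparison
  printf '%03o\n' $(( 0$1 - 0$2 ))
}
new_file_mode() { effective_mode 666 "$1"; }   # files never get x bits at creation
new_dir_mode()  { effective_mode 777 "$1"; }

# Table for the common masks: subtraction agrees for 002 and 022 and goes wrong
# as soon as a mask digit is larger than the matching base digit (027, 077).
for m in 002 022 027 077; do
  printf 'umask %s: file %s dir %s (subtraction would give %s for a file)\n' \
    "$m" "$(new_file_mode "$m")" "$(new_dir_mode "$m")" "$(subtract_mode 666 "$m")"
done

# The kernel's answer, observed: umask is per process, so set it in a subshell
# and let the parent shell keep its own mask.
scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
(umask 027; touch "$scratch/file"; mkdir "$scratch/dir"; ls -ld "$scratch/file" "$scratch/dir")
```

The ls output ends in -rw-r----- for the file and drwxr-x--- for the directory, matching effective_mode 666 027 = 640 and 777 027 = 750.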
===== System startup and shutdown =====
==== System startup config ====
=== OS startup config files ===
+ /etc/inittab
id:3:initdefault:
=> id:runlevels:action:command; this entry sets the default run level (3 = multi-user without X, 5 = with a graphical login)
+ /etc/rc.local
=> script run at the end of the boot process, after the run-level services have started
=== Understand run-level scripts in config files ===
Understanding run-level scripts: a software package that has a service to start at boot time (or when the system changes run level)
* can add a script to the /etc/init.d directory. That script is then linked into the appropriate run-level directory and either started or stopped (to start or stop the service).
* step1: create my_daemon and copy it to /etc/init.d. The chkconfig header at the top of my_daemon must have this format (a description spanning several lines is continued with a trailing backslash):
# chkconfig: 345 82 28
# description: Does something pretty cool - you really \
# have to see it to believe it!
# processname: my_daemon
=> 345 82 28 means: enabled in run levels 3, 4 and 5, start priority 82 (the link becomes S82my_daemon), stop priority 28 (K28my_daemon). Pick a start priority higher than that of every service the daemon depends on (network, database), so it starts after them and stops before them.
* step2: register the script with chkconfig: chkconfig --add my_daemon
* All of the programs within the /etc/rcX.d directories (where X is replaced by a run-level number) are symbolic links, usually to a file in /etc/init.d.
* For each run level, a script beginning with K stops the service, whereas a script beginning with S starts the service.
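Added example, not from the original page: a complete my_daemon init script with the chkconfig header above and start/stop/status handling through a pidfile, for a daemon that does not daemonise itself. The daemon command and pidfile path are hypothetical and can be overridden through MY_DAEMON_CMD and MY_DAEMON_PIDFILE so the script can be exercised without root; it deliberately does not source /etc/init.d/functions so that it also runs outside Red Hat.

```shell
#!/bin/sh
# my_daemon - SysV init script skeleton for a daemon that stays in the foreground.
#
# chkconfig: 345 82 28
# description: Example daemon managed through a pidfile.
# processname: my_daemon
#
# Install: cp my_daemon /etc/init.d/ && chmod 755 /etc/init.d/my_daemon && chkconfig --add my_daemon
# Try it without touching /var/run (hypothetical paths, overridable for testing):
#   MY_DAEMON_CMD="sleep 60" MY_DAEMON_PIDFILE=/tmp/my_daemon.pid sh my_daemon start

my_daemon_pidfile() { echo "${MY_DAEMON_PIDFILE:-/var/run/my_daemon.pid}"; }
my_daemon_cmd()     { echo "${MY_DAEMON_CMD:-/usr/local/sbin/my_daemon}"; }

# 0 = running, 1 = stopped, 2 = stale pidfile (file present, process gone)
my_daemon_status() {
  pf=$(my_daemon_pidfile)
  [ -f "$pf" ] || return 1
  pid=$(cat "$pf")
  kill -0 "$pid" 2>/dev/null && return 0
  return 2
}

my_daemon_start() {
  if my_daemon_status; then echo "my_daemon is already running"; return 0; fi
  pf=$(my_daemon_pidfile)
  rm -f "$pf"                                   # drop a stale pidfile from a crash
  $(my_daemon_cmd) </dev/null >/dev/null 2>&1 & # detach stdin/stdout from the terminal
  echo $! > "$pf"
  echo "my_daemon started (pid $(cat "$pf"))"
}

my_daemon_stop() {
  pf=$(my_daemon_pidfile)
  if [ ! -f "$pf" ]; then echo "my_daemon is not running"; return 0; fi
  pid=$(cat "$pf")
  kill "$pid" 2>/dev/null || true               # polite SIGTERM first
  wait "$pid" 2>/dev/null || true               # reap it if this shell started it
  i=0                                           # give it up to 5 s, then SIGKILL
  while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 50 ]; do
    sleep 0.1; i=$((i + 1))
  done
  if kill -0 "$pid" 2>/dev/null; then kill -9 "$pid" 2>/dev/null || true; fi
  rm -f "$pf"
  echo "my_daemon stopped"
}

case "${1:-}" in
  start)   my_daemon_start ;;
  stop)    my_daemon_stop ;;
  restart) my_daemon_stop; my_daemon_start ;;
  status)  if my_daemon_status; then echo "my_daemon is running"; else echo "my_daemon is stopped"; exit 3; fi ;;
  "")      ;;                                   # no argument: only define the functions
  *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

The stale-pidfile case (return code 2) is the one most hand-written scripts miss: after a crash the pidfile still exists, and a start that only checks for the file refuses to run while a status that only checks the file reports the daemon as up.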
=== Managing xinetd services ===
There are a bunch of services, particularly Internet services, that are not handled by separate run-level scripts. Instead, a single run-level script called xinetd ((formerly inetd)) is run to handle incoming requests for these services => xinetd is sometimes referred to as the super-server. Each service it handles has a file in /etc/xinetd.d/ where disable = yes/no switches it off or on. Below is the script to start and stop xinetd:
/etc/init.d/xinetd start
/etc/init.d/xinetd stop
==== Manage services in linux ====
* Start httpd service:
service httpd start
* Stop httpd service:
service httpd stop
* Config httpd to start automatically when the OS boots:
chkconfig httpd on
And on Debian, where the Apache service is named apache2:
update-rc.d apache2 enable
* Get all running services
service --status-all | grep running
output:
acpid (pid 3039) is running...
atd (pid 3318) is running...
auditd (pid 2690) is running...
automount (pid 3015) is running...
Avahi daemon is running
Avahi DNS daemon is not running
hcid (pid 2892) is running...
sdpd (pid 2896) is running...
capi not installed - No such file or directory (2)
crond (pid 3289) is running...
cupsd (pid 3072) is running...
.............................
===== Host and network config =====
==== Change hostname ====
* Redhat / CentOS / Fedora: Edit **/etc/sysconfig/network** (this is what survives a reboot; the key is uppercase):
HOSTNAME=GWServer01-YN01
And run the command below to set the active hostname without rebooting:
hostname GWServer01-YN01
* Debian / Ubuntu: Edit the **/etc/hostname** file, enter the new hostname:
GWServer01-YN01
And run the command below to change the live hostname:
hostname GWServer01-YN01
On both families, also update the entry in /etc/hosts so the new name resolves locally (otherwise sudo and some daemons complain that they cannot resolve the hostname).
==== Edit login banner ====
=== Console and telnet sessions ===
/etc/issue => shown on the local console before the login prompt
/etc/issue.net => shown to telnet clients before login
=== ssh session ===
Set Banner /etc/issue.net in /etc/ssh/sshd_config and reload sshd. The banner is sent before authentication, to anyone who connects, so keep it to the legal notice and leave out the OS version, hostname and contact details.
==== Network config ====
* Redhat: Edit /etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=120.138.64.2
NETMASK=255.255.255.192
HWADDR=00:1A:64:56:12:10
GATEWAY=120.138.64.1
And run command below to active config:
/sbin/service network restart
* Debian / Ubuntu: Edit /etc/network/interfaces
auto eth0
iface eth0 inet static
address 123.30.133.150
gateway 123.30.133.129
netmask 255.255.255.128
network 123.30.133.128#custom
broadcast 123.30.133.255#custom
And run command below to active config:
/etc/init.d/networking restart
==== Check network card ====
/sbin/ifconfig -a
/sbin/arp -a
==== Check hardware network ====
dmidecode -t takes a DMI type number or a keyword; the keyword baseboard covers types 2, 10 and 41, which is where onboard NICs are listed:
sudo /usr/sbin/dmidecode -t baseboard
output:
Handle 0x002B, DMI type 10, 6 bytes
On Board Device Information
Type: Ethernet
Status: Enabled
Description: Onboard Ethernet
Handle 0x006A, DMI type 41, 11 bytes
Onboard Device
Reference Designation: Onboard LAN
Type: Ethernet
Status: Enabled
Type Instance: 1
Bus Address: 0000:00:19.0
==== Config Route ====
=== Static route (runtime only, lost at reboot) ===
* Redhat
route add -net 10.60.3.0/24 gw 10.30.41.1
route add -net 192.168.2.0/24 gw 192.168.2.2
route add default gw 120.138.64.1
* Debian: the same commands, prefixed with up, belong in the iface stanza of /etc/network/interfaces (they are run when the interface comes up):
up route add -net 10.60.3.0/24 gw 10.30.41.1 dev eth1
up route add -net 192.168.2.0/24 gw 192.168.2.2 dev eth1
=== Persistent static routes (applied on every network restart) ===
* Redhat: list the routes in /etc/sysconfig/network-scripts/route-eth1, one per line, in the form destination via gateway:
cat > /etc/sysconfig/network-scripts/route-eth1 <<'EOF'
10.199.44.0/24 via 10.30.31.1
10.199.51.5/32 via 10.30.31.1
10.199.3.0/24 via 10.30.31.1
10.199.50.213/32 via 10.30.31.1
10.30.4.0/27 via 10.30.31.1
118.102.5.136/32 via 10.30.31.1
192.168.64.0/24 via 10.30.31.1
10.30.4.9/32 via 10.30.31.1
EOF
Or append a single route to the file and add it to the running table at the same time:
echo '10.30.15.16/32 via 10.30.31.1' >> /etc/sysconfig/network-scripts/route-eth1
route add -host 10.30.15.16 gw 10.30.31.1
And apply the configuration:
/sbin/service network restart
* Debian: Edit **/etc/network/interfaces** (inside the iface stanza of the interface)
up route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.11
down route del -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.11
And apply the configuration:
/etc/init.d/networking restart
==== DNS ====
[/etc/resolv.conf]
nameserver 202.96.209.5
==== DHCP server ====
* server config: /etc/dhcpd.conf on CentOS 5, /etc/dhcp/dhcpd.conf on CentOS 6 (service dhcpd)
* client: run dhclient eth0 to request a dynamic IP for the interface
===== Security =====
==== Iptables ====
=== start,stop iptables ===
service iptables start
service iptables stop
service iptables restart
service iptables status
chkconfig --level 345 iptables on
chkconfig --list iptables
=== Iptables config ===
* /etc/sysconfig/iptables (loaded by service iptables start; write the running rules back into it with service iptables save)
* Create a simple ruleset that allows ssh, http and ICMP in on eth0 and only ICMP on eth1. The loopback rule and the stateful rule come first and are not limited to tcp: without -i lo ACCEPT, local services talking to 127.0.0.1 are dropped, and if the RELATED,ESTABLISHED rule were restricted to -p tcp, replies to the host's own DNS (UDP) queries would be dropped too:
*filter
:INPUT ACCEPT [396:30624]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [216:23216]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#eth0 INPUT here
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j DROP
#eth1 INPUT here
-A INPUT -i eth1 -p icmp -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT
=> The per-interface DROP lines mean an interface that appears later (eth2, a VPN tun0) is not filtered at all; a chain policy of :INPUT DROP instead of the two DROP rules is the safer default. Apply a new ruleset from a console session, not over ssh, unless the port 22 rule has been double-checked.
==== log system: messages,secure,cron ====
http://linuxhelp.blogspot.com/2005/01/system-logging.html
=== syslogd, klogd ===
These daemons provide centralized logging in linux.
* The configuration file: /etc/syslog.conf
* script controls: /etc/rc.d/init.d/syslog
=== /var/log ===
* /var/log/dmesg: This log file is written upon system boot. It contains messages from the kernel that were raised during the boot process. You can also view them using the command:
#dmesg
* /var/log/messages: This is the standard system log file, which contains messages from all your system software, non-kernel boot issues, and messages that go to 'dmesg'.
* /var/log/maillog: This log file contains messages and errors from the mail system (sendmail or postfix).
* /var/log/secure: This log file contains messages and errors from security related systems such as login, sshd, sudo, tcp_wrappers, and xinetd: every failed and successful authentication lands here, which makes it the first file to read when detecting and investigating network abuse or a suspected compromise.
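Added example, not from the original page: three awk-based checks over /var/log/secure in the format CentOS 6 sshd and sudo write. The log lines are constructed for the demonstration (documentation address ranges, invented host name gw01); run the functions against /var/log/secure on a real host.

```shell
#!/bin/sh
# Triage helpers for /var/log/secure. Each takes the log path as $1.

# Count "Failed password" events per source address, busiest first.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Addresses that accumulated at least $2 failures and then got an "Accepted"
# login: the shape of a password-guessing run that eventually worked.
success_after_failures() {
  awk -v thr="$2" '
    function src(line,   n, i, f) {
      n = split(line, f, " ")
      for (i = 1; i < n; i++) if (f[i] == "from") return f[i + 1]
      return ""
    }
    /sshd\[[0-9]+\]: Failed password/ { fail[src($0)]++ }
    /sshd\[[0-9]+\]: Accepted /       { ip = src($0); if (fail[ip] >= thr) print ip }
  ' "$1"
}

# sudo invocations that opened an interactive root shell instead of one command
# (field 6 is the invoking user in the "host sudo:    user : TTY=..." layout).
sudo_root_shells() {
  awk '/ sudo: / && /USER=root/ && /COMMAND=\/bin\/(ba)?sh/ { print $6 }' "$1"
}

# Constructed sample log (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 17 20:01:12 gw01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Aug 17 20:01:15 gw01 sshd[2301]: Failed password for root from 203.0.113.7 port 40130 ssh2
Aug 17 20:01:18 gw01 sshd[2305]: Failed password for root from 203.0.113.7 port 40131 ssh2
Aug 17 20:02:40 gw01 sshd[2310]: Accepted publickey for anhvc from 198.51.100.4 port 51012 ssh2
Aug 17 20:03:02 gw01 sshd[2312]: Failed password for anhvc from 198.51.100.4 port 51020 ssh2
Aug 17 20:05:00 gw01 sudo:    anhvc : TTY=pts/0 ; PWD=/home/anhvc ; USER=root ; COMMAND=/bin/bash
Aug 17 20:06:10 gw01 sshd[2320]: Accepted password for root from 203.0.113.7 port 40200 ssh2
Aug 17 20:07:30 gw01 sudo:    anhvc : TTY=pts/0 ; PWD=/home/anhvc ; USER=root ; COMMAND=/sbin/service httpd reload
EOF

echo "== failures per source ==";            failed_by_ip "$SAMPLE_LOG"
echo "== success after >=3 failures ==";     success_after_failures "$SAMPLE_LOG" 3
echo "== sudo root shells ==";               sudo_root_shells "$SAMPLE_LOG"
```

On the sample, 203.0.113.7 fails three times against root and then logs in as root with a password: that address and that account need attention before anything else. 198.51.100.4 is a user who mistyped once after a key login and is not flagged.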
===== Scheduling System Tasks =====
Check the log of every cron run on the system (which user ran which command, and when):
cat /var/log/cron
==== Scheduling System Tasks with at ====
Users listed in /etc/at.deny may not use at; if /etc/at.allow exists, only the users listed there may.
* Queue a shutdown (run level 0) one minute from now:
echo "/sbin/init 0" | at now +1 minutes
* List the queued jobs:
atq
job 12 at 2009-08-17 20:06
==== Scheduling System Tasks with crond (crontab) ====
To schedule with crond, make sure crond is configured to start automatically when Linux boots:
chkconfig crond on
=== Available System Crontabs ===
All system-wide crontab locations under /etc:
/etc/crontab => the system crontab; its lines carry an extra user field before the command
/etc/cron.deny => users who are not allowed to use crontab
/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly => directories of scripts run by run-parts at those intervals
/etc/cron.d => drop-in files in the same format as /etc/crontab (packages install theirs here)
=== basic crontab commands ===
* crontab -e: create or edit the crontab configuration file
* crontab -l: display the content of the crontab configuration file
* crontab -r: delete the crontab configuration file (no confirmation is asked)
=== crontab configuration file base on linux user ===
* cat /var/spool/cron/root
*/30 * * * * /usr/sbin/ntpdate pool.ntp.org
*/5 * * * * /usr/local/bin/iostat.sh
14 2 * * * /etc/webmin/cron/tempdelete.pl
30 4 * * 1 /root/scripts/kpiweekly.sh >> /var/log/kpiweekly.log
0 5 1 * * /root/scripts/kpimonthly.sh >> /var/log/kpimonthly.log
* structure of crontab
minute(s) hour(s) day(s) month(s) weekday(s) command(s)
* * * * * command to be executed
- - - - -
| | | | |
| | | | +----- day of week (0 - 6) (Sunday=0)
| | | +------- month (1 - 12)
| | +--------- day of month (1 - 31)
| +----------- hour (0 - 23)
+------------- min (0 - 59)
Example, runs at 18:25 every day:
25 18 * * * /etc/webmin/cron/tempdelete.pl
=== Create 1 simple crontab ===
Create a crontab for user anhvc that backs up /home/anhvc/data.txt at 21:45 every day
* step1: create the backup script /home/anhvc/backupdata.sh and make it executable (chmod 700). cron runs it with a minimal PATH from the user's home directory, so use absolute paths and fail loudly so cron mails the error:
#!/bin/sh
# back up data.txt to a timestamped copy; -e aborts on the first error, -u on an unset variable
set -eu
src=/home/anhvc/data.txt
dest="/home/anhvc/$(date +%H%M%S_%d%m%y).txt"
cp "$src" "$dest"
* step2: create the crontab entry
crontab -e
45 21 * * * /home/anhvc/backupdata.sh
* step3: no restart of crond is needed; crond notices the changed spool file by itself
* step4: check the content of the crontab configuration file
crontab -l => 45 21 * * * /home/anhvc/backupdata.sh
* step5: check the output of the crontab after 21:45
ls /home/anhvc
=> 214501_170809.txt
=== Create a crontab to update the system date/time ===
- Step1: Install ntpdate
yum install ntpdate
- Step2: Create the crontab entry:
*/30 * * * * /usr/sbin/ntpdate pool.ntp.org
=> ntpdate steps the clock, which can move time backwards and scramble log timelines; on a server prefer running ntpd (or chronyd) as a service and keep ntpdate for a one-off sync.
==== logrotate ====
=== logrotate runs daily from crond ===
logrotate is run every day by crond through the default **/etc/cron.daily/logrotate** script below:
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
=== Config logrotate for apache logs ===
in **/etc/logrotate.d/httpd**
/var/log/httpd/*log {
missingok
notifempty
sharedscripts
delaycompress
postrotate
/sbin/service httpd reload > /dev/null 2>/dev/null || true
endscript
}
=> change the glob **/var/log/httpd/*log** if Apache writes its logs to another directory; sharedscripts runs the reload once for all matching files rather than once per file
=== Config logrotate for nginx logs ===
refer: http://article.gmane.org/gmane.comp.web.nginx.english/586
- Step1: Configure nginx to write a pid file in conf/nginx.conf:
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/nginx.pid;
- Step2: **Restart nginx** and check the **content of /var/run/nginx.pid** (it must hold the master process pid, which is the process that reopens the logs on USR1). If OK, go to the next step
- Step3: create logrotate config for nginx **/etc/logrotate.d/nginx** with content below:
/usr/local/nginx/logs/*log {
#rotate the logfile(s) daily
daily
# adds extension like YYYYMMDD instead of simply adding a number
dateext
# If log file is missing, go on to next one without issuing an error msg
missingok
# Save logfiles for the last 52 days
rotate 52
# Old versions of log files are compressed with gzip
compress
# Postpone compression of the previous log file to the next rotation cycle
delaycompress
# Do not rotate the log if it is empty
notifempty
# create mode owner group
create 640 root nobody
sharedscripts
#after logfile is rotated and nginx.pid exists, send the USR1 signal
postrotate
[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
endscript
}
=> **root:nobody** (user: root, group: nobody) permissions might need further revision on your own system, as may the **logs** and **pid file** locations
- Step4: check the nginx logrotate config: -d does a dry run and prints what would be rotated, --force rotates right away
logrotate -d /etc/logrotate.d/nginx
logrotate --force /etc/logrotate.d/nginx
===== Optimize OS parameters (sysctl) =====
refer: http://ithubinfo.blogspot.com/2013/07/how-to-increase-ulimit-open-file-and.html
==== Runtime config (restored to defaults when the OS restarts) ====
* run some basic runtime changes (ulimit only affects the current shell and the processes it starts, and a non-root user cannot raise a soft limit above the hard limit; writes under /proc/sys are system-wide):
ulimit -n 102400
ulimit -c 1024000
echo 1073741824 >/proc/sys/kernel/shmmax
echo 200000 260000 300000 > /proc/sys/net/ipv4/tcp_mem
* check config:
ulimit -a
=> output:
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 256651
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 1024
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
==== Increase the number of open files (/etc/sysctl.conf) ====
Check the number of open files
* Method1: cat /proc/sys/fs/file-nr
=> output:
960 0 65536
=> 960 file handles allocated, 0 allocated but unused, and fs.file-max = 65536 (the system-wide ceiling)
* Method2: check sysctl
sysctl -a | grep file-max
output:
fs.file-max = 65536
Steps to raise the number of open files:
- Step1: raise the system-wide ceiling in /etc/sysctl.conf (apply without a reboot with sysctl -p)
fs.file-max = 65536
- Step2: raise the per-process limits in /etc/security/limits.conf (applied by PAM at login). On RHEL/CentOS 6, /etc/security/limits.d/90-nproc.conf overrides nproc for non-root users and must be edited as well, and nproc counts all processes of the user, not only those of one shell
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
- Step3: log out and back in (a reboot is not required); daemons that are already running keep their old limits until they are restarted
- Step4: recheck after the change:
ulimit -n
output:
65535
==== Check config ====
ulimit -a
sysctl -a => Display all values currently available.
sysctl kernel => for kernel
sysctl fs => for file system
sysctl net => for net system