
14.

04





.PHP

:



.

.

Academy.hsoub.com



.

Hsoub.com

11 .........................................................
13 .......................................................
.1 14 ......................................................................................

15 ......................................................
.1 16 .................................................................
.2 18 ...............................................
.3 23 ..................................................................................
.4 24 ..................................................................
.5 37 ...............................................................

43 ...............................................
.1 44 ....................................................................................
.2 45 .......................................................................... dpkg
.3 47 ................................................................... Apt-Get
.4 49 ................................................................. Aptitude
.5 52 ............................................................
.6 54 ...................................................................................
.7 56 ...................................................................................

58 ...................................................
.1 59 .........................................................................
.2 74 .............................................................. TCP/IP
.3 82 .................. DHCP
.4 87 ..................... NTP

90 ......................
.1 91 ............................................. DM-Multipath
.2 96 ............................................................. Multipath
.3 101 .................................. DM-Multipath
.4 107 .......................................... DM-Multipath
.5 127 ....................... DM-Multipath

136 ........................................
.1 137 ............................................................ OpenSSH
.2 142 ................................................................... Puppet
.3 147 ............................................................. Zentyal

154 ................................
.1 155 ......................................................... OpenLDAP
.2 198 .............................................. LDAP
.3 208 ..................................................... Kerberos
.4 Kerberos 223 ................................... LDAP
.5 SSSD 234 ..................... Active Directory

243 ........................ DNS


.1 244 ................................................................................
.2 245 .................................................................................
.3 255 ........................................
.4 261 ................................................................................

263 ...................................................
.1 264 ............................................................
.2 275 ...................................................................
.3 276 .....................................................................
.4 289 ...................................................... AppArmor
.5 296 ............................................................................
.6 305 .................................................... eCryptfs

309 ..................................................
.1 311 .............................................................. Nagios
.2 319 .................................................................. Munin

322 .........................................
.1 323 .................................................. HTTPD
.2 339 ......................................................................... PHP5
.3 Squid 342 ...................................................
.4 346 ............................................ Ruby on Rails
.5 348 ................................................. Tomcat

355 .......................................
.1 356 ................................................................ MySQL
.2 364 ...................................................... PostgreSQL

368 ...................................... LAMP


.1 371 ........................................................ Moin Moin
.2 374 ....................................................... MediaWiki
.3 377 ................................................ phpMyAdmin
.4 380 ........................................................ Wordpress

384 .....................................
.1 385 ........................................................................ FTP
.2 392 ................................................ NFS
.3 395 ....................................................................... iSCSI
.4 399 ..................................................... CUPS

404 ........................
.1 405 .................................................................. Postfix
.2 418 .................................................................. Exim4
.3 423 ........................................................... Dovecot
.4 427 .......................................................... Mailman
.5 437 ....................................................................
.6 DKIM 443 ......................................................

448 ..................................
.1 449 ......................................................................... IRC
.2 451 ................................... Jabber

453 .....................
.1 454 .................................................................... Bazaar
.2 455 ............................................................................. Git
.3 461 .......................................................... Subversion
.4 469 .......................................................................... CVS
.5 472 .................................................................................

473 .....................................................
.1 474 ..................................................................................
.2 476 ..................................................................
.3 480 .......................................................
.4 482 ...........
.5 490 .............................
.6 497 .............................. Active Directory

500 ....................................
.1 501 ......................................................................
.2 509 ....................................................................
.3 514 ................................................................. Bacula

523 ..................................
.1 524 .................................................................... libvirt
.2 534 ...................................... uvtool
.3 540 .....................................................................
.4 541 ........................................................ LXC

568 ...................................
.1 569 ....................................................................................
.2 572 ......................................................................
.3 573 ............................................................................
.4 574 ..................................................................................
.5 575 .................................................................................

576 ...............................
.1 577 ..................................................................... DRBD

582 ............................................. VPN


.1 583 ......................................................... OpenVPN
.2 596 ...................
.3 598 ...........................................
.4 599 ......................................................................

605 .............................
.1 606 ......................................................... pam_motd
.2 609 .......................................................... etckeeper
.3 612 .................................................................. Byobu
.4 614 .................................................................................

: 615 .............
.1 616 ....................... apport-cli
.2 620 .............................
.3 621 .................................................................................

11

14.04 -




Linux


.
.Ubuntu Server Guide

.
.
Creative Commons -
(Attribution-ShareAlike 3.0 Unported - CC BY-SA 3.0 ) 3.0
:

http://creativecommons.org/licenses/by-sa/3.0

2016\1\1



!
.


:
.

.1

) ( )Canonical
(Ltd. .
.


IRC
.
.


14.04
.

.1
.
.
14.04 : x86 AMD64
ARM
.
:1-2

)(

300

) (

512

1.75

192

700

1.4




....
.

apt
.
X
.
.
10.10
) (generic
.

: 64 64
.

/boot/config-3.13.0-server

Linux Kernel in a Nutshell
.


.


: .

.




!

.2



.

ISO .

).(Boot prompt


CD-ROM
) (RAM

.


DHCP DHCP
.

.sudo

) (hostname .



LVM
LVM
.


:
.

: unattended-upgrades
.

:Landscape Landscape
Landscape.


.
aptitude
.Aptitude

UTC
) (.


.F1
.


.

.

:DNS BIND DNS.

:LAMP .Linux-Apache-MySQL-PHP

.
:Mail

:OpenSSH OpenSSH.

:PostgreSQL
.PostgreSQL

.
:


) (Samba File Server
.

: Apache Tomcat
.

: .KVM

: aptitude .
Tasksel ) (

/



.



:
tasksel --list-tasks

) (Kubuntu ) (Edubuntu
tasksel
.

--task-packages
DNS :
tasksel --task-packages dns-server

:
bind9-doc
bind9utils
bind9


LAMP DNS

:
sudo tasksel install dns-server


.3

. do-release-upgrade
do-release-upgrade
update-manager-core
.
apt-get dist-upgrade
do-release-upgrade
.
:
do-release-upgrade

do-release-upgrade
-d :
do-release-upgrade -d

: .


.4
RAID .

)Redundant Array of Independent Disks


(RAID

/ RAID
RAID )
( )
(.
RAID )(

mdadm RAID

RAID1 ) (/
).(Swap

.1

.2



.RAID


.3 ][ .

.4



) (RAM
) (.

.5

Ext4
) RAID (RAID
][.

.6 ) (/
][ .

.7

.8


RAID
][.

.9


RAID

.1

RAID .

.2

.3 .MD

.4

RAID1 )
RAID0 RAID1 .(RAID5

: RAID5 RAID0 RAID1


.

.5


) (2
.

.6

) ( 0
.

.7

... sda1, sdb1, sdc1.


.

.8 sda1 sdb1 .

.9

) (/ sda2 .sdb2

.10 .


RAID
RAID RAID

.1

#1 RAID1 .#0

.2

][.

.3 #1 RAID1 .#1

.4

Ext4.

.5

- /
][.

.6 .
RAID
) (degraded RAID
) (degraded state . .


RAID )(degraded state



RAID
).(degraded state
- -
initramfs
initramfs

initramfs
. :

dpkg-reconfigure
....

:mdadm
sudo dpkg-reconfigure mdadm

dpkg-reconfigure mdadm /etc/initramfs-tools/conf.d/mdadm
:
BOOT_DEGRADED=true

: .


Shift ).(Grub

e .

) bootdegraded=true ( .

Ctrl+x .
) RAID

( .

RAID
mdadm
....


:
sudo mdadm -D /dev/md0

/dev/md0
-D mdadm
RAID ./dev/md0


:
sudo mdadm -E /dev/sda1

mdadm -D /dev/sda1
.



:

sudo mdadm --remove /dev/md0 /dev/sda1

/dev/md0 /dev/sda1 RAID


.

:
sudo mdadm --add /dev/md0 /dev/sda1

) (faulty



.


/proc/mdstat RAID :
cat /proc/mdstat

Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md0 : active raid1 sda1[0] sdb1[1]
      10016384 blocks [2/2] [UU]
unused devices: <none>

:
watch -n1 cat /proc/mdstat

Ctrl+c .watch

) (grub

:
sudo grub-install /dev/md0

./dev/md0
.
RAID
RAID :

RAID .

.Software RAID HOWTO

.Managing RAID on Linux


. LVM
) (Logical Volume Manager
LVM
RAID

.

LVM
:LVM

) :(PV
RAID .LVM

) :(VG

) (virtual disk drive .

) :(LV ) (LVM
) Ext3 XFS... JFS (.
.


/srv
) (PV
LVM

.

LVM -

LVM LVM
- LVM
LVM LVM
.

.1

.2

.3
.

.4

/boot swap / .

.5

/srv LVM
LVM ][.

.6


.7 LVM
vg01
LVM .
.8 LVM

) srv
(

.
.9 LVM LVM VG vg01, LV srv

/srv
][ .
.10
.
:LVM

:pvdisplay .

:vgdisplay .

:lvdisplay .



LVM /srv
) (PV
) (VG srv

/dev/sdb

) (.

: /dev/sdb

:
sudo pvcreate /dev/sdb

):(VG
sudo vgextend vg01 /dev/sdb

vgdisplay (physical extents ) PE


/ ) (
) PE 511 2 PE 4(
- PE - .
PE :

sudo lvextend /dev/vg01/srv -l +511

-l PE -L
....
ext3 ext4

) (.
EXT3 EXT4
:
sudo umount /srv
sudo e2fsck -f /dev/vg01/srv

-f e2fsck .
:
sudo resize2fs /dev/vg01/srv


:
mount /dev/vg01/srv /srv && df -h /srv


LVM .

LVM HOWTO .

Managing Disk Space with LVM O'Reilly


.LinuxDevCenter.com
fdisk .

.5
.
) (Kernel Crash Dump

:

).(Kernel Panic

).([NMI] Non Maskable Interrupts

).([MCE] Machine Check Exceptions

.
) (NMI

kexec


.


.
kexec
)
(
.
.
:
sudo apt-get install linux-crashdump

.
/etc/default/kdump-tools :
USE_KDUMP=1


.

crashkernel )
(:
cat /proc/cmdline

BOOT_IMAGE=/vmlinuz-3.2.0-17-server root=/dev/mapper/PreciseS-root ro crashkernel=384M-2G:64M,2G-:128M

crashkernel :
crashkernel=<range1>:<size1>[,<range2>:<size2>,...][@offset]
range=start-[end] 'start' is inclusive and 'end' is exclusive.

crashkernel /proc/cmdline :
crashkernel=384M-2G:64M,2G-:128M

384 )
].([rescue

384 2 ) 2
( 64.

2 128.


kdump
:
dmesg | grep -i crash

...
[    0.000000] Reserving 64MB of memory at 800MB for crashkernel (System RAM: 1023MB)

.
:

SysRq :/proc/sys/kernel/sysrq
cat /proc/sys/kernel/sysrq

" " :
sudo sysctl -w kernel.sysrq=1

sudo
:
echo c > /proc/sysrq-trigger



.
:
sudo -s
[sudo] password for ubuntu:
# echo c > /proc/sysrq-trigger
[   31.659002] SysRq : Trigger a crash
[   31.659749] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   31.662668] IP: [<ffffffff8139f166>] sysrq_handle_crash+0x16/0x20
[   31.662668] PGD 3bfb9067 PUD 368a7067 PMD 0
[   31.662668] Oops: 0002 [#1] SMP
[   31.662668] CPU 1
....


:
Begin: Saving vmcore from kernel crash ...


:/var/crash
ls /var/crash

linux-image-3.0.0-12-server.0.crash


.

:

.kdump

.crash

)
(.


35000

.

.1

/ .
.
.deb
) (repositories
CD-ROM ) (compiled
.
) (dependencies


festival libasound2
ALSA festival
.


.2 dpkg
dpkg

dpkg :
:

dpkg -l


grep
:

dpkg -l | grep apache2

)regular
(expression .apache2
ufw
:

dpkg -L ufw


dpkg -S :

dpkg -S /etc/host.conf
base-files: /etc/host.conf

/etc/host.conf .base-files

:
dpkg -S .

.deb :

sudo dpkg -i zip_3.0-4_i386.deb

.zip_3.0-4_i386.deb
:

sudo dpkg -r zip

: dpkg

dpkg -r zip zip

dpkg .man dpkg


.3 Apt-Get
apt-get
) ([APT] Advanced Packaging Tool
.
) ( apt-get

) (SSH
.cron
:apt-get
: apt-get
:nmap
sudo apt-get install nmap

:
) (
:
sudo apt-get remove nmap

: apt-get


--purge apt-get remove apt-get



- -
.
: APT
/etc/apt/sources.list /etc/apt/sources.list.d

sudo apt-get update

.
apt-get
./var/log/dpkg.log
APT APT
:

apt-get help


.4 Aptitude

Aptitude

) (APT

.

Aptitude

Aptitude
Aptitude
:

sudo aptitude

Aptitude

.
Aptitude


:Aptitude

:
Enter
+
g


g
Enter
g
Enter .

:
Enter ""-

g g
Enter
g
Enter .

: u
Enter

Enter OK .

:

U g
g
Enter
g
Enter .


:i .

:c .

:p ) (.

:v ).(Virtual package

:B ).(Broken package

:u
.

:C .

:H .
Aptitude q

Aptitude .F10
. Aptitude
Aptitude ) (
apt-get nmap apt-get
:

sudo aptitude install nmap


sudo aptitude remove nmap

man
.aptitude

.5
unattended-upgrades

:

sudo apt-get install unattended-upgrades

unattended-upgrades :

vim /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {
        "Ubuntu trusty-security";
//      "Ubuntu trusty-updates";
};


Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

: // ) (comment // .

/etc/apt/apt.conf.d/10periodic
apt:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

: apt ./etc/cron.daily/apt

unattended-upgrades ./var/log/unattended-upgrades


Unattended-Upgrade::Mail /etc/apt/apt.conf.d/50unattended-upgrades unattended-upgrades

.
apticron ) (cron

.

:apticron

sudo apt-get install apticron

/etc/apticron/apticron.conf
:

EMAIL="root@example.com"

.6
) (APT
/etc/apt/sources.list /etc/apt/sources.list.d
.




CD-ROM :

# no more prompting for CD-ROM please


# deb cdrom:[Ubuntu 14.04 _Trusty Tahr_ - Release i386 (20111013.1)]/ trusty main restricted

. .


Universe Multiverse
.

: Multiverse

.

: Universe Multiverse
.



- -
.


Multiverse Universe
/etc/apt/sources.list
:

deb http://archive.ubuntu.com/ubuntu trusty universe multiverse
deb-src http://archive.ubuntu.com/ubuntu trusty universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ trusty universe
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty universe
deb http://us.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ trusty multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty multiverse
deb http://us.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb-src http://security.ubuntu.com/ubuntu trusty-security universe
deb http://security.ubuntu.com/ubuntu trusty-security multiverse
deb-src http://security.ubuntu.com/ubuntu trusty-security multiverse

.7


. InstallingSoftware

.man dpkg dpkg


APT HOWTO man apt-get


.apt-get

man aptitude .Aptitude

Adding Repositories HOWTO


.




.


.

.1

.
.
) (Ethernet interfaces
ethX X eth0
eth1
.

ifconfig :

ifconfig -a | grep eth

eth0 Link encap:Ethernet HWaddr 00:15:c5:4a:16:5a



lshw lshw eth0
) (bus :

sudo lshw -class network

*-network
description: Ethernet interface
product: BCM4401-B0 100Base-TX
vendor: Broadcom Corporation
physical id: 0
bus info: pci@0000:03:00.0
logical name: eth0
version: 02
serial: 00:15:c5:4a:16:5a
size: 10MB/s
capacity: 100MB/s
width: 32 bits
clock: 33MHz
capabilities: (snipped for brevity)
configuration: (snipped for brevity)
resources: irq:17 memory:ef9fe000-ef9fffff

/etc/udev/rules.d/70-persistent-net.rules
MAC NAME=ethX
.



ethtool
( ) duplex (auto-negotiation)
( Wake-on-LAN) WoL
:
sudo apt-get install ethtool

sudo ethtool eth0

Settings for eth0:


Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: d
Current message level: 0x000000ff (255)
Link detected: yes


ethtool
ethtool ) pre-up
( ./etc/network/interfaces
eth0
1000Mb/s ) full duplex (:

auto eth0
iface eth0 inet static
pre-up /sbin/ethtool -s eth0 speed 1000 duplex full

: static

DHCP pre-up

. IP
IP )(gateway
.

IP

ip ifconfig
route /
.


IP : ifconfig IP
:( subnet mask)

sudo ifconfig eth0 10.0.0.100 netmask 255.255.255.0

:eth0 IP

ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:15:c5:4a:16:5a
          inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::215:c5ff:fe4a:165a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:466475604 errors:0 dropped:0 overruns:0 frame:0
          TX packets:403172654 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2574778386 (2.5 GB)  TX bytes:1618367329 (1.6 GB)
          Interrupt:16

: route
:

sudo route add default gw 10.0.0.1 eth0


route :

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

DNS IP DNS
/etc/resolv.conf /etc/resolv.conf
DNS
/etc/resolv.conf
DNS .

nameserver 8.8.8.8
nameserver 8.8.4.4

IP
ip flush :

ip addr flush eth0

: IP ip /etc/resolv.conf
.


) IP (DHCP
DHCP dhcp

(address family) inet /etc/network/interfaces :eth0

auto eth0
iface eth0 inet dhcp

ifup
DHCP .dhclient

sudo ifup eth0


ifdown
) (release DHCP .

sudo ifdown eth0

IP
IP static
inet /etc/network/interfaces
.eth0


( gateway ) ( netmask) ( address)


:
auto eth0
iface eth0 inet static
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.1

:ifup
sudo ifup eth0

: ifdown
sudo ifdown eth0

loopback
lo ( ) loopback
:ifconfig 127.0.0.1 IP
ifconfig lo

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2718 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2718 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:183308 (183.3 KB)  TX bytes:183308 (183.3 KB)


/etc/network/interfaces
loopback

:

auto lo
iface lo inet loopback

.
) (Name resolution IP
IP

DNS )static
.(hostname records

DNS


/etc/resolv.conf
DHCP
resolvconf

.


Resolvconf

/etc/resolv.conf

resolvconf
resolvconf DHCP /etc/network/interfaces
/etc/resolv.conf ):(symlink

/etc/resolv.conf -> ../run/resolvconf/resolv.conf

IP /etc/network/interfaces DNS suffix) DNS (search-lists resolv.conf
dns- :

iface eth0 inet static
    address 192.168.3.3
    netmask 255.255.255.0
    gateway 192.168.3.1
    dns-search example.com
    dns-nameservers 192.168.3.45 192.168.8.10

search DNS


example.com sales.example.com
.dev.example.com


iface eth0 inet static
    address 192.168.3.3
    netmask 255.255.255.0
    gateway 192.168.3.1
    dns-search example.com sales.example.com dev.example.com
    dns-nameservers 192.168.3.45 192.168.8.10

ping server1 DNS


) ([FQDN] Fully Qualified Domain Name :

.1

server1.example.com

server1.sales.example.com .2
server1.dev.example.com .3
DNS notfound
.DNS


IP /etc/hosts
hosts DNS
/etc/hosts
-
DNS -

.DNS


hosts
:

127.0.0.1   localhost
127.0.1.1   ubuntu-server
10.0.0.11   server1 vpn server1.example.com
10.0.0.12   server2 mail server2.example.com
10.0.0.13   server3 www server3.example.com
10.0.0.14   server4 file server4.example.com

server1 vpn server2 mail

server3 www server4 .file

IP
)([NSS] Name Service Switch
/etc/nsswitch.conf
/etc/hosts DNS
:/etc/nsswitch.conf

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4


:files
./etc/hosts

:mdns4_minimal .Multicast DNS

] :[NOTFOUND=return notfound
mdns4_minimal
.

:dns Unicast DNS.

:mdns4 .Multicast DNS


) (name resolution

hosts
Unicast DNS Multicast DNS
/etc/nsswitch.conf :

hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4

.
) (bridge

) (filter
) (Virtual Machines
.

bridge-utils

:

sudo apt-get install bridge-utils

:/etc/network/interfaces

auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 192.168.0.10
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off

:
.

sudo ifup br0



brctl
man brctl .
.

Network
.

resolvconf
.resolvconf


man interfaces
./etc/network/interfaces

man dhclient
.DHCP

DNS man resolver



Linux Network : O'Reilly
Administrator's Guide resolver
.

man brctl
Networking-bridge ).(Linux Foundation


.2 TCP/IP
) (Transmission Control Protocol

) (Internet Protocol TCP/IP

) ([DARPA] Defense Advanced Research Projects Agency
TCP/IP
.

. TCP/IP
TCP/IP
- IP -TCP/IP ) (connectionless
) (routing IP Datagram
IP Datagram .
TCP TCP/IP
)(data streams

TCP


. TCP/IP
TCP/IP

) Dynamic
([DHCP] Host Configuration Protocol TCP/IP

.
TCP/IP :

:IP
) (0 ) (255 ) (8
) (32
.dotted quad notation

: ) : ] ([netmask
IP
) (Subnetwork (Class C network) C
255.255.255.0
IP IP
.


: ) (Network Address
IP
12.128.1.2 A 12.0.0.0
12 ) IP (

IP 192.168.1.100 192.
168.1.0 C
192.168.1 .

: ) (Broadcast Address IP
.
IP 255.255.255.255
) (routers

C 192.168.1.0 192.168.1
.255
) ([ARP] Address Resolution Protocol
) .([RIP] Routing Information Protocol


: ) (Gateway Address IP



) (router
.
.

: ) (Nameserver Addresses
IP DNS )(resolve
IP
:
) (Primary ) (Secondary
) (Tertiary
IP

TCP/IP

(Verizon) Level3 IP 4.2.2.1 .4.2.2.6


: IP

/etc/network/interfaces nameserver

/etc/resolv.conf interfaces resolv.conf


:

interfaces :
:resolv.conf

man interfaces
man resolv.conf

. IP
(IP Routing) IP
TCP/IP
) (routing tables
)(routers
:IP ) (static routing ).(dynamic routing
IP
route
)
(


.



)] (Router Information Protocol [RIP






.


.

. TCP UDP
TCP ) (connection-based

) (flow control

)(collisions
TCP
.


(User Datagram Protocol ) UDP


) (connectionless

UDP ) (streaming
TCP
.

. ICMP
(Internet Control Messaging Protocol) ICMP

) (IP (Request For Comments) RFC #792



ICMP ping
- ICMP
- Destination Unreachable .Time Exceeded
.
) (Daemons




) ([httpd] HyperText Transport Protocol Daemon


) ([sshd] Secure SHell Daemon

) Internet
([imapd] Message Access Protocol Daemon .
.

TCP IP .


.TCP/IP Tutorial and Technical Overview :IBM

TCP/IP Network Administration .O'Reilly


.3 DHCP

) (Dynamic Host Configuration Protocol


DHCP
.DHCP
DHCP DHCP:

IP .

IP .

IP DNS .


DHCP :

.
DHCP -

-DNS DHCP
DHCP DHCP

DHCP
IP
.IP


DHCP :

) (Manual allocation MAC


DHCP
DHCP

DHCP
.MAC
)(Dynamic allocation
- DHCP - IP )
pool range (scope ) (lease


DHCP

DHCP
.


)(Automatic allocation
- DHCP - IP
DHCP
DHCP .
DHCP

IP
.

DHCP dynamic host) dhcpd


(configuration protocol daemon dhclient


.
.
:dhcpd

sudo apt-get install isc-dhcp-server

/etc/dhcp/dhcpd.conf
.



/etc/default/isc-dhcp-server
) (listen .dhcpd

: dhcpd syslog .

.

:
IP
:

# minimal sample /etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.150 192.168.1.200;
  option routers 192.168.1.254;
  option domain-name-servers 192.168.1.1, 192.168.1.2;
  option domain-name "mydomain.example";
}

DHCP IP
192.168.1.150 192.168.1.200 IP 600
7200

192.168.1.254 192.168.1.1 192.168.


.DNS
1.2
dhcpd :

sudo service isc-dhcp-server restart

.dhcp3-server

/etc/dhcp/dhcpd.conf man
.dhcpd.conf

.dhcp-server :ISC


.4 NTP

NTP TCP/IP
: .
NTP
NTP ) (atomic clock




! ntpdate .ntpd

. ntpdate
ntpdate
NTP :

ntpdate -s ntp.ubuntu.com

. ntpd
ntp
) (logs .
.


.
: ntpd

sudo apt-get install ntp

.
/etc/ntp.conf
:
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

:ntpd

sudo service ntp reload


.
ntpq :

sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+stratum2-2.NTP. 129.70.130.70    2 u    5   64  377   68.461  -44.274 110.334
+ntp2.m-online.n 212.18.1.106     2 u    5   64  377   54.629  -27.318  78.882
*145.253.66.170  .DCFa.           1 u   10   64  377   83.607  -30.159  68.343
+stratum2-3.NTP. 129.70.130.70    2 u    5   64  357   68.795  -68.168 104.612
+europium.canoni 193.79.237.14    2 u   63   64  337   81.534  -67.968  92.792

Ubuntu Time .

:ntp.org .


.1 DM-Multipath
) DM-] Device mapper multipathing
([Multipath ) (I/O
. SAN
) (switches )(controllers ) (multipathing



DM-Multipath 12.04

DM-Multipath .
12.04
multipath-0.4.8 .multipath-0.4.9
. 0.4.8


) (key prio_callout
prio
:
device {
    vendor "NEC"
    product "DISK ARRAY"
    prio_callout mpath_prio_alua /dev/%n
    prio alua
}


) ( :
:1-5
0.4.8

0.4.9

prio_callout mpath_prio_emc /dev/%n

prio emc

prio_callout mpath_prio_alua /dev/%n

prio alua

prio_callout mpath_prio_netapp /dev/%n

prio netapp

prio_callout mpath_prio_rdac /dev/%n

prio rdac

prio_callout mpath_prio_hp_sw /dev/%n

prio hp_sw

prio_callout mpath_prio_hds_modular %b

prio hds

/

prio_callout prio
prio
prio_callout .
DM-Multipath:

:Redundancy DM-Multipath
/ )(active/passive - -

) ( DM-Multipath .


: DM-Multipath /
) (active/active round-robin
DM-Multipath

.

.
- DM-Multipath -
DM-Multipath multipath.conf.defaults
DM-Multipath
(multipath.conf) DM-Multipath
.DM-Multipath



.


. DM-Multipath
:DM-Multipath

:1-5 DM-Multipath

dm_multipath

multipath /etc/rc.sysinit
multipath
udev (block device) .initramfs

multipathd


multipath
/etc/multipath.conf .
) (device mapper devices

kpartx

. DOS
DM-Multipath kpartx
multipath-tools .


. DM-Multipath
DM-Multipath
multipath DM-Multipath
DM-Multipath :

.1

multipath-tools .multipath-tools-boot

.2

/etc/multipath.conf .

.3 multipath.conf
.

.4

.multipath

.5

.initial-ramdisk

multipath .DM-Multipath


.2 Multipath

DM-Multipath
DM-Multipath
multipath .
.
) (multipath device ) (WWID

multipath WWID
user_friendly_names multipath
DM-Multipath .mpathn
HBA
FC /dev/sda : /dev/sdb
/dev/sdb ./dev/sdd
DM-Multipath WWID
multipath
user_friendly_names mpathn
DM-Multipath
/dev /dev/mapper/mpathn : ./dev/dm-n


/dev/mapper

) .(logical volumes /dev/dm-n
.
multipath
user_friendly_names

multipath alias multipaths


multipath multipaths
multipath .Multipath
. Multipath
user_friendly_names yes
multipath
.multipath alias
multipaths multipath.conf

. LVM
.
multipath
user_friendly_names no .



/etc/multipath.conf
:

multipath multipath.conf
.

multipath :
sudo service multipath-tools stop
sudo multipath -F

multipath.conf
.

multipathd
:
sudo service multipath-tools start


. Multipath
user_friendly_names alias multipath


multipath ) (entry
multipaths .multipath
multipaths multipath .Multipath
. multipath
multipath multipath

LVM

/dev/mapper/mpatha multipath /dev/mapper


/mpatha :
sudo pvcreate /dev/mapper/mpatha

LVM LVM
LVM .

: LVM
.pvcreate


LVM multipath/

) (filters lvm.conf
multipath

multipath LVM
LVM /
) ( . SCSI
(lvm.conf) LVM :
filter = [ "r/block/", "r/disk/", "r/sd.*/", "a/.*/" ]

/etc/lvm.conf initrd
:
update-initramfs -u -k all

: /etc/lvm.conf /etc/multipath.conf initrd


.3 DM-Multipath

DM-Multipath :

DM-Multipath.

. DM-Multipath
DM-Multipath
multipath-tools SAN

.multipath-tools-boot
/etc/multipath.conf multipath
/etc/multipath.conf

multipath -ll
.multipath

SAN /usr/share/doc/multipath-tools/examples multipathd:
# echo 'show config' | multipathd -k > multipath.conf-live


: multipathd /etc/multipath.conf
/etc/multipath.conf

/etc/multipath.conf touch
:

defaults {
    user_friendly_names no
}

:multipathd
show config .

sudo service multipath-tools restart

Multipath
multipath :
install disk-detect/multipath/enable=true

multipath :
/dev/mapper/mpath<X>

. Multipath

SCSI DM-
Multipath multipath
.multipath



- - /dev/sda
( /dev/sda) multipath -v2 multipath
multipath multipath
.multipath
sudo multipath -v2

create: SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1 undef WINSYS,SF2372
size=33 GB features="0" hwhandler="0" wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 0:0:0:0 sda 8:0  [--------
device-mapper ioctl cmd 9 failed: Invalid argument
device-mapper ioctl cmd 14 failed: No such device or address
create: 3600a0b80001327d80000006d43621677 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:0 sdb 8:16  undef ready running
  `- 3:0:0:0 sdf 8:80  undef ready running
create: 3600a0b80001327510000009a436215ec undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:1 sdc 8:32  undef ready running
  `- 3:0:0:1 sdg 8:96  undef ready running
create: 3600a0b80001327d800000070436216b3 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:2 sdd 8:48  undef ready running
  `- 3:0:0:2 sdg 8:112 undef ready running

| 103

14.04 -

create: 3600a0b80001327510000009b4362163e undef


WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 2:0:0:3 sdd 8:64 undef ready running
`- 3:0:0:3 sdg 8:128 undef ready running

/dev/sda multipath
) (blacklist /etc/multipath.conf
sda devnode
/dev/sda
WWID
multipath -v2 WWID /dev/sda
SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1
/etc/multipath.conf:
blacklist {
    wwid SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1
}

/etc/multipath.conf multipathd
/etc/multipath.conf:
sudo service multipath-tools reload


:multipath
sudo multipath -f SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1

multipath -ll
multipath Multipath multipath
.multipath -ll

multipath
v2 ( verbosity ) multipath
:-v
sudo multipath

create: 3600a0b80001327d80000006d43621677 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:0 sdb 8:16  undef ready  running
  `- 3:0:0:0 sdf 8:80  undef ready  running
create: 3600a0b80001327510000009a436215ec undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:1 sdc 8:32  undef ready  running
  `- 3:0:0:1 sdg 8:96  undef ready  running
create: 3600a0b80001327d800000070436216b3 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:2 sdd 8:48  undef ready  running
  `- 3:0:0:2 sdg 8:112 undef ready  running
create: 3600a0b80001327510000009b4362163e undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:3 sdd 8:64  undef ready  running
  `- 3:0:0:3 sdg 8:128 undef ready  running

DM-Multipath DM-
Multipath
.multipath.conf.defaults
multipath
/etc/multipath.conf .
HP Open-V
%n :
devices {
    device {
        vendor         "HP"
        product        "OPEN-V."
        getuid_callout "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
    }
}


.4 DM-Multipath
DM-Multipath /etc/multi
path.conf
multipath.conf

:

.Multipath

.
- -multipath

multipath.conf.defaults

.
.
:
/usr/share/doc/multipath-tools/examples/multipath.conf.annotated.gz


.
multipath :

:blacklist .multipath

:blacklist_exceptions multipath
.

:defaults DM-Multipath .

:multipath multipath
defaults devices .

:devices
defaults
devices.
multipath

multipath .multipath
.
multipath
multipath
.multipath


WWID .WWID

WWID

wwid blacklist .

:26353900f02796769
blacklist {
    wwid 26353900f02796769
}



multipath devnode blacklist .


SCSI
*:sd
blacklist {
    devnode "^sd[a-z]"
}

devnode blacklist

udev

/dev/sda /dev/sdb .
devnode
DM-Multipath
blacklist_exceptions
:
blacklist {
    devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
    devnode "^hd[a-z]"
}



blacklist
device IBM DS4200 .HP
blacklist {
    device {
        vendor  "IBM"
        product "3S42"       #DS4200 Product 10
    }
    device {
        vendor  "HP"
        product "*"
    }
}


blacklist_exceptions
.

) multipath WWID (3600d0230000000000e13955cc3757803

:/etc/multipath.conf
blacklist {
    wwid "*"
}
blacklist_exceptions {
    wwid "3600d0230000000000e13955cc3757803"
}


blacklist_exceptions

blacklist WWID
devnode WWID
. devnode
devnode .
.
/etc/multipath.conf defaults
user_friendly_names yes :
defaults {
    user_friendly_names yes
}

.user_friendly_names


#defaults {
#    udev_dir              /dev
#    polling_interval      5
#    selector              "round-robin 0"
#    path_grouping_policy  failover
#    getuid_callout        "/lib/dev/scsi_id --whitelisted --device=/dev/%n"
#    prio                  const
#    path_checker          directio
#    rr_min_io             1000
#    rr_weight             uniform
#    failback              manual
#    no_path_retry         fail
#    user_friendly_names   no
#}


defaults
path_grouping_policy multibus failover
defaults :

defaults {
    user_friendly_names  yes
    path_grouping_policy multibus
}

defaults
multipath.conf DM-Multipath
devices multipaths .multipath.conf


:3-5 Multipath

polling_interval


) (polling_interval * 4 .5

udev_dir

multipath_dir

verbosity

udev ./dev

./lib/multipath
.
0 6 .2

:

:round-robin 0

:queue-length 0
.

path_selector

:service-time 0


)(.

.round-robin 0


:failover .

:multibus
.

path_grouping
_policy

:group_by_serial

.

: group_by_prio
.

: group_by_node_name
.

.failover

getuid_callout

.

:

/lib/udev/scsi_id --whitelisted --device=/dev/%n



ALUA SPC-3 prio
. :

prio

:const 1 .

:emc .EMC

:alua SCSI-3
.ALUA

:netapp .NetApp

:rdac .LSI/Engenio RDAC

:hp_sw Compaq/HP
/ .

:hds Hitachi
.HDS

.const
prio

prio_args

prio datacore prioritizer


timeout=1000 preferredsds=foo :
)""(.
multipath

features

queue_if_no_path no_path_retry
queue
.queue_if_no_path


:readsector0 .
:tur TEST UNIT READY .

:emc_clariion ) EVPD (0xC0 EMC


path_checker

Clariion .

:hp_sw HP
/ .

:rdac LSI/Engenio
.RDAC
:directio .

.directio

immediate

failback

manual
.

.manual

rr_min_io

.1000


priorities rr_min_io
path_selector

rr_weight

rr_min_io
.prio
uniform .

.uniform

no_path_retry

fail
queue
.

"".
yes

/etc/multipath/bindings

_user_friendly
names

mpathn no WWID

multipaths .

no

queue_without
_daemon

no multipathd
.

.no


yes multipath
flush_on_last_del

.no

)open file
(descriptors multipath
multipathd ulimit -n

max_fds

/proc/sys/fs/nr_open

1024
32 .1024
SCSI.

checker_timer

/sys/block/sdx/device/timeout
30 .12.04
SCSI
FC

fast_io_fail_tmo

.dev_loss_tmo
off .

SCSI

dev_loss_tmo

FC infinity
2147483647 68.
.


. Multipath
Multipath
multipaths multipath.conf multipath
multipath DM-Multipath
defaults devices .multipath.conf

:4-5 Multipath

wwid

WWID multipath
.multipath.conf
multipath
multipath

alias

multipath user_friendly_names
mpathn
.

:multipath

path_grouping_policy

no_path_retry

path_selector

rr_min_io

failback

rr_weight

prio

flush_on_last_del

prio_args


multipath multipath
WWID 3600508b4000156d70001200000b0000
.yellow

multipath WWID 1DEC_____321816758474


red rr_weight .priorities

multipaths {
    multipath {
        wwid                  3600508b4000156d70001200000b0000
        alias                 yellow
        path_grouping_policy  multibus
        path_selector         "round-robin 0"
        failback              manual
        rr_weight             priorities
        no_path_retry         5
    }
    multipath {
        wwid                  1DEC_____321816758474
        alias                 red
        rr_weight             priorities
    }
}

.

devices multipath.conf
DM-Multipath multipaths
multipath.conf
defaults .multipath.conf


multipath
.multipath.conf.defaults


multipath.conf.annotated.gz
multipath.conf.synthetic .

vendor product

/sys/block/device_name/device/vendor /sys/block/device_name/model
device_name multipath :
cat /sys/block/sda/device/vendor

WINSYS

cat /sys/block/sda/device/model

SF2372


/
path_grouping_policy multibus
no_path_retry rr_min_io .Multipath


/

) (
path_checker tur SCSI
) Test Unit Ready (.

multipath emc
.multipath


:5-5

vendor

product

revision
product_blacklist


.COMPAQ

.HSV110 (C)COMPAQ
revision .
.


:

hardware_handler

:1 emc .EMC

:1 alua SCSI-3
.ALUA

:1 hp_sw

.Compaq/HP

:1 rdac
.LSI/Engenio RDAC


:device
path_grouping_policy
getuid_callout
path_selector
path_checker
features
failback
prio
prio_args
no_path_retry
rr_min_io
rr_weight
fast_io_fail_tmo
dev_loss_tmo
flush_on_last_del

: hardware_handler

) (interface

/lib/modules/`uname -r`/kernel/drivers/scsi/device_handler/

initd
:

echo scsi_dh_alua >> /etc/initramfs-tools/modules ## append module to file


update-initramfs -u -k all

:multipath

#devices {
#    device {
#        vendor                "COMPAQ  "
#        product               "MSA1000         "
#        path_grouping_policy  multibus
#        path_checker          tur
#        rr_weight             priorities
#    }
#}


vendor product revision multipath


SCSI
Standard INQUIRY
vendor product revision )(spec


multipath

:

8 :vendor.

16 :product.

4 :revision.

:
^$[].*?+

multipath multipath.conf /usr/share/


:doc/multipath-tools/examples
# echo 'show config' | multipathd -k


.5 DM-Multipath
. Multipath
multipath :
.
:LUN
sudo multipath -l

. SCSI 1 rescan
SCSI :
# echo 1 > /sys/block/device_name/device/rescan

multipath :multipathd
sudo multipathd -k 'resize map mpatha'

) LVM :(DOS
sudo resize2fs /dev/mapper/mpatha


.
UUID
multipath-tools-boot
) (initial ramdisk multipath
.UUID

: multipath.conf initrd update-


initramfs -u -k all multipath.conf ramdisk

.

.

. Multipath
multipath
multipath DM-Multipath
multipathd .multipathd

multipathd multipathd
.


. queue_if_no_path

features "1 queue_if_no_path" /etc/multipath.conf

no_path_retry N ./etc/multipath.conf

no_path_retry features "1 queue_if_no_path"


/etc/multipath.conf

features "1 queue_if_no_path" (SAN) features "0"
) devices (
/usr/share/doc/multipath-tools/examples/multipath.conf.annotated.gz
/etc/multipath.conf .
features "1 queue_if_no_path"
dmsetup LUN
multipath mpathc "queue_if_no_path" "fail_if_no_path" :
sudo dmsetup message mpathc 0 "fail_if_no_path"

: mpathN .


Multipath .
multipath
:(multipath )
action_if_any: alias (wwid_if_different_from_alias) dm_device_name_if_known vendor,product
size=size features='features' hwhandler='hardware_handler' wp=write_permission_if_known

:
-+- policy='scheduling_policy' prio=prio_if_known status=path_group_status_if_known

:
`- host:channel:id:lun devnode major:minor dm_status_if_known path_status online_status

: multipath
3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| `- 6:0:0:0 sdb 8:16  active ready  running
`-+- policy='round-robin 0' prio=1 status=enabled
  `- 7:0:0:0 sdf 8:80  active ready  running


ready ghost
faulty shaky

multipathd polling_interval
./etc/multipath.conf
dm
failed : dm faulty active .
.dm
online_status running offline offline

SCSI .

: multipath dm
dm ) (features .

. Multipath multipath
-l -ll multipath multipath
-l multipath sysfs
-ll -l .
multipath
-v multipath -v0
-v1 multipath


multipaths -v2 kpartx


.(device maps)

verbosity ( 2) multipath :
.multipath.conf defaults

:multipath -l
sudo multipath -l

3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| `- 6:0:0:0 sdb 8:16  active ready  running
`-+- policy='round-robin 0' prio=1 status=enabled
  `- 7:0:0:0 sdf 8:80  active ready  running

:multipath -ll
sudo multipath -ll

3600d0230000000000e13955cc3757801 dm-10 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=enabled
| `- 19:0:0:1 sdc 8:32  active ready  running
`-+- policy='round-robin 0' prio=1 status=enabled
  `- 18:0:0:1 sdh 8:112 active ready  running
3600d0230000000000e13955cc3757803 dm-2 WINSYS,SF2372
size=125G features='0' hwhandler='0' wp=rw
`-+- policy='round-robin 0' prio=1 status=active
  |- 19:0:0:3 sde 8:64  active ready  running
  `- 18:0:0:3 sdj 8:144 active ready  running


. Multipath
multipath .

:6-5 multipath

-l

-ll

-f device
-F

multipath sysfs
).(device mapper
multipath sysfs
) (device mapper .
multipath.
multipath .

. dmsetup
dmsetup
.multipathd

dm 3 :multipathd
:/dev/dm-3


sudo dmsetup ls

mpathd               (253, 4)
mpathep1             (253, 12)
mpathfp1             (253, 11)
mpathb               (253, 3)
mpathgp1             (253, 14)
mpathhp1             (253, 13)
mpatha               (253, 2)
mpathh               (253, 9)
mpathg               (253, 8)
VolGroup00-LogVol01  (253, 1)
mpathf               (253, 7)
VolGroup00-LogVol00  (253, 0)
mpathe               (253, 6)
mpathbp1             (253, 10)
mpathd               (253, 5)

. multipathd
multipathd -k multipathd
multipath help
Ctrl+D.
multipath
multipath
IBM Tricks with Multipathd .
sudo multipathd -k

> > show config


> > CTRL-D


multipath
:multipath.conf
sudo multipathd -k

> > reconfigure


> > CTRL-D

:
sudo multipathd -k

> > show paths


> > CTRL-D


multipathd ) (stdin :
# echo 'show config' | multipathd -k



OpenSSH Puppet .Zentyal

.1 OpenSSH
.

OpenSSH

OpenSSH .
OpenSSH
) ([SSH] Secure Shell
- telnet -rcp
OpenSSH
.
OpenSSH sshd ) (listens
sshd
ssh

OpenSSH
OpenSSH
OpenSSH scp
OpenSSH
) (public key Kerberos.


.
OpenSSH
OpenSSH :

sudo apt-get install openssh-client

OpenSSH :

sudo apt-get install openssh-server


openssh-server
.
.
(sshd) OpenSSH
/etc/ssh/sshd_config
:

man sshd_config

sshd
./etc/ssh/sshd_config


:
.

/etc/ssh/sshd_config :

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original


sudo chmod a-w /etc/ssh/sshd_config.original

OpenSSH TCP 2222 TCP


22 :

Port 2222

sshd :

PubkeyAuthentication yes

.
OpenSSH /etc/issue.net
:/etc/ssh/sshd_config

Banner /etc/issue.net


/etc/ssh/sshd_config
sshd :

sudo service ssh restart

: sshd
ssh sshd
/etc/ssh/sshd_config

sshd sshd

. SSH
SSH
SSH : ) (private ).(public

:

ssh-keygen -t dsa

)Digital Signature
([DSA] Algorithm
Enter .
~/.ssh/id_dsa.pub


~/.ssh/id_dsa id_dsa.pub
~/.ssh/authorized_keys :

ssh-copy-id username@remotehost

authorized_keys
:

chmod 600 .ssh/authorized_keys

SSH .
.

.SSH

.OpenSSH

.Advanced OpenSSH


.2 Puppet

Puppet


Puppet

. Puppet
/.
Puppet/
.Puppet
.

:Puppet

sudo apt-get install puppetmaster

sudo apt-get install puppet


.
Puppet DNS CNAME
puppet.example.com example.com
Puppet DNS puppet.example.com Puppet
Puppet Master : ) (DNS
.DNS
DNS /etc/hosts
.
/etc/hosts :Puppet

127.0.0.1     localhost.localdomain localhost puppet
192.168.1.17  puppetclient.example.com puppetclient


:Puppet

192.168.1.16  puppetmaster.example.com puppetmaster puppet

: IP IP .


apache2 /etc/puppet/modules/apache2/manifests/init.pp :

package {
'apache2':
ensure => installed
}
service {
'apache2':
ensure => true,
enable => true,
require => Package['apache2']
}

: /etc/puppet/manifests/site.pp

node 'puppetclient.example.com' {
    include apache2
}

. Puppet puppetclient.example.com :

: Puppet

sudo service puppetmaster restart

. Puppet


Puppetagent /etc/default/puppet
START :yes
START=yes

sudo service puppet start

) (fingerprint :

sudo puppet agent --fingerprint

Puppet :

sudo puppet cert list

Puppet :

sudo puppet cert sign puppetclient.example.com

Puppet puppet ) (foreground


.puppet

sudo puppet agent --test


/var/log/syslog

apache2 .Puppet

: Puppet
.

Puppet.


.Pro Puppet

.Puppet


.3 Zentyal
Zentyal ) (business server
) (Unified Threat Manager

Zentyal
Zentyal
) (GPL
.
Zentyal ) ] ([module
Redis
- ) (domains
OpenLDAP

Zentyal

.


.
Zentyal 2.3 Universe 12.04 :

zentyal-core :zentyal-common Zentyal



) (logs )(events modules
.

:zentyal-network ) IP
DHCP VLAN (PPPoE


DNS.

zentyal-objects :zentyal-services )abstraction


(level ) LAN (192.168.1.0/24
) HTTP .(TCP/80

:zentyal-firewall iptables
NAT .

:zentyal-ntp NTP
.

:zentyal-dhcp ISC DHCP

NTP WINS DNS


.PXE


:zentyal-dns ISC Bind9



A CNAME MX NS TXT .SRV

:zentyal-ca ) (Certification Authority


Zentyal
.OpenVPN

:zentyal-openvpn VPN
OpenVPN .Quagga

:zentyal-users
OpenLDAP Zentyal
LDAP

Microsoft
.Active Directory

Squid Dansguardian
:zentyal-squid
.

:zentyal-samba LDAP

.

:zentyal-printers CUPS
.LDAP


Zentyal ) > <zentyal-module


(:

sudo apt-get install <zentyal-module>


: Zentyal ) /(
) (LTS ) 2.2 (3.0
) 2.1 (2.3 12.04 Zentyal 2.3


12.04 Zentyal Team PPA
2.3 .12.04

: PPA Add a Personal


(Package Archive (PPA)).

Zentyal Team PPA


Universe :

:zentyal-antivirus ClamAV
) (proxy .mailfilter

:zentyal-asterisk Asterisk PBX


.LDAP

:zentyal-bwmonitor
.


:zentyal-captiveportal captive portal


.LDAP

:zentyal-ebackup
.duplicity

:zentyal-ftp FTP .LDAP

:zentyal-ids .

:zentyal-ipsec IPsec .OpenSwan

:zentyal-jabber XMPP .LDAP

:zentyal-thinclients ) (thin clients


.LTSP

:zentyal-mail Postfix
Dovecot .LDAP

:zentyal-mailfilter amavisd
) (spam .

:zentyal-monitor collectd .

:zentyal-pptp .PPTP VPN

:zentyal-radius FreeRADIUS .LDAP

:zentyal-software Zentyal
.


:zentyal-trafficshaping
).(latency

:zentyal-usercorner LDAP
.

:zentyal-virt
.libvirt

:zentyal-webmail Roundcube
webmail.

:zentyal-webserver
.

:zentyal-zarafa Zarafa Zentyal .LDAP

.
sudo
Zentyal
.sudo

: sudo :

sudo adduser username sudo


) (Zentyal ) https://localhost/ IP
( Zentyal SSL .
) (dashboard

Save changes

Module Status

.

: ) (
Zentyal /etc/zentyal/stubs/<module>/ hooks
./etc/zentyal/hooks/<module>.<action>

Zentyal.


Zentyal .


....


LDAP Network authentication .

.1 OpenLDAP
) (Lightweight Directory Access Protocol
LDAP X.500
TCP/IP LDAP LDAPv3 RFC4510
LDAPv3 .OpenLDAP

LDAP ) (entries
).([DIT] Directory Information Tree

).(attributes

) (type .

objectClass .

objectClasses ) (schemas
.
objectClass

) DN] Distinguished Name ([dn

) Relative Distinguished Name


] ([RDN .


: ) (object ) (container ) (node

)(entry .

11

cn=John Doe,dc=example,dc=com ) (RDN cn=John


Doe :dc=example,dc=com

dn: cn=John Doe,dc=example,dc=com


cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Larry Smith,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

) LDIF LDAP Data] LDAP


([Interchange Format ) (DIT
.RFC2849
LDAP
) (backend
) (name:value :
.


OpenLDAP LDAP
slapd ldap-utils .

slapd
) suffix DN(
/etc/hosts

dc=example,dc=com hosts :
127.0.1.1  hostname.example.com hostname

: .dc=example,dc=com

sudo apt-get install slapd ldap-utils


8.10
slapd slapd DIT
slapd
LDIF /etc/ldap/slapd.d

: slapd-config Real Time) RTC


(Configuration cn=config

slapd.conf .

: slapd-config slapd .

) administrative
(credentials LDAP rootDN
DN cn=admin,dc=example, dc=com

slapd-config LDAP
.

) cosine nis (inetorgperson slapd



core .


slapd-) slapd
.( dc=example,dc=com) ( config

LDIF slapd-config
:/etc/ldap/slapd.d

/etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config
/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
/etc/ldap/slapd.d/cn=config/cn=schema
/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
/etc/ldap/slapd.d/cn=config/cn=schema.ldif
/etc/ldap/slapd.d/cn=config/olcBackend={0}hdb.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
/etc/ldap/slapd.d/cn=config.ldif

)LDAP slapd-config :
.(

. 14.10 :


:LDAP slapd-config

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

:
. :cn=config

. :cn=module{0},cn=config

.(hard-coded ) :cn=schema,cn=config

.(hard-coded) :cn={0}core,cn=schema,cn=config

.cosine :cn={1}cosine,cn=schema,cn=config

.inetorgperson :cn={3}inetorgperson,cn=schema,cn=config

.'hdb' :olcBackend={0}hdb,cn=config

(frontend) :olcDatabase={-1}frontend,cn=config

.
.(cn=config) slapd :olcDatabase={0}config,cn=config

:olcDatabase={1}hdb,cn=config

.(dc=example,dc=com)


:dc=example,dc=com

ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn

dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com

:dc=example,dc=com .DIT

:cn=admin,dc=example,dc=com ) (rootDN
)
(.

.
:

) People (.

) Groups (.

.miners

.john


:add_content.ldif LDIF
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

gid uid :
ldap gid uid 5000

ldap
.


ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif

Enter LDAP Password: ********


adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Groups,dc=example,dc=com"
adding new entry "cn=miners,ou=Groups,dc=example,dc=com"
adding new entry "uid=john,ou=People,dc=example,dc=com"

:ldapsearch

ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber

dn: uid=john,ou=People,dc=example,dc=com
cn: John Doe
gidNumber: 5000

:
. SASL :-x

.
:-LLL

.john ( filter) :uid=john

) :cn gidNumber

.(


slapd .
(slapd-config) slapd
:
( DbIndex ) ldapmodify

uid_index.ldif ( dc=example,dc=com ) {1}hdb,cn=config


:

dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif

modifying entry "olcDatabase={1}hdb,cn=config"

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}hdb)' olcDbIndex

dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uid eq,pres,sub


) (schema LDIF
./etc/ldap/schema

: slapd-config
.

)
]:([out-of-the-box

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=schema,cn=config dn

dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config


: CORBA
: schema_convert.conf

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema

.ldif_output
:

slapcat -f schema_convert.conf -F ldif_output \
-n 0 | grep corba,cn=schema

cn={1}corba,cn=schema,cn=config

slapd (injects) :
.{X} :


: slapcat

slapcat -f schema_convert.conf -F ldif_output -n0 -H \
ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif

.cn=corba.ldif
: cn=corba.ldif

dn: cn=corba,cn=schema,cn=config
...
cn: corba

structuralObjectClass: olcSchemaConfig
entryUUID: 52109a02-66ab-1030-8be2-bbf166230478
creatorsName: cn=config
createTimestamp: 20110829165435Z
entryCSN: 20110829165435.935248Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110829165435Z

.
:slapd-config ldapadd

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn=corba.ldif

adding new entry "cn=corba,cn=schema,cn=config"


sudo ldapsearch -Q -LLL -Y EXTERNAL \
-H ldapi:/// -b cn=schema,cn=config dn

dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}corba,cn=schema,cn=config

: LDAP
.

. )(Logging
slapd OpenLDAP

slapd .slapd-config
OpenLDAP ) (

stats
.man slapd-config


: logging.ldif

dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

syslog (in production)


:

rsyslogd-2177: imuxsock lost 228 messages from pid 2547 due to rate-limiting

:/etc/rsyslog.conf rsyslog

# Disable rate limiting


# (default is 200 messages in 5 seconds; below we make the 5 become 0)
$SystemLogRateLimitInterval 0

:rsyslog

sudo service rsyslog restart


.
LDAP
- - redundancy LDAP
LDAP LDAP
Syncrepl -
refreshAndPersist :
delta-syncrepl
.

):(Provider
LDIF :provider_sync.ldif

# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

# Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00


rootDN LDIF .
apparmor slapd
accesslog /etc/apparmor/local/usr.sbin.slapd :

/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,

:apparmor

sudo -u openldap mkdir /var/lib/ldap/accesslog
\ sudo -u openldap cp /var/lib/ldap/DB_CONFIG
/var/lib/ldap/accesslog
sudo service apparmor reload

:apparmor

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif


sudo service slapd restart


.

.

slapd-config
.


:consumer_sync.ldif LDIF

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# LDIF folds long values over lines that begin with a space; the first
# space is stripped on reassembly, so a second one keeps the separator.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com
  bindmethod=simple binddn="cn=admin,dc=example,dc=com"
  credentials=secret searchbase="dc=example,dc=com"
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on
  type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://ldap01.example.com

:
.(IP - ldap01.example.com- ) provider

.( ) binddn

.( ) credentials

.( ) searchbase

.( IP ) olcUpdateRef

Replica Id) rid

.( rid


sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif


)

.(dc=example,dc=com

ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base contextCSN

dn: dc=example,dc=com
contextCSN: 20120201193408.178454Z#000000#000#000000

(20120201193408.178454Z#000000#000#000000)

.

ldap contextCSN
contextCSN
.


contextCSN

(syslog) slapd auth



) ldapsearch( .
DN :

sudo ldapsearch -Q -LLL -Y EXTERNAL \
-H ldapi:/// -b dc=example,dc=com dn

People
john miners
.Groups
.
) ... (.
) (access control
) (access control lists .ACL
slapd

.


ACL LDAP
)(frontend

) first match

(wins
ACL (dc=example,dc=com) hdb
:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}hdb)' olcAccess

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read

: rootDN
.slapd


sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={-1}frontend)' olcAccess

dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none

to attrs=userPassword
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none
to attrs=shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none


) ( :
' 'auth userPassword
' 'by anonymous auth
.
) (.

' ) 'read 'by self


('write .userPassword
userPassword
rootDN .
passwd
shadowLastChange .
DIT ' 'by * read:

to *
by self write
by dn="cn=admin,dc=example,dc=com" write
by * read

ACL bind
) ACL( '.'olcRequire: authc


.slapd-config
SASL root sudo :

dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

) (ACLs :slapd-config

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={0}config)' olcAccess

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

SASL SASL
LDAP
:

.1

sudo .

.2

) (EXTERNAL ) IPC (UNIX


.ldapi URI


sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcAccess=*)' olcAccess olcSuffix


.man slapd.access

TLS .
OpenLDAP
) .([TLS] Transport Layer Security
) (Certificate Authority
gnutls certtool
LDAP slapd
.
gnutls-bin :ssl-cert
.1
sudo apt-get install gnutls-bin ssl-cert

:
.2

sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"


: /etc/ssl/ca.info / .3
cn = Example Company
ca
cert_signing_key

: .4
sudo certtool --generate-self-signed \
--load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ca.info \
--outfile /etc/ssl/certs/cacert.pem

:
.5
sudo certtool --generate-privkey \
--bits 1024 \
--outfile /etc/ssl/private/ldap01_slapd_key.pem

ldap01 :
.

: /etc/ssl/ldap01.info .6
organization = Example Company
cn = ldap01.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650


: .7

sudo certtool --generate-certificate \
  --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \
  --load-ca-certificate /etc/ssl/certs/cacert.pem \
  --load-ca-privkey /etc/ssl/private/cakey.pem \
  --template /etc/ssl/ldap01.info \
  --outfile /etc/ssl/certs/ldap01_slapd_cert.pem

) certinfo.ldif
:(https://www.cacert.org

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

:slapd-config TLS slapd ldapmodify

sudo ldapmodify -Y EXTERNAL \
-H ldapi:/// -f /etc/ssl/certinfo.ldif

/etc/default/slapd ldaps://
:

SLAPD_SERVICES="ldap:/// ldapi:///"


: LDAP (ldaps://) TLS/SSL StartTLS LDAP

(TCP 389) TLS/SSL - LDAPS - HTTPS


) (encrypted-from-the-start TCP .636

sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem

:OpenLDAP

sudo service slapd restart

) (/var/log/syslog .

. TLS
) (StartTLS

.TLS

TLS .TLS


) ( LDAP
TLS

/
.
:
) ( :

mkdir ldap02-ssl
cd ldap02-ssl
sudo certtool --generate-privkey \
  --bits 1024 \
  --outfile ldap02_slapd_key.pem

ldap02.info :

organization = Example Company


cn = ldap02.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650


sudo certtool --generate-certificate \
  --load-privkey ldap02_slapd_key.pem \
  --load-ca-certificate /etc/ssl/certs/cacert.pem \
  --load-ca-privkey /etc/ssl/private/cakey.pem \
  --template ldap02.info \
  --outfile ldap02_slapd_cert.pem

cp /etc/ssl/certs/cacert.pem .

Transfer the ldap02-ssl directory to the consumer with scp (replace consumer with the consumer's host name):

cd ..
scp -r ldap02-ssl user@consumer:

On the consumer, install ssl-cert and put the TLS files in place with the same ownership and permissions as on the provider:

sudo apt-get install ssl-cert
sudo adduser openldap ssl-cert
sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs
sudo cp ldap02_slapd_key.pem /etc/ssl/private
sudo chgrp ssl-cert /etc/ssl/private/ldap02_slapd_key.pem
sudo chmod g+r /etc/ssl/private/ldap02_slapd_key.pem
sudo chmod o-r /etc/ssl/private/ldap02_slapd_key.pem

Create /etc/ssl/certinfo.ldif (adjust accordingly), again with "-" separators between the modifications:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem

Load it into the slapd-config database:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

.(SLAPD_SERVICES) /etc/default/slapd
:
olcSyncrepl TLS
. TLS


Create consumer_sync_tls.ldif:

dn: olcDatabase={1}hdb,cn=config
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com
bindmethod=simple
binddn="cn=admin,dc=example,dc=com" credentials=secret
searchbase="dc=example,dc=com"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on type=refreshAndPersist retry="60 +"
syncdata=accesslog
starttls=critical tls_reqcert=demand

The starttls=critical option makes the consumer require StartTLS on the replication connection, and tls_reqcert=demand makes it verify the provider's certificate against the CA certificate copied earlier. Note the use of 'replace' in the LDIF, which overwrites the existing olcSyncRepl value. Apply the change:

sudo ldapmodify -Y EXTERNAL \
-H ldapi:/// -f consumer_sync_tls.ldif

Restart slapd:

sudo service slapd restart


On the provider, verify that the replication connection now uses TLS by checking /var/log/syslog (with the 'conns' log level enabled):

slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[3620]: conn=1047 op=0 STARTTLS
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text=
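As an added example (not part of the original guide), the following Python script reads slapd log lines in the format shown above and reports every simple bind that was sent on a connection without an established TLS layer, which is exactly the condition the log check is meant to rule out. The sample lines are constructed: conn=1047 reproduces the page's TLS-protected replication bind, and conn=1048 is an invented cleartext bind added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format slapd writes to /var/log/syslog at
# the 'conns' log level. conn=1047 mirrors the page; conn=1048 is invented.
SAMPLE_LOG = """\
slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[3620]: conn=1047 op=0 STARTTLS
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text=
slapd[3620]: conn=1048 fd=21 ACCEPT from IP=10.153.107.230:41022 (IP=0.0.0.0:389)
slapd[3620]: conn=1048 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[3620]: conn=1048 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1048 op=0 RESULT tag=97 err=0 text=
"""

CONN_RE = re.compile(r"conn=(\d+)")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
# Only the second BIND line (mech=SIMPLE) carries the password; the
# method=128 line is the protocol-level announcement of the same bind.
BIND_RE = re.compile(r'BIND dn="([^"]*)" mech=SIMPLE')


def audit_simple_binds(log_text):
    """Return (conn, peer_ip, bind_dn, tls_ssf) for every simple bind.

    tls_ssf is the TLS strength established on that connection *before*
    the bind, or 0 if no 'TLS established' line preceded it, meaning the
    password crossed the network in cleartext.
    """
    tls_ssf = defaultdict(int)   # conn id -> TLS ssf seen so far
    peer = {}                    # conn id -> client IP from the ACCEPT line
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn = int(m.group(1))
        a = ACCEPT_RE.search(line)
        if a:
            peer[conn] = a.group(1)
        t = TLS_RE.search(line)
        if t:
            tls_ssf[conn] = int(t.group(1))
        b = BIND_RE.search(line)
        if b:
            findings.append((conn, peer.get(conn), b.group(1), tls_ssf[conn]))
    return findings


def cleartext_binds(log_text):
    """Subset of audit_simple_binds() where no TLS layer protected the bind."""
    return [f for f in audit_simple_binds(log_text) if f[3] == 0]


if __name__ == "__main__":
    for conn, ip, dn, ssf in cleartext_binds(SAMPLE_LOG):
        print(f"conn={conn} from {ip}: cleartext simple bind as {dn}")
```

The ssf=0 printed on the mech=SIMPLE line is the SASL security strength, not the TLS one; the TLS protection is recorded by the earlier "TLS established tls_ssf=128" line, which is why the check keys on that line rather than on the bind's own ssf field.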

. LDAP
LDAP

Install libnss-ldap:

sudo apt-get install libnss-ldap

Configure the LDAP client settings (server URI, base DN and so on):

sudo dpkg-reconfigure ldap-auth-config

The answers are written to /etc/ldap.conf, which you can edit later if your server needs options the dialog does not cover.

Configure the NSS profile for LDAP:

sudo auth-client-config -t nss -p lac_ldap

Configure PAM to use LDAP for authentication:

sudo pam-auth-update

LDAP .
.LDAP
LDAP
To have clients fall back to the consumer when the provider is unavailable, list both servers in /etc/ldap.conf:

uri ldap://ldap01.example.com ldap://ldap02.example.com

Requests to ldap01 that time out are retried against ldap02.
LDAP
LDAP LDAP .

: libnss-ldap libnss-ldapd nscd


.


.
ldap-utils
ldapscripts
.
:

sudo apt-get install ldapscripts

: /etc/ldapscripts/ldapscripts.conf

SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000

Create the ldapscripts.passwd file containing the rootDN password, readable only by root:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

Replace secret with the actual rootDN password.


:
:

sudo ldapadduser george example

george .example
:

sudo ldapsetpasswd george

Changing password for user uid=george,ou=People,dc=example,dc=com
New Password:
New Password (verify):

sudo ldapdeleteuser george

sudo ldapaddgroup qa

sudo ldapdeletegroup qa


:
sudo ldapaddusertogroup george qa

.george qa memberUid
:
sudo ldapdeleteuserfromgroup george qa

.qa memberUid
ldapmodifyuser
: ldapmodify

sudo ldapmodifyuser george

# About to modify the following entry :
dn: uid=george,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: george
uid: george
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/george
loginShell: /bin/bash
gecos: george
description: User account
userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=

# Enter your modifications here, end with CTRL-D.
dn: uid=george,ou=People,dc=example,dc=com
replace: gecos
gecos: George Carlin

The gecos attribute of george is now set to George Carlin.


ldapscripts
user
: /etc/ldapscripts/ldapscripts.conf
UTEMPLATE="/etc/ldapscripts/ldapadduser.template"

/etc/ldapscripts
:/etc/ldapscripts/ldapadduser.template ldapadduser.template.sample
sudo cp \
/usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
/etc/ldapscripts/ldapadduser.template


:objectClass inetOrgPerson

dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee

Because sn is set to <ask>, ldapadduser now prompts for the sn attribute when a user is created.


.
:

ldaprenamemachine
ldapadduser
ldapdeleteuserfromgroup
ldapfinger
ldapid
ldapgid
ldapmodifyuser
ldaprenameuser
lsldap
ldapaddusertogroup
ldapsetpasswd
ldapinit
ldapaddgroup
ldapdeletegroup
ldapmodifygroup
ldapdeletemachine
ldaprenamegroup
ldapaddmachine
ldapmodifymachine
ldapsetprimarygroup
ldapdeleteuser

.
LDAP
.



ldap
) backend (cn=config ) frontend
(dc=example,dc=com --
/export/backup slapcat

Create the script /usr/local/bin/ldapbackup:

#!/bin/bash
BACKUP_PATH=/export/backup
SLAPCAT=/usr/sbin/slapcat
# database 0 is cn=config, 1 is dc=example,dc=com, 2 is cn=accesslog
nice ${SLAPCAT} -n 0 > ${BACKUP_PATH}/config.ldif
nice ${SLAPCAT} -n 1 > ${BACKUP_PATH}/example.com.ldif
nice ${SLAPCAT} -n 2 > ${BACKUP_PATH}/access.ldif
# the dumps contain password hashes: keep them unreadable to other users
chmod 640 ${BACKUP_PATH}/*.ldif

: LDAP
/export/backup

Schedule it with cron by creating /etc/cron.d/ldapbackup so that the backup runs every day at 22:45:

MAILTO=backup-emails@domain.com
45 22 * * * root /usr/local/bin/ldapbackup


.
To restore, stop slapd, then load the three dumps with slapadd (the file names match those written by the backup script):

sudo service slapd stop
sudo mkdir /var/lib/ldap/accesslog
sudo slapadd -F /etc/ldap/slapd.d -n 0 -l /export/backup/config.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 1 -l /export/backup/example.com.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 2 -l /export/backup/access.ldif
sudo chown -R openldap:openldap /etc/ldap/slapd.d/
sudo chown -R openldap:openldap /var/lib/ldap/
sudo service slapd start


.www.openldap.org

The slapd man pages:

man slapd
man slapd-config
man slapd.access
man slapo-syncprov

OpenLDAP .

O'Reilly .LDAP System Administration

Packt .Mastering OpenLDAP


man auth-client-config
man pam-auth-update


.2 LDAP
LDAP
LDAP
(
)
OpenLDAP
OpenLDAP
.
.
:LDAP samba samba-doc
.smbldap-tools
smbldap-tools
) ( LDAP
.
:

sudo apt-get install samba samba-doc smbldap-tools


. LDAP
LDAP
:

.1

).(schema

.2

.3 ).(objects


OpenLDAP ) (backend


LDAP .

: .slapd

samba-doc

Copy the samba schema shipped with samba-doc into /etc/ldap/schema and decompress it:

sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
sudo gzip -d /etc/ldap/schema/samba.schema.gz


Create the file schema_convert.conf with the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema
include /etc/ldap/schema/samba.schema

Create a temporary directory ldif_output, then find the index of the samba schema:

slapcat -f schema_convert.conf -F ldif_output -n 0 | grep "samba,cn=schema"

dn: cn={14}samba,cn=schema,cn=config

Convert the schema to LDIF:

slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={14}samba,cn=schema,cn=config -l cn=samba.ldif


Edit the generated cn=samba.ldif file: remove the {14} index from the dn and cn lines so that they read

dn: cn=samba,cn=schema,cn=config
...
cn: samba

and remove the operational attributes at the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z

Add the new schema:

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif

Verify that it was loaded:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'



( indices) slapd
.
: samba_indices.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

Apply it with ldapmodify:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

Check the result with ldapsearch:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex


LDAP
smbldap-tools
) smbldap-config.pl

(configure.pl )apt-get source


.(smbldap-tools

/etc/smbldap-tools/smbldap.conf

./etc/smbldap-tools/smbldap_bind.conf
The smbldap-populate script adds the LDAP entries Samba needs. Back up the directory with slapcat first:

sudo slapcat -l backup.ldif

Then populate it:

sudo smbldap-populate

You can instead write the LDIF to a file with -e and review it before loading it into the directory:

sudo smbldap-populate -e samba.ldif

With -e the LDIF is written but not applied, so the entries can be inspected before they are added to the LDAP directory.


/etc/samba/smb.conf LDAP :
:ldap passdb backend

passdb backend = tdbsam

# LDAP Settings
passdb backend = ldapsam:ldap://hostname
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
ldap ssl = start tls
ldap passwd sync = yes
...
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

Restart the samba services:

sudo restart smbd
sudo restart nmbd

) rootDN
:(slapd
sudo smbpasswd -w password


LDAP
smbpasswd
) ] [
NSS libnss-ldapd :(libnss-ldap

sudo smbpasswd -a username

.

smbldap-tools :
:

sudo smbldap-useradd -a -P username

-a -P smbldap-passwd
.
:

sudo smbldap-userdel username

-r .


sudo smbldap-groupadd -a groupname

smbldap-useradd -a .
:
sudo smbldap-groupmod -m username groupname

-m .
:

sudo smbldap-groupmod -x username groupname

sudo smbldap-useradd -t 0 -w username

username ) (workstation -t 0
-w
add machine
script /etc/samba/smb.conf
.smbldap-useradd


smbldap-tools :

smbldap-groupadd
smbldap-groupdel
smbldap-groupmod
smbldap-groupshow
smbldap-passwd
smbldap-populate
smbldap-useradd
smbldap-userdel
smbldap-userinfo
smbldap-userlist
smbldap-usermod
smbldap-usershow

:
.

LDAP .Samba HOWTO Collection

) (2007 Linux Samba-


OpenLDAP HOWTO .

Samba Ubuntu community documentation


.


.3 Kerberos
Kerberos

Kerberos
).([SSO] Single Sign On
Kerberos .
.
Kerberos
Kerberos :

) :(Principal
.Kerberos

) :(Instances .

) :(Realms Kerberos

DNS
) (EXAMPLE.COM .


) :([KDC] Key Distribution Center :

)ticket granting
(server .

) :(Ticket Granting Ticket


)([AS] Authentication Server ) (TGT
).(KDC

) :([TGS] Ticket Granting Server


.

:

.

:Keytab
.

-

-
Kerberos
) (TGT


Kerberos
) (TGS

.

. Kerberos

MIT Kerberos ) (:

.EXAMPLE.COM :

.(192.168.0.1) kdc01.example.com :

.(192.168.0.2) kdc02.example.com :

.steve :

.steve/admin :

: - -
) .(5000

Kerberos DNS

Kerberos EXAMPLE.COM
: ).(DNS


Kerberos
)(
.
)(NTP NTP
.NTP

Install the krb5-kdc and krb5-admin-server packages:

sudo apt-get install krb5-kdc krb5-admin-server

Kerberos - Admin
- ).(realm

: .

:kdb5_newrealm

sudo kdb5_newrealm


/etc/krb5.conf
) (KDC .krb5-kdc
Kerberos :
sudo dpkg-reconfigure krb5-kdc

KDC ) ( .
.
kadmin.local :
sudo kadmin.local

Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc steve/admin
WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve/admin@EXAMPLE.COM":
Re-enter password for principal "steve/admin@EXAMPLE.COM":
Principal "steve/admin@EXAMPLE.COM" created.
kadmin.local: quit

steve /admin @EXAMPLE.COM


steve@EXAMPLE.COM
.

: EXAMPLE.COM steve .


Next, add an ACL entry for the new admin principal to /etc/krb5kdc/kadm5.acl:

steve/admin@EXAMPLE.COM        *

This entry grants steve/admin all privileges on the Kerberos database.

Kerberos man kadm5.acl
.
krb5-admin-server :

sudo service krb5-admin-server restart

:kinit

kinit steve/admin

steve/admin@EXAMPLE.COM's Password:

klist ):(TGT

klist

Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: steve/admin@EXAMPLE.COM

  Issued           Expires          Principal
Jul 13 17:53:34  Jul 14 03:53:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM


krb5cc_1000 _ krb5cc
uid 1000 /etc/hosts
:
192.168.0.1       kdc01.example.com   kdc01
Kerberos ).(routers

DNS
SRV records in /etc/named/db.example.com:

_kerberos._udp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
_kerberos._udp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1  0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM.      IN SRV 1  0 464 kdc01.example.com.

: EXAMPLE.COM kdc01 kdc02


.

.DNS Kerberos
.

.
) (KDC

Kerberos
) (NAT
.
Kerberos Admin server
:

sudo apt-get install krb5-kdc krb5-admin-server

Create a host principal for the secondary KDC:

kadmin -q "addprinc -randkey host/kdc02.example.com"

: kadmin .username/admin@EXAMPLE.COM

Extract the keytab:

kadmin -q "ktadd -norandkey -k keytab.kdc02 host/kdc02.example.com"


keytab.kdc02
:/etc/krb5.keytab

sudo mv keytab.kdc02 /etc/krb5.keytab

: keytab.kdc02 .


Keytab
:klist

sudo klist -k /etc/krb5.keytab

-k .keytab
kpropd.acl

/etc/krb5kdc/kpropd.acl:
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM

sudo kdb5_util -s create


kpropd kprop
kprop :

sudo kpropd -S

sudo kdb5_util dump /var/lib/krb5kdc/dump

Extract the keytab for the primary KDC into /etc/krb5.keytab:

kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com"


sudo mv keytab.kdc01 /etc/krb5.keytab

: kdc01.example.com .Keytab

Push the database dump to the secondary KDC with kprop:

sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

: SUCCEEDED
/var/log/syslog .



)
(:

# m h  dom mon dow   command
0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

stash Kerberos ):(Master Key


sudo kdb5_util stash

krb5-kdc :

sudo service krb5-kdc start


krb5-kdc kinit

/var/log/syslog /var/log/auth.log .


. Kerberos
Kerberos
Kerberos .

krb5-user libpam-krb5
Kerberos


Install the packages:

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

auth-client-config PAM
libpam-ccreds

Kerberos

.


sudo dpkg-reconfigure krb5-config

Kerberos
DNS
Kerberos SRV .
dpkg-reconfigure /etc/krb5.conf
:

[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
        kdc = 192.168.0.1
        admin_server = 192.168.0.1
}

:
uid 5000

pam Kerberos
uid :5000

# Kerberos should only be applied to ldap/kerberos users, not local ones.
for i in common-auth common-session common-account common-password; do
  sudo sed -i -r \
    -e 's/pam_krb5.so minimum_uid=1000/pam_krb5.so minimum_uid=5000/' \
    /etc/pam.d/$i
done


) (
.passwd
kinit :

kinit steve@EXAMPLE.COM

Password for steve@EXAMPLE.COM:

Then use klist to check the ticket:

klist

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: steve@EXAMPLE.COM

Valid starting     Expires            Service principal
07/24/08 05:18:56  07/24/08 15:18:56  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/25/08 05:18:57

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

auth-client-config libpam-krb5
:

sudo auth-client-config -a -p kerberos_example


MIT Kerberos .MIT Kerberos

.Kerberos

O'Reilly Kerberos: The Definitive Guide


.Kerberos

#ubuntu-server #kerberos IRC



Freenode .Kerberos


.4 Kerberos LDAP
Kerberos ) (Kerberos
) ]([authorization .LDAP
Kerberos

MIT Kerberos LDAP


Kerberos

OpenLDAP .

: MIT Kerberos .OpenLDAP

. OpenLDAP
OpenLDAP
LDAP
OpenLDAP
.OpenLDAP

OpenLDAP TLS SSL
LDAP KDC TLS.

cn=admin,cn=config : ldap
RootDN .


LDAP krb5-kdc-ldap LDAP

sudo apt-get install krb5-kdc-ldap

:kerberos.schema.gz

sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz


sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema \
/etc/ldap/schema/

cn=config kerberos
.slapd slapd
schema_convert.conf
:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema

:LDIF

mkdir /tmp/ldif_output

: slapcat

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn\=kerberos.ldif

.
:/tmp/cn=kerberos.ldif

dn: cn=kerberos,cn=schema,cn=config
...
cn: kerberos

structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z


:ldapadd

ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn=kerberos.ldif

Add an index for krbPrincipalName:

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub

modifying entry "olcDatabase={1}hdb,cn=config"

Update the access control lists (ACL) so that krbPrincipalKey is treated like userPassword: writable by the admin, usable for authentication by anonymous binds, and otherwise unreadable. The modifications are separated by "-" lines:

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

modifying entry "olcDatabase={1}hdb,cn=config"

.Kerberos LDAP


.
. OpenLDAP
:

sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

Edit /etc/krb5.conf and add the following options:

[libdefaults]
        default_realm = EXAMPLE.COM
...
[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }
...
[domain_realm]
        .example.com = EXAMPLE.COM
...
[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"
                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }

cn=admin,dc=example,dc=com dc=example,dc=com example.com :

. LDAP LDAP ldap01.example.com

Create the realm with kdb5_ldap_util:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create \
-subtrees dc=example,dc=com -r EXAMPLE.COM -s \
-H ldap://ldap01.example.com


Create a stash of the password used to bind to the LDAP server as ldap_kdc_dn and ldap_kadmind_dn from /etc/krb5.conf:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw \
-f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

:LDAP

scp ldap01:/etc/ssl/certs/cacert.pem .
sudo cp cacert.pem /etc/ssl/certs

/etc/ldap/ldap.conf :

TLS_CACERT /etc/ssl/certs/cacert.pem

: LDAP
.LDAPS


Kerberos LDAP
LDAP . :kadmin.local

sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.

krbPrincipalName krbPrincipalKey

krbLastPwdChange krbExtraData uid=steve,

kinit klist
ou=people, dc=example, dc=com

: " -x dn="... Kerberos


.


.
LDAP
. Kerberos
:

sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

Edit /etc/krb5.conf so that it uses the LDAP backend:

[libdefaults]
        default_realm = EXAMPLE.COM
...
[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }
...
[domain_realm]
        .example.com = EXAMPLE.COM
...
[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"
                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }

:LDAP

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw \
-f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

Copy the Master Key stash file /etc/krb5kdc/.k5.EXAMPLE.COM from the first KDC with scp and move it into place:

sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~
sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/

. EXAMPLE.COM :


ldap:

sudo service slapd restart

:krb5-kdc

sudo service krb5-kdc start

) ldap (kerberos.

LDAP Kerberos
LDAP Kerberos .
.

Kerberos Admin Guide .

kdb5_ldap_util .man kdb5_ldap_util

.man krb5.conf


.Kerberos and LDAP :


.5 SSSD Active Directory


SSSD
Active Directory ad sssd

ldap Active
Directory POSIX AD
ad .
.

Active Directory .

.DNS

DNS ./etc/resolv.conf

_kerberos _ldap ... _kpasswd . .DNS

.myubuntu.example.com

.
krb5-user samba sssd ntp

. Kerberos IP
.


sudo apt-get install krb5-user samba sssd ntp


.krb5-user

. Kerberos

krb5-user ) (realm name
) ( )

( ] [realm ] [domain_realm
/etc/krb5.conf
.

myubuntu.example.com
:
.MYUBUNTU.EXAMPLE.COM
/etc/krb5.conf
) Kerberos (:

[libdefaults]
default_realm = MYUBUNTU.EXAMPLE.COM
ticket_lifetime = 24h
renew_lifetime = 7d

default_realm
username@domain .username
Active Directory
Kerberos
NTP :/etc/ntp.conf

server dc.myubuntu.example.com

netbois/nmbd Active
Directory . /etc/samba/smb.conf
In the [global] section:

[global]
workgroup = MYUBUNTU
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = MYUBUNTU.EXAMPLE.COM
security = ads

: password server


DNS

.security = ads password server

SSSD .
/etc/sssd/sssd.conf
: sssd

[sssd]
services = nss, pam
config_file_version = 2
domains = MYUBUNTU.EXAMPLE.COM
[domain/MYUBUNTU.EXAMPLE.COM]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.
# Use with pam_mkhomedir.so
override_homedir = /home/%d/%u
# Uncomment if the client machine hostname doesn't match
# the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM
# Enumeration is discouraged for performance reasons.
# enumerate = true


:600

sudo chown root:root /etc/sssd/sssd.conf


sudo chmod 600 /etc/sssd/sssd.conf

sssd .

. nsswitch.conf
sssd
Edit /etc/nsswitch.conf so that the following databases include sss:

passwd:         compat sss
group:          compat sss
...
netgroup:       nis sss
sudoers:        files sss

. /etc/hosts

/etc/hosts
:

192.168.1.10 myserver myserver.myubuntu.example.com

DNS.


. Active Directory
Restart ntp and samba, and start sssd:

sudo service ntp restart
sudo restart smbd
sudo restart nmbd
sudo start sssd

:Kerberos

sudo kinit Administrator

sudo klist

sudo net ads join -k

No DNS domain configured. Unable to perform DNS Update.


) ( /etc/hosts
/etc/hosts
/etc/hosts.


NT_STATUS_UNSUCCESSFUL
.


.
:

) (Organizational Unit Active

Directory )
(.
:
AD ) (:
getent passwd username

Note: getent passwd without a user name lists the domain users only if enumerate = true is set in sssd.conf.



.
:Active Directory

su - username


) getty .(SSH


/etc/pam.d sssdwitch.conf

.

. pam_mkhomedir
Active Directory
pam_mkhomedir.so

Add the following line to /etc/pam.d/common-session, after the session required pam_unix.so line:

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022

: override_homedir sssd.conf
.


.


Active Directory AD

For lightdm, add the following to /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf:

greeter-show-manual-login=true
greeter-hide-users=true

lightdm
username .username/username@domain
.

.SSSD

.DNS Server Configuration guidelines

.Active Directory DNS Zone Entries

.Kerberos config options


DNS

) (Domain Name Service IP


) ([FQDN] fully qualified domain names

DNS .IP DNS


BIND (Berkeley Internet Naming Daemon)
.

.1

:dns

sudo apt-get install bind9

dnsutils DNS

:

sudo apt-get install dnsutils


.2
BIND9
) (caching nameserver ) (primary master
).(secondary master
BIND9
.
BIND9 ) (Zone
.
BIND9
.
.
DNS /etc/bind bind
./etc/bind/named.conf
include DNS directory
/etc/bind/named.conf.options DNS
BIND .


/etc/bind/db.root
/etc/bind/db.root
bind9 zone ) (master server
.file

) ([SOA] Start of Authority

.LAN
.

IP DNS ISP
:/etc/bind/named.conf.options

forwarders {
        1.2.3.4;
        5.6.7.8;
};

: 1.2.3.4 5.6.7.8 IP .


DNS
:

sudo service bind9 restart

dig .DNS
.
BIND9 example.com
example.com .

DNS BIND9 BIND9
Add the zone to /etc/bind/named.conf.local:

zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
};

DDNS /var/lib/bind
: bind

/db.example.com /etc/bind/db.example.com


:/etc/bind/db.example.com

sudo cp /etc/bind/db.local /etc/bind/db.example.com

/etc/bind/db.example.com localhost FQDN


127.0.0.1 IP
root.localhost " ". "@"

.
) (record example.com

:ns.example.com

;
; BIND data file for example.com
;
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
        IN      A       192.168.1.10
;
@       IN      NS      ns.example.com.
@       IN      A       192.168.1.10
@       IN      AAAA    ::1
ns      IN      A       192.168.1.10

) (Serial Number
BIND9 .


DNS
.

:
2012010100 ) yyyymmddss ss (.

BIND9
.

sudo service bind9 restart


IP

) (Reverse zone DNS .
Add the reverse zone to /etc/bind/named.conf.local:

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
};

: 1.168.192


/etc/bind/db.192
.
:/etc/bind/db.192

sudo cp /etc/bind/db.127 /etc/bind/db.192

/etc/bind/db.192 :/etc/bind/db.example.com

;
; BIND reverse data file for local 192.168.1.XXX net
;
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.
10      IN      PTR     ns.example.com.

.
A /etc/bind/db.example.com

PTR ./etc/bind/db.192
BIND9 .

sudo service bind9 restart


.

.

Add allow-transfer to the zones in /etc/bind/named.conf.local:

zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
        allow-transfer { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
        allow-transfer { 192.168.1.11; };
};

: 192.168.1.11 IP .

BIND9 :

sudo service bind9 restart


bind9

:
/etc/bind/named.conf.local:

zone "example.com" {
        type slave;
        file "db.example.com";
        masters { 192.168.1.10; };
};

zone "1.168.192.in-addr.arpa" {
        type slave;
        file "db.192";
        masters { 192.168.1.10; };
};

: 192.168.1.10 IP .

BIND9 :

sudo service bind9 restart


) /var/log/syslog
:(

client 192.168.1.10#39448: received notify for zone '1.168.192.in-addr.arpa'
zone 1.168.192.in-addr.arpa/IN: Transfer started.
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53: connected using 192.168.1.11#37531
zone 1.168.192.in-addr.arpa/IN: transferred serial 5
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53: Transfer completed: 1 messages, 6 records, 212 bytes, 0.002 secs (106000 bytes/sec)
zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 5)
client 192.168.1.10#20329: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 192.168.1.10#53: connected using 192.168.1.11#38577
zone example.com/IN: transferred serial 5
transfer of 'example.com/IN' from 192.168.1.10#53: Transfer completed: 1 messages, 8 records, 225 bytes, 0.002 secs (112500 bytes/sec)

also-notify DNS

./etc/bind/named.conf.local {; ipaddress; }


Add also-notify to the zones in /etc/bind/named.conf.local:

zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
        allow-transfer { 192.168.1.11; };
        also-notify { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
        allow-transfer { 192.168.1.11; };
        also-notify { 192.168.1.11; };
};

: /var/cache/bind

AppArmor named AppArmor

:.


.3

DNS .BIND9
.
resolv.conf BIND9 IP


/etc/resolv.conf :

nameserver 192.168.1.10
nameserver 192.168.1.11

* 127. IP

) resolv.conf (resolveconf /etc/default/bind9


RESOLVECONF=no .RESOLVECONF=yes

: IP .

dig

dnsutils DNS
.dig


BIND9 dig ) loopback (localhost


53
:

dig -x 127.0.0.1

;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)


BIND9 ) (dig
:

dig ubuntu.com

;; Query time: 49 msec

dig :

;; Query time: 1 msec


ping


DNS ping
ICMP echo :

ping example.com

ns.example.com
IP :

PING ns.example.com (192.168.1.10) 56(84) bytes of data.


64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms
named-checkzone

bind9
BIND9 .

:

named-checkzone example.com /etc/bind/db.example.com

zone example.com/IN: loaded serial 6


OK


named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.192

zone 1.168.192.in-addr.arpa/IN: loaded serial 3


OK

: .

.
BIND9 )(logging
channel category
.
:

logging {
        category default { default_syslog; default_debug; };
        category unmatched { null; };
};

BIND9 debug DNS


.


) (channel
/etc/bind/named.conf.local :

logging {
        channel query.log {
                file "/var/log/query.log";
                severity debug 3;
        };
};

Next, send the query category to the new channel:

logging {
        channel query.log {
                file "/var/log/query.log";
                severity debug 3;
        };
        category queries { query.log; };
};

: debug 1 3 1
.

named bind /var/log/query.log


:

sudo touch /var/log/query.log


sudo chown bind /var/log/query.log


named
AppArmor /etc/apparmor.d/usr.sbin.named:

/var/log/query.log w,

cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r

AppArmor .
BIND9 :

sudo service bind9 restart

/var/log/query.log
BIND9 .


.4
.
DNS.
A record: maps an IP address to a host name.

www     IN      A       192.168.1.12

CNAME record: creates an alias for an existing A record. A CNAME record cannot point to another CNAME record.

web     IN      CNAME   www

MX record: defines where e-mail for the domain should be sent. It must point to an A record, not a CNAME.

        IN      MX      1       mail.example.com.
mail    IN      A       192.168.1.13

NS record: defines which servers serve copies of a zone. It must point to an A record, not a CNAME. This is where primary and secondary servers are defined.

        IN      NS      ns.example.com.
        IN      NS      ns2.example.com.
ns      IN      A       192.168.1.10
ns2     IN      A       192.168.1.11


DNS HOWTO .BIND9

bind9.net DNS .BIND9

DNS and BIND


.DNS and BIND on IPv6

BIND9 IRC
.Freenode #ubuntu-server


BIND Server HOWTO .





).(deployment

14.04
.

.1


.
.



sudo
sudo
.
.
:

sudo passwd

sudo
:

[sudo] password for username: (enter your own password)
Enter new UNIX password: (enter a new password for root)
Retype new UNIX password: (repeat new password for root)
passwd: password updated successfully

passwd :

sudo passwd -l root

usermod --expiredate 1


sudo :

man sudo

sudo

/etc/sudoers sudo
sudo .sudo
.

/
adduser .

....

sudo adduser username

sudo deluser username


UID/GID

.
UID/GID - -

:

sudo chown -R root:root /home/username/


sudo mkdir /home/archived_users/
sudo mv /home/username /home/archived_users/

passwd
) (:

sudo passwd -l username


sudo passwd -u username

sudo addgroup groupname


sudo delgroup groupname

adduser :

sudo adduser username groupname

.
adduser

/home/username ) (profile
/etc/skel .



.
:

ls -ld /home/username

/home/username
) :(world

drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username

sudo chmod 0750 /home/username

: ) ([recursive ] -R


adduser
/etc/adduser.conf
DIR_MODE
:

DIR_MODE=0750

ls -ld /home/username

:
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username


.

) (brute force


.



/etc/pam.d/common-password :

password        [success=2 default=ignore]      pam_unix.so obscure sha512


min=8 :

password        [success=2 default=ignore]      pam_unix.so obscure sha512 min=8

: sudo
.




.
:

sudo chage -l username


:
Last password change                                    : Jan 20, 2008
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

sudo chage username



) (-E 01/31/2008
) (-m 5 ) (-M 90
) inactivity (-I 5 )(-W
14 .

sudo chage -E 01/31/2008 -m 5 -M 90 -I 5 -W 14 username

sudo chage -l username

:
Last password change                                    : Jan 20, 2008
Password expires                                        : Apr 19, 2008
Password inactive                                       : May 19, 2008
Account expires                                         : Jan 31, 2008
Minimum number of days between password change          : 5
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14

.


.


SSH

RSA ) (shell

SSH ./home/username/.ssh/authorized_keys
.ssh/
.SSH

SSH
) (kill .

# to get the pts/X terminal

who | grep username


sudo pkill -f pts/X

SSH
sshlogin
AllowGroups ./etc/ssh/sshd_config

AllowGroups sshlogin


SSH sshlogin
:SSH

sudo adduser username sshlogin


sudo service ssh restart


.2


...
) (screen door
!
.
.

. Ctrl+Alt+Delete

Ctrl+Alt+Delete


.
Ctrl+Alt+Delete
:/etc/init/control-alt-delete.conf

"#exec shutdown -r now "Control-Alt-Delete pressed


.3
.
Netfilter

.

iptables
Netfilter
iptables iptables
.

. ufw

Uncomplicated Firewall
ufw iptables ufw
IPv4 .IPv6
ufw
. :man ufw
ufw

).(host-based firewalls


:ufw
ufw
:

sudo ufw enable

) ssh (:

sudo ufw allow 22

:
sudo ufw deny 22

delete :

sudo ufw delete deny 22



ssh 192.168.0.2 IP :

sudo ufw allow proto tcp from 192.168.0.2 to any port 22

192.168.0.0/24 192.168.0.2 ssh


.


ufw --dry-run
:HTTP

sudo ufw --dry-run allow http

*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
COMMIT
Rules updated

: ufw

sudo ufw disable


sudo ufw status

sudo ufw status verbose

) ( :numbered

sudo ufw status numbered

: /etc/services
22 ssh .

ufw ufw
.

ufw
ufw

/etc/ufw/applications.d
.


sudo ufw app list

sudo ufw allow Samba

:
ufw allow from 192.168.0.0/24 to any app Samba

Samba 192.168.0.0/24 IP.


:
.

)... (.
:
sudo ufw app info Samba


ufw

:Launchpad
ubuntu-bug nameofpackage

IP
(IP Masquerading) IP IP


IP
IP ) (private IP
) (conntrack

)(
) .(Internet Connection Sharing

ufw

IP ufw ufw
iptables-restore /etc/ufw/*.rules
iptables ufw
.



ufw .
ufw
DEFAULT_FORWARD_POLICY " "ACCEPT :/etc/default/ufw
"DEFAULT_FORWARD_POLICY="ACCEPT

/etc/ufw/sysctl.conf :
net/ipv4/ip_forward=1

IPv6 :
net/ipv6/conf/default/forwarding=1

/etc/ufw/before.rules
filter nat
:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT



/etc/ufw
:

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

COMMIT

raw .mangle
nat filter

:- eth0 - eth1 192.168.0.0/24 IP.

ufw :

sudo ufw disable && sudo ufw enable

IP FORWARD

/etc/ufw/before.rules ufw-before-
.forward


iptables
iptables . ufw
IPv4 /etc/sysctl.conf :

net.ipv4.ip_forward=1

IPv6 :

net.ipv6.conf.default.forwarding=1

sysctl :
sudo sysctl -p

IP iptables
:

sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 \
    -o ppp0 -j MASQUERADE

192.168.0.0/16
ppp0 :

:-t nat .nat

:-A POSTROUTING ) (-A .POSTROUTING


:-s 192.168.0.0/16 .

:-o ppp0 .

:-j MASQUERADE ) (jump


MASQUERADE .

) filter

( ACCEPT
DROP REJECT
FORWARD :

sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT


sudo iptables -A FORWARD -d 192.168.0.0/16 -m state \
    --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT


.
- -
/etc/rc.local :

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 \
    -j MASQUERADE


.


)
ACCEPT DROP .(REJECT
ufw :

sudo ufw logging on

ufw on off .
iptables ufw :

sudo iptables -A INPUT -m state --state NEW -p tcp \
    --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "

80 dmesg )
(:

[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00
SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0


/var/log/messages /var/log/syslog
/var/log/kern.log /etc/syslog.conf
ulogd ULOG .LOG
ulogd ) (userspace server


PostgreSQL MySQL
logwatch fwanalog fwlogwatch .lire
.

iptables :

fwbuilder
.Checkpoint FireWall-1

:

Shorewall2 .


Ubuntu Firewall .ufw


ufw .man ufw :

packet filtering HOWTO .iptables

nat-HOWTO .

IPTables HowTo .


.4 AppArmor
AppArmor
.POSIX 1003.1e
AppArmor )(profiles

.apparmor-profiles

apparmor-profiles
sudo apt-get install apparmor-profiles

AppArmor :

) :(Complaining/Learning
.

) :(Enforced/Confined

.


. AppArmor
: .

apparmor-utils
AppArmor ....
apparmor_status .AppArmor

sudo apparmor_status

:
aa-complain

sudo aa-complain /path/to/bin

:
aa-enforce

sudo aa-enforce /path/to/bin

/etc/apparmor.d AppArmor
.

:

sudo aa-complain /etc/apparmor.d/*


sudo aa-enforce /etc/apparmor.d/*

apparmor_parser
: -r

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

: service apparmor

sudo service apparmor reload

- apparmor_parser /etc/apparmor.d/disable
: R

sudo ln -s /etc/apparmor.d/profile.name \
/etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name


/etc/apparmor.d
/disable :-a

sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

AppArmor :

sudo service apparmor stop


sudo update-rc.d -f apparmor remove

AppArmor
:

sudo service apparmor start


sudo update-rc.d apparmor defaults

: profile.name
/path/to/bin
ping ./bin/ping

.
) (profiles /etc/apparmor.d/
/ .
/etc/apparmor.d/bin.ping AppArmor ./bin/ping


) :(Path entries
.

) :(Capability entries .
/etc/apparmor.d/bin.ping:

#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  capability net_raw,
  capability setuid,
  network inet raw,
  /bin/ping mixr,
  /etc/modules.conf r,
}

:#include <tunables/global>
.

/bin/ping flags=(complain):
.complain

:capability net_raw, .CAP_NET_RAW POSIX 1003.1e

:/bin/ping mixr, .

: AppArmor.



:
.
:

.init
: aa-genprof :

sudo aa-genprof executable

sudo aa-genprof slapd

apparmor-profiles
Launchpad :AppArmor




aa-logprof
AppArmor .

sudo aa-logprof

AppArmor Administration Guide .

AppArmor
.AppArmor

OpenSUSE AppArmor .AppArmor

AppArmor
#ubuntu-server ) Freenode .(IRC


.5

) (public-key cryptography
)(private key ) (encrypt
) (public key

) (decrypted .

(Secure Socket Layer ) SSL (Transport Layer Security ) TLS
- HTTPS HTTP -SSL
.
) (Certificate
)(CA

.

.
-
- ) (

. .

: .


HTTPS
:
)(

.
SSL

) (
.
:

.1

.2
.
.3

.


.4

.5

.6 .
. )(CSR

.
Postfix

... Dovecot . ) (passphrase
.

.

:
.


openssl genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus


..........................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:


-des3

.

.server.key
) insecure ( :

openssl rsa -in server.key -out server.key.insecure


mv server.key server.key.secure
mv server.key.insecure server.key

server.key
CSR .


:CSR

openssl req -new -key server.key -out server.csr


... .

) (CSR .server.csr


.
.
:
openssl x509 -req -days 365 -in server.csr -signkey server.key \
    -out server.crt


.server.crt

: ) (CA
.


.
server.key server.crt
:

sudo cp server.crt /etc/ssl/certs


sudo cp server.key /etc/ssl/private


HTTPS
Dovecot IMAPS ... POP3S.
.



.
:

sudo mkdir /etc/ssl/CA


sudo mkdir /etc/ssl/newcerts


"sudo sh -c "echo '01' > /etc/ssl/CA/serial


sudo touch /etc/ssl/CA/index.txt


/etc/ssl/openssl.cnf
] [ CA_default :

dir             = /etc/ssl/               # Where everything is kept
database        = $dir/CA/index.txt       # database index file.
certificate     = $dir/certs/cacert.pem   # The CA certificate
serial          = $dir/CA/serial          # The current serial number
private_key     = $dir/private/cakey.pem  # The private key

:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem \
    -out cacert.pem -days 3650

.
:

sudo mv cakey.pem /etc/ssl/private/


sudo mv cacert.pem /etc/ssl/certs/

)
(

:
sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf


.
/etc/ssl/newcerts/01.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
mail.example.com.crt .
02.pem ... 03.pem.

: mail.example.com.crt .


/etc/ssl/certs
.
CA


/etc/ssl/certs/cacert.pem /etc/ssl/certs/ .
.

.SSL Certificates HOWTO

HTTPS .HTTPS

OpenSSL .OpenSSL

Network Security with OpenSSL O'Reilly .


.6 eCryptfs
eCryptfs POSIX
eCryptfs
....
/home
. /srv .eCryptfs

. eCryptfs
:

sudo apt-get install ecryptfs-utils

sudo mount -t ecryptfs /srv /srv

.
/srv /etc/default :/srv

sudo cp -r /etc/default /srv


/srv :

sudo umount /srv


cat /srv/default/cron

/srv ecryptfs .
.
ecryptfs
/root/.ecryptfsrc
.USB
/root/.ecryptfsrc :

key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

: ecryptfs_sig ./root/.ecryptfs/sig-cache.txt

:/mnt/usb/passwd_file.txt

passphrase_passwd=[secrets]


:/etc/fstab

/dev/sdb1       /mnt/usb        ext3        ro          0 0
/srv            /srv            ecryptfs    defaults    0 0

USB .
/srv .eCryptfs
.

:
ecryptfs-utils

ecryptfs-setup-private ~/Private

.

ecryptfs-mount-private ecryptfs-umount-private
~/Private .

:ecryptfs-add-passphrase .kernel keyring

:ecryptfs-manager eCryptfs .

:ecryptfs-stat eCryptfs .


eCryptfs .Launchpad

Linux Journal .eCryptfs

eCryptfs .man ecryptfs

eCryptfs .


10



) (performance ) (availability
Nagios Munin .
server01 server02
server01 Nagios server02
server01 Munin munin-node
server02 .server01
.


.1 Nagios
.
nagios server01 :

sudo apt-get install nagios3 nagios-nrpe-plugin

nagiosadmin
./etc/nagios3/htpasswd.users nagiosadmin
Nagios CGI htpasswd
.apache2-utils
:nagiosadmin

sudo htpasswd /etc/nagios3/htpasswd.users nagiosadmin

sudo htpasswd /etc/nagios3/htpasswd.users steve


server02 nagios-nrpe-server
:server02

sudo apt-get install nagios-nrpe-server

: NRPE

Nagios.

.
Nagios ).(check files

:/etc/nagios3 nagios CGI


....

:/etc/nagios-plugins .

:/etc/nagios nagios-nrpe-
.server

:/usr/lib/nagios/plugins/
-h .


/usr/lib/nagios/plugins/check_dhcp -h

Nagios
Nagios DNS MySQL
DNS server02 MySQL server01 .server02

: :

DNS .MySQL

:Nagios

) :(host ) (workstation ... . .

) :(host group
....

) :(service HTTP DNS ... NFS.

) :(service group

HTTP .

) :(contact

Nagios ... SMS.


Nagios HTTP
SSH
localhost
Nagios
ping.
Nagios
.
.
.1 server02
server01
:

sudo cp /etc/nagios3/conf.d/localhost_nagios2.cfg \
    /etc/nagios3/conf.d/server02.cfg

: server01 server02 172.18.100.100


172.18.100.101 IP.


:/etc/nagios3/conf.d/server02.cfg

define host {
        use                     generic-host            ; Name of host template to use
        host_name               server02
        alias                   Server 02
        address                 172.18.100.101
}
# check DNS service.
define service {
        use                     generic-service
        host_name               server02
        service_description     DNS
        check_command           check_dns!172.18.100.101
}

: nagios

sudo service nagios3 restart

/etc/nagios3/conf.d/ MySQL
:services_nagios.cfg

# check MySQL servers.
define service {
        hostgroup_name          mysql-servers
        service_description     MySQL
        check_command           check_mysql_cmdlinecred!nagios!secret!$HOSTADDRESS
        use                     generic-service
        notification_interval   0 ; set > 0 if you want to be renotified
}

/etc/nagios3/conf.d/ mysql-servers
: hostgroups_nagios2.cfg

# MySQL hostgroup.
define hostgroup {
        hostgroup_name  mysql-servers
        alias           MySQL servers
        members         localhost, server02
}

MySQL nagios MySQL Nagios .3


:

mysql -u root -p \
-e "create user nagios identified by 'secret';"

.mysql-servers nagios :

:MySQL nagios

sudo service nagios3 restart


.server02 NRPE
:/etc/nagios3/conf.d/server02.cfg server01

# NRPE disk check.
define service {
        use                     generic-service
        host_name               server02
        service_description     nrpe-disk
        check_command           check_nrpe_1arg!check_all_disks!172.18.100.101
}

: /etc/nagios/nrpe.cfg server02
allowed_hosts=172.18.100.100

command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -e

:nagios-nrpe-server

sudo service nagios-nrpe-server restart


:nagios server01

sudo service nagios3 restart


Nagios CGI
http://server01/nagios3
nagiosadmin .
.

Nagios nagios-
plugins-extra nagios-snmp-plugins .

Nagios .

.Nagios

Nagios .


.2 Munin
.
Munin server01 apache2
.munin

munin server01 :

sudo apt-get install munin

munin-node :server02

sudo apt-get install munin-node

/etc/munin/munin.conf server01 IP
:server02

## First our "normal" host.
[server02]
    address 172.18.100.101

: server02 172.18.100.101 IP .


munin-node server02 /etc/munin/munin-


node.conf :server01
allow ^172\.18\.100\.100$

: ^172\.18\.100\.100$ IP Munin .

munin-node server02 :
sudo service munin-node restart

http://server01/munin
munin-plugins
.

: .

.

munin-plugins-extra
DNS DHCP ... . :
sudo apt-get install munin-plugins-extra

.


Munin .

Munin
.

.Munin


11


HTTP
HTTP
HTML ....

.1 HTTPD

) (Apache



.

) URL (Uniform Resource Locator
) (FQDN
:
www.ubuntu.com


:
www.ubuntu.com/community

) Hyper
Text Transfer Protocol (HTTP

) Hyper Text Transfer Protocol over Secure


Sockets Layer (HTTPS ) File Transfer Protocol
(FTP ) (upload ) (download .


MySQL
) (PHP ) (scripting languages

Linux, Apache, MySQL and ) LAMP


(Perl/Python/PHP .

sudo apt-get install apache2

) (directives
:

:apache2.conf
.

:httpd.conf
httpd


.


:conf-available

/etc/apache2/conf.d /etc/apache2/conf-
.available

:conf-enabled /etc/apache2
/conf-available
.

:envvars )environment
(variables.

:mods-available
) (modules .

:mods-enabled /etc/apache2
/mods-available
.

:ports.conf TCP
.


:sites-available
) (Virtual Hosts
.

:sites-enabled mods-enabled sites-enabled


/etc/apache2/sites-available



.

:magic MIME .
Include

) (wildcards
.

.

) (mime types

TypesConfig /etc/apache2/mods-
available/mime.conf ./etc/mime.types




.

) (VirtualHost





URL ServerName
./etc/apache2/sites-available/default

webmaster .

sudo cp /etc/apache2/sites-available/000-default.conf \
    /etc/apache2/sites-available/mynewsite.conf

.

ServerAdmin
webmaster@localhost )
(

./etc/apache2/sites-available
listen IP
IP IP
listen 80 127.0.0.1:80
loopback 81
) (
./etc/apache2/ports.conf
ServerName ) (FQDN

ServerName
ServerName

ubunturocks.com
ServerName
ubunturocks.com
).(/etc/apache2/sites-available/mynewsite.conf


www.ubunturocks.com
www
ServerAlias ) (wildcards .ServerAlias

:.ubunturocks.com

ServerAlias *.ubunturocks.com

DocumentRoot

/var/www /etc/apache2/sites-available/000-
default.conf
.
a2ensite :

sudo a2ensite mynewsite


sudo service apache2 restart

: mynewsite
ServerName .


a2dissite
:
sudo a2dissite mynewsite
sudo service apache2 restart




.
DirectoryIndex
) (/ .

http://www.example.com/directory/
DirectoryIndex
Indexes Permission Denied
. DirectoryIndex
Options Indexes
HTML

/etc/apache2/mods-available/dir.conf "index.html
"index.cgi index.pl index.php index.xhtml index.htm
.


ErrorDocument
404
HTTP 404 /etc/apache2/conf.d/localized-error-pages
ErrorDocument .
/var/log/apache2/access.log

CustomLog /etc/apache2/conf.d/
.other-vhosts-access-log

ErrorLog /var/log/apache2/error.log


) LogLevel " ("warn LogFormat
) /etc/apache2/apache2.conf (.
Options
Directory XML :

<Directory /var/www/mynewsite>
...
</Directory>


Options Directory
:

ExecCGI CGI CGI


.

: CGI ! CGI

ExecCGI
CGI ./usr/lib/cgi-bin

:Includes
HTML Apache SSI Documentation
.

:IncludesNOEXEC #exe
c #Include .CGI

:Indexes
) DirectoryIndex (index.html .

!
:


Multiview content-negotiated multiviews


.

SymLinksIfOwnerMatch
.

httpd
httpd.

:LockFile LockFile
USE_FCNTL_SERIALIZED_ACCEPT

USE_FLOCK_SERIALIZED_ACCEPT

NFS
) (root.

:PidFile PidFile
) process ID pid(
.


:User User userid




"."www-data

: User root
.

:Group Group User Group



" "www-data
.






LoadModule
.



<IfModule>.

:MySQL

sudo apt-get install libapache2-mod-auth-mysql

/etc/apache2/mods-available .
a2enmod :

sudo a2enmod auth_mysql


sudo service apache2 restart

a2dismod :
sudo a2dismod auth_mysql
sudo service apache2 restart

HTTPS
mod_ssl
SSL
https:// URL .


mod_ssl apache2-common
:mod_ssl

sudo a2enmod ssl

HTTPS /etc/apache2/sites-available/default-
ssl.conf HTTPS
HTTPS
ssl-cert

:.

:HTTPS

sudo a2ensite default-ssl

: /etc/ssl/certs /etc/ssl/private

SSLCertificateFile

SSLCertificateKeyFile .


HTTPS :

sudo service apache2 restart

: .

https://hostname/url/
.

/var/www
:webmasters

sudo chgrp -R webmasters /var/www


sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
sudo find /var/www -type f -exec chmod g=rws "{}" \;

: ).(ACLs




apache2-doc .

Mod SSL .SSL

O'Reilly Apache Cookbook


.

IRC #ubuntu-server
.freenode.net

PHP MySQL Apache


MySQL PHP .


.2 PHP5
PHP PHP HTML
PHP5 .MySQL
MySQL
MySQL .
.
PHP5
PHP.

:PHP5

sudo apt-get install php5 libapache2-mod-php5

PHP5 php5-cli
PHP5 :

sudo apt-get install php5-cli



PHP5 PHP5
php5-cgi :

sudo apt-get install php5-cgi

MySQL PHP5 php5-mysql :

sudo apt-get install php5-mysql

PostgreSQL PHP5 :php5-pgsql

sudo apt-get install php5-pgsql

.
PHP5 PHP5
php5-cli php5 .

PHP5 PHP5

/etc/apache2/mods-enabled/php5.conf /etc/apache2/mods-enabled/php5.load .a2enmod


PHP5
PHP5 :

sudo service apache2 restart

.
PHP phpinfo:

<?php
  phpinfo();
?>

phpinfo.php
DocumentRoot
http://hostname/phpinfo.php PHP5.
.

.php.net

PHP O'Reilly
Learning PHP .PHP CookBook


.3 Squid
Squid ) (web proxy cache server
) (HTTP
) (FTP Squid
) (SSL DNS Squid

) Internet Cache Protocol
(ICP ) Hyper Text Caching Protocol (HTCP
) Cache Array Routing Protocol (CARP
) Web Cache Coordination Protocol .(WCCP

Squid

) Simple Network
Management Protocol .(SNMP
Squid
Squid .


.

:Squid

sudo apt-get install squid3

.
Squid /etc/squid3/squid.conf
Squid
Squid .

:
.

/etc/squid/squid.conf
:

sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original


sudo chmod a-w /etc/squid3/squid.conf.original

Squid TCP 8888 TCP


3128 http_port :

http_port 8888


visible_hostname Squid

:weezie
visible_hostname weezie

Squid
Squid IP
192.168.42.0/24:
ACL :/etc/squid3/squid.conf

acl fortytwo_network src 192.168.42.0/24

http_access :/etc/squid3/squid.conf

http_access allow fortytwo_network

Squid
Squid

9:00AM 5:00PM
:10.1.42.0/42


ACL :/etc/squid3/squid.conf

acl biz_network src 10.1.42.0/24


acl biz_hours time M T W H F 9:00-17:00

http_access :/etc/squid3/squid.conf

http_access allow biz_network biz_hours

: /etc/squid3/squid.conf
Squid :

sudo service squid3 restart

.Squid

.Squid


.4 Ruby on Rails
Ruby on Rails

.convention over configuration
.
Ruby on Rails MySQL
.
MySQL Ruby on Rails
:

sudo apt-get install rails

.
/etc/apache2/sites-available/000-default.conf
.
:DocumentRoot

DocumentRoot /path/to/rails/application/public


:<Directory "/path/to/rails/application/public">

<Directory "/path/to/rails/application/public">
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride All
Order allow,deny
allow from all
AddHandler cgi-script .cgi
</Directory>

: mod_rewrite

sudo a2enmod rewrite

/path/to/rails/application/public
: /path/to/rails/application/tmp

sudo chown -R www-data:www-data /path/to/rails/application/public
sudo chown -R www-data:www-data /path/to/rails/application/tmp

.Ruby on Rails !
.


. Ruby on Rails

. Agile Development with Rails

.Ruby on Rails


.5 Tomcat
) (Apache Tomcat ) (web container
Java Servlets .(Java Server Pages) JSP
6 7 6 7

.
7 .


) tomcat7 (tomcat6



.
.
:

sudo apt-get install tomcat7

ROOT
"."It works


.
/etc/tomcat7
Tomcat 7.0.


7.0 (HTTP connector) HTTP 8080
AJP 8009
:/etc/tomcat7/server.xml

"<Connector port="8080" protocol="HTTP/1.1


"connectionTimeout="20000
>redirectPort="8443" /
...
"<Connector port="8009" protocol="AJP/1.3
>redirectPort="8443" /

JVM
OpenJDK JVM


Sun JVMs JVMs
JAVA_HOME :/etc/default/tomcat7

JAVA_HOME=/usr/lib/jvm/java-6-sun



) (
Servlet :/etc/tomcat7/tomcat-users.xml

<role rolename="admin"/>
<user username="tomcat" password="s3cret" roles="admin"/>

.
.


tomcat7-docs
http://server:8080/docs :
sudo apt-get install tomcat7-docs


tomcat7-admin
:

sudo apt-get install tomcat7-admin


manager
http://server:8080/manager/html
.

: manager-gui
: manager
/etc/tomcat7/tomcat-users.xml .

host-manager
http://server:8080/host-manager/html
.

: host-manager
:

admin-gui /etc/tomcat7/tomcat-users.xml .

tomcat7 /etc/tomcat7
) (

tomcat7 :

sudo chgrp -R tomcat7 /etc/tomcat7


sudo chmod -R g+w /etc/tomcat7



tomcat7-example
Servlets JSP http://server:8080/examples
:

sudo apt-get install tomcat7-examples

.



) (
.

: ) (
.TCP

sudo apt-get install tomcat7-user


tomcat7-instance-create my-instance

my-instance
lib/
webapps/ .

conf/
conf/server.xml
.

)
:(my-instance

my-instance/bin/startup.sh

: /logs
java.net.BindException: Address already in use<null>:8080


my-instance/bin/shutdown.sh

Apache Tomcat .

Tomcat: The Definitive Guide .

Tomcat Books .


12


.MySQL

.PostgreSQL
)(main

.1 MySQL
MySQL ) (multi-threaded



).(mass-deployed
.
:MySQL

sudo apt-get install mysql-server

MySQL .
MySQL
MySQL :

sudo netstat -tap | grep mysql


tcp        0      0 localhost:mysql         *:*                     LISTEN      2556/mysqld

sudo service mysql restart

.
/etc/mysql/my.cnf
. MySQL
bind-address IP:

bind-address            = 192.168.0.5

: 192.168.0.5 .

/etc/mysql/my.cnf
:MySQL

sudo service mysql restart


) (root
:MySQL

sudo dpkg-reconfigure mysql-server-5.5

MySQL .
.
MySQL
.

MySQL
) (Storage engine
InnoDB : MyISAM
MySQL

.


.


MyISAM
InnoDB

) MyISAM (InnoDB MyISAM




FULLTEXT
MyISAM

MyISAM journaling

MyISAM .

InnoDB ACID

) (row

) (file block
ACID journaled
.
InnoDB MySQL 5.5
MyISAM .


my.cnf
MySQL
Percona's my.cnf generating tool
my.cnf .
my.cnf Percona

MySQL
mysqldump :

mysqldump --all-databases --all-routines -u root \
    -p > ~/fulldump.sql

MySQL


.
MySQL ):(dump

sudo service mysql stop


my.cnf :

sudo cp /etc/my.cnf /etc/my.cnf.backup


sudo cp /path/to/new/my.cnf /etc/my.cnf


:MySQL

sudo rm -rf /var/lib/mysql/*
sudo mysql_install_db
sudo chown -R mysql: /var/lib/mysql
sudo service mysql start


(Pipe Viewer) pv
pv pv cat
) (ETA pv
:

sudo apt-get install pv


pv ~/fulldump.sql | mysql

: my.cnf


MySQL Tuner
MySQL Tuner MySQL


mysqltuner
24 mysqltuner
:

sudo apt-get install mysqltuner

mysqltuner



my.cnf

MySQL
.
:

-------- Recommendations -----------------------------------------------------
General recommendations:
    Run OPTIMIZE TABLE to defragment tables for better performance
    Increase table_cache gradually to avoid file descriptor limits
Variables to adjust:
    key_buffer_size (> 1.4G)
    query_cache_size (> 32M)
    table_cache (> 64)
    innodb_buffer_pool_size (>= 22G)

:

) (Wordpress ) (Drupal )(Joomla

...


MySQL
).(Slaves
.

MySQL .

online offline .MySQL Developers portal

SQL .Using SQL Special Edition

Apache MySQL PHP .


.2 PostgreSQL
PostgreSQL
.DBMS
.
:PostgreSQL

sudo apt-get install postgresql

PostgreSQL
.
.
TCP/IP PostgreSQL
IDENT postgres
PostgreSQL Administrator's Guide
.Kerberos
TCP/IP MD5
PostgreSQL /etc/postgresql/<version>/main
PostgreSQL 9.1
./etc/postgresql/9.1/main


: ident /etc/postgresql/9.1/main/pg_ident.conf
.

TCP/IP /etc/postgresql/9.1/main/postgresql.conf #listen_addresses = 'localhost' :

listen_addresses = '*'

: IPv4 IPv6 " "localhost "."::


.PostgreSQL
PostgreSQL

postgres PostgreSQL
:

sudo -u postgres psql template1

PostgreSQL template1
postgres PostgreSQL .SQL


SQL psql :postgres

ALTER USER postgres with encrypted password 'your_password';

/etc/postgresql/9.1/main/pg_hba.conf
MD5 :postgres

local   all         postgres                          md5

PostgreSQL
:

sudo service postgresql restart

: PostgreSQL Administrator's
Guide .

:PostgreSQL

sudo apt-get install postgresql-client


psql -h postgres.example.com -U postgres -W

: .


PostgreSQL Administrator's Guide



postgresql-doc-9.1 :

sudo apt-get install postgresql-doc-9.1


file:///usr/share/doc/postgresql-doc-9.1/html/index.html
.


PostgreSQL .


13

LAMP


LAMP

) LAMP (Linux + Apache + MySQL + PHP/Perl/Python



LAMP
.phpMyAdmin
LAMP
MySQL PostgreSQL SQLite

Python Perl Ruby PHP Nginx Cherokee


Lighttpd .
LAMP tasksel tasksel
/

:LAMP

sudo tasksel install lamp-server

LAMP :



.
LAMP

.LAMP


.1 Moin Moin
MoinMoin PikiPiki
.GUN GPL
.
:MoinMoin

sudo apt-get install python-moinmoin


.
.

:mywiki

cd /usr/share/moin
sudo mkdir mywiki
sudo cp -R data mywiki
sudo cp -R underlay mywiki
sudo cp server/moin.cgi mywiki
sudo chown -R www-data.www-data mywiki
sudo chmod -R ug+rwX mywiki
sudo chmod -R o-rwx mywiki


MoinMoin mywiki
MoinMoin /etc/moin/mywiki.py :

data_dir = '/org/mywiki/data'

data_dir = '/usr/share/moin/mywiki/data'


data_dir :data_underlay_dir

data_underlay_dir = '/usr/share/moin/mywiki/underlay'

: /etc/moin/mywiki.py /usr/share/moin/config/wikifarm/mywiki.py /etc/moin/mywiki.py .

: my_wiki_name ("my_wiki_name", r".*").

/etc/moin/farmconfig.py ("mywiki", r".*").

MoinMoin mywiki
.


/etc/apache2/sites-available/default

<VirtualHost *>:
### moin
ScriptAlias /mywiki "/usr/share/moin/mywiki/moin.cgi"
alias /moin_static193 "/usr/share/moin/htdocs"
<Directory /usr/share/moin/htdocs>
    Order allow,deny
    allow from all
</Directory>
### end moin


:
sudo service apache2 restart

.
:
http://localhost/mywiki

MoinMoin.
.

.moinmoin


.MoinMoin


.2 MediaWiki
MediaWiki Wiki PHP
MySQL .PostgreSQL
.
MediaWiki PHP5
MySQL PostgreSQL
.
:MediaWiki

sudo apt-get install mediawiki php5-gd

MediaWiki .mediawiki-extensions
.
mediawiki.conf
/etc/apache2/conf-available/
:MediaWiki

# Alias /mediawiki /var/lib/mediawiki



MediaWiki :http://localhost/mediawiki/config/index.php

sudo a2enconf mediawiki.conf


sudo service apache2 restart

: Checking environment...
.

LocalSettings.php
:/etc/mediawiki

sudo mv /var/lib/mediawiki/config/LocalSettings.php \
    /etc/mediawiki/


/etc/mediawiki/LocalSettings.php
) (:
ini_set( 'memory_limit', '64M' );

.
MediaWiki
MediaWiki .


MediaWiki ) (checkout
Subversion /var/lib/mediawiki/extensions

:/etc/mediawiki/LocalSettings.php

require_once "$IP/extensions/ExtentionName/ExtentionName.php";

.MediaWiki


MediaWiki Administrators Tutorial Guide
MediaWiki.

MediaWiki
.


.3 phpMyAdmin
MySQL
phpMyAdmin LAMP
PHP phpMyAdmin
.
.
phpMyAdmin MySQL
phpMyAdmin
MySQL

:phpMyAdmin

sudo apt-get install phpmyadmin

phpMyAdmin
.
http://server/phpmyadmin server
root
MySQL .

....


.
phpMyAdmin /etc/phpmyadmin
/etc/phpmyadmin/config.inc.php
.phpMyAdmin
phpMyAdmin MySQL
:/etc/phpmyadmin/config.inc.php

$cfg['Servers'][$i]['host'] = 'db_server';

: db_server IP

phpMyAdmin .

phpMyAdmin
.
config.header.inc.php config.footer.inc.php
HTML .phpMyAdmin
/etc/phpmyadmin/apache.conf
/etc/apache2/conf.d/phpmyadmin.conf
phpMyAdmin PHP ....


phpMyAdmin
phpMyAdmin Documentation phpMyAdmin

.phpMyAdmin

Mastering phpMyAdmin .

.phpMyAdmin


Wordpress .4
( Wordpress)
.GNU GPLv2 PHP
.
:
sudo apt-get install wordpress


MySQL
.
.

/etc/apache2/sites-
: available/wordpress.conf
Alias /blog /usr/share/wordpress
<Directory /usr/share/wordpress>
Options FollowSymLinks
AllowOverride Limit Options FileInfo
DirectoryIndex index.php
Order allow,deny
Allow from all
</Directory>
<Directory /usr/share/wordpress/wp-content>
Options FollowSymLinks
Order allow,deny
Allow from all
</Directory>


sudo a2ensite wordpress

sudo service apache2 restart




/etc/wordpress/config-10.211.55.50.php :
/etc/wordpress/config-hostalias1.php.
)

(SSH /etc/wordpress/config-
localhost.php ./etc/wordpress/config/NAME_OF_VIRTUAL_HOST.php
MySQL
localhost.


/etc/wordpress MySQL
: /config-localhost.php

<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>

wordpress.sql
: MySQL

CREATE DATABASE wordpress;


GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER
ON wordpress.*
TO wordpress@localhost
IDENTIFIED BY 'yourpasswordhere';
FLUSH PRIVILEGES;

: MySQL

cat wordpress.sql | sudo mysql \
    --defaults-extra-file=/etc/mysql/debian.cnf


http://localhost/blog/wp-admin/install.php
.


.
.

.Wordpress.org Codex

.WordPress


14




FTP NFS .CUPS

.1 FTP
) File Transfer Protocol (FTP TCP



OpenSSH

.
FTP / FTP FTP
FTP
FTP .

FTP :

.
)(Anonymous

FTP anonymous ftp





SFTP .OpenSSH-Server
FTP
FTP FTP
FTP .

. vsftpd FTP
vsftpd FTP
vsftpd :

sudo apt-get install vsftpd

. FTP
vsftpd
/etc/vsftpd.conf:
anonymous_enable=Yes

ftp /srv/ftp FTP


.


/srv/files/ftp
:ftp
sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp

vsftpd :

sudo restart vsftpd

ftp
/srv/files/ftp /srv/ftp .
. FTP
vsftpd
:/etc/vsftpd.conf

write_enable=YES

:vsftpd

sudo restart vsftpd

FTP
....


FTP
:vsftpd

anon_upload_enable=YES

:

.


man 5 vsftpd.conf
.

. FTP
/etc/vsftpd.conf vsftpd
:
chroot_local_users=YES

:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list


/etc/vsftpd.chroot_list
:vsftpd

sudo restart vsftpd

/etc/ftpusers

FTP root daemon ... nobody .
FTP .
FTP FTPS SFTP FTPS FTP
) (SSL SFTP FTP SSH
SFTP
shell nologin

SFTP OpenSSH .
FTPS /etc/vsftpd.conf :

ssl_enable=Yes


rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

ssl-sert

:.
vsftpd :FTPS
sudo restart vsftpd

/usr/sbin/nologin FTP
/etc/shells :nologin

# /etc/shells: valid login shells


/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin


vsftpd PAM /etc/pam.d/vsftpd


:

auth required pam_shells.so

PAM ./etc/shells
FTP .FTPS lftp
FTPS
.
.

vsftpd .

/etc/vsftpd.conf .vsftpd.conf


.2 NFS
NFS

.NFS
:NFS


NFS .

CD-ROM USB
.

.
:NFS

sudo apt-get install nfs-kernel-server


.
/etc/exports :

/ubuntu *(ro,sync,no_root_squash)
/home *(rw,sync,no_root_squash)

"*"
.NFS
:NFS

sudo service nfs-kernel-server start

. NFS
mount NFS
:

sudo mount example.hostname.com:/ubuntu /local/ubuntu

: /local/ubuntu
.


NFS /etc/fstab
NFS

NFS
/etc/fstab:

example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr

NFS nfs-common
:

sudo apt-get install nfs-common

.Linux NFS faq2

.NFS Howto


.3 iSCSI

(Internet Small Computer System Interface ) iSCSI

SCSI iSCSI (Storage Area Network ) SAN

iSCSI
) (initiators iSCSI ).(targets
iSCSI
iSCSI iSCSI

iSCSI .

. iSCSI
iSCSI open-iscsi :

sudo apt-get install open-iscsi

. iSCSI
open-iscsi /etc/iscsi/iscsid.conf
:

node.startup = automatic


iscsiadm
:

sudo iscsiadm -m discovery -t st -p 192.168.0.10

:-m .iscsiadm

:-t .

:-p IP.

: 192.168.0.10 IP .

192.168.0.10:3260,1 iqn.1992-05.com.emc:sl7b92030000520000-2

: iqn IP .

iSCSI
:iSCSI

sudo iscsiadm -m node --login


:dmesg

dmesg | grep sd

[    4.322384] sd 2:0:0:0: Attached scsi generic sg1 type 0
[    4.322797] sd 2:0:0:0: [sda] 41943040 512-byte logical blocks: (21.4GB/20.0 GiB)
[    4.322843] sd 2:0:0:0: [sda] Write Protect is off
[    4.322846] sd 2:0:0:0: [sda] Mode Sense: 03 00 00 00
[    4.322896] sd 2:0:0:0: [sda] Cache data unavailable
[    4.322899] sd 2:0:0:0: [sda] Assuming drive cache: write through
[    4.323230] sd 2:0:0:0: [sda] Cache data unavailable
[    4.323233] sd 2:0:0:0: [sda] Assuming drive cache: write through
[    4.325312] sda: sda1 sda2 < sda5 >
[    4.325729] sd 2:0:0:0: [sda] Cache data unavailable
[    4.325732] sd 2:0:0:0: [sda] Assuming drive cache: write through
[    4.325735] sd 2:0:0:0: [sda] Attached SCSI disk
[2486.941805] sd 4:0:0:3: Attached scsi generic sg3 type 0
[2486.952093] sd 4:0:0:3: [sdb] 1126400000 512-byte logical blocks: (576 GB/537GiB)
[2486.954195] sd 4:0:0:3: [sdb] Write Protect is off
[2486.954200] sd 4:0:0:3: [sdb] Mode Sense: 8f 00 00 08
[2486.954692] sd 4:0:0:3: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[2486.960577] sdb: sdb1
[2486.964862] sd 4:0:0:3: [sdb] Attached SCSI disk

iSCSI sdb
.



iSCSI

:

sudo fdisk /dev/sdb

n
p
enter
w

: fdisk man fdisk


cfdisk
.


/srv :

sudo mkfs.ext4 /dev/sdb1
sudo mount /dev/sdb1 /srv

/etc/fstab iSCSI :

/dev/sdb1 /srv ext4 defaults,auto,_netdev

.
.

Open-iSCSI.

.Open-iSCSI


.4 CUPS

) Common UNIX Printing System (CUPS
.
CUPS
) Internet Printing Protocol (IPP
CUPS )(dot-matrix
CUPS
PostScript Printer Description
) (PPD .
.
:CUPS

sudo apt-get install cups

CUPS .


CUPS

/var/log/cups/error_log
CUPS LogLevel
" "debug " "debug2
" "info .
.
CUPS /etc/cups/cupsd.conf
CUPS
.

:
.

/etc/cups/cupsd.conf :

sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original


sudo chmod a-w /etc/cups/cupsd.conf.original


:ServerAdmin CUPS
/etc/cups/cupsd.conf ServerAdmin
CUPS
user@example.com ServerAdmin :

ServerAdmin user@example.com

:Listen CUPS loopback


IP 127.0.0.1 CUPS IP
IP IP

Listen CUPS IP 192.168.10.250
/etc/cups/cupsd.conf Listen :

# existing loopback Listen
Listen 127.0.0.1:631
# existing socket Listen
Listen /var/run/cups/cups.sock
# Listen on the LAN interface, Port 631 (IPP)
Listen 192.168.10.250:631


(127.0.0.1) loopback
cupsd
LAN loopback
Listen ) (socrates :

# Listen on all interfaces for the hostname 'socrates'
Listen socrates:631

Listen Port
:

# Listen on port 631 on all interfaces

Port 631

CUPS
:

man cupsd.conf

: /etc/cups/cupsd.conf
CUPS :

sudo service cups restart


.
: CUPS
http://localhost:631/admin .


CUPS
lpadmin
.
lpadmin :

sudo usermod -aG lpadmin username

Documentation/Help .
.

CUPS.

15

)Mail User
Agent (MUA
) Mail Transfer Agents (MTA
) Mail Delivery Agent (MDA

POP3
.IMAP

.1 Postfix

Postfix ) (MTA
sendmail
Postfix
SMTP )
(.

: Postfix Virtual Domains


.


.
:postfix

sudo apt-get install postfix

.
.
:postfix

sudo dpkg-reconfigure postfix

Internet Site
mail.example.com
steve
mail.example.com, localhost.localdomain, localhost
No
127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
0
+
all

: mail.example.com 192.168.0.0/24

steve .




Postfix mbox
postconf postfix
/etc/postfix/main.cf
:Maildir

sudo postconf -e 'home_mailbox = Maildir/'

: /home/username/Maildir
) (MDA .

. SMTP
SMTP-AUTH ) (SASL

) (TLS SMTP
.


Postfix SMTP-AUTH :(Dovecot SASL ) SASL

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = \
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

: smtpd_sasl_path .Postfix

TLS :

) Certificate Authority (CA
.

: ) (MUA TLS
TLS

TLS

TLS MTA MTA


: TLS Postfix
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = mail.example.com'
sudo postconf -e 'myhostname = mail.example.com'


:
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'


Postfix :
SMTP-AUTH

. TLS

# See /usr/share/postfix/main.cf.dist for a commented, more complete
# version
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h


myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

: postfix

sudo service postfix restart

RFC2554 SMTP-AUTH Postfix


.SMTP-AUTH SASL SASL


SASL .
Dovecot SASL Cyrus SASL SASL Postfix
dovecot-common Dovecot SASL
:

sudo apt-get install dovecot-common

: /etc/dovecot/conf.d/10-master.conf

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    #mode = 0600
    #user =
    #group =
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}


Outlook SMTP-AUTH
authentication mechanisms :/etc/dovecot/conf.d/10-auth.conf

auth_mechanisms = plain

auth_mechanisms = plain login



Dovecot :
sudo service dovecot restart

. Mail-Stack Delivery

Postfix SMTP-AUTH mail-stack-


) delivery (dovecot-postfix Dovecot
Postfix SASL )(MDA
Dovecot
IMAP IMAPS POP3 .POP3S

: IMAP IMAPS POP3 POP3S


) (Spam

... . Postfix

.SMTP-AUTH


sudo apt-get install mail-stack-delivery



ssl-cert
.
/etc/postfix/main.cf :

smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key

:Postfix

sudo service postfix restart

.
SMTP-AUTH .
SMTP-AUTH TLS :

telnet mail.example.com 25


postfix :

ehlo mail.example.com

quit.

250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME

.
.

chroot

postfix chroot
.
chroot :/etc/postfix/master.cf

smtp      inet  n       -       -       -       -       smtpd

smtp      inet  n       -       n       -       -       smtpd


Postfix :

sudo service postfix restart

Smtps
smtps /etc/postfix/master.cf :

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING


Postfix /var/log/mail.log

/var/log/mail.err
/var/log/mail.warn .

tail -f
:

tail -f /var/log/mail.err


.

TLS smtpd_tls_loglevel 1 :4

sudo postconf -e 'smtpd_tls_loglevel = 4'


:debug_peer_list

sudo postconf -e 'debug_peer_list = problem.domain'

Postfix /etc/postfix
/master.cf -v smtp :

smtp      unix  -       -       -       -       -       smtp -v

:
Postfix :

sudo service postfix reload


SASL
:/etc/dovecot/conf.d/10-logging.conf

auth_debug=yes
auth_debug_passwords=yes

: Postfix Dovecot :

sudo service dovecot reload

Postfix
.

Postfix
#ubuntu-server freenode
.

Postfix .The Book of Postfix

Postfix .


Postfix .


.2 Exim4
Exim4
Exim sendmail
exim .sendmail
.
:exim4

sudo apt-get install exim4

.
:Exim4

sudo dpkg-reconfigure exim4-config


Exim4 .

/etc/exim4/update-exim4.conf
.


sudo update-exim4.conf

./var/lib/exim4/config.autogenerated

: /var/lib/exim4/config.autogenerated

.update-exim4.conf

:Exim4

sudo service exim4 start

. SMTP
Exim4 SMTP-AUTH TLS .SASL
TLS :

sudo /usr/share/doc/exim4-base/examples/exim-gencert

Exim4 TLS /etc/exim4/conf.d/main


/03_exim4-config_tlsoptions :

MAIN_TLS_ENABLE = yes


saslauthd Exim4

/etc/exim4/conf.d/auth/30_exim4-config_examples
:login_saslauthd_server plain_saslauthd_server

plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
#

login_saslauthd_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# don't send system passwords over unencrypted connections
server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

exim
: exim

sudo /usr/share/doc/exim4-base/examples/exim-adduser


exim :

sudo chown root:Debian-exim /etc/exim4/passwd


sudo chmod 640 /etc/exim4/passwd

Exim4 :

sudo update-exim4.conf
sudo service exim4 restart

. SASL
saslauthd .Exim4
sasl2-bin :

sudo apt-get install sasl2-bin

saslauthd /etc/default/saslauthd START=no:

START=yes

Debian-exim sasl
Exim4 :saslauthd

sudo adduser Debian-exim sasl


:saslauthd

sudo service saslauthd start

Exim4 SMTP-AUTH TLS .SASL


.

exim.org .


.Exim4 Book

.Exim4


.3 Dovecot

Dovecot
mbox : Maildir
imap .pop3
.
:dovecot

sudo apt-get install dovecot-imapd dovecot-pop3d

.
/etc/dovecot/dovecot.conf dovecot
pop3 ) pop3s pop3( imap
) imaps imap(
.
IMAPS POP3S IMAP POP3
SSL
:/etc/dovecot/dovecot.conf

protocols = pop3 pop3s imap imaps


Dovecot maildir
mbox
.Dovecot

/etc/dovecot/conf.d/10-mail.conf
:

mail_location = maildir:~/Maildir # (for maildir)

mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u # (for mbox)

: ) (MTA
.

dovecot dovecot
:

sudo service dovecot restart


imap pop3

telnet localhost pop3 telnet localhost imap2
:

user@localbox:~$ telnet localhost pop3
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+OK Dovecot ready.

. Dovecot SSL

Dovecot SSL /etc/dovecot/conf.d/10-ssl.conf


:

ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

SSL SSL
SMTP

SSL
./etc/dovecot/conf.d/10-ssl.conf


.

:

IMAP 143
IMAPs 993
POP3 110
POP3s 995

Dovecot .

Dovecot

.


.4 Mailman
Mailman
)
( Mailman .
.
Mailman
:

Postfix

Exim

Sendmail

Qmail
Mailman

Postfix Exim Mailman


.

: Postfix .


Apache2
apache2 .

Postfix
.Postfix

Exim4
Exim4 .
/etc/exim4 exim4
exim4
:/etc/exim4/update-exim4.conf

dc_use_split_config='true'

Mailman
:Mailman
sudo apt-get install mailman

/var/lib/mailman CGI
/usr/lib/cgi-bin/mailman list
list mailman .


.
mailman apache2 postfix exim4
.

Mailman /etc/mailman/apache.conf
:/etc/apache2/sites-available
sudo cp /etc/mailman/apache.conf \
  /etc/apache2/sites-available/mailman.conf

Mailman
:

sudo a2ensite mailman.conf


sudo service apache2 restart

Mailman CGI CGI


/usr/lib/cgi-bin/mailman mailman
http://hostname/cgi-bin/mailman
/etc/apache2/sites-available/mailman.conf .

Postfix
lists.example.com Postfix
lists.example.com .


:/etc/postfix/main.cf postconf

sudo postconf -e 'relay_domains = lists.example.com'


sudo postconf -e 'transport_maps = hash:/etc/postfix/transport'
sudo postconf -e 'mailman_destination_recipient_limit = 1'


(transporter) /etc/postfix/master.cf
:

mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

. postfix-to-mailman.py
Mailman lists.example.com
:/etc/postfix/transport (transport map)

lists.example.com      mailman:

: Postfix

sudo postmap -v /etc/postfix/transport

: Postfix

sudo service postfix restart


Exim4
Exim :Exim4

sudo service exim4 start

mailman Exim4 Exim4


Exim4
.Exim
:mailman

.1

) Main(.

.2

) Transport(.

) Router .3(.
Exim
.


( Main)
/etc/exim4/conf.d/main/
:04_exim4-config_mailman

# start
# Home dir for your Mailman installation -- aka Mailman's prefix
# directory.
# On Ubuntu this should be "/var/lib/mailman"
# This is normally the same as ~mailman
MM_HOME=/var/lib/mailman
#
# User and group for Mailman, should match your --with-mail-gid
# switch to Mailman's configure script.  Value is normally "mailman"
MM_UID=list
MM_GID=list
#
# Domains that your lists are in - colon separated list
# you may wish to add these into local_domains as well
domainlist mm_domains=hostname.com
#
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#
# These values are derived from the ones above and should not need
# editing unless you have munged your mailman installation
#
# The path of the Mailman mail wrapper script
MM_WRAP=MM_HOME/mail/mailman
#
# The path of the list config file (used as a required file when
# verifying list addresses)
MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck
# end


( transport )
/etc/exim4/conf.d/transport/
:40_exim4-config_mailman

mailman_transport:
  driver = pipe
  command = MM_WRAP \
    '${if def:local_part_suffix \
      {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
      {post}}' \
    $local_part
  current_directory = MM_HOME
  home_directory = MM_HOME
  user = MM_UID
  group = MM_GID

( router )
/etc/exim4/conf.d/router/
:101_exim4-config_mailman

mailman_router:
  driver = accept
  require_files = MM_HOME/lists/$local_part/config.pck
  local_part_suffix_optional
  local_part_suffix = -bounces : -bounces+* : \
                      -confirm+* : -join : -leave : \
                      -owner : -request : -admin
  transport = mailman_transport


:
200_exim4-config_primary

Mailman
: mailman

sudo service mailman start

sudo /usr/sbin/newlist mailman

Enter the email address of the person running the list: user at ubuntu.com
Initial mailman password:
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner...


#

Postfix Exim4 mailman


/etc/aliases
.

: Exim4 Mailman

) (aliases MTA=None

Mailman ./etc/mailman/mm_cfg.py

.
CGI
./usr/lib/cgi-bin/mailman/ Mailman
:

http://hostname/cgi-bin/mailman/admin


mailman


/usr/sbin/newlist .
.
Mailman
:

http://hostname/cgi-bin/mailman/listinfo

mailman

)(
.
.

.GNU Mainman

.HOWTO Using Exim 4 and Mailman 2.1 together


.Mailman


.5

) Unsolicited Bulk Email (UBE
) (SPAM


.

Amavisd-new Spamassassin ClamAV


Postfix

opendkim
.python-policyd-spf

Amavisd-new ) (wrapper
....

.
Spamassassin

ClamAV .

opendkim ) Milter (Sendmail Mail Filter


) DKIM .(DomainKeys Identified Mail

python-policyd-spf ) SPF Sender Policy


(Framework .Postfix

.Postfix

opendkim python-policyd-spf
.

Amavisd-new.

ClamAV
.Postfix

Spamassassin
Spamassassin X-Header
Amavisd-new .

) (queue
) (MUA
.


.
.Postfix

:

sudo apt-get install amavisd-new spamassassin clamav-daemon


sudo apt-get install opendkim postfix-policyd-spf-python

Spamassassin
:

sudo apt-get install pyzor razor

sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip zip

: multiverse
./etc/apt/sources.list


sudo
apt-get update .


.

.

ClamAV
ClamAV
ClamAV ./etc/clamav
clamav amavis Amavisd-new
:

sudo adduser clamav amavis


sudo adduser amavis clamav
Spamassassin

Spamassassin
pyzor .razor
/etc/default/spamassassin Spamassassin
ENABLED=0:

ENABLED=1

sudo service spamassassin start


Amavisd-new
Amavisd-new
:/etc/amavis/conf.d/15-content_filter_mode

use strict;
# You can modify this file to re-enable SPAM checking through
spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \
$bypass_virus_checks_re);
#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \
$bypass_spam_checks_re);
1;  # insure a defined return


/etc/amavis/conf.d/20-debian_defaults
: D_BOUNCE D_DISCARD $final_spam_destiny

$final_spam_destiny = D_DISCARD;

:( flag)

$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 4; # spam level beyond which a DSN is not sent

MX ( hostname)
$myhostname
@ local_domains_acl
/etc/amavis/conf.d/50-user:

$myhostname = 'mail.example.com';
@local_domains_acl = ( "example.com", "example.org" );

:/etc/amavis/conf.d/50-user

@local_domains_acl = qw(.);

: Amavisd-new

sudo service amavis restart


.6 DKIM
Amavisd-new
) (Domain Keys )(Whitelist
:/etc/amavis/conf.d/40-policy_banks
:

'example.com' => 'WHITELIST',


" "example.com .

'.example.com' => 'WHITELIST',


" "example.com ) (valid signature .

'.example.com/@example.com' => 'WHITELIST',


" "example.com
" ."example.com

'./@example.com' => 'WHITELIST',


" "example.com .

amavisd-
new :

sudo service amavis restart


:
.

Postfix .
:Postfix
sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'

: /etc/postfix/master.cf
smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks



:pickup

-o content_filter=
-o receive_override_options=no_header_body_checks


:Postfix

sudo service postfix restart

.
.
: Amavisd-new SMTP

telnet localhost 10024

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
^]

: ( header)

X-Spam-Level:
X-Virus-Scanned: Debian amavisd-new at example.com
X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0
tests=AWL, BAYES_00
X-Spam-Level:


: X-Virus-Scanned
.X-Spam-Status

.

.
Postfix .
Amavisd-new Syslog /var/log/mail.log

$log_level /etc/amavis/conf.d/50-
user 1 :5

$log_level = 2;

: Amavisd-new Spamassassin
.

ClamAV /etc/clamav/clamd.conf
:

LogVerbose true

ClamAV ./var/log/clamav/clamav.log


:

.

.
:

.Amavisd-new

ClamAV .ClamAV

.Spamassassin

Pyzor.

Razor .
.DKIM.org

.Postfix Amavis New


#ubuntu-server freenode

16

(ircd-irc2) IRC

.Jabber

.1 IRC
IRC
IRC .ircd-irc2
.

:ircd-irc2

sudo apt-get install ircd-irc2

/etc/ircd :
./usr/share/doc/ircd-irc2

.
IRC /etc/ircd/ircd.conf
IRC :

M:irc.localhost::Debian ircd default configuration::000A


DNS IRC
irc.liveciper.com IRC irc.liveciper.com
IRC .
IRC :

A:Organization, IRC dept.:Daemon <ircd@example.irc.org>:Client


Server::IRCnet:

IRC
... .
./usr/share/doc/ircd-irc2/ircd.conf.example.gz
IRC IRC
./etc/ircd/ircd.motd
IRC :
sudo service ircd-irc2 restart

IRC
ircd-ircu .ircd-hybrid

IRCD FAQ .IRC


.2 Jabber
Jabber ) XMPP
( .
Jabberd 2 LAN
.
.
jabberd2
:

sudo apt-get install jabberd2

XML Jabberd2 Berkeley DB



Jabberd2
LDAP MySQL ... PostgreSQL . .
/etc/jabberd2/sm.xml:
<id>jabber.example.com</id>

: jabber.example.com ID .


<storage> <driver>:

<driver>db</driver>

/etc/jabberd2/c2s.xml <local>:
<id>jabber.example.com</id>


<authreg> <module>:
<module>db</module>

jabberd2 :
sudo service jabberd2 restart

Jabber ) (Pidgin .

: Berkeley DB
.

Jabberd2 .Jabberd2

.Jabberd2 Install Guide


.Setting Up Jabber Server

17

) (Version Control

!


.

.1 Bazaar
Bazaar -
Subversion CVS
Bazaar
) distributed version
Bazaar
(control
.
.

:bzr

sudo apt-get install bzr

.
bzr whoami :

bzr whoami 'Joe Doe <joe.doe@gmail.com>'


. Bazaar
Bazaar /usr/share/doc/bzr/html
bzr
:

bzr help

:
bzr help foo

. Launchpad

Launchpad

Bazaar
Launchpad .Launchpad Integration

.2 Git
Git ) (distributed
Git

.


.
git :

sudo apt-get install git

.
git git :

"git config --global user.email "you@example.com


"git config --global user.name "Your Name

.
git
SSH :

git init --bare /path/to/repository

:
) (bare

. .--bare

SSH :

git clone username@hostname:/path/to/repository


cd /path/to/repository

# Edit some files


# Commit all changes to the local version of the repository
git commit -a
# Push changes to the server's version of the repository
git push origin master

. Gitolite


git git

Gitolite :

sudo apt-get install gitolite

Gitolite
Gitolite
/etc/ Gitolite git
.


Gitolite :

sudo adduser --system --shell /bin/bash --group \
  --disabled-password --home /home/git git

Gitolite SSH
SSH
:
cp ~/.ssh/id_rsa.pub /tmp/$(whoami).pub

git :Gitolite
sudo su - git
gl-setup /tmp/*.pub

Gitolite

Gitolite ) SSH
( :
exit
git clone git@$IP_ADDRESS:gitolite-admin.git
cd gitolite-admin

gitolite-admin conf keydir


conf keydir SSH
.


Gitolite
Gitolite : SSH

keydir USERNAME.pub Gitolite


Gitolite

git :
git commit -a
git push origin master

conf/gitolite.conf

:

repo    gitolite-admin
        RW+     =   admin
        R       =   alice

repo    project1
        RW+     =   alice
        RW      =   bob
        R       =   denise



Gitolite
Gitolite
:

git clone git@$SERVER_IP:$PROJECT_NAME.git

git remote add gitolite git@$SERVER_IP:$PROJECT_NAME.git


.3 Subversion
Subversion Subversion
.

.
.
Subversion HTTP


Subversion

Subversion
HTTPS .
:Subversion

sudo apt-get install subversion libapache2-svn

.
Subversion .

Subversion
Subversion :
svnadmin create /path/to/repos/project






:
svn import /path/to/import/directory \
  file:///path/to/repos/project

.
) Subversion ] ([checked out

) repository
(location URL URL
.

:1-17 Subversion

file://

http://

https://
svn://
svn+ssh://

WebDAV
.Subversion
http:// .SSL
.svnserve
svn:// .SSH


- - Subversion
SVN book .


Subversion
Subversion :

svn co file:///path/to/repos/project

svn co file://localhost/path/to/repos/project

: ) (///
.


.
(http://) WebDAV
Subversion
WebDAV > <VirtualHost > </VirtualHost


/etc/apache2/sites-available/default VirtualHost:

<Location /svn>
  DAV svn
  SVNPath /home/svn
  AuthType Basic
  AuthName "Your repository name"
  AuthUserFile /etc/subversion/passwd
  Require valid-user
</Location>

: Subversion /home/svn
svnadmin HTTP
.http://hostname/svn/repos_name

sudo service apache2 reload

Subversion HTTP
HTTP HTTP
www-data
:

sudo chown -R www-data:www-data /path/to/repos

: www-data

svn import file:/// .www-data


/etc/subversion/passwd
) (:
sudo htpasswd -c /etc/subversion/passwd user_name

-c

:
sudo htpasswd /etc/subversion/passwd user_name


:
svn co http://servername/svn

:
SSL .

WebDAV SSL )(https://


Subversion WebDAV SSL
http://

/etc/apache2/sites-available/default-ssl.conf
SSL Subversion
.SSL



.

Subversion
https:// .Subversion


Subversion
/path/to/repos/project/conf/svnserve.conf
:

# [general]
# password-db = passwd


passwd passwd :

username = password


Subversion svn://
svnserver svnserve :

svnserve -d --foreground -r /path/to/repos

# -d -- daemon mode
# --foreground -- run in foreground (useful for debugging)
# -r -- root of directory to serve

Subversion ) (3690
:

svn co svn://hostname/project project --username user_name


.Subversion
update :

cd project_dir; svn update

Subversion
) co (checkout
:

svn co help


(svn+ssh://) SSL
svn://
Subversion .svnserve

ssh
ssh

.
svn+ssh:// Subversion
SSL )
( :

svn co svn+ssh://hostname/var/svn/repos/project

: /path/to/repos/project Subversion


ssh
.Subversion


.4 CVS
CVS .
.
:CVS

sudo apt-get install cvs

cvs xinetd cvs


:

sudo apt-get install xinetd

.

cvs
/srv/cvs :

cvs -d /your/new/cvs/repo init


xinetd CVS
:/etc/xinetd.d/cvspserver

service cvspserver
{
port = 2401
socket_type = stream
protocol = tcp
user = root
wait = no
type = UNLISTED
server = /usr/bin/cvs
server_args = -f --allow-root /srv/cvs pserver
disable = no
}

: ).(/srv/cvs

xinetd CVS :

sudo service xinetd restart

CVS :

sudo netstat -tap | grep cvs

tcp        0      0 *:cvspserver            *:*                     LISTEN


.CVS

: CVS
CVS CVS.

.
CVS
:CVS

cd your/project
cvs -d :pserver:username@hostname.com:/srv/cvs import -m \
  "Importing my project to CVS repository" . new_project start

: CVSROOT CVS
-d cvs ) (export
.CVSROOT
new_project vendor start release
CVS .

: CVS CVS
)(/srv/cvs src CVS
.CVS


.5

Bazaar.

.Launchpad

Git.

.Gitolite

Subversion.

.Subversion

.CVS

.Easy Bazaar

.Subversion

18

.1



:

. Server Message
) Block (SMB
.

) .(Directory
LDAP .Microsoft Active Directory

.

.Kerberos



SMB .


.


.2

.


.
.
samba :

sudo apt-get install samba

! .
.
/etc/samba/smb.conf
.

:
smb.conf .Samba HOWTO


[global] /etc/samba/smb.conf:

workgroup = EXAMPLE
...
security = user

security ] [global

EXAMPLE .
- -
:

[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
guest ok = yes
read only = no
create mask = 0755

:comment .

:path /srv/samba/sharename
) Filesystem Hierarchy Standard
(FHS /srv )(

.


:browsable .

:guest ok .

:read only
) no (
yes .

:create mask .

:
sudo mkdir -p /srv/samba/share
sudo chown nobody.nogroup /srv/samba/share/

: -p mkdir .

samba :

sudo restart smbd


sudo restart nmbd

:
.




IP \\192.168.1.1
.

[dir] /etc/samba/smb.conf

.

[share] /srv/samba/share

[qa] /srv/samba/qa

Using Samba O'Reilly .

Samba .


.3



.
.
.
CUPS
CUPS .

:samba

sudo apt-get install samba

/etc/samba/smb.conf workgroup
security :user

workgroup = EXAMPLE
...
security = user


[printers]: guest ok yes

browsable = yes
guest ok = yes

:smb.conf

sudo restart smbd


sudo restart nmbd


.
.

CUPS .CUPS


.4
.

) Common Internet Filesystem (CIFS user-level share-level

user-level :share-level

:security=user

libpam-smbpass
.

:security=domain
) Primary Domain Controller (PDC
) Backup Domain Controller (BDC
) Domain Member Server (DMS
.

:security=ADS Active
Directory )(native member Active
Directory.


:security=server

Server
Security .
:security=share

.
.

Security = User

.
libpam-smbpass
:

sudo apt-get install libpam-smbpass

: Samba Server libpam-smbpass


/etc/samba/smb.conf [share]:

guest ok = no

sudo restart smbd


sudo restart nmbd

: Reconnect at Logon
.

.

] [share .



qa
freda danika rob support danika
jeremy vincent
qa
freda danika rob jeremy vincent
danika qa support

.
/etc/group

.
/etc/samba/smb.conf
@
sysadmin /etc/samba/smb.conf
.@sysadmin


/etc/samba/smb.conf
.

share

qa sysadmin
vincent /etc/samba/smb.conf
[share]:

read list = @qa


write list = @sysadmin, vincent

.

share
melissa
/etc/samba/smb.conf [share]:

admin users = melissa


/etc/samba/smb.conf :
sudo restart smbd
sudo restart nmbd

: read list write list


.security = share

NT
) Windows NT Access Control Lists (ACLs POSIX
ACLs ACLs
/srv EXT3 /etc/fstab acl :
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl 0 1

:
sudo mount -v -o remount /srv

: /srv /srv
/ .


sysadmin


/srv/samba/share qa
.melissa
:
sudo chown -R melissa /srv/samba/share/
sudo chgrp -R sysadmin /srv/samba/share/
sudo setfacl -R -m g:qa:rx /srv/samba/share/

: setfacl /srv/samba/share
.


acl setfacl .POSIX ACLs

. AppArmor
AppArmor
AppArmor
AppArmor -.
/usr/sbin/smbd ) /usr/sbin/nmbd
( apparmor-profiles

:
sudo apt-get install apparmor-profiles apparmor-utils


smbd nmbd

smbd

.
/etc/apparmor.d/usr.sbin.smbd [share]:

/srv/samba/share/ r,
/srv/samba/share/** rwkix,

sudo aa-enforce /usr/sbin/smbd


cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r


smbd

./var/log/syslog
.

Samba HOWTO Collection


.

Samba ACLs .Samba ACLs


.Samba

.5
Active Directory Primary Domain
(PDC) Controller Windows
NT4

) (backends .
.
) (PDC
.smbpasswd
libpam-smbpass
:

sudo apt-get install samba libpam-smbpass

/etc/samba/smb.conf
security user workgroup:

workgroup = EXAMPLE
...
security = user

Domains )
(:

domain logons = yes


logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u

: Roaming Profiles logon home logon path

:domain logons netlogon


.

:logon path profile


] [profiles profile .

:logon home .

:logon script
].[netlogon

:add machine script Machine Trust


) (workstation .

machines addgroup
.
] [homes :logon home

[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S

] [netlogon
:

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no

: netlogon /home/samba/netlogon
) (FHS /srv .

netlogon logon.cmd
)(:
sudo mkdir -p /srv/samba/netlogon
sudo touch /srv/samba/netlogon/logon.cmd

Windows Logon logon.cmd


.
:

sudo restart smbd


sudo restart nmbd

.

Windows Domain Admins

:net

sudo net groupmap add ntgroup="Domain Admins" \
unixgroup=sysadmin rid=512 type=d

: sysadmin

sysadmin admin .sudo


smbpasswd sysadmin :
sudo smbpasswd -a sysadmin


Domain Admins
) machine script ( :

net rpc rights grant -U sysadmin "EXAMPLE\Domain Admins" \
SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege \
SeRemoteShutdownPrivilege


NT4 .
.
) (PDC
) (BDC
.

scp rsync LDAP


passdb.

LDAP
LDAP

LDAP.
samba libpam-smbpass :

sudo apt-get install samba libpam-smbpass

/etc/samba/smb.conf [global]:

workgroup = EXAMPLE
...
security = user

Domains :

domain logons = yes


domain master = no

/var/lib/samba
admin scp
:

sudo chgrp -R admin /var/lib/samba

scp /var/lib/samba :PDC

sudo scp -r username@pdc:/var/lib/samba /var/lib

: username pdc PDC IP.

sudo restart smbd


sudo restart nmbd

PDC
.

logon home PDC
PDC
logon home PDC .BDC
.

Samba HOWTO Collection


.

.6 Active Directory
.

Active Directory
.AD
AD Likewise-open
.Likewise Open Installation and Administration Guide
Active Directory
:

sudo apt-get install samba smbfs smbclient

/etc/samba/smb.conf:

workgroup = EXAMPLE
...
security = ads
realm = EXAMPLE.COM
...
idmap backend = lwopen
idmap uid = 50-9999999999
idmap gid = 50-9999999999

sudo restart smbd


sudo restart nmbd

Windows
AD
.
.
Active Directory
:

:

mount.cifs //fs01.example.com/share mount_point

AD
.
/etc/fstab :

//192.168.0.5/share /mnt/windows cifs auto,username=steve,password=secret,rw 0

smbclient
:

"smbclient //fs01.example.com/share -k -c "ls

:
smbclient //fs01.example.com/share -k -c "get file.txt"

file.txt .
:
smbclient //fs01.example.com/share -k -c "put /etc/hosts hosts"

/etc/hosts .//fs01.example.com/share/hosts
-c smbclient
smb: \>
FTP :
smbclient //fs01.example.com/share -k

: fs01.example.com //192.168.0.5/share
username=steve,password=secret file.txt IP
.

smbclient .man smbclient


man mount.cifs
.

19



.
.

.1
) (shell script

tar

.NFS
tar
tar
.

.

NFS tar
:

#!/bin/sh
####################################
#
# Backup to NFS mount script.
#
####################################
# What to backup.
backup_files="/home /var/spool/mail /etc /root /boot /opt"
# Where to backup to.
dest="/mnt/backup"
# Create archive filename.
day=$(date +%A)
hostname=$(hostname -s)
archive_file="$hostname-$day.tgz"
# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo
# Backup the files using tar.
tar czf $dest/$archive_file $backup_files
# Print end status message.
echo
echo "Backup finished"
date
# Long listing of files in $dest to check file sizes.
ls -lh $dest

:$backup_files
.

:$day ) Monday Tuesday


... Wednesday(.

.date

:$hostname
.

:$archive_file .

:$dest

) (NFS .NFS

:status messages .echo

:tar czf $dest/$archive_file $backup_files tar .

:c .

:z gzip .

:f tar
.

:ls -lh $dest ) (-l


) (-h
!


.
.


backup.sh :

sudo bash backup.sh

)(cron
cron cron
.
cron crontab crontab :
command

# m h dom mon dow

:m 0 .59

:h 0 .23

:dom .

:mon 1 .12

:dow 0 7
0 7 .

:command .
crontab -e crontab

crontab .crontab -l


backup.sh :cron

sudo crontab -e


: sudo crontab -e

:crontab

# m h dom mon dow command


0 0 * * * bash /usr/local/bin/backup.sh

backup.sh . 12:00 AM

: backup.sh /usr/local/bin

.

.

tar -tzvf /mnt/backup/host-Monday.tgz

tar -xzvf /mnt/backup/host-Monday.tgz -C /tmp etc/hosts

-C tar
/etc/hosts /tmp/etc/hosts tar .

/ .

:

cd /
sudo tar -xzvf /mnt/backup/host-Monday.tgz

: .

Advanced Bash-Scripting Guide.

Teach Yourself Shell Programming in 24 Hours


.

CronHowto cron.

GNU tar .tar

Backup Rotation Scheme


.

tar

:

:cpio .

:dd coreutils
.

:rsnapshot snapshot
.

:rsync .

.2


.

. NFS
-- )--(:

#!/bin/bash
####################################
#
# Backup to NFS mount script with
# grandfather-father-son rotation.
#
####################################
# What to backup.
backup_files="/home /var/spool/mail /etc /root /boot /opt"
# Where to backup to.
dest="/mnt/backup"
# Setup variables for the archive filename.
day=$(date +%A)
hostname=$(hostname -s)
# Find which week of the month 1-4 it is.
# Force base 10 so that days 08 and 09 are not rejected as invalid octal.
day_num=$((10#$(date +%d)))
if (( day_num <= 7 )); then
  week_file="$hostname-week1.tgz"
elif (( day_num > 7 && day_num <= 14 )); then
  week_file="$hostname-week2.tgz"
elif (( day_num > 14 && day_num <= 21 )); then
  week_file="$hostname-week3.tgz"
elif (( day_num > 21 && day_num < 32 )); then
  week_file="$hostname-week4.tgz"
fi
# Find if the Month is odd or even.
month_num=$((10#$(date +%m)))
month=$((month_num % 2))
if [ "$month" -eq 0 ]; then
  month_file="$hostname-month2.tgz"
else
  month_file="$hostname-month1.tgz"
fi
# Create archive filename.
if [ "$day_num" -eq 1 ]; then
  archive_file=$month_file
elif [ "$day" != "Saturday" ]; then
  archive_file="$hostname-$day.tgz"
else
  archive_file=$week_file
fi
# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo
# Backup the files using tar.
tar czf "$dest/$archive_file" $backup_files
# Print end status message.
echo
echo "Backup finished"
date
# Long listing of files in $dest to check file sizes.
ls -lh "$dest/"

.

NFS
NFS
WAN .




.
.
) (tape NFS
.


mt .cpio
:

#!/bin/bash
####################################
#
# Backup to tape drive script.
#
####################################
# What to backup.
backup_files="/home /var/spool/mail /etc /root /boot /opt"
# Where to backup to.
dest="/dev/st0"
# Print start status message.
echo "Backing up $backup_files to $dest"
date
echo
# Make sure the tape is rewound.
mt -f $dest rewind
# Backup the files using tar.
tar czf $dest $backup_files
# Rewind and eject the tape.
mt -f $dest rewoffl
# Print end status message.
echo
echo "Backup finished"
date

/dev/st0 SCSI :
.


/etc/hosts
:/tmp/etc/hosts

mt -f /dev/st0 rewind
tar -xzf /dev/st0 -C /tmp etc/hosts

.3 Bacula
Bacula
Bacula OS X
.

. Bacula
Bacula :

:Bacula Director
.

:Bacula Console Director


:Console

.GTK+

.wxWidgets

:Bacula File
Bacula
.Director

:Bacula Storage
.

:Bacula Catalog

Catalog MySQL
PostgreSQL .SQLite

:Bacula Monitor Director


Monitor GTK+.

.
: MySQL PostgreSQL
.Bacula

Bacula
:Bacula

sudo apt-get install bacula

bacula MySQL Catalog

SQLite PostgreSQL Catalog bacula-director-sqlite3 bacula-director-pgsql .

bacula
: .

.
Bacula
}{ Bacula ./etc/bacula
Bacula

password Storage /etc/bacula/bacula-dir.conf Director ./etc/bacula/bacula-sd.conf
Client1 Bacula Catalog

:/etc/bacula/bacula-dir.conf

#
# Define the main nightly save backup job
#   By default, this job will back up to disk in
Job {
  Name = "BackupServer"
  JobDefs = "DefaultJob"
  Write Bootstrap = "/var/lib/bacula/Client1.bsr"
}

: BackupServer
BackupServer .

Console Director
Console bacula
:

sudo adduser $username bacula

: $username
.

.

.
Storage /etc/bacula/bacula-sd.conf:

Device {
  Name = "Tape Drive"
  Device Type = tape
  Media Type = DDS-4
  Archive Device = /dev/st0
  Hardware end of medium = No;
  AutomaticMount = yes;               # when device opened, read it
  AlwaysOpen = Yes;
  RemovableMedia = yes;
  RandomAccess = no;
  Alert Command = "sh -c 'tapeinfo -f %c | grep TapeAlert'"
}

DDS-4 Media Type


Archive Device .

.
/etc/bacula/bacula-sd.conf :Storage

sudo service bacula-sd restart

Storage /etc/bacula/bacula-dir.conf
:

# Definition of "Tape Drive" storage device
Storage {
  Name = TapeDrive
  # Do not use "localhost" here
  Address = backupserver               # N.B. Use a fully qualified name here
  SDPort = 9103
  Password = "Cv70F6pf1t6pBopT4vQOnigDrR0v3LT3Cgkiyjc"
  Device = "Tape Drive"
  Media Type = tape
}

Address ) (FQDN
backupserver .

Password password
./etc/bacula/bacula-sd.conf

FileSet :
# LocalhostBackup FileSet.
FileSet {
  Name = "LocalhostFiles"
  Include {
    Options {
      signature = MD5
      compression=GZIP
    }
    File = /etc
    File = /home
  }
}

/etc /home Options FileSet


MD5 .gzip
) Schedule( :

# LocalhostBackup Schedule -- Daily.
Schedule {
  Name = "LocalhostDaily"
  Run = Full daily at 00:01
}

00:01 12:01 AM
.


:Job

# Localhost backup.
Job {
  Name = "LocalhostBackup"
  JobDefs = "DefaultJob"
  Enabled = yes
  Level = Full
  FileSet = "LocalhostFiles"
  Schedule = "LocalhostDaily"
  Storage = TapeDrive
  Write Bootstrap = "/var/lib/bacula/LocalhostBackup.bsr"
}

.
) (Label
Bacula
Console :

bconsole

Bacula Console
:

label

:Storage
Automatically selected Catalog: MyCatalog
Using Catalog "MyCatalog"
The defined Storage resources are:
1: File
2: TapeDrive
Select Storage resource (1-2):2


:
Enter new Volume name: Sunday
Defined Pools:
1: Default
2: Scratch

. Sunday
:Pool
Select the Pool (1-2): 1
Connecting to Storage daemon TapeDrive at backupserver:9103 ...
Sending label command for Volume "Sunday" Slot 0 ...

. Bacula !
.

.Bacula User's Manual Bacula

.Bacula Bacula


.Bacula

20



.
.
KVM KVM
Intel AMD Xen

Xen
Qemu
) .(virtualization extensions

.1 libvirt

libvirt

libvirt KVM
:

kvm-ok

:
BIOS.

.

usermode SLIRP
NAT .

bridge
.
.

:

sudo apt-get install kvm libvirt-bin

libvirtd
libvirt-bin :

sudo adduser $USER libvirtd

:
.

)(Guest

.
) (GUI
virt-viewer
VNC .

preseed kickstart
. .
ubuntu-vm-builder
ubuntu-vm-builder .
.uvtools
Libvirt Xen .

virt-install
virt-install virtinst
:

sudo apt-get install virtinst

:virt-install

sudo virt-install -n web_devel -r 256 --disk \
path=/var/lib/libvirt/images/web_devel.img,bus=virtio,size=4 \
-c ubuntu-14.04-server-i386.iso \
--network network=default,model=virtio \
--graphics vnc,listen=0.0.0.0 --noautoconsole -v

:-n web_devel web_devel .

:-r 256 .

:--disk path=/var/lib/libvirt/images/web_devel.img,size=4

web_devel.img /var/lib/libvirt/images/
4 virtio ).(disk bus

:-c ubuntu-14.04-server-i386.iso CD-ROM


ISO CD-ROM .

:--network
default
.virtio

:--graphics vnc,listen=0.0.0.0 VNC


VNC
.

:--noautoconsole .

:-v .
virt-install

GUI .virt-viewer

virt-clone
virt-clone :

sudo virt-clone -o web_devel -n database_devel \
-f /path/to/database_devel.img --connect=qemu:///system

:-o .

:-n .

:-f
.

.
:--connect ) (hypervisor

-d --debug .virt-clone

: web_devel database_devel .

virsh

libvirt virsh
:
:
virsh -c qemu:///system list

:
virsh -c qemu:///system start web_devel

:
virsh -c qemu:///system autostart web_devel

:
virsh -c qemu:///system reboot web_devel

) (state
:

virsh -c qemu:///system save web_devel web_devel-022708.state

.
:

virsh -c qemu:///system restore web_devel-022708.state

virsh -c qemu:///system shutdown web_devel

CD-ROM :

virsh -c qemu:///system attach-disk web_devel /dev/cdrom /media/cdrom

: web_devel web_devel-022708.state .


virt-manager

:

sudo apt-get install virt-manager

virt-manager ) (GUI


libvirt:

virt-manager -c qemu:///system

libvirt :

virt-manager -c qemu+ssh://virtnode1.mydomain.com/system

: SSH

virtnode1.mydomain.com
SSH
SSH libvirt . SSH

: .

virt-viewer virt-viewer
) (GUI

:virt-viewer

sudo apt-get install virt-viewer

virt-viewer -c qemu:///system web_devel

virt-manager virt-viewer SSH


:

virt-viewer -c qemu+ssh://virtnode1.mydomain.com/system web_devel

web_devel .
) (bridged network interface
SSH .

KVM .

libvirt libvirt.

Virtual Machine Manager


.virt-manager

#ubuntu-virt freenode
.

.KVM

Xen Xen libvirt


.Xen

.2 uvtool
.

12.04

.

. uvtool
14.04 uvtool )(VM
uvtool
.

Uvtool
:uvtool

uvtool
uvtool-libvirt

uvtool :apt-get

sudo apt-get install uvtool

:uvtool

uvt-simplestreams-libvirt

uvt-kvm

uvt-simplestreams-libvirt
uvtool

amd64 :

uvt-simplestreams-libvirt sync arch=amd64


:
uvt-simplestreams-libvirt query

release=oneiric arch=amd64 label=release (20130509)
release=precise arch=amd64 label=release (20140227)
release=quantal arch=amd64 label=release (20140302)
release=saucy arch=amd64 label=release (20140226)
release=trusty arch=amd64 label=beta1 (20140226.1)


= release = arch :

uvt-simplestreams-libvirt sync release=precise arch=amd64

uvt-kvm

SSH
:

ssh-keygen

Generating public/private rsa key pair.


Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ubuntu/.ssh/id_rsa.
Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub.
The key fingerprint is:
4d:ba:5d:57:c9:49:ef:b5:ab:71:14:56:6e:2b:ad:9b ubuntu@TrustyS
The key's randomart image is:
[...]

uvtool
:

uvt-kvm create firsttest

firsttest
) (LTS
=:release

uvt-kvm create secondtest release=trusty

uvt-kvm wait NAME :

uvt-kvm wait secondtest --insecure

Warning: secure wait for boot-finished not yet implemented; use --insecure.


:SSH

uvt-kvm ssh secondtest --insecure

--insecure
.


IP ssh
: IP
uvt-kvm ip secondtest

192.168.123.242
ssh -i ~/.ssh/id_rsa ubuntu@192.168.123.242
The authenticity of host '192.168.123.242 (192.168.123.242)' can't be established.
ECDSA key fingerprint is 3a:12:08:37:79:24:2f:58:aa:62:d3:9d:c0:99:66:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.123.242' (ECDSA) to the list of known hosts.
Welcome to Ubuntu Trusty Tahr (development branch) (GNU/Linux 3.13.0-12-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information disabled due to load higher than 1.0

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

Last login: Fri Mar 21 13:25:56 2014 from 192.168.123.1


:
uvt-kvm list

secondtest


:
uvt-kvm destroy secondtest

uvt-kvm
:

:--memory ) (RAM .512

:--disk .8

:--cpu .1
:cloud-init

:--password password
ubuntu .

:--run-script-once script_file script_file


.

:--packages package_list package_list


.
.man uvt-kvm

IRC #ubuntu-server .Freenode

.ubuntu-server at lists.ubuntu.com :

.3
) (Cloud Computing


) (abstracted
.

OpenStack .
.

.
.

.Cloud Computing service models

.OpenStack Compute

.OpenStack Image Service

.OpenStack Object Storage Administration Guide

.Installing OpenStack Object Storage on Ubuntu

.CloudGlossary.com

.4 LXC

) (containers

chroot Qemu VMware



) (Solaris zones .(BSD jails) BSD
Linux-vserver OpenVZ

vserver
.OpenVZ
) (user-space
Libvirt LXC lxc:///
.
LXC libvirt


.
lxc libvirt-lxc
AppArmor libvirt-lxc
CN C1 .C2

.
lxc :

sudo apt-get install lxc



subuids subgids
.
.
LXC lxc
lxc )
(

.

sudo lxc-create --template download --name u1

:
sudo lxc-create -t download -n u1




:
sudo lxc-create -t download -n u1 -- --dist ubuntu \
--release trusty --arch amd64

sudo lxc-create -t download -n u1 -- -d ubuntu -r trusty \
-a amd64

lxc-ls lxc-info

lxc-start lxc-stop lxc-attach lxc-console SSH
lxc-destroy
:
sudo lxc-ls --fancy
sudo lxc-start --name u1 --daemon
sudo lxc-info --name u1
sudo lxc-stop --name u1
sudo lxc-destroy --name u1

) user
(namespaces

) (initial user namespace

/proc/self/uid_map
/proc/self/gid_map 0 0 4294967295
14.04

/etc/subuid /etc/subgid
subuid subgid 100000 .


usermod :

sudo usermod -v 100000-200000 -w 100000-200000 user1

newuidmap newgidmap setuid-root uidmap


lxc subuids subgids
.





. 100000 - 165536

mkdir -p ~/.config/lxc
echo "lxc.id_map = u 0 100000 65536" > ~/.config/lxc/default.conf
echo "lxc.id_map = g 0 100000 65536" >> ~/.config/lxc/default.conf
echo "lxc.network.type = veth" >> ~/.config/lxc/default.conf
echo "lxc.network.link = lxcbr0" >> ~/.config/lxc/default.conf
echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet


:sudo

lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amd64


lxc-start -n u1 -d
lxc-attach -n u1
lxc-stop -n u1
lxc-destroy -n u1

- -
:

lxc.mount.auto = cgroup
lxc.aa_profile = lxc-container-default-with-nesting

lxc

AppArmor

AppArmor

AppArmor .
.
LXC
/etc/lxc .~/.config/lxc
lxc.conf lxc lxcpath

lvm .zfs

default.conf

.
lxc-usernet.conf
.
lxc.conf default.conf /etc/lxc $HOME/.config/lxc
lxc-usernet.conf .
/var/lib/lxc
$HOME/.local/share/lxc lxc
.-P|--lxcpath


LXC
) (layer 2
veth LXC
NAT lxcbr0
veth lxcbr0


.

upstart
init shutdown
) (abstract Unix domain socket upstart
!
lxcbr0 IP
:/etc/lxc/dnsmasq.conf

dhcp-host=lxcmail,10.0.3.100
dhcp-host=ttrss,10.0.3.101


iptables :

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 \
-j DNAT --to-destination 10.0.3.100:587

) -
( lxcbr0:

lxc.network.type = veth
lxc.network.link = br0

LXC macvlan

.

IP lxc-ls fancy
IP lxc-info -i -H -n C1
IP C1 dnsmasq
/etc/dnsmasq.conf :

server=/lxc/10.0.3.1

dnsmasq C1.lxc :
ping C1
ssh C1

lxc.conf
./usr/share/doc/lxc/examples/

. LXC
LXC :upstart

:/etc/init/lxc-net.conf
/etc/default/lxc ) USE_LXC_BRIDGE true(
NAT .

:/etc/init/lxc.conf ) LXC_AUTO true


( true /etc/default/lxc
/etc/lxc/auto/
.

:/etc/init/lxc-instance.conf /etc/init/lxc.conf
.

.
LXC




/var/lib/lxc/C1/rootfs
~/.local/share/lxc/C1/rootfs lxcpath
lxc.system.conf
.$lxcpath/C1/rootfs

snapshot C2 C1 overlayfs
overlayfs:/var/lib/lxc/C1/rootfs:/var/lib/lxc/C2/delta0
loop btrfs LVM .zfs
btrfs
)(subvolume
snapshot snapshot .
LVM
lxc.conf
.lxc-create
zfs zfs
/var/lib/lxc/C1/rootfs zfsroot lxc-create
.lxc.system.conf

.lxc-create

.
lxc-create
) (templates lxc
lxc /usr/share/lxc/templates
.


lxc download lxc

.debootstrap
lxc-create --
--name --template --bdev lxc-create
--release :

lxc-create --template ubuntu --name c1 --bdev loop -- \
--release trusty


--help lxc-create
:

lxc-create --template download --help


LXC 14.04
/etc/lxc/auto 14.04
:

lxc.start.auto = 1
lxc.start.delay = 5

5

LXC

autostart lxc-autostart lxc-container.conf
.

. AppArmor
LXC AppArmor

/proc/sysrq-trigger ./sys
usr.bin.lxc-start lxc-start
lxc-start
init LXC .
lxc-container-default ./etc/apparmor.d/lxc/lxc-default
.
MySQL

) ( MySQL
) (.
lxc-execute AppArmor )(spawn
.


lxc-start AppArmor
lxc-start:
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/

lxc-start
usr.bin.lxc-start
:
lxc.aa_profile = unconfined

. LXC

)( lxc-container-default-with-nesting :
lxc.aa_profile = lxc-container-default-with-nesting

libvirt )
(/etc/apparmor.d/lxc/lxc-default-with-nesting :
mount fstype=cgroup -> /sys/fs/cgroup/**,


/sys /proc
AppArmor
proc sys .

/etc/apparmor.d/lxc lxc- lxc-start


lxc-default
/etc/apparmor.d/abstraction/lxc/container-base
.
:

sudo apparmor_parser -r /etc/apparmor.d/lxc-containers


/etc/apparmor.d/lxc-containers CN
lxc-CN-profile :

lxc.aa_profile = lxc-CN-profile

.
) (cgroups

) (block or character devices


.
CN /lxc/CN
) lxcpaths(
-n n .
CN CN
/usr/1000.user/1.session/CN
) (
.
14.04 LXC cgmanager

D-Bus /sys/fs/cgroup
cgmanager/sock / :

lxc.mount.auto = cgroup

/sys/fs/cgroup/cgmanager
) (bind-mounted
) cgmanager (
/sys/fs/cgroup/cgmanager /sys/fs/cgroup/cgmanager.lower
/sys/fs/cgroup/cgmanager/sock

.


.lxc-clone
snapshots

snapshot
snapshots --
) (copy-on-write snapshots
btrfs LVM zfs
LVM thinpool-provisioned
snapshots snapshots zfs snapshots
) (release snapshots LVM
. btrfs fsync
dpkg apt-get.

snapshots
C1 /var/lib/lxc/C1/rootfs
snapshot C1 C2 C1
/var/lib/lxc/C2/delta0
C1 C2 C1
snapshot .
C1 :

sudo lxc-clone -o C1 -n C2

snapshot:

sudo lxc-clone -s -o C1 -n C2

lxc-clone .

Snapshots
LXC snapshots snapshot
- C1 - :snapshot

sudo lxc-snapshot -n C1

snapshot snap0 /var/lib/lxcsnaps


$HOME/.local/share/lxcsnaps snap1
lxc-snapshot -L -n C1
snapshot C1 lxc-snapshot -r snap1 -n C1
snap1.
snapshots btrfs lvm zfs overlayfs
lxc-snapshot copy-clone
overlayfs snapshot

snapshot snapshots C1
overlayfs C1 C1
overlayfs snapshots :
lxc-clone -s -o C1 -n C2
lxc-start -n C2 -d # make some changes
lxc-stop -n C2
lxc-snapshot -n C2
lxc-start -n C2 # etc


) (Ephemeral containers
C1 :

lxc-start-ephemeral -o C1

snapshot C1

lxc-start-ephemeral .
.
12.10 ) (hooks
:


.

.

pivot_root .

.

).(debug
lxc.container.conf
lxc
.


)(consoles
/dev/console lxc-start -d
/dev/console -c console-file
lxc-start lxc.tty
4 ) /dev/ttyN N 1
(4 console 3 :

sudo lxc-console -n container -t 3

-t N

Ctrl-a q lxc-start
.-d


:LXC

sudo lxc-start -n C1 -l trace -o debug.out

lxc trace
debug.out debug.out
.


lxc-monitor :
-n
POSIX

lxc-monitor lxc-wait
:

sudo lxc-monitor -n 'cont[0-5]*'

sudo lxc-wait -n cont1 -s 'STOPPED|FROZEN'

cont1 STOPPED FROZEN .


14.04 ) (attach
:

sudo lxc-attach -n C1

C1
) (namespaces
) (security context .

init
LXC init )
( init :upstart

sudo lxc-start -n C1 /sbin/init loglevel=debug


: init

sudo lxc-start -n C1 /bin/bash


sudo lxc-start -n C1 /bin/sleep 100
sudo lxc-start -n C1 /bin/cat /proc/1/status

LXC API .
liblxc ( API) LXC
.go lua
(python3-lxc )
:

sudo python3

Python 3.2.3 (default, Aug 28 2012, 08:26:03)
[GCC 4.7.1 20120814 (prerelease)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import lxc
__main__:1: Warning: The python-lxc API isn't yet stable and may change at any point in the future.
>>> c=lxc.Container("C1")
>>> c.create("ubuntu")
True
>>> c.start()
True
>>> c.wait("STOPPED")
True

.
) (ids

IPC
) (leaks
.
LXC AppArmor
AppArmor LXC AppArmor

/proc /sys .


) (system calls
!
12.10 seccomp Seccomp




) (1 )
(whitelist .



-
- 32 64
lxc.container.conf seccomp
.seccomp
.

Secure Containers Cookbook


.

LXC .linuxcontainers.org

LXC .LXC Security

21



libcgroup .lmctfy
freedesktop.org
) .(cgroup filesystem interface
14.04 ) (cgmanager
cgroup dbus

.1
) (cgroups
) (hierarchy


) (devices /sys/fs/cgroups/set1
/child1 .
) (
/child1 /child1
./child1

:cpusets
cpusets
.

:blkio / .

:cpuacct .

:devices

) (whitelist ).(blacklist

:freezer ) (freeze ) (thaw


) (scheduled .

:hugetlb hugetlb .

:memory ) (swap .

:net_cls
(traffic controller ) tc
.

:net_prio .

:cpu .

:perf_event ) (threads .

systemd .

.2

mount -t cgroup -o devices,memory,freezer cgroup /cgroup1


) (child cgroup :mkdir

mkdir /cgroup1/child1


tasks :cgroup.procs

sleep 100 &
echo $! > /cgroup1/child1/cgroup.procs


cgroup
:child1

echo FROZEN > /cgroup1/child1/freezer.state


cgroups .

.3

) (delegation
/child1
/child1/child2 .
14.04

LXC
.

.4
) (cgmanager D-Bus

. ) (namespace

D-Bus
process user group SCM_CREDENTIALS
.
D-Bus
) (cgproxy D-Bus
SCM D-Bus
.cgmanager
- ) (compile
- :

cgm create cpuset build1


cgm movepid cpuset build1 $$
cgm setvalue cpuset build1 cpuset.cpus 1
make

.5

cgmanager .linuxcontainers.org

freedesktop.org .

22

.1 DRBD
) ([DRBD] Distributed Replicated Block Device

. RAID
... . ).(mirrored
DRBD :

sudo apt-get install drbd8-utils

: ) (virtual kernel

) (compile drbd linux-server


. drbd /srv ext3
.

.
drbd02 drbd01
. /etc/hosts DNS
: /etc/drbd.conf drbd

global { usage-count no; }
common { syncer { rate 100M; } }
resource r0 {
        protocol C;
        startup {
                wfc-timeout  15;
                degr-wfc-timeout 60;
        }
        net {
                cram-hmac-alg sha1;
                shared-secret "secret";
        }
        on drbd01 {
                device /dev/drbd0;
                disk /dev/sdb1;
                address 192.168.0.1:7788;
                meta-disk internal;
        }
        on drbd02 {
                device /dev/drbd0;
                disk /dev/sdb1;
                address 192.168.0.2:7788;
                meta-disk internal;
        }
}

. /etc/drbd.conf :

/etc/drbd.conf :

scp /etc/drbd.conf drbd02:~

/etc :drbd02

sudo mv drbd.conf /etc/

drbdadm :

sudo drbdadm create-md r0

:drbd

sudo service drbd start

drbd01
:

sudo drbdadm -- --overwrite-data-of-peer primary all


drbd02 :

watch -n1 cat /proc/drbd

Ctrl+c .

/dev/drbd0
:

sudo mkfs.ext3 /dev/drbd0


sudo mount /dev/drbd0 /srv

.
drbd01
:/srv

sudo cp -r /etc/default /srv

:/srv

sudo umount /srv

sudo drbdadm secondary r0

sudo drbdadm primary r0

sudo mount /dev/drbd0 /srv

ls /srv/default )(
.drbd01
.

DRBD .

man drbd.conf .


.man drbdadm

DRBD .

23

VPN

OpenVPN )Virtual Private Networks


(VPN
) SSL/TLS VPN (IPSec VPN
OpenVPN .

.1 OpenVPN
OpenVPN
) Public Key Infrastructure (PKI
SSL/TLS VPN
OpenVPN (routed or bridged VPN) VPN
TCP UDP
1194
VPN OS X
) (routers .OpenWRT
.
OpenVPN
:

sudo apt-get install openvpn

.
OpenVPN ) (PKI
:

)
( .

) (CA

.
OpenVPN


.


) (.

OpenVPN
easy-rsa /etc/openvpn

:
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

: /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca

./build-key-server myservername

"Sign the certificate? [y/n]"
"1 out of 1 certificate requests certified, commit? [y/n]".

Diffie Hellman :OpenVPN

./build-dh

/keys
:/etc/openvpn

cd keys/
cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/


VPN


:

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key

.
: OpenVPN

ls -l /usr/share/doc/openvpn/examples/sample-config-files/

total 68
-rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf
-rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz

./etc/openvpn/server.conf server.conf.gz

sudo cp /usr/share/doc/openvpn/examples/\
sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

/etc/openvpn/server.conf
:

ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem

:IP /etc/sysctl.conf

#net.ipv4.ip_forward=1

:sysctl

sudo sysctl -p /etc/sysctl.conf

OpenVPN
server.conf
:syslog

sudo service openvpn start

 * Starting virtual private network daemon(s)...
 *   Autostarting VPN 'server'                                [ OK ]

OpenVPN :tun0

ifconfig tun0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          [...]

.
OpenVPN
OpenVPN
openvpn :

sudo apt-get install openvpn

client.conf :/etc/openvpn/

sudo cp /usr/share/doc/openvpn/examples/\
sample-config-files/client.conf /etc/openvpn/


/etc/openvpn/client.conf
:/etc/openvpn

ca ca.crt
cert client1.crt
key client1.key

OpenVPN
client :
client
remote vpnserver.example.com 1194

:OpenVPN

sudo service openvpn start

 * Starting virtual private network daemon(s)...
 *   Autostarting VPN 'client'                                [ OK ]

:tun0

ifconfig tun0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

ping :OpenVPN

ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.920 ms

: OpenVPN IP

ping
/24

.1 ) PTP (peer to peer ifconfig

.ping

sudo netstat -rn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.42.1    0.0.0.0         UG        0 0          0 eth0

.
:

.1

syslog .grep -i vpn /var/log/syslog

.2


syslog .

.3 UDP 1194
proto .port

.4


.comp-lzo

.5

.
VPN
VPN
VPN

192.168.0.0/16

.VPN


VPN
.


(10.8.0.0/24) OpenVPN .OpenVPN

push "route 10.0.0.0 255.0.0.0"

VPN DNS VPN


) OpenVPN TUN/TAP
(.
VPN OpenVPN
10.8.0.1
.10.8.0.1 )
:(ethernet bridging

server 10.8.0.0 255.255.255.0

IP OpenVPN

IP
.

ifconfig-pool-persist ipp.txt

DNS :

push "dhcp-option DNS 10.0.0.2"
push "dhcp-option DNS 10.1.0.2"

client-to-client

:VPN

comp-lzo

keepalive ping

ping 1
3:

keepalive 1 3

OpenVPN :

user nobody
group nogroup

OpenVPN 2.0 OpenVPN



auth-user-pass
OpenVPN
TLS.

# client config!
auth-user-pass

OpenVPN
PAM
.Kerberos

plugin /usr/lib/openvpn/openvpn-auth-pam.so login

VPN
OpenVPN VPN ) (bridged VPN
)(routed VPN VPN OSI
VPN ) (frames ) (layer-2
(VPN partners) VPN
(VPN Partners ) VPN
LAN DHCP ... ARP
VPN .

.2
:bridge-utils

sudo apt-get install bridge-utils

OpenVPN
eth0 eth1
LAN /etc/network/interfaces :

auto eth0
iface eth0 inet static
        address 1.2.3.4
        netmask 255.255.255.248
        gateway 1.2.3.1

auto eth1
iface eth1 inet static
        address 10.0.0.4
        netmask 255.255.255.0


eth1 br0 br0
eth1 eth1 :

auto eth0
iface eth0 inet static
        address 1.2.3.4
        netmask 255.255.255.248
        gateway 1.2.3.1

auto eth1
iface eth1 inet manual
        up ip link set $IFACE up promisc on

auto br0
iface br0 inet static
        address 10.0.0.4
        netmask 255.255.255.0
        bridge_ports eth1



.
sudo ifdown eth1 && sudo ifup -a

.3
: /etc/openvpn/server.conf
;dev tun
dev tap
up "/etc/openvpn/up.sh br0 eth1"
;server 10.8.0.0 255.255.255.0
server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254


eth1 tap

:/etc/openvpn/up.sh

#!/bin/sh
# Called by OpenVPN as: up.sh <bridge> <ethernet device> <tap device>
BR=$1
ETHDEV=$2
TAPDEV=$3
/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif "$BR" "$TAPDEV"

sudo chmod 755 /etc/openvpn/up.sh

: openvpn

sudo service openvpn restart

.4

openvpn :

sudo apt-get install openvpn

/etc/openvpn
:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

/etc/openvpn/client.conf :
dev tap
;dev tun
ca ca.crt
cert client1.crt
key client1.key

:openvpn

sudo service openvpn restart

LAN .VPN


. OpenVPN




VPN network-manager-openvpn
:

sudo apt-get install network-manager-openvpn

restart network-manager

network-manager start/running, process 3078

VPN "" OpenVPN


VPN OpenVPN
) (TLS
CA

.VPN


OS X Tunnelblick
Tunnelblick OpenVPN
OpenVPN
client.ovpn
:

/Users/username/Library/Application Support/Tunnelblick/Configurations/

. Tunnelblick

# sample client.ovpn for Tunnelblick


client
remote blue.example.com
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-user-pass
auth-nocache
auth-retry interact
comp-lzo yes
verb 3
ca ca.crt
cert client.crt
key client.key


OpenVPN
OpenVPN
OpenVPN Windows GUI OpenVPN
- - - -

OpenVPN OpenVPN
MI GUI .

OpenVPN C:\Program Files\OpenVPN\config\client.ovpn CA
:
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote server.example.com
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-user-pass
auth-retry interact
comp-lzo yes
verb 3
ca ca.crt
"cert "C:\\Users\\username\\My Documents\\openvpn\\client.crt
"key "C:\\Users\\username\\My Documents\\openvpn\\client.key
management 127.0.0.1 1194
management-hold
management-query-passwords
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node MyTAP


auth-user-pass
auth-retry interact
management 127.0.0.1 1194
management-hold
management-query-passwords
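The client and server configs in this chapter contain several settings worth checking before deployment: compression (comp-lzo), the deprecated ns-cert-type directive, a missing server-role check on the client, username/password caching, and a server that never drops privileges. The following checker is an added example, not code from the Ubuntu guide or the OpenVPN project; it parses OpenVPN config text (the directive names are real OpenVPN options) and reports those settings. The sample configs are constructed from the ones shown in the text, with server.example.com and the file names as placeholders.

```python
"""Audit OpenVPN client/server configs for weak settings (added example)."""
import shlex
from dataclasses import dataclass


@dataclass
class Finding:
    directive: str
    message: str


def parse_openvpn(text):
    """Return [(directive, [args]), ...]. '#' and ';' lines are comments;
    double-quoted arguments (Windows paths, up scripts) are kept whole."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def audit(text, role):
    """role is 'client' or 'server'; returns one Finding per weak setting."""
    conf = parse_openvpn(text)
    names = {d for d, _ in conf}
    findings = []
    for directive, args in conf:
        # bare comp-lzo means adaptive compression, i.e. enabled
        if directive == "comp-lzo" and (not args or args[0] != "no"):
            findings.append(Finding(directive, "compressing plaintext before "
                "encryption leaks data via packet length (VORACLE); remove it"))
        if directive == "ns-cert-type":
            findings.append(Finding(directive, "deprecated; use "
                "'remote-cert-tls server' (checks the server cert's EKU)"))
    if role == "client":
        if not names & {"remote-cert-tls", "ns-cert-type", "verify-x509-name"}:
            findings.append(Finding("remote-cert-tls", "server cert role is not "
                "checked; any cert from the CA could impersonate the server"))
        if "auth-user-pass" in names and "auth-nocache" not in names:
            findings.append(Finding("auth-nocache", "credentials stay cached in "
                "process memory across renegotiations; add 'auth-nocache'"))
    elif role == "server" and not {"user", "group"} <= names:
        findings.append(Finding("user/group", "daemon keeps root after startup; "
            "add 'user nobody' and 'group nogroup'"))
    return findings


# Constructed samples modelled on the configs in the text (placeholders).
CLIENT_AS_SHOWN = r"""
client
remote server.example.com
port 1194
proto udp
dev tun
ns-cert-type server
auth-user-pass
comp-lzo yes
verb 3
ca ca.crt
cert "C:\\Users\\username\\My Documents\\openvpn\\client.crt"
key "C:\\Users\\username\\My Documents\\openvpn\\client.key"
"""

CLIENT_HARDENED = """
client
remote server.example.com 1194 udp
dev tun
remote-cert-tls server
auth-user-pass
auth-nocache
verb 3
ca ca.crt
cert client.crt
key client.key
"""

SERVER_AS_SHOWN = """
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.0.0.2"
keepalive 1 3
comp-lzo
user nobody
group nogroup
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
"""

if __name__ == "__main__":
    for label, text, role in [("client as shown", CLIENT_AS_SHOWN, "client"),
                              ("client hardened", CLIENT_HARDENED, "client"),
                              ("server as shown", SERVER_AS_SHOWN, "server")]:
        print(f"{label}: {len(audit(text, role))} finding(s)")
        for f in audit(text, role):
            print(f"  {f.directive}: {f.message}")
```

Run against the Windows client config as shown it reports three findings (comp-lzo, ns-cert-type, auth-nocache); the hardened variant reports none, and the server config only its comp-lzo line, because it already drops to nobody/nogroup.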

OpenVPN OpenWRT
OpenWRT WLAN

OpenWRT
OpenVPN
VPN .
OpenWRT :OpenVPN

opkg update
opkg install openvpn


/etc/config/openvpn
:/etc/openvpn

config openvpn client1
option enable 1
option client 1
# option dev tap
option dev tun
option proto udp
option ca /etc/openvpn/ca.crt
option cert /etc/openvpn/client.crt
option key /etc/openvpn/client.key
option comp_lzo 1

:OpenVPN

service openvpn restart

.
.
. OpenVPN

.OpenVPN hardening security guide


OpenVPN: Building and Integrating Virtual Private Networks (Packt)

24


.1 pam_motd
) Message Of The
Day (MOTD :
:landscape-common landscape-client
Landscape
/usr/bin/landscape-sysinfo
MOTD ... . :

  System load:  0.0               Processes:           76
  Usage of /:   30.2% of 3.11GB   Users logged in:     1
  Memory usage: 20%               IP address for eth0: 10.153.107.115
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

: landscape-sysinfo .


:update-notifier-common
) (fsck ) (.


pam_motd /etc/update-motd.d


/var/run/motd
./etc/motd.tail

:
:weather-util

sudo apt-get install weather-util

METAR National Oceanic and Atmospheric


Administration and Forecast National Weather Service
ICAO
. Weather.gov
National Weather Service

.
/usr/local/bin/local-weather

#!/bin/sh
#
# Prints the local weather information for the MOTD.
#
# Replace KINT with your local weather station.
# Local stations can be found here:
# http://www.weather.gov/tg/siteloc.shtml

echo
weather -i KINT
echo

sudo chmod 755 /usr/local/bin/local-weather

:/etc/update-motd.d/98-local-weather

sudo ln -s /usr/local/bin/local-weather \
/etc/update-motd.d/98-local-weather

.

! .pam_motd


.2 etckeeper
etckeeper /etc/
)(VCS apt /etc

. /etc
etckeeper .

:etckeeper

sudo apt-get install etckeeper

/etc/etckeeper/etckeeper.conf
etckeeper
Bazaar ) (
:

sudo etckeeper uninit

etckeeper /etc
AVOID_DAILY_AUTOCOMMITS


sudo etckeeper commit "..Reason for configuration change.."

:/etc VCS

sudo bzr log /etc/passwd

:postfix

sudo apt-get install postfix

: postfix

Committing to: /etc/
added aliases.db
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
added postfix
added resolvconf
added rsyslog.d
modified shadow
modified shadow-
added init.d/postfix
added network/if-down.d/postfix
added network/if-up.d/postfix
added postfix/dynamicmaps.cf
added postfix/main.cf


added postfix/master.cf
added postfix/post-install
added postfix/postfix-files
added postfix/postfix-script
added postfix/sasl
added ppp/ip-down.d
added ppp/ip-down.d/postfix
added ppp/ip-up.d/postfix
added rc0.d/K20postfix
added rc1.d/K20postfix
added rc2.d/S20postfix
added rc3.d/S20postfix
added rc4.d/S20postfix
added rc5.d/S20postfix
added rc6.d/K20postfix
added resolvconf/update-libc.d
added resolvconf/update-libc.d/postfix
added rsyslog.d/postfix.conf
added ufw/applications.d/postfix
Committed revision 2.

/etc/ etckeeper
: bzr hosts

sudo bzr status /etc/

modified:
hosts

sudo etckeeper commit "new host"

. : bzr


.3 Byobu

screen

) (shells screen
.byobu
byobu F9 :

.Byobu

.Byobu

Byobu ) (.
) (escape sequence
... . f-keys
screen-escape-keys .none


byobu
.
Byobu byobu
byobu
.
byobu scrollback F7
scrollback
vi :

:h .

:j .

:k .

:l .

:0 .

:$ .

:G ) (.

? : .

:n .


.4

man update-motd
.update-motd

etckeeper .


.etckeeper

bzr bzr.

screen .


.Screen

Byobu .


- - Launchpad
Launchpad
.

.1 apport-cli

apport-cli

Launchpad Launchpad
) (
.

: apport-cli ubuntu-bug
apport-bug

apport-cli

.apport-cli


) /( :apport-cli
apport-cli PACKAGENAME

: : .


apport-cli
:vim

apport-cli vim

*** Collecting problem information


The collected information can be sent to the developers to
improve the
application. This might take a few minutes.
...
*** Send problem report to the developers?
After the problem report has been sent, please fill out the
form in the automatically opened web browser.
What would you like to do? Your options are:
1 https://launchpad.net/
2 https://help.launchpad.net/YourAccount/NewAccount
S: Send report (2.8 KB)
V: View report
K: Keep report file for sending later or copying to
somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C):

:
Launchpad :Send

*** Uploading problem information


The collected information is being sent to the bug tracking
system.
This might take a few minutes.
94%
*** To continue, you must visit the following URL:
https://bugs.launchpad.net/ubuntu/+source/vim/+filebug/09b2495a-e2ab-11e3-879b-68b5996a96c8?


You can launch a browser now, or copy this URL into a browser
on another computer.
Choices:
1: Launch a browser now
C: Cancel
Please choose (1/C):
1

1 www-browser (Debian alternatives system) links elinks lynx w3m URL.

:View
Enter q
.

:Keep
) (.

What would you like to do? Your options are:


S: Send report (2.8 KB)
V: View report
K: Keep report file for sending later or copying to
somewhere else
I: Cancel and ignore future crashes of this program
version
C: Cancel
Please choose (S/V/K/I/C): k
Problem report file: /tmp/apport.vim.1pg92p02.apport


apport-cli
) (
s :

apport-cli apport.vim.1pg92p02.apport

) ( :

apport-cli vim --save apport.vim.test.apport

".".apport

: / apport-cli
apport .


.2
apport apport-cli
.(/etc/default/apport )
: /var/crash apport

-rw-r----- 1 peter whoopsie 150K Jul 24 16:17 _usr_lib_x86_64-linux-gnu_libmenu-cache2_libexec_m

apport-cli
.

apport-cli

*** Send problem report to the developers?


After the problem report has been sent, please fill out the
form in the automatically opened web browser.
What would you like to do? Your options are:
S: Send report (153.0 KB)
V: View report
K: Keep report file for sending later or copying to
somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C): s


-
-
/var/crash :

-rw-r----- 1 peter    whoopsie 150K Jul 24 16:17 _usr_lib_x86_64-linux-gnu_libmenu-cache2_libexec_m
-rw-rw-r-- 1 peter    whoopsie    0 Jul 24 16:37 _usr_lib_x86_64-linux-gnu_libmenu-cache2_libexec_m
-rw------- 1 whoopsie whoopsie    0 Jul 24 16:37 _usr_lib_x86_64-linux-gnu_libmenu-cache2_libexec_m

) (public
) (private Launchpad

.

.3

.Reporting Bugs

Apport
.
