Ubuntu Server Guide Arabic v1.2.1 PDF
Academy.hsoub.com
Hsoub.com
Contents
    p. 11
    p. 13
        1. p. 14
    p. 15
        1. p. 16
        2. p. 18
        3. p. 23
        4. p. 24
        5. p. 37
    p. 43
        1. p. 44
        2. dpkg, p. 45
        3. Apt-Get, p. 47
        4. Aptitude, p. 49
        5. p. 52
        6. p. 54
        7. p. 56
    p. 58
        1. p. 59
        2. TCP/IP, p. 74
        3. DHCP, p. 82
        4. NTP, p. 87
    p. 90
        1. DM-Multipath, p. 91
        2. Multipath, p. 96
        3. DM-Multipath, p. 101
        4. DM-Multipath, p. 107
        5. DM-Multipath, p. 127
    p. 136
        1. OpenSSH, p. 137
        2. Puppet, p. 142
        3. Zentyal, p. 147
    p. 154
        1. OpenLDAP, p. 155
        2. LDAP, p. 198
        3. Kerberos, p. 208
        4. Kerberos and LDAP, p. 223
        5. SSSD and Active Directory, p. 234
    p. 263
        1. p. 264
        2. p. 275
        3. p. 276
        4. AppArmor, p. 289
        5. p. 296
        6. eCryptfs, p. 305
    p. 309
        1. Nagios, p. 311
        2. Munin, p. 319
    p. 322
        1. HTTPD, p. 323
        2. PHP5, p. 339
        3. Squid, p. 342
        4. Ruby on Rails, p. 346
        5. Tomcat, p. 348
    p. 355
        1. MySQL, p. 356
        2. PostgreSQL, p. 364
    p. 384
        1. FTP, p. 385
        2. NFS, p. 392
        3. iSCSI, p. 395
        4. CUPS, p. 399
    p. 404
        1. Postfix, p. 405
        2. Exim4, p. 418
        3. Dovecot, p. 423
        4. Mailman, p. 427
        5. p. 437
        6. DKIM, p. 443
    p. 448
        1. IRC, p. 449
        2. Jabber, p. 451
    p. 453
        1. Bazaar, p. 454
        2. Git, p. 455
        3. Subversion, p. 461
        4. CVS, p. 469
        5. p. 472
    p. 473
        1. p. 474
        2. p. 476
        3. p. 480
        4. p. 482
        5. p. 490
        6. Active Directory, p. 497
    p. 500
        1. p. 501
        2. p. 509
        3. Bacula, p. 514
    p. 523
        1. libvirt, p. 524
        2. uvtool, p. 534
        3. p. 540
        4. LXC, p. 541
    p. 568
        1. p. 569
        2. p. 572
        3. p. 573
        4. p. 574
        5. p. 575
    p. 576
        1. DRBD, p. 577
    p. 605
        1. pam_motd, p. 606
        2. etckeeper, p. 609
        3. Byobu, p. 612
        4. p. 614
    p. 615
        1. apport-cli, p. 616
        2. p. 620
        3. p. 621
14.04 -
Linux
Ubuntu Server Guide.
Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0):
http://creativecommons.org/licenses/by-sa/3.0
1/1/2016
!
.
:
.
1.
Canonical Ltd.
.
IRC
.
.
14.04
.
.1
.
.
Ubuntu 14.04 supports the x86, AMD64 and ARM architectures.
Table 1-2:
)(
300
) (
512
1.75
192
700
1.4
....
.
apt
.
X
.
.
10.10 (generic)
.
: 64 64
.
/boot/config-3.13.0-server
Linux Kernel in a Nutshell
.
.
: .
.
!
.2
.
ISO.
(Boot prompt).
CD-ROM
) (RAM
.
DHCP DHCP
.
.sudo
) (hostname .
LVM
LVM
.
:
.
unattended-upgrades:
.
Landscape: Landscape
Landscape.
.
aptitude
.Aptitude
UTC
) (.
.F1
.
.
.
LAMP: Linux-Apache-MySQL-PHP.
Mail:
OpenSSH: OpenSSH.
PostgreSQL: PostgreSQL.
Samba File Server:
Tomcat: Apache Tomcat.
: KVM.
: aptitude.
Tasksel
/
.
:
tasksel --list-tasks
) (Kubuntu ) (Edubuntu
tasksel
.
--task-packages
DNS :
tasksel --task-packages dns-server
:
bind9-doc
bind9utils
bind9
LAMP DNS
:
sudo tasksel install dns-server
.3
. do-release-upgrade
do-release-upgrade
update-manager-core
.
apt-get dist-upgrade
do-release-upgrade
.
:
do-release-upgrade
do-release-upgrade
-d :
do-release-upgrade -d
: .
.4
RAID .
/ RAID
RAID )
( )
(.
RAID )(
mdadm RAID
RAID1 ) (/
).(Swap
.1
.2
.RAID
.3 ][ .
.4
) (RAM
) (.
.5
Ext4
) RAID (RAID
][.
.6 ) (/
][ .
.7
.8
RAID
][.
.9
RAID
.1
RAID .
.2
.3 .MD
.4
RAID1 )
RAID0 RAID1 .(RAID5
.5
) (2
.
.6
) ( 0
.
.7
.8 sda1 sdb1 .
.9
) (/ sda2 .sdb2
.10 .
RAID
RAID RAID
.1
#1 RAID1 .#0
.2
][.
.3 #1 RAID1 .#1
.4
Ext4.
.5
- /
][.
.6 .
RAID
) (degraded RAID
) (degraded state . .
dpkg-reconfigure
....
:mdadm
sudo dpkg-reconfigure mdadm
: .
Shift (Grub).
e.
bootdegraded=true.
Ctrl+x.
) RAID
( .
RAID
mdadm
....
:
sudo mdadm -D /dev/md0
/dev/md0
-D mdadm
RAID ./dev/md0
:
sudo mdadm -E /dev/sda1
mdadm -D /dev/sda1
.
:
sudo mdadm --remove /dev/md0 /dev/sda1
:
sudo mdadm --add /dev/md0 /dev/sda1
) (faulty
.
/proc/mdstat RAID :
cat /proc/mdstat
:
watch -n1 cat /proc/mdstat
Ctrl+c .watch
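The degraded state the text describes shows up in /proc/mdstat as a member count below the configured count ([2/1]) and an underscore in the slot map ([U_]); a mirror in that state has silently lost its redundancy, so it is worth checking mechanically rather than by eye. The following Python is an added example, not part of the guide: it parses mdstat text into per-array records and lists the arrays that are degraded or rebuilding. The mdstat content is constructed for the example.

```python
import re

# Constructed /proc/mdstat sample (not captured from a real host): md0 is a
# healthy mirror, md1 has lost one of its two members, md2 is rebuilding onto
# a replacement disk.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md0 : active raid1 sda1[0] sdb1[1]
      1046528 blocks super 1.2 [2/2] [UU]

md1 : active raid1 sda2[0]
      9765376 blocks super 1.2 [2/1] [U_]

md2 : active raid1 sdc1[2] sdd1[1]
      9765376 blocks super 1.2 [2/1] [_U]
      [==>..................]  recovery = 12.5% (1220736/9765376) finish=3.2min speed=44441K/sec

unused devices: <none>
"""

_ARRAY_RE = re.compile(
    r"^(?P<name>md\d+) : (?P<state>active|inactive)(?: \(auto-read-only\))?"
    r"(?: (?P<level>raid\d+|linear|multipath))? (?P<members>.*)$"
)
_HEALTH_RE = re.compile(r"\[(?P<expected>\d+)/(?P<active>\d+)\] \[(?P<slots>[U_]+)\]")
_PROGRESS_RE = re.compile(r"(?P<op>resync|recovery|reshape|check) = (?P<pct>[\d.]+)%")


def parse_mdstat(text):
    """Parse /proc/mdstat text into {array name: info dict}."""
    arrays = {}
    current = None
    for line in text.splitlines():
        m = _ARRAY_RE.match(line)
        if m:
            tokens = m.group("members").split()
            current = arrays[m.group("name")] = {
                "state": m.group("state"),
                "level": m.group("level"),
                # 'sda1[0]' -> 'sda1'; a failed member is shown as 'sdb1[1](F)'
                "members": [tok.split("[", 1)[0] for tok in tokens],
                "failed": [tok.split("[", 1)[0] for tok in tokens if "(F)" in tok],
                "expected": None,
                "active": None,
                "slots": "",
                "progress": None,
            }
            continue
        if current is None:
            continue
        h = _HEALTH_RE.search(line)
        if h:
            current["expected"] = int(h.group("expected"))
            current["active"] = int(h.group("active"))
            current["slots"] = h.group("slots")
        p = _PROGRESS_RE.search(line)
        if p:
            current["progress"] = (p.group("op"), float(p.group("pct")))
    return arrays


def degraded_arrays(text):
    """Names of arrays running with fewer active members than configured,
    i.e. the '[2/1]' / '[U_]' condition the text calls the degraded state."""
    return sorted(
        name for name, info in parse_mdstat(text).items()
        if info["expected"] is not None and info["active"] < info["expected"]
    )


if __name__ == "__main__":
    for name, info in parse_mdstat(SAMPLE_MDSTAT).items():
        print(name, info["level"], info["slots"], info["failed"], info["progress"])
    print("degraded:", degraded_arrays(SAMPLE_MDSTAT))
```

Run against the real file with `parse_mdstat(open("/proc/mdstat").read())`; an array that appears in `degraded_arrays()` with no `progress` entry is degraded and not rebuilding, which is the case that needs the `mdadm --add` step above.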
) (grub
:
sudo grub-install /dev/md0
./dev/md0
.
RAID
RAID :
RAID .
. LVM
) (Logical Volume Manager
LVM
RAID
.
LVM
:LVM
Physical Volume (PV): RAID. LVM.
Volume Group (VG): (virtual disk drive).
Logical Volume (LV): (LVM) (Ext3, XFS, JFS ...).
.
/srv
) (PV
LVM
.
LVM -
LVM LVM
- LVM
LVM LVM
.
.1
.2
.3
.
.4
/boot swap / .
.5
/srv LVM
LVM ][.
.6
.7 LVM
vg01
LVM .
.8 LVM
) srv
(
.
.9 LVM LVM VG vg01, LV srv
/srv
][ .
.10
.
LVM:
pvdisplay:
vgdisplay:
lvdisplay:
LVM /srv
) (PV
) (VG srv
/dev/sdb
) (.
: /dev/sdb
:
sudo pvcreate /dev/sdb
):(VG
sudo vgextend vg01 /dev/sdb
-l PE -L
....
ext3 ext4
) (.
EXT3 EXT4
:
sudo umount /srv
sudo e2fsck -f /dev/vg01/srv
-f e2fsck .
:
sudo resize2fs /dev/vg01/srv
:
sudo mount /dev/vg01/srv /srv && df -h /srv
LVM .
LVM HOWTO .
.5
.
) (Kernel Crash Dump
:
).(Kernel Panic
.
) (NMI
kexec
.
.
kexec
)
(
.
.
:
sudo apt-get install linux-crashdump
.
/etc/default/kdump-tools:
USE_KDUMP=1
.
crashkernel )
(:
cat /proc/cmdline
crashkernel :
crashkernel=<range1>:<size1>[,<range2>:<size2>,...][@offset]
range=start-[end]   'start' is inclusive and 'end' is exclusive.
crashkernel /proc/cmdline :
crashkernel=384M-2G:64M,2G-:128M
below 384M: nothing is reserved (rescue).
384M to 2G (2G exclusive): 64M.
2G and above: 128M.
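The range syntax above is easy to misread at the boundaries (2G of RAM falls in the second range, not the first, because the end is exclusive), and a wrong reservation means either no crash dump or memory wasted on every boot. The Python below is an added example, not the guide's code: it parses a crashkernel= value in the syntax shown, picks the size the kernel would reserve for a given amount of RAM, and extracts the value from a /proc/cmdline-style string. The command line it parses is constructed; the crashkernel value is the one the text shows.

```python
import re

_UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}


def parse_size(text):
    """'64M' -> 67108864; bare numbers are bytes, as the kernel's memparse()."""
    m = re.fullmatch(r"(\d+)([KMGkmg]?)", text.strip())
    if not m:
        raise ValueError("bad size: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def parse_crashkernel(spec):
    """Split 'range1:size1[,range2:size2,...][@offset]' into a list of
    (start, end, size) byte tuples (end is None for an open range) and the
    optional fixed offset.  The plain 'crashkernel=128M' form is treated as a
    single range '0-:128M'."""
    offset = None
    if "@" in spec:
        spec, off = spec.rsplit("@", 1)
        offset = parse_size(off)
    entries = []
    for part in spec.split(","):
        if ":" in part:
            rng, size = part.split(":", 1)
        else:
            rng, size = "0-", part
        start, _, end = rng.partition("-")
        entries.append((parse_size(start), parse_size(end) if end else None, parse_size(size)))
    return entries, offset


def reserved_for(spec, system_ram):
    """Bytes the kernel reserves on a machine with system_ram bytes: the first
    range with start <= system_ram < end wins; 0 if none matches."""
    entries, _ = parse_crashkernel(spec)
    for start, end, size in entries:
        if system_ram >= start and (end is None or system_ram < end):
            return size
    return 0


def cmdline_crashkernel(cmdline):
    """The crashkernel= value from a kernel command line (as in /proc/cmdline)."""
    for token in cmdline.split():
        if token.startswith("crashkernel="):
            return token[len("crashkernel="):]
    return None


if __name__ == "__main__":
    # Constructed command line; only the crashkernel value comes from the text.
    cmdline = "BOOT_IMAGE=/vmlinuz-3.13.0-24-generic root=/dev/md0 ro crashkernel=384M-2G:64M,2G-:128M"
    spec = cmdline_crashkernel(cmdline)
    for ram_mb in (256, 1023, 2048, 8192):
        print(ram_mb, "MB RAM ->", reserved_for(spec, ram_mb << 20) >> 20, "MB reserved")
```

With the text's value and the 1023MB system of the dmesg line below, `reserved_for` returns 64M, matching "Reserving 64MB of memory"; with 256MB it returns 0, which is the "rescue" case where kdump cannot work at all.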
kdump
:
dmesg | grep -i crash
...
[ 0.000000] Reserving 64MB of memory at 800MB for crashkernel (System RAM: 1023MB)
.
:
SysRq: /proc/sys/kernel/sysrq
cat /proc/sys/kernel/sysrq
" " :
sudo sysctl -w kernel.sysrq=1
sudo
:
echo c > /proc/sysrq-trigger
.
:
sudo -s
:
Begin: Saving vmcore from kernel crash ...
:/var/crash
ls /var/crash
linux-image-3.0.0-12-server.0.crash
.
:
.kdump
.crash
)
(.
35000
.
.1
/ .
.
.deb
) (repositories
CD-ROM ) (compiled
.
) (dependencies
festival libasound2
ALSA festival
.
.2 dpkg
dpkg
dpkg :
:
dpkg -l
grep
:
(regular expression) apache2.
ufw
:
dpkg -L ufw
dpkg -S :
dpkg -S /etc/host.conf
base-files: /etc/host.conf
/etc/host.conf .base-files
:
dpkg -S .
.deb:
sudo dpkg -i zip_3.0-4_i386.deb
:
: dpkg
.3 Apt-Get
apt-get
) ([APT] Advanced Packaging Tool
.
) ( apt-get
) (SSH
.cron
:apt-get
: apt-get
:nmap
sudo apt-get install nmap
:
) (
:
sudo apt-get remove nmap
: apt-get
.
apt-get
./var/log/dpkg.log
APT APT
:
apt-get help
.4 Aptitude
Aptitude
) (APT
.
Aptitude
Aptitude
Aptitude
:
sudo aptitude
Aptitude
.
Aptitude
:Aptitude
:
Enter
+
g
g
Enter
g
Enter .
:
Enter ""-
g g
Enter
g
Enter .
: u
Enter
Enter OK .
:
U g
g
Enter
g
Enter .
i: installed.
c: not installed, but package configuration remains.
p: purged.
v: virtual package.
B: broken package.
u: unpacked, not yet configured.
C: half-configured.
H: half-installed.
Aptitude q
Aptitude .F10
. Aptitude
Aptitude ) (
apt-get nmap apt-get
:
man
.aptitude
.5
unattended-upgrades
:
unattended-upgrades:
vim /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu trusty-security";
//      "Ubuntu trusty-updates";
};
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};
: // (comment) //.
/etc/apt/apt.conf.d/10periodic
apt:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
: apt /etc/cron.daily/apt.
unattended-upgrades /var/log/unattended-upgrades.
Unattended-Upgrade::Mail /etc/apt/apt.conf.d/50unattended-upgrades
unattended-upgrades
.
apticron ) (cron
.
:apticron
/etc/apticron/apticron.conf
:
EMAIL="root@example.com"
.6
) (APT
/etc/apt/sources.list /etc/apt/sources.list.d
.
CD-ROM :
. .
Universe Multiverse
.
: Multiverse
.
: Universe Multiverse
.
- -
.
Multiverse Universe
/etc/apt/sources.list
:
.7
InstallingSoftware.
.
.
.1
.
.
) (Ethernet interfaces
ethX X eth0
eth1
.
ifconfig :
lshw lshw eth0
) (bus :
*-network
description: Ethernet interface
product: BCM4401-B0 100Base-TX
vendor: Broadcom Corporation
physical id: 0
bus info: pci@0000:03:00.0
logical name: eth0
version: 02
serial: 00:15:c5:4a:16:5a
size: 10MB/s
capacity: 100MB/s
width: 32 bits
clock: 33MHz
capabilities: (snipped for brevity)
configuration: (snipped for brevity)
resources: irq:17 memory:ef9fe000-ef9fffff
/etc/udev/rules.d/70-persistent-net.rules
MAC NAME=ethX
.
ethtool
( ) duplex (auto-negotiation)
( Wake-on-LAN) WoL
:
sudo apt-get install ethtool
ethtool
ethtool ) pre-up
( ./etc/network/interfaces
eth0
1000Mb/s ) full duplex (:
auto eth0
iface eth0 inet static
pre-up /sbin/ethtool -s eth0 speed 1000 duplex full
: static
DHCP pre-up
. IP
IP )(gateway
.
IP
ip ifconfig
route /
.
IP : ifconfig IP
:( subnet mask)
:eth0 IP
ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:15:c5:4a:16:5a
          inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::215:c5ff:fe4a:165a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:466475604 errors:0 dropped:0 overruns:0 frame:0
          TX packets:403172654 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2574778386 (2.5 GB)  TX bytes:1618367329 (1.6 GB)
          Interrupt:16
: route
:
route :
route -n
DNS IP DNS
/etc/resolv.conf /etc/resolv.conf
DNS
/etc/resolv.conf
DNS .
nameserver 8.8.8.8
nameserver 8.8.4.4
IP
ip flush :
: IP ip /etc/resolv.conf
.
) IP (DHCP
DHCP dhcp
auto eth0
iface eth0 inet dhcp
ifup
DHCP .dhclient
sudo ifup eth0
ifdown
) (release DHCP .
IP
IP static
inet /etc/network/interfaces
.eth0
:ifup
sudo ifup eth0
: ifdown
sudo ifdown eth0
loopback
lo ( ) loopback
:ifconfig 127.0.0.1 IP
ifconfig lo
lo
/etc/network/interfaces
loopback
:
auto lo
iface lo inet loopback
.
) (Name resolution IP
IP
DNS )static
.(hostname records
DNS
/etc/resolv.conf
DHCP
resolvconf
.
Resolvconf
/etc/resolv.conf
resolvconf
resolvconf DHCP /etc/network/interfaces
/etc/resolv.conf ):(symlink
IP /etc/network/interfaces (DNS suffix, DNS search-lists) resolv.conf
dns-:
search DNS
search example.com sales.example.com dev.example.com
1. server1.example.com
2. server1.sales.example.com
3. server1.dev.example.com
DNS notfound
.DNS
IP /etc/hosts
hosts DNS
/etc/hosts
-
DNS -
.DNS
hosts
:
127.0.0.1   localhost
127.0.1.1   ubuntu-server
10.0.0.11   server1 vpn server1.example.com
10.0.0.12   server2 mail server2.example.com
10.0.0.13   server3 www server3.example.com
10.0.0.14   server4 file server4.example.com
IP
)([NSS] Name Service Switch
/etc/nsswitch.conf
/etc/hosts DNS
:/etc/nsswitch.conf
files: /etc/hosts.
[NOTFOUND=return]: notfound.
mdns4_minimal:
hosts
Unicast DNS, Multicast DNS
/etc/nsswitch.conf :
.
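The two mechanisms described above interact: the `files` database matches a name literally against the hostnames and aliases in /etc/hosts, and only the `dns` database applies the resolv.conf search list, so an /etc/hosts entry always wins over DNS (which is why tampering with that file is a classic way to redirect a host). The Python below is an added example, not the guide's code, that walks the databases in nsswitch order with glibc's search-list rules (ndots=1). The /etc/hosts content and search list are the ones shown above; the DNS answers are constructed stand-in data.

```python
# /etc/hosts in the layout the guide shows; the entries are the guide's.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   ubuntu-server
10.0.0.11   server1 vpn server1.example.com
10.0.0.12   server2 mail server2.example.com
10.0.0.13   server3 www server3.example.com
10.0.0.14   server4 file server4.example.com
"""

# 'search example.com sales.example.com dev.example.com' from resolv.conf
SAMPLE_SEARCH = ["example.com", "sales.example.com", "dev.example.com"]

# Constructed stand-in for what the DNS servers would answer (assumed data).
SAMPLE_DNS = {
    "build.sales.example.com": "10.0.2.5",
    "www.dev.example.com": "10.0.1.80",
    "www.example.com": "203.0.113.10",
}


def parse_hosts(text):
    """/etc/hosts -> {hostname or alias: address}; the first entry for a name
    wins, comments and blank lines are skipped."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def dns_candidates(name, search, ndots=1):
    """Names the DNS resolver tries, in order: a trailing dot disables the
    search list; a name with fewer than ndots dots tries the search domains
    first, then the bare name; any other name is tried literally first."""
    if name.endswith("."):
        return [name[:-1]]
    expanded = ["%s.%s" % (name, domain) for domain in search]
    if name.count(".") < ndots:
        return expanded + [name]
    return [name] + expanded


def resolve(name, hosts, search, dns, order=("files", "dns")):
    """Walk the nsswitch 'hosts:' databases in order.  Returns (address,
    database that answered, list of (database, name) lookups made)."""
    name = name.lower()
    tried = []
    for database in order:
        if database == "files":
            tried.append(("files", name))
            if name in hosts:
                return hosts[name], "files", tried
        elif database == "dns":
            for candidate in dns_candidates(name, search):
                tried.append(("dns", candidate))
                if candidate in dns:
                    return dns[candidate], "dns", tried
    return None, None, tried


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for query in ("server1", "www", "build", "www.dev", "nosuch"):
        address, source, tried = resolve(query, hosts, SAMPLE_SEARCH, SAMPLE_DNS)
        print("%-8s -> %-14s via %-5s after %d lookups" % (query, address, source, len(tried)))
```

Note that `www` answers 10.0.0.13 from /etc/hosts even though the constructed DNS zone has a different address for www.example.com; the DNS data is never consulted because `files` is listed first.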
) (bridge
) (filter
) (Virtual Machines
.
bridge-utils
:
:/etc/network/interfaces
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 192.168.0.10
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
:
.
brctl
man brctl .
.
Network
.
resolvconf
.resolvconf
man interfaces
./etc/network/interfaces
man dhclient
.DHCP
man brctl
Networking-bridge ).(Linux Foundation
.2 TCP/IP
) (Transmission Control Protocol
) (Internet Protocol TCP/IP
) ([DARPA] Defense Advanced Research Projects Agency
TCP/IP
.
. TCP/IP
TCP/IP
- IP -TCP/IP ) (connectionless
) (routing IP Datagram
IP Datagram .
TCP TCP/IP
)(data streams
TCP
. TCP/IP
TCP/IP
(Dynamic Host Configuration Protocol [DHCP]) TCP/IP
.
TCP/IP :
:IP
) (0 ) (255 ) (8
) (32
.dotted quad notation
: ) : ] ([netmask
IP
) (Subnetwork (Class C network) C
255.255.255.0
IP IP
.
: ) (Network Address
IP
12.128.1.2 A 12.0.0.0
12 ) IP (
IP 192.168.1.100 192.168.1.0 C
192.168.1.
: ) (Broadcast Address IP
.
IP 255.255.255.255
) (routers
C 192.168.1.0 192.168.1.255
) ([ARP] Address Resolution Protocol
) .([RIP] Routing Information Protocol
: ) (Gateway Address IP
) (router
.
.
: ) (Nameserver Addresses
IP DNS )(resolve
IP
:
) (Primary ) (Secondary
) (Tertiary
IP
TCP/IP
Level3 (Verizon) IP 4.2.2.1 to 4.2.2.6.
: IP
/etc/network/interfaces nameserver
interfaces :
:resolv.conf
man interfaces
man resolv.conf
. IP
(IP Routing) IP
TCP/IP
) (routing tables
)(routers
:IP ) (static routing ).(dynamic routing
IP
route
)
(
.
(Routing Information Protocol [RIP])
.
.
. TCP UDP
TCP ) (connection-based
) (flow control
)(collisions
TCP
.
. ICMP
(Internet Control Messaging Protocol) ICMP
(Internet Message Access Protocol Daemon [imapd]).
.
TCP IP .
IBM: TCP/IP Tutorial and Technical Overview.
.3 DHCP
DHCP
.DHCP
DHCP DHCP:
IP .
IP .
IP DNS .
DHCP :
.
DHCP -
-DNS DHCP
DHCP DHCP
DHCP
IP
.IP
DHCP :
)(Automatic allocation
- DHCP - IP
DHCP
DHCP .
DHCP
IP
.
/etc/dhcp/dhcpd.conf
.
/etc/default/isc-dhcp-server
) (listen .dhcpd
: dhcpd syslog .
.
:
IP
:
DHCP: IP addresses 192.168.1.150 to 192.168.1.200, default lease 600 seconds, maximum lease 7200 seconds,
router 192.168.1.254, DNS servers 192.168.1.1 and 192.168.1.2.
dhcpd :
.dhcp3-server
/etc/dhcp/dhcpd.conf man
.dhcpd.conf
.dhcp-server :ISC
.4 NTP
NTP TCP/IP
: .
NTP
NTP ) (atomic clock
! ntpdate .ntpd
. ntpdate
ntpdate
NTP :
ntpdate -s ntp.ubuntu.com
. ntpd
ntp
) (logs .
.
.
: ntpd
.
/etc/ntp.conf
:
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org
:ntpd
.
ntpq :
sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+stratum2-2.NTP. 129.70.130.70    2 u    5   64  377   68.461  -44.274 110.334
+ntp2.m-online.n 212.18.1.106     2 u    5   64  377   54.629  -27.318  78.882
*145.253.66.170  .DCFa.           1 u   10   64  377   83.607  -30.159  68.343
+stratum2-3.NTP. 129.70.130.70    2 u    5   64  357   68.795  -68.168 104.612
+europium.canoni 193.79.237.14    2 u   63   64  337   81.534  -67.968  92.792
Ubuntu Time .
:ntp.org .
.1 DM-Multipath
Device mapper multipathing (DM-Multipath) (I/O)
. SAN
) (switches )(controllers ) (multipathing
DM-Multipath 12.04
DM-Multipath .
12.04
multipath-0.4.8 .multipath-0.4.9
. 0.4.8
) (key prio_callout
prio
:
0.4.8:
device {
        vendor  "NEC"
        product "DISK ARRAY"
        prio_callout mpath_prio_alua /dev/%n
}
0.4.9:
device {
        vendor  "NEC"
        product "DISK ARRAY"
        prio    alua
}
) ( :
Table 1-5:
0.4.8                                    0.4.9
                                         prio emc
                                         prio alua
                                         prio netapp
                                         prio rdac
                                         prio hp_sw
prio_callout mpath_prio_hds_modular %b   prio hds
/
prio_callout prio
prio
prio_callout .
DM-Multipath:
:Redundancy DM-Multipath
/ )(active/passive - -
) ( DM-Multipath .
: DM-Multipath /
) (active/active round-robin
DM-Multipath
.
.
- DM-Multipath -
DM-Multipath multipath.conf.defaults
DM-Multipath
(multipath.conf) DM-Multipath
.DM-Multipath
.
. DM-Multipath
:DM-Multipath
:1-5 DM-Multipath
dm_multipath
multipath: /etc/rc.sysinit, udev (block device), initramfs.
multipathd
multipath
/etc/multipath.conf .
) (device mapper devices
kpartx
. DOS
DM-Multipath kpartx
multipath-tools .
. DM-Multipath
DM-Multipath
multipath DM-Multipath
DM-Multipath :
.1
multipath-tools .multipath-tools-boot
.2
/etc/multipath.conf .
.3 multipath.conf
.
.4
.multipath
.5
.initial-ramdisk
multipath .DM-Multipath
.2 Multipath
DM-Multipath
DM-Multipath
multipath .
.
) (multipath device ) (WWID
multipath WWID
user_friendly_names multipath
DM-Multipath .mpathn
HBA
FC: /dev/sda, /dev/sdb, /dev/sdc and /dev/sdd.
DM-Multipath WWID
multipath
user_friendly_names mpathn
DM-Multipath
/dev/mapper/mpathn; /dev/dm-n.
/dev/mapper
) .(logical volumes /dev/dm-n
.
multipath
user_friendly_names
. LVM
.
multipath
user_friendly_names no .
/etc/multipath.conf
:
multipath multipath.conf
.
multipath :
sudo service multipath-tools stop
sudo multipath -F
multipath.conf
.
multipathd
:
sudo service multipath-tools start
. Multipath
user_friendly_names alias multipath
multipath ) (entry
multipaths .multipath
multipaths multipath .Multipath
. multipath
multipath multipath
LVM
LVM LVM
LVM .
: LVM
.pvcreate
LVM multipath/
) (filters lvm.conf
multipath
multipath LVM
LVM /
) ( . SCSI
(lvm.conf) LVM:
filter = [ "r/block/", "r/disk/", "r/sd.*/", "a/.*/" ]
/etc/lvm/lvm.conf initrd
:
sudo update-initramfs -u -k all
.3 DM-Multipath
DM-Multipath :
DM-Multipath.
. DM-Multipath
DM-Multipath
multipath-tools SAN
.multipath-tools-boot
/etc/multipath.conf multipath
/etc/multipath.conf
multipath -ll
.multipath
SAN /usr/share/doc/multipath
-tools/examples multipathd:
# echo 'show config' | multipathd -k > multipath.conf-live
: multipathd /etc/multipath.conf
/etc/multipath.conf
/etc/multipath.conf touch
:
defaults {
        user_friendly_names no
}
:multipathd
show config .
Multipath
multipath :
install disk-detect/multipath/enable=true
multipath :
/dev/mapper/mpath<X>
. Multipath
SCSI DM-
Multipath multipath
.multipath
- - /dev/sda
( /dev/sda) multipath -v2 multipath
multipath multipath
.multipath
sudo multipath -v2
/dev/sda multipath
) (blacklist /etc/multipath.conf
sda devnode
/dev/sda
WWID
multipath -v2 WWID /dev/sda
SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1
/etc/multipath.conf:
blacklist {
        wwid SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1
}
/etc/multipath.conf multipathd
/etc/multipath.conf:
sudo service multipath-tools reload
:multipath
sudo multipath -f SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1
multipath -ll
multipath Multipath multipath
.multipath -ll
multipath
v2 ( verbosity ) multipath
:-v
sudo multipath
DM-Multipath DM-
Multipath
.multipath.conf.defaults
multipath
/etc/multipath.conf .
HP Open-V
%n :
devices {
        device {
                vendor  "HP"
                product "OPEN-V."
                getuid_callout "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
        }
}
.4 DM-Multipath
DM-Multipath /etc/multi
path.conf
multipath.conf
:
.Multipath
.
- -multipath
multipath.conf.defaults
.
.
:
/usr/share/doc/multipath-tools/examples/multipath.conf.annotated.gz
.
multipath :
blacklist: multipath.
blacklist_exceptions: multipath.
defaults: DM-Multipath.
multipaths: multipath; overrides defaults and devices.
devices: per storage controller; overrides defaults, overridden by multipaths.
multipath
multipath .multipath
.
multipath
multipath
.multipath
WWID .WWID
WWID
wwid blacklist .
26353900f02796769:
blacklist {
        wwid 26353900f02796769
}
multipath devnode blacklist .
SCSI
sd*:
blacklist {
        devnode "^sd[a-z]"
}
devnode blacklist
udev
/dev/sda /dev/sdb .
devnode
DM-Multipath
blacklist_exceptions
:
blacklist {
        devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
        devnode "^hd[a-z]"
}
blacklist
device IBM DS4200 .HP
blacklist {
        device {
                vendor  "IBM"
                product "3S42"       #DS4200 Product 10
        }
        device {
                vendor  "HP"
                product "*"
        }
}
blacklist_exceptions
.
multipath (WWID 3600d0230000000000e13955cc3757803)
/etc/multipath.conf:
blacklist {
        wwid "*"
}
blacklist_exceptions {
        wwid "3600d0230000000000e13955cc3757803"
}
blacklist_exceptions
blacklist WWID
devnode WWID
. devnode
devnode .
.
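The interaction between blacklist and blacklist_exceptions is the part of this file that is most often got wrong: an exception only lifts blacklist entries of its own type, so the wwid exception above does not rescue a path that a devnode or device entry filters out. The Python below is an added example, not the guide's or multipath-tools' code: a minimal parser for the two sections plus an evaluator that applies the per-type rule in multipath's order (devnode, device, wwid). Entries are matched as unanchored regular expressions, as multipath does; the guide's catch-all `"*"` is treated as match-anything. The configuration fragment is constructed from the entry types shown above.

```python
import re

# Constructed multipath.conf fragment (not from a real host) combining the
# entry types described above: a catch-all wwid blacklist, the default-style
# devnode pattern, one device entry, and two wwid exceptions.
SAMPLE_CONF = """\
blacklist {
        wwid "*"
        devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
        device {
                vendor  "IBM"
                product "3S42"       #DS4200 Product 10
        }
}
blacklist_exceptions {
        wwid "3600d0230000000000e13955cc3757803"
        wwid "3600508b4000156d70001200000b0000"
}
"""


def parse_blacklists(text):
    """Minimal parser for the blacklist and blacklist_exceptions sections.
    Returns {section: {"wwid": [...], "devnode": [...], "device": [(vendor, product), ...]}}."""
    rules = {s: {"wwid": [], "devnode": [], "device": []}
             for s in ("blacklist", "blacklist_exceptions")}
    section = None
    device = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            if name in rules:
                section = name
            elif name == "device" and section is not None:
                device = {}
            continue
        if line == "}":
            if device is not None:
                rules[section]["device"].append((device.get("vendor", ""), device.get("product", "")))
                device = None
            else:
                section = None
            continue
        if section is None:
            continue
        key, _, value = line.partition(" ")
        value = value.strip().strip('"')
        if device is not None:
            device[key] = value
        elif key in ("wwid", "devnode"):
            rules[section][key].append(value)
    return rules


def _matches(pattern, value):
    # multipath compiles entries as extended regular expressions and searches
    # them unanchored; the guide's catch-all "*" is treated as match-anything.
    if pattern == "*":
        return True
    return re.search(pattern, value) is not None


def _any(patterns, value):
    return any(_matches(p, value) for p in patterns)


def _any_device(entries, vendor, product):
    return any(_matches(v, vendor) and _matches(p, product) for v, p in entries)


def is_blacklisted(rules, wwid, devnode, vendor="", product=""):
    """(True, entry type) if the path is filtered out, else (False, None).
    Checks run per entry type in multipath's order (devnode, device, wwid); an
    exception only lifts blacklist entries of its own type."""
    bl, ex = rules["blacklist"], rules["blacklist_exceptions"]
    if _any(bl["devnode"], devnode) and not _any(ex["devnode"], devnode):
        return True, "devnode"
    if _any_device(bl["device"], vendor, product) and not _any_device(ex["device"], vendor, product):
        return True, "device"
    if _any(bl["wwid"], wwid) and not _any(ex["wwid"], wwid):
        return True, "wwid"
    return False, None


if __name__ == "__main__":
    rules = parse_blacklists(SAMPLE_CONF)
    for path in (("3600d0230000000000e13955cc3757803", "sdb", "WINSYS", "SF2372"),
                 ("26353900f02796769", "sdc", "WINSYS", "SF2372"),
                 ("3600d0230000000000e13955cc3757803", "ram0", "", ""),
                 ("3600d0230000000000e13955cc3757803", "sdd", "IBM", "3S42")):
        print(path[1], is_blacklisted(rules, *path))
```

The third and fourth sample paths carry the excepted WWID yet stay blacklisted, by devnode and by device respectively; to admit them the exception would have to be repeated as a devnode or device entry.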
/etc/multipath.conf defaults
user_friendly_names yes :
defaults {
        user_friendly_names yes
}
user_friendly_names.
#defaults {
#       udev_dir                /dev
#       polling_interval        5
#       selector                "round-robin 0"
#       path_grouping_policy    failover
#       getuid_callout          "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
#       prio                    const
#       path_checker            directio
#       rr_min_io               1000
#       rr_weight               uniform
#       failback                manual
#       no_path_retry           fail
#       user_friendly_names     no
#}
defaults
path_grouping_policy multibus failover
defaults:
defaults {
        user_friendly_names     yes
        path_grouping_policy    multibus
}
defaults
multipath.conf DM-Multipath
devices multipaths multipath.conf.
Table 3-5: Multipath defaults
polling_interval: interval between path checks (polling_interval * 4). Default: 5.
udev_dir: udev device directory. Default: /dev.
multipath_dir: Default: /lib/multipath.
verbosity: 0 to 6. Default: 2.
path_selector: round-robin 0; queue-length 0; service-time 0. Default: round-robin 0.
path_grouping_policy: failover; multibus; group_by_serial; group_by_prio; group_by_node_name. Default: failover.
getuid_callout:
:
prio (ALUA SPC-3): const (1); emc (EMC); alua (SCSI-3 ALUA); netapp (NetApp); hp_sw (Compaq/HP); hds (Hitachi HDS). Default: const.
prio_args:
features: queue_if_no_path (equivalent to no_path_retry queue).
path_checker: readsector0; tur (TEST UNIT READY); emc_clariion (Clariion); hp_sw (HP); rdac (LSI/Engenio RDAC); directio. Default: directio.
failback: immediate; manual. Default: manual.
rr_min_io: Default: 1000.
rr_weight: priorities (rr_min_io weighted by prio); uniform. Default: uniform.
no_path_retry: fail; queue. Default: "".
user_friendly_names: yes (/etc/multipath/bindings, mpathn); no (WWID, multipaths). Default: no.
queue_without_daemon: no (multipathd). Default: no.
flush_on_last_del: yes; no. Default: no.
max_fds: open file descriptors for multipathd (ulimit -n); the maximum is /proc/sys/fs/nr_open; 1024 (32 ... 1024).
checker_timer: SCSI; /sys/block/sdx/device/timeout; 30 (12.04).
fast_io_fail_tmo: SCSI FC; off.
dev_loss_tmo: SCSI FC; infinity (2147483647 seconds, 68 years).
. Multipath
Multipath
multipaths multipath.conf multipath
multipath DM-Multipath
defaults devices .multipath.conf
Table 4-5: Multipath attributes
wwid: WWID of the multipath device (multipath.conf).
alias: name for the multipath device (instead of the user_friendly_names mpathn name).
multipath:
path_grouping_policy, no_path_retry, path_selector, rr_min_io, failback, rr_weight, prio, flush_on_last_del, prio_args
multipath multipath
WWID 3600508b4000156d70001200000b0000
yellow.
multipaths {
        multipath {
                wwid                    3600508b4000156d70001200000b0000
                alias                   yellow
                path_grouping_policy    multibus
                path_selector           "round-robin 0"
                failback                manual
                rr_weight               priorities
                no_path_retry           5
        }
        multipath {
                wwid                    1DEC_____321816758474
                alias                   red
                rr_weight               priorities
        }
}
.
devices multipath.conf
DM-Multipath multipaths
multipath.conf
defaults .multipath.conf
multipath
.multipath.conf.defaults
multipath.conf.annotated.gz
multipath.conf.synthetic .
vendor product
/sys/block/device_name/device/vendor /sys/block/device_name/device/model
device_name multipath :
cat /sys/block/sda/device/vendor
WINSYS
cat /sys/block/sda/device/model
SF2372
/
path_grouping_policy multibus
no_path_retry rr_min_io .Multipath
/
) (
path_checker tur SCSI
) Test Unit Ready (.
multipath emc
.multipath
Table 5-5:
vendor: e.g. COMPAQ.
product: e.g. HSV110 (C)COMPAQ.
revision:
product_blacklist:
hardware_handler: 1 emc (EMC); 1 alua (SCSI-3 ALUA); 1 hp_sw (Compaq/HP); 1 rdac (LSI/Engenio RDAC).
device:
path_grouping_policy, getuid_callout, path_selector, path_checker, features, failback, prio, prio_args, no_path_retry, rr_min_io, rr_weight, fast_io_fail_tmo, dev_loss_tmo, flush_on_last_del
: hardware_handler
(interface)
/lib/modules/`uname -r`/kernel/drivers/scsi/device_handler/
initrd
:
multipath:
#devices {
#       device {
#               vendor                  "COMPAQ  "
#               product                 "MSA1000         "
#               path_grouping_policy    multibus
#               path_checker            tur
#               rr_weight               priorities
#       }
#}
vendor: 8 characters.
product: 16 characters.
revision: 4 characters.
Regular expression characters: ^ $ [ ] . * ? +
.5 DM-Multipath
. Multipath
multipath :
.
:LUN
sudo multipath -l
. SCSI 1 rescan
SCSI :
# echo 1 > /sys/block/device_name/device/rescan
multipath :multipathd
sudo multipathd -k 'resize map mpatha'
) LVM :(DOS
sudo resize2fs /dev/mapper/mpatha
.
UUID
multipath-tools-boot
) (initial ramdisk multipath
.UUID
.
.
. Multipath
multipath
multipath DM-Multipath
multipathd .multipathd
multipathd multipathd
.
queue_if_no_path.
features "1 queue_if_no_path" /etc/multipath.conf
no_path_retry N /etc/multipath.conf.
: mpathN.
Multipath .
multipath
(multipath):
action_if_any: alias (wwid_if_different_from_alias) dm_device_name_if_known vendor,product
size=size features='features' hwhandler='hardware_handler' wp=write_permission_if_known
:
-+- policy='scheduling_policy' prio=prio_if_known status=path_group_status_if_known
:
`- host:channel:id:lun devnode major:minor dm_status_if_known path_status online_status
: multipath
3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| `- 6:0:0:0 sdb 8:16  active ready  running
`-+- policy='round-robin 0' prio=1 status=enabled
  `- 7:0:0:0 sdf 8:80  active ready  running
ready ghost
faulty shaky
multipathd polling_interval
./etc/multipath.conf
dm
failed : dm faulty active .
.dm
online_status running offline offline
SCSI .
: multipath dm
dm ) (features .
. Multipath multipath
-l -ll multipath multipath
-l multipath sysfs
-ll -l .
multipath
-v multipath -v0
-v1 multipath
verbosity ( 2) multipath :
.multipath.conf defaults
:multipath -l
sudo multipath -l
:multipath -ll
sudo multipath -ll
. Multipath
multipath .
Table 6-5: multipath options
-l: multipath topology from sysfs and the device mapper.
-ll: multipath topology from sysfs, the device mapper and all other available components.
-f device: remove the named multipath device.
-F: remove all multipath devices.
. dmsetup
dmsetup
.multipathd
dm 3 :multipathd
:/dev/dm-3
sudo dmsetup ls
mpathd  (253, 4)
mpathep1        (253, 12)
mpathfp1        (253, 11)
mpathb  (253, 3)
mpathgp1        (253, 14)
mpathhp1        (253, 13)
mpatha  (253, 2)
mpathh  (253, 9)
mpathg  (253, 8)
VolGroup00-LogVol01     (253, 1)
mpathf  (253, 7)
VolGroup00-LogVol00     (253, 0)
mpathe  (253, 6)
mpathbp1        (253, 10)
mpathd  (253, 5)
. multipathd
multipathd -k multipathd
multipath help
Ctrl+D.
multipath
multipath
IBM Tricks with Multipathd .
sudo multipathd -k
multipath
:multipath.conf
sudo multipathd -k
:
sudo multipathd -k
multipathd ) (stdin :
# echo 'show config' | multipathd -k
OpenSSH Puppet .Zentyal
.1 OpenSSH
.
OpenSSH
OpenSSH .
OpenSSH
) ([SSH] Secure Shell
- telnet -rcp
OpenSSH
.
OpenSSH sshd ) (listens
sshd
ssh
OpenSSH
OpenSSH
OpenSSH scp
OpenSSH
) (public key Kerberos.
.
OpenSSH
OpenSSH :
OpenSSH :
openssh-server
.
.
(sshd) OpenSSH
/etc/ssh/sshd_config
:
man sshd_config
sshd
./etc/ssh/sshd_config
:
.
/etc/ssh/sshd_config :
Port 2222
sshd :
PubkeyAuthentication yes
.
OpenSSH /etc/issue.net
:/etc/ssh/sshd_config
Banner /etc/issue.net
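When reviewing an edited sshd_config it helps to compute what sshd will actually enforce rather than read the file top to bottom: keywords are case-insensitive, for most of them the first occurrence wins and later duplicates are silently ignored, a few (Port, ListenAddress, HostKey, AcceptEnv) accumulate, and everything after a Match line applies only to the matched sessions. The Python below is an added example, not the guide's code: it derives the effective global settings and compares them with a hardening baseline. The baseline and the upstream defaults it falls back on (OpenSSH 6.x, as shipped with 14.04) are assumptions of this example, and the sshd_config content is constructed around the directives shown above.

```python
# Constructed sshd_config (not the page's or any host's file): the directives
# the text shows plus a second Port, a duplicate keyword and a Match block.
SAMPLE_SSHD_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 2222
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication yes
Banner /etc/issue.net
# the next line is ignored: sshd keeps the first value it read for the keyword
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Keywords sshd accumulates instead of taking the first occurrence.
MULTI_VALUED = {"port", "listenaddress", "hostkey", "acceptenv"}

# Hardening baseline assumed for this example (not something the guide
# prescribes), and the upstream OpenSSH 6.x defaults used when a keyword is
# absent from the file.
HARDENING_BASELINE = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "protocol": "2",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}
OPENSSH_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "protocol": "2",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Effective global settings: keywords are case-insensitive, the first
    occurrence wins (except MULTI_VALUED keywords, which are collected into a
    list), and directives after a Match line are conditional and kept apart.
    Only whole-line comments exist in sshd_config, so '#' is not stripped
    from the middle of a line."""
    effective = {}
    match_blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "options": {}}
            match_blocks.append(current)
        elif current is not None:
            current["options"].setdefault(key, value)
        elif key in MULTI_VALUED:
            effective.setdefault(key, []).append(value)
        else:
            effective.setdefault(key, value)
    return effective, match_blocks


def audit_sshd_config(text):
    """List of (keyword, effective value, expected value) for every baseline
    setting the global configuration does not meet."""
    effective, _ = parse_sshd_config(text)
    findings = []
    for key, wanted in HARDENING_BASELINE.items():
        have = effective.get(key, OPENSSH_DEFAULTS[key]).lower()
        if have != wanted:
            findings.append((key, have, wanted))
    return findings


if __name__ == "__main__":
    effective, matches = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("listening on ports", effective["port"], "banner", effective.get("banner"))
    for key, have, wanted in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("weak: %s is %r, expected %r" % (key, have, wanted))
    for block in matches:
        print("conditional (Match %s):" % block["criteria"], block["options"])
```

On the sample the audit reports PasswordAuthentication (still yes globally; the Match block only turns it off for one user) and PermitRootLogin (without-password, where the baseline wants no); the duplicate PermitRootLogin line changes nothing, which is exactly the mistake this check is meant to catch. `sshd -T` prints the same effective view from the running binary and is the authoritative cross-check.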
/etc/ssh/sshd_config
sshd :
: sshd
ssh sshd
/etc/ssh/sshd_config
sshd sshd
. SSH
SSH
SSH : ) (private ).(public
:
ssh-keygen -t dsa
(Digital Signature Algorithm [DSA]). Note: DSA keys are limited to 1024 bits and OpenSSH 7.0 and later refuse them by default; for new keys prefer ssh-keygen -t ed25519 or ssh-keygen -t rsa -b 4096.
Enter .
~/.ssh/id_dsa.pub
~/.ssh/id_dsa id_dsa.pub
~/.ssh/authorized_keys :
ssh-copy-id username@remotehost
authorized_keys
:
SSH .
.
.SSH
.OpenSSH
.Advanced OpenSSH
.2 Puppet
Puppet
Puppet
. Puppet
/.
Puppet/
.Puppet
.
:Puppet
.
Puppet DNS CNAME
puppet.example.com example.com
Puppet DNS puppet.example.com Puppet
Puppet Master : ) (DNS
.DNS
DNS /etc/hosts
.
/etc/hosts :Puppet
127.0.0.1
192.168.1.17
:Puppet
192.168.1.16
: IP IP .
apache2 (/etc/puppet/modules/apache2/manifests/init.pp):
package {
'apache2':
ensure => installed
}
service {
'apache2':
ensure => true,
enable => true,
require => Package['apache2']
}
: /etc/puppet/manifests/site.pp
node 'pupetclient.example.com' {
include apache2
}
. Puppet pupetclient.example.com :
: Puppet
. Puppet
Puppetagent /etc/default/puppet
START :yes
START=yes
) (fingerprint :
Puppet :
Puppet :
/var/log/syslog
apache2 .Puppet
: Puppet
.
Puppet.
.Pro Puppet
.Puppet
.3 Zentyal
Zentyal ) (business server
) (Unified Threat Manager
Zentyal
Zentyal
) (GPL
.
Zentyal ) ] ([module
Redis
- ) (domains
OpenLDAP
Zentyal
.
.
Zentyal 2.3 Universe 12.04 :
:zentyal-network ) IP
DHCP VLAN (PPPoE
DNS.
:zentyal-firewall iptables
NAT .
:zentyal-ntp NTP
.
:zentyal-openvpn VPN
OpenVPN .Quagga
:zentyal-users
OpenLDAP Zentyal
LDAP
Microsoft
.Active Directory
Squid Dansguardian
:zentyal-squid
.
:zentyal-samba LDAP
.
:zentyal-printers CUPS
.LDAP
: Zentyal ) /(
) (LTS ) 2.2 (3.0
) 2.1 (2.3 12.04 Zentyal 2.3
12.04 Zentyal Team PPA
2.3 .12.04
:zentyal-antivirus ClamAV
) (proxy .mailfilter
:zentyal-bwmonitor
.
:zentyal-ebackup
.duplicity
:zentyal-ids .
:zentyal-mail Postfix
Dovecot .LDAP
:zentyal-mailfilter amavisd
) (spam .
:zentyal-monitor collectd .
:zentyal-software Zentyal
.
:zentyal-trafficshaping
).(latency
:zentyal-usercorner LDAP
.
:zentyal-virt
.libvirt
:zentyal-webmail Roundcube
webmail.
:zentyal-webserver
.
.
sudo
Zentyal
.sudo
: sudo :
) (Zentyal ) https://localhost/ IP
( Zentyal SSL .
) (dashboard
Save changes
Module Status
.
: ) (
Zentyal /etc/zentyal/stubs/<module>/ hooks
/etc/zentyal/hooks/<module>.<action>
Zentyal.
Zentyal .
....
.1 OpenLDAP
) (Lightweight Directory Access Protocol
LDAP X.500
TCP/IP LDAP LDAPv3 RFC4510
LDAPv3 .OpenLDAP
LDAP ) (entries
).([DIT] Directory Information Tree
).(attributes
) (type .
objectClass .
objectClasses ) (schemas
.
objectClass
)(entry .
11
OpenLDAP LDAP
slapd ldap-utils .
slapd
) suffix DN(
/etc/hosts
dc=example,dc=com hosts :
hostname.example.com hostname
127.0.1.1
: .dc=example,dc=com
8.10
slapd slapd DIT
slapd
LDIF /etc/ldap/slapd.d
: slapd-config slapd .
) administrative
(credentials LDAP rootDN
DN cn=admin,dc=example, dc=com
slapd-config LDAP
.
slapd-) slapd
.( dc=example,dc=com) ( config
LDIF slapd-config
:/etc/ldap/slapd.d
/etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config
/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
/etc/ldap/slapd.d/cn=config/cn=schema
/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif
/etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
/etc/ldap/slapd.d/cn=config/cn=schema.ldif
/etc/ldap/slapd.d/cn=config/olcBackend={0}hdb.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
/etc/ldap/slapd.d/cn=config.ldif
)LDAP slapd-config :
.(
. 14.10 :
:LDAP slapd-config
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config
:
. :cn=config
. :cn=module{0},cn=config
.(hard-coded ) :cn=schema,cn=config
.(hard-coded) :cn={0}core,cn=schema,cn=config
.cosine :cn={1}cosine,cn=schema,cn=config
.inetorgperson :cn={3}inetorgperson,cn=schema,cn=config
.'hdb' :olcBackend={0}hdb,cn=config
(frontend) :olcDatabase={-1}frontend,cn=config
.
.(cn=config) slapd :olcDatabase={0}config,cn=config
:olcDatabase={1}hdb,cn=config
.(dc=example,dc=com)
:dc=example,dc=com
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
:dc=example,dc=com .DIT
:cn=admin,dc=example,dc=com ) (rootDN
)
(.
.
:
) People (.
) Groups (.
.miners
.john
:add_content.ldif LDIF
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000
dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
gid uid :
ldap gid uid 5000
ldap
.
:ldapsearch
dn: uid=john,ou=People,dc=example,dc=com
cn: John Doe
gidNumber: 5000
:
. SASL :-x
.
:-LLL
) :cn gidNumber
.(
slapd .
(slapd-config) slapd
:
( DbIndex )idapmodify
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uid eq,pres,sub
) (schema LDIF
./etc/ldap/schema
: slapd-config
.
)
]:([out-of-the-box
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
: CORBA
: schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema
.ldif_output
:
cn={1}corba,cn=schema,cn=config
slapd (injects) :
.{X} :
: slapcat
.cn=corba.ldif
: cn=corba.ldif
dn: cn=corba,cn=schema,cn=config
...
cn: corba
structuralObjectClass: olcSchemaConfig
entryUUID: 52109a02-66ab-1030-8be2-bbf166230478
creatorsName: cn=config
createTimestamp: 20110829165435Z
entryCSN: 20110829165435.935248Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110829165435Z
.
:slapd-config ldapadd
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}corba,cn=schema,cn=config
: LDAP
.
. )(Logging
slapd OpenLDAP
slapd .slapd-config
OpenLDAP ) (
stats
.man slapd-config
: logging.ldif
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
:/etc/rsyslog.conf rsyslog
:rsyslog
.
LDAP
- - redundancy LDAP
LDAP LDAP
Syncrepl -
refreshAndPersist :
delta-syncrepl
.
):(Provider
LDIF :provider_sync.ldif
# Load the accesslog module (same entry the consumer LDIF modifies).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
rootDN LDIF .
apparmor slapd
accesslog /etc/apparmor/local/usr.sbin.slapd :
/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,
:apparmor
sudo -u openldap mkdir /var/lib/ldap/accesslog
sudo -u openldap cp /var/lib/ldap/DB_CONFIG \
    /var/lib/ldap/accesslog
sudo service apparmor reload
:apparmor
.
.
slapd-config
.
:consumer_sync.ldif LDIF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
  binddn="cn=admin,dc=example,dc=com" credentials=secret
  searchbase="dc=example,dc=com" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://ldap01.example.com
:
.(IP - ldap01.example.com- ) provider
.( ) binddn
.( ) credentials
.( ) searchbase
.( IP ) olcUpdateRef
.( rid
)
.(dc=example,dc=com
dn: dc=example,dc=com
contextCSN: 20120201193408.178454Z#000000#000#000000
(20120201193408.178454Z#000000#000#000000)
.
ldap contextCSN
contextCSN
.
contextCSN
People
john miners
.Groups
.
) ... (.
) (access control
) (access control lists .ACL
slapd
.
ACL LDAP
)(frontend
) first match
(wins
ACL (dc=example,dc=com) hdb
:
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write
  by * read
: rootDN
.slapd
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
to attrs=userPassword
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none
to attrs=shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none
) ( :
' 'auth userPassword
' 'by anonymous auth
.
) (.
to *
    by self write
    by dn="cn=admin,dc=example,dc=com" write
    by * read
ACL bind
) ACL( '.'olcRequire: authc
.slapd-config
SASL root sudo :
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
) (ACLs :slapd-config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  manage by * break
SASL SASL
LDAP
:
.1
sudo .
.2
.man slapd.access
TLS .
OpenLDAP
) .([TLS] Transport Layer Security
) (Certificate Authority
gnutls certtool
LDAP slapd
.
gnutls-bin :ssl-cert
.1
sudo apt-get install gnutls-bin ssl-cert
:
.2
sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
: /etc/ssl/ca.info / .3
cn = Example Company
ca
cert_signing_key
: .4
sudo certtool --generate-self-signed \
--load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ca.info \
--outfile /etc/ssl/certs/cacert.pem
:
.5
sudo certtool --generate-privkey \
--bits 1024 \
--outfile /etc/ssl/private/ldap01_slapd_key.pem
ldap01 :
.
: /etc/ssl/ldap01.info .6
organization = Example Company
cn = ldap01.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650
: .7
) certinfo.ldif
:(https://www.cacert.org
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
/etc/default/slapd ldaps://
:
SLAPD_SERVICES="ldap:/// ldapi:///"
sudo
sudo
sudo
sudo
:OpenLDAP
) (/var/log/syslog .
. TLS
) (StartTLS
.TLS
TLS .TLS
) ( LDAP
TLS
/
.
:
) ( :
mkdir ldap02-ssl
cd ldap02-ssl
sudo certtool --generate-privkey \
    --bits 1024 \
    --outfile ldap02_slapd_key.pem
ldap02.info :
cp /etc/ssl/certs/cacert.pem .
) scp ldap02-ssl
:(
cd ..
scp -r ldap02-ssl user@consumer:
:
:TLS
sudo
sudo
sudo
sudo
sudo
sudo
sudo
:( ) /etc/ssl/certinfo.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem
:slapd-config
.(SLAPD_SERVICES) /etc/default/slapd
:
olcSyncrepl TLS
. TLS
: consumer_sync_tls.ldif
dn: olcDatabase={1}hdb,cn=config
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com
bindmethod=simple
binddn="cn=admin,dc=example,dc=com" credentials=secret
searchbase="dc=example,dc=com"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on type=refreshAndPersist retry="60 +"
syncdata=accesslog
starttls=critical tls_reqcert=demand
StartTLS
CA
LDIF
.('replace ')
:
:slapd
:
TLS /var/log/syslog
' 'conns :
slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[3620]: conn=1047 op=0 STARTTLS
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text=
. LDAP
LDAP
:
libnss-ldap
sudo apt-get install libnss-ldap
LDAP :
sudo dpkg-reconfigure ldap-auth-config
/etc/ldap.conf
.
LDAP :NSS
sudo auth-client-config -t nss -p lac_ldap
LDAP:
sudo pam-auth-update
LDAP .
.LDAP
LDAP
:/etc/ldap.conf
) (timeout ) (ldap02
).(ldap01
LDAP
LDAP LDAP .
.
ldap-utils
ldapscripts
.
:
: /etc/ldapscripts/ldapscripts.conf
SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000
: rootDN ldapscripts.passwd
.secret rootDN :
:
:
george .example
:
sudo ldapaddgroup qa
sudo ldapdeletegroup qa
:
sudo ldapaddusertogroup george qa
.george qa memberUid
:
sudo ldapdeleteuserfromgroup george qa
.qa memberUid
ldapmodifyuser
: ldapmodify
ldapscripts
user
: /etc/ldapscripts/ldapscripts.conf
UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
/etc/ldapscripts
:/etc/ldapscripts/ldapadduser.template ldapadduser.template.sample
sudo cp \
/usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
/etc/ldapscripts/ldapadduser.template
:objectClass inetOrgPerson
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee
.
:
ldaprenamemachine
ldapadduser
ldapdeleteuserfromgroup
ldapfinger
ldapid
ldapgid
ldapmodifyuser
ldaprenameuser
lsldap
ldapaddusertogroup
ldapsetpasswd
ldapinit
ldapaddgroup
ldapdeletegroup
ldapmodifygroup
ldapdeletemachine
ldaprenamegroup
ldapaddmachine
ldapmodifymachine
ldapsetprimarygroup
ldapdeleteuser
.
LDAP
.
ldap
) backend (cn=config ) frontend
(dc=example,dc=com --
/export/backup slapcat
:/usr/local/bin/ldapbackup
#!/bin/bash
BACKUP_PATH=/export/backup
SLAPCAT=/usr/sbin/slapcat
nice ${SLAPCAT} -n 0 > ${BACKUP_PATH}/config.ldif
nice ${SLAPCAT} -n 1 > ${BACKUP_PATH}/example.com.ldif
nice ${SLAPCAT} -n 2 > ${BACKUP_PATH}/access.ldif
chmod 640 ${BACKUP_PATH}/*.ldif
: LDAP
/export/backup
) (cron
) (
cron /etc/cron.d/
ldapbackup :22:45
MAILTO=backup-emails@domain.com
45 22 * * * root /usr/local/bin/ldapbackup
.
: ldap
.www.openldap.org
slapd
:
slapd
slapd-config
slapd.access
slapo-syncprov
OpenLDAP .
man
man
man
man
man auth-client-config
man pam-auth-update
.2 LDAP
LDAP
LDAP
(
)
OpenLDAP
OpenLDAP
.
.
:LDAP samba samba-doc
.smbldap-tools
smbldap-tools
) ( LDAP
.
:
. LDAP
LDAP
:
.1
).(schema
.2
.3 ).(objects
OpenLDAP ) (backend
LDAP .
: .slapd
samba-doc
:/etc/ldap/schema
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz
/etc/ldap/schema
sudo gzip -d /etc/ldap/schema/samba.schema.gz
: schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema
include /etc/ldap/schema/samba.schema
. ldif_output
:
dn: cn={14}samba,cn=schema,cn=config
:LDIF
: cn=samba.ldif
dn: cn=samba,cn=schema,cn=config
...
cn: samba
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
.
:
( indices) slapd
.
: samba_indices.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
: ldapmodify
:ldapsearch
LDAP
smbldap-tools
) smbldap-config.pl
/etc/smbldap-tools/smbldap.conf
./etc/smbldap-tools/smbldap_bind.conf
smbldap-populate LDAP
:slapcat
sudo smbldap-populate
/etc/samba/smb.conf LDAP :
:ldap passdb backend
# LDAP Settings
passdb backend = ldapsam:ldap://hostname
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
ldap ssl = start tls
ldap passwd sync = yes
...
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
.
: samba
) rootDN
:(slapd
sudo smbpasswd -w password
LDAP
smbpasswd
) ] [
NSS libnss-ldapd :(libnss-ldap
.
smbldap-tools :
:
-a -P smbldap-passwd
.
:
-r .
smbldap-useradd -a .
:
sudo smbldap-groupmod -m username groupname
-m .
:
username ) (workstation -t 0
-w
add machine
script /etc/samba/smb.conf
.smbldap-useradd
smbldap-tools :
smbldap-groupadd
smbldap-groupdel
smbldap-groupmod
smbldap-groupshow
smbldap-passwd
smbldap-populate
smbldap-useradd
smbldap-userdel
smbldap-userinfo
smbldap-userlist
smbldap-usermod
smbldap-usershow
:
.
.3 Kerberos
Kerberos
Kerberos
).([SSO] Single Sign On
Kerberos .
.
Kerberos
Kerberos :
) :(Principal
.Kerberos
) :(Instances .
) :(Realms Kerberos
DNS
) (EXAMPLE.COM .
)ticket granting
(server .
:
.
:Keytab
.
-
-
Kerberos
) (TGT
Kerberos
) (TGS
.
. Kerberos
MIT Kerberos ) (:
.EXAMPLE.COM :
.(192.168.0.1) kdc01.example.com :
.(192.168.0.2) kdc02.example.com :
.steve :
.steve/admin :
: - -
) .(5000
Kerberos DNS
Kerberos EXAMPLE.COM
: ).(DNS
Kerberos
)(
.
)(NTP NTP
.NTP
krb5-kdc krb5-admin-
Kerberos
server :
Kerberos - Admin
- ).(realm
: .
:kdb5_newrealm
sudo kdb5_newrealm
/etc/krb5.conf
) (KDC .krb5-kdc
Kerberos :
sudo dpkg-reconfigure krb5-kdc
KDC ) ( .
.
kadmin.local :
sudo kadmin.local
: EXAMPLE.COM steve .
)(ACL
:/etc/krb5kdc/kadm5.acl
steve/admin@EXAMPLE.COM        *
steve/admin
Kerberos man kadm5.acl
.
krb5-admin-server :
:kinit
kinit steve/admin
steve/admin@EXAMPLE.COM's Password:
klist ):(TGT
klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: steve/admin@EXAMPLE.COM

  Issued           Expires          Principal
Jul 13 17:53:34  Jul 14 03:53:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5cc_1000 _ krb5cc
uid 1000 /etc/hosts
:
192.168.0.1   kdc01.example.com   kdc01
Kerberos ).(routers
DNS
SRV :/etc/named/db.example.com
_kerberos._udp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
_kerberos._udp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1  0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM.      IN SRV 1  0 464 kdc01.example.com.
.DNS Kerberos
.
.
) (KDC
Kerberos
) (NAT
.
Kerberos Admin server
:
KDC :
: kadmin .username/admin@EXAMPLE.COM
:Keytab
keytab.kdc02
:/etc/krb5.keytab
: keytab.kdc02 .
Keytab
:klist
-k .keytab
kpropd.acl
/etc/krb5kdc/kpropd.acl:
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
kpropd kprop
kprop :
sudo kpropd -S
keytab :/etc/krb5.keytab
: kdc01.example.com .Keytab
kprop KDC:
: SUCCEEDED
/var/log/syslog .
)
(:
#
0
krb5-kdc :
krb5-kdc kinit
/var/log/syslog /var/log/auth.log .
. Kerberos
Kerberos
Kerberos .
krb5-user libpam-krb5
Kerberos
:
auth-client-config PAM
libpam-ccreds
Kerberos
.
Kerberos
DNS
Kerberos SRV .
dpkg-reconfigure /etc/krb5.conf
:
[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
    kdc = 192.168.0.1
    admin_server = 192.168.0.1
}
:
uid 5000
pam Kerberos
uid :5000
) (
.passwd
kinit :
kinit steve@EXAMPLE.COM
:klist
klist
Service principal
auth-client-config libpam-krb5
:
.Kerberos
.4 Kerberos LDAP
Kerberos ) (Kerberos
) ]([authorization .LDAP
Kerberos
. OpenLDAP
OpenLDAP
LDAP
OpenLDAP
.OpenLDAP
OpenLDAP TLS SSL
LDAP KDC TLS.
cn=admin,cn=config : ldap
RootDN .
:kerberos.schema.gz
cn=config kerberos
.slapd slapd
schema_convert.conf
:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema
:LDIF
mkdir /tmp/ldif_output
: slapcat
.
:/tmp/cn=kerberos.ldif
dn: cn=kerberos,cn=schema,cn=config
...
cn: kerberos
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z
:ldapadd
:krb5principalname
ldapmodify -x -D cn=admin,cn=config -W
:(ACL)
ldapmodify -x -D cn=admin,cn=config -W
.Kerberos LDAP
.
. OpenLDAP
:
: /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com
kdc = kdc02.example.com
admin_server = kdc01.example.com
admin_server = kdc02.example.com
default_domain = example.com
database_module = openldap_ldapconf
}
...
[domain_realm]
.example.com = EXAMPLE.COM
...
[dbdefaults]
ldap_kerberos_container_dn = dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    ldap_kdc_dn = "cn=admin,dc=example,dc=com"
    # this object needs to have read rights on
    # the realm container, principal container and realm sub-trees
    ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
    # this object needs to have read and write rights on
    # the realm container, principal container and realm sub-trees
    ldap_service_password_file = /etc/krb5kdc/service.keyfile
    ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
    ldap_conns_per_server = 5
}
: kdb5_ldap_util
) (stash LDAP
ldap_kdc_dn ldap_kadmind_dn :/etc/krb5.conf
:LDAP
scp ldap01:/etc/ssl/certs/cacert.pem .
sudo cp cacert.pem /etc/ssl/certs
/etc/ldap/ldap.conf :
TLS_CACERT /etc/ssl/certs/cacert.pem
: LDAP
.LDAPS
Kerberos LDAP
LDAP . :kadmin.local
sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.
krbPrincipalName krbPrincipalKey
kinit klist
ou=people, dc=example, dc=com
.
LDAP
. Kerberos
:
:LDAP /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com
kdc = kdc02.example.com
admin_server = kdc01.example.com
admin_server = kdc02.example.com
default_domain = example.com
database_module = openldap_ldapconf
}
...
[domain_realm]
.example.com = EXAMPLE.COM
...
[dbdefaults]
ldap_kerberos_container_dn = dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    ldap_kdc_dn = "cn=admin,dc=example,dc=com"
    # this object needs to have read rights on
    # the realm container, principal container and realm sub-trees
    ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
    # this object needs to have read and write rights on
    # the realm container, principal container and realm sub-trees
    ldap_service_password_file = /etc/krb5kdc/service.keyfile
    ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
    ldap_conns_per_server = 5
}
:LDAP
. EXAMPLE.COM :
ldap:
:krb5-kdc
) ldap (kerberos.
LDAP Kerberos
LDAP Kerberos .
.
.man krb5.conf
.Kerberos and LDAP :
ldap Active
Directory POSIX AD
ad .
.
Active Directory .
.DNS
DNS ./etc/resolv.conf
.myubuntu.example.com
.
krb5-user samba sssd ntp
. Kerberos IP
.
.krb5-user
. Kerberos
krb5-user ) (realm name
) ( )
( ] [realm ] [domain_realm
/etc/krb5.conf
.
myubuntu.example.com
:
.MYUBUNTU.EXAMPLE.COM
/etc/krb5.conf
) Kerberos (:
[libdefaults]
default_realm = MYUBUNTU.EXAMPLE.COM
ticket_lifetime = 24h
renew_lifetime = 7d
default_realm
username@domain .username
Active Directory
Kerberos
NTP :/etc/ntp.conf
server dc.myubuntu.example.com
netbois/nmbd Active
Directory . /etc/samba/smb.conf
] :[global
[global]
workgroup = MYUBUNTU
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = MYUBUNTU.EXAMPLE.COM
security = ads
: password server
DNS
SSSD .
/etc/sssd/sssd.conf
: sssd
[sssd]
services = nss, pam
config_file_version = 2
domains = MYUBUNTU.EXAMPLE.COM
[domain/MYUBUNTU.EXAMPLE.COM]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.
# Use with pam_mkhomedir.so
override_homedir = /home/%d/%u
# Uncomment if the client machine hostname doesn't match
# the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM
# Enumeration is discouraged for performance reasons.
# enumerate = true
:600
sssd .
. nsswitch.conf
sssd
/etc/nsswitch.conf :
passwd:         compat sss
group:          compat sss
...
netgroup:       nis sss
sudoers:        files sss
. /etc/hosts
/etc/hosts
:
DNS.
. Active Directory
ntp samba :sssd
sudo
sudo
sudo
sudo
:Kerberos
sudo klist
NT_STATUS_UNSUCCESSFUL
.
.
:
Directory )
(.
:
AD ) (:
getent passwd username
.
:Active Directory
su - username
) getty .(SSH
/etc/pam.d sssdwitch.conf
.
. pam_mkhomedir
Active Directory
pam_mkhomedir.so
/etc/pam.d/common-
session :session required pam_unix.so
required
session
: override_homedir sssd.conf
.
.
Active Directory AD
lightdm /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf:
greeter-show-manual-login=true
greeter-hide-users=true
lightdm
username .username/username@domain
.
.SSSD
DNS
.1
:dns
dnsutils DNS
:
.2
BIND9
) (caching nameserver ) (primary master
).(secondary master
BIND9
.
BIND9 ) (Zone
.
BIND9
.
.
DNS /etc/bind bind
./etc/bind/named.conf
include DNS directory
/etc/bind/named.conf.options DNS
BIND .
/etc/bind/db.root
/etc/bind/db.root
bind9 zone ) (master server
.file
) ([SOA] Start of Authority
.LAN
.
IP DNS ISP
:/etc/bind/named.conf.options
forwarders {
    1.2.3.4;
    5.6.7.8;
};
: 1.2.3.4 5.6.7.8 IP .
DNS
:
dig .DNS
.
BIND9 example.com
example.com .
DNS BIND9 BIND9
:/etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
DDNS /var/lib/bind
: bind
/db.example.com /etc/bind/db.example.com
:/etc/bind/db.example.com
.
) (record example.com
:ns.example.com
;
; BIND data file for example.com
;
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      A       192.168.1.10
@       IN      NS      ns.example.com.
@       IN      A       192.168.1.10
@       IN      AAAA    ::1
ns      IN      A       192.168.1.10
) (Serial Number
BIND9 .
DNS
.
:
2012010100 ) yyyymmddss ss (.
BIND9
.
IP
) (Reverse zone DNS .
/etc/bind/named.conf.local :
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
};
: 1.168.192
/etc/bind/db.192
.
:/etc/bind/db.192
/etc/bind/db.192 :/etc/bind/db.example.com
;
; BIND reverse data file for local 192.168.1.XXX net
;
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.
10      IN      PTR     ns.example.com.
.
A /etc/bind/db.example.com
PTR ./etc/bind/db.192
BIND9 .
.
.
allow-transfer :/etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.1.11; };
};
: 192.168.1.11 IP .
BIND9 :
bind9
:
/etc/bind/named.conf.local
zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 192.168.1.10; };
};

zone "1.168.192.in-addr.arpa" {
    type slave;
    file "db.192";
    masters { 192.168.1.10; };
};
: 192.168.1.10 IP .
BIND9 :
) /var/log/syslog
:(
also-notify DNS
also-notify { ipaddress; }; in /etc/bind/named.conf.local
also-notify :/etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.11; };
    also-notify { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.1.11; };
    also-notify { 192.168.1.11; };
};
: /var/cache/bind
AppArmor named AppArmor
:.
.3
DNS .BIND9
.
resolv.conf BIND9 IP
/etc/resolv.conf :
nameserver 192.168.1.10
nameserver 192.168.1.11
* 127. IP
: IP .
dig
dnsutils DNS
.dig
dig -x 127.0.0.1
BIND9 ) (dig
:
dig ubuntu.com
dig :
DNS ping
ICMP echo :
ping example.com
ns.example.com
IP :
bind9
BIND9 .
:
: .
.
BIND9 )(logging
channel category
.
:
logging {
        category default { default_syslog; default_debug; };
        category unmatched { null; };
};
) (channel
/etc/bind/named.conf.local :
logging {
        channel query.log {
                file "/var/log/query.log";
                severity debug 3;
        };
};
DNS :query
logging {
        channel query.log {
                file "/var/log/query.log";
                severity debug 3;
        };
        category queries { query.log; };
};
: debug 1 3 1
.
named
AppArmor /etc/apparmor.d/usr.sbin.named:
/var/log/query.log w,
AppArmor .
BIND9 :
/var/log/query.log
BIND9 .
.4
.
DNS.
:A IP .
www     IN      A       192.168.1.12
:CNAME
CNAME CNAME.
web     IN      CNAME   www
:MX A
.CNAME
        IN      MX      mail.example.com.
mail    IN      A       192.168.1.13
:NS
A CNAME .
        IN      NS      ns.example.com.
        IN      NS      ns2.example.com.
ns      IN      A       192.168.1.10
ns2     IN      A       192.168.1.11
BIND9 IRC
.Freenode #ubuntu-server
BIND Server HOWTO .
).(deployment
14.04
.
.1
.
.
sudo
sudo
.
.
:
sudo passwd
sudo
:
passwd :
usermod --expiredate 1
sudo :
man sudo
sudo
/etc/sudoers sudo
sudo .sudo
.
/
adduser .
....
UID/GID
.
UID/GID - -
:
passwd
) (:
adduser :
.
adduser
/home/username ) (profile
/etc/skel .
.
:
ls -ld /home/username
/home/username
) :(world
: ) ([recursive ] -R
adduser
/etc/adduser.conf
DIR_MODE
:
DIR_MODE=0750
ls -ld /home/username
:
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
.
) (brute force
.
/etc/pam.d/common-password :
password        [success=2 default=ignore]      pam_unix.so obscure sha512
min=8 :
password        [success=2 default=ignore]      pam_unix.so obscure sha512 min=8
: sudo
.
.
:
:
Last password change                                    : Jan 20, 2008
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
) (-E 01/31/2008
) (-m 5 ) (-M 90
) inactivity (-I 5 )(-W
14 .
:
Last password change                                    : Jan 20, 2008
Password expires                                        : Apr 19, 2008
Password inactive                                       : May 19, 2008
Account expires                                         : Jan 31, 2008
Minimum number of days between password change          : 5
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14
.
.
SSH
RSA ) (shell
SSH /home/username/.ssh/authorized_keys
.ssh/
.SSH
SSH
) (kill .
SSH
sshlogin
AllowGroups ./etc/ssh/sshd_config
AllowGroups sshlogin
SSH sshlogin
:SSH
.2
...
) (screen door
!
.
.
. Ctrl+Alt+Delete
Ctrl+Alt+Delete
.
Ctrl+Alt+Delete
:/etc/init/control-alt-delete.conf
.3
.
Netfilter
.
iptables
Netfilter
iptables iptables
.
. ufw
Uncomplicated Firewall
ufw iptables ufw
IPv4 .IPv6
ufw
. :man ufw
ufw
).(host-based firewalls
:ufw
ufw
:
) ssh (:
:
sudo ufw deny 22
delete :
ssh 192.168.0.2 IP :
ufw --dry-run
:HTTP
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
COMMIT
Rules updated
: ufw
) ( :numbered
: /etc/services
22 ssh .
ufw ufw
.
ufw
ufw
/etc/ufw/applications.d
.
:
ufw allow from 192.168.0.0/24 to any app Samba
:
.
)... (.
:
sudo ufw app info Samba
ufw
:Launchpad
ubuntu-bug nameofpackage
IP
(IP Masquerading) IP IP
IP
IP ) (private IP
) (conntrack
)(
) .(Internet Connection Sharing
ufw
IP ufw ufw
iptables-restore /etc/ufw/*.rules
iptables ufw
.
ufw .
ufw
DEFAULT_FORWARD_POLICY " "ACCEPT :/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
/etc/ufw/sysctl.conf :
net/ipv4/ip_forward=1
IPv6 :
net/ipv6/conf/default/forwarding=1
/etc/ufw/before.rules
filter nat
:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
/etc/ufw
:
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
COMMIT
raw .mangle
nat filter
ufw :
IP FORWARD
/etc/ufw/before.rules ufw-before-forward.
iptables
iptables . ufw
IPv4 /etc/sysctl.conf :
net.ipv4.ip_forward=1
IPv6 :
net.ipv6.conf.default.forwarding=1
sysctl :
sudo sysctl -p
IP iptables
:
192.168.0.0/16
ppp0 :
:-s 192.168.0.0/16 .
:-o ppp0 .
( ACCEPT
DROP REJECT
FORWARD :
.
- -
/etc/rc.local :
.
)
ACCEPT DROP .(REJECT
ufw :
ufw on off .
iptables ufw :
80 dmesg )
(:
/var/log/messages /var/log/syslog
/var/log/kern.log /etc/syslog.conf
ulogd ULOG .LOG
ulogd ) (userspace server
PostgreSQL MySQL
logwatch fwanalog fwlogwatch .lire
.
iptables :
fwbuilder
.Checkpoint FireWall-1
:
Shorewall.
ufw .man ufw :
nat-HOWTO .
IPTables HowTo .
.4 AppArmor
AppArmor
POSIX 1003.1e.
AppArmor )(profiles
.apparmor-profiles
apparmor-profiles
sudo apt-get install apparmor-profiles
AppArmor :
) :(Complaining/Learning
.
) :(Enforced/Confined
.
. AppArmor
: .
apparmor-utils
AppArmor ....
apparmor_status .AppArmor
sudo apparmor_status
:
aa-complain
:
aa-enforce
/etc/apparmor.d AppArmor
.
:
apparmor_parser
: -r
: service apparmor
- apparmor_parser /etc/apparmor.d/disable
: R
sudo ln -s /etc/apparmor.d/profile.name \
/etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
/etc/apparmor.d
/disable :-a
sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
AppArmor :
AppArmor
:
: profile.name
/path/to/bin
ping ./bin/ping
.
) (profiles /etc/apparmor.d/
/ .
/etc/apparmor.d/bin.ping AppArmor ./bin/ping
) :(Path entries
.
) :(Capability entries .
/etc/apparmor.d/bin.ping:
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}
:#include <tunables/global>
.
/bin/ping flags=(complain) :
.complain
:/bin/ping mixr, .
: AppArmor.
:
.
:
.init
: aa-genprof :
apparmor-profiles
Launchpad :AppArmor
aa-logprof
AppArmor .
sudo aa-logprof
AppArmor
.AppArmor
AppArmor
#ubuntu-server ) Freenode .(IRC
.5
) (public-key cryptography
)(private key ) (encrypt
) (public key
) (decrypted .
(Secure Socket Layer ) SSL (Transport Layer Security ) TLS
- HTTPS HTTP -SSL
.
) (Certificate
)(CA
.
.
-
- ) (
. .
: .
HTTPS
:
)(
.
SSL
) (
.
:
.1
.2
.
.3
.
.4
.5
.6 .
. )(CSR
.
Postfix
... Dovecot . ) (passphrase
.
.
:
.
-des3
.
.server.key
) insecure ( :
server.key
CSR .
:CSR
... .
) (CSR .server.csr
.
.
:
openssl x509 -req -days 365 -in server.csr -signkey server.key \
    -out server.crt
.server.crt
: ) (CA
.
.
server.key server.crt
:
HTTPS
Dovecot IMAPS ... POP3S.
.
.
:
/etc/ssl/openssl.cnf
] [ CA_default :
dir             = /etc/ssl/                 # Where everything is kept
database        = $dir/CA/index.txt         # database index file.
certificate     = $dir/certs/cacert.pem     # The CA certificate
serial          = $dir/CA/serial            # The current serial number
private_key     = $dir/private/cakey.pem    # The private key
:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem \
    -out cacert.pem -days 3650
.
:
)
(
:
sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf
.
/etc/ssl/netcerts/01.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
mail.example.com.crt .
02.pem ... 03.pem.
: mail.example.com.crt .
/etc/ssl/certs
.
CA
/etc/ssl/certs/cacert.pem /etc/ssl/certs/ .
.
HTTPS .HTTPS
OpenSSL .OpenSSL
.6 eCryptfs
eCryptfs POSIX
eCryptfs
....
/home
. /srv .eCryptfs
. eCryptfs
:
.
/srv /etc/default :/srv
/srv :
/srv ecryptfs .
.
ecryptfs
/root/.ecryptfsrc
.USB
/root/.ecryptfsrc :
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
: ecryptfs_sig ./root/.ecryptfs/sig-cache.txt
:/mnt/usb/passwd_file.txt
passphrase_passwd=[secrets]
:/etc/fstab
/dev/sdb1       /mnt/usb        ext3            ro              0 0
/srv            /srv            ecryptfs        defaults        0 0
USB .
/srv .eCryptfs
.
:
ecryptfs-utils
ecryptfs-setup-private ~/Private
.
ecryptfs-mount-private ecryptfs-umount-private
~/Private .
:ecryptfs-manager eCryptfs .
:ecryptfs-stat eCryptfs .
eCryptfs Launchpad.
eCryptfs .
) (performance ) (availability
Nagios Munin .
server01 server02
server01 Nagios server02
server01 Munin munin-node
server02 .server01
.
.1 Nagios
.
nagios server01 :
nagiosadmin
./etc/nagios3/htpasswd.users nagiosadmin
Nagios CGI htpasswd
.apache2-utils
:nagiosadmin
server02 nagios-nrpe-server
:server02
: NRPE
Nagios.
.
Nagios ).(check files
:/etc/nagios-plugins .
:/etc/nagios nagios-nrpe-server.
:/usr/lib/nagios/plugins/
-h .
/usr/lib/nagios/plugins/check_dhcp -h
Nagios
Nagios DNS MySQL
DNS server02 MySQL server01 .server02
: :
DNS .MySQL
:Nagios
) :(host group
....
) :(service group
HTTP .
) :(contact
Nagios ... SMS.
Nagios HTTP
SSH
localhost
Nagios
ping.
Nagios
.
.
.1 server02
server01
:
sudo cp /etc/nagios3/conf.d/localhost_nagios2.cfg \
    /etc/nagios3/conf.d/server02.cfg
:/etc/nagios3/conf.d/server02.cfg
define host {
        use                     generic-host
        host_name               server02
        alias                   Server 02
        address                 172.18.100.101
}

# check DNS service.
define service {
        use                     generic-service
        host_name               server02
        service_description     DNS
        check_command           check_dns!172.18.100.101
}
: nagios
/etc/nagios3/conf.d/ MySQL
:services_nagios.cfg
define service {
        hostgroup_name          mysql-servers
        service_description     MySQL
        check_command           check_mysql_cmdlinecred!nagios!
        use                     generic-service
        notification_interval   0 ; set > 0 if you want to be
}
/etc/nagios3/conf.d/ mysql-servers
: hostgroups_nagios2.cfg
# MySQL hostgroup.
define hostgroup {
        hostgroup_name  mysql-servers
        alias           MySQL servers
        members         localhost, server02
}
mysql -u root -p \
-e "create user nagios identified by 'secret';"
.mysql-servers nagios :
:MySQL nagios
.server02 NRPE
:/etc/nagios3/conf.d/server02.cfg server01
define service {
        use                     generic-service
        host_name               server02
        service_description     nrpe-disk
        check_command           check_nrpe_1arg!check_all_disks!
}
: /etc/nagios/nrpe.cfg server02
allowed_hosts=172.18.100.100
command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -e
:nagios-nrpe-server
:nagios server01
Nagios CGI
http://server01/nagios3
nagiosadmin .
.
Nagios nagios-plugins-extra nagios-snmp-plugins.
Nagios .
.Nagios
Nagios .
.2 Munin
.
Munin server01 apache2
.munin
munin server01 :
munin-node :server02
/etc/munin/munin.conf server01 IP
:server02
: server02 172.18.100.101 IP .
: ^172\.18\.100\.100$ IP Munin .
munin-node server02 :
sudo service munin-node restart
http://server01/munin
munin-plugins
.
: .
.
munin-plugins-extra
DNS DHCP ... . :
sudo apt-get install munin-plugins-extra
.
Munin .
Munin
.
.Munin
HTTP
HTTP
HTML ....
.1 HTTPD
) (Apache
.
) URL (Uniform Resource Locator
) (FQDN
:
www.ubuntu.com
:
www.ubuntu.com/community
) Hyper
Text Transfer Protocol (HTTP
MySQL
) (PHP ) (scripting languages
) (directives
:
:apache2.conf
.
:httpd.conf
httpd
.
:conf-available
/etc/apache2/conf.d /etc/apache2/conf-available.
:conf-enabled /etc/apache2
/conf-available
.
:envvars )environment
(variables.
:mods-available
) (modules .
:mods-enabled /etc/apache2
/mods-available
.
:ports.conf TCP
.
:sites-available
) (Virtual Hosts
.
:magic MIME .
Include
) (wildcards
.
.
) (mime types
TypesConfig /etc/apache2/mods-available/mime.conf /etc/mime.types.
.
) (VirtualHost
URL ServerName
./etc/apache2/sites-available/default
webmaster .
sudo cp /etc/apache2/sites-available/000-default.conf \
    /etc/apache2/sites-available/mynewsite.conf
.
ServerAdmin
webmaster@localhost )
(
./etc/apache2/sites-available
listen IP
IP IP
listen 80 127.0.0.1:80
loopback 81
) (
./etc/apache2/ports.conf
ServerName ) (FQDN
ServerName
ServerName
ubunturocks.com
ServerName
ubunturocks.com
).(/etc/apache2/sites-available/mynewsite.conf
www.ubunturocks.com
www
ServerAlias ) (wildcards .ServerAlias
:.ubunturocks.com
ServerAlias *.ubunturocks.com
DocumentRoot
/var/www /etc/apache2/sites-available/000-default.conf
.
a2ensite :
: mynewsite
ServerName .
a2dissite
:
sudo a2dissite mynewsite
sudo service apache2 restart
.
DirectoryIndex
) (/ .
http://www.example.com/directory/
DirectoryIndex
Indexes Permission Denied
. DirectoryIndex
Options Indexes
HTML
/etc/apache2/mods-available/dir.conf: "index.html index.cgi index.pl index.php index.xhtml index.htm"
.
ErrorDocument
404
HTTP 404 /etc/apache2/conf.d/localized-error-pages
ErrorDocument .
/var/log/apache2/access.log
CustomLog /etc/apache2/conf.d/
.other-vhosts-access-log
ErrorLog /var/log/apache2/error.log
) LogLevel " ("warn LogFormat
) /etc/apache2/apache2.conf (.
Options
Directory XML :
<Directory /var/www/mynewsite>
...
</Directory>
Options Directory
:
: CGI ! CGI
ExecCGI
CGI ./usr/lib/cgi-bin
:Includes
HTML Apache SSI Documentation
.
:IncludesNOEXEC #exe
c #Include .CGI
:Indexes
) DirectoryIndex (index.html .
!
:
SymLinksIfOwnerMatch
.
httpd
httpd.
:LockFile LockFile
USE_FCNTL_SERIALIZED_ACCEPT
USE_FLOCK_SERIALIZED_ACCEPT
NFS
) (root.
:PidFile PidFile
) process ID pid(
.
: User root
.
LoadModule
.
<IfModule>.
:MySQL
/etc/apache2/mods-available .
a2enmod :
a2dismod :
sudo a2dismod auth_mysql
sudo service apache2 restart
HTTPS
mod_ssl
SSL
https:// URL .
mod_ssl apache2-common
:mod_ssl
HTTPS /etc/apache2/sites-available/default-ssl.conf HTTPS
HTTPS
ssl-cert
:.
:HTTPS
: /etc/ssl/certs /etc/ssl/private
SSLCertificateFile
SSLCertificateKeyFile .
HTTPS :
: .
https://hostname/url/
.
/var/www
:webmasters
: ).(ACLs
apache2-doc .
IRC #ubuntu-server
.freenode.net
.2 PHP5
PHP PHP HTML
PHP5 .MySQL
MySQL
MySQL .
.
PHP5
PHP.
:PHP5
PHP5 php5-cli
PHP5 :
PHP5 PHP5
php5-cgi :
.
PHP5 PHP5
php5-cli php5 .
PHP5 PHP5
/etc/apache2/mods-enabled/php5.conf /etc/apache2/mods-enabled/php5.load a2enmod.
PHP5
PHP5 :
.
PHP phpinfo:
<?php
  phpinfo();
?>
phpinfo.php
DocumentRoot
http://hostname/phpinfo.php PHP5.
.
.php.net
PHP O'Reilly
Learning PHP .PHP CookBook
.3 Squid
Squid ) (web proxy cache server
) (HTTP
) (FTP Squid
) (SSL DNS Squid
) Internet Cache Protocol
(ICP ) Hyper Text Caching Protocol (HTCP
) Cache Array Routing Protocol (CARP
) Web Cache Coordination Protocol .(WCCP
Squid
) Simple Network
Management Protocol .(SNMP
Squid
Squid .
.
:Squid
.
Squid /etc/squid3/squid.conf
Squid
Squid .
:
.
/etc/squid/squid.conf
:
http_port 8888
visible_hostname Squid
:weezie
visible_hostname weezie
Squid
Squid IP
192.168.42.0/24:
ACL :/etc/squid3/squid.conf
http_access :/etc/squid3/squid.conf
Squid
Squid
9:00AM 5:00PM
:10.1.42.0/24
ACL :/etc/squid3/squid.conf
http_access :/etc/squid3/squid.conf
: /etc/squid3/squid.conf
Squid :
.Squid
.Squid
.4 Ruby on Rails
Ruby on Rails
.convention over configuration
.
Ruby on Rails MySQL
.
MySQL Ruby on Rails
:
.
/etc/apache2/sites-available/000-default.conf
.
:DocumentRoot
DocumentRoot /path/to/rails/application/public
:<Directory "/path/to/rails/application/public">
<Directory "/path/to/rails/application/public">
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride All
Order allow,deny
allow from all
AddHandler cgi-script .cgi
</Directory>
: mod_rewrite
/path/to/rails/application/public
: /path/to/rails/application/tmp
.Ruby on Rails !
.
. Ruby on Rails
.Ruby on Rails
.5 Tomcat
) (Apache Tomcat ) (web container
Java Servlets .(Java Server Pages) JSP
6 7 6 7
.
7 .
) tomcat7 (tomcat6
.
.
:
ROOT
"."It works
.
/etc/tomcat7
Tomcat 7.0.
7.0 (HTTP connector) HTTP 8080
AJP 8009
:/etc/tomcat7/server.xml
JVM
OpenJDK JVM
Sun JVMs JVMs
JAVA_HOME :/etc/default/tomcat7
JAVA_HOME=/usr/lib/jvm/java-6-sun
) (
Servlet :/etc/tomcat7/tomcat-users.xml
<role rolename="admin"/>
<user username="tomcat" password="s3cret" roles="admin"/>
.
.
tomcat7-docs
http://server:8080/docs :
sudo apt-get install tomcat7-docs
tomcat7-admin
:
manager
http://server:8080/manager/html
.
: manager-gui
: manager
/etc/tomcat7/tomcat-users.xml .
host-manager
http://server:8080/host-manager/html
.
: host-manager
:
admin-gui /etc/tomcat7/tomcat-users.xml .
tomcat7 /etc/tomcat7
) (
tomcat7 :
tomcat7-example
Servlets JSP http://server:8080/examples
:
.
) (
.
: ) (
.TCP
tomcat7-instance-create my-instance
my-instance
lib/
webapps/ .
conf/
conf/server.xml
.
)
:(my-instance
my-instance/bin/startup.sh
: /logs
java.net.BindException: Address already in use<null>:8080
my-instance/bin/shutdown.sh
Apache Tomcat .
Tomcat Books .
.MySQL
.PostgreSQL
)(main
.1 MySQL
MySQL ) (multi-threaded
).(mass-deployed
.
:MySQL
MySQL .
MySQL
MySQL :
tcp     localhost:mysql     *:*     LISTEN     2556/mysqld
.
/etc/mysql/my.cnf
. MySQL
bind-address IP:
192.168.0.5
bind-address
: 192.168.0.5 .
/etc/mysql/my.cnf
:MySQL
) (root
:MySQL
MySQL .
.
MySQL
.
MySQL
) (Storage engine
InnoDB : MyISAM
MySQL
.
.
MyISAM
InnoDB
InnoDB ACID
) (row
) (file block
ACID journaled
.
InnoDB MySQL 5.5
MyISAM .
my.cnf
MySQL
Percona's my.cnf generating tool
my.cnf .
my.cnf Percona
MySQL
mysqldump :
MySQL
.
MySQL ):(dump
my.cnf :
:MySQL
sudo
sudo
sudo
sudo
(Pipe Viewer) pv
pv pv cat
) (ETA pv
:
: my.cnf
MySQL Tuner
MySQL Tuner MySQL
mysqltuner
24 mysqltuner
:
mysqltuner
my.cnf
MySQL
.
:
Variables to adjust:
    key_buffer_size (> 1.4G)
    query_cache_size (> 32M)
    table_cache (> 64)
    innodb_buffer_pool_size (>= 22G)
:
) (Wordpress ) (Drupal )(Joomla
...
MySQL
).(Slaves
.
MySQL .
.2 PostgreSQL
PostgreSQL
.DBMS
.
:PostgreSQL
PostgreSQL
.
.
TCP/IP PostgreSQL
IDENT postgres
PostgreSQL Administrator's Guide
.Kerberos
TCP/IP MD5
PostgreSQL /etc/postgresql/<version>/main
PostgreSQL 9.1
./etc/postgresql/9.1/main
: ident /etc/postgresql/9.1/main/pg_ident.conf
.
TCP/IP /etc/postgresql/9.1/main/postgresql.conf #listen_addresses = 'localhost' :
listen_addresses = '*'
.PostgreSQL
PostgreSQL
postgres PostgreSQL
:
PostgreSQL template1
postgres PostgreSQL .SQL
/etc/postgresql/9.1/main/pg_hba.conf
MD5 :postgres
local   all     postgres        md5
PostgreSQL
:
: PostgreSQL Administrator's
Guide .
:PostgreSQL
: .
file:///usr/share/doc/postgresql-doc-9.1/html/index.html
.
PostgreSQL .
13
LAMP
LAMP :
.
LAMP
.LAMP
.1 Moin Moin
MoinMoin PikiPiki
GNU GPL.
.
:MoinMoin
.
.
:mywiki
cd /usr/share/moin
sudo mkdir mywiki
sudo cp -R data mywiki
sudo cp -R underlay mywiki
sudo cp server/moin.cgi mywiki
sudo chown -R www-data.www-data mywiki
sudo chmod -R ug+rwX mywiki
sudo chmod -R o-rwx mywiki
MoinMoin mywiki
MoinMoin /etc/moin/mywiki.py :
data_dir = '/org/mywiki/data'
data_dir = '/usr/share/moin/mywiki/data'
data_dir :data_underlay_dir
data_underlay_dir = '/usr/share/moin/mywiki/underlay'
: /etc/moin/mywiki.py /usr/share/moin/config/wikifarm/mywiki.py /etc/moin/mywiki.py.
MoinMoin mywiki
.
/etc/apache2/sites-available/default
<VirtualHost *>:
### moin
ScriptAlias /mywiki "/usr/share/moin/mywiki/moin.cgi"
Alias /moin_static193 "/usr/share/moin/htdocs"
<Directory /usr/share/moin/htdocs>
    Order allow,deny
    allow from all
</Directory>
### end moin
:
sudo service apache2 restart
.
:
http://localhost/mywiki
MoinMoin.
.
.moinmoin
.MoinMoin
.2 MediaWiki
MediaWiki Wiki PHP
MySQL .PostgreSQL
.
MediaWiki PHP5
MySQL PostgreSQL
.
:MediaWiki
MediaWiki .mediawiki-extensions
.
mediawiki.conf
/etc/apache2/conf-available/
:MediaWiki
MediaWiki :http://localhost/mediawiki/config/index.php
: Checking environment...
.
LocalSettings.php
:/etc/mediawiki
sudo mv /var/lib/mediawiki/config/LocalSettings.php \
    /etc/mediawiki/
/etc/mediawiki/LocalSettings.php
) (:
ini_set( 'memory_limit', '64M' );
.
MediaWiki
MediaWiki .
MediaWiki ) (checkout
Subversion /var/lib/mediawiki/extensions
:/etc/mediawiki/LocalSettings.php
require_once "$IP/extensions/ExtentionName/ExtentionName.php";
.MediaWiki
MediaWiki Administrators Tutorial Guide
MediaWiki.
MediaWiki
.
.3 phpMyAdmin
MySQL
phpMyAdmin LAMP
PHP phpMyAdmin
.
.
phpMyAdmin MySQL
phpMyAdmin
MySQL
:phpMyAdmin
phpMyAdmin
.
http://server/phpmyadmin server
root
MySQL .
....
.
phpMyAdmin /etc/phpmyadmin
/etc/phpmyadmin/config.inc.php
.phpMyAdmin
phpMyAdmin MySQL
:/etc/phpmyadmin/config.inc.php
$cfg['Servers'][$i]['host'] = 'db_server';
: db_server IP
phpMyAdmin .
phpMyAdmin
.
config.header.inc.php config.footer.inc.php
HTML .phpMyAdmin
/etc/phpmyadmin/apache.conf
/etc/apache2/conf.d/phpmyadmin.conf
phpMyAdmin PHP ....
phpMyAdmin
phpMyAdmin Documentation phpMyAdmin
.phpMyAdmin
Mastering phpMyAdmin .
.phpMyAdmin
Wordpress .4
( Wordpress)
.GNU GPLv2 PHP
.
:
sudo apt-get install wordpress
MySQL
.
.
/etc/apache2/sites-available/wordpress.conf :
Alias /blog /usr/share/wordpress
<Directory /usr/share/wordpress>
Options FollowSymLinks
AllowOverride Limit Options FileInfo
DirectoryIndex index.php
Order allow,deny
Allow from all
</Directory>
<Directory /usr/share/wordpress/wp-content>
Options FollowSymLinks
Order allow,deny
Allow from all
</Directory>
/etc/wordpress/config-10.211.55.50.php :
/etc/wordpress/config-hostalias1.php.
)
(SSH /etc/wordpress/config-localhost.php /etc/wordpress/config/NAME_OF_VIRTUAL_HOST.php.
MySQL
localhost.
/etc/wordpress/config-localhost.php MySQL :
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>
wordpree.sql
: MySQL
: MySQL
http://localhost/blog/wp-admin/install.php
.
.
.
.Wordpress.org Codex
.WordPress
FTP NFS .CUPS
.1 FTP
) File Transfer Protocol (FTP TCP
OpenSSH
.
FTP / FTP FTP
FTP
FTP .
FTP :
.
)(Anonymous
SFTP .OpenSSH-Server
FTP
FTP FTP
FTP .
. vsftpd FTP
vsftpd FTP
vsftpd :
. FTP
vsftpd
/etc/vsftpd.conf:
anonymous_enable=Yes
/srv/files/ftp
:ftp
sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp
vsftpd :
ftp
/srv/files/ftp /srv/ftp .
. FTP
vsftpd
:/etc/vsftpd.conf
write_enable=YES
:vsftpd
FTP
....
FTP
:vsftpd
anon_upload_enable=YES
:
.
man 5 vsftpd.conf
.
. FTP
/etc/vsftpd.conf vsftpd
:
chroot_local_users=YES
:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
/etc/vsftpd.chroot_list
:vsftpd
/etc/ftpusers
FTP root daemon ... nobody .
FTP .
FTP FTPS SFTP FTPS FTP
) (SSL SFTP FTP SSH
SFTP
shell nologin
SFTP OpenSSH .
FTPS /etc/vsftpd.conf :
ssl_enable=Yes
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl-cert
:.
vsftpd :FTPS
sudo restart vsftpd
/usr/sbin/nologin FTP
/etc/shells :nologin
auth    required    pam_shells.so
PAM ./etc/shells
FTP .FTPS lftp
FTPS
.
.
vsftpd .
/etc/vsftpd.conf .vsftpd.conf
.2 NFS
NFS
.NFS
:NFS
NFS .
CD-ROM USB
.
.
:NFS
.
/etc/exports :
/ubuntu  *(ro,sync,no_root_squash)
/home    *(rw,sync,no_root_squash)
"*"
.NFS
:NFS
. NFS
mount NFS
:
: /local/ubuntu
.
NFS /etc/fstab
NFS
NFS
/etc/fstab:
NFS nfs-common
:
.NFS Howto
.3 iSCSI
iSCSI
) (initiators iSCSI ).(targets
iSCSI
iSCSI iSCSI
iSCSI .
. iSCSI
iSCSI open-iscsi :
. iSCSI
open-iscsi /etc/iscsi/iscsid.conf
:
node.startup = automatic
iscsiadm
:
:-m .iscsiadm
:-t .
:-p IP.
: 192.168.0.10 IP .
192.168.0.10:3260,1 iqn.1992-05.com.emc:sl7b92030000520000-2
: iqn IP .
iSCSI
:iSCSI
:dmesg
dmesg | grep sd
[    4.322384] sd 2:0:0:0: Attached scsi generic sg1 type 0
[    4.322797] sd 2:0:0:0: [sda] 41943040 512-byte logical blocks: (21.4GB/20.0 GiB)
[    4.322843] sd 2:0:0:0: [sda] Write Protect is off
[    4.322846] sd 2:0:0:0: [sda] Mode Sense: 03 00 00 00
[    4.322896] sd 2:0:0:0: [sda] Cache data unavailable
[    4.322899] sd 2:0:0:0: [sda] Assuming drive cache: write through
[    4.323230] sd 2:0:0:0: [sda] Cache data unavailable
[    4.323233] sd 2:0:0:0: [sda] Assuming drive cache: write through
[    4.325312] sda: sda1 sda2 < sda5 >
[    4.325729] sd 2:0:0:0: [sda] Cache data unavailable
[    4.325732] sd 2:0:0:0: [sda] Assuming drive cache: write through
[    4.325735] sd 2:0:0:0: [sda] Attached SCSI disk
[2486.941805] sd 4:0:0:3: Attached scsi generic sg3 type 0
[2486.952093] sd 4:0:0:3: [sdb] 1126400000 512-byte logical blocks: (576 GB/537GiB)
[2486.954195] sd 4:0:0:3: [sdb] Write Protect is off
[2486.954200] sd 4:0:0:3: [sdb] Mode Sense: 8f 00 00 08
[2486.954692] sd 4:0:0:3: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[2486.960577] sdb: sdb1
[2486.964862] sd 4:0:0:3: [sdb] Attached SCSI disk
iSCSI sdb
.
iSCSI
:
n
p
enter
w
/srv :
sudo mkfs.ext4 /dev/sdb1
sudo mount /dev/sdb1 /srv
/etc/fstab iSCSI :
/dev/sdb1       /srv    ext4    defaults,auto,_netdev
.
.
Open-iSCSI.
.Open-iSCSI
.4 CUPS
) Common UNIX Printing System (CUPS
.
CUPS
) Internet Printing Protocol (IPP
CUPS )(dot-matrix
CUPS
PostScript Printer Description
) (PPD .
.
:CUPS
CUPS .
CUPS
/var/log/cups/error_log
CUPS LogLevel
" "debug " "debug2
" "info .
.
CUPS /etc/cups/cupsd.conf
CUPS
.
:
.
/etc/cups/cupsd.conf :
:ServerAdmin CUPS
/etc/cups/cupsd.conf ServerAdmin
CUPS
user@example.com ServerAdmin :
ServerAdmin user@example.com
Listen 127.0.0.1:631
Listen /var/run/cups/cups.sock
Listen 192.168.10.250:631
)interface, Port 631 (IPP
(127.0.0.1) loopback
cupsd
LAN loopback
Listen ) (socrates :
Listen socrates:631
'hostname 'socrates
Listen Port
:
Port 631
CUPS
:
man cupsd.conf
: /etc/cups/cupsd.conf
CUPS :
.
: CUPS
http://localhost:631/admin .
CUPS
lpadmin
.
lpadmin :
Documentation/Help .
.
CUPS.
)Mail User
Agent (MUA
) Mail Transfer Agents (MTA
) Mail Delivery Agent (MDA
POP3
.IMAP
.1 Postfix
Postfix ) (MTA
sendmail
Postfix
SMTP )
(.
.
:postfix
.
.
:postfix
Internet Site
mail.example.com
steve
mail.example.com, localhost.localdomain, localhost
No
127.0.0.1/8 8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
0
+
all
: mail.example.com 192.168.0.0/24
steve .
Postfix mbox
postconf postfix
/etc/postfix/main.cf
:Maildir
: /home/username/Maildir
) (MDA .
. SMTP
SMTP-AUTH ) (SASL
) (TLS SMTP
.
: smtpd_sasl_path .Postfix
TLS :
) Certificate Authority (CA
.
: ) (MUA TLS
TLS
TLS
: TLS Postfix
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = mail.example.com'
:
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
Postfix :
SMTP-AUTH
. TLS
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
: postfix
SASL .
Dovecot SASL Cyrus SASL SASL Postfix
dovecot-common Dovecot SASL
:
: /etc/dovecot/conf.d/10-master.conf
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    #mode = 0600
    #user =
    #group =
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Outlook SMTP-AUTH
authentication mechanisms :/etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain
Dovecot :
sudo service dovecot restart
. Mail-Stack Delivery
... . Postfix
.SMTP-AUTH
ssl-cert
.
/etc/postfix/main.cf :
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
:Postfix
.
SMTP-AUTH .
SMTP-AUTH TLS :
telnet mail.example.com 25
postfix :
ehlo mail.example.com
quit.
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
.
.
chroot
postfix chroot
.
chroot :/etc/postfix/master.cf
smtp      inet  n       -       -       -       -       smtpd

smtp      inet  n       -       n       -       -       smtpd
Postfix :
Smtps
smtps /etc/postfix/master.cf :
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Postfix /var/log/mail.log
/var/log/mail.err
/var/log/mail.warn .
tail -f
:
tail -f /var/log/mail.err
.
TLS smtpd_tls_loglevel 1 :4
:debug_peer_list
Postfix /etc/postfix/master.cf -v smtp :
smtp      unix  -       -       -       -       -       smtp -v
:
Postfix :
SASL
:/etc/dovecot/conf.d/10-logging.conf
auth_debug=yes
auth_debug_passwords=yes
: Postfix Dovecot :
Postfix
.
Postfix
#ubuntu-server freenode
.
Postfix .
Postfix .
.2 Exim4
Exim4
Exim sendmail
exim .sendmail
.
:exim4
.
:Exim4
Exim4 .
/etc/exim4/update-exim4.conf
.
sudo update-exim4.conf
./var/lib/exim4/config.autogenerated
: /var/lib/exim4/config.autogenerated
.update-exim4.conf
:Exim4
. SMTP
Exim4 SMTP-AUTH TLS .SASL
TLS :
sudo /usr/share/doc/exim4-base/examples/exim-gencert
MAIN_TLS_ENABLE = yes
saslauthd Exim4
/etc/exim4/conf.d/auth/30_exim4-config_examples
:login_saslauthd_server plain_saslauthd_server
plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
#
login_saslauthd_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# don't send system passwords over unencrypted connections
server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
exim
: exim
sudo /usr/share/doc/exim4/examples/exim-adduser
exim :
Exim4 :
sudo update-exim4.conf
sudo service exim4 restart
. SASL
saslauthd .Exim4
sasl2-bin :
START=yes
Debian-exim sasl
Exim4 :saslauthd
:saslauthd
exim.org .
.Exim4 Book
.Exim4
.3 Dovecot
Dovecot
mbox : Maildir
imap .pop3
.
:dovecot
.
Dovecot is configured in /etc/dovecot/dovecot.conf. It can serve pop3, pop3s (POP3 over SSL), imap and imaps (IMAP over SSL). Serving IMAPS or POP3S requires an SSL certificate and key, configured as described below. The protocols to serve are set in /etc/dovecot/dovecot.conf.
Dovecot can serve mailboxes in either mbox or Maildir format; the format must match what the MTA delivers into. Set the mailbox location (mail_location) in /etc/dovecot/conf.d/10-mail.conf accordingly.
: ) (MTA
.
dovecot dovecot
:
To check that imap and pop3 answer, connect with telnet:

    telnet localhost pop3
    telnet localhost imap2
Dovecot is configured for SSL out of the box, using a self-signed certificate:

    ssl = yes
    ssl_cert = </etc/ssl/certs/dovecot.pem
    ssl_key = </etc/ssl/private/dovecot.pem

As with the SMTP server, you can replace the self-signed certificate with one issued for the host; the self-signed one is what makes mail clients warn about the certificate. The SSL settings live in /etc/dovecot/conf.d/10-ssl.conf.
.
If the server sits behind a firewall, open the ports for the protocols you enabled:

    Protocol   Port
    IMAP       143
    IMAPS      993
    POP3       110
    POP3S      995
Dovecot .
Dovecot
.
.4 Mailman
Mailman
)
( Mailman .
.
Mailman
:
Postfix
Exim
Sendmail
Qmail
Mailman
: Postfix .
Apache2
apache2 .
Postfix
.Postfix
Exim4
Exim4 .
/etc/exim4 exim4
exim4
in /etc/exim4/update-exim4.conf:

    dc_use_split_config='true'
Mailman
:Mailman
sudo apt-get install mailman
Mailman installs into /var/lib/mailman, with its CGI scripts in /usr/lib/cgi-bin/mailman, and runs as the list user and group.
.
mailman apache2 postfix exim4
.
Mailman /etc/mailman/apache.conf
:/etc/apache2/sites-available
    sudo cp /etc/mailman/apache.conf /etc/apache2/sites-available/mailman.conf
Mailman
:
Postfix
lists.example.com Postfix
lists.example.com .
:/etc/postfix/main.cf postconf
Then define a mailman transport in /etc/postfix/master.cf:

    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

The postfix-to-mailman.py script hands each message to Mailman. To route mail for lists.example.com through it, add the domain to the transport map in /etc/postfix/transport:

    lists.example.com      mailman:
: Postfix
: Postfix
Exim4
Exim :Exim4
.1
) Main(.
.2
) Transport(.
) Router .3(.
Exim
.
Main configuration, in /etc/exim4/conf.d/main/04_exim4-config_mailman:

    # start
    # Home dir for your Mailman installation -- aka Mailman's prefix
    # directory.
    # On Ubuntu this should be "/var/lib/mailman"
    # This is normally the same as ~mailman
    MM_HOME=/var/lib/mailman
    #
    # User and group for Mailman, should match your --with-mail-gid
    # switch to Mailman's configure script.  Value is normally "mailman"
    MM_UID=list
    MM_GID=list
    #
    # Domains that your lists are in - colon separated list
    # you may wish to add these into local_domains as well
    domainlist mm_domains=hostname.com
    #
    # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    #
    # These values are derived from the ones above and should not need
    # editing unless you have munged your mailman installation
    #
    # The path of the Mailman mail wrapper script
    MM_WRAP=MM_HOME/mail/mailman
    #
    # The path of the list config file (used as a required file when
    # verifying list addresses)
    MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck
    # end
Transport configuration, in /etc/exim4/conf.d/transport/40_exim4-config_mailman:

    mailman_transport:
      driver = pipe
      command = MM_WRAP \
                  '${if def:local_part_suffix \
                        {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                        {post}}' \
                  $local_part
      current_directory = MM_HOME
      home_directory = MM_HOME
      user = MM_UID
      group = MM_GID

Router configuration, in /etc/exim4/conf.d/router/101_exim4-config_mailman:

    mailman_router:
      driver = accept
      require_files = MM_HOME/lists/$local_part/config.pck
      local_part_suffix_optional
      local_part_suffix = -bounces : -bounces+* : \
                          -confirm+* : -join : -leave : \
                          -owner : -request : -admin
      transport = mailman_transport
Note: the router file is numbered 101_exim4-config_mailman so that it is processed before 200_exim4-config_primary.

Mailman needs a site-wide list named mailman; create it with newlist:

    sudo newlist mailman

The command prompts for the list owner and password, then prints the aliases the MTA needs:

    Enter the email address of the person running the list: user at ubuntu.com
    Initial mailman password:
    To finish creating your mailing list, you must edit your /etc/aliases (or
    equivalent) file by adding the following lines, and possibly running the
    `newaliases' program:

    ## mailman mailing list
    mailman:              "|/var/lib/mailman/mail/mailman post mailman"
    mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
    mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
    mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
    mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
    mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
    mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
    mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
    mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
    mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"
: Exim4 Mailman
) (aliases MTA=None
Mailman ./etc/mailman/mm_cfg.py
.
CGI
./usr/lib/cgi-bin/mailman/ Mailman
:
http://hostname/cgi-bin/mailman/admin
mailman
/usr/sbin/newlist .
.
Mailman
:
http://hostname/cgi-bin/mailman/listinfo
mailman
)(
.
.
.GNU Mailman
.Mailman
.5
) Unsolicited Bulk Email (UBE
) (SPAM
.
opendkim
.python-policyd-spf
Amavisd-new ) (wrapper
....
.
Spamassassin
ClamAV .
.Postfix
opendkim python-policyd-spf
.
Amavisd-new.
ClamAV
.Postfix
Spamassassin
Spamassassin X-Header
Amavisd-new .
) (queue
) (MUA
.
.
.Postfix
:
Spamassassin
:
    sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip zip

Some of these archivers are only in the multiverse repository; enable it in /etc/apt/sources.list and run sudo apt-get update before installing.
.
.
ClamAV
ClamAV
ClamAV ./etc/clamav
clamav amavis Amavisd-new
:
Spamassassin
pyzor .razor
To run the SpamAssassin daemon, edit /etc/default/spamassassin and change ENABLED=0 to:

    ENABLED=1
Amavisd-new
Amavisd-new
In /etc/amavis/conf.d/15-content_filter_mode, uncomment the @bypass lines so that virus and spam checking are active:

    use strict;

    # You can modify this file to re-enable SPAM checking through spamassassin
    # and to re-enable antivirus checking.

    #
    # Default antivirus checking mode
    # Uncomment the two lines below to enable it
    #

    @bypass_virus_checks_maps = (
       \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

    #
    # Default SPAM checking mode
    # Uncomment the two lines below to enable it
    #

    @bypass_spam_checks_maps = (
       \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

    1;
In /etc/amavis/conf.d/20-debian_defaults, $final_spam_destiny controls what happens to mail classified as spam: D_BOUNCE returns a bounce to the sender, D_DISCARD drops the message. Since spam almost always carries a forged sender, bouncing it only generates backscatter to third parties; discard instead:

    $final_spam_destiny = D_DISCARD;
Set the hostname amavis reports in the headers it adds ($myhostname, normally the name in the domain's MX record) and the domains whose mail it should filter (@local_domains_acl) in /etc/amavis/conf.d/50-user:

    $myhostname = 'mail.example.com';
    @local_domains_acl = ( "example.com", "example.org" );

To filter mail for every domain instead, use in /etc/amavis/conf.d/50-user:

    @local_domains_acl = qw(.);
: Amavisd-new
.6 DKIM
Amavisd-new
) (Domain Keys )(Whitelist
:/etc/amavis/conf.d/40-policy_banks
:
amavisd-
new :
:
.
Postfix .
:Postfix
    sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'
: /etc/postfix/master.cf
    smtp-amavis     unix    -       -       -       -       2       smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
            -o disable_dns_lookups=yes
            -o max_use=20

    127.0.0.1:10025 inet    n       -       -       -       -       smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_delay_reject=no
            -o smtpd_client_restrictions=permit_mynetworks,reject
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_data_restrictions=reject_unauth_pipelining
            -o smtpd_end_of_data_restrictions=
            -o mynetworks=127.0.0.0/8
            -o smtpd_error_sleep_time=0
            -o smtpd_soft_error_limit=1001
            -o smtpd_hard_error_limit=1000
            -o smtpd_client_connection_count_limit=0
            -o smtpd_client_connection_rate_limit=0
            -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

The re-injection listener on 127.0.0.1:10025 is bound to loopback and further restricted to mynetworks=127.0.0.0/8 with content_filter= cleared, so mail coming back from amavis is not filtered a second time and nothing off-host can use this port to bypass the filter.
Also add the following two lines under the existing pickup entry in /etc/postfix/master.cf, so that the spam reports Amavisd-new itself generates are not run through the filter again and classified as spam:

    pickup    ...   (existing entry, leave it as it is)
            -o content_filter=
            -o receive_override_options=no_header_body_checks
:Postfix
.
.
To verify that Amavisd-new is listening, connect to its SMTP port:

    telnet localhost 10024
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 [127.0.0.1] ESMTP amavisd-new service ready
    ^]
Mail that has passed through the filter carries headers like these:

    X-Virus-Scanned: Debian amavisd-new at example.com
    X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, BAYES_00
    X-Spam-Level:
: X-Virus-Scanned
.X-Spam-Status
.
.
Postfix .
Amavisd-new logs through syslog to /var/log/mail.log. The verbosity is set by $log_level in /etc/amavis/conf.d/50-user, on a scale from 1 to 5:

    $log_level = 2;
: Amavisd-new Spamassassin
.
For ClamAV, set in /etc/clamav/clamd.conf:

    LogVerbose true

ClamAV then logs in detail to /var/log/clamav/clamav.log.
:
.
.
:
.Amavisd-new
ClamAV .ClamAV
.Spamassassin
Pyzor.
Razor .
.DKIM.org
#ubuntu-server on freenode.
16
(ircd-irc2) IRC
.Jabber
.1 IRC
IRC
IRC .ircd-irc2
.
:ircd-irc2
/etc/ircd :
./usr/share/doc/ircd-irc2
.
IRC /etc/ircd/ircd.conf
IRC :
DNS IRC
irc.liveciper.com IRC irc.liveciper.com
IRC .
IRC :
IRC
... .
./usr/share/doc/ircd-irc2/ircd.conf.example.gz
IRC IRC
./etc/ircd/ircd.motd
IRC :
sudo service ircd-irc2 restart
IRC
ircd-ircu .ircd-hybrid
.2 Jabber
Jabber ) XMPP
( .
Jabberd 2 LAN
.
.
jabberd2
:
: jabber.example.com ID .
In /etc/jabberd2/c2s.xml set the server ID in the <local> section:

    <local>
      <id>jabber.example.com</id>
      ...
    </local>

and in the <authreg> section choose the authentication backend:

    <authreg>
      <module>db</module>
      ...
    </authreg>
jabberd2 :
sudo service jabberd2 restart
Jabber ) (Pidgin .
: Berkeley DB
.
Jabberd2 .Jabberd2
.Setting Up Jabber Server
17
) (Version Control
!
.
.1 Bazaar
Bazaar -
Subversion CVS
Bazaar
) distributed version
Bazaar
(control
.
.
:bzr
.
bzr whoami :
. Bazaar
Bazaar /usr/share/doc/bzr/html
bzr
:
bzr help
:
bzr help foo
. Launchpad
Launchpad
Bazaar
Launchpad .Launchpad Integration
.2 Git
Git ) (distributed
Git
.
.
git :
.
git git :
.
git
SSH :
:
) (bare
. .--bare
SSH :
cd /path/to/repository
. Gitolite
git git
Gitolite :
Gitolite
Gitolite
/etc/ Gitolite git
.
Gitolite :
Gitolite SSH
SSH
:
cp ~/.ssh/id_rsa.pub /tmp/$(whoami).pub
git :Gitolite
sudo su - git
gl-setup /tmp/*.pub
Gitolite
Gitolite ) SSH
( :
exit
git clone git@$IP_ADDRESS:gitolite-admin.git
cd gitolite-admin
Gitolite
Gitolite : SSH
Access is defined per repository in conf/gitolite.conf. Each rule grants a permission (R, RW, or RW+, the last also allowing history rewrites and branch deletion) to the users named on its right-hand side, who are identified by the SSH public keys kept in the admin repository:

    repo    gitolite-admin
        RW+     =   admin
        R       =   alice

    repo    project1
        RW+     =   alice
        RW      =   bob
        R       =   denise
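As an added example (not from the guide, and not Gitolite's own code), the script below answers "what can this user do to this repository?" from a gitolite.conf, expanding @groups, so that an access review can be scripted rather than read by eye; it also lists who holds RW+ on a repository, i.e. who can rewrite its history. The configuration in it is constructed for the example (the guide's two repositories plus an @qa group and a ref-restricted rule), and the function names gitolite_access and gitolite_rewriters are this example's own.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide or from Gitolite: evaluate
# gitolite.conf rules for a user.  Ref regexes on a rule ("RW refs/tags/v = x")
# are ignored, so the answer is "the strongest permission the user has on
# some ref of the repo".  The configuration below is constructed.

GITOLITE_CONF='@qa = denise carol

repo gitolite-admin
    RW+     =   admin
    R       =   alice

repo project1
    RW+     =   alice
    RW      =   bob
    R       =   @qa
    RW  refs/tags/v   = carol'

# gitolite_access CONF USER REPO -> RW+ | RW | R | none (strongest rule wins)
gitolite_access() {
    printf '%s\n' "$1" | awk -v user="$2" -v want="$3" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        $1 ~ /^@/ && $2 == "=" {                # group definition: @name = members
            for (i = 3; i <= NF; i++) member[$1, $i] = 1
            next
        }
        $1 == "repo" {                          # "repo a b" may name several repos
            active = 0
            for (i = 2; i <= NF; i++) if ($i == want) active = 1
            next
        }
        active {
            eq = 0
            for (i = 2; i <= NF; i++) if ($i == "=") eq = i
            if (!eq) next                       # not a permission line
            for (i = eq + 1; i <= NF; i++)
                if ($i == user || $i == "@all" || (($i, user) in member)) rank[$1] = 1
        }
        END {
            if ("RW+" in rank) print "RW+"
            else if ("RW" in rank) print "RW"
            else if ("R" in rank) print "R"
            else print "none"
        }'
}

# gitolite_rewriters CONF REPO -> users/groups with RW+ on REPO (history rewrite)
gitolite_rewriters() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "repo" { active = 0; for (i = 2; i <= NF; i++) if ($i == want) active = 1; next }
        active && $1 == "RW+" {
            eq = 0; for (i = 2; i <= NF; i++) if ($i == "=") eq = i
            for (i = eq + 1; i <= NF; i++) out = out (out == "" ? "" : " ") $i
        }
        END { print out }'
}

for u in admin alice bob denise carol; do
    echo "$u on project1: $(gitolite_access "$GITOLITE_CONF" "$u" project1)"
done
echo "can rewrite project1 history: $(gitolite_rewriters "$GITOLITE_CONF" project1)"
```

Note that a user's ability to push to gitolite-admin is equivalent to administering every repository, since that repository holds both the rules and the keys; gitolite_rewriters on gitolite-admin is therefore the list to review first.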
Gitolite
Gitolite
:
.3 Subversion
Subversion Subversion
.
.
.
Subversion HTTP
Subversion
Subversion
HTTPS .
:Subversion
.
Subversion .
Subversion
Subversion :
svnadmin create /path/to/repos/project
:
    svn import /path/to/import/directory file:///path/to/repos/project
.
) Subversion ] ([checked out
) repository
(location URL URL
.
:1-17 Subversion
file://
http://
https://
svn://
svn+ssh://
WebDAV
.Subversion
http:// .SSL
.svnserve
svn:// .SSH
- - Subversion
SVN book .
Subversion
Subversion :
svn co file:///path/to/repos/project
svn co file://localhost/path/to/repos/project
: ) (///
.
.
(http://) WebDAV
Subversion
WebDAV > <VirtualHost > </VirtualHost
Add a Location block to the VirtualHost in /etc/apache2/sites-available/default:

    <Location /svn>
      DAV svn
      SVNPath /home/svn
      AuthType Basic
      AuthName "Your repository name"
      AuthUserFile /etc/subversion/passwd
      Require valid-user
    </Location>
: Subversion /home/svn
svnadmin HTTP
.http://hostname/svn/repos_name
Subversion HTTP
HTTP HTTP
www-data
:
: www-data
Create the password file /etc/subversion/passwd with htpasswd. The -c option creates the file, so use it only for the first user; on an existing file it would overwrite every entry:

    sudo htpasswd -c /etc/subversion/passwd user_name

Add further users without -c:

    sudo htpasswd /etc/subversion/passwd user_name
:
svn co http://servername/svn
:
SSL .
/etc/apache2/sites-available/default-ssl.conf
SSL Subversion
.SSL
.
Subversion
https:// .Subversion
Subversion
/path/to/repos/project/conf/svnserve.conf
:
    [general]
    # password-db = passwd

Uncomment password-db so that it points at the passwd file in the same directory, and list the users in that file, one per line:

    username = password
Subversion svn://
svnserver svnserve :
    # -d           -- daemon mode
    # --foreground -- run in foreground (useful for debugging)
    # -r           -- root of directory to serve
Subversion ) (3690
:
.Subversion
update :
Subversion
) co (checkout
:
svn co help
(svn+ssh://) SSL
svn://
Subversion .svnserve
ssh
ssh
.
svn+ssh:// Subversion
SSL )
( :
svn co svn+ssh://hostname/var/svn/repos/project
: /path/to/repos/project Subversion
ssh
.Subversion
.4 CVS
CVS .
.
:CVS
.
cvs
/srv/cvs :
xinetd CVS
:/etc/xinetd.d/cvspserver
service cvspserver
{
port = 2401
socket_type = stream
protocol = tcp
user = root
wait = no
type = UNLISTED
server = /usr/bin/cvs
server_args = -f --allow-root /srv/cvs pserver
disable = no
}
: ).(/srv/cvs
xinetd CVS :
After restarting xinetd, check that the CVS pserver is listening:

    tcp        0      0 *:cvspserver            *:*                     LISTEN

Bear in mind that pserver sends passwords over the network only trivially obscured, so expose it on trusted networks only, or use CVS over SSH instead.
.CVS
: CVS
CVS CVS.
.
CVS
:CVS
cd your/project
    cvs -d :pserver:username@hostname.com:/srv/cvs import -m \
        "Importing my project to CVS repository" . new_project start
: CVSROOT CVS
-d cvs ) (export
.CVSROOT
new_project vendor start release
CVS .
: CVS CVS
)(/srv/cvs src CVS
.CVS
.5
Bazaar.
.Launchpad
Git.
.Gitolite
Subversion.
.Subversion
.CVS
.Easy Bazaar
.Subversion
18
.1
:
. Server Message
) Block (SMB
.
) .(Directory
LDAP .Microsoft Active Directory
.
.Kerberos
SMB .
.
.2
.
.
.
samba :
! .
.
/etc/samba/smb.conf
.
:
smb.conf .Samba HOWTO
Edit the [global] section of /etc/samba/smb.conf and set the workgroup and the security mode:

    workgroup = EXAMPLE
    ...
    security = user
security ] [global
EXAMPLE .
- -
:
    [share]
        comment = Ubuntu File Server Share
        path = /srv/samba/share
        browsable = yes
        guest ok = yes
        read only = no
        create mask = 0755
:comment .
:path /srv/samba/sharename
) Filesystem Hierarchy Standard
(FHS /srv )(
.
:browsable .
:guest ok .
:read only
) no (
yes .
:create mask .
:
sudo mkdir -p /srv/samba/share
sudo chown nobody.nogroup /srv/samba/share/
: -p mkdir .
samba :
:
.
IP \\192.168.1.1
.
Each [dir] section in /etc/samba/smb.conf defines one share, and the section name is the name clients see. For example, [share] exports /srv/samba/share, and a [qa] section would export /srv/samba/qa.
Samba .
.3
.
.
.
CUPS
CUPS .
:samba
/etc/samba/smb.conf workgroup
security :user
    workgroup = EXAMPLE
    ...
    security = user

and, in the [printers] section, make the printers browsable and available to guests:

    browsable = yes
    guest ok = yes
:smb.conf
.
.
CUPS .CUPS
.4
.
) Common Internet Filesystem (CIFS user-level share-level
user-level :share-level
:security=user
libpam-smbpass
.
:security=domain
) Primary Domain Controller (PDC
) Backup Domain Controller (BDC
) Domain Member Server (DMS
.
:security=ADS Active
Directory )(native member Active
Directory.
:security=server
Server
Security .
:security=share
.
.
Security = User
.
libpam-smbpass
:
In the [share] section of /etc/samba/smb.conf, require a login:

    guest ok = no
: Reconnect at Logon
.
.
the [share] section.
qa
freda danika rob support danika
jeremy vincent
qa
freda danika rob jeremy vincent
danika qa support
.
/etc/group
.
/etc/samba/smb.conf
@
sysadmin /etc/samba/smb.conf
.@sysadmin
/etc/samba/smb.conf
.
share
qa sysadmin
vincent /etc/samba/smb.conf
[share]:
.
share
melissa
in the [share] section of /etc/samba/smb.conf:
/etc/samba/smb.conf :
sudo restart smbd
sudo restart nmbd
NT
) Windows NT Access Control Lists (ACLs POSIX
ACLs ACLs
To enable POSIX ACLs on the filesystem holding /srv (EXT3 here), add the acl option to its entry in /etc/fstab:

    UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl 0 1
:
sudo mount -v -o remount /srv
: /srv /srv
/ .
sysadmin
/srv/samba/share qa
.melissa
:
sudo chown -R melissa /srv/samba/share/
sudo chgrp -R sysadmin /srv/samba/share/
sudo setfacl -R -m g:qa:rx /srv/samba/share/
: setfacl /srv/samba/share
.
acl setfacl .POSIX ACLs
. AppArmor
AppArmor
AppArmor
AppArmor -.
/usr/sbin/smbd ) /usr/sbin/nmbd
( apparmor-profiles
:
sudo apt-get install apparmor-profiles apparmor-utils
smbd nmbd
smbd
.
Add the share's path to /etc/apparmor.d/usr.sbin.smbd; for the [share] defined earlier:

      /srv/samba/share/ r,
      /srv/samba/share/** rwkix,
smbd
./var/log/syslog
.
.Samba
.5
Active Directory Primary Domain
(PDC) Controller Windows
NT4
) (backends .
.
) (PDC
.smbpasswd
libpam-smbpass
:
In /etc/samba/smb.conf, set the workgroup and use user-level security:

    workgroup = EXAMPLE
    ...
    security = user
Domains )
(:
:logon home .
:logon script
the [netlogon] share.
machines addgroup
.
logon home points at the user's home share, so add a [homes] share:

    [homes]
        comment = Home Directories
        browseable = no
        read only = no
        create mask = 0700
        directory mask = 0700
        valid users = %S

and a [netlogon] share for the logon script:

    [netlogon]
        comment = Network Logon Service
        path = /srv/samba/netlogon
        guest ok = yes
        read only = yes
        share modes = no
: netlogon /home/samba/netlogon
) (FHS /srv .
netlogon logon.cmd
)(:
sudo mkdir -p /srv/samba/netlogon
sudo touch /srv/samba/netlogon/logon.cmd
.
Windows Domain Admins
:net
: sysadmin
smbpasswd sysadmin :
sudo smbpasswd -a sysadmin
Domain Admins
) machine script ( :
NT4 .
.
) (PDC
) (BDC
.
LDAP
LDAP
LDAP.
samba libpam-smbpass :
In the [global] section of /etc/samba/smb.conf:

    workgroup = EXAMPLE
    ...
    security = user
Domains :
/var/lib/samba
admin scp
:
PDC
.
logon home PDC
PDC
logon home PDC .BDC
.
.6 Active Directory
.
Active Directory
.AD
AD Likewise-open
.Likewise Open Installation and Administration Guide
Active Directory
:
Edit /etc/samba/smb.conf:

    workgroup = EXAMPLE
    ...
    security = ads
    realm = EXAMPLE.COM
    ...
    idmap backend = lwopen
    idmap uid = 50-9999999999
    idmap gid = 50-9999999999
Windows
AD
.
.
Active Directory
:
:
AD
.
/etc/fstab :
smbclient
:
To download a file from the share:

    smbclient //fs01.example.com/share -k -c "get file.txt"

This fetches file.txt into the current directory.
To upload a file:

    smbclient //fs01.example.com/share -k -c "put /etc/hosts hosts"

This copies /etc/hosts to //fs01.example.com/share/hosts.
-c smbclient
smb: \>
FTP :
smbclient //fs01.example.com/share -k
To mount the share permanently, add an entry to /etc/fstab using mount.cifs; the share can be given by name (//fs01.example.com/share) or by IP address (//192.168.0.5/share), with the credentials as mount options such as username=steve,password=secret. Since /etc/fstab is world-readable, put the username and password in a separate file readable only by root and reference it with the credentials= option rather than writing the password into fstab. See man mount.cifs for the full list of options.
19
.
.
.1
) (shell script
tar
.NFS
tar
tar
.
.
NFS tar
:
    #!/bin/sh
    ####################################
    #
    # Backup to NFS mount script.
    #
    ####################################

    # What to backup.
    backup_files="/home /var/spool/mail /etc /root /boot /opt"

    # Where to backup to.
    dest="/mnt/backup"

    # Create archive filename.
    day=$(date +%A)
    hostname=$(hostname -s)
    archive_file="$hostname-$day.tgz"

    # Print start status message.
    echo "Backing up $backup_files to $dest/$archive_file"
    date
    echo

    # Backup the files using tar.
    # $backup_files is deliberately unquoted so that it expands to one
    # argument per directory.
    tar czf "$dest/$archive_file" $backup_files

    # Print end status message.
    echo
    echo "Backup finished"
    date

    # Long listing of files in $dest to check file sizes.
    ls -lh "$dest"
:$backup_files
.
:$hostname
.
:$archive_file .
:$dest
) (NFS .NFS
:c .
:z gzip .
:f tar
.
.
.
backup.sh :
)(cron
cron cron
.
cron reads its schedule from crontab files. Each line consists of five time fields followed by the command to run:

    m h dom mon dow command

    m:       minute, 0 to 59.
    h:       hour, 0 to 23.
    dom:     day of the month.
    mon:     month, 1 to 12.
    dow:     day of the week, 0 to 7, where both 0 and 7 mean Sunday.
    command: the command to run.
crontab -e crontab
crontab .crontab -l
To run backup.sh from cron, edit root's crontab:

    sudo crontab -e

Because sudo crontab -e edits root's crontab, the job runs with the privileges needed to read every directory in the backup set. Add a line that runs backup.sh once a day, for example at 12:00 AM, and install backup.sh in /usr/local/bin so that the path in that line finds it.
.
.
To restore a single file, use tar's -C option to choose where to extract: paths in the archive are relative to /, so extracting /etc/hosts into /tmp yields /tmp/etc/hosts. To restore everything, extract from / instead:

    cd /
    sudo tar -xzvf /mnt/backup/host-Monday.tgz

This overwrites the current files with the archived versions.
Advanced Bash-Scripting Guide.
CronHowto cron.
tar
:
:cpio .
:dd coreutils
.
:rsnapshot snapshot
.
:rsync .
.2
.
. NFS
-- )--(:
    #!/bin/bash
    ####################################
    #
    # Backup to NFS mount script with
    # grandfather-father-son rotation.
    #
    ####################################

    # What to backup.
    backup_files="/home /var/spool/mail /etc /root /boot /opt"

    # Where to backup to.
    dest="/mnt/backup"

    # Setup variables for the archive filename.
    day=$(date +%A)
    hostname=$(hostname -s)

    # Find which week of the month 1-4 it is.
    # date +%d pads with a zero; "08" and "09" are invalid octal numbers
    # inside (( )), so force base 10 or the script aborts on those days.
    day_num=$((10#$(date +%d)))
    if (( $day_num <= 7 )); then
            week_file="$hostname-week1.tgz"
    elif (( $day_num > 7 && $day_num <= 14 )); then
            week_file="$hostname-week2.tgz"
    elif (( $day_num > 14 && $day_num <= 21 )); then
            week_file="$hostname-week3.tgz"
    elif (( $day_num > 21 && $day_num < 32 )); then
            week_file="$hostname-week4.tgz"
    fi

    # Find if the Month is odd or even.
    month_num=$(date +%m)
    month=$(expr $month_num % 2)
    if [ $month -eq 0 ]; then
            month_file="$hostname-month2.tgz"
    else
            month_file="$hostname-month1.tgz"
    fi
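As an added example, not from the guide, the script below isolates two things the rotation script above leaves implicit: the slot selection as a pure function that can be tested for every day of the month (with the leading zero stripped in a way that also works in plain sh), and a verify step after tar runs, recording a SHA-256 beside the archive so that a later restore can tell a truncated or tampered tarball from a good one before trusting it. The function names gfs_slot, backup_and_verify and verify_archive are this example's own; sha256sum is assumed to be present (GNU coreutils).

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide.  Slot selection for the
# grandfather-father-son scheme as a testable function, plus a backup that
# verifies what it wrote.  Assumes GNU coreutils (sha256sum); on BSD use
# "shasum -a 256" instead.

# gfs_slot HOST DAY_OF_MONTH MONTH -> "weekly-archive monthly-archive"
gfs_slot() {
    host=$1
    dom=${2#0}    # "08" -> "8": avoids the octal problem without needing 10#
    mon=${3#0}
    if   [ "$dom" -le 7 ];  then week=1
    elif [ "$dom" -le 14 ]; then week=2
    elif [ "$dom" -le 21 ]; then week=3
    else                         week=4
    fi
    if [ $((mon % 2)) -eq 0 ]; then month=2; else month=1; fi
    echo "$host-week$week.tgz $host-month$month.tgz"
}

# backup_and_verify SRC_DIR DEST_DIR ARCHIVE -> 0 only if the archive was
# written, can be listed back in full, and its checksum was recorded
backup_and_verify() {
    src=$1; dest=$2; archive=$3
    tar -C "$src" -czf "$dest/$archive" . || return 1
    tar -tzf "$dest/$archive" >/dev/null  || return 1   # readable end to end?
    ( cd "$dest" && sha256sum "$archive" > "$archive.sha256" )
}

# verify_archive DEST_DIR ARCHIVE -> 0 only if the recorded checksum still matches
verify_archive() {
    ( cd "$1" && sha256sum -c "$2.sha256" >/dev/null 2>&1 )
}

gfs_slot "$(hostname)" "$(date +%d)" "$(date +%m)"
```

The checksum file lives next to the archive, so it protects against transport and media errors and against casual tampering; against an attacker who can write to the backup share it only helps if the .sha256 files are also copied somewhere that share cannot reach.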
.
NFS
NFS
WAN .
.
.
) (tape NFS
.
mt .cpio
:
#!/bin/bash
####################################
#
# Backup to tape drive script.
#
####################################
    # What to backup.
    backup_files="/home /var/spool/mail /etc /root /boot /opt"

    # Where to backup to.
    dest="/dev/st0"
/dev/st0 is the first SCSI tape drive; adjust it for your device. To restore a file from tape, rewind the tape and extract the file, here /etc/hosts into /tmp/etc/hosts:

    mt -f /dev/st0 rewind
    tar -xzf /dev/st0 -C /tmp etc/hosts
.3 Bacula
Bacula
Bacula OS X
.
. Bacula
Bacula :
:Bacula Director
.
.GTK+
.wxWidgets
:Bacula File
Bacula
.Director
:Bacula Storage
.
:Bacula Catalog
Catalog MySQL
PostgreSQL .SQLite
.
: MySQL PostgreSQL
.Bacula
Bacula
:Bacula
.
Bacula
Bacula's configuration lives in /etc/bacula and consists of resources enclosed in braces ({ }); each Bacula component has its own file. The Director's default backup job, for example, looks like this:

    #
    # Define the main nightly save backup job
    #   By default, this job will back up to disk in
    Job {
      Name = "BackupServer"
      JobDefs = "DefaultJob"
      Write Bootstrap = "/var/lib/bacula/Client1.bsr"
    }
: BackupServer
BackupServer .
Console Director
Console bacula
:
: $username
.
.
.
Configure the tape device in the Storage daemon's /etc/bacula/bacula-sd.conf:

    Device {
      Name = "Tape Drive"
      Device Type = tape
      Media Type = DDS-4
      Archive Device = /dev/st0
      Hardware end of medium = No;
      AutomaticMount = yes;               # when device opened, read it
      AlwaysOpen = Yes;
      RemovableMedia = yes;
      RandomAccess = no;
      Alert Command = "sh -c 'tapeinfo -f %c | grep TapeAlert'"
    }
Storage /etc/bacula/bacula-dir.conf
:
Address ) (FQDN
backupserver .
Password password
./etc/bacula/bacula-sd.conf
Define a FileSet:

    # LocalhostBackup FileSet.
    FileSet {
      Name = "LocalhostFiles"
      Include {
        Options {
          signature = MD5
          compression=GZIP
        }
        File = /etc
        File = /home
      }
    }
00:01 12:01 AM
.
Then the Job:

    # Localhost backup.
    Job {
      Name = "LocalhostBackup"
      JobDefs = "DefaultJob"
      Enabled = yes
      Level = Full
      FileSet = "LocalhostFiles"
      Schedule = "LocalhostDaily"
      Storage = TapeDrive
      Write Bootstrap = "/var/lib/bacula/LocalhostBackup.bsr"
    }
.
) (Label
Bacula
Console :
bconsole
Bacula Console
:
label
Select the Storage resource:

    Automatically selected Catalog: MyCatalog
    Using Catalog "MyCatalog"
    The defined Storage resources are:
         1: File
         2: TapeDrive
    Select Storage resource (1-2):2

Enter a name for the volume:

    Enter new Volume name: Sunday
    Defined Pools:
         1: Default
         2: Scratch

The volume is named Sunday here. Then select the Pool:

    Select the Pool (1-2): 1
    Connecting to Storage daemon TapeDrive at backupserver:9103 ...
    Sending label command for Volume "Sunday" Slot 0 ...
. Bacula !
.
.Bacula Bacula
.Bacula
20
.
.
KVM KVM
Intel AMD Xen
Xen
Qemu
) .(virtualization extensions
.1 libvirt
libvirt
libvirt KVM
:
kvm-ok
:
BIOS.
.
usermode SLIRP
NAT .
bridge
.
.
:
libvirtd
libvirt-bin :
:
.
)(Guest
.
) (GUI
virt-viewer
VNC .
preseed kickstart
. .
ubuntu-vm-builder
ubuntu-vm-builder .
.uvtools
Libvirt Xen .
virt-install
virt-install virtinst
:
The virt-install options used:

    -r 256: the amount of memory for the guest, in megabytes.
    --disk path=/var/lib/libvirt/images/web_devel.img,size=4: the guest's disk image, web_devel.img in /var/lib/libvirt/images/, 4 GB in size, attached on the virtio disk bus.
    --network: attaches the guest to the default virtual network, using the virtio network model.
VNC
.
    --noautoconsole: do not connect to the guest console automatically.
    -v: create a fully virtualized guest.
virt-install
GUI .virt-viewer
virt-clone
virt-clone options:

    -o: the name of the existing guest to clone.
    -n: the name of the new guest.
    -f: the path for the new guest's disk image.
    --connect: the hypervisor to connect to.
    -d or --debug: show debugging output while virt-clone runs.

The example clones web_devel to database_devel.
virsh
libvirt virsh
:
:
virsh -c qemu:///system list
:
virsh -c qemu:///system start web_devel
:
virsh -c qemu:///system autostart web_devel
:
virsh -c qemu:///system reboot web_devel
) (state
:
.
:
CD-ROM :
: web_devel web_devel-
022708.state .
virt-manager
:
virt-manager ) (GUI
libvirt:
virt-manager -c qemu:///system
libvirt :
virt-manager -c qemu+ssh://virtnode1.mydomain.com/system
: SSH
virtnode1.mydomain.com
SSH
SSH libvirt . SSH
: .
virt-viewer virt-viewer
) (GUI
:virt-viewer
    virt-viewer -c qemu+ssh://virtnode1.mydomain.com/system web_devel
web_devel .
) (bridged network interface
SSH .
KVM .
libvirt libvirt.
#ubuntu-virt freenode
.
.KVM
.2 uvtool
.
12.04
.
. uvtool
14.04 uvtool )(VM
uvtool
.
Uvtool
:uvtool
uvtool
uvtool-libvirt
uvtool :apt-get
:uvtool
uvt-simplestreams-libvirt
uvt-kvm
uvt-simplestreams-libvirt
uvtool
amd64 :
:
uvt-simplestreams-libvirt query
= release = arch :
uvt-kvm
SSH
:
ssh-keygen
uvtool
:
firsttest
) (LTS
=:release
:SSH
--insecure
.
IP ssh
: IP
    uvt-kvm ip secondtest
    192.168.123.242
    ssh -i ~/.ssh/id_rsa ubuntu@192.168.123.242
    The authenticity of host '192.168.123.242 (192.168.123.242)' can't be established.
    ECDSA key fingerprint is 3a:12:08:37:79:24:2f:58:aa:62:d3:9d:c0:99:66:8a.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.123.242' (ECDSA) to the list of known hosts.
    Welcome to Ubuntu Trusty Tahr (development branch) (GNU/Linux 3.13.0-12-generic x86_64)

     * Documentation:  https://help.ubuntu.com/

      System information disabled due to load higher than 1.0

      Get cloud support with Ubuntu Advantage Cloud Guest:
        http://www.ubuntu.com/business/services/cloud

    0 packages can be updated.
    0 updates are security updates.

    Last login: Fri Mar 21 13:25:56 2014 from 192.168.123.1
:
uvt-kvm list
secondtest
:
uvt-kvm destroy secondtest
uvt-kvm
:
    --disk: the size of the guest's disk in gigabytes; the default is 8.
    --cpu: the number of virtual CPUs; the default is 1.
    --password password: sets a password for the default ubuntu account, through cloud-init; without it the guest accepts only the SSH key.
.ubuntu-server at lists.ubuntu.com :
.3
) (Cloud Computing
) (abstracted
.
OpenStack .
.
.
.
.OpenStack Compute
.CloudGlossary.com
.4 LXC
) (containers
vserver
.OpenVZ
) (user-space
Libvirt LXC lxc:///
.
LXC libvirt
.
lxc libvirt-lxc
AppArmor libvirt-lxc
CN C1 .C2
.
lxc :
subuids subgids
.
.
LXC lxc
lxc )
(
.
:
    sudo lxc-create -t download -n u1

or, naming the image explicitly:

    sudo lxc-create -t download -n u1 -- --dist ubuntu --release trusty --arch amd64
lxc-ls lxc-info
sudo
sudo
sudo
sudo
sudo
) user
(namespaces
) (initial user namespace
/proc/self/uid_map and /proc/self/gid_map show the mapping in effect for a process. In the initial user namespace each contains the single line 0 0 4294967295: the whole id range maps onto itself.
14.04
/etc/subuid /etc/subgid
subuid subgid 100000 .
usermod :
With the range 100000-165536 allocated to the user by usermod, configure the default id mapping and network for that user's containers:

    mkdir -p ~/.config/lxc
    echo "lxc.id_map = u 0 100000 65536" > ~/.config/lxc/default.conf
    echo "lxc.id_map = g 0 100000 65536" >> ~/.config/lxc/default.conf
    echo "lxc.network.type = veth" >> ~/.config/lxc/default.conf
    echo "lxc.network.link = lxcbr0" >> ~/.config/lxc/default.conf
    echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
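As an added example (not from the guide or the LXC project), the script below derives the two lxc.id_map lines from /etc/subuid and /etc/subgid instead of retyping the numbers, and checks that no two users' ranges overlap. Overlap matters because it defeats the purpose of unprivileged containers: root inside one user's container would then own uids that also belong to another user's containers. The subuid and subgid contents in it are constructed for the example, and the function names subid_map and subid_overlaps are this example's own.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: generate lxc.id_map lines
# from subuid/subgid entries and detect overlapping ranges.  The file
# contents below are constructed for this example; in practice read
# /etc/subuid and /etc/subgid.

SUBUID='alice:100000:65536
bob:165536:65536
carol:200000:65536'

SUBGID='alice:100000:65536
bob:165536:65536
carol:231072:65536'

# subid_map SUBUID_TEXT SUBGID_TEXT USER -> the two lxc.id_map lines for USER,
# or return 1 if USER has no range in either file
subid_map() {
    umap=$(printf '%s\n' "$1" | awk -F: -v u="$3" '$1 == u { print "lxc.id_map = u 0 " $2 " " $3; exit }')
    gmap=$(printf '%s\n' "$2" | awk -F: -v u="$3" '$1 == u { print "lxc.id_map = g 0 " $2 " " $3; exit }')
    [ -n "$umap" ] && [ -n "$gmap" ] || return 1
    printf '%s\n%s\n' "$umap" "$gmap"
}

# subid_overlaps SUBID_TEXT -> prints "userA userB" for every overlapping pair;
# returns 1 if any overlap exists, 0 otherwise
subid_overlaps() {
    printf '%s\n' "$1" | awk -F: '
        NF == 3 { n++; user[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) { print user[i], user[j]; bad = 1 }
            exit bad
        }'
}

subid_map "$SUBUID" "$SUBGID" alice
subid_overlaps "$SUBUID" || echo "subuid ranges overlap: fix /etc/subuid before creating containers"
```

In the constructed /etc/subuid, carol's range starts at 200000, inside bob's 165536-231071, which is exactly the kind of hand-edited mistake this check catches; usermod --add-subuids never produces it, but manual edits and restored files do.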
:sudo
- -
:
lxc.mount.auto = cgroup
lxc.aa_profile = lxc-container-default-with-nesting
lxc
AppArmor
AppArmor
AppArmor .
.
LXC
/etc/lxc .~/.config/lxc
lxc.conf lxc lxcpath
lvm .zfs
default.conf
.
lxc-usernet.conf
.
lxc.conf default.conf /etc/lxc $HOME/.config/lxc
lxc-usernet.conf .
/var/lib/lxc
$HOME/.local/share/lxc lxc
.-P|--lxcpath
LXC
) (layer 2
veth LXC
NAT lxcbr0
veth lxcbr0
.
upstart
init shutdown
) (abstract Unix domain socket upstart
!
lxcbr0 IP
:/etc/lxc/dnsmasq.conf
dhcp-host=lxcmail,10.0.3.100
dhcp-host=ttrss,10.0.3.101
iptables :
) -
( lxcbr0:
lxc.network.type = veth
lxc.network.link = br0
LXC macvlan
.
IP lxc-ls fancy
IP lxc-info -i -H -n C1
IP C1 dnsmasq
/etc/dnsmasq.conf :
server=/lxc/10.0.3.1
dnsmasq C1.lxc :
ping C1
ssh C1
lxc.conf
./usr/share/doc/lxc/examples/
. LXC
LXC :upstart
:/etc/init/lxc-net.conf
/etc/default/lxc ) USE_LXC_BRIDGE true(
NAT .
:/etc/init/lxc-instance.conf /etc/init/lxc.conf
.
.
LXC
/var/lib/lxc/C1/rootfs
~/.local/share/lxc/C1/rootfs lxcpath
lxc.system.conf
.$lxcpath/C1/rootfs
snapshot C2 C1 overlayfs
overlayfs:/var/lib/lxc/C1/rootfs:/var/lib/lxc/C2/delta0
loop btrfs LVM .zfs
btrfs
)(subvolume
snapshot snapshot .
LVM
lxc.conf
.lxc-create
zfs zfs
/var/lib/lxc/C1/rootfs zfsroot lxc-create
.lxc.system.conf
.lxc-create
.
lxc-create
) (templates lxc
lxc /usr/share/lxc/templates
.
lxc download lxc
.debootstrap
lxc-create --
--name --template --bdev lxc-create
--release :
--help lxc-create
:
LXC 14.04
/etc/lxc/auto 14.04
:
lxc.start.auto = 1
lxc.start.delay = 5
5
LXC
autostart lxc-autostart lxc-container.conf
.
. AppArmor
LXC AppArmor
/proc/sysrq-trigger ./sys
usr.bin.lxc-start lxc-start
lxc-start
init LXC .
lxc-container-default ./etc/apparmor.d/lxc/lxc-default
.
MySQL
) ( MySQL
) (.
lxc-execute AppArmor )(spawn
.
lxc-start AppArmor
lxc-start:
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
    sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/
lxc-start
usr.bin.lxc-start
:
lxc.aa_profile = unconfined
. LXC
use the lxc-container-default-with-nesting profile instead:

    lxc.aa_profile = lxc-container-default-with-nesting
libvirt )
(/etc/apparmor.d/lxc/lxc-default-with-nesting):
mount fstype=cgroup -> /sys/fs/cgroup/**,
/sys /proc
AppArmor
proc sys .
/etc/apparmor.d/lxc-containers CN
lxc-CN-profile :
lxc.aa_profile = lxc-CN-profile
.
) (cgroups
) (block or character devices
.
CN /lxc/CN
) lxcpaths(
-n n .
CN CN
/usr/1000.user/1.session/CN
) (
.
14.04 LXC cgmanager
D-Bus /sys/fs/cgroup
cgmanager/sock / :
lxc.mount.auto = cgroup
/sys/fs/cgroup/cgmanager
) (bind-mounted
) cgmanager (
/sys/fs/cgroup/cgmanager /sys/fs/cgroup/cgmanager.lower
/sys/fs/cgroup/cgmanager/sock
.
.lxc-clone
snapshots
snapshot
snapshots --
) (copy-on-write snapshots
btrfs LVM zfs
LVM thinpool-provisioned
snapshots snapshots zfs snapshots
) (release snapshots LVM
. btrfs fsync
dpkg apt-get.
snapshots
C1 /var/lib/lxc/C1/rootfs
snapshot C1 C2 C1
/var/lib/lxc/C2/delta0
C1 C2 C1
snapshot .
C1 :
sudo lxc-clone -o C1 -n C2
snapshot:
sudo lxc-clone -s -o C1 -n C2
lxc-clone .
Snapshots
LXC snapshots snapshot
- C1 - :snapshot
sudo lxc-snapshot -n C1
snapshot snapshots C1
overlayfs C1 C1
overlayfs snapshots :
    lxc-clone -s -o C1 -n C2
    lxc-start -n C2 -d        # make some changes
    lxc-stop -n C2
    lxc-snapshot -n C2
    lxc-start -n C2           # etc
) (Ephemeral containers
C1 :
lxc-start-ephemeral -o C1
snapshot C1
lxc-start-
ephemeral .
.
12.10 ) (hooks
:
.
.
pivot_root .
.
).(debug
lxc.container.conf
lxc
.
)(consoles
/dev/console lxc-start -d
/dev/console -c console-file
lxc-start lxc.tty
4 ) /dev/ttyN N 1
(4 console 3 :
-t N
Ctrl-a q lxc-start
.-d
:LXC
lxc trace
debug.out debug.out
.
lxc-monitor :
-n
POSIX
lxc-monitor lxc-wait
:
sudo lxc-attach -n C1
C1
) (namespaces
) (security context .
init
LXC init )
( init :upstart
: init
LXC API .
liblxc ( API) LXC
.go lua
(python3-lxc )
:
sudo python3
.
) (ids
IPC
) (leaks
.
LXC AppArmor
AppArmor LXC AppArmor
/proc /sys .
) (system calls
!
12.10 seccomp Seccomp
) (1 )
(whitelist .
-
- 32 64
lxc.container.conf seccomp
.seccomp
.
LXC .linuxcontainers.org
21
libcgroup .lmctfy
freedesktop.org
) .(cgroup filesystem interface
14.04 ) (cgmanager
cgroup dbus
.1
) (cgroups
) (hierarchy
) (devices /sys/fs/cgroups/set1
/child1 .
) (
/child1 /child1
./child1
:cpusets
cpusets
.
:blkio / .
:cpuacct .
:devices
) (whitelist ).(blacklist
) (scheduled .
:hugetlb hugetlb .
:memory ) (swap .
:net_cls
(traffic controller ) tc
.
:net_prio .
cpu: controls the share of CPU time the group's tasks receive.
perf_event: allows performance monitoring of all tasks (threads) in the group.
systemd .
.2
A child cgroup is created with mkdir:

    mkdir /cgroup1/child1

and tasks are moved into it by writing their pid into the new cgroup's tasks file (per thread) or cgroup.procs file (per process):

    sleep 100 &
    echo $! > /cgroup1/child1/cgroup.procs
cgroup
:child1
cgroups .
.3
) (delegation
/child1
/child1/child2 .
14.04
LXC
.
.4
) (cgmanager D-Bus
. ) (namespace
D-Bus
process user group SCM_CREDENTIALS
.
D-Bus
) (cgproxy D-Bus
SCM D-Bus
.cgmanager
- ) (compile
- :
.5
cgmanager .linuxcontainers.org
freedesktop.org .
22
.1 DRBD
) ([DRBD] Distributed Replicated Block Device
. RAID
... . ).(mirrored
DRBD :
: ) (virtual kernel
.
drbd01 and drbd02
. /etc/hosts DNS
: /etc/drbd.conf drbd
. /etc/drbd.conf :
/etc/drbd.conf :
/etc :drbd02
drbdadm :
:drbd
drbd01
:
drbd02 :
Ctrl+c .
/dev/drbd0
:
.
drbd01
:/srv
:/srv
ls /srv/default )(
.drbd01
.
DRBD .
man drbd.conf .
.man drbdadm
DRBD .
23
VPN
VPN
.1 OpenVPN
OpenVPN
) Public Key Infrastructure (PKI
SSL/TLS VPN
OpenVPN (routed or bridged VPN) VPN
TCP UDP
1194
VPN OS X
) (routers .OpenWRT
.
OpenVPN
:
.
OpenVPN ) (PKI
:
)
( .
) (CA
.
OpenVPN
.
) (.
OpenVPN
easy-rsa /etc/openvpn
:
    mkdir /etc/openvpn/easy-rsa/
    cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
Edit /etc/openvpn/easy-rsa/vars and set the fields that will go into your certificates:

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="NC"
    export KEY_CITY="Winston-Salem"
    export KEY_ORG="Example Company"
    export KEY_EMAIL="steve@example.com"
    export KEY_CN=MyVPN
    export KEY_NAME=MyVPN
    export KEY_OU=MyVPN

Then generate the CA and the server certificate:

    cd /etc/openvpn/easy-rsa/
    source vars
    ./clean-all
    ./build-ca
    ./build-key-server myservername

./clean-all empties the keys/ directory, so run it only once, when setting the CA up; running it again later destroys the CA key and every certificate issued from it.
    ./build-dh

The certificates and keys are written to the keys/ subdirectory; copy the ones the server needs to /etc/openvpn:

    cd keys/
    cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/

Create a certificate for each VPN client:

    cd /etc/openvpn/easy-rsa/
    source vars
    ./build-key client1

and copy these files to the client over a secure channel (client1.key is the client's private key):

    /etc/openvpn/ca.crt
    /etc/openvpn/easy-rsa/keys/client1.crt
    /etc/openvpn/easy-rsa/keys/client1.key
OpenVPN:
ls -l /usr/share/doc/openvpn/examples/sample-config-files/
total 68
-rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf
-rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz
server.conf.gz /etc/openvpn/server.conf:
sudo cp /usr/share/doc/openvpn/examples/\
sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
/etc/openvpn/server.conf:
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
IP /etc/sysctl.conf:
#net.ipv4.ip_forward=1
sysctl:
OpenVPN
server.conf
syslog:
OpenVPN tun0:
ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          [...]
OpenVPN
OpenVPN
openvpn:
client.conf /etc/openvpn/:
sudo cp /usr/share/doc/openvpn/examples/\
sample-config-files/client.conf /etc/openvpn/
/etc/openvpn/client.conf
/etc/openvpn:
ca ca.crt
cert client1.crt
key client1.key
OpenVPN
client:
client
remote vpnserver.example.com 1194
OpenVPN:
tun0:
ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
ping (OpenVPN):
ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.920 ms
OpenVPN IP:
ping
/24
ping
Flags MSS Window irtt Iface
UH    0   0      0    tun0
UGH   0   0      0    tun0
U     0   0      0    eth0
UG    0   0      0    eth0
.1
.2 syslog
.3 UDP 1194 (proto, port)
.4 comp-lzo
.5
VPN
VPN
VPN
192.168.0.0/16
VPN
VPN
OpenVPN (10.8.0.0/24)
OpenVPN
OpenVPN IP
IP
ifconfig-pool-persist ipp.txt
DNS:
client-to-client
VPN:
comp-lzo
keepalive (ping 1, 3):
keepalive 1 3
OpenVPN:
user nobody
group nogroup
# client config
auth-user-pass
OpenVPN
PAM
Kerberos
VPN
OpenVPN (bridged VPN)
(routed VPN) VPN OSI
VPN (frames) (layer-2)
(VPN partners) VPN
(VPN partners) VPN
LAN DHCP ... ARP
VPN
.2
bridge-utils:
OpenVPN
eth0, eth1
LAN /etc/network/interfaces:
auto eth0
iface eth0 inet static
address 1.2.3.4
netmask 255.255.255.248
default 1.2.3.1
auto eth1
iface eth1 inet static
address 10.0.0.4
netmask 255.255.255.0
eth1 br0
eth1:
auto eth0
iface eth0 inet static
        address 1.2.3.4
        netmask 255.255.255.248
        default 1.2.3.1

auto eth1
iface eth1 inet manual
        up ip link set $IFACE up promisc on

auto br0
iface br0 inet static
        address 10.0.0.4
        netmask 255.255.255.0
        bridge_ports eth1

sudo ifdown eth1 && sudo ifup -a
.3
/etc/openvpn/server.conf:
;dev tun
dev tap
up "/etc/openvpn/up.sh br0 eth1"
;server 10.8.0.0 255.255.255.0
server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254
eth1 tap
/etc/openvpn/up.sh:
#!/bin/sh
# Arguments passed from server.conf: bridge, ethernet device, tap device
BR=$1
ETHDEV=$2
TAPDEV=$3
/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif "$BR" "$TAPDEV"
openvpn:
.4
openvpn:
/etc/openvpn
/etc/openvpn/client.conf:
dev tap
;dev tun
ca ca.crt
cert client1.crt
key client1.key
openvpn:
LAN VPN
OpenVPN
network-manager-openvpn VPN:
restart network-manager
| 600
14.04 -
VPN
OS X Tunnelblick
Tunnelblick OpenVPN
OpenVPN
client.ovpn:
/Users/username/Library/Application Support/Tunnelblick/Configurations/
Tunnelblick
OpenVPN
OpenVPN
OpenVPN Windows GUI
OpenVPN
OpenVPN MI GUI
OpenVPN C:\Program Files\OpenVPN\config\client.ovpn CA:
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote server.example.com
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-user-pass
auth-retry interact
comp-lzo yes
verb 3
ca ca.crt
cert "C:\\Users\\username\\My Documents\\openvpn\\client.crt"
key "C:\\Users\\username\\My Documents\\openvpn\\client.key"
management 127.0.0.1 1194
management-hold
management-query-passwords
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node MyTAP
auth-user-pass
auth-retry interact
management 127.0.0.1 1194
management-hold
management-query-passwords
OpenVPN OpenWRT
OpenWRT WLAN
OpenWRT
OpenVPN
VPN
OpenWRT OpenVPN:
opkg update
opkg install openvpn
/etc/config/openvpn
/etc/openvpn:
OpenVPN:
OpenVPN
OpenVPN: Building And Integrating (Packt)
24
.1 pam_motd
MOTD (Message Of The Day):
landscape-common, landscape-client:
Landscape
/usr/bin/landscape-sysinfo
MOTD:
  System load:  0.0               Processes: 76
  Usage of /:   30.2% of 3.11GB
  Memory usage: 20%               10.153.107.115
  Swap usage:   0%
landscape-sysinfo:
update-notifier-common:
(fsck)
pam_motd /etc/update-motd.d
/var/run/motd
/etc/motd.tail
weather-util:
#!/bin/sh
#
#
# Prints the local weather information for the MOTD.
#
#

# Replace KINT with your local weather station.
# Local stations can be found here:
# http://www.weather.gov/tg/siteloc.shtml

echo
weather -i KINT
echo

/etc/update-motd.d/98-local-weather:
sudo ln -s /usr/local/bin/local-weather \
    /etc/update-motd.d/98-local-weather

pam_motd
.2 etckeeper
etckeeper /etc/
(VCS) apt /etc
/etc
etckeeper
etckeeper:
/etc/etckeeper/etckeeper.conf
etckeeper
Bazaar
etckeeper /etc
AVOID_DAILY_AUTOCOMMITS
/etc VCS:
postfix:
postfix:
added postfix/master.cf
added postfix/post-install
added postfix/postfix-files
added postfix/postfix-script
added postfix/sasl
added ppp/ip-down.d
added ppp/ip-down.d/postfix
added ppp/ip-up.d/postfix
added rc0.d/K20postfix
added rc1.d/K20postfix
added rc2.d/S20postfix
added rc3.d/S20postfix
added rc4.d/S20postfix
added rc5.d/S20postfix
added rc6.d/K20postfix
added resolvconf/update-libc.d
added resolvconf/update-libc.d/postfix
added rsyslog.d/postfix.conf
added ufw/applications.d/postfix
Committed revision 2.
etckeeper /etc/
bzr hosts:
modified:
  hosts
bzr
.3 Byobu
screen
screen (shells)
byobu
byobu F9:
Byobu
Byobu
Byobu
(escape sequence)
f-keys
screen-escape-keys none
byobu
Byobu byobu
byobu
byobu scrollback F7
scrollback
vi:
h:
j:
k:
l:
0:
$:
G: ( )
?:
n:
.4
man update-motd
update-motd
etckeeper
etckeeper
bzr
screen
Screen
Byobu
Launchpad
Launchpad
.1 apport-cli
apport-cli
Launchpad
apport-cli, ubuntu-bug:
apport-bug
apport-cli
apport-cli
apport-cli:
apport-cli PACKAGENAME
apport-cli
vim:
apport-cli vim
Launchpad (Send):
You can launch a browser now, or copy this URL into a browser
on another computer.
Choices:
1: Launch a browser now
C: Cancel
Please choose (1/C):
1
1: www-browser (Debian alternatives system): links, elinks, lynx, w3m URL
View:
Enter, q
Keep:
apport-cli
s:
apport-cli apport.vim.1pg92p02.apport
".apport"
apport-cli
apport
.2
apport, apport-cli
(/etc/default/apport)
/var/crash apport:
apport-cli
apport-cli
/var/crash:
-rw-r----- 1 peter    whoopsie 150K Jul 24 16:17 _usr_lib_x86_64-linux-gnu_libmenu-cache2_libexec_m
-rw-rw-r-- 1 peter    whoopsie    0 Jul 24 16:37 _usr_lib_x86_64-linux-gnu_libmenu-cache2_libexec_m
-rw------- 1 whoopsie whoopsie    0 Jul 24 16:37 _usr_lib_x86_64-linux-gnu_libmenu-cache2_libexec_m
(public)
(private) Launchpad
.3
Reporting Bugs
Apport