<strong>Linux</strong> <br />
LPI-Japan <br />
2015-04-16
<strong>Linux</strong> <br />
<strong>Linux</strong> <br />
<br />
<strong>Linux</strong> <br />
<strong>Linux</strong> <strong>Linux</strong> <br />
<strong>Linux</strong> <br />
<br />
<strong>Linux</strong> <br />
<br />
<br />
<br />
URL<br />
http://list.ospn.jp/mailman/listinfo/linux-text<br />
<br />
1 3 <br />
<strong>Linux</strong> <br />
systemd <strong>Linux</strong> <br />
systemd <br />
4 6 <br />
<strong>Linux</strong> OS <br />
<br />
<br />
www.lpi.or.jp i (C) LPI-Japan
7 <br />
<strong>Linux</strong> <strong>Linux</strong> <br />
<br />
<br />
<br />
<strong>Linux</strong> <br />
<br />
OS Red<br />
Hat <br />
OS <br />
<br />
PDF EPUB <br />
PDFEPUB <br />
<br />
<br />
<br />
All Rights Reserved. Copyright(C) The <strong>Linux</strong> Professional Institute Japan.<br />
1<br />
CC BY-NC-ND<br />
<br />
- - 2.1 (CC<br />
BY-NC-ND 2.1 JP)<br />
LPI-Japan <br />
<br />
<br />
<br />
<br />
<br />
http://list.ospn.jp/mailman/listinfo/linux-text<br />
<br />
• <br />
<br />
<br />
LPI-Japan<br />
106-0041 1-11-9 CR 7F<br />
TEL: 03-3568-4482<br />
FAX: 03-3568-4483<br />
E-Mail: info@lpi.or.jp<br />
LPIC <strong>Linux</strong> <br />
Web <br />
<br />
<br />
<br />
<br />
1 <br />
<br />
1 <br />
<br />
<br />
Windows <strong>Linux</strong> <br />
Windows <br />
IP <br />
IP <br />
<strong>Linux</strong> <br />
<br />
OS<br />
<strong>Linux</strong> CentOS 6.6 64 <br />
CentOS 7 7 CentOS 7 <br />
<br />
OS DVD <br />
<br />
<br />
<br />
<strong>Linux</strong> <br />
<br />
1 <br />
IP <br />
OS <br />
CentOS 6.6 64 Desktop<br />
yum <br />
<br />
IP <br />
<br />
<br />
server.example.com<br />
IP 192.168.0.10<br />
24 255.255.255.0<br />
192.168.0.1<br />
DNS 192.168.0.1<br />
<br />
UTC <br />
sato<br />
<br />
<br />
<br />
• 1 <br />
• 2 <br />
• 3 <br />
• 4 <br />
• 5 <br />
• 6 <br />
• 7 CentOS 7 <br />
<br />
<br />
iptables SE<strong>Linux</strong> <br />
6 <br />
<br />
<br />
<br />
<br />
• <strong>Linux</strong> 1 root <br />
#<br />
<br />
• <strong>Linux</strong> 2 <br />
<br />
• <br />
<br />
# command root <br />
$ command <br />
[root@server ~]# command root <br />
[sshuser@client ~]$ command sshuser <br />
$ id<br />
uid=500(sato) gid=500(sato) =500(sato) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
1<br />
1.1<br />
1.1.1<br />
1.1.2<br />
1.1.3 root<br />
1.1.4<br />
1.1.5 useradd<br />
1.1.6<br />
1.1.7<br />
1.1.8<br />
1.2<br />
1.2.1<br />
1.2.2 /etc/group<br />
1.2.3<br />
1.2.4<br />
1.2.5<br />
1.2.6<br />
1.2.7 gpasswd<br />
1.3<br />
1.3.1<br />
1.3.2<br />
1.3.3<br />
1.3.4<br />
1.3.5<br />
1.3.6<br />
1.3.7<br />
1.3.8<br />
1.4 SSH<br />
1.4.1<br />
1.4.2 SSH<br />
1.4.3 SSH<br />
1.4.4<br />
1.4.5 ssh<br />
1.4.6 SSH<br />
1.4.7<br />
1.4.8 SSH<br />
1.4.9 .ssh<br />
1.4.10<br />
1.4.11 ssh-copy-id<br />
1.4.12 scp<br />
1.4.13 sftp<br />
1.4.14 Tera Term Windows<br />
1.4.15 Tera Term<br />
1.4.16 Tera Term<br />
1.4.17 Tera Term Windows<br />
1.4.18 root<br />
1.5 root<br />
1.5.1 root<br />
1.5.2 su root<br />
1.5.3 su<br />
1.5.4 sudo<br />
1.5.5 sudo<br />
2<br />
2.1<br />
2.1.1<br />
2.1.2<br />
2.1.3<br />
2.1.4 ip<br />
2.1.5 netstat<br />
2.1.6 ping<br />
2.1.7 ethtool<br />
2.2 network NetworkManager<br />
2.2.1 NetworkManager network<br />
2.3<br />
2.3.1 /etc/sysconfig/network<br />
2.3.2 /etc/hosts<br />
2.3.3 DNS /etc/resolv.conf<br />
2.3.4 /etc/nsswitch.conf<br />
2.3.5 /etc/services<br />
2.3.6 /etc/protocols<br />
2.4 iptables<br />
2.4.1 iptables NAT<br />
2.4.2 iptables<br />
2.4.3 iptables<br />
2.4.4<br />
2.4.5 iptables<br />
2.4.6 iptables<br />
2.4.7 iptables<br />
2.4.8 system-config-firewall-tui iptables<br />
2.5 DHCP<br />
2.5.1 DHCP 1<br />
2.5.2 DHCP<br />
2.5.3 DHCP<br />
2.5.4 DHCP<br />
2.5.5 IP<br />
2.5.6 DHCP<br />
2.5.7 <strong>Linux</strong> DHCP<br />
2.5.8 Windows DHCP<br />
2.5.9 DHCP IP<br />
3<br />
3.1 OS<br />
3.1.1 GRUB<br />
3.1.2 GRUB<br />
3.1.3<br />
3.1.4<br />
3.1.5 init<br />
3.1.6<br />
3.1.7<br />
3.2<br />
3.2.1<br />
3.2.2<br />
3.2.3<br />
3.2.4<br />
3.2.5<br />
3.2.6<br />
3.2.7<br />
3.2.8 init systemd<br />
3.3 cron<br />
3.3.1 crond<br />
3.3.2 cron<br />
3.3.3 cron<br />
3.3.4 cron<br />
3.3.5 crontab cron<br />
3.3.6 cron<br />
3.3.7 cron<br />
3.3.8 cron<br />
3.3.9 root cron<br />
3.3.10 /etc/crontab cron<br />
3.3.11 cron<br />
3.3.12 anacron<br />
3.3.13 anacron<br />
3.4 NTP<br />
3.4.1 NTP<br />
3.4.2 NTP<br />
3.4.3 NTP<br />
3.4.4 NTP<br />
3.4.5<br />
3.4.6 NTP NTP NTP<br />
4<br />
4.1<br />
4.1.1 UID GID<br />
4.1.2<br />
4.1.3<br />
4.1.4<br />
4.1.5<br />
4.1.6 umask<br />
4.1.7 umask<br />
4.1.8 umask<br />
4.1.9 umask 4<br />
4.1.10 umask<br />
4.1.11 root umask umask<br />
4.1.12 setUID<br />
4.1.13 setGID<br />
4.1.14<br />
4.2 POSIX ACL<br />
4.2.1 ACL<br />
4.2.2 ACL<br />
4.2.3 Samba ACL<br />
4.3 SE<strong>Linux</strong><br />
4.3.1 SE<strong>Linux</strong><br />
4.3.2 SE<strong>Linux</strong><br />
4.3.3 setenforce SE<strong>Linux</strong><br />
4.3.4 SE<strong>Linux</strong><br />
4.3.5<br />
4.3.6<br />
4.3.7 Boolean SE<strong>Linux</strong><br />
4.4 LVM<br />
4.4.1 PV<br />
4.4.2 VG<br />
4.4.3 LV<br />
4.4.4<br />
4.4.5<br />
4.4.6<br />
4.4.7<br />
4.5<br />
4.5.1<br />
4.5.2<br />
4.5.3 dd<br />
4.5.4 dump<br />
4.5.5 tar<br />
4.5.6 rsync<br />
4.5.7<br />
4.5.8 dd<br />
4.5.9 dump<br />
4.5.10 tar<br />
4.5.11 rsync<br />
5<br />
5.1<br />
5.1.1 Yum<br />
5.1.2 Yum<br />
5.1.3 yum<br />
5.1.4<br />
5.1.5<br />
5.1.6 DVD<br />
5.2<br />
5.2.1 stress<br />
5.2.2 top<br />
5.2.3 vmstat<br />
5.2.4 sysstat<br />
5.2.5 iostat<br />
5.2.6 sar (System Admin Reporter)<br />
5.2.7 logwatch<br />
6<br />
6.1<br />
6.1.1<br />
6.1.2<br />
6.1.3 dmesg<br />
6.1.4 syslog<br />
6.1.5<br />
6.1.6 syslog<br />
6.1.7<br />
6.1.8 syslog<br />
6.1.9 syslog<br />
6.1.10 UDP<br />
6.1.11 TCP<br />
6.1.12 syslog iptables<br />
6.1.13 syslog<br />
6.1.14 logrotate<br />
6.1.15<br />
6.2<br />
6.2.1 ping IP<br />
6.2.2 telnet TCP<br />
6.2.3 netstat<br />
6.2.4<br />
6.2.5 tcpdump<br />
6.2.6 Wireshark<br />
6.3<br />
6.3.1<br />
6.3.2 DVD<br />
7 CentOS 7<br />
7.1 CentOS 7<br />
7.2 SysV init systemd<br />
7.2.1<br />
7.2.2<br />
7.2.3<br />
7.2.4<br />
7.2.5<br />
7.2.6<br />
7.2.7<br />
7.2.8<br />
7.2.9 systemd<br />
7.2.10 systemd<br />
7.2.11<br />
7.2.12<br />
7.3 journald<br />
7.3.1 journald<br />
7.3.2 journald<br />
7.4 firewalld<br />
7.4.1 firewalld<br />
7.4.2 firewalld HTTP<br />
7.4.3 iptables<br />
1 <br />
<br />
1.1 <br />
Windows Mac OS X OS 1 1 <br />
<br />
UNIX <strong>Linux</strong> OS<br />
<br />
<br />
1.1.1 <br />
root <br />
()<br />
<br />
<br />
root ()<br />
<br />
<br />
<br />
<br />
<br />
1.1.2 <br />
<br />
id CentOS <br />
sato id <br />
$ id<br />
uid=500(sato) gid=500(sato) =500(sato) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
uid IDgid ID groups<br />
ID ID <br />
uid CentOS 6 500 65535 <br />
<br />
1.1.3 root <br />
uid 0 <br />
<br />
root <br />
<strong>Linux</strong> root <br />
<strong>Linux</strong> root <br />
<br />
su <br />
root su su -<br />
<br />
$ su -<br />
Password: root <br />
#<br />
root #<br />
id <br />
# id<br />
uid=0(root) gid=0(root) =0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
root uid 0 <br />
root <br />
<br />
root <br />
1.1.4 <br />
CentOS 6 uid <br />
1 499 <br />
<br />
SSH sshd sshd <br />
root id sshd <br />
<br />
# id sshd<br />
uid=74(sshd) gid=74(sshd) =74(sshd)<br />
1.1.5 useradd <br />
root useradd <br />
passwd <br />
useradd <br />
-c <br />
# useradd -c "Ichiro Suzuki" suzuki<br />
# id suzuki<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki)<br />
useradd <br />
<br />
<br />
-u ID <br />
-g ID <br />
-G (,) <br />
-s shell <br />
-c <br />
-d <br />
-e YYYY-MM-DD <br />
1.1.6 <br />
passwd <br />
# passwd suzuki<br />
suzuki <br />
: suzuki <br />
: suzuki <br />
passwd: <br />
root <br />
<br />
<br />
<br />
suzuki <br />
$ passwd<br />
suzuki <br />
suzuki <br />
UNIX: suzuki <br />
: suzuki <br />
: suzuki <br />
passwd: <br />
1.1.7 <br />
/etc/passwd <br />
cat /etc/passwd <br />
# cat /etc/passwd<br />
root:x:0:0:root:/root:/bin/bash<br />
bin:x:1:1:bin:/bin:/sbin/nologin<br />
<br />
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin<br />
tcpdump:x:72:72::/:/sbin/nologin<br />
sato:x:500:500::/home/sato:/bin/bash<br />
suzuki:x:501:501:Ichiro Suzuki:/home/suzuki:/bin/bash<br />
/etc/passwd (:) <br />
<br />
<br />
<br />
ID<br />
ID<br />
<br />
<br />
<br />
<br />
<br />
x <br />
ID<br />
ID<br />
<br />
<br />
<br />
1.1.8 <br />
UNIX /etc/passwd <br />
/etc/passwd <br />
<br />
root (/etc/shadow) <br />
<br />
<br />
/etc/passwd x <br />
/etc/shadow 000 <br />
400root <br />
<br />
# ls -l /etc/shadow<br />
----------. 1 root root 1164 1 6 06:48 2015 /etc/shadow<br />
root suzuki <br />
# grep suzuki /etc/shadow<br />
suzuki:$6$Tq1q9Ztw$8sh1KFpEGFAmU68P8hYLuGjImlO1omSdTELmhGNFLWdielH8CzmLLrIc88G.yGqxty4vuI3xiTKWKJ6HOoBAV.:16384:0:99999:7:::<br />
1.2 <br />
<br />
<br />
<br />
<br />
<br />
1.2.1 <br />
1 <br />
() <br />
<br />
<br />
# id suzuki<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki)<br />
gid <br />
1.2.2 /etc/group <br />
/etc/group <br />
# cat /etc/group<br />
root:x:0:<br />
bin:x:1:bin,daemon<br />
<br />
sato:x:500:<br />
suzuki:x:501:<br />
useradd <br />
ID <br />
uid <br />
1.2.3 <br />
groupadd ID -g <br />
ID <br />
groupadd <br />
groupadd [-g ID] <br />
ID 5000 grouptest <br />
# groupadd -g 5000 grouptest<br />
/etc/group <br />
# grep grouptest /etc/group<br />
grouptest:x:5000:<br />
1.2.4 <br />
groupmod <br />
groupmod <br />
groupmod [-n ] <br />
grouptest eigyou <br />
# groupmod -n eigyou grouptest<br />
/etc/group <br />
# grep eigyou /etc/group<br />
eigyou:x:5000:<br />
1.2.5 <br />
usermod -G<br />
<br />
<br />
gpasswd <br />
<br />
usermod <br />
usermod [-G [,...]] <br />
suzuki eigyou <br />
# usermod -G eigyou suzuki<br />
id <br />
# id suzuki<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki),5000(eigyou)<br />
eigyou <br />
1.2.6 <br />
/etc/group <br />
# grep eigyou /etc/group<br />
eigyou:x:5000:suzuki<br />
suzuki eigyou <br />
1.2.7 gpasswd <br />
gpasswd gpasswd<br />
1 <br />
gpasswd <br />
gpasswd -a <br />
gpasswd -d <br />
suzuki eigyou <br />
# gpasswd -d suzuki eigyou<br />
Removing user suzuki from group eigyou<br />
# id suzuki<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki)<br />
/etc/group eigyou suzuki <br />
# grep eigyou /etc/group<br />
eigyou:x:5000:<br />
eigyou suzuki <br />
suzuki eigyou <br />
# gpasswd -a suzuki eigyou<br />
Adding user suzuki to group eigyou<br />
# id suzuki<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki),5000(eigyou)<br />
suzuki eigyou <br />
1.3 <br />
<br />
(permission) <br />
<br />
<br />
1.3.1 <br />
cd <br />
<br />
<br />
<br />
pwd <br />
$ cd<br />
$ pwd<br />
/home/suzuki<br />
touch <br />
$ touch test.txt<br />
ls -l <br />
$ ls -l<br />
0<br />
-rw-rw-r--. 1 suzuki suzuki 0 1 6 07:34 2015 test.txt<br />
rw-rw-r--<br />
CentOS 6 ll ls -lllls -l<br />
<br />
$ ll<br />
0<br />
-rw-rw-r--. 1 suzuki suzuki 0 1 6 07:34 2015 test.txt<br />
alias <br />
$ alias<br />
alias l.='ls -d .* --color=auto'<br />
alias ll='ls -l --color=auto'<br />
alias ls='ls --color=auto'<br />
alias vi='vim'<br />
alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'<br />
1.3.2 <br />
rwx 3 <br />
chmod <br />
<br />
<br />
(Readable) r 4<br />
(Writable) w 2<br />
(eXecutable) x 1<br />
- 0<br />
test.txt <br />
user (group) (other)<br />
rw- rw- r--<br />
4+2+0=6 4+2+0=6 4+0+0=4<br />
<br />
<br />
• rw- suzuki <br />
• rw- suzuki <br />
• r--<br />
<br />
1.3.3 <br />
<br />
3 <br />
rw-rw-r-- 664<br />
1.3.4 <br />
<br />
<br />
<br />
mkdir testdir <br />
$ mkdir testdir<br />
$ ls -l<br />
4<br />
-rw-rw-r--. 1 suzuki suzuki 0 1 6 07:34 2015 test.txt<br />
drwxrwxr-x. 2 suzuki suzuki 4096 1 6 07:42 2015 testdir<br />
testdir d <br />
<br />
rwx(4+2+1)rwx(4+2+1)r-x(4+1) 775 <br />
<br />
chmod chmod <br />
chmod <br />
<br />
+ -<br />
<br />
<br />
ug+x<br />
a+x<br />
g-w<br />
<br />
<br />
<br />
<br />
chmod <br />
<br />
$ chmod u-x testdir<br />
$ ls -l<br />
4<br />
-rw-rw-r--. 1 suzuki suzuki 0 1 6 07:34 2015 test.txt<br />
drw-rwxr-x. 2 suzuki suzuki 4096 1 6 07:42 2015 testdir<br />
$ cd testdir<br />
-bash: cd: testdir: <br />
$ chmod u+x testdir<br />
$ cd testdir<br />
$ pwd<br />
/home/suzuki/testdir<br />
1.3.5 <br />
<br />
<br />
<br />
useradd usermod <br />
-e <br />
<br />
useradd -e YYYY-MM-DD <br />
usermod -e YYYY-MM-DD <br />
usermod <br />
<br />
<br />
# usermod -e 2015-1-6 suzuki<br />
chage <br />
# chage -l suzuki<br />
Last password change : Jan 05, 2015<br />
Password expires : never<br />
Password inactive : never<br />
Account expires : Jan 06, 2015<br />
Minimum number of days between password change : 0<br />
Maximum number of days between password change : 99999<br />
Number of days of warning before password expires : 7<br />
Your<br />
account has expired<br />
login: suzuki<br />
Password: suzuki <br />
Your account has expired; please contact your system administrator<br />
” 2 <br />
Account expires never <br />
# usermod -e '' suzuki<br />
# chage -l suzuki<br />
Last password change : Jan 05, 2015<br />
Password expires : never<br />
Password inactive : never<br />
Account expires : never<br />
Minimum number of days between password change : 0<br />
Maximum number of days between password change : 99999<br />
Number of days of warning before password expires : 7<br />
1.3.6 <br />
chage -M <br />
<br />
30 30 <br />
<br />
# chage -M 30 suzuki<br />
Password expires <br />
<br />
# chage -l suzuki<br />
Last password change : Jan 05, 2015<br />
Password expires : Feb 04, 2015<br />
Password inactive : never<br />
Account expires : never<br />
Minimum number of days between password change : 0<br />
Maximum number of days between password change : 30<br />
Number of days of warning before password expires : 7<br />
-d 0 <br />
1970 1 1 <br />
<br />
# chage -d 0 suzuki<br />
chage Last password change Password expires<br />
Password inactive password must be changed<br />
# chage -l suzuki<br />
Last password change : password must be changed<br />
Password expires : password must be changed<br />
Password inactive : password must be changed<br />
Account expires : never<br />
Minimum number of days between password change : 0<br />
Maximum number of days between password change : 30<br />
Number of days of warning before password expires : 7<br />
<br />
<br />
login: suzuki<br />
Password: suzuki <br />
You are required to change your password immediately (root enforced)<br />
Changing password for suzuki.<br />
(current) UNIX password: suzuki <br />
New password: suzuki <br />
Retype new password: suzuki <br />
1.3.7 <br />
<br />
cron <br />
cron <br />
cron <br />
cron 3 <br />
testuser <br />
# useradd testuser<br />
# id testuser<br />
uid=502(testuser) gid=502(testuser) =502(testuser)<br />
# userdel testuser<br />
# id testuser<br />
id: testuser: <br />
userdel <br />
<br />
userdel -r <br />
# ls -l /home<br />
28<br />
drwx------. 2 root root 16384 1 6 06:07 2015 lost+found<br />
drwx------. 26 sato sato 4096 1 6 06:49 2015 sato<br />
drwx------. 5 suzuki suzuki 4096 1 6 09:00 2015 suzuki<br />
drwx------. 4 502 502 4096 1 6 09:56 2015 testuser<br />
# ls -l /var/spool/mail<br />
0<br />
0<br />
-rw-rw----. 1 rpc mail 0 1 6 06:11 2015 rpc<br />
-rw-rw----. 1 sato mail 0 1 6 06:23 2015 sato<br />
-rw-rw----. 1 suzuki mail 0 1 6 06:48 2015 suzuki<br />
-rw-rw----. 1 502 mail 0 1 6 09:56 2015 testuser<br />
<br />
ID <br />
testuser <br />
# useradd testuser<br />
useradd: : <br />
skel <br />
: <br />
# ls -l /home<br />
28<br />
drwx------. 2 root root 16384 1 6 06:07 2015 lost+found<br />
drwx------. 26 sato sato 4096 1 6 06:49 2015 sato<br />
drwx------. 5 suzuki suzuki 4096 1 6 09:00 2015 suzuki<br />
drwx------. 4 testuser testuser 4096 1 6 09:56 2015 testuser<br />
# ls -l /var/spool/mail<br />
0<br />
-rw-rw----. 1 rpc mail 0 1 6 06:11 2015 rpc<br />
-rw-rw----. 1 sato mail 0 1 6 06:23 2015 sato<br />
-rw-rw----. 1 suzuki mail 0 1 6 06:48 2015 suzuki<br />
-rw-rw----. 1 testuser mail 0 1 6 09:56 2015 testuser<br />
ID 502<br />
testuser <br />
ID 502<br />
<br />
userdel -r testuser <br />
<br />
# userdel -r testuser<br />
# ls -l /home<br />
24<br />
drwx------. 2 root root 16384 1 6 06:07 2015 lost+found<br />
drwx------. 26 sato sato 4096 1 6 06:49 2015 sato<br />
drwx------. 5 suzuki suzuki 4096 1 6 09:00 2015 suzuki<br />
# ls -l /var/spool/mail<br />
0<br />
-rw-rw----. 1 rpc mail 0 1 6 06:11 2015 rpc<br />
-rw-rw----. 1 sato mail 0 1 6 06:23 2015 sato<br />
-rw-rw----. 1 suzuki mail 0 1 6 06:48 2015 suzuki<br />
1.3.8 <br />
groupdel <br />
/etc/group <br />
<br />
testuser testuser testgroup <br />
<br />
# useradd testuser<br />
# groupadd testgroup<br />
# gpasswd -a testuser testgroup<br />
Adding user testuser to group testgroup<br />
# id testuser<br />
uid=502(testuser) gid=502(testuser) =502(testuser),5001(testgroup)<br />
# groupdel testuser<br />
groupdel: 'testuser' <br />
# groupdel testgroup<br />
# id testuser<br />
uid=502(testuser) gid=502(testuser) =502(testuser)<br />
1.4 SSH <br />
SSH (Secure Shell) () <br />
SSH <br />
<strong>Linux</strong> OpenSSH <strong>Linux</strong> <br />
Windows SSH <br />
1.4.1 <br />
2 <strong>Linux</strong> SSH SSH <br />
SSH SSH <br />
2 <strong>Linux</strong> <br />
IP <br />
server.example.com 192.168.0.10<br />
client.example.com 192.168.0.101<br />
<strong>Linux</strong> /etc/hosts <br />
<br />
192.168.0.10 server.example.com server<br />
192.168.0.101 client.example.com client<br />
1.4.2 SSH <br />
CentOS OpenSSH sshd<br />
<br />
SSH 22 <br />
[root@server ~]# lsof -i:22<br />
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME<br />
sshd 1718 root 3u IPv4 13399 0t0 TCP *:ssh (LISTEN)<br />
sshd 1718 root 4u IPv6 13401 0t0 TCP *:ssh (LISTEN)<br />
1.4.3 SSH <br />
SSH <br />
<br />
<br />
<br />
<br />
SSH <br />
<br />
<br />
<br />
<br />
1.4.4 <br />
SSH <br />
sshuser <br />
[root@server ~]# useradd sshuser<br />
[root@server ~]# passwd sshuser<br />
sshuser <br />
: sshuser <br />
: sshuser <br />
passwd: <br />
sshuser SSH <br />
<br />
<br />
sshuser SSH ssh <br />
ssh <br />
<br />
ssh <br />
$ ssh [@]<br />
IP <br />
[sshuser@client ~]$ ssh sshuser@server<br />
SSH SSH <br />
yes sshuser <br />
<br />
<br />
[sshuser@client ~]$ ssh sshuser@server<br />
The authenticity of host 'server (192.168.0.10)' can't be established.<br />
RSA key fingerprint is b6:95:54:92:62:cb:c8:f7:17:97:88:8e:69:f9:2a:dd.<br />
Are you sure you want to continue connecting (yes/no)? yes yes <br />
Warning: Permanently added 'server,192.168.0.10' (RSA) to the list of known hosts.<br />
sshuser@server's password: sshuser <br />
[sshuser@server ~]$<br />
ifconfig IP IP <br />
192.168.0.10<br />
[sshuser@server ~]$ ifconfig eth0<br />
eth0 Link encap:Ethernet HWaddr 00:1C:42:65:AF:C4<br />
inet addr:192.168.0.10 Bcast:10.0.0.255 Mask:255.255.255.0<br />
inet6 addr: fe80::21c:42ff:fe65:afc4/64 Scope:Link<br />
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br />
RX packets:19972 errors:0 dropped:0 overruns:0 frame:0<br />
TX packets:11094 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:1000<br />
RX bytes:15984761 (15.2 MiB) TX bytes:992110 (968.8 KiB)<br />
exit <br />
[sshuser@server ~]$ exit<br />
logout<br />
Connection to server closed.<br />
[sshuser@client ~]$<br />
1.4.5 ssh <br />
ssh -v () <br />
<br />
[sshuser@client ~]$ ssh -v sshuser@server<br />
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013<br />
debug1: Reading configuration data /etc/ssh/ssh_config<br />
debug1: Applying options for *<br />
debug1: Connecting to server [192.168.0.10] port 22.<br />
debug1: Connection established.<br />
<br />
1.4.6 SSH <br />
SSH <br />
.ssh known_hosts <br />
2 <br />
<br />
[sshuser@client ~]$ ssh sshuser@server<br />
sshuser@server's password:<br />
cat ~/.ssh/known_hosts <br />
[sshuser@client ~]$ cat ~/.ssh/known_hosts<br />
server,192.168.0.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0xULiTzWSingpALtma51<br />
pnsMrOwW8drd+9S2ocC9/LF0ThhnQCZ49xAYx2DRNqTNNSW4Oo0qMCHch4zBse7kOEUk3FexsG<br />
RwBtvFXSyU4wOVkXnd42IFXYoKNUEfmcsWS18kslPhIJByfXpQyv6RC4px0W0VlhoK8CA732Mn<br />
qbEznIRedQ15QymX24M+nJ7oXAIAG8WCViY4b1syL7bKOoAlQ5QiBYh5B4ixL/CSar1Gbz7Edo<br />
MQOjoxPUhe4inY4ZRyRwh68hbHpBGfF9FZ1AlIwxdwV0bMQw/shTP24dOaUn8bjimqBGwG/Bwy<br />
c4oV96wV9nC47ADl2zG6fb8TXQ==<br />
SSH SSH <br />
~/.ssh/known_hosts SSH <br />
yes ~/.ssh/known_hosts <br />
2 SSH known_hosts SSH <br />
SSH <br />
ssh <br />
<br />
SSH <br />
<br />
SSH SSH 2 <br />
<br />
SSH <br />
~/.ssh/known_hosts SSH <br />
~/.ssh/known_hosts vi<br />
SSH 1 <br />
1.4.7 <br />
<br />
<br />
<br />
<br />
<br />
SSH <br />
<br />
<br />
1. <br />
2. <br />
3. <br />
1.4.8 SSH <br />
SSH <strong>Linux</strong> ssh-keygen <br />
<br />
<br />
<br />
ssh-keygen <br />
ssh-keygen <br />
.ssh <br />
<br />
SSH<br />
<br />
[sshuser@client ~]$ ssh-keygen<br />
Generating public/private rsa key pair.<br />
Enter file in which to save the key (/home/sshuser/.ssh/id_rsa): Enter <br />
<br />
Enter passphrase (empty for no passphrase): <br />
Enter same passphrase again: <br />
Your identification has been saved in /home/sshuser/.ssh/id_rsa.<br />
Your public key has been saved in /home/sshuser/.ssh/id_rsa.pub.<br />
The key fingerprint is:<br />
91:47:d4:85:39:58:59:7e:d4:0b:50:7c:56:f7:28:45 sshuser@client<br />
The key's randomart image is:<br />
+--[ RSA 2048]----+<br />
| .o==OE ∗|<br />
| o. ∗= =+|<br />
| o . ..∗ +|<br />
| o . o |<br />
| S |<br />
| |<br />
| |<br />
| |<br />
| |<br />
+-----------------+<br />
~/.ssh id_rsa.pub (id_rsa) .ssh <br />
ssh ssh-keygen <br />
[sshuser@client ~]$ ls -ld .ssh<br />
drwx------. 2 sshuser sshuser 4096 1 7 14:17 2015 .ssh<br />
[sshuser@client ~]$ ls -l .ssh<br />
8<br />
-rw-------. 1 sshuser sshuser 1743 1 7 14:17 2015 id_rsa<br />
-rw-r--r--. 1 sshuser sshuser 396 1 7 14:17 2015 id_rsa.pub<br />
cat <br />
[sshuser@client ~]$ cat .ssh/id_rsa.pub<br />
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxaKrCiK5rrJBqtjG3NbWoRlGJMGEqkND6WYTfLhB<br />
by55+1C4kLL6GGXkGPWqIIqFk6WLFm7OVbYIh8Gk3IJG2R0xFU5WVBDzxmNPZ2ngP940ACKwh4<br />
U+BC+0vqtAg/NNiQRcBf1MOvFnqdnheUBfGA51YM2tjfhgJ+xaF7X8mgGjNColHXY2WUuAe9xI<br />
WNNxXUiAflh8jhztguh2HtXh5CoXwqeI9miokC15turklUd2D4mPxfiSrbYSBJUh3ofvgxX0NN<br />
AAEg4VlA0eA2pqFbZFMiLHnLBRqHxNiricuqCdueVQQXy0xFcMv8T6qyL7cwrdBSAgcePK3mE+<br />
ZmfZTQ== sshuser@client<br />
1 <br />
[sshuser@client .ssh]$ cat id_rsa<br />
-----BEGIN RSA PRIVATE KEY-----<br />
Proc-Type: 4,ENCRYPTED<br />
DEK-Info: DES-EDE3-CBC,9A3828879701873A<br />
kSkjcd/9+VWwk2NR8CuET4CXKu7ZIAOkNmvHwUZVMpUlnDwqxeznXP4NVGEq5uFD<br />
<br />
Jw6FruKNyjl8mqLtrj+eltCUh6N4Z+NPVzlAHMQ9IQmBjdpArj0SLQ==<br />
-----END RSA PRIVATE KEY-----<br />
1.4.9 .ssh <br />
.ssh <br />
<br />
ssh-keygen <br />
<br />
<br />
ssh <br />
root root <br />
<br />
<br />
<br />
~/.ssh <br />
id_rsa.pub<br />
id_rsa<br />
<br />
rwx------(700)<br />
rw-r--r--(644)<br />
rw-------(600)<br />
1.4.10 <br />
SSH (id_rsa.pub) <br />
<br />
1. <br />
2. ~/.ssh <br />
3. ~/.ssh/authorized_keys <br />
4. ~/.ssh/authorized_keys <br />
5. <br />
1. <br />
id_rsa.pub SSH <br />
scp <br />
scp <br />
scp @:<br />
scp ~/.ssh/id_rsa.pub sshuser <br />
<br />
[sshuser@client ~]$ scp ~/.ssh/id_rsa.pub sshuser@server:~<br />
sshuser@server's password: sshuser <br />
id_rsa.pub 100% 396 0.4KB/s 00:00<br />
2. ~/.ssh <br />
ssh <br />
[sshuser@client ~]$ ssh sshuser@server<br />
sshuser@server's password: sshuser <br />
Last login: Tue Jan 6 10:58:42 2015 from client<br />
[sshuser@server ~]$<br />
id_rsa.pub<br />
[sshuser@server ~]$ ls -l<br />
4<br />
-rw-r--r--. 1 sshuser sshuser 396 1 6 10:56 2015 id_rsa.pub<br />
[sshuser@server ~]$ cat id_rsa.pub<br />
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxaKrCiK5rrJBqtjG3NbWoRlGJMGEqkND6WYTfLhB<br />
by55+1C4kLL6GGXkGPWqIIqFk6WLFm7OVbYIh8Gk3IJG2R0xFU5WVBDzxmNPZ2ngP940ACKwh4<br />
U+BC+0vqtAg/NNiQRcBf1MOvFnqdnheUBfGA51YM2tjfhgJ+xaF7X8mgGjNColHXY2WUuAe9xI<br />
WNNxXUiAflh8jhztguh2HtXh5CoXwqeI9miokC15turklUd2D4mPxfiSrbYSBJUh3ofvgxX0NN<br />
AAEg4VlA0eA2pqFbZFMiLHnLBRqHxNiricuqCdueVQQXy0xFcMv8T6qyL7cwrdBSAgcePK3mE+<br />
ZmfZTQ== sshuser@client<br />
.ssh chmod <br />
[sshuser@server ~]$ mkdir .ssh<br />
[sshuser@server ~]$ chmod 700 .ssh<br />
[sshuser@server ~]$ ls -ld .ssh<br />
drwx------. 2 sshuser sshuser 4096 1 6 10:59 2015 .ssh<br />
3. ~/.ssh/authorized_keys <br />
.ssh authorized_keys <br />
<br />
[sshuser@server ~]$ touch .ssh/authorized_keys<br />
[sshuser@server ~]$ chmod 600 .ssh/authorized_keys<br />
[sshuser@server ~]$ ls -l .ssh<br />
0<br />
-rw-------. 1 sshuser sshuser 0 1 6 10:59 2015 authorized_keys<br />
4. ~/.ssh/authorized_keys <br />
authorized_keys cat >><br />
authorized_keys <br />
authorized_keys cp mv <br />
authorized_keys SE<strong>Linux</strong> <br />
<br />
[sshuser@server ~]$ cat id_rsa.pub >> .ssh/authorized_keys<br />
[sshuser@server ~]$ cat .ssh/authorized_keys<br />
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxaKrCiK5rrJBqtjG3NbWoRlGJMGEqkND6WYTfLhB<br />
by55+1C4kLL6GGXkGPWqIIqFk6WLFm7OVbYIh8Gk3IJG2R0xFU5WVBDzxmNPZ2ngP940ACKwh4<br />
U+BC+0vqtAg/NNiQRcBf1MOvFnqdnheUBfGA51YM2tjfhgJ+xaF7X8mgGjNColHXY2WUuAe9xI<br />
WNNxXUiAflh8jhztguh2HtXh5CoXwqeI9miokC15turklUd2D4mPxfiSrbYSBJUh3ofvgxX0NN<br />
AAEg4VlA0eA2pqFbZFMiLHnLBRqHxNiricuqCdueVQQXy0xFcMv8T6qyL7cwrdBSAgcePK3mE+<br />
ZmfZTQ== sshuser@client<br />
5. <br />
<br />
<br />
<br />
<br />
[sshuser@server ~]$ exit<br />
logout<br />
Connection to server closed.<br />
[sshuser@client ~]$ ssh sshuser@server<br />
Enter passphrase for key '/home/sshuser/.ssh/id_rsa': <br />
Last login: Tue Jan 6 10:59:03 2015 from client<br />
[sshuser@server ~]$<br />
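Sections 1.4.9 and 1.4.10 above give the modes for ~/.ssh (700), id_rsa (600), id_rsa.pub (644) and authorized_keys (600); with sshd's default `StrictModes yes`, files or directories that other users can write to cause public-key login to be refused.<br />
The following check is an added example, not part of the original text. `mode_exceeds` and `audit_ssh_dir` are hypothetical helper names, and GNU `stat` is assumed.<br />

```bash
#!/bin/sh
# Added example (not from the textbook): audit an SSH directory against the
# modes listed in 1.4.9 / 1.4.10:
#   ~/.ssh 700, private key 600, *.pub 644, authorized_keys 600
# Usage: audit_ssh_dir ~/.ssh

# Succeeds when MODE (octal string from stat) grants a permission bit that
# LIMIT does not grant. A stricter mode (e.g. 400 against 600) passes.
mode_exceeds() {
    local mode="$1" limit="$2"
    # A leading 0 makes the shell read both values as octal.
    [ $(( 0$mode & ~0$limit & 07777 )) -ne 0 ]
}

# Prints one TOO_OPEN line per finding.
# Returns 0 when clean, 1 when something is too permissive, 2 when DIR is missing.
audit_ssh_dir() {
    local dir="${1:-$HOME/.ssh}" findings=0 path name limit mode

    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    mode=$(stat -c '%a' "$dir")
    if mode_exceeds "$mode" 700; then
        echo "TOO_OPEN $dir mode=$mode limit=700"
        findings=$((findings + 1))
    fi

    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        case "$name" in
            authorized_keys) limit=600 ;;
            *.pub)           limit=644 ;;
            *)
                # Any file that starts with a PEM private-key header is
                # treated like id_rsa; everything else is skipped.
                if head -n 1 "$path" | grep -q 'PRIVATE KEY-----'; then
                    limit=600
                else
                    continue
                fi
                ;;
        esac
        mode=$(stat -c '%a' "$path")
        if mode_exceeds "$mode" "$limit"; then
            echo "TOO_OPEN $path mode=$mode limit=$limit"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Run it on the client and on the server account after step 4; a TOO_OPEN line for authorized_keys or .ssh points at the `chmod` step that was skipped.<br />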
1.4.11 ssh-copy-id <br />
SSH ssh-copy-id <br />
<br />
ssh-copy-id authorized_keys <br />
ssh-copy-id <br />
$ ssh-copy-id @<br />
ssh-copy-id <br />
[sshuser@client ~]$ ssh-copy-id sshuser@server<br />
sshuser@server's password:<br />
Now try logging into the machine, with "ssh 'sshuser@server'", and check in:<br />
.ssh/authorized_keys<br />
to make sure we haven't added extra keys that you weren't expecting.<br />
SSH <br />
[sshuser@client ~]$ ssh sshuser@server<br />
Enter passphrase for key '/home/sshuser/.ssh/id_rsa': <br />
Last login: Tue Jan 6 11:01:52 2015 from client<br />
[sshuser@server ~]$<br />
OpenSSH <br />
<br />
1.4.12 scp <br />
scp SSH <br />
<br />
<br />
testdir <br />
scp -r <br />
<br />
[sshuser@client ~]$ mkdir testdir<br />
[sshuser@client ~]$ cd testdir<br />
[sshuser@client testdir]$ touch testfile1 testfile2<br />
[sshuser@client testdir]$ ls<br />
testfile1 testfile2<br />
[sshuser@client testdir]$ cd<br />
[sshuser@client ~]$ scp -r testdir sshuser@server:~<br />
Enter passphrase for key '/home/sshuser/.ssh/id_rsa': <br />
testfile1 100% 0 0.0KB/s 00:00<br />
testfile2 100% 0 0.0KB/s 00:00<br />
<br />
[sshuser@client ~]$ ssh sshuser@server<br />
Enter passphrase for key '/home/sshuser/.ssh/id_rsa': <br />
Last login: Tue Jan 6 11:02:46 2015 from client<br />
[sshuser@server ~]$ ls<br />
id_rsa.pub testdir<br />
[sshuser@server ~]$ ls -l testdir<br />
0<br />
-rw-rw-r--. 1 sshuser sshuser 0 1 6 11:04 2015 testfile1<br />
-rw-rw-r--. 1 sshuser sshuser 0 1 6 11:04 2015 testfile2<br />
1.4.13 sftp <br />
SFTP (SSH File Transfer Protocol) SSH <br />
FTP <br />
sftp <br />
<br />
sftp><br />
[sshuser@client ~]$ touch sftptestfile<br />
[sshuser@client ~]$ ls<br />
sftptestfile testdir<br />
[sshuser@client ~]$ sftp sshuser@server<br />
Connecting to server...<br />
Enter passphrase for key '/home/sshuser/.ssh/id_rsa': <br />
sftp><br />
put <br />
sftp> put sftptestfile<br />
Uploading sftptestfile to /home/sshuser/sftptestfile<br />
sftptestfile 100% 0 0.0KB/s 00:00<br />
ls <br />
sftp> ls<br />
id_rsa.pub sftptestfile testdir<br />
sftp> ls -l<br />
-rw-r--r-- 1 sshuser sshuser 396 Jan 6 10:56 id_rsa.pub<br />
-rw-rw-r-- 1 sshuser sshuser 0 Jan 6 11:20 sftptestfile<br />
drwxrwxr-x 2 sshuser sshuser 4096 Jan 6 11:04 testdir<br />
sftp> exit<br />
[sshuser@client ~]$<br />
SFTP <br />
<br />
pwd<br />
ls<br />
cd []<br />
put [-P] []<br />
get [-P] []<br />
rm <br />
mkdir <br />
rmdir <br />
lpwd<br />
lls [ls ] []<br />
lcd <br />
lmkdir <br />
<br />
<br />
<br />
<br />
-P <br />
-P <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
1.4.14 Tera Term Windows <br />
<br />
Windows Tera Term SSH OpenSSH <br />
Tera Term SSH SCP<br />
Tera Term Tera Term Web <br />
.EXE <br />
<br />
http://sourceforge.jp/projects/ttssh2/<br />
Tera Term <br />
1. Tera Term <br />
1.1<br />
IP <br />
IP SSH<br />
OK<br />
2. <br />
1.2<br />
<br />
<br />
known hosts <br />
<br />
3. <br />
1.3<br />
<br />
SSH <br />
<br />
4. <br />
1.4<br />
<br />
<br />
1.4.15 Tera Term <br />
Tera Term <br />
<br />
1. <br />
1.5<br />
<br />
Tera Term SSH <br />
<br />
TTSSH:<br />
<br />
2. <br />
1.6<br />
<br />
<br />
<br />
3. <br />
<br />
1.4.16 Tera Term <br />
Tera Term SSH SCP <br />
id_rsa.pub<br />
1. Secure File Copy <br />
1.7<br />
From:<br />
TeraTerm SSH SCP<br />
<br />
2. <br />
TTSSH: Secure File CopyFrom:...<br />
id_rsa.pub<br />
<br />
3. <br />
Send<br />
<br />
4. <br />
[sshuser@server ~]$ ls<br />
id_rsa.pub sftptestfile testdir<br />
1. <br />
2. <strong>Linux</strong> authorized_keys <br />
<br />
[sshuser@server ~]$ mkdir .ssh<br />
[sshuser@server ~]$ chmod 700 .ssh<br />
[sshuser@server ~]$ touch .ssh/authorized_keys<br />
[sshuser@server ~]$ chmod 600 .ssh/authorized_keys<br />
[sshuser@server ~]$ cat id_rsa.pub >> .ssh/authorized_keys<br />
1.4.17 Tera Term Windows <br />
Tera Term <br />
1. Tera Term <br />
2. SSH <br />
3. RSA/DSA/EC DSA <br />
id_rsa OK<br />
1.8<br />
RSA/DSA/EC DSA <br />
TeraTerm <br />
1.4.18 root <br />
OpenSSH <br />
<br />
OpenSSH /etc/ssh/sshd_config <br />
[root@server ~]# vi /etc/ssh/sshd_config<br />
PasswordAuthentication no no <br />
root root <br />
root SSH <br />
<br />
PermitRootLogin no no <br />
service sshd <br />
[root@server ~]# service sshd restart<br />
sshd : [ OK ]<br />
sshd : [ OK ]<br />
root SSH <br />
<br />
1.5 root <br />
root <br />
<br />
root 3 <br />
• root <br />
• su root <br />
• sudo root <br />
root <br />
su sudo <br />
root <br />
<br />
<br />
<br />
<br />
<br />
1.5.1 root <br />
root <br />
last root <br />
<br />
# last<br />
root ttyS0 Mon Aug 11 12:56 still logged in<br />
root ttyS0 Mon Aug 11 12:23 - 12:56 (00:32)<br />
root ttyS0 Mon Aug 11 01:11 - 12:23 (11:11)<br />
root <br />
root root <br />
<br />
OpenSSH root (<br />
) SSH <br />
SSH OpenSSH IP <br />
<br />
1.5.2 su root <br />
su root <br />
root <br />
uid 501 suzuki su <br />
$ su -<br />
:<br />
# tail /var/log/secure<br />
<br />
Jan 6 11:33:55 server su: pam_unix(su-l:session): session opened for user root by suzuki(uid=501)<br />
root root <br />
<br />
<br />
su <br />
<br />
1.5.3 su <br />
su root root <br />
PAM (Pluggable Authentication Modules) su <br />
<br />
wheel su root <br />
<br />
PAM /etc/pam.d/su vi 2 <br />
<br />
wheel su <br />
<br />
wheel su <br />
<br />
# vi /etc/pam.d/su<br />
#%PAM-1.0<br />
auth sufficient pam_rootok.so<br />
# Uncomment the following line to implicitly trust users in the "wheel" group.<br />
auth sufficient pam_wheel.so trust use_uid #<br />
# Uncomment the following line to require a user to be in the "wheel" group.<br />
auth required pam_wheel.so use_uid #<br />
auth include system-auth<br />
account sufficient pam_succeed_if.so uid = 0 use_uid quiet<br />
account include system-auth<br />
password include system-auth<br />
session include system-auth<br />
session optional pam_xauth.so<br />
<br />
suzuki su root <br />
root <br />
$ id suzuki<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki),5000(eigyou)<br />
$ su -<br />
:<br />
su: <br />
root gpasswd suzuki wheel <br />
# gpasswd -a suzuki wheel<br />
Adding user suzuki to group wheel<br />
suzuki su <br />
root <br />
$ id suzuki<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki),10(wheel),5000(eigyou)<br />
$ su -<br />
[root@server ~]#<br />
1.5.4 sudo <br />
sudo root <br />
su <br />
sudo <br />
<br />
sudo <br />
root <br />
<br />
CentOS sudo <br />
$ id suzuki<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki),10(wheel),5000(eigyou) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
$ sudo cat /etc/shadow<br />
We trust you have received the usual lecture from the local System<br />
Administrator. It usually boils down to these three things:<br />
#1) Respect the privacy of others.<br />
#2) Think before you type.<br />
#3) With great power comes great responsibility.<br />
[sudo] password for suzuki: suzuki <br />
suzuki sudoers <br />
sudo wheel sudo <br />
<br />
root visudo /etc/sudoers wheel <br />
sudo <br />
# visudo<br />
%wheel wheel <br />
ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL #<br />
visudo vi :wq<br />
<br />
sudo useradd <br />
$ sudo useradd testuser<br />
[sudo] password for suzuki: suzuki <br />
[suzuki@server ~]$ id testuser<br />
uid=503(testuser) gid=503(testuser) =503(testuser)<br />
1.5.5 sudo <br />
sudo <br />
<br />
webadm Web httpd<br />
visudo 1 <br />
<br />
$ sudo visudo<br />
%webadm ALL=NOPASSWD: /sbin/service httpd start, /sbin/service httpd stop, /sbin/service httpd restart<br />
webadm useradd -G<br />
<br />
$ sudo groupadd webadm<br />
$ sudo useradd -G webadm httpdtest<br />
su - httpdtest <br />
$ sudo su - httpdtest<br />
$ id<br />
uid=504(httpdtest) gid=504(httpdtest) =504(httpdtest),5001(webadm)<br />
sudo Web <br />
$ sudo service httpd start<br />
httpd : httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.0.10 for ServerName<br />
[ OK ]<br />
<br />
Web <br />
$ ps ax | grep httpd<br />
28608 pts/0 S 0:00 su - httpdtest<br />
31175 ? Ss 0:00 /usr/sbin/httpd<br />
31176 ? S 0:00 /usr/sbin/httpd<br />
31177 ? S 0:00 /usr/sbin/httpd<br />
31179 ? S 0:00 /usr/sbin/httpd<br />
31180 ? S 0:00 /usr/sbin/httpd<br />
31181 ? S 0:00 /usr/sbin/httpd<br />
31182 ? S 0:00 /usr/sbin/httpd<br />
31183 ? S 0:00 /usr/sbin/httpd<br />
31184 ? S 0:00 /usr/sbin/httpd<br />
31198 pts/0 S+ 0:00 grep httpd<br />
Web <br />
$ sudo service httpd stop<br />
httpd : [ OK ]<br />
$ ps ax | grep httpd<br />
28608 pts/0 S 0:00 su - httpdtest<br />
31325 pts/0 S+ 0:00 grep httpd<br />
Web <br />
2 <br />
<br />
2.1 <br />
IP <br />
<br />
2.1.1 <br />
ifconfig ifconfig <br />
<br />
# ifconfig<br />
eth0 Link encap:Ethernet HWaddr 00:1C:42:DC:25:92<br />
inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0<br />
inet6 addr: fe80::21c:42ff:fedc:2592/64 Scope:Link<br />
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br />
RX packets:6267 errors:0 dropped:0 overruns:0 frame:0<br />
TX packets:3120 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:1000<br />
RX bytes:706436 (689.8 KiB) TX bytes:472809 (461.7 KiB)<br />
lo Link encap:Local Loopback<br />
inet addr:127.0.0.1 Mask:255.0.0.0<br />
inet6 addr: ::1/128 Scope:Host<br />
UP LOOPBACK RUNNING MTU:65536 Metric:1<br />
RX packets:45 errors:0 dropped:0 overruns:0 frame:0<br />
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:0<br />
RX bytes:5792 (5.6 KiB) TX bytes:5792 (5.6 KiB)<br />
2.1.2 <br />
route netstat -rn <br />
# route<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
192.168.0.0 * 255.255.255.0 U 1 0 0 eth0<br />
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0<br />
Destination default <br />
192.168.0.1 eth0 <br />
<br />
2.1.3 <br />
/etc/sysconfig/network-scripts <br />
ifcfg-<br />
eth0 <br />
ifcfg-eth0 <br />
# cat /etc/sysconfig/network-scripts/ifcfg-eth0<br />
DEVICE=eth0<br />
TYPE=Ethernet<br />
UUID=c9eaa5e8-a31a-4d36-8dc7-2fc8de8350b3<br />
ONBOOT=yes<br />
NM_CONTROLLED=yes<br />
BOOTPROTO=none<br />
HWADDR=00:1C:42:DC:25:92<br />
IPADDR=192.168.0.10<br />
PREFIX=24<br />
GATEWAY=192.168.0.1<br />
DNS1=192.168.0.1<br />
DEFROUTE=yes<br />
IPV4_FAILURE_FATAL=yes<br />
IPV6INIT=no<br />
NAME="System eth0"<br />
2.1.4 ip <br />
ip <br />
ARP <br />
<br />
CentOS ifconfig/route/arp/netstat net-tools <br />
ip <br />
IP MAC <br />
IP MAC ip address show <br />
ifconfig <br />
# ip address show<br />
1: lo: mtu 65536 qdisc noqueue state UNKNOWN<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
inet6 ::1/128 scope host<br />
valid_lft forever preferred_lft forever<br />
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000<br />
link/ether 00:1c:42:dc:25:92 brd ff:ff:ff:ff:ff:ff<br />
inet 192.168.0.10/24 brd 192.168.0.255 scope global eth0<br />
inet6 fe80::21c:42ff:fedc:2592/64 scope link<br />
valid_lft forever preferred_lft forever<br />
<br />
ip route show route<br />
<br />
# ip route show<br />
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10 metric 1<br />
default via 192.168.0.1 dev eth0 proto static<br />
ARP <br />
ARP ip neighbor show arp <br />
neighbor neigh <br />
# ip neigh show<br />
192.168.0.1 dev eth0 lladdr 00:1c:42:00:00:18 STALE<br />
192.168.0.2 dev eth0 lladdr 00:1c:42:00:00:08 REACHABLE<br />
2.1.5 netstat <br />
netstat <br />
<br />
<br />
-i <br />
-n IP <br />
-a <br />
-l <br />
-t TCP <br />
-u UDP <br />
<br />
netstat -i <br />
<br />
# netstat -i<br />
Kernel Interface table<br />
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg<br />
eth0 1500 0 47780 0 0 0 16784 0 0 0 BMRU<br />
lo 65536 0 2366 0 0 0 2366 0 0 0 LRU<br />
TCP <br />
TCP netstat -nat <br />
# netstat -nat<br />
Active Internet connections (servers and established)<br />
Proto Recv-Q Send-Q Local Address Foreign Address State<br />
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN<br />
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN<br />
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:37729 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN<br />
tcp 0 0 :::22 :::* LISTEN<br />
tcp 0 0 ::1:631 :::* LISTEN<br />
tcp 0 0 ::1:25 :::* LISTEN<br />
tcp 0 0 :::37114 :::* LISTEN<br />
tcp 0 0 :::111 :::* LISTEN<br />
TCP <br />
TCP netstat -nlt <br />
# netstat -nlt<br />
Active Internet connections (only servers)<br />
Proto Recv-Q Send-Q Local Address Foreign Address State<br />
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN<br />
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN<br />
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:37729 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN<br />
tcp 0 0 :::22 :::* LISTEN<br />
tcp 0 0 ::1:631 :::* LISTEN<br />
tcp 0 0 ::1:25 :::* LISTEN<br />
tcp 0 0 :::37114 :::* LISTEN<br />
tcp 0 0 :::111 :::* LISTEN<br />
UDP <br />
UDP netstat -nlu <br />
# netstat -nlu<br />
Active Internet connections (only servers)<br />
Proto Recv-Q Send-Q Local Address Foreign Address State<br />
udp 0 0 0.0.0.0:68 0.0.0.0:*<br />
udp 0 0 127.0.0.1:708 0.0.0.0:*<br />
udp 0 0 0.0.0.0:111 0.0.0.0:*<br />
udp 0 0 0.0.0.0:631 0.0.0.0:*<br />
udp 0 0 192.168.0.10:123 0.0.0.0:*<br />
udp 0 0 127.0.0.1:123 0.0.0.0:*<br />
udp 0 0 0.0.0.0:123 0.0.0.0:*<br />
udp 0 0 0.0.0.0:44415 0.0.0.0:*<br />
udp 0 0 0.0.0.0:655 0.0.0.0:*<br />
udp 0 0 :::111 :::*<br />
udp 0 0 fe80::21c:42ff:fedc:2592:123 :::*<br />
udp 0 0 ::1:123 :::*<br />
udp 0 0 :::123 :::*<br />
udp 0 0 :::39182 :::*<br />
udp 0 0 :::655 :::*<br />
2.1.6 ping <br />
IP ping <br />
Ctrl+C <br />
# ping 8.8.8.8<br />
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.<br />
64 bytes from 8.8.8.8: icmp_seq=1 ttl=128 time=6.26 ms<br />
64 bytes from 8.8.8.8: icmp_seq=2 ttl=128 time=3.28 ms<br />
64 bytes from 8.8.8.8: icmp_seq=3 ttl=128 time=2.85 ms<br />
^C Ctrl+C <br />
--- 8.8.8.8 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2003ms<br />
rtt min/avg/max/mdev = 62.780/64.980/66.416/1.579 ms<br />
-c 5 <br />
# ping -c 5 8.8.8.8<br />
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.<br />
64 bytes from 8.8.8.8: icmp_seq=1 ttl=128 time=3.39 ms<br />
64 bytes from 8.8.8.8: icmp_seq=2 ttl=128 time=3.12 ms<br />
64 bytes from 8.8.8.8: icmp_seq=3 ttl=128 time=3.44 ms<br />
64 bytes from 8.8.8.8: icmp_seq=4 ttl=128 time=2.85 ms<br />
64 bytes from 8.8.8.8: icmp_seq=5 ttl=128 time=3.10 ms<br />
--- 8.8.8.8 ping statistics ---<br />
5 packets transmitted, 5 received, 0% packet loss, time 4012ms<br />
rtt min/avg/max/mdev = 2.856/3.185/3.440/0.225 ms<br />
ping ICMP <br />
ICMP ping <br />
ping <br />
<br />
(RTT) 1ms(<br />
) 10ms30ms 500ms <br />
<br />
2.1.7 ethtool <br />
ethtool <br />
<br />
<br />
<br />
ethtool <br />
# ethtool eth0<br />
Settings for eth0:<br />
Supported ports: [ TP ]<br />
Supported link modes: 10baseT/Half 10baseT/Full<br />
100baseT/Half 100baseT/Full<br />
1000baseT/Full<br />
Supported pause frame use: No<br />
Supports auto-negotiation: Yes<br />
Advertised link modes: 10baseT/Half 10baseT/Full<br />
100baseT/Half 100baseT/Full<br />
1000baseT/Full<br />
Advertised pause frame use: No<br />
Advertised auto-negotiation: Yes<br />
Speed: 1000Mb/s<br />
Duplex: Full<br />
Port: Twisted Pair<br />
PHYAD: 1<br />
Transceiver: internal<br />
Auto-negotiation: on<br />
MDI-X: Unknown<br />
Supports Wake-on: g<br />
Wake-on: g<br />
Link detected: yes<br />
ethtool -i <br />
# ethtool -i eth0<br />
driver: bnx2<br />
version: 2.2.3<br />
firmware-version: bc 4.6.4 NCSI 1.0.3<br />
bus-info: 0000:02:00.0<br />
supports-statistics: yes<br />
supports-test: yes<br />
supports-eeprom-access: yes<br />
supports-register-dump: yes<br />
supports-priv-flags: no<br />
<br />
<br />
# ethtool eth0<br />
Settings for eth0:<br />
Link detected: yes<br />
# ethtool -i eth0<br />
driver: virtio_net<br />
version:<br />
firmware-version:<br />
bus-info: virtio0<br />
supports-statistics: no<br />
supports-test: no<br />
supports-eeprom-access: no<br />
supports-register-dump: no<br />
supports-priv-flags: no<br />
2.2 network NetworkManager<br />
CentOS 6 network NetworkManager <br />
<br />
network <strong>Linux</strong> <br />
IP <br />
DNS <br />
<br />
NetworkManager <strong>Linux</strong> <br />
NetworkManager <strong>Linux</strong> D-Bus API <br />
<br />
CentOS 6 NetworkManager Minimal <br />
NetworkManager network <br />
NetworkManager network <br />
2.2.1 NetworkManager network <br />
network NetworkManager <br />
network <br />
SSH <br />
<br />
service NetworkManager chkconfig <br />
NetworkManager <br />
# service NetworkManager stop<br />
NetworkManager : [ OK ]<br />
# chkconfig NetworkManager off<br />
# chkconfig --list NetworkManager<br />
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off<br />
service network chkconfig network<br />
<br />
# service network start<br />
[ OK ]<br />
eth0 : [ OK ]<br />
# chkconfig network on<br />
# chkconfig --list network<br />
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off<br />
2.3 <br />
<strong>Linux</strong> <br />
2.3.1 /etc/sysconfig/network<br />
/etc/sysconfig/network <br />
<br />
# cat /etc/sysconfig/network<br />
NETWORKING=yes<br />
HOSTNAME=server.example.com<br />
NTPSERVERARGS=iburst<br />
HOSTNAME <br />
2.3.2 /etc/hosts<br />
/etc/hosts IP <br />
<br />
# cat /etc/hosts<br />
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4<br />
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6<br />
192.168.0.10 server.example.com server<br />
192.168.0.101 client.example.com client<br />
2.3.3 DNS /etc/resolv.conf<br />
/etc/resolv.conf DNS DNS <br />
DNS DNS <br />
DNS DNS <br />
<br />
# cat /etc/resolv.conf<br />
# Generated by NetworkManager<br />
search example.com<br />
nameserver 192.168.0.1<br />
/etc/resolv.conf <br />
/etc/resolv.conf DNS <br />
NetworkManager network DHCP <br />
/etc/resolv.conf /etc/resolv.conf <br />
/etc/resolv.conf <br />
<br />
DNS <br />
/etc/resolv.conf <br />
<br />
/etc/sysconfig/network-scripts/ifcfg-eth0 DNS1 DNS DNS2<br />
DNS <br />
DNS1=192.168.0.1<br />
DNS2=192.168.0.2<br />
NetworkManager network <br />
/etc/resolv.conf <br />
2.3.4 /etc/nsswitch.conf<br />
/etc/nsswitch.conf <br />
/etc/hosts DNS NIS <br />
<br />
# cat /etc/nsswitch.conf<br />
<br />
#hosts: db files nisplus nis dns<br />
hosts: files dns<br />
<br />
files dns <br />
/etc/hosts DNS <br />
<br />
2.3.5 /etc/services<br />
/etc/services TCP/UDP <br />
<br />
HTTP <br />
http 80/tcp www www-http # WorldWideWeb HTTP<br />
TCP 80 <br />
http <br />
netstat -n -n <br />
<br />
<br />
<br />
# netstat -nat | grep 80<br />
tcp 0 0 :::80 :::* LISTEN<br />
# netstat -at | grep http<br />
tcp 0 0 *:http *:* LISTEN<br />
80 http <br />
/etc/services <br />
1 IPv6 IPv6 Apache<br />
Web IPv4 <br />
2.3.6 /etc/protocols<br />
/etc/protocols <br />
<br />
ip 0 IP # internet protocol, pseudo protocol number<br />
icmp 1 ICMP # internet control message protocol<br />
tcp 6 TCP # transmission control protocol<br />
udp 17 UDP # user datagram protocol<br />
2.4 iptables <br />
iptables <strong>Linux</strong> <br />
<br />
<br />
<br />
iptables NF(netfilter) <br />
iptables <br />
2.4.1 iptables NAT <br />
iptables NAT(Network Address Translation) <br />
IP <br />
NAT IP <br />
LAN IP <br />
<br />
NAT<br />
IP IP 1 1 <br />
IP IP <br />
IP <br />
IP <br />
<br />
NAT<br />
IP IP N N <br />
IP IP IP<br />
IP <br />
IP IP <br />
IP <br />
IP <br />
NAPT <br />
NAPT(IP )<br />
IP 1 IP IP <br />
IP NAPT <br />
65535 1 IP <br />
<br />
2.4.2 iptables <br />
service iptables <br />
# service iptables start<br />
iptables: ACCEPT filter [ OK ]<br />
iptables: : [ OK ]<br />
iptables: : [ OK ]<br />
iptables: : [ OK ]<br />
service iptables <br />
# service iptables stop<br />
iptables: ACCEPT filter [ OK ]<br />
iptables: : [ OK ]<br />
iptables: : [ OK ]<br />
2.4.3 iptables <br />
service iptables <br />
# service iptables start<br />
iptables: : [ OK ]<br />
# service iptables status<br />
: filter<br />
Chain INPUT (policy ACCEPT)<br />
num target prot opt source destination<br />
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED<br />
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0<br />
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0<br />
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22<br />
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited<br />
Chain FORWARD (policy ACCEPT)<br />
num target prot opt source destination<br />
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited<br />
Chain OUTPUT (policy ACCEPT)<br />
num target prot opt source destination<br />
iptables -L iptables <br />
# iptables -L<br />
iptables-save iptables iptables <br />
<br />
# iptables-save<br />
# Generated by iptables-save v1.4.7 on Fri Jan 9 16:51:47 2015<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [33:4180]<br />
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT<br />
-A INPUT -j REJECT --reject-with icmp-host-prohibited<br />
-A FORWARD -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
# Completed on Fri Jan 9 16:51:47 2015<br />
2.4.4 <br />
iptables-A <br />
iptables -A -j <br />
<br />
<br />
<br />
INPUT<br />
OUTPUT<br />
FORWARD<br />
PREROUTING<br />
POSTROUTING<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
ACCEPT<br />
DROP<br />
REJECT [--reject-with ]<br />
LOG<br />
<br />
<br />
<br />
ICMP <br />
syslog <br />
2.4.5 iptables <br />
INPUT <br />
<br />
iptables -A INPUT -m tcp -p tcp --dport -j ACCEPT<br />
TCP 80 (HTTP) <br />
iptables <br />
REJECT <br />
<br />
/etc/sysconfig/iptables iptables <br />
<br />
# iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT<br />
# iptables -L<br />
Chain INPUT (policy ACCEPT)<br />
target prot opt source destination<br />
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED<br />
ACCEPT icmp -- anywhere anywhere<br />
ACCEPT all -- anywhere anywhere<br />
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh<br />
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited <br />
ACCEPT tcp -- anywhere anywhere tcp dpt:http <br />
<br />
2.4.6 iptables <br />
iptables <br />
# service iptables save<br />
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]<br />
iptables /etc/sysconfig/iptables iptables <br />
<br />
iptables iptables <br />
<br />
2.4.7 iptables <br />
/etc/sysconfig/iptables ()<br />
service iptables reload <br />
<br />
iptables service iptables restart <br />
iptables restart <br />
reload <br />
<br />
# service iptables reload<br />
iptables: Trying to reload firewall rules: [ OK ]<br />
2.4.8 system-config-firewall-tui iptables <br />
system-config-firewall-tui iptables CUI <br />
<br />
# yum install system-config-firewall-tui<br />
1. system-config-firewall-tui <br />
# system-config-firewall-tui<br />
2. <br />
2.1<br />
<br />
system-config-firewall-tui <br />
Enter TAB <br />
<br />
3. <br />
2.2<br />
<br />
<br />
WWW (HTTP)<br />
1. <br />
2.3<br />
<br />
OK iptables <br />
<br />
5. <br />
system-config-firewall-tui /etc/sysconfig/iptables <br />
iptables <br />
WWW(HTTP) 80 <br />
<br />
# cat /etc/sysconfig/iptables<br />
# Firewall configuration written by system-config-firewall<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT<br />
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -j REJECT --reject-with icmp-host-prohibited<br />
-A FORWARD -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
2.5 DHCP <br />
DHCP IP DHCP DHCP <br />
IP <br />
2.5.1 DHCP 1 <br />
DHCP 1 DHCP <br />
DHCP <br />
IP <br />
DHCP <br />
DHCP <br />
DHCP DHCP<br />
IP <br />
IP VLAN L3 <br />
<br />
2.5.2 DHCP <br />
DHCP dhcp <br />
# yum install dhcp<br />
2.5.3 DHCP <br />
DHCP /etc/dhcp/dhcpd.conf <br />
;<br />
ddns-update-style none;<br />
subnet 192.168.0.0 netmask 255.255.255.0 {<br />
range 192.168.0.200 192.168.0.254;<br />
}<br />
<br />
<br />
ddns-update-style DNS none<br />
subnet 192.168.0.0<br />
netmask 255.255.255.0<br />
range IP IP 192.168.0.200 192.168.0.254<br />
2.5.4 DHCP <br />
DHCP IP DHCP <br />
<br />
ddns-update-style none;<br />
subnet 192.168.0.0 netmask 255.255.255.0 {<br />
range 192.168.0.200 192.168.0.254;<br />
option routers 192.168.0.1;<br />
option domain-name-servers 192.168.0.1,192.168.0.2;<br />
default-lease-time 18000;<br />
max-lease-time 36000;<br />
}<br />
<br />
option routers 192.168.0.1<br />
option domain-name-servers DNS 192.168.0.1 192.168.0.2<br />
default-lease-time () 180005 <br />
max-lease-time () 3600010 <br />
DHCP DHCP IP <br />
IP default-lease-time<br />
max-lease-time<br />
<br />
2.5.5 IP <br />
IP host hardware ethernet<br />
MAC fixed-address IP <br />
host client1 {<br />
hardware ethernet FA:16:3E:01:DB:D0;<br />
fixed-address 192.168.0.10;<br />
}<br />
2.5.6 DHCP <br />
service DHCP DHCP <br />
chkconfig <br />
# service dhcpd start<br />
# chkconfig dhcpd on<br />
2.5.7 <strong>Linux</strong> DHCP <br />
<strong>Linux</strong> DHCP <br />
BOOTPROTO=dhcp<br />
DHCP DNS /etc/resolv.conf<br />
/etc/resolv.conf <br />
PEERDNS yes <br />
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0<br />
DEVICE=eth0<br />
BOOTPROTO=dhcp<br />
ONBOOT=yes<br />
PEERDNS=yes<br />
network <br />
# service network restart<br />
IP DNS <br />
$ ifconfig eth0<br />
eth0 Link encap:Ethernet HWaddr 00:1C:42:D0:CA:A0<br />
inet addr:192.168.0.200 Bcast:192.168.0.255 Mask:255.255.255.0<br />
<br />
$ route<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
192.168.0.0 * 255.255.255.0 U 1 0 0 eth0<br />
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0<br />
$ cat /etc/resolv.conf<br />
# Generated by NetworkManager<br />
nameserver 192.168.0.1<br />
nameserver 192.168.0.2<br />
2.5.8 Windows DHCP <br />
Windows DHCP <br />
IP <br />
1. <br />
2.4<br />
<br />
Windows7 <br />
2. <br />
2.5<br />
<br />
<br />
3. <br />
2.6<br />
<br />
<br />
<br />
4. TCP/IPv4 <br />
2.7<br />
TCP/IPv4 <br />
4 (TCP/IPv4)<br />
<br />
5. DHCP <br />
2.8<br />
<br />
IP DNS DHCP <br />
DNS OK<br />
<br />
6. <br />
<br />
7. <br />
2.9<br />
<br />
IPv4 <br />
<br />
8. <br />
2.10<br />
IP <br />
IP DNS <br />
<br />
2.5.9 DHCP IP <br />
DHCP DHCP IP /var/lib/dhcpd/dhcpd.leases<br />
<br />
[root@server ~]# cat /var/lib/dhcpd/dhcpd.leases<br />
# The format of this file is documented in the dhcpd.leases(5) manual page.<br />
# This lease file was written by isc-dhcp-4.1.1-P1<br />
server-duid "\000\001\000\001\034H\217F\000\034B\334%\222";<br />
lease 192.168.0.200 {<br />
starts 3 2015/01/14 02:22:17;<br />
ends 3 2015/01/14 07:22:17;<br />
cltt 3 2015/01/14 02:22:17;<br />
binding state active;<br />
next binding state free;<br />
hardware ethernet 00:1c:42:d0:ca:a0;<br />
client-hostname "client";<br />
}<br />
lease 192.168.0.201 {<br />
starts 3 2015/01/14 02:22:40;<br />
ends 3 2015/01/14 07:22:40;<br />
cltt 3 2015/01/14 02:22:40;<br />
binding state active;<br />
next binding state free;<br />
hardware ethernet 00:1c:42:46:9b:b4;<br />
uid "\001\000\034BF\233\264";<br />
client-hostname "TORUWIN7MACPRO";<br />
}<br />
3 <br />
<br />
3.1 OS <br />
OS <br />
1. <br />
2. BIOS <br />
3. GRUB<br />
4. <strong>Linux</strong> <br />
5. init <br />
6. <br />
7. OS <br />
3.1.1 GRUB <br />
BIOS <br />
<br />
GRUB <br />
GRUB <strong>Linux</strong> <br />
3.1<br />
GRUB <br />
<strong>Linux</strong> GRUB <br />
GRUB Enter <br />
<br />
3.1.2 GRUB <br />
GRUB /boot/grub/grub.conf <br />
<br />
GRUB <br />
<br />
# cat /boot/grub/grub.conf<br />
# grub.conf generated by anaconda<br />
#<br />
# Note that you do not have to rerun grub after making changes to this file<br />
# NOTICE: You have a /boot partition. This means that<br />
# all kernel and initrd paths are relative to /boot/, eg.<br />
# root (hd0,0)<br />
# kernel /vmlinuz-version ro root=/dev/mapper/vg_server-lv_root<br />
# initrd /initrd-[generic-]version.img<br />
#boot=/dev/sda<br />
default=0<br />
timeout=5<br />
splashimage=(hd0,0)/grub/splash.xpm.gz<br />
hiddenmenu<br />
title CentOS 6 (2.6.32-504.el6.x86_64)<br />
root (hd0,0)<br />
kernel /vmlinuz-2.6.32-504.el6.x86_64 ro root=/dev/mapper/vg_server-lv_root rd_LVM_LV=vg_server/lv_swap rd_NO_LUKS rd_LVM_LV=vg_server/lv_root rd_NO_MD crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=jp106 LANG=ja_JP.UTF-8 rd_NO_DM rhgb quiet<br />
initrd /initramfs-2.6.32-504.el6.x86_64.img<br />
<br />
default=0<br />
timeout <br />
<br />
0 title <br />
timeout=5<br />
GRUB <br />
5 5 <br />
<br />
splashimage=(hd0,0)/grub/splash.xpm.gz<br />
GRUB <br />
hiddenmenu<br />
GRUB <br />
title CentOS 6 (2.6.32-504.el6.x86_64)<br />
GRUB title title 1 <br />
<br />
root (hd0,0)<br />
<br />
GRUB 1 0 <br />
<br />
( ,)<br />
<br />
HDD SSD SATASCSIIDE <br />
hdfd<br />
<br />
<br />
BIOS 0 1 hd02 <br />
hd13 hd2<br />
<br />
(hd0,0)1 <br />
<br />
kernel /vmlinuz-2.6.32-504.el6.x86_64<br />
<br />
<br />
initrd /initramfs-2.6.32-504.el6.x86_64.img<br />
RAM <br />
3.1.3 <br />
2.6.32-431.11.2.el6.x86_64<br />
<br />
..-<br />
2.6.32-504.el6.x86_64<br />
<br />
3 <br />
2. 6.32-504.el6.x86_64<br />
2 <br />
3 1 <br />
<br />
2.6. 32-504.el6.x86_64<br />
<br />
2.6.32- 504.el6.x86_64<br />
<br />
<strong>Linux</strong> CentOS 6 <br />
Red Hat Enterprise <strong>Linux</strong> 6 el6<br />
<br />
: 2.6.32-504.el6. x86_64<br />
CPU x86_64 64 <br />
3.1.4 <br />
GRUB <strong>Linux</strong> <br />
<br />
RAM <br />
initramfs RAM <br />
<br />
<br />
dmesg <br />
dmesg <br />
# dmesg<br />
Initializing cgroup subsys cpuset<br />
Initializing cgroup subsys cpu<br />
Linux version 2.6.32-504.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Wed Oct 15 04:27:16 UTC 2014<br />
Command line: ro root=/dev/mapper/vg_server-lv_root rd_LVM_LV=vg_server/lv_swap rd_NO_LUKS rd_LVM_LV=vg_server/lv_root rd_NO_MD crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=jp106 LANG=ja_JP.UTF-8 rd_NO_DM rhgb quiet<br />
KERNEL supported cpus:<br />
Intel GenuineIntel<br />
AMD AuthenticAMD<br />
Centaur CentaurHauls<br />
Disabled fast string operations<br />
BIOS-provided physical RAM map:<br />
BIOS-e820: 0000000000000000 - 000000000009ec00 (usable)<br />
<br />
3.1.5 init <br />
init <br />
init <br />
init <br />
OS <br />
/etc/inittab <br />
<br />
<br />
<strong>Linux</strong> <br />
CentOS 6 <br />
<br />
0 <br />
1 <br />
2 <br />
3 <br />
4 <br />
5 <br />
6 <br />
0<br />
0 <br />
# init 0<br />
# telinit 0<br />
shutdown -h <br />
<br />
# shutdown -h now<br />
halt shutdown -h <br />
halt <br />
# halt<br />
1<br />
<br />
root <br />
<br />
<br />
root <br />
# telinit 1<br />
# init 1<br />
root <br />
<br />
6 <br />
2 4<br />
<br />
<br />
3<br />
<br />
CUI <br />
3 <br />
# telinit 3<br />
# init 3<br />
5<br />
3 <br />
3 5 X Window System <br />
# startx<br />
<br />
# telinit 5<br />
# init 5<br />
6<br />
<br />
/etc/inittab <br />
<br />
# telinit 6<br />
# init 6<br />
# reboot<br />
# shutdown -r now<br />
3.1.6 <br />
runlevel <br />
# runlevel<br />
N 5<br />
5 <br />
N<br />
telinit <br />
53GUI CUI <br />
<br />
# telinit 3<br />
CUI runlevel 5 3<br />
<br />
# runlevel<br />
5 3<br />
3.1.7 <br />
/etc/inittab <br />
/etc/inittab <br />
<br />
# vi /etc/inittab<br />
id:3:initdefault: 5 3 <br />
CUI <br />
<br />
# reboot<br />
CUI 5 <br />
<br />
# vi /etc/inittab<br />
id:5:initdefault: 3 5 <br />
# reboot<br />
3.2 <br />
<strong>Linux</strong> <br />
CPU <br />
<br />
3.2.1 <br />
service <br />
Web httpd <br />
<br />
service httpd start Web<br />
<br />
# service httpd start<br />
httpd : [ OK ]<br />
<br />
httpd <br />
# service httpd status<br />
httpd (pid 5234) ...<br />
<br />
httpd restart <br />
<br />
# service httpd restart<br />
httpd : [ OK ]<br />
httpd : [ OK ]<br />
<br />
httpd <br />
# service httpd stop<br />
httpd : [ OK ]<br />
3.2.2 <br />
OS chkconfig <br />
chkconfig --list OS <br />
<br />
# chkconfig --list<br />
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off<br />
abrt-ccpp 0:off 1:off 2:off 3:on 4:off 5:on 6:off<br />
abrtd 0:off 1:off 2:off 3:on 4:off 5:on 6:off<br />
<br />
<br />
# chkconfig --list httpd<br />
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off<br />
httpd <br />
3.2.3 <br />
chkconfig on <br />
<br />
# chkconfig httpd on<br />
# chkconfig --list httpd<br />
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off<br />
chkconfig 2345 on <strong>Linux</strong> <br />
3 5 <br />
<strong>Linux</strong> httpd <br />
3.2.4 <br />
<strong>Linux</strong> chkconfig <br />
off <br />
# chkconfig httpd off<br />
# chkconfig --list httpd<br />
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off<br />
httpd <br />
3.2.5 <br />
service <br />
/etc/rc.d/init.d <br />
# ls /etc/rc.d/init.d/<br />
NetworkManager dhcpd kdump portreserve single<br />
abrt-ccpp dhcpd6 killall postfix smartd<br />
abrt-oops dhcrelay lvm2-lvmetad psacct snmpd<br />
abrtd dhcrelay6 lvm2-monitor quota_nld snmptrapd<br />
acpid dnsmasq mdmonitor rdisc spice-vdagentd<br />
atd firstboot messagebus restorecond sshd<br />
auditd functions netconsole rngd sssd<br />
autofs haldaemon netfs rpcbind sysstat<br />
blk-availability halt network rpcgssd udev-post<br />
bluetooth htcacheclean nfs rpcidmapd wdaemon<br />
certmonger httpd nfslock rpcsvcgssd winbind<br />
cpuspeed ip6tables ntpd rsyslog wpa_supplicant<br />
crond iptables ntpdate sandbox ypbind<br />
cups irqbalance oddjobd saslauthd<br />
3.2.6 <br />
/etc/rc.d/init.d <br />
<strong>Linux</strong> /etc/rc.d <br />
<br />
5 rc5.d <br />
<br />
# ls /etc/rc.d<br />
init.d rc.local rc0.d rc2.d rc4.d rc6.d<br />
rc rc.sysinit rc1.d rc3.d rc5.d<br />
/etc/rc.d/rc5.d <br />
# ls /etc/rc.d/rc5.d/<br />
K01smartd K69rpcsvcgssd S08iptables S26haldaemon<br />
K02oddjobd K73winbind S10network S26udev-post<br />
K05wdaemon K75ntpdate S11auditd S28autofs<br />
K10psacct K75quota_nld S11portreserve S50bluetooth<br />
K10saslauthd K76ypbind S12rsyslog S55sshd<br />
K15htcacheclean K80kdump S13cpuspeed S58ntpd<br />
K15httpd K84NetworkManager S13irqbalance S70spice-vdagentd<br />
K35dhcpd K84wpa_supplicant S13rpcbind S80postfix<br />
K35dhcpd6 K87restorecond S15mdmonitor S82abrt-ccpp<br />
K35dhcrelay K88sssd S22messagebus S82abrtd<br />
K35dhcrelay6 K89rdisc S24nfslock S90crond<br />
K50dnsmasq K95firstboot S24rpcgssd S95atd<br />
K50netconsole K99rngd S25blk-availability S99certmonger<br />
K50snmpd S01sysstat S25cups S99local<br />
K50snmptrapd S02lvm2-monitor S25netfs<br />
K60nfs S08ip6tables S26acpid<br />
/etc/rc.d/rc5.d/S55sshd /etc/rc.d/init.d/sshd <br />
<br />
# ls -l /etc/rc.d/rc5.d/S55sshd<br />
lrwxrwxrwx. 1 root root 14 1 6 06:18 2015 /etc/rc.d/rc5.d/S55sshd -> ../init.d/sshd<br />
StartKill<br />
<br />
telinit <br />
1. <br />
2. K stop /var/lock/subsys <br />
<br />
3. S start /var/lock/subsys <br />
<br />
3.2.7 <br />
<br />
<br />
<br />
<br />
Apache Web /etc/rc.d/init.d/httpd <br />
<br />
• /etc/rc.d/init.d/functions functions <br />
<br />
• startstopstatusrestart <br />
case <br />
• restart stop start <br />
<br />
• reload killproc httpd HUP<br />
HUP <br />
<br />
• configtest apachectl configtest Apache Web<br />
<br />
3.2.8 init systemd <br />
2014 6 Red Hat Enterprise <strong>Linux</strong> 7 CentOS 7 <br />
SysV init Upstart <strong>Linux</strong> <br />
systemdsystemd 7 <br />
<br />
3.3 cron <br />
<strong>Linux</strong> cron <br />
<br />
3.3.1 crond <br />
cron crond crond <br />
cron <br />
crond cron <br />
cron <br />
crond <br />
<br />
# service crond status<br />
crond (pid 1720) ...<br />
# chkconfig --list crond<br />
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off<br />
3.3.2 cron <br />
cron cron <br />
cron 2 <br />
cron /etc/crontab <br />
cron /var/spool/cron <br />
/var/spool/cron root <br />
crontab cron <br />
<br />
cron <br />
# ls -ld /var/spool/cron/<br />
drwx------. 2 root root 4096 11 23 21:43 2013 /var/spool/cron/<br />
# ls -l /var/spool/cron/<br />
8<br />
-rw-------. 1 root root 28 1 14 13:38 2015 root<br />
-rw-------. 1 testuser testuser 37 1 14 13:40 2015 testuser<br />
3.3.3 cron <br />
/etc/cron.allow /etc/cron.deny crontab <br />
<br />
• /etc/cron.allow crontab <br />
• /etc/cron.deny crontab <br />
• /etc/cron.allow/etc/cron.deny <br />
crontab <br />
• /etc/cron.allow /etc/cron.deny /etc/cron.allow <br />
crontab <br />
• /etc/cron.allow crontab <br />
<br />
/etc/cron.allow /etc/cron.deny <br />
crontab <br />
/etc/cron.allow /etc/cron.deny <br />
<br />
/etc/cron.deny <br />
<br />
/etc/cron.allow <br />
<br />
3.3.4 cron <br />
crond cron <br />
[] <br />
cron <br />
<br />
<br />
0-59<br />
0-23<br />
1-31<br />
1-12<br />
0-70,7 <br />
<br />
<br />
,/<br />
<br />
0 30 example.sh <br />
0,30 * * * * example.sh<br />
10 example.sh <br />
*/10 * * * * example.sh<br />
3.3.5 crontab cron <br />
cron crontab <br />
crontab <br />
-e crontab <br />
-l crontab <br />
-r crontab <br />
-u crontab root <br />
crontab -e cron <br />
vi cron <br />
<br />
y<br />
# crontab -e<br />
vi :wq <br />
0 0 * * * /root/crontest.sh<br />
cron <br />
crontab: installing new crontab<br />
cron <br />
crontab: installing new crontab<br />
"/tmp/crontab.2dEukI":1: bad day-of-week<br />
errors in crontab file, can't install.<br />
Do you want to retry the same edit? y y <br />
testuser cron su testuser <br />
crontab -e <br />
# su - testuser<br />
$ crontab -e<br />
<br />
0 0 * * * /home/testuser/crontest.sh<br />
exit root <br />
$ exit<br />
logout<br />
#<br />
3.3.6 cron <br />
cron <br />
# crontab -l<br />
0 0 * * * /root/crontest.sh<br />
root -u cron <br />
<br />
# crontab -u testuser -l<br />
0 0 * * * /home/testuser/crontest.sh<br />
root -e cron <br />
<br />
# crontab -u testuser -e<br />
3.3.7 cron <br />
crontab -r cron <br />
# ls /var/spool/cron/<br />
root testuser<br />
# crontab -r<br />
# ls /var/spool/cron/<br />
testuser<br />
-r -u <br />
# crontab -u testuser -r<br />
# ls /var/spool/cron/<br />
<br />
crontab -r cron cron <br />
<br />
-e -r <br />
crontab -l cron <br />
<br />
# crontab -l > ~/crontab_backup<br />
3.3.8 cron <br />
cron <br />
<br />
/var/spool/cron/root root cron root <br />
/etc/crontab root <br />
/etc/cron.d cron root <br />
/etc/anacrontab root <br />
/etc/crontab /etc/cron.d cron root <br />
<br />
3.3.9 root cron <br />
root crontab cron /var/spool/cron/root <br />
crontab cron <br />
anacron <br />
<br />
3.3.10 /etc/crontab cron <br />
/etc/crontab cron <br />
cron <br />
CentOS 6 1 1 1 1 <br />
cron <br />
<br />
3.3.11 cron <br />
/etc/cron.d cron <br />
crond cron <br />
# ls /etc/cron.d<br />
0hourly raid-check sysstat<br />
/etc/cron.d/0hourly 1 1 /etc/cron.hourly <br />
cron 1 cron <br />
/etc/cron.hourly <br />
<br />
# cat /etc/cron.d/0hourly<br />
SHELL=/bin/bash<br />
PATH=/sbin:/bin:/usr/sbin:/usr/bin<br />
MAILTO=root<br />
HOME=/<br />
01 * * * * root run-parts /etc/cron.hourly<br />
/etc/cron.hourly anacron <br />
<br />
# ls /etc/cron.hourly/<br />
0anacron<br />
# cat /etc/cron.hourly/0anacron<br />
#!/bin/bash<br />
# Skip excecution unless the date has changed from the previous run<br />
if test -r /var/spool/anacron/cron.daily; then<br />
day=`cat /var/spool/anacron/cron.daily`<br />
fi<br />
if [ `date +%Y%m%d` = "$day" ]; then<br />
exit 0;<br />
fi<br />
# Skip excecution unless AC powered<br />
if test -x /usr/bin/on_ac_power; then<br />
/usr/bin/on_ac_power &> /dev/null<br />
if test $? -eq 1; then<br />
exit 0<br />
fi<br />
fi<br />
/usr/sbin/anacron -s<br />
/etc/cron.d/raid-check RAID raid-check <br />
1 <br />
# cat /etc/cron.d/raid-check<br />
# Run system wide raid-check once a week on Sunday at 1am by default<br />
0 1 * * Sun root /usr/sbin/raid-check<br />
/etc/cron.d/sysstat sar 10 <br />
/usr/lib64/sa/sa1 23 53 /usr/lib64/sa/sa2 <br />
# cat /etc/cron.d/sysstat<br />
# Run system activity accounting tool every 10 minutes<br />
*/10 * * * * root /usr/lib64/sa/sa1 1 1<br />
# 0 * * * * root /usr/lib64/sa/sa1 600 6 &<br />
# Generate a daily summary of process accounting at 23:53<br />
53 23 * * * root /usr/lib64/sa/sa2 -A<br />
3.3.12 anacron <br />
cron cron <br />
cron CPU<br />
I/O <br />
anacron <br />
<br />
anacron <br />
<br />
<br />
<br />
<br />
1 /etc/cron.daily<br />
1 /etc/cron.weekly<br />
1 /etc/cron.monthly<br />
3.3.13 anacron <br />
anacron 1 crond /etc/anacrontab<br />
<br />
<br />
# cat /etc/anacrontab<br />
# /etc/anacrontab: configuration file for anacron<br />
# See anacron(8) and anacrontab(5) for details.<br />
SHELL=/bin/sh<br />
PATH=/sbin:/bin:/usr/sbin:/usr/bin<br />
MAILTO=root<br />
# the maximal random delay added to the base delay of the jobs<br />
RANDOM_DELAY=45<br />
# the jobs will be started during the following hours only<br />
START_HOURS_RANGE=3-22<br />
#period in days delay in minutes job-identifier command<br />
1 5 cron.daily nice run-parts /etc/cron.daily<br />
7 25 cron.weekly nice run-parts /etc/cron.weekly<br />
@monthly 45 cron.monthly nice run-parts /etc/cron.monthly<br />
1<br />
7 1 <br />
<br />
<br />
@daily<br />
@weekly<br />
@monthly<br />
<br />
1 1 <br />
7 1 <br />
1 <br />
45 RANDOM_DELAY 2 <br />
1 5 1 25 1 45 <br />
<br />
<br />
anacron START_HOURS_RANGE 3 22 <br />
anacron <br />
<br />
<br />
/etc/anacrontab <br />
23 6 <br />
START_HOURS_RANGE=23-6<br />
3.4 NTP <br />
1 OFF <br />
<br />
<br />
NTPNetwork Time ProtocolNTP <br />
NTP <br />
<br />
3.4.1 NTP <br />
NTP NTP NTP <br />
NTP NTP NTP <br />
NTP <br />
NTP yum <br />
# yum install ntp<br />
3.4.2 NTP <br />
NTP ntpd<br />
# service ntpd start<br />
chkconfig <br />
# chkconfig ntpd on<br />
# chkconfig --list ntpd<br />
ntpd 0:off 1:off 2:off 3:on 4:off 5:off 6:off<br />
NTP NTP <br />
<br />
3.4.3 NTP <br />
NTP /etc/ntp.conf <br />
CentOS pool.ntp.org NTP <br />
pool.ntp.org NTP <br />
<br />
server 0.centos.pool.ntp.org iburst<br />
server 1.centos.pool.ntp.org iburst<br />
server 2.centos.pool.ntp.org iburst<br />
server 3.centos.pool.ntp.org iburst<br />
ntpq NTP <br />
# ntpq -p<br />
remote refid st t when poll reach delay offset jitter<br />
==============================================================================<br />
<br />
*219x123x70x91.a 192.168.7.123 2 u 424 1024 377 2.296 -0.851 1.985<br />
-balthasar.gimas 65.32.162.194 3 u 764 1024 377 4.574 3.282 1.737<br />
+ntp-v6.chobi.pa 61.114.187.55 2 u 960 1024 337 1.012 0.546 1.170<br />
+the.platformnin 22.42.17.250 3 u 46 1024 377 3.686 0.123 2.642<br />
<br />
<br />
<br />
* <br />
+ <br />
x<br />
<br />
<br />
3.4.4 NTP <br />
NTP NTP <br />
<br />
NTP /etc/ntp.conf 192.168.0.0/255.255.255.0<br />
NTP <br />
<br />
# vi /etc/ntp.conf<br />
# Hosts on local network are less restricted.<br />
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap<br />
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap <br />
ntp <br />
# service ntpd restart<br />
ntpd : [ OK ]<br />
ntpd : [ OK ]<br />
3.4.5 <br />
NTP UDP 123 NTP <br />
iptables <br />
<br />
/etc/sysconfig/iptables iptables <br />
# vi /etc/sysconfig/iptables<br />
# Firewall configuration written by system-config-firewall<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT<br />
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT <br />
-A INPUT -j REJECT --reject-with icmp-host-prohibited<br />
-A FORWARD -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
service iptables <br />
# service iptables reload<br />
iptables: Trying to reload firewall rules: [ OK ]<br />
# iptables -L<br />
Chain INPUT (policy ACCEPT)<br />
target prot opt source destination<br />
<br />
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp<br />
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited<br />
<br />
3.4.6 NTP NTP NTP <br />
NTP /etc/ntp.conf server NTP <br />
<br />
pool.ntp.org server <br />
NTP 192.168.0.10<br />
NTP yum <br />
<br />
[root@client ~]# yum install ntp<br />
[root@client ~]# vi /etc/ntp.conf<br />
#server 0.centos.pool.ntp.org iburst <br />
#server 1.centos.pool.ntp.org iburst <br />
#server 2.centos.pool.ntp.org iburst <br />
#server 3.centos.pool.ntp.org iburst <br />
server 192.168.0.10 iburst <br />
NTP <br />
# service ntpd restart<br />
ntpd : [ OK ]<br />
ntpd : [ OK ]<br />
ntpq <br />
[root@client ~]# ntpq -p<br />
remote refid st t when poll reach delay offset jitter<br />
==============================================================================<br />
<br />
*server 157.7.154.29 3 u 2 64 1 0.152 0.108 0.007<br />
4 <br />
<br />
4.1 <br />
<strong>Linux</strong> POSIX POSIX Portable Operating<br />
System Interface for UNIXIEEE UNIX OS <br />
IDuid/ IDgid<br />
<br />
4.1.1 UID GID<br />
IDuidUser Identifier) <strong>Linux</strong> <br />
<strong>Linux</strong> uid <br />
uid 0 65535 0 ID root <br />
<br />
IDgid: Group Identifier<strong>Linux</strong> <br />
1 <br />
gid 0 65535 <br />
4.1.2 <br />
1 <br />
useradd groupadd <br />
sato suzuki suzuki wheel eigyou <br />
<br />
# id sato<br />
uid=500(sato) gid=500(sato) =500(sato)<br />
# id suzuki<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki),10(wheel),5000(eigyou)<br />
4.1.3 <br />
sato suzuki <br />
<br />
<strong>Linux</strong> <br />
<strong>Linux</strong> X Window System root <br />
su <br />
A sato <br />
[root@server ~]# su - sato<br />
[sato@server ~]$ id<br />
uid=500(sato) gid=500(sato) =500(sato) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
B suzuki <br />
[root@server ~]# su - suzuki<br />
[suzuki@server ~]$ id<br />
uid=501(suzuki) gid=501(suzuki) =501(suzuki),10(wheel),5000(eigyou) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
4.1.4 <br />
<strong>Linux</strong> root <br />
sato vi vim/tmp <br />
suzuki kill <br />
sato vi /tmp/sato <br />
[sato@server ~]$ vi /tmp/sato<br />
suzuki vim <br />
[suzuki@server ~]$ ps aux | grep vim<br />
sato 6456 0.1 0.3 148100 3692 pts/2 S+ 19:46 0:00 vim /tmp/sato<br />
suzuki 6462 0.0 0.0 107464 916 pts/3 S+ 19:46 0:00 grep vim<br />
suzuki sato vim kill <br />
ID ps 2 <br />
[suzuki@server ~]$ kill 6456<br />
-bash: kill: (6456) - <br />
sato :q! vim <br />
4.1.5 <br />
sato /tmp/sato <br />
sato /tmp/sato <br />
<br />
[sato@server ~]$ ls -l /tmp/sato<br />
-rw-rw-r--. 1 sato sato 5 12 9 17:51 2014 /tmp/sato<br />
suzuki cat /tmp/sato <br />
<br />
[suzuki@server ~]$ cat /tmp/sato<br />
sato<br />
suzuki /tmp/sato <br />
<br />
[suzuki@server ~]$ echo "suzuki" >> /tmp/sato<br />
-bash: /tmp/sato: <br />
4.1.6 umask <br />
umask <br />
umask <br />
[sato@server ~]$ umask<br />
0002<br />
umask <br />
8 <br />
<br />
r w x<br />
8 4 2 1<br />
<br />
<br />
4.1.7 umask<br />
(eXecute) <br />
0666(rw-rw-rw-) umask <br />
umask 0002 w<br />
-rw-rw-r--0664<br />
[sato@server ~]$ umask<br />
0002<br />
[sato@server ~]$ touch testfile<br />
[sato@server ~]$ ls -l testfile<br />
-rw-rw-r--. 1 sato sato 0 1 14 19:51 2015 testfile<br />
4.1.8 umask<br />
(eXecute) <br />
0777(rwxrwxrwx) umask <br />
1 <br />
<br />
umask 0002 w<br />
-rwxrwxr-x0775<br />
[sato@server ~]$ umask<br />
0002<br />
[sato@server ~]$ mkdir testdir<br />
[sato@server ~]$ ls -ld testdir<br />
drwxrwxr-x. 2 sato sato 4096 1 14 19:52 2015 testdir<br />
4.1.9 umask 4 <br />
3 <br />
umask 4 setUID/setGID/<br />
setUID <br />
setUID umask <br />
3 <br />
umask 022 3 umask 0022 <br />
<br />
[sato@server ~]$ umask 022<br />
[sato@server ~]$ umask<br />
0022<br />
4.1.10 umask <br />
umask umask umask <br />
umask 0022 <br />
644(-rw-r--r--) <br />
[sato@server ~]$ umask 0022<br />
[sato@server ~]$ touch umasktest<br />
[sato@server ~]$ ls -l umasktest<br />
-rw-r--r--. 1 sato sato 0 1 14 19:53 2015 umasktest<br />
4.1.11 root umask umask<br />
umask 0002 root umask 0022 <br />
[root@server ~]# umask<br />
0022<br />
bash /etc/bashrc <br />
umask uid 200 uid gid <br />
umask 0002002 3 0022 <br />
<br />
/etc/profile <br />
# cat /etc/bashrc<br />
<br />
# By default, we want umask to get set. This sets it for non-login shell.<br />
# Current threshold for system reserved uid/gids is 200<br />
# You could check uidgid reservation validity in<br />
# /usr/share/doc/setup-*/uidgid file<br />
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then<br />
umask 002<br />
else<br />
umask 022<br />
fi<br />
<br />
uid gid useradd <br />
uid gid <br />
uid gid useradd <br />
<br />
4.1.12 setUID <br />
setUID <br />
setUID ls s<br />
<br />
setUID passwd <br />
root /etc/shadow <br />
passwd root setUID <br />
passwd root /etc/shadow <br />
<br />
setUID <br />
<br />
passwd ps <br />
setUID <br />
[sato@server ~]$ ls -l /usr/bin/passwd<br />
-rwsr-xr-x. 1 root root 30768 2 22 20:48 2012 /usr/bin/passwd<br />
passwd Ctrl+Z <br />
Enter <br />
[sato@server ~]$ passwd<br />
sato <br />
sato <br />
UNIX: Ctrl+Z Enter <br />
[1]+ passwd<br />
ps passwd root <br />
<br />
[sato@server ~]$ ps aux | grep passwd<br />
root 15052 0.0 0.2 164012 2068 pts/1 T 10:47 0:00 passwd<br />
sato 15178 0.0 0.0 107464 916 pts/1 S+ 10:48 0:00 grep passwd<br />
fg passwd Ctrl+C <br />
<br />
[sato@server ~]$ fg<br />
passwd<br />
^C Ctrl+C <br />
[sato@server ~]$<br />
4.1.13 setGID <br />
setGID setGID <br />
s<br />
setGID write slocate <br />
$ ls -l /usr/bin/write<br />
-rwxr-sr-x 1 root tty 10124 2 18 2011 /usr/bin/write<br />
$ ls -l /usr/bin/slocate<br />
-rwxr-sr-x 1 root slocate 38516 11 17 2007 /usr/bin/slocate<br />
write <br />
write ps <br />
2 <br />
write Ctrl+Z <br />
[sato@server ~]$ write suzuki<br />
^Z Ctrl+Z <br />
[1]+ write suzuki<br />
ps <br />
[sato@server ~]$ ps a -eo "%p %u %g %G %y %c" | grep write<br />
23400 sato sato tty pts/1 write<br />
ID%p%u%g%G<br />
%y%c sato setGID <br />
tty <br />
tty Tele-TYpewriterwrite <br />
setGID tty <br />
<br />
4.1.14 <br />
<br />
<br />
/tmp /tmp <br />
<br />
/tmp 777rwxrwxrwx<br />
/tmp <br />
<br />
ls <br />
t<br />
[sato@server ~]$ ls -ld /tmp<br />
drwxrwxrwt. 16 root root 4096 1 14 20:26 2015 /tmp<br />
sato /tmp/sbittest 666 <br />
[sato@server ~]$ touch /tmp/sbittest<br />
[sato@server ~]$ chmod 666 /tmp/sbittest<br />
[sato@server ~]$ ls -l /tmp/sbittest<br />
-rw-rw-rw-. 1 sato sato 0 1 14 20:28 2015 /tmp/sbittest<br />
suzuki /tmp/sbittest <br />
<br />
[suzuki@server ~]$ echo "suzuki" >> /tmp/sbittest<br />
[suzuki@server ~]$ cat /tmp/sbittest<br />
suzuki<br />
suzuki /tmp/sbittest <br />
<br />
[suzuki@server ~]$ rm /tmp/sbittest<br />
rm: cannot remove `/tmp/sbittest': <br />
sato /tmp/sbittest <br />
[sato@server ~]$ rm /tmp/sbittest<br />
4.2 POSIX ACL<br />
ACL(Access Control ListPOSIX ACL POSIX ACL ) <strong>Linux</strong><br />
2.6 <strong>Linux</strong> <br />
<br />
<strong>Linux</strong> OS Windows ACL <br />
<strong>Linux</strong> Windows Samba<br />
ACL <br />
4.2.1 ACL <br />
ACL <br />
ext3 ext4XFS <br />
<br />
mount acl <br />
CentOS 6 ext4 ACL <br />
acl <br />
ACL ls "."<br />
<br />
"." ACL ACL "+"<br />
<br />
4.2.2 ACL <br />
ACL getfacl <br />
ACL setfacl ACL <br />
<br />
sato /tmp/acltest <br />
[sato@server ~]$ touch /tmp/acltest<br />
suzuki /tmp/acltest <br />
<br />
[suzuki@server ~]$ echo "suzuki" >> /tmp/acltest<br />
-bash: /var/tmp/acltest: <br />
getfacl /tmp/acltest ACL <br />
[sato@server ~]$ getfacl /tmp/acltest<br />
getfacl: Removing leading '/' from absolute path names<br />
# file: tmp/acltest<br />
# owner: sato<br />
# group: sato<br />
user::rw-<br />
group::r--<br />
other::r--<br />
sato setfacl suzuki /tmp/acltest <br />
ACL <br />
[sato@server ~]$ setfacl -m u:suzuki:rw /tmp/acltest<br />
[sato@server ~]$ getfacl /tmp/acltest<br />
getfacl: Removing leading '/' from absolute path names<br />
# file: tmp/acltest<br />
# owner: sato<br />
# group: sato<br />
user::rw-<br />
user:suzuki:rw-<br />
suzuki ACL <br />
group::rw-<br />
mask::rw-<br />
other::r--<br />
suzuki /tmp/acltest ACL <br />
<br />
[suzuki@server ~]$ echo "suzuki" >> /tmp/acltest<br />
[suzuki@server ~]$ cat /tmp/acltest<br />
suzuki<br />
sato setfacl suzuki /tmp/acltest <br />
ACL <br />
[sato@server ~]$ setfacl -x u:suzuki /tmp/acltest<br />
[sato@server ~]$ getfacl /tmp/acltest<br />
getfacl: Removing leading '/' from absolute path names<br />
# file: tmp/acltest<br />
# owner: sato<br />
# group: sato<br />
user::rw-<br />
group::rw-<br />
mask::rw-<br />
other::r--<br />
suzuki /tmp/acltest ACL <br />
<br />
[suzuki@server ~]$ echo "suzuki" >> /tmp/acltest<br />
-bash: /var/tmp/acltest: <br />
4.2.3 Samba ACL <br />
Samba Windows Windows <br />
<strong>Linux</strong> ACL <br />
/home/sato samba_ACL_test ACL <br />
<br />
Samba <br />
Samba <br />
# yum install samba<br />
Samba /etc/samba/smb.conf workgroup <br />
Windows Windows <br />
WORKGROUP <br />
vi /etc/samba/smb.conf<br />
workgroup = WORKGROUP <br />
Samba smb nmb <br />
# service smb start<br />
SMB : [ OK ]<br />
# service nmb start<br />
NMB : [ OK ]<br />
iptables <br />
iptables system-config-firewall-tui <br />
Samba /etc/sysconfig/iptables 4 iptables reload<br />
Samba SMB/CIFS TCP UDP 2 <br />
<br />
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT<br />
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT<br />
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT<br />
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT<br />
SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> SE<strong>Linux</strong> setsebool <br />
Samba SE<strong>Linux</strong> <br />
<br />
# setsebool -P samba_enable_home_dirs on<br />
Samba <br />
smbpasswd Samba <strong>Linux</strong> <br />
sato <br />
Windows <br />
<br />
# smbpasswd -a sato<br />
New SMB password: <br />
Retype new SMB password: <br />
Added user sato.<br />
Windows Samba <br />
Windows Samba <br />
1. Samba <br />
4.1<br />
Samba <br />
\\server \\192.168.0.10<br />
<br />
2. <br />
4.2<br />
<br />
<br />
3. <br />
4.3<br />
<br />
sato Samba<br />
<br />
<br />
4. <br />
4.4<br />
samba_acl_test <br />
samba_acl_test <br />
5. <br />
4.5<br />
<br />
Windows samba_acl_test <br />
<br />
6. <br />
4.6<br />
<br />
Everyone 5 OK<br />
OK <br />
<strong>Linux</strong> ACL <br />
1. sato samba_acl_test <br />
ACL <br />
[sato@server ~]$ getfacl samba_acl_test/<br />
# file: samba_acl_test/<br />
# owner: sato<br />
# group: sato<br />
user::rwx<br />
group::r-x<br />
other::r-x<br />
2. setfacl samba_acl_test <br />
ACL <br />
[sato@server ~]$ setfacl -m o::rwx samba_acl_test<br />
[sato@server ~]$ getfacl samba_acl_test/<br />
# file: samba_acl_test/<br />
# owner: sato<br />
# group: sato<br />
user::rwx<br />
group::r-x<br />
other::rwx <br />
3. Windows <br />
4.7<br />
<br />
Windows Everyone<br />
<br />
4.3 SE<strong>Linux</strong><br />
SE<strong>Linux</strong> <strong>Linux</strong> 2.6 root <br />
MACMandatory Access Control<br />
SE<strong>Linux</strong> SE<strong>Linux</strong> <br />
<strong>Linux</strong> <br />
4.3.1 SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> <strong>Linux</strong> contexts<br />
subject<br />
object<br />
<br />
SE<strong>Linux</strong> <br />
<strong>Linux</strong> <br />
<br />
4.3.2 SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> getenforce <br />
[root@server ~]# getenforce<br />
Enforcing<br />
getenforce <br />
<br />
Enforcing<br />
Permissive<br />
Disabled<br />
<br />
SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> setenforce /etc/selinux/config <br />
<br />
4.3.3 setenforce SE<strong>Linux</strong> <br />
setenforce SE<strong>Linux</strong> root <br />
<br />
Enforcing Permissive SE<strong>Linux</strong> <br />
Disabled<br />
<br />
setenforce [ Enforcing | Permissive | 1 | 0 ]<br />
SE<strong>Linux</strong> <br />
Permissive SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> Permissive <br />
SE<strong>Linux</strong> <br />
# setenforce permissive<br />
# getenforce<br />
Permissive<br />
4.3.4 SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> SE<strong>Linux</strong> /etc/selinux/config<br />
<br />
/etc/selinux/config SELINUX disabled <br />
# vi /etc/selinux/config<br />
#SELINUX=enforcing #<br />
SELINUX=disabled <br />
<br />
# reboot<br />
getenforce SE<strong>Linux</strong> Disabled<br />
# getenforce<br />
Disabled<br />
/etc/selinux/config SELINUX enforcing <br />
# vi /etc/selinux/config<br />
SELINUX=enforcing #<br />
#SELINUX=disabled #<br />
<br />
# reboot<br />
getenforce SE<strong>Linux</strong> Enforcing<br />
# getenforce<br />
Enforcing<br />
4.3.5 <br />
4<br />
<br />
• (user)<br />
• (role)<br />
• (type)<br />
• MLS Multi Level Security <br />
<br />
<br />
:::MLS<br />
SE<strong>Linux</strong> <br />
<br />
Apache Web httpd httpd_t<br />
<br />
4.3.6 <br />
SE<strong>Linux</strong> <br />
-Z <br />
ls -lZ <br />
Apache Web httpd<br />
# ls -lZ /var/www<br />
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin<br />
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 error<br />
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html<br />
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 icons<br />
/var/www/html /var/www/icons Web <br />
httpd_sys_content_t<br />
/var/www/html <br />
<br />
/var/www/html index.html <br />
index.html httpd_sys_content_t<br />
<br />
# touch /var/www/html/index.html<br />
# ls -lZ /var/www/html/index.html<br />
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html<br />
ps axZ <br />
httpd httpd_t <br />
<br />
[root@server ~]# service httpd start<br />
httpd : [ OK ]<br />
[root@server ~]# ps axZ | grep httpd<br />
unconfined_u:system_r:httpd_t:s0 27104 ? Ss 0:00 /usr/sbin/httpd<br />
unconfined_u:system_r:httpd_t:s0 27106 ? S 0:00 /usr/sbin/httpd<br />
<br />
SE<strong>Linux</strong> httpd httpd_t <br />
httpd_sys_content_t read<br />
<br />
4.3.7 Boolean SE<strong>Linux</strong> <br />
SE<strong>Linux</strong> SE<strong>Linux</strong> <br />
<br />
SE<strong>Linux</strong> <br />
Boolean<br />
Boolean CentOS 6 200 <br />
<br />
<strong>Linux</strong> <br />
<br />
Apache Web (httpd) <br />
getsebool Boolean Boolean <br />
grep httpd<br />
# getsebool -a | grep httpd<br />
allow_httpd_anon_write --> off<br />
allow_httpd_mod_auth_ntlm_winbind --> off<br />
<br />
httpd_enable_homedirs --> off<br />
<br />
httpd_enable_homedirs Boolean Boolean Apache Web<br />
<br />
public_html Web <br />
<br />
Apache Web /etc/httpd/conf/httpd.conf UserDir <br />
<br />
# vi /etc/httpd/conf/httpd.conf<br />
<br />
<br />
#<br />
# UserDir is disabled by default since it can confirm the presence<br />
# of a username on the system (depending on home directory<br />
# permissions).<br />
#<br />
#UserDir disabled #<br />
#<br />
# To enable requests to /~user/ to serve the user's public_html<br />
# directory, remove the "UserDir disabled" line above, and uncomment<br />
# the following line instead:<br />
#<br />
UserDir public_html #<br />
<br />
httpd <br />
# service httpd restart<br />
httpd : [ OK ]<br />
httpd : [ OK ]<br />
sato public_html <br />
$ pwd<br />
/home/sato<br />
$ mkdir public_html<br />
/home/sato /home/sato/public_html 711 <br />
<br />
$ chmod 711 /home/sato<br />
$ chmod 711 /home/sato/public_html/<br />
public_html index.html <br />
[sato@server ~]$ echo "SELinux test" > /home/sato/public_html/index.html<br />
http://192.168.0.10/~sato/ SELinux <br />
Forbidden<br />
4.8<br />
Forbidden<br />
root /var/log/audit/audit.log httpd(httpd_t) <br />
(user_home_dir_t) <br />
[root@server ~]# tail /var/log/audit/audit.log<br />
<br />
type=AVC msg=audit(1421241819.317:804): avc: denied { search } for pid=7357 comm="httpd" name="sato" dev=dm-2 ino=130305 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir<br />
type=SYSCALL msg=audit(1421241819.317:804): arch=c000003e syscall=4 success=no exit=-13 a0=7f7f0adf26e8 a1=7fff803d37c0 a2=7fff803d37c0 a3=1999999999999999 items=0 ppid=7352 pid=7357 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=87 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)<br />
type=AVC msg=audit(1421241819.317:805): avc: denied { getattr } for pid=7357 comm="httpd" path="/home/sato" dev=dm-2 ino=130305 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir<br />
type=SYSCALL msg=audit(1421241819.317:805): arch=c000003e syscall=6 success=no exit=-13 a0=7f7f0adf2798 a1=7fff803d37c0 a2=7fff803d37c0 a3=1 items=0 ppid=7352 pid=7357 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=87 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)<br />
setsebool Booleanhttpd_enable_homedirs<br />
[root@server ~]# getsebool httpd_enable_homedirs<br />
httpd_enable_homedirs --> off<br />
[root@server ~]# setsebool httpd_enable_homedirs on<br />
[root@server ~]# getsebool httpd_enable_homedirs<br />
httpd_enable_homedirs --> on<br />
http://192.168.0.10/~sato/ Boolean <br />
<br />
4.4 LVM <br />
LVMLogical Volume Manager<br />
<br />
LVM <br />
<br />
<br />
HDD HDD <br />
<br />
<br />
<strong>Linux</strong> LVM <br />
CentOS <br />
LVM <br />
LVM <br />
LVM PV: Physical VolumeVG: Volume Group<br />
LV: Logical Volume 3 <br />
4.4.1 PV<br />
(PV) <br />
PV <br />
PV <br />
PV 8E <br />
<strong>Linux</strong> /dev/sdb <br />
LVM fdisk PV <br />
<br />
# fdisk /dev/sdb<br />
DOS Sun, SGI OSF <br />
<br />
<br />
(m ): n n <br />
<br />
e <br />
p (1-4)<br />
p p <br />
(1-4): 1 1 <br />
(1-8354, 1): 1 1 <br />
Last , + or +size{K,M,G} (1-8354, 8354): +2G <br />
+2GB <br />
(m ): n n <br />
<br />
e <br />
p (1-4)<br />
p p <br />
(1-4): 2 2 <br />
(263-8354, 263): Enter <br />
263 <br />
Last , + or +size{K,M,G} (263-8354, 8354): +2G <br />
+2GB <br />
(m ): t t <br />
(1-4): 1 1 <br />
16 (L ): 8e LVM 8e <br />
1 8e (Linux LVM) <br />
(m ): t t <br />
(1-4): 2 2 <br />
16 (L ): 8e LVM 8e <br />
2 8e (Linux LVM) <br />
(m ): w w <br />
<br />
ioctl() <br />
<br />
4.4.2 VG<br />
(VG) 1 PV<br />
<br />
vgcreate <br />
vgcreate PV [PV ...]<br />
PV/dev/sdb1 Volume00 <br />
vgcreate <br />
# vgcreate Volume00 /dev/sdb1<br />
Physical volume "/dev/sdb1" successfully created<br />
Volume group "Volume00" successfully created<br />
vgscan <br />
# vgscan<br />
Reading all physical volumes. This may take a while...<br />
Found volume group "Volume00" using metadata type lvm2<br />
Found volume group "vg_server" using metadata type lvm2<br />
4.4.3 LV<br />
LVVG<br />
<strong>Linux</strong> <br />
<br />
<br />
lvcreate <br />
lvcreate -L -n <br />
Volume00 1GBLogVol01<br />
lvcreate <br />
# lvcreate -L 1024M -n LogVol01 Volume00<br />
4.4.4 <br />
<br />
<br />
/dev//<br />
/dev/Volume00/LogVol01 ext4 mkfs <br />
<br />
# mkfs -t ext4 /dev/Volume00/LogVol01<br />
mke2fs 1.41.12 (17-May-2010)<br />
Discarding device blocks: done<br />
Filesystem label=<br />
OS type: Linux<br />
<br />
This filesystem will be automatically checked every 33 mounts or<br />
180 days, whichever comes first. Use tune2fs -c or -i to override.<br />
mount /dev/Volume00/LogVol01 <br />
# mkdir /mnt/LVMtest<br />
# mount -t ext4 /dev/Volume00/LogVol01 /mnt/LVMtest/<br />
# mount /mnt/LVMtest/<br />
mount: /dev/mapper/Volume00-LogVol01 /mnt/LVMtest <br />
<br />
mount: mtab /dev/mapper/Volume00-LogVol01 /mnt/LVMtest <br />
<br />
4.4.5 <br />
Volume00 /dev/sdb2 <br />
vgextend /dev/sdb2 Volume00 <br />
<br />
# vgextend Volume00 /dev/sdb2<br />
Physical volume "/dev/sdb2" successfully created<br />
Volume group "Volume00" successfully extended<br />
vgdisplay Volume00 PVPhysical<br />
volume 2 /dev/sdb2 <br />
# vgdisplay Volume00<br />
--- Volume group ---<br />
VG Name Volume00<br />
System ID<br />
Format lvm2<br />
Metadata Areas 2<br />
Metadata Sequence No 3<br />
VG Access read/write<br />
VG Status resizable<br />
MAX LV 0<br />
Cur LV 1<br />
Open LV 1<br />
Max PV 0<br />
Cur PV 2<br />
Act PV 2<br />
VG Size 4.01 GiB<br />
PE Size 4.00 MiB<br />
Total PE 1026<br />
Alloc PE / Size 256 / 1.00 GiB<br />
Free PE / Size 770 / 3.01 GiB<br />
VG UUID yTTwWd-G5tb-FzNb-Ow0L-ebvr-1n9I-ikLWo2<br />
4.4.6 <br />
LVM LVM <br />
ext4 <br />
df 1GB <br />
# df /mnt/LVMtest/<br />
Filesystem 1K-blocks Used Available Use% Mounted on<br />
/dev/mapper/Volume00-LogVol01<br />
999320 1284 945608 1% /mnt/LVMtest<br />
lvextend LogVol01 2G <br />
# lvextend -L 2G /dev/Volume00/LogVol01<br />
Size of logical volume Volume00/LogVol01 changed from 1.00 GiB (256 extents) to 2.00 GiB (512 extents).<br />
Logical volume LogVol01 successfully resized<br />
resize2fs <br />
# resize2fs /dev/Volume00/LogVol01<br />
resize2fs 1.41.12 (17-May-2010)<br />
Filesystem at /dev/Volume00/LogVol01 is mounted on /mnt/LVMtest; on-line resizing required<br />
old desc_blocks = 1, new_desc_blocks = 1<br />
Performing an on-line resize of /dev/Volume00/LogVol01 to 524288 (4k) blocks.<br />
The filesystem on /dev/Volume00/LogVol01 is now 524288 blocks long.<br />
df 2GB <br />
# df /mnt/LVMtest/<br />
Filesystem 1K-blocks Used Available Use% Mounted on<br />
/dev/mapper/Volume00-LogVol01<br />
2031440 1536 1925060 1% /mnt/LVMtest<br />
4.4.7 <br />
<br />
<br />
<br />
<br />
<br />
umount /mnt/LVMtest <br />
<br />
# umount /mnt/LVMtest/<br />
/dev/Volume00/LogVol01 fsck <br />
-f <br />
# fsck -f /dev/Volume00/LogVol01<br />
fsck from util-linux-ng 2.17.2<br />
e2fsck 1.41.12 (17-May-2010)<br />
Pass 1: Checking inodes, blocks, and sizes<br />
Pass 2: Checking directory structure<br />
Pass 3: Checking directory connectivity<br />
Pass 4: Checking reference counts<br />
Pass 5: Checking group summary information<br />
/dev/mapper/Volume00-LogVol01: 11/131072 files (0.0% non-contiguous), 16812/524288 blocks<br />
resize2fs 1GB <br />
# resize2fs /dev/Volume00/LogVol01 1G<br />
resize2fs 1.41.12 (17-May-2010)<br />
Resizing the filesystem on /dev/Volume00/LogVol01 to 262144 (4k) blocks.<br />
The filesystem on /dev/Volume00/LogVol01 is now 262144 blocks long.<br />
lvreduce /dev/Volume00/LogVol01 <br />
# lvreduce -L 1G /dev/Volume00/LogVol01<br />
WARNING: Reducing active logical volume to 1.00 GiB<br />
THIS MAY DESTROY YOUR DATA (filesystem etc.)<br />
Do you really want to reduce LogVol01? [y/n]: y y <br />
Size of logical volume Volume00/LogVol01 changed from 2.00 GiB (512 extents) to 1.00 GiB (256 extents).<br />
Logical volume LogVol01 successfully resized<br />
/mnt/LVMtest <br />
# mount -t ext4 /dev/Volume00/LogVol01 /mnt/LVMtest/<br />
# df /mnt/LVMtest/<br />
Filesystem 1K-blocks Used Available Use% Mounted on<br />
/dev/mapper/Volume00-LogVol01<br />
999320 1284 945616 1% /mnt/LVMtest<br />
4.5 <br />
<br />
<br />
<br />
4.5.1 <br />
<br />
<br />
<br />
<br />
CD DVD <br />
<br />
<br />
4.5.2 <br />
<strong>Linux</strong> <br />
<br />
<br />
• dd <br />
• dump <br />
• tar <br />
• rsync <br />
4.5.3 dd <br />
dd <br />
<br />
dd <br />
• MBR(Master Boot Record) <br />
<br />
• i atimectime <br />
• <br />
<br />
dd <br />
• <br />
<br />
<br />
• <br />
4.5.4 dump <br />
<br />
dump <br />
• <br />
• <br />
• <br />
• i atimectime <br />
• <br />
• <br />
dump <br />
• <br />
• <br />
• <br />
• ext2/3/4 XFS <br />
xfsdump <br />
4.5.5 tar <br />
Tape Archiver<br />
<br />
tar <br />
• <br />
• <br />
• <br />
• <br />
tar <br />
• <br />
• i i <br />
<br />
4.5.6 rsync <br />
remote sync<br />
<br />
<br />
rsync <br />
• <br />
• tar <br />
• <br />
rsync <br />
• dd dump <br />
• i i <br />
<br />
4.5.7 <br />
<br />
<br />
/mnt/backup_test/dev/sdb1/mnt/restore_test/dev/sdc1<br />
2 <br />
/dev/sdb /dev/sdc OS <br />
2 1 <br />
2 /dev/sdb1 /dev/sdb2<br />
LVM /dev/sdb <br />
fdisk <br />
fdisk /dev/sdb /dev/sdb1 mkfs.ext4 ext4<br />
/mnt/backup_test <br />
LVM LVM <br />
<br />
# fdisk /dev/sdb<br />
<br />
# mkfs.ext4 /dev/sdb1<br />
# mkdir /mnt/backup_test<br />
# mount -t ext4 /dev/sdb1 /mnt/backup_test/<br />
/mnt/backup_test <br />
# mkdir /mnt/backup_test/test_dir<br />
# touch /mnt/backup_test/test_dir/test_file<br />
4.5.8 dd <br />
dd /dev/sdb <br />
<br />
/dev/sdc dd /dev/sdb /dev/sdc <br />
<br />
# dd if=/dev/sdb of=/dev/sdc<br />
208896+0 records in<br />
208896+0 records out<br />
106954752 bytes (107 MB) copied, 1.29132 s, 82.8 MB/s<br />
fdisk /dev/sdc1 <br />
/dev/sdc OS OS <br />
<br />
# reboot<br />
<br />
# fdisk /dev/sdc<br />
<br />
(m ): p p <br />
/dev/sdc: 106 MB, 106954752 <br />
255, 63, 13<br />
Units = of 16065 * 512 = 8225280 <br />
( / ): 512 / 4096 <br />
I/O size (minimum/optimal): 4096 bytes / 4096 bytes<br />
: 0x43b56949<br />
Id <br />
/dev/sdc1 1 13 104391 83 Linux<br />
Partition 1 does not start on physical sector boundary.<br />
(m ): q q <br />
/dev/sdc1 /mnt/restore_test /mnt/backup_test <br />
<br />
# mount /dev/sdc1 /mnt/restore_test<br />
# cd /mnt/restore_test<br />
# ls -l<br />
14<br />
drwx------. 2 root root 12288 12 22 13:16 2014 lost+found<br />
drwxr-xr-x. 3 root root 1024 12 22 13:16 2014 test_dir<br />
[root@server restore_test]# ls -l test_dir/<br />
0<br />
-rw-r--r--. 1 root root 0 12 22 13:16 2014 test_file<br />
4.5.9 dump <br />
dump <br />
/etc/fstab <br />
/boot /boot <br />
//boot<br />
/boot dump <br />
<br />
CentOS 6 dump dump <br />
<br />
# yum install dump<br />
dump /etc/fstab /etc/fstab 5 <br />
2 1 dump <br />
/boot dump <br />
/proc /sys <br />
# vi /etc/fstab<br />
/dev/mapper/vg_cent65-lv_root / ext4 defaults 1 1<br />
UUID=fe4d3f56-a570-44b4-a863-418b789b42bc /boot ext4 defaults 1 2<br />
/dev/mapper/vg_cent65-lv_swap swap swap defaults 0 0<br />
tmpfs /dev/shm tmpfs defaults 0 0<br />
devpts /dev/pts devpts gid=5,mode=620 0 0<br />
sysfs /sys sysfs defaults 0 0<br />
proc /proc proc defaults 0 0<br />
dump /boot <br />
dump dd <br />
<br />
-<br />
<br />
<br />
-0 0 0 <br />
-u /etc/dumpdates <br />
-a <br />
-n operator <br />
-f <br />
# dump -0uan -f - /boot | dd of=/tmp/boot.dump<br />
DUMP: No group entry for operator.<br />
DUMP: Date of this level 0 dump: Thu Jan 15 00:07:19 2015<br />
DUMP: Dumping /dev/sda1 (/boot) to standard output<br />
<br />
DUMP: Date this dump completed: Thu Jan 15 00:07:20 2015<br />
DUMP: Average transfer rate: 26570 kB/s<br />
DUMP: DUMP IS DONE<br />
53140+0 records in<br />
53140+0 records out<br />
27207680 bytes (27 MB) copied, 0.202273 s, 135 MB/s<br />
# ls -l /tmp/boot.dump<br />
-rw-r--r--. 1 root root 27207680 1 15 00:07 2015 /tmp/boot.dump<br />
restore /tmp/restore_test -r <br />
-f <br />
-dump <br />
cat restore <br />
# mkdir /tmp/restore_test<br />
# cd /tmp/restore_test<br />
# cat /tmp/boot.dump | restore -rf -<br />
# ls<br />
System.map-2.6.32-504.el6.x86_64 initramfs-2.6.32-504.el6.x86_64.img<br />
config-2.6.32-504.el6.x86_64 lost+found<br />
efi symvers-2.6.32-504.el6.x86_64.gz<br />
grub vmlinuz-2.6.32-504.el6.x86_64<br />
/tmp/restore_test <br />
# rm -rf /tmp/restore_test/*<br />
4.5.10 tar <br />
tar <br />
<strong>Linux</strong> <br />
<br />
/boot <br />
/tmp/boot_backup.tar tar -c <br />
<br />
# tar -cvf /tmp/boot_backup.tar /boot<br />
tar: `/' <br />
/boot/<br />
/boot/grub/<br />
<br />
/boot/System.map-2.6.32-504.el6.x86_64<br />
/boot/.vmlinuz-2.6.32-504.el6.x86_64.hmac<br />
# ls -l /tmp/boot_backup.tar<br />
-rw-r--r--. 1 root root 26982400 1 15 00:15 2015 /tmp/boot_backup.tar<br />
/tmp/restore_test <br />
tar -x <br />
<br />
# cd /tmp/restore_test<br />
# tar -xvf /tmp/boot_backup.tar<br />
boot/<br />
boot/grub/<br />
<br />
boot/System.map-2.6.32-504.el6.x86_64<br />
boot/.vmlinuz-2.6.32-504.el6.x86_64.hmac<br />
# ls -l<br />
4<br />
dr-xr-xr-x. 5 root root 4096 1 6 06:20 2015 boot<br />
# ls boot/<br />
System.map-2.6.32-504.el6.x86_64 initramfs-2.6.32-504.el6.x86_64.img<br />
config-2.6.32-504.el6.x86_64 lost+found<br />
efi symvers-2.6.32-504.el6.x86_64.gz<br />
grub vmlinuz-2.6.32-504.el6.x86_64<br />
/tmp/restore_test <br />
# rm -rf /tmp/restore_test/*<br />
4.5.11 rsync <br />
rsync <br />
<br />
<br />
/boot <br />
<br />
rsync /boot /tmp/restore_test <br />
<br />
# rsync -av /boot /tmp/restore_test<br />
sending incremental file list<br />
boot/<br />
boot/.vmlinuz-2.6.32-504.el6.x86_64.hmac<br />
<br />
boot/grub/xfs_stage1_5<br />
boot/lost+found/<br />
sent 26964672 bytes received 457 bytes 53930258.00 bytes/sec<br />
total size is 26959690 speedup is 1.00<br />
/tmp/restore_test <br />
# ls -l /tmp/restore_test<br />
4<br />
dr-xr-xr-x. 5 root root 4096 1 6 06:20 2015 boot<br />
# ls -l /tmp/restore_test/boot<br />
25848<br />
-rw-r--r--. 1 root root 2544748 10 15 13:54 2014 System.map-2.6.32-504.el6.x86_64<br />
-rw-r--r--. 1 root root 106308 10 15 13:54 2014 config-2.6.32-504.el6.x86_64<br />
<br />
-rw-r--r--. 1 root root 200191 10 15 13:55 2014 symvers-2.6.32-504.el6.x86_64.gz<br />
-rwxr-xr-x. 1 root root 4152336 10 15 13:54 2014 vmlinuz-2.6.32-504.el6.x86_64<br />
/boot/rsync_test <br />
# touch /boot/rsync_test<br />
# ls -l /boot/rsync_test<br />
-rw-r--r--. 1 root root 0 1 15 00:23 2015 /boot/rsync_test<br />
rsync <br />
# rsync -av /boot /tmp/restore_test<br />
sending incremental file list<br />
boot/<br />
boot/rsync_test<br />
sent 832 bytes received 40 bytes 1744.00 bytes/sec<br />
total size is 26959690 speedup is 30917.08<br />
<br />
# ls -l /tmp/restore_test/boot/rsync_test<br />
-rw-r--r--. 1 root root 0 1 15 00:23 2015 /tmp/restore_test/boot/rsync_test<br />
tmp/restore_test <br />
# rm -rf /tmp/restore_test/*<br />
5 <br />
<br />
5.1 <br />
<strong>Linux</strong> <strong>Linux</strong> <br />
<br />
<strong>Linux</strong> 1 <br />
<br />
Red Hat Enterprise <strong>Linux</strong> CentOSSUSE <strong>Linux</strong> RPM(Red Hat<br />
Package Manager) <br />
YumYellowdog Updater Modified<br />
Debian GNU/<strong>Linux</strong> Ubuntu Debian<br />
deb APTAdvanced<br />
Package Tool<br />
CentOS 6 yum <br />
5.1.1 Yum <br />
RPM rpm <br />
<br />
<br />
<br />
Yum yum <br />
<br />
5.1.2 Yum <br />
Yum RPM <br />
RPM <br />
/etc/yum.repos.d <br />
# ls /etc/yum.repos.d<br />
CentOS-Base.repo CentOS-Media.repo CentOS-fasttrack.repo<br />
CentOS-Debuginfo.repo CentOS-Vault.repo<br />
<br />
CentOS-Base.repo <br />
# cat /etc/yum.repos.d/CentOS-Base.repo<br />
<br />
[base]<br />
name=CentOS-$releasever - Base<br />
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra<br />
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/<br />
gpgcheck=1<br />
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6<br />
<br />
#additional packages that extend functionality of existing packages<br />
[centosplus]<br />
name=CentOS-$releasever - Plus<br />
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra<br />
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/<br />
gpgcheck=1<br />
enabled=0<br />
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6<br />
<br />
mirrorlist mirror.centos.org <br />
<br />
enabled 0 yum --enablerepo <br />
<br />
yum HTTP <br />
PROXY yum <br />
/etc/yum.conf PROXY <br />
<br />
<br />
proxy<br />
proxy_username<br />
proxy_password<br />
<br />
PROXY URL<br />
PROXY <br />
PROXY <br />
DVD <br />
<br />
5.1.3 yum <br />
yum <br />
<br />
<br />
<br />
yum install <br />
<br />
<br />
yum remove <br />
<br />
<br />
yum check-update<br />
<br />
<br />
<br />
yum update []<br />
<br />
<br />
yum grouplist<br />
<br />
<br />
yum groupinstall <br />
<br />
<br />
<br />
yum groupremove <br />
5.1.4 <br />
yum dump <br />
<br />
Emacs<br />
<br />
# yum grouplist<br />
:fastestmirror, refresh-packagekit, security<br />
<br />
Loading mirror speeds from cached hostfile<br />
* base: ftp.nara.wide.ad.jp<br />
* extras: ftp.nara.wide.ad.jp<br />
* updates: ftp.nara.wide.ad.jp<br />
:<br />
CIFS <br />
Java <br />
<br />
<br />
Eclipse<br />
Emacs<br />
<br />
Emacs<br />
# yum groupinstall Emacs<br />
:fastestmirror, refresh-packagekit, security<br />
<br />
Loading mirror speeds from cached hostfile<br />
* base: ftp.riken.jp<br />
* extras: ftp.riken.jp<br />
* updates: ftp.riken.jp<br />
<br />
--> <br />
---> Package emacs.x86_64 1:23.1-25.el6 will be <br />
--> : emacs-common = 1:23.1-25.el6 : 1:emacs-23.1-25.el6.x86_64<br />
<br />
<br />
================================================================================<br />
<br />
<br />
<br />
<br />
================================================================================<br />
<br />
:<br />
emacs x86_64 1:23.1-25.el6 base 2.2 M<br />
:<br />
emacs-common x86_64 1:23.1-25.el6 base 18 M<br />
libXaw x86_64 1.0.11-2.el6 base 178 k<br />
libXpm x86_64 3.5.10-2.el6 base 51 k<br />
libotf x86_64 0.9.9-3.1.el6 base 80 k<br />
m17n-db-datafiles noarch 1.5.5-1.1.el6 base 717 k<br />
<br />
================================================================================<br />
<br />
6 <br />
: 21 M<br />
: 73 M<br />
? [y/N]y y <br />
:<br />
(1/6): emacs-23.1-25.el6.x86_64.rpm | 2.2 MB 00:00<br />
<br />
:<br />
emacs.x86_64 1:23.1-25.el6<br />
:<br />
emacs-common.x86_64 1:23.1-25.el6 libXaw.x86_64 0:1.0.11-2.el6<br />
libXpm.x86_64 0:3.5.10-2.el6 libotf.x86_64 0:0.9.9-3.1.el6<br />
m17n-db-datafiles.noarch 0:1.5.5-1.1.el6<br />
!<br />
Emacs <br />
# emacs<br />
Emacs Ctrl+X Ctrl+C <br />
5.1.5 <br />
yum Locale LANG <br />
yum groupinstall <br />
<br />
yum <br />
LANG=C<br />
LANG yum <br />
# LANG=C yum grouplist<br />
<br />
Installed Groups:<br />
Additional Development<br />
Base<br />
CIFS file server<br />
<br />
<br />
"<br />
<br />
Development tools<br />
<br />
# yum groupinstall "Development tools"<br />
5.1.6 DVD <br />
yum DVD <br />
<br />
/etc/yum.repos.d/CentOS-Media.repo <br />
<br />
# cat /etc/yum.repos.d/CentOS-Media.repo<br />
# CentOS-Media.repo<br />
#<br />
# This repo can be used with mounted DVD media, verify the mount point for<br />
# CentOS-6. You can use this repo and yum to install items directly off the<br />
# DVD ISO that we release.<br />
#<br />
# To use this repo, put in your DVD and use it with the other repos too:<br />
# yum --enablerepo=c6-media [command]<br />
#<br />
# or for ONLY the media repo, do this:<br />
#<br />
# yum --disablerepo=\* --enablerepo=c6-media [command]<br />
[c6-media]<br />
name=CentOS-$releasever - Media<br />
baseurl=file:///media/CentOS/<br />
file:///media/cdrom/<br />
file:///media/cdrecorder/<br />
gpgcheck=1<br />
enabled=0<br />
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6<br />
DVD /media/CentOS <br />
yum <br />
DVD <br />
1. CentOS root <br />
2. DVD DVD <br />
ISO DVD <br />
3. <br />
4. mount DVD /media/CentOS_6.6_Final<br />
<br />
# mount<br />
<br />
/dev/sr0 on /media/CentOS_6.6_Final type iso9660 (ro,nosuid,nodev,uhelper=udisks,uid=0,gid=0,iocharset=utf8,mode=0400,dmode=0500)<br />
5. /media/CentOS <br />
# ln -s /media/CentOS_6.6_Final/ /media/CentOS<br />
# ls -l /media<br />
4<br />
lrwxrwxrwx. 1 root root 24 1 15 02:47 2015 CentOS -> /media/CentOS_6.6_Final/<br />
dr-xr-xr-x. 7 root root 4096 10 24 23:17 2014 CentOS_6.6_Final<br />
6. yum --disablerepo <br />
--enablerepo c6-media <br />
<br />
# yum --disablerepo=\* --enablerepo=c6-media grouplist<br />
5.2 <br />
<br />
<br />
<br />
5.2.1 stress <br />
stress stress CentOS 6 <br />
RPMforge <br />
yum <br />
RPMforge <br />
rpmforge-release <br />
http://pkgs.repoforge.org/rpmforge-release/<br />
64 CentOS 6 <br />
<br />
http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm<br />
wget <br />
# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm<br />
<br />
2014-12-24 11:19:30 (19.2 KB/s) - `rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm' [12640/12640]<br />
rpm rpmforge-release <br />
# ls -l rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm<br />
-rw-r--r--. 1 root root 12640 3 21 00:59 2013 rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm<br />
# rpm -ivh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm<br />
yum stress <br />
# yum install stress<br />
RPM <br />
URL <br />
RPM <br />
http://pkgs.repoforge.org/stress/<br />
http://pkgs.repoforge.org/stress/stress-1.0.2-1.el6.rf.x86_64.rpm<br />
5.2.2 top <br />
top CPU <br />
<br />
top <br />
<br />
<br />
top - 03:11:49 up 16:28, 4 users, load average: 0.08, 0.03, 0.01<br />
Tasks: 188 total, 1 running, 187 sleeping, 0 stopped, 0 zombie<br />
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni, 99.8%id, 0.2%wa, 0.0%hi, 0.0%si, 0.0%st<br />
Mem: 1016372k total, 811796k used, 204576k free, 24736k buffers<br />
Swap: 2064380k total, 41640k used, 2022740k free, 295652k cached<br />
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND<br />
1 root 20 0 19364 1304 1036 S 0.0 0.1 0:01.24 init<br />
2 root 20 0 0 0 0 S 0.0 0.0 0:00.03 kthreadd<br />
3 root RT 0 0 0 0 S 0.0 0.0 0:00.03 migration/0<br />
4 root 20 0 0 0 0 S 0.0 0.0 0:00.09 ksoftirqd/0<br />
5 root RT 0 0 0 0 S 0.0 0.0 0:00.00 stopper/0<br />
6 root RT 0 0 0 0 S 0.0 0.0 0:00.08 watchdog/0<br />
7 root RT 0 0 0 0 S 0.0 0.0 0:00.04 migration/1<br />
8 root RT 0 0 0 0 S 0.0 0.0 0:00.00 stopper/1<br />
9 root 20 0 0 0 0 S 0.0 0.0 0:00.07 ksoftirqd/1<br />
10 root RT 0 0 0 0 S 0.0 0.0 0:00.06 watchdog/1<br />
11 root 20 0 0 0 0 S 0.0 0.0 0:03.16 events/0<br />
12 root 20 0 0 0 0 S 0.0 0.0 0:02.79 events/1<br />
13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cgroup<br />
14 root 20 0 0 0 0 S 0.0 0.0 0:00.01 khelper<br />
15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 netns<br />
16 root 20 0 0 0 0 S 0.0 0.0 0:00.00 async/mgr<br />
17 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pm<br />
5 <br />
<br />
1 <br />
2 <br />
3 CPU <br />
4 <br />
5 <br />
stress top <br />
stress <br />
stress Enter <br />
<br />
# stress --cpu 3 --io 4 --vm 2 --vm-bytes 128M &<br />
[1] 9747<br />
# stress: info: [9747] dispatching hogs: 3 cpu, 4 io, 2 vm, 0 hdd<br />
Enter <br />
#<br />
top stress CPU<br />
<br />
# top<br />
top - 03:28:09 up 16:44, 3 users, load average: 16.85, 14.44, 7.86<br />
Tasks: 208 total, 13 running, 195 sleeping, 0 stopped, 0 zombie<br />
Cpu(s): 55.5%us, 44.5%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st<br />
Mem: 1016372k total, 718440k used, 297932k free, 1528k buffers<br />
Swap: 2064380k total, 116124k used, 1948256k free, 39532k cached<br />
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND<br />
9692 sato 20 0 6516 176 92 R 17.0 0.0 2:02.20 stress<br />
9698 sato 20 0 6516 176 92 R 17.0 0.0 2:03.52 stress<br />
9748 root 20 0 6516 188 104 R 17.0 0.0 0:04.95 stress<br />
9750 root 20 0 134m 125m 184 R 17.0 12.6 0:05.11 stress<br />
9754 root 20 0 6516 188 104 R 17.0 0.0 0:05.11 stress<br />
9694 sato 20 0 134m 24m 168 R 16.6 2.4 2:00.22 stress<br />
9695 sato 20 0 6516 176 92 R 16.6 0.0 2:02.48 stress<br />
9751 root 20 0 6516 188 104 R 16.6 0.0 0:04.88 stress<br />
9697 sato 20 0 134m 59m 168 R 16.3 6.0 2:00.31 stress<br />
9753 root 20 0 134m 55m 184 R 16.3 5.6 0:04.87 stress<br />
9755 root 20 0 6516 184 100 D 4.7 0.0 0:01.50 stress<br />
9756 root 20 0 6516 184 100 D 4.7 0.0 0:01.49 stress<br />
9696 sato 20 0 6516 172 88 R 4.0 0.0 0:54.59 stress<br />
9699 sato 20 0 6516 172 88 D 4.0 0.0 0:59.14 stress<br />
9693 sato 20 0 6516 172 88 D 2.0 0.0 0:57.48 stress<br />
9700 sato 20 0 6516 172 88 D 2.0 0.0 0:59.43 stress<br />
9749 root 20 0 6516 184 100 D 2.0 0.0 0:01.60 stress<br />
q top stress <br />
fg <br />
# fg<br />
stress --cpu 3 --io 4 --vm 2 --vm-bytes 128M<br />
^C Ctrl+C <br />
5.2.3 vmstat <br />
vmstat CPU <br />
vmstat CPU<br />
<br />
# vmstat<br />
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----<br />
r b swpd free buff cache si so bi bo in cs us sy id wa st<br />
8 0 116104 408536 58692 71292 0 1 10 11 251 66 2 2 97 0 0<br />
<br />
<br />
r<br />
b<br />
swpd<br />
free<br />
buff<br />
cache<br />
si<br />
so<br />
bi<br />
bo<br />
in<br />
cs<br />
us<br />
sy<br />
id<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
1 <br />
1 <br />
1 <br />
1 <br />
1 <br />
1 <br />
CPU <br />
CPU <br />
CPU <br />
vmstat <br />
Ctrl+C <br />
# vmstat 5<br />
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----<br />
r b swpd free buff cache si so bi bo in cs us sy id wa st<br />
10 0 116104 261708 65040 79460 0 1 11 11 253 70 2 2 97 0 0<br />
9 0 116104 358068 65712 80356 0 0 189 242 5411 8564 42 58 0 0 0<br />
7 0 116104 301924 66184 81372 0 0 202 308 4610 7441 41 59 0 0 0<br />
^C Ctrl+C <br />
5.2.4 sysstat <br />
<strong>Linux</strong> sysstat iostat<br />
sar <br />
sysstat <br />
# yum install sysstat<br />
sysstat 10 <br />
cron <br />
# cat /etc/cron.d/sysstat<br />
# Run system activity accounting tool every 10 minutes<br />
*/10 * * * * root /usr/lib64/sa/sa1 1 1<br />
# 0 * * * * root /usr/lib64/sa/sa1 600 6 &<br />
# Generate a daily summary of process accounting at 23:53<br />
53 23 * * * root /usr/lib64/sa/sa2 -A<br />
10 /usr/lib64/sa/sa1 /usr/lib64/sa/sadc <br />
/var/log/sa/saDD DD 2 <br />
<br />
23:53 /usr/lib64/sa/sa2 sa1 <br />
/var/log/sa/sarDDDD 2 <br />
28 <br />
/etc/sysconfig/sysstat HISTORY <br />
sar <br />
5.2.5 iostat <br />
sysstat iostat CPU I/O <br />
I/O <br />
<br />
iostat iostat <br />
CPU I/O <br />
# iostat<br />
Linux 2.6.32-504.el6.x86_64 (server.example.com) 2015 01 15 _x86_64(2 CPU)<br />
avg-cpu: %user %nice %system %iowait %steal %idle<br />
1.72 0.00 1.95 0.03 0.00 96.30<br />
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn<br />
sda 1.89 44.06 117.04 2720068 7224884<br />
scd0 0.01 0.18 0.00 11204 0<br />
dm-0 6.51 41.98 42.57 2591466 2627904<br />
dm-1 0.49 0.17 74.44 10552 4595040<br />
dm-2 0.01 0.06 0.03 3522 1856<br />
<br />
<br />
%user<br />
%nice<br />
%system<br />
%iowait<br />
%steal<br />
%idle<br />
tps<br />
Blk_read/s<br />
Blk_wrtn/s<br />
Blk_read<br />
Blk_wrtn<br />
<br />
CPU <br />
nice CPU <br />
CPU <br />
I/O CPU <br />
CPU CPU <br />
CPU ( I/O <br />
1 I/O <br />
1 ()<br />
1 ()<br />
()<br />
()<br />
iostat -x KB <br />
<br />
kB_read/s<br />
kB_wrtn/s<br />
kB_read<br />
kB_wrtn<br />
<br />
1 (KB )<br />
1 (KB )<br />
(KB )<br />
(KB )<br />
iostat 1 iostat <br />
I/O <br />
Ctrl+C <br />
# iostat 5<br />
Linux 2.6.32-504.el6.x86_64 (server.example.com) 2015 01 15 _x86_64(2 CPU)<br />
avg-cpu: %user %nice %system %iowait %steal %idle<br />
1.76 0.00 2.01 0.03 0.00 96.20<br />
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn<br />
sda 1.89 44.02 116.93 2720092 7225892<br />
scd0 0.01 0.18 0.00 11204 0<br />
dm-0 6.51 41.94 42.54 2591474 2628888<br />
dm-1 0.49 0.17 74.36 10552 4595040<br />
dm-2 0.01 0.06 0.03 3522 1856<br />
avg-cpu: %user %nice %system %iowait %steal %idle<br />
44.30 0.00 55.70 0.00 0.00 0.00<br />
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn<br />
sda 0.00 0.00 0.00 0 0<br />
scd0 0.00 0.00 0.00 0 0<br />
dm-0 0.00 0.00 0.00 0 0<br />
dm-1 0.00 0.00 0.00 0 0<br />
dm-2 0.00 0.00 0.00 0 0<br />
^C Ctrl+C <br />
iostat -x <br />
# iostat -x<br />
Linux 2.6.32-504.el6.x86_64 (server.example.com) 2015 01 15 _x86_64(2 CPU)<br />
avg-cpu: %user %nice %system %iowait %steal %idle<br />
1.78 0.00 2.04 0.03 0.00 96.16<br />
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s avgrq-sz avgqu-sz await svctm %util<br />
sda 0.83 4.90 0.83 1.06 44.00 116.88 85.16 0.00 0.57 0.30 0.06<br />
scd0 0.04 0.00 0.01 0.00 0.18 0.00 27.00 0.00 14.24 9.61 0.01<br />
dm-0 0.00 0.00 1.17 5.33 41.92 42.52 12.98 0.02 3.17 0.10 0.06<br />
dm-1 0.00 0.00 0.02 0.47 0.17 74.33 150.83 0.00 1.80 0.03 0.00<br />
dm-2 0.00 0.00 0.01 0.00 0.06 0.03 7.97 0.00 0.37 0.27 0.00<br />
<br />
<br />
rrqm/s<br />
wrqm/s<br />
r/s<br />
w/s<br />
rsec/s<br />
wsec/s<br />
rkB/s<br />
wkB/s<br />
avgrq-sz<br />
avgqu-sz<br />
await<br />
svctm<br />
%util<br />
<br />
1 <br />
1 <br />
1 <br />
1 <br />
1 <br />
1 <br />
1 KB<br />
1 KB<br />
IO <br />
IO <br />
IO <br />
IO <br />
IO CPU <br />
5.2.6 sarSystem Admin Reporter<br />
sar CPU <br />
sar <br />
<br />
sar sadc <br />
sysstat <br />
cron sar <br />
sar 1 3 CPU <br />
# sar 1 3<br />
Linux 2.6.32-504.el6.x86_64 (server.example.com) 2015 01 23 _x86_64(2 CPU)<br />
18 25 47 CPU %user %nice %system %iowait %steal %idle<br />
18 25 48 all 38.00 0.00 62.00 0.00 0.00 0.00<br />
18 25 49 all 38.50 0.00 61.50 0.00 0.00 0.00<br />
18 25 50 all 39.80 0.00 60.20 0.00 0.00 0.00<br />
: all 38.77 0.00 61.23 0.00 0.00 0.00<br />
sar -b I/O <br />
# sar -b 1 3<br />
Linux 2.6.32-504.el6.x86_64 (server.example.com) 2015 01 23 _x86_64(2 CPU)<br />
18 26 15 tps rtps wtps bread/s bwrtn/s<br />
18 26 16 0.00 0.00 0.00 0.00 0.00<br />
18 26 17 0.00 0.00 0.00 0.00 0.00<br />
18 26 18 352.00 142.00 210.00 5648.00 1904.00<br />
: 117.73 47.49 70.23 1888.96 636.79<br />
sar -r <br />
# sar -r 1 3<br />
Linux 2.6.32-504.el6.x86_64 (server.example.com) 2015 01 23 _x86_64(2 CPU)<br />
18 26 32 kbmemfree kbmemused %memused kbbuffers kbcached kbcommit %commit<br />
18 26 33 233684 782688 77.01 81008 152872 1562412 50.72<br />
18 26 34 101404 914968 90.02 81008 152872 1562412 50.72<br />
18 26 35 112552 903820 88.93 81008 152872 1562412 50.72<br />
: 149213 867159 85.32 81008 152872 1562412 50.72<br />
sar sysstat <br />
# sar<br />
Linux 2.6.32-504.el6.x86_64 (server.example.com) 2015 01 23 _x86_64(2 CPU)<br />
11 10 01 CPU %user %nice %system %iowait %steal %idle<br />
11 20 01 all 0.39 0.00 0.36 0.01 0.00 99.24<br />
11 30 02 all 9.34 0.00 12.22 0.04 0.00 78.39<br />
11 40 01 all 43.10 0.00 56.90 0.00 0.00 0.00<br />
<br />
sar -f /var/log/sa/saDD <br />
<br />
# sar -f /var/log/sa/sa22<br />
Linux 2.6.32-504.el6.x86_64 (server.example.com) 2015 01 22 _x86_64(2 CPU)<br />
12 10 02 CPU %user %nice %system %iowait %steal %idle<br />
12 20 01 all 0.33 0.00 0.34 0.01 0.00 99.32<br />
12 30 01 all 0.39 0.00 0.34 0.02 0.00 99.25<br />
: all 0.36 0.00 0.34 0.01 0.00 99.29<br />
<br />
/var/log/sa/sarDD 1 less <br />
23 53 sarDD <br />
root sarDD <br />
<br />
# /usr/lib64/sa/sa2 -A<br />
# cat /var/log/sa/sar24<br />
Linux 2.6.32-504.el6.x86_64 (server.example.com) 2015-01-23 _x86_64(2 CPU)<br />
11 10 01 CPU %usr %nice %sys %iowait %steal %irq %soft %guest %idle<br />
11 20 01 all 0.39 0.00 0.35 0.01 0.00 0.00 0.01 0.00 99.24<br />
11 20 01 0 0.44 0.00 0.36 0.02 0.00 0.00 0.02 0.00 99.17<br />
<br />
5.2.7 logwatch <br />
<br />
<br />
logwatch <br />
<br />
<br />
logwatch <br />
# yum install logwatch<br />
logwatch logwatch.conf /usr/share/logwatch/default.conf/logwatch.conf<br />
<br />
/etc/logwatch/conf/logwatch.conf <br />
<br />
LogDir<br />
<br />
TmpDir<br />
<br />
MailTo<br />
<br />
MailFrom<br />
<br />
Print<br />
STDOUTYes MailTo No<br />
Save<br />
<br />
<br />
Archives<br />
Yes<br />
<br />
Range<br />
<br />
AllTodayYesterday<br />
Detail<br />
<br />
Low0Med5High10<br />
Service<br />
LogWatch <br />
/usr/share/logwatch/scripts/services <br />
LogFile<br />
<br />
<br />
mailer<br />
<br />
HostLimit<br />
hostname <br />
<br />
MailToDetail <br />
<br />
# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf<br />
cp: `/etc/logwatch/conf/logwatch.conf' (yes/no)? y<br />
y <br />
<br />
MailTo = root<br />
Range = yesterday<br />
Detail = Low<br />
Service = All<br />
root <br />
/usr/share/logwatch/scripts/services <br />
<br />
# ls /usr/share/logwatch/scripts/services<br />
afpd eximstats pam_unix sendmail-largeboxes<br />
amavis extreme-networks php shaperd<br />
arpwatch fail2ban pix slon<br />
audit ftpd-messages pluto smartd<br />
automount ftpd-xferlog pop3 sonicwall<br />
autorpm http portsentry sshd<br />
bfd identd postfix sshd2<br />
cisco imapd pound stunnel<br />
clam-update in.qpopper proftpd-messages sudo<br />
clamav init pureftpd syslogd<br />
clamav-milter ipop3d qmail tac_acc<br />
courier iptables qmail-pop3d up2date<br />
cron kernel qmail-pop3ds vpopmail<br />
denyhosts mailscanner qmail-send vsftpd<br />
dhcpd modprobe qmail-smtpd windows<br />
dnssec mountd raid xntpd<br />
dovecot named resolver yum<br />
dpkg netopia rt314 zz-disk_space<br />
emerge netscreen samba zz-fortune<br />
evtapplication oidentd saslauthd zz-network<br />
evtsecurity openvpn scsi zz-runtime<br />
evtsystem pam secure zz-sys<br />
exim pam_pwdb sendmail<br />
/etc/logwatch/conf/logwatch.conf <br />
<br />
# vi /etc/logwatch/conf/logwatch.conf<br />
#Range = yesterday #<br />
Range = All <br />
logwatch logwatch --print <br />
<br />
# logwatch --print<br />
################### Logwatch 7.3.6 (05/19/07) ####################<br />
Processing Initiated: Tue Jan 27 11:53:04 2015<br />
Date Range Processed: all<br />
Detail Level of Output: 0<br />
Type of Output: unformatted<br />
Logfiles for Host: server.example.com<br />
##################################################################<br />
--------------------- Selinux Audit Begin ------------------------<br />
Number of audit daemon stops: 1<br />
---------------------- Selinux Audit End -------------------------<br />
<br />
--------------------- Disk Space Begin ------------------------<br />
Filesystem Size Used Avail Use% Mounted on<br />
/dev/mapper/vg_server-lv_root<br />
50G 3.8G 43G 9% /<br />
/dev/sda1 477M 28M 424M 7% /boot<br />
/dev/mapper/vg_server-lv_home<br />
12G 31M 11G 1% /home<br />
---------------------- Disk Space End -------------------------<br />
###################### Logwatch End #########################<br />
/etc/logwatch/conf/logwatch.conf<br />
<br />
# vi /etc/logwatch/conf/logwatch.conf<br />
Range = Today<br />
logwatch --print <br />
<br />
6 <br />
<br />
6.1 <br />
<br />
<br />
OS <br />
<br />
6.1.1 <br />
CentOS /var/log <br />
<br />
<br />
messages<br />
secure<br />
maillog<br />
dmesg<br />
<br />
<br />
<br />
<br />
<br />
6.1.2 <br />
<br />
<br />
• /var/log/messages <br />
• /var/log/secure <br />
• /var/log/maillog <br />
• Web /var/log/httpd/error_log <br />
6.1.3 dmesg <br />
dmesg display message<strong>Linux</strong> <br />
<br />
<br />
dmesg <br />
<br />
# dmesg<br />
Initializing cgroup subsys cpuset<br />
Initializing cgroup subsys cpu<br />
Linux version 2.6.32-504.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Wed Oct 15 04:27:16 UTC 2014<br />
Command line: ro root=/dev/mapper/vg_server-lv_root rd_LVM_LV=vg_server/lv_swap rd_NO_LUKS rd_LVM_LV=vg_server/lv_root rd_NO_MD crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=jp106 LANG=ja_JP.UTF-8 rd_NO_DM rhgb quiet<br />
KERNEL supported cpus:<br />
Intel GenuineIntel<br />
AMD AuthenticAMD<br />
Centaur CentaurHauls<br />
Disabled fast string operations<br />
<br />
6.1.4 syslog <br />
syslog syslog<br />
<br />
syslog <br />
<br />
CentOS 6 syslog rsyslog <br />
rsyslog syslog syslogd syslog <br />
rsyslogReliable syslog<br />
TCP <br />
syslogd <br />
<br />
6.1.5 <br />
syslog facility<br />
priority<br />
<br />
<br />
<br />
<br />
<br />
<br />
auth<br />
authpriv<br />
cron<br />
daemon<br />
kern<br />
lpr<br />
mail<br />
news<br />
security<br />
syslog<br />
user<br />
uucp<br />
local0 local7<br />
<br />
loginsu <br />
<br />
cron at <br />
<br />
<br />
<br />
<br />
NetNews <br />
auth <br />
syslogd <br />
<br />
uucp <br />
facility<br />
<br />
<br />
debug<br />
info<br />
notice<br />
warning<br />
warn<br />
err<br />
error<br />
crit<br />
alert<br />
emerg<br />
panic<br />
none<br />
<br />
<br />
<br />
<br />
<br />
warning <br />
<br />
err <br />
<br />
<br />
<br />
emerg <br />
<br />
6.1.6 syslog <br />
syslog /etc/rsyslog.conf <br />
<br />
<br />
. <br />
syslog ,<br />
UUCP <br />
<br />
uucp,news.crit /var/log/spooler<br />
syslog <br />
<br />
mail.warning<br />
mail warning errcritalertemerg<br />
<br />
=<br />
mail.=warning<br />
mail warning <br />
none <br />
6.1.7 <br />
<br />
<br />
<br />
<br />
<br />
-<br />
<br />
<br />
Y<br />
<br />
*<br />
<br />
@ IP <br />
UDP syslog <br />
@@ IP <br />
TCP syslog <br />
6.1.8 syslog <br />
/etc/rsyslog.conf <br />
authpriv.* /var/log/secure<br />
authpriv*<br />
/var/log/secure <br />
*.info;mail.none;authpriv.none;cron.none /var/log/messages<br />
info /var/log/messages<br />
mailauthprivcron 3 none <br />
<br />
<br />
mail <br />
-<br />
<br />
authpriv.* /var/log/secure<br />
mail.* -/var/log/maillog<br />
cron.* /var/log/cron<br />
6.1.9 syslog <br />
<br />
iptables <br />
iptables /etc/sysconfig/iptables 22 ACCEPT<br />
REJECT<br />
# Firewall configuration written by system-config-firewall<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT<br />
-A INPUT -j LOG --log-level debug --log-prefix '[iptables_test]:' <br />
-A INPUT -j REJECT --reject-with icmp-host-prohibited<br />
-A FORWARD -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
iptables reload <br />
# service iptables reload<br />
iptables: Trying to reload firewall rules: [ OK ]<br />
/etc/rsyslog.conf kern/var/log/kern.log<br />
<br />
# vi /etc/rsyslog.conf<br />
# Log all kernel messages to the console.<br />
# Logging much else clutters up the screen.<br />
#kern.* /dev/console<br />
kern.* /var/log/kern.log <br />
rsyslog <br />
# service rsyslog restart<br />
: [ OK ]<br />
: [ OK ]<br />
iptables 80 <br />
Web <br />
/var/log/kern.log 80 <br />
# tail /var/log/kern.log<br />
Dec 25 14:54:16 server kernel: imklog 5.8.10, log source = /proc/kmsg started.<br />
Dec 25 14:54:50 server kernel: '[iptables_test]:'IN=eth0 OUT= MAC=00:1c:42:65:af:c4:00:1c:42:00:00:08:08:00 SRC=192.168.0.2 DST=192.168.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=24955 DF PROTO=TCP SPT=57191 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0<br />
6.1.10 UDP <br />
syslog syslog <br />
UDP <br />
/etc/rsyslog.conf 2 <br />
<br />
$ModLoad UDP $UDPServerRun <br />
UDP <br />
[root@server ~]# vi /etc/rsyslog.conf<br />
<br />
# Provides UDP syslog reception<br />
$ModLoad imudp #<br />
$UDPServerRun 514 #<br />
rsyslog rsyslogd UDP 514 <br />
<br />
[root@server ~]# service rsyslog restart<br />
: [ OK ]<br />
: [ OK ]<br />
[root@server ~]# lsof -i:514<br />
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME<br />
rsyslogd 9282 root 3u IPv4 134339 0t0 UDP *:syslog<br />
rsyslogd 9282 root 4u IPv6 134340 0t0 UDP *:syslog<br />
iptables UDP 514 <br />
<br />
6.1.11 TCP <br />
TCP UDP <br />
UDP <br />
<br />
TCP UDP <br />
syslog <br />
<br />
TCP <br />
syslog <br />
UDP <br />
/etc/rsyslog.conf 2 <br />
<br />
$ModLoad TCP $InputTCPServerRun<br />
TCP <br />
[root@server ~]# vi /etc/rsyslog.conf<br />
<br />
# Provides TCP syslog reception<br />
$ModLoad imtcp #<br />
$InputTCPServerRun 514 #<br />
rsyslog rsyslogd TCP 514 <br />
<br />
[root@server ~]# service rsyslog restart<br />
: [ OK ]<br />
: [ OK ]<br />
[root@server ~]# lsof -i:514<br />
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME<br />
rsyslogd 24138 root 1u IPv4 107209 0t0 TCP *:shell (LISTEN)<br />
rsyslogd 24138 root 3u IPv4 107202 0t0 UDP *:syslog<br />
rsyslogd 24138 root 4u IPv6 107203 0t0 UDP *:syslog<br />
rsyslogd 24138 root 8u IPv6 107210 0t0 TCP *:shell (LISTEN)<br />
shell /etc/services <br />
<br />
# grep 514 /etc/services<br />
shell 514/tcp cmd # no passwords used<br />
syslog 514/udp<br />
<br />
iptables TCP 514 <br />
<br />
6.1.12 syslog iptables <br />
syslog iptables TCP UDP 514 <br />
iptables <br />
[root@server ~]# service iptables stop<br />
iptables: ACCEPT filter [ OK ]<br />
iptables: : [ OK ]<br />
iptables: : [ OK ]<br />
/etc/sysconfig/iptables iptables <br />
Reject iptables <br />
reload <br />
[root@server ~]# vi /etc/sysconfig/iptables<br />
<br />
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT <br />
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT <br />
-A INPUT -j REJECT --reject-with icmp-host-prohibited<br />
6.1.13 syslog <br />
syslog syslog <br />
<br />
syslog rsyslog syslog<br />
<br />
syslog /etc/rsyslog.conf <br />
authpriv syslog <br />
@ UDP <br />
mail syslog <br />
@@ TCP <br />
# vi /etc/rsyslog.conf<br />
# The authpriv file has restricted access.<br />
authpriv.* /var/log/secure<br />
authpriv.* @192.168.0.10 <br />
# Log all the mail messages in one place.<br />
mail.* -/var/log/maillog<br />
mail.* @@192.168.0.10<br />
syslogrsyslog<br />
[root@client ~]# service rsyslog restart<br />
: [ OK ]<br />
: [ OK ]<br />
UDP <br />
syslog logger authpriv.debug <br />
<br />
[root@client ~]# logger -p authpriv.debug "This is auth log over UDP"<br />
syslog /var/log/secure <br />
[root@server ~]# tail -f /var/log/secure<br />
<br />
Dec 25 17:16:50 client root: This is auth log over UDP<br />
TCP <br />
syslog logger mail.debug <br />
<br />
[root@client ~]# logger -p mail.debug "This is mail log over TCP"<br />
syslog /var/log/maillog <br />
[root@server ~]# tail /var/log/maillog<br />
<br />
Dec 25 17:18:03 client root: This is mail log over TCP<br />
6.1.14 logrotate <br />
<br />
<br />
logrotate <br />
logrotate cron 1 1 /etc/cron.daily/logrotate <br />
/etc/logrotate.conf logrotate <br />
<br />
/etc/logrotate.d <br />
logrotate <br />
create [] [] []<br />
<br />
0755 <br />
<br />
nocreate<br />
create create <br />
copy/nocopy<br />
<br />
copytruncate/nocopytruncate<br />
copy create <br />
<br />
Oracle 10g R1/R2 alert <br />
alert_xx.log.1<br />
rotate <br />
a.log num 2<br />
a.log a.log.1 a.log.2 0 a.log <br />
start <br />
1 <br />
num 5 a.log a.log.5 a.log.6 <br />
extension <br />
<br />
.baksome.log some.log.1.bak<br />
<br />
compress/nocompress<br />
nocompress<br />
compresscmd <br />
gzip <br />
uncompresscmd <br />
gunzip <br />
compressoptions <br />
gzip -9<br />
-9 -s<br />
compressext <br />
<br />
<br />
delaycompress/nodelaycompress<br />
<br />
olddir /noolddir<br />
<br />
<br />
mail address/nomail<br />
address maillast <br />
<br />
maillast<br />
<br />
mailfirst<br />
<br />
daily/weekly/monthly<br />
// daily weekly <br />
1 <br />
size [K/M]<br />
daily,weekly<br />
KM<br />
ifempty/notifempty<br />
<br />
missingok/nomissingok<br />
<br />
<br />
firstaction<br />
prerotate <br />
<br />
prerotate<br />
firstaction <br />
<br />
postrotate<br />
lastaction <br />
<br />
lastaction<br />
postrotate <br />
<br />
sharedscripts<br />
prerotatepostrotate <br />
<br />
nosharedscripts<br />
prerotatepostrotate <br />
<br />
include <br />
include <br />
<br />
<br />
tabooext [+] [, ,...]<br />
include <br />
.rpmorig.rpmsave,v.swp.rpmnew~.cfsaved.rhn-cfg-tmp-*<br />
+ + <br />
<br />
6.1.15 <br />
/etc/logrotate.d/httpd <br />
# cat /etc/logrotate.d/httpd<br />
/var/log/httpd/*log {<br />
missingok<br />
notifempty<br />
sharedscripts<br />
delaycompress<br />
postrotate<br />
/sbin/service httpd reload > /dev/null 2>/dev/null || true<br />
endscript<br />
}<br />
<br />
/var/log/httpd log <br />
access_logerror_log <br />
<br />
• 1 missingok <br />
<br />
• 2 notifempty <br />
• 3 sharedscripts prerotate,postrotate <br />
• 4 delaycompress <br />
• 5 "postrotate""endscript"<br />
service httpd reload <br />
<br />
6.2 <br />
<br />
<br />
• ping<br />
• traceroute<br />
• netstat<br />
• tcpdump<br />
• Wireshark<br />
<br />
<br />
1. <br />
2. ping IP <br />
3. telnet TCP <br />
4. netstat <br />
5. <br />
6.2.1 ping IP <br />
ping ping <br />
ICMP IP ping <br />
<br />
<br />
IP iptables <br />
ICMP <br />
ping <br />
<br />
<br />
<br />
<br />
traceroute traceroute<br />
ICMP ICMP <br />
<br />
6.2.2 telnet TCP <br />
telnet 2 <br />
TCP <br />
telnet IP <br />
telnet <br />
<br />
# yum install telnet<br />
<br />
<br />
iptables <br />
<br />
iptables <br />
<br />
Listen <br />
127.0.0.1 Listen IP <br />
<br />
netstat lsof <br />
6.2.3 netstat <br />
netstat IP <br />
<br />
netstat -p <br />
# netstat -anp | grep sshd<br />
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1493/sshd<br />
<br />
• sshd ID 1493 <br />
• TCP 22 LISTEN <br />
• 22 IP 0.0.0.0:22<br />
• 0.0.0.0:*<br />
6.2.4 <br />
<br />
<br />
<br />
tcpdump GUI <br />
Wireshark <br />
6.2.5 tcpdump <br />
tcpdump <br />
<br />
tcpdump <br />
<br />
-i eth0 <br />
<br />
tcpdump tcpdump.out <br />
<br />
# tcpdump -i eth0 > tcpdump.out<br />
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br />
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<br />
SSH <br />
Ctrl+C tcpdump <br />
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<br />
^C216 packets captured Ctrl+C <br />
216 packets received by filter<br />
0 packets dropped by kernel<br />
tcpdump.out <br />
# grep ssh tcpdump.out<br />
13:17:06.041096 IP client.example.com.43880 > server.example.com.ssh: Flags [S], seq 4050960604, win 14600, options [mss 1460,sackOK,TS val 13231 ecr 0,nop,wscale 6], length 0<br />
13:17:06.041125 IP server.example.com.ssh > client.example.com.43880: Flags [S.], seq 3335753529, ack 4050960605, win 14480, options [mss 1460,sackOK,TS val 22019990 ecr 13231,nop,wscale 6], length 0<br />
13:17:06.041240 IP client.example.com.43880 > server.example.com.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 13231 ecr 22019990], length 0<br />
) IP . .<br />
SYN)<br />
<br />
1 <br />
43880 22ssh SYN TCP <br />
<br />
2 <br />
1 SYN+ACK TCP <br />
3 <br />
ACK TCP TCP <br />
<br />
6.2.6 Wireshark <br />
tcpdump <br />
<br />
GUI Wireshark <br />
<br />
<br />
Wireshark GUI wireshark-gnome <br />
<br />
# yum install wireshark-gnome<br />
1. Wireshark <br />
2. CentOS GUI wireshark <br />
Wireshark Network Analyzer<br />
# wireshark &<br />
2. <br />
6.1<br />
CaptureInterfaces<br />
CaptureInterfaces<br />
3. <br />
6.2<br />
eth0 <br />
eth0 Start<br />
<br />
4. Web <br />
5. Web <br />
Web <br />
5. <br />
6.CaptureStop<br />
6. <br />
6.3<br />
http <br />
Filter:httpEnter <br />
Hypertext Transfer Protocol<br />
HTTP <br />
6.3 <br />
OS <br />
<br />
<br />
<br />
6.3.1 <br />
<strong>Linux</strong> 1 <br />
root <br />
3 5 <br />
<br />
GRUB <br />
1. 5 <br />
GRUB <br />
2. e kernel <br />
e single 1<br />
3. Enter <br />
4. b <br />
6.4<br />
<br />
5. root <br />
fsck <br />
<br />
6. exit <br />
6.3.2 DVD <br />
OS <br />
DVD <br />
<br />
1. CentOS DVD BIOS <br />
DVD <br />
2. Rescue installed system<br />
6.5<br />
<br />
3. Language<br />
6.6<br />
Language <br />
6.7<br />
<br />
6.8<br />
<br />
4. /mnt/sysimage <br />
Read-Only<br />
Continue<br />
6.9<br />
Continue <br />
5. /mnt/sysimage <br />
6.10<br />
/mnt/sysimage <br />
6. shellfakd First<br />
Aid Kit reboot<br />
shell<br />
6.11<br />
shell <br />
7. bash /mnt/sysimage <br />
<br />
6.12<br />
<br />
8. fsck <br />
exit <br />
9.reboot DVD DVD <br />
<br />
6.13<br />
reboot <br />
7 <br />
CentOS 7 <br />
7.1 CentOS 7 <br />
CentOS 6 CentOS<br />
7 <br />
CentOS 7 CentOS<br />
7 <br />
• SysV init systemd <br />
• journald <br />
• firewalld <br />
NetworkManager CentOS 6 <br />
CUI NetworkManager nmtui <br />
7.2 SysV init systemd <br />
CentOS 7 SysV init Upstart <strong>Linux</strong> <br />
systemd/etc/rc.d <br />
<br />
systemd <br />
7.2.1 <br />
systemd <br />
<br />
<br />
<br />
SysV init <br />
<br />
1 <br />
<br />
systemd <br />
<br />
<br />
<br />
service<br />
target<br />
mount<br />
swap<br />
device<br />
<br />
<br />
<br />
<br />
<br />
<br />
7.2.2 <br />
systemd systemctl <br />
service <br />
Web systemctl <br />
<br />
<br />
systemctl start <br />
# systemctl start httpd<br />
<br />
systemctl status <br />
systemd cgroup <strong>Linux</strong> <br />
cgroup CPU <br />
<br />
# systemctl status httpd<br />
httpd.service - The Apache HTTP Server<br />
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)<br />
Active: active (running) since 2015-01-28 15:23:50 JST; 33s ago<br />
Main PID: 2926 (httpd)<br />
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"<br />
CGroup: /system.slice/httpd.service<br />
2926 /usr/sbin/httpd -DFOREGROUND<br />
2927 /usr/sbin/httpd -DFOREGROUND<br />
2928 /usr/sbin/httpd -DFOREGROUND<br />
2929 /usr/sbin/httpd -DFOREGROUND<br />
2930 /usr/sbin/httpd -DFOREGROUND<br />
2931 /usr/sbin/httpd -DFOREGROUND<br />
1 28 15:23:50 centos7.example.com httpd[2926]: AH00557: httpd: apr_socka<br />
d...<br />
1 28 15:23:50 centos7.example.com httpd[2926]: AH00558: httpd: Could not<br />
...<br />
1 28 15:23:50 centos7.example.com systemd[1]: Started The Apache HTTP Se<br />
r...<br />
Hint: Some lines were ellipsized, use -l to show in full.<br />
<br />
systemctl restart <br />
# systemctl restart httpd<br />
# systemctl status httpd<br />
httpd.service - The Apache HTTP Server<br />
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)<br />
Active: active (running) since 2015-01-28 15:24:40 JST; 2s ago<br />
Process: 2945 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)<br />
Main PID: 2950 (httpd)<br />
<br />
<br />
systemctl stop <br />
# systemctl stop httpd<br />
# systemctl status httpd<br />
httpd.service - The Apache HTTP Server<br />
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)<br />
Active: inactive (dead)<br />
7.2.3 <br />
systemd systemctl list-unit-files <br />
<br />
# systemctl list-unit-files<br />
-t <br />
<br />
service systemctl <br />
chkconfig --list <br />
# systemctl list-unit-files -t service<br />
STATE<br />
<br />
enabled<br />
disabled<br />
static<br />
<br />
<br />
<br />
<br />
7.2.4 <br />
systemctl list-units systemctl <br />
<br />
<br />
# systemctl list-units<br />
# systemctl<br />
-t service <br />
# systemctl -t service<br />
UNIT LOAD ACTIVE SUB DESCRIPTION<br />
abrt-ccpp.service loaded active exited Install ABRT coredump hook<br />
abrt-oops.service loaded active running ABRT kernel log watcher<br />
abrt-xorg.service loaded active running ABRT Xorg log watcher<br />
abrtd.service loaded active running ABRT Automated Bug Reporting<br />
alsa-state.service loaded active running Manage Sound Card State (rest<br />
atd.service loaded active running Job spooling tools<br />
<br />
kdump.service loaded failed failed Crash recovery kernel arming<br />
<br />
<br />
<br />
UNIT<br />
LOAD<br />
ACTIVE<br />
SUB<br />
DESCRIPTION<br />
<br />
<br />
systemd <br />
active inactive <br />
running exited<br />
<br />
ACTIVE active <br />
inactive --all <br />
LOAD systemctl mask masked <br />
<br />
ACTIVE failed <br />
kdump<br />
7.2.5 <br />
-t device <br />
# systemctl list-units -t device<br />
UNIT LOAD ACTIVE SUB DESCRIPTION<br />
sys-devices-pci0000:00-0000:00:05.0-virtio0-net-eth0.device loaded active plugged Virtio network device<br />
sys-devices-pci0000:00-0000:00:1f.2-ata3-host2-target2:0:0-2:0:0:0-block-sda-sda1.device loaded active plugged CentOS_7-0_SSD<br />
<br />
7.2.6 <br />
-t mount <br />
# systemctl list-units -t mount<br />
UNIT LOAD ACTIVE SUB DESCRIPTION<br />
-.mount loaded active mounted /<br />
boot.mount loaded active mounted /boot<br />
dev-hugepages.mount loaded active mounted Huge Pages File System<br />
dev-mqueue.mount loaded active mounted POSIX Message Queue File Syst<br />
home.mount loaded active mounted /home<br />
<br />
7.2.7 <br />
-t swap <br />
# systemctl list-units -t swap<br />
UNIT LOAD ACTIVE SUB DESCRIPTION<br />
dev-dm\x2d0.swap loaded active active /dev/dm-0<br />
<br />
7.2.8 <br />
systemctl enable <br />
chkconfig <br />
Web /usr/lib/systemd/system/httpd.service<br />
Web systemctl enable <br />
/etc/systemd/system/multi-user.target.wants <br />
<br />
multi-user.target <br />
SysV init /etc/init.d <br />
/etc/rc.d <br />
<br />
# systemctl enable httpd<br />
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'<br />
systemctl disable <br />
<br />
# systemctl disable httpd<br />
rm '/etc/systemd/system/multi-user.target.wants/httpd.service'<br />
7.2.9 systemd <br />
systemctl mask systemd <br />
<br />
/etc/systemd/system/httpd.service /dev/null <br />
<br />
Web systemd <br />
# systemctl mask httpd<br />
ln -s '/dev/null' '/etc/systemd/system/httpd.service'<br />
# systemctl start httpd<br />
Failed to issue method call: Unit httpd.service is masked.<br />
systemctl is-enabled httpd masked<br />
<br />
# systemctl is-enabled httpd<br />
masked<br />
systemctl unmask <br />
systemd httpd disabled <br />
# systemctl unmask httpd<br />
rm '/etc/systemd/system/httpd.service'<br />
# systemctl is-enabled httpd<br />
disabled<br />
7.2.10 systemd <br />
systemd <br />
systemctl enable systemd <br />
2 <br />
/usr/lib/systemd/system <br />
/etc/rc.d/init.d <br />
/etc/systemd/system <br />
/etc/rc.d <br />
<br />
systemd /etc/systemd/system <br />
<br />
<br />
<br />
<br />
1. /etc/systemd/system/sysinit.target.wants/<br />
rc.sysinit <br />
2. /etc/systemd/system/basic.target.wants/<br />
<br />
3. /etc/systemd/system/multi-user.target.wants/<br />
3CUI<br />
4. /etc/systemd/system/graphical.target.wants/<br />
5GUI<br />
SysV init 3 5 systemd multi-user.target<br />
graphical.target <br />
<br />
7.2.11 <br />
systemd <br />
CUI <br />
GUI <br />
systemctl set-default SysV init<br />
/etc/inittab initdefault<br />
<br />
systemctl get-default <br />
# systemctl get-default<br />
graphical.target<br />
CUI <br />
multi-user.target CUI <br />
<br />
# systemctl set-default multi-user.target<br />
# reboot<br />
GUI <br />
GUI systemctl set-default <br />
# systemctl set-default graphical.target<br />
# reboot<br />
7.2.12 <br />
systemd systemctl isolate <br />
SysV init telinit <br />
GUI CUI GUI <br />
# systemctl isolate multi-user.target<br />
CUI GUI <br />
# systemctl isolate graphical.target<br />
7.3 journald <br />
systemd journald syslog <br />
<br />
7.3.1 journald <br />
journald journalctl <br />
<br />
dmesg <strong>Linux</strong> <br />
<br />
# journalctl<br />
-- Logs begin at 2015-01-28 17:29:04 JST, end at 2015-01-28 17:29:38 JST.<br />
1 28 17:29:04 centos7.example.com systemd-journal[149]: Runtime journal is us<br />
1 28 17:29:04 centos7.example.com systemd-journal[149]: Runtime journal is us<br />
<br />
-u <br />
httpd <br />
# journalctl -u httpd<br />
-- Logs begin at 2015-01-28 17:29:04 JST, end at 2015-01-28 17:31:34 JST.<br />
1 28 17:31:28 centos7.example.com systemd[1]: Starting The Apache HTTP Server<br />
1 28 17:31:34 centos7.example.com httpd[2232]: AH00557: httpd: apr_sockaddr_i<br />
1 28 17:31:34 centos7.example.com httpd[2232]: AH00558: httpd: Could not reli<br />
1 28 17:31:34 centos7.example.com systemd[1]: Started The Apache HTTP Server.<br />
7.3.2 journald <br />
journald journald <br />
/etc/systemd/journald.conf Storage auto <br />
<br />
1. /var/log/journal <br />
2. /var/log/journal /run/log/journal<br />
<br />
/var/log/journal /run/log/journal <br />
/run/log/journal tmpfs <br />
<br />
journald /var/log/journal<br />
<br />
# mkdir /var/log/journal<br />
# chmod 700 /var/log/journal<br />
# reboot<br />
<br />
# ls -l /var/log/journal/<br />
0<br />
drwxr-sr-x. 2 root systemd-journal 49 1 28 14:53 3b71b9857a284561a3450996bf78a306<br />
# ls -l /var/log/journal/3b71b9857a284561a3450996bf78a306/<br />
16392<br />
-rw-r-----. 1 root root 8388608 1 28 14:56 system.journal<br />
-rw-r-----+ 1 root systemd-journal 8388608 1 28 14:55 user-42.journal<br />
7.4 firewalld <br />
CentOS 7 <strong>Linux</strong> iptables firewalld<br />
firewalld <br />
<br />
iptables <br />
7.4.1 firewalld <br />
firewalld <br />
firewall-cmd <br />
--get-default-zone public <br />
<br />
# firewall-cmd --get-default-zone<br />
public<br />
public DHCP SSH <br />
# firewall-cmd --list-all<br />
public (default, active)<br />
interfaces: eth0<br />
sources:<br />
services: dhcpv6-client ssh<br />
ports:<br />
masquerade: no<br />
forward-ports:<br />
icmp-blocks:<br />
rich rules:<br />
--list-services <br />
<br />
# firewall-cmd --list-services<br />
dhcpv6-client ssh<br />
<br />
<br />
# firewall-cmd --get-services<br />
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https<br />
7.4.2 firewalld HTTP <br />
firewalld HTTP <br />
--add-service <br />
--permanent /etc/firewalld/zones/public.xml<br />
HTTP <br />
# firewall-cmd --add-service=http --permanent<br />
success<br />
# firewall-cmd --list-services<br />
dhcpv6-client http ssh<br />
# cat /etc/firewalld/zones/public.xml<br />
<br />
<br />
Public<br />
For use in public areas. You do not trust the other computers<br />
on networks to not harm your computer. Only selected incoming connections<br />
are accepted.<br />
<br />
<br />
<br />
<br />
Web Web <br />
# systemctl start httpd<br />
7.4.3 iptables <br />
firewalld iptables <br />
# systemctl stop firewalld<br />
# systemctl disable firewalld<br />
# systemctl enable iptables<br />
# systemctl start iptables<br />
firewalld <br />
# systemctl stop iptables<br />
# systemctl disable iptables<br />
# systemctl enable firewalld<br />
# systemctl start firewalld<br />
*NetworkManager nmtui<br />
CentOS 7 NetworkManager <br />
NetworkManager GUI CUI <br />
<br />
7.1<br />
GUI NetworkManager <br />
GUI <br />
<br />
7.2<br />
CUI NetworkManager <br />
CUI nmtui <br />
IP <br />
<strong>Linux</strong> <br />
2015 4 16 v1.0.0 <br />
LPI-Japan <br />
(C) 2015 LPI-Japan