
Linux-2012

2 CentOS 6.3 x64,


VLAN. - stud#-node1 stud#-node2.
node1 node2 .
- vSphere client,
. 172.25.4.48, stud#,
.
SELinux targeted enforcing.
.

1. root ,
.
,
GRUB, , , single 1,
.
- root.
- ,
root passwd.

2. node1 eth0 netdev0.


/etc/udev/rules.d/70-persistent-net.rules ,
eth0:
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:1f:xx:a1",
ATTR{type}=="1", KERNEL=="eth*", NAME="netdev0"
/etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE="netdev0"
,
/etc/sysconfig/network-scripts/ifcfg-eth0

/etc/sysconfig/network-scripts/ifcfg-netdev0

3. - 10.1.x.y
x - , y - (node1 = 1, node2 = 2)
, node1 stud141 IP- 10.1.141.1
10.1.x.250
/etc/sysconfig/network-scripts/ifcfg-netdev0 (node1)
/etc/sysconfig/network-scripts/ifcfg-eth0 (node2) :
BOOTPROTO=none ( static)
IPADDR=10.1.x.y
NETMASK=255.255.255.0
NETWORK=10.1.x.0
BROADCAST=10.1.x.255
GATEWAY=10.1.x.250
GATEWAY /etc/sysconfig/network.
4. .
.
-IP /etc/hosts. node1
/etc/nsswitch.conf, , immutable
chattr +i /etc/nsswitch.conf
5. ssh root.
.
- , :
ssh-keygen -t rsa
,
/root/.ssh/authorized_keys
cat id_rsa.pub >> authorized_keys
> >>. -,
.
ssh-copy-id.
6. node1 grp1 grp2, user1, user2, user3, user4.
user1 user2 grp1, user3 user4 - grp2.
. user1 ,
, ,
.
, .
chage -d 0 user1

.
7. node1 /pub. ,
/pub, . /pub
user1 user2. ,
/pub , .
.
SETGID-directory, .
mkdir /pub
chown root:grp1 /pub
chmod u=rwx,g=rws,o= /pub
SETGID (s) , , /pub,
, /pub, .. grp1.
, grp1 umask=0002,
g=rwx.
8. node1
/d01/public /d01/private ext4 1G .
/d01/private .
, .
.
.
fdisk/sfdisk/parted. ( )
LVM, volume group 2 1G:
pvcreate /dev/sda3
vgcreate newvg /dev/sda3
lvcreate -L 1G -n publicvol newvg
lvcreate -L 1G -n privatevol newvg
publicvol , privatevol LUKS-encrypted volume:
mkfs.ext4 /dev/newvg/publicvol
cryptsetup --verify-passphrase luksFormat /dev/newvg/privatevol
:
cryptsetup luksOpen /dev/newvg/privatevol private
mkfs.ext4 /dev/mapper/private
/dev/mapper/private c /etc/crypttab (
). /etc/fstab.
, LVM,
.

9. /d01/public, grp2
, grp1 ,
.
.7, .
, ACL
/d01/public user_xattr,acl ( /etc/fstab).
,
:
chown root:root /d01/public
chmod 0750 /d01/public
:
setfacl -m g:grp2:rwx,g:grp1:rx /d01/public
, , default acl (
):
setfacl -m d:g:grp2:rwx,d:g:grp1:rx /d01/public

10. node1 /clone,


, /d01/public.
. ,
grp2 , .
mkdir /clone
mount --bind /d01/public /clone
/etc/fstab
11. node1 /d01 NFS
. , node2.
, /d01
, .
/etc/exports /d01, /d01/public /d01/private.
/d01 nohide,
(man 5 exports)
, , :
rpcbind:ALL
/etc/hosts.deny node2.

chkconfig nfs on
NFS . , , ..
:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


iptables -A INPUT -m state --state NEW -j ACCEPT

12. node1 /d01/public /usr/share/doc.


, /d01/public some (
) any. , some , .
find sed
, some .
, some ,
, some
. \b (word
boundaries), , :
find /d01/public -type f -exec sed -i 's/\bsome\b/any/g' {} \;
13. node1 .12 root
15 20 23 .
cron:
yum install cronie
crontab :
*/15 * 20-23 * * 4,6
*/15 * 20-23 * * wed,fri

14. node1 grp1


, .
sudo, /etc/sudoers ( visudo) :
%grp1 ALL=NOPASSWD:/usr/bin/renice

15. node2 2
iSCSI node1. node1
.
LVM ( .8) 2 ( , ,
). node2 scsi-target-utils. /etc/tgt/targets.conf:
<target iqn.2012-12.bla-bla-bla:target0>
backing-store /dev/newvg/iscsi-vol
</target>
tgtd :
service tgtd restart
chkconfig tgtd on

iscsi-target 3260/tcp iptables.


node1 , iscsi-initiator-utils, target:
iscsiadm -m discovery -t st -p 10.1.x.2:3260
Starting iscsid:
[ OK ]
10.1.x.2:3260,1 iqn.2012-12.com.example:server.target0
, :
fdisk -l

16. node2 , .14,


.
LVM ( ),
paging space:
mkswap /dev/newvg/swapvol
:
swapon /dev/newvg/swapvol
swapon -s
/etc/fstab.

17. node2 web- www.example.com www.test.net. www.example.com


8088 , www.test.net - 8088 443. web-
.
httpd mod_ssl. /etc/httpd/conf/httpd.conf :
Listen 8088
NameVirtualHost *:8088

virtual hosts (
httpd.conf):
<VirtualHost *:8088>
ServerName www.example.com
</VirtualHost>
<VirtualHost *:8088>
ServerName www.test.net
</VirtualHost>

SSL- /etc/httpd/conf.d/ssl.conf:

Listen 443
<VirtualHost *:443>
ServerName www.test.net:443
.
SELinux targeted enforcing, apache 8088,
:
semanage port -l | grep -w http_port_t
http_port_t
tcp 8080, 80, 443, 488, 8008, 8009, 8443
http_port_t ( semanage
policycoreutils-python, ):
semanage port -a -t http_port_t -p tcp 8088
apache :
service httpd start
chkconfig httpd on
8088 443.

18. node2 tcp/8088 , 3


IP-.
iptables recent. :
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8088 -m recent --name HTTP --update --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8088 -m recent --name HTTP --set
19. node2 warn ,
node1.
node1 /etc/rsyslog.conf:
*.warn @@10.1.x.2:514
rsyslog.
node2 /etc/rsyslog.conf , :
$ModLoad imtcp
$InputTCPServerRun 514
tcp/514 rsyslog.
, UDP.

20. node2 NTP ,


, node1 node2.
ntp. node2 /etc/ntp.conf
, node1:
restrict 10.1.x.1 nomodify notrap
. udp/123.
node1 :
server 10.1.x.2
ntp .