初探centos7-安装 一、安装 1、新的安装界面 2、新的分区方式 默认为xfs分区,支持分区容量从ext4的16T扩大到500T 二、进入系统 1、系统版本 [root@local ~]# cat /etc/system-release CentOS Linux release 7.2.1511 (Core) 2、内核升级为3.10 [root@local ~]# uname -r 3.10.0-327.el7.x86_64 3、runlevel改变 [root@local ~]# ll /etc/systemd/system/default.target lrwxrwxrwx. 1 root root 37 Dec 29 15:19 /etc/systemd/system/default.target -> /lib/systemd/system/multi-user.target 4、hostname配置变化 [root@local ~]# cat /etc/hostname local.centos7.test [root@local ~]# hostnamectl status Static hostname: local.centos7.test Icon name: computer-vm Chassis: vm Machine ID: de4091fb34364f4ab7266b983f8dc1cb Boot ID: e32ee2c43e004aae87a0837665f05c3b Virtualization: kvm Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.10.0-327.el7.x86_64 Architecture: x86-64 5、/bin,/sbin,/lib,/lib64 的路径改变 [root@local ~]# ls / -l |sort |grep -E 'bin|lib' lrwxrwxrwx. 1 root root 7 Dec 29 15:12 bin -> usr/bin lrwxrwxrwx. 1 root root 7 Dec 29 15:12 lib -> usr/lib lrwxrwxrwx. 1 root root 8 Dec 29 15:12 sbin -> usr/sbin lrwxrwxrwx. 1 root root 9 Dec 29 15:12 lib64 -> usr/lib64 6、free 的格式改变 [root@local ~]# free -m total used free shared buff/cache available Mem: 1838 105 1172 8 560 1564 Swap: 2047 0 2047 7、用户id从1000开始 [root@local ~]# useradd Jack [root@local ~]# id Jack uid=1000(Jack) gid=1000(Jack) groups=1000(Jack) 8、限制使用su 先看看Jack能否su root: [root@sz-local-vm41 ~]# su Jack [Jack@local root]$ su Password: [root@local ~]# exit exit [Jack@local root]$ exit exit 看起来一切如旧,开始调整配置 [root@sz-local-vm41 ~]# vim /etc/pam.d/su # Uncomment the following line to require a user to be in the "wheel" group. auth required pam_wheel.so use_uid 启用上面这行配置,再次测试 [root@sz-local-vm41 ~]# su Jack [Jack@local root]$ su Password: su: Permission denied 被拒绝,,符合预期 [Jack@local root]$ exit exit 9、升级了python版本 [root@local ~]# rpm -qa |grep python-2.7 python-2.7.5-34.el7.x86_64 三、使用 systemd 替代 service 和 chkconfig 来管理服务 1、类型和路径 Table 8.1. Available systemd Unit Types Unit Type File Extension Description Service unit .service A system service. Target unit .target A group of systemd units. Automount unit .automount A file system automount point. Device unit .device A device file recognized by the kernel. Mount unit .mount A file system mount point. Path unit .path A file or directory in a file system. Scope unit .scope An externally created process. Slice unit .slice A group of hierarchically organized units that manage system processes. Snapshot unit .snapshot A saved state of the systemd manager. Socket unit .socket An inter-process communication socket. Swap unit .swap A swap device or a swap file. Timer unit .timer A systemd timer. Table 8.2. Systemd Unit Locations Directory Description /usr/lib/systemd/system/ Systemd units distributed with installed RPM packages. /run/systemd/system/ Systemd units created at run time. This directory takes precedence over the directory with installed service units. /etc/systemd/system/ Systemd units created and managed by the system administrator. This directory takes precedence over the directory with runtime units. 2、使用 Service units(.service 结尾的文件)来替代原来在 /etc/rc.d/init.d/中配置的服务控制脚本 Table 8.3. Comparison of the service Utility with systemctl service systemctl Description service name start systemctl start name.service Starts a service. service name stop systemctl stop name.service Stops a service. service name restart systemctl restart name.service Restarts a service. service name condrestart systemctl try-restart name.service Restarts a service only if it is running. service name reload systemctl reload name.service Reloads configuration. service name status systemctl status name.service Checks if a service is running. systemctl is-active name.service service --status-all systemctl list-units --type service --all Displays the status of all services. Table 8.4. Comparison of the chkconfig Utility with systemctl chkconfig systemctl Description chkconfig name on systemctl enable name.service Enables a service. chkconfig name off systemctl disable name.service Disables a service. chkconfig --list name systemctl status name.service Checks if a service is enabled. systemctl is-enabled name.service chkconfig --list systemctl list-unit-files --type service Lists all services and checks if they are enabled. chkconfig --list systemctl list-dependencies --after Lists services that are ordered to start before the specified unit. chkconfig --list systemctl list-dependencies --before Lists services that are ordered to start after the specified unit. 3、禁用和启用服务 [root@local ~]# ls /etc/systemd/system/multi-user.target.wants/ abrt-ccpp.service abrt-oops.service abrt-xorg.service crond.service kdump.service postfix.service rsyslog.service tuned.service abrtd.service abrt-vmcore.service auditd.service irqbalance.service NetworkManager.service remote-fs.target sshd.service [root@local ~]# systemctl disable postfix.service Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service. [root@local ~]# ls /etc/systemd/system/multi-user.target.wants/ abrt-ccpp.service abrt-oops.service abrt-xorg.service crond.service kdump.service remote-fs.target sshd.service abrtd.service abrt-vmcore.service auditd.service irqbalance.service NetworkManager.service rsyslog.service tuned.service [root@local ~]# systemctl enable postfix.service Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service. 4、使用 Target unit (.target 结尾的文件)来组合不同运行级别上的 Service unit 的集合。 Table 8.6. Comparison of SysV Runlevels with systemd Targets Runlevel Target Units Description 0 runlevel0.target, poweroff.target Shut down and power off the system. 1 runlevel1.target, rescue.target Set up a rescue shell. 2 runlevel2.target, multi-user.target Set up a non-graphical multi-user system. 3 runlevel3.target, multi-user.target Set up a non-graphical multi-user system. 4 runlevel4.target, multi-user.target Set up a non-graphical multi-user system. 5 runlevel5.target, graphical.target Set up a graphical multi-user system. 6 runlevel6.target, reboot.target Shut down and reboot the system. 默认运行级别: [root@local ~]# systemctl get-default multi-user.target 列出当前的target [root@local ~]# systemctl list-units --type target 5、服务配置 [root@local ~]# cat /usr/lib/systemd/system/postfix.service [Unit] Description=Postfix Mail Transport Agent After=syslog.target network.target Conflicts=sendmail.service exim.service [Service] Type=forking PIDFile=/var/spool/postfix/pid/master.pid EnvironmentFile=-/etc/sysconfig/network ExecStartPre=-/usr/libexec/postfix/aliasesdb ExecStartPre=-/usr/libexec/postfix/chroot-update ExecStart=/usr/sbin/postfix start ExecReload=/usr/sbin/postfix reload ExecStop=/usr/sbin/postfix stop [Install] WantedBy=multi-user.target 四、常用服务 1、tigervnc yum install tigervnc-server cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service vim /etc/systemd/system/vncserver@.service 更新了用户和分辨率配置,主要是这两行: ExecStart=/usr/sbin/runuser -l root -c "/usr/bin/vncserver %i -geometry 1024x768" PIDFile=/root/.vnc/%H%i.pid systemctl daemon-reload systemctl start vncserver@:0.service systemctl enable vncserver@:0.service vncpasswd 2、防火墙 使用 Firewall 替代 iptables 来管理防火墙 停止和启动服务: [root@local ~]# systemctl stop firewalld.service [root@local ~]# systemctl start firewalld.service 列出: [root@local ~]# firewall-cmd --list-all 放行端口: [root@local ~]# firewall-cmd --zone=public --add-port=5900/tcp [root@local ~]# firewall-cmd --zone=public --remove-port=5900/tcp 配置持久化: [root@local ~]# firewall-cmd --zone=public --add-port=5900/tcp --permanent [root@local ~]# firewall-cmd --zone=public --remove-port=5900/tcp --permanent 查看配置: [root@local ~]# cat /etc/firewalld/zones/public.xml 3、http服务 1)服务 [root@local ~]# yum install httpd [root@local ~]# systemctl start httpd.service [root@local ~]# systemctl enable httpd.service 2)虚拟主机 [root@local ~]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d/vhosts.conf [root@local ~]# grep ^[^#] /etc/httpd/conf.d/vhosts.conf <VirtualHost *:80> ServerAdmin webmaster@office.test DocumentRoot "/var/www/html/office.test" ServerName office.test ServerAlias www.office.test ErrorLog "/var/log/httpd/office.test-error_log" CustomLog "/var/log/httpd/office.test-access_log" common </VirtualHost> [root@local ~]# systemctl restart httpd.service [root@local ~]# mkdir /var/www/html/office.test [root@local ~]# echo 'abc' > /var/www/html/office.test/index.html 更新防火墙配置: [root@local ~]# firewall-cmd --add-service http [root@local ~]# firewall-cmd --add-service http --permanent 测试: [root@tvm02 ~]# curl office.test abc 3)https SSL/TLS [root@local ~]# yum install mod_ssl openssl [root@local ~]# grep SSLProtocol /etc/httpd/conf.d/ssl.conf #SSLProtocol all -SSLv2 SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 [root@local ~]# systemctl restart httpd.service 测试: [root@local ~]# openssl s_client -connect 127.0.0.1:443 -ssl3 Secure Renegotiation IS NOT supported [root@local ~]# openssl s_client -connect 127.0.0.1:443 -tls1_2 Secure Renegotiation IS supported 使用已有的cert和key文件: [root@local ~]# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateKeyFile /etc/pki/tls/private/localhost.key 或,创建新的cert和key文件(发送给CA签名或自签名): [root@local ~]# yum install crypto-utils [root@local ~]# genkey hostname 跟着指引操作即可。 调整配置文件,指向对应的crt和key文件的路径 [root@local ~]# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf SSLCertificateFile /etc/pki/tls/certs/hostname.crt SSLCertificateKeyFile /etc/pki/tls/private/hostname.key [root@local ~]# systemctl restart httpd.service 更新防火墙配置: [root@local ~]# firewall-cmd --add-service https [root@local ~]# firewall-cmd --add-service https --permanent 更新配置: [root@local ~]# grep ^[^#] /etc/httpd/conf.d/vhosts.conf <VirtualHost *:443> ServerAdmin webmaster@office.test SSLEngine on SSLCertificateFile /etc/pki/tls/certs/n41.test.crt SSLCertificateKeyFile /etc/pki/tls/private/n41.test.key DocumentRoot "/var/www/html/office.test" ServerName office.test ServerAlias www.office.test ErrorLog "/var/log/httpd/office.test-443-error_log" CustomLog "/var/log/httpd/office.test-443-access_log" common </VirtualHost> [root@local ~]# systemctl restart httpd.service 测试: [root@tvm02 ~]# curl -k https://office.test abc 4、Chrony 和 NTP 1)启动Chrony [root@local ~]# yum install chrony 编辑配置,注释掉其他的server,增加一个本地server来测试 [root@local ~]# vim /etc/chrony.conf [root@local ~]# systemctl start chronyd [root@local ~]# systemctl status chronyd [root@local ~]# systemctl enable chronyd 2)检查同步 [root@local ~]# chronyc tracking [root@local ~]# chronyc sources [root@local ~]# chronyc sourcestats [root@local ~]# chronyc tracking 3)同步 启动服务时,将生成一个key,这里会用到: [root@local ~]# cat /etc/chrony.keys #1 a_key 1 SHA1 HEX:0981828C41097692E12DCBE377D3CAF06EE7A2CD 手动: [root@local ~]# chronyc chrony version 2.1.1 Copyright (C) 1997-2003, 2007, 2009-2015 Richard P. Curnow and others chrony comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the GNU General Public License version 2 for details. chronyc> authhash SHA1 chronyc> password HEX:0981828C41097692E12DCBE377D3CAF06EE7A2CD 200 OK chronyc> makestep 200 OK chronyc> exit 自动: [root@local ~]# chronyc -a makestep 4)NTP (略,和旧版本的使用方法大致上一致) 5)查看clocksource [root@local ~]# cd /sys/devices/system/clocksource/clocksource0/ [root@local clocksource0]# cat available_clocksource kvm-clock tsc acpi_pm [root@local clocksource0]# cat current_clocksource kvm-clock 五、监控和自动化 1、系统监控工具 1)块设备和文件系统 [root@local ~]# lsblk [root@local ~]# blkid [root@local ~]# blkid -po udev /dev/vda5 [root@local ~]# findmnt |grep '/data' [root@local ~]# df -h 2)硬件信息 [root@local ~]# lspci [root@local ~]# lspci -v [root@local ~]# lsusb [root@local ~]# lsusb -v [root@local ~]# lscpu 2、OpenLMI(Open Linux Management Infrastructure) 1)由以下3个部分组成: a)System management agents — Common Information Model providers or CIM providers. b)A standard object broker — is also known as a CIM Object Monitor or CIMOM. c)Client applications and scripts — call the system management agents through the standard object broker. Table 19.1. Available CIM Providers Package Name Description openlmi-account A CIM provider for managing user accounts. openlmi-logicalfile A CIM provider for reading files and directories. openlmi-networking A CIM provider for network management. openlmi-powermanagement A CIM provider for power management. openlmi-service A CIM provider for managing system services. openlmi-storage A CIM provider for storage management. openlmi-fan A CIM provider for controlling computer fans. openlmi-hardware A CIM provider for retrieving hardware information. openlmi-realmd A CIM provider for configuring realmd. openlmi-software A CIM provider for software management. 2)在 Managed System 上安装: yum install tog-pegasus yum install openlmi-{storage,networking,service,account,powermanagement} passwd pegasus systemctl start tog-pegasus.service systemctl enable tog-pegasus.service firewall-cmd --add-port 5989/tcp firewall-cmd --add-port 5989/tcp --permanent 3)在 Client System 上安装: yum install openlmi-tools 4)配置SSL/TLS Table 19.2. Certificate and Trust Store Locations Configuration Option Location Description sslCertificateFilePath /etc/Pegasus/server.pem Public certificate of the CIMOM. sslKeyFilePath /etc/Pegasus/file.pem Private key known only to the CIMOM. sslTrustStore /etc/Pegasus/client.pem The file or directory providing the list of trusted certificate authorities. 如果修改了上面的文件,需要重启服务: systemctl restart tog-pegasus.service 现在以自签名的证书来举例(机构签名的证书请参考文档:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Configuring-SSL-Certificates-for-OpenPegasus.html) 为了让 Client System 信任 自签名的证书,从 Managed System 上 拷贝 server.pem 到 Client System 上,下面以本机同时作为 Client System 和 Managed System 为例 [root@local ~]# scp root@127.0.0.1:/etc/Pegasus/server.pem /etc/pki/ca-trust/source/anchors/pegasus-local.centos7.test.pem 校验: [root@local ~]# sha1sum /etc/Pegasus/server.pem 26de58c7027a8a7177711d9fd4353ceafc545b57 /etc/Pegasus/server.pem [root@local ~]# sha1sum /etc/pki/ca-trust/source/anchors/pegasus-local.centos7.test.pem 26de58c7027a8a7177711d9fd4353ceafc545b57 /etc/pki/ca-trust/source/anchors/pegasus-local.centos7.test.pem 更新证书存储库 [root@local ~]# update-ca-trust extract 5)使用 LMISHELL [root@local ~]# lmishell > c = connect("local.centos7.test", "pegasus") password: > quit() 可以用 tab 键补齐命令。 如果是连接到本机的 CIMOM 可以直接连接unix socket: [root@local ~]# lmishell > c = connect("localhost") 验证 c 是否包含对象 LMIConnection > isinstance(c, LMIConnection) True 也可以用这种方法: > c is None False 还有不少命令行的用法请参考文档,大致是就是可以用脚本的方式组合命令来达到目的。 3、日志管理 1)rsyslog 新的版本使用了 RainerScript 语法 包括 input() 和 ruleset() 语句 示例-配置服务端 [root@local ~]# cat /etc/rsyslog.d/test.conf template(name="TmplAuthpriv" type="string" string="/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log" ) template(name="TmplMsg" type="string" string="/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log" ) module(load="imtcp") ruleset(name="remote1"){ authpriv.* action(type="omfile" DynaFile="TmplAuthpriv") *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg") } input(type="imtcp" port="514" ruleset="remote1") [root@local ~]# firewall-cmd --zone=public --add-port=514/tcp [root@local ~]# firewall-cmd --zone=public --add-port=514/tcp--permanent systemctl restart rsyslog.service 示例-配置客户端 [root@tvm02 ~]# cat /etc/rsyslog.d/test.conf # udp => @ip:port tcp => @@ip:port, default port=514 *.* @@server_ip #使用&连接另一个action来丢弃(~)上面过滤的消息(不保存到本地的syslog中) & ~ [root@tvm02 ~]# service rsyslog restart 示例-测试 [root@tvm02 ~]# logger 'hellllllllllllllllllllllllllllo' [root@tvm02 ~]# logger 'hellllllllllllllllllllllllllllllo' [root@local ~]# cat /var/log/remote/msg/tvm02/root.log Jan 7 13:49:11 tvm02 root: hellllllllllllllllllllllllllllo Jan 7 14:01:58 tvm02 root: hellllllllllllllllllllllllllllllo 2)journal 显示最近10条日志 [root@local ~]# journalctl -n 10 指定日志的格式 [root@local ~]# journalctl -n 10 -o verbose 滚动显示最近10条 [root@local ~]# journalctl -f 根据日志类型优先级筛选 [root@local ~]# journalctl -p err 根据时间来筛选,从当前系统引导的时间开始 [root@local ~]# journalctl -b 指定时间和优先级来筛选 [root@local ~]# journalctl -p warning --since="2016-1-6 23:59:59" 根据指定的key=value来筛选 [root@local ~]# journalctl _SYSTEMD_UNIT=crond.service 默认journal日志保存在内存或缓冲区中,如果要持久化保存,则: [root@local ~]# mkdir -p /var/log/journal [root@local ~]# systemctl restart systemd-journald 4、使用grub2 1)使用 grubby 来获取或调整menuentry的信息 [root@local ~]# grubby --default-kernel [root@local ~]# grubby --default-index [root@local ~]# grubby --info=ALL [root@local ~]# grubby --remove-args="rhgb quiet" --args=console=ttyS0,115200 --update-kernel=DEFAULT 2)grub2使用/etc/grub.d/目录下定义的脚本来生成menu 其中: 00_header:从文件 /etc/default/grub 加载了grub2的一些设置。 40_custom:新增的内核可以在这里定义,然后通过 grub2-mkconfig -o /boot/grub2/grub.cfg 生成新的grub配置 ZYXW、参考 1、rhel7 doc https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide 2、This page would list out some of the major differences between RHEL 7 and 6 variants and key features in RHEL 7 . http://simplylinuxfaq.blogspot.com/p/major-difference-between-rhel-7-and-6.html 3、apache http ssl http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html (责任编辑:IT) |