
创建用户帐户

创建下列用户、组和组成员资格:

名为 sysmgrs 的组

用户 natasha,作为次要组从属于 sysmgrs

用户 harry,作为次要组还从属于 sysmgrs

用户 sarah,无权访问系统上的交互式 shell,且不是 sysmgrs 的成员

natasha、harry、sarah 的密码应当都是 flectrag

[root@node1 ~]# groupadd sysmgrs
[root@node1 ~]# tail /etc/group
...
sysmgrs:x:1005:
[root@node1 ~]# useradd -G sysmgrs natasha
[root@node1 ~]# useradd -G sysmgrs harry
[root@node1 ~]# useradd -s /sbin/nologin sarah
[root@node1 ~]# tail /etc/passwd
...
natasha:x:1005:1006::/home/natasha:/bin/bash
harry:x:1006:1007::/home/harry:/bin/bash
sarah:x:1007:1008::/home/sarah:/sbin/nologin
[root@node1 ~]# tail /etc/group
...
sysmgrs:x:1005:natasha,harry
natasha:x:1006:
harry:x:1007:
sarah:x:1008:
[root@node1 ~]# for i in natasha harry sarah; do echo flectrag | passwd --stdin $i; done
Changing password for user natasha.
passwd: all authentication tokens updated successfully.
Changing password for user harry.
passwd: all authentication tokens updated successfully.
Changing password for user sarah.
passwd: all authentication tokens updated successfully.
[root@node1 ~]# ssh natasha@localhost id
natasha@localhost's password:
uid=1005(natasha) gid=1006(natasha) groups=1006(natasha),1005(sysmgrs) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

调试 SELinux

非标准端口 82 上运行的 Web 服务器在提供内容时遇到问题。根据需要调试并解决问题,使其满足以下条件:

系统上的 Web 服务器能够提供 /var/www/html 中所有现有的 HTML 文件(注:不要删除或以其他方式改动现有的文件内容)

Web 服务器在端口 82 上提供此内容

Web 服务器在系统启动时自动启动

[root@node1 ~]# systemctl is-active httpd.service 
failed
[root@node1 ~]# systemctl status httpd.service
...
clear.domain250.example.com httpd[821]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:82
clear.domain250.example.com httpd[821]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:82
clear.domain250.example.com httpd[821]: no listening sockets available, shutting down
...
[root@node1 ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing httpd from name_bind access on the tcp_socket port 82.

***** Plugin bind_ports (99.5 confidence) suggests ************************

If you want to allow httpd to bind to network port 82
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 82
where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.
...
[root@node1 ~]# semanage port -l | grep "http"
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@node1 ~]# semanage port -a -t http_port_t -p tcp 82
[root@node1 ~]# semanage port -l | grep "http_port_t"
http_port_t tcp 82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
[root@node1 ~]# systemctl enable --now httpd.service
[root@node1 ~]# systemctl is-active httpd.service; systemctl is-enabled httpd.service
active
enabled
[root@node1 ~]# ss -ntlp | grep ":82"
LISTEN 0 128 *:82 *:* users:(("httpd",pid=25751,fd=4),("httpd",pid=25750,fd=4),("httpd",pid=25749,fd=4),("httpd",pid=25747,fd=4))
[root@node1 ~]# curl http://localhost:82
...
<title>Test Page for the Apache HTTP Server on Red Hat Enterprise Linux</title>
...
[kiosk@foundation0 ~]$ curl http://172.25.250.100:82
curl: (7) Failed to connect to 172.25.250.100 port 82: No route to host
[root@node1 ~]# firewall-cmd --get-default-zone 
public
[root@node1 ~]# firewall-cmd --permanent --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@node1 ~]# firewall-cmd --permanent --zone=public --add-port=82/tcp
success
[root@node1 ~]# firewall-cmd --reload
success
[root@node1 ~]# firewall-cmd --permanent --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports: 82/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[kiosk@foundation0 ~]$ curl http://172.25.250.100:82
...
<title>Test Page for the Apache HTTP Server on Red Hat Enterprise Linux</title>
...
[root@node1 ~]# ls /var/www/html/
file1 file2 file3
[root@node1 ~]# curl http://localhost:82/file1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /file1
on this server.<br />
</p>
</body></html>
[root@node1 ~]# curl http://localhost:82/file2
EX200 Testing
[root@node1 ~]# curl http://localhost:82/file3
EX200 Testing
[root@node1 ~]# ls -lZ /var/www/html/
total 12
-rw-r--r--. 1 root root system_u:object_r:default_t:s0 14 Feb 19 11:56 file1
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file2
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file3
[root@node1 ~]# semanage fcontext -l | grep "/var/www"
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
...
/var/www/html/file1 all files system_u:object_r:default_t:s0
...
[root@node1 ~]# semanage fcontext -d /var/www/html/file1
[root@node1 ~]# restorecon -Rv /var/www/html/
Relabeled /var/www/html/file1 from system_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
[root@node1 ~]# ls -lZ /var/www/html/
total 12
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file1
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file2
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file3
[root@node1 ~]# curl http://localhost:82/file1
EX200 Testing

配置您的系统以使用默认存储库

YUM 存储库已可以从 http://foundation0.ilt.example.com/dvd/BaseOS 和 http://foundation0.ilt.example.com/dvd/AppStream 使用。配置您的系统,以将这些位置用作默认存储库

Option A

[root@node1 ~]# rpm -ivh http://foundation0.ilt.example.com/dvd/BaseOS/Packages/yum-utils-4.0.12-3.el8.noarch.rpm
Retrieving http://foundation0.ilt.example.com/dvd/BaseOS/Packages/yum-utils-4.0.12-3.el8.noarch.rpm
warning: /var/tmp/rpm-tmp.3ndcXQ: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:yum-utils-4.0.12-3.el8 ################################# [100%]
[root@node1 ~]# yum-config-manager --add-repo http://foundation0.ilt.example.com/dvd/BaseOS
Adding repo from: http://foundation0.ilt.example.com/dvd/BaseOS
[root@node1 ~]# yum-config-manager --add-repo http://foundation0.ilt.example.com/dvd/AppStream
Adding repo from: http://foundation0.ilt.example.com/dvd/AppStream
[root@node1 ~]# find / -name "*GPG-KEY*"
/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[root@node1 ~]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[root@node1 ~]# yum repolist all
repo id repo name status
foundation0.ilt.example.com_dvd_AppStream created by dnf config-manager from http://foundation0.ilt.example.com/dvd/AppStream enabled
foundation0.ilt.example.com_dvd_BaseOS created by dnf config-manager from http://foundation0.ilt.example.com/dvd/BaseOS enabled

Option B

[root@node1 ~]# man yum.conf 
[root@node1 ~]# vim /etc/yum.repos.d/defaults.repo
# defaults.repo
# Both repositories are fetched from the foundation0 server over plain http,
# so package integrity rests on gpgcheck=1 and the key named in gpgkey.
[BaseOS]
name=BaseOS
baseurl=http://foundation0.ilt.example.com/dvd/BaseOS
enabled=1
# Verify every package signature against the Red Hat release key below.
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[AppStream]
name=AppStream
baseurl=http://foundation0.ilt.example.com/dvd/AppStream
enabled=1
# Same signature check and key as BaseOS.
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

将 node1 配置为具有以下网络配置:

主机名:node1.domain250.example.com

IP 地址:172.25.250.100

子网掩码:255.255.255.0

网关:172.25.250.254

DNS服务器:172.25.250.254

# VM Control / node1 / Console_node1_VM
clear login: root
Password:
[root@clear ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:00:fa:0a brd ff:ff:ff:ff:ff:ff
[root@clear ~]# ip address show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:00:fa:0a brd ff:ff:ff:ff:ff:ff
inet 172.25.250.10/24 brd 172.25.250.255 scope global dynamic noprefixroute eth0
valid_lft 38785sec preferred_lft 38785sec
inet6 fe80::b3ba:2f60:8a37:f33e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[kiosk@foundation0 ~]$ ssh root@172.25.250.10
root@172.25.250.10's password:
[root@clear ~]# nmcli device status
DEVICE TYPE STATE CONNECTION
eth0 ethernet connected Wired connection 1
lo loopback unmanaged --
[root@clear ~]# nmcli connection show Wired\ connection\ 1
...
ipv4.method: auto
ipv4.dns: --
ipv4.addresses: --
ipv4.gateway: --
...
[root@clear ~]# nmcli connection modify Wired\ connection\ 1 ipv4.method manual ipv4.addresses 172.25.250.100/24 ipv4.gateway 172.25.250.254 ipv4.dns 172.25.250.254
[root@clear ~]# nmcli connection up Wired\ connection\ 1
[kiosk@foundation0 ~]$ ssh root@172.25.250.100
root@172.25.250.100's password:
[root@clear ~]# nmcli connection show Wired\ connection\ 1
ipv4.method: manual
ipv4.dns: 172.25.250.254
ipv4.addresses: 172.25.250.100/24
ipv4.gateway: 172.25.250.254
[root@clear ~]# ip address show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:00:fa:0a brd ff:ff:ff:ff:ff:ff
inet 172.25.250.100/24 brd 172.25.250.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::b3ba:2f60:8a37:f33e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@clear ~]# ip route
default via 172.25.250.254 dev eth0 proto static metric 100
172.25.250.0/24 dev eth0 proto kernel scope link src 172.25.250.100 metric 100
[root@clear ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search domain250.example.com
nameserver 172.25.250.254
[root@clear ~]# hostname
clear.domain250.example.com
[root@clear ~]# hostnamectl set-hostname node1.domain250.example.com
[root@clear ~]# cat /etc/hostname
node1.domain250.example.com

// Demonstrates a self-deadlock: a single-thread executor whose only worker
// blocks waiting on a task that can only ever run on that same worker.
final ExecutorService executorService = Executors.newSingleThreadExecutor();
executorService.submit(() -> {
  System.out.println("First");
  try {
    // Submitted to the same single-thread pool from inside its only worker:
    // the inner task is queued behind this one, and get() blocks this worker
    // indefinitely, so neither "Second" nor "Three" is ever printed.
    executorService.submit(() -> System.out.println("Second")).get();
  } catch (final InterruptedException | ExecutionException e) {
    e.printStackTrace();
  }
  System.out.println("Three");
});
// NOTE(review): no shutdown() of executorService appears in this excerpt,
// so even without the deadlock the worker thread would keep the JVM alive.

Deadlock! Step by step:

  • Task printing "First" is submitted to an idle single-threaded pool
  • This task begins execution and prints "First"
  • We submit an inner task printing "Second" to a thread pool
  • The inner task lands in a pending task queue - no threads are available since the only one is currently being occupied
  • We block waiting for the result of the inner task. Unfortunately while waiting for the inner task we hold the only available thread
  • get() will wait forever, because the inner task can never acquire the thread we are holding
  • Deadlock