Set default permissions

For the user manalo on node1, all newly created files should have the default permissions -r--r--r--

All directories newly created by this user should have the default permissions dr-xr-xr-x

[root@node1 ~]# su - manalo
[manalo@node1 ~]$ umask
0002
[manalo@node1 ~]$ echo "umask 0222" >> .bashrc
[manalo@node1 ~]$ source .bashrc
[manalo@node1 ~]$ umask
0222
[manalo@node1 ~]$ touch tmpfile
[manalo@node1 ~]$ ls -l tmpfile
-r--r--r--. 1 manalo manalo 0 Feb 19 22:49 tmpfile
[manalo@node1 ~]$ mkdir tmpfolder
[manalo@node1 ~]$ ls -ld tmpfolder/
dr-xr-xr-x. 2 manalo manalo 6 Feb 19 22:50 tmpfolder/

Default file permissions

When a new file or directory is created, it is assigned initial permissions. Two factors affect these initial permissions. The first is whether you are creating a regular file or a directory. The second is the current umask.

If a new directory is created, the operating system first assigns it the octal permissions 0777 (drwxrwxrwx). If a new regular file is created, the operating system assigns it the octal permissions 0666 (-rw-rw-rw-).

However, the shell session also sets a umask, which further restricts the permissions that are set initially. The umask is an octal bitmask used to clear permissions on new files and directories created by the process. If a bit is set in the umask, the corresponding permission in the new file is cleared. For example, a umask of 0002 clears the write bit for other users. The leading zero indicates that the special, user, and group permissions are not cleared. A umask of 0077 clears all group and other permissions on newly created files.
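As an added example (not from the original notes), the shell functions below compute the mode a new file or directory receives for a given umask and then confirm the result by creating a real file and directory in a scratch directory. The task above corresponds to mode_after_umask 0666 0222 giving 0444 and mode_after_umask 0777 0222 giving 0555. Function names are this example's own. A umask line in .bashrc only affects shells that read .bashrc; files created by cron jobs or services running as the same user take the umask of whatever started them.

```shell
# Added example, not from the original notes: predict and verify the effect of a umask.

# mode_after_umask <base_octal> <umask_octal>
# Prints the mode the kernel assigns: base & ~umask. Bases are 0666 for regular
# files and 0777 for directories. The leading 0 makes the shell parse the digits as octal.
mode_after_umask() {
    base=$(( 0$1 ))
    mask=$(( 0$2 ))
    printf '%04o\n' $(( base & ~mask ))
}

# check_umask <umask_octal>
# Creates a file and a directory under the given umask in a temporary directory
# (so nothing in $HOME is touched) and prints the modes actually assigned.
# stat -c %a is GNU coreutils syntax.
check_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        touch "$tmp/f" && mkdir "$tmp/d"
    ) || { rm -rf "$tmp"; return 1; }
    printf 'file=%s dir=%s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

# Usage, matching the task for user manalo:
#   mode_after_umask 0666 0222   -> 0444 (-r--r--r--)
#   mode_after_umask 0777 0222   -> 0555 (dr-xr-xr-x)
#   check_umask 0222             -> file=444 dir=555
```

Run check_umask as the user in question to see what the kernel actually does rather than what the shell reports; the two differ when the umask was changed in a file the current shell never read.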

Configure the password policy for new users

When a new user is created, the default password policy is that the password expires after 20 days

[root@node1 ~]# man -k login
...
login.defs (5) - shadow password suite configuration
[root@node1 ~]# man useradd
# SEE ALSO
[root@node1 ~]# man login.defs
[root@node1 ~]# vim /etc/login.defs
...
PASS_MAX_DAYS 20
...
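As an added example (not from the original notes), the functions below read PASS_MAX_DAYS from a login.defs-style file, skipping comment lines, and check it against a required maximum. A constructed sample file stands in for /etc/login.defs so the check runs without touching the real file; function names are this example's own.

```shell
# Added example, not from the original notes: check the PASS_MAX_DAYS policy in a
# login.defs-style file against a required maximum.

# pass_max_days <file>
# Prints the PASS_MAX_DAYS value, ignoring comment lines. If the key appears
# more than once the last occurrence is reported; prints "unset" if absent.
pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# policy_ok <file> <max_days>
# Succeeds only when PASS_MAX_DAYS is set and no larger than <max_days>.
policy_ok() {
    v=$(pass_max_days "$1")
    [ "$v" != "unset" ] && [ "$v" -le "$2" ]
}

# make_sample_login_defs
# Writes a constructed fragment (the commented-out line shows that comments are
# skipped) and prints its path.
make_sample_login_defs() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not the real /etc/login.defs
#PASS_MAX_DAYS   99999
PASS_MAX_DAYS   20
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
    echo "$f"
}

# Usage against the live file:
#   policy_ok /etc/login.defs 20 && echo "new accounts expire within 20 days"
```

login.defs only governs accounts created after the change; an account that already exists keeps its old expiry and is adjusted with chage -M 20 <user> and inspected with chage -l <user>.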

Add passwordless sudo

Allow members of the sysmgrs group to use sudo without a password

Option A

[root@node1 ~]# visudo
...
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
%sysmgrs ALL=(ALL) NOPASSWD: ALL
...

Option B

[root@node1 ~]# echo "%sysmgrs ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/sysmgrs
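Option B writes the rule straight into /etc/sudoers.d with no syntax check. As an added example (not from the original notes), the functions below write the drop-in to a temporary file first, validate it with visudo -c when visudo is present, install it readable only by root (mode 0440), and reject file names that sudo silently ignores (names containing a dot or ending in ~). audit_nopasswd lists which principals in a sudoers.d-style directory hold NOPASSWD rules; the directory it is run against here is constructed, and all function names are this example's own.

```shell
# Added example, not from the original notes: validated installation and audit
# of sudoers drop-ins. A real install into /etc/sudoers.d needs root.

# install_sudoers_dropin <name> <rule> [dir]
install_sudoers_dropin() {
    name=$1 rule=$2 dir=${3:-/etc/sudoers.d}
    # sudoers(5): files in the include directory whose name contains '.' or
    # ends in '~' are skipped, so such a rule would never take effect.
    case $name in
        *.*|*~) echo "refusing '$name': sudo ignores names with '.' or trailing '~'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    # Syntax-check the fragment before it can break sudo for every user.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    install -m 0440 "$tmp" "$dir/$name" && rm -f "$tmp"
}

# audit_nopasswd <dir>
# Prints the first field (user or %group) of every active NOPASSWD rule
# found in <dir>, skipping comment lines.
audit_nopasswd() {
    grep -hv '^[[:space:]]*#' "$1"/* 2>/dev/null | grep NOPASSWD | awk '{ print $1 }'
}

# make_sample_sudoers_dir
# Builds a constructed sudoers.d-style directory and prints its path.
make_sample_sudoers_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '%sysmgrs ALL=(ALL) NOPASSWD: ALL' > "$d/sysmgrs"
    printf '%s\n' '## Same thing without a password' \
                  '# %wheel ALL=(ALL) NOPASSWD: ALL' \
                  '%wheel ALL=(ALL) ALL' > "$d/wheel"
    echo "$d"
}

# Usage on the real system (as root):
#   install_sudoers_dropin sysmgrs '%sysmgrs ALL=(ALL) NOPASSWD: ALL'
#   audit_nopasswd /etc/sudoers.d        -> %sysmgrs
```

audit_nopasswd is a quick review of who can become root without a password; run it after any change to the directory.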

Container nginx

Using the nginx image on the registry server, create a container named nginx

For the user wallah, configure a systemd service

The service is named container-nginx and starts automatically when the system reboots, without intervention

Create the file index.html under /home/wallah/www with the content hello nginx

Configure the service so that, on start, it automatically mounts /home/wallah/www to /usr/share/nginx/html in the container

Map port 8080 on the container host to port 80 in the container

[wallah@node1 ~]$ man -k registries
containers-registries.conf (5) - Syntax of System Registry Configuration File
containers-registries.d (5) - Directory for various registries configurations
skopeo (1) - - Command line utility used to interact with local and remote container images and container image registries
skopeo-sync (1) - Synchronize images between container registries and local directories.
[wallah@node1 ~]$ man containers-registries.conf
[wallah@node1 ~]$ cat /etc/containers/registries.conf
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
[registries.insecure]
registries = []
[registries.block]
registries = []
[root@node1 ~]# ssh wallah@localhost 
[wallah@node1 ~]$ mkdir /home/wallah/www
[wallah@node1 ~]$ echo "hello nginx" > /home/wallah/www/index.html
[wallah@node1 ~]$ podman login registry.domain250.example.com
Username: admin
Password:
Login Succeeded!
[wallah@node1 ~]$ podman search registry.domain250.example.com/
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
example.com registry.domain250.example.com/rhel8/mariadb-103 0
example.com registry.domain250.example.com/rhel8/httpd-24 0
example.com registry.domain250.example.com/library/nginx 0
example.com registry.domain250.example.com/ubi7/ubi 0
example.com registry.domain250.example.com/ubi8/ubi 0
example.com registry.domain250.example.com/rhel8/rsyslog 0
[wallah@node1 ~]$ podman pull registry.domain250.example.com/library/nginx
Trying to pull registry.domain250.example.com/library/nginx...
Getting image source signatures
Copying blob 2ee525c5c3cc done
Copying blob ebd81fc8c071 done
Copying blob d15953c0e0f8 done
Copying blob d121f8d1c412 done
Copying blob 655316c160af done
Copying config 7e4d58f0e5 done
Writing manifest to image destination
Storing signatures
7e4d58f0e5f3b60077e9a5d96b4be1b974b5a484f54f9393000a99f3b6816e3d
[wallah@node1 ~]$ podman run -d --name nginx -p 8080:80 -v /home/wallah/www:/usr/share/nginx/html:Z registry.domain250.example.com/library/nginx
715b0d5e63c1fffd41f40910f017b0a3d5884310cd8af9ca5867480c514563bb
[wallah@node1 ~]$ curl localhost:8080
hello nginx
[wallah@node1 ~]$ podman stop nginx
715b0d5e63c1fffd41f40910f017b0a3d5884310cd8af9ca5867480c514563bb
[wallah@node1 ~]$ loginctl enable-linger
[wallah@node1 ~]$ loginctl show-user wallah
...
Linger=yes
[wallah@node1 ~]$ mkdir -p ~/.config/systemd/user/
[wallah@node1 ~]$ cd ~/.config/systemd/user/
[wallah@node1 user]$ podman generate systemd --name nginx --files
/home/wallah/.config/systemd/user/container-nginx.service
[wallah@node1 user]$ systemctl --user enable --now container-nginx.service
Created symlink /home/wallah/.config/systemd/user/multi-user.target.wants/container-nginx.service → /home/wallah/.config/systemd/user/container-nginx.service.
Created symlink /home/wallah/.config/systemd/user/default.target.wants/container-nginx.service → /home/wallah/.config/systemd/user/container-nginx.service.
[wallah@node1 user]$ curl localhost:8080
hello nginx

Configure a container to start automatically (version A)

Using the rsyslog image on the registry server, create a container named logserver

For the user wallah, configure a systemd service

The service is named container-logserver and starts automatically when the system reboots, without intervention

Configure persistent storage for the container (version A)

Extend the service from the previous task as follows

Configure the host system's journald logging to retain data across reboots, and restart the logging service

Copy any files matching *.journal under the host's /var/log/journal directory to /home/wallah/container_logfile

Configure the service so that, on start, it automatically mounts /home/wallah/container_logfile to /var/log/journal in the container

Configure a container to start automatically (version B)

Using the rsyslog image on the registry server, create a container named logger

For the user wallah, configure a systemd service

The service is named container-logger and starts automatically when the system reboots, without intervention

Configure the service so that, on start, it automatically mounts /home/wallah/var_log to /var/log in the container

Run the command podman exec logger logger -p authpriv.info SUIBIAN in the container

[root@node1 ~]# man -k journal
journald.conf (5) - Journal service configuration files
systemd-journald.service (8) - Journal service
...
[root@node1 ~]# systemctl is-enabled systemd-journald.service; systemctl is-active systemd-journald.service
static
active
[root@node1 ~]# man journald.conf
[root@node1 ~]# vim /etc/systemd/journald.conf
[Journal]
Storage=persistent
[root@node1 ~]# systemctl restart systemd-journald.service
[root@node1 ~]# ls /var/log/journal/
f874df04639f474cb0a9881041f4f7d4
[root@node1 ~]# ls -ld /home/wallah/container_logfile/
drwxr-xr-x. 2 wallah wallah 6 Feb 19 11:56 /home/wallah/container_logfile/
[root@node1 ~]# cp /var/log/journal/*/*.journal /home/wallah/container_logfile/
[root@node1 ~]# chown -R wallah:wallah /home/wallah/container_logfile/
[root@node1 ~]# ls -l /home/wallah/container_logfile/
total 8192
-rw-r-----. 1 wallah wallah 8388608 Feb 19 12:14 system.journal
[root@node1 ~]# ssh wallah@localhost 
[wallah@node1 ~]$ podman login registry.domain250.example.com
Username: admin
Password:
Login Succeeded!
[wallah@node1 ~]$ podman search registry.domain250.example.com/
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
example.com registry.domain250.example.com/rhel8/mariadb-103 0
example.com registry.domain250.example.com/rhel8/httpd-24 0
example.com registry.domain250.example.com/library/nginx 0
example.com registry.domain250.example.com/ubi7/ubi 0
example.com registry.domain250.example.com/ubi8/ubi 0
example.com registry.domain250.example.com/rhel8/rsyslog 0
[wallah@node1 ~]$ podman pull registry.domain250.example.com/rhel8/rsyslog
Trying to pull registry.domain250.example.com/rhel8/rsyslog...
Getting image source signatures
Copying blob 68a85f8ea16b done
Copying blob 864ad45e3300 done
Copying blob 5bbc26867c5f done
Copying blob e36a18df25d4 done
Copying config 8411a1edd4 done
Writing manifest to image destination
Storing signatures
8411a1edd4bb97aeae6bf9124cb00c66ff577ae68848e50704e9157263127aeb
[wallah@node1 ~]$ podman run -d --name logserver -v /home/wallah/container_logfile:/var/log/journal:Z registry.domain250.example.com/rhel8/rsyslog
9b4395be4aeb8aeeaf22dfb1503c72a6f9541cc815738adff94c048bbb7c9540
[wallah@node1 ~]$ podman exec logserver ls -l /var/log/journal
total 8192
-rw-r----- 1 root root 8388608 Feb 19 17:17 system.journal
[wallah@node1 ~]$ podman stop logserver
9b4395be4aeb8aeeaf22dfb1503c72a6f9541cc815738adff94c048bbb7c9540
[wallah@node1 ~]$
[wallah@node1 ~]$ man -k systemd
...
loginctl (1) - Control the systemd login manager
[wallah@node1 ~]$ loginctl enable-linger
[wallah@node1 ~]$ loginctl show-user wallah
...
Linger=yes
[wallah@node1 ~]$ man systemd.unit
[wallah@node1 ~]$ mkdir -p ~/.config/systemd/user/
[wallah@node1 ~]$ cd ~/.config/systemd/user/
[wallah@node1 user]$ podman generate systemd --name logserver --files
/home/wallah/.config/systemd/user/container-logserver.service
[wallah@node1 user]$ systemctl --user enable --now container-logserver.service
Created symlink /home/wallah/.config/systemd/user/multi-user.target.wants/container-logserver.service → /home/wallah/.config/systemd/user/container-logserver.service.
Created symlink /home/wallah/.config/systemd/user/default.target.wants/container-logserver.service → /home/wallah/.config/systemd/user/container-logserver.service.
[wallah@node1 user]$ systemctl --user is-active container-logserver.service; systemctl --user is-enabled container-logserver.service
active
enabled
[wallah@node1 ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9b4395be4aeb registry.domain250.example.com/rhel8/rsyslog:latest 5 minutes ago Up About a minute ago logserver
[wallah@node1 ~]$ ls -ld /home/wallah/var_log/
drwxr-xr-x. 2 wallah wallah 6 Feb 19 11:56 /home/wallah/var_log/
[wallah@node1 ~]$ ls -l /home/wallah/var_log/
total 0
[wallah@node1 ~]$ podman run -d --name logger -v /home/wallah/var_log:/var/log:Z registry.domain250.example.com/rhel8/rsyslog
e3ce1a94d1ede3f69a3280b4112c0b5fdad70f9c70784dc8235aebebe9b86094
[wallah@node1 ~]$ podman stop logger
e3ce1a94d1ede3f69a3280b4112c0b5fdad70f9c70784dc8235aebebe9b86094
[wallah@node1 ~]$ cd ~/.config/systemd/user/
[wallah@node1 user]$ podman generate systemd --name logger --files
/home/wallah/.config/systemd/user/container-logger.service
[wallah@node1 user]$ systemctl --user enable --now container-logger.service
Created symlink /home/wallah/.config/systemd/user/multi-user.target.wants/container-logger.service → /home/wallah/.config/systemd/user/container-logger.service.
Created symlink /home/wallah/.config/systemd/user/default.target.wants/container-logger.service → /home/wallah/.config/systemd/user/container-logger.service.
[wallah@node1 user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e3ce1a94d1ed registry.domain250.example.com/rhel8/rsyslog:latest 2 minutes ago Up 3 seconds ago logger
...
[wallah@node1 user]$ podman exec logger logger -p authpriv.info SUIBIAN
[wallah@node1 user]$ ls -lZ /home/wallah/var_log/
total 8
-rw-r--r--. 1 wallah wallah system_u:object_r:container_file_t:s0:c593,c702 666 Feb 19 20:36 messages
-rw-r--r--. 1 wallah wallah system_u:object_r:container_file_t:s0:c593,c702 60 Feb 19 20:36 secure
[wallah@node1 user]$ cat /home/wallah/var_log/secure
2023-02-20T01:36:46.475110+00:00 e3ce1a94d1ed root: SUIBIAN
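The three sessions above (nginx, logserver and logger) repeat one procedure: pull the image, run the container once with a bind mount labelled :Z, stop it, enable lingering so the user's systemd instance survives logout, generate a unit with podman generate systemd, and enable it. As an added example that is not part of the original notes, the shell functions below wrap that procedure with the checks a practitioner would want: build_volume_arg refuses a bind mount whose host path is not absolute or that lacks an SELinux relabel option (without :Z or :z the container is denied access to the directory on an enforcing host), and unit_check confirms the generated unit carries a Restart= policy and is wanted by default.target, which is what systemctl --user enable relies on for an unattended start. deploy_container chains the page's podman, loginctl and systemctl commands and is only useful on a host that has them; function and parameter names are this example's own.

```shell
# Added example, not from the original notes: guarded version of the rootless
# container + user systemd unit procedure shown in the sessions above.

# build_volume_arg <host_dir> <container_dir> [Z|z]
# Prints the -v argument, insisting on an absolute host path and an SELinux
# relabel option: Z labels the directory for this container only, z for sharing
# between containers.
build_volume_arg() {
    host=$1 ctr=$2 label=${3:-Z}
    case $host in
        /*) ;;
        *)  echo "host path must be absolute: $host" >&2; return 1 ;;
    esac
    case $label in
        Z|z) ;;
        *)   echo "relabel option must be Z or z, got '$label'" >&2; return 1 ;;
    esac
    printf '%s:%s:%s\n' "$host" "$ctr" "$label"
}

# unit_check <unit_file>
# Prints "ok" when the unit has a Restart= policy and is wanted by default.target;
# podman generate systemd emits both (the symlink output above shows the latter).
unit_check() {
    grep -q '^Restart=' "$1" && grep -q '^WantedBy=.*default\.target' "$1" && echo ok
}

# deploy_container <name> <image> <host_dir> <container_dir> [host_port:ctr_port]
# Runs the page's steps in order and stops at the first failure.
deploy_container() {
    name=$1 image=$2
    vol=$(build_volume_arg "$3" "$4") || return 1
    port=${5:+-p $5}
    mkdir -p "$3" || return 1
    loginctl enable-linger || return 1               # user services outlive the login session
    podman run -d --name "$name" $port -v "$vol" "$image" || return 1
    podman stop "$name" || return 1                   # the unit, not this shell, will start it
    mkdir -p ~/.config/systemd/user && cd ~/.config/systemd/user || return 1
    podman generate systemd --name "$name" --files >/dev/null || return 1
    unit_check "container-$name.service" >/dev/null || return 1
    systemctl --user enable --now "container-$name.service"
}

# Usage (the page's cases, run as wallah in a real login session):
#   deploy_container nginx     registry.domain250.example.com/library/nginx  /home/wallah/www               /usr/share/nginx/html 8080:80
#   deploy_container logserver registry.domain250.example.com/rhel8/rsyslog /home/wallah/container_logfile /var/log/journal
#   deploy_container logger    registry.domain250.example.com/rhel8/rsyslog /home/wallah/var_log           /var/log
```

The ssh wallah@localhost step in the sessions matters for the same reason the script must run in a login session: systemctl --user talks to the user's own systemd instance, which su - does not start.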

The Storage parameter in the /etc/systemd/journald.conf file determines whether system logs are stored in a volatile way or retained persistently across reboots. Set this parameter to persistent, volatile, or auto, as described below:

persistent: stores logs in the /var/log/journal directory, which persists across reboots.

If the /var/log/journal directory does not exist, the systemd-journald service creates it.

volatile: stores logs in the volatile /run/log/journal directory.

Because the /run file system is temporary and exists only in runtime memory, data stored in it (including system logs) does not persist across reboots.

auto: rsyslog decides whether to use persistent or volatile storage. If the /var/log/journal directory exists, rsyslog uses persistent storage; otherwise it uses volatile storage.

This is the default behavior if the Storage parameter is not set.
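As an added example (not from the original notes), the first function below applies the rules just listed to a journald.conf-style file: it reads the uncommented Storage= line, treats a missing key as auto, and for auto checks whether the journal directory exists. The directory is a parameter so the check can be run against a constructed file and a scratch directory instead of the live /etc/systemd/journald.conf and /var/log/journal. The second function mirrors the copy step from the version A task above, taking only *.journal files from the machine-id subdirectory. Function names are this example's own.

```shell
# Added example, not from the original notes: decide where journald keeps logs
# given a journald.conf and the state of the persistent directory, and copy
# journal files the way the version A task does.

# effective_journal_storage <journald.conf> [journal_dir]
# Prints "persistent <dir>" or "volatile /run/log/journal".
effective_journal_storage() {
    conf=$1 dir=${2:-/var/log/journal}
    # Only an uncommented Storage= line counts; a missing key means auto.
    setting=$(awk -F= '/^[[:space:]]*Storage[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
                       END { print (v == "" ? "auto" : v) }' "$conf")
    case $setting in
        persistent) echo "persistent $dir" ;;
        volatile)   echo "volatile /run/log/journal" ;;
        auto)       if [ -d "$dir" ]; then echo "persistent $dir"; else echo "volatile /run/log/journal"; fi ;;
        *)          echo "unsupported Storage=$setting" >&2; return 1 ;;
    esac
}

# copy_journal_files <src_root> <dst_dir>
# Copies every *.journal found one level below <src_root> (journald stores them
# under a machine-id subdirectory) into <dst_dir>, preserving timestamps, and
# prints how many files were copied. Rotated files ending in ~ are not matched.
copy_journal_files() {
    n=0
    for f in "$1"/*/*.journal; do
        [ -f "$f" ] || continue
        cp -p "$f" "$2"/ || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Usage on the host (as root, then hand the copies to wallah as in the session):
#   effective_journal_storage /etc/systemd/journald.conf
#   copy_journal_files /var/log/journal /home/wallah/container_logfile
#   chown -R wallah:wallah /home/wallah/container_logfile
```

After switching Storage to persistent, restart systemd-journald before copying; until then the only journal files are the volatile ones under /run/log/journal.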

--volume host_dir:container_dir:Z

With the Z option, Podman automatically applies the SELinux container_file_t context type