補覺鳴詩


Common Linux / Ubuntu commands

Date: 2022-02-21   |   Categories: linux   ubuntu   | Word count: 1853 | Reading time: 4 minutes

Add timestamps to history

https://blog.longwin.com.tw/2017/05/linux-bash-history-date-time-display-2017/

vim ~/.bashrc # append at the bottom:
HISTTIMEFORMAT='%F %T '
source ~/.bashrc

owan@node1:~$ history 
    1  2022-03-29 11:16:56 shutdonw -h now 
    2  2022-03-29 11:16:56 shutdown -h now 
    3  2022-03-29 11:16:56 ip a

virtualbox guest additions

sudo apt update
sudo apt install -y 

# insert guest cd
mkdir /tmp/iso
sudo mount /dev/cdrom /tmp/iso
sudo /tmp/iso/VBoxLinuxAdditions.run

ansible

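sudo apt install -y python3-pip git wget vim bash-completion curl jq tar sshpass

# Quote EOF so $PATH and $HOME are written literally and expand at login,
# instead of freezing the current PATH into ~/.bashrc
cat <<'EOF' >> ~/.bashrc
export PATH=$PATH:$HOME/.local/bin
EOF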
source ~/.bashrc

samba

https://www.thegeekdiary.com/how-to-add-or-delete-a-samba-user-under-linux/

sudo apt update
sudo apt install samba

sudo nano /etc/samba/smb.conf
# append at the end:
[nasDatasets]
  comment = Samba on Ubuntu
  path = /home/nas/Datasets
  read only = no
  browsable = yes

Start the service

# create the smb user for nas
sudo smbpasswd -a nas

sudo service smbd restart

APT

Search available package versions
apt info wget -a

List whether a package is installed (--installed), (--upgradeable)
apt list wget

Repository list
/etc/apt/sources.list.d

apt-key - APT key management utility

listening port

sudo lsof -i -P -n | grep LISTEN

ssh

https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys#generating-and-working-with-ssh-keys

ssh key login

# Generate a key
# First generate an SSH key on the local machine
# Key locations:
# ~/.ssh/id_rsa: The private key. DO NOT SHARE THIS FILE!
# ~/.ssh/id_rsa.pub: The associated public key. This can be shared freely without consequence.

ssh-keygen -t rsa -b 4096 -N ''

# More secure: omit -N so that ssh-keygen prompts for a passphrase;
# logging in then needs the key's passphrase in addition to the key
ssh-keygen

# Copy the key to a server (playbook task)
ssh-copy-id user@host

# Copy the key manually: append the public key to this file on the server
.ssh/authorized_keys

Disable Host Key Checking (ssh then no longer refuses to connect when a host key is unknown or has changed)
/etc/ssh/ssh_config
StrictHostKeyChecking=no

Setup ssh tunnel

sshuttle -r kubo@10.92.21.17 30.0.0.0/16 192.168.150.0/24 -e ...

ssh proxy

-N : do not execute any command
-f : run in the background
-L : forward a local port
-R : forward a remote port
-D : socks proxy


# Create an SSH tunnel (forward)
# 192.168.1.60 runs an nginx server
# After connecting,
# local port 8080 goes through the ssh tunnel to 192.168.1.60, which then connects to localhost:80
# Local machine: 192.168.1.61
ssh -NL 8080:localhost:80 owan@192.168.1.60

# Reverse
# When 192.168.1.60 connects to port 8080, the connection is tunnelled to my port 80
ssh -NR 8080:localhost:80 owan@192.168.1.60

Create a SOCKS proxy server

# Hand the traffic sent to my port 3128 to 192.168.1.61 for processing
ssh -NfD 3128 owan@192.168.1.61

Bastion scenario

https://towardsaws.com/ssh-into-the-private-server-through-bastion-host-f637aa5f5c17

ssh client 193.168.1.141
Bastion host 193.168.1.142
web server 193.168.1.143

  • web server: install nginx
    sudo apt install nginx -y
    sudo systemctl enable nginx --now

  • ssh client: generate an ssh key with ssh-keygen and copy the key to the web server

ssh-agent

Start the ssh-agent
eval $(ssh-agent)

Add ssh keys to the ssh-agent (specify the private key)
owan@node1:~$ ssh-add .ssh/id_rsa

Forward the ssh keys to the bastion host
The -A flag enables agent forwarding, so the keys held by the local ssh-agent can be used from the bastion host
owan@node1:~$ ssh -A owan@192.168.1.142
check ssh agent
owan@node2:~$ ssh-add -l

log into the remote host
ssh owan@192.168.1.143

At this point, because ssh-agent automatically uses the ssh key and passphrase to log in, no further authentication is needed to reach the web server.

https://smallstep.com/blog/ssh-agent-explained/
security risk: anyone with root access on the remote host can discreetly access your local SSH agent through the socket
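The agent-forwarding risk above and the StrictHostKeyChecking=no setting from the ssh section can both end up in a client config file, where they are easy to forget. The following is an added example, not code from the original post: a POSIX shell/awk check that lists them per Host block. ForwardAgent yes is the config-file form of the -A flag; the function names and the sample config are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): list ssh client options that
# weaken the bastion setup. Output lines are "<Host pattern><TAB><finding>".

audit_ssh_config() {
  awk '
    BEGIN { host = "(global)" }     # options placed before any Host line
    /^[ \t]*#/ { next }             # comment
    /^[ \t]*$/ { next }             # blank line
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (!match(line, /^[A-Za-z]+/)) next
      key  = tolower(substr(line, 1, RLENGTH))
      rest = substr(line, RLENGTH + 1)
      sub(/^[ \t]*=?[ \t]*/, "", rest)   # accepts "Key value" and "Key=value"
      sub(/[ \t]+$/, "", rest)
      val = tolower(rest)
      if (key == "host" || key == "match") { host = rest; next }
      if (key == "forwardagent" && val != "no")
        print host "\tForwardAgent " rest ": root on that host can use the agent socket"
      if (key == "stricthostkeychecking" && (val == "no" || val == "off"))
        print host "\tStrictHostKeyChecking " rest ": new or changed host keys do not stop the connection"
    }
  ' "$1"
}

# Constructed sample: the bastion-host / node3 layout of this post, plus two
# assumed risky lines (ForwardAgent yes, StrictHostKeyChecking=no).
write_sample_config() {
  cat > "$1" <<'EOF'
Host bastion-host
  HostName 192.168.1.142
  ForwardAgent yes
Host node3
  HostName 192.168.1.143
  ProxyJump bastion-host
Host *
  StrictHostKeyChecking=no
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
audit_ssh_config "$tmp"
rm -f "$tmp"
```

Run it against a real file with audit_ssh_config ~/.ssh/config; a Host block that only uses ProxyJump, like node3 in the sample, produces no finding.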

Proxy Jump

Jump directly to the web server without using ssh-agent

ssh -J [user@bastion_ip] [user@Destination_IP]

Use a config file (.ssh/config) to make repeated logins easier

owan@node1:~$ cat .ssh/config
## Bastion Host
Host bastion-host
  HostName 192.168.1.142
  User owan

## Remote Host
Host node3
  HostName 192.168.1.143
  User owan
  ProxyJump bastion-host

Connect
ssh node3

Proxy Command

ProxyCommand

One-off run

ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host

The %h:%p arguments to the -W flag above specify to forward standard in and out to the remote host (%h) and the remote host’s port (%p).

config

## Bastion Host
Host bastion-host
  HostName 192.168.1.142
  User owan

## Remote Host
Host node3
  HostName 192.168.1.143
  User owan
  ProxyCommand ssh -q -W %h:%p bastion-host

GNOME Flashback

sudo apt install gnome-session-flashback

Rename the sessions you do not want

weicloud@ubuntu1804:/usr/share/xsessions$ ls
gnome-flashback-compiz.desktop.old  gnome-flashback-metacity.desktop  ubuntu-communitheme-snap.desktop.old  ubuntu.desktop

Remove the welcome screen
sudo apt remove gnome-initial-setup

DHCP-server

apt install isc-dhcp-server
/etc/dhcp/dhcpd.conf
/var/lib/dhcp/dhcpd.lease

Option: Description

Type:
  simple – The default value
  forking – The parent process spawns a child process that runs as the service; if the parent process does not exit within the time limit, the start is treated as failed
  oneshot – The process is short-lived and systemd has to wait for it to finish; used for services that run once
  dbus – This indicates that unit will take a name on the D-Bus bus. When this happens, systemd will continue to process the next unit.
  notify – This indicates that the service will issue a notification when it has finished starting up. The systemd process will wait for this to happen before proceeding to other units.
  idle – This indicates that the service will not be run until all jobs are dispatched
ExecStart: full path and the arguments of the command to be executed to start the process
ExecStartPre: provide additional commands that should be executed before the main process is started
ExecStartPost: differs from ExecStartPre in that it runs after the main process
ExecStop: This indicates the command needed to stop the service. If this is not given, the process will be killed immediately when the service is stopped
Restart: This indicates the circumstances under which systemd will attempt to automatically restart the service. This can be set to values like "always", "on-success", "on-failure", "on-abnormal", "on-abort", or "on-watchdog". These will trigger a restart according to the way that the service was stopped.
  Combine with StartLimitInterval and StartLimitBurst to cap the number of retries: within StartLimitInterval the service can be restarted at most StartLimitBurst times
RestartSec: If automatically restarting the service is enabled, the interval between automatic restarts
TimeoutSec: When the service is stopping, how long to wait before deciding to force kill it
alias bitfusion2g="bitfusion run -n 1 -m 2775"    #bitfusion
alias bitfusion4g="bitfusion run -n 1 -m 3700"    #bitfusion
alias bitfusion8g="bitfusion run -n 1 -m 7400"    #bitfusion
alias bitfusion12g="bitfusion run -n 1 -m 11100"    #bitfusion
alias bitfusion16g="bitfusion run -n 1 -m 14800"    #bitfusion
alias bitfusion24g="bitfusion run -n 1 -m 22200"    #bitfusion
alias bitfusion48g="bitfusion run -n 1 -m 44400"    #bitfusion

add sudo user

weicloud@ubuntu:~$ sudo adduser bimap
Adding user `bimap' ...
Adding new group `bimap' (1001) ...
Adding new user `bimap' (1001) with group `bimap' ...
Creating home directory `/home/bimap' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
No password supplied
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for bimap
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:

weicloud@ubuntu:~$ sudo usermod -aG sudo bimap

nopassword
wardah ALL=(ALL) NOPASSWD:ALL

config IP address

https://netplan.io/examples/

weicloud@ubuntu:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:8a:70:b6 brd ff:ff:ff:ff:ff:ff
    inet 10.201.99.5/16 brd 10.201.255.255 scope global dynamic ens160
       valid_lft 162262sec preferred_lft 162262sec
    inet6 fe80::250:56ff:fe8a:70b6/64 scope link
       valid_lft forever preferred_lft forever

# use static IP
sudo nano /etc/netplan/99_config.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:
      addresses:
        - 10.201.102.24/16
      gateway4: 10.201.100.254
      nameservers:
          search: [mydomain, otherdomain]
          addresses: [10.201.100.100, 1.1.1.1]

sudo rm -f 00-installer-config.yaml 
          
sudo netplan apply



# use DHCP
network:
    version: 2
    renderer: networkd
    ethernets:
        enp3s0:
            dhcp4: true

UFW

sudo ufw allow 7080

sudo ufw status numbered

sudo ufw delete [numbered]
sudo ufw delete 22
sudo ufw insert 1 allow 22
sudo ufw deny from 10.0.0.1

HA

sudo nano /etc/hosts
10.201.102.26 ha1
10.201.102.27 ha2

sudo apt install -y pacemaker corosync crmsh
sudo systemctl stop corosync
sudo systemctl stop pacemaker

Run on the first node

sudo apt install -y haveged

sudo corosync-keygen

cd /etc/corosync/
sudo mv corosync.conf corosync.conf.bekup

sudo nano corosync.conf    # run on the first node

# Totem Protocol Configuration
totem {
  version: 2
  cluster_name: hakase-cluster
  transport: udpu

  # Interface configuration for Corosync
  interface {
    ringnumber: 0
    bindnetaddr: 10.201.0.0
    broadcast: yes
    mcastport: 5407
  }
}

# Nodelist - Server List
nodelist {
  node {
    ring0_addr: HA1
  }
  node {
    ring0_addr: HA2
  }
}

# Quorum configuration
quorum {
  provider: corosync_votequorum
}

# Corosync Log configuration
logging {
  to_logfile: yes
  logfile: /var/log/corosync/corosync.log
  to_syslog: yes
  timestamp: on
}

service {
  name: pacemaker
  ver: 0
}

scp
scp /etc/corosync/* root@web02:/etc/corosync/
scp /etc/corosync/* root@web03:/etc/corosync/

Start All Cluster Services
sudo systemctl start corosync
sudo systemctl enable corosync
sudo systemctl start pacemaker
sudo update-rc.d pacemaker defaults 20 01
sudo systemctl enable pacemaker

sudo crm status

sudo corosync-cmapctl | grep members

Create and Configure the Cluster

Run on the first node

sudo crm configure property stonith-enabled=false
sudo crm configure property no-quorum-policy=ignore
sudo crm configure show

enable vip
sudo crm configure primitive virtual_ip \
  ocf:heartbeat:IPaddr2 params ip="10.201.102.28" \
  cidr_netmask="32" op monitor interval="10s" \
  meta migration-threshold="10"

HA (keepalive)

sudo apt-get update
sudo apt-get install linux-headers-$(uname -r)
sudo nano /etc/keepalived/keepalived.conf

First node

! Configuration File for keepalived

global_defs {
  notification_email {
    sysadmin@mydomain.com
    support@mydomain.com
  }
  notification_email_from lb1@mydomain.com
  smtp_server localhost
  smtp_connect_timeout 30
}

vrrp_instance VI_1 {
  state MASTER
  interface ens160
  virtual_router_id 101
  priority 101
  advert_int 1
  authentication {
      auth_type PASS
      auth_pass 1111
  }
  virtual_ipaddress {
       10.201.102.28
  }
}

Second node

! Configuration File for keepalived

global_defs {
  notification_email {
    sysadmin@mydomain.com
    support@mydomain.com
  }
  notification_email_from lb1@mydomain.com
  smtp_server localhost
  smtp_connect_timeout 30
}

vrrp_instance VI_1 {
  state MASTER
  interface ens160
  virtual_router_id 101
  priority 100
  advert_int 1
  authentication {
      auth_type PASS
      auth_pass 1111
  }
  virtual_ipaddress {
       10.201.102.28
  }
}

sudo systemctl start keepalived

scan disk

for host in /sys/class/scsi_host/*; do echo "- - -" | sudo tee $host/scan; ls /dev/sd* ; done

ulimit

ulimit: usage: ulimit [-SHabcdefiklmnpqrstuvxPT] [limit]
owan@lab:~$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7579
max locked memory       (kbytes, -l) 65536
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 7579
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

http://manpages.ubuntu.com/manpages/bionic/man7/signal.7.html
