Jan 31, 2019, 12:54 PM


Linux notes


Libertarian paternalism
https://pl.wikipedia.org/wiki/Heurystyka_reprezentatywności
https://pl.wikipedia.org/wiki/Lista_b%C5%82%C4%99d%C3%B3w_poznawczych
!!!

Camel reservation: A3ED2
https://bilety-rockserwis.pl
;
CBS television dramatized the course of the experiment in the film The Tenth Level. John Travolta appeared, and William Shatner, known from the series Star Trek, played Milgram.
;
In 2015 the biographical film [1] "Experimenter" premiered.
;
https://pl.wikipedia.org/wiki/Ekonomia_behawioralna
;
In 2011 Kahneman's book "Thinking, Fast and Slow", dedicated to Tversky and summing up his scientific career, was published.





ps -elf
 shows processes with parent PID
changing the niceness of a currently running process:
 renice +3 [pid]
ps lf

libraries, good if reused
 static - linked in at compile time; changing the library later doesn't affect the running process
 shared - loaded at runtime; changing the library later affects the processes that load it. also called DLL (on Windows (?)). more efficient: memory usage is lower, exe size too, and one copy can be used by many apps at once.
 a big change in a shared library can cause so-called "DLL Hell", especially on 16-bit Windows where all apps ran in a shared address space

ldd `which vim`
 shows shared library dependencies
 it's not safe on untrusted binaries, since some ldd implementations run the program to resolve its dependencies, so arbitrary code in it may execute (the ldd man page recommends objdump -p or readelf -d for that case)

ulimit -n 2048
 set the max number of open files to 2048

zombie process - has terminated but no other process has yet asked about its exit status



ipcs
 old way of doing IPC - Inter Process Communication. System V IPC. Key of 0 means IPC_PRIVATE - those are only shared between processes in a parent/child relationship

SIGNALS:
 what are they?
 know the different types of signals in Linux
 use signals from the command line: kill, killall, pkill

s. - used to notify processes asynchronously (so the s. was not expected, or was expected but its exact time was not known)
2 paths:
 kernel -> process when there is an exception
 user process -> another (or the same) process

s. can be sent only between processes owned by the same user, or from a process owned by the superuser to any process

2 s. cannot be caught, blocked or ignored; their default action always happens:
 SIGKILL
 SIGSTOP

SIGKILL kills a process and cannot be caught

SIGTERM kills a process but can be caught to do a graceful exit

SIGSTOP suspends the process until you send SIGCONT

kill -l
 list all (?) signals

man 7 signal
 shows an overview of signals

examples of the 'kill' command:
 kill 1991
 kill -9 1991
 kill -SIGKILL 1991

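The SIGTERM / SIGKILL difference above, as a runnable shell script. This is an added example, not part of the course notes; graceful_worker, plain_worker and run_and_signal are names chosen here. The parent shell reports a signal death as 128 + signal number, which is how the three cases are told apart.

```shell
#!/bin/sh
# Added example (not from the notes): catchable vs. uncatchable signals.
# A shell process that installs a SIGTERM handler can finish cleanly and pick
# its own exit status; SIGKILL bypasses every handler, so the parent sees
# status 128 + 9 = 137, and an unhandled SIGTERM gives 128 + 15 = 143.

graceful_worker() {
  # handler: do cleanup here, then exit with a chosen status
  trap 'exit 0' TERM
  while :; do sleep 1; done
}

plain_worker() {
  # no handler: the default action of SIGTERM terminates the shell
  while :; do sleep 1; done
}

# run_and_signal WORKER SIGNAME -> prints the worker's wait status
run_and_signal() {
  "$1" > /dev/null 2>&1 &
  rs_pid=$!
  sleep 1                       # let the worker start and install its trap
  kill -s "$2" "$rs_pid"        # same as "kill -TERM PID" / "kill -9 PID"
  rs_status=0
  wait "$rs_pid" || rs_status=$?
  echo "$rs_status"
}

# run_and_signal graceful_worker TERM   -> 0    (handler ran, chose exit 0)
# run_and_signal plain_worker TERM      -> 143  (default action, 128 + 15)
# run_and_signal graceful_worker KILL   -> 137  (handler never ran, 128 + 9)
```

The same status arithmetic is what `$?` shows after a foreground command is killed, so a monitoring script can distinguish a service that exited on purpose from one that was killed.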
_______

package managers:
 Red Hat - Yum
 Fedora - DNF
 SUSE - Zypper
 Debian - apt-get

2 levels of packaging system utilities:
 low level, not resolving dependencies, like rpm, dpkg
 high level, resolving dependencies, like yum/dnf/zypper for rpm; apt-get/apt-cache for dpkg

Process of installing/removing software:
 creating symbolic links
 creating dirs if needed
 setting permissions
 anything that can be scripted (?)

in Debian based systems a source package comes with:
 tarball: "*.tar.gz"
 description: "*.dsc"
 second tarball with patches or other files: "*.debian.tar.gz" or "*.diff.gz"




apt-get source logrotate
;
https://lms.quickstart.com/custom/799658/LAB_7.1.pdf
;
/etc/apt/sources.list # read up on this!!!
/etc/apt/sources.list.d/
;
/etc/apt/preferences # setting preferences (pinning). read up!
;
apt-get moo
;
sudo apt-get autoremove # get rid of older kernel versions
sudo apt-get clean # cleans archived package files that have been installed
;
https://lms.quickstart.com/custom/799658/LAB_10.1.pdf
!!!
https://lms.quickstart.com/custom/799658/LAB_10.2.pdf
https://lms.quickstart.com/custom/799658/LAB_10.3.pdf


info about packages, examine contents, download
packages.debian.org
packages.ubuntu.org


dpkg -l # list all installed packages
dpkg -L wget # list files installed by the wget package
dpkg -s wget # show info about an installed package
dpkg -I wget.deb # show info about a package file
dpkg -c wget.deb # list files in a package file
dpkg -S /etc/init/networking.conf # show which package owns /etc/init/networking.conf
dpkg -S wget # search installed packages for files whose path matches "wget"
dpkg -V package # verify installed files against the checksums dpkg recorded for the package. without arg. it will verify all packages on the system. see man page to interpret output

sudo dpkg -i foobar.deb # install/upgrade the `foobar` package from a .deb file
sudo dpkg -r foobar # remove the `foobar` package (except its configs)
sudo dpkg -P foobar # remove the `foobar` package (with configs) (P is for Purge)
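What `dpkg -V` does, reduced to a shell function you can run on a scratch directory. This is an added example, not dpkg's code or part of the notes; the package tree and manifest are constructed here, and make_sample_pkg / verify_pkg are names chosen for the example.

```shell
#!/bin/sh
# Added example (not from the notes): what "dpkg -V" does, in miniature.
# dpkg records one "md5  relative/path" line per installed file in
# /var/lib/dpkg/info/<package>.md5sums; -V recomputes the hashes and reports
# the files that differ. Here a constructed package tree and manifest stand
# in for a real package.

# make_sample_pkg ROOT -> two "installed" files under ROOT plus ROOT/pkg.md5sums
make_sample_pkg() {
  mkdir -p "$1/usr/bin" "$1/etc"
  printf '#!/bin/sh\necho hello\n' > "$1/usr/bin/hello"
  printf 'setting=1\n'             > "$1/etc/hello.conf"
  # the manifest uses paths relative to ROOT, like dpkg's .md5sums files
  ( cd "$1" && md5sum usr/bin/hello etc/hello.conf ) > "$1/pkg.md5sums"
}

# verify_pkg ROOT -> prints the path of every file whose current hash differs
# from the manifest (or that is missing); prints nothing when all files match
verify_pkg() {
  ( cd "$1" && md5sum -c pkg.md5sums 2>/dev/null ) |
    awk -F': ' '$2 != "OK" { print $1 }'
}
```

On a real system the manifest lives under /var/lib/dpkg/info/, and a modified binary shows up exactly like the tampered usr/bin/hello below; edited conffiles under /etc show up too, which is why `dpkg -V` output needs the man page to interpret.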

apt-cache search apache2
apt-cache show apache2 # show info about apache2
apt-cache showpkg apache2 # show more detailed info about apache2
apt-cache depends apache2 # list dependencies of apache2
apt-cache search apache2.conf
apt-file list apache2 # list all files in the apache2 package (apt-cache has no such subcommand; apt-file needs `apt-file update` first)

sudo apt-get update
sudo apt-get install <package>
sudo apt-get remove <package>
sudo apt-get --purge remove <package> # remove the package and its configs from the system
sudo apt-get upgrade # apply all available updates to packages already installed
sudo apt-get dist-upgrade # smarter upgrade: also installs/removes packages to resolve changed dependencies
sudo apt-get autoremove # get rid of older kernel versions
sudo apt-get clean # cleans archived package files that have been installed
;
notice that update without upgrade effectively changes nothing on the system: it only refreshes the package index



monitoring - chapter 11
 many system monitoring tools make use of pseudo-filesystems, especially /proc and /sys
(/proc and /sys pseudo-filesystems)

main process and load monitoring utilities:
 top # process activity, dynamically updated
 uptime # how long the system has been running and avg load
 ps # detailed info about processes
 pstree # a tree of processes and their connections
 mpstat # multiple CPU usage
 iostat # CPU utilization and I/O stats
 sar # display and collect info about system activity
 numastat # info about NUMA (Non-Uniform Memory Architecture)
 strace # info about all system calls a process makes

memory monitoring utilities:
 free # brief summary of memory usage
 vmstat # detailed virtual memory stats and block I/O, dynamically updated
 pmap # process memory map

I/O monitoring utilities
 iostat # CPU utilization and I/O statistics
 sar # display and collect info about system activity
 vmstat # detailed virtual memory stats and block I/O, dynamically updated

network monitoring utilities
 netstat # detailed networking stats
 iptraf # gather info on network interfaces
 tcpdump # detailed analysis of network packets and traffic
 wireshark # detailed network traffic analysis

/proc and /sys:
 pseudo-filesystems with lots of info about the system; many entries are writable, and writing to them changes system behavior
 pseudo-filesystems because:
 when the system is not running, they are empty
 contents are generated only when a user looks at them; they are not updated periodically
 most *tunable* system parameters are in '/proc/sys/*'
 TODO: fs/ - file system; net/, vm/
 modifying values:
 sudo bash -c 'echo 100000 > /proc/sys/kernel/threads-max'

/sys is based on the Unified Device Model, conceptually a device tree with buses, devices, etc. Most files contain only 1 line of text.

You might find the output from "man hier" fascinating

network devices:
ls -lF /sys/class/net


sar - System Activity Reporter. just a command line tool. its backend is SADC - System Activity Data Collector, which accumulates statistics.
 > sar [options] [interval] [count]
e.g.:
 > sar 3 3
interesting switches
 -A almost all; a wall of text

stress - tool to stress the CPU
e.g.:
 > stress -c 8 -i 4 -m 6 -t 20s
 fork off 8 CPU-intensive processes, each doing sqrt()
 fork off 4 I/O-intensive processes, each doing sync()
 fork off 6 memory-intensive processes, each doing malloc(), allocating 256MB by default. Size can be changed as in --vm-bytes 128M

chapter 12 - process monitoring
(by the end of this chapter: ps, pstree, top)

ps has 3 formats of options (this explains its odd syntax)

> ps aux
// processes that exist entirely within the kernel are surrounded by [] (like [kthreadd])
if there is one per CPU, the number tells us which CPU it runs on

legend:
VSZ - virtual memory size in KB
RSS - resident set size
STAT - describes the state of the process. mostly sleeping or running.
 < high prio (not nice)
 N low prio (nice)
 L having pages locked in memory
 s session leader
 l multi-threaded
 + in the foreground process group

adding the f option (ps auxf) shows ancestry, like pstree (?)

> ps -elf #unix option format
#shows NI(ceness) and Parent Process ID

you can specify the output format with "-o", like:
ps -o pid,uid,cputime,pmem,command


/// chapter 13 - memory, monitoring usage, tuning ///
by the end:
 list the primary (inter-related) considerations and tasks involved in memory tuning (?)
 know the entries of /proc/sys/vm and
 decipher /proc/meminfo
 understand the OOM-killer (which selects processes to exterminate to free up some memory)

when tweaking /proc/sys/vm, you want to change 1 thing at a time and look for the effects.
also:
 control flushing (?)
 control swap behaviour
 control overcommission (?)

utilities to use:
 free - brief summary of memory usage
 vmstat - detailed virtual memory stats and block I/O, dynamically updated (probably not on my system)
 pmap - process memory map

values in /proc/sys/vm can be changed by:
 directly writing to the entry. almost all entries are writable (by root)
 using the sysctl utility
you can find docs describing this directory in the kernel source (?). Usually under Documentation/sysctl/vm.txt

> vmstat [options] [delay] [count]
> vmstat 2 4 # some delay and count values
> vmstat -s # summary, nice
> vmstat -d # table of disk statistics
> vmstat -p /dev/sdb1 2 4 # stats for the given partition, polled as above

13.7.b. /proc/meminfo II
learn that table with the field descriptions, analyze it, take a screenshot, whatever

OOM-Killer I
Linux overcommits memory; in practice this works because few programs use 100% of the memory they allocate
Whenever a child process is forked, it receives a copy of the entire memory space of the parent
Because Linux uses the COW (Copy on Write) technique, no actual copy needs to be made unless one of the processes modifies memory. However, the kernel has to assume that the copy might need to be made (?).
If memory is exhausted, Linux invokes the OOM-Killer (Out Of Memory Killer), which decides which processes should be exterminated.

Order of killing is determined by badness (/proc/[pid]/oom_score). a normal user can only increase the badness (via /proc/[pid]/oom_score_adj); a negative value can be given only by root. note that /proc/[pid]/oom_adj is deprecated

sudo swapoff -a # turn off all swap

# !!!!!!!
dmesg # kernel msgs

disabling swap partitions increases the chances of the system invoking the OOM-Killer
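The badness ordering described above, as a shell function that lists processes the way the OOM-killer would consider them. This is an added example, not part of the notes; it reads a /proc-like tree given as an argument so it can run on the constructed tree built by make_sample_proc (pids, names and scores below are made up), and oom_ranking / oom_first_victim are names chosen here.

```shell
#!/bin/sh
# Added example (not from the notes): list processes in the order the
# OOM-killer would consider them, highest badness (/proc/PID/oom_score) first.
# The functions take the proc root as an argument so they can run against the
# constructed tree built below; on a live system pass /proc.

# make_sample_proc ROOT -> constructed /proc look-alike with three processes
make_sample_proc() {
  msp_root=$1
  # constructed values: pid comm oom_score oom_score_adj
  for spec in "1001 nginx 42 0" "1002 java 873 0" "1003 sshd 12 -1000"; do
    set -- $spec
    mkdir -p "$msp_root/$1"
    echo "$2" > "$msp_root/$1/comm"
    echo "$3" > "$msp_root/$1/oom_score"
    echo "$4" > "$msp_root/$1/oom_score_adj"   # -1000 means: never chosen
  done
}

# oom_ranking ROOT -> "oom_score pid comm oom_score_adj" lines, worst first
oom_ranking() {
  for d in "$1"/[0-9]*; do
    [ -r "$d/oom_score" ] || continue            # the process may have exited
    printf '%s %s %s %s\n' "$(cat "$d/oom_score" 2>/dev/null)" "${d##*/}" \
      "$(cat "$d/comm" 2>/dev/null)" "$(cat "$d/oom_score_adj" 2>/dev/null)"
  done | sort -rn
}

# oom_first_victim ROOT -> pid with the highest oom_score
oom_first_victim() { oom_ranking "$1" | awk 'NR == 1 { print $2 }'; }
```

Run `oom_ranking /proc | head` on a live system to see which service would go first under memory pressure; a daemon that must survive gets a negative oom_score_adj (root only, as the note says), and the sample sshd entry shows the -1000 value that excludes a process entirely.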

heuristic algorithm - read up on what that is



/// chapter 14 - I/O Monitoring and Tuning ///
by the end:
 use iostat to monitor system I/O device activity
 use iotop to display a constantly updated table of current I/O usage
 use ionice to set both the I/O scheduling class and the priority for a given process

a system is considered I/O-bound when the CPU is found sitting idle waiting for I/O to complete, or the network is waiting to clear buffers

I/O is complex. we'll consider I/O scheduling later

> iostat # generates general I/O reports
#tps - I/O transactions per sec; logical requests can be merged into one actual request
# blocks read or written per unit time, where a block is most of the time 512B
# total blocks read or written
# dm - device mapper

> iostat -k # kB instead of blocks. "-m" also works

> iostat -xk # extended!!!

> iotop # top for I/O
> iotop -o # shows only processes that are actually doing I/O right now

> ionice -p [pid] # checking the scheduling class and priority for a given process



/// chapter 15 - I/O scheduling ///
(???)
the system depends heavily on optimizing the I/O scheduling strategy
by the end:
 explain the importance of I/O scheduling and describe the conflicting requirements that need to be satisfied
 delineate and contrast the options available under Linux (?)
 understand how the CFQ (Completely Fair Queuing) and Deadline algorithms work

2 layers, VM (Virtual Memory) and VFS (Virtual File System), submit I/O requests to block devices. it is the job of the scheduling layer to prioritize and order these requests before they are given to the block devices

at least 1 I/O scheduling algorithm must be compiled into the kernel:
 CFQ
 Deadline Scheduling
 noop (a simple scheme)
CFQ and Deadline are the defaults

> cat /sys/block/<sda>/queue/rotational # checks if the disk is an SSD (0 - SSD)

> echo noop > /sys/block/<sda>/queue/scheduler # as root
> cat /sys/block/<sda>/queue/scheduler

things to change vary according to the particular I/O scheduler and can be found under:
/sys/block/<device>/queue/iosched

<blah blah, I don't understand this>




/// chapter 16 - Linux Filesystems and the VFS ///
!!!!!!!
by the end:
 explain the basic filesystem organisation
 understand the role of the VFS
 know which filesystems are available and which ones can be used on your actual system
 know why journaling filesystems are better
 discuss the use of special filesystems in Linux

VFS - Linux doesn't need to know exactly which filesystem it is working on
Modern Linux filesystems:
 ext4
 xfs
 btrfs

!!!
Linux uses an inverted tree hierarchy ("/"). Usually there are multiple partitions joined together at mount points. They can also include removable media, like USB drives and others.
Also certain "virtual pseudo filesystems" will be mounted within the tree, things like /proc, /sys, /tmp, /run

Each of the elements within the tree may in fact have its own filesystem variety (!). But to the OS it all appears as one, unified tree structure.
Linux implements a VFS, like every modern OS (!). It translates all I/O system calls into specific code relevant to the particular actual filesystem. Therefore, the filesystem type need not be considered by applications. Also, network filesystems (such as NFS) can be handled transparently

/proc has a filesystem named "proc" (!)

!!!

> cat /proc/filesystems # outputs all filesystems "understood" by our OS

> dd if=/dev/zero of=junk bs=1M count=512
> sudo mkfs.xfs junk
> sudo mount junk /mnt
> df -h # to check the newly created disk
> lsmod | less # we can see that xfs is now used (it wasn't before)

newer filesystems include full "journaling" capability, which allows recovery from system crashes. it comes at the price of more operations to do.
In journaling filesystems operations are grouped into "transactions". Each t. must be completed without error, atomically, or will not be completed at all.
Ext3 was the 1st journaling filesystem for Linux (Ext3 was Ext2 + journaling)

Some of Linux's filesystems have no mount point - user apps don't interact with them, but the kernel uses them, taking advantage of the VFS layers and code.

tmpfs - expands its size dynamically. starts at 0, expands as necessary up to the max. size it was mounted with


/// chapter 17 - Disk partitioning - introduction ///
After:
 describe and contrast the most common types of hard disks and data buses
 partitioning strategies
 use blkid and fdisk
 back up and restore partitions (!)

 disk geometry. get geometry:
 fdisk -l /dev/sda

up to 4 primary partitions per disk
1 of them may be subdivided into logical partitions

reasons to divide disks:
 separation
 sharing - through /home
 security - imposed quotas, permissions and settings
 size

also:
 performance - data can be accessed faster if it is either closer to the center or on a quicker disk
 swap - Linux prefers specific swap partitions. Hibernation also uses it

512 bytes - MBR, including:
 first 446 bytes - program, usually GRUB
 4 * 16-byte partition table entries
 2 bytes left (?)

Each of those 16-byte entries contains:
 active bit
 beginning address in cylinder/head/sector (CHS) format (ignored by Linux)
 partition type code indicating: xfs, LVM, ext4, ...
 ending address in CHS (also ignored by Linux)
 start sector, counting linearly from 0 } in Linux those 2 are coded using Logical Block Addressing (LBA)
 number of sectors in partition }

Linux normally accesses device nodes in the /dev directory through the infrastructure of the kernel's Virtual File System
SCSI and SATA disk naming:
 sda, sdb - 1st disk, 2nd disk
 sda1, sdc4 - 1st partition of 1st disk, 4th partition of 3rd disk
back in the days of IDE disks it could also be:
 /dev/hda3, /dev/hdb

blkid - utility to locate block devices and report on their attributes. it works with the libblkid library.
Identifying disks with /dev/* is not reliable. It can change after changing the port. use UUIDs instead. blkid shows UUIDs.
> sudo blkid /dev/sda*
;
lsblk - related utility which presents results in a tree format

Linux requires min. 2 partitions:
 /
 swap - there can be >1. on a single disk system try to center the swap. on a multiple disk system try to spread it over the disks.

backing up the system!!!
sudo dd if=/dev/sda of=mbrbackup bs=512 count=1 # backing up the MBR of the first disk, including the 64-byte partition table which is part of it
restoring!!!
sudo dd if=mbrbackup of=/dev/sda bs=512 count=1 # if= is the backup file, of= is the disk

note that it only copies the primary partition table, not the partition tables stored in the other partitions (for the extended partition, etc.).

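The 16-byte entry layout above can be checked directly against an MBR backup made with the dd command from the notes. The script below is an added example, not part of the notes: it builds a constructed 512-byte image (no boot loader, two made-up entries, valid 0x55AA signature) and decodes the entries with nothing but dd and od; make_sample_mbr, mbr_entry, le32 and mbr_signature_ok are names chosen here. The same decoder works on a real mbrbackup file.

```shell
#!/bin/sh
# Added example (not from the notes): decode the 4 x 16-byte partition entries
# of an MBR using only dd and od. Works on the 512-byte backup made with
# "dd if=/dev/sda of=mbrbackup bs=512 count=1" as well as on the constructed
# image built below.

# make_sample_mbr FILE -> writes a constructed 512-byte MBR image
make_sample_mbr() {
  dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null       # first 446 bytes stay zero
  # entry 1 (offset 446): active, dummy CHS, type 0x83 (Linux), LBA start 2048, 1048576 sectors
  printf '\200\001\001\000\203\376\377\377\000\010\000\000\000\000\020\000' |
    dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
  # entry 2 (offset 462): inactive, type 0x82 (Linux swap), LBA start 1050624, 4194304 sectors
  printf '\000\001\001\000\202\376\377\377\000\010\020\000\000\000\100\000' |
    dd of="$1" bs=1 seek=462 conv=notrunc 2>/dev/null
  # boot signature 0x55 0xAA in the last two bytes (offset 510)
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# le32 B0 B1 B2 B3 -> value of four little-endian bytes given as decimals
le32() { echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 )); }

# mbr_entry FILE N  (N = 1..4) -> "active type_hex lba_start sector_count"
mbr_entry() {
  me_img=$1
  me_off=$((446 + ($2 - 1) * 16))
  # od prints the 16 entry bytes as decimals; load them into $1..$16
  set -- $(od -An -v -tu1 -j "$me_off" -N 16 "$me_img")
  [ $# -eq 16 ] || return 1
  if [ "$1" -eq 128 ]; then me_active=1; else me_active=0; fi   # byte 0: 0x80 = bootable
  printf '%d %02x %d %d\n' "$me_active" "$5" \
    "$(le32 "$9" "${10}" "${11}" "${12}")" \
    "$(le32 "${13}" "${14}" "${15}" "${16}")"
  # bytes 1-3 and 5-7 are the CHS addresses Linux ignores; 4 is the type code
}

# mbr_signature_ok FILE -> succeeds when bytes 510-511 are 0x55 0xAA
mbr_signature_ok() {
  set -- $(od -An -v -tu1 -j 510 -N 2 "$1")
  [ "$1" = 85 ] && [ "$2" = 170 ]
}
```

Running `mbr_entry mbrbackup 1` through `4` on a real backup is a quick sanity check before restoring it: the signature must be present and the LBA start/count pairs should match what `fdisk -l` printed when the backup was taken.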

utilities to manage partition tables:
 fdisk - menu driven partition table editor.
 sfdisk - non-interactive, useful for scripting. use it CAREFULLY
 parted - GNU partition manipulation program. It can create,remove, resize and move partitions (including certain FSes)
 gparted - GUI parted. Popular on live editions of systems. It's better (?) to use only CLI tools. E.g. RHEL no longer supports gparted.

fdisk is ALWAYS included in a Linux distro, so it's good to know it.
> sudo fdisk /dev/sdb
 m - display the menu
 p - list the partition table
 n - new partition
 d - delete a partition
 t - change partition type
 w - write the new partition table information and exit. Before using it, no changes are made!!! So before you use `w`, use `p`
 q - quit without making changes. It's safe to quit before using `w`.

When it asks for the last sector, you can input:
> +5G
to create a 5 GB partition

The system will not use the new partition table until you reboot. But
> sudo partprobe -s
tries to read the new partition table. not always reliable
> cat /proc/partitions (!!!)
to examine the partitions the system is currently aware of

Then:
> sudo mkfs.ext4 /dev/sda3
Proceed?
> y



506
507/// chapter 18 - Filesystems features - attributes, creating, checking, mounting ///
508By the end I should be able to:
509 Explain concepts as inodes (<3), directory files, extended attributes
510 create and format filesystems
511 check and fix errors on FSes
512 mount and unmount FSes
513
514
515Inode - data structure describing and storing file attributes, including location. Every file is associated with its own inode.
516Info contained:
517 permissions
518 user and group ownership
519 size
520 timestamps (nanosecond)
521 last access time
522 last modification time
523 change time
524 NOT filenames - they are stored in directory file
525All I/O activity concerning a file usually also involves the file's inode as information be updated
526
527
528Directory file: specific type of file. Associated file names and inodes. 2 ways of doing this:
529 Hard links point to an inode
530 Soft (symbolic) -links point to a file name which has an associated inode
531
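The hard link / soft link distinction above, made visible through inode numbers and link counts. This is an added example, not part of the notes; make_links, inode_of, same_inode, link_count and readable are names chosen here, and DIR is any scratch directory.

```shell
#!/bin/sh
# Added example (not from the notes): hard links vs. symbolic links, seen
# through inode numbers. A hard link is a second directory entry for the same
# inode; a symlink is its own inode whose content is a path.

# make_links DIR -> orig (a file), hard (hard link to it), soft (symlink to it)
make_links() {
  echo payload > "$1/orig"
  ln    "$1/orig" "$1/hard"   # second name for the same inode; link count becomes 2
  ln -s orig      "$1/soft"   # new inode that stores the path "orig"
}

# inode_of NAME -> inode number of the directory entry itself
# (-d: list the entry, not a directory's contents; ls does not follow symlinks)
inode_of() { ls -di "$1" | awk '{ print $1 }'; }

# same_inode A B -> yes / no
same_inode() {
  if [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; then echo yes; else echo no; fi
}

# link_count NAME -> hard link count stored in the inode (2nd column of ls -l)
link_count() { ls -ld "$1" | awk '{ print $2 }'; }

# readable NAME -> "readable" if the content can be read, "dangling" otherwise
readable() {
  if cat "$1" > /dev/null 2>&1; then echo readable; else echo dangling; fi
}
```

After `rm orig` the hard link still reads the data (the inode lives on while its link count is above 0) while the symlink dangles, which is also why a symlink can be pointed at a file its owner cannot read: the permissions checked are those of the target inode, not of the link.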
chattr [+|-|=mode] filename
lsattr filename

these are equivalent:
> sudo mkfs -t ext4 /dev/sda10
> sudo mkfs.ext4 /dev/sda10

there's also
> fsck - file system check (?) // TODO


mount - attach an FS at any point in the tree structure
umount - detach it

the mount point must exist before the FS is attached. It must exist before mount can use it (TODO). mkdir will help here. If files existed there before, they will disappear and appear again after unmounting (TODO).
Each FS is mounted under a specific directory
> sudo mount -t ext4 /dev/sdb4 /home
 o mounts an ext4 FS
 o the FS is located on a specific partition of a hard drive (/dev/sdb4)
 o the FS is mounted at the position /home in the current directory tree
 o files already existing in /home will disappear for now

More examples:
> sudo mount /dev/sda2 /home
> sudo mount LABEL=home /home // (?)
> sudo mount -L home /home
> sudo mount UUID=1234134-23542345-235235... /home
> sudo mount -U 1234134-23542345-235235... /home

labels are assigned by specific utilities, e.g. e2label.

remount a filesystem read-only:
sudo mount -o remount,ro /myfs

unmounting:
> sudo umount /dev/sda2
the device must not be in use to unmount it
> fuser (...) # use it to find the users currently using the filesystem
> lsof (...) # list open files to see which files are being used and blocking unmounting

mounting network drives:
sudo mount -t nfs myserver.com:/sharedir /mnt/sharedir
you can put in /etc/fstab:
myserver.com:/sharedir /mnt/sharedir nfs rsize=8192,wsize=8192,timeo=14,intr 0 0

the system may try to mount it before the network is up. These options might help:
_netdev, noauto
for more info:
> man nfs
> man mount
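A check for the boot-ordering problem just described: which network filesystems in an fstab carry neither `_netdev` nor `noauto`. This is an added example, not part of the notes; it reads the file named by its argument so it can run on the constructed sample (the hosts, label and UUID in SAMPLE_FSTAB are made up), and netfs_missing_netdev / write_sample_fstab are names chosen here.

```shell
#!/bin/sh
# Added example (not from the notes): find network filesystems in an fstab
# that carry neither _netdev nor noauto, the entries most likely to make boot
# wait on an unreachable server. On a real system pass /etc/fstab.

# constructed /etc/fstab for this example (hosts and UUIDs are made up)
SAMPLE_FSTAB='# <device>               <mount>        <type> <options>                            <dump> <pass>
UUID=1111-2222           /              ext4   defaults                             0 1
myserver.com:/sharedir   /mnt/sharedir  nfs    rsize=8192,wsize=8192,timeo=14,intr  0 0
backup.example:/dump     /mnt/dump      nfs4   _netdev,rsize=8192                   0 0
//files.example/share    /mnt/share     cifs   credentials=/root/.smbcredentials    0 0
LABEL=Sam128             /SAM           ext4   noauto,x-systemd.automount           0 0'

# netfs_missing_netdev FILE -> one "mountpoint type" line per network
# filesystem whose option list has neither _netdev nor noauto
netfs_missing_netdev() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
    $3 ~ /^(nfs|nfs4|cifs)$/ {                     # fstab field 3 is the fs type
      n = split($4, opt, ",")                      # field 4 is the option list
      ok = 0
      for (i = 1; i <= n; i++)
        if (opt[i] == "_netdev" || opt[i] == "noauto") ok = 1
      if (!ok) print $2, $3
    }' "$1"
}

# write_sample_fstab FILE -> materialize the sample so the check can read it
write_sample_fstab() { printf '%s\n' "$SAMPLE_FSTAB" > "$1"; }
```

On the sample, the nfs share from the notes and the cifs share are reported; the nfs4 entry with `_netdev` and the `noauto` pendrive entry are not.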

During system boot the command "mount -a" is executed. It mounts all filesystems listed in the /etc/fstab configuration file. (TODO)

mount and umount can use info from /etc/fstab. So this can work if you have the related setting in /etc/fstab:
> mount /usr/src
instead of:
> mount LABEL=src /usr/src

setting up (e.g.) a pendrive to be mounted only when used:

> grep automount /etc/fstab
LABEL=Sam128 /SAM ext4 noauto,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.idle-timeout=30 0 0
> df -h | grep SAM
> ls /SAM
<output of ls>
> sleep 40
> df -h | grep SAM
<empty output>

list of currently mounted FSes: (TODO)
> mount


see if there are swaps:
> cat /proc/swaps

> df -h -T # T - type



> dumpe2fs /dev/sda2 | less
TODO!!!
check "mount count", "maximum mount count"
> fsck /dev/sda2 (TODO)

mkfs - format filesystems
fsck - check and fix filesystems
lsattr - list extended attributes of a file
chattr - change extended attributes of a file
lsof - list open files


/// chapter 19 - Filesystems features - swap, quotas, usage ///
By the end:
 o explain the concept of swap and quotas
 o use utilities: quotacheck, quotaon, quotaoff, edquota, quota
 o use utilities: df, du

the only commands involving swapping are:
> mkswap # format a swap partition / file
> swapon # activate a swap partition / file
> swapoff # deactivate a swap partition / file

> sudo quotacheck -vu /home # (TODO)

> df # (TODO) (-i - inodes)
> du # (TODO)


/// chapter 20 - Filesystems ext2/3/4 ///
By the end:
 → describe the main features of ext4 and how it's laid out on disk
 → explain the concept of block groups, superblock, data blocks, inodes
 → use the dumpe2fs and tune2fs utilities
 → list ext4 FS enhancements

ext2 - rarely used today
ext3 - ext2 + journalling. other than that it has the same on-disk layout as ext2
ext4 - mainly used now and default on most systems (but not on RHEL7, which uses XFS)

ext* was designed to cooperate with the VFS (and the other way around).

inode reservation - feature that creates several inodes when a dir is created, expecting them to be used in the future. Performance++.

Fields on disk are written in little-endian order - except the journal.

ext2/3/4 - layout of one block group:
super block, group descriptors, data block bitmap, inode bitmap, inode table (n blocks), data blocks (n blocks)

super block - redundantly stored
data block bitmap, inode bitmap - one bit per block / inode, 0 or 1 for free / used
inode table - each inode is 128 bytes, so a 4KB block can contain 32 inodes

Ext4 (enhancements over ext3):
 → backwards-compatible with ext2/3
 → max. size of a FS: 1 EB (was: 16TB) } these limits come from the 48-bit block addressing used
 → max. file size: 16TB (was: 2TB) }
 → increases the max. number of subdirectories to unlimited* (was: 32k)
 → better large file performance
 → preallocation. allocated space is guaranteed and contiguous.
 → uses checksums for the journal. reliability++
 → timestamps are in [ms] now
 → snapshot support

/// chapter 21 - Filesystems XFS, btrfs ///
By the end:
 → describe XFS
 → maintain XFS
 → describe btrfs

XFS - most maintenance tasks can be done while the filesystem is fully mounted: defragmenting, enlarging, dumping/restoring.



685
686/// chapter 22 - disk encryption ///
687By the end:
688 → why to use encryption
689 → understand how LUKS operates through the use of "cryptsetup"
690 → be able to set up and use encrypted filesystems and partitions
691 → be able to configure system to mount encrypted partitions at boot
692
693LUKS - Linux Unified Key Setup - block device level encryption. LUKS is installed on top of "cryptsetup", an utility that can user other methods like "plain dm-crypt" volumes, "loop-AES", "TrueCrypt". LUKS is default.
694
695Encrypting is done using "cryptsetup". Encrypting partition:
696> sudo cryptsetup luksFormat /dev/sda7
697if your system doesn't support default encryption method used by "cryptsetup", you can choose different one:
698> cat /proc/crypto (TODO)
699> sudo cryptsetup luksFormat --cipher aes /dev/sda7
700
701make volume available at any time with:
702> sudo cryptsetup --verbose luksOpen /dev/sda7
703format partition:
704> sudo mkfs.ext4 /dev/mapper/SECRET
705mount it:
706> sudo mount /dev/mapper/SECRET /mnt
707use it. then unmount:
708> sudo umount /mnt
709remove the mapper association for now, the partition will always be available for later use:
710> sudo cryptsetup --verbose luksClose SECRET
711
712to mount an encrypted partition at boot:
713 → add an appropriate entry in /etc/fstab. nothing special about it and it doesn't refer to encryption in any way
714 → add an entry to /etc/crypttab, as:
715 SECRET /dev/mapper/MYSECRET
716
717> man crypttab (TODO)
718
719
720> dd if=/dev/zero of=loop-partition bs=1M count=1024
721> losetup -f
722 /dev/loop1
723> sudo losetup /dev/loop2 loop=partition
724> losetup -l
725 <we can see our loop2 added>
726> sudo cryptsetup luksFormat /dev/loop2
727> YES
728 <now it should be encrypted>
729
730> sudo cryptsetup luksOpen /dev/lopp2 crypt-partition
731> ls -l /dev/mapper
732> sudo mkfs.ext4 /dev/mapper/crypt-partition
733> sudo mount /dev/mapper/crypt-partition
734...
735> sudo umount /dev/mapper/crypt-partition
736> sudo cryptsetup luksClose /dev/mapper/crypt-partition
737> sudo losetup -d /dev/loop2
738> losetup -f
739 /dev/loop1
740> rm loop-partition
741
742so the order is:
7431. create a partition for the encrypted block device
7442. format with cryptsetup
7453. create the un-encrypted pass through device
7464. format with a standard FS such as ext4
7475. mount the filesystem on the encrypted block device
748
749
750
/// chapter 23 - logical volume mgmt (LVM) ///
By the end:
 → explain the concept behind LVM
 → create, display, resize logical volumes
 → use LVM snapshots

LVMs are similar to RAIDs, and can actually be built on top of a RAID device. LVMs are more scalable.

> sudo lvdisplay # shows logical volumes (pvdisplay and vgdisplay show physical volumes and volume groups)

resize2fs - app to resize ext2/3/4 filesystems.

LVM snapshots are useful for backups, testing apps and deploying VMs



766
767/// chapter 24 - RAID ///
768By the end:
769 → explain the concept of RAID
770 → summarize RAID lvls
771 → configure a RAID
772 → monitor RAID devices
773 → use hot spares (?)
774
775RAID - Redundant Array of Independent Disks spreads I/O over multiple disks. May be SW (it's mature part of The Kernel) or HW. HW'll propably be faster.
776
777
778Striping - better performance by spreading data so simultaneous writes are possible
779Mirroring - same data on multiple disks, safety++
780
781mdadm - tool to create RAIDs.
782one created, array name: /dev/mdX can be used just like any other device, like /dev/sda1
783
784> sudo mdadm -S # stops RAID
785> sudo mdadm -S /dev/md0 # stops RAID
786
787steps to create a RAID:
7881. create partitions on each disk (type fd in fdisk)
7892. create RAID device with mdadm
7903. format RAID device
7914. add device to /etc/fstab
7925. mount RAID device
7936. capture RAID details to ensure persistence
794
795E.g.:
796> sudo fdisk /dev/sdb
797> sudo fdisk /dev/sdc
798
799> sudo mdadm --create /dev/md0 --level=1 --raid-disks=2 /dev/sdbX /dev/sdcX
800> sudo mkfs.ext4 /dev/md0
801> sudo bash -c "mdadm --detail" --scan >> /etc/mdadm.conf"
802> sudo mkdir /myraid
803> sudo mount /dev/md0 /myraid
804
805Be sure to add a line in /etc/fstab for the mount point:
806/dev/md0 /myraid ext4 defaults 0 2
807
808
809
810monitoring:
811 > sudo mdadm --detail /dev/md0
812 > cat /proc/mdstat
813
814 or use mdmonitor service:
815 > echo << "MAILADDR your@mail.com" >> /etc/mdadm.conf
816 start it by typing:
817 > sudo systemctl start mdmonitor } on Ubuntu it's rather called mdadm
818 > sudo systemctl enable mdmonitor }
819
820
821
822/// chapter 25 ///
823by the end:
824 → grasp the main responsibilities that Kernel must fulfill and how it achieves them
825 → explain what params can be set on the kernel command line and how to make them effective for one or more systems - persistently
826 → know where to find detailed documentation on there parameters
827 → know how to use sysctl to set kernel parameters either after the system starts, or persistently across system reboots
828
829responsibilities of kernel:
830 → system initalization and boot up
831 → process scheduling
832 → memory mgmt
833 → controlling access to HW
834 → I/O between apps and storage devices
835 → implementation of local and network FSes
836 → security control, both locally (such as FS permissions) and over the network
837 → networking control
838
839
840params are passed to system at boot on the kernel cmd line. they can be modified at boot.
841to see what options were used to start this system:
842> cat /proc/cmdline
843
844documentation of available kernel parameters:
845kernel source: Documentation/kernel-parameters.txt
846or by typing:
847> man bootparam
848
849params are given in form:
850param=value, like:
851vmlinuz root=/dev/sda6 ... noapic ... crashkernel=256M
852
853!!!
854sysctl - app to read and tune kernel parameters at runtime
855
856show current values:
857> sysctl -a
858browsing /proc/sys will render the same information
859
860showing values:
861> sysctl kernel.pid_max
862
863changing values:
864sudo sysctl net.ipv4.ip_forward=1
865
866> man 8 sysctl
867
868
869(???)
870> sudo sysctl -p
871if settings are placed in /etc/sysctl.conf (!!!), this will read file at boot
872> man sysctl.conf # for details
873on newer systems setting file is in:
874/usr/lib/sysctl.d/00-system
875but the original file is still supported
876
877exercise:
878lower pid_max to 29000
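added example (not from the course or these notes): shell helpers for the sysctl material above. they map a dotted key to its /proc/sys file and parse a sysctl.conf-style file the way `sysctl -p` reads it, so a settings file (like the one for the pid_max exercise) can be checked before it is applied. the sample file content is constructed for the example; nothing here writes to the running kernel.

```shell
# Added example, not from the course notes: helpers for the sysctl(8) material.
# The sample file below is constructed for this example.

# sysctl_path KEY -> /proc/sys path for a dotted key
# e.g. kernel.pid_max -> /proc/sys/kernel/pid_max
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# sysctl_get KEY -> current value, read from /proc/sys (read-only);
# prints nothing when the key does not exist on this kernel
sysctl_get() {
    cat "$(sysctl_path "$1")" 2>/dev/null
}

# parse_sysctl_conf FILE -> one "key=value" line per setting.
# Lines starting with '#' or ';' and blank lines are ignored and whitespace
# around the first '=' is stripped: the format sysctl(8) accepts in
# /etc/sysctl.conf and /etc/sysctl.d/*.conf.
parse_sysctl_conf() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*$/    { next }
        {
            eq = index($0, "=")
            if (eq == 0) next                 # not a key=value line
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print key "=" val
        }' "$1"
}

# sysctl_conf_get FILE KEY -> value KEY would get from FILE; as with
# `sysctl -p`, the last occurrence wins
sysctl_conf_get() {
    parse_sysctl_conf "$1" | awk -v k="$2" '
        { eq = index($0, "="); if (substr($0, 1, eq - 1) == k) v = substr($0, eq + 1) }
        END { if (v != "") print v }'
}

# constructed sample file: the chapter exercise plus the ip_forward setting
# used later in the firewall chapter (the duplicate shows "last one wins")
SAMPLE_SYSCTL_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SYSCTL_CONF"' EXIT
cat > "$SAMPLE_SYSCTL_CONF" <<'EOF'
# exercise: lower the highest PID the kernel hands out
kernel.pid_max = 29000
; a semicolon also starts a comment
net.ipv4.ip_forward = 0
net.ipv4.ip_forward=1
EOF

# demo: what `sysctl -p SAMPLE` would apply, and the value pid_max has right now
parse_sysctl_conf "$SAMPLE_SYSCTL_CONF"
echo "current pid_max: $(sysctl_get kernel.pid_max)"
```

sysctl_get only reads; to actually apply the file you still run `sudo sysctl -p FILE`. the parser deliberately accepts exactly what sysctl(8) accepts (leading `#`/`;` comments, spaces around `=`), so anything it rejects would be ignored by `sysctl -p` too.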



/// chapter 26 - kernel modules ///
by the end:
 → list advantages of utilizing kernel modules
 → use insmod, rmmod, modprobe to load and unload kernel modules
 → use modinfo to find out info about kernel modules

some parts can be added (or removed) as modules when necessary. everything but the most central kernel components is integrated in such a fashion.
they may or may not be device drivers.
even though usage of kernel modules is vastly widespread, Linux is a monolithic architecture rather than a microkernel one. this is because once a module is loaded, it becomes a fully functional part of the kernel, with few restrictions. it communicates with all kernel subsystems via shared resources, such as memory and locks, rather than through message passing as a microkernel might.
Solaris also uses modules.

apps for modules:
 → lsmod - list loaded modules (!!!)
 → insmod - directly load a module
 → rmmod - directly remove a module
 → modprobe - (un)load modules, using a pre-built module DB with dependency info
 → depmod - rebuild the module dependency DB; needed by `modprobe` and `modinfo`
 → modinfo - display info about a module

location of modules: (!!!)
 /lib/modules/module_name.ko

kernel modules always have the extension: *.ko

kernel modules are kernel version specific and must match the running kernel or they cannot be loaded (!!!). they must be compiled either when the kernel itself is compiled, or later, on a system which retains enough of the kernel source and compilation configuration

fun fact:
/lib/modules/$(uname -r) # where uname -r is the current kernel version, such as 4.14.2

it's impossible to unload a module being used by one or more other modules

many modules can be loaded while specifying parameter values, such as:
 /sbin/insmod <path_to>/e1000e.ko debug=2 copybreak=256
or, with modprobe, for a module already in the module DB:
 /sbin/modprobe e1000e debug=2 copybreak=256

files in /etc/modprobe.d control params important when loading with `modprobe`, like:
 → module name aliases
 → automatically supplied options
 → blacklist of some modules
format of the files is simple: one command per line, # for comments, \ at the end of a line continues it on the next line
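added example (not from the course or these notes): a parser for the /etc/modprobe.d format just described (one command per line, `#` comments, trailing `\` continuation) plus small lookups over it, so a module's supplied options, aliases and blacklist status can be audited without loading anything. the file content is constructed for the example; on a real system point it at a file under /etc/modprobe.d.

```shell
# Added example, not from the course notes: modprobe.d parser and lookups.
# The sample file below is constructed for this example.

# parse_modprobe_conf FILE -> normalized "command module args..." lines,
# continuation lines joined, comments and blank lines dropped
parse_modprobe_conf() {
    awk '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            n = split(line, f, " ")          # " " = default splitting, trims ends
            if (n == 0 || f[1] ~ /^#/) next  # blank line or comment
            out = f[1]
            for (i = 2; i <= n; i++) out = out " " f[i]
            print out
        }' "$1"
}

# modprobe_options FILE MODULE -> options modprobe would add for MODULE
modprobe_options() {
    parse_modprobe_conf "$1" | awk -v m="$2" '
        $1 == "options" && $2 == m { for (i = 3; i <= NF; i++) printf "%s%s", (n++ ? " " : ""), $i }
        END { if (n) print "" }'
}

# modprobe_alias FILE NAME -> module that NAME is an alias for
modprobe_alias() {
    parse_modprobe_conf "$1" | awk -v a="$2" '$1 == "alias" && $2 == a { print $3 }'
}

# modprobe_blacklisted FILE MODULE -> exit 0 if MODULE is blacklisted, 1 otherwise
modprobe_blacklisted() {
    parse_modprobe_conf "$1" | awk -v m="$2" '
        $1 == "blacklist" && $2 == m { found = 1 }
        END { exit !found }'
}

SAMPLE_MODPROBE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_MODPROBE_CONF"' EXIT
cat > "$SAMPLE_MODPROBE_CONF" <<'EOF'
# constructed modprobe.d file for the example
alias eth1 e1000e
options e1000e debug=2 \
        copybreak=256
blacklist pcspkr
EOF

parse_modprobe_conf "$SAMPLE_MODPROBE_CONF"
echo "e1000e options: $(modprobe_options "$SAMPLE_MODPROBE_CONF" e1000e)"
```

a blacklist entry only stops the alias-based autoload; an explicit `modprobe pcspkr` still works, which is why checking the options and blacklist together is useful when reviewing what a box will load at boot.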


dmesg !!!!!!!!!!



/// chapter 27 - devices and udev ///
udev - intelligent mechanism to DYNAMICALLY discover HW and peripheral devices during boot or later. device nodes are created automatically and then used by apps and OS subsystems to communicate with and transfer data to and from devices.
admins can control how udev operates and craft special udev rules to assure the desired behaviour results.

by the end:
 → explain the role of device nodes, major and minor numbers.
 → understand the need for the udev method and list its key components
 → describe how the udev device manager functions
 → identify udev rule files and learn how to create custom rules

character and block devices have FS entries associated with them; network devices don't.
device nodes can be used by programs to communicate with devices, using normal I/O system calls, such as open(), close(), read(), write() (!!!!!!!).
network devices work by transmitting and receiving packets, which must be constructed by breaking up streams of data, or reassembled into streams when received.

a device driver may manage multiple device nodes, which are normally placed in the /dev directory:
> ls -l /dev

udev runs as a daemon (named udevd or systemd-udevd (?)) and monitors a netlink socket. when a new device is initialized or removed, the uevent kernel facility sends a message through the socket, which udev receives and takes appropriate action to create/remove the device node of the right name according to the rules.

3 components of udev:
 → libudev - library which allows access to information about the devices
 → udevd / systemd-udevd - daemon that manages the /dev directory
 → udevadm - utility for control and diagnostics

path of rules: (!!!)
 /etc/udev/rules.d/*.rules
 /usr/lib/udev/rules.d/*.rules



/// chapter 28 - virtualization overview ///
by the end:
 → understand the concept of virtualization, hosts and guests
 → discuss the difference: emulation vs virtualization
 → types of hypervisors
 → know how linux distros use and depend on libvirt
 → use the `qemu` hypervisor
 → install, use and manage KVM (!!!)

the outside world sees the VM as if it were an actual physical machine, present somewhere on the network. apps running in VMs are generally unaware of their non-physical environment.

other kinds of virtualization:
 → network - details of the actual physical network, like types of HW, routers, are abstracted and need not be known by software running on it and configuring it
 → storage - multiple network storage devices are configured to look like one big storage unit
 → application - the app is isolated in a container

still there are important differences between physical and virtual machines.

virtualization has a long history and started on mainframes.
on PCs initially it was done using emulation

host - underlying physical OS managing 1 or more VMs
guest - VM which is an instance of a complete OS, running 1 or more apps. also: client.

an emulator runs completely in software. HW constructs are replaced by software. it is useful for running virtual machines on different architectures, such as running a pretend ARM guest machine on an x86 host. emulation is often used for developing an OS for a new CPU, even before HW is available (!). performance is relatively slow.

2 types of virtualization:
 → HW v. (full v.) - the guest does not need modifications.
 → para-v. - the guest system is aware it is running in a virtualized environment and has been modified specifically to work with it.

recent CPUs from Intel and AMD incorporate virtualization extensions to the x86 architecture that allow full v. with only a minor performance penalty.
 → Intel - Intel V. Technology
 → AMD - AMD-V (code-name: Pacifica)

checking if your CPU supports HW v.:
> cat /proc/cpuinfo
if your CPU is IVT-capable, you'll see `vmx` in the flags field. if AMD-V: `svm`. you may also need to ensure v. capability is turned on in your CMOS (BIOS) setup.


the hypervisor can be:
 → external to the host OS - VMWare
 → internal to the host OS - KVM - we'll use this one here, it's Open Source and requires no external hypervisor program

KVM added hypervisor capabilities into the Linux kernel.
libvirt - project designed to be a toolkit to interact with virtualization technologies. provides mgmt for virtual machines, virtual networks, storage. some of the apps using it:
 → virt-manager
 → virt-viewer
 → virt-install
 → virsh

> ls -lF /usr/bin/virt* # (!!!)


QEMU - Quick Emulator. it emulates CPUs by dynamically translating binary instructions between the host architecture and the emulated one.

can be used to emulate apps, not just an entire OS. can save, pause, restore a VM at any time. license: GPL.

in fact, QEMU has often been used to develop CPUs which have not been physically produced or released.

we recommend using virt-manager (!) to configure and run virtual machines.

list of supported formats:
> qemu-img --help | grep formats



/// chapter 29 - containers ///
by the end:
 → know and use docker

container - emulates only an app (usually) or a set of apps. unlike virtual machines, many containers can be run on 1 system. a common method of deploying containers is using docker.

worth mentioning are orchestration systems, such as kubernetes or mesos, which can decide on the proper quantity of containers needed, do load balancing, replicate images and remove them, etc. as needed.

docker is app-level virtualization; it uses many images to build up the necessary services to support the target app. these images are packaged into containers. they can contain:
 → app code
 → runtime libs
 → system tools
 → and more...

most docker commands have their own help (man page). examples are:
 → docker
 → docker-search
 → docker-pull
 → docker-create
 → docker-run

`docker ps` lists running containers, or all containers (with the --all param).

the docker command has >40 sub-commands, some with >50 options.

often confused are the commands run, create, exec.
 docker run will start a new container and execute a command within.
 docker create creates a container. it has many options for configuring settings and attachments.
 if the container is already running, "docker exec" will execute something inside of it. accepts -t and -d params
 docker images - shows images in various outputs
 docker rmi - remove images and delete untagged parents by default

 you can also use the shell to operate upon all containers. example (docker rm refuses running containers unless -f is given):
 > docker rm $(docker ps -a -q)



/// chapter 30 - user account mgmt ///
 → explain the purpose of user accounts and their main attributes
 → create new accounts, modify properties, remove or lock accounts
 → manage users' passwords
 → explain restricted shell and restricted account
 → understand the root account

purpose of individual user accounts:
 → individualized personal space
 → create accounts for specific purposes
 → distinguish privileges

daemon account - it exists to allow processes to run as a user other than root

each user has a corresponding line in /etc/passwd that describes account attributes, in the format:
 beav:x:1000:1000:John Smith:/home/beav:/bin/bash
 username:user_password:UID:GID:some_contact_info(?):home_dir_path:login_shell

 password - it's 'x' when /etc/shadow is used
 login_shell - generally any executable. look also at: /sbin/nologin.

nologin refuses to let a user log in, shows a default message and returns 0. if /etc/nologin.txt exists, the message is overwritten by its content.

creating a user using some predefined algorithm (described in the course):
> sudo useradd stephanie
default options can be overruled:
> sudo useradd -s /bin/csh -m -k /etc/skel -c "John Smith" jsmith

> userdel stephanie
the account will be deleted, all references will be erased from:
 → /etc/passwd
 → /etc/shadow
 → /etc/group

/home/stephanie will not be deleted so the account may be reestablished. delete also the home dir of a user with "userdel -r". however all other files on the system owned by the removed user will remain

usermod - change params of a user account

> sudo usermod -L stephanie
locks the stephanie account. it stays in the system, but logging in is impossible. it's good practice to lock a user account whenever they leave the organization or will be absent for a longer period of time.
> sudo chage -E 2011-01-01 stephanie
where the date is a date in the past. the effect is the same as the usermod usage above

don't edit /etc/passwd, /etc/group or /etc/shadow by hand

/etc/shadow format:
 daemon:*:16141:0:99999:7:::
 ...
 beav:$sdyubgy7asdfb77bgf7yb7fg/ngfdyuagnfysgdfugsunayuga:16316:0:99999:7:::
so the colon-separated fields are:
 username:password:lastchange:mindays:maxdays:warn:grace:expire:reserved

 username must match the one from /etc/passwd; the order must match too.
 password hash is the string "$6$" followed by an eight-char salt value, then '$' and 88 chars of hash (sha512).

/etc/passwd permissions are 644 (-rw-r--r--)
/etc/shadow permissions are 400 (-r--------) (only root can access it)

you should use /etc/shadow unless you have a good reason not to do so
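added example (not from the course or these notes): checks an admin can run over /etc/passwd and /etc/shadow in the formats shown above. they classify the shadow password field and find UID-0 accounts other than root, accounts with an empty hash (no password needed to log in), locked accounts, and accounts whose shell still permits a login. the two sample files are constructed for the example and the hash strings are placeholders, not real hashes; on a real system pass /etc/passwd and /etc/shadow (reading shadow needs root).

```shell
# Added example, not from the course notes: passwd/shadow audit helpers.
# Sample files are constructed; hash values are placeholders, not real hashes.

# hash_algo PASSWORD_FIELD -> what kind of password field this is in /etc/shadow
hash_algo() {
    case "$1" in
        '$6$'*)      echo sha512 ;;
        '$5$'*)      echo sha256 ;;
        '$y$'*)      echo yescrypt ;;
        '$1$'*)      echo md5 ;;
        '!'*|'*'*)   echo locked ;;   # usermod -L prepends '!', '*' = never set
        '')          echo empty ;;    # login possible without any password
        *)           echo other ;;
    esac
}

# find_uid0 PASSWD -> names of accounts with UID 0 that are not root
find_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# find_passwordless SHADOW -> accounts whose shadow password field is empty
find_passwordless() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# find_locked SHADOW -> accounts with a locked or never-set password
find_locked() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# interactive_accounts PASSWD -> accounts whose login shell is not nologin/false
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|\/false)$/ { print $1 }' "$1"
}

SAMPLE_PASSWD=$(mktemp); SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
beav:x:1000:1000:John Smith:/home/beav:/bin/bash
svc:x:1001:1001:service account:/var/lib/svc:/bin/false
toor:x:0:0:second uid 0 (constructed):/root:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASHNOTREAL:16316:0:99999:7:::
daemon:*:16141:0:99999:7:::
beav:$6$saltsalt$PLACEHOLDERHASHNOTREAL:16316:0:99999:7:::
svc::16316:0:99999:7:::
toor:!$6$saltsalt$PLACEHOLDERHASHNOTREAL:16316:0:99999:7:::
EOF

# audit_report PASSWD SHADOW -> one line per finding
audit_report() {
    echo "extra UID 0 accounts: $(find_uid0 "$1" | tr '\n' ' ')"
    echo "passwordless accounts: $(find_passwordless "$2" | tr '\n' ' ')"
    echo "locked accounts: $(find_locked "$2" | tr '\n' ' ')"
    echo "interactive accounts: $(interactive_accounts "$1" | tr '\n' ' ')"
}
audit_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

the interesting lines for a reviewer are the first two: a second UID 0 account is as powerful as root, and an empty shadow field means the login prompt accepts an empty password (unless PAM forbids it). a leading `!` is exactly what `usermod -L` above writes, which is why the locked account still keeps its old hash behind it.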

a normal user can change only his own password:
> passwd
root can change anyone's password:
> sudo passwd kevin
passwords are examined by pam_cracklib.so
when root changes a user's password, root is not prompted for the current password

it is important to change passwords periodically.
> chage -l <username> # list password aging data

> bash -r # restricted mode, disallowing the user to do some things

root login via the network is generally prohibited.


ssh'ing:
> whoami
student
> ssh farflung.com
student@farflung.com's password: (type here) # we assume there is a 'student' account on farflung.com
> ssh root@farflung.com

copying files:
> scp file.txt farflung.com:/tmp
> scp file.txt student@farflung.com:/home/student
> scp -r some_dir farflung.com:/tmp/some_dir

to run a command on multiple machines:
> for machines in node1 node2 node3
 do (ssh $machines some_command &)
 done

permitting log in without a password:
> ls -l ~/.ssh
id_rsa - user's private key; NEVER show it to anyone
id_rsa.pub - user's public key
authorized_keys - list of public keys that are permitted to log in; info about USERS AND NODES
known_hosts - a list of hosts from which logins have been allowed in the past; ONLY info about computer NODES
config - a configuration file for specifying various options


(!!!)
to log in to a remote machine with a full GUI, use a VNC (Virtual Network Computing) client. a common implementation is "tigervnc".
> sudo apt-get install tigervnc tigervnc-server
# start the server as a normal user
> vncserver
> vncviewer localhost:2 # test it. you might use a different number: 1, 3, 4 depending on how your machine is configured.
view from a remote machine:
> vncviewer -via student@some_machine localhost:2

if some "color profile" bug occurs, kill the "colord" daemon
> sudo systemctl stop colord



working with accounts:
> less /etc/default/useradd # we can see env vars, for example SHELL=/bin/sh
> sudo useradd -m -c "some name" -s /bin/bash someName666 # -m to make sure it creates a home dir
> sudo passwd someName666 # and type some password
> cat /etc/passwd /etc/group | grep someName666
/etc/passwd:someName666:...................
/etc/group:someName666:x:1001:
log in to that account (???)
> ssh someName666@localhost # and give the password
> (do sth)
> exit
> ls -la /etc/skel
cleaning up. "-r" is needed to also remove the home dir:
> userdel -r someName666
# you'll get an error about the mail spool


what is "vipw"?



/// chapter 31 - group mgmt ///
a collection of users is a group. group members share some common purpose, also files and dirs, and maintain some privileges. this separates them from the others on the system, collectively called the world. using groups aids collaborative projects enormously.
 → purpose of groups
 → use groupadd, groupdel, groupmod, usermod
 → describe user private groups
 → explain the concept of group membership

groups are defined in /etc/group, which has the same role as /etc/passwd for users. entry structure:
groupname:password:GID:user1,user2,...

group passwords may be set, but only if the /etc/gshadow file exists.

GID - group identifier. values 0-99 are for system groups. values between 100 and GID_MIN (defined in /etc/login.defs and usually the same as UID_MIN) are special. values > GID_MIN are for UPGs (User Private Groups).

user1,user2 - comma-separated list of users who are members of the group. a user doesn't have to be listed here if the group is the user's principal group.

adding: groupadd
 > sudo groupadd -r -g 215 staff
modifying a group's properties: groupmod
 > sudo groupmod -g 101 blah
deleting: groupdel
 > sudo groupdel newgroup

modify a user's group properties: usermod
 > sudo usermod -G student,group1,group2 student
 note that with -G alone you need to provide the full list of groups. with -a added (-aG) you can add new groups without providing the full list.

UPG - User Private Groups. each user can have its own group. however, UPGs are not guaranteed to be private.

by default, users whose accounts are created with "useradd" have primary GID == UID and the group name is also identical to the username.

each Linux user has 1 primary group. this is listed in /etc/passwd and also in /etc/group.

identify group membership:
> groups [user1 user2]
> id -Gn [user1 user2]
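added example (not from the course or these notes): how `groups` / `id -Gn` arrive at their answer from the two files described above. the primary group is the GID field of the user's /etc/passwd line, the supplementary groups are every /etc/group entry whose member list names the user; is_upg then checks whether a user's primary group really is private (same name as the user, nobody else listed). both files are constructed for the example; on a real system pass /etc/passwd and /etc/group.

```shell
# Added example, not from the course notes: group membership from passwd+group.
# Both sample files are constructed for this example.

# groups_of USER PASSWD GROUP -> primary group first, then supplementary groups
groups_of() {
    user=$1; passwd=$2; group=$3
    gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$passwd")
    [ -n "$gid" ] || return 1                       # no such user
    primary=$(awk -F: -v g="$gid" '$3 == g { print $1 }' "$group")
    # supplementary: every group whose comma-separated member list names the user
    supp=$(awk -F: -v u="$user" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$group")
    printf '%s' "$primary"
    for g in $supp; do [ "$g" != "$primary" ] && printf ' %s' "$g"; done
    echo
}

# is_upg USER PASSWD GROUP -> exit 0 if USER's primary group is a user private
# group: named after the user and with no other member listed in /etc/group
is_upg() {
    user=$1
    primary=$(groups_of "$user" "$2" "$3" | cut -d ' ' -f1)
    [ "$primary" = "$user" ] || return 1
    members=$(awk -F: -v g="$user" '$1 == g { print $4 }' "$3")
    [ -z "$members" ] || [ "$members" = "$user" ]
}

SAMPLE_PASSWD=$(mktemp); SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
coop:x:1000:1000:Coop:/home/coop:/bin/bash
beav:x:1001:1001:John Smith:/home/beav:/bin/bash
isabelle:x:1002:215:Isabelle:/home/isabelle:/bin/bash
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
coop:x:1000:
beav:x:1001:alice
aproject:x:215:coop,beav
staff:x:216:coop
EOF

for u in coop beav isabelle; do
    echo "$u: $(groups_of "$u" "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
    is_upg "$u" "$SAMPLE_PASSWD" "$SAMPLE_GROUP" && echo "  ($u's primary group is a private UPG)"
done
```

beav shows the "not guaranteed to be private" point from the text: the group is named beav and has his UID as GID, but someone added alice to it in /etc/group, so anything group-readable in his home is readable by alice. isabelle shows the other direction: her primary group is aproject, so she is an aproject member without appearing in its member list.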



/// chapter 32 - file permissions and ownership ///

by the end:
 → explain the concepts: owner, group, world
 → set file access rights for each category
 → authenticate requests for file access, respecting proper permissions
 → use chmod (change file permissions), chown (change user ownership), chgrp (change group ownership)
 → understand umask, used to establish desired permissions on newly created files
 → use ACLs to extend the simpler user, group, world and read, write, execute model

show file permissions
> ls -l
-rw-rw-r-- 1 coop aproject 1601 Mar 9 15:04 a_file

which means:
-  rw-   rw-   r--
   owner group other/world

user coop is in group aproject

each of the triplets can contain any subset of: Read, Write, Execute

other specialized permissions exist for each category, such as setuid/setgid.

any (EVERY) access to a file requires comparison of the credentials and identity of the requesting user to those of the owner of the file. access is granted depending on one of these three sets of permissions, in the following order:
 1. if the requester is the file owner, file owner permissions are used.
 2. else, if the requester is in the group that owns the file, group permissions are examined.
 3. else, world permissions are examined

you can change permissions only on your own files with chmod, unless you're the superuser. examples:
> chmod uo+x,g-w some_file
# add u and o permission to execute, remove group permission to write
 u - user (owner)
 o - other (world)
 g - group

changing group ownership:
> chgrp aproject some_file

changing ownership:
> chown coop some_file

default permissions:
for a file: 0666
for a dir: 0777

umask:
0666 & ~002 = 0664

checking umask:
> umask
or
> umask -S # to get the symbolic form

changing umask:
> umask 0022
or
> umask u=rwx,g=rx,o=rx # symbolic form of 0022
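added example (not from the course or these notes): the permission arithmetic of this chapter in shell, covering both the owner/group/world decision order and the umask calculation. oct2dec converts octal mode strings digit by digit (so it does not depend on the shell parsing a leading 0), apply_umask computes the mode of a new file from the 0666/0777 default and a umask, umask_symbolic renders a mask the way `umask -S` does, and access_allowed applies the owner-then-group-then-world rule. all inputs are constructed; the superuser's bypass of these checks is deliberately not modelled.

```shell
# Added example, not from the course notes: mode/umask arithmetic and the
# owner -> group -> world access decision. Inputs are constructed.

# oct2dec OCTAL -> decimal (fails on non-octal input)
oct2dec() {
    case $1 in ''|*[!0-7]*) return 1 ;; esac
    n=0; s=$1
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}; s=${s#?}      # first char, rest
        n=$(( n * 8 + d ))
    done
    echo "$n"
}

# perm_chars DIGIT FILLER -> rwx letters for one triplet, FILLER for missing bits
perm_chars() {
    p=$1; out=""
    [ $(( p & 4 )) -ne 0 ] && out="${out}r" || out="${out}$2"
    [ $(( p & 2 )) -ne 0 ] && out="${out}w" || out="${out}$2"
    [ $(( p & 1 )) -ne 0 ] && out="${out}x" || out="${out}$2"
    printf '%s' "$out"
}

# mode_to_rwx MODE -> ls -l style string, e.g. 0644 -> rw-r--r--
mode_to_rwx() {
    m=$(oct2dec "$1") || return 1
    printf '%s%s%s\n' "$(perm_chars $(( (m >> 6) & 7 )) -)" \
                      "$(perm_chars $(( (m >> 3) & 7 )) -)" \
                      "$(perm_chars $(( m & 7 )) -)"
}

# apply_umask DEFAULT MASK -> resulting mode, e.g. 0666 002 -> 0664
apply_umask() {
    d=$(oct2dec "$1") || return 1
    u=$(oct2dec "$2") || return 1
    printf '%04o\n' $(( d & ~u ))
}

# umask_symbolic MASK -> what `umask -S` prints for it, e.g. 022 -> u=rwx,g=rx,o=rx
umask_symbolic() {
    u=$(oct2dec "$1") || return 1
    printf 'u=%s,g=%s,o=%s\n' "$(perm_chars $(( 7 & ~(u >> 6) )) '')" \
                               "$(perm_chars $(( 7 & ~(u >> 3) )) '')" \
                               "$(perm_chars $(( 7 & ~u )) '')"
}

# access_allowed MODE OWNER GROUP USER USER_GROUPS OP -> exit 0 if USER
# (member of the comma-separated USER_GROUPS) may perform OP (r, w or x).
# Exactly one triplet is consulted: the owner's if USER owns the file, else
# the group's if USER is in GROUP, else the world's. A more permissive
# triplet further down the list never helps.
access_allowed() {
    m=$(oct2dec "$1") || return 2
    case $6 in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    if [ "$4" = "$2" ]; then shift_by=6
    else case ",$5," in *",$3,"*) shift_by=3 ;; *) shift_by=0 ;; esac
    fi
    [ $(( (m >> shift_by) & bit )) -ne 0 ]
}

echo "0666 with umask 002 -> $(apply_umask 0666 002) ($(mode_to_rwx "$(apply_umask 0666 002)"))"
echo "umask 022 -> $(umask_symbolic 022)"
access_allowed 0664 coop aproject coop '' w && echo "coop may write a_file"
access_allowed 0077 coop aproject coop aproject r || echo "owner coop cannot read a ----rwxrwx file"
```

the last demo line is the non-obvious consequence of the decision order: a file with mode 0077 is unreadable by its own owner even though the owner is also in the group, because only the owner triplet is ever consulted for the owner.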

POSIX ACL - Access Control List
extension of the simpler ugo model.
how to use ACLs:
> getfacl file|dir # show the ACL
> setfacl options permissions file|dir
> setfacl -m u:isabelle:rx ~/file1
> setfacl -x u:isabelle ~/file1

remove an ACL entry:
> setfacl -x u:isabelle ~/file1
to set a default on a dir:
> setfacl -m d:u:isabelle:rx some_dir



/// chapter 33 - PAM - Pluggable Authentication Modules ///
PAM provides a uniform mechanism to ensure that users and apps are properly identified and authenticated. PAM can work with LDAP to centralize auth throughout a network.

by the end:
 → explain the concepts that motivate the use of PAM
 → list the steps of the auth process
 → use, modify PAM configuration files
 → know how to interpret PAM rules and create new ones
 → apply LDAP to use and administrate distributed dir services over the network

before PAM, auth of users was performed by individual apps: su, login, ssh would each separately authenticate a user. now PAM takes care of it; most new Linux apps use it, via libpam.

it consists of:
 → PAM-aware apps
 → configuration: /etc/pam.d (!!!)
 → PAM modules in libpam* libs, which can be found in different locations depending on the Linux distro

each app might be configured separately by an individual conf file in /etc/pam.d

steps:
 → user invokes a PAM-aware app, like login
 → the app calls libpam
 → the lib checks for files in /etc/pam.d; it is checked which PAM modules to invoke, including system-auth
 → each referenced module is executed in accordance with the rules of the relevant conf file for that app

each file in /etc/pam.d/ corresponds to a *service* and each uncommented line in the file specifies a rule. a rule is formatted as a list of space-separated tokens, the first two of which are case insensitive:
> type control module-path module-arguments
 type - specifies the mgmt group the module is to be associated with:
 auth - gets the app to prompt the user for identification (username, password). may set credentials and grant privileges
 account - checks on aspects of the user's account, like password aging, access ctrl, etc.
 password - updates the user's auth token, usually a password
 session - provides functions before and after the session is established (like setting up the environment, logging, etc.)
 control flag - controls how the success or failure of a module affects the overall auth process.
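added example (not from the course or these notes): a reader for the rule format just described (type control module-path module-arguments), including the bracketed `[value=action ...]` control form, which contains spaces and so is not a single token. it lists which modules a service stack calls for a given type and finds rules carrying a particular argument, e.g. nullok, the pam_unix option that accepts an empty password. the service file is constructed for the example; on a real system point it at a file under /etc/pam.d.

```shell
# Added example, not from the course notes: /etc/pam.d rule parser.
# The service file below is constructed for this example.

# pam_rules FILE -> "type|control|module|args" per rule; comments and blank lines skipped
pam_rules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            type = tolower($1); i = 2
            if ($2 ~ /^\[/) {                   # bracketed control: join fields until "]"
                ctrl = ""
                while (i <= NF) {
                    ctrl = ctrl (ctrl == "" ? "" : " ") $i
                    if ($i ~ /]$/) { i++; break }
                    i++
                }
            } else { ctrl = tolower($2); i = 3 }
            mod = $i; i++
            args = ""
            for (; i <= NF; i++) args = args (args == "" ? "" : " ") $i
            print type "|" ctrl "|" mod "|" args
        }' "$1"
}

# pam_modules_for FILE TYPE -> modules consulted for TYPE, in stack order
pam_modules_for() {
    pam_rules "$1" | awk -F'|' -v t="$2" '
        $1 == t { printf "%s%s", (n++ ? " " : ""), $3 }
        END { if (n) print "" }'
}

# pam_rules_with_arg FILE ARG -> "type module" of every rule whose arguments include ARG
pam_rules_with_arg() {
    pam_rules "$1" | awk -F'|' -v a="$2" '
        { n = split($4, w, " "); for (i = 1; i <= n; i++) if (w[i] == a) print $1, $3 }'
}

SAMPLE_PAM_LOGIN=$(mktemp)
trap 'rm -f "$SAMPLE_PAM_LOGIN"' EXIT
cat > "$SAMPLE_PAM_LOGIN" <<'EOF'
#%PAM-1.0  (constructed service file for the example)
auth       required     pam_securetty.so
auth       [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth       requisite    pam_deny.so
account    required     pam_unix.so
password   required     pam_unix.so sha512 shadow
session    required     pam_unix.so
session    optional     pam_lastlog.so
EOF

pam_rules "$SAMPLE_PAM_LOGIN"
echo "auth stack: $(pam_modules_for "$SAMPLE_PAM_LOGIN" auth)"
echo "rules accepting empty passwords: $(pam_rules_with_arg "$SAMPLE_PAM_LOGIN" nullok)"
```

the parser does not follow `include`/`substack` lines into other files (system-auth, common-auth), so on a real system run it over each included file as well to see the whole stack.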




/// chapter 34 - Network Addresses ///
by the end:
 → tell about IPv4 vs IPv6
 → get, set, change the hostname, based on the system that you are using

IPv4 - 32 bits == 4 octets
example: 148.114.252.10

IPv6 - 128 bits, 16 octets
example: 2003:0db5:6123:0000:1f4f:0000:5529:fe23

in both cases, a set of reserved addresses is also included.

in IPv4 4 types of casting:
 → unicast - to one host
 → network - to the whole network. host portion is zeros
 → broadcast - to each member of a network. host portion is ones, like 172.16.255.255
 → multicast - ...

reserved addresses:
 → 127.x.x.x - loopback, where 0 <= x <= 254. generally 127.0.0.1
 → 0.0.0.0 - used by systems that don't yet know their addresses. protocols like DHCP or BOOTP use this address when attempting to communicate with a server.
 → 255.255.255.255 - generic broadcast, for internal use
 → and others
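added example (not from the course or these notes): the IPv4 arithmetic behind the two lists above. ip2int packs a dotted quad into a 32-bit number, network_of / broadcast_of clear or set the host portion of an address/prefix pair, and ip_kind names the well-known special range an address falls into (loopback, unspecified, limited broadcast, multicast, and the RFC 1918 private ranges, which the notes fold into "and others"). every address in the demo is constructed.

```shell
# Added example, not from the course notes: IPv4 network/broadcast arithmetic
# and classification of reserved ranges. Demo addresses are constructed.

# ip2int A.B.C.D -> integer (fails on malformed input or leading zeros)
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INTEGER -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix2mask N -> netmask integer for a /N prefix (top N bits set)
prefix2mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
    echo $(( (4294967295 >> (32 - $1)) << (32 - $1) ))
}

# network_of A.B.C.D/N -> network address (host portion all zeros)
network_of() {
    ip=$(ip2int "${1%/*}") || return 1
    mask=$(prefix2mask "${1#*/}") || return 1
    int2ip $(( ip & mask ))
}

# broadcast_of A.B.C.D/N -> directed broadcast address (host portion all ones)
broadcast_of() {
    ip=$(ip2int "${1%/*}") || return 1
    mask=$(prefix2mask "${1#*/}") || return 1
    int2ip $(( ip | (~mask & 4294967295) ))
}

# ip_kind A.B.C.D -> which reserved range the address belongs to, or "unicast"
ip_kind() {
    n=$(ip2int "$1") || { echo invalid; return 1; }
    first=$(( n >> 24 ))
    if   [ "$n" -eq 0 ];          then echo unspecified         # 0.0.0.0
    elif [ "$n" -eq 4294967295 ]; then echo limited-broadcast   # 255.255.255.255
    elif [ "$first" -eq 127 ];    then echo loopback            # 127.0.0.0/8
    elif [ "$first" -ge 224 ] && [ "$first" -le 239 ]; then echo multicast   # 224.0.0.0/4
    elif [ "$first" -eq 10 ] \
      || [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] \
      || [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]; then echo private  # RFC 1918
    else echo unicast
    fi
}

for cidr in 172.16.3.4/16 192.168.1.7/24 10.5.0.0/16; do
    echo "$cidr: network $(network_of "$cidr"), broadcast $(broadcast_of "$cidr")"
done
for a in 127.0.0.1 0.0.0.0 255.255.255.255 224.0.0.1 192.168.1.7 8.8.8.8; do
    echo "$a is $(ip_kind "$a")"
done
```

the 172.16/12 test shifts the address right by 20 bits so only the 12-bit prefix remains, which is the same thing a netmask of 255.240.0.0 does; the other two private ranges fall on octet boundaries and are simpler.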

> hostname
 # gives the hostname

> sudo hostname myName
 # changes the hostname to myName

but a restart will revert its value.

the current hostname is in /etc/hostname (on almost all Linux distros). a persistent change requires changing config files in the /etc/ dir. utility to do this:
> hostnamectl # which arises from the systemd architecture

> sudo hostnamectl set-hostname MYPC



/// chapter 35 - Network devices and configuration ///
 → identify network devices and understand how the operating system names them and binds them to specific duties
 → use the ip utility to control, route, tunnel
 → use the older ifconfig
 → use Network Manager (nmtui and nmcli) to configure devices in a distro-independent manner
 → know how to set up default routes
 → configure diagnostic utilities

unlike block and char devices, network devices are not associated with special device files (device nodes) in the /dev directory; they are known by their names:
 → eth0, eth1, eno1, eno2, etc. for Ethernet devices
 → wlan0, wlan1, wlan2, wlp3s0, wlp3s2, etc. for wireless devices
 → br0, br1, br2, etc. for bridge interfaces
 → vmnet0, vmnet1, vmnet2, etc. for virtual devices for communicating with virtual clients
sometimes multiple virtual devices can be associated with a single physical device

the previous naming convention encountered difficulties, like when multiple interfaces of the same type were present.
it was solved by some admins by hardcoding associations between HW (MAC) addresses and device names in system configuration files and startup scripts. this method worked for years, but it requires manual tuning and had other problems, such as when MAC addresses were not fixed; this can happen in both embedded and virtualized systems.

PNIDN - Predictable Network Interface Device Names - strongly correlated with the use of udev and integration with systemd. there are now 5 types of names that devices can be given:
 → incorporating firmware or BIOS provided index numbers for on-board devices, like eno1
 → incorporating firmware or BIOS provided PCI Express hotplug slot index numbers, like ens1
 → incorporating the physical and/or geographical location of the HW connection, like enp2s0
 → incorporating the MAC address, like enx7837d1ea46da
 → using the old classic method, like eth0

examples of the new naming scheme:
> ifconfig | grep enp
# the name shows up

> ifconfig | grep wl

> lspci | grep Centrino

ip is preferred over ifconfig and is more versatile as well as more efficient because it uses netlink sockets rather than ioctl system calls. basic syntax:
> ip [OPTIONS] OBJECT { COMMAND | help }
> ip [ -force ] -batch filename

the 2nd form reads commands from a designated file

ip is a multiplex utility. the OBJECT arg describes what kind of action is going to be performed. the possible COMMANDS depend on which OBJECT is selected. main ip OBJECTs:
 → address - IPv4 or IPv6 protocol device address
 → link - network devices
 → maddress - multicast address
 → monitor - watch for netlink messages
 → route - routing table entry
 → rule - rule in the routing policy database
 → tunnel - tunnel over IP

examples of usage of ip:
> ip link # shows info about all network interfaces
> ip -s link show eth0 # shows info for the eth0 interface
> sudo ip addr add 192.168.1.7 dev eth0 # set the IP address for eth0
> sudo ip link set eth0 down # bring eth0 down
> sudo ip link set eth0 mtu 1480 # set the MTU to 1480 bytes for eth0
> sudo ip route add 172.16.1.0/24 via 192.168.1.5 # set a network route

> ip -s link show ens33
> ip addr show

ifconfig - system utility long found in UNIX-like OSes. used from the CLI or from system configuration scripts.
ifconfig examples:
> ifconfig # show info about all interfaces
> ifconfig eth0 # show info about only the eth0 interface
> sudo ifconfig eth0 192.168.1.50 # set the IP address to 192.168.1.50 on interface eth0
> sudo ifconfig eth0 netmask 255.255.255.0 # set the netmask to 24 bits
> sudo ifconfig eth0 up # bring interface eth0 up
> sudo ifconfig eth0 down # bring interface eth0 down

> sudo ifconfig eth0 mtu 1480 # set the MTU (Maximum Transfer Unit) to 1480 bytes for interface eth0

configuring with ip or ifconfig is not persistent. to change persistently use:
Red Hat:
 /etc/sysconfig/network
 /etc/sysconfig/network-scripts/ifcfg-ethX
 /etc/sysconfig/network-scripts/ifcfg-ethX:Y
 /etc/sysconfig/network-scripts/route-ethX
Debian:
 /etc/network/interfaces
SUSE:
 /etc/sysconfig/network
when using systemd, it is preferable to use Network Manager, rather than configure the underlying text files. in fact, in many new Linux distros these files are non-existent, empty or much smaller and present only for compatibility reasons.

1470once upon a time almost all network connections were wired (Ethernet). During boot, files in /etc/ were consulted to establish all device configuration.
1471Now configuration changes more often.
1472Tools:
1473> nmtui - almost no learning curve and will edit underlying conf. files for user (!!!)
1474> nmcli - if you want to run scripts that change the network configuration. for examples use:
1475> man nmcli-examples
1476Network Manager SHOULD WORK THE SAME on every distro.
1477
1478
1479routing - process of selecting paths in a network. routing table - list of routes to other networks managed by the system. it defines paths to all networks and hosts, sending remote traffic to routers. to see current routing table:
1480> route
1481or
1482> ip
1483
1484default route - where packets go if there is no other match in routing table. setting:
1485> sudo nmcli con mod virbr0 ipv4.routes 192.168.10.0/24 +ipv4.gateway 192.168.122.0
1486> sudo nmcli con up virbr0
1487
1488or modify configuration files directly. on Red Hat:
1489> echo "GATEWAY=1.2.3.4" >> /etc/sysconfig/network
1490or alternatively in /etc/sysconfig/network-scripts/ifcfg-ethX on a device-specific basis in the configuration files for the individual NIC.
1491On Debian:
1492> echo "gateway=1.2.3.4" >> /etc/network/interfaces
1493
1494on either system you can set the default gateway at runtime with:
1495> sudo route add default gw 192.168.1.10 enp2s0
1496> route # to see results
1497it's not persistent!
1498
1499static routes - used to control packet flow when there is more than one router or route. defined for each interface and can be persistent or not.
1500when system can access >1 router, it's good to selectively control which packets go to which router.
1501route or ip can be used to set non-persistent route, as in:
1502> sudo ip route add 10.5.0.0/16 via 192.168.1.100
1503> route # some output
1504
1505/etc/hosts - local DB of hostnames and IP addresses. set of records (each taking 1 line) which map IP addresses with correcponding hostnames and aliases.
1506if the name resolution cannot be done locally using /etc/hosts, system queries DNS.
1507machine usage of DNS is configured in /etc/resolv.conf, which historically looked like this:
1508
1509search example.com aps.org
1510nameserver 192.168.1.1
1511nameserver 8.8.8.8
1512
1513this can:
1514 → specify particular domains to search
1515 → define strict order of nameservers to query
1516 → may be manually configured or updated from a service such as DHCP
1517
1518most modern systems have /etc/hosts.resolv file generated automatically, such as:
1519
1520# Generated by NetworkManager
1521192.168.1.1
1522
1523other network tools:
1524 → ping - sends 64-byte test packet
1525 → traceroute - displays network path
1526 → mtr - combines both above, is continuously updated, like top
1527 → dig - useful for testing DNS functionality (you can also use host or nslookup)
1528
1529
1530
1531/// chapter 36 - firewalls ///
1532by the end:
1533 → what are firewalls
1534 → know what GUI and CLI tools there are
1535 → discuss about firewalld and firewall-cmd
1536 → know how to work with zones, sources, services, ports
1537
1538firewall - network security system that monitors and controls all network traffic. it applies rules on both incoming and outgoing network connections and packets and builds flexible barriers (firewalls) depending on the level of trust of a given connection. Is HW- or SW-based. They are in routers, in PCs, network nodes. many firewalls have routing capabilities.
1539early FW were based on packet filtering. content of each packet was inspected and was either dropped, rejected or sent on. there was no concideration about the connection state; what stream of traffic the packet was part of.
1540next gen. of FWs was based on stateful filters, which also examine the connection state of the packet; is it a new connection, part of existing one or none. This generation could be DDoSsed.
15413rd generation: Application Layer Firewalls, are aware of the kind of application and protocol the connection is using. they can block anything which should not be part of the normal flow.
1542
1543all (?) FW are based on Packet Filtering. Each message across networks is in the form of packets, and each packet has:
1544 → header
1545 → payload
1546 → footer
1547
1548header and footer - destination and source addresses, kind of packet, type of protocol, flags, which packet number this is in a stream, and other metadata about transmissions. the actual data is payload.
1549
1550FW may do with packets:
1551 → accept / reject
1552 → mangle in some way
1553 → redirect to another address
1554 → inspect for security reasons
1555 → ...
1556
there are many tools to set packet filtering rules. examples:
 command-line tools:
 → iptables / nftables - the low-level rule engines of the kernel's netfilter framework
 → firewall-cmd - front end for firewalld, which generates the low-level rules for you
 → ufw - Ubuntu's simpler front end, same idea

 graphical interfaces:
 → system-config-firewall
 → firewall-config
 → gufw
 → yast
1568
firewalld - dynamic firewall manager. it uses network/firewall zones with defined levels of trust for network interfaces or connections. supports IPv4/6. it separates runtime from persistent config changes and has a D-Bus interface for services to add firewall rules without restarting the whole firewall.
it replaces the old iptables service (underneath it still drives iptables or, on newer versions, nftables). don't run the iptables service and firewalld at the same time: both would write to the same kernel rule tables and overwrite each other.
1571
configs:
/etc/firewalld - local configuration (what you create with --permanent)
/usr/lib/firewalld - defaults shipped by the package (zones, services); don't edit these, copy to /etc/firewalld instead
the 1st path takes precedence
1577
1578cmd-line tool:
1579> firewall-cmd
1580before you begin:
1581> firewall-cmd --help
1582
1583firewalld is a service that needs to be running to use and conf. the firewall and is started/stopped/enabled/disabled in the usual way:
1584> sudo systemctl [enable/disable] firewalld
1585> sudo systemctl [start/stop] firewalld
1586
1587current status:
1588> sudo systemctl status firewalld
1589or just:
1590> sudo firewall-cmd --state
1591< running
1592
if the machine has more than one network interface and is supposed to route between them (e.g. acts as a gateway), you have to turn on IP forwarding. on any other host leave it off: a box that forwards is a pivot for anyone who gets onto it. at runtime (warning: not persistent!):
> sudo sysctl net.ipv4.ip_forward=1
or
> echo 1 > /proc/sys/net/ipv4/ip_forward # as root; "sudo echo" won't do, the redirect is performed by your unprivileged shell
1597
1598persistent:
1599> echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
1600then reboot or read new settings without rebooting by:
1601> sudo sysctl -p
1602
firewalld works with zones, each with a defined lvl of trust. from least to most trusted:
 → drop - all incoming packets are dropped with no reply. only outgoing connections are permitted
 → block - all incoming packets are rejected with an ICMP host-prohibited message. only connections initiated from within the system are permitted
 → public - don't trust other computers on the network. only some, consciously selected incoming connections are permitted
 → external - for masquerading (NAT) setups such as routers. trust level the same as public
 → dmz - Demilitarized Zone - computers reachable from the public with access to some (but not all) services. only selected incoming connections are accepted
 → work - trust most computers on the network; still only selected incoming connections are accepted
 → home - like work, for home networks
 → internal - like work, for internal networks
 → trusted - all network connections are accepted
1613
1614on system installation most distros will select the public zone as default for all interfaces.
1615
1616get default zone:
1617> sudo firewall-cmd --get-default-zone
1618< public
1619
1620get list of zones currently being used:
1621> sudo firewall-cmd --get-active-zones
1622< public
1623< interfaces: eno16777736
1624
1625list all available zones:
1626> sudo firewall-cmd --get-zones
1627< block dmz drop external home internal public trusted work
1628
change the default zone to trusted and then change it back (note: --set-, not --get-):
> sudo firewall-cmd --set-default-zone=trusted
< success
> sudo firewall-cmd --set-default-zone=public
< success
1633< success
1634
assign an interface temporarily (runtime only) to a particular zone:
> sudo firewall-cmd --zone=internal --change-interface=eno1
1637< success
1638
1639assign an interface to a particular zone permanently:
1640> sudo firewall-cmd --permanent --zone=internal --change-interface=eno1
1641< success
1642which creates the file:
1643/etc/firewalld/zones/internal.xml
1644
1645to ascertain the zone associated with a particular interface:
1646> sudo firewall-cmd --get-zone-of-interface=eno1
1647< public
1648
1649to get all details about a particular zone:
1650> sudo firewall-cmd --zone=public --list-all
1651< wow, much output
1652
1653<some skipped>
1654
port mgmt:
> sudo firewall-cmd --zone=home --add-port=21/tcp
< success
> sudo firewall-cmd --zone=home --list-ports
< 21/tcp
this is a runtime change; with --permanent it lands in /etc/firewalld/zones/home.xml instead and is only live after the next reload. where a service definition exists prefer --add-service=<name>, it documents intent better than a bare port number.
by looking at /etc/services we can ascertain that port 21 corresponds to ftp (a cleartext protocol, so think twice before opening it):
> grep " 21/tcp" /etc/services
< ftp 21/tcp
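The zone file that --permanent writes is plain XML. Added example (mine, not from these notes or the firewalld project): a Python script that parses a constructed internal.xml, resolves its ports against an /etc/services-style table, and lists what a reviewer would flag. The XML, the services table and the cleartext-port list are assumptions made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed example of a firewalld zone file such as
# /etc/firewalld/zones/internal.xml after adding an interface, services and
# ports with --permanent. Hand-written for this example, not taken from a host.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks.</description>
  <interface name="eno1"/>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="21"/>
  <port protocol="tcp" port="8000-8100"/>
</zone>
"""

# Constructed /etc/services-style table (the real file is much longer).
SAMPLE_SERVICES = """# name  port/protocol
ftp     21/tcp
ssh     22/tcp
telnet  23/tcp
http    80/tcp
"""

# Ports whose protocols carry credentials in cleartext; assumption for the example.
CLEARTEXT_PORTS = {"21/tcp", "23/tcp"}


def parse_services(text):
    """Map 'port/proto' -> service name, /etc/services style."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        table[portproto] = name
    return table


def parse_zone(xml_text):
    """Pull the parts of a zone file that matter for an audit."""
    root = ET.fromstring(xml_text)
    return {
        # a zone element may carry target="ACCEPT"/"DROP"/"%%REJECT%%";
        # absent means the zone default (reject whatever is not listed)
        "target": root.get("target", "default"),
        "interfaces": [e.get("name") for e in root.findall("interface")],
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [(e.get("port"), e.get("protocol")) for e in root.findall("port")],
    }


def audit_zone(zone, services, cleartext=CLEARTEXT_PORTS, max_range=100):
    """Return the findings a reviewer would raise about a zone."""
    findings = []
    if zone["target"] == "ACCEPT":
        findings.append("target=ACCEPT: every inbound packet is allowed, the rules are moot")
    for port, proto in zone["ports"]:
        key = f"{port}/{proto}"
        name = services.get(key, "unknown")
        if key in cleartext:
            findings.append(f"{key} ({name}) is a cleartext protocol")
        if "-" in port:
            lo, hi = (int(x) for x in port.split("-", 1))
            if hi - lo + 1 > max_range:
                findings.append(f"{key}: {hi - lo + 1} ports opened by one rule")
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE_XML)
    print("zone covers", zone["interfaces"], "services", zone["services"])
    for finding in audit_zone(zone, parse_services(SAMPLE_SERVICES)):
        print("finding:", finding)
```

Run it against the real files under /etc/firewalld/zones to get the same listing for every zone; the `target` check is the one that matters most, a zone with target ACCEPT behaves like trusted no matter what else is in the file.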
1663
1664
1665/// chapter 37 - system startup and shutdown ///
1666by the end:
1667 → explain the boot process
1668 → types of boot loaders
1669 → know what BIOS does
1670 → relevant config files
1671 → describe how the system shuts down and reboots
1672
1673steps of boot sequence:
16741. BIOS/UEFI locates and executes the boot program or boot loader
16752. boot loader loads kernel
16763. kernel starts init process (pid=1)
16774. init manages system initialization, using systemd, Upstart or older SysVinit startup scripts
1678
when power is applied to a PC, the only code it can run is the firmware (BIOS or UEFI) in ROM/flash.
1. BIOS runs POST (Power On Self Test, checking memory and HW).
2. searches a specific location or device for a boot program. with legacy BIOS it is the first sector of the boot device, the MBR - Master Boot Record; with UEFI it is an EFI executable on the EFI System Partition. If found...
3. control is transferred to this program (usually GRUB)
4. the boot program loads the kernel (and initramfs) into memory and executes it. on x86 (and many other platforms) the kernel first decompresses itself in place, then checks HW, gains access to important peripheral HW and eventually runs the init process.
5. the 1st process continues the system startup.
1685
newer computers use UEFI instead of BIOS. with Secure Boot enabled the firmware only runs boot loaders signed by a trusted key, which protects the boot chain from a tampered boot loader.
1687
on x86 arch. the BIOS contains all the code required to gain initial access to keyboard, display, disks and so on.
BIOS is stored in a ROM/flash chip on the board, which is why it survives an HDD crash. during startup BIOS loads the boot loader from the MBR.
1690
1691Linux boot loaders:
1692 → GRUB (mostly used) (!!!)
1693 → LILO (old and obsolete)
1694 → efilinux (designed for UEFI)
1695 → Das U-Boot (popular in embedded Linux systems)
 → barebox - also embedded
1697
1698
1699
per-service startup settings (variables read by the init scripts and unit files) live in:
/etc/default #Debian-based distros
vs
/etc/sysconfig #Red Hat based
1703
shutdown in a secure fashion: notify all users that the system is going down, then stop services gracefully, then halt or reboot. examples:
> sudo shutdown -h +1 "Power Failure imminent" # halt in one minute, the message goes to every logged-in user
> sudo shutdown -h now
> sudo shutdown -r now
> sudo shutdown now # on systemd this powers off; classic SysVinit shutdown without -h/-r dropped to single-user mode instead
1709
legacy commands:
1711> reboot
1712> halt
1713> poweroff
1714
1715
1716
1717/// chapter 38 - GRUB ///
1718GRUB - Grand Unified Boot Loader
1719
1720by the end:
1721 → what GRUB is?
1722 → diff between GRUB1 and GRUB2
1723 → interactive selections you can make at boot
1724 → installing GRUB
1725 → how config files that GRUB needs are used and modified
1726
1727GRUBS allows to:
1728 → choose different OSes at boot time
1729 → choose kernel versions for a given OS
1730 → boot parameters can be easily changed at boot time without editing configuration files, etc. in advance
1731
1732GRUB2 replaced GRUB1 on all distros but RHEL6-based ones.
1733At boot, basic config file is read, depending on a distro either:
1734/boot/grub/grub.cfg
1735or
1736/boot/grub2/grub.cfg
1737
this file is autogenerated by update-grub (Debian family) or grub2-mkconfig (RHEL7) from the scripts in
/etc/grub.d/
and the settings in
/etc/default/grub and should never be edited by hand (the next regeneration would silently overwrite your change).
1742
1743config file contains some global parameters and then "stanza" for each OS or kernel configured.
1744
after POST and BIOS you get the GRUB menu. after selecting an entry, "e" drops you into an editor where you can change the "stanza" of the configuration that describes that boot option (kernel, initrd, kernel command line).
changes WILL NOT be persistent.
"c" gives you a pure GRUB shell.
security caveat: anyone with console access can edit the kernel command line here (e.g. append init=/bin/bash) and boot straight into a root shell, which is why chapter 42 tells you to password-protect the boot loader and to lock down the BIOS boot order.
1748
installing GRUB may have a few meanings:
 1. installing the GRUB program. in GRUB1 there's the grub app. in GRUB2 there's a bunch of utilities: grub2-*, grub-*. it's rather distro-dependent.
 2. installing the files GRUB needs to operate at boot time, under /boot/grub[2]/.
 3. installing GRUB as the boot loader in the system. usually into the MBR / boot sector at the front of the disk, but sometimes into a partition, accessed via chainloading from one GRUB to another.
1753
1754installing GRUB2:
1755> sudo grub2-install /dev/sda
1756but read man before!
1757
in both GRUBs the first HDD is hd0, the second hd1. but partition numbering differs: GRUB2 counts partitions from 1 (like Linux), GRUB1 from 0:
 > sda1 is (hd0,1) in GRUB2, but (hd0,0) in GRUB1
 > sdc4 is (hd2,4) in GRUB2, but (hd2,3) in GRUB1
! !!!
1762
to recap, in this order the generated config depends on:
/etc/default/grub
/etc/grub.d
1766
1767
1768> sudo systemctl start gdm # gnome display mgr
1769
1770
1771
1772/// chapter 39 - init, SystemV, Upstart, systemd ///
1773systemd - now mostly used
1774
1775by the end:
1776 → understand importance of init process
1777 → understand how systemd (and Upstart) work
1778 → use systemctl to configure and control systemd
1779 → explain how traditional SysVinit method works and how it incorporates runlevels and what happens in each one
1780 → know how to use chkconfig and service (and alternative utilities) to start and stop services or make them persistent across reboots when using SysVinit
1781
/sbin/init (called just init) is the first user-level process (or task) run on the system, and it runs until the system shuts down. traditionally it's considered the parent of all user processes, but technically that's not true - some processes are started by the kernel (kernel threads, children of kthreadd).
1783
1784init:
coordinates later stages of the boot process, configures all aspects of the environment, starts the processes needed for logging into the system, and works closely with the kernel in cleaning up after processes when they terminate (reparenting and reaping orphans).
1786
in the past all distros based the init process on UNIX's venerable SysVinit. back then the target was:
 → a multi-user mainframe OS (not a PC)
 → a single-CPU OS
 → startup and shutdown time wasn't important, far less than getting things right
1791
startup was viewed as a serial process, divided into a series of sequential stages. each stage had to complete before the next could proceed, so there was no advantage from the parallel processing possible on multiple CPUs or cores.
also, shutdown/reboot was a relatively rare event so its duration wasn't important.
1794
to deal with those issues, 2 systems appeared:
 → Upstart - developed by Ubuntu, first released in 2006. adopted in Fedora 9, RHEL6 and its clones, like CentOS, Scientific Linux, Oracle Linux, and OpenSUSE
 → systemd - first adopted by Fedora in 2011. standard since RHEL7 and Ubuntu 16.04. now MOSTLY used.
1798
1799features of systemd:
1800 → compatible with SysVinit scripts
1801 → boots faster than previous systems
1802 → provides aggresive parallelization capabilities
1803 → uses socket and D-Bus activation for starting services
1804 → replaces shell scripts with programs
1805 → offers on-demand starting of daemons
1806 → keeps track of processes using "cgroups"
1807 → supports creating snapshots and restoring of the system state
1808 → maintains mount and automounts points
1809 → implements an elaborate transactional dependency-based service control logic
1810 → can work as a drop-in replacement for SysVinit
1811
instead of bash scripts, systemd uses .service unit files. it also places every service in its own cgroup, so all processes a service spawns (even double-forked daemons) stay tracked and can be stopped or resource-limited as a group. systemd is backwards-compatible with SysVinit.
1813
1814<skipped some>
1815
systemctl is the main utility for managing services. examples:
> systemctl # show status of everything
> systemctl list-units -t service --all # all service units, including inactive/failed ones
> systemctl list-unit-files -t service # every installed service and whether it's enabled
> systemctl list-units -t service # only loaded (active) services
1821
1822start/activate >= 1 unit:
1823> sudo systemctl start foo
1824> sudo systemctl start foo.service
1825> sudo systemctl start /path/to/foo.service
1826where a unit can be a service or a socket
1827
1828to stop (deactivate) a service:
1829> sudo systemctl stop foo.service
1830
1831to enable/disable a service:
1832> sudo systemctl enable sshd.service
1833> sudo systemctl disable sshd.service
1834
1835
as a SysVinit system starts, it passes through a sequence of runlevels which define different system states, numbered 0-6.
 runlevel  meaning
 S, s      same as 1
 0         shut the system down and turn power off
 1         single user mode
 2         multi-user, no NFS, only text login
 3         multi-user, with NFS and network, only text login
 4         not used
 5         multi-user, with NFS and network, graphical login with X
 6         reboot
1846
1847show current level:
1848> runlevel
1849< N 5 # first char is prev level. N == unknown
1850
1851change runlevel on the system. for example, to go from runlevel 3 to 5, type:
1852> sudo /sbin/telinit 5
1853
the init process first reads /etc/inittab. historically this file told init which scripts to run to bring the system up to each runlevel, and did so with a series of lines, one per entry, like:
 id:runlevel(s):action:process
where:
 id - unique 1-4 character identifier for the entry
 runlevel(s) - zero or more single-character runlevel identifiers for which the entry applies (empty for entries that aren't runlevel-specific)
 action - the action to be taken (e.g. wait, once, respawn, initdefault, ctrlaltdel)
 process - the process to be executed
1861
RHEL6 hides Upstart behind a compatibility layer; the only uncommented line (and the only thing being set) is:
 id:5:initdefault:
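Added example (not from these notes): a Python parser for the inittab format described above, run over a constructed inittab, that returns the default runlevel, the entries a runlevel would start, and two things a hardening review looks for in this file. The sample inittab and the review rules are assumptions for the example.

```python
# Constructed /etc/inittab in the classic SysVinit layout; not from a real host.
SAMPLE_INITTAB = """# Default runlevel (3 = multi-user, text login)
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon
"""


def parse_inittab(text):
    """Parse id:runlevels:action:process lines into dicts.

    The process field is split off last because it may itself contain ':'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 3)
        if len(parts) < 3:
            continue  # malformed line, skip it
        ident, runlevels, action = parts[:3]
        process = parts[3] if len(parts) == 4 else ""
        entries.append({"id": ident, "runlevels": set(runlevels),
                        "action": action, "process": process})
    return entries


def default_runlevel(entries):
    """The runlevel init enters when none is given on the kernel command line."""
    for e in entries:
        if e["action"] == "initdefault" and e["runlevels"]:
            return sorted(e["runlevels"])[0]
    return None


def processes_for_runlevel(entries, level):
    """What init runs (wait/once) or keeps alive (respawn) in a given runlevel."""
    return [e["process"] for e in entries
            if level in e["runlevels"] and e["action"] in ("wait", "once", "respawn")]


def review(entries):
    """Two checks a hardening review makes on inittab (assumed rules)."""
    findings = []
    for e in entries:
        # ctrlaltdel lets anyone at the console reboot the box without logging in
        if e["action"] == "ctrlaltdel" and e["process"]:
            findings.append(f"{e['id']}: Ctrl-Alt-Del on the console runs {e['process']!r}")
    if default_runlevel(entries) == "5":
        findings.append("default runlevel 5: graphical login is needless surface on a server")
    return findings


if __name__ == "__main__":
    tab = parse_inittab(SAMPLE_INITTAB)
    print("default runlevel:", default_runlevel(tab))
    print("runlevel 3 starts:", processes_for_runlevel(tab, "3"))
    for finding in review(tab):
        print("finding:", finding)
```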
1864
1865<skipped>
1866
chkconfig - query and configure which runlevels the various system services run in. check a service:
> chkconfig <some_service>
exit status is 0 (true) if the service is configured to start in the current runlevel, non-zero otherwise. note that the service might still be stopped right now.
see what services are configured to run in each of the runlevels:
> chkconfig --list [service names]
1872
1873turn on some service next time system boots:
1874> sudo chkconfig <some_service> on
1875or don't:
1876> sudo chkconfig <some_service> off
1877
1878note that on and off don't affect the current state by starting or stopping a service. to do this:
1879> sudo service <some_service> [stop | start]
1880
1881
to add your own service, place a script in /etc/init.d which has the chkconfig header comment near the top (default runlevels and start/stop priorities), then use > chkconfig --add to register it (or --del to remove it) so that the on and off instructions, etc. work for it.
1883
1884<skipped>
1885
1886services:
1887 on Linux using or emulating SysVinit services are those in /etc/init.d/
1888 status:
1889 > sudo service network status
1890 > sudo service vsftpd status
1891 parameters taken vary. see examples:
1892 > sudo service network
1893 > sudo service iptables
1894
1895all service does is change dir. to /etc/init.d and run appropriate script in that directory with the supplied options. status of all the services on the system with:
1896> sudo service --status-all
1897
starting/stopping with service does not survive a reboot. to make the change persistent, use chkconfig as well.
1899
1900sometimes you need to install:
1901> sudo apt-get install sysvinit-utils chkconfig
1902
1903
Upstart is event-driven rather than a set of serial procedures. event notifications are sent to the init process to tell it to execute certain commands at the right time, after their prerequisites have been fulfilled. Upstart has been superseded by systemd, so this is only for reference. its files:
1905/etc/init/rcS.conf
1906/etc/rc.sysinit
1907/etc/inittab
1908/etc/initrc.conf
1909/etc/initrc[0-5].d
1910/etc/init/start-ttys.conf
1911
1912
1913
1914
1915
1916
1917/// chapter 40 - backup and recovery methods ///
1918by the end:
1919 → identify and prioritize data that needs backup
1920 → employ different backup methods depending on a situation
1921 → use cpio, gzip, bzip2, xz, dd, rsync, dump, restore, mt
1922 → 2 most known backup apps: Amanda and Bacula
1923
1924priorities:
1925 must have:
1926 → business-related data
1927 → system configs
1928 → user files (typically /home)
1929 maybe:
1930 → spooling dirs (for printing, mail, etc.)
1931 → logging files (found in /var/log and elsewhere)
1932 rather not:
 → SW that can be easily reinstalled (on a well-managed system that is almost everything)
1934 → /tmp dir
1935 no!:
1936 → pseudo-filesystems like /proc, /dev, /sys
1937 → any swap partitions or files
1938
 log files deserve a second thought: after an incident they are the only record of what happened, so an attacker who gets root will try to wipe them. an off-host copy is the backup that matters here.
1940
types of backup:
 o full - all files on a system
 o incremental - all files that have changed since the last incremental backup
 o differential - all files that have changed since the last full backup
 o multi-level incremental - all files that have changed since the previous backup at the same or a lower level
 o user - only a specific user's dir
1947
backups are useless without an associated restore method. take into account robustness, clarity and ease of both directions when selecting a strategy, and rehearse the restore; a backup that has never been restored is a hope, not a backup.

simple strategy: one full backup, then incremental backups of everything that subsequently changes. restoring from a chain of incrementals is more difficult and time consuming, since every link has to be present and applied in order.

a good rule is to have at least 2 weeks of backups available. backup media hold everything an attacker wants in one place (credentials, keys, private data), so keep them access-controlled and preferably encrypted, and keep at least one copy off-line or off-host so that ransomware on the source cannot reach it.
1953
apps:
 o cpio, tar - create and extract archives of files
 o gzip, bzip2, xz - compress archives. compressed archives are useful for transferring files from one machine to another
 o dd - transfer raw data between media. it can copy entire partitions or entire disks
 o rsync - synchronize dir subtrees or entire filesystems across a network or between different filesystem locations on a local machine
 o dump, restore - ancient utilities designed specifically for backups. they read from the filesystem directly (more efficient), but the backup can only be restored to the same filesystem type. there are newer alternatives
 o mt - querying and positioning tapes before performing backups and restores
1961
1962using tar:
1963 o when creating a tar archive, for each dir given as an argument, all files and subdirs will be included in the archive (!!!)
1964 o when restoring, it reconstitutes dirs as necessary
1965 o --newer option for incremental backups
1966
1967
> tar --create --file /dev/st0 /root
> tar -cvf /dev/st0 /root
the two are equivalent (long vs short options)

multi-volume option, prompts you to insert the next tape when the current one fills up:
> tar -cMf /dev/st0 /root
1974
1975verify files:
1976> tar --compare --verbose --file /dev/st0
1977> tar -dvf /dev/st0
1978
1979single-dashed tar args can be used without dash
1980
1981
1982restoring with tar:
1983> tar --extract --same-permissions --verbose --file /dev/st0
1984==
1985> tar -xpvf /dev/st0
1986==
1987> tar xpvf /dev/st0
1988
1989specify only some files:
1990> tar xvf /dev/st0 someFile
1991
1992list files:
1993tar --list --file /dev/st0
1994tar -tf /dev/st0
1995
1996
incremental backups:
> tar --create --newer '2011-12-1' -vf backup1.tar /var/tmp
> tar --create --after-date '2011-12-1' -vf backup1.tar /var/tmp
both create a backup archive of all files in /var/tmp changed after 01.12.2011
note: tar only compares timestamps. --newer picks a file up if either its content (mtime) or its inode status (ctime, e.g. after chmod/chown) changed; use --newer-mtime to look at content changes only. files deleted since the last backup leave no trace in the archive.
note: once you use a long option like "--newer", the short options must keep their dash too (no old-style "tar cvf" clusters)
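Added example (not from these notes, and using Python's tarfile rather than GNU tar): a full backup followed by an incremental of the last 24 hours, both restored in order, with the restore refusing members that would escape the target directory, which is the check you need whenever a tar file comes from someone else. The three-file source tree is constructed inside a temp dir.

```python
import os
import tarfile
import tempfile
import time
from pathlib import Path


def make_sample_tree(root):
    """Constructed input: two files last modified 10 days ago, one modified now."""
    ten_days_ago = time.time() - 10 * 86400
    for name, content, mtime in (("a.txt", b"old a", ten_days_ago),
                                 ("b.txt", b"old b", ten_days_ago),
                                 ("c.txt", b"new c", None)):
        path = Path(root, name)
        path.write_bytes(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))


def archive_newer_than(src_dir, since_epoch, dest_path):
    """Python equivalent of `tar --create --newer-mtime=DATE -f dest src`:
    add only regular files modified after the cut-off. Directories are always
    added so a restore recreates the layout. Returns the member names."""
    src_dir = Path(src_dir)
    names = []
    with tarfile.open(str(dest_path), "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_dir() or path.stat().st_mtime > since_epoch:
                arcname = str(path.relative_to(src_dir))
                tar.add(str(path), arcname=arcname, recursive=False)
                names.append(arcname)
    return names


def restore(archive_path, dest_dir):
    """Equivalent of `tar -xpf archive -C dest`, refusing members whose name
    would land outside dest (an archive you did not create yourself can carry
    ../ components or absolute paths). Returns the restored file names."""
    dest = Path(dest_dir).resolve()
    with tarfile.open(str(archive_path), "r:*") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing to extract {member.name!r} outside {dest}")
        if hasattr(tarfile, "data_filter"):      # Python >= 3.12 and backports
            tar.extractall(dest, filter="data")  # the stdlib repeats the same check
        else:
            tar.extractall(dest)
    return sorted(p.name for p in dest.rglob("*") if p.is_file())


def demo():
    """Full backup, then an incremental of the last 24 hours, then restore both
    in order (newer copies overwrite older ones, exactly as with tar)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "src")
        src.mkdir()
        make_sample_tree(src)
        full = Path(work, "full.tar.gz")
        incr = Path(work, "incr.tar.gz")
        full_members = archive_newer_than(src, 0, full)
        incr_members = archive_newer_than(src, time.time() - 86400, incr)
        out = Path(work, "restore")
        out.mkdir()
        restore(full, out)
        restored = restore(incr, out)
        return full_members, incr_members, restored


def rejects_traversal():
    """Build an archive with a '../escape' member and confirm restore refuses it."""
    with tempfile.TemporaryDirectory() as work:
        evil = Path(work, "evil.tar")
        with tarfile.open(str(evil), "w") as tar:
            info = tarfile.TarInfo("../escape")
            info.size = 0
            tar.addfile(info)
        out = Path(work, "out")
        out.mkdir()
        try:
            restore(evil, out)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print("traversal rejected:", rejects_traversal())
```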
2003
2004
2005
2006usually compress -> transmit -> decompress cycle is faster than transmitting uncompressed file
2007compressing tools in order of increasing efficiency (and longer compression times):
2008 o gzip - LZ77 coding, outputs .gz files
2009 o bzip2 - Burrows-Wheeler block sorting compression algorithm and Huffman coding, outputs .bz2 files
2010 o xz - supports legacy .lzma format, outputs .xz files
2011
2012decompression time is similar, compression time varies
2013zip is rarely used, mostly when dealing with compressed files from other systems
2014
using tar to create a compressed archive
 o tar zcvf source.tar.gz source
 o tar jcvf source.tar.bz2 source
 o tar Jcvf source.tar.xz source
the 1st command has the same effect as:
> tar cvf source.tar source ; gzip -v source.tar
but is more efficient because:
 o there's no intermediate file storage
 o archiving and compression happen simultaneously in the pipeline
2024
decompressing with tar:
> tar xzvf source.tar.gz
> tar xjvf source.tar.bz2
> tar xJvf source.tar.xz
2028> tar xJvf source.tar.xc
2029
2030or even simpler:
2031> tar xvf source.tar.gz
2032as modern tar can sense the method of compression
2033
dd usage:
> dd if=inputFile of=outputFile options
> dd if=/dev/zero of=outFile bs=1M count=10 # 10 MB file of zeros (!!!)
> dd if=/dev/sda of=/dev/sdb # back up an entire drive onto another (raw copy; whatever was on sdb is gone, dd never asks)
> dd if=/dev/sda of=/dev/sdadisk.img # back up to a file (can be transferred to another hard disk)
> dd if=/dev/sda1 of=partition1.img # back up a single partition
> dd if=ndata conv=swab count=1014 | uniq > ofile # dd in a pipeline: byte-swap the first 1014 blocks (512 bytes each) and post-process the stream with uniq
a raw image contains everything on the disk, deleted files included, so store it as carefully as the disk itself.
2041
2042rsync:
2043rsync [options] src dest
2044
2045examples:
2046> rsync file.tar someone@backup.mydomain:/usr/local
2047> rsync -r a-machine:/usr/local b-machine:/usr
2048> rsync -r --dry-run /usr/local /BACKUP/usr
2049
be careful with rsync (especially with the --delete option), so it's recommended to use --dry-run first and run for real only if the output looks correct
rsync is clever and efficient: only the differences are copied over the network. a good way of using it:
> rsync -r project-X archive-machine:archives/project-X
this is a very efficient and fast backup strategy (with a remote host in the destination rsync runs over ssh by default, so the transfer is authenticated and encrypted)
2054
cpio (copy in and out) - legacy utility, but still in use sometimes

> ls | cpio --create -O /dev/st0 # create an archive from the file names read on stdin
> cpio -i someFile -I /dev/st0 # extract from an archive
> cpio -t -I /dev/st0 # list contents of an archive
-I device - the archive to read (or use redirection on the command line); -O device - the archive to write
-o or --create - copy-out mode: cpio reads a list of file names (one per line) from stdin and writes the archive to stdout
-i or --extract - copy-in mode: extract files from an archive read from stdin. if you list names as patterns (such as *.c), only files in the archive that match are extracted
-t or --list - list the archive contents
-v or --verbose - verbose
2065
2066
dump and restore - from the earliest days of UNIX, and not designed for modern HW and filesystems.
still used by higher-lvl backup programs such as Amanda.
2069<skipped>
2070
Amanda - uses the native utilities, but is more robust and controllable
Bacula - for advanced admins only
Clonezilla - a live version for single-machine backup and recovery, and SE (server edition) for many machines at once. not only for Linux. a steep learning curve but very flexible.
2074
2075
2076
2077/// chapter 41 - Linux Security Modules ///
2078by the end:
2079 → understand how LSM framework works and how it's deployed
2080 → list various LSM implementations
2081 → ...
2082 → use AppArmor
2083
the idea is to implement mandatory access controls over a variety of requests made to the kernel in a way that:
 o minimizes changes to the kernel
 o minimizes overhead in the kernel
 o permits flexibility and choice between different implementations, each of which is presented as a self-contained LSM.

so it is a set of hooks placed at security-relevant points inside the kernel (just before an operation such as open, exec, bind or ptrace is carried out), which the active module can veto after the usual DAC permission check has already passed. MAC therefore only ever removes access, it never grants what DAC would deny.
2090
for a long time the only security model implemented was SELinux. current implementations are:
 o SELinux
 o AppArmor
 o Smack
 o Tomoyo

only one of these "major" LSMs can be active at a time, as they potentially hook the same parts of the kernel (small "minor" modules such as Yama stack alongside them).
2098
SELinux was originally developed by the NSA and has been integral to RHEL for a very long time, which gave it a large user base.
it's a set of security rules used to determine which processes can access which files, dirs, ports and other items on the system.
it works with 3 conceptual quantities:
 o Contexts - labels on files, processes, ports. examples are SELinux user, role and type
 o Rules - describe access control in terms of contexts: which process types may do what to which file/port types
 o Policies - sets of rules that describe what system-wide access control decisions SELinux should make

an "SELinux context" is the label a rule refers to when defining how users, processes, files and ports may interact. the default is to deny any access; rules describe what is allowed on the system.
2107
SELinux runs in one of 3 modes:
 o Enforcing - all SELinux code is operative and access is denied according to policy. all violations are audited and logged.
 o Permissive - SELinux code is enabled, but it only audits and warns about operations that would be denied in enforcing mode. useful for finding what a new policy would break before enforcing it.
 o Disabled - completely off. no SELinux protection, and files created meanwhile get no labels (a relabel is needed before re-enabling).

the mode is set in /etc/selinux/config. the location varies by distribution; on RHEL-family systems /etc/sysconfig/selinux is a symlink to it (!!!).
2114
> sestatus # current mode and policy
> getenforce # current mode
> setenforce # switch between Enforcing and Permissive on the fly
> sudo setenforce Permissive
< Permissive

setenforce switches on the fly, but you cannot disable SELinux with it (disabling needs a reboot).
to disable SELinux:
 o edit the config file (/etc/selinux/config) and set SELINUX=disabled, then reboot. the default way
 o kernel param: add selinux=0 to the kernel command line when rebooting
2125
 the same file (/etc/selinux/config) sets the SELinux policy (SELINUXTYPE=). multiple policies may be installed, but only 1 can be active at a time. each policy's files must be installed under /etc/selinux/<SELINUXTYPE>

 most common policies:
 o targeted - the default. only selected ("targeted") daemons, mostly network-facing ones, run in confined domains; user processes and init run unconfined. even unconfined processes get the memory execution restrictions (execmem, execstack, etc.), which reduces exposure to buffer overflow exploits.
 o minimum - a cut-down variant of targeted. only a few selected processes are confined.
 o MLS - Multi-Level Security. much more restrictive. all processes are placed in fine-grained security domains with particular policies.
2132
contexts are labels applied to files, dirs, ports and processes; rules are written in terms of these labels.
a context has 4 fields (user:role:type:level):
 o user
 o role
 o type
 o level
we will focus on the type. by convention type labels end with "_t".

use -Z to see the context: (!!!)
> ls -Z
> ps auxZ
2144
chcon changes the context (temporarily: a relabel or restorecon will undo it):
> chcon -t etc_t someFile
> chcon --reference someFile someOtherFile
2148
commands extended to work with SELinux: ls, ps, cp, mv, mkdir
if SELinux is disabled, no useful info is displayed in the related fields of those.

newly created files inherit the context of their parent dir, and cp gives the copy the context of the destination dir. mv however keeps the file's existing label, so a file moved into e.g. /var/www/html still carries user_home_t and the web server will be denied access to it.

> restorecon - resets file contexts to what the policy says they should be for that path
2155
to change SELinux policy behaviour at runtime without rewriting the policy, configure SELinux Booleans, which are policy parameters that can be switched on or off.
> getsebool # see booleans. try also with "-a"
> setsebool # set booleans (runtime only unless -P is given)
> semanage boolean -l # see persistent boolean settings
2160
2161example:
2162> getsebool ssh_chroot_rw_homedirs
2163< ssh_chroot_rw_homedirs --> off
2164> sudo setsebool ssh_chroot_rw_homedirs on
2165> getsebool ssh_chroot_rw_homedirs
2166< ssh_chroot_rw_homedirs --> on
2167> sudo reboot
2168...
2169> getsebool ssh_chroot_rw_homedirs
2170< ssh_chroot_rw_homedirs --> off
2171
2172example of persistent:
2173> getsebool ssh_chroot_rw_homedirs
2174< ssh_chroot_rw_homedirs --> off
2175> sudo setsebool -P ssh_chroot_rw_homedirs on
2176> getsebool ssh_chroot_rw_homedirs
2177< ssh_chroot_rw_homedirs --> on
2178> sudo reboot
2179...
2180> getsebool ssh_chroot_rw_homedirs
2181< ssh_chroot_rw_homedirs --> on
2182
2183
setroubleshoot-server example (a file created in $HOME keeps its user_home_t label when moved under the web root, so httpd is denied):
> echo test > file
> mv file /var/www/html
> wget -O - localhost/file
< 403 Forbidden (and an AVC denial is logged)
> tail /var/log/messages
< some output, including a "run sealert -l <id>" hint
> sealert -l d51d34f9-... (the id from the previous output)
the right fix here is to restore the label (restorecon on the file), not to write a policy exception.
2192
2193tool that generates SELinux policy rules from logs of denied operations:
2194> audit2allow
2195
2196tool that generates SELinux audit messages into a description of why the access was denied:
2197> audit2why
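Added example (not from these notes or from setroubleshoot/audit2allow): a Python parser for the AVC lines those tools work from, run over two constructed audit.log lines that reproduce the mv-into-/var/www/html case above plus a port binding. It separates a label problem (fix: restorecon) from a genuine policy gap (shows the allow rule audit2allow would write, for a human to judge). The log lines, PIDs and the triage heuristic are assumptions for the example.

```python
import re
from collections import Counter

# Two constructed audit.log lines in the kernel's AVC format (not from a real
# host): httpd reading a file that still carries user_home_t after being mv'ed
# under /var/www/html, and httpd binding to an unreserved port. The SYSCALL
# line shows that non-AVC records are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1548935000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="file" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548935100.500:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1548935100.500:457): arch=c000003e syscall=49 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Turn one AVC line into a dict; None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, quoted, bare in FIELD_RE.findall(m["fields"]):
        rec[key] = quoted if quoted else bare
    # a context is user:role:type:level; policy rules are written against the type
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def denials(log_text):
    return [r for r in map(parse_avc, log_text.splitlines())
            if r is not None and r["result"] == "denied"]


def summarize(log_text):
    """Count denials per (source type, target type, class), a tiny sealert."""
    return Counter((r["stype"], r["ttype"], r["tclass"]) for r in denials(log_text))


def suggest(rec):
    """Triage heuristic (assumed): a confined daemon hitting a user_home_t or
    tmp_t file is almost always a mislabeled file, so fix the label. Anything
    else is shown as the allow rule audit2allow would generate, for a human to
    judge. Loosening policy for a label problem is the classic wrong fix."""
    if rec["ttype"] in ("user_home_t", "tmp_t") and rec["tclass"] in ("file", "dir"):
        return f"restorecon -v <path of {rec.get('name', '?')}>  # relabel, keep the policy as is"
    perms = " ".join(rec["perms"])
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};  # review before loading"


if __name__ == "__main__":
    for rec in denials(SAMPLE_AUDIT_LOG):
        print(rec["comm"], rec["stype"], "->", rec["ttype"], rec["tclass"], rec["perms"])
        print("   ", suggest(rec))
    print(summarize(SAMPLE_AUDIT_LOG))
```

On a real host feed it `ausearch -m avc -ts recent` output or /var/log/audit/audit.log; the point of the summary is that the same (source, target, class) triple repeating hundreds of times is one problem, not hundreds.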
2198
2199links about SELinux:
2200https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/
2201https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/
2202
2203
2204AppArmor:
2205 o LSM alternative to SELinux
2206 o provides Mandatory Access Control (MAC)
2207 o supported since 2006
2208 o used in Suse, Ubuntu and other distros
 o considered easier by some but not all
 o filesystem-neutral: profiles are path-based, so no file labels are needed (the flip side: a hard link or bind mount can put the same file under a path the profile doesn't cover)
 o also provides a learning (complain) mode, where violations are only logged
2212
if AppArmor is available in the kernel, on a systemd-equipped system you can do:
> sudo systemctl <start|stop|restart|status> apparmor

to enable/disable loading at boot:
> sudo systemctl <enable|disable> apparmor
status:
> sudo apparmor_status
2221
AppArmor modes: enforce and complain, analogous to SELinux enforcing and permissive modes. apparmor_status lists which profiles are in which mode and which running processes are confined by them (e.g. libvirtd); a running process that isn't listed is unconfined even if a profile for it exists on disk.
> ps aux | grep libvirtd
2224
2225profiles are stored in: /etc/apparmor.d
2226
2227> man apparmor.d
2228
AppArmor has a few utilities, all prefixed aa-. for example on OpenSUSE:
> rpm -qil apparmor-utils | grep bin
utils:
 aa-status (apparmor_status)  show status of all profiles and the processes confined by them
 aa-notify                    show a summary of AppArmor log messages
 aa-complain                  set a specified profile to complain mode
 aa-enforce                   set a specified profile to enforce mode
 aa-disable                   unload a specific profile from the current kernel and prevent it from being loaded on system startup
 aa-logprof                   scan log files; if violations have been found, suggest how to take them into account in the profile and, if approved, modify and reload it
 aa-easyprof                  help set up a basic AppArmor profile for a program
2239
2240
2241
2242/// chapter 42 - Local System Security ///
2243by the end:
2244 → assess system security risks
2245 → protect BIOS and boot loader with passwords
2246 → use appropriate mount options, setuid, setgid to enhance security
2247
22484 areas to protect: physical, local, remote, personnel
2249
an organization should have a clear security policy: simple and easy to follow, updated frequently, kept as a written document (in addition to online documentation if needed), and specifying what actions to take in response to a security breach.
2251
2252risk analysis:
2253 o what do I want to protect
2254 o what am I protecting against
2255 o how much time, personnel and money is needed to provide adequate protection
2256
22572 security philosophies:
2258 o anything not expressly permitted is denied
2259 o anything not expressly forbidden is permitted
2260
2261general guidelines:
 o the human factor is the weakest link. you must educate your users. the largest share of incidents originates inside and is not even malicious
 o no computing environment is invulnerable. only a system that is not connected to anything and turned off is
 o paranoia is a good thing
2265
users should never put the current dir (".") in their PATH. if they do, an attacker only has to drop a script called ls into a shared dir (e.g. /tmp) containing the single line:
/bin/rm -rf $HOME
and the victim's home dir is gone as soon as they type ls in that dir. the same trick with "." early in root's PATH hands the attacker root.
2269
any system not fully updated should be considered vulnerable.
in the Linux world regressions from security patches are rare, and delaying a security patch is almost never justifiable; if it must wait, at least know which exposed services the patch covers.
2272
any time HW is physically accessible, these can happen:
 o key logging
 o network sniffing
 o boo­ting with a live or rescue disk - it's good to configure the BIOS/UEFI (boot order, password) to protect against this
 o remounting and modifying disk contents - only full-disk encryption really protects against this
2278
2279
BIOS/UEFI is the lowest level of security you control. it should be protected with a password (otherwise the boot order and the boot loader password below are trivially bypassed), and its firmware should be kept updated.
boot loader - password as well. in GRUB 2 it's harder to set up (you use grub-mkpasswd-pbkdf2 and a custom script under /etc/grub.d). link:
https://help.ubuntu.com/community/Grub2/Passwords
2284
when a FS is mounted, in /etc/fstab various options can be specified to enhance security:
 o nodev - don't interpret char or block special devices on the FS (so a user-writable FS can't be used to create a device node that maps the raw disk)
 o nosuid - set-user-ID and set-group-ID bits on executables are ignored
 o noexec - no direct execution of binaries on the mounted filesystem (a speed bump, not a wall: an interpreter can still read a script from there)
 o mount the FS in read-only mode, as in:
 > mount -o ro,noexec,nodev /dev/sda2 /mymountpt
 or in /etc/fstab
 /dev/sda2 /mymountpt ext4 ro,noexec,nodev 0 0
 typical candidates for nodev,nosuid,noexec: /tmp, /dev/shm, /home and removable media.

normally a program runs with the privileges of the user executing it! occasionally you want to extend the capabilities of users (passwd must be able to write /etc/shadow, for example).
by setting the setuid (set user ID) flag on an executable file, one modifies this normal behaviour by giving the program the access rights of the file's owner rather than of the user running it; setgid does the same for the group. this is generally a bad idea: a bug in a setuid-root binary is a local privilege escalation, so keep the set of such files as small as possible and know what is in it.

setting setuid/setgid bits:
> chmod u+s file
> chmod g+s file
in ls -l they show as an "s" in place of the owner's/group's "x"; a capital "S" means the bit is set on a file that is not executable, so it has no effect.

for dirs setgid is used to create a shared dir: files created in this dir are group-owned by the group owner of the dir rather than by the creator's primary group. setuid on directories is ignored on Linux.
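
added example (my code, not from the course notes): list the setuid/setgid files on a filesystem and diff the list against a saved baseline, which is how you keep the set of privileged binaries small and notice a new one. the demo tree at the bottom is constructed so the script runs without root:

```shell
#!/bin/sh
# Added example, not from the course notes. Lists the setuid/setgid files on a
# filesystem and diffs the list against a saved baseline. $1 is the directory
# to scan (stays on one filesystem: -xdev).

# "<mode> <owner> <group> <path>" for each setuid (4000) or setgid (2000)
# regular file under $1, sorted by path so two runs are comparable.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null \
        | awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# Save the current list as the baseline file $2.
suid_baseline() {
    suid_list "$1" > "$2"
}

# Compare $1 against baseline $2: "<" lines disappeared, ">" lines are new or
# changed (mode or ownership). Exit status 0 only when nothing changed.
suid_diff() {
    suid_list "$1" | diff "$2" -
}

# Usage on a real system (as root). Keep the baseline off-box or read-only,
# otherwise an attacker who gets root simply regenerates it:
#   suid_baseline / /var/lib/suid.baseline
#   suid_diff     / /var/lib/suid.baseline
# Demo on a constructed tree so it runs without root:
demo=$(mktemp -d)
touch "$demo/normal" "$demo/privileged"
chmod 0755 "$demo/normal"
chmod 4755 "$demo/privileged"          # setuid, shows as -rwsr-xr-x
suid_baseline "$demo" "$demo.baseline"
chmod u+s "$demo/normal"               # something turned a normal binary setuid
suid_diff "$demo" "$demo.baseline" || echo "setuid set changed (see > lines above)"
rm -rf "$demo" "$demo.baseline"
```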



/// chapter 43 - basic troubleshooting ///
There's no one good way to do this. It is a combination of skill, intuition and luck.
by the end:
 → troubleshoot your system, following a number of steps iteratively until solutions are found
 → check your network and file integrity for possible issues
 → resolve problems when there is a system boot failure
 → repair and recover corrupted filesystems
 → understand how rescue and recovery media can be used for troubleshooting

3 levels of troubleshooting:
 beginner - can be taught very quickly
 experienced - comes after a few years of practice
 wizard - some people think you have to be born this way, but no: all of these skills can be learned. every company should have at least 1 person at this level

even the best-administered systems will develop problems. troubleshooting can isolate HW from SW problems, and local problems from local network and Internet problems.

basic recipe:
 characterize the problem
 reproduce the problem
 always try the easy things first
 eliminate possible causes 1 at a time
 change only 1 thing at a time. if it doesn't fix the problem, change it back
 check the system logs for further info (/var/log/messages and /var/log/secure on RHEL-style systems, /var/log/syslog and /var/log/auth.log on Debian-style ones, journalctl on systemd)

things to check when there is an issue with networking (in this order, each step depends on the previous one):
 o IP configuration - use ip addr (or the older ifconfig) to see if the interface is up, and if so, whether it has an address
 o network driver - maybe the correct device driver for the network card is not loaded. check lsmod to see if the driver is loaded as a kernel module (!!!), or examine the relevant pseudo-files in /proc and /sys, such as /proc/interrupts or /sys/class/net
 o connectivity - use ping to see if the network is reachable, checking response time and packet loss. traceroute follows packets hop by hop through the network, while mtr does this continuously. use these utilities to tell whether the problem is local or on the Internet
 o default gateway and routing config - run ip route (or route -n) and see if the routing table makes sense: is there a default route, and is the gateway on the local subnet?
 o hostname resolution - run dig or host on a hostname and see if it resolves. if an IP address works but the name does not, the problem is DNS (/etc/resolv.conf, /etc/hosts, /etc/nsswitch.conf), not routing
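
added example (my code, not from the course notes): the checklist above as a script that runs the stages in order and stops at the first failure, since each stage depends on the one before. it uses iproute2, ping and getent; the default target host example.com is an assumption, pass another as $1. the two parsers take text or a sysfs root as input so they can be exercised on constructed data without a network:

```shell
#!/bin/sh
# Added example, not from the course notes. Runs the network checklist in
# order and stops at the first failing stage. Assumes Linux with iproute2,
# iputils ping and glibc getent. Target host is an assumption ($1 overrides).

# Interface carrying the default route, parsed from "ip route show" text ($1);
# prints nothing when there is no default route.
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Gateway of the default route from the same text, or nothing (e.g. a
# point-to-point link has "default dev ppp0" with no "via").
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Link state as the kernel reports it (up/down/unknown). $2 overrides the
# sysfs root so the function can be tested against a constructed tree.
iface_operstate() {
    cat "${2:-/sys}/class/net/$1/operstate" 2>/dev/null || echo unknown
}

# Stages: 1 interface/driver, 2 address, 3 gateway, 4 DNS, 5 remote host.
net_diagnose() {
    host=${1:-example.com}
    routes=$(ip route show 2>/dev/null)
    dev=$(default_route_iface "$routes")
    [ -n "$dev" ] || { echo "FAIL 1: no default route. check ip link, lsmod for the NIC driver, DHCP"; return 1; }
    state=$(iface_operstate "$dev")
    [ "$state" = up ] || { echo "FAIL 1: $dev is $state. driver, cable, or 'ip link set $dev up'"; return 1; }
    ip -4 addr show dev "$dev" 2>/dev/null | grep -q 'inet ' \
        || { echo "FAIL 2: no IPv4 address on $dev. check DHCP / static config"; return 1; }
    gw=$(default_gateway "$routes")
    if [ -n "$gw" ]; then
        ping -c 1 -W 2 "$gw" >/dev/null 2>&1 \
            || { echo "FAIL 3: gateway $gw does not answer. the problem is on the local network"; return 1; }
    fi
    getent hosts "$host" >/dev/null \
        || { echo "FAIL 4: cannot resolve $host. check /etc/resolv.conf, /etc/nsswitch.conf, the DNS server"; return 1; }
    ping -c 1 -W 2 "$host" >/dev/null 2>&1 \
        || { echo "FAIL 5: $host unreachable or filters ICMP. run mtr $host to see where the path breaks"; return 1; }
    echo "OK: $dev up, gateway ${gw:-none} answers, $host resolves and answers"
}

# Usage: sh netcheck.sh [host]. The status is kept in a variable rather than
# exit-ed so the file can also be sourced just for the functions.
net_diagnose "$@" || net_status=$?
```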

network problems can be caused either by SW or HW.

things to check when there is an issue with file integrity:
to check for corrupt or modified files and binaries, on rpm-based systems:
> rpm -V some_package # verify a single package
> rpm -Va # verify all packages on the system
only files that differ from the package database are listed, with a flag per attribute: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities. a "c" before the path marks a config file, which is expected to differ

on Debian-based systems:
> debsums some_package # compare checksums of the files in that package. not all packages ship checksums
> dpkg -V some_package # verify (dpkg >= 1.17), same output format as rpm -V
> sudo aide --check # intrusion detection: scan files and compare them to the last scan. the AIDE database must have been initialised on a known-good system and kept read-only or off-box, or an intruder simply updates it
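
added example (my code, not from the course notes): triage rpm -Va output so the list of changed files is sorted by what matters (dpkg -V prints the same nine-column layout, with "?" for checks it cannot perform, so it works there too). the sample lines at the bottom are constructed, not from a real host:

```shell
#!/bin/sh
# Added example, not from the course notes. Triages "rpm -Va" (or "dpkg -V")
# output. Each line is a flag string, an optional attribute letter, and the
# path, e.g.:
#   S.5....T.    /usr/bin/passwd          size/digest/mtime differ
#   S.5....T.  c /etc/ssh/sshd_config     c = config file, expected to differ
#   missing      /usr/lib64/libfoo.so
# Flag positions: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities. A digest or size change on a non-config file is
# what matters for integrity; mode/owner changes are worth a look; an
# mtime-only change is noise. Reads files given as arguments, or stdin.
rpm_verify_triage() {
    awk '
    NF == 0 { next }
    {
        flags = $1; attr = (NF == 3) ? $2 : ""; path = $NF
        if (flags == "missing") { printf "MISSING %s\n", path; next }
        content = (substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5")
        mode    = (substr(flags, 2, 1) == "M")
        owner   = (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
        if (attr == "c")        { printf "CONFIG %s (%s)\n",   path, flags }  # review by hand
        else if (attr == "g")   { next }                                      # ghost files never match
        else if (content)       { printf "TAMPERED %s (%s)\n", path, flags }
        else if (mode || owner) { printf "MODE %s (%s)\n",     path, flags }
        else                    { printf "MINOR %s (%s)\n",    path, flags }
    }' "$@"
}

# Number of TAMPERED lines in the triage output (0 = nothing to investigate).
rpm_verify_tampered_count() {
    rpm_verify_triage "$@" | awk '/^TAMPERED / { n++ } END { print n + 0 }'
}

# Usage on a real rpm system:
#   rpm -Va 2>/dev/null | rpm_verify_triage | sort
# Demo on constructed output (not from a real host):
printf '%s\n' \
    'S.5....T.    /usr/bin/passwd' \
    '.M.......    /usr/sbin/sshd' \
    'S.5....T.  c /etc/ssh/sshd_config' \
    'missing     /usr/lib64/libfoo.so' \
    '.......T.    /usr/share/x/README' \
    | rpm_verify_triage
```

a TAMPERED hit on a binary still has to be matched against the package's own history (prelink, a vendor hotfix) before calling it an intrusion; the digest from a clean copy of the package (rpm -qp --dump) is the reference.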

things to check when there is an issue with boot process failures:
check what happens at each stage. assuming you get through the BIOS stage, these might happen:
 o no boot loader screen - check for GRUB misconfiguration or a corrupted boot sector. you may need to reinstall the boot loader (grub-install from rescue media)
 o kernel fails to load - if the kernel panics during the boot process, it is most likely misconfigured or corrupted, or incorrect params were specified on the kernel command line in the GRUB config file. you can reinstall the kernel, or enter the interactive GRUB menu at boot, edit the command line params and try to fix it that way, or boot into a rescue image as described in the next chapter
 o kernel loads but fails to mount the root filesystem - main causes:
   - misconfigured GRUB config file (e.g. wrong root= parameter or missing initrd line)
   - misconfigured /etc/fstab
   - no support for the root FS type, either built into the kernel or as a module in the initramfs (initial RAM disk / FS)
 o failure during the init process - many possible causes. look closely at the messages displayed before things stop. try booting into a lower runlevel, such as 3 (no graphics) or 1 (single user mode); under systemd the equivalents are systemd.unit=multi-user.target and systemd.unit=rescue.target on the kernel command line

things to check when there is an issue with filesystem corruption and recovery:
if during the boot process one or more FSes fail to mount, fsck may be used to attempt a repair. however, before doing that one should check that /etc/fstab has not been misconfigured or corrupted. note once again that the problem could also be an FS type the kernel does not understand.

if the root FS has been mounted, you can examine this file, but "/" may have been mounted read-only, so to edit the file and fix it you can run:
> sudo mount -o remount,rw / # remount it with write permission

if /etc/fstab seems to be correct, move on to fsck. first try:
> sudo mount -a
to mount all FSes listed there. if it fails, try to manually mount the ones with problems. run fsck first in check-only mode (fsck -n) to see what it would change, afterwards run it again (fsck -p, or -y) to have it fix any errors found. only fsck an FS that is unmounted or mounted read-only; repairing one that is mounted read-write makes the damage worse.
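
added example (my code, not from the course notes): lint /etc/fstab for the three mistakes above (malformed entry, missing mount point, FS type the kernel does not know) before running mount -a, plus the recovery sequence itself as a function. /proc/filesystems is the source of known types; its path can be overridden, which the constructed demo at the bottom uses:

```shell
#!/bin/sh
# Added example, not from the course notes. Lints an fstab for the mistakes
# that make "mount -a" fail after the root FS is up, then shows the recovery
# sequence from the notes as a function. The kernel's list of known FS types
# comes from /proc/filesystems ($2 overrides it for testing). A type missing
# there may only need its module loaded (modprobe xfs), so UNKNOWN_TYPE means
# "check", not "broken".
fstab_lint() {
    fstab=$1; known=${2:-/proc/filesystems}
    awk -v known="$known" '
    BEGIN {
        # /proc/filesystems lines look like "nodev<TAB>proc" or "<TAB>ext4"
        while ((getline line < known) > 0) { n = split(line, f, /[ \t]+/); ok[f[n]] = 1 }
    }
    /^[[:space:]]*(#|$)/ { next }
    NF < 4              { print "BAD_FIELDS " $0; next }
    $3 == "swap"        { next }                     # swap has no mount point
    !($3 in ok) && $3 != "auto" { print "UNKNOWN_TYPE " $2 " " $3 }
    { print "CHECKDIR " $2 }
    ' "$fstab" | while IFS= read -r line; do
        case "$line" in
            "CHECKDIR "*) d=${line#CHECKDIR }; [ -d "$d" ] || printf 'NO_MOUNTPOINT %s\n' "$d" ;;
            *)            printf '%s\n' "$line" ;;
        esac
    done
}

# The recovery sequence, to run as root from the rescue or single-user shell
# (not executed here: it needs root and real block devices). fsck runs
# read-only first (-n), then with -p/-y, and only on entries that are not
# currently mounted.
fs_recover() {
    mount -o remount,rw / || return 1            # make /etc/fstab editable
    problems=$(fstab_lint /etc/fstab)
    if [ -n "$problems" ]; then
        printf 'fix /etc/fstab first:\n%s\n' "$problems"; return 1
    fi
    mount -a && { echo "all filesystems mounted"; return 0; }
    # mount -a failed: check each non-root, non-swap entry that is not mounted
    awk '!/^[[:space:]]*(#|$)/ && $2 != "/" && $3 != "swap" { print $1 }' /etc/fstab |
    while IFS= read -r dev; do
        grep -q "^$dev " /proc/mounts && continue
        echo "== $dev: dry run"; fsck -n "$dev"
        echo "== $dev: repair";  fsck -p "$dev" || fsck -y "$dev"
    done
}

# Demo of the lint on a constructed fstab and a constructed kernel type list.
demo=$(mktemp -d)
printf 'nodev\tproc\n\text4\nnodev\ttmpfs\n' > "$demo/filesystems"
printf '%s\n' '/dev/sda1 / ext4 defaults 0 1' "/dev/sda2 $demo xfs defaults 0 2" \
    '/dev/sda3 /no/such/dir ext4 defaults 0 2' 'broken entry' > "$demo/fstab"
fstab_lint "$demo/fstab" "$demo/filesystems"
rm -rf "$demo"
```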



/// chapter 44 - system rescue ///
sooner or later a system is likely to fail. it's good to have rescue media ready (pendrive / CD / network boot)
by the end:
 → explain the forms of system rescue media
 → know how to enter emergency mode and what can be done there
 → know how to enter single user mode, what can be done there and how it differs from emergency mode



a rescue image generally contains a limited but powerful set of utilities useful for troubleshooting and fixing problems on a system:
 o disk mgmt utils
 o network utils
 o miscellaneous utils
 o log files

exact choices vary from one Linux distro to another, but when you boot from an install or live CD/pendrive, you'll get an option with a name like "Rescue Installed System".

examples of utils:
 o disk utils for creating partitions, managing RAID devices, managing logical volumes and creating FSes: fdisk, mdadm, pvcreate, vgcreate, lvcreate, mkfs and others
 o network utils for network debugging and connectivity: ifconfig, route, traceroute, mtr, host, ftp, scp, ssh
 o other commands like: bash, chroot, kill, vi, dd, tar, cpio, gzip, rpm, mkdir, ls, cp, mv, rm and others

the rescue image will ask a number of questions upon starting, one of them being whether or not to mount your FSes (if it can find them). if so, they are mounted somewhere, usually under /mnt/sysimage. you can move to that dir to get to your files, or change into that environment with:
> sudo chroot /mnt/sysimage

for a network-based rescue you may also be asked to mount the install source, at /mnt/source.

you may install SW packages from inside the chroot-ed environment. you may also be able to install them from outside it, for example on an rpm-based system by using the --root option to specify the location of the root directory:
> sudo rpm -ivh --force --root=/mnt/sysimage /mnt/source/Packages/vsftpd-2*.rpm

emergency boot media - useful when your system won't boot due to some issue such as missing, misconfigured or corrupted files, or a misconfigured service

rescue media may also be useful if the root password is somehow lost or scrambled and needs to be reset (chroot into the system and run passwd). this is also the attacker's view of physical access: anyone who can boot their own media can do the same, unless the disk is encrypted.

most Linux distros permit the install media to double as a rescue disk, which is very convenient. there are also special-purpose rescue disks available.

live media provide a complete and bootable OS which runs in memory rather than loading from a disk. users can evaluate an OS without installing it or making changes to the existing OS. they can run without an HDD.

the procedure for entering a special rescue OS is broadly the same everywhere. it can be accessed from an option on the boot menu. in many cases you may have to type rescue at a prompt like:
> boot: linux rescue
the exact keyword varies between distros (e.g. inst.rescue on recent Fedora/RHEL installers)

then you may be asked which language to continue in, and to make some distro-dependent choices. then you are prompted to select where a valid rescue image is located: CD/DVD, HDD, NFS, FTP or HTTP.
then you are prompted about mounting your FSes. if they can be found, they are mounted under /mnt/sysimage. you'll be given a shell prompt and access to various utils to make the appropriate fixes to your system.

chroot can be used to work inside your root ("/") FS as if the system had booted from it, so that tools like grub-install or the package manager operate on the installed system rather than on the rescue environment.
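
added example (my code, not from the course notes): a chroot into /mnt/sysimage only works for grub-install, update-grub, dracut/mkinitramfs and package managers if /dev, /proc, /sys and /run from the rescue environment are bind-mounted into it first; the plain chroot above gives a shell where those are empty. /mnt/sysimage is the assumed mount point; with DRY_RUN=1 the commands are printed instead of run, which the demo at the bottom does:

```shell
#!/bin/sh
# Added example, not from the course notes. Prepares a usable rescue chroot:
# bind-mounts the live system's pseudo filesystems into the target, enters
# it, and cleans up afterwards. /mnt/sysimage is the assumed mount point.
# DRY_RUN=1 prints the commands instead of executing them.

run_or_print() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Mount what a working chroot needs. --rbind carries submounts along
# (e.g. /dev/pts, and /sys/firmware/efi/efivars for UEFI grub-install).
rescue_chroot_prepare() {
    root=${1:-/mnt/sysimage}
    if [ ! -d "$root/etc" ]; then
        echo "$root does not look like a mounted root filesystem" >&2; return 1
    fi
    run_or_print mount --bind  /proc "$root/proc" || return 1
    run_or_print mount --rbind /sys  "$root/sys"  || return 1
    run_or_print mount --rbind /dev  "$root/dev"  || return 1
    run_or_print mount --rbind /run  "$root/run"  || return 1
}

# Undo in reverse order; umount -R (util-linux) unmounts the rbind trees.
rescue_chroot_cleanup() {
    root=${1:-/mnt/sysimage}
    for fs in run dev sys proc; do
        run_or_print umount -R "$root/$fs"
    done
}

# Prepare, drop into a login shell in the target, clean up when it exits.
# Usage (as root, from the rescue shell): sh rescue-chroot.sh /mnt/sysimage
rescue_chroot_enter() {
    root=${1:-/mnt/sysimage}
    rescue_chroot_prepare "$root" || return 1
    run_or_print chroot "$root" /bin/sh -l
    rescue_chroot_cleanup "$root"
}

# Demo: print the command sequence for a constructed target directory.
demo=$(mktemp -d); mkdir "$demo/etc"
DRY_RUN=1 rescue_chroot_enter "$demo"
rm -rf "$demo"
```

inside the chroot, /etc/resolv.conf is the target's own, so package installs over the network may need it edited or bind-mounted from the rescue system first.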

many distros provide a boot.iso (or similarly named) image file for download. you can then use dd to write it to a USB key, as in:
> dd if=boot.iso of=/dev/sdX bs=4M conv=fsync status=progress
/dev/sdX is the whole device, not a partition like /dev/sdX1. double-check it with lsblk first: dd writes wherever it is told, and the wrong letter wipes a data disk

the utils livecd-tools and liveusb-creator allow specifying either a local drive or the Internet as the location to obtain an install image from. they work for virtually all Linux distros.

emergency mode - boots into the most minimal environment possible. the root FS is mounted read-only, no init scripts are run and almost nothing is set up. that is the main advantage of emergency mode over single-user mode: a corrupted init configuration will stop the latter but not the former.

to enter emergency mode, select an entry from the GRUB boot menu and hit e to edit. then add the word emergency to the kernel command line (the line starting with linux) before telling the system to boot (Ctrl-x or F10). under systemd the explicit form is systemd.unit=emergency.target

when your system boots but does not allow you to log in once booting completes, try single user mode. in this mode:
 o init is started
 o services are not
 o neither is the network
 o all FSes are mounted
 o root access is granted without a password (under systemd, sulogin may still ask for the root password; if that is lost, add init=/bin/bash to the kernel line instead). this is exactly why the boot loader needs a password
 o a system maintenance command line shell is launched
 o the system boots to runlevel 1 (in SysVinit language; rescue.target under systemd). because single user mode automatically tries to mount your FSes, you cannot use it when the root FS cannot be mounted successfully or if the init configuration is corrupted

to enter single user mode use the same method as for emergency mode, but write single (or just 1) instead of emergency.



chroot - used to run commands such as mount and update-grub inside the installed system (from rescue media) in order to recover it.


systemd - now mostly used in place of SysVinit; emergency.target and rescue.target are its names for the two modes above


https://training.linuxfoundation.org/certification/linux-foundation-certified-sysadmin-lfcs/
!!!!!!!!


administer, administrate

https://www.istqb.org/
http://sjsi.org/polaczenie-ireb-i-reqb/

Overall description:: Add new signal to modify GTP-U session.

IP_PACGEN:: Add handling for new signal IPPACGEN_CN_GTPU_SESSION_MODIFY_IND
           to support CNHHO. The signal allows changing the TEID and RNC IP
           address of an existing GTP-U session.

RANAP_CO:: Change in IpPacGenGtpUSessionProxy API.

CN_SG:: Add handling of swapping the GTP-U tunnel in
        RelocationPending state in case of CNHHO


https://www.dreamincode.net/forums/topic/78802-martyr2s-mega-project-ideas-list/


https://4programmers.net/Forum/Edukacja/317916-droga_do_devopsa?p=1538664#id1538664


tables

https://www.ikea.com/pl/pl/catalog/products/30339735/
https://www.ikea.com/pl/pl/catalog/products/60261037/

IKEA, to choose from:
https://www.ikea.com/pl/pl/catalog/categories/departments/workspaces/20649/
;
this collection:
https://www.officefurnitureitaly.com/modern-desk/infinity-babini.html

http://krakow-meble.pl/14-stoly-i-krzesla


The static keyword has another meaning when applied to global variables -- it gives them internal linkage (which restricts them from being seen/used outside of the file they are defined in). Because global variables are typically avoided, the static keyword is not often used in this capacity.
!!!


https://writing.stackexchange.com/questions/39876/how-can-i-make-a-character-who-isnt-a-jerk-seem-like-one

https://law.stackexchange.com/questions/33212/student-drugs-a-teacher-what-laws-are-potentially-broken

http://www.lambdafaq.org/what-about-the-diamond-problem/

book: Najgorszy człowiek na świecie ("The Worst Person in the World")


modular furniture
furniture price comparison sites

https://allegro.pl/uzytkownik/DekoracjaDomu-pl?order=m
;
https://allegro.pl/hit-regal-styl-bialy-188x188-cm-nowoczesny-biuro-i7072196632.html?reco_id=f657bbff-e0fe-11e8-b3c8-246e9680da28
;
https://allegro.pl/uzytkownik/DekoracjaDomu-pl/meble-522?order=m
;
https://allegro.pl/uzytkownik/DekoracjaDomu-pl/wyposazenie-123?order=m
;
https://allegro.pl/uzytkownik/DekoracjaDomu-pl/meble-522?order=m&p=5

furniture outlets
http://www.outletmeblowy.pl/

buy online at:
http://pl.dawanda.com/
https://www.etsy.com/
;
What is worth buying?
Individual pieces that are meant to stand out and make a "wow" effect - tables, coffee tables, armchairs, bedside tables, accessories.


11. Antique fairs, classified ads
http://patyna.pl/
http://odwzorowanie.pl/
http://allegro.pl/
http://olx.pl/



Among Polish showrooms with good design I would add Moma Studio http://www.momastudio.pl/ and NAP http://nap.com.pl/, among Scandinavian ones BoConcept, and for beautiful furniture and accessories MintGrey http://www.mintgrey.pl/, BB Home http://bbhomeonline.pl/ and House and More http://houseandmore.pl/. Among Polish furniture manufacturers, good quality besides Paged can also be found at Bydgoskie Fabryki Mebli and Matkowski Meble. Regards, Kasia



There are two resources that I always recommend when preparing for interviews:

http://www.crackingthecodinginterview.com/
 “Cracking the Coding Interview”, a fantastic book that includes a lot of coding problems and their solutions, as well as summaries of what you need to know to solve them

 https://www.codewars.com/
 CodeWars, a website that has a large collection of coding problems that you can solve in the browser using a wide selection of languages. The most useful part is seeing how other users solved the same problem. You’ll get to see different approaches to the same problem and learn new tools in the language of your choice.




but at what cost



In the RNC they test release 8, there is nothing about release 9. meanwhile the PSS talks about release 9: "RANAP Relocation request contains RRC SRNS Relocation Info IE in version higher than r5 (up to r9)"