Feb 21, 2019, 12:04 PM

Libertarian paternalism
https://pl.wikipedia.org/wiki/Heurystyka_reprezentatywności
https://pl.wikipedia.org/wiki/Lista_b%C5%82%C4%99d%C3%B3w_poznawczych
!!!

https://bilety-rockserwis.pl
;
The CBS television network dramatised the course of the experiment, shooting the film The Tenth Level. John Travolta appeared in it, with William Shatner, known from the Star Trek series, in the role of Milgram.
;
In 2015 the biographical film [1] "Experimenter" premiered.
;
https://pl.wikipedia.org/wiki/Ekonomia_behawioralna
;
In 2011 Kahneman's book "Thinking, Fast and Slow", dedicated to Tversky and summarising his scientific career, was published.



!!!



ps -elf
 shows processes with parent PID
changing niceness of a currently running process:
 renice +3 [pid]
ps lf

libraries, good if reused
 static - loaded during compiling, changing it later doesn't affect running process
 shared - loaded during runtime, changing it later affects running process. also called DLL (on Windows (?)). more efficient, memory usage is lower, exe size too, and they can be used by many apps at once.
 big change in shared library can cause so called "DLL Hell". especially on 16-bit where all apps ran in a shared address space

ldd `which vim`
 shows shared library dependencies
 it's not safe since it can result in executing some arbitrary code (ldd may run the binary's dynamic loader; on an untrusted binary prefer `objdump -p` or `readelf -d`, which only read the ELF headers)

ulimit -n 2048
 change max no. of opened files to 2048

zombie process - has terminated but no other process has yet asked about its exit state



ipcs
 the old way of doing IPC - Inter Process Communication. System V IPC. Key of 0 means IPC_PRIVATE - they are only shared between processes in a parent/child relationship

SIGNALS:
 what are they?
 know different types of signals in Linux
 use signals from command line: kill, killall, pkill

s. - used to notify processes asynchronously (so the s. was not expected, or was expected but the exact time was not)
2 paths:
 kernel -> process when there is an exception
 user process -> another (or the same) process

s. can be sent only between processes owned by the same user or from a process owned by the superuser to any process

2 s. cannot be handled (caught or ignored) and always take their default action on the program:
 SIGKILL
 SIGSTOP

SIGKILL kills a process and cannot be caught

SIGTERM kills a process but can be caught to do a graceful exit

SIGSTOP suspends the process until you do a SIGCONT

kill -l
 list all (?) signals

man 7 signal
 shows overview of signals

examples of 'kill' command:
 kill 1991
 kill -9 1991
 kill -SIGKILL 1991

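The SIGTERM/SIGKILL contrast above, as an added shell example that is not part of the original notes (the worker, the marker file and the function names are my own): a background worker traps SIGTERM to clean up before exiting, while SIGKILL ends it with no chance to run any handler.

```shell
#!/bin/sh
# Added example (not from the notes): SIGTERM can be caught and handled,
# SIGKILL cannot. Runs as an ordinary user; only its own children are signalled.

# Start a background worker that, on SIGTERM, writes "cleaned" to the marker
# file $1 and exits 0. It sets no trap for KILL: the kernel never hands SIGKILL
# to a handler, so nothing in userspace can intercept it.
start_worker() {
    marker="$1"
    (
        trap 'echo cleaned > "$marker"; exit 0' TERM
        while :; do sleep 1; done      # "work" until told to stop
    ) >/dev/null 2>&1 &
    WORKER_PID=$!
    sleep 1     # give the subshell time to install its trap before we signal it
}

# Reap the worker and record its exit status in WORKER_STATUS.
# A process ended by a signal reports 128 + signal number (SIGKILL = 9 -> 137).
reap_worker() {
    WORKER_STATUS=0
    wait "$WORKER_PID" || WORKER_STATUS=$?
}

# SIGTERM path: the handler runs, the marker appears, exit status is 0.
terminate_gracefully() {
    marker=$(mktemp)
    rm -f "$marker"
    start_worker "$marker"
    kill -TERM "$WORKER_PID"
    reap_worker
    if [ "$WORKER_STATUS" -eq 0 ] && [ "$(cat "$marker" 2>/dev/null)" = cleaned ]; then
        result=graceful
    else
        result="status=$WORKER_STATUS"
    fi
    rm -f "$marker"
    echo "$result"
}

# SIGKILL path: no handler runs, no marker is written, exit status is 137.
force_kill() {
    marker=$(mktemp)
    rm -f "$marker"
    start_worker "$marker"
    kill -KILL "$WORKER_PID"
    reap_worker
    if [ -e "$marker" ]; then
        result="handler ran"
    else
        result="status=$WORKER_STATUS"
    fi
    rm -f "$marker"
    echo "$result"
}
```

Call `terminate_gracefully` (prints `graceful`) and `force_kill` (prints `status=137`) to see both outcomes; each run takes a couple of seconds because the worker sleeps in one-second steps.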
_______

package managers:
 Red Hat - Yum
 Fedora - DNF
 SUSE - Zypper
 Debian - apt-get

2 levels of packaging system utilities:
 low level, not resolving dependencies, like rpm, dpkg
 high level, solving dependencies, like yum/dnf/zypper for rpm; apt-get/apt-cache for dpkg

Process of installing/removing software:
 creating symbolic links
 creating dirs if needed
 setting permissions
 anything that can be scripted (?)

in Debian based systems a source package comes with:
 tarball: "*.tar.gz"
 description: "*.dsc"
 a second tarball with patches or other files: "*.debian.tar.gz" or "*.diff.gz"





apt-get source logrotate
;
https://lms.quickstart.com/custom/799658/LAB_7.1.pdf
;
/etc/apt/sources.list # read up on this!!!
/etc/apt/sources.list.d/
;
/etc/apt/preferences # setting preferences (pinning). read up!
;
apt-get moo
;
sudo apt-get autoremove # get rid of older kernel versions
sudo apt-get clean # cleans archived package files that have been installed
;
https://lms.quickstart.com/custom/799658/LAB_10.1.pdf
!!!
https://lms.quickstart.com/custom/799658/LAB_10.2.pdf
https://lms.quickstart.com/custom/799658/LAB_10.3.pdf


info about packages, examine contents, download
packages.debian.org
packages.ubuntu.org


dpkg -l # list all installed packages
dpkg -L wget # list files in the wget package
dpkg -s wget # show info about an installed package
dpkg -I foobar.deb # show info about a package file
dpkg -c foobar.deb # list files in a package file
dpkg -S /etc/init/networking.conf # show what package owns /etc/init/networking.conf
dpkg -S wget # search which installed packages own files whose path matches "wget"
dpkg -V package # without an arg. it will verify all packages on the system. see the man page to interpret the output

sudo dpkg -i foobar.deb # install/upgrade the `foobar` package from a .deb file
sudo dpkg -r foobar # remove the `foobar` package (except its configs)
sudo dpkg -P foobar # remove the `foobar` package (with configs) (P is for Purge)

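An added example, not part of the notes, for interpreting `dpkg -V` output: dpkg only verifies md5sums, so a failed check shows as `5` in the third position of the 9-character field, a `c` after it marks a conffile, and `missing` lines are packaged files that are gone. The sample output below is constructed for the demonstration, not captured from a real system, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the notes: classify `dpkg -V` output so that
# tampered binaries stand out from routinely edited config files.
# SAMPLE_DPKG_V is constructed for the demonstration (paths are illustrative).

SAMPLE_DPKG_V='??5??????   /usr/bin/ssh
??5?????? c /etc/ssh/sshd_config
missing     /usr/lib/x86_64-linux-gnu/libexample.so.1
??5??????   /usr/sbin/sshd'

# Read verify lines on stdin, print "<CLASS> <path>" per line.
#   MODIFIED-CONFFILE : md5 mismatch on a file dpkg knows is a config file
#   MODIFIED-FILE     : md5 mismatch on any other packaged file (suspicious)
#   MISSING           : packaged file no longer present
# Note: paths containing spaces are not handled (the last field is taken as the path).
classify_dpkg_verify() {
    awk '
        $1 == "missing"         { print "MISSING " $NF; next }
        substr($1, 3, 1) == "5" {
            if (NF == 3 && $2 == "c") print "MODIFIED-CONFFILE " $NF
            else                      print "MODIFIED-FILE " $NF
            next
        }
        { print "UNKNOWN " $0 }
    '
}

# Count findings worth investigating: modified non-conffiles and missing files.
# Edited conffiles are usually deliberate admin changes and are left out.
count_suspicious() {
    printf '%s\n' "$SAMPLE_DPKG_V" | classify_dpkg_verify \
        | awk '/^(MODIFIED-FILE|MISSING) / { n++ } END { print n + 0 }'
}
```

On a real system, pipe `dpkg -V` (run as root) into `classify_dpkg_verify`; a MODIFIED-FILE on a package binary is worth comparing against a freshly downloaded copy of the same package version.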
apt-cache search apache2
apt-cache show apache2 # show info about apache2
apt-cache showpkg apache2 # show more detailed info about apache2
apt-cache depends apache2 # list dependencies of apache2
apt-cache search apache2.conf
apt-cache list apache2 # list all files in apache2 package

sudo apt-get update
sudo apt-get install <package>
sudo apt-get remove <package>
sudo apt-get --purge remove <package> # remove the package and its configs from the system
sudo apt-get upgrade # apply all available updates to packages already installed
sudo apt-get dist-upgrade # smarter upgrade
sudo apt-get autoremove # get rid of older kernel versions
sudo apt-get clean # cleans archived package files that have been installed
;
notice that update without upgrade effectively does nothing (update only refreshes the package lists)



monitoring - chapter 11
 many system monitoring tools make use of pseudo-file systems, especially in /proc and /sys
(/proc and /sys pseudo-filesystems)

main process and load monitoring utilities:
 top # process activity, dynamically updated
 uptime # how long the system has been running and avg load
 ps # detailed info about processes
 pstree # a tree of processes and their connections
 mpstat # multiple CPU usage
 iostat # CPU utilization and I/O stats
 sar # display and collect info about system activity
 numastat # info about NUMA (Non-Uniform Memory Architecture)
 strace # info about all system calls a process makes

memory monitoring utilities:
 free # brief summary of memory usage
 vmstat # detailed virtual memory stats and block I/O, dynamically updated
 pmap # process memory map

I/O monitoring utilities
 iostat # CPU utilization and I/O statistics
 sar # display and collect info about system activity
 vmstat # detailed virtual memory stats and block I/O, dynamically updated

network monitoring utilities
 netstat # detailed networking stats
 iptraf # gather info on network interfaces
 tcpdump # detailed analysis of network packets and traffic
 wireshark # detailed network traffic analysis

/proc and /sys:
 pseudo-filesystems with lots of info about the system; many entries are writable and writing to them will change system behavior
 pseudo-filesystems because:
 when the system is not running, they are empty
 they are generated only when a user looks at them; they are not updated periodically
 most *tunable* system parameters are in '/proc/sys/*'
 TODO: fs/ - file system; net/, vm/
 modifying values:
 sudo bash -c 'echo 100000 > /proc/sys/kernel/threads-max'

/sys is based on the Unified Device Model, conceptually a device tree, with buses, devices, etc. Most files contain only 1 line of text.

You might find the output from "man hier" fascinating

network devices:
ls -lF /sys/class/net


sar - System Activity Reporter. just a command line tool. its backend is SADC - System Activity Data Collector, which accumulates statistics.
 > sar [options] [interval] [count]
e.g.:
 > sar 3 3
interesting switches
 -A almost all, a wall of text

stress - tool to stress the CPU
e.g.:
 > stress -c 8 -i 4 -m 6 -t 20s
 fork off 8 CPU-intensive processes, each doing sqrt()
 fork off 4 I/O-intensive processes, each doing sync()
 fork off 6 memory-intensive processes, each doing malloc(), allocating 256MB by default. Size can be changed as in --vm-bytes 128M

chapter 12 - process monitoring
(by the end of this chapter: ps, pstree, top)

ps has 3 formats of options (this explains the odd syntax)

> ps aux
// processes that exist totally within the kernel are surrounded by [] (like [kthreadd])
if there is one per CPU, the number tells us on which CPU it runs

legend:
VSZ - virtual memory size in KB
RSS - resident set size
STAT - describes the state of the process. mostly sleeping or running.
 < high prio (not nice)
 N low prio (nice)
 L having pages locked in memory
 s session leader
 l multi-threaded
 + being in the foreground process group

adding the f option (ps auxf) shows ancestry, like pstree (?)

> ps -elf # unix option format
# shows NI(ceness) and Parent Process ID

you can specify the output format with "-o", like:
ps -o pid,uid,cputime,pmem,command


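The STAT legend above (and the zombie definition from the process notes earlier), as an added shell example that is not part of the original notes: it decodes a STAT value using the state codes documented in ps(1) and picks processes by state out of a constructed `ps aux` listing. SAMPLE_PS, its PIDs and commands are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the notes: decode the STAT column of `ps aux`
# and pick out processes by state from a constructed ps listing
# (SAMPLE_PS is made up for the demonstration; PIDs and commands are illustrative).

SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 168000 11000 ? Ss 10:00 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 10:00 0:00 [kthreadd]
alice 1203 0.3 1.2 520000 98000 ? Ssl 10:02 0:12 /usr/sbin/sshd
alice 1340 99.0 0.5 33000 4000 pts/0 R+ 10:05 3:11 ./cruncher
alice 1355 0.0 0.0 0 0 ? Z 10:06 0:00 [cruncher] <defunct>
alice 1401 0.0 0.2 41000 9000 ? D<L 10:07 0:00 dd if=/dev/sdb of=/dev/null'

# Turn a STAT value such as "Ssl" or "D<L" into a readable description.
# First character = process state, the rest = modifiers (ps(1), PROCESS STATE CODES).
decode_ps_stat() {
    s="$1"
    first=${s%"${s#?}"}          # first character
    rest=${s#?}                  # everything after it
    case "$first" in
        R) out="running/runnable" ;;
        S) out="interruptible sleep" ;;
        D) out="uninterruptible sleep (usually I/O)" ;;
        T) out="stopped by job control signal" ;;
        t) out="stopped by debugger" ;;
        Z) out="zombie (terminated, not yet reaped by parent)" ;;
        I) out="idle kernel thread" ;;
        *) out="unknown state '$first'" ;;
    esac
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}
        rest=${rest#?}
        case "$c" in
            '<') out="$out, high priority (not nice)" ;;
            N)   out="$out, low priority (nice)" ;;
            L)   out="$out, pages locked in memory" ;;
            s)   out="$out, session leader" ;;
            l)   out="$out, multi-threaded" ;;
            '+') out="$out, foreground process group" ;;
            *)   out="$out, unknown flag '$c'" ;;
        esac
    done
    echo "$out"
}

# Print the PIDs whose STAT begins with the given state letter, e.g. Z for
# zombies (entries waiting for a parent to wait() on them; kill does nothing
# to them, the parent must reap them) or D for processes stuck in I/O, which
# cannot be killed until the I/O completes.
pids_in_state() {
    printf '%s\n' "$SAMPLE_PS" | awk -v st="$1" 'NR > 1 && substr($8, 1, 1) == st { print $2 }'
}
```

On a live system the same awk works over `ps aux` directly, since STAT is the 8th column there.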
/// chapter 13 - memory, monitoring usage, tuning ///
by the end:
 list the primary (inter-related) considerations and tasks involved in memory tuning (?)
 know entries of /proc/sys/vm and
 decipher /proc/meminfo
 understand the OOM-killer (which selects processes to exterminate to open up some memory)

when tweaking /proc/sys/vm, you want to change 1 thing and look for effects.
also:
 control flushing (?)
 control swap behaviour
 control overcommission (?)

utilities to use:
 free - brief summary of memory usage
 vmstat - detailed virtual memory stats and block I/O, dynamically updated (not on my system, apparently)
 pmap - process memory map

values in /proc/sys/vm can be changed by:
 directly writing to the entry. almost all entries are writable (by root)
 using the sysctl utility
you can find docs describing this directory in the kernel source (?). Usually under Documentation/sysctl/vm.txt

> vmstat [options] [delay] [count]
> vmstat 2 4 # some delay and count
> vmstat -s # summary, nice
> vmstat -d # table of disk statistics
> vmstat -p /dev/sdb1 2 4 # stats for the given partition, plus some polling

13.7.b. /proc/meminfo II
learn the table with the field descriptions, analyse it, take a screenshot, whatever

OOM-Killer I
Linux overcommits memory; in practice this works because hardly any program uses 100% of the memory it allocates
Whenever a child process is forked, it receives a copy of the entire memory space of the parent
Because Linux uses the COW (Copy on Write) technique, no actual copy needs to be made unless one of the processes modifies memory. However, the kernel has to assume that the copy might need to be done (?).
If memory is exhausted, Linux invokes the OOM-Killer (Out Of Memory Killer), which decides which processes should be exterminated.

Order of killing is determined by badness (/proc/[pid]/oom_score). a normal user can only increase the badness (via /proc/[pid]/oom_score_adj). a negative value can be given only by root. note that /proc/[pid]/oom_adj is deprecated

sudo swapoff -a # turn off swap

# !!!!!!!
dmesg # kernel msgs

disabling swap partitions increases the chances of the system invoking the OOM-Killer

heuristic algorithm - read up on what that is



312
313/// chapter 14 - I/O Monitoring and Tuning ///
314by the end:
315 use iostat to monitor system I/O device activity
316 use iotop to display a constantly updated table of current I/O usage
317 use ionice to set both the I/O schedulling class and the priority for a given process
318
319system is considered I/O-bound when the CPU is found sitting idle waiting for I/O to complete, or the network is waiting to clear buffers
320
321I/O is complex. we'll consider I/O scheduling later
322
323> iostat # generates general I/O reports
324#tps - I/O transactions per sec; logical requests can be merged into one actual request
325# block read or written per unit time, where block is most of the time 512B
326# total block read or written
327# dm - device mapper
328
329> iostat -k # kB instead of blocks. "-m" also works
330
331> iostat -xk # extended!!!
332
333> iotop # top dla I/O
334> iotop -o # shows only devices that are inputting/outputting now
335
336> ionice -p [pid] # checking scheduling class and priority for a given process
337
338
339
/// chapter 15 - I/O scheduling ///
(???)
the system depends heavily on optimizing the I/O scheduling strategy
by the end:
 explain the importance of I/O scheduling and describe the conflicting requirements that need to be satisfied
 delineate and contrast the options available under Linux (?)
 understand how the CFQ (Completely Fair Queue) and Deadline algorithms work

2 layers: VM (Virtual Memory) and VFS (Virtual File System) submit I/O requests to block devices. it is the job of the scheduling layer to prioritize and order these requests before they are given to the block devices

at least 1 I/O scheduling algorithm must be compiled into the kernel:
 CFQ
 Deadline Scheduling
 noop (a simple scheme)
CFQ and Deadline are the defaults

> cat /sys/block/<sda>/queue/rotational # checks if the disk is an SSD (0 - SSD)

> echo noop > /sys/block/<sda>/queue/scheduler # as root
> cat /sys/block/<sda>/queue/scheduler

things to change vary according to the particular I/O scheduler and can be found under:
/sys/block/<device>/queue/iosched

<blah blah, I don't understand this>



/// chapter 16 - Linux Filesystems and the VFS ///
!!!!!!!
by the end:
 explain the basic filesystem organisation
 understand the role of the VFS
 know which filesystems are available and which ones can be used on your actual system
 know why journaling filesystems are better
 discuss the use of special filesystems in Linux

VFS - Linux doesn't need to know exactly which filesystem it is working on
Modern Linux filesystems:
 ext4
 xfs
 btrfs

!!!
Linux uses an inverted tree hierarchy ("/"). Usually there are multiple partitions joined together at mount points. They can also include removable media, like USB drives and others.
Also certain "virtual pseudo filesystems" will be mounted within the tree, things like /proc, /sys, /tmp, /run

Each of the elements within the tree may in fact have its own filesystem variety (!). But to the OS it all appears in one, unified tree structure.
Linux implements a VFS, like every modern OS (!). It translates all I/O system calls into specific code relevant to the particular actual filesystem. Therefore, the filesystem need not be considered by applications. Also, network filesystems (such as NFS) can be handled transparently

/proc has a filesystem named "proc" (!)

!!!

> cat /proc/filesystems # outputs all filesystems "understood" by our OS

> dd if=/dev/zero of=junk bs=1M count=512
> sudo mkfs.xfs junk
> sudo mount junk /mnt
> df -h # to check the newly created disk
> lsmod | less # we can see that xfs is now used (it wasn't before)

newer filesystems include full "journaling" capability, which allows recovery from system crashes. it comes at the price of more operations to do.
In journaling filesystems operations are grouped into "transactions". Each t. must be completed without error, atomically, or will not be completed.
Ext3 was the 1st journaling filesystem for Linux (Ext3 was Ext2 + journaling)

Some of Linux's filesystems have no mount point - user apps don't interact with them, but the kernel uses them, taking advantage of VFS layers and code.

tmpfs - expands its size dynamically. starts at 0, expands as necessary up to the max. size it was mounted with


/// chapter 17 - Disk partitioning - introduction ///
After:
 describe and contrast the most common types of hard disks and data buses
 partitioning strategies
 Use blkid and fdisk
 back up and restore partitions (!)

 disk geometry. get geometry:
 fdisk -l /dev/sda

up to 4 partitions -> disk
1 of them may be subdivided into logical partitions

reasons to divide disks:
 separation
 sharing - through /home
 security - imposed quotas, permissions and settings
 size

also:
 performance - data can be accessed faster if it is either closer to the center or on a quicker disk
 swap - Linux prefers specific swap partitions. Hibernation also uses it

512 bytes - MBR, including:
 first 446 bytes - program, usually GRUB
 16*4 partition table entries
 2 bytes left (?)

Each of those 16 bytes:
 active bit
 beginning address in cylinder/head/sectors (CHS) format (ignored by Linux)
 partition type code indicating: xfs, LVM, ext4, ...
 ending address in CHS (also ignored by Linux)
 start sector, counting linearly from 0 } in Linux these 2 are coded using Logical Block Addressing (LBA)
 number of sectors in partition }

Linux normally accesses device nodes in the /dev directory through the infrastructure of the kernel's Virtual File System
SCSI and SATA disks naming:
 sda, sdb - 1st disk, 2nd disk
 sda1, sdc4 - 1st partition of 1st disk, 4th partition of 3rd disk
back in the days of IDE disks it could also be:
 /dev/hda3, /dev/hdb

blkid - utility to locate block devices and report on their attributes. it works with the libblkid library.
Identifying disks with /dev/* is not reliable. It can change after changing port. use UUID instead. blkid shows UUIDs.
> sudo blkid /dev/sda*
;
lsblk - related utility which presents results in a tree format

Linux requires min. 2 partitions:
 /
 swap - can be >1. on a single disk system try to center swap. on a multiple disk system try to spread it over disks.

backing up system!!!
sudo dd if=/dev/sda of=mbrbackup bs=512 count=1 # backing up the MBR on the first disk including the 64-byte partition table which is part of it
restoring!!!
sudo dd if=mbrbackup of=/dev/sda bs=512 count=1

note that it only copies the primary partition table, not partition tables stored in the other partitions (for extended partitions, etc.).


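The MBR layout described above (446 bytes of boot code, four 16-byte partition entries, a 2-byte signature) and the `dd` backup of it, as an added shell example that is not part of the original notes: it builds a 512-byte MBR image with constructed partition entries and parses it back with `od` and awk, which is also a way to inspect an `mbrbackup` file before restoring it. The image contents and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the notes: build a 512-byte MBR image with the
# layout described above (446 bytes of boot code, four 16-byte partition
# entries, 2-byte 0x55AA signature) and parse it back with od + awk.
# The image is constructed here; a real one comes from
#   sudo dd if=/dev/sda of=mbrbackup bs=512 count=1
# and can be inspected with the same functions before you ever dd it back.

# Write a sample MBR to $1: zeroed boot-code area, three partitions, one empty slot.
make_sample_mbr() {
    {
        dd if=/dev/zero bs=446 count=1 2>/dev/null           # boot code (zeroed here)
        # entry 1: active, type 0x83 (Linux), LBA start 2048, 1048576 sectors
        printf '\200\000\000\000\203\000\000\000\000\010\000\000\000\000\020\000'
        # entry 2: inactive, type 0x82 (Linux swap), start 1050624, 2097152 sectors
        printf '\000\000\000\000\202\000\000\000\000\010\020\000\000\000\040\000'
        # entry 3: inactive, type 0x05 (extended), start 3147776, 4194304 sectors
        printf '\000\000\000\000\005\000\000\000\000\010\060\000\000\000\100\000'
        dd if=/dev/zero bs=16 count=1 2>/dev/null            # entry 4: unused
        printf '\125\252'                                    # signature 0x55 0xAA
    } > "$1"
}

# "valid" if the last two bytes are 0x55 0xAA, else "invalid".
check_mbr_signature() {
    od -An -v -tu1 -j 510 -N 2 "$1" | awk '{ print ($1 == 85 && $2 == 170) ? "valid" : "invalid" }'
}

# Print one line per used slot: "<n> <active|inactive> type=0x.. start=<lba> sectors=<count>".
# CHS fields are skipped, as Linux ignores them; start and count are 32-bit little-endian.
parse_mbr() {
    od -An -v -tu1 -j 446 -N 64 "$1" | awk '
        { for (i = 1; i <= NF; i++) b[n++] = $i }      # flatten the 64 bytes
        END {
            for (e = 0; e < 4; e++) {
                o = e * 16
                type = b[o + 4]
                if (type == 0) continue                 # empty slot
                start = b[o+8]  + b[o+9]*256  + b[o+10]*65536 + b[o+11]*16777216
                count = b[o+12] + b[o+13]*256 + b[o+14]*65536 + b[o+15]*16777216
                printf "%d %s type=0x%02x start=%d sectors=%d\n", e + 1,
                       (b[o] == 128) ? "active" : "inactive", type, start, count
            }
        }'
}
```

Run `parse_mbr mbrbackup` on a real backup before restoring it: a missing signature or nonsensical start/sector values means the file is not the 512 bytes you think it is.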
471
472utilities to manage partition tables:
473 fdisk - menu driven partition table editor.
474 sfdisk - non=interactive, useful for scripting. use it CAREFULLY
475 parted - GNU partition manipulation program. It can create, remove, resize and move partitions (including certain FSes)
476 gparted - GUI parted. Popular on live editions of systems. It's better (?) to use only CLI tools. E.G. RHEL no longer supports gparted.
477
478Fdisk is ALWAYS included in Linux distro, so it's good to know it.
479> sudo fdisk /dev/sdb
480 m - display the menu
481 p - list the partition table
482 n - new partition
483 d - delete the partition
484 t - change partition type
485 w - write new partition table information and exit. Before using it, no changes are made!!! So before you use `w`, use `p`
486 q - quit without making changes. It's safe to quit before using `w`.
487
488When it asks for last sector, you can input:
489> +5G
490to create 5 Gb partition
491
492System will not use new partition table until you reboot. But
493> sudo partprobe -s
494tries to read new partitino table. not always reliable
495> cat /proc/partitions (!!!)
496to examine partitions system is currently aware of
497
498Then:
499> mkfs.ext4 /dev/sda3
500Proceed?
501> y
502
503
504
/// chapter 18 - Filesystem features - attributes, creating, checking, mounting ///
By the end I should be able to:
 Explain concepts such as inodes (<3), directory files, extended attributes
 create and format filesystems
 check and fix errors on FSes
 mount and unmount FSes


Inode - data structure describing and storing file attributes, including location. Every file is associated with its own inode.
Info contained:
 permissions
 user and group ownership
 size
 timestamps (nanosecond)
 last access time
 last modification time
 change time
 NOT filenames - they are stored in the directory file
All I/O activity concerning a file usually also involves the file's inode, as its information must be updated


Directory file: a specific type of file. Associates file names and inodes. 2 ways of doing this:
 Hard links point to an inode
 Soft (symbolic) links point to a file name which has an associated inode

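The inode/directory-file distinction above, as an added shell example that is not part of the original notes: it creates a file, a hard link and a symlink in a throwaway directory, compares their inode numbers and link count, then removes the original name to show which link survives. The file names and the function name are my own.

```shell
#!/bin/sh
# Added example, not from the notes: show what "directory files associate
# names with inodes" means in practice. Works in a throwaway temp dir.

# Prints one line describing the inode relationships:
#   hard=<same|different> soft=<same|different> links=<count> after_rm=<hard>,<soft>
link_demo() (
    dir=$(mktemp -d)
    cd "$dir" || exit 1
    echo payload > original
    ln original hard          # second directory entry for the SAME inode
    ln -s original soft       # new inode whose content is the name "original"

    inode_of() { ls -id "$1" | awk '{ print $1 }'; }   # ls -i does not follow symlinks
    orig=$(inode_of original); hard=$(inode_of hard); soft=$(inode_of soft)
    links=$(ls -ld original | awk '{ print $2 }')      # link count stored in the inode

    rm original               # removes one name; the inode lives while any name remains
    if [ "$(cat hard)" = payload ]; then h=hard-readable; else h=hard-lost; fi
    if cat soft >/dev/null 2>&1; then s=soft-readable; else s=soft-dangling; fi

    cd / && rm -rf "$dir"
    printf 'hard=%s soft=%s links=%s after_rm=%s,%s\n' \
        "$([ "$orig" = "$hard" ] && echo same || echo different)" \
        "$([ "$orig" = "$soft" ] && echo same || echo different)" \
        "$links" "$h" "$s"
)
```

The same idea explains why `rm` on a file does not free its blocks while another hard link (or an open file descriptor, see `lsof`) still refers to the inode.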
chattr [+|-|=mode] filename
lsattr filename

these are equivalent:
> sudo mkfs -t ext4 /dev/sda10
> sudo mkfs.ext4 /dev/sda10

there's also
> fsck - file system check (?) // TODO


mount - attach an FS at any point in the tree structure
umount - detach them

the mount point must exist before the FS is attached. It must exist before mount can use it (TODO). mkdir will help here. If files existed there before, they will disappear and appear again after unmounting (TODO).
Each FS is mounted under a specific directory
> sudo mount -t ext4 /dev/sdb4 /home
 o mounts an ext4 FS
 o the FS is located on a specific partition of a hard drive (/dev/sdb4)
 o the FS is mounted at the position /home in the current directory tree
 o files previously existing in /home will disappear for now

More examples:
> sudo mount /dev/sda2 /home
> sudo mount LABEL=home /home // (?)
> sudo mount -L home /home
> sudo mount UUID=1234134-23542345-235235... /home
> sudo mount -U 1234134-23542345-235235... /home

labels are assigned by specific utilities, e.g. e2label.

remounts a filesystem with the read-only attribute:
sudo mount -o remount,ro /myfs

unmounting:
> sudo umount /dev/sda2
the device must not be in use to unmount it
> fuser (...) # use it to find the user currently using the filesystem
> lsof (...) # list open files to see which files are being used and blocking unmounting

mounting network drives:
sudo mount -t nfs myserver.com:/sharedir /mnt/sharedir
you can put in /etc/fstab:
myserver.com:/sharedir /mnt/sharedir nfs rsize=8192,wsize=8192,timeo=14,intr 0 0

the system may try to mount it before the network is up. These options might help:
_netdev, noauto
for more info:
> man nfs
> man mount

During system boot the command "mount -a" is executed. It mounts all filesystems in the /etc/fstab configuration file. (TODO)

mount and umount can use info from /etc/fstab. So this can work if you have a related setting in /etc/fstab:
> mount /usr/src
instead of:
> mount LABEL=src /usr/src

setting up (e.g.) a pendrive to be mounted only when used:

> grep automount /etc/fstab
LABEL=Sam128 /SAM ext4 noauto,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.idle-timeout=30 0 0
> df -h | grep SAM
> ls /SAM
<output of ls>
> sleep 40
> df -h | grep SAM
<empty output>

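The fstab handling above (network mounts that need `_netdev`, the `mount /usr/src` shortcut, and the systemd automount entry), as an added shell example that is not part of the original notes: a few awk checks over a constructed fstab that reuses those entries. The UUID is a placeholder and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the notes: sanity-check an fstab the way mount -a
# would read it. SAMPLE_FSTAB is constructed for the demonstration and reuses
# the entries discussed above (the UUID is a placeholder, not a real one).

SAMPLE_FSTAB='# <file system>                <mount point>   <type>  <options>                            <dump> <pass>
UUID=1234134-23542345-235235   /               ext4    defaults                             0 1
LABEL=src                      /usr/src        ext4    defaults                             0 2
myserver.com:/sharedir         /mnt/sharedir   nfs     rsize=8192,wsize=8192,timeo=14,intr  0 0
fileserver:/backup             /mnt/backup     nfs     _netdev,noauto,rsize=8192,wsize=8192 0 0
LABEL=Sam128                   /SAM            ext4    noauto,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.idle-timeout=30 0 0'

# Entries only: drop comments and blank lines.
fstab_entries() {
    printf '%s\n' "$SAMPLE_FSTAB" | awk '!/^[[:space:]]*(#|$)/'
}

# What "mount <mountpoint>" resolves to via fstab (field 1 = device/LABEL/UUID spec).
fstab_spec_for() {
    fstab_entries | awk -v mp="$1" '$2 == mp { print $1 }'
}

# Network filesystems whose options lack _netdev: mount -a may try them before
# the network is up, so boot stalls or the mount silently fails.
fstab_network_without_netdev() {
    fstab_entries | awk '$3 ~ /^(nfs|nfs4|cifs|smbfs|sshfs)$/ && ("," $4 ",") !~ /,_netdev,/ { print $2 }'
}

# Mount points handled on demand by systemd automount units.
fstab_automounts() {
    fstab_entries | awk '("," $4 ",") ~ /,x-systemd\.automount,/ { print $2 }'
}

# Every entry carrying "noauto": mount -a skips these at boot.
fstab_noauto() {
    fstab_entries | awk '("," $4 ",") ~ /,noauto,/ { print $2 }'
}
```

Replace the `printf` in `fstab_entries` with `cat /etc/fstab` to run the same checks on a real system.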
list of currently mounted FSes: (TODO)
> mount


see if there are swaps:
> cat /proc/swaps

> df -h -T # T - type



> dumpe2fs /dev/sda2 | less
TODO!!!
check "mount count", "maximum mount count"
> fsck /dev/sda2 (TODO)

mkfs - format filesystems
fsck - check and fix filesystems
lsattr - list extended attributes of a file
chattr - change extended attributes of a file
lsof - list open files


/// chapter 19 - Filesystem features - swap, quotas, usage ///
By the end:
 o Explain the concept of swap and quotas
 o use utilities: quotacheck, quotaon, quotaoff, edquota, quota
 o use utilities: df, du

the only commands involving swapping are:
> mkswap # format a swap partition / file
> swapon # activate a swap partition / file
> swapoff # deactivate a swap partition / file

> sudo quotacheck -vu /home # (TODO)

> df # (TODO) (-i - inodes)
> du # (TODO)


/// chapter 20 - Filesystems ext2/3/4 ///
By the end:
 → describe the main features of ext4 and how it's laid out on disk
 → explain the concept of block groups, superblock, data blocks, inodes
 → use the dumpe2fs and tune2fs utilities
 → list ext4 FS enhancements

ext2 - rarely used today
ext3 - ext2 + journalling. other than that it has the same on-disk layout as ext2
ext4 - mainly used now and default on most systems (but not on RHEL7, which uses XFS)

ext* was designed to cooperate with the VFS (and the other way around).

inode reservation - feature that creates several inodes when a dir is created, expecting them to be used in the future. Performance++.

Fields on disk are written in little-endian order - except the journal.

ext2/3/4 - layout of one block group:
super block, group descriptors, data block bitmap, inode bitmap, inode table (n blocks), data blocks (n blocks)

super block - redundantly stored
data block bitmap, inode bitmap - bits contain 0 or 1 for each one used
inode table - each inode is 128 bytes, so a 4KB block can contain 32 inodes

Ext4:
 → backwards-compatible with ext2/3
 → max. size of a FS: 1 EB (was: 16TB) } these limits come from the 48-bit addressing used
 → max. file size: 16TB (was: 2TB) }
 → increases max. number of subdirectories to infinite* (was: 32k)
 → better large file performance
 → preallocation. allocated space is guaranteed and contiguous.
 → uses checksums for the journal. reliability++
 → timestamps are in [ns] now
 → snapshot support

/// chapter 21 - Filesystems XFS, btrfs ///
By the end:
 → describe XFS
 → maintain XFS
 → describe btrfs

XFS - most maintenance tasks can be done while the system is fully mounted: defragmenting, enlarging, dumping/restoring.



/// chapter 22 - disk encryption ///
By the end:
 → why to use encryption
 → understand how LUKS operates through the use of "cryptsetup"
 → be able to set up and use encrypted filesystems and partitions
 → be able to configure the system to mount encrypted partitions at boot

LUKS - Linux Unified Key Setup - block device level encryption. LUKS is built on top of "cryptsetup", a utility that can also use other methods like "plain dm-crypt" volumes, "loop-AES", "TrueCrypt". LUKS is the default.

Encrypting is done using "cryptsetup". Encrypting a partition:
> sudo cryptsetup luksFormat /dev/sda7
if your system doesn't support the default encryption method used by "cryptsetup", you can choose a different one:
> cat /proc/crypto (TODO)
> sudo cryptsetup luksFormat --cipher aes /dev/sda7

make the volume available at any time with (SECRET is the name of the mapped device):
> sudo cryptsetup --verbose luksOpen /dev/sda7 SECRET
format the partition:
> sudo mkfs.ext4 /dev/mapper/SECRET
mount it:
> sudo mount /dev/mapper/SECRET /mnt
use it. then unmount:
> sudo umount /mnt
remove the mapper association for now; the partition will always be available for later use:
> sudo cryptsetup --verbose luksClose SECRET

to mount an encrypted partition at boot:
 → add an appropriate entry in /etc/fstab. nothing special about it and it doesn't refer to encryption in any way
 → add an entry to /etc/crypttab, as:
 SECRET /dev/mapper/MYSECRET

> man crypttab (TODO)


> dd if=/dev/zero of=loop-partition bs=1M count=1024
> losetup -f
 /dev/loop1
> sudo losetup /dev/loop2 loop-partition
> losetup -l
 <we can see our loop2 added>
> sudo cryptsetup luksFormat /dev/loop2
> YES
 <now it should be encrypted>

> sudo cryptsetup luksOpen /dev/loop2 crypt-partition
> ls -l /dev/mapper
> sudo mkfs.ext4 /dev/mapper/crypt-partition
> sudo mount /dev/mapper/crypt-partition /mnt
...
> sudo umount /dev/mapper/crypt-partition
> sudo cryptsetup luksClose crypt-partition
> sudo losetup -d /dev/loop2
> losetup -f
 /dev/loop1
> rm loop-partition

so the order is:
1. create a partition for the encrypted block device
2. format with cryptsetup
3. create the un-encrypted pass-through device
4. format with a standard FS such as ext4
5. mount the filesystem on the encrypted block device



/// chapter 23 - logical volume mgmt (LVM) ///
By the end:
 → explain the concept behind LVM
 → create, display, resize logical volumes
 → use LVM snapshots

LVMs are similar to RAIDs, and can actually be built on top of a RAID device. LVMs are more scalable.

> sudo lvdisplay # shows logical volumes (pvdisplay and vgdisplay show physical volumes and volume groups)

resize2fs - app to resize ext4 partitions.

LVM snapshots are useful for backups, app testing and deploying VMs



/// chapter 24 - RAID ///
By the end:
 → explain the concept of RAID
 → summarize RAID levels
 → configure a RAID
 → monitor RAID devices
 → use hot spares (?)

RAID - Redundant Array of Independent Disks spreads I/O over multiple disks. May be SW (it's a mature part of the kernel) or HW. HW will probably be faster.


Striping - better performance by spreading data so simultaneous writes are possible
Mirroring - same data on multiple disks, safety++

mdadm - tool to create RAIDs.
once created, the array named /dev/mdX can be used just like any other device, like /dev/sda1

> sudo mdadm -S /dev/md0 # stops the RAID

steps to create a RAID:
1. create partitions on each disk (type fd in fdisk)
2. create the RAID device with mdadm
3. format the RAID device
4. add the device to /etc/fstab
5. mount the RAID device
6. capture RAID details to ensure persistence

E.g.:
> sudo fdisk /dev/sdb
> sudo fdisk /dev/sdc

> sudo mdadm --create /dev/md0 --level=1 --raid-disks=2 /dev/sdbX /dev/sdcX
> sudo mkfs.ext4 /dev/md0
> sudo bash -c "mdadm --detail --scan >> /etc/mdadm.conf"
> sudo mkdir /myraid
> sudo mount /dev/md0 /myraid

Be sure to add a line in /etc/fstab for the mount point:
/dev/md0 /myraid ext4 defaults 0 2



monitoring:
 > sudo mdadm --detail /dev/md0
 > cat /proc/mdstat

 or use the mdmonitor service:
 > sudo bash -c 'echo "MAILADDR your@mail.com" >> /etc/mdadm.conf'
 start it by typing:
 > sudo systemctl start mdmonitor } on Ubuntu it's rather called mdadm
 > sudo systemctl enable mdmonitor }



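The `/proc/mdstat` monitoring above, as an added shell example that is not part of the original notes: it reads an mdstat listing the way a health check (or mdmonitor) would and flags arrays running with fewer members than configured. SAMPLE_MDSTAT is constructed (md0 healthy, md1 a mirror left with one disk) and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the notes: read /proc/mdstat the way a monitoring
# check would, flagging arrays that are missing members. SAMPLE_MDSTAT is
# constructed (md0 healthy, md1 a mirror running on one disk).

SAMPLE_MDSTAT='Personalities : [raid1] [raid0]
md0 : active raid1 sdb1[0] sdc1[1]
      1953381440 blocks super 1.2 [2/2] [UU]
      bitmap: 0/15 pages [0KB], 65536KB chunk

md1 : active raid1 sdd1[0]
      976630464 blocks super 1.2 [2/1] [U_]

unused devices: <none>'

# One line per array: "<name> <level> <ok|DEGRADED> <present>/<expected>".
# The [n/m] field means m of n member devices are present; fewer than n means
# the array is running without redundancy (and a "_" appears in the [UU] map).
mdstat_status() {
    printf '%s\n' "$SAMPLE_MDSTAT" | awk '
        /^md[0-9]+ :/ { name = $1; level = $4; next }
        name != "" && match($0, /\[[0-9]+\/[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), c, "/")
            print name, level, ((c[2] + 0 < c[1] + 0) ? "DEGRADED" : "ok"), c[2] "/" c[1]
            name = ""
        }'
}

# Names of arrays that need attention (what mdmonitor would mail about).
degraded_arrays() {
    mdstat_status | awk '$3 == "DEGRADED" { print $1 }'
}
```

Swap the `printf` for `cat /proc/mdstat` to use it on a live system; a non-empty `degraded_arrays` output is the condition a cron job or monitoring agent should alert on.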
/// chapter 25 ///
by the end:
 → grasp the main responsibilities that the kernel must fulfill and how it achieves them
 → explain what params can be set on the kernel command line and how to make them effective for one or more systems - persistently
 → know where to find detailed documentation on these parameters
 → know how to use sysctl to set kernel parameters either after the system starts, or persistently across system reboots

responsibilities of the kernel:
 → system initialization and boot up
 → process scheduling
 → memory mgmt
 → controlling access to HW
 → I/O between apps and storage devices
 → implementation of local and network FSes
 → security control, both locally (such as FS permissions) and over the network
 → networking control


params are passed to the kernel at boot on the kernel cmd line. they can be edited in the bootloader menu for a single boot, or made persistent in the bootloader config (GRUB_CMDLINE_LINUX in /etc/default/grub, then `grub2-mkconfig -o /boot/grub2/grub.cfg` on Red Hat-like or `update-grub` on Debian-like systems).
to see what options were used to start this system:
> cat /proc/cmdline

documentation of available kernel parameters:
kernel source: Documentation/admin-guide/kernel-parameters.txt (older trees: Documentation/kernel-parameters.txt)
or by typing:
> man bootparam

params are given in the form:
param=value, like:
vmlinuz root=/dev/sda6 ... noapic ... crashkernel=256M

!!!
sysctl - app to read and tune kernel parameters at runtime. it is a front end to /proc/sys: the key kernel.pid_max is the file /proc/sys/kernel/pid_max

show current values:
> sysctl -a
browsing /proc/sys will render the same information

showing values:
> sysctl kernel.pid_max
> sysctl -n kernel.pid_max   # value only, handy in scripts

changing values (runtime only, lost at reboot):
> sudo sysctl -w net.ipv4.ip_forward=1

> man 8 sysctl


persistent settings:
> sudo sysctl -p
reads /etc/sysctl.conf (!!!) and applies it; the same file is read at boot
> man sysctl.conf # for details
on newer (systemd) systems the settings live in drop-in files:
/usr/lib/sysctl.d/*.conf   # shipped by packages, don't edit
/etc/sysctl.d/*.conf       # local overrides; files are applied in lexical order, so 99-local.conf wins
/etc/sysctl.conf is still supported. `sysctl -p` alone only reads /etc/sysctl.conf; to apply everything, including the .d directories, the way boot does:
> sudo sysctl --system

exercise:
lower pid_max to 29000


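added example (not from the course notes): once kernel parameters are set persistently, the useful question is "does the running kernel still match what the config asks for?", e.g. after a package dropped its own file into /usr/lib/sysctl.d or someone ran `sysctl -w` by hand. this script parses a sysctl.conf-style file (comments, `key = value` with whitespace) and reports drift. the baseline file is constructed for the demo (the key names are real sysctls); `SYSCTL_READ` is a hook so the logic can be exercised without root or a real kernel.

```shell
#!/usr/bin/env bash
# report drift between a sysctl.conf-style file and the running kernel (example code)

# reader: prints the current value of one key; default uses the real sysctl
: "${SYSCTL_READ:=sysctl_read_live}"
sysctl_read_live() { sysctl -n "$1" 2>/dev/null; }

# sysctl_drift FILE -> prints "key want=X have=Y" per mismatch, returns 1 if any
sysctl_drift() {
    local file=$1 line key want have drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # '#' comments
        line=${line%%;*}                 # sysctl.conf also allows ';' comments
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$key" ] || continue
        have=$("$SYSCTL_READ" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s want=%s have=%s\n' "$key" "$want" "${have:-<unset>}"
            drift=1
        fi
    done < "$file"
    return $drift
}

# constructed baseline: a few hardening-oriented keys in the usual file syntax
DEMO_CONF='# constructed baseline for the demo
kernel.kptr_restrict = 2          # hide kernel pointers from /proc
kernel.dmesg_restrict = 1         # only root reads the ring buffer
net.ipv4.ip_forward = 0           ; routers need 1 here
fs.protected_symlinks = 1'

# stand-alone use: sysctl_drift /etc/sysctl.d/99-local.conf || echo "kernel parameters drifted"
```

to persist a fix, write the key into /etc/sysctl.d/99-local.conf and run `sudo sysctl --system`; re-running the check afterwards should print nothing and return 0.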
/// chapter 26 - kernel modules ///
by the end:
 → list the advantages of utilizing kernel modules
 → use insmod, rmmod, modprobe to load and unload kernel modules
 → use modinfo to find out info about kernel modules

some parts of the kernel can be added (or removed) as modules when necessary. all but the most central kernel code is integrated in such a fashion.
they may or may not be device drivers.
even though the usage of kernel modules is vastly widespread, Linux is a monolithic architecture rather than a microkernel one. this is because once a module is loaded, it becomes a fully functional part of the kernel, with few restrictions. it communicates with all kernel subsystems via shared resources, such as memory and locks, rather than through message passing as a microkernel might.
security consequence: a loaded module runs with full kernel privilege, so the ability to load modules is equivalent to code execution in ring 0. module signature enforcement (CONFIG_MODULE_SIG_FORCE, lockdown) and `sysctl kernel.modules_disabled=1` (one-way until reboot) exist to limit this.
Solaris also uses modules.

apps for modules:
 → lsmod - list loaded modules (!!!); same data as /proc/modules
 → insmod - directly load a module from a file path; no dependency resolution
 → rmmod - directly remove a module
 → modprobe - (un)load modules by name, using a pre-built module DB with dependency info (`modprobe -r` unloads)
 → depmod - rebuild the module dependency DB (modules.dep); needed by `modprobe` and `modinfo`
 → modinfo - display info about a module (parameters, license, signer, depends)

location of modules: (!!!)
 /lib/modules/$(uname -r)/kernel/<subsystem>/.../module_name.ko

kernel modules have the extension *.ko; many distros ship them compressed as *.ko.xz or *.ko.zst, which modprobe handles transparently

kernel modules are kernel version specific and must match the running kernel or they cannot be loaded (!!!). they must be compiled either when the kernel itself is compiled, or later, on a system which retains enough of the kernel source and compilation configuration (the kernel-devel / linux-headers package)

note:
/lib/modules/$(uname -r) # where uname -r is the current kernel version, such as 4.14.2

it's impossible to unload a module being used by one or more other modules (the "Used by" column of lsmod)

many modules can be loaded while specifying parameter values, such as:
 /sbin/insmod <path_to>/e1000e.ko debug=2 copybreak=256
or, by name and with dependencies resolved:
 /sbin/modprobe e1000e debug=2 copybreak=256
parameters of a loaded module are visible (and some writable, as root) under /sys/module/<name>/parameters/

files in /etc/modprobe.d control params important when loading with `modprobe`, like:
 → module name aliases
 → automatically supplied options
 → blacklist of some modules: `blacklist foo` only stops autoloading by alias (e.g. when a program opens a socket of that protocol); `install foo /bin/false` also makes an explicit `modprobe foo` fail
format of the files is simple. one command per line. # for comments. \ at the end - continuation of the line on the next line


dmesg !!!!!!!!!! - kernel ring buffer: module load messages, taint flags, oopses. `dmesg -T` for readable timestamps; may be restricted to root via kernel.dmesg_restrict

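added example (not from the course notes): the /etc/modprobe.d mechanism described above, used the way hardening guides use it, to keep rarely needed network protocol modules (dccp, sctp, rds, tipc) from ever loading, and a check for whether any of them is loaded right now. the module list is a common choice, the file name is an assumption, and the /proc/modules sample is constructed so the check can run anywhere.

```shell
#!/usr/bin/env bash
# generate a modprobe.d blacklist and check /proc/modules against it (example code)

BLACKLIST="dccp sctp rds tipc"

# write_blacklist DIR -> creates DIR/blacklist-rare-protocols.conf, prints its path
write_blacklist() {
    local dir=$1 m out
    out="$dir/blacklist-rare-protocols.conf"
    {
        echo "# generated: refuse autoload AND explicit modprobe of rare protocols"
        for m in $BLACKLIST; do
            echo "blacklist $m"          # stops alias-based autoload (e.g. socket() of that family)
            echo "install $m /bin/false" # 'modprobe $m' now runs /bin/false instead of loading
        done
    } > "$out" && printf '%s\n' "$out"
}

# loaded_from_list FILE -> prints blacklisted modules present in FILE (/proc/modules format)
loaded_from_list() {
    local file=$1 m
    for m in $BLACKLIST; do
        # first field of /proc/modules is the module name
        if awk -v m="$m" '$1 == m {found=1} END {exit !found}' "$file"; then
            echo "$m"
        fi
    done
}

# constructed /proc/modules excerpt: sctp is loaded, the others are not
SAMPLE_PROC_MODULES='e1000e 278528 0 - Live 0x0000000000000000
sctp 421888 2 - Live 0x0000000000000000
libcrc32c 16384 1 sctp, Live 0x0000000000000000'

# stand-alone use (as root):
#   write_blacklist /etc/modprobe.d
#   loaded_from_list /proc/modules | xargs -r -n1 sudo modprobe -r
#   modprobe -n -v sctp     # dry run; should now print "install /bin/false"
```

the blacklist file only affects future loads, hence the `modprobe -r` step for anything already resident; `modprobe -n -v` is the cheap way to confirm the `install` line is picked up before rebooting.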
/// chapter 27 - devices and udev ///
udev - intelligent mechanism to DYNAMICALLY discover HW and peripheral devices during boot or later. device nodes are created automatically and then used by apps and OS subsystems to communicate with and transfer data to and from devices.
admins can control how udev operates and craft special udev rules to ensure the desired behaviour results.

by the end:
 → explain the role of device nodes, major and minor numbers.
 → understand the need for the udev method and list its key components
 → describe how the udev device manager functions
 → identify udev rule files and learn how to create custom rules

character and block devices have FS entries associated with them; network devices don't.
device nodes can be used by programs to communicate with devices, using normal I/O system calls, such as open(), close(), read(), write() (!!!!!!!). the major number selects the driver, the minor number selects the device within that driver; `ls -l /dev` shows the pair where the file size would normally be.
network devices work by transmitting and receiving packets, which must be constructed by breaking up streams of data, or reassembled into streams when received.

a device driver may manage multiple device nodes, which are normally placed in the /dev directory:
> ls -l /dev

udev runs as a daemon (udevd, today systemd-udevd) and monitors a netlink socket. when a new device is initialized or removed, the kernel uevent facility sends a message through the socket, which udev receives and acts on to create/remove the device node with the right name, owner and permissions according to the rules.
permissions matter: a device node left world-readable/writable by a sloppy rule exposes the HW (disks, serial consoles, USB devices) to every local user, so OWNER/GROUP/MODE in rules are an access-control point, not cosmetics.

3 components of udev:
 → libudev - library which allows access to information about the devices
 → udevd / systemd-udevd - daemon that manages the /dev directory
 → udevadm - utility for control and diagnostics (`udevadm info`, `udevadm monitor`, `udevadm test`, `udevadm control --reload-rules`)

path of rules: (!!!)
 /etc/udev/rules.d/*.rules        # local; a file here overrides a same-named file below
 /usr/lib/udev/rules.d/*.rules    # shipped by packages
all files from both dirs are processed together in lexical order (hence the NN- prefixes). a rule is one line of comma-separated keys: match keys compare (==, !=), assignment keys set (=, +=), e.g.
 SUBSYSTEM=="block", KERNEL=="sd*", MODE="0660", GROUP="disk"

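added example (not from the course notes): a custom rule of the kind the chapter asks for, written, installed and verified with udevadm. it puts newly attached USB mass-storage block devices under a dedicated group instead of the distro default, which is how you stop every local user (or every member of a broad group) from reading a plugged-in disk. the group name, file name and the hypothetical /dev/sdb used in the verification comment are assumptions; `install_rule` takes the target directory as an argument so it can be exercised on a temp dir.

```shell
#!/usr/bin/env bash
# write, install and test a udev rule for USB storage devices (example code)

RULE_NAME="80-usb-storage-group.rules"

# install_rule DIR -> writes the rule file into DIR (normally /etc/udev/rules.d), prints its path
install_rule() {
    local dir=$1 out="$1/$RULE_NAME"
    cat > "$out" <<'EOF'
# match: a block device (disk or partition) whose parent chain contains a USB device
#        bound to the usb-storage driver. SUBSYSTEMS/DRIVERS (plural) search the parents.
# assign: owner root, group usbstorage, mode 0660 -> only root and group members may open it
ACTION=="add", SUBSYSTEM=="block", SUBSYSTEMS=="usb", DRIVERS=="usb-storage", OWNER="root", GROUP="usbstorage", MODE="0660"
# stronger variant (deny instead of restrict): de-authorize the USB interface itself
#ACTION=="add", SUBSYSTEM=="usb", DRIVER=="usb-storage", ATTR{authorized}="0"
EOF
    printf '%s\n' "$out"
}

# reload_rules -> make udevd re-read rules and re-run them for existing block devices (root)
reload_rules() {
    udevadm control --reload-rules && udevadm trigger --subsystem-match=block
}

# stand-alone use (as root):
#   groupadd -r usbstorage
#   install_rule /etc/udev/rules.d && reload_rules
#   # dry-run the rule set against one device and see what it would assign:
#   udevadm test "$(udevadm info -q path -n /dev/sdb)" 2>&1 | grep -E 'OWNER|GROUP|MODE'
#   ls -l /dev/sdb        # expect: brw-rw---- root usbstorage
```

`udevadm test` is the safe way to iterate on a rule: it prints every rule file consulted and the final OWNER/GROUP/MODE for the device without touching /dev. find the attributes to match on with `udevadm info -a -n /dev/sdb`.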
/// chapter 28 - virtualization overview ///
by the end:
 → understand the concept of virtualization, hosts and guests
 → discuss the difference: emulation vs virtualization
 → types of hypervisors
 → know how linux distros use and depend on libvirt
 → use the `qemu` hypervisor
 → install, use and manage KVM (!!!)

the outside world sees the VM as if it were an actual physical machine, present somewhere on the network. apps running in VMs are generally unaware of their non-physical environment.

other kinds of virtualization:
 → network - details of the actual physical network, like types of HW, routers, are abstracted and need not be known by software running on it and configuring it
 → storage - multiple network storage devices are configured to look like one big storage unit
 → application - the app is isolated in a container

still there are important differences between physical and virtual machines.

virtualization has a long history and started on mainframes.
on PCs initially it was done using emulation

host - underlying physical OS managing 1 or more VMs
guest - VM which is an instance of a complete OS, running 1 or more apps. also: client.

an emulator runs completely in software. HW constructs are replaced by software. it is useful for running virtual machines of different architectures, such as running a pretend ARM guest machine on an x86 host. emulation is often used for developing an OS for a new CPU, even before HW is available (!). performance is relatively slow.

2 types of virtualization:
 → HW v. (full v.) - the guest OS does not need modifications.
 → para-v. - the guest system is aware it is running in a virtualized environment and has been modified specifically to work with it.

recent CPUs from Intel and AMD incorporate virtualization extensions to the x86 architecture that allow full v. with only a minor performance penalty.
 → Intel - Intel Virtualization Technology (VT-x)
 → AMD - AMD-V (code-name: Pacifica)

checking if your CPU supports HW v.:
> cat /proc/cpuinfo
> grep -Eo 'vmx|svm' /proc/cpuinfo | sort -u
if your CPU is VT-x capable, you'll see `vmx` in the flags field. if AMD-V: `svm`. if nothing shows up, make sure virtualization is enabled in the firmware (BIOS/UEFI) setup. KVM additionally needs /dev/kvm, which appears when the kvm_intel or kvm_amd module is loaded; your user must be in the group owning it (usually kvm) to use it without root.


a hypervisor can be:
 → external to the host OS - VMware ESXi, Xen
 → internal to the host OS - KVM (the hypervisor is part of the Linux kernel) - we'll use this one here, it's open source and requires no external hypervisor program

KVM added hypervisor capabilities into the Linux kernel.
libvirt - project designed to be a toolkit to interact with virtualization technologies. provides mgmt for virtual machines, virtual networks, storage. some of the apps using it:
 → virt-manager
 → virt-viewer
 → virt-install
 → virsh

> ls -lF /usr/bin/virt* # (!!!)


QEMU - Quick Emulator. it emulates CPUs by dynamically translating binary instructions between the host architecture and the emulated one. together with KVM it stops translating and hands guest code to the CPU's virtualization extensions, emulating only the devices (disk, NIC, ...), which is why the device emulation code is QEMU's main attack surface from inside a guest.

can be used to emulate single apps (user-mode emulation), not just an entire OS. can save, pause, restore a VM at any time. license: GPL.

in fact, QEMU has often been used to develop for CPUs which have not been physically produced or released.

we recommend using virt-manager (!) to configure and run virtual machines.

list of supported image formats:
> qemu-img --help | grep formats

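added example (not from the course notes): the three preconditions for KVM in one check, CPU flag, /dev/kvm present, /dev/kvm usable by the caller, with a pointer at what to fix for each. cpuinfo and the device path are parameters, so the functions run against the constructed cpuinfo sample below as well as against the real /proc/cpuinfo and /dev/kvm.

```shell
#!/usr/bin/env bash
# is this host ready to run KVM guests? (example code)

# virt_flag CPUINFO -> prints "vmx" (Intel VT-x), "svm" (AMD-V) or "none"
virt_flag() {
    local flags
    flags=$(awk -F: '/^flags/ {print $2; exit}' "$1")
    case " $flags " in
        *' vmx '*) echo vmx ;;
        *' svm '*) echo svm ;;
        *)         echo none ;;
    esac
}

# kvm_ready CPUINFO KVMDEV -> 0 if usable, otherwise prints the reasons and returns 1
kvm_ready() {
    local cpuinfo=$1 dev=$2 flag mod=kvm_amd ok=0
    flag=$(virt_flag "$cpuinfo")
    [ "$flag" = vmx ] && mod=kvm_intel
    if [ "$flag" = none ]; then
        echo "no vmx/svm flag: enable virtualization in firmware setup (or this is a VM without nested virt)"
        ok=1
    fi
    if [ ! -c "$dev" ]; then
        echo "$dev missing: load the module (sudo modprobe $mod)"
        ok=1
    elif [ ! -w "$dev" ]; then
        echo "$dev not writable: add your user to the group that owns it (usually kvm) and re-login"
        ok=1
    fi
    return $ok
}

# constructed /proc/cpuinfo excerpt (Intel, vmx present)
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
model name	: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx smx est tm2 ssse3 sse4_1 sse4_2 x2apic popcnt aes xsave avx
bugs		: spectre_v1 spectre_v2 meltdown'

# stand-alone use: kvm_ready /proc/cpuinfo /dev/kvm && echo "KVM ready"
```

if the flag is missing inside a VM you are nested: enable nested virtualization on the outer hypervisor (kvm_intel parameter `nested=1`, see chapter 26 for module parameters) rather than hunting in the guest's firmware.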
/// chapter 29 - containers ///
by the end:
 → know and use docker

container - isolates only an app (usually) or a set of apps, sharing the host kernel. unlike virtual machines there is no guest kernel, so many containers can be run on 1 system cheaply. the flip side: the kernel is the only boundary, so a kernel bug, or an over-privileged container (root inside, extra capabilities, --privileged, host paths mounted in), gives access to the host. a common method of deploying containers is using docker.

worth mentioning are orchestration systems, such as kubernetes or mesos, which can decide on the proper quantity of containers needed, do load balancing, replicate images and remove them, etc. as needed.

docker is app-lvl virtualization that uses many images (layers) to build up the services needed to support the target app. these images are instantiated as containers. they can contain:
 → app code
 → runtime libs
 → system tools
 → and more...

most docker commands have their own help (`docker <cmd> --help`). examples are:
 → docker
 → docker search
 → docker pull
 → docker create
 → docker run

`docker ps` will list running containers, or all containers (with --all / -a).

the docker command has >40 sub-commands, some with >50 options.

often confused are the commands run, create, exec.
 docker run will create and start a new container and execute a command within it.
 docker create creates a container without starting it. it has many options for configuring settings and attachments.
 if the container is already running, "docker exec" will execute something inside of it. accepts -i -t (interactive tty) and -d (detached) params
 docker images - shows images in various output formats
 docker rmi - removes images and deletes untagged parents by default

 you can also use the shell to operate upon all containers. example:
 > docker rm $(docker ps -a -q)


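added example (not from the course notes): `docker run` as the chapter shows it starts the process as root with the default capability set and a writable root filesystem. this wrapper is the least-privilege form a practitioner would standardise on; each option is a real docker flag. the image name and command in the usage line are placeholders, and `DRY_RUN` makes the wrapper print the command instead of executing it so the result can be inspected on a host without docker.

```shell
#!/usr/bin/env bash
# least-privilege docker run wrapper (example code, not from the course)

# one option per line so each can carry its reason; sed strips the comments
HARDENED_OPTS=$(sed 's/#.*//' <<'EOF'
--user 65534:65534                   # nobody, not root, inside the container
--cap-drop ALL                       # no Linux capabilities at all (add back only what is proven needed)
--security-opt no-new-privileges     # setuid/setgid binaries cannot regain privileges
--read-only                          # immutable root filesystem
--tmpfs /tmp:rw,nosuid,nodev,size=64m
--pids-limit 128 --memory 256m       # bounds fork bombs and memory hogs
--network none                       # remove if the workload really needs the network
EOF
)

# run_hardened IMAGE [CMD...] -> runs (or, with DRY_RUN set, prints) the locked-down container
run_hardened() {
    local image=$1; shift
    # word splitting of $HARDENED_OPTS is intended: no option value contains whitespace
    ${DRY_RUN:+echo} docker run --rm $HARDENED_OPTS "$image" "$@"
}

# stand-alone use: run_hardened alpine:3.19 id      (prints "uid=65534 gid=65534")
```

compare with a plain `docker run --rm alpine:3.19 id`, which reports uid=0. `docker exec` into a hardened container inherits these limits, which is the point: an attacker who gets a shell inside gets the same constrained process, not root with a writable filesystem.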
/// chapter 30 - user account mgmt ///
 → explain the purpose of user accounts and their main attributes
 → create new accounts, modify properties, remove or lock accounts
 → manage users' passwords
 → explain restricted shell and restricted account
 → understand the root account

purpose of individual user accounts:
 → individualized personal space
 → create accounts for specific purposes
 → distinguish privileges (and make actions attributable: audit logs name a user, not "everyone")

daemon account - exists to allow a service process to run as a user other than root (least privilege: a compromised daemon gets only that user's rights). such accounts get /sbin/nologin or /bin/false as shell and usually a locked password.

each user has a corresponding line in /etc/passwd that describes the account attributes, in the format:
 beav:x:1000:1000:John Smith:/home/beav:/bin/bash
 username:password:UID:GID:GECOS (comment / contact info):home_dir_path:login_shell

 password - it's 'x' when /etc/shadow is used (a hash here would be world-readable; an EMPTY field means no password at all)
 login_shell - generally any executable, normally one listed in /etc/shells. look also for: /sbin/nologin.

nologin refuses to let a user log in, shows a default message and exits non-zero. if /etc/nologin.txt exists, the message is replaced by its content.

creating a user using the defaults (/etc/default/useradd, /etc/login.defs):
> sudo useradd stephanie
default options can be overruled:
> sudo useradd -s /bin/csh -m -k /etc/skel -c "John Smith" jsmith

> sudo userdel stephanie
the account will be deleted, all references will be erased from:
 → /etc/passwd
 → /etc/shadow
 → /etc/group

/home/stephanie will not be deleted, so the account may be re-established. delete also the home of a user with "userdel -r". however all other files on the system owned by the removed user will remain, owned by a bare UID; if that UID is later reused, the new user inherits them (`sudo find / -xdev -nouser` finds them)

usermod - change params of a user account

> sudo usermod -L stephanie
lock stephanie's account: a '!' is put in front of the password hash. the account stays in the system, but password logins are impossible. it's good practice to lock user accounts whenever they leave the organization or will be absent for a longer period of time. NOTE: -L only disables the password; ssh keys in ~/.ssh/authorized_keys still work. to really disable the account, also expire it:
> sudo chage -E 2011-01-01 stephanie
where the date is a date in the past. an expired account is refused by every PAM-aware login path, key-based ssh included. `sudo usermod -L -e 2011-01-01 stephanie` does both at once.

don't edit /etc/passwd, /etc/group, nor /etc/shadow by hand; use the tools (or vipw / vigr, which take a lock, see below)

/etc/shadow format:
 daemon:*:16141:0:99999:7:::
 ...
 beav:$sdyubgy7asdfb77bgf7yb7fg/ngfdyuagnfysgdfugsunayuga:16316:0:99999:7:::
so the colon-separated fields are:
 username:password:lastchange:mindays:maxdays:warn:inactive:expire:reserved

 username must match the one from /etc/passwd; the order should match as well.
 password: "$6$" followed by a salt of up to 16 chars, then '$' and an 86-char hash (sha512crypt). "$y$" is yescrypt on newer distros, "$5$" sha256crypt, "$1$" md5crypt (weak, re-hash it). '*' or '!' mean no password login is possible; an EMPTY field means login with no password.
 lastchange is in days since 1970-01-01 (`chage -l` shows it as a date)

/etc/passwd permissions are 644 (-rw-r--r--)
/etc/shadow permissions are 400 (-r--------) or even 000 on Red Hat-like systems (root ignores DAC anyway), 640 root:shadow on Debian-like ones; either way only root, or the shadow group, can read it

you should use /etc/shadow unless you have a good reason not to do so

a normal user can change only his own password:
> passwd
root can change anyone's password:
> sudo passwd kevin
password quality is checked by pam_cracklib.so (older) or pam_pwquality.so (newer) through PAM
when root changes a user's password, root is not prompted for the current password

it is important to change passwords periodically (and immediately on suspicion of compromise).
> chage -l <username> # list password aging data

> bash -r # restricted mode: the user cannot cd, change PATH, redirect output or run commands containing '/'. it is NOT a security boundary: any reachable program that spawns a shell (vi, less, python...) escapes it.

root login via the network is generally prohibited (PermitRootLogin in /etc/ssh/sshd_config).


ssh'ing:
> whoami
student
> ssh farflung.com
student@farflung.com's password: (type here) #we assume there is a 'student' account on farflung.com
> ssh root@farflung.com

copying files:
> scp file.txt farflung.com:/tmp
> scp file.txt student@farflung.com:/home/student
> scp -r some_dir farflung.com:/tmp/some_dir

to run a command on multiple machines:
> for machine in node1 node2 node3
 do (ssh "$machine" some_command &)
 done

permitting login without a password (key-based auth):
> ls -l ~/.ssh
id_rsa           user's private key; NEVER share it, mode 0600, protect it with a passphrase (`ssh-keygen -t ed25519` gives a modern, smaller key pair: id_ed25519)
id_rsa.p  ub      user's public key; this is what gets copied to remote hosts (`ssh-copy-id user@host`)
authorized_keys  list of public keys permitted to log in AS THIS ACCOUNT on THIS machine; one key per line, optional restrictions in front (from="...", command="...")
known_hosts      host keys of servers this user has connected to before; a changed key triggers the MITM warning
config           a configuration file for specifying various options (per-host user, port, key file)


(!!!)
to log in to a remote machine with a full GUI, use a VNC (Virtual Network Computing) client. a common implementation is "tigervnc".
> sudo apt-get install tigervnc tigervnc-server
#start the server as a normal user
> vncserver
> vncviewer localhost:2 #test it. you might use a different number: 1, 3, 4 depending on how your machine is configured.
view from a remote machine (tunnelled over ssh; VNC itself is not encrypted, don't expose port 590x directly):
> vncviewer -via student@some_machine localhost:2

if some "color profile" bug occurs, stop the "colord" daemon
> sudo systemctl stop colord



working with accounts:
> less /etc/default/useradd #we can see the defaults, for example SHELL=/bin/sh
> sudo useradd -m -c "some name" -s /bin/bash someName666 # -m to make sure it creates a home dir, -c for the comment (GECOS) field
> sudo passwd someName666 #and type some password
> grep someName666 /etc/passwd /etc/group
/etc/passwd:someName666:...................
/etc/group:someName666:x:1001:
log in to that account over ssh to exercise the whole path (PAM, shell, home dir):
> ssh someName666@localhost #and give the password
> (do sth)
> exit
> ls -la /etc/skel
cleaning up. "-r" is needed to remove also the home dir:
> sudo userdel -r someName666
#may print an error about the mail spool (/var/mail/someName666) if it was never created; harmless


vipw - edits /etc/passwd under a lock so that concurrent tools (useradd, passwd) cannot corrupt the file; `vipw -s` edits /etc/shadow, `vigr` edits /etc/group



/// chapter 31 - group mgmt ///
a collection of users is a group. group members share some common purpose, also files and dirs, and maintain some privileges. this separates them from the others on the system, collectively called the world. using groups aids collaborative projects enormously.
 → purpose of groups
 → use groupadd, groupdel, groupmod, usermod
 → describe user private groups
 → explain the concept of group membership

groups are defined in /etc/group, which has the same role as /etc/passwd for users. entry structure:
groupname:password:GID:user1,user2,...

group passwords may be set, but only if the /etc/gshadow file exists (`newgrp` asks for them; a shared secret, rarely a good idea)

GID - group identifier. values 0-99 are for system groups. values between 100 and GID_MIN (defined in /etc/login.defs and usually the same as UID_MIN) are special. values >= GID_MIN are for UPGs (user private groups) and ordinary groups.

user1,user2 - comma-separated list of users who are members of the group. a user doesn't have to be here if the group is the user's principal (primary) group from /etc/passwd.

adding: groupadd
 > sudo groupadd -r -g 215 staff    # -r: system group (GID from the system range)
modifying a group's properties: groupmod
 > sudo groupmod -g 101 blah
deleting: groupdel
 > sudo groupdel newgroup

modify a user's group membership: usermod
 > sudo usermod -G student,group1,group2 student
 note that with -G alone you must provide the full list of supplementary groups; anything not listed is REMOVED (an easy way to drop someone from wheel/sudo by accident, or to silently keep a privilege you meant to remove). with -aG you append without providing the full list:
 > sudo usermod -aG group3 student
 membership changes take effect at the next login (check with `id`)

some groups are effectively root: wheel / sudo (sudo rights), docker (can mount the host FS into a container), disk (raw access to block devices), shadow (read password hashes), adm (read logs). audit their member lists.

UPG - user private groups. each user can have its own group. however, UPGs are not guaranteed to be private (anyone can be added to them).

by default, users whose accounts are created with "useradd" have primary GID == UID and the group name is also identical to the username.

a Linux user has exactly 1 primary group (listed in /etc/passwd; it appears in /etc/group too) plus any number of supplementary groups. the primary group is the one new files get as their group owner.

identify group membership:
> groups [user1 user2]
> id -Gn [user1 user2]



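added example (not from the course notes): a small audit over the three account databases covered in chapters 30 and 31, checking the things an attacker looks for first: a second UID 0, duplicate UIDs, empty or weak password fields in shadow, and members of groups that amount to root. the three inputs are constructed copies with deliberate problems; point the functions at /etc/passwd, /etc/shadow (as root) and /etc/group for the real thing.

```shell
#!/usr/bin/env bash
# audit passwd / shadow / group for common problems (example code)

# constructed inputs: backup2 is a hidden root, guest has no password, svc has an md5 hash
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
beav:x:1000:1000:John Smith:/home/beav:/bin/bash
backup2:x:0:0:old backup tool:/var/backups:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
svc:x:1002:1002::/var/lib/svc:/bin/bash'

SAMPLE_SHADOW='root:$6$rounds=5000$saltsaltsaltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
beav:$6$saltsalt$hashhash:19000:0:99999:7:::
backup2:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:$1$ab$cdef:19000:0:99999:7:::'

SAMPLE_GROUP='root:x:0:
sudo:x:27:beav,guest
docker:x:998:svc
users:x:100:'

# uid0_accounts PASSWD -> every account with UID 0 other than root
uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"; }

# duplicate_uids PASSWD -> UIDs shared by more than one account
duplicate_uids() { awk -F: '{print $3}' "$1" | sort | uniq -d; }

# weak_shadow SHADOW -> "user reason" for empty or weak password fields
weak_shadow() {
    awk -F: '
        $2 == ""                 {print $1, "EMPTY password field: login without password"; next}
        $2 ~ /^[!*]/             {next}   # locked or no password login: fine
        $2 ~ /^[$](6|y|5)[$]/    {next}   # sha512crypt, yescrypt, sha256crypt
        $2 ~ /^[$]2[aby][$]/     {next}   # bcrypt
        $2 ~ /^[$]1[$]/          {print $1, "md5crypt hash: force a change (chage -d 0) to re-hash"; next}
                                 {print $1, "unknown/legacy hash format"}
    ' "$1"
}

# privileged_members GROUP -> members of groups that amount to root
privileged_members() {
    awk -F: '$1 ~ /^(root|wheel|sudo|docker|disk|shadow|adm)$/ && $4 != "" {print $1 ": " $4}' "$1"
}

# stand-alone use (as root):
#   uid0_accounts /etc/passwd; duplicate_uids /etc/passwd
#   weak_shadow /etc/shadow; privileged_members /etc/group
```

`pwck` and `grpck` do the structural checks (field counts, missing homes, dangling members); the functions above cover the policy questions those tools do not ask.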
/// chapter 32 - file permissions and ownership ///

by the end:
 → explain the concepts: owner, group, world
 → set file access rights for each category
 → authorize requests for file access, respecting the proper permissions
 → use chmod (change file permissions), chown (change user ownership), chgrp (change group ownership)
 → understand umask, used to establish the desired permissions on newly created files
 → use ACLs to extend the simpler user, group, world and read, write, execute model

show file permissions
> ls -l
-rw-rw-r-- 1 coop aproject 1601 Mar 9 15:04 a_file

which means:
- rw- rw- r--
  owner group other/world
(the first char is the file type: - regular, d dir, l symlink, c/b char/block device)

user coop is in group aproject

each of the triplets can have any of: Read, Write, eXecute. for a directory: x = may enter/traverse it, r = may list the names in it, w = may create, rename and delete entries in it (regardless of who owns the entries)

other specialized permission bits exist: setuid (run as the file's owner), setgid (run as the file's group; on a dir, new files inherit its group), sticky (on a dir, only an entry's owner may delete it, e.g. /tmp). setuid-root binaries are a classic privilege-escalation target, so know which ones you have: `sudo find / -xdev -type f -perm -4000`.

any (EVERY) access to a file requires a comparison of the credentials of the requesting process to those of the file's owner. authorization is decided by exactly ONE of the three permission sets, checked in this order (the first match wins, even if a later set is more permissive):
 1. if the requester is the file owner, owner permissions are used.
 2. else, if the requester is in the group that owns the file, group permissions are examined.
 3. else, world permissions are examined
root bypasses the check for read/write (CAP_DAC_OVERRIDE) but still needs at least one x bit set to execute a file.

you can change permissions only on your own files with chmod, unless you're the superuser. examples:
> chmod uo+x,g-w some_file
# add execute for u and o, remove write for group
 u - user (owner)
 o - other (world)
 g - group
octal form: `chmod 0640 some_file` (r=4, w=2, x=1 per triplet; leading digit: 4 setuid, 2 setgid, 1 sticky)

changing group ownership (you must be a member of the target group, or root):
> chgrp aproject some_file

changing ownership (root only; `chown coop:aproject some_file` does both at once):
> chown coop some_file

default permissions requested at creation:
for a file: 0666
for a dir: 0777

the umask CLEARS bits from those:
0666 & ~0002 = 0664
0666 & ~0022 = 0644 ; 0777 & ~0022 = 0755
a umask of 077 gives private files and dirs (0600 / 0700); 0022 is the usual default

checking umask:
> umask
or
> umask -S # symbolic form; shows the permissions that REMAIN, e.g. u=rwx,g=rx,o=rx

changing umask (for the current shell and its children; persist it in the shell profile or via UMASK in /etc/login.defs):
> umask 0022
or the same thing symbolically (list what to allow, not what to clear):
> umask u=rwx,g=rx,o=rx

POSIX ACL - Access Control List
extension of the simpler ugo model: named users and groups each get their own rwx. a '+' after the mode in `ls -l` marks a file with an ACL; the group triplet shown for such a file is the ACL mask (the ceiling for all named entries), not the owning group's real rights, so read `getfacl` before trusting `ls -l`.
how to use ACLs:
> getfacl file|dir # shows
> setfacl options permissions file|dir
> setfacl -m u:isabelle:rx ~/file1   # grant (modify/add an entry)
> setfacl -x u:isabelle ~/file1      # revoke that one entry

remove ALL ACL entries:
> setfacl -b ~/file1
to set a default on a dir (inherited by files created inside it):
> setfacl -m d:u:isabelle:rx some_dir



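added example (not from the course notes): the two calculations a practitioner actually does with this chapter. first, what mode a new file or dir ends up with under a given umask (the `0666 & ~022` arithmetic above, done by the shell); second, which paths under a tree break the usual expectations: world-writable files, world-writable dirs without the sticky bit, setuid/setgid files. the demo tree is constructed in a temp dir, so the checks can be tried without touching the real system; run them on / with -xdev for the real audit.

```shell
#!/usr/bin/env bash
# umask arithmetic and a permission audit (example code, not from the course)

# mode_after_umask DEFAULT UMASK -> resulting octal mode, e.g. 0666 022 -> 0644
mode_after_umask() {
    # the prepended 0 forces octal in shell arithmetic even if the caller writes 666 / 22
    printf '%04o\n' "$(( 0$1 & ~0$2 ))"
}

# world_writable DIR -> files with o+w, plus dirs with o+w but no sticky bit
world_writable() {
    find "$1" -xdev \( \( -type f -perm -0002 \) -o \( -type d -perm -0002 ! -perm -1000 \) \) -print | sort
}

# setid_files DIR -> setuid or setgid regular files (what an attacker enumerates first)
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# make_demo_tree -> prints the path of a constructed tree with one example of each case
make_demo_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir "$d/ok_dir" "$d/open_dir" "$d/sticky_dir"
    : > "$d/ok_file"; : > "$d/open_file"
    chmod 755 "$d/ok_dir"; chmod 644 "$d/ok_file"
    chmod 777 "$d/open_dir"      # world-writable, no sticky bit: anyone can delete others' files
    chmod 1777 "$d/sticky_dir"   # world-writable but sticky, like /tmp: acceptable
    chmod 666 "$d/open_file"     # world-writable file: anyone can rewrite it
    printf '%s\n' "$d"
}

# stand-alone use:
#   mode_after_umask 0666 022        # 0644
#   sudo sh -c 'world_writable /; setid_files /'   (after sourcing this file)
```

for a real system compare the setid list against what the distro ships (`rpm -qf` / `dpkg -S` on each path); anything unowned by a package is worth a second look.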
/// chapter 33 - PAM - Pluggable Authentication Modules ///
PAM provides a uniform mechanism to ensure that users and apps are properly identified and authenticated. PAM can work with LDAP to centralize auth throughout a network.

by the end:
 → explain the concepts that motivate the use of PAM
 → list the steps of the auth process
 → use, modify PAM configuration files
 → know how to interpret PAM rules and create new ones
 → apply LDAP to use and administer distributed directory services over the network

before PAM, auth of users was performed by each individual app: su, login, ssh would separately authenticate a user. now PAM takes care of it; most Linux apps use it via libpam.

it consists of:
 → PAM-aware apps
 → configuration: /etc/pam.d (!!!) (a single legacy /etc/pam.conf is only consulted if /etc/pam.d does not exist)
 → PAM modules in libpam* libs, found in e.g. /lib64/security or /lib/x86_64-linux-gnu/security depending on the Linux distro

each app may be configured separately by an individual conf file in /etc/pam.d; a service without its own file falls back to /etc/pam.d/other, which should deny everything

steps:
 → user invokes a PAM-aware app, like login
 → app calls libpam
 → the lib looks up the file for that service in /etc/pam.d to determine which PAM modules to invoke, including those pulled in by `include` / `substack` lines such as system-auth (Red Hat) or common-auth (Debian)
 → each referenced module is executed in accordance with the rules of the relevant conf file for that app

each file in /etc/pam.d/ corresponds to a *service* and each uncommented line in the file specifies a rule. a rule is formatted as a list of space-separated tokens, the first two of which are case insensitive:
> type control module-path module-arguments
 type - specifies the mgmt group the module is to be associated with:
 auth - gets the app to prompt the user for identification (username, pass). may set credentials and grant privileges
 account - checks aspects of the user's account, like password aging, access ctrl, etc. (this is where expired accounts and /etc/security/access.conf restrictions are enforced, also for key-based ssh)
 password - updates the user auth token, usually a password
 session - provides functions before and after the session is established (like setting up the environment, logging, etc.)
 control flag - controls how the success or failure of a module affects the overall result of the stack:
 required - on failure the stack fails, but the remaining modules still run (so a user cannot tell which one failed)
 requisite - on failure the stack fails immediately
 sufficient - on success the stack succeeds right away (unless an earlier required module already failed); failure is ignored
 optional - only matters if it is the only module of its type
 include / substack - pull in the rules of another file
 ordering matters: a `sufficient` line placed above the module that does the real check (e.g. above pam_unix.so, or above a final pam_deny.so) lets callers through without it. when editing, keep a root shell open in another terminal and test a fresh login from a second session before logging out: a broken PAM stack locks out everyone, root included.




/// chapter 34 - Network Addresses ///
by the end:
 → tell about IPv4 vs IPv6
 → get, set, change the hostname, based on the system you are using

IPv4 - 32 bits == 4 octets
example: 148.114.252.10

IPv6 - 128 bits, 16 octets, written as 8 groups of 16 bits in hex
example: 2003:0db5:6123:0000:1f4f:0000:5529:fe23 (leading zeros may be dropped and one run of zero groups written as "::": 2003:db5:6123:0:1f4f:0:5529:fe23)

in both cases, a set of reserved addresses is also included.

in IPv4, 4 kinds of addresses:
 → unicast - to one host
 → network - names the whole network; the host portion is all zeros
 → broadcast - to each member of a network; the host portion is all ones, like 172.16.255.255 for 172.16.0.0/16
 → multicast - to a group of subscribed hosts; 224.0.0.0/4
where the network/host split falls is given by the netmask or prefix length (e.g. /24 = 255.255.255.0)

reserved addresses:
 → 127.0.0.0/8 - loopback, generally 127.0.0.1
 → 0.0.0.0 - used by systems that don't know their own address yet. protocols like DHCP or BOOTP use this address when attempting to communicate with a server. also "any address" for a listening service: a daemon bound to 0.0.0.0 is reachable on EVERY interface, one bound to 127.0.0.1 only locally
 → 255.255.255.255 - limited broadcast, never forwarded by routers
 → 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 - private ranges (RFC 1918), not routed on the Internet
 → and others

> hostname
 # gives the hostname

> sudo hostname myName
 # changes the hostname to myName

but a restart will revert its value.

the current hostname is in /etc/hostname (on almost all Linux distros). a persistent change requires changing config files in the /etc/ dir. utility to do this:
> hostnamectl # which comes with the systemd architecture

> sudo hostnamectl set-hostname MYPC


/// chapter 35 - Network devices and configuration ///
 → identify network devices and understand how the operating system names them and binds them to specific duties
 → use the ip utility to control, route, tunnel
 → use the older ifconfig
 → use Network Manager (nmtui and nmcli) to configure devices in a distro-independent manner
 → know how to set up default routes
 → use diagnostic utilities

unlike block and char devices, network devices are NOT associated with special device files (device nodes) in /dev; they are known only by their names:
 → eth0, eth1, eno1, eno2, etc. for Ethernet devices
 → wlan0, wlan1, wlan2, wlp3s0, wlp3s2, etc. for wireless devices
 → br0, br1, br2, etc. for bridge interfaces
 → vmnet0, vmnet1, vmnet2, etc. for virtual devices for communicating with virtual clients
sometimes multiple virtual devices can be associated with a single physical device

the previous naming convention encountered difficulties, like when multiple interfaces of the same type were present: eth0 and eth1 could swap between boots, and a firewall rule written for "eth0" then silently applied to the wrong (e.g. the Internet-facing) interface.
it was solved by some admins by hardcoding associations between HW (MAC) addresses and device names in system configuration files and startup scripts. this method worked for years, but it requires manual tuning and had other problems, such as when MAC addresses were not fixed; this can happen in both embedded and virtualized systems.

PNIDN - Predictable Network Interface Device Names - strongly correlated with the use of udev and integration with systemd. there are now 5 types of names that devices can be given:
 → incorporating firmware or BIOS provided index numbers for on-board devices, like eno1
 → incorporating firmware or BIOS provided PCI Express hotplug slot index numbers, like ens1
 → incorporating the physical and/or geographical location of the HW connection, like enp2s0
 → incorporating the MAC address, like enx7837d1ea46da
 → using the old classic method, like eth0

examples of the new naming scheme:
> ifconfig | grep enp
# name shows up

> ifconfig | grep wl

> lspci | grep Centrino

ip is preferred over ifconfig and is more versatile as well as more efficient because it uses netlink sockets rather than ioctl system calls. basic syntax:
> ip [OPTIONS] OBJECT { COMMAND | help }
> ip [ -force ] -batch filename

the 2nd form reads commands from a designated file

ip is a multiplex utility. the OBJECT arg describes what kind of object the command acts on. the possible COMMANDS depend on which OBJECT is selected. main ip OBJECTS:
 → address    IPv4 or IPv6 protocol device address
 → link       network devices
 → maddress   multicast address
 → monitor    watch for netlink messages
 → route      routing table entry
 → rule       rule in the routing policy database
 → tunnel     tunnel over IP
 → neigh      ARP/NDP neighbour cache (not in the course list, but the first place to look when the gateway's MAC suddenly changes)

examples of usage of ip:
> ip link # shows info about all network interfaces
> ip -s link show eth0 # shows info and statistics for the eth0 interface
> sudo ip addr add 192.168.1.7/24 dev eth0 # set the IP address for eth0; WITHOUT the prefix length ip assumes /32 and the host cannot reach its own subnet
> sudo ip link set eth0 down # bring eth0 down
> sudo ip link set eth0 mtu 1480 # set the MTU to 1480 bytes for eth0
> sudo ip route add 172.16.1.0/24 via 192.168.1.5 # add a network route

> ip -s link show ens33
> ip addr show

ifconfig - system utility long found in UNIX-like OSes. used from the CLI or from system configuration scripts. deprecated (net-tools package), often not installed by default.
ifconfig examples:
> ifconfig # show info about all interfaces
> ifconfig eth0 # show info about only the eth0 interface
> sudo ifconfig eth0 192.168.1.50 # set the IP address to 192.168.1.50 on interface eth0
> sudo ifconfig eth0 netmask 255.255.255.0 # set the netmask to 24 bit
> sudo ifconfig eth0 up # bring interface eth0 up
> sudo ifconfig eth0 down # bring interface eth0 down

> sudo ifconfig eth0 mtu 1480 # set MTU (Maximum Transfer Unit) to 1480 bytes for interface eth0

configuring with ip or ifconfig is not persistent. to change persistently use:
Red Hat:
 /etc/sysconfig/network
 /etc/sysconfig/network-scripts/ifcfg-ethX
 /etc/sysconfig/network-scripts/ifcfg-ethX:Y
 /etc/sysconfig/network-scripts/route-ethX
Debian:
 /etc/network/interfaces
SUSE:
 /etc/sysconfig/network
when using systemd, it is preferable to use Network Manager rather than configure the underlying text files. in fact, in many new Linux distros these files are non-existent, empty or much smaller and only there for compatibility reasons.

once upon a time almost all network connections were wired (Ethernet). during boot, files in /etc/ were consulted to establish all device configuration.
now configuration changes more often.
tools:
> nmtui - almost no learning curve and will edit the underlying conf. files for the user (!!!)
> nmcli - if you want to run scripts that change the network configuration. for examples use:
> man nmcli-examples
Network Manager SHOULD WORK THE SAME on every distro.


routing - the process of selecting paths in a network. routing table - list of routes to other networks managed by the system. it defines paths to all networks and hosts, sending remote traffic to routers. to see the current routing table:
> route -n
or
> ip route

default route - where packets go if there is no other match in the routing table. setting it persistently with Network Manager:
> sudo nmcli con mod virbr0 ipv4.gateway 192.168.122.1
> sudo nmcli con up virbr0
(a static route to another network goes into ipv4.routes as "network/prefix next-hop", e.g. `ipv4.routes "192.168.10.0/24 192.168.122.1"`)

or modify the configuration files directly. on Red Hat:
> echo "GATEWAY=1.2.3.4" | sudo tee -a /etc/sysconfig/network
or alternatively in /etc/sysconfig/network-scripts/ifcfg-ethX on a device-specific basis in the configuration file for the individual NIC.
on Debian, as a line inside the `iface` stanza of /etc/network/interfaces (no '='):
 gateway 1.2.3.4

on either system you can set the default gateway at runtime with:
> sudo route add default gw 192.168.1.10 enp2s0
or, with ip:
> sudo ip route add default via 192.168.1.10 dev enp2s0
> ip route # to see the results
it's not persistent!

static routes - used to control packet flow when there is more than one router or route. defined per interface and can be persistent or not.
when a system can reach >1 router, it's good to selectively control which packets go to which router.
route or ip can be used to set a non-persistent route, as in:
> sudo ip route add 10.5.0.0/16 via 192.168.1.100
> ip route # shows the new entry

/etc/hosts - local DB of hostnames and IP addresses. set of records (each taking 1 line) which map IP addresses to corresponding hostnames and aliases. it is consulted BEFORE DNS (order set by the "hosts:" line of /etc/nsswitch.conf), so a writable /etc/hosts is the easiest way to redirect a host's traffic; keep it root-owned, mode 0644, and include it in integrity monitoring.
if name resolution cannot be done locally using /etc/hosts, the system queries DNS.
the machine's use of DNS is configured in /etc/resolv.conf, which historically looked like this:

search example.com aps.org
nameserver 192.168.1.1
nameserver 8.8.8.8

this can:
 → specify particular domains to search
 → define the strict order of nameservers to query
 → be manually configured or updated from a service such as DHCP

most modern systems have /etc/resolv.conf generated automatically (by NetworkManager, or by systemd-resolved, which points it at its local stub 127.0.0.53), such as:

# Generated by NetworkManager
nameserver 192.168.1.1

other network tools:
 → ping - sends ICMP echo requests (56 data bytes + 8-byte ICMP header = the 64 bytes in its output)
 → traceroute - displays the network path
 → mtr - combines both of the above, is continuously updated, like top
 → dig - useful for testing DNS functionality (you can also use host or nslookup)
 → ss - lists sockets: what is listening, on which address and port (`ss -tlnp`); replaces netstat



1529/// chapter 36 - firewalls ///
1530by the end:
1531 → what are firewalls
1532 → know what GUI and CLI tools there are
1533 → discuss about firewalld and firewall-cmd
1534 → know how to work with zones, sources, services, ports
1535
1536firewall - network security system that monitors and controls all network traffic. it applies rules on both incoming and outgoing network connections and packets and builds flexible barriers (firewalls) depending on the level of trust of a given connection. Is HW- or SW-based. They are in routers, in PCs, network nodes. many firewalls have routing capabilities.
1537early FW were based on packet filtering. content of each packet was inspected and was either dropped, rejected or sent on. there was no concideration about the connection state; what stream of traffic the packet was part of.
1538next gen. of FWs was based on stateful filters, which also examine the connection state of the packet; is it a new connection, part of existing one or none. This generation could be DDoSsed.
15393rd generation: Application Layer Firewalls, are aware of the kind of application and protocol the connection is using. they can block anything which should not be part of the normal flow.
1540
1541all (?) FW are based on Packet Filtering. Each message across networks is in the form of packets, and each packet has:
1542 → header
1543 → payload
1544 → footer
1545
1546header and footer - destination and source addresses, kind of packet, type of protocol, flags, which packet number this is in a stream, and other metadata about transmissions. the actual data is payload.
1547
1548FW may do with packets:
1549 → accept / reject
1550 → mangle in some way
1551 → redirect to another address
1552 → inspect for security reasons
1553 → ...
1554
1555there are many tools to set rules of packet filtering. examples:
1556 low-level tools:
1557 → iptables
1558 → firewall-cmd
1559 → ufw
1560
1561 robust graphical interfaces:
1562 → system-config-firewall
1563 → firewall-config
1564 → gufw
1565 → yast
1566
1567firewalld - dynamic firewall manager. it uses network/firewall zones which have defined levels of trust for network interfaces or connections. supports IPv4/6. it separates runtime and persistent changes to configs and has interfaces for services to add firewall rules.
1568it replaces the older iptables service (it still manages the kernel's packet filter through the iptables or nftables backend). you shouldn't run both services at the same time.
1569
1570configs:
1571/etc/firewalld
1572or
1573/usr/lib/firewalld
15741st path takes precedence (files in /etc/firewalld override the defaults shipped in /usr/lib/firewalld)
1575
1576cmd-line tool:
1577> firewall-cmd
1578before you begin:
1579> firewall-cmd --help
1580
1581firewalld is a service that needs to be running to use and conf. the firewall and is started/stopped/enabled/disabled in the usual way:
1582> sudo systemctl [enable/disable] firewalld
1583> sudo systemctl [start/stop] firewalld
1584
1585current status:
1586> sudo systemctl status firewalld
1587or just:
1588> sudo firewall-cmd --state
1589< running
1590
1591if the system has more than one IPv4 interface and is to forward traffic between them, you have to turn on ip forwarding. you can do this at runtime by (warning: not persistent!):
1592> sudo sysctl net.ipv4.ip_forward=1
1593or
1594> echo 1 > /proc/sys/net/ipv4/ip_forward # as root! (the redirection is done by your shell, so "sudo echo" won't help)
1595
1596persistent:
1597> echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
1598then reboot or read new settings without rebooting by:
1599> sudo sysctl -p
1600
1601firewalld works with zones, each has a defined lvl of trust. zones:
1602 → drop - all incoming packets are dropped with no reply. only outgoing connections are permitted
1603 → block - all incoming packets are rejected. the only permitted connections are those from within the system
1604 → public - don't trust any computers on the network. only some, consciously selected incoming connections are permitted
1605 → external - used when masquerading is being used, such as in routers. trust levels are the same as in public
1606 → DMZ - Demilitarized Zone - access to some (but not all) services is to be allowed to the public. only some incoming connections are allowed
1607 → work
1608 → home
1609 → internal
1610 → trusted
1611
1612on system installation most distros will select the public zone as default for all interfaces.
1613
1614get default zone:
1615> sudo firewall-cmd --get-default-zone
1616< public
1617
1618get list of zones currently being used:
1619> sudo firewall-cmd --get-active-zones
1620< public
1621< interfaces: eno16777736
1622
1623list all available zones:
1624> sudo firewall-cmd --get-zones
1625< block dmz drop external home internal public trusted work
1626
1627change default zone to trusted and then change it back:
1628> sudo firewall-cmd --set-default-zone=trusted
1629< success
1630> sudo firewall-cmd --set-default-zone=public
1631< success
1632
1633assign an interface temporarily to a particular zone:
1634> sudo firewall-cmd --zone=internal --change-interface=eno1
1635< success
1636
1637assign an interface to a particular zone permanently:
1638> sudo firewall-cmd --permanent --zone=internal --change-interface=eno1
1639< success
1640which creates the file:
1641/etc/firewalld/zones/internal.xml
1642
1643to ascertain the zone associated with a particular interface:
1644> sudo firewall-cmd --get-zone-of-interface=eno1
1645< public
1646
1647to get all details about a particular zone:
1648> sudo firewall-cmd --zone=public --list-all
1649< wow, much output
1650
1651<some skipped>
1652
1653port mgmt (without --permanent this is a runtime change only):
1654> sudo firewall-cmd --zone=home --add-port=21/tcp
1655< success
1656> sudo firewall-cmd --zone=home --list-ports
1657< 21/tcp
1658where by looking at /etc/services we can ascertain that port 21 corresponds to ftp:
1659> grep " 21/tcp" /etc/services
1660< ftp 21/tcp
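Added example (not from the course notes, and not part of firewalld itself): before handing a zone and a port to firewall-cmd, check that the zone is one of the built-in zones listed above and that the port spec is well-formed, and look the port up in an /etc/services-style table the way the grep above does. The services table is a constructed excerpt and the firewall-cmd line is only printed, never run, so the script is safe to try anywhere.

```shell
#!/bin/sh
# Added example, not course material: validate a zone name and a PORT/PROTO spec
# before running firewall-cmd, and annotate the port with its /etc/services name.
# Nothing here touches a firewall; the command is only printed.

# firewalld's built-in zones, as listed by firewall-cmd --get-zones.
FW_ZONES="block dmz drop external home internal public trusted work"

# Constructed excerpt in the layout of /etc/services (name  port/proto).
SERVICES_SAMPLE='ftp             21/tcp
ssh             22/tcp
domain          53/tcp
domain          53/udp
http            80/tcp'

# valid_zone NAME: succeed only if NAME is one of the built-in zones.
valid_zone() {
    for z in $FW_ZONES; do
        [ "$z" = "$1" ] && return 0
    done
    return 1
}

# valid_port SPEC: succeed only if SPEC is PORT/PROTO with PORT in 1..65535
# and PROTO tcp or udp (the forms --add-port accepts for a single port).
valid_port() {
    case "$1" in */*) ;; *) return 1 ;; esac
    port=${1%%/*}
    proto=${1#*/}
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp) return 0 ;; *) return 1 ;; esac
}

# service_for SPEC: print the service name registered for PORT/PROTO, or nothing.
service_for() {
    printf '%s\n' "$SERVICES_SAMPLE" | awk -v spec="$1" '$2 == spec { print $1; exit }'
}

# plan_add_port ZONE SPEC: print the firewall-cmd line that would open the port,
# annotated with the service name; fail (and print nothing) on bad input.
plan_add_port() {
    valid_zone "$1" || { echo "unknown zone: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad port spec: $2" >&2; return 1; }
    svc=$(service_for "$2")
    echo "firewall-cmd --zone=$1 --add-port=$2  # ${svc:-not in services table}"
}

plan_add_port home 21/tcp
```

The point of the wrapper is that firewall-cmd happily accepts a typo like `--zone-internal` as part of another option or a wrong zone name only after you have already changed state; checking first keeps mistakes out of the runtime configuration.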
1661
1662
1663/// chapter 37 - system startup and shutdown ///
1664by the end:
1665 → explain the boot process
1666 → types of boot loaders
1667 → know what BIOS does
1668 → relevant config files
1669 → describe how the system shuts down and reboots
1670
1671steps of boot sequence:
16721. BIOS/UEFI locates and executes the boot program or boot loader
16732. boot loader loads kernel
16743. kernel starts init process (pid=1)
16754. init manages system initialization, using systemd, Upstart or older SysVinit startup scripts
1676
1677when power is applied to a PC, it can only run code from the BIOS.
16781. BIOS runs POST (Power On Self Test, checking memory and HW).
16792. it searches a specific location or device for a boot program, typically the device's MBR - Master Boot Record. if found...
16803. control is transferred to this program (usually GRUB).
16814. the boot program loads the kernel into memory and executes it. on the x86 platform (and many others) the kernel first decompresses itself in place, then does HW checks, gains access to important peripheral HW and eventually runs the init process.
16825. the 1st process continues the system startup.
1683
1684newer computers use UEFI instead of BIOS.
1685
1686on x86 arch. BIOS contains all the code required to gain initial access to keyboard, display, disks and so on
1687BIOS is typically placed in a ROM chip, which is why the BIOS survives a disk crash. during startup BIOS loads the boot loader from the MBR.
1688
1689Linux boot loaders:
1690 → GRUB (mostly used) (!!!)
1691 → LILO (old and obsolete)
1692 → efilinux (designed for UEFI)
1693 → Das U-Boot (popular in embedded Linux systems)
1694 → barebox - also for embedded systems
1695
1696
1697
1698/etc/default #Debian-based distros
1699vs
1700/etc/sysconfig #Red Hat based
1701
1702shutdown in a secure fashion, notifying all users that the system is going down and then stopping gracefully. then the system is halted or rebooted. examples:
1703> sudo shutdown -h +1 "Power Failure imminent"
1704> sudo shutdown -h now
1705> sudo shutdown -r now
1706> sudo shutdown now
1707
1708legacy commands:
1709> reboot
1710> halt
1711> poweroff
1712
1713
1714
1715/// chapter 38 - GRUB ///
1716GRUB - Grand Unified Boot Loader
1717
1718by the end:
1719 → what GRUB is?
1720 → diff between GRUB1 and GRUB2
1721 → interactive selections you can make at boot
1722 → installing GRUB
1723 → how config files that GRUB needs are used and modified
1724
1725GRUB allows you to:
1726 → choose different OSes at boot time
1727 → choose kernel versions for a given OS
1728 → boot parameters can be easily changed at boot time without editing configuration files, etc. in advance
1729
1730GRUB2 replaced GRUB1 on all distros but RHEL6-based ones.
1731At boot, basic config file is read, depending on a distro either:
1732/boot/grub/grub.cfg
1733or
1734/boot/grub2/grub.cfg
1735
1736this file is autogenerated by update-grub (or grub2-mkconfig on RHEL7) based on config files in
1737/etc/grub.d/
1738and on
1739/etc/default/grub and should never be edited by hand.
1740
1741config file contains some global parameters and then "stanza" for each OS or kernel configured.
1742
1743after POST and BIOS you will see the GRUB menu. after selecting an entry, "e" gets you to an interactive editor where you can edit the "stanza" in the configuration file that describes that boot option.
1744changes made there WILL NOT be persistent.
1745you can also enter the pure GRUB shell.
1746
1747installing GRUB may have a few meanings:
1748 1. installing GRUB program. in GRUB1 there's app grub. in GRUB2 there's bunch of utilities: grub2-*, grub-*. it's rather distro-dependent.
1749 2. installing files GRUB needs to operate at boot time, under /boot/grub[2]/.
1750 3. installing GRUB as the boot loader in the system. usually at the front of hard disk, but sometimes also in a partition and accessed via chainloading from one GRUB to another.
1751
1752installing GRUB2:
1753> sudo grub2-install /dev/sda
1754but read man before!
1755
1756in both GRUBs the first HDD is denoted as hd0, the second as hd1, but partition numbering differs (GRUB2 counts partitions from 1, GRUB1 from 0):
1757 > sda1 is (hd0, 1) in GRUB2, but (hd0, 0) in GRUB1
1758 > sda4 is (hd2, 4) in GRUB2, but (hd2, 3) in GRUB1
1759! !!!
1760
1761in this order, the generated config depends on these 2 files/dirs:
1762/etc/default/grub
1763/etc/grub.d
1764
1765
1766> sudo systemctl start gdm # gnome display mgr
1767
1768
1769
1770/// chapter 39 - init, SystemV, Upstart, systemd ///
1771systemd - now mostly used
1772
1773by the end:
1774 → understand importance of init process
1775 → understand how systemd (and Upstart) work
1776 → use systemctl to configure and control systemd
1777 → explain how traditional SysVinit method works and how it incorporates runlevels and what happens in each one
1778 → know how to use chkconfig and service (and alternative utilities) to start and stop services or make them persistent across reboots when using SysVinit
1779
1780/sbin/init (called just init) is the first user-level process (or task) run on the system, and it keeps running until the system shuts down. traditionally it's considered the parent of all user processes, but technically that's not true - some processes are started by the kernel.
1781
1782init:
1783coordinates later stages of the boot process, configures all aspects of the environment, starts the PSes needed for logging into the system, works closely with the kernel in cleaning up after PSes when they terminate.
1784
1785In the past all distros based the init process on UNIX's venerable SysVinit. back then the target was:
1786 → multi-user mainframe OS (not PC)
1787 → a single CPU OS
1788 → startup and shutdown time wasn't important, far less important than getting things right
1789
1790startup was viewed as a serial process, divided into a series of sequential stages. each stage had to complete before the next could proceed. no advantage was taken of the parallel processing possible on multiple CPUs or cores.
1791Also, shutdown/reboot was a relatively rare event so time wasn't as important.
1792
1793to deal with those issues, two systems appeared:
1794 → Upstart - developed under Ubuntu, first in 2006. adopted in Fedora 9, RHEL6 and its clones, like CentOS, Scientific Linux, Oracle Linux, OpenSUSE
1795 → systemd - first adopted in Fedora in 2011. standard since RHEL7 and Ubuntu 16.04. now MOSTLY used.
1796
1797features of systemd:
1798 → compatible with SysVinit scripts
1799 → boots faster than previous systems
1800 → provides aggressive parallelization capabilities
1801 → uses socket and D-Bus activation for starting services
1802 → replaces shell scripts with programs
1803 → offers on-demand starting of daemons
1804 → keeps track of processes using "cgroups"
1805 → supports creating snapshots and restoring of the system state
1806 → maintains mount and automounts points
1807 → implements an elaborate transactional dependency-based service control logic
1808 → can work as a drop-in replacement for SysVinit
1809
1810instead of bash scripts, systemd uses .service files. also systemd sorts all daemons into their own Linux cgroups (?). systemd is backwards-compatible with SysVinit.
1811
1812<skipped some>
1813
1814systemctl is main utility for managing services. examples:
1815> systemctl # show status of everything
1816> systemctl list-units -t service --all # show all service units, including inactive ones
1817> systemctl list-units -t service # show only active services
1819
1820start/activate >= 1 unit:
1821> sudo systemctl start foo
1822> sudo systemctl start foo.service
1823> sudo systemctl start /path/to/foo.service
1824where a unit can be a service or a socket
1825
1826to stop (deactivate) a service:
1827> sudo systemctl stop foo.service
1828
1829to enable/disable a service:
1830> sudo systemctl enable sshd.service
1831> sudo systemctl disable sshd.service
1832
1833
1834as a SysVinit system starts, it passes through a sequence of runlevels which define different system states numbered 0-6.
1835runlevel meaning
1836S, s same as 1
18370 shut down the system and turn power off
18381 Single User Mode
18392 multi-user, no NFS, text login only
18403 multi-user, with NFS and network, text login only
18414 not used
18425 multi-user, with NFS and network, graphical login with X
18436 reboot
1844
1845show current level:
1846> runlevel
1847< N 5 # first char is prev level. N == unknown
1848
1849change runlevel on the system. for example, to go from runlevel 3 to 5, type:
1850> sudo /sbin/telinit 5
1851
1852the init process first reads /etc/inittab. historically this file told init which scripts to run to bring the system up in each runlevel, using a series of lines, one per entry, of the form:
1853 id:runlevel(s):action:process
1854where:
1855 id - unique 1-4 character identifier for the entry
1856 runlevel(s) - zero or more single characters (digits or letters) naming the runlevels in which the entry applies
1857 action - describes the action to be taken (initdefault is one of them)
1858 process - process to be executed
1859
1860RHEL6 hides upstart behind a compatibility layer, only uncommented line (and only thing being set) is:
1861 id:5:initdefault
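Added example (mine, not from the course and not SysVinit code): a small parser for the id:runlevels:action:process format described above, run against a constructed inittab so it works on a machine that has no SysVinit at all. It answers "which entries does init act on in runlevel N?" and checks the classic misconfiguration of an initdefault of 0 or 6, which makes the box halt or reboot in a loop at boot. Entries with an empty runlevels field (sysinit, ctrlaltdel) are treated as applying regardless of runlevel, which matches how init handles them.

```shell
#!/bin/sh
# Added example, not course material: parse inittab-format lines from a constructed
# sample and answer which entries apply in a given runlevel.

INITTAB_SAMPLE='# constructed sample, not a real /etc/inittab
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon
ca::ctrlaltdel:/sbin/shutdown -t3 -r now'

# inittab_default_runlevel: the runlevels field of the initdefault entry.
inittab_default_runlevel() {
    printf '%s\n' "$INITTAB_SAMPLE" |
        awk -F: '/^#/ { next } $3 == "initdefault" { print $2; exit }'
}

# inittab_entries_for RUNLEVEL: print "id action process" for every entry that
# applies in that runlevel. An empty runlevels field applies in all of them.
inittab_entries_for() {
    printf '%s\n' "$INITTAB_SAMPLE" | awk -F: -v rl="$1" '
        /^#/ || NF < 4      { next }            # comments and malformed lines
        $3 == "initdefault" { next }            # not a process to run
        $2 == "" || index($2, rl) {
            proc = $0
            sub(/^[^:]*:[^:]*:[^:]*:/, "", proc)  # process may itself contain ":"
            print $1, $3, proc
        }'
}

# inittab_check_default: fail if the default runlevel is missing, 0 or 6.
inittab_check_default() {
    case "$(inittab_default_runlevel)" in
        0|6|'') return 1 ;;
        *)      return 0 ;;
    esac
}

echo "default runlevel: $(inittab_default_runlevel)"
inittab_entries_for "$(inittab_default_runlevel)"
```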
1862
1863<skipped>
1864
1865chkconfig - query and configure what runlevels the various system services are to run in. check some service:
1866> chkconfig <some_service>
1867returns true if the service is configured to be running, false otherwise. note that it might be stopped.
1868see what services are configured to run in each of the runlevels:
1869> chkconfig --list [service names]
1870
1871turn on some service next time system boots:
1872> sudo chkconfig <some_service> on
1873or don't:
1874> sudo chkconfig <some_service> off
1875
1876note that on and off don't affect the current state by starting or stopping a service. to do this:
1877> sudo service <some_service> [stop | start]
1878
1879
1880to add your own services, place a script in /etc/init.d which has to have certain features in it (just some comment lines at the top!) and then use chkconfig --add to enable (or --del to disable) use of the on and off instructions, etc.
1881
1882<skipped>
1883
1884services:
1885 on Linux using or emulating SysVinit services are those in /etc/init.d/
1886 status:
1887 > sudo service network status
1888 > sudo service vsftpd status
1889 parameters taken vary. see examples:
1890 > sudo service network
1891 > sudo service iptables
1892
1893all service does is change directory to /etc/init.d and run the appropriate script there with the supplied options. status of all the services on the system:
1894> sudo service --status-all
1895
1896changes made with service are lost after reboot. to make a persistent change, use chkconfig instead.
1897
1898sometimes you need to install:
1899> sudo apt-get install sysvinit-utils chkconfig
1900
1901
1902Upstart is event-driven rather than a set of serial procedures. event notifications are sent to the init process to tell it to execute certain commands at the right time, after prerequisites have been fulfilled. Upstart is superseded by systemd, so don't care about it. its files:
1903/etc/init/rcS.conf
1904/etc/rc.sysinit
1905/etc/inittab
1906/etc/initrc.conf
1907/etc/initrc[0-5].d
1908/etc/init/start-ttys.conf
1909
1910
1911
1912
1913
1914
1915/// chapter 40 - backup and recovery methods ///
1916by the end:
1917 → identify and prioritize data that needs backup
1918 → employ different backup methods depending on a situation
1919 → use cpio, gzip, bzip2, xz, dd, rsync, dump, restore, mt
1920 → 2 most known backup apps: Amanda and Bacula
1921
1922priorities:
1923 must have:
1924 → business-related data
1925 → system configs
1926 → user files (typically /home)
1927 maybe:
1928 → spooling dirs (for printing, mail, etc.)
1929 → logging files (found in /var/log and elsewhere)
1930 rather not:
1931 → SW that can be easily reinstalled, on a good system almost everything
1932 → /tmp dir
1933 no!:
1934 → pseudo-filesystems like /proc, /dev, /sys
1935 → any swap partitions or files
1936
1937 might also consider logging files since they may help to investigate your system history
1938
1939types of backup:
1940 o full - all files on a system
1941 o incremental - all files that have changed since the last incremental backup
1942 o differential - all files that have changed since the last full backup
1943 o multiple lvl incremental - all files that have changed since the previous backup at the same or a previous level
1944 o user - only in specific user's dir
1945
1946backups are useless without associated restore methods. take into account robustness, clarity and ease of both directions when selecting strategies.
1947
1948simple strategy: full backup once, then incremental backups of everything that subsequently changes. restoring from incremental backups can be more difficult and time consuming.
1949
1950good rule is to have at least 2 weeks of backups available.
1951
1952apps:
1953 o cpio, tar - create and extract archives of files
1954 o gzip, bzip2, xz - compressing archives. archives are useful for transferring files from one machine to another
1955 o dd - transfer raw data between media. it can copy entire partitions or entire disks
1956 o rsync - synchronize dir subtrees or entire filesystems across a network or between different filesystem locations on a local machine
1957 o dump, restore - ancient utilities that were designed specifically for backups. they read from the filesystem directly (more efficient). but it must be stored on the same filesystem type. there are newer alternatives
1958 o mt - querying and positioning tapes before performing backups and restores
1959
1960using tar:
1961 o when creating a tar archive, for each dir given as an argument, all files and subdirs will be included in the archive (!!!)
1962 o when restoring, it reconstitutes dirs as necessary
1963 o --newer option for incremental backups
1964
1965
1966> tar --create --file /dev/st0 /root
1967> tar -cvf /dev/st0 /root
1968< prompt to put next tape when needed
1969
1970multi-volume option:
1971> tar -cMf /dev/st0 /root
1972
1973verify files:
1974> tar --compare --verbose --file /dev/st0
1975> tar -dvf /dev/st0
1976
1977single-dashed tar args can be used without dash
1978
1979
1980restoring with tar:
1981> tar --extract --same-permissions --verbose --file /dev/st0
1982==
1983> tar -xpvf /dev/st0
1984==
1985> tar xpvf /dev/st0
1986
1987specify only some files:
1988> tar xvf /dev/st0 someFile
1989
1990list files:
1991> tar --list --file /dev/st0
1992> tar -tf /dev/st0
1993
1994
1995incremental backups:
1996> tar --create --newer '2011-12-1' -vf backup1.tar /var/tmp
1997> tar --create --after-date '2011-12-1' -vf backup1.tar /var/tmp
1998both create backup archive of all files in /var/tmp modified after 01.12.2011
1999note: tar decides by the file's timestamps, not by its contents
2000note: if you use --newer (a long option), the short options must keep their dash (-vf, not vf)
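Added example (not from the course): the full-then-incremental strategy from above, carried out end to end on a constructed tree under mktemp, including the verification step with --compare. The script deliberately uses --newer-mtime rather than --newer: --newer (and --after-date) also counts a changed ctime, so a file whose owner or permissions were touched, or that was just restored, would land in every "incremental" archive even though its contents did not change. All paths and dates are constructed; it needs GNU tar and GNU touch.

```shell
#!/bin/sh
# Added example, not course material: full backup, date-based incremental backup and
# verification with GNU tar, on a constructed tree so the result is predictable.

# setup_sample ROOT: build a small tree with explicit (old) mtimes.
setup_sample() {
    mkdir -p "$1/etc" "$1/home/alice"
    echo "old config" > "$1/etc/app.conf"
    echo "old notes"  > "$1/home/alice/notes.txt"
    touch -d '2011-11-15' "$1/etc/app.conf" "$1/home/alice/notes.txt"
}

# backup_full ROOT ARCHIVE: archive everything below ROOT with relative paths.
backup_full() { tar --create --file "$2" -C "$1" . ; }

# backup_incremental ROOT ARCHIVE DATE: only files whose mtime is after DATE.
# (stderr is silenced because tar reports how it interpreted the date there.)
backup_incremental() { tar --create --newer-mtime "$3" --file "$2" -C "$1" . 2>/dev/null ; }

# archive_files ARCHIVE: regular files stored in the archive, sorted. Directories are
# always kept by tar with --newer-mtime so the tree can be rebuilt; they are filtered.
archive_files() { tar --list --verbose --file "$1" | awk '$1 ~ /^-/ { print $NF }' | sort ; }

# verify_backup ROOT ARCHIVE: 0 if every member still matches the tree, 1 otherwise.
verify_backup() { ( cd "$1" && tar --compare --file "$2" >/dev/null 2>&1 ) ; }

# run_demo: full backup, one later change, incremental backup. Prints the files in the
# incremental archive and checks that the now-stale full backup no longer verifies.
run_demo() {
    work=$(mktemp -d) || return 1
    root="$work/root"
    setup_sample "$root"
    backup_full "$root" "$work/full.tar"
    verify_backup "$root" "$work/full.tar" || { echo "fresh full backup does not verify" >&2; return 1; }

    # simulate a later change: only app.conf is modified after the cut-off date
    echo "new config" > "$root/etc/app.conf"
    touch -d '2012-01-10' "$root/etc/app.conf"

    backup_incremental "$root" "$work/incr.tar" '2011-12-01'
    archive_files "$work/incr.tar"

    if verify_backup "$root" "$work/full.tar"; then
        echo "stale full backup unexpectedly verified" >&2; return 1
    fi
    rm -rf "$work"
}

run_demo
```

Run it and the only regular file listed for the incremental archive is ./etc/app.conf; notes.txt, untouched since before the cut-off, stays out. A real schedule would replace the fixed date with the timestamp of the previous backup run.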
2001
2002
2003
2004usually compress -> transmit -> decompress cycle is faster than transmitting uncompressed file
2005compressing tools in order of increasing efficiency (and longer compression times):
2006 o gzip - LZ77 coding, outputs .gz files
2007 o bzip2 - Burrows-Wheeler block sorting compression algorithm and Huffman coding, outputs .bz2 files
2008 o xz - supports legacy .lzma format, outputs .xz files
2009
2010decompression time is similar, compression time varies
2011zip is rarely used, mostly when dealing with compressed files from other systems
2012
2013using tar for creating compressed archive
2014 o tar zcvf source.tar.gz source
2015 o tar jcvf source.tar.bz2 source
2016 o tar Jcvf source.tar.xz source
20171st command has the same effect as:
2018> tar cvf source.tar source ; gzip -v source.tar
2019but is more efficient bcs:
2020 o there's no intermediate file storage
2021 o archiving and compression happen simultaneously in the pipeline
2022
2023decompressing with tar:
2024> tar xzvf source.tar.gz
2025> tar xjvf source.tar.bz2
2026> tar xJvf source.tar.xz
2027
2028or even simpler:
2029> tar xvf source.tar.gz
2030as modern tar can sense the method of compression
2031
2032dd usage:
2033> dd if=inputFile of=outputFile options
2034> dd if=/dev/zero of=outFile bs=1M count=10 # 10 MB file with zeros (!!!)
2035> dd if=/dev/sda of=/dev/sdb # backup an entire drive to another (raw copy)
2036> dd if=/dev/sda of=/dev/sdadisk.img # backup to a file (can be transferred to another hard disk)
2037> dd if=/dev/sda1 of=partition1.img # backup a single partition
2038> dd if=ndata conv=swab count=1014 | uniq > ofile # using dd in a pipeline (???)
2039
2040rsync:
2041rsync [options] src dest
2042
2043examples:
2044> rsync file.tar someone@backup.mydomain:/usr/local
2045> rsync -r a-machine:/usr/local b-machine:/usr
2046> rsync -r --dry-run /usr/local /BACKUP/usr
2047
2048need to be careful with rsync (especially with the --delete option), so it's recommended to use --dry-run first and run for real only if the output looks correct
2049rsync is clever and efficient. only the differences are copied over the network. good way of usage:
2050> rsync -r project-X archive-machine:archives/project-X
2051this is very efficient and fast backup strategy
2052
2053cpio (copy in and out) - legacy utility, but still in use sometimes
2054
2055> ls | cpio --create -O /dev/st0 # create an archive
2056> cpio -i someFile -I /dev/st0 # extract from an archive
2057> cpio -t -I /dev/st0 # list contents of an archive
2058-I device - read the archive from device (or use redirection on the command line); -O device writes it there
2059-o or --create - copy-out mode: create an archive. cpio reads a list of file names (one per line) from stdin and writes the archive to stdout
2060-i or --extract - copy-in mode: extract files from an archive read from stdin. if you give names as patterns (such as *.c), only the files in the archive that match the pattern are extracted.
2061-t or --list - list the archive contents
2062-v or --verbose - verbose
2063
2064
2065dump and restore - from the earliest days of UNIX, and not designed for modern HW and filesystems.
2066it is used by higher-lvl backup programs such as Amanda.
2067<skipped>
2068
2069Amanda - uses native utils, but is more robust and controllable
2070Bacula - only for advanced admins
2071Clonezilla - live version for single machine backup and recovery and SE (server editions) for many machines at once. Not only for Linux. very hard to use and very flexible.
2072
2073
2074
2075/// chapter 41 - Linux Security Modules ///
2076by the end:
2077 → understand how LSM framework works and how it's deployed
2078 → list various LSM implementations
2079 → ...
2080 → use AppArmor
2081
2082the idea is to implement mandatory access controls over a variety of requests made to kernel in a way that:
2083 o it minimizes changes to kernel
2084 o it minimizes overhead to kernel
2085 o permits flexibility and choice between different implementations, each of which is presented as a self-contained LSM.
2086
2087so it works through hooks placed in the kernel at the points where access decisions are made (the LSM hook interface).
2088
2089for a long time the only security module implemented was SELinux. current LSM implementations are:
2090 o SELinux
2091 o AppArmor
2092 o Smack
2093 o Tomoyo
2094
2095only one LSM can be used at a time, as they potentially modify the same parts of kernel.
2096
2097SELinux was originally developed by the NSA and has been integral to RHEL for a very long time, which gave it a large user base.
2098It's a set of security rules that are used to determine which processes can access which files, dirs, ports and other items on the system.
2099It works with 3 conceptual quantities:
2100 o Contexts - labels to files, PSes, ports. examples are SELinux user, role and type
2101 o Rules - describe access control in terms of contexts, PSes, files, ports, users, etc.
2102 o Policies - sets of rules that describe what system-wide access control, decisions should be made by SELinux
2103
2104"SELinux context" is a name used by a rule to define how users, PSes, files and ports interact with each other. default policy is to deny any access, rules are used to describe allowed actions on the system.
2105
2106SELinux can be run under one of 3 modes:
2107 o Enforcing - all SELinux code is operative and access is denied according to policy. All violations are audited and logged.
2108 o Permissive - enables SELinux code, but only audits and warns about operations that would be denied in enforcing mode.
2109 o Disabled - completely disabled. no SELinux protection.
2110
2111those modes are explained and set in /etc/selinux/config. its location varies by distribution; it is often /etc/sysconfig/selinux or is linked from there (!!!).
2112
2113> sestatus - current mode and policy
2114> getenforce
2115> setenforce
2116> sudo setenforce Permissive
2117< Permissive
2118
2119setenforce lets you switch between enforcing and permissive on the fly, but you cannot disable SELinux with it.
2120to disable SELinux:
2121 o edit a config file (/etc/selinux/config) and set SELINUX=disabled. default way
2122 o kernel param: add selinux=0 to the kernel param list when rebooting
2123
2124 File /etc/sysconfig/selinux sets SELinux policy. multiple policies are allowed, but only 1 can be active at a time. each policy has files which must be installed under /etc/selinux/<SELINUXTYPE>
2125
2126 most common policies:
2127 o targeted - default. user processes and init are not targeted (they run unconfined). SELinux still applies memory restrictions to all processes, which reduces the vulnerability to buffer overflow attacks.
2128 o minimum - modification of "targeted". only selected processes are targeted.
2129 o MLS - Multi-Level Security. much more restrictive. all processes are placed in fine-grained security domains with particular policies.
2130
2131contexts are labels applied to files, dirs, ports, PSes. those labels are used to describe access rules.
2132context fields:
2133 o user
2134 o role
2135 o type
2136 o level
2137we will describe type. type labels end with "_t".
2138
2139use -Z to see the context: (!!!)
2140> ls -Z
2141> ps auxZ
2142
2143chcon changes context:
2144> chcon -t etc_t someFile
2145> chcon --reference=refFile someFile # copy refFile's context onto someFile (refFile is a placeholder name)
2146
2147commands extended to work with SELinux: ls, ps, cp, mv, mkdir
2148if S. is disabled, no useful info is displayed in related fields of those.
2149
2150newly created files inherit from their parent dir, but when moving files, context of the source dir may be preserved.
2151
2152> restorecon - resets file contexts to the policy's default labels for their location
2153
2154to change SELinux policy behaviour at runtime without rewriting the policy, configure SELinux Booleans, which are policy parameters that can be enabled or disabled.
2155> getsebool # see booleans. try also with "-a"
2156> setsebool # set booleans
2157> semanage boolean -l # see persistent boolean settings
2158
2159example:
2160> getsebool ssh_chroot_rw_homedirs
2161< ssh_chroot_rw_homedirs --> off
2162> sudo setsebool ssh_chroot_rw_homedirs on
2163> getsebool ssh_chroot_rw_homedirs
2164< ssh_chroot_rw_homedirs --> on
2165> sudo reboot
2166...
2167> getsebool ssh_chroot_rw_homedirs
2168< ssh_chroot_rw_homedirs --> off
2169
2170example of persistent:
2171> getsebool ssh_chroot_rw_homedirs
2172< ssh_chroot_rw_homedirs --> off
2173> sudo setsebool -P ssh_chroot_rw_homedirs on
2174> getsebool ssh_chroot_rw_homedirs
2175< ssh_chroot_rw_homedirs --> on
2176> sudo reboot
2177...
2178> getsebool ssh_chroot_rw_homedirs
2179< ssh_chroot_rw_homedirs --> on
2180
2181
2182setroubleshoot-server example (a file created in your home dir and moved, not copied, into the web root keeps its home-directory context, so httpd is denied access):
2183> echo dupa > file
2184> mv file /var/www/html
2185> wget -O - localhost/file
2186< some output
2187> tail /var/log/messages
2188< some output
2189> sealert -l d51d34f9-... (the ID from the previous output)
2190
2191tool that generates SELinux policy rules from logs of denied operations:
2192> audit2allow
2193
2194tool that generates SELinux audit messages into a description of why the access was denied:
2195> audit2why
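Added example (mine, not from the course and not how audit2why or sealert are implemented): pull the fields that matter out of AVC denial records and attach a first triage hint, so the setroubleshoot walkthrough above can be followed without a broken web server at hand. The two denial lines are constructed in the layout the kernel writes to /var/log/audit/audit.log; the first is the "moved file kept its home label" case from above, the second a port denial where a boolean, not a new rule, is usually the right answer. The hint logic is a deliberately small assumption of my own and only tells you where to look next.

```shell
#!/bin/sh
# Added example, not course material: summarize SELinux AVC denials from constructed
# audit records and print a first triage hint for each one.

AVC_SAMPLE='type=AVC msg=audit(1550750000.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/file" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1550750000.123:456): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1550750000.456:457): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY: value of the KEY=... token (surrounding quotes removed).
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perm LINE: the permission named inside "denied { ... }".
avc_perm() { printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "{") { print $(i + 1); exit } }'; }

# ctx_type CONTEXT: the type part of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_hint TCLASS TARGET_TYPE PATH: a first guess at what the denial means (assumed rules).
avc_hint() {
    case "$1:$2:$3" in
        file:user_home_t:/var/www/*|dir:user_home_t:/var/www/*)
            echo "  hint: web content still carries its home-directory label; run restorecon -v on $3" ;;
        tcp_socket:*_port_t:*)
            echo "  hint: $2 is a labelled port; check getsebool -a for a boolean covering this before writing a rule" ;;
        *)
            echo "  hint: run audit2why / sealert on this record before allowing anything" ;;
    esac
}

# avc_report: one summary line plus one hint per AVC denial in AVC_SAMPLE;
# other record types (SYSCALL, ...) are skipped.
avc_report() {
    printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r line; do
        case "$line" in *avc:*denied*) ;; *) continue ;; esac
        perm=$(avc_perm "$line")
        tclass=$(avc_field "$line" tclass)
        comm=$(avc_field "$line" comm)
        path=$(avc_field "$line" path)
        stype=$(ctx_type "$(avc_field "$line" scontext)")
        ttype=$(ctx_type "$(avc_field "$line" tcontext)")
        target="${path:-port $(avc_field "$line" dest)}"
        echo "denied $perm on $tclass by $comm: $stype -> $ttype ($target)"
        avc_hint "$tclass" "$ttype" "$path"
    done
}

avc_report
```

The order of the hints is the point: a label mismatch is fixed with restorecon, a known port access is usually a boolean, and only what is left should ever reach audit2allow, because a rule generated from a denial allows exactly that access for every process in the source domain.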
2196
2197links about SELinux:
2198https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/
2199https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/
2200
2201
2202AppArmor:
2203 o LSM alternative to SELinux
2204 o provides Mandatory Access Control (MAC)
2205 o supported since 2006
2206 o used in Suse, Ubuntu and other distros
2207 o considered easier by some but not all
2208 o FS-neutral
2209 o also provides learning mode, where violations are only logged
2210
2211if AppArmor is available as a kernel module, on a systemd-equipped system you can do:
2212> sudo systemctl <start|stop|restart|status> apparmor
2213
2214to change or inquire about current state of operation:
2215> sudo systemctl <enable|disable> apparmor
2216to en/disable loading at boot
2217status:
2218> sudo apparmor_status
2219
2220apparmor modes: enforce and complain, analogous to SELinux enforcing and permissive modes.
2221> ps aux | grep libvirtd
2222
2223profiles are stored in: /etc/apparmor.d
2224
2225> man apparmor.d
2226
2227A. has few utilities. for example on OpenSUSE:
2228> rpm -qil apparmor-utils | grep bin
2229utils:
2230apparmor_status show status of all profiles and PSes with profiles
2231apparmor_notify show a summary for AppArmor log msgs
2232complain set a specified profile to complain mode
2233enforce set a specified profile to enforce mode
2234disable unload a specific profile from the current kernel and prevent it from being loaded on system startup
2235logprof scan log files; if violations have been found, suggest how to take them into account and, if approved, modify and reload the profile
2236easyprof help set up a basic AppArmor profile for a program
2237
2238
2239
2240/// chapter 42 - Local System Security ///
2241by the end:
2242 → assess system security risks
2243 → protect BIOS and boot loader with passwords
2244 → use appropriate mount options, setuid, setgid to enhance security
2245
22464 areas to protect: physical, local, remote, personnel
2247
2248an organization should have a clear security policy: simple and easy, updated frequently, in the form of a written document (in addition to online documentation if needed), specifying the actions to take in response to a security breach.
2249
2250risk analysis:
2251 o what do I want to protect
2252 o what am I protecting against
2253 o how much time, personnel and money is needed to provide adequate protection
2254
22552 security philosophies:
2256 o anything not expressly permitted is denied
2257 o anything not expressly forbidden is permitted
2258
2259general guidelines:
2260 o human factor is the weakest link. you must educate your users. largest percentage of break-ins are internal and not even malicious
2261 o no computing environment is invulnerable. only system not connected to anything and turned off is
2262 o paranoia is a good thing
2263
2264users should never put the current dir in their PATH. a script named ls containing the single line:
2265/bin/rm -rf $HOME
2266would remove the home dir as soon as someone types ls in that directory
2267
2268any system not fully updated should be considered vulnerable.
2269in the Linux world security regressions are extremely rare, and the danger of delaying a security patch is probably never justifiable.
2270
2271any time HW is physically accessible, those can happen:
2272 o key logging
2273 o network sniffing
2274 o booting with a live or rescue disk - it's good to configure BIOS in such a way to protect from this
2275 o remounting and modifying disk content
2276
2277
2278BIOS is the lowest level of security. it should be protected with a password and kept updated and current.
2279the boot loader should also get a password. in GRUB 2 it's harder.
2280link:
2281https://help.ubuntu.com/community/Grub2/Passwords
2282
2283when an FS is mounted, various options can be specified in /etc/fstab to enhance security:
2284 o nodev - don't interpret character or block special devices on the FS
2285 o nosuid - the set-user-identifier and set-group-identifier bits do not take effect
2286 o noexec - restrict direct execution of any binaries on the mounted filesystem
2287 o ro - mount the FS in read-only mode, as in:
2288 > mount -o ro,noexec,nodev /dev/sda2 /mymountpt
2289 or in /etc/fstab
2290 /dev/sda2 /mymountpt ext4 ro,noexec,nodev 0 0
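Added example (not from the course): an audit of an fstab for the nodev/nosuid/noexec options just listed. The fstab is a constructed sample, not this machine's, and the policy table saying which mount points should carry which options is my own assumption to adapt: root cannot take these options (the system's binaries live there), and /home gets noexec only where users are not expected to run their own programs.

```shell
#!/bin/sh
# Added example, not course material: check which hardening mount options are missing
# per mount point in a constructed fstab.

FSTAB_SAMPLE='# constructed sample, not a real /etc/fstab
UUID=0000-root  /         ext4   defaults              1 1
/dev/sda2       /home     ext4   defaults              1 2
/dev/sda3       /tmp      ext4   nodev,nosuid,noexec   1 2
/dev/sdb1       /mnt/usb  vfat   ro,noexec,nodev       0 0
proc            /proc     proc   defaults              0 0'

# expected_opts MOUNTPOINT: assumed policy of which options the mount point needs.
expected_opts() {
    case "$1" in
        /tmp|/var/tmp|/mnt/*|/media/*) echo "nodev nosuid noexec" ;;
        /home)                          echo "nodev nosuid" ;;
        *)                              echo "" ;;
    esac
}

# fstab_opts MOUNTPOINT: the options field of that mount point, or nothing.
fstab_opts() {
    printf '%s\n' "$FSTAB_SAMPLE" | awk -v mp="$1" '!/^#/ && $2 == mp { print $4; exit }'
}

# has_opt OPTS NAME: succeed if NAME is in the comma-separated list OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# fstab_missing MOUNTPOINT: print the expected options that are absent.
fstab_missing() {
    opts=$(fstab_opts "$1")
    missing=""
    for want in $(expected_opts "$1"); do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    echo "${missing# }"
}

# fstab_audit: one line per mount point that lacks something; fail if any does.
fstab_audit() {
    rc=0
    for mp in $(printf '%s\n' "$FSTAB_SAMPLE" | awk '!/^#/ && NF >= 4 { print $2 }'); do
        m=$(fstab_missing "$mp")
        if [ -n "$m" ]; then
            echo "$mp: missing $m"
            rc=1
        fi
    done
    return $rc
}

if fstab_audit; then echo "fstab: all expected options present"; fi
```

On the sample it reports /home (no nodev, no nosuid) and the USB stick (nosuid missing). Remember that fstab only says what will be mounted at boot; what is mounted right now is what findmnt or mount shows, and that is what a remount changes.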
2291
2292normally an app runs with the privileges of the user executing the program! occasionally you want to extend the capabilities of users.
2293by setting the setuid (set user ID) flag on an executable file, one modifies this normal behaviour by giving the program the access rights of the file's owner rather than of the user running it. this is generally a bad idea.
2294
2295setting setuid/setgid bits:
2296> chmod u+s file
2297> chmod g+s file
2298
2299for dirs it is used to create a shared dir. file created in this dir are group owned by the group owner of the dir.
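Added example (not part of the original notes): since setuid binaries are "generally a bad idea", the defender's job is to know exactly which ones exist and to notice when a new one appears. The functions below list setuid/setgid files under a tree in a diff-friendly form and compare the list with a saved baseline. Function names are mine; a real audit runs over / as root, the test uses a temp dir.

```sh
#!/bin/sh
# List setuid/setgid regular files under a directory tree, one per line:
# "<octal mode> <uid> <gid> <path>", sorted by path so two runs can be diffed.
find_setuid_files() {
    root=${1:-/}
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set.
    # -xdev stays on one filesystem, so /proc, /sys and network mounts are not walked.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %u %g %n' {} + 2>/dev/null | sort -k4
}

# Compare the current list with a previously saved baseline file.
# Exit status 0 when identical, 1 when something was added, removed or changed mode.
compare_setuid_baseline() {
    baseline=$1; root=${2:-/}
    find_setuid_files "$root" | diff "$baseline" -
}
```

Save the baseline right after installation (`find_setuid_files / > /root/setuid.baseline`) and re-run the comparison from cron or after every package update; a `+` line in the diff is a new privileged binary to explain.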



/// chapter 43 - basic troubleshooting ///
There's no one good way to do this. It is a combination of skill, intuition and luck.
by the end:
 → troubleshoot your system, following a number of steps iteratively until solutions are found
 → check your network and file integrity for possible issues
 → resolve problems when there is system boot failure
 → repair and recover corrupted filesystems
 → understand how rescue and recovery media can be used for troubleshooting

3 lvls of troubleshooting:
 beginner - can be taught very quickly
 experienced - comes after a few years of practice
 wizard - some people think you have to be born this way, but no. all skills can be learned. every company should have at least 1 person at this lvl

even the best-administered systems will develop problems. troubleshooting can isolate HW from SW problems, and local problems from local network and Internet problems.

basic recipe:
 characterize the problem
 reproduce the problem
 always try the easy things first
 eliminate possible causes 1 at a time
 change only 1 thing at a time. if it doesn't fix the problem, change it back
 check the system logs for further info (/var/log/messages, /var/log/secure)

things to check when there is an issue with networking:
 o IP configuration - use ifconfig or ip to see if the interface is up, and if so, whether it is configured
 o network driver - maybe the correct device driver for the network card is not loaded. check with lsmod whether the network driver is loaded as a kernel module (!!!), or examine the relevant pseudo-files in /proc and /sys, such as /proc/interrupts or /sys/class/net
 o connectivity - use ping to see if the network is visible, checking for response time and packet loss. traceroute can follow packets through the network, while mtr can do this in a continuous fashion. use these utilities to check if the problem is local or on the Internet.
 o default gateway and routing config - run route -n and see if the routing table makes sense
 o hostname resolution - run dig or host on a hostname and see if it resolves correctly.

network problems can be caused either by SW or HW.
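Added example (not part of the original notes): the "local or on the Internet?" question as an ordered set of probes, each eliminating one cause before the next is tried, following the "1 at a time" recipe above. The probes use ip, ping and getent; the verdict is a pure function of the four probe results so it can be tested without a network. EXTERNAL_IP and EXTERNAL_NAME are assumed reachable targets and should be changed for your site; the function names are mine.

```sh
#!/bin/sh
EXTERNAL_IP="${EXTERNAL_IP:-1.1.1.1}"          # assumption: a host that answers ping
EXTERNAL_NAME="${EXTERNAL_NAME:-example.com}"  # assumption: a name that resolves

# Each probe prints nothing and returns 0 on success.
probe_link()     { ip -o link show up 2>/dev/null | grep -qv ' lo:' ; }   # any non-loopback interface up?
probe_gateway()  { gw=$(ip route show default 2>/dev/null | awk '{print $3; exit}')
                   [ -n "$gw" ] && ping -c 1 -W 2 "$gw" >/dev/null 2>&1 ; }
probe_external() { ping -c 1 -W 2 "$EXTERNAL_IP" >/dev/null 2>&1 ; }
probe_dns()      { getent hosts "$EXTERNAL_NAME" >/dev/null 2>&1 ; }

# classify_network_failure LINK GATEWAY EXTERNAL DNS   (each 0 = probe failed, 1 = succeeded)
# Reports the lowest layer that failed: that is the one to fix first, everything above it
# will fail as a consequence and tells you nothing new.
classify_network_failure() {
    link=$1 gw=$2 ext=$3 dns=$4
    if   [ "$link" -eq 0 ]; then echo "local: no interface is up (driver, cable, ip link set ... up)"
    elif [ "$gw"   -eq 0 ]; then echo "local: default gateway missing or not answering (route -n, ip addr)"
    elif [ "$ext"  -eq 0 ]; then echo "upstream: gateway answers but Internet does not (ISP / firewall, try mtr)"
    elif [ "$dns"  -eq 0 ]; then echo "dns: IP connectivity is fine, name resolution is not (/etc/resolv.conf, dig)"
    else                         echo "ok: link, gateway, Internet and DNS all answer"
    fi
}

# Run the probes in order and print the verdict.
network_checklist() {
    l=0 g=0 e=0 d=0
    probe_link     && l=1
    probe_gateway  && g=1
    probe_external && e=1
    probe_dns      && d=1
    classify_network_failure "$l" "$g" "$e" "$d"
}
```

`network_checklist` is what you run on the broken box; the verdict line names the layer and the commands from the list above that apply to it.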

things to check when there is an issue with file integrity:
to check for corrupt files and binaries, on rpm-based systems:
> rpm -V some_package # check a single package
> rpm -Va # check all packages on the system

on Debian-based systems:
> debsums [options] some_package # check checksums of the files in that package. but not all packages ship checksums
> dpkg -V # verify installed packages against the md5sums recorded by dpkg
> sudo aide --check # intrusion detection: scan files and compare them to the last scan
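Added example (not part of the original notes): `rpm -Va` on any real host prints a lot of lines, most of them edited config files, so the useful skill is triage. The status column is nine characters (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities; "." means unchanged), followed by an optional attribute letter (c = config file) and the path. The function below sorts lines into config drift, missing files, suspect changes on non-config files (digest, size, mode or ownership) and minor mtime-only noise. The sample output is constructed, not captured from a host; function names are mine.

```sh
#!/bin/sh
# Constructed sample of `rpm -Va` output (not from a real host) for the demo below.
SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /usr/bin/ps
missing     /usr/lib64/libexample.so.1
.......T.    /usr/share/doc/example/README'

# Read rpm -V lines on stdin, print one classified line each:
#   CONFIG   edited config file (expected on most hosts)
#   MISSING  file removed from disk
#   SUSPECT  non-config file with changed digest/size/mode/owner/group: investigate first
#   MINOR    only mtime differs (often touched by backups or build tools)
rpm_verify_triage() {
    awk '
    {
        status = $1
        attr = (NF == 3) ? $2 : ""      # attribute letter present only when 3 fields
        path = (NF == 3) ? $3 : $2
        if (status == "missing") { print "MISSING  " path; next }
        if (attr == "c") { print "CONFIG   " path " (" status ")"; next }
        if (index(status, "5") || substr(status, 1, 1) == "S" || substr(status, 2, 1) == "M" ||
            substr(status, 6, 1) == "U" || substr(status, 7, 1) == "G") {
            print "SUSPECT  " path " (" status ")"; next
        }
        print "MINOR    " path " (" status ")"
    }'
}

# Number of SUSPECT lines in the sample (expected: /usr/bin/passwd and /usr/bin/ps).
sample_suspects() { printf '%s\n' "$SAMPLE_RPM_V" | rpm_verify_triage | grep -c '^SUSPECT' ; }
```

Live usage: `rpm -Va 2>/dev/null | rpm_verify_triage | sort`. A SUSPECT hit on a setuid binary such as /usr/bin/passwd is the kind of line that justifies booting rescue media and reinstalling the package from known-good sources rather than trusting the running system.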

things to check when there is an issue with boot process failures:
checking what happens at each stage is important. assuming you get through the BIOS stage, these might happen:
 o no boot loader screen - check for GRUB misconfiguration or a corrupted boot sector. you might want to reinstall the boot loader
 o kernel fails to load - if the kernel panics during the boot process, it is most likely misconfigured or corrupted, or incorrect params were specified on the kernel command line in the GRUB config file. you can reinstall the kernel, or enter the interactive GRUB menu at boot and use cmd line params to try to fix it that way. or boot into a rescue image as described in the next chapter
 o kernel loads but fails to mount the root filesystem - main causes:
 - misconfigured GRUB config file
 - misconfigured /etc/fstab
 - no support for the root FS type, either built into the kernel or as a module in the initramfs (initial ram disk/FS)
 o failure during the init process - maaany things. look closely at the messages displayed before things stop. try booting into a lower runlevel, such as 3 (no graphics), or 1 (single user mode)

things to check when there is an issue with filesystem corruption and recovery:
if during the boot process >=1 FS fails to mount, fsck may be used to attempt a repair. however, before doing that one should check that /etc/fstab has not been misconfigured or corrupted. note once again that the problem could also be a FS type the kernel does not understand.

if the root FS has been mounted, you can examine this file, but "/" may have been mounted read-only, so to edit the file and fix it you can run:
> sudo mount -o remount,rw / # remount it with write permission.

if /etc/fstab seems to be correct, move on to fsck. first try:
> sudo mount -a
to try and mount all FSes. if it fails, try to manually mount the ones with problems. run fsck first to see what it reports, then run it again to have it try and fix any errors found.
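Added example (not part of the original notes): the pre-fsck sanity pass on /etc/fstab described above, written so it can run from a rescue shell against a system root mounted under some prefix. For every non-swap entry it checks that the FS type is listed in /proc/filesystems (built-in or currently loaded; a type that lives in an unloaded module is reported, which is exactly the "kernel does not understand this FS" case), that the mountpoint directory exists, and that "/" has fsck pass number 1. The sample fstab and filesystems list in the demo are constructed; function names are mine.

```sh
#!/bin/sh
# fstab_sanity FSTAB FILESYSTEMS_LIST [MOUNT_PREFIX]
# Prints one line per finding; prints nothing when the fstab looks sane.
fstab_sanity() {
    fstab=$1 fslist=$2 prefix=${3:-}
    # last column of /proc/filesystems is the type name ("nodev" marks virtual FSes)
    known=$(awk '{print $NF}' "$fslist" | tr '\n' ' ')
    # drop comments and blank lines, then read the six fstab fields
    grep -v '^[[:space:]]*#' "$fstab" | grep -v '^[[:space:]]*$' |
    while read -r dev mnt type opts dump pass; do
        if [ "$type" = "swap" ]; then continue; fi
        case " $known " in
            *" $type "*) ;;
            *) echo "$mnt: type '$type' unknown to this kernel (module not loaded / missing from initramfs?)" ;;
        esac
        if [ ! -d "$prefix$mnt" ]; then
            echo "$mnt: mountpoint $prefix$mnt does not exist"
        fi
        if [ "$mnt" = "/" ] && [ "${pass:-0}" != "1" ]; then
            echo "/: fsck pass is '${pass:-0}', expected 1"
        fi
    done
    return 0
}

# Constructed sample (not from a real host): two good entries, one with an FS type the
# sample kernel lacks and no mountpoint, and a swap entry that is skipped.
fstab_sanity_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home" "$d/data"
    printf '%s\n' \
        '# device      mountpoint  type   options   dump pass' \
        'UUID=root-1   /           ext4   defaults  0    1' \
        '/dev/sdb1     /home       ext4   defaults  0    2' \
        '/dev/sdc1     /data       xfs    defaults  0    2' \
        '/dev/sdd1     /srv        btrfs  defaults  0    2' \
        '/dev/sde1     none        swap   sw        0    0' > "$d/fstab"
    printf 'nodev\tproc\nnodev\tsysfs\n\text4\n\txfs\n' > "$d/filesystems"
    fstab_sanity "$d/fstab" "$d/filesystems" "$d"
    rm -rf "$d"
}
```

From a rescue environment with the damaged system mounted at /mnt/sysimage the real call is `fstab_sanity /mnt/sysimage/etc/fstab /proc/filesystems /mnt/sysimage`, with the rescue kernel's /proc/filesystems standing in for the installed one; only after it prints nothing is fsck worth running.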



/// chapter 44 - system rescue ///
sooner or later a system is likely to fail. it's good to have rescue media (pendrive / CD / network)
by the end:
 → explain forms of system rescue media
 → know how to enter emergency mode and what can be done there
 → know how to enter single user mode, what can be done there and how it differs from emergency mode



a rescue image generally contains a limited but powerful set of utilities useful for troubleshooting and fixing problems on a system:
 o disk mgmt utils
 o network utils
 o miscellaneous utils
 o logging files

exact choices vary from one Linux distro to another, but when you boot from an install or live CD/pendrive, you'll get an option with a name like "Rescue Installed System".

examples of utils:
 o disk utils for creating partitions, managing RAID devices, managing logical volumes and creating FSes: fdisk, mdadm, pvcreate, vgcreate, lvcreate, mkfs and others
 o network utils for network debugging and network connectivity: ifconfig, route, traceroute, mtr, host, ftp, scp, ssh
 o other commands like: bash, chroot, kill, vi, dd, tar, cpio, gzip, rpm, mkdir, ls, cp, mv, rm and others

the rescue image will ask a number of questions upon starting, one of them being whether or not to mount your FSes (if it can). if so, they are mounted somewhere, usually at /mnt/sysimage. you can move to that dir to get to your files, or change into that environment:
> sudo chroot /mnt/sysimage

for a network-based rescue you may also be asked to mount /mnt/source.

you may install SW packages from inside the chroot-ed environment. you may also be able to install them from outside the chroot-ed environment, for example on an rpm-based system, by using the --root option to specify the location of the root directory:
> sudo rpm -ivh --force --root=/mnt/sysimage /mnt/source/Packages/vsftpd-2*.rpm

emergency boot media - useful when your system won't boot due to some issue such as missing, misconfigured or corrupted files, or a misconfigured service

rescue media may also be useful if the root password is somehow lost or scrambled and needs to be reset.

most Linux distros permit the install media to also be a rescue disk, which is very convenient. there are also special-purpose rescue disks available.

live media provide a complete and bootable OS which runs in memory rather than loading from a disk. users can evaluate an OS without installing it or making changes to the existing OS. they can run without a HDD.

the procedure for entering a special OS for rescue is the same. it can be accessed from an option on the boot menu. in many cases you may have to type rescue on a line like:
> boot: linux rescue
it may vary between distros (?)

then you might be asked things such as which language to continue in, and to make some distro-dependent choices. then a prompt to select where a valid rescue image is located: CD/DVD, HDD, NFS, FTP or HTTP.
then a prompt about mounting your FSes. if they can be found, they are mounted under /mnt/sysimage. you'll be given a shell prompt and access to various utils to make the appropriate fixes to your system.

chroot can be used to better access your root ("/") FS.

many distros provide a boot.iso (or similarly named) image file for download. then you can use dd to place it on a USB key drive as in:
> dd if=boot.iso of=/dev/sdX

the utils livecd-tools and liveusb-creator allow specification of either a local drive or the Internet as the location for obtaining an install img. it works for virtually all Linux distros.

emergency mode - boot into the most minimal env possible. the root FS is mounted read-only, no init scripts are run and almost nothing is set up. this is the main advantage of emergency mode over single-user mode: a corrupted init will stop the latter but not the former.

to enter emergency mode, select an entry from the GRUB boot menu and then hit e for edit. then add the word emergency to the kernel command line before telling the system to boot

when your system boots but does not allow you to log in when it has completed booting, try single user mode. in this mode:
 o init is started
 o services are not
 o the network neither
 o all FSes are mounted
 o root access is granted without a password
 o a system maintenance cmd line shell is launched
 o the system boots to runlevel 1 (in SysVinit language). because single user mode automatically tries to mount your FSes, you cannot use it when your root FS cannot be mounted successfully or if the init configuration is corrupted.

to log in to single user mode use the same method as for emergency mode, but instead of "emergency" write "single".



chroot - used to run commands such as "mount" and "update-grub" in order to recover the system.
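Added example (not part of the original notes or of any distro's rescue tooling): preparing the chroot before running recovery commands. A bare `chroot /mnt/sysimage` is enough for editing files, but update-grub, grub-install, dracut/mkinitrd and package managers expect /dev, /proc, /sys and a working resolv.conf inside the new root, so those are bind-mounted in first and removed again afterwards. It assumes the rescue environment has already mounted the system root at the given path (default /mnt/sysimage, as in the notes); a separate /boot partition must be mounted under it by hand as well. Function names and the DRY_RUN switch are mine.

```sh
#!/bin/sh
# With DRY_RUN=1 every command is printed instead of executed (used by the test).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Bind the kernel pseudo-filesystems into the target root and enter it.
rescue_chroot_prepare() {
    root=${1:-/mnt/sysimage}
    # order matters: /dev before /dev/pts; all of them before chroot
    for fs in dev dev/pts proc sys run; do
        run mount --bind "/$fs" "$root/$fs"
    done
    run cp /etc/resolv.conf "$root/etc/resolv.conf"   # name resolution for package installs
    run chroot "$root" /bin/bash
}

# Undo the bind mounts in reverse order once work inside the chroot is finished.
rescue_chroot_cleanup() {
    root=${1:-/mnt/sysimage}
    for fs in run sys proc dev/pts dev; do
        run umount "$root/$fs"
    done
}
```

Typical sequence from the rescue shell: `rescue_chroot_prepare`, then inside the chroot the actual repair (`update-grub`, `grub-install /dev/sda`, `passwd`), then `exit` and `rescue_chroot_cleanup` before rebooting; skipping the cleanup leaves the rescue media's /dev busy and the unmount of /mnt/sysimage fails.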

systemd - now mostly used

https://training.linuxfoundation.org/certification/linux-foundation-certified-sysadmin-lfcs/
!!!!!!!!

administer, administrate

https://www.istqb.org/
http://sjsi.org/polaczenie-ireb-i-reqb/

Overall description:: Add new signal to modify GTP-U session.

IP_PACGEN:: Add handling for new signal IPPACGEN_CN_GTPU_SESSION_MODIFY_IND
 to support CNHHO. Signal allows to change TEID and RNC IP
 address in GTP-U in existing session.

RANAP_CO:: Change in IpPacGenGtpUSessionProxy API.

CN_SG:: Add handling of swapping GTPU tunnel in
 RelocationPending State in case of CNHHO

https://www.dreamincode.net/forums/topic/78802-martyr2s-mega-project-ideas-list/

https://4programmers.net/Forum/Edukacja/317916-droga_do_devopsa?p=1538664#id1538664

tables

https://www.ikea.com/pl/pl/catalog/products/30339735/
https://www.ikea.com/pl/pl/catalog/products/60261037/

IKEA, to choose from:
https://www.ikea.com/pl/pl/catalog/categories/departments/workspaces/20649/
;
this collection:
https://www.officefurnitureitaly.com/modern-desk/infinity-babini.html

http://krakow-meble.pl/14-stoly-i-krzesla

The static keyword has another meaning when applied to global variables -- it gives them internal linkage (which restricts them from being seen/used outside of the file they are defined in). Because global variables are typically avoided, the static keyword is not often used in this capacity.
!!!

https://writing.stackexchange.com/questions/39876/how-can-i-make-a-character-who-isnt-a-jerk-seem-like-one

https://law.stackexchange.com/questions/33212/student-drugs-a-teacher-what-laws-are-potentially-broken

http://www.lambdafaq.org/what-about-the-diamond-problem/

book: Najgorszy człowiek na świecie (The Worst Person in the World)

modular furniture
furniture price comparison sites

https://allegro.pl/uzytkownik/DekoracjaDomu-pl?order=m
;
https://allegro.pl/hit-regal-styl-bialy-188x188-cm-nowoczesny-biuro-i7072196632.html?reco_id=f657bbff-e0fe-11e8-b3c8-246e9680da28
;
https://allegro.pl/uzytkownik/DekoracjaDomu-pl/meble-522?order=m
;
https://allegro.pl/uzytkownik/DekoracjaDomu-pl/wyposazenie-123?order=m
;
https://allegro.pl/uzytkownik/DekoracjaDomu-pl/meble-522?order=m&p=5

furniture outlets
http://www.outletmeblowy.pl/

buy online at:
http://pl.dawanda.com/
https://www.etsy.com/
;
What is worth buying?
Individual pieces of furniture that are meant to stand out and make a "wow" effect - tables, coffee tables, armchairs, bedside tables, accessories.


11. Flea markets, classified ads
http://patyna.pl/
http://odwzorowanie.pl/
http://allegro.pl/
http://olx.pl/



Among Polish showrooms with good design I would add Moma Studio http://www.momastudio.pl/ and NAP http://nap.com.pl/, among Scandinavian ones BoConcept, and for beautiful furniture and accessories MintGrey http://www.mintgrey.pl/, BB Home http://bbhomeonline.pl/ and House and More http://houseandmore.pl/. Among Polish furniture manufacturers, besides Paged, good quality can also be found at Bydgoskie Fabryki Mebli and Matkowski Meble. Regards, Kasia




There are two resources that I always recommend when preparing for interviews:

http://www.crackingthecodinginterview.com/
 "Cracking the Coding Interview", a fantastic book that includes a lot of coding problems and their solutions, as well as summaries of what you need to know to solve them

 https://www.codewars.com/
 CodeWars, a website that has a large collection of coding problems that you can solve in the browser using a wide selection of languages. The most useful part is seeing how other users solved the same problem. You'll get to see different approaches to the same problem and learn new tools in the language of your choice.




but at what cost