Linux - General: Difference between revisions
NickPGSmith (talk | contribs) |
NickPGSmith (talk | contribs) No edit summary |
||
| (44 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Chrome == | |||
wget https://dl.google.com/linux/linux_signing_key.pub | |||
sudo rpm -e "gpg-pubkey-7fac5991-*" "gpg-pubkey-d38b4796-*" | |||
sudo rpm --import linux_signing_key.pub | |||
== Cockpit == | == Cockpit == | ||
dnf install cockpit | dnf install cockpit | ||
systemctl enable | systemctl enable cockpit.socket | ||
systemctl start | systemctl start cockpit.socket | ||
firewall-cmd --permanent --add-service=cockpit | firewall-cmd --permanent --add-service=cockpit | ||
Access via https://host.example.conm:9090 | |||
Default self-signed key and cert: | |||
* /etc/cockpit/ws-certs.d/0-self-signed.key | |||
* /etc/cockpit/ws-certs.d/0-self-signed.cert | |||
== GPG == | |||
gpg -o out.txt -d in.asc | |||
== Gnome == | == Gnome == | ||
| Line 24: | Line 40: | ||
To disable, set to 0. | To disable, set to 0. | ||
== MOTD == | |||
Files in /etc/motd.d, create text with banner or figlet. | |||
== OneDrive == | == OneDrive == | ||
| Line 63: | Line 83: | ||
* dom0_mem=max:1024M dom0_max_vcpus=1 | * dom0_mem=max:1024M dom0_max_vcpus=1 | ||
grub2-mkconfig -o /boot/grub2/grub.cfg | grub2-mkconfig -o /boot/grub2/grub.cfg | ||
== RPM == | |||
Extract files from an RPM without installing: | |||
rpm2cpio ./something.rpm | cpio -idmv | |||
== SELinux == | |||
See [https://docs.fedoraproject.org/en-US/quick-docs/selinux-getting-started/ here] for more details. | |||
* SELinux labels (contexts) abstract away the details, eg a changeable exact path to a file. | |||
** Have fields: user, role, type, security level | |||
* A policy uses these contexts to define how processes can inteact (deny by default). | |||
* Modes: | |||
** Disabled | |||
** Permissive: applies lables and deny messages, but does not actually deny: useful for development | |||
** Enforcing: normal mode. | |||
Show current mode: | |||
getenforce | |||
Enter permissive mode: | |||
setenforce 0 | |||
Enter enforcing mode: | |||
setenforce 1 | |||
These are not persistent over reboots; see file: | |||
* /etc/selinux/config | |||
Individual domains can be made permissive in enforcing modem eg: | |||
semanage permissive -a httpd_t | |||
Show all boolean flags (state and default): | |||
semanage boolean --list | |||
Boolean flags (-P for persistence accross reboots): | |||
getsebool -a | |||
setsebool -P httpd_read_user_content true | |||
setsebool -P httpd_enable_homedirs true | |||
or with semanage tool: | |||
semanage boolean --modify --on httpd_enable_homedirs | |||
Change context of the public directory and its contents: | |||
chcon -R -t httpd_user_content_t public_html | |||
Change context of writable directory: | |||
semanage fcontext -a -t httpd_sys_rw_content_t '/home/jblogs/public_html/writable' | |||
Restore to default context: | |||
restorecon -v '/home/jblogs/public_html' | |||
Interrogate SE policy: | |||
sesearch --allow -s httpd_t -b httpd_enable_homedirs | |||
Use setroubleshoot to diagnose blocked activities. | |||
== systemd == | == systemd == | ||
| Line 83: | Line 160: | ||
systemctl list-unit-files --type=service | systemctl list-unit-files --type=service | ||
== | === Log Monitoring === | ||
All entries from boot time in UTC: | |||
journalctl -b --utc | |||
Show how many boots are recorded: | |||
journalctl --list-boots | |||
Time window: | |||
journalctl --since "2022-01-01 00:50" --until yesterday | |||
journalctl --since 09:00 --until "1 hour ago" | |||
Filter by unit (multiple -u options can be given): | |||
journalctl -u httpd.service | |||
Filter by UID/GID: | |||
journalctl _UID=1000 _GID=1000 | |||
Do not page kernel messages: | |||
journalctl -k --no-pager | |||
SHow only 20 lines, or follow: | |||
journalctl -20 | |||
journalctl -f | |||
=== Service Definitions === | |||
See also: | |||
* [https://www.freedesktop.org/software/systemd/man/255/systemd.service.html Systemd Services] | |||
Create service file: | |||
* /etc/systemd/system/example.service | |||
[Unit] | |||
Description=Example Service | |||
[Service] | |||
Type=oneshot | |||
ExecStart=/usr/bin/python3 /example.py | |||
A oneshot type is suitable for commands that run and then finish. The default type is simple, which assumes service has started as soon as it starts executing. | |||
Other optional settings: | |||
Type=simple | |||
Restart=always | |||
User=jbloggs | |||
WorkingDirectory=/blah | |||
Note that systemd does not use a shell to exec so a shebang does not work: run explicity under sh, python3, etc. | |||
For services intended to be started by systemctl, and entry such as: | |||
[Install] | |||
WantedBy=multi-user.target | |||
is require, or WantedBy=, RequiredBy, etc. | |||
=== Timers === | |||
See also: | |||
* [https://opensource.com/article/20/7/systemd-timers here] | |||
Show timers: | |||
systemctl list-timers | |||
systemctl list-timers -all | |||
systemctl list-timers state=failed | |||
systemctl status *timer | |||
Create unit file: | |||
* /etc/systemd/system/example.timer | |||
[Unit] | |||
Description=Example Timer | |||
[Timer] | |||
OnBootSec=10min | |||
OnUnitActiveSec=5min | |||
OnCalendar=*-*-* *:0/15 | |||
Persistent=true | |||
Unit=example.service | |||
[Install] | |||
WantedBy=multi-user.target | |||
* Run 10 mins after booting, 5 min after activation and every 15 mins | |||
* Persistent=true: If the system is offline during a scheduled run, execute when the system is next online. | |||
Check syntax: | |||
systemd-analyze verify example.* | |||
Enable and start the timer: | |||
systemctl daemon-reload | |||
systemctl enable example.timer | |||
systemctl start example.timer | |||
Check with: | |||
systemctl status example.timer | |||
journalctl -f -u example.service | |||
==== OnCalendar ==== | |||
General format (Day Of Week is optional): | |||
* DOW YYYY-MM-DD HH:MM:SS | |||
{| class="wikitable" | |||
!Definition | |||
!Meaning | |||
|- | |||
|+OnCalendar Examples | |||
|- | |||
|* Weekly || Weekly | |||
|+ | |||
|* *-*-* 00:30:00 || Every month at 30 mins past midnight | |||
|- | |||
|Sun 2025-*-* 03:00:00 || Every Sunday in 2025 at 0300 | |||
|- | |||
|*-*-* *:*:00 || Every Minute | |||
|- | |||
|*-*-* *:*/5:00 || Every 5 minutes | |||
|- | |||
|*-*-* *:*/30:00 || Every 30 minutes | |||
|- | |||
|*-*-* *:00:00 || Every 1 hour | |||
|- | |||
|*-*-* */2:00:00 || Every other hour | |||
|- | |||
|*-*-* */12:00:00 || Every 12 hour | |||
|- | |||
|*-*-* 9-17:00:00||Between certain hours | |||
|- | |||
|*-*-* 00:00:00 || Daily | |||
|- | |||
|*-*-* 01:00:00 || Every Night | |||
|- | |||
|*-*-* 02:00:00 || Every Night at 2am | |||
|- | |||
|*-*-* 07:00:00 || Every morning | |||
|- | |||
|*-*-* 00:00:00 || Every midnight | |||
|- | |||
|Sun *-*-* 00:00:00 || Every sunday | |||
|- | |||
|Fri *-*-* 00:00:00 || Every friday at midnight | |||
|- | |||
|Mon...Fri *-*-* 00:00:00 || Every weekday | |||
|- | |||
|Sat,Sun *-*-* 00:00:00 || Every weekend | |||
|- | |||
|* *-*-* 00:00:00 || Every 7 days | |||
|- | |||
|* *-*-01 00:00:00 || Monthly | |||
|- | |||
|* *-01,04,07,10-01 00:00:00 || Every quarter | |||
|- | |||
|* *-01,07-01 00:00:00 || Every 6 months | |||
|- | |||
|* *-01-01 00:00:00 || Every year | |||
|} | |||
Check with: | |||
# systemd-analyze calendar '*-*-* *:0/15' | |||
Original form: *-*-* *:0/15 | |||
Normalized form: *-*-* *:00/15:00 | |||
Next elapse: Wed 2024-05-15 06:45:00 BST | |||
(in UTC): Wed 2024-05-15 05:45:00 UTC | |||
From now: 9min left | |||
== Stress-NG == | == Stress-NG == | ||
| Line 127: | Line 360: | ||
== UDEV == | == UDEV == | ||
Rules files in /etc/udev/rules.d | See also: [https://www.freedesktop.org/software/systemd/man/latest/udev.html Udev] and [http://www.reactivated.net/writing_udev_rules.html Udev Rules]. | ||
Custom rules files in /etc/udev/rules.d and must have .rules suffix, system rules live in /usr/lib/udev/rules.d. The are processed in lexographical order. | |||
Display device attributes with: | Display device attributes with: | ||
udevadm info --query=env --name=/dev/sdg | udevadm info --query=env --name=/dev/sdg | ||
Match the kernel assigned name for disk, and add (+=) a symlink with a new name "/dev/bigdata": | |||
KERNEL=="sdb", SYMLINK+="bigdata" | |||
Match PATH_ID from udevadm command, and add a symlink to a new name "/dev/database": | |||
SUBSYSTEM=="block", ATTRS{ID_PATH}=="pci-0000:00:10.0-scsi-0:0:1:0", SYMLINK+="database" | |||
Matching on ID_PART_TABLE_UUID is another candidate. | |||
* Sepate multiple matches (==) with commas | |||
* Single assignment (=) or append to list (+=). | |||
== Users / Accounts == | == Users / Accounts == | ||
Latest revision as of 08:54, 22 October 2025
Chrome
wget https://dl.google.com/linux/linux_signing_key.pub sudo rpm -e "gpg-pubkey-7fac5991-*" "gpg-pubkey-d38b4796-*" sudo rpm --import linux_signing_key.pub
Cockpit
dnf install cockpit systemctl enable cockpit.socket systemctl start cockpit.socket firewall-cmd --permanent --add-service=cockpit
Access via https://host.example.conm:9090
Default self-signed key and cert:
- /etc/cockpit/ws-certs.d/0-self-signed.key
- /etc/cockpit/ws-certs.d/0-self-signed.cert
GPG
gpg -o out.txt -d in.asc
Gnome
Window Manager
Bring back minimise/maximise buttons:
gsettings set org.gnome.desktop.wm.preferences button-layout ":minimize,maximize,close"
Power Settings
Fedora 38 changed default power settings. Per-user can be control in the control UI widget. For workstation edition, there is a default that applies at login screen (eg after reboot).
Check with:
sudo -u gdm dbus-run-session gsettings list-recursively org.gnome.settings-daemon.plugins.power | grep sleep
Set (eg to 1 hour) with:
sudo -u gdm dbus-run-session gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 3600
To disable, set to 0.
MOTD
Files in /etc/motd.d, create text with banner or figlet.
OneDrive
Microsoft OneDrive sync:
- install package: onedrive
Authorization:
onedrive
and follow link to generate a login link to give back to onedrive.
- Storage in ~/OneDrive
- Configuration in ~/.config/onedrive
Show config:
onedrive --display-config
Dry run Synchronise:
onedrive --synchronize --dry-run --verbose
Synchronise:
onedrive --synchronize
Sync file list in ~/.config/ondrive/sync_list like:
# Demo /Security/*.kdbx !/Documents/Unwanted /Documents !/Temp
Then test:
onedrive --synchronize --dry-run --verbose
See also here
Grub
In /etc/default/grub, add to GRUB_CMDLINE_LINUX (GRUB_CMDLINE_XEN):
- dom0_mem=max:1024M dom0_max_vcpus=1
grub2-mkconfig -o /boot/grub2/grub.cfg
RPM
Extract files from an RPM without installing:
rpm2cpio ./something.rpm | cpio -idmv
SELinux
See here for more details.
- SELinux labels (contexts) abstract away the details, eg a changeable exact path to a file.
- Have fields: user, role, type, security level
- A policy uses these contexts to define how processes can inteact (deny by default).
- Modes:
- Disabled
- Permissive: applies lables and deny messages, but does not actually deny: useful for development
- Enforcing: normal mode.
Show current mode:
getenforce
Enter permissive mode:
setenforce 0
Enter enforcing mode:
setenforce 1
These are not persistent over reboots; see file:
- /etc/selinux/config
Individual domains can be made permissive in enforcing modem eg:
semanage permissive -a httpd_t
Show all boolean flags (state and default):
semanage boolean --list
Boolean flags (-P for persistence accross reboots):
getsebool -a setsebool -P httpd_read_user_content true setsebool -P httpd_enable_homedirs true
or with semanage tool:
semanage boolean --modify --on httpd_enable_homedirs
Change context of the public directory and its contents:
chcon -R -t httpd_user_content_t public_html
Change context of writable directory:
semanage fcontext -a -t httpd_sys_rw_content_t '/home/jblogs/public_html/writable'
Restore to default context:
restorecon -v '/home/jblogs/public_html'
Interrogate SE policy:
sesearch --allow -s httpd_t -b httpd_enable_homedirs
Use setroubleshoot to diagnose blocked activities.
systemd
Service Control
Basic use:
systemctl start something systemctl stop something systemctl enable something systemctl disable something
Service definition files in:
- /usr/lib/systemd/system
Deinitions with "@" names have argument passed as parameter, such as:
systemctl status clamd@scan
Show all defintions:
systemctl list-unit-files --type=service
Log Monitoring
All entries from boot time in UTC:
journalctl -b --utc
Show how many boots are recorded:
journalctl --list-boots
Time window:
journalctl --since "2022-01-01 00:50" --until yesterday journalctl --since 09:00 --until "1 hour ago"
Filter by unit (multiple -u options can be given):
journalctl -u httpd.service
Filter by UID/GID:
journalctl _UID=1000 _GID=1000
Do not page kernel messages:
journalctl -k --no-pager
SHow only 20 lines, or follow:
journalctl -20 journalctl -f
Service Definitions
See also:
Create service file:
- /etc/systemd/system/example.service
[Unit] Description=Example Service [Service] Type=oneshot ExecStart=/usr/bin/python3 /example.py
A oneshot type is suitable for commands that run and then finish. The default type is simple, which assumes service has started as soon as it starts executing.
Other optional settings:
Type=simple Restart=always User=jbloggs WorkingDirectory=/blah
Note that systemd does not use a shell to exec so a shebang does not work: run explicity under sh, python3, etc.
For services intended to be started by systemctl, and entry such as:
[Install] WantedBy=multi-user.target
is require, or WantedBy=, RequiredBy, etc.
Timers
See also:
Show timers:
systemctl list-timers systemctl list-timers -all systemctl list-timers state=failed systemctl status *timer
Create unit file:
- /etc/systemd/system/example.timer
[Unit] Description=Example Timer [Timer] OnBootSec=10min OnUnitActiveSec=5min OnCalendar=*-*-* *:0/15 Persistent=true Unit=example.service [Install] WantedBy=multi-user.target
- Run 10 mins after booting, 5 min after activation and every 15 mins
- Persistent=true: If the system is offline during a scheduled run, execute when the system is next online.
Check syntax:
systemd-analyze verify example.*
Enable and start the timer:
systemctl daemon-reload systemctl enable example.timer systemctl start example.timer
Check with:
systemctl status example.timer journalctl -f -u example.service
OnCalendar
General format (Day Of Week is optional):
- DOW YYYY-MM-DD HH:MM:SS
| Definition | Meaning |
|---|---|
| * Weekly | Weekly |
| * *-*-* 00:30:00 | Every month at 30 mins past midnight |
| Sun 2025-*-* 03:00:00 | Every Sunday in 2025 at 0300 |
| *-*-* *:*:00 | Every Minute |
| *-*-* *:*/5:00 | Every 5 minutes |
| *-*-* *:*/30:00 | Every 30 minutes |
| *-*-* *:00:00 | Every 1 hour |
| *-*-* */2:00:00 | Every other hour |
| *-*-* */12:00:00 | Every 12 hour |
| *-*-* 9-17:00:00 | Between certain hours |
| *-*-* 00:00:00 | Daily |
| *-*-* 01:00:00 | Every Night |
| *-*-* 02:00:00 | Every Night at 2am |
| *-*-* 07:00:00 | Every morning |
| *-*-* 00:00:00 | Every midnight |
| Sun *-*-* 00:00:00 | Every sunday |
| Fri *-*-* 00:00:00 | Every friday at midnight |
| Mon...Fri *-*-* 00:00:00 | Every weekday |
| Sat,Sun *-*-* 00:00:00 | Every weekend |
| * *-*-* 00:00:00 | Every 7 days |
| * *-*-01 00:00:00 | Monthly |
| * *-01,04,07,10-01 00:00:00 | Every quarter |
| * *-01,07-01 00:00:00 | Every 6 months |
| * *-01-01 00:00:00 | Every year |
Check with:
# systemd-analyze calendar '*-*-* *:0/15'
Original form: *-*-* *:0/15
Normalized form: *-*-* *:00/15:00
Next elapse: Wed 2024-05-15 06:45:00 BST
(in UTC): Wed 2024-05-15 05:45:00 UTC
From now: 9min left
Stress-NG
Load CPU:
stress-ng --cpu 4 --timeout 60s --metrics
Swap
Add filesystem swap:
fallocate -l 1G /somepath/swap chmod 600 /somepath/swap mkswap /somepath/swap swapon /somepath/swap
Check:
swapon NAME TYPE SIZE USED PRIO /dev/sda2 partition 8G 219.8M -2 /somepath/swap file 1024M 0B -3
And then add a line to /etc/fstab to ensure it is enabled at boot:
/somepath/swap swap swap defaults 0 0
Timezone
Show available zones:
timedatectl list-timezones
Set and check:
timedatectl set-timezone timedatectl timedatectl
UDEV
See also: Udev and Udev Rules.
Custom rules files in /etc/udev/rules.d and must have .rules suffix, system rules live in /usr/lib/udev/rules.d. The are processed in lexographical order.
Display device attributes with:
udevadm info --query=env --name=/dev/sdg
Match the kernel assigned name for disk, and add (+=) a symlink with a new name "/dev/bigdata":
KERNEL=="sdb", SYMLINK+="bigdata"
Match PATH_ID from udevadm command, and add a symlink to a new name "/dev/database":
SUBSYSTEM=="block", ATTRS{ID_PATH}=="pci-0000:00:10.0-scsi-0:0:1:0", SYMLINK+="database"
Matching on ID_PART_TABLE_UUID is another candidate.
- Sepate multiple matches (==) with commas
- Single assignment (=) or append to list (+=).
Users / Accounts
Show password hashing algorithm:
authconfig --test | grep hashing
Set algorithm:
authconfig --passalgo=sha512 --update
Control password policy:
- /etc/security/pwquality.conf