10.19 Backing up and restoring iptables rules

service iptables save    writes the current rules to /etc/sysconfig/iptables (needs the iptables-services package on CentOS 7)
iptables-save > FILE     writes the current rules to any file you choose

[root@arslinux-01 ~]# iptables-save > /tmp/ipt.txt
[root@arslinux-01 ~]# cat !$
cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Wed Apr 17 19:56:24 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [192:17603]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Apr 17 19:56:24 2019

iptables-restore < FILE  loads the rules from a saved file

[root@arslinux-01 ~]# iptables -F
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1584 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 13 packets, 1228 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@arslinux-01 ~]# iptables-restore < /tmp/ipt.txt
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2640 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 21 packets, 1964 bytes)
 pkts bytes target     prot opt in     out     source               destination

Two things to keep in mind on a remote host. iptables -F only flushes the rules; the chain policies stay as they are (ACCEPT here). If a chain's policy were DROP, flushing would cut off every connection including the SSH session you typed the command in, so check the policies before flushing. And iptables-restore replaces the contents of each table in the file rather than appending (use --noflush to append), so a dump that was truncated or saved without the SSH rule will lock you out the moment it is loaded.
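A check worth running before iptables-restore on a remote host, added here as an example (it is not part of the original notes). It refuses a dump that is truncated, lacks the *filter table, no longer allows the port you administer the machine over, or places a catch-all REJECT/DROP ahead of that allow, and only then hands the file to iptables-restore. SSH_PORT, the function names and the embedded copy of /tmp/ipt.txt are my own assumptions.

```shell
#!/bin/bash
# Added example: sanity-check an iptables-save dump before handing it to iptables-restore.
# Assumption (not from the page): the admin reaches the box over tcp/22, so a dump that does
# not allow that port on INPUT, or that puts a catch-all REJECT/DROP ahead of it, is refused.
set -u

SSH_PORT="${SSH_PORT:-22}"

# Return 0 if FILE is a complete filter-table dump that still lets SSH in; print why otherwise.
check_ruleset() {
    file="$1"
    [ -s "$file" ] || { echo "empty or missing dump: $file"; return 1; }
    grep -q '^\*filter$' "$file" || { echo "no *filter table in $file"; return 1; }
    grep -q '^COMMIT$' "$file"   || { echo "no COMMIT line (truncated dump?) in $file"; return 1; }
    ssh_line=$(grep -n -- "^-A INPUT .*--dport ${SSH_PORT} -j ACCEPT" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] || { echo "no ACCEPT for tcp/${SSH_PORT} on INPUT"; return 1; }
    # iptables evaluates top to bottom: a catch-all deny before the SSH rule would lock us out.
    deny_line=$(grep -n -E -- '^-A INPUT -j (REJECT|DROP)' "$file" | head -n 1 | cut -d: -f1)
    if [ -n "$deny_line" ] && [ "$deny_line" -lt "$ssh_line" ]; then
        echo "catch-all deny on INPUT (line $deny_line) comes before the SSH allow (line $ssh_line)"
        return 1
    fi
    return 0
}

# Restore FILE only if the check passes. iptables-restore replaces the table contents
# (--noflush would append instead); --test parses the file without committing it.
restore_ruleset() {
    file="$1"
    check_ruleset "$file" || return 1
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not available here; nothing applied"
        return 0
    fi
    iptables-restore --test < "$file" && iptables-restore < "$file"
}

# Constructed copy of the page's /tmp/ipt.txt, used for the self-test.
write_sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.21 on Wed Apr 17 19:56:24 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [192:17603]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage: ./check_ipt.sh /tmp/ipt.txt   (check only; call restore_ruleset to apply)
if [ $# -gt 0 ]; then
    check_ruleset "$1" && echo "ruleset OK: $1"
fi
```

The check is deliberately textual: it does not need iptables installed, so it can run in CI against the backup file before the file is ever copied to the firewall.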
10.20 firewalld's nine zones

Disable iptables and enable firewalld (both manage the same kernel tables and must not run side by side):

[root@arslinux-01 ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@arslinux-01 ~]# systemctl stop iptables
[root@arslinux-01 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@arslinux-01 ~]# systemctl start firewalld

firewalld is a front end: it still programs iptables rules underneath, which is why iptables -nvL now shows a whole tree of chains (INPUT_ZONES, IN_public, IN_public_allow and so on). The only thing actually opened for new incoming connections is tcp/22, in IN_public_allow:

[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1528 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    92 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 13 packets, 1180 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13  1180 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  ens37  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      ens37   0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 IN_public  all  --  ens37  *       0.0.0.0/0            0.0.0.0/0           [goto]
    1    92 IN_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (3 references)
 pkts bytes target     prot opt in     out     source               destination
    1    92 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

firewalld ships with nine zones:
block, dmz, drop, external, home, internal, public, trusted, work
The default zone is public.
A zone is a named rule set; each one comes with some rules of its own.

firewall-cmd --get-zones           list all zones
[root@arslinux-01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

firewall-cmd --get-default-zone    show the default zone
[root@arslinux-01 ~]# firewall-cmd --get-default-zone
public

What the nine zones mean, from the zone definitions under /usr/lib/firewalld/zones, most restrictive first:
drop      every incoming packet is dropped without a reply; only outgoing connections are possible
block     incoming connections are rejected with icmp-host-prohibited (icmp6-adm-prohibited for IPv6); only connections started from this host are allowed
public    for public areas; other machines on the network are not trusted, only selected incoming connections (ssh and dhcpv6-client by default) are accepted
external  for routers with masquerading enabled; other machines on the network are not trusted, only selected incoming connections are accepted
dmz       for hosts in a demilitarised zone that are publicly reachable with limited access to the internal network; only selected incoming connections are accepted
work      for work areas; other machines are mostly trusted, only selected incoming connections are accepted
home      for home areas; other machines are mostly trusted, only selected incoming connections are accepted
internal  for internal networks; other machines are mostly trusted, only selected incoming connections are accepted
trusted   all network connections are accepted
10.21 Zone operations in firewalld

firewall-cmd --set-default-zone=NAME             set the default zone
[root@arslinux-01 ~]# firewall-cmd --get-default-zone
public
[root@arslinux-01 ~]# firewall-cmd --set-default-zone=work
success
[root@arslinux-01 ~]# firewall-cmd --get-default-zone
work

firewall-cmd --get-zone-of-interface=IFACE       show the zone an interface belongs to
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone

ens33 and ens37 report work because they have no zone of their own and so follow the default zone, which was just changed from public to work; lo, which NetworkManager does not manage, reports no zone at all.

firewall-cmd --zone=public --add-interface=lo    put an interface into a zone
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@arslinux-01 ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=lo
public

firewall-cmd --zone=dmz --change-interface=lo    move an interface to another zone
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=lo
public
[root@arslinux-01 ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=lo
dmz

firewall-cmd --zone=dmz --remove-interface=lo    remove an interface from a zone
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=lo
dmz
[root@arslinux-01 ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone

The zone can be left out; firewall-cmd then removes the interface from whichever zone it is in:
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=lo
public
[root@arslinux-01 ~]# firewall-cmd --remove-interface=lo
success
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone

ens37 is managed by NetworkManager. For such interfaces firewall-cmd hands the zone over to NetworkManager, which stores it on the connection profile, and removing the interface from a zone puts it back into the default zone (work here) instead of leaving it with no zone:
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@arslinux-01 ~]# firewall-cmd --zone=public --change-interface=ens37
The interface is under control of NetworkManager, setting zone to 'public'.
success
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=ens37
public
[root@arslinux-01 ~]# firewall-cmd --remove-interface=ens37
The interface is under control of NetworkManager, setting zone to default.
success
[root@arslinux-01 ~]# firewall-cmd --get-zone-of-interface=ens37
work

firewall-cmd --get-active-zones                  show which zone every interface is in
[root@arslinux-01 ~]# firewall-cmd --get-active-zones
work
  interfaces: ens33 ens37
public
  interfaces: lo

For interfaces that NetworkManager does not manage, all of the commands above change the runtime configuration only; add --permanent (and follow with firewall-cmd --reload) for an assignment that survives a restart of firewalld. NetworkManager-managed interfaces keep the zone on their connection profile. Before moving the interface you administer the box through, make sure the target zone still allows ssh, otherwise the change cuts your own session off.
10.22 Service operations in firewalld

A service is a sub-unit of a zone: a named set of ports (plus, where needed, a connection-tracking helper) that can be allowed into a zone as one item.

firewall-cmd --get-services                    list every service definition firewalld knows about
[root@arslinux-01 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp open*** ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

firewall-cmd --list-services                   list the services allowed in the default zone
[root@arslinux-01 ~]# firewall-cmd --list-services
ssh dhcpv6-client

firewall-cmd --zone=public --list-services     list the services allowed in a given zone
[root@arslinux-01 ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client

firewall-cmd --zone=public --add-service=http  allow a service in a given zone
[root@arslinux-01 ~]# firewall-cmd --zone=public --add-service=http
success
[root@arslinux-01 ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http

★ The command above changes only the runtime configuration in memory: it takes effect at once but is gone after firewall-cmd --reload or a restart of firewalld. To make it permanent it has to reach the configuration files under /etc/firewalld/zones/.

firewall-cmd --zone=public --add-service=ftp --permanent   allow a service in a zone and write it to the zone's configuration file
[root@arslinux-01 ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@arslinux-01 ~]# ls /etc/firewalld/zones/
public.xml  public.xml.old
[root@arslinux-01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
[root@arslinux-01 ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http

The reverse also holds: --permanent writes the file but does not touch the running rules, which is why ftp is in public.xml yet --list-services still shows http and not ftp. Run firewall-cmd --reload to load the permanent configuration (this also discards the runtime-only http entry), or issue the command both with and without --permanent.

☆ Task: the FTP service listens on the custom port 1121, and ftp must be allowed in the work zone.

1. Copy the ftp template into /etc/firewalld/services/ (a file there overrides the one shipped under /usr/lib/firewalld/services/):
[root@arslinux-01 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

2. Edit ftp.xml and change the port to 1121:
[root@arslinux-01 ~]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>
(the port attribute is the only change; the template had 21)

3. Copy the work zone template into /etc/firewalld/zones/:
[root@arslinux-01 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

4. Edit work.xml and add the line <service name="ftp"/>:
[root@arslinux-01 ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
(the last <service> line is the addition)

5. Reload:
[root@arslinux-01 ~]# firewall-cmd --reload
success

6. Check the services in the work zone:
[root@arslinux-01 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp

Summary: a zone is a rule set with its own iptables rules underneath, and the services in a zone are its whitelist. To open a service, add it to the zone's configuration file. If the service needs non-default ports, adjust the service definition first, then add the service to the zone.

Two caveats. Changing the firewall port does nothing on its own: the FTP daemon must also listen on 1121 (listen_port in vsftpd.conf for vsftpd). And the nf_conntrack_ftp helper only inspects the control ports it was loaded for (21 by default), so passive-mode data connections on a non-standard control port are not tracked unless the helper is told about 1121 as well; check how your firewalld version configures helpers before relying on it.
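The six manual steps above as one script, added here as an example; it is not part of the original notes or of firewalld. It writes the same two XML files the steps produce, but validates the service name, port and protocol first, refuses to reference a service that has no definition, and is idempotent when run twice. FIREWALLD_ETC, the function names and the generated description text are my own; apply_changes only calls firewall-cmd --reload when firewall-cmd is installed, so the file handling can be exercised anywhere by pointing FIREWALLD_ETC at a scratch directory.

```shell
#!/bin/bash
# Added example: build a custom firewalld service definition and reference it from a zone file,
# the way the page does by hand for ftp on tcp/1121. Paths default to /etc/firewalld but can be
# redirected (FIREWALLD_ETC) so the script can be tried without touching the live configuration.
set -u
FIREWALLD_ETC="${FIREWALLD_ETC:-/etc/firewalld}"

# Write $FIREWALLD_ETC/services/NAME.xml for a single PORT/PROTO; reject bad names, ports, protocols.
write_service() {
    name="$1"; port="$2"; proto="${3:-tcp}"
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name"; return 1;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port"; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port"; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto"; return 1;; esac
    mkdir -p "$FIREWALLD_ETC/services"
    cat > "$FIREWALLD_ETC/services/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>Custom service $name on $proto/$port (generated).</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Append <service name="NAME"/> to ZONE's file under $FIREWALLD_ETC/zones. A missing zone file is
# seeded from /usr/lib/firewalld/zones or created minimally. Unknown services are refused.
add_service_to_zone() {
    zone="$1"; name="$2"
    zf="$FIREWALLD_ETC/zones/$zone.xml"
    if [ ! -f "$FIREWALLD_ETC/services/$name.xml" ] && [ ! -f "/usr/lib/firewalld/services/$name.xml" ]; then
        echo "unknown service: $name (no definition in $FIREWALLD_ETC/services or /usr/lib/firewalld/services)"
        return 1
    fi
    mkdir -p "$FIREWALLD_ETC/zones"
    if [ ! -f "$zf" ]; then
        if [ -f "/usr/lib/firewalld/zones/$zone.xml" ]; then
            cp "/usr/lib/firewalld/zones/$zone.xml" "$zf"
        else
            printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <short>%s</short>\n</zone>\n' "$zone" > "$zf"
        fi
    fi
    grep -q "<service name=\"$name\"/>" "$zf" && return 0     # already listed: nothing to do
    # Insert the new line just before </zone>; the temp file stays in the same directory.
    awk -v line="  <service name=\"$name\"/>" '/<\/zone>/ { print line } { print }' "$zf" > "$zf.tmp" \
        && mv "$zf.tmp" "$zf"
}

# Print the service names a zone file allows, one per line.
zone_services() {
    grep -o '<service name="[^"]*"' "$FIREWALLD_ETC/zones/$1.xml" | sed 's/^<service name="//; s/"$//'
}

# Make the permanent configuration the running one (no-op where firewalld is not installed).
apply_changes() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not installed; files written only"; return 0; }
    firewall-cmd --reload
}

# Usage: ./fw-service.sh ZONE NAME PORT    e.g.  ./fw-service.sh work ftp 1121
if [ $# -eq 3 ]; then
    write_service "$2" "$3" && add_service_to_zone "$1" "$2" && apply_changes
fi
```

Run it as FIREWALLD_ETC=/tmp/fwtest ./fw-service.sh work ftp 1121 first and inspect /tmp/fwtest/zones/work.xml; only when the output matches what you expect, run it as root without the override.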
10.23 Scheduled tasks on Linux: cron

The crontab configuration file:

[root@arslinux-01 ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

The system crontab starts by defining a few environment variables (SHELL, PATH, MAILTO).
Format of /etc/crontab: minute  hour  day-of-month  month  day-of-week  user  command
Per-user crontabs edited with crontab -e use the same five time fields but have no user column: the job runs as the crontab's owner.

crontab -e    edit the current user's crontab
[root@arslinux-01 ~]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab

0 3 * * * /bin/bash /usr/local/sbin/123.sh >>/tmp/123.log 2>>/tmp/123.log

(runs /usr/local/sbin/123.sh at 03:00 every day; 2>>/tmp/123.log appends stderr to the same log, which is equivalent to the more usual >>/tmp/123.log 2>&1)

Ranges, steps and lists in the time fields:
days 1 through 10 of every month:               0 3 1-10 * *
days 1 through 10, every second month:          0 3 1-10 */2 *
days 1 through 10, plus Tuesdays and Fridays:   0 3 1-10 * 2,5

All five time fields are required. When both day-of-month and day-of-week are restricted, as in the last line, cron runs the job when either one matches, so that entry fires on every 1st to 10th and on every Tuesday and Friday, not only on Tuesdays and Fridays that fall between the 1st and 10th.

systemctl start crond    start the crond service
[root@arslinux-01 ~]# systemctl start crond

Check that it is running with ps aux | grep crond, or with systemctl status crond (look for "active (running)"):
[root@arslinux-01 ~]# ps aux |grep crond
root       6235  0.0  0.1 126316  1672 ?        Ss   19:05   0:00 /usr/sbin/crond -n
root       8389  0.0  0.0 112724   988 pts/0    S+   22:31   0:00 grep --color=auto crond
[root@arslinux-01 ~]# systemctl status crond
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-04-17 19:05:38 CST; 3h 26min ago
 Main PID: 6235 (crond)
   CGroup: /system.slice/crond.service
           └─6235 /usr/sbin/crond -n

Apr 17 19:05:38 arslinux-01 systemd[1]: Started Command Scheduler.
Apr 17 19:05:38 arslinux-01 crond[6235]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 34% if used.)
Apr 17 19:05:38 arslinux-01 crond[6235]: (CRON) INFO (running with inotify support)
Apr 17 22:30:01 arslinux-01 crond[6235]: (root) RELOAD (/var/spool/cron/root)

If a job is in the crontab but never runs, the usual cause is that the script calls a command by bare name and cron's PATH (/sbin:/bin:/usr/sbin:/usr/bin, not your login shell's) does not contain it.
Two fixes: 1. write the absolute path to the command; 2. add the command's directory to the PATH variable at the top of the crontab.
Recommendation: give every job an append-mode log for both stdout and stderr; otherwise output is mailed to MAIL TO's address or silently lost, and failures go unnoticed.

[root@arslinux-01 ~]# crontab -e
crontab: installing new crontab
1 10 * 2 * /usr/bin/find /tmp/ -type f -mtime +100 |xargs rm -f
[root@arslinux-01 ~]# crontab -l
1 10 * 2 * /usr/bin/find /tmp/ -type f -mtime +100 |xargs rm -f

(at 10:01 on every day in February, delete files under /tmp untouched for more than 100 days. Plain xargs splits its input on whitespace, so a file name containing a space or newline is passed as several arguments; find ... -print0 | xargs -0 rm -f, or find ... -delete, avoids that.)
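A linter for crontab lines, added here as an example (it is not part of the original notes or of cron) that catches the two causes of silent failure just discussed plus out-of-range or missing time fields. It handles numeric fields with *, lists, ranges and /steps; month and weekday names such as feb or mon, and @reboot-style entries, are deliberately outside its scope. The function names are my own, and the crontab text fed to it in the self-test is constructed.

```shell
#!/bin/bash
# Added example: lint crontab entries for the pitfalls the page calls out (a bare command name that
# depends on cron's PATH, and no log redirection) plus bad time fields. Pure text checks, so it runs
# on any "crontab -l" dump. Names like jan/mon are not supported (my simplification).
set -u

# Validate one time field against its allowed range; accepts *, lists (a,b), ranges (a-b) and /step.
field_ok() {
    f="$1"; lo="$2"; hi="$3"
    [ -n "$f" ] || return 1
    oldifs="$IFS"; IFS=','; set -f; set -- $f; set +f; IFS="$oldifs"
    for part in "$@"; do
        base="${part%%/*}"; step="${part#*/}"       # "*/2" -> base "*", step "2"
        [ "$part" = "$base" ] && step=1              # no "/": step defaults to 1
        case "$step" in ''|*[!0-9]*|0) return 1;; esac
        [ "$base" = "*" ] && continue
        a="${base%%-*}"; b="${base#*-}"              # "1-10" -> 1 and 10; "5" -> 5 and 5
        case "$a$b" in ''|*[!0-9]*) return 1;; esac
        [ "$a" -ge "$lo" ] && [ "$b" -le "$hi" ] && [ "$a" -le "$b" ] || return 1
    done
    return 0
}

# Lint one user-crontab line (five time fields + command). Prints each finding; the return value is
# the number of problems, so 0 means clean.
lint_cron_line() {
    line="$1"; problems=0
    set -f; set -- $line; set +f
    [ $# -ge 6 ] || { echo "too few fields (need 5 time fields and a command): $line"; return 1; }
    m="$1"; h="$2"; dom="$3"; mon="$4"; dow="$5"; shift 5; cmd="$*"
    field_ok "$m"   0 59 || { echo "bad minute field: $m";       problems=$((problems+1)); }
    field_ok "$h"   0 23 || { echo "bad hour field: $h";         problems=$((problems+1)); }
    field_ok "$dom" 1 31 || { echo "bad day-of-month field: $dom"; problems=$((problems+1)); }
    field_ok "$mon" 1 12 || { echo "bad month field: $mon";      problems=$((problems+1)); }
    field_ok "$dow" 0 7  || { echo "bad day-of-week field: $dow"; problems=$((problems+1)); }
    case "$cmd" in
        /*) ;;
        *)  echo "command is not an absolute path (cron's PATH may not find it): ${cmd%% *}"
            problems=$((problems+1));;
    esac
    case "$cmd" in
        *'>'*) ;;
        *)     echo "no output redirection (stdout/stderr will be mailed or lost): $cmd"
               problems=$((problems+1));;
    esac
    return $problems
}

# Lint every job line of a crontab read from FILE (or stdin); blank lines, comments, VAR=value
# assignments and @reboot-style lines are skipped. Returns the number of lines with problems.
lint_crontab() {
    bad=0
    while IFS= read -r l; do
        case "$l" in ''|'#'*|'@'*|[A-Za-z_]*=*) continue;; esac
        lint_cron_line "$l" || bad=$((bad+1))
    done < "${1:-/dev/stdin}"
    return $bad
}

# Usage: crontab -l | ./cronlint.sh      or      ./cronlint.sh /var/spool/cron/root
if [ $# -gt 0 ]; then
    lint_crontab "$1"
fi
```

Because the exit status is the number of offending lines, the same script works as a pre-commit hook for crontabs kept in version control.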
Per-user crontabs are stored in /var/spool/cron/ in a file named after the user. Backing up that file backs up the schedule, and copying it back (or feeding it to crontab FILE) restores it.

crontab -r      delete the current user's crontab; there is no confirmation prompt, and -r sits next to -e on the keyboard
[root@arslinux-01 ~]# crontab -r
[root@arslinux-01 ~]# crontab -r
no crontab for root

crontab -u USER -l   show another user's crontab (-u USER -e edits it)
[root@arslinux-01 ~]# crontab -u root -l
no crontab for root
10.24 The chkconfig tool

chkconfig --list    list all SysV services and their per-runlevel settings
[root@arslinux-01 ~]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

/etc/init.d/    where the SysV service scripts live
[root@arslinux-01 ~]# ls /etc/init.d/
functions  netconsole  network  README

chkconfig NAME off    disable a service (in runlevels 2, 3, 4 and 5 when no --level is given)
[root@arslinux-01 ~]# chkconfig network off
[root@arslinux-01 ~]# chkconfig --list
(the SysV note is printed every time; it is omitted from here on)
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:off   3:off   4:off   5:off   6:off

chkconfig NAME on     enable a service
[root@arslinux-01 ~]# chkconfig network on
[root@arslinux-01 ~]# chkconfig --list
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

· Changing the runlevel used to mean editing /etc/inittab; from CentOS 7 on that file is ignored and systemd targets take its place (see 10.27).

chkconfig --level N NAME on/off    enable or disable a service in one runlevel only
[root@arslinux-01 ~]# chkconfig --level 3 network off
[root@arslinux-01 ~]# chkconfig --list
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:off   4:on    5:on    6:off
[root@arslinux-01 ~]# chkconfig --level 3 network on
[root@arslinux-01 ~]# chkconfig --list
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

--level may come before or after the service name; there is no difference.

chkconfig --level NNN NAME on/off   act on several runlevels at once (digits run together, no commas)
[root@arslinux-01 ~]# chkconfig --level 345 network off
[root@arslinux-01 ~]# chkconfig --list
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:off   4:off   5:off   6:off

Runlevels 0 (halt) and 6 (reboot) are not places to start a service in; chkconfig's plain on/off therefore touches only 2, 3, 4 and 5.

chkconfig --add NAME    register a custom service
[root@arslinux-01 ~]# ls /etc/init.d/
functions  netconsole  network  README
[root@arslinux-01 ~]# cp /etc/init.d/network /etc/init.d/123
[root@arslinux-01 ~]# ls /etc/init.d/
123  functions  netconsole  network  README
[root@arslinux-01 ~]# chkconfig --list
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@arslinux-01 ~]# chkconfig --add 123
[root@arslinux-01 ~]# chkconfig --list
123             0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

Two requirements: the script must be in /etc/init.d, and its content must follow the init-script format.

chkconfig --del NAME    unregister a custom service
[root@arslinux-01 ~]# chkconfig --del 123
[root@arslinux-01 ~]# chkconfig --list
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

The format requirement is two comment lines near the top of the script, which chkconfig --add reads:
# chkconfig: 2345 10 90
# description: ...
The first gives the runlevels the service is on by default (or - for none) followed by its start and stop priorities (00-99); the second is a one-line description. A script without the chkconfig: line is rejected as not supporting chkconfig. 123 was copied from network, so it inherited network's header, which is why it appeared enabled in runlevels 2 to 5 straight away.
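The same header check in code, added here as an example (it is not from the original notes and is not part of chkconfig). It reads the `# chkconfig:` and `# description:` lines from an init script and validates the runlevel list and priorities the way chkconfig --add expects them; the demo script it writes is constructed, and the function names are my own.

```shell
#!/bin/bash
# Added example: verify that an init script carries the two comment headers chkconfig --add reads
# ("# chkconfig: LEVELS START STOP" and "# description: ...") and report what they declare.
# The sample script written below is constructed for the self-test; it is not a real service.
set -u

# Print "LEVELS START STOP" taken from FILE's "# chkconfig:" header; fail with a reason otherwise.
chkconfig_header() {
    file="$1"
    hdr=$(grep -E '^# *chkconfig:' "$file" | head -n 1)
    [ -n "$hdr" ] || { echo "$file: missing '# chkconfig:' header" >&2; return 1; }
    grep -q -E '^# *description:' "$file" || { echo "$file: missing '# description:' header" >&2; return 1; }
    set -f; set -- $(printf '%s\n' "$hdr" | sed 's/^# *chkconfig: *//'); set +f
    [ $# -eq 3 ] || { echo "$file: expected 'LEVELS START STOP', got: $hdr" >&2; return 1; }
    levels="$1"; start="$2"; stop="$3"
    case "$levels" in
        -) ;;                                  # "-" means no default runlevels (registered but off)
        ''|*[!0-6]*) echo "$file: bad runlevel list: $levels" >&2; return 1;;
    esac
    case "$start$stop" in
        [0-9][0-9][0-9][0-9]) ;;               # two-digit start and stop priorities, 00-99
        *) echo "$file: bad priorities: $start $stop" >&2; return 1;;
    esac
    echo "$levels $start $stop"
}

# Constructed sample: a minimal init script carrying both headers, written to the given path.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
# chkconfig: 2345 10 90
# description: demo service used to show what chkconfig --add looks for
case "$1" in
    start) echo "starting demo" ;;
    stop)  echo "stopping demo" ;;
    *)     echo "Usage: $0 {start|stop}"; exit 2 ;;
esac
EOF
    chmod 755 "$1"
}

# Usage: ./chk-header.sh /etc/init.d/123
if [ $# -gt 0 ]; then
    chkconfig_header "$1"
fi
```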
10.25 Managing services with systemd

systemctl list-units --all --type=service    list every service unit, whatever its state
[root@arslinux-01 ~]# systemctl list-units --all --type=service
UNIT                         LOAD      ACTIVE   SUB     DESCRIPTION
123.service                  loaded    active   exited  LSB: Bring up/down networking
auditd.service               loaded    active   running Security Auditing Service
chronyd.service              loaded    active   running NTP client/server
cpupower.service             loaded    inactive dead    Configure CPU power related settings
crond.service                loaded    active   running Command Scheduler
dbus.service                 loaded    active   running D-Bus System Message Bus
● display-manager.service    not-found inactive dead    display-manager.service
dm-event.service             loaded    inactive dead    Device-mapper event daemon
dracut-shutdown.service      loaded    inactive dead    Restore /run/initramfs
ebtables.service             loaded    inactive dead    Ethernet Bridge Filtering tables
emergency.service            loaded    inactive dead    Emergency Shell
● exim.service               not-found inactive dead    exim.service
firewalld.service            loaded    active   running firewalld - dynamic firewall daemon
getty@tty1.service           loaded    active   running Getty on tty1
ip6tables.service            loaded    inactive dead    IPv6 firewall with ip6tables
● ipset.service              not-found inactive dead    ipset.service
iptables.service             loaded    inactive dead    IPv4 firewall with iptables
irqbalance.service           loaded    inactive dead    irqbalance daemon
● kdump.service              loaded    failed   failed  Crash recovery kernel arming
kmod-static-nodes.service    loaded    active   exited  Create list of required static device nod
● lvm2-activation.service    not-found inactive dead    lvm2-activation.service
lvm2-lvmetad.service         loaded    active   running LVM2 metadata daemon
lvm2-lvmpolld.service        loaded    inactive dead    LVM2 poll daemon
lvm2-monitor.service         loaded    active   exited  Monitoring of LVM2 mirrors, snapshots etc
lvm2-pvscan@8:17.service     loaded    active   exited  LVM2 PV scan on device 8:17
lvm2-pvscan@8:18.service     loaded    active   exited  LVM2 PV scan on device 8:18
(the rest of the output is not shown)

systemctl list-units --type=service          list the service units that are active
[root@arslinux-01 ~]# systemctl list-units --type=service
UNIT                                 LOAD   ACTIVE SUB     DESCRIPTION
123.service                          loaded active exited  LSB: Bring up/down networking
auditd.service                       loaded active running Security Auditing Service
chronyd.service                      loaded active running NTP client/server
crond.service                        loaded active running Command Scheduler
dbus.service                         loaded active running D-Bus System Message Bus
firewalld.service                    loaded active running firewalld - dynamic firewall daemon
getty@tty1.service                   loaded active running Getty on tty1
● kdump.service                      loaded failed failed  Crash recovery kernel arming
kmod-static-nodes.service            loaded active exited  Create list of required static device nodes for the cur
lvm2-lvmetad.service                 loaded active running LVM2 metadata daemon
lvm2-monitor.service                 loaded active exited  Monitoring of LVM2 mirrors, snapshots etc. using dmeven
lvm2-pvscan@8:17.service             loaded active exited  LVM2 PV scan on device 8:17
lvm2-pvscan@8:18.service             loaded active exited  LVM2 PV scan on device 8:18
lvm2-pvscan@8:19.service             loaded active exited  LVM2 PV scan on device 8:19
network.service                      loaded active exited  LSB: Bring up/down networking
NetworkManager-wait-online.service   loaded active exited  Network Manager Wait Online
NetworkManager.service               loaded active running Network Manager
polkit.service                       loaded active running Authorization Manager
postfix.service                      loaded active running Postfix Mail Transport Agent
rhel-dmesg.service                   loaded active exited  Dump dmesg to /var/log/dmesg
rhel-domainname.service              loaded active exited  Read and set NIS domainname from /etc/sysconfig/network
rhel-import-state.service            loaded active exited  Import network configuration from initramfs
rhel-readonly.service                loaded active exited  Configure read-only root support
rsyslog.service                      loaded active running System Logging Service
sshd.service                         loaded active running OpenSSH server daemon
sysstat.service                      loaded active exited  Resets System Activity Logs
(the rest of the output is not shown)

systemctl enable NAME     start the service at boot
systemctl disable NAME    do not start the service at boot
systemctl status NAME     show the service's state and its most recent log lines
[root@arslinux-01 ~]# systemctl enable crond
[root@arslinux-01 ~]# systemctl status crond
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-04-18 18:51:26 CST; 27min ago
 Main PID: 6132 (crond)
   CGroup: /system.slice/crond.service
           └─6132 /usr/sbin/crond -n

Apr 18 18:51:26 arslinux-01 systemd[1]: Started Command Scheduler.
Apr 18 18:51:26 arslinux-01 crond[6132]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 54% if used.)
Apr 18 18:51:26 arslinux-01 crond[6132]: (CRON) INFO (running with inotify support)
[root@arslinux-01 ~]# systemctl disable crond.service
Removed symlink /etc/systemd/system/multi-user.target.wants/crond.service.

systemctl stop NAME       stop the service now
systemctl start NAME      start the service now
systemctl restart NAME    restart the service
start, stop and restart act on the running system and are independent of enable and disable, which only decide what happens at boot; the output below shows a disabled unit that is nonetheless running.
[root@arslinux-01 ~]# systemctl stop crond
[root@arslinux-01 ~]# systemctl status crond
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Apr 18 18:51:26 arslinux-01 systemd[1]: Started Command Scheduler.
Apr 18 18:51:26 arslinux-01 crond[6132]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 54% if used.)
Apr 18 18:51:26 arslinux-01 crond[6132]: (CRON) INFO (running with inotify support)
Apr 18 19:22:38 arslinux-01 systemd[1]: Stopping Command Scheduler...
Apr 18 19:22:38 arslinux-01 systemd[1]: Stopped Command Scheduler.
[root@arslinux-01 ~]# systemctl start crond
[root@arslinux-01 ~]# systemctl status crond
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-04-18 19:23:03 CST; 2s ago
 Main PID: 7852 (crond)
   CGroup: /system.slice/crond.service
           └─7852 /usr/sbin/crond -n

Apr 18 19:23:03 arslinux-01 systemd[1]: Started Command Scheduler.
Apr 18 19:23:03 arslinux-01 crond[7852]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 95% if used.)
Apr 18 19:23:03 arslinux-01 crond[7852]: (CRON) INFO (running with inotify support)
Apr 18 19:23:03 arslinux-01 crond[7852]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
[root@arslinux-01 ~]# systemctl restart crond

systemctl is-enabled NAME    report whether the service starts at boot
[root@arslinux-01 ~]# systemctl is-enabled crond
disabled
[root@arslinux-01 ~]# systemctl enable crond
Created symlink from /etc/systemd/system/multi-user.target.wants/crond.service to /usr/lib/systemd/system/crond.service.
[root@arslinux-01 ~]# systemctl is-enabled crond
enabled

The unit file, read through the symlink that enable created at /etc/systemd/system/multi-user.target.wants/crond.service:
[root@arslinux-01 ~]# cat /etc/systemd/system/multi-user.target.wants/crond.service
[Unit]
Description=Command Scheduler
After=auditd.service systemd-user-sessions.service time-sync.target

[Service]
EnvironmentFile=/etc/sysconfig/crond
ExecStart=/usr/sbin/crond -n $CRONDARGS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process

[Install]
WantedBy=multi-user.target

The real file is /usr/lib/systemd/system/crond.service. enable creates a symlink to it inside the .wants directory of the target named in WantedBy=, and disable removes that symlink again; the "Created symlink" and "Removed symlink" messages above show exactly that.
10.26 unit介紹
系統所有 unit,都在 /usr/lib/systemd/system 中
分爲以下類型:
service 系統服務
target 多個unit組成的組
device 硬件設備
mount 文件系統掛載點
automount 自動掛載點
path 文件或路徑
scope 不是由systemd啓動的外部進程
slice 進程組
snapshot systemd 快照
socket 進程間通信套接字
swap swap文件
timer 定時器
unit 相關命令
systemctl list-units 列出正在運行的 unit
[root@arslinux-01 ~]# systemctl list-units UNIT LOAD ACTIVE SUB DESCRIPTION proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Executable File Formats File Syste sys-devices-pci0000:00-0000:00:07.1-ata2-host2-target2:0:0-2:0:0:0-block-sr0.device loaded active plugged VMwa sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged VMwa sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged VMwa sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-sda3.device loaded active plugged VMwa sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda.device loaded active plugged VMware_Vi sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:1-0:0:1:0-block-sdb-sdb1.device loaded active plugged LVM sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:1-0:0:1:0-block-sdb-sdb2.device loaded active plugged LVM sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:1-0:0:1:0-block-sdb-sdb3.device loaded active plugged LVM sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:1-0:0:1:0-block-sdb.device loaded active plugged VMware_Vi sys-devices-pci0000:00-0000:00:11.0-0000:02:01.0-net-ens33.device loaded active plugged 82545EM Gigabit Ethern sys-devices-pci0000:00-0000:00:11.0-0000:02:02.0-sound-card0.device loaded active plugged ES1371/ES1373 / Crea sys-devices-pci0000:00-0000:00:11.0-0000:02:05.0-net-ens37.device loaded active plugged 82545EM Gigabit Ethern sys-devices-platform-serial8250-tty-ttyS1.device loaded active plugged /sys/devices/platform/serial8250/tty/tt sys-devices-platform-serial8250-tty-ttyS2.device loaded active plugged /sys/devices/platform/serial8250/tty/tt sys-devices-platform-serial8250-tty-ttyS3.device loaded active plugged /sys/devices/platform/serial8250/tty/tt sys-devices-pnp0-00:05-tty-ttyS0.device loaded active plugged /sys/devices/pnp0/00:05/tty/ttyS0 sys-devices-virtual-block-dm\x2d0.device loaded active plugged 
/sys/devices/virtual/block/dm-0 sys-module-configfs.device loaded active plugged /sys/module/configfs sys-subsystem-net-devices-ens33.device loaded active plugged 82545EM Gigabit Ethernet Controller (Copper) sys-subsystem-net-devices-ens37.device loaded active plugged 82545EM Gigabit Ethernet Controller (Copper) -.mount loaded active mounted / boot.mount loaded active mounted /boot dev-hugepages.mount loaded active mounted Huge Pages File System dev-mqueue.mount loaded active mounted POSIX Message Queue File System run-user-0.mount loaded active mounted /run/user/0 lines 1-27
systemctl list units --all 列出所有的 unit
[root@arslinux-01 ~]# systemctl list-units --all
不僅包括正在運行的,還包括失敗的或者 inactive 的
systemctl list-units --all --state=inactive 列出 inactive 的 unit
[root@arslinux-01 ~]# systemctl list-units --all --state=inactive UNIT LOAD ACTIVE SUB DESCRIPTION UNIT LOAD ACTIVE SUB DESCRIPTION proc-sys-fs-binfmt_misc.mount loaded inactive dead Arbitrary Executable File Formats File Sys sys-fs-fuse-connections.mount loaded inactive dead FUSE Control File System tmp.mount loaded inactive dead Temporary Directory systemd-ask-password-console.path loaded inactive dead Dispatch Password Requests to Console Dire cpupower.service loaded inactive dead Configure CPU power related settings ● display-manager.service not-found inactive dead display-manager.service dm-event.service loaded inactive dead Device-mapper event daemon dracut-shutdown.service loaded inactive dead Restore /run/initramfs ebtables.service loaded inactive dead Ethernet Bridge Filtering tables emergency.service loaded inactive dead Emergency Shell ● exim.service not-found inactive dead exim.service ip6tables.service loaded inactive dead IPv6 firewall with ip6tables ● ipset.service not-found inactive dead ipset.service iptables.service loaded inactive dead IPv4 firewall with iptables irqbalance.service loaded inactive dead irqbalance daemon ● lvm2-activation.service not-found inactive dead lvm2-activation.service lvm2-lvmpolld.service loaded inactive dead LVM2 poll daemon microcode.service loaded inactive dead Load CPU microcode update ● ntpd.service not-found inactive dead ntpd.service ● ntpdate.service not-found inactive dead ntpdate.service plymouth-quit-wait.service loaded inactive dead Wait for Plymouth Boot Screen to Quit plymouth-quit.service loaded inactive dead Terminate Plymouth Boot Screen plymouth-read-write.service loaded inactive dead Tell Plymouth To Write Out Runtime Data plymouth-start.service loaded inactive dead Show Plymouth Boot Screen rc-local.service loaded inactive dead /etc/rc.d/rc.local Compatibility rescue.service loaded inactive dead Rescue Shell lines 1-27
systemctl list-units --type=service 列出狀態爲 active 的 service
[root@arslinux-01 ~]# systemctl list-units --type=service UNIT LOAD ACTIVE SUB DESCRIPTION 123.service loaded active exited LSB: Bring up/down networking auditd.service loaded active running Security Auditing Service chronyd.service loaded active running NTP client/server crond.service loaded active running Command Scheduler dbus.service loaded active running D-Bus System Message Bus firewalld.service loaded active running firewalld - dynamic firewall daemon [email protected] loaded active running Getty on tty1 ● kdump.service loaded failed failed Crash recovery kernel arming kmod-static-nodes.service loaded active exited Create list of required static device nodes for the cur lvm2-lvmetad.service loaded active running LVM2 metadata daemon lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapshots etc. using dmeven lvm2-pvscan@8:17.service loaded active exited LVM2 PV scan on device 8:17 lvm2-pvscan@8:18.service loaded active exited LVM2 PV scan on device 8:18 lvm2-pvscan@8:19.service loaded active exited LVM2 PV scan on device 8:19 network.service loaded active exited LSB: Bring up/down networking NetworkManager-wait-online.service loaded active exited Network Manager Wait Online NetworkManager.service loaded active running Network Manager polkit.service loaded active running Authorization Manager postfix.service loaded active running Postfix Mail Transport Agent rhel-dmesg.service loaded active exited Dump dmesg to /var/log/dmesg rhel-domainname.service loaded active exited Read and set NIS domainname from /etc/sysconfig/network rhel-import-state.service loaded active exited Import network configuration from initramfs rhel-readonly.service loaded active exited Configure read-only root support rsyslog.service loaded active running System Logging Service sshd.service loaded active running OpenSSH server daemon sysstat.service loaded active exited Resets System Activity Logs lines 1-27
systemctl is-active <service> checks whether a given service is currently active (exit status 0 when it is, so it is usable in scripts):
[root@arslinux-01 ~]# systemctl is-active crond
active
Similarly, systemctl is-enabled crond.service reports whether the unit is enabled to start at boot (enabled/disabled/static). The two are independent: a service can be running now yet not enabled, or enabled yet stopped.
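The checks above can be combined into a small baseline audit. The following is an added example (not from the original notes) that parses the same columns list-units prints, reports failed units and any required service that is not active, and includes a live wrapper for a systemd host. The REQUIRED_SERVICES list and the SAMPLE_UNITS table are assumptions constructed for the example, modelled on the output shown above.

```shell
# Added example, not from the original notes: audit service state from the
# columns that `systemctl list-units --type=service --all --plain --no-legend`
# prints (UNIT LOAD ACTIVE SUB DESCRIPTION). --plain drops the leading "●"
# that list-units puts before failed/not-found units, which would otherwise
# shift every column by one; --no-legend drops the header and footer.

# Assumed baseline of services that must be active on this host; adjust as needed.
REQUIRED_SERVICES="auditd.service firewalld.service rsyslog.service sshd.service"

# Constructed sample modelled on the list-units output shown above, so the
# example also runs on a machine without systemd.
SAMPLE_UNITS='auditd.service loaded active running Security Auditing Service
crond.service loaded active running Command Scheduler
firewalld.service loaded active running firewalld - dynamic firewall daemon
iptables.service loaded inactive dead IPv4 firewall with iptables
kdump.service loaded failed failed Crash recovery kernel arming
rsyslog.service loaded active running System Logging Service
sshd.service loaded active running OpenSSH server daemon'

# Units whose ACTIVE column is "failed", one per line. Reads the table on stdin.
failed_units() {
    awk '$3 == "failed" { print $1 }'
}

# Required services (space-separated list in $1) that are not listed as
# active, sorted. Reads the table on stdin.
missing_required() {
    awk -v req="$1" '
        BEGIN { n = split(req, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        ($1 in want) && $3 == "active" { delete want[$1] }
        END { for (u in want) print u }' | sort
}

# Live variant: run both checks against the running system (needs systemd).
audit_live() {
    units=$(systemctl list-units --type=service --all --plain --no-legend)
    printf '%s\n' "$units" | failed_units | sed 's/^/FAILED: /'
    printf '%s\n' "$units" | missing_required "$REQUIRED_SERVICES" | sed 's/^/MISSING: /'
}

# Offline run on the constructed sample:
printf '%s\n' "$SAMPLE_UNITS" | failed_units | sed 's/^/FAILED: /'
printf '%s\n' "$SAMPLE_UNITS" | missing_required "$REQUIRED_SERVICES" | sed 's/^/MISSING: /'
```

On the sample this reports kdump.service as failed and nothing missing; on a live host, call audit_live from cron or a configuration check and treat any MISSING line for auditd, firewalld or sshd as a finding.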
10.27 Introduction to targets
· For ease of management, the system groups units using targets
systemctl list-unit-files --type=target lists every target on the system
[root@arslinux-01 ~]# systemctl list-unit-files --type=target
UNIT FILE                  STATE
basic.target               static
bluetooth.target           static
cryptsetup-pre.target      static
cryptsetup.target          static
ctrl-alt-del.target        disabled
default.target             enabled
emergency.target           static
final.target               static
getty-pre.target           static
getty.target               static
graphical.target           static
halt.target                disabled
hibernate.target           static
hybrid-sleep.target        static
initrd-fs.target           static
initrd-root-fs.target      static
initrd-switch-root.target  static
initrd.target              static
iprutils.target            disabled
kexec.target               disabled
local-fs-pre.target        static
local-fs.target            static
machines.target            disabled
multi-user.target          enabled
network-online.target      static
network-pre.target         static
systemctl list-dependencies <target> shows which units a given target pulls in
[root@arslinux-01 ~]# systemctl list-dependencies multi-user.target
multi-user.target
● ├─123.service
● ├─auditd.service
● ├─chronyd.service
● ├─crond.service
● ├─dbus.service
● ├─firewalld.service
● ├─irqbalance.service
● ├─kdump.service
● ├─network.service
● ├─NetworkManager.service
● ├─plymouth-quit-wait.service
● ├─plymouth-quit.service
● ├─postfix.service
● ├─rhel-configure.service
● ├─rsyslog.service
● ├─sshd.service
● ├─sysstat.service
● ├─systemd-ask-password-wall.path
● ├─systemd-logind.service
● ├─systemd-readahead-collect.service
● ├─systemd-readahead-replay.service
● ├─systemd-update-utmp-runlevel.service
● ├─systemd-user-sessions.service
● ├─tuned.service
● ├─vmtoolsd.service
● ├─basic.target
A target may itself contain further targets (basic.target appears at the end of the list above).
systemctl get-default shows the system's default target
[root@arslinux-01 ~]# systemctl get-default
multi-user.target
systemctl set-default <target> sets the default target (implemented as the default.target symlink shown below)
[root@arslinux-01 ~]# systemctl set-default multi-user.target
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
· A service is one type of unit
· Multiple units make up a target
· A target therefore contains multiple services
To see which target a service belongs to, look at the [Install] section of its unit file:
[root@arslinux-01 ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
So sshd.service belongs to multi-user.target: WantedBy=multi-user.target means that when the unit is enabled, it is started whenever that target is started.
The system is made up of many units of different kinds; for ease of management they are grouped into a number of classes, and each such class is a target.
In short: a target is made up of multiple units, a service is one type of unit, and one target contains multiple services.
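The [Install] lookup above can be automated, and its counterpart on disk checked. The following is an added example (not from the original notes): it parses the targets a unit file attaches to from its [Install] section, and lists what is actually enabled under a target on a live host. It assumes the CentOS 7 path layout seen in the set-default output above (/etc/systemd/system/<target>.wants/); SAMPLE_UNIT is a constructed, abbreviated copy of the sshd.service file shown above.

```shell
# Added example, not from the original notes: find the target(s) a unit file
# attaches to by parsing its [Install] section, and list what is actually
# enabled under a target on a live system. "systemctl enable" implements
# WantedBy=multi-user.target by creating a symlink in
# /etc/systemd/system/multi-user.target.wants/, which is why that directory
# is worth reviewing: a unit dropped there starts at every boot.

# Constructed sample: the sshd.service unit shown above, abbreviated.
SAMPLE_UNIT='[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=notify
ExecStart=/usr/sbin/sshd -D $OPTIONS

[Install]
WantedBy=multi-user.target'

# Print the targets named by WantedBy= / RequiredBy= within [Install] only,
# one per line (a key of the same name in another section is ignored;
# a key may list several targets separated by spaces). Reads stdin.
install_targets() {
    awk '
        /^\[/ { in_install = ($0 == "[Install]"); next }
        in_install && /^(WantedBy|RequiredBy)=/ {
            sub(/^[^=]*=/, ""); n = split($0, t, " ")
            for (i = 1; i <= n; i++) print t[i]
        }'
}

# Live check: list the units enabled under a target via its .wants/ symlinks,
# with the unit file each link resolves to (needs systemd; assumed path layout
# is the CentOS 7 one shown in the set-default output above). Dangling links
# are listed too, since they are usually leftovers worth removing.
enabled_under() {
    d="/etc/systemd/system/$1.wants"
    [ -d "$d" ] || return 0
    for f in "$d"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        printf '%s -> %s\n' "${f##*/}" "$(readlink "$f")"
    done
}

# Offline run on the sample:
printf '%s\n' "$SAMPLE_UNIT" | install_targets
```

Run enabled_under multi-user.target on a real host and compare the list with what the package manager installed: a unit whose symlink resolves to a file outside /usr/lib/systemd/system (for example under /etc or /root) is a common persistence location and should be explained.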
Further reading
Custom iptables rules with firewalld: https://blog.51cto.com/jevic/1785162
A blog with a series of iptables articles: https://www.zsythink.net/archives/tag/iptables/page/2/
anacron: https://www.jianshu.com/p/3009a9b7d024?from=timeline
Custom startup scripts with systemd: http://www.jb51.net/article/100457.htm
Class notes
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    allow inbound 80/tcp with iptables. -A appends at the end of the chain; in the rule set saved earlier INPUT ends with a REJECT rule, so an appended rule is never reached. Use -I INPUT (insert at the top) or -I INPUT <n> to place it before the REJECT.
firewall-cmd --add-port=80/tcp    opens 80/tcp in the runtime configuration of the default zone only; it is lost on reload or restart
firewall-cmd --permanent --add-port=80/tcp; firewall-cmd --reload    writes the rule to the permanent configuration, then reloads it into the runtime configuration
firewall-cmd --permanent --add-service=http; firewall-cmd --reload    the same, using the predefined http service (80/tcp) instead of a raw port
How to add custom rules with firewall-cmd: