Rocky Linux 9.1 安装配置

查看内核版本

# Show kernel name, release, build string and architecture.
uname -a
# List kernel log lines that mention "Linux" (the boot banner among them).
dmesg | grep Linux

查看主机名称

# Print the current hostname.
hostname
# Show the hostname together with OS and kernel details.
hostnamectl status
# NOTE(review): this powers the machine off immediately and is unrelated to
# reading the hostname; do not paste it along with the two lines above.
shutdown -h now

修改主机名称

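# Three alternative ways to change the hostname; pick one.
# The page glued "#" straight onto the last argument, where the shell does not
# treat it as a comment, so the notes now sit on their own lines.

# 1) Edit the file by hand.
vi /etc/hostname
# 2) Set it with hostnamectl.
hostnamectl set-hostname sys-blog.local
# 3) Use the NetworkManager text UI.
nmtui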

添加用户

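# Create the account (and its user group).
useradd username
# Add the account to wheel in addition to its current groups. Without -a,
# -G replaces the whole supplementary group list instead of extending it.
# wheel membership normally carries sudo rights on this distribution family,
# so grant it only to accounts that need administrative access.
usermod -aG wheel username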

dnf常用参数

# Install a package
dnf install <package>
# Remove a package
dnf remove <package>
# Find the package that provides a file, package name or capability
dnf provides <provides>
# Download the source package
dnf download --source <package>

替换源

# Keep a copy of the stock repo definitions before editing them.
cp -r /etc/yum.repos.d/ /etc/yum.repos.d_bak

# Comment out every mirrorlist= line and turn the commented baseurl= into an
# active one that points at the Aliyun mirror over HTTPS. The single quotes
# keep $contentdir literal, so sed matches the text as written in the files;
# -i.bak leaves a .bak copy next to each edited file.
# NOTE(review): this only changes where packages are fetched from. Signature
# checking depends on the gpgcheck/gpgkey lines in the same files, which this
# command does not touch; confirm gpgcheck=1 is still set afterwards.
sed -e 's|^mirrorlist=|#mirrorlist=|g' \
   -e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.aliyun.com/rockylinux|g' \
   -i.bak \
  /etc/yum.repos.d/rocky-*.repo

# Rebuild the metadata cache from the new source.
dnf makecache

安装中文语言包

# List available locales whose name contains "zh".
localectl list-locales |grep zh
# Look for glibc language packs.
dnf list |grep glibc-langpack
# Install the Chinese language pack.
dnf install glibc-langpack-zh

安装semanage

# Show whether SELinux is enabled and in which mode.
sestatus
# Find which package ships semanage, then install it.
dnf provides semanage
dnf install policycoreutils-python-utils
semanage -h
# List the loaded policy modules.
semodule -l
# Label TCP 3576 as an SSH port so a confined sshd may listen on it; 3576 is
# the port used by the sshd_config example in the SSH section of this page.
semanage port -a -t ssh_port_t -p tcp 3576
# Verify the port labelling.
semanage port -l | grep ssh
# List file-context rules that mention mysql.
semanage fcontext -l | grep -i mysql

端口监听

# net-tools provides netstat.
dnf install net-tools
# Listening TCP sockets, numeric, with the owning PID/program. Anything bound
# to 0.0.0.0 or :: listens on every interface; compare the list against the
# firewalld rules to see what is actually exposed.
netstat -lnpt

安装配置SSH

# Check whether OpenSSH is already installed, and install it if not.
rpm -qa |grep openssh
dnf install openssh-server openssh-clients
# Service control reference: these are alternatives, not a sequence to run
# top to bottom (stop/disable would undo start/enable).
systemctl start sshd
systemctl stop sshd
systemctl enable sshd
systemctl disable sshd
systemctl status sshd
# Confirm firewalld is running, allow the ssh service permanently in the
# public zone, then load the permanent rules.
systemctl status firewalld
firewall-cmd --zone=public --permanent --add-service=ssh
firewall-cmd --reload

## Account/password login
vi /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
# NOTE(review): "yes" lets root authenticate with a password over the network,
# which leaves the root account open to password guessing. The commented line
# above (prohibit-password) still allows root with a key only, and the
# key-based section of this page sets PermitRootLogin no; prefer one of those
# and log in as an unprivileged user that escalates with sudo.
PermitRootLogin yes

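## Key-based (passwordless) login
# ssh-keygen and ssh-copy-id are commands, not package names; they ship with
# the OpenSSH packages.
dnf install openssh openssh-clients
# Generate the key type that the next command actually uploads. The page
# created an RSA key (~/.ssh/id_rsa.pub) but then copied id_ed25519.pub.
ssh-keygen -t ed25519 -C "user@example.com"
# NOTE(review): "127.0.0.j" is not a valid address; it is kept as the page's
# stand-in for the server. This also installs the key for root, while the
# config below sets PermitRootLogin no, so copy the key to an account that
# AllowUsers admits instead.
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@127.0.0.j
# Show the active (non-blank, non-comment) settings.
grep -Ev '^$|^[# ]' /etc/ssh/sshd_config
vim /etc/ssh/sshd_config

# ---- sshd_config directives (comments kept on their own lines) ----
Port 3576
# RSAAuthentication belonged to SSH protocol 1 and is a deprecated option in
# current OpenSSH, so it is left commented out.
#RSAAuthentication yes
# Allow public-key authentication.
PubkeyAuthentication yes
# Where each user's public keys are stored.
AuthorizedKeysFile .ssh/authorized_keys
# Disable challenge-response authentication.
# NOTE(review): recent OpenSSH names this KbdInteractiveAuthentication and
# keeps the old spelling as an alias; verify against the installed version.
ChallengeResponseAuthentication no
# Disable password authentication (the default is yes).
PasswordAuthentication no
# Never allow empty passwords.
PermitEmptyPasswords no
# Keep PAM enabled (default yes; the author notes RHEL-family systems do not
# allow changing it).
UsePAM yes
# Refuse direct root logins.
PermitRootLogin no
# NOTE(review): aliyun is listed in both AllowUsers and DenyUsers. sshd
# evaluates DenyUsers first, so aliyun would be refused; keep each account in
# one list only.
AllowUsers   aliyun test@192.168.1.1
DenyUsers   d4rksec aliyun

# Label and open the new port before restarting sshd. If 3576 was already
# labelled earlier, semanage reports it as already defined.
semanage port -a -t ssh_port_t -p tcp 3576
semanage port -l | grep ssh
systemctl status firewalld
firewall-cmd --permanent --zone=public --add-port=3576/tcp
firewall-cmd --reload
# Once logins on 3576 work, the ssh service rule added earlier (port 22) can
# be dropped with: firewall-cmd --permanent --zone=public --remove-service=ssh

# Syntax-check the config first, and keep the current session open until a
# fresh key-based login on port 3576 succeeds: with PasswordAuthentication no,
# a mistake here locks out remote access.
sshd -t
systemctl restart sshd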

安装 Mysql 8

## Default install
dnf install mysql-server
systemctl start mysqld
systemctl status mysqld
systemctl enable mysqld
# Interactive hardening script shipped with MySQL.
mysql_secure_installation
# The next two lines are SQL, to be run inside the mysql client.
# NOTE(review): 'user'@'%' may connect from any host, and "grant all on *.*"
# gives it every privilege on every schema. Together with the firewall rule
# below, whoever learns this password controls the whole server from the
# network. Replace 'password' with a strong secret, narrow '%' to the client
# host or subnet that needs access, and grant only on the application schema.
create user 'user'@'%' identified by 'password';
grant all on *.* to 'user'@'%';
# Opens the MySQL service port to the entire public zone; skip this when the
# database is only used from the same host.
firewall-cmd --permanent --zone=public --add-service=mysql
firewall-cmd --reload

## Custom data directory
mkdir -p /data/mysql/{data,log}
chown -R mysql:mysql /data/mysql
# Register the MySQL data label for the new tree and apply it, so that a
# confined mysqld is allowed to use the directory.
# NOTE(review): /data/mysql/log is created above but gets no label here.
semanage fcontext -a -t mysqld_db_t "/data/mysql/data(/.*)?"
restorecon -RvvF /data/mysql/data
# Check the resulting label.
ls -Zd /data/mysql/data/
# NOTE(review): the page does not show the step that points mysqld at
# /data/mysql/data (datadir in the server config); presumably done
# separately — confirm before starting the service.
systemctl start mysqld
mysql_secure_installation
# If the service fails to start, read its journal.
journalctl -xeu mysqld.service

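## https://dev.mysql.com/doc/refman/8.0/en/selinux-file-context.html
## Data directory context
semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/datadir(/.*)?"
restorecon -Rv /path/to/my/custom/datadir
semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/logdir(/.*)?"
restorecon -Rv /path/to/my/custom/logdir
## Error log
semanage fcontext -a -t mysqld_log_t "/path/to/my/custom/error.log"
restorecon -Rv /path/to/my/custom/error.log
## PID file
semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/pidfile/directory/.*?"
restorecon -Rv /path/to/my/custom/pidfile/directory
## Socket
semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/mysql\.sock"
restorecon -Rv /path/to/my/custom/mysql.sock
## secure_file_priv directory context
# The page had a stray "/" before the group ("mysql-files/(/.*)?"). That
# pattern requires a double slash, so it matches neither the directory itself
# nor the files inside it.
semanage fcontext -a -t mysqld_db_t "/var/lib/mysql-files(/.*)?"
restorecon -Rv /var/lib/mysql-files
## TCP port
# "$>" on the page was the documentation's prompt, not part of the command;
# the commented line below is the sample output that followed it.
semanage port -l | grep mysqld
# mysqld_port_t                 tcp      1186, 3306, 63132-63164
# 3306 is already in the list above; an add like this is only needed when
# mysqld listens on a port that is not yet labelled.
semanage port -a -t mysqld_port_t -p tcp 3306
# NOTE(review): this greps for ssh inside the MySQL section; presumably
# "mysqld" was meant — confirm.
semanage port -l | grep ssh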

percona-xtrabackup

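# Install the Percona repository definition package.
yum install https://repo.percona.com/yum/percona-release-latest.noarch.rpm
# NOTE(review): removing percona-release right after installing it takes the
# repository definition away again; presumably this is an uninstall reference
# rather than the next step — confirm before running.
yum remove percona-release
yum list | grep percona-xtrabackup
dnf install percona-xtrabackup-80

## backup
# The page glued "##" notes and "\" continuations onto the arguments; they are
# separated here so the commands can be pasted as written.
# -p is given without a value, so the password is not placed on the command
# line. The target directories hold a full copy of the database contents;
# keep them readable only by the account that runs the backups.
# Full backup:
xtrabackup -u username -p --backup --target-dir=/home/virgil/backup/
# Incremental backup based on the full one:
xtrabackup -u username -p --backup --target-dir=/home/virgil/backup_inc1 \
  --incremental-basedir=/home/virgil/backup

## restore prepare


## full restore
# Prepare the full backup. The page pointed at /home/virgil/backup1 here, a
# directory no other step creates; the backup and copy-back steps both use
# /home/virgil/backup.
xtrabackup --prepare --target-dir=/home/virgil/backup
# Stop mysqld.
systemctl stop mysqld
# Set the current data directory aside.
mv /data/mysql/data/ /data/mysql/data_bak
# Copy the prepared backup into the data directory.
xtrabackup -u username -p --copy-back --target-dir=/home/virgil/backup

## incremental restore
# Prepare the base backup while keeping it open for further increments.
xtrabackup --prepare --apply-log-only --target-dir=/home/virgil/backup
# Apply the first increment to the base.
xtrabackup --prepare --apply-log-only --target-dir=/home/virgil/backup \
  --incremental-dir=/home/virgil/backup_inc1
# NOTE(review): this line uses /data/backups/... paths that appear nowhere
# else on the page; it looks like the final-increment step (no
# --apply-log-only) taken from upstream documentation — adapt the paths.
xtrabackup --prepare --target-dir=/data/backups/base \
  --incremental-dir=/data/backups/inc2
# Stop mysqld.
systemctl stop mysqld
# Set the current data directory aside.
mv /data/mysql/data/ /data/mysql/data_bak
# Copy the prepared backup into the data directory.
xtrabackup -u username -p --copy-back --target-dir=/home/virgil/backup

## restore ownership and permissions.
# copy-back is run as the invoking user, so hand the files back to mysql and
# re-apply the SELinux label before starting the server.
chown -R mysql:mysql /data/mysql
semanage fcontext -a -t mysqld_db_t "/data/mysql/data(/.*)?"
restorecon -RvvF /data/mysql/data
ls -Zd /data/mysql/data/
systemctl start mysqld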

redis

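dnf provides redis
dnf install redis
systemctl start redis
systemctl enable redis
redis-server --version
redis-cli --version
vim /etc/redis/redis.conf

# ---- redis.conf settings ----
# NOTE(review): with bind commented out Redis listens on every interface, and
# "protected-mode no" switches off the safeguard that refuses remote clients
# when no password is configured. Combined with the firewall rule below, the
# instance is reachable from the whole public zone and the password is the
# only control left. Prefer binding to the one address clients use and
# limiting the allowed source addresses in firewalld.
#bind
protected-mode no
# NOTE(review): verify that daemonize yes is compatible with the packaged
# systemd unit before relying on it.
daemonize yes
# The page shows requirepass with no value, which is incomplete. The value
# below is a placeholder: replace it with a long random secret and keep
# redis.conf readable only by the redis account.
requirepass CHANGE_ME_LONG_RANDOM_SECRET

# Show the active (non-blank, non-comment) settings.
grep -Ev '^$|^[# ]' /etc/redis/redis.conf
systemctl daemon-reload
systemctl restart redis
# Opens 6379/tcp to the entire public zone; skip this when Redis is only used
# from the same host.
firewall-cmd --zone=public --permanent --add-port=6379/tcp
firewall-cmd --reload
# Review what the zone now exposes.
firewall-cmd --list-all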

java npm nodejs

  java 1.8.0 TLS13 TLS12 错误修改参数设置无效(仅centos7)

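# Find and install the OpenJDK builds (17 and 8).
dnf search java | grep openjdk
dnf install java-17-openjdk java-17-openjdk-devel
dnf install java-1.8.0-openjdk java-1.8.0-openjdk-devel
# "java-version" is not a command; the version flag is a separate argument.
java -version
# Pick which installed JDK the "java" command points to.
alternatives --config java
vim /etc/profile
# Line to add to /etc/profile (path is the page's placeholder):
JAVA_HOME="/path/to/java/install"
source /etc/profile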

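## java 8
# "java-version" is not a command; the version flag is a separate argument.
java -version
# Write the Java environment for login shells. The backslashes keep $PATH and
# $JAVA_HOME unexpanded in the here-document, so they are resolved when the
# profile script is sourced rather than when it is written.
cat <<EOF | tee /etc/profile.d/java8.sh
export JAVA_HOME=/usr/lib/jvm/jre-openjdk
export PATH=\$PATH:\$JAVA_HOME/bin
export CLASSPATH=.:\$JAVA_HOME/jre/lib:\$JAVA_HOME/lib:\$JAVA_HOME/lib/tools.jar
EOF
source /etc/profile.d/java8.sh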

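dnf provides npm nodejs
dnf install npm nodejs
# Use the mirror over HTTPS. With plain http:// the package metadata and
# tarballs travel unprotected, so anyone on the network path can alter what
# npm installs.
npm config set registry https://registry.npmmirror.com

# Run a packaged application.
java -jar packages.jar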

nginx

dnf install nginx
# Open HTTP and HTTPS by service name.
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
# Or, in some other cases:
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --reload

# Dedicated web root plus a system account (group www, also in nginx) whose
# shell is /bin/false, so it cannot be used for interactive logins.
mkdir /usr/share/nginx/html/www
groupadd www
adduser -G nginx -g www -d /usr/share/nginx/html/www www --system --shell=/bin/false

# Make the content read-only: directories 555 (r-x), files 444 (r--), so the
# served tree has no write bit set for anyone.
chown -R www:www /usr/share/nginx/html/www
find /usr/share/nginx/html/www -type d -exec chmod 555 "{}" \;
find /usr/share/nginx/html/www -type f -exec chmod 444 "{}" \;
# Persistently (-P) allow the httpd SELinux domain to open outbound network
# connections. This is needed when nginx proxies to a backend; leave the
# boolean off for a static-only site.
setsebool httpd_can_network_connect 1 -P
 

查看内核版本

# Show kernel name, release, build string and architecture.
uname -a
# List kernel log lines that mention "Linux" (the boot banner among them).
dmesg | grep Linux

查看主机名称

# Print the current hostname.
hostname
# Show the hostname together with OS and kernel details.
hostnamectl status
# NOTE(review): this powers the machine off immediately and is unrelated to
# reading the hostname; do not paste it along with the two lines above.
shutdown -h now

修改主机名称

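# Three alternative ways to change the hostname; pick one.
# The page glued "#" straight onto the last argument, where the shell does not
# treat it as a comment, so the notes now sit on their own lines.

# 1) Edit the file by hand.
vi /etc/hostname
# 2) Set it with hostnamectl.
hostnamectl set-hostname sys-blog.local
# 3) Use the NetworkManager text UI.
nmtui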

添加用户

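# Create the account (and its user group).
useradd username
# Add the account to wheel in addition to its current groups. Without -a,
# -G replaces the whole supplementary group list instead of extending it.
# wheel membership normally carries sudo rights on this distribution family,
# so grant it only to accounts that need administrative access.
usermod -aG wheel username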

dnf常用参数

# Install a package
dnf install <package>
# Remove a package
dnf remove <package>
# Find the package that provides a file, package name or capability
dnf provides <provides>
# Download the source package
dnf download --source <package>

替换源

# Keep a copy of the stock repo definitions before editing them.
cp -r /etc/yum.repos.d/ /etc/yum.repos.d_bak

# Comment out every mirrorlist= line and turn the commented baseurl= into an
# active one that points at the Aliyun mirror over HTTPS. The single quotes
# keep $contentdir literal, so sed matches the text as written in the files;
# -i.bak leaves a .bak copy next to each edited file.
# NOTE(review): this only changes where packages are fetched from. Signature
# checking depends on the gpgcheck/gpgkey lines in the same files, which this
# command does not touch; confirm gpgcheck=1 is still set afterwards.
sed -e 's|^mirrorlist=|#mirrorlist=|g' \
   -e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.aliyun.com/rockylinux|g' \
   -i.bak \
  /etc/yum.repos.d/rocky-*.repo

# Rebuild the metadata cache from the new source.
dnf makecache

安装中文语言包

# List available locales whose name contains "zh".
localectl list-locales |grep zh
# Look for glibc language packs.
dnf list |grep glibc-langpack
# Install the Chinese language pack.
dnf install glibc-langpack-zh

安装semanage

# Show whether SELinux is enabled and in which mode.
sestatus
# Find which package ships semanage, then install it.
dnf provides semanage
dnf install policycoreutils-python-utils
semanage -h
# List the loaded policy modules.
semodule -l
# Label TCP 3576 as an SSH port so a confined sshd may listen on it; 3576 is
# the port used by the sshd_config example in the SSH section of this page.
semanage port -a -t ssh_port_t -p tcp 3576
# Verify the port labelling.
semanage port -l | grep ssh
# List file-context rules that mention mysql.
semanage fcontext -l | grep -i mysql

端口监听

# net-tools provides netstat.
dnf install net-tools
# Listening TCP sockets, numeric, with the owning PID/program. Anything bound
# to 0.0.0.0 or :: listens on every interface; compare the list against the
# firewalld rules to see what is actually exposed.
netstat -lnpt

安装配置SSH

# Check whether OpenSSH is already installed, and install it if not.
rpm -qa |grep openssh
dnf install openssh-server openssh-clients
# Service control reference: these are alternatives, not a sequence to run
# top to bottom (stop/disable would undo start/enable).
systemctl start sshd
systemctl stop sshd
systemctl enable sshd
systemctl disable sshd
systemctl status sshd
# Confirm firewalld is running, allow the ssh service permanently in the
# public zone, then load the permanent rules.
systemctl status firewalld
firewall-cmd --zone=public --permanent --add-service=ssh
firewall-cmd --reload

## Account/password login
vi /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
# NOTE(review): "yes" lets root authenticate with a password over the network,
# which leaves the root account open to password guessing. The commented line
# above (prohibit-password) still allows root with a key only, and the
# key-based section of this page sets PermitRootLogin no; prefer one of those
# and log in as an unprivileged user that escalates with sudo.
PermitRootLogin yes

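## Key-based (passwordless) login
# ssh-keygen and ssh-copy-id are commands, not package names; they ship with
# the OpenSSH packages.
dnf install openssh openssh-clients
# Generate the key type that the next command actually uploads. The page
# created an RSA key (~/.ssh/id_rsa.pub) but then copied id_ed25519.pub.
ssh-keygen -t ed25519 -C "user@example.com"
# NOTE(review): "127.0.0.j" is not a valid address; it is kept as the page's
# stand-in for the server. This also installs the key for root, while the
# config below sets PermitRootLogin no, so copy the key to an account that
# AllowUsers admits instead.
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@127.0.0.j
# Show the active (non-blank, non-comment) settings.
grep -Ev '^$|^[# ]' /etc/ssh/sshd_config
vim /etc/ssh/sshd_config

# ---- sshd_config directives (comments kept on their own lines) ----
Port 3576
# RSAAuthentication belonged to SSH protocol 1 and is a deprecated option in
# current OpenSSH, so it is left commented out.
#RSAAuthentication yes
# Allow public-key authentication.
PubkeyAuthentication yes
# Where each user's public keys are stored.
AuthorizedKeysFile .ssh/authorized_keys
# Disable challenge-response authentication.
# NOTE(review): recent OpenSSH names this KbdInteractiveAuthentication and
# keeps the old spelling as an alias; verify against the installed version.
ChallengeResponseAuthentication no
# Disable password authentication (the default is yes).
PasswordAuthentication no
# Never allow empty passwords.
PermitEmptyPasswords no
# Keep PAM enabled (default yes; the author notes RHEL-family systems do not
# allow changing it).
UsePAM yes
# Refuse direct root logins.
PermitRootLogin no
# NOTE(review): aliyun is listed in both AllowUsers and DenyUsers. sshd
# evaluates DenyUsers first, so aliyun would be refused; keep each account in
# one list only.
AllowUsers   aliyun test@192.168.1.1
DenyUsers   d4rksec aliyun

# Label and open the new port before restarting sshd. If 3576 was already
# labelled earlier, semanage reports it as already defined.
semanage port -a -t ssh_port_t -p tcp 3576
semanage port -l | grep ssh
systemctl status firewalld
firewall-cmd --permanent --zone=public --add-port=3576/tcp
firewall-cmd --reload
# Once logins on 3576 work, the ssh service rule added earlier (port 22) can
# be dropped with: firewall-cmd --permanent --zone=public --remove-service=ssh

# Syntax-check the config first, and keep the current session open until a
# fresh key-based login on port 3576 succeeds: with PasswordAuthentication no,
# a mistake here locks out remote access.
sshd -t
systemctl restart sshd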

安装 Mysql 8

## Default install
dnf install mysql-server
systemctl start mysqld
systemctl status mysqld
systemctl enable mysqld
# Interactive hardening script shipped with MySQL.
mysql_secure_installation
# The next two lines are SQL, to be run inside the mysql client.
# NOTE(review): 'user'@'%' may connect from any host, and "grant all on *.*"
# gives it every privilege on every schema. Together with the firewall rule
# below, whoever learns this password controls the whole server from the
# network. Replace 'password' with a strong secret, narrow '%' to the client
# host or subnet that needs access, and grant only on the application schema.
create user 'user'@'%' identified by 'password';
grant all on *.* to 'user'@'%';
# Opens the MySQL service port to the entire public zone; skip this when the
# database is only used from the same host.
firewall-cmd --permanent --zone=public --add-service=mysql
firewall-cmd --reload

## Custom data directory
mkdir -p /data/mysql/{data,log}
chown -R mysql:mysql /data/mysql
# Register the MySQL data label for the new tree and apply it, so that a
# confined mysqld is allowed to use the directory.
# NOTE(review): /data/mysql/log is created above but gets no label here.
semanage fcontext -a -t mysqld_db_t "/data/mysql/data(/.*)?"
restorecon -RvvF /data/mysql/data
# Check the resulting label.
ls -Zd /data/mysql/data/
# NOTE(review): the page does not show the step that points mysqld at
# /data/mysql/data (datadir in the server config); presumably done
# separately — confirm before starting the service.
systemctl start mysqld
mysql_secure_installation
# If the service fails to start, read its journal.
journalctl -xeu mysqld.service

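## https://dev.mysql.com/doc/refman/8.0/en/selinux-file-context.html
## Data directory context
semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/datadir(/.*)?"
restorecon -Rv /path/to/my/custom/datadir
semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/logdir(/.*)?"
restorecon -Rv /path/to/my/custom/logdir
## Error log
semanage fcontext -a -t mysqld_log_t "/path/to/my/custom/error.log"
restorecon -Rv /path/to/my/custom/error.log
## PID file
semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/pidfile/directory/.*?"
restorecon -Rv /path/to/my/custom/pidfile/directory
## Socket
semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/mysql\.sock"
restorecon -Rv /path/to/my/custom/mysql.sock
## secure_file_priv directory context
# The page had a stray "/" before the group ("mysql-files/(/.*)?"). That
# pattern requires a double slash, so it matches neither the directory itself
# nor the files inside it.
semanage fcontext -a -t mysqld_db_t "/var/lib/mysql-files(/.*)?"
restorecon -Rv /var/lib/mysql-files
## TCP port
# "$>" on the page was the documentation's prompt, not part of the command;
# the commented line below is the sample output that followed it.
semanage port -l | grep mysqld
# mysqld_port_t                 tcp      1186, 3306, 63132-63164
# 3306 is already in the list above; an add like this is only needed when
# mysqld listens on a port that is not yet labelled.
semanage port -a -t mysqld_port_t -p tcp 3306
# NOTE(review): this greps for ssh inside the MySQL section; presumably
# "mysqld" was meant — confirm.
semanage port -l | grep ssh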

percona-xtrabackup

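# Install the Percona repository definition package.
yum install https://repo.percona.com/yum/percona-release-latest.noarch.rpm
# NOTE(review): removing percona-release right after installing it takes the
# repository definition away again; presumably this is an uninstall reference
# rather than the next step — confirm before running.
yum remove percona-release
yum list | grep percona-xtrabackup
dnf install percona-xtrabackup-80

## backup
# The page glued "##" notes and "\" continuations onto the arguments; they are
# separated here so the commands can be pasted as written.
# -p is given without a value, so the password is not placed on the command
# line. The target directories hold a full copy of the database contents;
# keep them readable only by the account that runs the backups.
# Full backup:
xtrabackup -u username -p --backup --target-dir=/home/virgil/backup/
# Incremental backup based on the full one:
xtrabackup -u username -p --backup --target-dir=/home/virgil/backup_inc1 \
  --incremental-basedir=/home/virgil/backup

## restore prepare


## full restore
# Prepare the full backup. The page pointed at /home/virgil/backup1 here, a
# directory no other step creates; the backup and copy-back steps both use
# /home/virgil/backup.
xtrabackup --prepare --target-dir=/home/virgil/backup
# Stop mysqld.
systemctl stop mysqld
# Set the current data directory aside.
mv /data/mysql/data/ /data/mysql/data_bak
# Copy the prepared backup into the data directory.
xtrabackup -u username -p --copy-back --target-dir=/home/virgil/backup

## incremental restore
# Prepare the base backup while keeping it open for further increments.
xtrabackup --prepare --apply-log-only --target-dir=/home/virgil/backup
# Apply the first increment to the base.
xtrabackup --prepare --apply-log-only --target-dir=/home/virgil/backup \
  --incremental-dir=/home/virgil/backup_inc1
# NOTE(review): this line uses /data/backups/... paths that appear nowhere
# else on the page; it looks like the final-increment step (no
# --apply-log-only) taken from upstream documentation — adapt the paths.
xtrabackup --prepare --target-dir=/data/backups/base \
  --incremental-dir=/data/backups/inc2
# Stop mysqld.
systemctl stop mysqld
# Set the current data directory aside.
mv /data/mysql/data/ /data/mysql/data_bak
# Copy the prepared backup into the data directory.
xtrabackup -u username -p --copy-back --target-dir=/home/virgil/backup

## restore ownership and permissions.
# copy-back is run as the invoking user, so hand the files back to mysql and
# re-apply the SELinux label before starting the server.
chown -R mysql:mysql /data/mysql
semanage fcontext -a -t mysqld_db_t "/data/mysql/data(/.*)?"
restorecon -RvvF /data/mysql/data
ls -Zd /data/mysql/data/
systemctl start mysqld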

redis

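dnf provides redis
dnf install redis
systemctl start redis
systemctl enable redis
redis-server --version
redis-cli --version
vim /etc/redis/redis.conf

# ---- redis.conf settings ----
# NOTE(review): with bind commented out Redis listens on every interface, and
# "protected-mode no" switches off the safeguard that refuses remote clients
# when no password is configured. Combined with the firewall rule below, the
# instance is reachable from the whole public zone and the password is the
# only control left. Prefer binding to the one address clients use and
# limiting the allowed source addresses in firewalld.
#bind
protected-mode no
# NOTE(review): verify that daemonize yes is compatible with the packaged
# systemd unit before relying on it.
daemonize yes
# The page shows requirepass with no value, which is incomplete. The value
# below is a placeholder: replace it with a long random secret and keep
# redis.conf readable only by the redis account.
requirepass CHANGE_ME_LONG_RANDOM_SECRET

# Show the active (non-blank, non-comment) settings.
grep -Ev '^$|^[# ]' /etc/redis/redis.conf
systemctl daemon-reload
systemctl restart redis
# Opens 6379/tcp to the entire public zone; skip this when Redis is only used
# from the same host.
firewall-cmd --zone=public --permanent --add-port=6379/tcp
firewall-cmd --reload
# Review what the zone now exposes.
firewall-cmd --list-all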

java npm nodejs

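# Find and install the OpenJDK builds (17 and 8).
dnf search java | grep openjdk
dnf install java-17-openjdk java-17-openjdk-devel
dnf install java-1.8.0-openjdk java-1.8.0-openjdk-devel
# "java-version" is not a command; the version flag is a separate argument.
java -version
# Pick which installed JDK the "java" command points to.
alternatives --config java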

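## java 8
# "java-version" is not a command; the version flag is a separate argument.
java -version
# Write the Java environment for login shells. The backslashes keep $PATH and
# $JAVA_HOME unexpanded in the here-document, so they are resolved when the
# profile script is sourced rather than when it is written.
cat <<EOF | tee /etc/profile.d/java8.sh
export JAVA_HOME=/usr/lib/jvm/jre-openjdk
export PATH=\$PATH:\$JAVA_HOME/bin
export CLASSPATH=.:\$JAVA_HOME/jre/lib:\$JAVA_HOME/lib:\$JAVA_HOME/lib/tools.jar
EOF
source /etc/profile.d/java8.sh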

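dnf provides npm nodejs
dnf install npm nodejs
# Use the mirror over HTTPS. With plain http:// the package metadata and
# tarballs travel unprotected, so anyone on the network path can alter what
# npm installs.
npm config set registry https://registry.npmmirror.com

# Run a packaged application.
java -jar packages.jar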

nginx

dnf install nginx
# Open HTTP and HTTPS, by service name and by port number (the two pairs
# cover the same ports, 80 and 443).
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --reload
systemctl start nginx

vim /etc/nginx/nginx.conf

# Dedicated web root plus a system account (group www, also in nginx) whose
# shell is /bin/false, so it cannot be used for interactive logins.
mkdir /usr/share/nginx/html/www
groupadd www
adduser -G nginx -g www -d /usr/share/nginx/html/www www --system --shell=/bin/false

# Make the content read-only: directories 555 (r-x), files 444 (r--), so the
# served tree has no write bit set for anyone.
chown -R www:www /usr/share/nginx/html/www
find /usr/share/nginx/html/www -type d -exec chmod 555 "{}" \;
find /usr/share/nginx/html/www -type f -exec chmod 444 "{}" \;
# Persistently (-P) allow the httpd SELinux domain to open outbound network
# connections. This is needed when nginx proxies to a backend; leave the
# boolean off for a static-only site.
setsebool httpd_can_network_connect 1 -P
 