xud6's Notebook

centos7

A 14 post collection


Enabling DNS caching on CentOS

 •  Filed under centos, centos7

Install nscd

yum install nscd

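If an IPA client (or SSSD) is installed, set the enable-cache lines in /etc/nscd.conf as follows, so that nscd caches only hosts and leaves the other maps to SSSD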

enable-cache hosts yes
enable-cache passwd no
enable-cache group no
enable-cache netgroup no
enable-cache services no

Start the service

systemctl enable nscd
systemctl restart nscd

Verify that caching is active

time getent hosts www.bing.com

In the output

real    0m0.002s
user    0m0.001s
sys     0m0.000s

real is almost equal to user + sys, meaning the lookup spent no time waiting on a DNS query

Enabling periodic TRIM on CentOS 7

 •  Filed under centos, centos7

Enable periodic TRIM

sudo systemctl enable fstrim.timer
sudo systemctl restart fstrim.timer

Manual TRIM

sudo fstrim -a -v

debian8

sudo cp /usr/share/doc/util-linux/examples/fstrim.service /etc/systemd/system
sudo cp /usr/share/doc/util-linux/examples/fstrim.timer /etc/systemd/system

Common SELinux commands

 •  Filed under linux, centos, centos7, selinux

Check whether anything has been blocked by SELinux

sudo cat /var/log/audit/audit.log | grep denied
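
As an added example (not part of the original post), the grep above can be extended to group denials by process, source type, target type, class and permissions, so that repeated denials stand out. The function names and the sample log records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials from an audit log.
# Limitation: a comm="..." value that contains spaces is split by awk.

# Constructed sample records (illustrative values, not from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1580000000.123:101): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1580000000.123:101): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1580000050.321:117): avc:  denied  { name_connect } for  pid=1236 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1580000100.456:140): avc:  denied  { read open } for  pid=1240 comm="httpd" path="/home/u/site/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# summarize_avc [FILE|-]  (default: /var/log/audit/audit.log, needs root)
# Prints "COUNT comm source_type -> target_type class {perms}", most frequent first.
summarize_avc() {
    awk '
    /type=AVC/ && / denied / {
        perms = ""; comm = "?"; src = "?"; tgt = "?"; cls = "?"; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perms = perms (perms == "" ? "" : ",") $i; continue }
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
        }
        count[comm " " src " -> " tgt " " cls " {" perms "}"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "${1:-/var/log/audit/audit.log}" | sort -rn
}

# Run on the constructed sample; prints:
# 2 httpd httpd_t -> http_cache_port_t tcp_socket {name_connect}
# 1 httpd httpd_t -> user_home_t file {read,open}
sample_audit_log | summarize_avc -
```

In the sample, the first row is the reverse-proxy case that httpd_can_network_connect covers, and the second is a file-label problem of the kind the semanage fcontext commands address.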

boolean

View boolean status

sudo sestatus -b

sudo sestatus -b | grep -i sendmail

Set a boolean

sudo setsebool -P {BOOLEAN_NAME} {1|0}

Commonly used booleans

Boolean name                 Meaning
httpd_can_network_connect    Allows httpd to act as a reverse proxy
httpd_can_sendmail           Allows httpd to send mail

semanage

Install semanage

sudo yum install -y policycoreutils-python

Centos 8

sudo yum install -y policycoreutils-python-utils

List the labels available on the system

sudo semanage fcontext -l |grep {SOMETHING}

Set a label on a file

sudo semanage fcontext -a -t httpd_sys_content_t /path/to/file
sudo restorecon -v /path/to/file

Set a label on a directory

sudo semanage fcontext -a -t httpd_sys_content_t "/path/to/dir(/.*)?"
sudo restorecon -R -v /path/to/dir

Removing old kernels on CentOS

 •  Filed under centos7, centos, linux

Centos 7

sudo yum install yum-utils -y && sudo package-cleanup --oldkernels --count=1 -y

Centos 8

sudo dnf remove --oldinstallonly --setopt installonly_limit=1

CentOS 7: Apache with certificates issued by the FreeIPA PKI

 •  Filed under centos, centos7, linux, selinux, freeipa

Install Apache and mod_nss

sudo yum install httpd mod_nss -y

Configure mod_nss

sudo sh -c "echo 'Listen 443' >> /etc/httpd/conf.d/nssconfig.conf"
sudo sh -c "echo 'NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha' >> /etc/httpd/conf.d/nssconfig.conf"
sudo sh -c "echo 'NSSCertificateDatabase /etc/httpd/alias' >> /etc/httpd/conf.d/nssconfig.conf"

Remove the default virtual host from /etc/httpd/conf.d/nss.conf

Request the certificate

ipa-getcert request -d /etc/httpd/alias -n 'alianame' -K HTTP/'hostname' -D 'FQDN.com'

Configure the HTTPS virtual host

<VirtualHost *:443>
    ServerName FQDN

    NSSEngine on
    NSSNickname alianame

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>