Linux Daily Operations Tips (3)
Linux firewall: netfilter
Backing up and restoring iptables rules
service iptables save    ## writes the current rules to /etc/sysconfig/iptables (on CentOS 7 this needs the iptables-services package)
To back up the iptables rules to a file of your own choosing, e.g. my.ipt: iptables-save > my.ipt
[[email protected] ~]# iptables -t nat -A PREROUTING -d 192.168.43.32 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[[email protected] ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.43.32
[[email protected] ~]# iptables-save > /tmp/myipt.txt    ## save the two nat rules above to a custom file
[[email protected] ~]# cat !$    ## inspect the saved rules
cat /tmp/myipt.txt
# Generated by iptables-save v1.4.21 on Tue Jun 12 22:40:22 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.43.32/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.43.32
COMMIT
# Completed on Tue Jun 12 22:40:22 2018
To restore the rules backed up above: iptables-restore < my.ipt. Note that iptables-restore flushes and replaces every table that appears in the file (only *nat here, so the filter table is untouched); add -n if you want to merge the saved rules into the existing ones instead. A backup file is the complete firewall policy, so keep it readable by root only rather than in a world-readable /tmp.
[[email protected] ~]# iptables -nvL    ## the filter table is empty
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[[email protected] ~]# iptables -t nat -F    ## flush the nat table
[[email protected] ~]# iptables -t nat -nvL    ## confirm the nat table is empty
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[[email protected] ~]# iptables-restore < /tmp/myipt.txt    ## restore the rules from the custom backup file
[[email protected] ~]# iptables -t nat -nvL    ## the nat rules are indeed back
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.43.32        tcp dpt:1122 to:192.168.100.100:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.43.32
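The save/restore cycle above is worth wrapping so that backups are not left world-readable in /tmp and a restore is actually checked against what the kernel now holds. The script below is an added example and is not part of the original post. normalize_ruleset() and rulesets_match() strip the parts of iptables-save output that legitimately differ between two dumps of the same rules (the timestamp comments and the [packets:bytes] counters); backup_rules() and restore_and_verify() use them around the real iptables-save/iptables-restore and therefore need root. The sample dumps at the bottom are constructed from the nat rules shown above so the comparison logic can be run without root or iptables; the backup directory /root/iptables-backups is an assumption.

```shell
#!/bin/bash
# Added example (not from the original post): back up, restore and verify an
# iptables ruleset. Only backup_rules and restore_and_verify touch the kernel.

# Remove the two things that differ between dumps of identical rules:
# "# Generated by ..." / "# Completed on ..." comment lines and the
# [packets:bytes] counters after chain policies (or before rules with -c).
normalize_ruleset() {
    sed -e '/^#/d' \
        -e 's/ \[[0-9]*:[0-9]*]$//' \
        -e 's/^\[[0-9]*:[0-9]*] //' "$1"
}

# Return 0 when two dumps describe the same rules, 1 otherwise.
rulesets_match() {
    [ "$(normalize_ruleset "$1")" = "$(normalize_ruleset "$2")" ]
}

# Names of the tables (*filter, *nat, ...) a dump contains, one per line.
tables_in() {
    sed -n 's/^\*//p' "$1"
}

# Dump the live ruleset to a timestamped file readable by root only.
# iptables-save output is the complete policy; do not leave it in /tmp.
backup_rules() {
    dir=${1:-/root/iptables-backups}        # assumed location
    ( umask 077 && mkdir -p "$dir" &&
      iptables-save > "$dir/rules-$(date +%Y%m%d-%H%M%S).ipt" ) || return 1
    ls -1t "$dir"/rules-*.ipt | head -n 1
}

# iptables-restore flushes and replaces every table named in the file
# (use -n to merge instead). Afterwards dump exactly those tables again and
# compare, so a rule the kernel silently rejected does not go unnoticed.
restore_and_verify() {
    backup=$1
    iptables-restore < "$backup" || return 1
    live=$(mktemp) || return 1
    for t in $(tables_in "$backup"); do
        iptables-save -t "$t"
    done > "$live"
    if rulesets_match "$backup" "$live"; then
        rm -f "$live"; echo "restored and verified: $backup"
    else
        echo "live rules differ from $backup (see $live)" >&2; return 1
    fi
}

# --- Constructed sample dumps (modelled on the nat rules in the post) -----
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/saved.ipt" <<'EOF'
# Generated by iptables-save v1.4.21 on Tue Jun 12 22:40:22 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.43.32/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.43.32
COMMIT
# Completed on Tue Jun 12 22:40:22 2018
EOF
# The same rules dumped later: new timestamp, counters have moved.
sed -e 's/22:40:22/23:05:41/' -e 's/OUTPUT ACCEPT \[0:0]/OUTPUT ACCEPT [1:76]/' \
    "$SAMPLE_DIR/saved.ipt" > "$SAMPLE_DIR/later.ipt"
# A dump in which the DNAT target has quietly changed.
sed -e 's/100\.100:22/100.101:22/' "$SAMPLE_DIR/saved.ipt" > "$SAMPLE_DIR/changed.ipt"

if [ "${1:-}" = "--demo" ]; then
    rulesets_match "$SAMPLE_DIR/saved.ipt" "$SAMPLE_DIR/later.ipt"   && echo "later:   same rules"
    rulesets_match "$SAMPLE_DIR/saved.ipt" "$SAMPLE_DIR/changed.ipt" || echo "changed: rules differ"
fi
```

Run the file with --demo to see the comparison on the constructed dumps; on a real host, source it as root and call backup_rules before a change and restore_and_verify FILE to roll back.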
Linux firewall: firewalld
The nine zones of firewalld
To switch to firewalld, first stop and disable the iptables service enabled earlier, then enable and start firewalld. Both are front ends to the kernel's netfilter; they must not manage the same rule tables at the same time.
[[email protected] ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[[email protected] ~]# systemctl stop iptables
[[email protected] ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[[email protected] ~]# systemctl start firewalld
firewalld ships with nine zones. A zone is firewalld's unit of policy: each zone is a set of rules, and every network interface (or source address) is bound to exactly one zone.
[[email protected] network-scripts]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
The default zone is public:
[[email protected] network-scripts]# firewall-cmd --get-default-zone
public
What each zone means:
drop: incoming packets are dropped without any reply; only outgoing connections are possible.
block: incoming connections are rejected with icmp-host-prohibited (IPv4) / icmp6-adm-prohibited (IPv6); only connections initiated from this system are allowed.
public: for untrusted public networks; only selected incoming connections are accepted (ssh and dhcpv6-client by default).
external: for the external interface of a router with masquerading enabled; only selected incoming connections are accepted.
dmz: for hosts in a demilitarized zone that are reachable from outside with limited access; only selected incoming connections are accepted.
work: for work networks where other hosts are mostly trusted; only selected incoming connections are accepted.
home: for home networks where other hosts are mostly trusted; only selected incoming connections are accepted.
internal: for internal networks where other hosts are mostly trusted; only selected incoming connections are accepted.
trusted: all network connections are accepted.
Zone operations in firewalld
1. Change the default zone. Command: firewall-cmd --set-default-zone=work
[[email protected] ~]# firewall-cmd --set-default-zone=work
success
[[email protected] ~]# firewall-cmd --get-default-zone
work
2. Show which zone an interface uses. Command: firewall-cmd --get-zone-of-interface=ens33. An interface reported as "no zone" is not explicitly bound to any zone; traffic on it is handled by the default zone.
[[email protected] ~]# firewall-cmd --get-zone-of-interface=ens33
work
[[email protected] ~]# firewall-cmd --get-zone-of-interface=ens37
work
[[email protected] ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[[email protected] ~]# firewall-cmd --get-zone-of-interface=ens33:0
no zone
3. Bind an interface to a zone. Command: firewall-cmd --zone=public --add-interface=lo
## the newly added interface has no zone ##
[[email protected] ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
## go to /etc/sysconfig/network-scripts/ ##
[[email protected] ~]# cd /etc/sysconfig/network-scripts/
[[email protected] network-scripts]# ls
ifcfg-ens33  ifcfg-ens33:0  ifcfg-lo  ifdown  ifdown-bnep  ifdown-eth  ifdown-ippp  ifdown-ipv6  ifdown-isdn  ifdown-post  ifdown-ppp  ifdown-routes  ifdown-sit  ifdown-Team  ifdown-TeamPort  ifdown-tunnel  ifup  ifup-aliases  ifup-bnep  ifup-eth  ifup-ippp  ifup-ipv6  ifup-isdn  ifup-plip  ifup-plusb  ifup-post  ifup-ppp  ifup-routes  ifup-sit  ifup-Team  ifup-TeamPort  ifup-tunnel  ifup-wireless  init.ipv6-global  network-functions  network-functions-ipv6
## copy ifcfg-ens33 to ifcfg-ens37 and change the device name, IP address and other parameters ##
[[email protected] network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[[email protected] network-scripts]# ls
ifcfg-ens33  ifcfg-ens33:0  ifcfg-ens37  ifcfg-lo  ifdown  ifdown-bnep  ifdown-eth  ifdown-ippp  ifdown-ipv6  ifdown-isdn  ifdown-post  ifdown-ppp  ifdown-routes  ifdown-sit  ifdown-Team  ifdown-TeamPort  ifdown-tunnel  ifup  ifup-aliases  ifup-bnep  ifup-eth  ifup-ippp  ifup-ipv6  ifup-isdn  ifup-plip  ifup-plusb  ifup-post  ifup-ppp  ifup-routes  ifup-sit  ifup-Team  ifup-TeamPort  ifup-tunnel  ifup-wireless  init.ipv6-global  network-functions  network-functions-ipv6
[[email protected] network-scripts]# vim ifcfg-ens37
## restart firewalld ##
[[email protected] network-scripts]# systemctl restart firewalld
## still no zone ##
[[email protected] network-scripts]# firewall-cmd --get-zone-of-interface=ens37
no zone
## bind the interface to a zone with firewall-cmd ##
[[email protected] network-scripts]# firewall-cmd --zone=dmz --add-interface=ens37
success
## the zone is now set ##
[[email protected] network-scripts]# firewall-cmd --get-zone-of-interface=ens37
dmz
## bind lo to a zone ##
[[email protected] network-scripts]# firewall-cmd --zone=public --add-interface=lo
success
[[email protected] network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
4. Move an interface to a different zone. Command: firewall-cmd --zone=drop --change-interface=lo
[[email protected] network-scripts]# firewall-cmd --zone=drop --change-interface=lo
success
[[email protected] network-scripts]# firewall-cmd --get-zone-of-interface=lo
drop
5. Remove an interface from its zone. Command: firewall-cmd --zone=drop --remove-interface=lo
[[email protected] network-scripts]# firewall-cmd --zone=drop --remove-interface=lo
success
## if a zone is configured for the interface (e.g. ZONE= in its ifcfg file) it reverts to that; otherwise it is left with no explicit zone and the default zone applies ##
[[email protected] network-scripts]# firewall-cmd --get-zone-of-interface=lo
no zone
6. Show the active zones and the interfaces bound to each. Command: firewall-cmd --get-active-zones
[[email protected] network-scripts]# firewall-cmd --get-active-zones
dmz
  interfaces: ens33:0
work
  interfaces: ens33
public
  interfaces: ens37 lo
Service operations in firewalld
A service is a sub-unit of a zone: a named set of ports (optionally with conntrack helper modules) that a zone allows in.
1. List all predefined services. Command: firewall-cmd --get-services (firewall-cmd also accepts the shortened --get-service, because the option prefix is unambiguous)
[[email protected] ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[[email protected] ~]# firewall-cmd --get-service
(same list as above)
2. List the services allowed in the current (default) zone. Command: firewall-cmd --list-services
[[email protected] ~]# firewall-cmd --get-default-zone
work
[[email protected] ~]# firewall-cmd --list-services
ssh dhcpv6-client
[[email protected] ~]# firewall-cmd --list-service
ssh dhcpv6-client
3. List the services allowed in a given zone. Command: firewall-cmd --zone=public --list-services
[[email protected] ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
[[email protected] ~]# firewall-cmd --zone=block --list-services

[[email protected] ~]# firewall-cmd --zone=trusted --list-services

## block rejects everything and trusted accepts everything, so neither lists any service ##
4. Add http and ftp to the public zone.
Command: firewall-cmd --zone=public --add-service=http
[[email protected] ~]# firewall-cmd --zone=public --add-service=http
success
[[email protected] ~]# firewall-cmd --zone=public --add-service=ftp
success
[[email protected] ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http ftp
5. Remove http and ftp from the public zone.
Command: firewall-cmd --zone=public --remove-service=http
[[email protected] ~]# firewall-cmd --zone=public --remove-service=http
success
[[email protected] ~]# firewall-cmd --zone=public --remove-service=ftp
success
[[email protected] ~]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client
6. The two steps above change only the runtime configuration, which is lost when firewalld is reloaded or restarted. To make a service part of a zone permanently, change the persistent configuration with --permanent:
Command: firewall-cmd --zone=public --add-service=http --permanent
This writes (or updates) the zone file under /etc/firewalld/zones/. Conversely, --permanent alone does not touch the running firewall; run firewall-cmd --reload afterwards, or run the command once with and once without --permanent.
Zone templates live in /usr/lib/firewalld/zones/; files of the same name under /etc/firewalld/zones/ override them.
Service templates live in /usr/lib/firewalld/services/; files of the same name under /etc/firewalld/services/ override them.
[[email protected] ~]# ls /usr/lib/firewalld/zones/    ## zone templates ##
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml
[[email protected] ~]# ls /etc/firewalld/zones
public.xml  public.xml.old
## add "http" to the public zone's configuration file ##
[[email protected] ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[[email protected] ~]# ls /etc/firewalld/zones
public.xml  public.xml.old
[[email protected] ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>    ## the added "http" ##
</zone>
## add "ftp" to the public zone's configuration file ##
[[email protected] ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[[email protected] ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ftp"/>    ## the added "ftp" ##
</zone>
7. Requirement: the ftp service listens on the custom port 1121, and ftp must be allowed in the work zone. Two caveats with the approach below: a file in /etc/firewalld/services/ overrides the template of the same name, so after the edit "ftp" means port 1121 in every zone that allows it, not just work; and the nf_conntrack_ftp helper the file loads only inspects the standard port 21 unless the module is told otherwise (e.g. options nf_conntrack_ftp ports=21,1121 in a file under /etc/modprobe.d/), without which passive FTP data connections will not be tracked.
[[email protected] ~]# ls /etc/firewalld/zones/
public.xml  public.xml.old
[[email protected] ~]# ls /etc/firewalld/services/
## copy the ftp.xml template into the services configuration directory ##
[[email protected] ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[[email protected] ~]# ls /etc/firewalld/services/
ftp.xml
[[email protected] ~]# vi /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>    ## port 21 changed to 1121 ##
  <module name="nf_conntrack_ftp"/>
</service>
## copy the work.xml zone template into the zones configuration directory ##
[[email protected] ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[[email protected] ~]# ls /etc/firewalld/zones/
public.xml  public.xml.old  work.xml
[[email protected] ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>    ## added line: allow "ftp" ##
</zone>
Reload firewalld so that the edited files take effect:
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --zone=work --list-services    ## confirm it took effect ##
ssh dhcpv6-client ftp
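Hand-editing a copy of ftp.xml, as done in steps 6 and 7 above, is easy to get wrong (a typo in the XML makes firewalld refuse the whole service). The script below is an added example, not part of the original post: write_service() generates a service definition under a new name for a non-standard port, so the stock "ftp" definition stays untouched in every other zone, service_ports() reads back what the file actually opens, and apply_service() performs the install/reload/add-service/reload sequence with firewall-cmd (root and a running firewalld required; it is not executed by the demo). The service name ftp-1121 and the scratch directory are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): build a custom firewalld
# service definition for a non-standard port and check what it exposes.

xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# write_service DIR NAME PORT PROTO DESCRIPTION [MODULE]
# Writes DIR/NAME.xml in the format firewalld reads from /etc/firewalld/services.
write_service() {
    dir=$1 name=$2 port=$3 proto=$4 desc=$5 module=${6:-}
    case $proto in tcp|udp|sctp|dccp) ;; *) echo "bad protocol: $proto" >&2; return 1;; esac
    case $port in *[!0-9-]*|'') echo "bad port: $port" >&2; return 1;; esac
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$name")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        [ -n "$module" ] && printf '  <module name="%s"/>\n' "$module"
        printf '</service>\n'
    } > "$dir/$name.xml"
}

# service_ports FILE -> one "PORT/PROTO" per line: what the service really opens.
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# apply_service FILE ZONE: install the definition, reload so firewalld parses
# it, add it to the zone persistently, reload again, then show the result.
apply_service() {
    command -v firewall-cmd >/dev/null || { echo "firewall-cmd not found" >&2; return 1; }
    install -m 0644 "$1" /etc/firewalld/services/ &&
    firewall-cmd --reload &&
    firewall-cmd --permanent --zone="$2" --add-service="$(basename "$1" .xml)" &&
    firewall-cmd --reload &&
    firewall-cmd --zone="$2" --list-services
}

# --- Demo on a scratch directory (constructed; no firewalld needed) -------
DEMO_DIR=$(mktemp -d)
write_service "$DEMO_DIR" ftp-1121 1121 tcp \
    "FTP control channel on the non-standard port 1121 (custom deployment)" nf_conntrack_ftp
# The ftp conntrack helper only watches port 21 unless the module is loaded
# with the extra port, e.g. in /etc/modprobe.d/ftp.conf:
#   options nf_conntrack_ftp ports=21,1121
if [ "${1:-}" = "--demo" ]; then
    cat "$DEMO_DIR/ftp-1121.xml"
    service_ports "$DEMO_DIR/ftp-1121.xml"
fi
```

Run with --demo to print the generated file and its port list; on the target host, call apply_service "$DEMO_DIR/ftp-1121.xml" work as root.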
Linux task scheduling: cron
Requirement: back up data and start services in the early hours. The job can be a shell script or a single command.
The cron configuration file:
[[email protected] ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
Format: minute hour day-of-month month day-of-week user command (the user field exists only in /etc/crontab; per-user crontabs edited with crontab -e omit it and run as that user).
Ranges: minute 0-59, hour 0-23, day of month 1-31, month 1-12, day of week 0-7 (both 0 and 7 mean Sunday).
Redirect the job's output to a file in the crontab entry, so that its results can be traced later.
[[email protected] ~]# crontab -e
no crontab for root - using an empty one
0 3 1-10 */2 2,5 /bin/bash /usr/local/sbin/123.sh >>/tmp/123.log 2>>/tmp/123.log
Why is there no year field? cron is a recurring scheduler: an entry describes a repeating pattern, not a single date, so a year would have no meaning (use at for a one-off job). Two things to know about the example above: when both day-of-month and day-of-week are restricted (1-10 and 2,5 here), the job runs whenever either field matches, not only when both do; and >>/tmp/123.log 2>>/tmp/123.log works, but the usual way to send both streams to one file is >>/tmp/123.log 2>&1.
The format 1-5 means the range 1 to 5.
The format 1,2,3 means 1 or 2 or 3.
The format */2 means every value divisible by 2; in the hour field, that is every 2 hours.
crontab -e opens the user's crontab in the editor, with the same keystrokes as vi; * in a field means every value (every day, every hour, and so on). Options: crontab -u USER acts on another user's crontab (root only), -e edits, -l lists, -r removes the whole crontab without asking for confirmation.
[[email protected] ~]# crontab -l
no crontab for root
[[email protected] ~]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
[[email protected] ~]# crontab -l
0 3 1-10 */2 2,5 /bin/bash /usr/local/sbin/123.sh >>/tmp/123.log 2>>/tmp/123.log
[[email protected] ~]# crontab -r
[[email protected] ~]# crontab -l
no crontab for root
[[email protected] ~]# crontab -u root -l
no crontab for root
The crond service must be running: systemctl start crond.service
A crond process in the process list shows that the command above started the service.
Check whether the service is running or stopped: systemctl status crond
The entries themselves are stored under /var/spool/cron/, one file per user named after the user (/var/spool/cron/root for root).
A common problem: the job never runs because a command was given by bare name and is not on cron's PATH. cron does not inherit your login shell's environment; /etc/crontab sets PATH=/sbin:/bin:/usr/sbin:/usr/bin and per-user crontabs get an even shorter default. Get into the habit of using absolute paths in scripts and crontab entries, and redirect both stdout and stderr to a log file so that failures can be traced afterwards.
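The PATH, logging and overlap problems discussed in this section are easiest to solve once, in a wrapper that every crontab entry calls instead of the bare script. The wrapper below is an added example, not part of the original post. run_job() pins PATH, frames the job's output in the log with timestamped START/END lines that record the exit status, and returns that status; run_once() adds a lock so that a 03:00 backup that is still running is not started a second time. The paths /usr/local/sbin/cronrun.sh, /usr/local/sbin/backup.sh, /var/log/cron-backup.log and /run/lock are assumptions; util-linux flock is used when present.

```shell
#!/bin/bash
# Added example (not from the original post): wrapper for cron jobs.
# Crontab line using it (assumed paths):
#   0 3 * * * /usr/local/sbin/cronrun.sh /var/log/cron-backup.log /usr/local/sbin/backup.sh
# cron gives jobs a minimal PATH, so set it explicitly instead of hoping.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

stamp() { date '+%Y-%m-%dT%H:%M:%S%z'; }

# run_job LOGFILE COMMAND [ARGS...]
# Runs COMMAND with stdout and stderr appended to LOGFILE, framed by
# timestamped START/END lines that record the exit status, which is returned.
run_job() {
    log=$1; shift
    echo "$(stamp) START $*" >> "$log"
    "$@" >> "$log" 2>&1 && rc=0 || rc=$?
    echo "$(stamp) END exit=$rc $1" >> "$log"
    return "$rc"
}

# run_once LOCKFILE LOGFILE COMMAND [ARGS...]
# Like run_job, but skips the run (logging SKIP) while a previous instance
# still holds LOCKFILE. Without flock it degrades to a plain run_job.
run_once() {
    lock=$1 log=$2; shift 2
    if command -v flock >/dev/null; then
        exec 9>"$lock"
        if ! flock -n 9; then
            echo "$(stamp) SKIP still running: $*" >> "$log"
            return 0
        fi
    fi
    run_job "$log" "$@"
}

# last_status LOGFILE -> exit status recorded by the most recent END line,
# handy for a monitoring check that reads the log.
last_status() {
    sed -n 's/.* END exit=\([0-9]*\) .*/\1/p' "$1" | tail -n 1
}

# When invoked from cron: cronrun.sh LOGFILE COMMAND [ARGS...]
if [ "$#" -ge 2 ]; then
    LOG=$1; shift
    run_once "/run/lock/cronrun-$(basename "$1").lock" "$LOG" "$@"
fi
```

The wrapper exits with the job's own status, so cron's MAILTO still reports failures; the log shows when each run started, when it ended and how it ended, which is what you want when a backup silently stopped working weeks ago.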
Linux service management: the chkconfig tool
chkconfig was the tool on CentOS 6. CentOS 7 has moved to systemd, but keeps chkconfig as a transitional, backward-compatible tool, so it still works. Only two SysV services remain, netconsole and network, whose init scripts live in /etc/init.d/.
chkconfig --list
[[email protected] ~]# chkconfig --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration.
      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use 'systemctl list-dependencies [target]'.
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[[email protected] ~]# ls /etc/init.d/
functions  netconsole  network  README
Runlevels: 0 halt; 1 single user; 2 multi-user without NFS (network file system); 3 full multi-user without graphics; 4 reserved and unused; 5 multi-user with a graphical login; 6 reboot.
Turn the service off in runlevel 3 only. Command: chkconfig --level 3 network off
[[email protected] ~]# chkconfig --level 3 network off
[[email protected] ~]# chkconfig --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration.
      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use 'systemctl list-dependencies [target]'.
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:off   4:on    5:on    6:off
Turn it off in runlevels 3, 4 and 5. Command: chkconfig --level 345 network off
[[email protected] ~]# chkconfig --level 345 network off
[[email protected] ~]# chkconfig --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration.
      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use 'systemctl list-dependencies [target]'.
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:off   4:off   5:off   6:off
Turn it on in runlevels 3, 4 and 5. Command: chkconfig --level 345 network on
[[email protected] ~]# chkconfig --level 345 network on
[[email protected] ~]# chkconfig --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration.
      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use 'systemctl list-dependencies [target]'.
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
Add a service. Command: chkconfig --add 123 (where 123 is the name of a script in /etc/init.d/)
[[email protected] ~]# ls /etc/init.d/
functions  netconsole  network  README
## go to the init script directory ##
[[email protected] ~]# cd !$
cd /etc/init.d/
[[email protected] init.d]# ls
functions  netconsole  network  README
## copy an existing service script ##
[[email protected] init.d]# cp network 123
[[email protected] init.d]# ls -l
total 48
-rwxr-xr-x  1 root root  7293 Jun 14 23:12 123
-rw-r--r--. 1 root root 17500 May  3  2017 functions
-rwxr-xr-x. 1 root root  4334 May  3  2017 netconsole
-rwxr-xr-x. 1 root root  7293 May  3  2017 network
-rw-r--r--  1 root root  1160 Apr 11 15:36 README
## the copied script is not yet known to chkconfig ##
[[email protected] init.d]# chkconfig --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration.
      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use 'systemctl list-dependencies [target]'.
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
## the following command is required to register the 123 service with chkconfig ##
[[email protected] init.d]# chkconfig --add 123
[[email protected] init.d]# chkconfig --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration.
      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use 'systemctl list-dependencies [target]'.
123             0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[[email protected] init.d]# ls
123  functions  netconsole  network  README
Open the service script with vim 123 to see how chkconfig knows what to do with it.
The lines chkconfig relies on are the header comments: the runlevels in which the service is on by default (2345), its start priority (10) and its stop priority (90), followed by the description.
# chkconfig: 2345 10 90
# description: Activates/Deactivates all network interfaces configured to \
#              start at boot time.
Remove a service from chkconfig. Command: chkconfig --del 123
[[email protected] init.d]# chkconfig --del 123
[[email protected] init.d]# chkconfig --list
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration.
      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use 'systemctl list-dependencies [target]'.
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
Managing services with systemd
List all units and services; the second command gives the more orderly output.
[[email protected] init.d]# systemctl list-unit-files
[[email protected] init.d]# systemctl list-units --all --type=service
Commonly used service commands:
systemctl enable crond.service //start the service at boot
systemctl disable crond //do not start it at boot
systemctl status crond //show its status
systemctl stop crond //stop the service
systemctl start crond //start the service
systemctl restart crond //restart the service
systemctl is-enabled crond //check whether it starts at boot
The "configuration" that enable creates under /etc/systemd/system/multi-user.target.wants/ is in fact a symlink to the unit file:
[[email protected] ~]# systemctl disable crond
[[email protected] ~]# systemctl enable crond.service
Created symlink from /etc/systemd/system/multi-user.target.wants/crond.service to /usr/lib/systemd/system/crond.service.
[[email protected] ~]# cat /etc/systemd/system/multi-user.target.wants/crond.service
[Unit]
Description=Command Scheduler
After=auditd.service systemd-user-sessions.service time-sync.target

[Service]
EnvironmentFile=/etc/sysconfig/crond
ExecStart=/usr/sbin/crond -n $CRONDARGS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process

[Install]
WantedBy=multi-user.target
[[email protected] ~]# ls -l !$
ls -l /etc/systemd/system/multi-user.target.wants/crond.service
lrwxrwxrwx 1 root root 37 Jun 14 23:43 /etc/systemd/system/multi-user.target.wants/crond.service -> /usr/lib/systemd/system/crond.service
Enabling a service creates that symlink; disabling it removes the symlink. The unit file itself in /usr/lib/systemd/system/ is untouched either way.
[[email protected] ~]# ls -l /usr/lib/systemd/system/crond.service
-rw-r--r--. 1 root root 284 Aug  3  2017 /usr/lib/systemd/system/crond.service
[[email protected] ~]# systemctl disable crond
Removed symlink /etc/systemd/system/multi-user.target.wants/crond.service.
[[email protected] ~]# ls -l /etc/systemd/system/multi-user.target.wants/crond.service
ls: cannot access /etc/systemd/system/multi-user.target.wants/crond.service: No such file or directory
Units
ls /usr/lib/systemd/system //all units on the system; they fall into the following types
service: a system service
target: a group made up of several units
device: a hardware device
mount: a file system mount point
automount: an automount point
path: a file or directory watched for changes
scope: a group of externally created processes not started by systemd
slice: a group of processes for resource management
snapshot: a saved state of the systemd manager
socket: an inter-process communication socket
swap: a swap file or partition
timer: a timer
[[email protected] ~]# cd /usr/lib/systemd/system
[[email protected] system]# ls -l runlevel*
lrwxrwxrwx 1 root root 15 Jun 13 18:53 runlevel0.target -> poweroff.target
lrwxrwxrwx 1 root root 13 Jun 13 18:53 runlevel1.target -> rescue.target
lrwxrwxrwx 1 root root 17 Jun 13 18:53 runlevel2.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Jun 13 18:53 runlevel3.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Jun 13 18:53 runlevel4.target -> multi-user.target
lrwxrwxrwx 1 root root 16 Jun 13 18:53 runlevel5.target -> graphical.target
lrwxrwxrwx 1 root root 13 Jun 13 18:53 runlevel6.target -> reboot.target
Unit-related commands:
systemctl list-units //list the units that are currently running
systemctl list-units --all //list all units, including failed and inactive ones
systemctl list-units --all --state=inactive //list inactive units
systemctl list-units --type=service //list active services
systemctl is-active crond.service //check whether a service is active
[[email protected] ~]# systemctl is-active crond.service
active
[[email protected] ~]# systemctl is-enabled crond.service
disabled
[[email protected] ~]# systemctl is-active crond.service
active
Targets
To make management easier, systemd groups units into targets.
systemctl list-unit-files --type=target //list all targets
systemctl list-dependencies multi-user.target //show which units a target pulls in
[[email protected] ~]# systemctl list-dependencies multi-user.target
multi-user.target
● ├─auditd.service
● ├─brandbot.path
● ├─chronyd.service
● ├─dbus.service
● ├─firewalld.service
● ├─irqbalance.service
● ├─kdump.service
● ├─network.service
● ├─NetworkManager.service
● ├─plymouth-quit-wait.service
● ├─plymouth-quit.service
● ├─postfix.service
● ├─rsyslog.service
● ├─sshd.service
● ├─sysstat.service
● ├─systemd-ask-password-wall.path
● ├─systemd-logind.service
● ├─systemd-readahead-collect.service
● ├─systemd-readahead-replay.service
● ├─systemd-update-utmp-runlevel.service
● ├─systemd-user-sessions.service
● ├─tuned.service
● ├─vmtoolsd.service
● ├─basic.target
● │ ├─microcode.service
● │ ├─rhel-autorelabel-mark.service
systemctl get-default //show the system's default target
[[email protected] ~]# systemctl get-default
multi-user.target
systemctl set-default multi-user.target //set the default target
[[email protected] ~]# systemctl set-default multi-user.target
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
A service is one kind of unit.
Several units make up a target.
So a target contains several services.
cat /usr/lib/systemd/system/sshd.service //look at the [Install] section
[[email protected] ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target    ## this is what makes sshd.service belong to multi-user.target ##
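The symlink mechanics shown for crond.service and the [Install] section of sshd.service are what you need to write a unit for your own daemon and to audit what a target actually pulls in. The script below is an added example, not part of the original post: write_unit() produces a minimal service unit whose WantedBy=multi-user.target is what lets systemctl enable create the .wants symlink, with the least-privilege directives available on the systemd 219 that CentOS 7 ships; enabled_in() reads a target's .wants directory the way systemctl is-enabled does and flags dangling links left behind when a unit file was removed without disabling it. The names demo.service, /usr/local/sbin/demod and the user demo are assumptions, and the demo runs on a scratch directory tree rather than the real /etc/systemd/system.

```shell
#!/bin/bash
# Added example (not from the original post): write a minimal unit for a
# custom daemon and audit a target's .wants symlinks.

# write_unit DIR NAME EXEC USER -> DIR/NAME.service
# [Install] WantedBy=multi-user.target makes "systemctl enable NAME" create
# multi-user.target.wants/NAME.service -> this file, as seen for crond above.
write_unit() {
    cat > "$1/$2.service" <<EOF
[Unit]
Description=$2 (added example)
After=network.target

[Service]
Type=simple
User=$4
ExecStart=$3
Restart=on-failure
# Least-privilege sandboxing available on systemd 219 (CentOS 7):
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target
EOF
}

# enabled_in WANTS_DIR: one "name -> unit file" line per symlink in a
# target's .wants directory; links whose unit file is gone are flagged.
enabled_in() {
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        if [ -e "$link" ]; then
            echo "$(basename "$link") -> $target"
        else
            echo "$(basename "$link") -> $target (DANGLING)"
        fi
    done
}

# On a real host (root), the unit goes live with:
#   install -m 0644 demo.service /etc/systemd/system/
#   systemctl daemon-reload && systemctl enable demo.service && systemctl start demo.service
#   systemctl is-enabled demo.service; ls -l /etc/systemd/system/multi-user.target.wants/

# --- Constructed demo of the enable/disable symlink mechanics ------------
ROOT=$(mktemp -d)
WANTS=$ROOT/etc/systemd/system/multi-user.target.wants
mkdir -p "$WANTS"
write_unit "$ROOT/etc/systemd/system" demo /usr/local/sbin/demod demo
# what "systemctl enable demo.service" does:
ln -s "$ROOT/etc/systemd/system/demo.service" "$WANTS/demo.service"
# a stale link left behind when a unit file was deleted without "disable":
ln -s "$ROOT/etc/systemd/system/gone.service" "$WANTS/gone.service"
if [ "${1:-}" = "--demo" ]; then
    cat "$ROOT/etc/systemd/system/demo.service"
    enabled_in "$WANTS"
fi
```

Running the file with --demo prints the generated unit and the audit of the scratch .wants directory, including the dangling gone.service entry; point enabled_in at /etc/systemd/system/multi-user.target.wants on a real host to get the same view of what will start at boot.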
Further reading
A blog with a series of articles on iptables: https://www.zsythink.net/archives/tag/iptables/page/2/
anacron: https://www.jianshu.com/p/3009a9b7d024?from=timeline
Custom systemd start-up scripts: http://www.jb51.net/article/100457.htm