初探centos7-安装

一、安装
1、新的安装界面
2、新的分区方式
默认为xfs分区，支持分区容量从ext4的16T扩大到500T

二、进入系统
1、系统版本
[root@local ~]# cat /etc/system-release
CentOS Linux release 7.2.1511 (Core)

2、内核升级为3.10
[root@local ~]# uname -r
3.10.0-327.el7.x86_64

3、runlevel改变
[root@local ~]# ll /etc/systemd/system/default.target
lrwxrwxrwx. 1 root root 37 Dec 29 15:19 /etc/systemd/system/default.target -> /lib/systemd/system/multi-user.target

4、hostname配置变化
[root@local ~]# cat /etc/hostname
local.centos7.test
[root@local ~]# hostnamectl status
Static hostname: local.centos7.test
Icon name: computer-vm
Chassis: vm
Machine ID: de4091fb34364f4ab7266b983f8dc1cb
Boot ID: e32ee2c43e004aae87a0837665f05c3b
Virtualization: kvm
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64

如何更改hostname？
hostnamectl --static set-hostname VM_200_5_centos.test.com

5、/bin,/sbin,/lib,/lib64 的路径改变
[root@local ~]# ls / -l |sort |grep -E 'bin|lib'
lrwxrwxrwx.   1 root root    7 Dec 29 15:12 bin -> usr/bin
lrwxrwxrwx.   1 root root    7 Dec 29 15:12 lib -> usr/lib
lrwxrwxrwx.   1 root root    8 Dec 29 15:12 sbin -> usr/sbin
lrwxrwxrwx.   1 root root    9 Dec 29 15:12 lib64 -> usr/lib64

6、free 的格式改变
[root@local ~]# free -m
total        used        free      shared  buff/cache   available
Mem:           1838         105        1172           8         560        1564
Swap:          2047           0        2047

7、用户id从1000开始
[root@local ~]# useradd Jack
[root@local ~]# id Jack
uid=1000(Jack) gid=1000(Jack) groups=1000(Jack)

8、限制使用su
先看看Jack能否su root：
[root@sz-local-vm41 ~]# su Jack
[Jack@local root]$ su
Password:
[root@local ~]# exit
exit
[Jack@local root]$ exit
exit
看起来一切如旧，开始调整配置
[root@sz-local-vm41 ~]# vim /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
启用上面这行配置，再次测试
[root@sz-local-vm41 ~]# su Jack
[Jack@local root]$ su
Password:
su: Permission denied
被拒绝，，符合预期
[Jack@local root]$ exit
exit

9、升级了python版本
[root@local ~]# rpm -qa |grep python-2.7
python-2.7.5-34.el7.x86_64

三、使用 systemd 替代 service 和 chkconfig 来管理服务
1、类型和路径
Table 8.1. Available systemd Unit Types
Unit Type	    File Extension	    Description
Service unit	.service	        A system service.
Target unit	    .target 	        A group of systemd units.
Automount unit	.automount	        A file system automount point.
Device unit	    .device	            A device file recognized by the kernel.
Mount unit	    .mount	            A file system mount point.
Path unit	    .path	            A file or directory in a file system.
Scope unit	    .scope	            An externally created process.
Slice unit	    .slice	            A group of hierarchically organized units that manage system processes.
Snapshot unit	.snapshot	        A saved state of the systemd manager.
Socket unit	    .socket	            An inter-process communication socket.
Swap unit	    .swap	            A swap device or a swap file.
Timer unit	    .timer	            A systemd timer.

Table 8.2. Systemd Unit Locations
Directory	                Description
/usr/lib/systemd/system/	Systemd units distributed with installed RPM packages.
/run/systemd/system/	    Systemd units created at run time. This directory takes precedence over the directory with installed service units.
/etc/systemd/system/	    Systemd units created and managed by the system administrator. This directory takes precedence over the directory with runtime units.

2、使用 Service units（.service 结尾的文件）来替代原来在 /etc/rc.d/init.d/中配置的服务控制脚本
Table 8.3. Comparison of the service Utility with systemctl
service	                        systemctl	                                    Description
service name start              systemctl start name.service                    Starts a service.
service name stop               systemctl stop name.service                     Stops a service.
service name restart            systemctl restart name.service                  Restarts a service.
service name condrestart        systemctl try-restart name.service              Restarts a service only if it is running.
service name reload             systemctl reload name.service                   Reloads configuration.
service name status             systemctl status name.service                   Checks if a service is running.
systemctl is-active name.service

service --status-all            systemctl list-units --type service --all       Displays the status of all services.

Table 8.4. Comparison of the chkconfig Utility with systemctl
chkconfig	                    systemctl	                                    Description
chkconfig name on               systemctl enable name.service                   Enables a service.
chkconfig name off              systemctl disable name.service                  Disables a service.
chkconfig --list name           systemctl status name.service                   Checks if a service is enabled.
systemctl is-enabled name.service
chkconfig --list                systemctl list-unit-files --type service        Lists all services and checks if they are enabled.
chkconfig --list                systemctl list-dependencies --after             Lists services that are ordered to start before the specified unit.
chkconfig --list                systemctl list-dependencies --before            Lists services that are ordered to start after the specified unit.

3、禁用和启用服务
[root@local ~]# ls /etc/systemd/system/multi-user.target.wants/
abrt-ccpp.service  abrt-oops.service    abrt-xorg.service  crond.service       kdump.service           postfix.service   rsyslog.service  tuned.service
abrtd.service      abrt-vmcore.service  auditd.service     irqbalance.service  NetworkManager.service  remote-fs.target  sshd.service

[root@local ~]# systemctl disable postfix.service
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.

[root@local ~]# ls /etc/systemd/system/multi-user.target.wants/
abrt-ccpp.service  abrt-oops.service    abrt-xorg.service  crond.service       kdump.service           remote-fs.target  sshd.service
abrtd.service      abrt-vmcore.service  auditd.service     irqbalance.service  NetworkManager.service  rsyslog.service   tuned.service

[root@local ~]# systemctl enable postfix.service
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.

4、使用 Target unit （.target 结尾的文件）来组合不同运行级别上的 Service unit 的集合。
Table 8.6. Comparison of SysV Runlevels with systemd Targets
Runlevel	Target Units	                        Description
0	        runlevel0.target, poweroff.target	    Shut down and power off the system.
1	        runlevel1.target, rescue.target	        Set up a rescue shell.
2	        runlevel2.target, multi-user.target	    Set up a non-graphical multi-user system.
3	        runlevel3.target, multi-user.target	    Set up a non-graphical multi-user system.
4	        runlevel4.target, multi-user.target	    Set up a non-graphical multi-user system.
5	        runlevel5.target, graphical.target	    Set up a graphical multi-user system.
6	        runlevel6.target, reboot.target	        Shut down and reboot the system.

默认运行级别：
[root@local ~]# systemctl get-default
multi-user.target

列出当前的target
[root@local ~]# systemctl list-units --type target

5、服务配置
[root@local ~]# cat /usr/lib/systemd/system/postfix.service
[Unit]
Description=Postfix Mail Transport Agent
After=syslog.target network.target
Conflicts=sendmail.service exim.service

[Service]
Type=forking
PIDFile=/var/spool/postfix/pid/master.pid
EnvironmentFile=-/etc/sysconfig/network
ExecStartPre=-/usr/libexec/postfix/aliasesdb
ExecStartPre=-/usr/libexec/postfix/chroot-update
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop

[Install]
WantedBy=multi-user.target

6、使用 rc.local
[root@local ~]# cat /etc/rc.d/rc.local
#!/bin/sh

# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local
/usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null 2>&1 &

注意这一句：
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

[root@local ~]# ls -l /etc/rc.d/rc.local
-rwxr-xr-x 1 root root 777 Aug  4 10:08 /etc/rc.d/rc.local

四、常用服务
1、tigervnc
yum install tigervnc-server
cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service
vim /etc/systemd/system/vncserver@.service
更新了用户和分辨率配置，主要是这两行：
ExecStart=/usr/sbin/runuser -l root -c "/usr/bin/vncserver %i -geometry 1024x768"
PIDFile=/root/.vnc/%H%i.pid

systemctl daemon-reload
systemctl start vncserver@:0.service
systemctl enable vncserver@:0.service
vncpasswd

2、防火墙
使用 Firewall 替代 iptables 来管理防火墙
停止和启动服务：
[root@local ~]# systemctl stop firewalld.service
[root@local ~]# systemctl start firewalld.service
列出：
[root@local ~]# firewall-cmd --list-all
放行端口：
[root@local ~]# firewall-cmd --zone=public --add-port=5900/tcp
[root@local ~]# firewall-cmd --zone=public --remove-port=5900/tcp
配置持久化：
[root@local ~]# firewall-cmd --zone=public --add-port=5900/tcp --permanent
[root@local ~]# firewall-cmd --zone=public --remove-port=5900/tcp --permanent
查看配置：
[root@local ~]# cat /etc/firewalld/zones/public.xml

3、http服务
1）服务
[root@local ~]# yum install httpd
[root@local ~]# systemctl start httpd.service
[root@local ~]# systemctl enable httpd.service
2）虚拟主机
[root@local ~]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d/vhosts.conf
[root@local ~]# grep ^[^#] /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:80>
ServerAdmin webmaster@office.test
DocumentRoot "/var/www/html/office.test"
ServerName office.test
ServerAlias www.office.test
ErrorLog "/var/log/httpd/office.test-error_log"
CustomLog "/var/log/httpd/office.test-access_log" common
</VirtualHost>
[root@local ~]# systemctl restart httpd.service
[root@local ~]# mkdir /var/www/html/office.test
[root@local ~]# echo 'abc' > /var/www/html/office.test/index.html
更新防火墙配置：
[root@local ~]# firewall-cmd --add-service http
[root@local ~]# firewall-cmd --add-service http --permanent
测试：
[root@tvm02 ~]# curl office.test
abc

3）https SSL/TLS
[root@local ~]# yum install mod_ssl openssl
[root@local ~]# grep SSLProtocol /etc/httpd/conf.d/ssl.conf
#SSLProtocol all -SSLv2
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
[root@local ~]# systemctl restart httpd.service
测试：
[root@local ~]# openssl s_client -connect 127.0.0.1:443 -ssl3
Secure Renegotiation IS NOT supported
[root@local ~]# openssl s_client -connect 127.0.0.1:443 -tls1_2
Secure Renegotiation IS supported

使用已有的cert和key文件：
[root@local ~]# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

或，创建新的cert和key文件（发送给CA签名或自签名）：
[root@local ~]# yum install crypto-utils
[root@local ~]# genkey hostname
跟着指引操作即可。
调整配置文件，指向对应的crt和key文件的路径
[root@local ~]# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
[root@local ~]# systemctl restart httpd.service
更新防火墙配置：
[root@local ~]# firewall-cmd --add-service https
[root@local ~]# firewall-cmd --add-service https --permanent

更新配置：
[root@local ~]# grep ^[^#] /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:443>
ServerAdmin webmaster@office.test
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/n41.test.crt
SSLCertificateKeyFile /etc/pki/tls/private/n41.test.key
DocumentRoot "/var/www/html/office.test"
ServerName office.test
ServerAlias www.office.test
ErrorLog "/var/log/httpd/office.test-443-error_log"
CustomLog "/var/log/httpd/office.test-443-access_log" common
</VirtualHost>
[root@local ~]# systemctl restart httpd.service
测试：
[root@tvm02 ~]# curl -k https://office.test abc

4、Chrony 和 NTP
1）启动Chrony
[root@local ~]# yum install chrony
编辑配置，注释掉其他的server，增加一个本地server来测试
[root@local ~]# vim /etc/chrony.conf

[root@local ~]# systemctl start chronyd
[root@local ~]# systemctl status chronyd
[root@local ~]# systemctl enable chronyd

2）检查同步
[root@local ~]# chronyc tracking
[root@local ~]# chronyc sources
[root@local ~]# chronyc sourcestats
[root@local ~]# chronyc tracking

3）同步
启动服务时，将生成一个key，这里会用到：
[root@local ~]# cat /etc/chrony.keys
#1 a_key

1 SHA1 HEX:0981828C41097692E12DCBE377D3CAF06EE7A2CD

手动：
[root@local ~]# chronyc
chrony version 2.1.1
Copyright (C) 1997-2003, 2007, 2009-2015 Richard P. Curnow and others
chrony comes with ABSOLUTELY NO WARRANTY.  This is free software, and
you are welcome to redistribute it under certain conditions.  See the
GNU General Public License version 2 for details.

chronyc> authhash SHA1
chronyc> password HEX:0981828C41097692E12DCBE377D3CAF06EE7A2CD
200 OK
chronyc> makestep
200 OK
chronyc> exit

自动：
[root@local ~]# chronyc -a makestep

4）NTP
（略，和旧版本的使用方法大致上一致）

5）查看clocksource
[root@local ~]# cd /sys/devices/system/clocksource/clocksource0/
[root@local clocksource0]# cat available_clocksource
kvm-clock tsc acpi_pm
[root@local clocksource0]# cat current_clocksource
kvm-clock

五、监控和自动化
1、系统监控工具
1）块设备和文件系统
[root@local ~]# lsblk
[root@local ~]# blkid
[root@local ~]# blkid -po udev /dev/vda5
[root@local ~]# findmnt |grep '/data'
[root@local ~]# df -h

2）硬件信息
[root@local ~]# lspci
[root@local ~]# lspci -v
[root@local ~]# lsusb
[root@local ~]# lsusb -v
[root@local ~]# lscpu

2、OpenLMI(Open Linux Management Infrastructure)
1）由以下3个部分组成：
a）System management agents — Common Information Model providers or CIM providers.
b）A standard object broker — is also known as a CIM Object Monitor or CIMOM.
c）Client applications and scripts — call the system management agents through the standard object broker.

Table 19.1. Available CIM Providers
Package Name	            Description
openlmi-account	            A CIM provider for managing user accounts.
openlmi-logicalfile	        A CIM provider for reading files and directories.
openlmi-networking	        A CIM provider for network management.
openlmi-powermanagement	    A CIM provider for power management.
openlmi-service	            A CIM provider for managing system services.
openlmi-storage	            A CIM provider for storage management.
openlmi-fan	                A CIM provider for controlling computer fans.
openlmi-hardware	        A CIM provider for retrieving hardware information.
openlmi-realmd	            A CIM provider for configuring realmd.
openlmi-software            A CIM provider for software management.

2）在 Managed System 上安装：
yum install tog-pegasus
yum install openlmi-{storage,networking,service,account,powermanagement}
passwd pegasus
systemctl start tog-pegasus.service
systemctl enable tog-pegasus.service
firewall-cmd --add-port 5989/tcp
firewall-cmd --add-port 5989/tcp --permanent

3）在 Client System 上安装：
yum install openlmi-tools

4）配置SSL/TLS
Table 19.2. Certificate and Trust Store Locations
Configuration Option	Location	                Description
sslCertificateFilePath	/etc/Pegasus/server.pem	    Public certificate of the CIMOM.
sslKeyFilePath	        /etc/Pegasus/file.pem	    Private key known only to the CIMOM.
sslTrustStore	        /etc/Pegasus/client.pem	    The file or directory providing the list of trusted certificate authorities.

如果修改了上面的文件，需要重启服务：
systemctl restart tog-pegasus.service

现在以自签名的证书来举例（机构签名的证书请参考文档：https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Configuring-SSL-Certificates-for-OpenPegasus.html）
为了让 Client System 信任 自签名的证书，从 Managed System 上 拷贝 server.pem 到 Client System 上，下面以本机同时作为 Client System 和 Managed System 为例
[root@local ~]# scp root@127.0.0.1:/etc/Pegasus/server.pem  /etc/pki/ca-trust/source/anchors/pegasus-local.centos7.test.pem
校验：
[root@local ~]# sha1sum /etc/Pegasus/server.pem
26de58c7027a8a7177711d9fd4353ceafc545b57  /etc/Pegasus/server.pem
[root@local ~]# sha1sum /etc/pki/ca-trust/source/anchors/pegasus-local.centos7.test.pem
26de58c7027a8a7177711d9fd4353ceafc545b57  /etc/pki/ca-trust/source/anchors/pegasus-local.centos7.test.pem
更新证书存储库
[root@local ~]# update-ca-trust extract

5）使用 LMISHELL
[root@local ~]# lmishell
> c = connect("local.centos7.test", "pegasus")
password:
> quit()
可以用 tab 键补齐命令。

如果是连接到本机的 CIMOM 可以直接连接unix socket：
[root@local ~]# lmishell
> c = connect("localhost")

验证 c 是否包含对象 LMIConnection
> isinstance(c, LMIConnection)
True
也可以用这种方法：
> c is None
False

还有不少命令行的用法请参考文档，大致是就是可以用脚本的方式组合命令来达到目的。

3、日志管理
1）rsyslog
新的版本使用了 RainerScript 语法
包括 input() 和 ruleset() 语句
示例-配置服务端
[root@local ~]# cat /etc/rsyslog.d/test.conf
template(name="TmplAuthpriv" type="string"
string="/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
)

template(name="TmplMsg" type="string"
string="/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
)

module(load="imtcp")

ruleset(name="remote1"){
authpriv.*   action(type="omfile" DynaFile="TmplAuthpriv")
*.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")
}

input(type="imtcp" port="514" ruleset="remote1")

[root@local ~]# firewall-cmd --zone=public --add-port=514/tcp
[root@local ~]# firewall-cmd --zone=public --add-port=514/tcp--permanent
systemctl restart rsyslog.service

示例-配置客户端
[root@tvm02 ~]# cat /etc/rsyslog.d/test.conf
# udp => @ip:port tcp => @@ip:port, default port=514
*.* @@server_ip
#使用&连接另一个action来丢弃(~)上面过滤的消息(不保存到本地的syslog中)
& ~
[root@tvm02 ~]# service rsyslog restart

示例-测试
[root@tvm02 ~]# logger 'hellllllllllllllllllllllllllllo'
[root@tvm02 ~]# logger 'hellllllllllllllllllllllllllllllo'
[root@local ~]# cat /var/log/remote/msg/tvm02/root.log
Jan  7 13:49:11 tvm02 root: hellllllllllllllllllllllllllllo
Jan  7 14:01:58 tvm02 root: hellllllllllllllllllllllllllllllo

2）journal
显示最近10条日志
[root@local ~]# journalctl -n 10
指定日志的格式
[root@local ~]# journalctl -n 10 -o verbose
滚动显示最近10条
[root@local ~]# journalctl -f
根据日志类型优先级筛选
[root@local ~]# journalctl -p err
根据时间来筛选，从当前系统引导的时间开始
[root@local ~]# journalctl -b
指定时间和优先级来筛选
[root@local ~]# journalctl -p warning --since="2016-1-6 23:59:59"
根据指定的key=value来筛选
[root@local ~]# journalctl _SYSTEMD_UNIT=crond.service

默认journal日志保存在内存或缓冲区中，如果要持久化保存，则：
[root@local ~]# mkdir -p /var/log/journal
[root@local ~]# systemctl restart systemd-journald

4、使用grub2
1)使用 grubby 来获取或调整menuentry的信息
[root@local ~]# grubby --default-kernel
[root@local ~]# grubby --default-index
[root@local ~]# grubby --info=ALL
[root@local ~]# grubby --remove-args="rhgb quiet" --args=console=ttyS0,115200 --update-kernel=DEFAULT

2）grub2使用/etc/grub.d/目录下定义的脚本来生成menu
其中：
00_header：从文件 /etc/default/grub 加载了grub2的一些设置。
40_custom：新增的内核可以在这里定义，然后通过 grub2-mkconfig -o /boot/grub2/grub.cfg  生成新的grub配置

ZYXW、参考
1、rhel7 doc https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide 2、This page would list out some of the major differences between RHEL 7 and 6 variants and key features in RHEL 7 . http://simplylinuxfaq.blogspot.com/p/major-difference-between-rhel-7-and-6.html 3、apache http ssl http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html[/code]