RHCE 常用命令

  • 成绩镇楼

一、RHCSA

1. user

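# Allow root to log in over SSH (the exam asks for it). Security note: this also
# allows *password* logins as root; outside a lab keep the default
# `PermitRootLogin prohibit-password` (keys only) and give admins sudo instead.
$ vi /etc/ssh/sshd_config
PermitRootLogin yes
# Validate the config first so a typo cannot lock you out of the box.
$ sshd -t && systemctl restart sshd

# Create users
$ useradd -G <group> <user>    # supplementary group
$ useradd -s /bin/false <user> # no interactive shell
$ useradd -u <uid> <user>      # explicit UID

# Set a user's password. Prefer the interactive form: the password then never
# lands in ~/.bash_history and is never visible in the argv of a process via `ps`.
$ passwd <user>
# Non-interactive form (--stdin is RHEL/Fedora-specific). Do NOT `echo <password> |`:
# that puts the literal password in shell history. Read it from a root-only
# (mode 0600) file instead, and delete the file afterwards.
$ passwd --stdin <user> < <password_file>

# Default maximum password age. login.defs only affects accounts created
# afterwards; for an existing user use `chage -M 25 <user>`.
$ vim /etc/login.defs
PASS_MAX_DAYS 25
$ chage -l <user>   # show a user's ageing settings to verify

# Password-less sudo for a group. `NOPASSWD: ALL` is unrestricted root with no
# second factor for every member — outside the exam, scope the command list.
# Always edit through visudo (or `visudo -f /etc/sudoers.d/<name>`): it syntax-
# checks the file, and a broken sudoers breaks sudo for everyone.
$ visudo
%<group> ALL=(ALL) NOPASSWD: ALL

# Default umask. Effective mode = default & ~umask (a bitwise mask, not arithmetic
# subtraction); files start from 0666, directories from 0777. With umask 222 a new
# file is 0444 and a new directory 0555 — read-only even for the owner — so double-
# check that this is the value the task actually asks for.
# ~/.bashrc only affects this user's interactive bash shells.
$ echo 'umask 222' >> ~/.bashrc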

2. file

# setgid on a directory: files created inside inherit the directory's group.
# The leading 2 is the setgid bit; 770 additionally denies "other" all access.
# Set the directory's group first (chgrp <group> <dir>), otherwise the inherited
# group is whatever the directory happened to have.
$ chmod 2770 <dir>

# Find files and copy them, preserving mode/owner/timestamps (-a)
## -user: owning user
## -type: file type (f = regular file)
## -size: size. GNU find rounds up to the unit, so -10M matches files whose size
##        rounded up to MiB is below 10 (i.e. up to 9 MiB); use -size -10240k for
##        a finer cutoff
## -perm -2000: files that have (at least) the setgid bit set
# Because -a keeps mode bits, the copies stay setgid — make sure <dir> is not a
# location untrusted users can execute from. Run as root; walking / also descends
# into /proc and /sys (add -xdev if that is noisy).
$ find / -user <user> -and -type f -and -size -10M -and -perm -2000 -exec cp -a {} <dir> \;

3. nmcli

# List connection profiles (name, UUID, type, device)
$ nmcli connection show

# Configure a static IPv4 address. The /24 prefix is hard-coded here — adjust it
# to the netmask the task gives. `modify` only rewrites the profile; nothing is
# applied until the connection is brought up again.
$ nmcli connection modify <name> ipv4.method manual ipv4.addresses <ip>/24 ipv4.gateway <gateway> ipv4.dns <dns> autoconnect yes

# (Re)activate the profile so the new settings take effect
$ nmcli connection up <name>

4. yum

# List configured repositories
$ yum repoinfo

# Search package names/summaries for a keyword
$ yum search <keyword>

# Find the package that provides a command (path glob; quoted so the shell does
# not expand the *)
$ yum provides '*/<cmd>'

5. selinux

# Show the SELinux context (user:role:type:level) of files
$ ll -Z

# Change the file-context rule for a path, then apply it with restorecon (below)
## -l: List records of the fcontext object type
## -m: Modify a record of the fcontext object type
## -t: SELinux Type for the object
# NOTE: -m only succeeds if a rule for <file> already exists. For a new path (or
# a whole tree) add one instead: semanage fcontext -a -t <type> "<dir>(/.*)?"
# Check what is already defined with: semanage fcontext -l | grep <file>
$ semanage fcontext <file> -m -t <type>

# Allow a service to bind a non-default port
## -l: List records of the port object type
## -a: Add a record of the port object type
## -t: SELinux Type for the object
## -p: Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol version for the specified node (ipv4|ipv6)
# If the port already carries another label, -a fails with "already defined";
# use -m to change the label in that case.
$ semanage port <port> -a -t <type> -p <protocol>

# Apply the file-context rules to the files on disk (recursive, verbose).
# semanage only changes the policy database; labels are not touched until this runs.
$ restorecon -Rv <dir>

6. firewalld

# Open a predefined service in the default zone. --permanent only writes the
# on-disk config; the running firewall is unchanged until --reload.
$ firewall-cmd --permanent --add-service=<service>

# Open a raw port. Prefer a service definition where one exists, and open only
# the protocol that is actually needed.
$ firewall-cmd --permanent --add-port=<port>/<protocol>

# Load the permanent config into the running firewall.
# Verify afterwards with: firewall-cmd --list-all
$ firewall-cmd --reload

7. cron

# Edit another user's crontab (requires root)
$ crontab -e -u <user>

# List another user's crontab
$ crontab -l -u <user>

## */n: every n
## ,: list ("or")
## -: range
## day-of-week 0 is Sunday (7 is accepted as Sunday too)
# Cron runs jobs with a minimal environment: use absolute paths in <bash>
# (e.g. /usr/bin/echo). If both day-of-month and day-of-week are restricted,
# the job runs when EITHER matches.
<分> <时> <日> <月> <周> <bash>

8. chrony

# Point chronyd at a time source. iburst sends the first requests in a quick
# burst so the clock synchronises shortly after start.
$ vim /etc/chrony.conf
server <server> iburst
# Restart, then verify with `chronyc sources` (the selected source is marked ^*)
$ systemctl restart chronyd

9. podman

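$ yum install container-tools

# Log in to a registry. Do not pass the password with -p: it ends up in shell
# history and is visible to every user in `ps` while the command runs.
# Either omit the password to be prompted for it, or feed it on stdin.
$ podman login -u <username> <registry>
$ podman login -u <username> --password-stdin <registry> < <password_file>

# Build an image from the Containerfile in the current directory
$ podman build -t <i_name> .

# Run a container. `:Z` relabels the bind mount with a private SELinux label for
# this container (use `:z` when several containers must share the directory).
$ podman run -d --name <c_name> -v <dir>:<c_dir>:Z <i_name>

# Run the container as a rootless systemd *user* service.
# Log in as the target user over SSH — a real login session. `systemctl --user`
# from `su`/`sudo` typically fails because there is no session bus for that user.
$ ssh <user>@<host>
$ mkdir -p ~/.config/systemd/user
# -f writes the unit file into the current directory, so go there first;
# --new makes the unit create and remove the container itself.
$ cd ~/.config/systemd/user
$ podman generate systemd -n <c_name> -f --new
# Newer Podman releases deprecate `generate systemd` in favour of Quadlet units;
# check `podman --version` if the command warns.
$ podman rm -f <c_name>   # the unit owns the container from now on
$ systemctl --user daemon-reload
$ systemctl --user enable --now container-<c_name>
# Keep the user's services running (and start them at boot) without an open
# login session. Without an argument this applies to the invoking user.
$ loginctl enable-linger
$ loginctl show-user <user>   # Linger=yes confirms it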

10. ps

# Custom columns sorted by CPU usage. --sort=pcpu is ascending (busiest process
# last); use --sort=-pcpu for descending.
$ ps -xao user,pid,vsz,rss,%cpu --sort=pcpu

11. rescue

# Reset a lost root password from the initramfs: at the GRUB menu edit the kernel
# line and append the two words below (rw mounts /sysroot writable, rd.break
# drops to a shell before the root switch).
# rw rd.break

# Make the real root filesystem the working root. No SELinux policy is loaded in
# this shell, so files written here get wrong/no labels — hence the autorelabel.
$ chroot /sysroot
# Interactive `passwd root` works here too and keeps the password off the command line
$ echo <password> | passwd --stdin root
# Relabel the whole filesystem on the next boot so the rewritten /etc/shadow
# gets its correct context (that boot takes noticeably longer)
$ touch /.autorelabel
$ sync
# Leave the chroot back into the initramfs shell (a second exit would simply
# continue the boot instead of rebooting)
$ exit
$ reboot

12. lv

13. tuned

# Install and enable the tuned daemon
$ yum -y install tuned
$ systemctl enable --now tuned
# Show the profile tuned recommends for this machine
$ tuned-adm recommend
# Activate a profile
$ tuned-adm profile <profile>
# Show the active profile
$ tuned-adm active

二、RHCE

1. 基础

# Install
$ yum -y install ansible-navigator

# Generate a config with every option listed but commented out, then enable the
# ones needed
$ ansible-config init --disabled -t all > ansible.cfg
$ vim ansible.cfg
[defaults]
inventory=...
remote_user=...
# host_key_checking=False turns off SSH host-key verification, so a spoofed
# managed node (MITM) would go unnoticed. Tolerable in a throwaway lab; in real
# environments keep it on and pre-populate known_hosts instead.
host_key_checking=False
roles_path=...
collections_path=...
[privilege_escalation]
# become=True runs every task as root via sudo, so remote_user needs sudo rights
# on the managed nodes (NOPASSWD, or run with --ask-become-pass).
become=True

# Check the config took effect: inventory parse, connectivity, installed
# roles/collections, and the execution-environment images navigator will use
$ ansible-inventory --graph
$ ansible all -m ping
$ ansible-galaxy role list
$ ansible-navigator images
$ ansible-navigator collections

# Module documentation
$ ansible-doc -l | grep <keyword>
$ ansible-doc <module>
$ ansible-navigator doc <module> -m stdout

# Run a playbook (-m stdout: plain output instead of the interactive TUI)
$ ansible-navigator run <yml> -m stdout
  • 文件结构:
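# Play skeleton. Indentation is significant: every key of the play sits at the
# same level under "- hosts", and list items are indented below their key.
- hosts: a,b,c
  vars:
    key1: value1
    key2: value2
  vars_files:
    - file1
    - file2
  roles:
    - role1
    - role2
  tasks:
    - ...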

2. 常用模块

  • yum_repository
  • yum
  • user
  • group
  • get_url
  • copy
  • file
  • lineinfile
  • template
  • lvol
  • filesystem
  • parted
  • debug
  • cron

3. 常用变量:

  • ansible_nodename
  • ansible_default_ipv4.address
  • ansible_devices.vda.size
  • ansible_memtotal_mb
  • inventory_hostname
  • groups.all
  • hostvars['node1'].ansible_facts.default_ipv4.address

4. 循环

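---
# test1: package list defined in task-level vars and passed to yum as one list,
# so yum resolves and installs everything in a single transaction.
# NOTE: on newer ansible-core / RHEL 9 the native module is ansible.builtin.dnf;
# check `ansible-doc yum` on the exam image.
- name: test1
  hosts: node1
  tasks:
    - ansible.builtin.yum:
        name: "{{ packages }}"
        state: present
      vars:
        packages:
          - php
          - mariadb

---
# test2: play-level vars, one module call per item via loop. Works, but each
# item is a separate yum transaction — prefer passing the whole list as above.
- name: test2
  hosts: node2
  vars:
    packages:
      - php
      - mariadb
  tasks:
    - ansible.builtin.yum:
        name: "{{ item }}"
        state: present
      loop: "{{ packages }}"

---
# test3: the list inlined directly in the module argument (simplest form).
# These are three alternative playbooks; put the one you use in its own file.
- name: test3
  hosts: node3
  tasks:
    - ansible.builtin.yum:
        name:
          - php
          - mariadb
        state: present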

5. 系统角色

# Find and install the Red Hat supported system roles
$ yum search role
$ yum -y install rhel-system-roles
# They only show up here if roles_path in ansible.cfg includes their install
# directory — locate it with the find below
$ ansible-galaxy role list

$ find / -name rhel-system-roles

# Run a playbook with the classic runner (same idea as ansible-navigator run)
$ ansible-playbook <yml>

6. ansible-galaxy

  • 安装 collections
# requirements.yml: one entry per collection. Pin a `version:` on each entry so a
# re-install cannot silently pull different code than what you tested.
$ cat requirements.yml
collections:
- name: ...
- name: ...

# -p installs into ./collections, which must be on collections_path in ansible.cfg
$ ansible-galaxy collection install -r requirements.yml -p collections/

# Verify the collections are visible to navigator
$ ansible-navigator collections
  • 安装 roles
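# requirements.yml for roles: `name` belongs to the same list item as `src`, so
# it must be indented under the "- ". Since src pulls code from a URL/Galaxy,
# pin a `version:` (tag or commit) so the role cannot change underneath you.
$ cat requirements.yml
- src: ...
  name: foo
- src: ...
  name: bar

# -p installs into ./roles, which must be on roles_path in ansible.cfg
$ ansible-galaxy role install -r requirements.yml -p roles/

# Verify the roles are found
$ ansible-galaxy role list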
  • 创建 role
# Scaffold a role skeleton under roles/ (the tree below is for a role named apache).
# defaults/main.yml holds the lowest-precedence, easily overridden variables;
# vars/main.yml holds role-internal variables with higher precedence.
$ ansible-galaxy role init <name> --init-path roles/
$ tree roles
roles/
└── apache
├── defaults
│   └── main.yml
├── files
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── README.md
├── tasks
│   └── main.yml
├── templates
├── tests
│   ├── inventory
│   └── test.yml
└── vars
└── main.yml

7. ansible-vault

# Create an encrypted file, reading the vault password from secret.txt.
# Keep secret.txt mode 0600 and out of version control — anyone who can read it
# can decrypt every file keyed with it.
$ ansible-vault create --vault-password-file=secret.txt <yml>

# Change the VAULT password of an already-encrypted file (prompts for the old
# and new one; this is not a user account password)
$ ansible-vault rekey <yml>