欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

十五次课 2018-08-28

程序员文章站 2022-07-12 13:48:26
...

iptables规则备份和恢复

设定的防火墙规则只是保存在内存中,并没有保存到配置文件中,也就说当系统重启后以前设定的规则就没有了,所以设定好规则后要先保存规则,以免重启后规则丢失。

  • 保存和备份iptables规则
    service iptables save //会把规则保存到/etc/sysconfig/iptables
[[email protected] ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  确定  ]
  • 把iptables规则备份到my.ipt文件中
    iptables-save > my.ipt
[[email protected] ~]# iptables-save > /tmp/my.txt
[[email protected] ~]# cat /tmp/my.txt 
# Generated by iptables-save v1.4.21 on Tue Jun 12 19:16:51 2018
*mangle
:PREROUTING ACCEPT [277:25577]
:INPUT ACCEPT [277:25577]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [239:28886]
:POSTROUTING ACCEPT [248:30809]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Jun 12 19:16:51 2018
# Generated by iptables-save v1.4.21 on Tue Jun 12 19:16:51 2018
*nat
:PREROUTING ACCEPT [31:3306]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [98:7544]
:POSTROUTING ACCEPT [98:7544]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Jun 12 19:16:51 2018
# Generated by iptables-save v1.4.21 on Tue Jun 12 19:16:51 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [239:28886]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Tue Jun 12 19:16:51 2018

-恢复刚才备份的规则
iptables-restore < my.ipt

[[email protected] ~]# iptables-restore < /tmp/my.txt

当系统开机或者重启时,就想要加载一些规则,那么最好把规则放到/etc/sysconfig/iptables里,放到这里可以先保存。

//通过iptables-restore规则集到数据包过滤表中

[[email protected] ~]# iptables-restore iptables-script 
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 2 packets, 986 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   21  1412 ACCEPT     tcp  --  *      *       192.168.1.9          0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 12 packets, 1152 bytes)
 pkts bytes target     prot opt in     out     source               destination         

firewalld的9个zone

centos7以及以后的版本使用的防火墙为firewalld

  • 打开firewalld
//取消iptables的开机启动
[[email protected] ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
//停止iptables防火墙
[[email protected] ~]# systemctl stop iptables
//验证iptables的状态已关闭
[[email protected] ~]# systemctl status iptables.service 
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead) since Thu 2018-06-14 22:29:10 CST; 41s ago
 Main PID: 731 (code=exited, status=0/SUCCESS)

Jun 13 19:50:33 lanquark.com systemd[1]: Starting IPv4 firewall with iptables...
Jun 13 19:50:33 lanquark.com iptables.init[731]: iptables: Applying firewall rules: [  OK  ]
Jun 13 19:50:33 lanquark.com systemd[1]: Started IPv4 firewall with iptables.
Jun 14 22:29:09 lanquark.com systemd[1]: Stopping IPv4 firewall with iptables...
Jun 14 22:29:09 lanquark.com iptables.init[3516]: iptables: Setting chains to policy ACCEPT: nat filter [  OK  ]
Jun 14 22:29:09 lanquark.com iptables.init[3516]: iptables: Flushing firewall rules: [  OK  ]
Jun 14 22:29:10 lanquark.com iptables.init[3516]: iptables: Unloading modules: [  OK  ]
Jun 14 22:29:10 lanquark.com systemd[1]: Stopped IPv4 firewall with iptables.
//将firewalld设为开机启动
[[email protected] ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
//启动firewalld
[[email protected] ~]# systemctl start firewalld
//验证firewalld状态
[[email protected] ~]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-06-14 22:30:19 CST; 3min 6s ago
     Docs: man:firewalld(1)
 Main PID: 3726 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─3726 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jun 14 22:30:18 lanquark.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 14 22:30:19 lanquark.com systemd[1]: Started firewalld - dynamic firewall daemon.
Jun 14 22:30:19 lanquark.com firewalld[3726]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Jun 14 22:30:19 lanquark.com firewalld[3726]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignorin...-time.
Jun 14 22:30:19 lanquark.com firewalld[3726]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Jun 14 22:30:19 lanquark.com firewalld[3726]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignori...-time.
Jun 14 22:30:19 lanquark.com firewalld[3726]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Jun 14 22:30:19 lanquark.com firewalld[3726]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignorin...-time.
Hint: Some lines were ellipsized, use -l to show in full.

使用iptables -nvL发现规则变多了,这些就是firewalld自带的规则。

  • firewalld默认有9个zone
    zone是firewalld的一个单位

默认zone为public,每个zone好比一个规则集,自带一些规则。

  • 查看所有zone
    firewall-cmd --get-zones
[[email protected] ~]#  firewall-cmd --get-zones 
block dmz drop external home internal public trusted work
  • 查看默认zone
    firewall-cmd --get-default-zone
[[email protected] ~]# firewall-cmd --get-default-zone
public
  • 9个zone区别
drop(丢弃):任何接受的网络数据包都被丢弃,没有任何恢复,仅能有发送出去的网络连接(数据包不能进来,但是可以出去)
block(限制):任何接受的网络连接都被IPv4的icmp-host-prohibited信息和IPv6的icmp6-adm-prohibited信息所拒绝。(和drop相比,比较宽松一些,主要是为了针对icmp)
piblic(公共):在公共区域内使用,不能相信网络内其他计算机不会对你造成危害,只能接受经过选取的连接。
external(外部):特别是为路由器启用了伪装功能的外部网,你不能信任来自网络的其他计算,不能相信他们不会对你造成伤害,只能接受经过选择的连接。
dmz(非军事区):用于你的非军事区内的电脑,此区域可公开访问,可以有限的进入你的内部网络,仅仅接受经过选择的连接。
work(工作):用于工作区,你可以基本信任网络内的其他电脑不会对你造成危害,仅仅接收经过选择的连接。
home(家庭):用于内部网络,你可以基本上信任网络内其他电脑不会对你造成危害,仅仅接收经过选择的连接。
internal(内部):用于内部网络,你可以基本上信任网络内其他电脑不会对你造成危害,仅仅接收经过选择的连接。
trusted(信任):可接受所有的网络连接。

firewalld关于zone的操作

  • 设定默认zone
    firewall-cmd --set-default-zone=work
[[email protected] ~]# firewall-cmd --set-default-zone=work
success
[[email protected] ~]# firewall-cmd --get-default-zone 
work
  • 查指定网卡
    firewall-cmd --get-zone-of-interface=ens33
[[email protected] ~]#  firewall-cmd --get-zone-of-interface=ens33 
work
[[email protected] ~]#  firewall-cmd --get-zone-of-interface=ens33:0
no zone
[[email protected] ~]#  firewall-cmd --get-zone-of-interface=lo
no zone
  • 给指定网卡设置zone
    firewall-cmd --zone=public --add-interface=lo
[[email protected] network-scripts]# firewall-cmd --zone=public --add-interface=ens33:0
success
[[email protected] network-scripts]#  firewall-cmd --get-zone-of-interface=ens33:0
public
  • 针对网卡更改zone
    firewall-cmd --zone=dmz --change-interface=lo
[[email protected] network-scripts]# firewall-cmd --zone=dmz --change-interface=ens33:0
success
[[email protected] network-scripts]#  firewall-cmd --get-zone-of-interface=ens33:0
dmz
  • 针对网卡删除zone
    firewall-cmd --zone=dmz --remove-interface=lo
[[email protected] network-scripts]#  firewall-cmd --zone=dmz  --remove-interface=ens33:0
success
[[email protected] network-scripts]#  firewall-cmd --get-zone-of-interface=ens33:0
no zone
  • 查看系统所有网卡所在的zone
    firewall-cmd --get-active-zones
[[email protected] network-scripts]# firewall-cmd --get-active-zones  
work
  interfaces: ens33
public
  interfaces: lo

firewalld关于service的操作

service:zone下面的一个子单元,可以理解成里面的一个端口

  • 查看所有的servies
    firewall-cmd --get-service(s)
[[email protected] ~]# firewall-cmd --get-service 
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin 
bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine 
condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-
lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-
trust ftp ganglia-client ganglia-master high-availability http https imap 
imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd
 kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt
 mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-
vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy
 proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd
 samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap
 spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-
client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-
bosh xmpp-client xmpp-local xmpp-server

services也可以写成service

  • 查看当前zone下有哪些service
    firewall-cmd --list-services
[[email protected] ~]# firewall-cmd --get-default-zone 
work
[[email protected] ~]# firewall-cmd --list-services  
ssh dhcpv6-client
[[email protected] ~]# firewall-cmd --list-service
ssh dhcpv6-client
  • 查看指定zone下有哪些service
    firewall-cmd --zone=public --list-service
[[email protected] ~]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client
[[email protected] ~]# firewall-cmd --zone=block --list-service

空
  • 把http增加到public zone下面
    firewall-cmd --zone=public --add-service=http
[[email protected] ~]# firewall-cmd --zone=public --add-service=http
success
[[email protected] ~]# firewall-cmd --zone=public --list-services 
ssh dhcpv6-client http

  • 更改配置文件
    firewall-cmd --zone=public --add-service=http --permanent
    之后会在/etc/firewalld/zones目录下面生成配置文件
[[email protected] ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[[email protected] ~]# ls /etc/firewalld/zones
public.xml  public.xml.old
[[email protected] ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
</zone>

如果这时候在增加一个ftp,他是不会再配置文件里的,因为没有用 --permanent,使用permanent永久保存之后,在新增一个,会生成一个old文件将旧的保存下来。

  • zone的配置文件模板
    ls /usr/lib/firewalld/zones/

/etc/firewalld/zones里面的文件都是有模板的,这些模板在/usr/lib/firewalld/zones/里
/etc/firewalld/services里面也有模板,在/usr/lib/firewalld/services/下

[[email protected] ~]# ls /usr/lib/firewalld/zones/
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml
[[email protected] ~]# ls /usr/lib/firewalld/services/
amanda-client.xml        freeipa-replication.xml  libvirt-tls.xml           postgresql.xml       spideroak-lansync.xml
amanda-k5-client.xml     freeipa-trust.xml        libvirt.xml               privoxy.xml          squid.xml
bacula-client.xml        ftp.xml                  managesieve.xml           proxy-dhcp.xml       ssh.xml
bacula.xml               ganglia-client.xml       mdns.xml                  ptp.xml              synergy.xml
bitcoin-rpc.xml          ganglia-master.xml       mosh.xml                  pulseaudio.xml       syslog-tls.xml
bitcoin-testnet-rpc.xml  high-availability.xml    mountd.xml                puppetmaster.xml     syslog.xml
bitcoin-testnet.xml      https.xml                mssql.xml                 quassel.xml          telnet.xml
bitcoin.xml              http.xml                 ms-wbt.xml                radius.xml           tftp-client.xml
ceph-mon.xml             imaps.xml                mysql.xml                 RH-Satellite-6.xml   tftp.xml
ceph.xml                 imap.xml                 nfs.xml                   rpc-bind.xml         tinc.xml
cfengine.xml             ipp-client.xml           nrpe.xml                  rsh.xml              tor-socks.xml
condor-collector.xml     ipp.xml                  ntp.xml                   rsyncd.xml           transmission-client.xml
ctdb.xml                 ipsec.xml                openvpn.xml               samba-client.xml     vdsm.xml
dhcpv6-client.xml        iscsi-target.xml         ovirt-imageio.xml         samba.xml            vnc-server.xml
dhcpv6.xml               kadmin.xml               ovirt-storageconsole.xml  sane.xml             wbem-https.xml
dhcp.xml                 kerberos.xml             ovirt-vmconsole.xml       sips.xml             xmpp-bosh.xml
dns.xml                  kibana.xml               pmcd.xml                  sip.xml              xmpp-client.xml
docker-registry.xml      klogin.xml               pmproxy.xml               smtp-submission.xml  xmpp-local.xml
dropbox-lansync.xml      kpasswd.xml              pmwebapis.xml             smtps.xml            xmpp-server.xml
elasticsearch.xml        kshell.xml               pmwebapi.xml              smtp.xml
freeipa-ldaps.xml        ldaps.xml                pop3s.xml                 snmptrap.xml
freeipa-ldap.xml         ldap.xml                 pop3.xml                  snmp.xml

需求
ftp服务自定义端口1121,需要在work zone下面放行ftp

1.首先需要将/usr/lib/firewalld/services/ftp.xml拷贝到/etc/firewalld/services去

[[email protected] ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

2.然后编辑/etc/firewalld/services/ftp.xml,将端口更改为1121

[[email protected] ~]# vi /etc/firewalld/services/ftp.xml 

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
-- INSERT --

3.将/usr/lib/firewalld/zones/work.xml复制到/etc/firewalld/zones下

[[email protected] ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

4.编辑/etc/firewalld/zones/work.xml,将ftp添加到work中去

[[email protected] ~]# vim /etc/firewalld/zones/work.xml 

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
~                                                                                                                        
~                                                                                                                        
~                                                                                                                        
                                                                                                                     
-- 插入 --                                                                                             8,8          全部

5.重新加载 firewall-cmd --reload

[[email protected] ~]# firewall-cmd --reload 
success

6.查看work下的service

[[email protected] ~]#  firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp

linux任务计划cron

  • 查看配置文件
[[email protected] ~]# cat /etc/crontab 
SHELL=/bin/bash  --shell
PATH=/sbin:/bin:/usr/sbin:/usr/bin  --环境变量,命令路径
MAILTO=root  --发送邮件给谁

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

5个*位分别表示分 时 日 月 周 ,后面表示用户(user-name)和要执行的命令(command to be executed)

  • 写一个任务计划
    crontab -e

用法和vim类似,使用i编辑文件

0 22 * * * /usr/bin/top >>/tmp/123.log 2>>/tmp/123.log
在每天22点执行top命令并将正确信息和错误信息输出到/tmp/123.log里,*表示全部,每周每月每天。

可用格式1-5表示一个范围1到5
可用格式1,2,3表示1或者2或者3
可用格式*/2表示被2整除的数字,比如小时,那就是每隔2小时

0 22 1-10 */2 2,5 /bin/bash /usr/local/sbin/123.sh >>/tmp/123.log 2>>/tmp/123.log
每隔两个月的1-10号,周二或者周五,22点执行一个脚本并将结果输出到tmp/123.log里

**要确定某一天的唯一性,比如明年,可以用星期指定,因为明年的星期和今年是不一样的,这样就可以确定时间的唯一性 **

  • 要保证服务是启动状态
    systemctl start crond.service
[[email protected] ~]# systemctl start crond.service
[[email protected] ~]# ps aux |grep cron
root       939  0.0  0.1 126280  1620 ?        Ss   18:27   0:00 /usr/sbin/crond -n
root      4451  0.0  0.0 112720   984 pts/0    S+   21:24   0:00 grep --color=auto cron

使用ps aux |grep cron查看是否启动成功,第一条显示说明已经启动成功了。

也可以使用systemctl status crond查看,如果是绿色,表示启动成功,如果停止是没有颜色的。

[[email protected] ~]# systemctl status crond
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since 二 2018-06-12 18:27:56 CST; 2h 58min ago
 Main PID: 939 (crond)
   CGroup: /system.slice/crond.service
           └─939 /usr/sbin/crond -n

6月 12 18:27:56 linux7-128 systemd[1]: Started Command Scheduler.
6月 12 18:27:56 linux7-128 systemd[1]: Starting Command Scheduler...
6月 12 18:27:56 linux7-128 crond[939]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 38% if used.)
6月 12 18:27:56 linux7-128 crond[939]: (CRON) INFO (running with inotify support)

  • 由于没有使用绝对路径而导致的计划没有执行

有时候,一些设置的计划并没有执行,可能就是因为脚本里的命令没有使用绝对路径,要想计划生效,需要将脚本里的命令使用绝对路径,或者在crond的配置文件里环境变量定义所使用的命令路径,才会生效。建议每个计划都要写上追加日志,这样方便我们排查问题。

  • 查看设置的计划
    crontab -l
[[email protected] ~]# crontab -l
0 22 12 6 * /usr/bin/top >/tmp/1.log 2> /tmp/1/log

文件位于:/var/spool/cron/username

[[email protected] ~]# cat /var/spool/cron/root
0 22 12 6 * /usr/bin/top >/tmp/1.log 2> /tmp/1/log
  • 备份计划

拷贝/var/spool/cron/username文件即可

  • 删除计划
    crontab -r
[[email protected] ~]# crontab -r
[[email protected] ~]# crontab -l
no crontab for root
  • 指定用户
    crontab -u
[[email protected] ~]# crontab -u root -l
no crontab for root

chkconfig工具

系统服务管理

centos6以前使用chkconfig,centos7以后不用了,但是依旧兼容。

  • 查看系统使用chkconfig工具的服务有哪些
    chkconfig --list
[[email protected] ~]# chkconfig --list

注:该输出结果只显示 SysV 服务,并不包含
原生 systemd 服务。SysV 配置数据
可能被原生 systemd 配置覆盖。 

      要列出 systemd 服务,请执行 'systemctl list-unit-files'。
      查看在具体 target 启用的服务请执行
      'systemctl list-dependencies [target]'。

netconsole     	0:关	1:关	2:关	3:关	4:关	5:关	6:关
network        	0:关	1:关	2:开	3:开	4:开	5:开	6:关

centos6及以前使用的sysV服务,centos7级以后使用的是systemd服务

服务存放路径:/etc/init.d/

[[email protected] ~]# ls /etc/init.d/
functions  netconsole  network  README
  • 对服务进行开关
    chkconfig network off
    chkconfig network on
[[email protected] ~]# chkconfig network off
[[email protected] ~]# chkconfig --list

netconsole     	0:关	1:关	2:关	3:关	4:关	5:关	6:关
network        	0:关	1:关	2:关	3:关	4:关	5:关	6:关
[[email protected] ~]# chkconfig network on
[[email protected] ~]# chkconfig --list

netconsole     	0:关	1:关	2:关	3:关	4:关	5:关	6:关
network        	0:关	1:关	2:开	3:开	4:开	5:开	6:关

在6及6之前,系统运行级别有7个。
0 关机
1 单用户
2 多用户模式,不带图形,没有nfs服务(网络文件系统)
3 多用户模式,不带图形
4 保留级别
5 多用户模式,带图形
6 重启

在6及之前,可以定义/etc/inittab定义系统级别 ,7系统已经不在使用。

  • 指定某一个级别关闭
    chkconfig --level 3 network off
[[email protected] ~]# chkconfig --level 3 network off 
[[email protected] ~]# chkconfig --list


netconsole     	0:关	1:关	2:关	3:关	4:关	5:关	6:关
network        	0:关	1:关	2:开	3:关	4:开	5:开	6:关

多个级别不需要加逗号,使用chkconfig --level 345 network off

  • 把一个脚本加入到服务列表里

1.自定义一个脚本

[[email protected] ~]# cd /etc/init.d/
[[email protected] init.d]# ls
functions  netconsole  network  README
[[email protected] init.d]# cp network 123
[[email protected] init.d]# ls
123  functions  netconsole  network  README

2.把123加入到服务列表

[[email protected] init.d]# chkconfig --add 123
[[email protected] init.d]# chkconfig --list

注:该输出结果只显示 SysV 服务,并不包含
原生 systemd 服务。SysV 配置数据
可能被原生 systemd 配置覆盖。 

      要列出 systemd 服务,请执行 'systemctl list-unit-files'。
      查看在具体 target 启用的服务请执行
      'systemctl list-dependencies [target]'。

123            	0:关	1:关	2:开	3:开	4:开	5:开	6:关
netconsole     	0:关	1:关	2:关	3:关	4:关	5:关	6:关
network        	0:关	1:关	2:开	3:关	4:开	5:开	6:关

名称无所谓,但是文件内容有要求,首先是一个shell脚本,而且必须在/etc/init.d/目录下

[[email protected] init.d]# vim 123

#! /bin/bash
#
# network       Bring up/down networking
#
(# chkconfig: 2345 10 90
# description: Activates/Deactivates all network interfaces configured to \
#              start at boot time.
#)
### BEGIN INIT INFO
# Provides: $network
# Should-Start: iptables ip6tables NetworkManager-wait-online NetworkManager $network-pre
# Short-Description: Bring up/down networking
# Description: Bring up/down networking
### END INIT INFO

# Source function library.
. /etc/init.d/functions

if [ ! -f /etc/sysconfig/network ]; then
    exit 6
"123" 250L, 7293C                          

括号括起来的部分必须有才可以识别出来,10表示第10位启动,90表示第90位关闭。

  • 删除一个服务
    chkconfig --del 123
[[email protected] init.d]# chkconfig --del 123
[[email protected] init.d]# chkconfig --list

注:该输出结果只显示 SysV 服务,并不包含
原生 systemd 服务。SysV 配置数据
可能被原生 systemd 配置覆盖。 

      要列出 systemd 服务,请执行 'systemctl list-unit-files'。
      查看在具体 target 启用的服务请执行
      'systemctl list-dependencies [target]'。

netconsole     	0:关	1:关	2:关	3:关	4:关	5:关	6:关
network        	0:关	1:关	2:开	3:关	4:开	5:开	6:关

systemd管理服务

  • 查看系统服务
    systemctl list-unit-files
[[email protected] ~]# systemctl list-unit-files
UNIT FILE                                     STATE   
proc-sys-fs-binfmt_misc.automount             static  
dev-hugepages.mount                           static  
dev-mqueue.mount                              static  
proc-fs-nfsd.mount                            static  
proc-sys-fs-binfmt_misc.mount                 static  
sys-fs-fuse-connections.mount                 static  
sys-kernel-config.mount                       static  
sys-kernel-debug.mount                        static  
tmp.mount                                     disabled
var-lib-nfs-rpc_pipefs.mount                  static  
brandbot.path                                 disabled
cups.path                                     enabled 
systemd-ask-password-console.path             static  
systemd-ask-password-plymouth.path            static  
systemd-ask-password-wall.path                static  
session-6.scope                               static  
abrt-ccpp.service                             enabled 
abrt-oops.service                             enabled 
abrt-pstoreoops.service                       disabled
lines 1-20

显示前20行,按q退出

  • 只显示类型为service的服务
    systemctl list-units --all --type=service
[[email protected] ~]# systemctl list-units --all --type=service
  UNIT                                            LOAD      ACTIVE   SUB     DESCRIPTION
  abrt-ccpp.service                               loaded    active   exited  Install ABRT coredump hook
  abrt-oops.service                               loaded    active   running ABRT kernel log watcher
  abrt-vmcore.service                             loaded    inactive dead    Harvest vmcores for ABRT
  abrt-xorg.service                               loaded    active   running ABRT Xorg log watcher
  abrtd.service                                   loaded    active   running ABRT Automated Bug Reporting Tool
  accounts-daemon.service                         loaded    inactive dead    Accounts Service
  alsa-restore.service                            loaded    inactive dead    Save/Restore Sound Card State
  alsa-state.service                              loaded    active   running Manage Sound Card State (restore and store)
● apparmor.service                                not-found inactive dead    apparmor.service
  atd.service                                     loaded    active   running Job spooling tools
  auditd.service                                  loaded    active   running Security Auditing Service
  auth-rpcgss-module.service                      loaded    inactive dead    Kernel Module supporting RPCSEC_GSS
  avahi-daemon.service                            loaded    active   running Avahi mDNS/DNS-SD Stack
  blk-availability.service                        loaded    active   exited  Availability of block devices
  brandbot.service                                loaded    inactive dead    Flexible Branding Service
  chronyd.service                                 loaded    active   running NTP client/server
  cpupower.service                                loaded    inactive dead    Configure CPU power related settings
  crond.service                                   loaded    active   running Command Scheduler
  cups.service                                    loaded    active   running CUPS Printing Service
lines 1-20
按空格继续往下翻
LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

143 loaded units listed.
To show all installed unit files use 'systemctl list-unit-files'.

这样显示比较清晰一点,还会显示描述信息

如果不加all就会只显示active ,不会显示 inactive

[[email protected] ~]# systemctl list-units  --type=service
  UNIT                               LOAD   ACTIVE SUB     DESCRIPTION
  abrt-ccpp.service                  loaded active exited  Install ABRT coredump hook
  abrt-oops.service                  loaded active running ABRT kernel log watcher
  abrt-xorg.service                  loaded active running ABRT Xorg log watcher
  abrtd.service                      loaded active running ABRT Automated Bug Reporting Tool
  alsa-state.service                 loaded active running Manage Sound Card State (restore and store)
  atd.service                        loaded active running Job spooling tools
  auditd.service                     loaded active running Security Auditing Service
  avahi-daemon.service               loaded active running Avahi mDNS/DNS-SD Stack
  blk-availability.service           loaded active exited  Availability of block devices
  chronyd.service                    loaded active running NTP client/server
  crond.service                      loaded active running Command Scheduler
  cups.service                       loaded active running CUPS Printing Service
  dbus.service                       loaded active running D-Bus System Message Bus
  firewalld.service                  loaded active running firewalld - dynamic firewall daemon
  [email protected]                 loaded active running Getty on tty1
  gssproxy.service                   loaded active running GSSAPI Proxy Daemon
  irqbalance.service                 loaded active running irqbalance daemon
  iscsi-shutdown.service             loaded active exited  Logout off all iSCSI sessions on shutdown
● kdump.service                      loaded failed failed  Crash recovery kernel arming
lines 1-20
  • 让服务开机启动
    systemctl enable crond.service
[[email protected] ~]# systemctl enable crond.service 
[[email protected] ~]# systemctl enable crond

可以不加.service

  • 不让开机启动
    systemctl disable crond
[[email protected] ~]# systemctl disable crond 
Removed symlink /etc/systemd/system/multi-user.target.wants/crond.service.
  • 查看状态
    systemctl status crond
[[email protected] ~]# systemctl status crond
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since 二 2018-06-12 18:27:56 CST; 4h 20min ago
 Main PID: 939 (crond)
   CGroup: /system.slice/crond.service
           └─939 /usr/sbin/crond -n

6月 12 18:27:56 linux7-128 systemd[1]: Started Command Scheduler.
6月 12 18:27:56 linux7-128 systemd[1]: Starting Command Scheduler...
6月 12 18:27:56 linux7-128 crond[939]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 38% if used.)
6月 12 18:27:56 linux7-128 crond[939]: (CRON) INFO (running with inotify support)

  • 停止服务
    systemctl stop crond

  • 启动服务
    systemctl start crond

  • 重启服务
    systemctl restart crond

  • 检查服务是否开机启动
    systemctl is-enabled crond

[[email protected] ~]# systemctl is-enabled crond 
enabled
  • 根据输出信息获得service的配置文件内容
[[email protected] ~]# systemctl enable crond
Created symlink from /etc/systemd/system/multi-user.target.wants/crond.service to /usr/lib/systemd/system/crond.service.
[[email protected] ~]# cat /etc/systemd/system/multi-user.target.wants/crond.service
[Unit]
Description=Command Scheduler
After=auditd.service systemd-user-sessions.service time-sync.target

[Service]
EnvironmentFile=/etc/sysconfig/crond
ExecStart=/usr/sbin/crond -n $CRONDARGS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process

[Install]
WantedBy=multi-user.target

[[email protected] ~]# ls -l /etc/systemd/system/multi-user.target.wants/crond.service
lrwxrwxrwx 1 root root 37 6月  12 23:01 /etc/systemd/system/multi-user.target.wants/crond.service -> /usr/lib/systemd/system/crond.service

可以看到这是一个软链接,真正的文件路径是在/usr/lib/systemd/system/crond.service

[[email protected] ~]# ls -l /usr/lib/systemd/system/crond.service
-rw-r--r--. 1 root root 284 8月   3 2017 /usr/lib/systemd/system/crond.service

如果enable开机启动就会生成一个软链接,如果disable不让开机启动,就会把软链接挪走

[[email protected] ~]# systemctl disable crond 
Removed symlink /etc/systemd/system/multi-user.target.wants/crond.service.
[[email protected] ~]# ls -l /etc/systemd/system/multi-user.target.wants/crond.service
ls: 无法访问/etc/systemd/system/multi-user.target.wants/crond.service: 没有那个文件或目录

unit介绍

  • 系统的unti所在目录
    /usr/lib/systemd/system
[[email protected] ~]#  ls /usr/lib/systemd/system 
abrt-ccpp.service                        plymouth-kexec.service
abrtd.service                            plymouth-poweroff.service
abrt-oops.service                        plymouth-quit.service
abrt-pstoreoops.service                  plymouth-quit-wait.service
abrt-vmcore.service                      plymouth-read-write.service
abrt-xorg.service                        plymouth-reboot.service
accounts-daemon.service                  plymouth-start.service
alsa-restore.service                     plymouth-switch-root.service
alsa-state.service                       polkit.service
alsa-store.service                       postfix.service
anaconda-direct.service                  poweroff.target
anaconda-nm-config.service               poweroff.target.wants
anaconda-noshell.service                 printer.target
anaconda-pre.service                     proc-fs-nfsd.mount
anaconda.service                         proc-sys-fs-binfmt_misc.automount
[email protected]                  proc-sys-fs-binfmt_misc.mount
anaconda-sshd.service                    psacct.service
...............

这些文件都叫unit

  • unit类型
 service 系统服务 
 target 多个unit组成的组
 device 硬件设备
 mount 文件系统挂载点
 automount 自动挂载点
 path 文件或路径
 scope 不是由systemd启动的外部进程
 slice 进程组
 snapshot systemd快照
 socket 进程间通信套接字
 swap  swap文件
 timer 定时器

centos7也有类似和centos6相比较的系统级别

[[email protected] ~]# cd !$
cd /usr/lib/systemd/system
[[email protected] system]# ls -l runlevel*
lrwxrwxrwx. 1 root root 15 4月  27 20:58 runlevel0.target -> poweroff.target
lrwxrwxrwx. 1 root root 13 4月  27 20:58 runlevel1.target -> rescue.target
lrwxrwxrwx. 1 root root 17 4月  27 20:58 runlevel2.target -> multi-user.target
lrwxrwxrwx. 1 root root 17 4月  27 20:58 runlevel3.target -> multi-user.target
lrwxrwxrwx. 1 root root 17 4月  27 20:58 runlevel4.target -> multi-user.target
lrwxrwxrwx. 1 root root 16 4月  27 20:58 runlevel5.target -> graphical.target
lrwxrwxrwx. 1 root root 13 4月  27 20:58 runlevel6.target -> reboot.target

runlevel1.target.wants:
总用量 0
lrwxrwxrwx. 1 root root 39 4月  27 20:58 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

runlevel2.target.wants:
总用量 0
lrwxrwxrwx. 1 root root 39 4月  27 20:58 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

runlevel3.target.wants:
总用量 0
lrwxrwxrwx. 1 root root 39 4月  27 20:58 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

runlevel4.target.wants:
总用量 0
lrwxrwxrwx. 1 root root 39 4月  27 20:58 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

runlevel5.target.wants:
总用量 0
lrwxrwxrwx. 1 root root 39 4月  27 20:58 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

同样也有7个级别的target,每个target对应软链接,源指的是后面的target

unit相关命令

  • 列出正在运行的unit
    systemctl list-units
[[email protected] system]# systemctl list-units 
  UNIT                                            LOAD   ACTIVE SUB       DESCRIPTION
  proc-sys-fs-binfmt_misc.automount               loaded active waiting   Arbitrary Executable File Formats File System A
  sys-devices-pci0000:00-0000:00:07.1-ata2-host1-target1:0:0-1:0:0:0-block-sr0.device loaded active plugged   VMware_Virt
  sys-devices-pci0000:00-0000:00:10.0-host2-target2:0:0-2:0:0:0-block-sda-sda1.device loaded active plugged   VMware_Virt
  sys-devices-pci0000:00-0000:00:10.0-host2-target2:0:0-2:0:0:0-block-sda-sda2.device loaded active plugged   VMware_Virt
  sys-devices-pci0000:00-0000:00:10.0-host2-target2:0:0-2:0:0:0-block-sda-sda3.device loaded active plugged   VMware_Virt
  sys-devices-pci0000:00-0000:00:10.0-host2-target2:0:0-2:0:0:0-block-sda.device loaded active plugged   VMware_Virtual_S
  sys-devices-pci0000:00-0000:00:10.0-host2-target2:0:1-2:0:1:0-block-sdb-sdb1.device loaded active plugged   LVM PV Dd1J
  sys-devices-pci0000:00-0000:00:10.0-host2-target2:0:1-2:0:1:0-block-sdb-sdb2.device loaded active plugged   LVM PV x2pF
  sys-devices-pci0000:00-0000:00:10.0-host2-target2:0:1-2:0:1:0-block-sdb-sdb3.device loaded active plugged   LVM PV pmaL
  sys-devices-pci0000:00-0000:00:10.0-host2-target2:0:1-2:0:1:0-block-sdb.device loaded active plugged   VMware_Virtual_S
  sys-devices-pci0000:00-0000:00:11.0-0000:02:01.0-net-ens33.device loaded active plugged   82545EM Gigabit Ethernet Cont
  sys-devices-pci0000:00-0000:00:11.0-0000:02:02.0-sound-card0.device loaded active plugged   ES1371/ES1373 / Creative La
......................
......................

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

143 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
lines 132-151/151 (END)
  • 如果要列出全部的unit,包括失败的或者inactive的,加–all
    systemctl list-units --all

  • 列出inactive的unit
    systemctl list-units --all --state=inactive

[[email protected] system]# systemctl list-units --all --state=inactive 
  UNIT                                             LOAD      ACTIVE   SUB  DESCRIPTION
  proc-sys-fs-binfmt_misc.mount                    loaded    inactive dead Arbitrary Executable File Formats File System
  sys-fs-fuse-connections.mount                    loaded    inactive dead FUSE Control File System
  tmp.mount                                        loaded    inactive dead Temporary Directory
  systemd-ask-password-console.path                loaded    inactive dead Dispatch Password Requests to Console Director
  abrt-vmcore.service                              loaded    inactive dead Harvest vmcores for ABRT
  accounts-daemon.service                          loaded    inactive dead Accounts Service
  alsa-restore.service                             loaded    inactive dead Save/Restore Sound Card State
● apparmor.service                                 not-found inactive dead apparmor.service
  auth-rpcgss-module.service                       loaded    inactive dead Kernel Module supporting RPCSEC_GSS
  brandbot.service                                 loaded    inactive dead Flexible Branding Service
  cpupower.service                                 loaded    inactive dead Configure CPU power related settings
  dm-event.service                                 loaded    inactive dead Device-mapper event daemon

................
................
  • 列出状态为active的service
    systemctl list-units --type=service
[[email protected] system]#  systemctl list-units --type=service
  UNIT                               LOAD   ACTIVE SUB     DESCRIPTION
  abrt-ccpp.service                  loaded active exited  Install ABRT coredump hook
  abrt-oops.service                  loaded active running ABRT kernel log watcher
  abrt-xorg.service                  loaded active running ABRT Xorg log watcher
  abrtd.service                      loaded active running ABRT Automated Bug Reporting Tool
  alsa-state.service                 loaded active running Manage Sound Card State (restore and store)
  atd.service                        loaded active running Job spooling tools
  auditd.service                     loaded active running Security Auditing Service
  avahi-daemon.service               loaded active running Avahi mDNS/DNS-SD Stack
  blk-availability.service           loaded active exited  Availability of block devices
  chronyd.service                    loaded active running NTP client/server
  crond.service                      loaded active running Command Scheduler
  cups.service                       loaded active running CUPS Printing Service
  dbus.service                       loaded active running D-Bus System Message Bus
  firewalld.service                  loaded active running firewalld - dynamic firewall daemon
  [email protected]                 loaded active running Getty on tty1
  gssproxy.service                   loaded active running GSSAPI Proxy Daemon
  irqbalance.service                 loaded active running irqbalance daemon

...............
..............

不加–all会列出状态为active的service

  • 查看某个服务是否为active
    systemctl is-active crond.service
    也可以查看某个服务是否为enable
    systemctl is-enabled crond.service
[[email protected] system]#  systemctl is-active crond.service 
active
[[email protected] system]#  systemctl is-enabled crond.service 
enabled

target介绍

系统为了方便管理用target来管理unit

  • 列出系统里所有的target
    systemctl list-unit-files --type=target
[[email protected] ~]#  systemctl list-unit-files --type=target
UNIT FILE                  STATE   
anaconda.target            static  
basic.target               static  
bluetooth.target           static  
cryptsetup-pre.target      static  
cryptsetup.target          static  
ctrl-alt-del.target        disabled
default.target             enabled 
emergency.target           static  
final.target               static  
getty.target               static  
graphical.target           static  
halt.target                disabled
hibernate.target           static  
hybrid-sleep.target        static  
initrd-fs.target           static  
initrd-root-fs.target      static  
initrd-switch-root.target  static  
initrd.target              static  
.................
  • 查看指定target下面有哪些unit
    systemctl list-dependencies multi-user.target
[[email protected] ~]# systemctl list-dependencies multi-user.target 
multi-user.target
● ├─abrt-ccpp.service
● ├─abrt-oops.service
● ├─abrt-vmcore.service
● ├─abrt-xorg.service
● ├─abrtd.service
● ├─atd.service
● ├─auditd.service
● ├─avahi-daemon.service
● ├─brandbot.path
● ├─chronyd.service
● ├─crond.service
● ├─cups.path
● ├─cups.service
● ├─dbus.service
● ├─firewalld.service
● ├─irqbalance.service
● ├─kdump.service
● ├─ksm.service
● ├─ksmtuned.service
.............
  • 查看系统默认的target
    systemctl get-default
[[email protected] ~]# systemctl get-default 
multi-user.target

centos7可以更改系统默认的target来达到类似centos6更改系统运行级别的效果

  • 设置默认的target
    systemctl set-default multi-user.target
[[email protected] ~]# systemctl set-default multi-user.target
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
[[email protected] ~]# ls -l /etc/systemd/system/default.target
lrwxrwxrwx 1 root root 41 6月  13 13:39 /etc/systemd/system/default.target -> /usr/lib/systemd/system/multi-user.target

设置的时候会创建一个软链接

  • 一个service属于一种类型的unit
    多个unit组成了一个target
    一个target里面包含了多个service

cat /usr/lib/systemd/system/sshd.service //看[install]部分

[[email protected] ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-******.service
Wants=sshd-******.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

**
总结:
系统由多种unit组成,为了方便管理归类成若干个类,每一类叫target。也就是说target由多个unit组成,service属于一种类型的unit,一个target里面有若干个service。**

拓展

一个iptables系列文章的博客 https://www.zsythink.net/archives/tag/iptables/page/2/
anacron https://www.jianshu.com/p/3009a9b7d024?from=timeline
systemd自定义启动脚本 http://www.jb51.net/article/100457.htm