Changes

From SME Server
Jump to navigationJump to search

Useful Commands (view source)

Revision as of 17:10, 5 August 2021

170 bytes removed ,  17:10, 5 August 2021
→‎PHP settings only for SME9
Line 11: Line 11:  
===set ACL===
 
===set ACL===
 
  setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /path/2/files/or/folders
 
  setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /path/2/files/or/folders
 +
 +
-R : recursive<br />
 +
 +
-P : physical, follow symlinks
    
==Apache Related Commands==
 
==Apache Related Commands==
Line 27: Line 31:  
or  
 
or  
 
  sv t /service/httpd-e-smith
 
  sv t /service/httpd-e-smith
 +
 +
=====SME10=====
 +
How do I start, restart, stop, reload and check the status of a service (httpd-e-smith.service) with systemd.
 +
 +
# systemctl start httpd-e-smith.service
 +
# systemctl restart httpd-e-smith.service
 +
# systemctl stop httpd-e-smith.service
 +
# systemctl reload httpd-e-smith.service
 +
# systemctl status httpd-e-smith.service
    
====Enable AllowOverride All/None====
 
====Enable AllowOverride All/None====
Line 101: Line 114:  
  signal-event ibay-modify ibayname
 
  signal-event ibay-modify ibayname
   −
  AllowUrlfOpen : enabled/disabled
+
  AllowUrlFopen : enabled/disabled
 
  MemoryLimit : set a M as unit, eg 64M
 
  MemoryLimit : set a M as unit, eg 64M
 
  UpMaxFileSize : set a M as unit, eg 64M
 
  UpMaxFileSize : set a M as unit, eg 64M
 
  PostMaxSize : set a M as unit, eg 64M
 
  PostMaxSize : set a M as unit, eg 64M
 
  MaxExecTime: unlimited or set time in second without units, eg 60
 
  MaxExecTime: unlimited or set time in second without units, eg 60
      
====PHPinfo====
 
====PHPinfo====
Line 209: Line 221:  
  signal-event post-upgrade
 
  signal-event post-upgrade
 
  signal-event reboot
 
  signal-event reboot
 +
alternately
 +
config show modSSL
 +
config delprop modSSL crt key CertificateChainFile
 +
signal-event ssl-update
    
==Command-Line Quick Reference Guide==
 
==Command-Line Quick Reference Guide==
Line 249: Line 265:  
|-
 
|-
 
| ps -AH || report process status
 
| ps -AH || report process status
 +
|-
 +
| ps fax || display processes by tree with their pid
 
|-
 
|-
 
| top || shows processes
 
| top || shows processes
Line 274: Line 292:  
| grep -nsri server-manager.jpg  /etc/e-smith/ || search the file server-manager.jpg in the path directory /etc/e-smith
 
| grep -nsri server-manager.jpg  /etc/e-smith/ || search the file server-manager.jpg in the path directory /etc/e-smith
 
|-
 
|-
| grep -P '^www|apache' /etc/group || search after patterns which start by www and/or apache in /etc/group
+
| grep -P '^www |apache' /etc/group || search after patterns which start by www and/or apache in /etc/group
 
|-
 
|-
 
| tail -f /var/log/<LOGFILE> || realtime viewing of your log file
 
| tail -f /var/log/<LOGFILE> || realtime viewing of your log file
Line 369: Line 387:  
  # perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"
 
  # perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"
 
  EthernetDriver1 e1000 08:00:27:23:85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"
 
  EthernetDriver1 e1000 08:00:27:23:85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"
 +
alternatively, and only for SME9 or greater, you can use
 +
# ip addr
 +
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
 +
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 +
    inet 127.0.0.1/8 scope host lo
 +
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
 +
    link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
 +
    inet 11.22.22.44/XY brd 11.22.33.255 scope global eth0
 +
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
 +
    link/ether 10:00:01:02:03:04 brd ff:ff:ff:ff:ff:ff
 +
    inet 192.168.45.1/24 brd 192.168.45.255 scope global dummy0
    
====find files by their size====
 
====find files by their size====
Line 379: Line 408:  
  ‘M’    for Megabytes (units of 1048576 bytes)
 
  ‘M’    for Megabytes (units of 1048576 bytes)
 
  ‘G’    for Gigabytes (units of 1073741824 bytes)
 
  ‘G’    for Gigabytes (units of 1073741824 bytes)
 +
 +
====reduce root's user reserved space====
 +
as a default, 5% of the disk space is allocated to root user
 +
 +
you can reduce the allocated space to 1% with (for LVM)
 +
 +
tune2fs -m 1 /dev/mapper/main-root
 +
 +
if you're not using LVM, use
 +
 +
df -h
 +
 +
to see where / is mounted
    
====find files by the Name====
 
====find files by the Name====
Line 520: Line 562:  
|-
 
|-
 
| yum remove <packagename> || removes packagename
 
| yum remove <packagename> || removes packagename
 +
|-
 +
| yum history package-info <packagename> || Shows the installation/removal history of a package and it's Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
 +
|-
 +
| yum history undo <Transaction ID> || Removes all packages from a specific Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
 
|-
 
|-
 
| yum list updates || list updates to any installed package
 
| yum list updates || list updates to any installed package
Line 582: Line 628:  
===namingContexts===
 
===namingContexts===
 
we can conduct a simple search of the naming context to see our directory information you can display 'dn' LDAP parameters, either by the [[SME_Server:Documentation:Administration_Manual:Chapter13#Directory|server-manager]] or by the command line :
 
we can conduct a simple search of the naming context to see our directory information you can display 'dn' LDAP parameters, either by the [[SME_Server:Documentation:Administration_Manual:Chapter13#Directory|server-manager]] or by the command line :
  ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
+
  ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts''
 
or you can do
 
or you can do
 
  ldapsearch -x -h localhost -s base |grep 'dn'
 
  ldapsearch -x -h localhost -s base |grep 'dn'
Line 603: Line 649:     
===Bind with a specific user on LDAP===
 
===Bind with a specific user on LDAP===
Try to connect to ldap with credentials of a specific user and see the LDAP catalogue. Find the ''''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
+
Try to connect to ldap with credentials of a specific user and see the LDAP catalogue. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
      Line 612: Line 658:     
===Check a specific  user in LDAP catalogue===
 
===Check a specific  user in LDAP catalogue===
display informations on the user requested. Find the ''''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
+
display informations on the user requested. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
    
'''for sme9'''
 
'''for sme9'''
Line 641: Line 687:  
==Log==
 
==Log==
 
===Parse Log files to search for errors===
 
===Parse Log files to search for errors===
When you want to test the SME Product it can be useful to see what it occurs
+
When you want to test the SME Product it can be useful to see what it occurs.
 
This CL can help you, but you should read the entire log
 
This CL can help you, but you should read the entire log
 
  grep -iE "uninitialized|WARNING|ERROR" /var/log/messages
 
  grep -iE "uninitialized|WARNING|ERROR" /var/log/messages
Line 651: Line 697:  
{{Note box| you have now a tool in your hand to parse logfile : [[Audit_Tools#logcheck]]. You should be aware that tool is here to help to find errors in the development side of the SME Server and thus you could have a lot of false positive}}
 
{{Note box| you have now a tool in your hand to parse logfile : [[Audit_Tools#logcheck]]. You should be aware that tool is here to help to find errors in the development side of the SME Server and thus you could have a lot of false positive}}
    +
=== '''Parse log for hack / phishing for missing files''' ===
 +
<syntaxhighlight lang="bash">
 +
EXTIP=`curl -s ifconfig.me/ip`
 +
grep "File does not exist" /var/log/httpd/error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_err.txt
 +
# grep "File does not exist" /var/log/httpd/admin_error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_admin_err.txt
 +
</syntaxhighlight>
 
* verbose output
 
* verbose output
   Line 744: Line 796:  
  mysql
 
  mysql
 
  create database '''databasename''';
 
  create database '''databasename''';
  grant all privileges on '''databasename'''.* to '''username''' identified by ''''password'''';
+
  grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';
 
  flush privileges;
 
  flush privileges;
 
  exit
 
  exit
Line 751: Line 803:     
  mysql -e "create database '''databasename''';"
 
  mysql -e "create database '''databasename''';"
  mysql -e "grant all privileges on '''databasename'''.* to '''username''' identified by ''''password'''';"
+
  mysql -e "grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';"
 
  mysql -e "flush privileges;"
 
  mysql -e "flush privileges;"
   Line 887: Line 939:       −
===Configure <b><u>PHP Basedir</u></B> Restriction per ibay===
+
===Configure <b><u>PHP Basedir</u></b> Restriction per ibay===
    
  db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
 
  db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
Line 948: Line 1,000:     
This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain.
 
This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain.
 +
 +
===enable samba audit logs for ibays===
 +
Samba audit logging can be enabled for ibays using db variables.
 +
 +
Samba activity is logged in /var/log/samba/samba_audit
 +
 +
To enable audit logging for an ibay named "fileshare":
 +
<nowiki>db accounts setprop fileshare Audit enabled
 +
signal-event ibay-modify fileshare</nowiki>
 +
 +
To enable audit logging for every ibay on your server:
 +
<nowiki>for ibay in $(db accounts show |grep \=ibay |cut -d= -f1); do db accounts setprop $ibay Audit enabled; done
 +
signal-event ibay-modify</nowiki>
 +
 +
The details of what gets logged are controlled by /etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit
    
==SME Server specific==
 
==SME Server specific==
Line 1,082: Line 1,149:     
=== General Service Handling ===
 
=== General Service Handling ===
 +
====SME9====
 
SME Server uses [http://smarden.org/runit/ runit], a UNIX init scheme with service supervision. See the man page of [http://smarden.org/runit/sv.8.html the 'sv' command]
 
SME Server uses [http://smarden.org/runit/ runit], a UNIX init scheme with service supervision. See the man page of [http://smarden.org/runit/sv.8.html the 'sv' command]
   Line 1,099: Line 1,167:  
{{tip box|you may use TAB to auto-complete your command line}}
 
{{tip box|you may use TAB to auto-complete your command line}}
   −
 
+
you have some shortcuts
 
+
down => 'd',
====Example====  
+
stop => 'd',
 +
up => 'u',
 +
start => 'u',
 +
restart => 't',
 +
sigterm => 't',
 +
adjust => 'h',
 +
reload => 'h',
 +
sighup => 'h',
 +
sigusr1 => '1',
 +
sigusr2 => '2',
 +
once => 'o',
 +
pause => 'p',
 +
alarm => 'a',
 +
interrupt => 'i',
 +
quit => 'q',
 +
kill => 'k',
 +
exit => 'x',
    
Restarting:
 
Restarting:
Line 1,107: Line 1,191:  
  sv t /service/httpd-e-smith
 
  sv t /service/httpd-e-smith
   −
===chkconfig and runlevel information===
+
====SME10====
[http://linuxcommand.org/man_pages/chkconfig8.html chkconfig] provides a simple  command-line  tool  for maintaining  the /etc/rc[0-6].d  directory  hierarchy by relieving system administrators of the task of directly manipulating the  numerous  symbolic  links  in those directories.
+
'''Systemctl''' is a '''systemd''' utility that is responsible for Controlling the '''systemd''' system and service manager. '''Systemd''' is a collection of system management daemons, utilities, and libraries which serves as a replacement of '''System V init''' daemon. Systemd functions as central management and configuration platform
   −
You need to say to SME Server to add the script to each run level you have specified at the top of your init script( Default-Start: 2 3 4 5 and Default-Stop: 0 1 6 ). For Linux using rpm as centos or redhat, you can use
+
To list all loaded services on your system (whether active; running, exited or failed, use the '''list-units''' subcommand and <code>--type</code> switch with a value of service.
 +
# systemctl list-units --type=service
 +
OR
 +
# systemctl --type=service
   −
chkconfig YOUR_SERVICE_NAME --add
     −
You can set the levels where the initscript has to start
+
But to get a quick glance of all running services (i.e all loaded and actively running services), run the following command.
  chkconfig YOUR_SERVICE_NAME --level 2345 on
+
# systemctl list-units --type=service --state=running
 +
OR
 +
  # systemctl --type=service --state=running
   −
If you want to see which runlevel your script will run in
     −
chkconfig YOUR_SERVICE_NAME --list
+
List all failed units.
you can pipe the command
+
  # systemctl --failed
  chkconfig --list | egrep "nfs|rpc"
     −
example :
  −
# chkconfig dhcp-dns --list
  −
dhcp-dns      0:arrêt 1:arrêt 2:marche 3:marche 4:marche 5:marche 6:arrêt
     −
===allow a service to start for a particular time===
+
Check whether a Unit or Service is running or not?.
{{Note box| '''If you want to start a service at boot time, a relevant page needs [[Add_a_custom_service|also your attention ]]'''}}
+
  # systemctl status httpd-e-smith
If your package implements a server or daemon, you will probably want it to be started automatically when the system boots. The SME Server boots in runlevel 7, so you can get an idea of the startup processes by listing the contents of /etc/rc.d/rc7.d.
     −
These are similar to the init scripts you may be familiar with from other Linux systems, with one important difference. Instead of pointing to scripts within /etc/rc.d/init.d, all of those init entries are links to /etc/rc.d/init.d/e-smith-service. This is a wrapper which checks the configuration database to see if the service is supposed to be running and if so, starts the service from /etc/rc.d/init.d/whatever.
     −
So for example, you might have:
+
How do I start, restart, stop, reload and check the status of a service ('''httpd.service''') in Linux.
 +
# systemctl start httpd-e-smith.service
 +
# systemctl restart httpd-e-smith.service
 +
# systemctl stop httpd-e-smith.service
 +
# systemctl reload httpd-e-smith.service
 +
# systemctl status httpd-e-smith.service
   −
S90squid -> /etc/rc.d/init.d/e-smith-service
+
===Add a custom service===
   −
The e-smith-service script looks up the name it was invoked with (S90squid), drops the prefix (leaving squid), checks the configuration database for the "squid" service, then if it's supposed to run, does:
+
see this [[Add_a_custom_service |page]]
 
  −
/etc/rc.d/init.d/squid start
  −
 
  −
* with this way SME's knows how to/if start the service at startup
  −
 
  −
config set '''myapplicationname''' service status enabled
  −
 
  −
cd /etc/rc.d/init.d
  −
ln -s /path/to/myinitscript '''myapplicationname'''
  −
 
  −
'''We are creating a symlink of the original startup script with a new name (the point is that '''myapplicationname''' must be identical to the service name above)'''
  −
 
  −
cd /etc/rc7.d
  −
ln -s  /etc/rc.d/init.d/e-smith-service '''SXXmyapplicationname'''
  −
 
  −
we create a symlink to e-smith-service startup script with a name where: S tells SME to start XX are numbers
  −
 
  −
You can decide when to start the service '''myapplicationname''', but you should not start something that need the network before the network itself is up and running. Therefore you can see the content of /etc/rc7.d and see which scripts are needed to execute your new startup script
  −
 
  −
signal-event remoteaccess-update
  −
service '''myapplicationname''' start
  −
====Creating or deleting a service====
  −
 
  −
*Creating and starting service
  −
 
  −
ln -f -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S98popfile
  −
/sbin/e-smith/db configuration set popfile service status enabled
  −
/sbin/e-smith/signal-event remoteaccess-update
  −
service popfile start
  −
 
  −
*Deleting and unregistering service
  −
 
  −
service popfile stop
  −
sleep 3
  −
rm -f /etc/rc7.d/S98popfile
  −
rm -f /etc/rc.d/init.d/popfile
  −
/sbin/e-smith/config delete popfile
  −
/sbin/e-smith/signal-event remoteaccess-update
  −
 
  −
====Create a service with db command and set network access====
  −
[[DB_Variables_Configuration#Additional_information_on_customizing_iptables]]
  −
 
  −
Create a custom-named service definition in the configuration database.
  −
 
  −
db configuration set <servicename> service
  −
 
  −
Apply your desired firewall restrictions to any existing SME 'service' or to a custom-named service that you have created. Combine a custom-named service with port-forwarding to create customized firewall rules.
  −
 
  −
db configuration setprop <servicename> TCPPort <portnumber>
  −
db configuration setprop <servicename> TCPPorts <portnumbers> # Ranges of ports are defined with a : not a -
  −
db configuration setprop <servicename> UDPPort <portnumber>
  −
db configuration setprop <servicename> UDPPorts <portnumbers> # Ranges of ports are defined with a : not a -
  −
db configuration setprop <servicename> status enabled|disabled
  −
db configuration setprop <servicename> access public|private
  −
db configuration setprop <servicename> AllowHosts a.b.c.d,x.y.z.0/24
  −
db configuration setprop <servicename> DenyHosts e.f.g.h,l.m.n.0/24
  −
 
  −
 
  −
Effectuate the changes you have made
  −
signal-event remoteaccess-update
      
==SSL==
 
==SSL==
Line 1,287: Line 1,313:     
  https://localhost:9443/server-manager
 
  https://localhost:9443/server-manager
       
Retrieved from "https://wiki.koozali.org/Special:MobileDiff/30022...40411"

Navigation menu