# 本章习题

# 情景模拟题

通过设置、启动、观察等机制,完整了解一个服务的启动与观察

  • 目标:了解 daemon 的管控机制,以 sshd daemon 为例
  • 前提:需要对本章已经了解,尤其是 systemd 的管理部分
  • 需求:已经有 sshd 这个服务,但是没有修改过端口

启动两个 sshd 服务,另一个一个使用端口 222

# 1. 查看 sshd 服务是否存在
[root@study ~]# systemctl status sshd.service 
* sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-03-17 10:49:56 CST; 3 days ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1378 (sshd)
    Tasks: 1
   CGroup: /system.slice/sshd.service
           `-1378 /usr/sbin/sshd -D

Mar 17 10:49:55 study.centos.mrcode systemd[1]: Starting OpenSSH server daemon...
Mar 17 10:49:56 study.centos.mrcode sshd[1378]: Server listening on 0.0.0.0 port 22.
Mar 17 10:49:56 study.centos.mrcode sshd[1378]: Server listening on :: port 22.
Mar 17 10:49:56 study.centos.mrcode systemd[1]: Started OpenSSH server daemon.
Mar 17 10:51:42 study.centos.mrcode sshd[2344]: Accepted password for mrcode from 192.168.4.170 port 60750 ssh2
Mar 17 17:35:40 study.centos.mrcode sshd[7250]: Accepted password for ftptest from 192.168.4.170 port 59071 ssh2
Mar 17 22:22:50 study.centos.mrcode sshd[10579]: Accepted password for root from 192.168.4.170 port 59851 ssh2

# 查看他的启动脚本文件
[root@study ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

# 通过 man ssshd 中的 FILES 信息中,找到了他的配置文件地址
/etc/ssh/sshd_config
             Contains configuration data for sshd.  The file format and configuration options are described in sshd_config(5).

# 2. 复制该配置文件,并修改端口号为 222
[root@study ~]# cd /etc/ssh/
[root@study ssh]# cp sshd_config sshd2_config
[root@study ssh]# vim sshd2_config
Port 222

# 3. 修改启动脚本等文件
[root@study ssh]# cd /etc/systemd/system/
[root@study system]# cp /usr/lib/systemd/system/sshd.service sshd2.service
[root@study system]# vim sshd2.service
[Unit]
Description=OpenSSH server daemon 2
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
# 主要是这里
ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd2_config -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
# 上述增加了 -f 参数指定了刚刚我们复制出来的配置文件
# 该语法是从这个脚本中的 Documentation=man:sshd(8),然后使用 man 8 sshd 资料中 SYNOPSIS 中的  [-f config_file] 得知,可以指定一个配置文件
# 所以,其实这一步应该在最开始的时候去查阅,然后才是来达成这个配置文件的操作

# 4. 重新加载配置与这个服务的启动等观察
[root@study system]# systemctl daemon-reload 
[root@study system]# systemctl enable sshd2.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/sshd2.service to /etc/systemd/system/sshd2.service.
[root@study system]# systemctl start sshd2.service  
Job for sshd2.service failed because the control process exited with error code. See "systemctl status sshd2.service" and "journalctl -xe" for details.
[root@study system]# systemctl status sshd2.service 
* sshd2.service - OpenSSH server daemon 2
   Loaded: loaded (/etc/systemd/system/sshd2.service; enabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Fri 2020-03-20 14:04:25 CST; 12s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 21511 ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd2_config -D $OPTIONS (code=exited, status=255)
 Main PID: 21511 (code=exited, status=255)

Mar 20 14:04:25 study.centos.mrcode systemd[1]: sshd2.service: main process exited, code=exited, status=255/n/a
Mar 20 14:04:25 study.centos.mrcode systemd[1]: Failed to start OpenSSH server daemon 2.
Mar 20 14:04:25 study.centos.mrcode systemd[1]: Unit sshd2.service entered failed state.
Mar 20 14:04:25 study.centos.mrcode systemd[1]: sshd2.service failed.

# 发现没有启动起来,启动失败了,去观察他的日志记录
[root@study system]# tail -n 20 /var/log/messages
Mar 20 14:05:08 study python: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 222.#012#012*****  Plugin bind_ports (99.5 confidence) suggests   ************************#012#012If you want to allow /usr/sbin/sshd to bind to network port 222#012Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 222#012    where PORT_TYPE is one of the following: ssh_port_t, vnc_port_t, xserver_port_t.#012#012*****  Plugin catchall (1.49 confidence) suggests   **************************#012#012If you believe that sshd should be allowed name_bind access on the port 222 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -i my-sshd.pp#012

# 会发现触发了 SELInux ,没有通过检查, 99.5 的那个配置方案的解决告知我们需要执行
semanage port -a -t ssh_port_t -p tcp 222
[root@study system]# netstat -tlnp | grep ssh
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      2350/sshd: mrcode@p 
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      10579/sshd: root@pt 
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN      21918/sshd          
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1378/sshd           
tcp6       0      0 ::1:6010                :::*                    LISTEN      2350/sshd: mrcode@p 
tcp6       0      0 ::1:6011                :::*                    LISTEN      10579/sshd: root@pt 
tcp6       0      0 :::222                  :::*                    LISTEN      21918/sshd          
tcp6       0      0 :::22                   :::*                    LISTEN      1378/sshd

# 就会发现已经启动成功了
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

# 简单部分

  • 使用 netstat -tulnetstat -tunl 有什么差别

    使用 n 时,netstat 不会使用主机名与服务名表示,而是以 IP 和 端口来显示。IP 的分析与 /etc/hosts/etc/resolv.conf 有关,port 则与 /etc/services 有关

  • 找到 port 3306 的端口号的服务是什么

    可以通过搜索 /etc/services 搜索到 3306 对应与 mysql 服务。

    并且通过 netstat -tlnp | grep 3306 的方式也能得到他的服务名称(如果运行中的话)

  • 可以通过哪些指令查询到目前系统默认开机启动的服务

    systemctl list-unitssystemctl list-unit-files

  • 获取哪些服务在启动状态?

    通过上面查询出来的服务,应该使用 systemctl status [unit.service] 一项一项查询