# systemctl status cron
# vim /etc/crontab # vim /etc/default/cron
# vim /etc/cron.d/example
30 05 * * 0 www-data /usr/local/adm/savelog-weekly
$ crontab -e
# crontab -u jdoe -e
0,30,45,51 * * * * /usr/local/adm/send-data */15 * * * * /usr/local/adm/check-nis 1>/dev/null 2>&1 00 01 * * * nice -10 find /inf -name core -exec rm -f {} \; 10 03 * * 1-6 nice -10 /usr/local/adm/sauvegarde-daily 30 05 * * 0 /usr/local/adm/savelog-weekly 30 06 1 * * /usr/local/adm/savelog-monthly 00 00 1 1 * /usr/local/bin/happy-new-year MAILTO=alert@example.com @daily /usr/local/bin/minuit-check
$ man 5 crontab
$ crontab -l
# crontab -u jdoe -l
$ date
# apt install ntp
# cat /etc/ntp.conf :
server ntp.evolix.net
# ntpq -p
$ timedatectl
# hwclock --show
# hwclock --systohc
Alternative au System V, installé par défaut depuis Debian 8.
# systemctl status
# systemctl list-units
# systemctl --failed
# systemctl list-unit-files
# systemctl start <unité>
# systemctl stop <unité>
# systemctl restart <unité>
# systemctl reload <unité>
# systemctl status <unité>
# systemctl is-enabled <unité>
# systemctl enable <unité>
# systemctl disable <unité>
# systemctl reboot
# systemctl poweroff
# systemd-analyze
# cp -a /lib/systemd/system/<service>.service /etc/systemd/system/
# vim /etc/systemd/system/<service>.service
# systemctl cat ssh
# systemctl edit <unité>
# systemctl daemon-reload
# apt install postfix
# vim main.cf
smtpd_banner = $myhostname ESMTP mail server
biff = no
append_dot_mydomain = no
myhostname = hosting.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $myhostname
mydestination = $myhostname localhost.localdomain localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
disable_vrfy_command = yes
# date | mail -s test jdoe@example.com
# mailq
# qshape deferred
# postcat -vq < queue_id > > message.txt
# postsuper -d < queue_id >
# postsuper -d ALL
# postsuper -r < queue_id >
# postsuper -r ALL
# mailq | tail -n +2 | \
awk 'BEGIN { RS = "" } /example\.com$/ { print $1 }' | \
tr -d '*!' | postsuper -d -
Rsyslog est le démon syslog par défaut sous Debian.
# systemctl status rsyslog
# vim /etc/rsyslog.conf
*.*;auth,authpriv.none;cron,mail,local4,local5,local7.none -/var/log/syslog cron.* /var/log/cron.log #mail.info -/var/log/mail.info #mail.warn -/var/log/mail.warn #mail.err /var/log/mail.err local0.* /var/log/postgresql.log local1.* /var/log/sympa.log local4.* -/var/log/openldap.log local5.* -/var/log/haproxy.log local7.* -/var/log/dhcp.log
Le logiciel logrotate permet de gérer la rotation des journaux système et applicatif de façon précise et ordonnée.
# vim /etc/logrotate.d/dpkg
/var/log/dpkg.log {
monthly
rotate 12
compress
delaycompress
missingok
notifempty
create 644 root root
}
Note : le programme "savelog" permet une rotation ultrasimple de journaux en ajoutant un suffixe et conservant 7 versions.
Pour surveiller précisement un fichier journal et recevoir immédiatemment des alertes par mail si certains termes apparaissent dans ce fichier.
# apt install log2mail
# vim /etc/log2mail/config/default
file = /var/log/mail.log pattern = "fatal" mailto = admin@example.com template = /etc/log2mail/mail# /etc/init.d/log2mail restart
Logcheck envoie par mail, les lignes inconnues (non répertoriées dans ses règles) trouvées dans certains journaux.
# aptitude install logcheck logcheck-database
# cat /etc/logcheck/logcheck.conf
REPORTLEVEL="server" SENDMAILTO="alert@example.com" MAILASATTACH=0 FQDN=1 TMP="/tmp"
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[IPTABLES DROP\] : IN=eth0 OUT= MAC=.* ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ log2mail\[[0-9]+\]: Logfile [.[:alnum:]/]+ rotated. Listening to new file.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nrpe\[[0-9]+\]: Could not read request from client, bailing out...$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nrpe\[[0-9]+\]: INFO: SSL Socket Shutdown.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: clock is now [[:alnum:]]+$
# apt install fail2ban
# fail2ban-client status
# fail2ban-client status ssh
# vim /etc/fail2ban/filter.d/demo :
[Definition] failregex = warning: \[\]: authentication failed: ignoreregex =
# vim /etc/fail2ban/jail.local
[demo-rule]
enabled = true
port = http,https
filter = demo
logpath = /var/log/demo.log
maxretry = 3
findtime = 1800
bantime = 3600
Système de contrôle de versions, open-source, décentralisé, conçu pour être efficace et rapide.
cp main.c main.c.old
Une bonne pratique Evolix.
$ su
# apt install git
# git --version
git version 2.11.0
$ cd /etc
$ su
# git init
# git status
# git add .
# git commit -m "commit initial"
# echo "127.0.0.1 foo" >> /etc/hosts
# git status
# git diff [HEAD]
# git commit --all --message "Ajout de foo dans /etc/hosts"
# git log
# git show
Le livre Pro Git est incontournable,
pour le débutant comme pour l'expert.
Paquets pour de nombreuses distributions
$ su
# apt install ansible
# ansible --version
ansible 2.2.1.0
config file = /etc/ansible/ansible.cfg
configured module search path = Default w/o overrides
$ ansible localhost --module-name ping
$ ansible localhost --module-name ping --one-line
$ ansible localhost --module-name setup
$ ansible localhost --module-name setup --args "filter=ansible_mem*"
$ ansible localhost --module-name lineinfile --args \
"dest=/etc/hosts regexp=example.com line='192.168.0.25 example.com'"
inventory/
├── group_vars
│ ├── all.yml
│ ├── hypervisors.yml
│ └── proxies.yml
├── hosts
├── hosts-dev
└── host_vars
├── stack01-data01.yml
├── stack01-front01-web01.yml
└── stack01-front01.yml
kvm01 ansible_host=192.168.2.1
kvm02 ansible_host=192.168.2.2
stack01-front01 ansible_host=192.168.2.1 ansible_port=22020
stack01-front01-web01 ansible_host=192.168.2.1 ansible_port=22101
stack01-data01 ansible_host=192.168.2.1 ansible_port=22010
[hypervisors]
kvm01
kvm02
[fronts]
stack01-front01
[dbs]
stack01-data01
[web]
stack01-front01-web01
---
- hosts: localhost
tasks:
- name: example.com in /etc/hosts
lineinfile:
dest: /etc/hosts
regexp: example.com
line: '192.168.0.25 example.com'
state: present
$ ansible-playbook playbook.yml