我对此有点陌生,所以我不确定去哪里看。
我可以访问一个服务器,作为一个执行有限版本 systemctl 的命令,我想扩展它。
该命令的作用如下:它允许没有 sudo 权限的特定用户执行 systemctl。它只允许用户在 3 个特定服务上运行 systemctl。
我看了一下这最初是如何完成的,这个命令的创建者制作了一个可执行文件(ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux -x86-64.so.2, BuildID[sha1]=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,对于 GNU/Linux 3.2.0,已剥离)由 root 拥有并且 setuid 位为真。我尝试反编译可执行文件,它似乎只是检查用户是否是特定用户并以 root 身份运行 systemctl。
我有两个问题:
我的 vServer (Centos 7) 出现可疑情况。未知的 bash 脚本正在消耗服务器的所有内存。与“外部”有明显的联系。
不幸的是,我的 Unix 知识有限。
如何禁止用户 git 与外部的连接?
我怎样才能弄清楚这个 bash 脚本驻留在哪里,脚本的内容是什么?
lsof -p 1577
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1577 git cwd DIR 182,395665 4096 2 /
bash 1577 git rtd DIR 182,395665 4096 2 /
bash 1577 git txt unknown /proc/1577/exe (readlink: No such file or directory)
bash 1577 git mem REG 182,395665 795648 (deleted)/var/tmp/.ICE-unix/.bash/.bash/bash (stat: No such file or directory)
bash 1577 git 0r FIFO 0,8 0t0 3801753555 pipe
bash 1577 git 1w FIFO 0,8 0t0 3801753556 pipe
bash 1577 git 2w FIFO 0,8 0t0 3801753556 pipe
bash 1577 git 3u REG 182.395665 0 5390 /tmp/.lock
bash 1577 git 4u 0000 0,9 0 4145 [eventpoll]
bash 1577 git 5r FIFO 0,8 0t0 3801755403 pipe
bash 1577 git 6w FIFO 0,8 0t0 3801755403 pipe
bash 1577 git 7r FIFO 0,8 0t0 3801755399 pipe
bash 1577 git 8w FIFO 0,8 0t0 3801755399 pipe
bash 1577 git 9u 0000 0,9 0 4145 [eventfd]
bash 1577 git 10r CHR 1,3 0t0 3801397120 /dev/null
bash 1577 git 11u IPv4 3801755495 0t0 TCP <my server IP>:56542->**blackcat.ro:http** (ESTABLISHED)
我有两个 shell 脚本名称 first.sh 和 second.sh。first.sh 和 second.sh 的内容如下:
>>first.sh
#!/bin/bash
while true
do
echo The current time is $(date)
sleep(1)
done
>>second.sh
#!/bin/bash
while true
do
echo The current time from second script is $(date)
sleep(1)
done
同样,first.service的内容是:
[Unit]
Description=first service
After=second.service
[Service]
ExecStart=/home/abanstola/first.sh
second.service 的内容是:
[Unit]
Description=Second service
[Service]
ExecStart=/home/abanstola/second.sh
请注意After=second.servicefirst.service 代码中的 。根据文档,在第二个服务启动之前,第一个服务不应该运行。但即使我禁用或停止第二个服务,第一个服务运行没有任何问题。我在这里做错了什么?
我想杀死一个 systemd 服务的所有实例。
这很好用:sudo systemctl stop 'custom-service@*'
但它很慢,因为它运行我的自定义ExecStop,它做了额外的工作来安全地关闭进程。
在某些情况下,我宁愿杀死进程。我试图这样做,
sudo systemctl kill -s SIGKILL 'custom-service@*'但是,这不会杀死任何东西。
如果我将其修改为特定实例,它可以正常工作并且该实例被杀死。例如sudo systemctl kill -s SIGKILL 'custom-service@someinstance-1.service',但我宁愿不为每个人都这样做。
我错过了什么吗?
我正在尝试在没有 root 身份的情况下重新启动服务。这是正在使用命令的代码片段
template {
source = "{{vault_template_dir}}/agent.crt.tpl"
destination = "{{vault_tls_dir}}/agent.crt"
command = "/usr/bin/systemctl restart vault.service"
}
在研究和阅读了类似的问题之后,我尝试通过编辑/etc/sudoers文件并添加以下行来为我使用的组(user=vault,group=vault)提供一个有限的 sudo 命令:
%vault ALL=(root) NOPASSWD: /usr/bin/systemctl restart vault.service
但是,当我尝试运行命令时仍然出现错误。错误日志文件:
Apr 4 23:27:41 xxxxxx vault[133973]: Failed to restart vault.service: Interactive authentication required.
保险库服务
[Unit]
After=network.service hostname.service consul-init.service consul.service
Description="Hashicorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
StartLimitInterval=200
StartLimitBurst=5
[Service]
User=vault
Group=vault
ExecStart=/usr/bin/vault server -config="{{vault_server_config_file}}"
ExecReload=/usr/bin/kill -HUP $MAINIP
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
LimitNOFILE=65536
LimitMEMLOCK=infinity
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
有人可以帮我解决这个问题吗?
我有一个服务,我试图以这种方式运行,但它是一个稍微大一点的 python 程序。我退后一步,构建了一个简单的 Python 程序,看看我是否可以让它运行。当我尝试通过 telnet 连接到正在运行的此套接字时,它失败了。下面是 .socket、.service 和 .py 文件....
testPy.socket
[Unit]
Description=Socket to TESTPY for connection
PartOf=testPy.service
[Socket]
ListenStream=30001
[Install]
WantedBy=sockets.target
testPy.service
[Unit]
Description=TEST PY
After=network.target testPy.socket
Requires=testPy.socket
[Service]
ExecStart=/home/workers/miniconda2/bin/python /home/workers/testPy.py
StandardInput=socket
[Install]
WantedBy=default.target
testPy.py
import sys
END_OF_LINE = '\r\n'
while(1):
input = sys.stdin.readline()
buffer = input.strip()
if not buffer:
sys.stdout.write("OKAY DUDE")
sys.stdout.flush()
continue
if buffer in ['quit', 'QUIT']:
break
sys.stdout.write('\n' + buffer + END_OF_LINE)
sys.stdout.flush()
现在,如果我在命令行中运行它,它运行良好。我可以输入退出,它退出循环,回声任何东西..
如果我说:
systemctl start testPy.socket
然后输入:
远程登录本地主机 30001
它连接一点然后放下它。然后各种状态(对我来说)是非描述性的:
systemctl status testPy.socket
● testPy.socket - Socket to TESTPY for connection
Loaded: loaded (/etc/systemd/system/testPy.socket; disabled; vendor preset: disabled)
Active: failed (Result: service-failed-permanent) since Thu 2021-03-11 13:59:54 EST; 11min ago
Listen: [::]:30001 (Stream)
Mar 11 13:59:42 dhcp-093.apo.nmsu.edu systemd[1]: Listening on Socket to TESTPY for connection.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: Unit testPy.socket entered failed state.
systemctl status testPy.service
● testPy.service - TEST PY
Loaded: loaded (/etc/systemd/system/testPy.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Thu 2021-03-11 13:59:54 EST; 12min ago
Process: 2087 ExecStart=/home/workers/miniconda2/bin/python /home/workers/testPy.py (code=exited, status=1/FAILURE)
Main PID: 2087 (code=exited, status=1/FAILURE)
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: Started TEST PY.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: testPy.service: main process exited, code=exited, status=1/FAILURE
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: Unit testPy.service entered failed state.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: testPy.service failed.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: start request repeated too quickly for testPy.service
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: Failed to start TEST PY.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: testPy.service failed.
我相信如果我可以让这个简单的测试工作,我可以获得我需要运行的更大的 .py 文件,因为它的工作原理基本相同。我为此构建了一个服务和套接字,通常有相同的错误。虽然systemctl status kosmos.service给出了一个失败的仍然但是说主PID状态= 0/成功所以这很奇怪。
它说启动限制是失败的,但是如果像这里这样简单的服务必须启动并启动并启动这意味着其他错误,猜测我的套接字或服务文件中的配置但不确定是什么。我希望我的 python 不会因监听 sys.stdin.readline 等而改变,而它读取的行只是来自另一台机器在该端口(30001)上建立的连接。我认为这就是所有这些套接字的作用(所有这些都是因为它曾经在带有 xinetd 的旧机器上运行)
我有一个全新的 CentOS 7 服务器,正在执行初始设置。
我已经开始使用防火墙了
sudo systemctl enable firewalld
sudo systemctl start firewalld
两个命令似乎都成功运行
创建了从 /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service 到 /usr/lib/systemd/system/firewalld.service 的符号链接。创建了从 /etc/systemd/system/multi-user.target.wants/firewalld.service 到 /usr/lib/systemd/system/firewalld.service 的符号链接。
并且 systemctl status 命令显示
已加载:已加载(/usr/lib/systemd/system/firewalld.service;已启用;供应商预设:已启用)
活动:活动(运行)自 WHENEVER
但是,整个早上都有一些时刻在使用 systemctl 状态显示进行签到
已加载:已加载(/usr/lib/systemd/system/firewalld.service;已 禁用;供应商预设:已启用)
活动:非活动(已死)
例如,我可以理解该服务已经崩溃,但是任何人都可以帮助我调试它是如何以任意时间间隔停止和禁用的吗?
安装 Modoboa(开源邮件托管)后,我尝试启动 clamav-daemon,但遇到启动条件失败。
systemctl status clamav-daemon.service
clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/clamav-daemon.service.d
└─extend.conf
Active: inactive (dead)
Condition: start condition failed at Fri 2021-01-15 04:19:06 EST; 33min ago
└─ ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} was not met
下面显示了问题,conditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} 不满足。我无法使用 systemctl 或其他命令启动服务。经过一些故障排除后,我发现 /var/lib/clamav 是空的,应该有一些 .cvd 更新文件。此外,我无法使用此命令更新 clamav(显示 403 错误):
sudo clamav-freshclam
我现在能做什么?
使用最新的可用软件包更新基本系统后:
apt-get update -y
和
root@localhost:~# timedatectl
Local time: Wed 2021-01-06 08:03:11 UTC
Universal time: Wed 2021-01-06 08:03:11 UTC
RTC time: Wed 2021-01-06 08:03:12
Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
但是当我使用以下内容检查时间同步服务的状态时:
systemctl status systemd-timesyncd.service
我懂了:
● systemd-timesyncd.service
Loaded: masked (Reason: Unit systemd-timesyncd.service is masked.)
Active: inactive (dead)
我在 Ubuntu 18.04 上有一个 GMod 服务器,当我通过./run_gmod.sh(作为拥有文件夹/文件的“蒸汽”用户)运行它时它运行良好,其内容是
#!/bin/sh
/datadrive/srcds/gmod/srcds_run -game garrysmod -console -norestart -strictportbind -port 27015 -tickrate 60 -maxplayers 20 \
+gamemode terrortown +map ttt_minecraft_b5 \
+host_workshop_collection 1413001823 \
+sv_setsteamaccount XXXXXXXXXXXX
但是,我想使用 systemctl 将其安装为服务,以便在启动服务器(Azure VM)时自动启动。我创建了一个包含/etc/systemd/system/gmod.service以下内容的文件:
[Unit]
Description=Gmod Server
After=network.target
[Service]
User=steam
WorkingDirectory=/datadrive/srcds/
ExecStart=/datadrive/srcds/gmod/srcds_run -game garrysmod -console -norestart -strictportbind -port 27015 -tickrate 60 -maxplayers 20 +gamemode terrortown +map ttt_minecraft_b5 +host_workshop_collection 1413001823 +sv_setsteamaccount XXXXXXXXXXXX
[Install]
WantedBy=multi-user.target
但是,当我尝试systemctl start gmod得到的日志时,我很奇怪:
Nov 27 22:54:49 Server1 systemd[1]: Started Gmod Server.
Nov 27 22:54:49 Server1 bash[4025]: Auto detecting CPU
Nov 27 22:54:49 Server1 bash[4025]: Using default binary: ./srcds_linux
Nov 27 22:54:52 Server1 bash[4025]: Setting breakpad minidump AppID = 4000
Nov 27 22:54:52 Server1 bash[4025]: [S_API] SteamAPI_Init(): Loaded 'steamclient.so' OK.
Nov 27 22:54:52 Server1 bash[4025]: Could not find steamerrorreporter binary. Any minidumps will be uploaded in-processapplicationmanager.cpp (3936) : Assertion Failed: CApplicationManager::GetMountVolume: invalid index
Nov 27 22:54:52 Server1 bash[4025]: CAppInfoCacheReadFromDiskThread took 0 milliseconds to initialize
Nov 27 22:54:52 Server1 bash[4025]: Uploading dump (in-process) [proxy '']
Nov 27 22:54:52 Server1 bash[4025]: /tmp/dumps/crash_20201127225452_4.dmp
Nov 27 22:54:52 Server1 bash[4025]: success = no
Nov 27 22:54:52 Server1 bash[4025]: error: libcurl.so: cannot open shared object file: No such file or directory
Nov 27 22:54:52 Server1 bash[4025]: applicationmanager.cpp (3936) : Assertion Failed: CApplicationManager::GetMountVolume: invalid index
Nov 27 22:54:52 Server1 bash[4025]: applicationmanager.cpp (4099) : Assertion Failed: m_vecInstallBaseFolders.Count() > 0
Nov 27 22:54:52 Server1 bash[4025]: CApplicationManagerPopulateThread took 0 milliseconds to initialize (will have waited on CAppInfoCacheReadFromDiskThread)
Nov 27 22:54:52 Server1 bash[4025]: [S_API FAIL] Tried to access Steam interface SteamUser020 before SteamAPI_Init succeeded.
Nov 27 22:54:56 Server1 bash[4025]: applicationmanager.cpp (4099) : Assertion Failed: m_vecInstallBaseFolders.Count() > 0
Nov 27 22:55:00 Server1 bash[4025]: [S_API] SteamAPI_Init(): Loaded 'steamclient.so' OK.
Nov 27 22:55:00 Server1 bash[4025]: CAppInfoCacheReadFromDiskThread took 0 milliseconds to initialize
Nov 27 22:55:00 Server1 bash[4025]: Could not find steamerrorreporter binary. Any minidumps will be uploaded in-processapplicationmanager.cpp (3936) : Assertion Failed: CApplicationManager::GetMountVolume: invalid index
Nov 27 22:55:00 Server1 bash[4025]: Uploading dump (in-process) [proxy '']
Nov 27 22:55:00 Server1 bash[4025]: /tmp/dumps/crash_20201127225500_5.dmp
Nov 27 22:55:00 Server1 bash[4025]: success = no
Nov 27 22:55:00 Server1 bash[4025]: error: libcurl.so: cannot open shared object file: No such file or directory
Nov 27 22:55:00 Server1 bash[4025]: applicationmanager.cpp (3936) : Assertion Failed: CApplicationManager::GetMountVolume: invalid index
Nov 27 22:55:00 Server1 bash[4025]: applicationmanager.cpp (3936) : Assertion Failed: CApplicationManager::GetMountVolume: invalid index
Nov 27 22:55:00 Server1 bash[4025]: applicationmanager.cpp (4099) : Assertion Failed: m_vecInstallBaseFolders.Count() > 0
Nov 27 22:55:00 Server1 bash[4025]: CApplicationManagerPopulateThread took 0 milliseconds to initialize (will have waited on CAppInfoCacheReadFromDiskThread)
Nov 27 22:55:09 Server1 bash[4025]: applicationmanager.cpp (4099) : Assertion Failed: m_vecInstallBaseFolders.Count() > 0
Nov 27 22:55:09 Server1 bash[4025]: httpclient.cpp (4181) : Assertion Failed: Failed writing http cache file to disk
Nov 27 23:00:42 Server1 systemd[1]: gmod.service: Current command vanished from the unit file, execution of the command list won't be resumed.
正常日志,通过run_gmod.sh脚本启动时,如下所示:
Auto detecting CPU
Using default binary: ./srcds_linux
mount.cfg adding path: '/datadrive/srcds/gmod/content/css/cstrike'
Couldn't load shader dll: game_shader_generic_garrysmod_srv.soConVarRef mat_dxlevel doesn't point to an existing ConVar
Game_srv.so loaded for "Garry's Mod"
Setting breakpad minidump AppID = 4000
Initializing Steam libraries for Workshop..
[S_API] SteamAPI_Init(): Loaded 'steamclient.so' OK.
CApplicationManagerPopulateThread took 0 milliseconds to initialize (will have waited on CAppInfoCacheReadFromDiskThread)
CAppInfoCacheReadFromDiskThread took 2 milliseconds to initialize
[S_API FAIL] Tried to access Steam interface SteamUser020 before SteamAPI_Init succeeded.
WS: Waiting for Steam to log us in..
WS: Fetching collection info...
Processing collection 1413001823...
Collection 'TGN Reborn Content'
75 new addons
WS: Finished!
WS: Processing 75 addons...
and then more stuff happens
日志在第二行 ( Using default binary: ./srcds_linux) 之后就出现了分歧,我不明白为什么在运行相同的命令时结果如此不同,只是方式不同。这是 GMod 特有的,还是我的gmod.service文件不正确?我已经尝试过查找,但是将服务器作为服务运行的资源很少,而且.service我发现的示例文件最终会给出类似的错误,所以我认为我应该从头开始。