Building a Keepalived + LVS (IPVS) configuration (NAT) on Wheezy/Squeeze.

■Building a Keepalived + LVS (IPVS) configuration (NAT) on Wheezy/Squeeze.

 Install keepalived on Wheezy/Squeeze and reach a virtual IP via VRRP.
 http://d.hatena.ne.jp/labunix/20130618

 Round-robin Web servers using IPVS alone.
 http://labunix.hateblo.jp/entry/20130619/1371652385

■Confirm the following.

$ sudo sysctl -p
net.ipv4.ip_forward = 1

■Written with reference to the sample file and its comments.

$ lv -s /usr/share/doc/keepalived/keepalived.conf.SYNOPSIS.gz | wc -l
407

■In places the option names differ between "lvs_" and "lb_"; I used the option names from the sample file.

$ lv -s /usr/share/doc/keepalived/keepalived.conf.SYNOPSIS.gz | grep lvs
    lvs_sync_daemon_interface <STRING>  # Binding interface for lvs syncd
    lvs_sched rr|wrr|lc|wlc|lblc|sh|dh  # LVS scheduler used
    lvs_method NAT|DR|TUN               # LVS method used

$ grep lb_ /usr/share/doc/keepalived/samples/keepalived.conf.vrrp.lvs_syncd
    lb_algo rr
    lb_kind NAT

■As shown above, IPVS can also be configured inside the keepalived configuration file,
 but for convenience I split it into a "keepalived" file and an "IPVS" file.

 In the "keepalived" file there is no essential difference between MASTER and BACKUP
 apart from the sender e-mail address and the priority.

$ sudo diff keepalived.conf /etc/keepalived/keepalived.conf
7c7
<    notification_email_from vrrp100@vmdebian1.test.local
---
>    notification_email_from vrrp200@vmdebian1.test.local
21c21
<     priority 100
---
>     priority 200
44c44
<     priority 200
---
>     priority 100


■keepalived configuration

$ cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     root@vmdebian1.test.local
   }
   notification_email_from vrrp200@vmdebian1.test.local
   smtp_server 192.168.164.11
   smtp_connect_timeout 30
   # router_id LVS_DEVEL
   enable_traps
}


vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    garp_master_delay 10
    smtp_alert
    virtual_router_id 52
    priority 200
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.164.16
        # 192.168.200.16
        # 192.168.200.17
        # 192.168.200.18

        # optional label. should be of the form "realdev:sometext" for
        # compatibility with ifconfig.
        # 192.168.200.18 label eth0:1
    }
}
vrrp_instance VI_2 {
    state BACKUP
    interface eth0
    garp_master_delay 10
    smtp_alert
    virtual_router_id 53
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.164.17
        # 192.168.200.16
        # 192.168.200.17
        # 192.168.200.18

        # optional label. should be of the form "realdev:sometext" for
        # compatibility with ifconfig.
        # 192.168.200.18 label eth0:1
    }
}

include /etc/keepalived/with_lvs.conf

■IPVS configuration
 ※This part can be identical on both machines, or the IP order can be reversed.

$ cat /etc/keepalived/with_lvs.conf
virtual_server_group HTTP52 {
    192.168.164.16 80
}
virtual_server_group HTTP53 {
    192.168.164.17 80
}

virtual_server group HTTP52 {
    delay_loop 3
    lb_algo rr
    lb_kind DR
    # nat_mask 255.255.255.0
    #persistence_timeout 50
    protocol TCP
    sorry_server 192.168.164.1 80

    real_server 192.168.164.10 80 {
        weight 1
        inhibit_on_failure
        #TCP_CHECK {
        HTTP_GET {
            url {
                path /check.html
                status_code 200
            }
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.164.11 80 {
        weight 1
        inhibit_on_failure
        TCP_CHECK {
            connect_timeout 3
        }
    }
}
virtual_server group HTTP53 {
    delay_loop 3
    lb_algo rr
    lb_kind DR
    # nat_mask 255.255.255.0
    #persistence_timeout 50
    protocol TCP
    sorry_server 192.168.164.1 80

    real_server 192.168.164.11 80 {
        weight 1
        inhibit_on_failure
        #TCP_CHECK {
        HTTP_GET {
            url {
                path /check.html
                status_code 200
            }
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.164.10 80 {
        weight 1
        inhibit_on_failure
        TCP_CHECK {
            connect_timeout 3
        }
    }
}

■Checking the content
 Rather than bother with two commands, check both VIPs alternately with a one-liner.

$ while true ;do \
    echo -n "$n,";echo "$n" | awk '{print "w3m -dump -no-proxy http://192.168.164."($n%2)+16}' | `xargs` | head -1; \
    let n++; \
    sleep 1; \
  done
,vmdebian1
1,vmdebian1
2,vmdebian2
3,vmdebian2
4,vmdebian1
5,vmdebian1
6,vmdebian2
7,vmdebian2
8,vmdebian1
9,vmdebian1
10,vmdebian2
^C

■Suppressing the apache2 log entries for the health-check URL

$ sudo cp /var/www/index.html /var/www/check.html 
$ grep nolog /etc/apache2/sites-available/default || \
  sudo sed -i s/"CustomLog.*"/'SetEnvIf Request_URI "check.html" nolog'"\n\t& "'env=!nolog'/ \
  /etc/apache2/sites-available/default

$ sudo /etc/init.d/apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .

■The connections are distributed in roughly round-robin order, as can be seen.

$ sudo ipvsadm -Ln --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
TCP  192.168.164.16:80                   3       15       15     1506     2170
  -> 192.168.164.10:80                   1        5        5      502      722
  -> 192.168.164.11:80                   2       10       10     1004     1448
TCP  192.168.164.17:80                   2       10       10     1004     1446
  -> 192.168.164.10:80                   1        5        5      502      722
  -> 192.168.164.11:80                   1        5        5      502      724

$ sudo ipvsadm -Ln --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
TCP  192.168.164.16:80                   2       10       10     1004     1446
  -> 192.168.164.10:80                   1        5        5      502      722
  -> 192.168.164.11:80                   1        5        5      502      724
TCP  192.168.164.17:80                   3       15       15     1506     2168
  -> 192.168.164.10:80                   2       10       10     1004     1444
  -> 192.168.164.11:80                   1        5        5      502      724
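The two ipvsadm listings above show the per-real-server split only as raw counters. As an added example (not part of the post), the following shell functions parse `ipvsadm -Ln --stats` output and print each real server's share of the connections under its VIP, plus a second function that lists real servers with zero connections, which is what you would see once a health check has pulled a node out. The stats text is embedded inline, copied from the first listing above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): summarise `ipvsadm -Ln --stats` output
# so an operator can see, per VIP, how connections were spread across the
# real servers and whether any real server received no traffic at all.

# Sample stats, copied from the first listing in the post.
SAMPLE_STATS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
TCP  192.168.164.16:80                   3       15       15     1506     2170
  -> 192.168.164.10:80                   1        5        5      502      722
  -> 192.168.164.11:80                   2       10       10     1004     1448
TCP  192.168.164.17:80                   2       10       10     1004     1446
  -> 192.168.164.10:80                   1        5        5      502      722
  -> 192.168.164.11:80                   1        5        5      502      724'

# ipvs_conn_share: read stats on stdin, print "VIP REAL CONNS SHARE%" for each
# real server. A line starting with TCP/UDP opens a virtual service; the
# "->" lines that follow belong to the service opened last.
ipvs_conn_share() {
  awk '
    $1 == "TCP" || $1 == "UDP" { vip = $2; total = $3; next }
    $1 == "->" && vip != "" {
      share = (total > 0) ? 100 * $3 / total : 0
      printf "%s %s %d %.0f%%\n", vip, $2, $3, share
    }'
}

# ipvs_idle_reals: list "VIP REAL" for real servers that saw zero connections,
# a quick sign that a health check failed (or the weight is 0).
ipvs_idle_reals() {
  ipvs_conn_share | awk '$3 == 0 { print $1, $2 }'
}

printf '%s\n' "$SAMPLE_STATS" | ipvs_conn_share
```

Against the live system: `sudo ipvsadm -Ln --stats | ipvs_conn_share`.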

Password-less sudo for a given group using PAM on Wheezy

■When out and about, use PAM on Wheezy to sudo without a password for a given group.
 Normally a password is required.
 Use this when you do not want your password entry to be watched.

■PAM manual pages

$ apropos ^pam_ | awk '{print $1}' | column
pam_access		pam_lastlog		pam_selinux
pam_ck_connector	pam_limits		pam_sepermit
pam_debug		pam_listfile		pam_shells
pam_deny		pam_localuser		pam_succeed_if
pam_echo		pam_loginuid		pam_tally
pam_env			pam_mail		pam_tally2
pam_env.conf		pam_mkhomedir		pam_time
pam_exec		pam_motd		pam_timestamp
pam_faildelay		pam_namespace		pam_timestamp_check
pam_filter		pam_nologin		pam_umask
pam_ftp			pam_permit		pam_unix
pam_getenv		pam_pwhistory		pam_userdb
pam_group		pam_rhosts		pam_warn
pam_issue		pam_rootok		pam_wheel
pam_keyinit		pam_securetty		pam_xauth

■Location of the PAM modules

$ ls /lib/i386-linux-gnu/security/
pam_access.so        pam_group.so      pam_namespace.so  pam_succeed_if.so
pam_cap.so           pam_issue.so      pam_nologin.so    pam_tally.so
pam_ck_connector.so  pam_keyinit.so    pam_permit.so     pam_tally2.so
pam_debug.so         pam_lastlog.so    pam_pwhistory.so  pam_time.so
pam_deny.so          pam_limits.so     pam_rhosts.so     pam_timestamp.so
pam_echo.so          pam_listfile.so   pam_rootok.so     pam_umask.so
pam_env.so           pam_localuser.so  pam_securetty.so  pam_unix.so
pam_exec.so          pam_loginuid.so   pam_selinux.so    pam_userdb.so
pam_faildelay.so     pam_mail.so       pam_sepermit.so   pam_warn.so
pam_filter.so        pam_mkhomedir.so  pam_shells.so     pam_wheel.so
pam_ftp.so           pam_motd.so       pam_stress.so     pam_xauth.so

■A brief explanation.

About type

auth		user authentication settings
account		account restrictions and validity checks
password	password authentication settings
session		settings for actions at connection (session) time

About control

optional	status is ignored
required	on failure the login fails, but processing continues
requisite	on failure, processing stops
sufficient	on success, access is granted

■This time we control it with "type auth" and "control sufficient".

■Check sudoers.
 The root user and the sudo group may run it.
 NOPASSWD could also be set here, but I make no change to this file.

$ sudo grep -v "^#\|^\$" /etc/sudoers
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root	ALL=(ALL:ALL) ALL
%sudo	ALL=(ALL:ALL) ALL

■Write it before the include statements.
 Trust the root user or the wheel (sudo) group and require no password.
 Users other than those configured in sudoers above are refused sudo by sudoers itself.
 On Debian, "group=sudo" makes the sudo group play the role of wheel.

$ cat /etc/pam.d/sudo 
#%PAM-1.0

auth sufficient pam_rootok.so
auth sufficient pam_wheel.so group=sudo trust use_uid

@include common-auth
@include common-account
@include common-session-noninteractive

■Toggle the above on and off with a script.
 ※Even if you have not entered the above lines, the first run leaves them in the disabled state.

 For Red Hat one could branch on /etc/redhat-release
 and rewrite the "group=sudo" part, but
 it is quicker to change the variable, so I don't do that here.

$ cat nopass_sudo.sh 
#!/bin/bash

# Must run as root: /etc/pam.d/sudo is only writable by root.
if [ "$(id -u)" -ne 0 ];then
  echo "Sorry, Not Permit User!" >&2
  exit 1
fi

TARGET="/etc/pam.d/sudo"
ROOTOK='auth sufficient pam_rootok.so'
WHEELOK='auth sufficient pam_wheel.so group=sudo trust use_uid'

# First run: the two lines are absent, so insert them right after the
# "#%PAM-1.0" header, i.e. before the @include lines. The toggle below then
# comments them out again, which is why the first run ends up disabled.
FLAG=1
grep -q "$ROOTOK" "$TARGET" && FLAG=0

if [ "$FLAG" -eq 1 ];then
  sed -i s/'#%PAM-1.0'/"&\n\n${ROOTOK}\n${WHEELOK}"/ "$TARGET"
fi

# Toggle: an uncommented line at the start of a line means "enabled", so
# comment both lines out; otherwise strip the "# " prefix to enable them.
FLAG=1
grep -q "^$ROOTOK" "$TARGET" && FLAG=0

if [ "$FLAG" -eq 0 ];then
  sed -i s/"$ROOTOK"/"# &"/ "$TARGET"
  sed -i s/"$WHEELOK"/"# &"/ "$TARGET"
else
  sed -i s/"# $ROOTOK"/"$ROOTOK"/ "$TARGET"
  sed -i s/"# $WHEELOK"/"$WHEELOK"/ "$TARGET"
fi

# Show the resulting state of the two lines.
grep "rootok\|wheel" "$TARGET"
unset TARGET ROOTOK WHEELOK FLAG

exit 0

■Run it
 ※It takes effect after logging out and back in.

$ cat /etc/pam.d/sudo 
#%PAM-1.0

@include common-auth
@include common-account
@include common-session-noninteractive

# sudo ./nopass_sudo.sh 
# auth sufficient pam_rootok.so
# auth sufficient pam_wheel.so group=sudo trust use_uid

# sudo ./nopass_sudo.sh 
auth sufficient pam_rootok.so
auth sufficient pam_wheel.so group=sudo trust use_uid

$ cat /etc/pam.d/sudo 
#%PAM-1.0

auth sufficient pam_rootok.so
auth sufficient pam_wheel.so group=sudo trust use_uid

@include common-auth
@include common-account
@include common-session-noninteractive

■The following check is sufficient.

$ sudo echo "hello"

■Because it is written before the include statements, you can also grant password-less use to a "labunix+sudo" group instead of "sudo".
 That is, accounts that belong to the "sudo" group but are not trusted enough to be allowed password-less use
 can be kept separate.
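Since the toggle script only greps for its own two lines, a separate check is useful, for instance from a configuration-audit job, to tell whether password-less sudo is currently in force and for which group. The function below is an added example, not part of the post: it reads a /etc/pam.d/sudo stack and reports "enabled group=<name>" when an uncommented "auth sufficient pam_wheel.so ... trust" line appears before "@include common-auth", "ineffective" when such a line exists but sits after common-auth (pam_unix would already have asked for a password there), and "disabled" otherwise. The two PAM stacks are constructed inline to match the on and off states shown above.

```shell
#!/bin/sh
# Added example (not from the post): audit a /etc/pam.d/sudo stack for the
# kind of password-less rule that nopass_sudo.sh toggles.

# Constructed stacks matching the "enabled" and "disabled" states in the post.
PAM_SUDO_ON='#%PAM-1.0

auth sufficient pam_rootok.so
auth sufficient pam_wheel.so group=sudo trust use_uid

@include common-auth
@include common-account
@include common-session-noninteractive'

PAM_SUDO_OFF='#%PAM-1.0

# auth sufficient pam_rootok.so
# auth sufficient pam_wheel.so group=sudo trust use_uid

@include common-auth
@include common-account
@include common-session-noninteractive'

# pam_nopass_state: read a PAM stack on stdin and print one of
#   "enabled group=<name>"                      trust rule before common-auth
#   "ineffective group=<name> (after common-auth)"  trust rule placed too late
#   "disabled"                                  no active trust rule
# Ordering matters: a "sufficient" rule is only reached if nothing before it
# has already decided the outcome, and common-auth prompts for the password.
pam_nopass_state() {
  awk '
    /^[[:space:]]*#/ { next }                      # commented lines do not count
    $1 == "@include" && $2 == "common-auth" { seen_auth = 1 }
    $1 == "auth" && $2 == "sufficient" && $3 == "pam_wheel.so" {
      has_trust = 0; grp = "wheel"                  # pam_wheel default: group wheel (or gid 0)
      for (i = 4; i <= NF; i++) {
        if ($i == "trust") has_trust = 1
        if ($i ~ /^group=/) grp = substr($i, 7)
      }
      if (has_trust && !seen_auth) { print "enabled group=" grp; found = 1; exit }
      if (has_trust && !late) late = "group=" grp
    }
    END {
      if (found) exit
      if (late != "") print "ineffective " late " (after common-auth)"
      else print "disabled"
    }'
}

printf '%s\n' "$PAM_SUDO_ON"  | pam_nopass_state
printf '%s\n' "$PAM_SUDO_OFF" | pam_nopass_state
```

Against the real file: `pam_nopass_state < /etc/pam.d/sudo`.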

Installing libgraph-easy-perl on Wheezy and drawing network diagrams in ASCII.

■Introduction.
 Being able to output PNG or SVG with nwdiag or blockdiag is nice, but
 sometimes that is more than needed, or you would rather keep everything text-only...

 Installing nwdiag in a wheezy/sid chroot
 http://d.hatena.ne.jp/labunix/20130321

 I tried drawing a network diagram with nwdiag.
 http://labunix.hateblo.jp/entry/20121104/1352031606

 Playing with blockdiag
 http://labunix.hateblo.jp/entry/20130407/1365341897

 Connecting with an easy unencrypted VPN using OpenVPN on Wheezy/Squeeze
 http://labunix.hateblo.jp/entry/20130610/1370869975

■Install libgraph-easy-perl on Wheezy and draw network diagrams in ASCII.

$ sudo apt-get install -y libgraph-easy-perl

■"ASCII" output sample.

$ man graph-easy | grep -A 13 ^EXAMPLES
EXAMPLES
   ASCII output
               echo "[ Bonn ] -- car --> [ Berlin ], [ Ulm ]" | graph-easy

               +--------+  car   +-----+
               |  Bonn  | -----> | Ulm |
               +--------+        +-----+
                 |
                 | car
                 v
               +--------+
               | Berlin |
               +--------+

■References

 Graph::Easy - Manual - Introduction
 http://bloodgate.com/perl/graph/manual/index.html

■For example, the picture of the virtual IP via VRRP from the previous post.
 Either the Master or the Backup returns the response.

 Install keepalived on Wheezy/Squeeze and reach a virtual IP via VRRP.
 http://d.hatena.ne.jp/labunix/20130618

$ echo -e "\n\n";   echo "graph { flow: north; } [ Client] \
  <-- GET/Reponse --> [ Keepalived-vrrp VIP\n(ipvsadm) ] \
  <-- Master/Backup -->  [ vrrp100\n(Web2) ] , [ vrrp200\n(Web1) ]" | graph-easy



+---------------------+
|       vrrp100       |
|       (Web2)        |
+---------------------+
  ^
  |
  | Master/Backup
  v
+---------------------+                   +---------+
| Keepalived-vrrp VIP |  Master/Backup    | vrrp200 |
|      (ipvsadm)      | <---------------> | (Web1)  |
+---------------------+                   +---------+
  ^
  |
  | GET/Reponse
  v
+---------------------+
|       Client        |
+---------------------+


■With LVS the picture looks like this.
 The "LVS VIP" is the "virtual IP" that provides the service, so it could also be an IP that does not use keepalived.
 Web1 and Web2 return responses in turn.

$ echo -e "\n\n";   echo "graph { flow: north; } [ Client] \
  <-- GET/Reponse --> [ LVS VIP\n(ipvsadm) ] \
  <-- rr --> [ Web2 ] , [ web1 ]" | graph-easy



+--------------+
|     Web2     |
+--------------+
  ^
  |
  | rr
  v
+--------------+        +------+
|   LVS VIP    |  rr    | web1 |
|  (ipvsadm)   | <----> |      |
+--------------+        +------+
  ^
  |
  | GET/Reponse
  v
+--------------+
|    Client    |
+--------------+

■The picture of VRRP+LVS.
 Either the Master's or the Backup's VIP receives the request, and responses are returned in turn.

$ echo -e "\n\n";   echo "graph { flow: south; } [ Client ] <-- GET/Response --> \
 { flow: north; } [ VRRP+LVS ] <-- or/rr --> [ vrrp100 ] , [ vrrp200 ]" | graph-easy



+---------+  or/rr    +---------------+  or/rr    +---------+
| vrrp200 | <-------> |   VRRP+LVS    | <-------> | vrrp100 |
+---------+           +---------------+           +---------+
                        ^
                        |
                        | GET/Response
                        v
                      +---------------+
                      |    Client     |
                      +---------------+
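The diagrams above were typed by hand. As an added example (not from the post or from Graph::Easy), the function below derives the graph-easy statement for a VIP and its real servers from a keepalived virtual_server block like the HTTP52 one in the first post, so the ASCII diagram can be regenerated from the live configuration instead of being kept in sync manually. The config text is constructed inline from that block; pipe the function's output into graph-easy to render it.

```shell
#!/bin/sh
# Added example (not from the post): turn a keepalived LVS config into a
# graph-easy description: Client -> VIP (lb_kind/lb_algo) -> real servers.

# Constructed from the HTTP52 block in the post's with_lvs.conf.
SAMPLE_LVS_CONF='virtual_server_group HTTP52 {
    192.168.164.16 80
}
virtual_server group HTTP52 {
    delay_loop 3
    lb_algo rr
    lb_kind DR
    protocol TCP
    sorry_server 192.168.164.1 80
    real_server 192.168.164.10 80 {
        weight 1
    }
    real_server 192.168.164.11 80 {
        weight 1
    }
}'

# lvs_to_graph_easy: read a keepalived LVS config on stdin and print one
# graph-easy statement per virtual_server. Brace depth is tracked so nested
# real_server blocks do not end the virtual_server early. The "\n" emitted
# inside the VIP node is the graph-easy label line break used in the post.
lvs_to_graph_easy() {
  awk '
    function emit() {
      printf "[ Client ] -- GET --> [ %s\\n(%s/%s) ] -- %s --> %s\n",
             vip[cur], kind, algo, algo, reals
    }
    { opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}") }
    $1 == "virtual_server_group" { grp = $2 }
    grp != "" && $1 ~ /^[0-9.]+$/ { vip[grp] = $1 ":" $2 }   # "VIP port" line
    $1 == "virtual_server" && $2 == "group" { cur = $3; algo = "?"; kind = "?"; reals = "" }
    cur != "" && $1 == "lb_algo" { algo = $2 }
    cur != "" && $1 == "lb_kind" { kind = $2 }
    cur != "" && $1 == "real_server" {
      reals = reals (reals == "" ? "" : ", ") "[ " $2 ":" $3 " ]"
    }
    {
      depth += opens - closes
      if (depth == 0 && grp != "") grp = ""
      if (depth == 0 && cur != "") { emit(); cur = "" }
    }'
}

printf '%s\n' "$SAMPLE_LVS_CONF" | lvs_to_graph_easy
```

To render: `printf '%s\n' "$SAMPLE_LVS_CONF" | lvs_to_graph_easy | graph-easy`, or feed the real /etc/keepalived/with_lvs.conf instead.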

Install keepalived on Wheezy/Squeeze and reach a virtual IP via VRRP.

■Install keepalived on Wheezy/Squeeze and reach a virtual IP via VRRP.
 ※The procedure is the same on Wheezy and Squeeze.

$ apt-cache search vrrp
keepalived - Failover and monitoring daemon for LVS clusters
ucarp - user-space replacement to VRRP -- automatic IP fail-over
vrrpd - Virtual Router Redundancy Protocol user-space implementation

$ sudo apt-get install -y keepalived

■Configure it simply.

$ dpkg -L keepalived | grep "samples/.*.vrrp"
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.sync
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.scripts
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.routes
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.static_ipaddress
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.lvs_syncd
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.localcheck

$ cat /usr/share/doc/keepalived/samples/keepalived.conf.vrrp | \
  sudo tee /etc/keepalived/keepalived.conf > /dev/null

■First, edit the mail notification.

$ grep -B 1 -A 2 "acassen" /etc/keepalived/keepalived.conf
   notification_email {
     acassen
   }
   notification_email_from Alexandre.Cassen@firewall.loc

■Change the recipient from "acassen" to your own notification address.

$ sudo sed -i s/"acassen"/"root@`hostname -f`"/g /etc/keepalived/keepalived.conf

■For the sender, use a dummy account named role + priority.

$ sudo sed -i s/"Alexandre.Cassen@firewall.loc"/"vrrp100@`hostname -f`"/g /etc/keepalived/keepalived.conf

■Next, edit the SMTP trap settings.

$ grep -A 4 smtp_server /etc/keepalived/keepalived.conf
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
}

■Specify the SMTP server

$ sudo sed -i s/"\(smtp_server\) .*"/"\1 192.168.45.11"/ /etc/keepalived/keepalived.conf

■Comment out the router ID hostname and enable SMTP traps.
 ※It appears as the hostname in the Subject of the notification mail.
  If the two real machines share the same hostname, it is better to set "router_id".

$ man keepalived.conf | grep -A 1 "^ *router_id"
        router_id my_hostname   # string identifying the machine,
                                # (doesn't have to be hostname).

$ sudo sed -i s/"router_id LVS_DEVEL"/"# &\n   enable_traps"/ /etc/keepalived/keepalived.conf

■Use this as the base for now.

$ sudo mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.base

■Only one VI is needed, so delete the second and later ones.

$ nl -ba /etc/keepalived/keepalived.conf.base | \
  grep "vrrp_instance VI_2" | \
  awk '{print $1-1}' | \
  head -n `xargs` /etc/keepalived/keepalived.conf.base | \
  sudo tee /etc/keepalived/keepalived.conf > /dev/null

■Decide on the virtual IP.

$ grep -A 8 virtual_ipaddress /etc/keepalived/keepalived.conf
    virtual_ipaddress {
        192.168.200.16
        192.168.200.17
        192.168.200.18

        # optional label. should be of the form "realdev:sometext" for
        # compatibility with ifconfig.
        192.168.200.18 label eth0:1
    }

■Comment out the label

$ sudo sed -i s/"192.168.200.18 label eth0:1"/"# &"/ /etc/keepalived/keepalived.conf

■Comment out the IPs assigned in the sample.
 ※If you prefer viewing with "ifconfig" rather than the "ip addr" command, set the label.

$ sudo sed -i s/"\(        \)\(192.168.200.1[678]\)"/"\1# \2"/ /etc/keepalived/keepalived.conf

$ ip addr | grep 16/32
    inet 192.168.45.16/32 scope global eth1

■Assign the virtual IP.

$ sudo sed -i s/"virtual_ipaddress {"/"&\n        192.168.45.16"/ /etc/keepalived/keepalived.conf

■Change "interface eth0" to "eth1".

$ grep -A 11 vrrp_instance /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    garp_master_delay 10
    smtp_alert
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }

$ sudo sed -i s/"interface eth0"/"interface eth1"/ /etc/keepalived/keepalived.conf

■In my case, rather than "state MASTER",
 I set both to "state BACKUP" and let the priority decide the role.

$ sudo sed -i s/"state MASTER"/"state BACKUP"/ /etc/keepalived/keepalived.conf

■The slave side ends up as follows.

$ cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     root@vmdebian-slave.myhome.local
   }
   notification_email_from vrrp100@vmdebian-slave.myhome.local
   smtp_server 192.168.45.11
   smtp_connect_timeout 30
   #router_id LVS_DEVEL
   enable_traps
}


vrrp_instance VI_1 {
    state BACKUP
    interface eth1
    garp_master_delay 10
    smtp_alert
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.45.16
        # 192.168.200.16
        # 192.168.200.17
        # 192.168.200.18

        # optional label. should be of the form "realdev:sometext" for
        # compatibility with ifconfig.
        # 192.168.200.18 label eth0:1
    }
}

■Copy this to the master side, raise the priority, and change the mail From as well.
 ※The priority range is 0 to 255.

$ sudo sed -i s/"priority 100"/"priority 200"/ /etc/keepalived/keepalived.conf
$ sudo sed -i s/"vrrp100"/"vrrp200"/ /etc/keepalived/keepalived.conf

■Start the master side first
 ※While keepalived is used on its own,
  if "IPVS: Can't initialize ipvs: Protocol not available" bothers you,
  you may disable it with "dpkg-reconfigure ipvsadm".

$ sudo /etc/init.d/keepalived start

$ sudo tail -100 /var/log/syslog | grep -i "vrrp\|keepalived"
Jun 18 19:46:33 vmdebian-master Keepalived: Starting Keepalived v1.1.20 (03/24,2012)
Jun 18 19:46:33 vmdebian-master Keepalived: Starting Healthcheck child process, pid=2917
Jun 18 19:46:33 vmdebian-master Keepalived: Starting VRRP child process, pid=2918
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: Registering Kernel netlink reflector
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: Registering Kernel netlink command channel
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: Registering gratutious ARP shared channel
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: Initializing ipvs 2.6
Jun 18 19:46:33 vmdebian-master Keepalived_healthcheckers: Initializing ipvs 2.6
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: IPVS: Can't initialize ipvs: Protocol not available
Jun 18 19:46:33 vmdebian-master Keepalived_healthcheckers: IPVS: Can't initialize ipvs: Protocol not available
Jun 18 19:46:33 vmdebian-master Keepalived_healthcheckers: Registering Kernel netlink reflector
Jun 18 19:46:33 vmdebian-master Keepalived_healthcheckers: Registering Kernel netlink command channel
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: Opening file '/etc/keepalived/keepalived.conf'.
Jun 18 19:46:33 vmdebian-master Keepalived_healthcheckers: Opening file '/etc/keepalived/keepalived.conf'.
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: Configuration is using : 62958 Bytes
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: Using LinkWatch kernel netlink reflector...
Jun 18 19:46:33 vmdebian-master Keepalived_healthcheckers: Configuration is using : 7447 Bytes
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: VRRP_Instance(VI_1) Entering BACKUP STATE
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: Remote SMTP server [192.168.45.11:25] connected.
Jun 18 19:46:33 vmdebian-master Keepalived_healthcheckers: Using LinkWatch kernel netlink reflector...
Jun 18 19:46:33 vmdebian-master Keepalived_vrrp: SMTP alert successfully sent.
Jun 18 19:46:36 vmdebian-master Keepalived_vrrp: VRRP_Instance(VI_1) Transition to MASTER STATE
Jun 18 19:46:37 vmdebian-master Keepalived_vrrp: VRRP_Instance(VI_1) Entering MASTER STATE
Jun 18 19:46:37 vmdebian-master Keepalived_vrrp: Remote SMTP server [192.168.45.11:25] connected.
Jun 18 19:46:37 vmdebian-master Keepalived_vrrp: SMTP alert successfully sent.

■Two e-mails arrive, one for each of the two "SMTP alert successfully sent." entries.

From: vrrp200@vmdebian-slave.example.jp
Subject: [vmdebian-master.example.jp] VRRP Instance VI_1 - Entering BACKUP state
X-Mailer: Keepalived

=> VRRP Instance is nolonger owning VRRP VIPs <=
From: vrrp200@vmdebian-slave.example.jp
Subject: [vmdebian-master.example.jp VRRP Instance VI_1 - Entering MASTER state
X-Mailer: Keepalived

=> VRRP Instance is now owning VRRP VIPs <=

■Start the slave side

$ sudo /etc/init.d/keepalived start

$ sudo tail -100 /var/log/syslog | grep -i "vrrp\|keepalived"
Jun 18 19:49:39 vmdebian-slave Keepalived: Starting Keepalived v1.1.20 (03/24,2012)
Jun 18 19:49:39 vmdebian-slave Keepalived: Starting Healthcheck child process, pid=5138
Jun 18 19:49:39 vmdebian-slave Keepalived: Starting VRRP child process, pid=5140
Jun 18 19:49:39 vmdebian-slave Keepalived_healthcheckers: Initializing ipvs 2.6
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: Registering Kernel netlink reflector
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: Registering Kernel netlink command channel
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: Registering gratutious ARP shared channel
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: Initializing ipvs 2.6
Jun 18 19:49:39 vmdebian-slave Keepalived_healthcheckers: IPVS: Can't initialize ipvs: Protocol not available
Jun 18 19:49:39 vmdebian-slave Keepalived_healthcheckers: Registering Kernel netlink reflector
Jun 18 19:49:39 vmdebian-slave Keepalived_healthcheckers: Registering Kernel netlink command channel
Jun 18 19:49:39 vmdebian-slave Keepalived_healthcheckers: Opening file '/etc/keepalived/keepalived.conf'.
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: IPVS: Can't initialize ipvs: Protocol not available
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: Opening file '/etc/keepalived/keepalived.conf'.
Jun 18 19:49:39 vmdebian-slave Keepalived_healthcheckers: Configuration is using : 7247 Bytes
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: Configuration is using : 62758 Bytes
Jun 18 19:49:39 vmdebian-slave Keepalived_healthcheckers: Using LinkWatch kernel netlink reflector...
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: Using LinkWatch kernel netlink reflector...
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: VRRP_Instance(VI_1) Entering BACKUP STATE
Jun 18 19:49:39 vmdebian-slave Keepalived_vrrp: Remote SMTP server [192.168.45.11:25] connected.
Jun 18 19:49:39 ibm-amddebian Keepalived_vrrp: SMTP alert successfully sent.

■There is one mail-notification log entry, so a single e-mail can be confirmed.

From: vrrp100@vmdebian-slave.example.jp
Subject: [vmdebian-slave.example.jp] VRRP Instance VI_1 - Entering BACKUP state

X-Mailer: Keepalived
To: undisclosed-recipients:;

=> VRRP Instance is nolonger owning VRRP VIPs <=

■Packet capture
 After a failover it becomes "prio 100". For GARP, a network segment with no Windows hosts is better.

$ sudo tcpdump -n -i eth1 host 192.168.45.16 or vrrp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:03:09.956098 IP 192.168.45.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 200, authtype simple, intvl 1s, length 20

$ sudo tcpdump -n -i eth1 host 192.168.45.16 or vrrp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:03:09.956098 IP 192.168.45.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 200, authtype simple, intvl 1s, length 20

■Send pings and so on to refresh the ARP information while confirming that the MAC address changes.
 You can see that the master side's MAC is used preferentially.
 ※This is because keepalived's VRRP implementation does not support virtual MAC addresses.

$ sudo arp -an | grep .16\)
? (192.168.45.16) at XX:XX:XX:XX:XX:df [ether] on eth1

$ sudo /etc/init.d/keepalived stop
Stopping keepalived: keepalived.

$ sudo arp -an | grep .16\)
? (192.168.45.16) at XX:XX:XX:XX:XX:ca [ether] on eth1

$ sudo /etc/init.d/keepalived start
Stopping keepalived: keepalived.

$ sudo arp -an | grep .16\)
? (192.168.45.16) at XX:XX:XX:XX:XX:df [ether] on eth1

■Afterwards, change the default "auth_pass 1111" so that unrelated VRRP routers cannot join.
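Two checks that follow from the capture and the closing note above, added here as an example and not part of the post: vrrp_unexpected reads tcpdump lines of the form shown above and reports any advertisement whose source is not in the allow-list of known routers or whose VRID is not the expected one, and keepalived_default_auth flags a keepalived.conf that still carries the sample's "auth_pass 1111" (or no auth_pass at all). The capture lines are constructed (the third sender is invented to trigger the check) and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): defender-side checks for the VRRP setup.

# Constructed tcpdump output: the two routers from the post plus a third
# host that should not be advertising on this segment.
SAMPLE_CAPTURE='20:03:09.956098 IP 192.168.45.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 200, authtype simple, intvl 1s, length 20
20:03:10.956211 IP 192.168.45.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
20:03:11.956300 IP 192.168.45.99 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 150, authtype simple, intvl 1s, length 20'

# vrrp_unexpected "ALLOWED_SRC ..." VRID < capture
# Prints "<src> vrid=<n> prio=<p>" for every advertisement from a source
# outside the allow-list or with a VRID other than the expected one.
# Feed it live with: tcpdump -l -n -i eth1 vrrp | vrrp_unexpected ...
vrrp_unexpected() {
  awk -v allowed="$1" -v want_vrid="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /VRRPv2, Advertisement/ {
      src = $3                                   # "<time> IP <src> > 224.0.0.18: ..."
      vrid = $0; sub(/.*vrid /, "", vrid); sub(/,.*/, "", vrid)
      prio = $0; sub(/.*prio /, "", prio); sub(/,.*/, "", prio)
      if (!(src in ok) || vrid != want_vrid)
        printf "%s vrid=%s prio=%s\n", src, vrid, prio
    }'
}

# keepalived_default_auth < keepalived.conf
# Prints "default auth_pass" for each auth_pass still set to the sample 1111,
# "no auth_pass" if the file sets none; prints nothing when a non-default
# value is in place. Comment lines ("#" and "!") are skipped.
keepalived_default_auth() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*!/ { next }
    $1 == "auth_pass" { seen = 1; if ($2 == "1111") print "default auth_pass" }
    END { if (!seen) print "no auth_pass" }'
}

printf '%s\n' "$SAMPLE_CAPTURE" | vrrp_unexpected "192.168.45.10 192.168.45.11" 51
printf '    auth_type PASS\n    auth_pass 1111\n' | keepalived_default_auth
```

On the real hosts: `tcpdump -l -n -i eth1 vrrp | vrrp_unexpected "192.168.45.10 192.168.45.11" 51` and `keepalived_default_auth < /etc/keepalived/keepalived.conf`.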

Introducing VLANs on Wheezy

■Introduce VLANs on Wheezy.
 Create a tagged VLAN on bond0, an Active-Backup bond of eth0 and wlan0.

 Configure Active-Backup bonding with eth0+wlan0.
 http://d.hatena.ne.jp/labunix/20130303

 Installing vconfig on squeeze
 http://d.hatena.ne.jp/labunix/20121003

■Check the kernel options.

$ sudo apt-get install kernel-package
$ grep VLAN /usr/share/kernel-package/Config/config.`uname -m`
CONFIG_VLAN_8021Q=m

■Install "vlan".
 Loading the module is no longer required.

$ apt-cache search ^vlan
vlan - user mode programs to enable VLANs on your ethernet devices
$ sudo apt-get install -y vlan
$ dpkg -L vlan | grep bin/
/sbin/vconfig


$ sudo modprobe 8021q
$ lsmod | grep 8021q
8021q                  14118  0
garp                    4150  1 8021q

$ grep 8021q /etc/modules >/dev/null|| echo "8021q" | sudo tee -a /etc/modules
8021q

■Add manually, check, delete manually.

$ sudo vconfig add bond0 2
Added VLAN with VID == 2 to IF -:bond0:-

$  find /proc/net/vlan/ -type f -print | sudo grep . `xargs`
/proc/net/vlan/bond0.2:bond0.2  VID: 2   REORDER_HDR: 1  dev->priv_flags: 1
/proc/net/vlan/bond0.2:         total frames received            0
/proc/net/vlan/bond0.2:          total bytes received            0
/proc/net/vlan/bond0.2:      Broadcast/Multicast Rcvd            0
/proc/net/vlan/bond0.2:      total frames transmitted            0
/proc/net/vlan/bond0.2:       total bytes transmitted            0
/proc/net/vlan/bond0.2:            total headroom inc            0
/proc/net/vlan/bond0.2:           total encap on xmit            0
/proc/net/vlan/bond0.2:Device: bond0
/proc/net/vlan/bond0.2:INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
/proc/net/vlan/bond0.2: EGRESS priority mappings:
/proc/net/vlan/config:VLAN Dev name      | VLAN ID
/proc/net/vlan/config:Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
/proc/net/vlan/config:bond0.2        | 2  | bond0

■Network configuration

$  sudo vconfig rem bond0.2
Removed VLAN -:bond0.2:-

$ sudo tail -7 /etc/network/interfaces
auto bond0.2
allow-hotplug bond0.2
iface bond0.2 inet static
address XXX.XXX.XXX.111
netmask 255.255.255.0
down /sbin/vconfig rem bond0.2

$ sudo /etc/init.d/networking restart

$ env LANG=C /sbin/ifconfig bond0.2 | sed s/"\(HWaddr\).*"/"\1 dummy"/g | grep -v inet6
bond0.2   Link encap:Ethernet  HWaddr dummy
          inet addr:XXX.XXX.XXX.XXX.111  Bcast:XXX.XXX.XXX.XXX.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:6445 (6.2 KiB)

$ ip addr | grep bond0.2
10: bond0.2@bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet XXX.XXX.XXX.111/24 brd XXX.XXX.XXX.255 scope global bond0.2

Introducing RCS on Wheezy

■Install RCS on Debian Wheezy.

$ sudo apt-get install -y rcs
$ dpkg -L rcs | grep bin/
/usr/bin/merge
/usr/bin/rcs
/usr/bin/co
/usr/bin/ident
/usr/bin/rcsmerge
/usr/bin/ci
/usr/bin/rcsdiff
/usr/bin/rlog
/usr/bin/rcsclean

■Copy hosts to "~/dummy/etc" and work there.

$ sudo mkdir -p ~/dummy/etc
$ sudo cp -pi /etc/hosts ~/dummy/etc
$ test -d ~/dummy/etc && cd ~/dummy/etc
$ pwd
/home/labunix/dummy/etc
$ ls -l hosts
-rw-r--r-- 1 root root 206  59 22:32 hosts

$ sudo sed -i s/"`hostname -s`\$"/"dummy"/g hosts
$ sudo sed -i s/"`hostname -f`"/"dummy.example.jp"/g hosts

$ cat hosts
127.0.0.1       localhost
127.0.1.1       dummy.example.jp        dummy

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

■Initialize RCS

$ test -d RCS || mkdir RCS
$ rcs -i hosts
rcs: hosts,v: Permission denied

$ sudo rcs -i hosts
RCS file: hosts,v
enter description, terminated with single '.' or end of file:
NOTE: This is NOT the log message!
>> Hello RCS
>>
>> .
done

■Locking and unlocking
 "strict" is strict mode.

 Strict mode means that even the owner of the RCS file
 cannot check in a working file without holding a lock on it.

$ sudo rcs -L hosts;sudo rlog hosts | grep locks
RCS file: hosts,v
done
locks: strict

$ sudo rcs -U hosts;sudo rlog hosts | grep locks
RCS file: hosts,v
done
locks:

■Check-in and check-out
 ※Check-in is done while the file is locked.

$ sudo ci hosts;ls -l hosts
hosts,v  <--  hosts
initial revision: 1.1
done
ls: hosts にアクセスできません: そのようなファイルやディレクトリはありません

$ sudo co hosts;ls -l hosts
hosts,v  -->  hosts
revision 1.1
done
-r--r--r-- 1 root root 202  64 21:15 hosts

■Check the log

$ sudo rlog ./hosts

RCS file: ./hosts,v
Working file: ./hosts
head: 1.1
branch:
locks:
access list:
symbolic names:
keyword substitution: kv
total revisions: 1;     selected revisions: 1
description:
Hello RCS
----------------------------
revision 1.1
date: 2013/06/04 13:02:54;  author: root;  state: Exp;
Initial revision
=============================================================================

■Check the available "ident" keywords

$ man ident 2>/dev/null | grep "^       \$[A-Z][a-z].*\$"
       $Author$
       $Date$ そのリビジョンをチェックインした日付と時刻です。
       $Header$
       $Id$   RCS ファイルの名前がフルパスでないことを除いて、 $Header$,  と同
       $Locker$
       $Log$  チェックインのときに書かれたログメッセージです。 ident  の目的と
       $Name$ リビジョンをチェックアウトするときに使うシンボル名です(ないかも
       $Revision$
       $Source$
       $State$

■Make sure it is unlocked when editing.

$ sudo rcs -U hosts;sudo rlog hosts | grep locks
RCS file: hosts,v
done
locks:

$ sudo sed -i s/"^127.0.0.1"/'# $Id$'"\n"'# $Author$'"\n"'# $Log$'"\
"'# $Date$ '"\n"'# $Header$'"\n"'# $Locker$'"\n"'# $RCSfile$'"\n"'# $Revision$'"\n"'# $Source$'"\n"'# $State$'"\n&"/ hosts

$ cat hosts
# $Id$
# $Author$
# $Log$
# $Date$
# $Header$
# $Locker$
# $RCSfile$
# $Revision$
# $Source$
# $State$
127.0.0.1       localhost
127.0.1.1       dummy.example.jp        dummy

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

■You need to check in to record the update, then check out to write the file out again.
 After writing it out, lock it to protect it.

$ rlog hosts | grep lock
locks:
$ sudo ci hosts
hosts,v  <--  hosts
new revision: 1.2; previous revision: 1.1
enter log message, terminated with single '.' or end of file:
>> Add ident options.
>>
>> .
done

$ sudo co hosts
hosts,v  -->  hosts
revision 1.2
done

$ sudo rcs -L hosts;sudo rlog hosts | grep locks
RCS file: hosts,v
done
locks: strict

■It is rewritten as follows.
 As seen below, "$Id$" or "$Log$" alone is enough.

$ cat hosts
# $Id: hosts,v 1.2 2013/06/04 13:04:48 root Exp $
# $Author: root $
# $Log: hosts,v $
# Revision 1.2  2013/06/04 13:04:48  root
# Add ident options.
## $Date: 2013/06/04 13:04:48 $
# $Header: /home/labunix/dummy/etc/hosts,v 1.2 2013/06/04 13:04:48 root Exp $
# $Locker:  $
# $RCSfile: hosts,v $
# $Revision: 1.2 $
# $Source: /home/labunix/dummy/etc/hosts,v $
# $State: Exp $
127.0.0.1       localhost
127.0.1.1       dummy.example.jp    dummy

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

■Check the difference.

$ sudo rcsdiff -r1.1 -r1.2 hosts
===================================================================
RCS file: hosts,v
retrieving revision 1.1
retrieving revision 1.2
diff -r1.1 -r1.2
0a1,12
> # $Id: hosts,v 1.2 2013/06/04 13:04:48 root Exp $
> # $Author: root $
> # $Log: hosts,v $
> # Revision 1.2  2013/06/04 13:04:48  root
> # Add ident options.
> ## $Date: 2013/06/04 13:04:48 $
> # $Header: /home/labunix/dummy/etc/hosts,v 1.2 2013/06/04 13:04:48 root Exp $
> # $Locker:  $
> # $RCSfile: hosts,v $
> # $Revision: 1.2 $
> # $Source: /home/labunix/dummy/etc/hosts,v $
> # $State: Exp $

■To display it more like diff...
 "-u" here is not "unlock" but a diff option.

$ sudo rcsdiff -r1.1 -r1.2 -u hosts
===================================================================
RCS file: hosts,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hosts       2013/06/04 13:02:54     1.1
+++ hosts       2013/06/04 13:04:48     1.2
@@ -1,3 +1,15 @@
+# $Id: hosts,v 1.2 2013/06/04 13:04:48 root Exp $
+# $Author: root $
+# $Log: hosts,v $
+# Revision 1.2  2013/06/04 13:04:48  root
+# Add ident options.
+## $Date: 2013/06/04 13:04:48 $
+# $Header: /home/labunix/dummy/etc/hosts,v 1.2 2013/06/04 13:04:48 root Exp $
+# $Locker:  $
+# $RCSfile: hosts,v $
+# $Revision: 1.2 $
+# $Source: /home/labunix/dummy/etc/hosts,v $
+# $State: Exp $
 127.0.0.1      localhost
 127.0.1.1      dummy.example.jp    dummy

■So "$Log$" is adopted here.

$ sudo rcs -U hosts;sudo rlog hosts | grep locks
RCS file: hosts,v
done
locks:

$ sudo vim hosts
$ cat hosts
# $Log$
127.0.0.1       localhost
127.0.1.1       dummy.example.jp        dummy

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

$ sudo ci hosts
hosts,v  <--  hosts
new revision: 1.3; previous revision: 1.2
enter log message, terminated with single '.' or end of file:
>> Change Ident Log Only.
>>
>> .
done

$ ls
hosts,v

$ sudo co hosts
hosts,v  -->  hosts
revision 1.3
writable hosts exists; remove it? [ny](n): y
done

$ ls
hosts  hosts,v

$ sudo rcs -L hosts;sudo rlog hosts | grep locks
RCS file: hosts,v
done
locks: strict


■Show the diff between 1.1 and 1.3

$ sudo rcsdiff -r1.1 -r1.3 hosts
===================================================================
RCS file: hosts,v
retrieving revision 1.1
retrieving revision 1.3
diff -r1.1 -r1.3
0a1,4
> # $Log: hosts,v $
> # Revision 1.3  2013/06/04 13:08:03  root
> # Change Ident Log Only.
> #

■1.2 is no longer needed.

$ sudo rcs -U hosts;sudo rlog hosts | grep locks
RCS file: hosts,v
done
locks:

$ sudo rcs -o1.2 hosts
RCS file: hosts,v
deleting revision 1.2
done

$ sudo rcs -L hosts;sudo rlog hosts | grep locks
RCS file: hosts,v
done
locks: strict

■The change record for 1.2 is gone: "rcs -o" outdates the revision together with its log message, and nothing left in the archive records that it ever existed.

$ sudo rlog hosts

RCS file: hosts,v
Working file: hosts
head: 1.3
branch:
locks: strict
access list:
symbolic names:
keyword substitution: kv
total revisions: 2;     selected revisions: 2
description:
Hello RCS
----------------------------
revision 1.3
date: 2013/06/04 13:08:03;  author: root;  state: Exp;  lines: +1 -0
Change Ident Log Only.
----------------------------
revision 1.1
date: 2013/06/04 13:02:54;  author: root;  state: Exp;
Initial revision
=============================================================================

■To see who holds a lock, "grep lock" is enough (a held lock is listed as an indented "user: revision" line under "locks:").
 Also, a locked revision cannot be outdated even by the archive's owner, so the change fails.
 
$ sudo rlog hosts | grep lock
locks: strict

$ sudo rcs -o1.3 hosts
RCS file: hosts,v
rcs: hosts,v: can't remove locked revision 1.3

■After all, let's use "$Id$", which fits on one line.

$ sudo rcs -U hosts;sudo rlog hosts | grep locks
RCS file: hosts,v
done
locks:

$ sudo vim hosts
$ cat hosts
# $Id$
127.0.0.1       localhost
127.0.1.1       dummy.example.jp    dummy

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

$ sudo ci hosts
hosts,v  <--  hosts
new revision: 1.4; previous revision: 1.3
enter log message, terminated with single '.' or end of file:
>> Change indent Log to Id.
>> .
done

$ sudo co hosts
hosts,v  -->  hosts
revision 1.4
done

$ cat hosts
# $Id: hosts,v 1.4 2013/06/04 13:12:05 root Exp $
127.0.0.1       localhost
127.0.1.1       dummy.example.jp    dummy

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

■Merge: rcsmerge applies the changes between 1.1 and 1.4 to the working file. The working file is already at 1.4, so nothing changes and no conflict is reported.

$ sudo rcsmerge -r1.1 -r1.4 hosts
RCS file: hosts,v
retrieving revision 1.1
retrieving revision 1.4
Merging differences between 1.1 and 1.4 into hosts

$ rlog hosts

RCS file: hosts,v
Working file: hosts
head: 1.4
branch:
locks:
access list:
symbolic names:
keyword substitution: kv
total revisions: 3;     selected revisions: 3
description:
Hello RCS
----------------------------
revision 1.4
date: 2013/06/04 13:12:05;  author: root;  state: Exp;  lines: +1 -1
Change indent Log to Id.
----------------------------
revision 1.3
date: 2013/06/04 13:08:03;  author: root;  state: Exp;  lines: +1 -0
Change Ident Log Only.
----------------------------
revision 1.1
date: 2013/06/04 13:02:54;  author: root;  state: Exp;
Initial revision
=============================================================================

$ sudo rcs -o1.1 hosts
RCS file: hosts,v
deleting revision 1.1
done
$ sudo rcs -o1.3 hosts
RCS file: hosts,v
deleting revision 1.3
done

■Made a mistake: "-s" sets the state, not the revision number, so 1.5 was created with state "1.0" (the last field of its "$Id$" below). Roll back by checking out 1.4 and outdating 1.5.

$ sudo ci -s1.0 hosts
hosts,v  <--  hosts
new revision: 1.5; previous revision: 1.4
enter log message, terminated with single '.' or end of file:
>> 1.0 release.
>>
>> .
done

$ sudo co hosts
hosts,v  -->  hosts
revision 1.5
done

$ cat hosts
# $Id: hosts,v 1.5 2013/06/04 13:20:48 root 1.0 $
127.0.0.1       localhost
127.0.1.1       dummy.example.jp    dummy

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

$ sudo co -r1.4 hosts
hosts,v  -->  hosts
revision 1.4
writable hosts exists; remove it? [ny](n): y
done

$ cat hosts
# $Id: hosts,v 1.4 2013/06/04 13:12:05 root Exp $
127.0.0.1       localhost
127.0.1.1       dummy.example.jp    dummy

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

$ sudo rcs -o1.5 hosts
RCS file: hosts,v
deleting revision 1.5
done

■Force the revision number to 1.0 and set the state to "rel".
 ※Editing the ",v" archive with sed like this is only viable for a single local user; with several people involved it would be a mess.
 Note also that the archive is plain text with no checksum, so anyone with write access to it can rewrite history unnoticed,
 and that "1.4" is an unescaped pattern ("." matches any character) applied with "g" to every occurrence, including inside expanded keyword text.

$ sudo sed -i s/"1.4"/"0.0"/g hosts,v
$ rlog hosts

RCS file: hosts,v
Working file: hosts
head: 0.0
branch:
locks:
access list:
symbolic names:
keyword substitution: kv
total revisions: 1;     selected revisions: 1
description:
Hello RCS
----------------------------
revision 0.0
date: 2013/06/04 13:12:05;  author: root;  state: Exp;
Change indent Log to Id.
=============================================================================

$ sudo ci -srel -r1.0 hosts
hosts,v  <--  hosts
new revision: 1.0; previous revision: 0.0
enter log message, terminated with single '.' or end of file:
>> 1st release.
>> .
done

$ sudo co hosts
hosts,v  -->  hosts
revision 1.0
done

$ sudo rcs -o0.0 hosts
RCS file: hosts,v
deleting revision 0.0
done

$ cat hosts
# $Id: hosts,v 1.0 2013/06/04 13:32:29 root rel $
127.0.0.1       localhost
127.0.1.1       lpic303.test.local      lpic303

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

$ sudo rlog hosts

RCS file: hosts,v
Working file: hosts
head: 1.0
branch:
locks:
access list:
symbolic names:
keyword substitution: kv
total revisions: 1;     selected revisions: 1
description:
Hello RCS
----------------------------
revision 1.0
date: 2013/06/04 13:32:29;  author: root;  state: rel;
1st release.
=============================================================================


$ sudo rcs -L ./hosts
RCS file: ./hosts,v
done

$ sudo rlog ./hosts

RCS file: ./hosts,v
Working file: ./hosts
head: 1.0
branch:
locks: strict
access list:
symbolic names:
keyword substitution: kv
total revisions: 1;     selected revisions: 1
description:
Hello RCS
----------------------------
revision 1.0
date: 2013/06/04 13:32:29;  author: root;  state: rel;
1st release.
============================================================================
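The checks this section performs by hand (does the checked-out file carry the head revision, is that revision in the release state, is anyone holding a lock, is locking strict) can be scripted. The following is an added example and not code from the original post: it parses an expanded "$Id$"/"$Header$" line and rlog output and reports every mismatch. The sample strings are constructed from the transcript above; the function names and the "rel" state name are this example's own choices. It detects inconsistencies only: because the ",v" archive is plain text with no checksum, an in-place edit like the sed above leaves nothing for it to notice.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the $Id$ line of a released working file, in the form this page
# shows ("$Id: file,v revision date time author state [locker] $").
SAMPLE_ID_LINE = "# $Id: hosts,v 1.0 2013/06/04 13:32:29 root rel $"

# Constructed sample: rlog output for the matching hosts,v archive.
SAMPLE_RLOG = """\
RCS file: ./hosts,v
Working file: ./hosts
head: 1.0
branch:
locks: strict
access list:
symbolic names:
keyword substitution: kv
total revisions: 1;     selected revisions: 1
description:
Hello RCS
----------------------------
revision 1.0
date: 2013/06/04 13:32:29;  author: root;  state: rel;
1st release.
=============================================================================
"""

# Expanded $Id$ / $Header$: file, revision, date, time, author, state and, when the
# working file was checked out with a lock, the locker's name.
ID_RE = re.compile(
    r"\$(?:Id|Header):\s+(?P<file>\S+)\s+(?P<rev>[\d.]+)\s+(?P<date>\S+)\s+(?P<time>\S+)"
    r"\s+(?P<author>\S+)\s+(?P<state>\S+)(?:\s+(?P<locker>\S+))?\s+\$"
)
# The "date: ...; author: ...; state: ...;" line rlog prints under each revision.
REV_RE = re.compile(r"^date: (?P<date>[^;]+);\s+author: (?P<author>[^;]+);\s+state: (?P<state>[^;]+);")

@dataclass
class Revision:
    rev: str
    date: str
    author: str
    state: str
    message: str

@dataclass
class RlogInfo:
    head: str = ""
    strict: bool = False
    locks: Dict[str, str] = field(default_factory=dict)   # locker -> locked revision
    revisions: List[Revision] = field(default_factory=list)

def parse_rlog(text: str) -> RlogInfo:
    """Read head, locking mode, held locks and the revision list from rlog output."""
    info = RlogInfo()
    lines = text.splitlines()
    i = 0
    while i < len(lines) and not lines[i].startswith("----"):      # header block
        if lines[i].startswith("head:"):
            info.head = lines[i].split(":", 1)[1].strip()
        elif lines[i].startswith("locks:"):
            info.strict = "strict" in lines[i]
            i += 1
            while i < len(lines) and lines[i][:1] in ("\t", " "):   # "\tuser: revision" lines
                user, rev = lines[i].strip().split(":", 1)
                info.locks[user.strip()] = rev.strip()
                i += 1
            continue
        i += 1
    while i < len(lines):                                           # one block per revision
        if not lines[i].startswith("----"):
            i += 1
            continue
        rev = lines[i + 1].split()[1]        # "revision 1.0", or "revision 1.3\tlocked by: root;"
        hdr = REV_RE.match(lines[i + 2])
        if hdr is None:
            raise ValueError(f"unexpected rlog line: {lines[i + 2]!r}")
        i += 3
        msg = []
        while i < len(lines) and not lines[i].startswith(("----", "====")):
            msg.append(lines[i])
            i += 1
        info.revisions.append(Revision(rev, hdr["date"].strip(), hdr["author"].strip(),
                                       hdr["state"].strip(), "\n".join(msg)))
    return info

def check_release(id_line: str, rlog_text: str, release_state: str = "rel") -> List[str]:
    """Return every reason the working file is not the archive's released, unlocked head."""
    m = ID_RE.search(id_line)
    if m is None:
        return ["working file carries no expanded $Id$/$Header$ keyword"]
    info = parse_rlog(rlog_text)
    findings = []
    if m["rev"] != info.head:
        findings.append(f"working file is revision {m['rev']} but archive head is {info.head}")
    head = next((r for r in info.revisions if r.rev == info.head), None)
    if head is None:
        findings.append(f"head revision {info.head} is not listed by rlog")
    elif head.state != release_state:
        findings.append(f"head revision {info.head} has state {head.state!r}, expected {release_state!r}")
    if m["state"] != release_state:
        findings.append(f"working file state is {m['state']!r}, expected {release_state!r}")
    if not info.strict:
        findings.append("non-strict locking: the archive owner may check in without holding a lock")
    for user, rev in info.locks.items():
        findings.append(f"revision {rev} is locked by {user}")
    return findings

if __name__ == "__main__":
    for line in check_release(SAMPLE_ID_LINE, SAMPLE_RLOG) or ["OK: released head revision, no locks"]:
        print(line)
```

Feed it the first line of a deployed file and the output of "rlog file": an empty result means the file is the released head with no lock outstanding, which is the state the section above reaches by hand.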

Setting ACLs inside a cryptmount partition

■Setting ACLs inside a cryptmount partition.

 Installing dm_crypt on Debian Wheezy
 http://d.hatena.ne.jp/labunix/20130516

 About cryptsetup encryption modes
 http://d.hatena.ne.jp/labunix/20130526

■First, open the encrypted device

$ sudo cryptsetup luksOpen luks.img luks
Enter passphrase for /home/labunix/luks.img:

■The actual device behind it is /dev/dm-0.

$ ls -l /dev/mapper/luks
lrwxrwxrwx 1 root root 7 May 29 08:55 /dev/mapper/luks -> ../dm-0

$ test -d /media/luksfs || sudo mkdir /media/luksfs
$ sudo mount /dev/dm-0 /media/luksfs

■It is ext2, yet it is mounted with the acl option without asking for it.
 That comes from the default mount options written into the superblock at mkfs time (Debian's mke2fs.conf adds acl,user_xattr);
 check with "tune2fs -l /dev/mapper/luks | grep 'Default mount options'".

$ mount | grep luks
/dev/mapper/luks on /media/luksfs type ext2 (rw,relatime,errors=continue,user_xattr,acl)

■Prepare a directory for the user

$ sudo mkdir /media/luksfs/`whoami`
$ sudo chown labunix:labunix /media/luksfs/`whoami`
$ ls -ld /media/luksfs/labunix/
drwxr-xr-x 2 labunix labunix 1024 May 29 09:00 /media/luksfs/labunix/

■Check the starting ACL: only the three base entries mirroring the mode bits.
 (Not to be confused with POSIX "default:" ACL entries, which are the inheritable ones.)

$ getfacl /media/luksfs/labunix/
getfacl: Removing leading '/' from absolute path names
# file: media/luksfs/labunix/
# owner: labunix
# group: labunix
user::rwx
group::r-x
other::r-x

■First test ("--test" prints the resulting ACL without applying it), then add the user entry.

$ setfacl --test -m user:labunix:rwx /media/luksfs/labunix/
/media/luksfs/labunix/: u::rwx,u:labunix:rwx,g::r-x,m::rwx,o::r-x,*

$ setfacl -m user:labunix:rwx /media/luksfs/labunix/

■The user entry was added. labunix already owns the directory, so "user:labunix:rwx" grants nothing new;
 what matters is that adding a named entry also created "mask::", which from now on caps every named-user,
 named-group and "group::" entry.

$ getfacl /media/luksfs/labunix/
getfacl: Removing leading '/' from absolute path names
# file: media/luksfs/labunix/
# owner: labunix
# group: labunix
user::rwx
user:labunix:rwx
group::r-x
mask::rwx
other::r-x

■Remove the group and other permissions

$ setfacl --test -m group::- /media/luksfs/labunix/
/media/luksfs/labunix/: u::rwx,u:labunix:rwx,g::---,m::rwx,o::r-x,*

$ setfacl -m group::- /media/luksfs/labunix/
$ setfacl -m other::- /media/luksfs/labunix/

■The group (and other) permissions are gone. "mask::rwx" remains, and it is what "ls -l" now displays in the group triplet.

$ getfacl /media/luksfs/labunix/
getfacl: Removing leading '/' from absolute path names
# file: media/luksfs/labunix/
# owner: labunix
# group: labunix
user::rwx
user:labunix:rwx
group::---
mask::rwx
other::---

■Create a subdirectory. The ACL was not inherited: only "default:" entries (set with "setfacl -d -m ...") propagate to new children, and none were set.

$ mkdir /media/luksfs/labunix/Hello
$ getfacl /media/luksfs/labunix/Hello/
getfacl: Removing leading '/' from absolute path names
# file: media/luksfs/labunix/Hello/
# owner: labunix
# group: labunix
user::rwx
group::r-x
other::r-x

■To change recursively, add "-R". The "user:labunix:rwx" entry that appears on Hello below comes from also running the tested command without "--test".

$ setfacl --test -R -m user:labunix:rwx /media/luksfs/labunix/
/media/luksfs/labunix/: *,*
/media/luksfs/labunix//Hello: u::rwx,u:labunix:rwx,g::r-x,m::rwx,o::r-x,*

$ setfacl -R -m group::- /media/luksfs/labunix/
$ setfacl -R -m other::- /media/luksfs/labunix/

$ getfacl /media/luksfs/labunix/Hello/
getfacl: Removing leading '/' from absolute path names
# file: media/luksfs/labunix/Hello/
# owner: labunix
# group: labunix
user::rwx
user:labunix:rwx
group::---
mask::rwx
other::---

■Other users cannot read it; only paths where the ordinary group/other bits grant access (the home directory here) stay readable.
 The "+" after the mode marks an extended ACL, and the group triplet now shows the mask (rwx), not the "group::" entry (---).

$ ls -ld /media/luksfs/labunix/
drwxrwx---+ 3 labunix labunix 1024 May 29 09:11 /media/luksfs/labunix/

$ sudo -u toor ls /media/luksfs/labunix/
ls: cannot open directory /media/luksfs/labunix/: Permission denied

$ sudo -u toor ls -ld ~/
drwxr-xr-x 12 labunix labunix 4096 May 28 22:28 /home/labunix/

■Remount without the acl option

$ sudo umount /media/luksfs
$ sudo mount -o rw,noacl /dev/dm-0 /media/luksfs/
$ mount | grep luks
/dev/mapper/luks on /media/luksfs type ext2 (rw,relatime,errors=continue,user_xattr,noacl)

■toor is still refused, but only because the plain mode bits happen to deny it:
 with noacl the kernel ignores the ACL entirely (the "+" is gone), and the "rwx" in the group triplet is the old mask,
 so a member of group labunix, who was "group::---" under the ACL, would now get rwx. setfacl itself is refused on this mount.

$ ls -l /media/luksfs/labunix/
total 2
drwxrwx--- 3 labunix labunix 1024 May 29 09:18 Hello
$ ls -l /media/luksfs/labunix/Hello/
total 2
drwxr-xr-x 2 labunix labunix 1024 May 29 09:18 World

$ sudo -u toor ls -l /media/luksfs/labunix/
ls: cannot open directory /media/luksfs/labunix/: Permission denied
$ sudo -u toor ls -l /media/luksfs/labunix/Hello/
ls: cannot access /media/luksfs/labunix/Hello/: Permission denied

$ setfacl -m user:toor:r /media/luksfs/labunix/
setfacl: /media/luksfs/labunix/: Operation not supported (localized message)
$ env LANG=C setfacl -m user:toor:r /media/luksfs/labunix/
setfacl: /media/luksfs/labunix/: Operation not supported

■Remount with the acl option.

$ sudo umount /media/luksfs
$ sudo mount /dev/dm-0 /media/luksfs/
$ mount | grep luks
/dev/mapper/luks on /media/luksfs type ext2 (rw,relatime,errors=continue,user_xattr,acl)

■This time it was set correctly.

$ env LANG=C setfacl -m user:toor:r /media/luksfs/labunix/
$ getfacl /media/luksfs/labunix/
getfacl: Removing leading '/' from absolute path names
# file: media/luksfs/labunix/
# owner: labunix
# group: labunix
user::rwx
user:labunix:rwx
user:toor:r--
group::---
mask::rwx
other::---
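What the remount experiment above shows (the "+" and the mask in the "ls -l" group triplet, toor being refused, the ACL being ignored under noacl, and a subdirectory inheriting nothing without "default:" entries) can be reproduced from the getfacl output alone. The following is an added example and not code from the original post: it parses a getfacl block and evaluates the POSIX ACL algorithm for a given user, with the ACL applied and with it ignored as a noacl mount does. The function names and the user "alice" (a hypothetical member of group labunix) are this example's own; the sample block is the final getfacl output above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RWX = {"r", "w", "x"}

# Constructed sample: the getfacl output this section ends with.
SAMPLE_GETFACL = """\
# file: media/luksfs/labunix/
# owner: labunix
# group: labunix
user::rwx
user:labunix:rwx
user:toor:r--
group::---
mask::rwx
other::---
"""

def perm_set(s: str) -> Set[str]:
    return {c for c in s if c in RWX}

def triplet(p: Set[str]) -> str:
    return "".join(c if c in p else "-" for c in "rwx")

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: Set[str] = field(default_factory=set)    # user::
    group_obj: Set[str] = field(default_factory=set)   # group::
    other: Set[str] = field(default_factory=set)       # other::
    mask: Optional[Set[str]] = None                    # mask::, present only on an extended ACL
    named_users: Dict[str, Set[str]] = field(default_factory=dict)
    named_groups: Dict[str, Set[str]] = field(default_factory=dict)
    defaults: List[str] = field(default_factory=list)  # default:* entries: the only ones new children inherit

def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl(1) block."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):                       # "# owner: x" / "# group: y" header lines
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = value.strip()
            elif key.strip() == "group":
                acl.group = value.strip()
            continue
        line = line.split("#", 1)[0].strip()           # drop "#effective:..." annotations
        if line.startswith("default:"):
            acl.defaults.append(line)
            continue
        parts = line.split(":")
        if len(parts) < 3:                             # blank line or the "getfacl: Removing leading" notice
            continue
        tag, qualifier, p = parts[0], parts[1], perm_set(parts[2])
        if tag == "user":
            if qualifier:
                acl.named_users[qualifier] = p
            else:
                acl.user_obj = p
        elif tag == "group":
            if qualifier:
                acl.named_groups[qualifier] = p
            else:
                acl.group_obj = p
        elif tag == "mask":
            acl.mask = p
        elif tag == "other":
            acl.other = p
    return acl

def allowed(acl: Acl, user: str, groups: Set[str], want: str, acl_enabled: bool = True) -> bool:
    """POSIX ACL check in kernel order: owner, named user, group class, other.
    Named-user and group entries are capped by the mask; in the group class a single
    entry must grant all of `want`, and a match without enough permission does not
    fall through to other::. acl_enabled=False models a noacl mount: only the mode
    bits apply, and on an extended ACL the mode's group bits hold the mask."""
    need = perm_set(want)
    extended = acl.mask is not None
    if not acl_enabled:
        if user == acl.owner:
            granted = acl.user_obj
        elif acl.group in groups:
            granted = acl.mask if extended else acl.group_obj
        else:
            granted = acl.other
        return need <= granted
    mask = acl.mask if extended else RWX
    if user == acl.owner:
        return need <= acl.user_obj                    # the owner entry is never masked
    if user in acl.named_users:
        return need <= (acl.named_users[user] & mask)
    entries = [acl.group_obj] if acl.group in groups else []
    entries += [p for g, p in acl.named_groups.items() if g in groups]
    if entries:
        return any(need <= (p & mask) for p in entries)
    return need <= acl.other

def effective(acl: Acl, user: str, groups: Set[str], acl_enabled: bool = True) -> str:
    """The rwx triplet the caller really gets, bit by bit."""
    return "".join(c if allowed(acl, user, groups, c, acl_enabled) else "-" for c in "rwx")

def ls_mode(acl: Acl) -> str:
    """What ls -l shows: on an extended ACL the middle triplet is the mask and a '+' is appended."""
    group_bits = acl.mask if acl.mask is not None else acl.group_obj
    return triplet(acl.user_obj) + triplet(group_bits) + triplet(acl.other) + ("+" if acl.mask is not None else "")

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("mode:", ls_mode(acl), "| inherits to new children:", bool(acl.defaults))
    # "alice" is a hypothetical member of group labunix, not a user from the page.
    for who, grps in (("labunix", {"labunix"}), ("toor", {"toor"}), ("alice", {"labunix"})):
        print(f"{who:8} acl={effective(acl, who, grps)}  noacl={effective(acl, who, grps, acl_enabled=False)}")
```

The third line of the output is the pitfall of the noacl remount: alice, denied by "group::---" while the ACL is honoured, gets the mask's rwx as soon as the filesystem is mounted noacl, because the mode's group bits store the mask rather than "group::". toor goes the other way, from r-- to nothing, since a named-user entry has no mode-bit fallback.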