\documentclass[DIV=12,%
BCOR=0mm,%
headinclude=false,%
footinclude=false,open=any,%
fontsize=10pt,%
oneside,%
paper=210mm:11in]%
{scrbook}
\usepackage[noautomatic]{imakeidx}
\usepackage{microtype}
\usepackage{graphicx}
\usepackage{alltt}
\usepackage{verbatim}
\usepackage[shortlabels]{enumitem}
\usepackage{tabularx}
\usepackage[normalem]{ulem}
% Strike-out helper built on ulem: opens a group, sets \ULdepth to -.55ex
% and starts the line with \ULset.
\def\hsout{\bgroup \ULdepth=-.55ex \ULset}
% https://tex.stackexchange.com/questions/22410/strikethrough-in-section-title
% Unclear whether \protect\hsout is needed; it does not look so.
% \sout is declared robust so it can appear in section titles (see the link
% above); \texorpdfstring hands hyperref the plain argument for PDF strings
% and typesets the struck-out form in the document itself.
\DeclareRobustCommand{\sout}[1]{\texorpdfstring{\hsout{#1}}{#1}}
\usepackage{wrapfig}
% avoid breakage on multiple <br><br> and avoid the next [] to be eaten
% Forced line break: \strut gives \\ a line to end, \\* forbids a page break
% after the line, and the trailing {} keeps a following [..] from being read
% as the optional argument of \\.
\newcommand*{\forcelinebreak}{\strut\\*{}}
% Horizontal rule across the line, with \bigskip before and after it.
\newcommand*{\hairline}{%
\bigskip%
\noindent \hrulefill%
\bigskip%
}
% reverse indentation for biblio and play
% Both environments have the same body: \leftskip is set to \parindent and
% \parindent is negated, so the first line of a paragraph starts at the
% original margin and the following lines are indented (hanging indent).
\newenvironment*{amusebiblio}{
\leftskip=\parindent
\parindent=-\parindent
\smallskip
\indent
}{\smallskip}
\newenvironment*{amuseplay}{
\leftskip=\parindent
\parindent=-\parindent
\smallskip
\indent
}{\smallskip}
% A slash followed by a zero-width \hspace, which gives TeX a place to
% break the line after the slash.
\newcommand*{\Slash}{\slash\hspace{0pt}}
% http://tex.stackexchange.com/questions/3033/forcing-linebreaks-in-url
\PassOptionsToPackage{hyphens}{url}\usepackage[hyperfootnotes=false,hidelinks,breaklinks=true]{hyperref}
\usepackage{bookmark}
\usepackage[english,shorthands=off]{babel}
\babelfont{rm}[Path=/home/wiki/.fonts/cm-unicode/,%
BoldFont=cmunbx.otf,%
BoldItalicFont=cmunbi.otf,%
ItalicFont=cmunti.otf]{cmunrm.otf}
\babelfont{tt}[Scale=MatchLowercase,%
Path=/home/wiki/.fonts/cm-unicode/,%
BoldFont=cmuntb.otf,%
BoldItalicFont=cmuntx.otf,%
ItalicFont=cmunit.otf]{cmuntt.otf}
\babelfont{sf}[Scale=MatchLowercase,%
Path=/home/wiki/.fonts/cm-unicode/,%
BoldFont=cmunsx.otf,%
BoldItalicFont=cmunso.otf,%
ItalicFont=cmunsi.otf]{cmunss.otf}
% part pages use the empty page style
\renewcommand*{\partpagestyle}{empty}
% global style
\pagestyle{plain}
% indent the first paragraph after a heading as well
\usepackage{indentfirst}
% remove the numbering
\setcounter{secnumdepth}{-2}
% remove labels from the captions
\renewcommand*{\captionformat}{}
\renewcommand*{\figureformat}{}
\renewcommand*{\tableformat}{}
% captions are placed below figures, short captions get no special one-line
% treatment, and \centering is added to the caption font
\KOMAoption{captions}{belowfigure,nooneline}
\addtokomafont{caption}{\centering}
% footnote layout: mark box 3em wide, text indent 0em, paragraph indent 4em;
% the mark is a superscript followed by a non-breaking space
\deffootnote[3em]{0em}{4em}{\textsuperscript{\thefootnotemark}~}
% headings and description labels in the roman family
\addtokomafont{disposition}{\rmfamily}
\addtokomafont{descriptionlabel}{\rmfamily}
% no extra space after sentence-ending punctuation
\frenchspacing
% avoid vertical glue
\raggedbottom
% this will generate overfull boxes, so we need to set a tolerance
% \pretolerance=1000
% pretolerance is what is accepted for a paragraph without
% hyphenation, so it makes sense to be strict here and let the user
% tweak the tolerance instead.
\tolerance=200
% Additional tolerance for bad paragraphs only
\setlength{\emergencystretch}{30pt}
% (try to) forbid widows/orphans
\clubpenalty=10000
\widowpenalty=10000
% given that we said footinclude=false, this should be safe
\setlength{\footskip}{2\baselineskip}
\setlength{\parindent}{15pt}
\title{Debian\Slash{}Linux Administration}
\date{}
\author{Stefan Hornburg (Racke)}
\subtitle{}
% https://groups.google.com/d/topic/comp.text.tex/6fYmcVMbSbQ/discussion
\hypersetup{%
pdfencoding=auto,
pdftitle={Debian\Slash{}Linux Administration},%
pdfauthor={Stefan Hornburg (Racke)},%
pdfsubject={},%
pdfkeywords={Debian; tail; Linux; Apt; dpkg; Ubuntu; fail2ban; Libvirt}%
}
\begin{document}
\begin{titlepage}
\strut\vskip 2em
\begin{center}
{\usekomafont{title}{\huge Debian\Slash{}Linux Administration\par}}%
\vskip 1em
\vskip 2em
{\usekomafont{author}{Stefan Hornburg (Racke)\par}}%
\vskip 1.5em
\vfill
\strut\par
\end{center}
\end{titlepage}
\cleardoublepage
\tableofcontents
% start a new right-handed page
\cleardoublepage
systemd is covered in a
\href{https://wiki.linuxia.de/library/stefan-hornburg-racke-systemd-en}{separate document}.
\chapter{Logging}
Watch log file entries for sympa and postfix services (analogous to \texttt{tail -f}):
\begin{alltt}
journalctl -u sympa.service -u postfix.service -f
\end{alltt}
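Test remote syslog server (by default \texttt{logger} tries UDP first, and a lost UDP message produces no error, so check on the server that the entry arrived):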
\begin{alltt}
\textasciitilde{}\# logger --server=audit.intern -P 40615 "Test Splunk connnection"
\end{alltt}
\chapter{Recommended Debian packages}
\section{cron-apt}
\section{etckeeper}
On Ubuntu, the preconfigured VCS is \texttt{bzr}. In order to use Git, please edit the VCS lines
in \texttt{/etc/etckeeper/etckeeper.conf}:
\begin{alltt}
\# The VCS to use.
\#VCS="hg"
VCS="git"
\#VCS="bzr"
\#VCS="darcs"
\end{alltt}
After that, run \texttt{etckeeper init} to set up the Git repository.
\section{fail2ban}
See \hyperref{}{amuse}{fail2ban}{Fail2ban} below. An alternative to Fail2ban is \href{https://www.sshguard.net/}{SSHGuard}.
\section{ferm}
Check configuration file for errors:
\begin{alltt}
ferm --noexec /etc/ferm/ferm.conf
\end{alltt}
Show the \emph{iptables} commands before they are executed:
\begin{alltt}
ferm --lines /etc/ferm/ferm.conf
\end{alltt}
\section{needrestart}
\section{screen}
\chapter{Security}
\section{Fail2ban}
\hyperdef{amuse}{fail2ban}{}%
\label{textamuse:fail2ban}%
Fail2ban activates only the \emph{sshd} jail by default:
\begin{alltt}
\$ fail2ban-client status
Status
\textbar{}- Number of jail: 1
`- Jail list: sshd
\end{alltt}
\section{Unban an IP address}
\begin{alltt}
\$ fail2ban-client set nextcloud unbanip 93.184.216.34
93.184.216.34
\end{alltt}
\chapter{SSH}
\section{Password authentication}
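Turn off password authentication in \texttt{/etc/ssh/sshd\_config} (password prompts through PAM are controlled separately by \texttt{KbdInteractiveAuthentication}, so check that option too; \texttt{sshd -t} validates the file before the service is reloaded):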
\begin{alltt}
PasswordAuthentication No
\end{alltt}
\section{Conditions}
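Allow the weak \texttt{ssh-rsa} algorithm (RSA signatures with SHA-1) for the old server only. In \texttt{sshd\_config}, \texttt{Match Address} is evaluated against the address the connection comes from: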
\begin{alltt}
Match Address 10.11.12.13
PubkeyAcceptedAlgorithms +ssh-rsa
\end{alltt}
Negation:
\begin{alltt}
Match Address *,!10.11.12.13
PasswordAuthentication no
\end{alltt}
\section{Remove host keys}
By domain:
\begin{alltt}
\$ ssh-keygen -R foo.linuxia.de
\end{alltt}
By IP and port:
\begin{alltt}
\$ ssh-keygen -R '[10.11.12.137]:77127'
\end{alltt}
\chapter{Networking}
\section{TCP and Unix Sockets}
Show listening TCP sockets (long and short form):
\begin{alltt}
ss --listen --tcp
ss -l -t
\end{alltt}
See also: \href{https://wiki.linuxia.de/library/stefan-hornburg-racke-move-old-files-to-another-directory-with-find\#text-amuse-label-lsofnetconns}{lsof}
\hyperdef{amuse}{tcdumpsshout}{}%
\label{textamuse:tcdumpsshout}%
Outgoing SSH connections from server with the IP \texttt{146.0.35.17} through network interface \texttt{eth0}:
\begin{alltt}
tcpdump -i eth0 port 22 and 'tcp[tcpflags] == tcp-syn' and src 146.0.35.17
\end{alltt}
\section{UDP}
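Display UDP packets going to another server \emph{foomachine} (the filter below matches all IP traffic to and from that host; prefix it with \texttt{udp and} to see UDP only):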
\begin{alltt}
tcpdump -i eth0 ip host foomachine
\end{alltt}
\section{Network Manager}
The commandline tool \texttt{nmcli} may show you the list of wireless networks with the following command:
\begin{alltt}
\$ nmcli dev wifi list
\end{alltt}
Be aware that this shows you an \textbf{empty list} (without an error message) when the \emph{wpa\_supplicant} service is not running.
To show a list of connections:
\begin{alltt}
\$ nmcli con show
\end{alltt}
\section{Resources}
\href{https://blog.packagecloud.io/eng/2017/02/06/monitoring-tuning-linux-networking-stack-sending-data/}{Monitoring and Tuning the Linux Networking Stack: Sending Data}
\chapter{Libvirt}
\section{Domains}
Show all domains:
\begin{alltt}
\textasciitilde{}\# virsh list
Id Name State
---------------------------------------
4 buster-test-box running
\end{alltt}
\section{Networks}
Show network list:
\begin{alltt}
\textasciitilde{}\# virsh net-list
Name State Autostart Persistent
----------------------------------------------------
default active no yes
vagrant-libvirt active no yes
\end{alltt}
Show network info:
\begin{alltt}
\textasciitilde{}\# virsh net-info default
Name: default
UUID: 0532c102-48d1-4c0e-a8f3-1024a83b3f4a
Active: yes
Persistent: yes
Autostart: no
Bridge: virbr0
\end{alltt}
Show info on DHCP leases:
\begin{alltt}
\textasciitilde{}\# virsh net-dhcp-leases default
\end{alltt}
\chapter{Apt}
\section{Installation from package file}
You need to pass the path to the package file. It doesn't work with the
filename only.
\begin{alltt}
apt install ./containerd\_1.4.4\textasciitilde{}ds1-1\_amd64.deb
\end{alltt}
This also allows you to install multiple package files:
\begin{alltt}
apt install /usr/local/pkgs/*.deb
\end{alltt}
\section{Repositories}
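To use Debian repositories on Ubuntu, install the package \emph{debian-archive-keyring} first.
After that you need to add the required key to the trusted keys (\href{https://wiki.debian.org/SecureApt}{\texttt{https://wiki.debian.org/SecureApt}}).
Be aware that \texttt{apt-key} is deprecated and that a key added with it is trusted for all configured repositories; where the APT version supports it, restricting the key to the Debian entries with the \texttt{signed-by} option in the sources list is the narrower choice.
With \texttt{apt-key}, e.g.: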
\begin{alltt}
apt-key add /usr/share/keyrings/debian-archive-stretch-stable.gpg
\end{alltt}
\section{Show all versions of a package}
\begin{alltt}
\$ apt-cache madison gitlab-runner
gitlab-runner \textbar{} 15.0.0 \textbar{} https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal/main amd64 Packages
gitlab-runner \textbar{} 14.10.1 \textbar{} https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal/main amd64 Packages
gitlab-runner \textbar{} 14.10.0 \textbar{} https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal/main amd64 Packages
gitlab-runner \textbar{} 14.9.2 \textbar{} https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal/main amd64 Packages
...
\end{alltt}
\section{Upgrade distribution to a new release}
Make sure that you know the root password, in case you want to log in through
a remote console to troubleshoot the upgrade.
\section{Problems}
Sometimes maintainer scripts are failing without useful error messages.
It can be useful in these cases to trace the processing of \emph{debconf} values:
\begin{alltt}
export DEBCONF\_DEBUG=developer
\end{alltt}
\section{Hold and unhold packages}
Packages in \emph{hold} state are skipped by upgrades.
Set package \texttt{nginx} into \emph{hold} state:
\begin{alltt}
apt-mark hold nginx
\end{alltt}
Re-enable upgrades for \texttt{nginx}:
\begin{alltt}
apt-mark unhold nginx
\end{alltt}
\section{Preferences}
In order to set lower priority for packages from unstable (sid)
add a file to the \texttt{/etc/apt/preferences.d} directory:
\begin{alltt}
\textasciitilde{} cat /etc/apt/preferences.d/00sid
\# Lower priority for unstable
Package: *
Pin: release o=Debian,a=unstable,n=sid
Pin-Priority: 300
\end{alltt}
\section{Proxies}
\begin{alltt}
Acquire::http::Proxy "http://proxy.example.com:6123";
Acquire::https::Proxy "http://proxy.example.com:6123";
Acquire::http::Proxy::repo.example.com DIRECT;
\end{alltt}
\section{Upgrades}
Download packages only:
\begin{alltt}
apt-get dist-upgrade --download-only
\end{alltt}
\section{Unattended upgrades}
Install the following packages:
\begin{alltt}
apt-get install unattended-upgrades apt-listchanges
\end{alltt}
Activate unattended upgrades by creating or editing \texttt{/etc/apt/apt.conf.d/20auto-upgrades}:
\begin{alltt}
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
\end{alltt}
On Debian 9 and above the package includes two systemd timers:
\begin{description}
\item[{apt-daily.timer}]
APT updates
\item[{apt-daily-upgrade.timer}]
APT upgrades
\end{description}
You find the log file at \texttt{/var/log/unattended-upgrades/unattended-upgrades.log}.
The default configuration file is \texttt{/etc/apt/apt.conf.d/50unattended-upgrades}.
See also:
\href{https://wiki.debian.org/UnattendedUpgrades}{Debian Wiki page on Unattended upgrades}
\section{Diversions}
Diversions are used by Debian packages to prevent conflicts between files with the same name in different packages. Using \emph{alternatives} or \emph{Conflicts} relation is the preferred method though.
List diversions:
\begin{alltt}
dpkg-divert --list '*'
\end{alltt}
The diversions are saved in \texttt{/var/lib/dpkg/diversions}.
\chapter{Users}
\section{Change login shell}
\begin{alltt}
\$ usermod -s /bin/bash sympa
\end{alltt}
\chapter{Locales}
Show enabled locales:
\begin{alltt}
\$ locale -a
C
C.UTF-8
POSIX
en\_US.utf8
\end{alltt}
\chapter{LVM}
\href{https://wiki.debian.org/LVM}{Debian Wiki}
\chapter{Architectures}
Display current architecture:
\begin{alltt}
\textasciitilde{}\# dpkg --print-architecture
amd64
\end{alltt}
Display supported architectures (needs \texttt{arch-test} package to be installed):
\begin{alltt}
\textasciitilde{}\# arch-test
amd64
i386
\end{alltt}
See also: \href{https://wiki.debian.org/Multiarch/HOWTO}{\texttt{https://wiki.debian.org/Multiarch/HOWTO}}
CrossGrading: \href{https://wiki.debian.org/CrossGrading}{\texttt{https://wiki.debian.org/CrossGrading}}
Never tried that though.
\chapter{Grub}
\section{Default kernel}
In order to set the default kernel to boot you need to change the
GRUB\_DEFAULT variable in \texttt{/etc/default/grub} as follows:
\begin{alltt}
GRUB\_DEFAULT=saved
\end{alltt}
After that, you can set it with the \texttt{grub-set-default} command:
\begin{alltt}
\$ grub-set-default 'Debian GNU/Linux, with Linux 3.2.0-4-amd64'
\$ update-grub
\end{alltt}
\section{Reboot into specific kernel}
\begin{alltt}
\$ grub-reboot gnulinux-3.16.0-5-amd64-advanced-3871a2a4-6faf-4fec-b5f9-99fb3c75a731
\$ reboot
\end{alltt}
\chapter{RAID}
You find Debian packages for proprietary and opensource tools at \href{https://hwraid.le-vert.net/wiki/DebianPackages}{\texttt{https://hwraid.le-vert.net/wiki/DebianPackages}}.
\section{MegaCLI}
\begin{itemize}
\item\relax
\hyperdef{amuse}{megacli}{}%
\label{textamuse:megacli}%
Make sure that you use the correct disk.
\item\relax
The parameter \texttt{-a} refers to the adapter number (starting with 0) or to all adapters \texttt{-aALL}
\end{itemize}
\subsection{Disable disk in RAID array}
\begin{alltt}
root@devserver:/var/cache\# megacli -pdoffline -physdrv[32:1] -a0
Adapter: 0: EnclId-32 SlotId-1 state changed to OffLine.
Exit Code: 0x00
root@devserver:/var/cache\# megacli -pdmarkmissing -physdrv[32:1] -aALL
EnclId-32 SlotId-1 is marked Missing.
Exit Code: 0x00
root@devserver:/var/cache\# megacli -pdprprmv -physdrv[32:1] -aALL
Prepare for removal Success
Exit Code: 0x00
\end{alltt}
\subsection{Clear disk in RAID array}
\textbf{Please be careful with these commands!} Clearing overwrites the selected disk, so its data is lost.
Starting the process:
\begin{alltt}
root@fileserver:\textasciitilde{}\# megacli -pdclear -start -physdrv[32:1] -aALL
Started clear progress on device(Encl-32 Slot-1)
Exit Code: 0x00
\end{alltt}
\begin{alltt}
root@fileserver:\textasciitilde{}\# megacli -pdclear -showprog -physdrv[32:1] -aALL
Clear Progress on Device at Enclosure 32, Slot 1 Completed 2\% in 0 Minutes.
Exit Code: 0x00
\end{alltt}
\begin{alltt}
root@fileserver:\textasciitilde{}\# megacli -pdclear -showprog -physdrv[32:1] -aALL
Device(Encl-32 Slot-1) is not in clear process
Exit Code: 0x00
\end{alltt}
\subsection{Resources}
\begin{description}
\item[{Reference docs}]
\href{https://things.maths.cam.ac.uk/computing/docs/public/megacli\_raid\_lsi.html}{\texttt{https://things.maths.cam.ac.uk/computing/docs/public/megacli\_raid\_lsi.html}}
\item[{Replacing disk with MegaCLI}]
\href{http://www.advancedclustering.com/act\_kb/replacing-a-disk-with-megacli/}{\texttt{http://www.advancedclustering.com/act\_kb/replacing-a-disk-with-megacli/}}
\end{description}
\chapter{Troubleshooting}
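\texttt{debsums} compares installed files with the checksums stored locally by \emph{dpkg}, so it finds accidental changes and damage but is of limited use against deliberate tampering.
Check whether system files have been changed (configuration files are skipped unless \texttt{-a} or \texttt{-e} is given):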
\begin{alltt}
debsums -c
\end{alltt}
\section{Speed test}
\begin{alltt}
apt-get install speedtest-cli
speedtest-cli
\end{alltt}
\chapter{Building from source}
\section{Problems and solutions}
\hyperdef{amuse}{amposubdirs}{}%
\label{textamuse:amposubdirs}%
Problem:
\begin{alltt}
configure.ac:31: warning: macro 'AM\_PO\_SUBDIRS' not found in library
configure.ac:31: error: possibly undefined macro: AM\_PO\_SUBDIRS
If this token and others are legitimate, please use m4\_pattern\_allow.
See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
\end{alltt}
Solution:
You need to install the \emph{gettext} package first.
% begin final page
\clearpage
% new page for the colophon
\thispagestyle{empty}
\begin{center}
Linuxia Wiki
\strut
\end{center}
\strut
\vfill
\begin{center}
Stefan Hornburg (Racke)
Debian\Slash{}Linux Administration
\bigskip
\bigskip
\textbf{wiki.linuxia.de}
\end{center}
% end final page with colophon
% end closing pages
\end{document}
% No format ID passed.