Useful Commands
The commands here can save your life; please help us maintain this page.
Not Specific To Nethserver
ACL
Each time you launch 'signal-event ibay-modify IBAYNAME', the correct ACL ownership of that shared folder is restored.
See ACL
getfacl /path/2/files/or/folders
set ACL
setfacl -P -R -m u:UID:rwX,d:u:UID:rwX /path/2/files/or/folders
setfacl -P -R -m g:GID:rwX,d:g:GID:rwX /path/2/files/or/folders
-R : recursive
-P : physical walk, do not follow symbolic links
Remove Specific ACL
setfacl -P -R -x u:UID,d:u:UID /path/2/files/or/folders
setfacl -P -R -x g:GID,d:g:GID /path/2/files/or/folders
-x removes the named entries (both the access and the default ACL here); the entries are given without a permission field.
Remove all ACL
setfacl -b /path/2/files/or/folders
Apache
Virtualhost parsing order
-S Show the settings as parsed from the config file (currently only shows the virtualhost settings).
httpd -S
Command Line Interface
Adding date and time to bash history
By default the bash history does not show the date and time of any activity. You can enable this by entering the following command:
HISTTIMEFORMAT="%d/%m/%y %T "
where %d is the day, %m the month, %y the year and %T the time
To see the bash history with the date and time added, enter:
history
The history command can be useful in combination with comments added to shell commands, for more precise analysis or (automatic) reporting based on a shell script and cron.
Find a file/folder
* find quickly with a database
locate FileOrFolderName
do before:
yum install mlocate -y
updatedb
updatedb must be launched manually each time you add new files (a cron job also runs it each night).
* find by name
find / -iname 'FileOrFolderName'
* find files by their size
it can be useful to find large files from the command line
find /home/e-smith -type f -size +200M -exec ls -lh {} \; | awk '{ print $9 ":_" $5 }'
use
k for Kilobytes (units of 1024 bytes)
M for Megabytes (units of 1048576 bytes)
G for Gigabytes (units of 1073741824 bytes)
Replace a chain of characters
Replace the string chaine1 with chaine2 in all '.txt' files below the current directory
find . -name "*.txt" -type f -exec sed -i "s/chaine1/chaine2/g" {} \;
Run a command a multiple time
You can run a command as fast as the computer can, to test whether it fails or not. For example, here `echo 'plop'` is executed until you stop it with `ctrl+c`
time while echo 'plop'; do : ; done
`time` reports how long the loop ran once it ends; you can remove it if not needed.
You can add `&` at the end so it runs as a background process, and you can launch it several times.
time while echo 'plop'; do : ; done &
Unix user/group properties
Explanation | Command |
---|---|
show information about a user | id USER |
change the UID of a user | usermod -u <UID> USER_NAME |
create a group | groupadd -g <GID> -o GROUP_NAME |
modify the GID of a group | groupmod -o -g <GID> GROUP_NAME |
set the primary group of a user | usermod -g <GROUP_NAME_OR_GID> USER_NAME |
add a secondary group to a user | usermod -a -G <GROUP_NAME_OR_GID> USER_NAME |
change the home directory (add -m to move files/folders to the new location) | usermod -d /var/lib/jdownloader jdownloader |
change the login shell of a user | usermod --shell /bin/bash jdownloader |
Read a TAI64N timestamp in human readable format
tai64nlocal (http://cr.yp.to/daemontools/tai64nlocal.html) converts precise TAI64N timestamps to a human-readable format. tai64nlocal reads lines from stdin. If a line does not begin with @, tai64nlocal writes it to stdout without change. If a line begins with @, tai64nlocal looks for a timestamp after the @, in the format printed by tai64n, and writes the line to stdout with the timestamp converted to local time in ISO format: YYYY-MM-DD HH:MM:SS.SSSSSSSSS.
Eg
cat /var/log/qpsmtpd/current | tai64nlocal | less
Or
tailf /var/log/sshd/current | tai64nlocal
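The conversion tai64nlocal performs, as an added Python example that is not part of the original page or of daemontools, useful when you need to read a multilog file on a machine without the tool. It prints UTC rather than local time and assumes the fixed 37 s TAI-UTC offset in force since 2017 instead of the leap-second table tai64nlocal uses; the sample log lines are constructed.

```python
from datetime import datetime, timedelta, timezone

# A TAI64 label is 2^62 plus the number of TAI seconds since the beginning of 1970 TAI.
TAI64_EPOCH = 1 << 62
# tai64nlocal consults a leap-second table; this example assumes the fixed
# TAI-UTC offset of 37 s that has applied since 2017-01-01 (assumption).
TAI_UTC_OFFSET = 37
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def tai64n_to_iso(line: str) -> str:
    """Convert the TAI64N label at the start of one log line, tai64nlocal-style.

    A label is '@' + 16 hex digits (TAI64 seconds) + 8 hex digits (nanoseconds),
    followed by a space and the message. Lines that do not begin with '@', or
    whose label is malformed, are returned unchanged. Output is UTC, not local time.
    """
    if not line.startswith("@"):
        return line
    label, sep, rest = line[1:].partition(" ")
    if len(label) != 24:
        return line
    try:
        tai_seconds = int(label[:16], 16)
        nanoseconds = int(label[16:], 16)
    except ValueError:
        return line
    unix_seconds = tai_seconds - TAI64_EPOCH - TAI_UTC_OFFSET
    stamp = UNIX_EPOCH + timedelta(seconds=unix_seconds)
    return f"{stamp:%Y-%m-%d %H:%M:%S}.{nanoseconds:09d}{sep}{rest}"


def convert_log(text: str) -> str:
    """Apply tai64n_to_iso to every line of a multi-line log excerpt."""
    return "\n".join(tai64n_to_iso(line) for line in text.splitlines())


# Constructed two-line excerpt in the style of /var/log/qpsmtpd/current.
SAMPLE_LOG = (
    "@4000000065a3b4c012345678 12345 Connection from 192.0.2.10\n"
    "@4000000065a3b4c112345678 12345 dispatching EHLO client.example\n"
)

if __name__ == "__main__":
    print(convert_log(SAMPLE_LOG))
```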
Network port tricks
* find which service use a specific port
fuser -vn tcp 53 #TCP
fuser -vn udp 53 #UDP
* connect to a port with the command line
nc -tv 127.0.0.1 53 # TCP
nc -uv 127.0.0.1 53 # UDP
Test network connectivity
- mtr does a traceroute to 8.8.8.8 from a given interface (use its IP address)
mtr -rbwz 8.8.8.8 -a xxx.xxx.xxx.xxx
This way you can see whether the relevant NIC has network connectivity
- ping
ping google.fr
- traceroute
traceroute google.fr
- see the network settings
ip r
ip a
RPM's
Command | Explanation |
---|---|
rpm -qa | shows all rpms installed |
rpm -qa --last | shows all rpms installed & installation date |
rpm -q <packagename> | asks for rpm info |
rpm -qi <packagename> | asks for detailed rpm info |
rpm -qlv <packagename> | lists all files in a package |
rpm -qlvp <packagename.rpm> | lists all files in a rpm which is not installed |
rpm -qf <filename> | reports what package a file belongs to |
rpm -ql <packagename> | lists the files |
rpm -qc <packagename> | lists the config files |
rpm -qd <packagename> | lists the documentation files |
rpm -qV <packagename> | reports if permissions and ownership are OK |
rpm -qRp <packagename.rpm> | finds what dependencies a rpm has |
rpm -qR <packagename> | finds what dependencies an installed package has |
rpm -q --whatrequires <packagename> | finds what packages have <packagename> as dependency |
rpm -e --test <packagename> | finds what packages have <packagename> as dependency (more verbose than above) |
rpm -e --nodeps <packagename> | removes packagename without removing dependencies |
rpm --setugids <packagename> | restores the ownership recorded in the rpm |
rpm --setperms <packagename> | restores the permissions recorded in the rpm |
rpm -e --noscripts <packagename> | removes packagename without executing scriptlets (%pre, %post, %preun, %postun) |
rpm -Va | captures any damaged/incomplete rpms - but will also show lots of configuration files, which you of course expect to be modified. |
- Restore all permissions and ownership
If you want to restore all permissions and ownership recorded in the rpms, you can do this in a root terminal.
for f in $(rpm -qa); do echo $f; rpm --setugids $f; done
for f in $(rpm -qa); do echo $f; rpm --setperms $f; done
- or specific to a rpm
# rpm --setugids opendkim
# rpm --setperms opendkim
# rpm -V opendkim
S.5....T.  c /etc/opendkim.conf
S.5....T.  c /etc/opendkim/KeyTable
S.5....T.  c /etc/opendkim/SigningTable
S.5....T.  c /etc/opendkim/TrustedHosts
Yum
- reinstall all base dependencies
yum install @nethserver-iso
* Yum helper
Command | Explanation |
---|---|
yum install <packagename> | installs packagename & any package it may need |
yum remove <packagename> | removes packagename |
yum history package-info <packagename> | Shows the installation/removal history of a package and its Transaction ID (see more commands: http://yum.baseurl.org/wiki/YumHistory) |
yum history undo <Transaction ID> | Removes all packages from a specific Transaction ID (see more commands: http://yum.baseurl.org/wiki/YumHistory) |
yum list updates | list updates to any installed package |
yum list available | list available packages in all repos not already installed |
yum list available | grep <reponame> | list available packages -shows only from repo name |
yum search <packagename> | lists all packages in all repos matching packagename |
yum clean all --enablerepo=* | Is used to clean up various things which accumulate in the yum cache (includes disabled repos) |
yum --enablerepo=<reponame> <command> | enable a repo not normally enabled |
yum autoremove | remove all orphan dependencies |
CLAMAV
* reload the database
you can force clamav to reload its database
kill -USR2 `cat /var/run/clamd@rspamd/clamav.pid`
or to freeze it (pause the process)
kill -STOP `cat /var/run/clamd@rspamd/clamav.pid`
and to unfreeze it
kill -CONT `cat /var/run/clamd@rspamd/clamav.pid`
slow down clamav
cpulimit -l 10 -p $(pidof clamd)
When testing, remember to flush caches:
systemctl restart clamd@rspamd
systemctl restart rspamd
redis-cli -s /var/run/redis-rspamd/rspamd flushall
Some useful commands:
Measure time taken by clamd to scan an email:
clamdscan --config-file=/etc/clamd.d/rspamd.conf /tmp/mail
Measure time taken by rspamd to analyze an email:
rspamc -t 120 </tmp/mail
Collabora
Enable the repository to get updates
yum install yum-utils
yum-config-manager --add-repo https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7
wget https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7/repodata/repomd.xml.key && rpm --import repomd.xml.key
yum update -y
DOCKER
* inspect
see all settings of a container
docker inspect containerName
see some settings of a container (EG: command given)
docker inspect -f "{{.Name}} {{.Config.Cmd}}" containerName
* Ping the host
Testing it out: can the container reach the Docker host?
We can test this without needing to run a database or any service. We'll just run an Alpine image, drop into a shell, install the ping utility and ping the Docker host.
Start the Alpine container and drop into a Shell prompt.
docker run --rm -it alpine sh
Install the ping utility.
apk update && apk add iputils
Ping your local network IP address (replace my IP address with yours).
ping 192.168.1.3
* ping a host from a container
docker run busybox ping -c 1 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: seq=0 ttl=61 time=19.222 ms

--- 8.8.4.4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 19.222/19.222/19.222 ms
* query dns from a container
docker run busybox nslookup google.com
Server:    127.0.0.11
Address:   127.0.0.11:53

Non-authoritative answer:
Name:      google.com
Address:   2a00:1450:4007:805::200e

*** Can't find google.com: No answer
* start a container and open a shell inside
docker exec -ti dockername /bin/sh
* start a nginx container for testing networking
docker run -dit --name nginx-test-01 -p 9001:80 --restart=unless-stopped nginx:alpine nginx-debug -g 'daemon off;'
* delete all container
docker rm -f $(docker ps -aq)
* fix docker dns
https://development.robinwinslow.uk/2016/06/23/fix-docker-networking-dns/
vim /etc/docker/daemon.json
{
  "dns": ["10.0.0.2", "8.8.8.8"]
}
Then restart the docker service:
sudo service docker restart
or
Discover the address of your DNS server. You can find out your network's DNS server from within Ubuntu as follows:
$ nmcli dev show | grep 'IP4.DNS'
IP4.DNS[1]:    10.0.0.2
Run Docker with the new DNS server. To run a docker container with this DNS server, provide the --dns flag to the run command. For example, let's run the command we used to check if DNS is working:
$ docker run --dns 10.0.0.2 busybox nslookup google.com
Server:    10.0.0.2
Address 1: 10.0.0.2

Name:      google.com
Address 1: 2a00:1450:4009:811::200e lhr26s02-in-x200e.1e100.net
Address 2: 216.58.198.174 lhr25s10-in-f14.1e100.net
And that's what success looks like.
DNS
DNSMASQ
Debug
For debugging purposes you can redirect queries to the logs; add in /etc/dnsmasq.conf
#redirect dns queries to /var/log/messages (test purpose)
log-queries
restart dnsmasq
systemctl restart dnsmasq
then check /var/log/messages
Unbound
Unbound runs on port `10053`
dig @127.0.0.1 -p 10053 maps.rspamd.com
JQ
--arg passes the value as a string, --argjson parses it as JSON:
$ jq --arg value 30 -n '{"value":$value}'
{
  "value": "30"
}
$ jq --argjson value 30 -n '{"value":$value}'
{
  "value": 30
}
Mysql
mysql users
display all mysql users
SELECT User,Host FROM mysql.user;
delete a mysql user
SELECT User,Host FROM mysql.user;
DROP USER 'testuser'@'localhost';
Create a database
mysql
create database owncloud;
grant all privileges on owncloud.* to username@localhost identified by 'password';
flush privileges;
exit
delete a database
mysql
drop database owncloud;
Backup a database
mysqldump database > database.sql
When you want to diff two versions of a database, you need a specific dump
mysqldump --skip-comments --skip-extended-insert database > database.sql
* Backup a database with the idea to diff the output
You might need to dump the database and diff the output against another database.
mysqldump --skip-comments --skip-extended-insert database > filename
then
diff -Nur filename1 filename2 > diff_mysql.sql
a nice mysqldump
mysqldump databaseName --default-character-set=utf8mb4 --skip-dump-date --ignore-table=mysql.event --single-transaction --quick --add-drop-table > databaseName.sql
a shorter one; it dumps the database roundcubemail to the file roundcubemail.sql
mysqldump --single-transaction --quick --add-drop-table -QB "roundcubemail" -r roundcubemail.sql
Networking
Find open ports
* to find the open (listening) udp and tcp ports on the host:
netstat -tupln
* to find TCP ports with nmap
yum install nmap
nmap -p 1-65535 127.0.0.1
* find a specific port with netstat
# netstat -anp|grep 5232
tcp        0      0 192.168.12.233:5232     0.0.0.0:*               LISTEN      2028/python
* find a specific port with nmap
nmap reports whether a port is open or closed
yum install nmap
nmap localhost -p 5232
Get MAC address without ifconfig
cat /sys/class/net/host0/address
openssl
connect to a remote host and check which TLS protocol and cipher are used
openssl s_client -connect 192.168.56.12:636 -tls1_2
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
-cipher - preferred cipher to use; use the 'openssl ciphers' command to see what is available
test if starttls is accepted
openssl s_client -starttls smtp -connect 127.0.0.1:587
openssl s_client -starttls imap -connect 127.0.0.1:143
openssl s_client -starttls sieve -connect 127.0.0.1:4190
PHP
PHPinfo
PHPinfo provides an overview of all PHP related settings. For a quick overview, or to search for a setting, you can use:
explanation | Command |
---|---|
get overview | php -r "phpinfo();" \| less |
to save to a text file | php -r "phpinfo();" > phpinfo.txt |
to search for specific values and save to a text file | php -r "phpinfo();" \| grep mysql > phpmysql.txt |
to push it directly in the vhost data content | echo '<?php phpinfo(); ?>' > /var/lib/nethserver/vhost/plop.com/info.php |
in the terminal | php -i |
List PHP modules
drop a file (e.g. file.php) containing
<?php
echo implode("\n", get_loaded_extensions());
echo "\n";
then
php file.php
PODMAN
* remove all podman containers (if you use podman containers only for makerpms)
sudo rm -rf $HOME/.local/share/containers/
RSPAMD
Uptime
rspamc uptime
Dump the configuration
Display all settings in rspamd, useful to understand what is happening
rspamadm configdump
rspamadm configdump | grep -E '(WHITE|BLACK)LIST \{'
Test manually to check an email
rspamc email.eml
curl smtp://127.0.0.1:25 -v --anyauth --mail-from no-reply@neth.net --mail-rcpt filippo@neth.net --upload-file ./2019.eml
- test from an IP (added to the postfix bypass list)
[root@ns7loc14 ~]# host $(hostname)
[root@ns7loc14 ~]# config setprop postfix AccessBypassList 192.168.56.15
((++I)) ; curl smtp://$(hostname):25/$(hostname) -v --mail-from davidep2@email.celio.com --mail-rcpt postmaster@dpnet.nethesis.it <<EOF
Subject: Test ${I}
Date: $(date -R)
Message-ID: <${I}.$(date +%s)@$(hostname -d)>
From: davidep2@nethserver.org
To: postmaster@dpnet.nethesis.it
Mime-Version: 1.0

Test $I
Configuration settings for bayes expiry module should be added to the corresponding classifier section (for instance in the local.d/classifier-bayes.conf). Bayes expiry module provides intelligent expiration of statistical tokens for the new schema of Redis statistics storage.
EOF
- test from an email address/domain
((++I)) ; curl smtp://$(hostname):25/$(hostname) -v --mail-from davidep2@email.celio.com --mail-rcpt postmaster@dpnet.nethesis.it <<EOF
Subject: Test ${I}
Date: $(date -R)
Message-ID: <${I}.$(date +%s)@$(hostname -d)>
From: davidep2@nethserver.org
To: postmaster@dpnet.nethesis.it
Mime-Version: 1.0

Test $I
Configuration settings for bayes expiry module should be added to the corresponding classifier section (for instance in the local.d/classifier-bayes.conf). Bayes expiry module provides intelligent expiration of statistical tokens for the new schema of Redis statistics storage.
EOF
- test with rspamc-getmail and an EICAR test pattern
[root@vm5 ~]# /usr/bin/rspamc-getmail "-i" "127.0.0.1" "--mime" "-t" "120" "-h" "localhost:11334" <<'EOF'
Return-Path: <root@nethservice.nethesis.it>
Delivered-To: davidep2@nethesis.it
Received: from nethservice.nethesis.it
	by nethservice.nethesis.it with LMTP id 2MyWCgn7O14ucwAAJc5BcA
	for <davidep2@nethesis.it>; Thu, 06 Feb 2020 12:39:53 +0100
Received: by nethservice.nethesis.it (Postfix, from userid 0)
	id 2A0133054108E; Thu,  6 Feb 2020 12:39:53 +0100 (CET)
From: virus-tester@nethservice.nethesis.it
To: undisclosed-recipients:;
Subject: amavisd test - simple - virus scanner test pattern
Message-Id: <20200206113953.2A0133054108E@nethservice.nethesis.it>
Date: Thu,  6 Feb 2020 12:39:53 +0100 (CET)

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF
check the content of all maps
grep -r -F . /etc/rspamd/{white,black}list* | grep -v -F '#' | sort
Train rspamd for bayes
train rspamd to learn about spam and ham
https://wiki.nethserver.org/doku.php?id=userguide:manual_training_of_the_bayes_filter_rspamd
Statistics
- Display statistics
rspamc stat
- Show scores and actions (no action, reject…) from a log file
rspamd_stats </var/log/maillog
Validate the settings
When you upgrade the rspamd version, it is useful to check whether some settings have become obsolete
rspamadm configtest
check clamav reloading
grep -E '(Cannot validate the message now|SelfCheck|Database correctly reloaded|/var/run/clamd@rspamd/clamav)' /var/log/maillog
flush clamav cache
systemctl restart clamd@rspamd
systemctl restart rspamd
redis-cli -s /var/run/redis-rspamd/rspamd flushall
Some useful commands
Measure time taken by clamd to scan an email:
clamdscan --config-file=/etc/clamd.d/rspamd.conf /tmp/mail
Measure time taken by rspamd to analyze an email:
rspamc -t 120 </tmp/mail
Yomi
Yomi is a plugin for the enterprise version which sends attachments to Yoroi servers to be analysed. Authenticated users are not able to use it; only attachments of unauthenticated senders are tested by Yomi.
Make with Thunderbird an email with an attachment that Yomi will verify, scp it to the server, then issue the command
curl smtp://localhost:25 -v --anyauth --mail-from no-reply@neth.net --mail-rcpt stephane@domain.fr --upload-file ./hello.eml
then you can check the maillog to see whether the archive has been uploaded
Jun 28 14:56:46 ns7dev13 rspamd[5057]: <7fac8e>; proxy; rspamd_add_passthrough_result: <f5b43be1-2c53-2655-e6c3-0d2cb75ceaa3@domain.fr>: set pre-result to 'soft reject' (no score): 'Yomi cannot validate the message now. Try again later' from force_actions(0)
Jun 28 14:56:46 ns7dev13 rspamd[5057]: <7fac8e>; proxy; rspamd_task_write_log: id: <f5b43be1-2c53-2655-e6c3-0d2cb75ceaa3@domain.fr>, qid: <A77ED10813B2>, ip: 127.0.0.1, from: <no-reply@neth.net>, (default: F (soft reject): [-0.90/20.00] [SIGNED_PGP(-2.00){},YOMI_WAIT(1.00){Analysis in progress for CB_P5_fournissez-un-support-aux-utilisateurs_2021-06-25T162139.zip;},FORGED_SENDER(0.30){stephane@domain.fr;no-reply@neth.net;},MIME_GOOD(-0.20){multipart/signed;multipart/mixed;multipart/alternative;text/plain;},FORCE_ACTION_YOMI_FAIL(0.00){soft reject;},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){stephane@domain.fr;no-reply@neth.net;},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;3:+;4:+;5:~;6:~;7:~;...;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){},YOMI_FAIL(0.00){Analysis in progress for CB_P5_fournissez-un-support-aux-utilisateurs_2021-06-25T162139.zip;},YOMI_SKIPPED(0.00){OpenPGP_signature has MIME type to skip: application/pgp-signature;}]), len: 439113, time: 3194.391ms, dns req: 4, digest: <65cc257b362cd78c777438eaab09c6e7>, rcpts: <stephane@nethserver.fr>, mime_rcpts: <stephane@nethserver.fr>, forced: soft reject "Yomi cannot validate the message now. Try again later"; score=nan (set by force_actions)
You have to wait for the remote provider to scan your archive, but this way you can also check that the archive has been correctly submitted.
Yomi is supposed to work with a list of mime types
[root@ns7dev13 ~]# cat /usr/share/nethserver-yomi/mime_type_graylist
application/octet-stream
application/javascript
application/vnd.ms-excel
application/vnd.ms-excel.sheet.macroEnabled.12
application/vnd.ms-word.document.macroEnabled.12
application/x-7z-compressed
application/x-ms-dos-executable
application/x-dosexec
application/x-vbscript
application/x-rar
text/x-sh
text/x-python
application/zip
application/gzip
application/x-silverlight
application/x-python-code
application/x-msdos-program
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/vnd.oasis.opendocument.text
application/vnd.oasis.opendocument.spreadsheet
application/vnd.oasis.opendocument.presentation
application/vnd.ms-word.template.macroEnabled.12
application/vnd.ms-powerpoint
application/vnd.ms-excel.template.macroEnabled.12
application/msword
application/CDFV2-unknown
application/x-iso9660-image
application/x-tar
Redis
Flush cache data in redis
redis-cli -s /var/run/redis-rspamd/rspamd FLUSHALL
Delete all the keys of the currently selected DB in redis
https://redis.io/commands/flushdb
redis-cli -s /var/run/redis-rspamd/rspamd FLUSHDB
check bayes in redis
[root@prometheus ~]# redis-cli -s /var/run/redis-rspamd/rspamd
redis /var/run/redis-rspamd/rspamd> HGET BAYES_HAM learns
redis /var/run/redis-rspamd/rspamd> HGET BAYES_SPAM learns
check keys/values in redis
#!/bin/bash
# Dump the type and (for string keys) the value of every key in the rspamd redis instance.
# GET only works on string keys; hash keys such as BAYES_* report an error here.
for key in $(redis-cli -s /var/run/redis-rspamd/rspamd keys \*); do
    #if [[ $key =~ 'BAYES' ]]; then
    echo "Key : '$key'"
    redis-cli -s /var/run/redis-rspamd/rspamd type "$key"
    redis-cli -s /var/run/redis-rspamd/rspamd GET "$key"
    #fi
done
redis monitor
redis-cli -s /var/run/redis-rspamd/rspamd monitor
Test rspamd by the command line
RESET bayes data
https://mailcow.github.io/mailcow-dockerized-docs/u_e-rspamd/#reset-learned-data
You need to delete keys in Redis to reset learned mail, so create a copy of your Redis database now:
Backup database
# It is better to stop Redis before you copy the file.
cp /var/lib/redis/rspamd/dump.rdb /root/
Reset Bayes data
redis-cli -s /var/run/redis-rspamd/rspamd --scan --pattern BAYES_* | xargs redis-cli -s /var/run/redis-rspamd/rspamd del
redis-cli -s /var/run/redis-rspamd/rspamd --scan --pattern RS* | xargs redis-cli -s /var/run/redis-rspamd/rspamd del
If it complains about…
(error) ERR wrong number of arguments for 'del' command …the key pattern was not found and thus no data is available to delete.
redis & oletools
* To flush the oletools verdicts cache run the following command
redis-cli -s /var/run/redis-rspamd/rspamd --raw KEYS rs_oletools_* | xargs -- redis-cli -s /var/run/redis-rspamd/rspamd DEL
* To check how many seconds remain before a cache entry is expunged from the cache (first match only; TTL reports the remaining seconds)
redis-cli -s /var/run/redis-rspamd/rspamd --raw KEYS rs_oletools_* | head -n 1 | xargs -L 1 redis-cli -s /var/run/redis-rspamd/rspamd TTL
Send email
Curl can be a good way too, but sendmail can help as well
echo "Subject: Test d'envoi mail"| sendmail -f stephane@domain.com -v stephane@domain.com
It sends an email to the recipient and, thanks to -v, shows the mail transaction, which you can compare with the maillog
Shorewall
Clear dynamic
iptables -F dynamic
shorewall save
Disable shorewall
shorewall clear
to restart
shorewall start
Systemd
RedHat documentation
Check customized services
systemd-delta
Manage a service
The following commands control the foo service:
- Activate a service immediately:
# systemctl start foo
- Deactivate a service immediately:
# systemctl stop foo
- Restart a service:
# systemctl restart foo
- Show the status of a service including, whether it is running or not:
# systemctl status foo
- Enable a service to be started on boot:
# systemctl enable foo
- Disable a service to not start during boot:
# systemctl disable foo
- Prevent a service from starting dynamically or even manually unless unmasked:
# systemctl mask foo
- Check if a service is enabled or not:
# systemctl is-enabled foo
- Check if the service is active (started) or inactive (stopped)
# systemctl is-active foo
- Related information: run `man systemctl` for more details.
TCPDUMP
capture packet and check port activity
tcpdump -i any port 389
Specific To Nethserver
Backup
Rsync Backup
The official backup module is probably the better way to do it, but you can copy the data of the NS with rsync. Rsyncing only /var/lib/nethserver might not be enough, since some additional modules put a file in /etc/backup-data.d/ listing the paths to save with the backup module.
[root@NS7DEVAllModules ~]# cat /etc/backup-data.d/*
/var/lib/nethserver/backup/duplicity/
/var/lib/nethserver/db
/var/www/bandwidthd/stats.db
/var/lib/nethserver/secrets
/root
/var/lib/nethserver
/var/lib/collectd
/var/spool/hylafax/log/seqf
/var/spool/hylafax/sendq/seqf
/var/spool/hylafax/docq/seqf
/var/spool/hylafax/recvq/seqf
/var/lightsquid
/var/lib/nethserver/webtop/logs
/var/www/html/nextcloud/config/config.php
so if you want a full backup, these paths must be saved as well.
Therefore a solution like this is better
rsync -avzR $(cat /etc/backup-data.d/*) root@YourIP:/your/path/to/save
the -R rsync option preserves the full path, which will ease your restoration
E-smith Database
You have a full howto page to RTFM. As in every Linux shell, you can use the TAB key on the command line to auto-complete or list all available answers.
- dbfile : database name; see them in /var/lib/nethserver/db or type 'db' then the 'tab' key
- key : unique name, not modifiable
- prop : property of a key
- val : value of a property
Command | Explanation |
---|---|
db dbfile keys | List all keys |
db dbfile print [key] | Print the [key] properties |
db dbfile printjson [key] | Print the [key] properties in a Json format |
db dbfile show [key] | Display the [key] properties |
db dbfile showjson [key] | Display the [key] properties in a Json format |
db dbfile get [key] | Retrieve the values of [key] properties |
db dbfile getjson [key] | Retrieve the values of [key] properties in a Json format |
db dbfile set [key] [type] [prop1 val1] [prop2 val2] … | Create the [key] and [prop* val*] following a 'type' value(adjust the 'type') |
db dbfile setdefault [key] [type] [prop1 val1] [prop2 val2] … | Create the default [key] and [prop* val*] following a key 'type' (adjust the 'type') |
db dbfile delete [key] | Delete the [key] |
db dbfile printtype [key] | Print the type value of [key] |
db dbfile gettype [key] | Retrieve the type value of [key] |
db dbfile settype [key] [type] | Set a different type of [key] |
db dbfile printprop [key] [prop1] [prop2] [prop3] … | Print the value of [key] following [prop*] |
db dbfile getprop [key] [prop] | Give the value of [prop] |
db dbfile setprop [key] [prop1] [val1] [prop2 val2] [prop3 val3] … | Set the values of [prop*] |
db dbfile delprop [key] [prop1] [prop2] [prop3] … | Delete the values of [prop*] |
LDAP
Access to the LDAP server
The STARTTLS command is supported on port 389 and is the preferred method if the clients support it. Check that the libuser's password has been correctly set. The libuser's DN should be
uid=libuser,ou=People,dc=directory,dc=nh
or, if your domain part is example.com
uid=libuser,ou=People,dc=example,dc=com
Port 636 is disabled by default
You have two specific users to bind to the ldap service
- ldapservice - read-only
- libuser - full access, read-write restricted to the localhost
- Anonymous bind has read-only access and does not require STARTTLS.
passwords are stored under /var/lib/nethserver/secrets/
For more documentation, please read
List all entries with libuser bind
ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser`
List all entries with admin user remotely over starttls
ldapsearch -b dc=directory,dc=nh -ZZ -h 192.168.56.12 -D uid=admin,ou=People,dc=directory,dc=nh -W
same over ldaps
ldapsearch -b dc=directory,dc=nh -H ldaps://192.168.56.12 -D uid=admin,ou=People,dc=directory,dc=nh -W
same with ldapservice
ldapsearch -b dc=directory,dc=nh -ZZ -h 192.168.56.12 -D cn=ldapservice,dc=directory,dc=nh -w V_85617fr2bK3Csj
LOG
Log retention policy on nethserver
By default it is set to 4 weeks; if you want to increase it to one year
config setprop logrotate Times 52
signal-event nethserver-base-update
You have other options like compression and rotate condition
# config show logrotate
logrotate=configuration
    Compression=disabled
    Rotate=weekly
    Times=52
Force log rotation
logrotate -vf /etc/logrotate.conf
OTP (one time password)
- generate the backup codes (5 codes; it is not possible to know whether they have already been used: reset the key or generate more codes)
oathtool -w 5 $(cat /var/lib/nethserver/home/user/.2fa.secret)
- generate a time based code (valid 30 seconds)
oathtool --totp $(cat /var/lib/nethserver/home/user/.2fa.secret)
- reset the otp for a user
rm -f /var/lib/nethserver/home/user/.2fa.secret
SAMBA4
have a shell inside the nsdc container
If you find something strange, you may need to access the container and use samba-tool
systemd-run -M nsdc -t /bin/bash
Control samba container
stop, start and status of the samba DC process
systemctl -M nsdc stop samba
systemctl -M nsdc start samba
systemctl -M nsdc status samba
Search following filter in SAMBA AD
search with filters
net ads search -P objectClass=Computer
net ads search -P objectClass=User
net ads search -P objectClass=Group
you can search for a specific cn
net ads search -P cn=stephane
or use a wildcard
net ads search -P 'cn=*' | less
list all entries with the administrator bind
ldapsearch -Z -x -D CN=Administrator,CN=Users,DC=neth,DC=eu -w Nethesis,1234 -b CN=Users,DC=neth,DC=eu -h 192.168.5.44
ldapsearch -Z -x -D CN=stephane,CN=Users,DC=ad,DC=nethservertest,DC=org -w 'azerty' -b CN=Users,DC=ad,DC=nethservertest,DC=org -h 192.168.56.101
ldapsearch -Z -x -D 'DOMAIN\stephane' -w 'azerty' -b CN=Users,DC=ad,DC=domain,DC=com -h 192.168.56.101
ldapsearch -Z -x -D 'stephane@domain.com' -w 'azerty' -b CN=Users,DC=ad,DC=domain,DC=com -h 192.168.56.101
- the IP must be the one of your container.
- the default password (Nethesis,1234) must be changed to the right one.
Browse SAMBA AD field without password
systemd-run -M nsdc -q -t /usr/bin/ldbsearch -H /var/lib/samba/private/sam.ldb
Retrieve the dn without password with ldapsearch
systemd-run -M nsdc -q -t \
  /usr/bin/ldbsearch -H /var/lib/samba/private/sam.ldb "samaccountname=${userName}" dn | \
  sed -n '/^dn: / { s/\r// ; p ; q }'
reset administrator's password
If you're running a local Samba DC account provider, to enable and reset administrator's password:
systemd-run -t -M nsdc /bin/bash
samba-tool user enable administrator
samba-tool user setpassword administrator --newpassword=Nethesis,1234
join the domain
It supports the -U flag to specify an alternative user with domain join rights. For instance
realm join -U administrator YOURDOMAIN.COM
to leave it
realm leave
Demote a Secondary Domain Controller
Please check this https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Demoting_an_Offline_Domain_Controller
A secondary DC is down and you are sure it will never come up again (e.g. hardware failure). You may want to remove it. Make sure the "broken DC" is offline.
From the NethServer root shell, log into the nsdc container.
systemd-run -M nsdc -t /bin/bash
If you know the DC name, you can check its status in your AD; please note the name is case-sensitive.
ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep -A1 DC-NAME
If you do not know the name, you may check all configured AD-DCs:
ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
Now the magic … you are sure what you are doing?
samba-tool domain demote --remove-other-dead-server=DC-NAME
Modify the SAMBA4 AD settings
You can modify the samba ldap of the samba container with an ldif file; put your file in /var/lib/machines/nsdc/var/lib/samba/private/file.ldif.
then launch
/usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
this is an example of an ldif file
dn: cn=stephane,cn=Users,dc=ad,dc=plop,dc=org
changetype: modify
replace: loginShell
loginShell: /usr/libexec/openssh/sftp-server
Get MAC address of nsdc interface
cat /var/lib/machines/nsdc/sys/class/net/host0/address
Samba Member Server Troubleshooting
Please check this page. In short:
* Do you have a keytab on the file server?
klist -k
* check if the computer is joined to the domain.
sudo net ads testjoin
This should print:
Join is OK
* leave the domain and rejoin:
net ads leave -U Administrator
net ads join -U Administrator
You should now have a keytab, if it is still not there, try creating it manually:
net ads keytab create -U Administrator
Retrieve LDAP Settings
To retrieve the ldap settings, in a shell type the following command to get the current NethServer setup:
[root@vm5 ~]# account-provider-test dump
{
   "startTls" : "",
   "bindUser" : "VM5$",
   "userDN" : "dc=dpnet,dc=nethesis,dc=it",
   "port" : 636,
   "isAD" : "1",
   "host" : "dpnet.nethesis.it",
   "groupDN" : "dc=dpnet,dc=nethesis,dc=it",
   "isLdap" : "",
   "ldapURI" : "ldaps://dpnet.nethesis.it",
   "baseDN" : "dc=dpnet,dc=nethesis,dc=it",
   "bindPassword" : "secret",
   "bindDN" : "DPNET\\VM5$"
}
Reconfigure the Server
To expand all templates and restart the relevant services (no reboot, a business server shouldn't be rebooted) you can use:
/etc/e-smith/events/actions/system-adjust
Reinstall all required packages
yum install @nethserver-iso
Server-manager
Allow a user to the server-manager
- NS7
The builtin /usr/share/nethesis/NethServer/Authorization/base.json policy grants full access to members of administrators.
groupadd administrators
usermod -G administrators -a davidep@adnethesis.it
Now user davidep@adnethesis.it has full privileges in the server-manager. There are two groups with delegated powers
- administrators: Users of this group have the same permissions as the root or admin user.
- managers: Users of this group are granted access to the Management section.
Use the server-manager with a SSH tunnel
An SSH local port forward of port 980
ssh -L 9980:localhost:980 <public IP>
Then connect to
https://localhost:9980
Use the Server Manager by the terminal
Of course the display is not as good as you can have in a real browser :)
elinks -eval 'set connection.ssl.cert_verify = 0' https://localhost:980/
or
yum install links # if not installed yet
links2 https://localhost:980
Sudoers
Allow sudo power for a group
- create a group powerusers in Users & Groups page
- add one or more users to the group
- create a sudo file like this:
echo "%powerusers ALL=(ALL) ALL" > /etc/sudoers.d/90powerusers
chmod 440 /etc/sudoers.d/90powerusers
Sudoers files validation
Validation of the sudoers.d syntax
visudo -c
Determine what commands a user can do
See all commands that the user may do on your system
sudo -ll -U userName
Edit sudoers files
Edit the sudoers file; it is validated when you exit
visudo -f /etc/sudoers.d/20_nethserver_sssd
NethServer repository Tests
- Test changes in comps file
https://github.com/NethServer/dev/issues/6117#issuecomment-618316043
Upgrade to major version
- if you want to test the upgrade of the centos rpms (only) to a newer release (eg 7.8 → 7.9)
yum --enablerepo=cr update
- if you want to upgrade your nethserver to a major version with the CLI
yum update
yum --enablerepo=nethserver-testing update nethserver-subscription\*
signal-event software-repos-upgrade
Or
yum install -y http://mirror.nethserver.org/nethserver/nethserver-release-7.rpm
signal-event software-repos-save
yum update