LXC - Centos 7 Template

[1] Skip the resource-hungry firewalld and use plain iptables instead

yum install iptables-services

systemctl enable iptables

systemctl disable firewalld

[2] Disable unused services

ls -1 /etc/systemd/system/multi-user.target.wants

# Services not needed in the container (disable)

  • remote-fs.target
  • tuned.service
  • NetworkManager.service
  • kdump.service
  • irqbalance.service
  • auditd.service

# Services to stop for now (they stay installed; start them when the template is put to use)

  • crond.service
  • httpd.service
  • mariadb.service
  • rsyslog.service
  • postfix.service

[3] Installing httpd needs the setfcap capability

The httpd RPM applies file capabilities to one of its binaries (suexec) while unpacking, so with CAP_SETFCAP dropped the install fails. Comment out the drop line in the shared config:

/usr/share/lxc/config/centos.common.conf

#lxc.cap.drop = setfcap

Note: this hands CAP_SETFCAP to every CentOS container that includes this file, and it lets root inside the container stamp file capabilities onto any binary in its rootfs. The capability is only needed while the package installs, so restore the drop line once the template's packages are in place. rpm -q --filecaps httpd lists which files the package applies them to.

[4] Login fails on the console (lxc-console c1)

/var/log/secure

Jul 10 03:29:12 c1 login: pam_securetty(login:auth): access denied: tty 'pts/0' is not secure !

pam_securetty only lets root log in on a tty listed in /etc/securetty, and the LXC console devices are not in the stock list. Add them:

/etc/securetty

# append
lxc/console
lxc/tty1
lxc/tty2
lxc/tty3
lxc/tty4

Only root is subject to this check; a non-root account logs in fine without the change.

[5] ssh fails

Logging in over ssh to the centos7 container => the connection is closed immediately

log: /var/log/secure

... sshd[319]: pam_loginuid(sshd:session): set_loginuid failed
... sshd[319]: pam_unix(sshd:session): session opened for user root by (uid=0)
... sshd[319]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session

pam_loginuid.so

Records the user's login uid as a process attribute (/proc/self/loginuid) for the audit subsystem. Inside the container the kernel refuses that write, and because the line is marked "required", PAM aborts the session and sshd drops the connection.

Edit /etc/pam.d/sshd

#session    required     pam_loginuid.so

The same line exists in /etc/pam.d/login and /etc/pam.d/crond, so console logins and cron jobs can hit the same failure. Disabling it costs the audit login uid, which is moot here since auditd is disabled in [2].

[6] systemd-journald high load at startup

strace -p <pid of systemd-journald>

epoll_wait(7, [{EPOLLIN|EPOLLERR|EPOLLHUP, {u32=1277044336, u64=94808385136240}},
{EPOLLIN, {u32=1277043568, u64=94808385135472}},
{EPOLLIN, {u32=1277043824, u64=94808385135728}},
{EPOLLIN, {u32=1277044080, u64=94808385135984}}], 16, 0) = 4
clock_gettime(CLOCK_BOOTTIME, {tv_sec=16153446, tv_nsec=759399572}) = 0
writev(2, [{iov_base="/dev/kmsg buffer overrun, some m"..., iov_len=45},
{iov_base="\n", iov_len=1}], 2) = 46
read(8, "", 8192)

journald opens /dev/kmsg expecting the kernel ring buffer. With the lxc.kmsg default (1), the container's /dev/kmsg is a symlink to /dev/console, so journald is reading the console pty instead; its kmsg read path keeps misfiring, it logs the "buffer overrun" warning over and over, and the process spins.

[Fix]

# In container

rm -f /dev/kmsg

# container setting

lxc.kmsg = 0
lxc.autodev = 1

LXC 3.0 dropped the lxc.kmsg key and no longer creates the symlink; on 3.x leave that line out and keep lxc.autodev = 1.

[7] systemd-sysctl error

... systemd-sysctl: Failed to write '16' to '/proc/sys/kernel/sysrq': Read-only file system
... systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Read-only file system
...

/proc/sys is mounted read-only in the container, so the kernel.* keys in the vendor sysctl.d files cannot be applied. systemd-sysctl logs each failure and carries on, so the messages are noise rather than a fault; the host's values stay in effect either way.

[Fix]

cd /usr/lib/sysctl.d

rm 00-system.conf 10-default-yama-scope.conf 50-default.conf

touch 00-system.conf 10-default-yama-scope.conf 50-default.conf

chattr +i 00-system.conf 10-default-yama-scope.conf 50-default.conf

P.S.

After chattr +i, updating systemd fails:

Error unpacking rpm package systemd-219-78.el7_9.3.x86_64
error: unpacking of archive failed on file /usr/lib/sysctl.d/50-default.conf: cpio: rename
error: systemd-219-78.el7_9.3.x86_64: install failed

Cleaner alternative: a file in /etc/sysctl.d takes precedence over one with the same name in /usr/lib/sysctl.d, and the documented way to disable a vendor file is a same-named symlink to /dev/null (an empty file works too). Creating /etc/sysctl.d/00-system.conf, 10-default-yama-scope.conf and 50-default.conf that way masks the vendor files, survives RPM updates, and needs no chattr. Bear in mind that 50-default.conf also carries net.ipv4 hardening (rp_filter, accept_source_route); those keys are per network namespace and usually writable in the container, so if only the kernel.* keys fail, an override that keeps the net.* lines is preferable to blanking the whole file.
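The steps above are all edits to files in the container's root filesystem, so they can be applied from the host before the template is first booted. The script below is an added example (not from the original notes) that does this for [2], [4], [5] and [7]: units are "disabled" by removing their multi-user.target.wants link (what systemctl disable does for these units), pam_loginuid is commented out, the lxc/* ttys are appended once, and the sysctl files are masked with the /etc/sysctl.d override instead of chattr. ROOTFS is an assumed path; [1], [3] and [6] still need yum, the lxc config edit and the container-side rm as described above.

```shell
#!/bin/bash
# Added example: prepare a CentOS 7 LXC rootfs as a template, editing the
# container's files from the host. Every function takes the rootfs path so it
# can be pointed at any directory (and is idempotent: safe to re-run).
set -eu

ROOTFS="${ROOTFS:-/var/lib/lxc/c1/rootfs}"   # assumption: default LXC rootfs path

# [2] "disable" a unit without systemd running: drop its multi-user.target.wants link
disable_unit() {
  local root="$1" unit="$2"
  local link="$root/etc/systemd/system/multi-user.target.wants/$unit"
  [ -L "$link" ] || [ -e "$link" ] || return 0   # already absent
  rm -f "$link"
}

# [4] let root log in on the LXC console devices: append each lxc/* entry once
add_securetty() {
  local root="$1" tty
  local f="$root/etc/securetty"
  for tty in lxc/console lxc/tty1 lxc/tty2 lxc/tty3 lxc/tty4; do
    grep -qxF "$tty" "$f" 2>/dev/null || printf '%s\n' "$tty" >> "$f"
  done
}

# [5] comment out pam_loginuid in one PAM service file (sshd; login and crond
# carry the same line). Already-commented lines are left alone.
disable_pam_loginuid() {
  local root="$1" svc="$2"
  local f="$root/etc/pam.d/$svc"
  [ -f "$f" ] || return 0
  sed -i -E 's/^([[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so.*)$/#\1/' "$f"
}

# [7] mask a vendor sysctl file: an empty same-named file in /etc/sysctl.d wins
# over /usr/lib/sysctl.d, survives RPM updates and needs no immutable bit.
mask_sysctl() {
  local root="$1" name="$2"
  mkdir -p "$root/etc/sysctl.d"
  : > "$root/etc/sysctl.d/$name"
}

# number of lxc/* entries present in securetty (for checking the result)
count_securetty_lxc() { grep -c '^lxc/' "$1/etc/securetty"; }

prepare_rootfs() {
  local root="$1" u f
  for u in remote-fs.target tuned.service NetworkManager.service \
           kdump.service irqbalance.service auditd.service; do
    disable_unit "$root" "$u"
  done
  add_securetty "$root"
  disable_pam_loginuid "$root" sshd
  for f in 00-system.conf 10-default-yama-scope.conf 50-default.conf; do
    mask_sysctl "$root" "$f"
  done
}

# usage: ROOTFS=/var/lib/lxc/c1/rootfs ./prepare-template.sh --apply
if [ "${1:-}" = "--apply" ]; then prepare_rootfs "$ROOTFS"; fi
```

Run it against the rootfs, then boot the container and do the yum steps from [1] and [3] inside it; the [2] "stop for now" services are left enabled here because they are meant to come back when the template is used.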