Posts under category Linux Notes

systemctl .service file for vncserver under CentOS 7.7

People can do almost everything via ssh under Linux, and CentOS is no exception. But in some cases, using X Windows improves efficiency greatly.

Tiger VNC server is a good server-side package for the VNC protocol under CentOS.
Tonight, just an hour ago, I encountered a disaster due to an unprofessional systemctl script provided by the Tiger VNC server developers.

I’m tired so I shall not record the details.
If you are suffering problems while you are deploying autostart VNC server via systemctl, like:

  1. New main PID <pid> does not belong to service, and PID file is not owned by root. Refusing.;
  2. Enabled multiple vnc ports for no reason;
  3. Cannot input the password when the VNC client is on the locked screen;

Just try a .service file as follows:
Do !NOT! forget to change USERNAME to your own user.

    [Unit]
    Description=Remote desktop service (VNC)

    [Service]
    # Clean any existing files in /tmp/.X11-unix environment
    ExecStartPre=/sbin/runuser -l <USERNAME> -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
    ExecStart=/sbin/runuser -l <USERNAME> -c "/usr/bin/vncserver :1"
    ExecStartPost=/bin/sh -c '/usr/bin/cat /home/<USERNAME>/.vnc/ > /tmp/'
    ExecStop=/sbin/runuser -l <USERNAME> -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'


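Migrating Gogs to Gitlab -- a seamless migration using Gitea as an intermediary

  1. Able to back up Gogs;
  2. Able to upgrade and downgrade Gogs and Gitea;
  3. Understand how to use Gitea Access Tokens;
  4. Able to install Gitlab (or familiar with using Gitlab).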


Modifying the SELinux configuration to allow nginx to reverse proxy a local site

Read about audit2allow and used it to create a policy to allow access to the denied requests for nginx.

    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te
    [root]# cat nginxlocalconf.te 
    module nginxlocalconf 1.0;
    require {
        type httpd_t;
        type var_t;
        type transproxy_port_t;
        class tcp_socket name_connect;
        class file { read getattr open };
    }

    #============= httpd_t ==============
    #!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
    allow httpd_t transproxy_port_t:tcp_socket name_connect;
    allow httpd_t var_t:file { read getattr open };
    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M nginxlocalconf
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    semodule -i nginxlocalconf.pp
    [root]# semodule -i nginxlocalconf.pp

To allow the HTTP server to connect to a local DB, like MySQL, do as follows:

    # setsebool -P httpd_can_network_connect 1
    # setsebool -P httpd_can_network_connect_db 1

To allow nginx (or apache, php-fpm, etc.) to read/write some directory, do as follows:

    semanage fcontext -a -t httpd_sys_rw_content_t "/path(/.*)?"
    restorecon -r /path
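One way to review the denials before loading the generated module (an added example, not code from the original post): it groups nginx AVC denials into allow rules the way audit2allow does and marks each rule as better handled by a boolean, by relabeling, or by a module. The sample log lines and the GENERIC_TYPES list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in audit.log AVC format (not taken from the post).
SAMPLE_LOG = """\
type=AVC msg=audit(1580000000.101:501): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1580000001.202:502): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.html" dev="dm-0" ino=7711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580000002.303:503): avc:  denied  { open } for  pid=1201 comm="nginx" path="/var/site/index.html" dev="dm-0" ino=7711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580000003.404:504): avc:  denied  { getattr } for  pid=990 comm="sshd" path="/var/site" dev="dm-0" ino=7700 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)'
    r'.*?tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)'
    r'.*?tclass=(?P<tclass>\S+)')

# Assumption: a short illustrative list of catch-all labels; extend for your policy.
GENERIC_TYPES = {"var_t", "default_t", "unlabeled_t"}


def summarize(log_text, comm="nginx"):
    """Group denials for one command: (source, target, class) -> permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m["comm"] == comm:
            key = (m["stype"], m["ttype"], m["tclass"])
            rules[key].update(m["perms"].split())
    return rules


def advise(rules):
    """Return (allow rule, suggested handling) pairs for review."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if ttype in GENERIC_TYPES:
            how = "relabel the path (semanage fcontext + restorecon)"
        elif (stype, tclass) == ("httpd_t", "tcp_socket") and "name_connect" in perms:
            how = "boolean httpd_can_network_connect"
        else:
            how = "custom module after review"
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        out.append((rule, how))
    return out


if __name__ == "__main__":
    for rule, how in advise(summarize(SAMPLE_LOG)):
        print(f"{rule:55} -> {how}")
```

For the var_t rule, relabeling the site directory is the narrower fix, since the module form lets httpd_t read every file labelled var_t.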


How to fix permission denied under Linux with SELinux:

Explaining command su

Running a command as a substitute user is the typical use of the su command under Linux.

Sometimes the -s option is used to run a specified shell instead of the default. This option helps a lot when you need to access a user whose default shell is /sbin/nologin, with usage like su -s /bin/bash jenkins

Explaining file /etc/sudoers

/etc/sudoers configures the user(s) who can get root privileges under Linux.
The file has 440 permissions by default, so a chmod +w operation is required before modifying it; don't forget chmod -w once it is modified.

Some typical configs are as follows:

Allow the jenkins user to restart the uwsgi service via systemd:

    jenkins     ALL  = NOPASSWD    : /bin/systemctl restart uwsgi
    # user      host = need passwd?: command 1, shell 2, ...

Allow the moon user unconditional access to sudo privileges:

    moon    ALL=(ALL)       NOPASSWD: ALL


Then update the mirror: yum makecache
