Posts under category Linux笔记

systemctl .service file for vncserver under CentOS 7.7

People can do almost everything vis ssh under Linux, no exception for CentOS. But in some cases, using a X Windows improves efficiency greatly.

Tiger VNC server is a good server end package for VNC protocal under CentOS.
Tonight, just an hour ago, I encountered a disaster due to an unprofessional systemctl script privided by Tiger VNC server devolopers.

I’m tired so I shall not record the details.
If you are suffering problems while you are deploying autostart VNC server via systemctl, like:

  1. New main PID <pid> does not belong to service, and PID file is not owned by root. Refusing.;
  2. Enabled multiple vnc ports for no reason;
  3. Can not input password when the vnc client in locked screen;
    ....

Just try a .service file as fllow:
Do !NOT! forget to change USERNAME to your own user.

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking

# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/sbin/runuser -l <USERNAME> -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l <USERNAME> -c "/usr/bin/vncserver :1"
ExecStartPost=/bin/sh -c '/usr/bin/cat /home/<USERNAME>/.vnc/%H%i.pid > /tmp/vnc-server.pid'
PIDFile=/tmp/vnc-server.pid
ExecStop=/sbin/runuser -l <USERNAME> -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

Gogs迁移到Gitlab -- 利用Gitea作为中介完美迁移

在一段时间以来,我一直使用轻量级的Gogs作为私有代码仓库。最近一段时间苦于Gogs缺少CI、任务管理等一系列功能,准备将Gogs迁移到Gitlab。

网上找过很多迁移方法只能迁移仓库,issues信息会全部丢失。因此我探索了一个可以完整迁移repos、issues的办法,在此简单记录迁移过程,不做详细教程。如果你希望从本文中获得帮助,请确保拥有以下知识储备:

  1. 能够完成Gogs的备份;
  2. 能够完成Gogs与Gitea的升级、降级;
  3. 了解Gitea的Access Tokens的使用;
  4. 能够安装Gitlab(或熟悉Gitlab的使用)。

- Read More -

Modifying SElinux configure for allowing nginx reverse proxy local site

Read about audit2allow and used it to create a policy to allow access to the denied requests for nginx.

    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te
    [root]# cat nginxlocalconf.te 
    
    module nginxlocalconf 1.0;
    
    require {
        type httpd_t;
        type var_t;
        type transproxy_port_t;
        class tcp_socket name_connect;
        class file { read getattr open };
    }
    
    #============= httpd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
    allow httpd_t transproxy_port_t:tcp_socket name_connect;
    allow httpd_t var_t:file { read getattr open };
    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M nginxlocalconf
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i nginxlocalconf.pp
    
    [root]# semodule -i nginxlocalconf.pp

To allow http server to connect local DB, like mysql, do as fllows:

# setsebool -P httpd_can_network_connect 1
# setsebool -P httpd_can_network_connect_db 1

To allow nginx(or apache, php-fpm, etc...) to write/read some dir, do as fllows:

semanage fcontext -a -t httpd_sys_rw_content_t "/path(/.*)?"
restorecon -r /path

see kuddusic.wordpress.com

How to fix permission denied under Linux with SELinux:
update-wordpress-with-selinux-enabled
install-wordpress-centos-7

Explaining command su

Running a command with substitute user is the typical use of command su under linux.

Sometimes, use -s option to running the specified shell instead of the default, this option may helps a lot when need to access user whose default shell is /sbin/nologin, usage like su -s /bin/bash jenkins

Explaining file /ets/sudoers

/ets/sudoers configure user(s) who can get root privileges under linux.
440 permission is on this file by default, so chmod +w operation is required before modify file, don't forget chmod -w once modified.

Some typical configs are as follow:

allow jenkins user restart uwsgi service via systemd:

jenkins     ALL  = NOPASSWD    : /bin/systemctl restart uwsgi

explain:

user        host = need passwd?: command 1, shell 2, ...

allow moon user access sudo privileges unconditional:

moon    ALL=(ALL)       NOPASSWD: ALL