메모장

CentOS 6/7에서 Server에서 RSA 공개키 설정을 해도 passwd 입력을 받을 때가 있다.

SELinux 가 활성화 되어 있는 경우 .ssh 폴더의 Type 설정이 제대로 되어 있지 않아서 발생한다.

해결 방법은 아래와 같다.

[ ssh 공개키 설정 시 확인 사항 ]

1. SELinux 비활성화

# SELinux 활성화 확인
[root@skt-ocs2th-test ~]# getenforce
Enforcing
# SELinux 비활성화
[root@skt-ocs2th-test ~]# setenforce 0
# SELinux 비활성화 확인
[root@skt-ocs2th-test ~]# getenforce
Permissive

## selinux 설정 파일 변경 enforcing -> disabled
vi /etc/sysconfig/selinux
#SELINUX=enforcing
SELINUX=disabled

2. SELinux 활성화 시 확인 사항

2-1. restorecon 명령어로 SELinux 보안 Context 복구한다. ( type이 ssh_home_t로 설정되어야 한다.)

[jenkins@skt-ocs2th-test ~]$ restorecon -R -v ~/.ssh
restorecon reset /home/jenkins/.ssh context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/jenkins/.ssh/id_rsa context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/jenkins/.ssh/authorized_keys context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/jenkins/.ssh/id_rsa.pub context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:ssh_home_t:s0
[jenkins@skt-ocs2th-test ~]$
[jenkins@skt-ocs2th-test ~]$ ls -Z .ssh
-rw-------. jenkins jenkins unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. jenkins jenkins unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-r--r--. jenkins jenkins unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub

2-2. restorecon 명령어를 수행해도 ssh_home_t로 복구 되지 않는 경우

 - 이 경우 해당 계정의 home이 /var/lib과 같이 특수한 directory 아래에 생성되었다면 SELinux의 다른 Type 설정에 따라 ssh_home_t가 설정되지 않을 수 있다.

 - 아래의 경우 jenkins 계정의 home은 /var/lib이기 때문에 .ssh 폴더의 type이 var_lib_t로 되어 있다.

[jenkins@skt-ocs2th ~]$ ls -aZ
drwx------. jenkins jenkins system_u:object_r:var_lib_t:s0   .
drwxr-xr-x. root    root    system_u:object_r:var_lib_t:s0   ..
-rw-------. jenkins jenkins unconfined_u:object_r:var_lib_t:s0 .bash_history
-rw-r--r--. jenkins jenkins system_u:object_r:var_lib_t:s0   .bash_logout
-rw-r--r--. jenkins jenkins system_u:object_r:var_lib_t:s0   .bash_profile
-rw-r--r--. jenkins jenkins system_u:object_r:var_lib_t:s0   .bashrc
drwx------. jenkins jenkins unconfined_u:object_r:var_lib_t:s0 .ssh
-rw-------. jenkins jenkins unconfined_u:object_r:var_lib_t:s0 .viminfo

 - /etc/selinux/targeted/contexts/files/file_contexts 파일에서 해당 계정에 맞는 path를 지정해서 ssh_home_t로 바꿔준다.

/var/lib(/.*)?  system_u:object_r:var_lib_t:s0
/var/lib(/.*)/.ssh(/.*)?        unconfined_u:object_r:ssh_home_t:s0

 - restorecon 명령어로 SELinux 보안 Context 변경한다.

[jenkins@skt-ocs2th .ssh]$ restorecon -R -v ~/.ssh
restorecon reset /var/lib/jenkins/.ssh/id_rsa context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /var/lib/jenkins/.ssh/authorized_keys context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /var/lib/jenkins/.ssh/id_rsa.pub context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:ssh_home_t:s0

CentOS 6/7에서 RSA ssh 공개키로 접속하는 방법.

[ Server 장비 ]

1. sshd 설정 변경

vi /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys

- AuthorizedKeysFile의 경우 %u는 해당 계졍의 username이며, %h는 해당 계정의 home path를 뜻한다.

# /etc/ssh/<username>/authorized_keys 에서 관리하고 싶은 경우
AuthorizedKeysFile   /etc/ssh/%u/authorized_keys

# ~/.ssh/authorized_keys 에서 관리하고 싶은 경우
AuthorizedKeysFile   %h/.ssh/authorized_keys

2. sshd 재시작

# CentOS 6
service sshd restart

# CentOS 7
systemctl restart sshd

3. 접속하려는 계정의 .ssh 폴더 및 .ssh/authorized_keys 권한 설정

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

[ Client 장비 ]

1. RSA 공개키 생성

hjshuMBP:.ssh hjshu$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/hjshu/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/hjshu/.ssh/id_rsa.
Your public key has been saved in /Users/hjshu/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qWkd3w98lVXLZDpfU3uQYb/ZQ924mkuBHYSwj8E3WRs hjshu@hjshuMBP.local
The key's randomart image is:
+---[RSA 2048]----+
|        .. .E +=o|
|       . ..+ +*+B|
|        + + oo.*B|
|         * + .+.X|
|        S o o .*o|
|       + o o + ..|
|      + . . B .  |
|     .     . =   |
|            . .  |
+----[SHA256]-----+

2. 공개키 확인

# cat .ssh/id_rsa.pub

3. 해당 공개키를 접속하고 싶은 서버 계정의  ~/.ssh/authorized_keys에 추가해준다.

[jenkins@skt-ocs2th ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCg3PdtVO5qB5l2Q1PEm8cU2f/zdrXN0eKIAqc7QAvp7xFEwIczxPhnkwYbRh+4Yp9Y+aarBaA/mvNoZSMuxKZqEaVXzlZX5rOJuDK+GepyFvDU1D9k+CmycJkeFbmr1cMuL0e19l7zccWmQFbkMmhj0mSJX+yApPixFGcpCL/h7pQi6lkJeiStIuLlkJnQGbntPA8JCLm4mZdrGBvQFbs61lhVmkJNqddDWbrnybwK2CRrfXCzud6lsvmh2vZnrimBDAayytGwDBI3+7+C9C6ueGId8DLi3Aqe37ikzgpa9wXDjGEipTnUjrIA6FjzdVAPG3t6D2QV3F3NS7aIk3Ob hjshu@hjshuMBP.local

이 작업 이후 부터 Client가 Server로 접속 시 passwd 입력 없이 접속이 가능해진다.

CentOS에서 부팅 시 네트워크가 느린 경우 삼바, sshfs 등의 네크워크 파일 시스템 mount가 되지 않는 경우가 발생한다.

/etc/fstab에 _netdev나 x-systemd.automount,x-systemd.requires=network-online.target,x-systemd.after=network-online.target의 경우 System의 Network가 online이 되면 mount를 시도하는 옵션이지만 mount 명령어를 따로 실행해도 mount하는데 20초 이상 걸리는 상황에서는 해당 옵션을 활성화해도 boot 후 mount가 되지 않았다.

결국 Google 검색 후 Crontab에 boot 시 script를 돌리는 것으로 해결

1. mount 실패 로그

● TKS_VM_BACKUP.mount - /TKS_VM_BACKUP
   Loaded: loaded (/etc/fstab; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2020-04-10 18:13:49 KST; 12min ago
    Where: /TKS_VM_BACKUP
     What: //192.168.x.x/TKS_VM_IMG
     Docs: man:fstab(5)
           man:systemd-fstab-generator(8)

  Process: 2270 ExecMount=/bin/mount //192.168.x.x/TKS_VM_IMG /TKS_VM_BACKUP -t cifs -o _netdev,x-systemd.after=network-online.target,noexec,nosuid,vers=3.0,credentials=/root/.smb.cred (code=exited, status=32)

Apr 10 18:13:42 winterfell systemd[1]: Mounting /TKS_VM_BACKUP...
Apr 10 18:13:42 winterfell snoopy[2270]: [uid:0 sid:1 tty:(none) cwd:/ filename:/bin/mount]: /bin/mount //192.168.x.x/TKS_VM_IMG /TKS_VM_BACKUP -t cifs -o _netdev,x-s...ot/.smb.cred
Apr 10 18:13:42 winterfell snoopy[2278]: [uid:0 sid:1 tty:(none) cwd:/ filename:/sbin/mount.cifs]: /sbin/mount.cifs //192.168.x.x/TKS_VM_IMG /TKS_VM_BACKUP -o rw,noex...cred,_netdev
Apr 10 18:13:48 winterfell mount[2270]: Unable to find suitable address.
Apr 10 18:13:49 winterfell systemd[1]: TKS_VM_BACKUP.mount mount process exited, code=exited status=32
Apr 10 18:13:49 winterfell systemd[1]: Failed to mount /TKS_VM_BACKUP.
Apr 10 18:13:49 winterfell systemd[1]: Unit TKS_VM_BACKUP.mount entered failed state.

2. Script 생성

vi /root/smb_mount_chk.sh

#!/bin/bash
# nettester.sh: test runs in loop to MAX = number of TRIES
#               or until network responds successfully

NETWORK=0
COUNTER=0

# wait till next loop
SECONDS=2

#stop testing after N times
TRIES=300
# your most faithfull url to hit success all the time
URL=192.168.x.x

until [  $COUNTER -eq "$TRIES" ]
do
      let COUNTER=$COUNTER+1
      GETURL=`curl -vs -o /dev/null --max-time 1 --connect-timeout 1 $URL 2>&1 |grep -c Connected`
      if [ $GETURL -eq 1 ]
	then
	    NETWORK=1
	    if [ $NETWORK -eq 1 ]
	      then
		COUNTER=$TRIES
	      else
		NETWORK=0
	    fi
	else
            echo 'sleep'
	    sleep $SECONDS
      fi
done

if [ $NETWORK -eq 1 ]
    then
        mount -t cifs -o credentials=/root/.smb.cred,vers=3.0 //$URL/TKS_VM_IMG /TKS_VM_BACKUP
	  # do your mount stuff here
    else
        exit 1 # -bailing, had to many tries
fi

3. Script 실행 권한 추가

chmod +x /root/smb_mount_chk.sh

4. Crontab 등록

@reboot /root/smb_mount_chk.sh > /root/cron.log 2>&1

[ CentOS 7 에서 삼바(samba) Client 설정 ]

1. samba 관련 패키지 설치 및 기동

sudo yum -y install samba samba-client cifs-utils

2. mount 할 폴더 생성

mkdir /share

3. 아래의 명령어로 mount

# mount -t cifs -o username=user,password=passwd,vers=3.0 //server_ip/diretory /share

- credentials 파일로 계정 정보 등록해서 mount

# cat /root/.smb.cred
username=user
password=passwd

# mount -t cifs -o credentials=/root/.smb.cred,vers=3.0 //server_ip/diretory /share

4. 시스템 기동 시 자동 mount 등록 방법

- /etc/fstab 등록

//server_ip/diretory /share cifs _netdev,rw,credentials=/root/.smb.cred,vers=3.0  0 0

- systemd에 등록

# vi share.mount
[Unit]
Description = SMB share
Requires=network-online.target
After=network-online.target

[Mount]
What = //server_ip/diretory
Where = /share
Type = cifs
Options = credentials=/root/.smb.cred,vers=3.0

[Install]
WantedBy = multi-user.target

# systemctl enable share.mount
# systemctl status share.mount

[ CentOS 7 에서 SAMBA Server 설정 방법 ]

1. samba 관련 패키지 설치 및 기동

sudo yum install samba samba-client samba-common

systemctl enable smb
systemctl enable nmb
systemctl start smb
systemctl start nmb

2. 공유하고 싶은 폴더 생성

# /share 폴더 생성
mkdir /share
# 권한 설정
chmod 777 /share

3. SAMBA 권한 설정

3-1. 계정 로그인 없이 ( Anonymous ) 접속

- /etc/samba/smb.conf 설정

[global]
        workgroup = WORKGROUP
        netbios name = centos
        security = user
        map to guest = bad user

[Anonymous]
        comment = Anonymous File Server Share
        path = /share
        browsable =yes
        writable = yes
        guest ok = yes
        read only = no
        public = yes
        force create mode = 0777
        directory mask = 0777

3-2. 계정 설정

- Samba 접속용 계정 생성

useradd -M -s /sbin/nologin smbuser

- Samba 계정 비밀번호 설정

# smbpasswd -a smbuser

New SMB password:
Retype new SMB password:
Added user smbuser.

- /etc/samba/smb.conf 설정

[global]
        workgroup = WORKGROUP
        netbios name = centos
        security = user
        map to guest = bad user

[share]
        comment = share
        path = /share
        public = no
        writable = yes
        printable = yes
        write list = smbuser
        # 계정이 여러개일 경우 아래와 같이 추가 
        # write list = smbuser app root
        create mask = 0777
        directory mask = 0777

4. Samba 재기동

systemctl stop smb
systemctl stop nmb
systemctl start smb
systemctl start nmb

우선 원하는 MySQL 버전을 다운로드 받자

 - Product Version : 5.1.52

 - Operating System : Source Code

 - OS Version : Linux Generic (glibc 2.3)

https://downloads.mysql.com/archives/community

( 현재 회사에서 사용하는 MySQL이 5.1.52 버전이라 해당 버전으로 설치 진행 )

설치 서버는 redhat 6

설치 전에 /etc/my.cnf를 /etc/my.cnt_bk로 바꾸자

( mysql이 기본적으로 /etc/my.cnf를 보게 되어 있어 /usr/local/mysql/data/my.cnf를 수정해도 반영이 안됨 )

받은 패키지를 원하는 위치에 압축을 풀고

OAMPKB2A [ app{52} ~/DB/mysql ] tar xvf mysql-5.1.52-linux-x86_64-glibc23.tar.gz

root 계정에서 /usr/local/mysql 을 link 걸자

# cd /usr/local
# sudo ln -s /home/app/DB/mysql/mysql-5.1.52-linux-x86_64-glibc23 mysql
# ls -l
drwxr-xr-x. 2 root root 4096 2011-06-28 21:13 bin
drwxr-xr-x. 2 root root 4096 2011-06-28 21:13 etc
drwxr-xr-x. 2 root root 4096 2011-06-28 21:13 games
drwxr-xr-x. 3 root root 4096 2019-02-08 05:31 hp
drwxr-xr-x. 2 root root 4096 2011-06-28 21:13 include
drwxr-xr-x. 2 root root 4096 2011-06-28 21:13 lib
drwxr-xr-x. 2 root root 4096 2011-06-28 21:13 lib64
drwxr-xr-x. 2 root root 4096 2011-06-28 21:13 libexec
lrwxrwxrwx. 1 root root   52 2019-02-13 09:43 mysql -> /home/app/DB/mysql/mysql-5.1.52-linux-x86_64-glibc23
drwxr-xr-x. 2 root root 4096 2011-06-28 21:13 sbin
drwxr-xr-x. 5 root root 4096 2019-02-08 03:28 share
drwxr-xr-x. 2 root root 4096 2011-06-28 21:13 src

이후 /usr/local/mysql 위치에서 ./scripts/mysql_install_db 명령어 수행

# cd /usr/local/mysql
# ./scripts/mysql_install_db

WARNING: The host 'OAMPKB2A' could not be looked up with resolveip.
This probably means that your libc libraries are not 100 % compatible
with this binary MySQL version. The MySQL daemon, mysqld, should work
normally with the exception that host name resolving will not work.
This means that you should use IP addresses instead of hostnames
when specifying MySQL privileges !
Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

./bin/mysqladmin -u root password 'new-password'
./bin/mysqladmin -u root -h OAMPKB2A password 'new-password'

Alternatively you can run:
./bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd . ; ./bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd ./mysql-test ; perl mysql-test-run.pl

Please report any problems with the ./bin/mysqlbug script!

mysqld_safe & 로 기동

# /usr/local/mysql/bin/mysqld_safe &
[1] 29641
190213 10:00:38 mysqld_safe Logging to '/usr/local/mysql/data/OAMPKB2A.err'.
190213 10:00:38 mysqld_safe Starting mysqld daemon with databases from /usr/local/mysql/data

아래의 명령어로 root 비번을 원하는 걸로 바꾸자

# /usr/local/mysql/bin/mysqladmin -u root password root.123

접속 확인

# mysql -uroot -proot.123
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52-log MySQL Community Server (GPL)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

nginx 설치 후 아래와 같이 php-fpm과 connection 실패가 되는 현상이 발생

2018/12/26 11:31:07 [error] 28434#0: *8 connect() failed (111: Connection refused) while connecting to upstream, client: 222.235.208.2, server: hjshunas.iptime.org, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: ""

한참을 헤매다 centos 7 설치 후 selinux 설정되어 있는 것을 확인

selinux와 iptables rule 날리고 정상 connection 되는 것 확인

아래는 selinux 해제 방법과 iptables flush 방법 ( 보안이 필요한 환경에서는 권장하지 않고 php-fpm port 에 대해 whitelist 등록줘야 함 )

# 0이 selinux 해제 1이 설정
sudo setenforce 0

# 재기동 시에도 반영하기 위해 아래 파일 수정
sudo vi /etc/sysconfig/selinux

#SELINUX=enforcing
SELINUX=disabled

# iptables flush 후 저장
sudo iptables --flush
sudo service iptables save