Ubuntu¶
- Landscape https://landscape.canonical.com/index.html
- Fix for sudo being oddly slow on Ubuntu 18.04: https://serverfault.com/a/41820
- From Ubuntu 18.04 the installer can fetch a user's trusted public keys from GitHub. If you install with a public key hosted on GitHub, the user holding the matching private key does not need a password set. Note that every key on that GitHub account is imported, so whoever controls the account controls SSH access to the host; check the account name carefully.
- Make vim the default EDITOR:
    sudo update-alternatives --set editor /usr/bin/vim.basic
netplan¶
- Installed from the Live CD: /etc/netplan/50-cloud-init.yaml
- Installed from mini.iso: /etc/netplan/01-netcfg.yaml
    $ sudo vi /etc/netplan/50-cloud-init.yaml
Configuration example (as the header comment of the file says, cloud-init may overwrite it; to keep hand edits, create /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with `network: {config: disabled}`):
    $ cat /etc/netplan/50-cloud-init.yaml
    # This file is generated from information provided by
    # the datasource. Changes to it will not persist across an instance.
    # To disable cloud-init's network configuration capabilities, write a file
    # /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
    # network: {config: disabled}
    network:
        ethernets:
            ens18:
                addresses:
                - 192.168.1.11/24
                - 2001:db8:1111::11/64
                gateway4: 192.168.1.1
                gateway6: 2001:db8:1111::1
                nameservers:
                    addresses:
                    - 192.168.1.53
                    search:
                    - ainoniwa.net
                optional: true
        version: 2
To apply the configuration, run:
    $ sudo netplan apply
On a host you only reach over the network, prefer `sudo netplan try`: it applies the configuration and rolls it back automatically unless you confirm within the timeout (120 seconds by default), so a typo in the file does not lock you out.
When the interface uses
    dhcp4: yes
and you also need a static route, add `on-link: true` to the route as below. Without it the route is typically refused, because at the time the route is installed no prefix is configured on the interface yet and the kernel cannot see how the gateway is reachable.
    dhcp4: yes
    routes:
    - on-link: true
      to: x.x.x.x/x
      via: x.x.x.x
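The dhcp4 + `on-link` rule above can be checked before running `netplan apply`. The following is an added example, not code from the original page or from the netplan project: it reproduces the reachability decision (a `via` gateway must lie inside a prefix statically configured on the same interface, or the route must be flagged `on-link`) and also flags the deprecated `gateway4`/`gateway6` keys. The configuration is embedded as a Python dict that mirrors the YAML above (a constructed sample) so it runs without PyYAML; on a real host load the YAML file first.

```python
"""Lint netplan static routes for the dhcp4 + `on-link` pitfall.

Added example (not from the page or netplan). Rule encoded: a route with a
`via` gateway is only accepted by the kernel if the gateway is reachable
through a prefix already configured on the interface. With a static address
the prefix is known from the config; with dhcp4 it is not, so the route has
to carry `on-link: true`.
"""
import ipaddress

# Constructed sample mirroring the netplan YAML above (not a real host).
SAMPLE_CONFIG = {
    "network": {
        "version": 2,
        "ethernets": {
            # static address: 192.168.1.254 lies inside 192.168.1.0/24, fine
            "ens18": {
                "addresses": ["192.168.1.11/24", "2001:db8:1111::11/64"],
                "routes": [{"to": "10.0.0.0/8", "via": "192.168.1.254"}],
            },
            # dhcp4 only: no prefix known at config time, route needs on-link
            "ens19": {
                "dhcp4": True,
                "routes": [{"to": "10.0.0.0/8", "via": "192.168.2.254"}],
            },
            # dhcp4 with on-link set: accepted
            "ens20": {
                "dhcp4": True,
                "routes": [{"to": "10.0.0.0/8", "via": "192.168.2.254", "on-link": True}],
            },
        },
    }
}


def unreachable_gateways(iface: dict) -> list:
    """Routes of one interface whose gateway is neither covered by a static
    prefix on that interface nor flagged `on-link: true`."""
    prefixes = [ipaddress.ip_interface(a).network for a in iface.get("addresses", [])]
    bad = []
    for route in iface.get("routes", []):
        via = route.get("via")
        if via is None or route.get("on-link"):
            continue  # no gateway at all, or explicitly on-link
        gateway = ipaddress.ip_address(via)
        # `in` returns False across address families (IPv4 gateway vs IPv6 prefix)
        if not any(gateway in prefix for prefix in prefixes):
            bad.append(route)
    return bad


def lint(config: dict) -> dict:
    """Interface name -> offending routes, for every ethernets stanza."""
    report = {}
    for name, iface in config.get("network", {}).get("ethernets", {}).items():
        bad = unreachable_gateways(iface)
        if bad:
            report[name] = bad
    return report


def deprecated_gateway_keys(config: dict) -> dict:
    """Interfaces still using gateway4/gateway6. Current netplan (Ubuntu 22.04
    and later) warns about them; use a `routes:` entry with `to: default`."""
    found = {}
    for name, iface in config.get("network", {}).get("ethernets", {}).items():
        keys = [k for k in ("gateway4", "gateway6") if k in iface]
        if keys:
            found[name] = keys
    return found


if __name__ == "__main__":
    for name, routes in lint(SAMPLE_CONFIG).items():
        for r in routes:
            print(f"{name}: route to {r['to']} via {r['via']} needs on-link: true")
    for name, keys in deprecated_gateway_keys(SAMPLE_CONFIG).items():
        print(f"{name}: {keys} deprecated, use routes: [{{to: default, via: ...}}]")
```

Run as-is, the script reports only `ens19`; `ens18` passes because its gateway is inside the static /24, and `ens20` passes because the route is marked on-link.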
apt¶
The package manager used by Debian-derived distributions.
man APT(8): https://manpages.debian.org/stretch/apt/apt.8.ja.html
Handy snippet for updating packages (on Ubuntu 14.04/16.04 substitute apt-get for some of these):
    apt -q update
    apt -q -y upgrade
    apt -y autoremove
    apt -y autoclean
    $ sudo apt update -q
    $ sudo apt upgrade -q -y
    $ sudo apt-get autoremove -q -y
    $ sudo apt-get autoclean -q -y
Note
- If /var/run/reboot-required exists after apt upgrade, the OS needs a reboot.
- Upgrading the kernel (linux-image-*) can fill /boot, so check its free space and let autoremove clear out old kernels.
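The two checks in the Note, as an added example that is not part of the original page: it reads the reboot-required marker (and the package list update-notifier writes next to it), measures how full /boot is, and works out which installed kernel versions are neither running nor the newest and can therefore be removed. Paths and lists are parameters with production defaults so the logic can be exercised against constructed data; the 80% threshold is an assumption.

```python
"""Post-upgrade checks: pending reboot, /boot usage, removable old kernels.

Added example, not code from the original page. Functions take paths and
lists as parameters so they can run against constructed data.
"""
import os
import re
import shutil
import subprocess

REBOOT_MARKER = "/var/run/reboot-required"       # written by update-notifier-common
REBOOT_PKGS = "/var/run/reboot-required.pkgs"    # one package name per line
BOOT_WARN_PCT = 80                               # assumption: alert threshold

# Constructed sample, not from a real host.
SAMPLE_INSTALLED = ["4.15.0-176-generic", "4.15.0-180-generic", "4.15.0-178-generic"]
SAMPLE_RUNNING = "4.15.0-178-generic"


def reboot_required(marker: str = REBOOT_MARKER, pkgs: str = REBOOT_PKGS):
    """Return (pending, packages) for the reboot-required marker."""
    if not os.path.exists(marker):
        return False, []
    packages = []
    if os.path.exists(pkgs):
        with open(pkgs, encoding="utf-8") as fh:
            packages = [line.strip() for line in fh if line.strip()]
    return True, packages


def boot_used_pct(path: str = "/boot") -> int:
    """Percentage in use of the filesystem that holds `path`."""
    usage = shutil.disk_usage(path)
    return round(100 * (usage.total - usage.free) / usage.total)


def _version_key(version: str):
    # natural sort so 4.15.0-180 sorts after 4.15.0-99; tag ints and strings
    # separately so mixed parts never raise on comparison
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def stale_kernels(installed, running: str) -> list:
    """Installed kernel versions (uname -r form) that are neither the running
    one nor the newest; the newest is kept because the next boot uses it."""
    ordered = sorted(set(installed), key=_version_key)
    keep = {running, ordered[-1]} if ordered else set()
    return [v for v in ordered if v not in keep]


def installed_kernel_versions() -> list:
    """Ask dpkg for installed linux-image-<version> packages (real host only)."""
    out = subprocess.run(
        ["dpkg-query", "-W", "-f=${db:Status-Abbrev}\t${Package}\n", "linux-image-[0-9]*"],
        capture_output=True, text=True, check=False).stdout
    versions = []
    for line in out.splitlines():
        status, _, pkg = line.partition("\t")
        if status.strip() == "ii":
            versions.append(pkg[len("linux-image-"):])
    return versions


if __name__ == "__main__":
    pending, pkgs = reboot_required()
    print(f"reboot required: {pending} {pkgs}")
    pct = boot_used_pct()
    print(f"/boot used: {pct}%" + (" (WARN)" if pct >= BOOT_WARN_PCT else ""))
    print("removable kernels:", stale_kernels(installed_kernel_versions(), os.uname().release))
```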
needrestart¶
UnattendedUpgrades¶
A set of tools that performs updates and reboots automatically. On Ubuntu 18.04/20.04 it should be installed out of the box.
- Debian wiki: https://wiki.debian.org/UnattendedUpgrades
- Source documentation: https://github.com/mvo5/unattended-upgrades/blob/master/README.md
- Other references:
    To override the configuration it is recommended to create an other APT configuration file fragment which overrides the shipped default value because updates to to shipped configuration file may conflict with the local changes blocking updating unattended-upgrades itself. The new file should sort later than 50unattended-upgrades to be parsed later than the one shipping the default values, it can be e.g. 52unattended-upgrades-local.
As the source documentation says, editing the shipped file directly is not appropriate, so create a new file /etc/apt/apt.conf.d/52unattended-upgrades-local instead.
Put the following in /etc/apt/apt.conf.d/52unattended-upgrades-local (the APT::Periodic values are probably "0" by default):
    // Do "apt-get update" automatically every n-days (0=disable)
    // APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "1";
    Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
    };
    // Only Ubuntu 20.04/unattended-upgrades 2.3 or higher
    Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
    Unattended-Upgrade::Remove-Unused-Dependencies "true";
    Unattended-Upgrade::Automatic-Reboot "true";
    // If /var/run/reboot-required exists, a reboot is scheduled.
    // Unattended-Upgrade::Automatic-Reboot-Time "02:00";
- The Automatic-Reboot-Time setting depends on the node. With Automatic-Reboot "true" and no Automatic-Reboot-Time, the host reboots as soon as the upgrade run finishes. For an ACTIVE/STANDBY pair, either disable automatic reboot on one side or stagger the Unattended-Upgrade::Automatic-Reboot-Time "02:00"; values so that both nodes do not go down at the same time.
- If you have added repositories, adding their Origin and Suite to Allowed-Origins usually makes them work.
- For Docker the output below is obtained, so "Docker:${distro_codename}"; is the line to write:
    $ grep -e Origin -e Suite /var/lib/apt/lists/download.docker.com_linux_ubuntu_dists_bionic_*
    /var/lib/apt/lists/download.docker.com_linux_ubuntu_dists_bionic_InRelease:Origin: Docker
    /var/lib/apt/lists/download.docker.com_linux_ubuntu_dists_bionic_InRelease:Suite: bionic
After configuring, run sudo unattended-upgrade -d to confirm it behaves as intended; add --dry-run to test without changing anything.
For example, in the case below the added Docker repository has not been put into Unattended-Upgrade::Allowed-Origins, so the output says the packages could be upgraded but are not candidates for automatic upgrade.
$ sudo unattended-upgrade -d --dry-run
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESMApps,a=bionic-apps-security, o=UbuntuESM,a=bionic-infra-security, o=Ubuntu,a=bionic-updates
Using (^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linux-image-extra-[0-9]+\.[0-9\.]+-.*|^linux-modules-[0-9]+\.[0-9\.]+-.*|^linux-modules-extra-[0-9]+\.[0-9\.]+-.*|^linux-signed-image-[0-9]+\.[0-9\.]+-.*|^linux-image-unsigned-[0-9]+\.[0-9\.]+-.*|^kfreebsd-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-headers-[0-9]+\.[0-9\.]+-.*|^gnumach-image-[0-9]+\.[0-9\.]+-.*|^.*-modules-[0-9]+\.[0-9\.]+-.*|^.*-kernel-[0-9]+\.[0-9\.]+-.*|^linux-backports-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-tools-[0-9]+\.[0-9\.]+-.*|^linux-cloud-tools-[0-9]+\.[0-9\.]+-.*|^linux-buildinfo-[0-9]+\.[0-9\.]+-.*|^linux-source-[0-9]+\.[0-9\.]+-.*|^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linux-image-extra-[0-9]+\.[0-9\.]+-.*|^linux-modules-[0-9]+\.[0-9\.]+-.*|^linux-modules-extra-[0-9]+\.[0-9\.]+-.*|^linux-signed-image-[0-9]+\.[0-9\.]+-.*|^linux-image-unsigned-[0-9]+\.[0-9\.]+-.*|^kfreebsd-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-headers-[0-9]+\.[0-9\.]+-.*|^gnumach-image-[0-9]+\.[0-9\.]+-.*|^.*-modules-[0-9]+\.[0-9\.]+-.*|^.*-kernel-[0-9]+\.[0-9\.]+-.*|^linux-backports-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-tools-[0-9]+\.[0-9\.]+-.*|^linux-cloud-tools-[0-9]+\.[0-9\.]+-.*|^linux-buildinfo-[0-9]+\.[0-9\.]+-.*|^linux-source-[0-9]+\.[0-9\.]+-.*) regexp to find kernel packages
Using (^linux-image-4\.15\.0\-180\-generic$|^linux-headers-4\.15\.0\-180\-generic$|^linux-image-extra-4\.15\.0\-180\-generic$|^linux-modules-4\.15\.0\-180\-generic$|^linux-modules-extra-4\.15\.0\-180\-generic$|^linux-signed-image-4\.15\.0\-180\-generic$|^linux-image-unsigned-4\.15\.0\-180\-generic$|^kfreebsd-image-4\.15\.0\-180\-generic$|^kfreebsd-headers-4\.15\.0\-180\-generic$|^gnumach-image-4\.15\.0\-180\-generic$|^.*-modules-4\.15\.0\-180\-generic$|^.*-kernel-4\.15\.0\-180\-generic$|^linux-backports-modules-.*-4\.15\.0\-180\-generic$|^linux-modules-.*-4\.15\.0\-180\-generic$|^linux-tools-4\.15\.0\-180\-generic$|^linux-cloud-tools-4\.15\.0\-180\-generic$|^linux-buildinfo-4\.15\.0\-180\-generic$|^linux-source-4\.15\.0\-180\-generic$|^linux-image-4\.15\.0\-180\-generic$|^linux-headers-4\.15\.0\-180\-generic$|^linux-image-extra-4\.15\.0\-180\-generic$|^linux-modules-4\.15\.0\-180\-generic$|^linux-modules-extra-4\.15\.0\-180\-generic$|^linux-signed-image-4\.15\.0\-180\-generic$|^linux-image-unsigned-4\.15\.0\-180\-generic$|^kfreebsd-image-4\.15\.0\-180\-generic$|^kfreebsd-headers-4\.15\.0\-180\-generic$|^gnumach-image-4\.15\.0\-180\-generic$|^.*-modules-4\.15\.0\-180\-generic$|^.*-kernel-4\.15\.0\-180\-generic$|^linux-backports-modules-.*-4\.15\.0\-180\-generic$|^linux-modules-.*-4\.15\.0\-180\-generic$|^linux-tools-4\.15\.0\-180\-generic$|^linux-cloud-tools-4\.15\.0\-180\-generic$|^linux-buildinfo-4\.15\.0\-180\-generic$|^linux-source-4\.15\.0\-180\-generic$) regexp to find running kernel packages
Checking: containerd.io ([<Origin component:'stable' archive:'bionic' origin:'Docker' label:'Docker CE' site:'download.docker.com' isTrusted:True>])
Checking: docker-ce ([<Origin component:'stable' archive:'bionic' origin:'Docker' label:'Docker CE' site:'download.docker.com' isTrusted:True>])
Checking: docker-ce-cli ([<Origin component:'stable' archive:'bionic' origin:'Docker' label:'Docker CE' site:'download.docker.com' isTrusted:True>])
Checking: docker-ce-rootless-extras ([<Origin component:'stable' archive:'bionic' origin:'Docker' label:'Docker CE' site:'download.docker.com' isTrusted:True>])
Checking: docker-scan-plugin ([<Origin component:'stable' archive:'bionic' origin:'Docker' label:'Docker CE' site:'download.docker.com' isTrusted:True>])
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals
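The "Allowed origins are:" line in that debug output is how unattended-upgrades normalises every Allowed-Origins entry: the `origin:archive` shorthand becomes `o=origin,a=archive`, and an entry can also be written directly as comma-separated `key=value` pairs. The script below, an added example that is not code from the page or from the unattended-upgrades project, reproduces that matching against the Origin/Suite/Label/Codename headers of InRelease files so you can see which configured repositories will actually be updated before touching the config. The InRelease headers are constructed samples modelled on the grep output above; `site=` and component (`c=`) keys are not handled.

```python
"""Which apt repositories will unattended-upgrades actually touch?

Added example (not from the page or unattended-upgrades). Reproduces the
Allowed-Origins matching reported by `unattended-upgrade -d`.
"""
from pathlib import Path

# Constructed samples of the headers carried by /var/lib/apt/lists/*InRelease.
SAMPLE_RELEASES = {
    "archive.ubuntu.com_ubuntu_dists_bionic_InRelease":
        "Origin: Ubuntu\nLabel: Ubuntu\nSuite: bionic\nCodename: bionic\n",
    "security.ubuntu.com_ubuntu_dists_bionic-security_InRelease":
        "Origin: Ubuntu\nLabel: Ubuntu\nSuite: bionic-security\nCodename: bionic\n",
    "esm.ubuntu.com_infra_ubuntu_dists_bionic-infra-security_InRelease":
        "Origin: UbuntuESM\nLabel: UbuntuESM\nSuite: bionic-infra-security\nCodename: bionic\n",
    "download.docker.com_linux_ubuntu_dists_bionic_InRelease":
        "Origin: Docker\nLabel: Docker CE\nSuite: bionic\nCodename: bionic\n",
}

# The Allowed-Origins list from the 52unattended-upgrades-local fragment above.
DEFAULT_ALLOWED = [
    "${distro_id}:${distro_codename}",
    "${distro_id}:${distro_codename}-security",
    "${distro_id}ESMApps:${distro_codename}-apps-security",
    "${distro_id}ESM:${distro_codename}-infra-security",
    "${distro_id}:${distro_codename}-updates",
]

# short keys of the o=...,a=... form -> InRelease header names
KEY_TO_HEADER = {"o": "Origin", "a": "Suite", "l": "Label", "n": "Codename"}


def parse_release(text: str) -> dict:
    """Parse the 'Key: value' header lines of an InRelease file."""
    headers = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key and not key[0].isspace():
            headers[key.strip()] = value.strip()
    return headers


def expand_pattern(pattern: str, distro_id: str, codename: str) -> dict:
    """Expand ${distro_id}/${distro_codename}; return header -> required value."""
    pattern = pattern.replace("${distro_id}", distro_id).replace("${distro_codename}", codename)
    if "=" in pattern:  # explicit key=value form
        pairs = (p.split("=", 1) for p in pattern.split(","))
        return {KEY_TO_HEADER.get(k.strip(), k.strip()): v.strip() for k, v in pairs}
    origin, _, archive = pattern.partition(":")  # "origin:archive" shorthand
    return {"Origin": origin, "Suite": archive}


def pattern_matches(expanded: dict, headers: dict) -> bool:
    return all(headers.get(h) == v for h, v in expanded.items())


def allowed_repositories(releases: dict, allowed, distro_id="Ubuntu", codename="bionic") -> dict:
    """Release file name -> True if some Allowed-Origins entry matches it."""
    expanded = [expand_pattern(p, distro_id, codename) for p in allowed]
    return {name: any(pattern_matches(e, parse_release(text)) for e in expanded)
            for name, text in releases.items()}


def canonical(allowed, distro_id="Ubuntu", codename="bionic") -> str:
    """Render the list the way `unattended-upgrade -d` prints 'Allowed origins are:'."""
    inverse = {v: k for k, v in KEY_TO_HEADER.items()}
    parts = []
    for p in allowed:
        e = expand_pattern(p, distro_id, codename)
        parts.append(",".join(f"{inverse.get(h, h)}={v}" for h, v in e.items()))
    return ", ".join(parts)


def load_release_files(lists_dir: str = "/var/lib/apt/lists") -> dict:
    """Read the real InRelease/Release files of a host (not used by the tests)."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(lists_dir).glob("*Release")}


if __name__ == "__main__":
    print("Allowed origins are:", canonical(DEFAULT_ALLOWED))
    for name, ok in allowed_repositories(SAMPLE_RELEASES, DEFAULT_ALLOWED).items():
        print(("auto-upgraded " if ok else "NOT covered   ") + name)
```

With the default list the Docker repository is reported as not covered, matching the dry-run output above; appending `"Docker:${distro_codename}"` (or the equivalent `o=Docker,a=bionic`) makes it match. Point `load_release_files()` at a real host instead of `SAMPLE_RELEASES` to audit the actual configuration.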
Confirm that the timers apt-daily.timer and apt-daily-upgrade.timer are present, and you are done.
$ systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2022-05-24 17:33:46 JST 5h 41min left Tue 2022-05-24 11:23:36 JST 28min ago ua-timer.timer ua-timer.service
Tue 2022-05-24 19:01:34 JST 7h left Tue 2022-05-24 07:06:57 JST 4h 45min ago apt-daily.timer apt-daily.service
Tue 2022-05-24 20:44:34 JST 8h left Tue 2022-05-24 09:55:25 JST 1h 56min ago motd-news.timer motd-news.service
Wed 2022-05-25 06:13:20 JST 18h left Tue 2022-05-24 06:23:57 JST 5h 28min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Wed 2022-05-25 10:10:26 JST 22h left Tue 2022-05-24 10:10:26 JST 1h 41min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2022-05-30 00:00:00 JST 5 days left Mon 2022-05-23 00:00:19 JST 1 day 11h ago fstrim.timer fstrim.service
6 timers listed.
Pass --all to see loaded but inactive timers, too.
Configuration references¶
Troubleshooting¶
- unattended-upgrades do not work properly
- unattended-upgrades does not fetch updates unless I run apt-get update
Container¶
- lxc
- lxd
Docker¶
- container security analysis
- Aqua Security's MicroScanner https://github.com/aquasecurity/microscanner
Installation¶
It is convenient for a regular user to be able to run the docker command, so this is always done as a set. (Not really a good idea: a member of the docker group can start a container that mounts the host filesystem as root, so membership is equivalent to root on the host.) The engine package in the Ubuntu archive is docker.io; the package named just docker is something else.
    sudo apt update
    sudo apt upgrade -y
    sudo apt install -y docker.io docker-compose
    sudo usermod -a -G docker $USER
    sudo reboot
The reboot is only there to pick up the new group membership; logging out and back in is enough.
Frequently used images¶
- Redmine https://hub.docker.com/_/redmine/
- MariaDB https://hub.docker.com/_/mariadb/
Notes¶
On Ubuntu 18.04 docker build sometimes aborts with this error: https://github.com/docker/docker-credential-helpers/issues/103
    $ sudo docker build .
    double free or corruption (out)
    SIGABRT: abort
    PC=0x7f0d7bcc7e97 m=0 sigcode=18446744073709551610
    signal arrived during cgo execution
This fixes it for the time being:
    $ sudo apt update && sudo apt install -y gnupg2 pass gpg
edac-utils¶
A tool for reading the error counters of ECC memory.
    $ sudo apt install edac-utils
    $ edac-util -rfull
    mc0:noinfo:all:UE:0
    mc0:noinfo:all:CE:0
Without the tool you can cat the files under /sys/devices/system/edac/mc: ce_count and ue_count per memory controller (mc0, mc1, ...), and dimm_ce_count/dimm_ue_count per DIMM where the driver provides them. If the mc directory does not exist at all, the kernel has not registered an EDAC memory controller, i.e. ECC is not active or the driver is missing. A rising CE count means the module is correcting errors and should be watched; any UE means data was lost.
See: How do I get notified of ECC errors in Linux?
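A small monitor built on those sysfs files, as an added example that is not code from the original page or from edac-utils: it reads the per-controller and per-DIMM counters and classifies the result as OK, WARN (corrected errors) or CRIT (uncorrected errors, or no EDAC controller registered at all). The sysfs root is a parameter so the function can be pointed at a constructed tree; the warning threshold is an assumption.

```python
"""Read EDAC error counters from sysfs and classify the result.

Added example (not from the page or edac-utils). Paths read are the ones the
kernel EDAC core exposes: mcN/{ce_count,ue_count} and, where available,
mcN/dimmM/{dimm_label,dimm_ce_count,dimm_ue_count}.
"""
import tempfile
from pathlib import Path
from typing import Optional

EDAC_ROOT = "/sys/devices/system/edac/mc"
CE_WARN = 1  # assumption: any corrected error is worth a warning


def _read_int(path: Path) -> Optional[int]:
    try:
        return int(path.read_text().strip())
    except (FileNotFoundError, ValueError):
        return None


def read_edac(root: str = EDAC_ROOT) -> dict:
    """Return {mc: {"ce": n, "ue": n, "dimms": {label: {"ce": n, "ue": n}}}}.
    An empty dict means no EDAC memory controller is registered."""
    result = {}
    for mc in sorted(Path(root).glob("mc[0-9]*")):
        entry = {"ce": _read_int(mc / "ce_count") or 0,
                 "ue": _read_int(mc / "ue_count") or 0, "dimms": {}}
        for dimm in sorted(mc.glob("dimm[0-9]*")):
            label_file = dimm / "dimm_label"
            label = label_file.read_text().strip() if label_file.exists() else dimm.name
            entry["dimms"][label] = {"ce": _read_int(dimm / "dimm_ce_count") or 0,
                                     "ue": _read_int(dimm / "dimm_ue_count") or 0}
        result[mc.name] = entry
    return result


def classify(counters: dict):
    """'OK', 'WARN' (corrected errors) or 'CRIT' (uncorrected errors / no EDAC)."""
    if not counters:
        return "CRIT", ["no EDAC memory controller in sysfs: ECC not active or driver missing"]
    level, notes = "OK", []
    for mc, entry in counters.items():
        if entry["ue"]:
            level = "CRIT"
            notes.append(f"{mc}: {entry['ue']} uncorrected errors")
        elif entry["ce"] >= CE_WARN:
            if level == "OK":
                level = "WARN"
            notes.append(f"{mc}: {entry['ce']} corrected errors")
        for label, d in entry["dimms"].items():
            if d["ce"] or d["ue"]:
                notes.append(f"{mc}/{label}: CE={d['ce']} UE={d['ue']}")
    return level, notes


def write_sample_tree(base: str) -> str:
    """Create a constructed sysfs-like tree with 3 corrected errors on one DIMM
    (test data, not from real hardware)."""
    mc = Path(base) / "mc0"
    (mc / "dimm0").mkdir(parents=True, exist_ok=True)
    (mc / "ce_count").write_text("3\n")
    (mc / "ue_count").write_text("0\n")
    (mc / "dimm0" / "dimm_label").write_text("CPU_SrcID#0_Ha#0_Chan#0_DIMM#0\n")
    (mc / "dimm0" / "dimm_ce_count").write_text("3\n")
    (mc / "dimm0" / "dimm_ue_count").write_text("0\n")
    return base


def sample_counters() -> dict:
    """Counters read back from a fresh constructed tree."""
    return read_edac(write_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    level, notes = classify(read_edac())
    print(level, *notes, sep="\n")
```

Run from cron or a systemd timer and forward anything other than OK; the dimm_label (when the platform driver fills it in) tells you which slot to pull.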
Checking whether ECC memory is recognized¶
sudo dmidecode --type memory shows Error Correction Type: Single-bit ECC.
Comparing Total Width: 72 bits with Data Width: 64 bits shows the 8 bits of error-correcting code added to the 64-bit data bus of the DIMM.
dmidecode only reports what the firmware put into the SMBIOS tables: 72-bit modules prove that ECC-capable DIMMs are fitted, while the memory array's Error Correction Type and the presence of /sys/devices/system/edac/mc/mc0 show that ECC is actually enabled and the kernel is seeing it.
ECC case:
# dmidecode --type memory
# dmidecode 3.3
Getting SMBIOS data from sysfs.
SMBIOS 3.0.0 present.
Handle 0x0029, DMI type 16, 23 bytes
Physical Memory Array
Location: System Board Or Motherboard
Use: System Memory
Error Correction Type: Single-bit ECC
Maximum Capacity: 64 GB
Error Information Handle: Not Provided
Number Of Devices: 4
Handle 0x002A, DMI type 17, 40 bytes
Memory Device
Array Handle: 0x0029
Error Information Handle: Not Provided
Total Width: 72 bits
Data Width: 64 bits
Size: 16 GB
Form Factor: DIMM
Set: None
Locator: DIMM CHA3
Bank Locator: BANK 0
Type: DDR4
Type Detail: Synchronous
Speed: 2133 MT/s
Manufacturer: Samsung
Serial Number: 332480F6
Asset Tag: 1632
Part Number: M391A2K43BB1-CPB
Rank: 2
Configured Memory Speed: 2133 MT/s
Minimum Voltage: Unknown
Maximum Voltage: Unknown
Configured Voltage: 1.2 V
Handle 0x002B, DMI type 17, 40 bytes
Memory Device
Array Handle: 0x0029
Error Information Handle: Not Provided
Total Width: 72 bits
Data Width: 64 bits
Size: 16 GB
Form Factor: DIMM
Set: None
Locator: DIMM CHA1
Bank Locator: BANK 1
Type: DDR4
Type Detail: Synchronous
Speed: 2133 MT/s
Manufacturer: Samsung
Serial Number: 332479AB
Asset Tag: 1632
Part Number: M391A2K43BB1-CPB
Rank: 2
Configured Memory Speed: 2133 MT/s
Minimum Voltage: Unknown
Maximum Voltage: Unknown
Configured Voltage: 1.2 V
Handle 0x002C, DMI type 17, 40 bytes
Memory Device
Array Handle: 0x0029
Error Information Handle: Not Provided
Total Width: 72 bits
Data Width: 64 bits
Size: 16 GB
Form Factor: DIMM
Set: None
Locator: DIMM CHB4
Bank Locator: BANK 2
Type: DDR4
Type Detail: Synchronous
Speed: 2133 MT/s
Manufacturer: Samsung
Serial Number: 332478B4
Asset Tag: 1632
Part Number: M391A2K43BB1-CPB
Rank: 2
Configured Memory Speed: 2133 MT/s
Minimum Voltage: Unknown
Maximum Voltage: Unknown
Configured Voltage: 1.2 V
Handle 0x002D, DMI type 17, 40 bytes
Memory Device
Array Handle: 0x0029
Error Information Handle: Not Provided
Total Width: 72 bits
Data Width: 64 bits
Size: 16 GB
Form Factor: DIMM
Set: None
Locator: DIMM CHB2
Bank Locator: BANK 3
Type: DDR4
Type Detail: Synchronous
Speed: 2133 MT/s
Manufacturer: Samsung
Serial Number: 332476CF
Asset Tag: 1632
Part Number: M391A2K43BB1-CPB
Rank: 2
Configured Memory Speed: 2133 MT/s
Minimum Voltage: Unknown
Maximum Voltage: Unknown
Configured Voltage: 1.2 V
Non-ECC case:
$ sudo dmidecode --type memory
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 3.0.0 present.
Handle 0x0009, DMI type 16, 23 bytes
Physical Memory Array
Location: System Board Or Motherboard
Use: System Memory
Error Correction Type: None
Maximum Capacity: 32 GB
Error Information Handle: Not Provided
Number Of Devices: 2
Handle 0x000A, DMI type 17, 40 bytes
Memory Device
Array Handle: 0x0009
Error Information Handle: Not Provided
Total Width: 64 bits
Data Width: 64 bits
Size: 4096 MB
Form Factor: DIMM
Set: None
Locator: DIMM1
Bank Locator: Not Specified
Type: DDR4
Type Detail: Synchronous Unbuffered (Unregistered)
Speed: 2400 MT/s
Manufacturer: 80CE000080CE
Serial Number: 24880502
Asset Tag: 03185100
Part Number: M378A5244CB0-CRC
Rank: 1
Configured Memory Speed: 2133 MT/s
Minimum Voltage: Unknown
Maximum Voltage: Unknown
Configured Voltage: 1.2 V
Handle 0x000B, DMI type 17, 40 bytes
Memory Device
Array Handle: 0x0009
Error Information Handle: Not Provided
Total Width: Unknown
Data Width: Unknown
Size: No Module Installed
Form Factor: Unknown
Set: None
Locator: DIMM2
Bank Locator: Not Specified
Type: Unknown
Type Detail: None
Speed: Unknown
Manufacturer: Not Specified
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified
Rank: Unknown
Configured Memory Speed: Unknown
Minimum Voltage: Unknown
Maximum Voltage: Unknown
Configured Voltage: Unknown
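A parser for that dmidecode output, as an added example that is not code from the original page or from dmidecode: it splits the dump into "Handle" records, takes Error Correction Type from the Physical Memory Array (DMI type 16) and Total Width / Data Width from each Memory Device (DMI type 17), and calls a module ECC-capable when its total width is 8 bits wider than its data width. The two samples are constructed abbreviations of the dumps above.

```python
"""Parse `dmidecode --type memory` and report ECC capability per DIMM.

Added example (not from the page or dmidecode). Walks "Handle" records,
reads type 16 (Physical Memory Array) and type 17 (Memory Device).
"""
import re
import subprocess

# Constructed abbreviations of the two dumps above (real dmidecode uses tabs).
SAMPLE_ECC = """\
# dmidecode 3.3
SMBIOS 3.0.0 present.

Handle 0x0029, DMI type 16, 23 bytes
Physical Memory Array
\tError Correction Type: Single-bit ECC
\tMaximum Capacity: 64 GB
\tNumber Of Devices: 4

Handle 0x002A, DMI type 17, 40 bytes
Memory Device
\tArray Handle: 0x0029
\tTotal Width: 72 bits
\tData Width: 64 bits
\tSize: 16 GB
\tLocator: DIMM CHA3
\tPart Number: M391A2K43BB1-CPB

Handle 0x002B, DMI type 17, 40 bytes
Memory Device
\tArray Handle: 0x0029
\tTotal Width: 72 bits
\tData Width: 64 bits
\tSize: 16 GB
\tLocator: DIMM CHA1
\tPart Number: M391A2K43BB1-CPB
"""

SAMPLE_NON_ECC = """\
Handle 0x0009, DMI type 16, 23 bytes
Physical Memory Array
\tError Correction Type: None
\tNumber Of Devices: 2

Handle 0x000A, DMI type 17, 40 bytes
Memory Device
\tArray Handle: 0x0009
\tTotal Width: 64 bits
\tData Width: 64 bits
\tSize: 4096 MB
\tLocator: DIMM1
\tPart Number: M378A5244CB0-CRC

Handle 0x000B, DMI type 17, 40 bytes
Memory Device
\tArray Handle: 0x0009
\tTotal Width: Unknown
\tData Width: Unknown
\tSize: No Module Installed
\tLocator: DIMM2
"""

RECORD_RE = re.compile(r"^Handle (0x[0-9A-Fa-f]+), DMI type (\d+), \d+ bytes$")
WIDTH_RE = re.compile(r"^(\d+) bits$")


def parse_dmidecode(text: str) -> list:
    """Split the dump into records: {"handle", "type", "name", "fields"}."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = {"handle": m.group(1), "type": int(m.group(2)), "name": "", "fields": {}}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue
        if not line[0].isspace():  # line right after the header names the structure
            current["name"] = line.strip()
            continue
        key, sep, value = line.strip().partition(":")
        if sep:  # deeper-indented list items without ':' are skipped
            current["fields"][key.strip()] = value.strip()
    return records


def _bits(value):
    m = WIDTH_RE.match(value or "")
    return int(m.group(1)) if m else None


def ecc_report(text: str) -> dict:
    """Array-level correction type plus a verdict per DIMM slot."""
    records = parse_dmidecode(text)
    arrays = {r["handle"]: r["fields"].get("Error Correction Type", "Unknown")
              for r in records if r["type"] == 16}
    dimms = []
    for r in (r for r in records if r["type"] == 17):
        f = r["fields"]
        total, data = _bits(f.get("Total Width")), _bits(f.get("Data Width"))
        if f.get("Size") == "No Module Installed" or total is None or data is None:
            verdict = "empty"
        else:
            verdict = "ecc" if total - data >= 8 else "non-ecc"
        dimms.append({"locator": f.get("Locator"), "part": f.get("Part Number"),
                      "total_width": total, "data_width": data, "verdict": verdict,
                      "array_correction": arrays.get(f.get("Array Handle"), "Unknown")})
    return {"arrays": arrays, "dimms": dimms}


if __name__ == "__main__":  # on a real host (needs root for SMBIOS access)
    out = subprocess.run(["dmidecode", "--type", "memory"], capture_output=True, text=True).stdout
    for d in ecc_report(out)["dimms"]:
        print(f"{d['locator']}: {d['verdict']} ({d['total_width']}/{d['data_width']} bits, array: {d['array_correction']})")
```

A slot whose DIMM is 72 bits wide but whose array reports Error Correction Type: None is the case worth catching: ECC modules fitted to a board or firmware setting that does not use them.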