Finishing up
System cleanup
To avoid unnecessary trouble as far as possible, first delete a few unneeded files and save the random-number seeds, then reboot and use the temporary toolchain to strip the binaries.
cd / && ln -sf /proc/mounts /etc/mtab &&
rm /bin/tmpinit /etc/{ld.so.cache,profile} ~/.bash* /tmp/* /usr{,/share}/{doc,info,man} &&
cp /www/bin/{bash,mount} / &&
echo 'kernel (hd0,0)/bzImage root=0802 rootfstype=xfs rw init=/bash panic=30' > /boot/menu.lst &&
dd if=/dev/urandom of=/var/random-seed bs=8k count=1 &&
dd if=/dev/urandom of=/var/urandom-seed bs=8k count=1 &&
sync && umount -l /dev/sda{9,8,7,6,5,1} &&
# This command usually does not succeed; you can simply wait 30 seconds (panic=30) and let the kernel reboot automatically.
shutdown -r -q now
Once the reboot has completed, the strip operation can be done with the commands below. [Tip] The lo interface is set up so that, after the PostgreSQL database has been initialised, the database service can be started with an INET socket; otherwise the encryption module (pgcrypto) cannot be installed. The eth0 interface is set up to make SSH access convenient.
cd / && export PATH=/bin:/usr/bin HISTFILESIZE=0 &&
/mount -t proc proc /proc && /mount -t tmpfs shm /dev/shm && /mount -t devpts devpts /dev/pts &&
/mount -t ext2 /dev/sda1 /boot && /mount -t xfs /dev/sda5 /usr && /mount -t xfs /dev/sda6 /root &&
/mount -t xfs /dev/sda7 /var && /mount -t xfs /dev/sda8 /www && /mount -t xfs /dev/sda9 /data &&
/www/bin/mkdir -p -m 1777 /dev/shm/{tmp,run,pg_socket,php_session} &&
( /www/bin/strip --strip-all {,/root/*}/{,usr/}bin/* {,/root/*}/usr/libexec/{*,*/*,*/*/*,*/*/*/*,*/*/*/*/*} ;
  /www/bin/strip --strip-debug {,/root/*}/{,usr}/lib/{*,*/*,*/*/*,*/*/*/*,*/*/*/*/*} ;
  rm -f /{bash,mount} /root/.bash* ) &&
sync &&
ip -4 link set lo txqueuelen 0 && ip -4 link set eth0 txqueuelen 4000 &&
ip -4 link set lo mtu 16436 && ip -4 link set eth0 mtu 1500 &&
ip -4 addr add 127.0.0.1/8 scope host dev lo valid_lft forever preferred_lft forever &&
ip -4 addr add 192.168.10.33/24 broadcast 192.168.10.255 scope global dev eth0 valid_lft forever preferred_lft forever &&
ip -4 link set lo up && ip -4 link set eth0 up &&
ip -4 route add unicast default via 192.168.10.250 dev eth0 &&
Create the site directories and install phpPgAdmin and APC-monitor
umount /www && mkfs.xfs -f -q /dev/sda8 && mount -t xfs /dev/sda8 /www &&
mkdir -p /www/{oklaoshi/{htdocs,secret,www},phppgadmin,upload} &&
tar -xf /data/phpPgAdmin-4.2.tar.bz2 -C /data && tar -xf /data/APC-3.0.16.tgz -C /data &&
mv /data/phpPgAdmin/* /www/phppgadmin/ && mv /data/APC-3.0.16/apc.php /www/phppgadmin/ &&
mv /data/config.inc.php /www/phppgadmin/conf/ &&
chown -R httpd: /www && chmod -R 1500 /www && find /www ! -type d ! -type l | xargs chmod 1400 &&
chmod 1700 /www/upload && sync && umount /www &&
Initialise the PostgreSQL database cluster
[Tip] The database superuser name is pgsql and its password is 123.
umount /data && mkfs.xfs -f -q /dev/sda9 && mount -t xfs /dev/sda9 /data &&
chown pgsql: /data && chmod 1700 /data &&
su -c'echo 123 > /dev/shm/pass.txt && initdb -Atrust -D/data -EUTF-8 --locale=C -Upgsql --pwfile=/dev/shm/pass.txt && pg_ctl start -w -D/data -p/bin/postgres && psql -d template1 -f /usr/share/postgresql/contrib/pgcrypto.sql -Upgsql -1 && pg_ctl stop -D/data -msmart' -s/bin/bash pgsql &&
chown -R pgsql: /data && chmod -R og=- /data &&
rm -f /data/*.{conf,opts} /dev/shm/pass.txt && sync && umount /data &&
Configure Bash
When a login (interactive) shell starts, it executes /etc/profile and ~/.bash_profile (the latter overrides the former); environment variables are usually defined there.
When a non-login (non-interactive) shell starts, it executes /etc/bashrc and ~/.bashrc (the latter overrides the former); aliases and functions are usually defined there.
By convention, profile is also expected to execute the contents of bashrc.
When the shell exits, it executes /etc/bash_logout and ~/.bash_logout.
umount /root &&
echo 'umask 077
export HISTFILESIZE=0 PATH=/bin:/usr/bin PS1="[\\u:\\w]"
export INPUTRC=/etc/inputrc TZ=UTC LC_ALL=zh_CN.UTF-8
. /etc/bashrc' > /etc/profile &&
echo "alias make='make -j1' mkdir='mkdir -p' patch='patch -p1 -i' mv='mv -f' cp='cp -af' rm='rm -fr' ls='ls -AFh' mount='mount -n' umount='umount -n'" > /etc/bashrc &&
echo 'umount -nl /usr' > /etc/bash_logout &&
echo 'mount -n -t xfs -o async,noatime,nodiratime,nodev,nosuid,ro /dev/sda5 /usr' > /root/musr &&
chmod 1000 /root/musr && chown 0:0 /root/musr &&
Configure Grub4dos
For security, the boot menu is protected with an MD5 password (here "123"). The password string can be generated with the host system's grub-md5-crypt program. [Tip] Because simpleinit creates the /dev/initctl FIFO before it runs 'bootprog', the root filesystem must first be mounted "rw" and then remounted "ro" from within the startup script.
echo 'timeout 5
default=0
password --md5 $1$A6dtK$96kvTFeAhOiK524zH2U260
title miniLAPP
kernel (hd0,0)/bzImage root=0802 rootfstype=xfs rw panic=30 init=/bin/simpleinit
title miniLAPP (single mode)
lock
kernel (hd0,0)/bzImage root=0802 rootfstype=xfs rw panic=30 init=/bin/simpleinit single' > /boot/menu.lst &&
Write the startup/shutdown script
The script below corresponds to the "multi-user with networking" runlevel. In general, startup has to do at least the following (roughly in this order):
1. Set the umask and environment variables.
2. Mount the kernel filesystems.
3. Load kernel modules.
4. Start the udev daemon.
5. Enable the swap partition.
6. Set the various kernel parameters (console log level, hostname, ctrl-alt-del, hardware clock, ...).
7. Check and mount the disk filesystems.
8. Clean leftover junk from the filesystems and create the necessary files and directories.
9. Restore the random-number seed saved at the previous shutdown.
10. Set the console attributes.
11. Bring up the network interfaces.
12. Enable the firewall.
13. Start the logging daemons.
14. Start the remaining daemons.
Shutdown is essentially the reverse of these steps.
[Tip] PostgreSQL's autovacuum depends on an INET socket and /etc/hosts, so the local loopback interface must be brought up.
echo '#!/bin/bash
umask 077
export PATH=/bin:/usr/bin
if [ "$1" = "start" ]; then
echo "Server Starting ..."
echo "Only root can login" > /etc/nologin
sync
mount -n -t xfs -o remount,noatime,nodiratime,nosuid,ro /dev/sda2 / && echo "remount / ok" || echo "remount / failed"
mount -n -t proc proc /proc && echo "mount /proc ok" || echo "mount /proc failed"
mount -n -t devpts -o uid=0,gid=0,mode=1000 devpts /dev/pts && echo "mount /dev/pts ok" || echo "mount /dev/pts failed"
mount -n -t tmpfs -o nodev,noexec,mode=1777,size=128m shm /dev/shm && echo "mount /dev/shm ok" || echo "mount /dev/shm failed"
echo "4 4 0 4" > /proc/sys/kernel/printk &&
echo miniLAPP > /proc/sys/kernel/hostname &&
echo 0 > /proc/sys/kernel/ctrl-alt-del &&
echo 1073741824 > /proc/sys/kernel/shmmax &&
echo 16777216 > /proc/sys/kernel/shmall &&
echo 1 > /proc/sys/net/ipv4/tcp_syncookies &&
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all &&
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects &&
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects &&
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter &&
echo "setting kernel ok" || echo "setting kernel failed"
# e2fsck -pf /dev/sda1 ; xfs_repair /dev/sda2
xfs_repair /dev/sda3 2>/dev/null && echo "/dev/sda3 check ok" || echo "/dev/sda3 check failed"
xfs_repair /dev/sda5 2>/dev/null && echo "/dev/sda5 check ok" || echo "/dev/sda5 check failed"
xfs_repair /dev/sda6 2>/dev/null && echo "/dev/sda6 check ok" || echo "/dev/sda6 check failed"
xfs_repair /dev/sda7 2>/dev/null && echo "/dev/sda7 check ok" || echo "/dev/sda7 check failed"
xfs_repair /dev/sda8 2>/dev/null && echo "/dev/sda8 check ok" || echo "/dev/sda8 check failed"
xfs_repair /dev/sda9 2>/dev/null && echo "/dev/sda9 check ok" || echo "/dev/sda9 check failed"
mount -n -t xfs -o async,noatime,nodiratime,nodev,nosuid,ro /dev/sda5 /usr 2>/dev/null && echo "mount /usr ok" || echo "mount /usr failed"
mount -n -t xfs -o async,noatime,nodiratime,nodev,noexec /dev/sda7 /var 2>/dev/null && echo "mount /var ok" || echo "mount /var failed"
mount -n -t xfs -o async,noatime,nodiratime,nodev,noexec /dev/sda8 /www 2>/dev/null && echo "mount /www ok" || echo "mount /www failed"
mount -n -t xfs -o async,noatime,nodiratime,nodev,noexec /dev/sda9 /data 2>/dev/null && echo "mount /data ok" || echo "mount /data failed"
rm -fr /www/upload/* && echo "clean /www/upload/ ok" || echo "clean /www/upload/ failed"
mkdir -p -m 1777 /dev/shm/{tmp,run} && echo "create /dev/shm/{tmp,run} ok" || echo "create /dev/shm/{tmp,run} failed"
mkdir -p -m 1770 /dev/shm/pg_socket && echo "create /dev/shm/pg_socket ok" || echo "create /dev/shm/pg_socket failed"
chown pgsql: /dev/shm/pg_socket && echo "chown /dev/shm/pg_socket ok" || echo "chown /dev/shm/pg_socket failed"
mkdir -p -m 1700 /dev/shm/php_session && echo "create /dev/shm/php_session ok" || echo "create /dev/shm/php_session failed"
chown httpd: /dev/shm/php_session && echo "chown /dev/shm/php_session ok" || echo "chown /dev/shm/php_session failed"
touch /var/run/utmp && echo "create /var/run/utmp ok" || echo "create /var/run/utmp failed"
dd if=/var/random-seed of=/dev/random 2>/dev/null && echo "restore /dev/random ok" || echo "restore /dev/random failed"
dd if=/var/urandom-seed of=/dev/urandom 2>/dev/null && echo "restore /dev/urandom ok" || echo "restore /dev/urandom failed"
ip -4 link set lo txqueuelen 0 && ip -4 link set eth0 txqueuelen 4000 &&
ip -4 link set lo mtu 16436 && ip -4 link set eth0 mtu 1500 &&
ip -4 addr add 127.0.0.1/8 scope host dev lo valid_lft forever preferred_lft forever &&
ip -4 addr add 192.168.10.33/24 broadcast 192.168.10.255 scope global dev eth0 valid_lft forever preferred_lft forever &&
ip -4 link set lo up && ip -4 link set eth0 up &&
ip -4 route add unicast default via 192.168.10.250 dev eth0 &&
echo "start Network Interface ok" || echo "start Network Interface failed"
#iptables here
/bin/klogd -f/var/log/kernel.log -x && echo "start klogd ok" || echo "start klogd failed"
/bin/syslogd -p/dev/shm/log && echo "start syslogd ok" || echo "start syslogd failed"
/bin/crond -c/etc/crontabs -s/share/empty 1>>/var/log/crond-stdout.log 2>>/var/log/crond-stderr.log && echo "start crond ok" || echo "start crond failed"
/bin/sshd -4 -e -u0 2>> /var/log/sshd.log && echo "start sshd ok" || echo "start sshd failed"
su -c"/bin/postgres -c config_file=/etc/postgresql/postgresql.conf" -s/usr/bin/bash pgsql && echo "start postgres ok" || echo "start postgres failed"
ENCRYPT_KEY=enc-key /bin/httpd -f/etc/apache/httpd.conf -k start && echo "start httpd ok" || echo "start httpd failed"
umount -n /usr && echo "umount /usr ok" || echo "umount /usr failed"
sync
fi
if [ "$1" = "stop" ]; then
mount -n -t xfs -o async,noatime,nodiratime,nodev,nosuid,ro /dev/sda5 /usr 2>/dev/null && echo "mount /usr ok" || echo "mount /usr failed"
kill -WINCH `cat /var/run/httpd.pid` && echo "stop httpd ok" || echo "stop httpd failed"
sync ; echo "waiting 10 sec for Apache to quit ..." ; sleep 10 ; sync
kill -TERM `cat /var/run/postgresql.pid` && echo "stop postgres ok" || echo "stop postgres failed"
sync ; echo "waiting 5 sec for PostgreSQL to quit ..." ; sleep 5 ; sync
kill -TERM `cat /var/run/sshd.pid` && echo "stop sshd ok" || echo "stop sshd failed"
killall /bin/crond && echo "stop crond ok" || echo "stop crond failed"
kill -TERM `cat /var/run/syslogd.pid` && echo "stop syslogd ok" || echo "stop syslogd failed"
kill -TERM `cat /var/run/klogd.pid` && echo "stop klogd ok" || echo "stop klogd failed"
sync ; echo "waiting 20 sec for Other Daemons to quit ..." ; sleep 20 ; sync
ps -ef | grep -P "/bin/(httpd|rotatelogs|postgres|sshd|sftp-server|crond|syslogd|klogd)" && ( echo "The above Daemons are still running, waiting 5 min for them to quit ..." ; killall /bin/{httpd,rotatelogs,postgres,sshd,sftp-server,crond,syslogd,klogd} ; sleep 300 ; sync )
ps -ef | grep -P "/bin/(httpd|rotatelogs|postgres|sshd|sftp-server|crond|syslogd|klogd)" && ( echo "The above Daemons will be killed immediately" ; killall -s KILL /bin/{httpd,rotatelogs,postgres,sshd,sftp-server,crond,syslogd,klogd} )
ip link set eth0 down && echo "stop eth0 ok" || echo "stop eth0 failed"
rm -fr /www/upload/* && echo "clean /www/upload/ ok" || echo "clean /www/upload/ failed"
dd if=/dev/urandom of=/var/random-seed bs=8k count=1 2>/dev/null && echo "store /dev/random ok" || echo "store /dev/random failed"
dd if=/dev/urandom of=/var/urandom-seed bs=8k count=1 2>/dev/null && echo "store /dev/urandom ok" || echo "store /dev/urandom failed"
sync
umount -nl /{www,data,var} && echo "umount /{www,data,var} ok" || echo "umount /{www,data,var} failed"
umount -nl /usr /dev/shm && echo "umount /usr /dev/shm ok" || echo "umount /usr /dev/shm failed"
fi
exit 0' > /etc/init.d/rc && chmod 1100 /etc/init.d/rc &&
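The rc script's start branch reports every hardening step with an "ok"/"failed" line but then carries on regardless, so a deviation (root still rw, a data partition mounted without noexec, a sysctl left at its default) is easy to overlook in the boot output. The POSIX sh audit below is an added example and not part of the original page: it re-checks the mount options and /proc/sys values the script sets, with the expected values copied from the script above, reading a /proc/mounts-format file and a /proc/sys-style directory given as parameters; make_snapshot and the two deviations it plants are constructed for the demo.

```shell
# Added example (not from the page): re-check after boot that the mount options and
# kernel settings the rc script's "start" branch applies really hold (the script only
# prints "... failed" and carries on). On the live host: audit_boot /proc/mounts /proc/sys
EXPECTED_MOUNTS='/ ro,nosuid
/usr ro,nodev,nosuid
/var nodev,noexec
/www nodev,noexec
/data nodev,noexec
/dev/shm nodev,noexec'
EXPECTED_SYSCTL='kernel/ctrl-alt-del 0
net/ipv4/tcp_syncookies 1
net/ipv4/icmp_echo_ignore_all 1
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/all/send_redirects 0
net/ipv4/conf/all/rp_filter 1'

# has_opt MOUNTS MOUNTPOINT OPTION: succeeds if MOUNTPOINT is listed with OPTION
has_opt() {
    awk -v mp="$2" -v opt="$3" '$2 == mp { n = split($4, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == opt) ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# audit_boot MOUNTS SYSROOT: prints one line per deviation and returns their count
audit_boot() {
    bad=0
    while read -r mp opts; do
        for opt in $(printf '%s' "$opts" | tr ',' ' '); do
            has_opt "$1" "$mp" "$opt" || { echo "mount $mp: missing $opt"; bad=$((bad + 1)); }
        done
    done <<EOF
$EXPECTED_MOUNTS
EOF
    while read -r key want; do
        got=$(cat "$2/$key" 2>/dev/null || echo '<missing>')
        [ "$got" = "$want" ] || { echo "sysctl $key: want $want, got $got"; bad=$((bad + 1)); }
    done <<EOF
$EXPECTED_SYSCTL
EOF
    return $bad
}

# make_snapshot DIR: constructed snapshot of a booted system with two planted deviations (/www lacks noexec, tcp_syncookies is 0)
make_snapshot() {
    mkdir -p "$1/sys/kernel" "$1/sys/net/ipv4/conf/all"
    printf '%s\n' '/dev/sda2 / xfs ro,nosuid,noatime 0 0' 'shm /dev/shm tmpfs rw,nodev,noexec 0 0' \
        '/dev/sda5 /usr xfs ro,nodev,nosuid 0 0' '/dev/sda7 /var xfs rw,nodev,noexec 0 0' \
        '/dev/sda8 /www xfs rw,nodev 0 0' '/dev/sda9 /data xfs rw,nodev,noexec 0 0' > "$1/mounts"
    echo 0 > "$1/sys/kernel/ctrl-alt-del"; echo 0 > "$1/sys/net/ipv4/tcp_syncookies"
    echo 1 > "$1/sys/net/ipv4/icmp_echo_ignore_all"; echo 1 > "$1/sys/net/ipv4/conf/all/rp_filter"
    for f in accept_redirects send_redirects; do echo 0 > "$1/sys/net/ipv4/conf/all/$f"; done
}
```

Running it against the constructed snapshot prints the two planted deviations and returns 2; against the live system the same call on /proc/mounts and /proc/sys returns 0 only when every option and setting from the rc script is in effect.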
Set file and directory permissions
First shut down:
sync && umount -l /dev/sda{7,5,1} && shutdown -h -q now
After powering on again, set the BIOS to boot from the LFS LiveCD, accepting all defaults. First run the disk checks, then set the permissions:
cd /
e2fsck -pf /dev/sda1 2>/dev/null && echo "/dev/sda1 check ok" || echo "/dev/sda1 check failed" &&
xfs_repair /dev/sda2 2>/dev/null && echo "/dev/sda2 check ok" || echo "/dev/sda2 check failed" &&
xfs_repair /dev/sda3 2>/dev/null && echo "/dev/sda3 check ok" || echo "/dev/sda3 check failed" &&
xfs_repair /dev/sda5 2>/dev/null && echo "/dev/sda5 check ok" || echo "/dev/sda5 check failed" &&
xfs_repair /dev/sda6 2>/dev/null && echo "/dev/sda6 check ok" || echo "/dev/sda6 check failed" &&
xfs_repair /dev/sda7 2>/dev/null && echo "/dev/sda7 check ok" || echo "/dev/sda7 check failed" &&
xfs_repair /dev/sda8 2>/dev/null && echo "/dev/sda8 check ok" || echo "/dev/sda8 check failed" &&
xfs_repair /dev/sda9 2>/dev/null && echo "/dev/sda9 check ok" || echo "/dev/sda9 check failed" &&
# Default Permission
mount /dev/sda2 /mnt && touch /mnt/etc/nologin && chown -R 0:0 /mnt && chmod -R 1555 /mnt && find /mnt ! -type d ! -type l | xargs chmod 1000 &&
mount /dev/sda1 /mnt/boot && mount /dev/sda5 /mnt/usr && mount /dev/sda6 /mnt/root && mount /dev/sda7 /mnt/var &&
chown -R 0:0 /mnt && chmod -R 1555 /mnt && find /mnt ! -type d ! -type l | xargs chmod 1000 &&
# /bin
chmod 1100 /mnt/bin/* && chmod 1555 /mnt/bin/{false,mktemp,sync} && chown 1002:1000 /mnt/bin/postgres && chmod 1500 /mnt/bin/postgres &&
# /boot
chmod -R 1000 /mnt/boot &&
# /data
chown 1002:1000 /mnt/data && chmod 1700 /mnt/data &&
# /dev
chmod 1100 /mnt/dev/pts && chmod 1777 /mnt/dev/shm && chmod 1666 /mnt/dev/{full,null} && chmod 1444 /mnt/dev/{random,rtc,urandom,zero} &&
# /etc
chmod 1100 /mnt/etc/{certs,crontabs,iproute2,private,ssh} && chown 1001:1000 /mnt/etc/apache/{,authn.md5} && chmod 1500 /mnt/etc/apache/ && chmod 1400 /mnt/etc/apache/authn.md5 &&
chmod -R 1100 /mnt/etc/init.d && chown -R 1002:1000 /mnt/etc/postgresql && chmod 1400 /mnt/etc/postgresql/* && chmod 1500 /mnt/etc/postgresql && chmod 1444 /mnt/etc/{hosts,localtime} &&
# /lib
chmod 1444 /mnt/lib/lib*.* && chmod 1111 /mnt/lib/ld-linux.so.2 && chmod 1100 /mnt/lib/apache && chown -R 1002:1000 /mnt/lib/postgresql && chmod 1400 /mnt/lib/postgresql/* && chmod 1500 /mnt/lib/postgresql &&
# /proc /root
chmod 1100 /mnt/{proc,root} && find /mnt/root -type d | xargs chmod 1100 &&
# /share
chmod 1000 /mnt/share/empty && chown -R 1002:1000 /mnt/share/postgresql && chmod -R 1500 /mnt/share/postgresql && chmod 1400 /mnt/share/postgresql/*/* &&
# /usr
find /mnt/usr -type d | xargs chmod 1100 && chmod -R 1100 /mnt/usr/{bin,libexec} && chmod 1555 /mnt/usr{,/bin,/bin/bash} &&
# /var
chmod 1100 /mnt/var/{locate,log/apache} && chown 1002:1000 /mnt/var/log/postgresql && chmod 1700 /mnt/var/log/postgresql && chown 1001:1000 /mnt/var/log/php_error.log && chmod 1200 /mnt/var/log/php_error.log &&
# /www
chown 1001:1000 /mnt/www && chmod 1500 /mnt/www &&
# umount
sync && umount /dev/sda{7,6,5,1,2} && echo "Permission finished"
All done!
At this point the MiniLAPP system is complete. You can now shut the computer down and remove the CD-ROM.
poweroff
After powering on again, set the BIOS to boot from the hard disk and run the final "smoke test". If nothing unexpected happens, everything should work. Specifically:
- Connecting with an SSH2 client (PuTTY, SecureCRT, SecureFX, ssh, sftp, ...) to 192.168.10.33:22 and logging in with the root account and password ("123") should succeed.
- After logging in, first run "source /root/musr" to mount /dev/sda5 on /usr; pstree should then show all the daemons running.
- With the SSH2 client's character set set to UTF-8, Chinese should work normally on the command line, for example creating and deleting files and directories with Chinese names.
- After adding the entry "192.168.10.33 dbadmin.oklaoshi.com" to /etc/hosts or C:\WINDOWS\system32\drivers\etc\hosts, phpPgAdmin should be reachable at http://dbadmin.oklaoshi.com (the HTTP authentication username and password are both "DB_Admin"), and it should then be possible to log in to the database as the "pgsql" user (password "123").
- /bin/reboot should reboot the system normally, and /bin/shutdown -q -h now should shut it down normally.