OpenPBS 查詢歷史紀錄

相關指令
qstat -x -u user

相關訊息 
qstat: PBS is not configured to maintain job history

設定指令
qmgr -c "s s job_history_enable=1"    #開啟
qmgr -c "s s job_history_enable=0"    #關閉  set server job_history_enable=0

Debian 12 安裝 OpenPBS(version = 23.06.06)

運算管理節點安裝必要套件
apt install expat libedit2 postgresql python3 postgresql-contrib sendmail-bin tcl tk libical3 postgresql-server-dev-all libhwloc-dev

編輯環境設定
sudo apt install -y gcc make libtool libhwloc-dev libx11-dev \
      libxt-dev libedit-dev libical-dev ncurses-dev perl \
      postgresql-server-dev-all postgresql-contrib python3-dev tcl-dev tk-dev swig \
      libexpat-dev libssl-dev libxext-dev libxft-dev autoconf \
      automake g++ libcjson-dev

sudo apt install -y git
git clone https://github.com/openpbs/openpbs.git
cd openpbs
sudo mkdir -p /opt/pbs

./autogen.sh
./configure -prefix=/opt/pbs
make

安裝設定
sudo make install
sudo /opt/pbs/libexec/pbs_postinstall

sudo chmod 4755 /opt/pbs/sbin/pbs_iff /opt/pbs/sbin/pbs_rcp

設定角色
編輯 /etc/pbs.conf
systemctl enable pbs
systemctl restart pbs

相關設定檔及指令
Qmgr: set server flatuid = True
Qmgr: set server query_other_jobs = True

pbsnodes -a
qmgr -c "print server"
qmgr -c "create node work01"
pbs_hostn -v servernode

echo 'sleep 60' | qsub

/etc/hosts
/etc/pbs.conf
/opt/pbs/etc/pbs.sh

參考
https://github.com/openpbs/openpbs/blob/master/INSTALL

R 套件 Pgirmess 安裝

Debian 11 相關套件
apt install  libudunits2-dev libgdal-dev libproj-dev 

pgirmess R 安裝指令如下
install.packages('sf', repos='https://cran.r-project.org/r')
install.packages('spdep', repos='https://cran.r-project.org/r')
install.packages('pgirmess', repos='https://cran.r-project.org/r')

注意 libproj-dev libgdal-dev 版本

samba-tool:WARNING: Using password on command line is insecure. Please install the setproctitle python module.

WARNING: Using password on command line is insecure. Please install the setproctitle python module.

mv /usr/lib/python3.11/EXTERNALLY-MANAGED /usr/lib/python3.11/EXTERNALLY-MANAGED.bk
pip install setproctitle --root-user-action=ignore

Python:WARNING: Running pip as the 'root' user

WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

pip install --root-user-action=ignore

email 通知硬碟狀況

#!/bin/bash
# 2024-04-23
# busybox sendmail
# https://busybox.net/downloads/binaries/1.35.0-x86_64-linux-musl/

mta="busybox sendmail "
S=email.server
f="from<user@email.loc>"
t="to<user@email.loc>"

ema(){ local t;t=${1##*\<};t=${t%%\>};echo $t; }
ips(){ ip a|grep "inet "|grep -v 127.0.0.1|awk '{print $2}'; }
hdds(){ lsblk -l |grep " disk "|awk '{print $1}'; }

s="$(date) <`ips` $(hostname)>"

cat <<EOF | ${mta} -f $(ema ${f}) -t "$(ema ${t})" -S ${S}
Subject: ${s}
CC:
To: ${t}
From: ${f}

$(date)
Disk Usage ====================================================
$(df -h 2>&1)

MD stat =======================================================
$(cat /proc/mdstat)

ZFS stat ======================================================
$(zpool status 2>&1)

HDD Smart stat ================================================
`for i in $(hdds);do echo /dev/${i} @@@@@@@@@;smartctl -H /dev/${i} 2>&1;done`

EOF

XRDP管理筆記

查詢xrdp 相關process
#!/bin/bash
for i in $(ps --no-header -o pid -C xrdp-sesman);do
ps -o ppid,pid,uid,user:16,cmd --ppid ${i}
done

相關指令
xrdp-sesadmin -u=root -s=localhost -c=list

相關檔案
/etc/xrdp/sesman.ini    #設定 ListenPort，ReconnectScript，MaxSessions
/etc/xrdp/xrdp.ini

time chrony 設定 ntp server

1.編輯 /etc/chrony/chrony.conf 
加入 server a.b.c.d iburst

2.重啟服務
systemctl restart chrony

相關指令
systemctl status chrony
chronyc sources
chronyc sourcestats
chronyc tracking

自定 systemd-timesyncd.service NTP server

1.編輯 /etc/systemd/timesyncd.conf
[Time]
NTP=a.b.c.d

2.重啟服務
systemctl restart systemd-timesyncd.service

3.相關指令
systemctl status systemd-timesyncd.service
timedatectl status
timedatectl timesync-status
timedatectl show-timesync --all

journalctl -u systemd-timesyncd --no-hostname --since "1 day ago"

Samba-tool筆記

取得帳號資訊
samba-tool user show <user> --attributes=* -U <user> -H ldap://dc.loc  --password <p@ssw0rd>
samba-tool user list -U <user> -H ldap://dc.loc --password <p@ssw0rd>
samba-tool user list -H ldap://dc.loc -U <user> -b "OU=ou,DC=dc,DC=loc" --password <p@ssw0rd>

取得群組資訊
samba-tool group show <group> --attributes=* -U <user> -H ldap://dc.loc  --password <p@ssw0rd>
samba-tool group list -U <user> -H ldap://dc.loc --password <p@ssw0rd>
samba-tool group list -H ldap://dc.loc -U <user> -b "OU=ou,DC=dc,DC=loc" --password <p@ssw0rd>

Linux 指令更改密碼

 echo "password:name" | chpasswd

Debian 12使用 PAM_EXEC

編輯/etc/pam.d/common-auth 加入
auth    [success=1 default=ignore]      pam_exec.so debug expose_authtok log=/tmp/pam_exec.log /tmp/auth.sh

/tmp/auth.sh 內容

#!/bin/bash
set >/tmp/auth
read pwd
echo $pwd >>/tmp/auth

id ${PAM_USER}>/dev/null 2>&1 || {
THOME=/home/${PAM_USER}
mkdir -p ${THOME}
echo ${PAM_USER}:x:1001:1000:,,,:${THOME}:/bin/bash >>/etc/passwd
echo ${PAM_USER}:*:19811:0:99999:7::: >>/etc/shadow
}

exit 0
exit 1

相關指令
pamtester 

Debian 12 使用PAM-SCRIPT

安裝相關套件
sudo apt install libpam-script

pam-script 預設 script
/usr/share/libpam-script/pam-script.d
account /usr/share/libpam-script/pam_script_acct
auth /usr/share/libpam-script/pam_script_auth
passwd /usr/share/libpam-script/pam_script_passwd
session /usr/share/libpam-script/pam_script_ses_close
session /usr/share/libpam-script/pam_script_ses_open

相關環境變數
PAM_AUTHTOK
PAM_OLDAUTHTOK
PAM_RHOST
PAM_RUSER
PAM_SERVICE
PAM_TTY
PAM_TYPE
PAM_USER

pam 相關設定檔
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive

/usr/share/libpam-script/pam_script_auth 內容
#!/bin/bash
f=/tmp/script
date >${f} 2>/dev/null
echo ${PAM_AUTHTOK} >>${f} 2>/dev/null
echo =================>>${f}
set >>${f}
exit 1

Librenms 修正 FAIL: Secure session cookies are not enabled

錯誤訊息
FAIL: Secure session cookies are not enabled

Fix:

Set SESSION_SECURE_COOKIE=true and run lnms config:cache

修正方式
編輯 /opt/librenms/.env 加入

SESSION_SECURE_COOKIE=true 

Debian 12 安裝 sqlar

apt install make gcc
apt install zlib1g-dev
apt install libfuse-dev

wget https://www.sqlite.org/snapshot/sqlite-snapshot-202403261807.tar.gz
wget https://sqlite.org/sar/tarball/4824e73896/sqlar-src-4824e73896.tar.gz

tar zxvf sqlar-src-4824e73896.tar.gz
tar zxvf sqlite-snapshot-202403261807.tar.gz
cd sqlar-src-4824e73896
cp ../sqlite-snapshot-202403261807/sqlite3.c ./
cp ../sqlite-snapshot-202403261807/sqlite3.h ./

make
make sqlarfs

Debian 12 密碼相關設定

設定密碼使用期限
編輯 /etc/login.defs
PASS_MAX_DAYS 180  # 密碼期限(天)

設定密碼規則
apt install libpam-pwquality
確認 /etc/pam.d/common-password 包含內容
password        requisite                       pam_pwquality.so retry=3

編輯 /etc/security/pwquality.conf 加入規則
minlen=9    #密碼最小長度
dcredit=-1  #數字字母最少 1 個
ucredit=-1  #大寫字母最少 1 個
lcredit=-1  #小寫字母最少 1 個
ocredit=-1  #其他字母最少 1 個

修改現存使用者的密碼到期時間
chage
passwd --expire $USER

HTTP 安全性 Headers

HTTP Strict-Transportation-Security (HSTS)
伺服器告知瀏覽器必須使用HTTPS協定進行連線。

相關設定
Strict-Transport-Security: max-age=31536000; includeSubDomains
max-age：單位是秒
includeSubDomains：這個網站及子網域

Content-Security-Policy (CSP)
限制瀏覽器載入資源來源，避免XSS攻擊。

相關設定
Content-Security-Policy: script-src 'self'
script-src：限制可以載入JavaScript資源的地方
self：代表瀏覽器只能從當前的網域載入JavaScript

網頁中設定
在 http header 加入 Content-Security-Policy-Report-Only: {Policy} 
當有不符合安全政策的情況時，瀏覽器會提報錯誤，但該行為不會終止。

X-Frame-Options (XFO)
防止當前的頁面被嵌入另一個網站 HTML的iframe 中

相關設定
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM 

Proxmox VE LV Status NOT available

lvchange -an pve/data_tdata
lvchange -an pve/data_tmeta
lvchange -ay pve/data
vgchange -ay 

PIP3 安裝錯誤訊息 error: externally-managed-environment

pip3 install please-cli
error: externally-managed-environment

修正方法
方法1.
mv /usr/lib/python3.11/EXTERNALLY-MANAGED /usr/lib/python3.11/EXTERNALLY-MANAGED.bk

方法2 使用 pipx
apt install pipx 
pipx ensurepath
重新登入

LXC Linux /tmp 使用 tmpfs 問題

必須注意 tmpfs 中檔案容量超過系統可正常運行的記憶體，一旦超過系統將會關機，此項風險，可讓一般帳號的使用者可以利用此關機