RHCSA Series: Using ACLs (Access Control Lists) and Mounting Samba/NFS Shares - Part 7


In the previous article (RHCSA series Part 6) we started explaining how to set up and configure local system storage using parted and ssm.

We also discussed how to create and mount encrypted volumes with a password during system boot. In addition, we warned you to avoid performing critical storage management operations on mounted filesystems. With that in mind, we will now review the most commonly used filesystem formats in Red Hat Enterprise Linux 7 and then cover mounting, using, and unmounting network filesystems (CIFS and NFS), both manually and automatically, along with the implementation of access control lists for your system.

Before proceeding, please make sure you have a Samba server and an NFS server available (note that NFSv2 is not supported in RHEL 7).

During this guide we will use a machine with IP 192.168.0.10, with both services running on it, as the server, and a RHEL 7 box with IP address 192.168.0.18 as the client. Later in the article we will tell you which packages you need to install on the client.

Filesystem Formats in RHEL 7

Beginning with RHEL 7, XFS has been introduced as the default filesystem for all architectures due to its high performance and scalability. It currently supports a maximum filesystem size of 500 TB, according to the latest tests performed by Red Hat and its partners on mainstream hardware.

XFS also enables user_xattr (extended user attributes) and acl (POSIX access control lists) as default mount options, unlike ext3 or ext4 (ext2 is considered deprecated as of RHEL 7). This means that you don't need to specify those options explicitly, either on the command line or in /etc/fstab, when mounting an XFS filesystem (if you want to disable such options in this last case, you have to explicitly use no_acl and no_user_xattr).

Keep in mind that extended user attributes can be assigned to files and directories to store arbitrary additional information such as the mime type, character set or encoding of a file, whereas the access permissions for user attributes are defined by the regular file permission bits.

Every system administrator, beginner or expert, is well acquainted with the regular access permissions on files and directories, which specify certain privileges (read, write, and execute) for the owner, the group, and "the world" (all others). However, feel free to refer to Part 3 of the RHCSA series if you need to refresh your memory a little.

However, since the standard ugo/rwx set does not allow configuring different permissions for different users, ACLs were introduced to define more detailed access rights for files and directories than those specified by regular permissions.

In fact, ACL-defined permissions are a superset of the permissions specified by the file permission bits. Let's see how all of this translates to the real world.

1. There are two types of ACLs: access ACLs, which can be applied to either a specific file or a directory, and default ACLs, which can only be applied to a directory. If files contained in the directory do not have an ACL set, they inherit the default ACL of their parent directory.

2. To begin, ACLs can be configured per user, per group, or per user not in the owning group of a file.

3. ACLs are set (and removed) using setfacl, with either the -m or -x option, respectively.

For example, let us create a group named tecmint and add users johndoe and davenull to it:

# groupadd tecmint
# useradd johndoe
# useradd davenull
# usermod -a -G tecmint johndoe
# usermod -a -G tecmint davenull

And let's verify that both users belong to the supplementary group tecmint:

# id johndoe
# id davenull

Let's now create a directory called playground within /mnt, and a file named testfile.txt inside it. We will set the group owner to tecmint and change its default ugo/rwx permissions to 770 (read, write, and execute permissions granted to both the owner and the group owner of the file):

# mkdir /mnt/playground
# touch /mnt/playground/testfile.txt
# chown :tecmint /mnt/playground/testfile.txt
# chmod 770 /mnt/playground/testfile.txt

Then switch user to johndoe and davenull, in that order, and write to the file:

echo "My name is John Doe" > /mnt/playground/testfile.txt
echo "My name is Dave Null" >> /mnt/playground/testfile.txt

So far so good. Now let's have user gacanepa write to the file; the write operation will fail, which was to be expected.

But what if we actually need user gacanepa (who is not a member of group tecmint) to have write permissions on /mnt/playground/testfile.txt? The first thing that may come to mind is adding that user account to group tecmint. But that would give him write permissions on ALL files where the write bit is set for the group, and we don't want that. We only want him to be able to write to /mnt/playground/testfile.txt.

# touch /mnt/playground/testfile.txt
# chown :tecmint /mnt/playground/testfile.txt
# chmod 770 /mnt/playground/testfile.txt
# su johndoe
$ echo "My name is John Doe" > /mnt/playground/testfile.txt
$ su davenull
$ echo "My name is Dave Null" >> /mnt/playground/testfile.txt
$ su gacanepa
$ echo "My name is Gabriel Canepa" >> /mnt/playground/testfile.txt

Let's give user gacanepa read and write access to /mnt/playground/testfile.txt.

Run as root,

# setfacl -R -m u:gacanepa:rwx /mnt/playground

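and you'll have successfully added an ACL that allows gacanepa to write to the test file. Note that, as written, the command applies the rwx entry recursively (-R) to /mnt/playground and everything in it, which is broader than the single-file goal stated above; naming /mnt/playground/testfile.txt as the target with rw permissions would confine the grant to that file. Then switch to user gacanepa and try to write to the file again: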

$ echo "My name is Gabriel Canepa" >> /mnt/playground/testfile.txt

To view the ACLs for a specific file or directory, use getfacl:

# getfacl /mnt/playground/testfile.txt

To set a default ACL on a directory (which its contents will inherit unless overridden), add d: before the rule and specify a directory instead of a file name:

# setfacl -m d:o:r /mnt/playground

The ACL above will give users who are not in the owner group read access to the future contents of the /mnt/playground directory. Note the difference in the output of getfacl /mnt/playground before and after the change.

Chapter 20 in the official RHEL 7 Storage Administration Guide provides more ACL examples, and I highly recommend you take a look at it and keep it handy as a reference.
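
To review what the setfacl commands above actually granted, the following added example (not part of the original article) reads getfacl output and lists every named user or group entry with its effective rights, that is, the entry limited by the mask. The function names and the sample are constructed for illustration; the sample's file block assumes that someone later ran chmod 740 on testfile.txt, which narrows the mask to r--.

```sh
# Added example (not the article's code): named ACL entries and effective rights.
acl_named_entries() {   # stdin: getfacl output; stdout: path TAB entry TAB rights
    awk '
    BEGIN { OFS = "\t" }
    function emit(   i, j, m, eff) {
        for (i = 1; i <= n; i++) {
            m = isdef[i] ? dmask : amask; eff = ""
            for (j = 1; j <= 3; j++)   # a "-" in the mask removes that right
                eff = eff ((substr(m, j, 1) == "-") ? "-" : substr(perm[i], j, 1))
            print file, who[i], eff
        }
        n = 0; amask = ""; dmask = ""
    }
    /^# file: /  { emit(); file = substr($0, 9); next }
    /^#/ || /^$/ { next }
    {
        line = $0; sub(/[ \t]*#.*/, "", line)     # strip "#effective:" notes
        def = (line ~ /^default:/); sub(/^default:/, "", line)
        split(line, f, ":")                       # tag, name, permissions
        if (f[1] == "mask") {
            if (def) dmask = f[3]; else amask = f[3]
        } else if ((f[1] == "user" || f[1] == "group") && f[2] != "") {
            n++; isdef[n] = def; perm[n] = f[3]
            who[n] = (def ? "default:" : "") f[1] ":" f[2]
        }
    }
    END { emit() }'
}

sample_getfacl() {   # constructed sample (owner/group header lines omitted)
    cat <<'EOF'
# file: mnt/playground
user::rwx
user:gacanepa:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r--

# file: mnt/playground/testfile.txt
user::rwx
user:gacanepa:rwx   #effective:r--
group::rwx          #effective:r--
mask::r--
other::---
EOF
}
sample_getfacl | acl_named_entries
```

On a live system, feed it real data with `getfacl -R /mnt/playground 2>/dev/null | acl_named_entries`; any named entry that shows up on a path it was never meant to cover is a candidate for `setfacl -x`.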