by Nikolay Hristov (20-04-2012)

The software written by Professor Daniel J. Bernstein is hard for many people to understand, and perhaps that is why it is not very popular. In this article I will try to explain the concept behind his programs.
Bernstein has adopted the UNIX model: programs should be as small as possible, do one strictly defined job, and communicate through UNIX pipes. Here is an example that every administrator uses:

# ps ax|grep httpd|wc -l
12

A typical pipeline: the output of ps is fed to the input of grep, which selects the lines containing httpd, and those are passed on to wc, which counts how many lines contain httpd and prints the number. In this case we have 12 active httpd server processes at the moment.
The code of his programs is written in ANSI C and compiles on any OS that supports the POSIX model.

We will start with daemontools, which is the foundation of his kind of software. Daemontools is a package of small useful programs that watch a given process and keep it running. A good analog of this system is Services in Windows XP/7.

Installation is simplified as much as possible:

# wget http://cr.yp.to/daemontools/daemontools...
# zcat daemontools-0.76.tar.gz|tar xvf -
# cd admin/daemontools-0.76
# package/install

The installer adds a line to /etc/inittab:

SV:123456:respawn:/usr/bin/svscanboot

which says that if the svscanboot process terminates for any reason, it must be started again.
In fact svscanboot is just a script:

#!/bin/sh
# WARNING: This file was auto-generated. Do not edit!
PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin
exec </dev/null
exec >/dev/null
exec 2>/dev/null
svc -dx /service/* /service/*/log
env - PATH=$PATH svscan /service 2>&1 | \
env - PATH=$PATH readproctitle service errors: ...............................................................
The script runs svscan with the /service directory as its argument, and svscan's output is redirected to another small program, readproctitle. If there are errors while starting some service, the error message is received by readproctitle, which in turn prints it in place of the dots. This lets us track errors from /service like this:

# ps ax|grep readproc
173 ttyE0- IW 0:00.01 readproctitle service errors: ...............................................................

As you can see, there are no errors. Here is an example of what it looks like when there are errors (I deliberately changed the run file in which multilog is started: multilog -> multilog_proba_za_error):

# ps aux|grep readproc
root 172 0.0 0.0 16 500 ttyE0- S 2Mar12 0:00.02 readproctitle service errors: ...s not exist\nsetuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\nsetuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\nsetuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\nsetuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\nsetuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\n
Directory structure in daemontools. Each service is started from its own subdirectory of the main daemontools directory, /service (on Debian, for example, it is /etc/service).

Say you want to run a program through daemontools, so that the program is watched and, if it has exited, is started again. To do that we create a directory in a place convenient for us (the example runs sshd through daemontools):

mkdir -p /etc/svc/sshd
mkdir -p /etc/svc/sshd/log

Each of these two directories must contain a run file, in which the actual start of the program takes place. The requirement is that the program must NOT put itself in the background (daemonize); daemontools will take care of putting it in the background. If the program writes its logs through syslog, you must look for an option that makes it write errors and logs to stderr or stdout. If you do not, multilog will not be able to capture the logs and write them into the log directory.
/etc/svc/sshd/run - the file in which we start the process itself:

#!/bin/sh
exec 2>&1
exec /usr/local/sbin/sshd -D -e

Note: the sshd options are there to satisfy the daemontools requirements (the text below is taken from the sshd man page).

-D When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.
-e When this option is specified, sshd will send the output to the standard error instead of the system log.

exec 2>&1 - tells the shell to redirect everything printed to stderr (2) to stdout (1).
/etc/svc/sshd/log/run - the file in which we start the process that saves the logs of sshd:

#!/bin/sh
exec setuidgid root multilog t /var/log/sshd

In this case the multilog program is started with the privileges of user root; t tells it to add a timestamp (in the tai64 format, explained below) at the beginning of each line, and at the end comes the directory in which the logs will be kept. Multilog has several more options that are useful, for example n (number of log files) and s (size of the log files). If we change the line like this:

exec setuidgid root multilog t s500000 n50 /var/log/sshd

then each log file will be 500000 bytes in size and the maximum number of log files will be 50. When all 50 files of 500 000 bytes are full, the oldest file is deleted and a new one is created.

The logs are saved with a timestamp as the file name, except for the current one, which is called current. Here is an excerpt from a listing of logs:
-rwxr--r-- 1 qmaill nogroup 16775307 Mar 14 06:13 @400000004f601b0c36890194.s
-rwxr--r-- 1 qmaill nogroup 16775283 Mar 17 22:00 @400000004f64ed533284f5e4.s
-rwxr--r-- 1 qmaill nogroup 16775332 Mar 21 16:57 @400000004f69ec6132814c64.s
-rwxr--r-- 1 qmaill nogroup 16775234 Mar 26 16:32 @400000004f706ffb12df90dc.s
-rwxr--r-- 1 qmaill nogroup 16775255 Mar 30 07:42 @400000004f7539d52ef51c4c.s
-rwxr--r-- 1 qmaill nogroup 16775226 Apr  2 17:13 @400000004f79b3fb24fd9cb4.s
-rwxr--r-- 1 qmaill nogroup 16775247 Apr  4 12:27 @400000004f7c140f3760cbc4.s
-rw-r--r-- 1 qmaill nogroup 10108940 Apr 18 15:42 current
The only thing left to do to start the ssh service through daemontools is to make a symbolic link from the directory we created (/etc/svc/sshd/) into /service/. Like this:

# ln -s /etc/svc/sshd/ /service/sshd

after which the service we just created is started automatically.
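The whole procedure above (service directory, run file, log/run file) as a script, added here as an example and not part of the original article or of daemontools: it builds the directory in the shape described and then lints it for the mistakes the text warns about, namely a run file that is not executable, that has no exec, or that sends the daemon into the background with "&". The target directory is a hypothetical path (in practice /etc/svc/sshd), "sshlog" is a placeholder for the non-root account that owns the log directory, and nothing is linked into /service or started.

```shell
# Added example, not from the original article: build the service directory
# described above and lint it for the mistakes the text warns about.
# Assumptions: DIR is a hypothetical path (in practice /etc/svc/sshd), "sshlog"
# is a placeholder log-owner account, and nothing is linked into /service here.

# make_service_dir DIR 'COMMAND' LOGDIR LOGUSER
# Writes DIR/run and DIR/log/run in the shape the article uses and marks them
# executable. multilog is run as LOGUSER rather than as root.
make_service_dir() {
    dir=$1; cmd=$2; logdir=$3; loguser=$4
    mkdir -p "$dir/log" || return 1
    printf '#!/bin/sh\nexec 2>&1\nexec %s\n' "$cmd" > "$dir/run"
    printf '#!/bin/sh\nexec setuidgid %s multilog t s500000 n50 %s\n' \
        "$loguser" "$logdir" > "$dir/log/run"
    chmod 755 "$dir/run" "$dir/log/run"
}

# lint_run_file FILE: print one problem per line; return 1 if any were found.
lint_run_file() {
    f=$1; bad=0
    if [ ! -f "$f" ]; then
        echo "$f: missing"; return 1
    fi
    if [ ! -x "$f" ]; then
        echo "$f: not executable, supervise cannot start it"; bad=1
    fi
    IFS= read -r first < "$f" || first=
    case "$first" in
        '#!'*) ;;
        *) echo "$f: first line is not a #! interpreter line"; bad=1 ;;
    esac
    if ! grep -q '^exec ' "$f"; then
        echo "$f: no exec line, a shell would sit between supervise and the daemon"; bad=1
    fi
    if grep -q '&[[:space:]]*$' "$f"; then
        echo "$f: backgrounds the program with &; daemontools needs it in the foreground"; bad=1
    fi
    if grep -q 'setuidgid root' "$f"; then
        echo "$f: runs as root via setuidgid; use a dedicated low-privilege account"; bad=1
    fi
    return $bad
}

# lint_service_dir DIR: check both run files of a service directory.
lint_service_dir() {
    rc=0
    lint_run_file "$1/run" || rc=1
    lint_run_file "$1/log/run" || rc=1
    return $rc
}

# Usage (constructed target path; in practice /etc/svc/sshd):
#   make_service_dir /tmp/svc-demo/sshd '/usr/local/sbin/sshd -D -e' /var/log/sshd sshlog
#   lint_service_dir /tmp/svc-demo/sshd && ln -s /tmp/svc-demo/sshd /service/sshd
```

Running the lint before the ln -s step matters because svscan picks the directory up within seconds of the link appearing; a run file that fails is restarted in a loop and its errors only show up in the readproctitle dots.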
You may have noticed that I skipped explaining some of the programs used, such as setuidgid or svc. Let us pay some attention to the additional programs that come with daemontools.

svc - controls the services that supervise takes care of. With this program you in effect send various signals to the given service.

-u (up) Starts the service. If it is not started, it is started. If the process terminates for any reason, it is restarted.
-d (down) Stops the service. If it is started, it is sent the TERM signal. Once stopped, the service is not restarted.
-o (once) Starts the service only once. When the service stops, it is not restarted.
-p (pause) Sends the STOP signal.
-t (terminate) Sends the TERM signal. In practice this option restarts a given service: the process receives TERM, a signal that should stop it, and a few seconds later supervise brings it up again.
-k (kill) Sends the KILL signal.

There are more options; for more information look at the man page or at http://cr.yp.to/daemontools/svc.html. Examples:

svc -t /service/* - restarts all services.
svc -d /service/qmail-send/ - stops the given service.
svc -u /service/qmail-send/ - starts the given service.
svok - checks whether a given service is started. Returns 0 if the service is active and 100 if it is not. It can be used in scripts.

svstat - shows the current status of the given service(s). It accepts any number of arguments, each of which is a path to a service. Wildcards are supported too. Example:

# svstat /service/qmail-send/ /service/qmail-smtpd/
/service/qmail-send/: up (pid 3540) 1891374 seconds
/service/qmail-smtpd/: up (pid 3539) 1891374 seconds

or

# svstat /service/*/log
/service/qmail-send/log: up (pid 7695) 6134915 seconds
/service/qmail-smtpd/log: up (pid 15281) 3457319 seconds
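svok only answers "up or not"; the uptime that svstat prints adds a second dimension, since a long-running service showing an uptime of a few seconds usually means supervise is restarting it in a loop. The following is an added example, not part of the original article or of daemontools: a small POSIX sh classifier for svstat output that a cron job or monitoring check can run. The sample lines are constructed in the svstat format shown above, and nothing here invokes daemontools itself.

```shell
# Added example, not from the original article: classify svstat output so a
# monitoring check can alert on services that are down or that supervise keeps
# restarting. The sample lines below are constructed; daemontools is not called.

# svstat_classify LINE [MIN_UPTIME]
# Prints "<service> <state> <seconds>" where state is ok, restarting, down or
# unknown. Returns 0 only for ok (compare svok, which returns 0 or 100).
svstat_classify() {
    line=$1; min=${2:-300}
    name=${line%%: *}
    rest=${line#*: }
    set -f; set -- $rest; set +f      # split the status part on whitespace, no globbing
    case "$1" in
        up)
            # "up (pid 3540) 1891374 seconds": $2="(pid" $3="3540)" $4=seconds
            secs=$4
            case "$secs" in ''|*[!0-9]*) printf '%s unknown 0\n' "$name"; return 3 ;; esac
            if [ "$secs" -lt "$min" ]; then
                printf '%s restarting %s\n' "$name" "$secs"; return 2
            fi
            printf '%s ok %s\n' "$name" "$secs"; return 0 ;;
        down)
            # "down 42 seconds, normally up": $2=seconds
            printf '%s down %s\n' "$name" "$2"; return 1 ;;
        *)
            printf '%s unknown 0\n' "$name"; return 3 ;;
    esac
}

# svstat_report [MIN_UPTIME] < svstat-output
# Prints only the services that need attention; returns 1 if there were any.
svstat_report() {
    rc=0
    while IFS= read -r l || [ -n "$l" ]; do
        [ -n "$l" ] || continue
        out=$(svstat_classify "$l" "$1") || { printf '%s\n' "$out"; rc=1; }
    done
    return $rc
}

# Constructed sample in the format the article shows.
SAMPLE_SVSTAT='/service/qmail-send/: up (pid 3540) 1891374 seconds
/service/qmail-smtpd/: up (pid 9912) 7 seconds
/service/sshd/: down 42 seconds, normally up
/service/sshd/log: up (pid 7695) 6134915 seconds'

# In production: svstat /service/* /service/*/log | svstat_report 300
if printf '%s\n' "$SAMPLE_SVSTAT" | svstat_report 300; then
    echo "all services healthy"
else
    echo "attention needed"
fi
```

The 300-second threshold is a parameter, not a rule: pick it per service, since a short uptime right after a deliberate svc -t restart is expected, while the same number a day later points at a crash loop worth reading the multilog output for.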
setuidgid - Starts a process with the privileges of another user. If a service does not need root privileges, we can run it as a different user with limited privileges. The example from above:

#!/bin/sh
exec setuidgid root multilog t /var/log/sshd

starts multilog with the privileges of user root. As can be seen, there is no need for multilog to be started with root privileges, and to avoid that we can do the following: create a new user (for example sshlog), change the owner of the /var/log/sshd directory to sshlog (chown sshlog /var/log/sshd), and then change the line with which multilog is started so that it becomes:

#!/bin/sh
exec setuidgid sshlog multilog t /var/log/sshd

That way the process for the log files is started with the limited privileges of user sshlog.

envuidgid - Starts a process with the environment of the given account.
softlimit - Starts a process with limited resources, such as the maximum memory it may occupy, the size of the files it creates, and so on (an analog of ulimit). Example:

# softlimit -m 2000000 /bin/sh
# mc
mc: error while loading shared libraries: libslang.so.2: failed to map segment from shared object: Cannot allocate memory

This starts /bin/sh with memory usage limited to 2 000 000 bytes. When you try to start something that takes memory (such as Midnight Commander), you can see the result. I use this option with qmail to limit the size of received messages.
tai64nlocal - Reads from stdin, looks for lines that begin with @ followed by a tai64 timestamp, and converts the timestamps to the format YYYY-MM-DD HH:MM:SS.SSSSSSSSS. Example:

Original timestamp from a multilog log file:

@400000004eef68ef060b533c status: local 0/10 remote 2/20

# echo "@400000004eef68ef060b533c status: local 0/10 remote 2/20"|tai64nlocal
2011-12-19 18:40:05.101405500 status: local 0/10 remote 2/20

TAI (Temps Atomique International) is an international standard for measuring time which, for the moment, is not used in the mainstream operating systems (http://cr.yp.to/proto/utctai.html). Tai64 is an implementation made by Dan Bernstein that is used in his programs (http://cr.yp.to/proto/tai64.txt).
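To show what is inside such a label, here is a decoder written as an added example (not part of the original article, and not DJB's libtai): a pure POSIX sh filter that does what tai64nlocal does, except that it prints UTC instead of local time. A TAI64N label is "@", 16 hex digits of TAI seconds offset by 2^62, and 8 hex digits of nanoseconds. The example assumes labels whose first 8 hex digits are "40000000" (dates from 1970 to 2106) and no leap-second table, so TAI is turned into UTC with the fixed 10-second offset that libtai also uses when leapsecs.dat is absent; the line and timestamp are the ones from the article.

```shell
# Added example, not from the original article: a pure POSIX sh decoder for
# the TAI64N labels multilog writes, printing UTC rather than local time.
# Assumptions: label prefix "40000000" (1970..2106) and no leap-second table,
# so TAI -> UTC is a fixed 10 s offset, as in libtai without leapsecs.dat.

# days_to_ymd DAYS: convert days since 1970-01-01 into YYYY-MM-DD
# ("civil from days" algorithm, integer arithmetic only, days >= 0).
days_to_ymd() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# tai64n_to_utc LABEL: decode "@<16 hex seconds><8 hex nanoseconds>" into
# "YYYY-MM-DD HH:MM:SS.NNNNNNNNN" (UTC). Returns 1 for a malformed label.
tai64n_to_utc() {
    label=${1#@}
    [ "${#label}" -eq 24 ] || return 1
    case "$label" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ "${label%????????????????}" = "40000000" ] || return 1
    rest=${label#????????}
    sec_hex=${rest%????????}
    ns_hex=${rest#????????}
    secs=$(( 0x$sec_hex - 10 ))        # TAI seconds -> UTC (no leap-second table)
    ns=$(( 0x$ns_hex ))
    days=$(( secs / 86400 ))
    rem=$(( secs % 86400 ))
    printf '%s %02d:%02d:%02d.%09d\n' "$(days_to_ymd "$days")" \
        "$(( rem / 3600 ))" "$(( rem % 3600 / 60 ))" "$(( rem % 60 ))" "$ns"
}

# tai64n_decode_lines < log: filter stdin the way tai64nlocal does. Lines that
# start with a valid label get it replaced by the decoded time; everything
# else, including lines with a broken label, passes through unchanged.
tai64n_decode_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            @*)
                label=${line%% *}
                if ts=$(tai64n_to_utc "$label"); then
                    printf '%s%s\n' "$ts" "${line#"$label"}"
                else
                    printf '%s\n' "$line"
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# The line from the article, fed through the filter (prints the UTC time).
printf '%s\n' '@400000004eef68ef060b533c status: local 0/10 remote 2/20' | tai64n_decode_lines
```

For the article's label this prints 2011-12-19 16:40:05.101405500, the same instant that the tai64nlocal run above displays in the machine's local zone, two hours ahead. Working through the arithmetic once is useful when correlating multilog files with other logs: the file names in the listing above are labels of the same kind, so the rotation time of each file can be read straight from its name.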
fghack - an anti-backgrounding tool. If you have a program that always starts in the background (as a daemon), with this program you can "trick" it into starting in the foreground. (I have not tried it, and DJB says it does not work in all cases.)

pgrphack - some programs, on exit, send the TERM signal not to a process ID (pid) but to the group ID (gid), in which case svscan receives the signal too, with consequences that are not very pleasant. The example given is the pppd program, which must be started precisely with pgrphack. (I have not tested this personally.)

Resources used: http://cr.yp.to/daemontools.html
Alternative (better formatted) address of the article: http://geroyblog.blogspot.com/2012/04/d...