Blog

Service Units(systemd)

Content #

EnvironmentFile=-/etc/default/ssh

The minus sign (-) in front of the path to the file tells systemd that if the file doesn’t exist, don’t worry about it and start the service anyway.

Without an [Install] section the unit is static and cannot be enabled.

From #

systemd unit files

Content #

Default location: /lib/systemd/system. To override a default unit file, put your own copy under /etc/systemd/system. The filename extension describes which type of unit it is.

Type of unit files #

  1. service
  2. socket Sockets can either enable communication between different system services or they can automatically wake up a sleeping service when it receives a connection request.
  3. slice Slice units are used when configuring cgroups.
  4. mount and automount mount point information for filesystems that are controlled by systemd.
  5. target used during system startup, for grouping units and for providing well-known synchronization points.
  6. timer for scheduling jobs that run on a schedule. They replace the old cron system.
  7. path You can use a path unit to have systemd monitor a certain file or directory to see when it changes. When systemd detects that the file or directory has changed, it will activate the specified service.
  8. swap

state #

systemctl list-unit-files

Lists all unit files installed on the system.

...

sub:systemd

Content #

  1. systemd unit files
  2. Service Units(systemd)
  3. unclean kill signal
  4. Masking a service
  5. Create a new container service with podman from user account
  6. systemd timers
  7. Changing the default locale
  8. Setting time and timezone parameters
  9. Shutdown and Reboot(systemd)
  10. The four default slices
  11. Situations that require daemon-reload

Custom services belong under /etc/systemd/system; service files placed under /lib/systemd/system are overwritten by system updates.

The @ in the file name user@.service marks it as a service template; "%i" in the unit file is replaced by the argument given after the @.
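As an added example (not from these notes), a custom service and a service template written the way the notes above describe: the files go under /etc/systemd/system, EnvironmentFile= carries the leading minus, only the unit with an [Install] section can be enabled, and the template uses %i. The unit names, binaries and the UNIT_DIR override are assumptions; unit_enable_state mirrors the static/non-static distinction that systemctl list-unit-files reports.

```shell
#!/bin/sh
# Added example: a custom service plus a service template, written the way the
# notes describe. UNIT_DIR is a hypothetical override so the files can be
# written somewhere else for a dry run; the default is the real location.
set -e
UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"

write_units() {
    # Custom unit under /etc/systemd/system: survives package updates,
    # EnvironmentFile=- tolerates a missing file, [Install] makes it enableable.
    cat > "$UNIT_DIR/myapp.service" <<'EOF'
[Unit]
Description=Example app (constructed for illustration)
After=network.target

[Service]
EnvironmentFile=-/etc/default/myapp
ExecStart=/usr/local/bin/myapp $MYAPP_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
    # The @ marks a template; %i becomes the instance name, e.g. myworker@alpha.
    # No [Install] section, so list-unit-files shows it as static.
    cat > "$UNIT_DIR/myworker@.service" <<'EOF'
[Unit]
Description=Worker instance %i

[Service]
ExecStart=/usr/local/bin/myworker --name %i
EOF
}

# Mirrors the static/non-static distinction of systemctl list-unit-files:
# without [Install] there is nothing for systemctl enable to link.
unit_enable_state() {
    if grep -q '^\[Install\]' "$1"; then echo enableable; else echo static; fi
}

# Run as "sh this.sh write" (as root) to write the units, then:
# systemctl daemon-reload; systemctl enable --now myapp.service;
# systemctl start myworker@alpha.service
if [ "${1:-}" = write ]; then write_units; fi
```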

systemd starts loading the bootup targets in the following order:

  1. local-fs-pre.target
  2. local-fs.target
  3. sysinit.target
  4. basic.target
  5. multi-user.target
  6. graphical.target

Within each target, processes start up in parallel.

Location of unit files generated by systemd:

/run/systemd/generator

Setting the hostname and machine information #

hostnamectl
sudo hostnamectl set-hostname "Donnie's Computer"

Get Help #

man systemd-system.conf
apropos systemd
man -k systemd
man systemd.unit
man systemd.directives # documentation of configuration directives
man systemd.exec #Execution environment configuration
systemctl -h # quick reference
systemctl --state=help #see a list of all of the different states
systemctl show #show running configuration
systemctl show --property=DefaultLimitSIGPENDING

cook:systemd cook:journalctl sub:cgroups systemd-boot

...

sub:openssl

Content #

Generate a Diffie-Hellman (DH) parameter file

openssl dhparam -out dh2048.pem 2048

From #

PKI using Easy-RSA

Configuration #

  1. copy vars.example to vars
  2. define EASYRSA to something sensible, such as /usr/local/etc/easy-rsa

Procedure #

  1. Initialize PKI

    ./easyrsa init-pki
    
  2. Building the CA

    ./easyrsa build-ca
    

    check CA

    openssl x509 -in /path/to/ca.crt -text -noout
    
  3. Generate an empty CRL (Certificate Revocation List)

    ./easyrsa gen-crl
    

    verify the CRL

    openssl crl -noout -text -in /path/to/crl.pem
    
  4. Build the server certificate. A dedicated server certificate prevents one of your client certificates from being used as a server in a Man-in-the-Middle attack.

    ...

OpenVPN PKI Logical Flow

Content #

  1. Client makes connection to server; client requests server certificate.
  2. Server sends certificate to client.
  3. Client reads certificate: verifies certificate against CA.
  4. (optional) Client verifies server Key Usage.
  5. Server reads certificate: verifies certificate against CA.
  6. (optional) Server verifies client Key Usage.
  7. (optional) Server verifies against CRL.
  8. Client and server exchange crypto details, accept connection.
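As an added example (not from the Easy-RSA notes or the flow above), a throwaway PKI built with plain openssl instead of the easyrsa wrapper, with the two checks from the flow written as shell functions: steps 3/5 (the certificate chains to the CA) and step 4/6 (the Key Usage fits the role, which is what stops a client certificate from posing as the server). Directory layout, subjects and the EKU values are constructed sample values; the remote-cert-tls option mentioned in a comment is OpenVPN's own option for this check, not something from these notes.

```shell
#!/bin/sh
# Added example, not from the original notes: a throwaway PKI built with plain
# openssl (instead of easyrsa) to show the checks from the logical flow:
# steps 3/5 (chains to the CA) and steps 4/6 (Key Usage fits the role).
set -e

# CA plus two leaf certs in directory $1: the server gets EKU serverAuth,
# the client EKU clientAuth. Names and subjects are constructed sample values.
build_pki() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example CA" -days 3650 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\n' > "$d/server.ext"
    printf 'extendedKeyUsage=clientAuth\n' > "$d/client.ext"
    for n in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 365 -extfile "$d/$n.ext" -out "$d/$n.crt" 2>/dev/null
    done
}

# Steps 3 and 5: is the certificate signed by our CA? Prints ok or fail.
chain_check() {
    if openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Steps 4 and 6 for the server side: may the peer act as a TLS server?
# A client certificate fails here even though it chains to the CA, which is
# what blocks the MITM scenario (OpenVPN enforces this with remote-cert-tls).
server_role_check() {
    if openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Example run: build_pki /tmp/pki; server_role_check /tmp/pki /tmp/pki/client.crt
```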

From #

Routing in Point-to-point Mode(OpenVPN)

Content #

The client-side network 192.168.4.0/24 (client: 10.200.0.2) needs to be routed over the VPN tunnel to the server (10.200.0.1).

  1. On the listening end (server)

    openvpn --ifconfig 10.200.0.1 10.200.0.2 \
    --dev tun --secret secret.key 0 \
    --route 192.168.4.0 255.255.255.0 \
    --daemon --log /var/log/movpn-server.log
    

A route statement was added to tell OpenVPN that the network 192.168.4.0/24 is located at the other end of the tunnel. Instead of a route statement, we can also use an iproute2 command:

...

Point-to-point Mode(OpenVPN)

Simplest and shortest example #

  1. Start the first endpoint in the listening mode

    openvpn --ifconfig 10.200.0.1 10.200.0.2 --dev tun
    
  2. Launch the OpenVPN client

    openvpn --ifconfig 10.200.0.2 10.200.0.1 --dev tun --remote first.endpoint
    

Using TCP Protocol #

The default protocol that OpenVPN uses is UDP; if the TCP protocol is required:

  1. Start the first endpoint in the listening mode

    openvpn --ifconfig 10.200.0.1 10.200.0.2 --dev tun --proto tcp-server
    
  2. Launch the OpenVPN client

    ...

sub:OpenVPN

Content #

Using a TCP-based application over a TCP-based VPN can result in a double performance loss, especially if the underlying network connection is bad. In that case, retransmission of lost packets is done both inside and outside the tunnel, leading to a double performance hit. When choosing between UDP or TCP transport, the general rule of thumb is as follows: if UDP (mode udp) works for you, then use it; if not, then try TCP (mode tcp-server and mode tcp-client).

...

Adding a mark to the Firefox process and its child processes

Content #

The following steps use iptables and cgroups on Linux to mark the Firefox process and its child processes:

  1. Make sure the `cgroup` tools are installed:

    sudo apt install cgroup-tools
    
  2. Create a new cgroup:

    sudo cgcreate -g misc:firefox_cgroup
    
  3. Find the PID of the Firefox process:

    pgrep firefox
    
  4. Add the Firefox process to the new cgroup:

    sudo cgclassify -g misc:firefox_cgroup firefox_pid
    
  5. Create a new iptables rule:

    sudo iptables -t mangle -A OUTPUT -m cgroup --path '/firefox_cgroup' -j MARK --set-mark 0x1

cgroup v2 no longer has net_cls or classid; use the --path parameter instead.

Now all network packets generated by the Firefox process and its child processes are marked with `0x1`.
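As an added example (not from the original note), a script that moves the whole Firefox process tree, not only the single PID that cgclassify receives in step 4, into the cgroup and adds the mark rule only once, so re-running it does not stack duplicate rules. The cgroup name, controller and mark are the note's; the helper names and the /proc-based tree walk are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original note: put a whole process tree
# (not just one PID) into the cgroup and add the mark rule only once.
# Cgroup name, controller and mark follow the note; helpers are assumptions.
set -e

# Parent PID of a process, read from /proc/PID/stat with shell builtins only.
# The command name is in parentheses and may contain spaces or ")", so strip
# everything up to the last ") " before splitting the remaining fields.
ppid_of() {
    read -r line 2>/dev/null < "/proc/$1/stat" || return 1
    line="${line##*) }"
    set -- $line            # $1 = state, $2 = ppid
    echo "$2"
}

# Print a PID followed by all of its descendants, one per line.
process_tree() {
    echo "$1"
    for d in /proc/[0-9]*; do
        p="${d#/proc/}"
        if [ "$(ppid_of "$p")" = "$1" ]; then process_tree "$p"; fi
    done
}

# Create the cgroup if needed, move the tree into it, and add the mangle rule
# only if it is not already there (-C checks, -A appends). Needs root.
mark_process_tree() {
    root="$1"; cg="${2:-firefox_cgroup}"; mark="${3:-0x1}"
    cgcreate -g "misc:$cg" 2>/dev/null || true      # already exists: fine
    for pid in $(process_tree "$root"); do
        cgclassify -g "misc:$cg" "$pid" 2>/dev/null || true   # pid may have exited
    done
    iptables -t mangle -C OUTPUT -m cgroup --path "/$cg" -j MARK --set-mark "$mark" 2>/dev/null ||
        iptables -t mangle -A OUTPUT -m cgroup --path "/$cg" -j MARK --set-mark "$mark"
}

# Example use (as root): mark_process_tree "$(pgrep -o firefox)"
```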

From #