Protection Process (or daemon, PID = 1 )

# The boot process of Linux system
# BIOS --> Bootloader --> load system kernel --> init kernel --> init init processes --> init task
# System V (for old version, not used since centOS 7) --> newest version : systemd
man systemctl


# use systemd to manage the system events

# process start and end : systemctl, here we first install Samba on the centOS server
sudo yum -y install samba

# start the samba service
[root@localhost ~]# systemctl start smb
[root@localhost ~]# ps -aux | grep smb
root 1688 0.4 0.6 454396 12888 ? Ss 21:03 0:00 /usr/sbin/smbd --foreground --no-process-group
root 1690 0.0 0.2 450244 3888 ? S 21:03 0:00 /usr/sbin/smbd --foreground --no-process-group
root 1691 0.0 0.1 450236 3608 ? S 21:03 0:00 /usr/sbin/smbd --foreground --no-process-group
root 1692 0.0 0.2 454396 4152 ? S 21:03 0:00 /usr/sbin/smbd --foreground --no-process-group
root 1695 0.0 0.0 112812 972 pts/0 S+ 21:03 0:00 grep --color=auto smb
[root@localhost ~]# systemctl status smb
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2021-03-14 21:03:10 CST; 59s ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 1688 (smbd)
Status: "smbd: ready to serve connections..."
CGroup: /system.slice/smb.service
├─1688 /usr/sbin/smbd --foreground --no-process-group
├─1690 /usr/sbin/smbd --foreground --no-process-group
├─1691 /usr/sbin/smbd --foreground --no-process-group
└─1692 /usr/sbin/smbd --foreground --no-process-group

Mar 14 21:03:10 localhost.localdomain systemd[1]: Starting Samba SMB Daemon...
Mar 14 21:03:10 localhost.localdomain smbd[1688]: [2021/03/14 21:03:10.938044...
Mar 14 21:03:10 localhost.localdomain systemd[1]: Started Samba SMB Daemon.
Mar 14 21:03:10 localhost.localdomain smbd[1688]: daemon_ready: daemon 'smb...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# systemctl stop smb
[root@localhost ~]# systemctl status smb
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)

Mar 14 21:03:10 localhost.localdomain systemd[1]: Starting Samba SMB Daemon...
Mar 14 21:03:10 localhost.localdomain smbd[1688]: [2021/03/14 21:03:10.938044...
Mar 14 21:03:10 localhost.localdomain systemd[1]: Started Samba SMB Daemon.
Mar 14 21:03:10 localhost.localdomain smbd[1688]: daemon_ready: daemon 'smb...
Mar 14 21:04:18 localhost.localdomain systemd[1]: Stopping Samba SMB Daemon...
Mar 14 21:04:18 localhost.localdomain systemd[1]: Stopped Samba SMB Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# systemctl restart smb
[root@localhost ~]# systemctl status smb
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2021-03-14 21:05:04 CST; 2s ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 1711 (smbd)
Status: "smbd: ready to serve connections..."
CGroup: /system.slice/smb.service
├─1711 /usr/sbin/smbd --foreground --no-process-group
├─1713 /usr/sbin/smbd --foreground --no-process-group
├─1714 /usr/sbin/smbd --foreground --no-process-group
└─1715 /usr/sbin/smbd --foreground --no-process-group

Mar 14 21:05:04 localhost.localdomain systemd[1]: Starting Samba SMB Daemon...
Mar 14 21:05:04 localhost.localdomain smbd[1711]: [2021/03/14 21:05:04.988942...
Mar 14 21:05:04 localhost.localdomain systemd[1]: Started Samba SMB Daemon.
Mar 14 21:05:04 localhost.localdomain smbd[1711]: daemon_ready: daemon 'smb...
Hint: Some lines were ellipsized, use -l to show in full.
# list all active units (plain `systemctl` with no arguments does the same)
[root@localhost ~]# systemctl list-units

[root@localhost ~]# systemctl list-units --type=service


# to view Samba service details
[root@localhost ~]# systemctl cat smb.service
# /usr/lib/systemd/system/smb.service
[Unit]
Description=Samba SMB Daemon
Documentation=man:smbd(8) man:samba(7) man:smb.conf(5)
Wants=network-online.target
After=network.target network-online.target nmb.service winbind.service

[Service]
Type=notify
NotifyAccess=all
PIDFile=/run/smbd.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS
ExecReload=/bin/kill -HUP $MAINPID
LimitCORE=infinity
Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba

[Install]
WantedBy=multi-user.target

# in case you want to edit the samba service file: this opens a drop-in override, so the packaged unit file under /usr/lib/systemd/system is left untouched
[root@localhost ~]# systemctl edit smb.service

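# useful commands after modifying the service file
# --full edits a complete copy of the unit instead of a drop-in override
systemctl edit --full smb.service
# make systemd re-read unit files from disk (the subcommand is one word: daemon-reload)
systemctl daemon-reload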

# target and System V level targets

# view all the target
[root@localhost ~]# systemctl list-units --type=target --all
UNIT LOAD ACTIVE SUB DESCRIPTION
basic.target loaded active active Basic System
bluetooth.target loaded active active Bluetooth
cryptsetup.target loaded active active Local Encrypted Volumes
emergency.target loaded inactive dead Emergency Mode
final.target loaded inactive dead Final Step
getty-pre.target loaded inactive dead Login Prompts (Pre)
getty.target loaded active active Login Prompts
graphical.target loaded inactive dead Graphical Interface
initrd-fs.target loaded inactive dead Initrd File Systems
initrd-root-fs.target loaded inactive dead Initrd Root File System
initrd-switch-root.target loaded inactive dead Switch Root
initrd.target loaded inactive dead Initrd Default Target
local-fs-pre.target loaded active active Local File Systems (Pre)
local-fs.target loaded active active Local File Systems
multi-user.target loaded active active Multi-User System
network-online.target loaded active active Network is Online
network-pre.target loaded active active Network (Pre)
network.target loaded active active Network
nss-user-lookup.target loaded inactive dead User and Group Name Lookup
paths.target loaded active active Paths
remote-fs-pre.target loaded inactive dead Remote File Systems (Pre)
remote-fs.target loaded active active Remote File Systems
rescue.target loaded inactive dead Rescue Mode
shutdown.target loaded inactive dead Shutdown
slices.target loaded active active Slices
sockets.target loaded active active Sockets
sound.target loaded active active Sound Card
swap.target loaded active active Swap
sysinit.target loaded active active System Initialization
● syslog.target not-found inactive dead syslog.target
time-sync.target loaded inactive dead System Time Synchronized
timers.target loaded active active Timers
umount.target loaded inactive dead Unmount All Filesystems

LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.

33 loaded units listed.
lines 1-40/41 98%

# if you want to see all dependencies on one target

[root@localhost ~]# systemctl list-dependencies graphical.target
graphical.target
● ├─display-manager.service
● ├─network.service
● ├─systemd-update-utmp-runlevel.service
● └─multi-user.target
● ├─auditd.service
● ├─chronyd.service
● ├─crond.service
● ├─dbus.service
● ├─firewalld.service
● ├─irqbalance.service
● ├─kdump.service
● ├─network.service
● ├─NetworkManager.service
● ├─plymouth-quit-wait.service
● ├─plymouth-quit.service
● ├─postfix.service
● ├─rhel-configure.service
● ├─rsyslog.service
● ├─sshd.service
● ├─systemd-ask-password-wall.path
● ├─systemd-logind.service
● ├─systemd-readahead-collect.service
● ├─systemd-readahead-replay.service
● ├─systemd-update-utmp-runlevel.service
● ├─systemd-user-sessions.service
● ├─tuned.service
● ├─basic.target
● │ ├─microcode.service
● │ ├─rhel-dmesg.service
● │ ├─selinux-policy-migrate-local-changes@targeted.service
● │ ├─paths.target
● │ ├─slices.target
● │ │ ├─-.slice
● │ │ └─system.slice
● │ ├─sockets.target
● │ │ ├─dbus.socket
● │ │ ├─dm-event.socket
● │ │ ├─systemd-initctl.socket
● │ │ ├─systemd-journald.socket
● │ │ ├─systemd-shutdownd.socket
● │ │ ├─systemd-udevd-control.socket
● │ │ └─systemd-udevd-kernel.socket
● │ ├─sysinit.target
● │ │ ├─dev-hugepages.mount
● │ │ ├─dev-mqueue.mount
● │ │ ├─kmod-static-nodes.service
● │ │ ├─lvm2-lvmetad.socket
● │ │ ├─lvm2-lvmpolld.socket
● │ │ ├─lvm2-monitor.service
● │ │ ├─plymouth-read-write.service
● │ │ ├─plymouth-start.service
● │ │ ├─proc-sys-fs-binfmt_misc.automount
● │ │ ├─rhel-autorelabel-mark.service
● │ │ ├─rhel-autorelabel.service
● │ │ ├─rhel-domainname.service
● │ │ ├─rhel-import-state.service
● │ │ ├─rhel-loadmodules.service
● │ │ ├─sys-fs-fuse-connections.mount
● │ │ ├─sys-kernel-config.mount
● │ │ ├─sys-kernel-debug.mount
● │ │ ├─systemd-ask-password-console.path
● │ │ ├─systemd-binfmt.service
● │ │ ├─systemd-firstboot.service
● │ │ ├─systemd-hwdb-update.service
● │ │ ├─systemd-journal-catalog-update.service
● │ │ ├─systemd-journal-flush.service
● │ │ ├─systemd-journald.service
● │ │ ├─systemd-machine-id-commit.service
● │ │ ├─systemd-modules-load.service
● │ │ ├─systemd-random-seed.service
● │ │ ├─systemd-sysctl.service
● │ │ ├─systemd-tmpfiles-setup-dev.service
● │ │ ├─systemd-tmpfiles-setup.service
● │ │ ├─systemd-udev-trigger.service
● │ │ ├─systemd-udevd.service
● │ │ ├─systemd-update-done.service
● │ │ ├─systemd-update-utmp.service
● │ │ ├─systemd-vconsole-setup.service
● │ │ ├─cryptsetup.target
● │ │ ├─local-fs.target
● │ │ │ ├─-.mount
● │ │ │ ├─boot.mount
● │ │ │ ├─rhel-readonly.service
● │ │ │ └─systemd-remount-fs.service
● │ │ └─swap.target
● │ │ └─dev-mapper-centos\x2dswap.swap
● │ └─timers.target
● │ └─systemd-tmpfiles-clean.timer
● ├─getty.target
● │ └─getty@tty1.service
● └─remote-fs.target
lines 53-92/92 (END)

[root@localhost ~]# systemctl get-default
multi-user.target
# switch to single-user mode / set target as default target
[root@localhost ~]# systemctl isolate rescue.target
[root@localhost ~]# systemctl set-default [target_name].target

# management journal
[root@localhost ~]# journalctl
# journal from last boot
[root@localhost ~]# journalctl -b
# journal of kernel
[root@localhost ~]# journalctl -k

# boot time
[root@localhost ~]# systemd-analyze
Startup finished in 934ms (kernel) + 1.529s (initrd) + 6.384s (userspace) = 8.848s
# see service that cost most time
[root@localhost ~]# systemd-analyze blame
2.409s kdump.service
1.363s dev-mapper-centos\x2droot.device
1.286s lvm2-monitor.service
1.196s tuned.service
739ms postfix.service
662ms dracut-initqueue.service
659ms NetworkManager-wait-online.service
626ms firewalld.service
341ms initrd-switch-root.service
334ms network.service
239ms sysroot.mount
197ms boot.mount
189ms auditd.service
178ms polkit.service
161ms dracut-cmdline.service
156ms dracut-pre-pivot.service
140ms lvm2-pvscan@8:2.service
127ms chronyd.service
119ms systemd-udev-trigger.service
107ms systemd-logind.service
107ms rhel-readonly.service
95ms sshd.service
92ms systemd-user-sessions.service
91ms rhel-dmesg.service
85ms smb.service
76ms systemd-udevd.service
68ms NetworkManager.service
66ms plymouth-start.service
59ms systemd-tmpfiles-setup-dev.service
58ms rhel-import-state.service
54ms rsyslog.service
53ms systemd-vconsole-setup.service
52ms initrd-parse-etc.service
49ms dracut-pre-udev.service
49ms rhel-domainname.service
45ms systemd-journald.service
37ms dev-hugepages.mount
37ms kmod-static-nodes.service
35ms plymouth-quit-wait.service
30ms systemd-sysctl.service
28ms plymouth-read-write.service
26ms systemd-remount-fs.service
26ms plymouth-switch-root.service
25ms dev-mqueue.mount
25ms systemd-tmpfiles-setup.service
24ms systemd-journal-flush.service
23ms sys-kernel-debug.mount
22ms plymouth-quit.service
20ms initrd-cleanup.service
20ms systemd-tmpfiles-clean.service
19ms dev-mapper-centos\x2dswap.swap
12ms systemd-update-utmp.service
11ms systemd-fsck-root.service
11ms systemd-random-seed.service
11ms systemd-update-utmp-runlevel.service
7ms systemd-rfkill@rfkill0.service
6ms initrd-udevadm-cleanup-db.service
5ms sys-kernel-config.mount

# you can stop a service from starting at boot (disable), or block it from being started at all, even manually or as a dependency (mask)
[root@localhost ~]# systemctl disable [xxx.service]
[root@localhost ~]# systemctl mask [xxx.service]

# you can cancel the mask op
[root@localhost ~]# systemctl unmask [xxx.service]

#Apache

[root@localhost ~]# yum install -y httpd

# start /stop /restart Apache
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# systemctl stop httpd
[root@localhost ~]# systemctl restart httpd


[root@localhost ~]# ps -aux | grep httpd
root 1837 0.0 0.2 224084 5052 ? Ss 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1838 0.0 0.1 224084 2928 ? S 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1839 0.0 0.1 224084 2928 ? S 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1840 0.0 0.1 224084 2928 ? S 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1841 0.0 0.1 224084 2928 ? S 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1842 0.0 0.1 224084 2928 ? S 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
root 1857 0.0 0.0 112812 972 pts/0 S+ 21:33 0:00 grep --color=auto httpd

# reload the Apache config file
[root@localhost ~]# systemctl reload httpd

# status
[root@localhost ~]# systemctl status httpd

# start when boot
[root@localhost ~]# systemctl enable httpd
[root@localhost ~]# systemctl disable httpd
[root@localhost ~]# systemctl is-enabled httpd

# why are we unable to reach the web server on the CentOS virtual machine? the firewall!

# no ports are open in the firewall yet (the list below is empty)
[root@localhost ~]# firewall-cmd --list-ports

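# option 1 (quick test only): stop the firewall. This drops all packet filtering on the host;
# the unit stays enabled (see "Loaded: ... enabled" below), so it starts again at the next boot. Option 2 is the narrower fix.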
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sun 2021-03-14 21:40:35 CST; 9s ago
Docs: man:firewalld(1)
Process: 709 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 709 (code=exited, status=0/SUCCESS)

Mar 14 21:00:09 localhost.localdomain systemd[1]: Starting firewalld - dynami...
Mar 14 21:00:09 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Mar 14 21:00:10 localhost.localdomain firewalld[709]: WARNING: AllowZoneDrift...
Mar 14 21:40:33 localhost.localdomain systemd[1]: Stopping firewalld - dynami...
Mar 14 21:40:35 localhost.localdomain systemd[1]: Stopped firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.

# option 2: open a port for http services permanently
[root@localhost ~]# firewall-cmd --get-active-zones
public
interfaces: ens33
[root@localhost ~]# firewall-cmd --get-default-zone
public
[root@localhost ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
# --permanent only changes the saved configuration; reload to apply it to the running firewall immediately
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-ports
80/tcp

#check whether this port is open now
[root@localhost ~]# firewall-cmd --zone=public --query-port=80/tcp
yes

# in case you want to remove this port (follow with firewall-cmd --reload, as above, to apply it)
[root@localhost ~]# firewall-cmd --zone=public --remove-port=80/tcp --permanent

Apache configuration

[root@mos-computer mo]# ls /etc/httpd
[root@mos-computer mo]# ls /etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf
[root@mos-computer mo]# ls /var/www/html
[root@mos-computer mo]# ls /var/log/httpd/access_log
/var/log/httpd/access_log
[root@mos-computer mo]# ls /var/log/httpd/error_log
/var/log/httpd/error_log

# Some common directives: ServerRoot, Listen, User, ServerAdmin ... if you have no idea what one does, google it
[root@localhost ~]# echo "Welcome to Linux system" > /var/www/html/index.html
[root@localhost ~]# cat /var/www/html/index.html
Welcome to Linux system
# now open server to see what happened
[root@localhost ~]# mkdir /home/web
[root@localhost ~]# echo "New web directory" > /home/web/index.html
[root@localhost ~]# cat /home/web/index.html
New web directory
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

# modify the conf file as
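# A directive and its value are separated by whitespace (no colon), and the
# <Directory> opening tag is a plain tag, not a self-closing one.
DocumentRoot "/home/web"
<Directory "/home/web">
    # .htaccess files under this tree are not consulted
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>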
# now reload
[root@localhost ~]# systemctl reload httpd

# It seems nothing changed ... it's because of SElinux, let's learn it in the next section

SElinux (Security-Enhanced Linux)

# Mandatory Access Control
# some mechanisms: domain confinement and security contexts, which make SELinux work more like a safe

#Three config modes:
#enforcing: every access the policy does not allow is blocked
#permissive: accesses the policy does not allow are only logged as warnings, not blocked
#disabled: SELinux is off, no warnings and no blocking
[root@localhost ~]# se status
-bash: se: command not found
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
[root@localhost ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:passwd_file_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
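#view the config file (SELINUX= in it sets the mode used at boot; setenforce below only switches the running mode until the next reboot)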
[root@localhost ~]# vim /etc/selinux/config
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# setenforce 1
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# ls -Zd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
[root@localhost ~]# ls -Zd /home/web
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/web

#modify se management
[root@localhost ~]# semanage
-bash: semanage: command not found
[root@localhost ~]# yum provides semanage
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.cqu.edu.cn
* extras: mirrors.cqu.edu.cn
* updates: mirrors.cqu.edu.cn
base/7/x86_64/filelists_db | 7.2 MB 00:00
extras/7/x86_64/filelists_db | 226 kB 00:00
updates/7/x86_64/filelists_db | 3.4 MB 00:00
policycoreutils-python-2.5-34.el7.x86_64 : SELinux policy core python utilities
Repo : base
Matched from:
Filename : /usr/sbin/semanage
[root@localhost ~]# yum install policycoreutils-python

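# some useful args for semanage
# -l list, -a add, -m modify, -d delete.
# note: fcontext takes a regular expression, not a shell glob. The unquoted /home/web/* below is expanded by the
# shell before semanage sees it; the usual rule for a whole tree is the quoted pattern "/home/web(/.*)?"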
[root@localhost ~]# man semanage
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/web
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/web/*
[root@localhost ~]# restorecon -Rv /home/web
restorecon reset /home/web context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/web/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@localhost ~]# ls -Zd /home/web/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /home/web/
[root@localhost ~]# cat /home/web/index.html
New web directory

DHCP assigned IP and static IP

DHCP will assign your machine a dynamic IP address.
However you are able to change your machine's IP as a static one.
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@localhost ~]# systemctl restart network

#nmtui: Network Manager Text User Interface

# DNS, Gateway and other options

#the hosts config file on Windows: C:\Windows\System32\drivers\etc\hosts

Gateway ==> find it on your router, or run 'ipconfig' on your PC to see your IP settings
DNS server ==> could be your PC's IP, or the recommended Google DNS, 8.8.8.8

Servers

# Server, Virtual Host, VPS (Virtual Private Server), ECS (Elastic Computing Service, e.g. cloud)

# research: Github page + Hexo

# now we add two static IP addresses to server for study purpose
[root@localhost ~]# nmtui
[root@localhost ~]# systemctl restart network
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NM_CONTROLLED=yes
NAME=ens33
UUID=82b3a0c8-75e6-45b9-a813-304a9925a64f
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.0.120
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
DNS1=8.8.8.8
IPV6INIT=yes
USERCTL=no
PREFIX=24
# here
IPADDR1=192.168.0.10
PREFIX1=24
NETMASK1=255.255.255.0
IPADDR2=192.168.0.20
PREFIX2=24
NETMASK2=255.255.255.0

[root@localhost ~]# ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=1 ttl=64 time=0.046 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=64 time=0.112 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=64 time=0.057 ms
64 bytes from 192.168.0.10: icmp_seq=4 ttl=64 time=0.063 ms
64 bytes from 192.168.0.10: icmp_seq=5 ttl=64 time=0.124 ms
^C
--- 192.168.0.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.046/0.080/0.124/0.032 ms
[root@localhost ~]# ping 192.168.0.20
PING 192.168.0.20 (192.168.0.20) 56(84) bytes of data.
64 bytes from 192.168.0.20: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 192.168.0.20: icmp_seq=2 ttl=64 time=0.123 ms
64 bytes from 192.168.0.20: icmp_seq=3 ttl=64 time=0.116 ms
^C
--- 192.168.0.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.045/0.094/0.123/0.036 ms
[root@localhost ~]# ls /home/web
index.html
[root@localhost ~]# cat /home/web/index.html
New web directory
[root@localhost ~]# mkdir /home/web/10
[root@localhost ~]# mkdir /home/web/20
[root@localhost ~]# echo "IP: 192.168.0.10" > /home/web/10/index.html
[root@localhost ~]# echo "IP: 192.168.0.20" > /home/web/20/index.html
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
[root@localhost ~]# systemctl restart httpd


# add these into the Apache config file after "User apache Group apache"
# IP-based virtual hosts: each address gets its own document root.
<VirtualHost 192.168.0.10>
    ServerName www.linuxserver.com
    DocumentRoot /home/web/10
    <Directory /home/web/10>
        # open to every client; .htaccess files are not consulted
        Require all granted
        AllowOverride None
    </Directory>
</VirtualHost>

<VirtualHost 192.168.0.20>
    ServerName bbs.linuxserver.com
    DocumentRoot /home/web/20
    <Directory /home/web/20>
        # open to every client; .htaccess files are not consulted
        Require all granted
        AllowOverride None
    </Directory>
</VirtualHost>

# now go to 192.168.0.10 and 192.168.0.20 see if they show the correct content

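# if you have not set the security context yet, do it as shown in the previous section
# (semanage fcontext expects a quoted regular expression such as "/home/web(/.*)?"; the unquoted 10* and 20* below are shell globs)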
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/web/10
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/web/10*
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/web/20
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/web/20*
[root@localhost ~]# restorecon -Rv /home/web

# domain name based assignment (note: do these on client machine rather than on server!)
[mo@mos-computer ~]$ sudo vim /etc/hosts
# add ip address and corresponding domain name to it, then ping to see what happened
[mo@mos-computer ~]$ ping www.linuxserver.com
[mo@mos-computer ~]$ ping bbs.linuxserver.com

# back on the server, do the following
[root@localhost ~]# ls /home/web
10 20 index.html
[root@localhost ~]# mkdir /home/web/www
[root@localhost ~]# mkdir /home/web/bbs
[root@localhost ~]# echo "WWW.linuxserver.com" > /home/web/www/index.html
[root@localhost ~]# echo "BBS.linuxserver.com" > /home/web/bbs/index.html
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# rm -rf /home/web/10
[root@localhost ~]# rm -rf /home/web/20
[root@localhost ~]# ls /home/web/
bbs index.html www

# add these in httpd.conf
<VirtualHost 192.168.0.10>
DocumentRoot /home/web/www
ServerName www.linuxserver.com
<Directory /home/web/www>
AllowOverride None
Require all granted
</Directory>
</VirtualHost>

<VirtualHost 192.168.0.10>
DocumentRoot /home/web/bbs
ServerName bbs.linuxserver.com
<Directory /home/web/bbs>
AllowOverride None
Require all granted
</Directory>
</VirtualHost>

# remember to remove all content about '10' '20' in the config file
# now access www.linuxserver.com and bbs.linuxserver.com and see what happens

HTTPS

# default ports: HTTP 80, HTTPS 443; SSL: Secure Sockets Layer (the older protocol that TLS replaced), TLS: Transport Layer Security, CA: Certificate Authority

# Now we are going to set HTTPS for Apache server
[root@localhost ~]# firewall-cmd --zone=public --add-port=443/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-ports
80/tcp 443/tcp
[root@localhost ~]# yum install -y mod_ssl
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: ftp.twaren.net
base | 3.6 kB 00:00
extras | 2.9 kB 00:00
updates | 2.9 kB 00:00
updates/7/x86_64/primary_db | 6.5 MB 00:47
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-97.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
mod_ssl x86_64 1:2.4.6-97.el7.centos updates 114 k

Transaction Summary
================================================================================
Install 1 Package

Total download size: 114 k
Installed size: 224 k
Downloading packages:
mod_ssl-2.4.6-97.el7.centos.x86_64.rpm | 114 kB 00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:mod_ssl-2.4.6-97.el7.centos.x86_64 1/1
Verifying : 1:mod_ssl-2.4.6-97.el7.centos.x86_64 1/1

Installed:
mod_ssl.x86_64 1:2.4.6-97.el7.centos

Complete!
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# ls /etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/ssl.conf

# some config files for HTTPS certificate
[root@localhost ~]# ls /etc/pki/tls/private/localhost.key
[root@localhost ~]# ls /etc/pki/tls/certs/localhost.crt
/etc/pki/tls/certs/localhost.crt

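# Making a certificate: the commands below create a self-signed certificate, which browsers will flag as untrusted; that is fine for a lab
# Certificates can also be obtained from a CA such as StartSSL or CACERT (free); if you do this for start-up purposes, buy one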
[root@localhost ~]# cd /etc/httpd/
[root@localhost httpd]# mkdir pki
[root@localhost httpd]# cd pki
[root@localhost pki]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
...............................+++
e is 65537 (0x10001)
[root@localhost pki]# cat server.key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
[root@localhost pki]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Yunnan
Locality Name (eg, city) [Default City]:Kunming
Organization Name (eg, company) [Default Company Ltd]:Mo's Company
Organizational Unit Name (eg, section) []:Linux server
Common Name (eg, your name or your server's hostname) []:192.168.0.120
Email Address []:moshuheng922@google.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost pki]# cat server.csr
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
[root@localhost pki]# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=Yunnan/L=Kunming/O=Mo's Company/OU=Linux server/CN=192.168.0.120/emailAddress=moshuheng922@google.com
Getting Private key
[root@localhost pki]# cat server.crt
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
[root@localhost pki]# ls
server.crt server.csr server.key

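# now replace the original key and certificate provided by the OS
# (server.key is the private key: keep it readable by root only, e.g. chmod 600, and do not display or share its contents outside a lab)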
[root@localhost pki]# cp server.key /etc/pki/tls/private/
[root@localhost pki]# cp server.crt /etc/pki/tls/certs/
[root@localhost pki]# ls /etc/pki/tls/private/
localhost.key server.key

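# now configure the server certificate: add the following into the config file (conf.d/ssl.conf, edited below)
# if the file already sets these two directives, change the existing lines instead of adding duplicates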
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key

[root@localhost httpd]# ls
conf conf.d conf.modules.d logs modules pki run
[root@localhost httpd]# vim conf.d/ssl.conf
[root@localhost httpd]# systemctl restart httpd

Intro to DB: MariaDB (using MySQL)

[root@localhost ~]# yum install mariadb mariadb-server
[root@localhost ~]# systemctl start mariadb
[root@localhost ~]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@localhost ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

[root@localhost ~]# vim /etc/my.cnf
# add these into this file
character_set_server=utf8
init_connect='SET NAMES utf8'
[root@localhost ~]# systemctl restart mariadb

# log in
[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.68-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]> show variables like '%character_set%';
+--------------------------+----------------------------+
| Variable_name | Value |
+--------------------------+----------------------------+
| character_set_client | utf8 |
| character_set_connection | utf8 |
| character_set_database | utf8 |
| character_set_filesystem | binary |
| character_set_results | utf8 |
| character_set_server | utf8 |
| character_set_system | utf8 |
| character_sets_dir | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)

MariaDB [(none)]> Bye

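# to allow remote connections: run mysql_secure_installation again to reset the settings, then open the firewall
# (opening 3306/tcp in the public zone lets any host that can reach this server talk to MariaDB; skip this step if the database is only used locally)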
[root@localhost ~]# firewall-cmd --zone=public --add-port=3306/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success

# alternatives: firewall-cmd --zone=public --add-service=mysql --permanent

PHP and LAMP frame

# static page--> no data upload, dynamic page--> upload data/ interactive 

# LAMP frame: Linux, Apache, MySQL, PHP (LNMP , need Nginx)
[root@localhost ~]# yum install php
[root@localhost ~]# yum install php-mysql
# now test the php installation
[root@localhost ~]# vim /home/web/info.php
<?php
phpinfo();
?>
[root@localhost ~]# systemctl restart httpd

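# now access your server with ip+info.php at the end of the address and see what happens
# (phpinfo() shows versions, paths and configuration details to anyone who can load the page; delete info.php once the test is done)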

# some useful config file
[root@localhost ~]# vim /etc/php.ini
[root@localhost ~]# vim /etc/httpd/conf.d/php.conf
[root@localhost ~]# vim /etc/php.d/mysql.ini

A website: LAMP + WordPress

[mo@mos-computer hgfs]$ ls
batch tutorial
htop-2.2.0.tar.gz wordpress-5.4.zip
sogoupinyin-2.4.0.3469-2.x86_64.rpm youdao-dict_1.1.0-0-deepin_amd64.deb
sogoupinyin_2.4.0.3469_amd64.deb
[mo@mos-computer hgfs]$ scp wordpress-5.4.zip root@192.168.0.120:/root
wordpress-5.4.zip 100% 13MB 6.3MB/s 00:02
[root@localhost ~]# ls
anaconda-ks.cfg name.txt wordpress-5.4.zip
[root@localhost ~]# yum install unzip
[root@localhost ~]# unzip wordpress-5.4.zip
[root@localhost ~]# cp -r wordpress /home/web
[root@localhost ~]# cd /home/web
[root@localhost web]# cd wordpress/
[root@localhost wordpress]# ls
index.php wp-blog-header.php wp-includes wp-settings.php
license.txt wp-comments-post.php wp-links-opml.php wp-signup.php
readme.html wp-config-sample.php wp-load.php wp-trackback.php
wp-activate.php wp-content wp-login.php xmlrpc.php
wp-admin wp-cron.php wp-mail.php

# now access server with https://192.168.0.120/wordpress/wp-admin/setup-config.php
Your server is running PHP version 5.4.16 but WordPress 5.4 requires at least 5.6.20.

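# OK, fix this problem with the following commands
# (they add a third-party repository and replace the distribution's PHP packages; PHP 5.6 itself no longer receives security updates, so prefer a currently supported PHP release for a real site)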
rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum remove php-common -y
yum install -y php56w php56w-opcache php56w-xml php56w-mcrypt php56w-gd php56w-devel php56w-mysql php56w-intl php56w-mbstring
# reference: https://blog.csdn.net/qq_34829953/article/details/78078790
[root@localhost wordpress]# php -v
PHP 5.6.40 (cli) (built: Jan 12 2019 13:11:15)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
[root@localhost wordpress]# systemctl restart httpd

# go to https://192.168.0.120/wordpress/wp-admin/setup-config.php and you will see the following info

Welcome to WordPress. Before getting started, we need some information on the database. You will need to know the following items before proceeding.

Database name
Database username
Database password
Database host
Table prefix (if you want to run more than one WordPress in a single database)
We’re going to use this information to create a wp-config.php file. If for any reason this automatic file creation doesn’t work, don’t worry. All this does is fill in the database information to a configuration file. You may also simply open wp-config-sample.php in a text editor, fill in your information, and save it as wp-config.php. Need more help? We got it.

# now you will need to do these in MariaDB
[root@localhost wordpress]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.68-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database wordpress;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.00 sec)

MariaDB [(none)]> GRANT ALL on wordpress.* To 'mo'@'192.168.0.120' IDENTIFIED BY"mannersmakethman";
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]>

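# now go to the config file and change some settings
# (the password below is the sample from the GRANT statement above; choose your own strong password, and since wp-config.php stores it in clear text, keep the file from being readable by other users)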
[root@localhost wordpress]# cp wp-config-sample.php wp-config.php
[root@localhost wordpress]# vim wp-config.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'mo' );

/** MySQL database password */
define( 'DB_PASSWORD', 'mannersmakethman' );

/** MySQL hostname */
define( 'DB_HOST', '192.168.0.120' );

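# to connect to the database, we will need to change an SELinux boolean
# (httpd_can_network_connect lets httpd open any outbound network connection; httpd_can_network_connect_db, listed below, is the narrower boolean meant for database connections only)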
[root@localhost wordpress]# systemctl restart httpd
[root@localhost wordpress]# getenforce
Enforcing
[root@localhost wordpress]# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
[root@localhost wordpress]# setsebool -P httpd_can_network_connect=1

# ok now go to https://192.168.0.120/wordpress/wp-admin/setup-config.php and follow the installation steps. After the installation you will see the dashboard.

#https://192.168.0.120/wordpress/ will be the main site

# now you can do some search on how to set up your own personal/blog site.