
8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…

The many elements listed in this section are good to know for anyone who wants to master all aspects of configuring a GNU/Linux system. They are, however, treated only briefly here, and the details must be looked up in the documentation.

8.9.1. Timezone

The timezone, configured during initial installation, is a configuration item for the tzdata package. To modify it, use the dpkg-reconfigure tzdata command, which lets you choose the timezone interactively. Its configuration is stored in the /etc/timezone file. Additionally, /etc/localtime becomes a symbolic link to the corresponding file under /usr/share/zoneinfo/; that file contains the rules governing the dates on which daylight saving time (DST) is active, for countries that use it.
To change the timezone temporarily, use the TZ environment variable, which takes precedence over the default configuration:
$ date
Thu Sep  2 22:29:48 CEST 2021
$ TZ="Pacific/Honolulu" date
Thu 02 Sep 2021 10:31:01 AM HST

8.9.2. Time Synchronization

Time synchronization, which may seem superfluous on a single computer, is very important on a network. Since users do not have permission to modify the date and time, it is important for this information to be precise to prevent confusion. Furthermore, having all of the computers on a network synchronized allows better cross-referencing of information from logs on different machines. Thus, in the event of an attack, it is easier to reconstruct the chronological sequence of actions on the various machines involved in the compromise. Data collected on several machines for statistical purposes will not make much sense if their clocks are not synchronized.

8.9.2.1. For Workstations

Since workstations are regularly rebooted (if only to save energy), synchronizing them by NTP at boot is enough. To do so, simply install the ntpdate package. You can change the NTP server used, if needed, by modifying the /etc/default/ntpdate file.

8.9.2.2. For Servers

Servers are only rarely rebooted, and it is very important for their system time to be correct. To permanently maintain correct time, you would install a local NTP server, a service offered by the ntp package. In its default configuration, the server synchronizes with pool.ntp.org and answers requests coming from the local network. You can configure it by editing the /etc/ntp.conf file; the most common change is the NTP server to which it refers. If the network has many servers, it is worthwhile to have one local time server that synchronizes with the public servers and is used as the time source by the other machines on the network.
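A local time server that is reachable from the whole network should not also be a reflector for the rest of the Internet. The following is an added example, not from the Handbook: a hardened /etc/ntp.conf for the local time server described above, together with a small check that a given ntp.conf does not let arbitrary hosts query or reconfigure the daemon. The LAN 192.168.1.0/24 is a constructed assumption; the upstream pool is the Debian vendor zone of pool.ntp.org used by the package's default configuration.

```shell
#!/bin/sh
# Added example, not from the Debian Administrator's Handbook: write a hardened
# ntp.conf for a LAN time server and verify its default restrict policy.
# Assumptions: the local network is 192.168.1.0/24 (constructed).

# write_ntp_conf FILE: write the hardened configuration to FILE.
write_ntp_conf() {
    cat >"$1" <<'EOF'
driftfile /var/lib/ntp/ntp.drift

# Upstream time sources: the Debian vendor zone of pool.ntp.org.
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

# Default policy for every address not matched by a more specific line:
# still answer time requests, but forbid runtime modification (nomodify),
# traps (notrap), symmetric peering (nopeer) and mode 6/7 status queries
# (noquery), the kind of request abused for reflection/amplification attacks.
# "kod" and "limited" rate-limit abusive clients with kiss-o'-death packets.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

# The local host may query the daemon (ntpq -p) for monitoring.
restrict 127.0.0.1
restrict ::1

# The local network (constructed example) gets time and may query status,
# but still cannot reconfigure the daemon or peer with it.
restrict 192.168.1.0 mask 255.255.255.0 notrap nomodify nopeer
EOF
}

# check_ntp_restrict FILE: return 0 only if at least one "restrict ... default"
# line exists in FILE and every such line carries both noquery and nomodify.
check_ntp_restrict() {
    awk '
        $1 == "restrict" && ($2 == "default" || $3 == "default") {
            seen++
            if ($0 ~ /noquery/ && $0 ~ /nomodify/) ok++
        }
        END { exit !(seen > 0 && ok == seen) }
    ' "$1"
}

# Typical use on the server, once the file is in place:
#   write_ntp_conf /etc/ntp.conf && check_ntp_restrict /etc/ntp.conf \
#       && systemctl restart ntp && ntpq -p
```

Running check_ntp_restrict against an existing /etc/ntp.conf is a quick way to catch a configuration whose default policy was loosened (for example a bare restrict default kod) when the file was edited to point at a different upstream server.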

8.9.3. Rotating Log Files

Log files can grow, fast, and it is necessary to archive them. The most common scheme is a rotating archive: the log file is regularly archived, and only the latest X archives are kept. logrotate, the program responsible for these rotations, follows directives given in the /etc/logrotate.conf file and in all of the files in the /etc/logrotate.d/ directory. The administrator may modify these files if they wish to adapt the log rotation policy defined by Debian. The logrotate(1) manual page describes all of the options available in these configuration files. You may want to increase the number of files retained in log rotation, or move the log files to a specific directory dedicated to archiving them rather than deleting them. You could also send them by e-mail to archive them elsewhere.
The logrotate program is executed daily by the cron scheduling program (described in Section 9.7, “Scheduling Tasks with cron and atd”); on a system booted with systemd, the same daily run is triggered by the logrotate.timer unit instead, which systemctl list-timers will show.
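The three adjustments the text mentions (keeping more archives, moving them to a dedicated directory, mailing them elsewhere) map directly onto logrotate directives. The following is an added example, not from the Handbook or the logrotate project: a drop-in for a constructed application log, /var/log/myapp/myapp.log, written under /etc/logrotate.d/. The log path, the mail address logs@example.com and the myapp.service unit are placeholders.

```shell
#!/bin/sh
# Added example, not from the Debian Administrator's Handbook: a logrotate
# policy for a hypothetical application log that keeps 14 archives, moves them
# to a separate directory instead of deleting them, mails each archive before
# it is discarded, and recreates the log without world-read permission.
# Placeholders: the log directory (argument), logs@example.com, myapp.service.

# write_logrotate_conf CONF LOGDIR: write the policy for LOGDIR/myapp.log to CONF.
# In logrotate files a comment must start the line; trailing comments are not allowed.
write_logrotate_conf() {
    conf=$1
    logdir=$2
    cat >"$conf" <<EOF
$logdir/myapp.log {
    daily
    # Keep 14 archives (the Debian-wide default in /etc/logrotate.conf is 4).
    rotate 14
    missingok
    notifempty
    # Compress, but leave the newest archive uncompressed so it can still be tailed.
    compress
    delaycompress
    # Date-stamped names (myapp.log-20210902) instead of .1, .2, ...
    dateext
    # Move archives into a subdirectory instead of deleting them in place;
    # logrotate creates it with restrictive permissions if it is missing.
    olddir $logdir/archive
    createolddir 0750 root adm
    # Recreate the log readable by root and the adm group only.
    create 0640 root adm
    # Mail the archive that is about to expire to the log collector.
    mail logs@example.com
    maillast
    # logrotate refuses to rotate inside a directory writable by a non-root
    # group unless told which identity to use; adm owns $logdir here.
    su root adm
    sharedscripts
    postrotate
        systemctl kill -s HUP myapp.service 2>/dev/null || true
    endscript
}
EOF
}

# logrotate_dry_run CONF STATE: ask logrotate what it would do, without touching
# any file. Returns 0 and prints a notice on hosts without the logrotate binary.
logrotate_dry_run() {
    command -v logrotate >/dev/null 2>&1 || {
        echo "logrotate not installed; skipping dry run" >&2
        return 0
    }
    logrotate -d -s "$2" "$1"
}

# Typical use on the host:
#   write_logrotate_conf /etc/logrotate.d/myapp /var/log/myapp
#   logrotate_dry_run /etc/logrotate.d/myapp /var/lib/logrotate/status
```

The dry run (logrotate -d) is worth keeping in the habit: it reports the "insecure permissions" refusal that the su directive addresses, and shows which archive would be mailed, before anything is rotated for real.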

8.9.4. Sharing Administrator Rights

Frequently, several administrators work on the same server. Sharing the root password is not very elegant, and it opens the door to abuse because of the anonymity such sharing creates. The solution to this problem is the sudo program, which allows certain users to execute certain commands with special rights. In the most common use case, sudo allows a trusted user to execute any command as root. To do so, the user simply runs sudo command and authenticates with their personal password.
When installed, the sudo package gives full root rights to members of the sudo Unix group. To delegate other rights, the administrator can use the visudo command, which lets them modify the /etc/sudoers configuration file (here again, this invokes the vi editor, or any other editor named in the EDITOR environment variable) and refuses to save a file with a syntax error, which would otherwise lock everyone out of sudo. Alternatively they can put rules in small files in /etc/sudoers.d/, as long as this directory is included by /etc/sudoers via @includedir /etc/sudoers.d, which is the default for Debian. Two rules apply to that directory: files whose name contains a “.” or ends in “~” are silently ignored (so an editor backup or a name like ops.conf has no effect), and the files must be mode 0440 and owned by root. Use visudo -f /etc/sudoers.d/name to edit one with the same syntax check. Adding a line with username ALL=(ALL) ALL allows the user in question to execute any command as root.
More sophisticated configurations allow authorization of only specific commands to specific users. Keep in mind that such a restriction only holds if the permitted command cannot itself spawn a shell: editors, pagers and anything with a shell escape hand over full root regardless of the rule, so prefer sudoedit for editing files and the NOEXEC tag for pagers and similar tools. All the details of the various possibilities are given in the sudoers(5) manual page.
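The following is an added example, not from the Handbook or the sudo project, showing a restricted rule of the kind the previous paragraph describes: members of a hypothetical webops group may manage nginx as root and read one of its logs, and nothing else. The helper installs the drop-in under /etc/sudoers.d/ while respecting the file-name and mode rules, and syntax-checks it with visudo before it goes live. The group name, the log path and the command paths (which must match what command -v systemctl resolves to on the target host) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Debian Administrator's Handbook: a restricted
# sudoers drop-in for a hypothetical "webops" group, installed safely.

# Contents of the drop-in.
sudoers_webops() {
    cat <<'EOF'
# Commands this rule may run; an alias keeps the user specification readable.
Cmnd_Alias WEB_SERVICE = /usr/bin/systemctl restart nginx, \
                         /usr/bin/systemctl reload nginx, \
                         /usr/bin/systemctl status nginx

# Run through a pseudo-terminal so the session can be logged and the child
# cannot inject input into the caller's terminal.
Defaults:%webops use_pty

# NOEXEC stops the pager from spawning a shell (":!sh"-style escapes), which
# would otherwise turn "read a log as root" into "full root".
%webops ALL=(root) WEB_SERVICE, NOEXEC: /usr/bin/less /var/log/nginx/error.log

# The blanket rule from the text gives unrestricted root; reserve it for
# individually named break-glass accounts, never for a wide group.
# alice ALL=(ALL) ALL
EOF
}

# check_dropin_name NAME: sudoers ignores files in sudoers.d whose name contains
# a "." or ends in "~" (editor backups), so "webops.conf" would silently do nothing.
check_dropin_name() {
    case $1 in
        *.*|*~|"") return 1 ;;
        *) return 0 ;;
    esac
}

# install_dropin DIR NAME: write the rule to a dotted temporary file (ignored by
# sudo until renamed), set mode 0440, syntax-check it with visudo when available,
# and only then move it into place atomically.
install_dropin() {
    dir=$1
    name=$2
    check_dropin_name "$name" || { echo "refusing name '$name'" >&2; return 1; }
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    sudoers_webops >"$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dir/$name"
}

# Typical use on the host:  install_dropin /etc/sudoers.d webops
# Afterwards a member can verify the grant with:  sudo -l
```

sudo -l, run by a member of the group, lists exactly the commands the rule grants; if it shows (ALL) ALL the user is also in the sudo group and the restriction is moot.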

8.9.5. List of Mount Points

The /etc/fstab file gives a list of all possible mounts that happen either automatically on boot or manually for removable storage devices. Each mount point is described by a line with several space-separated fields:
  • file system: this indicates where the filesystem to be mounted can be found, it can be a local device (hard drive partition, CD-ROM) or a remote filesystem (such as NFS or even SSHFS).
    This field is frequently replaced with the unique ID of the filesystem (which you can determine with blkid device) prefixed with UUID=. This guards against a change in the name of the device in the event of addition or removal of disks, or if disks are detected in a different order. Section 8.8.1, “Identifying Disks” covers this topic in more detail.
  • mount point: this is the location on the local filesystem where the device, remote system, or partition will be mounted.
  • type: this field defines the filesystem used on the mounted device. ext4, ext3, vfat, ntfs, btrfs, xfs are a few examples.
    A complete list of known filesystems is available in the mount(8) manual page. The swap special value is for swap partitions; the auto special value tells the mount program to automatically detect the filesystem (which is especially useful for disk readers and USB keys, since each one might have a different filesystem);
  • options: there are many of them, depending on the filesystem, and they are documented in the mount manual page. The most common are
    • rw or ro, meaning, respectively, that the device will be mounted with read/write or read-only permissions.
    • noauto deactivates automatic mounting on boot.
    • nofail allows the boot to proceed even when the device is not present. Make sure to put this option for external drives that might be unplugged when you boot, because systemd really ensures that all mount points that must be automatically mounted are actually mounted before letting the boot process continue to its end. Note that you can combine this with x-systemd.device-timeout=5s to tell systemd not to wait more than 5 seconds for the device to appear (see systemd.mount(5)).
    • user authorizes all users to mount the filesystem (which would otherwise be restricted to the root user). As documented in mount(8), user also implies noexec, nosuid and nodev, since the contents of a user-mounted medium are not under the administrator's control; a later exec, suid or dev option in the same list re-enables them, so check the order of options when reviewing such a line.
    • defaults means the group of default options: rw, suid, dev, exec, auto, nouser and async, each of which can be individually disabled after defaults by adding nosuid, nodev and so on to block suid, dev and so on. Adding the user option reactivates it, since defaults includes nouser.
  • dump: this field is almost always set to 0 and is something of a relic. When it is greater than zero, it tells the dump tool that the partition contains data that is to be backed up frequently. The tool supports Ext2/3/4 filesystems only and will use the value here when run via dump -W or dump -w to determine which partitions need to be backed up. Consider the examples in /usr/share/doc/dump/examples/ if you want to use this feature. But there are better alternatives to back up a filesystem, like fsarchiver.
  • pass: this last field indicates whether the integrity of the filesystem should be checked on boot, and in which order this check should be executed. If it is 0, no check is conducted. The root filesystem should have the value 1, while other permanent filesystems get the value 2.

Example 8.5. Example /etc/fstab file

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system>                           <mount point>   <type>      <options>         <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=7a250fb8-c16d-4a4e-9808-ec08ae92b6c6 /               ext4        errors=remount-ro 0       1
# swap was on /dev/sda5 during installation
UUID=13f367ae-dbaf-40ed-85c0-4072a2ebe426 none            swap        sw                0       0
/dev/sr0                                  /media/cdrom0   udf,iso9660 user,noauto       0       0
/dev/fd0                                  /media/floppy   auto        rw,user,noauto    0       0
arrakis:/shared                           /shared         nfs         defaults          0       0
The last entry in the example corresponds to a network filesystem (NFS): the /shared/ directory on the arrakis server is mounted at /shared/ on the local machine.
The format of the /etc/fstab file is documented in the fstab(5) manual page.
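The options field is where most of the security content of fstab lives, and it is easy to get wrong by hand: defaults re-enables suid, dev and exec, user silently disables them, and a network share mounted with defaults will happily honour setuid binaries created on the server. The following is an added example, not from the Handbook: a small auditor that reads an fstab, expands defaults, applies the mount(8) rule that user implies noexec,nosuid,nodev unless a later option overrides it, and reports mounts that should carry nosuid and nodev (and noexec for scratch directories such as /tmp) but do not. The sets of "risky" types and paths are the author's assumptions, chosen to match the discussion above; run against Example 8.5 it flags only the NFS line.

```shell
#!/bin/sh
# Added example, not from the Debian Administrator's Handbook: audit an fstab
# for user-mountable, removable and network mounts lacking nosuid/nodev, and for
# scratch directories lacking noexec as well. The classification rules below are
# assumptions made for this example.

# audit_fstab FILE: print one "WARN <mountpoint> (<type>): add <options>" line per
# finding; return 1 if anything was reported, 0 otherwise.
audit_fstab() {
    awk '
    # Reduce one option list to the suid/dev/exec/user flags that matter here.
    function effective(opts,    n, i, o, suid, dev, exec, user) {
        # Kernel defaults: suid, dev and exec are all allowed, user is not.
        suid = 1; dev = 1; exec = 1; user = 0
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] == "defaults")                     { suid = 1; dev = 1; exec = 1; user = 0 }
            else if (o[i] == "user" || o[i] == "users") { user = 1; suid = 0; dev = 0; exec = 0 }
            else if (o[i] == "nouser")                  { user = 0 }
            else if (o[i] == "suid")                    { suid = 1 }
            else if (o[i] == "nosuid")                  { suid = 0 }
            else if (o[i] == "dev")                     { dev = 1 }
            else if (o[i] == "nodev")                   { dev = 0 }
            else if (o[i] == "exec")                    { exec = 1 }
            else if (o[i] == "noexec")                  { exec = 0 }
        }
        return suid "," dev "," exec "," user
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    NF < 4 { next }                              # malformed line, ignore
    {
        mp = $2; type = $3; opts = $4
        if (type == "swap" || mp == "/") next    # root must allow suid/dev/exec
        split(effective(opts), f, ",")
        suid = f[1] + 0; dev = f[2] + 0; exec = f[3] + 0; user = f[4] + 0
        # Media an ordinary user can mount, removable media and network shares
        # carry content the administrator does not control: never honour
        # setuid bits or device nodes found on them.
        risky = (user || type == "nfs" || type == "nfs4" || type == "cifs" \
                 || mp ~ /^\/media\// || mp ~ /^\/mnt\//)
        # World-writable scratch space should additionally not be executable.
        scratch = (mp == "/tmp" || mp == "/var/tmp" || mp == "/dev/shm")
        missing = ""
        if ((risky || scratch) && suid) missing = missing " nosuid"
        if ((risky || scratch) && dev)  missing = missing " nodev"
        if (scratch && exec)            missing = missing " noexec"
        if (missing != "") { printf "WARN %s (%s): add%s\n", mp, type, missing; bad++ }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Typical use:  audit_fstab /etc/fstab
# After fixing a line, "mount -o remount /shared" applies it without a reboot and
# "findmnt -o TARGET,FSTYPE,OPTIONS /shared" shows the options now in effect.
```

On Example 8.5 the two user,noauto lines for the CD-ROM and floppy come out clean because user already implies nosuid and nodev, while arrakis:/shared mounted with defaults is reported and should become nosuid,nodev. One caveat for the noexec recommendation on /tmp: some installers and package maintainer scripts unpack and run helpers there, so test it on a representative host before rolling it out.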

8.9.6. locate and updatedb

The locate command can find the location of a file when you only know part of the name. It sends a result almost instantaneously, since it consults a database that stores the location of all the files on the system; this database is updated daily by the updatedb command. There are multiple implementations of the locate command and Debian picked mlocate for its standard system. If you want to consider an alternative, you can try plocate which provides the same command line options and can be considered a drop-in replacement.
locate is smart enough to only return files which are accessible to the user running the command, even though it uses a database that knows about all files on the system (since its updatedb implementation runs with root rights). For extra safety, the administrator can use PRUNEPATHS in /etc/updatedb.conf to exclude some directories from being indexed, so that their file names never reach the database in the first place.