is a stream editor used to perform basic text transformations on an input
stream (file or pipe). sed
reads one line at a time, chops off
the terminating newline, puts what is left into the pattern space (buffer)
where ~
script can process it. Then, if there is anything
to print, it appends a newline and prints out the result (usually to stdout).
sed
[options] '
editing_cmds'
[file_list]
For backward compatibility with old scripts sed
uses BRE
by default. If you want ERE, specify -r
option. See
regex (regular expressions).
If no -e
, --expression
, -f
,
--file
options are given, then the first non-option arg is
taken as ~
script to interpret. All remaining args are the names
of the input files. If no input files are specified, stdin is read.
sed -n '/^[^#]/p' squid.conf > squid2.conf
remove comments from squid.conf (i.e. all lines beginning with #), and create a compact version (squid2.conf) of this config file (the original file is not changed);
sed 's/<prog>/<code>/g' man01.html > man02.html
replace all <prog> tags with
<code> tags in man01.html, save modified
version to man02.html (the initial file is not changed);
mind g
after the last slash:
without it only first match in each line is processed;
sed 's/<\/prog>/<\/code>/g' man02.html > man03.html
replace all </prog> tags with </code> tags in man02.html, save modified version to man03.html (the initial file is not changed);
The following big example converts a file of strings (summary.txt) that look like (each line is exactly 15 fields separated with TABs)
a322 1 A 163.840 1983.140 18080.360 2135.080 15.840 0.000 0.000 0.000 0.000 3174.630 60014.230 685.040 a327 3 N 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 a518 5 A NULL NULL NULL NULL NULL NULL NULL NULL 147100.730 144224.250 134254.820 9785.050
into an SQL script (summ_ins.sql) containing a sequence of SQL stmts:
INSERT INTO summary VALUES ( 'a518',5,'A',NULL,NULL,NULL,NULL,NULL, NULL,NULL,NULL,147100.730,144224.250, 134254.820,9785.050); ...
One simple way to perform this conversion may look like this:
sed "s/^[a-z]*[0-9]*/'&'/g" summary.txt > summ2.txt
put the first field in quotes (it starts with one or more letters followed by one or more digits);
sed "s/[A-Z]/'&'/" summ2.txt > summ3.txt
put the third field in quotes (it can only have a single
letter); note that due to missing g
, processing stops after the
first match, and any possible NULL words are not touched;
sed 's/\t/,/g' summ3.txt > summ4.txt
replace TABs with commas;
sed 's/.*/INSERT INTO summary VALUES (&);/' summ4.txt > summ_ins.sql
add all required SQL words and make it a valid SQL script; note that & in this and in the following example specifies where to put the whole content of the source line;
Other examples:
sed 's/.*<td>.*$/&@home.net<\/td><\/tr>/' file1.html > file2.html
add text @home.net</td></tr> to the end of each line containing HTML tag <td>; save modified file as file2.html;
sed '2 d' manual.txt
delete the 2nd line from manual.txt and send a modified version of this file to stdout (the initial file is not changed, all modifications are applied to the output stream only);
sed '3 s/any/some' manual.txt
replace any with some in the 3rd line of manual.txt and send a modified version of this file to stdout;
sed -e '1,10d' test.sh
delete the first 10 lines of test.sh and send the rest to stdout;
sed -e '11,$d' test.sh
print the first 10 lines of test.sh, delete the rest;
sed -n -e '1,7p' messages.txt
print the first 7 lines of messages.txt;
sed -e '7q'
print the first 7 lines of messages.txt;
sed -e '1,4d' -e '22,36' history.txt
delete lines 1-4 and 22-36 from history.txt and send the modified version to stdout;
sed -e '/debug/d' < log.txt
delete all lines containing word debug from the file log.txt and send the modified vesion to stdout;
sed -f prog1.sed < mesg1
use script prog1.sed to process the file mesg1;
prog1.sed: ---------- 10i\ This is 9th (insert a str before line #10) 10a\ This is 11th (insert a str after line #10) $a\ This is eof; (append the str to the eof)
sed -r 's/\s+$//' fc_upd.lst > fc_upd2.lst
remove trailing spaces and save edited lines to a new file;
sed 's/r\.php?\([0-9]*\)/mfchlp\1.html/'
mfchelp2.html > mfc02.html
for each line in mfchelp2.html substitute the part of the string that looks like <a href="r.php?XX"> with <a href="mfchelpXX.html"> and save the edited lines to a new file (mfc02.html);
sed 's/H:.*OG32[\]/\/\/SRV3\/USER\//' list.txt
for each line in the file list.txt substitute the substring that looks like H:\PROG32\ with //SRV3/USER/;
sed 's/.*/CREATE ROLE & IDENTIFIED BY pass;/'
roles.txt > roles.sql
convert a list of words (roles.txt) to an SQL script that can be used to create Oracle database roles with the corresponding names;
echo 1234567 | sed -n 's/^\(..\)\(.*\)/\1/p'
cut out the first two digits from '1234567' (the result is '12');
echo 1234567 | sed -n 's/^\(...\)\(.*\)/\2\1/p'
move the first three digits to the end (the result is '4567123');
count=`ifconfig eth1 |
sed -n 's/.*RX bytes://p' |
sed -n 's/\s.*//p'`
echo $count
fetch the number of the received bytes (RX) from
ifconfig
;
Apply substitution to the lines matching regexp:
the black cat was chased by the brown dog the black cat was often chased by the brown dog
sed -e '/often/s/black/white/g' file1.txt
the black cat was chased by the brown dog the white cat was often chased by the brown dog
Options
--help
--version
-n
, --quiet
suppress automatic printing of pattern space;
-e
script,
--expression=
script
add the specified script to the commands to be executed;
-f
script_file,
--file=
script_file
add contents of the script file to the cmds to be executed;
-i
[suffix],
--in-place
[=
suffix]
edit files in place (make backup if extension is supplied);
-l
length,
--line-length=
length
set the desired line-wrap length for the 'l
' cmd;
-r
, --regexp-extended
use extended regexp in the script;
-s
, --separate
consider files as separate, rather than as a single continuous long stream;
-u
, --unbuffered
load the minimal amounts of data from the input files and flush the output buffers more often;
Commands
Simple command = pattern + action. If no pattern is given, the action is applied to all lines, otherwise it is applied only to lines matching the pattern. General syntax for a command is:
[addr1[,addr2]] function [args]
If no address is given, a cmd is applied to all lines. If 1 address is given, then it is applied to all pattern spaces that match that address. If 2 addresses are given, then it is applied to all from addr1 to addr2 (including addr1 and addr2 themselves). Addresses may be line numbers or patterns. If patterns, then the substitution is applied to groups of lines from addr1 to the first match of addr2. If there are several groups like that in one file, they all will be affected. There are following cmds (first column is the number of args):
1 | ! cmd |
exec cmd only if the line has no matches; |
0 | # com |
comment; |
0 | : label |
label for b and t cmds; |
1 | = |
print the current line number; |
2 | D |
delete first part of the pattern space; |
2 | G |
append contents of the hold area; |
2 | H |
append pattern space on buffer; |
2 | N |
append next line; |
2 | P |
print first part of the pattern space; |
1 | a |
append text; |
2 | b label |
branch to a label; |
2 | c |
change lines; |
2 | d |
delete lines; |
2 | g |
get contents of the hold area; |
2 | h |
hold pattern space (in a hold buffer); |
1 | i |
insert lines; |
2 | l |
list lines; |
2 | n |
next line; |
2 | p |
print; |
1 | q |
quit ~ script, print only current pattern space, if auto-print is enabled; |
1 | Q |
quit immediately; |
1 | r file |
append text from a file; |
2 | t label |
test substitutions and branch on success; |
1 | w file |
write to a file; |
2 | x |
exchange buffer space with pattern space; |
2 | { |
group commands; |
2 | s/regexp/replacement/ [flags] |
substitute; |
2 | y/list1/list2/ |
translate list1 into list2; |
~
processes input line by line and does not keep large file
in memory, so expressions like $-10 have no sense, because
$ is unknown until the EOF is reached.
displays or manipulates the disk partition tables. It has 4 main uses:
- List the size of a partition.
- List the partitions on a device.
- Check the partitions on a device.
- Repartition a device (this is unsafe and must be done with care).
sfdisk
is supposed to be used in scripts. Starting with version
2.26 it supports GPT (GUID Partition Table), but does not provide functionality
for CHS (Cylinder-Head-Sector) addressing anymore.
sfdisk -s
show the sizes of all disks;
sfdisk -s /dev/sda2
show the size (in blocks) of the specified disk partition (/dev/sda2);
sfdisk -l /dev/sda
show (list) partition table of the first IDE drive (/dev/sda);
sfdisk -l
list partitions (show partition tables) of all HDDs;
sfdisk -g /dev/hda
show the geometry of /dev/hda;
sfdisk -V /dev/sdc
perform consistency checks to the partition tables on /dev/sdc;
sfdisk -d /dev/sda > sda.pt
save the partition table of /dev/sda to the file sda.pt;
sfdisk /dev/sda < sda.pt
create the partition table based on the data from sda.pt file (see man page for the format description);
sfdisk --print-id /dev/sda 2
show the ID (the type) of the partition 2 on /dev/sda;
sfdisk --change-id /dev/sda 2 83
change the ID of the partition 2 on /dev/sda to 83;
sfdisk
[options] [device]
sfdisk -s
[partition]
Options
-?
--help
-v
--version
-A n |
make the specified partition active, and all others inactive; |
-C n |
specify the number of cylinders (possibly overriding the kernel's idea of this parameter); |
-c
n,
--id
n
show the partition Id (the partition type);
-c
n id,
--id
n id
change the partition Id;
-D
, --DOS
(for DOS-compatibility) if a partition cannot contain
sector 0, e.g. because that is MBR, or contains the partition table of
an extended partition, then ~
would make it start the next
sector; however, when this option is given it skips to the start of the next
track, wasting some space;
-d |
dump partitions of the specified device in ~ special format; |
-E
, --DOS-extended
take the starting sector numbers of "inner" extended partitions to be relative to the starting cylinder boundary of the outer one (like some versions of DOS do), rather than to the starting sector (like Linux does); it means that extended partitions should start at cylinder boundaries if DOS and Linux should interpret partition table in the same way;
-f
, --force
do what is requested;
-g
, --show-geometry
show the kernel’s idea of the disk's geometry;
-H n |
specify the number of heads (possibly overriding the kernel's idea of it); |
-IBM
, --leave-last
do not allocate the last cylinder (some IBM diagnostic programs use the last cylinder for disk testing; in some cases it contains a bad sector table);
-I
file
restore the old (initial) disk state, if you earlier
preserved it using -O
option;
-i |
number cylinders (etc) starting from 1 instead of 0; |
-L
, --Linux
don't complain about things irrelevant for Linux;
-l
, --list
list the partitions;
-N n |
change only the single partition indicated; |
-n |
go through all steps, but do not actually write to disk; |
-O
file
before writing the new partition, save the sectors that are going to be overwritten in the specified file (that resides on another disk);
-q
, --quiet
suppress warning messages;
-R |
only execute the BLKRRPART ioctl to make
the kernel re-read the partition table; this is useful for checking
in advance that the final BLKRRPART will be successful,
and also when you changed the partition table by hand (e.g., using
dd from a backup); if kernel
complains ('device busy for revalidation (usage = 2)')
then something still uses the device, and you still have to unmount some
file system, or to say swapoff to some
swap partition; |
-S n |
specify the number of sectors (possibly overriding the kernel's idea of this parameter); |
-s
, --show-size
list the size of a partition;
-T
, --list-types
print the recognized types (system Id’s);
-u c |
accept/report values in the specified units, where c is one of: S (sectors), B (blocks), C (cylinders), M (megabytes); the default is cylinders; |
-V
, --verify
test whether the partitions seem correct;
-x
, --show-extended
list also non-primary extended partitions on output, and expect descriptors for them on input;
--no-reread
when starting a repartitioning, ~
checks
that disk is not mounted, or used as a swap device, and refuses to continue
if the check fails; this option suppresses the test;
queries the mount daemon on a remote host for info about the state of the NFS server on that machine.
/usr/sbin/showmount
[options] [host]
Without options ~
lists the set of clients who are mounting
from that host. ~
sorts output and removes duplicate entries.
/usr/sbin/showmount -e srv2
display export list of srv2 (assuming it's a NFS server);
Options
-h
--help
-v
--version
-a
, --all
list both client hostname and mounted dir;
-d
, --directories
list only dirs mounted by some client;
-e
, --exports
show the NFS server’s export list;
--no-headers
suppress the descriptive headings;
(halt, reboot, poweroff, suspend, hibernate)
With introduction of systemd, the old cmds were replaced by
systemctl
. They are still available [for backward compatibility]
but not recommended.
Old | New | Description |
---|---|---|
halt |
systemctl halt |
halts the system |
poweroff |
systemctl poweroff |
powers off the system |
reboot |
systemctl reboot |
restarts the system |
pm-suspend |
systemctl suspend |
suspends the system |
pm-hibernate |
systemctl hibernate |
hibernates the system |
pm-suspend-hybrid |
systemctl hybrid-sleep |
hibernates and suspends the system |
The old shutdown
description is left FYI.
The [new] shutdown
cmd calls the systemctl
utility to
perform the shutdown. However, it still accepts a time argument and allow to cancel
the shutdown.
You need superuser privs to exec the following cmds!
systemctl reboot
restart the system (no delay);
systemctl --no-wall reboot
restart the system (no delay), do not send warning messages to users (logged in);
systemctl halt
shut down the system but do not power off the computer (starting immediately);
systemctl poweroff
shut down the system and power off the computer (starting immediately);
systemctl --no-wall poweroff
shut down the system and power off the computer, do not send warning messages to users (logged in);
shutdown --halt +5
shut down the system in 5 minutes from now, but do not power off the computer;
shutdown --poweroff 17:30
shut down the system and power off the computer at the specified time;
shutdown -c
cancel a pending shutdown (assuming the timeout is not over yet);
Suspend / hibernate
There is suspend aka Suspend To RAM (STR), aka sleep mode. And there is hibernate aka Suspend To Disk (STD).
Shortly speaking, suspend is good, hibernate is bad! (especially if your system is on SSD). I'm gonna skip the discussion, there is a lot on Internet. And, to be honest, I never use hibernate, and I don't need it at all!
As to suspend, for laptop it's simple: you close the lid - suspend; you open the lid - resume (wake up from suspend). Desktops in GUI mode usually have menu item with "Suspend" (see power off menu at the top/bottom right side of the bar). And it (desktop) wakes up from suspend (at least, it must!) when you press some key on the keyboard or move your mouse. Alternatively, you can suspend your system by executing (as superuser):
systemctl suspend
And, at your risk, considering above warning, you can put your system into STD mode, i.e. hibernate, with the following cmd:
systemctl hibernate
There is also a hybrid sleep (or hybrid suspend) mode when your computer does both STR and STD at the same time. In most cases you will get the normal fast resume from sleep, but if there was a power loss (or battery depletion) during sleep, you will get not so fast resume from STD. It's convenient, and it's supposed to be more reliable than STR, but it's still not good for SSD. Anyway, if you want it:
systemctl hybrid-sleep
Shutdown (old, deprecated)
brings the system down safely; all logged-in users are notified, and within the last 5 minutes of time new logins are forbidden.
/sbin/shutdown
[options] time [msg]
The time arg can be an absolute time (hh:mm, 24h clock
format), relative time (+
m, which means m
minutes from now), now
, which is equivalent to +0
.
By default it's +1
(1 minute).
Pay attention to subtle differences in terminology: shutdown means termination of running apps and system services (daemons), halt means executing CPU halt cmd, power off means turning off power supply.
shutdown -h now
shutdown system immediately;
shutdown -h +5
start shutdown procedure in 5 min from now;
shutdown -h 20:00 "System stops at 20:00."
shutdown system at 20:00;
shutdown -r now
reboot system immediately;
shutdown -P now
shutdown and power off immediately;
shutdown -H +15
shutdown and halt system in 15 minutes from now;;
shutdown -c
cancel shutdown in progress;
Options
--help
-c |
cancel a pending shutdown; |
-h |
same as --poweroff ,
unless --halt is specified; |
-H |
halt the machine (--halt ); |
-k |
do not shutdown, just send warning msgs to everybody; |
-P |
power off the machine (default) (--poweroff ); |
-r |
reboot after shutdown (--reboot ); |
--no-wall
no messages before halt,
power-off, reboot;
delays for a specified amount of time. By default, n is
the number of seconds (can be non-integer), but suffix can
change the measure to minutes (m
), hours (h
),
days (d
).
sleep 5
delay for 5 seconds;
sleep 5s
delay for 5 seconds;
sleep 0.25m
delay for 15 seconds;
sleep
n[suffix]
Options
--help
--version
provides a secure way to index/search for files on the system.
slocate
[options] search_string
~
is a security enhanced version of GNU locate
and uses incremental encoding to compress its database to make searching
faster. However, unlike locate
, it will also store file
permissions and ownership so that users cannot see files they are not
allowed to see.
slocate -l 1 -U /usr --output=sloc-usr.db
create a secure slocate database for /usr directory;
slocate -i -d /usr mplayer
run the case insensitive search for mplayer using slocate database for /usr dir;
Options
-h
--help
-V
--version
-v
--verbose
-c |
parse /etc/updatedb.conf when updating ~ database; |
-d
path,
--database=
path
the path of db to search in;
-e dir1,dir2,...
exclude the specified dirs from db;
-f fstype1,...
exclude files on the filesystems of the specified types from db;
-i |
run a case insensitive search; |
-l n |
set security level: 0 turns security checks off and makes the search faster, 1 turns security checks on (default); |
-n m |
limit the amount of results shown to m; |
-o
file,
--output=
file
the database to create;
-q |
quiet mode, suppress error messages; |
-r
exp,
--regexp=
exp
search db using a basic POSIX regexp;
-U
dir
create ~
database starting at dir;
-u |
create ~
database starting at '/'; |
is the part of the smartmontools package which also includes smartd (SMART Disk Monitoring Daemon). S.M.A.R.T. means the Self-Monitoring, Analysis and Reporting Technology, and it is invisibly present in the majority of HDDs and SSDs.
You cannot get SMART data without daemon! Handle it as usually:
sudo systemctl status smartd
sudo systemctl start smartd
sudo systemctl stop smartd
To force this daemon to start auto at system startup, open config file /etc/defaults/smartmontools and uncomment the start_smartd line:
#start_smartd=yes #smartd_opts="--interval=1800"
The --interval (one of the options that can be passed to the daemon at startup) specifies the interval (in seconds) between checks. By default it is 1800, i.e. every 30 minutes.
Actually, smartd has its own config file /etc/smartd.conf.
Frontend apps and usage examples
(to understand SMART data see SMART IDs)
Most of the time SMART works silently and the majority of users never heard about it. However, if SMART detects a serious problem, your computer will pause during boot to display a warning. And probably some info will be written to logs.
But it can happen that you will need to dive deep. And this is why you should be
familiar with smartctl
, a text-mode frontend for smartd. There
is also a GUI frontend gsmartcontrol
, but it does not come with
the package and must be installed separately.
These frontends allow to control [mostly, it means "gather info"] S.M.A.R.T. system built into storage devices. The purpose of S.M.A.R.T. is to monitor the reliability of the hard (or solid state) drive, to predict drive failures, and to carry out different types of drive self-tests.
Note!
The majority of the following cmds require superuser privilege! Device name /dev/sda is used just for demo purposes!
To find if the target drive supports SMART:
smartctl -i /dev/sda
The following cmd turns SMART on (or does nothing if it's already enabled):
smartctl -s on /dev/sda
Most likely it's a waste of time because all modern drives have built-in SMART
support, and usually SMART daemon turns it ON. So, people ignore the above cmds
and go directly to health status (option -H
):
smartctl -H /dev/sda
If it fails then either the SMART daemon is not running, or your device really does not support SMART (what a shock!).
But this is not a big deal. The real problem (let's hope it will never happen!)
appears when your device reports failing health status. It means either
that the device has already failed or predicts its own failure
within the next 24 hours. In this situation you can use -a
option
to get the details, or you can immediately start the rescue operation, i.e.,
moving/copying the important stuff to a safe place.
To get all SMART info about drive, use option -a
(or
--all
):
smartctl -a /dev/sda
smartctl -a -d ata /dev/sda
A tricky -d
option specifies the type of the drive.
In most cases it's simple: ata (directly attached SATA HDD/SSD),
scsi (directly attached SCSI), nvme for NVMe cards
(marked as experimental in Ubuntu 19.xx). There are also convenient types
like auto (self-explaining; default) and test which
prints the guessed type, opens device and prints the (possibly changed)
type and then exits without performing any further cmds.
The difficulties with the drive type appear when the drive (like SAS/SCSI) is the part of the RAID. And then you have to use non-trivial cmds like:
smartctl -a -d megaraid,0 /dev/sda
smartctl -a -d megaraid,1 /dev/sda
The number after comma specifies the disk number in the MegaRAID controller (they say it works with Dell PERC too).
To slightly clear the situation with the drive types and names, you can use:
smartctl --scan
Some information can be found with the help of lspci
(it outputs
too much if you fail to specify the right search pattern):
lspci | egrep -i 'controller'
lspci | egrep -i 'SATA'
lspci | egrep -i 'raid|adaptec'
Understanding SMART info
There is no strict standard, and manufacturers have their own opinions about SMART data representation. That is, some values of some attributes may have different meaning depending on the model and the manufacturer. Experts advice to focus on critical attributes and deltas, i.e. relatively fast or sudden changes of attrib values that were stable before.
The following table shows some interesting SMART attributes.
Red color means critical, H - higher value is better, L - lower value is better.
ID | ID (hex) | Name | Val | Description |
---|---|---|---|---|
01 | 0x01 | Read Error Rate | L | (Vendor specific raw value.) Stores data related to the rate of hardware read errors that occurred when reading data from a disk surface. The raw value has different structure for different vendors and is often not meaningful as a decimal number. |
02 | 0x02 | Throughput Performance | H | Overall (general) throughput performance of a HDD. If the value of this attribute is decreasing there is a high probability that there is a problem with the disk. |
04 | 0x04 | Start/Stop Count | - | A tally of spindle start/stop cycles. The count is increased each time the spindle turns on (after power-off or when it returns from the sleep mode). |
05 | 0x05 | Reallocated Sectors Count | L | Count of reallocated sectors. The raw value represents a count of the bad sectors that have been found and remapped. Thus, the higher the value, the more sectors the drive has had to reallocate. This value is primarily used as a metric of the life expectancy of the drive; a drive which has had any reallocations at all is significantly more likely to fail in the immediate months. |
08 | 0x08 | Seek Time Performance | H | Average performance of seek operations of the magnetic heads. If this attribute is decreasing, it is a sign of problems in the mechanical subsystem. |
09 | 0x09 | Power-On Hours | - | Count of hours in power-on state. The raw value of this attribute shows total count of hours (or minutes, or seconds, depending on manufacturer) in power-on state. By default, the total expected lifetime of a hard disk in perfect condition is defined as 5 years (running every day and night on all days). This is equal to 1825 days in 24/7 mode or 43800 hours. |
10 | 0x0A | Spin Retry Count | L | Count of retry of spin start attempts. This attribute stores a total count of the spin start attempts to reach the fully operational speed (under the condition that the first attempt was unsuccessful). An increase of this attrib value is a sign of problems in the hard disk mechanical subsystem. |
11 | 0x0B | Recalibration Retries or Calibration Retry Count |
L | This attribute indicates the count that recalibration was requested (under the condition that the first attempt was unsuccessful). An increase of this value is a sign of problems in the hard disk mechanical subsystem. |
12 | 0x0C | Power Cycle Count | - | The count of full hard disk power on/off cycles. |
13 | 0x0D | Soft Read Error Rate | L | Uncorrected read errors reported to the operating system. |
171 | 0xAB | SSD Program Fail Count | - | (Kingston) The total number of flash program operation failures since the drive was deployed. Identical to attribute 181. |
172 | 0xAC | SSD Erase Fail Count | - | (Kingston) Counts the number of flash erase failures. This attribute returns the total number of Flash erase operation failures since the drive was deployed. This attribute is identical to attribute 182. |
173 | 0xAD | SSD Wear Leveling Count | - | Counts the maximum worst erase count on any block. |
174 | 0xAE | Unexpected Power Loss Count | - | Also known as "Power-off Retract Count" (HDD). Raw value reports the number of unclean shutdowns, cumulative over the life of an SSD, where an "unclean shutdown" is the removal of power without STANDBY IMMEDIATE as the last command (regardless of PLI activity using capacitor power). Normalized value is always 100. |
176 | 0xB0 | Erase Fail Count | - | The number of flash erase command failures. |
177 | 0xB1 | Wear Range Delta | - | Delta between most-worn and least-worn Flash blocks. It describes how good/bad the wearleveling of the SSD works on a more technical way. |
181 | 0xB5 | Program Fail Count Total or Non-4K Aligned Access Count |
L | Total number of Flash program operation failures since the drive was deployed. Or, number of user data accesses (both reads and writes) where LBAs are not 4 KiB aligned (LBA % 8 != 0) or where size is not modulus 4 KiB (block count != 8), assuming logical block size (LBS) = 512 B. |
182 | 0xB6 | Erase Fail Count | - | "Pre-Fail" attrib used at least in Samsung devices. |
184 | 0xB8 | End-to-End error/IOEDC | L | This attribute is a part of Hewlett-Packard's SMART IV technology, as well as part of other vendors' IO Error Detection and Correction schemas, and it contains a count of parity errors which occur in the data path to the media via the drive's cache RAM. |
187 | 0xBB | Reported Uncorrectable Errors | L | The count of errors that could not be recovered using hardware ECC (see attribute ID 195). |
188 | 0xBC | Command Timeout | L | The count of aborted operations due to HDD timeout. Normally this value should be 0. |
191 | 0xBF | G-sense Error Rate | L | The count of errors resulting from externally induced shock and vibration. |
195 | 0xC3 | Hardware ECC Recovered | ? | (Vendor-specific raw value.) The raw value has different structure for diff vendors and is often not meaningful as a decimal number. |
196 | 0xC4 | Reallocation Event Count | L | Count of remap operations. The raw value of this attribute shows the total count of attempts to transfer data from reallocated sectors to a spare area. Both successful and unsuccessful attempts are counted. |
197 | 0xC5 | Current Pending Sector Count | L | Count of "unstable" sectors (waiting to be remapped, because of unrecoverable read errors). If an unstable sector is subsequently read successfully, the sector is remapped and this value is decreased. Read errors on a sector will not remap the sector immediately (since the correct value cannot be read and so the value to remap is not known, and also it might become readable later); instead, the drive firmware remembers that the sector needs to be remapped, and will remap it the next time it's written. However, some drives will not immediately remap such sectors when written; instead the drive will first attempt to write to the problem sector and if the write operation is successful then the sector will be marked good (in this case, the "Reallocation Event Count" (0xC4) will not be increased). This is a serious shortcoming, for if such a drive contains marginal sectors that consistently fail only after some time has passed following a successful write operation, then the drive will never remap these problem sectors. |
198 | 0xC6 | (Offline) Uncorrectable Sector Count |
L | The total count of uncorrectable errors when reading/writing a sector. A rise in the value of this attribute indicates defects of the disk surface and/or problems in the mechanical subsystem. |
199 | 0xC7 | UltraDMA CRC Error Count | L | The count of errors in data transfer via the interface cable as determined by ICRC (Interface Cyclic Redundancy Check). |
201 | 0xC9 | Soft Read Error Rate or TA Counter Detected |
L | Count indicates the number of uncorrectable software read errors. |
206 | 0xCE | Flying Height | - | Height of heads above the disk surface. If too low, head crash is more likely; if too high, read/write errors are more likely. |
221 | 0xDD | G-Sense Error Rate | L | The count of errors resulting from externally induced shock and vibration. |
228 | 0xE4 | Power-Off Retract Cycle | L | The number of power-off cycles which are counted whenever there is a "retract event" and the heads are loaded off of the media such as when the machine is powered down, put to sleep, or is idle. |
231 | 0xE7 | Life Left (SSDs) or Temperature |
- | Indicates the approximate SSD life left, in terms of program/erase cycles or available reserved blocks. A normalized value of 100 represents a new drive, with a threshold value at 10 indicating a need for replacement. A value of 0 may mean that the drive is operating in read-only mode to allow data recovery. Previously (pre-2010) occasionally used for Drive Temperature (more typically reported at 0xC2). |
232 | 0xE8 | Endurance Remaining or Available Reserved Space |
- | Number of physical erase cycles completed on the SSD as a percentage of the maximum physical erase cycles the drive is designed to endure. Intel SSDs report the available reserved space as a percentage of the initial reserved space. |
233 | 0xE9 | Media Wearout Indicator (SSDs) or Power-On Hours |
- | Intel SSDs report a normalized value from 100, a new drive, to a minimum of 1. It decreases while the NAND erase cycles increase from 0 to the maximum-rated cycles. Previously (pre-2010) occasionally used for Power-On Hours (more typically reported in 0x09). |
249 | 0xF9 | NAND Writes (1GiB) | - | Total NAND Writes. Raw value reports the number of writes to NAND in 1 GB increments. |
250 | 0xFA | Read Error Retry Rate | L | Count of errors while reading from a disk. |
251 | 0xFB | Minimum Spares Remaining | - | The Minimum Spares Remaining attribute indicates the number of remaining spare blocks as a percentage of the total number of spare blocks available. |
252 | 0xFC | Newly Added Bad Flash Block | ? | The Newly Added Bad Flash Block attribute indicates the total number of bad flash blocks the drive detected since it was first initialized in manufacturing. |
254 | 0xFE | Free Fall Protection | L | Count of "Free Fall Events" detected. |
SMART Self-tests
Usually we limit our disk tests to filesystem checks. But sometimes you really want to test you storage device. And smartmontools is exactly what you need: SMART provides tests that are best suited for your specific device model.
The bad news: if test ends with errors it is usually bad!
There are several types of SMART self-tests. To find what tests are available for a specific drive, and how much time they are supposed to take, use
smartctl -c /dev/sda
In fact, -c
(or --capabilities
) shows what SMART
features are implemented and how the device responds to some cmds. For example,
it shows if device logs errors, if it supports offline surface scanning, etc.
If the device can perform self-tests, this option shows the estimated time
required to run a specific test.
The type of test to run is specified by -t
option. The most basic
is short (SMART Short Self Test):
smartctl -t short /dev/sda
Usually it takes no more than 10 minutes, runs in the background, checks the electrical and mechanical performance, the read performance of the disk.
The long (SMART Extended Self Test) can take several hours or, at least, tens of minutes:
smartctl -t long /dev/sda
This is a thorough version of the Short Self Test.
The conveyance [ATA only] runs a SMART Conveyance Self Test which can take several minutes. This routine is intended to identify damage incurred during transportation:
smartctl -t coveyance /dev/sda
All tests can be run during normal system operation unless you add -C
option, captive mode (or "foreground mode" for SCSI). However, running
self-test can [temporarily] degrade drive performance. On the other hand,
intensive use of device by the operating system can increase test time.
Important note! Do not use captive mode on drives with mounted partition/filesystem!
Since these tests run in the background, you cannot see the progress and must wait until the end. Then you can get your test results with
smartctl -l selftest /dev/sda
Note that some drives break the test procedure if you issue the above
cmd while the test is still running. Usually the appropriate warning is
present in the drive capabilities report (-c
).
sorts lines of the specified text files and writes the sorted concatenation of all files to stdout.
sort -b report04.txt
sort a text file ignoring leading blanks;
sort
[options] [file ...]
Ordering options
-b
,
--ignore-leading-blanks
ignore leading blanks;
-d
,
--dictionary-order
consider only blanks and alphanum chars;
-f
, --ignore-case
fold lower case to upper case;
-g
,
--general-numeric-sort
compare according to general numerical value;
-h
,
--human-numeric-sort
compare human readable numbers (e.g., 2K 1G);
-i
,
--ignore-nonprinting
consider only printable chars;
-M
, --month-sort
compare (unknown) < 'JAN' < ... < 'DEC';
-n
, --numeric-sort
compare according to string numerical value;
-R
, --random-sort
sort by random hash of keys;
--random-source=
file
get random bytes from file;
-r
, --reverse
reverse the results of the comparisions;
--sort=
word
sort according to word: general-numeric
-g
, human-numeric -h
, month -M
,
numeric -n
, random -R
, version -V
;
-V
, --version-sort
natural sort of (version) numbers within text;
General options
--help
--version
--batch-size=
n
merge at most n inputs at once; for more use temp files;
-c
, --check
don't sort, just check whether input is sorted;
-C
, --check=quiet
,
--check=silent
like prev, but do not report first bad line;
--compress-program=
prog
compress temporaries with prog; decompress with
prog -d
;
--files0-from=
file
read input from the files specified by NULL-terminated names in
file (-
means stdin);
-k
pos1[,
pos2],
--key=
pos1[,
pos2]
start a key at pos1 (by default it is position 1), end it at pos2 (by default it is EOL);
-m
, --merge
don't sort, just merge already sorted files;
-o
file,
--output=
file
write to a file instead of stdout;
-S
n,
--buffer-size=
n
set the size of mem buffer; n can be followed by % (perc of mem to use), b (bytes), K (kilobytes, default), M (megabytes), etc;
-s
, --stable
stabilize sort by disabling last-resort comparison;
-T
dir,
--temporary-directory=
dir
use dir for temporaries (instead of $TMPDIR or /tmp);
-t
sep,
--field-separator=
sep
use the specified separator instead of non-blank to blank transition;
-u
, --unique
with -c
, check for strict ordering;
without -c
, output only the first of an equal run;
-z
, --zero-terminated
end lines with a zero byte ('\0'), instead of a newline;
pos is f[.c][opts], where f is the field number and c is the char position in the field. opts is one or more single-letter ordering options, which override global ordering options for that key. If no key is given, use the entire line as the key.
The locale specified by env affects sort order, e.g., LC_ALL=C provides the traditional sort order that uses native byte values.
splits a file into fixed-size pieces.
split -b 1440k arc04.tar.gz
split arc04.tar.gz into separate files with the size no more than 1440 Kbytes each;
split
[options] [file [prefix]]
If file is missing, or '-
', the input data is taken
from stdin. By default, ~
puts 1000 lines of the input file into
each output file. The output names consist of prefix
('x' is default) followed by a group of chars
('aa', 'ab', ...). There is also
csplit
, which cuts file into sections determined by patterns.
Options
--help
--version
--verbose
-a
n,
--suffix-length=
n
use suffixes of length n (default is 2); the splitting process will be aborted if all possible char combinations of the specified length are used but end of the input file is not reached yet;
-b
n,
--bytes=
n
put n bytes into each output file;
-C
n,
--line-bytes=
n
put into each output file as many complete lines as possible without exceeding size of n bytes;
-d
,
--numeric-suffixes
use numeric suffixes;
-l
n,
--lines=
n
put n lines into each output file;
Size spec for -b
, -C
options may have a multiplier:
b
for 512 (block), k
for
1024 (1K), m
for 1048576
(1M).
displays socket statistics and other useful network-related info.
You must prepend it with sudo
to get full info.
ss -s
show socket summary stat;
ss -tulpn
similar to
netstat
, i.e.: show listening
sockets for tcp and udp protocols, do not resolve
names, show related programs;
ss -lp
show listening sockets and related processes;
ss -nlt
show listening TCP sockets only, and do not perform the name resolution;
ss -t -a
show all TCP sockets;
ss -u -a
show all UDP sockets;
ss -t state established
list all established TCP connections;
ss -t4 state established
list all established TCP IPv4 connections;
ss -t4 state closed
list all closed TCP IPv4 connections;
ss -o state established
'( dport = :http or sport = :http )'
display all established HTTP connections;
ss -o state established
'( dport = :ssh or sport = :ssh )'
display all established SSH connections;
ss -o state fin-wait-1
'( sport = :http or sport = :https )'
dst 192.168.0/24
list all TCP sockets in state
FIN-WAIT-1 for httpd
to the specified network and
look at their timers;
ss
[options] [filter]
Where
filter := [ state
tcp-state ] [ expression ]
Options
-h
--help
-V
--version
-0 |
(zero) show PACKET sockets; |
-4 |
show only IPv4 sockets; |
-6 |
show only IPv6 sockets; |
-A
query,
--query=
query
a comma-separated list of socket tables to dump: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, packet_raw, packet_dgram;
-a
, --all
show all sockets;
-D
file
apply filters and dump raw TCP sockets info to a file;
-d
, --dccp
show all DCCP sockets (Datagram Congestion Control Protocol);
-e
, --extended
show detailed socket info;
-f
family,
--family=
family
show sockets of type family; there are now: unix, inet, inet6, link, netlink;
-i
, --info
show internal TCP info;
-l
, --listening
show listening sockets only;
-m
, --memory
show socket memory usage;
-n
, --numeric
do not resolve service names;
-o
, --options
show timer info;
-p
, --processes
show processes using sockets;
-r
, --resolve
try to resolve numeric addr / port;
-s
, --summary
dump statistics summary;
-t
, --tcp
show TCP sockets only;
-u
, --udp
show UDP sockets only;
-w
, --raw
show RAW sockets only;
-x
, --unix
show UNIX domain sockets only;
(Secure Shell client program) provides remote access (tcp/22) to another host (remote login, cmd execution) using secure encrypted communication between two untrusted hosts over an insecure network.
ssh root@srv4
connect as user root to the host srv4;
ssh -v root@srv4
connect as user root to the host srv4, show debug messages during connection;
ssh -l root -C ws4.home.net
connect as user root to the host ws4.home.net and switch on the data compression;
ssh srv2 vmstat 3 5 > vmstat.txt
redirect the output of 'vmstat 3 5
' executed
on the remote host (srv2) to the file vmstat.txt
on the local host;
df | ssh srv2 cat \> hdd_info.txt
redirect the output of the locally executed cmd
(df
) to a file (hdd_info.txt) on the remote host
(srv2);
fdisk -l /dev/sda | ssh srv2 cat \>\> hdd_info.txt
redirect the output of the locally executed cmd
(fdisk -l /dev/sda
) and append it to an existing file
(hdd_info.txt) on the remote host (srv2);
tar zcf - ./doc | ssh srv4 tar zxft -
transfer the specified dir (./doc) to the remote host using compression and retaining the access rights;
ssh
[-l
user]
[user@
]host [cmd]
~
can also forward over the secure channel X11
connections and arbitrary TCP ports.
ssh -f -L 1234:localhost:6667 srv.acme.com sleep 10
irc -p 1234 ...
tunnel connection to IRC server srv.acme.com using tcp/1234; connection is forwarded to port 6667 on the remote server; remote cmd 'sleep 10' is specified to allow to start service which is to be tunnelled;
Other related programs are: scp
(provides secure file transfer
between two hosts), ssh-keygen
(auth key gen, management,
conversion), ssh-agent
(authentication agent),
sshd
(SSH daemon, tcp/22).
scp app.tar.gz root@srv2:app2.tar.gz
upload app.tar.gz as app2.tar.gz to root's home on srv2;
scp -p error.log root@srv5:error.log
upload error.log to the remote host srv5, preserving modif / access time and mode of the original file;
scp -r root@srv7:config/ config
download /root/config dir from the remote host srv7;
Options
-V |
version; |
-v |
verbose; |
-1 |
force ~ to try protocol version 1 only; |
-2 |
force ~ to try protocol version 2 only; |
-4 |
force ~ to use IPv4 addresses only; |
-6 |
force ~ to use IPv6 addresses only; |
-a |
disable forwarding of the authentication agent connection; |
-A |
enable forwarding of the authentication agent connection; |
-b
bind_addr
specify the interface to transmit from;
-c blowfish
| 3des
| des
select the cipher to encrypt this session; 3des is default;
-c
cipher_spec
like previous, but use comma-separated list of ciphers in order of preference (version 2);
-C |
compress all data (may be useful for slow connections); |
-e
ch | ^
ch | none
set the escape char for session with pty;
-f |
force ~ to go to background just before
cmd execution; |
-F
config
ignore system-wide /etc/ssh/ssh_config, use an alternative per-user config file (the default per-user config is $HOME/.ssh/config);
-g |
allow remote hosts to connect to local forwarded ports; |
-i
identity_file
select a file from which the identity (private key) for RSA/DSA auth is read; the defaults are:
$HOME/.ssh/identity (v.1)
$HOME/.ssh/id_rsa (v.2)
$HOME/.ssh/id_dsa (v.2);
-I
smartcard_device
use smart card device specified;
-l
user
use the specified user name to log in on the remote host; this also may be specified on a per-host basis in the config file;
-L
[bind_addr:
]port:
host:
port
forward given port on the local host to the specified host and port on the remote side;
-n |
redirect stdin from /dev/null; |
-N |
do not execute a remote cmd; |
-p
port
port to connect to on the remote machine;
-q |
quiet mode (suppress warnings and diagnostics); |
-R
[bind_addr:
]port:
host:
port
forward given port on the remote side to the specified host and port on the local side;
-s |
request invocation of a subsystem on the remote machine; |
-t |
force pseudo-tty allocation; |
-T |
disable pseudo-tty allocation; |
-x |
disable X11 forwarding; |
-X |
enable X11 forwarding; |
-Y |
enable trusted X11 forwarding; |
Escape characters
~. |
disconnect; |
~^Z |
background ssh ; |
~# |
list forwarded connections; |
~& |
background ssh at logout when waiting for
forwarded connection / X11 sessions to terminate; |
~? |
display a list of escape chars; |
~C |
open cmd line (only useful for adding port forwarding
with -L and -R options); |
~R |
request re-keying of the connection (v.2); |
Authentication methods
During connection user must prove his / her identity to the remote machine using one of the following methods (in the specified order):
- GSSAPI-based authentication;
- host-based authentication;
- public key authentication;
- challenge-response authentication;
- password authentication;
For host-based authentication, file /etc/hosts.equiv on the server (or /etc/ssh/shosts.equiv) must contain the name of the client computer, and user names on both sides must be the same. Also, server must be able to verify the client's host key. Host keys are stored in ~/.ssh/known_hosts in user's home dir at user's computer. A new key is added to this file automatically when you connect to a new server for the first time. There is also system-wide file /etc/ssh/ssh_known_hosts that in general should contain the public host keys of all machines in the organization.
To use public key authentication, you should run ssh-keygen
to create necessary authentication files (all in $HOME/.ssh/):
identity | SSH v.1 RSA auth identity of the user; |
identity.pub | SSH v.1 RSA public key for authentication; |
id_dsa | SSH v.2 DSA auth identity of the user; |
id_dsa.pub | SSH v.2 DSA public key for authentication; |
id_rsa | SSH v.2 RSA auth identity of the user; |
id_rsa.pub | SSH v.2 RSA public key for authentication; |
Files *.pub are not secret, their contents should be added to $HOME/.ssh/authorized_keys on all remote machines where user wants to log in using public key authentication. For example, you generate DSA public / private key pair [on your computer]:
ssh-keygen -t dsa
Then you upload DSA public key to your home dir at the remote machine and add it to authorized_keys file:
cat id_dsa.pub >> ./ssh/authorized_keys
Check rights for .ssh dir and authorized_keys, because OpenSSH does not accept key if access rights are incorrect (unsafe):
chmod 700 .ssh
chmod 600 ./.ssh/authorized_keys
rm id_dsa.pub
Now you can login to the remote machine from your computer without password, provided usernames here and there are the same.
Password authentication is the simplest of all.
It requires no manual config: you just initiate connection, ~
prompts you for password and sends it to the remote server; all
communications are encrypted.
displays file or filesystem status.
stat -f /var
show the status of the filesystem /var;
stat test.sh
show the status of test.sh in the default format;
stat -c '%A dev: %d type: %F %U/%G' test.sh
show the status of test.sh in the specified format;
stat
[options] file ...
Options
--help
--version
-f
, --filesystem
display filesystem status;
-c
frm,
--format=
frm
use the specified format;
-L
, --dereference
follow links;
-t
, --terse
display info in terse form;
-Z
, --context
display security context info for SELinux if available;
Format sequences (for files)
%A |
access rights in human readable (%a - octal) form; |
%B |
the size in bytes of each block reported by %b ; |
%b |
the number of blocks allocated; |
%C |
SELinux security context; |
%D |
device number in hex (%d - decimal); |
%F |
file type; |
%f |
raw mode in hex; |
%G |
group name (%g - group ID) of owner; |
%h |
the number of hard links; |
%i |
inode number; |
%N |
quoted file name (with dereference if symlink); |
%n |
file name; |
%o |
IO block size; |
%s |
total size in bytes; |
%T |
minor (%t - major) device type in hex; |
%U |
user name (%u - user ID) of the owner; |
%x |
time of last access (%X - as seconds since Epoch); |
%y |
time of last modification (%Y - as seconds since Epoch); |
%z |
time of last change (%Z - as seconds since Epoch); |
Format sequences (for filesystems)
%a |
free blocks available to non-superuser; |
%b |
total (%f - free) data blocks in a filesystem; |
%c |
total (%d - free) file nodes in a filesystem; |
%i |
filesystem id in hex; |
%l |
maximum length of file name; |
%n |
file name; |
%s |
optimal transfer block size; |
%T |
type in human readable (%t - hex) form; |
traces system calls and signals. It's a diagnostic and debugging tool.
strace
[options] [cmd [arg ...]]
~
runs the specified cmd until it exits, intercepts and records
system calls and signals which are received by a process. The name of each
system call, its args and return value are send to stderr (or to a file).
strace -e trace=network -o net.trc -p 2818
trace network-related system calls for the earlier started process with pid=2818; send the trace data to net.trc;
strace -T -o apptest.trc apptest conf.dat
trace apptest, send the trace output to apptest.trc; conf.dat is an argument to apptest executable;
strace -p 17055 2>&1 | grep -i io
trace the process with pid = 17055, search for lines containing 'io', redirect stderr to stdout;
Options
-h |
help; |
-V |
version; |
-v |
verbose; |
-c |
count time, calls, and errors for each syscall and report a summary on program exit; |
-f |
follow forks (trace child processes as they are created by currently traced processes as a result of the fork system call); |
-ff |
when -o file option is in effect,
each process trace is written to a separate file
file. pid; |
-F |
attempt to follow vforks; |
-i |
print the instruction pointer at the time of the system call; |
-q |
suppress messages about attaching, detaching, etc; |
-r |
print a relative timestamp upon entry to each syscall (time difference between the beginnings of successive syscalls); |
-t |
prefix each line of the trace with the time of day; |
-tt |
like prev, include microseconds; |
-ttt
like prev, but the leading portion will be printed as the number of seconds since the epoch;
-T |
show the time spent in each syscall; |
-x |
print all non-ASCII strings in hex string format; |
-xx |
print all strings in hex string format; |
-a n |
align return values in a specific column (default column 40); |
-e
expr
a qualifying expression that modifies which events to trace or how to trace them; the format of expr is:
[qualifier=
][!
]value1[,
value2]...
where qualifier is one of trace
,
abbrev
, verbose
, raw
,
signal
, read
, or write
and
value is a qualifier-dependent symbol or number (default qualifier
is trace
);
-e trace=
set
trace only the specified set of system calls, for example
trace=open,close,read,write
(by default trace=all
);
-e trace=file
trace all system calls which take a filename as arg;
-e trace=process
trace all system calls which involve process management;
-e trace=network
trace all network-related system calls;
-e trace=signal
trace all signal-related system calls;
-e trace=ipc
trace all IPC-related system calls;
-o
file
send the trace output to file instead of stderr;
-O n |
set the overhead for tracing syscalls to n microseconds; |
-p
pid
attach to the process with the process ID pid and begin tracing; the trace (not the process!) may be terminated at any time by a keyboard interrupt signal (CTRL+C);
-s n |
specify the max string size to print (the default is 32); |
-S
sortby
sort the output of the histogram printed when the
-c
option is set, by the specified criterion: time
(default), calls
, name
, nothing
;
-u
username
run cmd with the user ID, group ID, and supplementary groups of username;
-E
var=
value
run cmd with env variable var set to value;
-E
var
remove env variable var from the inherited list of env variables before passing it on to the cmd;
changes the effective user and group IDs to that of the specified user.
su -
become root (if you know the password); start a new [default] shell as root and work within root’s environment;
su - oracle
start a new [default] shell on behalf of the user oracle and work within the oracle’s environment;
su -c "make install"
perform a system-wide installation of a new application (regular users can only install software to their home dir);
su
[options] ...
[-
] [user [arg] ... ]
By default, user is root, '-
'
is equivalent to -l
(--login
).
Options
--help
--version
-c
cmd,
--command=
cmd
pass a single cmd to the shell;
-f
, --fast
pass -f
to csh
or tcsh
;
-l
, --login
make the shell a login shell;
-m
, -p
,
--preserve-environment
do not reset env vars;
-s
shell,
--shell=
shell
run the specified shell if /etc/shells allows it;
is a limited and restricted version of su
.
It allows some users to exec cmds that are usually supposed to be
executed by a superuser (or some other users).
sudo
cmd
sudo
[options] cmd
sudo apt install mc
sudo adduser gamer2
sudo shutdown -h +5
To work properly, ~
requires correct config file
/etc/sudoers. You should never edit this file with any
editor except visudo
(a "special
version" of vi
editor):
sudo visudo
Actually, you probably should not edit it at all! If you want to add something, create a file in /etc/sudoers.d/ dir and put your stuff in that file. Make sure this file has no extention, belongs to root/root, has 0440 mode, follows sudoers rules and is edited like this (file name can be different):
sudo visudo -f /etc/sudoers.d/appsrv
Note that the directive
#includedir /etc/sudoers.d
in /etc/sudoers must be exactly like this, i.e., prefixed with #, it's a directive, not a comment.
If, nevertheless, you messed up with your /etc/sudoers and
cannot run sudo
anymore, and you cannot login as superuser to
correct your foolish mistakes, then, maybe, the following command will save
you (not all Linux distros support it, but Ubuntu does):
pkexec visudo
The alternative is to reboot in single user mode, mount/remount root fs in r/w mode, etc .. obviously it will be longer and not so simple.
Note!
When ~
prompts you for password, it wants your account's pass,
not superuser's pass.
On success the return value is the ret val of the program that was
executed. Otherwise ~
quits with an exit value 1
(sometimes an err msg is sent to stderr).
In some Linux distributions (e.g. Ubuntu) root account is
disabled after installation, i.e. you cannot login directly or use
su
to become a superuser. But the account still exists, and it
is possible to exec cmds with superuser privs. Some of the following cmds
are marked BAD, because they defeat the purpose of ~
, and
because working in superuser mode is quite dangerous (for your system).
sudo !!
if the last command has failed due to unsifficient
permissions, run it again, this time as sudo
cmd;
sudo -s
start a root shell, but keep the current shell's env (bad!);
sudo -i
start a root shell, root's env and root's login scripts (bad!);
sudo gnome-terminal
start a new GNOME terminal with root prompt and privs (bad!);
Note!
For GUI apps you should use gksudo
(or kdesudo
for KDE env). These cmds set HOME=~root, and copy
.Xauthority to a tmp dir. This prevents files in your home dir
becoming owned by root.
gksudo nautilus
start a GUI app (nautilus
file browser)
with root privs (to enter this cmd in GUI mode, you can use
ALT+F2);
gksudo gedit /etc/fstab
edit system file that cannot be modified by a regular user;
Who can run sudo
The priv to exec ~
is given to members of group sudo.
In Ubuntu versions before 12.04 the group was admin.
To create a new user with the priv to run ~
:
adduser username sudo
To give the priv to an existing user:
usermod -a -G sudo username
Some notes on the subj
The real and effective uid and gid are set to match those of the target user as specified in the /etc/passwd.
By default you must authenticate yourself with your own
(not root's) password. After this you can use ~
for a limited period of time (5 .. 15 min), then you're once again prompted
for pass. To cut this timeout short:
sudo -k
For security reasons ~
removes form env some variables that are
passed to the program to be executed (sudo -V
on behalf of
root shows the list). Though in general ~
is much
safer than su
, there is risk that some user gets full
root privileges due to superuser mistake. This happens when user
is allowed to run some program with shell escape (some editors, for example),
or is granted permission to execute sudo su
or
sudo sh
.
Files
/etc/sudoers
defines authorized users; use
visudo
(special version of
vi
editor) to edit this file,
otherwise there'll be problems;
/var/run/sudo
this is a dir containing timestamps;
Some options
-h |
help; |
-V |
version; |
-b |
run the given cmd in the background (you cannot use shell job control to manipulate such process); |
-H |
set the HOME env variable to the homedir of the target user (root by default) as specified in passwd; |
-k |
invalidate the user’s timestamp; the next time
~ is run a password will be required; this option itself
does not require a password; |
-K |
remove the user’s timestamp entirely; |
-l |
list allowed and forbidden cmds for the current user; |
-L |
list params that may be set in a Defaults line; |
-P |
preserve user’s group vector (the real and effective group IDs are nevertheless set to match the target user); by default, the group vector will be initialized to the list of groups the target user is in; |
-r
role
set SELinux security context to have the specified role;
-s |
run shell specified by SHELL env var (if set), or by passwd; |
-S |
read the password from stdin instead of terminal device; |
-t
type
set SELinux security context to have the specified type (domain); if no type is given, the default type is derived from the specified role;
-u
usr
run cmd as the specified user (not root);
user can be given by the username or uid prefixed with '#
';
-v |
uptate the user’s timestamp, prompting for password
if necessary; it extends ~ timeout for another 5 min; |
-- |
stop processing command line arguments; |
You should not do this!
In Linux systems where root login is disabled (e.g. Ubuntu), you can return to old-style behaviour by setting root's pass:
sudo passwd root
GUI login must be configured separately:
System -> Administration -> Login screen, ...
But logging in to X as root may cause serious problems!
To re-disable root account:
sudo passwd -dl root
enables / disables devices (or files) for paging and swapping.
swapon /dev/sda6
enable swap area on the disk partition /dev/sda6;
swapoff /dev/sdb2
disable swap area on the disk partition /dev/sdb2;
swapon -a
enable all swap devices specified in /etc/fstab;
swapoff -a
disable all swap devices specified in /etc/fstab;
swapon -s
show swap usage summary for all available devices
(this is equivalent to cat proc/swaps
);
swapon
[options] special_file
Options
-h
-V
-v
-a |
make available for swapping all devices marked as "swap" in /etc/fstab; skip silently those that are used already; |
-e |
skip silently non-existing devices (can be used with -a ); |
-L
label
use the partition that has the specified label;
-p n |
set ~ priority (0..32767); higher numbers
mean higher priority; it also can be specified in /etc/fstab as
pri=n; |
-s |
show swap usage summary by device; |
-U
uuid
use the partition that has the specified uuid;
(do not confuse with systemctl
) is
used to modify kernel parameters at runtime. The params available are those
listed under /proc/sys/.
sysctl
options
sysctl
[options] var ...
sysctl
[options] -w
var=
value ...
var is the name of a key to read from
(like kernel.ostype); note that '/
' can be
used instead of '.
');
/sbin/sysctl -a
show all available values;
/sbin/sysctl -n kernel.hostname
show the current value of kernel.hostname;
/sbin/sysctl -w kernel.domainname="home.net"
set kernel.domainname to home.net;
sysctl -a | grep disable_ipv6
check if IPv6 support is disabled (there are usually several
lines, pay attention to net.ipv6.conf.all.disable_ipv6,
0 means "enabled", 1 - "disabled");
Options
-a |
display all values currently available; |
-A |
display all values currently available in table form; |
-e |
ignore errors about unknown keys; |
-n |
disable printing of the key name when printing values; |
-p
file
load settings from the specified file (by default it is /etc/sysctl.conf);
-w
var=
value
set a key to the specified value; value may be enclosed in double quotes, if it contains qoutes or some other chars parsed by shell;
is a front-end utility for systemd, and it is like it sounds: system control program, allowing to manage services, sockets, mount points, etc. In most cases it requires superuser priv, though cmds requesting status are usually available to regular users.
systemctl status
systemctl start $unit
systemctl stop $unit
systemctl restart $unit
systemctl show-environment
systemctl set-environment var=value
systemctl unset-environment var
systemctl list-dependencies --all
The last cmd shows relationships between services (pstree
-style).
Usage examples for apache2 (former httpd) service:
systemctl start apache2.service
systemctl restart apache2.service
systemctl stop apache2.service
systemctl reload apache2.service
systemctl status apache2.service
systemctl status apache2.service
Of the above cmds only status prints the output. reload asks to reload service-specific config.
systemctl kill apache2
sends a signal to one or more processes of the unit; to specify the
signal use --signal=sig
option;
The following cmds are used to configure service auto start at boot time: enable creates the required symlinks, but it does not start service immediately (you should do it manually, if necessary); disable removes symlinks, but does not stop the running service.
systemctl is-active apache2.service
systemctl enable apache2.service
systemctl disable apache2.service
Note that active means "running".
If some service is disabled it does not start at boot. However, you
still can start it manually. The following cmds control the service
availability: if service is masked, it cannot be started neither
manually nor auto. Usually it's better to mask with
--runtime
option (to be cleared after reboot).
systemctl mask apache2.service
systemctl --runtime mask apache2.service
systemctl unmask apache2.service
Other cmds:
systemctl list-unit-files
list all the available units;
systemctl list-units
list all running units;
systemctl list-unit-files --type=service
list all services (including enabled and disabled);
systemctl list-unit-files --type=mount
list all system mount points;
systemctl list-unit-files --type=socket
list all available system sockets;
See other usage examples: