diff --git a/docs/en/server/administration/administrator/using_dnf_to_manage_software_packages.md b/docs/en/server/administration/administrator/using_dnf_to_manage_software_packages.md index 9790c9d0633b8b9ccfd5d8662ab404e9b1c1c769..07c6e4a4c7fabe1861c6d62e9535dd995c765be5 100644 --- a/docs/en/server/administration/administrator/using_dnf_to_manage_software_packages.md +++ b/docs/en/server/administration/administrator/using_dnf_to_manage_software_packages.md @@ -241,7 +241,7 @@ dnf install httpd ``` > [!NOTE]NOTE -> If the RPM package fails to be installed, see [Installation Failure Caused by Software Package Conflict, File Conflict, or Missing Software Package](./faqs_and_solutions.md#issue-5-installation-failure-caused-by-software-package-conflict-file-conflict-or-missing-software-package). +> If the RPM package fails to be installed, see [Installation Failure Caused by Software Package Conflict, File Conflict, or Missing Software Package](https://docs.openeuler.openatom.cn/en/docs/common/faq/server/administration_faqs.html#_5-installation-failure-caused-by-software-package-conflict-file-conflict-or-missing-software-package). ### Downloading Software Packages diff --git a/docs/en/server/administration/sysmaster/devmaster_usage.md b/docs/en/server/administration/sysmaster/devmaster_usage.md index ac3fc1cf5be0cd8a5a267010a56edb651ffb3ecd..ed0155370b5a31d7efbff0604d7b13c83ba96d69 100644 --- a/docs/en/server/administration/sysmaster/devmaster_usage.md +++ b/docs/en/server/administration/sysmaster/devmaster_usage.md @@ -112,7 +112,7 @@ devmaster rules consist of a group of rule files. After the devmaster daemon is ### Rule Examples -The following describes several common rule examples. For details about the rule syntax, see the [devmaster manual](http://sysmaster.online/man/exts/devmaster/devmaster/). +The following describes several common rule examples. #### Example 1: Creating a Soft Link for a Block Device 
@@ -251,4 +251,4 @@ The NIC configuration file contains the **\[Match]** matching section and **\[Li The preceding default NIC configuration indicates that the configuration takes effect on all NICs and checks the NIC naming styles of the **onboard**, **slot**, and **path** styles in sequence. If an available style is found, the NIC is named in this style. -For details about the NIC configuration, see the [devmaster manual](http://sysmaster.online/man/exts/devmaster/netif_config/#1). +For details about the NIC configuration. diff --git a/docs/en/server/development/application_dev/building_an_rpm_package.md b/docs/en/server/development/application_dev/building_an_rpm_package.md index 52f4a0af4b6a5c9690df5ded3763a8f0e0058d05..6bb07836d8e9fca1c98d2f0e10bc88e045dc96a0 100644 --- a/docs/en/server/development/application_dev/building_an_rpm_package.md +++ b/docs/en/server/development/application_dev/building_an_rpm_package.md @@ -65,7 +65,7 @@ Run the **rpmbuild** command to build the software package. The **rpmbuild** The format of the **rpmbuild** command is rpmbuild \[_option_...\] -[Table 1](#table1342946175212) describes the common rpmbuild packaging options. +Table 1 describes the common rpmbuild packaging options. **Table 1** rpmbuild Packaging Options diff --git a/docs/en/server/installation_upgrade/installation/installation_guide.md b/docs/en/server/installation_upgrade/installation/installation_guide.md index cf490be6c2d968925c26d4c99d9d025cc3fcabad..d09ffc9fa8149cf4cae8e9e5bd741685f9ffb392 100644 --- a/docs/en/server/installation_upgrade/installation/installation_guide.md +++ b/docs/en/server/installation_upgrade/installation/installation_guide.md 
@@ -167,7 +167,7 @@ On the **INSTALLATION SUMMARY** page, click **INSTALLATION SOURCE** to locate th You need to set up an NFS server, mount the **openEuler-{version}-x86_64-dvd.iso** image, and copy the mounted file to the shared directory on the NFS server. **x86_64** indicates the CPU architecture. Use the actual image. -During the installation, if you have any questions about configuring the installation source, see [An Exception Occurs During the Selection of the Installation Source](https://gitee.com/openeuler/docs/blob/5232a58d1e76f59c50d68183bdfd3f6dc1603390/docs/en/docs/Installation/faqs.md#an-exception-occurs-during-the-selection-of-the-installation-source). +During the installation, if you have any questions about configuring the installation source, see [An Exception Occurs During the Selection of the Installation Source](https://docs.openeuler.openatom.cn/en/docs/common/faq/server/installation_faq1.html#_4-an-exception-occurs-during-the-selection-of-the-installation-source). After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. 
@@ -254,14 +254,14 @@ Click **Accept Changes** to go back to the **INSTALLATION SUMMARY** page. On the **INSTALLATION SUMMARY** page, select **NETWORK & HOST NAME** to configure the system network functions. -The installation program automatically detects a local access interface. The detected interface is listed in the left box, and the interface details are displayed in the right area, as shown in [Figure 14](#zh-cn_topic_0186390264_zh-cn_topic_0122145831_fig123700157297). You can enable or disable a network interface by clicking the switch in the upper right corner of the page. The switch is turned off by default. If the installation source is set to network, turn on the switch. You can also click **Configure** to configure the selected interface. Select **Connect automatically with priority** to enable the NIC automatic startup upon system startup, as shown in [Figure 15](#zh-cn_topic_0186390264_zh-cn_topic_0122145831_fig6). +The installation program automatically detects a local access interface. The detected interface is listed in the left box, and the interface details are displayed in the right area, as shown in [Figure 14](#fig14). You can enable or disable a network interface by clicking the switch in the upper right corner of the page. The switch is turned off by default. If the installation source is set to network, turn on the switch. You can also click **Configure** to configure the selected interface. Select **Connect automatically with priority** to enable the NIC automatic startup upon system startup, as shown in [Figure 15](#fig15). In the lower left box, enter the host name. The host name can be the fully quantified domain name (FQDN) in the format of *hostname.domain_name* or the brief host name in the format of *hostname*. 
-**Figure 14** Setting the network and host name +**Figure 14** Setting the network and host name ![](./figures/NetworkandHostName.png) -**Figure 15** Configuring the network +**Figure 15** Configuring the network ![](./figures/confignetwork1.png) After the setting is complete, click **Done** in the upper left corner to go back to the **INSTALLATION SUMMARY** page. @@ -297,12 +297,14 @@ After the settings are completed, click **Done** in the upper left corner to go ## Creating a User -Click **User Creation**. [Figure 17](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig1237715313319) shows the page for creating a user. Enter a username and set a password. By clicking **Advanced**, you can also configure a home directory and a user group, as shown in [Figure 18](#zh-cn_topic_0186390266_zh-cn_topic_0122145909_fig128716531312). +Click **User Creation**. [Figure 17](#fig17) shows the page for creating a user. Enter a username and set a password. By clicking **Advanced**, you can also configure a home directory and a user group, as shown in [Figure 18](#fig18). + +**Figure 17** Creating a user -**Figure 17** Creating a user ![](./figures/createuser.png) -**Figure 18** Advanced user configuration +**Figure 18** Advanced user configuration + ![](./figures/Advanced_User_Configuration.png) After configuration, click **Done** in the left-upper corner to switch back to the **INSTALLATION SUMMARY** page. @@ -319,6 +321,7 @@ After the installation starts, the overall installation progress and the progres >If you click **Exit** or reset or power off the server during the installation, the installation is interrupted and the system is unavailable. In this case, you need to reinstall the system. **Figure 19** Installation process + ![](./figures/installation_procedure.png) ## Completing the Installation 
diff --git a/docs/en/server/installation_upgrade/installation/using_kickstart_for_automatic_installation.md b/docs/en/server/installation_upgrade/installation/using_kickstart_for_automatic_installation.md index e727d21bc3156d85d8831d08e32d6e1c30a6754f..abb9f6c72cabf5bbb22185456a5d6142ea75350b 100644 --- a/docs/en/server/installation_upgrade/installation/using_kickstart_for_automatic_installation.md +++ b/docs/en/server/installation_upgrade/installation/using_kickstart_for_automatic_installation.md @@ -166,7 +166,7 @@ To use kickstart to perform semi-automatic installation of openEuler, perform th 1. On the installation wizard page in [Starting the Installation](installation_modes.md#starting-the-installation), select **Install openEuler {version}** and press **e**. 2. Add **inst.ks=** to the startup parameters. - ![startparam.png](https://gitee.com/openeuler/docs/raw/master/docs/zh/docs/Installation/figures/startparam.png "startparam.png") + ![startparam.png](./figures/startparam.png) 3. Press **Ctrl**+**x** to start the automatic installation. @@ -300,7 +300,6 @@ To use kickstart to perform full-automatic installation of openEuler, perform th set timeout=60 - ### BEGIN /etc/grub.d/10_linux ### menuentry 'Install openEuler {version} ' --class red --class gnu-linux --class gnu --class os { set root=(tftp,192.168.122.1) diff --git a/docs/en/server/maintenance/kernel_live_upgrade/usage_guide.md b/docs/en/server/maintenance/kernel_live_upgrade/usage_guide.md index d6367423a3f07028ed6f056a6be933aa9c90dca6..b26f09d634513c92a17192fe5f8fceee7f08bcaf 100644 --- a/docs/en/server/maintenance/kernel_live_upgrade/usage_guide.md +++ b/docs/en/server/maintenance/kernel_live_upgrade/usage_guide.md 
@@ -82,13 +82,13 @@ quick kexec accelerates image loading using kexec. - To use quick kexec, you need to enable related options in the configuration file. For more information, see [Configurations](./installation-and-deployment.md#configurations). + To use quick kexec, you need to enable related options in the configuration file. For more information, see [Configurations](./installation_and_deployment.md#configurations). 3. pin_memory pin memory accelerates the storage and recovery of the CRIU. - To use pin memory, you need to enable related options in the configuration file. For more information, see [Configurations](./installation-and-deployment.md#configurations). + To use pin memory, you need to enable related options in the configuration file. For more information, see [Configurations](./installation_and_deployment.md#configurations). ## Generated Log Information diff --git a/docs/en/server/memory_storage/hsak/hsak_c_apis.md b/docs/en/server/memory_storage/hsak/hsak_c_apis.md index ccb1e774803c91c94e4aa95a760d157b6ba73aa7..47e4e2a8e1b6dabbba32a878f9ec9183198d28f9 100644 --- a/docs/en/server/memory_storage/hsak/hsak_c_apis.md +++ b/docs/en/server/memory_storage/hsak/hsak_c_apis.md @@ -1484,7 +1484,7 @@ | Parameter | Description | | ----------------- | ------------------------------------------------------------ | - | int32_t cb_status | I/O status code. The value **0** indicates success, a negative value indicates system error code, and a positive value indicates drive error code (for different error codes,
see [Appendixes](#Appendixes)). | + | int32_t cb_status | I/O status code. The value **0** indicates success, a negative value indicates system error code, and a positive value indicates drive error code (for different error codes,
see [Appendixes](#appendixes)). | | int32_t sct_code | I/O status code type:
0: [GENERIC](#generic)
1: [COMMAND_SPECIFIC](#command_specific)
2: [MEDIA_DATA_INTERGRITY_ERROR](#media_data_intergrity_error)
7: VENDOR_SPECIFIC | | void* cb_arg | Input parameter of the callback function. | diff --git a/docs/en/server/network/gazelle/gazelle_user_guide.md b/docs/en/server/network/gazelle/gazelle_user_guide.md index 66d26ad648dad56512ad4de4d2e89059b06e5da8..3679201627b93ae7c64d93e7b5438a6d4241c917 100644 --- a/docs/en/server/network/gazelle/gazelle_user_guide.md +++ b/docs/en/server/network/gazelle/gazelle_user_guide.md @@ -219,7 +219,7 @@ The `-u` option specifies the prefix of the Unix socket for communication betwee **Packet Capturing Tool** The NIC used by Gazelle is managed by DPDK. Therefore, tcpdump cannot capture Gazelle packets. As a substitute, Gazelle uses gazelle-pdump provided in the dpdk-tools software package as the packet capturing tool. gazelle-pdump uses the multi-process mode of DPDK to share memory with the lstack process. -[Usage](https://gitee.com/openeuler/gazelle/blob/master/doc/pdump.md) +[Usage](https://gitee.com/openeuler/gazelle/blob/master/doc/zh/pdump.md) **Thread Binding** When the starting a lstack process, you can specify a thread bound to lstack using the environment variable **GAZELLE_THREAD_NAME**. When there are multiple threads in the service process, you can use this variable to specify the thread whose network interface needs to be managed by lstack. Other threads will use the kernel-mode protocol stack. By default, this parameter is left blank, that is, all threads in the process are bound. diff --git a/docs/en/server/quickstart/quickstart/quick_start.md b/docs/en/server/quickstart/quickstart/quick_start.md index b1a7b0af2b0d2cd6b0d1d91148ccfc1379e67c8a..14ad070add0e03e7e37e34459254424a5f8ca8ab 100644 --- a/docs/en/server/quickstart/quickstart/quick_start.md +++ b/docs/en/server/quickstart/quickstart/quick_start.md 
@@ -247,7 +247,7 @@ After entering the GUI installation page, perform the following operations to in - The **root** account is used to perform key system management tasks. You are not advised to use the **root** account for daily work or system access. - If you select **Lock root account** on the **Root Password** page, the **root** account will be disabled. - **Password Complexity** + **Password Complexity** The password of the **root** user or a new user must meet the password complexity requirements. Otherwise, the password setting or user creation will fail. The password must meet the following requirements: diff --git a/docs/en/server/releasenotes/releasenotes/key_features.md b/docs/en/server/releasenotes/releasenotes/key_features.md index 015b9ea6fd6a93a22216b200e4530da3fcc5e700..8165b43037bad2692552df92c0bd09e38d89b41a 100644 --- a/docs/en/server/releasenotes/releasenotes/key_features.md +++ b/docs/en/server/releasenotes/releasenotes/key_features.md @@ -11,7 +11,7 @@ openEuler offers an efficient development and runtime environment that container - AI framework images: Use an SDK image as the base and install AI framework software, such as PyTorch and TensorFlow. You can use an AI framework image to quickly build a distributed AI framework, such as Ray. - Model application images: Provide a complete set of toolchains and model applications - For details, see the [openEuler AI Container Image User Guide](https://gitee.com/openeuler/docs/blob/stable2-22.03_LTS_SP3/docs/en/docs/AI/ai_container_image_user_guide.md). + For details, see the [openEuler AI Container Image User Guide](https://gitee.com/openeuler/docs-centralized/blob/stable2-22.03_LTS_SP3/docs/en/docs/AI/ai_container_image_user_guide.md). - **AI for OS**: AI is making openEuler smarter. openEuler Copilot System is an intelligent Q&A platform developed on foundation models and openEuler data. It is designed to streamline code generation, troubleshooting, and O&M. 
@@ -28,7 +28,7 @@ openEuler offers an efficient development and runtime environment that container 4. Corpus governance: - Corpus governance is a core RAG capability. It imports corpuses into the knowledge base in a supported format using fragment relationship extraction, fragment derivative construction, and optical character recognition (OCR). This increases the retrieval hit rate. - For details, see the [openEuler Copilot System Intelligent Q&A Service User Guide](https://gitee.com/openeuler/docs/blob/stable2-22.03_LTS_SP4/docs/en/docs/AI/EulerCopilot_user_guide.md). + For details, see the [openEuler Copilot System Intelligent Q&A Service User Guide](https://gitee.com/openeuler/docs-centralized/blob/stable2-22.03_LTS_SP4/docs/en/docs/AI/EulerCopilot_user_guide.md). - Intelligent tuning: openEuler Copilot System supports the intelligent shell entry. Through this entry, you can interact with the openEuler Copilot System using a natural language and perform heuristic tuning operations such as performance data collection, system performance analysis, and system performance tuning. - Intelligent diagnosis: diff --git a/docs/en/server/security/secharden/file_permissions.md b/docs/en/server/security/secharden/file_permissions.md index 5df32f2dd6d32024863791a87b8a76b4c26bb702..268eaad6158be0eff7982c7d0de2255b64bc8ded 100644 --- a/docs/en/server/security/secharden/file_permissions.md +++ b/docs/en/server/security/secharden/file_permissions.md 
@@ -68,7 +68,7 @@ A symbolic link to **/dev/null** may be used by malicious users. This affects ### Special Scenario -After openEuler is installed, symbolic links to **/dev/null** may exist. These links may have corresponding functions. \(Some of them are preconfigured and may be depended by other components.\) Rectify the fault based on the site requirements. For details, see [Implementation](#en-us_topic_0152100319_s1b24647cdd834a8eaca3032611baf072). +After openEuler is installed, symbolic links to **/dev/null** may exist. These links may have corresponding functions. \(Some of them are preconfigured and may be depended by other components.\) Rectify the fault based on the site requirements. For details, see [Implementation](#implementation). For example, openEuler supports UEFI and legacy BIOS installation modes. The GRUB packages supported in the two boot scenarios are installed by default. If you select the legacy BIOS installation mode, a symbolic link **/etc/grub2-efi.cfg** is generated. If you select the UEFI installation mode, a symbolic link **/etc/grub2.cfg** is generated. You need to process these symbolic links based on the site requirements. diff --git a/docs/en/server/security/secharden/security_configuration_benchmark.md b/docs/en/server/security/secharden/security_configuration_benchmark.md index 3d11a99607f7df7c1ce1002b45884307ef6fdfea..0278e7ed99a6f0803cada871f754d046a00e7195 100644 --- a/docs/en/server/security/secharden/security_configuration_benchmark.md +++ b/docs/en/server/security/secharden/security_configuration_benchmark.md @@ -1,3 +1,3 @@ # openEuler Security Configuration Description -For details, see the [openEuler security configuration description](https://gitee.com/openeuler/security-committee/tree/master/secure-configuration-benchmark). +For details, see the [openEuler security configuration description](https://gitee.com/openeuler/security-committee/tree/master/sub-projects/secure-configuration-benchmark). 
diff --git a/docs/en/tools/desktop/dde/dde_userguide.md b/docs/en/tools/desktop/dde/dde_userguide.md index b33fab70dd22c3096fb3a71a6163b52866f3d996..235c52c839592cfd2f962a127eb30eafd7d57a3d 100644 --- a/docs/en/tools/desktop/dde/dde_userguide.md +++ b/docs/en/tools/desktop/dde/dde_userguide.md @@ -67,7 +67,7 @@ You can set display scaling, screen resolution, brightness and so on from the de 1. Right-click the desktop. 2. Click **Display Settings** to open the settings in Control Center. -> ![](./figures/icon99-o.svg)Notes: *For specific operations, please refer to [Display](#Display).* +> ![](./figures/icon99-o.svg)Notes: *For specific operations, please refer to [Display](#display).* ### Change Wallpaper diff --git a/docs/en/virtualization/_toc.yaml b/docs/en/virtualization/_toc.yaml index 11ff5a4e4c45403d3a6a089270f91349cf517b7b..75b9fdd7e447aab1783ce312a80cb900c943f0b0 100644 --- a/docs/en/virtualization/_toc.yaml +++ b/docs/en/virtualization/_toc.yaml @@ -9,6 +9,5 @@ sections: upstream: https://gitee.com/openeuler/Virt-docs/blob/openEuler-24.03-LTS-SP2/docs/en/virtualization_platform/stratovirt/_toc.yaml path: ./virtulization_platform/stratovirt - label: openStack User Guide - href: >- - https://openstack-sig.readthedocs.io/zh/latest/ + href: https://openstack-sig.readthedocs.io/zh/latest/ description: Open source platform for cloud computing management diff --git a/docs/zh/server/administration/administrator/faqs_and_solutions.md b/docs/zh/server/administration/administrator/faqs_and_solutions.md index f3f17f289cbf600d2d64ea9a208ffe872ab7ff16..54da18b0d9bc7d71d037983e58d5ade67ad8e6d0 100644 --- a/docs/zh/server/administration/administrator/faqs_and_solutions.md +++ b/docs/zh/server/administration/administrator/faqs_and_solutions.md @@ -251,7 +251,7 @@ Python 3.7.2 及以下版本中的 Lib/zipfile.py 允许远程攻击者通过 zi ### 解决方案 -在 zipfile 文档中添加告警信息: +在 zipfile 文档中添加告警信息: ## 问题9:不合理使用glibc正则表达式引起ReDoS攻击 
diff --git a/docs/zh/server/administration/sysmaster/devmaster_usage.md b/docs/zh/server/administration/sysmaster/devmaster_usage.md index 3d8b9998af05db05ad14f40a376afd599e03c842..e8af014aed560846748df4fe21cc5c56cdc78536 100644 --- a/docs/zh/server/administration/sysmaster/devmaster_usage.md +++ b/docs/zh/server/administration/sysmaster/devmaster_usage.md @@ -112,7 +112,7 @@ ### 常用规则案例 -以下介绍几种常见的规则应用案例,规则语法详见官方文档中的[devmaster手册](http://sysmaster.online/man/exts/devmaster/devmaster/)。 +以下介绍几种常见的规则应用案例。 #### 示例1: 创建块设备软链接 @@ -250,5 +250,3 @@ 网卡配置文件中包含 `[Match]`匹配节和 `[Link]`控制节,每节中包含若干配置项。匹配节的配置项用于匹配网卡设备,当网卡满足所有匹配条件时,将控制节中的所有配置项作用在网卡上,比如设置网卡名选取策略、调整网卡参数等等。 以上列举的默认网卡配置表示将该配置作用在所有网卡设备上,并依次检查 `onboard`、`slot`和 `path`风格的网卡命名风格,如果找到一个可用的风格,就以该风格对网卡进行命名。 - -网卡配置的详细说明可以参考 `sysMaster`官方手册中的[devmaster手册](http://sysmaster.online/man/exts/devmaster/netif_config/#1)。 diff --git a/docs/zh/server/administration/sysmaster/sysmaster_usage.md b/docs/zh/server/administration/sysmaster/sysmaster_usage.md index b39bef3db4da92c84ccb577a41a7130aac0a138b..8dd0ede2833a212eb7e82161abf2d2449a8ff6e9 100644 --- a/docs/zh/server/administration/sysmaster/sysmaster_usage.md +++ b/docs/zh/server/administration/sysmaster/sysmaster_usage.md @@ -50,7 +50,7 @@ RestartSec=42 WantedBy="multi-user.target" ``` -以下是对单元配置文件中选项配置的说明,更多可以查阅[官方手册](http://sysmaster.online/man/all/)。 +以下是对单元配置文件中选项配置的说明。 * `Description`:说明该 `unit`的主要功能。 * `Documentation`:说明该 `unit`的文档链接。 diff --git a/docs/zh/server/development/fangtian/fangtian_for_linux_waylan_and_openharmony_applications.md b/docs/zh/server/development/fangtian/fangtian_for_linux_waylan_and_openharmony_applications.md index 0d3dcdc7be8b6252d146609d2856323f56c1574f..b81ec9b9daf45b283d00af13017ae6ec444b6f5b 100644 --- a/docs/zh/server/development/fangtian/fangtian_for_linux_waylan_and_openharmony_applications.md +++ b/docs/zh/server/development/fangtian/fangtian_for_linux_waylan_and_openharmony_applications.md 
@@ -10,7 +10,7 @@ FangTian 为了支持 Linux 原生应用,对 Wayland 应用做了兼容。由 ### 应用运行 -1. 在启动[引擎](./FangTian环境配置.md#启动引擎)之后,启动 wayland 适配器的 sa。 +1. 在启动[引擎](./fangtian_environment_configuration.md#启动引擎)之后,启动 wayland 适配器的 sa。 ```shell mkdir -p ~/tmp @@ -58,7 +58,7 @@ FangTian 当前支持 ArkUI 部分控件,如文本、按钮、图片等。开 解压之后的路径为`~/apps/tmp/eletronicAlbum`。 -3. 在启动[引擎](./FangTian环境配置.md#启动引擎)之后,运行 hap。 +3. 在启动[引擎](./fangtian_environment_configuration.md#启动引擎)之后,运行 hap。 ```shell hap_executor ~/apps/tmp/eletronicAlbum diff --git a/docs/zh/server/diversified_computing/dpu_os/dpu_os_tailoring_guide.md b/docs/zh/server/diversified_computing/dpu_os/dpu_os_tailoring_guide.md index cd1df639646d4187ef01836338444c824ab40a4b..543c8e27c3f254f483e8696d643f66a63ddc6c28 100644 --- a/docs/zh/server/diversified_computing/dpu_os/dpu_os_tailoring_guide.md +++ b/docs/zh/server/diversified_computing/dpu_os/dpu_os_tailoring_guide.md @@ -53,7 +53,7 @@ dpuos 1 rpm-dir euler_base * `kiwi/minios/cfg_dpuos/rpm.conf` -密码生成及修改方法可详见openEuler imageTailor手册[配置初始密码](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2/docs/TailorCustom/imageTailor%E4%BD%BF%E7%94%A8%E6%8C%87%E5%8D%97.html#%E9%85%8D%E7%BD%AE%E5%88%9D%E5%A7%8B%E5%AF%86%E7%A0%81)章节。 +密码生成及修改方法可详见openEuler imageTailor手册[配置初始密码](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/tools/community_tools/image_tailor/imagetailor_userguide.html#配置初始密码​)章节。 #### 执行裁剪命令 diff --git a/docs/zh/server/installation_upgrade/installation/using_kickstart_for_automatic_installation.md b/docs/zh/server/installation_upgrade/installation/using_kickstart_for_automatic_installation.md index 0c3bf3072c65066e1719a23d137508968156a156..decabce2ffe1d748321238ea70fe4b8cdcfa1266 100644 --- a/docs/zh/server/installation_upgrade/installation/using_kickstart_for_automatic_installation.md +++ b/docs/zh/server/installation_upgrade/installation/using_kickstart_for_automatic_installation.md 
@@ -82,7 +82,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 1. httpd的安装与服务启动。 - ``` + ```shell # dnf install httpd -y # systemctl start httpd # systemctl enable httpd @@ -90,7 +90,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 2. kickstart文件的准备。 - ``` + ```shell # mkdir /var/www/html/ks # vim /var/www/html/ks/openEuler-ks.cfg ===>根据已安装openEuler系统自动生成的anaconda-ks.cfg修改得到 ==================================== @@ -145,7 +145,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 >![](./public_sys-resources/icon-note.gif) **说明:** >密码密文生成方式: > - >``` + >```shell ># python3 >Python 3.7.0 (default, Apr 1 2019, 00:00:00) >[GCC 7.3.0] on linux @@ -163,7 +163,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 **安装系统** 1. 启动系统进入安装选择界面。 - 1. 在“[启动安装](./安装指导.html#启动安装)”中的“安装引导界面”中选择“Install openEuler {version}”,并按下“e”键。 + 1. 在“[启动安装](./installation_guide.html#启动安装)”中的“安装引导界面”中选择“Install openEuler {version}”,并按下“e”键。 2. 启动参数中追加“inst.ks= ip/ks/openEuler-ks.cfg”。 ![](./figures/startparam.png) @@ -203,7 +203,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 1. httpd的安装与服务启动。 - ``` + ```shell # dnf install httpd -y # systemctl start httpd # systemctl enable httpd @@ -211,7 +211,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 2. tftp的安装与配置。 - ``` + ```shell # dnf install tftp-server -y # vim /etc/xinetd.d/tftp service tftp @@ -236,14 +236,14 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 3. 安装源的制作。 - ``` + ```shell # mount openEuler-{version}-aarch64-dvd.iso /mnt # cp -r /mnt/* /var/www/html/openEuler/ ``` 4. 设置和修改kickstart配置文件 openEuler-ks.cfg,参考[3](#zh-cn_topic_0151920754_l1692f6b9284e493683ffa2ef804bc7ca)安装源的目录,此处选择http安装源。 - ``` + ```shell #vim /var/www/html/ks/openEuler-ks.cfg ==================================== ***以下内容根据实际需求进行修改*** 
@@ -267,9 +267,9 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 ... ``` -5. 修改pxe配置文件grub.cfg, 可参考如下内容(注意:openEuler当前不支持bls格式的cfg文件)。 +5. 修改pxe配置文件grub.cfg,可参考如下内容(注意:openEuler当前不支持bls格式的cfg文件)。 - ``` + ```shell # cp -r /mnt/images/pxeboot/* /var/lib/tftpboot/ # cp /mnt/EFI/BOOT/grubaa64.efi /var/lib/tftpboot/ # cp /mnt/EFI/BOOT/grub.cfg /var/lib/tftpboot/ @@ -299,8 +299,7 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 insmod ext2 set timeout=60 - - + ### BEGIN /etc/grub.d/10_linux ### menuentry 'Install openEuler {version} ' --class red --class gnu-linux --class gnu --class os { set root=(tftp,192.168.122.1) @@ -309,9 +308,9 @@ TFTP(Trivial File Transfer Protocol,简单文件传输协议),该协议 } ``` -6. DHCP的配置(可以使用dnsmasq代替 )。 +6. DHCP的配置(可以使用dnsmasq代替)。 - ``` + ```shell # dnf install dhcp -y # # DHCP Server Configuration file. diff --git a/docs/zh/server/maintenance/kernel_live_upgrade/usage_guide.md b/docs/zh/server/maintenance/kernel_live_upgrade/usage_guide.md index 1d58d32a73d4267e82fc05eff4a3a8ee219f5f48..da85113dbd5207836473dc079bc1b84c2c05b265 100644 --- a/docs/zh/server/maintenance/kernel_live_upgrade/usage_guide.md +++ b/docs/zh/server/maintenance/kernel_live_upgrade/usage_guide.md @@ -82,13 +82,13 @@ quick kexec,是对kexec加载镜像过程中的一种加速。 - 使用quick kexec,需要在配置文件中使能相关选项,更多信息参考\<<[安装与部署-配置介绍](./安装与部署.md#配置介绍)>>。 + 使用quick kexec,需要在配置文件中使能相关选项,更多信息参考\<<[安装与部署-配置介绍](./installation_and_deployment.md#配置介绍)>>。 3. pin_memory(加速现场保存恢复过程) pin memory,是对criu进行现场保存恢复过程中的一种加速。 - 使用pin memory,需要在配置文件中使能相关选项,更多信息参考\<<[安装与部署-配置介绍](./安装与部署.md#配置介绍)>>。 + 使用pin memory,需要在配置文件中使能相关选项,更多信息参考\<<[安装与部署-配置介绍](./installation_and_deployment.md#配置介绍)>>。 ## 产生的日志信息 diff --git a/docs/zh/server/memory_storage/hsak/hsak_c_apis.md b/docs/zh/server/memory_storage/hsak/hsak_c_apis.md index e2a059eba4031808875fb287b924652b82d5297b..aaa4535cc60fc2b77b65a99e0734936d7510372f 100644 --- a/docs/zh/server/memory_storage/hsak/hsak_c_apis.md +++ b/docs/zh/server/memory_storage/hsak/hsak_c_apis.md 
@@ -848,8 +848,8 @@ struct cap_info子结构体成员: | **成员** | **描述**| |-------------------------------|--------------------------| - |const char *name |注册的回调函数的业务层模块名字。| - |void (*notifyFunc)(const struct libstorage_dpdk_init_notify_arg *arg) |DPDK内存初始化之后,通知业务层初始化完成的回调函数参数。| + |const char \*name |注册的回调函数的业务层模块名字。| + |void (\*notifyFunc)(const struct libstorage_dpdk_init_notify_arg \*arg) |DPDK内存初始化之后,通知业务层初始化完成的回调函数参数。| |TAILQ_ENTRY(libstorage_dpdk_init_notify) tailq |存放回调函数注册的链表。| #### ublock.h @@ -1087,7 +1087,7 @@ struct cap_info子结构体成员: | **成员** | **描述** | |---------------------------------------|---------------------------------------------------------------------------| - | ublock_callback_func ublock_callback | 表示回调时执行的函数,类型为bool func(void *info, void *user_data). | + | ublock_callback_func ublock_callback | 表示回调时执行的函数,类型为bool func(void \*info, void \*user_data). | | void *user_data | 传给回调函数的用户参数 | ##### struct ublock_ctrl_iostat_info @@ -1944,7 +1944,7 @@ struct cap_info子结构体成员: | **参数成员** | **描述** | |----------------|---------------------------------------------------------------------------------------------------| | _name |业务层模块名称。 | - | _notify |业务层注册的回调函数原型:void (*notifyFunc)(const struct libstorage_dpdk_init_notify_arg *arg); | + | _notify |业务层注册的回调函数原型:void (\*notifyFunc)(const struct libstorage_dpdk_init_notify_arg \*arg); | 4. 返回值 diff --git a/docs/zh/server/network/gazelle/gazelle_user_guide.md b/docs/zh/server/network/gazelle/gazelle_user_guide.md index fc0b4dd0e5ec1acf102bda43ec968cce42d2f3a0..cc227dcce247986949d6d938ef60e63f30c7c963 100644 --- a/docs/zh/server/network/gazelle/gazelle_user_guide.md +++ b/docs/zh/server/network/gazelle/gazelle_user_guide.md @@ -131,8 +131,8 @@ gcc test.c -o test ${LSTACK_LIBS} |:---|:---|:---| |dpdk_args|--socket-mem(必需)
--huge-dir(必需)
--proc-type(必需)
--legacy-mem
--map-perfect
-d|dpdk初始化参数,参考dpdk说明
--map-perfect为扩展特性,用于防止dpdk占用多余的地址空间,保证有额外的地址空间分配给lstack。
-d参数加载指定so库文件| |listen_shadow| 0/1 | 是否使用影子fd监听。单listen线程,多协议栈线程时是能| -|use_ltran| 0/1 | 是否使用ltran ,功能已衰退,不再支持| -|num_cpus|"0,2,4 ..."|lstack线程绑定的cpu编号,编号的数量为lstack线程个数(小于等于网卡多队列数量)。可按NUMA选择cpu| +|use_ltran| 0/1 | 是否使用ltran,功能已衰退,不再支持| +|num_cpus|"0,2,4 ..."|lstack线程绑定的cpu编号,编号的数量为lstack线程个数(小于等于网卡多队列数量)。可按NUMA选择cpu| |low_power_mode|0/1|是否开启低功耗模式,暂不支持| |kni_switch|0/1|rte_kni开关,默认为0。功能已衰退,不再支持| |unix_prefix|"string"|gazelle进程间通信使用的unix socket文件前缀字符串,默认为空,和需要通信的ltran.conf的unix_prefix或gazellectl的-u参数配置一致。不能含有特殊字符,最大长度为128。| @@ -150,8 +150,8 @@ gcc test.c -o test ${LSTACK_LIBS} |bond_miimon|10|设置bond模式的监听间隔,默认值10,取值范围0~1500| |udp_enable|0/1|是否开启udp功能,默认值1开启| |nic_vlan_mode|-1|是否开启vlan模式,默认值-1关闭,取值范围-1~4095,0和4095是业界通用预留id无实际效果| -|tcp_conn_count|1500|tcp的最大连接数,该参数乘以mbuf_count_per_conn是初始化时申请的mbuf池大小,配置过小会启动失败,tcp_conn_count * mbuf_count_per_conn * 2048字节不能大于大页大小 | -|mbuf_count_per_conn|170|每个tcp连接需要的mbuf个数,该参数乘以tcp_conn_count是初始化时申请的mbuf地址池大小,配置过小会启动失败,tcp_conn_count * mbuf_count_per_conn * 2048字节不能大于大页大小| +|tcp_conn_count|1500|tcp的最大连接数,该参数乘以mbuf_count_per_conn是初始化时申请的mbuf池大小,配置过小会启动失败,tcp_conn_count \* mbuf_count_per_conn \* 2048字节不能大于大页大小 | +|mbuf_count_per_conn|170|每个tcp连接需要的mbuf个数,该参数乘以tcp_conn_count是初始化时申请的mbuf地址池大小,配置过小会启动失败,tcp_conn_count \* mbuf_count_per_conn \* 2048字节不能大于大页大小| lstack.conf示例: @@ -224,7 +224,7 @@ Usage: gazellectl [-h | help] **抓包工具** gazelle使用的网卡由dpdk接管,因此普通的tcpdump无法抓到gazelle的数据包。作为替代,gazelle使用dpdk-tools软件包中提供的gazelle-pdump作为数据包捕获工具,它使用dpdk的多进程模式和lstack进程共享内存。 -[详细使用方法](https://gitee.com/openeuler/gazelle/blob/master/doc/pdump.md) +[详细使用方法](https://gitee.com/openeuler/gazelle/blob/master/doc/zh/pdump.md) **线程名绑定** lstack启动时可以通过指定环境变量GAZELLE_THREAD_NAME来指定lstack绑定的线程名,在业务进程中有多个不同线程时,可以通过使用此参数来指定需要lstack接管网络接口的线程名,未指定的线程将走内核态协议栈。默认为空,即绑定进程内的所有线程。 
diff --git a/docs/zh/server/releasenotes/releasenotes/contribution.md b/docs/zh/server/releasenotes/releasenotes/contribution.md index 73713101e427e48b0a47ffc8a35dd97e2b411c88..73e5009342c9f7f1756a24322711a6877aaf6476 100644 --- a/docs/zh/server/releasenotes/releasenotes/contribution.md +++ b/docs/zh/server/releasenotes/releasenotes/contribution.md @@ -6,7 +6,7 @@ openEuler将拥有共同兴趣的人们聚在一起,组成了不同的特别兴趣小组(SIG)。当前已有的SIG请参见《[SIG列表](https://www.openeuler.org/zh/sig/sig-list/)》。 -我们欢迎并鼓励你加入已有的SIG或创建新的SIG,创建方法请参见《[SIG管理指南](https://gitee.com/openeuler/community/blob/master/zh/technical-committee/governance/README.md)》。 +我们欢迎并鼓励你加入已有的SIG或创建新的SIG,创建方法请参见[《SIG管理指南》](https://gitee.com/openeuler/community/blob/master/zh/technical-committee/governance/README.md)。 ## 邮件列表和任务 diff --git a/docs/zh/server/security/secharden/file_permissions.md b/docs/zh/server/security/secharden/file_permissions.md index 62d889fb73050618b7e4eb63e76de8608e625b39..1c7012391f24463b5eced9a5900194d411a41f36 100644 --- a/docs/zh/server/security/secharden/file_permissions.md +++ b/docs/zh/server/security/secharden/file_permissions.md @@ -14,13 +14,13 @@ openEuler默认对系统中的常用目录、可执行文件和配置文件设 - 修改文件权限。例如将/bin目录权限设置为755。 - ``` + ```shell chmod 755 /bin ``` - 修改文件属主。例如将/bin目录的拥有者和群组设置为root:root。 - ``` + ```shell chown root:root /bin ``` @@ -36,13 +36,13 @@ openEuler默认对系统中的常用目录、可执行文件和配置文件设 1. 查找用户ID不存在的文件。 - ``` + ```shell find / -nouser ``` 2. 删除查找到的文件。其中 filename 为用户ID不存在文件的文件名。 - ``` + ```shell rm -f filename ``` @@ -50,13 +50,13 @@ openEuler默认对系统中的常用目录、可执行文件和配置文件设 1. 查找群组ID不存在的文件。 - ``` + ```shell find / -nogroup ``` 2. 删除查找到的文件。其中 filename 为群组ID不存在文件的文件名。 - ``` + ```shell rm -f filename ``` 
@@ -68,7 +68,7 @@ openEuler默认对系统中的常用目录、可执行文件和配置文件设 ### 特殊场景 -openEuler系统安装完成后,可能存在空链接文件,这些空链接文件可能有对应用途(有些空链接文件是预制的,会被其他组件依赖)。请用户根据实际环境进行处理,处理方式请参见[实现](#zh-cn_topic_0152100319_s1b24647cdd834a8eaca3032611baf072)。 +openEuler系统安装完成后,可能存在空链接文件,这些空链接文件可能有对应用途(有些空链接文件是预制的,会被其他组件依赖)。请用户根据实际环境进行处理,处理方式请参见[实现](#实现)。 例如,openEuler支持UEFI和legacy BIOS两种安装模式,两种引导场景支持的grub相关包默认都安装,当用户选择legacy BIOS模式安装时,形成空链接文件“/etc/grub2-efi.cfg”;当用户选择UEFI模式安装时,会形成空链接文件“/etc/grub2.cfg”,需要用户根据实际情况处理空链接。 @@ -76,7 +76,7 @@ openEuler系统安装完成后,可能存在空链接文件,这些空链接 1. 通过如下命令查找系统中的空链接文件。 - ``` + ```shell find dirname -type l -follow 2>/dev/null ``` @@ -85,7 +85,7 @@ openEuler系统安装完成后,可能存在空链接文件,这些空链接 2. 如果此类文件无实际作用,可通过如下命令删除。 - ``` + ```shell rm -f filename ``` @@ -96,7 +96,7 @@ openEuler系统安装完成后,可能存在空链接文件,这些空链接 ### 说明 -umask值用来为新创建的文件和目录设置缺省权限。如果没有设定umask值,则生成的文件具有全局可写权限,存在一定的风险。守护进程负责系统上某个服务,让系统可以接受来自用户或者是网络客户的要求。为了提高守护进程所创建文件和目录的安全性,建议设置其umask值为0027。umask值代表的是权限的“补码”,umask值和权限的换算方法请参见 "[附录 > umask值含义](附录.md/#umask值含义)" 。 +umask值用来为新创建的文件和目录设置缺省权限。如果没有设定umask值,则生成的文件具有全局可写权限,存在一定的风险。守护进程负责系统上某个服务,让系统可以接受来自用户或者是网络客户的要求。为了提高守护进程所创建文件和目录的安全性,建议设置其umask值为0027。umask值代表的是权限的“补码”,umask值和权限的换算方法请参见 "[附录 > umask值含义](appendix.md#umask值含义)" 。 >![](./public_sys-resources/icon-note.gif) **说明:** >openEuler默认已设置守护进程的umask值为0022。 @@ -115,13 +115,13 @@ umask值用来为新创建的文件和目录设置缺省权限。如果没有设 1. 搜索全局可写目录。 - ``` + ```shell find / -type d -perm -0002 ! -perm -1000 -ls | grep -v proc ``` 2. 为全局可写目录添加粘滞位属性。dirname 为实际查找到的目录名。 - ``` + ```shell chmod +t dirname ``` 
@@ -135,21 +135,21 @@ umask值用来为新创建的文件和目录设置缺省权限。如果没有设 1. 列举系统中所有的全局可写文件。 - ``` + ```shell find / -type d ( -perm -o+w ) | grep -v proc find / -type f ( -perm -o+w ) | grep -v proc ``` 2. 查看步骤1列举的所有文件\(粘滞位的文件和目录可以排除在外\),删除文件或去掉其全局可写权限。使用以下命令去掉权限,其中filename为对应文件名: - ``` + ```shell chmod o-w filename ``` >![](./public_sys-resources/icon-note.gif) **说明:** - >可通过如下命令确定对应文件或目录是否设置了粘滞位,若回显中包含T标记,则为粘滞位文件或目录。命令中的filename为需要查询文件或目录的名称。 -> - >``` + >可通过如下命令确定对应文件或目录是否设置了粘滞位,若回显中包含T标记,则为粘滞位文件或目录。命令中的filename为需要查询文件或目录的名称。 + > + >```shell >ls -l filename >``` @@ -163,20 +163,20 @@ at命令用于创建在指定时间自动执行的任务。为避免任意用户 1. 删除/etc/at.deny文件。 - ``` + ```shell rm -f /etc/at.deny ``` 2. 创建/etc/at.allow文件并将/etc/at.allow的文件属主改为root:root。 - ``` + ```shell touch /etc/at.allow chown root:root /etc/at.allow ``` 3. 控制/etc/at.allow的文件权限,仅root可操作。 - ``` + ```shell chmod og-rwx /etc/at.allow ``` @@ -190,20 +190,20 @@ cron命令用于创建例行性任务。为避免任意用户通过cron命令安 1. 删除/etc/cron.deny文件。 - ``` + ```shell rm -f /etc/cron.deny ``` 2. 创建/etc/cron.allow文件并将/etc/cron.allow的文件属主改为root:root。 - ``` + ```shell touch /etc/cron.allow chown root:root /etc/cron.allow ``` 3. 控制/etc/cron.allow的文件权限,仅root可操作。 - ``` + ```shell chmod og-rwx /etc/cron.allow ``` @@ -217,6 +217,6 @@ sudo命令用于普通用户以root权限执行命令。为了增强系统安全 sudo命令的使用控制通过修改/etc/sudoers文件实现,需要注释掉如下配置行: -``` +```shell #%wheel ALL=(ALL) ALL ``` diff --git a/docs/zh/server/security/secharden/security_configuration_benchmark.md b/docs/zh/server/security/secharden/security_configuration_benchmark.md index 1f12011defdaf8af964a937023d798d6b08302b1..642d6480f44fe0e7b4ef51515c455192fc4e9bb5 100644 --- a/docs/zh/server/security/secharden/security_configuration_benchmark.md +++ b/docs/zh/server/security/secharden/security_configuration_benchmark.md 
@@ -1,3 +1,3 @@ # openEuler安全配置说明 -详细内容请参考[openEuler安全配置说明](https://gitee.com/openeuler/security-committee/tree/master/secure-configuration-benchmark)。 +详细内容请参考[openEuler安全配置说明](https://gitee.com/openeuler/security-committee/tree/master/sub-projects/secure-configuration-benchmark)。 diff --git a/docs/zh/server/security/trusted_computing/ima.md b/docs/zh/server/security/trusted_computing/ima.md index 4d4b35c21f42399e202e446072064b461f93e678..d527ee78c2e8cdf5484c1677282d52bd6e5600cd 100644 --- a/docs/zh/server/security/trusted_computing/ima.md +++ b/docs/zh/server/security/trusted_computing/ima.md @@ -191,7 +191,7 @@ openEuler IMA/EVM机制提供的内核启动参数及说明如下: **1) 原生IMA度量:** -``` +```yaml # 原生IMA度量+自定义策略 无需配置,默认开启 # 原生IMA度量+TCB默认策略 @@ -200,7 +200,7 @@ ima_policy="tcb" **2) 基于摘要列表的IMA度量:** -``` +```yaml # 摘要列表IMA度量+自定义策略 ima_digest_list_pcr=11 ima_template=ima-ng initramtmpfs # 摘要列表IMA度量+默认策略 @@ -209,7 +209,7 @@ ima_digest_list_pcr=11 ima_template=ima-ng ima_policy="exec_tcb" initramtmpfs **3) 基于摘要列表的IMA评估,只保护文件内容:** -``` +```yaml # IMA评估+日志模式 ima_appraise=log ima_appraise_digest_list=digest-nometadata ima_policy="appraise_exec_tcb" initramtmpfs # IMA评估+强制校验模式 @@ -218,7 +218,7 @@ ima_appraise=enforce ima_appraise_digest_list=digest-nometadata ima_policy="appr **4) 基于摘要列表的IMA评估,保护文件内容和扩展属性:** -``` +```yaml # IMA评估+日志模式 ima_appraise=log-evm ima_appraise_digest_list=digest ima_policy="appraise_exec_tcb|appraise_exec_immutable" initramtmpfs evm=x509 evm=complete # IMA评估+强制校验模式 
@@ -364,38 +364,38 @@ digest-list-tools软件包提供IMA摘要列表文件生成和管理的工具, - 场景1:为单个文件生成摘要列表/TLV摘要列表。 - ``` + ```shell gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./ -i i: gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./ -i i: -T ``` - 场景2: 为单个文件生成摘要列表/TLV摘要列表,并指定相对根目录。 - ``` + ```shell gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -A /usr/ -d ./ -i i: gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -A /usr/ -d ./ -i i: -T ``` - 场景3:为目录下的文件递归生成摘要列表/TLV摘要列表。 - ``` + ```shell gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ -d ./ -i i: gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ -d ./ -i i: -T ``` - 场景4:为目录下的可执行文件递归生成摘要列表/TLV摘要列表。 - ``` + ```shell gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ -d ./ -i i: -i e:gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ -d ./ -i i: -i e: -T ``` - 场景5:为目录下的文件递归生成摘要列表/TLV摘要列表,排除部分子目录。 - ``` + ```shell gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/ -d ./ -i i: -i E:/usr/bin/gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/ -d ./ -i i: -i E:/usr/bin/ -T ``` - 场景6:rpmbuild回调脚本中,通过读取rpmbuild传入的列表文件生成摘要列表。 - ``` + ```shell gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \ -i i: -o add -p -1 -m immutable -i L:$BIN_PKG_FILES -i u: \ -A $RPM_BUILD_ROOT -i e: \ @@ -441,7 +441,7 @@ manage_digest_lists命令行工具主要用于将二进制格式的TLV摘要列 查看TLV摘要列表信息: -``` +```shell manage_digest_lists -p dump -d /etc/ima/digest_lists.tlv/ ``` 
@@ -451,7 +451,7 @@ manage_digest_lists -p dump -d /etc/ima/digest_lists.tlv/ IMA策略文件为文本文件,一个文件中可包含若干条按照换行符`\n`分隔的规则语句,每条规则语句都必须以 action 关键字代表的**动作**开头,后接**筛选条件**: -``` +```shell <筛选条件1> [筛选条件2] [筛选条件3]... ``` @@ -615,19 +615,19 @@ action表示该条策略具体的动作,一条策略只能选一个 action, **步骤1:** 用户可通过配置启动参数或手动配置的方式,指定度量策略。通过启动参数配置IMA策略的示例如下: -``` +```shell ima_policy="tcb" ``` 手动配置IMA策略的示例如下: -``` +```shell echo "measure func=BPRM_CHECK" > /sys/kernel/security/ima/policy ``` **步骤2:** 重启系统,用户可实时检查度量日志获取当前的度量情况: -``` +```shell cat /sys/kernel/security/ima/ascii_runtime_measurements ``` @@ -637,7 +637,7 @@ cat /sys/kernel/security/ima/ascii_runtime_measurements **步骤1:** 配置启动参数,重启后进入fix模式: -``` +```shell ima_appraise=fix ima_policy=appraise_tcb ``` @@ -645,25 +645,25 @@ ima_appraise=fix ima_policy=appraise_tcb 对于不可变文件(如二进制程序文件)可以使用签名模式,将文件摘要值的签名写入IMA扩展属性中。举例如下(其中`/path/to/ima.key`指的是和IMA证书匹配的签名私钥): -``` +```shell find /usr/bin -fstype ext4 -type f -executable -uid 0 -exec evmctl -a sha256 ima_sign --key /path/to/ima.key '{}' \; ``` 对于可变文件(如数据文件)可以使用哈希模式,将文件的摘要值写入IMA扩展属性中。IMA支持自动标记机制,即在fix模式下仅需触发文件访问,即可自动生成IMA扩展属性: -``` +```shell find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \; ``` 可通过如下命令检查文件是否被成功标记了IMA扩展属性(security.ima): -``` +```shell getfattr -m - -d /sbin/init ``` **步骤3:** 配置启动参数,修改IMA评估为log或enforce模式后,重启系统: -``` +```shell ima_appraise=enforce ima_policy=appraise_tcb ``` @@ -673,7 +673,7 @@ ima_appraise=enforce ima_policy=appraise_tcb IMA摘要列表特性使用前,用户需安装`ima-evm-utils`和`digest-list-tools`软件包: -``` +```shell yum install ima-evm-utils digest-list-tools ``` 
@@ -685,7 +685,7 @@ yum install ima-evm-utils digest-list-tools **/etc/ima/digest_lists/0-metadata_list-compact-\** -为IMA摘要列表文件,通过`gen_digest_lists`命令生成(生成方法详见[gen_digest_lists工具](#gen_digest_list工具)),该文件为二进制格式,包含header信息以及一连串SHA256哈希值,分别代表合法的文件内容摘要值和文件扩展属性摘要值。该文件被度量或评估后,最终被导入内核,并以该文件中的白名单摘要值为基准进行IMA摘要列表度量或评估。 +为IMA摘要列表文件,通过`gen_digest_lists`命令生成(生成方法详见[gen_digest_lists工具](#gen_digest_lists工具)),该文件为二进制格式,包含header信息以及一连串SHA256哈希值,分别代表合法的文件内容摘要值和文件扩展属性摘要值。该文件被度量或评估后,最终被导入内核,并以该文件中的白名单摘要值为基准进行IMA摘要列表度量或评估。 **/etc/ima/digest_lists/0-metadata_list-rpm-\** @@ -711,19 +711,19 @@ yum install ima-evm-utils digest-list-tools 即原生的IMA签名机制,将签名信息按照一定格式,存放在`security.ima`扩展属性中。可通过`evmctl`命令生成并添加: -``` +```shell evmctl ima_sign --key /path/to/ima.key -a sha256 ``` 也可添加`-f`参数,将签名信息和头信息存入独立的文件中: -``` +```shell evmctl ima_sign -f --key /path/to/ima.key -a sha256 ``` 在开启IMA摘要列表评估模式下,可直接将摘要列表文件路径写入内核接口,实现摘要列表的导入/删除。该过程会自动触发评估,基于`security.ima`扩展属性完成对摘要列表文件内容的签名验证: -``` +```shell # 导入IMA摘要列表文件 echo > /sys/kernel/security/ima/digest_list_data # 删除IMA摘要列表文件 @@ -738,11 +738,11 @@ openEuler 24.03 LTS版本开始支持IMA专用签名密钥,并采用CMS签名 其签名机制为: -1) 将CMS签名信息追加到IMA摘要列表文件末尾; +(1)将CMS签名信息追加到IMA摘要列表文件末尾; -2) 填充结构体并添加到签名信息末尾,结构体定义如下: +(2)填充结构体并添加到签名信息末尾,结构体定义如下: -``` +```shell struct module_signature { u8 algo; /* Public-key crypto algorithm [0] */ u8 hash; /* Digest algorithm [0] */ @@ -754,11 +754,11 @@ struct module_signature { }; ``` -3) 添加魔鬼字符串`"~Module signature appended~\n"` +(3)添加魔鬼字符串`"~Module signature appended~\n"` 此步骤的参考脚本如下: -``` +```shell #!/bin/bash DIGEST_FILE=$1 # IMA摘要列表文件路径 SIG_FILE=$2 # IMA摘要列表签名信息保存路径 @@ -788,7 +788,7 @@ openEuler 22.03 LTS版本支持复用RPM签名机制实现IMA摘要列表文件 在开启IMA度量模式下,导入IMA摘要列表文件无需经过签名验证,可直接将路径写入内核接口,实现摘要列表的导入/删除: -``` +```shell # 导入IMA摘要列表文件 echo > /sys/kernel/security/ima/digest_list_data # 删除IMA摘要列表文件 
@@ -801,7 +801,7 @@ echo > /sys/kernel/security/ima/digest_list_data_del 对于已包含签名信息的IMA摘要列表文件(IMA扩展属性签名或IMA摘要列表追加签名),可直接将路径写入内核接口,实现摘要列表的导入/删除。该过程会自动触发评估,基于`security.ima`扩展属性完成对摘要列表文件内容的签名验证: -``` +```shell # 导入IMA摘要列表文件 echo > /sys/kernel/security/ima/digest_list_data # 删除IMA摘要列表文件 @@ -812,7 +812,7 @@ echo > /sys/kernel/security/ima/digest_list_data_del 对于复用RPM签名的IMA摘要列表文件,需要调用`upload_digest_lists`命令实现导入。具体命令如下(注意指定的路径为对应的RPM摘要列表): -``` +```shell # 导入IMA摘要列表文件 upload_digest_lists add # 删除IMA摘要列表文件 @@ -831,13 +831,13 @@ upload_digest_lists del openEuler RPM工具链支持`%__brp_digest_list`宏定义,配置格式如下: -``` +```shell %__brp_digest_list /usr/lib/rpm/brp-digest-list %{buildroot} ``` 当配置了该宏定义后,当用户调用`rpmbuild`命令进行软件包构建时,在RPM打包阶段会调用`/usr/lib/rpm/brp-digest-list`脚本进行摘要列表的生成和签名等流程。openEuler默认针对可执行程序、动态库、内核模块等关键文件生成摘要列表。用户也可以通过修改脚本,自行配置生成摘要列表的范围和指定签名密钥。如下示例使用用户自定义的签名密钥`/path/to/ima.key`进行摘要列表签名。 -``` +```shell ...... (line 66) DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basename $BIN_PKG_FILES)" [ -f $DIGEST_LIST_TLV_PATH ] || exit 0 @@ -858,19 +858,19 @@ echo $DIGEST_LIST_DIR.sig/0-metadata_list-compact-$(basename $BIN_PKG_FILES).sig **步骤1:** 用户需要配置启动参数度量策略,开启IMA度量功能,具体步骤同**原生IMA度量**,不同的是需要单独配置度量所使用的TPM PCR寄存器,启动参数示例如下: -``` +```shell ima_policy=exec_tcb ima_digest_list_pcr=11 ``` **步骤2:** 用户导入IMA摘要列表,以`bash`软件包的摘要列表为例: -``` +```shell echo /etc/ima/digest_lists/0-metadata_list-compact-bash-5.1.8-6.oe2203sp1.x86_64 > /sys/kernel/security/ima/digest_list_data ``` 可查询到IMA摘要列表的度量日志: -``` +```shell cat /sys/kernel/security/ima/ascii_runtime_measurements ``` 
@@ -884,13 +884,13 @@ cat /sys/kernel/security/ima/ascii_runtime_measurements **步骤1:** 执行`dracut`命令将摘要列表文件写入initrd: -``` +```shell dracut -f -e xattr ``` **步骤2:** 配置启动参数和IMA策略,典型的配置如下: -``` +```shell # 基于摘要列表的IMA评估log/enforce模式,只保护文件内容,配置默认策略为appraise_exec_tcb ima_appraise=log ima_appraise_digest_list=digest-nometadata ima_policy="appraise_exec_tcb" initramtmpfs module.sig_enforce ima_appraise=enforce ima_appraise_digest_list=digest-nometadata ima_policy="appraise_exec_tcb" initramtmpfs module.sig_enforce @@ -907,7 +907,7 @@ ima_appraise=enforce-evm ima_appraise_digest_list=digest ima_policy="appraise_ex **步骤1:** 配置启动参数,典型的配置如下: -``` +```shell # 基于摘要列表的IMA评估log/enforce模式,只保护文件内容,无默认策略 ima_appraise=log ima_appraise_digest_list=digest-nometadata initramtmpfs ima_appraise=enforce ima_appraise_digest_list=digest-nometadata initramtmpfs @@ -920,7 +920,7 @@ ima_appraise=enforce-evm ima_appraise_digest_list=digest initramtmpfs evm=x509 e **步骤2:** 导入IMA策略,将策略文件的全路径写入内核接口: -``` +```shell echo /path/to/policy > /sys/kernel/security/ima/policy ``` @@ -930,7 +930,7 @@ echo /path/to/policy > /sys/kernel/security/ima/policy > > openEuler 22.03 LTS版本的策略模板如下(复用RPM签名场景): > -``` +```shell # 不评估securityfs文件系统的访问行为 dont_appraise fsmagic=0x73636673 # 其他用户自定义的dont_appraise规则 @@ -947,7 +947,7 @@ appraise func=BPRM_CHECK appraise_type=imasig > > openEuler 24.03 LTS版本的策略模板如下(IMA扩展属性签名或追加签名场景): > -``` +```shell # 用户自定义的dont_appraise规则 ...... # 评估导入的IMA摘要列表文件 @@ -960,7 +960,7 @@ appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig openEuler 22.03 LTS的摘要列表导入方式如下(复用RPM签名的IMA摘要列表): -``` +```shell # 导入digest_list_tools软件包的摘要列表 echo /etc/ima/digest_lists/0-metadata_list-compact-digest-list-tools-0.3.95-13.x86_64 > /sys/kernel/security/ima/digest_list_data echo /etc/ima/digest_lists/0-parser_list-compact-libexec > /sys/kernel/security/ima/digest_list_data 
@@ -972,7 +972,7 @@ cat /sys/kernel/security/ima/digests_count openEuler 24.03 LTS的摘要列表导入方式如下(追加签名的IMA摘要列表): -``` +```shell find /etc/ima/digest_lists -name "0-metadata_list-compact-*" -exec echo {} > /sys/kernel/security/ima/digest_list_data \; ``` @@ -991,7 +991,7 @@ find /etc/ima/digest_lists -name "0-metadata_list-compact-*" -exec echo {} > /sy **步骤1:** 生成根证书,以openssl命令为例: -``` +```shell echo 'subjectKeyIdentifier=hash' > root.cfg openssl genrsa -out root.key 4096 openssl req -new -sha256 -key root.key -out root.csr -subj "/C=AA/ST=BB/O=CC/OU=DD/CN=openeuler test ca" @@ -1001,20 +1001,20 @@ openssl x509 -in root.crt -out root.der -outform DER **步骤2:** 获取openEuler kernel源码,以最新的OLK-5.10分支为例: -``` +```shell git clone https://gitee.com/openeuler/kernel.git -b OLK-5.10 ``` **步骤3:** 进入源码目录,并将根证书拷贝至目录下: -``` +```shell cd kernel cp /path/to/root.der . ``` 修改config文件的CONFIG_SYSTEM_TRUSTED_KEYS选项: -``` +```shell CONFIG_SYSTEM_TRUSTED_KEYS="./root.crt" ``` @@ -1022,7 +1022,7 @@ CONFIG_SYSTEM_TRUSTED_KEYS="./root.crt" **步骤5:** 重启后检查证书导入成功: -``` +```shell keyctl show %:.builtin_trusted_keys ``` @@ -1030,7 +1030,7 @@ keyctl show %:.builtin_trusted_keys **步骤1:** 基于根证书生成子证书,以openssl命令为例: -``` +```shell echo 'subjectKeyIdentifier=hash' > ima.cfg echo 'authorityKeyIdentifier=keyid,issuer' >> ima.cfg echo 'keyUsage=digitalSignature' >> ima.cfg @@ -1042,21 +1042,21 @@ openssl x509 -outform DER -in ima.crt -out x509_ima.der **步骤2:** 将IMA证书拷贝到/etc/keys目录下: -``` +```shell mkdir -p /etc/keys/ cp x509_ima.der /etc/keys/ ``` **步骤3:** 打包initrd,将IMA证书和摘要列表置入initrd镜像中: -``` +```shell echo 'install_items+=" /etc/keys/x509_ima.der "' >> /etc/dracut.conf dracut -f -e xattr ``` **步骤4:** 重启后检查证书导入成功: -``` +```shell keyctl show %:.ima ``` @@ -1151,7 +1151,7 @@ IMA默认策略可能包含对应用程序执行、内核模块加载等关键 用户需要通过log模式进入系统进行问题定位和修复。重启系统,进入grub界面修改启动参数,采用log模式启动: -``` +```shell ima_appraise=log ``` 
@@ -1159,7 +1159,7 @@ ima_appraise=log **步骤1:** 检查keyring中的IMA证书: -``` +```shell keyctl show %:.builtin_trusted_keys ``` @@ -1201,7 +1201,7 @@ keyctl show %:.builtin_trusted_keys 如果用户导入了其他内核根证书,也同样需要通过`keyctl`命令查询确认证书是否被成功导入。openEuler默认不使用IMA密钥环,如果用户存在使用的情况,则需要通过如下命令查询IMA密钥环中是否存在用户证书: -``` +```shell keyctl show %:.ima ``` @@ -1211,39 +1211,39 @@ keyctl show %:.ima 用户可通过如下命令查询当前系统中的摘要列表文件: -``` +```shell ls /etc/ima/digest_lists | grep '_list-compact-' ``` 对于每个摘要列表文件,需要检查存在**以下三种之一**的签名信息: -1) 检查该摘要列表文件存在对应的**RPM摘要列表文件**,且**RPM摘要列表文件**的ima扩展属性中包含签名值。以bash软件包的摘要列表为例,摘要列表文件路径为: +(1)检查该摘要列表文件存在对应的**RPM摘要列表文件**,且**RPM摘要列表文件**的ima扩展属性中包含签名值。以bash软件包的摘要列表为例,摘要列表文件路径为: -``` +```shell /etc/ima/digest_lists/0-metadata_list-compact-bash-5.1.8-6.oe2203sp1.x86_64 ``` RPM摘要列表路径为: -``` +```shell /etc/ima/digest_lists/0-metadata_list-rpm-bash-5.1.8-6.oe2203sp1.x86_64 ``` 检查RPM摘要列表签名,即文件的`security.ima`扩展属性不为空: -``` +```shell getfattr -n security.ima /etc/ima/digest_lists/0-metadata_list-rpm-bash-5.1.8-6.oe2203sp1.x86_64 ``` -2) 检查摘要列表文件的`security.ima`扩展属性不为空: +(2)检查摘要列表文件的`security.ima`扩展属性不为空: -``` +```shell getfattr -n security.ima /etc/ima/digest_lists/0-metadata_list-compact-bash-5.1.8-6.oe2203sp1.x86_64 ``` -3) 检查摘要列表文件的末尾包含了签名信息,可通过检查文件内容末尾是否包含`~Module signature appended~`魔鬼字符串进行判断(仅openEuler 24.03 LTS及之后版本支持的签名方式): +(3)检查摘要列表文件的末尾包含了签名信息,可通过检查文件内容末尾是否包含`~Module signature appended~`魔鬼字符串进行判断(仅openEuler 24.03 LTS及之后版本支持的签名方式): -``` +```shell tail -c 28 /etc/ima/digest_lists/0-metadata_list-compact-kernel-6.6.0-28.0.0.34.oe2403.x86_64 ``` 
@@ -1253,7 +1253,7 @@ tail -c 28 /etc/ima/digest_lists/0-metadata_list-compact-kernel-6.6.0-28.0.0.34. 在确保摘要列表已携带签名信息的情况下,用户还需要确保摘要列表采用正确的私钥签名,即签名私钥和内核中的证书匹配。除用户自行进行私钥检查外,还可通过dmesg日志或audit日志(默认路径为`/var/log/audit/audit.log`)判断是否有签名校验失败的情况发生。典型的日志输出如下: -``` +```shell type=INTEGRITY_DATA msg=audit(1722578008.756:154): pid=3358 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:haikang_t:s0-s0:c0.c1023 op=appraise_data cause=invalid-signature comm="bash" name="/root/0-metadata_list-compact-bash-5.1.8-6.oe2203sp1.x86_64" dev="dm-0" ino=785161 res=0 errno=0UID="root" AUID="root" ``` @@ -1263,13 +1263,13 @@ type=INTEGRITY_DATA msg=audit(1722578008.756:154): pid=3358 uid=0 auid=0 ses=1 s 用户需要通过如下命令查询当前initrd中是否存在摘要列表文件: -``` +```shell lsinitrd | grep 'etc/ima/digest_lists' ``` 如果未查询到摘要列表文件,则用户需要重新制作initrd,并再次检查摘要列表导入成功: -``` +```shell dracut -f -e xattr ``` @@ -1287,13 +1287,13 @@ dracut -f -e xattr 对于出现文件执行失败的场景,首先需要确定摘要列表文件已经成功导入内核,用户可以检查摘要列表数量判断导入情况: -``` +```shell cat /sys/kernel/security/ima/digests_count ``` 然后用户可通过audit日志(默认路径为`/var/log/audit/audit.log`)判断具体哪个文件校验失败以及原因。典型的日志输出如下: -``` +```shell type=INTEGRITY_DATA msg=audit(1722811960.997:2967): pid=7613 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:haikang_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="bash" name="/root/test" dev="dm-0" ino=814424 res=0 errno=0UID="root" AUID="root" ``` @@ -1307,7 +1307,7 @@ type=INTEGRITY_DATA msg=audit(1722811960.997:2967): pid=7613 uid=0 auid=0 ses=1 建议用户确认当前内核中包含以下几本签名证书: -``` +```shell # keyctl show %:.builtin_trusted_keys Keyring 566488577 ---lswrv 0 0 keyring: .builtin_trusted_keys @@ -1318,7 +1318,7 @@ Keyring 如缺少证书,建议将内核升级至最新版本。 -``` +```shell yum update kernel ``` 
@@ -1328,7 +1328,7 @@ openEuler 24.03 LTS及之后版本已具备IMA专用证书,且支持证书链 IMA摘要列表导入存在检查机制,如果某次导入过程中,摘要列表的签名校验失败,则会关闭摘要列表导入功能,从而导致后续即使正确签名的摘要列表文件也无法被导入。用户可检查dmesg日志中是否存在如下打印确认是否为该原因导致: -``` +```shell # dmesg ima: 0-metadata_list-compact-bash-5.1.8-6.oe2203sp1.x86_64 not appraised, disabling digest lists lookup for appraisal ``` diff --git a/docs/zh/tools/devops/pkgship/pkgship.md b/docs/zh/tools/devops/pkgship/pkgship.md index c08375b53b2a220360a5d7641b736af3b2cbc8a5..48ada6c3985848d3fc386205ef4394142aa64924 100644 --- a/docs/zh/tools/devops/pkgship/pkgship.md +++ b/docs/zh/tools/devops/pkgship/pkgship.md @@ -54,7 +54,7 @@ pkgship提供了公网地址 工具安装可通过以下两种方式中的任意一种实现。 - 方法一:通过dnf挂载repo源实现。 - 先使用dnf挂载pkgship软件所在repo源(具体方法可参考《[应用开发指南](https://openeuler.org/zh/docs/24.03_LTS_SP1/docs/ApplicationDev/%E5%BC%80%E5%8F%91%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87.html)》),然后执行如下指令下载以及安装pkgship及其依赖。 + 先使用dnf挂载pkgship软件所在repo源(具体方法可参考《[应用开发指南](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/development/application_dev/application_development.html)》),然后执行如下指令下载以及安装pkgship及其依赖。 ```bash dnf install pkgship @@ -79,19 +79,19 @@ pkgship提供了公网地址 脚本路径默认为: -``` +```shell /etc/pkgship/auto_install_pkgship_requires.sh ``` 执行方法为 -``` +```shell /bin/bash auto_install_pkgship_requires.sh elasticsearch ``` 或者 -``` +```shell /bin/bash auto_install_pkgship_requires.sh redis ``` @@ -106,7 +106,7 @@ pkgship提供了公网地址 1.在配置文件中对相应参数进行配置,系统的默认配置文件存放在 /etc/pkgship/package.ini,请根据实际情况进行配置更改。 -``` +```shell vim /etc/pkgship/package.ini ```
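Review bot: in the hunk at @@ -1087 of the libstorage API doc, the row `| void *user_data | 传给回调函数的用户参数 |` still carries an unescaped asterisk while the row directly above it was changed to `\*`; escape it the same way so the table renders consistently.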
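Review bot: in the gazelle hunk at @@ -131, the context row for listen_shadow reads `单listen线程,多协议栈线程时是能`; `是能` looks like a typo for `使能`, and since the neighbouring rows are already being touched for punctuation it could be fixed in the same hunk.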
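Review bot: in the hunk at @@ -135 of file_permissions.md, the two find commands are now in a `shell` fence but read `find / -type d ( -perm -o+w ) | grep -v proc`; unescaped parentheses are a syntax error in a POSIX shell, so before labelling the block as shell they should be `find / -type d \( -perm -o+w \) | grep -v proc` and `find / -type f \( -perm -o+w \) | grep -v proc`.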
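Review bot: in the hunk at @@ -217 of file_permissions.md, `#%wheel ALL=(ALL) ALL` is a line from /etc/sudoers rather than a shell command, so `shell` is a misleading tag (`text` fits better). The prose above it says the line must be commented out, but the shown line already starts with `#`; showing the uncommented `%wheel ALL=(ALL) ALL` as the line to find and the commented form as the result would make the instruction unambiguous.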
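Review bot: the four hunks at @@ -191 through @@ -218 of ima.md tag kernel boot-parameter lines such as `ima_policy="tcb"` and `ima_digest_list_pcr=11 ima_template=ima-ng initramtmpfs` as `yaml`, while the same kind of content later in this patch (@@ -615, @@ -637, @@ -884, @@ -907) is tagged `shell`; these are kernel command-line arguments, not YAML, so pick one tag (`shell` or `text`) and use it for all of them.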
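Review bot: in the hunk at @@ -364 of ima.md, 场景4 and 场景5 show the two gen_digest_lists invocations run together on one line (`... -i i: -i e:gen_digest_lists -t metadata ...` and `... -i E:/usr/bin/gen_digest_lists -t metadata ...`), unlike 场景1 to 场景3 where each command stands on its own line; now that the block is tagged `shell`, a reader copying it would execute one malformed command, so check that a line break separates the two commands.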
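Review bot: in the hunk at @@ -711 of ima.md (and the import blocks at @@ -788, @@ -801 and @@ -812), the commands appear as `echo > /sys/kernel/security/ima/digest_list_data`, `upload_digest_lists add` and `evmctl ima_sign --key /path/to/ima.key -a sha256` with no file operand visible; if the placeholder was written as `<path>` it is easily lost in rendering, so spell it out as a plain placeholder such as `/path/to/digest_list`, as the file already does for `/path/to/ima.key`.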
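Review bot: in the hunk at @@ -738 of ima.md, the `struct module_signature { u8 algo; ... }` block is C source, so the fence should be tagged `c` rather than `shell`.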
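Review bot: in the hunk at @@ -754 of ima.md (and again at @@ -1211), `魔鬼字符串` reads as "devil string"; the intended term for `"~Module signature appended~\n"` is 魔术字符串 (magic string). Since these lines are already touched for the (3) renumbering, fix the wording in the same change.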
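Review bot: in the hunks at @@ -1253 and @@ -1287 of ima.md, the fenced content is an audit log record (`type=INTEGRITY_DATA msg=audit(...)`), not a shell command, so `text` is the accurate tag; the same applies to the IMA policy-rule blocks at @@ -451, @@ -930 and @@ -947 and to the RPM macro at @@ -831, which are policy and config syntax rather than shell.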