DebianNote

May 23, 2025 / Administrator / 10 reads / 0 comments / Category: Debian

Doc

https://www.debian.org/doc/

https://www.debian.org/doc/user-manuals#quick-reference

Command Doc

https://manpages.debian.org/

debian-reference

https://www.debian.org/doc/manuals/debian-reference/index.en.html

GNU/Linux tutorials

https://www.debian.org/doc/manuals/debian-reference/ch01.en.html

Console basics

1.1.1. The shell prompt

Upon starting the system, you are presented with the character-based login screen if you did not install any GUI environment such as the GNOME or KDE desktop system. Suppose your hostname is foo; the login prompt looks as follows.

If you installed a GUI environment, then you can still get to the character based login prompt by Ctrl-Alt-F3, and you can return to the GUI environment via Ctrl-Alt-F2 (see Section 1.1.6, “Virtual consoles” below for more).

1.1.4. The root shell prompt

Here are a few basic methods to gain the root shell prompt by using the root password.

  • Type root at the character based login prompt.
  • Type "su -l" from any user shell prompt.
    • This does not preserve the environment of the current user.
  • Type "su" from any user shell prompt.
    • This preserves some of the environment of the current user.

1.2.3. Filesystem permissions

Filesystem permissions of a Unix-like system are defined for three categories of affected users.

  • The user who owns the file (u)
  • Other users in the group which the file belongs to (g)
  • All other users (o), also referred to as "world" and "everyone"

For a file, each corresponding permission allows the following actions.

  • The read (r) permission allows the owner to examine the contents of the file.
  • The write (w) permission allows the owner to modify the file.
  • The execute (x) permission allows the owner to run the file as a command.

For a directory, each corresponding permission allows the following actions.

  • The read (r) permission allows the owner to list the contents of the directory.
  • The write (w) permission allows the owner to add or remove files in the directory.
  • The execute (x) permission allows the owner to access files in the directory.

Here, the execute permission on a directory means not only to allow reading of files in that directory but also to allow viewing their attributes, such as the size and the modification time.

chown(1) is used from the root account to change the owner of the file. chgrp(1) is used from the file's owner or root account to change the group of the file. chmod(1) is used from the file's owner or root account to change file and directory access permissions. Basic syntax to manipulate a foo file is the following.

# chown newowner foo
# chgrp newgroup foo
# chmod  [ugoa][+-=][rwxXst][,...] foo

1.4.8. Using vim

Recent vim(1) starts with the sane "nocompatible" option set and enters NORMAL mode.[1]

Table 1.16. List of basic Vim key strokes

| mode | key strokes | action |
|---|---|---|
| NORMAL | :help\|only | open the help file in a single window |
| NORMAL | :e filename.ext | open new buffer to edit filename.ext |
| NORMAL | :w | overwrite current buffer to the original file |
| NORMAL | :w filename.ext | write current buffer to filename.ext |
| NORMAL | :q | quit vim |
| NORMAL | :q! | force to quit vim |
| NORMAL | :only | close all other split open windows |
| NORMAL | :set nocompatible? | check if vim is in the sane nocompatible mode |
| NORMAL | :set nocompatible | set vim to the sane nocompatible mode |
| NORMAL | i | enter the INSERT mode |
| NORMAL | R | enter the REPLACE mode |
| NORMAL | v | enter the VISUAL mode |
| NORMAL | V | enter the linewise VISUAL mode |
| NORMAL | Ctrl-V | enter the blockwise VISUAL mode |
| except TERMINAL-JOB | ESC-key | enter the NORMAL mode |
| NORMAL | :term | enter the TERMINAL-JOB mode |
| TERMINAL-NORMAL | i | enter the TERMINAL-JOB mode |
| TERMINAL-JOB | Ctrl-W N (or Ctrl-\ Ctrl-N) | enter the TERMINAL-NORMAL mode |
| TERMINAL-JOB | Ctrl-W : | enter the Ex-mode in TERMINAL-NORMAL mode |

1.5.3. The "$PATH" variable

When you type a command into the shell, the shell searches the command in the list of directories contained in the "$PATH" environment variable. The value of the "$PATH" environment variable is also called the shell's search path.

In the default Debian installation, the "$PATH" environment variable of user accounts may not include "/sbin" and "/usr/sbin". For example, the ifconfig command needs to be issued with the full path "/usr/sbin/ifconfig". (The similar ip command is located in "/usr/bin".)

You can change the "$PATH" environment variable of Bash shell by "~/.bash_profile" or "~/.bashrc" files.
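Because the shell runs whatever program it finds first along the search path, a "$PATH" value deserves a review whenever it is changed. The following is an added example, not from the Debian Reference: a POSIX sh function that flags empty and relative entries, missing directories, world-writable directories, and directories owned by someone other than root or the auditing user (the function names audit_path, report and check_dir and the output format are my own).

```shell
#!/bin/sh
# Added example (not from the Debian Reference): audit a "$PATH" value for
# entries that let someone other than root (or you) place a program that the
# shell would find before the intended one. POSIX sh plus ls and id only.

# audit_path PATHVALUE
# Prints one "problem<TAB>entry" line per finding; returns 1 if any, else 0.
audit_path() {
  found=0
  rest="$1:"                      # trailing ":" makes the last field visible
  while [ -n "$rest" ]; do
    entry=${rest%%:*}
    rest=${rest#*:}
    case "$entry" in
      "")
        report 'empty entry (searched as the current directory)' '(empty)' ;;
      /*)
        check_dir "$entry" ;;
      *)
        report 'relative entry (resolved against the current directory)' "$entry" ;;
    esac
  done
  return "$found"
}

# report PROBLEM ENTRY: print one finding and remember that something was found.
report() {
  printf '%s\t%s\n' "$1" "$2"
  found=1
}

# check_dir DIR: an absolute entry must exist, must not be world-writable and
# must belong to root or to the user running the audit.
check_dir() {
  if [ ! -d "$1" ]; then
    report 'missing directory' "$1"
    return 0
  fi
  # "ls -ld" prints e.g. "drwxrwxrwt 10 root root ... /tmp": the 9th character
  # of the mode string is the "other" write bit, the third field the owner.
  set -- "$1" $(ls -ld "$1")
  case "$2" in
    ????????w*) report 'world-writable directory' "$1" ;;
  esac
  if [ "$4" != root ] && [ "$4" != "$(id -un)" ]; then
    report "owned by another user ($4)" "$1"
  fi
}
```

Run it as `audit_path "$PATH"` from the shell whose path you want to check; a clean path prints nothing and returns 0.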

1.5.4. The "$HOME" variable

Many commands store user-specific configuration in the home directory and change their behavior according to its contents. The home directory is identified by the environment variable "$HOME".

Table 1.20. List of "$HOME" values

| value of "$HOME" | program execution situation |
|---|---|
| / | program run by the init process (daemon) |
| /root | program run from the normal root shell |
| /home/*normal_user* | program run from the normal user shell |
| /home/*normal_user* | program run from the normal user GUI desktop menu |
| /home/*normal_user* | program run as root with "sudo program" |
| /root | program run as root with "sudo -H program" |

1.5.6. Shell glob

Often you want a command to work with a group of files without typing all of them. Filename expansion using shell glob patterns (sometimes referred to as wildcards) meets this need.

Table 1.21. Shell glob patterns

| shell glob pattern | description of match rule |
|---|---|
| * | filename (segment) not started with "." |
| .* | filename (segment) started with "." |
| ? | exactly one character |
| […] | exactly one character with any character enclosed in brackets |
| [a-z] | exactly one character with any character between "a" and "z" |
| [^…] | exactly one character other than any character enclosed in brackets (excluding "^") |

1.5.7. Return value of the command

Each command returns its exit status (variable: "$?") as the return value.

Table 1.22. Command exit codes

| command exit status | numeric return value | logical return value |
|---|---|---|
| success | zero, 0 | TRUE |
| error | non-zero, -1 | FALSE |

For example, try the following.

$ [ 1 = 1 ] ; echo $?
0
$ [ 1 = 2 ] ; echo $?
1

1.5.8. Typical command sequences and shell redirection

Let's try to remember the following shell command idioms, typed on one line as part of a shell command.

Table 1.23. Shell command idioms

| command idiom | description |
|---|---|
| command & | background execution of command in the subshell |
| command1 \| command2 | pipe standard output of command1 to command2 (concurrent execution) |
| command1 2>&1 \| command2 | pipe both standard output and standard error of command1 to command2 (concurrent execution) |
| command1 ; command2 | execute command1 and command2 sequentially |
| command1 && command2 | execute command1; if successful, execute command2 sequentially (return success if both command1 and command2 are successful) |
| command1 \|\| command2 | execute command1; if not successful, execute command2 sequentially (return success if either command1 or command2 is successful) |
| command > foo | redirect standard output of command to a file foo (overwrite) |
| command 2> foo | redirect standard error of command to a file foo (overwrite) |
| command >> foo | redirect standard output of command to a file foo (append) |
| command 2>> foo | redirect standard error of command to a file foo (append) |
| command > foo 2>&1 | redirect both standard output and standard error of command to a file foo |
| command < foo | redirect standard input of command to a file foo |
| command << delimiter | redirect standard input of command to the following lines until "delimiter" is met (here document) |
| command <<- delimiter | redirect standard input of command to the following lines until "delimiter" is met (here document, the leading tab characters are stripped from input lines) |
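Two of these idioms hide failures in ways that matter for scripts: "$?" after "command1 | command2" is the status of command2 only, and a long "&&" chain is hard to debug unless its output is kept. As an added example (not from the Debian Reference), the POSIX sh functions below apply the table's pipe, chaining and ">> foo 2>&1" idioms to those two cases; the names left_status and run_steps are my own.

```shell
#!/bin/sh
# Added example (not from the Debian Reference): two idioms from Table 1.23
# that are easy to get wrong in scripts. POSIX sh, no bashisms.

# "$?" after "command1 | command2" is the status of command2, so a failing
# command1 goes unnoticed. left_status runs the pipeline but returns the
# status of command1, carried around the pipe through a temporary file
# (the left side of a pipe runs in a subshell, so a variable would be lost).
#   usage: left_status 'command1' 'command2'
left_status() {
  tmp=$(mktemp) || return 2
  {
    eval "$1" && rc=0 || rc=$?       # "A && B || C": C sees A's status
    echo "$rc" > "$tmp"
  } | eval "$2"
  rc=$(cat "$tmp")
  rm -f "$tmp"
  return "$rc"
}

# Run the given steps with the "command1 && command2" rule (stop at the
# first failure and return its status). stdout and stderr of every step are
# appended to LOG ("command >> foo 2>&1") so an unattended run leaves a
# record of what ran and what failed.
#   usage: run_steps LOG 'step1' 'step2' ...
run_steps() {
  log=$1
  shift
  : > "$log"
  for step in "$@"; do
    printf '+ %s\n' "$step" >> "$log"
    if eval "$step" >> "$log" 2>&1; then
      continue
    else
      rc=$?                          # status of the step that just failed
      printf 'FAILED (exit %d): %s\n' "$rc" "$step" >> "$log"
      return "$rc"
    fi
  done
  return 0
}
```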

1.6.1. Unix text tools

There are a few standard text processing tools that are used very often on Unix-like systems.

  • No regular expression is used:
    • cat(1) concatenates files and outputs the whole content.
    • tac(1) concatenates files and outputs in reverse.
    • cut(1) selects parts of lines and outputs.
    • head(1) outputs the first part of files.
    • tail(1) outputs the last part of files.
    • sort(1) sorts lines of text files.
    • uniq(1) removes duplicate lines from a sorted file.
    • tr(1) translates or deletes characters.
    • diff(1) compares files line by line.
  • Basic regular expression (BRE) is used as default:
    • ed(1) is a primitive line editor.
    • sed(1) is a stream editor.
    • grep(1) matches text with patterns.
    • vim(1) is a screen editor.
    • emacs(1) is a screen editor. (somewhat extended BRE)
  • Extended regular expression (ERE) is used:
    • awk(1) does simple text processing.
    • egrep(1) matches text with patterns.
    • tcl(3tcl) can do every conceivable text processing: See re_syntax(3). Often used with tk(3tk).
    • perl(1) can do every conceivable text processing. See perlre(1).
    • python(1) with the re module can do every conceivable text processing. See "/usr/share/doc/python/html/index.html".

Chapter 2. Debian package management

https://www.debian.org/doc/manuals/debian-reference/ch02.en.html

2.1. Debian package management prerequisites

2.1.1. Debian package management system

Debian is a volunteer organization which builds consistent distributions of pre-compiled binary packages of free software and distributes them from its archive.

The Debian archive is offered by many remote mirror sites for access through HTTP and FTP methods. It is also available as CD-ROM/DVD.

The current Debian package management system which can utilize all these resources is Advanced Packaging Tool (APT).

The Debian package management system, when used properly, lets the user install consistent sets of binary packages from the archive onto the system. Currently, there are 74165 packages available for the amd64 architecture.

The Debian package management system has a rich history and many choices for the front end user program and back end archive access method to be used. Currently, we recommend the following.

  • apt(8) for all interactive command line operations, including package installation, removal and dist-upgrades.
  • apt-get(8) for calling Debian package management system from scripts. It is also a fallback option when apt is not available (often with older Debian systems).
  • aptitude(8) for an interactive text interface to manage the installed packages and to search the available packages.

Table 2.1. List of Debian package management tools

| package | popcon | size | description |
|---|---|---|---|
| dpkg | V:912, I:999 | 6388 | low level package management system for Debian (file based) |
| apt | V:865, I:999 | 4318 | APT front-end to manage packages with CLI: apt/apt-get/apt-cache |
| aptitude | V:48, I:253 | 4389 | APT front-end to interactively manage packages with full screen console: aptitude(8) |
| tasksel | V:34, I:980 | 347 | APT front-end to install selected tasks: tasksel(8) |
| unattended-upgrades | V:182, I:278 | 301 | enhancement package for APT to enable automatic installation of security upgrades |
| gnome-software | V:153, I:263 | 3085 | Software Center for GNOME (GUI APT front-end) |
| synaptic | V:46, I:375 | 7627 | graphical package manager (GTK APT front-end) |
| apt-utils | V:379, I:998 | 1065 | APT utility programs: apt-extracttemplates(1), apt-ftparchive(1), and apt-sortpkgs(1) |
| apt-listchanges | V:358, I:872 | 398 | package change history notification tool |
| apt-listbugs | V:6, I:8 | 477 | lists critical bugs before each APT installation |
| apt-file | V:17, I:67 | 89 | APT package searching utility — command-line interface |
| apt-rdepends | V:0, I:5 | 39 | recursively lists package dependencies |

2.1.5. Debian archive basics

Let's look into the Debian archive from a system user's perspective.

For a system user, the Debian archive is accessed using the APT system.

For the bookworm system with typical HTTP access, the source list in one-line style is the following:

deb http://deb.debian.org/debian/ bookworm main non-free-firmware contrib non-free
deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware contrib non-free

deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free
deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free

Alternatively, the equivalent source list in deb822-style is the following.

Types: deb deb-src
URIs: http://deb.debian.org/debian/
Suites: bookworm
Components: main non-free-firmware contrib non-free

Types: deb deb-src
URIs: http://security.debian.org/debian-security/
Suites: bookworm-security
Components: main non-free-firmware contrib non-free

The key points of the source list are the following.

  • One-line-style format
    • Its definition files are the "/etc/apt/sources.list" file and the "/etc/apt/sources.list.d/*.list" files.
    • Each line defines a data source for the APT system.
    • A "deb" line defines the source for binary packages.
    • A "deb-src" line defines the source for source packages.
    • The 1st argument is the root URL of the Debian archive.
    • The 2nd argument is the distribution name, using either the suite name or the codename.
    • The 3rd and following arguments are the list of valid archive area names of the Debian archive.
  • Deb822-style format
    • Its definition files are the "/etc/apt/sources.list.d/*.sources" files.
    • Each block of lines separated by a blank line defines a data source for the APT system.
    • The "Types:" stanza defines the list of types such as "deb" and "deb-src".
    • The "URIs:" stanza defines the list of root URIs of the Debian archive.
    • The "Suites:" stanza defines the list of distribution names, using either the suite name or the codename.
    • The "Components:" stanza defines the list of valid archive area names of the Debian archive.

The definition for "deb-src" can safely be omitted if the list is only for aptitude, which does not access source-related metadata; omitting it speeds up updates of the archive metadata.

The URL can be "https://", "http://", "ftp://", "file://", ….

Lines starting with "#" are comments and ignored.

Here, I tend to use codename "bookworm" or "trixie" instead of suite name "stable" or "testing" to avoid surprises when the next stable is released.
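To compare the two forms mechanically, the following added example (not from the Debian Reference or from APT) converts a deb822-style source list read on stdin into one-line-style entries, expanding multi-valued Types:, URIs: and Suites: fields into every combination the way the deb822 form is defined to, dropping comments, and passing any field it does not model through as a "#" comment so a reviewer sees it was there; the function name deb822_to_oneline is my own.

```shell
#!/bin/sh
# Added example (not from the Debian Reference or APT): turn a deb822-style
# source list, read on stdin, into the equivalent one-line-style entries.
# Every combination of Types x URIs x Suites becomes one line; a blank line
# ends a stanza; "#" lines are dropped; fields this converter does not model
# (Signed-By:, Enabled:, ...) are echoed as a "# not converted:" comment.
# Needs only POSIX sh and awk.
deb822_to_oneline() {
  awk '
    # value of the current "Field: value" line, with surrounding blanks removed
    function val(   v) {
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)
      sub(/[ \t]+$/, "", v)
      return v
    }
    function reset() { types = uris = suites = comps = other = "" }
    # print the stanza collected so far, then start a fresh one
    function emit(   i, j, k, nt, nu, ns) {
      if (types != "") {
        nt = split(types,  T, " ")
        nu = split(uris,   U, " ")
        ns = split(suites, S, " ")
        for (i = 1; i <= nt; i++)
          for (j = 1; j <= nu; j++)
            for (k = 1; k <= ns; k++)
              print T[i], U[j], S[k], comps
        if (other != "") print "# not converted:" other
      }
      reset()
    }
    BEGIN          { reset() }
    /^#/           { next }                   # comment line
    /^[ \t]*$/     { emit(); next }           # blank line closes the stanza
    /^Types:/      { types  = val(); next }
    /^URIs:/       { uris   = val(); next }
    /^Suites:/     { suites = val(); next }
    /^Components:/ { comps  = val(); next }
                   { other = other " " $0 }   # anything else is carried along
    END            { emit() }
  '
}
```

Typical use is `deb822_to_oneline < /etc/apt/sources.list.d/debian.sources`, whose output can be diffed against an existing one-line list.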

Table 2.2. List of Debian archive sites

| archive URL | suite name | codename | purpose of repository |
|---|---|---|---|
| http://deb.debian.org/debian/ | stable | bookworm | Quasi-static stable release after extensive checks |
| http://deb.debian.org/debian/ | testing | trixie | Dynamic testing release after decent checks and short waits |
| http://deb.debian.org/debian/ | unstable | sid | Dynamic unstable release after minimal checks and no waits |
| http://deb.debian.org/debian/ | experimental | N/A | Pre-release experiments by developers (optional, only for developer) |
| http://deb.debian.org/debian/ | stable-proposed-updates | bookworm-proposed-updates | Updates for the next stable point release (optional) |
| http://deb.debian.org/debian/ | stable-updates | bookworm-updates | Subset of stable-proposed-updates suite needing urgent updates such as timezone data (optional) |
| http://deb.debian.org/debian/ | stable-backports | bookworm-backports | Random collection of recompiled packages mostly from the testing release (optional) |
| http://security.debian.org/debian-security/ | stable-security | bookworm-security | Security updates for the stable release (important) |
| http://security.debian.org/debian-security/ | testing-security | trixie-security | This isn't actively supported nor used by the security team |

suite name

Debian's suite name identifies a release or development stage. It plays a key role in the package source configuration (such as sources.list), telling the system which release's packages to use.

What a suite name means

A suite name is the identifier of a release or development branch in the Debian package repository, for example:

  • stable: the current stable release (recommended for production).
  • testing: the candidate for the next stable release (updated faster, but not fully tested).
  • unstable: the release under development (codename sid; frequently updated, unstable).
  • oldstable: the previous stable release (being phased out).
  • experimental: experimental packages (high risk, for testing only).

In addition, every official Debian release has a codename (such as bookworm, bullseye, trixie); these are both release names and usable as suite names.

What a suite name does

  1. Selecting the source release
    In /etc/apt/sources.list, the suite name defines which release's repository the system fetches packages from. For example:
    deb http://deb.debian.org/debian bookworm main         # use Debian 12 (bookworm)
    deb http://deb.debian.org/debian testing main         # use the testing release
  2. Controlling the update policy
    • Using stable gives thoroughly tested packages, suitable for production.
    • Using testing or unstable gives new features, but may introduce instability.
  3. Supporting release upgrades
    When a new release is published (e.g. upgrading from bullseye to bookworm), changing the suite name is enough to trigger the release-upgrade process.
  4. Staying on older releases
    Through oldstable or a specific codename (such as buster), an older system can keep receiving security updates.

Common suite name table

| Suite name | Codename | Debian version | Status |
|---|---|---|---|
| stable | Bookworm | Debian 12 | current stable |
| oldstable | Bullseye | Debian 11 | old stable |
| testing | Trixie | Debian 13 | in testing |
| unstable | Sid | continuous development | unstable |

Usage notes

  1. Choose carefully for production
    Unless there is a specific need, always use stable or a concrete codename (such as bookworm) to avoid an unexpected upgrade to an unstable release.
  2. Risk of mixing suites
    Packages from different suites can have conflicting dependencies; mixing them in sources.list (e.g. enabling stable and testing at the same time) is not recommended.
  3. Codenames are bound to suites
    Once a codename (such as bookworm) is released as stable, its repository is maintained long-term, which suits fixed-version requirements.

Example: configuring sources.list

# Use the stable Debian 12 (bookworm)
deb http://deb.debian.org/debian bookworm main contrib non-free
deb http://security.debian.org/debian-security bookworm-security main

# Use the testing release (Trixie)
# deb http://deb.debian.org/debian trixie main

Choosing the suite name sensibly balances the system's stability against the need for new features.

Archive Area

Debian's archive areas are the categories of the package repository, divided by package license and degree of freedom, that make each package's legal compliance and maintenance responsibility explicit. In the source configuration (such as sources.list) they define the range of packages a user can access, and so directly determine what kind of software the system can install.

Archive area categories

Debian divides packages into the following three categories, mainly according to whether they comply with the Debian Free Software Guidelines (DFSG):

| Area | Meaning | Examples |
|---|---|---|
| main | Fully free software: complies with the DFSG and does not depend on non-free components. | Linux kernel, GNU toolchain |
| contrib | Free software that depends on non-free components: complies with the DFSG but needs non-free software to run. | some graphics drivers, virtual machine tools |
| non-free | Non-free software: does not comply with the DFSG and may carry restrictions on use or distribution. | closed-source firmware, patented codecs (such as MP3) |

Starting with Debian 12 (Bookworm), a new non-free-firmware area was added specifically for the non-free firmware that hardware needs (such as WiFi drivers).

What archive areas do

  1. Making the freedom of packages explicit
    • Users can decide whether to enable non-free software (contrib, non-free) according to their own needs.
    • Companies and institutions can restrict package sources according to compliance requirements.
  2. Controlling the scope of the package sources
    Specify the areas in /etc/apt/sources.list, for example:
    deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
    • Enabling only main: the system installs only fully free software.
    • Enabling non-free: closed-source software (such as the NVIDIA driver) can be installed.
  3. Separating maintenance responsibility
    • Software in the main area is fully supported by Debian.
    • Software in non-free and contrib may lack official maintenance or security updates.

Configuration example

# Debian 12 (bookworm) with all areas enabled
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

Notes

  1. Only main is enabled by default
    Debian installation images contain only packages from the main area by default; other areas must be enabled manually.
  2. Risks of non-free software
    • Legal risk: some non-free software may be restricted by patents or licenses.
    • Security risk: the code of closed-source software cannot be audited and may contain vulnerabilities.
  3. Installing non-free software
    Once the area is enabled, install with apt:
    sudo apt install firmware-linux-nonfree  # install non-free firmware
  4. Hardware compatibility
    Some hardware (such as newer WiFi chips) needs non-free-firmware to work properly.

Why are archive areas needed?

Debian holds to the free-software philosophy, but to meet practical needs it offers non-free software as a "compromise". Dividing the archive into areas lets users decide for themselves whether to accept non-free components, while making the scope of the development team's support explicit.

2.1.8. The event flow of the package management

Here is a summary of the simplified event flow of package management by APT.

  • Update ("apt update", "aptitude update" or "apt-get update"):
    1. Fetch archive metadata from remote archive
    2. Reconstruct and update local metadata for use by APT
  • Install ("apt install …", "aptitude install …" or "apt-get install …"):
    1. Choose packages listed on the command line
    2. Make package dependency resolution
    3. Fetch selected binary packages from remote archive
    4. Unpack fetched binary packages
    5. Run preinst script
    6. Install binary files
    7. Run postinst script
  • Remove ("apt remove …", "aptitude remove …" or "apt-get remove …"):
    1. Choose packages listed on the command line
    2. Make package dependency resolution
    3. Run prerm script
    4. Remove installed files except configuration files
    5. Run postrm script
  • Purge ("apt purge …", "aptitude purge …" or "apt-get purge …"):
    1. Choose packages listed on the command line
    2. Make package dependency resolution
    3. Run prerm script
    4. Remove installed files including configuration files
    5. Run postrm script

2.2.2. Basic package management operations with the commandline

Here are basic package management operations with the command line using apt(8), aptitude(8), and apt-get(8)/apt-cache(8).

Table 2.6. Basic package management operations with the command line using apt(8), aptitude(8), and apt-get(8)/apt-cache(8)

| apt syntax | aptitude syntax | apt-get/apt-cache syntax | description |
|---|---|---|---|
| apt update | aptitude update | apt-get update | update package archive metadata |
| apt install foo | aptitude install foo | apt-get install foo | install candidate version of "foo" package with its dependencies |
| apt upgrade | aptitude safe-upgrade | apt-get upgrade | install candidate version of installed packages without removing any other packages |
| apt full-upgrade | aptitude full-upgrade | apt-get dist-upgrade | install candidate version of installed packages while removing other packages if needed |
| apt remove foo | aptitude remove foo | apt-get remove foo | remove "foo" package while leaving its configuration files |
| apt autoremove | N/A | apt-get autoremove | remove auto-installed packages which are no longer required |
| apt purge foo | aptitude purge foo | apt-get purge foo | purge "foo" package with its configuration files |
| apt clean | aptitude clean | apt-get clean | clear out the local repository of retrieved package files completely |
| apt autoclean | aptitude autoclean | apt-get autoclean | clear out the local repository of retrieved package files for outdated packages |
| apt show foo | aptitude show foo | apt-cache show foo | display detailed information about "foo" package |
| apt search *regex* | aptitude search *regex* | apt-cache search *regex* | search packages which match *regex* |
| N/A | aptitude why *regex* | N/A | explain the reason why *regex* matching packages should be installed |
| N/A | aptitude why-not *regex* | N/A | explain the reason why *regex* matching packages can not be installed |
| apt list --manual-installed | aptitude search '~i!~M' | apt-mark showmanual | list manually installed packages |

Chapter 3. The system initialization

https://www.debian.org/doc/manuals/debian-reference/ch03.en.html

3.5. System management

systemd offers not only an init system but also generic system management operations through the systemctl(1) command.

Table 3.6. List of typical systemctl command snippets

| Operation | Command snippets |
|---|---|
| List all available unit types | "systemctl list-units --type=help" |
| List all target units in memory | "systemctl list-units --type=target" |
| List all service units in memory | "systemctl list-units --type=service" |
| List all device units in memory | "systemctl list-units --type=device" |
| List all mount units in memory | "systemctl list-units --type=mount" |
| List all socket units in memory | "systemctl list-sockets" |
| List all timer units in memory | "systemctl list-timers" |
| Start "$unit" | "systemctl start $unit" |
| Stop "$unit" | "systemctl stop $unit" |
| Reload service-specific configuration | "systemctl reload $unit" |
| Stop and start all "$unit" | "systemctl restart $unit" |
| Start "$unit" and stop all others | "systemctl isolate $unit" |
| Switch to "graphical" (GUI system) | "systemctl isolate graphical" |
| Switch to "multi-user" (CLI system) | "systemctl isolate multi-user" |
| Switch to "rescue" (single user CLI system) | "systemctl isolate rescue" |
| Send kill signal to "$unit" | "systemctl kill $unit" |
| Check if "$unit" service is active | "systemctl is-active $unit" |
| Check if "$unit" service is failed | "systemctl is-failed $unit" |
| Check status of "$unit\|$PID\|device" | "systemctl status $unit\|$PID\|device" |
| Show properties of "$unit\|$job" | "systemctl show $unit\|$job" |
| Reset failed "$unit" | "systemctl reset-failed $unit" |
| List dependency of all unit services | "systemctl list-dependencies --all" |
| List unit files installed on the system | "systemctl list-unit-files" |
| Enable "$unit" (add symlink) | "systemctl enable $unit" |
| Disable "$unit" (remove symlink) | "systemctl disable $unit" |
| Unmask "$unit" (remove symlink to "/dev/null") | "systemctl unmask $unit" |
| Mask "$unit" (add symlink to "/dev/null") | "systemctl mask $unit" |
| Get default-target setting | "systemctl get-default" |
| Set default-target to "graphical" (GUI system) | "systemctl set-default graphical" |
| Set default-target to "multi-user" (CLI system) | "systemctl set-default multi-user" |
| Show job environment | "systemctl show-environment" |
| Set job environment "variable" to "value" | "systemctl set-environment variable=value" |
| Unset job environment "variable" | "systemctl unset-environment variable" |
| Reload all unit files and daemons | "systemctl daemon-reload" |
| Shut down the system | "systemctl poweroff" |
| Shut down and reboot the system | "systemctl reboot" |
| Suspend the system | "systemctl suspend" |
| Hibernate the system | "systemctl hibernate" |

3.7. System configuration

3.7.1. The hostname

The kernel maintains the system hostname. The system unit started by systemd-hostnamed.service sets the system hostname at boot time to the name stored in "/etc/hostname". This file should contain only the system hostname, not a fully qualified domain name.

To print out the current hostname, run hostname(1) without an argument.

3.7.2. The filesystem

The mount options of normal disk and network filesystems are set in "/etc/fstab". See fstab(5) and Section 9.6.7, “Optimization of filesystem by mount options”.

The configuration of the encrypted filesystem is set in "/etc/crypttab". See crypttab(5).

The configuration of software RAID with mdadm(8) is set in "/etc/mdadm/mdadm.conf". See mdadm.conf(5).

Chapter 5. Network setup

https://www.debian.org/doc/manuals/debian-reference/ch05.en.html

5.1. The basic network infrastructure

Let's review the basic network infrastructure on the modern Debian system.

Table 5.1. List of network configuration tools

| packages | popcon | size | type | description |
|---|---|---|---|---|
| network-manager | V:392, I:459 | 15542 | config::NM | NetworkManager (daemon): manage the network automatically |
| network-manager-gnome | V:121, I:369 | 5583 | config::NM | NetworkManager (GNOME frontend) |
| netplan.io | V:1, I:5 | 319 | config::NM+networkd | Netplan (generator): unified, declarative interface to NetworkManager and systemd-networkd backends |
| ifupdown | V:608, I:979 | 199 | config::ifupdown | standardized tool to bring up and down the network (Debian specific) |
| isc-dhcp-client | V:217, I:981 | 2875 | config::low-level | DHCP client |
| pppoeconf | V:0, I:5 | 186 | config::helper | configuration helper for PPPoE connection |
| wpasupplicant | V:353, I:513 | 3862 | config::helper | client support for WPA and WPA2 (IEEE 802.11i) |
| wpagui | V:0, I:1 | 774 | config::helper | Qt GUI client for wpa_supplicant |
| wireless-tools | V:179, I:244 | 292 | config::helper | tools for manipulating Linux Wireless Extensions |
| iw | V:34, I:475 | 302 | config::helper | tool for configuring Linux wireless devices |
| iproute2 | V:736, I:972 | 3606 | config::iproute2 | iproute2, IPv6 and other advanced network configuration: ip(8), tc(8), etc. |
| iptables | V:319, I:718 | 2414 | config::Netfilter | administration tools for packet filtering and NAT (Netfilter) |
| nftables | V:106, I:701 | 182 | config::Netfilter | administration tools for packet filtering and NAT (Netfilter) (successor to {ip,ip6,arp,eb}tables) |
| iputils-ping | V:194, I:997 | 122 | test | test network reachability of a remote host by hostname or IP address (iproute2) |
| iputils-arping | V:3, I:36 | 50 | test | test network reachability of a remote host specified by the ARP address |
| iputils-tracepath | V:2, I:30 | 47 | test | trace the network path to a remote host |
| ethtool | V:95, I:267 | 739 | test | display or change Ethernet device settings |
| mtr-tiny | V:5, I:46 | 156 | test::low-level | trace the network path to a remote host (curses) |
| mtr | V:4, I:41 | 209 | test::low-level | trace the network path to a remote host (curses and GTK) |
| gnome-nettool | V:0, I:17 | 2492 | test::low-level | tools for common network information operations (GNOME) |
| nmap | V:25, I:199 | 4498 | test::low-level | network mapper / port scanner (Nmap, console) |
| tcpdump | V:17, I:175 | 1340 | test::low-level | network traffic analyzer (Tcpdump, console) |
| wireshark | I:45 | 10417 | test::low-level | network traffic analyzer (Wireshark, GTK) |
| tshark | V:2, I:25 | 400 | test::low-level | network traffic analyzer (console) |
| tcptrace | V:0, I:2 | 401 | test::low-level | produce a summarization of the connections from tcpdump output |
| snort | V:0, I:0 | 2203 | test::low-level | flexible network intrusion detection system (Snort) |
| ntopng | V:0, I:1 | 15904 | test::low-level | display network usage in web browser |
| dnsutils | V:16, I:280 | 276 | test::low-level | network clients provided with BIND: nslookup(8), nsupdate(8), dig(8) |
| dlint | V:0, I:3 | 53 | test::low-level | check DNS zone information using nameserver lookups |
| dnstracer | V:0, I:1 | 59 | test::low-level | trace a chain of DNS servers to the source |

5.1.1. The hostname resolution

The hostname resolution is currently supported by the NSS (Name Service Switch) mechanism too. The flow of this resolution is the following.

  1. The "/etc/nsswitch.conf" file with stanza like "hosts: files dns" dictates the hostname resolution order. (This replaces the old functionality of the "order" stanza in "/etc/host.conf".)
  2. The files method is invoked first. If the hostname is found in the "/etc/hosts" file, it returns all valid addresses for it and exits. (The "/etc/host.conf" file contains "multi on".)
  3. The dns method is invoked. If the hostname is found by the query to the Internet Domain Name System (DNS) identified by the "/etc/resolv.conf" file, it returns all valid addresses for it and exits.

A typical workstation may be installed with its host name set to, e.g., "host_name" and its optional domain name set to an empty string. Then, "/etc/hosts" looks like the following.

127.0.0.1 localhost
127.0.1.1 host_name

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Each line starts with an IP address, followed by the hostnames associated with it.

The IP address 127.0.1.1 in the second line of this example may not be found on some other Unix-like systems. The Debian Installer creates this entry for a system without a permanent IP address as a workaround for some software (e.g., GNOME) as documented in the bug #719621.

The host_name matches the hostname defined in the "/etc/hostname" (see Section 3.7.1, “The hostname”).

For a system with a permanent IP address, that permanent IP address should be used here instead of 127.0.1.1.

For a system with a permanent IP address and a fully qualified domain name (FQDN) provided by the Domain Name System (DNS), that canonical host_name.domain_name should be used instead of just host_name.

The "/etc/resolv.conf" is a static file if the resolvconf package is not installed. If it is installed, it is a symbolic link. Either way, it contains the information that initializes the resolver routines. If the DNS server is found at IP="192.168.11.1", it contains the following.

nameserver 192.168.11.1
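The "files" step above can be reproduced over a constructed hosts file, which is useful for checking what a stray entry in "/etc/hosts" would answer before DNS is ever consulted. This is an added example, not from the Debian Reference or from glibc: it reads the "hosts:" order from an nsswitch.conf, answers the files method from a hosts file (returning every matching address, as "multi on" does), and only reports that the dns method is not simulated; the function names nss_hosts_order, hosts_lookup and resolve_name are my own, and the paths default to the system files.

```shell
#!/bin/sh
# Added example (not from the Debian Reference or glibc): follow the
# "hosts:" order from nsswitch.conf and answer the "files" step from a hosts
# file, returning every matching address the way "multi on" does. Only
# POSIX sh, sed and awk are needed.

# nss_hosts_order NSSWITCH_FILE: the methods on the "hosts:" line, e.g. "files dns"
nss_hosts_order() {
  sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" \
    | sed -e 's/#.*//' -e 's/[[:space:]]*$//' | head -n 1
}

# hosts_lookup HOSTS_FILE NAME: print the address of every line that lists
# NAME as canonical name or alias (case-insensitive, comments stripped).
hosts_lookup() {
  awk -v want="$2" '
    BEGIN { want = tolower(want) }
    { sub(/#.*/, "") }                        # strip a trailing comment
    NF < 2 { next }                           # need an address and a name
    { for (i = 2; i <= NF; i++)
        if (tolower($i) == want) { print $1; break } }
  ' "$1"
}

# resolve_name NAME [NSSWITCH_FILE [HOSTS_FILE]]: walk the hosts: methods in
# order; the first method that answers wins and the rest are not consulted.
# Only "files" is implemented; "dns" (or any other method) is reported on
# stderr and skipped, and "[...]" action entries are ignored.
resolve_name() {
  name=$1
  nss=${2:-/etc/nsswitch.conf}
  hosts=${3:-/etc/hosts}
  for method in $(nss_hosts_order "$nss"); do
    case $method in
      files)
        found=$(hosts_lookup "$hosts" "$name")
        if [ -n "$found" ]; then
          printf '%s\n' "$found"
          return 0
        fi ;;
      \[*) ;;
      *) printf 'resolve_name: method "%s" not simulated, skipping\n' "$method" >&2 ;;
    esac
  done
  return 1
}
```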

5.1.2. The network interface name

systemd uses "Predictable Network Interface Names" such as "enp0s25".

5.2. The modern network configuration for desktop

Network interfaces are typically initialized in "networking.service" for the lo interface and "NetworkManager.service" for other interfaces on modern Debian desktop system under systemd.

Debian can manage the network connection via management daemon software such as NetworkManager (NM) (network-manager and associated packages).

  • They come with their own GUI and command-line programs as their user interfaces.
  • They come with their own daemon as their backend system.
  • They allow easy connection of your system to the Internet.
  • They allow easy management of wired and wireless network configuration.
  • They allow us to configure network independent of the legacy ifupdown package.

These modern network configuration tools need to be configured properly to avoid conflicting with the legacy ifupdown package and its configuration file "/etc/network/interfaces".

5.2.1. GUI network configuration tools

Official documentation for NM on Debian is provided in "/usr/share/doc/network-manager/README.Debian".

Essentially, the network configuration for desktop is done as follows.

  1. Make the desktop user, e.g. foo, belong to the group "netdev" by the following (alternatively, this is done automatically via D-Bus under modern desktop environments such as GNOME and KDE). Note that usermod(8) takes the group before the user.
    $ sudo usermod -a -G netdev foo
  2. Keep the configuration of "/etc/network/interfaces" as simple as the following.
    auto lo
    iface lo inet loopback
  3. Restart NM by the following.
    $ sudo systemctl restart network-manager
  4. Configure your network via the GUI.

Note : Only interfaces which are not listed in "/etc/network/interfaces" are managed by NM to avoid conflict with ifupdown.

5.3. The modern network configuration without GUI

Under systemd, the network may be configured in /etc/systemd/network/ instead. See systemd-resolved(8), resolved.conf(5), and systemd-networkd(8).

This allows the modern network configuration without GUI.

A DHCP client configuration can be set up by creating "/etc/systemd/network/dhcp.network". E.g.:

[Match]
Name=en*

[Network]
DHCP=yes

A static network configuration can be set up by creating "/etc/systemd/network/static.network". E.g.:

[Match]
Name=en*

[Network]
Address=192.168.0.15/24
Gateway=192.168.0.1

Comparison of the three management tools

The three network management tools are:

  • NetworkManager
  • systemd-networkd
  • networking.service (traditional ifupdown)

The following compares NetworkManager, systemd-networkd and networking.service (traditional ifupdown) on a Debian system, covering use cases, configuration files, features, and pros and cons.


I. Summary table

Feature | NetworkManager | systemd-networkd | networking.service (ifupdown)
Role | full-featured dynamic network management (desktop/mobile) | lightweight basic network management (server/container) | traditional static network configuration (compatibility with existing setups)
Configuration path | /etc/NetworkManager/ | /etc/systemd/network/ | /etc/network/interfaces and /etc/network/interfaces.d/
Syntax | keyfile, or nmcli commands | INI-style .network files | stanza syntax (auto, iface)
Service unit | NetworkManager.service | systemd-networkd.service | networking.service
Dynamic IP (DHCP) | ✔️ supported (automatic or manual) | ✔️ supported | ✔️ needs a stanza (iface ... inet dhcp)
Static IP | ✔️ supported | ✔️ supported | ✔️ its main use
Wi-Fi/Bluetooth | ✔️ native | ❌ not supported (wpa_supplicant has to be run separately) | limited (wpa-ssid/wpa-psk stanzas through the wpasupplicant hook; no roaming)
VPN/mobile broadband | ✔️ supported (OpenVPN, WireGuard, ...) | partial (WireGuard natively via a .netdev file; no OpenVPN or mobile broadband) | ❌ not supported
Bridge/VLAN | ✔️ supported (needs configuration) | ✔️ native | ✔️ via the bridge-utils and vlan packages
DNS management | ✔️ updates /etc/resolv.conf automatically | ✔️ DNS= configurable, served through systemd-resolved | ❌ /etc/resolv.conf edited by hand, by the DHCP client or by resolvconf
GUI | ✔️ integrated into GNOME, KDE, etc. | ❌ none | ❌ none
Typical systems | desktops, laptops, mobile devices | servers, containers, headless systems | servers installed without a desktop (still the Debian installer default there) and legacy setups

II. Detailed comparison

  1. Use cases
  • NetworkManager
    • Core scenarios: desktop environments (GNOME, KDE), laptops that change networks often, setups that need VPNs or mobile broadband (4G/5G).
    • Strengths: handles dynamic changes automatically (e.g. roaming between Wi-Fi hotspots), graphical configuration, supports complex topologies.
  • systemd-networkd
    • Core scenarios: servers, containers, embedded systems, lightweight headless environments.
    • Strengths: low resource use, fast start-up, deep integration with systemd.
  • networking.service (ifupdown)
    • Core scenarios: servers installed without a desktop, hosts that must stay compatible with existing ifupdown scripts and hooks.
    • Strengths: simple and stable; well suited to static configuration.

  2. Configuration files and syntax
  • NetworkManager
    • How it is configured
      • Command-line tools: nmcli (recommended), nmtui (text UI).
      • Files: /etc/NetworkManager/NetworkManager.conf and /etc/NetworkManager/system-connections/*.nmconnection (keyfile format; they must be root-owned with mode 600 because they hold Wi-Fi and VPN secrets).
    • Example (keyfile):
      [connection]
      id=eth0-static
      type=ethernet
      interface-name=eth0

      [ipv4]
      method=manual
      address1=192.168.1.100/24,192.168.1.1
      dns=8.8.8.8;

  • systemd-networkd
    • Files: /etc/systemd/network/*.network (processed in lexical order; the first file whose [Match] section matches an interface wins).
    • Example:
      [Match]
      Name=eth0

      [Network]
      Address=192.168.1.100/24
      Gateway=192.168.1.1
      DNS=8.8.8.8

  • networking.service (ifupdown)
    • Files: /etc/network/interfaces and /etc/network/interfaces.d/*
    • Example:
      auto eth0
      iface eth0 inet static
          address 192.168.1.100
          netmask 255.255.255.0
          gateway 192.168.1.1

3. Core features

Feature | NetworkManager | systemd-networkd | networking.service
Dynamic IP (DHCP) | ✔️ | ✔️ | ✔️ (per-interface stanza)
Static IP | ✔️ | ✔️ | ✔️ (main use)
Wi-Fi/Bluetooth | ✔️ | ❌ | limited (wpasupplicant hook)
Bridge/VLAN | ✔️ (manual configuration) | ✔️ (native) | ✔️ (bridge-utils / vlan packages)
VPN support | ✔️ (many protocols) | WireGuard only | ❌
Hotplug detection | ✔️ | ✔️ | ✔️ (allow-hotplug stanza, driven by udev)
Automatic DNS management | ✔️ | ✔️ | ❌

4. Service management commands

  • NetworkManager
    sudo systemctl restart NetworkManager
    # show status
    nmcli general status

  • systemd-networkd
    sudo systemctl restart systemd-networkd
    # show network status
    networkctl status

  • networking.service
    sudo systemctl restart networking
    # restart a single interface
    sudo ifdown eth0 && sudo ifup eth0

5. Pros and cons

  • NetworkManager
    • Pros: full-featured, handles dynamic networks, graphical front ends.
    • Cons: heavier footprint; not ideal for minimal environments.
  • systemd-networkd
    • Pros: lightweight, fast start-up, integrated with systemd.
    • Cons: no high-level features such as OpenVPN or Wi-Fi management.
  • networking.service
    • Pros: simple, broadly compatible.
    • Cons: limited features; cannot follow dynamic network changes on its own.

III. How to choose?

  1. Desktop users: NetworkManager (especially with Wi-Fi or VPNs).
  2. Servers/containers: systemd-networkd (light and efficient).
  3. Compatibility with existing setups: networking.service (avoids touching inherited configuration).

IV. Notes

  • Avoid conflicts: enable only one network management service at a time!
    # disable the others (example: when switching to systemd-networkd);
    # takes effect at the next boot, add --now to stop them immediately
    sudo systemctl disable NetworkManager
    sudo systemctl disable networking
  • Mixed use: NetworkManager and systemd-networkd can coexist if each is given its own set of interfaces. On the NetworkManager side this is an unmanaged-devices entry in a [keyfile] section under /etc/NetworkManager/conf.d/, e.g. unmanaged-devices=interface-name:eth1 (see NetworkManager.conf(5)).

With the comparison above, pick the tool that fits the actual requirements.
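The one-manager rule above can be checked mechanically. The following shell script is an added example, not part of this page's source or of any Debian package: it reads the enabled state of the three units, lists the non-loopback interfaces ifupdown would configure, and reports "conflict" (NetworkManager and systemd-networkd both enabled), "overlap" (systemd-networkd enabled while ifupdown still has stanzas for real interfaces) or "ok". NetworkManager together with ifupdown is reported ok because of the Debian default described in section 5.2.1 (interfaces listed in /etc/network/interfaces are left to ifupdown). The sample /etc/network/interfaces content is constructed.

```shell
#!/bin/sh
# Added example, not from the Debian Reference or the network-manager package:
# audit which of the three network managers a Debian host starts at boot and
# whether their interface sets overlap. The unit names are the real Debian
# ones; the interfaces file near the end is constructed for illustration.

# True when a `systemctl is-enabled` answer means the unit starts at boot.
is_enabled() {
    case "$1" in
        enabled|enabled-runtime) return 0 ;;
        *) return 1 ;;
    esac
}

# Interfaces ifupdown will configure: every "iface NAME" stanza in the given
# files except loopback, as one space-separated line. Usage: ifupdown_ifaces FILE...
ifupdown_ifaces() {
    awk '$1 == "iface" && $2 != "lo" { print $2 }' "$@" 2>/dev/null | sort -u | paste -s -d ' ' -
}

# Verdict for one host. Arguments: NetworkManager state, systemd-networkd
# state, ifupdown interface list (may be empty). Prints conflict, overlap or ok
# and returns non-zero for the first two so it can gate a provisioning script.
assess() {
    nm=$1; nd=$2; ifup=$3
    if is_enabled "$nm" && is_enabled "$nd"; then
        # Two daemons would both claim the same links: one manager at a time.
        echo conflict; return 1
    fi
    if is_enabled "$nd" && [ -n "$ifup" ]; then
        # systemd-networkd has no ifupdown awareness. NetworkManager does:
        # Debian's NetworkManager.conf sets managed=false for interfaces
        # listed in /etc/network/interfaces, so that pairing is reported ok.
        echo overlap; return 1
    fi
    echo ok
}

# Live audit of the current host (needs systemctl; not run by default).
audit_live() {
    nm=$(systemctl is-enabled NetworkManager 2>/dev/null || true)
    nd=$(systemctl is-enabled systemd-networkd 2>/dev/null || true)
    ifup=$(ifupdown_ifaces /etc/network/interfaces /etc/network/interfaces.d/*)
    printf 'NetworkManager=%s systemd-networkd=%s ifupdown=[%s]\n' \
        "${nm:-absent}" "${nd:-absent}" "$ifup"
    assess "$nm" "$nd" "$ifup"
}

# Constructed sample: a desktop that kept a static stanza in /etc/network/interfaces.
sample=$(mktemp)
cat >"$sample" <<'EOF'
auto lo
iface lo inet loopback

auto eth1
iface eth1 inet static
    address 192.168.0.15/24
EOF
sample_ifaces=$(ifupdown_ifaces "$sample")    # eth1
rm -f "$sample"

if [ "${NET_AUDIT_LIVE:-0}" = 1 ]; then
    audit_live
fi
```

Run it as "NET_AUDIT_LIVE=1 sh net-manager-audit.sh" on a host to get the live verdict. For the mixed setup, pair a clean verdict with an unmanaged-devices entry so NetworkManager leaves systemd-networkd's interfaces alone.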

5.5. The low level network configuration

For the low level network configuration on Linux, use the iproute2 programs (ip(8), …) .

5.5.1. Iproute2 commands

Iproute2 commands offer complete low-level network configuration capabilities. Here is a translation table from obsolete net-tools commands to new iproute2 etc. commands.

Table 5.3. Translation table from obsolete net-tools commands to new iproute2 commands

obsolete net-tools new iproute2 etc. manipulation
ifconfig(8) ip addr protocol (IP or IPv6) address on a device
route(8) ip route routing table entry
arp(8) ip neigh ARP or NDISC cache entry
ipmaddr ip maddr multicast address
iptunnel ip tunnel tunnel over IP
nameif(8) ifrename(8) name network interfaces based on MAC addresses
mii-tool(8) ethtool(8) Ethernet device settings

See ip(8) and Linux Advanced Routing & Traffic Control.

5.5.2. Safe low level network operations

You may use low level network commands as follows safely since they do not change network configuration.

Table 5.4. List of low level network commands

command description
ip addr show display the link and address status of active interfaces
route -n display all the routing table in numerical addresses (net-tools, obsolete)
ip route show display all the routing table in numerical addresses
arp display the current content of the ARP cache tables (net-tools, obsolete)
ip neigh display the current content of the ARP cache tables
plog display ppp daemon log
ping yahoo.com check the Internet connection to "yahoo.com"
whois yahoo.com check who registered "yahoo.com" in the domains database
traceroute yahoo.com trace the Internet connection to "yahoo.com"
tracepath yahoo.com trace the Internet connection to "yahoo.com"
mtr yahoo.com trace the Internet connection to "yahoo.com" (repeatedly)
dig [@dns-server.com] example.com [{a|mx|…}] query the DNS records of "example.com" of the given type, optionally via "dns-server.com"
iptables -L -n check packet filter (needs root; "nft list ruleset" for nftables)
netstat -a find all open ports (net-tools, obsolete; "ss -a")
netstat -l --inet find listening IPv4 ports (net-tools, obsolete; "ss -l -4")
netstat -ln --tcp find listening TCP ports (numeric) (net-tools, obsolete; "ss -ltn")
dlint example.com check DNS zone information of "example.com"
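The netstat rows above come from net-tools, which Debian has deprecated in favour of iproute2's ss(8). The following is an added example, not from the Debian Reference: a read-only audit built on "ss -ltnH" that separates listeners bound to all addresses (reachable from the network) from those bound to loopback, which is the question a hardening review actually asks of that list. The sample ss output is constructed.

```shell
#!/bin/sh
# Added example, not from the Debian Reference: a read-only listening-socket
# audit that flags TCP listeners bound to every address rather than loopback.
# It consumes `ss -ltnH` output (iproute2's replacement for `netstat -ln --tcp`);
# the sample lines below are constructed, not captured from a real host.

# Classify a local address:port from ss as exposed (wildcard bind), local
# (loopback) or specific (one concrete address). Handles IPv4, "*" and the
# bracketed IPv6 forms ss prints, e.g. [::]:22 and [::1]:631.
classify_bind() {
    addr=${1%:*}                     # drop the port after the last colon
    case "$addr" in
        0.0.0.0|'*'|'[::]'|'::')   echo exposed ;;
        127.*|'[::1]'|'::1')       echo local ;;
        *)                         echo specific ;;
    esac
}

# Read ss -ltnH lines (State Recv-Q Send-Q Local:Port Peer:Port [Process]) on
# stdin and print "PORT CLASS" per listener; the exposed ones are the review list.
audit_listeners() {
    awk '{ print $4 }' | while IFS= read -r laddr; do
        printf '%s %s\n' "${laddr##*:}" "$(classify_bind "$laddr")"
    done
}

# Number of exposed listeners in the ss output on stdin.
count_exposed() {
    audit_listeners | awk '$2 == "exposed"' | wc -l | tr -d ' '
}

# Constructed sample of `ss -ltnH` output: sshd and a web server on all
# addresses, CUPS and MariaDB on loopback only.
sample_ss='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:80 *:*'

# On a real host:  ss -ltnH | audit_listeners
printf '%s\n' "$sample_ss" | audit_listeners
```

Anything reported as exposed should either be intended (sshd, the web server) or be bound to loopback instead; the firewall section below is the other place to close what remains.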

5.7. Netfilter infrastructure

Netfilter provides infrastructure for stateful firewall and network address translation (NAT) with Linux kernel modules (see Section 3.9, “The kernel module initialization”).

Table 5.7. List of firewall tools

packages popcon size description
nftables V:106, I:701 182 administration tools for packet filtering and NAT (Netfilter) (successor to {ip,ip6,arp,eb}tables)
iptables V:319, I:718 2414 administration tools for netfilter (iptables(8) for IPv4, ip6tables(8) for IPv6)
arptables V:0, I:1 100 administration tools for netfilter (arptables(8) for ARP)
ebtables V:14, I:29 276 administration tools for netfilter (ebtables(8) for Ethernet bridging)
iptstate V:0, I:2 119 continuously monitor netfilter state (similar to top(1))
ufw V:55, I:77 859 Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall
gufw V:5, I:10 3660 graphical user interface for Uncomplicated Firewall (UFW)
firewalld V:11, I:16 2613 firewalld is a dynamically managed firewall program with support for network zones
firewall-config V:0, I:3 1163 graphical user interface for firewalld
shorewall-init V:0, I:0 88 Shoreline Firewall initialization
shorewall V:3, I:8 3090 Shoreline Firewall, netfilter configuration file generator
shorewall-lite V:0, I:0 71 Shoreline Firewall, netfilter configuration file generator (light version)
shorewall6 V:0, I:1 1334 Shoreline Firewall, netfilter configuration file generator (IPv6 version)
shorewall6-lite V:0, I:0 71 Shoreline Firewall, netfilter configuration file generator (IPv6, light version)

The main user-space front end to netfilter on current Debian is nft(8) from the nftables package. The iptables package is still available, but since Debian 10 its commands run on the nftables backend (iptables-nft), and mixing iptables and nft rulesets on one host is best avoided. With iptables you can configure netfilter interactively from the shell, save its state with iptables-save(8), and restore it at boot with iptables-restore(8) (the netfilter-persistent package automates this). With nftables the ruleset goes in "/etc/nftables.conf", which nftables.service loads at boot.

Configuration helper scripts such as shorewall ease this process.

See the documentation at Netfilter Documentation (or in "/usr/share/doc/iptables/html/").
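Added example (not from the Debian Reference or the nftables package) of the nft-based approach: a script that emits a minimal stateful, default-deny input policy for a single host, parameterised by the TCP ports it serves, and parse-checks the result with "nft -c -f" before anything is loaded. The SSH rate-limit rule is an assumed policy choice, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not from the Debian Reference or the nftables package: emit a
# minimal stateful default-deny nftables ruleset for a single host and
# syntax-check it with `nft -c -f` when nft is installed. The ports given as
# arguments are the only inbound TCP services allowed; the global SSH
# new-connection rate limit is an assumed policy, not something the page prescribes.

# Print the ruleset. Usage: nft_ruleset PORT...   (e.g. nft_ruleset 22 443)
nft_ruleset() {
    ports=$(printf '%s,' "$@"); ports=${ports%,}
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful core: replies to our own traffic pass, malformed state is dropped.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP/ICMPv6 stay open: PMTU discovery and IPv6 neighbour discovery need them.
        meta l4proto { icmp, ipv6-icmp } accept

        # Assumed policy: throttle SSH connection attempts (global, not per source).
        tcp dport 22 ct state new limit rate over 10/minute drop

        # The only inbound services this host offers.
        tcp dport { $ports } ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse-check a ruleset file without loading it. Prints "checked" on success,
# "skipped" when the nftables package is absent; fails on a syntax error.
nft_check() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1" && echo checked
    else
        echo skipped
    fi
}

# Stand-alone use:  sh fw.sh 22 443 > /etc/nftables.conf
# The ruleset goes to stdout only after the check passed; the verdict goes to stderr.
if [ "$#" -gt 0 ]; then
    tmp=$(mktemp)
    nft_ruleset "$@" >"$tmp"
    nft_check "$tmp" >&2 && cat "$tmp"
    rm -f "$tmp"
fi
```

Write the output to /etc/nftables.conf and enable nftables.service; because established connections are accepted before the drop policy applies, loading the ruleset over an existing SSH session does not cut that session. The rate limit is global rather than per source, so a flood against port 22 also delays legitimate logins; a per-source dynamic set is the next refinement.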

Using NetworkManager in practice

Using NetworkManager (NMCLI) on Ubuntu and Debian | ComputingForGeeks

nmcli

https://manpages.debian.org/bookworm/network-manager/nmcli.1.en.html

Device vs. connection

A device is a physical or virtual network interface: an Ethernet card, a Wi-Fi adapter, or a virtual VPN interface. A connection is a saved set of settings for using such an interface, e.g. for a Wi-Fi network its SSID, password and IP settings. One device can therefore have several connections stored for it, but only one of them is active at a time.

For example, a laptop has one wireless card (the device) but may have saved connections for home, office and coffee-shop Wi-Fi; at home the home connection is activated, at the office the office one. Likewise an Ethernet device can have a DHCP and a static-IP configuration saved as two different connections, and the user activates whichever is needed. The device is the interface the hardware or kernel exposes; the connection is a configuration set managed by NetworkManager.

Activating a connection applies it to the matching device: activating a Wi-Fi connection configures the wireless device with that connection's parameters. When a device becomes available (e.g. a cable is plugged in), NetworkManager can also activate its associated connection automatically if autoconnect is set. This lets the user switch configurations per situation without re-specifying device parameters.

In NetworkManager's nmcli tool, connection and device are the two core concepts. Their roles and differences are as follows:

1. Device

  • Definition
    A device is a physical or virtual network interface, for example:
    • a physical NIC (Ethernet card enp0s3, wireless card wlp2s0);
    • a virtual interface (VPN tunnel tun0, bridge virbr0).
  • Role
    • Represents real network hardware, or an interface provided by a kernel module.
    • Its state is controlled by the kernel or driver (link up/down, signal strength, ...).
  • Key properties
    • A device is a "physical layer" entity, visible to tools such as ip link and ifconfig.
    • A device can have only one active connection at a time.
    • A device may be unmanaged (if NetworkManager is configured not to manage it).

Common commands

    # list all devices and their state
    nmcli device status

    # show details of one device
    nmcli device show <device>

2. Connection

  • Definition
    A connection is a set of network settings (IP address, DNS, SSID, password, ...) that controls how the network is reached through a device.
  • Role
    • Stores a network configuration for a device to use on demand.
    • Supports several types: Ethernet, Wi-Fi, VPN, bridge, ...
  • Key properties
    • A connection is a "logical layer" configuration, decoupled from the device. For example:
      • One Wi-Fi device (e.g. wlp2s0) can have several saved connections (home Wi-Fi, office Wi-Fi).
      • A connection can be bound to a specific device or left to apply to any matching device.
    • Several connections can be saved for one device, but only one is active at a time.
    • Connections support automatic activation (e.g. bringing up the Ethernet connection when a cable is plugged in).

Common commands

    # list all saved connections
    nmcli connection show

    # activate a connection
    nmcli connection up <connection-name>

    # create a new Wi-Fi connection (the PSK given here lands in the shell
    # history; "nmcli --ask device wifi connect <SSID>" prompts for it instead)
    nmcli connection add type wifi ssid <SSID> wifi-sec.key-mgmt wpa-psk wifi-sec.psk <password>

3. Differences and relationship

Aspect | Device | Connection
Nature | physical/virtual interface (hardware or kernel module) | a set of network settings (logical configuration)
Multiplicity | one device per piece of hardware | several connections may be associated with one device (only one active at a time)
Dependency | exists or not depending on the system's hardware | can exist independently, without the device being present
Automatic management | NetworkManager creates device objects automatically | connections are created by hand, or generated by a UI/tool (e.g. from a Wi-Fi scan)

4. How they work together

  1. Plugging in a cable
    • The system detects the Ethernet device (e.g. enp0s3).
    • NetworkManager automatically activates the connection bound to that device (e.g. "Wired connection 1").
  2. Switching Wi-Fi networks
    • The device wlp2s0 already exists.
    • The user activates another saved connection (e.g. from "home Wi-Fi" to "office Wi-Fi"); the device drops the current connection and applies the new settings.
  3. VPN connection
    • Activating a VPN connection creates a virtual device (e.g. tun0).
    • The VPN settings (server address, certificates, ...) live in the connection; once active, it is bound to the virtual device.

5. Summary

  • Device: the "hard" part, a network interface, physical or virtual.
  • Connection: the "soft" part, the configuration that decides how a device joins a network.
  • Together: choosing the right connection for a device gives flexible network management (switching between scenarios, redundant configurations).

Chapter 6. Network applications

https://www.debian.org/doc/manuals/debian-reference/ch06.en.html

6.3. The remote access server and utilities (SSH)

The Secure SHell (SSH) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as openssh-client and openssh-server packages in Debian.

For the user, ssh(1) functions as a smarter and more secure telnet(1). Unlike telnet command, ssh command does not stop on the telnet escape character (initial default CTRL-]).

Table 6.7. List of remote access server and utilities

package popcon size tool description
openssh-client V:866, I:996 4959 ssh(1) Secure shell client
openssh-server V:730, I:814 1804 sshd(8) Secure shell server
ssh-askpass I:23 102 ssh-askpass(1) asks user for a pass phrase for ssh-add (plain X)
ssh-askpass-gnome V:0, I:3 200 ssh-askpass-gnome(1) asks user for a pass phrase for ssh-add (GNOME)
ssh-askpass-fullscreen V:0, I:0 48 ssh-askpass-fullscreen(1) asks user for a pass phrase for ssh-add (GNOME) with extra eye candy
shellinabox V:0, I:1 507 shellinaboxd(1) web server for a browser-accessible VT100 terminal emulator

Although shellinabox is not a SSH program, it is listed here as an interesting alternative for the remote terminal access.

6.3.1. Basics of SSH

The OpenSSH SSH daemon supports SSH protocol 2 only.

Please read "/usr/share/doc/openssh-client/README.Debian.gz", ssh(1), sshd(8), ssh-agent(1), ssh-keygen(1) and ssh-add(1).

Table 6.8. List of SSH configuration files

configuration file description of configuration file
/etc/ssh/ssh_config SSH client defaults, see ssh_config(5)
/etc/ssh/sshd_config SSH server defaults, see sshd_config(5)
~/.ssh/authorized_keys default public SSH keys that clients use to connect to this account on this SSH server
~/.ssh/id_rsa secret SSH-2 RSA key of the user
~/.ssh/id_<key-type-name> secret SSH-2 key of type <key-type-name> (ecdsa, ed25519, ...) of the user

6.3.3. Connecting without remote passwords

One can avoid having to remember passwords for remote systems by using "PubkeyAuthentication" (SSH-2 protocol).

On the remote system, make sure "PubkeyAuthentication yes" is in effect in "/etc/ssh/sshd_config" (it is the default; on current Debian, local overrides belong in "/etc/ssh/sshd_config.d/*.conf", which the main file includes).

Generate authentication keys locally and install the public key on the remote system by the following.

$ ssh-keygen -t rsa
$ cat .ssh/id_rsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"

This assumes "~/.ssh" already exists on the remote account with mode 700: sshd's default "StrictModes yes" ignores keys in a directory or file that others can write. "ssh-copy-id user1@remote" (also in openssh-client) creates the directory and sets the modes for you. Recent OpenSSH (9.5 and later) generates ed25519 keys by default ("ssh-keygen -t ed25519"), which are shorter and have no parameter choices to get wrong. Only after a key login has been verified should "PasswordAuthentication no" be set on the server; otherwise you can lock yourself out.

You can add options to the entries in "~/.ssh/authorized_keys" to limit hosts and to run specific commands. See sshd(8) "AUTHORIZED_KEYS FILE FORMAT".
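The authorized_keys options mentioned above are where the real access control lives. The following shell script is an added example, not from the Debian Reference or OpenSSH: it builds an entry that pins a key to a source network and a single command with the "restrict" option, refuses obsolete key types, and appends the entry on the remote account with the modes sshd expects. The public key text and the command path /usr/local/bin/backup-pull are constructed for illustration; the option set is an assumed policy.

```shell
#!/bin/sh
# Added example, not from the Debian Reference or OpenSSH: build an
# authorized_keys entry that confines a key to one source network and one
# command, then append it on the remote account with safe modes. The public
# key and the command path /usr/local/bin/backup-pull are constructed for
# illustration; the option set in restrict_key is an assumed policy.

# Constructed sample, shaped like what `ssh-keygen -t ed25519` writes to
# id_ed25519.pub (the base64 body is made up and will not verify).
sample_pub='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl user1@laptop'

# Print the key type if it is one still accepted, fail otherwise. ssh-dss (DSA)
# is refused: it is disabled in current OpenSSH releases. ssh-rsa keys still
# pass, because the server signs with rsa-sha2-* for them; only the SHA-1
# signature algorithm of that name is gone.
key_type() {
    t=${1%% *}
    case "$t" in
        ssh-ed25519|sk-ssh-ed25519@openssh.com|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ecdsa-sha2-nistp256@openssh.com)
            echo "$t" ;;
        *)  return 1 ;;
    esac
}

# Build the restricted line. "restrict" (sshd(8) AUTHORIZED_KEYS FILE FORMAT)
# turns off port/agent/X11 forwarding, PTY allocation and ~/.ssh/rc in one
# word; from= limits the client source (CIDR allowed); command= replaces
# whatever the client asked to run. Usage: restrict_key FROM COMMAND "PUBKEY-LINE"
restrict_key() {
    from=$1; cmd=$2; pub=$3
    key_type "$pub" >/dev/null || { echo "refusing key type ${pub%% *}" >&2; return 1; }
    printf 'from="%s",command="%s",restrict %s\n' "$from" "$cmd" "$pub"
}

# Append an entry on the remote account. umask 077 gives ~/.ssh mode 700 and
# authorized_keys mode 600, which sshd's default StrictModes requires
# (ssh-copy-id does the same for an unrestricted key). Usage: install_key HOST ENTRY
install_key() {
    printf '%s\n' "$2" | ssh "$1" 'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
}

# Example entry for a backup puller that may only come from the LAN.
restrict_key '192.168.0.0/24' '/usr/local/bin/backup-pull' "$sample_pub"
```

With such an entry the key is useless for an interactive shell even if the private half leaks: the forced command runs whatever the client requested or not, and the from= clause rejects connections from anywhere else. Check the result with "ssh -v" from the allowed network and from outside it before relying on it.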

Author: Administrator

Link: http://localhost:8090//archives/debiannote

Copyright: unless stated otherwise, all posts on this blog are licensed under CC BY-NC-SA 4.0; please credit the source when reposting.

