Studying for RHCSA and RHCE
My recent posts were about things I was playing around with that relate to topics covered in the RHCSA and RHCE exams.
I'm preparing myself to take these exams in february/2012 and I need some place to store my notes. Here you will find small tips, tricks, common switches, commands, etc. This is all stuff that I need to know in order to pass the exams. And it's also stuff that I know I have to play with and write down to help my memory retain the information.
let the show begin....
-----------
Bind
Master zone
Forward zone:
the directive forwarders can also be used in the global context.
--------------
Samba
If you create a directory and would like to share it, run:
-P makes the change to the boolean persistent across reboots.
OR
-----------
Vsftpd
Allow anonymous upload
cat /etc/vsftpd/vsftpd.conf
-----------
VNC
server side:
/etc/sysconfig/vncservers
client side:
vncviewer -via server9 localhost:2
this will make an ssh tunnel to server9 and tunnel the vnc connection through it.
- Querying RPMs
rpm -qi xxx -> query info. same as yum info xxx
rpm -q --scripts xxx -> query scripts
rpm -ql xxx -> list of files inside the rpm.
any of the above can also take the -p switch. this treats xxx as a local rpm file, not an installed package
rpm -qf /sbin/service -> will show which package contains the /sbin/service file
rpm -qa -> query all installed packages
- Extract files from rpm:
rpm2cpio xxx | cpio -idmv
if you run rpm -qlp xxx and see the one file that you want, you can extract just that file by running the following:
rpm2cpio xxx | cpio -idmv ./etc/apt/sources.list.d/rpmforge-extras.list
Please don't forget the dot in front of the filename. otherwise no files will be extracted.
- Querying installed packages
If you want to know if a package is installed use:
yum list "*http*"
It will list the Installed Packages and also the Available Packages. yum list only searches the package names. yum search also searches the package descriptions.
- Installing RPMs
yum localinstall xxx.rpm works just like rpm -ivh xxx.rpm but will also resolve the dependencies if necessary.
--------------------------------------------------
- Creating RPMs
yum install rpm-build make -y
OR
mkdir -p /usr/src/lutieri/{BUILD,RPMS,SOURCES,SPECS,SRPMS,tmp}
cd /usr/src/lutieri/
mkdir sample
cd sample/
touch first_file second_file keys config_file
cd ..
tar -czf sample.tar.gz sample/
mv sample.tar.gz SOURCES/
create a spec file in SPECS: run vim foo.spec -> vim will load a template for you :-D
rpmbuild -v -bb SPECS/sample.spec
rpmbuild -v -bb --sign SPECS/sample.spec
the latter example works if you have the rpmmacros set correctly. then the package will be built and signed.
Instead of creating all those directories, create the .spec file and run rpmbuild on it. it will create the whole directory structure in ~/rpmbuild/. then move the .spec to ~/rpmbuild/SPECS and the tar to ~/rpmbuild/SOURCES and run rpmbuild again against the .spec.
OR
Install rpmdevtools and run rpmdev-setuptree. This will also create the folder structure in the home directory.
in the SPEC file, under the section %files you should specify every file that this package is responsible for.
%files
%defattr(-,root,root,-)
%dir /root/package
%attr(755,root,root) /root/package/script.sh
Instead of using cp to copy files to a specific location, use install -D
- Signing a package
gpg-agent --daemon
gpg2 --gen-key
gpg2 --list-keys
gpg2 --export -a lutieri2 > RPM-GPG-KEY-lutieri2
su -
rpm --import /home/lutieri/RPM-GPG-KEY-lutieri2
exit
vim ~/.rpmmacros
%_signature gpg
%_gpg_name lutieri2
rpm --addsign rpmbuild/RPMS/i386/lutieri-1.1-0.i386.rpm
rpm --resign rpmbuild/RPMS/i386/lutieri-1.1-0.i386.rpm
rpm --checksig rpmbuild/RPMS/i386/lutieri-1.1-0.i386.rpm
Run man rpm and search for macro.. this will show you what goes inside the .rpmmacros file.
all the keys imported into the RPM DB are considered packages. take a look:
rpm -q gpg-pubkey --qf "%{name} - %{version} - %{release} -> %{summary}\n"
gpg-pubkey - c105b9de - 4e0fd3a3 -> gpg(CentOS-6 Key (CentOS 6 Official Signing Key))
gpg-pubkey - 8cee003f - 4f03b71a -> gpg(lutieri )
gpg-pubkey - cf7fe955 - 4f03bacf -> gpg(lutieri2 )
rpm -qa gpg-pub*
gpg-pubkey-cf7fe955-4f03bacf
gpg-pubkey-8cee003f-4f03b71a
gpg-pubkey-c105b9de-4e0fd3a3
thus, to remove the lutieri2 key, issue:
rpm -e gpg-pubkey-cf7fe955-4f03bacf
- Create a repository:
yum install -y createrepo
mkdir /opt/myrepo
mv *.rpm /opt/myrepo
createrepo /opt/myrepo
vim /etc/yum.repos.d/lutieri.repo
[lutieri]
baseurl=file:///opt/myrepo
name=lutierirepo
enabled=1
man yum.conf shows you the options that go in the .repo files.
If later on you add new RPMs to the directory run the following to update the metadata:
createrepo --update /opt/myrepo
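The .repo file above has no gpgcheck line, so yum will install anything found in /opt/myrepo whether or not it carries a signature from the key imported in the signing section. The script below is an added example, not part of the original notes: it writes a .repo file with gpgcheck=1 and a gpgkey pointing at the exported public key, and checks an existing .repo file for that setting. The repo id, directory and key path are arguments; the values used here are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): write a .repo file for a
# local createrepo directory with GPG verification switched on, and check
# any .repo file for it. The repo id, directory and key path are arguments;
# the values used in the test are assumptions for illustration.

# write_repo_file <repo-file> <repo-id> <repo-dir> <gpg-key-file>
# gpgcheck=1 makes yum reject packages whose signature does not verify
# against an imported key; gpgkey tells yum where to import that key from.
write_repo_file() {
    repo_file=$1; repo_id=$2; repo_dir=$3; key_file=$4
    cat > "$repo_file" <<EOF
[$repo_id]
name=$repo_id repository
baseurl=file://$repo_dir
enabled=1
gpgcheck=1
gpgkey=file://$key_file
EOF
}

# repo_gpgcheck_enabled <repo-file>: exit 0 only if every [section] in the
# file sets gpgcheck=1; a section with gpgcheck=0 or no gpgcheck line fails.
repo_gpgcheck_enabled() {
    awk '
        /^\[/ { if (insection && !ok) bad++; insection = 1; ok = 0; next }
        /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END { if (insection && !ok) bad++; exit (bad > 0) }
    ' "$1"
}
```

Usage: write_repo_file /etc/yum.repos.d/lutieri.repo lutieri /opt/myrepo /etc/pki/rpm-gpg/RPM-GPG-KEY-lutieri2, then repo_gpgcheck_enabled /etc/yum.repos.d/lutieri.repo as a quick audit of every repo file before trusting it. The checker is deliberately strict: a section that never mentions gpgcheck inherits the main section's default, which on a stock system may be 0, so it is reported rather than assumed safe.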
Network
on ifcfg-* files, the option NM_CONTROLLED="NO" will not allow NetworkManager to manage this interface
Bonding:
vim /etc/modprobe.d/bonding.conf
alias bond0 bonding
To find out what options are necessary in the master interface do the following
find /usr/share/doc/kernel-doc* -iname "bond*"
less /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/bonding.txt
miimon is required as well as mode. Mode 1=rr, 2=active/passive 3=broadcast
Master:
vim /etc/sysconfig/network-scripts/ifcfg-bond0
TYPE=Ethernet
DEVICE=bond0
BOOTPROTO=none
IPADDR=1.1.1.1
NETMASK=255.255.255.0
USERCTL=yes
IPV6INIT=no
ONBOOT=yes
BONDING_OPTS="miimon=100 mode=0"
Slaves:
vim /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
If you wanna see if the options in BONDING_OPTS were applied, take a look in
[root@zeus ~]# cat /sys/class/net/bond0/bonding/miimon
100
[root@zeus ~]# cat /sys/class/net/bond0/bonding/mode
balance-rr 0
--------------------------------------------------
File Systems
palimpsest
it's a graphic utility to manage disks.
TIP:
fdisk -cul /dev/?d?
it lists all disk devices.
LUKS - Linux Unified Key Setup
make sure you have the partition unmounted
Format the partition to be encrypted:
cryptsetup luksFormat /dev/sdb1
Open the FS and give it a name:
cryptsetup luksOpen /dev/sdb1 hiddenData
Format it to use:
mkfs.ext4 /dev/mapper/hiddenData
Use it:
mkdir /mnt/hiddenData
mount /dev/mapper/hiddenData /mnt/hiddenData
touch /mnt/hiddenData/file1
Lock it after use:
umount /mnt/hiddenData
cryptsetup luksClose /dev/mapper/hiddenData
Make the mount persistent after reboot:
vim /etc/crypttab
hiddenData /dev/sda2 none
none means you will have to type the password during boot. any other value is interpreted as a file that contains the password for the FS
vim /etc/fstab
/dev/mapper/hiddenData /mnt/hiddenData ext4 defaults 0 0
To avoid being prompted for a password you can create a key, save it in a file and use this key to open the device:
vim /etc/key
type anything in there
chmod 400 /etc/key
cryptsetup luksAddKey /dev/vda5 /etc/key
cryptsetup luksDump /dev/vda5
vim /etc/crypttab
hiddenData /dev/sda2 /etc/key
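The key file above is whatever you "type in there", which makes it a short, guessable passphrase stored on disk. As an added example that is not part of the original notes, the helper below fills the key file from /dev/urandom instead, creates it under umask 077 so it never exists in a readable state, locks it to mode 0400, and provides a check that refuses a key file any other user could read. The path is an argument; /etc/key is only the notes' own choice, and the sizes used are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): create a LUKS key file from
# /dev/urandom rather than typed text, with permissions that keep it
# root-only, plus a check that rejects a key file readable by anyone else.
# The path and byte count are arguments; 64 bytes is an assumed default.

# make_luks_keyfile <path> [bytes]: write <bytes> (default 64) random bytes
# to <path>, creating it with mode 0400 so no other user can read it.
# The result is what "cryptsetup luksAddKey <device> <path>" would enrol.
make_luks_keyfile() {
    path=$1; bytes=${2:-64}
    # umask 077 inside a subshell: the file is 0600 from the moment it exists
    ( umask 077 && head -c "$bytes" /dev/urandom > "$path" ) || return 1
    chmod 0400 "$path"
}

# keyfile_is_private <path>: exit 0 if <path> is a non-empty regular file
# with mode exactly 0400, i.e. safe to reference from /etc/crypttab.
keyfile_is_private() {
    path=$1
    [ -f "$path" ] && [ -s "$path" ] || return 1
    # find prints the path only when the permission bits are exactly 0400
    [ "$(find "$path" -perm 0400)" = "$path" ]
}

# keyfile_size <path>: number of bytes in the key file
keyfile_size() {
    wc -c < "$1" | tr -d ' '
}
```

Usage: make_luks_keyfile /etc/key 64, then cryptsetup luksAddKey /dev/sdb1 /etc/key as in the notes; run keyfile_is_private /etc/key in the same script that adds the key so a file someone later chmod'ed to 0644 is caught before it ends up in /etc/crypttab.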
------------------
iSCSI
doc under: /usr/share/doc/iscsi*/README
# yum install -y iscsi-initiator-utils
# iscsiadm -m discovery -t st -p 192.168.56.101
192.168.56.101:3260,1 iqn.2006-01.com.openfiler:tsn.cc35969be1c0
Log in to the target
# iscsiadm -m node -T iqn.2006-01.com.openfiler:tsn.cc35969be1c0 -p 192.168.56.101 -l
Logging in to [iface: default, target: iqn.2006-01.com.openfiler:tsn.cc35969be1c0, portal: 192.168.56.101,3260] (multiple)
Login to [iface: default, target: iqn.2006-01.com.openfiler:tsn.cc35969be1c0, portal: 192.168.56.101,3260] successful.
take a look in /var/log/messages and see which block devices appear, OR run
# find /sys/devices/platform/host* -name "block*"
/sys/devices/platform/host4/session1/target4:0:0/4:0:0:0/block
# ls /sys/devices/platform/host4/session1/target4\:0\:0/4\:0\:0\:0/block/
sdc
service iscsi status
will also show you, in the very bottom line, what devices iscsi is attached to.
Make it persistent after reboots:
vim /etc/fstab
/dev/sdc1 /mnt/openfiler ext4 _netdev 0 0
Cleaning the DBs:
Removing known portals:
[root@zeus ~]# iscsiadm -m discoverydb
192.168.56.102:3260 via sendtargets
192.168.56.101:3260 via sendtargets
[root@zeus ~]# iscsiadm -m discovery -o delete -p 192.168.56.102
[root@zeus ~]# iscsiadm -m discovery -o delete -p 192.168.56.101
[root@zeus ~]# iscsiadm -m discovery
[root@zeus ~]#
----------------------------------
After managing partitions you should reload the partition table. partprobe used to be a good choice but seems to be deprecated right now. partx or kpartx seem to be the new options.
partx -a /dev/sda will add new partitions to the system. double check by running cat /proc/partitions
partx -d /dev/sda will remove all inactive partitions from the system.
Please use fdisk -cu.. these switches disable DOS-compatible mode and show sectors instead of cylinders
-------
LVM
- Creating PVs
[root@zeus ~]# fdisk -l /dev/sdc
Disk /dev/sdc: 1073 MB, 1073741824 bytes
34 heads, 61 sectors/track, 1011 cylinders
Units = cylinders of 2074 * 512 = 1061888 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0000dfdc
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1          95       98484+  8e  Linux LVM
/dev/sdc2              96         426      343247   83  Linux
[root@zeus ~]# pvcreate /dev/sdc1
  Physical volume "/dev/sdc1" successfully created
[root@zeus ~]# pvcreate /dev/sdc2
  Physical volume "/dev/sdc2" successfully created
[root@zeus ~]#
The man page for pvcreate says a partition should be type 8e but it does not complain about /dev/sdc2 though. let's move on..
Note that the -v switch of vgdisplay also lists the PVs that are part of the VG.
- Creating a VG
[root@zeus ~]# vgcreate mp3 /dev/sdc1
  Volume group "mp3" successfully created
[root@zeus ~]# vgdisplay -v mp3
    Using volume group(s) on command line
    Finding volume group "mp3"
  --- Volume group ---
  VG Name               mp3
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  1
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                0
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               92.00 MiB
  PE Size               4.00 MiB
  Total PE              23
  Alloc PE / Size       0 / 0
  Free  PE / Size       23 / 92.00 MiB
  VG UUID               tc1JKq-TBBw-zYax-51ET-2A5t-hK0t-wsWXTO
  --- Physical volumes ---
  PV Name               /dev/sdc1
  PV UUID               XUKAwo-eZRI-Gq12-7oUb-4w8w-25rN-t64cBI
  PV Status             allocatable
  Total PE / Free PE    23 / 23
- Creating LVs
[root@zeus ~]# lvcreate -L 50M mp3 -n rock_and_roll
  Rounding up size to full physical extent 52.00 MiB
  Logical volume "rock_and_roll" created
[root@zeus ~]# lvcreate -L 10M mp3 -n soul
  Rounding up size to full physical extent 12.00 MiB
  Logical volume "soul" created
[root@zeus ~]# lvs
  LV            VG   Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  rock_and_roll mp3  -wi-a- 52.00m
  soul          mp3  -wi-a- 12.00m
- Observing the VG
[root@zeus ~]# vgdisplay -v mp3
    Using volume group(s) on command line
    Finding volume group "mp3"
  --- Volume group ---
  VG Name               mp3
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  3
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                2
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               92.00 MiB
  PE Size               4.00 MiB
  Total PE              23
  Alloc PE / Size       16 / 64.00 MiB
  Free  PE / Size       7 / 28.00 MiB
  VG UUID               tc1JKq-TBBw-zYax-51ET-2A5t-hK0t-wsWXTO
  --- Logical volume ---
  LV Name                /dev/mp3/rock_and_roll
  VG Name                mp3
  LV UUID                EQ73g4-TFPw-6WTg-ufWp-RAXq-MVVU-fHSh9T
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                52.00 MiB
  Current LE             13
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2
  --- Logical volume ---
  LV Name                /dev/mp3/soul
  VG Name                mp3
  LV UUID                nchsYN-2eSX-Z3Bw-WV5w-2xxV-5oQM-8Vh8xj
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                12.00 MiB
  Current LE             3
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:3
  --- Physical volumes ---
  PV Name               /dev/sdc1
  PV UUID               XUKAwo-eZRI-Gq12-7oUb-4w8w-25rN-t64cBI
  PV Status             allocatable
  Total PE / Free PE    23 / 7
- Rename a LV:
[root@zeus ~]# lvcreate -L 10M mp3
  Rounding up size to full physical extent 12.00 MiB
  Logical volume "lvol0" created
[root@zeus ~]# lvs
  LV            VG   Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  lvol0         mp3  -wi-a- 12.00m
  rock_and_roll mp3  -wi-a- 52.00m
  soul          mp3  -wi-a- 12.00m
[root@zeus ~]# lvrename /dev/mp3/lvol0 /dev/mp3/celtic
  Renamed "lvol0" to "celtic" in volume group "mp3"
[root@zeus ~]# lvs
  LV            VG   Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  celtic        mp3  -wi-a- 12.00m
  rock_and_roll mp3  -wi-a- 52.00m
  soul          mp3  -wi-a- 12.00m
- Resizing LVs
[root@zeus ~]# lvresize -L 15M /dev/mp3/celtic
  Rounding up size to full physical extent 16.00 MiB
  Extending logical volume celtic to 16.00 MiB
  Logical volume celtic successfully resized
[root@zeus ~]# lvresize -L 12M /dev/mp3/celtic
  WARNING: Reducing active logical volume to 12.00 MiB
  THIS MAY DESTROY YOUR DATA (filesystem etc.)
Do you really want to reduce celtic? [y/n]: y
  Reducing logical volume celtic to 12.00 MiB
  Logical volume celtic successfully resized
Extending/Reducing VGs
[root@zeus ~]# vgs
  VG      #PV #LV #SN Attr   VSize   VFree
  mp3       1   3   0 wz--n-  92.00m 16.00m
  vg_zeus   1   2   0 wz--n-   7.51g      0
[root@zeus ~]# vgextend mp3 /dev/sdc2
  Volume group "mp3" successfully extended
[root@zeus ~]# vgs
  VG      #PV #LV #SN Attr   VSize   VFree
  mp3       2   3   0 wz--n- 424.00m 348.00m
[root@zeus ~]# vgreduce mp3 /dev/sdc2
  Removed "/dev/sdc2" from volume group "mp3"
[root@zeus ~]#
Moving extents from one disk to another
Make sure your VG has more than one disk. In this case I have sdc1 and sdc2 and will move the extents from sdc1 to sdc2
[root@zeus ~]# pvmove /dev/sdc1 /dev/sdc2
  /dev/sdc1: Moved: 0.0%
  /dev/sdc1: Moved: 21.1%
  /dev/sdc1: Moved: 31.6%
  /dev/sdc1: Moved: 47.4%
  /dev/sdc1: Moved: 57.9%
  /dev/sdc1: Moved: 68.4%
  /dev/sdc1: Moved: 78.9%
  /dev/sdc1: Moved: 84.2%
  /dev/sdc1: Moved: 100.0%
If now you take a look at sdc1, no extents are allocated on this partition (disk) any more
[root@zeus ~]# pvdisplay -v /dev/sdc1
    Using physical volume(s) on command line
  --- Physical volume ---
  PV Name               /dev/sdc1
  VG Name               mp3
  PV Size               96.18 MiB / not usable 4.18 MiB
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              23
  Free PE               23
  Allocated PE          0
  PV UUID               XUKAwo-eZRI-Gq12-7oUb-4w8w-25rN-t64cBI
Taking Snapshots
lvcreate -s -L50M -n rock_snapshot /dev/mp3/rock_and_roll
mount the snapshot, copy the frozen data and delete it.
lvremove /dev/mp3/rock_snapshot
-------------------------------------------------------------
FileSystems
ACLs:
dumpe2fs /dev/xxx | grep Defaults will show which are the default mount options. acl, user_xattr must be listed to have acl support in the first place.
tune2fs -o acl,user_xattr /dev/xxx can be issued to set the default mount options.
tune2fs -o ^acl,^user_xattr /dev/xxx can be issued to clear the default mount options.
These options are overridden by /etc/fstab or by options on the mount command line.
BTW, if you set the default mount options and mount the volume you won't be able to see the acl option listed in the output of mount. This can cause some confusion but acl will be enabled anyway.
----------------
Authentication
To enable LDAP authentication run
authconfig-tui
or
vi /etc/openldap/ldap.conf OR vi /etc/ldap.conf
URI ldap://127.0.0.1/
BASE dc=lutierigabriel
vim /etc/nsswitch.conf
add ldap to group, shadow, passwd
or
system-config-authentication
-------------------
kickstart
some options:
zerombr
clearpart --all
always use /root/anaconda-ks.cfg as a template.
-------------------
NFS
Firewall
TCP/2049
UDP/111,32769
TCP/32803,892
All ports but 111 and 2049 have to be specified in /etc/sysconfig/nfs
yum install -y nfs-utils nfs4-acl-tools
chkconfig nfs on; chkconfig nfslock on; chkconfig rpcbind on
vim /etc/exports
/mnt *(ro,sync)
exportfs -avr -> reexport all directories
Adjusting SELinux (this will allow directories to be exported as RO and RW):
getsebool -a | grep nfs
setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1
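The /mnt *(ro,sync) line above exports to every host that can reach port 2049, and the etab output further down shows the server silently adding root_squash because the line does not say otherwise. The script below is an added example, not part of the original notes: it reads /etc/exports-style lines and prints a finding for each client spec that is open to any host, is writable by any host, keeps remote root as root (no_root_squash), or accepts unprivileged source ports (insecure). The sample exports in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit /etc/exports-style
# lines for settings that widen access. Exit status and output come from
# the functions so the check can be scripted before running exportfs.

# export_findings <exports-file>: print one "<dir> <client> <reason>" line
# per finding; prints nothing when every export is restricted.
export_findings() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            dir = $1
            for (i = 2; i <= NF; i++) {      # each remaining field is client(opts)
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                rw = 0; nosquash = 0
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "no_root_squash") nosquash = 1
                    # insecure: requests from ports >1024 are accepted,
                    # so any local user on the client can speak NFS
                    if (o[j] == "insecure") print dir, client, "insecure-ports"
                }
                # "*" matches every host: the export is reachable by anyone
                if (client == "*")
                    print dir, client, (rw ? "rw-to-any-host" : "ro-to-any-host")
                # remote uid 0 keeps root rights on the exported tree
                if (nosquash) print dir, client, "no_root_squash"
            }
        }
    ' "$1"
}

# exports_are_strict <exports-file>: exit 0 only when there are no findings
exports_are_strict() {
    [ -z "$(export_findings "$1")" ]
}
```

Usage: export_findings /etc/exports before exportfs -avr, or exports_are_strict /etc/exports in a config check. A read-only export to "*" is reported too, since the notes' own example relies on it; decide per share whether a host list or a subnet like 192.168.56.0/24 should replace the wildcard.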
- mounting a NFS share:
mount localhost:/mnt /nfs
- Verifying the exported directories on the server side:
# cat /var/lib/nfs/etab
/mnt *(ro,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)
- Verifying the mounted NFS share on the client side:
nfsstat -m
- Persistent NFS mounts:
vim /etc/fstab
rhel01:/opt/company_data /opt/company_data nfs4 rw,sync 0 0
Client side mounting options
soft -> means that if a timeout occurs the process will give up and try again later. the device will be unavailable meanwhile
hard -> in the same situation as stated above, the process will never give up on mounting/accessing the device. it will hang there 'til it gets mounted.
intr -> usually used along with the hard option. means that besides hard it can be interrupted. usually better to have hard,intr than soft.
-------------------------------
automount
how to automount home directories:
/etc/auto.master
/home/guests /etc/auto.guests
/etc/auto.guests
* -rw,soft,intr instructor.example.com:/home/guests/&
service autofs reload
ls /home/guests/user1 -> will mount the user1 folder from the instructor box
-----------
SetUID and SetGID
setuid allows users to execute a file with the privileges of the file's owner
chmod u+s file
chmod 4755 file
find / -perm -4000
SetGID
chmod g+s file
chmod 2755 file
find / -perm -2000
Sticky bit (set on directories; only the owner and root can delete contents in the dir)
chmod +t sticky/
chmod 1755 sticky/
find / -perm -1000
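The three find commands above are the raw audit; what you normally want is the list of setuid binaries that are not supposed to be there. The script below is an added example, not part of the original notes: it wraps the same find -perm tests in functions and compares the setuid list against an allowlist file so that any extra setuid binary is printed and the check fails. Directory and allowlist paths are arguments; the test builds its own throwaway tree.

```shell
#!/bin/sh
# Added example (not from the original notes): setuid/setgid/sticky audit
# built on the same "find / -perm -NNNN" tests as the notes.

# special_bits <dir> <bit>: list entries under <dir> carrying <bit>, where
# <bit> is 4000 (setuid), 2000 (setgid) or 1000 (sticky); "-perm -BIT"
# matches when that bit is set regardless of the other permission bits.
special_bits() {
    find "$1" -perm "-$2" -print | sort
}

# unexpected_setuid <dir> <allowlist-file>: print every setuid entry under
# <dir> whose full path is not a line of <allowlist-file>; exit 1 if any.
# A fresh setuid binary in /tmp or a home directory is a classic sign of
# a local privilege escalation left behind, so this is worth running often.
unexpected_setuid() {
    extra=$(special_bits "$1" 4000 | grep -v -x -F -f "$2" || true)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}
```

Usage: special_bits / 4000 > /root/setuid.allow once on a freshly installed box, then unexpected_setuid / /root/setuid.allow from cron; a non-zero exit with a path you did not install is what you want to hear about.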
-------
Virtualization (only available on 64-bit OS)
yum install qemu-kvm qemu-img
virsh list
virsh list --all
virsh shutdown X
virsh start NAME
virt-viewer X
virsh autostart --disable X
virsh autostart X
Create a guest VM:
virt-install --name Client03 --ram 512 --disk path=/var/lib/libvirt/images/client03.img,size=8 --network network=default --cdrom /dev/cdrom
it's recommended to use /var/lib/libvirt/images to hold the virtual disks. to use another directory you should configure SELinux to allow it.
Can also create via GUI with virt-manager.
Useful commands
virsh connect localhost
virsh start guest1-rhel6-64
virsh stop guest1-rhel6-64
virsh list --all
virsh console
virsh autostart X
virsh net-list
virsh net-start X
SELinux
Make sure you have setroubleshoot-server so you will get nicer SELinux messages.
Check how SELinux is running:
[root@zeus ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@zeus ~]# getenforce
Enforcing
[root@zeus ~]# setenforce permissive
[root@zeus ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@zeus ~]# setenforce enforcing
[root@zeus ~]# getenforce
Enforcing
you can also edit /etc/selinux/config. Regardless of the method you should reboot the system. When you change the mode the files must be relabeled (their contexts will change); this is done during the boot process.
It is possible to disable enforcing mode; it will then only audit:
setenforce 0
Check the boolean values with sestatus -b or getsebool -a | grep http:
sestatus -b | grep http
allow_httpd_anon_write                      off
allow_httpd_mod_auth_ntlm_winbind           off
allow_httpd_mod_auth_pam                    off
allow_httpd_sys_script_anon_write           off
httpd_builtin_scripting                     on
httpd_can_check_spam                        off
httpd_can_network_connect                   off
httpd_can_network_connect_cobbler           off
httpd_can_network_connect_db                off
httpd_can_network_memcache                  off
httpd_can_network_relay                     off
httpd_can_sendmail                          off
httpd_dbus_avahi                            on
httpd_enable_cgi                            on
httpd_enable_ftp_server                     off
httpd_enable_homedirs                       off
While I was reading about SELinux I found something very useful that I didn't know until now. Well, during the reading the author says to issue a command called semanage that will explain each of the boolean options. However, I don't have semanage on my system and don't know which package provides it. So, the following command told me what package I should install to have semanage.
yum whatprovides *bin/semanage
Here we go, from the output it's clear to me that policycoreutils-python-2.0.83-19.1.el6.i686 has the binary that I was looking for.
Ok. moving on... so, to see what each boolean value does, issue:
[root@zeus ~]# semanage boolean -l | grep http
httpd_can_network_relay        -> off   Allow httpd to act as a relay
httpd_can_network_connect_db   -> off   Allow HTTPD scripts and modules to connect to databases over the network.
httpd_use_gpg                  -> off   Allow httpd to run gpg in gpg-web domain
httpd_enable_cgi               -> on    Allow httpd cgi support
allow_httpd_mod_auth_pam       -> off   Allow Apache to use mod_auth_pam
Changing boolean values:
setsebool -P httpd_enable_homedirs=1
Context is formed of:
User : role : domain
Users are usually one of these:
unconfined_u: Unprotected user
system_u: System user
user_u: Normal user
Roles are usually one of these:
object_r: File
system_r: Users and processes
Domains (AKA type) are usually one of these:
unconfined_r: Unprotected file or process
httpd_t: used for httpd process.
....
Roles have NO influence on files, so object_r is used as a generic role for any file.
Checking files' context:
# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 a.out
Checking processes' context:
ps -eZ | grep httpd
unconfined_u:system_r:httpd_t:s0 14784 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14786 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14787 ?        00:00:00 httpd
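The user:role:type:level layout above is easy to read by eye for two files; for a whole web root it helps to have the type column extracted and compared against what httpd_t is allowed to touch. The script below is an added example, not part of the original notes: one function picks a field out of a context string, and another reads ls -Z lines in the five-column form shown above and reports entries whose type is not httpd_sys_content_t or httpd_sys_rw_content_t. The listing in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): split a context into its
# fields and flag files under a web root whose type httpd may not serve.
# Input is "ls -Z" output in the form mode user group context name.

# context_field <context> <n>: print field n of user:role:type:level,
# e.g. context_field unconfined_u:system_r:httpd_t:s0 3 prints httpd_t
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# mislabeled_web_files <listing-file>: print the name of every entry whose
# type is neither httpd_sys_content_t nor httpd_sys_rw_content_t (the
# types httpd is allowed to read, resp. read and write); exit 0 when none.
# A file moved into the web root with mv keeps its old label (for instance
# admin_home_t from /root) and shows up here; restorecon -R on the web root
# or chcon -t fixes the label, which beats setting SELinux to permissive.
mislabeled_web_files() {
    awk '
        NF >= 5 {
            split($4, c, ":")            # c[1]=user c[2]=role c[3]=type c[4]=level
            if (c[3] != "httpd_sys_content_t" && c[3] != "httpd_sys_rw_content_t") {
                print $5
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}
```

Usage: ls -Z /var/www/html > /tmp/listing; mislabeled_web_files /tmp/listing. Extend the accepted-type list for roots that legitimately hold httpd_sys_script_exec_t scripts.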
Changing contexts (domains) http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-Targeted_policy-Unconfined_processes.html
[root@zeus ~]# touch myfile
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 myfile
[root@zeus ~]# chcon -vu system_u myfile
changing security context of `myfile'
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 myfile
[root@zeus ~]# chcon -vt etc_t myfile
changing security context of `myfile'
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:object_r:etc_t:s0 myfile
[root@zeus ~]# chcon -vr system_r myfile
changing security context of `myfile'
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:system_r:etc_t:s0 myfile
[root@zeus ~]# touch myfile2
[root@zeus ~]# ls -Z myfile2
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 myfile2
[root@zeus ~]# chcon --reference myfile myfile2
[root@zeus ~]# ls -Z myfile2
-rw-r--r--. root root system_u:system_r:etc_t:s0 myfile2
[root@zeus ~]# restorecon myfile
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 myfile
Changing ports for services:
[root@zeus ~]# semanage port -l | grep http
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
[root@zeus ~]# semanage port -a -t http_port_t -p tcp 81
[root@zeus ~]# semanage port -l | grep http
http_port_t                    tcp      81, 80, 443, 488, 8008, 8009, 8443
Every time you change a context it will be restored in the next file system relabel (next reboot).
To make changes permanent run:
semanage fcontext -a -t httpd_sys_content_t file1
TIP:
some daemons have man pages talking about the contexts and booleans used by them. take a look:
[root@zeus ~]# apropos _selinux
ftpd_selinux (8)       - Security-Enhanced Linux policy for ftp daemons
httpd_selinux (8)      - Security Enhanced Linux Policy for the httpd daemon
init_selinuxmnt (3)    - initialize the global variable selinux_mnt
is_selinux_enabled (3) - check whether SELinux is enabled
kerberos_selinux (8)   - Security Enhanced Linux Policy for Kerberos
named_selinux (8)      - Security Enhanced Linux Policy for the Internet Name server (named) daemon
nfs_selinux (8)        - Security Enhanced Linux Policy for NFS
pam_selinux (8)        - PAM module to set the default security context
rsync_selinux (8)      - Security Enhanced Linux Policy for the rsync daemon
samba_selinux (8)      - Security Enhanced Linux Policy for Samba
ypbind_selinux (8)     - Security Enhanced Linux Policy for NIS
semanage fcontext -a -t httpd_sys_content_t "/newweb(/.*)?"
restorecon -R -v /newweb
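A small check that goes with the chcon/restorecon notes above, added here as an example (it is not code from the original notes): it parses "ls -Z" lines and lists every file whose SELinux type is not the one a service expects. The input below is constructed in the RHEL 6 "ls -Z" layout (mode, user, group, context, name); on a real box you would pipe "ls -Z /var/www/html" into find_mislabeled and then run restorecon on whatever it reports. The file names and contexts are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes: find files whose SELinux
# type differs from the type a daemon (here httpd) is allowed to read.

# Extract the type field from a context string user:role:type:level.
# The level may itself contain colons (s0-s0:c0.c1023), so take the third
# field only and leave whatever follows it alone.
ctx_type() {
    ctx=$1
    rest=${ctx#*:}                # drop the user
    rest=${rest#*:}               # drop the role
    printf '%s\n' "${rest%%:*}"   # the type is the next field
}

# Read "ls -Z" lines on stdin; for each file whose type is not $1, print
# "name<TAB>actual_type". Files labelled as expected are silent.
find_mislabeled() {
    expected=$1
    while read -r mode owner group ctx name; do
        [ -z "$name" ] && continue
        actual=$(ctx_type "$ctx")
        if [ "$actual" != "$expected" ]; then
            printf '%s\t%s\n' "$name" "$actual"
        fi
    done
}

# Constructed sample: one file copied in from /root keeps admin_home_t, which
# httpd_t may not read even though the Unix permissions look fine.
SAMPLE='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 moved-from-root.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 logo.png'

printf '%s\n' "$SAMPLE" | find_mislabeled httpd_sys_content_t
```

The mislabeled file is exactly the case the "permanent" fix above is for: semanage fcontext records the right type for the path, restorecon applies it, and the check comes back empty.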
-------------
Firewall
iptables -p icmp -h
shows all the possible icmp types :-)
POSTROUTING (in the nat table) -> SNAT --to-source x.x.x.x OR MASQUERADE
Use SNAT when the outside address is static; use MASQUERADE when it is assigned dynamically, since MASQUERADE reads the interface address for each packet and forgets its tracked connections when the interface goes down.
----------
Rsyslog
/etc/rsyslog.conf
Forwarding messages to another host. The rsyslog.conf man page ("Remote machine" section) explains the options:
There are three ways to forward messages: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of rsyslogd 3.15.0 and above. To forward messages to another host via UDP, prepend the hostname with the at sign ("@"). To forward via plain TCP, prepend two at signs ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of the hostname.
Example: *.* @192.168.0.1
The receiving host has to load the matching input module (imudp or imtcp) and open the port (514 by default) in its firewall. UDP and plain TCP carry the logs unauthenticated and in the clear, so prefer "@@" over "@" at least, and anything crossing an untrusted network should go over RELP or a tunnel.
Apache
Test/Parse the config file:
service httpd configtest
VirtualHost
NameVirtualHost 192.168.56.200:80
<VirtualHost 192.168.56.200:80>
    ServerName site1.asdf.com
    DocumentRoot "/var/www/site1"
</VirtualHost>
<VirtualHost 192.168.56.200:80>
    ServerName site2.asdf.com
    DocumentRoot "/var/www/site2"
</VirtualHost>
The first VirtualHost defined for an address is the default: requests whose Host header matches no ServerName (including requests by IP) are served from it, so put the site you are happy to expose that way first.
Password protected
<Directory "/var/www/html/protected">
    AuthType Basic
    AuthName "You are out"
    AuthUserFile "/var/www/html/protected/.users"
    Require user lutieri
    Options Indexes
    Order deny,allow
</Directory>
The user file is created with htpasswd. Two things to watch: the AuthUserFile here sits inside the DocumentRoot, and the stock httpd.conf only blocks files whose names start with .ht, so /protected/.users is downloadable by anyone who gets past the auth prompt (and by everyone if the Directory block is ever dropped); keep it outside the web root, for example under /etc/httpd. Basic auth also sends the password base64-encoded on every request, so it only makes sense over HTTPS. Order deny,allow with no Deny/Allow lines lets everyone reach the prompt, and Options Indexes lists the directory contents to authenticated users.
CGI Scripts
ScriptAlias /bin "/var/www/site1/bin"
OR
<Directory "/var/www/site1/bin/">
    Options ExecCGI Indexes
</Directory>
AddHandler cgi-script .lgb
With ScriptAlias every file under the directory is executed; with the Directory/AddHandler form only files with the listed extension are. Either way the scripts must be executable (chmod +x) and, under SELinux, labeled httpd_sys_script_exec_t.
The script has to produce a CGI header block before the body: at least a Content-type line, then an empty line, then the output. In bash, echo does not interpret \n unless given -e, so writing "\n\n" inside the quotes prints the backslashes literally and leaves no blank line. Write it as:
#!/bin/bash
echo "Content-type: text/html"
echo
echo "Hello, World."
Except that I found out that printing a blank line instead of content-type... also works great.
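A slightly larger CGI script than the hello-world above, added here as an example (not code from the original notes): it emits the header block Apache expects and reflects one value from the query string, HTML-escaping it first so a crafted URL cannot inject markup into the page. The parameter name "name" and the query strings in the test are assumptions for the demo; %xx decoding is left out on purpose to keep the script short.

```shell
#!/bin/sh
# Added example, not part of the original notes: a shell CGI that sends a
# correct header block and escapes the one value it reflects back.

# Escape the characters that would let a query value inject HTML.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Pull key=value ($2) out of a query string ($1); first match wins.
query_param() {
    qs=$1; key=$2
    printf '%s\n' "$qs" | tr '&' '\n' | while IFS='=' read -r k v; do
        [ "$k" = "$key" ] && { printf '%s' "$v"; break; }
    done
}

# Build the whole response for a query string: headers, empty line, body.
# CRLF line endings are what the CGI spec asks for; Apache also accepts LF.
cgi_response() {
    who=$(query_param "$1" name)
    [ -z "$who" ] && who=World
    printf 'Content-type: text/html\r\n'
    printf '\r\n'
    printf '<html><body>Hello, %s.</body></html>\n' "$(html_escape "$who")"
}

# When httpd runs the script, QUERY_STRING is set in the environment.
cgi_response "${QUERY_STRING:-}"
```

Install it under the ScriptAlias directory (or with the .lgb extension under the AddHandler form), chmod +x it, and a request for /bin/hello.lgb?name=<b>x</b> comes back with the tags shown as text instead of rendered.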
----------
Postfix
alternatives --config mta
selects which installed MTA (sendmail or postfix) provides /usr/sbin/sendmail and the other shared paths.
-----------
Bind
[root@zeus ~]# cat /var/named/dynamic/asdf.com
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       127.0.0.1
site1   A       192.168.56.201
site2   A       192.168.56.202
This is the layout of the named.empty template shipped with bind. Bump the serial every time the zone changes or slaves will never pick the change up; named-checkzone asdf.com /var/named/dynamic/asdf.com catches syntax errors before a reload.
Master zone
[root@zeus ~]# cat /etc/named.conf
---SNIP---
zone "asdf.com" IN {
        type master;
        file "dynamic/asdf.com";
};
---SNIP---
Check the file with named-checkconf before restarting. Without an allow-transfer statement named will answer a zone transfer (AXFR) for asdf.com from any address, so restrict it to the slaves' addresses unless handing out the whole zone is intended.
Forward zone:
The forwarders directive can also be used in the global options { } block.
zone "asdf.com" IN {
        type forward;
        forwarders { 66.33.206.206; };
};
--------------
Samba
If you create a directory and would like to share it, run:
chcon -t samba_share_t /path
As with httpd above, chcon does not survive a relabel; record the type with semanage fcontext if the share is permanent.
Allowing home directories to be shared:
[root@zeus ~]# setsebool -P samba_enable_home_dirs on
[root@zeus ~]# getsebool samba_enable_home_dirs
samba_enable_home_dirs --> on
[root@zeus ~]# semanage boolean -l | grep samba_enable_home_dirs
samba_enable_home_dirs         -> on    Allow samba to share users home directories.
-P makes the change persistent across reboots by writing it into the policy store.
OR
semanage boolean -m --on samba_enable_home_dirs
-----------
Vsftpd
Allow anonymous upload
setsebool -P ftp_home_dir 1
(lets vsftpd read and write the home directories of local users who log in with local_enable=YES; it is not needed for the anonymous dropbox itself. Without -P the boolean is reset at the next reboot.)
chcon -t public_content_rw_t /var/ftp/pub
(the directory that actually receives uploads needs this type; chcon is temporary, see the SELinux section)
setsebool -P allow_ftpd_anon_write 1
chgrp -R ftp /var/ftp/dropbox
(chgrp takes a plain group name; the "user:" form with a colon belongs to chown)
chmod g=wx /var/ftp/dropbox
(the anonymous session runs as user ftp, so group ftp gets write and search but no read: uploads are possible but the directory cannot be listed. Make sure "other" has no read bit either, or any local user can list what was dropped.)
cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
write_enable is global: with local_enable=YES it also lets local users, who authenticate with their system password sent in the clear, write wherever their Unix permissions allow.
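The dropbox steps above, collected into one script as an added example (not code from the original notes). It assumes the anonymous user's group is ftp, tightens the mode to 0730 so that "other" gets nothing at all, and only runs the SELinux labeling when semanage and restorecon are installed; the check function confirms the directory really is write-and-search only for the group.

```shell
#!/bin/sh
# Added example, not part of the original notes: create and verify an
# anonymous FTP "blind dropbox". Owner keeps rwx, the group the anonymous
# ftp user belongs to gets write+search only (can upload, cannot list), and
# everyone else gets nothing. Still needed on the vsftpd side:
# setsebool -P allow_ftpd_anon_write 1 and anon_upload_enable=YES.

make_dropbox() {
    dir=$1; grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"       # plain group name; "user:group" is chown syntax
    chmod 0730 "$dir"         # rwx owner, -wx group, --- other
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        # Record the type in the policy so it survives a relabel, then apply it.
        # -a fails if the path is already defined; that is fine here.
        semanage fcontext -a -t public_content_rw_t "$dir(/.*)?" 2>/dev/null || true
        restorecon -R "$dir"
    fi
}

# Print the 10-character permission string of a directory, e.g. drwx-wx---
# (trailing "." or "+" markers from SELinux/ACLs are cut off).
dropbox_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only if the directory is a usable blind dropbox: group can write
# and search but not read, and other has no access.
check_dropbox() {
    case "$(dropbox_mode "$1")" in
        drwx-wx---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage on a real server (as root): make_dropbox /var/ftp/dropbox ftp
```

Run check_dropbox after any later chmod or package update that touches /var/ftp; a directory that drifts to 0755 turns the dropbox into a public listing of everything anyone uploaded.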
VNC
server side:
/etc/sysconfig/vncservers
(maps display numbers to users, e.g. VNCSERVERS="2:user"; each user sets a password with vncpasswd)
client side:
vncviewer -via server9 localhost:2
This opens an ssh session to server9 and tunnels the VNC connection through it, so the session traffic and the VNC password exchange (weak on its own) never cross the network in the clear, and the server only needs TCP/22 reachable rather than the display port (5902 for display :2).