Studying for RHSCA and RHCE

My recent posts were about things that I was playing around and are related to topics that are covered in RHSCA and RHCE exams.

I'm preparing myself to take this exams in february/2012 and I need some place to store my notes. Here you will find small tips, tricks, common switches, commands, etc. This is all stuff that I need to know in order to succeed the exams. And it's also stuff that I know I have to play with and write down to help memory retain the information.

let the show begin....

• Querying RPMs

rpm -qi xxx -> query info. same as yum info xxx
rpm -q --scripts xxx -> query scripts
rpm -ql xxx -> list of files inside the rpm.

any of the above can also have the -p switch. this will consider the xxx as a local rpm file. not an installed package

rom -qf /sbin/service -> will show which packege contains the /sbin/service file
rpm -qa -> query all installed packages

• Extract files from rpm:

rpm2cpio xxx | cpio -idmv 

if you run rpm -qlp xxx and see the one file that you want you can extract it running the following:

rpm2cpio xxx | cpio -idmv ./etc/apt/sources.list.d/rpmforge-extras.list

Please don't forget the dot in front of the filename. otherwise no files will be extracted.

• Querying installed packages

If you want to know if a package is installed use:

yum list "*http*"

It will list the Installed Packages and also the Available Packages. Yum list only search for the packages name. Yum search searches also in the description of the package.

• Installing RPMs

yum localinstall xxx.rpm works just like rpm -ivh xxx.rpm but will also solve the dependencies if necessary.

• Creating RPMs

yum install rpm-build make -y
mkdir -p /usr/src/lutieri/{BUILD,RPMS,SOURCES,SPECS,SRPMS,tmp}
cd /usr/src/lutieri/
mkdir sample
cd sample/
touch first_file second_file keys config_file
cd ..
tar -cf sample.tar.gz sample/
mv sample.tar.gz SOURCES/

create a spec file in SPECS: run vim foo.spec -> vim will load a template for you :-D

rpmbuild -v -bb SPECS/sample.spec

OR

rpmbuild -v -bb --sign SPECS/sample.spec

the former example works if you have the rpmmacros set correctly. then the package will be built and signed.

Instead of creating all those directories, create the .spec file and run with rpmbuild. it will create all the directory structure in ~/rpmbuild/. then move the .spec to ~/rpmbuild/SPECS and the tar to ~/rpmbuild/SOURCES and run rpmbuild again against the .spec.

OR

Install rpmdevtools and run rpmdev-setuptree. This will also create the folder structure in the home directory


in the SPEC file , under the sessino %files you should specify every file that this package is responsible for.

%files
%defattr(-,root,root,-)
%dir /root/package
%attr(755,root,root) /root/package/script.sh

Instead of use cp to copy files to a specific location, use install -D

• Signing a package

gpg-agent --daemon
gpg2 --gen-keys
gpg2 --list-keys
gpg2 --export -a lutieri2 > RPM-GPG-KEY-lutieri2
su -
rpm --import /home/lutieri/RPM-GPG-KEY-lutieri2
exit
vim ~/.rpmmacros
%_signature gpg
%_gpg_name lutieri2
rpm --addsign rpmbuild/RPMS/i386/lutieri-1.1-0.i386.rpm
rpm --resign rpmbuild/RPMS/i386/lutieri-1.1-0.i386.rpm
rpm --checksig rpmbuild/RPMS/i386/lutieri-1.1-0.i386.rpm

Run man rpm and search for macro.. this will show you what goes inside the .rpmmacros files.


all the keys imported into RPM DB are considered packages. take a look:

rpm -q gpg-pubkey --qf "%{name} - %{version} - %{release} -> %{summary}\n"
gpg-pubkey - c105b9de - 4e0fd3a3 -> gpg(CentOS-6 Key (CentOS 6 Official Signing Key) )
gpg-pubkey - 8cee003f - 4f03b71a -> gpg(lutieri )
gpg-pubkey - cf7fe955 - 4f03bacf -> gpg(lutieri2 )

rpm -qa gpg-pub*
gpg-pubkey-cf7fe955-4f03bacf
gpg-pubkey-8cee003f-4f03b71a
gpg-pubkey-c105b9de-4e0fd3a3

thus, to remove lutieri2 key. issue:

rpm -e gpg-pubkey-cf7fe955-4f03bacf

• Create a repository:

yum install -y createrepo
mkdir /opt/myrepo
mv *.rpm /opt/myrepo
createrepo /opt/myrepo
vim /etc/yum.repos.d/lutieri.repo
[lutieri]
Baseurl=file:///opt/myrepo
name=lutierirepo
enabled=1

man yum.conf shows you the options that goes in the .repo files.

If later on you add new RPMs to the directory run the following to update de metadata:

createrepo -update /opt/myrepo 

--------------------------------------------------

Network

on ifcfg-* files, the option NM_CONTROLLED="NO" will not allow network manager to manage this interface

Bonding:

vim /etc/modprobe.d/bonding.conf
alias bond0 bonding

To find out what options are necessary in the master interface do the follwing
find /usr/share/doc/kernel-doc* -iname "bond*"

less /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/bonding.txt

miimon is required as well as mode. Mode 1=rr, 2=active/passive 3=broadcast

Master:

vim /etc/sysconfig/network-scripts/ifcfg-bond0

TYPE=Ethernet
DEVICE=bond0
BOOTPROTO=none
IPADDR=1.1.1.1
NETMASK=255.255.255.0
USERCTL=yes
IPV6INIT=no
ONBOOT=yes
BONDING_OPTS="miimon=100 mode=0"

Slaves:

vim /etc/sysconfig/network-scripts/ifcfg-eth0

TYPE=Ethernet
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

If you wanna see if the options in BONDING_OPTS were applied, take a look in

[root@zeus ~]# cat /sys/class/net/bond0/bonding/miimon
100
[root@zeus ~]# cat /sys/class/net/bond0/bonding/mode
balance-rr 0

--------------------------------------------------
File Systems

palimpsest

it's a graphic utility to manage disks.

TIP:

fdisk -cul /dev/?d?

it lists all disk devices.



LUKS - Linux Unified Key Setup
make sure you have the partition unmount

Format the partition to be encrypted:

cryptsetup luksFormat /dev/sdb1

Open the FS and give it a name:

cryptsetup luksOpen /dev/sdb1 hiddenData

Format it to use:

mkfs.ext4 /dev/mapper/hiddenData

Use it:

mkdir /mnt/hiddenData
mount /dev/mapper/hiddenData /mnt/hiddenData
touch /mnt/hiddenData/file1

Lock it after use:

umount /mnt/hiddenData
cryptsetup luksClose /dev/mapper/hiddenData

Make it the mounting persistent after reboot:

vim /etc/crypttab
hiddenData     /dev/sda2  none

none means you will have to type the password during boot. any other value is interpreted as a file that contains the password for the FS

vim /etc/fstab
/dev/mapper/hiddenData /mnt/hiddenData  ext4 defaults 0 0 

To avoid being prompted for a password you can create a key, save it in a file and use this key to open the device:

vim /etc/key
type anything in there

chmod 400 /etc/key
cryptsetup luksAddKey /dev/vda5 /etc/key
cryptsetup luksDump /dev/vda5

vim /etc/crypttab
hiddenData      /dev/sda2 /etc/key

------------------

iSCSI


doc under: /usr/share/doc/iscsi*/README

# yum install -y iscsi-initiator-utils

# iscsiadm -m discovery -t st -p 192.168.56.101
192.168.56.101:3260,1 iqn.2006-01.com.openfiler:tsn.cc35969be1c0

Login in the target

# iscsiadm -m node -T  iqn.2006-01.com.openfiler:tsn.cc35969be1c0  -p 192.168.56.101 -l
Logging in to [iface: default, target: iqn.2006-01.com.openfiler:tsn.cc35969be1c0, portal: 192.168.56.101,3260] (multiple)
Login to [iface: default, target: iqn.2006-01.com.openfiler:tsn.cc35969be1c0, portal: 192.168.56.101,3260] successful.

take a look in /var/log/messages and see what block devices appear OR run

# find /sys/devices/platform/host* -name "block*"
/sys/devices/platform/host4/session1/target4:0:0/4:0:0:0/block
# ls /sys/devices/platform/host4/session1/target4\:0\:0/4\:0\:0\:0/block/
sdc

service iscsi status

will also show you, in the very bottom line, what devices iscsi is attached to.

Make it persistent after reboots:

vim /etc/fstab
/dev/sdc1    /mnt/openfiler   ext4 _netdev 0 0

Cleaning the DBs:

Removing known portals:

[root@zeus ~]# iscsiadm -m discoverydb
192.168.56.102:3260 via sendtargets
192.168.56.101:3260 via sendtargets
[root@zeus ~]# iscsiadm -m discovery -o delete -p 192.168.56.102
[root@zeus ~]# iscsiadm -m discovery -o delete -p 192.168.56.101
[root@zeus ~]# iscsiadm -m discovery
[root@zeus ~]#

----------------------------------



After managing partitions you should reload the partition table partprobe used to be a good choice but seems to be deprecated right now. partx ou kpartx seems to be the new options.

partx -a /dev/sda

 will add new partitions to the system. double check running cat /proc/partitions

partx -d /dev/sda

will remove all inactive partitions from the system.


Please use fdisk -cu.. these switches will disable DOS-compatible mode and show sectors instead of cylinders



-------

LVM

• Creating PVs

[root@zeus ~]# fdisk -l /dev/sdc
Disk /dev/sdc: 1073 MB, 1073741824 bytes
34 heads, 61 sectors/track, 1011 cylinders
Units = cylinders of 2074 * 512 = 1061888 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0000dfdc
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1          95       98484+  8e  Linux LVM
/dev/sdc2              96         426      343247   83  Linux
[root@zeus ~]# pvcreate /dev/sdc1
  Physical volume "/dev/sdc1" successfully created
[root@zeus ~]# pvcreate /dev/sdc2
  Physical volume "/dev/sdc2" successfully created
[root@zeus ~]#

The man page for pvcreate says a partition should be type 8e but it does not complain about /dev/sdc2 though. let's move on..

• Creating a VG

[root@zeus ~]# vgcreate mp3 /dev/sdc1
  Volume group "mp3" successfully created
[root@zeus ~]# vgdisplay -v mp3
    Using volume group(s) on command line
    Finding volume group "mp3"
  --- Volume group ---
  VG Name               mp3
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  1
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                0
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               92.00 MiB
  PE Size               4.00 MiB
  Total PE              23
  Alloc PE / Size       0 / 0
  Free  PE / Size       23 / 92.00 MiB
  VG UUID               tc1JKq-TBBw-zYax-51ET-2A5t-hK0t-wsWXTO

  --- Physical volumes ---
  PV Name               /dev/sdc1
  PV UUID               XUKAwo-eZRI-Gq12-7oUb-4w8w-25rN-t64cBI
  PV Status             allocatable
  Total PE / Free PE    23 / 23

Note that -v switch brings up the PV that are part of the VG.

• Creating LVs

[root@zeus ~]# lvcreate -L 50M mp3 -n rock_and_roll
  Rounding up size to full physical extent 52.00 MiB
  Logical volume "rock_and_roll" created
[root@zeus ~]# lvcreate -L 10M mp3 -n soul
  Rounding up size to full physical extent 12.00 MiB
  Logical volume "soul" created
[root@zeus ~]# lvs
  LV            VG      Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  rock_and_roll mp3     -wi-a- 52.00m
  soul          mp3     -wi-a- 12.00m

• Observing the VG

[root@zeus ~]# vgdisplay -v mp3
    Using volume group(s) on command line
    Finding volume group "mp3"
  --- Volume group ---
  VG Name               mp3
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  3
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                2
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               92.00 MiB
  PE Size               4.00 MiB
  Total PE              23
  Alloc PE / Size       16 / 64.00 MiB
  Free  PE / Size       7 / 28.00 MiB
  VG UUID               tc1JKq-TBBw-zYax-51ET-2A5t-hK0t-wsWXTO

  --- Logical volume ---
  LV Name                /dev/mp3/rock_and_roll
  VG Name                mp3
  LV UUID                EQ73g4-TFPw-6WTg-ufWp-RAXq-MVVU-fHSh9T
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                52.00 MiB
  Current LE             13
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2

  --- Logical volume ---
  LV Name                /dev/mp3/soul
  VG Name                mp3
  LV UUID                nchsYN-2eSX-Z3Bw-WV5w-2xxV-5oQM-8Vh8xj
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                12.00 MiB
  Current LE             3
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:3

  --- Physical volumes ---
  PV Name               /dev/sdc1
  PV UUID               XUKAwo-eZRI-Gq12-7oUb-4w8w-25rN-t64cBI
  PV Status             allocatable
  Total PE / Free PE    23 / 7

• Rename a LV:

[root@zeus ~]# lvcreate -L 10M mp3
  Rounding up size to full physical extent 12.00 MiB
  Logical volume "lvol0" created
[root@zeus ~]# lvs
  LV            VG      Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  lvol0         mp3     -wi-a- 12.00m
  rock_and_roll mp3     -wi-a- 52.00m
  soul          mp3     -wi-a- 12.00m
[root@zeus ~]# lvrename /dev/mp3/lvol0 /dev/mp3/celtic
  Renamed "lvol0" to "celtic" in volume group "mp3"
[root@zeus ~]# lvs
  LV            VG      Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  celtic        mp3     -wi-a- 12.00m
  rock_and_roll mp3     -wi-a- 52.00m
  soul          mp3     -wi-a- 12.00m

• Resizing LVs

[root@zeus ~]# lvresize -L 15M /dev/mp3/celtic
4  Rounding up size to full physical extent 16.00 MiB
  Extending logical volume celtic to 16.00 MiB
  Logical volume celtic successfully resized
[root@zeus ~]# lvresize -L 12M /dev/mp3/celtic
  WARNING: Reducing active logical volume to 12.00 MiB
  THIS MAY DESTROY YOUR DATA (filesystem etc.)
Do you really want to reduce celtic? [y/n]: y
  Reducing logical volume celtic to 12.00 MiB
  Logical volume celtic successfully resized

Extending/Reducing VGs

[root@zeus ~]# vgs
  VG      #PV #LV #SN Attr   VSize  VFree
  mp3       1   3   0 wz--n- 92.00m 16.00m
  vg_zeus   1   2   0 wz--n-  7.51g     0
[root@zeus ~]# vgextend mp3 /dev/sdc2
  Volume group "mp3" successfully extended
[root@zeus ~]# vgs
  VG      #PV #LV #SN Attr   VSize   VFree
  mp3       2   3   0 wz--n- 424.00m 348.00m

[root@zeus ~]# vgreduce mp3 /dev/sdc2
  Removed "/dev/sdc2" from volume group "mp3"
[root@zeus ~]#

Moving extents from one disk to another

Make sure you VG has more than one disk. In this case I have sdc1 and sdc2 and will move the extents from sdc1 to sdc2

[root@zeus ~]# pvmove /dev/sdc1 /dev/sdc2
  /dev/sdc1: Moved: 0.0%
  /dev/sdc1: Moved: 21.1%
  /dev/sdc1: Moved: 31.6%
  /dev/sdc1: Moved: 47.4%
  /dev/sdc1: Moved: 57.9%
  /dev/sdc1: Moved: 68.4%
  /dev/sdc1: Moved: 78.9%
  /dev/sdc1: Moved: 84.2%
  /dev/sdc1: Moved: 100.0%

If now you take a look at sdc1 no extents are found in this partition (disc)

[root@zeus ~]# pvdisplay -v /dev/sdc1
    Using physical volume(s) on command line
  --- Physical volume ---
  PV Name               /dev/sdc1
  VG Name               mp3
  PV Size               96.18 MiB / not usable 4.18 MiB
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              23
  Free PE               23
  Allocated PE          0
  PV UUID               XUKAwo-eZRI-Gq12-7oUb-4w8w-25rN-t64cBI

Taking Snapshots

lvcreate -s -L50M -n rock_snapshot /dev/mp3/rock_and_roll
mount the snapshot, copy the frozen data and delete it.
lvremove /dev/mp3/rock_snapshot

-------------------------------------------------------------

FileSystems

ACLs:

dumpe2fs /dev/xxx | grep Defaults will show which are the default mouting options. acl, user_xattr must be listed to have acl support in first place.

tune2fs -o acl,user_xattr /dev/xxx

can be issued to set the defaults mounting options.

tune2fs -o ^acl,^user_xattr /dev/xxx

can be issued to clear the defaults mounting options.

These options are overwritten by /etc/fstab or options in the mount command line.
BTW, if you set the defaults mount options and mount the volume you won't be able to see the acl option listed in the output of mount. This can cause some confusion but acl will be enabled anyway.

----------------

Authentication

To enable LDAP authentication run

authconfig-tui

or

vi /etc/openldap/ldap.conf OR vi /etc/ldap.conf
URI ldap://127.0.0.1/
BASE dc=lutierigabriel
vim /etc/nsswitch.conf
add ldap to group, shadow, passwd

or

system-config-authentication

-------------------

kickstart

some options:

zerombr
clearpart --all

always use /root/anaconda-ks.cfg as a template.
-------------------

NFS

Firewall

TCP/2049
UDP/111,32769
TCP/32803,892
 All ports but 111 and 2049 has to be specified in /etc/sysconfig/nfs

yum install -y nfs-utils  nfs4-acl-tools
chkconfig nfs on; chkconfig nfslock on; chkconfig rpcbind on
vim /etc/exports
/mnt    *(ro,sync)

exportfs -avr -> reexport all directories

Adjusting SELinux ( this will allow directories to be exported as RO and RW:

getsebool -a | grep nfs
setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1

• mounting a NFS share:

mount localhost:/mnt /nfs

• Verifying the exported directories on the server side:

# cat /var/lib/nfs/etab
/mnt    *(ro,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)

• Verifying the mount NFS share on the cliente side:

nfsstat -m

• Persistent NFS mounts:

vim /etc/fstab
rhel01:/opt/company_data     /opt/company_data     nfs4   rw,sync  0 0

Client side mounting option

soft -> means that if a timeout occurs the process will give up and try again later. the device will become unavailable meanwhile
hard -> in the same situation as state above, the process will never give up on mounting/accessing the device. it will hang there 'til it gets mounted.
intr -> usually used along the hard option. means the besides hard it can be interrupted. usually better have hard, intr than soft.

-------------------------------

automount

how to automount home directories:

/etc/auto.master
/home/guests     /etc/auto.guests


/etec/auto.guests
*   -rw,soft,intr   instructor.example.com:/home/guests/&


service autofs reload

ls /home/guests/user1 -> will mount the user1 folder from the instructor box

 -----------

SetUID and SetGID

setuid allows users to execute a file with privileges of the file's owner

chmod u+s file
chmod 4755 file
find / -perm -4000

SetGID
chmod g+s file
chmod 2755 file
find / -perm -2000

Sticky bit (set on directories, only owner and root can delete contentes in the dir)
chmod +t sticky/
chmod 1755 sticky/
find / -perm -1000


-------

Virtualization (only available in 64 bits OS)


yum install qemu-kvm qemu-img

virsh list
virshlist --all

virsh shutdown X
virsh start NAME
virt-viewer X

virsh autostart --disable X
 virsh autostart X

virt-viewer X

Create a guess VM:

virt-install –-name Client03 –-ram 512 –-disk path=/var/lib/libvirt/images/client03.img,size=8 –-network network=default –-cdrom /dev/cdrom


it's recommended to use /var/lib/libvirt/images to hold the virtual disks. to use other directory you should configure SELinux to allow it.

Can also create via GUI with virt-manager.

Useful commands

virsh connect localhost
virsh start guest1-rhel6-64
virsh stop guest1-rhel6-64
virsh list -all
virsh console
virsh autostart  X

virsh net-list
virsh net-start X

------------------

SELinux

Make sure you have setroubleshoot-server so you will get nicer SELinux messages.


Check how SELinux is running:
[root@zeus ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted [root@zeus ~]# getenforce Enforcing [root@zeus ~]# setenforce permissive [root@zeus ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: enforcing Policy version: 24 Policy from config file: targeted [root@zeus ~]# setenforce enforcing [root@zeus ~]# getenforce Enforcing

you can also edit /etc/selinux/config. Regardless of the method you should reboot the system. When you change the mode the files must be relabed (their contexts will change) this is done on the boot process.

It is possible to disable enforcing mode, will only audit:

setenforcing 0

Check the boolean values or getsebool -a | grep http:

 sestatus -b | grep http
allow_httpd_anon_write                      off
allow_httpd_mod_auth_ntlm_winbind           off
allow_httpd_mod_auth_pam                    off
allow_httpd_sys_script_anon_write           off
httpd_builtin_scripting                     on
httpd_can_check_spam                        off
httpd_can_network_connect                   off
httpd_can_network_connect_cobbler           off
httpd_can_network_connect_db                off
httpd_can_network_memcache                  off
httpd_can_network_relay                     off
httpd_can_sendmail                          off
httpd_dbus_avahi                            on
httpd_enable_cgi                            on
httpd_enable_ftp_server                     off
httpd_enable_homedirs                       off

While I was reading about SELinux I found something very useful that I didn't know until now. Well, during the reading the author says to issue a commando called semanage that will explain each of the boolean options. However, I don't have semanage on my system and don't know which package provides it. So, the following command told me what package I should install to have semanage.

yum whatprovides *bin/semanage

Here we go, from the output it's clear to me that policycoreutils-python-2.0.83-19.1.el6.i686 has the binary that I was looking for.

Ok. moving on... so, to see what each boolean value does, issue:

[root@zeus ~]# semanage boolean -l | grep http
httpd_can_network_relay        -> off   Allow httpd to act as a relay
httpd_can_network_connect_db   -> off   Allow HTTPD scripts and modules to connect to databases over the network.
httpd_use_gpg                  -> off   Allow httpd to run gpg in gpg-web domain
httpd_enable_cgi               -> on    Allow httpd cgi support
allow_httpd_mod_auth_pam       -> off   Allow Apache to use mod_auth_pam

Changing boolean values:

setsebool -P httpd_enable_homedirs=1

Context is formed of:
User :  role  :  domain

Users are usually one of these:

unconfined_u: Unprotected user
system_u: System user
user_u: Normal user

Roles are usually one of these:

object_r: File 

system_r: Users and processes 

Domains (AKA type) are usually one of these:

unconfined_r: Unprotected file or process 

httpd_t: used for httpd process.
....


Roles do NOT have influence under files so object_r is used as a generic role for any file.

Checking files' context:

# ls -Z
-rw-------. root  root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rwxr-xr-x. root  root unconfined_u:object_r:admin_home_t:s0 a.out

Checking processes' context:

 ps -eZ |  grep httpd
unconfined_u:system_r:httpd_t:s0 14784 ?       00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14786 ?       00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14787 ?       00:00:00 httpd

Changing contexts (domains) http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-Targeted_policy-Unconfined_processes.html

[root@zeus ~]# touch myfile
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 myfile
[root@zeus ~]# chcon -vu system_u myfile
changing security context of `myfile'
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 myfile
[root@zeus ~]# chcon -vt etc_t myfile
changing security context of `myfile'
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:object_r:etc_t:s0       myfile
[root@zeus ~]# chcon -vr system_r myfile
changing security context of `myfile'
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:system_r:etc_t:s0       myfile

[root@zeus ~]# touch myfile2
[root@zeus ~]# ls -Z myfile2
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 myfile2
[root@zeus ~]# chcon --reference myfile myfile2
[root@zeus ~]# ls -Z myfile2
-rw-r--r--. root root system_u:system_r:etc_t:s0       myfile2

[root@zeus ~]# restorecon myfile
[root@zeus ~]# ls -Z myfile
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 myfile

Changing ports for services:

[root@zeus ~]# semanage port -l | grep http
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

[root@zeus ~]# semanage port -a -t http_port_t -p tcp 81

[root@zeus ~]# semanage port -l | grep http
http_port_t                    tcp      81, 80, 443, 488, 8008, 8009, 8443

Every time you change a context it will be restored in the next file system relabel (next reboot).
To make changes permanentely run:

semanage fcontext -a -t httpd_sys_content_t file1

TIP:
some daemons have man pages talking about the contexts and booleans used by them. take a look:

[root@zeus ~]# apropos _selinux
ftpd_selinux         (8)  - Security-Enhanced Linux policy for ftp daemons
httpd_selinux        (8)  - Security Enhanced Linux Policy for the httpd daemon
init_selinuxmnt      (3)  - initialize the global variable selinux_mnt
is_selinux_enabled   (3)  - check whether SELinux is enabled
kerberos_selinux     (8)  - Security Enhanced Linux Policy for Kerberos
named_selinux        (8)  - Security Enhanced Linux Policy for the Internet Name server (named) daemon
nfs_selinux          (8)  - Security Enhanced Linux Policy for NFS
pam_selinux          (8)  - PAM module to set the default security context
rsync_selinux        (8)  - Security Enhanced Linux Policy for the rsync daemon
samba_selinux        (8)  - Security Enhanced Linux Policy for Samba
ypbind_selinux       (8)  - Security Enhanced Linux Policy for NIS

semanage fcontext -a -t httpd_sys_content_t "/newweb(/.*)?"
restorecon -R -v /newweb

-------------


Firewall

 iptables -p icmp -h

show all the possible icmp types :-)

POSTROUTING -> SNAT --to-source x.x.x.x OR MASQUERADE

----------
Rsyslog

/etc/rsyslog.conf

forwarding message to other host:

 Remote machine
       There are three ways to forward message: the traditional UDP transport, which is extremely lossy but standard, the plain TCP based trans-
       port which loses messages only during certain situations but is widely available and the RELP transport which does not lose messages  but
       is currently available only as part of rsyslogd 3.15.0 and above.

       To  forward  messages  to another host via UDP, prepend the hostname with the at sign ("@").  To forward it via plain tcp, prepend two at
       signs ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of the hostname.

       Example:
              *.* @192.168.0.1

------

Apache

Test/Parse the config file:

service httpd configteste

VirtualHost

NameVirtualHost 192.168.56.200:80


<VirtualHost 192.168.56.200:80>
serverName site1.asdf.com
DocumentRoot "/var/www/site1"
</VirtualHost>


<VirtualHost 192.168.56.200:80>
Servername site2.asdf.com
DocumentRoot "/var/www/site2"
</VirtualHost>

Password protected

<Directory "/var/www/html/protected">
        AuthType        basic
        AuthName "You are out"
        AuthUserFile    "/var/www/html/protected/.users"
        Require user lutieri
        Options Indexes

        Order deny,allow
</Directory>

CGI Scripts

ScriptAlias /bin "/var/www/site1/bin"

OR

<Directory "/var/www/site1/bin/">
options ExecCGI Indexes
</Directory>

Addhandler cgi-script .lgb

The script will need to produce HTML output. Usually means that the first line in your script needs to print out which mime type the script will produce. I.E:

#!/bin/bash

echo "Content-type: text/html\n\n";
echo "Hello, World.";

Except that I found out that printing a blank line instead of content-type... also works great.



----------


Postfix

alternatives --config mta

-----------

Bind

[root@zeus ~]# cat /var/named/dynamic/asdf.com
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
site1   A       192.168.56.201
site2   A       192.168.56.202

Master zone

[root@zeus ~]# cat /etc/named.conf
---SNIP---

zone "asdf.com"  IN {
        type master;
        file "dynamic/asdf.com";
};
---SNIP---

Forward zone:

the directive Forwarders can also be used in the global context.

zone "asdf.com"  IN {
        type forward;
        forwarders {  66.33.206.206; };
};

--------------

Samba

If you create a directory and would like to share it, run:

 chcon -t samba_share_t /path

Allowing home directories to be shared:

[root@zeus ~]# setsebool -P samba_enable_home_dirs on
[root@zeus ~]# getsebool samba_enable_home_dirs
samba_enable_home_dirs --> on
[root@zeus ~]# semanage boolean -l | grep  samba_enable_home_dirs
samba_enable_home_dirs         -> on    Allow samba to share users home directories.

-P make the change to the boolean persistent across reboots.

OR

 semanage boolean -m --on  samba_enable_home_dirs

-----------


Vsftpd

Allow anonymoys upload

setsebool ftp_home_dir 1
chcon  -t public_content_rw_t /var/ftp/pub
setsebool allow_ftpd_anon_write 1
chgrp -R ftp: /var/ftp/dropbox
chmod g=wx /var/ftp/dropbox

cat /etc/vsftpd/vstfpd.conf

anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES

asdf

VNC


server side:
/etc/sysconfig/vncservers

client side:
vncviewer -via server9 localhost:2

this will make a ssh tunnel to server9 and tunnel the vnc connection.

Playing with ACLs on File Systems

Enabling ACLs:

# mount -oremount,acl /

Before:

[root@zeus ~]# ll
total 20
-rw-------. 1 root root 1134 Oct 2 14:13 anaconda-ks.cfg
-rw-r--r--. 1 root root 8408 Oct 2 14:13 install.log
-rw-r--r--. 1 root root 3164 Oct 2 14:12 install.log.syslog
[root@zeus ~]# getfacl install.log
# file: install.log
# owner: root
# group: root
user::rw-
group::r--
other::r--

Giving user01 rwx permissions on install.log

[root@zeus ~]# setfacl -m u:user01:rwx install.log

After:

[root@zeus ~]# ll
total 24
-rw-------. 1 root root 1134 Oct 2 14:13 anaconda-ks.cfg
-rw-rwxr--+ 1 root root 8408 Oct 2 14:13 install.log
-rw-r--r--. 1 root root 3164 Oct 2 14:12 install.log.syslog
[root@zeus ~]# getfacl install.log
# file: install.log
# owner: root
# group: root
user::rw-
user:user01:rwx
group::r--
mask::rwx
other::r--

Removing the previous gaven permission:

[root@zeus ~]# setfacl -x u:user01 install.log
[root@zeus ~]# getfacl install.log
# file: install.log
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--

Assigning and removing multiple entries:

[user01@zeus ~]$ setfacl -m u:root:rw-,u:games:r-- a
[user01@zeus ~]$ getfacl a
# file: a
# owner: user01
# group: user01
user::rw-
user:root:rw-
user:games:r--
group::rw-
mask::rw-
other::r--
[user01@zeus ~]$ setfacl  -b a
[user01@zeus ~]$ getfacl a
# file: a
# owner: user01
# group: user01
user::rw-
group::rw-
other::r--

Managing File Systems

Volumes metadata:

# blkid
/dev/sda1: LABEL="Bootinho" UUID="7aa20f0f-49f4-4601-bd30-9067519bb6c5" TYPE="ext4"
/dev/sda2: UUID="sWPlWO-lcYm-SLk2-E5Ho-0a6T-kdBt-YZG79V" TYPE="LVM2_member"
/dev/mapper/vg_zeus-lv_root: UUID="0b494d0c-b2c2-4dbc-a73f-392bd4860ed4" TYPE="ext4"
/dev/mapper/vg_zeus-lv_swap: UUID="e6602180-14f2-4f22-811a-f9fedc7d0387" TYPE="swap"

Labeling a volume:

[root@zeus ~]# e2label /dev/sda1 Bootinho

OR

[root@zeus ~]# tune2fs -L booootinho /dev/sda1
tune2fs 1.41.12 (17-May-2010)
[root@zeus ~]# e2label /dev/sda1
booootinho
[root@zeus ~]#

Querying a volume's label

[root@zeus ~]# e2label /dev/sda1
Bootinho

Finding volumes with a specific name

[root@zeus ~]# findfs LABEL=Bootinho
/dev/sda1

Mount using volume's label

[root@zeus ~]# mount LABEL=Bootinho /boot/

Reparing an ext2/ext3/ext4 file system

[root@zeus ~]# umount /boot/
[root@zeus ~]# e2fsck -f /dev/sda1
e2fsck 1.41.12 (17-May-2010)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
booootinho: 38/128016 files (2.6% non-contiguous), 43796/512000 blocks

Resizing an ext2/ext3/ext4 file system

[root@zeus ~]# resize2fs -p /dev/sda1
resize2fs 1.41.12 (17-May-2010)
The filesystem is already 512000 blocks long.  Nothing to do!

LUN Scanning on linux

COPIED FROM
http://support.dell.com/support/edocs/stor-sys/124t/en/124tvs16/install.html#enabling_lun_linux

References:
http://tldp.org/HOWTO/SCSI-2.4-HOWTO/mlproc.html


To verify the detection of a tape drive, administrators should check for its entry in /proc/scsi/scsi. Current versions of Linux may not scan the logical storage unit (LUN) ID of every device. This can result in some PowerVault devices not being identified or listed in the /proc/scsi/scsi output. Administrators can follow these steps to enable support for such devices.

1. Type cat/proc/scsi/scsi. The output will look similar to the following:
   Attached devices:
   Host: scsi3 Channel: 00 Id: 00 Lun: 00
      Vendor:   Quantum Model: DLT VS160   Rev: 3100
      Type:     Sequential-Access           ANSI SCSI revision: 03
2. Identify the host adapter, channel number, target ID number, and LUN number for the first LUN of the device to be configured. In this example, the Certance Ultrium 2 (a drive in the PowerVault 124T) is shown at the address, or nexus, 3 0 0 0 — which means host adapter 3, channel number 0, ID 0, and LUN 0. The PowerVault 124T always has the tape drive at LUN 0 and the robot at LUN 1.
3. For each LUN that needs to be discovered by Linux, issue the following command: echo "scsi add-single-device H C I L">/proc/scsi/scsi
   H C I L refers to the nexus described in step 2. So, with the PowerVault 124T robot configured at LUN 1, type:
   echo "scsi add-single-device 3 0 0 1">/proc/scsi/scsi The echo command will force a scan of each device at the given nexus.
   
4. Type cat /proc/scsi/scsi again to verify that all devices are now listed. The output will look similar to the following:
   Attached devices:
   Host: scsi3 Channel: 00 Id: 00 Lun: 00
      Vendor:   Quantum Model: DLT VS160   Rev: 3100
      Type:     Sequential-Access           ANSI SCSI revision: 03 Attached devices:
   Host: scsi3 Channel: 00 Id: 00 Lun: 01
      Vendor:   DELL Model: PV-124T   Rev: V31
      Type:     Sequential-Access           ANSI SCSI revision: 03
   Administrators should add the echo command to the Linux boot scripts because the device information is not persistent and must be created each time the system boots up. One example file that can be used for storing the commands is /etc/rc.local. Note that configuring additional devices on a server or a storage area network (SAN) can cause the devices to be reordered, which requires administrators to modify the commands. If the Fibre Channel adapter supports Persistent Bindings or an equivalent function, it can be enabled to reduce the chance of devices being reordered upon discovery.
   

NOTE: This procedure must be run each time the server is booted. Also, if backup application services are running (for example, they automatically start when the OS loads), they must be disabled and re-enabled after the above procedure.

The other way to enable LUN support is to recompile the kernel and enable LUN scanning in the Adaptec driver, but it requires advanced knowledge of Linux and will not be covered here. However, it will allow the server to always boot and see the device without any manual procedures.


This procedure also applies when a new Volume (LUN) is created in a storage system and is correctly mapped to the host. In this case is necessary to ReScan the target to update the LUNs in the OS.

In the former case partprobe can be issued to update the partition table.




 keywords: medium changer, linux, 124, TL2000, TL4000, tape device

mounting RAID devices on boot

if you already have a software RAID configured with mdadm it won't reassemble automatically on each boot. in order to have it reassembling do the following:

mdadm --detail --scan > /etc/mdadm.conf 

That's pretty much it!

Other useful commands:


Creating a RAID:

mdadm -Cv /dev/md1 -level=1 -n2 /dev/sdb1 /dev/sdc1

watching the building/rebuild status

cat /proc/mdstat

Check the RAID state:

mdadm -D /dev/md1

Simulates a failed drive:

mdadm /dev/md1 -f /dev/sdc1

Add a new drive (partition) to replaced the failed one:

mdadm --manage /dev/md1 -a /dev/sdb2

To reuse the failed drive one have to remove it and add it again to the array:

mdadm --manage /dev/md1 -r /dev/sdc1
mdadm --manage /dev/dm1 -a /dev/sdc1

Stopping a RAID:

mdadm -S /dev/md1

To "remount" a stopped or un-assembled RAID:

mdadm --assemble /dev/md1 /dev/sdb1 /dev/sdc1

OR

mdadm --assemble --scan

one more time the gentoo wiki has thousands of good info regarding software-based RAID:
http://en.gentoo-wiki.com/wiki/RAID/Software

Add horizontal/vertical line to a char in Excel

There are two methos:

Using dummy series or using dummy error bars.

http://peltiertech.com/Excel/Charts/AddLineHorzSeries.html

Tools for network analysis/traffic simulation for Linux

I always forget the name of these guys:

• Well known:

• iptraf
• darkstat
• iperf
• tcpstat
• ntop

• I never used before:

• tcpflow
• tcpslice
• tcptrace
• ngrep

Exchange 2k10: Installation Requirements

Instead of ticking dozens of checkboxes heres is a few commands that would help installing all(almost?) the req. for Exchange 2k10.

Open Powershell with elevated rights using "Run As Administrator", and run below cmdlets to install prerequisites...

Import-Module ServerManager

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart

Set-Service NetTcpPortSharing -StartupType Automatic

This will install all the features and reboot the machine.

Here there is a table with each set of requirements and commands necessary for the role you plan to install:

http://www.messagingtalk.org/exchange-2010-rc-quick-installation-guide

---

Even better, there are a couple of XML file containing all the requirements for different installations:

Look at DVD:\Scripts and you will find these files:

• exchange-all.xml – all server roles
• exchange-base.xml – only the requirements for Forest and Domain prep operations
• exchange-cadb.xml – Central Admin Database role
• exchange-cas.xml – Client Access Server role
• exchange-eca.xml – Central Admin role
• exchange-edge.xml – Edge Transport Server role
• exchange-hub.xml – Hub Transport Server role
• exchange-mbx.xml – Mailbox Server role
• exchange-typical.xml – Typical Exchange server (Client Access, Hub Transport, and Mailbox Server roles)
• exchange-um.xml – Unified Messaging role

run, for instance:

servermanagercmd -ip exchange-typical.xml

include -restart if you want it to restart automatically.



Source:
http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/0aefcc92-dc32-40cf-bf24-341d41974d0e

http://exchangeserverpro.com/installing-exchange-server-2010-pre-requisites-on-windows-server-2008