RHCSA Bootcamp Book
BOOT CAMP
A whole week of geeky fun!
Thursday, December 6, 12
ABOUT THE
INSTRUCTOR
Nathan Isburgh
RHCE, CISSP
ABOUT THE CLASS
40 hour boot-camp style prep course
Hours:
8:30am - 5:00pm
ABOUT THE COLLEGE
Rackspace Parking Sticker = good to go
Cafeteria
Do not speed!
ABOUT THE STUDENTS
Name?
Department?
EXPECTATIONS OF
STUDENTS
Strong foundation in basic Linux use and administration
Ask Questions!
Have fun
Learn something
ABOUT RHCSA EXAM
You will have 2.5 hours and access to all RHEL 6 Server
software.
AFTER RHCSA?
TO PASS EXAM:
Details specific to RHEL v. 6
SCHEDULE
slideshow.end();
RHCSA
BOOT CAMP
The Boot Process
OVERVIEW
The boot process gets a machine from the useless off state to
the feature rich operating system we all know and love
BIRTH
INFANT
Searches for valid MBR, loads the software found there and
transfers control to the...
TODDLER
TEENAGER
ADULT
init loads the inittab, specifying what the default runlevel should
be, then additional configuration files specify what software needs
to be started. init starts running all of the specified startup scripts
at this point.
MORE ON INIT
RHEL 6 marks Red Hat’s departure from the old style SystemV
initialization framework. Time to [mostly] forget about inittab!
http://upstart.ubuntu.com
UPSTART
/etc/init
RUNLEVELS
Runlevels:
4: Unused
6: Reboot
RUNLEVELS
UPSTART OVERVIEW
So the basic flow of operation for Upstart is as follows:
UPSTART OVERVIEW
telinit emits the runlevel event, which fires off /etc/init/rc.conf
WHEW!
INIT SCRIPTS
/etc/rcX.d
RC DIRECTORIES
ENTERING A
RUNLEVEL
INIT SCRIPTS
The main reason for this is so that there is only one copy of
each init script, reducing the chance that a script change
won’t be reflected in all runlevels.
MANAGING INIT
SCRIPTS
You can manage the links to the init scripts manually, or you
can use the chkconfig command to get the job done:
chkconfig --list
GRUB
GRUB
CONFIGURATION
GRUB’s configuration file is /boot/grub/grub.conf, which is configured as
follows:
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
        root (hd0,0)
        initrd /initrd
GRUB SHELL
Command mode – Pressing “c” while the boot menu is displayed will
provide the user with the GRUB shell, where a limited set of commands
can be used to explore the filesystem before booting. A full list of the
commands available can be found by pressing Tab while in command
mode.
Editing mode – Pressing “e” while the boot menu is displayed will provide
the user with the opportunity to edit a line in GRUB’s configuration file.
Append mode – Pressing “a” while the boot menu is displayed will allow
the user to append to the kernel line for the default kernel in GRUB’s
configuration file
Esc – can be pressed at any time to return you to the previous menu
BOOTING TO A GIVEN
RUNLEVEL
Also, adding the letter “s” or the word “single” to the end
of the command line is very important: this boots into single
user mode, which by default, will not require a password to
obtain a root shell.
Very important!
LAB
slideshow.end();
RHCSA
BOOT CAMP
Package Management
RPM
RPM
RPM QUERIES
Below are just a few examples of the types of queries you can run against
the RPM database.
rpm -ql        Queries the rpm database to determine which files are
associated with a particular rpm.
With any of these commands, you can add the -p option to run the
command against a package before it is installed.
RPM INSTALLATION
VERIFICATION
In addition to storing information about where a package is
installed, rpm also stores permissions, file sizes, md5sums,
and ownership information. This information can be easily
referenced to see if anything has been changed.
RPM VERIFY OUTPUT
S File Size differs
T mTime differs
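The verify flags above are most useful when something turns them into a decision. The following script is an added example, not part of the slides: it reads `rpm -Va` style lines and sorts them into HIGH (changed contents, permissions or ownership on a non-config file, a missing binary) and LOW (an edited config file, a timestamp-only change, a missing documentation file). The sample input is constructed for the demonstration, not captured from a real host; the column layout it assumes is the one rpm uses: a block of flag characters (S M 5 D L U G T, with `.` meaning unchanged), an optional attribute letter (`c` config, `d` doc, `g` ghost), then the path.

```shell
#!/bin/sh
# rpm_verify_triage: read rpm -V lines on stdin and print one
# "SEVERITY<TAB>path<TAB>reason" line for each entry worth looking at.
rpm_verify_triage() {
    awk '
    /^missing/ {
        attr = (NF == 3) ? $2 : ""
        # a missing doc or ghost file is normal; a missing binary is not
        sev = (attr == "d" || attr == "g") ? "LOW" : "HIGH"
        printf "%s\t%s\tfile missing\n", sev, $NF
        next
    }
    {
        flags = $1
        attr = (NF == 3) ? $2 : ""
        reason = ""; sev = "LOW"
        if (index(flags, "M") || index(flags, "U") || index(flags, "G")) {
            reason = "mode/owner/group changed"; sev = "HIGH"
        } else if (index(flags, "L") || index(flags, "D")) {
            reason = "symlink target or device node changed"; sev = "HIGH"
        } else if (index(flags, "5")) {
            # an edited config file is expected; changed contents elsewhere are not
            if (attr == "c") reason = "local config edit"
            else { reason = "contents differ from package"; sev = "HIGH" }
        } else if (index(flags, "S") || index(flags, "T")) {
            reason = "size/mtime only"
        }
        if (reason != "") printf "%s\t%s\t%s\n", sev, $NF, reason
    }'
}

# sample_verify_output: constructed rpm -Va output used as input below
sample_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd
.M.......    /usr/bin/passwd
missing    d /usr/share/doc/zlib-1.2.3/README
.......T.    /usr/lib64/libz.so.1.2.3
missing      /sbin/ifconfig
EOF
}

# demo: on a real system replace the sample with `rpm -Va | rpm_verify_triage`
sample_verify_output | rpm_verify_triage
```

A changed digest on a binary such as /usr/sbin/sshd is the line to chase first; the same flags on a file marked `c` usually just record an administrator's edit.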
EXTRACT RPM
CONTENTS
Use this technique to make a clean working copy of the files and directories
that would be installed with a package.
cd /temp/dir
YUM
RPM backend
Simple interface
REPOSITORIES
Repositories of packages must be listed in files in the /etc/yum.repos.d
directory with names ending in .repo and having a format like:
[label-for-repo]
baseurl = protocol://path/to/directory/of/packages
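A repository definition also decides whether yum verifies package signatures. The script below is an added example, not from the slides: it writes two constructed .repo files into a scratch directory (a signed mirror on the course's server1.example.com host, and a file with sections that disable or omit `gpgcheck`) and then reports every enabled section whose `gpgcheck` is not 1. The `enabled`, `gpgcheck` and `gpgkey` keys are standard yum repository options; the repository labels and URLs are made up for the demonstration.

```shell
#!/bin/sh
# check_repo_gpg FILE: print the label of every enabled repository section in a
# yum .repo file whose gpgcheck is not 1; exit status 1 if any were found.
check_repo_gpg() {
    awk '
    function flush() {
        if (section != "" && enabled != "0" && gpgcheck != "1") { print section; bad++ }
    }
    /^\[.*\]/ {                                   # new [label] section
        flush()
        section = substr($0, 2, index($0, "]") - 2)
        enabled = "1"; gpgcheck = ""               # yum defaults: enabled, gpgcheck unset
        next
    }
    /^[[:space:]]*(#|;|$)/ { next }               # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
        if (key == "enabled")  enabled  = val
        if (key == "gpgcheck") gpgcheck = val
    }
    END { flush(); exit (bad > 0) }' "$1"
}

# write_sample_repos DIR: constructed .repo files for the demonstration
write_sample_repos() {
    cat > "$1/rhel.repo" <<'EOF'
# signed repository: every package is checked against the vendor key
[rhel-local-mirror]
name = RHEL 6 local mirror
baseurl = http://server1.example.com/rhel6/
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
    cat > "$1/extras.repo" <<'EOF'
[unsigned-extras]
name = third-party packages with signature checking switched off
baseurl = file:///var/repo/extras
gpgcheck = 0

[no-gpgcheck-line]
baseurl = ftp://server1.example.com/pub/
enabled = 1

[disabled-testing]
baseurl = http://server1.example.com/testing/
enabled = 0
gpgcheck = 0
EOF
}

# demo: audit both files from a scratch directory
tmp=$(mktemp -d)
write_sample_repos "$tmp"
for f in "$tmp"/*.repo; do
    echo "== $f"
    check_repo_gpg "$f" && echo "(every enabled section has gpgcheck=1)"
done
rm -rf "$tmp"
```

Run it as `for f in /etc/yum.repos.d/*.repo; do check_repo_gpg "$f"; done` on a real host; the disabled section is deliberately ignored because yum will not pull packages from it.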
LAB
1. Connect to http://server1.example.com and read the information
there.
slideshow.end();
RHCSA
BOOT CAMP
System Administration
INSTALLATION
KICKSTART FILES
A Kickstart file is a flat text file which answers all of the installation
questions automatically. Therefore, logically, it contains details on:
Software packages
KICKSTART FILES
From scratch
Using system-config-kickstart
LAB
1. Examine /root/anaconda-ks.cfg
NETWORK
CONFIGURATION
There are two main approaches to configuring a machine for network
access:
Static configuration
Dynamic configuration
DYNAMIC
CONFIGURATION
Dynamic configuration is the easiest to use.
STATIC
CONFIGURATION
Static configuration requires four configuration parameters
in order to allow full network functionality:
IP Address
Netmask
DNS Server(s)
DNS?
STATIC
CONFIGURATION
ip addr list
GATEWAYS
ip route show
DNS SERVERS
/etc/resolv.conf
STATIC
CONFIGURATION
Once all four pieces of information are configured on the
system, full network service will be available.
CHANGING
NETWORKING
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network
/ETC/SYSCONFIG/NETWORK
NETWORKING={yes|no}
HOSTNAME=<fqdn>
IFCFG-* FILES
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
IFCFG-* FILES
To configure a device with static settings, the ifcfg file should contain the following:
DEVICE=eth0
BOOTPROTO=none
IPADDR=<ip>
ONBOOT=yes
GATEWAY=<gateway ip>
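The static configuration slides list four parameters a host needs (address, netmask, gateway, DNS); the check below is an added example, not part of the course material, that reads an ifcfg-* file and reports which of them are absent. It reads the file with awk rather than sourcing it, so a stray command in the file cannot execute. `IPADDR`, `NETMASK`, `PREFIX`, `GATEWAY`, `DNS1`, `BOOTPROTO` and `ONBOOT` are the standard ifcfg keys; the two sample files and their addresses are constructed for the demonstration.

```shell
#!/bin/sh
# ifcfg_get FILE KEY: print KEY's value from an ifcfg-* file (quotes stripped),
# empty if the key is not set. Parsed with awk instead of `. FILE` on purpose.
ifcfg_get() {
    awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# check_ifcfg FILE: for a static configuration, verify the four parameters the
# slides require are present. Prints problems; exit status 1 if one is missing.
check_ifcfg() {
    file=$1; missing=""
    case "$(ifcfg_get "$file" BOOTPROTO)" in
        dhcp|bootp)
            echo "dynamic configuration: the DHCP server supplies the parameters" ;;
        *)
            [ -n "$(ifcfg_get "$file" IPADDR)" ]  || missing="$missing IPADDR"
            [ -n "$(ifcfg_get "$file" GATEWAY)" ] || missing="$missing GATEWAY"
            # the netmask may be written as NETMASK=255.255.255.0 or PREFIX=24
            [ -n "$(ifcfg_get "$file" NETMASK)" ] || [ -n "$(ifcfg_get "$file" PREFIX)" ] \
                || missing="$missing NETMASK"
            # DNS may come from DNS1 here or be left entirely to /etc/resolv.conf
            [ -n "$(ifcfg_get "$file" DNS1)" ] \
                || echo "note: no DNS1 in $file, relying on /etc/resolv.conf"
            ;;
    esac
    [ "$(ifcfg_get "$file" ONBOOT)" = yes ] \
        || echo "warning: ONBOOT is not yes, $file will not come up at boot"
    for key in $missing; do echo "missing: $key"; done
    [ -z "$missing" ]
}

# write_sample_ifcfg DIR: two constructed files, one complete and one not
write_sample_ifcfg() {
    cat > "$1/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.2.50
NETMASK=255.255.255.0
GATEWAY=192.168.2.1
DNS1=192.168.2.10
EOF
    cat > "$1/ifcfg-eth1" <<'EOF'
DEVICE=eth1
BOOTPROTO=none
ONBOOT=no
IPADDR=10.0.0.5
EOF
}

# demo
tmp=$(mktemp -d)
write_sample_ifcfg "$tmp"
for f in "$tmp"/ifcfg-*; do
    echo "== $f"
    check_ifcfg "$f" && echo "(static configuration complete)"
done
rm -rf "$tmp"
```

On a real host point it at /etc/sysconfig/network-scripts/ifcfg-eth0 before restarting the network service, which is when a missing gateway usually shows itself.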
NETWORK MANAGER
In RHEL 6, network interfaces are handled via Network
Manager. Some notable commands/tools:
On the test, you should decide if you are going to use Network
Manager or not, and if so, only use NM and don’t edit the
config files by hand. Otherwise, disable NM and edit the files
by hand.
LAB
2. When you are satisfied with your configuration, restart the network
service to put your changes into effect.
3. Test your connectivity to server1 to make sure you are still online.
CRON
SYSTEM CRONS
/etc/crontab and /etc/cron.d/* define the system cron jobs.
USING CRON
CRONTAB
Root can work with the crontab for any user by specifying
the username on the command line:
crontab -e -u bob
CRONTAB SYNTAX
CRONTAB TIMESPECS
TIMESPEC EXAMPLES
EXAMPLE CRONTAB
01 4 * * * /usr/local/bin/restart-webserver
00 8 1 * * /usr/bin/mail-report [email protected]
*/5 * * * * /monitor/bin/check-site -e [email protected] -o /var/log/check.log
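Reading a timespec is easier when you can ask "would this line fire at that moment?". The function below is an added example, not from the slides: it evaluates the five time fields of a crontab line (`*`, single values, ranges, comma lists and `/step`) against a given minute, hour, day-of-month, month and day-of-week, including cron's two conventions that 0 and 7 both mean Sunday and that when both day fields are restricted, either one matching is enough. It goes a little beyond the slide's three examples by handling the general field syntax; the timespecs in the demo are taken from the slide plus one constructed weekday entry.

```shell
#!/bin/sh
# cron_matches "MIN HOUR DOM MON DOW" min hour dom mon dow
# exit 0 if the five-field timespec fires at the given moment, 1 otherwise.
cron_matches() {
    spec=$1; shift
    awk -v spec="$spec" -v m="$1" -v h="$2" -v dom="$3" -v mon="$4" -v dow="$5" '
    # field_match: does value v satisfy one crontab field f with range lo..hi?
    function field_match(f, v, lo, hi,    n, a, i, p, s, step, r, from, to) {
        n = split(f, a, ",")
        for (i = 1; i <= n; i++) {
            p = a[i]; step = 1
            if ((s = index(p, "/")) > 0) {          # a-b/step or */step
                step = substr(p, s + 1) + 0
                p = substr(p, 1, s - 1)
            }
            if (step < 1) step = 1
            if (p == "*") { from = lo; to = hi }
            else if ((r = index(p, "-")) > 0) {
                from = substr(p, 1, r - 1) + 0; to = substr(p, r + 1) + 0
            }
            else { from = to = p + 0 }
            if (v >= from && v <= to && (v - from) % step == 0) return 1
        }
        return 0
    }
    BEGIN {
        split(spec, f, /[ \t]+/)
        if (dow == 7) dow = 0                        # 0 and 7 are both Sunday
        dm = field_match(f[3], dom, 1, 31)
        wm = field_match(f[5], dow, 0, 7) || (dow == 0 && field_match(f[5], 7, 0, 7))
        # cron rule: if both day fields are restricted, the line fires when either matches
        if (f[3] != "*" && f[5] != "*") daymatch = (dm || wm)
        else                             daymatch = (dm && wm)
        ok = field_match(f[1], m, 0, 59) && field_match(f[2], h, 0, 23) && \
             daymatch && field_match(f[4], mon, 1, 12)
        exit !ok
    }'
}

# demo: the three lines from the slide plus a constructed weekday job,
# checked against Tuesday 2012-12-04 08:00 and 04:01
for spec in "01 4 * * *" "00 8 1 * *" "*/5 * * * *" "30 2 * * 1-5"; do
    for when in "0 8 4 12 2" "1 4 4 12 2"; do
        # shellcheck disable=SC2086
        if cron_matches "$spec" $when; then echo "fires   : $spec  at $when"
        else echo "silent  : $spec  at $when"; fi
    done
done
```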
LAB
1. Create a cronjob for the user root that checks the amount
of available space on the system every Friday at 12:34pm.
LOGS
SYSLOG
rsyslog - The system logger. A framework consisting of a
library, a daemon, a configuration file and logs.
Any application can use the library and log messages through
rsyslog with simple function calls.
Facility
Level
Message
SYSLOG
The facility describes what part of the operating system
generated the message, and is selected by the software:
/ETC/RSYSLOG.CONF
/etc/rsyslog.conf defines where all of the log messages should go.
Destinations include files, screens of logged in users, console, other syslog
servers. Additional configuration is available as well.
facility.level destination
Examples:
*.err /dev/console
mail.* /var/log/maillog
*.info;mail.none;authpriv.none /var/log/messages
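Selectors interact: a later `mail.none` cancels an earlier `*.info` for mail messages on the same line, and `*.err` means "err or more severe". The resolver below is an added example, not from the slides. It takes an rsyslog-style configuration file plus a facility and level and prints the destinations that message would reach, implementing the classic selector rules (`*`, comma-separated facilities, threshold levels, `=level`, `!level` and `none`; rsyslog's `$` directives and templates are skipped). The sample configuration is constructed from the three slide examples plus the `authpriv.* /var/log/secure` line that RHEL 6 ships by default.

```shell
#!/bin/sh
# syslog_route CONFIG FACILITY LEVEL: print every destination a message with the
# given facility and level would be written to under CONFIG's selectors.
syslog_route() {
    awk -v fac="$2" -v lev="$3" '
    BEGIN {
        # syslog priorities: lower number = more severe
        pri["emerg"] = 0; pri["panic"] = 0; pri["alert"] = 1; pri["crit"] = 2
        pri["err"] = 3; pri["error"] = 3; pri["warning"] = 4; pri["warn"] = 4
        pri["notice"] = 5; pri["info"] = 6; pri["debug"] = 7
        if (!(lev in pri)) { print "unknown level: " lev > "/dev/stderr"; exit 2 }
        msg = pri[lev]
    }
    /^[[:space:]]*(#|\$|$)/ { next }              # comments, $directives, blank lines
    {
        sel = $1; action = $2
        state = 0                                  # not selected until a part says so
        n = split(sel, parts, ";")
        for (p = 1; p <= n; p++) {                 # later parts override earlier ones
            dot = index(parts[p], ".")
            facs = substr(parts[p], 1, dot - 1)
            l = substr(parts[p], dot + 1)
            if (!(facs == "*" || index("," facs ",", "," fac ",") > 0)) continue
            if (l == "none")                    state = 0
            else if (l == "*")                  state = 1
            else if (substr(l, 1, 1) == "=")    state = (msg == pri[substr(l, 2)])
            else if (substr(l, 1, 1) == "!")    state = !(msg <= pri[substr(l, 2)])
            else                                state = (msg <= pri[l])   # level or worse
        }
        if (state) print action
    }' "$1"
}

# write_sample_rsyslog FILE: constructed excerpt in /etc/rsyslog.conf syntax
write_sample_rsyslog() {
    cat > "$1" <<'EOF'
# three selectors from the slides plus RHEL 6's default authpriv line
*.err                            /dev/console
mail.*                           /var/log/maillog
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
EOF
}

# demo: where do a few messages end up?
tmp=$(mktemp); write_sample_rsyslog "$tmp"
for q in "authpriv info" "mail err" "kern crit" "cron debug"; do
    # shellcheck disable=SC2086
    echo "$q -> $(syslog_route "$tmp" $q | tr '\n' ' ')"
done
rm -f "$tmp"
```

The authpriv case is the one worth remembering for security work: login and sudo records land only in /var/log/secure, so a copy of /var/log/messages alone misses them.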
/VAR/LOG
messages: catch-all
LOGS
LOCATING
APPLICATION LOGS
To track down the log file location for an application, you need
to find its configuration file so you can see where the logs are
being written.
LOCATING
APPLICATION LOGS
Now that the configuration file location is known, it only
takes a few moments to scan through it and find out where
logs are being written.
MAINTAINING LOGS
/etc/logrotate.conf
/etc/logrotate.d/
Can be run as root at any time to force log rotation and check for errors.
TROUBLESHOOTING
TOP
top - 16:39:32 up 682 days, 10:41, 2 users, load average: 0.01, 0.00, 0.00
Tasks: 118 total, 1 running, 116 sleeping, 1 stopped, 0 zombie
Cpu(s): 0.1%us, 0.0%sy, 0.0%ni, 99.8%id, 0.0%wa, 0.0%hi, 0.0%si, 0.1%st
Mem: 262316k total, 258024k used, 4292k free, 7380k buffers
Swap: 524280k total, 74564k used, 449716k free, 67808k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 15 0 10316 648 592 S 0 0.2 0:06.24 init
2 root RT 0 0 0 0 S 0 0.0 0:04.88 migration/0
3 root 34 19 0 0 0 S 0 0.0 0:00.19 ksoftirqd/0
DF
[root@dev1 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 9.4G 7.2G 1.8G 81% /
none 129M 0 129M 0% /dev/shm
[root@dev1 ~]#
LDD, LDCONFIG
NICE LEVEL
The nice level represents one influence on the calculations
the kernel uses when assigning priorities.
LAB
1. Take a few minutes to browse through the various logs in /var/
log. Familiarize yourself with the kinds of information
available.
3. Find where the audit service keeps its log and add a
corresponding new entry to your logrotate configuration. Force
a rotation to see everything work.
slideshow.end();
RHCSA
BOOT CAMP
Filesystem Administration
PARTITIONING
What is partitioning?
Why?
Simplifies/speeds backups
FDISK
fdisk: partitioning tool
MKFS
EXT2
Benefits
Drawbacks
EXT3
Benefits
Default file system of the old 7.x Red Hat to RHEL 5.x releases
Drawbacks
Inodes allocated when file system is created (other file systems create
them dynamically as they are needed)
Not as efficient as other file systems when dealing with lots of small files
EXT4
Benefits
Drawbacks
Inodes allocated when file system is created (other file systems create
them dynamically as they are needed)
JOURNALING
Journaling - How does it help?
2. The file’s inode must be marked as free in the free space map.
If step 1 happens before a crash, an inode will be orphaned and the file will be lost.
If step 2 happens before a crash, the inode will be marked free and may
be overwritten.
Journaling keeps a journal of the changes that are planned for the file system
ahead of time. The journal can then replay the changes in the journal at any time
to keep the file system clean.
FILESYSTEM
INTEGRITY CHECKS
fsck: Filesystem Check
Mount count
Last check
Dirty
FILE SYSTEM TOOLS
FSTAB
LAB
AUTOMOUNT
AUTO.MASTER
/misc        /etc/auto.misc
AUTOMOUNT PATH
CONFIG FILES
Basic syntax:
LAB
EXTENDED
ATTRIBUTES
The Linux Extended filesystem supports attributes that
affect how data can be manipulated.
COMMON EXTENDED
FILE ATTRIBUTES
ACL’S
The Linux Extended Filesystem supports access control lists,
which allow for more flexible permissions than standard file
system permissions.
To use ACLs, a file system must have the acl mount option.
ACL EXAMPLES
QUOTAS
ENABLING QUOTAS
usrquota and grpquota options must be enabled on the filesystem
mount
Two files will be created at the root of the filesystem: aquota.user and
aquota.group
LAB
1. Create a quota for the user student with:
DISK ENCRYPTION
LUKS
CRYPTSETUP
To create a new LUKS encrypted device:
This command will verify the password and set up a new dm-crypt
device mapper mapping of:
Creating /dev/mapper/mapname
CRYPTSETUP
LUKS PERSISTENCE
To make a LUKS encrypted device available at boot time, use the
/etc/crypttab file:
LAB
SELINUX
identity:role:domain/type
SELINUX
Adding the -Z option to several commands will show how they are
running in regards to SELinux:
To change the context of a file, you can use the chcon command:
LABELING
CONTROLLING
SELINUX
The tool system-config-selinux can be used to configure
SELinux.
To change the SELinux mode during boot, you can pass the
enforcing=0 option to the kernel in GRUB.
ADDITIONAL SELINUX
TOOLS
LAB
slideshow.end();
RHCSA
BOOT CAMP
Users and Groups
USERS AND GROUPS
Root is the super user, and the only user with special permissions
CONFIG FILES
/etc/passwd
/etc/shadow
/etc/group
/ETC/PASSWD
login:x:userid:groupid:gecos:homedir:shell
Examples:
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
/ETC/SHADOW
Examples:
root:pB8msP1fCbCqc:13904:0:99999:7:::
nisburgh:vRoPw6a/jQsp.:14466:0:99999:7:::
/ETC/GROUP
Same colon-separated-column list of records format
groupname:grouppassword:groupid:secondarymembers
Examples:
daemon:x:2:root,bin,daemon
apache:x:48:jack,nisburgh
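Once the field layouts of /etc/passwd and /etc/shadow are known, the files can be audited with the same colon-splitting the slides describe. The script below is an added example, not part of the slides. It reports three things a reviewer looks for: a second account with UID 0 ("root is the only user with special permissions" only holds while that is true), a shadow entry whose password field is empty (no password is asked for at all) and a hash that is not SHA-512 (`$6$`, the RHEL 6 default; the 13-character entries in the slide examples are legacy DES crypt). The sample files are constructed; the `nisburgh` line reuses the slide's example hash string, and the other hashes are placeholders.

```shell
#!/bin/sh
# audit_accounts PASSWD SHADOW: print "FINDING<TAB>login" for entries that need attention.
audit_accounts() {
    pw=$1; sh=$2
    # passwd: login:x:uid:gid:gecos:home:shell
    awk -F: '
        $3 == 0 && $1 != "root" { print "UID0\t" $1 }         # extra superuser account
        $2 != "x"               { print "PW-IN-PASSWD\t" $1 } # hash not moved to shadow
    ' "$pw"
    # shadow: login:hash:lastchange:min:max:warn:inactive:expire:
    awk -F: '
        $2 == ""          { print "NOPASS\t" $1; next }       # empty field = no password needed
        $2 ~ /^[!*]/      { next }                            # locked ("!", "!!") or no-login ("*")
        $2 !~ /^\$6\$/    { print "LEGACYHASH\t" $1 }         # not SHA-512: DES, MD5 ($1$), ...
    ' "$sh"
}

# write_sample_files DIR: constructed passwd/shadow content for the demonstration
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nisburgh:x:500:500:Nathan Isburgh:/home/nisburgh:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$examplesalt$placeholderhashnotreal:15680:0:99999:7:::
bin:*:15680:0:99999:7:::
mysql:!!:15680:0:99999:7:::
nisburgh:vRoPw6a/jQsp.:14466:0:99999:7:::
toor::15680:0:99999:7:::
EOF
}

# demo: on a live host run `audit_accounts /etc/passwd /etc/shadow` as root
tmp=$(mktemp -d)
write_sample_files "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```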
MANAGEMENT
USERADD
useradd lisa
USERMOD, USERDEL
userdel moe
GROUP COMMANDS
groupadd bullies
groupdel microsoft
PASSWORDS
Root can change the password for any user on the system
passwd -l mary
PASSWORD AGING
When a user’s password has expired, you can set the number
of days it can remain expired before disabling the account
completely:
IMPORTANT USER
ENVIRONMENT FILES
/etc/skel default template for a newly-added user’s
home directory
LAB
1. Create a new group ‘dev’. Create a new user ‘alice’ as a member of the ‘dev’
group, with a description of “Alice from Dev” and a default shell of ‘/bin/csh’.
Use the passwd command to set a password for alice, then log in as alice and
verify her access.
2. Set a maximum password lifetime of 4 weeks for the alice account. Look at the
passwd, shadow and group files.
3. Configure the users guido, linus, and richard. Set all their passwords to
“linux”.
5. Configure the directory /home/linux so that each user from the ru group can
read, create, and modify files.
6. Configure the directory /home/linux/work so that each user can create and read
files, but only the file’s owner can delete.
7. Use ACLs to allow alice, not in ru, full r/w access to the work folder.
NIS
NIS Servers can be configured to centrally manage system and account information.
These servers can share the contents of /etc/passwd, /etc/shadow,
/etc/group, and several other files among any number of clients.
To configure a client, you must install the ypbind and portmap RPMs, and then
you can run system-config-authentication.
/etc/sysconfig/network
/etc/yp.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
LAB
LDAP
LDAP Servers can also be configured to centrally manage system and account
information. LDAP is much more secure and flexible than a default NIS
configuration, and as such is becoming much more popular.
To configure a client, you must install the nss-pam-ldapd and openldap RPMs,
and then you can run system-config-authentication.
/etc/ldap.conf
/etc/openldap/ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
LAB
slideshow.end();
RHCSA
BOOT CAMP
Kernel Features
IMPORTANT KERNEL
DIRECTORIES
/PROC/*
See the manpage for proc for more information and descriptions
/PROC/*
SYSCTL
sysctl -w kernel.pid_max=65535
sysctl -a
sysctl -w vm.swappiness=100
LAB
LVM
LVM TERMINOLOGY
Physical Volume (pv) A physical volume is simply the
partition/RAID device for the LVM space.
LVM BASIC IDEA
PVCREATE
pvcreate /dev/sda4
VGCREATE
LVCREATE
RESIZING LV’S
RESIZING LV’S
resize2fs <logical volume>
Once the lv has been extended, you will need to extend the file
system
You can grow the file system while it is mounted, but before
shrinking it must first be unmounted.
LAB
1. Add logical volume management on top of a new partition. Use a
physical extent size of 16MB.
2. Use half the available space for a logical volume formatted with
ext4 and mounted persistently across reboots.
3. Take a snapshot of this logical volume and check the file system
for errors.
4. Assuming none are found, reset the counter for days and mounts
until a check is forced on the original file system.
5. Copy some data onto the LV, then expand it and the filesystem by
50MB. fsck, then re-mount the filesystem and verify its
contents. Also try reducing by 50MB.
SWAP SPACE
Swap space allows the kernel to better manage limited system
memory by copying segments of memory onto disk
Performance gains
LAB
slideshow.end();
RHCSA
BOOT CAMP
File Sharing Services
NFS
rpcinfo -p server1
showmount -e server1
ACCESSING NFS
SHARES
LAB
VSFTPD
VSFTPd is the default ftp server
/etc/vsftpd/ftpusers
LAB
slideshow.end();
RHCSA
BOOT CAMP
Web Services
APACHE
CONFIGURATION
APACHE
CONFIGURATION
You can find this example Apache VirtualHost definition at the bottom of httpd.conf:
<VirtualHost ____________>
        ServerName name
        ServerAlias alias
        DocumentRoot path
        ErrorLog /path/to/error_log
</VirtualHost>
LAB
SECURING APACHE
Apache supports access control through allow and deny directives:
SECURING APACHE
<Directory>
<File>
LAB
slideshow.end();
RHCSA
BOOT CAMP
Network Security
TCP WRAPPERS
CHECKING TCP
WRAPPER SUPPORT
Determine which binary the application runs as. Check init script or:
# which sshd
/usr/sbin/sshd
If you see libwrap support in the output, then you can configure access
to the service with tcp_wrappers.
TCP WRAPPER
OPERATION
/etc/hosts.allow
/etc/hosts.deny
TCP WRAPPER
OPERATION
These files are parsed in the following order:
TCP WRAPPER
CONFIGURATION
<daemon>: <client>
sshd: 192.168.2.200
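The decision a libwrap-linked daemon makes is small enough to model in a few lines, which is the quickest way to check that a hosts.allow/hosts.deny pair does what you intend before you lock yourself out. The script below is an added example, not from the slides. `tcpd_decide` applies the order the slides describe: a matching line in hosts.allow grants access, otherwise a matching line in hosts.deny refuses it, otherwise access is granted. The matcher handles the common client forms (`ALL`, an exact address, a `192.168.2.` network prefix, a `.example.com` domain suffix and comma lists); `EXCEPT`, netmask notation and IPv6 addresses are left out. The two sample files are constructed and contain the slide's `sshd: 192.168.2.200` line.

```shell
#!/bin/sh
# wrap_match FILE DAEMON CLIENT: exit 0 if any "daemon_list : client_list [: options]"
# line in FILE matches the daemon and client, 1 otherwise.
wrap_match() {
    awk -F: -v d="$2" -v c="$3" '
    # does one comma-separated list in a hosts.allow/deny line cover item?
    function tok_match(list, item, isclient,    n, a, i, t) {
        gsub(/[[:space:]]/, "", list)
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) {
            t = a[i]
            if (t == "ALL" || t == item) return 1
            # "192.168.2." = network prefix; ".example.com" = domain suffix
            if (isclient && substr(t, length(t), 1) == "." && index(item, t) == 1) return 1
            if (isclient && substr(t, 1, 1) == "." && \
                substr(item, length(item) - length(t) + 1) == t) return 1
        }
        return 0
    }
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    tok_match($1, d, 0) && tok_match($2, c, 1) { found = 1; exit }
    END { exit !found }
    ' "$1"
}

# tcpd_decide ALLOW_FILE DENY_FILE DAEMON CLIENT: print the verdict and its source;
# exit 0 when the connection would be accepted, 1 when refused.
tcpd_decide() {
    if wrap_match "$1" "$3" "$4"; then echo "ALLOW ($3 from $4: matched $1)"; return 0; fi
    if wrap_match "$2" "$3" "$4"; then echo "DENY  ($3 from $4: matched $2)"; return 1; fi
    echo "ALLOW ($3 from $4: no line in either file)"
}

# write_sample_wrappers DIR: constructed hosts.allow and hosts.deny
write_sample_wrappers() {
    cat > "$1/hosts.allow" <<'EOF'
# exact host from the slides, loopback for everything, a domain and a network prefix
sshd: 192.168.2.200
ALL: 127.0.0.1
vsftpd: .example.com
sshd: 10.10.
EOF
    cat > "$1/hosts.deny" <<'EOF'
# default deny: anything not granted above is refused
ALL: ALL
EOF
}

# demo
tmp=$(mktemp -d)
write_sample_wrappers "$tmp"
for q in "sshd 192.168.2.200" "sshd 192.168.2.201" "vsftpd server1.example.com" \
         "sshd 10.10.4.4" "in.telnetd 127.0.0.1" "sshd 10.0.0.5"; do
    # shellcheck disable=SC2086
    tcpd_decide "$tmp/hosts.allow" "$tmp/hosts.deny" $q || true
done
rm -rf "$tmp"
```

The last rule is the one administrators forget: with no `ALL: ALL` in hosts.deny, a client that matches nothing is let in, so an empty deny file is not a closed door.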
IPTABLES
NAT support
Port forwarding
IPTABLES RULE
MATCHING
IPTABLES TOOLS
iptables: View/modify current firewall rules
/etc/sysconfig/iptables
IPTABLES RULES
IPTABLES CHAINS
INPUT
OUTPUT
FORWARD
IPTABLES RULES
incoming interface -i
protocol -p
source ip address -s
destination ip address -d
IPTABLES RULES
ACCEPT Deliver
IPTABLES RULES
So to summarize the syntax:
iptables
-A INPUT
-s 192.168.2.100
-j REJECT
LAB
slideshow.end();
RHCSA
BOOT CAMP
Virtualization
VIRTUALIZATION
RHEL 6 virtualization is accomplished via:
PACKAGES
Virtualization
Virtualization Client
Virtualization Platform
Virtualization Tools
LIBVIRT
libvirt is the management framework used in RHEL 6
virtualization.
SCHEDULE FOR
TOMORROW
Exam starts at 9:00am SHARP
Survey Monkey!
DEMONSTRATION
LAB
slideshow.end();