RH134
We will learn:
• Introduction to shell
• Shell scripting
• Basic shell scripts
• Input and Output of scripts
• If-then scripts
• for loop scripts
• Shell (#!/bin/bash)
• Comments (# comments)
• Commands (echo, cp, grep etc.)
• Statements (if, while, for etc.)
• A shell script should have executable permissions (e.g. -rwxr-xr-x)
• A shell script has to be called by its absolute path (e.g. /home/userdir/script.bash)
• If called from the current directory, use ./script.bash
• Creating tasks
• Showing your id, current location, your files/directories and system info
• Creating files or directories
• Output to a file (">")
• Filters/Text processors through scripts (cut, awk, grep, sort, uniq, wc)
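The script below is an added example (not from the course material) that puts the pieces above together: shebang, comments, if-then, a for loop, the cut/grep/sort/uniq/wc filters and ">" redirection, used to audit an /etc/passwd-style file for root-equivalent (UID 0) accounts and login-capable shells. The file it reads is a constructed sample embedded in the script.

```shell
#!/bin/bash
# Constructed example: a small account-audit script built from the pieces
# listed above (shebang, comments, commands, if-then, for loop, filters and
# ">" redirection). It reads an /etc/passwd-style file and reports accounts
# with UID 0 or a real login shell. A constructed sample file is used so the
# script runs anywhere; point "target" at /etc/passwd to audit a real system.

# Print every account whose UID (field 3) is 0, i.e. root-equivalent.
uid0_accounts() {
    local user uid
    for user in $(cut -d: -f1 "$1"); do
        uid=$(grep "^${user}:" "$1" | head -n 1 | cut -d: -f3)
        if [ "$uid" = "0" ]; then
            echo "$user"
        fi
    done
}

# Count accounts whose shell is not nologin/false (they can log in interactively).
login_shell_count() {
    cut -d: -f7 "$1" | grep -v -E '(nologin|false)$' | wc -l | tr -d ' '
}

# List the distinct shells in use: sort brings duplicates together, uniq drops them.
distinct_shells() {
    cut -d: -f7 "$1" | sort | uniq
}

# Constructed sample (not a real system's passwd file); note the second UID 0 account.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc:x:1002:1002:service:/var/lib/svc:/bin/false
EOF

target="$sample"                       # use /etc/passwd to audit the real system
report="$(mktemp)"
{
    echo "UID 0 accounts:";        uid0_accounts "$target"
    echo "Login-capable accounts: $(login_shell_count "$target")"
    echo "Shells in use:";         distinct_shells "$target"
} > "$report"                          # ">" writes the whole report to a file
cat "$report"
```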
A Linux system comes fine-tuned by default when you install it; however, there are a few tweaks
that can be made based on system performance and application requirements
What is tuned?
Profile: Purpose
balanced: Ideal for systems that require a compromise between power saving and performance
desktop: Derived from the balanced profile. Provides faster response of interactive applications
latency-performance: Ideal for server systems that require low latency at the expense of power consumption
network-latency: Derived from the latency-performance profile. It enables additional network tuning parameters to provide low network latency
network-throughput: Derived from the throughput-performance profile. Additional network tuning parameters are applied for maximum network throughput
powersave: Tunes the system for maximum power saving
oracle: Optimized for Oracle database loads based on the throughput-performance profile
virtual-guest: Tunes the system for maximum performance if it runs on a virtual machine
virtual-host: Tunes the system for maximum performance if it acts as a host for virtual machines
The nice value is the user-space priority; PR is the process's actual priority as used by the Linux kernel. In
Linux, system priorities range from 0 to 139: 0 to 99 are for real-time processes and 100 to 139 for user processes
• Process priority can also be viewed through the ps command with the right options
$ ps axo pid,comm,nice,cls --sort=-nice
Use of ACL:
• Think of a scenario in which a particular user is not a member of a group created by you,
but you still want to give that user some read or write access. How can you do it without making
the user a member of the group? This is where Access Control Lists come into the picture; ACLs
let us do this
• From the Linux man pages: ACLs are used to define more fine-grained discretionary access
rights for files and directories.
3) To allow all files or directories to inherit ACL entries from the directory they are within (the -d option sets a default ACL)
setfacl -dm "entry" /path/to/dir
Note:
• As you assign an ACL to a file/directory, a + sign is added at the end of its permission string in ls -l output
• Granting the w permission through an ACL does not allow the user to remove the file (deleting requires write permission on the directory)
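As an added example (not from the course material), the script below sets a default ACL on a temporary directory, creates a file inside it and checks both that the entry was inherited and that ls -l now shows the + marker. It assumes the acl package (setfacl/getfacl) is installed and uses the nobody account as the grantee; it reports "skipped" or "unsupported" where either assumption fails.

```shell
#!/bin/bash
# Added example: set a default ACL on a directory, create a file inside it, and
# check that the file inherited the entry and that ls -l now shows the "+"
# marker. Assumes the acl package (setfacl/getfacl) is installed and that the
# "nobody" account exists; prints "skipped" or "unsupported" otherwise.

acl_inherit_demo() {
    local dir="$1" grantee="${2:-nobody}"
    command -v setfacl >/dev/null 2>&1 || { echo "skipped"; return 0; }
    # -d = default ACL (inherited by new files/dirs), -m = modify/add an entry
    setfacl -dm "u:${grantee}:rw" "$dir" 2>/dev/null || { echo "unsupported"; return 0; }
    touch "$dir/newfile"
    # the new file should carry user:<grantee>:rw- without any setfacl run on it,
    # and its mode string should end in "+" (11th character of ls -l output)
    if getfacl --omit-header "$dir/newfile" 2>/dev/null | grep -q "^user:${grantee}:rw-" \
       && ls -l "$dir/newfile" | cut -c1-11 | grep -q '+$'; then
        echo "inherited"
    else
        echo "not-inherited"
    fi
}

demo_dir=$(mktemp -d)
acl_inherit_demo "$demo_dir"      # prints "inherited" where ACLs are supported
getfacl "$demo_dir/newfile" 2>/dev/null || true   # show the inherited entries, if any
```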
By: Imran Afzal
www.utclisolutions.com
Managing SELinux Security
• What is SELinux?
• Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting
access control security policies, including mandatory access controls. (Wikipedia)
• It is a project of the United States National Security Agency (NSA) and the SELinux community
(Diagram: Discretionary Access Control (DAC) uses users, groups and chmod permission bits, e.g. -rwx r-- r-- (u g o) on /var/www/cgi-bin; SELinux adds Mandatory Access Control (MAC), where policy governs what a process such as the http user's web server may access: files like /var/www/html, memory, sockets.)
If the Apache HTTP Server is compromised, an attacker cannot use that process to read files in
user home directories, unless a specific SELinux policy rule was added or configured to allow
such access
SELinux (Security Enhanced Linux)
• SELinux options
• Enforcing = Enabled (the default in Red Hat, CentOS and Fedora)
• Permissive = Policy is not enforced, but the activity is logged
• Disabled = Disabled, and no activity is logged
• SELinux setting
• # setenforce 0 = Permissive
• # setenforce 1 = Enforcing
• setenforce changes the mode only until the next reboot; the persistent mode is set in /etc/selinux/config
Storage
• Local Storage
• SAN (Storage Area Network)
• NAS (Network Attached Storage)
(Diagram: drive letters C:, D:, E: as an analogy; a 1.0G /oracle filesystem that has become full)
A few options when /oracle is full:
• Delete older files to free up disk space
• Add a new physical disk and mount it to /oracle2
• Create a new virtual disk and mount it to /oracle2
• Or extend /oracle through LVM
• Red Hat 8 introduces the next-generation volume management solution called Stratis
• It uses thin provisioning by default
• It combines the process of creating logical volume management (LVM) volumes and creating
filesystems into one management step
• In LVM, if a filesystem gets full you have to extend it manually, whereas Stratis
extends the filesystem automatically if it has available space in its pool
• How to manage multiple storage layers using Stratis local storage management
(Diagram: block devices, e.g. 10G and 30G, form a Stratis pool (the equivalent of an LVM volume group) from which Stratis filesystems are created)
Implement Advanced Storage Features with Stratis
• Add 2 x 5G new disks in the virtualization software (e.g. the Oracle VirtualBox storage settings) and verify at the OS level with lsblk
• NFS stands for Network File System, a file system developed by Sun Microsystems, Inc.
• It is a client/server system that allows users to access files across a network and treat them
as if they resided in a local file directory
• For example, if you were using a computer linked to a second computer via NFS, you could
access files on the second computer as if they resided in a directory on the first computer.
This is accomplished through the processes of exporting (the process by which an NFS
server provides remote clients with access to its files) and mounting (the process by which
clients map the NFS shared filesystem)
(Diagram: the client sends an NFS request to the server; once approved, the share is mounted on the client)
Access Network-Attached Storage
Network File System (NFS)
Steps for NFS Server Configuration
• It works exactly like NFS, but the difference is that NFS shares within Linux or Unix-like systems
whereas Samba shares with other OSes (e.g. Windows, Mac etc.)
• For example, if computer "A" shares its filesystem with computer "B" using Samba, then
computer "B" will see that shared filesystem as if it were mounted as a local filesystem
(Diagram: the client sends a mount request to the server; once approved, the share is mounted on the client)
• Another protocol used by Samba to share is CIFS (Common Internet File System), invented by
Microsoft, together with NMB (NetBIOS Name Server)
• CIFS became the extension of SMB, and Microsoft has since introduced newer versions, SMB v2
and v3, that are mostly used in the industry
• In simple terms, most people, when they use either SMB or CIFS, are talking about the same exact
thing
• systemd is the new service manager in CentOS/RHEL 7 that manages the boot sequence
• It is backward compatible with the SysV init scripts used by previous versions of Red Hat
Linux, including RHEL 6
• To power off or reboot a system from the command line, you can use the systemctl
command
• systemctl poweroff = stops all running services, unmounts all file systems, and then
powers down the system
• systemctl reboot = stops all running services, unmounts all file systems, and then
reboots the system
• You can also use the shorter version of these commands, shutdown, poweroff and
reboot, which are symbolic links to their systemctl equivalents
Target: Purpose
graphical.target: System supports multiple users, graphical and text-based logins
multi-user.target: System supports multiple users, text-based logins only
rescue.target: sulogin prompt, basic system initialization completed
emergency.target: sulogin prompt, initramfs pivot complete and system root mounted on / read-only
• A target can be a part of another target. e.g., the graphical.target includes multi-user.target, which in turn depends on basic.target and others
• You can display the new runlevels/targets by issuing the following command:
• ls -al /lib/systemd/system/runlevel*
• In either of the above cases systemd will not be able to boot the system into the defined target
and will bring the system into emergency mode
• The following table lists some common errors and their results
Problem: Result
Corrupt file system: systemd attempts to repair the file system. If the problem is too severe for an automatic fix, the system drops the user to an emergency shell
Nonexistent device or UUID referenced in /etc/fstab: systemd waits for a set amount of time for the device to become available. If the device does not become available, the system drops the user to an emergency shell after the timeout
Nonexistent mount point in /etc/fstab: The system drops the user to an emergency shell
Incorrect mount option specified in /etc/fstab: The system drops the user to an emergency shell
Control Boot Process
Repair Filesystem Corruption
• In any case, administrators can use the emergency target to diagnose and fix the issue, because no file
systems are mounted before the emergency shell is displayed
• When using the emergency shell to fix filesystem issues, do not forget to run systemctl daemon-reload
after editing /etc/fstab. Without this reload, systemd may continue using the old version.
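As an added example (not from the course material), the script below checks an fstab file for the problems in the table above before a reboot: a device or UUID that does not exist, a mount point that does not exist, and malformed entries. It runs against a constructed sample fstab embedded in the script; pass /etc/fstab to check the real one.

```shell
#!/bin/bash
# Added example: a pre-reboot check of an fstab file for the failure modes in
# the table above (nonexistent device or UUID, nonexistent mount point, a
# malformed entry) so they are found now rather than in the emergency shell.
# Run it as check_fstab /etc/fstab; a constructed sample is checked below.
# Option strings are not validated here; findmnt --verify can do that.

check_fstab() {
    local fstab="$1" problems=0 dev mnt type opts dump pass extra path
    while read -r dev mnt type opts dump pass extra; do
        case "$dev" in ''|\#*) continue ;; esac       # skip blank/comment lines
        if [ -z "$opts" ] || [ -n "$extra" ]; then
            echo "MALFORMED: '$dev $mnt' must have 4 to 6 fields"
            problems=$((problems + 1)); continue
        fi
        case "$dev" in                                 # resolve the device spec to a path
            UUID=*)  path="/dev/disk/by-uuid/${dev#UUID=}" ;;
            LABEL=*) path="/dev/disk/by-label/${dev#LABEL=}" ;;
            /*)      path="$dev" ;;
            *)       path="" ;;                        # tmpfs, proc, host:/nfs, etc.
        esac
        if [ -n "$path" ] && [ ! -e "$path" ]; then
            case ",$opts," in
                *,nofail,*) echo "WARNING: $dev missing, but nofail lets the boot continue" ;;
                *) echo "NO DEVICE: $dev ($mnt) would block boot"; problems=$((problems + 1)) ;;
            esac
        fi
        if [ "$mnt" != "none" ] && [ "$mnt" != "swap" ] && [ ! -d "$mnt" ]; then
            echo "NO MOUNT POINT: $mnt does not exist"; problems=$((problems + 1))
        fi
    done < "$fstab"
    echo "$problems problem(s) found in $fstab"
    return "$problems"
}

# Constructed sample with deliberate mistakes (not a real system's fstab)
sample_fstab=$(mktemp)
cat > "$sample_fstab" <<'EOF'
# <device>                                  <mount>                 <type> <opts>          <dump> <pass>
UUID=11111111-2222-3333-4444-555555555555   /srv/constructed-data   xfs    defaults        0 0
/dev/sdz9                                   /nonexistent-mount      ext4   defaults        0 2
/dev/sdz8                                   /tmp                    ext4   defaults,nofail 0 2
tmpfs                                       /tmp                    tmpfs  defaults        0 0
/dev/sdz7 /tmp ext4 defaults 0 2 extra-field
EOF
if check_fstab "$sample_fstab"; then echo "fstab looks sane"; else echo "fix the entries above before rebooting"; fi
```

Option strings (the last row of the table) cannot be checked without the kernel's help; on a real system findmnt --verify covers those as well.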
• What is a Firewall?
• A wall that prevents the spread of fire
• When data moves in and out of a server, its packet information is tested against the
firewall rules to see if it should be allowed or not
• In simple words, a firewall is like a watchman, a bouncer, or a shield that has a set
of rules and, based on those rules, decides who can enter and leave
Introduction to Firewall
(Diagram: host A connects to host B on SSH, port 22: connection established. Host A connects to host B on FTP, port 21: connection refused.)
Firewall (firewalld)
• Firewalld works the same way as iptables but of course it has its own commands
• firewall-cmd
• It has a few pre-defined service rules that are very easy to turn on and off
• Services such as: NFS, NTP, HTTPD etc.
• You can run one or the other
• iptables or firewalld
• Start firewalld
• systemctl start/enable firewalld
• All services are pre-defined by firewalld. What if you want to add a 3rd party service?
• /usr/lib/firewalld/services/ (one .xml file per service)
• Simply cp any .xml file and change the service name and port number
(Slide shows an annotated service .xml file: the XML version line, the service element, its short name, port and description.)
Manage Network Security (Firewall)
Firewall (firewalld, practical examples)
• To add a service (http)
• firewall-cmd --add-service=http
• To remove a service
• firewall-cmd --remove-service=http
• To add a port
• firewall-cmd --add-port=1110/tcp
• To remove a port
• firewall-cmd --remove-port=1110/tcp
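As an added example (not from the course material), the function below writes a service definition in the same XML layout as the files under /usr/lib/firewalld/services/ for a hypothetical service named myapp on 1110/tcp (the port used in the examples above), and reads the port back out to confirm the file says what was intended. Custom definitions belong in /etc/firewalld/services/, which is where firewalld looks for local additions.

```shell
#!/bin/bash
# Added example: generate a firewalld service definition in the same layout as
# the stock files in /usr/lib/firewalld/services/. Local definitions go in
# /etc/firewalld/services/<name>.xml; this script only writes where it is told.
# Usage: make_firewalld_service NAME PORT PROTO "DESCRIPTION"

make_firewalld_service() {
    local name="$1" port="$2" proto="$3" desc="$4"
    # validate before writing: a bad protocol or port makes firewalld reject the file
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range" >&2; return 1
    fi
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>${name}</short>
  <description>${desc}</description>
  <port protocol="${proto}" port="${port}"/>
</service>
EOF
}

# Read the port/protocol back out of a service file, to confirm the definition
# says what was intended before it is loaded into firewalld.
service_port() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$1"
}

# Demo: a hypothetical "myapp" service on 1110/tcp, written to a temporary
# directory rather than /etc/firewalld/services/ so the script runs anywhere.
demo_dir=$(mktemp -d)
make_firewalld_service myapp 1110 tcp "Constructed example service" > "$demo_dir/myapp.xml"
service_port "$demo_dir/myapp.xml"      # prints 1110/tcp
```

After copying the file into /etc/firewalld/services/, run firewall-cmd --reload so firewalld reads it, then firewall-cmd --permanent --add-service=myapp followed by another --reload. The --add-service/--add-port commands above, without --permanent, change only the running configuration and are lost at the next reload or reboot.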
• The term container and the concept came from the shipping container
• These containers are shipped from city to city and country to country
• No matter which part of the world you go to, you will find these
containers with the exact same measurements… YOU KNOW WHY???
• Because around the world all docks, trucks, ships and warehouses are built
to easily transport and store them
Now when we are talking about containers in IT we are fulfilling a somewhat similar purpose
In old days… (diagram: an Application installed directly on a Production Server)
• Then came the container technology which allowed developers or programmers to test and build
applications on any computer just by putting it in a container (bundled in with the software code, libraries and
configuration files) and then run on another computer regardless of its architecture
• You can move the application anywhere without moving its OS just like moving the actual physical
container anywhere that would fit on any dockyard, truck, ship or warehouse
• An OS can run single or multiple containers at the same time
Please Note: Container technology is mostly used by developers or programmers. As a system administrator your job is to install, configure and manage them.
Run Containers
What is the container software?
Red Hat provides a set of command-line tools that can operate without a container engine; these include:
• podman - for directly managing pods and container images (run, stop, start, ps, attach, etc.)
• buildah - for building, pushing, and signing container images
• skopeo - for copying, inspecting, deleting, and signing images
• runc - for providing container run and build features to podman and buildah
• crun - an optional runtime that can be configured and gives greater flexibility, control, and security for rootless
containers.
• images – containers can be created through images and containers can be converted to images
• pods – Group of containers deployed together on the host. In the podman logo there are 3 seals grouped
together as a pod.
Building, Running and Managing Containers
To install podman
• yum/dnf install podman -y
• yum install docker -y (for Docker)
Getting help
• podman --help or man podman