RHCSA 7

(LiveLessons)

man ­k time | grep 1

find / which / whereis / locate (updatedb)
tar xvf archiv.tar ­C /cesta/pre/rozbalenie
tar xvf etc.tar ­C / etc/passwd ­ restore only passwd file
df ­T ­ show FS types
man 7 glob ­ globbing

ssh­copy­id server ­ transfer public key to the server

!!​
in /etc/shadow means that user has no password set or is locked

usermod ­aG account laura ­ add laura to the account group, without
removing her from other groups

/etc/login.defs ­ definitions for creating of the users

/etc/default/useradd ­ default settings for user creation
/etc/skel/ ­ copies it’s content to the user home dir

chage ­ like passwd (change user’s pass expire inf)

chage ­l user ­ show parameters of the user’s account

passwd ­x 90 user ­ expire user’s password after 90 days

chage ­M 90 user ­ expire user’s password after 90 days

7. LDAP CLIENT setup

ldd /bin/login ­ list libraries for the executable program
/lib/libpam.so.0 ­ library for authentifications
/etc/pam.d/ ­ dir with authent. modules
/etc/pam.d/login ­ how to handle login process
/etc/pam.d/system­auth
pam_unix.so ­ local host authent.
pam_ldap.so ­ ldap authentication

authconfig(authconfig­gui, authconfig­tui) ­ setup authentification

yum install nscd nss­pam­ldapd pam_ldap ­ needed to use ldap

AUTOMOUNT
yum install autofs ­y
/etc/auto.master
1
AUTOMOUNT with Samba
# cat /etc/auto.master
/home/guests /etc/auto.guests

# cat /etc/auto.guests
* ­fstype=cifs,username=ldapusers,password=password\
://server.rhatcertification.com/data/&

* means all directories under /home/guests

& means the accessed dirctory

AUTOMOUNT with NFS

# cat /etc/auto.guests
* ­rw nfsserver:/home/guests

NFS configure
# yum install nfs­utils
create​/etc/exports ­> /data ­rw *(rw,no_root_squash)
# mkdir /data
# systemctl start nfs
# systemctl status ­l nfs
# showmount ­e localhost

nslcd ­ Naming service LDAP client daemon

systemctl status nslcd
/etc/nsswitch.conf
/etc/pam.d/login
/etc/pam.d/system­auth
/etc/nslcd.conf ­ config file for LDAP client

8. Managing Permissions
chown / chgrp / chmod

ACL ­ Access Control Lists

­ needs to be set in ­ /etc/fstab ​ or​systemd
­ tune2fs ​ for ext FS
­​in XFS it is default
df ­T ­ show FS type
tune2fs ­l /dev/sda1 |grep Default ­ default mount options (if supports acl)

setfacl / getfacl
setfacl ­m g:sales:rx /data/account
setfacl ­R ­m g:sales:rx /data/account ­ recursive

2
setfacl ­m d:g:sales:rx /data/account ­ setting a default acl, which will be
inherited by newly created items under directory
­ ak chceme zmenit aktualne aj defaultne prava je potrebne spustit obidva commandy ​ ­m​
aj
­m d

9. NETWORKING

Network device naming:

­ BIOS naming ­ embedded NICs (​em[1­N]​
)
p<port_number>s<slot_number>​
­ PCI cards (​ )
­ Udev Naming: classical ​
ethX ​naming
­ Physical Naming: same as bios naming
­ Logical naming: ​
<vlan>​ and ​
<alias>

IP command
­ changes made with ip command will be active only untill the reboot !!!
ip help
ip addr help
ip link show, ip l
ip addr show, ip a
ip addr add dev ens33 10.0.0.10/24
ip route show, ip r
ip route add 20.0.0.0/8 via 192.168.4.141
ip ­s link ­ show network statistics

Network configuration files

/etc/sysconfig/network­scripts/ ­ config files for NICs
/etc/sysconfig/network­scripts/ifcfg­ens33
/etc/hostname ­ new in RHEL 7
/etc/resolv.conf ­ don’t change manually, generated by NetworkManager

Network Manager Utilities

­ makes permanent changes to the config.
nmcli
nmcli connection show
nmcli con add con­name testing ifname ens33 type ethernet ip4
10.0.0.15/24
nmcli conn down ens33
nmcli conn up testing

nmtui ­ network manager text user interface

systemctl restart NetworkManager
Routing
ip route show, ip r ­ show routes

3
ip route add 10.0.1.0/24 via 192.168.4.3 ­ add route(temporary)

/etc/sysconfig/network­scripts/ifcfg­ens33 ­ change gateway there

# nmcli con down ens33; nmcli con up ens33

DNS
/etc/sysconfig/network­scripts/ifcfg­ens33 ­ change DNS there

Network analysis tools

hostname / ping / traceroute / dig / nmap / netstat
netstat ­i ­ packet info for network cards
netstat ­tulpen ­ listening ports

Network troubleshooting
ip addr show, ip a ­ check IP addresses
ip route show, ip r ­ check routing (default route)
cat /etc/resolv.conf ­ check DNS
ping ­c1 10.0.2.1 ­ ping default route
ping ­c1 8.8.8.8 ­ ping DNS
ping ­f 192.168.4.2 ­ ping flood, bandwith test
traceroute 8.8.8.8
host ldap.rhatcertification.com ­ returns IP address
dig ldap.rhatcertification.com ­ to check if DNS works
ip ­s link ­ link statistics, check for errors

10. Process management

ps fax ­ show process tree
free ­m ­ memory in MB
uptime / w ­ load in 1, 5, 15 minutes (number of runnable processes)
killall dd ­ kill all processes with name dd
pkill dd
­ to use kill from the ​
top ​
command press “​ k​
”

yum install psmisc

­ installs following utilities: ​
fuser / killall / pstree / peekfd

Process priority
nice ­n 10 dd if=/dev/zero of=/dev/null ­ run command with lower priority
renice ­n ­10 5699 ­ increase of the priority of running job (pid 2699)
r​
­ for renice the “​” can be used in ​
top ​command
­ nice, renice values can be from ­20 (highest priority) to 19 (lowest priority)

4
11. Manage software

YUM
yum repolist ­ show available repositories
/etc/yum.repos.d/ ­ dir with repositories config files

/etc/yum.repos.d/myrepo.repo ­ create your own repository

[myrepo]
name=myrepo
baseurl=file:///repo
gpgcheck=0
createrepo /repo ­ create repo indexes

yum search something

yum install something
yum list all ­ list all available packages
yum list installed ­ show installed packages
yum whatprovides */semanage ­ search for files within packages
yum provides killall
yum remove package
yum remove ­y package
yum localinstall package ­ install package which is not in repository

RPM
rpm ­qf /sbin/chronyd
rpm ­ql chrony
rpm ­qc chrony
rpm ­qd chrony
rpm ­qa
rpm ­q ­­scripts httpd
rpm ­qpl something.rpm
rpm ­qp ­­scripts something.rpm
repoquery ­ql yp­tools
­ find to which package the file belongs
­ show everything what is in the package
­ query configuration files of the package
­ show documentation
­ lists all packages installed on the system
­ shows installation scripts of the package
­ query rpm file instead of repository
­ query packages in repository

12. Virtual machines

KVM
­ requirements
egrep ‘vmx|svm’ /proc/cpuinfo​
­ CPU compatibility (​ )
­ 64bit kernel arch​
(​ )
­​kvm, kvm­intel ­ linux kernel modules lsmod|grep kvm​
(​ )
­​libvirtd ­ manages virtualization systemctl status libvirtd​
(​ )
­​virt­manager ­ graphic tool
­​virsh ­ virtualization shell
­​virt­install ­ virt. install interface

5
 ­ special network device, virtual bridge ­ ​
virbr0 (ip link show)

Managing virtualisation
­ virsh
­ virsh list ­ show running VM
­ virsh list ­­all ­ show all VM
­ virsh destroy name ­ shut down VM
­ virsh start name ­ start VM
/etc/libvirt/ ­ config files for virt.
/etc/libvirt/quemu ­ conf. files of VM
virsh edit name ­ edit config of the VM name
­ networking
­ virbr0 ­ virtual bridge
­ vnet0 ­ virtual network card

virt­manager
­ graphic tool for VM management
­ Ctrl + Alt + L ­ exit from the VM

13. Scheduling tasks

/etc/crontab ­ crontab config file
crontab ­e ­ edit crontab
/etc/cron.daily | .monthly | .weekly | .hourly
­ shell scripts to run daily, monthly, weekly, hourly
/etc/cron.d/ ­ additional crontabs which are executed
/var/spool/cron/ ­ location of the users’ crontabs (created with ­e)

systemctl status atd ­l ­ shows status of the at daemon

/var/spool/at/ ­ at scripts
at
atq ­ at queue
atrm ­ remove at jobs

14. Logging
Services can use three ways of logging information:
­ direct write to a file (/somewhere/my.log)
­ through ​systemctl ​ ­>​​
​ journald ​ (new in RHEL7)
­ through ​rsyslogd ​ ­> ​
​ /var/log/​
​ ...

journald
­ information about the system’s start processes
­ written in binary file
systemctl status​
­ systemctl gets information from journald (​ )

6
journalctl ­ shows journald logs
journalctl ­b ­ shows boot information
journalctl ­xb
journalctl ­­since=yesterday ­ logs from yesterday
journalctl ­u sshd ­ logs for specific service (systemd unit)
journalctl ­u sshd ­o verbose ­ detailed information
journalctl _COMM=su ­ logs for specific command

rsyslogd
/var/log/secure | /var/log/messages | /var/log/cron

Log rotation
­ it runs as a cron job in ​
/etc/cron.daily/logrotate
/etc/logrotate.conf ­ config file for log rotation
/etc/logrotate.d/ ­ config files for the specific applications

15. Storage management

Managing partitions
cat /proc/partitions ­ to show all available partitions on the system
fdisk ­l
partprobe /dev/sdb ­ inform the OS of partition table changes
partprobe
Creating FS
mkfs.xfs ­L myfs /dev/sdb1 ­ create xfs FS on /dev/sdb1, with label myfs
mkfs.btrfs | mkfs.ext4 | mkfs.vfat
mount | mount ­a | umount
Mounting
mount /dev/sdb1 /mnt
mount LABEL=myfs /mnt
blkid ­ shows UUID of the devices
mount UUID=1cc1eaf­0… /mnt
/etc/fstab
xfs_admin ­L mynewfs /dev/sdb1 ­ change label for xfs FS

LUKS encryption
cryptsetup luksFormat /dev/sdb2 ­ creates encrypted partition
cryptsetup luksOpen /dev/sdb2 secret ­ opens encrypted partition, name it secret
­ creates new device ​
/dev/mapper/secret
mkfs.ext4 /dev/mapper/secret
mount /dev/mapper/secret /secret
umount /secret
cryptsetup luksClose /dev/mapper/secret

/etc/crypttab ­ list of encrypted partitions that will be luksOpen on boot

7
 secret /dev/sdb2 none
/etc/fstab
/dev/mapper/secret /secret ext4 defaults 12
systemctl reboot

16. LVM
Creating Logical Volumes
­ first setup partition type to Linux LVM (8e) in fdisk
pvcreate /dev/sdb3 ­ create physical volume in LVM
vgcreate vgmyvg /dev/sdb3 ­ create volume group
vgs ­ show volume groups
lvcreate ­n lvmylv ­L 196M vgmyvg ­ create logical volume
lvs ­ show logical volumes
mkfs.ext4 /dev/vgmyvg/lvmylv ­ create filesystem
mount /dev/vgmyvg/lvmylv /mnt
(mount /dev/mapper/vgmyvg­lvmylv /mnt)

kernel ­> device mapper ­> ​VM

L
­> multipath
­> LUKS
­> Raid
­> VirtualFS ­> ext4
­> xfs

Device mapper
/dev/dm­0, dm­1, ... ­ volumes
/dev/mapper/vg­lv ­ links to volumes provided by device mapper
/dev/vg/lv ­ links provided by the lvm subsystem

Growing LV
vgextend vgmyvg /dev/sdb5 ­ add new partiton into the VG
lvextend ­l +100%FREE ­r /dev/vgmyvg/lvmylv
­ add all available space in VG to the LV and resize filesystem (with ​
­r​
option)

Shrinking LV
­ XFS cannot be shrunk !
­ FS has to be unmounted first
e2fsck ­f /dev/vgmyvg/lvmylv ­ check the FS
resize2fs /dev/vgmyvg/lvmylv 100M ­ reduce the FS size (ext2,3,4 type)
lvreduce ­L 102400K /dev/vgmyvg/lvmylv ­ reduce LV
lvreduce ­L 50M ­r /dev/vgmyvg/lvmylv ­ reduce FS and LV in 1 step (­r)

8
17. Kernel
new HW ­> udev ­> kernel (loads module)
Kernel modules
udev ­ automatically loads modules that are necessary
udevadm monitor ­ trap all udev and kernel events
lsmod ­ list of the currently loaded modules
modprobe module ­ load kernel module
modprobe ­r module ­ remove kernel module
modinfo module ­ information about module; shows available parameters
/etc/modprobe.d/ ­ config dir for modprobe
man 5 modprobe.d
cat /etc/modprobe.d/cdrom.conf
options cdrom lockdoor=0
/sys/module/ ­ info about kernel modules and their parameters

­ example:
cat /etc/modprobe.d/iwlwifi_led.conf
options iwlwifi led_mode=1
modprobe iwlwifi
cat /sys/module/iwlwifi/parameters/led_mode
1

/proc/sys/ ­ info about the interfaces the kernel is offering

/proc/sys/kernel ­ core kernel parameters
/proc/sys/net/ ­ network parameters
echo 0 > /proc/sys/net/ipv4/ip_forward
/proc/sys/vm/ ­ memory optimization
echo 60 > /proc/sys/vm/swapiness
Sysctl tuning
sysctl ­a ­ all tunables that are set
/etc/sysctl.conf ­ config file for sysctl (deprecated in RHEL7)
/etc/sysctl.d/ ­ config files dir for sysctl
cat /etc/sysctl.d/50­ipforward.conf
net.ipv4.ip_forward = 1
Updating kernel
yum update kernel
rpm ­Uvh kernel ­ manual update from downloaded rpm file

18. Kickstart
­ kickstart file ­ on USB
­ on server (ftp)
­ kickstart files ­​anaconda­ks.cfg
­​initial­setup­ks.cfg
yum install system­config­kickstart ­y ­ install kickstart utility

9
system­config­kickstart ­ run GUI for kickstart
During the installation add ​
ks= ​
option to the boot options.
ks=ftp://myserver/dir/anaconda­ks.cfg

19. Boot procedure

Boot process
post ­> boot device ­> grub 2 ­> kernel & initrd ­> root fs ­>
systemd ­ logging
­ mounts
­ services
­ login shell

Grub2
/etc/default/grub ­ main config file for grub
/etc/grub.d ­ additional config.
grub2­mkconfig ­ update the boot loader from config. files

POST ­> MBR ​ (grub is loading)​ ­> ​ Press ​ Esc​to access boot menu​ ­>
Enter boot options at the end of the line starts with ​
linux16 (systemd.unit =
emergency.target)

To make permanent modifications:

­ write to​/etc/default/grup ​ or ​
/etc/grub.d/
­ apply modifications (run ​
grub2­mkconfig​)

Systemd
­ kernel starts systemd and it starts everything else (services, mounts, automount, …)
­ uses unit files ( the replacement for init scripts)
/usr/lib/systemd/ ­ default scripts for systemd
/etc/systemd/ ­ users’ scripts used by systemd
/usr/lib/systemd/system/ ­ default systemd services, targets
/etc/systemd/system/ ­ user defined systemd services, targets
systemctl ­ command for managing services
systemctl status | stop | start | disable | enable service
Targets​ ­ the collection of services
multi­user.target ­ runs on boot (without GUI)
graphical.target ­ runs on boot (with GUI)
Wants ­ what should be run on specific target (symbolic links for services)
­ symb. links are created|deleted using systemctl disable|enable command
/usr/lib/systemd/system/default.target ­ default target on boot

Systemd Targets
­ define the state that system enters
­ equivalent to runlevels:

10
 poweroff.target ­ shutdown
rescue.target ­ troubleshooting
multiuser.target ­ normal mode without GUI
graphical.target ­ GUI
reboot.target
emergency.target ­ more minimal that rescue.target
WantedBy​
­ every service knows by which target it is wanted (​ option)
Requires, Conflicts, After ​
­ order between targets is defined in targets (​ options)
systemctl list­units ­­type=target ­ which targets are running
systemctl isolate rescue.target ­ switch to the minimal mode
From Grub ­ enter boot option​(systemd.unit = rescue.target)

Mounting FS with Systemd

/usr/lib/systemd/system/*.mount
/etc/systemd/*.mount
­ mount file must have the same name like mount dir ! ​
(/test/dir ­> test­dir.mount)
­ add new mount in systemd:
cat /etc/systemd/system/lvdisk.mount
[Unit]
Description = My mountpoint
[Mount]
What = /dev/vgdisk/lvdisk
Where = /lvdisk
Type = xfs
[Install]
WantedBy = multi­user.target
systemctl start lvdisk.mount
systemctl enable lvdisk.mount

Automount in Systemd
­ to use automount the mount file must exists with the same name !
systemctl disable lvdisk.mount ; systemctl stop lvdisk.mount
cat lvdisk.automount
[Unit]
Description = Automount FS
[Automount]
Where = /lvdisk
[Install]
WantedBy = multi­user.target
systemctl enable lvdisk.automount ; systemctl start lvdisk.automount

20. Troubleshooting
Grub
grub2­* ­ utilities to work with grub

11
grub2­mkconfig ­o /boot/grub2/grub.cfg
­ save grub config that you applied during boot

Reset root password

­ in grub menu define parameter ​
rd.break ​
(at the end of the line starting with ​
linux16​
)
mount ­o remount,rw /sysroot
chroot /sysroot
echo newpassword | passwd ­­stdin root
touch / .autorelabel
exit
exit

21. HTTP
rpm ­qf `which httpd`
yum install httpd
rpm ­qc httpd
/etc/sysconfig/httpd
/etc/httpd/
/etc/httpd/conf/httpd.conf ­ main config file
systemctl start httpd ; systemctl enable httpd
yum install elinks ­ text browser

22. SELinux
/etc/sysconfig/selinux ­ controls the state (mode) of SELinux
SELinux modes:
­ disable ­ disable SELinux (activated on boot)
­ enforcing ­ secure policy
­ permissive ­ just logging, no restrictions
getenforce ­ show the current SELinux mode
setenforce Enforcing ­ switch to enforcing mode

Context
ls ­Z ­ displaying context on files(user:role:type)
ps zaux ­ context of processes
netstat ­Ztulpen ­ context of the network ports
When the file is moved it keeps his context settings, when it is copyed it will get new context from
the parent directory.
semanage ­ manage context, in the policy
restorecon ­ apply the policy to the object

Settings for apache DocumentRoot:

semanage fcontext ­a ­t httpd_sys_content_t “/web(/.*)?”
restorecon ­R ­v /web

12
semanage fcontext ­l ­ list all contexts on the system
yum install policycoreutils­devel ­ to install sepolicy
sepolicy manpage ­a ­p /usr/share/man/man8 ­ generate manpages
mandb
man ­k _selinux

chcon ­ changes context only for object and not in policy

­ do not use it, use ​
semanage ​ instead
Booleans
getsebool ­a ­ show SELinux booleans
setsebool ftp_home_dir on ­ set boolean to on (enable ftp home dir)
setsebool ­P ftp_home_dir on ­ make persistent change
semanage boolean ­l ­ show booleans’ description

SELinux logs
yum search setroubleshoot ­ SELinux troubleshoot packages
systemctl status auditd ­ daemon for logging
/var/log/audit/audit.log ­ audit log file
grep AVC /var/log/audit/audit.log ­ show SELinux messages
grep sealert /var/log/messages ­ SELinux alerts in messages
sealert ­l 23d2323232… ­ check the alert details

23. FIREWALL
­ netfilter in linux kernel
­ previous management tool = ​ iptables
­ new default management utility = ​
firewalld
Firewalld
­ it works with the zones and services
systemctl status firewalld
firewall­cmd ­­get­zones
firewall­cmd ­­get­services
firewall­cmd ­­get­default­zone
firewall­cmd ­­get­default­zone zonename
/usr/lib/firewalld/services/ ­ system’s default services
/etc/firewalld/services/ ­ dir for adding new services
firewall­cmd ­­zone=home ­­add­service=high­availability
­ add service to the zone
firewall­cmd ­­permanent ­­zone=home ­­add­service=high­availability
­ add service to the zone permanently
systemctl restart firewalld
firewall­cmd ­­list­all ­ get configuration for the current default zone

13
24. FTP
vsftpd ­ default ftp daemon in RHEL7
/etc/vsftpd/vsftpd.conf
/var/ftp ­ DocumentRoot for ftp (home dir of the ftp user)
yum install ­y lftp ­ ftp client

25. Time service

timedatectl status

timedatectl list­timezones
timedatectl set­timezone Europe/Bratislava
timedatectl set­time 14:50 ­ set time manually

­ configure automatic time synchro:

/etc/chrony.com ­ chrony config file
systemctl status chronyd.service
systemctl start chronyd
timedatectl set­ntp yes ­ enable ntp daemon chronyd

hwclock ­ show HW clock

hwclock ­­systohc ­ synchronize system time with HW time

26. VNC
Setup VNC server
yum ­y install tigervnc tigervnc­server
useradd vncuser
passwd vncuser
cd /usr/lib/systemd/system/
cp [email protected] vncserver\@:1.service
vi vncserver\@\:1.service
replace ​
<USER>​
with ​
vncuser
systemctl daemon­reload ­ reload configuration for systemd
su ­ vncuser
vncpasswd
systemctl start vncserver\@\:1 ­ do not use number 0 !!!
firewall­cmd ­­permanent ­­add­service vnc­server
firewall­cmd ­­reload

VNC client
vncviewer ­via user@remotehost localhost:1
vncviewer ­via vncuser@localhost localhost:1 ­ test on localhost

www.rhatcertification.com

14