Saturday, 27 April 2013
Friday, 26 April 2013
RHCSA exam waiting for result ...
That was a big surprise at that exam for me.
Simple problems mixed with more complicated ones...
I can't share more info due to the Red Hat terms I accepted.
But next time it's better to first open the problems and sort them from simple to difficult.
;)
I did not pass one thing :(
Waiting for the result from Red Hat :)
Regards!
m.
PS: need to learn more LVM ;)
Thursday, 25 April 2013
Red Hat Skills Assessment
What are your learning goals for Red Hat training?
I am seeking an introduction to Linux system administration.
I am seeking Red Hat Certified System Administrator (RHCSA) certification.
I am seeking Red Hat Certified Engineer (RHCE) certification.
I currently have my RHCT and would like to obtain an RHCE certification.
What is your current level of Linux system administration knowledge?
I have limited experience with Linux system administration and wish to learn both graphical and command line approaches.
I have limited experience with Linux system administration and work at the command line interface only.
I regularly do Linux system administration in my current job role.
I am currently a full time Solaris System Administrator.
I am currently an HPUX, AIX or other Unix System Administrator.
Other
What is your purpose for taking this pre-assessment questionnaire?
Trying to select the right course. I have already purchased training units/corporate plan.
I plan on enrolling in a course in the next month.
I hope to enroll in a course in the next few months.
I'm just curious, nothing more.
==============================================================================================
Software Management
Question 1 of 25
Configuring yum to point to a custom repository can be done in either /etc/yum.conf or in which of the following?
* Any file name with a .repo extension in /etc/yum.repos.d/ directory.
Same directory as yum.conf but with a .repos extension
Any file under /etc/yum/ as long as it has a .repo extension
Any where in the file /etc/sysconfig/yum
Any file under /etc/sysconfig/ with a .repo extension
The command "yum list all" will list all available packages and available groups of packages in all enabled repositories.
TRUE
* FALSE
Which command would discover the names of packages that are not yet installed on your system but available in enabled repositories?
yum available -y
yum available
yum available list
yum find available
* yum list available
What approach could be used to construct a command, using yum, that would install multiple packages from enabled yum repositories?
Use yum install then list all package names encapsulated within double quotation marks.
* Use yum install then list the package names using a space delimiter.
This can only be done using the graphical user interface system-config-packages.
Use yum install then list the package names using a comma delimiter.
This can only be done using scripts.
Which of the following commands will install a package that is not part of a yum repository?
None of the above.
yum install --disablerepos <package name>
* yum localinstall <package name>
yum localrepo <package name>
yum local <package name>
Which of the following commands will list only documentation from the installed iptables rpm package?
rpm -ql iptables
rpm -qpd iptables
rpm -q --documentation iptables
* rpm -qd iptables
rpm -qa iptables
To create a private repository you should proceed as follows: - Install the createrepo software package - Create a <directory> where files can be shared (via FTP or HTTP) - Create a subdirectory called Packages and copy all packages to be published in Packages - run createrepo -v <directory>
FALSE
* TRUE
Consider the following settings when configuring persistent static TCP/IP settings in a network interface configuration file. Of the settings listed which, if any, are incorrect?
IPADDR=<ip address>
NETMASK=<network mask>
* BOOTPROTO=dhcp
ONBOOT=yes
DEVICE=<device name>
Which of the following files is used to configure client side DNS settings?
* /etc/resolv.conf
/etc/sysconfig/dns
/etc/resolve.conf
/etc/hosts
/etc/host
To assign a persistent machine hostname to a machine, modify or add an entry to the following file.
* /etc/sysconfig/network
/etc/hosts
/etc/sysconfig/hostname
/etc/resolve.conf
/etc/sysconfig/network-scripts/hostname
Which command would persistently enable routing in the kernel?
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward = 1
/proc/sys/net/ipv4/ip_forward
* Add the following line to the /etc/sysctl.conf file: net.ipv4.ip_forward = 1
Rebooting the system after any of these approaches will make the setting persistent.
Which of the following statements about SELinux permissive mode is TRUE?
permissive mode will block all access to resources.
* permissive mode will not block access to a resource.
permissive mode will allow access and does not log information.
permissive mode of for testing purposes only.
permissive mode will only block access to remote users and will log access information.
How do you check to see if SELinux is in 'enforcing' mode?
selinuxchk
getselinux
cat /proc/selinux
setenforce --check
* getenforce
How do you change the SELinux context of a file to its default context?
setselinuxcon -d <filename>
secon -d <filename>
chmod -default-context <filename>
chcon --defaults <filename>
* restorecon <filename>
To change SELinux Booleans for a service you would use "semanage boolean <service>".
* FALSE
TRUE
tip: semanage boolean whatever_blabla -> bad command, too short ;) (the real form needs -m and --on or --off in front of the boolean name)
What tool can be used to analyze SELinux audit logs?
getselogs
selogchk
There is no tool to analyze selinux log files.
analog
* sealert
tip: sealert -a /var/log/audit/audit.log
What SELinux context would need to be set to support a CIFS share?
* samba_share_t
smb_share_t
allow_smb_t
allow_cifs_t
cifs_share_t
Where can you find the primary configuration file used for time synchronization?
/etc/sysconfig/ntp.conf
* /etc/ntp.conf
/etc/sysconfig/ntpd.conf
/etc/ntp/ntpd.conf
/etc/ntpd.conf
Which critical mount option must be specified in /etc/fstab when persistently using filesystems on iSCSI storage?
iqn
* _netdev
scsi
cryptsetup
netfs
tip: Entries with fc- and _netdev sub-strings enable the mount_fcoe_disks_from_fstab function to identify FCoE disk mount entries.
Which Apache configuration directive controls whether CGI scripts are enabled?
httpd_enable_cgi
* ScriptAlias
ScriptCGI
httpd_exec
httpd_builtin_scripting
Which Postfix directive configures a mail server to direct all outgoing e-mail to the outbound relay?
smtp_relay
virtual_alias_map
* relayhost
inet_interfaces
outbound_host
Caching-Only DNS Server
What option in /etc/named.conf allows one name server behind a UDP restricted firewall to talk to another name server that can see out to the internet?
masters
forwarders
root_hints
recursion
allow_recursion
(no time to find it on Google ..., probably forwarders)
File Sharing with NFS
Which file allows you to fixate the ports for NFS v2/3 services?
/etc/nfs.conf
/etc/sysconfig/netstat
/etc/sysconfig/services
/etc/services
* /etc/sysconfig/nfs
Securing Network Services
What are the two iptables modules needed for ftp stateful packet inspection?
nfnetlink and nf_conntrack_ftp
nf_state_ftp and nfnetlink
nf_nat_ftp and nf_state_ftp
nf_state_ftp and nfnetlink
* nf_conntrack_ftp and nf_nat_ftp
tip: redhat names ... bleeeee
Troubleshooting Boot Process
What command starts a new shell with a new root file-system context?
grub
/sbin/init
* chroot
fcontext
bash
AND FINAL RESULT
Red Hat Skills Assessment
Your Skills Assessment Results*
Topic Evaluation
Software Management Deep Understanding
Network Management Deep Understanding
Managing SELinux Deep Understanding
NTP Server Configuration Deep Understanding
Centralized and Secure Storage Deep Understanding
Web Server Additional Configuration Deep Understanding
Basic SMTP Configuration Deep Understanding
Caching-Only DNS Server Limited Knowledge
File Sharing with NFS Deep Understanding
Securing Network Services Deep Understanding
Troubleshooting Boot Process Deep Understanding
* The results represent a subset of the knowledge in the curriculum.
Recommendation
RHCE Rapid Track Course with RHCSA and RHCE Exams (RH300) is the recommended course
Next steps
Open Source Education Center offers a wide choice of Red Hat Training solutions to match your learning goals.
Classroom training: Nearly one million people from all over the world have taken Red Hat classroom training. The RHCE Rapid Track Course with RHCSA and RHCE Exams (RH300), a 5-day class, is available across Europe, the Middle East, and Africa.
Visit osec.pl/redhat/autoryzacja for course dates and locations near you.
Onsite: If you're interested in taking this course with colleagues or your entire team, the RHCE Rapid Track Course is also routinely delivered as onsite training. Whether at your facility or at one of our training venues, Open Source Education Center on-site solutions offer flexible, cost-effective training options to meet your needs.
For pricing and more information please call us at +48 22 861 96 04 (Poland) or email redhat@osec.pl.
Thank You!
Open Source Education Center
Part 7: Manage security
1) Configure firewall settings using system-config-firewall or iptables.
* yum install system-config-firewall
* system-config-firewall and click and clack ;)
* vim /etc/sysconfig/iptables ;) (then restart the iptables service to load it; note that system-config-firewall rewrites this file, so pick one of the two methods and stick to it)
2) Set enforcing and permissive modes for SELinux.
* yum whatprovides /usr/sbin/semanage -> the answer is policycoreutils-python, so:
yum install policycoreutils-python
* check status of SELinux
[root@redhat ~]# getenforce
Enforcing
* checking status
[root@redhat ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
* change the mode at runtime (not saved across a reboot)
setenforce 0 (permissive: denials are logged but not blocked) or echo 0 >/selinux/enforce
setenforce 1 (enforcing) or echo 1 >/selinux/enforce
* set the default mode for SELinux in /etc/selinux/config
SELINUX=enforcing|permissive|disabled, whichever is needed; going from disabled back to enforcing or permissive needs a full relabel at the next boot (create the /.autorelabel file before rebooting), otherwise files carry no or stale contexts
3) List and identify SELinux file and process context.
* file contexts
ls -lZ
* process context
ps -lZ
TIP: add -Z option to ls or ps
4) Restore default file contexts.
* ls -lZ then
* restorecon -vv filename
5) Use boolean settings to modify system SELinux settings.
* get list of settings
[root@redhat ~]# getsebool -a
......
postgresql_can_rsync --> off
pppd_can_insmod --> off
pppd_for_user --> off
privoxy_connect_any --> on
puppet_manage_all_files --> off
......
Pick the one you need
* how to set a boolean
[root@redhat ~]# setsebool -P allow_ftpd_full_access on (-P means the value is written to the policy store and survives a reboot)
it 'opens ftpd' for files that do not have the correct SELinux label under /var/ftp/pub ;) (note that this lets vsftpd read and write any file regardless of its label, so prefer fixing the labels, e.g. public_content_t, when the task allows it)
* or use togglesebool (flips the value for the running system only; it is not saved across a reboot)
[root@redhat ~]# togglesebool allow_ftpd_full_access
allow_ftpd_full_access: active
[root@redhat ~]# togglesebool allow_ftpd_full_access
allow_ftpd_full_access: inactive
6) Diagnose and address routine SELinux policy violations.
* yum install setroubleshoot-server for the sealert command, but maybe it is not needed? (taken from Google)
* ls -Z, ps -Z and ps -AZ to see contexts ;)
when there is no access to files under www/ftp or whatever the exam needs
* maybe it is better to switch to permissive mode in a dev/testing environment ;) ?
* check audit.log; the AVC lines there can be fed to audit2why (put the lines in a file and run
audit2why < file.audit), then audit2allow can build a module which is loaded with 'semodule -i <module>.pp'. Read the generated rules before loading them: audit2allow allows exactly what was denied, so for an unexplained denial a boolean or a relabel is the safer fix.
* check what the system can do for SELinux
man -k _selinux, choose what you need, for example man ftpd_selinux
read the man page and make the changes
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
restorecon -F -R -v /var/ftp
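An added example (not from the original post) for the triage step above: instead of pasting the whole audit.log into audit2why, summarise the AVC denials first so you can see which domain is hitting which label, how often, and with which permissions. The audit lines below are constructed to resemble the vsftpd/httpd cases discussed in this post (pids, inodes and timestamps are invented); the hint table only covers the two home-directory cases from the ftpd_selinux/httpd_selinux man pages, anything else still goes to sealert.

```bash
#!/bin/sh
# Added example, not from the original post: summarise AVC denials before
# reaching for audit2why/audit2allow. Only awk and sh are needed.

# Constructed audit.log lines (pids, inodes and timestamps are invented) shaped
# like the vsftpd/httpd denials the post talks about.
SAMPLE_AUDIT='type=AVC msg=audit(1366750800.101:201): avc:  denied  { read } for  pid=2101 comm="vsftpd" name="test.txt" dev=dm-0 ino=131074 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1366750800.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366750830.412:202): avc:  denied  { read } for  pid=2101 comm="vsftpd" name="notes.txt" dev=dm-0 ino=131080 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1366750900.007:203): avc:  denied  { search } for  pid=2245 comm="httpd" name="abram" dev=dm-0 ino=262145 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'

# One line per distinct (source type, target type, class, permissions), with a count:
#   2 ftpd_t user_home_t file read
avc_summary() {  # reads audit lines on stdin
  awk '
    /type=AVC/ && /denied/ {
      perms = ""; sc = ""; tc = ""; cl = ""
      if (match($0, /\{[^}]*\}/)) {                 # "{ read open }" -> "read,open"
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); sc = a[3] }   # user:role:TYPE:...
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tc = a[3] }
        if ($i ~ /^tclass=/)   { cl = substr($i, 8) }
      }
      n[sc " " tc " " cl " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# Canned advice for the two home-directory cases from the *_selinux man pages;
# everything else is handed to sealert.
avc_hint() {  # usage: avc_hint <source type> <target type>
  case "$1 $2" in
    "ftpd_t user_home_t"|"ftpd_t user_home_dir_t")
      echo "setsebool -P ftp_home_dir on, or relabel the share as public_content_t (man ftpd_selinux)" ;;
    "httpd_t user_home_t"|"httpd_t user_home_dir_t")
      echo "setsebool -P httpd_enable_homedirs on, or keep the content under /var/www (man httpd_selinux)" ;;
    *)
      echo "no canned hint: run sealert -a /var/log/audit/audit.log and man -k _selinux" ;;
  esac
}

# Stand-alone run: summarise the sample and print a hint for each distinct pair.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | while read -r count sc tc cl perms; do
  echo "$count x $sc -> $tc ($cl: $perms): $(avc_hint "$sc" "$tc")"
done
```

On a real box replace the sample with `grep AVC /var/log/audit/audit.log`; a summary with dozens of identical ftpd_t -> user_home_t lines is one mislabelled share, not dozens of problems, and the count is what tells you whether a denial is routine or something you have never seen before.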
Self prepare for REDHAT RHCSA EX200 Part 6: Manage users and groups
Part 6: Manage users and groups
1) Create, delete, and modify local user accounts.
* maybe yum install system-config-users will do the trick?
* getent passwd (list users)
* getent group (list groups)
* useradd
* userdel
* usermod
2) Change passwords and adjust password aging for local user accounts.
* passwd or chage
* passwd user
* echo "joe1:passsword1234" | chpasswd (handy for scripting, but the password then sits in the shell history; feed chpasswd from a file with restricted permissions instead)
* passwd -x 30 joe1 (password will expire in 30 days)
* passwd -S joe1 (shows some info about the user's password)
* chage -E "2013-05-05" joe4 (the joe4 account expires on 05/05/2013; this is account expiry, not password expiry, and the user cannot log in at all after that date)
* chage -l joe4 (lists the aging info for joe4)
* or use 'chage username' and go through the options interactively
* passwd -l (lock) or -u (unlock); see passwd --help or chage --help
3) Create, delete, and modify local groups and group memberships.
* groupadd
* groupdel
* groupmod
* groupmems
TIP: use the manual ;)
4) Configure a system to use an existing LDAP directory service for user and group information.
* yum -y install openldap-clients system-config-authentication nss-pam-ldapd
* then run: system-config-authentication
* or run authconfig-tui
(either way, enable TLS and point the client at the directory's CA certificate: nss-pam-ldapd talking plain ldap:// sends the bind credentials and the whole user database across the wire in clear text)
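An added example, not from the original post, of what passwd -S and chage -l work out from /etc/shadow. The shadow lines are constructed with placeholder hashes, and TODAY is fixed to 2013-04-23 (day 15818 since the epoch) so the script runs without root and gives the same answer every time; joe4's expiry day 15830 is the 2013-05-05 used with chage -E above. The status names are mine, not the two-letter codes passwd -S prints.

```bash
#!/bin/sh
# Added example, not from the original post: the aging status that passwd -S
# and chage -l derive from /etc/shadow, computed over constructed lines so it
# runs without root. Shadow fields:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved  (days since 1970-01-01)
TODAY=15818    # 2013-04-23, the day of the post; 15830 is 2013-05-05

# Constructed entries; the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW='joe1:$6$salt$fakehash:15800:0:30:7:::
joe2:$6$salt$fakehash:15795:0:30:7:::
joe3:$6$salt$fakehash:15700:0:30:7:::
joe4:$6$salt$fakehash:15800:0:99999:7::15830:
joe5:$6$salt$fakehash:15800:0:99999:7::15810:
joe6:!!$6$salt$fakehash:15800:0:99999:7:::
joe7:$6$salt$fakehash:0:0:99999:7:::'

shadow_status() {  # usage: shadow_status "<shadow line>" <today in days>; prints "<user> <status>"
  printf '%s\n' "$1" | {
    IFS=: read -r user pw last min max warn inact expire reserved
    today=$2
    status=ok
    case $pw in
      '!'*) status=locked ;;                          # passwd -l / usermod -L prefix the hash with !
    esac
    if [ "$status" = ok ] && [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
      status=account-expired                          # chage -E date reached: no login at all
    fi
    if [ "$status" = ok ] && [ "$last" = 0 ]; then
      status=must-change                              # chage -d 0 / passwd -e: forced change at next login
    fi
    if [ "$status" = ok ] && [ -n "$max" ] && [ "$max" -lt 99999 ]; then
      end=$((last + max))                             # passwd -x / chage -M
      if [ "$today" -gt "$end" ]; then
        if [ -n "$inact" ] && [ "$today" -gt $((end + inact)) ]; then
          status=inactive                             # past the grace period (chage -I)
        else
          status=expired                              # must change the password at login
        fi
      elif [ -n "$warn" ] && [ "$today" -ge $((end - warn)) ]; then
        status=warn                                   # inside the warning window (chage -W)
      fi
    fi
    printf '%s %s\n' "$user" "$status"
  }
}

shadow_report() {  # usage: shadow_report <today> < shadow-like input
  while IFS= read -r line; do
    shadow_status "$line" "$1"
  done
}

# Stand-alone run over the sample:
printf '%s\n' "$SAMPLE_SHADOW" | shadow_report "$TODAY"
```

Run it against the real file with `shadow_report $(( $(date +%s) / 86400 )) < /etc/shadow` as root to get the same overview for every local account at once, which is the quick way to spot the accounts that have max=99999 and will never be forced to rotate.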
Tuesday, 23 April 2013
Self prepare for REDHAT RHCSA EX200 Part 5: Deploy, configure, and maintain systems
Part 5: Deploy, configure, and maintain systems
1) Configure networking and hostname resolution statically or dynamically.
* the lookup order (local files vs. DNS) is set by the hosts line in /etc/nsswitch.conf
* static hostname resolution lives in /etc/hosts, example lines:
# localhost
127.0.0.1 localhost
# pld64 in vbox
172.16.200.11 pld64 pld64.abram.pl
# redhat in vbox
172.16.200.9 redhat redhat.abram.pl
Let's try how it works with the ping command (on the redhat box I added the lines to /etc/hosts)
[root@redhat ~]# ping pld64.abram.pl -c 1
PING pld64 (172.16.200.11) 56(84) bytes of data.
64 bytes from pld64 (172.16.200.11): icmp_seq=1 ttl=64 time=0.739 ms
[root@redhat ~]# ping pld64 -c 1
PING pld64 (172.16.200.11) 56(84) bytes of data.
64 bytes from pld64 (172.16.200.11): icmp_seq=1 ttl=64 time=0.483 ms
[root@pld64 ~]# ping redhat
PING redhat (172.16.200.9) 56(84) bytes of data.
64 bytes from redhat (172.16.200.9): icmp_seq=1 ttl=64 time=1.24 ms
Try pinging redhat.abram.pl from a host that doesn't have the lines in /etc/hosts; redhat doesn't exist in the abram.pl DNS zone ;)
[abram@pld64-laptop ~]$ ping redhat.abram.pl -c 1
ping: unknown host redhat.abram.pl
* dynamic hostname resolution (DNS) is configured in /etc/resolv.conf; the file has lines:
domain abram.pl
search abram.pl abram.eu.org
nameserver 172.16.200.1
nameserver 172.16.11.1
* a lookup order can also be written in /etc/host.conf (on glibc systems nsswitch.conf is what actually decides; host.conf still supplies the multi option); two examples, from redhat and pld:
[root@pld64 ~]# cat /etc/host.conf
order hosts,bind
multi on
[root@redhat ~]# cat /etc/host.conf
multi on
* general networking settings are in /etc/sysconfig/network (in other distros that file can have more lines):
whether networking starts at all, and the hostname ;)
[root@redhat ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=redhat.abram.pl
* networking dynamically (from dhcp)
[root@redhat ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
HWADDR=08:00:27:68:4b:ac
TYPE=Ethernet
#UUID=94823bdd-27b1-498a-ae17-4bb9c06b9733
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
* networking statically, in file /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
DNS1="10.1.1.1"
GATEWAY="10.1.1.1"
HWADDR="08:00:27:29:51:E8"
IPADDR="10.1.1.2"
IPV6INIT="yes"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="cee63504-36fa-483b-b272-c4736396bb40"
Sample file from PLD Linux:
IPADDR=192.168.100.234/24
IPADDR2=192.168.136.234/24
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
GATEWAY=192.168.100.1
GATEWAYDEV=eth1
* after changing the ifcfg files:
ifdown eth1
ifup eth1
or
service network restart (which stops all devices and starts them again)
2) Schedule tasks using cron.
* files and dirs on redhat (in other distros they can be a little different ;) )
/etc/crontab
/etc/cron.d/0hourly
/etc/cron.hourly/0anacron
/etc/cron.daily/{logrotate,makewhatis.cron,rhsmd}
/etc/cron.weekly/
/etc/cron.monthly/
/etc/anacrontab
Just go through the files ;). First find the packages: rpm -qa | grep cron, then rpm -ql cronie, and do the job!!!
* /etc/cron.deny, or in other distros find cron.deny and cron.allow; these list the users who cannot (deny) or can (allow) use
crontab; if cron.allow exists it wins and only the users listed in it may use crontab. By default on my redhat (Red Hat Enterprise Linux Server release 6.4 (Santiago)) cron.deny is empty, so
user abram can use crontab; in another distro it is better to allow it explicitly ;)
* prepare user crontab
EDITOR=vim crontab -e or just crontab -e
* list crontab as owner
[abram@redhat ~]$ crontab -l
*/1 * * * * /home/abram/bin/x.sh
* list crontab as root for user
[root@redhat ~]# crontab -l -u abram
*/1 * * * * /home/abram/bin/x.sh
* root can edit the crontab of a user ;)
[root@redhat ~]# crontab -e -u abram
* fields in a crontab, those 5 magic stars ;-)
minute (from 0 to 59)
hour (from 0 to 23)
day of month (from 1 to 31)
month (from 1 to 12)
day of week (from 0 to 7) (0 or 7 = Sunday); when both day of month and day of week are restricted, cron runs the job when either one matches
* a crazy sample ;)
*/10 * 4-6 2 * /bin/xxx (every 10 minutes on the 4th, 5th and 6th day of February, run /bin/xxx)
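An added example, not from the original post: a validator for the five time fields, written in POSIX sh, that rejects the out-of-range values cron would refuse and accepts 7 as Sunday in the day-of-week field. It also flags the case where both day-of-month and day-of-week are restricted, since cron ORs those two fields and the job then runs more often than people expect. The crontab lines it is run against are constructed; the function names are mine.

```bash
#!/bin/sh
# Added example, not from the original post: check the five time fields of a
# crontab line before installing it with crontab -e. Plain POSIX sh.

cron_field_ok() {  # usage: cron_field_ok <field> <lo> <hi>; 0 when every item is in range
  lo=$2; hi=$3
  set -f                                   # no globbing while we split on ',' (fields contain '*')
  set -- $(printf '%s\n' "$1" | tr ',' ' ')
  set +f
  for item; do
    case $item in
      */*)                                 # step: "*/10", "1-30/5"
        step=${item#*/}; item=${item%%/*}
        case $step in ''|*[!0-9]*) return 1 ;; esac
        [ "$step" -ge 1 ] || return 1 ;;
    esac
    case $item in
      '*') ;;
      *-*)                                 # range "4-6"
        a=${item%-*}; b=${item#*-}
        case $a in ''|*[!0-9]*) return 1 ;; esac
        case $b in ''|*[!0-9]*) return 1 ;; esac
        [ "$a" -ge "$lo" ] && [ "$b" -le "$hi" ] && [ "$a" -le "$b" ] || return 1 ;;
      *)                                   # single value
        case $item in ''|*[!0-9]*) return 1 ;; esac
        [ "$item" -ge "$lo" ] && [ "$item" -le "$hi" ] || return 1 ;;
    esac
  done
  return 0
}

cron_valid() {  # usage: cron_valid "<crontab line>"; 0 when the 5 fields are in range and a command follows
  set -f; set -- $1; set +f
  [ $# -ge 6 ] || return 1
  cron_field_ok "$1" 0 59 && cron_field_ok "$2" 0 23 && cron_field_ok "$3" 1 31 \
    && cron_field_ok "$4" 1 12 && cron_field_ok "$5" 0 7
}

cron_dom_dow_both() {  # 0 when day-of-month AND day-of-week are restricted: cron then fires on EITHER match
  set -f; set -- $1; set +f
  case $3 in '*'*) return 1 ;; esac
  case $5 in '*'*) return 1 ;; esac
  return 0
}

# Stand-alone run over constructed lines:
for line in '*/10 * 4-6 2 * /bin/xxx' '60 * * * * /bin/true' '0 4 1 * 1 /bin/true'; do
  if cron_valid "$line"; then verdict=ok; else verdict=INVALID; fi
  cron_dom_dow_both "$line" && verdict="$verdict (dom and dow both set: runs when either matches)"
  echo "$verdict: $line"
done
```

The @reboot/@daily shortcuts and the names (jan, mon) that cronie also accepts are not handled, so the validator says INVALID for those; it is meant for the numeric five-field form shown above.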
3) Configure systems to boot into a specific runlevel automatically.
* in /etc/inittab find the line id:3:initdefault: and change the 3 to whatever runlevel is needed!
4) Install Red Hat Enterprise Linux automatically using Kickstart.
* yum install system-config-kickstart
* run system-config-kickstart, save file
* share it somewhere, in my case on my local RHEL server in vbox
cp ks.cfg /var/www/html/
* boot the PC from the CD-ROM; there should be a few boot options, choose the first from the top (install new or something),
press Tab and add
ks=http://172.16.200.9/ks.cfg
in the httpd server logs:
==> /var/log/httpd/access_log <==
172.16.200.12 - - [24/Apr/2013:01:54:31 +0200] "GET /ks.cfg HTTP/1.1" 200 1070 "-" "anaconda/13.21.195"
* from NFS
ks=nfs:host:/ks.cfg
* linux ks=http://172.16.200.9/ks.cfg append ip=192.168.111.222 netmask=255.255.255.0
but it is not tested
* DVD drive ks=cdrom:/directory/ks.cfg
* Hard Drive ks=hd:/device/directory/ks.cfg
* Other Device ks=file:/device/directory/ks.cfg
* HTTP Server ks=http://server.mydomain.com/directory/ks.cfg
* FTP Server ks=ftp://server.mydomain.com/directory/ks.cfg
* NFS Server ks=nfs:server.mydomain.com:/directory/ks.cfg
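An added example, not from the original post: a ks.cfg served from /var/www/html is readable by anyone who can reach that web server, so it is worth checking what it commits the new machine to before installing from it. Both kickstart files below are constructed (the hash is a placeholder) using RHEL 6 directives; the lint flags a clear-text rootpw, SELinux not enforcing, a disabled firewall and a non-sha512 password algorithm, and warns when a file leaves those to the installer default.

```bash
#!/bin/sh
# Added example, not from the original post: lint a kickstart file for the
# settings that decide the security posture of the installed box. Runs
# anywhere; the two ks.cfg samples are constructed.
ks_lint() {  # reads ks.cfg on stdin, prints one WARN line per finding
  awk '
    /^[[:space:]]*#/ { next }
    /^%/ { in_section = ($1 != "%end"); next }   # skip %packages/%pre/%post bodies
    in_section { next }
    $1 == "rootpw" {
      seen_rootpw = 1
      if ($0 !~ /--iscrypted/) print "WARN: rootpw stored in clear text (use --iscrypted with a sha512 hash)"
    }
    $1 == "selinux" {
      seen_selinux = 1
      if ($0 !~ /--enforcing/) print "WARN: SELinux not enforcing: " $0
    }
    $1 == "firewall" {
      seen_firewall = 1
      if ($0 ~ /--disabled/) print "WARN: firewall disabled"
    }
    $1 == "authconfig" && $0 !~ /--passalgo=sha512/ { print "WARN: authconfig without --passalgo=sha512" }
    END {
      if (!seen_rootpw)   print "WARN: no rootpw line (installer will prompt, so this is not unattended)"
      if (!seen_selinux)  print "WARN: no selinux line (relying on the installer default)"
      if (!seen_firewall) print "WARN: no firewall line (relying on the installer default)"
    }'
}

weak_ks() {      # constructed: what a quick click-through in system-config-kickstart can produce
  cat <<'EOF'
install
url --url="http://172.16.200.9/rhel6/"
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto dhcp
rootpw redhat123
firewall --disabled
authconfig --enableshadow --passalgo=md5
selinux --disabled
timezone Europe/Warsaw
bootloader --location=mbr
clearpart --all --initlabel
autopart
%packages
@core
%end
EOF
}

hardened_ks() {  # constructed: same install, with the four settings fixed (hash is a placeholder)
  cat <<'EOF'
install
url --url="http://172.16.200.9/rhel6/"
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto dhcp
rootpw --iscrypted $6$placeholder$notarealhash
firewall --enabled --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone Europe/Warsaw
bootloader --location=mbr
clearpart --all --initlabel
autopart
%packages
@core
%end
EOF
}

# Stand-alone run:
echo "== weak ks.cfg";     weak_ks | ks_lint
echo "== hardened ks.cfg"; hardened_ks | ks_lint
```

Even with --iscrypted the hash in a world-readable ks.cfg is offline-crackable, so remove the file from the web root once the install is done, or serve it only for the duration of the install.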
5) Configure a physical machine to host virtual guests.
* the system will need some packages; on RHEL 6 the KVM stack comes from the Virtualization yum groups (qemu-kvm, libvirt and the virt-manager/virt-install tools), the CPU must expose VT-x/AMD-V (look for vmx or svm in /proc/cpuinfo; a VirtualBox guest without nested virtualization does not have it), and libvirtd must be running
yum groupinstall "Virtualization"
yum groupinstall "Virtualization Client"
yum install kvm
yum install qemu
(the last two are not RHEL 6 package names; the package is qemu-kvm and the groups above already pull it in)
6) Install Red Hat Enterprise Linux systems as virtual guests.
* X GUI
maybe needed: yum groupinstall 'X Window System'
open virt-manager and click, click ...
PICTURES ;) http://virt-manager.et.redhat.com/screenshots/install.html
* console commands; I wonder if it can be done on my VirtualBox RHEL ;)
from that site: http://manyrootsofallevilrants.blogspot.com/2011/06/install-red-hat-enterprise-linux_09.html
virt-install -n test -r 1024 --vcpu=1 -l nfs:10.168.20.227:/distro --os-type='linux' --os-variant='rhel6' --network network:default --file=/var/lib/libvirt/images/test.img --file-size=6 -x console=ttyS0
a lot of BLA BLA ;)
7) Configure systems to launch virtual machines at boot.
* see what virsh can do (man)
* virsh list
* virsh start MACHINE
* virsh shutdown MACHINE
* virsh destroy MACHINE (pulls the power ;) )
* virsh autostart MACHINE (marks MACHINE to start when the server boots ;) )
8) Configure network services to start automatically at boot.
* use the chkconfig command!
* or maybe ntsysv ???
9) Configure a system to run a default configuration HTTP server.
* REMEMBER ABOUT SELINUX ...
* install httpd using yum command
yum install httpd
* prepare simple html file
echo "redhat test http server" > /var/www/html/index.html; chmod 644 /var/www/html/index.html
* change ServerName in /etc/httpd/conf/httpd.conf
ServerName redhat.abram.pl:80
* check the service status and switch it on when needed ;)
chkconfig httpd --list
chkconfig httpd on
or specify level: chkconfig httpd --level 5 on
* start httpd daemon
service httpd start
* check if that http server works
[root@redhat ~]# echo -e "GET /index.html HTTP/1.0\r\n" | nc redhat.abram.pl 80
HTTP/1.1 200 OK
Date: Tue, 23 Apr 2013 18:19:29 GMT
Server: Apache/2.2.15 (Red Hat)
Last-Modified: Tue, 23 Apr 2013 18:09:58 GMT
ETag: "1024-18-4db0b17e218d0"
Accept-Ranges: bytes
Content-Length: 24
Connection: close
Content-Type: text/html; charset=UTF-8
redhat test http server
or just install the lynx text web browser and then:
lynx redhat.abram.pl
* maybe the server needs tcp port 80 opened in iptables for http?
[root@redhat ~]# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[root@redhat ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
or
system-config-firewall
10) Configure a system to run a default configuration FTP server.
* REMEMBER ABOUT SELINUX ...
* install ftpd daemon and ftp client
yum install vsftpd ftp
* service vsftpd start
* chkconfig vsftpd on (or choose level)
* iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
* iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
* service iptables save
* maybe on redhat also check that the iptables scripts load the nf_conntrack_ftp module (IPTABLES_MODULES)
in file /etc/sysconfig/iptables-config
* checking selinux
[root@redhat ~]# ls -lZ /var/| grep ftp
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 ftp
[root@redhat ~]# ls -lZ /var/ftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
[root@redhat ~]# echo 'test' > /var/ftp/pub/test.txt
[root@redhat ~]# echo 'test' > /var/ftp/pub/test.txt
[root@redhat ~]# ls -la /var/ftp/pub/test.txt
-rw-r--r--. 1 root root 5 04-23 22:33 /var/ftp/pub/test.txt
[root@redhat ~]# ls -lZ /var/ftp/pub/test.txt
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 /var/ftp/pub/test.txt
file test.txt can be downloaded via ftp.
now a file moved from /root to /var/ftp/pub:
[root@redhat ~]# ls -lZ install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
[root@redhat ~]# mv install.log /var/ftp/pub/
[root@redhat ~]# ls -lZ /var/ftp/pub/install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 /var/ftp/pub/install.log
file install.log has mode 644, but its SELinux type (admin_home_t) does not let vsftpd serve it
lftp 172.16.200.9:/pub> get install.log
get: Access failed: 550 Failed to open file. (install.log)
in /var/log/xferlog:
==> xferlog <==
Tue Apr 23 22:43:11 2013 1 172.16.200.4 0 /pub/install.log b _ o a lftp@ ftp 0 * i
Tue Apr 23 22:43:18 2013 1 172.16.200.4 0 /pub/install.log b _ o a lftp@ ftp 0 * i
get test.txt
Tue Apr 23 22:44:01 2013 1 172.16.200.4 5 /pub/test.txt b _ o a lftp@ ftp 0 * c
* restore selinux context, two ways.
1st) using default context for /var/ftp
restorecon -RvF /var/ftp
restorecon reset /var/ftp/pub/test.txt context unconfined_u:object_r:public_content_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /var/ftp/pub/install.log context system_u:object_r:admin_home_t:s0->system_u:object_r:public_content_t:s0
2nd) setting it by hand with chcon
chcon -v -R -u system_u -r object_r -t public_content_t /var/ftp
changing security context of `/var/ftp/pub/test.txt'
changing security context of `/var/ftp/pub/install.log'
changing security context of `/var/ftp/pub'
changing security context of `/var/ftp'
* after the selinux change the new file is ready to download
lftp 172.16.200.9:/pub> ls
-rw-r--r-- 1 0 0 9694 Apr 15 13:52 install.log
-rw-r--r-- 1 0 0 5 Apr 23 20:33 test.txt
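Added example, not code from the original post: a small shell audit for exactly the problem above. It reads ls -lZ style lines and reports files under /var/ftp whose SELinux type vsftpd is not allowed to read (the default policy only lets it serve public_content_t and public_content_rw_t), and it counts the incomplete (i) transfers per file in xferlog, which is what the two 550 failures left behind. Both inputs are constructed from the output shown above; the upload.bin and notes.txt entries are made up to exercise the check.

```shell
#!/bin/sh
# Added example (not from the original post): audit SELinux file types under
# /var/ftp and spot failed downloads in xferlog.

# Constructed "ls -lZ" output in the RHEL 6 layout: mode owner group context path.
# test.txt and install.log come from the session above; the other two are made up.
LSZ_SAMPLE='-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 /var/ftp/pub/test.txt
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 /var/ftp/pub/install.log
-rw-r--r--. root root system_u:object_r:public_content_rw_t:s0 /var/ftp/pub/upload.bin
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/ftp/pub/notes.txt'

# Print "path (type)" for every file whose type vsftpd cannot serve.
# Mode 644 is not enough: a file mv-ed in from /root keeps admin_home_t and
# the server answers "550 Failed to open file" until the label is fixed.
mislabelled_ftp_files() {
    awk '{
        split($4, ctx, ":")                 # user:role:type:level
        type = ctx[3]
        if (type != "public_content_t" && type != "public_content_rw_t")
            print $5 " (" type ")"
    }'
}

# Constructed xferlog lines in the format shown above. Field 9 is the file,
# the last field is the completion status: c = complete, i = incomplete.
XFERLOG_SAMPLE='Tue Apr 23 22:43:11 2013 1 172.16.200.4 0 /pub/install.log b _ o a lftp@ ftp 0 * i
Tue Apr 23 22:43:18 2013 1 172.16.200.4 0 /pub/install.log b _ o a lftp@ ftp 0 * i
Tue Apr 23 22:44:01 2013 1 172.16.200.4 5 /pub/test.txt b _ o a lftp@ ftp 0 * c'

# Print "file count" for every file with incomplete transfers. Repeated "i"
# entries with 0 bytes on a readable file point at a label problem, not a
# permission-bit problem.
incomplete_transfers() {
    awk '$NF == "i" { n[$9]++ } END { for (f in n) print f, n[f] }' | sort
}

echo "files vsftpd cannot serve:"
printf '%s\n' "$LSZ_SAMPLE" | mislabelled_ftp_files
echo "incomplete transfers:"
printf '%s\n' "$XFERLOG_SAMPLE" | incomplete_transfers
```

On a real box feed it ls -lZR /var/ftp and /var/log/xferlog; the fix for anything it lists is the restorecon -RvF /var/ftp from above.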
11) Install and update software packages from Red Hat Network, a remote repository, or from the local file system.
* maybe the repo's gpg key needs importing first?
rpm --import gpgkey
* from local file system using rpm
cd /somewhere_for_packages
rpm -Uhv package-to-update.rpm (--test is OK ;) )
rpm -ihv package-to-install.rpm (--test is OK)
* from Red Hat Network, the system may need registering first:
rhn_register, then go; it should set yum up to use the RHN repos
[root@redhat ~]# yum repolist
Loaded plugins: downloadonly, product-id, rhnplugin, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
This system is receiving updates from RHN Classic or RHN Satellite.
rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00
rhel-6-server-rhev-agent-rpms | 3.1 kB 00:00
rhel-6-server-rpms | 3.7 kB 00:00
repo id repo name status
rhel-6-server-cf-tools-1-rpms Red Hat CloudForms Tools for RHEL 6 (RPMs) 30
rhel-6-server-rhev-agent-rpms Red Hat Enterprise Virtualization Agents for RHEL 6 Server (RPMs) 16
rhel-6-server-rpms Red Hat Enterprise Linux 6 Server (RPMs) 7934
rhel-i386-server-6 Red Hat Enterprise Linux Server (v. 6 for 32-bit x86) 7926
repolist: 15906
* prepare yum to use local repo from directory
create file /etc/yum.repos.d/local.repo with content
[local]
name=local
baseurl=file:///directory/path/to/repo/
enabled=1
gpgcheck=0
TIP: the directory can be a mounted cdrom, or an ISO of the cdrom/dvd mounted with loop to a directory...
* prepare yum to use local repo from http server
create file /etc/yum.repos.d/from-http.repo
[remote]
name=remote
baseurl=http://10.1.1.1/repo/i386/
enabled=1
gpgcheck=0
* maybe the directory with rpm files needs preparing as a repo first? then go
cd /directory
createrepo .
* using the created repos is simple
yum --disablerepo=* --enablerepo=remote --enablerepo=local install (packages)
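Added example, not the author's code: the two .repo files above both set gpgcheck=0, which means yum installs whatever the baseurl hands it with no signature check, and over plain http that is whatever the network hands it. This shell audit reads a .repo file and prints one finding per section. The repo file is constructed from the two sections above plus a hardened variant; the gpgkey path is the standard RHEL release-key location.

```shell
#!/bin/sh
# Added example (not from the original post): audit yum .repo files for
# repos whose packages will be installed without signature verification.

# Constructed repo file: the two sections from the notes above plus a
# hardened variant of the http one with gpgcheck=1 and a gpgkey.
REPO_SAMPLE='[local]
name=local
baseurl=file:///directory/path/to/repo/
enabled=1
gpgcheck=0

[remote]
name=remote
baseurl=http://10.1.1.1/repo/i386/
enabled=1
gpgcheck=0

[remote-signed]
name=remote with signature checking
baseurl=http://10.1.1.1/repo/i386/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release'

# Read a .repo file on stdin and print one finding per line. Assumes the
# usual one key=value per line layout with no spaces around "=".
audit_repo() {
    awk '
    function report() {
        if (check == "0")
            print sec ": gpgcheck=0, package signatures are not verified"
        else if (check == "")
            print sec ": gpgcheck not set, inherits the [main] default"
        else if (key == "")
            print sec ": gpgcheck=1 but no gpgkey, the key must already be imported with rpm --import"
        # unsigned packages over plain http: anything on the path can replace them
        if (url ~ /^http:/ && check != "1")
            print sec ": plaintext http baseurl without signature checking, contents can be altered in transit"
    }
    /^\[/        { if (sec != "") report()
                   sec = substr($0, 2, index($0, "]") - 2); check = ""; key = ""; url = ""; next }
    /^gpgcheck=/ { check = substr($0, 10) }
    /^gpgkey=/   { key = substr($0, 8) }
    /^baseurl=/  { url = substr($0, 9) }
    END          { if (sec != "") report() }
    '
}

printf '%s\n' "$REPO_SAMPLE" | audit_repo
```

The [main] section of RHEL's /etc/yum.conf has gpgcheck=1, so the fix for the two findings is gpgcheck=1 plus a gpgkey= line (or importing the key with rpm --import as above) rather than switching checking off because the key is missing.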
12) Update the kernel package appropriately to ensure a bootable system.
* yum update kernel
* or better, fetch the new kernel package from the repo and then rpm -ihv kernel-*****rpm (install with -i, not -U, so the old kernel stays as a fallback)
* yum install yum-downloadonly (will add special plugin to yum)
yum update kernel -y --downloadonly (will download kernel package)
files go to: /var/cache/yum/i386/6Server/rhel-6-server-rpms/packages/ (or find / -iname "*.rpm")
install them (test first)
rpm -ihv kernel* --test
rpm -ihv kernel*
CHECK grub! the new kernel should have been added as the default entry; then reboot the server, go!
13) Modify the system bootloader.
* always backup /boot/grub/menu.lst before editing
* cat /boot/grub/menu.lst
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-358.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-358.el6.i686 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-358.el6.i686.img
* some more grub from my laptop
# windows
title windows
rootnoverify (hd0,0)
makeactive
chainloader +1
# For installing GRUB into the hard disk
title Install GRUB into the hard disk
root (hd0,3)
setup (hd0)
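For the "CHECK grub!" step above, an added example (not from the original post): a shell check that reads a GRUB legacy menu.lst, says which entry default= selects, and verifies the kernel and initrd of that entry carry the same version, which is the usual way a hand-edited entry ends up unbootable. MENU_OK is built from the menu.lst above; MENU_BAD is a constructed broken case where "NEW" stands in for a newer version string and is not a real release.

```shell
#!/bin/sh
# Added example (not from the original post): check which GRUB legacy entry
# "default=" selects and whether its kernel and initrd versions agree.

# Constructed menu.lst based on the one above: default=0 selects the RHEL 6 entry.
MENU_OK='default=0
timeout=5
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-358.el6.i686)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-358.el6.i686 ro root=/dev/mapper/VolGroup-lv_root rhgb quiet
    initrd /initramfs-2.6.32-358.el6.i686.img
title windows
    rootnoverify (hd0,0)
    chainloader +1'

# Constructed broken case: a new kernel entry was written by hand and still
# points at the old initramfs. "NEW" is a placeholder, not a real version.
MENU_BAD='default=0
timeout=5
title Red Hat Enterprise Linux (2.6.32-NEW.el6.i686)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-NEW.el6.i686 ro root=/dev/mapper/VolGroup-lv_root rhgb quiet
    initrd /initramfs-2.6.32-358.el6.i686.img
title Red Hat Enterprise Linux (2.6.32-358.el6.i686)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-358.el6.i686 ro root=/dev/mapper/VolGroup-lv_root rhgb quiet
    initrd /initramfs-2.6.32-358.el6.i686.img'

# Read menu.lst on stdin, print a one-line verdict for the default entry.
grub_default_entry() {
    awk '
    /^default=/    { def = substr($0, 9) }
    $1 == "title"  { n++; $1 = ""; title[n] = substr($0, 2) }   # rest of line is the title
    $1 == "kernel" { kernel[n] = $2 }
    $1 == "initrd" { initrd[n] = $2 }
    END {
        if (def !~ /^[0-9]+$/) { print "default=" def " is not a numeric index"; exit }
        idx = def + 1                                   # GRUB counts entries from 0
        if (!(idx in title)) { print "default=" def " points past the last of " n " entries"; exit }
        if (kernel[idx] == "") { print "default entry " def ": " title[idx] " -> no kernel line (chainloader entry)"; exit }
        kv = kernel[idx]; sub(/^\/vmlinuz-/, "", kv)
        iv = initrd[idx]; sub(/^\/initramfs-/, "", iv); sub(/\.img$/, "", iv)
        if (kv == iv) verdict = "kernel and initrd versions match (" kv ")"
        else          verdict = "MISMATCH kernel " kv " vs initrd " iv
        print "default entry " def ": " title[idx] " -> " verdict
    }'
}

printf '%s\n' "$MENU_OK"  | grub_default_entry
printf '%s\n' "$MENU_BAD" | grub_default_entry
```

Run it as grub_default_entry < /boot/grub/menu.lst after the rpm -ihv kernel* step and before rebooting.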
Sunday, 21 April 2013
Self prepare for REDHAT RHCSA EX200 Part 4: Create and configure file systems
Part 4: Create and configure file systems
1) Create, mount, unmount, and use ext2, ext3, and ext4 file systems.
* create fs (device can be /dev/sda1 or /dev/lvm/whatever)
mkfs.ext2 /dev/device
mkfs.ext3 /dev/device
mkfs.ext4 /dev/device
* tune2fs for changing ext* parameters
* mount /dev/device -o ro /mount_point
mount -o bind /source /destination
mount -o loop image-from-cd.iso /mount_point
* umount /mount_point
umount /dev/device
2) Mount, unmount, and use LUKS-encrypted file systems.
* prepare the luks device (if not yet prepared)
cryptsetup luksFormat /dev/sdc1 (then enter the passphrase, 2x)
after this open the device with cryptsetup luksOpen /dev/sdc1 NameWhatever, then
format it: mkfs.ext4 /dev/mapper/NameWhatever
now /dev/mapper/NameWhatever can be mounted anywhere in the system
* if it is already prepared, just open it instead of formatting it again (like above ;) )
cryptsetup luksOpen /dev/sdc1 MyNameCanBeDifferentEachTime (give the passphrase),
it creates the device MyNameCanBeDifferentEachTime in /dev/mapper
* mount /dev/mapper/MyNameCanBeDifferentEachTime /crypteddevice
* umount /dev/mapper/MyNameCanBeDifferentEachTime
* to have the luks device opened automatically at boot, put a line like this in /etc/crypttab
MyNewName /dev/sdc1
and this in /etc/fstab to mount it at startup
/dev/mapper/MyNewName /luks ext4 defaults 1 1
Simple isn't it?
3) Mount and unmount CIFS and NFS network file systems.
* cifs (formerly smbfs; Microsoft network shares from Windows)
mount -o rw,user=backup,password=backup -t cifs //172.16.200.41/tmp /cifs
or
mount -o rw,user=abram,password=aa -t cifs //172.16.200.41/tmp /cifs
* cifs automount from /etc/fstab, add this line to the file
//172.16.200.41/tmp /cifs cifs rw,user=abram,password=aa 0 0
* nfs from cmdline
check that rpcbind (or portmap on older systems) is running, then
mount -o rw -t nfs 172.16.200.41:/home /nfs/
* nfs automount from /etc/fstab (in PLD Linux there is very smart package nfs-utils-clients which
has rc.d/nfsfs ;) )
put this to /etc/fstab
172.16.200.41:/home /nfs nfs defaults 0 0
4) Configure systems to mount ext4, LUKS-encrypted, and network file systems automatically.
I will just show the lines to put in /etc/fstab
* ext4 or any fs ;) (xfs, ext2, ext3???)
/dev/sda2 /mountpoint ext4 defaults 1 1
/dev/LVM_VG_NAME/LVM_name /home ext4 defaults 1 1
UUID=96871128-21c3-4591-9632-973097cad8b5 /media/mydata ext4 defaults 1 1
LABEL=MyLabel /mynew_data ext4 defaults 1 1
* LUKS-encrypted (some examples are above with UUID)
1) in /etc/crypttab line like this
myname /dev/sdb1
2) in /etc/fstab line like this
/dev/mapper/myname /media/mydata ext4 defaults 1 1
* network files (cifs and nfs)
1) //172.16.200.41/tmp /cifs cifs rw,user=abram,password=aa 0 0
2) 172.16.200.41:/home /nfs nfs defaults 0 0
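Added example, not code from the original post, covering the LUKS and network lines from 2) and 4): a lint for /etc/fstab that checks each line has six fields, that every /dev/mapper/NAME has a matching NAME in /etc/crypttab (otherwise the device does not exist at boot and the mount fails), that cifs lines do not carry password= (/etc/fstab is world-readable, so the mount.cifs credentials= option pointing at a mode 600 file is the right place for it), and that network file systems use fsck pass 0. The crypttab and fstab contents are constructed from the lines above plus three deliberately broken ones; /etc/cifs.cred is a placeholder path.

```shell
#!/bin/sh
# Added example (not from the original post): lint /etc/fstab against
# /etc/crypttab before rebooting into it.

# Constructed crypttab with the one mapping from the notes above.
CRYPTTAB_SAMPLE='myname /dev/sdb1'

# Constructed fstab: the lines from the notes plus three deliberately
# problematic ones (orphan mapping, cifs with a password in it, short line).
# /etc/cifs.cred is a placeholder path for a credentials file.
FSTAB_SAMPLE='/dev/sda2 /mountpoint ext4 defaults 1 1
UUID=96871128-21c3-4591-9632-973097cad8b5 /media/mydata ext4 defaults 1 1
/dev/mapper/myname /media/luks ext4 defaults 1 1
/dev/mapper/orphan /media/orphan ext4 defaults 1 1
//172.16.200.41/tmp /cifs cifs rw,user=abram,password=aa 0 0
//172.16.200.41/tmp /cifs2 cifs rw,credentials=/etc/cifs.cred 0 0
172.16.200.41:/home /nfs nfs defaults 0 0
/dev/sdb3 /broken ext4 defaults 1'

# usage: lint_fstab "<crypttab contents>" < fstab ; prints one finding per line
lint_fstab() {
    awk -v crypt="$1" '
    BEGIN {
        # first column of every crypttab line is a /dev/mapper name
        n = split(crypt, lines, "\n")
        for (i = 1; i <= n; i++)
            if (split(lines[i], f) >= 2 && f[1] !~ /^#/) mapped[f[1]] = 1
    }
    NF == 0 || $1 ~ /^#/ { next }
    NF != 6 { print $1 ": expected 6 fields, got " NF; next }
    $1 ~ /^\/dev\/mapper\// {
        name = $1; sub(/^\/dev\/mapper\//, "", name)
        if (!(name in mapped))
            print $1 ": no " name " line in /etc/crypttab, the device will not exist at boot"
    }
    $3 == "cifs" && $4 ~ /(^|,)password=/ {
        # /etc/fstab is world-readable; a credentials= file can be mode 600
        print $1 ": plaintext password in fstab, move user/password into a credentials= file (mode 600)"
    }
    ($3 == "nfs" || $3 == "cifs") && $6 != "0" {
        print $1 ": fsck pass " $6 " on a network file system, use 0"
    }
    '
}

printf '%s\n' "$FSTAB_SAMPLE" | lint_fstab "$CRYPTTAB_SAMPLE"
```

On a real system: lint_fstab "$(cat /etc/crypttab)" < /etc/fstab. The credentials file for the cifs line holds username= and password= on separate lines.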
5) Extend existing unencrypted ext4-formatted logical volumes.
* lvdisplay /dev/XYZ/test (it shows 1GiB size)
* add some space to that device
check free space on VG
[root@localhost ~]# vgdisplay XYZ| grep PE
PE Size 4,00 MiB
Total PE 511
Alloc PE / Size 256 / 1,00 GiB
Free PE / Size 255 / 1020,00 MiB
extend the LV (add 512 MiB)
lvextend -v -L +512M /dev/XYZ/test
and grow the file system to fill it
resize2fs /dev/XYZ/test
TIP: growing this way can be done on a mounted fs
* set the LV to an absolute size (bigger or smaller) (DANGER!!!)
[root@localhost ~]# lvresize -L 400M /dev/XYZ/test
WARNING: Reducing active and open logical volume to 400,00 MiB
THIS MAY DESTROY YOUR DATA (filesystem etc.)
Do you really want to reduce test? [y/n]: n
Logical volume test NOT reduced
after y -> got this
[root@localhost ~]# mount /dev/XYZ/test /cifs/
mount: wrong fs type, bad option, bad superblock on /dev/mapper/XYZ-test,
and fs is broken ...
[root@localhost ~]# fsck.ext4 /dev/XYZ/test
e2fsck 1.41.12 (17-May-2010)
Error reading block 131072 (Invalid argument). Ignore error<y>? yes
Force rewrite<y>? yes
Error writing block 131072 (Invalid argument). Ignore error<y>? yes
Superblock has an invalid journal (inode 8).
Clear<y>? yes
*** ext3 journal has been deleted - filesystem is now ext2 only ***
Superblock has_journal flag is clear, but a journal inode is present.
Clear<y>? yes
The filesystem size (according to the superblock) is 393216 blocks
The physical size of the device is 102400 blocks
Either the superblock or the partition table is likely to be corrupt!
Abort<y>? no
/dev/XYZ/test contains a file system with errors, check forced.
Error writing block 131072 (Invalid argument). Ignore error<y>?
Pass 1: Checking inodes, blocks, and sizes
Journal inode is not in use, but contains data. Clear<y>? yes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Block bitmap differences: -(131072--139263)
Fix<y>?
then a lot of errors 8-) fix it fix it ... bla bla ;)
WITHOUT BACKUP OF DATA ;) it is ... BROKEN ;)
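Added example, not the author's code: a small planner that reads the vgdisplay numbers shown above (extent size and free extents, comma decimals included), checks whether a requested extension fits, and prints the commands in the order that does not destroy the file system. Growing is lvextend then resize2fs, as above; shrinking has to go the other way round, file system first and offline, then lvreduce, which is the step the lvresize session above skipped. The vgdisplay text is constructed from the output above; lv_plan is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post): plan an LV resize from the
# vgdisplay numbers and emit the commands in a safe order.

# Constructed vgdisplay output, same values as above (the Polish locale
# prints "4,00" with a comma).
VGDISPLAY_SAMPLE='  PE Size               4,00 MiB
  Total PE              511
  Alloc PE / Size       256 / 1,00 GiB
  Free PE / Size        255 / 1020,00 MiB'

# Extent size in MiB, comma normalised so the shell can do arithmetic on it.
vg_pe_size_mb() { awk '/PE Size/ { v = $3; sub(",", ".", v); printf "%d\n", v }'; }

# Number of extents still free in the VG.
vg_free_pe() { awk '/Free PE/ { print $5 }'; }

# usage: lv_plan LV CURRENT_MB TARGET_MB PE_MB FREE_PE
# Growing: lvextend first, then resize2fs (works on a mounted fs).
# Shrinking: the file system must be made smaller BEFORE the LV, offline;
# doing lvresize first is what destroyed the fs in the session above.
lv_plan() {
    lv=$1 cur=$2 target=$3 pe=$4 free=$5
    if [ "$target" -gt "$cur" ]; then
        need=$((target - cur))
        extents=$(( (need + pe - 1) / pe ))      # round up to whole extents
        if [ "$extents" -gt "$free" ]; then
            echo "not enough free extents: need $extents, have $free"
        else
            echo "lvextend -L +${need}M $lv"
            echo "resize2fs $lv"
        fi
    elif [ "$target" -lt "$cur" ]; then
        echo "umount $lv"
        echo "e2fsck -f $lv"
        echo "resize2fs $lv ${target}M"
        echo "lvreduce -L ${target}M $lv"
    else
        echo "nothing to do"
    fi
    return 0
}

pe=$(printf '%s\n' "$VGDISPLAY_SAMPLE" | vg_pe_size_mb)
free=$(printf '%s\n' "$VGDISPLAY_SAMPLE" | vg_free_pe)
echo "extent ${pe} MiB, ${free} free extents"
lv_plan /dev/XYZ/test 1024 1536 "$pe" "$free"     # the +512M from above
lv_plan /dev/XYZ/test 1024 400 "$pe" "$free"      # the shrink, done the safe way
```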
6) Create and configure set-GID directories for collaboration.
* It could probably look like this: 4 users, one group that connects them, and a directory where they
can share files.
* [root@localhost ~]# for i in `seq 1 4`; do echo joe$i;useradd joe$i; done
joe1
joe2
joe3
joe4
[root@localhost ~]# id joe1
uid=500(joe1) gid=500(joe1) groups=500(joe1)
[root@localhost ~]# id joe2
uid=501(joe2) gid=501(joe2) groups=501(joe2)
...
* create group
[root@localhost ~]# groupadd union
[root@localhost ~]# getent group union
union:x:504:
* put joe2 and joe4 to that group
usermod -G union joe2; usermod -G union joe4
check it
[root@localhost ~]# id joe4
uid=503(joe4) gid=503(joe4) groups=503(joe4),504(union)
[root@localhost ~]# id joe2
uid=501(joe2) gid=501(joe2) groups=501(joe2),504(union)
* prepare the directory
mkdir /home/union
chown root:union /home/union
* add SGID to /home/union (set rwx for owner, rwx for group, no access to others)
chmod 2770 /home/union
[root@localhost ~]# ls -la /home/ | grep union
drwxrws---. 2 root union 4096 Apr 22 01:43 union
* log in as joe1 and try to create a file in /home/union
[root@localhost ~]# su - joe1 -c 'echo aa > /home/union/aa'
-bash: /home/union/aa: Permission denied
or su - joe1 then echo aa > /home/union/aa
[root@localhost ~]# su - joe1
[joe1@localhost ~]$ echo aa > /home/union/aa
-bash: /home/union/aa: Permission denied
* login as joe2 and create file
[root@localhost ~]# su - joe2 -c 'echo joe2 line > /home/union/joe2file'
[root@localhost ~]# cat /home/union/joe2file
joe2 line
[root@localhost ~]# ls -la /home/union/joe2file
-rw-rw-r--. 1 joe2 union 10 Apr 22 01:47 /home/union/joe2file
[root@localhost ~]# ls -lZ /home/union/joe2file
-rw-rw-r--. joe2 union unconfined_u:object_r:home_root_t:s0 /home/union/joe2file
* login as joe2 and create directory
[root@localhost ~]# su - joe2 -c 'mkdir /home/union/joe2dir'
[root@localhost ~]# ls -la /home/union/
total 20
drwxrws---. 3 root union 4096 Apr 22 01:48 .
drwxr-xr-x. 7 root root 4096 Apr 22 01:43 ..
drwxrwsr-x. 2 joe2 union 4096 Apr 22 01:48 joe2dir
* login as joe4 and create dir in joe2dir
[root@localhost ~]# su - joe4 -c 'mkdir /home/union/joe2dir/joe4dir'
[root@localhost ~]# ls -la /home/union/joe2dir/
total 12
drwxrwsr-x. 3 joe2 union 4096 Apr 22 01:49 .
drwxrws---. 3 root union 4096 Apr 22 01:48 ..
drwxrwsr-x. 2 joe4 union 4096 Apr 22 01:49 joe4dir
* login as joe4 and add one line to joe2file
su - joe2 -c 'echo joe4 line >> /home/union/joe2file'
cat /home/union/joe2file
[root@localhost ~]# su - joe2 -c 'echo joe4 line >> /home/union/joe2file'
[root@localhost ~]# cat /home/union/joe2file
joe2 line
joe4 line
[root@localhost ~]# ls -la /home/union/joe2file
-rw-rw-r--. 1 joe2 union 20 Apr 22 01:51 /home/union/joe2file
the owner joe2 stays on the file; joe4 could add a line as a member of the union group ;)
* joe3 can't add a line to joe2file because he is not a member of the union group
[root@localhost ~]# su - joe3 -c 'echo joe3 line >> /home/union/joe2file'
-bash: /home/union/joe2file: Permission denied
TIP: anyone in the union group can create dirs/files there and there is no problem with access ;)
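Added example, not code from the original post: a throwaway demonstration of the set-GID behaviour seen above (joe2dir coming out as drwxrwsr-x with group union). It creates a scratch directory with mode 2770, then a subdirectory and a file inside it, and reports whether the group and the setgid bit were inherited. It uses GNU stat -c and runs as whoever calls it; if that user has a supplementary group the directory is chgrp-ed to it first so the inheritance is visible. sgid_demo is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post): show set-GID inheritance on a
# scratch directory, the same mechanism that gives /home/union/joe2dir the
# "drwxrwsr-x" mode and the union group above. Uses GNU stat (-c).

sgid_demo() {
    dir=$(mktemp -d) || return 1
    # if we belong to a supplementary group, use it so inheritance is visible
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ] && chgrp "$g" "$dir" 2>/dev/null; then break; fi
    done
    chmod 2770 "$dir"                       # rwx owner, rwx group + setgid, nothing for others

    mkdir "$dir/sub"
    : > "$dir/file"

    parent_grp=$(stat -c %G "$dir")
    sub_grp=$(stat -c %G "$dir/sub")
    file_grp=$(stat -c %G "$dir/file")
    sub_mode=$(stat -c %A "$dir/sub")
    file_mode=$(stat -c %A "$dir/file")

    result="parent_group=$parent_grp sub_group=$sub_grp file_group=$file_grp sub_mode=$sub_mode file_mode=$file_mode"
    # 7th character of the mode string is the group execute slot: s or S = setgid
    case "$sub_mode" in
        ??????[sS]*) result="$result setgid_inherited=yes" ;;
        *)           result="$result setgid_inherited=no" ;;
    esac
    if [ "$sub_grp" = "$parent_grp" ] && [ "$file_grp" = "$parent_grp" ]; then
        result="$result group_inherited=yes"
    else
        result="$result group_inherited=no"
    fi
    rm -rf "$dir"
    echo "$result"
}

sgid_demo
```

Two things the output makes visible: only subdirectories inherit the s bit (file_mode has none, the file just gets the group), and the group comes from the directory rather than from the creating user's primary group, which is what lets joe2 and joe4 share files. Unrelated to the bit itself but worth knowing about the usermod -G above: -G replaces the user's whole supplementary group list, -aG appends to it.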
7) Create and manage Access Control Lists (ACLs).
* check if the file system supports acl
mount
...
/dev/mapper/XYZ-test on /test type ext4 (rw)
* in fstab add ACL option
/dev/XYZ/test /test ext4 defaults,acl 1 1
mount -o remount /test
run mount again and acl shows up in the options
/dev/mapper/XYZ-test on /test type ext4 (rw,acl)
;)
* prepare directory test and a test.log with some content
mkdir /test/test/
dmesg > /test/test.log
* default permissions
[root@localhost ~]# ls -la /test/test.log
-rw-r--r--. 1 root root 24688 Apr 22 01:59 /test/test.log
[root@localhost ~]# ls -lZa /test/test.log
-rw-r--r--. root root unconfined_u:object_r:file_t:s0 /test/test.log
for directory
drwxr-xr-x. 2 root root 1024 Apr 22 01:58 test
* show acls
[root@localhost ~]# getfacl /test/test.log
getfacl: Removing leading '/' from absolute path names
# file: test/test.log
# owner: root
# group: root
user::rw-
group::r--
other::r--
* allow user joe2 to edit test.log
setfacl --help as 1st step :)
setfacl -m u:joe2:rwx /test/test.log
[root@localhost ~]# getfacl /test/test.log
getfacl: Removing leading '/' from absolute path names
# file: test/test.log
# owner: root
# group: root
user::rw-
user:joe2:rwx
group::r--
mask::rwx
other::r--
and try to use that file ;)
[root@localhost ~]# su - joe2 -c 'echo test1 > /test/test.log'
[root@localhost ~]# su - joe2 -c 'echo test2 >> /test/test.log'
[root@localhost ~]# cat /test/test.log
test1
test2y
[root@localhost ~]# su - joe1 -c 'echo test > /test/test.log'
-bash: /test/test.log: Permission denied
* allow group xyz (which will contain joe1 and joe3) on that file and
disallow group union (then see that joe2 can still work with the file but joe4 cannot!)
[root@localhost ~]# setfacl -m g:xyz:rwx /test/test.log
[root@localhost ~]# setfacl -m g:union:- /test/test.log
[root@localhost ~]# getfacl /test/test.log
getfacl: Removing leading '/' from absolute path names
# file: test/test.log
# owner: root
# group: root
user::rw-
user:joe2:rwx
group::r--
group:union:---
group:xyz:rwx
mask::rwx
other::r--
CHECKING!
[root@localhost ~]# su - joe1 -c 'echo joe1 can because is in xyz >> /test/test.log'
[root@localhost ~]# su - joe3 -c 'echo joe3 can because is in xyz >> /test/test.log'
[root@localhost ~]# su - joe2 -c 'echo joe2 can because is joe2 >> /test/test.log'
[root@localhost ~]# su - joe4 -c 'echo joe4 CAN not because is in union ... >> /test/test.log'
-bash: /test/test.log: Permission denied
[root@localhost ~]# cat /test/test.log
joe2 test1
joe2 test2
joe1 can
joe3 can
joe1 can because is in xyz
joe3 can because is in xyz
joe2 can because is joe2
* remove an acl entry from the file
[root@localhost ~]# setfacl -x u:joe2 /test/test.log
[root@localhost ~]# getfacl /test/test.log
getfacl: Removing leading '/' from absolute path names
# file: test/test.log
# owner: root
# group: root
user::rw-
group::r--
group:union:---
group:xyz:rwx
mask::rwx
other::r--
8) Diagnose and correct file permission problems.
* check with
ls -la
ls -lZ
getfacl
* then repair ;)
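Added example for 7) and 8), not code from the original post: getfacl output evaluated the way the kernel does, to answer "can this user read/write/execute this file?" without trying it as that user. The order matters and explains the results above: the owner entry wins, then a named user entry (capped by the mask), then any matching group entry (owning group or named group, each capped by the mask), and other:: is consulted only when none of the user's groups appear at all. That is why joe4 is denied even though other:: has r, and why joe2 keeps access through his user entry while union is ---. ACL_SAMPLE is the listing from above; ACL_MASKED is a constructed listing of the same file after a chmod 644, which rewrites the mask from the group bits and silently caps every named entry. acl_allows is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate a getfacl listing the
# way the kernel does, to answer "can this user do X to this file?".

# Constructed from the getfacl output above, after the group entries were added.
ACL_SAMPLE='# file: test/test.log
# owner: root
# group: root
user::rw-
user:joe2:rwx
group::r--
group:union:---
group:xyz:rwx
mask::rwx
other::r--'

# Constructed: the same file after "chmod 644". chmod rewrites the mask from
# the group bits, so every named entry is silently capped at r--.
ACL_MASKED='# file: test/test.log
# owner: root
# group: root
user::rw-
user:joe2:rwx                   #effective:r--
group::r--
group:union:---
group:xyz:rwx                   #effective:r--
mask::r--
other::r--'

# usage: acl_allows PERM USER GROUP... < getfacl-output   (PERM is r, w or x)
acl_allows() {
    perm=$1; user=$2; shift 2
    awk -v perm="$perm" -v user="$user" -v groups="$*" '
    function has(p, c) { return index(p, c) > 0 }
    !/^#/           { sub(/ *#effective.*$/, "") }     # strip getfacl annotations
    /^# owner: /    { owner = $3 }
    /^# group: /    { ogroup = $3 }
    /^user::/       { uobj = substr($0, 7) }
    /^user:[^:]+:/  { split($0, a, ":"); nuser[a[2]] = a[3] }
    /^group::/      { gobj = substr($0, 8) }
    /^group:[^:]+:/ { split($0, a, ":"); ngroup[a[2]] = a[3] }
    /^mask::/       { mask = substr($0, 7) }
    /^other::/      { other = substr($0, 8) }
    END {
        if (mask == "") mask = "rwx"                  # no mask entry: nothing is capped
        if (user == owner) {
            ok = has(uobj, perm)                      # owner entry is never masked
        } else if (user in nuser) {
            ok = has(nuser[user], perm) && has(mask, perm)
        } else {
            ok = 0; member = 0
            n = split(groups, g, " ")
            for (i = 1; i <= n; i++) {
                if (g[i] == ogroup) { member = 1; if (has(gobj, perm) && has(mask, perm)) ok = 1 }
                if (g[i] in ngroup) { member = 1; if (has(ngroup[g[i]], perm) && has(mask, perm)) ok = 1 }
            }
            if (!member) ok = has(other, perm)        # other:: only if no group matched
        }
        print (ok ? "allowed" : "denied")
    }'
}

# the four users from above; $who is left unquoted on purpose to split into USER GROUP...
for who in "joe1 joe1 xyz" "joe2 joe2 union" "joe3 joe3 xyz" "joe4 joe4 union"; do
    echo "$who write: $(printf '%s\n' "$ACL_SAMPLE" | acl_allows w $who)"
done
echo "joe2 write after chmod 644: $(printf '%s\n' "$ACL_MASKED" | acl_allows w joe2 joe2 union)"
```

For 8) this is the second step after ls -la / ls -lZ / getfacl: when the mode bits look right but access is denied, the mask or a --- group entry is usually the reason; when all of this says allowed and access is still denied, look at the SELinux label (ls -lZ) as in the ftp case.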
Friday, 19 April 2013
Self prepare for REDHAT RHCSA EX200 Part 3: Configure local storage
1) List, create, delete, and set partition type for primary, extended, and logical partitions.
* fdisk or parted. fdisk is better for me ;)
* fdisk -l /dev/sda (show/list)
[root@localhost ~]# fdisk -l /dev/sdb
Disk /dev/sdb: 4294 MB, 4294967296 bytes
255 heads, 63 sectors/track, 522 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
[root@localhost ~]# fdisk -l /dev/sda
Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00002249
Device Boot Start End Blocks Id System
/dev/sda1 * 1 64 512000 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 64 1045 7875584 8e Linux LVM
* fdisk /dev/sda(device) then do create, delete whatever
* for disks > 2TB (an MBR table made by fdisk cannot address them) -> use parted: mklabel gpt, optionally set the default unit with 'unit TB',
then create partitions with "mkpart ..." inside parted!
2) Create and remove physical volumes, assign physical volumes to volume groups, and create and delete logical volumes.
* for my examples in VirtualBox on RHEL I will use sdb (4 GB) + sdc (1 GB) + sdd (1 GB)
* main thing ;)
PV (physical volumes) (storage devices like /dev/sdb1 or /dev/hda1 ...)
VG (volume groups) (grouped storage devices; let's say that in one group we can combine sdb1 and hda1 and as a result get more space)
LV (logical volumes) (our partitions :) where we can store our data ;) )
* create PV
pvcreate /dev/sdb1 /dev/sdc1 /dev/sdd (yes! a whole disk like sdd can be used too ;) )
[root@localhost ~]# pvcreate /dev/sdb1 /dev/sdc1 /dev/sdd
Physical volume "/dev/sdb1" successfully created
Physical volume "/dev/sdc1" successfully created
Physical volume "/dev/sdd" successfully created
* remove PV (in a later example I will add a PV again to show how to extend the VG ;) )
[root@localhost ~]# pvremove /dev/sdd
Labels on physical volume "/dev/sdd" successfully wiped
* display PV
[root@localhost ~]# pvdisplay
--- Physical volume ---
PV Name /dev/sdb1
VG Name MyName
PV Size 2.00 GiB / not usable 3.32 MiB
Allocatable yes
PE Size 4.00 MiB
Total PE 511
Free PE 511
Allocated PE 0
PV UUID rp0Dj3-KO1P-47FL-5XnE-5IVK-cV4m-9vFHIs
--- Physical volume ---
PV Name /dev/sdc1
VG Name MyName
PV Size 1019.72 MiB / not usable 3.72 MiB
Allocatable yes
PE Size 4.00 MiB
Total PE 254
Free PE 254
Allocated PE 0
PV UUID rsWkWp-wnOh-YoZ6-DDbj-ywZC-zByc-Yo7Oca
* create VG
[root@localhost ~]# vgcreate MyName /dev/sdb1 /dev/sdc1
Volume group "MyName" successfully created
* delete VG
[root@localhost ~]# vgremove -v MyName
Using volume group(s) on command line
Finding volume group "MyName"
Archiving volume group "MyName" metadata (seqno 1).
Removing physical volume "/dev/sdb1" from volume group "MyName"
Removing physical volume "/dev/sdc1" from volume group "MyName"
Volume group "MyName" successfully removed
* reduce VG
[root@localhost ~]# vgreduce -v MyName /dev/sdc1
Finding volume group "MyName"
Using physical volume(s) on command line
Archiving volume group "MyName" metadata (seqno 1).
Removing "/dev/sdc1" from volume group "MyName"
Creating volume group backup "/etc/lvm/backup/MyName" (seqno 2).
Removed "/dev/sdc1" from volume group "MyName"
New vg size is 2.00 GiB
* extend VG
[root@localhost ~]# vgextend -v MyName /dev/sdc1
Checking for volume group "MyName"
Archiving volume group "MyName" metadata (seqno 2).
Wiping cache of LVM-capable devices
Adding physical volume '/dev/sdc1' to volume group 'MyName'
Volume group "MyName" will be extended by 1 new physical volumes
Creating volume group backup "/etc/lvm/backup/MyName" (seqno 3).
Volume group "MyName" successfully extended
New extended size is ~3GB (2 + 1)
* change vg status by hand
vgchange -a y (activate all)
vgchange -a n (deactivate all)
* create LV (lvcreate -L SIZE -n NAME WHERE)
lvcreate -L 512M -n data MyName
[root@localhost ~]# lvcreate -L 512M -n data MyName
Logical volume "data" created
[root@localhost ~]# lvdisplay
--- Logical volume ---
LV Path /dev/MyName/data
LV Name data
VG Name MyName
LV UUID SAIzgv-J0hv-V0vs-KLIv-9fsS-eT1I-ORhQ6M
LV Write Access read/write
LV Creation host, time localhost.localdomain, 2013-04-20 01:24:31 +0200
LV Status available
# open 0
LV Size 512.00 MiB
Current LE 128
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:2
* extend LV
[root@localhost ~]# lvextend -v -L +512M /dev/MyName/data
Finding volume group MyName
Archiving volume group "MyName" metadata (seqno 4).
Extending logical volume data to 1.00 GiB
Found volume group "MyName"
Found volume group "MyName"
Loading MyName-data table (253:2)
Suspending MyName-data (253:2) with device flush
Found volume group "MyName"
Resuming MyName-data (253:2)
Creating volume group backup "/etc/lvm/backup/MyName" (seqno 5).
Logical volume data successfully resized
* another extend ;) (create a small LV and then grow it to 100% of the free space in the VG)
[root@localhost ~]# lvcreate -L 512M -n test MyName
Logical volume "test" created
[root@localhost ~]# lvextend -l 100%FREE /dev/MyName/test
Extending logical volume test to 1.49 GiB
Logical volume test successfully resized
* remove lv
[root@localhost ~]# lvremove /dev/MyName/test
Do you really want to remove active logical volume test? [y/n]: y
Logical volume "test" successfully removed
*** RESIZE the file system after resizing the LV ***
a) mkfs.ext4 /dev/MyName/data
mkfs.ext4 /dev/MyName/test
b) mkdir /XXX/
mkdir /XXX/data
mkdir /XXX/test
c) mount /dev/MyName/data /XXX/data
mount /dev/MyName/test /XXX/test
[root@localhost ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
6.5G 1.1G 5.1G 18% /
tmpfs 250M 0 250M 0% /dev/shm
/dev/sda1 485M 30M 430M 7% /boot
/dev/mapper/MyName-data
1008M 34M 924M 4% /XXX/data
/dev/mapper/MyName-test
504M 17M 462M 4% /XXX/test
d) let's add some space to test (+128M)
[root@localhost ~]# lvextend -v -L +128M /dev/MyName/test
Finding volume group MyName
Archiving volume group "MyName" metadata (seqno 9).
Extending logical volume test to 640.00 MiB
e) resize FS/ext4
[root@localhost ~]# resize2fs /dev/MyName/test
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/MyName/test is mounted on /XXX/test; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 1
Performing an on-line resize of /dev/MyName/test to 163840 (4k) blocks.
The filesystem on /dev/MyName/test is now 163840 blocks long.
f) final check using df -h command gives
/dev/mapper/MyName-test
630M 17M 582M 3% /XXX/test
was 504, now is 630 ;)
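Added example (my own code, not part of the notes above or of any LVM tool): the extent arithmetic behind the lvextend/resize2fs steps, run against a constructed vgdisplay excerpt. It works out free space as free PE x PE size (accepting the Polish-locale decimal comma that the notes' output shows), rounds a request up to whole extents the way LVM does, refuses a request the VG cannot satisfy, and prints lvextend followed by resize2fs in that order. The sample output, the function names and the +128M request are all assumed for illustration; nothing here touches a real VG.

```shell
# Constructed `vgdisplay MyName` excerpt (NOT captured from a real machine): the
# 2 GiB + 1 GiB VG from the notes after the data (1 GiB) and test (512 MiB) LVs
# exist. The comma decimals imitate the Polish locale seen in the notes.
VG_SAMPLE='  --- Volume group ---
  VG Name               MyName
  PE Size               4,00 MiB
  Total PE              765
  Alloc PE / Size       384 / 1,50 GiB
  Free  PE / Size       381 / 1,49 GiB'

# vg_pe_size_mib VGDISPLAY_TEXT -> physical extent size in whole MiB
vg_pe_size_mib() {
    printf '%s\n' "$1" | awk '$1=="PE" && $2=="Size" {
        v=$3; gsub(",", ".", v); if ($4=="GiB") v*=1024; printf "%d\n", v }'
}

# vg_free_pe VGDISPLAY_TEXT -> number of unallocated extents in the VG
vg_free_pe() {
    printf '%s\n' "$1" | awk '$1=="Free" && $2=="PE" { print $5 }'
}

# vg_free_mib VGDISPLAY_TEXT -> free space in MiB (free extents x extent size)
vg_free_mib() {
    echo $(( $(vg_free_pe "$1") * $(vg_pe_size_mib "$1") ))
}

# extents_for MIB PE_MIB -> extents lvextend will really allocate for a -L +MIB
# request: LVM rounds UP to the extent boundary, so +130M on 4 MiB extents is 33
extents_for() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# lvextend_plan LV MIB VGDISPLAY_TEXT -> prints the two commands in the safe
# order (grow the LV first, then the file system), or fails with a message when
# the VG has too few free extents for the request
lvextend_plan() {
    pe=$(vg_pe_size_mib "$3")
    free=$(vg_free_pe "$3")
    need=$(extents_for "$2" "$pe")
    if [ "$need" -gt "$free" ]; then
        echo "need $need extents ($((need * pe)) MiB) but $free are free ($((free * pe)) MiB)" >&2
        return 1
    fi
    printf 'lvextend -l +%d %s\n' "$need" "$1"
    printf 'resize2fs %s\n' "$1"
}

# Demo on the constructed sample: a +128M request on a VG with 1524 MiB free
lvextend_plan /dev/MyName/test 128 "$VG_SAMPLE"
```

The rounding matters on the exam and in production alike: asking for +130M on a VG with exactly 130 MiB free fails, because LVM needs 33 whole extents (132 MiB). Using `-l +N` with extents instead of `-L` avoids the surprise.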
3) Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot
* one small partition for encrypted data ;) sdd1 has 256M
* first fill the partition with random data, so unused space cannot be told apart from ciphertext (it can also be an LV ;)) (for 256M it takes some time ...)
dd if=/dev/urandom of=/dev/sdd1
dd: writing to `/dev/sdd1': No space left on device
546148+0 records in
546147+0 records out
279627264 bytes (280 MB) copied, 75.4289 s, 3.7 MB/s
* cryptsetup luksFormat /dev/sdd1 (prepare luks format)
[root@localhost ~]# cryptsetup luksFormat /dev/sdd1
WARNING!
========
This will overwrite data on /dev/sdd1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
* open the LUKS device under a name (it appears as /dev/mapper/mydata)
cryptsetup luksOpen /dev/sdd1 mydata
Enter passphrase for /dev/sdd1: (enter password)
* prepare the filesystem on mydata (BUT USE THE MAPPED DEVICE under /dev/mapper!!! NOT /dev/sdd1, mkfs there would overwrite the LUKS header!!!)
[root@localhost ~]# mkfs.ext4 /dev/mapper/mydata
* mount it somewhere and copy some data
mount /dev/mapper/mydata /media/
df -h shows:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/mydata 257M 11M 234M 5% /media
* preparing for automount on a Red Hat system (remember to use >>, because /etc/crypttab may already contain lines!)
echo "mydata /dev/sdd1" >> /etc/crypttab
mkdir /media/mydata
echo "/dev/mapper/mydata /media/mydata ext4 defaults 1 1" >> /etc/fstab
reboot the system to check it, or if a reboot is not needed, mount -a
after reboot it should ask for the password :D
* another option for that automount: use UUIDs instead of device names
[root@localhost ~]# blkid /dev/mapper/mydata
/dev/mapper/mydata: UUID="96871128-21c3-4591-9632-973097cad8b5" TYPE="ext4"
and that UUID goes to FSTAB!
take the UUID of the LUKS container itself, sdd1
[root@localhost ~]# blkid /dev/sdd1
/dev/sdd1: UUID="6051a2a2-37c6-456c-ad72-ea00edbbf442" TYPE="crypto_LUKS"
and that UUID goes to CRYPTTAB!!!
echo "mydata UUID=6051a2a2-37c6-456c-ad72-ea00edbbf442" >> /etc/crypttab
mkdir /media/mydata
echo "UUID=96871128-21c3-4591-9632-973097cad8b5 /media/mydata ext4 defaults 1 1" >> /etc/fstab
4) Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label.
* blkid
[root@localhost ~]# blkid
/dev/sda1: UUID="ca799f51-2805-43d2-a1aa-07c92d1d121d" TYPE="ext4"
/dev/sda2: UUID="bhUaaD-z1Sy-IijR-oC3H-Fhpw-Zfwf-OYmUTJ" TYPE="LVM2_member"
/dev/sdd1: UUID="6051a2a2-37c6-456c-ad72-ea00edbbf442" TYPE="crypto_LUKS"
/dev/mapper/VolGroup-lv_root: UUID="26e56548-0361-47a3-be1f-8d33f2f593df" TYPE="ext4"
/dev/mapper/VolGroup-lv_swap: UUID="9101544f-78c0-448b-96d6-7a0c1c77623e" TYPE="swap"
/dev/mapper/mydata: UUID="96871128-21c3-4591-9632-973097cad8b5" TYPE="ext4"
then in /etc/fstab something like this
UUID=96871128-21c3-4591-9632-973097cad8b5 /media/mydata ext4 defaults 1 1
* label option in 2 steps
mkfs.ext4 /dev/sdd2
e2label /dev/sdd2 MyLabel02
check it ;)
[root@localhost ~]# blkid /dev/sdd2
/dev/sdd2: LABEL="MyLabel02" UUID="41c9e8d1-edc1-4fa5-90ff-3678618bed63" TYPE="ext4"
* or label option in 1 step
mkfs.ext4 -L MyLabel /dev/sdd2
and check it ;)
[root@localhost ~]# blkid /dev/sdd2
/dev/sdd2: LABEL="MyLabel" UUID="2c8dc3db-87e5-465e-8c71-0fbbe0ab582c" TYPE="ext4"
then in /etc/fstab add something like this
LABEL=MyLabel /mynew_data ext4 defaults 1 2
then mount -a; mount, to check that /mynew_data is mounted
result: /dev/sdd2 on /mynew_data type ext4 (rw)
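Added example (my own code, not from the notes above) for the UUID/label part of items 3 and 4: small shell functions that turn blkid output into the /etc/crypttab and /etc/fstab lines the notes end up with. The sample blkid lines are the ones printed above, embedded as fixed strings so the functions run without root or real devices. The functions encode the rule the notes shout in capitals: the UUID of the crypto_LUKS container goes to crypttab, the UUID (or LABEL) of the file system inside /dev/mapper goes to fstab, and a LUKS container, an LVM2_member or a device with no TYPE is refused as an fstab entry. Function names and the choice of fsck pass 2 for non-root file systems are my assumptions.

```shell
# blkid output copied from the notes, embedded as fixed sample lines so everything
# below runs without root or real block devices
LUKS_LINE='/dev/sdd1: UUID="6051a2a2-37c6-456c-ad72-ea00edbbf442" TYPE="crypto_LUKS"'
FS_LINE='/dev/mapper/mydata: UUID="96871128-21c3-4591-9632-973097cad8b5" TYPE="ext4"'
LABEL_LINE='/dev/sdd2: LABEL="MyLabel" UUID="2c8dc3db-87e5-465e-8c71-0fbbe0ab582c" TYPE="ext4"'
SWAP_LINE='/dev/mapper/VolGroup-lv_swap: UUID="9101544f-78c0-448b-96d6-7a0c1c77623e" TYPE="swap"'

# blkid_field LINE KEY -> value of KEY="..." in one blkid line (empty if absent).
# The [ :] guard stops UUID from matching inside PARTUUID.
blkid_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ :]$2=\"\([^\"]*\)\".*/\1/p"
}

# crypttab_line NAME BLKID_LINE -> "NAME UUID=<container uuid>"
# Only a crypto_LUKS container belongs in /etc/crypttab; anything else is refused.
crypttab_line() {
    fstype=$(blkid_field "$2" TYPE)
    if [ "$fstype" != "crypto_LUKS" ]; then
        echo "refusing: '$2' is not a LUKS container" >&2
        return 1
    fi
    printf '%s UUID=%s\n' "$1" "$(blkid_field "$2" UUID)"
}

# fstab_line BLKID_LINE MOUNTPOINT -> an /etc/fstab line keyed by LABEL when the
# device has one, otherwise by UUID. Swap gets "swap swap defaults 0 0" and the
# MOUNTPOINT argument is ignored; a LUKS container, an LVM PV or a device without
# a file system is refused (its UUID is not a file system UUID).
fstab_line() {
    fstype=$(blkid_field "$1" TYPE)
    case "$fstype" in
        crypto_LUKS|LVM2_member|"")
            echo "refusing: '$1' carries no mountable file system" >&2
            return 1 ;;
    esac
    label=$(blkid_field "$1" LABEL)
    if [ -n "$label" ]; then
        id="LABEL=$label"
    else
        id="UUID=$(blkid_field "$1" UUID)"
    fi
    if [ "$fstype" = swap ]; then
        printf '%s swap swap defaults 0 0\n' "$id"
    else
        # dump=1, fsck pass 2: only the root file system should be pass 1
        printf '%s %s %s defaults 1 2\n' "$id" "$2" "$fstype"
    fi
}

# Demo: the four lines a setup like the one in the notes would need
crypttab_line mydata "$LUKS_LINE"
fstab_line "$FS_LINE" /media/mydata
fstab_line "$LABEL_LINE" /mynew_data
fstab_line "$SWAP_LINE" none
```

Feeding the wrong line to the wrong function fails loudly instead of producing an fstab entry that looks right and blocks the boot: `fstab_line "$LUKS_LINE" /x` is refused because 6051a2a2-... identifies the encrypted container, not a file system.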
5) Add new partitions and logical volumes, and swap to a system non-destructively.
* fdisk -cu /dev/disk, create partitions of whatever type is needed (swap, Linux, Linux LVM)
* do pv/vg/lv as needed
* mkswap /dev/device; swapon /dev/device (and add a swap line to /etc/fstab to keep it after reboot)
* check swaps -> swapon -s
Self prepare for REDHAT RHCSA EX200 Part 2: Operate running systems
1) Boot, reboot, and shut down a system normally.
* reboot
* halt
* shutdown -r now (for reboot)
* shutdown -h now (for halt)
with a delay and a message to logged-in users:
* shutdown -r 19:45 'system is going for restart at 19:45'
* shutdown -r +5 'system is going for restart in 5 min'
* shutdown -h +5 'system is going down in 5 min'
* use init with a runlevel
init 0 for halt
init 6 for reboot
2) Boot systems into different runlevels manually.
* init 0/1/2/3/4/5/6
;) from Part 1
init LEVEL_NUMBER, where the level can be 0 to 6
0 - halt (just shut down the system)
1 - single user mode, no services, no network, may ask for the root password before giving /bin/bash or /bin/sh; used for maintenance tasks, repairs ...
2 - multi user mode, no network
3 - normal multi user mode, working services, network, no X11 interface (no gdm or kdm ;) )
4 - not used
5 - same options like 3 but with X11 interface, started GDM or KDM login screen
6 - reboot
3) Use single-user mode to gain access to a system.
* at boot time add the letter s or the word single to the kernel cmd line in GRUB or LILO ;)
then the system should give a root shell; sometimes it asks for a password (PLD Linux asks ;) ). This is exactly why the boot loader itself should be password-protected on any machine others can reach physically.
4) Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes.
* top
* ps
ps -aux lists all processes of all users
ps -auxw (more w's for a longer cmdline) shows the full command line
ps -auxew shows environment
ps -e fZ shows tree
ps -u USER to see user process
ps fe -o pid,comm,nice
* pstree
* kill
kill -9 PID
kill -9 -1 ;)
* pkill
* killall -SIGNAL process_name ;)
* renice, change the priority of a running program: from -20 (highest priority) through 0 (normal) to +20 (lowest priority)
renice +1 987 -u daemon root -p 32
would change the priority of process ID's 987 and 32, and all processes owned by users daemon and root
user can only do from 0 to -20
renice +10 4863
4863 (process ID) old priority 10, new priority 10
renice -10 4863
renice: failed to set priority for 4863 (process ID): Permission denied
sudo renice -10 4863
4863 (process ID) old priority 10, new priority -10
* nice, run CMD with a modified scheduling priority
nice -n +10 /bin/whatever
5) Locate and interpret system log files.
* maybe redhat uses some magic ... https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Using_the_Admin_Server/Administration_Server_Basics-Logging_Options.html
* but go to /var/log/ and it is all there ;)
* rsyslog !!!
Log Files
/var/log/messages = Logs anything of the info level or higher except for mail and authentication messages.
/var/log/secure = Logs all of the authentication attempts on the server.
/var/log/cron = Logs all cron related information.
/var/log/maillog = Logs all mail messages.
/var/log/boot.log = Logs boot related messages.
* /etc/rsyslog.conf (it is syslog.conf when the older syslog package is used ;) )
* priorities (severity levels, lowest to highest; a rule like mail.info matches that level and above)
debug,
info,
notice,
warn,
err,
crit,
alert,
emerg
* basic logging facilities
authpriv access-control-related messages
cron cronjob messages
kern kernel messages
mail mail messages
news news messages
user user messages
uucp uucp messages
* some redhat log files
audit includes audit.log SELinux logging
boot.log services that start and shut down processes
btmp lists failed login attempts, readable with the utmpdump btmp command
cron information from the cron daemon
dmesg basic boot messages
maillog e-mail server messages
messages messages from other services as defined in /etc/syslog.conf
secure list login and access messages
setroubleshoot messages from the SELinux troubleshooting tool
spooler critical messages from the uucp and news facilities (uucp,news.crit in rsyslog.conf)
Xorg.0.log setup messages for the X Window System, config problems
yum.log logs packages installed and updated with yum
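As an added example (not from the original notes), a small parser for the /var/log/secure format described above, counting failed sshd password attempts per source address; the log lines, host name, users and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: interpret /var/log/secure
# (authentication attempts) and summarise failed sshd logins per source.
# SAMPLE_SECURE is constructed test data in the RHEL 6 secure-log format.
SAMPLE_SECURE='Apr 25 10:01:02 rhel6 sshd[2201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Apr 25 10:01:05 rhel6 sshd[2201]: Failed password for root from 192.0.2.10 port 51235 ssh2
Apr 25 10:01:09 rhel6 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Apr 25 10:02:11 rhel6 sshd[2210]: Accepted publickey for abram from 192.0.2.20 port 50001 ssh2
Apr 25 10:03:40 rhel6 sshd[2215]: Failed password for abram from 192.0.2.10 port 51240 ssh2
Apr 25 10:04:00 rhel6 su: pam_unix(su-l:auth): authentication failure; logname=abram uid=1000 euid=0 tty=pts/0 ruser=abram rhost=  user=root'

# failed_logins_by_source: read secure-format lines on stdin and print
# "<count> <source-ip>", most frequent first. Only sshd "Failed password"
# lines count; the su line above is deliberately ignored.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# failed_count_for IP: number of failed sshd password attempts from IP
# in the sample (0 when the address never failed).
failed_count_for() {
    printf '%s\n' "$SAMPLE_SECURE" | failed_logins_by_source \
      | awk -v ip="$1" '$2 == ip {print $1; found=1} END {if (!found) print 0}'
}

# accepted_logins: read secure-format lines on stdin and print
# "<user> <source-ip> <auth-method>" for every successful sshd login.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted' \
      | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port.*/\2 \3 \1/p'
}

# sources_over_threshold [N]: simple detection rule, print every source
# with at least N (default 3) failed attempts in the sample.
sources_over_threshold() {
    n="${1:-3}"
    printf '%s\n' "$SAMPLE_SECURE" | failed_logins_by_source \
      | awk -v n="$n" '$1 >= n {print $2}'
}

# Stand-alone run: the per-source table for the constructed sample.
printf '%s\n' "$SAMPLE_SECURE" | failed_logins_by_source
```

On a real box the same functions work on the live file with `failed_logins_by_source < /var/log/secure`.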
6) Access a virtual machine's console.
* ssh
* vnc
* log on at the text console
...
7) Start and stop virtual machines.
* some preparation on my redhat vbox ;)
virt-what shows whether you are inside a VM and on which hypervisor
* open virt-manager then find the VM
* find the virsh command
* install the tools:
yum install virt-manager
yum install libvirt libvirt-python python-virtinst
or just: yum groupinstall Virtualization
* now virsh list can be used
[root@localhost ~]# virsh list
Id Name State
----------------------------------------------------
virsh start <virtualmachinename>
virsh shutdown <virtualmachinename>
virt-viewer domain_name
ssh username@virtual-ip-address-here
8) Start, stop, and check the status of network services.
* chkconfig
* ntsysv (ncurses gui ;) )
* service NAME (status, stop, whatever ;) ), which just runs /etc/rc.d/init.d/NAME ...
* /etc/rc.d/init.d/NAME ... to do some job ;)
Thursday, 18 April 2013
Urls for RHCSA ;)
1) http://osec.pl/szkolenia/redhat/rhce/ex200
2) https://www.redhat.com/training/courses/ex200/examobjective
3) http://www.guldmyr.com/blog/rhcsa-preparation/
4) http://www.linuxexplorers.com/2012/03/red-hat-enterprise-linux-6-kickstart-installation-via-http
5) http://sanketpadawe.blogspot.com/2011/07/use-grep-and-regular-expressions-to.html
6) http://rhcsastudy.com/wiki/index.php?title=Use_grep_and_regular_expressions_to_analyze_text.
7) http://sysadkodigo.blogspot.com/2011/06/rhcsa-use-grep-and-regular-expressions.html
8) http://linuxsuperuser07.blogspot.com/
9) http://commandline.co.uk/rhcsa.html
Self prepare for REDHAT RHCSA EX200 PART 1: Understand and use essential tools
Just for fun ...
Part 1: Understand and use essential tools
1) Access a shell prompt and issue commands with correct syntax.
* on an X system -> find xterm or Terminal or some other terminal
* on the console just switch between F1 ... F* with ALT + F*
* from X to the console -> CTRL + ALT + F1
* just normal shell jobs ;) ls, ln, touch, who, which command, find and more ... pwd, cd ~, whereis -f aaaa
2) Use input-output redirection (>, >>, |, 2>, etc.).
* '>>' redirects and appends to an existing file!
/bin/whatever >> /tmp/log.big
* a command has 3 standard streams: std input 0, std output 1 and std error 2,
where the numbers 0, 1 and 2 are file descriptors
* cmd output to a log file
/bin/whatever > /tmp/log.txt
* cmd errors to an error file
/bin/whatever 2> /tmp/err.txt
* just take all to one file (stdout to the file first, then stderr to wherever stdout now points)
/bin/whatever > /tmp/all.txt 2>&1
* take input from a file, stdout and stderr to separate files
/bin/whatever < /tmp/data.txt > /tmp/log1 2> /tmp/err1
* use a pipe |, it redirects output to another program
/bin/whatever | less
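Added example, not from the original notes: the order of redirections matters for 2>&1, which is easy to miss from the one-liners above; noisy() is a constructed stand-in for /bin/whatever.

```shell
#!/bin/sh
# Added example, not from the original notes: what "2>&1" does depends on
# where it stands on the line. noisy() is a constructed stand-in for
# /bin/whatever that writes one line to stdout and one to stderr.
noisy() {
    echo "normal output"
    echo "something failed" >&2
}

# Number of lines in a file, without wc's padding.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Run the redirections from the notes above into the scratch directory $1.
redirect_demo() {
    dir="$1"

    # stdout and stderr to separate files
    noisy > "$dir/log.txt" 2> "$dir/err.txt"

    # both streams to one file: first stdout -> all.txt, then stderr ->
    # "wherever stdout points now", i.e. the same file (2 lines)
    noisy > "$dir/all.txt" 2>&1

    # the other order: stderr is copied to where stdout points *at that
    # moment* (the group's stdout, leaked.txt) and only afterwards is
    # stdout sent to wrong.txt, so the error line never reaches wrong.txt.
    # This is the classic cron-job mistake that silently loses errors.
    { noisy 2>&1 > "$dir/wrong.txt"; } > "$dir/leaked.txt"

    # stdin from a file, stdout and stderr to separate files
    printf 'alpha\nbeta\n' > "$dir/data.txt"
    tr 'a-z' 'A-Z' < "$dir/data.txt" > "$dir/log1" 2> "$dir/err1"
}

# check_redirects: run the demo in a temp dir and print how many lines
# landed in each file; wrong.txt=1 leaked.txt=1 is the ordering gotcha.
check_redirects() {
    dir=$(mktemp -d)
    redirect_demo "$dir"
    printf 'log.txt=%s err.txt=%s all.txt=%s wrong.txt=%s leaked.txt=%s log1=%s\n' \
        "$(count_lines "$dir/log.txt")" "$(count_lines "$dir/err.txt")" \
        "$(count_lines "$dir/all.txt")" "$(count_lines "$dir/wrong.txt")" \
        "$(count_lines "$dir/leaked.txt")" "$(count_lines "$dir/log1")"
    rm -rf "$dir"
}

check_redirects
```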
3) Use grep and regular expressions to analyze text.
* grep -vE '^(#|[ ]*$|$)' /etc/sysconfig/network
* grep '^\(wheel\|root\)' /etc/group
* egrep '^(wheel|root)' /etc/group
* grep -v ^# /etc/nsswitch.conf
+++++++++++++++++++++++++++++++
Searching for "network" in the file /usr/share/dict/words.
$grep network /usr/share/dict/words
Searching for "network" upper or lower case in the file /usr/share/dict/words.
$grep -i network /usr/share/dict/words
Searching for "network" or "computer" in the file /usr/share/dict/words (plain grep treats | as a literal character, so extended regex is needed).
$grep -E 'network|computer' /usr/share/dict/words
Regular Expression
Searching for words beginning with "network" in the file /usr/share/dict/words.
$grep ^network /usr/share/dict/words
Searching for words ending with "network" in the file /usr/share/dict/words.
$grep network$ /usr/share/dict/words
Search for the line that is exactly "network" in the file /usr/share/dict/words.
$grep ^network$ /usr/share/dict/words
Search for "network" or "Network" in the file /usr/share/dict/words.
$grep '[nN]etwork' /usr/share/dict/words
Search for "network0" to "network9" in the file /usr/share/dict/words.
$grep 'network[0-9]' /usr/share/dict/words
Search for "network0" to "network99" /usr/share/dict/words
$grep 'network[0-9][0-9]' /usr/share/dict/words
Search for a word with two characters in the file /usr/share/dict/words.
$grep '^..$' /usr/share/dict/words
Search for a word with three characters that has the letter "r" in the middle, in the file /usr/share/dict/words.
$grep '^.r.$' /usr/share/dict/words
4) Access remote systems using ssh and VNC.
* get access to a remote host
ssh -vC user@remote
* run a command on the remote host
ssh user@remote -t 'slapcat > /tmp/data.ldiff'
* prepare ssh keys:
ssh-keygen -t dsa
* copy the local ~/.ssh/id_dsa.pub into the remote ~user/.ssh/authorized_keys to gain access without a password prompt (in the case where there is no passphrase on id_dsa ;) )
* to get VNC access just write
vncviewer remote.host.ip.or.name
* prepare the vncserver
vncserver :1 or something like that
5) Log in and switch users in multiuser runlevels.
* after login it is easy to check what the current runlevel is, just type:
runlevel, and it shows N 3 or whatever is set
* to change the runlevel just write
init LEVEL_NUMBER, where LEVEL_NUMBER is 0 to 6
0 - halt (just shut down the system)
1 - single user mode, no services, no network, may ask for the root password before giving /bin/bash or /bin/sh, used for maintenance tasks, repairs ...
2 - multi user mode, no network
3 - normal multi user mode, working services, network, no X11 interface (no gdm or kdm ;) )
4 - not used
5 - same as 3 but with X11 interface, GDM or KDM login screen started
6 - reboot
* in /etc/inittab go to the line like this, where the number says which runlevel is the default; after changing it, just type
"init q" to reload if changes were made in the inittab file
id:3:initdefault:
* to boot to single mode, just find grub or lilo, go to the kernel cmd line and add the word single (or maybe the single letter "s" in redhat?)
* su (to get root but keep the user's environment)
* su - (to get root with root's login shell and environment ;) )
* su - user -c "/bin/whatever" to run a cmd as user
* sudo!
6) Archive, compress, unpack, and uncompress files using tar, star, gzip, and bzip2.
* gzip /tmp/file
* bzip2 /tmp/file
* gunzip /tmp/file.gz
* bunzip2 /tmp/file.bz2
* tar -cvf /tmp/archive.tar /dir1 /dir2 /d/a/b/c/
* tar -xvf /tmp/archive.tar -C /destination
* tar -j (bzip2) or -z (gzip) to add compression to the tar command
* just check the manual ;)
* tar over ssh
send some data to an archive file on the server
tar -zcvf - /data | ssh root@server "cat > /data/backup.tar.gz"
same thing with dd
tar -zcvf - /data | ssh root@server "dd of=/data/backup.tar.gz"
get the data back from the archive file
cd /local_directory
ssh root@server "cat /data/backup.tar.gz" | tar -zxvf -
send a directory over ssh using tar, preserving user/group ownership (tar keeps it when run as root)
tar -cf - /directory | ssh root@remote "tar -xf - -C /remotedir"
get a directory from remote to local
ssh root@remote "tar -cf - /remotedir" | tar -xf - -C /where_put_it_local
7) Create and edit text files.
* mcedit
* pico
* nano
* vi
* vim
* joe (ugly crap!)
8) Create, delete, copy, and move files and directories.
* echo whatever > /tmp/test.txt
* cp -v /tmp/test.txt /tmp/another.txt
* cp -v /tmp/file1 /tmp/file2 /tmp/newdir
* cp -vR /tmp/dir01 /tmp/dir02
* mv (see above)
* rm
* touch
* mkdir
* rmdir
9) Create hard and soft links.
* soft links can be deleted but the source 'file' stays on disk ;)
ln -s /source/name /destination/name
when -f is used -> the destination is overwritten (ln -sf /from /to)
* hard links, it's all about inodes (same inode, so same filesystem, and not for directories on Linux)
ln /source/file /to.hard.link
10) List, set, and change standard ugo/rwx permissions.
* list permissions (-l = long format, more info)
ls -la /tmp/file
-rw-r--r-- 1 abram users 0 04-16 17:01 /tmp/aaa.txt
OWNER/GROUP/OTHERS -> READ+WRITE, READ, READ
ls -lZ /tmp/file (to see selinux properties)
-rw-r--r-- 1 abram users ? 0 04-16 17:01 /tmp/aaa.txt
"?" means there are no selinux settings ;)
ls -ln /tmp/file (to see numeric UID/GID)
-rw-r--r-- 1 1000 1000 0 04-16 17:01 /tmp/aaa.txt
CHECK THAT! IF THERE IS A + THERE ARE ACL'S!!!
ls -la /tmp/aaa.txt
-rw-r--r--+ 1 abram users 0 04-16 17:01 /tmp/aaa.txt
^^^ -> if that + exists it means that file or dir has ACL's
* lsattr + chattr for ext2/3/4 (just go to the man page)
Attribute Description
Append only (a) Prevents the file from being deleted or truncated, it can still be appended to
No dump (d) Disables backups of the file by the dump command
Extent format (e) Set with the ext4 filesystem (the file uses extents)
Immutable (i) Prevents deletion or any change to the file, even by root, until the flag is cleared
Indexed (I) Set on directories for indexing with hashed trees
# lsattr testfile
-------------e- testfile
chattr +i testfile
rm testfile
rm: remove regular file `testfile'? y
rm: cannot remove `testfile': Operation not permitted
;)
* setfattr, getfattr, attr (XFS ...)
* setfacl, getfacl, acl (for redhat exam ;) )
[abram@pld64 ~]$ setfacl -m u:nobody:r /tmp/aaa.txt
[abram@pld64 ~]$ getfacl /tmp/aaa.txt
getfacl: Usunięcie wiodącego '/' ze ścieżek bezwzględnych
# file: tmp/aaa.txt
# owner: abram
# group: users
user::rw-
user:nobody:r--
group::r--
mask::r--
other::r--
[abram@pld64 ~]$ ls -la /tmp/aaa.txt
-rw-r--r--+ 1 abram users 0 04-16 17:01 /tmp/aaa.txt
^^^ -> if that + exists it means that file or dir has ACL's
REMOVE one ACL entry -> setfacl -x u:UID_OR_NAME /tmp/aaa.txt
REMOVE the whole access ACL -> for example with this command: chacl (setfacl -b does the same)
[abram@pld64 ~]$ chacl -R /tmp/aaa.txt
[abram@pld64 ~]$ getfacl /tmp/aaa.txt
getfacl: Usunięcie wiodącego '/' ze ścieżek bezwzględnych
# file: tmp/aaa.txt
# owner: abram
# group: users
user::rw-
group::r--
other::r--
ls -la /tmp/aaa.txt
-rw-r--r-- 1 abram users 0 04-16 17:01 /tmp/aaa.txt
(and that '+' goes away ;) )
* about permissions ...
Permission Number value Letter
Read 4 r
Write 2 w
Execute 1 x
No access 0
$ ls -li
total 8
20447265 drwxrwxr-x. 2 rob rob 4096 Feb 2 00:53 testdir
20447264 -rw-rw-r--. 1 rob rob 13 Feb 2 00:52 testfile
chmod + chown + chgrp can use the -R switch for recursive ;)
chmod 775 file (or something other than 775 ;) like 640)
chmod u+x file, where u/g/o means user/group/others and + or - adds or removes (r/w/x)
chmod o+rw-x file will add rw and remove execute for others ;)
chown user:group file
chown user file
chgrp group file
* SUID (Set owner User ID upon execution)
ls -la /usr/bin/passwd
-rwsr-xr-x 1 root root 81536 2012-05-26 /usr/bin/passwd
chmod u+s /bin/whatever
if you get a capital S in ls -la -> the owner has no x bit, add it!
chmod 4750 /bin/whatever -> does the same as u+s (leading number 4)
TIP: find / -perm +4000
* SGID (Set Group ID upon execution)
chmod g+s (about S see above)
chmod 2750 /bin/whatever (number 2!!!)
TIP: find / -perm +2000
SGID can be set on a directory; when a user creates a file or directory there it gets the group of the directory (the one with the SGID bit set)
the user doesn't need to be in that group ;)
* STICKY BIT set on a directory, then only the owner of a file/dir in that directory (or the directory owner, or root) can delete it
chmod +t /dir/dir_whatever
chmod 1777 /tmp ;)
TIP: find / -perm +1000
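Added example, not from the original notes: converting the ls -l mode column back to the octal that chmod takes, which makes the 4/2/1 special-bit numbers and the S-versus-s distinction above concrete; the mode strings are constructed, and the find spelling -perm /4000 used below is the current form of the -perm +4000 in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: turn the mode column of
# "ls -l" (e.g. -rwsr-xr-x) into the 4-digit octal that chmod takes,
# handling the s/S/t/T special bits and the trailing "+" that marks an ACL.
# The mode strings used in the tests are constructed.

# mode_to_octal MODE -> prints e.g. 4755 for -rwsr-xr-x
mode_to_octal() {
    m="$1"
    perms=$(printf '%s' "$m" | cut -c2-10)   # skip the type char, ignore trailing + or .
    special=0
    octal=""
    i=0
    for who in u g o; do
        bits=$(printf '%s' "$perms" | cut -c$((i*3+1))-$((i*3+3)))
        v=0
        case "$bits" in r??) v=$((v+4));; esac
        case "$bits" in ?w?) v=$((v+2));; esac
        # lowercase s or t means the x bit is set as well; uppercase S or T
        # means the special bit is set but x is NOT (the "add x!" case above)
        case "$bits" in ??x|??s|??t) v=$((v+1));; esac
        case "$who$bits" in
            u??[sS]) special=$((special+4));;   # setuid
            g??[sS]) special=$((special+2));;   # setgid
            o??[tT]) special=$((special+1));;   # sticky
        esac
        octal="$octal$v"
        i=$((i+1))
    done
    printf '%s%s\n' "$special" "$octal"
}

# has_acl MODE -> exit 0 if ls marked the entry with "+"
has_acl() {
    case "$1" in *+) return 0;; *) return 1;; esac
}

# Create a scratch directory with one entry per special bit and count what
# find reports. "-perm /6000" means "any of these bits set", the current
# spelling of the "-perm +4000" style used in the notes above.
special_bits_demo() {
    dir=$(mktemp -d)
    : > "$dir/suid";   chmod 4755 "$dir/suid"
    : > "$dir/sgid";   chmod 2755 "$dir/sgid"
    : > "$dir/plain";  chmod 0755 "$dir/plain"
    mkdir "$dir/shared"; chmod 1777 "$dir/shared"
    files=$(find "$dir" -type f -perm /6000 | wc -l | tr -d ' ')
    dirs=$(find "$dir" -type d -perm /1000 | wc -l | tr -d ' ')
    rm -rf "$dir"
    printf '%s %s\n' "$files" "$dirs"   # 2 1
}

# Stand-alone run: the passwd binary from the notes above and the demo.
mode_to_octal -rwsr-xr-x
special_bits_demo
```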
11) Locate, read, and use system documentation including man, info, and files in /usr/share/doc.
* man
* info or pinfo
* check the files under /usr/share/doc
* apropos
* whatis