Sunday, 21 April 2013

Self prepare for REDHAT RHCSA EX200 Part 4: Create and configure file systems

Part 4:  Create and configure file systems

1) Create, mount, unmount, and use ext2, ext3, and ext4 file systems.
* create the fs (the device can be a partition such as /dev/sda1 or a logical volume such as /dev/VG_NAME/LV_NAME; mkfs overwrites whatever was on it)
  mkfs.ext2 /dev/device
  mkfs.ext3 /dev/device
  mkfs.ext4 /dev/device

* tune2fs changes an existing ext* fs in place: label (-L), reserved blocks (-m), default mount options (-o), features such as the journal (-O has_journal); tune2fs -l lists the current values

* mount /dev/device -o ro /mount_point
  mount -o bind /source /destination
  mount -o loop image-from-cd.iso /mount_point

* umount /mount_point
  umount /dev/device

2) Mount, unmount, and use LUKS-encrypted file systems.
* prepare the LUKS device (only if it is not prepared yet; luksFormat destroys the existing content of the partition)
  cryptsetup luksFormat /dev/sdc1 (confirm with an uppercase YES, then enter the passphrase twice)

  after this open the device with cryptsetup luksOpen /dev/sdc1 NameWhatever, then
  format it: mkfs.ext4 /dev/mapper/NameWhatever

  from then on /dev/mapper/NameWhatever can be mounted anywhere in the system

* if the device is already prepared, just open it; do not run luksFormat again (see above ;) )

  cryptsetup luksOpen /dev/sdc1 MyNameCanBeDifferentEachTime (give the passphrase),
  this creates the device /dev/mapper/MyNameCanBeDifferentEachTime

* mount /dev/mapper/MyNameCanBeDifferentEachTime /crypteddevice

* umount /dev/mapper/MyNameCanBeDifferentEachTime
  cryptsetup luksClose MyNameCanBeDifferentEachTime (removes the mapping; a closed volume cannot be read without the passphrase)

* if you want the LUKS device set up automatically at boot, put a line like this in /etc/crypttab
  MyNewName /dev/sdc1

  (the passphrase is then asked for on the console during boot; a key file can be given as the third field, and UUID=... instead of /dev/sdc1 survives device renaming)

  and put this in /etc/fstab if you want it mounted at startup
  /dev/mapper/MyNewName /luks ext4 defaults 1 1

 Simple isn't it?

3) Mount and unmount CIFS and NFS network file systems.
* cifs (formerly smbfs; Windows or Samba shares)

  mount -o rw,user=backup,password=backup -t cifs //172.16.200.41/tmp /cifs
  or
  mount -o rw,user=abram,password=aa -t cifs //172.16.200.41/tmp /cifs

* cifs automount from /etc/fstab, add this line to the file

  //172.16.200.41/tmp /cifs cifs rw,user=abram,password=aa 0 0

  /etc/fstab is world-readable, so the password in that line is visible to every local user; in real deployments use credentials=/etc/cifs.cred (a root-only, mode 0600 file with username= and password= lines) in place of user= and password=

* nfs from the command line
  check that rpcbind (portmap on older systems) is running, then

  mount -o rw -t nfs 172.16.200.41:/home /nfs/

* nfs automount from /etc/fstab (in PLD Linux there is a very smart package nfs-utils-clients which
  has rc.d/nfsfs ;) )

  put this in /etc/fstab
  172.16.200.41:/home /nfs nfs defaults 0 0

4) Configure systems to mount ext4, LUKS-encrypted, and network file systems automatically.

Only the lines that go into /etc/fstab are shown here
* ext4 (the same form works for ext2, ext3 and xfs, with the fs type changed)
  /dev/sda2                    /mountpoint    ext4 defaults 1 1
  /dev/LVM_VG_NAME/LVM_name            /home        ext4 defaults 1 1
  UUID=96871128-21c3-4591-9632-973097cad8b5    /media/mydata    ext4 defaults 1 1
  LABEL=MyLabel                    /mynew_data    ext4 defaults 1 1
  (blkid shows the UUID and LABEL of each device; the UUID form is the one that survives disk reordering)

* LUKS-encrypted (the UUID= form above also works for the device field in /etc/crypttab)

  1) in /etc/crypttab a line like this
     myname /dev/sdb1
  2) in /etc/fstab a line like this
     /dev/mapper/myname /media/mydata ext4 defaults 1 1

* network file systems (cifs and nfs)
  1) //172.16.200.41/tmp /cifs cifs rw,user=abram,password=aa 0 0

  2) 172.16.200.41:/home /nfs nfs defaults 0 0
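The password= option in the CIFS fstab lines above (sections 3 and 4) is the weak spot: /etc/fstab is readable by everyone on the box. As an added example, not part of the original notes, the script below scans constructed fstab text for inline CIFS passwords and writes a root-only credentials file together with the replacement fstab line that uses the mount.cifs credentials= option. The share, user and mount point are the ones from the notes; the credentials-file path is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): find CIFS passwords stored in
# fstab and replace them with a mode-0600 credentials file.

# Constructed sample fstab text; the second line is the style used in the notes.
SAMPLE_FSTAB='UUID=96871128-21c3-4591-9632-973097cad8b5 /media/mydata ext4 defaults 1 1
//172.16.200.41/tmp /cifs cifs rw,user=abram,password=aa 0 0
172.16.200.41:/home /nfs nfs defaults 0 0
//172.16.200.41/share /share cifs credentials=/etc/cifs.cred,_netdev 0 0'

# Print "share mountpoint" for every cifs entry whose options carry a password.
# $1: fstab text.  Comments and blank lines are skipped.
find_inline_cifs_passwords() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        $3 == "cifs" && $4 ~ /(^|,)(password|pass)=/ { printf "%s %s\n", $1, $2 }'
}

# Write a credentials file readable by root only and print the fstab line that
# should replace the inline one.
# $1 share  $2 mountpoint  $3 username  $4 password  $5 credentials file path
make_cifs_credentials() {
    local share=$1 mnt=$2 user=$3 pass=$4 cred=$5
    # umask 077 inside a subshell: the file is never world-readable, not even briefly
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$cred" ) || return 1
    chmod 0600 "$cred"
    printf '%s %s cifs credentials=%s,_netdev 0 0\n' "$share" "$mnt" "$cred"
}

# Demo on the constructed sample (real use: find_inline_cifs_passwords "$(cat /etc/fstab)")
find_inline_cifs_passwords "$SAMPLE_FSTAB" | while read -r share mnt; do
    echo "plaintext CIFS password in fstab entry: $share on $mnt"
done
```

Only the fstab entry with password= in its options is reported; the NFS line and the entry that already uses credentials= are left alone. _netdev marks the entry as needing the network, so the boot scripts mount it after networking is up.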

5) Extend existing unencrypted ext4-formatted logical volumes.

* lvdisplay /dev/XYZ/test (it shows a 1 GiB size)

* add some space to that device

  check the free space in the VG
  [root@localhost ~]# vgdisplay XYZ| grep PE
  PE Size               4,00 MiB
  Total PE              511
  Alloc PE / Size       256 / 1,00 GiB
  Free  PE / Size       255 / 1020,00 MiB

  extend the LV by 512 MiB (it fits in the 1020 MiB free)

  lvextend -v -L +512M /dev/XYZ/test

  and grow the fs to fill it

  resize2fs /dev/XYZ/test

  TIP: growing an ext4 fs can be done while it is mounted (lvextend -r does the lvextend and the resize2fs in one step); shrinking cannot

* set the LV to a specified size (bigger or smaller) (DANGER!!! when going smaller the fs must be shrunk first, see below)

  [root@localhost ~]# lvresize  -L 400M /dev/XYZ/test
  WARNING: Reducing active and open logical volume to 400,00 MiB
  THIS MAY DESTROY YOUR DATA (filesystem etc.)
  Do you really want to reduce test? [y/n]: n
  Logical volume test NOT reduced


  after answering y, this is what you get
  [root@localhost ~]# mount /dev/XYZ/test /cifs/
  mount: wrong fs type, bad option, bad superblock on /dev/mapper/XYZ-test,

  and the fs is broken ...

[root@localhost ~]# fsck.ext4  /dev/XYZ/test
e2fsck 1.41.12 (17-May-2010)
Error reading block 131072 (Invalid argument).  Ignore error<y>? yes

Force rewrite<y>? yes

Error writing block 131072 (Invalid argument).  Ignore error<y>? yes

Superblock has an invalid journal (inode 8).
Clear<y>? yes

*** ext3 journal has been deleted - filesystem is now ext2 only ***

Superblock has_journal flag is clear, but a journal inode is present.
Clear<y>? yes

The filesystem size (according to the superblock) is 393216 blocks
The physical size of the device is 102400 blocks
Either the superblock or the partition table is likely to be corrupt!
Abort<y>? no

/dev/XYZ/test contains a file system with errors, check forced.
Error writing block 131072 (Invalid argument).  Ignore error<y>?

Pass 1: Checking inodes, blocks, and sizes
Journal inode is not in use, but contains data.  Clear<y>? yes

Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Block bitmap differences:  -(131072--139263)
Fix<y>?

then a lot more errors 8-) fix it, fix it ... and so on ;)

WITHOUT A BACKUP OF THE DATA ;) it is ... BROKEN ;) The fsck output says why: the superblock claims 393216 blocks but the device now has 102400, so everything past the new end of the LV (the journal included) is simply gone.

The safe order for shrinking is the reverse of growing: umount the fs, e2fsck -f it, resize2fs it to the new size (resize2fs /dev/XYZ/test 400M), and only then lvreduce -L 400M /dev/XYZ/test; lvreduce -r does the fs step for you.
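Added example, not part of the original notes: the two resizes above as a plan generator. It parses the vgdisplay excerpt for free space, refuses a growth the VG cannot hold, and prints the commands in the only order that keeps the file system intact (LV first when growing, file system first when shrinking). The LV name and sizes are the ones from the transcript; nothing is executed.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): check VG free space and emit
# ext4 LV resize commands in the safe order.

# Constructed vgdisplay excerpt in the same shape (and comma decimals) as the
# output quoted above.
SAMPLE_VGDISPLAY='  PE Size               4,00 MiB
  Total PE              511
  Alloc PE / Size       256 / 1,00 GiB
  Free  PE / Size       255 / 1020,00 MiB'

# Free space in the VG in MiB, computed as PE size * free PE count so the
# locale of the "Size" column does not matter.  $1: vgdisplay text
vg_free_mib() {
    printf '%s\n' "$1" | awk '
        /^ *PE Size/   { pe = $3; sub(",", ".", pe) }
        /^ *Free  *PE/ { free = $5 }
        END { printf "%d\n", pe * free }'
}

# Print (do not run) the commands that resize ext4 LV $1 from $2 MiB to $3 MiB
# given $4 MiB free in the VG.  Returns 1 if the VG cannot hold the growth.
lv_resize_plan() {
    local lv=$1 cur=$2 target=$3 free=$4
    if [ "$target" -gt "$cur" ]; then
        if [ $((target - cur)) -gt "$free" ]; then
            echo "ERROR: need $((target - cur)) MiB but the VG has only $free MiB free" >&2
            return 1
        fi
        # Growing: block device first, file system second; ext4 grows online.
        printf '%s\n' "lvextend -L ${target}M $lv" "resize2fs $lv"
    elif [ "$target" -lt "$cur" ]; then
        # Shrinking: file system first (offline, after a forced check), LV second.
        # Reversing these two cuts the device below the superblock's idea of its
        # size, which is exactly the fsck transcript shown above.
        printf '%s\n' "umount $lv" "e2fsck -f $lv" "resize2fs $lv ${target}M" \
            "lvreduce -L ${target}M $lv"
    else
        echo "# LV already ${cur}M, nothing to do"
    fi
}

# Demo on the constructed sample
free=$(vg_free_mib "$SAMPLE_VGDISPLAY")
echo "# VG free: ${free} MiB"
lv_resize_plan /dev/XYZ/test 1024 1536 "$free"
lv_resize_plan /dev/XYZ/test 1024 400 "$free"
```

Computing free space from extent counts rather than the "1020,00 MiB" column is deliberate: lvm prints that column in the current locale, and the comma would break a naive numeric parse.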

6) Create and configure set-GID directories for collaboration.
* The scenario: 4 users, one group that ties them together, and a directory where they
  can share files.

* [root@localhost ~]# for i in `seq 1 4`; do echo joe$i;useradd joe$i; done
  joe1
  joe2
  joe3
  joe4
  [root@localhost ~]# id joe1
  uid=500(joe1) gid=500(joe1) groups=500(joe1)
  [root@localhost ~]# id joe2
  uid=501(joe2) gid=501(joe2) groups=501(joe2)
  ...

* create group
  [root@localhost ~]# groupadd union
  [root@localhost ~]# getent group union
  union:x:504:

* put joe2 and joe4 into that group (these users have no other supplementary groups yet; for a user who already has some, use -aG, because -G alone replaces the whole list)
  usermod -G union joe2; usermod -G union joe4

  check it
  [root@localhost ~]# id joe4
  uid=503(joe4) gid=503(joe4) groups=503(joe4),504(union)
  [root@localhost ~]# id joe2 
  uid=501(joe2) gid=501(joe2) groups=501(joe2),504(union)

* prepare the directory
  mkdir /home/union
  chown root:union /home/union
 
* add SGID to /home/union (set rwx for owner, rwx for group, no access to others)
  chmod 2770 /home/union

  [root@localhost ~]# ls -la /home/ | grep union
  drwxrws---.  2 root union 4096 Apr 22 01:43 union

* log in as joe1 (not a member of union) and try to create a file in /home/union
  [root@localhost ~]# su - joe1 -c 'echo aa > /home/union/aa'
  -bash: /home/union/aa: Permission denied

  or su - joe1 then echo aa > /home/union/aa
  [root@localhost ~]# su - joe1
  [joe1@localhost ~]$ echo aa > /home/union/aa
  -bash: /home/union/aa: Permission denied

* login as joe2 and create file
  [root@localhost ~]# su - joe2 -c 'echo joe2 line > /home/union/joe2file'
  [root@localhost ~]# cat /home/union/joe2file
  joe2 line

  [root@localhost ~]# ls -la /home/union/joe2file
  -rw-rw-r--. 1 joe2 union 10 Apr 22 01:47 /home/union/joe2file
  [root@localhost ~]# ls -lZ /home/union/joe2file
  -rw-rw-r--. joe2 union unconfined_u:object_r:home_root_t:s0 /home/union/joe2file

* login as joe2 and create directory
  [root@localhost ~]# su - joe2 -c 'mkdir /home/union/joe2dir'
  [root@localhost ~]# ls -la /home/union/
   total 20
  drwxrws---. 3 root union 4096 Apr 22 01:48 .
  drwxr-xr-x. 7 root root  4096 Apr 22 01:43 ..
  drwxrwsr-x. 2 joe2 union 4096 Apr 22 01:48 joe2dir

* login as joe4 and create dir in joe2dir
  [root@localhost ~]# su - joe4 -c 'mkdir /home/union/joe2dir/joe4dir'
  [root@localhost ~]# ls -la /home/union/joe2dir/       
  total 12
  drwxrwsr-x. 3 joe2 union 4096 Apr 22 01:49 .
  drwxrws---. 3 root union 4096 Apr 22 01:48 ..
  drwxrwsr-x. 2 joe4 union 4096 Apr 22 01:49 joe4dir

* log in as joe4 and append one line to joe2file
  [root@localhost ~]#   su - joe4 -c 'echo joe4 line >> /home/union/joe2file'
  [root@localhost ~]#   cat /home/union/joe2file
  joe2 line
  joe4 line
  [root@localhost ~]# ls -la /home/union/joe2file
  -rw-rw-r--. 1 joe2 union 20 Apr 22 01:51 /home/union/joe2file

  the owner stays joe2; joe4 could add the line because the SGID bit made the file group-owned by union and joe2's umask left it group-writable ;)

* joe3 cannot add a line to joe2file because he is not a member of the union group
  [root@localhost ~]#   su - joe3 -c 'echo joe3 line >> /home/union/joe2file'
  -bash: /home/union/joe2file: Permission denied

TIP: any member of union can create files and directories there and the others can use them, because the SGID bit on /home/union (and on the subdirectories, which inherit it) gives everything created inside the group union instead of the creator's private group ;)

7) Create and manage Access Control Lists (ACLs).

* check whether the file system is mounted with acl support
  mount
  ...
  /dev/mapper/XYZ-test on /test type ext4 (rw)

  (tune2fs -l /dev/XYZ/test | grep 'Default mount options' shows whether acl is already among the fs defaults; if it is, mount does not list it and setfacl just works)

* if not, add the acl option in fstab
  /dev/XYZ/test /test ext4 defaults,acl 1 1

  mount -o remount /test
  run mount again and acl is now in the line
  /dev/mapper/XYZ-test on /test type ext4 (rw,acl)

  ;)

* prepare a directory test and a file test.log with some content
  mkdir /test/test/
  dmesg > /test/test.log

* default permissions
  [root@localhost ~]# ls -la /test/test.log
  -rw-r--r--. 1 root root 24688 Apr 22 01:59 /test/test.log
  [root@localhost ~]# ls -lZa /test/test.log
  -rw-r--r--. root root unconfined_u:object_r:file_t:s0  /test/test.log

  for the directory
  drwxr-xr-x.  2 root root  1024 Apr 22 01:58 test

* show acls
  [root@localhost ~]# getfacl /test/test.log
  getfacl: Removing leading '/' from absolute path names
  # file: test/test.log
  # owner: root
  # group: root
  user::rw-
  group::r--
  other::r--

* allow user joe2 to edit test.log
  setfacl --help as the first step :)

  setfacl -m u:joe2:rwx /test/test.log
  [root@localhost ~]# getfacl /test/test.log
  getfacl: Removing leading '/' from absolute path names
  # file: test/test.log
  # owner: root
  # group: root
  user::rw-
  user:joe2:rwx
  group::r--
  mask::rwx
  other::r--

  and try to use that file ;)

  [root@localhost ~]# su - joe2 -c 'echo test1 > /test/test.log'
  [root@localhost ~]# su - joe2 -c 'echo test2 >> /test/test.log'
  [root@localhost ~]# cat /test/test.log
  test1
  test2
  [root@localhost ~]# su - joe1 -c 'echo test > /test/test.log'
  -bash: /test/test.log: Permission denied

* allow group xyz (which has joe1 and joe3 as members) to write the file and deny group union
  (joe2 can still work with the file through his user: entry, but joe4 cannot!)
  the mask:: entry that setfacl adds is the upper bound for every named user and group entry; setfacl recomputes it from the entries unless -n is given

  [root@localhost ~]#   setfacl -m g:xyz:rwx /test/test.log
  [root@localhost ~]#   setfacl -m g:union:- /test/test.log
  [root@localhost ~]# getfacl /test/test.log
  getfacl: Removing leading '/' from absolute path names
  # file: test/test.log
  # owner: root
  # group: root
  user::rw-
  user:joe2:rwx
  group::r--
  group:union:---
  group:xyz:rwx
  mask::rwx
  other::r--


  CHECKING!

  [root@localhost ~]# su - joe1 -c 'echo joe1 can because is in xyz >> /test/test.log'
  [root@localhost ~]# su - joe3 -c 'echo joe3 can because is in xyz >> /test/test.log'
  [root@localhost ~]# su - joe2 -c 'echo joe2 can because is joe2 >> /test/test.log'
  [root@localhost ~]# su - joe4 -c 'echo joe4 CAN not because is in union ... >> /test/test.log'
  -bash: /test/test.log: Permission denied

  [root@localhost ~]# cat /test/test.log
  joe2 test1
  joe2 test2
  joe1 can
  joe3 can
  joe1 can because is in xyz
  joe3 can because is in xyz
  joe2 can because is joe2

* remove some acl from file
  [root@localhost ~]# setfacl -x u:joe2 /test/test.log
  [root@localhost ~]# getfacl  /test/test.log
  getfacl: Removing leading '/' from absolute path names
  # file: test/test.log
  # owner: root
  # group: root
  user::rw-
  group::r--
  group:union:---
  group:xyz:rwx
  mask::rwx
  other::r--
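Added example, not part of the original notes: a small evaluator that applies the POSIX ACL algorithm from acl(5) to getfacl output, so the results of the CHECKING! run above, and the effect of the setfacl -x that follows it, can be predicted before touching the file. The ACL text is constructed to match the getfacl output shown above; the extra user joe5 is an assumption used only to exercise the other:: entry.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): decide whether USER with GROUPS
# gets PERM on a file, from getfacl output, the way the kernel decides it.

# Constructed getfacl output, identical to the state shown above after the
# two setfacl -m g:... commands.
SAMPLE_ACL='# file: test/test.log
# owner: root
# group: root
user::rw-
user:joe2:rwx
group::r--
group:union:---
group:xyz:rwx
mask::rwx
other::r--'

# Does permission string $1 (rwx, r--, ...) contain letter $2?
has_perm() { case $1 in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# acl_check ACL_TEXT USER "GROUP GROUP ..." PERM -> 0 if granted, 1 if denied.
# Order of evaluation: owner entry; else matching named user entry AND mask;
# else owning-group and named-group entries for the user's groups AND mask,
# granted if any one of them grants (denied if some matched but none grants,
# other:: is then NOT consulted); else the other entry.
acl_check() {
    local acl=$1 user=$2 groups=$3 perm=$4
    local owner ogroup mask oth tag qual p g matched=0
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    ogroup=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    [ -n "$mask" ] || mask=rwx        # no mask entry: nothing is masked off
    while IFS=: read -r tag qual p; do
        case $tag in
        user)
            if [ -z "$qual" ]; then
                if [ "$user" = "$owner" ]; then has_perm "$p" "$perm"; return; fi
            elif [ "$qual" = "$user" ]; then
                has_perm "$p" "$perm" && has_perm "$mask" "$perm"; return
            fi ;;
        group)
            [ -n "$qual" ] || qual=$ogroup   # group:: is the owning group
            for g in $groups; do
                if [ "$g" = "$qual" ]; then
                    matched=1
                    has_perm "$p" "$perm" && has_perm "$mask" "$perm" && return 0
                fi
            done ;;
        other) oth=$p ;;
        esac
    done <<EOF
$(printf '%s\n' "$acl" | grep -v '^#')
EOF
    [ "$matched" -eq 0 ] || return 1
    has_perm "$oth" "$perm"
}

# Demo on the constructed sample: who may write test.log?
for who in "root root" "joe2 joe2 union" "joe1 joe1 xyz" "joe4 joe4 union"; do
    set -- $who
    u=$1; shift
    if acl_check "$SAMPLE_ACL" "$u" "$*" w; then echo "$u: write granted"; else echo "$u: write denied"; fi
done
```

Two things the transcript shows but does not explain fall out of the algorithm: joe4 is denied even read access, because a matching group entry (group:union:---) stops the evaluation before other::r-- is reached; and after setfacl -x u:joe2, joe2 falls into the same trap through his union membership. Lowering the mask to r-- silently caps joe2's named entry to read-only even though getfacl still prints user:joe2:rwx.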
 
8) Diagnose and correct file permission problems.
* check with
  ls -la (mode, owner, group; a trailing . means an SELinux context is set, a + means an ACL is present)
  ls -lZ (the SELinux context)

  getfacl (the full ACL, including the mask)

  id username (the groups the user actually has; a new group membership is only seen after a fresh login)

* then repair: chmod/chown/chgrp for mode and ownership, setfacl for ACLs, restorecon for a wrong SELinux context ;)
