Blue Flower

Copy the file test.conf to /etc/tmpfiles.d and the system will create the directory for you on reboot.

d /testing-temp 1777 root root 20d #this directory will be created on reboot, and anything in it older than 20 days will be deleted
L /root/ifcfg-wlan1 -  #creates a symlink; a symlink's permissions always show as 777

Put your *.conf files in /etc/tmpfiles.d/ for them to be applied.

/usr/lib/tmpfiles.d/ - package-managed; packages normally install their own tmpfiles configuration here. The following is the hierarchy of the directories; the ones on top take preference over the ones below:

/etc/tmpfiles.d/ ;local customisation, takes precedence over everything below

/run/tmpfiles.d/ ;normally written at run time and used dynamically, don't worry about that

/usr/lib/tmpfiles.d/ ;package defaults; for customisation copy the *.conf file from here to /etc/tmpfiles.d/ so your changes don't get overridden when the system is updated

All of the above is new in RHEL 7.

CHAPTER 1

The file /root/anaconda-ks.cfg can be used as a template to install RHEL 7.

A kickstart file has these sections:

  • COMMAND
  • PACKAGES ;starts from line 217 in the anaconda-ks.cfg file (%packages ... %end)
  • Pre-install script (optional) (%pre ... %end): scripts to join a domain, etc.
  • Post-install script (optional) (%post ... %end): scripts to create specific users, etc.

Use yum grouplist or yum grouplist hidden ;note that "Core" is one of the groups

CHAPTER 5

When running top, look at the S column for the process state: S (sleeping) or R (running); don't let a single process dominate the CPU; an "rt" in the PR column marks a real-time process. To put stress on a system use these tasks:

md5sum /etc/passwd
md5sum /dev/zero &
dd if=/dev/zero of=/dev/null &
  • ps axo pid,user,ni,comm ;pid,user,ni,comm are the columns to show, look them up in the man page
  • ps -eo pid,user,ni,comm ;same as above

The actual priority is PR, which we cannot set directly, but we can influence it by modifying the NICE value. Priority only takes effect when there is contention for the CPU.
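The "don't let a single process dominate the CPU" check, written as a small shell script over a constructed ps listing. This is an added example, not from the course notes: PS_SAMPLE stands in for the output of ps -eo pid,user,ni,pcpu,comm, and the threshold and PID values are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the course notes: scans ps output for a process
# dominating the CPU (what the notes say to watch for in top) and prints the
# renice command that would lower its priority. The ps output below is
# constructed so the script runs without a live system.

PS_SAMPLE='  PID USER      NI %CPU COMMAND
    1 root       0  0.0 systemd
  842 root       0  0.3 sshd
 1337 student    0 97.5 md5sum
 1340 student   10 45.0 dd
 1402 root      -5  2.1 rsyslogd'

# Print "pid user ni %cpu comm" for every process using more than $1 percent CPU.
# (The live equivalent of the sample would be: ps -eo pid,user,ni,pcpu,comm)
cpu_hogs() {
    printf '%s\n' "$PS_SAMPLE" |
        awk -v t="$1" 'NR > 1 && $4 + 0 > t { print $1, $2, $3, $4, $5 }'
}

# Number of processes above the threshold.
hog_count() {
    cpu_hogs "$1" | awk 'END { print NR }'
}

# Suggest the renice for one PID. +19 is the lowest priority; a normal user
# may only raise the nice value of their own processes, root may lower it.
renice_suggestion() {
    printf '%s\n' "$PS_SAMPLE" |
        awk -v p="$1" 'NR > 1 && $1 == p {
            if ($3 + 0 < 19) print "renice -n 19 " $1
            else print "already at lowest priority: " $1
        }'
}

echo "processes above 50% CPU:"
cpu_hogs 50
echo "suggestion: $(renice_suggestion 1337)"
```

The same awk filter works on real output if PS_SAMPLE is replaced by the ps command itself; note that the nice value only makes a difference while there is contention, as the notes say, so a single hog on an otherwise idle box is not itself a problem.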

CHAPTER 6

Even if you set group:stoegs:rwx in the ACL, you'll only get that permission minus the mask as the effective permission. Use -k to remove the default ACL entries of a folder; use -b to remove all ACL entries and go back to square one. If Anaconda formatted the drive it will most likely have ACL support, but on RHEL 6 drives added after installation need the "acl" mount option added in /etc/fstab. Note that vfat has no ACL support.

Big X (when using chmod or setfacl, X only sets the execute bit on files that already have an x for at least one of user, group or other)

CHAPTER 7 - SELINUX

getenforce checks the mode SELinux operates in; to change the security level use setenforce 0 (permissive) or setenforce 1 (enforcing); setenforce can only be set to 0 or 1; to disable SELinux entirely edit /etc/selinux/config

If you cp a file with -a it will reset the context of the file and SELinux will probably block it; if you mv it the context won't change. To troubleshoot you can use setenforce 0 and see if the service can access the files okay, but don't test this on live servers; curl http://localhost/index.html uses curl as a browser within the CLI.

Get used to using the man pages a lot; they are available on the exam. See semanage-fcontext and the other SELinux pages. For RHCE you must know SELinux really well, but for RHCSA mostly how to operate the commands.

semanage fcontext -l

getsebool -a | grep http ;notice how httpd_use_nfs is off; you must set the boolean on to allow this: setsebool -P httpd_use_nfs on (only add -P if you want to make the change persistent). Another one to look for is "ftpd_anon_write" to allow anonymous users to write; semanage boolean -l lists all your booleans

yum install selinux-policy-devel ;good for troubleshooting; afterwards you can use for example man httpd_selinux, but remember to run "mandb" to re-index the man pages; man -k _selinux

CHAPTER 8

After yum install authconfig-gtk, do yum install sssd

yum list "ipa*"

CHAPTER 9

blkid /dev/sda ;tells you whether you are using 'dos' (MBR) or 'gpt' (UEFI); lsblk shows you everything while blkid only shows the formatted partitions; on CentOS you should use fdisk -cu /dev/sda, in RH you don't need the -cu

Type mkfs and press tab twice to see the options; extended partitions cannot be formatted, they are only used as containers

In /etc/fstab it is better to use the UUID (which only changes if you reformat) and not the /dev/sda1 name, in case you add a new drive; use blkid to find out the UUID. This is considered best practice.

BK is really good: he grepped the line he needed from blkid and appended it with >> to the fstab file, so he has the UUID there in the file
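BK's grep-and-append trick, written out as reusable shell functions. This is an added example, not from the notes: the blkid output in BLKID_SAMPLE is constructed (the UUIDs are made up), and the functions build the fstab line by UUID rather than by device name; the appended output is printed instead of written to /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the notes: build /etc/fstab entries keyed by UUID
# from blkid-style output. BLKID_SAMPLE is constructed (no real disks are read).

BLKID_SAMPLE='/dev/sda1: UUID="3f1c9a2e-1111-4c3e-9a7b-aaaaaaaaaaaa" TYPE="xfs" PARTUUID="0009d35f-01"
/dev/sda2: UUID="7d2e4b10-2222-4e22-8f10-bbbbbbbbbbbb" TYPE="swap" PARTUUID="0009d35f-02"
/dev/sdb1: UUID="c0ffee00-3333-4d4d-9e9e-cccccccccccc" TYPE="ext4" PARTUUID="1a2b3c4d-01"'

# Pull one quoted blkid attribute (UUID, TYPE, ...) for DEVICE: field_of DEVICE NAME.
# The leading space in " NAME=" keeps UUID= from matching inside PARTUUID=.
field_of() {
    printf '%s\n' "$BLKID_SAMPLE" |
        grep "^$1: " |
        sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# fstab line for DEVICE mounted at MOUNTPOINT (MOUNTPOINT is ignored for swap).
fstab_entry() {
    dev=$1; mnt=$2
    uuid=$(field_of "$dev" UUID)
    fstype=$(field_of "$dev" TYPE)
    if [ -z "$uuid" ]; then
        echo "no UUID found for $dev" >&2
        return 1
    fi
    if [ "$fstype" = swap ]; then
        printf 'UUID=%s swap swap defaults 0 0\n' "$uuid"
    else
        printf 'UUID=%s %s %s defaults 0 0\n' "$uuid" "$mnt" "$fstype"
    fi
}

# Flag fstab lines (read from stdin) that still mount by device name;
# these are the ones that break when a disk is added or re-ordered.
device_name_entries() {
    grep -E '^/dev/(sd|vd|hd)[a-z]+[0-9]*[[:space:]]' || true
}

# In real use the output would be appended with >> /etc/fstab, as BK did.
fstab_entry /dev/sda1 /
fstab_entry /dev/sda2 none
```

On a live box, replace BLKID_SAMPLE with the output of blkid; the grep in field_of anchors on the device name so a UUID from another partition can never be picked up by mistake.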

sysctl -a | grep swap ;the swappiness value goes from 0 to 100; set it to 1 on DB systems so the system will try not to swap

vmstat 2 ;shows you statistics every 2 seconds; swapon -s shows you the devices used for swapping

Ensure all partitions show in /proc/partitions; if not, run partprobe to pass them to the kernel. In /etc/fstab the higher number (pri=20) has priority for swapping

LVM ;first use pvcreate to create physical volumes out of the physical drives (pvdisplay to check); then use vgcreate to create a volume group

In the man pages the [ ] parts are optional ;you cannot (or should not) reduce xfs-formatted volumes

CHAPTER 11

cat /etc/exports to see your NFS shares

iptables --flush ; firewall-cmd

With sec=sys the permission is determined by the user ID (UID)

With sec=krb5 the client needs to download the /etc/krb5.keytab file from the NFS server; then systemctl enable nfs-secure

yum install sssd authconfig krb5-workstation = you must remember this well for the exam!!!

wget -O /etc/krb5.keytab http://lfjsfjsmycert.

CHAPTER 12

For Samba you need to install cifs-utils ;the server configuration is in /etc/samba/smb.conf ;NFS doesn't have that concept, but for Samba you have the concepts of Share Name and Share Path, whereas on NFS you only need the Share Path; to mount a Samba share on /mnt use: mount -o username=student,password=student //server13/public /mnt

//server13/public /abc cifs credentials=/root/mypasswd 0 0
#The above is an fstab entry that keeps the credentials used for the mount in a separate file

yum provides "*/smbclient" ;queries the repos to see which package you need in order to get the smbclient command

find /lib/modules/3.10.0.5xxxx/ -name "*.ko"

lsinitrd ;displays the contents of the initramfs, including the modules loaded for the kernel

pstree ;shows parent-child relationships

mount -o remount,rw / ;lovely command to know, re-mounts the filesystem read-write while in emergency mode

rd.break console=tty0 ;in rescue mode the root filesystem (which contains the shadow file) is mounted at /sysroot

ls /sysroot/usr/bin/passwd ;this is where the passwd command resides in rescue mode, used to reset the root password

touch /.autorelabel ;ensure you type it correctly

edit the file /boot/grub2/grub.cfg and look at the menuentry sections; the line set root='hd0,msdos1' specifies which hard drive and partition the system will boot from

grub2-mkconfig > /boot/grub2/grub.cfg ;to generate the file; grub also runs the scripts found in /etc/grub.d/; you can also edit /etc/default/grub and then re-generate the configuration file.

dd if=/dev/zero of=/dev/vda bs=400 count=1 ;this command erases the boot loader! To fix it, boot from the DVD and then run grub2-install /dev/vda

CHAPTER 14

On RHEL 6 they use systemctl status iptables.service, but from RHEL 7 this service is disabled and firewalld is used instead

A zone is just a set of rules

Zone matching:

1. match by source IP

2. match by NIC

3. otherwise the default zone

firewall-cmd -- then tab-tab ;and you'll see all the options; the most popular are: --get-active-zones (this will tell you what is matching), --list-all (shows you the services that are allowed); --remove-service=samba-client (removes that service from the runtime); --add-service= then press tab-tab to see the services available (add the switch --permanent to make it all permanent)

firewall-cmd --add-source=<range>/24 --zone=dmz --permanent
any traffic from this range will go to dmz, while everything else goes to public

firewall-config to call the GUI

 

Globbing

* , ? , []

{} brace expansion; echo a{1,2,3}

${VARIABLE} variable expansion

$(COMMAND) command substitution

`COMMAND` command substitution (old style)

 

"" = weak quote, prevents brace expansion but not command substitution

' ' = strong quote, it prevents everything
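The weak-versus-strong quoting rules above, exercised in POSIX shell. This is an added example, not from the notes: it creates a scratch directory of constructed files as the globbing target and shows which expansions survive each quoting style, plus the word-splitting difference that is the usual reason to quote a variable.

```shell
#!/bin/sh
# Added example, not from the notes: shows which expansions each quoting
# style permits. A scratch directory with four constructed files is the
# globbing target; everything is created under mktemp so nothing real is touched.

make_scratch() {
    d=$(mktemp -d)
    touch "$d/a1" "$d/a2" "$d/a3" "$d/b1"
    printf '%s\n' "$d"
}

# Globbing: a? is matched against the directory only when it is unquoted.
glob_unquoted() { ( cd "$1" && echo a? ); }       # a1 a2 a3
glob_weak()     { ( cd "$1" && echo "a?" ); }     # a?  (weak quotes stop globbing)
glob_strong()   { ( cd "$1" && echo 'a?' ); }     # a?  (strong quotes stop everything)

# Variable expansion and command substitution survive weak quotes but not strong ones.
expand_weak()     { name=alice; echo "user=$name host=$(echo server1)"; }
expand_strong()   { name=alice; echo 'user=$name host=$(echo server1)'; }
expand_backtick() { echo "host=`echo server1`"; }   # old-style command substitution

# Word splitting: the difference that matters when a value contains spaces
# (or glob characters). count_args reports how many words the caller passed.
count_args() { echo $#; }
unquoted_var_words() { v="one two three"; count_args $v; }     # 3
quoted_var_words()   { v="one two three"; count_args "$v"; }   # 1

scratch=$(make_scratch)
echo "unquoted: $(glob_unquoted "$scratch")"
echo "weak:     $(glob_weak "$scratch")"
echo "strong:   $(glob_strong "$scratch")"
echo "weak expansion:   $(expand_weak)"
echo "strong expansion: $(expand_strong)"
```

Brace expansion is left out of the checks because it is a bash feature rather than POSIX sh; everything else here behaves the same in sh and bash.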

 

 

 

NOTES FROM BK - DAY 1

    grep 'regex' FILE...

    COMMAND | grep 'regex'

    grep -iR  'regex'  DIRECTORY


    ------------------------------------------
 
    -v  - reverse logic (not)
    -i  - case-insensitive
    -Ax - also print x lines After each match
    -Bx - also print x lines Before each match
    --color   - color code results
    -E  - support extended regex
    -e  - REGEX. can be used multiple times

Globbing != Regex

    /  - forward search (in less/vim)
    ?  - reverse search (in less/vim)


    RegEx Metacharacters
    ===============================================================================

    ^  - line starts with

    $  - line ends with
    [] - character set. match ONE character in the set
    [^] - not in the set
    .  - match one character, any character
    *  - multiplier. previous character can be repeated 0 or more times

    +  - multiplier. previous character can be repeated 1 or more times (extended)

    {X} - multiplier. exactly X times. (extended)

    <   - word starts with (extended)
    >   - word ends with (extended)

    \   - escape next character.
    -------------------------------

    Basic regex  vs Extended regex    

    LAB pages 32 + 34

- - - - () --------

    LAB pages 44,55,57

Commands:
---------
i    - insert
G    - goto last line
gg    - goto first line
yy    - yank (copy) line
dd    - cut line
p/P    - paste after/before
u    - undo
ctrl-r  - redo
v,V,ctrl+v - visual char,visual line,visual block

Extended Commands
------------------
w
q
wq
q!
NUMBER
set number
register

:RANGEs/cat/dog/gi
:%s/cat/dog/gi
    %   ---> process entire file
    1,3 ---> process line 1 to line 3 inclusive
    - g ---> global replacement (per line basis)
    - i ---> case-insensitive
MULTIPLIER    ACTION    MOVEMENT
   2            y         w        - copy two words
   3            d         }        - delete/cut three paragraphs
                c         w        - change a word

- - - -() - - - -


Review Day 1
------------

Kickstart
---------
- To automate Red Hat Installations
- Need a kickstart text file
    - use /root/anaconda-ks.cfg as a template
    - GUI: system-config-kickstart
- File has 4 sections: command,packages,pre,post
- ksvalidator can check the file syntax for errors
- You can place your kickstart file in a
    - usb drive, cdrom, upload to a webserver/ftp server
- Boot from DVD
    - Select the install option and press TAB
    - append:  ks=http://server/myks.cfg

Regular expressions
-------------------
- For string pattern matching
- grep, searching in man, searching in less/vim, and many more
- Special characters:
    ^     - line starts with
    $     - line ends with
    [akx]    - single character must be a OR k OR x
    [^akx]  - single character CANNOT be a OR k OR x
    .     - any single character
    \    - escape next character

- Multipliers
    *    - Previous character can be repeated 0 or more times
    +     - Previous character can be repeated 1 or more times    
            (with grep must use -E option), in vim must be escaped!
    \{X\}   - Previous character must occur EXACTLY X times
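The metacharacters and grep options from BK's Day 1 notes and the review above, run against a constructed auth-log excerpt. This is an added example, not from the notes: SAMPLE_LOG is made up (hostnames, addresses and PIDs included), and the counts show where basic and extended syntax differ, in particular that + only repeats with -E and that the exact-count multiplier needs \{X\} in basic regex.

```shell
#!/bin/sh
# Added example, not from the notes: runs the metacharacters from the regex
# notes above against a constructed auth-log excerpt, so the difference
# between basic and extended (-E) syntax shows up in the match counts.

SAMPLE_LOG='Jan 10 10:01:02 server1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Jan 10 10:01:09 server1 sshd[1240]: Failed password for root from 10.0.0.77 port 51240 ssh2
Jan 10 10:02:15 server1 sshd[1251]: Failed password for invalid user admin from 192.168.1.9 port 40001 ssh2
Jan 10 10:03:44 server1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart httpd
Jan 10 10:04:00 server1 sshd[1300]: Accepted publickey for bob from 10.0.0.5 port 51300 ssh2'

# Count matching lines with a basic regex (grep) or an extended one (grep -E).
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps the count.
count_basic() { printf '%s\n' "$SAMPLE_LOG" | grep -c -- "$1" || true; }
count_ext()   { printf '%s\n' "$SAMPLE_LOG" | grep -cE -- "$1" || true; }

# Source addresses of failed password attempts (what you'd pull for a block list).
failed_sources() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep 'Failed password' |
        grep -oE 'from [0-9]+(\.[0-9]+){3}' |
        cut -d' ' -f2
}

echo "lines starting with Jan (^):       $(count_basic '^Jan')"
echo "lines ending with ssh2 (\$):        $(count_basic 'ssh2$')"
echo "ports starting with 5 (set + *):   $(count_basic 'port 5[0-9]*')"
echo "+ in BASIC regex is literal:       $(count_basic 'sshd\[[0-9]+\]')"
echo "+ in EXTENDED regex repeats:       $(count_ext 'sshd\[[0-9]+\]')"
echo "exact count, basic \{4\} syntax:    $(count_basic 'sshd\[[0-9]\{4\}\]')"
echo "alternation needs -E:              $(count_ext '(Accepted|Failed) (password|publickey)')"
echo "failed logins came from:           $(failed_sources | tr '\n' ' ')"
```

The same patterns work in less and vim searches, with the difference the notes point out: in vim the + multiplier has to be escaped.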

VIM
---
- Text editor
- Three modes: command, insert, ex
- Useful commands:
    u     - undo
    ctrl-r  - redo
    yy    - yank (copy) entire line
    dd     - cut entire line
    v     - visual mode
    p/P    - paste after/before
    i    - insert
    o    - open new line in insert mode
- ex
    :wq
    :q!
    :set number


Cron, at, systemd-tmpfile
--------------------------
- at for one time job
- cron for recurring jobs

- at TIMESPEC  (always time first before date)
    at 10pm
    at 3pm 31 July
- ctrl-d
- atq
- atrm  JOBID


- cron
    - user cron   --> crontab -e
    - system cron --> /etc/crontab , /etc/cron.d/
- anacron
    - executed hourly by cron (/etc/cron.hourly/0anacron)
    - /etc/anacrontab
    - controls /etc/cron.{daily,weekly,monthly}
    - Benefit: missed jobs will be executed
    - Con: Cannot control exact time the job is run


- systemd-tmpfiles --create --remove
    -> executed once at boot time
    -> creates or deletes files based on configuration
- systemd-tmpfiles --clean
    -> purges files based on aging
    -> executes once a day
- /etc/tmpfiles.d/
    --OVERRIDES--
        /run/tmpfiles.d
            --OVERRIDES--
                 /usr/lib/tmpfiles.d

- e.g.
    cat /etc/tmpfiles.d/test.conf
        d /testing 1777 root root 1d -

    cat /usr/lib/tmpfiles.d/test.conf    
        d /testing 1777 root root 20d -

    ==> files in /testing age will be 1d and not 20d because /etc has preference over /usr/lib
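A shell model of that precedence, added here as an example; it is not part of the notes and it does not run systemd-tmpfiles. It builds the three directories under a temporary root, drops in the two test.conf fragments from the example above (plus a constructed pkg.conf that nothing overrides), and reports which copy wins and what age applies. It covers the earlier section on /etc/tmpfiles.d versus /usr/lib/tmpfiles.d as well.

```shell
#!/bin/sh
# Added example, not from the notes and not the real systemd-tmpfiles: models
# the precedence the notes describe (/etc overrides /run overrides /usr/lib)
# by building the three directories under a temporary root and resolving
# which copy of a fragment wins.

# Print the winning fragment path for NAME under ROOT; exit 1 if none exists.
tmpfiles_winner() {
    tw_root=$1; tw_name=$2
    for tw_dir in etc/tmpfiles.d run/tmpfiles.d usr/lib/tmpfiles.d; do
        if [ -f "$tw_root/$tw_dir/$tw_name" ]; then
            printf '%s\n' "$tw_root/$tw_dir/$tw_name"
            return 0
        fi
    done
    return 1
}

# Age field (6th column) of the first "d" line in a fragment.
tmpfiles_age() {
    awk '$1 == "d" { print $6; exit }' "$1"
}

# Age that will actually apply for fragment NAME under ROOT.
effective_age() {
    ea_path=$(tmpfiles_winner "$1" "$2") || return 1
    tmpfiles_age "$ea_path"
}

# Constructed hierarchy reproducing the notes' test.conf example.
build_demo_root() {
    bd_root=$(mktemp -d)
    mkdir -p "$bd_root/etc/tmpfiles.d" "$bd_root/run/tmpfiles.d" "$bd_root/usr/lib/tmpfiles.d"
    printf 'd /testing 1777 root root 1d -\n'  > "$bd_root/etc/tmpfiles.d/test.conf"
    printf 'd /testing 1777 root root 20d -\n' > "$bd_root/usr/lib/tmpfiles.d/test.conf"
    # A package-provided fragment with nothing overriding it.
    printf 'd /cache 0755 root root 10d -\n'   > "$bd_root/usr/lib/tmpfiles.d/pkg.conf"
    printf '%s\n' "$bd_root"
}

demo=$(build_demo_root)
echo "test.conf resolves to:      $(tmpfiles_winner "$demo" test.conf)"
echo "effective age for /testing: $(effective_age "$demo" test.conf)"
echo "effective age for /cache:   $(effective_age "$demo" pkg.conf)"
```

Overriding is by file name: a fragment in /etc/tmpfiles.d only replaces the package copy if it is called exactly the same, which is why the notes say to copy the *.conf file across rather than create a differently named one.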
 

NOTES FROM BK - DAY 2

REVIEW day 2
------------

Process priorities:
-------------------
- can be affected by the NICE value
- (higher priority)  -20  --> +19 (lower priority)
    <-------increase priority (root) --------

    -------decrease priority (normal users) -->

- nice -n NICEVALUE  CMD
- renice -n NICEVALUE  PID
- top can also renice processes:
    short-cut --> r

ACL
---
- To overcome basic permission limitations
    - more than one user
    - more than one group
- Three types of entries:
    - normal acl entries
    - default acl entries (only applies to dir)
        - files/subdir inherit the default acl
    - mask (does not affect original user owner and others)
- setfacl -m ACL_SPEC  FILE|DIR
- setfacl -x ACL_SPEC  FILE|DIR
- ACL_SPEC examples:
    u:john:rx
    g::rwx
    g:sales:rw
    o::-
- if BIG X is used, it only applies to subdirectories and existing files that
  have ANY execute bit
  (useful for recursions)
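The two ACL rules from the notes (the mask capping a named entry's effective permission, from Chapter 6 and the review above, and capital X only granting execute where an execute bit already exists) modelled in plain shell arithmetic. This is an added example, not from the notes: it calls neither setfacl nor chmod, and the entries and modes are constructed values.

```shell
#!/bin/sh
# Added example, not from the notes: models two rules from the ACL notes in
# plain shell arithmetic, without calling setfacl/chmod. (1) the effective
# permission of a named user/group entry is the entry ANDed with the mask;
# (2) capital X only grants execute when the target is a directory or
# already has an execute bit for some class.

# "rwx"-style string -> number 0..7
perm_bits() {
    pb=0
    case $1 in *r*) pb=$((pb + 4));; esac
    case $1 in *w*) pb=$((pb + 2));; esac
    case $1 in *x*) pb=$((pb + 1));; esac
    echo "$pb"
}

# number 0..7 -> "rwx"-style string
bits_perm() {
    bp=''
    if [ $(($1 & 4)) -ne 0 ]; then bp="${bp}r"; else bp="${bp}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then bp="${bp}w"; else bp="${bp}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then bp="${bp}x"; else bp="${bp}-"; fi
    echo "$bp"
}

# Effective permission of an ACL entry given the mask: effective_perms ENTRY MASK
effective_perms() {
    bits_perm $(( $(perm_bits "$1") & $(perm_bits "$2") ))
}

# Mode after "chmod a+X" (or the X in an ACL spec): apply_capital_x MODE f|d
apply_capital_x() {
    ax_mode=$((0$1)); ax_kind=$2                 # leading 0 reads the mode as octal
    if [ "$ax_kind" = d ] || [ $((ax_mode & 0111)) -ne 0 ]; then
        ax_mode=$((ax_mode | 0111))
    fi
    printf '%o\n' "$ax_mode"
}

echo "g:sales:rwx with mask r-x -> effective $(effective_perms rwx r-x)"
echo "u:john:rw- with mask r--  -> effective $(effective_perms rw- r--)"
echo "chmod a+X on a 644 file      -> $(apply_capital_x 644 f)"
echo "chmod a+X on a 755 file      -> $(apply_capital_x 755 f)"
echo "chmod a+X on a 644 directory -> $(apply_capital_x 644 d)"
```

This is why a recursive setfacl -R with rwX is safe on a mixed tree: data files that were 644 stay non-executable, while directories and existing executables get the x needed to traverse or run them.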

SELINUX
-------
- 3 modes: enforcing,permissive,disabled
- /etc/selinux/config
- getenforce
- setenforce 0|1   (will not survive a reboot)
- yum install selinux-policy-devel
    mandb
    man -k _selinux
- yum install setroubleshoot-server
    /var/log/messages
    sealert -l UUID
- restorecon -vFR  DIR
- man semanage-fcontext
    -> we can add custom rules to the file context

NETWORK USERS
-------------
- Centralize user account and authentication
- authconfig-gtk, sssd, krb5-workstation
- ldap for user info + kerberos for authentication
- LDAP:
    1. FQDN ldap server
    2. BASE DN
    3. CA cert (for tls encryption)
- KERBEROS:
    1. KDC
    2. REALM
    3. ADMIN servers
    (or dns could be used to auto detect settings
       if configured)

NOTES FROM BK - DAY 3

Review Day 3
-------------

Partitions and File Systems
---------------------------
- 2 partitioning schemes - MBR and GPT
    MBR                                   GPT
    ---                                   ---
    - fdisk                               - gdisk
    - Primary, extended, logical          - N/A
    - Need an extended partition to       - N/A
      have more than 4
    - Max 2 TB per partition              - Max 8 ZiB per partition

- For an existing disk that has been partitioned, DON'T simply convert
  the partitiong scheme (even though gdisk will offer to convert MBR to
  GPT for you)

    File system                               Swap
    -----------                               ----
    1. Create partition                       1. Create partition
        - id: 83/8300                             - id: 82/8200
    2. cat /proc/partitions                   2. - SAME -
        - if not visible: partprobe
    3. Format with a filesystem               3. Format as swap
        mkfs -t FSTYPE DEVICE                     mkswap DEVICE
        (ext4, xfs, vfat, ...)
    4. Create a mount point                   4. - N/A -
        mkdir DIRECTORY
    5. Update /etc/fstab                      5. - SAME, with slightly different settings -
    6. mount -a ; df -h                       6. swapon -a ; swapon -s


LVM
---
- Provides the ability to group multiple storage as ONE
- Each storage is formatted  as a PV and then grouped together as a VG
- PE is the smallest unit/chunk in a VG. Specified when the VG is created
  with -s
- LV and VG can be extended or reduced (hence flexible)
- pvs,vgs,lvs
- pvdisplay,vgdisplay,lvdisplay
- pvcreate , vgcreate , lvcreate
- vgextend, pvmove , vgreduce
- lvextend
- resize2fs , xfs_growfs


Access NFS
----------
- Package required:  nfs-utils
- 5 security mechanisms:
    sec=none|sys|krb5|krb5i|krb5p
- If using krb5 stuff, needs:
    - Client must be authenticated with the same
       central authentication server as the nfs server
    - Client should enable and start nfs-secure service
    - Client needs a /etc/krb5.keytab file issued from the
      kerberos administrator
- Manual mount:
    mount -o sec=SEC_TYPE,sync  NFS_SERVER:SHARE_PATH   MOUNT_POINT
- Mount at boot time:
    /etc/fstab
        NFS_SERVER:SHARE_PATH   MOUNT_POINT   nfs   sec=SEC_TYPE,sync  0  0
- Mount on demand:
    yum install autofs
    systemctl enable autofs
    systemctl start autofs
    
    Indirect Map
    -------------
    NFS share    server1:/shares/public   
    Mount point  /myshares/pub   
        (indirect map needs a parent/child directory structure)

    /etc/auto.master.d/myfile.autofs
        /myshares    /etc/auto.myshares

    /etc/auto.myshares
        pub   -rw,sec=SEC_TYPE,sync   server1:/shares/public

    systemctl restart autofs

    Direct Map
    ----------
    NFS share    server1:/shares/public   
    Mount point  /pub
    
    /etc/auto.master.d/myfile.autofs
        /-    /etc/auto.pub

    /etc/auto.pub
        /pub   -rw,sec=SEC_TYPE,sync   server1:/shares/public

    systemctl restart autofs


Accessing SMB
-------------
- Required package: cifs-utils
- Optional      : samba-client (gives you the smbclient command)
- To identify the share:
    smbclient -L   //server
    (list the shares)

- Ways to connect:
    - manual mount
        mount -t cifs -o user=USERNAME //server/sharename  /MOUNT_POINT

    - mount at boot time:  /etc/fstab
        //server/sharename  /mount_point   cifs   user=USER,password=123  0  0
        OR
        //server/sharename  /mount_point   cifs   credentials=/root/myfile  0  0

        WHERE  /root/myfile        -> FILE MODE MUST BE 600
                username=USER
                password=123
                domain=DOMAIN <-- optional

    - via smbclient (similar to ftp client)
        smbclient -U USER   //server/share

    - Mount on demand (autofs)
        - install, start and enable autofs

        INDIRECT MAP example
        --------------------
        /etc/auto.master.d/shares.autofs
            /shares  /etc/auto.shares
        /etc/auto.shares
            pub    -fstype=cifs,credentials=/root/myfile,rw  ://server/public

        DIRECT MAP example
        ------------------
        /etc/auto.master.d/shares-direct.autofs
            /-  /etc/auto.shares-direct
        /etc/auto.shares-direct
            /shares    -fstype=cifs,credentials=/root/myfile,rw  ://server/public
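The credentials-file rule from the fstab section above (FILE MODE MUST BE 600), as a pair of shell functions that create such a file privately and refuse to build an fstab line from one that is readable by others. This is an added example, not from the notes: the user, password, domain and share names are constructed, the file is written under mktemp, and nothing is mounted.

```shell
#!/bin/sh
# Added example, not from the notes: writes a cifs credentials file the way
# the notes require (mode 600, username=/password= lines) and refuses to use
# one that is readable by others. Everything is created under mktemp; no share
# is mounted.

# write_credentials_file PATH USER PASSWORD [DOMAIN]
write_credentials_file() {
    wc_path=$1
    # Tighten the umask inside a subshell so the file is private from creation,
    # not only after a later chmod.
    (
        umask 077
        {
            printf 'username=%s\n' "$2"
            printf 'password=%s\n' "$3"
            if [ -n "${4:-}" ]; then printf 'domain=%s\n' "$4"; fi
        } > "$wc_path"
    )
    chmod 600 "$wc_path"
}

# Symbolic mode from ls, e.g. -rw------- (portable where stat -c is not).
file_mode() { ls -ld "$1" | cut -c1-10; }

# Return 0 only if PATH exists, is mode 600 and has both required keys.
check_credentials_file() {
    cc_path=$1
    if [ ! -f "$cc_path" ]; then
        echo "missing credentials file: $cc_path" >&2; return 1
    fi
    if [ "$(file_mode "$cc_path")" != "-rw-------" ]; then
        echo "refusing $cc_path: mode is $(file_mode "$cc_path"), must be 600" >&2; return 1
    fi
    if ! grep -q '^username=' "$cc_path" || ! grep -q '^password=' "$cc_path"; then
        echo "$cc_path lacks username= or password=" >&2; return 1
    fi
    return 0
}

# fstab line of the credentials= form: fstab_cifs_line SERVER SHARE MOUNTPOINT CREDFILE
fstab_cifs_line() {
    printf '//%s/%s %s cifs credentials=%s 0 0\n' "$1" "$2" "$3" "$4"
}

demo_dir=$(mktemp -d)
write_credentials_file "$demo_dir/myfile" student student EXAMPLE
if check_credentials_file "$demo_dir/myfile"; then
    fstab_cifs_line server13 public /mnt "$demo_dir/myfile"
fi
```

The point of the credentials= form over user=USER,password=123 in fstab is exactly this file mode: /etc/fstab is world-readable, the credentials file is not.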

 

REVIEW DAY 4

Review Day 4
------------

Boot chapter
------------
- systemd replaces systemV
- no more run levels
    - instead we have targets
- systemd uses units
    - units have types
        autofs.service
        cups.socket
        etc...
    - A target is a set of units grouped together
      to achieve a system state

- When we boot up the system a default target is used
  to set up the system
    graphical.target    (with GUI)
    multi-user.target    (NO GUI)
- To manually switch between targets:
    systemctl isolate graphical.target
    systemctl isolate multi-user.target

- You can set/get the default target:
    systemctl get-default
    systemctl set-default TARGET

- Targets can be set by passing in a kernel argument at the bootloader menu
    - systemd.unit=TARGET
    - e.g.    systemd.unit=rescue.target  OR systemd.unit=emergency.target

- Use rd.break when trying to reset root password:
    1. Interrupt GRUB at boot time
    2. e to edit
    3. Pass in rd.break, then ctrl-x
    4. mount -o remount,rw /sysroot
    5. chroot /sysroot
    6. passwd
    7. touch /.autorelabel
    8. exit ; exit

- grub2-mkconfig regenerates the /boot/grub2/grub.cfg file
  based on settings in /etc/default/grub  and /etc/grub.d/

    

Firewall Chapter
-----------------
- Packet filtering handled by the kernel module netfilter
- Managed through EITHER iptables service or firewalld
- systemctl mask iptables.service
    -> ensures that iptables service does not get started (will disrupt firewalld)
- firewalld
    -> firewall-config (GUI tool)
    -> firewall-cmd  (command line)
        - if --zone not specified, use default zone

- For persistent changes:
    - Modify the PERMANENT settings  (firewall-cmd  .... --permanent )
    - Reload firewall  ( firewall-cmd --reload )
- A zone has a set of rules
- A packet is associated with a zone:
    - depending on the interface it arrives on
    - depending on its source IP
    - if neither of the above matches, the default zone rules are used
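The zone matching order above (and the "Zone matching" list in Chapter 14), as a small shell model. This is an added example, not from the notes and not firewalld itself: ZONE_TABLE is a constructed set of source and interface bindings (the networks, interface names and zones are made up), and zone_for_packet applies them in firewalld's order: a source binding first, the arriving interface second, the default zone last.

```shell
#!/bin/sh
# Added example, not from the notes and not firewalld itself: a small model
# of how firewalld chooses the zone for an incoming packet, in the order the
# notes give. The bindings table is constructed; it is not read from
# firewall-cmd.

# One binding per line: "source CIDR ZONE" or "interface NIC ZONE".
ZONE_TABLE='source 10.0.50.0/24 dmz
source 192.168.1.10/32 trusted
interface eth0 public
interface eth1 internal'
DEFAULT_ZONE=public

# dotted quad -> 32-bit integer
ip_to_int() {
    ii_oldifs=$IFS; IFS=.; set -- $1; IFS=$ii_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/PREFIX -> exit 0 if IP lies inside the network
in_cidr() {
    ic_ip=$(ip_to_int "$1")
    ic_net=$(ip_to_int "${2%/*}")
    ic_bits=${2#*/}
    if [ "$ic_bits" -eq 0 ]; then
        ic_mask=0
    else
        ic_mask=$(( (0xFFFFFFFF << (32 - ic_bits)) & 0xFFFFFFFF ))
    fi
    if [ $((ic_ip & ic_mask)) -eq $((ic_net & ic_mask)) ]; then return 0; else return 1; fi
}

# zone_for_packet SRC_IP NIC -> zone name
zone_for_packet() {
    zp_src=$1; zp_nic=$2
    # 1. a matching source binding wins, whatever interface the packet arrived on
    zp_zone=$(printf '%s\n' "$ZONE_TABLE" | while read -r kind key zone; do
        if [ "$kind" = source ] && in_cidr "$zp_src" "$key"; then
            echo "$zone"; break
        fi
    done)
    if [ -n "$zp_zone" ]; then echo "$zp_zone"; return 0; fi
    # 2. otherwise the zone the arriving interface is bound to
    zp_zone=$(printf '%s\n' "$ZONE_TABLE" |
        awk -v n="$zp_nic" '$1 == "interface" && $2 == n { print $3; exit }')
    if [ -n "$zp_zone" ]; then echo "$zp_zone"; return 0; fi
    # 3. neither matched: the default zone
    echo "$DEFAULT_ZONE"
    return 0
}

echo "10.0.50.7 on eth0    -> $(zone_for_packet 10.0.50.7 eth0)"
echo "192.168.1.10 on eth1 -> $(zone_for_packet 192.168.1.10 eth1)"
echo "192.168.1.11 on eth1 -> $(zone_for_packet 192.168.1.11 eth1)"
echo "172.16.0.1 on eth9   -> $(zone_for_packet 172.16.0.1 eth9)"
```

This is the behaviour behind the --add-source example in Chapter 14: once a range is bound to dmz, packets from it land in dmz even on an interface bound to public, and only packets matching neither a source nor an interface fall through to the default zone.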




