Rhcsa working on

run levels and boot sequence
tar, star, gzip, and bzip2
Create hard and soft link
List, set, and change standard ugo/rwx permissions
nice and kill
fdisk
swap
iptables -Configure firewall settings using system-config-firewall or iptables.
Configure a system to run a default configuration FTP server
Access control lists
Configure a system to use time services.
SeLinux
SeLinux Troubleshooting
Create, delete, and modify local user accounts
Create, delete, and modify local groups and group memberships.
Change passwords and adjust password aging for local user accounts
Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label.
Modify the system bootloader.
Install and update software packages from Red Hat Network, a remote repository, or from the local file system.
Yum
Install Red Hat Enterprise Linux automatically using Kickstart.
Access remote systems using ssh and VNC
Diagnose and correct file permission problems
Add new partitions and logical volumes, and swap to a system non-destructively.
Notes from Rhcsa/Rhce Sixth edition
--Chapter1 ---Bits and pieces
--Chapter2 --- Kvm
--Chapter3
--Chapter4 -- permissions and selinux
misc

 

run levels

LEVEL  NAME                                 DESCRIPTION
0      Halt                                 Immediately shuts down the system and powers it off, if it can
1      Single user                          Brings the system to a bare-essentials mode for maintenance
2      User-defined                         Custom
3      Multi-user with console only         All services are running except X11 (command line)
4      User-defined                         Custom
5      Multi-user with display and console  All services are running including X11 (GUI)
6      Reboot                               Reboots the machine

current run level

To check your current runlevel: who -r
To change to a different runlevel: init 1

The Boot Sequence

bios > mbr>grub>kernel>init>runlevel (BMR-KIR)

mbr

  • It is located in the 1st sector of the bootable disk. Typically /dev/hda, or /dev/sda.
  • It contains information about GRUB
  • So, in simple terms MBR loads and executes the GRUB boot loader

GRUB has the knowledge of the filesystem

  • Mounts the root file system as specified in the “root=” in grub.conf
  • Kernel executes the /sbin/init program
  • initrd is used by kernel as temporary root file system until kernel is booted and the real root file system is mounted. It also contains necessary drivers compiled inside, which helps it to access the hard drive partitions, and other hardware

Init

  • /etc/rc.d/rc.sysinit is run first (not read in single user mode).
  • Looks at the /etc/inittab file to decide the Linux runlevel.
  • Init identifies the default runlevel from /etc/inittab and uses it to start all the appropriate programs.

Runlevel

  • The starting runlevel (specified in /etc/inittab) is found, and the /etc/rc.d/rc script is run, with the sole option being the runlevel we want to go to.
  • The rc program looks in the /etc/rc.d/rc3.d directory, executing any K* scripts (of which there are none in the rc3.d directory) with an option of stop.
  • Then, all the S* scripts are started with an option of start. Scripts are started in numerical order—thus, the S10network script is started before the S85httpd script. This allows you to choose exactly when your script starts without having to edit files. The same is true of the K* scripts.

To stop a daemon starting on boot, rename /etc/rc.d/rc3.d/S85httpd to something that does not start with a capital S or a capital K.

=========================
tar, star, gzip, and bzip2

tar -cvf archive_name.tar dirname/                 (uncompressed)
tar -czvf prog-1-jan-2005.tar.gz /home/jerry/prog   (-z compress using gzip)
tar -cjvf archive_name.tar.bz2 dirname/             (-j compress using bzip2)
tar -xzvf prog-1-jan-2005.tar.gz
tar -xzvf prog-1-jan-2005.tar.gz -C /tmp            (extract to a directory)
tar -tvf archive_name.tar                           (view an archive file)
tar -tzvf archive_name.tar.gz                       (view a gzipped archive file)
tar -xvf archive_file.tar /path/to/file             (extract a specific file)
tar -xvf archive_file.tar /path/to/dir/             (extract a specific folder)
tar -rvf archive_name.tar newfile                   (add a file to an existing archive)
tar --delete -f archive_name.tar file               (delete a file from an archive)
tar -dvf archive_name.tar                           (-d compares the archive against the files on disk; -x is extract)
zip -r zipdir.zip /home/xxx/                        (to zip a dir)

Note: in a bundle of short options, f must come last, because it takes the archive name as the next argument (tar -cvfz x.tar.gz would try to write an archive called "z").

gzip vs bzip2: bzip2 takes more time to compress and decompress than gzip. bzip2 archival size is less than gzip.
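The commands above create and unpack archives but never prove the archive is good, which is the part that matters for a backup. The following is an added example, not part of these notes: it builds a gzip-compressed archive with the options in the right order, lists it, runs tar -d (compare) against the files on disk, extracts it to scratch space and diffs the result, and then shows that -d notices when a file on disk is changed after the archive was made. It assumes GNU tar (as on RHEL) and diffutils; the function names are chosen here.

```shell
#!/bin/sh
# Added example: create a .tar.gz the correct way (f last, so it takes the
# archive name) and verify it before trusting it as a backup.

# archive_and_verify SRC_DIR ARCHIVE: returns 0 only if every check passes.
archive_and_verify() {
    src=$1; out=$2
    parent=$(dirname "$src"); name=$(basename "$src")
    tar -czf "$out" -C "$parent" "$name"   || { echo "create failed"; return 1; }
    tar -tzf "$out" >/dev/null             || { echo "not a readable archive"; return 1; }
    # -d (--compare) reports and returns non-zero if archive and disk differ
    tar -dzf "$out" -C "$parent"           || { echo "archive differs from disk"; return 1; }
    scratch=$(mktemp -d)
    tar -xzf "$out" -C "$scratch"          || { rm -rf "$scratch"; echo "extract failed"; return 1; }
    if diff -r "$src" "$scratch/$name" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}

# demo_tar_roundtrip: constructed sample tree in a temp dir. Prints "ok" when
# the round trip verifies AND a later change to a file is caught by tar -d.
demo_tar_roundtrip() {
    work=$(mktemp -d)
    mkdir -p "$work/prog/sub"
    echo "hello" > "$work/prog/a.txt"
    echo "world" > "$work/prog/sub/b.txt"
    result="fail"
    if archive_and_verify "$work/prog" "$work/prog.tar.gz" >/dev/null; then
        echo "tampered" >> "$work/prog/a.txt"      # disk no longer matches the archive
        if tar -dzf "$work/prog.tar.gz" -C "$work" >/dev/null 2>&1; then
            result="tamper missed"
        else
            result="ok"
        fi
    fi
    rm -rf "$work"
    echo "$result"
    [ "$result" = ok ]
}

demo_tar_roundtrip
```

tar -d compares mode, owner, mtime and contents of every member against the filesystem, so it doubles as a cheap integrity check on a directory you archived earlier; for a backup you intend to restore from, the extract-and-diff step is the one that proves the archive itself is readable end to end.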
=======================================
Create hard and soft link

more reading at http://www.cyberciti.biz/tips/understanding-unixlinux-symbolic-soft-and-hard-links.html

Hard Links

A hard link is a second directory entry for the same file: both names point at the same inode (the on-disk structure that holds the file's metadata and the location of its data).

touch file.txt ; ln file.txt file1.txt ; ls -li file*   # both names show the same inode number

Deleting the original file leaves the linked name in place with the same contents.

That is because they are the same file; making a hard link just adds another name that refers to the same inode. The file lives on until the last name with that inode is deleted.

Soft Links

Soft links are the closest thing to shortcuts in Windows. When you put a shortcut on your Desktop, it is just a pointer to something on your computer; if you delete it, no biggie, it was just a link. Soft links work the same way.

touch testfile.txt ; ln -s testfile.txt testfile1.txt ; ls -li testfile*   # shows a link entry (l...) and different inodes

Difference between soft and hard links

  • Hard links cannot link directories. (soft links can)
  • Hard links cannot cross file system boundaries.(soft links can)

=================
List, set, and change standard ugo/rwx permissions

Setting   File                                                    Directory
Read      displays file contents or copies them to another file   lists the directory contents (ls -l / ll)
Write     modifies file contents                                  creates/removes/renames files and subdirectories
Execute   executes the file                                       allows cd into the directory

Setting Special Permissions

By default a file created in a directory is owned by the creating user and that user's primary group.

Setting the sticky bit (sb) on a directory means that, whatever the ugo permissions say, only a file's owner (and root) can delete or rename it (/tmp is the standard example).
Example: members of the group test can delete other users' files from the normal folder but not from the sb folder:
drwxrwxr-x 2 root test 4096 Apr 23 17:41 normal
drwxrwxr-t 2 root test 4096 Apr 23 17:39 sb

Setting suid on an executable lets a user run it as the file's owner, i.e. it allows a non-root user to run commands with root's rights (for example passwd, which lets the user update /etc/shadow and /etc/passwd).

Example: this lets anyone run the updatedb command with its owner's privileges:
chmod 4755 /usr/bin/updatedb

Setting sgid on a directory means any file created within it is owned by the directory's group rather than the creator's primary group.

Example: members of the test group create files in sales and each file is accessible to all the members:
drwxrwsr-x 2 root test 4096 Apr 23 17:53 sales
-rw-rw-r-- 1 testuser1 test 0 Apr 23 17:52 test.txt
-rw-rw-r-- 1 testuser2 test 0 Apr 23 17:53 test2.txt

Warning

Linux administrators may inhibit this behavior on a whole file system, by mounting it with the nosuid option.
tune2fs -l /dev/sda1 | grep Default will show you the current mount options or for lvm tune2fs -l /dev/mapper/name-lv_root | grep Default

numbers

suid=4 (chmod 4… filename)
sgid=2 (chmod 2… filename)
sb=1 (chmod 1… filename)

find

find / -perm /u+s # find suid
find / -perm /g+s # find sgid files
find / -perm /o+t # find sticky bit files
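The special bits and the three ugo triplets add up to the four-digit octal form that chmod takes and find -perm tests. The following is an added example, not part of these notes: it converts an ls -l mode string (such as the drwxrwsr-x and drwxrwxr-t lines above) into that octal form, handling the s/S/t/T positions, and names the special bits it finds. The function names mode_to_octal and special_bits are chosen here.

```shell
#!/bin/sh
# Added example: convert an ls -l mode string (e.g. "drwxrwsr-x") to the
# 4-digit octal form chmod uses ("2775"), including the suid/sgid/sticky digit.

# triplet_value TRIPLET WEIGHT: sets TV to the triplet's 0-7 value and adds
# WEIGHT (4 = suid, 2 = sgid, 1 = sticky) to SPECIAL when the execute position
# carries s/S/t/T (a capital letter means the special bit is set but x is not).
triplet_value() {
    t=$1; w=$2; TV=0
    case $t in r??) TV=$((TV + 4)) ;; esac
    case $t in ?w?) TV=$((TV + 2)) ;; esac
    case $t in ??[xst]) TV=$((TV + 1)) ;; esac
    case $t in ??[sStT]) SPECIAL=$((SPECIAL + w)) ;; esac
}

# mode_to_octal MODE: MODE is the 10-character ls field ("drwxrwsr-x") or just
# the 9-character permission part. Prints e.g. 2775; returns 1 on bad input.
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] && m=${m#?}              # drop the file-type character
    [ "${#m}" -eq 9 ] || return 1
    case $m in *[!rwxsStT-]*) return 1 ;; esac  # only the ls permission alphabet
    SPECIAL=0
    triplet_value "$(printf '%s' "$m" | cut -c1-3)" 4; u=$TV
    triplet_value "$(printf '%s' "$m" | cut -c4-6)" 2; g=$TV
    triplet_value "$(printf '%s' "$m" | cut -c7-9)" 1; o=$TV
    printf '%d%d%d%d\n' "$SPECIAL" "$u" "$g" "$o"
}

# special_bits OCTAL: name the special bits in a 4-digit mode ("2775" -> "sgid").
special_bits() {
    d=$(printf '%s' "$1" | cut -c1); out=""
    [ $((d & 4)) -ne 0 ] && out="$out suid"
    [ $((d & 2)) -ne 0 ] && out="$out sgid"
    [ $((d & 1)) -ne 0 ] && out="$out sticky"
    printf '%s\n' "${out# }"
}

# Demo over the modes quoted in the notes plus a suid binary and a plain file.
for mode in drwxrwxr-x drwxrwxr-t drwxrwsr-x -rwsr-xr-x -rw-rw-r--; do
    oct=$(mode_to_octal "$mode")
    printf '%s -> %s %s\n' "$mode" "$oct" "$(special_bits "$oct")"
done
```

The capital-letter case is the one worth remembering when auditing: -rwSr--r-- is 4644, a suid bit on a file nobody can execute, which usually means a chmod 4644 typo rather than an intended setting.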

The problem with basic ACLs is that they are not recursive by default.
The sticky bit will work to a degree, but an ACL (recursive, with a default entry) should be used to get this effect; see Access control lists.

The default umask value is 0022; it decides the permissions of a new file or directory by removing bits from the base permission (see below).

Base permission for a directory is 0777, for a file it is 0666.

To change the umask permanently edit /etc/profile or ~/.bashrc; for a temporary change run umask 077.

The final default permission for a file is calculated as follows:
Default file permission: 666
Default umask: 022
Final default file permission: 644

The final default permission for a directory is calculated the same way:
Default directory permission: 777
Default umask: 022
Final default directory permission: 755
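The 022 case works out the same whether you subtract or mask, which hides the fact that umask is a bit mask. The following is an added example, not part of these notes, that applies a umask the way the kernel does (base AND NOT umask) and runs it over 022, 077 and 027; the 027 case is where subtraction would give a nonsense answer. The function names are chosen here.

```shell
#!/bin/sh
# Added example: umask is a bit mask, not a subtraction. Every bit set in the
# umask is cleared from the base mode (666 for files, 777 for directories).

# apply_umask BASE UMASK: both in octal; prints the resulting 4-digit mode.
apply_umask() {
    base=$(( 0$1 )); mask=$(( 0$2 ))     # leading 0 makes $(( )) read octal
    printf '%04o\n' $(( base & ~mask ))
}

# What touch and mkdir produce under a given umask.
new_file_mode() { apply_umask 666 "$1"; }
new_dir_mode()  { apply_umask 777 "$1"; }

# 666 - 027 is not a valid mode, but 666 AND NOT 027 is 640: group keeps
# read, others lose everything, and the x bits in the umask simply have
# nothing to clear on a file.
for u in 022 077 027; do
    printf 'umask %s: new file %s, new directory %s\n' \
        "$u" "$(new_file_mode "$u")" "$(new_dir_mode "$u")"
done
```

For a hardening baseline the usual choice is umask 027 in /etc/profile (files 640, directories 750), which keeps group collaboration working while removing all access for others.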

================================
nice and kill

kill -1 pid or kill -HUP pid - sends the "Hang Up" signal to the process (the safest kill command; many daemons just reread their config)
kill -9 1986
killall -9 firefox
pgrep -l sample # check what's there before you kill it
pkill - a lot like killall except it allows partial names, so "pkill -9 unity" will kill any process whose name begins with "unity".
kill -l shows the kill flags (signal list)

Order to use when killing a misbehaving process:
kill -1 pid # safest way to kill a process (HUP)
kill pid # runs kill -15 (TERM), a soft termination; the process stops in an orderly fashion
kill -2 pid # INT, like a Ctrl-C
kill -9 pid # KILL, force kill; the process gets no chance to clean up

nice - used when starting a process, i.e. nice -n 19 intensive_script
renice - used to change the priority of a currently running process, i.e. renice -10 1234 or renice +20 18552

As a normal user you cannot renice a process to a negative value (only root can raise priority).

A nice value of -20 has priority over everything else;
at the other end of the scale, 19 basically has to wait for a free system to run.
The default nice value is 0.
======================

fdisk

fdisk -l

example of editing a non-LVM partition
http://linuxblog.info/disk-space-increase-non-lvm/

example of editing lvm partition
http://linuxblog.info/disk-space-increase-lvm/
=======================
swap

http://linuxblog.info/add-swap/
=======================
iptables

It's important to note that the order of the rules is vital: the first rule a packet matches is the one actioned.
system-config-firewall is a good way to get rules up quickly.
http://linuxblog.info/iptables/ includes iptables rules

iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -j DROP   (-A -p --dport -s -j: Apdsj)
======================
Ftp

Configure a system to run a default configuration FTP server

1) yum install vsftpd ftp

2)service vsftpd start

3) chkconfig vsftpd on

4) iptables -I INPUT 5 -p tcp -m tcp --dport 20 -j ACCEPT

iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT

Then remember to always save your iptables rules so they survive a reboot.

5) You can check this by using the ftp client to connect anonymously to your ftp server, e.g.

ftp 127.0.0.1
======================
Access control lists

ACLs allow you to give read/write/execute permissions on selected files to specific users and groups; they are a second level of control layered on top of the ugo/rwx permissions.

They are useful, for example, if you want to stop the user David accessing a particular file: rather than messing about with ugo permissions you can specifically stop just him. Default ACLs also let permissions be set automatically on new files created in a directory (setfacl -Rm g:users:rwX,d:g:users:rwX data/).

setfacl -m u:sally:--- testfile would stop the user sally accessing testfile (u:sally:rwx would instead grant her full access)

To quickly check a file run ls -l and check if there is a + after the ugo permissions

A first level of access control is already in place (user, group and other permissions); ls -l file or getfacl file will display it.

To configure ACLs you need to (note on step 1: acl is enabled by default; running tune2fs -l /dev/mapper/Volgroup-lv_root | grep acl will show it is a default mount option):

1) configure the filesystem with the acl option.

mount -o remount,acl /dev/sda3 /home, or add acl to the fstab line, i.e. "defaults,acl 0 0"

then option 2 or 3 as appropriate

2) set execute permission on the associated directory

setfacl -m u:bob:x /home/test/ (add -R to make it recursive)

3) configure ACL for relevant user

Apply ACLs to a file for a user

To check acl on a directory or file getfacl install.log

to set permission setfacl -m u:user2:rw install.log (to remove use -x,-b removes all ACL)

To check getfacl install.log

To add a group acl on the same file setfacl -m g:it:rwx install.log

to remove access: setfacl -m u:guest:--- /etc/passwd
======================

Configuring a time server

1) yum install ntp ntpdate ntp-doc

2) chkconfig ntpd on

3) ntpdate pool.ntp.org

4) /etc/init.d/ntpd start

======================

selinux

SELinux goes beyond the normal file permissions and ACLs and allows fine-grained control over what each process may do, which limits the damage from a security breach.

SELinux assigns a context to every file and process; the policy is described in terms of:
subjects - processes/applications
objects - files (and other resources)
actions - what the subject does to the object

to see the context of a file run ls -Z

There are 3 modes:
enforcing (default) - the policy is enforced; the policy type is targeted (default) or mls. setenforce 1
permissive - any SELinux rules that are violated are logged but the violation does not stop the action. setenforce 0
disabled

To change values permanently edit /etc/sysconfig/selinux; if auditd is running, violations are logged in /var/log/audit.
To change in real time run setenforce enforcing (or setenforce 1) or setenforce permissive (or setenforce 0).
To see the current value run getenforce; sestatus shows more details.

semanage login -l reviews the mapping of current users to SELinux users; to confirm your own, run id -Z
semanage login -a -s user_u bob # user_u: GUI and networking available
restorecon -F /ftp # restore the default context

for a good page on the pro's and con's of disabling see

https://major.io/2013/04/15/seriously-stop-disabling-selinux/

troubleshooting

troubleshooting - don't disable selinux

You have three main tools for diagnosing SELinux policy violations:

audit log (/var/log/audit/audit.log)
ls -Z
ps -AZ

ausearch -m avc -c sudo # helps in an audit search

scenarios
1) a file cannot be read, written to or executed
review perms with ls -l, apply chown/chgrp/chmod
2) access to a secure file is required for a single user
configure acl and then run setfacl to provide access
3) ssh not accessible to a user
check iptables is not stopping access, check the service is running
4) enforcing mode is not set
setenforce enforcing
5) restore the selinux default file context on a directory
restorecon -F
6) unexpected failure when selinux is in enforcing
sealert -a /var/log/audit/audit.log
7) need to change a selinux boolean for a service
setsebool -P

SELinux may cause problems for a network service if it is not configured properly, so you can put SELinux into permissive mode temporarily.
In this mode SELinux keeps working and logs messages to the system log files, but it does not block any network or protected service.

If any files are added to say, /www/testsite/, and you are running SELinux in enforcing mode, then you will likely have an issue when trying to serve them via Apache.
This is because their SELinux file context is not that of httpd_sys_content_t in that custom directory.
SELinux is strict in that nature, and requires that you apply the proper context before it will allow Apache to use them.

The easiest thing to do is reference the man pages for specific syntax. I'll use the example of restoring context to files added into a directory that will be used by apache, but isn't the default system directory.
I copied an index.html file into /www/testsite

~] ls -laZ /www/testsite/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html

You can see this file has a generic file context. When running in "Enforcing",
SELinux will throw permission errors if this page is served via apache. To set proper file contexts,
semanage is the tool to use.

Tip: "man -k _selinux" will show you the man pages for the main applications you will be using, ftpd, httpd, etc. There are good examples in there

First we set context of the directory...

~] semanage fcontext -a -t httpd_sys_content_t "/www/testsite(/.*)?"

Next we restore context recursively...

~] restorecon -F -R -v /www/testsite
restorecon reset /www/testsite context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/testsite/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

Now Apache will have no problem serving files from that directory, because SELinux will be happy with the context.

NOTE: If this didn't happen, and you got an error that semanage isn't found, then you didn't install the package that provides this tool.

~] yum install policycoreutils-python

Make sure you remember this, it could kill your ability to properly perform SELinux tasks on an exam!

getsebool -a | grep httpd # shows selinux boolean items related to httpd

setsebool -P httpd_enable_cgi off # turns an item off; -P makes the change persistent across a reboot

So remember, if you are having issues with SELinux blocking applications like Apache, and all the file contexts are correct, you would next want to look at booleans

Going back to a previous example of trying to serve files from a directory other than the default apache directory, how would I be able to tell SELinux was the problem in that case?

I see a 403 error when I visit the domain after enabling SELinux. So first I would look in the apache error logs for a message as to why I am being denied.

[crit] [client 127.0.0.1] (13)Permission denied: /www/test/public_html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

At this point it would be best to check permissions on the .htaccess file, and sure enough permissions are good. Apache user and Apache group owns it, and it is readable.

Next place to look would be the audit.log, which is the logfile that SELinux uses to log messages.

type=AVC msg=audit(1323618414.869:508): avc: denied { read } for pid=23407 comm="httpd" name=".htaccess" dev=dm-2 ino=1966097 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1323618414.869:508): arch=c000003e syscall=2 success=no exit=-13 a0=7fa80ef2f358 a1=80000 a2=1b6 a3=7469672f7777772f items=0 ppid=1345 pid=23407 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

I can see that /usr/sbin/httpd was denied access to '.htaccess'. At this point we know SELinux is the problem. Looking at the message a little closer, the context can be seen in the log entry, tcontext=unconfined_u:object_r:user_home_t, which is not the httpd_sys_content_t that can be seen on files in the default apache directory.
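Reading an AVC line by eye means picking comm, the permission in braces, tclass, and the type field (third colon-separated part) of scontext and tcontext out of a long record. The following is an added example, not part of these notes: avc_summary pulls exactly those five fields out of a denial, and avc_hint turns the target type into the first thing to check (a generic home/default label points at a file-context problem like the .htaccess case; anything else points at booleans and audit2why). The two sample lines are the httpd denial above and the iptables-save denial quoted later in these notes; the third is a constructed denial on a port type, used to show the boolean branch. Function names are chosen here.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit.log.

# Sample denials: the first two are the audit.log lines quoted in the notes,
# the third is constructed to show a denial that is not a file-label problem.
AVC_HTTPD='type=AVC msg=audit(1323618414.869:508): avc: denied { read } for pid=23407 comm="httpd" name=".htaccess" dev=dm-2 ino=1966097 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
AVC_IPT='type=AVC msg=audit(1307819809.595:16342): avc: denied { write } for pid=22969 comm="iptables-save" path="/root/mytables.txt" dev=sda3 ino=144189 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'
AVC_NET='type=AVC msg=audit(1000000000.000:1): avc: denied { name_connect } for pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_summary LINE: prints "comm permission tclass source_type target_type".
avc_summary() {
    printf '%s\n' "$1" | awk '
    /avc: +denied/ {
        comm = ""; tclass = ""; s = ""; t = ""
        match($0, /denied +[{] *[a-z_]+ *[}]/)          # "denied { read }"
        perm = substr($0, RSTART, RLENGTH)
        gsub(/denied +[{] */, "", perm); gsub(/ *[}]/, "", perm)
        for (i = 1; i <= NF; i++) {                      # key=value fields
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/["]/, "", v)
            if (k == "comm") comm = v
            else if (k == "tclass") tclass = v
            else if (k == "scontext") s = v
            else if (k == "tcontext") t = v
        }
        split(s, sp, ":"); split(t, tp, ":")             # user:role:type:level
        print comm, perm, tclass, sp[3], tp[3]
    }'
}

# avc_hint LINE: the first thing to check, decided by the target type.
avc_hint() {
    set -- $(avc_summary "$1")      # $1=comm $2=perm $3=tclass $4=stype $5=ttype
    case $5 in
        user_home_t|admin_home_t|default_t)
            echo "$1 was denied $2 on a generic label ($5): the file is not where the policy expects it. Either move it under the service's directory or label it: semanage fcontext -a -t <type> '<path>(/.*)?' then restorecon -R -v <path>; audit2why will say if a rule is needed instead" ;;
        *)
            echo "$1 was denied $2 on $5 ($3): the label looks intentional, so check the switches first: getsebool -a | grep $1, then audit2why" ;;
    esac
}

for line in "$AVC_HTTPD" "$AVC_IPT" "$AVC_NET"; do
    avc_summary "$line"
    avc_hint "$line"
done
```

Running this over a whole log (grep 'avc: *denied' /var/log/audit/audit.log | while read -r l; do avc_summary "$l"; done | sort | uniq -c) collapses a noisy log into a handful of distinct comm/type pairs, which is usually all you need before deciding between relabelling, a boolean, or an audit2allow module.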

Lets look at the ftpd man page, which has the best example to pull from...

~] man ftpd_selinux

...
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
restorecon -F -R -v /var/ftp
...

Now replace the proper items in order to make this work:

public_content_t >> httpd_sys_content_t
"/var/ftp(/.*)?" >> "/www/test/public_html(/.*)?"
/var/ftp >> /www/test/public_html

The commands we would end up running would be:

semanage fcontext -a -t httpd_sys_content_t "/www/test/public_html(/.*)?"

And

restorecon -F -R -v /www/test/public_html

Finally, check the context of that .htaccess file.

~] ls -laZ /www/test/public_html
...
-rw-rw-r--. apache apache system_u:object_r:httpd_sys_content_t:s0 .htaccess
...

Looks good, now our page loads. This may seem kind of crazy, but practice with different applications and after a while it will be second nature to troubleshoot this. This is a testable item now though, so you have to learn it.

I think that if you have realized that the issue lies with SELinux that is half the battle and the above can help you with that.

In order to address the policy violations that you might encounter, you will need the audit2why and audit2allow commands. You'll need to install policycoreutils-python

yum install policycoreutils-python

To illustrate how to use this, set SELinux to enforcing:

setenforce 1

Save your iptables configuration to a file:

iptables-save >myiptables.txt

This file is empty, so check the audit log and you'll see the following message:

type=AVC msg=audit(1307819809.595:16342): avc: denied { write } for pid=22969 comm="iptables-save" path="/root/mytables.txt" dev=sda3 ino=144189 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Copy this line to a file, say iptables.audit and run:

audit2why < iptables.audit

You'll get this output:

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

This confirms that the issue is with SELinux, so now let's resolve it:

audit2allow -M iptables -i iptables.audit

This will create a module called iptables.pp, that can be installed with this command:

semodule -i iptables.pp

Now you can safely save your iptables configuration.

As mentioned in a previous post, you should actually set SELinux to permissive in dev/testing as you might have more than one SELinux policy violation and then you'll end up creating loads of modules unnecessarily.
======================
Create, delete, and modify local user accounts

useradd username (By default a group with the username will also be created)

useradd -g groupname username (assign the user to an already existing group)

userdel -r username (-r will also delete home dir and mail spool)

usermod -s /bin/sh username (to modify the shell)

usermod -aG groupname1,groupname2 username (add to other groups)

usermod -l newusername oldusername (change the username)
======================
Create, delete, and modify local groups and group memberships

List the groups a user is in run groups username

Add a group - groupadd sales

Delete a group - groupdel sales

Modify a group's name - groupmod -n salesfolk sales

Modify a group's GID - groupmod -g 217 sales

a UID less than 500 indicates a system account

======================
Change passwords and adjust password aging for local user accounts

The utility used for password aging is chage.

-m <days> Specifies the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire.
-M <days> Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
-d <days> Specifies the number of days since January 1, 1970 the password was changed
-I <days> Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.
-E <date> Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
-W <days> Specifies the number of days before the password expiration date to warn the user.

Examples:

List a user's password expiration info

~] chage --list username

To only allow a user to change their password every 10 days, and no more - chage -m 10 username

Apply immediate expiration - chage -d 0 username
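chage reads and writes the aging fields of /etc/shadow, which are all counted in days since 1970-01-01: field 3 is the last change (-d), 4 the minimum (-m), 5 the maximum (-M), 6 the warning period (-W), 7 the inactive period (-I) and 8 the account expiry (-E). The following is an added example, not part of these notes, that applies those rules to shadow-style records and reports each account's password state, which is the check you want when auditing a box for accounts whose passwords never expire. The records are constructed (the hashes are placeholders) and the function names are chosen here; pass today's day number from days_today for a live run.

```shell
#!/bin/sh
# Added example: report password aging state from /etc/shadow-style records.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:  (days since 1970-01-01)

# Constructed sample records; the hashes are placeholders, not real hashes.
SHADOW_SAMPLE='alice:$6$PLACEHOLDER:15000:0:90:7:::
bob:$6$PLACEHOLDER:15000:0:99999:7:::
carol:!!:0:0:90:7:::
dave:$6$PLACEHOLDER:15000:0:90:7:30::'

# days_today: the current date in the unit chage -d uses (days since the epoch).
days_today() { echo $(( $(date +%s) / 86400 )); }

# shadow_status NAME TODAY [SHADOW_TEXT]: one-line state of NAME's password.
shadow_status() {
    name=$1; today=$2; text=${3:-$SHADOW_SAMPLE}
    entry=$(printf '%s\n' "$text" | grep "^$name:") || { echo "$name: no such account"; return 1; }
    last=$(printf '%s' "$entry" | cut -d: -f3)
    max=$(printf '%s' "$entry" | cut -d: -f5)
    inactive=$(printf '%s' "$entry" | cut -d: -f7)
    if [ "${last:-0}" -eq 0 ]; then                    # chage -d 0: forced change
        echo "$name: must change password at next login"; return 0
    fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then     # no maximum age set
        echo "$name: password never expires"; return 0
    fi
    expires=$(( last + max ))
    if [ "$today" -le "$expires" ]; then
        echo "$name: password expires in $(( expires - today )) days"
    elif [ -n "$inactive" ] && [ "$today" -gt $(( expires + inactive )) ]; then
        echo "$name: account locked (password expired $(( today - expires )) days ago, inactive limit $inactive)"
    else
        echo "$name: password expired $(( today - expires )) days ago"
    fi
}

# shadow_report TODAY [SHADOW_TEXT]: shadow_status for every record.
shadow_report() {
    today=$1; text=${2:-$SHADOW_SAMPLE}
    printf '%s\n' "$text" | cut -d: -f1 | while read -r n; do
        shadow_status "$n" "$today" "$text"
    done
}

shadow_report "$(days_today)"
```

On a real system the same report is shadow_report "$(days_today)" "$(cat /etc/shadow)" run as root; bob-style entries (max 99999) are the ones a policy of chage -M 90 is meant to remove.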

======================

To find the UUID of a device just run:

blkid
/dev/sda1: UUID="f8b694a6-916d-4ffa-8e5c-a7ed8ab25b5d" TYPE="ext4"

Once you have the UUID you can head over to /etc/fstab to create the entry.

Inside of fstab we need to add a line.

UUID=f8b694a6-916d-4ffa-8e5c-a7ed8ab25b5d /mynew_data ext4 defaults 1 2

mount -a to mount and then run mount to check

To check the current label on a drive run e2label /dev/sda1

To mount a filesystem via label requires another step, to label the filesystem. Luckily this is done in one easy step using e2label. I am going to label the filesystem testdrive

e2label /dev/mapper/mynew_data testdrive

Then edit /etc/fstab this time using LABEL=testdrive in place of UUID. So the line should look like:

LABEL=testdrive /mynew_data ext4 defaults 1 2

then mount -a ; mount
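The step that goes wrong here is a mistyped or stale UUID: fstab accepts it, and the next boot stops at the fsck stage because the device never appears. The following is an added example, not part of these notes: fstab_entry builds the fstab line for a device from blkid output (handling swap, which takes no mountpoint and no fsck pass), and fstab_missing_uuids lists every UUID= entry in an fstab that no device reports, which is the check to run before rebooting. The blkid and fstab texts are constructed (the first blkid line is the one shown above); function names are chosen here.

```shell
#!/bin/sh
# Added example: build fstab UUID= entries from blkid output and check an
# fstab for UUIDs that no attached device reports.

# Constructed sample blkid output; the first line is the one from the notes.
BLKID_SAMPLE='/dev/sda1: UUID="f8b694a6-916d-4ffa-8e5c-a7ed8ab25b5d" TYPE="ext4"
/dev/sda2: UUID="0c8d6a1e-2b3f-4d5e-9f1a-7b8c9d0e1f2a" TYPE="swap"'

# Constructed fstab; the second line carries a UUID no device has.
FSTAB_SAMPLE='UUID=f8b694a6-916d-4ffa-8e5c-a7ed8ab25b5d /mynew_data ext4 defaults 1 2
UUID=00000000-dead-beef-0000-000000000000 /old_data ext4 defaults 1 2
LABEL=testdrive /labelled ext4 defaults 1 2'

# fstab_entry DEVICE MOUNTPOINT BLKID_OUTPUT: print the fstab line for DEVICE.
fstab_entry() {
    dev=$1; mnt=$2; blk=$3
    line=$(printf '%s\n' "$blk" | grep "^$dev: ") || return 1
    uuid=$(printf '%s\n' "$line" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
    fstype=$(printf '%s\n' "$line" | sed -n 's/.*TYPE="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] && [ -n "$fstype" ] || return 1
    if [ "$fstype" = swap ]; then
        printf 'UUID=%s swap swap defaults 0 0\n' "$uuid"      # swap: no mountpoint, no fsck
    else
        printf 'UUID=%s %s %s defaults 1 2\n' "$uuid" "$mnt" "$fstype"
    fi
}

# fstab_missing_uuids FSTAB_TEXT BLKID_OUTPUT: print each UUID= entry whose
# UUID blkid does not report; prints nothing when all of them are present.
fstab_missing_uuids() {
    printf '%s\n' "$1" | sed -n 's/^UUID=\([^ ]*\).*/\1/p' | while read -r u; do
        printf '%s\n' "$2" | grep -q "UUID=\"$u\"" || printf '%s\n' "$u"
    done
}

fstab_entry /dev/sda1 /mynew_data "$BLKID_SAMPLE"
fstab_entry /dev/sda2 none "$BLKID_SAMPLE"
echo "UUIDs in fstab with no matching device:"
fstab_missing_uuids "$FSTAB_SAMPLE" "$BLKID_SAMPLE"
```

On a live system the check is fstab_missing_uuids "$(cat /etc/fstab)" "$(blkid)"; an empty result, followed by mount -a, is what you want to see before the reboot. The LABEL= line is skipped by design; e2label is the equivalent check for labels.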
======================
Modify the system bootloader.

Most likely the change you will be administering is the boot order or the timeout. It's always good to have a bit of a timeout in case you really hose your install with a kernel upgrade, ram disk, etc. This gives you that time (in seconds) to choose the old kernel and/or modify boot options.

I always make a backup before messing with this thing; that way if you have to boot into rescue, you can restore your backup and reboot. Never hurts to back these things up beforehand...
=====================

Install and update software packages from Red Hat Network, a remote repository, or from the local file system.

to register a machine with the redhat network run rhn_register and follow the instructions.

To setup a new repo in /etc/yum.repos.d/ create a file with a .repo extension and add

[myremote]
name=myremote
baseurl=http://myremote.com/repo/i386/
enabled=1
gpgcheck=0

Setting up a local repo with a disk is almost the same with a few steps before.

1) First the disk needs to be mounted,

2) the packages copied from Packages/ into another directory on the server. In this case we will use file:///directory/path/to/repo/ as the url, where /directory/path/to/repo/ is the directory that contains the rpm files.

3) Next the package createrepo needs to be installed.

4) Once installed cd into the directory and run createrepo .

5) Now that you have a repo setup, yum needs to know about it. Create a file named mylocal.repo in the /etc/yum.repos.d/ directory.

[mylocal]
name=mylocal
baseurl=file:///directory/path/to/repo/
enabled=1
gpgcheck=0

In either case run a test to check it is working: yum list httpd

======================
Yum

http://linuxblog.info/yum/

======================
Install Red Hat Enterprise Linux automatically using Kickstart.

There are a few ways to create a kickstart file:

1) system-config-kickstart (requires installing this application)

2) using the anaconda-ks.cfg (stored in /root) that was created during an installation.

Presuming it's a premade kickstart file...

Let's say we have this info:

kickstart file = http://192.168.111.23/pub/ks/redhat6.kfg
ip of new install = 192.168.111.222 (same subnet)
netmask = 255.255.255.0

a) we would boot the system with some sort of boot media, most likely the RHEL 6 CD-ROM #1 and at the boot prompt (when it asks you what you want to do) you would type a command like this, substituting your own info:

linux ks=http://192.168.111.23/pub/ks/redhat6.kfg append ip=192.168.111.222 netmask=255.255.255.0
Install Red Hat Enterprise Linux automatically using Kickstart

Troubleshooting steps:
Make sure VM are on the same networks
Make the file available by ftp (install, start the service, mv /root/anaconda.cfg /var/ftp/pub, full permissions, flush the firewall) or httpd (install, start the service, mv /root/anaconda.cfg /var/www/html/, full permissions, flush the firewall)
Start the install: at the prompt press tab and enter ftp://ip/pub/anaconda.cfg or http://ip/anaconda.cfg

If you get the error "unable to read package metadata this may be due to a missing repodata directory. Please ensure that your install tree has been correctley generated cannot find a valid baseurl for repo: Centos"

Try removing the following line from your kickstart file:
repo --name="CentOS" --baseurl=cdrom:sr0 --cost=100

======================
Access remote systems using ssh and VNC

ssh

ssh user@host
ssh -p port_number user@host
ssh -X user@host # X (required to run programs like system-config-users remotely)
ssh -v user@host # used to debug

SCP is a client tool that allows secure copy between hosts.
scp user@from-host:sourcefile user@remote-host:destinationfile - access files from the remote host (copy between two remote hosts)
scp localfile user@server:/home/user/ - copy a file from the local computer to the remote one
scp user@remotehost:file /home/user - copy a file from the remote computer to the local one

scp 123.csv linuxblog.info:~ - copies the file from the local to the remote machine

vnc

1) On the remote machine yum install tigervnc-server

2) Edit /etc/sysconfig/vncservers

VNCSERVERS="2:myusername"
VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -nohttpd"

change the username, and remove the "-localhost" directive.

3) su to the user you will use and run vncpasswd

4) service vncserver start

5) on the client yum install tigervnc

6) vncviewer rhel6.local:5901

troubleshooting tip: if you vnc in and get a black screen make sure your GUI is installed correctly

more on VNC at http://wiki.centos.org/HowTos/VNC-Server
======================

Diagnose and correct file permission problems

the following commands will be your friends:

ls -l directorypath (maybe run an id user to check which groups a user is part of)
getfacl filename
lsattr
selinux

also check log files (useful with apache)
======================

Add new partitions and logical volumes, and swap to a system non-destructively.

general steps

1) add disk
2) fdisk /dev/newdisk
3) at the wizard p,n,p,1,t,p,w
4) mkswap device or mkfs.ext4 device
5) add to fstab or mount manually

lvm http://linuxblog.info/disk-space-increase-lvm/

non lvm http://linuxblog.info/disk-space-increase-non-lvm/

add new swap partition http://linuxblog.info/add-swap/

======================

Notes from the book

chapter 1 -Bits and pieces

if "install or upgrade an existing system" fails, try "install system with basic video driver"
you can install in text or gui mode, but gui mode needs more than 512MB (to get to text mode, tab the line and append "text" to the end of the vmlinuz line)

hard disks are limited to 4 primary partitions; when 4 are not enough an extended partition can be subdivided into logical partitions. If you already have 4 primary partitions you cannot add any new ones, you will need to delete one first.

recommended partitions: /, /boot and swap

to register redhat run rhn_register

selinux is enabled in enforcing mode by default, you can check with the sestatus command
iptables will have some default rules
you can ssh with ssh user@ip

on a kvm host you may see additional rules to allow networking (page 51, but should also be covered in chapter 5)

you may be asked to setup ftp to share files
1) mount the cd/dvd rom (mount -o loop adsa.iso /media # will mount the iso file)
2) cp -ar /mount/point/. /path/to/dir (the trailing dot includes hidden files; -a is archive mode, preserving permissions, ownership and links)

installing apache
1) mount
2) mkdir /var/www/html/inst
3) cp -ar /mount/point/. /var/www/html/inst
4) chcon -R --reference=/var/www/html /var/www/html/inst (applies the selinux context of html to the new folder)
5) open the firewall
6) start the service

ftp
1) yum install vsftpd
2) start the service
3) browse to ftp://127.0.0.1/ (default is /var/ftp/pub which is in a chroot jail)

chapter 2 -kvm

to make sure the right modules are loaded run
lsmod | grep kvm; if it hasn't loaded, modprobe kvm should load it

xen was the default hypervisor in redhat 5

right clicking on the hostname (QEMU) and going to details will give you a good breakdown of the vm's

command line

the service libvirtd is the key service

virt-install
virt-install --prompt will take you wizard like through the interface
virsh
virsh list --all
virsh start server1.example.com
virsh destroy server1.example.com (stop a vm, the equivalent of pulling the power)
virt-clone

the following has some useful links:
http://virt-tools.org/learning/start-list-with-command-line/

kickstart

the kickstart config file can contain root passwords so be careful

**reread kickstart section after playing around myself**

command line tools

mutt -f pop//username@host (-f specifies which mailbox to load)
one way to test a local mail system is using the mail command. the system keeps each users mail in /var/mail
other mail readers store messages in different directories

sending an email:
mail teddy (hit enter)
subject abc (hit enter)
content (hit enter then control d)

or

mail -s 'hosts file' < /etc/hosts root@localhost

in mail you can press the number of email and press enter to read it

lftp is better than ftp: it has slightly better security (it automatically attempts an anonymous connection) and it supports command completion. lftp -u bob ftp.example.org

chapter 3

there are 6 command line consoles, if the gui is installed it takes over the first console ctrl alt and f2 moves to second console then alt and f3.....

default gui is gnome
root has a # prompt while non root has a $
to redirect errors run command 2> err-list
echo $PATH - the path is set globally by the current setting in /etc/profile
alias can be used to simplify commands
named.conf is the key config file for dns
wildcards * (any) ? (single char) [] (range of options)
in vi, to search in the opposite direction use ? instead of /
U restores text from a previous change
vipw, vigr and visudo edit /etc/passwd, /etc/group and /etc/sudoers
yum install gedit is a good gui tool
the less command can read .gz files
sed 's/Windows/Linux/' textfile > newtextfile (first instance on each line)
sed 's/Windows/Linux/g' textfile > newtextfile (all instances)
whatis passwd # shows brief output of what a command does
man 5 passwd opens section 5; the section number lets you access the different sections of the man pages
man -k ls will search all man page descriptions for ls
the gateway is an ip which marks the junction between the local and external network; it's attached to a system or router with an IP on a different network
running netstat -r or route will show you the
dhclient -r - releases a dhcp address
dhclient eth0 # asks a dhcp server for an ip and more (netmask/gateway)
ping6 -I eth0 fe80:.... # pings an ipv6 link-local address; note you need to include a nic
ifconfig eth0 - shows info on just eth0
ifconfig eth0 down and ifconfig eth0 up # force eth0 down and up
ifconfig eth0 192.168.122.150 netmask 255.255.255.0 # sets the IP
arp shows the arp cache (a table of hardware and ip addresses seen by the local computer); it can reveal duplicate addresses on the network (can happen with badly cloned systems)
service network status # shows Configured devices & Currently active devices (a device can be configured but not active)

networking issues
1) run service network status
2) run ifconfig (if there is no output check /etc/sysconfig/network is set up & run chkconfig --list network to make sure it's turned on)

2 tools to configure network devices system-config-network and nm-connection-editor

4 key hostname config files:
/etc/nsswitch.conf - gives the priority of what to search first for a hostname (i.e. hosts: files dns) where files is /etc/hosts and dns is /etc/resolv.conf
/etc/hosts - static database of lookups in the format ip hostname
/etc/resolv.conf - in the format search example.com / nameserver 192.168.122.1 (search appends the example.com domain to lookups of simple hostnames)

hostname is defined from /etc/sysconfig/network file or for realtime run hostname newname
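An added example (not from the book or these notes) that walks the lookup order those three files define, against constructed copies of them, so you can see whether a name would be answered from /etc/hosts or sent to the nameserver with the search domain appended.

```shell
#!/bin/sh
# Added example, not from the book or these notes: walk the hostname lookup
# chain that nsswitch.conf, /etc/hosts and /etc/resolv.conf define, without
# sending any query.  The three paths are parameters so it can be run against
# constructed copies of the files.
# Output: "files <ip>" when the hosts file answers, or "dns <nameserver> <name
# as it would be queried>"; exit status 1 when no listed source can answer.
lookup_host() {
    name="$1"; nsswitch="$2"; hosts="$3"; resolv="$4"
    # "hosts: files dns" -> try the sources in that order
    order=$(sed -n 's/^hosts:[[:space:]]*//p' "$nsswitch")
    for src in $order; do
        case "$src" in
        files)
            # match the name against every hostname/alias field, skipping comments
            ip=$(awk -v n="$name" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$hosts")
            [ -n "$ip" ] && { echo "files $ip"; return 0; }
            ;;
        dns)
            ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv")
            search=$(awk '$1 == "search" { print $2; exit }' "$resolv")
            # a simple name (no dot) gets the search domain appended first
            case "$name" in
                *.*) fqdn="$name" ;;
                *)   fqdn="${name}${search:+.$search}" ;;
            esac
            [ -n "$ns" ] && { echo "dns $ns $fqdn"; return 0; }
            ;;
        esac
    done
    return 1
}

# constructed sample files for a stand-alone run
d=$(mktemp -d)
printf 'hosts: files dns\n' > "$d/nsswitch.conf"
printf '127.0.0.1 localhost\n192.168.122.50 server1.example.com server1\n' > "$d/hosts"
printf 'search example.com\nnameserver 192.168.122.1\n' > "$d/resolv.conf"
lookup_host server1 "$d/nsswitch.conf" "$d/hosts" "$d/resolv.conf"   # files 192.168.122.50
lookup_host tester1 "$d/nsswitch.conf" "$d/hosts" "$d/resolv.conf"   # dns 192.168.122.1 tester1.example.com
rm -r "$d"
```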

scenarios

networking down - check physical connections, run ifconfig, run service network status, review /etc/sysconfig/network
unable to access remote systems - ping locally then externally to narrow down the issue
current network settings lead to conflict - check /etc/sysconfig/network-scripts
network settings not consistent - check config in the /etc/sysconfig/network-scripts files
hostname not recognised - review /etc/sysconfig/network, run the hostname command, check /etc/hosts
remote hostnames not recognised - check /etc/hosts and /etc/resolv.conf, use the dig command
======================

--Chapter4 -- permissions and selinux

chapter 4 -permissions and files access

acl exercise p218
firewall p235

perms

ls -l /usr/bin/passwd: if there is an extra character after the perms,

. means the file has an selinux context
+ means ACL permissions have been applied
an sgid example can be found on /usr/bin/ssh-agent
umask is controlled from /etc/profile (note if you have a UID under 200 you might get a slightly different mask)
to remount a directory, say after you have edited fstab, run mount -o remount /home
chmod 701 on a directory means other people can get at files inside it, but only if they know the file's name, since they cannot list it (although with lots of users it does raise a security issue)
it is better to use setfacl for finer-grained permissions on the directory
to unset facl permissions use -x (remove a specific entry) or -b (remove all)
NFS acl perms can be checked with nfs4_getfacl /directory/path; in the output A=allow, D=deny
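An added example of what that umask does (my own code, not from the book): profile_umask reproduces the rule as I read it in the RHEL 6 /etc/profile (a UID over 199 whose primary group name matches the user name gets 002, everyone else 022), and default_mode shows the file and directory modes that result.

```shell
#!/bin/sh
# Added example (not from the book or these notes) showing what the umask set
# in /etc/profile does to newly created files and directories.
# profile_umask is my reading of the RHEL 6 /etc/profile rule: UIDs above 199
# with a user-private group (group name == user name) get 002; system accounts
# and users whose primary group is shared get 022.
profile_umask() {
    uid="$1"; user="$2"; group="$3"
    if [ "$uid" -gt 199 ] && [ "$user" = "$group" ]; then
        echo 002
    else
        echo 022
    fi
}

# default_mode MASK file|dir: creation starts from 0666 (files) or 0777
# (directories) and the umask bits are cleared; the leading 0 keeps the
# arithmetic in octal
default_mode() {
    mask="$1"; kind="$2"
    case "$kind" in
        dir) base=0777 ;;
        *)   base=0666 ;;
    esac
    printf '%04o\n' $(( base & ~0$mask ))
}

# worked run with constructed accounts: uid, user name, primary group name
for acct in "150 daemon daemon" "500 bob bob" "501 alice users"; do
    set -- $acct
    m=$(profile_umask "$1" "$2" "$3")
    printf 'uid %s (%s:%s) umask %s -> file %s dir %s\n' "$1" "$2" "$3" "$m" \
        "$(default_mode "$m" file)" "$(default_mode "$m" dir)"
done
```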

firewall control

when you send a message over a network, the message is broken down into smaller packets, admin details (type of data,source address,destination address...) are included in each packet
the packets are reassembled when they reach the destination computer
A firewall examines these admin fields to determine if they should be allowed through.

at most basic
iptables -t tabletype action direction -j target

(-t is for the table type: filter (the default, used if not specified) or nat)
action/direction: -A append to the end of a chain
-D delete

*** more reading better section***

system-config-firewall-tui is the text-mode version of the system-config-firewall gui for firewall configuration

selinux

selinux is mandatory access control, above and beyond discretionary access control (rwx perms and acl)
you cannot configure selinux during boot by default (enforcing and targeted are the defaults)
selinux assigns contexts to subjects (a process, i.e. a command in action or an application), objects (files) and actions (what the subject may do to the object)
for example apache (subject) can take web pages (objects) and display them for the world to see (action)
to install semanage run yum -y install policycoreutils-python

you need to know:
1) how to set enforcing/permissive modes

there are 3 modes
enforcing (it protects in either targeted (default) or mls mode)
- targeted lets you customize what is protected in a fine-grained way
- MLS is very fine-grained (levels c0-c3 (top secret))
permissive (violated rules are logged in /var/log/audit/audit.log but the action is not stopped)
disabled

to change, edit /etc/sysconfig/selinux and set SELINUX (enforcing, permissive or disabled) and SELINUXTYPE (targeted or mls)

commands

to see the context of a file run ls -Z
to see the current status run getenforce
to see more info run sestatus
to change the current mode run setenforce permissive or setenforce enforcing (if it's disabled setenforce will not work and you will have to change /etc/sysconfig/selinux and reboot **this may take time**)

to review the state of current users run semanage login -l (unconfined = no restrictions, i.e. full access); you can follow this up by running ls -Z
to change the selinux user for a login: semanage login -a -s user_u david # -a adds, -s specifies the selinux user, where user_u = gui and networking available (see the full list below)

guest_u, no gui, no networking, no access to su or sudo
xguest_u, gui, networking only via firefox
user_u, gui and networking available
staff_u, gui, networking and sudo available
unconfined_u, everything

most selinux settings are booleans; once set the settings are in /selinux/booleans, example user_ping is normally set to 1 (0 = no pinging)
getsebool reads those settings and setsebool sets them (but selinux needs to be enabled first for them to be set)
example: setsebool allow_user_exec_content 0 # add -P to make it survive a reboot
to get more info on each boolean run semanage boolean -l

======================
misc

how do you install setup:

yum -y install setuptool
yum -y install system-config-network*

ifconfig eth0 192.168.1.5 netmask 255.255.255.0 up

stat -c '%a %n' * # shows files octal permission

enable a local repo from cd/dvd

  • mkdir -p /media/cdrom
  • mount /dev/cdrom /media/cdrom
  • vi /etc/yum.repos.d/CentOS-Media.repo and change enabled to 1
  • yum --disablerepo=\* --enablerepo=c6-media install bc # where c6-media is the name within Centos-Media.repo

cat /proc/mounts shows all mounted file systems

mount -l mounts and shows labels

df -aTh shows mounted partitions in human readable form (-h = human readable, -a = all, -T = type)

ls -l /dev/mapper #shows which files are linked to dm-n (where n is a number)

running yum whatprovides /usr/sbin/semanage on another system will show you what you need to install on your system to get the command installed

yum grouplist shows groups
yum groupinstall "Desktop" "Desktop Platform" "X Window System" "Fonts" #install gui

Linux filesystem type The default system id is "83".
82=swap
8e=lvm

3 ways to create a 1Gb file

fallocate -l 1G test.img
dd if=/dev/zero of=1g.img bs=1 count=0 seek=1G
dd if=/dev/zero of=1g.img bs=1024 count=1048576

chsh -l # shows available shells
usermod -s # changes a shell

passwd -l user and passwd -u user # lock and unlock a user
passwd -S user # shows the status of a user

/dev/dm files

it is part of the device mapper and is used for consistent naming, rather than referring to individual drives.
these files are created when you run lvcreate.

To check what setup run:

ls -l /dev/mapper
dmsetup ls

find ./ -name '*.syslog' | xargs stat - runs stat on every file that find returns (quote the pattern so the shell does not expand it first)
find ./ -name 123 -exec mv {} {}.bak \; - renames a file

du -sh --time /* finds the size of all the folders in the root directory and includes a time stamp of when each was last updated