This document provides an overview of networking concepts and tasks in Red Hat Linux, including configuring network settings both graphically and through text files, setting up printing, and setting up NTP client and server. It discusses editing files using both the vi text editor and the gedit graphical editor, and transferring files between local and remote systems using Nautilus and FTP.
01. Introduction and Orientation
------------------------------------------

02. Linux History and Redhat Certification
---------------------------------------------------------

03. Linux Installation I - Graphical Installation
-------------------------------------------------------------
You'll get a quick overview from the screenshots given in the following link:
04. Introduction to vi/vim editor
---------------------------------------------
- vi (pronounced vee-EYE, short for visual) provides basic text editing capabilities.
- Two modes: Insert Mode and Command Mode
- Enter Insert Mode by pressing "Insert"; return to Command Mode by pressing Escape
- You can type whatever you want in Insert Mode
- Command Mode, as its name indicates, lets you command the vi editor to perform something: save, search and replace, move the cursor, quit without saving, cut, copy, paste, remove etc.
- From Command Mode you can switch to Insert Mode by simply pressing "i"
- In Command Mode type:
  :q! --> exit without saving
  :wq --> save and exit
  :w  --> save

More detail about vi will be shown in our LAB class when we work with various files. Students are encouraged to visit:
http://www.washington.edu/computing/unix/vi.html
http://www.eng.hawaii.edu/Tutor/vi.html
http://heather.cs.ucdavis.edu/~matloff/UnixAndC/Editors/ViIntro.html
05. Getting started with Bash
---------------------------------------------------------------
1 / 2 RH124-Day01 Written by Razib Shahriar Rubence

Command  = 1st on the command line
Option   = starts with - or --
Argument = additional parameters

For example, with the command "yum install httpd* -y":
yum     = command
install = argument
httpd*  = argument
-y      = option (which means my answer is always "yes")

Basic Linux Commands:
- pwd --> print working directory: shows which directory you are in and its full path (absolute path of the working directory)
- ls --> show the list of files and directories in the current directory
- cd --> change directory
- cat filename --> read a file
- adduser username --> add a user
- passwd username --> set/change the password for a user or for root
- su username --> change user (su alone switches to the super user, i.e. root)
- mkdir --> make directory
- touch --> create file
- rm --> remove file and directory
- whereis, man and info --> information about a command
- date --> show, edit date and time
- history
- id
- !number

For more basic commands students are encouraged to visit:
http://cri.ch/linux/docs/cg0007.html
http://linuxlots.com/~jam/guide4.html
http://freeengineer.org/learnUNIXin10minutes.html
RH124-Day02
---------------------
Change IP, Gateway, Hostname and DNS Information
(We need these changes for client-server communication in the LAB)

01. Command-line Way:
- File containing IP, Gateway and DNS information: /etc/sysconfig/network-scripts/ifcfg-eth0
- File containing hostname information: /etc/sysconfig/network
  NETWORKING=yes
  NETWORKING_IPV6=no
  HOSTNAME=station20.example.com
- Restart the network service to make each of the above changes effective. A reboot is needed for the hostname change to take effect.
  # service network restart (or # /etc/init.d/network restart)
- Check that the changes took effect:
  # ifconfig (IP information)
  # route -n (gateway information)
  # hostname (hostname information)
  # ping server1.example.com (check that your DNS resolves other computers' hostnames)
  # dig server1.example.com (check the DNS records)

02. Graphical Way:
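Before restarting the network service it is worth checking that the static settings in ifcfg-eth0 agree with each other; a gateway outside the interface's own subnet is the usual reason "ping server1" works while everything beyond the LAN fails. The script below is an added example, not part of the course notes: the file content is constructed for the demo, while the key names (DEVICE, BOOTPROTO, IPADDR, NETMASK, GATEWAY, DNS1) are the real keys used by the Red Hat network scripts.

```shell
#!/bin/sh
# Added example, not part of the course notes: read an ifcfg-eth0 file and
# check that the static configuration is self-consistent before running
# "service network restart". The file below is constructed for the demo;
# the key names are the real ones used by the Red Hat network scripts.

IFCFG=${TMPDIR:-/tmp}/ifcfg-eth0.demo.$$
cat > "$IFCFG" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.0.20
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
DNS1=192.168.0.254
EOF

# ifcfg_get FILE KEY -> value of KEY; the last assignment wins, as it does
# when the network scripts source the file as shell
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# same_subnet IP1 IP2 NETMASK -> true when both addresses share the network
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# ifcfg_check FILE -> prints "ok" or the first problem found (exit 1)
ifcfg_check() {
    proto=$(ifcfg_get "$1" BOOTPROTO)
    ip=$(ifcfg_get "$1" IPADDR)
    mask=$(ifcfg_get "$1" NETMASK)
    gw=$(ifcfg_get "$1" GATEWAY)
    if [ "$proto" = dhcp ]; then echo "ok (dhcp)"; return 0; fi
    if [ -z "$ip" ] || [ -z "$mask" ]; then echo "missing IPADDR or NETMASK"; return 1; fi
    if [ -z "$gw" ]; then echo "no GATEWAY: only the local subnet will be reachable"; return 1; fi
    if ! same_subnet "$ip" "$gw" "$mask"; then
        echo "GATEWAY $gw is not in the subnet of $ip/$mask"; return 1
    fi
    echo ok
}

ifcfg_check "$IFCFG"
```

Run it against the real file with `ifcfg_check /etc/sysconfig/network-scripts/ifcfg-eth0` after editing and before the restart; the subnet test is the same AND-with-netmask arithmetic the kernel uses when it decides whether the gateway is directly reachable.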
Open the "Network Configuration" window from System -> Administration -> Network, or by typing the following in a terminal:
# system-config-network
Edit the information under the "Devices" tab.

GNOME Graphical Desktop and Editing Files with gedit:
------------------------------------------------------------------
- GNOME is the graphical desktop environment which adds menus, icons and panels on top of the X Window System
- It includes integrated applications: gedit, the Nautilus file manager, graphical administration tools
- gedit is used for file editing

LAB Practice:
- Edit files with gedit:
  /etc/issue (to change the starting, pre-login message)
  /etc/grub.conf (to change the first boot OS on a dual/multiple-boot machine)
- Edit the same files with vi/vim:
  # vim /etc/issue
  # vim /etc/grub.conf
  Change default=0 (or 1) to select the OS that boots first.
- Linux File Hierarchy Concepts:
  * Files and directories are organized into a single-rooted inverted tree structure
  * The filesystem begins at the root directory, represented by a lone / (forward slash) character
  * Names are case-sensitive
  * Paths are delimited by /
  * .. refers to the parent directory of any particular directory (one level up in the file hierarchy)
  * . refers to the current directory
- Some important directories:
  * Home directories: /root, /home/username
  * User executables (binary files): /bin, /usr/bin, /usr/local/bin (bin = binary)
  * System executables (system binary files): /sbin, /usr/sbin, /usr/local/sbin (sbin = system binary)
  * Other mount points: /media, /mnt
  * Configuration: /etc
  * Temporary: /tmp
  * Kernels and bootloader: /boot
  * Server data: /var, /srv
  * System information: /proc, /sys (proc = process information pseudo-filesystem)
  * Shared libraries: /lib, /usr/lib, /usr/local/lib
- Absolute Pathnames:
  * Begin with a forward slash
  * Complete "road map" to the file location
  * Can be used any time you wish to specify a file name
- Relative Pathnames:
  * Do not begin with a slash
  * Specify a location relative to our current working directory
  * Can be used as a shorter way to specify a directory or filename

Relative pathnames of a specific file, /usr/share/doc/HTML/index.html, relative to particular directories:

Current Directory ---------------------------------------- Relative Path to index.html
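The rows of that table are what the hierarchy rules produce mechanically: climb from the current directory with ".." until you reach a directory that contains the target, then descend. The function below is an added example, not part of the course notes; it does the computation on the path strings alone (nothing on disk is consulted) and assumes both arguments are absolute, already-canonical paths.

```shell
#!/bin/sh
# Added example, not part of the course notes: compute the relative pathname
# of a file as seen from a given directory, using only the hierarchy rules
# above (components delimited by /, .. = parent, . = current directory).
# Nothing on disk is consulted; both arguments are assumed to be absolute,
# already-canonical paths (no . or .. components in the input).

# relpath FROM_DIR TARGET -> the relative path that names TARGET from FROM_DIR
relpath() {
    case "$2" in /*) ;; *) echo "target must be absolute" >&2; return 1 ;; esac
    common=${1%/}; common=${common:-/}; target=$2; ups=0
    # Walk up from FROM_DIR until we reach a directory that contains TARGET,
    # counting one ".." for every level we had to climb.
    while :; do
        prefix=${common%/}/                  # "/" stays "/", "/usr" -> "/usr/"
        case "$target" in
            "$prefix"*) break ;;             # TARGET lies below common
        esac
        if [ "$target" = "$common" ]; then break; fi
        common=${common%/*}; common=${common:-/}
        ups=$((ups + 1))
    done
    rest=${target#"$prefix"}
    if [ "$target" = "$common" ]; then rest=""; fi
    out=""; i=0
    while [ "$i" -lt "$ups" ]; do out="$out../"; i=$((i + 1)); done
    out="$out$rest"; out=${out%/}
    echo "${out:-.}"
}

# The file from the table above, seen from several current directories.
for dir in /usr/share/doc/HTML /usr/share /etc /usr/local/bin /; do
    printf '%-22s %s\n' "$dir" "$(relpath "$dir" /usr/share/doc/HTML/index.html)"
done
```

The loop at the end prints one table row per directory; `relpath /usr/share /usr/share` returns `.`, which is why `cd .` is a no-op.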
RH124-Day03
---------------------
Nautilus
-----------
Nautilus is a graphical file manager developed for Redhat. Within this file manager window you can create files and folders, view properties, and copy, move, delete, cut and paste files and folders.

Lab Practice:
01. Moving around different folders and creating a new file and folder with Nautilus and the command prompt
- Through Nautilus, create a file (urname_gedit) with gedit in the /usr/geditpractice folder which contains your information
- Through the command prompt, create a file (urname_vim) with vim in the /log/vimpractice folder which contains your information
  # mkdir /log/vimpractice
  # cd /log/vimpractice
  # vim urname_vim

02. Managing Remote Files with Nautilus and the command prompt
- Select Places -> Connect to Server from the top panel. Server type: Public FTP. Put your urname_gedit file into the students folder.
- From the command prompt:
  # cd /log/vimpractice
  # ftp server1.example.com
  Log in with username anonymous and no password.
  ftp> get trainer_info
  ftp> cd students
  ftp> put urname_vim
  ftp> quit
  # cat trainer_info (to read the trainer information)

NTP: Network Time Protocol
----------------------------------------
* Time synchronization makes system logs easier to compare across machines
* Many applications require accurate timing
* Configuration file: /etc/ntp.conf
* Config tool: system-config-date
* Useful commands:
  # date -s hours:minutes (to change the date/time)
  # date (to check the date)
  # ntpdate (use "man ntpdate" to check its uses)

LAB Practice:
01. How to Configure an NTP Client:
- Change the date so it differs from the NTP server:
  # date -s hour:minute
- Launch the Date & Time management tool: System -> Administration -> Date & Time, or type in a terminal:
  # system-config-date
- Click the Time Zone tab:
  - Set the timezone to Dhaka
  - Select "System clock uses UTC"
- Click the Date and Time tab:
  - Select "Synchronize date and time over the network"
  - Delete the existing NTP servers
  - Select "Speed up initial synchronization"
  - Add server1.example.com as NTP server
  - Click OK to synchronize the clock immediately
- Check the date with the command:
  # date

02. How to Configure an NTP Server:
This topic is not covered in RH124. Interested students are encouraged to visit the following sites:
http://www.cyberciti.biz/faq/rhel-fedora-centos-configure-ntp-client-server/
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch24_:_The_NTP_Server

Printer, Print Jobs and Queues
-------------------------------------
* The Common Unix Printing System (CUPS) supports many advanced printing features
* Internet Printing Protocol (IPP) is the web-based management console of CUPS, which can be reached at port 631
* Configuration files: /etc/cups/cupsd.conf, /etc/cups/printers.conf
* Configuration tools: system-config-printer, http://localhost:631
* Useful commands:
  # lpr -P printer-name
  # lpq -a

LAB Practice:
01. Configuring a Local Printer:
# system-config-printer &
- Click New
- LPD/LPR Host or Printer
- Host: localhost, Queue: dummy
- Choose Driver: Generic
- Choose text-only printer
- Short name: stationX-local
- Your printer will be shown in the Local Printer section
- Print a listing of your home directory with the following command:
  # ls /root | lpr -P stationX-lp
- Review the queue:
  # lpq -a
- Review in browser: http://localhost:631
- Share this local printer with other stations: launch system-config-printer -> click Server Settings -> check the box "Share published printers connected..."

02. Configure a Remote Printer (i.e. the printer StationX-lp created in the previous LAB):
# system-config-printer &
- Click New
- Select Internet Printing Protocol under Network Printer
- Host: server1.example.com, Queue: /printers/server1-lp
- Click Verify. It will show that the printer is accessible
- Choose Driver: Generic
- Choose text-only printer
- Short name: stationX-remote
- Click Apply
- Print a listing of your home directory with the following command:
  # ls /root | lpr -P stationX-remote
- Review the queue on the remote printer machine:
  # lpq -a
- Review in browser:
http://remote_machine_ip:631
RH124-Day04
---------------------
What is the MBR, a Primary Partition, an Extended Partition and Logical Partitions?

* MBR (Master Boot Record) - the first sector on the disk. It contains the partition table (a list that describes the locations of partitions on the disk) and a small program that is executed when a computer boots up. The program begins the boot process by looking up the partition table to determine which partition to use for booting. It then transfers control to the boot sector of that partition, which continues the boot process.

* The task of the MBR: the normal job of the MBR program is to search the partition table for the active partition, copy the boot sector from the active partition into memory, and transfer control to that program. If the MBR cannot accomplish this task successfully, it will print one of these error messages:
  Invalid partition table
  Error loading operating system
  Missing operating system

* Primary partition - a partition that is needed to store and boot an operating system. In general, you would install the operating system in a primary partition. A primary partition can be set "active", which allows the computer to locate the operating system that needs to be started. Only one primary partition can be active, but more primary partitions can exist. If more than one primary partition is set active, the computer will not boot; likewise, when no primary partition is set active, the computer will not boot. Only the partition table in the MBR can contain primary partitions.

* Extended partition - can be sub-divided into logical drives and is viewed as a container for logical drives, where the data proper is located. An extended partition is not formatted or assigned a drive letter; it is used only for creating the desired number of logical partitions.

* Logical partitions - the partitions that are created in the extended partition area. A logical partition is a way to get around the initial limit of four partitions. An extended partition can contain up to 24 logical partitions. Logical partitions are used mainly for storing data; they can be formatted and assigned drive letters, and their details are listed in the extended partition's table, the EMBR (Extended Master Boot Record).

To get a clear idea about the boot sequence interested students are encouraged to visit the following site:

Manage Physical Storage
-------------------------------
Key points for PC partitions:
01. The MBR only permits 4 primary partitions
02. One primary partition can be an extended partition, which is a container for other, logical partitions
03. Partitions allow isolation and separation of data (for example system files vs user data)
04. Linux naming scheme: /dev/sda, /dev/sda1
05. /bin, /dev, /etc, /lib and /sbin cannot be stored/mounted on other partitions

LAB Practice: Steps for making a new disk partition that contains an ext4 filesystem and mounts persistently on /sample
01. First we need to assess our current configuration and see if there is free space for a new partition
- Launch the Disk Utility tool from Applications -> System Tools -> Disk Utility
- In the left pane highlight the hard disk where you want to create the new partition
- Under the "Drive" section in the right pane, see the device name and how much free space is available to create a new partition
02. Creating the partition
- Click on "Free" space
- Click Create Partition
- Specify Size, Type (ext4) and Name
- Make sure the "Encrypt underlying device" box is not checked
- Click Apply. You'll get a new partition, for example /dev/sda10
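The four-primary-partition limit, the single extended container and the "exactly one active partition" rule are all just properties of the 64-byte table that sits at offset 446 of the first sector. The script below is an added example, not part of the course notes: it writes a constructed 512-byte MBR image (the sizes and the three partitions in it are invented for the demo) and decodes it with od, so the rules can be seen on the bytes rather than in a GUI.

```shell
#!/bin/sh
# Added example, not part of the course notes: build a constructed 512-byte
# MBR image and decode its partition table with od, to show on the bytes
# what the key points above mean: four 16-byte primary entries at offset
# 446, at most one of them an extended container, exactly one carrying the
# 0x80 "active" flag, and the 0x55 0xAA signature in the last two bytes.

IMG=${TMPDIR:-/tmp}/mbr-demo.$$
{
    dd if=/dev/zero bs=446 count=1 2>/dev/null   # boot code area (zeros here)
    # entry 1: active, type 0x83 Linux, start LBA 2048, 1024000 sectors
    printf '\200\000\000\000\203\000\000\000\000\010\000\000\000\240\017\000'
    # entry 2: type 0x8e Linux LVM, start 1026048, 20971520 sectors
    printf '\000\000\000\000\216\000\000\000\000\250\017\000\000\000\100\001'
    # entry 3: type 0x05 extended container, start 21997568, 4194304 sectors
    printf '\000\000\000\000\005\000\000\000\000\250\117\001\000\000\100\000'
    # entry 4: unused
    printf '\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000'
    printf '\125\252'                            # signature 0x55 0xAA
} > "$IMG"

# mbr_has_signature IMG -> true when bytes 510-511 are 0x55 0xAA
mbr_has_signature() {
    set -- $(od -An -v -tu1 -j 510 -N 2 "$1")
    [ "$1" = 85 ] && [ "$2" = 170 ]
}

# mbr_entry IMG N -> "status type start_lba sector_count" for entry N (0-3);
# the two 32-bit fields are little-endian
mbr_entry() {
    set -- $(od -An -v -tu1 -j $((446 + $2 * 16)) -N 16 "$1")
    start=$(( $9 + ${10} * 256 + ${11} * 65536 + ${12} * 16777216 ))
    count=$(( ${13} + ${14} * 256 + ${15} * 65536 + ${16} * 16777216 ))
    echo "$1 $5 $start $count"
}

# mbr_type_name TYPE -> name of the common partition type codes (decimal in)
mbr_type_name() {
    case "$1" in
        0)   echo "empty" ;;
        5)   echo "Extended" ;;
        15)  echo "Extended (LBA)" ;;
        130) echo "Linux swap" ;;
        131) echo "Linux" ;;
        142) echo "Linux LVM" ;;
        *)   printf 'type 0x%02x\n' "$1" ;;
    esac
}

# mbr_active_count IMG -> number of entries with the 0x80 boot flag
mbr_active_count() {
    img=$1; n=0; i=0
    while [ "$i" -lt 4 ]; do
        set -- $(mbr_entry "$img" "$i")
        if [ "$1" -eq 128 ]; then n=$((n + 1)); fi
        i=$((i + 1))
    done
    echo "$n"
}

# mbr_check IMG -> lists the four entries, then a verdict; exit 1 when the
# table is one the MBR code could not boot from
mbr_check() {
    img=$1; extended=0; i=0
    if ! mbr_has_signature "$img"; then echo "no 0x55AA signature"; return 1; fi
    while [ "$i" -lt 4 ]; do
        set -- $(mbr_entry "$img" "$i")
        case "$2" in 5|15) extended=$((extended + 1)) ;; esac
        echo "entry $((i + 1)): status=$1 $(mbr_type_name "$2") start=$3 sectors=$4"
        i=$((i + 1))
    done
    active=$(mbr_active_count "$img")
    if [ "$extended" -gt 1 ]; then echo "more than one extended partition"; return 1; fi
    if [ "$active" -ne 1 ]; then echo "$active active partitions (exactly 1 needed)"; return 1; fi
    echo "ok: 1 active primary, $extended extended container(s)"
}

mbr_check "$IMG"
```

The same functions work on a real disk's first sector copied out with `dd if=/dev/sda of=mbr.bin bs=512 count=1` (as root); `fdisk -l` prints the same four entries in human form. Logical partitions are not in this table at all: they hang off the extended entry as a chain of further sectors, which is why only the four primaries are visible here.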
We can also do step 02 above from the command line:
- Check the existing partitions
  # fdisk -l
- Start partitioning
  # fdisk -cu /dev/sda
  Type "n" for a new partition
  Take the default "First cylinder" (shown as "First sector" with -u) by pressing ENTER
  Specify the size by typing, for example for a 50 MB partition, "+50M"
  Write the table and quit fdisk by typing "w" ("q" would quit without saving the new partition)
- Check the partitions now
  # fdisk -l /dev/sda <--- you'll see a new partition, for example /dev/sda10
- Make the kernel recognize this partition
  # partprobe /dev/sda
- Format the partition as ext4
  # mkfs.ext4 /dev/sda10
03. Mount the partition
- Create a directory /sample
  # mkdir /sample
04. Mount /dev/sda10 persistently by adding the following to /etc/fstab
  # vim /etc/fstab (add the following as the last line)
  /dev/sda10 /sample ext4 defaults 0 0
05. Reboot and check the file system
  # df -h

Manage Logical Volumes
-------------------------------
A Logical Volume (LV) is a more flexible storage system than the traditional partitioning system. Logical Volume Management (LVM) is a layer of abstraction that allows easy manipulation of volumes, including resizing of filesystems. It allows reorganization of filesystems across multiple physical devices.
- Devices are designated as Physical Volumes
- One or more Physical Volumes are used to create a Volume Group
- Volume Groups are defined with Physical Extents of a fixed size
- Logical Volumes are created on Volume Groups and are composed of Physical Extents
- Filesystems can be created on Logical Volumes

Steps in creating an LV:
- Create physical storage (partition type 0x8e)
- Create a Physical Volume (PV) = disk or partition marked as usable space for LVM
- Create a Volume Group (VG) = collection of PVs, container for Logical Volumes
- Create a Logical Volume (LV) = storage partition flexibly carved out of a VG

LAB Practice: Creating a new physical volume, a new volume group and a new logical volume
01. Create a new partition
- Use Disk Utility to create a new empty partition (select type = empty, meaning without a file system), for example /dev/sda11
- Edit the partition and change its type to Linux LVM (0x8e)
02. Initialize the new partition as a PV
- Go to System -> Administration -> Logical Volume Management
- Expand "Uninitialized Entities" in the left panel
- Expand the disk (i.e. /dev/sda) containing the new partition (i.e. /dev/sda11)
- Select /dev/sda11 (the partition created in the previous step). Confirm that the partition type is 0x8e in the right pane
- Click "Initialize Entity"
- Confirm by clicking Yes; data will be erased
03. Create a new VG using the PV just created
- In the Logical Volume Management window select "Partition 11" under Unallocated Volumes
- Click "Create new Volume Group"
- Specify the Volume Group name (for example vg1), keep the rest at the defaults
- Click OK
04. Create a new LV using the VG just created
- Expand the new VG, i.e. vg1
- Select Logical View
- Click the "Create New Logical Volume" button
- Specify the LV name (for example lv1)
- Specify the LV size, or click "Use remaining" to use the full VG space
- Specify the file system properties (file system type, e.g. ext4; mount point, e.g. /data; mount when rebooted etc.)
- Click OK
- Confirm creating the mount point if necessary
05. Verify with the following commands
# vgdisplay
# lvdisplay
# df -h
# cat /etc/fstab
LAB Practice: Increase/Decrease the size of a Logical Volume
01. Check the current size of the Logical Volume
# lvdisplay
# df -h
02. Open the Logical Volume Management window
03. Under Logical View select the Logical Volume you want to decrease/increase
04. Click "Edit Properties". Type your desired new size in the LV Size text box. Click OK
05. Check the Logical Volume size
# lvdisplay
# df -h
If there is NO UNUSED space in your Volume Group, you first need to add some space to the Volume Group; only then can you increase the size of your Logical Volume. For example, increase the LV to the maximum in the previous step. Now perform the following steps to increase the LV further.
01. Create a new partition
- Use Disk Utility to create a new empty partition (select type = empty, meaning without a file system), for example /dev/sda12
- Edit the partition and change its type to Linux LVM (0x8e)
02. Initialize the new partition as a PV
- Go to System -> Administration -> Logical Volume Management
- Expand "Uninitialized Entities" in the left panel
- Expand the disk (i.e. /dev/sda) containing the new partition (i.e. /dev/sda12)
- Select /dev/sda12 (the partition created in the previous step). Confirm that the partition type is 0x8e in the right pane
- Click "Initialize Entity"
- Confirm by clicking Yes; data will be erased
03. Now add this PV to the existing VG
- Select Partition 12 from Unallocated Volumes
- Click "Add to existing Volume Group". Select the VG, click Add
04. Now click on Logical View. You'll see unused space
05. Click the Logical Volume (lv1), click Edit Properties and you can extend the size of the LV
06. Check the Logical Volume size
# lvdisplay
# df -h
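The GUI hides the arithmetic that decides whether "Edit Properties" can grow an LV at all: an LV is made of whole physical extents, and a Volume Group can only hand out the extents it has free, which is exactly the "add a PV first" rule above. The script below is an added example, not part of the course notes. It reads vgdisplay-style output (constructed here, in the real command's layout; vg1, lv1 and the sizes are assumptions) and prints the lvextend or vgextend step that would be needed, without running either.

```shell
#!/bin/sh
# Added example, not part of the course notes: the extent arithmetic behind
# "if there is no unused space in the Volume Group, add a PV first". It
# reads vgdisplay-style output (constructed below, in the real command's
# layout) and, for a requested LV growth in MiB, says whether lvextend can
# be run now or vgextend is needed first. Commands are printed, not run;
# /dev/vg1/lv1 and the sizes are assumptions for the demo.

VGOUT=${TMPDIR:-/tmp}/vgdisplay.demo.$$
cat > "$VGOUT" <<'EOF'
  --- Volume group ---
  VG Name               vg1
  VG Size               1016.00 MiB
  PE Size               4.00 MiB
  Total PE              254
  Alloc PE / Size       200 / 800.00 MiB
  Free  PE / Size       54 / 216.00 MiB
EOF

# Field readers for the vgdisplay layout above (one value each).
vg_name()    { awk '$1 == "VG" && $2 == "Name" { print $3 }' "$1"; }
vg_pe_mib()  { awk '$1 == "PE" && $2 == "Size" { print int($3) }' "$1"; }
vg_free_pe() { awk '$1 == "Free" && $2 == "PE" { print $5 }' "$1"; }

# lv_extend_plan VGOUT LV WANT_MIB -> the command(s) to grow LV by WANT_MIB,
# rounded up to whole physical extents, or the vgextend step needed first
lv_extend_plan() {
    vg=$(vg_name "$1"); pe=$(vg_pe_mib "$1"); free=$(vg_free_pe "$1")
    need=$(( ($3 + pe - 1) / pe ))            # extents, rounded up
    if [ "$need" -le "$free" ]; then
        echo "lvextend -l +$need $2 && resize2fs $2"
    else
        echo "vgextend $vg <new-pv> first: $need extents needed, $free free ($(( (need - free) * pe )) MiB short)"
    fi
}

lv_extend_plan "$VGOUT" /dev/vg1/lv1 100
lv_extend_plan "$VGOUT" /dev/vg1/lv1 218
```

On a real system feed it `vgdisplay vg1 > /tmp/vg.txt` (as root). The resize2fs step is what the GUI's "Edit Properties" does for you after the LV itself has grown; without it the filesystem shown by `df -h` stays the old size.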
RH124-Day05
---------------------
Day 05   Date: 1st July, 2011   Time: 19:30 to 22:30
-----------------------------------

Monitor System Resources
-------------------------------
Some key points:
01. A process is a system or user task
02. A process consumes CPU and memory resources
03. The PID (Process Identification Number) is a unique number that labels a process
04. When a process creates another process, the original is the parent and the new process is the child
05. Signals can be sent to processes to kill them
06. The nice value is used to determine priority (higher nice = less CPU resources)

LAB Practice:
- Launch the System Monitor tool: Applications -> System Tools -> System Monitor
Useful commands for monitoring system resources:
# top
  The top portion of the report lists information such as the system time, uptime, CPU usage, physical and swap memory usage, and number of processes.
# iostat
  iostat displays the current CPU load average and disk I/O information. This is a great command to monitor your disk I/O usage.
# vmstat
  vmstat reports information about processes, memory, paging, block I/O, traps, and CPU activity.
# ps
  ps reports a snapshot of the current processes.
# free
  free displays the total amount of free and used physical and swap memory in the system, as well as the buffers used by the kernel.
- Launch the Disk Usage Analyzer tool: Applications -> System Tools -> Disk Usage Analyzer
Useful commands for analyzing disk usage:
# df -h
  Shows statistics about the amount of used and free disk space on the specified file system. -h = human-readable format (MB, GB)
# du /etc
  du displays file system block usage. The above example finds out the disk usage statistics of the /etc directory.
Manage System Software
-------------------------------
Install = add functionality to your system
Update = plug security holes that could be exploited by crackers
Remove = reclaim disk space

yum is an interactive, rpm-based package manager. It can automatically perform system updates, including dependency analysis and obsolete processing based on "repository" metadata. It can also perform installation of new packages, removal of old packages and perform queries on the installed and/or available packages among many other commands/services. yum is similar to other high-level package managers like apt-get and smart.

LAB Practice:
01. Create a .repo file in /etc/yum.repos.d/
# cd /etc/yum.repos.d/
# vim rhel6.repo
[base]
name=RHEL6 Server Repository
baseurl=ftp://192.168.0.254/pub/rhel6/Packages
enabled=1
gpgcheck=0
gpgcheck=0 turns off package signature checking; it is only acceptable for the isolated lab repository.
02. Some commands for using yum
# yum clean all <--- clean the yum cache
# yum install package-name <--- install a package with its dependencies
# yum update package-name <--- update a package with its dependencies
# yum list all <--- list all packages available for install/update
# yum list package-name <--- check whether the individual package is available for download
# yum remove package-name <--- remove an installed package
For more information check "man yum"
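Once a machine leaves the lab, every .repo file it carries decides which packages it will install unverified. The script below is an added example, not part of the course notes: it reads the [section] blocks of the .repo files in a directory and reports sections with gpgcheck=0 (yum installs packages from them without checking signatures) and sections whose baseurl is plain ftp:// or http:// (the package list and packages can be altered in transit). Both repo files are constructed; the first reproduces the lab repository above, the second is the same repository with checking turned on (the gpgkey path is the stock Red Hat release-key location, repo.example.com is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the course notes: audit the .repo files in a
# directory before running "yum install". A section with gpgcheck=0 lets
# yum install packages whose signatures were never checked, and a plain
# ftp:// or http:// baseurl can be altered in transit, so both are
# reported. The files below are constructed: the first reproduces the lab
# repository above, the second is the same repository with checking on.

REPODIR=${TMPDIR:-/tmp}/yum.repos.d.demo.$$
mkdir -p "$REPODIR"
cat > "$REPODIR/rhel6.repo" <<'EOF'
[base]
name=RHEL6 Server Repository
baseurl=ftp://192.168.0.254/pub/rhel6/Packages
enabled=1
gpgcheck=0
EOF
cat > "$REPODIR/hardened.repo" <<'EOF'
[base-signed]
name=RHEL6 Server Repository (signed, constructed example)
baseurl=https://repo.example.com/pub/rhel6/Packages
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF

# repo_report -> prints the findings for the section held in the globals
# section/enabled/baseurl/gpgcheck/gpgkey; "ok" when there is nothing to report
repo_report() {
    if [ "$enabled" = 0 ]; then echo "$section: disabled, skipped"; return 0; fi
    findings=""
    case "$gpgcheck" in
        1)  if [ -z "$gpgkey" ]; then
                findings="$findings gpgcheck=1 but no gpgkey (relies on keys already imported);"
            fi ;;
        "") findings="$findings gpgcheck not set (inherits yum.conf [main]);" ;;
        *)  findings="$findings gpgcheck=$gpgcheck (packages not verified);" ;;
    esac
    case "$baseurl" in
        https://*|file://*) ;;
        "") findings="$findings no baseurl;" ;;
        *)  findings="$findings cleartext baseurl $baseurl;" ;;
    esac
    if [ -n "$findings" ]; then echo "$section:$findings"; else echo "$section: ok"; fi
}

# repo_audit FILE -> one report line per [section] in FILE
repo_audit() {
    section=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\])
                if [ -n "$section" ]; then repo_report; fi
                section=${line#\[}; section=${section%\]}
                enabled=""; baseurl=""; gpgcheck=""; gpgkey="" ;;
            enabled=*)  enabled=${line#enabled=} ;;
            baseurl=*)  baseurl=${line#baseurl=} ;;
            gpgcheck=*) gpgcheck=${line#gpgcheck=} ;;
            gpgkey=*)   gpgkey=${line#gpgkey=} ;;
        esac
    done < "$1"
    if [ -n "$section" ]; then repo_report; fi
}

# repo_audit_dir DIR -> audit every *.repo file, prefixing the file name
repo_audit_dir() {
    for f in "$1"/*.repo; do
        repo_audit "$f" | sed "s|^|$(basename "$f"): |"
    done
}

repo_audit_dir "$REPODIR"
```

`repo_audit_dir /etc/yum.repos.d` runs the same check on a real machine. The parser deliberately mirrors yum's own reading of the file: keys apply to the section they follow, and a key missing from the section falls back to yum.conf, which is why "gpgcheck not set" is reported rather than assumed safe.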
Administer Users and Groups
-------------------------------
- User concepts:
01. Every user is assigned a unique user ID number (UID). UID 0 identifies root
02. Users' names and UIDs are stored in /etc/passwd
03. Users are assigned a home directory (usually /home/username) and a program that is run when they log in (usually a shell)
04. Users cannot read, write or execute each others' files without permission
- Group concepts:
01. Users are assigned to groups
02. Each group is assigned a unique group ID number (GID)
03. GIDs are stored in /etc/group
04. Each user is given their own private group (primary group, usually with the same name as the user). A user can be added to other groups (called secondary groups for that user)
05. All users in a group can share files that belong to that group

In the graphical interface: user and group administration can be done from System -> Administration -> Users and Groups
On the command line:
# adduser username <---- create a user
# passwd username <---- change/set the password for a user
# cat /etc/passwd <---- check users' information
# groupadd groupname <---- create a group
# cat /etc/group <---- check groups' information
# usermod -g groupname username <---- change the primary group of a user
# usermod -G groupname username <---- set a secondary group for a user
# usermod -L username <---- lock a user
# usermod -U username <---- unlock a user
# usermod -d directory username <---- change a user's home directory
# usermod -s path_of_shell username <---- change a user's login shell
# usermod -e YYYY-MM-DD username <---- date after which the user's account will be disabled
For more information check:
# man adduser
# man groupadd
# man usermod

LAB Practice:
01. Create a user student and a group rhce. Set the group rhce as student's secondary group
# groupadd rhce
# adduser student
# usermod -G rhce student
02. Create three users user1, user2, user3 with password "password" for all.
# adduser user1
# passwd user1
# adduser user2
# passwd user2
# adduser user3
# passwd user3
- Set group user1 as user2's secondary group
# usermod -G user1 user2
- Log in as user1 and create file1 in his home directory.
# su - user1
$ echo "This line is by user1" > file1
- Log in as user2 and try to read and modify file1
# su - user2
$ cat /home/user1/file1
$ echo "This line is by user2" >> /home/user1/file1
- Log in as user3 and try to read and modify file1
# su - user3
$ cat /home/user1/file1
$ echo "This line is by user3" >> /home/user1/file1
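Reading /etc/passwd and /etc/group by hand gets error-prone as soon as a few users have secondary groups, and the same two files are where the first audit questions are answered: is there a second UID-0 account, and which accounts can actually log in? The script below is an added example, not part of the course notes. Both files are constructed samples; the users match the lab above, plus one planted account ("ops") that carries UID 0 so the check has something to find.

```shell
#!/bin/sh
# Added example, not part of the course notes: read passwd- and group-format
# files and report each user's primary group (the GID field of passwd) and
# secondary groups (the member lists in group), then the two checks an
# auditor runs first on /etc/passwd: accounts other than root with UID 0,
# and accounts that have a real login shell. Both files are constructed;
# the users match the lab above plus one planted UID-0 account ("ops").

PASSWD=${TMPDIR:-/tmp}/passwd.demo.$$
GROUP=${TMPDIR:-/tmp}/group.demo.$$
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
student:x:500:500::/home/student:/bin/bash
user1:x:501:501::/home/user1:/bin/bash
user2:x:502:502::/home/user2:/bin/bash
user3:x:503:503::/home/user3:/bin/bash
ops:x:0:504::/home/ops:/bin/bash
EOF
cat > "$GROUP" <<'EOF'
root:x:0:
bin:x:1:
rhce:x:499:student
student:x:500:
user1:x:501:user2
user2:x:502:
user3:x:503:
ops:x:504:
EOF

# primary_group USER -> name of the group whose GID matches USER's GID field
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$PASSWD")
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$GROUP"
}

# secondary_groups USER -> space-separated groups listing USER as a member
secondary_groups() {
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] == u) { sep = (out == "") ? "" : " "; out = out sep $1 } }
        END { print out }' "$GROUP"
}

# membership_report -> one line per user: "user primary=<g> secondary=<g ...>"
membership_report() {
    awk -F: '{ print $1 }' "$PASSWD" | while read -r u; do
        echo "$u primary=$(primary_group "$u") secondary=$(secondary_groups "$u")"
    done
}

# uid0_accounts -> login names with UID 0 other than root (should be none)
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD"
}

# login_accounts -> accounts whose shell is not nologin/false, i.e. that can
# open an interactive session; review any service account that shows up here
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$PASSWD"
}

membership_report
echo "UID 0 accounts other than root: $(uid0_accounts | tr '\n' ' ')"
echo "accounts with a login shell: $(login_accounts | tr '\n' ' ')"
```

Point PASSWD and GROUP at /etc/passwd and /etc/group to run it on a real system. Note that `usermod -G` replaces the whole secondary-group list, so the membership report is also the quickest way to confirm a user did not silently lose a group during the lab.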
Manage Files from the Command Line
-------------------------------
Recall the following commands:
# cd
# cp
# mv
# mkdir
# rmdir (remove an empty directory)
# rm -rf (remove a non-empty directory)
# touch
# ln -s <--- create a symbolic link

LAB Practice:
- Create two users, rahim and karim, with password "password".
# adduser rahim
# adduser karim
# passwd rahim
# passwd karim
- Create two sub-directories (rahimdir and karimdir) in their home directories.
# mkdir /home/rahim/rahimdir
# mkdir /home/karim/karimdir
- Copy the /etc/passwd file to rahimdir.
# cp /etc/passwd /home/rahim/rahimdir
- Rename the file as rahimfile.
# cd /home/rahim/rahimdir
# mv passwd rahimfile
- Make a symbolic link from rahimfile to karimfile in karimdir
# cd /home/karim/karimdir
# ln -s /home/rahim/rahimdir/rahimfile karimfile
- Read karimfile
# cat karimfile <----- you'll see the contents of /etc/passwd in karimfile
RH124-Day06
---------------------
Secure Linux File Access
-------------------------------
01. UGO concepts: with respect to a file there are three classes of users: its owner (User), members of the group it belongs to (Group) and all other users (Other)
02. Three basic permissions for files and directories: read access (r), write access (w) and execute access (x). A minus (-) means the permission is not set
03. File permissions: r = read/view, w = write/update, x = execute/run
04. Directory permissions: r = list contents, w = create/delete contents, x = access (enter)
05. Changing permissions, symbolic method:
    chmod WhoWhatWhich file/directory
    Who = u,g,o,a   What = +,-,=   Which = r,w,x
06. Changing permissions, numeric method:
    chmod #$% file/directory
    where # = sum of the owner's permissions: r(4)+w(2)+x(1)
          $ = sum of the group's permissions: r(4)+w(2)+x(1)
          % = sum of others' permissions: r(4)+w(2)+x(1)
07. Managing ownership:
    # chown user file/directory
    # chgrp group file/directory
08. SGID bit: normally files created in a directory belong to the user's default group. When a file is created in a directory with the SGID bit set, it belongs to the same group as the directory
    # chmod g+s directory, or # chmod 2770 directory
09. Sticky bit: normally users with write permission on a directory can delete any file in that directory regardless of that file's permissions or ownership. With the sticky bit set on a directory, only the owner of a file can delete the file
    # chmod o+t directory, or # chmod 1777 directory
10. SUID bit: if the setuid bit is set, when the file is executed by a user, the process has the same rights as the owner of the file being executed
    # chmod u+s file, or # chmod 4777 file
You can set the bits with a numeric mode, but cannot clear bits in numeric mode. To clear the sticky bit, SGID and SUID use:
    # chmod a-st directory
From RHEL6 the numeric method cannot be used to clear any bit. The reason behind this change to the coreutils chmod command can be found in the following discussion forum:
http://lists.gnu.org/archive/html/bug-coreutils/2011-03/msg00154.html
11. Check the permission and ownership information:
    # ls -l file/directory
    # stat file/directory

LAB Practice:
01. Create three users curly, larry and moe who are members of a group called stooges.
# groupadd stooges
# adduser -G stooges curly
# adduser -G stooges larry
# adduser -G stooges moe
02. Create a directory called /home/stooges where these three users can work collaboratively on files.
# mkdir /home/stooges
# chgrp stooges /home/stooges
03. Modify the permissions on this directory so only they can access, create and delete files in that directory (no permissions for others).
# chmod 770 /home/stooges
# stat /home/stooges
04. Files created in this directory should automatically be assigned a group ownership of stooges
# chmod g+s /home/stooges
# stat /home/stooges
05. Make sure that only the owner of a file in /home/stooges can delete the file
# chmod o+t /home/stooges
# stat /home/stooges
06. Log in as different users and check that everything works as above
[root@station33 Desktop]# su - curly
[curly@station33 ~]$ echo "this file is created by curly" > /home/stooges/filebycurly
[curly@station33 ~]$ exit
logout
[root@station33 Desktop]# su - larry
[larry@station33 ~]$ cat /home/stooges/filebycurly
this file is created by curly
[larry@station33 ~]$ echo "this line is by larry" >> /home/stooges/filebycurly
[larry@station33 ~]$ cat /home/stooges/filebycurly
this file is created by curly
this line is by larry
[larry@station33 ~]$ rm -Rf /home/stooges/filebycurly
rm: cannot remove `/home/stooges/filebycurly': Operation not permitted

Remote GNOME Desktop Access
-------------------------------
- Allow access to a running desktop: System -> Preferences -> Remote Desktop
- Access a running desktop: Applications -> Internet -> TigerVNC Viewer

Remote Shell Access
# ssh root@remote_ip_address

Remote File Copy
# rsync original_file remote_ip_address:/target/new_file

Using SSH Keys
- Generate an SSH key pair
# ssh-keygen
- Install the SSH public key on a remote server
# ssh-copy-id root@remote.host

Service Enable/Disable/Restart
01. In the graphical user interface: System -> Administration -> Services
02. From the command line:
# service service-name start/stop/restart
# /etc/init.d/service-name start/stop/restart

- Securing SSH access to a server
# vim /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
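The numeric and symbolic chmod forms above are two spellings of the same twelve bits, and the RHEL6 note about numeric modes not clearing bits is a rule about which of those bits a short octal number is allowed to touch. The script below is an added example, not part of the course notes: it decodes the mode column of `ls -l` into four octal digits, applies symbolic expressions such as g+s, o+t and a-st to an octal mode, and models the coreutils rule that a numeric mode of fewer than five digits leaves a directory's setuid and setgid bits alone. All values are computed on strings; no real file is changed.

```shell
#!/bin/sh
# Added example, not part of the course notes: the arithmetic behind the
# numeric and symbolic chmod forms above, done as string/bit operations so
# the values can be checked without touching a file. mode_from_ls decodes
# the mode column of "ls -l" into four octal digits; apply_symbolic applies
# one symbolic expression (u+s, g+s, o+t, a-st, g=rx ...) to an octal mode;
# apply_numeric shows the RHEL6 coreutils rule that a numeric mode of fewer
# than five digits leaves the setuid/setgid bits of a directory untouched.

# oct_to_int "2770" -> 1528
oct_to_int() {
    n=0; rest=$1
    while [ -n "$rest" ]; do
        tail=${rest#?}; digit=${rest%"$tail"}
        n=$((n * 8 + digit)); rest=$tail
    done
    echo "$n"
}

# perm_digit RWX -> 0-7 for one three-character group; s/t count as x set,
# S/T as x clear (that is how ls shows the special bits)
perm_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# mode_from_ls MODESTRING -> four octal digits, e.g. drwxrws--T -> 3770
mode_from_ls() {
    s=${1#?}                                   # drop the file-type character
    u=$(perm_digit "$(echo "$s" | cut -c1-3)")
    g=$(perm_digit "$(echo "$s" | cut -c4-6)")
    o=$(perm_digit "$(echo "$s" | cut -c7-9)")
    special=0
    case "$s" in ??[sS]??????) special=$((special + 4)) ;; esac   # SUID
    case "$s" in ?????[sS]???) special=$((special + 2)) ;; esac   # SGID
    case "$s" in ????????[tT]) special=$((special + 1)) ;; esac   # sticky
    echo "$special$u$g$o"
}

# apply_symbolic OCTAL EXPR -> mode after "chmod EXPR" on a file of mode OCTAL
apply_symbolic() {
    m=$(oct_to_int "$1")
    who=${2%%[+=-]*}; rest=${2#"$who"}         # who may be empty (means a)
    op=${rest%"${rest#?}"}; perms=${rest#?}
    case "${who:-a}" in *a*) who=ugo ;; esac
    bits=0; mask=0
    for w in u g o; do
        case "$who" in *$w*) ;; *) continue ;; esac
        case "$w" in u) shf=6; sp=2048 ;; g) shf=3; sp=1024 ;; o) shf=0; sp=0 ;; esac
        mask=$((mask | (7 << shf)))            # rwx bits of this class
        case "$perms" in *r*) bits=$((bits | (4 << shf))) ;; esac
        case "$perms" in *w*) bits=$((bits | (2 << shf))) ;; esac
        case "$perms" in *x*) bits=$((bits | (1 << shf))) ;; esac
        case "$perms" in *s*) bits=$((bits | sp)) ;; esac       # setuid/setgid
        case "$perms" in *t*) bits=$((bits | 512)) ;; esac      # sticky
    done
    case "$op" in
        +) m=$((m | bits)) ;;
        -) m=$((m & ~bits)) ;;
        =) m=$(( (m & ~mask) | bits )) ;;      # rwx replaced; s/t only if named
    esac
    printf '%04o\n' "$m"
}

# apply_numeric KIND OLD NEW -> mode after "chmod NEW" on a file (KIND=file)
# or directory (KIND=dir) currently at OLD; with fewer than five digits the
# directory keeps its setuid/setgid bits, so "chmod 755" turns 2775 into 2755
apply_numeric() {
    old=$(oct_to_int "$2"); new=$(oct_to_int "$3")
    if [ "$1" = dir ] && [ "${#3}" -lt 5 ]; then
        new=$(( new | (old & 3072) ))          # 3072 = 04000 | 02000
    fi
    printf '%04o\n' "$new"
}

mode_from_ls drwxrws--T        # 3770
apply_symbolic 0770 g+s        # 2770
apply_symbolic 0777 o+t        # 1777
apply_symbolic 6777 a-st       # 0777
apply_numeric dir 2775 755     # 2755
apply_numeric dir 2775 00755   # 0755
```

`mode_from_ls "$(ls -ld /home/stooges | cut -c1-10)"` turns the lab directory's listing into the four digits `stat` reports. The apply_numeric rule is the practical reason for the `chmod a-st` advice above: on a directory, `chmod 755` alone will not remove a setgid bit, but `chmod 00755` or a symbolic expression will.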
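Editing sshd_config is only half of "securing SSH access": the file is often already long, and sshd takes the first occurrence of a keyword and ignores any later one, so a hardening line appended at the bottom may never take effect. The script below is an added example, not part of the course notes. It reports the effective value of the two directives changed above, applying sshd's first-match and case-insensitive keyword rules, against two constructed files: a stock-looking one whose lines are all commented out, and the hardened one.

```shell
#!/bin/sh
# Added example, not part of the course notes: report the effective value of
# the two sshd_config directives changed above. sshd takes the first
# occurrence of a keyword and ignores later ones, and keywords are
# case-insensitive; both rules are applied here. The two files are
# constructed: a stock-looking file whose lines are all commented out, and
# the hardened one.

LOOSE=${TMPDIR:-/tmp}/sshd_config.loose.$$
TIGHT=${TMPDIR:-/tmp}/sshd_config.tight.$$
cat > "$LOOSE" <<'EOF'
# commented lines show the compiled-in defaults; nothing is enforced
#PermitRootLogin yes
#PasswordAuthentication yes
Protocol 2
EOF
cat > "$TIGHT" <<'EOF'
Protocol 2
permitrootlogin no
PasswordAuthentication no
# a later duplicate is ignored by sshd; the first value above stands
PermitRootLogin yes
EOF

# sshd_get FILE KEYWORD DEFAULT -> effective value: first uncommented
# occurrence of KEYWORD (any case), else DEFAULT
sshd_get() {
    v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
    echo "${v:-$3}"
}

# sshd_audit FILE -> "ok" or the directives still at a weak value; the
# defaults (yes/yes) are the OpenSSH 5.x ones shipped with RHEL6
sshd_audit() {
    f=""
    case "$(sshd_get "$1" PermitRootLogin yes)" in
        no|without-password|prohibit-password) ;;
        *) f="${f}PermitRootLogin should be no; " ;;
    esac
    case "$(sshd_get "$1" PasswordAuthentication yes)" in
        no) ;;
        *) f="${f}PasswordAuthentication should be no (install a key with ssh-copy-id first); " ;;
    esac
    echo "${f:-ok}" | sed 's/; $//'
}

sshd_audit "$LOOSE"
sshd_audit "$TIGHT"
```

Run `sshd_audit /etc/ssh/sshd_config` after editing and before `service sshd restart`. The order in the notes matters: run ssh-keygen and ssh-copy-id first, confirm the key login works, and only then set PasswordAuthentication no, otherwise the restart locks you out of the server.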
RH124-Day07
---------------------
Day 07   Date: July 8, 2011   Time: 19:00 - 22:30
-----------------------------------
Manage Physical Storage
-------------------------------
Some of the most useful file system attributes used by the Linux ext4 filesystem:

01. Journal:
A journaling file system keeps track of the changes that will be made in a journal (usually a circular log in a dedicated area of the file system) before committing them to the main file system. ext3 and ext4 file systems journal the blocks they write to disk. In the event of a system crash or power failure, such file systems are quicker to bring back online and less likely to become corrupted. Interested students are encouraged to visit the following URL for more about journaling filesystems:
Disks in Linux are assigned special device files. Anytime you replace a drive Linux is liable to 1 / 12 RH124-Day07 Written by Razib Shahriar Rubence change that file based on the order which it sees the new disk. Filesystem labels provide an alternative way for Linux to identify the partitions and drive and mount them where they belong.
On Red Hat systems partitions are automatically labeled if they are created during install.You can see this in /etc/fstab:
# cat /etc/fstab
In day-to-day administration, though, we often create partitions without labels. We then put the path to the device file in /etc/fstab and point it to the mount point. This presents a problem when replacing a disk in your machine, because the device path can change.
03. Options :
- user_xattr: user-specified extended attributes (in short user_xattr) is a file system feature that enables users to associate files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem (such as permissions or records of creation and modification times).
- acl: Access Control List. Traditionally, a file object in Linux is associated with three sets of permissions. These sets assign read (r), write (w), and execute (x) permissions for the three user classes: file owner, group, and other. Nine bits are used to determine the characteristics of all objects in a Linux file system. Additionally, the set user id, set group id, and sticky bits can be set for special cases. ACLs can be used for situations where the traditional file permission concept does not suffice. They allow the assignment of permissions to individual users or groups even if these do not correspond to the owner or the owning group.
LAB Practice:
- Create a new 256 MB partition and use ext4 as the file system type
Use disk utility to create the partition (say /dev/sda11)
- List the file system attributes
# tune2fs -l /dev/sda11
- Add the label "test" to the file system
# tune2fs -L test /dev/sda11
- Add user_xattr and acl as default mount options
# tune2fs -o user_xattr,acl /dev/sda11
- Mount the file system as /test
# mkdir /test
# mount /dev/sda11 /test
Linux Swap Space
Swap is used in Linux to extend the system's virtual memory. It is used when the system begins to run out of RAM. Linux has two forms of swap space: the swap partition and the swap file. The swap partition is an independent section of the hard disk used solely for swapping; no other files can reside there. The swap file is a special file in the filesystem that resides amongst your system and data files.
Important Points:
01. Partition ID for swap: 0x82
02. Can reside in a logical volume
03. Access is controlled by swapon and swapoff command
LAB Practice:
01. With Disk Utility create a 1 GB swap partition (say /dev/sda13)
02. Add the following entry at the end of /etc/fstab (the mount point field of a swap entry holds the placeholder swap)
/dev/sda13 swap swap defaults 0 0
03. Activate the swap space
# swapon -a
04. See the swap is activated
# swapon -s
05. To deactivate, run the following command
# swapoff /dev/sda13
Linux Graphical Installation:
We'll see the graphical installation in our LAB Class
Control the Boot Process:
Bootloader: a program that loads an operating system kernel into memory and executes it
GRUB: GRand Unified Bootloader, the bootloader used by Red Hat Enterprise Linux
Run Level: the state of a system that defines which services are available
Common runlevels:
0 - halt (Do NOT set initdefault to this)
1 - Single user mode
2 - Multiuser, without NFS (The same as 3, if you do not have networking)
3 - Full multiuser mode
4 - unused
5 - X11
6 - reboot (Do NOT set initdefault to this)
You can set the default runlevel in the last line of the /etc/inittab file:
id:5:initdefault:
Interested students are encouraged to visit the following sites for more detail about the boot process
- Get control of a machine with an unknown root password
01. Interrupt the GRUB countdown by pressing [Esc] key
02. Use arrow keys to select the kernel
03. Press "e" key to edit the kernel
04. append "single" to the end of the kernel line
05. Hit [Enter]
06. press "b" to boot
07. you'll get a shell prompt without being asked for the root password
08. change the root password
# passwd
09. reboot the machine
- Boot into an older kernel after installing a new kernel
01. install the new kernel through yum
# yum install new-kernel
02. check that the new kernel is listed in grub.conf and select the old kernel as the default
# vim /etc/grub.conf
change the value of default so that the older kernel boots
03. reboot the system
# init 6
Deploy File Sharing Service (FTP service)
Steps for Deploying File Transfer Protocol (FTP) Service
01. Install vsftpd package
# yum install vsftpd* -y
02. Check and Edit the configuration file
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES <---------- allow login with username anonymous and no password
local_enable=NO <---------- no other user of this machine can log in
write_enable=NO <---------- logged-in users have no write permission on files/folders
03. place a file in public folder
# cd /var/ftp/pub
#echo "this file is in public folder" > myfile
04. start the vsftpd service
# service vsftpd start
05. make vsftpd service persistent
# chkconfig vsftpd on
06. check ftp service
# ftp 192.168.0.253
login as anonymous (if anonymous_enable=YES) or with a local username (if local_enable=YES)
ftp> cd pub <--- change the directory from /var/ftp to /var/ftp/pub
ftp> ls <--- list of files in this folder
ftp> get myfile <--- save the file in local computer
ftp> quit <--- To exit
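As an added example (not from the course notes and not vsftpd's own code), the following POSIX shell script audits a vsftpd.conf for the three settings used in step 02 above, working on a constructed sample written to a temporary file. Two assumptions are built in and labelled in the code: when a key appears more than once the last well-formed line is taken as effective, and a line with whitespace around "=" is reported as malformed, because vsftpd requires the form option=value with no spaces.

```sh
#!/bin/sh
# Added example, not from the course notes or from vsftpd: audit the three
# vsftpd.conf settings used in the deployment steps. Assumptions (labelled):
# (1) when a key appears more than once, the last well-formed line is taken
# as effective; (2) a line with whitespace around "=" is reported as
# malformed, because vsftpd requires option=value with no spaces.

# Constructed sample, written to a temp file (not a real server's file).
SAMPLE_VSFTPD_CONF="$(mktemp)"
cat > "$SAMPLE_VSFTPD_CONF" <<'EOF'
# constructed sample configuration
#anonymous_enable=NO
anonymous_enable=YES
local_enable=YES
write_enable = NO
local_enable=NO
EOF

# vsftpd_option FILE KEY: print the effective value of KEY ("unset" if absent).
vsftpd_option() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }       # comments and blank lines
        /[[:space:]]/               { next }       # malformed: not parsed by vsftpd
        $1 == key                   { val = $2 }   # assumption: last one wins
        END { if (val == "") print "unset"; else print val }
    ' "$1"
}

# vsftpd_malformed FILE: print non-comment lines that contain whitespace.
vsftpd_malformed() {
    grep -v '^[[:space:]]*#' "$1" | grep '[[:space:]]'
}

# vsftpd_anonymous_readonly FILE: succeed when the file matches the lab's
# intent: anonymous logins on, local logins off, no write access.
vsftpd_anonymous_readonly() {
    [ "$(vsftpd_option "$1" anonymous_enable)" = "YES" ] &&
    [ "$(vsftpd_option "$1" local_enable)" = "NO" ] &&
    [ "$(vsftpd_option "$1" write_enable)" = "NO" ]
}

for key in anonymous_enable local_enable write_enable; do
    echo "$key = $(vsftpd_option "$SAMPLE_VSFTPD_CONF" "$key")"
done
if malformed="$(vsftpd_malformed "$SAMPLE_VSFTPD_CONF")"; then
    echo "malformed lines (vsftpd rejects these):"
    echo "$malformed"
fi
if vsftpd_anonymous_readonly "$SAMPLE_VSFTPD_CONF"; then
    echo "vsftpd.conf: anonymous read-only, as intended"
else
    echo "vsftpd.conf: NOT as intended"
fi
```

In the sample the only write_enable line is malformed, so the audit reports write_enable as unset and the file fails the check even though every key looks present at a glance; that is the kind of mistake worth catching before `service vsftpd start`.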
Deploy Web Service (httpd service)
01. Install httpd package
# yum install httpd* -y
02. Check and Edit the configuration file
# vim /etc/httpd/conf/httpd.conf
ServerName station253.example.com
03. create index file in web server
# cd /var/www/html
#echo "this file is index file " > index.html
04. start the httpd service
# service httpd start
05. make httpd service persistent
# chkconfig httpd on
06. check web service
Launch firefox internet browser and browse to http://station253.example.com
-------------------------------- Day 08 Review Class --------------------------------
Change the root password of your machine to redhat. Configure your machine to boot into runlevel 5 by default.
Configure the network for your machine as per the following information:
IP Address: 192.168.0.X/24 <----- ask your instructor for the value of X
Gateway: 192.168.0.254
DNS: 192.168.0.254
Hostname: stationX.example.com
You can get the packages by FTP service using the following information:
Repository Server address: 192.168.0.254
Repository Directory: /var/ftp/pub/rhel6/Packages
01. Configure your station to synchronize with server1.example.com using NTP, and set the timezone to the appropriate one for your locale. Make the hardware clock store UTC time.
02. Configure a network printer to send print jobs to an IPP print queue on server1.example.com called /printers/queue. Your print queue should be called remote-test and should be the default print queue.
03. Create a new partition on your hard disk that is 512MB in size and doesn't render the rest of the disk unusable. It should not be encrypted and it should contain an ext4 filesystem that mounts under the /extras mount point persistently when the system boots.
04. Create a 2 GB volume group called extra with a logical volume called iso that contains an ext4 file system and will be mounted as /iso. Allocate the file system so it can be migrated to a larger device and grown without downtime.
05. Create three accounts curly, larry and moe who are members of a group called stooges which has GroupID 4000. Create a directory called /home/stooges where these three users can work collaboratively on files. Modify the permissions on this directory so that only the user and group can access, create and delete files in that directory. Files created in this directory should automatically be assigned a group ownership of stooges.
06. Create two new physical partitions 512 MB in size each. With the first partition, create swap space and make it persistent. With the second partition create an ext4 filesystem persistently mounted on /opt with acl as a default mount option.
07. Create a folder curlyfolder in curly's home directory. Download the "instructor_vim" file from ftp://192.168.0.254/pub and put it in curlyfolder. Archive curlyfolder into /tmp/curlyfolderX.tar.bz2.
08. Create a user "student" with password "password" on your station. Create an ssh key for student and copy student's public key to the student account on server1.example.com. The password of the student account on server1.example.com is also "password".
09. Copy the file curlyfolderX.tar.bz2 created in question 7 to the student's home folder on server1.example.com.
10. Configure your station to provide both FTP and web services. Disable non-anonymous FTP access. Download the index.html file from ftp://192.168.0.254/pub/. Configure your machine to serve identical file content to both anonymous FTP and HTTP users. The following URLs should both display the file you downloaded above:
ftp://stationX.example.com/pub/index.html
http://stationX.example.com/index.html
11. Download and install kernel-debug from ftp://server1.example.com/pub/Packages. Make the older kernel the default.
-------------------------------- Day 09 Solution for the Practice Exam --------------------------------
Change the root password of your machine to redhat. Configure your machine to boot into runlevel 5 by default.
Solution:
01. Switch on your station. Interrupt the GRUB countdown with the ESC key.
02. Use the arrow keys to select the kernel.
03. Use "e" to edit the kernel configuration.
04. Type "1" at the end of the kernel line to boot in single user mode.
05. Hit Enter. Press "b" to boot.
06. You'll get the command prompt without being asked for the root password.
07. Disable SELinux and change the password to "redhat"
# setenforce 0
# passwd
08. Type "reboot" after changing the password.
09. After the reboot, change the default runlevel to "5"
# vim /etc/inittab
id:5:initdefault:
##################################################################
Configure the network for your machine as per the following information:
IP Address: 192.168.0.X/24 <----- ask your instructor for the value of X
Gateway: 192.168.0.254
DNS: 192.168.0.254
Hostname: stationX.example.com
Solution:
01. Right-click on the NetworkManager applet to open its context menu, which is the main point of entry for interacting with NetworkManager to configure connections.
# dig server1.example.com
# ping server1.example.com
#########################################################################
You can get the packages by FTP service using the following information:
Repository Server address: 192.168.0.254
Repository Directory: /var/ftp/pub/rhel6/Packages
Solution:
- You need to create a .repo file in /etc/yum.repos.d/ to get access to the repository server
# cd /etc/yum.repos.d
# vim server.repo
[base]
name=Server1 Repository
baseurl=ftp://192.168.0.254/pub/rhel6/Packages
gpgcheck=0
- Check that yum is working
# yum list all
# yum install vim* -y
# yum clean all <-- remove cached data
############################################################
01. Configure your station to synchronize with server1.example.com using NTP, and set the timezone to the appropriate one for your locale. Make the hardware clock store UTC time.
Solution:
- Open the Date/Time Properties window
# system-config-date &
- Click on the Time Zone tab
- Select the nearest city, "Dhaka". Click on "System Clock uses UTC"
- On the Date and Time tab, click "Synchronize date and time..."
- Delete the existing NTP servers
- Click Add and add the NTP server server1.example.com
- Click Advanced Options and click "Speed up initial synchronization"
- Click OK
############################################################
02. Configure a network printer to send print jobs to an IPP print queue on server1.example.com called /printers/queue. Your print queue should be called remote-test and should be the default print queue.
Solution:
- Open Printer configuration by clicking System->Administration->Printer or by typing "system-config-printer" in a terminal
- Click the New button.
- Click Network Printer
- Select Internet Printing Protocol (ipp) and enter the following
Host: server1.example.com
Queue: /printers/queue
- Click the Verify button. A "Printer Share verified" message should appear
- Click Forward and select Generic
- Click Forward and select Text-only printer
- Click Forward. A "Describe Printer" screen should appear
- Enter "remote-test" for the printer name.
- Click Apply. If prompted to print a test page, click No
- Send a print job to the remote-test printer and check that it was submitted
# ls /tmp | lpr -P remote-test
# lpq -s
03. Create a new partition on your hard disk that is 512MB in size and doesn't render the rest of the disk unusable. It should not be encrypted and it should contain an ext4 filesystem that mounts under the /extras mount point persistently when the system boots.
Solution:
- Create a 512 MB partition (say /dev/sda11) from Disk Utility, select the ext4 filesystem and make sure the Encrypted option is NOT selected
- Create a directory /extras
# mkdir /extras
- Make this partition persistently mounted on /extras by editing /etc/fstab
# vim /etc/fstab
add the following line
/dev/sda11 /extras ext4 defaults 0 0
04. Create a 2 GB volume group called extra with a logical volume called iso that contains an ext4 file system and will be mounted as /iso. Allocate the file system so it can be migrated to a larger device and grown without downtime.
Solution:
- Check that the system-config-lvm package is installed, and install it if not
# rpm -q system-config-lvm
# yum install system-config-lvm -y
- Using Disk Utility, create a new partition (say /dev/sda12) of 2 GB with Type=Empty
- In the Disk Utility window click the new partition /dev/sda12. Open the Edit window and set Type=Linux LVM (0x8e)
- Open System->Administration->Logical Volume Management
- Select Partition 12 (/dev/sda12, which is of type Linux LVM). Click Initialize Entry
- In the left panel, under Unallocated Volumes, select Partition 12
- Click Create New Volume Group
- New Volume Group Name = Extra. Keep the other defaults. Click Create
- In the left panel, under Extra, click Logical View
- Click Create New Logical Volume
- Input the following values
LV Name: iso
LV Size: 0.75 GB (so it can be migrated to a larger device)
File System: EXT4
Click on Mount and Mount When Rebooted
Mount point: /iso
- Click OK.
######################################################################
05. Create three accounts curly, larry and moe who are members of a group called stooges which has GroupID 4000. Create a directory called /home/stooges where these three users can work collaboratively on files. Modify the permissions on this directory so that only the user and group can access, create and delete files in that directory. Files created in this directory should automatically be assigned a group ownership of stooges.
Solution:
# groupadd stooges
# adduser -G stooges curly
# adduser -G stooges larry
# adduser -G stooges moe
# vim /etc/group and change the group id of stooges to 4000
# mkdir /home/stooges
# chgrp stooges /home/stooges
# chmod 2775 /home/stooges
- Checking
# su - curly
$ touch /home/stooges/curlyfile
$ stat /home/stooges/curlyfile <--- check that the group of curlyfile is stooges
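As an added example (not from the course notes), the script below builds a shared group directory in a temporary location and checks the two things the `chmod 2775` in the solution relies on: the leading 2 (setgid) makes new files inherit the directory's group, and the low three digits decide who else can enter. It shows 2770 next to it, the variant that keeps "other" out entirely. It needs GNU stat (Linux); no group named stooges is created, so the inheritance check compares group ids rather than the name.

```sh
#!/bin/sh
# Added example, not from the course notes: build a shared group directory in
# a temporary location and check the setgid bit and mode used above (2775),
# beside 2770, which keeps "other" out completely. Needs GNU stat (Linux);
# no group named stooges is created here.

SHARED_BASE="$(mktemp -d)"

# make_shared_dir DIR MODE: create DIR with octal MODE and print its symbolic
# mode string, e.g. "drwxrwsr-x" for 2775 (the "s" is the setgid bit).
make_shared_dir() {
    mkdir -p "$1" && chmod "$2" "$1" && stat -c %A "$1"
}

# has_setgid DIR: succeed when the setgid bit is set ("s" or "S" in the
# group-execute position of the symbolic mode).
has_setgid() {
    case "$(stat -c %A "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# other_access DIR: the permission triplet for "other", e.g. "r-x" or "---".
other_access() {
    stat -c %A "$1" | cut -c8-10
}

# group_inherited DIR: create a file in DIR and succeed when its group id
# equals the directory's, which is what setgid on a directory guarantees.
group_inherited() {
    f="$1/probe.$$"
    : > "$f" &&
    [ "$(stat -c %g "$f")" = "$(stat -c %g "$1")" ]
}

echo "2775: $(make_shared_dir "$SHARED_BASE/stooges" 2775), other=$(other_access "$SHARED_BASE/stooges")"
echo "2770: $(make_shared_dir "$SHARED_BASE/private" 2770), other=$(other_access "$SHARED_BASE/private")"
if has_setgid "$SHARED_BASE/stooges" && group_inherited "$SHARED_BASE/stooges"; then
    echo "new files in stooges/ take the directory's group"
fi
```

The 2775 form leaves read and execute for everyone else, so users outside stooges can still list and read files in the directory; if the requirement is that only the owner and the group have access, 2770 is the mode that enforces it while keeping the group inheritance.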
#####################################################################
06. Create two new physical partitions 512 MB in size each. With the first partition, create swap space and make it persistent. With the second partition create an ext4 filesystem persistently mounted on /opt with acl as a default mount option.
Solution:
- Check that gnome-disk-utility is installed, and install it if not
# rpm -q gnome-disk-utility
# yum install gnome-disk-utility* -y
- Create a 512 MB partition (say /dev/sda10) from Disk Utility and select Type=Linux Swap (0x82)
- Make this swap space persistent by editing /etc/fstab
# vim /etc/fstab
add the following line (the mount point field of a swap entry holds the placeholder swap)
/dev/sda10 swap swap defaults 0 0
- Enable swap from /etc/fstab
# swapon -a
- Display all enabled swap space
# swapon -s
- Create a 512 MB partition (say /dev/sda11) from Disk Utility and select the ext4 filesystem
- Make this partition persistently mounted on /opt with the acl option by editing /etc/fstab
# vim /etc/fstab
add the following line
/dev/sda11 /opt ext4 defaults,acl 0 0
######################################################################
07. Create a folder curlyfolder in curly's home directory. Download the "instructor_vim" file from ftp://192.168.0.254/pub and put it in curlyfolder. Archive curlyfolder into /tmp/curlyfolderX.tar.bz2.
Solution:
# mkdir /home/curly/curlyfolder
# cd /home/curly/curlyfolder
# ftp server1.example.com
ftp> cd pub
ftp> get instructor_vim
ftp> quit
# tar -cjf /tmp/curlyfolderX.tar.bz2 /home/curly/curlyfolder
#####################################################################
08. Create a user "student" with password "password" on your station. Create an ssh key for student and copy student's public key to the student account on server1.example.com. The password of the student account on server1.example.com is also "password".
Solution:
# adduser student
# passwd student
# su - student
$ ssh-keygen (take the default answers to generate the key)
$ ssh-copy-id student@server1.example.com <---- give the password "password" when asked
##################################################################
09. Copy the file curlyfolderX.tar.bz2 created in question 7 to the student's home folder on server1.example.com.
Solution:
# rsync /tmp/curlyfolderX.tar.bz2 server1.example.com:/home/student
####################################################################
10. Configure your station to provide both FTP and web services. Disable non-anonymous FTP access. Download the index.html file from ftp://192.168.0.254/pub/. Configure your machine to serve identical file content to both anonymous FTP and HTTP users.
The following URLs should both display the file you downloaded above:
ftp://stationX.example.com/pub/index.html
http://stationX.example.com/index.html
Solution:
- Check that vsftpd and httpd are installed, and install them if not
# rpm -q vsftpd
# rpm -q httpd
# yum install vsftpd httpd -y
- Check the vsftpd configuration file and make sure anonymous_enable=YES
# vim /etc/vsftpd/vsftpd.conf
- Download index.html into the FTP public folder /var/ftp/pub
# cd /var/ftp/pub
# ftp server1.example.com
ftp> cd pub
ftp> get index.html
ftp> quit
- Start the FTP server and make sure the vsftpd service runs automatically at boot
# service vsftpd restart; chkconfig vsftpd on
- Check the httpd configuration file and make sure ServerName is set to stationX.example.com (where X = your station number)
# vim /etc/httpd/conf/httpd.conf
- Create a symlink to /var/ftp/pub/index.html in the httpd public folder /var/www/html
# cd /var/www/html
# ln -s /var/ftp/pub/index.html index.html
- Start the httpd server and make sure the httpd service runs automatically at boot
# service httpd restart; chkconfig httpd on
- Check that you can log in as anonymous on the FTP server and that index.html is published on the web server. You may need to disable SELinux and flush the iptables rules
# setenforce 0
# iptables -F
# ftp stationX.example.com
browse http://stationX.example.com from your Mozilla Firefox browser
Note:
- To disable SELinux permanently you need to set SELINUX=disabled in the /etc/selinux/config file
- To disable the firewall permanently you need to disable it from system-config-firewall
###################################################################
11. Download and install kernel-debug from ftp://server1.example.com/pub/Packages. Make the older kernel the default.
Solution:
- Download and install kernel-debug
# yum install kernel-debug*
- Make the older kernel the default in /etc/grub.conf
# vim /etc/grub.conf
default=1 <------ 1 is the sequence number (counted from 0) of the older kernel
Reboot the machine and press the ESC key during the GRUB countdown. You'll see the new kernel and also the older kernel selected as default.
--------- RH135 Day 10 ---------
Automated Installation of Red Hat Enterprise Linux
Using kickstart, a system administrator can create a single file (a .cfg file) which contains the answers to all the questions typically asked during an installation. This file can be given to the installer (for example from the RHEL CD/DVD, or the rhel6.cfg file in our LAB) to automate the installation of Red Hat Enterprise Linux.
Steps for kickstart installation
01. Create a kickstart file
- Using system-config-kickstart
- Using the /root/anaconda-ks.cfg file from an already installed RHEL box
02. Make the kickstart file available to the installer
- Network servers: FTP, HTTP, NFS
- DHCP/TFTP server
- USB disk or CD-ROM
- Local hard disk
03. Boot the installer
- Installation disks
- PXE boot
- boot.iso
04. Point the installer to the kickstart file
- ks=http://server/dir/file
- ks=ftp://server/dir/file
- ks=nfs:server:/dir/file
- ks=hd:/device/dir/file
- ks=cdrom:/dir/file
LAB Practice:
01. Using the installation disk, do a kickstart NFS installation. The location of the kickstart file is 192.168.0.254:/var/ftp/pub/rhel6.cfg
- Step 01. The kickstart file is rhel6.cfg
- Step 02. The kickstart file is available through NFS
- Step 03. Put the Red Hat Enterprise Linux installation disk in your CD/DVD ROM and boot from CD/DVD
- Step 04. When prompted to choose the installation method, press ESC. You'll get a black screen with the prompt "boot:". Type the following
boot: linux ks=nfs:192.168.0.254:/var/ftp/pub/rhel6.cfg
Press Enter. The automatic installation will begin.
Archives and Compression: Create Linux tar/gzip/bzip2 Archives
Key tar options:
1. c = Create
2. x = Extract
3. t = List
4. v = Verbose
5. f = use archive File
6. z = gzip
7. j = bzip2
8. C = Extract in a specific directory
LAB Practice:
- Create a tar file
tar -cvf myarchive.tar /tmp
- View the content of myarchive.tar before extracting
tar -tvf myarchive.tar
- Extract this tar file
tar -xvf myarchive.tar
- Create a tar.gz file
tar -zcvf myarchive.tar.gz /tmp
- View the content
tar -ztvf myarchive.tar.gz
- Extract this tar.gz file into /home
tar -zxvf myarchive.tar.gz -C /home
Hard Links and Soft Links:
You're probably familiar with shortcuts in Microsoft Windows or aliases on the Mac. Linux has something, or actually some things, similar, called hard links and symbolic links. Symbolic links (also called symlinks or softlinks) most resemble Windows shortcuts. They contain a pathname to a target file. Hard links are a bit different. They are directory entries that refer to the file's inode. Linux files don't actually live in directories. They are assigned an inode number, which Linux uses to locate files. So a file can have multiple hard links, appearing in multiple directories, but isn't deleted until there are no remaining hard links to it. Here are some other differences between hard links and symlinks:
1. You cannot create a hard link for a directory.
2. If you remove the original file of a hard link, the link will still show you the content of the file.
3. A symlink can link to a directory.
4. A symlink, like a Windows shortcut, becomes useless when you remove the original file.
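Going back to the tar lab above, here is an added example (not from the course notes) that runs the same operations as a checked round trip in a temporary directory: create a gzip archive (c, z, f), list it without extracting (t), extract into another directory (x with -C) and confirm that the extracted tree matches the original. The sample files are constructed inline.

```sh
#!/bin/sh
# Added example, not from the course notes: the tar lab as a checked round
# trip in a temporary directory: create a gzip archive (c, z, f), list it
# without extracting (t), extract into another directory (x with -C), and
# confirm that the extracted tree matches the original.

TAR_LAB="$(mktemp -d)"
mkdir -p "$TAR_LAB/src/sub"
printf 'alpha\n' > "$TAR_LAB/src/a.txt"        # constructed sample files
printf 'beta\n'  > "$TAR_LAB/src/sub/b.txt"

# make_archive ARCHIVE DIR: gzip-compressed archive of DIR, stored with paths
# relative to DIR's parent (so the archive contains "src/...", not "/tmp/...").
make_archive() {
    tar -czf "$1" -C "$(dirname "$2")" "$(basename "$2")"
}

# list_archive ARCHIVE: member names, one per line, without extracting.
list_archive() {
    tar -tzf "$1"
}

# extract_archive ARCHIVE DEST: unpack into DEST (created if needed); -C is the
# "extract into a specific directory" option from the list above.
extract_archive() {
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# member_count ARCHIVE: number of entries (directories count too).
member_count() {
    list_archive "$1" | wc -l | tr -d ' '
}

# roundtrip_ok ARCHIVE DIR DEST: archive DIR, unpack into DEST and succeed when
# the copy under DEST is identical to DIR.
roundtrip_ok() {
    make_archive "$1" "$2" && extract_archive "$1" "$3" &&
    diff -r "$2" "$3/$(basename "$2")" > /dev/null
}

ARCHIVE="$TAR_LAB/myarchive.tar.gz"
if roundtrip_ok "$ARCHIVE" "$TAR_LAB/src" "$TAR_LAB/out"; then
    echo "round trip OK, $(member_count "$ARCHIVE") members:"
    list_archive "$ARCHIVE"
else
    echo "round trip FAILED"
fi
```

Listing with t before extracting is the habit worth keeping: it shows whether an archive stores absolute paths or a leading "../", which decides where an extract will write, before anything touches the filesystem.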
LAB Practice
Hardlinks:
Make a new directory called Test and create FileA in it:
$ mkdir Test
$ cd Test
$ vi FileA
Make a hard link to FileA. We'll call the hard link FileB.
$ ln FileA FileB
Then use the "i" option to list the inodes for both FileA and its hard link. Type:
$ ls -il FileA FileB
1482256 -rw-r--r-- 2 root root 21 July 20 15:55 FileA
1482256 -rw-r--r-- 2 root root 21 July 20 15:55 FileB
You can see that both FileA and FileB have the same inode number (1482256). Both files also have the same permissions and the same size. Because that size is reported for the same inode, the hard link does not consume any extra space on your disk. Next, remove the original FileA:
$ rm FileA
And have a look at the content of the "link" FileB:
$ cat FileB
You will still be able to read the text you typed.
Symlink:
Staying in the same Test directory as above, let's make a symlink to FileB. Call the symlink FileC:
$ ln -s FileB FileC
Then use the i option again to list the inodes.
$ ls -il FileB FileC
This is what you'll get:
1482256 -rw-r--r-- 1 bruno bruno 21 July 5 15:55 FileB
1482226 lrwxrwxrwx 1 bruno bruno 5 July 5 16:22 FileC -> FileB
You'll notice the inodes are different and the symlink got an "l" before the rwxrwxrwx. The link has different permissions than the original file because it is just a symbolic link. Its real content is just a string pointing to the original file. The size of the symlink (5) is the size of its string. (The "-> FileB" at the end shows you where the link points to.) Now list the contents:
$ cat FileB
$ cat FileC
They will show the same text. Now if we remove the original file:
$ rm FileB
and check the Test directory:
$ ls
You'll see the symlink FileC is still there, but if you try to list the contents:
$ cat FileC
it will tell you that there is no such file or directory. You can still list the inode. Typing:
$ ls -il FileC
will still give you:
1482226 lrwxrwxrwx 1 bruno bruno 5 May 5 16:22 FileC -> FileB
But the symlink is obsolete because the original file was removed, as were all the hard links. So the file was deleted even though the symlink remains.
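The FileA/FileB/FileC experiment above, replayed as an added example (not from the course notes) in a temporary directory, with each observation turned into a check: hard links share an inode and survive removal of the original, while a symlink has its own inode, a size equal to its target string, and dangles once its target is gone. It needs GNU stat and readlink (Linux).

```sh
#!/bin/sh
# Added example, not from the course notes: the FileA/FileB/FileC experiment
# replayed in a temporary directory with each observation turned into a check.
# Needs GNU stat and readlink (Linux).

# link_lab_setup DIR: FileA with a line of text, FileB as a hard link to it,
# FileC as a symlink to FileB (relative target, as in the lab).
link_lab_setup() {
    mkdir -p "$1" &&
    printf 'hard and soft links\n' > "$1/FileA" &&
    ln "$1/FileA" "$1/FileB" &&
    ln -s FileB "$1/FileC"
}

inode()          { stat -c %i "$1"; }   # without -L, a symlink reports its own inode
link_count()     { stat -c %h "$1"; }   # number of hard links to the inode
size_bytes()     { stat -c %s "$1"; }   # for a symlink: length of the target string
same_inode()     { [ "$(inode "$1")" = "$(inode "$2")" ]; }
readable()       { cat "$1" > /dev/null 2>&1; }          # follows symlinks
is_dangling()    { [ -L "$1" ] && [ ! -e "$1" ]; }       # link exists, target does not
symlink_target() { readlink "$1"; }

LINK_LAB="$(mktemp -d)"
link_lab_setup "$LINK_LAB"
echo "FileA inode $(inode "$LINK_LAB/FileA"), FileB inode $(inode "$LINK_LAB/FileB"), link count $(link_count "$LINK_LAB/FileA")"
echo "FileC inode $(inode "$LINK_LAB/FileC"), size $(size_bytes "$LINK_LAB/FileC") (-> $(symlink_target "$LINK_LAB/FileC"))"
rm "$LINK_LAB/FileA"
readable "$LINK_LAB/FileB" && echo "FileA removed: FileB still readable, link count now $(link_count "$LINK_LAB/FileB")"
rm "$LINK_LAB/FileB"
is_dangling "$LINK_LAB/FileC" && echo "FileB removed: FileC is now a dangling symlink"
```

The `[ -L ] && [ ! -e ]` test is the one to remember: `-e` follows the link and reports false for a dangling symlink, so a script that only checks `-e` will think the link is gone when in fact it still occupies the name.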
------------------ Day 11 ------------------
Regular expressions and grep:
A regular expression is a pattern that describes a set of strings; grep tests each input line against such a pattern. A pattern is a sequence of characters. The grep command searches the given files for lines containing a match to the given pattern list. In other words, use the grep command to search for words or strings in text files. When it finds a match in a file, it displays those lines on screen. With the -E option grep supports extended regular expressions.
Examples in Practice LAB:
- Search for 'rhce' in /etc/passwd
# grep --color 'rhce' /etc/passwd
Sample output:
rhce:x:1000:1000:rhce Gite,,,:/home/rhce:/bin/bash
rhcegite:x:1001:1001::/home/rhcegite:/bin/sh
giterhce:x:1002:1002::/home/giterhce:/bin/sh
- Search for rhce as a whole word in any case (i.e. case insensitive search)
# grep -i -w rhce /etc/passwd
- Search for rhce or datapark in any case
# grep -E -i -w 'rhce|datapark' /etc/passwd
The PATTERN in the last example is used as an extended regular expression.
- You can use ^ and $ to force a regex to match only at the start or end of a line, respectively. The following example displays only lines starting with rhce:
grep '^rhce' /etc/passwd
Sample output:
rhce:x:1000:1000:rhce Gite,,,:/home/rhce:/bin/bash
rhcegite:x:1001:1001::/home/rhcegite:/bin/sh
- You can display only lines starting with the word rhce, i.e. not rhcegite, rhceg etc:
grep -w '^rhce' /etc/passwd
- Find lines ending with the word rhce:
grep 'rhce$' filename
- Match lines containing only rhce:
grep '^rhce$' filename
- You can search for blank lines as follows:
grep '^$' filename
- You can search for users who have a bash shell:
grep ':/bin/bash$' /etc/passwd
- Match rhce or Rhce:
grep '[rR]hce' filename
- You can also match digits (i.e. match rhce1 or rhce2 etc):
grep -w '[rR]hce[0-9]' filename
- You can match two numeric digits (i.e. match rhce11, rhce12 etc):
grep 'rhce[0-9][0-9]' filename
- Display all the lines containing either a "w" or "n" character:
grep '[wn]' filename
- How do I do OR with grep?
grep -E 'word1|word2' filename
- How do I do AND with grep?
grep 'word1' filename | grep 'word2'
- The following will match both "col" and "cool":
egrep 'co{1,2}l' filename
- How do I show only the matches, not the lines?
grep -o regex filename
Find Command:
Apart from the basic operation of looking for files under a directory structure, you can also perform several practical operations using the find command that will make your command line work easier.
01. Find files by name
This is the basic usage of the find command. This example finds all files named MyCProgram.c in the current directory and all its sub-directories.
# find -name "MyCProgram.c"
02. Other options of the find command
find /home -user datapark
Find every file under the directory /home owned by the user datapark.
find /usr -name '*park'
Find every file under the directory /usr ending in "park".
find /usr -name 'data*'
Find every file under the directory /usr starting with "data".
find /var/spool -mtime +60
Find every file under the directory /var/spool that was modified more than 60 days ago.
Pipelines and Redirection
- ">" is used to redirect standard output to a file, overwriting any existing text in that file.
grep "root" /etc/passwd > /tmp/newfile
- ">>" is used to redirect standard output to a file, appending the output to that file.
grep "data" /etc/passwd >> /tmp/newfile
- "2>" is used to redirect standard error to a file
find /etc -name passwd 2> /tmp/errorfile
find /etc -name passwd > /tmp/outputfile 2> /tmp/errorfile
- "2> /dev/null" is used to discard the error messages by redirecting them to /dev/null
find /etc -name passwd > /tmp/outputfile 2>/dev/null
- "2>&1" is used to combine OUTPUT and ERROR into one file
find /etc -name passwd > /tmp/all 2>&1
- | (pipe) is used to send the OUTPUT of one command as the INPUT of another command
cat /etc/passwd | grep "root"
The first command prints all local user information from /etc/passwd; the second command (grep "root") reads this information and finally displays only the root user.
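As an added example (not from the course notes), the script below runs the grep patterns and the redirection forms from this day against a constructed /etc/passwd-style sample in a temporary file, with each result wrapped in a function so it can be checked. Nothing here reads the real /etc/passwd; the account names are made up to mirror the sample output above.

```sh
#!/bin/sh
# Added example, not from the course notes: the grep patterns and redirection
# forms from this section, run against a constructed /etc/passwd-style sample.
# Nothing here touches the real /etc/passwd.

SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
rhce:x:1000:1000:rhce Gite,,,:/home/rhce:/bin/bash
rhcegite:x:1001:1001::/home/rhcegite:/bin/sh
giterhce:x:1002:1002::/home/giterhce:/bin/sh
Rhce2:x:1003:1003::/home/Rhce2:/bin/bash
datapark:x:1004:1004::/home/datapark:/bin/bash

EOF

# lines_with FILE PATTERN: count lines matching a basic regex (grep -c).
lines_with()             { grep -c "$2" "$1"; }

# accounts_named_exactly FILE WORD: logins that are exactly WORD
# (^ anchors at the start, -w stops "rhce" from matching "rhcegite").
accounts_named_exactly() { grep -w "^$2" "$1" | cut -d: -f1; }

# bash_users FILE: logins whose shell is /bin/bash ($ anchors at the end).
bash_users()             { grep ':/bin/bash$' "$1" | cut -d: -f1; }

# either_of FILE A B: lines naming A or B as a whole word, any case (-E for "|").
either_of()              { grep -E -i -w "$2|$3" "$1"; }

# numbered_variants FILE: distinct words rhceN / RhceN (-o prints only the match).
numbered_variants()      { grep -o -w '[rR]hce[0-9]' "$1" | sort -u; }

# split_streams OUT ERR: find over the sample file and a missing directory;
# the match goes to OUT via ">", the error for the missing path to ERR via "2>".
split_streams() {
    find "$SAMPLE_PASSWD" /no/such/dir -name "$(basename "$SAMPLE_PASSWD")" > "$1" 2> "$2"
}

# combined_streams ALL: the same command with "2>&1", so both streams land in ALL.
combined_streams() {
    find "$SAMPLE_PASSWD" /no/such/dir -name "$(basename "$SAMPLE_PASSWD")" > "$1" 2>&1
}

# line_count FILE: number of lines, without the padding some wc builds print.
line_count()             { wc -l < "$1" | tr -d ' '; }

echo "lines starting with rhce: $(lines_with "$SAMPLE_PASSWD" '^rhce')"
echo "exactly rhce: $(accounts_named_exactly "$SAMPLE_PASSWD" rhce)"
echo "bash users: $(bash_users "$SAMPLE_PASSWD" | tr '\n' ' ')"
OUT="$(mktemp)"; ERR="$(mktemp)"; ALL="$(mktemp)"
split_streams "$OUT" "$ERR"
combined_streams "$ALL"
echo "stdout lines: $(line_count "$OUT"), stderr lines: $(line_count "$ERR"), combined: $(line_count "$ALL")"
```

Order matters with 2>&1: `cmd 2>&1 > file` duplicates stderr onto whatever stdout points at (the terminal) before stdout is redirected, so only stdout reaches the file; the `> file 2>&1` form used above is the one that captures both.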
------------------ Day 12 ------------------
Network Configuration and Troubleshooting:
-Change the IP, Subnet, Gateway and DNS Information from command prompt:
# cd /etc/sysconfig/network-scripts/
# vi ifcfg-eth0
-Change the HOSTNAME Information:
# cd /etc/sysconfig
# vi network
-Add a hostname to IP Address mapping
# vi /etc/hosts
- Check the network information
# ip addr (same as ifconfig)
# ip route
# hostname
# cat /etc/resolv.conf
# cat /etc/hosts
Overview of Adding a New Filesystem to the Filesystem Tree:
01. Identify the device: The first step in adding a new filesystem is to identify the device to be used. This is usually something like /dev/hda or /dev/sda. Use the following command to check the devices and the existing partitions:
# fdisk -l
02. Partition the device: We partition the device with the fdisk utility and choose the partition type. Linux-specific partitions are normally one of the following types:
- 5 (or f) -- Extended Partition
- 82 -- Linux Swap
- 83 -- Linux
- 8e -- Linux LVM
While using the fdisk tool to partition the /dev/sda device we declare the partition type by pressing "t". We get the complete list of partition types by pressing "L".
partprobe: At system boot, the kernel makes its own in-memory copy of the partition tables from the disks. The fdisk tool edits the on-disk copy of the partition tables. To update the in-memory copies we need to run partprobe:
# partprobe /dev/sda
03. Make the filesystem: The filesystem is what organizes files on a device. The filesystem type used on Red Hat Enterprise Linux 6 is ext4. The following command makes the filesystem (formats the partition /dev/sda11):
# mkfs.ext4 /dev/sda11
04. Label the filesystem: This step is not required, but it is highly recommended. Filesystem labeling creates a layer of abstraction that allows you to identify a filesystem by a unique label rather than by the device name. Labeling is done with the following command:
# e2label /dev/sda11 testlabel
05. Create an entry in /etc/fstab: /etc/fstab is referenced each time the system boots to create the desired filesystem hierarchy. It consists of six fields per line for each filesystem to be connected to the tree, as follows:
# cat /etc/fstab
# device mount point FS_type Options dump_freq fsck_order
UUID=5022bbc4-1c7c-420e-81ee-c9567741566b / ext4 defaults 1 1
UUID=ebebbade-25b1-480a-90fc-f46cfbaf392f /boot ext4 defaults 1 2
UUID=811168ec-7439-46ab-bdb2-e19df6fe2b27 swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
LABEL="testlabel" /newdir ext4 defaults 0 0
In the device field we can use either the device name (/dev/sda11), LABEL="testlabel" or the UUID (Universally Unique Identifier). To find the UUID run the following command:
# blkid (shows the labels and UUIDs of all partitions)
# blkid /dev/sda11 (for a specific partition)
06. Mount the filesystem: The filesystem cannot be used to store and access data until it is mounted. To mount it on a new directory, invoke the following commands:
# mkdir /newdir
# mount /dev/sda11 /newdir
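Added example, not from the course notes: a POSIX shell check of fstab entries against the six-field layout just described, catching the mistakes that show up in hand-edited files (wrong field count, fused fields, relative mount point, fsck order on swap). The sample fstab and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the course notes: sanity-check fstab entries before
# rebooting. A wrong field count, fused fields or a swap entry with a non-zero
# fsck order can leave the machine in the emergency shell at boot, so it is
# cheaper to check the file than to repair it from rescue mode.
# check_fstab reads fstab text on stdin and prints one diagnostic per problem
# (nothing when the file looks sane); it always exits 0.

check_fstab() {
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) continue ;;                 # blank line or comment
        esac
        set -- $line                            # split into whitespace-separated fields
        if [ $# -ne 6 ]; then
            echo "line $lineno: expected 6 fields, found $#: $line"
            continue
        fi
        dev=$1; mnt=$2; fstype=$3; opts=$4; dump=$5; pass=$6

        # Field 1: block device, LABEL=/UUID= spec, pseudo filesystem, or a
        # network source (host:/export for NFS, //server/share for CIFS).
        case "$dev" in
            /dev/*|UUID=*|LABEL=*|tmpfs|devpts|sysfs|proc|*:/*|//*) ;;
            *) echo "line $lineno: unrecognised device spec '$dev'" ;;
        esac

        # Field 2: swap areas use 'swap' (or 'none'); everything else needs an
        # absolute mount point that exists before 'mount -a' runs.
        if [ "$fstype" = swap ]; then
            case "$mnt" in
                swap|none) ;;
                *) echo "line $lineno: swap entry should have mount point 'swap', got '$mnt'" ;;
            esac
        else
            case "$mnt" in
                /*) ;;
                *) echo "line $lineno: mount point '$mnt' is not an absolute path" ;;
            esac
        fi

        # Fields 5 and 6 must be integers. Swap, pseudo and network filesystems
        # are never fsck'd, and only the root filesystem should be pass 1.
        for n in "$dump" "$pass"; do
            case "$n" in
                *[!0-9]*) echo "line $lineno: dump/pass field '$n' is not a number" ;;
            esac
        done
        case "$fstype" in
            swap|tmpfs|devpts|sysfs|proc|nfs|cifs)
                [ "$pass" = 0 ] || echo "line $lineno: $fstype should not be fsck'd (pass=$pass)" ;;
            *)
                if [ "$mnt" != / ] && [ "$pass" = 1 ]; then
                    echo "line $lineno: only the root filesystem should have fsck order 1"
                fi ;;
        esac
    done
    return 0
}

# Number of problems found in the fstab text on stdin (exits 0, so it is safe
# inside $(...) under 'set -e').
fstab_error_count() {
    check_fstab | wc -l | tr -d ' '
}

# Constructed sample: sound entries in the style of the notes plus the two
# mistakes a hand-edited fstab commonly has (fields fused without whitespace,
# a dropped options field) and a relative mount point.
sample_fstab() {
    cat <<'EOF'
# device                                    mount point   FS_type  Options       dump fsck
UUID=5022bbc4-1c7c-420e-81ee-c9567741566b   /             ext4     defaults      1    1
LABEL=testlabel                             /newdir       ext4     defaults      0    0
/dev/vg0/lv0                                /data         ext4     defaults,acl  0    0
server1.example.com:/var/ftp/pub            /extra        nfs      defaults      0    0
/dev/sda12swapswapdefaults0 0
UUID=811168ec-7439-46ab-bdb2-e19df6fe2b27   swap swap 0 0
/dev/sda11                                  newdir        ext4     defaults      0    2
EOF
}

sample_fstab | check_fstab      # prints three diagnostics for the sample above
```

Run it as `check_fstab < /etc/fstab` before the reboot that would otherwise expose the mistake.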
Managing Simple Partitions and Filesystems:
Creating and Formatting a Simple Partition from the Command Prompt
# fdisk -cu /dev/sda
Some questions will be asked after this command. Do the following:
# p --> Print the current partition table
# n --> for new partition
# l --> for logical partition
# First Sector --> Take the default Sector Number
# Last Sector: +2GB ---> This will create 2 GB Partition
# p --> Check if new partition is created
# w --> Write (save) your work in partition table
Now make the kernel aware of the new partition:
# partprobe /dev/sda
Reboot your machine
Check that the kernel is aware of the new partition:
# cat /proc/partitions
Format the partition as ext4:
# mkfs.ext4 /dev/sda11
Configure the machine to mount the partition automatically at boot:
# mkdir /mountpoint
# vim /etc/fstab
/dev/sda11 /mountpoint ext4 defaults 0 0
RH135-Day13 Written by Razib Shahriar Rubence
Managing Swap Space and Partitions:
01. Creating a partition for swap space is like creating a simple partition, except that we declare the swap partition type "82" in the fdisk utility. This is done by pressing "t" and then entering "82" for that partition.
02. Unlike formatting a simple partition, we need to write a special signature on the partition using mkswap:
# mkswap /dev/sda12
03. The appropriate entry in fstab should be added before activating the swap space. The entry looks like this:
UUID="The UUID of the swap partition, which can be found with the blkid command" swap swap defaults 0 0
04. Activate the swap space with "swapon -a". Check the swap space with "swapon -s".
Practice LAB:
Check the current swap areas:
# swapon -s
Creating a Partition for Swap Space
# fdisk -cu /dev/sda
Some questions will be asked after this command. Do the following:
# p --> print the current partition table
# n --> Create a new partition
# l --> for logical partition
# First Sector --> will be default Sector Number
# Last Sector --> +1GB (This will create a 1 GB Partition)
# p --> print and check the newly created partition (say new partition=sda12)
# t --> for changing the system type to Linux swap / solaris
# Partition Number: 12
# Hex Code: 82
# w --> For write and quit fdisk
Now make the kernel aware of the new partition:
# partprobe /dev/sda
Check kernel is aware about the new partition
# cat /proc/partitions
Initialize the swap partition
# mkswap /dev/sda12
Entry in fstab to identify swap partition
# vim /etc/fstab
/dev/sda12 swap swap defaults 0 0
Alternatively, you can use the UUID instead of the partition name for the swap space (recommended):
# blkid (to identify the UUID)
# vim /etc/fstab
UUID="UUID of the swap partition found with the blkid command" swap swap defaults 0 0
Activate the swap partition
# swapon -a
Check the swap partitions
# swapon -s
Implement LVM Storage with Command-line tools:
In Module 01 (RH124) we learned about LVM implementation in graphical mode. Now we'll learn how to do this with command-line tools.
What is Logical Volume Manager (LVM): LVM creates a higher-level layer of abstraction than traditional Linux disks and partitions. This allows for great flexibility in allocating storage. Logical volumes can be resized and moved between physical devices easily. Physical devices can be added and removed with relative ease. LVM-managed volumes can also have sensible names like "database" or "home" rather than the somewhat cryptic "sda" or "hda" device names.
Steps for creating a Logical Volume:
01. Create a new partition. Declare this partition type "8e" in the fdisk utility. This is done by pressing "t" and then entering "8e" for the partition.
02. Devices are designated as Physical Volumes:
# pvcreate /dev/sda11
03. One or more Physical Volumes are used to create a Volume Group:
# vgcreate vg0 /dev/sda11
04. Logical Volumes are created on Volume Groups and composed of Physical Extents:
# lvcreate -L 256M -n data vg0
05. A filesystem may be created on a Logical Volume (format the logical volume):
# mkfs.ext4 /dev/vg0/data
06. Mounting the logical volume: A logical volume needs to be mounted to be usable. Mounting is as usual (device first, then mount point):
# mount /dev/vg0/data /logicalvolume
07. Entry in fstab: The fstab entry can be made either by name (/dev/vg0/data) or by UUID; the UUID can be found with the blkid command.
# vim /etc/fstab
/dev/vg0/data /logicalvolume ext4 defaults 0 0
Practice LAB for creating a new Logical Volume
# fdisk -cu /dev/sda
Some questions will be asked after this command. Do the following:
# p --> print the current partition table
# n --> Create a new partition
# l --> for logical partition
# First Sector --> will be default Sector Number
# Last Sector --> +1GB (This will create a 1 GB Partition)
# p --> print and check the newly created partition (say new partition=sda13)
# t --> for changing the system type to Linux LVM
# Partition Number: 13
# Hex Code: 8e
# w --> For write and quit fdisk
Now make the kernel aware of the new partition:
# partprobe /dev/sda
Check kernel is aware about the new partition
# cat /proc/partitions
Prepare the physical volume
# pvcreate /dev/sda13
Check the created physical volume
# pvdisplay /dev/sda13
Create the Volume Group
# vgcreate vg0 /dev/sda13
Check the Volume Group
# vgdisplay vg0
Create the new logical volume from the newly created volume group:
# lvcreate -n lv0 -L 512M vg0
Check the Logical Volume
# lvdisplay /dev/vg0/lv0
Format the logical volume
# mkfs.ext4 /dev/vg0/lv0
Mount the logical volume for use
# mkdir /data
# mount /dev/vg0/lv0 /data
Make an entry in fstab:
/dev/vg0/lv0 /data ext4 defaults 0 0
Growing Logical Volumes (Extending Logical Volumes):
If the volume's filesystem supports resizing (ext2, ext3 and ext4 do), Logical Volumes can be resized dynamically while preserving the data on the volume. The lvextend command is run first to grow the underlying logical volume:
# lvextend -L +500M /dev/vg0/data
The filesystem still needs to be made aware of the additional space; the resize2fs command grows a mounted or unmounted ext4 filesystem:
# resize2fs -p /dev/vg0/data
Shrinking Logical Volumes (Reducing Logical Volumes):
Reducing a Logical Volume must be done offline. For this we need to unmount the logical volume:
# umount /logicalvolume
It requires a filesystem check (e2fsck) first:
# e2fsck -f /dev/vg0/data
Then reduce the filesystem:
# resize2fs /dev/vg0/data 512M
Finally, lvreduce is used to reduce the volume:
# lvreduce -L 512M /dev/vg0/data
RH135-Day14 Written by Razib Shahriar Rubence
Mounting an NFS Filesystem (Linux-to-Linux) or CIFS Share (Common Internet File System, for example Linux-to-Windows):
Mounting an NFS filesystem or CIFS share means making a remote NFS (Network File System, Linux-to-Linux sharing) filesystem usable as though it were a local filesystem.
Three basic steps for accessing a network share (Linux-to-Linux share):
1. Identify the remote share to access:
# showmount -e nfsserver.domain (for an NFS share)
# smbclient -L cifsserver.domain (for a CIFS share)
2. Determine the mount point where it should be mounted and create the mount point's directory:
# mkdir /remote1
# mkdir /remote2
3. Mount the network filesystem with the appropriate command:
# mount nfsserver.domain:/exported/path /remote1 (for an NFS share)
# mount //cifsserver.domain/sharefolder /remote2 (for a CIFS share)
/etc/fstab can be used to specify persistent network mounts:
# vim /etc/fstab
nfsserver.domain:/exported/path /remote1 nfs defaults 0 0
//cifsserver.domain/sharefolder /remote2 cifs defaults 0 0
Practice LAB: mount the /var/ftp/pub directory from server1.example.com persistently on the /extra directory.
- Check the remote share access:
# showmount -e server1.example.com
- Create the /extra directory:
# mkdir /extra
- Mount the NFS share:
# mount server1.example.com:/var/ftp/pub /extra
- Make the fstab entry:
# vim /etc/fstab
server1.example.com:/var/ftp/pub /extra nfs defaults 0 0
Automatically Mount Network Storage:
Creating an entry in /etc/fstab (as mentioned above) keeps the connection to the network server active at all times. Alternatively, the automounter or autofs service can be configured to mount network shares "on demand" and unmount them after a certain amount of inactivity. There are two ways to configure the automounter service.
Special Map /net:
By default, with the autofs service running, whenever you enter (that means cd into) the /net/nfsserver.domain directory you get all NFS exports available from that NFS server. Once the directories underneath stop being used, the shares are unmounted and the nfsserver.domain subdirectory in /net is removed.
Practice LAB:
- Check the remote share access:
# showmount -e server1.example.com
- Make sure the autofs service is running:
# service autofs status
# service autofs restart; chkconfig autofs on
- Check the /net directory:
# ls /net <-- you'll see the directory is empty, because we have not browsed into it yet
- Enter /net/server1.example.com:
# cd /net/server1.example.com
# ls <---- you'll see all directories exported from server1.example.com
- Change the directory:
# cd ~
# ls /mnt/ <--- you'll get nothing in this folder
Indirect Map:
Indirect maps allow the system administrator to identify a particular network share and choose the mount point in any directory he wishes (unlike the direct map, where the mount point is always under the /net directory). Indirect maps use a two-tier configuration file syntax:
01. /etc/auto.master <-- This file exists
02. /etc/auto.demo <-- This file needs to be created
- /etc/auto.master has one line for each "parent" directory to manage and the name of an individual second configuration file (i.e., /etc/auto.demo):
# cat /etc/auto.master
/demo /etc/auto.demo
- The /etc/auto.demo file contains the sub-directory (for example public) mount point and the network share with mount options:
# cat /etc/auto.demo
public -ro nfsservername.domain:/exported/path
* Students are advised to follow page 101 and 10 for more detail
Practice LAB: NFS server with shares: server1.example.com; the shared directory is /var/ftp/pub. Configure your workstation such that autofs automatically mounts that share as /special/oshu.
- Add the following line to /etc/auto.master:
/special /etc/auto.special
- Create /etc/auto.special with the following line:
# vim /etc/auto.special
oshu -ro server1.example.com:/var/ftp/pub
- Restart the automounter:
# service autofs restart; chkconfig autofs on
RH135-Day15 Written by Razib Shahriar Rubence
Managing User Accounts:
Local user information is stored in a simple file, /etc/passwd. Students are advised to follow page 107 and 108 for detail.
Commands to manage users:
# useradd username <-- add a user
# passwd username <-- change the user's password
# userdel -rf username <-- delete a user, recursively removing their home directory and mail spool
# id username <-- show the user's id
usermod is used to modify a user's information. Some important uses of usermod are as follows:
# usermod -d directoryname username <-- change the user's home directory
# usermod -s filename username <--- change the user's login shell
# usermod -G Groupname username <-- assign Groupname as a supplementary group of the user
# usermod -L username <--- lock the user account
# usermod -U username <--- unlock the user account
Managing Passwords: Password Aging Policies
By default passwords do not expire. To modify password aging for existing users, use the chage command:
# chage [options] username
-m Minimum days between password changes, counted from the last change date
-M Maximum days between password changes, counted from the last change date
-I Number of days of inactivity after the password has expired before the account is locked
-E Expire the account on this date (YYYY-MM-DD format)
-W Number of days before a required change to start warnings
-l List the settings
-d Set the date of the last password change; -d 0 forces the user to change the password at the next login
LAB Practice: For the user jack implement the following password aging policy:
01. The account will expire on Dec 31st, 2011
02. The password must be changed within 30 days of the last password change
03. If the password is not changed within 30 days of the last password change, the account will be inactive for the next 7 days
# chage -E 2011-12-31 -M 30 -I 7 jack
# chage -l jack
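Added example, not part of the course notes, to show how the fields that chage writes are evaluated: it reads a constructed /etc/shadow line for jack under the lab's policy and reports the account's state on a given day. The function names, the status tokens and the exact day-boundary handling are my choices, not chage's output.

```shell
#!/bin/sh
# Added example, not part of the course notes: evaluate the password-aging
# fields that chage stores in /etc/shadow, so an administrator can tell which
# accounts are locked or about to lock without logging in as each user.
# The shadow line below is constructed; the numbers match the lab policy
# (-E 2011-12-31 -M 30 -I 7) applied to a password last changed on 2011-11-01.

# Convert YYYY-MM-DD to days since 1970-01-01, the unit /etc/shadow uses.
# Pure integer arithmetic, so it does not depend on GNU 'date -d'.
days_since_epoch() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                              # 08 -> 8 (avoid octal)
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi        # March-based year
    era=$((y / 400)); yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# shadow_status SHADOW_LINE TODAY_DAYS -> "user <state>"
# Field order is user:pw:lastchg:min:max:warn:inactive:expire:flag (shadow(5)).
# Treating the limit day itself as already reached is my assumption here.
shadow_status() {
    IFS=: read -r user pw lstchg min max warn inact expire flag <<EOF
$1
EOF
    today=$2
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo "$user expired"; return 0              # chage -E: whole account disabled
    fi
    if [ -z "$lstchg" ]; then
        echo "$user active"; return 0               # no aging information recorded
    fi
    if [ "$lstchg" = 0 ]; then
        echo "$user must-change"; return 0          # chage -d 0: change at next login
    fi
    if [ -z "$max" ]; then
        echo "$user active"; return 0               # no maximum: password never expires
    fi
    pw_expiry=$((lstchg + max))                     # chage -M
    if [ -n "$inact" ] && [ "$today" -ge $((pw_expiry + inact)) ]; then
        echo "$user locked"; return 0               # chage -I grace period used up
    fi
    if [ "$today" -ge "$pw_expiry" ]; then
        echo "$user must-change"; return 0          # password expired, login still allowed
    fi
    if [ -n "$warn" ] && [ "$today" -ge $((pw_expiry - warn)) ]; then
        echo "$user warn:$((pw_expiry - today))"; return 0   # chage -W window
    fi
    echo "$user active"
}

# Constructed entry: last change 2011-11-01 (15279), min 0, max 30, warn 7,
# inactive 7, account expiry 2011-12-31 (15339). The hash is a placeholder.
sample_shadow_line() {
    echo 'jack:HASH_PLACEHOLDER:15279:0:30:7:7:15339:'
}

for day in 2011-11-15 2011-11-25 2011-12-01 2011-12-08 2011-12-31; do
    echo "$day: $(shadow_status "$(sample_shadow_line)" "$(days_since_epoch "$day")")"
done
```

Pointing shadow_status at real /etc/shadow lines (as root) with today's day number gives the same picture chage -l shows, one line per account.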
RH135-Day16 Written by Razib Shahriar Rubence
Managing Groups:
Like users, groups have a name and a number (GID). Local groups are defined in /etc/group.
# groupadd -g 601 groupname <-- adds a new group with GID 601
# groupdel groupname <-- delete a group
# groupmod -n newgroup oldgroup <-- change the group name
Primary Group:
- Every user has exactly one primary group.
- Normally, a primary group of the same name as the user is created and assigned when the user is created.
Supplementary Groups:
- Users may be members of zero or more supplementary groups.
- For local groups, membership is determined by the list of users found in the last field of the group's entry in /etc/group.
- Used to qualify for group access permissions when accessing files.
# usermod -aG groupname username
This adds the user username to the group groupname. If you don't use the -a option, the user is removed from all other supplementary groups.
Managing Filesystem Access Control Lists (ACL):
# getfacl file <-- display the ACLs on a file
# setfacl -m u:jack:rw- file1 : grants read and write permission on file1 to user jack
# setfacl -m g:student:r-- file1 : grants read permission to all members of group student
# setfacl -m d:g:student:rwx directory1 : grants rwx permission on directory1 and its contents
To set an ACL on a file, the mounted filesystem (where the file exists) must support ACLs. The installer configures all ext4 filesystems it creates at installation time to turn on ACL support automatically. If you manually formatted the filesystem, you need to mount it with the acl mount option.
# tune2fs -o acl,user_xattr /dev/sda11
You may also need to make an entry in /etc/fstab to turn on ACL support automatically at boot time on the sda11 partition:
# vim /etc/fstab
/dev/sda11 /mountpoint ext4 defaults,acl 0 0
LAB Practice: Create users and groups as stated in page 132 and set ACLs as stated in page 137.
# mkdir /opt/research ; chgrp grads /opt/research
# chmod 2770 /opt/research
# setfacl -m g:profs:rwx /opt/research/
# setfacl -m g:interns:rx /opt/research/
# setfacl -m d:g:profs:rwx /opt/research/
# setfacl -m d:g:interns:rx /opt/research/
# setfacl -m d:g:grads:rwx /opt/research
Note: The execute permission (x) is included throughout, because without execute permission on the directory no one can create any file in it.
RH135-Day17 Written by Razib Shahriar Rubence
What is SELinux:
Security-Enhanced Linux (SELinux) is an implementation of a Mandatory Access Control (MAC) mechanism. A MAC access control framework allows you to define permissions for how all processes (called subjects) interact with other parts of the system such as files, devices, sockets, ports and other processes (called objects in SELinux). This is done through an administratively-defined security policy over all processes and objects. With this model, a process can be granted just the permissions it needs to be functional.
Without SELinux, an attacker who gained access through a security hole in a publicly available web server would have much broader access to the system. The attacker would then have a platform from which to exploit other vulnerabilities on the system, perhaps gaining root access, and would be able to launch attacks on other systems within the internal network. With SELinux enabled, an attacker who exploited a security hole in the web server would only have access to the files that the web server normally has access to. Mandatory Access Control allows the web server to access only files of a certain type. Data from other confined processes is not accessible.
SELinux has three modes, determined in the /etc/sysconfig/selinux file:
enforcing - SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
disabled - SELinux is fully disabled.
Practice LAB:
-------------
01. Enable SELinux in permissive mode
# vim /etc/sysconfig/selinux
SELINUX=permissive
# reboot
02. Check the current SELinux mode
# getenforce
03. Toggle SELinux from enforcing to permissive and vice versa
# setenforce 1 <-- from permissive to enforcing
# getenforce
# setenforce 0 <-- from enforcing to permissive
# getenforce
SELinux Architecture:
01. Security Context: Typically, the security context is displayed as colon-separated fields in this format:
user_identity:role:type:sensitivity:category
For example, the following security context is set for web server content:
system_u:object_r:httpd_sys_content_t
Note that the sensitivity and category elements of the security context may not be displayed.
- User identity indicates the SELinux user account associated with an object or subject.
- A role defines which SELinux user identities are allowed access to which domains.
- Processes (subjects) run in domains.
- Resources (objects) are associated with a type.
02. Security Policy: A policy is a set of rules that guide the SELinux engine. Red Hat supports three policies: targeted, mls and strict. The SELinux default policy is the targeted policy. The targeted policy targets only specific daemons. Under the targeted policy, every subject and object runs in the unconfined_t domain except for the specific targeted domains. Objects in the unconfined_t domain are allowed by SELinux to have no restrictions and fall back to standard Linux security. The policy is defined in the /etc/sysconfig/selinux file:
# cat /etc/sysconfig/selinux
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
Practice LAB:
-------------
To get security context information:
# id -Z <-- show what security context root has
# ps -ZC httpd <--- show what security context httpd has
# ls -Zd /var/www/html <--- what security context the /var/www/html directory has
# ls -Z /etc/resolv.conf <--- what security context the /etc/resolv.conf file has
Changing the Security Context:
The security context of a given file can be changed with one of the command-line tools chcon, restorecon or fixfiles. We'll use restorecon in the following lab.
Practice Lab:
Facts:
- The web server binary (/usr/sbin/httpd) has a type called httpd_exec_t
# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
- The web server process belongs to a domain called httpd_t
# ps -ZC httpd
unconfined_u:system_r:httpd_t:s0 2041 ? 00:00:00 httpd
- The web server data is of the type httpd_sys_content_t
# echo "this is index file in web server data directory /var/www/html" > /var/www/html/index.html
A file's initial SELinux context is determined by its directory. That is why, with the above command, when we create the index.html file in the /var/www/html directory, index.html takes the SELinux context of the /var/www/html directory.
# ls -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
The default policy (targeted policy) allows subjects (processes) in the domain httpd_t to access files with the type httpd_sys_content_t. If a file is of a different type, the web server gets an AVC error and is not allowed access to those objects (files in /var/www/html).
01. Make sure SELinux is set to enforcing mode
# vim /etc/selinux/config
SELINUX=enforcing
(reboot the system if you need to change the SELinux mode from disabled/permissive to enforcing)
02. Create a file in the /tmp directory and view its security context
# echo " This is tmp.html file created in /tmp directory" > /tmp/testfile.html
# ls -Z /tmp/testfile.html
03. Move /tmp/testfile.html from the /tmp directory to the /var/www/html directory
# mv /tmp/testfile.html /var/www/html
Note that the mv (move) command moves the file keeping its original context
04. Check the security context of the files in /var/www/html
# ls -Z /var/www/html/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 testfile.html
05. Restart the httpd service
# service httpd restart
The security policy allows the httpd process (in the domain httpd_t) to access files with the type httpd_sys_content_t, so we can view http://localhost/index.html:
# elinks -dump http://localhost/index.html
The security policy does not allow the httpd process (in the domain httpd_t) to access files of types other than httpd_sys_content_t, so we cannot view http://localhost/testfile.html:
# elinks -dump http://localhost/testfile.html
Forbidden
You don't have permission to access /testfile.html on this server.
--------------------------------------------------------------------------
Apache/2.2.15 (Red Hat) Server at localhost Port 80
With the restorecon command we can change the security context of testfile.html to match the directory's context.
# restorecon -R /var/www/html/
# ls -Z /var/www/html/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 testfile.html
We can also use the chcon command to relabel the testfile.html file.
Now we can view testfile.html in our browser:
# elinks -dump http://localhost/testfile.html
This is tmp.html file created in /tmp directory
SELinux Booleans:
Booleans allow runtime modification of the security policy. The policy defines a default value for each boolean. We can change booleans from true to false and vice versa with the setsebool command.
# getsebool -a <--- lists the current state of all SELinux booleans
# setsebool httpd_enable_cgi 1 <-- enables httpd_enable_cgi immediately but not permanently
# setsebool -P ftp_home_dir 1 <-- enables the ftp_home_dir boolean and makes it permanent
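Added example, not part of the course notes or of Red Hat's tooling: a small check over `ls -Z` output that reports files whose type is not the one httpd may read, which is exactly the testfile.html situation in the lab above. The listing is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the course notes: find files in a directory listing
# whose SELinux type is not one the confined service may read. This is what the
# lab produces when 'mv' carries a user_tmp_t file into /var/www/html: httpd
# gets an AVC denial and the browser shows "Forbidden".
# Input is RHEL 6 'ls -Z' output (mode user group context name, one per line);
# the listing below is constructed to match the lab's expected output.

# Extract the type from a context such as unconfined_u:object_r:user_tmp_t:s0.
selinux_type_of() {
    ctx=$1
    ctx=${ctx#*:}; ctx=${ctx#*:}        # drop user identity and role
    echo "${ctx%%:*}"                   # keep the type, drop sensitivity/category
}

# find_mislabelled PATTERN: print "name type" for every file whose type does
# not match PATTERN (a shell glob, so 'httpd_sys_*_t' accepts all web types).
find_mislabelled() {
    want=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                    # mode user group context name
        [ $# -ge 5 ] || continue        # skip 'total N' and blank lines
        ftype=$(selinux_type_of "$4")
        case "$ftype" in
            $want) ;;
            *) echo "$5 $ftype" ;;      # first word of the name; fine for the lab files
        esac
    done
    return 0
}

# Constructed listing of /var/www/html after the lab's 'mv' step.
sample_listing() {
    cat <<'EOF'
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 testfile.html
EOF
}

sample_listing | find_mislabelled httpd_sys_content_t    # reports testfile.html
```

On a live system `ls -Z /var/www/html | find_mislabelled httpd_sys_content_t` gives the same answer, and `restorecon -nv /var/www/html` (dry run) shows what a relabel would change.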
RH135-Day18 Written by Razib Shahriar Rubence
Installing and Managing Software:
yum is a powerful command-line tool that can be used to manage software more flexibly. Official Red Hat packages are normally downloaded from Red Hat Network (RHN). When you register your machine with RHN, yum is automatically configured to use it. We can also configure yum to get packages from third-party package repositories over the network (which we do in our LAB).
Yum configuration to get repositories over the network: A package repository is a yum server which contains all the RHEL packages and is ready to serve those packages to RHEL stations. In our LAB the repository server is server1.example.com, and the packages reside in the /var/ftp/pub/rhel6/Packages folder on server1.example.com. The packages are delivered through the ftp service. The configuration file (a file with the .repo extension in the /etc/yum.repos.d/ folder) of stationX.example.com is as follows:
# vim /etc/yum.repos.d/rhel6.repo
[base]
name=RHEL6 Server Repository
baseurl=ftp://server1.example.com/pub/rhel6/Packages
enabled=1
gpgcheck=0
Basic yum commands:
yum install packagename --> obtains and installs a software package including any dependencies
yum remove packagename --> removes an installed software package including any packages that depend on it
yum update packagename --> obtains and installs a newer version of the software package, including any dependencies
yum list available --> lists all packages available to be installed
yum list installed --> lists installed packages
yum list all --> lists all packages, available and installed
Deploying a Repository Server:
01. Install the vsftpd service and the createrepo package
# yum install vsftpd* createrepo*
02. Copy all files from the RHEL6 DVD to your /var/ftp/pub/rhel6 folder
03. Run the following command
# createrepo -v /var/ftp/pub/rhel6
RPM queries:
The rpm utility is a low-level tool that is useful to get information about the contents of package files and installed packages.
Basic rpm queries:
rpm -q PACKAGENAME --> the currently installed version of PACKAGENAME
rpm -qa --> all installed packages
rpm -qa Package* --> all installed packages whose name starts with Package
rpm -ql PACKAGENAME --> list all files installed by PACKAGENAME
rpm -qf FILENAME --> which package provides FILENAME
Managing Services:
Deploying a new service on a RHEL system involves the following steps:
01. Install the software
02. Configure the service's configuration file
03. Start the service
04. Enable the service at boot
05. Test the service
01. Install the software: First we need to know which packages are needed to run the service. Then we install the software with yum:
# yum install package*
02. Configure the service configuration file: Usually the configuration file is found in the /etc folder and ends with the .conf extension. We need to change it to meet our requirements:
# vim /etc/vsftpd/vsftpd.conf
03. Start the service: We need to start the service daemon. Daemons are processes that perform various tasks to run and continue the service. Conventionally, daemon executables end in the letter "d". Daemons are managed by service scripts which reside in the /etc/rc.d/init.d directory. A service script expects to be called with a single start, stop, restart, status or reload argument. Service scripts should be invoked using the front-end service command:
# service vsftpd restart
OR
# /etc/init.d/vsftpd restart
04. Enable the service at boot: Services are enabled (config­ured to start automatically at boot time) or disabled with the chkconfig command:
# chkconfig vsftpd on
# chkconfig vsftpd off
We can check the service's status in the different runlevels:
# chkconfig --list vsftpd
05. Test the service: If the service is properly configured and running, it will provide the service. With the vsftpd daemon you can ftp to the server; with the httpd daemon you get the web service. The following commands are also useful to check service availability:
# ps aux | grep vsftpd --> confirm the vsftpd daemon process is running
# lsof -i -n -P | grep vsftpd --> confirm the vsftpd daemon is bound to the correct port and is in LISTEN state
# netstat -tulpn | grep vsftpd
LAB Practice:
01. Install the httpd service and list which files are installed with the httpd package
# yum install httpd* -y
# rpm -ql httpd
02. Deploy the FTP server and check that it is listening on TCP port 21
# rpm -q vsftpd
# yum install vsftpd* <-- if the previous command shows it is not installed
# vim /etc/vsftpd/vsftpd.conf <-- make sure ANONYMOUS login is enabled
# service vsftpd restart
# chkconfig vsftpd on
# lftp stationX
# ps aux | grep vsftpd
# netstat -tulpn | grep vsftpd
RH135-Day19 Written by Razib Shahriar Rubence
What is syslog?
syslog is a utility for tracking and logging all manner of system messages, from the merely informational to the extremely critical. Each system message sent to the syslog server has two descriptive labels associated with it that make the message easier to handle.
- The first describes the function (facility) of the application that generated it. For example, applications such as mail and cron generate messages with easily identifiable facilities named mail and cron.
- The second describes the degree of severity of the message. There are eight in all and they are listed in the following table:
You can configure syslog's /etc/rsyslog.conf configuration file to place messages of differing severities and facilities in different files.
The files to which syslog writes each type of message received are set in the /etc/rsyslog.conf configuration file.
This file consists of two columns. The first lists the facilities and severities of the messages to expect and the second lists the files to which they should be logged. By default, the Red Hat /etc/rsyslog.conf file is configured to put most of the messages in the file /var/log/messages. Here is a sample:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
In this case, all messages of severity "info" and above are logged, but none from the mail, cron or authentication facilities/subsystems.
You can make this logging even more sensitive by replacing the line above with one that captures all messages from debug severity and above in the /var/log/messages file. This example may be more suitable for troubleshooting:
*.debug /var/log/messages
In this example, all debug severity messages, except auth, authpriv, news and mail, are logged to the /var/log/debug file in caching mode.
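Added example, not from the course notes: a POSIX shell evaluation of rsyslog selectors that reproduces the facility/priority rules described above (a level means that level and above, =level means exactly, none excludes, and later parts override earlier ones for the facilities they name). The rule set is a constructed excerpt and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the course notes: evaluate rsyslog selector fields the
# way rsyslog does, so you can predict where a message lands before restarting
# the daemon. Facilities and severities follow syslog(3); the rule set below is
# a constructed excerpt in the style of the RHEL 6 /etc/rsyslog.conf.

# Map a severity keyword to its syslog number (0 = most severe).
sev_num() {
    case "$1" in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;;  debug) echo 7 ;;
        *) echo 99 ;;                           # unknown keyword never matches
    esac
}

# selector_matches SELECTOR FACILITY SEVERITY -> prints yes or no.
# A selector is ';'-separated parts of the form facility[,facility].priority.
# Parts are evaluated left to right and a later part overrides an earlier one
# for the facilities it names: that is how 'mail.none' carves mail out of '*.info'.
# Priority forms: level (that level and more severe), =level (exactly), none, *.
selector_matches() {
    sel=$1; fac=$2; msev=$(sev_num "$3")
    result=no
    rest="$sel;"
    while [ -n "$rest" ]; do
        part=${rest%%;*}; rest=${rest#*;}       # split on ';' without globbing
        [ -n "$part" ] || continue
        facs=${part%.*}; pri=${part##*.}
        case ",$facs," in                       # does the facility list cover $fac?
            *",*,"*|*",$fac,"*) ;;
            *) continue ;;
        esac
        case "$pri" in
            none) result=no ;;
            '*')  result=yes ;;
            =*)   if [ "$msev" -eq "$(sev_num "${pri#=}")" ]; then result=yes; else result=no; fi ;;
            *)    if [ "$msev" -le "$(sev_num "$pri")" ]; then result=yes; else result=no; fi ;;
        esac
    done
    echo "$result"
}

# route_message FACILITY SEVERITY: read rule lines (selector target) on stdin
# and print the target of every rule the message matches.
route_message() {
    while read -r sel target || [ -n "$sel" ]; do
        case "$sel" in ''|\#*|\$*) continue ;; esac   # blank, comment, $directive
        if [ "$(selector_matches "$sel" "$1" "$2")" = yes ]; then
            echo "$target"
        fi
    done
    return 0
}

# Constructed rule set: RHEL 6 style defaults plus the two lines from the lab.
sample_rsyslog_conf() {
    cat <<'EOF'
# constructed excerpt in the style of /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
*.debug                                     /var/log/debug.log
mail.info                                   /var/log/mailinfo.log
EOF
}

echo "mail.info goes to:";       sample_rsyslog_conf | route_message mail info
echo "authpriv.notice goes to:"; sample_rsyslog_conf | route_message authpriv notice
```

Feeding the real file (`route_message authpriv notice < /etc/rsyslog.conf`) shows whether a new rule such as the lab's *.debug line duplicates messages that another rule already captures.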
Practice LAB:
01. Redirect all debugging level messages to a file named /var/log/debug.log
- Add the following line in /etc/rsyslog.conf
*.debug /var/log/debug.log
- Restart the service and monitor the debug.log file
# service rsyslog restart
# tail -f /var/log/debug.log
02. Redirect all mail-related informative messages to a file named /var/log/mailinfo.log
mail.info /var/log/mailinfo.log
- Restart the service and monitor the mailinfo.log file
# service rsyslog restart
# tail -f /var/log/mailinfo.log
Rotating Logs:
The Linux utility logrotate renames and reuses system error log files on a periodic basis so that they don't occupy excessive disk space.
The /etc/logrotate.conf File
This is logrotate's general configuration file in which you can specify the frequency with which the files are reused.
- You can specify either a weekly or daily rotation parameter. In the case below the weekly option is commented out with a #, allowing for daily updates.
- The rotate parameter specifies the number of copies of log files logrotate will maintain. In the case below the 4-copy option is commented out with a #, allowing 7 copies.
- The create parameter creates a new log file after each rotation.
Therefore, our sample configuration file will create daily archives of all the logfiles and store them for seven days. The files will have the following names, logfile being the current active version:
logfile
logfile.0
logfile.1
logfile.2
logfile.3
logfile.4
logfile.5
logfile.6
Sample contents of /etc/logrotate.conf:
# rotate log files weekly
#weekly
# rotate log files daily
daily
# keep 4 weeks worth of backlogs
#rotate 4
# keep 7 days worth of backlogs
rotate 7
# create new (empty) log files after rotating old ones
create
Locate and Analyze Log Summary Report:
A program called logwatch can be installed which will automatically analyze the standard log files and send a summary email to root. logwatch runs as a daily cron job to generate its report of interesting log information.
The system wide default settings for logwatch are kept in /usr/share/logwatch/default.conf/logwatch.conf file.
/etc/logwatch/conf/logwatch.conf is an empty file which contains local logwatch settings.
LAB Practice:
Configure logwatch to send log summary reports to user student rather than user root
- Modify /etc/logwatch/conf/logwatch.conf file
# vi /etc/logwatch/conf/logwatch.conf
MailTo=student
5 / 5 RH135-Day20 Written by Rajib Shahriar Rubence
Process:
------------
A process is an instance of a running program. The ps command can be used to list processes. By default, ps only shows processes started from this terminal (i.e. the terminal from which we gave the ps command). To view all processes running in all terminals and behind terminals we issue:
# ps aux
where
a = for all terminals
x = for processes running behind (not attached to) a terminal
u = show the username under which the process is running
You can use the ps command in combination with the grep command to see if a process is running. For example, to determine if Emacs is running, use the following command:
# ps ax | grep emacs
From the output of "ps aux" one of the most important pieces of information is the PID (process id). Referring to this PID we can kill (terminate) a process by sending it signal 9:
# kill -9 1001
The above command will terminate the process with PID 1001.

Use of top
----------------
The top program provides a dynamic real-time view of a running system. It can display system summary information as well as a list of tasks currently being managed by the Linux kernel. The top command monitors CPU utilization, process statistics, and memory utilization. The top section contains information related to overall system status: uptime, load average, process counts, CPU status, and utilization statistics for both memory and swap space.
By default the output of "top" is sorted by CPU usage, but it can be re-sorted interactively as follows:
M = sort by resident memory use
P = sort by CPU usage
N = sort by PID
A = sort by age (newest first)
You can also kill a process while using top by pressing "k". You'll be prompted for the PID of the task and the signal to send to it.
For killing the process send signal "9".

Process Scheduling (Niceness)
-----------------------------
A Linux system can have as many processes running at the same time as it has CPU cores. A primary task of the Linux kernel is scheduling processes. Every process has a niceness value that influences its scheduling. Niceness is a value which ranges from -20 through the default 0 to 19. The higher the niceness, the lower the priority. The nice and renice commands can change a process's scheduling priority.
# renice 0 2789
The above changes the niceness of process 2789 to 0.

Practice LAB:
01. Type "tail -f /var/log/messages" in a terminal. Kill the process from another terminal.
- Open a terminal and type "tail -f /var/log/messages"
- Open another terminal
- Get the process id (pid) of the process running in the first terminal
# ps aux | grep tail
- Kill the process by sending signal 9
# kill -9 1098 (assuming the process id is 1098)
02. Type "tail -f /var/log/messages" in a terminal. Change the niceness of this process to 10
- Type "tail -f /var/log/messages" in a terminal.
- Open another terminal
- Get the process id (pid) of the process
# ps aux | grep tail
- Change the niceness with the renice command
# renice 10 1098 (assuming the process id is 1098)
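The two labs above, driven from Python as an added example (not part of the course notes) so that the effect of each step can be checked: a child process stands in for "tail -f /var/log/messages", os.setpriority() plays the role of "renice 10 <pid>" and os.kill() with SIGKILL plays the role of "kill -9 <pid>". The function names are this example's own and it assumes a Linux host.

```python
"""Added example (not from the course notes): renice and then kill -9 a
child process, checking the niceness and exit status at each step.  The
child is a stand-in for the lab's "tail -f /var/log/messages"."""
import os
import signal
import subprocess
import sys

def start_worker():
    """Spawn a long-running child (a stand-in for tail -f)."""
    return subprocess.Popen([sys.executable, "-c", "import time; time.sleep(300)"])

def get_niceness(pid):
    """Read the NI value that ps and top show for a process."""
    return os.getpriority(os.PRIO_PROCESS, pid)

def renice(pid, niceness):
    """Equivalent of 'renice <niceness> <pid>'.  Raising niceness (lowering
    priority) is always allowed for your own processes; lowering it below the
    current value needs root, exactly as with the renice command."""
    os.setpriority(os.PRIO_PROCESS, pid, niceness)
    return get_niceness(pid)

def kill_9(proc):
    """Equivalent of 'kill -9 <pid>': SIGKILL cannot be caught or ignored.
    Returns the wait status, which Python reports as -<signal number>."""
    os.kill(proc.pid, signal.SIGKILL)
    return proc.wait()

def run_lab():
    """Lab 02 then lab 01: renice the worker to 10, then kill it with 9."""
    proc = start_worker()
    before = get_niceness(proc.pid)            # inherited from us, normally 0
    after = renice(proc.pid, max(before, 10))  # never try to lower niceness
    status = kill_9(proc)                      # -9 == terminated by SIGKILL
    return before, after, status

if __name__ == "__main__":
    print(run_lab())
```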
Cron : Managing Periodic Tasks
Linux Crontab Format
MIN  HOUR  DOM  MON  DOW  CMD

MIN : Minute. Allowed values 0 to 59
HOUR: Hour. Allowed values 0 to 23
DOM : Day of Month. Allowed values 1-31
MON : Month of the year. Allowed values 1-12
DOW : Day of Week. Allowed values 0-6, where 0 = Sunday and 6 = Saturday
CMD : Command. Any command to be executed.
This will reboot your computer on 10th June 08:30 AM.
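To check what a crontab entry actually matches, here is an added Python example (not from the course notes) that parses the five time fields described above and tests them against a date and time. It goes slightly beyond the text by also handling ranges (a-b), lists (a,b) and steps (*/n); the entry it uses is constructed for the "10th June 08:30 AM" case and the command /sbin/reboot is an assumption, not taken from the notes.

```python
"""Added example (not from the course notes): parse the MIN HOUR DOM MON DOW
fields of a crontab entry and report whether it fires at a given minute.
Day-name/month-name forms and cron's "either DOM or DOW" rule when both are
restricted are not modelled."""
import datetime

# (min, max) allowed values per field, in crontab order: MIN HOUR DOM MON DOW
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def parse_field(spec, lo, hi):
    """Expand one field into the set of integers it covers, raising
    ValueError for anything outside the allowed range."""
    values = set()
    for part in spec.split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            first, last = lo, hi
        elif "-" in part:
            first, last = (int(x) for x in part.split("-", 1))
        else:
            first = last = int(part)
        if not (lo <= first <= last <= hi):
            raise ValueError("field %r out of range %d-%d" % (spec, lo, hi))
        values.update(range(first, last + 1, step))
    return values

def parse_entry(line):
    """Split a crontab line into five value-sets plus the command string."""
    fields = line.split(None, 5)
    if len(fields) != 6:
        raise ValueError("need MIN HOUR DOM MON DOW CMD, got: %r" % line)
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields[:5], FIELD_RANGES)]
    return sets, fields[5]

def fires_at(line, when):
    """True if the entry runs at 'when' ("YYYY-MM-DD HH:MM").  Cron's DOW uses
    0=Sunday while Python's weekday() uses 0=Monday, so convert."""
    when = datetime.datetime.strptime(when, "%Y-%m-%d %H:%M")
    (mins, hours, doms, mons, dows), _ = parse_entry(line)
    cron_dow = (when.weekday() + 1) % 7
    return (when.minute in mins and when.hour in hours and when.day in doms
            and when.month in mons and cron_dow in dows)

# Constructed entry for the "10th June 08:30 AM" case; /sbin/reboot is assumed.
REBOOT_ENTRY = "30 08 10 06 * /sbin/reboot"

if __name__ == "__main__":
    print(fires_at(REBOOT_ENTRY, "2024-06-10 08:30"))   # True
    print(fires_at(REBOOT_ENTRY, "2024-06-11 08:30"))   # False
```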