____________________________________ Ch1: Kickstart/Anaconda
---SECTIONS:
---1) Locations: url --url="http://classroom.example.com/..."; repo --baseurl="..."
2) Auth: rootpw --plaintext PASSWORD <-- the password sits in clear text in the ks file, which every installer fetches over plain HTTP; prefer rootpw --iscrypted <hash>
3) Partition: clearpart --all --initlabel
zerombr
part / --fstype=ext4 --size=4096 --maxsize=100000 --grow
part / --fstype="xfs" --ondisk=vda --size=5120
4) Network: network --device=eth0 --bootproto=dhcp etc
5) Config: lang en_US.UTF-8
timezone --utc <Area/City>
rootpw --plaintext redhat
services --disabled=network,iptables,ip6tables --enabled=NetworkManager
group --name=admins --gid=1001
Where the kickstart docs live:
cd /usr/share/
find . -name '*kickstart*.txt' -print
./pykickstart-1.99.43.17/kickstart-docs.txt
** /usr/share/doc/pykickstart-1.99.43.17/kickstart-docs.txt
Sample File: /root/anaconda-ks.cfg
---echo "RUN_FIRSTBOOT=NO" >> /etc/sysconfig/firstboot (goes in the %post section of the ks file; skips the first-boot wizard)
PXE/kickstart install:
- press 'F12' to select the boot media, and choose 'pxe' boot
- on the boot menu, select the appropriate entry (usually the 1st one) and press the 'tab' key to see the options
- add/append to the end of the line: ks=http://desktopX.example.com/ks-config/kickstart.cfg
- the package list goes between %packages and %end (every %packages, %pre and %post section must be closed with %end):
%packages
:
%end
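As an added example (not from the course notes and not part of pykickstart), a small lint pass to run over a kickstart file before it is copied into the web directory: anything that boots with ks=... fetches the file over plain HTTP, so a rootpw --plaintext line in it hands out the root password. The ks_lint function, its three checks and the two sample kickstart files it writes are constructed here; the install-tree URL and the hash in the 'good' sample are placeholders.

```shell
#!/bin/bash
# Added example, not part of the course notes or of pykickstart.
# ks_lint FILE: prints findings to stderr, prints the number of findings to stdout.
#   1. rootpw --plaintext          -> root password readable by anyone who can fetch the file
#   2. %packages/%pre/%post/%addon -> each section header needs a matching %end
#   3. part without clearpart      -> installer may stop on existing partitions
ks_lint() {
    ks=$1
    findings=0
    if grep -Eq '^rootpw[[:space:]]+--plaintext' "$ks"; then
        echo "FAIL: rootpw --plaintext; generate a hash and use 'rootpw --iscrypted <hash>'" >&2
        findings=$((findings + 1))
    fi
    sections=$(grep -Ec '^%(packages|pre|post|addon)' "$ks" || true)
    ends=$(grep -Ec '^%end' "$ks" || true)
    if [ "$sections" -ne "$ends" ]; then
        echo "FAIL: $sections section header(s) but $ends %end line(s)" >&2
        findings=$((findings + 1))
    fi
    if grep -Eq '^part[[:space:]]' "$ks" && ! grep -Eq '^clearpart' "$ks"; then
        echo "WARN: part lines without a clearpart line" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# make_sample_ks bad|good: writes a constructed kickstart file, prints its path.
make_sample_ks() {
    f=$(mktemp)
    if [ "$1" = bad ]; then
        cat >"$f" <<'EOF'
# constructed sample; the install tree URL is a placeholder
url --url="http://classroom.example.com/placeholder-install-tree/"
rootpw --plaintext redhat
part / --fstype="xfs" --ondisk=vda --size=5120
%packages
@core
EOF
    else
        cat >"$f" <<'EOF'
# constructed sample; URL and hash are placeholders
url --url="http://classroom.example.com/placeholder-install-tree/"
rootpw --iscrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH
clearpart --all --initlabel
zerombr
part / --fstype="xfs" --ondisk=vda --size=5120
%packages
@core
%end
%post
echo "RUN_FIRSTBOOT=NO" >> /etc/sysconfig/firstboot
%end
EOF
    fi
    echo "$f"
}

bad=$(make_sample_ks bad); good=$(make_sample_ks good)
echo "bad sample findings: $(ks_lint "$bad")"     # 3
echo "good sample findings: $(ks_lint "$good")"   # 0
rm -f "$bad" "$good"
```

Run it as `ks_lint /var/www/html/ks-config/kickstart.cfg` before the lab copy step; a non-zero count means the file should not be published yet.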
lab kickstart setup:
- installed the httpd web-server
- created the /var/www/html/ks-config/ directory
- cp /home/student/kickstart.cfg /var/www/html/ks-config/
____________________________________
Ch2: Regex / grep
---Regular Expression (regex)
^ = beginning of line anchor
$ = end of line anchor
^$ = matches empty lines
[a-zA-Z] = match ONE character from the range
[a-z0-9] = matches ONE alphanumeric character: a letter (a-z) or a digit (0-9)
[a-z0-9]\{32\} = matches exactly 32 alphanumeric characters in a row
\< = match the 'empty' string at the beginning of a word
\> = match the 'empty' string at the end of a word
Sample text to try the word boundaries against:
cat
dog
concatenate dogma
They are my pets
My dog and cat live peacefully category
educated boondoggle vindication chilidog
# This is a comment using '#' (hash)
; This is a comment using ';' (semicolon)
Example:
string="My dog and cat live peacefully"
echo "$string" | grep -w dog <-- match (whole word only: 'dogma' and 'chilidog' would not match)
echo "$string" | grep '\<dog\>' <-- also match, the same thing written with word anchors
c[aou]t = c, followed by 'a' or 'o' or 'u', then t (cat, cot, cut)
c.*t = c, followed by ANY number of characters, ending with t (greedy: runs on to the LAST t on the line)
c.\{2\}t = c, followed by exactly 2 characters, then t
Using 'grep'
-i = case IN-sensitive
-v = display lines that do NOT match
-r = search recursively in a directory or list of files
-A <N> = display <N> lines After the regex match
-B <N> = display <N> lines Before the regex match
-w = match the pattern only as an entire 'word' (word boundary)
-e = give several patterns (logical OR), e.g. grep -e foo -e bar
[0-9][0-9][0-9] = matches any 3 digits
grep '1[345]:[0-9]\{2\}:[0-9]\{2\}' door.log > door.out <-- times 13:00:00 to 15:59:59
grep '14:[345][0-9]:[0-9]\{2\}' wall.log > wall.out <-- times 14:30:00 to 14:59:59
grep -i -v 'no activity' wall.out > wall2.out <-- drop the 'no activity' lines, whatever their case
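The door.log / wall.log filters above, as an added example (not part of the course notes) run over constructed log lines, so the anchors, bracket expressions and \{N\} counts can be checked without the real lab files. The "HH:MM:SS message" line format is an assumption, and the functions are named here for illustration.

```shell
#!/bin/bash
# Added example (not from the course notes): the section's greps run over
# constructed sample log lines. Line format "HH:MM:SS message" is assumed.

# Constructed sample log; mixes what would be in door.log and wall.log.
SAMPLE_LOG='12:59:59 door opened by alice
13:04:12 door opened by bob
14:35:07 wall sensor: no activity
14:41:22 wall sensor: NO ACTIVITY
14:52:03 wall sensor: motion detected
15:30:45 door closed by carol
16:00:00 door opened by dave
note 14:45:00 is not a timestamp at the start of the line'

# door.out: lines whose timestamp is in hour 13, 14 or 15.
# The leading ^ pins the match to the start of the line, so a time quoted
# later in a message (last sample line) is not counted.
door_events() {
    printf '%s\n' "$SAMPLE_LOG" | grep '^1[345]:[0-9]\{2\}:[0-9]\{2\}'
}

# wall2.out: lines between 14:30:00 and 14:59:59, minus 'no activity'
# in any letter case (-i): the two-step grep from the section.
wall_activity() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep '^14:[345][0-9]:[0-9]\{2\}' \
        | grep -i -v 'no activity'
}

# -w matches 'dog' as a whole word only: 'dogma' and 'chilidog' are skipped.
word_dog_count() {
    printf 'dog\ndogma\nchilidog\nMy dog and cat live peacefully\n' | grep -c -w 'dog'
}

door_events       # 5 lines
wall_activity     # 1 line: 14:52:03 wall sensor: motion detected
word_dog_count    # 2
```

Without the `^` anchor the last sample line would also be picked up by the 13-15 filter, which is the usual way a log grep over-matches.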
More examples: http://cyberciti.biz/faq/grep-regular-expressions ____________________________________
Ch3: More vim
---cmd mode: (default, when you first start vi/vim)
insert mode: press 'i' (or 'a' or 'o' or 'O')
yy = yank (copy) the current line; p = paste it
Nx = delete N characters, e.g. 9x = remove 9 characters from the cursor position
v = visual mode (character-wise)
V = visual line mode (line-by-line)
ctrl-v = visual block mode
Search & Replace:
a) go into cmd mode (press 'Esc')
b) /pattern <-- to search for pattern
c) :1,$s/pattern/replace/gc <-- search for 'pattern' and replace with 'replace'
   note: "g" for global - replace all occurrences on each line; 'c' to ask for confirmation before each replacement
   :1,$ <-- the range: from the 1st line ('1') to the last line ('$'); '%' means the same
d) :11,20s/pattern/replace/g <-- replace all occurrences of 'pattern' with 'replace' FROM line 11 to line 20 only. Does not ask for confirmation.
____________________________________ Ch4: Scheduling - at & cron
---a) "at" command <-- scheduling one-time tasks
at <TIME-SPEC>, then type the commands one per line and finish with Ctrl-D
at now +5min
at noon +4 days
at 5pm August 3 2015
atq <-- to view the jobs in the queue.
at -c <jobnumber> <-- to view the actual commands (and the saved environment) of a job
atrm <jobnumber> <-- removes a queued job
Queues are a single letter, a-z and A-Z (higher letters run with more niceness); 'at' uses queue a and 'batch' uses queue b by default
at -q d teatime tomorrow <-- add a new job to queue "d" to run at teatime (4pm) tomorrow
> <cmd>
> <cmd>
Ctrl-D
OR, pipe the command text to 'at', e.g. echo "<cmd>" | at now +5min
echo 'echo "Hello world" >> out.txt' | at now +5min
*NOTE: echo "Hello world" >> out.txt | at now +5min is WRONG: the redirection takes echo's output, so at receives no command text. The command has to reach at on its stdin, hence the quoting above.
b) "crontab" / cronjob <-- scheduling regular/periodic tasks
___________
User Cron: (crontab -e to edit, crontab -l to list)
___________
5 time fields, from left to right, then the command *memorize the fields on page 70
min (0-59) | hour (0-23) | day of month (1-31) | month (1-12) | day of week (0-7, 0 and 7 = Sunday) | <cmd-to-run>
_______________
System Cron:
_______________
/etc/crontab /etc/anacrontab /etc/cron.d/ /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
Shell scripts placed in the /etc/cron.{hourly,daily,weekly,monthly}/ directories are run at those intervals (no time fields needed)
*Files in /etc/cron.d/ (and /etc/crontab itself) use the usual 5 time fields PLUS a 6th field naming the user the command runs as, before the command. Leaving the user field out of a cron.d line is a common mistake: the first word of the command is then taken as the user name.
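As an added example (not from the course notes), a checker for the two cron line formats just described: five time fields plus a command for a user crontab, five time fields plus a user plus a command for /etc/cron.d and /etc/crontab. It validates each field's range and syntax, and flags a cron.d line whose "user" looks like a path. Numeric fields only (no month/day names, no @reboot shortcuts) is an assumption of this example; the function names are made up here.

```shell
#!/bin/bash
# Added example (not from the course notes): validate cron time fields and
# tell user crontab lines apart from /etc/cron.d style lines (extra USER field).
# Assumptions: numeric fields only, no month/day names, no @reboot shortcuts.

# field_ok VALUE MIN MAX -> 0 if VALUE is a valid cron field within MIN..MAX.
# Accepts *, n, a-b, */n, a-b/n and comma-separated lists of those.
field_ok() {
    val=$1 lo=$2 hi=$3
    saved_ifs=$IFS
    set -f                          # no globbing: '*' must stay a literal
    IFS=,; set -- $val; IFS=$saved_ifs
    set +f
    for item in "$@"; do
        step=1
        case "$item" in */*) step=${item##*/}; item=${item%/*} ;; esac
        case "$item" in
            '*') a=$lo; b=$hi ;;
            *-*) a=${item%-*}; b=${item#*-} ;;
            *)   a=$item; b=$item ;;
        esac
        for x in "$a" "$b" "$step"; do
            case "$x" in ''|*[!0-9]*) return 1 ;; esac
        done
        [ "$a" -ge "$lo" ] && [ "$b" -le "$hi" ] && [ "$a" -le "$b" ] && [ "$step" -ge 1 ] || return 1
    done
    return 0
}

# cron_check LINE user|system -> prints "ok" or the first problem found.
# Exit status is always 0; test the printed text.
cron_check() {
    line=$1 kind=$2
    set -f; set -- $line; set +f
    [ $# -ge 6 ] || { echo "too few fields"; return; }
    field_ok "$1" 0 59 || { echo "bad minute: $1"; return; }
    field_ok "$2" 0 23 || { echo "bad hour: $2"; return; }
    field_ok "$3" 1 31 || { echo "bad day-of-month: $3"; return; }
    field_ok "$4" 1 12 || { echo "bad month: $4"; return; }
    field_ok "$5" 0 7  || { echo "bad day-of-week: $5"; return; }
    shift 5
    if [ "$kind" = system ]; then
        # 6th field must look like an account name; a path here means the
        # user field was forgotten and cron would try to run as that "user".
        case "$1" in ''|*[!A-Za-z0-9._-]*) echo "bad user field: $1"; return ;; esac
        shift
    fi
    [ $# -ge 1 ] || { echo "missing command"; return; }
    echo ok
}

cron_check '*/15 2-4 * * 1-5 /usr/local/bin/backup.sh' user                  # ok
cron_check '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' system  # ok
cron_check '60 3 * * * /bin/true' user                                       # bad minute: 60
cron_check '0 3 * * * /usr/sbin/logrotate' system                            # bad user field: /usr/sbin/logrotate
```

The last call is the cron.d mistake described above: a user-crontab style line dropped into /etc/cron.d, where cron would read "/usr/sbin/logrotate" as the account name.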
c) Managing tmp files with systemd - "systemd-tmpfiles"
One of the first services that systemd starts is 'systemd-tmpfiles-setup' - this service runs the following commands:
systemd-tmpfiles --create to create tmp files/dirs
systemd-tmpfiles --remove to remove tmp files
Config files at:
/etc/tmpfiles.d/*.conf <-- admin defined.
/run/tmpfiles.d/*.conf <-- run-time configuration, usually set by the services/daemons themselves
/usr/lib/tmpfiles.d/*.conf <-- system defined/installed. Do not edit (copy the file to /etc/tmpfiles.d/ under the same name to override it).
Config file format:
Type Path Mode UID GID Age Argument
d /run/systemd/xtmp 755 root root -
d = create the 'd'irectory /run/systemd/xtmp if it does not exist. The directory is owned by root, perm 755, and is not automatically purged (the Age is '-')
D /home/student/tmp 0700 student student 1d
D = create the dir /home/student/tmp if it does not exist. If it exists, its contents are deleted when systemd-tmpfiles --remove is run. When systemd-tmpfiles --clean is run, remove all files that have not been accessed, changed or modified in more than 1 day.
Syntax: view the man pages --> man 5 tmpfiles.d
*NOTE: after making changes to the tmpfiles config files, remember to check/test with:
# systemd-tmpfiles --clean <tmp-conf-file.conf>
# systemd-tmpfiles --clean /etc/tmpfiles.d/tmp.conf
_______________________________________
Ch5: Priority Processes / nice, renice
---ps aux --sort=nice (or: ps -o pid,ni,comm)
nice -n 15 <process-name> & <-- start a process with nice value 15 (lower priority)
renice -n <NICE_LEVEL> <PID> <-- range -20 (highest priority) to 19 (lowest); only root can set a negative value or lower the nice value of a running process
renice -n -7 $(pgrep sha1sum) <-- change the nice level of ALL the 'sha1sum' processes to -7
kill $(pgrep sha1sum) <-- kill all processes whose name matches 'sha1sum'
____________________________________
Ch6: ACL
---Extends the basic 'rwx' permissions of users and groups
2 commands:
a) setfacl (to set the ACL permissions of resources)
b) getfacl (to view the ACL permissions)
setfacl -m u:<name>:rwX <file|dir>
setfacl -m g:<name>:rwX <file|dir>
setfacl -m o::- <file> <-- the dash '-' means no permission
* 'X' = execute only if the target is a directory or already has execute set for someone; use it with -R so regular files do not become executable.
* if <name> is left blank (u:: or g::), then it applies to the file owner / owning group; otherwise <name> can be the username/groupname or the UID/GID.
Default ACL
~~~~~~~~~~~~
setfacl -m d:u:<name>:rx <directory> <-- inherited by files/dirs created inside <directory> from now on
setfacl -x d:u:<name> <directory> <-- remove one default ACL entry set previously
setfacl -b <dir>|<file> <-- removes ALL ACLs (including the default ACL)
setfacl -k <directory> <-- removes the default ACL on a dir
** IMPORTANT: Always do 'chmod' first before setting the ACL via setfacl. A chmod on the group bits of a file that already has an ACL rewrites the ACL 'mask' entry, which caps every named-user and named-group entry, so the ACL you just set can silently lose permissions. Check with getfacl: an entry printed with "#effective:r--" is being limited by the mask.
<<<________>>>
cd /shares
chown -R root:bakerstreet cases
chmod g+s cases
chmod 660 cases/*
setfacl -Rm g:scotlandyard:rwX cases
setfacl -Rm u:jones:r-X cases
setfacl -Rm d:g:scotlandyard:rwX cases
setfacl -Rm d:u:jones:r-X cases
setfacl -m g::rwX cases
____________________________________
Ch7: SELinux
---Standard Linux Security (DAC - Discretionary Access Control) - effectively only 2 privilege levels: "user" and "root"
- main problem: any process/program launched by a user (bob) runs with all of bob's permissions.
  E.g. Bob launches Firefox - can Firefox read Bob's private key in ~/.ssh/id_rsa? YES. So a compromised Firefox can wreak havoc. (Another example: a compromised Apache can reach everything the apache user can, and any privilege escalation from there is unconstrained.)
SELinux - MAC (Mandatory Access Control) - the default rule is that everything is denied.
- every process ('subject') has to be explicitly allowed to access the resources ('objects') - such as files, sockets, devices, etc.
3 Types of Access Control
~~~~~~~~~~~~~~~~~~~~~~~
a) Type/Targeted Enforcement (TE) - this is the main mechanism
b) Role-Based Access Ctrl (RBAC)
c) Multi-Level Security (MLS) - usually in high security/military contexts
---In SELinux, all subjects (processes) and objects (system resources) are associated with a 'type', which taken together controls the access permissions. The combo of:
user:role:type (plus an optional MLS level) is called the "Security Context" (SC). SELinux access rules are constructed based on these SCs.
TE (Type Enforcement)
~~~~~~~~~~~~~~~~~~~~~~
This is based on a single security property - the 'type'
- it is applied to processes (subjects) and resources (objects), e.g.
  * Apache processes --> type is: httpd_t
  * /var/www/html/index.php --> type is: httpd_sys_content_t
- Access is allowed solely by type, e.g.:
  * many processes (subj) and resources (obj) share the same type
  * processes with the same type have the same access to resources of the same type. For example:
    httpd_t can read/access httpd_sys_content_t
  * Process types are called "domains" (sometimes also applied to resources such as sockets)
  * Different resources can have the same type
Targeted Policy uses TE (Type enforcement)
- System where processes by default are 'unconfined' - only targeted processes are confined
- Unconfined Domains
  * default user processes run in unconfined_t
  * system processes run in initrc_t
  * 'unconfined' processes have the same access/privileges as on a normal Linux system without SELinux
  * Daemons (services) with a defined policy transition to confined domains, e.g. httpd started from 'unconfined_t' transitions to 'httpd_t', which has limited access.
"Z" is your friend: ls -Z, id -Z, ps auxZ, lsof -Z, netstat -natZ, find / -context='<pattern>'
*NOTE:
cp - the copy gets the security context of the destination directory (unless cp --preserve=context or -a is used)
mv - keeps the original source security context, so a file moved into /var/www/html keeps e.g. user_home_t and Apache cannot read it; run restorecon after mv.
installation (via yum or rpm) - sets the default security context based on the system policy.
Essential Software Packages to install
~~~~~~~~~~~~~~~~~~~~~~
yum install policycoreutils policycoreutils-python policycoreutils-gui
yum install setroubleshoot setroubleshoot-server
Essential CMDs:
~~~~~~~~~~~~~~
getenforce
setenforce 1 (enforcing) / setenforce 0 (permissive) <-- runtime only; the persistent mode is SELINUX= in /etc/selinux/config
semanage boolean -l
semanage fcontext -l <-- to list all file context rules
semanage fcontext -l | grep 'httpd_.*content'
semanage fcontext -a -t <TYPE> '/directory(/.*)?'
restorecon -Rv /directory
chcon -Rv --reference <good_dir_context> <destination_dir>
chcon -Rv --reference /var/www/html /custom <-- '-R' for recursive, 'v' verbose
chcon -Rv --reference /var/www/html '/custom(/.*)?' <-- WRONG: the '(/.*)?' regex belongs to semanage; chcon takes a plain path
** chcon only relabels the files on disk, not the policy: the next restorecon or relabel reverts it. semanage fcontext + restorecon is the persistent method.
example:
semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'
restorecon -RFv /virtual
ls -ldZ /var/www/html
semanage fcontext -a -t httpd_sys_content_t '<path-regex>' <-- "-a -t" (add a rule with this type)
semanage fcontext -d -t httpd_sys_content_t '<path-regex>' <-- "-d -t" (delete that rule)
getsebool -a
setsebool -P httpd_enable_homedirs on <-- "-P" for permanent
semanage boolean -l (to view all the booleans)
Booleans
~~~~~~~~
semanage boolean -l <-- show all booleans with their current/default values and description
semanage boolean -l -C <-- shows only the booleans that differ from the default
(this happens when we use the 'P' (permanent flag) to set a boolean value, e.g.
# setsebool -P httpd_enable_homedirs on (<-- "P" for permanent)
# semanage boolean -l -C
getsebool -a | less <-- to list the current boolean settings
Viewing SELinux Alerts
---tail -f /var/log/messages OR journalctl -f -l -p err; with setroubleshoot installed the log entry points to "sealert -l <UUID>" for the full explanation and suggested fix. Raw denials: ausearch -m avc -ts recent
Apache 101
---1) Config file: vi /etc/httpd/conf/httpd.conf
- search for "DocumentRoot" <-- this specifies the location of the web (html) files.
  default is /var/www/html
  to change to another location, need to edit 2 lines, e.g.
  a) DocumentRoot /var/www/html => to: DocumentRoot /custom
  b) <Directory /var/www/html> => to: <Directory /custom>
  (the new directory also needs the httpd_sys_content_t context, see the semanage/restorecon cmds above, or SELinux denies access)
- After editing the Apache config file, remember to restart Apache, i.e. "systemctl restart httpd"
- vi /etc/httpd/conf.d/userdir.conf
  search for "UserDir disabled" <-- change this to: UserDir enabled
  search for "#UserDir public_html" <-- default is commented, i.e. it has a '#' at the beginning, then uncomment it. It should read:
  UserDir public_html
Example: Enabling User's (student) public_html directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ mkdir /home/student/public_html
$ chmod 711 /home/student; chmod 755 /home/student/public_html <-- Apache must be able to traverse the home dir and read the content
$ su -
# semanage boolean -l | grep 'httpd.*home'
httpd_enable_homedirs (off , off) Allow httpd to enable homedirs
# setsebool -P httpd_enable_homedirs on
# semanage boolean -l -C (<-- to view the change from the default settings)
# vi /etc/httpd/conf.d/userdir.conf
  Change "UserDir disabled" ---> TO: "UserDir enabled"
  Uncomment: #UserDir public_html ---> TO: UserDir public_html (note: change the <Directory "/home/*/..."> entry accordingly)
# systemctl restart httpd <-- remember to restart httpd after making changes to the config file
The following 2 cmds are the 'manual' method to make non-standard httpd folders accessible on the web:
# semanage fcontext -a -t httpd_sys_content_t "/home/student/public_html(/.*)?"
# restorecon -Rv /home/student/public_html
______________________________________________________
Ch8: Ldap, Kerberos/IPA (Identity, Policy & Audit server)
--- Centralized authentication/user login is vital in an enterprise environment
- 2 methods: a) LDAP+Kerberos+sssd (b) IPA (Identity, Policy, Audit) Server
- IPA is basically LDAP+Kerberos+web UI+extras (LDAP+Kerberos on steroids)
Note: the server side is assumed already configured
a) on the client (e.g. desktopX)
# yum install sssd authconfig-gtk krb5-workstation
# authconfig-gtk &
*** IMPORTANT: the Kerberos 'REALM' must be in UPPERCASE (e.g. EXAMPLE.COM). Use TLS (ldaps:// or STARTTLS) for the LDAP connection so that lookups and binds do not cross the wire in clear text.
b) on the client
# yum install ipa-client
# ipa-client-install --no-ntp --mkhomedir --domain=serverX.example.com
____________________________________
Ch9: FileSystems, Mounts, Swaps
---MBR (Master Boot Record) - use fdisk
- stores only 1 copy of the partition table, at the beginning of the hdd
- if it is lost or corrupted, the partitions (and with them access to the data) are lost
- limits: 4 primary partitions, disks up to 2 TiB
GPT (GUID Partition Table) - use gdisk
- GPT partitions are used in systems running UEFI
- stores the partition table at the beginning of the disk as well as a backup partition table at the end of the disk, with CRC32 checksums
fdisk /dev/vda <-- note: the whole disk, no partition number; fdisk /dev/vda1 <-- wrong.
gdisk /dev/vdb
FileSystems:
---mkfs -t xfs /dev/vda1 <-- specify partition '1', i.e. /dev/vda1
mkfs -t ext4 /dev/vdb2 <-- partition 2 on the second hdd. "-t" is the type
mount /dev/vdb2 /mnt
Persistent: mount points are specified in /etc/fstab
To find the "UUID":
---blkid /dev/vdb1
blkid /dev/vdb2
Swap Space
---mkswap /dev/vdb2
swapon /dev/vdb2 <-- turn on the swap space
swapoff /dev/vdb2 <-- turn off swap
example /etc/fstab entry:
UUID=fadkasuyr...dfsc swap swap defaults 0 0
UUID=fadkasuyr...dfsc swap swap pri=1 0 0 (specify swap priority)
The last 2 fields are the "dump flag" and the "fsck pass" (fileSystem check order). Since swap space does not need these 2 options, they are set to 0 0. For the root file system it's traditionally 1 1 (XFS entries can use 0 0: fsck.xfs does nothing at boot).
For a LOCALLY mounted file system (eg /dev/vdb1), they are usually 1 2 (but can also be 0 0);
fsck order '2' means it is checked after the root filesystem ('1'). BUT for network mounts (NFS or CIFS), use 0 0,
because the remote disk is NOT under the local machine's control (and add the _netdev option so the mount waits for the network).
=========
fdisk /dev/vdb <-- to create partitions. Do NOT specify a partition number.
n = create new partition. Then specify the partition number,
    accept the default first/starting sector, specify the size, e.g. +512M or +1G, etc
p = print - display the changes you've made
t = change the partition type
w = write the changes to disk
Types, 't'
83 <-- default Linux partition
8e <-- LVM partition
82 <-- swap space
(for 'gdisk' - add 2 zeroes at the end, e.g. 8e00 for LVM, 8200 for swap, 8300 for Linux)
Then run 'partprobe' to tell the kernel about the new partition
create filesystem:
---mkfs -t xfs /dev/vdb1
mkfs -t ext4 /dev/vdb3 ...etc
Making Swap space
- create the partition using fdisk or gdisk. Change the type to 82 (8200 in gdisk)
- mkswap /dev/vdb2
- swapon /dev/vdb2
IF adding the swap entry to /etc/fstab, then enable it with: swapon -a <-- "-a" for all
To disable swap: swapoff -a
To set a priority for the swap-space in /etc/fstab, use:
/dev/vdb2 swap swap defaults 0 0
/dev/vdb3 swap swap pri=1 0 0
(the higher priority is used first; equal priorities are used round-robin)
**IMPORTANT NOTE:
- do NOT create partitions on the same disk using both fdisk and gdisk. It will confuse the system. If you created the 1st partition using gdisk (GPT), then use gdisk for ALL other partitions on that disk. If you created the 1st partition using fdisk (MBR), then use fdisk for all the other partitions on that disk.
____________________________________
Ch10: LVM
---5 steps in creating a usable LV
a) prepare the physical device - use fdisk/gdisk to create partitions (type 8e / 8e00).
# fdisk /dev/vdb
# fdisk /dev/vdc
b) create the PV (initialize the partitions)
# pvcreate /dev/vdb1 /dev/vdb2 /dev/vdc1
c) create the VG (called 'avengers')
# vgcreate avengers /dev/vdb1 /dev/vdb2 /dev/vdc1
d) create the LV (called 'hulk', 10G in size, in the 'avengers' volume group)
# lvcreate -n hulk -L 10G avengers
e) create the filesystem, e.g.
# mkfs -t xfs /dev/avengers/hulk
then, create a mount point to mount this new filesystem, e.g.
# mkdir /mnt/hulk
# mount /dev/avengers/hulk /mnt/hulk
for a persistent mount add the line below to /etc/fstab, then test it with # mount -a
/dev/avengers/hulk /mnt/hulk xfs defaults 1 2
PV cmds
~~~~~~~~
pvcreate /dev/vdb1 /dev/vdb2
pvremove /dev/vdb1 /dev/vdb2
pvdisplay /dev/vdb2
pvmove /dev/vdb1 <-- this moves all the data (the used physical extents) to other PVs in the same VG, so the PV can then be taken out with vgreduce
VG cmds
~~~~~~~
vgcreate <vgname> /dev/vdb1 /dev/vdb2
vgremove <vgname>
vgdisplay <vgname>
vgextend <vgname> /dev/vdc1
LV cmds
~~~~~~~
lvcreate -n <lvname> -L <SIZE> <vgname>
lvremove /dev/vgname/lvname
lvdisplay /dev/vgname/lvname
lvextend -L +300M /dev/vgname/lvname
-> after running lvextend, remember to grow the file system so it occupies the extended LV. The tool depends on the filesystem type:
# xfs_growfs /mnt/storage <-- XFS: takes the MOUNT POINT (the filesystem must be mounted)
# resize2fs /dev/vgname/lvname <-- ext2/3/4: takes the LV device, not the mount point
** resize2fs does not work on XFS and xfs_growfs does not work on ext4; check the type with lsblk -f or df -T first. lvextend -r (--resizefs) runs the right tool for you.
____________________________________
Ch11: NFS
---RHEL7 uses NFSv4 (over TCP) by default and falls back to NFSv3 or NFSv2 if NFSv4 is not available. (NFSv3 or v2 can use either tcp or udp)
* Manually mount an NFS share (via cmd line OR via /etc/fstab)
* Automatic mount of an NFS share via the 'autofs' service
NFS shares are secured by various methods: 'none', 'sys', 'krb5', 'krb5i' and 'krb5p'
- sys (AUTH_SYS): the server trusts the UID/GID the client sends; any host that can reach the server can claim any UID, so it is only as safe as the network
- krb5: Kerberos authentication of the user; krb5i: plus integrity (signed requests); krb5p: plus privacy (encrypted traffic)
The nfs client must connect to the exported share using one of the methods above as specified by the share (via the mount option, sec=<method>)
The Kerberos options require at least /etc/krb5.keytab, which will be provided. Setting that up is outside the scope of this course. Just remember it's required!
The "nfs-secure" service (part of the 'nfs-utils' package) is used to manage communication with the server when connecting to Kerberos-secured shares.
Steps in SEQUENCE:
---1. check if the nfs-utils package is installed (yum list nfs-utils). If not installed, then 'yum install nfs-utils'
2. download the 'krb5.keytab' from the server/classroom and save it as /etc/krb5.keytab (it is a secret: keep it root-owned, mode 0600)
# wget http://classroom.example.com/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab
3. # systemctl enable nfs-secure
   # systemctl start nfs-secure
4. Create the mount points on desktopX
# mkdir -p /mnt/public
For Manual Mounts:
~~~~~~~~~~~~~~~~~
a) Edit /etc/fstab and add the following lines:
server0:/shares/public /mnt/public nfs sec=krb5p,sync 0 0
server0:/shares/public /mnt/manual nfs sec=sys,sync 0 0
(for comparison, local entries look like:)
# /dev/vda1 / xfs defaults 1 1
# /dev/shazam/storage /storage xfs defaults 0 2
b) Test it out:
# mount -a (to mount all the filesystems/shares in /etc/fstab)
# df -h
For AutoMounts: (autofs)
~~~~~~~~~~~~~~~~~~~~~~~~~~
yum -y install autofs
a) create the master-map (*.autofs) files in /etc/auto.master.d/
b) create the corresponding map file in /etc/ (e.g. /etc/auto.shares, /etc/auto.direct, /etc/auto.work)
c) Enable and start the autofs service:
# systemctl enable autofs
# systemctl start autofs
Automounter Benefits:
- users do not need root privileges to run mount/umount cmds
- nfs shares are not permanently connected via /etc/fstab (mounted on access, unmounted again after a timeout)
- "autofs" is the service that handles all this
yum install autofs: will create the following files & dir:
/etc/auto.master.d/ <-- directory
/etc/autofs_ldap_auth.conf
/etc/auto.master
/etc/auto.misc
/etc/auto.net
/etc/auto.smb
1. create a 'master map' file (*.autofs) - which identifies the base directory used for the mount points as well as the mapping files (/etc/auto.*) used for creating the automounts
Auto-Map (indirect map):
=========
# vi /etc/auto.master.d/master.autofs (add the following entry)
/shares /etc/auto.work <-- /shares is the 'base directory'
# vi /etc/auto.work
work -rw,sync,sec=krb5p serverX.example.com:/shares/work
docs -rw,sync,sec=sys serverX.example.com:/shares/docs
'work' & 'docs' are the mount points that will be automatically created/removed by the 'autofs' service. The full paths are /shares/work & /shares/docs (remember that /shares is the base dir for the mount points)
OR, use a wildcard:
# vi /etc/auto.work
* -rw,sync,sec=krb5p serverX:/shares/& <-- '&' is replaced by whatever name was looked up under /shares
Direct-Map:
===========
The master-map file content: /etc/auto.master.d/direct.autofs
/- /etc/auto.direct
The content of the mapping file /etc/auto.direct:
/mnt/public -rw,sync,sec=krb5p serverX:/shares/public
note: you need to create the /mnt/public directory manually (step 4 above).
In the case of an indirect map, you only have to create the base dir (/shares)
and the autofs service automatically creates the 'work' and 'docs' directories when needed.
__________
IMPORTANT:
1) Use the Fully Qualified Name, i.e. serverX.example.com:/shares and NOT serverX:/shares (Kerberos looks up the server's nfs/ principal by its FQDN)
2) Double check the 'security' type, i.e. sec=krb5p <-- don't forget the 'p' if asked to use encryption for security. (krb5i = integrity check only, krb5 = authentication only, 'sys' = trust the client's local UIDs).
____________________________________
Ch12: SMB
--- Mount SMB file systems manually (cli and /etc/fstab)
- Mount SMB file systems (CIFS) automatically - via autofs
Required software packages: cifs-utils
Optional (but useful): samba-client package - has the 'smbclient' cmd line utility (e.g. smbclient -L serverX to list the shares)
3 Steps:
---a) identify the remote share to access
b) determine the mount point where the share should be mounted (create it locally if needed)
c) mount the SMB share via cli or the appropriate config change
Authentication:
- SMB shares can be flagged as non-browseable, and can be restricted to specific users, groups
- there are many authentication schemes supported by SMB, the most common is the username/pass combo.
  (these can be stored in /etc/fstab itself or in a secret 'credentials' file, e.g. /etc/smbcred.smb)
  ** never put the password in /etc/fstab: that file is world-readable. Use a credentials file, root-owned, chmod 600.
Manual Mount
~~~~~~~~~~~~
CLI:
# mount -t cifs -o guest //serverX/share /mnt/share
(in comparison to other filesystems/nfs:)
mount -t nfs -o rw,sec=krb5p serverX:/shares /mnt/nfshare
mount (-t xfs -o defaults) /dev/vdb1 /mnt/hdd2
mount (-t ext4 -o defaults) /dev/VG/lvname /mnt/lv1
# mount -t cifs -o username=watson //serverX/share /mnt/share <-- you'll be prompted for the passwd
# mount -t cifs -o credentials=/etc/smbcred.smb //serverX/share /mnt/share (username & passwd are stored in the /etc/smbcred.smb file; cred= is the short form)
format for the credentials file:
username=watson
password=sherlock
domain=<domain>
** NOTE: files on a CIFS mount appear owned by the uid/gid given in the uid=/gid= mount options (default root) unless the server supports unix extensions; for ownership to line up, the client user needs the same UID/GID as the user/group on the SMB server.
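The fstab rules from Ch9 (dump/fsck fields), Ch11 (NFS entries) and the credentials-file rule above, as one added check (not from the course notes). It reads fstab-format lines from a file and reports swap/network entries that do not end in "0 0", network entries without _netdev, and cifs entries whose credentials= file is missing or not mode 0600. The sample fstab, its UUIDs and server names, and the two credential files it creates are constructed in a temp dir; ownership of the credentials file is not checked here (on a real host it should be root).

```shell
#!/bin/bash
# Added example (not from the course notes): sanity checks over /etc/fstab
# style lines. Checks:
#   - swap and network (nfs/nfs4/cifs) entries must end in "0 0"
#   - network entries should carry _netdev so boot does not block on them
#   - a cifs credentials=/cred= file must exist and be mode 0600
#     (ownership is not checked here; on a real host it should be root)

# fstab_check FILE: prints one line per finding, returns the number of findings.
fstab_check() {
    n=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac
        : "${dump:=0}" "${pass:=0}"            # missing fields mean 0
        case "$fstype" in
            swap|nfs|nfs4|cifs)
                if [ "$dump" != 0 ] || [ "$pass" != 0 ]; then
                    echo "$mnt: $fstype entry should end in '0 0', has '$dump $pass'"
                    n=$((n + 1))
                fi ;;
        esac
        case "$fstype" in
            nfs|nfs4|cifs)
                case ",$opts," in
                    *,_netdev,*) ;;
                    *) echo "$mnt: network filesystem without _netdev"; n=$((n + 1)) ;;
                esac ;;
        esac
        if [ "$fstype" = cifs ]; then
            cred=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n -e 's/^credentials=//p' -e 's/^cred=//p')
            if [ -n "$cred" ]; then
                if [ ! -f "$cred" ]; then
                    echo "$mnt: credentials file $cred does not exist"; n=$((n + 1))
                elif [ "$(stat -c '%a' "$cred")" != 600 ]; then
                    echo "$mnt: $cred is mode $(stat -c '%a' "$cred"), want 0600"; n=$((n + 1))
                fi
            fi
        fi
    done < "$1"
    return $n
}

# make_sample_fstab: writes a constructed fstab plus two credential files in a
# temp dir and prints the fstab path. UUIDs and host names are placeholders.
make_sample_fstab() {
    dir=$(mktemp -d)
    printf 'username=watson\npassword=sherlock\n' > "$dir/good.cred"; chmod 600 "$dir/good.cred"
    printf 'username=watson\npassword=sherlock\n' > "$dir/bad.cred";  chmod 644 "$dir/bad.cred"
    cat > "$dir/fstab" <<EOF
# constructed sample
UUID=0000-root          /            xfs   defaults                            1 1
UUID=0000-swap          swap         swap  pri=1                               0 0
/dev/vdb2               swap         swap  defaults                            1 2
server0:/shares/public  /mnt/public  nfs   sec=krb5p,sync,_netdev              0 0
server0:/shares/docs    /mnt/docs    nfs   sec=sys,sync                        0 2
//serverX/cases         /mnt/cases   cifs  credentials=$dir/good.cred,_netdev  0 0
//serverX/share         /mnt/share   cifs  credentials=$dir/bad.cred,_netdev   0 0
EOF
    echo "$dir/fstab"
}

sample=$(make_sample_fstab)
fstab_check "$sample" || echo "findings: $?"   # 4
rm -rf "$(dirname "$sample")"
```

Only the /mnt/cases line passes every check; the others show the mistakes the sections warn about (swap with "1 2", an NFS entry with fsck pass 2 and no _netdev, a world-readable credentials file).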
AutoMount (autofs)
~~~~~~~~~~~~~~~~~~
- create a 'master map' file (*.autofs) in /etc/auto.master.d/ (e.g. /etc/auto.master.d/smb.autofs):
/shares /etc/auto.smb
- create the associated map file (auto.*) in the /etc/ directory, e.g. /etc/auto.smb
  (the /etc/auto.smb shipped by the autofs package is a script; using another name such as /etc/auto.cifs avoids overwriting it)
  (For CIFS/samba - take note of the colon ":" in front of the share)
cases -fstype=cifs,credentials=/etc/smbcred.smb ://serverX/cases
  (For NFS:)
cases -rw,sync,sec=krb5p serverX:/shares
- # systemctl enable autofs
  # systemctl start autofs
NOTE: the file /etc/smbcred.smb (root-owned, mode 600):
username=sherlock
password=holmes123
domain=DETECTIVE
____________________________________
Ch13: Boot Process
---BIOS & UEFI are both 'firmware interfaces' that act as the intermediary between the computer hardware/firmware and the Operating System. Both BIOS/UEFI are used at startup to initialize the hardware components and load the OS "bootloader" (grub, grub2, etc) stored on the hard disk.
BIOS: reads the 1st sector of the HDD (the MBR).
UEFI: modern hardware - all initialization code is kept in *.efi files on the EFI System Partition of the HDD.
Detailed info: https://wiki.manjaro.org/index.php?title=Some_basics_of_MBR_v/s_GPT_and_BIOS_v/s_UEFI
(nice to know, but not essential)
What could go wrong with the boot process?
1) incorrect /etc/fstab entry (boot hangs or drops into emergency mode)
   on the kernel cmd line, i.e. the same line as 'linux16...' - append: systemd.unit=emergency.target
   then give the root passwd, remount / read-write (see NOTES), edit /etc/fstab and remove/fix the offending entry
2) corrupted /boot/grub2/grub.cfg (boot loader)
   upon startup, select the boot entry and press 'e' to edit
   then look for the offending grub2 entry and correct it, e.g. "os16" --> "linux16"
   after the system has booted up, login and run: # grub2-mkconfig > grub-new.cfg
   # diff grub-new.cfg /boot/grub2/grub.cfg <-- see the offending entries.
   # grub2-mkconfig > /boot/grub2/grub.cfg <-- install the new/corrected grub.cfg
3) Lost Root Passwd
   - on the boot menu, select the appropriate entry and press 'e'
   - on the 'linux16' line, append "rd.break" (without quotes). This boots into the initramfs with the root filesystem mounted 'read only' on /sysroot
   # mount -o remount,rw /sysroot <-- remount for read-write
   # chroot /sysroot <-- make this the 'tmp' root filesystem
   # passwd root <-- change the root passwd
   # touch /.autorelabel <-- tells SELinux to relabel on the next boot (passwd rewrote /etc/shadow without the SELinux policy loaded, so its label must be fixed or logins fail)
   # exit (exit from chroot)
   # exit (exit from the rescue shell) and continue booting
   ** anyone with console access can do this unless the boot loader is protected: on systems where that matters set a GRUB password (grub2-setpassword / password_pbkdf2 in the grub config).
systemctl get-default
systemctl set-default graphical.target
systemctl isolate multi-user.target (runlevel6.target <-- reboot)
important targets
---rescue.target : sulogin prompt, basic system initialization completed, system in read/write mode
emergency.target: sulogin prompt, initramfs pivot complete and system root mounted on / (read only)
** To select a different target at boot time, a special option can be appended to the kernel command line from the boot loader: eg: systemd.unit=rescue.target
Fix incorrect /etc/fstab entry
---1. Reboot
2. Interrupt the boot loader menu countdown by pressing any key
3. Move the cursor to the entry to be started. Press "e" to edit that entry
4. Move the cursor to the line that starts with "linux16". This is the kernel cmd line
5. Append: systemd.unit=<desired.target> eg: systemd.unit=rescue.target
6. Press 'ctrl-X' to boot with the edited entry (the edit is one-time only, it is not saved)
Recover root passwd
---1. Select the Boot-Entry (default or the rescue one), and press 'e' to edit
2. Go to the 'linux16' line (the line that has /boot/vmlinuz-3.x.x <-- this is the kernel),
   press the 'end' key to go to the end of the line, and append: "rd.break" (without quotes)
3. Ctrl-X to continue booting - a root shell is presented where the actual system is mounted as 'read-only' on /sysroot
4. RE-mount /sysroot as read-write:
   # mount -o remount,rw /sysroot
   # chroot /sysroot <-- switch into the chroot jail, where /sysroot is treated as the root of the file-system tree
5. # passwd root <-- reset root pass
   # touch /.autorelabel <-- needed for SELinux relabelling so /etc/shadow gets the correct context
6. # exit (to exit from chroot)
   # exit (exit the initramfs debug shell)
Repairing Grub2
---grub2-mkconfig > /boot/grub2/grub.cfg
* in grub menu entries, "linux16" is valid. Anything else such as "os16" is wrong.
______
NOTES:
---to remount a 'read-only' filesystem: # mount -o remount,rw /
____________________________________
Ch14: FirewallD
--- old ways: iptables, ip6tables, ebtables (ebtables = filtering of Ethernet frames on a Linux bridge, the layer-2 counterpart of iptables)
- firewalld - manages both ipv4 and ipv6 (it is a front end to the same kernel netfilter rules)
- All network traffic is classified into "zones".
- based on criteria such as the source IP of the packet, or the incoming NIC, traffic is assigned to the appropriate zone and the rules of that zone are then applied:
  * every packet that comes into the system is first checked for its source IP addr. If it matches a source bound to a zone, then the rules of that zone are applied.
  * If the source IP is not tied to a zone, then the zone of the incoming network interface is used.
  * If the network interface is not associated with any zone for some reason, then the default zone is used. The 'public' zone is the default.
Pre-defined zones:
--- trusted: accept all
- internal: similar to home
- home: reject all unless related to outgoing or ssh, ipp-client, dhcpv6-client, mdns, samba-client
- work: reject all unless related to outgoing or ssh, ipp-client, dhcpv6-client
- public: reject all unless related to outgoing or ssh, dhcpv6-client
- external: reject all unless related to outgoing or ssh. Outgoing ipv4 traffic through this zone is masqueraded (NAT).
- block: reject all unless related to outgoing (the sender gets an icmp 'rejected' message)
- drop: drop all unless related to outgoing (do not respond with an icmp error message)
Predefined Services: firewall-cmd --get-services (to view all)
---ssh: local ssh server. Port 22/tcp
dhcpv6-client: local DHCPv6 client. Port 546/udp
ipp-client: local IPP printing. Port 631/udp
samba-client: local Windows file & print sharing client. Port 137/udp & 138/udp
mdns: Multicast DNS (mDNS) link-local name resolution. Port 5353/udp to 224.0.0.251
To configure firewalld
---firewall-config & (GUI) [yum -y install firewall-config]
firewall-cmd (cli)
~~~~~~~~~~~~
firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=<ZONE>
firewall-cmd --add-source=<CIDR> --zone=<ZONE> (the default zone is assumed if --zone is not specified)
firewall-cmd --remove-source=<CIDR> --zone=<ZONE>
firewall-cmd --add-interface=<IFACE> --zone=<ZONE>
firewall-cmd --change-interface=<IFACE> --zone=<ZONE>
firewall-cmd --add-service=<SERVICE> --zone=<ZONE>
firewall-cmd --add-port=PORT/PROTO --zone=<ZONE>
firewall-cmd --remove-service=<SERVICE> --zone=<ZONE>
firewall-cmd --remove-port=PORT/PROTO --zone=<ZONE>
To view the services allowed in a particular zone: firewall-cmd --list-services --zone=<ZONE>
firewall-cmd --list-all --zone=<ZONE> <-- everything about the zone: interfaces, sources, services, ports
** Without --permanent a change is runtime only and is lost at reboot or on firewall-cmd --reload; with --permanent it is written under /etc/firewalld/ but not applied until firewall-cmd --reload. For a change that is both active now and persistent, run the command with --permanent and then --reload (or run it twice, with and without --permanent).
_________________
Useful commands:
---whereis (e.g. whereis tmpfiles.d; whereis sealert; whereis httpd)
find (e.g. find /usr/lib -iname "tmp*" -print)
Software packages to install:
yum -y install sssd
yum -y install authconfig-gtk
yum -y install krb5-workstation
yum -y install ipa-client
yum -y install nfs-utils
yum -y install cifs-utils
yum -y install autofs
yum -y install httpd
yum -y install mod_ssl
yum -y install system-config-kickstart
yum -y install setroubleshoot