diff --git a/.github/ISSUE_TEMPLATE/request-to-add-new-content.md b/.github/ISSUE_TEMPLATE/request-to-add-new-content.md new file mode 100644 index 0000000..6a112e4 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/request-to-add-new-content.md @@ -0,0 +1,30 @@ +--- +name: Request to add new content +about: Add content via Git Hub issues +title: "[NEW]" +labels: documentation, enhancement +assignees: '' + +--- + +## New Content + + +**Objective:** + + +**Page:** + + +**Description:** + + +**Backup sources:** + +--- + +**New content:** + + + +--- diff --git a/.github/ISSUE_TEMPLATE/request-to-change-documentation.md b/.github/ISSUE_TEMPLATE/request-to-change-documentation.md new file mode 100644 index 0000000..e2aa58c --- /dev/null +++ b/.github/ISSUE_TEMPLATE/request-to-change-documentation.md @@ -0,0 +1,38 @@ +--- +name: Request to change documentation +about: Make changes to content via Git Hub issues +title: "[CHANGE]" +labels: documentation, enhancement +assignees: '' + +--- + +## Current Content + + +**Objective:** + + +**Page name:** + +--- + +**Current content:** + + +--- +## New Content + + +**Description:** + + +**Backup sources:** + +--- + +**New content:** + + + +--- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..727bc05 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.directory diff --git a/README.md b/README.md index d737762..77459d4 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,41 @@ -# rhcsa-study-guide -RHCSA Community Study Guide +# RHCSA Community Study Guide + +This repo serves as a community study guide for anyone that wants to study for the RHCSA exam. The idea is that anyone preparing for the exam can use the information here, as well as contribute (add, update, correct) to make it better. The aim is to have a free and Open Source study guide that is always up to date and with the best content. + +Please adhere to the guidelines, and most importantly, Red Hat's NDA. + +**Current Version:** RHCSA v8 _(with container objectives)_ + +## How to use + +As a study guide it makes more sense to digest the content via your web browser. You can access it at the [Objectives](markdown/Objectives.md) page. + +If you want to edit the content, start by reviewing the [rules](markdown/Rules.md). After you can choose to edit the contents by following the proper procedure for contributing changes to a Git Hub repository (if you are not familiar with the Git Hub process you can find simple instructions [here](https://kbroman.org/github_tutorial/pages/fork.html)), or by creating a Git Hub [issue](https://github.com/victorbrca/rhcsa-study-guide/issues/new/choose). + +### Rules and FAQ + +Please review the rules before making any changes. + +[Rules](markdown/Rules.md) + +## Study Content + +This is where you will be able to find various information about the exam, study guide, labs, study environments, etc. + +### Exam Format + +The exam format for the current version of the exam. + +[Exam Format](markdown/Exam-Format.md) + +### Objectives + +The current objectives for the exam (in enumerated list). This is where you can access the study guide's content. + +[Objectives](markdown/Objectives.md) + +### Additional Resources + +This page will provide you additional resources that will greatly help with your study. Resources include instructional videos, environments, labs and much more. + +[Additional Resources](markdown/Additional-Resources.md) 
diff --git a/markdown/1-Understand-and-use-essential-tools/1-Understand-and-use-essential-tools.md b/markdown/1-Understand-and-use-essential-tools/1-Understand-and-use-essential-tools.md new file mode 100644 index 0000000..99e2dec --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1-Understand-and-use-essential-tools.md @@ -0,0 +1,16 @@ +### 1. Understand and use essential tools + ++ [1.a Access a shell prompt and issue commands with correct syntax](1a-Access-a-shell-prompt-and-issue-commands-with-correct-syntax.md) ++ [1.b Use input-output redirection (>, >>, |, 2>, etc.)](1b-Use-input-output-redirection.md) ++ [1.c Use grep and regular expressions to analyze text](1c-Use-grep-and-regular-expressions-to-analyze-text.md) ++ [1.d Access remote systems using SSH](1d-Access-remote-systems-using-SSH.md) ++ [1.e Log in and switch users in multiuser targets](1e-Log-in-and-switch-users-in-multiuser-targets.md) ++ [1.f Archive, compress, unpack, and uncompress files using tar, star, gzip, and bzip2](1f-Archive-compress-unpack-and-uncompress-files-using-tar-star-gzip-and-bzip2.md) ++ [1.g Create and edit text files](1g-Create-and-edit-text-files.md) ++ [1.h Create, delete, copy, and move files and directories](1h-Create-delete-copy-and-move-files-and-directories.md) ++ [1.i Create hard and soft links](1i-Create-hard-and-soft-links.md) ++ [1.j List, set, and change standard ugo/rwx permissions](1j-List-set-and-change-standard-ugo_rwx-permissions.md) ++ [1.k Locate, read, and use system documentation including man, info, and files in /usr/share/doc](1k-Locate-read-and-use-system-documentation-including-man-info-and-files-in-_usr_share_doc.md) + +--- +[⬅️ Back](../Objectives.md) diff --git a/markdown/1-Understand-and-use-essential-tools/1a-Access-a-shell-prompt-and-issue-commands-with-correct-syntax.md b/markdown/1-Understand-and-use-essential-tools/1a-Access-a-shell-prompt-and-issue-commands-with-correct-syntax.md new file mode 100644 index 0000000..92ee958 
--- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1a-Access-a-shell-prompt-and-issue-commands-with-correct-syntax.md @@ -0,0 +1,10 @@ +1.a Access a shell prompt and issue commands with correct syntax +=== + +You should know: ++ How to open the terminal ++ Execute very basic commands (pwd, ls, cd, mv, man) + + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) diff --git a/markdown/1-Understand-and-use-essential-tools/1b-Use-input-output-redirection.md b/markdown/1-Understand-and-use-essential-tools/1b-Use-input-output-redirection.md new file mode 100644 index 0000000..8264af8 --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1b-Use-input-output-redirection.md 
@@ -0,0 +1,59 @@ +1.b Use input-output redirection (>, >>, |, 2>, etc.) +=== + +stdin, stdout, stderr +--- + +Under normal circumstances every Linux program has three streams opened when it starts; one for input; one for output; and one for printing diagnostic or error messages. These are typically attached to the user's terminal (see man tty(4)) but might instead refer to files or other devices, depending on what the parent process chose to set up. + ++ stdin (0) - Keyboard ++ stdout (1) - Screen ++ stderr (2) - Device reserved for error output + + +Input Redirection +--- + +Redirection is used to redirect the stdout/stdin/stderr. + +| Operator | Redirect | +| ------------ |:----------------- | +| `1>`, `>` | stdout | +| `1>>`, `>>` | Append stdout | +| `2>`, | stderr | +| `2>>` | Append stderr | +| * `2>&1`, `&>` | stderr and stdout | + +\* *Here are two ways on how we would redirect stderr to stdout* + + command > output_file 2>&1 + #or + command &> output_file + +### Examples + +Cat the contents of myfirstscript (same as `cat myfirstscript`) + + $ cat < myfirstscript + +Create longlisting with the output of `ls -al myfirstscript` + + $ ls -al myfirstscript > longlisting + +Copy the contents of myfirstscript to mynewscript + + $ cat < myfirstscript > mynewscript + +Pipe +--- + +Pipes are used to give the output of a command as input to another command + + $ echo a b c | cut -f 2 -d ' ' + b + + + + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) diff --git a/markdown/1-Understand-and-use-essential-tools/1c-Use-grep-and-regular-expressions-to-analyze-text.md b/markdown/1-Understand-and-use-essential-tools/1c-Use-grep-and-regular-expressions-to-analyze-text.md new file mode 100644 index 0000000..d936ffe --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1c-Use-grep-and-regular-expressions-to-analyze-text.md 
@@ -0,0 +1,30 @@ +1.c Use grep and regular expressions to analyze text +=== + +| Operator | Description | +| --------------- | --------------------------------------------------------------------------- | +| `^` | Match expr at the start of line | +| `$` | Match expr at the end of line | +| `\` | Turn off special meaning | +| `[ ]` | Match any of the enclosed chars | +| `[^ ]` | Match any char except the enclosed | +| `.` | Match a single char | +| `?` | Match zero or one chars | +| `+` | Match one or more chars | +| `*` | Match zero or more chars | +| `\{x,y\}` | Match x to y occurrences of preceding expr | +| `\{x\}` | Match x occurrences of preceding expr | +| `\{x,\}` | Match x or more occurrences of preceding expr | +| `[:class:]` | Matches all chars in class (alnum, alpha, digit, space, upper, lower, etc.) | + +#### Character Classes + +`[:alnum:], [:alpha:], [:cntrl:], [:digit:], [:graph:], [:lower:], [:print:], [:punct:], [:space:], [:upper:], and [:xdigit:]` + +**📌 EXAM TIP** ++ Use `man 7 regex` to get information on regex ++ You can find the character classes in grep's man page ++ Almost all character classes are defined with a 5 character word + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) diff --git a/markdown/1-Understand-and-use-essential-tools/1d-Access-remote-systems-using-SSH.md b/markdown/1-Understand-and-use-essential-tools/1d-Access-remote-systems-using-SSH.md new file mode 100644 index 0000000..ba45a56 --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1d-Access-remote-systems-using-SSH.md 
@@ -0,0 +1,73 @@ +1.d Access remote systems using SSH +=== + +## The SSH protocol + +The SSH protocol uses encryption to secure the connection between a client and a server. All user authentication, commands, output, and file transfers are encrypted to protect against attacks in the network. + +![](1d-Access-remote-systems-using-SSH/1d-Access-remote-systems-using-SSH-c3524.png) + +The new protocol replaced several legacy tools and protocols, including telnet, ftp, FTP/S, rlogin, rsh, and rcp. + +**Old Technologies that the SSH stack replaces** ++ Telnet -> SSH ++ RCP -> SCP ++ FTP -> SFTP + +## Usage + +SSH is typically used to log into a remote machine and execute commands, but it also can transfer files using the associated SSH file transfer (SFTP) or secure copy (SCP) protocols. SSH uses the client-server model. + +### Basic Syntax + +To connect to a remote system using SSH, we’ll use the ssh command. The most basic form of the command is: + + ssh remote_host + +The remote_host in this example is the IP address or domain name that you are trying to connect to. + +This command assumes that your username on the remote system is the same as your username on your local system. + +If your username is different on the remote system, you can specify it by using this syntax: + + ssh remote_username@remote_host + +Once you have connected to the server, you may be asked to verify your identity by providing a password. + +**Important command flags/options** ++ `-l` - login ++ `-i` - specify a private key to use ++ `-F` - specify config file ++ `-X` - enable X forwarding + +### Configuration Files + +**Client Config files** ++ `~/.ssh/config` ++ `/etc/ssh/ssh_config` + +**Server config file** ++ `/etc/ssh/sshd_config` + +## Other Important SSH Commands + +We will review these later. 
+ ++ `ssh-keygen` ++ `ssh-copy-id` *(note that this is a script and not a binary)* + +## How to enable commonly used config + +The listed configuration is done at the server: `/etc/ssh/sshd_config`. + ++ X11 forwarding + + `X11Forwarding yes` ++ sftp subsytem + + `Subsystem sftp /usr/lib/ssh/sftp-server` ++ Root login + + `PermitRootLogin yes` ++ Password authentication + + `PasswordAuthentication yes` + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) diff --git a/markdown/1-Understand-and-use-essential-tools/1d-Access-remote-systems-using-SSH/1d-Access-remote-systems-using-SSH-c3524.png b/markdown/1-Understand-and-use-essential-tools/1d-Access-remote-systems-using-SSH/1d-Access-remote-systems-using-SSH-c3524.png new file mode 100644 index 0000000..3d3faab Binary files /dev/null and b/markdown/1-Understand-and-use-essential-tools/1d-Access-remote-systems-using-SSH/1d-Access-remote-systems-using-SSH-c3524.png differ diff --git a/markdown/1-Understand-and-use-essential-tools/1e-Log-in-and-switch-users-in-multiuser-targets.md b/markdown/1-Understand-and-use-essential-tools/1e-Log-in-and-switch-users-in-multiuser-targets.md new file mode 100644 index 0000000..bdb3c9b --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1e-Log-in-and-switch-users-in-multiuser-targets.md 
@@ -0,0 +1,53 @@ +1.e Log in and switch users in multiuser targets +=== + +## Understanding Sell Types + +**Login Shells** + +A login shell (also an interactive shell) is the first process that executes under your user ID when you log in for an interactive session. + +Bash runs the following scripts on login: + +* /etc/profile +* The first found of ~/.bash_profile, ~/.bash_login, ~/.profile + +**Interactive Shells** + +An interactive shell reads commands from user input on a tty. Among other things, such a shell reads startup files on activation, displays a prompt, and enables job control by default. The user can interact with the shell. On entering an interactive terminal, Bash also executes: + +* /etc/bash.bashrc +* ~/.bashrc + +**Non-interactive shells** + +Non-interactive shells do not usually execute startup files, however different shells act differently. Bash always reads `~/.bashrc` when its invoked by rshd or sshd, even if its not interactive (but not if its called as sh). Zsh always reads `~/.zshenv`. + +Also note that aliases are not expanded when the shell is not interactive, unless the expand_aliases shell option is set using shopt: + +## Changing Users + +**Commands:** +- su (1) - run a command with substitute user and group ID +- sudo (8) - execute a command as another user + +_**Sudo and su commands and shell type**_ + +| Command | Interactive | Login | +| --------------- | ----------- | ----- | +| `su` | Y | N | +| `su -`, `su -l` | Y | Y | +| `sudo -i` | Y | Y | + +**su vs sudo** ++ sudo - asks for user password ++ su - asks for user password + +**Files to know** ++ `~/.bash_history` ++ `~/.bash_logout` ++ `~/.bashrc` ++ `~/.bash_profile` + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) 
diff --git a/markdown/1-Understand-and-use-essential-tools/1f-Archive-compress-unpack-and-uncompress-files-using-tar-star-gzip-and-bzip2.md b/markdown/1-Understand-and-use-essential-tools/1f-Archive-compress-unpack-and-uncompress-files-using-tar-star-gzip-and-bzip2.md new file mode 100644 index 0000000..8bad8c7 --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1f-Archive-compress-unpack-and-uncompress-files-using-tar-star-gzip-and-bzip2.md 
@@ -0,0 +1,144 @@ +1.f Archive, compress, unpack, and uncompress files using tar, star, gzip, and bzip2 +=== + +Definition +--- + ++ Compression - encoding information in fewer bits ++ Archive - a file that is a collection of other files that can be managed easier (sorted, moving, copying, etc...) + + +Archive +--- + +## tar + +'tar' stands for "TApe ARchive". + +### Usages + +Create a tar archive + + tax -cvf [archive].tar [file(s)|folder] + +Extract a tar archive + + tar -xvf [archive].tar + +Show all files of an archive: + + tar -tvf [archive].tar + +#### Tar with compression + +**With gunzip** + +Create a compressed tar archive + + tar -czvf [archive].tar.gz [file(s)|folder] + +Extract a compressed tar archive + + tar -xzvf [archive].tar.gz + +**With bzip2** + +Create compressed tar archive + + tar -cjvf [archive].tar.bz2 [file(s)|folder] + +Extract a compressed tar archive + + tar -xjvf [archive].tar.bz2 + +### star - unique standard tape archiver + +star is another implementation of tar. It looks like it supported SELinux context before tar (however tar now also supports extended file attributes as well as SELinux, so I'm not sure if this is really needed for the exam). + +#### Usage Examples + +Create an archive + + # star -c –f=compressed.star [file list] + +Extract archive + + # star –x –f=compressed.star + +Create an archive retaining SELinux context + + # star -xattr -H=exustar -c -f=test.star file{1,2,3} + +*Snippet from RHEL 6 documentation page* + +![](1f-archive-compress-unpack-and-uncompress-files-using-tar-star-gzip-and-bzip2/image1.png) + +Compression +--- + +The main difference between the different compress commands is the algorithm that they use. 
+ +**Compression commands:** ++ gzip (1) - compress or expand files ++ bzip2 (1) - a block-sorting file compressor, v1.0.6 ++ zip (1) - package and compress (archive) files ++ unzip (1) - list, test and extract compressed files in a ZIP archive + +### gunzip + +Create a compressed file + + gzip file + +_Result: `file.gz`_ + +Decompress a file: + + gzip -d file + +### bzip2 + +Create a compressed file + + bzip2 file + +_Result: `file.bz2`_ + +Decompress a file + + bzip2 -d file.bz2 + +### zip/unzip + +Combining individual files in a compressed archive: + + zip archive.zip file1 file2 + +Combining complete folders in a compressed archive: + + zip -r archive.zip folder1 folder2 folder3 + +Decompress and extract an archive: + + unzip archive.zip + +Show all files of an archive: + + unzip -l archive.zip + +Notes: ++ Use `-d` on both `gzip` and `bzip2` to extract. For `unzip`, the command itself specifies that it's extracting (`-d` is used for destination folder) ++ For gzip you can specify the compression level with a number (eg: `-5`) ++ Extension name is not required. It's only used for human reference + +### Viewing compressed files + +You can use the following commands to view compressed files: ++ `zcat` ++ `gunzip -c` ++ `bzip2 -c` ++ `zless` ++ `vim` + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) diff --git a/markdown/1-Understand-and-use-essential-tools/1f-archive-compress-unpack-and-uncompress-files-using-tar-star-gzip-and-bzip2/image1.png b/markdown/1-Understand-and-use-essential-tools/1f-archive-compress-unpack-and-uncompress-files-using-tar-star-gzip-and-bzip2/image1.png new file mode 100644 index 0000000..1b995d0 Binary files /dev/null and b/markdown/1-Understand-and-use-essential-tools/1f-archive-compress-unpack-and-uncompress-files-using-tar-star-gzip-and-bzip2/image1.png differ 
diff --git a/markdown/1-Understand-and-use-essential-tools/1g-Create-and-edit-text-files.md b/markdown/1-Understand-and-use-essential-tools/1g-Create-and-edit-text-files.md new file mode 100644 index 0000000..1f6a005 --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1g-Create-and-edit-text-files.md @@ -0,0 +1,38 @@ +1.g Create and edit text files +=== + +## Editing files + +You should be familiar with at least one of the editors below: +- vi (1p) - screen-oriented (visual) display editor +- vim (1) - Vi IMproved, a programmer's text editor +- nano (1) - Nano's ANOther editor, an enhanced free Pico clone +- emacs - GNU Emacs text editor + +**📝 NOTE:** _Be aware that `vim` changes files by copying the file over (so the inode also changes)._ + +![](1g-create-and-edit-text-files/image1.png) + + +## Viewing files + +**Review the following commands:** +- cat (1) - concatenate files and print on the standard output +- less (1) - opposite of more +- more (1p) - display files on a page-by-page basis +- head (1) - output the first part of files +- tail (1) - output the last part of files + +## Text Manipulation + +**Review the following commands:** +- sort (1) - sort lines of text files +- wc (1p) - word, line, and byte or character count +- grep (1) - print lines matching a pattern +- sed (1) - stream editor for filtering and transforming text +- uniq (1) - report or omit repeated lines +- diff (1) - compare files line by line +- paste (1) - merge lines of files + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) diff --git a/markdown/1-Understand-and-use-essential-tools/1g-create-and-edit-text-files/image1.png b/markdown/1-Understand-and-use-essential-tools/1g-create-and-edit-text-files/image1.png new file mode 100644 index 0000000..869d8a8 Binary files /dev/null and b/markdown/1-Understand-and-use-essential-tools/1g-create-and-edit-text-files/image1.png differ 
diff --git a/markdown/1-Understand-and-use-essential-tools/1h-Create-delete-copy-and-move-files-and-directories.md b/markdown/1-Understand-and-use-essential-tools/1h-Create-delete-copy-and-move-files-and-directories.md new file mode 100644 index 0000000..056509c --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1h-Create-delete-copy-and-move-files-and-directories.md @@ -0,0 +1,14 @@ +1.h Create, delete, copy, and move files and directories +=== + +**You should review the following commands:** +- ls (1) - list directory contents +- touch (1) - change file timestamps +- cp (1) - copy files and directories +- mv (1) - move (rename) files + - does not change inode +- rm (1) - remove files or directories + - removes the link between the file and inode + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) diff --git a/markdown/1-Understand-and-use-essential-tools/1i-Create-hard-and-soft-links.md b/markdown/1-Understand-and-use-essential-tools/1i-Create-hard-and-soft-links.md new file mode 100644 index 0000000..c45419e --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1i-Create-hard-and-soft-links.md 
@@ -0,0 +1,55 @@ +1.i Create hard and soft links +=== + +**Commands:** +- ln (1) - make links between files +- unlink (1) - call the unlink function to remove the specified file + +## Definition + +### Hardlink + +You can think a hard link as an additional name for an existing file. Hard links are associating two or more file names with the same inode . You can create one or more hard links for a single file. Hard links cannot be created for directories and files on a different filesystem or partition. + +### Softlink/Symlinks + +A soft link is something like a shortcut in Windows. It is an indirect pointer to a file or directory. Unlike a hard link, a symbolic link can point to a file or a directory on a different filesystem or partition. + +### Hardlink vs softlink ++ Hardlink + + Points to the same inode (2 files with same inode) + + Cannot be directories + + Cannot cross filesystems + + Deleting the original (or hard link) file will not remove the inode (only if both are removed) ++ Softlink + + Is just a pointer + + Deleting a symlink will not delete the file + + Deleting the original file will not delete the link (but link will be broken) + + Permission is shown as `lrwxrwxrwx` and reflects the actual file permission + +_Deleting a link (hard or soft) does not delete the file_ + +## Working with Links + +### Hardlink + +Create a hard link to a given file (or directory) + + ln [source_file] [symbolic_link] + +### Softlink + +Create a symbolic link to a given file (or directory) + + ln -s [source_file] [symbolic_link] + +To delete/remove symbolic links use either the unlink or rm command. + + unlink symlink_to_remove + +Using the `rm` command achieves the same + + rm symlink_to_remove + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) 
diff --git a/markdown/1-Understand-and-use-essential-tools/1j-List-set-and-change-standard-ugo_rwx-permissions.md b/markdown/1-Understand-and-use-essential-tools/1j-List-set-and-change-standard-ugo_rwx-permissions.md new file mode 100644 index 0000000..e5a08d4 --- /dev/null +++ b/markdown/1-Understand-and-use-essential-tools/1j-List-set-and-change-standard-ugo_rwx-permissions.md 
@@ -0,0 +1,153 @@ +1.j List, set, and change standard ugo/rwx permissions +=== + +## Permission in Linux + +Linux divides the file permissions into 3 groups with read, write and execute denoted by r,w, and x respectively. + +Each file and directory has three user based permission groups: + +- **user** – The Owner permissions apply only the owner of the file or directory, they will not impact the actions of other users. +- **group** – The Group permissions apply only to the group that has been assigned to the file or directory, they will not effect the actions of other users. +- **others** – The All Users permissions apply to all other users on the system, this is the permission group that you want to watch the most. + +And each user group has 3 permissions: + +- **Read** - This permission give you the authority to open and read a file. Read permission on a directory gives you the ability to lists its content. +- **Write** - The write permission gives you the authority to modify the contents of a file. The write permission on a directory gives you the authority to add, remove and rename files stored in the directory as well as the directory itself. +- **Execute** - In Windows, an executable program usually has an extension ".exe" and which you can easily run. In Unix/Linux, you cannot run a program unless the execute permission is set. If the execute permission is not set, you might still be able to see/modify the program code (provided read & write permissions are set), but not run it. Fon a directory the execute permission allows you to `cd` into the directory. + + r = read permission + w = write permission + x = execute permission + - = no permission + +On the example below we observe the following permission: + + # ls -l my_file.txt + -rwxr-xr-x. 
1 root root 0 Dec 9 15:34 my_file.txt + +- **User root** - Can read, write and execute +- **Group root** - Can read and execute +- **Others** - Can read and execute + +Commands +--- + +### chmod + +Takes octal (0000) and symbolic version (ugo,-+=,rws) + +### chown + +Changing ownership: + + chown root.cloud_user [file] + +Which is the same as: + + chown root:cloud_user [file] + +umask +--- + +**📝 NOTES:** ++ Default permission is '666' for files and '777' for directories ++ umask value is subtracted from the default permission (666) ++ umask is not persistent. To make it persistent, add it to `/etc/profile` (login shells), `/etc/bashrc` (non-login shells) or `~/.bash_profile` ++ First digit of umask (if specifying with 4 digits) is for special permission (sticky bit, etc.) + +Example of umask configuration in `/etc/profile` so values are different for system accounts vs real users: + + # By default, we want umask to get set. This sets it for login shell + # Current threshold for system reserved uid/gids is 200 + # You could check uidgid reservation validity in + # /usr/share/doc/setup-*/uidgid file + if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then + umask 002 + else + umask 022 + fi + +Special Permissions +--- + +**📝 NOTE:** *It looks like special permission (except SGID) may not be part of the v8 exam* + +### SUID - Set-user Identification + +When a command or script with SUID bit set is run, its effective UID becomes that of the owner of the file, rather than of the user who is running it. + + rws----- + +Note that SUID does not work on scripts that start with shebang ('#!'). + + # chmod u+s [file] + -rwsr--r--. 1 root root 0 Mar 16 21:48 test + + # chmod 4744 [file] + -rwsr--r--. 
1 root root 0 Mar 16 21:48 test + +**📝 NOTE:** *A capital 'S' (`-rwSr--r--`) indicates that the execute bit is not set* + +### SGID - Set-group identification + +SGID permission is similar to the SUID permission, only difference is – when the script or command with SGID on is run, it runs as if it were a member of the same group in which the file is a member. + + rwxr-sr-- + +#### Setting SGID + + # chmod g+s [file] + -rwxr-sr--. 1 root root 0 Mar 16 21:48 test + + # chmod 2754 [file] + -rwxr-sr--. 1 root root 0 Mar 16 21:48 test + +**📝 NOTE:** *A capital 'S' (`-rwxr-Sr--`) indicates that the execute bit is not set* + + +### Sticky bit + +Anyone can write, but only owner can delete the files (like '/tmp'). + + drwxrwxrwt + +Sticky bit is usually set on directories. Setting the sticky bit on a folder does nothing (on Linux). + +#### Setting sticky bit + + # chmod o+t [file] + drwxrwrwt. 1 root root 0 Mar 16 21:48 testdir + + # chmod 1777 [file] + drwxrwxrwt. 1 root root 0 Mar 16 21:48 testdir + +**📝 NOTES:** ++ A capital 'T' indicates that the execute bit is not set ++ You should give write permission to make sure that the target users can write to the folder + +Cheat Table +--- + +| Mode | Octal | Symbolic | +| ---------- | ----- | -------- | +| SUID | 4755 | u+s | +| SGID | 2775 | g+s | +| Sticky Bit | 1777 | o+t | + + +Additional Special Permissions +--- + +A '.' can represent special permissions (SELinux related). + + -rw-rw-rw-. + +A '+' indicates ACLs are applied. + + -rw-rw-rw-+ + + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) diff --git a/markdown/1-Understand-and-use-essential-tools/1k-Locate-read-and-use-system-documentation-including-man-info-and-files-in-_usr_share_doc.md b/markdown/1-Understand-and-use-essential-tools/1k-Locate-read-and-use-system-documentation-including-man-info-and-files-in-_usr_share_doc.md new file mode 100644 index 0000000..f500237 --- /dev/null 
+++ b/markdown/1-Understand-and-use-essential-tools/1k-Locate-read-and-use-system-documentation-including-man-info-and-files-in-_usr_share_doc.md 
@@ -0,0 +1,215 @@ +1.k Locate, read, and use system documentation including man, info, and files in /usr/share/doc +=== + +## Using System Documentation + +Make sure you are familiar with the following content: + ++ help flags (-h, --help, -?) ++ man + + man -k - Search the short manual page descriptions for keywords (same as apropos) + + man -K - Search for text in all manual pages + + `/usr/share/man` - Location of man page files + + mandb - create or update the manual page index caches ++ whatis - display one-line manual page descriptions ++ apropos - Search the short manual page descriptions for keywords (same as man -k) ++ info - Read documentation in Info format + + info [command] + + `/usr/share/info` - Location of info files ++ whereis - locate the binary, source, and manual page files for a command ++ Additional documentation for packages and binaries + + `/usr/share/doc` + +## Finding Files + +**Commands:** ++ locate - Read documentation in Info format ++ find - Search for files in a directory hierarchy + +### Find + +Searches for files in a directory hierarchy. + +Common options for `find`: ++ `-f` - files ++ `-d` - directories ++ `-l` - links ++ `-user` - File is owned by user (numeric user ID allowed) ++ `!` Is the same as `-not` + + +### Using 'locate' + +'locate' is faster than 'find' because it has its own database (prepared by updatedb). + + # which locate + /usr/bin/locate + + +**📝 NOTE:** *it looks like `locate` is installed with the systemd timer and 'updatedb'. 
For the test if the binary `locate` is not installed, look for `mlocate` with dnf* + +Update the DB manually + + # updatedb + +If you need to enable automatic update of the locate database on RHEL 8, you can do so by enabling the systemd timer + + # systemctl status mlocate-updatedb.timer + ● mlocate-updatedb.timer - Updates mlocate database every day + Loaded: loaded (/usr/lib/systemd/system/mlocate-updatedb.timer; disabled; vendor preset: disabled) + Active: inactive (dead) + Trigger: n/a + + + # systemctl enable --now mlocate-updatedb.timer + systemctl enable --now mlocate-updatedb.timer + Created symlink /etc/systemd/system/timers.target.wants/mlocate-updatedb.timer → /usr/lib/systemd/system/mlocate-updatedb.timer. + + # systemctl status mlocate-updatedb.timer + ● mlocate-updatedb.timer - Updates mlocate database every day + Loaded: loaded (/usr/lib/systemd/system/mlocate-updatedb.timer; enabled; vendor preset: disabled) + Active: active (waiting) since Mon 2020-12-07 15:33:02 EST; 6s ago + Trigger: Tue 2020-12-08 00:00:00 EST; 8h left + + Dec 07 15:33:02 rhel8.localdomain systemd[1]: Started Updates mlocate database every day. + +> The mlocate version published in RHEL8 does not create the /etc/cron.daily/mlocate to automatically run the updatedb daily. A systemd.timer named mlocate-updatedb.timer has replaced the cron. However, in RHEL 8 the mlocate-updatedb.timer is disabled by default. + + +Getting Package Related Information +--- + +### What package provides + +Use `dnf whatprovides` to find out what package (in the repo) provides a file or package. + +#### Long listing + + # dnf whatprovides /etc/ssh/sshd_config + Updating Subscription Management repositories. + Last metadata expiration check: 2:37:05 ago on Thu 12 Nov 2020 01:52:19 PM EST. 
+ openssh-server-7.8p1-4.el8.x86_64 : An open source SSH server daemon + Repo : rhel-8-for-x86_64-baseos-rpms + Matched from: + Filename : /etc/ssh/sshd_config + + openssh-server-8.0p1-3.el8.x86_64 : An open source SSH server daemon + Repo : rhel-8-for-x86_64-baseos-rpms + Matched from: + Filename : /etc/ssh/sshd_config + + openssh-server-8.0p1-4.el8_1.x86_64 : An open source SSH server daemon + Repo : rhel-8-for-x86_64-baseos-rpms + Matched from: + Filename : /etc/ssh/sshd_config + + openssh-server-8.0p1-5.el8.x86_64 : An open source SSH server daemon + Repo : @System + Matched from: + Filename : /etc/ssh/sshd_config + + openssh-server-8.0p1-5.el8.x86_64 : An open source SSH server daemon + Repo : rhel-8-for-x86_64-baseos-rpms + Matched from: + Filename : /etc/ssh/sshd_config + +#### Short listing + + # dnf repoquery whatprovides /etc/ssh/sshd_config + Updating Subscription Management repositories. + Last metadata expiration check: 2:37:52 ago on Thu 12 Nov 2020 01:52:19 PM EST. + openssh-server-0:7.8p1-4.el8.x86_64 + openssh-server-0:8.0p1-3.el8.x86_64 + openssh-server-0:8.0p1-4.el8_1.x86_64 + openssh-server-0:8.0p1-5.el8.x86_64 + +**📝 NOTE:** *You can use either the full path of the file/binary or a wildcard (like `*/sshd_config`)* + +### Files package provides + + # rpm –ql package name + +### Find manual page for package (-d) + + # rpm -qd openssh-server-8.0p1-5.el8.x86_64 + /usr/share/man/man5/moduli.5.gz + /usr/share/man/man5/sshd_config.5.gz + /usr/share/man/man8/sftp-server.8.gz + /usr/share/man/man8/sshd.8.gz + +--- + +**📌 EXAM TIP:** _If you can't remember where the docs or info files are, use `rpm` or `locate` with `grep`._ + +**Using `rpm`** + +Find the full package name + + # rpm -qa | grep rsync + rsync-3.1.3-9.el8.x86_64 + +Use `rpm -ql [package name]` + + # rpm -ql rsync-3.1.3-9.el8.x86_64 | egrep '(doc|man)' + /usr/share/doc/rsync + /usr/share/doc/rsync/NEWS + /usr/share/doc/rsync/OLDNEWS + /usr/share/doc/rsync/README + 
/usr/share/doc/rsync/support + /usr/share/doc/rsync/support/Makefile + /usr/share/doc/rsync/support/atomic-rsync + /usr/share/doc/rsync/support/cvs2includes + /usr/share/doc/rsync/support/deny-rsync + /usr/share/doc/rsync/support/file-attr-restore + /usr/share/doc/rsync/support/files-to-excludes + /usr/share/doc/rsync/support/git-set-file-times + /usr/share/doc/rsync/support/instant-rsyncd + /usr/share/doc/rsync/support/logfilter + /usr/share/doc/rsync/support/lsh + /usr/share/doc/rsync/support/lsh.sh + /usr/share/doc/rsync/support/mapfrom + /usr/share/doc/rsync/support/mapto + /usr/share/doc/rsync/support/mnt-excl + /usr/share/doc/rsync/support/munge-symlinks + /usr/share/doc/rsync/support/rrsync + /usr/share/doc/rsync/support/rsync-no-vanished + /usr/share/doc/rsync/support/rsync-slash-strip + /usr/share/doc/rsync/support/rsyncstats + /usr/share/doc/rsync/support/savetransfer.c + /usr/share/doc/rsync/tech_report.tex + /usr/share/man/man1/rsync.1.gz + + +**Using `locate`** + + # locate rsync | egrep '(doc|man)' + /usr/share/doc/rsync + /usr/share/doc/rsync/NEWS + /usr/share/doc/rsync/OLDNEWS + /usr/share/doc/rsync/README + /usr/share/doc/rsync/support + /usr/share/doc/rsync/tech_report.tex + /usr/share/doc/rsync/support/Makefile + /usr/share/doc/rsync/support/atomic-rsync + /usr/share/doc/rsync/support/cvs2includes + /usr/share/doc/rsync/support/deny-rsync + /usr/share/doc/rsync/support/file-attr-restore + /usr/share/doc/rsync/support/files-to-excludes + /usr/share/doc/rsync/support/git-set-file-times + /usr/share/doc/rsync/support/instant-rsyncd + /usr/share/doc/rsync/support/logfilter + /usr/share/doc/rsync/support/lsh + /usr/share/doc/rsync/support/lsh.sh + /usr/share/doc/rsync/support/mapfrom + /usr/share/doc/rsync/support/mapto + /usr/share/doc/rsync/support/mnt-excl + /usr/share/doc/rsync/support/munge-symlinks + /usr/share/doc/rsync/support/rrsync + /usr/share/doc/rsync/support/rsync-no-vanished + /usr/share/doc/rsync/support/rsync-slash-strip + 
/usr/share/doc/rsync/support/rsyncstats + /usr/share/doc/rsync/support/savetransfer.c + /usr/share/man/man1/rsync.1.gz + +--- +[⬅️ Back](1-Understand-and-use-essential-tools.md) diff --git a/markdown/10-manage-containers/10-manage-containers.md b/markdown/10-manage-containers/10-manage-containers.md new file mode 100644 index 0000000..b48cc20 --- /dev/null +++ b/markdown/10-manage-containers/10-manage-containers.md @@ -0,0 +1,14 @@ +# 10. Manage containers + ++ [10.a Find and retrieve container images from a remote registry](10a-find-and-retrieve-container-images-from-a-remote-registry.md) ++ [10.b Inspect container images](10b-inspect-container-images.md) ++ [10.c Perform container management using commands such as podman and skopeo](10c-perform-container-management-using-commands-such-as-podman-and-skopeo.md) ++ [10.d Perform basic container management such as running, starting, stopping, and listing running containers](10d-perform-basic-container-management-such-as-running-starting-stopping-and-listing-running-containers.md) ++ [10.e Run a service inside a container](10e-run-a-service-inside-a-container.md) ++ [10.f Configure a container to start automatically as a systemd service](10f-configure-a-container-to-start-automatically-as-a-systemd-service.md) ++ [10.g Attach persistent storage to a container](10g-attach-persistent-storage-to-a-container.md) + + + +--- +[⬅️ Back](../Objectives.md) diff --git a/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry.md b/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry.md new file mode 100644 index 0000000..9797ff4 --- /dev/null +++ b/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry.md 
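Review bot: the option list under "Common options for `find`" is wrong: `-f`, `-d` and `-l` are not how GNU find selects files, directories and links; those are `-type f`, `-type d` and `-type l` (in GNU find `-d` is a deprecated synonym for `-depth`, and `-f` is not an option at all), so the list should be rewritten before anyone memorises it for the exam. In the same hunk, `locate` is described as "Read documentation in Info format", which is the `info` description pasted a second time; `locate` finds files by name from the database built by `updatedb`, as the later "Using 'locate'" section says. Two copy-paste hazards: `# rpm –ql package name` uses an en-dash instead of `-ql` and fails when pasted (suggest `# rpm -ql [package name]`, matching the wording used further down), and the `systemctl enable --now mlocate-updatedb.timer` example repeats the command line inside its own output block.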
@@ -0,0 +1,202 @@ +# 10.a Find and retrieve container images from a remote registry + +## What is a Container + +A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. + +There are several competing Container Image formats (Docker, Appc, LXD), but the industry is moving forward with a standard governed under the Open Container Initiative – sometimes referred to simply as Open Containers or the OCI. + +### Image vs Container + +Images can exist without containers, whereas a container needs to run an image to exist. Therefore, containers are dependent on images and use them to construct a run-time environment and run an application. + +### Docker + +> Docker is a containerization stage where we can bundle our application with its libraries and conditions inside that container. Docker Container is a to some degree like a virtual machine. + +A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings. + +![](10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-3f088.png) + +Container images become containers at runtime and in the case of Docker containers - images become containers when they run on Docker Engine. Available for both Linux and Windows-based applications, containerized software will always run the same, regardless of the infrastructure. Containers isolate software from its environment and ensure that it works uniformly despite differences for instance between development and staging. + +#### Docker Engine + +Docker Engine is the industry’s de facto container runtime that runs on various Linux (CentOS, Debian, Fedora, Oracle Linux, RHEL, SUSE, and Ubuntu) and Windows Server operating systems. 
+ +### Podman + +Podman is a daemon-less container engine for developing, managing, and running OCI Containers on your Linux System. Containers can either be run as root or in rootless mode. + +Podman is a daemonless, open source, Linux native tool designed to make it easy to find, run, build, share and deploy applications using Open Containers Initiative (OCI) Containers and Container Images. Podman provides a command line interface (CLI) familiar to anyone who has used the Docker Container Engine. Most users can simply alias Docker to Podman (alias docker=podman) without any problems. + +Similar to other common Container Engines (Docker, CRI-O, containerd), Podman relies on an OCI compliant Container Runtime (runc, crun, runv, etc) to interface with the operating system and create the running containers. This makes the running containers created by Podman nearly indistinguishable from those created by any other common container engine. + +### Docker vs Podman + +- **Podman** + - Does not use a daemon to develop, manage and run OCI containers, it must run on top of a Linux OS + - Containers can either be run as root or in rootless mode + - Commands are the same as docker-cli + - Can use the docker registry +- **Docker** + - Utilizes a daemon, which is a persistent background process that handles all container management duties on the host + - Can be run on Windows (however images are not interchangeable with Linux images + +![](10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-9f986.png) + +### Rootless Containers + +You can run containers as 'root' or as the unprivileged users (rootless container). Running as an unprivileged user is more secure but it has some restrictions (like not having access to privileged ports). + +### Container Registries + +A container registry is a repository for storing container images. A container image consists of many files, which encapsulate an application. 
After a host/developer puts an image into a registry, other hosts/users can download it . This allows the same application to be shipped from a host to another. + +Registries can be public or private (like for a corporate environment). And registries can have different rules in regards to how the image should be build. + +Red Hat provides two container registries to distribute certified container images (you can access with your Red Hat log in credentials): ++ registry.redhat.io for containers based on official Red Hat products. ++ registry.connect.redhat.com for containers based on third-party products. + +You can search the Red Hat images with the `podman` command, or even via a browser: + +https://catalog.redhat.com/software/containers/ + +![](10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-d8ca7.png) + +## Getting Started + +Make sure that the 'podman' package is installed. + +Display a help for podman + + # podman help + +Optionally you can install the 'container-tools' module which will install several container related tools + + # dnf module install container-tools + +**📌 EXAM TIP:** _If you are familiar with docker cli, because the commands are the same, you can create an alias for docker and use the bash complete for podman (as below)._ + + alias docker='podman' + complete -F _cli_bash_autocomplete podman + +### Configuration + +The default system configuration files can exist in either `/etc/containers/containers.conf` or `/usr/share/containers/containers.conf`. + +User configuration is saved at `$HOME/.config/containers` directory. And configuration in this file override the system-wide settings. + +Note container engines also use other configuration files for configuring the environment: +- `storage.conf` for configuration of container and images storage. +- `registries.conf` for definition of container registires to search while pulling container images. 
+- `policy.conf` for controlling which images can be pulled to the system. + +#### Registry + +Registry configuration for podman is saved at `/etc/containers/registries.conf`. + + # cat /etc/containers/registries.conf + # This is a system-wide configuration file used to + # keep track of registries for various container backends. + # It adheres to TOML format and does not support recursive + # lists of registries. + # The default location for this configuration file is /etc/containers/registries.conf. + # The only valid categories are: 'registries.search', 'registries.insecure', + # and 'registries.block'. + [registries.search] + registries = ['registry.redhat.io', 'quay.io', 'docker.io'] + # If you need to access insecure registries, add the registry's fully-qualified name. + # An insecure registry is one that does not have a valid SSL certificate or only does HTTP. + [registries.insecure] + registries = [] + # If you need to block pull access from a registry, uncomment the section below + # and add the registries fully-qualified name. 
+ # + [registries.block] + registries = [] + +You can also use the `podman system` commands to get information on a system +- podman-system-info (1) - Displays Podman related system information +- podman-system-df (1) - Show podman disk usage + +## Find and Retrieve Containers + +**Commands:** +- podman-search (1) - Search a registry for an image +- podman-pull (1) - Pull an image from a registry + +### Finding Images + +Use 'search' to search for images + + # podman search + INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED + | | | | | |-> "[OK]" if image is automated + | | | | |-> "[OK]" if image is official + | | | |-> Star count of image + | | |-> Image description + | |-> Image name + |-> Registry + +You can also filter the result (shows httpd images that have start of 5 and above) + + # podman search -f stars=5 httpd + INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED + docker.io docker.io/library/httpd The Apache HTTP Server Project 3269 [OK] + docker.io docker.io/centos/httpd-24-centos7 Platform for running Apache httpd 2.4 or bui... 36 + docker.io docker.io/centos/httpd 33 [OK] + docker.io docker.io/arm32v7/httpd The Apache HTTP Server Project 9 + docker.io docker.io/arm64v8/httpd The Apache HTTP Server Project 6 + +### Installing Images + +Find the image name + + # podman search squid -f stars=5 + INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED + docker.io docker.io/lucacri/squid-ext-conf Squid server on alpine, gathering configurat... 10 + docker.io docker.io/squidex/squidex Squidex Headless CMS 8 + docker.io docker.io/minimum2scp/squid squid3 cache service container running on de... 55 [OK] + docker.io docker.io/b4tman/squid Squid container based on Alpine Linux 11 [OK] + docker.io docker.io/sameersbn/squid 205 [OK] + docker.io docker.io/jacobalberty/squid A simple SSL bump capable squid image built ... 7 [OK] + docker.io docker.io/datadog/squid Squid proxy configurable container. 
36 + docker.io docker.io/squidfunk/mkdocs-material A Material Design theme for MkDocs 75 [OK] + docker.io docker.io/malaohu/squid-with-net-speeder auto build squid proxy 15 [OK] + docker.io docker.io/jpetazzo/squid-in-a-can 31 [OK] + +Install it with 'podman pull' + + # podman pull docker.io/sameersbn/squid + Trying to pull docker.io/sameersbn/squid... + Getting image source signatures + Copying blob a31c3b1caad4 done + Copying blob 5b7339215d1d done + Copying blob 14ca88e9f672 done + Copying blob cdc767309668 done + Copying blob cdc767309668 skipped: already exists + Copying blob b054a26005b7 done + Copying blob fbd167be87d1 done + Copying config a68a19f689 done + Writing manifest to image destination + Storing signatures + a68a19f689c33fb5cdeeafbd217d4a3966892d9e2c45286e0413e0de8901ed5c + +You can also download and run the image at the same time + + [root@localhost ~]# docker run -it registry.access.redhat.com/ubi8/ubi + Trying to pull registry.access.redhat.com/ubi8/ubi... + Getting image source signatures + Copying blob 1b8dabac56ed done + Copying blob 6500ac87b29f done + Copying config 33df2983b0 done + Writing manifest to image destination + Storing signatures + [root@1fd9fa1e142b /]# + +💡 The `run` option will download the latest version of the specified image if it does not exist in the system + +--- +[⬅️ Back](10-manage-containers.md) diff --git a/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-3f088.png b/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-3f088.png new file mode 100644 index 0000000..0a7b4a2 Binary files /dev/null and b/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-3f088.png differ 
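Review bot: under "Configuration", `policy.conf` is not the file podman and skopeo use to control which images may be pulled; the trust/signature policy lives in `policy.json` (containers-policy.json(5), normally `/etc/containers/policy.json`), so that bullet should be corrected. The "download and run the image at the same time" example runs `docker run -it registry.access.redhat.com/ubi8/ubi` on a page about podman; it only works because of the `alias docker='podman'` set in the exam tip above, so show `podman run -it` here. Since `registries.search` lists `docker.io`, one sentence on why the pull example uses the fully qualified `docker.io/sameersbn/squid` rather than a short name (it makes the pull unambiguous whatever the search order is) would be a useful caveat. Smaller fixes: the Docker bullet "Can be run on Windows (however images are not interchangeable with Linux images" is missing its closing parenthesis; "registires" should be "registries"; "how the image should be build" should be "built"; and "httpd images that have start of 5 and above" should be "stars".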
diff --git a/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-9f986.png b/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-9f986.png new file mode 100644 index 0000000..8bfdc75 Binary files /dev/null and b/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-9f986.png differ diff --git a/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-d8ca7.png b/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-d8ca7.png new file mode 100644 index 0000000..acc482c Binary files /dev/null and b/markdown/10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry/10a-find-and-retrieve-container-images-from-a-remote-registry-d8ca7.png differ diff --git a/markdown/10-manage-containers/10b-inspect-container-images.md b/markdown/10-manage-containers/10b-inspect-container-images.md new file mode 100644 index 0000000..d31b2ce --- /dev/null +++ b/markdown/10-manage-containers/10b-inspect-container-images.md 
@@ -0,0 +1,64 @@ +# 10.b Inspect container images + +## Inspecting Containers + +Inspecting containers is an important part of working with containers as it allows to understand a little more about how a container was built, it's capabilities and much more. + +For example, for the 'rhel8/mariadb-103' we can see the: + +- Architecture + - "x86_64" +- Usage - shows common usage, as well as ports and what variables can be passed to the container + - "podman run -d -e MYSQL_USER=user -e MYSQL_PASSWORD=pass -e MYSQL_DATABASE=db -p 3306:3306 rhel8/mariadb-103" +- Url - page in the Red Hat Container Catalog that documents environment variables, security information, packages that the image includes, the Dockerfile to build the image and other info + - "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel8/mariadb-103/images/1-116" + +![](10b-inspect-container-images/10b-inspect-container-images-ff33e.png) + +## Inspecting local images + +[RHEL > 8 > Building, running, and managing containers > Chapter 2. Working with container images > 2.10. Inspecting local images](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/building_running_and_managing_containers/working-with-container-images_building-running-and-managing-containers#inspecting-local-images_building-running-and-managing-containers) + +After you pull an image to your local system and before you run it, it is a good idea to investigate that image. + +### Inspect + +The podman inspect command displays basic information about what an image does. + +![](10b-inspect-container-images/10b-inspect-container-images-18965.png) + +### Mounting the Image/Container + +Using the podman command, mount an active container to further investigate its contents. 
+ + # podman mount wonderful_jackson + /var/lib/containers/storage/overlay/bf3ba72175111741a16fa2db7b27e2f7fbd86965cf7931568bd5b6e22e002b05/merged + +### Checking the Image/Container Packages + +Use the rpm command to examine the packages installed on the container’s mount point + + # podman mount wonderful_jackson + /var/lib/containers/storage/overlay/bf3ba72175111741a16fa2db7b27e2f7fbd86965cf7931568bd5b6e22e002b05/merged + + # rpm -qa \ + --root=/var/lib/containers/storage/overlay/bf3ba72175111741a16fa2db7b27e2f7fbd86965cf7931568bd5b6e22e002b05/merged + +## Inspecting Remote Images + +[RHEL > 8 > Building, running, and managing containers > Chapter 2. Working with container images > 2.11. Inspecting remote images](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/building_running_and_managing_containers/working-with-container-images_building-running-and-managing-containers#inspecting-remote-images_building-running-and-managing-containers) + +**⚠️ WARNING:** _You will need to install 'skopeo'_ + +**📌 EXAM TIP:** _If you can't remember what to install, remember that you need a container inspector, so 'dnf search container | grep -i inspect' will give you the package name (it's easy if you are familiar with Linux)._ + +To inspect a container image before you pull it to your system, you can use the 'skopeo inspect' command. With 'skopeo inspect', you can display information about an image that resides in a remote container registry. + +The command format is very similar to 'podman inspect', however you will need to provide the registry name: + + # skopeo inspect docker://docker.io/sameersbn/squid + +![](10b-inspect-container-images/10b-inspect-container-images-c29b2.png) + +--- +[⬅️ Back](10-manage-containers.md) 
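Review bot: "Mounting the Image/Container" and "Checking the Image/Container Packages" show the identical `podman mount wonderful_jackson` command and output twice in a row, and both only mount a container, so either drop the duplicate or reduce the second subsection to the `rpm -qa --root=...` step and rename the headings to say "container". The sentence "mount an active container to further investigate its contents" also sits oddly under a section that opens with "before you run it, it is a good idea to investigate that image"; say which state the container has to be in for the mount to work. The "Inspect" and "Inspecting Remote Images" parts rely on screenshots alone, so there is no searchable text showing what `podman inspect` or `skopeo inspect docker://docker.io/sameersbn/squid` actually print; a trimmed text capture, like the one used for `podman search` elsewhere, would be more useful for study. Also "it's capabilities" should be "its capabilities".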
diff --git a/markdown/10-manage-containers/10b-inspect-container-images/10b-inspect-container-images-18965.png b/markdown/10-manage-containers/10b-inspect-container-images/10b-inspect-container-images-18965.png new file mode 100644 index 0000000..4f93f08 Binary files /dev/null and b/markdown/10-manage-containers/10b-inspect-container-images/10b-inspect-container-images-18965.png differ diff --git a/markdown/10-manage-containers/10b-inspect-container-images/10b-inspect-container-images-c29b2.png b/markdown/10-manage-containers/10b-inspect-container-images/10b-inspect-container-images-c29b2.png new file mode 100644 index 0000000..98680f2 Binary files /dev/null and b/markdown/10-manage-containers/10b-inspect-container-images/10b-inspect-container-images-c29b2.png differ diff --git a/markdown/10-manage-containers/10b-inspect-container-images/10b-inspect-container-images-ff33e.png b/markdown/10-manage-containers/10b-inspect-container-images/10b-inspect-container-images-ff33e.png new file mode 100644 index 0000000..bdcfddc Binary files /dev/null and b/markdown/10-manage-containers/10b-inspect-container-images/10b-inspect-container-images-ff33e.png differ diff --git a/markdown/10-manage-containers/10c-perform-container-management-using-commands-such-as-podman-and-skopeo.md b/markdown/10-manage-containers/10c-perform-container-management-using-commands-such-as-podman-and-skopeo.md new file mode 100644 index 0000000..c5dc7cd --- /dev/null +++ b/markdown/10-manage-containers/10c-perform-container-management-using-commands-such-as-podman-and-skopeo.md 
@@ -0,0 +1,103 @@ +# 10.c Perform container management using commands such as podman and skopeo + +### Login to a Container Registry + +You can use `podman login [registry]` and `skopeo login [registry]` to login to registries. + +**📌 EXAM TIP:** _If you need to execute `podman {login,inspect,search}` and `skope [login,inspect]` as another user, make sure to use SSH (and not `sudo` or `su`) otherwise it will not work._ + +### List ports mappings for containers + +You can list ports for a running container + + # podman port [container] + +Or for all running containers + + # podman port -a + +Example: + + $ podman port -a + 3da879abc394 8080/tcp -> 0.0.0.0:8000 + +**📌 EXAM TIP:** _Anytime you open a port, remember to also open the port with `firewall-cmd`_ + +### Passing Variables to a Container + +As we have seen before, some images can consume variables when you create a container + + # skopeo inspect docker://registry.redhat.io/rhel8/mariadb-103 | egrep '(url|usage)' + "io.openshift.s2i.scripts-url": "image:///usr/libexec/s2i", + "io.s2i.scripts-url": "image:///usr/libexec/s2i", + "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel8/mariadb-103/images/1-116", + "usage": "podman run -d -e MYSQL_USER=user -e MYSQL_PASSWORD=pass -e MYSQL_DATABASE=db -p 3306:3306 rhel8/mariadb-103 + +We can then create a container by feeding the variable values to `podman run` + + # podman run -d -e MYSQL_USER=admin_user -e MYSQL_PASSWORD=my_secure_passwd -e MYSQL_DATABASE=db1 -p 3306:3306 rhel8/mariadb-103 + Ac7554c6f7f8efd8a9dd93a7f9c05ec84e615c9a4902569afe08ce4fc5ed3905 + +Here we confirm that the container is running and that the port is up + + # podman ps + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + ac7554c6f7f8 registry.redhat.io/rhel8/mariadb-103:latest run-mysqld 32 seconds ago Up 29 seconds ago 0.0.0.0:3306->3306/tcp distracted_chaum + + # podman port -a + ac7554c6f7f8 3306/tcp -> 0.0.0.0:3306 + +And successfully connect to the DB (out 
of scope) + + # mysql -u admin_user -p -h 127.0.0.1 + Enter password: + Welcome to the MySQL monitor. Commands end with ; or \g. + Your MySQL connection id is 8 + Server version: 5.5.5-10.3.17-MariaDB MariaDB Server + + Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + + Oracle is a registered trademark of Oracle Corporation and/or its + affiliates. Other names may be trademarks of their respective + owners. + + Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + + mysql> show databases; + +--------------------+ + | Database | + +--------------------+ + | db1 | + | information_schema | + | test | + +--------------------+ + 3 rows in set (0.00 sec) + +### Detach from Containers + +If the container was run with -i and -t, you can detach from a container and leave it running using the CTRL-p CTRL-q key sequence. + +### Rename Container + + # podman rename [container] [new name] + +### Running Commands in Container + +You can use `podman exec` to run commands inside a running container. + +Run `ps –ef | grep sql` inside the 'mysql' container + + # podman exec mysql ps -ef | grep sql + | + mysql 1 0 0 01:22 ? 00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf + mysql 131 0 0 01:43 ? 00:00:00 ps -ef + +Open an interactive shell (with Bash) inside the container + + [root@localhost ~]# podman exec -ti mysql /bin/bash + bash-4.4$ exit + exit + [root@localhost ~]# + +--- +[⬅️ Back](10-manage-containers.md) diff --git a/markdown/10-manage-containers/10d-perform-basic-container-management-such-as-running-starting-stopping-and-listing-running-containers.md b/markdown/10-manage-containers/10d-perform-basic-container-management-such-as-running-starting-stopping-and-listing-running-containers.md new file mode 100644 index 0000000..e445a9f --- /dev/null +++ b/markdown/10-manage-containers/10d-perform-basic-container-management-such-as-running-starting-stopping-and-listing-running-containers.md 
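Review bot: the `podman run -d -e MYSQL_USER=admin_user -e MYSQL_PASSWORD=my_secure_passwd ...` example needs a caveat that a password passed with `-e` on the command line lands in the shell history and is readable in `podman inspect` output for that container; fine for an exam lab, not how a real credential should be supplied. The ID printed under that command, "Ac7554c6f7f8efd8...", starts with a capital "A" while `podman ps` shows `ac7554c6f7f8`; container IDs are lowercase hex, so the capture was edited and should be fixed. The exam tip "make sure to use SSH (and not `sudo` or `su`) otherwise it will not work" gives no reason; one sentence that rootless podman needs the target user's own login session and runtime directory would make it stick, and `skope [login,inspect]` should read `skopeo {login,inspect}` to match the podman form next to it. Under "Running Commands in Container", `ps –ef` uses an en-dash instead of `-ef`, the stray `|` line inside the output block should go, and it is worth noting that `| grep sql` runs on the host, not inside the container.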
@@ -0,0 +1,68 @@ +# 10.d Perform basic container management such as running, starting, stopping, and listing running containers + +## Listing Images + +You can use 'podman images' + + # podman images + REPOSITORY TAG IMAGE ID CREATED SIZE + docker.io/sameersbn/squid latest a68a19f689c3 17 months ago 168 MB + +Or 'podman image ls' + + # podman image ls + REPOSITORY TAG IMAGE ID CREATED SIZE + docker.io/sameersbn/squid latest a68a19f689c3 17 months ago 168 MB + +## Starting/Creating a Container + +Create a container from image without starting it + + # podman create docker.io/sameersbn/squid + d1e9a571aeda3e6dccbd2b12932ff7ba4a2530e0a7664d92e64d2a70a63decdb + +Create a container from image and start attached + + # podman run [image] + +**📝 NOTE:** _When using 'podman run', If the image doesn't exist it will try to pull it from the registry._ + +Create a container from image and start detached + + # podman run –d [image] + +Start a container + + # podman start [container ID] + +## Listing Running Containers + +List only running containers + + # podman ps + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + 41cc3053faa0 docker.io/sameersbn/squid:latest 9 minutes ago Up 6 minutes ago awesome_meninsky + ff12876812fe docker.io/sameersbn/squid:latest 10 seconds ago Up 9 seconds ago nervous_kepler + +List all containers (even stopped containers) + + # podman ps -a + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + 41cc3053faa0 docker.io/sameersbn/squid:latest 10 minutes ago Up 7 minutes ago awesome_meninsky + ff12876812fe docker.io/sameersbn/squid:latest About a minute ago Exited (137) 24 seconds ago nervous_kepler + +List containers that have stopped + + # podman ps -f "status=exited" + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + ff12876812fe docker.io/sameersbn/squid:latest 2 minutes ago Exited (137) About a minute ago nervous_kepler + +## Stopping a Container + + # podman stop ff12876812fe + 
ff12876812fe12919f227b2fcab596f2948097d6f8b1ae94f014976e06a86c36 + +**📝 NOTE:** _The stop commands attempts to stop the container, and if the container does not stop after 10s it will kill the container process._ + +--- +[⬅️ Back](10-manage-containers.md) diff --git a/markdown/10-manage-containers/10e-run-a-service-inside-a-container.md b/markdown/10-manage-containers/10e-run-a-service-inside-a-container.md new file mode 100644 index 0000000..673d658 --- /dev/null +++ b/markdown/10-manage-containers/10e-run-a-service-inside-a-container.md 
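Review bot: the NOTE under "Stopping a Container" should say what `podman stop` actually does: it sends SIGTERM and, if the container is still running when the timeout expires (10s by default, adjustable with `-t`), sends SIGKILL. That also explains the `Exited (137)` status visible in the `podman ps -a` and `podman ps -f "status=exited"` output above (128 + 9 for SIGKILL), which a reader will otherwise wonder about. Also `# podman run –d [image]` uses an en-dash instead of `-d` and will not work when copied, and "The stop commands attempts" should read "The stop command attempts".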
@@ -0,0 +1,68 @@ +# 10.e Run a service inside a container + +## Pre-Setup + +Before we start, we need to enable systemd to be able to write to cgroups when running containers (by default blocked by SELinux). 'cgroups' (or Control Groups) are used for resource management. + +This can be done with 'setsebool': + + # setsebool container_manage_cgroup 1 + +**💡 TIP:** _If forget what boolean you need to change, just run 'getsebool -a | grep container'. The result will be small and should help you._ + +## Creating a Custom Image and Creating a Container + +### Dockerfile + +A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image. Using docker build users can create an automated build that executes several command-line instructions in succession. + +Create a file named 'Dockerfile' in an empty folder with the following content (without the line numbers) + + 1 FROM registry.access.redhat.com/ubi8/ubi-init + 2 RUN dnf install -y httpd ; dnf clean all + 3 RUN systemctl enable httpd.service + 4 RUN echo "This is a test server" > /var/www/html/index.html + 5 RUN mkdir /etc/systemd/system/http.service.d/; echo -e '[Service]\nRestart=always' > /etc/systemd/system/http.service.d/override.conf + 6 EXPOSE 80 + 7 CMD ["/sbin/init"] + +**Break down of the Dockerfile ** +Line 1 (FROM): We specify what image will be used +Line 2 (RUN): We install httpd and remove all temporary files used to install httpd +Line 3 (RUN): We enable the httpd.service +Line 4 (RUN): We create an index file to help us test +Line 5 (RUN): We create an override file (drop-in unit) for systemd (see more about it here) +Line 6 (EXPOSE): We expose the default httpd port +Line 7 (CMD): We provide the default command for executing the container + +**💡 TIP1:** _If you can't remember all the Dockerfile instructions, try to remember the task. 
Then you can use 'podman history' with other images to try and figure out the instructions._ + +**💡 TIP2:** _Remember you want an image with systemd. So search for images with 'init' +Building the image._ + +Run 'podman build' from the same directory + + # podman build -t httpd_systemd . + +Image created + + # podman images + REPOSITORY TAG IMAGE ID CREATED SIZE + localhost/httpd_systemd latest 6c1db7fe4e73 39 minutes ago 247 MB + +### Create the container + +Create the container with attached output. You can disconnect from the container with 'Ctl+p+q' + + # podman run -ti --name httpd_systemd -p 8080:80 localhost/httpd_systemd + +Confirm that it's working + + # podman ps + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + 443cbcf1ec10 localhost/httpd_systemd:latest /sbin/init 6 minutes ago Up 2 minutes ago 0.0.0.0:8080->80/tcp httpd_systemd + +Optionally, add it to systemd (not required) + +--- +[⬅️ Back](10-manage-containers.md) diff --git a/markdown/10-manage-containers/10f-configure-a-container-to-start-automatically-as-a-systemd-service.md b/markdown/10-manage-containers/10f-configure-a-container-to-start-automatically-as-a-systemd-service.md new file mode 100644 index 0000000..6b6d3d3 --- /dev/null +++ b/markdown/10-manage-containers/10f-configure-a-container-to-start-automatically-as-a-systemd-service.md 
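Review bot: line 5 of the Dockerfile creates the drop-in directory as `/etc/systemd/system/http.service.d/`, but the unit enabled on line 3 is `httpd.service`, so the `Restart=always` override is written to the wrong directory and never applies; it should be `/etc/systemd/system/httpd.service.d/`. The "Pre-Setup" step runs `setsebool container_manage_cgroup 1` without `-P`, so the boolean reverts at the next reboot; for a section whose point is a service that keeps running, show `setsebool -P container_manage_cgroup 1` or state that the change is temporary. Smaller points: "If forget what boolean" should be "If you forget which boolean"; the breakdown of line 5 says "(see more about it here)" with no link; and "Building the image." has been swallowed into TIP2's italics when it is the lead-in for the `podman build -t httpd_systemd .` step that follows.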
@@ -0,0 +1,127 @@ +# 10.f Configure a container to start automatically as a systemd service + ++ [RHEL > 8 > Building, running, and managing containers > Chapter 8. Porting containers to systemd using Podman](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/building_running_and_managing_containers/porting-containers-to-systemd-using-podman_building-running-and-managing-containers) ++ [Running containers with Podman and shareable systemd services](https://www.redhat.com/sysadmin/podman-shareable-systemd-services) ++ [How to run systemd in a container](https://developers.redhat.com/blog/2019/04/24/how-to-run-systemd-in-a-container/) + +**Commands:** +- podman-generate-systemd (1) - Generate systemd unit file(s) for a container or pod +- loginctl (1) - Control the systemd login manager +- systemctl (1) - Control the systemd system and service manager + +## Creating and Enabling a System Service + +We can use `podman generate systemd` to create a systemd unit file. 
+ +Change into the Systemd unit files folder + + # cd /etc/systemd/system + +**📝 NOTE:** _The systemd unit files folder can be `/etc/systemd/system` or `/usr/lib/systemd/system`._ + +Create the systemd unit file + + # podman generate systemd -f -n -t 2 naughty_albattani + /etc/systemd/system/container-naughty_albattani.service + +The new systemd unit file looks like this + + # container-naughty_albattani.service + # autogenerated by Podman 2.0.5 + # Fri Dec 4 12:04:22 EST 2020 + + [Unit] + Description=Podman container-naughty_albattani.service + Documentation=man:podman-generate-systemd(1) + Wants=network.target + After=network-online.target + + [Service] + Environment=PODMAN_SYSTEMD_UNIT=%n + Restart=on-failure + ExecStart=/usr/bin/podman start naughty_albattani + ExecStop=/usr/bin/podman stop -t 2 naughty_albattani + ExecStopPost=/usr/bin/podman stop -t 2 naughty_albattani + PIDFile=/var/run/containers/storage/overlay-containers/435cb8153beaae5d92668bd83965d9169f8718fe0849bf398661f340d998e5cc/userdata/conmon.pid + KillMode=none + Type=forking + + [Install] + WantedBy=multi-user.target default.target + +Start and enable the service + + # systemctl enable –-now container-naughty_albattani.service + +Make sure that it's running + + # systemctl status container-naughty_albattani.service + ● container-naughty_albattani.service - Podman container-naughty_albattani.service + Loaded: loaded (/etc/systemd/system/container-httpd_systemd.service; enabled; vendor preset: disabled) + Active: active (running) since Sat 2020-12-05 18:12:39 EST; 34min ago + Docs: man:podman-generate-systemd(1) + Process: 55913 ExecStart=/usr/bin/podman start naughty_albattani (code=exited, status=0/SUCCESS) + Main PID: 56006 (conmon) + Tasks: 2 (limit: 12285) + Memory: 2.0M + CGroup: /system.slice/container-naughty_albattani.service + └─56006 /usr/bin/conmon --api-version 1 -c 443cbcf1ec10662140c904417ea36520418f6f8c02817c0f05746b07a3dea84b -u 
443cbcf1ec10662140c904417ea36520418f6f8c02817c0f05746b07a3dea84b -r /usr/bin/runc -b /va> + Dec 05 18:12:38 rhel8-lab systemd[1]: Starting Podman container-naughty_albattani.service... + Dec 05 18:12:39 rhel8-lab podman[55913]: naughty_albattani + Dec 05 18:12:39 rhel8-lab systemd[1]: Started Podman container-naughty_albattani.service. + +And double check with 'podman ps' + + # podman ps -a + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + 435cb8153bea docker.io/library/httpd:latest httpd-foreground 46 hours ago Up 24 hours ago 0.0.0.0:8080->80/tcp naughty_albattani + +## Creating and Enabling a User Service + +It's always a good approach to run rootless containers. This will provide another layer of security by downgrading the possible access that the container could have. + +**📝 IMPORTANT NOTES:** +- Users run the Systemd commands with `systemctl –user` +- User unit files are stored at `~/.config/systemd/user/` +- User Systemd services by default only run when a user logs in (they do not start with the server) +- When creating a new account, make sure to create a non-system account, otherwise you will not be able to start the services +- You cannot run `systemctl` as user after changing into the user with `sudo` or `su`. 
You will need to `ssh` or fully login as the user + +### Enabling User Service to Start with Server + +First let's enable the Systemd service to start with the server + + # loginctl enable-linger [user] + +### Creating the Service + +Login as the user + + # ssh [user]@localhost + +Now let's create the folder + + $ mkdir -p ~/.config/systemd/user + + $ cd !$ + +Create the unit file + + $ podman generate systemd –f –n [container] + +Enable the service + + $ systemctl –-user enable –now container-[container].service + +Check that the service is up + + $ systemctl –-user status container-[container].service + +Make sure that the container it's running + + $ podman ps + +**⚠️ WARNING:** _After creating the service file, you should not use `podman` to control the container._ + +--- +[⬅️ Back](10-manage-containers.md) diff --git a/markdown/10-manage-containers/10g-attach-persistent-storage-to-a-container.md b/markdown/10-manage-containers/10g-attach-persistent-storage-to-a-container.md new file mode 100644 index 0000000..54e05c6 --- /dev/null +++ b/markdown/10-manage-containers/10g-attach-persistent-storage-to-a-container.md 
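Review bot: several commands in this hunk use a Unicode en dash instead of ASCII hyphens and will fail when copied: `systemctl enable –-now container-naughty_albattani.service`, `systemctl –user`, `podman generate systemd –f –n [container]` and `systemctl –-user enable –now container-[container].service` should read `--now`, `--user`, `-f -n` and `--user enable --now`. The status output under "Make sure that it's running" was pasted from a different run (`Loaded: loaded (/etc/systemd/system/container-httpd_systemd.service; ...` while the unit is `container-naughty_albattani.service`, and the conmon container ID `443cbcf1...` does not match the `435cb8153bea...` shown in the PIDFile and in `podman ps -a`), so it should be recaptured from a single session. The NOTE that the unit directory "can be `/etc/systemd/system` or `/usr/lib/systemd/system`" should say that administrator-created units belong in `/etc/systemd/system`; `/usr/lib/systemd/system` is owned by packages and overwritten on updates. The rootless section makes the right security argument and would be stronger if it spelled out the reason: the generated user unit runs the container with the user's own UID and capabilities, so a compromised service cannot gain more than that account has.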
@@ -0,0 +1,48 @@ +# 10.g Attach persistent storage to a container + +## Privileged VS Labeling + +Many instructions advise you to use the `--privileged` option to allow mounts to work with podman. This however may not be the best approach because it gives full access to the host (based on the access of the user that started it). + +The reason that mounts do not work is due to SELinux (see below): + +> Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, Podman does not change the labels set by the OS. +> +> To change a label in the container context, you can add either of two suffixes :z or :Z to the volume mount. These suffixes tell Podman to relabel file objects on the shared volumes. The z option tells Podman that two containers share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Podman to label the content with a private unshared label. Only the current container can use a private volume. + +**The '--privileged' option** + +> --privileged=true|false + +> Give extended privileges to this container. The default is false. + +> By default, Podman containers are unprivileged (=false) and cannot, for example, modify parts of the operating system. This is because by default a container is only allowed limited access to devices. A "privileged" container is given the same access to devices as the user launching the container. +> +> A privileged container turns off the security features that isolate the container from the host. Dropped Capabilities, limited devices, read-only mount points, Apparmor/SELinux separation, and Seccomp filters are all disabled. +> +> Rootless containers cannot have more privileges than the account that launched them. 
+ +For more reading on this, see Privileged Docker containers—do you really need them? + +## Creating the Container with the Volume and Mount + +Create the folder that we will use + + # mkdir container_mount + +Create the container (with the '-v' option, the first field the host folder, the second field is the mount point on the container and the third the SELinux label 'Z') + + # podman run -ti -v /root/container_mount:/mnt/container_mnt:Z --name devil docker.io/library/httpd /bin/bash + +Once in the container, you can check that the mount point is working + + root@bcf532e9194c:/usr/local/apache2# ls -ld /mnt/container_mnt + drwxr-xr-x. 2 root root 6 Dec 6 01:42 /mnt/container_mnt + +And that the SELinux label has been added + + # ls -ldZ /root/container_mount + drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c427,c973 35 Dec 11 21:27 /root/container_mount + +--- +[⬅️ Back](10-manage-containers.md) diff --git a/markdown/2-Create-simple-shell-scripts/2-Create-simple-shell-scripts.md b/markdown/2-Create-simple-shell-scripts/2-Create-simple-shell-scripts.md new file mode 100644 index 0000000..b84a9ac --- /dev/null +++ b/markdown/2-Create-simple-shell-scripts/2-Create-simple-shell-scripts.md @@ -0,0 +1,10 @@ +### 2. Create simple shell scripts + ++ 2.a Conditionally execute code (use of: if, test, [], etc.) ++ 2.b Use Looping constructs (for, etc.) to process file, command line input ++ 2.c Process script inputs ($1, $2, etc.) ++ 2.d Processing output of shell commands within a script ++ 2.e Processing shell command exit codes + +--- +[⬅️ Back](../Objectives.md) diff --git a/markdown/2-Create-simple-shell-scripts/2a-Conditionally-execute-code-(use-of_-if-test-[]-etc.).md b/markdown/2-Create-simple-shell-scripts/2a-Conditionally-execute-code-(use-of_-if-test-[]-etc.).md new file mode 100644 index 0000000..19f4d28 --- /dev/null +++ b/markdown/2-Create-simple-shell-scripts/2a-Conditionally-execute-code-(use-of_-if-test-[]-etc.).md 
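Review bot: the `:z`/`:Z` explanation is missing the caveat that goes with it: both suffixes recursively relabel the host path, so they must only be used on directories created for the container (as the example does with `/root/container_mount`), never on system or shared directories such as `/home`, `/var` or `/`, where relabeling can break other confined services on the host. The sentence "For more reading on this, see Privileged Docker containers..." names an article but carries no link; add the URL or drop the sentence. The two `ls -ld` outputs were captured five days apart (Dec 6 inside the container, Dec 11 on the host, with different sizes), so they do not show the same directory state; recapture them together, and note that the `c427,c973` MCS categories in `system_u:object_r:container_file_t:s0:c427,c973` are what make the `Z` label private to this one container, which is the point the section is making against `--privileged`.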
@@ -0,0 +1,5 @@ +2.a Conditionally execute code (use of: if, test, [], etc.) +=== + +--- +[⬅️ Back](2-Create-simple-shell-scripts.md) diff --git a/markdown/2-Create-simple-shell-scripts/2b-Use-Looping-constructs-(for-etc.)-to-process-file-command-line-input.md b/markdown/2-Create-simple-shell-scripts/2b-Use-Looping-constructs-(for-etc.)-to-process-file-command-line-input.md new file mode 100644 index 0000000..52be6cb --- /dev/null +++ b/markdown/2-Create-simple-shell-scripts/2b-Use-Looping-constructs-(for-etc.)-to-process-file-command-line-input.md @@ -0,0 +1,5 @@ +2.b Use Looping constructs (for, etc.) to process file, command line input +=== + +--- +[⬅️ Back](2-Create-simple-shell-scripts.md) diff --git a/markdown/2-Create-simple-shell-scripts/2c-Process-script-inputs-($1-$2-etc.).md b/markdown/2-Create-simple-shell-scripts/2c-Process-script-inputs-($1-$2-etc.).md new file mode 100644 index 0000000..4c7b634 --- /dev/null +++ b/markdown/2-Create-simple-shell-scripts/2c-Process-script-inputs-($1-$2-etc.).md @@ -0,0 +1,5 @@ +2.c Process script inputs ($1, $2, etc.) +=== + +--- +[⬅️ Back](2-Create-simple-shell-scripts.md) diff --git a/markdown/2-Create-simple-shell-scripts/2d-Processing-output-of-shell-commands-within-a-script.md b/markdown/2-Create-simple-shell-scripts/2d-Processing-output-of-shell-commands-within-a-script.md new file mode 100644 index 0000000..d250f56 --- /dev/null +++ b/markdown/2-Create-simple-shell-scripts/2d-Processing-output-of-shell-commands-within-a-script.md @@ -0,0 +1,5 @@ +2.d Processing output of shell commands within a script +=== + +--- +[⬅️ Back](2-Create-simple-shell-scripts.md) diff --git a/markdown/2-Create-simple-shell-scripts/2e-Processing-shell-command-exit-codes.md b/markdown/2-Create-simple-shell-scripts/2e-Processing-shell-command-exit-codes.md new file mode 100644 index 0000000..58ccce7 --- /dev/null +++ b/markdown/2-Create-simple-shell-scripts/2e-Processing-shell-command-exit-codes.md 
@@ -0,0 +1,5 @@ +2.e Processing shell command exit codes +=== + +--- +[⬅️ Back](2-Create-simple-shell-scripts.md) diff --git a/markdown/3-Operate-running-systems/3-Operate-running-systems.md b/markdown/3-Operate-running-systems/3-Operate-running-systems.md new file mode 100644 index 0000000..95978e3 --- /dev/null +++ b/markdown/3-Operate-running-systems/3-Operate-running-systems.md @@ -0,0 +1,15 @@ +### 3. Operate running systems + ++ [3.a Boot, reboot, and shut down a system normally](3a-Boot-reboot-and-shut-down-a-system-normally.md) ++ [3.b Boot systems into different targets manually](3b-Boot-systems-into-different-targets-manually.md) ++ [3.c Interrupt the boot process in order to gain access to a system](3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system.md) ++ [3.d Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes](3d-Identify-CPU_memory-intensive-processes-adjust-process-priority-with-renice-and-kill-processes.md) ++ [3.e Adjust process scheduling](3e-adjust-process-scheduling.md) ++ [3.f Manage tuning profiles](3f-manage-tuning-profiles.md) ++ [3.g Locate and interpret system log files and journals](3g-locate-and-interpret-system-log-files-and-journals.md) ++ [3.h Preserve system journals](3h-preserve-system-journals.md) ++ [3.i Start, stop, and check the status of network services](3i-start-stop-and-check-the-status-of-network-services.md) ++ [3.j Securely transfer files between systems](3j-securely-transfer-files-between-systems.md) + +--- +[⬅️ Back](../Objectives.md) diff --git a/markdown/3-Operate-running-systems/3a-Boot-reboot-and-shut-down-a-system-normally.md b/markdown/3-Operate-running-systems/3a-Boot-reboot-and-shut-down-a-system-normally.md new file mode 100644 index 0000000..c3bd80d --- /dev/null +++ b/markdown/3-Operate-running-systems/3a-Boot-reboot-and-shut-down-a-system-normally.md 
@@ -0,0 +1,38 @@ +# 3.a Boot, reboot, and shut down a system normally + +[RHEL 8 > Configuring basic system settings > Chapter 3. Managing services with systemd > 3.4. Shutting down, suspending, and hibernating the system](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/managing-services-with-systemd_configuring-basic-system-settings#shutting-down-suspending-hibernating-system_managing-services-with-systemd) + +In Red Hat Enterprise Linux 7, the systemctl utility replaced a number of power management commands used in previous versions of Red Hat Enterprise Linux. The commands listed in Table 3.8, “Comparison of power management commands with systemctl” are still available in the system for compatibility reasons, but it is advised that you use systemctl when possible. + +![](3a-boot-reboot-and-shut-down-a-system-normally/image.png) + +**Reboot** ++ `reboot` ++ `systemctl reboot` ++ `shutdown –r {now|+m}` ++ `telinit 6` + +**Halt** ++ `halt` ++ `systemctl halt` ++ `shutdown –H now` + +**Shutdown** ++ `poweroff` ++ `systemctl poweroff` ++ `shutdown -P now` ++ `telinit 0` + +**Suspend** ++ `systemctl suspend` + +**Hybernate** ++ `systemctl hybernate` + +**Hibernates and suspends the system** ++ `systemctl hybrid-sleep` + +**📝 NOTE:** *Only one command should be needed for the exam* + +--- +[⬅️ Back](3-Operate-running-systems.md) diff --git a/markdown/3-Operate-running-systems/3a-boot-reboot-and-shut-down-a-system-normally/image.png b/markdown/3-Operate-running-systems/3a-boot-reboot-and-shut-down-a-system-normally/image.png new file mode 100644 index 0000000..953ede4 Binary files /dev/null and b/markdown/3-Operate-running-systems/3a-boot-reboot-and-shut-down-a-system-normally/image.png differ 
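Review bot: `systemctl hybernate` under the "Hybernate" heading is misspelled and will fail; the command is `systemctl hibernate`. `shutdown –r {now|+m}` and `shutdown –H now` use an en dash rather than `-r` and `-H`, so they will not paste correctly either. Minor: "The commands listed in Table 3.8, ... are still available" refers to a table in the Red Hat document, but here the table exists only as `image.png`; a one-line caption under the image naming the table would keep the reference meaningful if the image does not render.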
diff --git a/markdown/3-Operate-running-systems/3b-Boot-systems-into-different-targets-manually.md b/markdown/3-Operate-running-systems/3b-Boot-systems-into-different-targets-manually.md new file mode 100644 index 0000000..9431b25 --- /dev/null +++ b/markdown/3-Operate-running-systems/3b-Boot-systems-into-different-targets-manually.md 
@@ -0,0 +1,72 @@ +# 3.b Boot systems into different targets manually + +## Runlevels and Systemd Targets RHEL 8 + +**📝 NOTE:** *The comparison of SysV runlevels is mainly for reference.* + +### Older SysV runlevels + +"Runlevels" are an obsolete way to start and stop groups of services used in SysV init. Systemd provides a compatibility layer that maps runlevels to targets, and associated binaries like runlevel. + +`rc0.d/ rc1.d/ rc2.d/ rc3.d/ rc4.d/ rc5.d/ rc6.d/ rc.d/` + +![](3b-boot-systems-into-different-targets-manually/image.png) + +Commands related to SysV runlevel ++ `telinit` - Change SysV runlevel ++ `runlevel` - Print previous and current SysV runlevel + +## Systemd Targets + +[RHEL 8 > Configuring basic system settings > Chapter 3. Managing services with systemd > 3.3. Working with systemd targets](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/managing-services-with-systemd_configuring-basic-system-settings#working-with-systemd-targets_managing-services-with-systemd) + +List systemd targets + + # systemctl list-units --type=target + UNIT LOAD ACTIVE SUB DESCRIPTION + basic.target loaded active active Basic System + cryptsetup.target loaded active active Local Encrypted Volumes + getty.target loaded active active Login Prompts + graphical.target loaded active active Graphical Interface + local-fs-pre.target loaded active active Local File Systems (Pre) + local-fs.target loaded active active Local File Systems + multi-user.target loaded active active Multi-User System + network-online.target loaded active active Network is Online + network-pre.target loaded active active Network (Pre) + network.target loaded active active Network + nfs-client.target loaded active active NFS client services + nss-user-lookup.target loaded active active User and Group Name Lookups + paths.target loaded active active Paths + remote-fs-pre.target loaded active active Remote File Systems (Pre) + remote-fs.target 
loaded active active Remote File Systems + rpc_pipefs.target loaded active active rpc_pipefs.target + rpcbind.target loaded active active RPC Port Mapper + slices.target loaded active active Slices + sockets.target loaded active active Sockets + sound.target loaded active active Sound Card + sshd-keygen.target loaded active active sshd-keygen.target + swap.target loaded active active Swap + sysinit.target loaded active active System Initialization + timers.target loaded active active Timers + +Get current systemd target + + # systemctl get-default + graphical.target + +Set systemd target for next boot + + # systemctl set-default [target] + +Change systemd target without reboot + + # systemctl isolate [target] + +Change into rescue/emergency mode + + # systemctl isolate [rescue|emergency] + +**📝 NOTE:** *You can also use `systemd.unit=rescue.target` (or emergency) in the boot parameters* + +--- +[⬅️ Back](3-Operate-running-systems.md) diff --git a/markdown/3-Operate-running-systems/3b-boot-systems-into-different-targets-manually/image.png b/markdown/3-Operate-running-systems/3b-boot-systems-into-different-targets-manually/image.png new file mode 100644 index 0000000..1dbaa65 Binary files /dev/null and b/markdown/3-Operate-running-systems/3b-boot-systems-into-different-targets-manually/image.png differ diff --git a/markdown/3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system.md b/markdown/3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system.md new file mode 100644 index 0000000..7a4ab4a --- /dev/null +++ b/markdown/3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system.md 
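Review bot: `systemctl get-default` is labelled "Get current systemd target", but it prints the target the system boots into by default, not the one currently active; for the active state use `systemctl list-units --type=target` (already shown above) or `systemctl is-active multi-user.target`. Consider adding under "Change into rescue/emergency mode" that both targets prompt for the root password through `sulogin`, so they cannot be entered if root is locked or the password is unknown; that is the case the `rd.break` procedure in 3.c exists for.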
@@ -0,0 +1,141 @@ +likely# 3.c Interrupt the boot process in order to gain access to a system + +## Rescue Modes + +As the name implies, rescue mode is there to rescue you from something. In normal operation, your Red Hat Linux system uses files located on your system's hard drive to do everything -- run programs, store your files, and more. + +However, there may be times when you are unable to get Linux running completely enough to access its files on your system's hard drive. By using rescue mode, it's possible to access the files stored on your system's hard drive. + +Normally, you'll need to get into rescue mode for one of two reasons: + ++ You are unable to boot Linux, and you'd like to fix it. ++ You are having hardware or software problems, and you want to get a few important files off your system's hard drive. ++ To reset the 'root' user password + +#### Types of rescue mode + +There are different types of rescue/emergency modes: ++ **Legacy** - `rescue`, `emergency`, `rd.break` ++ **Systemd** - `emergency.target`, `rescue.target` ++ **Installation program's (Anaconda) rescue mode** - `inst.rescue` + +## Getting into a Rescue Mode + +At the GRUB boot menu hit 'e' + +![](3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system-d1eca.png) + +Look for the line starting with 'linux' and at the end of the line add the kernel parameter for the desired mode + +![](3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system-28a10.png) + +Hit 'Ctrl+x' to continue + + +## Modes + +### emergency + +Emergency mode provides the most minimal environment possible and allows you to repair your system even in situations when the system is unable to enter rescue mode. 
In emergency mode, the system mounts the root file system only for reading, does not attempt to mount any other local file systems, does not activate network interfaces, and only starts a few essential services. + +**Kernel paramenters:** ++ `emergency` ++ `systemd.unit=emergency.target` + +**Description:** ++ Requires root password to enter this mode ++ Mounts the root filesystem only (RO) ++ No network ++ Only essential services are started ++ The system does not load any init scripts ++ Multi-user mode + +### rescue + +Equivalent to the old single user mode, where some services are started and every disk is mounted. + +Rescue mode provides a convenient single-user environment and allows you to repair your system in situations when it is unable to complete a regular booting process. In rescue mode, the system attempts to mount all local file systems and start some important system services, but it does not activate network interfaces or allow more users to be logged into the system at the same time. + +**Kernel paramenters:** ++ `rescue` ++ `systemd.unit=rescue.target` + +**Description:** ++ Requires root password to enter this mode ++ Mounts all local filesystems (RW) ++ No network ++ Starts important services ++ Single-user mode + +### rd.break + +Breaks to an interactive shell while in the 'initrd' allowing interaction before the system disk is mounted. The main '/' is available under '/sysroot'. Useful if you forgot root's password. + +**Kernel paramenters:** ++ `rd.break` + +### Recovering Root Password + +[RHEL 8 > Configuring basic system settings > Chapter 9. Changing and resetting the root password > 9.3. 
Resetting the forgotten root password on boot](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/changing-and-resetting-the-root-password-from-the-command-line_configuring-basic-system-settings#resetting-the-forgotten-root-password-on-boot_changing-and-resetting-the-root-password-from-the-command-line) + +**Commands:** +- mount (8) - mount a filesystem +- chroot (1) - run command or interactive shell with special root directory +- load_policy (8) - load a new SELinux policy into the kernel +- restorecon (8) - restore file(s) default SELinux security contexts. + + +The instructions here uses `rd.break` as kernel parameter on GRUB menu, `load_policy` and `restorecon`. + +a. At boot, hit `e` to edit the boot kernel parameters + +b. Add `rd.break` at the end of the line that starts with linux + +c. Press 'Ctrl + x' to start + +d. Mount sysroot + + switch_root:/# mount -o rw,remount /sysroot + +e. Chroot into sysroot + + #switch_root:/# chroot /sysroot + +f. Change the password for root + + sh-4.4# passwd + +g. Load SELinux + + sh-4.4# load_policy -i + +h. Fix SELinux context for `/etc/shadow` + + sh-4.4# restorecon -v /etc/shadow + +i. Exit chroot + + sh-4.4# exit + +j. Remount as RO + + #switch_root:/# mount -o ro,remount /sysroot + +k. Reboot + +**📌 TIP:** *For more methods on resetting the root password, see [RHCSA v8: Boot Targets, Systemd Targets and root Password Reset ](https://blog.victormendonca.com/2020/11/14/rhcsa8-boot-targets-system-targets-and-root-password-reset/)* + +### Anaconda rescue + +**📝 NOTE:** *Booting from the Anaconda rescue mode is most likelly not needed for the exam.* + +[RHEL 8 > Performing a standard RHEL installation > Appendix A. Troubleshooting > A.3.8. 
Using rescue mode](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_a_standard_rhel_installation/installer-troubleshooting_installing-rhel#using-rescue-mode_troubleshooting-after-installation) + +The installation program’s rescue mode is a minimal Linux environment that can be booted from the Red Hat Enterprise Linux DVD or other boot media. It contains command-line utilities for repairing a wide variety of issues. Rescue mode can be accessed from the Troubleshooting menu of the boot menu. In this mode, you can mount file systems as read-only, blacklist or add a driver provided on a driver disc, install or upgrade system packages, or manage partitions. + +a. Boot the system from either minimal boot media, or a full installation DVD or USB drive, and wait for the boot menu to be displayed. + +b. From the boot menu, either select Troubleshooting > Rescue a Red Hat Enterprise Linux system option, or append the inst.rescue option to the boot command line. To enter the boot command line, press the Tab key on BIOS-based systems or the e key on UEFI-based systems. + +--- +[⬅️ Back](3-Operate-running-systems.md) diff --git a/markdown/3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system-28a10.png b/markdown/3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system-28a10.png new file mode 100644 index 0000000..a68dcc6 Binary files /dev/null and b/markdown/3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system-28a10.png differ 
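Review bot: the emergency-mode description lists "Multi-user mode" as a property, which contradicts the paragraph above it (root mounted read-only, no other file systems, no network, only essential services); emergency.target is a single-user shell, so that bullet should be removed. "Normally, you'll need to get into rescue mode for one of two reasons" is followed by three bullets. The heading line starts with a stray `likely` before `# 3.c`, and the `rd.break` steps carry a leftover `#` in `#switch_root:/# chroot /sysroot` and `#switch_root:/# mount -o ro,remount /sysroot`. `rd.break` is a dracut option, not a SysV mode, so it sits oddly under "Legacy" in the types list. Since the procedure demonstrates that anyone with console access can reset the root password without knowing it, a one-line note that the countermeasures are a GRUB password (`grub2-setpassword`) and full-disk encryption would round out the section. Spelling: "paramenters" (three times), "likelly".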
diff --git a/markdown/3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system-d1eca.png b/markdown/3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system-d1eca.png new file mode 100644 index 0000000..b81ea6d Binary files /dev/null and b/markdown/3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system-d1eca.png differ diff --git a/markdown/3-Operate-running-systems/3d-Identify-CPU_memory-intensive-processes-adjust-process-priority-with-renice-and-kill-processes.md b/markdown/3-Operate-running-systems/3d-Identify-CPU_memory-intensive-processes-adjust-process-priority-with-renice-and-kill-processes.md new file mode 100644 index 0000000..91f1860 --- /dev/null +++ b/markdown/3-Operate-running-systems/3d-Identify-CPU_memory-intensive-processes-adjust-process-priority-with-renice-and-kill-processes.md 
@@ -0,0 +1,144 @@ +# 3.d Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes + +## top + +The top program provides a dynamic real-time view of a running system. It can display system summary information as well as a list of processes or threads currently being managed by the Linux kernel. + + top - 12:32:15 up 11 days, 17:00, 2 users, load average: 0.01, 0.03, 0.00 + Tasks: 131 total, 1 running, 130 sleeping, 0 stopped, 0 zombie + %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st + MiB Mem : 821.2 total, 185.4 free, 216.3 used, 419.5 buff/cache + MiB Swap: 2116.0 total, 2095.9 free, 20.1 used. 465.3 avail Mem + + PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND + 1 root 20 0 179176 13480 9140 S 0.0 1.6 0:11.96 systemd + 2 root 20 0 0 0 0 S 0.0 0.0 0:00.18 kthreadd + 3 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_gp + 4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_par_gp + 6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:0H-kblockd + 8 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 mm_percpu_wq + 9 root 20 0 0 0 0 S 0.0 0.0 0:06.55 ksoftirqd/0 + 10 root 20 0 0 0 0 I 0.0 0.0 0:21.09 rcu_sched + 11 root rt 0 0 0 0 S 0.0 0.0 0:00.03 migration/0 + 12 root rt 0 0 0 0 S 0.0 0.0 0:00.14 watchdog/0 + 13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/0 + 14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/1 + 15 root rt 0 0 0 0 S 0.0 0.0 0:00.68 watchdog/1 + 16 root rt 0 0 0 0 S 0.0 0.0 0:00.02 migration/1 + 17 root 20 0 0 0 0 S 0.0 0.0 0:00.34 ksoftirqd/1 + 19 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/1:0H-kblockd + 21 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs + 22 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 netns + 23 root 20 0 0 0 0 S 0.0 0.0 0:00.03 kauditd + 25 root 20 0 0 0 0 S 0.0 0.0 0:00.21 khungtaskd + +Remember that `top` can display: ++ Load average ++ Number of tasks ++ Information about specific tasks (PID, nice, CPU%, MEM%, System time, etc..) 
+ +**Important Keyboard shortcuts:** ++ `t` - change CPU display ++ `m` - Change memory display ++ `f` - Select sorting field ++ `<` `>` - Walk through sorting field ++ `u` - Filter by user ++ `r` - Renice task ++ `k` - Kill task ++ `R` - Reverse sort ++ `c` - Command/line ++ `1` - CPUs + +## ps + +`ps` displays information about a selection of the active processes. + + # ps + PID TTY TIME CMD + 27278 pts/1 00:00:00 bash + 27385 pts/1 00:00:00 ps + + # ps -ef | grep rsyslogd + root 1162 1 0 Nov28 ? 00:00:41 /usr/sbin/rsyslogd -n + root 27501 27278 0 12:42 pts/1 00:00:00 grep --color=auto rsyslogd + +This version of ps accepts several kinds of options: ++ 1 - UNIX options, which may be grouped and must be preceded by a dash. ++ 2 - BSD options, which may be grouped and must not be used with a dash. ++ 3 - GNU long options, which are preceded by two dashes. + +**Important Options:** ++ a- all user's processes which are attached to a terminal ++ u - display in user format ++ x - lists all the invoking user's processes + +> Note that `ps -aux` is distinct from `ps aux`. The POSIX and UNIX standards require that `ps -aux` print all processes owned by a user named "x", as well as printing all processes that would be selected by the `-a` option. If the user named "x" does not exist, this ps may interpret the command as `ps aux` instead and print a warning. This behavior is intended to aid in transitioning old scripts and habits. It is fragile, subject to change, and thus should not be relied upon. + +## kill (signals) + +The command kill sends the specified signal to the specified processes or process groups. If no signal is specified, the TERM signal is sent. + ++ SIGTERM (15) - Asks the process to exit cleanly (the default signal used with kill) ++ SIGKILL (9) - Stops the process immediately (dirty) ++ SIGHUP (1) - Stops process in a shell environment. 
Can make some services re-read configuration files ++ SIGINT (2) - Same as Ctrl+C ++ SIGCONT (18) - Starts a process that was paused with SIGSTOP or SIGTSTP ++ SIGSTOP (19) - (Ctrl+x) Pauses a process so it can be started later (does not rely on binary) ++ SIGTSTP (20) - Same as Ctrl-z, but relies on binary to know what to do + +**📌 EXAM TIP:** *Use `kill -l` to list all the kill signals.* + + # kill -l + 1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL 5) SIGTRAP + 6) SIGABRT 7) SIGBUS 8) SIGFPE 9) SIGKILL 10) SIGUSR1 + 11) SIGSEGV 12) SIGUSR2 13) SIGPIPE 14) SIGALRM 15) SIGTERM + 16) SIGSTKFLT 17) SIGCHLD 18) SIGCONT 19) SIGSTOP 20) SIGTSTP + 21) SIGTTIN 22) SIGTTOU 23) SIGURG 24) SIGXCPU 25) SIGXFSZ + 26) SIGVTALRM 27) SIGPROF 28) SIGWINCH 29) SIGIO 30) SIGPWR + 31) SIGSYS 34) SIGRTMIN 35) SIGRTMIN+1 36) SIGRTMIN+2 37) SIGRTMIN+3 + 38) SIGRTMIN+4 39) SIGRTMIN+5 40) SIGRTMIN+6 41) SIGRTMIN+7 42) SIGRTMIN+8 + 43) SIGRTMIN+9 44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13 + 48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12 + 53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9 56) SIGRTMAX-8 57) SIGRTMAX-7 + 58) SIGRTMAX-6 59) SIGRTMAX-5 60) SIGRTMAX-4 61) SIGRTMAX-3 62) SIGRTMAX-2 + 63) SIGRTMAX-1 64) SIGRTMAX + +## pgrep/pkill + +`pgrep` looks through the currently running processes and lists the process IDs which match the selection criteria to stdout. + + # pgrep sshd + 857 + 22574 + 22591 + 27262 + 27277 + + +`pkill` will send the specified signal (by default SIGTERM) to each process instead of listing them on stdout + +## pidof - find the process ID of a running program + +`pidof` finds the process id's (pids) of the named programs. It prints those id's on the standard output. + +`pidof` is similar to `pgrep` but without kill and regex capability. 
+ +## Listing Load Average + +You can use `top` + + # top -b -n 1 | grep "load average" + top - 21:36:13 up 1:06, 3 users, load average: 0.68, 0.96, 1.07 + +Or `w` + + # w | grep "load average" + 21:36:13 up 1:06, 3 users, load average: 0.68, 0.96, 1.07 + +Or `uptime` + + uptime | grep "load average" + 21:36:13 up 1:06, 3 users, load average: 0.68, 0.96, 1.07 + +--- +[⬅️ Back](3-Operate-running-systems.md) diff --git a/markdown/3-Operate-running-systems/3e-adjust-process-scheduling.md b/markdown/3-Operate-running-systems/3e-adjust-process-scheduling.md new file mode 100644 index 0000000..b7ce266 --- /dev/null +++ b/markdown/3-Operate-running-systems/3e-adjust-process-scheduling.md 
@@ -0,0 +1,264 @@ +# 3.e Adjust process scheduling + +## Process Priority vs Nice Value + +_From `top`'s man page_ + +> **PR** -- Priority The scheduling priority of the task. If you see 'rt' in this field, it means the task is running under 'real time' scheduling priority. +> +> **NI** -- Nice Value The nice value of the task. A negative nice value means higher priority, whereas a positive nice value means lower priority. Zero in this field simply means priority will not be adjusted in determining a task's dispatch-ability + +Every process requires a certain amount of system resources, such as CPU time and RAM, to be able to perform its tasks. Each process is assigned a process priority to determine how much CPU or processor time is allocated to it for execution. + +In addition to processes, in Linux, there are user processes. Linux allows us to set a level of 'niceness' (a nice value) on a per-user basis. Note that the nice value only controls how much CPU time each process is allocated, but not how much memory can be used or which I/O devices can be used. Bear in mind that the process priority may differ from the nice value. The nice value is how much priority the Linux kernel will grant to each named user, whereas the process priority is the actual priority of a running process. + +There are 140 possible process priorities; 0 to 99 for real time and 100 to 139 for users. + +Nice values ranges from -20 (highest priority) to 19 (lowest priority), with 0 being the default priority. + +In most cases PR value can be computed by the following formula: PR = 20 + NI. Thus the process with niceness 3 has the priority 23 (20 + 3) and the process with niceness -7 has the priority 13 (20 - 7). 
+ +**Remember** ++ There are 140 possible process priorities: + + 0 to 99 for real time + + 100 to 139 for users ++ Nice values: + + Ranges from -20 (highest priority) to 19 (lowest priority) + + 0 is the default priority ++ PR is calculated: + + for normal processes: PR = 20 + NI (NI is nice and ranges from -20 to 19) + + for real time processes: PR = - 1 - real_time_priority (real_time_priority ranges from 1 to 99) + +## Changing the Nice Value + +### nice + +Set the nice value before starting the process. + + # nice -n [#] [command] + +### renice + +`renice` allows you to change the nice value of a running process. + + # renice -n [#] -p [PID] + +You can run 'renice' for multiple parameters. For example, the following command would change the priority of the processes with PIDs 987 and 32, plus all processes owned by the users daemon and root: + + # renice +1 987 -u daemon root -p 32 + +### top + +You can also change the nice value of running processes with `top`. + ++ `u` - Sort by user ++ `r` - Renice process + +## The Linux Process Scheduler + +The scheduler is the component of the kernel that selects which process to run next. The scheduler (or process scheduler, as it is sometimes called) can be viewed as the code that divides the finite resource of processor time between the runnable processes on a system. The scheduler is the basis of a multitasking operating system such as Linux. By deciding what process can run, the scheduler is responsible for best utilizing the system and giving the impression that multiple processes are simultaneously executing. + +### Linux Process Scheduler Types + +#### Real Time Schedulers + +They implement the fixed-priority real-time scheduling specified by the POSIX standard. Tasks with these policies preempt every other task, which can thus easily go into starvation (if they don't release the CPU). + +##### SCHED_FIFO (First In First Out) + +Tasks running in SCHED_FIFO will never be preempted. 
They will leave the CPU only for waiting sync kernel events or if an explicit sleep or reschedule has been requested from user space. + +SCHED_FIFO can be used only with static priorities higher than 0, which means that when a SCHED_FIFO thread becomes runnable, it will always immediately preempt any currently running SCHED_OTHER, SCHED_BATCH, or SCHED_IDLE thread + +##### SCHED_RR (Round Robin) + +SCHED_RR is a simple enhancement of SCHED_FIFO. Everything described above for SCHED_FIFO also applies to SCHED_RR, except that each thread is allowed to run only for a maximum time quantum. + +Tasks running in SCHED_RR are real time (RT), but they will leave the CPU if there is another real-time task in the run queue. + +#### Non Real Time Schedulers + +##### SCHED_DEADLINE (Sporadic task model deadline) + +A sporadic task is one that has a sequence of jobs, where each job is activated at most once per period. Each job also has a relative deadline, before which it should finish execution, and a computation time, which is the CPU time necessary for executing the job. The moment when a task wakes up because a new job has to be executed is called the arrival time (also referred to as the request time or release time). The start time is the time at which a task starts its execution. The absolute deadline is thus obtained by adding the relative deadline to the arrival time. + +##### SCHED_OTHER or SCHED_NORMAL (Default Linux time-sharing scheduling) + +SCHED_OTHER tasks are the normal user tasks (default). + +SCHED_OTHER can be used at only static priority 0 (i.e., threads under real-time policies always have priority over SCHED_OTHER processes). SCHED_OTHER is the standard Linux time-sharing scheduler that is intended for all threads that do not require the special real-time mechanisms. + +##### SCHED_BATCH (Scheduling batch processes) + +SCHED_BATCH can be used only at static priority 0. 
This policy is similar to SCHED_OTHER in that it schedules the thread according to its dynamic priority (based on the nice value). The difference is that this policy will cause the scheduler to always assume that the thread is CPU-intensive. Consequently, the scheduler will apply a small scheduling penalty with respect to wakeup behavior, so that this thread is mildly disfavored in scheduling decisions. + +This policy is useful for workloads that are noninteractive, but do not want to lower their nice value, and for workloads that want a deterministic scheduling policy without interactivity causing extra preemptions (between the workload's tasks). + +##### SCHED_IDLE (Scheduling very low priority jobs) + +SCHED_IDLE can be used only at static priority 0; the process nice value has no influence for this policy. + +This policy is intended for running jobs at extremely low priority (lower even than a +19 nice value with the SCHED_OTHER or SCHED_BATCH policies). + +### Managing Scheduler + +#### Changing the Scheduler for Running Processes + +**Commands:** ++ chrt (1) - manipulate the real-time attributes of a process ++ sched (7) - overview of CPU scheduling + +**Options:** +- `-b` - Used to set policy to SCHED_BATCH +- `-d` - Used to set policy to SCHED_DEADLINE +- `-f` - Used to set policy to SCHED_FIFO +- `-i` - Used to set policy to SCHED_IDLE +- `-o` - Used to set policy to SCHED_OTHER +- `-r` - Used to set policy to SCHED_RR + +Show priorities + + # chrt -m + SCHED_OTHER min/max priority : 0/0 + SCHED_FIFO min/max priority : 1/99 + SCHED_RR min/max priority : 1/99 + SCHED_BATCH min/max priority : 0/0 + SCHED_IDLE min/max priority : 0/0 + SCHED_DEADLINE min/max priority : 0/0 + +View a process scheduler setting + + # chrt -p [PID] + + # chrt -p 1 + pid 1's current scheduling policy: SCHED_OTHER + pid 1's current scheduling priority: 0 + + # chrt -p 39 + pid 39's current scheduling policy: SCHED_FIFO + pid 39's current scheduling priority: 99 + +Change a process 
to use FIFO + + # chrt -f -p [priority] [PID] + +Change a process to use RR + + # chrt -r -p [priority] [PID] + +Change back to other (needs to be set with priority 0. You can change the niceness after) + + # chrt -o -p 0 [PID] + +##### Example + +We will change the scheduler for the 'Brave' browser. + +First we get the main PID for the process tree + + # pidof -s brave + 281380 + +We can check that the current priority is set to 'SCHED_OTHER' + + # chrt -p 281380 + pid 281380's current scheduling policy: SCHED_OTHER + pid 281380's current scheduling priority: 0 + +And we can also use `top` to confirm the priority (1) and niceness (2) level + +![](3e-adjust-process-scheduling/3e-adjust-process-scheduling-5bd71.png) + +Let's change to round robin (SCHED_RR) with a priority 1 + + # chrt -r -p 1 281380 + +Confirm the change + + # chrt -p 281380 + pid 281380's current scheduling policy: SCHED_RR + pid 281380's current scheduling priority: 1 + +Check again with `top` + + top - 11:38:06 up 16:04, 2 users, load average: 2.33, 2.21, 2.08 + Tasks: 420 total, 1 running, 419 sleeping, 0 stopped, 0 zombie + %Cpu(s): 5.3 us, 2.0 sy, 0.0 ni, 92.2 id, 0.0 wa, 0.3 hi, 0.1 si, 0.0 st + MiB Mem : 31720.8 total, 5071.1 free, 10282.7 used, 16367.0 buff/cache + MiB Swap: 32768.0 total, 32768.0 free, 0.0 used. 17676.5 avail Mem + + PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND + 281380 victor -2 0 4578988 82420 65356 S 0.0 0.3 0:00.05 brave + + +Now let's change it to 'FIFO' with a priority of 99 (essentially making it real time, RT) + + # chrt -f -p 99 281380 + +Confirm the change + + # chrt -p 281380 + pid 281380's current scheduling policy: SCHED_FIFO + pid 281380's current scheduling priority: 99 + +We can confirm once again with `top`. 
The priority is now set to 'rt' + + top - 11:42:04 up 16:08, 2 users, load average: 1.96, 1.83, 1.94 + Tasks: 418 total, 3 running, 415 sleeping, 0 stopped, 0 zombie + %Cpu(s): 7.0 us, 3.2 sy, 0.0 ni, 89.1 id, 0.1 wa, 0.4 hi, 0.2 si, 0.0 st + MiB Mem : 31720.8 total, 5008.4 free, 10258.9 used, 16453.6 buff/cache + MiB Swap: 32768.0 total, 32768.0 free, 0.0 used. 17614.3 avail Mem + + PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND + 281380 victor rt 0 4578988 82420 65356 S 0.0 0.3 0:00.05 brave + +Let's change it back to 'SCHED_OTHER' + + # chrt -o -p 0 281380 + +And confirm + + # chrt -p 281380 + pid 281380's current scheduling policy: SCHED_OTHER + pid 281380's current scheduling priority: 0 + + +#### Starting a Process With a Different Scheduler + + # chrt -f [priority level] [command] + +Making a process use the DEADLINE scheduler + + # chrt -d --sched-runtime [value] --sched-deadline [value] --sched-period [value] 0 [command] + +The usual practice is to set Runtime to something bigger than the average computation time (or worst-case execution time for hard real-time tasks), Deadline to the relative deadline, and Period to the period of the task. + ++ `-T`, `--sched-runtime` - Specifies runtime parameter ++ `-D`, `--sched-deadline` - Specifies deadline parameter ++ `-P`, `--sched-period` - Specifies period parameter + + + arrival/wakeup absolute deadline + | start time | + | | | + v v v + -----x--------xooooooooooooooooo--------x--------x--- + |<-- Runtime ------->| + |<----------- Deadline ----------->| + |<-------------- Period ------------------->| + + +#### Setting scheduler priorities at boot (systemd) + +[8 > Tuning Guide> Chapter 3. Realtime-specific tuning > 3.1.1. 
Changing the priority of service during boot process ](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_for_real_time/8/html/tuning_guide/chap-realtime-specific_tuning#orde-Changing_The_Priority_Of_Service_During_Boot_Process) + +You can use the parameters `CPUSchedulingPolicy=` and `CPUSchedulingPriority=` to change the scheduler of a service. + + [SERVICE] + CPUSchedulingPolicy=fifo + CPUSchedulingPriority=20 + +**📌 EXAM TIP:** *If you can't remember the Systemd unit file options, you can use `man systemd.exec` and search for 'SCHEDULING'* + +--- +[⬅️ Back](3-Operate-running-systems.md) diff --git a/markdown/3-Operate-running-systems/3e-adjust-process-scheduling/3e-adjust-process-scheduling-5bd71.png b/markdown/3-Operate-running-systems/3e-adjust-process-scheduling/3e-adjust-process-scheduling-5bd71.png new file mode 100644 index 0000000..27d7f46 Binary files /dev/null and b/markdown/3-Operate-running-systems/3e-adjust-process-scheduling/3e-adjust-process-scheduling-5bd71.png differ diff --git a/markdown/3-Operate-running-systems/3f-manage-tuning-profiles.md b/markdown/3-Operate-running-systems/3f-manage-tuning-profiles.md new file mode 100644 index 0000000..d28ff35 --- /dev/null +++ b/markdown/3-Operate-running-systems/3f-manage-tuning-profiles.md 
@@ -0,0 +1,117 @@ +# 3.f Manage tuning profiles + +[RHEL 8 > Monitoring and managing system status and performance> Chapter 2. Getting started with tuned](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/monitoring_and_managing_system_status_and_performance/getting-started-with-tuned_monitoring-and-managing-system-status-and-performance) + +Tuned is a service that monitors your system and optimizes the performance under certain workloads. The core of Tuned are profiles, which tune your system for different use cases. + +## Tuned profiles + +A detailed analysis of a system can be very time-consuming. Tuned provides a number of predefined profiles for typical use cases. You can also create, modify, and delete profiles. + +The profiles provided with Tuned are divided into the following categories: ++ Power-saving profiles ++ Performance-boosting profiles + +## Pre-setup to Use Tuned + +Make sure that the package is installed with one of the commands below: + + [root@localhost systemd]# rpm -qa | grep tuned + tuned-2.14.0-3.el8.noarch + + [root@localhost systemd]# command -v tuned + /usr/sbin/tuned + + [root@localhost systemd]# command -v tuned-adm + /usr/sbin/tuned-adm + +Make sure the systemd service is running + + # systemctl status tuned.service + ● tuned.service - Dynamic System Tuning Daemon + Loaded: loaded (/usr/lib/systemd/system/tuned.service; enabled; vendor preset: enabled) + Active: active (running) since Sat 2020-11-14 14:10:34 EST; 2 days ago + Docs: man:tuned(8) + man:tuned.conf(5) + man:tuned-adm(8) + Main PID: 1030 (tuned) + Tasks: 4 (limit: 12285) + Memory: 17.1M + CGroup: /system.slice/tuned.service + └─1030 /usr/libexec/platform-python -Es /usr/sbin/tuned -l –P + +## Using Tuned + +### Getting Info + +List Profiles + + # tuned-adm list + Available profiles: + - accelerator-performance - Throughput performance based tuning with disabled higher latency STOP states + - balanced - General non-specialized tuned profile + - 
desktop - Optimize for the desktop use-case + - hpc-compute - Optimize for HPC compute workloads + - intel-sst - Configure for Intel Speed Select Base Frequency + - latency-performance - Optimize for deterministic performance at the cost of increased power consumption + - network-latency - Optimize for deterministic performance at the cost of increased power consumption, focused on low latency network performance + - network-throughput - Optimize for streaming network throughput, generally only necessary on older CPUs or 40G+ networks + - optimize-serial-console - Optimize for serial console use. + - powersave - Optimize for low power consumption + - throughput-performance - Broadly applicable tuning that provides excellent performance across a variety of common server workloads + - virtual-guest - Optimize for running inside a virtual guest + - virtual-host - Optimize for running KVM guests + Current active profile: virtual-guest + +Show current active profile + + # tuned-adm active + Current active profile: virtual-guest + +Verifies current profile against system settings + + # tuned-adm verify + Verfication succeeded, current system settings match the preset profile. + See tuned log file ('/var/log/tuned/tuned.log') for details. + +Recommend a profile suitable for your system + + # tuned-adm recommend + virtual-guest + +Get information on the profile + + # tuned-adm profile_info virtual-guest + Profile name: + virtual-guest + + Profile summary: + Optimize for running inside a virtual guest + + Profile description: + +### Switching Profiles + +Switches to the given profile + + # tuned-adm profile powersave + + # tuned-adm active + Current active profile: powersave + + +### Disabling Tuned + +#### Temporarily + + # tuned-adm off + +#### At Boot + +Use systemd + + # systemctl disable --now tuned + + +--- +[⬅️ Back](3-Operate-running-systems.md) 
diff --git a/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals.md b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals.md new file mode 100644 index 0000000..79c76c7 --- /dev/null +++ b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals.md 
@@ -0,0 +1,130 @@ +# 3.g Locate and interpret system log files and journals + +**What to know for the exam:** ++ Locations of the logs - /var/log ++ systemd-analyze ++ Journalctl ++ Rsyslog remote + +## Rsyslog + +Most logs are written to `/var/log`. + +Services that write to this folder are partially controlled by the rsyslog service. + +![](3g-locate-and-interpret-system-log-files-and-journals/image1.png) + +### Configuration File + +Configuration is saved in `/etc/rsyslog.conf`. + +Rsyslog can record logs from another servers, or send logs to other servers. + +_RHEL7_ + +![](3g-locate-and-interpret-system-log-files-and-journals/image3.png) + +_RHEL8_ + +![](3g-locate-and-interpret-system-log-files-and-journals/image2.png) + +Rsyslog can also be configured to read config (drop-in) files added by other services. + +_RHEL7_ + +![](3g-locate-and-interpret-system-log-files-and-journals/image5.png) + +_RHEL8_ + +![](3g-locate-and-interpret-system-log-files-and-journals/image4.png) + +### Logging Levels + ++ None – Do not log ++ 0 - Emergency/Panic ++ 1 - alerts ++ 2 - Critical ++ 3 - Error ++ 4 - Warnings ++ 5 - Notice ++ 6 - Info ++ 7 - Debug + +**📌 EXAM TIP** + +If you can't remember the logging levels, you can check `man rsyslog.conf ` + + The priority is one of the following keywords, in ascending order: debug, info, notice, warn‐ + ing, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as + emerg). The keywords error, warn and panic are deprecated and should not be used anymore. The + priority defines the severity of the message. + + +Or `man syslog` (`syslog`, not `rsyslog`) for details. 
+ + Kernel constant Level value Meaning + KERN_EMERG 0 System is unusable + KERN_ALERT 1 Action must be taken immediately + KERN_CRIT 2 Critical conditions + KERN_ERR 3 Error conditions + KERN_WARNING 4 Warning conditions + KERN_NOTICE 5 Normal but significant condition + KERN_INFO 6 Informational + KERN_DEBUG 7 Debug-level messages + +## Log Rotation + +Configuration file is `/etc/logrotate.conf`. + +Logrotate can also read config files from other services/packages in `/etc/logrotate.d`: + + # RPM packages drop log rotation information into this directory + include /etc/logrotate.d + +## Systemd and Journalctl + +Systemd keeps logs stored in a binary format. + +Find error messages in all log files + + $ journalctl -p {err|[0-7]} + +Find errors since yesterday + + $ journalctl -p err --since yesterday + +Find all messages associated with UID 1000 + + $ journalctl _UID=1000 + +Logs for specific service/binary + + # journalctl -u [unit.service] + + # journalctl [/path/to/binary] + + +## systemd-analyze + +`systemd-analyze` may be used to determine system boot-up performance statistics and retrieve other state and tracing information from the system and service manager, and to verify the correctness of unit files. It is also used to access special functions useful for advanced system manager debugging. + + # systemd-analyze + Startup finished in 984ms (kernel) + 7.382s (initrd) + 1min 29.786s (userspace) = 1min 38.153s + graphical.target reached after 1min 29.703s in userspace + +This command prints a list of all running units, ordered by the time they took to initialize. + + # systemd-analyze blame | head + 50.216s vboxadd.service + 42.899s plymouth-quit-wait.service + 17.397s vdo.service + 17.318s udisks2.service + 15.495s polkit.service + 15.348s ModemManager.service + 13.668s sssd.service + 9.738s smartd.service + 9.700s systemd-machined.service + 9.591s NetworkManager-wait-online.service + +--- +[⬅️ Back](3-Operate-running-systems.md) 
diff --git a/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image1.png b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image1.png new file mode 100644 index 0000000..10372a0 Binary files /dev/null and b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image1.png differ diff --git a/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image2.png b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image2.png new file mode 100644 index 0000000..4576d4c Binary files /dev/null and b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image2.png differ diff --git a/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image3.png b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image3.png new file mode 100644 index 0000000..0cc0605 Binary files /dev/null and b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image3.png differ diff --git a/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image4.png b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image4.png new file mode 100644 index 0000000..b929510 Binary files /dev/null and b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image4.png differ diff --git a/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image5.png b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image5.png new file mode 100644 index 0000000..5aad5d1 Binary files /dev/null and b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image5.png differ 
diff --git a/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image6.png b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image6.png new file mode 100644 index 0000000..b1bacd1 Binary files /dev/null and b/markdown/3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals/image6.png differ diff --git a/markdown/3-Operate-running-systems/3h-preserve-system-journals.md b/markdown/3-Operate-running-systems/3h-preserve-system-journals.md new file mode 100644 index 0000000..c00b4c1 --- /dev/null +++ b/markdown/3-Operate-running-systems/3h-preserve-system-journals.md 
@@ -0,0 +1,96 @@ +# 3.h Preserve system journals + +Normally, 'journald' journals (for RHEL) don't persist through reboots ([RHEL KB](https://access.redhat.com/solutions/696893)). See below: + +![](3h-preserve-system-journals/image.png) + +*From the man page for systemd-journald* + +>The journal service stores log data either persistently below /var/log/journal or in a volatile way below /run/log/journal/ (in the latter case it is lost at reboot). By default, log data is stored persistently if /var/log/journal/ exists during boot, with an implicit fallback to volatile storage otherwise. Use Storage= in journald.conf(5) to configure where log data is placed, independently of the existence of /var/log/journal/. +> +> On systems where /var/log/journal/ does not exist yet but where persistent logging is desired (and the default journald.conf is used), it is sufficient to create the directory, and ensure it has the correct access modes and ownership: +> +> `mkdir -p /var/log/journal` +> +> `systemd-tmpfiles --create --prefix /var/log/journal` + +You can confirm that persistent journals are not enabled by asking `journalctl` to list boots (there should be more than one if it's enabled): + + # journalctl --list-boots + 0 a677aaa6bdf1407a99dd7d1375d88be1 Sun 2020-12-13 03:54:03 EST—Sun 2020-12-13 12:25:17 EST + +And by checking if the `/var/log/journal` folder exists + + # ll /var/log/journal + ls: cannot access '/var/log/journal': No such file or directory + +## Enabling Persistent Journals + +### Option 1: From 'systemd-journald' man page + +Create the required folder: + + # mkdir -p /var/log/journal + +Create systemd temp files for '/var/log/journal' + + # systemd-tmpfiles --create --prefix /var/log/journal + +Set a value for `SystemMaxUse=` in `/etc/systemd/journald.conf` (by default journalctl will use up to 10% of the folder mount point) + + # grep 'SystemMaxUse=' /etc/systemd/journald.conf + SystemMaxUse=100M + +Restart 'systemd' service + + # systemctl restart 
systemd-journald + +Or if you want to keep your current logs, run + + # killall -USR1 systemd-journald + +### Option 2: Red Hat's KB + +[How to enable persistent logging for the systemd journal](https://access.redhat.com/solutions/696893) + +Create the log folder + + # mkdir /var/log/journal + +Edit `/etc/systemd/journald.conf` and change the value of `Storage` and `SystemMaxUse=` + + Storage=persistent + SystemMaxUse=100M + +Restart the service + + # systemctl restart systemd-journald + +--- + +#### Additional Info + +**Man Pages:** +- systemd-journald (8) - Journal service +- journalctl (1) - Query the systemd journal +- journald.conf (5) - Journal service configuration files + + +_man journald.conf_ + + Storage= + + Controls where to store journal data. One of "volatile", "persistent", "auto" + and "none". If "volatile", journal log data will be stored only in memory, i.e. + below the /run/log/journal hierarchy (which is created if needed). If + "persistent", data will be stored preferably on disk, i.e. below the + /var/log/journal hierarchy (which is created if needed), with a fallback to + /run/log/journal (which is created if needed), during early boot and if the + disk is not writable. "auto" is similar to "persistent" but the directory + /var/log/journal is not created if needed, so that its existence controls where + log data goes. "none" turns off all storage, all log data received will be + dropped. Forwarding to other targets, such as the console, the kernel log + buffer, or a syslog socket will still work however. Defaults to "auto". + +--- +[⬅️ Back](3-Operate-running-systems.md) diff --git a/markdown/3-Operate-running-systems/3h-preserve-system-journals/image.png b/markdown/3-Operate-running-systems/3h-preserve-system-journals/image.png new file mode 100644 index 0000000..993b544 Binary files /dev/null and b/markdown/3-Operate-running-systems/3h-preserve-system-journals/image.png differ 
diff --git a/markdown/3-Operate-running-systems/3i-start-stop-and-check-the-status-of-network-services.md b/markdown/3-Operate-running-systems/3i-start-stop-and-check-the-status-of-network-services.md new file mode 100644 index 0000000..ffd4ce9 --- /dev/null +++ b/markdown/3-Operate-running-systems/3i-start-stop-and-check-the-status-of-network-services.md @@ -0,0 +1,32 @@ +# 3.i Start, stop, and check the status of network services + +**Network Services** - Any services that rely on the network to run + +![](3i-start-stop-and-check-the-status-of-network-services/image.png) + +Important `systemctl` options ++ status ++ enable - Remember that it creates a symlink (`/etc/systemd/system/[target]/`) ++ disable ++ start ++ stop ++ mask ++ unmask ++ is-enabled + +## Mask vs Disable + +### Disable + +Disabling the service deletes the symlink, so the unit file itself is not affected, but the service is not loaded at the next boot, when systemd reads `/etc/systemd/system`. + +However, a disabled service can be loaded, and will be started if a service that depends on it is started; `enable` and `disable` only configure auto-start behaviour for units, and the state is easily overridden. + +### Mask + +A masked service is one whose unit file is a symlink to `/dev/null`. This makes it "impossible" to load the service, even if it is required by another, enabled service. + +When you mask a service, a symlink is created from `/etc/systemd/system` to `/dev/null`, leaving the original unit file elsewhere untouched. When you unmask a service the symlink is deleted. + +--- +[⬅️ Back](3-Operate-running-systems.md) 
diff --git a/markdown/3-Operate-running-systems/3i-start-stop-and-check-the-status-of-network-services/image.png b/markdown/3-Operate-running-systems/3i-start-stop-and-check-the-status-of-network-services/image.png new file mode 100644 index 0000000..343b511 Binary files /dev/null and b/markdown/3-Operate-running-systems/3i-start-stop-and-check-the-status-of-network-services/image.png differ diff --git a/markdown/3-Operate-running-systems/3j-securely-transfer-files-between-systems.md b/markdown/3-Operate-running-systems/3j-securely-transfer-files-between-systems.md new file mode 100644 index 0000000..1f04c11 --- /dev/null +++ b/markdown/3-Operate-running-systems/3j-securely-transfer-files-between-systems.md 
@@ -0,0 +1,53 @@ +# 3.j Securely transfer files between systems + +**Commands:** ++ SCP - Same as SSH but for files (built into SSH). Same flags can be used ++ SFTP - OpenSSH comes with a built-in SFTP server. By default it's already enabled + +## SCP + +SCP or secure copy allows secure transferring of files between a local host and a remote host or between two remote hosts. It uses the same authentication and security as the Secure Shell (SSH) protocol from which it is based. SCP is loved for it’s simplicity, security and pre-installed availability. + +### Examples + +Copy file from local host to a remote host + + $ scp file.txt username@to_host:/remote/directory/ + +Copy file from a remote host to local host + + $ scp username@from_host:file.txt /local/directory/ + +Copy directory recursively from local host to a remote host + + $ scp -r /local/directory/ username@to_host:/remote/directory/ + +Copy directory recursively from a remote host to local host + + $ scp -r username@from_host:/remote/directory/ /local/directory/ + + +**📌 TIP:** *When using `scp` with SSH keys setup between the local and remote systems, `[TAB]` will auto complete the path on the remote system* + +## SFTP + +The SSH File Transfer Protocol (SFTP), also known as the Secure File Transfer Protocol, enables secure file transfer capabilities between networked hosts. Unlike the Secure Copy Protocol (SCP), SFTP additionally provides remote file system management functionality, allowing applications to resume interrupted file transfers, list the contents of remote directories, and delete remote files. + +To enable 'sftp' you might need to edit `/etc/ssh/sshd_config` + + # override default of no subsystems + Subsystem sftp /usr/libexec/openssh/sftp-server + + +### Commands + +Connect + + $ sftp user@host + +Get help + + sftp> ? + +--- +[⬅️ Back](3-Operate-running-systems.md) 
diff --git a/markdown/4-Configure-local-storage/4-Configure-local-storage.md b/markdown/4-Configure-local-storage/4-Configure-local-storage.md new file mode 100644 index 0000000..2b7f4cb --- /dev/null +++ b/markdown/4-Configure-local-storage/4-Configure-local-storage.md @@ -0,0 +1,11 @@ +# 4. Configure local storage + ++ [4.a List, create, delete partitions on MBR and GPT disks](4a-list-create-delete-partitions-on-mbr-and-gpt-disks.md) ++ [4.b Create and remove physical volumes](4b-create-and-remove-physical-volumes.md) ++ [4.c Assign physical volumes to volume groups](4c-assign-physical-volumes-to-volume-groups.md) ++ [4.d Create and delete logical volumes](4d-create-and-delete-logical-volumes.md) ++ [4.e Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label](4e-configure-systems-to-mount-file-systems-at-boot-by-universally-unique-id-uuid-or-label.md) ++ [4.f Add new partitions and logical volumes, and swap to a system non-destructively](4f-add-new-partitions-and-logical-volumes-and-swap-to-a-system-non-destructively.md) + +--- +[⬅️ Back](../Objectives.md) diff --git a/markdown/4-Configure-local-storage/4a-list-create-delete-partitions-on-mbr-and-gpt-disks.md b/markdown/4-Configure-local-storage/4a-list-create-delete-partitions-on-mbr-and-gpt-disks.md new file mode 100644 index 0000000..8befcc5 --- /dev/null +++ b/markdown/4-Configure-local-storage/4a-list-create-delete-partitions-on-mbr-and-gpt-disks.md 
@@ -0,0 +1,77 @@ +# 4.a List, create, delete partitions on MBR and GPT disks + +**Commands to know for the exam:** ++ `df` ++ `lsblk` ++ `blkid` ++ `fdisk` ++ `gdisk` ++ `partprobe` + +## MBR and GPT + +MBR (Master Boot Record) and GPT (GUID Partition Table) are two different ways of storing the partitioning information on a drive. This information includes where partitions start and begin, so your operating system knows which sectors belong to each partition and which partition is bootable. + +## MBR Partitions + +A master boot record (MBR) is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives intended for use with IBM PC-compatible systems and beyond. The concept of MBRs was publicly introduced in 1983 with PC DOS 2.0. + +MBR - Master Boot Record ++ Can only hold 4 primary partitions ++ Can only address up to 4TB of disk space + +### Manipulating MBR Partitions + +**Commands:** +- fdisk (8) - manipulate disk partition table +- partprobe (8) - inform the OS of partition table changes + +List all disks and partitions + + # fdisk -l + +List partitions on device + + # fdisk -l /dev/sda + +#### Command Mode + +Allows you to manipulate/create a disk and it's paritions. + +Enter command mode + + # fdisk [disk] + +**Options:** +- `m` - print help menu +- `a` - toggle a bootable flag +- `p` - print partition table +- `d` - delete partition +- `l` - list known partition types +- `n` - add a new partition +- `t` - change a partition type +- `w` - write table to disk and exit +- `q` - quit without saving changes + +**📝 NOTE:** *You should be familiar using all this options to manage paritions* + + +## GPT Partitions + +The GUID Partition Table (GPT) is a standard for the layout of partition tables of a physical computer storage device, such as a hard disk drive or solid-state drive, using universally unique identifiers, which are also known as globally unique identifiers (GUIDs). 
+ +Newer servers using UEFI can address GPT partitions, however older servers still using BIOS need additional software installed. + +GPT partitions can be significantly larger than MBR partitions: ++ Can have nearly unlimited number of partitions ++ Partition size is limited to what the OS can address (RHEL has certified GPT partitions on XFS at 500 TiB and theoretical up to 16EiB) + +### Manipulating GPT Partitions + +**Commands:** +- gdisk (8) - Interactive GUID partition table (GPT) manipulator + +**📝 NOTE:** *Options are the same as on fdisk* + +--- +[⬅️ Back](4-Configure-local-storage.md) diff --git a/markdown/4-Configure-local-storage/4b-create-and-remove-physical-volumes.md b/markdown/4-Configure-local-storage/4b-create-and-remove-physical-volumes.md new file mode 100644 index 0000000..4edf279 --- /dev/null +++ b/markdown/4-Configure-local-storage/4b-create-and-remove-physical-volumes.md 
@@ -0,0 +1,91 @@ +# 4.b Create and remove physical volumes + +## Logical Volume Manager + +Logical Volume Manager (LVM) is a device mapper target that provides logical volume management for the Linux kernel. LVM allows a pool of space to manage storage. + +![](4b-create-and-remove-physical-volumes/image.png) + ++ **PV** - Physical Volumes are directly related to hard drives or partitions ++ **VG** - A Volume Group can have multiple physical Volumes ++ **LV** - A Logical Volume sits inside a Volume Group and it's what is assigned to a file system (/root, /home, etc...) + +When a physical disk is setup for LVM, metadata is written at the beginning of the disk for normal usage, and at the end of the disk for backup usage. + +## Steps of Creating a Physical Volume + +First create initialize the disks to be used by LVM with pvcreate (Initialize physical volume(s) for use by LVM) + + # pvcreate /dev/device /dev/device2 /dev/device3 + +Then we create a volume group with vgcreate (Create a volume group) + + # vgcreate [vg name] /dev/device /dev/device2 /dev/device3 + +_Optionally use the '-s' switch to set the Physical Extent size (for LVM2, the only effect this flag has is that when using too many physical volumes, the LVM tools will perform better)_ + +And finally create the Logical Volume (4GB) + + # lvcreate -L 4g [vg name] -n [lv name] + +Flags: ++ `-n` - set the Logical Volume name ++ `-l` - use extents rather than a specified size + +Create the file system + + # mkfs.xfs /dev/[vgname]/[lvname] + + +## Creating and Deleting Physical Volumes + +**Commands:** ++ lvm (8) - LVM2 tools ++ pvcreate (8) - Initialize physical volume(s) for use by LVM ++ pvdisplay (8) - Display various attributes of physical volume(s) ++ pvremove (8) - Remove LVM label(s) from physical volume(s) ++ pvs (8) - Display information about physical volumes + +### Creating Physical Volumes + +Physical volumes can be created using full disks or partitions. 
+ + # pvcreate /dev/part1 /dev/part2 + +Or + + # pvcreate /dev/sdb /dev/sdc + +### Deleting Physical Volumes + +`pvremove` wipes the label on a device so that LVM will no longer recognize it as a PV. A PV cannot be removed from a VG while it is used by an active LV. + +Removing a PV + + # pvremove /dev/sdb /dev/sdc + Labels on physical volume "/dev/sdb" successfully wiped. + Labels on physical volume "/dev/sdc" successfully wiped. + +Trying to remove a PV that has a VG and LV + + # pvremove /dev/sdb /dev/sdc + PV /dev/sdb is used by VG testvg so please use vgreduce first. + (If you are certain you need pvremove, then confirm by using --force twice.) + /dev/sdb: physical volume label not removed. + PV /dev/sdc is used by VG testvg so please use vgreduce first. + (If you are certain you need pvremove, then confirm by using --force twice.) + /dev/sdc: physical volume label not removed. + +You can try to force remove with `-ff` + + # pvremove -ff /dev/sdb /dev/sdc + WARNING: PV /dev/sdb is used by VG testvg. + Really WIPE LABELS from physical volume "/dev/sdb" of volume group "testvg" [y/n]? y + WARNING: Wiping physical volume label from /dev/sdb of volume group "testvg". + WARNING: PV /dev/sdc is used by VG testvg. + Really WIPE LABELS from physical volume "/dev/sdc" of volume group "testvg" [y/n]? y + WARNING: Wiping physical volume label from /dev/sdc of volume group "testvg". + + +--- +[⬅️ Back](4-Configure-local-storage.md) diff --git a/markdown/4-Configure-local-storage/4b-create-and-remove-physical-volumes/image.png b/markdown/4-Configure-local-storage/4b-create-and-remove-physical-volumes/image.png new file mode 100644 index 0000000..349a014 Binary files /dev/null and b/markdown/4-Configure-local-storage/4b-create-and-remove-physical-volumes/image.png differ 
diff --git a/markdown/4-Configure-local-storage/4c-assign-physical-volumes-to-volume-groups.md b/markdown/4-Configure-local-storage/4c-assign-physical-volumes-to-volume-groups.md new file mode 100644 index 0000000..4b62130 --- /dev/null +++ b/markdown/4-Configure-local-storage/4c-assign-physical-volumes-to-volume-groups.md 
@@ -0,0 +1,113 @@ +# 4.c Assign physical volumes to volume groups + +## Working with Volume Groups + +**Commands:** ++ lvm (8) - LVM2 tools ++ vgcreate (8) - Create a volume group ++ vgdisplay (8) - Display volume group information ++ vgextend (8) - Add physical volumes to a volume group ++ vgreduce (8) - Remove physical volume(s) from a volume group ++ vgremove (8) - Remove volume group(s) ++ vgs (8) - Display information about volume groups + +### Creating a Volume Group + +`vgcreate` creates a new VG on block devices. If the devices were not previously initialized as PVs with `pvcreate`, `vgcreate` will initialize them, making them PVs. The `pvcreate` options for initializing devices are also available with `vgcreate`. + +We create a volume group with `vgcreate` (Create a volume group) + + # vgcreate [vg name] /dev/device /dev/device2 /dev/device3 + +For example + + # vgcreate vg1 /dev/sdb /dev/sdc + Volume group "vg1" successfully created + +Listing the new volume group (with `vgs [volume group]`) + + # vgs vg1 + VG #PV #LV #SN Attr VSize VFree + vg1 2 0 0 wz--n- 5.99g 5.99g + +Listing all volume groups (`vgs`) + + # vgs + VG #PV #LV #SN Attr VSize VFree + rhel 1 2 0 wz--n- <29.00g 0 + vg1 2 0 0 wz--n- 5.99g 5.99g + +Or with more details + + # vgdisplay vg1 + --- Volume group --- + VG Name vg1 + System ID + Format lvm2 + Metadata Areas 2 + Metadata Sequence No 1 + VG Access read/write + VG Status resizable + MAX LV 0 + Cur LV 0 + Open LV 0 + Max PV 0 + Cur PV 2 + Act PV 2 + VG Size 5.99 GiB + PE Size 4.00 MiB + Total PE 1534 + Alloc PE / Size 0 / 0 + Free PE / Size 1534 / 5.99 GiB + VG UUID uvHpRZ-BdPH-Nzxy-Lp15-VMps-fzPZ-A1bebc + +Remember, you can also create a PV with `vgcreate` (bypassing the need to run `pvcreate`) + + # vgcreate vg2 /dev/sdd + Physical volume "/dev/sdd" successfully created. + Volume group "vg2" successfully created + +### Extending a Volume Group + +You can use `vgextend` to extend volume groups by adding physical volumes to it. 
+ +Initialize the new drive as a physical volume + + # pvcreate /dev/sde + Physical volume "/dev/sde" successfully created. + +Add the new physical volume to the volume group + + # vgextend vg1 /dev/sde + Volume group "vg1" successfully extended + +### Reducing a Volume Group + +`vgreduce` removes one or more unused PVs from a VG. + +Let's look at our volume group. Note it has 8.99GB of space + + # vgs vg1 + VG #PV #LV #SN Attr VSize VFree + vg1 3 0 0 wz--n- <8.99g <8.99g + +Remove one of the physical volumes + + # vgreduce vg1 /dev/sde + Removed "/dev/sde" from volume group "vg1" + +List the volume group again and now it has 5.99GB + + # vgs vg1 + VG #PV #LV #SN Attr VSize VFree + vg1 2 0 0 wz--n- 5.99g 5.99g + +### Deleting/Removing a Volume Group + +`vgremove` removes one or more VGs. If LVs exist in the VG, a prompt is used to confirm LV removal. + + # vgremove vg1 + Volume group "vg1" successfully removed + +--- +[⬅️ Back](4-Configure-local-storage.md) diff --git a/markdown/4-Configure-local-storage/4d-create-and-delete-logical-volumes.md b/markdown/4-Configure-local-storage/4d-create-and-delete-logical-volumes.md new file mode 100644 index 0000000..dae3de7 --- /dev/null +++ b/markdown/4-Configure-local-storage/4d-create-and-delete-logical-volumes.md 
@@ -0,0 +1,74 @@ +# 4.d Create and delete logical volumes + +## Working with Logical Volumes + +**Commands:** ++ lvm (8) - LVM2 tools ++ lvcreate (8) - Create a logical volume ++ lvdisplay (8) - Display information about a logical volume ++ lvremove (8) - Remove logical volume(s) from the system ++ lvs (8) - Display information about logical volumes + +### Creating a Logical Volume + + # lvcreate -L 4g [vg name] -n [lv name] + +Flags: ++ `-n` - set the Logical Volume name ++ `-l` - use extents rather than a specified size + +**Example:** + +Create the LV + + # lvcreate -L 4g vg1 -n lv1 + Logical volume "lv1" created. + +Display simple information about the LV + + # lvs vg1 + LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert + lv1 vg1 -wi-a----- 4.00g + +Simple information with verbose + + # lvs -v vg1 + LV VG #Seg Attr LSize Maj Min KMaj KMin Pool Origin Data% Meta% Move Cpy%Sync Log Convert LV UUID LProfile + lv1 vg1 2 -wi-a----- 4.00g -1 -1 253 2 ADUPcG-YAuo-5vDC-7FEB-Cas9-4Gt0-hR1kVD + +Detailed information + + # lvdisplay vg1 + --- Logical volume --- + LV Path /dev/vg1/lv1 + LV Name lv1 + VG Name vg1 + LV UUID ADUPcG-YAuo-5vDC-7FEB-Cas9-4Gt0-hR1kVD + LV Write Access read/write + LV Creation host, time localhost.localdomain, 2020-11-18 08:07:29 -0500 + LV Status available + # open 0 + LV Size 4.00 GiB + Current LE 1024 + Segments 2 + Allocation inherit + Read ahead sectors auto + - currently set to 8192 + Block device 253:2 + +### Deleting/Removing a Logical Volume + +`lvremove` removes one or more LVs. For standard LVs, this returns the logical extents that were used by the LV to the VG for use by other LVs. + + # lvremove /dev/vg1/lv1 + Do you really want to remove active logical volume vg1/lv1? [y/n]: y + Logical volume "lv1" successfully removed + +You can also specify the logical volume with `[vg name]/[lv name]` + + # lvremove vg1/lv1 + Do you really want to remove active logical volume vg1/lv1? 
[y/n]: y + Logical volume "lv1" successfully removed + +--- +[⬅️ Back](4-Configure-local-storage.md) diff --git a/markdown/4-Configure-local-storage/4e-configure-systems-to-mount-file-systems-at-boot-by-universally-unique-id-uuid-or-label.md b/markdown/4-Configure-local-storage/4e-configure-systems-to-mount-file-systems-at-boot-by-universally-unique-id-uuid-or-label.md new file mode 100644 index 0000000..e387e11 --- /dev/null +++ b/markdown/4-Configure-local-storage/4e-configure-systems-to-mount-file-systems-at-boot-by-universally-unique-id-uuid-or-label.md 
@@ -0,0 +1,270 @@ +# 4.e Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label + +## Non-persistent naming attributes + +Traditionally, non-persistent names in the form of `/dev/sd*(major number)**(minor number)*` are used on Linux to refer to storage devices. The major and minor number range and associated `sd` names are allocated for each device when it is detected. This means that the association between the major and minor number range and associated `sd` names can change if the order of device detection changes. + +Such a change in the ordering might occur in the following situations: + ++ The parallelization of the system boot process detects storage devices in a different order with each system boot. ++ A disk fails to power up or respond to the SCSI controller. ++ A SCSI controller (host bus adapter, or HBA) fails to initialize, causing all disks connected to that HBA to not be detected. ++ The order of driver initialization changes if different types of HBAs are present in the system. ++ Disks connected to the system with Fibre Channel, iSCSI, or FCoE adapters might be inaccessible at the time the storage devices are probed, due to a storage array or intervening switch being powered off, for example. + +These reasons make it undesirable to use the major and minor number range or the associated `sd` names when referring to devices, such as in the `/etc/fstab` file. + +## Persistent naming attributes + +### udev Naming Mechanism + +The udev mechanism is used for all types of devices in Linux, not just for storage devices. In the case of storage devices, udev rules creates pemanent device identifiers via symbolic links in the `/dev/disk/` directory. This enables you to refer to storage devices by: + ++ Their content ++ A unique identifier ++ Their serial number. 
+ +**📝 NOTE:** *Although `udev` naming attributes are persistent, in that they do not change on their own across system reboots, some are also configurable.* + +### File system identifiers + +**File system identifiers are tied to a particular file system** created on a block device. The identifier is also stored as part of the file system. If you copy the file system to a different device, it still carries the same file system identifier. On the other hand, if you rewrite the device, such as by formatting it with the `mkfs` utility, the device loses the attribute. + +File system identifiers include: ++ Unique identifier (UUID) ++ Label + +#### The UUID attribute in `/dev/disk/by-uuid/` + +Entries in this directory provide a symbolic name that refers to the storage device by a **unique identifier** (UUID). You can use the UUID to refer to the device in the `/etc/fstab` file using the following syntax: + + UUID=3e6be9de-8139-11d1-9106-a43f08d823a6 + +You can configure the UUID attribute when creating a file system, and you can also change it later on. + +#### The Label attribute in `/dev/disk/by-label/` + +Entries in this directory provide a symbolic name that refers to the storage device by a **label**. You can use the label to refer to the device in the /etc/fstab file using the following syntax: + + LABEL=Boot + +### Device identifiers + +**📝 NOTE:** *Device identifiers should not be needed for the exam, but it's good knowledge to have* + +Device identifiers are tied to a block device: for example, a disk or a partition. If you rewrite the device, such as by formatting it with the `mkfs` utility, the device keeps the attribute, because it is not stored in the file system. + +Device identifiers include: + ++ World Wide Identifier (WWID) ++ Partition UUID ++ Serial number + +#### PARTUUID vs UUID + ++ UUID is a filesystem-level UUID, which is retrieved from the filesystem metadata inside the partition. 
That can only be read if the filesystem type is known and readable. ++ PARTUUID is a partition-table-level UUID for the partition, a standard feature for all partitions on GPT-partitioned disks. Since it is retrieved from the partition table, it is accessible without making no assumptions at all about the actual contents of the partition. If the partition is encrypted using some unknown encryption method, this might be the only accessible unique identifier for that particular partition. + +Both 'UUID' and 'PARTUUID' can be used in `/etc/fstab`. + +## Getting the file system identifiers + +### Getting UUID + +There are different ways to get the UUID for a partition. + +Using `blkid` + + # blkid + /dev/sda1: UUID="375fcafb-dbf0-4e72-a1de-9bba811fc6d4" BLOCK_SIZE="512" TYPE="xfs" PARTUUID="f5953a5f-01" + /dev/sda2: UUID="fv8aQX-tfJD-3ieh-G2wo-GrnR-bcML-j41Dis" TYPE="LVM2_member" PARTUUID="f5953a5f-02" + /dev/mapper/rhel-root: UUID="cc50014d-ed1f-4785-a5f2-304ec6da9002" BLOCK_SIZE="512" TYPE="xfs" + /dev/mapper/rhel-swap: UUID="01d46e11-4725-4743-8d92-ca9fdd675a8e" TYPE="swap" + +Using `lsblk -f` + + # lsblk -f + NAME FSTYPE LABEL UUID MOUNTPOINT + sda + ├─sda1 xfs 375fcafb-dbf0-4e72-a1de-9bba811fc6d4 /boot + └─sda2 LVM2_member fv8aQX-tfJD-3ieh-G2wo-GrnR-bcML-j41Dis + ├─rhel-root xfs cc50014d-ed1f-4785-a5f2-304ec6da9002 / + └─rhel-swap swap 01d46e11-4725-4743-8d92-ca9fdd675a8e [SWAP] + +Using `ls /dev/disk/by-uuid/` + + # ll /dev/disk/by-uuid/ + total 0 + lrwxrwxrwx. 1 root root 10 Nov 17 16:48 01d46e11-4725-4743-8d92-ca9fdd675a8e -> ../../dm-1 + lrwxrwxrwx. 1 root root 10 Nov 17 16:48 375fcafb-dbf0-4e72-a1de-9bba811fc6d4 -> ../../sda1 + lrwxrwxrwx. 1 root root 10 Nov 17 16:48 cc50014d-ed1f-4785-a5f2-304ec6da9002 -> ../../dm-0 + +### Getting UUID for LVM + +You can also use `blkid` or `lsblkd -f` to get the UUID for logical volumes. 
+ + # pvs + PV VG Fmt Attr PSize PFree + /dev/sda2 rhel lvm2 a-- <29.00g 0 + /dev/sdb vg1 lvm2 a-- <3.00g 0 + /dev/sdc vg1 lvm2 a-- <3.00g 1016.00m + /dev/sdd lvm2 --- 3.00g 3.00g + /dev/sde vg1 lvm2 a-- <3.00g <3.00g + +With `blkid` + + # blkid + /dev/sda1: UUID="375fcafb-dbf0-4e72-a1de-9bba811fc6d4" BLOCK_SIZE="512" TYPE="xfs" PARTUUID="f5953a5f-01" + /dev/sda2: UUID="fv8aQX-tfJD-3ieh-G2wo-GrnR-bcML-j41Dis" TYPE="LVM2_member" PARTUUID="f5953a5f-02" + /dev/mapper/rhel-root: UUID="cc50014d-ed1f-4785-a5f2-304ec6da9002" BLOCK_SIZE="512" TYPE="xfs" + /dev/mapper/rhel-swap: UUID="01d46e11-4725-4743-8d92-ca9fdd675a8e" TYPE="swap" + /dev/sdc: UUID="qIVN0M-bpnS-2nDK-SuTE-l3bD-8Y3d-52kVwz" TYPE="LVM2_member" + /dev/sdb: UUID="8vojd0-AgE9-fDqa-pVWq-X0sl-29ll-OChdzL" TYPE="LVM2_member" + /dev/sdd: UUID="8H5qa7-7UiT-ydRL-Jc50-BSdv-weoj-4TCVJo" TYPE="LVM2_member" + /dev/sde: UUID="WwyG65-4kn1-GKHN-pgW5-X2Os-UAFc-Ca2rfB" TYPE="LVM2_member" + /dev/mapper/vg1-lv1: LABEL="lv1" UUID="83435299-3439-4db6-a7fd-ba86bbdb2387" BLOCK_SIZE="4096" TYPE="ext4" + +Specifying the LV path + + # blkid /dev/mapper/vg1-lv1 + /dev/mapper/vg1-lv1: LABEL="lv1" UUID="83435299-3439-4db6-a7fd-ba86bbdb2387" BLOCK_SIZE="4096" TYPE="ext4" + +With `lsblk` + + # lsblk -f + NAME FSTYPE LABEL UUID MOUNTPOINT + sda + ├─sda1 xfs 375fcafb-dbf0-4e72-a1de-9bba811fc6d4 /boot + └─sda2 LVM2_member fv8aQX-tfJD-3ieh-G2wo-GrnR-bcML-j41Dis + ├─rhel-root xfs cc50014d-ed1f-4785-a5f2-304ec6da9002 / + └─rhel-swap swap 01d46e11-4725-4743-8d92-ca9fdd675a8e [SWAP] + sdb LVM2_member 8vojd0-AgE9-fDqa-pVWq-X0sl-29ll-OChdzL + └─vg1-lv1 ext4 lv1 83435299-3439-4db6-a7fd-ba86bbdb2387 + sdc LVM2_member qIVN0M-bpnS-2nDK-SuTE-l3bD-8Y3d-52kVwz + └─vg1-lv1 ext4 lv1 83435299-3439-4db6-a7fd-ba86bbdb2387 + sdd LVM2_member 8H5qa7-7UiT-ydRL-Jc50-BSdv-weoj-4TCVJo + sde LVM2_member WwyG65-4kn1-GKHN-pgW5-X2Os-UAFc-Ca2rfB + +### Getting the Label + +Like with UUID, you can get the label with `lsblk -f` + + # lsblk -f + NAME FSTYPE LABEL UUID 
MOUNTPOINT + sda + ├─sda1 xfs 375fcafb-dbf0-4e72-a1de-9bba811fc6d4 /boot + └─sda2 LVM2_member fv8aQX-tfJD-3ieh-G2wo-GrnR-bcML-j41Dis + ├─rhel-root xfs cc50014d-ed1f-4785-a5f2-304ec6da9002 / + └─rhel-swap swap 01d46e11-4725-4743-8d92-ca9fdd675a8e [SWAP] + sdb LVM2_member lJvOPK-AyOu-czH5-c96Y-xsmL-2Vnn-prLgpN + └─vg1-lv1 + sdc LVM2_member lAzsiO-trcw-BbGl-nbQe-bLo6-h4pr-wL09wa + └─vg1-lv1 + sdd + └─sdd1 ext4 ext4fs cae6fca6-e7b4-45b4-93ea-23430424ed7a + + +Or with `lsblk --output +LABEL` + + # lsblk --output +LABEL + NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT LABEL + sda 8:0 0 30G 0 disk + ├─sda1 8:1 0 1G 0 part /boot + └─sda2 8:2 0 29G 0 part + ├─rhel-root 253:0 0 27G 0 lvm / + └─rhel-swap 253:1 0 2.1G 0 lvm [SWAP] + sdb 8:16 0 3G 0 disk + └─vg1-lv1 253:2 0 4G 0 lvm + sdc 8:32 0 3G 0 disk + └─vg1-lv1 253:2 0 4G 0 lvm + sdd 8:48 0 3G 0 disk + └─sdd1 8:49 0 3G 0 part ext4fs + +With `blkid` + + # blkid + /dev/sdd1: LABEL="ext4fs" UUID="cae6fca6-e7b4-45b4-93ea-23430424ed7a" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="Linux filesystem" PARTUUID="a866a6e2-30be-4f5e-86e7-b5ee2830467f" + /dev/sdc: UUID="lAzsiO-trcw-BbGl-nbQe-bLo6-h4pr-wL09wa" TYPE="LVM2_member" + /dev/sdb: UUID="lJvOPK-AyOu-czH5-c96Y-xsmL-2Vnn-prLgpN" TYPE="LVM2_member" + /dev/sda1: UUID="375fcafb-dbf0-4e72-a1de-9bba811fc6d4" BLOCK_SIZE="512" TYPE="xfs" PARTUUID="f5953a5f-01" + /dev/sda2: UUID="fv8aQX-tfJD-3ieh-G2wo-GrnR-bcML-j41Dis" TYPE="LVM2_member" PARTUUID="f5953a5f-02" + /dev/mapper/rhel-root: UUID="cc50014d-ed1f-4785-a5f2-304ec6da9002" BLOCK_SIZE="512" TYPE="xfs" + /dev/mapper/rhel-swap: UUID="01d46e11-4725-4743-8d92-ca9fdd675a8e" TYPE="swap" + +And with `ll /dev/disk/by-label/` + + # ll /dev/disk/by-label/ + total 0 + lrwxrwxrwx. 
1 root root 10 Dec 13 17:15 ext4fs -> ../../sdd1 + + +## Configuring the Mount Point + +See [5.a Create, mount, unmount, and use vfat, ext4, and xfs file systems](../5-Create-and-configure-file-systems/5a-create-mount-unmount-and-use-vfat-ext4-and-xfs-file-systems.md) for information on the 'fstab' and mounting filesystems. + +### Mounting LVM + +Proceed as any other partition. + +After formating the logical volume, get the UUID + + # blkid /dev/mapper/vg1-lv1 + /dev/mapper/vg1-lv1: LABEL="lv1" UUID="83435299-3439-4db6-a7fd-ba86bbdb2387" BLOCK_SIZE="4096" TYPE="ext4" + +Create the mount point + + # mkdir /mnt/lv1 + +Add it to `/etc/fstb` + + # LV Mount + UUID=83435299-3439-4db6-a7fd-ba86bbdb2387 /mnt/lv1 ext4 defaults 0 2 + +Test the mount + + # mount -a + +Check that it worked + + # df /mnt/lv1/ + Filesystem 1K-blocks Used Available Use% Mounted on + /dev/mapper/vg1-lv1 5095040 20472 4796040 1% /mnt/lv1 + +**📝 NOTE:** *While you can safely use the device mapper path for LVMs, for the purposed of this objective we used the UUID.* + +--- + +## Changing FS Labels + +This is good knowledge to know for the exam. + +### For EXT4 + +**Commands:** ++ e2label - Change the label on an ext2/ext3/ext4 filesystem ++ tune2fs - adjust tunable filesystem parameters on ext2/ext3/ext4 filesystems + +With `e2label` + + # e2label /dev/mapper/vg1-lv1 logical-volume1 + +With `tune2fs` + + # tune2fs -L logical-volume1 /dev/mapper/vg1-lv1 + +### For XFS + +**Commands:** ++ xfs_admin - change parameters of an XFS filesystem + +Changing the label to 'lg-vm2' + + # xfs_admin -L lg-vm2 /dev/mapper/vg1-lv2 + writing all SBs + new label = "lg-vm2" + + # blkid /dev/mapper/vg1-lv2 + /dev/mapper/vg1-lv2: LABEL="lg-vm2" UUID="145c1d64-dc00-4568-9d6a-550cd60d035d" BLOCK_SIZE="512" TYPE="xfs" + +--- +[⬅️ Back](4-Configure-local-storage.md) 
diff --git a/markdown/4-Configure-local-storage/4f-add-new-partitions-and-logical-volumes-and-swap-to-a-system-non-destructively.md b/markdown/4-Configure-local-storage/4f-add-new-partitions-and-logical-volumes-and-swap-to-a-system-non-destructively.md new file mode 100644 index 0000000..47b025a --- /dev/null +++ b/markdown/4-Configure-local-storage/4f-add-new-partitions-and-logical-volumes-and-swap-to-a-system-non-destructively.md 
@@ -0,0 +1,64 @@ +# 4.f Add new partitions and logical volumes, and swap to a system non-destructively + +### Adding a New Swap Logical Volume + +**Commands:** ++ mkswap (8) - set up a Linux swap area ++ swapon (2) - start/stop swapping to file/device + +Create a physical volume + + # pvcreate /dev/sdd + Physical volume "/dev/sdd" successfully created. + +Create the volume group + + # vgcreate swap2 /dev/sdd + Volume group "swap2" successfully created + +Create the logical volume + + # lvcreate -l 100%FREE -n swap2 swap2 + Logical volume "swap2" created. + +Get the lv path + + # lvdisplay swap2 | grep 'LV Path' + LV Path /dev/swap2/swap2 + +Create the swap area + + # mkswap -L swap2 /dev/swap2/swap2 + Setting up swapspace version 1, size = 3 GiB (3217027072 bytes) + LABEL=swap2, UUID=02dac232-4bb8-4f18-8a29-c5c77756aaa0 + +You can list the swap devices for comparison + + # swapon -s + Filename Type Size Used Priority + /dev/dm-1 partition 2158588 36800 -2 + +Enable the device for paging + + # swapon /dev/swap2/swap2 + +Compare the list of swap device again + + # swapon -s + Filename Type Size Used Priority + /dev/dm-1 partition 2158588 36800 -2 + /dev/dm-4 partition 3141628 0 -3 + +Add it to fstab + + /dev/swap2/swap2 none swap defaults 0 0 + +**📌 EXAM TIP** + +Be prepared to: +- Add a standard partition to a device and mount it ([4.a List, create, delete partitions on MBR and GPT disks](4a-list-create-delete-partitions-on-mbr-and-gpt-disks.md)) +- Resize a standard partition ([5.c Extend existing logical volumes](..//5-Create-and-configure-file-systems/5-Create-and-configure-file-systems.md)) +- Add a new device to an existing volume group and create a new logical volume partition + +--- +[⬅️ Back](4-Configure-local-storage.md) diff --git a/markdown/5-Create-and-configure-file-systems/5-Create-and-configure-file-systems.md b/markdown/5-Create-and-configure-file-systems/5-Create-and-configure-file-systems.md new file mode 100644 index 0000000..c494bad --- /dev/null 
+++ b/markdown/5-Create-and-configure-file-systems/5-Create-and-configure-file-systems.md @@ -0,0 +1,12 @@ +### 5. Create and configure file systems + ++ [5.a Create, mount, unmount, and use vfat, ext4, and xfs file systems](5a-create-mount-unmount-and-use-vfat-ext4-and-xfs-file-systems.md) ++ [5.b Mount and unmount network file systems using NFS](5b-mount-and-unmount-network-file-systems-using-nfs.md) ++ [5.c Extend existing logical volumes](5c-extend-existing-logical-volumes.md) ++ [5.d Create and configure set-GID directories for collaboration](5d-create-and-configure-set-gid-directories-for-collaboration.md) ++ [5.e Configure disk compression](5e-configure-disk-compression.md) ++ [5.f Manage layered storage](5f-manage-layered-storage.md) ++ [5.g Diagnose and correct file permission problems](5g-diagnose-and-correct-file-permission-problems.md) + +--- +[⬅️ Back](../Objectives.md) diff --git a/markdown/5-Create-and-configure-file-systems/5a-create-mount-unmount-and-use-vfat-ext4-and-xfs-file-systems.md b/markdown/5-Create-and-configure-file-systems/5a-create-mount-unmount-and-use-vfat-ext4-and-xfs-file-systems.md new file mode 100644 index 0000000..d17687c --- /dev/null +++ b/markdown/5-Create-and-configure-file-systems/5a-create-mount-unmount-and-use-vfat-ext4-and-xfs-file-systems.md 
@@ -0,0 +1,249 @@ +# 5.a Create, mount, unmount, and use vfat, ext4, and xfs file systems + +## Introduction + +### Superblock + +A superblock is a record of the characteristics of a filesystem, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups. + +### Fstab + +The file fstab contains descriptive information about the filesystems the system can mount. + +**See man pages for:** ++ fstab (5) - static information about the filesystems ++ mount (8) - mount a filesystem + + # + # /etc/fstab + # Created by anaconda on Wed May 16 20:44:20 2018 + # + # Accessible filesystems, by reference, are maintained under '/dev/disk' + # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info + # + UUID=5f1871e2-c19c-4f86-8d6c-04d5fda71a0a / xfs defaults 0 0 + | | | | | |- FS Check Order (0 to ...) + | | | | |- Dump Frequency (backups) + | | | |- Mount Options + | | |- FSType + | |- Mount Point + |- Device Identifier + +## Working with vfat Filesystems + +**Commands:** ++ mkfs.vfat (8) - create an MS-DOS filesystem under Linux ++ fsck.vfat (8) - check and repair MS-DOS filesystems + +### Creating and Mounting a VFAT Filesystem + +Creating a vfat filesystem + + # mkfs.vfat -n VFAT /dev/vg3/vfat + mkfs.fat 4.1 (2017-01-24) + +Get the label + + # blkid | grep vfat + /dev/mapper/vg3-vfat: LABEL="VFAT" UUID="E873-3EE5" BLOCK_SIZE="512" TYPE="vfat" + +Add it to fstab + + UUID=E873-3EE5 /mnt/vfat vfat defaults 0 2 + +Mount it + + # mount –a + +Confirm + + # df /mnt/vfat + Filesystem 1K-blocks Used Available Use% Mounted on + /dev/mapper/vg3-vfat 3135488 4 3135484 1% /mnt/vfat + +### Checking the VFAT filesystem + +For VFAT, this can be done with the filesystem mounted. 
+ + # fsck.vfat /dev/mapper/vg3-vfat + fsck.fat 4.1 (2017-01-24) + /dev/mapper/vg3-vfat: 1 files, 1/783872 clusters + +## Working with XFS Flesystems + +**Commands:** ++ mkfs.xfs (8) - construct an XFS filesystem ++ xfs_repair (8) - repair an XFS filesystem ++ xfs_info (8) - display XFS filesystem geometry information ++ xfs_admin (8) - change parameters of an XFS filesystem + +### Creating and Mounting an XFS Filesystem + +Create the filesystem + + # mkfs.xfs -L xfs /dev/mapper/vg2-xfs + meta-data=/dev/mapper/vg2-xfs isize=512 agcount=4, agsize=392704 blks + = sectsz=512 attr=2, projid32bit=1 + = crc=1 finobt=1, sparse=1, rmapbt=0 + = reflink=1 + data = bsize=4096 blocks=1570816, imaxpct=25 + = sunit=0 swidth=0 blks + naming =version 2 bsize=4096 ascii-ci=0, ftype=1 + log =internal log bsize=4096 blocks=2560, version=2 + = sectsz=512 sunit=0 blks, lazy-count=1 + realtime =none extsz=4096 blocks=0, rtextents=0 + +Get the UUID + + # lsblk -f | grep xfs + ├─sda1 xfs 375fcafb-dbf0-4e72-a1de-9bba811fc6d4 /boot + ├─rhel-root xfs cc50014d-ed1f-4785-a5f2-304ec6da9002 / + └─vg2-xfs xfs xfs cfc57e17-8108-4215-9de1-1ad8ffcf2326 + └─vg2-xfs xfs xfs cfc57e17-8108-4215-9de1-1ad8ffcf2326 + +Add it to fstab + + UUID=cfc57e17-8108-4215-9de1-1ad8ffcf2326 /mnt/xfs xfs defaults 0 2 + +Mount it + + # mount -a + +Check it + + # df /mnt/xfs + Filesystem 1K-blocks Used Available Use% Mounted on + /dev/mapper/vg2-xfs 6273024 76796 6196228 2% /mnt/xfs + +### Checking the XFS filesystem + +**📝 NOTE:** *The filesystem needs to be unmounted.* + +Unmount if first + + # umount /mnt/xfs + +Run `xfs_repair` + + # xfs_repair /dev/mapper/vg2-xfs + Phase 1 - find and verify superblock... + Phase 2 - using internal log + - zero log... + - scan filesystem freespace and inode maps... + - found root inode chunk + Phase 3 - for each AG... + - scan and clear agi unlinked lists... + - process known inodes and perform inode discovery... 
+ - agno = 0 + - agno = 1 + - agno = 2 + - agno = 3 + - process newly discovered inodes... + Phase 4 - check for duplicate blocks... + - setting up duplicate extent list... + - check for inodes claiming duplicate blocks... + - agno = 0 + - agno = 1 + - agno = 2 + - agno = 3 + Phase 5 - rebuild AG headers and trees... + - reset superblock... + Phase 6 - check inode connectivity... + - resetting contents of realtime bitmap and summary inodes + - traversing filesystem ... + - traversal finished ... + - moving disconnected inodes to lost+found ... + Phase 7 - verify and correct link counts... + done + +### Settings XFS Flags + +**Commands:** ++ xfs_admin (8) - change parameters of an XFS filesystem + +**Common options:** ++ `L` - Sets the FS label ++ `l` - Displays the FS label ++ `u`- Shows the current UUID ++ `U` - Sets the FS UUID + + `nil` - set the filesystem UUID to the null UUID + + `generate` - generate a new UUID for the filesystem + + `restore` - restore the original UUID and remove the incompatible feature flag as needed ++ `c` - Enables/disables lazy counter + +> With lazy counters enabled, the superblock is not modified or logged when changes are made to the free-space and inode counters. Information is stored in other parts of the file system to maintain the counter values. This provides significant performance improvements in some configurations. Enabling and disabling lazy counters is time-consuming on large file systems because the entire file system must be scanned. 
+ +## Working with ext4 Filesystems + +**Commands:** ++ mkfs.ext4 (8) - create an ext2/ext3/ext4 filesystem ++ fsck.ext4 (8) - check a Linux ext2/ext3/ext4 file system ++ tune2fs (8) - adjust tunable filesystem parameters on ext2/ext3/ext4 filesystems ++ dumpe2fs (8) - dump ext2/ext3/ext4 filesystem information + +### Creating and Mounting an EXT4 Filesystem + +Create the filesystem + + # mkfs.ext4 -L ext4 /dev/vg1/ext4 + mke2fs 1.45.6 (20-Mar-2020) + Creating filesystem with 1570816 4k blocks and 393216 inodes + Filesystem UUID: 3e636509-d28a-49fd-91ff-33b7f56f9757 + Superblock backups stored on blocks: + 32768, 98304, 163840, 229376, 294912, 819200, 884736 + + Allocating group tables: done + Writing inode tables: done + Creating journal (16384 blocks): done + Writing superblocks and filesystem accounting information: done + +Get the label + + # lsblk -f | grep ext4 + └─vg1-ext4 ext4 ext4 3e636509-d28a-49fd-91ff-33b7f56f9757 + └─vg1-ext4 ext4 ext4 3e636509-d28a-49fd-91ff-33b7f56f9757 + +Add it to fstab + + UUID=3e636509-d28a-49fd-91ff-33b7f56f9757 /mnt/ext4 ext4 defaults 0 2 + +Mount it + + # mount –a + +Check it + + # df /dev/mapper/vg1-ext4 + Filesystem 1K-blocks Used Available Use% Mounted on + /dev/mapper/vg1-ext4 6118976 24536 5763896 1% /mnt/ext4 + +### Checking the EXT4 filesystem + +**📝 NOTE:** *The file system needs to be unmounted* + +Unmount it + + # umount /mnt/ext4 + +Run the check + + # fsck.ext4 /dev/mapper/vg1-ext4 + e2fsck 1.45.6 (20-Mar-2020) + ext4: clean, 11/393216 files, 47206/1570816 blocks + +### Settings ext4 Flags + +`tune2fs` allows the system administrator to adjust various tunable filesystem parameters on Linux ext2, ext3, or ext4 filesystems. 
++ `L` - Sets the FS label ++ `l` - Displays the FS label ++ `U` - Sets the FS UUID + + `clear` - clear the filesystem UUID + + `random` - generate a new randomly-generated UUID + + `time` - generate a new time-based UUID + +--- + +**📌 EXAM TIP:** *Use `man fs` for an overview of the filesystems shown here* + +--- +[⬅️ Back](5-Create-and-configure-file-systems.md) diff --git a/markdown/5-Create-and-configure-file-systems/5b-mount-and-unmount-network-file-systems-using-nfs.md b/markdown/5-Create-and-configure-file-systems/5b-mount-and-unmount-network-file-systems-using-nfs.md new file mode 100644 index 0000000..42a1d45 --- /dev/null +++ b/markdown/5-Create-and-configure-file-systems/5b-mount-and-unmount-network-file-systems-using-nfs.md 
@@ -0,0 +1,295 @@ +# 5.b Mount and unmount network file systems using NFS + +## Definition + +Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems (Sun) in 1984,[1] allowing a user on a client computer to access files over a computer network much like local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. + +**Commands and Man Pages:** ++ nfs (5) - fstab format and options for the nfs file systems ++ exports (5) - NFS server export table ++ exportfs (8) - maintain table of exported NFS file systems ++ showmount (8) - show mount information for an NFS server ++ mount.nfs (8) - mount a Network File System ++ auto.master (5) - Master Map for automounter consulted by autofs ++ autofs (5) - Format of the automounter maps ++ autofs (8) - Service control for the automounter ++ autofs.conf (5) - autofs configuration + +**📝 NOTES** ++ Make sure both client and server has `nfs-utils` installed ++ Avoid disabling the `no_root_squash` option (it's enabled by default and changes ownership of files from 'root' to 'nobody') + +## Simple NFS Setup (fstab) + +### On the Server + +Install NFS on the server + + # dnf install -y nfs-utils + +Add firewall rule for nfs, rpc-bind and mountd and reload + + # firewall-cmd --permanent --add-service=nfs --add-service=rpc-bind --add-service=mountd + success + + # firewall-cmd --reload + success + +Create directory and setup permission + + # mkdir /nfs/fstab + # chmod 777 /nfs/fstab + +Edit `/etc/exports` + + /nfs/fstab *(rw) + +**📌 EXAM TIP:** *If you can't remember the format for `/etc/exports` take a look at the examples at the end of `man exports`.* + +Setup SELinux for NFS + + # setsebool -P nfs_export_all_rw on + +Enable and start the service (this also starts 'rpcbind') + + # systemctl enable --now nfs-server + +Run `exportfs -a` to update the NFS table and then run `showmount -e` to list the mounts + + # 
exportfs -a + + # showmount -e localhost + Export list for localhost: + /nfs/fstab * + +**Additional Info on 'exportfs'** + +> The exportfs command maintains the current table of exports for the NFS server. The master export table is kept in a file named /var/lib/nfs/etab. This file is read by rpc.mountd when a client sends an NFS MOUNT request. +> +> Normally the master export table is initialized with the contents of /etc/exports and files under /etc/exports.d by invoking exportfs -a. However, a system administrator can choose to add or delete exports without modifying /etc/exports or files under /etc/exports.d by using the exportfs command. + +### On the Client + +Install `nfs-utils` if needed + + # dnf install -y nfs-utils + +Enable and `rpcbind` + + # systemctl enable --now rpcbind + +Check that you can see the mount from the server with 'showmount -e [server_IP]' + + # showmount -e [server_IP] + +Create the mount point + + # mkdir -p /mnt/nfs/fstab + +Mount the share + + # mount -t nfs [server_IP]:[server_path] [mount_path] + +#### Making the mount permanent + +Unmount the share + +Add it to `/etc/fstab` + + # NFS Mount + 10.0.2.15:/nfs/fstab /mnt/nfs/fstab nfs defaults 0 2 + +Muount it + + # mount -a + +Check that it was mounted + + # df -h | grep nfs + 10.0.2.15:/nfs/fstab 29G 2.5G 27G 9% /mnt/nfs/fstab + +#### Additional Info + +**Options:** ++ `no_root_squash` - Allows root users on client computers to have root access on the server. Mount requests for root are not be mounted to the anonymous user. This option is needed for diskless clients. ++ `root_squash` - Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids or gids that might be equally sensitive, such as user bin or group staff. + +## Configuring AutoFS + +The configuration for autofs is done on the client. We will be configuring both indirect and direct maps, as well as the use of variables (like when setting autofs for the `$HOME` of users). 
+ +The main advantage of indirect map is that changes made to the map file are loaded automatically, while changes made to a direct map require a service reload. + +**📝 NOTE:** *For the server configuration on all 3 examples, it's assumed that firewall services have been enabled and that the SELinux NFS RW boolean is also enabled.* + +### Indirect + +With indirect map we edit the master map file (`/etc/auto.master`) and specify a root mount point and a map file. In the map file we can specify one of more mount with options. + +#### On the server + +Let's create a new share on the server so we don't have to change our previous work + + # mkdir /nfs/auto_indirect + + # chmod 777 /nfs/auto_indirect + + # echo -e "/nfs/auto_indirect\t\t*(rw)" >> /etc/exports + + # systemctl reload nfs-server.service + + # exportfs -a + +#### Client + +Install autofs + + # yum install autofs + +Create the base mount point + + # mkdir /mnt/nfs/autofs + +Modify `/etc/auto.master` + + /mnt/nfs/autofs /etc/auto.nfs --timeout 60 + | | |- optional + | |- Map file location + |- Root mount point on client (should exist) + +**📌 EXAM TIP:** *If you can't remember the format look at the example at the end of `man auto.master`* + +Next, create the indirect map file by adding the following line to `/etc/auto.nfs` + + auto_indirect -fstype=nfs,rw 10.0.2.15:/nfs/auto_indirect + | | | |- Share + | | |- Server + | |- Additional parameters + |- Subfolder of mount point (should not exist) + +**📌 EXAM TIP:** *If you can't remember the format look at the example at the end of `man 5 autofs`* + +Enable and start the autofs service + + # systemctl enable --now autofs.service + +Check if you can browse to the subfolder `/mnt/nfs/autofs/auto_indirect`. The folder only gets created when you browse to it. Once the connection is stale the share is unmounted and the folder is removed. 
+ +### Direct + +With direct we still specify a map file in the master map file, but the full mount point is specified in the map file. + +Direct maps are specified with a `/-` in the master file. + +#### On the server + +Let's create a new share on the server + + # mkdir /nfs/auto_direct + + # chmod 777 /nfs/auto_direct + + # echo -e "/nfs/auto_direct\t\t*(rw)" >> /etc/exports + + # systemctl reload nfs-server.service + + # exportfs -a + +#### Client + +We already have the base folder + + # ls -l /mnt/nfs/autofs + +Modify `/etc/auto.master` and set the key to `/-` (tells auto.master that it's a direct file), and add the map file location (`/etc/auto.direct`) + + /- /etc/auto.direct + +In the auto.direct file we add the full local path, options and remote host and remote share + + /mnt/nfs/autofs/auto_direct -fstype=nfs,rw 10.0.2.15:/nfs/auto_direct + +Restart the autofs service and try to browse to the folder + + # systemctl restart autofs.service + + # cd /mnt/nfs/autofs/auto_direct + +We can check all 3 mounts (from all 3 exercises) + + # df | grep nfs + 10.0.2.15:/nfs/fstab 30320256 2583936 27736320 9% /mnt/nfs/fstab + 10.0.2.15:/nfs/auto_direct 30320256 2583936 27736320 9% /mnt/nfs/autofs/auto_direct + 10.0.2.15:/nfs/auto_indirect 30320256 2583936 27736320 9% /mnt/nfs/autofs/auto_indirect + +### Mounting Home + +Another good example of auto mount is configuring remote folders for users. Here's how we can do that. + +#### On the server + +Let's create a new user on the server and specify the UID + + # useradd -u 1001 user1 + +Now let's create a new share + + # mkdir /nfs/home + +Change the permission of the folder + + # chmod 777 /nfs/home + +Copy the user's home folder (we cold also have specified the home folder when creating the new user with `useradd -u 1001 -d /nfs/home/user1 user1`) + + # cp -a /home/user1 /nfs/home/. 
+ +Add our share to `/etc/exports` + + # echo -e "/nfs/home\t\t*(rw)" >> /etc/exports + +Reload the service + + # systemctl reload nfs-server.service + +Update the nfs table + + # exportfs -a + + +#### Client + +Create the mount + + # mkdir /mnt/nfs/home + +Add the user with the same UID (we don't need to create a home folder) + + # useradd -M -u 1001 user1 + +Now we need to modify the user so his home is at `/mnt/nfs/home`. We can do that by changing `/etc/passwd` + + user1:x:1001:1001::/mnt/nfs/home/user1:/bin/bash + |change this section| + +Add the config tothe master map file using `/etc/auto.home` as the map file + + /mnt/nfs/home /etc/auto.home + +Create the map file. Note that we are using a wild card (`*`) for the mount path, and a variable (`&`) for the remote path. The variable points to the user asking for the mount + + * -fstype=nfs,rw 10.0.2.15:/nfs/home/& + +Restart the autofs service + + # systemctl restart autofs.service + +Try to login as the user and see if it works + + # su - user1 + + $ pwd + /mnt/nfs/home/user1 + +--- +[⬅️ Back](5-Create-and-configure-file-systems.md) diff --git a/markdown/5-Create-and-configure-file-systems/5c-extend-existing-logical-volumes.md b/markdown/5-Create-and-configure-file-systems/5c-extend-existing-logical-volumes.md new file mode 100644 index 0000000..96bc6e3 --- /dev/null +++ b/markdown/5-Create-and-configure-file-systems/5c-extend-existing-logical-volumes.md 
@@ -0,0 +1,191 @@ +# 5.c Extend existing logical volumes + +**This topic includes:** ++ Resizing logical volumes ++ Resizing filesystem + + xfs + + ext4 + +**Commands:** ++ lvextend (8) - Add space to a logical volume ++ lvresize (8) - Resize a logical volume ++ lvreduce (8) - Reduce the size of a logical volume + + +## Logical Volumes + +### Extending a Logical Volume + +`lvextend` adds space to a logical volume. The space needs to be available in the volume group. + +When extending Logical Volumes, you do not need to unmount the partition (however you will need to extend the file system afterwards, or if the filesystems supports, use the '-r' flag to automatically resize the filesystem). + +Checking for available space + +Use `vgs` to see the available space of the volume group + + # vgs vg1 + VG #PV #LV #SN Attr VSize VFree + vg1 3 1 0 wz--n- <8.99g <4.99g + | |- Available VG space (not allocated to a LV) + |- Total size of VG + +You can use `lvs` to confirm that the LV is using the difference of the previous values + + # lvs vg1 + LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert + lv1 vg1 -wi-a----- 4.00g + +Or just use `vgdisplay` and check the PE sizes + + # vgdisplay vg1 | grep 'PE /' + Alloc PE / Size 1024 / 4.00 GiB + Free PE / Size 1277 / <4.99 GiB + +### Extending the Logical Volume + +Extend volume to specified size (k/m/g) + + # lvextend -L6G /dev/vg1/lv1 + Size of logical volume vg1/lv1 changed from 5.39 GiB (1381 extents) to 6.00 GiB (1536 extents). + Logical volume vg1/lv1 successfully resized. + +Extend the volume by 1GB + + # lvextend -L+1G /dev/vg1/lv1 + Size of logical volume vg1/lv1 changed from 6.00 GiB (1536 extents) to 7.00 GiB (1792 extents). + Logical volume vg1/lv1 successfully resized. + +Extend for the full available space in the VG + + # lvextend -l +100%FREE /dev/vg1/lv1 + Size of logical volume vg1/lv1 changed from 7.00 GiB (1792 extents) to <8.99 GiB (2301 extents). + Logical volume vg1/lv1 successfully resized. 
+ +**⚠️ WARNING:** _`lvextend -l +100%FREE /dev/vg1/lv1` (without the plus size) will not work_ + +Extend to the percentage of the VG (60% or 8.99 = 5.394) + + # lvextend -l 60%VG /dev/vg1/lv1 + Size of logical volume vg1/lv1 changed from 4.00 GiB (1024 extents) to 5.39 GiB (1381 extents). + Logical volume vg1/lv1 successfully resized. + +You can also use the 'PE' size + + # lvextend -l +1740 /dev/RHCSA/pinehead + Size of logical volume RHCSA/pinehead changed from <3.20 GiB (818 extents) to 9.99 GiB (2558 extents). + Logical volume RHCSA/pinehead successfully resized. + +**📝 NOTE:** *The 'r' option will attempt to resize the filesystem (if possible)* + +### Shrinking a Logical Volume + +Be careful when reducing an LV's size, because data in the reduced area is lost. Ensure that any file system on the LV is resized before running lvreduce so that the removed extents are not in use by the file system. + +You can use two commands to shrink a logical volume: ++ `lvreduce` reduces the size of an LV. The freed logical extents are returned to the VG to be used by other LVs. ++ `lvresize` resizes an LV in the same way as `lvextend` and `lvreduce`. + +Shrink a logical volume by 2GB + + # lvresize -L-2G /dev/vg1/lv1 + WARNING: Reducing active logical volume to <6.99 GiB. + THIS MAY DESTROY YOUR DATA (filesystem etc.) + Do you really want to reduce vg1/lv1? [y/n]: y + Size of logical volume vg1/lv1 changed from <8.99 GiB (2301 extents) to <6.99 GiB (1789 extents). + Logical volume vg1/lv1 successfully resized. + +Shrink a logical volume to 30% of the volume group size + + # lvreduce -l 30%VG /dev/vg1/lv1 + WARNING: Reducing active logical volume to <2.70 GiB. + THIS MAY DESTROY YOUR DATA (filesystem etc.) + Do you really want to reduce vg1/lv1? [y/n]: y + Size of logical volume vg1/lv1 changed from <6.99 GiB (1789 extents) to <2.70 GiB (691 extents). + Logical volume vg1/lv1 successfully resized. 
+ +## Filesystems + +**Commands:** ++ xfs_growfs (8) - expand an XFS filesystem ++ resize2fs (8) - ext2/ext3/ext4 file system resizer + +After extending the logical volume, if you did not use the `-r` option you will need to extend the filesystem manually. + +### Extending XFS Filesystems + +Check the size of the logical volume with 'lvs' or 'fdisk' + + # vgs vg2 + VG #PV #LV #SN Attr VSize VFree + vg2 3 1 0 wz--n- <6.99g 0 + + # fdisk -l /dev/vg2/xfs + Disk /dev/vg2/xfs: 7 GiB, 7503609856 bytes, 14655488 sectors + Units: sectors of 1 * 512 = 512 bytes + Sector size (logical/physical): 512 bytes / 512 bytes + I/O size (minimum/optimal): 512 bytes / 512 bytes + +Compare it to the filesystem size with 'df' + + # df -hT /mnt/xfs + Filesystem Type Size Used Avail Use% Mounted on + /dev/mapper/vg2-xfs xfs 6.0G 75M 6.0G 2% /mnt/xfs + +Resize the filesystem with 'xfs_growfs' by giving the mount point + + # xfs_growfs /mnt/xfs + meta-data=/dev/mapper/vg2-xfs isize=512 agcount=4, agsize=392704 blks + = sectsz=512 attr=2, projid32bit=1 + = crc=1 finobt=1, sparse=1, rmapbt=0 + = reflink=1 + data = bsize=4096 blocks=1570816, imaxpct=25 + = sunit=0 swidth=0 blks + naming =version 2 bsize=4096 ascii-ci=0, ftype=1 + log =internal log bsize=4096 blocks=2560, version=2 + = sectsz=512 sunit=0 blks, lazy-count=1 + realtime =none extsz=4096 blocks=0, rtextents=0 + data blocks changed from 1570816 to 1831936 + +Confirm that it has changed + + # df -hT /mnt/xfs + Filesystem Type Size Used Avail Use% Mounted on + /dev/mapper/vg2-xfs xfs 7.0G 83M 6.9G 2% /mnt/xfs + +### Extending EXT4 Filesystems + +Check the size of the logical volume with 'lvs' or 'fdisk' + + # lvs vg1 + LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert + ext4 vg1 -wi-ao---- <6.99g + + # fdisk -l /dev/vg1/ext4 + Disk /dev/vg1/ext4: 7 GiB, 7503609856 bytes, 14655488 sectors + Units: sectors of 1 * 512 = 512 bytes + Sector size (logical/physical): 512 bytes / 512 bytes + I/O size (minimum/optimal): 512 
bytes / 512 bytes + +Compare it to the filesystem size with 'df' + + # df -hT /mnt/ext4/ + Filesystem Type Size Used Avail Use% Mounted on + /dev/mapper/vg1-ext4 ext4 5.9G 24M 5.5G 1% /mnt/ext4 + +Resize the filesystem with 'resize2fs' by giving the device name + + # resize2fs /dev/mapper/vg1-ext4 + resize2fs 1.45.6 (20-Mar-2020) + Filesystem at /dev/mapper/vg1-ext4 is mounted on /mnt/ext4; on-line resizing required + old_desc_blocks = 1, new_desc_blocks = 1 + The filesystem on /dev/mapper/vg1-ext4 is now 1831936 (4k) blocks long. + +Confirm that it has changed + + # df -hT /mnt/ext4 + Filesystem Type Size Used Avail Use% Mounted on + /dev/mapper/vg1-ext4 ext4 6.9G 27M 6.5G 1% /mnt/ext4 + +--- +[⬅️ Back](5-Create-and-configure-file-systems.md) diff --git a/markdown/5-Create-and-configure-file-systems/5d-create-and-configure-set-gid-directories-for-collaboration.md b/markdown/5-Create-and-configure-file-systems/5d-create-and-configure-set-gid-directories-for-collaboration.md new file mode 100644 index 0000000..40d906b --- /dev/null +++ b/markdown/5-Create-and-configure-file-systems/5d-create-and-configure-set-gid-directories-for-collaboration.md 
@@ -0,0 +1,61 @@ +# 5.d Create and configure set-GID directories for collaboration + +This includes setting SGID and adding users to the same group. + +**Commands:** ++ chmod (1) - change file mode bits ++ usermod (8) - modify a user account ++ useradd (8) - create a new user or update default new user information + + +## SGID - Set-group identification + +SGID permission is similar to the SUID permission, only difference is – when the script or command with SGID on is run, it runs as if it were a member of the same group in which the file is a member. + +We can use SGID to allow for collaboration in a folder. When new files are created it will + + rwxr-sr-- + +Setting SGID + + # chmod g+s [file] + -rwxr-sr--. 1 root root 0 Mar 16 21:48 test + + # chmod 2754 [file] + -rwxr-sr--. 1 root root 0 Mar 16 21:48 test + +**📝 NOTE:** *A capital 'S' (`-rwxr-Sr--`) indicates that the execute bit is not set* + +## Setting a collaboration folder + +Create the group + + # groupadd collab + +Create two users + + # useradd -u 1001 user1 + # useradd -u 1002 user2 + +Add the two users to the group + + # gpasswd -a user1 collab + + # gpasswd -a user2 collab + +Create the folder + + # mkdir /mnt/collab + +Change the ownership + + # chown root.collab /mnt/collab + +Set group write and SGID on the folder + + # chmod g+ws /mnt/collab + +Login as the two users and create files in the folder. You should be able to have full access to all the files in the folder as any of the two users. + +--- +[⬅️ Back](5-Create-and-configure-file-systems.md) diff --git a/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression.md b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression.md new file mode 100644 index 0000000..3b82722 --- /dev/null +++ b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression.md 
@@ -0,0 +1,242 @@ +# 5e-configure-disk-compression + +## Definition + +Virtual Data Optimizer (VDO) provides inline data reduction for Linux in the form of deduplication, compression, and thin provisioning. When you set up a VDO volume, you specify a block device on which to construct your VDO volume and the amount of logical storage you plan to present. + +In the Red Hat Enterprise Linux 7.5 Beta, we introduced virtual data optimizer (VDO). VDO is a kernel module that can save disk space and reduce replication bandwidth. VDO sits on top of any block storage device and provides zero-block elimination, deduplication of redundant blocks, and data compression. + +VDO can be applied to a block device, and then normal disk operations can be applied to that device. LVM for example, can sit on top of VDO. + +Physical disk -> VDO -> Volume group -> Logical volume -> filesystem + +![](5e-configure-disk-compression/image.png) + +## Requirements and Recommendations + +### Memory + +Each VDO volume has two distinct memory requirements: + +The VDO module + +VDO requires 370 MB of RAM plus an additional 268 MB per each 1 TB of physical storage managed by the volume. + +The Universal Deduplication Service (UDS) index + +UDS requires a minimum of 250 MB of DRAM, which is also the default amount that deduplication uses. + +The memory required for the UDS index is determined by the index type and the required size of the de-duplication window: + +![](5e-configure-disk-compression/image2png) + +**📝 NOTE:** *Sparse is the recommended configuration.* + +### Storage + +#### Logical Size + +Specifies the logical VDO volume size. The VDO Logical Size is how much storage we tell the OS that we have. Because of reduction and deduplication, this number will be bigger than the real physical size. This ratio will vary according to the type of data that is being stored (binary, video, audio, compressed data will have a very low ratio). 
+ +##### Red Hat's Recommendation + +_**For active VMs or container storage**_ + +Use logical size that is ten times the physical size of your block device. For example, if your block device is 1TB in size, use 10T here. + +_**For object storage**_ + +Use logical size that is three times the physical size of your block device. For example, if your block device is 1TB in size, use 3T here. + +#### Slab Size + +Specifies the size of the increment by which a VDO is grown. All of the slabs for a given volume will be of the same size, which may be any power of 2 multiple of 128 MB up to 32 GB. At least one entire slab is reserved by VDO for metadata, and therefore cannot be used for storing user data. + +The default slab size is 2 GB in order to facilitate evaluating VDO on smaller test systems. A single VDO volume may have up to 8096 slabs. Therefore, in the default configuration with 2 GB slabs, the maximum allowed physical storage is 16 TB. When using 32 GB slabs, the maximum allowed physical storage is 256 TB. + +![](5e-configure-disk-compression/image3.png) +_The table above is from RHEL 7 documentation_ + +#### Examples of VDO System Requirements by Physical Volume Size + +The following tables provide approximate system requirements of VDO based on the size of the underlying physical volume. Each table lists requirements appropriate to the intended deployment, such as primary storage or backup storage. + +![](5e-configure-disk-compression/image4.png) + +![](5e-configure-disk-compression/image5.png) + +### Deduplication, Indexing and Compression + +#### Deduplication and Index + +VDO uses a high-performance deduplication index called UDS to detect duplicate blocks of data as they are being stored. + +The UDS index provides the foundation of the VDO product. For each new piece of data, it quickly determines if that piece is identical to any previously stored piece of data. 
If the index finds match, the storage system can then internally reference the existing item to avoid storing the same information more than once. + +Deduplication is enabled by default. + +To disable deduplication during VDO block creation (so only compression is used), use the `--deduplication=disabled` option (you will not be able to use the 'sparseIndex' option) + + # vdo create --name=[name] --device=/dev/[device] --vdoLogicalSize=[VDO logical size] --deduplication=disabled + +To enable/disable deduplication on an existing block + + # vdo enableDeduplication --name=my_vdo + + # vdo disableDeduplication --name=my_vdo + +#### Compression + +In addition to block-level deduplication, VDO also provides inline block-level compression using the HIOPS Compression™ technology. + +VDO volume compression is on by default. + +Compression operates on blocks that have not been identified as duplicates. When unique data is seen for the first time, it is compressed. Subsequent copies of data that have already been stored are deduplicated without requiring an additional compression step. + +### Write Policy + +VDO supports different write modes. These modes can be set with `--writePolicy=policy`. The write policy can be specified during the creation of a VDO, or when modifying an existing VDO volume with the `changeWritePolicy` subcommand. + +- `sync` - Writes are acknowledged only after the data is guaranteed to persist. +- `async` - Writes are acknowledged when the data has been cached for writing to the underlying storage. Data which has not been flushed is not guaranteed to persist in this mode, however this mode is ACID compliant (after recovery from a crash any unflushed write is guaranteed either to have persisted all its data, or to have done nothing). Most databases and filesystems should use this mode. +- `async-unsafe` - Writes are handled like 'async' but there is no guarantee of the atomicity async provides. 
This mode should only be used for better performance when atomicity is not required. +- `auto` - VDO will check the storage device and determine whether it supports flushes. If it does, VDO will run in async mode, otherwise it will run in sync mode. This is the default. + +Setting the write policy when creating a VDO + + # vdo create --name=[name] --device=/dev/[device] --vdoLogicalSize=[VDO logical size] --writePolicy=sync + +Changing the write policy on an existing VDO + + # vdo changeWritePolicy --writePolicy=sync --name=[name] + +### Automatic Mounting + +[RHEL > 8 > Deduplicating and compressing storage > Chapter 1. Deploying VDO > 1.9 Mounting a VDO volume](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deduplicating_and_compressing_storage/deploying-vdo_deduplicating-and-compressing-storage#mounting-a-vdo-volume_deploying-vdo) + +Like more other filesystems, there are two ways to mount filesystems (on top of VDO blocks) automatically during system startup: either via `/etc/fstab`, or adding a mount unit to systemd (on systemd-based systems). + +For `/etc/fstab` mounting, in order to make sure the mount waits for the VDO service to start, use the mount option `x-systemd.requires=vdo.service`. For example, an `/etc/fstab` line involving VDO could be the following: + + /dev/mapper/vdo0 /vdo xfs defaults,discard,_netdev,x-systemd.device-timeout=0,x-systemd.requires=vdo.service 0 0 + +To add a mount it via systemd, modify the example in `/usr/share/doc/vdo/examples/systemd/VDO.mount.example` to match your mount point and configuration, and add it to `/etc/systemd/system` (and enabled/start it). + +For the exam, see man pages for 'systemd.mount': + + _netdev + Normally the file system type is used to determine if a mount is a "network mount", i.e. if + it should only be started after the network is available. 
Using this option overrides this + detection and specifies that the mount requires network + + x-systemd.device-timeout= + Configure how long systemd should wait for a device to show up before + giving up on an entry from /etc/fstab. Specify a time in seconds or + explicitly append a unit such as "s", "min", "h", "ms". + + x-systemd.requires= + Configures a Requires= and an After= dependency between the created mount + unit and another systemd unit, such as a device or mount unit. + +## Overview of Configuration + +Install 'vdo' (and if not installed by default 'kmod-vdo') + + # yum install vdo kmod-vdo + +Start/enable the service + + # systemctl enable --now vdo.service + +Create the volume + + # vdo create --name=vdo1 --device=/dev/sdg --vdoLogicalSize=30G + Creating VDO vdo1 + The VDO volume can address 6 GB in 3 data slabs, each 2 GB. + It can grow to address at most 16 TB of physical storage in 8192 slabs. + If a larger maximum size might be needed, use bigger slabs. + Starting VDO vdo1 + Starting compression on VDO vdo1 + VDO instance 0 volume is ready at /dev/mapper/vdo1 + +**📝 NOTE:** *Using `--sparseIndex=disabled` will enable 'dense' indexing* + +Optionally add LVM config, + + # pvcreate /dev/mapper/vdo1 + Physical volume "/dev/mapper/vdo1" successfully created. + + # vgcreate vdo1 /dev/mapper/vdo1 + Volume group "vdo1" successfully created + + # lvcreate -l +100%FREE -n vdo1 vdo1 + Logical volume "vdo1" created. + +Create the file system (make sure to use the option to not discard blocks) + +> Normally, when a filesystem is created, it runs a trim operation on the device. When using VDO, this is not ideal since the disk capacity is allocated on-demand. So we want to tell mkfs to not discard blocks during filesystem creation. For XFS, use the -K option, and for EXT4, use “-E nodiscard”. + +**📝 NOTE:** *We specify `nodiscard` when creating the filesystem on top of VDO. 
However, for mounting, as shown on `/usr/share/doc/vdo/examples/systemd/VDO.mount.example`, we the `discard` option.* + + # mkfs.ext4 -E nodiscard [LV Path|VDO dev mapper] + + # mkfs.xfs -K [LV Path|VDO dev mapper] + +If needed, update the system with the new device + + # udevadm settle + +Mount the device + + # mount [LV Path|VDO dev mapper] /mount/point + +To add it to `/etc/fstab`. As we mentioned before, you will need to add additional params so that systemd waits for VDO to start before mounting + + [LV Path|VDO dev mapper] /mount/point [fstype] defaults,discard,_netdev,x-systemd.device-timeout=0,x-systemd.requires=vdo.service 0 2 + +## Administration + +Check for real physical space usage + + # vdostats --human-readable + + Device Size Used Available Use% Space Saving% + /dev/mapper/my_vdo 1.8T 407.9G 1.4T 22% 21% + +And you can view detailed information with 'vdo status' + + # vdo status + +## Extending VDO Disks + +**📝 NOTE:** *You cannot shrink the physical size of a VDO volume* + +Check the VDO logical size (with 'df') and what VDO is actually configured with (`vdostats --human-readable`). + +#### Grow Physical + +Grow the VDO to its maximum size. This requires growing of the physical disk and due to the complexity it most likely will not show in the exam. + + # vdo growPhysical --name=[VDO name] + +#### Grow Logical + +If you have found that the compression or de-duplication of data was better than planned for you can increase the vdoLogicalSize of a device allowing VDO to show more space to the filesystem. 
+ + # vdo growLogical --name=[VDO name] -vdoLogicalsize=[size] + +Extend the file system (`xfs_growfs`, `resize2fs`) + +--- + +### Additional Info + +See `/usr/share/doc/vdo/` for additional information + +**References:** ++ https://www.linuxsysadmins.com/setting-up-virtual-data-optimizer-on-centos/ ++ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/system_design_guide/deduplicating_and_compressing_storage#deploying-vdo_system-design-guide ++ https://www.theurbanpenguin.com/vdo-data-optimizer/ + +--- +[⬅️ Back](5-Create-and-configure-file-systems.md) diff --git a/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image.png b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image.png new file mode 100644 index 0000000..cf70f92 Binary files /dev/null and b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image.png differ diff --git a/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image2.png b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image2.png new file mode 100644 index 0000000..c92ae77 Binary files /dev/null and b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image2.png differ diff --git a/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image3.png b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image3.png new file mode 100644 index 0000000..0c8f47f Binary files /dev/null and b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image3.png differ diff --git a/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image4.png b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image4.png new file mode 100644 index 0000000..2e2d374 Binary files /dev/null and b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image4.png differ 
diff --git a/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image5.png b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image5.png new file mode 100644 index 0000000..38733e8 Binary files /dev/null and b/markdown/5-Create-and-configure-file-systems/5e-configure-disk-compression/image5.png differ diff --git a/markdown/5-Create-and-configure-file-systems/5f-manage-layered-storage.md b/markdown/5-Create-and-configure-file-systems/5f-manage-layered-storage.md new file mode 100644 index 0000000..61ec90d --- /dev/null +++ b/markdown/5-Create-and-configure-file-systems/5f-manage-layered-storage.md 
@@ -0,0 +1,169 @@ +# 5.f Manage layered storage + +[RHEL > 8 > Managing storage devices > Chapter 19. Managing layered local storage with Stratis](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_storage_devices/managing-layered-local-storage-with-stratis_managing-storage-devices) + +## Stratis Definition + +Stratis automates the management of local storage. On a system with just a single disk, Stratis can make it more convenient to logically separate /home from /usr, and enable snapshot with rollback on each separately. On larger configurations, Stratis can make it easier to create a multi-disk, multi-tiered storage pool, monitor the pool, and then manage the pool with less administrator effort. + +Stratis is not a traditional filesystem like ext4, XFS, or FAT32. Stratis manages block devices and filesystems to support features akin to “volume-managing filesystems” (VMFs) like ZFS and Btrfs. Whereas a traditional filesystem acts to support directory and file operations on top of a single block device, VMFs can incorporate multiple block devices into a “pool”. Multiple independent filesystems can be created, each backed by the storage pool. 
+ +![](5f-manage-layered-storage/image.png) + +### Supported block devices + +Stratis pools have been tested to work on these types of block devices: ++ LUKS ++ LVM logical volumes ++ MD RAID ++ DM Multipath ++ iSCSI ++ HDDs and SSDs ++ NVMe devices + +## Commands and Usage + +### Getting Started + +Install `stratid` and `stratis-cli` + + # dnf install -y stratis-cli stratisd + +Enable and start the service + + # systemctl enable --now stratisd.service + +### Pool + +Create pool named 'pool1' + + # stratis pool create pool1 /dev/sdd /dev/sde + +List pool + + # stratis pool list + Name Total Physical Properties + pool1 6 GiB / 41.63 MiB / 5.96 GiB ~Ca,~Cr + +List devices in pool + + # stratis blockdev list + Pool Name Device Node Physical Size Tier + pool1 /dev/sdd 3 GiB Data + pool1 /dev/sde 3 GiB Data + +Add device to pool + + # stratis pool add-data pool1 /dev/sde + +Delete the pool + + # stratis pool destroy pool1 + +### Filesystem + +Create a filesystem labelled 'fs1' on 'pool1' + + # stratis fs create pool1 fs1 + +When we create a new filesystem, stratis formats it with XFS and we do not specify the size. The filesystem acts as a Thin LVM Volume that can dynamically grow to the Pool Size (we only use the space that we need). Each new filesystem will use close to 500MiB of storage space for the XFS log. 
+ +List the filesystem + + # stratis fs list + Pool Name Name Used Created Device UUID + pool1 fs1 546 MiB Nov 21 2020 21:06 /stratis/pool1/fs1 0b685a81af254ec38688c4d3bc3523f1 + +Delete the filesystem + + # stratis fs destroy pool1 fs1 + +### Snapshots + +#### Creating Snapshots + +Create a snapshot + + # stratis fs snapshot pool1 fs1 snapshot_$(date '+%Y%m%d_%H%M') + +List snapshots + + # stratis fs list + Pool Name Name Used Created Device UUID + pool1 fs1 546 MiB Nov 21 2020 21:06 /stratis/pool1/fs1 0b685a81af254ec38688c4d3bc3523f1 + pool1 snapshot_20201121_2117 546 MiB Nov 21 2020 21:17 /stratis/pool1/snapshot_20201121_2117 bf903b2f29b54a579c5e0b4947a536f0 + +**📝 NOTE:** *You can mount the snapshot independently* + +#### Restoring a snapshot + +Optionally, back up the current state of the file system to be able to access it later + + # stratis filesystem snapshot pool1 fs1 fs1-backup + +Unmount and remove the original file system: + + # umount /stratis/pool1/fs1 + + # stratis filesystem destroy pool1 fs1 + +Create a copy of the snapshot under the name of the original file system: + + # stratis filesystem snapshot pool1 snapshot_20201121_2117 fs1 + +Mount the snapshot, which is now accessible with the same name as the original file system: + + # mount /stratis/pool1/fs1 [mount-point] + +Deleting a snapshot + + # stratis fs destroy snapshot pool1 snapshot_20201121_2117 + +## Overview of All Steps + +Start by Installing Stratis + + # dnf install -y stratis-cli stratisd + +Start and enable the service + + # systemctl enable --now stratisd.service + +Create the pool + + # stratis pool create pool1 /dev/sdd /dev/sde + +Create the filesystem + + # stratis fs create pool1 fs1 + +Get the UUID and mount the filesystem (assuming the mount point exists) + + # blkid | grep stratis + /dev/sde: UUID="aee3ff3fd5224f83a2241a70fd77d7ae" POOL_UUID="1225651149d040bdbbfdc74135f075e1" BLOCKDEV_SECTORS="6291456" BLOCKDEV_INITTIME="1606010576" TYPE="stratis" + /dev/sdd: 
UUID="5927888d9f8e46babb3587e55657cbf4" POOL_UUID="1225651149d040bdbbfdc74135f075e1" BLOCKDEV_SECTORS="6291456" BLOCKDEV_INITTIME="1606010558" TYPE="stratis" + /dev/mapper/stratis-1-1225651149d040bdbbfdc74135f075e1-thin-fs-f8cebd43c677467a847543d756685305: UUID="f8cebd43-c677-467a-8475-43d756685305" BLOCK_SIZE="512" TYPE="xfs" + +Add it to fstab + + UUID=f8cebd43-c677-467a-8475-43d756685305 /mnt/stratis xfs defaults,x-systemd.requires=stratisd.service 0 2 + +> You can use `/stratis//` but each time you rename a pool or file system you will need to update `/etc/fstab`, thus using file system UUID is recommended. + +Regenerate mount units so that your system registers the new configuration (this is in the official documentation by Red Hat, however it should not be needed as we are not using systemd mount files) + + # systemctl daemon-reload + +Try mounting the file system to verify that the configuration works + + # mount -a + +--- + +**References:** ++ https://stratis-storage.github.io/ ++ https://www.theurbanpenguin.com/stratis-storage-management/ + + +--- +[⬅️ Back](5-Create-and-configure-file-systems.md) diff --git a/markdown/5-Create-and-configure-file-systems/5f-manage-layered-storage/image.png b/markdown/5-Create-and-configure-file-systems/5f-manage-layered-storage/image.png new file mode 100644 index 0000000..c567ee2 Binary files /dev/null and b/markdown/5-Create-and-configure-file-systems/5f-manage-layered-storage/image.png differ diff --git a/markdown/5-Create-and-configure-file-systems/5g-diagnose-and-correct-file-permission-problems.md b/markdown/5-Create-and-configure-file-systems/5g-diagnose-and-correct-file-permission-problems.md new file mode 100644 index 0000000..15fbcc6 --- /dev/null +++ b/markdown/5-Create-and-configure-file-systems/5g-diagnose-and-correct-file-permission-problems.md 
@@ -0,0 +1,24 @@ +# 5.g Diagnose and correct file permission problems + +It looks like this topic includes troubleshooting around knowledge covered in the following topics: + ++ 1.Understand and use essential tools + + [1.j List, set, and change standard ugo/rwx permissions](../1-Understand-and-use-essential-tools/1j-List-set-and-change-standard-ugo_rwx-permissions.md) ++ 8.Manage users and groups + + [8.c Create, delete, and modify local groups and group memberships](../8-Manage-users-and-groups/8c-Create-delete-and-modify-local-groups-and-group-memberships.md) ++ 9.Manage security + + [9.b Create and use file access control lists](../9b-create-and-use-file-access-control-lists) + + [9.e List and identify SELinux file and process context](../9-Manage-security/9e-list-and-identify-selinux-file-and-process-context.md) + + [9.f Restore default file contexts](../9-Manage-security/9f-restore-default-file-contexts.md) + +**Commands:** ++ ls (1) - list directory contents ++ chmod (1) - change file mode bits ++ chown (1) - change file owner and group ++ groupadd (8) - create a new group ++ usermod (8) - modify a user account ++ getfacl (1) - get file access control lists ++ setfacl (1) - set file access control lists + +--- +[⬅️ Back](5-Create-and-configure-file-systems.md) diff --git a/markdown/6-deploy-configure-and-maintain-systems/6-deploy-configure-and-maintain-systems.md b/markdown/6-deploy-configure-and-maintain-systems/6-deploy-configure-and-maintain-systems.md new file mode 100644 index 0000000..3cce3c3 --- /dev/null +++ b/markdown/6-deploy-configure-and-maintain-systems/6-deploy-configure-and-maintain-systems.md 
@@ -0,0 +1,13 @@ +# 6. Deploy, configure, and maintain systems + ++ [6.a Schedule tasks using at and cron](6a-schedule-tasks-using-at-and-cron.md) ++ [6.b Start and stop services and configure services to start automatically at boot](6b-start-and-stop-services-and-configure-services-to-start-automatically-at-boot.md) ++ [6.c Configure systems to boot into a specific target automatically](6c-configure-systems-to-boot-into-a-specific-target-automatically.md) ++ [6.d Configure time service clients](6d-configure-time-service-clients.md) ++ [6.e Install and update software packages from Red Hat Network, a remote repository, or from the local file system](6e-install-and-update-software-packages-from-red-hat-network-a-remote-repository-or-from-the-local-file-system.md) ++ [6.f Work with package module streams](6f-work-with-package-module-streams.md) ++ [6.g Modify the system bootloader](6g-modify-the-system-bootloader.md) + + +--- +[⬅️ Back](../Objectives.md) diff --git a/markdown/6-deploy-configure-and-maintain-systems/6a-schedule-tasks-using-at-and-cron.md b/markdown/6-deploy-configure-and-maintain-systems/6a-schedule-tasks-using-at-and-cron.md new file mode 100644 index 0000000..8af951b --- /dev/null +++ b/markdown/6-deploy-configure-and-maintain-systems/6a-schedule-tasks-using-at-and-cron.md 
@@ -0,0 +1,177 @@ +# 6.a Schedule tasks using at and cron + +**⚠️ WARNING:** _For tasks to work, it's important that the user credentials have not expired. Use 'chage -l [user]' to check._ + + [root@rhel8 system]# chage -l root + Last password change : Nov 11, 2020 + Password expires : never + Password inactive : never + Account expires : never + Minimum number of days between password change : 0 + Maximum number of days between password change : 99999 + Number of days of warning before password expires : 7 + + +## Scheduled Tasks with 'at' + +**Commands:** +- at (1) - queue, examine or delete jobs for later execution +- atq - Lists the user's pending jobs (part of 'at') +- atrm (1) - queue, examine or delete jobs for later execution +- at.allow (5) - determine who can submit jobs via at or batch +- at.deny (5) - determine who can submit jobs via at or batch + +### Getting Started + +You might need to install 'at' + + # dnf install -y at + +Start and enable the service + + # systemctl enable --now atd.service + +### Usage + +You can feed at: +- a command +- file with commands +- script + +When you run 'at' by itself (with a timespec) it will prompt you for the commands with an interactive prompt. Use 'Ctrl+d' to exit. 
+ +**Common commands:** +- at now +1 minute - Run the job in 1 minute +- at 12:00am - Run at 12am +- atq - Shows the at job queue +- atrm [job number] - Removes the job number +- at -c [job number] - Shows the command the job is running + +#### User Control for 'at' + +at.allow, at.deny - determine who can submit jobs via at or batch +The /etc/at.allow and /etc/at.deny files determine which user can submit commands for later execution via 'at' or 'batch' + +## Cron + +**Commands:** +- cron (8) - daemon to execute scheduled commands +- cronnext (1) - time of next job cron will execute + +### Understanding the Difference Between Cron, Crontab and Anacron + +**Cron/crond** - daemon to execute scheduled commands + +**Crontab** - Crontab is the program used to install a crontab table file, remove or list the existing tables used to serve the cron(8) daemon + +**Anacron** - Anacron is used to execute commands periodically, with a frequency specified in days. Unlike cron, it does not assume that the machine is running continuously. Hence, it can be used on machines that are not running 24 hours a day to control regular jobs as daily, weekly, and monthly jobs. + +Cron checks these files and directories: +- **/etc/crontab** - System crontab. Nowadays the file is empty by default. Originally it was usually used to run daily, weekly, monthly jobs. By default these jobs are now run through anacron which reads /etc/anacrontab configuration file. See anacrontab(5) for more details. +- **/etc/cron.d/** - Directory that contains system cronjobs stored for different users. +- **/var/spool/cron** - Directory that contains user crontables created by the crontab command. 
+- **/etc/cron.hourly** - This is where cron executed Anacron from + + cron (crond.service) + ├─> /etc/crond.hourly/* + │ └─> 0anacron + │ └─> /usr/sbin/anacron -s + │ └─> /etc/anacrontab + │ ├─> run-parts -> /etc/cron.daily/* + │ ├─> run-parts -> /etc/cron.weekly/* + │ └─> run-parts -> /etc/cron.monthly/* + │ + ├─> /etc/crontab (system crontab - obsolete) + │ + ├─> /etc/cron.d/* (system cronjobs for users) + │ + └─> /var/spool/cron/ (user crontabs) + ├─> user1 + └─> user2 + +### Crontab + +**Commands:** +- crontab (1) - maintains crontab files for individual users + +**📝 NOTES** +- Variables (like PATH, SHELL and MAILTO) can be setup in the crontab file +- Jobs that are not user specific are usually added to '/etc/cron.d' and they usually include the user name + +Example crontab template + + #SHELL=/bin/bash + #PATH=/sbin:/bin:/usr/sbin:/usr/bin + #MAILTO=root + #=============================================================================== + # +--------- Minute (0-59) | Output Dumper: >/dev/null 2>&1 + # | +------- Hour (0-23) | Multiple Values Use Commas: 3,12,47 + # | | +----- Day Of Month (1-31) | Do every X intervals: */X -> Example: */15 * * * * Is every 15 minutes + # | | | +--- Month (1 -12 or Jan-Dec) | Aliases: @reboot -> Run once at startup; @hourly -> 0 * * * *; + # | | | | +- Day Of Week (0-6) (Sunday = 0) | @daily -> 0 0 * * *; @weekly -> 0 0 * * 0; @monthly ->0 0 1 * *; + # | | | | | | @yearly -> 0 0 1 1 *; + # * * * * * COMMAND | + #=============================================================================== + +To show the contents of a the crontab without editing + + # crontab -l + +Edit crontab + + # crontab -e + +To edit the crontab of another user + + # crontab -u [user] -e + +To list the crontab of another user + + # crontab -u [user] -l + +#### User Control for 'crontab' + +You can use '/etc/cron.deny' and '/etc/cron.allow' + +### Anacron + +**Commands:** +- anacron (8) - runs commands periodically +- anacrontab (5) - configuration file 
for Anacron + +Anacron is used to execute commands periodically, with a frequency specified in days. Unlike cron(8), it does not assume that the machine is running continuously. Hence, it can be used on machines that are not running 24 hours a day to control regular jobs as daily, weekly, and monthly jobs. + +Anacron reads a list of jobs from the `/etc/anacrontab` configuration file (see anacrontab(5)). This file contains the list of jobs that Anacron controls. Each job entry specifies a period in days, a delay in minutes, a unique job identifier, and a shell command + + # cat /etc/anacrontab + # /etc/anacrontab: configuration file for anacron + + # See anacron(8) and anacrontab(5) for details. + + SHELL=/bin/sh + PATH=/sbin:/bin:/usr/sbin:/usr/bin + MAILTO=root + # the maximal random delay added to the base delay of the jobs + RANDOM_DELAY=45 + # the jobs will be started during the following hours only + START_HOURS_RANGE=3-22 + + #period in days delay in minutes job-identifier command + 1 5 cron.daily nice run-parts /etc/cron.daily + 7 25 cron.weekly nice run-parts /etc/cron.weekly + @monthly 45 cron.monthly nice run-parts /etc/cron.monthly + +Run status: + + # ll /var/spool/anacron/ + total 12 + -rw-------. 1 root root 9 Mar 11 14:28 cron.daily + -rw-------. 1 root root 9 Mar 10 18:02 cron.monthly + -rw-------. 1 root root 9 Mar 10 17:42 cron.weekly + +#### Disabling Anacron + +In case you want to disable Anacron, add a line with `0anacron` which is the name of the script running the Anacron into the /etc/cron.hourly/jobs.deny file. + +--- +[⬅️ Back](6-deploy-configure-and-maintain-systems.md) diff --git a/markdown/6-deploy-configure-and-maintain-systems/6b-start-and-stop-services-and-configure-services-to-start-automatically-at-boot.md b/markdown/6-deploy-configure-and-maintain-systems/6b-start-and-stop-services-and-configure-services-to-start-automatically-at-boot.md new file mode 100644 index 0000000..25e5c58 --- /dev/null 
+++ b/markdown/6-deploy-configure-and-maintain-systems/6b-start-and-stop-services-and-configure-services-to-start-automatically-at-boot.md 
@@ -0,0 +1,35 @@ +# 6.b Start and stop services and configure services to start automatically at boot + +**Systemctl options to Know** +- status - Show terse runtime status information about one or more units +- list-unit-files - List unit files installed on the system +- list-units - List units that systemd currently has in memory +- enable - Enable one or more units or unit instances +- Remember that it creates a symlink (/etc/systemd/system/[target]/) +- disable - Disables one or more units. +- start - Start (activate) one or more units specified on the command line +- stop - Stop (deactivate) one or more units specified on the command line +- restart - Stop and then start one or more units specified on the command line +- mask - Mask one or more units, as specified on the command line +- unmask - Unmask one or more unit files, as specified on the command line +- reload - Asks all units listed on the command line to reload their configuration +- daemon-reload - Reload the systemd manager configuration +- is-enabled - Checks whether any of the specified unit files are enabled +- is-failed - Check whether any of the specified units are in a "failed" state +- cat - Show backing files of one or more units +- list-dependencies - Shows units required and wanted by the specified unit + +## Mask vs Disable + +### Disable + +Disabling the service deletes the symlink, so the unit file itself is not affected, but the service is not loaded at the next boot, when systemd reads `/etc/systemd/system`. +However, a disabled service can be loaded, and will be started if a service that depends on it is started; `enable` and `disable` only configure auto-start behaviour for units, and the state is easily overridden. + +### Mask + +A masked service is one whose unit file is a symlink to /dev/null. This makes it "impossible" to load the service, even if it is required by another, enabled service. 
+When you mask a service, a symlink is created from /etc/systemd/system to /dev/null, leaving the original unit file elsewhere untouched. When you unmask a service the symlink is deleted. + +--- +[⬅️ Back](6-deploy-configure-and-maintain-systems.md) diff --git a/markdown/6-deploy-configure-and-maintain-systems/6c-configure-systems-to-boot-into-a-specific-target-automatically.md b/markdown/6-deploy-configure-and-maintain-systems/6c-configure-systems-to-boot-into-a-specific-target-automatically.md new file mode 100644 index 0000000..3df7451 --- /dev/null +++ b/markdown/6-deploy-configure-and-maintain-systems/6c-configure-systems-to-boot-into-a-specific-target-automatically.md 
@@ -0,0 +1,52 @@ +# 6.c Configure systems to boot into a specific target automatically + +## Systemd Targets + +[RHEL 8 > Configuring basic system settings > Chapter 3. Managing services with systemd > 3.3. Working with systemd targets ](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/managing-services-with-systemd_configuring-basic-system-settings#working-with-systemd-targets_managing-services-with-systemd) + +List systemd targets + + # systemctl list-units --type=target + UNIT LOAD ACTIVE SUB DESCRIPTION + basic.target loaded active active Basic System + cryptsetup.target loaded active active Local Encrypted Volumes + getty.target loaded active active Login Prompts + graphical.target loaded active active Graphical Interface + local-fs-pre.target loaded active active Local File Systems (Pre) + local-fs.target loaded active active Local File Systems + multi-user.target loaded active active Multi-User System + network-online.target loaded active active Network is Online + network-pre.target loaded active active Network (Pre) + network.target loaded active active Network + nfs-client.target loaded active active NFS client services + nss-user-lookup.target loaded active active User and Group Name Lookups + paths.target loaded active active Paths + remote-fs-pre.target loaded active active Remote File Systems (Pre) + remote-fs.target loaded active active Remote File Systems + rpc_pipefs.target loaded active active rpc_pipefs.target + rpcbind.target loaded active active RPC Port Mapper + slices.target loaded active active Slices + sockets.target loaded active active Sockets + sound.target loaded active active Sound Card + sshd-keygen.target loaded active active sshd-keygen.target + swap.target loaded active active Swap + sysinit.target loaded active active System Initialization + timers.target loaded active active Timers + +Get current systemd target + + # systemctl get-default + graphical.target + +Set 
systemd target for next boot + + # systemctl set-default [target] + +Reboot + # systemctl reboot + +or + + # reboot +--- +[⬅️ Back](6-deploy-configure-and-maintain-systems.md) diff --git a/markdown/6-deploy-configure-and-maintain-systems/6d-configure-time-service-clients.md b/markdown/6-deploy-configure-and-maintain-systems/6d-configure-time-service-clients.md new file mode 100644 index 0000000..33bf206 --- /dev/null +++ b/markdown/6-deploy-configure-and-maintain-systems/6d-configure-time-service-clients.md 
@@ -0,0 +1,232 @@ +# 6.d Configure time service clients + +## NTP Overview + +The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. + +NTP synchronizes the clocks of computer systems. It can read the time from a reference source, then transmit the reading to one or more clients and adjust each client clock as required + +### Stratum + +Large computer networks can have many devices acting as NTP servers. Where multiple NTP sources are available, NTP clients need some way of (a) judging which time sources are likely to be the most accurate, and (b) preventing timing loops*. The NTP protocol achieves these aims by including a simple measure of the synchronisation distance from the primary time source. This is known as the Stratum level. + +Stratum 1 indicates a computer that has a true real-time reference directly connected to it (e.g. GPS, atomic clock, etc.), such computers are expected to be very close to real time. Stratum 2 computers are those which have a stratum 1 server; stratum 3 computers have a stratum 2 server and so on. A value of 10 indicates that the clock is so many hops away from a reference clock that its time is fairly unreliable. + +![](6d-configure-time-service-clients/6d-configure-time-service-clients-3f5d6.png) + +### Servers and clients + +An NTP server is a source of time information, and an NTP client is a system/device that is attempting to synchronize its clock to a server. Servers can be either a primary or secondary server + ++ A primary server receives UTC time signals directly from a very accurate source such as an atomic clock or more commonly - a GPS signal source.A secondary server receives its time signal from one or more upstream servers, and distributes its time signals to one or more downstream servers and clients. 
++ Secondary servers are arranged in a strict hierarchy in terms of upstream and downstream, and the stratum terminology is often used to assist in this process. + +### 127.127.1.0 + +127.127.1.0 is an ntpd-specific way to enable the local refclock driver (note that this is not supported in chrony and it's only here as Reference). + + +## Data and Time Commands + +### date + +Display the current time in the given FORMAT, or set the system date. + + $ date + Thu Dec 10 13:58:14 EST 2020 + +### timedatectl + +Use `timedatectl` to manage time and timezones. + +Main commands: +- `status` - Show current settings of the system clock and RTC, including whether network time synchronization through systemd-timesyncd.service is active +- `show` - Show the same information as status, but in machine readable form +- `set-time [TIME]` - Set the system clock to the specified time +- `set-timezone [TIMEZONE]` - Set the system time zone to the specified value +- `list-timezones` - List available time zones, one per line +- `set-ntp [BOOL]` - Enables/disables NTP + + # timedatectl + Local time: Mon 2020-11-23 17:27:11 EST + Universal time: Mon 2020-11-23 22:27:11 UTC + RTC time: Mon 2020-11-23 22:27:11 + Time zone: America/Toronto (EST, -0500) + System clock synchronized: no + NTP service: active + RTC in local TZ: no + +**📝NOTE:** _To use NTP the 'chrony' service needs to be running. You may also need to restart the service after enabling NTP with `timedatectl`._ + +### tzselect + +You can also use '`tzselect`' to select the timezone. This script will ask you questions through multiple menus. + + # tzselect + Please identify a location so that time zone rules can be set correctly. + Please select a continent, ocean, "coord", or "TZ". + 1) Africa + 2) Americas + 3) Antarctica + 4) Asia + 5) Atlantic Ocean + 6) Australia + 7) Europe + 8) Indian Ocean + 9) Pacific Ocean + 10) coord - I want to use geographical coordinates. 
+ 11) TZ - I want to specify the time zone using the Posix TZ format. + #? + +### hwclock + +`hwclock` is an administration tool for the time clocks. + +`hwclock` can: +- display the Hardware Clock time +- set the Hardware Clock to a specified time +- set the Hardware Clock from the System Clock +- set the System Clock from the Hardware Clock +- compensate for Hardware Clock drift +- correct the System Clock timescale +- set the kernel's timezone, NTP timescale, and epoch (Alpha only) +- predict future Hardware Clock values based on its drift rate + +### Chrony + +The Chrony daemon, chronyd, runs in the background and monitors the time and status of the time server specified in the `chrony.conf` file. If the local time needs to be adjusted, chronyd does it smoothly without the programmatic trauma that would occur if the clock were instantly reset to a new time. + +Configuration for chronyd can be made by editing `/etc/chrony.conf`. + +> **chronyd** - chronyd is a daemon for synchronisation of the system clock. It can synchronise the clockwith NTP servers, reference clocks (e.g. a GPS receiver), and manual input using wristwatchand keyboard via chronyc. + +Chrony's `chronyc` tool allows someone to monitor the current status of Chrony and make changes if necessary. The `chronyc` utility can be used as a command that accepts subcommands, or it can be used as an interactive text-mode program. 
+ +> **chronyc** - chronyc is a command-line interface program which can be used to monitor chronyd’s performance and to change various operating parameters whilst it is running + +#### Configuring chrony to use a NTP Server + +Edit '/etc/chrony.conf' and comment out the line starting with 'pool' + + # pool 2.rhel.pool.ntp.org iburst + +Add a line with 'server [hostname|ip]' after pool + + # pool 2.rhel.pool.ntp.org iburst + server 10.13.17.2 + +Restart chronyd + + # systemctl restart chronyd.service + +Use 'chronyc sources' to check that it's trying to connect to the new server + + # chronyc sources + 210 Number of sources = 4 + MS Name/IP address Stratum Poll Reach LastRx Last sample + =============================================================================== + ^- 10.13.17.2 2 6 377 41 +1987us[+1977us] +/- 41ms + +#### Syncing Chrony to the local clock + +The `local` keyword is used to allow chronyd to appear synchronized to real time from the viewpoint of clients polling it, even if it has no current synchronization source. This option is normally used on the "master" computer in an isolated network, where several computers are required to synchronize to one another, and the "master" is kept in line with real time by manual input. 
+ +##### Example isolated network configuration + +**_Master_** + +`/etc/chrony.conf` + + driftfile /var/lib/chrony/drift + commandkey 1 + keyfile /etc/chrony.keys + initstepslew 10 client1 client3 client6 + local stratum 8 + manual + allow 192.0.2.0 + +_Where 192.0.2.0 is the network or subnet address from which the clients are allowed to connect._ + +**_Slave_** + +`/etc/chrony.conf` + + server master + driftfile /var/lib/chrony/drift + logdir /var/log/chrony + log measurements statistics tracking + keyfile /etc/chrony.keys + commandkey 24 + local stratum 10 + initstepslew 20 master + allow 192.0.2.123 + +_Where 192.0.2.123 is the address of the master._ + + +#### chronyc - Common Options + +The chronyc command, when used with the tracking subcommand, provides statistics that report how far off the local system is from the reference server. + + # chronyc tracking + Reference ID : C06302AC (draco.spiderspace.co.uk) + Stratum : 3 + Ref time (UTC) : Wed Mar 11 14:24:19 2020 + System time : 0.000012882 seconds slow of NTP time + Last offset : -0.000013424 seconds + RMS offset : 0.000063391 seconds + Frequency : 17.800 ppm slow + Residual freq : -0.004 ppm + Skew : 0.380 ppm + Root delay : 0.008013672 seconds + Root dispersion : 0.003327465 seconds + Update interval : 128.2 seconds + Leap status : Normal + +The sources subcommand is also useful because it provides information about the time source configured in chrony.conf + + # chronyc sources + 210 Number of sources = 4 + MS Name/IP address Stratum Poll Reach LastRx Last sample + =============================================================================== + ^- dc1-recdns02.bellmtsdata> 2 7 377 114 -109us[ -109us] +/- 56ms + ^- 154.11.146.39 2 7 377 115 -2050us[-2050us] +/- 66ms + ^* draco.spiderspace.co.uk 2 7 377 118 -93us[ -112us] +/- 7960us + ^- ns2.switch.ca 2 7 377 115 +3974us[+3974us] +/- 50ms + +You can also get a legend with the `-v` flag + + # chronyc sources -v + 210 Number of sources = 8 + + .-- Source 
mode '^' = server, '=' = peer, '#' = local clock. + / .- Source state '*' = current synced, '+' = combined , '-' = not combined, + | / '?' = unreachable, 'x' = time may be in error, '~' = time too variable. + || .- xxxx [ yyyy ] +/- zzzz + || Reachability register (octal) -. | xxxx = adjusted offset, + || Log2(Polling interval) --. | | yyyy = measured offset, + || \ | | zzzz = estimated error. + || | | \ + MS Name/IP address Stratum Poll Reach LastRx Last sample + =============================================================================== + ^? dc1-recdns02.bellmtsdata> 0 7 0 - +0ns[ +0ns] +/- 0ns + ^* time.cloudflare.com 3 6 17 58 -690us[ +533us] +/- 20ms + ^+ time.cloudflare.com 3 6 17 58 +469us[+1294us] +/- 19ms + ^+ ntp.nyy.ca 1 6 17 58 +830us[+1878us] +/- 34ms + ^? time.cloudflare.com 0 6 0 - +0ns[ +0ns] +/- 0ns + ^? 2001:470:b2de::1 0 6 0 - +0ns[ +0ns] +/- 0ns + ^? time.cloudflare.com 0 6 0 - +0ns[ +0ns] +/- 0ns + ^? bgp-router00-van.van.the> 0 6 0 - +0ns[ +0ns] +/- 0ns + +--- + +#### Additional Info + +**See man pages for:** +- chronyd (8) - chrony daemon +- chrony.conf (5) - chronyd configuration file +- chronyc (1) - command-line interface for chrony daemon +- timedatectl (1) - Control the system time and date +- tzselect (8) - select a timezone +--- +[⬅️ Back](6-deploy-configure-and-maintain-systems.md) diff --git a/markdown/6-deploy-configure-and-maintain-systems/6d-configure-time-service-clients/6d-configure-time-service-clients-3f5d6.png b/markdown/6-deploy-configure-and-maintain-systems/6d-configure-time-service-clients/6d-configure-time-service-clients-3f5d6.png new file mode 100644 index 0000000..5f8a8d2 Binary files /dev/null and b/markdown/6-deploy-configure-and-maintain-systems/6d-configure-time-service-clients/6d-configure-time-service-clients-3f5d6.png differ 
diff --git a/markdown/6-deploy-configure-and-maintain-systems/6e-install-and-update-software-packages-from-red-hat-network-a-remote-repository-or-from-the-local-file-system.md b/markdown/6-deploy-configure-and-maintain-systems/6e-install-and-update-software-packages-from-red-hat-network-a-remote-repository-or-from-the-local-file-system.md new file mode 100644 index 0000000..a30a5d6 --- /dev/null +++ b/markdown/6-deploy-configure-and-maintain-systems/6e-install-and-update-software-packages-from-red-hat-network-a-remote-repository-or-from-the-local-file-system.md 
@@ -0,0 +1,242 @@ +# 6.e Install and update software packages from Red Hat Network, a remote repository, or from the local file system + +## Red Hat Package Manager (RPM) + +Originally how to install software on the RHEL servers, and it's still a way to manage software on the server. +Flags: +- i- Install +- U - Upgrade +- h - Progress +- v - Verbose +- e - Remove +- nodeps - Ignore dependencies +- force - Ignore errors + +## Yellowdog Updater Modified (YUM) v4 / DNF + +**📝NOTE:** _On Red Hat Enterprise Linux (RHEL) 8, installing software is ensured by the new version of the YUM tool, which is based on the DNF technology (YUM v4). The file '/bin/yum' is a symbolic link to '/bin/dnf'_ + +YUM configuration is in '/etc/yum.conf -> dnf/dnf.conf'. + +### Useful Commands + + # dnf + check-update groupinfo groupupdate list provides search whatprovides + clean groupinstall help localinstall remove shell + deplist grouplist info localupdate repolist update + erase groupremove install makecache resolvedep upgrade + +#### Search/Get Info on Packages + +Search for a package (by name and description) on enabled repos + + # dnf search chrony + Updating Subscription Management repositories. + Last metadata expiration check: 2:02:27 ago on Mon 23 Nov 2020 03:55:56 PM EST. + ===================================== Name Exactly Matched: chrony ====================================== + chrony.x86_64 : An NTP client/server + +Lists packages that match name on enabled repos or RPMDB (RPM database) + + # dnf list chrony + Updating Subscription Management repositories. + Last metadata expiration check: 2:07:31 ago on Mon 23 Nov 2020 03:55:56 PM EST. + Installed Packages + chrony.x86_64 3.5-1.el8 @anaconda + +Gets information about a package + + # dnf info chrony + Updating Subscription Management repositories. + Last metadata expiration check: 2:07:06 ago on Mon 23 Nov 2020 03:55:56 PM EST. 
+ Installed Packages + Name : chrony + Version : 3.5 + Release : 1.el8 + Architecture : x86_64 + Size : 634 k + Source : chrony-3.5-1.el8.src.rpm + Repository : @System + From repo : anaconda + Summary : An NTP client/server + URL : https://chrony.tuxfamily.org + License : GPLv2 + Description : chrony is a versatile implementation of the Network Time Protocol (NTP). + : It can synchronise the system clock with NTP servers, reference clocks + : (e.g. GPS receiver), and manual input using wristwatch and keyboard. It + : can also operate as an NTPv4 (RFC 5905) server and peer to provide a time + : service to other computers in the network. + +#### Install + +dnf can also be used to install local rpm (instead of the 'rpm' command), and it will automatically check for deps and install them. + + # dnf install ~/Downloads/tito-0.6.2-1.fc22.noarch.rpm + +You can use the 'install' command to install a repo. + + # dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm + +Install a group + + # dnf group install file-server + +#### Remove + +Removes a package + + # dnf remove chrony + +Removes a group + + # dnf group remove file-server + +#### History + +The history command allows the user to view what has happened in past transactions and act according to this information. +Show the history of transactions + + # dnf history + Updating Subscription Management repositories. 
+ ID | Command line | Date and time | Action(s) | Altered + --------------------------------------------------------------------------------------------------------- + 8 | install -y stratis-cli stratisd | 2020-11-21 20:52 | Install | 11 + 7 | install -y autofs | 2020-11-20 17:48 | Install | 1 + 6 | install -y tuna | 2020-11-16 16:32 | Install | 1 + 5 | update -y | 2020-11-14 13:41 | Upgrade | 1 + 4 | install kernel-devel elfutils-libelf-devel | 2020-11-11 13:37 | Install | 2 + 3 | groupinstall Development Tools | 2020-11-11 13:37 | Install | 1 + 2 | update | 2020-11-11 13:09 | I, U | 35 EE + 1 | | 2020-11-11 12:15 | Install | 1491 EE + +Redo the last transaction (repeats the specified transaction) + + # dnf history redo [0-9] + +Rollback the last transaction (undo all transactions performed after the specified transaction) + + # dnf history rollback [0-9] + +Undo the last transaction (removes all changes performed by the specified transaction) + + # dnf history undo [0-9] + +### Working with Repos + +Repos are configured in '/etc/yum.repos.d'. + +List repos + + # dnf repolist + Updating Subscription Management repositories. + repo id repo name + rhel-8-for-x86_64-appstream-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) + rhel-8-for-x86_64-baseos-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs) + +Get information about repos + + # dnf repoinfo + Updating Subscription Management repositories. + Last metadata expiration check: 1:55:31 ago on Mon 23 Nov 2020 03:55:56 PM EST. 
+ Repo-id : rhel-8-for-x86_64-appstream-rpms + Repo-name : Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) + Repo-revision : 1605729343 + Repo-updated : Wed 18 Nov 2020 02:55:42 PM EST + Repo-pkgs : 15,106 + Repo-available-pkgs: 13,502 + Repo-size : 33 G + Repo-baseurl : https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os + Repo-expire : 86,400 second(s) (last: Mon 23 Nov 2020 03:55:56 PM EST) + Repo-filename : /etc/yum.repos.d/redhat.repo + Repo-id : rhel-8-for-x86_64-baseos-rpms + Repo-name : Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs) + Repo-revision : 1605087736 + Repo-updated : Wed 11 Nov 2020 04:42:14 AM EST + Repo-pkgs : 6,129 + Repo-available-pkgs: 6,126 + Repo-size : 8.1 G + Repo-baseurl : https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os + Repo-expire : 86,400 second(s) (last: Mon 23 Nov 2020 03:55:56 PM EST) + Repo-filename : /etc/yum.repos.d/redhat.repo + Total packages: 21,235 + +#### Manually Adding a Repo + +Browse to '/etc/yum.repos.d' + + # cd /etc/yum.repos.d + +Create a new file with extension of '.repo'. You can use the existing files as templates + + [repo name] + name=[description of the repo] + baseurl=[path file:///path/to/reo/; url http://url; ftp ftp://url; for the repo] + enabled=[1=yes, 0=no] + +#### Using dnf config-manager + +**📝 NOTE:** *You can also use `yum-config-manager`, however it's not installed by default. 
You will need to install either `dnf-utils` or `yum-utils`.* + +Add a repository + + # dnf config-manager --add-repo [repo url] + +Enable a repo + + # dnf config-manager --enable [repo name] + +Disable a repo + + # dnf config-manager --disable [repo name] + +#### Creating a Repo with 'createrepo' + +Install 'createrepo' + + # dnf install -y createrepo + +Create a folder + + # mkdir /root/my_repo + +Add all the binaries that you would like to have on that repo + + # dnf install -y --downloadonly --downloaddir=/root/my_repo nmap httpd mysql + +Use 'createrepo' to create a repo database + + # createrepo --database /root/my_repo/ + +Add the repo + + # dnf config-manager --add-repo file:///root/my_repo/ + Updating Subscription Management repositories. + Adding repo from: file:///root/my_repo/ + +Check that repo was added + + # dnf repolist + Updating Subscription Management repositories. + repo id repo name + rhel-8-for-x86_64-appstream-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) + rhel-8-for-x86_64-baseos-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs) + root_my_repo created by dnf config-manager from file:///root/my_repo/ + +Check that you can see the files + + # dnf repository-packages root_my_repo list + +Disable the repo + + # dnf config-manager --disable root_my_repo_ + Updating Subscription Management repositories. + +--- + +#### Commands and Programs +- dnf repolist - Depending on the exact command lists enabled, disabled or all known repositories +- dnf-config-manager (8) - DNF config-manager Plugin +- createrepo_c.x86_64 : Creates a common metadata repository + +--- +[⬅️ Back](6-deploy-configure-and-maintain-systems.md) diff --git a/markdown/6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams.md b/markdown/6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams.md new file mode 100644 index 0000000..39ff266 --- /dev/null 
+++ b/markdown/6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams.md 
@@ -0,0 +1,366 @@ +# 6.f Work with package module streams + +## Definition + +RHEL 8 content is distributed through two main repositories: BaseOS and AppStream. + +**BaseOS** + +Content in the BaseOS repository is intended to provide the core set of the underlying OS functionality that provides the foundation for all installations. This content is available in the RPM format and is subject to support terms similar to those in previous releases of Red Hat Enterprise Linux. + +**AppStream** + +Content in the AppStream repository includes additional user-space applications, runtime languages, and databases in support of the varied workloads and use cases. Content in AppStream is available in one of two formats - the familiar RPM format and an extension to the RPM format called modules. + +Components made available as Application Streams can be packaged as modules or RPM packages and are delivered through the AppStream repository in Red Hat Enterprise Linux 8. Each AppStream component has a given life cycle. + +### Modules + +Modules allow you to install a specific version and/or type of an application in your system. For example, for 'postgresql' you can choose to install from multiple versions (stream), and client/server type (profile). + + # dnf module list postgresql + Last metadata expiration check: 0:20:44 ago on Sat 14 Mar 2020 08:59:58 PM UTC. 
+ CentOS-8 - AppStream + Name Stream Profiles Summary + postgresql 9.6 client, server [d] PostgreSQL server and client module + postgresql 10 [d] client, server [d] PostgreSQL server and client module + postgresql 12 client, server PostgreSQL server and client module + Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled + +![](6f-work-with-package-module-streams/6f-work-with-package-module-streams-f6795.png) + +For httpd on Centos8, currently only one stream (version) is available, and profiles are the package type (common, minimal, development) + + # dnf module list httpd + Last metadata expiration check: 0:21:46 ago on Sat 14 Mar 2020 08:59:58 PM UTC. + CentOS-8 - AppStream + Name Stream Profiles Summary + httpd 2.4 [d][e] common [d], devel, minimal Apache HTTP Server + Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled + +![](6f-work-with-package-module-streams/6f-work-with-package-module-streams-29a56.png) + +## Working with Modules + +### Getting Information on Modules + +Listing all modules + + # dnf module list + +Listing module summary for one module + + # dnf module list [module] + + # dnf module list httpd + Last metadata expiration check: 0:21:46 ago on Sat 14 Mar 2020 08:59:58 PM UTC. + CentOS-8 - AppStream + Name Stream Profiles Summary + httpd 2.4 [d][e] common [d], devel, minimal Apache HTTP Server + +Listing info on a module + + # dnf module info [module] + + # dnf module info httpd + Last metadata expiration check: 0:35:45 ago on Sat 14 Mar 2020 08:59:58 PM UTC. + Name : httpd + Stream : 2.4 [d][e][a] + Version : 8010020191223202455 + Context : cdc1202b + Architecture : x86_64 + Profiles : common [d], devel, minimal + Default profiles : common + Repo : AppStream + Summary : Apache HTTP Server + Description : Apache httpd is a powerful, efficient, and extensible HTTP server. 
+ Artifacts : httpd-0:2.4.37-16.module_el8.1.0+256+ae790463.src + : httpd-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : httpd-debuginfo-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : httpd-debugsource-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : httpd-devel-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : httpd-filesystem-0:2.4.37-16.module_el8.1.0+256+ae790463.noarch + : httpd-manual-0:2.4.37-16.module_el8.1.0+256+ae790463.noarch + : httpd-tools-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : httpd-tools-debuginfo-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_http2-0:1.11.3-3.module_el8.1.0+213+acce2796.src + : mod_http2-0:1.11.3-3.module_el8.1.0+213+acce2796.x86_64 + : mod_http2-debuginfo-0:1.11.3-3.module_el8.1.0+213+acce2796.x86_64 + : mod_http2-debugsource-0:1.11.3-3.module_el8.1.0+213+acce2796.x86_64 + : mod_ldap-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_ldap-debuginfo-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_md-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_md-debuginfo-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_proxy_html-1:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_proxy_html-debuginfo-1:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_session-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_session-debuginfo-0:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_ssl-1:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + : mod_ssl-debuginfo-1:2.4.37-16.module_el8.1.0+256+ae790463.x86_64 + +Listing profiles + + # dnf module info --profile [module] + + # dnf module info --profile httpd + Last metadata expiration check: 0:36:28 ago on Sat 14 Mar 2020 08:59:58 PM UTC. 
+ Name : httpd:2.4:8010020191223202455:cdc1202b:x86_64 + common : httpd + : httpd-filesystem + : httpd-tools + : mod_http2 + : mod_ssl + devel : httpd + : httpd-devel + : httpd-filesystem + : httpd-tools + minimal : httpd + +You can also filter the information with '[module_name]:[stream]' + + # dnf module info --profile php:7.3 + +### Changing Stream and Profile + +**⚠️ WARNING:** _Switching module streams will not alter installed packages. You will need to remove a package, reset the module stream and then install the new module stream for the package._ + +#### Via 'module enable/disable' + +Enable the stream for 'postgresql' v9.6 + + # dnf module enable postgresql:9.6 + +Enable the httpd devel profile + + # dnf module enable --profile httpd:2.4/devel + Last metadata expiration check: 0:47:51 ago on Sat 14 Mar 2020 08:59:58 PM UTC. + Ignoring unnecessary profile: 'httpd/devel' + Dependencies resolved. + Nothing to do. + Complete! + +Then install the package + + # yum install postgresql httpd + +To change a module stream again, you will need to run `yum module reset [module name]`, and then enable the new module. + + # yum module enable postgresql:10 + Last metadata expiration check: 0:06:07 ago on Sat 14 Mar 2020 09:57:50 PM UTC. + Dependencies resolved. + The operation would result in switching of module 'postgresql' stream '9.6' to stream '10' + Error: It is not possible to switch enabled streams of a module. + It is recommended to remove all installed content from the module, and reset the module using 'dnf module reset ' command. After you reset the module, you can install the other stream. + + # yum module reset postgresql + Last metadata expiration check: 0:06:15 ago on Sat 14 Mar 2020 09:57:50 PM UTC. + Dependencies resolved. 
+ ================================================================================================= + Package Architecture Version Repository Size + ================================================================================================= + Resetting modules: + postgresql + Transaction Summary + ================================================================================================= + Is this ok [y/N]: y + Complete! + +#### Directly with `dnf module install` + +Here we see that the stream is setup to use postgresql 10 + + # dnf module list postgresql + Updating Subscription Management repositories. + Last metadata expiration check: 1:21:21 ago on Tue 24 Nov 2020 01:34:58 PM EST. + Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) + Name Stream Profiles Summary + postgresql 9.6 client, server [d] PostgreSQL server and client module + postgresql 10 [d] client, server [d] PostgreSQL server and client module + postgresql 12 client, server [d] PostgreSQL server and client module + Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled + +Install another version with 'dnf module install' + + # dnf module install postgresql:9.6 + Updating Subscription Management repositories. + Last metadata expiration check: 1:22:00 ago on Tue 24 Nov 2020 01:34:58 PM EST. + Dependencies resolved. 
+ ========================================================================================================= + Package Arch Version Repository Size + ========================================================================================================= + Installing group/module packages: + postgresql-server x86_64 9.6.10-1.module+el8+2470+d1bafa0e rhel-8-for-x86_64-appstream-rpms 5.0 M + Installing dependencies: + libpq x86_64 12.4-1.el8_2 rhel-8-for-x86_64-appstream-rpms 195 k + postgresql x86_64 9.6.10-1.module+el8+2470+d1bafa0e rhel-8-for-x86_64-appstream-rpms 1.4 M + Installing module profiles: + postgresql/server + Enabling module streams: + postgresql 9.6 + Transaction Summary + ========================================================================================================= + Install 3 Packages + Total download size: 6.6 M + Installed size: 27 M + Is this ok [y/N]: y + Downloading Packages: + (1/3): libpq-12.4-1.el8_2.x86_64.rpm 502 kB/s | 195 kB 00:00 + (2/3): postgresql-9.6.10-1.module+el8+2470+d1bafa0e.x86_64.rpm 1.0 MB/s | 1.4 MB 00:01 + (3/3): postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64.rpm 2.5 MB/s | 5.0 MB 00:02 + --------------------------------------------------------------------------------------------------------- + Total 3.2 MB/s | 6.6 MB 00:02 + Running transaction check + Transaction check succeeded. + Running transaction test + Transaction test succeeded. 
+ Running transaction + Preparing : 1/1 + Installing : libpq-12.4-1.el8_2.x86_64 1/3 + Installing : postgresql-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 2/3 + Running scriptlet: postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 3/3 + Installing : postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 3/3 + Running scriptlet: postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 3/3 + Verifying : postgresql-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 1/3 + Verifying : postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 2/3 + Verifying : libpq-12.4-1.el8_2.x86_64 3/3 + Installed products updated. + Installed: + libpq-12.4-1.el8_2.x86_64 + postgresql-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 + postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 + Complete! + +You can see now that the stream for 9.6 is enabled + + # dnf module list postgresql + Updating Subscription Management repositories. + Last metadata expiration check: 1:25:13 ago on Tue 24 Nov 2020 01:34:58 PM EST. + Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) + Name Stream Profiles Summary + postgresql 9.6 [e] client, server [d] [i] PostgreSQL server and client module + postgresql 10 [d] client, server [d] PostgreSQL server and client module + postgresql 12 client, server [d] PostgreSQL server and client module + Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled + +If you try to install another stream it will error out + + # dnf module install postgresql:10 + Updating Subscription Management repositories. + Last metadata expiration check: 1:25:55 ago on Tue 24 Nov 2020 01:34:58 PM EST. + Dependencies resolved. + The operation would result in switching of module 'postgresql' stream '9.6' to stream '10' + Error: It is not possible to switch enabled streams of a module. + It is recommended to remove all installed content from the module, and reset the module using 'dnf module reset ' command. After you reset the module, you can install the other stream. 
+ +Uninstall the package + + # dnf module remove -y postgresql + Updating Subscription Management repositories. + Last metadata expiration check: 1:31:35 ago on Tue 24 Nov 2020 01:34:58 PM EST. + Dependencies resolved. + ========================================================================================================= + Package Arch Version Repository Size + ========================================================================================================= + Removing: + postgresql-server x86_64 9.6.10-1.module+el8+2470+d1bafa0e @rhel-8-for-x86_64-appstream-rpms 21 M + Removing unused dependencies: + libpq x86_64 12.4-1.el8_2 @rhel-8-for-x86_64-appstream-rpms 719 k + postgresql x86_64 9.6.10-1.module+el8+2470+d1bafa0e @rhel-8-for-x86_64-appstream-rpms 5.2 M + Disabling module profiles: + postgresql/server + Transaction Summary + ========================================================================================================= + Remove 3 Packages + Freed space: 27 M + Running transaction check + Transaction check succeeded. + Running transaction test + Transaction test succeeded. + Running transaction + Preparing : 1/1 + Running scriptlet: postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 1/1 + Running scriptlet: postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 1/3 + Erasing : postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 1/3 + Running scriptlet: postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 1/3 + Erasing : postgresql-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 2/3 + Erasing : libpq-12.4-1.el8_2.x86_64 3/3 + Running scriptlet: libpq-12.4-1.el8_2.x86_64 3/3 + Verifying : libpq-12.4-1.el8_2.x86_64 1/3 + Verifying : postgresql-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 2/3 + Verifying : postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 3/3 + Installed products updated. 
+ Removed: + libpq-12.4-1.el8_2.x86_64 + postgresql-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 + postgresql-server-9.6.10-1.module+el8+2470+d1bafa0e.x86_64 + Complete! + +Reset the module + + # dnf module reset -y postgresql + Updating Subscription Management repositories. + Last metadata expiration check: 1:27:18 ago on Tue 24 Nov 2020 01:34:58 PM EST. + Dependencies resolved. + ========================================================================================================= + Package Architecture Version Repository Size + ========================================================================================================= + Disabling module profiles: + postgresql/server + Resetting modules: + postgresql + Transaction Summary + ========================================================================================================= + Complete! + +Install the new module stream for the package + + # dnf module install -y postgresql + Updating Subscription Management repositories. + Last metadata expiration check: 1:33:29 ago on Tue 24 Nov 2020 01:34:58 PM EST. + Dependencies resolved. 
+ ========================================================================================================= + Package Arch Version Repository Size + ========================================================================================================= + Installing group/module packages: + postgresql-server x86_64 10.14-1.module+el8.2.0+7801+be0fed80 rhel-8-for-x86_64-appstream-rpms 5.0 M + Installing dependencies: + libpq x86_64 12.4-1.el8_2 rhel-8-for-x86_64-appstream-rpms 195 k + postgresql x86_64 10.14-1.module+el8.2.0+7801+be0fed80 rhel-8-for-x86_64-appstream-rpms 1.5 M + Installing module profiles: + postgresql/server + Enabling module streams: + postgresql 10 + Transaction Summary + ========================================================================================================= + Install 3 Packages + Total download size: 6.7 M + Installed size: 26 M + Downloading Packages: + (1/3): postgresql-10.14-1.module+el8.2.0+7801+be0fed80.x86_64.rpm 2.5 MB/s | 1.5 MB 00:00 + (2/3): libpq-12.4-1.el8_2.x86_64.rpm 291 kB/s | 195 kB 00:00 + (3/3): postgresql-server-10.14-1.module+el8.2.0+7801+be0fed80.x86_64.rpm 6.3 MB/s | 5.0 MB 00:00 + --------------------------------------------------------------------------------------------------------- + Total 8.3 MB/s | 6.7 MB 00:00 + Running transaction check + Transaction check succeeded. + Running transaction test + Transaction test succeeded. 
+ Running transaction + Preparing : 1/1 + Installing : libpq-12.4-1.el8_2.x86_64 1/3 + Installing : postgresql-10.14-1.module+el8.2.0+7801+be0fed80.x86_64 2/3 + Running scriptlet: postgresql-server-10.14-1.module+el8.2.0+7801+be0fed80.x86_64 3/3 + Installing : postgresql-server-10.14-1.module+el8.2.0+7801+be0fed80.x86_64 3/3 + Running scriptlet: postgresql-server-10.14-1.module+el8.2.0+7801+be0fed80.x86_64 3/3 + Verifying : postgresql-10.14-1.module+el8.2.0+7801+be0fed80.x86_64 1/3 + Verifying : postgresql-server-10.14-1.module+el8.2.0+7801+be0fed80.x86_64 2/3 + Verifying : libpq-12.4-1.el8_2.x86_64 3/3 + Installed products updated. + Installed: + libpq-12.4-1.el8_2.x86_64 + postgresql-10.14-1.module+el8.2.0+7801+be0fed80.x86_64 + postgresql-server-10.14-1.module+el8.2.0+7801+be0fed80.x86_64 + Complete! + +--- +[⬅️ Back](6-deploy-configure-and-maintain-systems.md) diff --git a/markdown/6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams/6f-work-with-package-module-streams-29a56.png b/markdown/6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams/6f-work-with-package-module-streams-29a56.png new file mode 100644 index 0000000..cfda385 Binary files /dev/null and b/markdown/6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams/6f-work-with-package-module-streams-29a56.png differ diff --git a/markdown/6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams/6f-work-with-package-module-streams-f6795.png b/markdown/6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams/6f-work-with-package-module-streams-f6795.png new file mode 100644 index 0000000..34e5fd0 Binary files /dev/null and b/markdown/6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams/6f-work-with-package-module-streams-f6795.png differ 
diff --git a/markdown/6-deploy-configure-and-maintain-systems/6g-modify-the-system-bootloader.md b/markdown/6-deploy-configure-and-maintain-systems/6g-modify-the-system-bootloader.md new file mode 100644 index 0000000..abd674d --- /dev/null +++ b/markdown/6-deploy-configure-and-maintain-systems/6g-modify-the-system-bootloader.md 
@@ -0,0 +1,166 @@ +# 6.g Modify the system bootloader + +## GRUB2 + +https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_the_GRUB_2_Boot_Loader/ + +> GRUB 2 reads its configuration from the /boot/grub2/grub.cfg file on traditional BIOS-based machines and from the /boot/efi/EFI/fedora/grub.cfg file on UEFI machines. This file contains menu information. +> +> The GRUB 2 configuration file, grub.cfg, is generated during installation, or by invoking the /usr/sbin/grub2-mkconfig utility, and is automatically updated by grubby each time a new kernel is installed. When regenerated manually using grub2-mkconfig, the file is generated according to the template files located in /etc/grub.d/, and custom settings in the /etc/default/grub file. Edits of grub.cfg will be lost any time grub2-mkconfig is used to regenerate the file, so care must be taken to reflect any manual changes in /etc/default/grub as well. + +**Configuration files:** +- /boot/grub2/grub.cfg - Configuration file (generated from '/etc/grub.d/' and '/etc/defaulg/grub') +- /etc/default/grub - Settings file + +`/boot/grub2/grub.cfg` + + # + # DO NOT EDIT THIS FILE + # + # It is automatically generated by grub2-mkconfig using templates + # from /etc/grub.d and settings from /etc/default/grub + # + ### BEGIN /etc/grub.d/00_header ### + set pager=1 + ...[break]... + +`/etc/default/grub` + + GRUB_TIMEOUT=5 + GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)" + GRUB_DEFAULT=saved + GRUB_DISABLE_SUBMENU=true + GRUB_TERMINAL_OUTPUT="console" + GRUB_CMDLINE_LINUX="resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet" + GRUB_DISABLE_RECOVERY="true" + GRUB_ENABLE_BLSCFG=true + +After making changes to `/etc/default/grub`, you need to regenerate the GRUB config file with `grub2-mkconfig` + + # grub2-mkconfig -o /boot/grub2/grub.cfg + Generating grub configuration file ... 
+ done + +## Managing Grub from the OS + +### Listing kernels + +There are different ways to get information on what kernels are available: +- dnf +- rpm +- grubby + +#### dnf + +You can list the available kernels with dnf. It checks the configured repos to see if there's an available kernel to download: + + # dnf list kernel + Updating Subscription Management repositories. + Last metadata expiration check: 2:15:49 ago on Tue 24 Nov 2020 01:34:58 PM EST. + Installed Packages + kernel.x86_64 4.18.0-240.el8 @anaconda + kernel.x86_64 4.18.0-240.1.1.el8_3 @rhel-8-for-x86_64-baseos-rpms + +#### RPM + +RPM checks what the systems has installed: + + # rpm -qa | grep kernel-[0-9] + kernel-4.18.0-240.1.1.el8_3.x86_64 + kernel-4.18.0-240.el8.x86_64 + +#### grubby + +grubby checks what's is configured in GRBU and what can be bootable from: + + # grubby --info=ALL + index=0 + kernel="/boot/vmlinuz-4.18.0-240.1.1.el8_3.x86_64" + args="ro resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet $tuned_params" + root="/dev/mapper/rhel-root" + initrd="/boot/initramfs-4.18.0-240.1.1.el8_3.x86_64.img $tuned_initrd" + title="Red Hat Enterprise Linux (4.18.0-240.1.1.el8_3.x86_64) 8.3 (Ootpa)" + id="b31bb9e7fc544e65beae56247bdd423f-4.18.0-240.1.1.el8_3.x86_64" + index=1 + kernel="/boot/vmlinuz-4.18.0-240.el8.x86_64" + args="ro resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet $tuned_params" + root="/dev/mapper/rhel-root" + initrd="/boot/initramfs-4.18.0-240.el8.x86_64.img $tuned_initrd" + title="Red Hat Enterprise Linux (4.18.0-240.el8.x86_64) 8.3 (Ootpa)" + id="b31bb9e7fc544e65beae56247bdd423f-4.18.0-240.el8.x86_64" + index=2 + kernel="/boot/vmlinuz-0-rescue-b31bb9e7fc544e65beae56247bdd423f" + args="ro resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet" + root="/dev/mapper/rhel-root" + initrd="/boot/initramfs-0-rescue-b31bb9e7fc544e65beae56247bdd423f.img" + title="Red Hat Enterprise Linux 
(0-rescue-b31bb9e7fc544e65beae56247bdd423f) 8.3 (Ootpa)" + id="b31bb9e7fc544e65beae56247bdd423f-0-rescue" + +### Using a Different Boot Option + +#### Grub Boot Prompt + +Use the arrows to select an option +You can use 'e' to edit additional parameters and boot + +#### Grubby + +To identify what the current index is, use `grubby --default-index` and it will show you: + + # grubby --default-index + 0 + +To change the default use + + # grubby --set-default-index [#] + +Or + + # grubby --set-default [boot kernel line] + +#### Grub2 + +To change the default kernel use + + # grub2-set-default 0 + + +## To Boot Into the GRUB Shell + +**📝 NOTE:** *This section might be out of scope for the RHCSA exam* + +Steps: +- Reboot +- Edit the kernel line +- Hit 'Ctrl+c' + + +#### GRUB commands +https://www.ibm.com/developerworks/library/l-GRUB2-features/index.html + +Show mounts and partitions on drive + +`ls` + +Allows GRUB to handle LVM partitions (like for ls) + +`insmod lvm` + +Search partitions for config file + +`search.file /grub2/grub.cfg` + +View config file + +`cat` + +--- + +#### Additional Info + +**See man pages for:** +- grubby (8) - command line tool used to configure bootloader menu entries across multiple ... +- grub2-set-default (8) - Set the default boot menu entry for GRUB. +- grub2-mkconfig (8) - Generate a GRUB configuration file +--- +[⬅️ Back](6-deploy-configure-and-maintain-systems.md) diff --git a/markdown/7-manage-basic-networking/7-manage-basic-networking.md b/markdown/7-manage-basic-networking/7-manage-basic-networking.md new file mode 100644 index 0000000..b0b7ad7 --- /dev/null +++ b/markdown/7-manage-basic-networking/7-manage-basic-networking.md 
@@ -0,0 +1,9 @@ +# 7. Manage basic networking + ++ [7.a Configure IPv4 and IPv6 addresses](7a-configure-ipv4-and-ipv6-addresses.md) ++ [7.b Configure hostname resolution](7b-configure-hostname-resolution.md) ++ [7.c Configure network services to start automatically at boot](7c-configure-network-services-to-start-automatically-at-boot.md) ++ [7.d Restrict network access using firewall-cmd/firewall](7d-restrict-network-access-using-firewall-cmd-firewall.md) + +--- +[⬅️ Back](../Objectives.md) diff --git a/markdown/7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses.md b/markdown/7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses.md new file mode 100644 index 0000000..8239bf1 --- /dev/null +++ b/markdown/7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses.md 
@@ -0,0 +1,261 @@ +# 7.a Configure IPv4 and IPv6 addresses + +**📌 EXAM TIPs** + +- Check if 'bash-completion' is installed. If it's not, install it +- Use 'man nmcli-examples' to get usage examples + +## Nmcli - NetworkManager Command Line Interface + +nmcli is a command-line tool for controlling NetworkManager and reporting network status. Connections are added under the default location '/etc/sysconfig/network-scripts'. + +Nmcli allows you to use shorthand for the commands: + +![](7a-configure-ipv4-and-ipv6-addresses/7a-configure-ipv4-and-ipv6-addresses-424ae.png) + +### Viewing Connections + +Showing a detailed summary for all connections + + # nmcli + enp0s3: connected to enp0s3 + "Intel 82540EM" + ethernet (e1000), 08:00:27:88:D9:41, hw, mtu 1500 + ip4 default + inet4 10.0.2.15/24 + route4 0.0.0.0/0 + route4 10.0.2.0/24 + inet6 fe80::8ae2:af6:2a08:da9f/64 + route6 fe80::/64 + route6 ff00::/8 + virbr0: connected (externally) to virbr0 + "virbr0" + bridge, 52:54:00:23:91:BD, sw, mtu 1500 + inet4 192.168.122.1/24 + route4 192.168.122.0/24 + enp0s8: disconnected + "Intel 82540EM" + 1 connection available + ethernet (e1000), 08:00:27:13:B0:B4, hw, mtu 1500 + lo: unmanaged + "lo" + loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536 + virbr0-nic: unmanaged + "virbr0-nic" + tun, 52:54:00:23:91:BD, sw, mtu 1500 + DNS configuration: + servers: 10.13.15.1 + domains: localdomain + interface: enp0s3 + Use "nmcli device show" to get complete information about known devices and + "nmcli connection show" to get an overview on active connection profiles. + Consult nmcli(1) and nmcli-examples(7) manual pages for complete usage details. 
+ +Show connections + + # nmcli connection show + NAME UUID TYPE DEVICE + enp0s3 705f36b0-b830-41bd-9c6e-f6fa9172f5b4 ethernet enp0s3 + Wired connection 1 573da91e-f3a4-3022-8d8a-f50724cba81b ethernet enp0s8 + virbr0 67335241-6637-4453-8bd1-14b5513c5178 bridge virbr0 + +Show only active + + # nmcli con show --active + NAME UUID TYPE DEVICE + System eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 ethernet eth0 + +Show device status + + # nmcli device status + DEVICE TYPE STATE CONNECTION + enp0s3 ethernet connected enp0s3 + enp0s8 ethernet connected Wired connection 1 + virbr0 bridge connected (externally) virbr0 + lo loopback unmanaged -- + virbr0-nic tun unmanaged -- + +Show information for device + + # nmcli device show enp0s8 + GENERAL.DEVICE: enp0s8 + GENERAL.TYPE: ethernet + GENERAL.HWADDR: 08:00:27:13:B0:B4 + GENERAL.MTU: 1500 + GENERAL.STATE: 100 (connected) + GENERAL.CONNECTION: eth1 + GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/7 + WIRED-PROPERTIES.CARRIER: on + IP4.ADDRESS[1]: 10.0.2.3/24 + IP4.ADDRESS[2]: 10.0.3.15/24 + IP4.GATEWAY: -- + IP4.ROUTE[1]: dst = 10.0.2.0/24, nh = 0.0.0.0, mt = 101 + IP4.ROUTE[2]: dst = 10.0.3.0/24, nh = 0.0.0.0, mt = 101 + IP4.DNS[1]: 10.13.15.1 + IP4.DNS[2]: 8.8.8.8 + IP4.DOMAIN[1]: localdomain + IP6.ADDRESS[1]: fe80::c67a:fc98:efeb:4501/64 + IP6.GATEWAY: -- + IP6.ROUTE[1]: dst = fe80::/64, nh = ::, mt = 101 + IP6.ROUTE[2]: dst = ff00::/8, nh = ::, mt = 256, table=255 + +### Adding New Connections + +DHCP + + # nmcli con add con-name [connection name] autoconnect no type ethernet ifname eth1 + +Static IP + + # nmcli con add con-name [connection name] autoconnect no type ethernet ifname eth1 ip4 10.0.0.2 gw4 10.0.0.1 + +Static IP with DNS + + # nmcli connection add con-name eth0 type ethernet ifname enp0s8 ip4 10.0.2.3/24 gw4 10.0.2.2 ipv4.dns 8.8.8.8 + Connection 'eth0' (ebca0337-945e-4b63-957b-bd0da2e65232) successfully added. 
+ +**Common options:** +- autoconnect - Connection comes up automatically at boot +- method + - auto - DHCP asigned + - manual - static IP + - disabled - connection is disabled + - shared - connection sharing +- type - ethernet, wifi, bluetooth, vlan, tun, dummy, etc... +- ifname - Interface that will be used for activation + + # cat /etc/sysconfig/network-scripts/ifcfg-eth1 + TYPE=Ethernet + PROXY_METHOD=none + BROWSER_ONLY=no + BOOTPROTO=dhcp + IPADDR=10.0.2.3 + PREFIX=24 + DNS1=8.8.8.8 + DEFROUTE=no + IPV4_FAILURE_FATAL=yes + IPV6INIT=yes + IPV6_AUTOCONF=yes + IPV6_DEFROUTE=yes + IPV6_FAILURE_FATAL=no + IPV6_ADDR_GEN_MODE=stable-privacy + NAME=eth1 + UUID=42995f47-e0b1-4c81-aa22-7662cba404c7 + DEVICE=enp0s8 + ONBOOT=yes + +### Modify Connection + +Delete secondary IP for connection + + # nmcli connection modify eth1 -ipv4.addresses 10.0.2.4/32 + +Delete IP and GW + + # nmcli connection modify eth1 -ipv4.addresses 10.0.3.15/24 -ipv4.gateway 10.0.3.0/24 + +Restart the interface + + # nmcli connection down eth1 && nmcli connection up eth1 + Connection 'eth1' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2) + Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4) + +### Enable/Disable Connections + +To bring up connections + + # nmcli con up [connection name] + +To take down connection + + # nmcli connection down eth1 + Connection 'eth1' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7) + +### Deleting Connections + +Delete "Wired connection 1" + + # nmcli connection delete "Wired connection 1" + Connection 'Wired connection 1' (573da91e-f3a4-3022-8d8a-f50724cba81b) successfully deleted. 
+ +### Adding new IPv6 Connections + +You can use an IPv4 address as part of an IPv6 address to make it easier to understand things + + # nmcli connection modify enp0s8 ip6 ::fff:10.0.2.3/64 ipv6.gateway ::fff:10.0.2.2 + +### nmcli interactive connection editor + +With the 'edit' option, nmcli presents you with a iteractive editor. The interactive editor will guide you through the connection editing and allow you to change connection parameters according to your needs by means of a simple menu-driven interface. + + # nmcli connection edit eth1 + + ===| nmcli interactive connection editor |=== + + Editing existing '802-3-ethernet' connection: 'eth1' + + Type 'help' or '?' for available commands. + Type 'print' to show all the connection properties. + Type 'describe [.]' for detailed property description. + + You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, tc, proxy + nmcli> + +Configure the IP + + nmcli> set ipv4.addresses + Enter 'addresses' value: 10.0.2.4/24 + +Configure default route + + nmcli> set ipv4.gateway 10.0.2.2 + +Configure DNS + + nmcli> set ipv4.dns 8.8.8.8 + +Check that it's working, save and quit + + nmcli> verify + Verify connection: OK + + nmcli> save + Connection 'eth1' (42995f47-e0b1-4c81-aa22-7662cba404c7) successfully updated. + + nmcli> quit + +## Nmtui - NetworkManager Text Based User Interface + +nmtui is a curses‐based TUI application for interacting with NetworkManager. + +### Adding a connection + +![](7a-configure-ipv4-and-ipv6-addresses/7a-configure-ipv4-and-ipv6-addresses-0546b.png) + +## IP Command + +The 'ip' command will also accept shorthand +Changes are not persistent + +**Common used commands:** +- ip addr - Shows addresses assigned to all network interfaces. +- ip neigh - Shows the current neighbour table in kernel (ARP table). +- ip link set x up - Bring up interface x. +- ip link set x down - Bring down interface x. +- ip route - Show table routes. 
+ +Adding a new IP + + # ip addr add 10.0.0.2 dev eth0 + +Deleting the IP + + # ip addr del 10.0.0.2/32 dev eth0 + +--- + +#### Additional Info: + +[Configure IPv4 addresses and perform basic IPv4 troubleshooting](https://www.certdepot.net/rhel7-configure-ipv4-addresses/) +--- +[⬅️ Back](7-manage-basic-networking.md) diff --git a/markdown/7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses/7a-configure-ipv4-and-ipv6-addresses-0546b.png b/markdown/7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses/7a-configure-ipv4-and-ipv6-addresses-0546b.png new file mode 100644 index 0000000..c126c9d Binary files /dev/null and b/markdown/7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses/7a-configure-ipv4-and-ipv6-addresses-0546b.png differ diff --git a/markdown/7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses/7a-configure-ipv4-and-ipv6-addresses-424ae.png b/markdown/7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses/7a-configure-ipv4-and-ipv6-addresses-424ae.png new file mode 100644 index 0000000..5276258 Binary files /dev/null and b/markdown/7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses/7a-configure-ipv4-and-ipv6-addresses-424ae.png differ diff --git a/markdown/7-manage-basic-networking/7b-configure-hostname-resolution.md b/markdown/7-manage-basic-networking/7b-configure-hostname-resolution.md new file mode 100644 index 0000000..381dc1b --- /dev/null +++ b/markdown/7-manage-basic-networking/7b-configure-hostname-resolution.md 
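Review bot: the `Delete IP and GW` example passes a network instead of an address as the gateway: `nmcli connection modify eth1 -ipv4.addresses 10.0.3.15/24 -ipv4.gateway 10.0.3.0/24`. `ipv4.gateway` holds a single host address and is not a list property, so the `-` prefix (which removes one item from a list such as `ipv4.addresses`) does not apply to it; clear it with `ipv4.gateway ""`. In the same file, the first `Static IP` example uses `ip4 10.0.0.2` with no prefix length while the next example uses `ip4 10.0.2.3/24`; state the prefix explicitly so the gateway is actually on-link. The IPv6 example `ip6 ::fff:10.0.2.3/64` has three f's where the IPv4-mapped form is `::ffff:10.0.2.3`, and the sentence above it should say which form it means. Typos: `iteractive`, `asigned`, `Common used commands`, and `ip route - Show table routes` (routing table).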
@@ -0,0 +1,148 @@ +# 7.b Configure hostname resolution + +## Hostname + +**Commands:** +- hostnamectl (1) - Control the system hostname +- hostname (1) - show or set the system's host name + +Viewing the hostname with 'hostname' - hostname {-f|-s} + + # hostname + localhost.localdomain + +Viewing the hostname with 'hostnamectl' + + # hostnamectl + Static hostname: localhost.localdomain + Icon name: computer-vm + Chassis: vm + Machine ID: b31bb9e7fc544e65beae56247bdd423f + Boot ID: 876d1a6703d0469384df37a4855fa1f0 + Virtualization: oracle + Operating System: Red Hat Enterprise Linux 8.3 (Ootpa) + CPE OS Name: cpe:/o:redhat:enterprise_linux:8.3:GA + Kernel: Linux 4.18.0-240.1.1.el8_3.x86_64 + Architecture: x86-64 + +### Change the Hostname + +#### hostname + +When used with an argument, the command 'hostname' temporarily sets the hostname until the next reboot + + # hostname rhel8-lab + + # hostname + rhel8-lab + +#### /etc/hostname + +You can edit '/etc/hostname' to change the hostname permanently. + +#### hostnamectl + +Sets the hostname permanently. 
+ + # hostname rhel8-lab + + # hostname + rhel8-lab + +## DNS + +**📌 EXAM TIP:** *For the test, make sure that 'bind-utils' is installed so you have the 'host' resolution utility.* + +### Changing the DNS entry + +Update it with 'nmcli' + + # nmcli con mod [connection name] ipv4.dns [DNS IP] + +Restart the connection or the network + + # nmcli connection down [conn name] && nmcli connection up [conn name] + +Or + + # systemctl restart NetworkManager + +Optionally, if you need to add a secondary DNS server, add a '+' before 'ipv4.dns + + # nmcli con mod [connection name] +ipv4.dns [secondary DNS IP] + +**📝 Notes** +- You can confirm the DNS changes in '/etc/resolv.conf' after restarting the connection or the network +- Using a '+' will add a second entry (max of 3) +- Using a '-' will remove the entry + +### Overwriting DNS Resolutions + +The '/etc/hosts' file is a simple text file that associates IP addresses with hostnames, one line per IP address. You can use '/etc/hosts' to overwrite DNS resolution (for programs that use the GNY C library). + + # cat /etc/hosts + 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 + ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + + 127.0.0.1 myhost myhost.com + +**Reference:** +- hosts (5) - static table lookup for hostnames + +### DNS Resolutions + +**Commands:** +- nsswitch.conf (5) - Name Service Switch configuration file +- nslookup (1) - query Internet name servers interactively +- host (1) - DNS lookup utility +- dig (1) - DNS lookup utility + +#### Name Service Switch configuration file + +The Name Service Switch (NSS) configuration file `/etc/nsswitch.conf` is used by the GNU C Library and certain other applications to determine the sources from which to obtain name-service information in a range of categories, and in what order. 
+ +By default, '/etc/hosts' (files) is given priority over DNS queries: + + # grep hosts /etc/nsswitch.conf + # hosts: files dns + # hosts: files dns # from user file + # Valid databases are: aliases, ethers, group, gshadow, hosts, + hosts: files dns myhostname + +Both 'nslookup' and 'host' commands do not use C library, thus are not affected by nsswitch.conf (or `/etc/hosts`). + +#### nslookup + +You can use 'nslookup' for name resolution + + # nslookup google.ca + Server: 10.13.15.1 + Address: 10.13.15.1#53 + Non-authoritative answer: + Name: google.ca + Address: 172.217.165.3 + Name: google.ca + Address: 2607:f8b0:400b:802::2003 + +#### host + +You can also use 'host' for name resolution + + # host google.ca + google.ca has address 172.217.165.3 + google.ca has IPv6 address 2607:f8b0:400b:802::2003 + google.ca mail is handled by 40 alt3.aspmx.l.google.com. + google.ca mail is handled by 10 aspmx.l.google.com. + google.ca mail is handled by 30 alt2.aspmx.l.google.com. + google.ca mail is handled by 50 alt4.aspmx.l.google.com. + google.ca mail is handled by 20 alt1.aspmx.l.google.com. + +#### dig + +dig is an advanced DNS tool and is here mainly for reference + + # dig google.ca +noall +answer + google.ca. 210 IN A 172.217.165.3 + +--- +[⬅️ Back](7-manage-basic-networking.md) diff --git a/markdown/7-manage-basic-networking/7c-configure-network-services-to-start-automatically-at-boot.md b/markdown/7-manage-basic-networking/7c-configure-network-services-to-start-automatically-at-boot.md new file mode 100644 index 0000000..4e71505 --- /dev/null +++ b/markdown/7-manage-basic-networking/7c-configure-network-services-to-start-automatically-at-boot.md 
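Review bot: the `hostnamectl` subsection says `Sets the hostname permanently.` but the command shown under it is `# hostname rhel8-lab`, which is the temporary form already covered above; it should be `hostnamectl set-hostname rhel8-lab`. Two accuracy points: `GNY C library` should be `GNU C library`, and `Both 'nslookup' and 'host' commands do not use C library` is misleading; they do link against glibc but query the DNS servers directly instead of going through the NSS resolver, so they ignore `/etc/nsswitch.conf` and `/etc/hosts` (the same is true of `dig`). Also `overwrite DNS resolution` should be `override`. Under `Changing the DNS entry`, `systemctl restart NetworkManager` is not guaranteed to re-apply a modified profile to an already-active connection; the `nmcli connection down ... && nmcli connection up ...` line (or `nmcli device reapply <dev>`) is the reliable way, and `/etc/resolv.conf` should be checked afterwards as the note says.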
@@ -0,0 +1,25 @@ +# 7.c Configure network services to start automatically at boot + +## Enable a Service to Start on Boot + +As we have seen before, use 'systemctl enable' + + # systemctl enable httpd + Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service. + +Confirmation that it's enabled + + # systemctl status httpd + ● httpd.service - The Apache HTTP Server + Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled) + Active: inactive (dead) + Docs: man:httpd.service(8) + +## Enable a Network Connection to Start on Boot + +With 'nmcli' + + # nmcli connection modify [conn name] autoconnect yes + +--- +[⬅️ Back](7-manage-basic-networking.md) diff --git a/markdown/7-manage-basic-networking/7d-restrict-network-access-using-firewall-cmd-firewall.md b/markdown/7-manage-basic-networking/7d-restrict-network-access-using-firewall-cmd-firewall.md new file mode 100644 index 0000000..ab2bd5c --- /dev/null +++ b/markdown/7-manage-basic-networking/7d-restrict-network-access-using-firewall-cmd-firewall.md 
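Review bot: the `systemctl status` output is a heavy way to confirm enablement and also shows `Active: inactive (dead)`, which readers may take as a failure; `systemctl is-enabled httpd` answers the question directly, and `systemctl enable --now httpd` is worth mentioning for the common case of enabling and starting in one step. For the objective as named, the page should also say that the NetworkManager service itself must be enabled for `nmcli connection modify [conn name] autoconnect yes` to have any effect at boot.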
@@ -0,0 +1,86 @@ +# 7.d Restrict network access using firewall-cmd/firewall + +**📝 NOTE:** _For firewall configuration with 'firewall-cmd', see "[9-Manage security => Configure firewall settings using firewall-cmd/firewalld](../9-Manage-security/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables.md)"_ + +**Reference:** +- firewalld (1) - Dynamic Firewall Manager +- firewall-cmd (1) - firewalld command line client + +## Creating a new Zone and Adding Services and Interface + +Create a new zone + + # firewall-cmd --permanent --new-zone=server + success + +Add the http service + + # firewall-cmd --permanent --zone=server --add-service=http + success + +Add an interface to the zone + + # firewall-cmd --change-interface=enp0s8 --zone=server --permanent + The interface is under control of NetworkManager, setting zone to 'server'. + success + +Add another service to the zone + + # firewall-cmd --add-service=ssh --zone=server --permanent + success + +Reload the configuration + + # firewall-cmd --reload + success + +Check that the zone was added + + # firewall-cmd --get-zones + block dmz drop external home internal libvirt nm-shared public server trusted work + +Check the zone configuration + + # firewall-cmd --list-all --zone=server + server (active) + target: default + icmp-block-inversion: no + interfaces: enp0s8 + sources: + services: http ssh + ports: + protocols: + masquerade: no + forward-ports: + source-ports: + icmp-blocks: + rich rules: + +## Add a new Port + +Add the port + + # firewall-cmd --add-port=8888/tcp --zone=server --permanent + success + +Confirm that the new rule was added + + # firewall-cmd --zone=server --list-ports --permanent + 8888/tcp + +Reload the configuration + + # firewall-cmd --reload + success + +Close a Port + + # firewall-cmd --remove-port=[port/protocol] {--permanent} + +Reload the configuration + + # firewall-cmd --reload + success + +--- +[⬅️ Back](7-manage-basic-networking.md) 
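Review bot: the file is titled `Restrict network access` but every example opens something (`--add-service`, `--add-port`) and the only restriction shown is `Close a Port`; add at least one example that actually restricts, e.g. `--remove-service=...` or placing a source network in the `drop` or `block` zone with `--add-source=`. On the zone example, the output `The interface is under control of NetworkManager, setting zone to 'server'.` means firewalld stored the zone in the connection profile, so `nmcli connection show <name> | grep connection.zone` is the right place to confirm it. The `{--permanent}` brace notation under `Close a Port` is not explained anywhere in this file; either spell out that braces mark an optional argument or drop it.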
diff --git a/markdown/8-Manage-users-and-groups/8-Manage-users-and-groups.md b/markdown/8-Manage-users-and-groups/8-Manage-users-and-groups.md new file mode 100644 index 0000000..17897cf --- /dev/null +++ b/markdown/8-Manage-users-and-groups/8-Manage-users-and-groups.md @@ -0,0 +1,11 @@ +# 8 Manage users and groups + + ++ [8.a Create, delete, and modify local user accounts](8a-Create-delete-and-modify-local-user-accounts.md) ++ [8.b Change passwords and adjust password aging for local user accounts](8b-Change-passwords-and-adjust-password-aging-for-local-user-accounts.md) ++ [8.c Create, delete, and modify local groups and group memberships](8c-Create-delete-and-modify-local-groups-and-group-memberships.md) ++ [8.d Configure superuser access](8d-Configure-superuser-access.md) + + +--- +[⬅️ Back](../Objectives.md) diff --git a/markdown/8-Manage-users-and-groups/8a-Create-delete-and-modify-local-user-accounts.md b/markdown/8-Manage-users-and-groups/8a-Create-delete-and-modify-local-user-accounts.md new file mode 100644 index 0000000..7a88f38 --- /dev/null +++ b/markdown/8-Manage-users-and-groups/8a-Create-delete-and-modify-local-user-accounts.md 
@@ -0,0 +1,91 @@ +8.a Create, delete, and modify local user accounts +=== + +**Important Files:** ++ `/etc/skell` - Skeleton folder ++ `/etc/passwd` - Password file ++ `/etc/group` - Group file ++ `/etc/default/useradd` - Default variables for useradd ++ `/etc/login.defs` - The /etc/login.defs file defines the site-specific configuration for the shadow password suite. This file is required. Absence of this file will not prevent system operation, but will probably result in undesirable operation. + +*Note that the shadow file, no one has permission:* + + $ ll /etc/shadow + ----------. 1 root root 887 Jan 29 2019 /etc/shadow + +**Commands:** ++ id (1) - print real and effective user and group IDs ++ getent (1) - get entries from Name Service Switch libraries ++ useradd (8) - create a new user or update default new user information ++ usermod (8) - modify a user account ++ whoami (1) - print effective userid ++ logname (1) - print user's login name ++ lslogins (1) - display information about known users in the system + + +Commands +--- + +### id - Print real and effective user and group IDs + + $ id + uid=1000(victor) gid=1000(victor) groups=1000(victor),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 + +**📝 NOTE:** *When running for your own user, the highlighted text is shown* + + +### getent - get entries from Name Service Switch libraries + +This can be used to show information on local and directory services. 
+ +Shows /etc/passwd entry for user 'victor' + + # getent passwd victor + victor:x:1000:1000:victor:/home/victor:/bin/bash + +Shows /etc/shadow entry for user 'user1' + + # getent shadow user1 + user1:$6$i5IgGA0XFP/f3Hv3$./zCBLGuL24fc8njwvsGJlsgrB.QJzf1srrHMUpDzxgYyqwlepHrKUhbu.k9iwOMxLsdRuu.oNiRItGZiKNZE.:18592:0:99999:7::: + +Shows all users in the system + + # getent passwd + +Shows all groups in the system + + # getent group + +### useradd - Create a new user or update default new user information + +**Useful command options:** ++ `c` - Comment ++ `d` - Set home directory ++ `g` - Set the GID ++ `G` - Secondary groups ++ `k` - Skeleton directory ++ `p` - The encrypted password, as returned by crypt ++ `r` - Create a system account ++ `s` - Default login shell ++ `u` - Set the UID + +Add a user named 'user1' with uid '1001' and the existing 'users' group + + # useradd -u 1001 -g 100 user1 + + # id user1 + uid=1001(user1) gid=100(users) groups=100(users) + +### usermod - Modify a user account + +**Useful command options:** ++ `c` - Modify user's comment ++ `d`- change the user's home directory ++ `G` - chage the user's secondary group ++ `L` - Locks the account ++ `U` - Unlocks the account + +**📝 NOTE:** *Locking the account adds a '!' at the beginning of the hash in `/etc/shadow`* + +--- +[⬅️ Back](8-Manage-users-and-groups.md) diff --git a/markdown/8-Manage-users-and-groups/8b-Change-passwords-and-adjust-password-aging-for-local-user-accounts.md b/markdown/8-Manage-users-and-groups/8b-Change-passwords-and-adjust-password-aging-for-local-user-accounts.md new file mode 100644 index 0000000..e27ac38 --- /dev/null +++ b/markdown/8-Manage-users-and-groups/8b-Change-passwords-and-adjust-password-aging-for-local-user-accounts.md 
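Review bot: `/etc/skell` in `Important Files` should be `/etc/skel` (the later `SKEL=/etc/skel` line in 8b has it right). The `getent shadow user1` example publishes a real `$6$` password hash from the lab box; replace it with a placeholder so nobody is tempted to crack a password that may be reused elsewhere, and the `-p` description (`The encrypted password, as returned by crypt`) deserves a caveat that a hash passed on the command line lands in shell history and is visible to `ps`, so running `passwd` after `useradd` is the safer pattern. Smaller fixes: `Note that the shadow file, no one has permission` reads badly (mode `0000`; root reads it only because root bypasses permission checks); the NOTE under `id` refers to `the highlighted text` but nothing is highlighted in Markdown, name the `context=` field instead; `-g - Set the GID` is the primary group; `chage the user's secondary group` is a typo for `change`, and `-G` replaces the secondary group list unless combined with `-a`.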
@@ -0,0 +1,130 @@ +8.b Change passwords and adjust password aging for local user accounts +=== + +Commands +--- + +### passwd + +Change users password. Only root can change the password for another user. + +### chage + +chage - Change user password expiry information + +Common options: ++ `d` - Set date of last password change to `LAST_DAY` ++ `E` - Set the account to expire on date ++ `M` - Maximum days the password will be valid for ++ `I` - Number of days of inactivity after expiration where account will be locked ++ `W` - Number of days to warn that password is expiring + +**📝 NOTE:** *Having an expired password doesn't mean that the account is locked. It means that the user can still login, but is prompted to change the password* + +#### Examples + +List users accounts aging information + + # chage -l user1 + Last password change : Nov 26, 2020 + Password expires : never + Password inactive : never + Account expires : never + Minimum number of days between password change : 0 + Maximum number of days between password change : 99999 + Number of days of warning before password expires : 7 + +Force user to change password on next login + + # chage -d 0 user1 + +Set account to expire on December 31st 2020 + + # chage -E 2020-12-31 user1 + + # chage -l user1 | grep 'Account expires' + Account expires : Dec 31, 2020 + +Remove account expiration + + # chage -E -1 user1 + + # chage -l user1 | grep 'Account expires' + Account expires : never + +Set the password to expire in 30 days + + # chage -M 30 user1 + + # chage -l user1 | grep 'Password expires' + Password expires : Dec 26, 2020 + +Remove password expiration + + # chage -M -1 user1 + + # chage -l user1 | grep 'Password expires' + Password expires : never + +**Interactive Mode** + +You can also run 'chage' in interactive mode by calling it with a username and not other arguments. 
+ + # chage user1 + Changing the aging information for user1 + Enter the new value, or press ENTER for the default + + Minimum Password Age [0]: 0 + Maximum Password Age [-1]: + Last Password Change (YYYY-MM-DD) [2020-11-26]: + Password Expiration Warning [7]: + Password Inactive [-1]: 1 + Account Expiration Date (YYYY-MM-DD) [-1]: + + +### Configuring Defaults + +Default password age and requirements configuration can be made in '/etc/login.defs' + + # Password aging controls: + # + # PASS_MAX_DAYS Maximum number of days a password may be used. + # PASS_MIN_DAYS Minimum number of days allowed between password changes. + # PASS_MIN_LEN Minimum acceptable password length. + # PASS_WARN_AGE Number of days warning given before a password expires. + # + PASS_MAX_DAYS 99999 + PASS_MIN_DAYS 0 + PASS_MIN_LEN 5 + PASS_WARN_AGE 7 + +Additional password configuration, like inactivity and expiration date, can be set in `/etc/default/useradd`. + +By default, `/etc/default/useradd` usually looks like this: + + # useradd defaults file + GROUP=100 + HOME=/home + INACTIVE=-1 + EXPIRE= + SHELL=/bin/bash + SKEL=/etc/skel + CREATE_MAIL_SPOOL=yes + +Edit the `INACTIVE` line and add the `EXPIRE` line if needed: + + INACTIVE=3 # Expires after 3 days of inactivity + EXPIRE=2020-12-31 # Expires on Dec 31 2020 + +Password Complexity +--- + +Password complexity can be achieved with 'pam_pwquality.so'. + +**Man page:** ++ pam_pwquality (8) - PAM module to perform password quality checking + +**📝NOTE:** *Understanding and managing pam is not part of RHCSA exam.* + +--- +[⬅️ Back](8-Manage-users-and-groups.md) diff --git a/markdown/8-Manage-users-and-groups/8c-Create-delete-and-modify-local-groups-and-group-memberships.md b/markdown/8-Manage-users-and-groups/8c-Create-delete-and-modify-local-groups-and-group-memberships.md new file mode 100644 index 0000000..0c95a4e --- /dev/null +++ b/markdown/8-Manage-users-and-groups/8c-Create-delete-and-modify-local-groups-and-group-memberships.md 
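Review bot: the `/etc/default/useradd` paragraph should say that `INACTIVE` and `EXPIRE` are defaults for accounts created afterwards by `useradd`, not settings applied to existing users (those need `chage`), and the suggested edit `INACTIVE=3 # Expires after 3 days of inactivity` puts a trailing comment on the value line; useradd parses that file itself rather than sourcing it as shell, so keep comments on their own `#` lines. On `login.defs`: `PASS_MIN_LEN 5` is presented as a requirement setting, but on RHEL 8 password length and complexity are enforced by `pam_pwquality` (`minlen` in `/etc/security/pwquality.conf`), which the `Password Complexity` section at the bottom already points to; say so, or readers will change `PASS_MIN_LEN` and see no effect. Also `-I` counts inactivity after the password (not the account) expires, and `not other arguments` should be `no other arguments`.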
@@ -0,0 +1,96 @@ +8.c Create, delete, and modify local groups and group memberships +=== + +Example Commands +--- + +### Getting Group Information + +Get user's group + + $ id user2 + uid=1002(user2) gid=1002(user2) groups=1002(user2),100(users) + +Or + + $ groups + user2 users + +Get user's primary group (you can also use the previous commands) + + # getent group user2 + user2:x:1002: + +Get a list of all users and their groups + + # lslogins -G + +Show all groups in the system + + # cat /etc/group + +Or + + # getent [group] + +Show users belonging to a group + + # lslogins -g [group] + +Or with groupmems (needs to be root to use '-g') + + # groupmems -l -g [group] + +### Creating Groups + +Create group with specified GID + + # groupadd -g [id] [name] + +Create a system group + + # groupadd -r [name] + + +### Managing Groups + +Change the group name + + # groupmod -n [new name] [group] + +Change the group ID + + # groupmod -g [ID] [group] + +**📝 NOTE:** *Changing a group id will result in group users not having access to existing files* + +Add user to group (overwrites primary group) + + # usermod -g [group] [user] + +Add user to secondary group (overwrites all secondary groups) + + # usermod -G [group] + +Add user to secondary group (append to secondary without overwriting) + + # usermod -aG [group] + +Add user to multiple secondary groups (overwrites existing secondary groups) + + # usermod -G [group1,group2,group3] + +Remove user from secondary group + + # gpasswd -d [user] [group] + +### Removing Groups + +Use `groupdel` + + # groupdel [group] + +**📝 NOTE:** *You cannot remove groups that are assigned as primary groups for existing users* + +--- +[⬅️ Back](8-Manage-users-and-groups.md) diff --git a/markdown/8-Manage-users-and-groups/8d-Configure-superuser-access.md b/markdown/8-Manage-users-and-groups/8d-Configure-superuser-access.md new file mode 100644 index 0000000..3a6eecb --- /dev/null 
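Review bot: several commands are missing their user argument: `usermod -G [group]`, `usermod -aG [group]` and `usermod -G [group1,group2,group3]` all need a trailing `[user]`, and `getent [group]` under `Show all groups in the system` should be the literal `getent group` (the bracket placeholder suggests a variable). `Add user to group (overwrites primary group)` describes `usermod -g`, which sets the primary group, so phrase it as `Set the user's primary group`. The note on `groupmod -g` is right that files keep the old numeric GID; a one-line pointer such as `find / -gid <old> -exec chgrp <group> {} +` would make it actionable.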
+++ b/markdown/8-Manage-users-and-groups/8d-Configure-superuser-access.md 
@@ -0,0 +1,82 @@ +8.d Configure superuser access +=== + +**Commands:** ++ visudo (8) - edit the sudoers file ++ sudoers (5) - default sudo security policy plugin + +**Files:** ++ `/etc/sudo.conf` - Specifies security policies and plugin (not needed for the exam) ++ `/etc/sudoers` - Main configuration file for sudo (list of who can run what) ++ `/etc/sudoers.d/` - Drop-in files. Allows additional configuration files to be added, separately, on top of the main configuration file (`/etc/sudoers`) + +**⚠️ WARNING:** *Always make sure to edit the sudoers files (`/etc/sudoers` or `/etc/sudoers.d/*`) with `visudo` as it checks for potential mistakes* + +Example Usages +--- + +Allow root to run any commands anywhere + + root ALL=(ALL) ALL + +Allows people in group wheel to run all commands + + %wheel ALL=(ALL) ALL + +**📝 NOTE:** _Adding a user to the 'wheel' group (`usermod -a -G wheel user`) will effectively give him superuser access_ + +Allows people in group wheel to run all commands without a password + + %wheel ALL=(ALL) NOPASSWD: ALL + +Read drop-in files from `/etc/sudoers.d` (the # here does not mean a comment) + + #includedir /etc/sudoers.d + +The drop-in file below give the user 'victor' sudo access without the need of a password + + # cat /etc/sudoers.d/00_victor + victor ALL=(ALL) NOPASSWD: ALL + +Give user1 sudo access to run `fdisk -l` and `reboot` + + user1 ALL=(ALL) /sbin/fdisk -l, /sbin/reboot, /bin/passwd, !/bin/passwd root + +Give user1 sudo access to run `passwd` except `passwd root` (allows to change the password for all other users, except root) + + user1 ALL=(ALL) /bin/passwd, !/bin/passwd root + +Give user sudo access to a list of commands via a command alias + + Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + user1 ALL = STORAGE + +Allow user1 to run all commands as user2 + + user1 ALL=(user2) ALL + +``` +$ whoami +user1 +$ sudo -i -u user2 +$ whoami +user2 +``` + +Show sudo access + +``` +$ 
sudo -l +Matching Defaults entries for user1 on rhel8-lab: + !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, + env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME + LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", + env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE + LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin + +User user1 may run the following commands on rhel8-lab: + (user2) ALL +``` + +--- +[⬅️ Back](8-Manage-users-and-groups.md) diff --git a/markdown/9-Manage-security/9-manage-security.md b/markdown/9-Manage-security/9-manage-security.md new file mode 100644 index 0000000..ae759fb --- /dev/null +++ b/markdown/9-Manage-security/9-manage-security.md @@ -0,0 +1,14 @@ +# 9. Manage security + ++ [9.a Configure firewall settings using firewall-config, firewall-cmd, or iptables](9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables.md) ++ [9.b Create and use file access control lists](9b-create-and-use-file-access-control-lists) ++ [9.c Configure key-based authentication for SSH](9c-configure-key-based-authentication-for-ssh.md) ++ [9.d Set enforcing and permissive modes for SELinux](9d-set-enforcing-and-permissive-modes-for-selinux.md) ++ [9.e List and identify SELinux file and process context](9e-list-and-identify-selinux-file-and-process-context.md) ++ [9.f Restore default file contexts](9f-restore-default-file-contexts.md) ++ [9.g Use boolean settings to modify system SELinux settings](9g-use-boolean-settings-to-modify-system-selinux-settings.md) ++ [9.h Diagnose and address routine SELinux policy violations](9h-diagnose-and-address-routine-selinux-policy-violations.md) + + +--- +[⬅️ Back](../Objectives.md) 
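Review bot: the entry under `Give user1 sudo access to run fdisk -l and reboot` is `user1 ALL=(ALL) /sbin/fdisk -l, /sbin/reboot, /bin/passwd, !/bin/passwd root`, which also grants `passwd`; the `/bin/passwd, !/bin/passwd root` part belongs only to the next example. That next example deserves a security caveat: `!/bin/passwd root` excludes only that exact argument list, and `passwd` parses options with getopt, so `sudo passwd -- root` does not match the excluded pattern yet still changes root's password; sudoers(5) itself warns that subtracting commands with `!` is not a security boundary. Likewise `/sbin/fdisk -l` matches only that exact invocation (`fdisk -l /dev/sda` is refused), which is worth stating since the `sudo -l` output does not make argument matching obvious. Minor: `give the user 'victor'` should be `gives`.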
diff --git a/markdown/9-Manage-security/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables.md b/markdown/9-Manage-security/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables.md new file mode 100644 index 0000000..63a2c61 --- /dev/null +++ b/markdown/9-Manage-security/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables.md 
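Review bot: the `9.b` link is `9b-create-and-use-file-access-control-lists` without the `.md` extension that every other entry in this list carries, so it will not resolve in the rendered site; change it to `9b-create-and-use-file-access-control-lists.md`.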
@@ -0,0 +1,179 @@ +# 9.a Configure firewall settings using firewall-config, firewall-cmd, or iptables + +## IPv4 Forwarding + +I'm not sure why this is a topic that is covered on many online and study sources, but it appears that enabling IP forwarding is part of the RHCSA exam, even thou it's not listed in the exam objectives (it may be left over from RHCSA v7 exam). + +Enabling IP forwarding is something that you would on a router, or potentially on a VPN server. It allows incoming traffic directed to a different IP to flow through the configured interface. With firewalld enabled, you would also need to configure rules for this to work. + +### Enabling IPv4 Forwarding + +#### Runtime + + # sysctl -w net.ipv4.ip_forward=1 + net.ipv4.ip_forward = 1 + +#### Permanent + +Add 'net.ipv4.ip_forward = 1' to '/etc/sysctl.conf + +Load sysctl + + # sysctl -p + net.ipv4.ip_forward = 1 + +**📌 EXAM TIP:** _If you can't remember the option, run `sysctl -a | grep ipv4 | grep forward` to get a list of options_ + +## Definitions + +Firewall interaction in kernel is handled by netfilter + +>"Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers." + +Pre RHEL 7, `iptables` was the way to interact with netfilter. + +Today, `firewall-cmd` (`firewalld`) is the new way to interact with netfilter. + +## firewalld and firewall-cmd + +Install the two packages if needed: +- firewalld +- firewall-config + +Start and enable the service if needed. 
+ +### Firewalld Service + +Listing service status via systemd + + # systemctl status firewalld.service + ● firewalld.service - firewalld - dynamic firewall daemon + Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) + Active: active (running) since Wed 2020-11-25 14:45:39 EST; 3 days ago + Docs: man:firewalld(1) + Main PID: 1155 (firewalld) + Tasks: 3 (limit: 12285) + Memory: 11.3M + CGroup: /system.slice/firewalld.service + └─1155 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid + +Listing service status via firewall-cmd + + # firewall-cmd --state + running + +### Runtime vs Persistent (Permanent) + +The runtime configuration is the actual effective configuration and applied to the firewall in the kernel. At firewalld service start the permanent configuration becomes the runtime configuration. Changes in the runtime configuration are not automatically saved to the permanent configuration. + +- **Runtime** - Change is automatic +- **Permanent** - Change stays with reboot + +To remove current changes, or reload changes (overrides all runtime changes with config from permanent config) + + # firewall-cmd --reload + +To save changes to permanent, without adding it to runtime (for port 80 TCP) + + # firewall-cmd --add-port=80/tcp --permanent + +Add changes to runtime + + # firewall-cmd --add-port=80/tcp + +To save changes from runtime to permanent + + # firewall-cmd --runtime-to-permanent + +Save changes to permanent and then to runtime + + # firewall-cmd --add-port=80/tcp --permanent + + # firewall-cmd --reload + +### Firewall Zones + +The firewalld daemon manages groups of rules using entities called “zones”. Zones are basically sets of rules dictating what traffic should be allowed depending on the level of trust you have in the networks your computer is connected to. 
+ +#### Commands + +List zones + + # firewall-cmd --get-zones + +Get default zone + + # firewall-cmd --get-default-zone + +List everything added for or enabled in all zones + + # firewall-cmd --list-all-zones + +List everything added for or enabled in zone + +**📝 NOTES** *Most of the commands, without a zone name will list/change the default zone* + + # firewall-cmd --list-all {--zone=[zone]} + +Add the http service (runtime) + + # firewall-cmd --add-service=http {--zone=[zone]} + +Add the http service (permanent, not runtime) + + # firewall-cmd --add-service=http --permanent {--zone=[zone]} + +### Services + +List enabled services in a zone + + # firewall-cmd {--zone=[zone]} --list-services + +List all predefined services + + # firewall-cmd --get-services {--zone=[zone]} + +Get predefined ports of a service + + # firewall-cmd --permanent --service=ssh --get-ports + 22/tcp + +## GUI Interface + +You can also use a GUI (`firewall-config`) to configure the firewall. The UI is very intuitive. + +It may not be installed by default, but you should be able to install it. + + # dnf list firewall-config + Updating Subscription Management repositories. + Last metadata expiration check: 0:00:59 ago on Wed 16 Dec 2020 09:01:00 AM EST. + Available Packages + firewall-config.noarch 0.8.2-2.el8 rhel-8-for-x86_64-appstream-rpms + +![](9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables-97b60.png) + +### Using firewall-confid via SSH + +RHEL 8 by default is using Wayland. While you should not have any issues in running `firewall-config` on the box, if for some reason you need to run it via SSH, follow the steps below. + +If X11 does not work, check if either X11 or Wayland are installed `rpm -qa`. 
If they are not, you will need to install: +- xorg-x11-server-Xorg +- xorg-x11-xauth + +Make sure that X11 forwarding (`/etc/ssh/sshd_config`) and/or X11 trusted forwarding (`/etc/ssh/ssh_config.d/05-redhat.conf`) are enabled. + +SSH with `-X` or `-Y` and you should be able to run `firewall-config`. + + + +--- + +#### Additional Info + +**See man pages for:** +- firewalld (1) - Dynamic Firewall Manager +- firewall-cmd (1) - firewalld command line client +- firewall-config (1) - firewalld GUI configuration tool + +--- +[⬅️ Back](9-manage-security.md) diff --git a/markdown/9-Manage-security/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables-97b60.png b/markdown/9-Manage-security/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables-97b60.png new file mode 100644 index 0000000..58fe722 Binary files /dev/null and b/markdown/9-Manage-security/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables-97b60.png differ diff --git a/markdown/9-Manage-security/9b-create-and-use-file-access-control-lists.md b/markdown/9-Manage-security/9b-create-and-use-file-access-control-lists.md new file mode 100644 index 0000000..870ada9 --- /dev/null +++ b/markdown/9-Manage-security/9b-create-and-use-file-access-control-lists.md 
@@ -0,0 +1,162 @@ +# 9.b Create and use file access control lists + +## ACLS + +**Commands:** +- acl (5) - Access Control Lists +- getfacl (1) - get file access control lists +- setfacl (1) - set file access control lists + +ACLs allows for a more granular permission structure on top of the existing file permission. It is designed to assist with the default/basic UNIX file permissions. ACL allows you to give permissions for any user or group to any disk resource. +While a 'dot' indicates that it has an extended attribute (usually related to 'selinux') + + # ls -l /etc/profile + -rw-r--r--. 1 root root 2078 Sep 10 2018 /etc/profile + +A plus it indicates that an ACL is applied to it. + + # ll logins.txt + -rwxr-xr--+ 1 root root 4.1K Nov 29 14:40 logins.txt + +You can get the current ACL attribute of a file with 'getfacl': + + # getfacl /etc/profile + getfacl: Removing leading '/' from absolute path names + # file: etc/profile + # owner: root + # group: root + user::rw- + group::r-- + other::r-- + +Example 1 + + # ll + total 0 + drwxr-xr-x+ 2 smith agents 6 Mar 10 19:41 agents + drwxr-xr-x. 2 morpheus resistance 6 Mar 10 19:41 resistance + +The folder 'agents' has: +- Basic permission: u:rwx, g:rx, o:rx +- ACL + - Group resistance: rx + + # getfacl * + # file: agents + # owner: smith + # group: agents + user::rwx + group::r-x + group:resistance:r-x + mask::r-x + other::r-x + +The folder 'resistance' has: +- Basic permission: u:rwx, g:rx, o:rx +- ACL: none + + # file: resistance + # owner: morpheus + # group: resistance + user::rwx + group::r-x + other::r-x + +### Masks + +ACL masks show the current maximum permission. The ACL permission will always be dependent on standard permission. 
+ + # ll logins.txt + -rwxr-xr--+ 1 root root 4.1K Nov 29 14:40 logins.txt + +The file 'logins.txt' has: +- Basic permission: u:rwx, g:rx, o:r +- ACL + - Group users: rx + - Group it-sup: w (modified by the mask essentially removing all permission) + - Mask: rx + + # getfacl logins.txt + # file: logins.txt + # owner: root + # group: root + user::rwx + group::r-x + group:users:r-- + group:it-sup:-w- #effective:--- + mask::r-x + other::r-- + +### Enabling ACL + +ACL should be enabled by default on newer versions of ext4 and xfs. If it's not, you can enable as a mount option: + + UUID=d207977a-8541-4cd3-b4e4-ea9b9ef13ca9 /mnt/ext4 ext4 defaults,acl 0 2 + +## Commands + +### Adding permission + +Add user permission ACL (`-m` to modify) + + # setfacl -m u:username:rwx [file] + +Add group permission ACL + + # setfacl -m g:groupname:rwx [file] + +You can also set the basic permission with setfacl + + # setfacl -m g::rw logins.txt + +Is the same as + + # chomod g=rw logins.txt + +When adding ACL permission, you can specify multiple rules + + # setfacl u::rw-,u:lisa:rw-,g::r--,g:toolies:rw-,m::r--,o::r-- [file] + +Adding a mask + + # setfacl -m m:rw [file] + +Set a default ACL for new files created. All new files in the directory will have the specified ACL + + # setfacl -d -m u:username:rwx [dir] + +**📝 NOTE:** _Only directories can have default ACL_ + +### Removing ACL + +Remove specific ACL + + # setfacl -x u:username:rwx [file] + +Remove all ACLs + + # setfacl -b [file] + +Use '-R' to run recursively + + # setfacl -R -m u:username:rwx [file] + +Remove the default ACL + + # setfacl -k [dir] + +### Other Options + +Copy ACL from one file to another + + # getfacl [file1] | setfacl --set-file=- file2 + +Backup ACL of all files in a folder + + # getfacl -R [dir] > [backup file] + +Restore ACL for all files in a folder from a backup file (you don't have to specify the folder. 
Just make sure you are in the parent folder of the target folder) + + # setfacl --restore=[backup file] +--- +[⬅️ Back](9-manage-security.md) diff --git a/markdown/9-Manage-security/9c-configure-key-based-authentication-for-ssh.md b/markdown/9-Manage-security/9c-configure-key-based-authentication-for-ssh.md new file mode 100644 index 0000000..135f22d --- /dev/null +++ b/markdown/9-Manage-security/9c-configure-key-based-authentication-for-ssh.md 
@@ -0,0 +1,111 @@ +# 9.c Configure key-based authentication for SSH + +## Overview of SSH + +**Packages** +- openssh-server +- openssh-clients + +**Service** +- sshd.service + +**Server Configuration Files** +- System - /etc/ssh/sshd_config +- User - ~/.ssh/authorized_keys + +**Client Configuration Files** +- System - /etc/ssh/ssh_config +- User - ~/.ssh/config + +**Commands:** +- sshd_config (5) - OpenSSH SSH daemon configuration file +- ssh_config (5) - OpenSSH SSH client configuration files +- ssh (1) - OpenSSH SSH client (remote login program) +- ssh-keygen (1) - authentication key generation, management and conversion +- ssh-copy-id (1) - use locally available keys to authorize logins on a remote machine + +## Server Configuration + +Commonly used configuration (good to know). They reside in '/etc/ssh/sshd_config'. + +Enable 'root' login + + PermitRootLogin yes + +Enable password authentication (keyless login) + + PasswordAuthentication yes + +Change the port for SSH + + Port 22 + +Change the listen IP for SSH + + ListenAddress 0.0.0.0 + +## Keyless Login + +With keyless login you specify the remote user and the remote server to login to. SSH will prompt for the remote user password (if password login is allowed in '/etc/ssh/sshd_config'). + + # ssh user@server + +## Key-based Login + +a. First you need to create the keys on the client with 'ssh-keygen' + +This command will: +- Create the ~/.ssh folder with the proper permissions (0700) +- Create the public key (used on the server) with the proper permissions (0600) +- Create the private key (used on the client machine) + +**📝 NOTES:** +- You can give a passphrase (similar to a password) to the key upon creation. You will need to supply the passphrase when trying to access the server +- Multiple key types can be used (RSA, DSA, etc.) + + # ssh-keygen + Generating public/private rsa key pair. + Enter file in which to save the key (/root/.ssh/id_rsa): + Created directory '/root/.ssh'. 
+ Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /root/.ssh/id_rsa. + Your public key has been saved in /root/.ssh/id_rsa.pub. + The key fingerprint is: + SHA256:UKiiZrSSEpTHK4OTavsyrXjLe2DXUk6nF4IXYuZgPzY root@rhel8-lab + The key's randomart image is: + +---[RSA 3072]----+ + | o .. | + | ooo+ o. | + |oo.*.+.. | + |=+..E =.o | + |o=+o O +S. | + |*=o o + . | + |*.oo . . | + |.=... | + |.oO= | + +----[SHA256]-----+ + +b. After you can use the `ssh-copy-id` script to copy the public key to the server + +The script will: ++ Attempt to login with the key (to avoid copies) ++ Prompt you for the remote user password ++ Create `~/.ssh` on the remote server with the right permission (0700) ++ Create `~/.ssh/authorized_keys` (if needed) on the remote server with the right permission (0600) ++ Copy the public key to `~/.ssh/authorized_keys` on the remote server + + # ssh-copy-id root@server + /bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" + The authenticity of host 'server (::1)' can't be established. + ECDSA key fingerprint is SHA256:+Smq+fuyAF6UYeB0C7SxZSVgUg/s/gOFziZlh7dhA+o. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + /bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed + /bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys + root@server's password: + Number of key(s) added: 1 + + Now try logging into the machine, with: "ssh 'root@server'" + and check to make sure that only the key(s) you wanted were added. +--- +[⬅️ Back](9-manage-security.md) diff --git a/markdown/9-Manage-security/9d-set-enforcing-and-permissive-modes-for-selinux.md b/markdown/9-Manage-security/9d-set-enforcing-and-permissive-modes-for-selinux.md new file mode 100644 index 0000000..9085ef2 --- /dev/null 
+++ b/markdown/9-Manage-security/9d-set-enforcing-and-permissive-modes-for-selinux.md 
@@ -0,0 +1,112 @@ +# 9.d Set enforcing and permissive modes for SELinux + +**Commands:** +- selinux (8) - NSA Security-Enhanced Linux (SELinux) +- sestatus (8) - SELinux status tool +- setenforce (8) - modify the mode SELinux is running in +- getenforce (8) - get the current mode of SELinux +- selinuxenabled (8) - tool to be used within shell scripts to determine if selinux is enabled +- system-config-selinux (8) - SELinux Management tool (GUI) + +## SELinux Definition + +Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls. SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. + +SELinux defines what process can have access to what files on a system. It does that by labeling every file, port, and socket with a context. + +### How does SELinux work? + +SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed, to enforce the access allowed by a policy. + +When an application or process, known as a subject, makes a request to access an object, like a file, SELinux checks with an access vector cache (AVC), where permissions are cached for subjects and objects. + +If SELinux is unable to make a decision about access based on the cached permissions, it sends the request to the security server. The security server checks for the security context of the app or process and the file. Security context is applied from the SELinux policy database. Permission is then granted or denied. + +If permission is denied, an "avc: denied" message will be available in /var/log/messages. + +### Labeling + +SELinux works as a labeling system, which means that all of the files, processes, and ports in a system have an SELinux label associated with them. 
Labels are a logical way of grouping things together. The kernel manages the labels during boot. + +Labels are in the format 'user:role:type:level' (level is optional). User, role, and level are used in more advanced implementations of SELinux, like with MLS. Label type is the most important for targeted policy. + +### Modes + +- **enforcing** - SELinux security policy is enforced. +- **permissive** - SELinux prints warnings instead of enforcing. Great for troubleshooting. +- **disabled** - No SELinux policy is loaded + +**⚠️ WARNING:** _Disabling SELinux is strongly discouraged. Best approach is to run it in 'permissive' mode and work to fix possible issues._ + +### Policies + +You can define which policy you will run by setting the SELINUXTYPE environment variable within `/etc/selinux/config`. You must reboot and possibly relabel if you change the policy type to have it take effect on the system. The corresponding policy configuration for each such policy must be installed in the `/etc/selinux/{SELINUXTYPE}/` directories. + +- **targeted** - Targeted processes are protected (default) +- **minimum** - Modification of targeted policy. Only selected processes are protected. +- **mls** - Multi Level Security protection. + +## Working With Modes + +### Viewing the Current Mode + +Use `getenforce` + + # getenforce + Enforcing + +Or for more info, `sestatus` + + # sestatus + SELinux status: enabled + SELinuxfs mount: /sys/fs/selinux + SELinux root directory: /etc/selinux + Loaded policy name: targeted + Current mode: enforcing + Mode from config file: enforcing + Policy MLS status: enabled + Policy deny_unknown status: allowed + Memory protection checking: actual (secure) + Max kernel policy version: 32 + +### Changing Modes + +If you are enabling SELinux for the first time it's advisable to enable (preferably set to permissive) it in `/etc/selinux/config`, set the filesystem to auto relabel and then reboot. 
+ +#### Via Command Line + +Allows you to change between permissive and enforcing. + +To enable enforcing + + # setenforce = 1 + +To enable permissive + + # setenforce = 0 + +#### On Next Boot + +Edit `/etc/selinux/config` and set `SELINUX=` to either 'enforcing', 'permissive' or 'disabled' + + SELINUX=enforcing + +Reboot + + # reboot + +#### Changing SELinux Modes at Boot Time + +On boot, you can set several kernel parameters to change the way SELinux runs: + ++ `enforcing=1` + + Setting this parameter causes the machine to boot in enforcing mode. ++ `enforcing=0` + + Setting this parameter causes the machine to boot in permissive mode, which is useful when troubleshooting issues. ++ `selinux=0` + + This parameter causes the kernel to not load any part of the SELinux infrastructure. + +**⚠️ WARNING:** _Using the selinux=0 parameter is not recommended. To debug your system, prefer using permissive mode._ + +--- +[⬅️ Back](9-manage-security.md) diff --git a/markdown/9-Manage-security/9e-list-and-identify-selinux-file-and-process-context.md b/markdown/9-Manage-security/9e-list-and-identify-selinux-file-and-process-context.md new file mode 100644 index 0000000..c43d6d0 --- /dev/null +++ b/markdown/9-Manage-security/9e-list-and-identify-selinux-file-and-process-context.md 
@@ -0,0 +1,67 @@ +# 9.e List and identify SELinux file and process context + +**Commands:** +- ls (1) - list directory contents +- secon (1) - See an SELinux context, from a file, program or user input. + +## SELinux Contexts + +All files, directories, devices have a security context/label associated with them. These context are stored in the extended attributes of the file system. + +### List All Contexts + + # semanage fcontext -l + +### Viewing Context of Files + +You can use the 'ls' command to view context of files. + +Viewing context of files + + # ls -Z + system_u:object_r:admin_home_t:s0 anaconda-ks.cfg + system_u:object_r:admin_home_t:s0 initial-setup-ks.cfg + unconfined_u:object_r:admin_home_t:s0 install.file + unconfined_u:object_r:admin_home_t:s0 install.file.rpm + unconfined_u:object_r:admin_home_t:s0 my_repo + unconfined_u:object_r:admin_home_t:s0 test_file.txt + +Viewing context for a file with long listing + + # ls -lZ /etc/ssh/ssh_config.d/05-redhat.conf + -rw-r--r--. 1 root root system_u:object_r:etc_t:s0 831 Feb 4 16:01 05-redhat.conf + +Viewing the context of a file with 'secon' + + # secon -f /etc/ssh/ssh_config.d/05-redhat.conf + user: system_u + role: object_r + type: etc_t + sensitivity: s0 + clearance: s0 + mls-range: s0 + +### Viewing Context of Processes + +Viewing context for a process (`ps auxZ`, `ps -efZ` or `ps -efM`) + + # ps -efZ | grep httpd + system_u:system_r:httpd_t:s0 root 12462 1 0 17:42 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND + system_u:system_r:httpd_t:s0 apache 12463 12462 0 17:42 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND + system_u:system_r:httpd_t:s0 apache 12464 12462 0 17:42 ? 00:00:01 /usr/sbin/httpd -DFOREGROUND + system_u:system_r:httpd_t:s0 apache 12465 12462 0 17:42 ? 00:00:01 /usr/sbin/httpd -DFOREGROUND + system_u:system_r:httpd_t:s0 apache 12466 12462 0 17:42 ? 00:00:01 /usr/sbin/httpd -DFOREGROUND + system_u:system_r:httpd_t:s0 apache 12803 12462 0 18:45 ? 
00:00:00 /usr/sbin/httpd -DFOREGROUND + unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 12883 11680 0 18:47 pts/0 00:00:00 grep --color=auto httpd + +Displaying process context with 'secon' + + # secon -p 1495 + user: system_u + role: system_r + type: httpd_t + sensitivity: s0 + clearance: s0 + mls-range: s0 +--- +[⬅️ Back](9-manage-security.md) diff --git a/markdown/9-Manage-security/9f-restore-default-file-contexts.md b/markdown/9-Manage-security/9f-restore-default-file-contexts.md new file mode 100644 index 0000000..b53e3fb --- /dev/null +++ b/markdown/9-Manage-security/9f-restore-default-file-contexts.md 
@@ -0,0 +1,100 @@ +# 9.f Restore default file contexts + +## Changing SELinux Context + +### Temporarily Changing Context + +You can use `chcon` to temporarily change the context of files. + +**⚠️ WARNING:** _Changes with `chcon` will not survive `restorecon` or system relabel._ + +Changing the context of a file + + # chcon unconfined_u:object_r:tmp_t:s0 test_file.txt + +Changing just the context type of a file + + # chcon -t [context_type] [file] + +For example + + # ls -lZ /tmp/test + -rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 403 Dec 1 13:48 /tmp/test + +Change the context from 'user_tmp_t' to 'tmp_t' + + # chcon -t tmp_t /tmp/test + +Confirm the changes + + # ls -lZ /tmp/test + -rw-r--r--. 1 root root unconfined_u:object_r:tmp_t:s0 403 Dec 1 13:48 /tmp/test + +Changing a the context of a directory recursively + + # chcon -R [context] [dir] + +### Persistently Changing Context + +Make change persistent, even after relabeling (use absolute path) + + # semanage fcontext -a -t [context_type] [/absolut/path/to/file] + + # restorecon [/absolut/path/to/file] + +Changes context of all files in '/root/my_web' (existing and future files) (use absolute path) + + # semanage fcontext -a -t httpd_sys_content_t '/root/my_web(/.*)?' + + # restorecon -R my_web + + # lz my_web/ + unconfined_u:object_r:httpd_sys_content_t:s0 httpd + +️**⚠️ WARNING:** _`semanage` only changes SELinux database. After running `semanage` you will need to run `restorecon` to apply the configuration from the SELinux DB._ + +## Restore Context + +### Restore File Context + +`restorecon` can also be run at any other time to correct inconsistent labels, to add support for newly installed policy or, by using the -n option, to passively check whether the file contexts are all set as specified by the active policy (default behavior). + +If a file object does not have a context, restorecon will write the default context to the file object's extended attributes. 
If a file object has a context, restorecon will only modify the type portion of the security context. The -F option will force a replacement of the entire context. + +Relabeling will restore back context for files. You can restore the context for specific files and directories, or for the whole system (like when booting with 'rd.break' after reseting the root password). + +Restore context of a file + + # restorecon [file] + +Restore the context of a directory recursively with verbose + + # restorecon -R -v [dir] + +### Restore System Context / System Relabel and Restore + +You can restore the SELinux context for the whole filesystem with 3 ways: + +#### autorelabel + + # touch /.autorelabel + + # reboot + +#### fixfiles + +'fixfiles onboot' will setup the machine to relabel on the next reboot. + + # fixfiles onboot + + # reboot + +#### On boot + +Use the 'autorelabel' boot parameter to force a system relabel. + +- `autorelabel=1` + - This parameter forces the system to relabel similarly to the previous commands + +--- +[⬅️ Back](9-manage-security.md) diff --git a/markdown/9-Manage-security/9g-use-boolean-settings-to-modify-system-selinux-settings.md b/markdown/9-Manage-security/9g-use-boolean-settings-to-modify-system-selinux-settings.md new file mode 100644 index 0000000..49c495f --- /dev/null +++ b/markdown/9-Manage-security/9g-use-boolean-settings-to-modify-system-selinux-settings.md 
@@ -0,0 +1,87 @@ +# 9.g Use boolean settings to modify system SELinux settings + +## SELinux Booleans + +Booleans are on/off settings for functions in SELinux. There are hundreds of settings that can turn SELinux capabilities on or off, and many are already predefined. + +### Listing Booleans + +Use 'getsebool' to get current booleans and their values. + +Get status on a specific boolean + + # getsebool httpd_enable_cgi + httpd_enable_cgi --> on + +List all booleans + + # getsebool -a | head -n 4 + abrt_anon_write --> off + abrt_handle_event --> off + abrt_upload_watch_anon_write --> on + antivirus_can_scan_system --> off + +_You can also use 'semanage'_ + + # semanage boolean -l | head -n 4 + SELinux boolean State Default Description + abrt_anon_write (off , off) Allow ABRT to modify public files used for public file transfer services. + abrt_handle_event (off , off) Determine whether ABRT can run in the abrt_handle_event_t domain to handle ABRT event scripts. + +_Or 'sestatus -b'_ + + # sestatus -b | tail -n 4 + zarafa_setrlimit off + zebra_write_config off + zoneminder_anon_write off + zoneminder_run_sudo off + +**Examples** + +List all enabled booleans + + # getsebool -a | grep ' on' + +Getting info on SQL booleans + + # getsebool -a | grep -i sql + mysql_connect_any --> off + mysql_connect_http --> off + postgresql_can_rsync --> off + postgresql_selinux_transmit_client_label --> off + postgresql_selinux_unconfined_dbadm --> on + postgresql_selinux_users_ddl --> on + selinuxuser_mysql_connect_enabled --> off + selinuxuser_postgresql_connect_enabled --> off + +Getting additional information on boolean (not part of RHCSA v8 and requires the `setools-console` package) + + # sesearch -b httpd_execmem -A + allow httpd_suexec_t httpd_suexec_t:process { execmem execstack }; [ httpd_execmem ]:True + allow httpd_sys_script_t httpd_sys_script_t:process { execmem execstack }; [ httpd_execmem ]:True + allow httpd_t httpd_t:process { execmem execstack }; [ httpd_execmem 
]:True + +### Changing Boolean Values + +Booleans can be set for runtime or persistent (survives reboots) + +#### Runtime + +Configures a policy for runtime + + # setsebool httpd_enable_cgi on + +In some systems you can also use `togglesebool` + + # togglesebool httpd_enable_cgi + +**💡 TIP:** _switching booleans on runtime only is fast and helps you to debug problems_ + +#### Persistent + +To make the change persistent, use the `-P` option with `setsebool` + + # setsebool -P httpd_enable_cgi on + +--- +[⬅️ Back](9-manage-security.md) diff --git a/markdown/9-Manage-security/9h-diagnose-and-address-routine-selinux-policy-violations.md b/markdown/9-Manage-security/9h-diagnose-and-address-routine-selinux-policy-violations.md new file mode 100644 index 0000000..e3c2be7 --- /dev/null +++ b/markdown/9-Manage-security/9h-diagnose-and-address-routine-selinux-policy-violations.md 
@@ -0,0 +1,141 @@ +# 9.h Diagnose and address routine SELinux policy violations + +## Troubleshooting SELinux Issues + +### Sealert (setroubleshoot) + +`sealert` is the user interface component (either GUI or command line) to the setroubleshoot system. setroubleshoot is used to diagnose SELinux denials and attempts to provide user friendly explanations for a SELinux denial (e.g. AVC) and recommendations for how one might adjust the system to prevent the denial in the future. + +Requires the packages: +- setroubleshoot-server +- setroubleshoot-plugins + + +**📌 EXAM TIP:** _Use `dnf provides sealert` if you can't remember the package name_ + +You can ask `sealert` to analyze errors in a log file + + # sealert -a /var/log/audit/audit.log + 100% done + found 0 alerts in /var/log/audit/audit.log + +If problems are found, 'sealert' will provide with a possible solution + + -------------------------------------------------------------------------------- + SELinux is preventing /usr/bin/chcon from using the mac_admin capability. + ***** Plugin catchall (100. confidence) suggests ************************** + If you believe that chcon should have the mac_admin capability by default. + Then you should report this as a bug. + You can generate a local policy module to allow this access. 
+ Do + allow this access for now by executing: + # ausearch -c 'chcon' --raw | audit2allow -M my-chcon + # semodule -X 300 -i my-chcon.pp + Additional Information: + Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 + 023 + Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 + 023 + Target Objects Unknown [ capability2 ] + Source chcon + Source Path /usr/bin/chcon + Port + Host + Source RPM Packages coreutils-8.30-8.el8.x86_64 + Target RPM Packages + SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch + Local Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch + Selinux Enabled True + Policy Type targeted + Enforcing Mode Enforcing + Host Name rhel8-lab + Platform Linux rhel8-lab 4.18.0-240.1.1.el8_3.x86_64 #1 SMP + Fri Oct 16 13:36:46 EDT 2020 x86_64 x86_64 + Alert Count 1 + First Seen 2020-12-01 13:47:36 EST + Last Seen 2020-12-01 13:47:36 EST + Local ID c7afc8cf-fce0-44e6-9c78-cb72ee617c6b + +### ausearch + +`ausearch` is a tool that can query the audit daemon logs ('/var/log/audit/audit.log') for events based on different search criteria. 
+ +Search all denials + + # ausearch -m avc + +Search for denials for today + + # ausearch -m avc -ts today + +Search for denials from the last 10 minutes + + # ausearch -m avc -ts recent + +To search for SELinux denials for a particular service + + # ausearch -c httpd + +Looking at the same error that we saw with 'sealert' for 'chcon' + + # ausearch -c chcon + ---- + time->Tue Dec 1 13:47:36 2020 + type=PROCTITLE msg=audit(1606848456.637:8732): proctitle=6368636F6E002D740074656D705F7400746573745F66696C652E747874 + type=SYSCALL msg=audit(1606848456.637:8732): arch=c000003e syscall=188 success=no exit=-22 a0=55ae4005e4f0 a1=7f52bd1fadde a2=55ae4005fbf0 a3=20 items=0 ppid=3146 pid=43817 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) + type=SELINUX_ERR msg=audit(1606848456.637:8732): op=setxattr invalid_context="unconfined_u:object_r:temp_t:s0" + type=AVC msg=audit(1606848456.637:8732): avc: denied { mac_admin } for pid=43817 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0 + +### Systemd + +You can also use `journalctl` to get information on SELinux issues (looking at the same message that we saw in `sealert` for `chcon`) + + Dec 01 13:47:42 rhel8-lab setroubleshoot[43819]: SELinux is preventing chcon from using the mac_admin capability. For complete SELinux messages run: sealert -l e30f49b8-93b4-403f-9fc2-f0cf4aa98732 + Dec 01 13:47:42 rhel8-lab setroubleshoot[43819]: SELinux is preventing chcon from using the mac_admin capability. + ***** Plugin catchall (100. confidence) suggests ************************** + If you believe that chcon should have the mac_admin capability by default. + Then you should report this as a bug. + You can generate a local policy module to allow this access. 
+ Do + allow this access for now by executing: + # ausearch -c 'chcon' --raw | audit2allow -M my-chcon + # semodule -X 300 -i my-chcon.pp + +### Getting More Information + +We can use `audit2why` to get a description from a denied message. + +Here we analyze the same `chcon` message that we saw before + + # ausearch -c chcon | audit2why + type=AVC msg=audit(1606848456.637:8732): avc: denied { mac_admin } for pid=43817 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0 + + Was caused by: + Missing type enforcement (TE) allow rule. + + You can use audit2allow to generate a loadable module to allow this access. + +You can also list all the errors with + + # auditwhy -a + +## Adding a New Module + +Sometimes adding a new context might not be the best option, so you can create and install a new module instead. + +Run `ausearch` for a specific command name (for example, httpd). This should give you additional information on something that might be blocked by SELinux. + + # ausearch -c 'httpd' + +You can then pipe the output of that commad to `audit2allow` (which generates SELinux policy from logs) + + # ausearch -c 'httpd' --raw | audit2allow -M myhttpd + +This generates 2 module files, 'myhttpd.pp' (binary) and 'myhttpd.te' (text) + +To enable the module use + + # semodule -i myhttpd.pp + +--- +[⬅️ Back](9-manage-security.md) diff --git a/markdown/Additional-Resources.md b/markdown/Additional-Resources.md new file mode 100644 index 0000000..1bec146 --- /dev/null +++ b/markdown/Additional-Resources.md 
@@ -0,0 +1,68 @@ +Additional Resouces +=== + +Videos +--- + +Computers, Security & Gadgets has compiled an amazing content for the RHCSA v8 exam. There are a total of 68 videos that cover all the objectives for the exam. This is a must for anyone preparing for the exam. + +[RHCSA RHEL 8 - (Red Hat Certified System Administrator) - YouTube](https://www.youtube.com/playlist?list=PLsSTa0x6YacC2jNX9iV1ukbA8g4mcTfdE) + +Chats +--- + +These are Red Hat certification study chat groups that can greatly help you with your study and any questions you might have. + +#### Slack - Red Hat Certs + +https://redhat-certs.slack.com/ + +This study group was created by rd.break and has almost 4k users. The group includes separate channels for RHCSA, RHCE and RHCA. + +#### Discord - Computers, Security & Gadgets + +Invite Link - https://discord.com/invite/kBQ6Jry + +This another group, created by 'Computers, Security & Gadgets', that aims to help on the videos as well as study content for the RHCSA exam. + +Environments +--- + +Virtualized environments with Red Hat Enterprise 8 that you can use to practice everything that you will learn. + +#### Official VirtualBox Install from Red Hat +[RHEL 8 VirtualBox Quick Install](https://developers.redhat.com/rhel8/install-rhel8-vbox) + +Official guide from Red Hat on installing RHEL 8 with a Developer subscription on VirtualBox. + +#### Vagrant Boxes + +[Vagrant Cloud](https://app.vagrantup.com/boxes/search?utf8=%E2%9C%93&sort=downloads&provider=&q=rhel8) + +You can use existing pre-built images from Vagrant Cloud. + +**📌 TIP:** *After you build the box, you can also subscribe to a Red Hat developer subscription so you can run 'dnf' (and many other commands)* + +Labs +--- + +#### RHCSA 8 Automated Practice Deployment + +[GitHub - rdbreak/rhcsa8env](https://github.com/rdbreak/rhcsa8env) + +This is a RHCSA8 study environment built with Vagrant/Ansible. 
+ +The aim is to have a reusable exam environment to take different practice exams without having to build it up manually every time. + +#### RHCSA 8 Lab environment +[GitHub - johnrwhitaker/rhcsa8lab](https://github.com/johnrwhitaker/rhcsa8lab) + +RHCSA 8 Lab environment. Powered by Ansible, Vagrant & VirtualBox + +Practice Questions +--- + ++ [rhcsa-practice-questions · GitHub](https://github.com/chlebik/rhcsa-practice-questions/tree/master/questions) + +--- +[⬅️ Back](../README.md) diff --git a/markdown/Exam-Format.md b/markdown/Exam-Format.md new file mode 100644 index 0000000..714eb98 --- /dev/null +++ b/markdown/Exam-Format.md @@ -0,0 +1,20 @@ +Exam Format +=== + +**Duration:** 3 hours + +**Cost:** $400 USD + +**Exam Types:** ++ Individual Exam + - Remote Exam (***new***) ++ Classroom Exam ++ On-site Exam + +***More details on remote exam*** + ++ [Getting Ready for your Red Hat Remote Exam](https://learn.redhat.com/t5/Certification-Resources/Getting-Ready-for-your-Red-Hat-Remote-Exam/ba-p/12690) ++ [Red Hat Certification remote exams frequently asked questions](https://www.redhat.com/en/resources/certification-remote-exams-FAQ) ++ [Questions about getting ready for your Red Hat remote exam?](https://learn.redhat.com/t5/General/Questions-about-getting-ready-for-your-Red-Hat-remote-exam/m-p/13216#M866) +--- +[⬅️ Back](../README.md) diff --git a/markdown/Objectives.md b/markdown/Objectives.md new file mode 100644 index 0000000..fcd4b1d --- /dev/null +++ b/markdown/Objectives.md 
@@ -0,0 +1,112 @@ +Objectives +=== +[Red Hat Certified System Administrator (RHCSA) exam - EX200](https://www.redhat.com/en/services/training/ex200-red-hat-certified-system-administrator-rhcsa-exam?section=Objectives#Objectives) + +## Study points for the exam. + +RHCSA exam candidates should be able to accomplish the tasks below without assistance. These have been grouped into several categories. + +**📝 NOTE:** *The first few objectives are currently a bit crude with very short info. Feel free to add your study notes and help improve the documentation.* + +### [1. Understand and use essential tools](1-Understand-and-use-essential-tools/1-Understand-and-use-essential-tools.md) + ++ [1.a Access a shell prompt and issue commands with correct syntax](1-Understand-and-use-essential-tools/1a-Access-a-shell-prompt-and-issue-commands-with-correct-syntax.md) ++ [1.b Use input-output redirection (>, >>, |, 2>, etc.)](1-Understand-and-use-essential-tools/1b-Use-input-output-redirection.md) ++ [1.c Use grep and regular expressions to analyze text](1-Understand-and-use-essential-tools/1c-Use-grep-and-regular-expressions-to-analyze-text.md) ++ [1.d Access remote systems using SSH](1-Understand-and-use-essential-tools/1d-Access-remote-systems-using-SSH.md) ++ [1.e Log in and switch users in multiuser targets](1-Understand-and-use-essential-tools/1e-Log-in-and-switch-users-in-multiuser-targets.md) ++ [1.f Archive, compress, unpack, and uncompress files using tar, star, gzip, and bzip2](1-Understand-and-use-essential-tools/1f-Archive-compress-unpack-and-uncompress-files-using-tar-star-gzip-and-bzip2.md) ++ [1.g Create and edit text files](1-Understand-and-use-essential-tools/1g-Create-and-edit-text-files.md) ++ [1.h Create, delete, copy, and move files and directories](1-Understand-and-use-essential-tools/1h-Create-delete-copy-and-move-files-and-directories.md) ++ [1.i Create hard and soft links](1-Understand-and-use-essential-tools/1i-Create-hard-and-soft-links.md) ++ [1.j List, 
set, and change standard ugo/rwx permissions](1-Understand-and-use-essential-tools/1j-List-set-and-change-standard-ugo_rwx-permissions.md) ++ [1.k Locate, read, and use system documentation including man, info, and files in /usr/share/doc](1-Understand-and-use-essential-tools/1k-Locate-read-and-use-system-documentation-including-man-info-and-files-in-_usr_share_doc.md) + +### 2. Create simple shell scripts + ++ 2.a Conditionally execute code (use of: if, test, [], etc.) ++ 2.b Use Looping constructs (for, etc.) to process file, command line input ++ 2.c Process script inputs ($1, $2, etc.) ++ 2.d Processing output of shell commands within a script ++ 2.e Processing shell command exit codes + +### [3. Operate running systems](3-Operate-running-systems/3-Operate-running-systems.md) + ++ [3.a Boot, reboot, and shut down a system normally](3-Operate-running-systems/3a-Boot-reboot-and-shut-down-a-system-normally.md) ++ [3.b Boot systems into different targets manually](3-Operate-running-systems/3b-Boot-systems-into-different-targets-manually.md) ++ [3.c Interrupt the boot process in order to gain access to a system](3-Operate-running-systems/3c-Interrupt-the-boot-process-in-order-to-gain-access-to-a-system.md) ++ [3.d Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes](3-Operate-running-systems/3d-Identify-CPU_memory-intensive-processes-adjust-process-priority-with-renice-and-kill-processes.md) ++ [3.e Adjust process scheduling](3-Operate-running-systems/3e-adjust-process-scheduling.md) ++ [3.f Manage tuning profiles](3-Operate-running-systems/3f-manage-tuning-profiles.md) ++ [3.g Locate and interpret system log files and journals](3-Operate-running-systems/3g-locate-and-interpret-system-log-files-and-journals.md) ++ [3.h Preserve system journals](3-Operate-running-systems/3h-preserve-system-journals.md) ++ [3.i Start, stop, and check the status of network 
services](3-Operate-running-systems/3i-start-stop-and-check-the-status-of-network-services.md) ++ [3.j Securely transfer files between systems](3-Operate-running-systems/3j-securely-transfer-files-between-systems.md) + +### [4. Configure local storage](4-Configure-local-storage/4-Configure-local-storage.md) + ++ [4.a List, create, delete partitions on MBR and GPT disks](4-Configure-local-storage/4a-list-create-delete-partitions-on-mbr-and-gpt-disks.md) ++ [4.b Create and remove physical volumes](4-Configure-local-storage/4b-create-and-remove-physical-volumes.md) ++ [4.c Assign physical volumes to volume groups](4-Configure-local-storage/4c-assign-physical-volumes-to-volume-groups.md) ++ [4.d Create and delete logical volumes](4-Configure-local-storage/4d-create-and-delete-logical-volumes.md) ++ [4.e Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label](4-Configure-local-storage/4e-configure-systems-to-mount-file-systems-at-boot-by-universally-unique-id-uuid-or-label) ++ [4.f Add new partitions and logical volumes, and swap to a system non-destructively](4-Configure-local-storage/4f-add-new-partitions-and-logical-volumes-and-swap-to-a-system-non-destructively.md) + +### [5. 
Create and configure file systems](5-Create-and-configure-file-systems/5-Create-and-configure-file-systems.md) + ++ [5.a Create, mount, unmount, and use vfat, ext4, and xfs file systems](5-Create-and-configure-file-systems/5a-create-mount-unmount-and-use-vfat-ext4-and-xfs-file-systems.md) ++ [5.b Mount and unmount network file systems using NFS](5-Create-and-configure-file-systems/5b-mount-and-unmount-network-file-systems-using-nfs.md) ++ [5.c Extend existing logical volumes](5-Create-and-configure-file-systems/5c-extend-existing-logical-volumes.md) ++ [5.d Create and configure set-GID directories for collaboration](5-Create-and-configure-file-systems/5d-create-and-configure-set-gid-directories-for-collaboration.md) ++ [5.e Configure disk compression](5-Create-and-configure-file-systems/5e-configure-disk-compression.md) ++ [5.f Manage layered storage](5-Create-and-configure-file-systems/5f-manage-layered-storage.md) ++ [5.g Diagnose and correct file permission problems](5-Create-and-configure-file-systems/5g-diagnose-and-correct-file-permission-problems.md) + +### [6. 
Deploy, configure, and maintain systems](6-deploy-configure-and-maintain-systems/6-deploy-configure-and-maintain-systems.md) + ++ [6.a Schedule tasks using at and cron](6-deploy-configure-and-maintain-systems/6a-schedule-tasks-using-at-and-cron.md) ++ [6.b Start and stop services and configure services to start automatically at boot](6-deploy-configure-and-maintain-systems/6b-start-and-stop-services-and-configure-services-to-start-automatically-at-boot.md) ++ [6.c Configure systems to boot into a specific target automatically](6-deploy-configure-and-maintain-systems/6c-configure-systems-to-boot-into-a-specific-target-automatically.md) ++ [6.d Configure time service clients](6-deploy-configure-and-maintain-systems/6d-configure-time-service-clients.md) ++ [6.e Install and update software packages from Red Hat Network, a remote repository, or from the local file system](6-deploy-configure-and-maintain-systems/6e-install-and-update-software-packages-from-red-hat-network-a-remote-repository-or-from-the-local-file-system.md) ++ [6.f Work with package module streams](6-deploy-configure-and-maintain-systems/6f-work-with-package-module-streams.md) ++ [6.g Modify the system bootloader](6-deploy-configure-and-maintain-systems/6g-modify-the-system-bootloader.md) + +### [7. Manage basic networking](7-manage-basic-networking/7-manage-basic-networking.md) + ++ [7.a Configure IPv4 and IPv6 addresses](7-manage-basic-networking/7a-configure-ipv4-and-ipv6-addresses.md) ++ [7.b Configure hostname resolution](7-manage-basic-networking/7b-configure-hostname-resolution.md) ++ [7.c Configure network services to start automatically at boot](7-manage-basic-networking/7c-configure-network-services-to-start-automatically-at-boot.md) ++ [7.d Restrict network access using firewall-cmd/firewall](7-manage-basic-networking/7d-restrict-network-access-using-firewall-cmd-firewall.md) + +### [8. 
Manage users and groups](8-Manage-users-and-groups/8-Manage-users-and-groups.md) + ++ [8.a Create, delete, and modify local user accounts](8-Manage-users-and-groups/8a-Create-delete-and-modify-local-user-accounts.md) ++ [8.b Change passwords and adjust password aging for local user accounts](8-Manage-users-and-groups/8b-Change-passwords-and-adjust-password-aging-for-local-user-accounts.md) ++ [8.c Create, delete, and modify local groups and group memberships](8-Manage-users-and-groups/8c-Create-delete-and-modify-local-groups-and-group-memberships.md) ++ [8.d Configure superuser access](8-Manage-users-and-groups/8d-Configure-superuser-access.md) + +### [9. Manage security](9-Manage-security/9-manage-security.md) + ++ [9.a Configure firewall settings using firewall-config, firewall-cmd, or iptables](9-Manage-security/9a-configure-firewall-settings-using-firewall-config-firewall-cmd-or-iptables.md) ++ [9.b Create and use file access control lists](9-Manage-security/9b-create-and-use-file-access-control-lists) ++ [9.c Configure key-based authentication for SSH](9-Manage-security/9c-configure-key-based-authentication-for-ssh.md) ++ [9.d Set enforcing and permissive modes for SELinux](9-Manage-security/9d-set-enforcing-and-permissive-modes-for-selinux.md) ++ [9.e List and identify SELinux file and process context](9-Manage-security/9e-list-and-identify-selinux-file-and-process-context.md) ++ [9.f Restore default file contexts](9-Manage-security/9f-restore-default-file-contexts.md) ++ [9.g Use boolean settings to modify system SELinux settings](9-Manage-security/9g-use-boolean-settings-to-modify-system-selinux-settings.md) ++ [9.h Diagnose and address routine SELinux policy violations](9-Manage-security/9h-diagnose-and-address-routine-selinux-policy-violations.md) + +### [10. 
Manage containers](10-manage-containers/10-manage-containers.md) + ++ [10.a Find and retrieve container images from a remote registry](10-manage-containers/10a-find-and-retrieve-container-images-from-a-remote-registry.md) ++ [10.b Inspect container images](10-manage-containers/10b-inspect-container-images.md) ++ [10.c Perform container management using commands such as podman and skopeo](10-manage-containers/10c-perform-container-management-using-commands-such-as-podman-and-skopeo.md) ++ [10.d Perform basic container management such as running, starting, stopping, and listing running containers](10-manage-containers/10d-perform-basic-container-management-such-as-running-starting-stopping-and-listing-running-containers.md) ++ [10.e Run a service inside a container](10-manage-containers/10e-run-a-service-inside-a-container.md) ++ [10.f Configure a container to start automatically as a systemd service](10-manage-containers/10f-configure-a-container-to-start-automatically-as-a-systemd-service.md) ++ [10.g Attach persistent storage to a container](10-manage-containers/10g-attach-persistent-storage-to-a-container.md) + + +--- +[⬅️ Back](../README.md) diff --git a/markdown/Rules.md b/markdown/Rules.md new file mode 100644 index 0000000..6493ca3 --- /dev/null +++ b/markdown/Rules.md 
@@ -0,0 +1,42 @@ +Rules and FAQ +=== + +## FAQ: + +#### What exam version does the study covers? + +RHCSA v8 with container objectives. + +#### Who can edit this project? + +Anyone is welcome to edit the content + +## Rules + +### 1. Make sure to follow Red Hat's NDA + +### 2. Behaviour +- Be courteous +- Clear explanations +- Try to be biased on your opinions + +### 3. Editing Content +- Use proper markdown formatting +- Make sure you have checked and confirmed that the information is correct + +You can make changes via normal [git procedure](https://kbroman.org/github_tutorial/pages/fork.html), or by creating a new [issue](https://github.com/victorbrca/rhcsa-study-guide/issues/new/choose). + +#### 4.1 Adding content + +#### 4.2 Editing content + +#### 4.3. Removing content +- You are allowed to remove content that: + - Is no longer part of the exam + - Provides the wrong information + - Provides too much information, as long as: + - The information will not be relevant to the student in the future + - Will **definitely** cause confusion for new Linux users + +--- +[⬅️ Back](../README.md)
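Review bot: In the 9h SELinux page, the command under "You can also list all the errors with" is `# auditwhy -a`, which is not a real tool; the section introduced `audit2why` a few lines earlier, so this should read `# audit2why -a`. Two smaller points in the same hunk: "commad" should be "command", and the "Systemd" section says `journalctl` is used but only shows the resulting log lines, so add the command that produced them (for example `journalctl -t setroubleshoot`, matching the `setroubleshoot[43819]` identifier in the output). In "Adding a New Module" it is worth one sentence saying that `audit2allow -M myhttpd` turns every denial that was piped in into an allow rule, so the generated `myhttpd.te` should be read before `semodule -i myhttpd.pp` loads it.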
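Review bot: The Additional-Resources.md hunk has a typo in its title, "Additional Resouces", which should be "Additional Resources". Also in that file: "has compiled an amazing content" should be "has compiled amazing content", "This another group" should be "This is another group", and "Red Hat Enterprise 8" in the Environments section should be "Red Hat Enterprise Linux 8" to match how the product is named elsewhere in the patch.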
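Review bot: In the Exam-Format.md hunk the "Exam Types" list nests "Remote Exam (***new***)" under "Individual Exam" only, while "Classroom Exam" and "On-site Exam" sit at the top level, so it is unclear whether remote delivery applies to the individual exam alone; either state that or flatten the list. Also the last link of the "More details on remote exam" list runs straight into the `---` separator with no blank line, unlike every other page in this patch; add the blank line so the separator renders consistently.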
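Review bot: Two links in the Objectives.md hunk are missing the `.md` suffix that every other objective link has, so they will not resolve to the study pages: `4e-configure-systems-to-mount-file-systems-at-boot-by-universally-unique-id-uuid-or-label)` and `9b-create-and-use-file-access-control-lists)`. Section "2. Create simple shell scripts" is the only section whose heading and items carry no links; if those pages do not exist yet, a short note saying so would keep readers from assuming the links were dropped. Minor: the heading "## Study points for the exam." has a trailing period the other headings do not.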
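Review bot: In the Rules.md hunk the Behaviour rule "Try to be biased on your opinions" reads as the opposite of what a contribution rule would ask; presumably "unbiased" was intended, and since this is the page contributors are told to read first it should be fixed before merge. Also in that file: the FAQ question "What exam version does the study covers?" should be "What exam version does the study guide cover?"; the headings "#### 4.1 Adding content" and "#### 4.2 Editing content" are empty and there is no "### 4." parent heading between "### 3. Editing Content" and them; and "4.3." has a trailing period unlike 4.1 and 4.2.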