- Accessing the command line:
- ---------------------------
- - Virtual-consoles (ctrl+alt+F1-6)
- - Terminal
- - Shell --> bash
- - cmd options arguments
- - Useful bash features:
- - history (!x , !string, ctrl-r, up/down arrow keys)
- - TAB completion
- - alt+. (repeat last argument)
- SSH
- ---
- - SSH server
- - sshd
- - Port 22 (TCP)
- - ssh client:
- - ssh user@host --> interactive ssh
- - ssh user@host "CMD" --> non-interactive ssh
- - Authentication:
- 1. Password Authentication
- 2. key-based Authentication
- ssh-keygen --> generate your own public/private keys
- ssh-copy-id --> copy your public key over
- Managing Files
- --------------
- - Root directory: /
- - Absolute path always starts with /
- - Relative path depends on your current directory
- - cd, ls [-al] , pwd, touch ,
- - mv , cp [-r] , mkdir [-p] , rmdir, rm [-rf]
- - Hard links (ln) , Symbolic Links (ln -s)
- ln [-s] EXISTING_FILE SHORTCUT_NAME
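The difference between the two link types is easiest to see when the original name goes away. The script below is an added example, not part of the original notes; it assumes Linux with GNU coreutils (`stat -c`) and works entirely inside a scratch directory it creates and removes.

```shell
#!/bin/sh
# Added example, not from the original notes: compare a hard link with a
# symbolic link when the original name is removed. Assumes Linux with GNU
# coreutils (stat -c); all paths are created in a scratch directory.

link_demo() {
    dir=$(mktemp -d)
    printf 'original content\n' > "$dir/data.txt"

    ln    "$dir/data.txt" "$dir/hard.txt"    # hard link: a second name for the same inode
    ln -s data.txt        "$dir/soft.txt"    # symbolic link: a new inode holding a path

    # Hard-linked names share one inode number; the link count becomes 2.
    if [ "$(stat -c %i "$dir/data.txt")" = "$(stat -c %i "$dir/hard.txt")" ]; then
        same_inode=yes
    else
        same_inode=no
    fi
    link_count=$(stat -c %h "$dir/data.txt")

    rm "$dir/data.txt"                       # remove only the original name

    # The hard link still reaches the data; the symlink now dangles
    # (it is still a link, but the path it stores no longer exists).
    hard_ok=no;      [ -f "$dir/hard.txt" ] && hard_ok=yes
    soft_ok=no;      [ -e "$dir/soft.txt" ] && soft_ok=yes
    soft_is_link=no; [ -L "$dir/soft.txt" ] && soft_is_link=yes

    rm -rf "$dir"
    echo "$same_inode $link_count $hard_ok $soft_ok $soft_is_link"
}

link_demo   # prints: yes 2 yes no yes
```

`-e` follows the symlink and so reports false once the target is gone, while `-L` still reports the link itself; that is the difference to keep in mind when a backup or cleanup script tests for a path.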
- User and group management
- -------------------------
- - /etc/passwd, /etc/group, /etc/shadow
- - useradd, usermod, userdel [-r]
- - groupadd, groupmod [-n name] [-g gid] , groupdel
- - Primary group vs Supplementary group
- - Password aging:
- /etc/login.defs (login defaults)
- /etc/default/useradd (defaults for the useradd command)
- chage -l USER
- -m, -M , -W, -E , -I , -d 0
- - Special shell: /sbin/nologin
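A quick audit of which accounts in a passwd-format file can actually log in, and which have UID 0, is the usual follow-up to the /sbin/nologin point. This is an added example, not from the original notes; the passwd lines are constructed samples written to a temporary file, and the functions can be pointed at a real /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a passwd-format file for
# accounts that can log in interactively (shell other than nologin or
# /bin/false) and for any account with UID 0. The passwd lines are constructed
# samples written to a temporary file, not read from /etc/passwd.

write_sample_passwd() {
    # $1 = path to write the constructed sample to
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
john:x:1000:1000:John Doe:/home/john:/bin/bash
backup:x:1001:1001:Backup:/var/backup:/bin/false
EOF
}

interactive_accounts() {
    # $1 = passwd-format file (name:pw:uid:gid:gecos:home:shell)
    # An empty shell field means /bin/sh, so it counts as interactive.
    awk -F: '$7 !~ /\/nologin$/ && $7 != "/bin/false" { print $1 }' "$1"
}

uid_zero_accounts() {
    # Any entry other than root here deserves a second look.
    awk -F: '$3 == 0 { print $1 }' "$1"
}

passwd_demo() {
    f=$(mktemp)
    write_sample_passwd "$f"
    printf 'interactive: %s\n' "$(interactive_accounts "$f" | paste -s -d ' ' -)"
    printf 'uid 0: %s\n' "$(uid_zero_accounts "$f" | paste -s -d ' ' -)"
    rm -f "$f"
}

passwd_demo
```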
- CENTRALIZED USER MANAGEMENT
- ----------------------------
- - Centralize user account and authentication
- - authconfig-gtk, sssd, krb5-workstation
- - ldap for user info + kerberos for authentication
- - LDAP:
- 1. FQDN ldap server
- 2. BASE DN
- 3. CA cert (for tls encryption)
- - KERBEROS:
- 1. KDC
- 2. REALM
- 3. ADMIN servers
- (or DNS can be used to auto-detect these settings,
- if it is configured for that)
- - ipa-client-install (yum install ipa-client)
- File permissions
- ----------------
- - Basic permissions: r , w , x
- - Special permissions: suid, sgid, sticky bit
- - chown, chgrp, chmod
- - chmod --> symbolic way + numerical way
- - if a capital X is used, execute is applied only to directories and to files
- that already have ANY execute bit set
- (useful with recursive chmod -R)
- - umask determines the default permission (mode) of a new file/dir
- (General guide: files start from 666 and directories from 777;
- the bits set in the umask are removed from that starting mode)
- - To globally set the umask:
- /etc/profile
- /etc/bashrc
- - To set umask per user:
- ~/.bashrc
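To see the 666/777 rule in action, the script below applies a few umask values inside a subshell, creates a file and a directory under each, and reads back the resulting modes next to the arithmetic result. It is an added example, not from the original notes; it assumes Linux with GNU coreutils (`stat -c %a`) and only touches a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original notes: watch umask turn the 666 (file)
# and 777 (directory) starting modes into the mode new objects actually get.
# Assumes Linux with GNU coreutils (stat -c %a); works in a scratch directory.

modes_under_umask() {
    # $1 = umask to apply, as octal text such as 022 or 077
    dir=$(mktemp -d)
    (
        umask "$1"                   # only this subshell is affected
        touch "$dir/file"            # created with 666 & ~umask
        mkdir "$dir/subdir"          # created with 777 & ~umask
    )
    printf '%s %s\n' "$(stat -c %a "$dir/file")" "$(stat -c %a "$dir/subdir")"
    rm -rf "$dir"
}

expected_mode() {
    # Arithmetic cross-check: $1 = base (666 or 777), $2 = umask, both octal.
    # The leading 0 makes the shell treat both numbers as octal.
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

for m in 022 027 077; do
    echo "umask $m -> $(modes_under_umask "$m")   (calc: $(expected_mode 666 "$m") $(expected_mode 777 "$m"))"
done
```

The subshell matters: `umask` changes the calling shell's own setting, so wrapping it in `( ... )` keeps the demo from altering the session it runs in.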
- ACL
- ---
- - To overcome basic permission limitations
- - more than one user
- - more than one group
- - Three types of entries:
- - normal acl entries
- - default acl entries (only applies to dir)
- - files/subdir inherit the default acl
- - mask (does not affect original user owner and others)
- - setfacl -m ACL_SPEC FILE|DIR
- - setfacl -x ACL_SPEC FILE|DIR
- - ACL_SPEC examples:
- u:john:rx
- g::rwx
- g:sales:rw
- o::-
- SELINUX
- -------
- - 3 modes: enforcing, permissive, disabled
- - /etc/selinux/config
- - getenforce
- - setenforce 0|1 (will not survive a reboot)
- - yum install selinux-policy-devel
- mandb
- man -k _selinux
- - yum install setroubleshoot-server
- /var/log/messages
- sealert -l UUID
- - restorecon -vFR DIR
- - man semanage-fcontext
- -> we can add custom rules to the file context
- - getsebool -a
- setsebool [-P] BOOLEAN on|off -> Remember -P for persistency!
- Processes
- ---------
- - Sending signals to processes
- kill -l -> list signals
- - best to send signals by name rather than by number
- - SIGTERM (15) , SIGKILL(9)
- - kill PID...
- - killall CMD
- - pkill [COMMAND_PATTERN]
- pkill -u USER
- pkill -t TERMINAL
- pkill -u john gedit -> terminate all gedit processes for john
- Use pgrep -l PATTERN to see which processes pkill would
- send the signal to
- - top
- P - sort by CPU
- M - sort by memory
- h - help
- k - kill
- q quit
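The advice to signal by name rather than by number is easy to check against a throwaway process: `kill -l N` maps a number to its name, and after a signal the shell reports the process's status as 128 plus the signal number. The script is an added example, not from the original notes; it only signals a `sleep` it started itself.

```shell
#!/bin/sh
# Added example, not from the original notes: send a signal to a process by
# name and read back the status the shell reports for it (128 + signal number).
# The target is a throwaway "sleep" started here; nothing else is signalled.

signal_name() {
    # Map a number to the name the notes recommend using: kill -l 15 -> TERM
    kill -l "$1"
}

signal_exit_status() {
    # $1 = signal name such as TERM or KILL
    sleep 60 &
    pid=$!
    kill -s "$1" "$pid"          # by name, so it reads the same on any system
    status=0
    wait "$pid" || status=$?     # 143 for TERM, 137 for KILL
    echo "$status"
}

echo "15 is SIG$(signal_name 15)"
echo "TERM -> exit status $(signal_exit_status TERM)"
echo "KILL -> exit status $(signal_exit_status KILL)"
```

The same 128+N convention is what you see in a service's exit status after `systemctl stop` or a `kill`, so it is worth recognising in logs: 143 means a clean SIGTERM, 137 means something resorted to SIGKILL.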
- Process priorities:
- -------------------
- - can be affected by the NICE value
- - (higher priority) -20 --> +19 (lower priority)
- <-------increase priority (root) --------
- -------decrease priority (normal users) -->
- - nice -n NICEVALUE CMD
- - renice -n NICEVALUE PID
- - top can also renice processes:
- short-cut --> r
- Software
- --------
- - yum list | search | install | info | remove | update PKGNAME...
- - yum help
- YUM REPO file rule!
- ------------------
- - File should be in /etc/yum.repos.d/
- - file should have extension of .repo
- - contents of file:
- [repoid] <--- no spaces, unique, NOT "main"
- name=UPTOYOU
- baseurl=URL_TO_REPO
- gpgcheck=0|1 <-- Signature check ?
- enabled=0|1 <-- enabled or not ?
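The repo-file rules above are easy to turn into a pre-flight check. The script below is an added example, not from the original notes and not a yum tool: a plain sh function that checks a candidate file for the right directory and extension, a `[repoid]` with no spaces that is unique and not `main`, a `baseurl`, and `gpgcheck`/`enabled` values of 0 or 1. The repo files it tests are constructed in a scratch directory that stands in for /etc/yum.repos.d.

```shell
#!/bin/sh
# Added example, not from the original notes and not a yum tool: check a
# candidate repo file against the rules listed above. The repo files are
# constructed in a scratch directory that stands in for /etc/yum.repos.d.

check_repo_file() {
    # $1 = repo file, $2 = directory standing in for /etc/yum.repos.d
    # Problems go to stderr; the count goes to stdout.
    file=$1; repodir=$2; errors=0
    case "$file" in
        "$repodir"/*.repo) ;;
        *) echo "must live in $repodir with a .repo extension" >&2; errors=$((errors+1)) ;;
    esac
    id=$(sed -n 's/^\[\(.*\)\]$/\1/p' "$file" | head -n 1)
    if [ -z "$id" ]; then
        echo "missing [repoid] header" >&2; errors=$((errors+1))
    else
        case "$id" in
            *' '*) echo "repoid '$id' contains spaces" >&2; errors=$((errors+1)) ;;
            main)  echo "repoid must not be 'main'" >&2; errors=$((errors+1)) ;;
        esac
        # Unique across the directory: count the .repo files carrying this header.
        owners=$(grep -l -x -F "[$id]" "$repodir"/*.repo 2>/dev/null | wc -l)
        [ "$owners" -le 1 ] || { echo "repoid '$id' appears in $owners files" >&2; errors=$((errors+1)); }
    fi
    grep -q '^baseurl=.' "$file" || { echo "missing baseurl=" >&2; errors=$((errors+1)); }
    for key in gpgcheck enabled; do
        val=$(sed -n "s/^$key=//p" "$file" | head -n 1)
        case "$val" in
            0|1) ;;
            *) echo "$key must be 0 or 1 (got '$val')" >&2; errors=$((errors+1)) ;;
        esac
    done
    echo "$errors"
}

repo_demo() {
    d=$(mktemp -d)
    # Constructed samples: one valid file, one that breaks three rules.
    printf '[local]\nname=Local mirror\nbaseurl=file:///srv/repo\ngpgcheck=1\nenabled=1\n' > "$d/local.repo"
    printf '[main]\nname=Broken\nbaseurl=http://repo.example/x\ngpgcheck=yes\nenabled=1\n' > "$d/broken.txt"
    good=$(check_repo_file "$d/local.repo" "$d" 2>/dev/null)
    bad=$(check_repo_file "$d/broken.txt" "$d" 2>/dev/null)
    rm -rf "$d"
    echo "$good $bad"
}

repo_demo   # prints: 0 3
```

Run it against a real file with `check_repo_file /etc/yum.repos.d/foo.repo /etc/yum.repos.d`; a non-zero count means yum would either ignore the file or trust an unsigned repository, so `gpgcheck` is the value worth reading twice.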
- Partitions and File Systems
- ---------------------------
- - 2 partitioning schemes: MBR and GPT
-       MBR                                     GPT
-       ---                                     ---
-   - fdisk                                   - gdisk
-   - Primary, extended, logical              - N/A
-   - Need an extended partition to have      - N/A
-     more than 4 partitions
-   - Max 2 TB per partition                  - Max 8 ZiB per partition
- - For an existing disk that has already been partitioned, DON'T simply convert
-   the partitioning scheme (even though gdisk will offer to convert MBR to
-   GPT for you)
-   File system                               Swap
-   -----------                               ----
-   1. Create partition                       1. Create partition
-      - id: 83/8300                             - id: 82/8200
-   2. cat /proc/partitions                   2. - SAME -
-      - if not visible: partprobe
-   3. Format with a filesystem               3. Format as swap
-      mkfs -t FSTYPE DEVICE                     mkswap DEVICE
-      (ext4, xfs, vfat, ...)
-   4. Create a mount point                   4. - N/A -
-      mkdir DIRECTORY
-   5. Update /etc/fstab                      5. - SAME, with slightly different settings -
-   6. mount -a ; df -h                       6. swapon -a ; swapon -s
- Services
- --------
- - systemd is new in RHEL7
- - systemctl status|start|stop|restart UNIT
- - systemctl enable|disable|mask|unmask UNIT
- - enable means service will start at BOOT TIME
- - masking means the service cannot be started, either at boot time or manually
- Boot process
- ------------
- - systemd replaces systemV
- - no more run levels
- - instead we have targets
- - systemd uses units
- - units have types
- autofs.service
- cups.socket
- etc...
- - A target is a set of units grouped together
- to achieve a system state
- - When we boot up the system a default target is used
- to setup the system
- graphical.target (with GUI)
- multi-user.target (NO GUI)
- - To manually switch between targets:
- systemctl isolate graphical.target
- systemctl isolate multi-user.target
- - You can set/get the default target:
- systemctl get-default
- systemctl set-default TARGET
- - Targets can be set by passing in kernel argument at the bootloader menu
- - systemd.unit=TARGET
- - e.g. systemd.unit=rescue.target OR systemd.unit=emergency.target
- - Use rd.break when trying to reset root password:
- 1. Interrupt GRUB at boot time
- 2. e to edit
- 3. Pass in rd.break, then ctrl-x
- 4. mount -o remount,rw /sysroot
- 5. chroot /sysroot
- 6. passwd
- 7. touch /.autorelabel
- 8. exit ; exit
- - grub2-mkconfig regenerates the /boot/grub2/grub.cfg file
- based on settings in /etc/default/grub and /etc/grub.d/
- Networking
- ----------
- - DHCP or static (manual)
- - If static:
- IP address
- Netmask (CIDR)
- DNS
- Default gateway
- - If using NetworkManager daemon: --> nmcli command to manage
- nmcli
- -> use TAB (auto-complete to help)
- -> connection and device
- -> connections have names and must be associated with
- an interface (device)
- -> Do we want the connection to auto start at boot time?
- connection.autoconnect yes|no
- -> ipv4 settings:
- ipv4.method --> dhcp or manual
- ipv4.addresses --> IP address,subnet and def. gateway
- "192.168.9.10/24 192.168.0.1"
- ipv4.dns --> DNS servers
- - When displaying connection settings:
- lowercase properties means what is configured
- UPPERCASE properties means runtime configuration
- - We can also edit the config file:
- /etc/sysconfig/network-scripts/
- ifcfg-DEVICE OR ifcfg-CONNAME
- nmcli connection reload --> inform NM that there are changes
- nmcli connection down CONNAME
- nmcli connection up CONNAME
- - hostnamectl set-hostname HOSTNAME
- Logging and Time
- ----------------
- - Two services handle logging:
- - rsyslog
- /var/log/
- - systemd-journald (new in RHEL7)
- /run/log/journal - non-persistent
- /var/log/journal - if made persistent
- - journalctl
- - journalctl -p PRIORITY
- - journalctl --since DATE --until DATE
- - journalctl -b
- -> only show messages during last boot (if journal is persistent)
- - timedatectl (new RHEL7)
- set-time
- set-timezone
- list-timezones
- set-ntp
- ...
- - /etc/chrony.conf (differs from RHEL6, which uses /etc/ntp.conf)
- server NTP_SERVER iburst
- systemctl restart chronyd.service (in RHEL6 service ntpd restart)
- timedatectl set-ntp true
- LVM
- ---
- - Provides the ability to group multiple storage as ONE
- - Each storage is formatted as a PV and then grouped together as a VG
- - PE is the smallest unit/chunk in a VG. Specified when the VG is created
- with -s
- - LV and VG can be extended or reduced (hence flexible)
- - pvs,vgs,lvs
- - pvdisplay,vgdisplay,lvdisplay
- - pvcreate , vgcreate , lvcreate
- - vgextend, pvmove , vgreduce
- - lvextend
- - resize2fs , xfs_growfs
- Cron, systemd-tmpfiles
- --------------------------
- - cron for recurring jobs
- - cron
- - user cron --> crontab -e
- - system cron --> /etc/crontab , /etc/cron.d/
- - anacron
- - executed hourly by cron (/etc/cron.hourly/0anacron)
- - /etc/anacrontab
- - controls /etc/cron.{daily,weekly,monthly}
- - Benefit: missed jobs will be executed
- - Con: Cannot control exact time the job is run
- - systemd-tmpfiles --create --remove
- -> executed once at boot time
- -> creates or deletes files based on the configuration
- - systemd-tmpfiles --clean
- -> purges files based on their age
- -> executed once a day
- - /etc/tmpfiles.d/
- --OVERRIDES--
- /run/tmpfiles.d
- --OVERRIDES--
- /usr/lib/tmpfiles.d
- - e.g.
- cat /etc/tmpfiles.d/test.conf
- d /testing 1777 root root 1d -
- cat /usr/lib/tmpfiles.d/test.conf
- d /testing 1777 root root 20d -
- ==> the age limit for files in /testing will be 1d, not 20d
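The override rule is by file name: a fragment in a higher-precedence directory hides a same-named one below it entirely. The script below resolves the winning fragment and reads its age field, reproducing the test.conf case above and then removing the /etc override to show the vendor value coming back. It is an added example, not from the original notes, and works in a constructed scratch root rather than the real /etc or /usr/lib.

```shell
#!/bin/sh
# Added example, not from the original notes: resolve which tmpfiles.d fragment
# wins for a given file name using the precedence above (/etc over /run over
# /usr/lib) and read the age field for a path. The configuration lives in a
# constructed scratch root, not in the real /etc or /usr/lib.

winning_tmpfiles_conf() {
    # $1 = directory standing in for "/", $2 = fragment name such as test.conf
    # A fragment in a higher-precedence directory hides a same-named one below it.
    for d in etc/tmpfiles.d run/tmpfiles.d usr/lib/tmpfiles.d; do
        if [ -f "$1/$d/$2" ]; then
            echo "$1/$d/$2"
            return 0
        fi
    done
    return 1
}

tmpfiles_age() {
    # $1 = root, $2 = fragment name, $3 = path whose age field you want
    conf=$(winning_tmpfiles_conf "$1" "$2") || return 1
    # Line layout: Type Path Mode UID GID Age Argument
    awk -v p="$3" '$1 !~ /^#/ && $2 == p { print $6 }' "$conf"
}

tmpfiles_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/tmpfiles.d" "$root/usr/lib/tmpfiles.d"
    echo 'd /testing 1777 root root 1d -'  > "$root/etc/tmpfiles.d/test.conf"
    echo 'd /testing 1777 root root 20d -' > "$root/usr/lib/tmpfiles.d/test.conf"
    with_override=$(tmpfiles_age "$root" test.conf /testing)
    rm "$root/etc/tmpfiles.d/test.conf"           # drop the override...
    without_override=$(tmpfiles_age "$root" test.conf /testing)
    rm -rf "$root"
    echo "$with_override $without_override"       # ...and the vendor value returns
}

tmpfiles_demo   # prints: 1d 20d
```

Because the override is per file name, an /etc fragment has to carry every line it wants to keep from the vendor file it shadows, not just the ones it changes.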
- Access NFS
- ----------
- - Package required: nfs-utils
- - 5 security mechanisms:
- sec=none|sys|krb5|krb5i|krb5p
- - If using any of the krb5 options, you need:
- - Client must be authenticated with the same
- central authentication server as the nfs server
- - Client should enable and start nfs-secure service
- - Client needs a /etc/krb5.keytab file issued from the
- kerberos administrator
- - Manual mount:
- mount -o sec=SEC_TYPE,sync NFS_SERVER:SHARE_PATH MOUNT_POINT
- - Mount at boot time:
- /etc/fstab
- NFS_SERVER:SHARE_PATH MOUNT_POINT nfs sec=SEC_TYPE,sync 0 0
- - Mount on demand:
- yum install autofs
- systemctl enable autofs
- systemctl start autofs
- Indirect Map
- -------------
- NFS share server1:/shares/public
- Mount point /myshares/pub
- (indirect map needs a parent/child directory structure)
- /etc/auto.master.d/myfile.autofs
- /myshares /etc/auto.myshares
- /etc/auto.myshares
- pub -rw,sec=SEC_TYPE,sync server1:/shares/public
- systemctl restart autofs
- Direct Map
- ----------
- NFS share server1:/shares/public
- Mount point /pub
- /etc/auto.master.d/myfile.autofs
- /- /etc/auto.pub
- /etc/auto.pub
- /pub -rw,sec=SEC_TYPE,sync server1:/shares/public
- systemctl restart autofs
- Accessing SMB
- -------------
- - Required package: cifs-utils
- - Optional : samba-client (gives you the smbclient command)
- - To identify the share:
- smbclient -L //server
- (list the shares)
- - Ways to connect:
- - manual mount
- mount -t cifs -o user=USERNAME //server/sharename /MOUNT_POINT
- - mount at boot time: /etc/fstab
- //server/sharename /mount_point cifs user=USER,password=123 0 0
- OR
- //server/sharename /mount_point cifs credentials=/root/myfile 0 0
- WHERE /root/myfile (file mode MUST be 600) contains:
- username=USER
- password=123
- domain=DOMAIN <-- optional
- - via smbclient (similar to ftp client)
- smbclient -U USER //server/share
- - Mount on demand (autofs)
- - install, start and enable autofs
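The 600 rule for the credentials file is the one thing in this section that fails silently: the mount still works with a world-readable file, the password is just exposed. The script below is an added example, not from the original notes; it checks a credentials file for mode 600 and for the `username=`/`password=` keys before you reference it from /etc/fstab or an autofs map, using GNU `stat` and two constructed sample files in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original notes: check a cifs credentials file
# before pointing /etc/fstab at it. It must be mode 600 (the notes' rule) and
# carry username= and password= lines. Uses GNU stat; both sample files are
# constructed in a scratch directory.

check_cifs_credentials() {
    # $1 = credentials file. Problems go to stderr, their count to stdout.
    f=$1; problems=0
    if [ ! -f "$f" ]; then
        echo "no such file: $f" >&2; echo 1; return
    fi
    mode=$(stat -c %a "$f")
    [ "$mode" = 600 ] || { echo "mode is $mode, must be 600" >&2; problems=$((problems+1)); }
    for key in username password; do
        grep -q "^$key=." "$f" || { echo "missing $key=" >&2; problems=$((problems+1)); }
    done
    echo "$problems"
}

credentials_demo() {
    d=$(mktemp -d)
    # Constructed samples: the password value is a placeholder, not a real secret.
    printf 'username=smbuser\npassword=example-only\ndomain=EXAMPLE\n' > "$d/good"
    chmod 600 "$d/good"
    printf 'username=smbuser\n' > "$d/bad"      # password missing, left world-readable
    chmod 644 "$d/bad"
    good=$(check_cifs_credentials "$d/good" 2>/dev/null)
    bad=$(check_cifs_credentials "$d/bad" 2>/dev/null)
    rm -rf "$d"
    echo "$good $bad"
}

credentials_demo   # prints: 0 2
```

The `credentials=` form is preferable to `user=USER,password=123` in /etc/fstab for the same reason: /etc/fstab is world-readable by default, so a password written there is visible to every local account.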
- INDIRECT MAP example
- --------------------
- /etc/auto.master.d/shares.autofs
- /shares /etc/auto.shares
- /etc/auto.shares
- pub -fstype=cifs,credentials=/root/myfile,rw ://server/public
- DIRECT MAP example
- --------------------
- /etc/auto.master.d/shares-direct.autofs
- /- /etc/auto.shares-direct
- /etc/auto.shares-direct
- /shares -fstype=cifs,credentials=/root/myfile,rw ://server/public
- Firewall Chapter
- -----------------
- - Packet filtering handled by the kernel module netfilter
- - Managed through EITHER iptables service or firewalld
- - systemctl mask iptables.service
- -> ensures that the iptables service does not get started (it would disrupt firewalld)
- - firewalld
- -> firewall-config (GUI tool)
- -> firewall-cmd (command line)
- - if --zone not specified, use default zone
- - For persistent changes:
- - Modify the PERMANENT settings (firewall-cmd .... --permanent )
- - Reload firewall ( firewall-cmd --reload )
- - A zone has a set of rules
- - A packet is associated with a zone:
- - depending on the interface it arrives on
- - depending on its source IP
- - if neither of the above two matches, the default zone rules are used
- Kickstart
- ---------
- - To automate Red Hat Installations
- - Need a kickstart text file
- - use /root/anaconda-ks.cfg as a template
- - GUI: system-config-kickstart
- - File has 4 sections: command,packages,pre,post
- - ksvalidator can check the file syntax for errors
- - You can place your kickstart file in a
- - usb drive, cdrom, upload to a webserver/ftp server
- - Boot from DVD
- - Select the install option and press TAB
- - append: ks=http://server/myks.cfg
- Using Virtualized systems
- --------------------------
- - KVM is Red Hat's virtualization technology
- - KVM requires:
- 1. CPU that supports VT
- (/proc/cpuinfo --> vmx|svm)
- 2. Enable VT at BIOS
- 3. Hypervisor must be 64-bit for Red Hat to support
- 4. Install the necessary software on the hypervisor
- yum grouplist hidden | grep -i virtual