Interrupt the Boot Process in Order to Gain Access to a System
To start the system in the rescue target, edit the grub kernel line during the boot process and add to the end: systemd.unit=rescue.target
1. During the boot process, edit the grub kernel line "linux16" by adding to the end: rd.break
2. mount -o remount,rw /sysroot
3. chroot /sysroot
4. passwd
5. touch /.autorelabel
6. exit, then exit again

REDIRECTION
&> == Redirect both stdout and stderr
2>&1 == Redirect standard error to standard output

UMASK
Base permissions before the umask is applied: 666 files / 777 directories
Permanent adjustment for users: /etc/profile and /etc/bashrc

SHUTDOWN/REBOOT
shutdown [flags/arguments]
-r == reboot
-h / -P == halt / power-off
+# / 00:00 == in minutes / at a 24-hour clock time
systemctl [halt/poweroff/reboot]

PERMISSIONS
chmod
g+s [directory] // chmod 2xxx == all files/dirs created inside will get the group ownership of this directory (setgid)
u+s [file] // chmod 4xxx [file] == execute as the owner of the file (setuid)
1xxx [directory] == files/dirs inside cannot be deleted except by the owner of that file/dir (sticky bit)
capital X == apply execute only to directories (and to files that are already executable)

NICE
19 (lowest priority) to -20 (highest priority)
nice
-n # [name] == start a process with a specific niceness; the -n IS required
renice
-n # [pid] == renice a specific process by id
-n # $(pgrep [name]) == renice every process found by pgrep ($( ) runs a subshell)

PROCESSES
pgrep [flag] [name] == shows process id (and name with -l)
-l == list process name
-u [username] == find only those owned by [username]
-v == invert results (Ex: pgrep -v -u root == all processes not owned by root)
-t [pts/#] == match only processes started from that terminal (with pkill -t: kill all processes started from that terminal window, but the user stays logged in)

SIGHUP/1 == Closing terminal
SIGINT/2 == Keyboard interrupt (ctrl + c)
SIGQUIT/3 == Quit from keyboard (ctrl + \), like SIGINT but with a core dump
SIGKILL/9 == Murder the process. Do not pass go.
SIGTERM/15 == Stop, clean up, and quit. DEFAULT used by kill/pkill
SIGCONT/18 == Continue
SIGSTOP/19 == Stop
kill [pid] == kill a specific process
pkill [name] == kill all processes of that name
ps axo nice,comm,pid,user == show niceness, command, pid and user for all processes

LOAD
0.00, 0.00, 0.00 == 1 minute, 5 minutes, 15 minutes
load average / # of processors == % of cpu usage
1 cpu w/ 1.00 == 100% cpu power
2 cpus w/ 1.50 == ~75% cpu power

USERS/GROUPS
useradd // usermod // userdel // chage
groupadd // groupmod // groupdel
newgrp == change my current group ID during this login session
/etc/passwd == username : x : user id : group id : comment (GECOS, e.g. full name) : home dir : login shell
/etc/shadow == username : pw hash : last pw change (days since the Unix epoch) : min days before pw change : max days before required pw change : # of days of warning before pw expires : inactive days allowed after pw expires : account expiration date (days since epoch)
/etc/skel == skeleton user directory
user login defaults == /etc/login.defs
Other defaults == /etc/default/

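As an added example (not part of the original cheat sheet), the field layout of /etc/shadow listed above is enough to work out an account's password state. The function below parses a constructed shadow-style sample (not a real system file) and classifies each account; "today" is passed in as days since the epoch so the result is reproducible.

```shell
# Added example: parse /etc/shadow-style records with the field layout
# username:hash:lastchange:min:max:warn:inactive:expire and report the state.
# SHADOW_SAMPLE is constructed data, not copied from any real system.
SHADOW_SAMPLE='root:$6$constructedhash:18000:0:99999:7:::
alice:$6$constructedhash:18500:1:90:14:3::
bob:!!:18000:0:99999:7:::
carol:$6$constructedhash:18000:0:60:7::18400
dave:$6$constructedhash:18000:0:60:7:::'

# shadow_status NAME TODAY  (TODAY = days since the Unix epoch, like field 3)
# Prints one of: locked, account-expired, password-expired, must-change-in-N, ok
shadow_status() {
    name=$1; today=$2
    line=$(printf '%s\n' "$SHADOW_SAMPLE" | grep "^$name:") || { echo no-such-user; return 1; }
    # Fields: 1 user, 2 hash, 3 last change, 4 min, 5 max, 6 warn, 7 inactive, 8 expire
    hash=$(printf '%s' "$line" | cut -d: -f2)
    last=$(printf '%s' "$line" | cut -d: -f3)
    max=$(printf '%s' "$line" | cut -d: -f5)
    warn=$(printf '%s' "$line" | cut -d: -f6)
    expire=$(printf '%s' "$line" | cut -d: -f8)
    last=${last:-0}; max=${max:-99999}; warn=${warn:-0}

    # A hash that is empty or starts with ! or * means the password is locked/unusable
    case "$hash" in
        ''|'!'*|'*'*) echo locked; return 0 ;;
    esac
    # Field 8: the whole account expires on this day, regardless of the password
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 0
    fi
    # Password must be changed max days after the last change; warn inside the warn window
    due=$((last + max))
    if [ "$today" -ge "$due" ]; then
        echo password-expired
    elif [ $((due - today)) -le "$warn" ]; then
        echo "must-change-in-$((due - today))"
    else
        echo ok
    fi
}
```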
TAR/GZIP
**Extracting by default overwrites local files**
tar -cvzf NAME.tar.gz [files/directories]
-c == create
-v == verbose
-z == gzip (compress on create, decompress on extract)
-x == extract
-f == name the file
-t == look inside without unpacking
-d == see difference between local and archived

TRANSFERRING FILES
scp /path/to/local/file user@remotehost:/path/to/destination
sftp user@remotehost
-can use basic CLI commands such as ls and mkdir
-"get" == download file from remote
-"put" == upload file to remote
-"?" == help/commands
To Push:
rsync -a /path/to/file_or_dir user@remotehost:/path/to/destination
To Pull:
rsync -a user@remotehost:/path/to/remote/dir_or_file /path/to/local/destination
-a == stands for "archive": syncs recursively and preserves symbolic links, special and device files, modification times, group, owner, and permissions
-nv == verbose dry run
-z == compress during transfer
-P == combines the --progress and --partial flags: gives a progress bar for the transfers and allows you to resume interrupted transfers
--exclude=/what/to/exclude
By default, rsync does not delete anything from the destination directory, but you can change this behavior with the --delete option

AT, CRON, ANACRON
at does not create recurring events, only a one-time scheduled future event.
If the system is off at the scheduled cron time, that cron run is missed.
anacron checks the last time each job was run, so runs missed while the system was off are not lost.
yum install at
(then make sure to enable & start the service)
at.deny OR at.allow == control who may use at

at
now +## [minutes/hours/days]
>[command] then ctrl+d
at [time am/pm]
>[command] then ctrl+d

atq == list at queue
atrm # == remove job
-------------------------
cron.d == custom crons / crons that are managed by a program
-------------------------
anacron == only privileged users
/var/spool/anacron/ == timestamps kept by anacron for the last run of each job
anacron -f == Run all anacron jobs regardless of their last run timestamp

TARGETS/SERVICES
/usr/lib/systemd/system/ == location of services, targets, etc.
systemctl
is-enabled [service] == check if service is enabled on boot
is-active [service] == is the service active/on right now
enable/disable [service] == enable/disable service to start on boot
--type=target == list all active targets
--type=service == list all active services
set-default [target] == set the default target at boot
get-default == what is the default target to run at boot?
-t help == list all available unit types
list-dependencies [target]/[service] == list all dependencies (if no [target]/[service] is specified, the dependencies of the default target are listed)

/etc/systemd/system/[target_name].target.wants/[name].service == enabled services. A symlink from here to /usr/lib/systemd/system/[service] is created to enable

systemctl [subcommand] name.target
isolate == Move from one target to another (i.e. from multi-user to graphical interface to rescue mode, etc.)

ACLs (Access Control Lists)
Default working filesystem = xfs. ext works too, but ACL support must be specified when mounted
Gives a user access to a specific file/dir without making them part of the group or the owner. Adds a + to the permissions listing to show this for users/groups but not world.
getfacl == get ACL info
Can use to copy ACL info:
getfacl file1 | setfacl --set-file=- file2
(note the - after the =, this means read from standard input)
>mask == maximum effective permissions; overrides specific ACL entries; modified by chmod.
setfacl [flags+arguments] file/dir
-m == modify
u (notice no -) == user, used this way == u:username:permissions
g (notice no -) == group, see "u" for usage
>Note: u and g map to the UID/GID respectively, so if either one is changed for a user/group, the ACL will no longer apply to that user/group!
m (notice no -) == mask. Used this way == m::permissions
-d == set defaults for users inside a directory (goes before -m)
Default ACL on a directory == all files/dirs created under it will have this ACL, but the user still needs their own ACL permission on the directory itself
In other words, the ACL affects how the directory can be used (read, write, execute), and the default ACL affects the files/dirs the user makes inside
-x == remove ACL for user/group
--remove-default == removes all defaults
-R == recursive
You can combine, ex:
setfacl -m g:mygroup:rwx,u:myuser:rw directory
cp doesn't preserve ACL rules
mv does preserve ACL rules

Configure a System to Use an Existing Authentication Service
yum upgrade -y
yum install -y realmd
realm discover [hostname]
yum install -y [required packages]
realm join [hostname]
vim /etc/ssh/sshd_config == uncomment + allow authentication (kerberos?)
systemctl restart sshd

LOGS/JOURNALD
journalctl == systemd logs everything here (man systemd-journald). It is not persistent by default; it clears out after every reboot.

--since=yesterday == all logs since that day (only if persistent or the system hasn't been rebooted)

/etc/systemd/journald.conf == journald config file
/etc/rsyslog.conf
mail.* == "mail" is a facility, the type of program creating the log
*.emerg == "emerg" is a priority (info, debug, warning, etc.)
systemd-analyze == boot times
systemd-analyze blame == time taken by each unit during boot

VIRTUAL MACHINES
To install VM packages:
yum grouplist hidden (This will show virtualization packages)
yum groupinstall "Virtualization Client" "Virtualization Tools" "Virtualization Platform"

systemctl enable libvirtd
systemctl start libvirtd

virsh == CLI virtual machine manager
help
list --all
shutdown [vmname]
start [vmname]
autostart [vmname]
virt-manager == GUI virtual machine manager (applications > system tools > virtual machine manager)

FIREWALLD
yum install firewalld firewall-config

firewall-cmd [options]...
--help == help/info
--get-zones == shows you the zones available. All rules are saved in "zones"
--get-default-zone == you're always working in a zone; this shows you the default one a rule is applied to unless you specify a zone

--list-all == list all current rules for the default zone, unless you specify the zone:
--zone=[zone] --list-all
--list-all-zones == list all current rules for all zones

--reload == reload firewalld
--permanent == make rule permanent. Permanent rules are not applied until you reload

--add-port=[port #]/[tcp or udp] == add port with either tcp or udp
--add-source=[IP] == add source IP
--remove-port=[port #]/[tcp/udp] == remove port #
--remove-source=[IP] == remove source IP

SELINUX
Modes:
Enabled/Enforcing == monitoring + enforcing
Passive/Permissive == monitoring + logging but not enforcing
Disabled == not monitoring, logging or enforcing (reboot required to go into disabled mode)
getenforce == what mode are we in?
setenforce 0 == change to Passive/Permissive mode (if it's not the default, it will revert on reboot)
setenforce 1 == change to Enabled/Enforcing mode (if it's not the default, it will revert on reboot)
/etc/selinux/config == change the default mode, and the ability to disable (must reboot to apply disable)
ls -Z == list SELinux info
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file.out
Permissions / owner group / SELinux user : role : type : level / filename
type == which programs are allowed to access the file
semanage fcontext -l | grep [process/file/directory] == list all file context rules associated with [ ] in SELinux
restorecon [file/dir] == "restore" the context of [ ] based on where it is currently located
touch /.autorelabel == force a relabel of everything on reboot
semanage fcontext -a -t [context] '[file/path]'
-a (add) -t (type) : add a file/path to the SELinux context rules.
For example, adding a path, with an optional recursive match for all files/dirs, to the main httpd context rule:
semanage fcontext -a -t httpd_sys_content_t '/content(/.*)?'
semanage fcontext -d "[file/path]" == -d (delete) : remove a SELinux rule. Must restorecon that directory or file to apply
getsebool -a == list SELinux boolean values currently set
semanage boolean -l == list SELinux booleans with their default values
setsebool [-P] [boolean_rule] on/off == change a boolean rule. By default it's for this session only, but if you set [-P] then it becomes permanent.
yum install setroubleshoot-server == not pre-installed by default. The raw /var/log/audit/audit.log is not user friendly, so use: sealert -a /var/log/audit/audit.log

Key-Based Authentication for SSH
ssh-keygen == generate RSA private and public keys
ssh-copy-id [user]@[IP] == copy the public key (id_rsa.pub) to a remote machine

ssh-agent bash, then ssh-add == cache the ssh passphrase for this session

MANAGING NETWORK
nmcli con show == show network connections
nmcli dev status == like above, but cleaner + device state
nmtui == connection editor wizard

nmcli con [add/del] [use tab for options] == add/delete connections
nmcli con [up/down] "[connection name]" == bring up/down a connection
nmcli con mod "[connection name]" (use tab-tab to search) == modify a connection
+ipv4.dns [IP] == add a DNS resolver to a specific connection

/etc/sysconfig/network-scripts/ == network and device scripts

ip addr == show addresses on all devices
show [device] == optional, for seeing info on only one specific device
-s [what] show [device] == stats of device
ss == see listening ports + established connections
-a == all listening/established
-t / -u == tcp / udp
-n == numeric ports/addresses (no name resolution). Local address:port is on the left, peer address:port on the right.
hostname [hostname] == temporary hostname change
vi /etc/hostname == permanent hostname change

KERNEL
yum list kernel == list available/installed kernels
grub2-set-default [#] == change kernel used to boot
# == 0 most recent, 1 older, 2 even older, etc.
yum update kernel == update kernel
yumdownloader kernel == download kernel rpm
rpm -ivh kernel..[tab] == install new kernel (reboot to take effect)

INSTALL REDHAT w/ KICKSTART
A Kickstart file is automatically created by the anaconda installer at the end of a RHEL installation. It is saved in the root user's home directory with the name /root/anaconda-ks.cfg

yum install system-config-kickstart == install the kickstart config tool; use the same name to start the tool
At the install boot menu press TAB and append ks=[http/ftp]://path/to/file

TIME SERVICES
chronyd == the NTP daemon used instead of ntpd
timedatectl == time/date services
set-timezone [America/Los_Angeles]
set-time [hour:minute:second]

tzselect == timezone selection assistance (does not actually set it for you)
chronyc
sources -v == show ntp servers
tracking == verbose info on synchronization
/etc/chrony.conf == chrony config, pool of servers being used for sync

INSTALL/UPDATE/MANAGE PACKAGES/REPOS
yum == Yellowdog Updater, Modified
yum
check-update == list updates only, don't attempt to install
info [package] == info on a package
list installed [package] == check if a specific package is installed, not a result of everything named [package]
provides/whatprovides [path/file] == which package created this file/directory
yumdownloader [package] == download a package
-----------------------------
rpm -[flag below] [package]
-i == install
-e == erase
-vh == verbose + progress bar
-U == update package
-qa == check if package installed
-ql == list files installed
-qc == config files
-qd == documentation files
yum localinstall [package] == install a local rpm file using yum
--------------------------------------
yum repolist all == list all enabled and disabled repos
yum-config-manager
--add-repo [url] == add a repo file
--disable [repo ID from yum repolist all] == disable a repo
------------------------------------------
Repo files must end in .repo :
[repo id]
name=name of my repo
baseurl=file:///path/to/directory OR https://url.domain.com
enabled=1
gpgcheck=0
OR
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/GPGKEYURL
gpg keys location == /etc/pki/rpm-gpg/ (use wget to download)

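The repo file layout above admits two weak configurations: gpgcheck=0 (packages installed unverified) and gpgcheck=1 with no gpgkey= (verification claimed but no key to verify against). As an added example, not part of the original cheat sheet, the checker below walks a directory of .repo files and reports both; the sample repo files are constructed in a temporary directory so it never touches /etc/yum.repos.d.

```shell
# Added example: audit .repo files for repos that skip or cannot perform GPG
# verification. Repo ids, names and URLs in the sample are constructed.

# check_repo_dir DIR -> prints "<file> [<repo id>]: <finding>" per weak repo,
# returns 0 when every repo verifies packages, 1 otherwise.
check_repo_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        # awk walks the INI-style sections; each section is judged when the
        # next [header] starts or at end of file.
        out=$(awk -v file="$(basename "$f")" '
            function flush() {
                if (id == "") return
                if (check == "0")                    printf "%s [%s]: gpgcheck=0\n", file, id
                else if (check == "1" && key == "")  printf "%s [%s]: gpgcheck=1 but no gpgkey\n", file, id
                else if (check == "")                printf "%s [%s]: gpgcheck not set\n", file, id
            }
            /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); check = ""; key = ""; next }
            /^[ \t]*(#|;)/ { next }
            /^gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); check = $0 }
            /^gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); key = $0 }
            END { flush() }' "$f")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: one well-formed repo file and one with two weak repos.
# Prints the temporary directory it created.
make_sample_repos() {
    dir=$(mktemp -d)
    cat > "$dir/good.repo" <<'EOF'
[internal-good]
name=Signed internal repo
baseurl=https://repo.example.internal/rhel7
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
EOF
    cat > "$dir/weak.repo" <<'EOF'
[local-unsigned]
name=Unsigned local repo
baseurl=file:///srv/repo
enabled=1
gpgcheck=0

[mirror-nokey]
name=Mirror that claims to verify
baseurl=https://mirror.example.internal/rhel7
enabled=1
gpgcheck=1
EOF
    printf '%s\n' "$dir"
}
```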
STORAGE
fdisk /path/to/device == MBR partitions only
For "last sector" (i.e. size of partition), you can do +#M/G. Example: +500M is 500 MB, +25G is 25 GB
Don't forget to hit 'w' to write changes!
mkfs [flag and option] /path/to/partition
-t [type] == specify type of filesystem; Red Hat defaults to xfs
blkid == see device info (including UUID)
>Need to create a location to mount the device, generally done in /mnt/
mount -U [UUID] [mount path] ← this method is preferred, but you can also do mount [device path] [mount path]
umount [mount path] ← NOT the device path
partprobe == have linux reload the partition table
----------------------------------------------
gdisk /path/to/device == newer, better, does GPT entries. Do not use on MBR drives or it will automatically convert the MBR to GPT
>Same steps as fdisk to set up a partition
---------------------------------------------
Physical Drives >> LVG >> LVM >> Application
LVG == Logical Volume Group. Combination of physical drives as one group.
LVM == Logical Volume Manager. Works between the OS and the physical drives to virtually combine physical drives to act together as one.

tl;dr :
Partition drives as LVM, create physical volumes, create volume group(s), create logical volume(s), mkfs
>fdisk/gdisk the drives but change the partition type to Linux LVM
pvcreate /path/to/partition1 /path/to/partition2 ...
vgcreate [volume group name to create] /path/to/partition1 /path/to/partition2 ...
lvcreate -n [LV name to create] -L [size wanted, ex: 10G] [name of volume group to use]
>mkfs to set up the filesystem to be used
>mount it somewhere

lvremove /path/to/logical/volume == remove logical volume
vgremove [volume group name]
pvremove /path/to/partition1 /path/to/partition2

pvdisplay == view physical volumes
vgdisplay == view volume groups
lvdisplay == view logical volumes

To add physical volumes to a volume group:
vgextend [group name] /path/to/partition
To remove physical volumes from a volume group:
vgreduce [groupname] /path/to/partition

To extend a logical volume:
lvextend -L [# in B/M/G] /path/to/logicalvolume
>can use -l to specify extents instead of specific disk space
>if no + is used before # then you're setting the new total size, otherwise a + means you want to grow the volume by that amount

This extends the size of the volume, not the size of the filesystem, so:
for xfs: xfs_growfs /path/to/mount
(remember xfs cannot be shrunk!)
for ext: resize2fs /path/to/logicalvolume

--------------------------------------------------------------
xfs_admin (for xfs) // tune2fs (for ext)
-L [name] /path/to/partition == label partition
-l /path/to/partition == show label name
/etc/fstab == persistent mounts; self-explanatory (fields separated by a space or tab)
UUID= or LABEL= or /path/to/partition   mount point   filesystem_type   defaults   [dump: 0/1]   [fsck pass: 0/1/2]
-----------------------------------------------------------------
To make swap:
from a logical volume: pvcreate, vgcreate, lvcreate
OR
from a physical partition: partition like normal, but using swap as the type/system id
Then mkswap [/path/to/volume-group/logical-volume] or [/path/to/partition]
swapon/swapoff /path/to/swap == swapon is NOT persistent
For persistence, in fstab:
UUID=xxxxx swap swap defaults 0 0
swapon/swapoff -a == enable/disable all swaps listed in fstab
-----------------------------------------------------------------
dumpe2fs == dump a bunch of info on an ext partition
xfs == parallel processing, throughput
vfat == deprecated, but accessible by windows + linux
ext4 == default for new linux based OS
-----------------------------------------------------------------
CIFS == common internet file system, creating shares among internet/intranet
(ex: samba)
NFS == network file system
yum install cifs-utils nfs-utils
CIFS:
Temporary
mount -t cifs -o username=xxxx //server_IP/sharename /path/to/mount
Persistent (fstab) (the following way is insecure, the password sits in plain text in fstab, but it passes RHCSA)
//server_IP/sharename /path/to/local/mount cifs username=xxxx,password=xxxx 0 0
NFS:
Temporary
mount -t nfs server_IP:/shareroot /path/to/mount
Persistent (fstab)
server_IP:/remote/mount/location /local/mount/destination nfs defaults 0 0
Test these with: mount -a (after a manual umount)

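The fstab rules in this section (six fields per entry, UUID=/LABEL= preferred over a bare device path, pass 0 for swap, and the insecure inline CIFS password) can be checked mechanically. As an added example that is not part of the original cheat sheet, the linter below applies them to a constructed fstab written to a temp file; the credentials= mount option it suggests is the standard mount.cifs alternative to an inline password.

```shell
# Added example: lint an fstab-style file for the issues this section calls out.
# lint_fstab FILE -> prints "line N: finding" per issue; returns 1 if any found.
lint_fstab() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
        {
            bad = 0
            if (NF != 6) { printf "line %d: expected 6 fields, got %d\n", NR, NF; bad = 1 }
            else {
                src = $1; fstype = $3; opts = $4; pass = $6
                # password=... in the options field is readable by anyone who can read fstab
                if (fstype == "cifs" && opts ~ /(^|,)password=/)
                    { printf "line %d: cifs password stored inline, use credentials=<file> (mode 0600)\n", NR; bad = 1 }
                # swap is never fsck-ed, so its pass field must be 0
                if (fstype == "swap" && pass != "0")
                    { printf "line %d: swap entry has fsck pass %s, expected 0\n", NR, pass; bad = 1 }
                # device names can change between boots; UUID= or LABEL= is stable
                if (src ~ /^\/dev\//)
                    { printf "line %d: bare device path %s, prefer UUID= or LABEL=\n", NR, src; bad = 1 }
            }
            if (bad) issues++
        }
        END { exit issues ? 1 : 0 }' "$1"
}

# Constructed sample fstab (UUIDs, hosts and the password are made up); prints its path.
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real system fstab
UUID=11111111-2222-3333-4444-555555555555 /      xfs  defaults 0 0
LABEL=data                                /data  ext4 defaults 0 2
/dev/mapper/vg0-lv_home                   /home  xfs  defaults 0 0
UUID=66666666-7777-8888-9999-000000000000 swap   swap defaults 0 1
//10.0.0.5/share  /mnt/share cifs username=svc,password=hunter2 0 0
10.0.0.6:/export  /mnt/nfs   nfs  defaults 0 0
10.0.0.7:/export  /mnt/nfs2  nfs  defaults 0
EOF
    printf '%s\n' "$f"
}
```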
OTHER
cat /proc/cpuinfo == show system/cpu info
In RHEL 7.0, you could write:
# nmcli con mod myConn ipv4.addresses "10.0.0.10/24 10.0.0.1"
Since RHEL 7.1, you have to do it in two steps:
# nmcli con mod myConn ipv4.addresses 10.0.0.10/24
# nmcli con mod myConn ipv4.gateway 10.0.0.1