Interrupt the Boot Process in Order to Gain Access to a System

To start the system in the Rescue target, during boot process edit the grub config kernel line by adding to the end: systemd.unit=rescue.target

1. During boot process, edit grub config kernel line “linux16” by adding to the end: rd.break

2. mount –o remount,rw /sysroot

3. chroot /sysroot

4. passwd

5. touch /.autorelabel

6. exit then exit again

REDIRECTION

&> == Redirect both

2>&1 == Redirect standard error to output

UMASK

Default: 666 files / 777 directories

Permanent adjust for users: /etc/profile and /etc/bashrc

SHUTDOWN/REBOOT

shutdown [flags/arguments]

	-r == reboot

	-h / P == halt / power-off

	+# / 00:00 == in minutes / military time

systemctl [halt/poweroff/reboot]

PERMISSIONS

chmod 

	g+s [directory] // chmod 2xxx == all files/dir created inside will be created 				with the group ownership of this directory

	u+s [file] // chmod 4xxx [file] == execute as owner of file

	1xxx [directory] == files/dir inside cannot be deleted except by owner of that 				file/dir

	capital letter == apply only to directories

NICE

19 (least) to -20 (most)

nice 

	–n # [name] == start process with specific process, the -n IS required

renice 

	–n # [pid] == renice a specific process by id 

	-n # $(pgrep [name]) == renice every process found by pgrep ($ creates a subshell)

PROCESSES

pgrep [flag] [name] == shows process id and name

	-l == list process name

	-u [username] == find only those owned by [username]

	-v == inverse results (Ex: pgrep –v –u root == all processes not owned by 		root)

	-t [pts/#] == kill all process started by that user/terminal window, but user 			stays logged in

SIGHUP/1 == Closing terminal

SIGINT/2 == Keyboard interrupt (ctrl + c)

SIGQUI/3 == Parent process tells it to quit

SIGKILL/9 == Murder the process. Do not pass go.

SIGTERM/15 == Stop, cleanup, and quit. DEFAULT used when kill/pkill

SIGCONT/18 == Continue

SIGSTOP/19 == Stop

kill [pid] == kill a specific process

pkill [name] == kill all processes of that name

ps axo nice,comm,pid,user

LOAD

0.00 , 0.00, 0.00 == 1 minute, 5 minutes, 15 minutes

0.00 (min) / # of processors == % of cpu usage

	1 cpus w/ 1.00 == 100% cpu power

	2 cpus w/ 1.50 == ~75% cpu power

USERS/GROUPS

useradd // usermod // userdel // chage

groupadd // groupmod // groupdel

newgrp == change my current group ID during this login session

/etc/passwd == username: x: user id: group id: nickname: home dir: login

/etc/shadow == username: pw hash: last pw change unix epoc: min days before pw change: max days before required pw change: # of days of warning before pw expire: max active days after pw expire: account expiration date

/etc/skel == skeleton user directory

user login defaults == /etc/login.defs

Other defaults == /etc/defaults/

TAR/GZIP

**Extracting by default overwrites local files**

tar -cvzf NAME.tar.gz [files/directories]

	-c == create

	-v == verbose

	-z == gzip

	-x == gunzip 

	-f == name the file

	-t = look inside without unpacking

	-d == see difference between local and archived

TRANSFERING FILES

scp /path/to/local/file user@remotehost:/path/to/destination

sftp user@remotehost

	-can use basic CLI commands such as ls and mkdir

	-“get” == download file from remote

	-“put” == upload file to remote

	-“?” == help/commands

To Push:

rsync -a /path/to/file_or_dir user@remotehost:/path/to/destination

To Pull:

rsync -a user@remotehost:/path/to/remote/dir_or_file /path/to/local/destination

	-a == stands for "archive" and syncs recursively and preserves symbolic 		links, special and device files, modification times, group, owner, and 		permissions

	-nv == verbose dry run

	-z == compress first

	-P == combines progress and partial flag, gives a progress bar for the 			transfers and allows you to resume interrupted transfers

	--exclude=/what/to/exclude

By default, rsync does not delete anything from the destination directory, but can change this behavior with the --delete option

AT, CRON,  ANACRON

AT does not create reoccurring events, only a one time scheduled future event. 

If system is off during cron time, cron is missed. 

Anacron checks last time cron was run.

yum install at 

(then make sure to enable & start the service)

at.deny OR at.allow

at

	now +## [minutes/hours/days]

		>[command] then ctrl+d

	at [time am/pm]

		>[command] then ctrl+d

atq == list at queue

atrm # == remove job

-------------------------

cron.d == custom crons / crons that are managed by a program

–---------------------------

anacron == only privileged users

/var/spool/anacron/ == logs kept by anacron for last run cycle of a cron

anacron -f == Run all anacronjobs regardless of their last run timestamp

TARGETS/SERVICES

/usr/lib/systemd/system/ == location of services, targets, etc

systemctl 

	is-enabled [service] == check if service is enabled on boot

	is-active [service] == is the service active/on right now

	enable/disable [service] == enable/disable service to start on boot

	--type=target == list all active targets

	--type=service == list all active services

	set-default == set default runlevel at boot

	get-default == what is the default target to run at boot?

	-t help == list all available system config units

	list-dependencies [target]/[service] == list all dependencies (if no [target]/	[service] specified, then the dependencies of target you are in now are listed)

/etc/systemd/system/[target_name].target.wants/[name].service == enabled services. Symlink from here to /usr/lib/systemd/system/[service] is created to enable

systemctl XXXXX name.target

	isolate == Move from one target to another (i.e. from multi-user to graphical 	interface to rescue mode, etc.)

ACLs (Access Control Lists)

default working filesystems= xfs. Ext works too but must be specified when mounted

Gives user access to specific file/dir without making them part of the group or the owner. Adds a + to permissions to show this for users/groups but not world.

getfacl == get ACL info

	Can use to copy ACL info:

		getfacl file1 | setfacl --set-file=- file2

		(note the - after the =, this implies coming from std input)

	>mask == maximum level permissions; overrides specific ACL; modified by chmod.

setfacl [flags+arguments] file/dir

	-m == modify

	u (notice no -) == user, used this way == u:username:permissions

	g (notice no -) == group, see “u” flag for usage

>Note: u and g map to the UID/GID respectively, so if either one is changed for a user/group, ACL will no longer apply to that user/group!

	m (notice no -) == mask. Used this way == m::permissions

	-d == set defaults for user inside directory (goes before -m)

Default ACL on directory == all files/dir created under will have this ACL, but the user still needs to have their own ACL permission on the directory

In other words, ACL affects how the directory can be used (read, write, execute), and default ACL affects the files/dirs the user makes inside

	-x == remove ACL for user/group

	--remove-default == removes all defaults

	-R == recursive

You can combine, ex:

	setfacl -m g:mygroup:rwx,u:myuser:rw directory

cp doesn’t preserve ACL rules

mv does preserve ACL rules

Configure a System to Use an Existing Authentication Service

yum upgrade –y

yum install –y realmd

realm discover [hostname]

yum install –y [required packages]

realm join [hostname]

vim /etc/ssh/sshd_config == uncomment + allow authentication (kerberos?)

systemctl sshd restart

LOGS/JOURNALD

journalctl == systemd logs everything here (man systemd-journald). It is not 			persistent, it clears out after every reboot. 

	--since=yesterday == all logs since that day (only if persistent or hasn’t been 					rebooted)

/etc/system/journald.conf == journald config file

/etc/rsyslog.conf

	mail.* == “mail” is a facility, the type of program creating log

	*.emerg == “emerg” is priority. Info, debug, warning, etc.

systemd-analyze == boot times

systemd-analyze blame == specific times for boot processes

VIRTUAL MACHINES

To install VM packages:

yum grouplist hidden (This will show virtualization packages)

yum groupinstall "Virtualization Client" "Virtualization Tools" "Virtualization Platform"

systemctl enable libvirtd

systemctl start libvirtd

virsh == CLI virtual machine manager

	help

	list --all

	shutdown [vmname]

	start [vmname]

	autostart [vm-name]

virt-manager == GUI virtual machine manager (applications > system tools 			> virtual machine manager)

FIREWALLD

yum install firewalld firewall-config

firewall-cmd [options]…

--help == help/info

--get-zones == shows you the zones available. all rules are saved in “zones”

--get-default-zone == youre always working in a zone, this shows you the default one a rule is applied to unless you specify a zone

--list-all == list all current rules for the default zone, unless you specify the zone:

--zone=[zone] -- list-all

--list-all-zones == list all current rules for all zones

--reload == reload firewalld

--permanent == make rule permanent. Permanent rules are not applied until you reload

--add-port=[port #]/[tcp or udp] == add port with either tcp or udp

--add-source=[IP] == add source IP

--remove-port=[port #]/[tcp/udp] == remove port #

--remove-source=[IP] == remove source IP

SELINUX

Modes:

	Enabled == monitoring + enforcing

	Passive == monitoring + logging but not enforcing

	Disabled == Not monitoring or logging or enforcing (reboot required to go 			into disabled mode)

getenforce == what mode are we in?

setenforce 0 == change to Passive/Permissive mode (if its not the default, it will 			revert on reboot)

setenforce 1 == change to Enabled/Enforcing mode (if its not the default, it will 			revert on reboot)

/etc/selinux/config == Change default level, and ability to Disable (must reboot to 				apply disable)

ls –Z == list SELinux info

	-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file.out

	Permissions / user:group / user / role / type / filename

	type = specific program or permissions allowed to access

semanage fcontext -l | grep [process/file/directory] == list all files/dirs associated with [ ] 									in SELinux

restorecon [file/dir] == “restore” context of [ ] based on where it currently is located

touch /.autorelabel == force relabel everything on reboot

semanage fcontext -a -t [context] '[file/path]'

	-a (add) -t (type) : add a file/path to SELinux context rules. 

	For example, adding a path with optional recursive to all files/dirs to the main httpd 	context rule:

	semanage fcontext -a -t httpd_sys_content_t '/content(/.*)?'

semanage fcontext -d "[file/path]" == -d (remove) : remove SELinux rule. Must restorecon in 						that directory or the file to apply

getsebool -a == list SELinux boolean values currently set

semanage boolean -l == list SELinux boolean default values

setsebool [-P] [bolean_rule] on/off == change Boolean rule. By default its for this session only, 						but if you set [-P] then it because permanent.

yum install setroubleshoot-server == not pre-installed by default. Creates 									/var/log/audit/audit.log but not user friendly so use: 						sealert -a /var/log/audit/audit.log

Key-Based Authentication for SSH

ssh-keygen == generate RSA private and public keys

ssh-copy-id [user]@[IP] == copy the public key (id_rsa.pub) to a remote machine

ssh-agent bash && ssh-add == cache ssh passphrase for this session

MANAGING NETWORK

nmcli con show == show connected network devices

nmcli dev status == like above, but cleaner + state

nmtui == connection editor wizard

nmcli con [add/del] [use tab for options] == add/delete connections

nmcli con [up/down] “[connection name]” == bring up/down connection

nmcli con mod “[connection name]” (use tab-tab to search) == modify connection

	+ipv4.dns [IP] == add DNS resolver to specific connection

/etc/sysconfig/network-scripts/ == network and device scripts

ip addr == show connections

	show [device] == optional for seeing info one only specific device

	-s  [what] show [device] == stats of device

ss == see listening ports + established connections

	-a == all listening/established

	-t / u == tcp / udp

	-n == include port. External on left, internal on right.

hostname [hostname] temporary hostname change

vi /etc/hostname == permanent hostname change

KERNEL

yum list kernel == list available/installed kernels

grub2-set-default [#] == change kernel used to boot

	# == 0 most recent, 1 older, 2 even older, etc

yum update kernel == update kernel

yumdownloader kernel == download kernel rpm

rpm -ivh kernel..[tab] == install new kernel (reboot to take effect)

INSTALL REDHAT w/ KICKSTART

A Kickstart file automatically gets created by the  anaconda installer at the end of a RHEL installation. It is saved at the root user s home directory, and has the name /root/anaconda-ks.cfg

yum install system-config-kickstart == install kickstart config tool, use same name 						to start tool

TAB at boot install, ks=[http/ftp]://path/to/file

TIME SERVICES

chronyd == what ntp uses as a daemon, instead of ntp.d

timedatectl == time/date services

	set-timezone [America/Los_Angeles]

	set-time [hour:minute:second]

tzselect = timezone selection assistance (does not actually set it for you)

chronyc 

	sources -v == show ntp servers

	tracking == verbose info on synchronization

/etc/chrony.conf == chrony config, pool of servers being used for sync

INSTALL/UPDATE/MANAGE PACKAGES/REPOS

yum == yellow-dog updater modified

yum

	check-update == list updates only, don't attempt to install

	info == info of package

	list installed [package] == check if specific packaged installed, not a result of 				everything named [package]

	provides/whatprovides [path/file] == what created this file/directory

yumdownloader == download package

-----------------------------

rpm -[flag below] [package]

	-i == install

	-e == erase

	-vh == verbose + progress bar

	-U == update package

	-qa == check if package installed

	-ql  == list files installed

	-c == config files

	-d == documentation files

rpm localinstall [package] == install using yum

--------------------------------------

yum repolist all == list all enabled and disabled repos

yum-config-manager 

	add-repo [url] == add repo file

	--disabled [repo ID from yum repolist all]

------------------------------------------

Repo files must end in .repo :

[repo id]

name=name of my repo

baseurl=file:///path/to/directory OR https://url.domain.com

enabled=1

gpgcheck=0 

OR

gpgcheck=1

gpgkey=file:///etc/pki/rpm-gpg/GPGKEYURL

gpg keys location = /etc/pki/rpm-gpg/  (use wget to dowload)

STORAGE

fdisk /path/to/mount == mbr partitions only

	For “last sector” (i.e. size of partition), you can do +#M/G . Example: +500M 		is 500 MB, +25G is 25GB

	Don't forget to hit ‘w’ to write changes!

mkfs [flag and option] /path/to/partition

	-t [type] == specify type of filesystem, red hat defaults as xfs

blkid == see device info

>Need to create location to mount device, generally done in /mnt/

mount -U [UUID] ← this method is preferred but can also do mount [device path] 			[mount path]

umount [mount path] ← NOT device path

partprobe == have linux reload partition table

----------------------------------------------

gdisk /path/to/mount == newer, better. does GPT entries. Do not use on mbr drives or it will automatically convert the mbr to gpt

>Same steps as fdisk to setup a partition

---------------------------------------------

Physical Drives >> LVG >> LVM >> Application

LVG == Logical Volume Group. Combination of physical drives as one group.

LVM == Logical Volume Manager. Works between the OS and physical drive to 	virtually combine physical drives to act together as one. 

tl;dr : 

Partition drives as LVM, create physical volumes, create volume group(s), create logical volume(s), mkfs

>fdisk/gdisk the drives but change partition type to Linux LVM

pvcreate /path/to/partiton1 /path/to/partition2 …

vgcreate [volume group name to create] /path/to/partition1 /path/to/partition2 ...

lvcreate -n [LV name to create] -L [size wanted, ex: 10G] [name of volume group to use]

>mkfs to setup filesystem to be used

>mount it somewhere

lvremove /path/to/logical/volume == remove logical volume

vgremove [volume group name]

pvremove /path/to/parition1 /path/to/partition2

pvdisplay == view physical volumes

vgdisplay == view volume groups

lvdisplay == view logical volumes

To add physical volumes to a group volume:

vgextend [group name] /path/to/partition

To remove physical volumes from a group volume:

vgreduce [groupname] /path/to/partition

To extend logical volume:

lvextend -L [# in B/M/G] /path/to/logicalvolume

	>can use -l to specify extends instead of specific disk space)

	>if no + is used before # then you're changing the max, otherwise a + 	means you want to grow the partition by that amount

This extends size of volume, not size of filesystem, so:

for xfs: xfs_growfs /path/to/mount

	(remember xfs cannot be shrunk!)

for ext: resize2fs /path/to/mount

--------------------------------------------------------------

xfs_admin (for xfs) // tune2fs (for ext)

	-L [name] /path/to/partition == label partition

	-l /path/to/partition == show label name

/etc/fstab == persistent mounts; self-explanatory; (each separated by a space or tab)

UUID= or LABEL= or /path/to/partition		mount point		filesystem_type	defaults	1 #  

-----------------------------------------------------------------

To make swap:

	from logical volume: pvcreate, vgcreate, lvcreate

	OR

	from physical mount: partition like normal, but using swap as type/system id

Then mkswap [/path/to/volume-group/logical-group] or [/path/to/parition]

swapon/swapoff /path/to/mount/ == swapon is NOT persistent

For persistence, in fstab:

	UUID=xxxxx		swap		swap		0 0

swapon/swapoff -a == mount/unmount all swaps

-----------------------------------------------------------------

dumpe2fs == dump a bunch of info on the partition

xfs == parallel processing, throughput

vfat == deprecated, but accessible by windows + linux

ext4 == default for new linux based OS

-----------------------------------------------------------------

CIFS == common internet file system, creating shares among internet/intranet 

	(ex: samba)

NFS == network file system

yum install cifs-utils nfs-utils

CIFS:

Temporary

mount -t cifs -o username=xxxx //server_IP/sharename /path/to/mount

Persistant (fstab) (following way is insecure but it passes RHCSA)

//server_IP/sharename	/path/to/local/mount	cifs	username=xxxx,password=xxxx	0 0

NFS:

Temporary

mount -t nfs server_IP:/shareroot /path/to/mount

Persistant (fstab)

server_IP:/remote/mount/location	/local/mount/destination	nfs	defaults	0 0

Test these with: mount -a  (after manual umount)

OTHER

cat /proc/cpuinfo == show system/cpu info

In RHEL 7.0, you could write:

# nmcli con mod myConn ipv4.addresses "10.0.0.10/24 10.0.0.1"

Since RHEL 7.1, you have to do it in two steps:

# nmcli con mod myConn ipv4.addresses 10.0.0.10/24

# nmcli con mod myConn ipv4.gateway 10.0.0.1