Linux System Administration Guide

CHAPTER 1

SSH


ssh-keygen
ssh-copy-id server0
connect:
ssh server0
show the remote hostname:
ssh server0 hostname
HELP FROM RED HAT
redhat-support-tool
opencase --product="Red Hat Enterprise Linux" --version="7.0"
listcases
modifycase
to attach an sosreport, generate it first:
sosreport
then send it as an attachment
JFI: find / -type f -name "asdfasdf.Txt"
CHAPTER 2
MANAGING FILES USING COMMAND-LINE TOOLS
Basic operations
cp
mv
rm
mkdir
Making Links Between Files
Differences between symbolic link and hard link
Let's summarize our findings. The list below summarizes some differences between a symlink and a hard link:
A hard link cannot be created for a directory (folder); hard links can only be created for files.

A symbolic link (symlink) can point to a directory (folder).
Removing the original file that your hard link points to does not remove the hard link itself; the hard link still provides the content of the underlying file (both names refer to the same inode).
If you remove the hard link or the symlink itself, the original file stays intact.
Removing the original file does not remove the attached symlink, but without the original file the symlink is dangling and useless (the same concept as a Windows shortcut).
Example:
$ ln fileA fileB
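Added example, not part of the original notes: a script that exercises the hard link vs symlink rules above in a throwaway directory and reports what it observed. It assumes GNU coreutils (stat -c, mktemp -d).

```shell
# Added example: hard link vs symlink behaviour, checked on a real filesystem.
# Everything happens inside a scratch directory that is removed at the end.
link_demo() {
    dir=$(mktemp -d) || return 1
    printf 'payload\n' > "$dir/fileA"
    mkdir "$dir/sub"
    ln "$dir/fileA" "$dir/fileB"      # hard link: a second name for the same inode
    ln -s fileA "$dir/fileC"          # symlink: a small file holding the path "fileA"

    # A hard link shares the inode, so the file's link count becomes 2
    same_inode=no
    [ "$(stat -c %i "$dir/fileA")" = "$(stat -c %i "$dir/fileB")" ] && same_inode=yes
    links_before=$(stat -c %h "$dir/fileA")

    # Hard-linking a directory is refused by the kernel
    dir_hardlink=refused
    ln "$dir/sub" "$dir/sublink" 2>/dev/null && dir_hardlink=allowed

    rm "$dir/fileA"                   # remove the original name only

    # The hard link still delivers the content; the symlink now dangles
    hard_ok=no
    [ "$(cat "$dir/fileB")" = payload ] && hard_ok=yes
    sym_dangling=no
    [ -L "$dir/fileC" ] && [ ! -e "$dir/fileC" ] && sym_dangling=yes
    links_after=$(stat -c %h "$dir/fileB")

    rm -rf "$dir"
    echo "same_inode=$same_inode links_before=$links_before dir_hardlink=$dir_hardlink hard_ok=$hard_ok sym_dangling=$sym_dangling links_after=$links_after"
}

link_demo
```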
CHAPTER 3
USERS AND GROUPS
USER
id – current logged-in user information
uid=1016(alice) gid=100(users) groups=100(users)
ps – process information
ps au
MANAGING LOCAL USER ACCOUNTS
useradd username
Example adding user:
useradd dolly
passwd dolly
$ # would create user gert and group gert
$ sudo adduser gert
$ # same, but no group 'gert' will be created; gert is made a member of the existing
$ # group 'adm' instead
$ sudo adduser gert --ingroup adm
usermod
/etc/login.defs
usermod
-a --append – add to a supplementary group without removing the user from other groups;
used with -G, as in -aG
-d – specify a new home directory
-m – move the contents of the home directory;
used with -d, as in -dm /anotherhome
-L – lock
-U – unlock
userdel
userdel username
userdel -r – removes the user together with the home directory [dangerous without -r: the leftover files stay owned by the old UID and become owned by whichever new user is later assigned the same UID]
specify -u UID – set the user ID explicitly, for security
id
displays user information
id username
passwd username
UID ranges
0 root
1-200 system users assigned to system processes by Red Hat
201-999 system users assigned to system processes
1000+ regular users
SUPPLEMENTARY GROUPS
GROUPADD creates groups
groupadd groupname
-g GID specify GID
sudo groupadd -g 5000 ateam
-r – create a system group, taking a GID from the system range
-n newname – rename the group (a groupmod option)
GROUPMOD modifies existing groups
-n new group name
groupmod -n javaapp appusers
-g new GID
groupmod -g 6000 ateam
GROUPDEL deletes a group
groupdel javaapp
USERMOD alters group membership
usermod -g student student
ADD TO SUPPLEMENTARY GROUP
usermod -aG wheel elvis
usermod -G or -aG supergroup,amazinggroup adds to several supplementary groups
!! id shows the list of primary and supplementary groups
MANAGING USER PASSWORDS
SHADOW PASSWORD AND PASSWORD POLICY
Manual lock, or by setting a password-aging policy in the shadow password file.
The hash field is $id$salt$hash; the id selects the hashing algorithm: 1 is MD5, 5 is SHA-256, 6 is SHA-512
(MD5 is legacy and weak; expect 6 on a current system)
PASSWORD AGING
ACCOUNT EXPIRATION – CHAGE
chage -d 0 student
force a password change at next login
chage -l student
list current settings
chage -e 2020-12-12 student
account expires on that date
RESTRICTING ACCESS
usermod -L student
usermod -U student
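Added example, not part of the original notes, covering both the shadow hash ids above and the lock prefix that usermod -L writes: a small audit that classifies the password field of shadow-format lines. The sample lines are constructed (placeholder hash bodies), not taken from any real system.

```shell
# Added example: classify the password field of /etc/shadow-style lines.
shadow_hash_type() {
    case "$1" in
        '$1$'*)  echo md5 ;;        # legacy, weak: flag for re-hashing
        '$5$'*)  echo sha256 ;;
        '$6$'*)  echo sha512 ;;
        '!!')    echo never-set ;;  # account created, password never assigned
        '!'*)    echo locked ;;     # usermod -L / passwd -l prefixes '!' to the hash
        '*')     echo no-password-login ;;
        '')      echo EMPTY ;;      # empty field: login without any password
        *)       echo other ;;
    esac
}

# Reads shadow-format lines on stdin; prints "user type" per line
shadow_audit() {
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        echo "$user $(shadow_hash_type "$hash")"
    done
}

# Constructed sample (hash bodies are placeholders, not real hashes)
SAMPLE='root:$6$saltA$HASHPLACEHOLDER:18000:0:99999:7:::
alice:$1$saltB$HASHPLACEHOLDER:18000:0:99999:7:::
bob:!$6$saltC$HASHPLACEHOLDER:18000:0:99999:7:::
carol:!!:18000:0:99999:7:::
sync:*:18000:0:99999:7:::
guest::18000:0:99999:7:::'

printf '%s\n' "$SAMPLE" | shadow_audit
```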
THE NOLOGIN SHELL
usermod -s /sbin/nologin student
usermod -s /bin/bash student [restore a login shell]
USING IDENTITY MANAGEMENT SERVICES
USER INFO AND AUTH SERVICES
2 services at least:
account information such as UID/GID, home directory ...
authentication information such as the hashed password, LDAP info ...
ATTACHING A SYSTEM TO CENTRALIZED LDAP AND KERBEROS SERVERS
Various files need to be configured, so Red Hat made some utilities:
authconfig – automates this across a number of systems
authconfig-tui – with a text UI
authconfig-gtk – graphical interface; can also be launched as system-config-authentication
NECESSARY LDAP PARAMETERS
authconfig needs for the LDAP connection:
LDAP hostname
base DN of the tree where users are located
encryption info
sssd package installed
NECESSARY KERBEROS PARAMETERS
authconfig needs for the Kerberos connection:
realm (domain name) of the Kerberos machine
key distribution center (KDC), i.e. its hostname
hostname of one or more admin servers
package:
krb5-workstation
USING authconfig-gtk
Fill in the forms ... and go practice )
ATTACHING A SYSTEM TO AN IPA SERVER
Red Hat IPA server
Using IPA client
ipa-client-install is the specialized tool
ipa-client package
ipa-client takes its info from DNS on first start
default user is admin
JOINING A SYSTEM TO ACTIVE DIRECTORY
Admins may configure it in 2 ways:
authconfig using samba-winbind (winbind), or
the sssd and realmd packages
realm discover domain.example.com
realm join domain.example.com
--user to log in with another user account
AD is joined, but logins are still disabled:
sudo realm permit --realm domain.example.com --all
to allow only certain users replace --all:
sudo realm permit --realm domain.example.com DOMAIN\\Itchy DOMAIN\\Scratchy
CHAPTER 4
FILE PERMISSIONS
MANAGING FROM THE COMMAND LINE
CHANGING FILE/DIRECTORY PERMISSIONS
chmod – change mode
mode – another name for permissions
chmod ### file|directory
r = 4, w = 2, x = 1
4+2+1 = 7 (rwx)
u g o a = user, group, others, all
+ adds, - removes, = sets exactly
rws – an s in the execute position means setuid/setgid
chmod -R applies to the directory and everything inside it
X – execute only for directories (and files already executable)
x – files as well
ex: chmod -R g+rwX demodir
chown -R student dir
chown :admins dir
chown gani:admins dir
MANAGING DEFAULT PERMISSIONS AND FILE ACCESS
SPECIAL PERMISSIONS
setuid (or setgid), ex: passwd
setuid = u+s
setgid = g+s
sticky = o+t
numeric: setuid 4, setgid 2, sticky 1, as a leading fourth digit
! Ex: chmod g+s dir
chmod 2770 dir
DEFAULT FILE PERMISSIONS
umask is the default setter for permissions
umask default is 0002 – the digits work the other way round: they clear bits; 0002 clears write permission for others
077 – clears group and other permissions
007 – clears other permissions
027 – clears group write and all other permissions
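Added example, not part of the original notes: predicts the mode each umask above leaves on a new file (base 666) and directory (base 777), then confirms it by actually creating both under that umask. Assumes GNU coreutils (stat -c, mktemp -d).

```shell
# Added example: umask bits are subtracted from the base mode, never added.
umask_predict() {
    # $1 = base mode (666 for files, 777 for dirs), $2 = umask; every bit set
    # in the umask is cleared from the base ("the digits work the other way round")
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

umask_observe() {
    # Create a file and a directory under umask $1 in a scratch dir and report
    # the modes the kernel actually assigned
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/f" && mkdir "$dir/d" ) || return 1
    printf 'file=%s dir=%s\n' "$(stat -c %a "$dir/f")" "$(stat -c %a "$dir/d")"
    rm -rf "$dir"
}

# Walk through the umask values from the notes: prediction next to observation
for m in 0002 077 007 027; do
    printf 'umask %s: predicted file=%s dir=%s, observed %s\n' "$m" \
        "$(umask_predict 666 "$m")" "$(umask_predict 777 "$m")" "$(umask_observe "$m")"
done
```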
POSIX ACCESS CONTROL LISTS (ACLS)
ACL CONCEPTS
VIEW AND INTERPRET ACL PERMS
ls -l
a + mark after the mode means an ACL is set
rwsrw----+
user (owner) permissions
!! the middle triplet is not the group permissions; when an ACL is present it shows the ACL mask
and others have nothing
getfacl filename
to set group perms: setfacl -m g::perms file
VIEW ACLS
getfacl file
Ex: named users: user:james:--- and user:gani:rwx
named user: user:1005:rwx with mask::rw-
!!! the mask does not grant rwx: effective access is the entry ANDed with the mask, so rwx under mask rw- is effectively rw-
SECURING FILES WITH ACLS
CHANGING ACL FILE PERMS
setfacl
rwx, or "-" meaning the permission is absent
X – execute only for dirs
x – files as well
ADDING OR MODIFYING AN ACL
-m (from the command line) or -M (from a file) to modify
USER:
setfacl -m u:gani:rX file
if the name is blank, the owner's perms are set
GROUP:
setfacl -m g:student:rw file
if the name is blank, the owning group's perms are set
OTHER:
setfacl -m o::- file
MULTIPLE:
setfacl -m u::rwx,g:sodor:rX,o::- file
!!! MASK:
setfacl -m m::r file
!!! the mask is recalculated after any change is made;
add the -n option to keep it !!
RECURSIVE ACL:
setfacl -R …
DELETE:
setfacl -x – perms must not be specified
setfacl -x u:name,g:name file
DELETE WHOLE ACL on a file:
setfacl -b file
SET DEFAULT ACLS:
use -d option
or
setfacl -m d:u:name:rx directory
DELETE DEFAULT ACL:
setfacl -x d:u:name dir
CHAPTER 5
SELINUX PERMISSIONS
ENABLING AND MONITORING
SELinux is a set of security rules that determines which process can access which files, dirs or ports.
context: user, role, type and sensitivity
the type part of a context usually ends with _t
many Linux commands take the -Z option to display SELinux contexts
SELINUX modes:
– ENFORCING MODE
– PERMISSIVE MODE
– DISABLED
SELINUX BOOLEANS:
getsebool -a (-a is all)
CHANGING SELINUX MODES
CURRENT MODE:
getenforce – displays status
setenforce 0 – going to permissive
DEFAULT MODE:
/etc/selinux/config
CHANGING SELINUX CONTEXTS
to display:
ls -Zd /var/www/html
ls -Z /var/www/html/index.html
2 commands: chcon and restorecon
chcon sets a context explicitly
restorecon applies the context from the policy's default rules
DEFINING SELINUX DEFAULT FILE CONTEXT RULES
semanage fcontext shows and modifies the rules that restorecon uses to set default file contexts
semanage fcontext -a -t httpd_sys_content_t '/custom(/.*)?'
to restore:
restorecon -Rv /custom
CHANGING SELINUX BOOLEANS
to allow httpd to serve home directories:
getsebool -a | grep home
httpd_enable_homedirs --> off
setsebool -P httpd_enable_homedirs on
TROUBLESHOOTING WITH SEALERT
Apache web server gets access denials.
Troubleshoot with sealert
See /var/log/messages
find selinux alert id
sealert -l 87y485hs8e7t8s7eght7ge54
find the error and the dir
apply httpd_sys_content_t to that file (semanage fcontext + restorecon)
CHAPTER 6
PROCESS MANAGEMENT
PRACTICE: KILLING PROCESSES
kill -SIGSTOP %number – to suspend
kill -SIGCONT %number – to continue
kill -SIGTERM %number
pkill -SIGTERM tail
MONITORING PROCESS ACTIVITY
top, w, uptime ... show logged-in users and the load average
NICE AND RENICE FOR PRIORITIES
nice -n 15 sshd
renice -n 0 PID (renice takes a PID, not a process name)
CHAPTER 7
UPDATING SOFTWARE PACKAGES
YUM manage software
yum list ‘http*’
yum search ‘http*’
yum search all ‘httpd’
yum info ‘httpd’
yum update httpd
yum remove httpd
yum group list
yum group info
YUM enabling repos
yum repolist all
yum-config-manager --enable rhel7-public-beta-debug-rpms
yum-config-manager --disable ...
yum-config-manager --add-repo=http...
CHAPTER 8
CREATING AND MOUNTING FILE SYSTEMS
MANUALLY
blkid – shows UUIDs
mount ... ...
mount UUID=... /mnt/folder
umount …
lsof – shows open files and processes
ADDING PARTITIONS, FILE SYSTEMS, AND PERSISTENT MOUNTS
MBR MANAGING
fdisk /dev/sda
partprobe /dev/sda
GPT MANAGING
gdisk /dev/sdb
partprobe /dev/sdb
CREATING FILESYSTEMS
mkfs -t xfs /dev/sda1
MOUNTING FSs
mount /dev/vdb1 /mnt
/etc/fstab for persistent mounts
UUID=..... / xfs defaults 1 1
!!! mount -a = check (mounts everything listed in fstab)
MANAGING SWAP SPACE
fdisk …
!!! partprobe /dev...
mkswap /dev…
swapon /dev…
swapon -a activates all swap spaces listed in fstab
CHAPTER 9
SERVICE MANAGEMENT AND BOOT TROUBLESHOOTING
AUTOMATICALLY STARTED SERVICES
LISTING COMMANDS
systemctl status name.type
systemctl --type=service
-l option shows full output
systemctl is-active sshd
systemctl is-enabled sshd
systemctl list-units –type=service
systemctl list-unit-files --type=service – lists enabled and disabled
START/STOP ON RUNNING SYSTEM
systemctl stop
systemctl start
systemctl restart
systemctl reload
BOOT STARTUP ENABLE/DISABLE
systemctl disable
systemctl enable
MASKING SERVICES
systemctl mask
systemctl unmask
BOOT PROCESS
RHEL7 BOOT PROCESS
boot
Loader is configured by grub2-install utility.
related files:
/etc/grub.d/
/etc/default/grub
/boot/grub2/grub.cfg (not edited manually)
SELECTING SYSTEM TARGET
systemctl list-dependencies graphical.target | grep target
SET AT RUNTIME:
systemctl isolate multi-user.target
SET DEFAULT TARGET:
systemctl get-default
systemctl set-default
Ex: systemctl set-default graphical.target
SET AT BOOT TIME:
!!! after linux16 add:
!!! systemd.unit=desired.target
REPAIRING COMMON BOOT ISSUES
RECOVERING ROOT PASSWORD
after linux16:
rd.break
TO RECOVER ROOT PASSWORD:
1. Remount /sysroot as RW:
mount -o remount,rw /sysroot
2. Go into a chroot jail where /sysroot is the root dir:
chroot /sysroot
3. passwd root
4. Trigger an SELinux relabel!
touch /.autorelabel
exit
exit
USING JOURNALCTL
To look at the logs of a previous boot (failed boots), make the journal persistent:
mkdir -p -m2775 /var/log/journal
chown :systemd-journal /var/log/journal
killall -USR1 systemd-journald
journalctl -b -1 -p err
DIAGNOSE AND REPAIR SYSTEMD BOOT ISSUES
EARLY DEBUG SHELL
By running
systemctl enable debug-shell.service, a root shell will be spawned
on tty9 (Ctrl+Alt+F9) early during boot
Then disable it!!!
EMERGENCY AND RESCUE TARGETS
By appending
systemd.unit=rescue.target
systemd.unit=emergency.target
It is for fixing fstab or a looping error in services...
STUCK JOBS
systemctl list-jobs
REPAIRING FILE SYSTEM ISSUES AT BOOT
OBJECTIVES
E.g. errors in fstab: by default systemd drops to the emergency shell, requiring the root password
!! on the linux16 line … put "emergency"
verify with “mount -a”
REPAIRING BOOTLOADER ISSUES
grub2
grub2 – main config is /boot/grub2/grub.cfg (not edited manually)
grub2-mkconfig
grub2-mkconfig is used to generate the configuration from:
/etc/default/grub
kernel command line and default menu timeout
/etc/grub.d
scripts that generate the configuration
DO LIKE THIS:
grub2-mkconfig > /boot/grub2/grub.cfg
CHAPTER 10
NETWORK CONFIGURATION
VALIDATING NETWORK CONFIGURATION
DISPLAY IP ADDRESS
ip addr
ip addr show eth0
ip -s link show eth0
-s for statistics
ip route
ss
ss shows socket information
similar to netstat
CONFIGURING NETWORKING WITH NMCLI
NETWORK MANAGER
/etc/sysconfig/network-scripts
nmcli con show
nmcli con show --active
nmcli con show "eth0"
CREATING CONNECTION WITH NMCLI
nmcli con add con-name "System eth0" ifname eth0 autoconnect no type ethernet ip4 <address/prefix> gw4 <gateway>
nmcli con up "System eth0"
nmcli con down "System eth0"
nmcli con mod "System eth0" +ipv4.dns 8.8.8.8
nmcli con mod "System eth0" +ipv4.dns 4.4.4.4
nmcli con mod "System eth0" connection.autoconnect on
! nmcli con reload
! nmcli con up "System eth0"
CHANGING HOSTNAME
hostname
hostnamectl set-hostname gani
hostnamectl status
CONFIGURING NAME RESOLUTION
/etc/hosts
CHAPTER 11
SYSTEM LOGGING AND NTP
SYSTEM LOG ARCHITECTURE
SYSTEM LOGGING
/var/log
systemd-journald and rsyslogd
REVIEWING SYSLOG FILES
SYSLOG FILES
syslog protocol to log events
8 priorities:
emerg
alert
crit
err
warning
notice
info
debug
/etc/rsyslog.d/ holds the conf files
LOG FILE ROTATION
logrotate
logrotate rotates (renames) log files to keep the system from filling up
LOGGER
logger
logger can send messages to rsyslog service
logger -p local7.notice "Log entry created on serverX"
REVIEWING SYSTEMD JOURNAL ENTRIES
FINDING EVENTS WITH JOURNALCTL
journalctl
journalctl -n
journalctl -n 5
journalctl -p err
journalctl -f
journalctl --since "" --until ""
journalctl _SYSTEMD_UNIT=sshd.service _PID=1234
PRESERVING THE SYSTEMD JOURNAL
PERSISTENT SYSTEM JOURNAL STORE
/var/log/journal
DO:
mkdir -p /var/log/journal
chown root:systemd-journal /var/log/journal
! chmod 2755 /var/log/journal
killall -USR1 systemd-journald
journalctl -b -1 … --since "-2 days"
CHAPTER 12
LOGICAL VOLUME MANAGEMENT
ADDING A LOGICAL VOLUME
fdisk /dev/vdb
2 partitions created
partprobe
pvcreate /dev/vdb1 /dev/vdb2
vgcreate shazam /dev/vdb1 /dev/vdb2
lvcreate -n storage -L 400M shazam
mkfs -t xfs /dev/shazam/storage
mkdir /storage
vi /etc/fstab and add: /dev/shazam/storage /storage xfs defaults 0 0
mount -a
fdisk -l /dev/vdb
pvdisplay /dev/vdb2
vgdisplay shazam
lvdisplay /dev/shazam/storage
mount
df -h /storage
EXTENDING LVs
EXTENDING VG
fdisk /dev/vdb
pvcreate /dev/vdb2
vgextend vg-alpha /dev/vdb2
vgdisplay vg-alpha
REDUCING VG
pvmove /dev/vdb2
vgreduce vg-alpha /dev/vdb2
EXTEND A LV AND XFS
EXTENDING A LV
Verify the VG has space available
vgdisplay vg-alpha
lvextend -L +300M /dev/vg-alpha/hercules
xfs_growfs /mnt/hercules
EXTEND A LV AND EXT4
vgdisplay vgname
lvextend -L +1000M /dev/vgname/lvname
resize2fs /dev/vgname/lvname
CHAPTER 13
SCHEDULED PROCESSES
SCHEDULING CRON JOBS
SYSTEM CRON JOBS
/etc/cron.hourly
/etc/cron.d
PRACTICE:
sudo vim /etc/cron.daily/usercount
write a script
! chmod +x /etc/cron.daily/usercount
check if the sysstat package (which installs a cron job) is present
yum -y install sysstat
rpm -qc sysstat
open the sysstat cron file
vim /etc/cron.d/sysstat
monitor the files size and timestamps
watch ls -l /var/log/sa
MANAGING TEMPORARY FILES
MANAGING TEMPORARY FILES WITH SYSTEMD-TMPFILES
When the system starts:
systemd-tmpfiles runs
systemd-tmpfiles --create --remove
reads confs in directories:
/usr/lib/tmpfiles.d/*.conf
/run/tmpfiles.d/*.conf
/etc/tmpfiles.d/*.conf
REGULAR CLEANING
*.timer files with a timer in them
run at a regular interval
systemd-tmpfiles --clean
IMPORTANT
atime – last time was accessed
mtime – last time was modified
ctime – last time the inode was changed (chmod, chown and so on)
CHAPTER 14
MOUNTING NETWORK FILE SYSTEMS
MOUNTING NFS
MANUALLY MOUNTING AND UNMOUNTING NFS SHARES
WAYS:
manual mounting
automounting at boot /etc/fstab
on-demand automounting (autofs)
SECURITY METHODS:
none – all access, no authentication
sys – usual Linux permissions
krb5 – Kerberos authentication plus Linux perms
krb5i – cryptographically strong integrity guarantee
krb5p – encryption
NEED:
nfs-secure service (nfs-utils package)
MOUNTING:
mkdir /mountpoint
mount server0:/ /mountpoint
MANUALLY MOUNTING:
mount -t nfs -o sync server0:/share /mountpoint
/ETC/FSTAB:
server0:/share /mountpoint nfs sync 0 0
AUTOMOUNTING NETWORK STORAGE WITH NFS
MOUNTING NFS SHARES WITH THE AUTOMOUNTER
AUTOMOUNTER BENEFITS
NEED:
autofs service installed
CREATE AN AUTOMOUNT:
create master map file:
vim /etc/auto.master.d/direct.autofs
insert:
/- /etc/auto.direct
vim /etc/auto.direct
insert:
/mnt/public -rw,sync,sec=krb5p server0:/shares/public
INDIRECT map:
create master map file:
vim /etc/auto.master.d/shares.autofs
insert:
/shares /etc/auto.shares
vim /etc/auto.shares
insert:
* -rw,sync,sec=krb5p server0:/shares/&
mkdir /mnt/public
systemctl enable autofs.service
ssh ldapuser0@localhost
password: kerberos
touch files under the mount point to check access
ACCESSING NETWORK STORAGE WITH SMB
MANUALLY MOUNTING AND UNMOUNTING SMB FILE SYSTEMS
CONNECTING TO SMB/CIFS SHARES
NEED:
cifs-utils
samba-client
MOUNT SMB SHARE:
Check available shares:
smbclient -L //serverX
mkdir -p /mountpoint
MANUAL MOUNT:
mount -t cifs -o guest //server0/share /mountpoint
/ETC/FSTAB
//server0/share /mountpoint cifs guest 0 0
AUTHENTICATION TO SMB SHARES:
-o guest
-o username=watson
-o credentials=/secure/sherlock
! sherlock file (root only, chmod 600):
username=username
password=password
domain=domain
MOUNTING SMB FILE SYSTEMS WITH THE AUTOMOUNTER
With fstab the share stays mounted permanently; with autofs it is mounted "on demand"
NEED:
autofs installed
cifs-utils
MAPPING FILE:
File system type must be specified:
-fstype=cifs
vim /etc/auto.master.d/bakerst.autofs
/bakerst /etc/auto.bakerst
vim /etc/auto.bakerst
cases -fstype=cifs,credentials=/secure/sherlock ://server0/cases
systemctl enable autofs
! systemctl start autofs (start after configuring the master file)
CHAPTER 15
FIREWALL CONFIGURATION
LIMITING NETWORK CONFIGURATION
NETFILTER AND FIREWALLD CONCEPTS
NETFILTER SUBSYSTEM
The Netfilter filtering subsystem can be configured through firewalld (iptables is the old way)
FIREWALLD
Daemon. Has zones.
Predefined zones:
TRUSTED
HOME
INTERNAL
WORK
PUBLIC
EXTERNAL
DMZ
BLOCK
DROP
CONFIGURE FIREWALL SETTINGS
Terminal firewall settings:
firewall-cmd --set-default-zone=dmz
firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
firewall-cmd --permanent --zone=internal --add-service=mysql
firewall-cmd --reload
CHAPTER 16
VIRTUALIZATION AND KICKSTART
DEFINING THE ANACONDA KICKSTART SYSTEM
INTRODUCTION TO KICKSTART INSTALLATIONS
Admins can automate the installation of RHEL using a Kickstart file:
partition disks, configure network interfaces, choose packages to install, etc.
KICKSTART CONFIGURATION FILE COMMANDS:
url --url="ftp://installserver.example.com/pub/RHEL7/dvd"
repo --name="Custom Packages" --baseurl="ftp://repo.example.com/custom"
vnc --password=redhat
clearpart --all --drives=sda,sdb --initlabel
part /home --fstype=ext4 --label=homes --size=4096 --maxsize=8192 --grow
ignoredisk --drives=sdc
bootloader --location=mbr --boot-drives=sda
and many others...
INSTALLING A SYSTEM USING KICKSTART
vim /root/anaconda-ks.cfg (or copy it to home if no permission)
url ..
network …

ksvalidator kickstart.cfg
not the end of the file, laziness.......