EXTRAS Flashcards
mount an ISO
mount -o loop media.iso /media
Set same SELinux context for a directory
chcon -R --reference=/var/www/html/ /var/www/html/inst
FTP and HTTP file locations
vsftpd server root is /var/ftp/pub
HTML document root is /var/www/html
example: setting up a vsftpd server and uploading the DVD installation files
#yum install vsftpd
#service vsftpd start
test that you can connect to ftp://127.0.0.1
#chkconfig vsftpd on
#mkdir /var/ftp/pub/inst -> create the directory to copy files into
#mount -r -o loop download.iso /media -> use an ISO, or
#mount /dev/cdrom /media -> mount the DVD
#cp -ar /media/. /var/ftp/pub/inst
#chcon -R -t public_content_t /var/ftp/ -> recursively set the SELinux context
#service vsftpd restart
where the Add/Remove Software tool is located
System -> Administration -> Add/Remove Software
List of packages needed for virtualization
qemu-kvm - the main kvm package
python-virtinst - command line tools and libraries for creating VMs
virt-manager - GUI VM administration tool
virt-top - command for VM statistics
virt-viewer - GUI connection to configure VMs
libvirt - C language toolkit with the libvirtd service
libvirt-client - C language toolkit for VM clients
check if the right KVM modules are loaded
#lsmod | grep kvm
the output should include either kvm_intel or kvm_amd; if the output is different or empty, load the module with:
#modprobe kvm
virt-install
You can also use the virt-install --prompt command to set up virtual machines; just enter the information as asked, such as RAM, CPUs, and so forth
# virt-install --prompt
virt-install to install a VM with a kickstart file
The virt-install command can also be used to install from a kickstart file. Example:
# virt-install -n outsider1.example.org -r 768 --disk \
path=/var/lib/libvirt/images/outsider1.example.org.img \
-l ftp://192.168.122.1/pub/inst \
-x "ks=ftp://192.168.122.1/pub/ks1.cfg"
switches for the virt-install command
-n (--name) sets the name of the VM
-r (--ram) configures the amount of RAM in MB
--disk defines the virtual disk
-l (--location) specifies the directory or URL with the installation files
-x (--extra-args=) includes extra data, such as the URL of a kickstart file
virt-clone --prompt
the virt-clone --prompt command can be used to clone an existing VM. Make sure the system to be cloned is shut down.
Tools of interest for administrative purposes
- telnet and nmap to verify remote access to open ports
- mutt as an email client to verify the functionality of an email server
- elinks as a web browser to make sure web services are accessible
- lftp to access ftp servers with command completion
#telnet localhost 21
#nmap localhost
#mutt -f pop://username@host
you can also use the mail command:
$mail michael
Subject: test
Cc: martha@example.com
$mail -s 'host file' root@localhost < /etc/hosts
$elinks http://127.0.0.1/inst
$lftp ftp.example.org -u frany
lftp standard commands
cd - changes the current working directory at the remote host
ls - list files at the remote host
get - retrieve one file from the remote host
mget - retrieve a group of files from the remote host
put - uploads one file from your computer to remote host
mput - uploads a group of files to remote host
pwd - shows the current working directory on the remote host
quit - ends the FTP session
!ls - list files on your host computer in the current directory
!cd - change the local host directory for upload/download
!pwd - list current working directory on local host computer
alias command examples
some alias command examples:
#alias cp='cp -i'
#alias l.='ls -d .* --color=auto'
#alias ll='ls -l --color=auto'
#alias rm='rm -i'
#alias rm='mv -t ~/.trash'
the locate command database
the locate command database is normally updated only once each day, based on the cron job /etc/cron.daily/mlocate.cron (you might have to run it manually)
Specialized variations on the vi command:
vipw - edit /etc/passwd
vigr - edit /etc/group
visudo - edit /etc/sudoers
vipw -s - edit /etc/shadow
vigr -s - edit /etc/gshadow
arp command
The arp command displays a table of hardware and IP addresses known to the local computer. ARP can help detect problems such as duplicate addresses on the network
displaying the routing table
#netstat -r -> displays the routing table, similar to route
#route -n -> similar to #netstat -rn
get dhcp info
dhclient eth0
two tools that can be used to configure network devices:
system-config-network - GUI
nm-connection-editor - GUI (started from the command line)
System -> Preferences -> Network Connections
check DNS server
if in doubt about whether the DNS server is operational:
#dig @192.168.122.1 mheducation.com
default umask
The default umask is driven by the /etc/bashrc file
remount a file system
mount -o remount /home
common ports
21 - FTP
22 - secure shell (SSH)
23 - telnet
25 - SMTP
53 - DNS
69 - TFTP
80 - HTTP
88 - Kerberos
110 - POP
139 - NetBIOS
143 - IMAP
443 - HTTPS
993 - IMAP over SSL
995 - POP over SSL
2049 - NFSv4
139 & 445, as well as UDP 137 & 138 - Samba
diagnose error when running semanage login -l
#yum whatprovides /usr/sbin/semanage
#yum -y install policycoreutils-python
options for SELinux user roles
- guest_u no GUI, no networking, no access to the su or sudo command
- xguest_u GUI, networking only via the firefox web browser
- user_u GUI and networking available
- staff_u GUI, networking, and the sudo command available
- unconfined_u Full system access
tools to search /var/log/audit
#ausearch -m avc -c sudo
#sealert -a /var/log/audit/audit.log
other facl commands
#getfacl file1 | setfacl --set-file=- file2 -> copy the ACL from file1 to file2
#getfacl --access dir | setfacl -d -M- dir -> copy the access ACL into the default ACL
GRUB common errors
Error 15: file not found - the partition was mounted, but the kernel was not found on that partition. Cause: the root (hdx,y) directive does not point to the partition with the /boot directory
Error 17: cannot mount selected partition - the partition is not formatted to a filesystem with files. Cause: the root (hdx,y) directive points to a partition formatted for something such as Linux swap
Error 22: no such partition - there is no partition specified by the root (hdx,y) directive
list commands at the GRUB command line
To see a list of commands at the GRUB command line, press the Tab key at the grub> prompt.
To find the grub.conf file (and so the /boot directory)
grub> find /grub/grub.conf
Another way to find the /boot directory
grub> root
to confirm the location of grub.conf, run the cat command:
grub> cat (hd0,0)/grub/grub.conf
to see the files installed with a package
rpm -ql upstart
runlevel control commands
halt -> moves to runlevel 0
init -> manages the current runlevel (different from the init daemon)
initctl -> controls the init daemon
poweroff -> moves to runlevel 0
runlevel -> lists the current and previous runlevel
telinit -> manages the current runlevel
parameters in /etc/sysconfig/init
The parameters in /etc/sysconfig/init specify how the system looks and feels during the boot process
virtual consoles
virtual consoles are configured in the file /etc/sysconfig/init and the /etc/init directory.
system-config-services
Can also be used to start/stop services at boot. It's a GUI tool.
ifconfig
Any changes made with the ifconfig command are temporary
examples for the route command
#route add default gw 192.168.122.1 -> adds a default route
#route add default gw 0.0.0.0
#route add -net 192.168.0.0 netmask 255.255.255.0 dev eth1 -> sets up a route to the noted network/subnet mask combination through the second Ethernet device
netstat
netstat can do a lot more, such as identifying open services on the local system:
#netstat -atnp
adding an arp entry
arp -s buggy 00:00:00:cf:a1:33
delete an arp entry
arp -d buggy
/etc/sysconfig/network directives
**NETWORKING -> can be yes or no, to configure or not configure networking
NETWORKING_IPV6 -> can be yes or no, for IPv6
NISDOMAIN -> sets the name of the NIS domain, if connected to a NIS network
**HOSTNAME -> sets the hostname of the local computer (can be set by the DHCP server)
GATEWAY -> sets the IP address of the gateway (can be set by the DHCP server)
GATEWAYDEV -> sets the network device, such as eth0, that this computer uses to reach the gateway. There's no need for this directive if there is only one network card.
using the GUI network manager configuration tool
You may need to first install the associated package:
#yum install NetworkManager-gnome
then you can start the GUI network connections tool:
#nm-connection-editor
Creating a swap partition example using fdisk
#fdisk /dev/sdb
Command (m for help): n
p
Partition number (1-4): 1
First sector (default): ...
Last sector: +200M
Command (m for help): p
Command (m for help): t
Hex code (type L to list codes): 82
Command (m for help): w
when done, follow with:
#mkswap /dev/sdb1
#swapon /dev/sdb1
set a partition to a different type in parted
(parted) set
Partition number? 1
Flag to Invert? lvm
New state? [on]/off on
to see the swap space currently configured
run the command:
#cat /proc/swaps
checking a partition
#umount /var
#fsck -t ext4 /dev/sda7
#mount /dev/sda7 /var
disk utility GUI
One graphical tool that you can use for storage management is the Disk Utility, which is available from the gnome-disk-utility package. To start it from the command line:
#palimpsest
empty partition
In parted, a new empty disk needs a label first. If you get the "unrecognized disk label" error, run the mklabel command before mkpart:
(parted) mklabel msdos
(parted) mkpart
formatting partitions
remember: for the commands below, you need to supply the appropriate partition
#mkfs.cramfs - creates a compressed ROM filesystem
#mkfs.ext2 - formats a volume to the ext2 fs
#mkfs.ext3 - formats a volume to the ext3 fs
#mkfs.ext4 - formats a volume to the ext4 fs
#mkfs.msdos -> or mkfs.vfat, or mkdosfs: Microsoft VFAT, not bootable
#mkfs.xfs - formats a volume to the xfs fs
#mkswap - formats a volume as Linux swap
Physical volume management commands
pvchange - changes attributes of a PV; the pvchange -x n /dev/sda10 command disables the allocation of PEs from the /dev/sda10 partition
pvck - checks the integrity of a physical volume
pvcreate - initializes a disk or partition as a PV; the partition should be flagged with the LVM file type
pvdisplay - displays currently configured PVs
pvmove - moves the extents of a PV from the specified partition to free locations on other PVs in the VG; prerequisite to removing a PV. One example: pvmove /dev/sda10
pvremove - removes a given PV from the list of recognized volumes; for example, pvremove /dev/sda0
pvresize - changes the amount of a partition allocated to a PV. If you've expanded partition /dev/sda10, pvresize /dev/sda10 takes advantage of the additional space. Alternatively, pvresize --setphysicalvolumesize 100M /dev/sda10 reduces the amount of the partition used by the PV to the noted size
pvs - lists configured PVs and the associated VGs, if assigned
pvscan - similar to pvs, with more details
Volume group commands
vgcfgbackup and vgcfgrestore - back up and restore the configuration files associated with LVM; by default they're in the /etc/lvm directory
vgchange - similar to pvchange; allows you to activate or deactivate a VG, for example vgchange -a
vgck - checks the integrity of a volume group
vgconvert - supports conversions from LVM1 to LVM2 metadata; vgconvert -M2 volgroup00 converts volgroup00
vgcreate - creates a VG from one or more configured PVs; for example, vgcreate vgroup00 /dev/sda10 /dev/sda11 creates vgroup00 from the PVs defined on /dev/sda10 and /dev/sda11
vgdisplay - displays characteristics of currently configured VGs
vgexport and vgimport - export and import inactive VGs from those available for LVs; the vgexport -a command exports all inactive VGs
vgextend - if you’ve created a new PV. vgextend vgroup00 /dev/sda11 adds the space from /dev/sda11 to vgroup00
vgmerge - if you have an unused vgroup01, you can merge it into vgroup00 with the following command: vgmerge vgroup00 vgroup01
vgmknodes - run this command if you have a problem with VG device files
vgreduce - the vgreduce vgroup00 /dev/sda11 command removes the /dev/sda11 PV from vgroup00, assuming sufficient free space is available
vgremove - removes a VG
vgrename - renames a VG
vgs - displays basic information on configured VGs
vgscan - scans for and displays basic information on configured VGs
vgsplit - splits a volume group
Logical volume commands
lvchange - similar to pvchange; changes the attributes of an LV. For example, the lvchange -a n vgroup00/lvol00 command deactivates the LV labeled lvol00
lvconvert - if there are sufficient available PVs, the lvconvert -m1 vgroup00/lvol00 command mirrors the LV
lvcreate - creates a new LV in an existing VG. For example, lvcreate -l 200 volume01 -n lvol01 creates lvol01 from 200 extents in the VG named volume01
lvdisplay - displays currently configured LVs
lvextend - adds space to an LV. The lvextend -L 4G /dev/volume01/lvol01 command extends lvol01 to 4 GB, assuming space is available
lvreduce - reduces the size of an LV; if there's data in the reduced area, it is lost
lvremove - removes an LV. The lvremove volume01/lvol01 command removes lvol01 from volume01
lvrename - renames an LV
lvresize - resizes an LV; the size can be given with -L. lvresize -L 4G volume01/lvol01 changes the size of lvol01 to 4 GB
lvs - lists all configured LVs
lvscan - scans for all active LVs
LVM commands installed (many exist, but only four are active)
lvm - brings you to an LVM prompt to run other commands; type help to see a list
lvmconf - can modify the default settings in the related configuration file /etc/lvm/lvm.conf
lvmdiskscan - scans all available drives for LVM-configured partitions
lvmdump - creates a configuration report in the root administrative user's home directory (/root)
To use the GUI logical volume management tool
yum install system-config-lvm
Volume encryption with the Linux Unified Key Setup (LUKS)
LUKS works at the block level
A LUKS-protected volume requires either a passphrase or a keyfile
encrypting a filesystem mounted on a specific directory
You need the dm_crypt module:
#lsmod | grep dm_crypt
if you don't see any output regarding dm_crypt, run:
#modprobe dm_crypt
You'll also need to install the cryptsetup-luks RPM package:
#yum install cryptsetup-luks
Create a LUKS-based filesystem with cryptsetup
#cryptsetup luksFormat /dev/sda1 -> first creates the passphrase
- once the partition is encrypted, it can't be read. Before you can format it, it must be mapped
First you need the UUID of the device. This command shows the UUID of the newly encrypted /dev/sda1 device:
#cryptsetup luksUUID /dev/sda1 -> displays the UUID
#cryptsetup luksOpen /dev/sda1 uuidnumber -> the mapped device should now appear in the /dev/mapper directory
(instead of using the UUID as the mapping name, you can use a word like test, unless required in the exam)
find the UUID associated with a particular encrypted filesystem
#dumpe2fs /dev/mapper/test | grep UUID
You can also use the blkid command to get the UUID
mounting a LUKS-formatted filesystem
If the LUKS-formatted filesystem /dev/mapper/test is to be mounted on the directory named /shared, you could add one of the following lines to /etc/crypttab:
shared /dev/sda1 none
shared UUID=uuidnumber none
You can verify how partitions are actually mounted in /etc/mtab:
#cat /etc/mtab
description of entries in /etc/fstab example
/dev/sda1 (device) /home (mount point) ext4 (fs format) defaults (mount options) 0 0 (dump value followed by fs check order)
dump value
Either 0 or 1. A value of 1 means that data is automatically saved to disk by the dump command when you exit Linux
filesystem check order
Determines the order in which filesystems are checked by the fsck command during the boot process. The root directory (/) should be set to 1, and other local filesystems should be set to 2. Removable filesystems, such as those associated with CD/DVD devices, should be set to 0, which means they are not checked during the Linux boot process
Mount command and /etc/fstab options
async - data is read and written asynchronously
atime - the inode associated with each file is updated each time the file is accessed
auto - searches through /etc/filesystems for the appropriate format for the partition; normally associated with floppy or removable media
defaults - uses default mount options rw,suid,dev,exec,auto,nouser,async
dev - permits access to character devices such as terminals or consoles and block devices such as drives
exec - allows binaries (compiled programs) to be run on the filesystem
noatime - the inode associated with each file is not updated when accessed
noauto - requires explicit mounting; a common option for CD and floppy drives
nodev - device files on this filesystem are not read or interpreted
noexec - binaries cannot be run on this filesystem
nosuid - disallows setuid or setgid permissions on this filesystem
nouser - only the root user is allowed to mount the specified filesystem
remount - remounts a currently mounted filesystem; also an option for the mount command
ro - mounts the filesystem as read-only
rw - mounts the filesystem as read/write
suid - allows setuid or setgid permissions on programs on this filesystem
sync - reads and writes are done at the same speed (synchronously) on this filesystem
user - allows non-root users to mount this filesystem
List of virtual filesystems in /etc/fstab
tmpfs - a virtual memory filesystem that uses both RAM & swap space
devpts - filesystem related to pseudo-terminal devices
sysfs - filesystem provides dynamic info about system devices. Explore the associated /sys directory
proc - provides dynamically configurable options for changing the behavior of the kernel
mount a CD/DVD
mount -t iso9660 /dev/sr0 /mnt
best option to mount NFS
#mount -t nfs server1:/pub /share
or add to /etc/fstab:
server1:/pub /share nfs rsize=8192,wsize=8192,timeo=14,intr,udp 0 0
options for mounting Samba directories
in /etc/fstab:
//server/pub /share cifs rw,username=user,password=passwd 0 0
or
//server/pub /share cifs rw,credentials=/etc/secret 0 0
then the content of /etc/secret:
username=user
password=password
automount
default automounter settings are configured in /etc/sysconfig/autofs
- the automount daemon also known as the automounter or autofs can automatically mount specific directories as needed.
- the relevant configuration files are auto.master, auto.misc, auto.net, and auto.smb, all in the /etc/ directory
- if you use the automounter, keep the /misc and /net directories free. You won't even see the /misc or /net directories unless you properly configure /etc/auto.master and the autofs daemon is running
/etc/auto.master (contains a series of comments with 3 default directives)
/misc /etc/auto.misc -> configuration file for this directory
/net -hosts -> allows you to specify the hosts to automount a network directory, as specified in /etc/auto.net
+auto.master
One example to mount
/shared /etc/auto.home
yum-config-manager
To get the full list of yum configuration directives and their current values, run the following command:
#yum-config-manager
This command requires the installation of the yum-utils package.
additional yum commands
#yum info samba -> similar to #rpm -qi samba (queries information about samba)
#yum erase package -> removes the package
#yum whatprovides */*.repo
#yum grouplist
#yum groupinfo "Remote Desktop Clients"
#yum groupinstall "group package name"
#yum groupinstall "Print Server" -x paps -x gutenprint-cups -> excludes paps and gutenprint-cups from being installed
#yum groupremove "Print Server"
#createrepo -> helps you set up a local repository directory
#yumdownloader cups -> downloads the individual RPM package
#yum-config-manager -> can display all current settings for each repository
local access
local access is regulated by the files in the /etc/security directory
to set a password for a group
gpasswd group
configure a client as an LDAP client
you can edit /etc/openldap/ldap.conf and add:
URI ldap://127.0.0.1
HOST tester.example.com
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
The name service switch file
/etc/nsswitch.conf governs how a computer searches key files such as password databases. It can be configured to look through LDAP and other server databases, for example for /etc/hosts:
hosts: files ldap dns
You can also add settings such as:
passwd: files ldap
shadow: files ldap
group: files ldap
VNC
VNC communication normally proceeds on port 5900, which must be open to enable communication.
The GNOME-based VNC server is known as vino. The TigerVNC server, based on the TightVNC server, also exists
Install VNC
yum install vinagre tigervnc tigervnc-server
once installed, you can start the configuration process in the /etc/sysconfig/vncservers file
- sample configuration directives:
VNCSERVERS="2:myusername"
VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"
$vncserver :2 -geometry 640x400
stop the VNC server
/etc/init.d/vncserver stop
VNC with GNOME
you can use the vncviewer command to connect to a VNC server:
#vncviewer 192.168.122.1:2
To use the GNOME-based vino server, after it's installed:
#vino-preferences
password protect GRUB
First create an MD5 password hash:
#grub-md5-crypt
Password:
Then edit /boot/grub/grub.conf and, under the timeout line in the main section, enter:
password --md5 <hash>
Set up an NFS server and NFS share
#yum install nfs-utils nfs-utils-lib
#chkconfig nfs on
#service rpcbind start
#service nfs start
#mkdir /shareFiles
#vi /etc/exports -> enter:
/shareFiles tester1(rw,sync,no_root_squash,no_subtree_check)
#exportfs -a
Installing a Samba Server
yum install samba
add a user:
#useradd visitor -s /sbin/nologin
set the SMB password:
#smbpasswd -a visitor
make the directory to be shared:
#mkdir /smbshare
change ownership of the directory:
#chown -R visitor:root /smbshare
add this entry into /etc/samba/smb.conf:
[smbshare]
comment = Share
path = /smbshare
writable = yes
valid users = visitor
start the smb service:
#service smb start
add it at startup:
#chkconfig --level 235 smb on
test the configuration:
#testparm
set up FTP to only allow specific IPs
#yum install -y vsftp*
#vi /etc/vsftpd/vsftpd.conf -> verify that this is present, or add it:
tcp_wrappers=YES
In /etc/hosts.deny, deny everyone for vsftpd:
vsftpd: ALL
Then, in /etc/hosts.allow, add the authorized IPs:
vsftpd: 192.168.0.39 192.168.0.50
finally restart the service:
#service vsftpd restart