System Configuration and Management Flashcards
Route IP traffic and create static routes Option 2
Configure a default route
A default route is normally assigned automatically along with a dynamic (DHCP) IP address. Display the current routing table with either of:
# route -n
# netstat -rn
To add a default route temporarily (it is lost at reboot):
# route add default gw 192.168.122.1
If the local system has more than one network device, name the one to use:
# route add default gw 192.168.122.1 dev eth1
Configure a special (static) route
Using the Network Connections tool. To start it:
# nm-connection-editor
Select an existing wired or wireless network device and click Edit.
Under either the IPv4 or IPv6 tab, click the Routes button to add special routes.
The Network Connections tool does not work unless the NetworkManager service (started from the /etc/init.d directory) is active.
Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)
To implement NAT on a server with two network cards (eth0: 192.168.1.1/24, connected to the Internet, and eth1: 192.168.2.1/24, connected to the internal network), several steps are required.
Edit the /etc/sysctl.conf file and set the net.ipv4.ip_forward option to 1:
net.ipv4.ip_forward = 1
Load the new setting into the running kernel:
# sysctl -p
Add a new rule to the firewall (masquerade packets from the internal network that leave through eth0):
# iptables -t nat -I POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE
Save the firewall configuration so it survives a reboot:
# service iptables save
Note: these steps use the iptables service. On a RHEL 7 system running firewalld the forwarding setting is still required, but the masquerade rule is added through a firewalld zone or rich rule instead of iptables, and "service iptables save" does not apply.
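The same NAT setup done the firewalld way, as an added example that is not part of the original notes: eth0 is bound to the public zone and a rich rule masquerades only traffic coming from the internal subnet (the counterpart of "-o eth0 -s 192.168.2.0/24 -j MASQUERADE"); eth1 goes into the internal zone, and forwarding is persisted with a drop-in under /etc/sysctl.d. The DRY_RUN and SYSCTL_D variables are conventions assumed here for review and testing, not firewalld features.

```shell
#!/bin/sh
# Added example, not from the original notes: NAT with firewalld on RHEL 7.
# DRY_RUN=1 prints each command instead of running it (assumed convention);
# SYSCTL_D overrides where the forwarding drop-in is written (assumed).
SYSCTL_D="${SYSCTL_D:-/etc/sysctl.d}"

# run CMD ARGS... : execute, or just print the command line when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Persist net.ipv4.ip_forward=1; /etc/sysctl.d/*.conf is read by "sysctl --system" at boot
write_forwarding_dropin() {
    printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_D/90-nat.conf"
}

# nat_setup EXT_IFACE INT_IFACE INT_SUBNET
nat_setup() {
    ext="$1"; int="$2"; subnet="$3"
    case "$subnet" in
        */*) ;;
        *) echo "nat_setup: subnet must be in CIDR form, got '$subnet'" >&2; return 2 ;;
    esac

    # Forwarding now, and at boot
    run sysctl -w net.ipv4.ip_forward=1
    run write_forwarding_dropin

    # Bind interfaces to zones (permanent), then masquerade only the internal subnet
    run firewall-cmd --permanent --zone=public --change-interface="$ext"
    run firewall-cmd --permanent --zone=internal --change-interface="$int"
    run firewall-cmd --permanent --zone=public \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$subnet\" masquerade"

    # Activate the permanent configuration and show the resulting zone
    run firewall-cmd --reload
    run firewall-cmd --zone=public --list-all
}

# Usage: nat_setup eth0 eth1 192.168.2.0/24   (DRY_RUN=1 to preview)
if [ "$#" -eq 3 ]; then
    nat_setup "$@"
fi
```

Preview with DRY_RUN=1 before running as root; the rich rule restricts masquerading to the internal subnet instead of enabling it for everything that leaves eth0, which is what the built-in external zone would do.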
Use /proc/sys and sysctl to modify and set kernel runtime parameters
Edit the /etc/sysctl.conf file and add the following lines (the documented comment form is a line beginning with # or ;, so keep comments on their own lines rather than after a value):
# allow IPv4 forwarding
net.ipv4.ip_forward = 1
# don't respond to a ping
net.ipv4.icmp_echo_ignore_all = 1
# don't respond to a ping to the broadcast address
net.ipv4.icmp_echo_ignore_broadcasts = 1
Put the changes into practice (the file is also applied at boot):
# sysctl -p
Check the changes by reading the live values under /proc/sys:
# cat /proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/ipv4/icmp_echo_ignore_all
# cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Each should print 1. Note that icmp_echo_ignore_all also blocks legitimate monitoring that relies on ping; enable it only where that is acceptable.
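Checking three files by hand does not scale, so here is an added example (not from the original notes) that audits every key in a sysctl.conf-style file against the live values under /proc/sys and reports mismatches, including the case of a comment written after the value. PROC_SYS is an assumed override so the check can be pointed at a test tree.

```shell
#!/bin/sh
# Added example, not from the original notes: compare a sysctl.conf-style
# file with what the running kernel shows under /proc/sys.
# PROC_SYS is an assumed override so the check can run against a test tree.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# sysctl_path net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
sysctl_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s\n' "$1" | tr . /)"
}

# trim "  x  " -> "x"
trim() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# sysctl_audit FILE
# Parses "key = value" lines (lines starting with # or ; are comments) and
# compares each value with the live kernel value.  Prints one line per
# mismatch as "key running=<live> wanted=<file>" and returns 1 if any key
# differs or does not exist, 0 if everything matches.  Text after the value
# on the same line is deliberately kept as part of "wanted", so a trailing
# comment shows up as a mismatch instead of being silently ignored.
sysctl_audit() {
    rc=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(trim "$raw")
        case "$line" in ''|'#'*|';'*) continue ;; esac
        case "$line" in
            *=*) ;;
            *) echo "sysctl_audit: cannot parse: $line" >&2; rc=1; continue ;;
        esac
        key=$(trim "${line%%=*}")
        want=$(trim "${line#*=}")
        path=$(sysctl_path "$key")
        if [ ! -r "$path" ]; then
            echo "$key running=<missing> wanted=$want"
            rc=1
            continue
        fi
        have=$(tr -s '\t' ' ' < "$path")   # multi-value keys are tab separated
        if [ "$have" != "$want" ]; then
            echo "$key running=$have wanted=$want"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Usage: sysctl_audit /etc/sysctl.conf && echo "all keys match"
if [ "$#" -eq 1 ]; then
    sysctl_audit "$1"
fi
```

Run it after "sysctl -p" and again after a reboot: a key that is right now but wrong after reboot means some other file or service overrides it later in the boot sequence.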
Configure a system as an iSCSI initiator that persistently mounts an iSCSI target
In order to test an iSCSI initiator, you will need an iSCSI target to connect to.
Install the following package: # yum install -y iscsi-initiator-utils
Discover the available iSCSI targets on your already installed target server (here named targetserver): # iscsiadm -m discoverydb -t st -p targetserver -D
Start the iSCSI service (it logs in to the discovered targets): # service iscsi start
Make it start at boot: # chkconfig iscsi on
Retrieve the new iSCSI disk name (here /dev/sda):
# grep "Attached SCSI" /var/log/messages
Nov 22 10:28:38 testvm kernel: sd 2:0:0:1: [sda] Attached SCSI disk
Create a file system on this disk:
# mkfs.ext4 /dev/sda
Note: if you are working remotely, set up console access first; a wrong /etc/fstab entry, or a target that is unreachable at boot, can leave the system stuck in the boot sequence.
Retrieve the UUID of this disk: # blkid | grep "/dev/sda"
Add the disk UUID to the /etc/fstab file: # echo "UUID=..." >> /etc/fstab
Edit the /etc/fstab file and complete the line with the mount point, file system type and mount options (_netdev, so the mount is deferred until the network and the iscsi service are up):
UUID=… /mnt ext4 _netdev 0 0
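Building the fstab line from the blkid output, and checking that an entry actually carries _netdev, as an added example that is not part of the original notes. The blkid line and the UUID in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: turn a blkid(8) line for the
# iSCSI disk into an /etc/fstab entry that always carries _netdev, and check
# an existing fstab for a UUID whose entry lacks it.

# blkid_field 'LINE' NAME -> value of NAME="..." in the line, or nothing
# (the leading space keeps UUID= from matching inside PARTUUID=)
blkid_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# iscsi_fstab_entry 'BLKID_LINE' MOUNTPOINT [EXTRA_OPTIONS]
# -> UUID=<uuid> <mountpoint> <fstype> _netdev[,EXTRA_OPTIONS] 0 0
iscsi_fstab_entry() {
    uuid=$(blkid_field "$1" UUID)
    fstype=$(blkid_field "$1" TYPE)
    if [ -z "$uuid" ] || [ -z "$fstype" ]; then
        echo "iscsi_fstab_entry: no UUID/TYPE in: $1" >&2
        return 1
    fi
    # fs_passno 0: do not fsck a network disk during the boot sequence
    printf 'UUID=%s %s %s _netdev%s 0 0\n' "$uuid" "$2" "$fstype" "${3:+,$3}"
}

# fstab_has_netdev FSTAB UUID -> 0 if the entry for UUID exists and lists _netdev
fstab_has_netdev() {
    awk -v want="UUID=$2" '
        $1 == want { found = 1; if ($4 ~ /(^|,)_netdev(,|$)/) ok = 1 }
        END { exit !(found && ok) }
    ' "$1"
}

# Usage with a constructed blkid line (made-up UUID):
# iscsi_fstab_entry '/dev/sda: UUID="1d2e3f40-aaaa-bbbb-cccc-111122223333" TYPE="ext4"' /mnt
# -> UUID=1d2e3f40-aaaa-bbbb-cccc-111122223333 /mnt ext4 _netdev 0 0
```

Feed it the real blkid line with blkid /dev/sda and append the result to /etc/fstab; fstab_has_netdev is the check to run on an existing file before the next reboot.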
Produce and deliver reports on system utilization (processor, memory, disk, and network)
sar appears to be the tool to save the day here. Usually installed and running by default, the sysstat package contains tools that capture system performance throughout the day and automatically summarize it for you. Generating utilization reports is then a simple matter of knowing the right sar command to execute. If all else fails, simply try man sar.
Processor
Basic processor report: sar or sar -u
Basic report every second for the next 10 seconds: sar 1 10
Load average: sar -q
Per-processor statistics: sar -P ALL
Power management (not enabled by default): sar -m
Memory
Kernel paging: sar -B
Unused memory: sar -r
Swap space: sar -S
Disk
Disk I/O stats (average): sar -b
Disk I/O stats per device: sar -d (-p to use pretty names)
Network
Network statistics: sar -n DEV
Network errors: sar -n EDEV
Everything
All reports simultaneously: sar -A
OR
Install the sysstat package if it is not already installed:
# yum install -y sysstat
Activate the sysstat service at boot:
# chkconfig sysstat on
Produce a report for a given day (here the 11th, from the daily file /var/log/sa/sa11; -u for CPU usage, -r for memory usage, -dp for disk activity, -n DEV for network activity; the leading -d makes sadf print semicolon-separated records that can be imported into a spreadsheet or database):
# sadf -d /var/log/sa/sa11 -- -u -r -dp -n DEV
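Once the data is in the semicolon-separated form that sadf -d produces, a report can be computed from it rather than read by eye. The following is an added example (not from the original notes) that lists the intervals in a "sadf -d ... -- -u" export where %idle dropped below a threshold; the sample export is constructed and the column position of %idle is read from the header line instead of being hard-coded.

```shell
#!/bin/sh
# Added example, not from the original notes: find busy CPU intervals in a
# "sadf -d ... -- -u" export.  sadf -d writes a header line such as
# "# hostname;interval;timestamp;CPU;%user;...;%idle" followed by one
# semicolon-separated record per interval.  Sample data below is constructed.

# cpu_busy_intervals FILE MAX_IDLE -> "timestamp idle" for every record with %idle < MAX_IDLE
cpu_busy_intervals() {
    awk -F';' -v max_idle="$2" '
        /^#/ { col = 0; for (i = 1; i <= NF; i++) if ($i == "%idle") col = i; next }
        col && ($col + 0) < (max_idle + 0) { print $3, $col }
    ' "$1"
}

# sadf_sample FILE: write a constructed sadf -d export (all-CPU rows) to FILE
sadf_sample() {
    cat > "$1" <<'EOF'
# hostname;interval;timestamp;CPU;%user;%nice;%system;%iowait;%steal;%idle
testvm;600;2019-11-11 00:10:01 UTC;-1;2.03;0.00;1.10;0.05;0.00;96.82
testvm;600;2019-11-11 00:20:01 UTC;-1;45.11;0.00;12.30;0.40;0.00;42.19
testvm;600;2019-11-11 00:30:01 UTC;-1;88.70;0.00;9.12;0.18;0.00;2.00
EOF
}

# Usage on real data: sadf -d /var/log/sa/sa11 -- -u > cpu.csv; cpu_busy_intervals cpu.csv 20
if [ "$#" -eq 2 ]; then
    cpu_busy_intervals "$1" "$2"
fi
```

The same pattern works for the memory (-r) and network (-n DEV) exports: change the column name looked up in the header.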
Use shell scripting to automate system maintenance tasks
A good place to find help is the man bash page.
Doing something to each file in a directory (a glob handles names containing spaces, which parsing the output of ls does not):
for i in *; do echo "$i"; done
Doing something for each line in a file:
while IFS= read -r i; do echo "$i"; done < file
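A complete maintenance script built from those two idioms, as an added example that is not part of the original notes: it expires old compressed archives and then compresses logs that have not been written to for a while, taking file names from find through "while IFS= read -r" so that names with spaces survive. Paths in the cron comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: log housekeeping of the kind
# run from cron.  Removes *.gz archives older than DELETE_DAYS, then
# compresses *.log files older than COMPRESS_DAYS, under DIR.

# rotate_logs DIR [COMPRESS_DAYS] [DELETE_DAYS] -> prints "compressed=N removed=M"
rotate_logs() {
    dir="$1"; compress_days="${2:-7}"; delete_days="${3:-90}"
    compressed=0; removed=0
    list=$(mktemp) || return 1

    # Pass 1: expire old archives.  This runs first on purpose: gzip gives the
    # .gz it creates the mtime of the original file, so an archive made in
    # pass 2 from a very old log would otherwise be deleted in the same run.
    find "$dir" -type f -name '*.gz' -mtime +"$delete_days" > "$list"
    while IFS= read -r f; do
        rm -f -- "$f" && removed=$((removed + 1))
    done < "$list"

    # Pass 2: compress logs not modified for more than compress_days days
    find "$dir" -type f -name '*.log' -mtime +"$compress_days" > "$list"
    while IFS= read -r f; do
        gzip -f -- "$f" && compressed=$((compressed + 1))
    done < "$list"

    rm -f -- "$list"
    echo "compressed=$compressed removed=$removed"
}

# Typical cron line (assumed path): 0 3 * * * /usr/local/sbin/rotate_logs.sh /var/log/myapp 7 90
if [ "$#" -ge 1 ]; then
    rotate_logs "$@"
fi
```

Because gzip preserves the original mtime, an archive of a log that was already older than DELETE_DAYS is removed on the following run, which is the intended retention behaviour: retention is counted from the last write to the log, not from the compression time.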
SYS: Configure a system to log to a remote system
Edit the /etc/rsyslog.conf file and uncomment the following lines at the end of the file, where remote-host is the name of the syslog server (@@ forwards over TCP, a single @ would use UDP; the queue directives buffer messages on disk while the server is unreachable):
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@remote-host:514
Note that plain TCP syslog is neither encrypted nor authenticated: anyone on the path can read or inject log lines. Restrict port 514 on the server to known clients, or use rsyslog's TLS support.
Restart the syslog service: # service rsyslog restart
After setting up the syslog server, test the configuration: # logger -p local0.notice -t TEST "Test"
On the syslog server, check for the TEST string in the /var/log/messages file: # grep "TEST" /var/log/messages
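To see at a glance where a host ships its logs and whether any rule still uses UDP, here is an added example (not from the original notes) that parses the classic "@host" and "@@host" forwarding actions out of an rsyslog.conf. The configuration in the usage note is constructed; IPv6 literals in brackets are not handled.

```shell
#!/bin/sh
# Added example, not from the original notes: list rsyslog forwarding
# targets and their transport.  In the classic syntax "@host" is UDP and
# "@@host" is TCP; ":port" defaults to 514.  Assumes hostname or IPv4
# targets (a bracketed IPv6 literal would need extra parsing).
# Prints one "SELECTOR PROTO HOST PORT" line per forwarding rule.
rsyslog_forward_targets() {
    awk '
        /^[[:space:]]*#/ { next }          # comment line
        NF < 2 { next }                    # blank or incomplete line
        $2 ~ /^@/ {
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2
            sub(/^@@?/, "", target)
            sub(/^\([^)]*\)/, "", target)  # drop "(o)"-style action options
            n = split(target, part, ":")
            port = (n > 1) ? part[2] : 514
            print $1, proto, part[1], port
        }
    ' "$1"
}

# rsyslog_udp_forwarders FILE -> prints the UDP rules; returns 0 if any exist, 1 if none
rsyslog_udp_forwarders() {
    rsyslog_forward_targets "$1" | awk '$2 == "udp" { print; found = 1 } END { exit !found }'
}

# Usage: rsyslog_forward_targets /etc/rsyslog.conf
#        rsyslog_udp_forwarders /etc/rsyslog.conf && echo "UDP forwarding still in use"
if [ "$#" -eq 1 ]; then
    rsyslog_forward_targets "$1"
fi
```

UDP delivery drops messages silently under load and is trivially spoofed, so a non-empty result from rsyslog_udp_forwarders is worth a ticket; TCP at least gives delivery feedback, and only TLS gives confidentiality.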
SYS: Configure a system to accept logging from a remote system
Edit the /etc/rsyslog.conf file and uncomment the following lines to allow TCP syslog reception (imtcp loads the TCP input module; InputTCPServerRun starts a listener on port 514):
$ModLoad imtcp
$InputTCPServerRun 514
Restart the syslog service: # service rsyslog restart
Add a new rule to the firewall (if the server is reachable from outside the trusted network, add -s followed by the client network instead of accepting from everywhere): # iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
Save the firewall configuration: # service iptables save
Route IP traffic and create static routes
Display the current routing table: # netstat -nr
There are two main ways of setting a persistent route in the interface route file, assuming you want the routes set for eth0:
- echo "10.10.11.0/24 via 10.168.20.227 dev eth0" >> /etc/sysconfig/network-scripts/route-eth0
- echo "10.10.11.0/24 dev eth0" >> /etc/sysconfig/network-scripts/route-eth0
You can activate the routes with the following command:
/etc/sysconfig/network-scripts/ifup-routes eth0
The first way will provide a route to the 10.10.11.0 network and set 10.168.20.227 as the gateway for that route; in other words, it expects 10.168.20.227 to be able to route those packets to the 10.10.11.0 network (or at least to forward them to a server/router that can). You can check the routing table in a myriad of ways, for instance with netstat -rn (only showing the relevant line):
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.10.11.0      10.168.20.227   255.255.255.0   UG        0 0          0 eth0
The second way will provide a similar route to 10.10.11.0, but will not set a gateway for that route, so instead of sending the packets to a gateway it will simply send them directly on the 10.10.11.0 network (which must therefore be reachable on the link attached to eth0):
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.11.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
For completeness, the commands needed to achieve the same as above without touching the route file are the following:
route add -net 10.10.11.0 netmask 255.255.255.0 gw 10.168.20.227 eth0
route add -net 10.10.11.0 netmask 255.255.255.0 eth0
Note that a reboot will clear these from the routing table, so you should use them only for testing before writing them to the interface route file.
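Appending to route-eth0 by hand is easy to get wrong (a typo in the prefix or gateway, or the same line added twice). The following is an added example, not part of the original notes, that validates the destination and gateway and refuses duplicates before writing the line in the "dest via gateway dev iface" form shown above. SCRIPTS_DIR is an assumed override so the script can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original notes: manage persistent static routes
# in /etc/sysconfig/network-scripts/route-<iface> (ip-style line syntax).
# SCRIPTS_DIR is an assumed override for dry runs and tests.
SCRIPTS_DIR="${SCRIPTS_DIR:-/etc/sysconfig/network-scripts}"

# is_ipv4 192.0.2.1 -> 0 if the argument is exactly four octets in 0-255
is_ipv4() {
    printf '%s\n' "$1" | (
        IFS=. read -r a b c d extra
        [ -z "$extra" ] || exit 1
        for octet in "$a" "$b" "$c" "$d"; do
            case "$octet" in ''|*[!0-9]*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
        exit 0
    )
}

# is_cidr 10.10.11.0/24 -> 0 if the argument is an IPv4 address with a /0-32 prefix
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

# add_route IFACE DEST/PREFIX [GATEWAY]
# Appends "DEST/PREFIX via GATEWAY dev IFACE" (or "DEST/PREFIX dev IFACE" for a
# directly connected network) to route-IFACE and prints the line written.
# Returns 2 on a malformed address, 1 if the identical line is already present.
add_route() {
    iface="$1"; dest="$2"; gw="${3:-}"
    file="$SCRIPTS_DIR/route-$iface"
    is_cidr "$dest" || { echo "add_route: bad destination '$dest'" >&2; return 2; }
    if [ -n "$gw" ]; then
        is_ipv4 "$gw" || { echo "add_route: bad gateway '$gw'" >&2; return 2; }
        line="$dest via $gw dev $iface"
    else
        line="$dest dev $iface"
    fi
    if [ -f "$file" ] && grep -qxF "$line" "$file"; then
        echo "add_route: '$line' already present in $file" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    printf '%s\n' "$line"
}

# Usage: add_route eth0 10.10.11.0/24 10.168.20.227 && /etc/sysconfig/network-scripts/ifup-routes eth0
if [ "$#" -ge 2 ]; then
    add_route "$@"
fi
```

After a successful add_route, run ifup-routes for the interface (as in the notes above) and confirm the new line with route -n; the duplicate check keeps repeated runs of a provisioning script from stacking identical entries in the file.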
Setup a Kerberos Client
# yum install -y krb5-workstation pam_krb5
Back up the /etc/sssd directory as well as the /etc/nsswitch.conf file before changing the authentication configuration, so it can be restored if logins break.
Use the graphical authentication configuration tool to enable Kerberos. One way to open the GUI version:
# authconfig-gtk
You can also use the console authentication configuration tool: # authconfig-tui