Saturday, 26 July 2014


RHCSA7 Exam Notes #3: Configure local storage


List, create, delete partitions on MBR and GPT disks

MBR: older method used with BIOS computers; disks < 2.2TB, 4 primary partitions max, < 12 logical partitions per drive recommended

GPT: part of the UEFI standard; disks < 2 zettabytes, 128 primary partitions

/dev/xxyN        (/dev = device file directory, xx = type of device, usually sd, y = which device, N = partition number – the first 4 are for primary/extended partitions, logical partitions start at 5 and go upwards)

Disk Partitions are mounted to a Directory to make them usable – i.e. if /dev/sda5 is mounted on /usr/ all files written under /usr/ would reside on /dev/sda5

Read: Linux 7 Installation Guide – section – “An Introduction to Disk Partitions” for an excellent primer in Linux Disk Partitions


Run command “parted /dev/sd[a-z]” with root privileges to target a particular disk with the following commands:
print                                        (lists partitions - number=partition number, i.e. 1 is /dev/sda1)
mklabel msdos                        (needed on all new disks)
mkpart primary ext3 1 2001  (creates a primary partition from 1MB to 2001MB, typed as ext3; the file system itself is created with mkfs below)
You can also just use the mklabel and mkpart commands on their own and step through the prompts. Next: Exit parted with q
partprobe /dev/sdc                 (force the kernel to re-read the updated partition table)
parted /dev/sdc print                          (check partitions)
/usr/sbin/mkfs -t ext3 /dev/sdc1       (create the file system)

Now give the partition a label to help identify the associated mount point to create later:
e2label /dev/sdc1 /work        
mkdir /work                                        (creates /work directory)
partprobe /dev/sdc                             (force kernel to re-read updated partition table)
mount /dev/sdc1 /work

Now to make the mount permanent:
blkid -o list      (gives list of UUIDs – use the terminal copy and paste commands here)
vi /etc/fstab    (edit to add new partition mount, use boot one as template but change xfs to ext3 as highlighted below!!)
UUID=XXXX /work ext3 defaults 1 2
“mount -a” to test and “mount | grep /work” to check

To remove it, unmount the partition, run “parted /dev/sdc” and list partitions with print
rm 1    (deletes partition 1)
Quit with q and edit /etc/fstab to remove the line added earlier. Reboot
Now if you run “cat /proc/partitions” you should no longer see sdc1
 
Create and remove physical volumes, assign physical volumes to volume groups, and create and delete logical Volumes

system-config-lvm was dropped with GNOME3 in RHEL7 so good luck finding that! All work has to be command line with LVM as a result.
 
 
Add a new disk to your test system. Reboot and check using “fdisk -l” what the name is, in my case it appeared as /dev/sdb
pvcreate /dev/sdb       (initialises the whole disk sdb as an LVM physical volume)
pvdisplay /dev/sdb      (Displays details of the physical volumes)
vgcreate -s 8 vg01 /dev/sdb   (creates vg01 volume group with 8MB PE size, can add other partitions also by appending /dev/sdc1 /dev/sdf etc to command)
vgdisplay -v vg01                    (displays details of vg01)
lvcreate -L 3000 -n dbvol vg01           (creates 3GB logical volume dbvol in volume group vg01)
lvcreate -L 1500 -n myball vg01         (creates second logical volume)
lvdisplay -v vg01         (Displays details of vg01 volume group)

To Extend Space:
pvcreate /dev/sdc
vgextend vg01 /dev/sdc          (adds sdc to vg01 volume group)
lvextend -L +2GB /dev/vg01/dbvol     (extends dbvol by 2GB, or set absolute size with 5GB)
lvresize -L 2.5GB /dev/vg01/myball   (resizes myball to 2.5GB, or use + to add space, can also reduce space by lowering figure or using -1GB for instance)
Remove Volumes:
lvremove /dev/vg01/myball   (Do this for dbvol also then proceed to the next step)
vgreduce vg01 /dev/sdc /dev/sdb      (removes sdb/sdc from vg01)
vgremove vg01                                   (removes vg01)
pvremove /dev/sdb /dev/sdc              (removes sdb/sdc partitions)

Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot

rpm -qa | grep cryptsetup      (confirms encryption packages are installed, should be by default)
I recreated the logical volumes used in the last section to test against:
cryptsetup -v -y luksFormat /dev/vg01/dbvol (ensure the F in luksFormat is uppercase!)
cryptsetup -v luksOpen /dev/vg01/dbvol dbvol_luks (ensure the O in luksOpen is uppercase! Assigns name to volume to create a device file in /dev/mapper directory)
ls -l /dev/mapper | grep dbvol_luks   (checks device is present in mapper file)
mkfs -t ext4 /dev/mapper/dbvol_luks            (construct ext4 file system in the logical volume)
mkdir /dbvol_luks       (create mount point)
mount /dev/mapper/dbvol_luks /dbvol_luks (mount file system, check with “df”)
edit /etc/crypttab file and add the following line:
dbvol_luks /dev/vg01/dbvol none          (mapper name, then the underlying LV; this will prompt for password on startup)

edit /etc/fstab and add the following line:
/dev/mapper/dbvol_luks /dbvol_luks ext4 defaults 1 2
Reboot, supply password on startup and check mount status:
mount | grep dbvol_luks

NOTE: when rebooting it hangs, tried volume group and partition but it’s not working out for me. Will troubleshoot and update when I have a stable config. (took out fstab from partition method and got prompted at gui!?!)

Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label

blkid -o list      (make sure you run this command as root, gives device UUIDs)
e2label /dev/sdb myball2       (labels partition myball2)
Use either of the two methods in /etc/fstab to mount file systems on bootup:
UUID=xxxx /home ext4 defaults 1 2
LABEL=myball2 /hiccup ext4 defaults 1 2
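Before running “mount -a” or rebooting on the fstab and crypttab entries from the sections above, it is worth a quick sanity pass over both files: a placeholder UUID left in, a swap line with a non-zero fs_passno, a crypttab source device that does not exist, or an fstab line that mounts the raw LV instead of /dev/mapper/NAME are all things that only show up as a hung boot. The script below is an added example (not part of these notes); the file names, the device list and the sample entries are constructed, and on a live system the device list would come from “lsblk -pno NAME”.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check /etc/fstab and
# /etc/crypttab before "mount -a" or a reboot, so a typo in either file is
# caught here rather than as a hung boot. File names, the device list and the
# sample entries below are constructed for the demonstration.

# check_fstab FSTAB: print one line per problem, return the problem count (0 = clean).
check_fstab() {
    fstab=$1 problems=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        [ $# -eq 0 ] && continue
        if [ $# -lt 4 ] || [ $# -gt 6 ]; then
            echo "fstab: expected 4-6 fields, got $#: $line"
            problems=$((problems + 1)); continue
        fi
        spec=$1 mnt=$2 fstype=$3 pass=${6:-0}
        case "$spec" in
            UUID=*)   # a hand-pasted blkid value often leaves the XXXX placeholder behind
                case "${spec#UUID=}" in *[!0-9a-fA-F-]*)
                    echo "fstab: '$spec' is not a UUID (placeholder left in?)"
                    problems=$((problems + 1)) ;;
                esac ;;
            LABEL=*|/dev/*|//*|*:*) ;;   # label, device path, CIFS share, NFS export
            *) echo "fstab: unrecognised device spec '$spec'"; problems=$((problems + 1)) ;;
        esac
        if [ "$fstype" = swap ] && [ "$pass" != 0 ]; then
            echo "fstab: swap entry must use fs_passno 0: $line"; problems=$((problems + 1))
        elif [ "$fstype" != swap ] && [ "${mnt#/}" = "$mnt" ]; then
            echo "fstab: mount point must be an absolute path: $mnt"; problems=$((problems + 1))
        fi
    done < "$fstab"
    return "$problems"
}

# check_crypttab CRYPTTAB FSTAB DEVLIST: DEVLIST holds one existing block
# device path per line (on a live system: lsblk -pno NAME > devlist).
check_crypttab() {
    crypttab=$1 fstab=$2 devlist=$3 problems=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        [ $# -eq 0 ] && continue
        name=$1 dev=$2
        if [ -z "$dev" ]; then
            echo "crypttab: missing source device for '$name'"; problems=$((problems + 1)); continue
        fi
        # The source must be the raw LV or partition; /dev/mapper/NAME only exists after luksOpen.
        if [ "$dev" = "/dev/mapper/$name" ]; then
            echo "crypttab: '$name' refers to its own mapper device"; problems=$((problems + 1))
        elif ! grep -qxF -- "$dev" "$devlist"; then
            echo "crypttab: source device $dev does not exist"; problems=$((problems + 1))
        fi
        # fstab must mount the decrypted device /dev/mapper/NAME, not the raw one.
        if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "crypttab: nothing in fstab mounts /dev/mapper/$name"; problems=$((problems + 1))
        fi
    done < "$crypttab"
    return "$problems"
}

# write_samples DIR: constructed sample files. The crypttab line reproduces a
# common slip: naming the not-yet-existing mapper device as the source.
write_samples() {
    cat > "$1/fstab" <<'EOF'
UUID=XXXX /work ext3 defaults 1 2
/dev/mapper/dbvol_luks /dbvol_luks ext4 defaults 1 2
/dev/vg01/myball swap swap defaults 0 1
LABEL=myball2 /hiccup ext4 defaults 1 2
EOF
    cat > "$1/crypttab" <<'EOF'
dbvol_luks /dev/vg01/dbvol_luks none
home_luks /dev/sdb1 none
EOF
    printf '%s\n' /dev/sda /dev/sda1 /dev/sdb /dev/sdb1 /dev/vg01/dbvol /dev/vg01/myball > "$1/devlist"
}

dir=$(mktemp -d)
write_samples "$dir"
check_fstab "$dir/fstab" || echo "fstab: $? problem(s)"
check_crypttab "$dir/crypttab" "$dir/fstab" "$dir/devlist" || echo "crypttab: $? problem(s)"
rm -rf "$dir"
```

Run it against the real files with “check_fstab /etc/fstab” and “check_crypttab /etc/crypttab /etc/fstab devlist”; a non-zero return is the number of lines to look at before you reboot.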

Add new partitions and logical volumes, and swap to a system non-destructively

parted /dev/sdb
mklabel / msdos / yes             (Assign a label to the disk, must be done on new disk)
mkpart / primary / [ext4/linux-swap] / 1 / 2g           (Create an ext4 / swap partition of 2GB)
print                                        (Verify)
partprobe /dev/sdb     (force kernel to re-read the updated partition table)
grep sdb /proc/partitions
mkswap /dev/sdc
swapon /dev/sdc
mkswap /dev/vg01/myball
swapon /dev/vg01/myball
swapon -s                    (confirm new swap areas are activated)
vmstat -s
Edit /etc/fstab to activate on system boot:
UUID=XXXX  swap   swap  defaults  0 0
/dev/vg01/myball  swap   swap  defaults 0 0
swapoff /dev/sdc
swapoff /dev/vg01/myball

Edit /etc/fstab to remove swap entries and reboot to validate

Friday, 18 July 2014


RHCSA7 Exam Notes #4: Create and configure file system

Word version available here:

 
Create, mount, unmount, and use vfat, ext4 and xfs file systems

mkfs.vfat /dev/sdc

mkfs.ext4 /dev/sdb

mkfs.xfs /dev/sdd

Mount, unmount, and use LUKS-encrypted file systems

rpm -qa | grep cryptsetup      (confirms encryption packages are installed, should be by default)

I recreated the logical volumes used in the last document to test against:

cryptsetup -v -y luksFormat /dev/vg01/dbvol (ensure the F in luksFormat is uppercase!)

cryptsetup -v luksOpen /dev/vg01/dbvol dbvol_luks (ensure the O in luksOpen is uppercase! Assigns name to volume to create a device file in /dev/mapper directory)

ls -l /dev/mapper | grep dbvol_luks   (checks device is present in mapper file)

mkfs -t ext4 /dev/mapper/dbvol_luks            (construct ext4 file system in the logical volume)

mkdir /dbvol_luks       (create mount point)

mount /dev/mapper/dbvol_luks /dbvol_luks (mount file system, check with “df”)

check mount status:

mount | grep dbvol_luks

umount /dbvol_luks

Mount and unmount CIFS and NFS network file systems

I used a Windows Server 2012 R2 VM to host the CIFS Share and NFS Target. I added the following Roles:

File and Storage Services\File and iSCSI Services\File Server

File and Storage Services\File and iSCSI Services\Server for NFS

I configured two separate folders and used the file share wizard to set one up as a standard share (CIFS) and the other as an NFS share. I then edited the RHEL /etc/hosts file to enable name resolution, making up a name for the Windows server but using its IP address, then tested pings. I also created a local user student on the Windows Server and granted it full permissions to both folders. The remaining effort was to test the following commands to access the text file I had placed in each of the two shared locations.

 

CIFS:

rpm -qa | grep samba                        (Check “samba-client-XXXX” is installed, otherwise the command smbclient will not work)

yum -y install samba-client cifs-utils  (need both of these to list and mount cifs shares)

mkdir -p /physical/cifs/remote          (creates a local mount point for the remote cifs share)

smbclient -L //WIN-22QL3RAM8IH/cifs -U student   (Lists available resources on remote server, you will be prompted for password of student account, I used the default temporary windows server computer name to get this to work, any other “nicer” alias in the hosts file failed with NT_STATUS_RESOURCE_NAME_NOT_FOUND)

mount -t cifs //WIN-22QL3RAM8IH/cifs  /physical/cifs/remote -o username=student

(The default is to mount as RW so no extra switch is required. You will be required to enter password for student account. Test creating file in remote cifs share. I had to relax windows share permissions to permit Everyone Full Contol before I could get write access)

Use “df -h” or “mount” command to get info on CIFS share

umount /physical/cifs/remote            (If you get an error make sure you current working directory isn’t /physical/cifs/remote!! Just “cd ~” to change back to your home dir and the command to unmount will work!!)

To automatically mount the shares see the next section

 

NFS:

rpm -qa | egrep 'rpcbind|nfs-utils'    (unlike the samba stuff above, both appear to be installed by default but who’s to say the exam will be that nice?!)

mkdir -p /physical/nfs/remote

showmount -e WIN-22QL3RAM8IH

mount -t nfs WIN-22QL3RAM8IH:/nfs /physical/nfs/remote

To check use the commands “mount | grep nfs” or “df -h”

I got Permission Denied trying to cd into the new mount, had to grant anonymous user full control at NTFS level on Windows Server and then it worked. For Authentication make sure you use the Server Manager GUI to edit the “No Server Authentication” option, I set mine to allow unmapped user access by UID/GID and was able to successfully create and edit files in a subdirectory but only edit files in the root, couldn’t create new ones. At least it sorta works but it’s a windows permission issue, the process works. Next “cd ~” and unmounts as follows:

umount /physical/nfs/remote

Job Done!!

 

Configure systems to mount LUKS-encrypted, and network file systems automatically

I didn’t have much luck getting this to work after a reboot, will revert when I’ve finished the other section to test a solution.

CIFS:

vi /etc/fstab    (add the following line)

//WIN-22QL3RAM8IH/cifs  /physical/cifs/remote  cifs  credentials=/etc/samba/smbcred 0 0

vi /etc/samba/smbcred          (create the following lines)

username=student

password=mypassword

mount -a         (This tests fstab by mounting everything in that file without a reboot, use “df -h” to confirm CIFS share mounted)
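The smbcred file above carries the student password in clear text, so whatever permissions it was created with are the permissions every local user has on that password. The script below is an added example (not part of these notes): it pulls the credentials= path out of the cifs line in fstab and checks that the file is a regular file, mode 600 (or 400), root-owned when run as root, and actually contains the username= and password= lines. The fstab line and credentials file are written to a temporary directory here; the paths are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify that the CIFS
# credentials file referenced from /etc/fstab is not readable by other users.
# It holds a plaintext password, so anything wider than mode 600 hands it to
# every local account. Paths and sample contents are constructed.

# credentials_path FSTAB MOUNTPOINT: print the credentials= option of the cifs
# entry for MOUNTPOINT (prints nothing if there is none).
credentials_path() {
    awk -v mnt="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $2 == mnt && $3 == "cifs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (sub(/^credentials=/, "", opts[i])) print opts[i]
        }' "$1"
}

# check_cred_file FILE: return 0 if FILE is a regular file readable only by its
# owner (mode 600 or 400), owned by root when checked as root, and carries a
# username= and a password= line; otherwise print the reason and return 1.
check_cred_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode lets other users read the password; use chmod 600"; return 1 ;;
    esac
    if [ "$(id -u)" -eq 0 ] && [ "$(stat -c '%u' "$f")" -ne 0 ]; then
        echo "$f: should be owned by root"; return 1
    fi
    if ! grep -q '^username=' "$f" || ! grep -q '^password=' "$f"; then
        echo "$f: missing username= or password= line"; return 1
    fi
    return 0
}

# write_cifs_samples DIR: constructed fstab entry and credentials file, the
# latter deliberately left world-readable (mode 644) to show the check failing.
write_cifs_samples() {
    printf '//WIN-22QL3RAM8IH/cifs  /physical/cifs/remote  cifs  credentials=%s/smbcred  0 0\n' "$1" > "$1/fstab"
    printf 'username=student\npassword=mypassword\n' > "$1/smbcred"
    chmod 644 "$1/smbcred"
}

dir=$(mktemp -d)
write_cifs_samples "$dir"
cred=$(credentials_path "$dir/fstab" /physical/cifs/remote)
check_cred_file "$cred" || { chmod 600 "$cred"; check_cred_file "$cred" && echo "$cred: fixed"; }
rm -rf "$dir"
```

On the real system the call is “check_cred_file $(credentials_path /etc/fstab /physical/cifs/remote)”, and “chmod 600 /etc/samba/smbcred” is the fix when it complains.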

NFS:

vi /etc/fstab    (add the following line)

WIN-22QL3RAM8IH:/nfs  /physical/nfs/remote  nfs  ro,intr  0  0

mount -a         (Test fstab, should list both CIFS and NFS mounts, use “df -h” or “mount | grep cifs/nfs” to check)

 

Extend existing unencrypted logical volumes

pvcreate /dev/sdc

vgextend vg01 /dev/sdc          (adds sdc to vg01 volume group)

lvextend -L +2GB /dev/vg01/dbvol     (extends dbvol by 2GB, or set absolute size with 5GB)

lvresize -L 2.5GB /dev/vg01/myball   (resizes myball to 2.5GB, or use + to add space, can also reduce space by lowering figure or using -1GB for instance)

 

Create and configure set-GID directories for collaboration

Let’s create a test folder and group and see how we can set this option. With set-GID on a directory, new files and directories created inside it inherit the directory’s group rather than the creating user’s primary group, so everyone in the group can work on them; otherwise only the owner would have full control.

mkdir /myball

groupadd -g 2014 myballgrp  (“groups student” to confirm membership)

usermod -G myballgrp student

chown nobody:myballgrp /myball

ll -d /myball                            (Look for s in group permissions)

chmod g+s /myball                 (You may need to set overall folder permissions using chmod 775 /myball)

ll -d /myball                            (Look for s in group permission, should now be present as shown below)

drwxrwsr-x. 2 nobody myballgrp 21 Jul 18 11:33 /myball

 

Create and manage Access Control Lists (ACLs)

To get a handle on what users are defined on the system use the command “cat /etc/passwd”. The user accounts are listed at the bottom, starting with ID 1000 and upwards. Create a file test.txt in a folder to use in the following commands.

getfacl test.txt             (Shows ACL entries on file test.txt)

setfacl -m u:student:7 test.txt (Grants RWX ACLs to user student on the file)

setfacl -x u:derek test.txt        (Removes ACL entries for Derek on the file)

setfacl -b test.txt         (Removes all ACL entries on test.txt)

setfacl -m u::7,g::4,o:0,u:student:5 test.txt     (Go figure this one out!! Owner has rwx, group has r, public has none, student has r-x)

Create a subdirectory called hello which we’re going to use to test default permissions next. Make sure you are in the directory directly one level up from the folder you create.

setfacl -m d:u:student:6,d:u:derek:6 hello      (Verify permissions with getfacl hello)

setfacl -k hello            (Deletes all Default permissions from directory)
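The bit that catches people out with the setfacl commands above is the mask entry: a named user’s entry is what you asked for, but what the user actually gets is that entry ANDed with the mask, and a plain chmod on a file that carries an ACL changes the mask rather than the group. The script below is an added example (not part of these notes) that reads saved getfacl output and prints the effective permission the way getfacl’s “#effective:” column does. Both listings are constructed: the first is the state after the “setfacl -m u::7,g::4,o:0,u:student:5 test.txt” line (setfacl recomputes the mask as the union of the group and named entries, here r-x), the second is the state after a later “chmod 740 test.txt”, whose group bits land on the mask.

```shell
#!/bin/sh
# Added example, not part of the original notes: read getfacl output and show
# what a named user actually gets once the mask entry is applied. Both
# listings below are constructed to match the setfacl/chmod steps in the text.

# acl_effective GETFACL_FILE ENTRY: effective permission of ENTRY ("user:",
# "group:", "other:", "user:NAME" or "group:NAME") after the mask, as getfacl
# reports in its "#effective:" column; owner and other are never masked.
acl_effective() {
    awk -v want="$2" '
        /^#/ || NF == 0 { next }
        { sub(/[[:space:]]+#.*$/, ""); split($0, f, ":"); tag = f[1] ":" f[2]; perm = f[3] }
        tag == "mask:" { mask = perm }
        tag == want    { found = perm }
        END {
            if (found == "") { print "no such entry"; exit 1 }
            if (mask == "" || want == "user:" || want == "other:") { print found; exit 0 }
            out = ""
            for (i = 1; i <= 3; i++) {          # r, w, x positions line up in both strings
                a = substr(found, i, 1); b = substr(mask, i, 1)
                out = out (a == b ? a : "-")
            }
            print out
        }' "$1"
}

# write_acl_samples DIR: the two constructed getfacl listings described above
write_acl_samples() {
    cat > "$1/after_setfacl.acl" <<'EOF'
# file: test.txt
# owner: michael
# group: myballgrp
user::rwx
user:student:r-x
group::r--
mask::r-x
other::---
EOF
    cat > "$1/after_chmod.acl" <<'EOF'
# file: test.txt
# owner: michael
# group: myballgrp
user::rwx
user:student:r-x
group::r--
mask::r--
other::---
EOF
}

dir=$(mktemp -d)
write_acl_samples "$dir"
echo "student after setfacl: $(acl_effective "$dir/after_setfacl.acl" user:student)"   # r-x
echo "student after chmod:   $(acl_effective "$dir/after_chmod.acl" user:student)"     # r--
rm -rf "$dir"
```

Feed it “getfacl test.txt > saved.acl” from a real file and query user:student the same way; if the answer is narrower than the entry you set, the mask is what needs fixing (setfacl -m m::rwx test.txt).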

 

Diagnose and correct file permission problems

No idea what could be asked here, but let’s sum up what we should know, how to check the various permissions, and then a summary of commands to fix the issue. The following are the permissions on a file, followed by a folder.

-rwxr-----. 1 michael myballgrp 0 Jul 18 11:33 test.txt

drwxrwsr-x. 2 nobody myballgrp 21 Jul 18 11:33 /myball

The permission structure is as follows:

{d-directory/l-shortcut or symbolic link/p-named pipe file/s-socket file}{owner permissions}{group permissions}{public permissions}

chmod XXX filename  (0=no permissions,4=Read,5=Read+Execute,6=Read+Write,7=All)

You can also use chmod {g=group/o=public/u=owner/a=all}+/-{r/w/x} filename

Examples: chmod {go+rx/g-w/a=rwx} test.txt

o+t = sticky bit so public can’t move or delete

u+s = setuid bit to run as owner

g+s = run as group

chown derek:myballgrp filename      (Changes ownership of file filename to user Derek & group myballgrp)

chown -R derek:myballgrp DirectoryName   (Changes ownership of DirectoryName to user derek & group myballgrp)

chgrp myballgrp filename                  (Changes group membership of file filename to myballgrp)

umask is used in the current shell only to change default permissions on new files and folders. umask -S shows permissions in the old rwx notation. The number used is subtracted from 777 for directories and 666 for files; for example umask 022 gives 755 for directories and 644 for files.
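To tie the permission string, the octal chmod values, the special bits and umask together, here is an added example (not part of these notes) in plain sh: it converts an “ls -l” permission string such as drwxrwsr-x. into octal with the setuid/setgid/sticky digit in front, works out what a given umask leaves on new files and directories, and scans a saved listing for the two things to fix first, world-writable entries without the sticky bit and setuid/setgid executables. The listing is constructed from the lines in this section plus a made-up setuid binary.

```shell
#!/bin/sh
# Added example, not part of the original notes: decode "ls -l" permission
# strings into octal (special bits included), compute what a umask leaves on
# new files and directories, and audit a saved listing. The listing and the
# setuid binary name in it are constructed.

# mode_to_octal PERMS: e.g. "drwxrwsr-x." -> 2775, "-rwxr-----" -> 0740
mode_to_octal() {
    p=$(printf '%s' "$1" | cut -c2-10)   # drop the type character and any trailing . or +
    special=0 bits=0 i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$p" | cut -c"$i")
        v=0
        case "$c" in r|w|x|s|t) v=1 ;; esac      # s/t: special bit plus execute
        bits=$(( (bits << 1) | v ))             # S/T: special bit without execute
        case "$i$c" in
            3s|3S) special=$((special | 4)) ;;  # setuid sits on the owner execute slot
            6s|6S) special=$((special | 2)) ;;  # setgid on the group execute slot
            9t|9T) special=$((special | 1)) ;;  # sticky on the other execute slot
        esac
        i=$((i + 1))
    done
    printf '%o%03o\n' "$special" "$bits"
}

# default_mode UMASK dir|file: the mode a new directory or file gets under UMASK
# (the mask clears bits from 777 for directories and 666 for files)
default_mode() {
    if [ "$2" = dir ]; then
        printf '%03o\n' $(( 0777 & ~0$1 ))
    else
        printf '%03o\n' $(( 0666 & ~0$1 ))
    fi
}

# audit_listing FILE: report entries in saved "ls -l" output that are
# world-writable without the sticky bit, or are setuid/setgid regular files;
# returns the number of findings.
audit_listing() {
    findings=0
    while read -r perms links owner group rest; do
        case "$perms" in [-dl]?????????|[-dl]?????????[.+]) ;; *) continue ;; esac
        name=${rest##* }
        oct=$(mode_to_octal "$perms")
        sp=${oct%???}
        other=${oct#???}
        case "$other" in 2|3|6|7)
            case "$sp" in
                1|3|5|7) ;;   # sticky set: shared scratch directory such as /tmp
                *) echo "$name: world-writable ($oct) without sticky bit"; findings=$((findings + 1)) ;;
            esac ;;
        esac
        case "$perms" in -*)   # regular file
            case "$sp" in 4|5|6|7) echo "$name: setuid ($oct), runs as $owner"; findings=$((findings + 1)) ;; esac
            case "$sp" in 2|3|6|7) echo "$name: setgid ($oct), runs as group $group"; findings=$((findings + 1)) ;; esac
        ;; esac
    done < "$1"
    return "$findings"
}

# write_listing FILE: constructed "ls -l" lines (the setuid helper path is made up)
write_listing() {
    cat > "$1" <<'EOF'
-rwxr-----. 1 michael myballgrp 0 Jul 18 11:33 test.txt
drwxrwsr-x. 2 nobody myballgrp 21 Jul 18 11:33 /myball
-rw-rw-rw-. 1 derek myballgrp 0 Jul 18 11:33 shared.txt
-rwsr-xr-x. 1 root root 32208 Jul 18 11:33 /opt/legacy/helper
drwxrwxrwt. 5 root root 4096 Jul 18 11:33 /tmp
EOF
}

f=$(mktemp)
write_listing "$f"
audit_listing "$f" || echo "$? finding(s); fix with chmod o-w or chmod u-s,g-s as appropriate"
rm -f "$f"
```

“ls -l /some/dir > listing.txt; audit_listing listing.txt” does the same on a real directory, and mode_to_octal is handy for turning the drwxrwsr-x. you see on the collaboration folder into the 2775 you would pass to chmod.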

Sunday, 13 July 2014


RHCSA 7 Exam Notes #2: Operate running systems

 
Word Version available here:
https://drive.google.com/file/d/0B9WPh0iDN4KwekpZekF6TmZXQ0k/edit?usp=sharing

Boot, reboot, and shut down a system normally
systemctl halt              systemctl reboot            systemctl --nowall poweroff (no broadcast)
shutdown -[h/r] [now/20]      (halt/reboot, now/20 minutes)

Boot systems into different targets manually

Runlevels have been replaced with system targets controlled by the systemctl command.
Runlevel   Target Units                           Description
0          runlevel0.target, poweroff.target      Shut down and power off the system.
1          runlevel1.target, rescue.target        Set up a rescue shell.
2          runlevel2.target, multi-user.target    Set up a non-graphical multi-user system.
3          runlevel3.target, multi-user.target    Set up a non-graphical multi-user system.
4          runlevel4.target, multi-user.target    Set up a non-graphical multi-user system.
5          runlevel5.target, graphical.target     Set up a graphical multi-user system.
6          runlevel6.target, reboot.target        Shut down and reboot the system.

systemctl set-default multi-user.target          (Sets default to non-graphical multi-user system, set it back with graphical.target, watch for proper placement of – and . symbols!)
systemctl isolate multi-user.target    (switches to non-graphical multi-user system immediately)
systemctl rescue/emergency             (switches to rescue/emergency shell immediately)
systemctl can also be used against remote systems:
systemctl -H root@server-01.example.com status crond.service
 
Interrupt the boot process in order to gain access to a system

Note: this broke the root password for me. Ensure you use visudo to give another account full access to avoid being locked out! I was able to recover by using sudo passwd root in the graphical session later. All attempts to use the method below to set the root password failed!

To reset root account as an example:
Press any key at the Grub boot loader and then e to edit the default option
Scroll down to the line starting with initrd16 and press the left arrow once until you get to the end of the line ending in LANG=en_IE.UTF-8 and append as follows:
LANG=en_IE.UTF-8 init=/bin/sh
Press CTRL-X to boot and you’ll get to a sh-4.2# prompt

/usr/sbin/load_policy -I
mount -o remount,rw /
passwd root
mount -o remount,ro /
Now reboot the system. Note: commands entered in the bash prompt are not echoed to screen. I got palindrome errors when attempting to change the root password but the default password policies may need to be relaxed a bit for this to work.

Identify CPU/memory intensive processes, adjust process priority with renice, and kill
Processes

TOP is your buddy!
Load average: last minute, 5 minutes, 15 minutes     (Anchor value = 1 per Cpu Core)
Press 1 to show all Cores in a multi CPU system
CPU: us=user space apps not run with root priority, sy=system space used by kernel, id=idle time, wa=waiting on I/O if over 30% issues, st=Virtualization stealing cpu from host, move those pesky VMs somewhere else!
Memory: watch out for used Swap, is normal for Oracle/SAP though

Processes: USER is who started process, PRiority rt=realtime, VIRT=memory claimed when process first started, RES=resident memory is how much process is using now, SHR=memory shared with other process

Press f and scroll down to highlight & select P = Last Used Cpu (SMP) to see context switches by a process in action
vmstat                         vmstat -s                    (good sampling utility, -s is since boot, use -d for disk activity; iostat for disk I/O, netstat for network)

free -m           (free memory)            slabtop             (kernel memory usage, yes that’s spelled “s-l-a-b….”!!)
ps -efl to show processes and niceness (NI column: valued from -20 critical, 0 default to +19 don’t care)
pidof crond      (shows process ID of crond process)
ps -U root        (shows all processes owned by root)
nice --2 tail -f /var/log/messages       (use to launch new process with specified niceness, notice -2 would mean +2 but --2 means -2 !)
ps -efl | grep tail         (let’s see in another terminal what the niceness of the tail process is)
renice -4 3057             (this change niceness to -4, to set +4 drop the -)
ps -p 3057 -fl               (let’s see the niceness of process 3057)
pgrep tail / kill 3057               (find tail’s process id / kill process 3057, use -p if process stuck waiting on input)
pkill tail                       (kill process tail, use -p if process stuck waiting on input)
 
Locate and interpret system log files and journals

Most log files are in /var/log
cat /var/log/boot.log              (checks for service startup on boot)
tail -f /var/log/messages                    dmesg             (check messages file,useful for USB info)
/etc/logrotate.conf     /etc/logrotate.d/<subfolder>             (controls log rotation, specific service amendments in subfolders)
journalctl -n 20                       (shows last 20 log entries generated with their entry point, -f for realtime, -p with either a word or number: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), and debug (7))
 
Access a virtual machine's console
 Click Applications, System Tools, Virtual Machine Manager and double click on the VM to open the console. CTRL+ALT to release the cursor.
virt-manager   (Main Virtual Machine Manager program – same as above)
virt-viewer myvm (opens VMs console)
virsh is the command line utility. Some useful commands are:
virsh list  (list VMs, called domains here)
virsh -v (get kvm version info)
virsh autostart myvm (starts VM on host bootup)
virsh dominfo myvm (get vm info)
virt-top  (yes, you guessed it, TOP for VMs!)

Start and stop virtual machines

Invoke virt-manager or use virsh commands below:
virsh [reboot/reset/screenshot/shutdown/start] myvm

Start, stop, and check the status of network services
systemctl [start/stop/status] vsftpd.service   (replace vsftpd with service name)
systemctl list-units --type service        (displays the status of all services)
systemctl [enable/disable/is-enabled] vsftpd.service (sets vsftpd service to start / stop on system startup, is-enabled checks status)

Securely transfer files between systems
Default install of RHEL7 should have the following line in /etc/ssh/sshd_config:
Subsystem   sftp   /usr/libexec/openssh/sftp-server

Test the remote SSH connection first so the server’s host key is accepted and cached:
ssh student@192.168.31.52
Now choose one of the following:
SFTP:
sftp student@192.168.31.52               (Setup secure sftp connection)
ls                                                          (check remote directory listing)
cd Desktop                                          (Let’s drop the file into the Desktop folder)
lls                                                         (Checks LOCAL directory for file to transfer)
put iometer.iso                                   (Transfers File iometer.iso)
ls                                                          (Check remote directory that file now exists)
quit                                                      (Closes connection)
So the basic commands (Remote vs Local) are cd/lcd, ls/lls. You can use Put/Get to transfer files in either direction. Also mkdir/rmdir work on REMOTE system.

SCP:
Enter command below to transfer iso file from one Desktop to the other remote system:
scp ~/Desktop/iometer.iso student@192.168.31.52:~/Desktop
You will be prompted for student’s password where if accepted the file will be transferred.