RHCSA7 Exam Notes #4: Create and configure file system
mkfs.vfat /dev/sdc
mkfs.ext4 /dev/sdb
mkfs.xfs /dev/sdd
Mount, unmount, and use LUKS-encrypted file systems
rpm -qa | grep cryptsetup (confirms encryption packages are installed, should be by default)
I recreated the logical volumes used in the last document to test against:
cryptsetup -v -y luksFormat /dev/vg01/dbvol (ensure the F in luksFormat is uppercase!)
cryptsetup -v luksOpen /dev/vg01/dbvol dbvol_luks (ensure the O in luksOpen is uppercase! Assigns name to volume to create a device file in /dev/mapper directory)
ls -l /dev/mapper | grep dbvol_luks (checks device is present in mapper file)
mkfs -t ext4 /dev/mapper/dbvol_luks (construct ext4 file system in the logical volume)
mkdir /dbvol_luks (create mount point)
mount /dev/mapper/dbvol_luks /dbvol_luks (mount file system, check with “df”)
check mount status:
mount | grep dbvol_luks
umount /dbvol_luks
Mount and unmount CIFS and NFS network file systems
I used a Windows Server 2012 R2 VM to host the CIFS Share and NFS Target. I added the following Roles:
File and Storage Services\File and iSCSI Services\File Server
File and Storage Services\File and iSCSI Services\Server for NFS
I configured two separate folders and used the file share wizard to set one up as a standard share (CIFS) and the other as an NFS share. I then edited the RHEL /etc/hosts file to enable name resolution, making up a name for the Windows server but using its IP address, then tested pings. I also created a local user student on the Windows Server and granted it full permissions to both folders. The remaining effort was to test the following commands to access the text file I had placed in each of the two shared locations.
CIFS:
rpm -qa | grep samba (Check “samba-client-XXXX” is installed, otherwise the command smbclient will not work)
yum -y install samba-client cifs-utils (need both of these to list and mount cifs shares)
mkdir -p /physical/cifs/remote (creates a local mount point for the remote cifs share)
smbclient -L //WIN-22QL3RAM8IH/cifs -U student (Lists available resources on remote server, you will be prompted for password of student account, I used the default temporary windows server computer name to get this to work, any other “nicer” alias in the hosts file failed with NT_STATUS_RESOURCE_NAME_NOT_FOUND)
mount -t cifs //WIN-22QL3RAM8IH/cifs /physical/cifs/remote -o username=student (The default is to mount as RW so no extra switch is required. You will be required to enter password for student account. Test creating file in remote cifs share. I had to relax windows share permissions to permit Everyone Full Control before I could get write access)
Use “df -h” or “mount” command to get info on CIFS share
umount /physical/cifs/remote (If you get an error make sure your current working directory isn’t /physical/cifs/remote!! Just “cd ~” to change back to your home dir and the command to unmount will work!!)
To automatically mount the shares see the next section
NFS:
rpm -qa | egrep 'rpcbind|nfs-utils' (unlike samba stuff above, both appear to be installed by default but who’s to say the exam will be that nice?!)
mkdir -p /physical/nfs/remote
showmount -e WIN-22QL3RAM8IH
mount -t nfs WIN-22QL3RAM8IH:/nfs /physical/nfs/remote
To check use the commands “mount | grep nfs” or “df -h”
I got Permission Denied trying to cd into the new mount, had to grant anonymous user full control at NTFS level on Windows Server and then it worked. For Authentication make sure you use the Server Manager GUI to edit the “No Server Authentication” option, I set mine to allow unmapped user access by UID/GID and was able to successfully create and edit files in a subdirectory but only edit files in the root, couldn’t create new ones. At least it sorta works but it’s a windows permission issue, the process works. Next “cd ~” and unmount as follows:
umount /physical/nfs/remote
Job Done!!
Configure systems to mount LUKS-encrypted, and network file systems automatically
I didn’t have much luck getting this to work after a reboot, will revert when I’ve finished the other section to test a solution.
CIFS:
vi /etc/fstab (add the following line)
//WIN-22QL3RAM8IH/cifs /physical/cifs/remote cifs credentials=/etc/samba/smbcred 0 0
vi /etc/samba/smbcred (create the following lines)
username=student
password=mypassword
mount -a (This tests fstab by mounting everything in that file without a reboot, use “df -h” to confirm CIFS share mounted)
NFS:
vi /etc/fstab (add the following line)
WIN-22QL3RAM8IH:/nfs /physical/nfs/remote nfs ro,intr 0 0
mount -a (Test fstab, should list both CIFS and NFS mounts, use df -h or mount | grep cifs/nfs to check)
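The smbcred file above holds the share password in clear text, and /etc/fstab itself is world-readable, so the credentials file should be readable by its owner only (chmod 600). The following check for every cifs entry is an added example, not part of the original notes; the function name and the sample files are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original notes. Sample files below are constructed.

# audit_cifs_fstab FSTAB -> one finding per line on stdout; returns 1 if any
audit_cifs_fstab() {
    findings=0
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac       # skip blanks and comments
        [ "$fstype" = "cifs" ] || continue
        cred=""
        old_ifs=$IFS; IFS=,                            # split the options field
        for o in $opts; do
            case "$o" in
                password=*|pass=*)
                    echo "$mnt: password stored inline in $1"; findings=1 ;;
                credentials=*|cred=*) cred=${o#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred is missing"; findings=1
        else
            mode=$(stat -c %a "$cred")                 # GNU stat, octal mode
            case "$mode" in
                ?00) ;;                                # owner-only access: fine
                *) echo "$mnt: $cred is mode $mode, expected 600"; findings=1 ;;
            esac
        fi
    done < "$1"
    return $findings
}

# Constructed sample: the two fstab lines from these notes, with the
# credentials file placed in a temp directory and left group/world-readable.
demo=$(mktemp -d)
printf 'username=student\npassword=mypassword\n' > "$demo/smbcred"
chmod 644 "$demo/smbcred"
cat > "$demo/fstab" <<EOF
//WIN-22QL3RAM8IH/cifs /physical/cifs/remote cifs credentials=$demo/smbcred 0 0
WIN-22QL3RAM8IH:/nfs /physical/nfs/remote nfs ro,intr 0 0
EOF
audit_cifs_fstab "$demo/fstab" || echo "fix with: chown root:root FILE; chmod 600 FILE"
```
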
Extend existing unencrypted logical volumes
pvcreate /dev/sdc
vgextend vg01 /dev/sdc (adds sdc to vg01 volume group)
lvextend -L +2GB /dev/vg01/dbvol (extends dbvol by 2GB, or set absolute size with 5GB)
lvresize -L 2.5GB /dev/vg01/myball (resizes myball to 2.5GB, or use + to add space, can also reduce space by lowering figure or using -1GB for instance)
Create and configure set-GID directories for collaboration
Let’s create a test folder and group and see how we can set this option. It permits new files and directories in a folder to be opened by other users; by default only the owner would have full control.
mkdir /myball
groupadd -g 2014 myballgrp (“groups student” to confirm membership)
usermod -aG myballgrp student (-a appends; without it -G replaces the user's other supplementary groups)
chown nobody:myballgrp /myball
ll -d /myball (Look for s in group permissions)
chmod g+s /myball (You may need to set overall folder permissions using chmod 775 /myball)
ll -d /myball (Look for s in group permission, should now be present as shown below)
drwxrwsr-x. 2 nobody myballgrp 21 Jul 18 11:33 /myball
Create and manage Access Control Lists (ACLs)
To get a handle on what users are defined on the system use the command “cat /etc/passwd”. The user accounts are listed at the bottom, starting with ID 1000 and upwards. Create a file test.txt in a folder to use in the following commands.
getfacl test.txt (Shows ACL entries on file test.txt)
setfacl -m u:student:7 test.txt (Grants RWX ACLs to user student on the file)
setfacl -x u:derek test.txt (Removes ACL entries for Derek on the file)
setfacl -b test.txt (Removes all ACL entries on test.txt)
setfacl -m u::7,g::4,o:0,u:student:5 test.txt (Go figure this one out!! Owner has rwx, Group has r, public has none, student has rw. Delete )
Create a subdirectory called hello which we’re going to use to test default permissions on next. Make sure you are in the directory directly one level up from the folder you create.
setfacl -m d:u:student:6,d:u:derek:6 hello (Verify permissions with getfacl hello)
setfacl -k hello (Deletes all Default permissions from directory)
Diagnose and correct file permission problems
No idea what could be asked here but let’s sum up what we should know and how to check various permissions and then a summary of commands to fix the issue. The following is the permissions on a file, followed by a folder.
-rwxr-----. 1 michael myballgrp 0 Jul 18 11:33 test.txt
drwxrwsr-x. 2 nobody myballgrp 21 Jul 18 11:33 /myball
The permission structure is as follows:
{d-directory/l-shortcut or symbolic link/p-named pipe file/s-socket file}{owner permissions}{group permissions}{public permissions}
chmod XXX filename (0=no permissions,4=Read,5=Read+Execute,6=Read+Write,7=All)
You can also use chmod {g=group/o=public/u=owner/a=all}+/-{r/w/x} filename
Examples: chmod {go+rx/g-w/a=rwx} test.txt
o+t = sticky bit so public can’t move or delete
u+s = setuid bit to run as owner
g+s = run as group
chown derek:myballgrp filename (Changes ownership of file filename to user Derek & group myballgrp)
chown -R derek:myballgrp DirectoryName (Changes ownership of DirectoryName to user derek & group myballgrp)
chgrp myballgrp filename (Changes group membership of file filename to myballgrp)
umask is used in the current shell only to change default permissions on new files and folders. umask -S shows permissions in old rwx notation. The number used is subtracted from 777 for Dirs and 666 for Files, example umask 022=755 for Dir & 644 for Files
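The umask rule, checked against real files in an added example that is not part of the original notes: the mask clears permission bits (mode = base AND NOT umask), which matches the subtraction for 022 but not for a mask such as 027, where 666 minus 027 is not a valid mode. The function names are made up for the example, and it goes beyond the single 022 case in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes.

# effective_mode BASE UMASK -> octal mode that results from BASE & ~UMASK
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observed_modes UMASK -> "FILEMODE DIRMODE" measured on a real file and directory
observed_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"          # subshell: the change does not leak to the caller
        touch "$tmp/f"      # new files are requested with mode 666
        mkdir "$tmp/d"      # new directories are requested with mode 777
    )
    echo "$(stat -c %a "$tmp/f") $(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

# Compare the prediction with what the system actually creates.
for m in 022 027 077; do
    echo "umask $m: predicted $(effective_mode 666 "$m") $(effective_mode 777 "$m")," \
         "observed $(observed_modes "$m")"
done
```
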