Centos7-RHEL9
Relationship with Fedora, Redhat
Fedora --> Redhat --> Centos, all run by the Redhat company.
- Fedora - Free - the main project; a community-based, free distro focused on quick releases of new features and functionality.
- Redhat - Paid - the corporate version based on the progress of that project, and it has slower releases, comes with support, and isn’t free.
- CentOS - Free - essentially the community version of Redhat. So it’s pretty much identical, but it is free and support comes from the community as opposed to Redhat itself.
Redhat Developer
Development SELinux
To make life super easy for the first cut of something
see selinux current settings
sestatus
Disable selinux (till next reboot)
- centos 7
sudo setenforce 0
- RHEL 9
grubby --update-kernel ALL --args selinux=0
Disable firewall
service firewalld stop
systemctl disable firewalld
Disable SELinux
/etc/selinux/config
SELINUX=enforcing --> permissive
Reboot
Redhat SVC Alerts
grep sealert /var/log/messages
Selinux contexts
- Files --> fcontext
- Ports --> port
- boolean --> boolean
fcontext
show context
$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
(the context fields are user:role:type:level)
SELinux user
semanage login -l
level
/etc/selinux/targeted/setrans.conf
Copied files inherit the parent directory's fcontext; moved files retain their initial fcontext.
change context (temporary, as in it will last till the default labels are re-applied)
chcon -R -t [fcontext] /dir
change context (permanent)
semanage fcontext -a -t [context] '/dir(/.*)?'
restorecon -FvR /dir <----------- REMEMBER TO APPLY the new context
List contexts
semanage fcontext -l | grep [thing]
List temporary customisations (not written to selinux db)
semanage fcontext -l -C
Booleans
getsebool -a
setsebool -P httpd_enable_homedirs on   (-P permanent)
Interfaces
el7
vi /etc/sysconfig/network-scripts/ifcfg-eth0
Create a file named /etc/sysconfig/network-scripts/ifcfg-eth0 as follows:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=192.168.2.203
Restart the network service: systemctl restart network
Default Route
Temporary
$ route del default gw <default_gateway_ip>
$ route add default gw <default_gateway_ip>
Permanent
/etc/sysconfig/network
GATEWAY=<new_default_gateway_ip>
el8+
The ifcfg format configuration in /etc/sysconfig/network-scripts is deprecated;
el8 and el9 should use NetworkManager ini-style keyfiles in /etc/NetworkManager/system-connections
nmtui <- text-based (curses) interface
Profile settings are applied to an interface (interfaces can only accept settings from one profile)
Static connection properties are stored in /etc/NetworkManager/system-connections/, Dynamic connections (set by dhcp) are not stored persistently.
nmcli dev status
nmcli con show
nmcli con show --active
nmcli con up static-ens3   (uses the connection name, not the interface name)
nmcli dev disconnect ens3
Most connections have autoconnect enabled, so `nmcli connection down` is ineffective for stopping traffic.
nmcli con mod "profile name" connection.autoconnect no
Add interface (writes /etc/NetworkManager/system-connections/[interface].nmconnection)
nmcli con add con-name eno2 type ethernet ifname eno2
nmcli con add con-name eno3 type ethernet ifname eno3 ipv4.method manual ipv4.addresses 192.168.0.5/24 ipv4.gateway 192.168.0.254
nmcli con add con-name eno4 type ethernet ifname eno4 ipv6.addresses 2001:db8:0:1::c000:207/64 ipv6.gateway 2001:db8:0:1::1 ipv6.method manual ipv4.addresses 192.0.2.7/24 ipv4.gateway 192.0.2.1 ipv4.method manual
Modify existing.
nmcli con mod static-ens3 ipv4.addresses 192.0.2.2/24 ipv4.gateway 192.0.2.254 connection.autoconnect yes
nmcli con mod static-ens3 +ipv4.dns 2.2.2.2
nmcli con reload "profile name"
nmcli con del static-ens3
To change DHCP to static, set ipv4.method manual (instead of auto); the same applies to ipv6.method.
VM interfaces
VMWare interfaces are created in the following order
- ens192
- ens224
- ens256
- ens161
Static Routes
Temporary
ip route add 172.16.5.0/24 via 10.0.0.101 dev eth0
ip route delete 192.168.0.0/16 dev ens256 scope link metric 1005
/etc/sysconfig/network-scripts/route-eth0
172.16.5.0/24 via 10.0.0.101 dev eth0
Remember to bounce the interface afterwards
ifdown eth0
ifup eth0
Blackhole
ip route add blackhole <ip or range>
Dummy Interface
$ cat /etc/modules-load.d/dummy.conf
# Load dummy.ko at boot
dummy
$ cat /etc/modprobe.d/dummy.conf
install dummy /sbin/modprobe --ignore-install dummy; /sbin/ip link set name ethdummy1 dev dummy0
$ cat /etc/sysconfig/network-scripts/ifcfg-ethdummy1
NAME=ethdummy1
DEVICE=ethdummy1
MACADDR=00:22:22:ff:ff:ff
IPADDR=10.10.10.1
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
NM_CONTROLLED=no
Process to Port/Sockets
$ ps -ef | grep nginx
root 20501 1 0 Mar24 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
$ sudo lsof -nnp 20501
COMMAND PID   USER FD  TYPE DEVICE SIZE/OFF NODE     NAME
nginx   20501 root cwd DIR  253,0  224      64       /
nginx   20501 root rtd DIR  253,0  224      64       /
nginx   20501 root txt REG  253,0  1342640  50764597 /usr/sbin/nginx
nginx   20501 root 8u  IPv4 61372  0t0      TCP      172.29.17.4:http (LISTEN)
Optics Diagnostics
Output is similar to a Juniper
ethtool -m [interface]
Tools
- mtr - traceroute
- ss -plunt : socket state (p=process, l=listening, u=udp, n=names to numbers, t=tcp)
- ss -ta : connections
interface statistics
$ ip -s link show ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:00:0a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped  overrun  mcast
    269850     2931     0       0        0        0
    TX: bytes  packets  errors  dropped  carrier  collsns
    300556     3250     0       0        0        0
ipv6
- ip -6 a
- ip -6 r
dns
Up to 3 suffixes for searching and up to 3 DNS servers; suffixes are searched in order (left to right).
/etc/resolv.conf
search lab.example.com example.com
nameserver 172.35.200.200
Hostname
Static Hostname
/etc/hostname
Set Hostname
hostnamectl hostname blah.example.com
hostnamectl status
Transient Hostnames come from dhcp allocation
Screen
Terminal multiplexer. https://linuxize.com/post/how-to-use-linux-screen/
Start a 'window': screen
or to give the session a name: screen -S 'hello_world'
To exit: exit [enter]
To detach from the session: ctrl + a, d
Show windows/terminals: screen -ls
Re-attach: screen -r [number or session_name]
Scrollback: start with -h [numlines]
to access it, use copy mode: ctrl-a, Escape, [then up/down], Escape to return.
Locale Problems
This is an issue with Mobaxterm/WSL/Ubuntu (which set the locale to C.UTF-8), not CentOS, but here is a workaround: add the following to your .bashrc file (seriously, there is something wrong with mobaxterm and this was the only fix (read: crude workaround)).
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8
It appears mobaxterm is built from cygwin sources, which default to C.UTF-8 (an extended char set of en_US.UTF-8); however some CentOS boxes do not know about the C variant, so they complain.
Normal fix (that Mobaxterm seems to ignore, setting C.UTF-8 anyway):
sudo locale-gen en_US.UTF-8
sudo update-locale LANG=en_US.UTF-8
Packages / rpms
list installed
yum list installed
Remember to stop the service first :)
systemctl stop httpd
Add a specific package version
Show what versions are available
$ yum list httpd --showduplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.xnet.co.nz
 * centos-sclo-rh: mirror.xnet.co.nz
 * centos-sclo-sclo: mirror.xnet.co.nz
 * epel: mirror.xnet.co.nz
 * extras: mirror.xnet.co.nz
 * remi-php73: mirrors.mediatemple.net
 * remi-safe: mirrors.mediatemple.net
 * updates: mirror.xnet.co.nz
Available Packages
httpd.x86_64 2.4.6-90.el7.centos  base
httpd.x86_64 2.4.41-4.codeit.el7
To install a particular one
sudo yum install httpd-2.4.6-90.el7.centos
Use yum to download an rpm and not install it
yum install --downloadonly --downloaddir=<directory> <package>
Extract contents of an rpm
rpm2cpio ./rrdtool-1.7.2-14.el7.src.rpm | cpio -idmv
Downgrade package
yum downgrade vsftpd-2.0.5-12.el5
Creating rpms / packages
https://rpm-packaging-guide.github.io/
Noting that `Source0` can be a compressed archive that will be uncompressed once it is fetched.
EPEL Packages
Example, source: https://github.com/phaag/nfdump
EPEL EL9 Build https://koji.fedoraproject.org/koji/buildinfo?buildID=2105011
Get source rpm and extract
rpm2cpio nfdump-1.7.1-1.el9.src.rpm | cpio -idmv
Signing local packages
Re-sign packages that were signed with SHA1 GPG keys
gpg --gen-key
gpg -a --export KEYID > /root/CUSTOMER-GPG-KEY
~/.rpmmacros:
%_signature gpg
%_gpg_name KEYID
rpm --resign rpmname.rpm
Then share the GPG-KEY and the re-signed RPM in a new repository
Security Related
yum updateinfo | less -NFiX
yum check-update --security
yum updateinfo --security
yum updateinfo list --security | less -NFiX
yum updateinfo list updates | grep Critical
yum list available kernel
uname -r
yum update --security
reboot
yum update-minimal --advisory RHSA-2018:1965 --security
yum updateinfo RHSA-2018:1965 | less -NFiX
yum updateinfo list cve | less -NFiX
yum updateinfo list security all
yum updateinfo list sec
yum updateinfo list security installed
yum updateinfo list --cve CVE-2018-1111
yum update --cve CVE-2018-1111
yum --security list updates
yum list-sec
yum --security check-update
rpmkeys --checksig package_file.rpm
yum install --advisory [advisory_id]
yum updateinfo list --security --sec-severity=Low
References
- How to Install or list only errata using Yum on Red Hat Enterprise Linux? - https://access.redhat.com/solutions/10021
- Red Hat Product Security Center - https://access.redhat.com/security/
- Security Contacts and Procedures - https://access.redhat.com/security/team/contact/#contact
- Notifications and Advisories - https://access.redhat.com/security/updates/advisory
- Understanding Red Hat security ratings - https://access.redhat.com/security/updates/classification
- Backporting Security Fixes - https://access.redhat.com/security/updates/backporting/
- Common Vulnerabilities and Exposures - https://cve.mitre.org/
- National Vulnerability Database - https://nvd.nist.gov/
- Red Hat CVE Database - https://access.redhat.com/security/security-updates/#/cve
- Keeping Your System Up-to-Date chapter in the Red Hat Enterprise Linux 7 Security Guide - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#chap-Keeping_Your_System_Up-to-Date
Logging
To see the logs going to /var/log/messages for a particular service
sudo journalctl -u openli-provisioner.service
To watch a service's logs
sudo journalctl --follow -u openli-provisioner.service
Firewall
History
- ipchains
- iptables
- nftables (based upon netfilter framework) - applies to both ipv4 and ipv6
- firewalld
The source address defines the zone; if there is no match, the interface defines the zone; otherwise the default zone is used.
non-persistent
firewall-cmd --get-default-zone
firewall-cmd --list-all
installed with package
/usr/lib/firewalld/zones/public.xml
/usr/lib/firewalld/services/RH-Satellite-6.xml
Persistent
firewall-cmd --zone=public --add-port=3000/tcp --permanent
firewall-cmd --reload
firewall-cmd --runtime-to-permanent
/etc/firewalld/zones/public.xml
el9 iptables --> nftables
sudo systemctl status nftables
Systemd
Systemd daemon (pid=1)
- Path (watches files)
- systemctl list-units -t path
- Mount (controls mounts)
- Timer (scheduling)
- Slice (resource management)
- Socket (listens on port)
- Target (groups units)
- Service (Daemons)
- systemctl list-units --type=service
Don't edit the unit files in
/usr/lib/systemd/system/[service].service
instead use drop-in files (they will be shown when systemctl status [service] is run):
/etc/systemd/system/[service].service.d/99-custom.conf
systemd Dependencies
systemctl list-dependencies graphical.target | grep target
systemctl
List all enabled services
sudo systemctl list-unit-files | grep enabled
After a service unit or fstab is changed, systemd needs to be reloaded to register the new configuration
sudo systemctl daemon-reload
Selinux Policies
Look at audit log for deny messages
sudo ausearch -c 'process/context' --raw
Readable rules
grep context_t /var/log/audit/audit.log | audit2allow -w
Generate rules
grep context_t /var/log/audit/audit.log | audit2allow -M somepolicy
Refer to the following for possible permissions
cat /usr/share/selinux/devel/include/support/obj_perm_sets.spt
Modify the te file, then place it in a folder and run in the same folder:
make -f /usr/share/selinux/devel/Makefile
Import the policy
sudo semodule -i somepolicy.pp
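Before turning denials into allow rules with audit2allow, it helps to see exactly which source type, target type, object class and permissions are being denied, because a rule generated from a noisy log can widen the policy well beyond the one operation that failed. The shell function below is an added example, not part of the original notes: it summarises constructed AVC records in the audit.log format, and on a real host would be fed by `ausearch -m avc --raw` or `grep AVC /var/log/audit/audit.log`.

```shell
#!/bin/sh
# Constructed audit.log records (not from a real system): two file denials and
# one socket denial, all from httpd_t, plus an unrelated SYSCALL record.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { read open } for  pid=2001 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { name_connect } for  pid=2001 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"'

# summarise_avc: read audit records on stdin and print one line per
# (source type, target type, object class) with the union of the denied
# permissions and how many records matched, e.g.
#   httpd_t user_home_t file {read open} x2
summarise_avc() {
    grep '^type=AVC' | awk '
    {
        perms = $0; sub(/.*denied +[{] /, "", perms); sub(/ [}].*/, "", perms)
        st = $0; sub(/.*scontext=/, "", st); sub(/ .*/, "", st); split(st, s, ":")
        tt = $0; sub(/.*tcontext=/, "", tt); sub(/ .*/, "", tt); split(tt, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        key = s[3] " " t[3] " " cls      # third field of a context is the type
        count[key]++
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (index(" " seen[key] " ", " " p[i] " ") == 0)
                seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
    }
    END { for (k in count) print k " {" seen[k] "} x" count[k] }' | sort
}

# Stand-alone demo; in practice pipe the real log in, for example:
#   grep AVC /var/log/audit/audit.log | summarise_avc
printf '%s\n' "$SAMPLE_AUDIT" | summarise_avc
```

Each summary line maps directly onto one candidate allow rule, so a row you did not expect (here httpd_t connecting to mysqld_port_t) is a prompt to fix labelling or set a boolean rather than to ship a custom module.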
Temporary
1. Set SELinux mode to permissive temporarily (without reboot). The setenforce command is used to change between enforcing and permissive mode. To change to permissive mode:
setenforce 0
Permanent
Create a Module
File Types in the module
$ sepolicy generate --init /usr/local/bin/mydaemon
Created the following files:
/home/example.user/mysepol/mydaemon.te # Type Enforcement file
/home/example.user/mysepol/mydaemon.if # Interface file
/home/example.user/mysepol/mydaemon.fc # File Contexts file
/home/example.user/mysepol/mydaemon_selinux.spec # Spec file
/home/example.user/mysepol/mydaemon.sh # Setup Script
Detailed process https://blog.pythian.com/selinux-and-mysql-log-rotation-issue/
Port Labelling
semanage port -l
semanage port -m -t ssh_port_t -p tcp 23
Local Modifications
semanage port -l -C
Networking
USE THIS IPROUTE COMMAND       INSTEAD OF THIS NET-TOOL COMMAND
ip addr                        ifconfig -a
ss                             netstat
ip route                       route
ip maddr                       netstat -g
ip link set eth0 up            ifconfig eth0 up
ip -s neigh                    arp -v
ip link set eth0 mtu 9000      ifconfig eth0 mtu 9000
ntp
ntpd el6, chrony el7,8,9
sudo sntp -sS ntp_server
sudo sntp -sS 130.217.74.61
can use internetnz (part of the public pool): 202.46.177.18
Stratum
- 0 = Reference Clock
- 1 = Directly attached to Reference Clock
- 2 = a server that synchronizes time from a ntp server
Find/set timezones
timedatectl list-timezones | grep -i auckland
timedatectl set-timezone Pacific/Auckland
check with
timedatectl
Disable ntp
timedatectl set-ntp false
the chronyd service tracks the RTC offset/drift against the NTP servers
chronyc sources -v
RHEL 9
- Satellite Server - repo mirror for RHEL Packages
DNF
DNF (Dandified YUM) replaced YUM as the package manager in Red Hat Enterprise Linux 9
yum was based on Python 2; dnf uses Python 3. DNF resolves software dependencies.
dnf search all 'web server'
dnf info httpd
dnf provides /var/www/html
dnf history
dnf group install GROUPNAME
dnf localinstall [path].rpm
dnf repos
Add repos by adding a file under /etc/yum.repos.d/[blah].repo
$ cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1

[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
dnf repolist all
dnf config-manager --enable 'reponame'
Creating a local repo
download rpms (and dependencies)
dnf download --resolve [package]
dnf install createrepo
createrepo [repo_dir]
This creates a repodata folder with the repo metadata.
[customrepo]
name=long name of customrepo
baseurl=https://localpath/custom_repo/
enabled=true
gpgcheck=false
Reset root password
Reboot the system and interrupt the boot loader
Move the cursor to the kernel entry with rescue in its name, 'e' to edit
append 'rd.break' to the line starting with 'linux', then ctrl-x
mount -o remount,rw /sysroot
chroot /sysroot
passwd root
touch /.autorelabel
exit (the chroot jail), then exit again to leave the initramfs debug shell (n.b. the /.autorelabel file causes all files to be relabelled; the alternative is to do the following before exiting the chroot)
load_policy -i
restorecon -FvR /etc/shadow
Check if a package has been patched for a CVE
rpm -q --changelog [package] | grep CVE
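Because Red Hat backports fixes (see the Backporting Security Fixes reference in the Security Related section), the upstream version string alone does not tell you whether a CVE is fixed, which is why the changelog check above is the reliable one. The shell function below is an added example, not part of the original notes: it parses the format printed by `rpm -q --changelog` and reports the oldest entry that references a given CVE id; the changelog text, package versions and CVE ids are constructed placeholders.

```shell
#!/bin/sh
# Constructed changelog in the format of `rpm -q --changelog <package>`, newest
# entry first. Package, maintainer, versions and CVE ids are placeholders.
SAMPLE_CHANGELOG='* Mon Mar 04 2024 Example Maintainer <maint@example.com> - 2.4.6-99.el7.example
- Follow-up for CVE-0000-0001: regression in error handling
* Fri Jan 12 2024 Example Maintainer <maint@example.com> - 2.4.6-98.el7.example
- Resolves: #000001 - CVE-0000-0001 backported fix (placeholder id)
* Tue Nov 07 2023 Example Maintainer <maint@example.com> - 2.4.6-97.el7.example
- Fix CVE-0000-0002 (placeholder id)
- Initial example entry'

# cve_fixed_in CVE-ID: read a changelog on stdin and print the EVR of the
# oldest entry that mentions the id (entries are newest first, so the last
# match wins). Exit status 1 when the id is not referenced at all.
cve_fixed_in() {
    awk -v cve="$1" '
    /^\* / { ver = $0; sub(/^.* - /, "", ver); next }   # entry header: keep its "- EVR" suffix
    index($0, cve) { hit = ver }
    END { if (hit == "") exit 1; print hit }'
}

# Stand-alone demo; against a real host it would be
#   rpm -q --changelog "$pkg" | cve_fixed_in "$cve"
for id in CVE-0000-0001 CVE-0000-0002 CVE-0000-9999; do
    if fix=$(printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in "$id"); then
        echo "$id: referenced since $fix"
    else
        echo "$id: not referenced in this changelog"
    fi
done
```

A hit only proves the maintainer referenced the id; confirm the advisory with `yum updateinfo list --cve` before closing a finding.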
Disk management
Physical Volume (disk / block dev) --> Volume Group --> Logical Volume --> Filesystem
Add Physical Volumes to a Volume Group. Divide the Volume Group into Logical Volumes. Add a filesystem to the Logical Volume.
Can keep adding Physical Volumes (disks) to the volume group to grow it (and in-turn grow the logical volume).
- Physical Volume commands start with `pv`
- pvs - Physical Volume Show
- pvdisplay /dev/vdb1
- Volume Group commands start with `vg`
- vgs - Volume Group Show
- vgdisplay vg01
- Logical Volume commands start with `lv`
    - lvs - Logical Volume Show
Build LVM Storage
Optional Partitioning
parted /dev/vdb mklabel gpt mkpart primary 1MiB 769MiB
parted /dev/vdb mkpart primary 770MiB 1026MiB
parted /dev/vdb set 1 lvm on
parted /dev/vdb set 2 lvm on
udevadm settle
Create Physical Volumes
pvcreate /dev/vdb1 /dev/vdb2
Create a Volume Group
vgcreate vg01 /dev/vdb1 /dev/vdb2
Create a Logical Volume
lvcreate -n lv01 -L 300M vg01
Extend LVM Storage
Prepare / add new physical volumes to a Volume Group
parted /dev/vdb mkpart primary 1072MiB 1648MiB
parted /dev/vdb set 3 lvm on
udevadm settle
pvcreate /dev/vdb3
Extend the Volume group
vgextend vg01 /dev/vdb3
Extend the Logical Volume
lvextend -L +500M /dev/vg01/lv01
Extend the XFS File System (note xfs can not be shrunk!)
xfs_growfs /mnt/data
Extend the ext4 File system to the LV Size
resize2fs /dev/vg01/lv01
Containers
- Container Images
- buildah
- podman
- registries
- registry.redhat.io - images/products maintained by redhat
- registry.community.redhat.com - 3rd party
- quay.io - community contributed
- Management tools
- podman - manages containers and container images
- skopeo - inspects, copies, deletes and signs images
- buildah - creates container images
- kubernetes (openshift)
- Container runtimes
- runc
- cri-o
- docker
Container tools
sudo dnf install container-tools
Redhat Container Catalog https://access.redhat.com/containers
Redhat UBI (Universal Base Image) - minimised container image to deploy as the first layer
podman login --username [username] --password-stdin registry.access.redhat.com
Container Registries
/etc/containers/registries.conf
$HOME/.config/containers/registries.conf
podman pull registry.access.redhat.com/ubi8/ubi:latest
Container files (Containerfile) are the podman equivalent of a Dockerfile: instructions on how to build an image
FROM registry.access.redhat.com/ubi8/ubi:latest
RUN dnf install -y python3
CMD ["/bin/bash", "-c", "echo hello"]
View information about an image
skopeo inspect docker://registry.path/image
- podman build - Build a container image with a container file.
- podman run - Run a command in a new container.
- podman images - List images in local storage.
- podman ps - Print information about containers.
- podman inspect - Display configuration of a container, image, volume, network, or pod.
- podman pull - Download an image from a registry.
- podman cp - Copy files or directories between a container and the local file system.
- podman exec - Execute a command in a running container.
- podman rm - Remove one or more containers.
- podman rmi - Remove one or more locally stored images.
- podman search - Search a registry for an image.
Show all containers including those that have exited.
podman ps -a
(-d detached)
podman run -d registry/path/image:latest
podman exec -it [container_name] bash <--- interactive terminal
podman cp /host/dir/file [container_name]:/container_path/file
Storage
$HOME/.local/share/containers/storage
- selinux context for volume mounts `container_file_t`
- el9 - podman 4 has DNS lookup for container IPs, so containers on the same network can reach each other by name
podman network create --gateway 10.87.0.1 --subnet 10.87.0.0/17 test_net
podman exec -it client01 dnf install -y iputils iproute
podman exec -it client01 ping -c3 otherhost02
podman container logs [container_name]
Forwarding Ports + Volumes
Port Forwarding
podman run -d --name web -p [container_host_port]:[container/image_port] path/to/image:latest
podman run -d --name web -p 8081:8080 -v [container_host_dir]:[container/mount]:Z path/to/image:latest
podman run -d --name web -p 8081:8080 -v /home/kiosk/web1:/var/www/html:Z qyau.io/image/httpd:latest
environment variables: -e KEY=value
volume `:Z` applies the selinux context if it isn't already set.
set volume permissions for the container process uid and gid
podman unshare chown uid:gid /container/host/dir
where uid:gid are those of the running user inside the container
podman systemd
podman generate systemd --name [container] --files --new   --> put the generated unit in $HOME/.config/systemd/user
systemctl --user daemon-reload
loginctl enable-linger