Centos7-RHEL9

From neil.tappsville.com

Relationship with Fedora, Redhat

Fedora --> Redhat --> Centos, all run by the Redhat company.

  1. Fedora - Free - the main project, and it’s a community-based, free distro focused on quick releases of new features and functionality.
  2. Redhat - Paid - the corporate version based on the progress of that project, and it has slower releases, comes with support, and isn’t free.
  3. CentOS - Free - essentially the community version of Redhat. So it’s pretty much identical, but it is free and support comes from the community as opposed to Redhat itself.

Redhat Developer

redhat-developer

Development SELinux

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-selinux_contexts

To make life super easy for the first cut of something

Show current SELinux status

sestatus

Disable selinux (till next reboot)

  • centos 7
sudo setenforce 0
  • RHEL 9
grubby --update-kernel ALL --args selinux=0

Disable firewall

service firewalld stop
systemctl disable firewalld

Disable SELinux

 /etc/selinux/config
 SELINUX=enforcing  --> permissive
 Reboot

Redhat SVC Alerts

grep sealert /var/log/messages


Selinux contexts

  • Files --> fcontext
  • Ports --> port
  • boolean --> boolean

fcontext

show context

$ ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1

user:role:type:level

SELinux user

semanage login -l

level

/etc/selinux/targeted/setrans.conf

Copied files inherit the parent directory's fcontext; moved files retain their original fcontext.


Change context (temporary: lasts until the default labels are restored with restorecon)

chcon -R -t [type] /dir

Change context (permanent)

semanage fcontext -a -t [type] '/dir(/.*)?'

restorecon -FvR /dir           <----------- REMEMBER TO APPLY the new context

List contexts

semanage fcontext -l | grep [thing]

List temporary customisations (not written to selinux db)

semanage fcontext -l -C

Booleans

getsebool -a
setsebool -P httpd_enable_homedirs on     (-P permanent)

Interfaces

el7

 vi /etc/sysconfig/network-scripts/ifcfg-eth0

Create the file /etc/sysconfig/network-scripts/ifcfg-eth0 as follows:

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=192.168.2.203

Restart the network service: systemctl restart network


Default Route

Temporary

$ route del default gw <default_gateway_ip>
$ route add default gw <default_gateway_ip>

Permanent: /etc/sysconfig/network

GATEWAY=<new_default_gateway_ip>

> el8

The ifcfg format in /etc/sysconfig/network-scripts is deprecated;

el8 and el9 should use NetworkManager ini-style keyfiles in /etc/NetworkManager/system-connections

nmtui <- text-based UI

Profile settings are applied to an interface (interfaces can only accept settings from one profile)

Static connection properties are stored in /etc/NetworkManager/system-connections/, Dynamic connections (set by dhcp) are not stored persistently.

nmcli dev state
nmcli con show
nmcli con show --active
nmcli con up static-ens3 (uses connection name, not interface name)
nmcli dev disconnect ens3

Most connections have autoconnect enabled, so `nmcli connection down` is ineffective for stopping traffic (the profile is simply re-activated); disable autoconnect first:

nmcli con mod "profile name" connection.autoconnect no

Add interface (creates /etc/NetworkManager/system-connections/[interface].nmconnection)

nmcli con add con-name eno2 type ethernet ifname eno2
nmcli con add con-name eno3 type ethernet ifname eno3 ipv4.method manual ipv4.addresses 192.168.0.5/24 ipv4.gateway 192.168.0.254
nmcli con add con-name eno4 type ethernet ifname eno4 ipv6.addresses 2001:db8:0:1::c000:207/64 ipv6.gateway 2001:db8:0:1::1 ipv6.method manual ipv4.addresses 192.0.2.7/24 ipv4.gateway 192.0.2.1 ipv4.method manual

Modify existing.

nmcli con mod static-ens3 ipv4.addresses 192.0.2.2/24 ipv4.gateway 192.0.2.254 connection.autoconnect yes
nmcli con mod static-ens3 +ipv4.dns 2.2.2.2
nmcli con reload            (re-reads all profile files from disk; settings changed with nmcli con mod take effect after nmcli con up)
nmcli con del static-ens3

To change DHCP to static, set ipv4.method manual (instead of auto); ipv6.method works the same way.

VM interfaces

VMWare interfaces are created in the following order

  • ens192
  • ens224
  • ens256
  • ens161


Static Routes

Temporary

ip route add 172.16.5.0/24 via 10.0.0.101 dev eth0
ip route delete 192.168.0.0/16 dev ens256 scope link metric 1005

Permanent

/etc/sysconfig/network-scripts/route-eth0

 172.16.5.0/24 via 10.0.0.101 dev eth0

Remember to bounce the interface after

ifdown eth0
ifup eth0

Blackhole

ip route add blackhole <ip or range>

Dummy Interface

$ cat /etc/modules-load.d/dummy.conf
# Load dummy.ko at boot
dummy
$ cat /etc/modprobe.d/dummy.conf 
install dummy /sbin/modprobe --ignore-install dummy; /sbin/ip link set name ethdummy1 dev dummy0
$ cat /etc/sysconfig/network-scripts/ifcfg-ethdummy1
NAME=ethdummy1
DEVICE=ethdummy1
MACADDR=00:22:22:ff:ff:ff
IPADDR=10.10.10.1
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
NM_CONTROLLED=no

Process to Port/Sockets

 ps -ef | grep nginx
root     20501     1  0 Mar24 ?        00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf

sudo lsof -nnp 20501
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
nginx   20501 root  cwd    DIR              253,0      224       64 /
nginx   20501 root  rtd    DIR              253,0      224       64 /
nginx   20501 root  txt    REG              253,0  1342640 50764597 /usr/sbin/nginx
nginx   20501 root    8u  IPv4              61372      0t0      TCP 172.29.17.4:http (LISTEN)

Optics Diagnostics

Output is similar to the optics diagnostics on a Juniper.

ethtool -m [interface]

Tools

  • mtr - traceroute
  • ss -plunt : socket state (p=process, l=listening, u=udp, n=names to numbers, t=tcp)
  • ss -ta : connections


interface statistics

 ip -s link show ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:00:00:0a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    269850     2931     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    300556     3250     0       0       0       0

ipv6

  • ip -6 a
  • ip -6 r

dns

Up to 3 search suffixes and up to 3 DNS servers in /etc/resolv.conf; suffixes are searched in order (left to right).

search lab.example.com example.com
nameserver 172.35.200.200

Hostname

Static Hostname

/etc/hostname

Set Hostname

hostnamectl hostname blah.example.com
hostnamectl status

Transient Hostnames come from dhcp allocation

Screen

Terminal multiplexer. https://linuxize.com/post/how-to-use-linux-screen/

Start a 'window':
screen
or give the session a name:
screen -S 'hello_world'
To exit: exit [enter]
To detach from the session: ctrl-a, d

Show windows/terminals: screen -ls
Re-attach: screen -r [number or session_name]

Scrollback: start with -h [numlines]; to access it use copy mode (ctrl-a, Escape, then up/down; Escape to return).

Locale Problems

This is an issue with MobaXterm/WSL/Ubuntu (which set the locale to C.UTF-8), not CentOS, but here is a workaround: add the following to your .bashrc file (seriously, there is something wrong with MobaXterm and this was the only fix, read: crude workaround).

export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8

It appears MobaXterm is built from Cygwin sources, which default to C.UTF-8 (an extended character set of en_US.UTF-8); some CentOS boxes do not know about the C variant and complain.

Normal fix (which MobaXterm seems to ignore, setting C.UTF-8 anyway)

sudo locale-gen en_US.UTF-8
sudo update-locale LANG=en_US.UTF-8

Packages / rpms

List installed: yum list installed

Remember to stop the service first :)

 systemctl stop httpd

Add a specific package version

Show what versions are available

 yum list httpd --showduplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.xnet.co.nz
 * centos-sclo-rh: mirror.xnet.co.nz
 * centos-sclo-sclo: mirror.xnet.co.nz
 * epel: mirror.xnet.co.nz
 * extras: mirror.xnet.co.nz
 * remi-php73: mirrors.mediatemple.net
 * remi-safe: mirrors.mediatemple.net
 * updates: mirror.xnet.co.nz
Available Packages
httpd.x86_64    2.4.6-90.el7.centos    base
httpd.x86_64    2.4.41-4.codeit.el7

To install a particular one

sudo yum install httpd-2.4.6-90.el7.centos

Use yum to download an rpm and not install it

yum install --downloadonly --downloaddir=<directory> <package>

Extract contents of an rpm

rpm2cpio ./rrdtool-1.7.2-14.el7.src.rpm | cpio -idmv

Downgrade package

yum downgrade vsftpd-2.0.5-12.el5


Creating rpms / packages

https://rpm-packaging-guide.github.io/

Noting that `Source0` can be a compressed archive that will be uncompressed once it is fetched.


EPEL Packages

Example, source: https://github.com/phaag/nfdump

EPEL EL9 Build https://koji.fedoraproject.org/koji/buildinfo?buildID=2105011

Get source rpm and extract

rpm2cpio nfdump-1.7.1-1.el9.src.rpm | cpio -idmv


Signing local packages

Re-sign packages that were signed with SHA-1 GPG keys

gpg --gen-key
gpg -a --export KEYID > /root/CUSTOMER-GPG-KEY

~/.rpmmacros:
%_signature gpg
%_gpg_name KEYID

rpm --resign rpmname.rpm

And share GPG-KEY and resigned RPM in new repository

Security Related

yum updateinfo | less -NFiX
yum check-update --security
yum updateinfo --security
yum updateinfo list --security | less -NFiX
yum updateinfo list updates | grep Critical
yum list available kernel
uname -r
yum update --security
reboot
yum update-minimal --advisory RHSA-2018:1965 --security
yum updateinfo RHSA-2018:1965 | less -NFiX
yum updateinfo list cve | less -NFiX
yum updateinfo list security all
yum updateinfo list sec
yum updateinfo list security installed
yum updateinfo list --cve CVE-2018-1111
yum update --cve CVE-2018-1111
yum --security list updates
yum list-sec
yum --security check-update
rpmkeys --checksig package_file.rpm
yum update --advisory RHSA-2018:1965
yum updateinfo list --security --sec-severity=Low


References

How to Install or list only errata using Yum on Red Hat Enterprise Linux? - https://access.redhat.com/solutions/10021
Red Hat Product Security Center - https://access.redhat.com/security/
Security Contacts and Procedures - https://access.redhat.com/security/team/contact/#contact
Notifications and Advisories - https://access.redhat.com/security/updates/advisory
Understanding Red Hat security ratings - https://access.redhat.com/security/updates/classification
Backporting Security Fixes - https://access.redhat.com/security/updates/backporting/
Common Vulnerabilities and Exposures - https://cve.mitre.org/
National Vulnerability Database - https://nvd.nist.gov/
Red Hat CVE Database - https://access.redhat.com/security/security-updates/#/cve
Keeping Your System Up-to-Date chapter in the Red Hat Enterprise Linux 7 Security Guide - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#chap-Keeping_Your_System_Up-to-Date

Logging

To see the logs of a particular service (the same messages that go to /var/log/messages):

sudo journalctl -u openli-provisioner.service

To watch a service's logs:

sudo journalctl --follow -u openli-provisioner.service

Firewall

History

  • ipchains
  • iptables
  • nftables (based upon netfilter framework) - applies to both ipv4 and ipv6
    • firewalld

The source address defines the zone; if none matches, the interface defines the zone; otherwise the default zone is used.

Non-persistent (runtime) configuration

firewall-cmd --get-default-zone
firewall-cmd --list-all

Defaults installed with the package:

/usr/lib/firewalld/zones/public.xml
/usr/lib/firewalld/services/RH-Satellite-6.xml

Persistent

firewall-cmd --zone=public --add-port=3000/tcp --permanent
firewall-cmd --reload
firewall-cmd --runtime-to-permanent

/etc/firewalld/zones/public.xml
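An added example (not from this wiki) that reads a persistent zone file like the one above and reports what it admits from any source, so the on-disk configuration can be reviewed without running firewall-cmd; the zone XML and the baseline service list are constructed for illustration:

```python
# Added example (not from the wiki): summarise what a persistent firewalld
# zone file (/etc/firewalld/zones/<zone>.xml) opens.  The zone XML below is
# a constructed sample, not a file taken from a real host.
import xml.etree.ElementTree as ET

SAMPLE_ZONE_XML = """\
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Constructed sample zone for illustration.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <port port="3000" protocol="tcp"/>
  <port port="8080-8090" protocol="tcp"/>
  <forward-port port="80" protocol="tcp" to-port="8080"/>
  <masquerade/>
  <rule family="ipv4">
    <source address="10.0.0.0/8"/>
    <service name="nfs"/>
    <accept/>
  </rule>
</zone>
"""

# Services expected on a baseline host (an assumption for this example);
# anything else the zone admits is reported.
BASELINE_SERVICES = frozenset({"ssh", "dhcpv6-client"})


def summarize_zone(xml_text):
    """Parse a firewalld zone file into the settings that admit traffic."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    return {
        # target="ACCEPT" accepts everything not matched by an explicit rule
        "target": root.get("target", "default"),
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")],
        "forward_ports": [
            f"{f.get('port')}/{f.get('protocol')}->{f.get('to-addr', 'local')}:{f.get('to-port', f.get('port'))}"
            for f in root.findall("forward-port")
        ],
        "masquerade": root.find("masquerade") is not None,
        # rich rules carry their own source restriction, so they are only counted
        "rich_rules": len(root.findall("rule")),
    }


def unexpected_exposure(summary, baseline=BASELINE_SERVICES):
    """List what the zone admits from any source beyond the baseline services;
    an empty list means the zone matches the baseline."""
    findings = []
    if summary["target"] == "ACCEPT":
        findings.append("target=ACCEPT (all traffic accepted)")
    findings += [s for s in summary["services"] if s not in baseline]
    findings += summary["ports"]
    findings += summary["forward_ports"]
    if summary["masquerade"]:
        findings.append("masquerade (NAT for forwarded traffic)")
    return findings


if __name__ == "__main__":
    for finding in unexpected_exposure(summarize_zone(SAMPLE_ZONE_XML)):
        print(finding)
```

Run it over /etc/firewalld/zones/*.xml after `firewall-cmd --runtime-to-permanent` to see exactly what was persisted.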


el9 iptables --> nftables

sudo systemctl status nftables

Systemd

systemd daemon (pid 1). Unit types:

  • Path (watches files)
    • systemctl list-units -t path
  • Mount (controls mounts)
  • Timer (scheduling)
  • Slice (resource management)
  • Socket (listens on port)
  • Target (groups units)
  • Service (Daemons)
    • systemctl list-units --type=service

Don't edit the unit files in

/usr/lib/systemd/system/[service].service

instead use drop-in files (shown when systemctl status [service] is run):

 /etc/systemd/system/[service].service.d/99-custom.conf

systemd Dependencies

systemctl list-dependencies graphical.target | grep target

systemctl

List all enabled services

sudo systemctl list-unit-files | grep enabled

After a unit file or /etc/fstab is changed, systemd needs to be reloaded to register the new configuration:

sudo systemctl daemon-reload

Selinux Policies

Look at audit log for deny messages

sudo ausearch -c 'process/context' --raw

Readable rules

grep context_t /var/log/audit/audit.log | audit2allow -w

Generate rules

grep context_t /var/log/audit/audit.log | audit2allow -M somepolicy

Refer to the following for possible permissions

cat /usr/share/selinux/devel/include/support/obj_perm_sets.spt

Modify the te file, then place it in a folder and run in the same folder:

make -f /usr/share/selinux/devel/Makefile

Import the policy

sudo semodule -i somepolicy.pp
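An added example (not from this wiki) that condenses raw AVC records into the allow rules audit2allow would generate, so what a module grants can be read through before `semodule -i`; the audit.log lines are constructed, not real captures:

```python
# Added example (not from the wiki): turn AVC denial records into the allow
# rules audit2allow would emit.  The audit.log excerpt below is constructed:
# two identical mysqld denials plus one logged by a permissive domain.
import re

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000001.100:201): avc:  denied  { write } for  pid=1201 comm="mysqld" name="error.log" dev="dm-0" ino=4711 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.100:201): arch=c000003e syscall=257 success=no exit=-13 comm="mysqld" exe="/usr/libexec/mysqld"
type=AVC msg=audit(1700000002.200:205): avc:  denied  { write } for  pid=1201 comm="mysqld" name="error.log" dev="dm-0" ino=4711 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.300:210): avc:  denied  { name_connect } for  pid=2302 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return (source type, target type, class, perms, permissive) for one
    AVC denial record, or None for any other audit record."""
    if "type=AVC" not in line:
        return None
    perms = PERMS_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if not perms or not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    # A context is user:role:type:level; policy rules are written on the type.
    src = fields["scontext"].split(":")[2]
    tgt = fields["tcontext"].split(":")[2]
    return src, tgt, fields["tclass"], perms.group(1).split(), fields.get("permissive") == "1"


def allow_rules(log_text):
    """Merge repeated denials into one allow rule per (source, target, class),
    marking rules that were only logged because the domain was permissive."""
    perms_by_key = {}
    enforced = set()
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms, permissive = parsed
        perms_by_key.setdefault((src, tgt, cls), set()).update(perms)
        if not permissive:
            enforced.add((src, tgt, cls))
    rules = []
    for (src, tgt, cls), perms in perms_by_key.items():
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if (src, tgt, cls) not in enforced:
            rule += "  # permissive domain: access was allowed and only logged"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```

A rule against a broad type such as var_log_t is a hint that the better fix is a more specific label (semanage fcontext plus restorecon, as above) rather than a wider allow.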

Temporary

Set SELinux to permissive temporarily (without a reboot). The setenforce command switches between enforcing and permissive mode; to change to permissive:

 setenforce 0

Permanent

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux

Create a module

File Types in the module

sepolicy generate --init /usr/local/bin/mydaemon
Created the following files:
/home/example.user/mysepol/mydaemon.te # Type Enforcement file
/home/example.user/mysepol/mydaemon.if # Interface file
/home/example.user/mysepol/mydaemon.fc # File Contexts file
/home/example.user/mysepol/mydaemon_selinux.spec # Spec file
/home/example.user/mysepol/mydaemon.sh # Setup Script

Detailed process https://blog.pythian.com/selinux-and-mysql-log-rotation-issue/

Port Labelling

semanage port -l
semanage port -m -t ssh_port_t -p tcp 23

Local Modifications

semanage port -l -C

Networking

Use this iproute command       Instead of this net-tools command
ip addr                        ifconfig -a
ss                             netstat
ip route                       route
ip maddr                       netstat -g
ip link set eth0 up            ifconfig eth0 up
ip -s neigh                    arp -v
ip link set eth0 mtu 9000      ifconfig eth0 mtu 9000

ntp

ntpd el6, chrony el7,8,9

sudo sntp -sS ntp_server
sudo sntp -sS 130.217.74.61

InternetNZ's server (part of the public pool) can be used: 202.46.177.18

Stratum

  • 0 = Reference Clock
  • 1 = Directly attached to Reference Clock
  • 2 = a server that synchronizes time from a ntp server

Find/set timezones

timedatectl list-timezones | grep -i auckland
timedatectl set-timezone Pacific/Auckland

check with

timedatectl

Disable ntp

timedatectl set-ntp false

The chronyd service tracks the offset and drift of the system clock (RTC) against the NTP servers:

chronyc sources -v

RHEL 9

  • Satellite Server - repo mirror for RHEL Packages

DNF

DNF (Dandified YUM) replaced YUM as the package manager in Red Hat Enterprise Linux 9.

yum was based on Python 2; dnf uses Python 3. DNF resolves software dependencies.


dnf search all 'web server'
dnf info httpd
dnf provides /var/www/html
dnf history
dnf group install GROUPNAME
dnf localinstall [path].rpm

dnf repos

Add repos by adding a file under /etc/yum.repos.d/[blah].repo

cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1

[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9

dnf repolist all
dnf config-manager --enable 'reponame'

Creating a local repo

download rpms (and dependencies)

dnf download --resolve [package]
dnf install createrepo
createrepo

This creates a repodata folder with the repo metadata. Then add a repo file pointing at it:

[customrepo]
name=long name of customrepo
baseurl=https://localpath/custom_repo/
enabled=true
gpgcheck=false

gpgcheck=false skips signature verification for everything installed from this repo; once the rpms are signed (see Signing local packages above) set gpgcheck=1 and point gpgkey= at the exported public key, as in the EPEL stanza above.


Reset root password

Reboot system, Interrupt the boot-loader

Move the cursor to the kernel entry with rescue in its name, 'e' to edit

append 'rd.break' to the line starting with 'linux' - ctrl-x

mount -o remount,rw /sysroot
chroot /sysroot
passwd root
touch /.autorelabel

exit (leaves the chroot jail), then exit again to leave the initramfs debug shell. N.B. the /.autorelabel file causes all files to be relabelled on the next boot; the alternative is to run the following before exiting the chroot:

load_policy -i
restorecon -FvR /etc/shadow

Check if a package has been patched for a CVE (fixes are backported, so the version number alone does not tell you):

rpm -q --changelog [package] | grep CVE
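An added example (not from this wiki) that searches `rpm -q --changelog` output for a CVE, since Red Hat backports fixes without changing the upstream version (see Backporting Security Fixes in the references); the changelog text is a constructed sample in rpm's output format, not a real package's history:

```python
# Added example (not from the wiki): find the changelog entry of an installed
# package that mentions a CVE.  SAMPLE_CHANGELOG is constructed to look like
# `rpm -q --changelog` output; packager, dates and wording are placeholders.
import re

SAMPLE_CHANGELOG = """\
* Tue May 15 2018 Example Packager <packager@example.invalid> - 12:4.2.5-68.el7_5.1
- Fix: CVE-2018-1111 (constructed entry; wording is illustrative only)

* Mon Apr 09 2018 Example Packager <packager@example.invalid> - 12:4.2.5-68.el7
- Rebuild (constructed entry, no security content)
"""

# "* <weekday> <month> <day> <year> <packager> - <[epoch:]version-release>";
# older packages may omit the trailing " - evr", so it is optional.
HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{1,2} \d{4}) (?P<who>.*?)(?: - (?P<evr>\S+))?$"
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changelog(text):
    """Split rpm changelog output into entries, newest first, each carrying
    the CVE ids mentioned in its body and the body lines for reading."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"date": m["date"], "evr": m["evr"], "cves": set(), "lines": []})
        elif entries and line.strip():
            entries[-1]["lines"].append(line.strip())
            entries[-1]["cves"].update(CVE_RE.findall(line))
    return entries


def find_cve(text, cve):
    """Return the oldest changelog entry mentioning `cve`, or None.
    A hit only means the CVE is mentioned: read the entry's lines to confirm
    it is a fix rather than, say, a note that the package is unaffected."""
    cve = cve.upper()
    for entry in reversed(parse_changelog(text)):  # oldest first
        if cve in entry["cves"]:
            return entry
    return None


if __name__ == "__main__":
    hit = find_cve(SAMPLE_CHANGELOG, "cve-2018-1111")
    print("not mentioned" if hit is None else f"{hit['evr']}: {hit['lines'][0]}")
```

Because the changelog of the installed package only lists changes up to its own version-release, a hit means the installed build contains that entry.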

Disk management

Physical Volume (disk / block dev) --> Volume Group --> Logical Volume --> Filesystem

Add Physical Volumes to a Volume Group. Divide the Volume Group into Logical Volumes. Add a filesystem to each Logical Volume.

Can keep adding Physical Volumes (disks) to the volume group to grow it (and in-turn grow the logical volume).

  • Physical Volume commands start with `pv`
    • pvs - Physical Volume Show
    • pvdisplay /dev/vdb1
  • Volume Group commands start with `vg`
    • vgs - Volume Group Show
    • vgdisplay vg01
  • Logical Volume commands start with `lv`
    • lvs Logical Volume show

Build LVM Storage

Optional Partitioning

parted /dev/vdb mklabel gpt mkpart primary 1MiB 769MiB
parted /dev/vdb mkpart primary 770MiB 1026MiB
parted /dev/vdb set 1 lvm on
parted /dev/vdb set 2 lvm on
udevadm settle

Create Physical Volumes

pvcreate /dev/vdb1 /dev/vdb2

Create a Volume Group

vgcreate vg01 /dev/vdb1 /dev/vdb2

Create a Logical Volume

lvcreate -n lv01 -L 300M vg01

Extend LVM Storage

Prepare / add new physical volumes to a Volume Group

parted /dev/vdb mkpart primary 1072MiB 1648MiB
parted /dev/vdb set 3 lvm on
udevadm settle
pvcreate /dev/vdb3

Extend the Volume group

vgextend vg01 /dev/vdb3

Extend the Logical Volume

lvextend -L +500M /dev/vg01/lv01

Extend the XFS File System (note xfs can not be shrunk!)

xfs_growfs /mnt/data

Extend the ext4 File system to the LV Size

resize2fs /dev/vg01/lv01

Containers

  • Container Images
    • buildah
    • podman
    • registries
      • registry.redhat.io - images/products maintained by redhat
      • registry.community.redhat.com - 3rd party
      • quay.io - community contributed
  • Management tools
    • podman - manages containers and container images
    • skopeo - inspects, copies, deletes and signs images
    • buildah - creates container images
    • kubernetes (openshift)
  • Container runtimes
    • runc
    • cri-o
    • docker

Container tools

sudo dnf install container-tools

Redhat Container Catalog: https://access.redhat.com/containers

Redhat UBI (Universal Base Image) - minimised container image to deploy as the first layer

podman login --username [username] --password-stdin registry.access.redhat.com

Container Registries

/etc/containers/registries.conf
$HOME/.config/containers/registries.conf
podman pull registry.access.redhat.com/ubi8/ubi:latest

Container files (Containerfile; the equivalent of a Dockerfile) hold the instructions for building an image:

FROM registry.access.redhat.com/ubi8/ubi:latest
RUN dnf install -y python3
CMD ["/bin/bash", "-c", "echo hello"]

View information about an image

skopeo inspect docker://registry.path/image


podman build	Build a container image with a container file.
podman run	Run a command in a new container.
podman images	List images in local storage.
podman ps	Print information about containers.
podman inspect	Display configuration of a container, image, volume, network, or pod.
podman pull	Download an image from a registry.
podman cp	Copy files or directories between a container and the local file system.
podman exec	Execute a command in a running container.
podman rm	Remove one or more containers.
podman rmi	Remove one or more locally stored images.
podman search	Search a registry for an image.

Show all containers including those that have exited.

podman ps -a

(-d runs the container detached, in the background)

podman run -d registry/path/image:latest
podman exec -it [container_name] bash             <--- interactive terminal
podman cp /host/dir/file [container_name]:/container_path/file

Storage

$HOME/.local/share/containers/storage
  • selinux context for volume mounts `container_file_t`
  • el9 - podman 4 provides DNS on user-defined networks, so containers on the same network can reach each other by name
podman network create --gateway 10.87.0.1 --subnet 10.87.0.0/17 test_net
podman exec -it client01 dnf install -y iputils iproute
podman exec -it client01 ping -c3 otherhost02
podman container logs [container_name]

Forwarding Ports + Volumes

Port Forwarding

podman run -d --name web -p [container_host_port]:[container/image_port] path/to/image:latest
podman run -d --name web -p 8081:8080 -v [container_host_dir]:[container/mount]:Z  path/to/image:latest
podman run -d --name web -p 8081:8080 -v /home/kiosk/web1:/var/www/html:Z quay.io/image/httpd:latest
environment variables -e KEY=value

volume `:Z` relabels the host directory with the container SELinux context if it doesn't already have it.

set volume permissions for container process uid and gid

podman unshare chown uid:gid /container/host/dir

where uid:gid are from the running user inside the container

podman systemd

podman generate systemd --name [container] --files --new    --> $HOME/.config/systemd/user
systemctl --user daemon-reload
loginctl enable-linger