Difference between revisions of "Centos7-RHEL9"

From neil.tappsville.com
= Relationship with Fedora, Redhat =

Fedora --> Redhat --> CentOS, all run by the Redhat company.

# Fedora - Free - the main project; a community-based, free distro focused on quick releases of new features and functionality.
# Redhat - Paid - the corporate version based on the progress of that project; it has slower releases, comes with support, and isn't free.
# CentOS - Free - essentially the community version of Redhat, so it's pretty much identical, but it is free and support comes from the community as opposed to Redhat itself.

= Development SELinux =

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-selinux_contexts

To make life super easy for the first cut of something:

See the current SELinux settings
 sestatus

Disable SELinux
* CentOS 7 (until the next reboot)
 sudo setenforce 0
* RHEL 9 (adds selinux=0 to the kernel command line, so this persists across reboots until the argument is removed again)
 grubby --update-kernel ALL --args selinux=0

Disable firewall
 service firewalld stop
 systemctl disable firewalld

Disable SELinux (via the config file, takes effect after a reboot)
 /etc/selinux/config
 SELINUX=enforcing  --> permissive
 Reboot

Redhat SVC Alerts
 grep sealert /var/log/messages

== SELinux contexts ==

* Files --> fcontext
* Ports --> port
* Booleans --> boolean

=== fcontext ===

Show context
 $ ls -Z file1
 -rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1

The label reads user:role:type:level

==== SELinux user ====
 semanage login -l

==== level ====
 /etc/selinux/targeted/setrans.conf

Copied files inherit the parent directory's fcontext; moved files retain their original fcontext.

Change context (temporary: lasts until the default labels are reapplied, e.g. by restorecon or a relabel)
 chcon -R -t [type] /dir

Change context (permanent)
 semanage fcontext -a -t [type] '/dir(/.*)?'
 restorecon -FvR /dir          <----------- REMEMBER TO APPLY the new context

List contexts
 semanage fcontext -l | grep [thing]

List local customisations (only the entries added with semanage, not those shipped with the policy)
 semanage fcontext -l -C

==== Booleans ====
 getsebool -a
 setsebool -P httpd_enable_homedirs on    (-P permanent)

= Interfaces =

== el7 ==
 vi /etc/sysconfig/network-scripts/ifcfg-eth0
<pre>
Create a file named /etc/sysconfig/network-scripts/ifcfg-eth0 as follows:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=192.168.2.203
Restart network service: systemctl restart network
</pre>

=== Default Route ===
Temporary
 $ route del default gw <default_gateway_ip>
 $ route add default gw <default_gateway_ip>

Permanent: /etc/sysconfig/network
 GATEWAY=<new_default_gateway_ip>

== el8 onwards ==
The ifcfg format configuration in /etc/sysconfig/network-scripts is deprecated; el8 and el9 should use NetworkManager ini-style keyfiles in /etc/NetworkManager/system-connections.

 nmtui   <- text-mode UI

Profile settings are applied to an interface (an interface can only accept settings from one profile at a time).

Static connection properties are stored in /etc/NetworkManager/system-connections/; dynamic connections (set by DHCP) are not stored persistently.

 nmcli dev status
 nmcli con show
 nmcli con show --active
 nmcli con up static-ens3            (uses the connection name, not the interface name)
 nmcli dev disconnect ens3

Most connections have autoconnect enabled, so `nmcli connection down` is ineffective for stopping traffic: NetworkManager brings the profile straight back up. Disable autoconnect first:
 nmcli con mod "profile name" connection.autoconnect no

Add an interface (creates /etc/NetworkManager/system-connections/[interface].nmconnection)
 nmcli con add con-name eno2 type ethernet ifname eno2
 nmcli con add con-name eno3 type ethernet ifname eno3 ipv4.method manual ipv4.addresses 192.168.0.5/24 ipv4.gateway 192.168.0.254
 nmcli con add con-name eno4 type ethernet ifname eno4 ipv6.addresses 2001:db8:0:1::c000:207/64 ipv6.gateway 2001:db8:0:1::1 ipv6.method manual ipv4.addresses 192.0.2.7/24 ipv4.gateway 192.0.2.1 ipv4.method manual

Modify an existing profile (the change is written to the keyfile; re-activate the profile to apply it)
 nmcli con mod static-ens3 ipv4.addresses 192.0.2.2/24 ipv4.gateway 192.0.2.254 connection.autoconnect yes
 nmcli con mod static-ens3 +ipv4.dns 2.2.2.2
 nmcli con up static-ens3              (re-activate to apply the change)
 nmcli con reload                      (only needed after editing the keyfiles by hand)

Delete a profile
 nmcli con del static-ens3

To change a DHCP connection to static, set ipv4.method manual (instead of auto); likewise for ipv6.method.
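As an added example (not code from the wiki page), the keyfile that the `nmcli con add con-name eno3 ... ipv4.method manual` line above ends up writing, produced directly so it can be reviewed or shipped by configuration management; the target directory argument, the optional dns argument and the 0600 check are assumptions.

```shell
# Added example, not from the wiki: write the NetworkManager keyfile equivalent of
#   nmcli con add con-name eno3 type ethernet ifname eno3 ipv4.method manual \
#        ipv4.addresses 192.168.0.5/24 ipv4.gateway 192.168.0.254
# Assumes the el8/el9 keyfile format. $1 is the target directory (normally
# /etc/NetworkManager/system-connections; the test below uses a temp dir).
write_static_profile() {
    dir=$1 name=$2 ifname=$3 cidr=$4 gw=$5 dns=${6:-}
    # Refuse a malformed address early: NM silently skips a keyfile it cannot
    # parse and the interface then comes up with no IP at all.
    case $cidr in
        *.*.*.*/[0-9]|*.*.*.*/[0-9][0-9]) ;;
        *) echo "bad ipv4 address/prefix: $cidr (want a.b.c.d/len)" >&2; return 1 ;;
    esac
    file="$dir/$name.nmconnection"
    # NM refuses keyfiles that are group/world readable, so create it 0600.
    (
        umask 077
        {
            printf '[connection]\nid=%s\ntype=ethernet\ninterface-name=%s\nautoconnect=true\n\n' "$name" "$ifname"
            printf '[ethernet]\n\n'
            printf '[ipv4]\nmethod=manual\naddress1=%s,%s\n' "$cidr" "$gw"
            if [ -n "$dns" ]; then printf 'dns=%s;\n' "$dns"; fi
            printf '\n[ipv6]\nmethod=auto\n'
        } > "$file"
    )
    echo "$file"
}

# Read one key from one [section] of a keyfile (used to verify what was written).
keyfile_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# On a real host: write_static_profile /etc/NetworkManager/system-connections eno3 eno3 192.168.0.5/24 192.168.0.254
# followed by `nmcli con reload` and `nmcli con up eno3`.
```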
  
 
== VM interfaces ==

VMware interfaces are created in the following order
* ens192
* ens224
* ens256
* ens161

== Static Routes ==

Temporary
 ip route add 172.16.5.0/24 via 10.0.0.101 dev eth0
 ip route delete 192.168.0.0/16 dev ens256 scope link metric 1005

Persistent (el7): <code>/etc/sysconfig/network-scripts/route-eth0</code>
 172.16.5.0/24 via 10.0.0.101 dev eth0

Remember to bounce the interface afterwards
 ifdown eth0
 ifup eth0

=== Blackhole ===
 ip route add blackhole <ip or range>

== Dummy Interface ==
<pre>
$ cat /etc/modules-load.d/dummy.conf
# Load dummy.ko at boot
dummy
$ cat /etc/modprobe.d/dummy.conf
install dummy /sbin/modprobe --ignore-install dummy; /sbin/ip link set name ethdummy1 dev dummy0
$ cat /etc/sysconfig/network-scripts/ifcfg-ethdummy1
NAME=ethdummy1
DEVICE=ethdummy1
MACADDR=00:22:22:ff:ff:ff
IPADDR=10.10.10.1
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
NM_CONTROLLED=no
</pre>

== Process to Port/Sockets ==
<pre>
ps -ef | grep nginx
root     20501     1  0 Mar24 ?        00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf

sudo lsof -nnp 20501
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
nginx   20501 root  cwd    DIR              253,0      224       64 /
nginx   20501 root  rtd    DIR              253,0      224       64 /
nginx   20501 root  txt    REG              253,0  1342640 50764597 /usr/sbin/nginx
nginx   20501 root    8u  IPv4              61372      0t0      TCP 172.29.17.4:http (LISTEN)
</pre>

== Optics Diagnostics ==
Output is similar to a Juniper's
 ethtool -m [interface]

== Tools ==
* mtr - traceroute
* ss -plunt : socket state (p=process, l=listening, u=udp, n=numeric, no name resolution, t=tcp)
* ss -ta : TCP connections

Interface statistics
<pre>
ip -s link show ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:00:0a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    269850     2931     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    300556     3250     0       0       0       0
</pre>

=== ipv6 ===
* ip -6 a
* ip -6 r

== dns ==
Up to 3 suffixes for searching and up to 3 DNS servers; suffixes are searched in order (left to right).
 /etc/resolv.conf
 search lab.example.com example.com
 nameserver 172.35.200.200

== Hostname ==
Static hostname
 /etc/hostname
Set hostname
 hostnamectl hostname blah.example.com
 hostnamectl status
Transient hostnames come from the DHCP allocation.

 
= Screen =

Terminal multiplexer. https://linuxize.com/post/how-to-use-linux-screen/

Start a 'window' with <code>screen</code>, or give the session a name with <code>screen -S 'hello_world'</code>. To exit: <code>exit</code> [enter]. To detach from the session: <code>ctrl + a, d</code>

Show windows/terminals <code>screen -ls</code>  Re-attach <code>screen -r [number or session_name]</code>

Scrollback: start with <code>-h [numlines]</code>; to access it use copy mode: <code>ctrl-A, Escape</code>, then up/down, <code>Escape</code> to return.

 
= Locale Problems =

This is an issue with Mobaxterm/WSL/Ubuntu, which set the locale to C.UTF-8, not with CentOS, but here is a workaround: add the following to your .bashrc file (seriously, there is something wrong with Mobaxterm and this was the only fix (read: crude workaround)).
<pre>
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8
</pre>

It appears Mobaxterm is built from Cygwin sources, which default to C.UTF-8 (which is an extended character set of en_US.UTF-8); however some CentOS boxes do not know about the C variant and so complain.

Normal fix (which Mobaxterm seems to ignore, setting C.UTF-8 anyway)
 sudo locale-gen en_US.UTF-8
 sudo update-locale LANG=en_US.UTF-8

= Packages / rpms =

List installed: <code>yum list installed</code>

Remember to stop the service first :)
<pre>systemctl stop httpd</pre>

== Add a specific package version ==

Show what versions are available
<pre>
yum list httpd --showduplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.xnet.co.nz
 * centos-sclo-rh: mirror.xnet.co.nz
 * centos-sclo-sclo: mirror.xnet.co.nz
 * epel: mirror.xnet.co.nz
 * extras: mirror.xnet.co.nz
 * remi-php73: mirrors.mediatemple.net
 * remi-safe: mirrors.mediatemple.net
 * updates: mirror.xnet.co.nz
Available Packages
httpd.x86_64          2.4.6-90.el7.centos          base
httpd.x86_64          2.4.41-4.codeit.el7
</pre>

To install a particular one
<pre>
sudo yum install httpd-2.4.6-90.el7.centos
</pre>

Use yum to download an rpm without installing it
 yum install --downloadonly --downloaddir=<directory> <package>

Extract the contents of an rpm
 rpm2cpio ./rrdtool-1.7.2-14.el7.src.rpm | cpio -idmv

== Downgrade package ==
 yum downgrade vsftpd-2.0.5-12.el5

== Creating rpms / packages ==

https://rpm-packaging-guide.github.io/

Note that `Source0` can be a compressed archive, which is uncompressed once it is fetched.

=== EPEL Packages ===

Example, source: https://github.com/phaag/nfdump

EPEL EL9 build: https://koji.fedoraproject.org/koji/buildinfo?buildID=2105011

Get the source rpm and extract it
 rpm2cpio nfdump-1.7.1-1.el9.src.rpm | cpio -idmv

== Signing local packages ==

Re-sign packages that carry SHA-1 GPG signatures (the el9 default crypto policy rejects them)
<pre>
gpg --gen-key
gpg -a --export KEYID > /root/CUSTOMER-GPG-KEY

# ~/.rpmmacros
%_signature gpg
%_gpg_name KEYID

rpm --resign rpmname.rpm
</pre>
Then share the GPG key and the re-signed RPM in a new repository; clients import the key with <code>rpm --import /path/to/CUSTOMER-GPG-KEY</code> (or the repo's gpgkey= line points at it) so that gpgcheck can stay enabled.

= Logging =

To see the logs (the ones that also go to /var/log/messages) for a particular service
<pre>sudo journalctl -u openli-provisioner.service</pre>

To follow a service's logs live
<pre>sudo journalctl --follow -u openli-provisioner.service</pre>

= Firewall =

History
* ipchains
* iptables
* nftables (built on the netfilter framework) - applies to both ipv4 and ipv6
** firewalld (front end to the above)

The source address defines the zone; if nothing matches, the interface defines the zone; otherwise the default zone is used.

Runtime (non-persistent) configuration
<pre>
firewall-cmd --get-default-zone
firewall-cmd --list-all
</pre>

Installed with the package (the defaults; a copy under /etc/firewalld overrides them)
 /usr/lib/firewalld/zones/public.xml
 /usr/lib/firewalld/services/RH-Satellite-6.xml

Persistent
 firewall-cmd --zone=public --add-port=3000/tcp --permanent
 firewall-cmd --reload
or save the current runtime configuration as the permanent one
 firewall-cmd --runtime-to-permanent
The persistent zone configuration ends up in
 /etc/firewalld/zones/public.xml

el9: iptables --> nftables
 sudo systemctl status nftables

= Systemd =

Systemd daemon (pid 1). Unit types:
* Path (watches files)
** systemctl list-units -t path
* Mount (controls mounts)
* Timer (scheduling)
* Slice (resource management)
* Socket (listens on a port)
* Target (groups units)
* Service (daemons)
** systemctl list-units --type=service

Don't edit the unit files in
<pre>/usr/lib/systemd/system/[service].service</pre>
Instead use drop-in files (they are shown when <code>systemctl status [service]</code> is run)
<pre>/etc/systemd/system/[service].service.d/99-custom.conf</pre>

== systemd Dependencies ==

 systemctl list-dependencies graphical.target | grep target

= systemctl =

List all enabled services
 sudo systemctl list-unit-files | grep enabled

After a unit file or fstab is changed, systemd needs to be reloaded to register the new configuration
 sudo systemctl daemon-reload

= SELinux Policies =

Look at the audit log for deny messages
 sudo ausearch -c 'process/context' --raw

Readable explanation of the denials
 grep context_t /var/log/audit/audit.log | audit2allow -w

Generate rules (check that every denial really is a policy gap before allowing it; audit2allow will happily permit whatever the process was caught doing)
 grep context_t /var/log/audit/audit.log | audit2allow -M somepolicy

Refer to the following for possible permissions
 cat /usr/share/selinux/devel/include/support/obj_perm_sets.spt

Modify the .te file, then place it in a folder and run, in the same folder:
 make -f /usr/share/selinux/devel/Makefile

Import the policy
 sudo semodule -i somepolicy.pp

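An added example (not code from the wiki) that ties the user:role:type:level layout from the fcontext section to the audit2allow step above: it reduces raw AVC lines to source type, target type, class and permissions, and flags denials against targets that should never simply be allowed. The sample lines and the watch list are constructed assumptions.

```shell
# Added example, not from the wiki: triage AVC denials from audit.log before
# feeding them to audit2allow. Each denial is reduced to
#   <source type> <target type> <class> <permissions> <enforcing|permissive>
# by splitting scontext/tcontext on ':' into user:role:type:level and keeping
# the type (field 3), which is what an allow rule is written in terms of.
avc_summarize() {
    awk '
    /^type=AVC / && / denied / {
        src = tgt = cls = mode = ""
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms); gsub(/ /, ",", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")   src  = kv[2]
            if (kv[1] == "tcontext")   tgt  = kv[2]
            if (kv[1] == "tclass")     cls  = kv[2]
            if (kv[1] == "permissive") mode = (kv[2] == "1") ? "permissive" : "enforcing"
        }
        split(src, s, ":"); split(tgt, t, ":")
        printf "%s %s %s %s %s\n", s[3], t[3], cls, perms, mode
    }'
}

# Target types a daemon should never just be granted: a denial here is a reason
# to look at the process, not a policy gap. Assumed watch list; extend as needed.
SENSITIVE_TARGET_TYPES="shadow_t security_t"
avc_flag_sensitive() {
    avc_summarize | awk -v list="$SENSITIVE_TARGET_TYPES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
        ($2 in watch) { print "DO-NOT-ALLOW: " $0 }'
}

# Constructed sample, not a real log: two denials from the same daemon plus an
# unrelated SYSCALL record that must be ignored.
AVC_SAMPLE='type=AVC msg=audit(1695600000.101:201): avc:  denied  { write } for  pid=2101 comm="mydaemon" name="mydaemon.log" dev="dm-0" ino=4321 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1695600000.102:202): avc:  denied  { read open } for  pid=2101 comm="mydaemon" path="/etc/shadow" dev="dm-0" ino=99 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1695600000.102:202): arch=c000003e syscall=257 success=no exit=-13'

# Real use: sudo ausearch -m AVC --raw | avc_summarize | sort | uniq -c
```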
== Temporary ==

1. Set SELinux mode to permissive temporarily (without reboot). The setenforce command switches between enforcing and permissive mode. To change to permissive mode:
  setenforce 0

== Permanent ==

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux

=== Create a Module ===

File types in the module
<pre>
sepolicy generate --init /usr/local/bin/mydaemon
Created the following files:
/home/example.user/mysepol/mydaemon.te # Type Enforcement file
/home/example.user/mysepol/mydaemon.if # Interface file
/home/example.user/mysepol/mydaemon.fc # File Contexts file
/home/example.user/mysepol/mydaemon_selinux.spec # Spec file
/home/example.user/mysepol/mydaemon.sh # Setup Script
</pre>

Detailed process
https://blog.pythian.com/selinux-and-mysql-log-rotation-issue/

== Port Labelling ==

 semanage port -l
 semanage port -m -t ssh_port_t -p tcp 23

Local modifications
 semanage port -l -C

= Networking =

<pre>
USE THIS IPROUTE COMMAND      INSTEAD OF THIS NET-TOOLS COMMAND
ip addr                       ifconfig -a
ss                            netstat
ip route                      route
ip maddr                      netstat -g
ip link set eth0 up           ifconfig eth0 up
ip -s neigh                   arp -v
ip link set eth0 mtu 9000     ifconfig eth0 mtu 9000
</pre>

= ntp =

ntpd on el6, chrony on el7, 8 and 9

 sudo sntp -sS ntp_server
 sudo sntp -sS 130.217.74.61

Can use InternetNZ (part of the public pool): 202.46.177.18

Stratum
* 0 = reference clock
* 1 = directly attached to a reference clock
* 2 = a server that synchronises its time from a (stratum 1) ntp server

== Find/set timezones ==
 timedatectl list-timezones | grep -i auckland
 timedatectl set-timezone Pacific/Auckland
Check with
 timedatectl
Disable ntp
 timedatectl set-ntp false

The chronyd service tracks the RTC's offset/drift against the ntp servers
 chronyc sources -v

= RHEL 9 =

* Satellite Server - repo mirror for RHEL packages

== DNF ==

DNF (Dandified YUM) replaced YUM as the package manager in Red Hat Enterprise Linux 9.

yum was based on Python 2; dnf uses Python 3. DNF resolves software dependencies.

 dnf search all 'web server'
 dnf info httpd
 dnf provides /var/www/html
 dnf history
 dnf group install GROUPNAME
 dnf localinstall [path].rpm

=== dnf repos ===

Add repos by adding a file under /etc/yum.repos.d/[blah].repo
<pre>
cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1

[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
</pre>

 dnf repolist all
 dnf config-manager --enable 'reponame'

== Creating a local repo ==

Download rpms (and their dependencies)
 dnf download --resolve [package]

 dnf install createrepo
 createrepo .
This creates a repodata folder (in the current directory) with the repo metadata.

<pre>
[customrepo]
name=long name of customrepo
baseurl=https://localpath/custom_repo/
enabled=true
gpgcheck=false
</pre>
With gpgcheck=false dnf installs whatever the repo serves, unsigned; sign the local rpms (see Signing local packages) and use gpgcheck=1 plus a gpgkey= line instead.

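An added check (not code from the wiki) that scans a .repo file for sections that would let dnf install unsigned packages; the sample file is constructed from the two repo examples on this page, and the treatment of a missing gpgcheck line as "not set explicitly" is a deliberate, conservative choice.

```shell
# Added example, not from the wiki: report every enabled repo section that does
# not verify package signatures. Usage: repo_gpgcheck_audit /etc/yum.repos.d/foo.repo
repo_gpgcheck_audit() {
    awk '
    function report() {
        if (sec == "" || enabled == "0" || enabled == "false") return
        if (gpgcheck == "") { print sec ": gpgcheck not set explicitly" }
        else if (gpgcheck != "1" && gpgcheck != "true") { print sec ": gpgcheck disabled" }
        else if (gpgkey == "") { print sec ": gpgcheck on but no gpgkey" }
    }
    # A new [section] header: evaluate the previous section, reset state.
    /^\[/ { report(); sec = substr($0, 2, length($0) - 2); enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == "enabled")  enabled  = v
        if (k == "gpgcheck") gpgcheck = v
        if (k == "gpgkey")   gpgkey   = v
    }
    END { report() }' "$1"
}

# Constructed sample built from the repo stanzas on this page: one stanza with no
# gpgcheck line, one properly signed, one with gpgcheck switched off.
write_sample_repo() {
    cat > "$1" <<'EOF'
[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1

[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9

[customrepo]
name=long name of customrepo
baseurl=https://localpath/custom_repo/
enabled=true
gpgcheck=false
EOF
}

# On a real host: for f in /etc/yum.repos.d/*.repo; do repo_gpgcheck_audit "$f"; done
```

For a flagged local repo the fix is the key exported in the Signing local packages section: install it under /etc/pki/rpm-gpg/, point gpgkey=file:///etc/pki/rpm-gpg/CUSTOMER-GPG-KEY at it and set gpgcheck=1.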
== Reset root password ==

Reboot the system and interrupt the boot loader.

Move the cursor to the kernel entry with "rescue" in its name and press 'e' to edit.

Append 'rd.break' to the line starting with 'linux', then ctrl-x.

 mount -o remount,rw /sysroot
 chroot /sysroot
 passwd root
 touch /.autorelabel
 exit            (leaves the chroot jail; exit again to leave the initramfs debug shell)
(n.b. the /.autorelabel file causes all files to be relabelled on the next boot; the alternative is to do the following before exiting the chroot)
 load_policy -i
 restorecon -FvR /etc/shadow

Anyone with console access to the boot loader can do the same, which is why a boot-loader password and disk encryption matter on hosts that others can reach physically or through a virtual console.

== Check if a package has been patched for a CVE ==
 rpm -q --changelog [package] | grep CVE

= Disk management =

Physical Volume (disk / block device) --> Volume Group --> Logical Volume --> Filesystem

Add Physical Volumes to a Volume Group. Divide the Volume Group into Logical Volumes. Add a filesystem to the Logical Volume.

You can keep adding Physical Volumes (disks) to the Volume Group to grow it (and in turn grow the Logical Volumes).

* Physical Volume commands start with `pv`
** pvs - Physical Volume show
** pvdisplay /dev/vdb1
* Volume Group commands start with `vg`
** vgs - Volume Group show
** vgdisplay vg01
* Logical Volume commands start with `lv`
** lvs - Logical Volume show

== Build LVM Storage ==

Optional partitioning
<pre>
parted /dev/vdb mklabel gpt mkpart primary 1MiB 769MiB
parted /dev/vdb mkpart primary 770MiB 1026MiB
parted /dev/vdb set 1 lvm on
parted /dev/vdb set 2 lvm on
udevadm settle
</pre>

Create Physical Volumes
 pvcreate /dev/vdb1 /dev/vdb2

Create a Volume Group
 vgcreate vg01 /dev/vdb1 /dev/vdb2

Create a Logical Volume
 lvcreate -n lv01 -L 300M vg01

== Extend LVM Storage ==

Prepare / add new physical volumes to a Volume Group
<pre>
parted /dev/vdb mkpart primary 1072MiB 1648MiB
parted /dev/vdb set 3 lvm on
udevadm settle
pvcreate /dev/vdb3
</pre>

Extend the Volume Group
 vgextend vg01 /dev/vdb3

Extend the Logical Volume
 lvextend -L +500M /dev/vg01/lv01

Extend the XFS filesystem (note: XFS cannot be shrunk!)
 xfs_growfs /mnt/data

Extend the ext4 filesystem to the LV size
 resize2fs /dev/vg01/lv01

= Containers =

* Container images
** buildah
** podman
** registries
*** registry.redhat.io - images/products maintained by Redhat
*** registry.community.redhat.com - 3rd party
*** quay.io - community contributed

* Management tools
** podman - manages containers and container images
** skopeo - inspects, copies, deletes and signs images
** buildah - creates container images
** kubernetes (openshift)

* Container runtimes
** runc
** cri-o
** docker

Container tools
 sudo dnf install container-tools

Redhat Container Catalog https://access.redhat.com/containers

Redhat UBI (Universal Base Image) - minimised container image to deploy as the first layer
 podman login --username [username] --password-stdin registry.access.redhat.com

Container registries
 /etc/containers/registries.conf
 $HOME/.config/containers/registries.conf
 podman pull registry.access.redhat.com/ubi8/ubi:latest

Container files (the Dockerfile equivalent) are the instructions for building an image.

Containerfile
<pre>
FROM registry.access.redhat.com/ubi8/ubi:latest
RUN dnf install -y python3
CMD ["/bin/bash", "-c", "echo hello"]
</pre>

View information about an image (without pulling it)
 skopeo inspect docker://registry.path/image

<pre>
podman build     Build a container image with a container file.
podman run       Run a command in a new container.
podman images    List images in local storage.
podman ps        Print information about containers.
podman inspect   Display configuration of a container, image, volume, network, or pod.
podman pull      Download an image from a registry.
podman cp        Copy files or directories between a container and the local file system.
podman exec      Execute a command in a running container.
podman rm        Remove one or more containers.
podman rmi       Remove one or more locally stored images.
podman search    Search a registry for an image.
</pre>

Show all containers including those that have exited
 podman ps -a

(-d detached)
 podman run -d registry/path/image:latest
 podman exec -it [container name] bash            <--- interactive terminal

 podman cp /host/dir/file [container_name]:/container_path/file

Storage
 $HOME/.local/share/containers/storage

* SELinux context for volume mounts: `container_file_t`

* el9 - podman 4 has DNS lookup for container IPs, so containers on the same network can reach each other by name
 podman network create --gateway 10.87.0.1 --subnet 10.87.0.0/17 test_net
 podman exec -it client01 dnf install -y iputils iproute
 podman exec -it client01 ping -c3 otherhost02

 podman container logs [container_name]

== Forwarding Ports + Volumes ==

Port forwarding
 podman run -d --name web -p [host_port]:[container_port] path/to/image:latest
 podman run -d --name web -p 8081:8080 -v [host_dir]:[container_mount]:Z  path/to/image:latest
 podman run -d --name web -p 8081:8080 -v /home/kiosk/web1:/var/www/html:Z quay.io/image/httpd:latest

Environment variables: -e KEY=value

Volume `:Z` applies the SELinux context if it isn't already there (:Z labels the directory for this container only; :z labels it shared between containers).

Set volume permissions for the container process uid and gid
 podman unshare chown uid:gid /container/host/dir
where uid:gid are those of the user running inside the container (as seen inside the podman unshare user namespace, not on the host).

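As an added example (not code from the wiki), the arithmetic behind the `podman unshare chown uid:gid` line above: which host uid a container uid lands on in a rootless setup, so that the owner shown by `ls -ln` on the host directory can be checked. The subuid line, the user's uid and the default rootless mapping are assumptions stated in the comments.

```shell
# Added example, not from the wiki: which host uid/gid ends up owning a volume
# after `podman unshare chown UID:GID dir` in a rootless setup. Assumes the
# default rootless mapping: container id 0 -> the user's own id, container id
# N (1..count) -> start + N - 1 from the user's first /etc/subuid (/etc/subgid)
# range. Inputs are a "user:start:count" line (constructed here; normally
# grep "^$USER:" /etc/subuid), the user's own id, and the id to convert.
host_id_for() {
    range=$1 own=$2 cid=$3
    start=${range#*:}; count=${start#*:}; start=${start%%:*}
    if [ "$cid" -eq 0 ]; then echo "$own"; return 0; fi
    if [ "$cid" -lt 0 ] || [ "$cid" -gt "$count" ]; then
        echo "container id $cid is outside the $count-id range starting at $start" >&2; return 1
    fi
    echo $((start + cid - 1))
}

# The reverse: given a host id seen in `ls -ln`, which container id does it belong to?
container_id_for() {
    range=$1 own=$2 hid=$3
    start=${range#*:}; count=${start#*:}; start=${start%%:*}
    if [ "$hid" -eq "$own" ]; then echo 0; return 0; fi
    if [ "$hid" -lt "$start" ] || [ "$hid" -ge $((start + count)) ]; then
        echo "host id $hid is not in this user's sub-id range" >&2; return 1
    fi
    echo $((hid - start + 1))
}

# Constructed sample: user kiosk (uid 1000) with the usual 65536-id range.
SUBUID_SAMPLE="kiosk:100000:65536"
# e.g. apache inside the container runs as uid 48, so after
# `podman unshare chown 48:48 /home/kiosk/web1` the host shows owner 100047.
```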
== podman systemd ==

 podman generate systemd --name [container] --files --new    --> $HOME/.config/systemd/user
 systemctl --user daemon-reload
 loginctl enable-linger

Latest revision as of 22:13, 24 September 2023

Relationship with Fedora, Redhat

Fedora --> Redhat --> Centos, all run by the Redhat company.

  1. Fedora - Free - the main project, and it’s a communitity-based, free distro focused on quick releases of new features and functionality.
  2. Redhat - Paid - the corporate version based on the progress of that project, and it has slower releases, comes with support, and isn’t free.
  3. CentOS - Free - essentially the community version of Redhat. So it’s pretty much identical, but it is free and support comes from the community as opposed to Redhat itself.

Development SELinux

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-selinux_contexts

To make life super easy for the first cut of something

see selinux current settings

sestatus

Disable selinux (till next reboot)

  • centos 7
sudo setenforce 0
  • RHEL 9
grubby --update-kernel ALL --args selinux=0

Disable firewall

service firewalld stop
systemctl disable firewalld

Disable SELinux

 /etc/selinux/config
 SELINUX=enforcing  --> permissive
 Reboot

Redhat SVC Alerts

grep sealert /var/log/messages


Selinux contexts

  • Files --> fcontext
  • Ports --> port
  • boolean --> boolean

fcontext

show context

$ ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1

user:role:type:level

SELinux user

semanage login -l

level

/etc/selinux/targeted/setrans.conf

copied files, inherit the parent directory fcontext, moved files retain their initial fcontext.


change context (temporary as in will last till default labels are reset

chcon -R -t [fcontext] /dir.

change context (permanant)

semanage fcontext -a -t [context] /dir'(/.*)?'

restorecon -FvR /dir           <----------- REMEMBER TO APPLY the new context

List contexts

semanage fcontext -l | grep [thing]

List temporary customisations (not written to selinux db)

semanage fcontext -l -C

Booleans

getsebool -a
setsebool -P httpd_enable_homedirs on.    (-P permanant)

Interfaces

el7

 vi /etc/sysconfig/network-scripts/ifcfg-eth0
Create a file named /etc/sysconfig/network-scripts/ifcfg-eth0 as follows:
DEVICE=eth0.
BOOTPROTO=none.
ONBOOT=yes.
PREFIX=24.
IPADDR=192.168.2.203.
Restart network service: systemctl restart network


Default Route

Temporary

$ route del default gw <default_gateway_ip>
$ route add default gw <default_gateway_ip>

Permanent /etc/sysconfig/network GATEWAY=<new_default_gateway_ip>

> el8

ifcfg format configuration in /etc/sysconfig/network-scripts is deprecated,

el8,el9 should use network manager ini style files in /etc/NetworkManager/system-connections

nmtui <- gui interface

Profile settings are applied to an interface (interfaces can only accept settings from one profile)

Static connection properties are stored in /etc/NetworkManager/system-connections/, Dynamic connections (set by dhcp) are not stored persistently.

nmcli dev state
nmcli con show
nmcli con show --active
nmcli con up static-ens3 (uses connection name, not interface name)
nmcli dev disconnect ens3

Most connections have autoconnect enabled, `nmcli connection down` is ineffective for stopping traffic.

nmcli con mod "profile name" connection.autoconnect no

Add interface (/etc/NetworkManager/system-connections/[interface].nmconnection

nmcli con add con-name eno2 type ethernet ifname eno2
nmcli con add con-name eno3 type ethernet ifname eno3 ipv4.method manual ipv4.addresses 192.168.0.5/24 ipv4.gateway 192.168.0.254
nmcli con add con-name eno4 type ethernet ifname eno4 ipv6.addresses 2001:db8:0:1::c000:207/64 ipv6.gateway 2001:db8:0:1::1 ipv6.method manual ipv4.addresses 192.0.2.7/24 ipv4.gateway 192.0.2.1 ipv4.method manual

Modify existing.

nmcli con mod static-ens3 ipv4.addresses 192.0.2.2/24 ipv4.gateway 192.0.2.254 connection.autoconnect yes
nmcli con mod static-ens3 +ipv4.dns 2.2.2.2
nmcli con reload "profile name"
nmcli con del static-ens3

To change DHCP to be static. set ipv4.method=manual (vs auto or dhcp), same for ipv6.method.

VM interfaces

VMWare interfaces are created in the following order

  • ens192
  • ens224
  • ens256
  • ens161


Static Routes

Temporary ip route add 172.16.5.0/24 via 10.0.0.101 dev eth0 ip route delete 192.168.0.0/16 dev ens256 scope link metric 1005

/etc/sysconfig/network-scripts/route-eth0

 172.16.5.0/24 via 10.0.0.101 dev eth0

Remember to bounce the interface after

ifdown eth0
ifup eth0

Blackhole

ip route add blackhole <ip or range>

Dummy Interface

$ cat /etc/modules-load.d/dummy.conf
# Load dummy.ko at boot
dummy
$ cat /etc/modprobe.d/dummy.conf 
install dummy /sbin/modprobe --ignore-install dummy; /sbin/ip link set name ethdummy1 dev dummy0
$ cat /etc/sysconfig/network-scripts/ifcfg-ethdummy1
NAME=ethdummy1
DEVICE=ethdummy1
MACADDR=00:22:22:ff:ff:ff
IPADDR=10.10.10.1
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
NM_CONTROLLED=no

Process to Port/Sockets

 ps -ef | grep nginx
root     20501     1  0 Mar24 ?        00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf

sudo lsof -nnp 20501
OMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
nginx   20501 root  cwd    DIR              253,0      224       64 /
nginx   20501 root  rtd    DIR              253,0      224       64 /
nginx   20501 root  txt    REG              253,0  1342640 50764597 /usr/sbin/nginx
nginx   20501 root    8u  IPv4              61372      0t0      TCP 172.29.17.4:http (LISTEN)

Optics Diagnostics

Output is similar to a Juniper

ethtool -m [interface]

Tools

  • mtr - traceroute
  • ss -plunt : socket state (p=process, l=listening, u=udp, n=names to numbers, t=tcp)
  • ss -ta : connections


interface statistics

 ip -s link show ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:00:00:0a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    269850     2931     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    300556     3250     0       0       0       0

ipv6

  • ip -6 a
  • ip -6 r

dns

upto 3 sufixes for searching and upto 3 dns servers sufixes are searched in order (left to right) /etc/resolv.conf

search lab.example.com example.com
nameserver 172.35.200.200

Hostname

Static Hostname

/etc/hostname

Set Hostname

hostnamectl hostname blah.example.com
hostnamectl status

Transient Hostnames come from dhcp allocation

Screen

Terminal multiplexer. https://linuxize.com/post/how-to-use-linux-screen/

Start a 'window' screen or to give the session a name screen -S 'hello_world' To exit exit [enter] To detach from the session ctrl + a , d)

Show windows/terminals screen -ls Re-attach screen -r [number or sesssion_name]

Scrollback start with -h [numlines] to access - use copy mode ctrl-A, Esacpe , [then up/down], Escape to return.

Locale Problems

This is an issue with Mobaxterm/WSL/Ubuntu not centos which sets the locale as C.UTF-8, but here is a work around - add the following to your .bashrc file (seriously, there is something wrong with mobaxterm and this was the only fix (read: crude workaround)

export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8

Appears mobaxterm is built from cygwin sources which defaults to C.UTF-8 (which is an extended char set of en_US.UTF-8) - however some centos boxes do not know about the C variant so complain.

Normal fix (that Mobaxterm seems to ignore and set to C.UTF.8)

sudo locale-gen en_US.UTF-8
sudo update-locale LANG=en_US.UTF-8

Packages / rpms

list installed yum list installed

Remember to stop the service first :)

 systemctl stop httpd

Add a specific package version

Show what versions are available

 yum list httpd --showduplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.xnet.co.nz
 * centos-sclo-rh: mirror.xnet.co.nz
 * centos-sclo-sclo: mirror.xnet.co.nz
 * epel: mirror.xnet.co.nz
 * extras: mirror.xnet.co.nz
 * remi-php73: mirrors.mediatemple.net
 * remi-safe: mirrors.mediatemple.net
 * updates: mirror.xnet.co.nz
Available Packages
httpd.x86_64                                                                              2.4.6-90.el7.centos                                                                               base
httpd.x86_64                                                                              2.4.41-4.codeit.el7          

To install a particular one

sudo yum install httpd-2.4.6-90.el7.centos

Use yum to download an rpm and not install it

yum install --downloadonly --downloaddir=<directory> <package>

Extract contents of an rpm

rpm2cpio ./rrdtool-1.7.2-14.el7.src.rpm | cpio -idmv

Downgrade package

yum downgrade vsftpd-2.0.5-12.el5


Creating rpms / packages

https://rpm-packaging-guide.github.io/

Noting that `Source0` can be a compressed archive that will be uncompressed once it is fetched.


EPEL Packages

Example, source: https://github.com/phaag/nfdump

EPEL EL9 Build https://koji.fedoraproject.org/koji/buildinfo?buildID=2105011

Get source rpm and extract

rpm2cpio nfdump-1.7.1-1.el9.src.rpm | cpio -idmv


Signing local packages

Resign packages that have sha1 gpg keys

gpg --gen-key
gpg -a --export KEYID > /root/CUSTOMER-GPG-KEY
~/.rpmmacros
%_signature gpg
%_gpg_name KEYID
rpm --resign rpmname.rpm

And share GPG-KEY and resigned RPM in new repository

Logging

To logs going to /var/log/messages for a particular service

sudo journalctl -u openli-provisioner.service

To watch a services logs

sudo journalctl --follow -u openli-provisioner.service

Firewall

History

  • ipchains
  • iptables
  • nftables (based upon netfilter framework) - applies to both ipv4 and ipv6
    • firewalld

The source address determines the zone; if no source matches, the interface determines the zone; otherwise the default zone is used

Non-persistent (runtime) state

firewall-cmd --get-default-zone
firewall-cmd --list-all

Zone and service definitions installed with the package (do not edit these)

/usr/lib/firewalld/zones/public.xml
/usr/lib/firewalld/services/RH-Satellite-6.xml

Persistent

firewall-cmd --zone=public --add-port=3000/tcp --permanent
firewall-cmd --reload
firewall-cmd --runtime-to-permanent

/etc/firewalld/zones/public.xml


el9 iptables --> nftables

sudo systemctl status nftables

Systemd

The systemd daemon is pid 1. Unit types:

  • Path (watches files)
    • systemctl list-units -t path
  • Mount (controls mounts)
  • Timer (scheduling)
  • Slice (resource management)
  • Socket (listens on port)
  • Target (groups units)
  • Service (Daemons)
    • systemctl list-units --type=service

Don't edit the unit files in

/usr/lib/systemd/system/[service].service

Instead use drop-in files (they are listed when systemctl status [service] is run):

/etc/systemd/system/[service].service.d/99-custom.conf

systemd Dependencies

systemctl list-dependencies graphical.target | grep target

systemctl

List all enabled services

sudo systemctl list-unit-files | grep enabled

After a unit file or /etc/fstab is changed, systemd needs to be reloaded so it registers the new configuration

sudo systemctl daemon-reload

Selinux Policies

Look at audit log for deny messages

sudo ausearch -c 'process/context' --raw

Readable rules

grep context_t /var/log/audit/audit.log | audit2allow -w

Generate rules

grep context_t /var/log/audit/audit.log | audit2allow -M somepolicy

Refer to the following for possible permissions

cat /usr/share/selinux/devel/include/support/obj_perm_sets.spt

Modify the te file, then place it in a folder and run in the same folder:

make -f /usr/share/selinux/devel/Makefile

Import the policy

sudo semodule -i somepolicy.pp

Temporary

1. Set SELinux to permissive mode temporarily (without a reboot). The setenforce command switches between enforcing and permissive mode; to change to permissive mode:

 setenforce 0

Permanent

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux

Create a module

Files generated for the module

sepolicy generate --init /usr/local/bin/mydaemon
Created the following files:
/home/example.user/mysepol/mydaemon.te # Type Enforcement file
/home/example.user/mysepol/mydaemon.if # Interface file
/home/example.user/mysepol/mydaemon.fc # File Contexts file
/home/example.user/mysepol/mydaemon_selinux.spec # Spec file
/home/example.user/mysepol/mydaemon.sh # Setup Script

Detailed process https://blog.pythian.com/selinux-and-mysql-log-rotation-issue/

Port Labelling

semanage port -l
semanage port -m -t ssh_port_t -p tcp 23

Local Modifications

semanage port -l -C

Networking

USE THIS IPROUTE COMMAND       INSTEAD OF THIS NET-TOOLS COMMAND
ip addr                        ifconfig -a
ss                             netstat
ip route                       route
ip maddr                       netstat -g
ip link set eth0 up            ifconfig eth0 up
ip -s neigh                    arp -v
ip link set eth0 mtu 9000      ifconfig eth0 mtu 9000

ntp

ntpd on el6; chrony on el7, el8 and el9

sudo sntp -sS ntp_server
sudo sntp -sS 130.217.74.61

InternetNZ (part of the public pool) can be used: 202.46.177.18

Stratum

  • 0 = Reference Clock
  • 1 = Directly attached to Reference Clock
  • 2 = a server that synchronizes its time from an NTP server

Find/set timezones

timedatectl list-timezones | grep -i auckland
timedatectl set-timezone Pacific/Auckland

check with

timedatectl

Disable ntp

timedatectl set-ntp false

The chronyd service tracks the offset/drift of the system clock (and RTC) against the NTP servers

chronyc sources -v

RHEL 9

  • Satellite Server - repo mirror for RHEL Packages

DNF

DNF (Dandified YUM) replaced YUM as the package manager in Red Hat Enterprise Linux 9.

yum was based on Python 2; dnf uses Python 3. DNF resolves software dependencies.


dnf search all 'web server'
dnf info httpd
dnf provides /var/www/html
dnf history
dnf group install GROUPNAME
dnf localinstall [path].rpm

dnf repos

Add repos by adding a file under /etc/yum.repos.d/[blah].repo

cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1

[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9

dnf repolist all
dnf config-manager --enable 'reponame'

Creating a local repo

Download RPMs (and their dependencies)

dnf download --resolve [package]
dnf install createrepo
createrepo

This creates a repodata folder with the repo data.

[customrepo]
name=long name of customrepo
baseurl=https://localpath/custom_repo/
enabled=true
gpgcheck=false
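The local repo above turns signature checking off (gpgcheck=false), which means dnf will install anything served from that baseurl unverified. The following audit helper is an added example (not from the wiki) that lists every stanza in a .repo file whose gpgcheck is disabled or missing; the sample .repo file it reads is constructed inline from the stanzas on this page plus one made-up stanza (mirror-unset).

```shell
#!/bin/sh
# Added audit helper (not from the wiki): list the repo stanzas in a .repo
# file whose gpgcheck is disabled or unset. dnf accepts 1/0, true/false,
# yes/no, on/off; an unset gpgcheck inherits [main] in /etc/dnf/dnf.conf,
# so it is reported separately rather than assumed safe.
audit_repo_gpgcheck() {
    awk '
        function flush() {
            if (id == "") return
            if (gc == "") printf "%s unset\n", id
            else if (gc ~ /^(0|false|no|off)$/) printf "%s disabled\n", id
        }
        # [repoid] header: report the previous stanza, start a new one
        /^[[:space:]]*\[/ {
            flush(); id = $0; gc = ""
            sub(/^[[:space:]]*\[/, "", id); sub(/].*$/, "", id)
            next
        }
        # gpgcheck=VALUE in the current stanza, normalised to lower case
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            gc = tolower($0)
            sub(/^[^=]*=[[:space:]]*/, "", gc); sub(/[[:space:]]+$/, "", gc)
        }
        END { flush() }
    ' "$1"
}

# Constructed sample .repo file: the EPEL stanza from the notes, the local
# repo with gpgcheck=false, and a made-up stanza with no gpgcheck line.
SAMPLE_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
[customrepo]
name=long name of customrepo
baseurl=https://localpath/custom_repo/
enabled=true
gpgcheck=false
[mirror-unset]
baseurl=https://localpath/mirror/
enabled=1
EOF

audit_repo_gpgcheck "$SAMPLE_REPO"
```

Run it against /etc/yum.repos.d/*.repo to find stanzas that should get gpgcheck=1 and a gpgkey= pointing at the key exported in the signing section above.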


Reset root password

Reboot system, Interrupt the boot-loader

Move the cursor to the kernel entry with rescue in its name, press 'e' to edit

append 'rd.break' to the line starting with 'linux' - ctrl-x

mount -o remount,rw /sysroot
chroot /sysroot
passwd root
touch /.autorelabel

Type exit to leave the chroot, then exit again to leave the initramfs debug shell (n.b. the /.autorelabel file causes all files to be relabelled on the next boot; the alternative is to run the following before exiting the chroot)

load_policy -i
restorecon -FvR /etc/shadow

Check if a package has been patched for a CVE

rpm -q --changelog [package] | grep CVE

Disk management

Physical Volume (disk / block dev) --> Volume Group --> Logical Volume --> Filesystem

Add Physical Volumes to a Volume Group. Divide the Volume Group into Logical Volumes. Add a filesystem to each Logical Volume.

Can keep adding Physical Volumes (disks) to the volume group to grow it (and in-turn grow the logical volume).

  • Physical Volume commands start with `pv`
    • pvs - Physical Volume Show
    • pvdisplay /dev/vdb1
  • Volume Group commands start with `vg`
    • vgs - Volume Group Show
    • vgdisplay vg01
  • Logical Volume commands start with `lv`
    • lvs - Logical Volume Show

Build LVM Storage

Optional Partitioning

parted /dev/vdb mklabel gpt mkpart primary 1MiB 769MiB
parted /dev/vdb mkpart primary 770MiB 1026MiB
parted /dev/vdb set 1 lvm on
parted /dev/vdb set 2 lvm on
udevadm settle

Create Physical Volumes

pvcreate /dev/vdb1 /dev/vdb2

Create a Volume Group

vgcreate vg01 /dev/vdb1 /dev/vdb2

Create a Logical Volume

lvcreate -n lv01 -L 300M vg01

Extend LVM Storage

Prepare / add new physical volumes to a Volume Group

parted /dev/vdb mkpart primary 1072MiB 1648MiB
parted /dev/vdb set 3 lvm on
udevadm settle
pvcreate /dev/vdb3

Extend the Volume group

vgextend vg01 /dev/vdb3

Extend the Logical Volume

lvextend -L +500M /dev/vg01/lv01

Extend the XFS File System (note: xfs cannot be shrunk!)

xfs_growfs /mnt/data

Extend the ext4 File system to the LV Size

resize2fs /dev/vg01/lv01

Containers

  • Container Images
    • buildah
    • podman
    • registries
      • registry.redhat.io - images/products maintained by redhat
      • registry.community.redhat.com - 3rd party
      • quay.io - community contributed
  • Management tools
    • podman - manages containers and container images
    • skopeo - inspects, copies, deletes and signs images
    • buildah - creates container images
    • kubernetes (openshift)
  • Container runtimes
    • runc
    • cri-o
    • docker

Container tools

sudo dnf install container-tools

Red Hat Container Catalog: https://access.redhat.com/containers. Red Hat UBI (Universal Base Image) is a minimized container image to deploy as the first layer.

podman login --username [username] --password-stdin registry.access.redhat.com

Container Registries

/etc/containers/registries.conf
$HOME/.config/containers/registries.conf
podman pull registry.access.redhat.com/ubi8/ubi:latest

Container files (Containerfile, the Dockerfile equivalent) hold the instructions on how to build an image

FROM registry.access.redhat.com/ubi8/ubi:latest
RUN dnf install -y python3
CMD ["/bin/bash", "-c", "echo hello"]

View information about an image

skopeo inspect docker://registry.path/image


podman build	Build a container image with a container file.
podman run	Run a command in a new container.
podman images	List images in local storage.
podman ps	Print information about containers.
podman inspect	Display configuration of a container, image, volume, network, or pod.
podman pull	Download an image from a registry.
podman cp	Copy files or directories between a container and the local file system.
podman exec	Execute a command in a running container.
podman rm	Remove one or more containers.
podman rmi	Remove one or more locally stored images.
podman search	Search a registry for an image.

Show all containers including those that have exited.

podman ps -a

(-d detached: the container runs in the background)

podman run -d registry/path/image:latest
podman exec -it [container_name] bash             <--- interactive terminal
podman cp /host/dir/file [container_name]:/container_path/file

Storage

$HOME/.local/share/containers/storage
  • SELinux context for volume mounts: `container_file_t`
  • el9 - podman 4 has DNS lookup for container IPs, so containers on the same network can reach each other by name
podman network create --gateway 10.87.0.1 --subnet 10.87.0.0/17 test_net
podman exec -it client01 dnf install -y iputils iproute
podman exec -it client01 ping -c3 otherhost02
podman container logs [container_name]

Forwarding Ports + Volumes

Port Forwarding

podman run -d --name web -p [container_host_port]:[container/image_port] path/to/image:latest
podman run -d --name web -p 8081:8080 -v [container_host_dir]:[container/mount]:Z  path/to/image:latest
podman run -d --name web -p 8081:8080 -v /home/kiosk/web1:/var/www/html:Z quay.io/image/httpd:latest

Environment variables: -e KEY=value

The volume `:Z` suffix applies the SELinux context if it doesn't already exist.

set volume permissions for container process uid and gid

podman unshare chown uid:gid /container/host/dir

where uid:gid are from the running user inside the container

podman systemd

podman generate systemd --name [container] --files --new    --> $HOME/.config/systemd/user
systemctl --user daemon-reload
loginctl enable-linger