Centos7-RHEL9

= Relationship with Fedora, Red Hat and CentOS =

All three are sponsored by Red Hat, but the direction of flow changed between CentOS Linux 7 and CentOS Stream 8/9:

* Fedora --> RHEL --> CentOS Linux 7 (CentOS 7 is a rebuild of the RHEL 7 sources; it reached end of life in June 2024)
* Fedora --> CentOS Stream --> RHEL 8/9 (CentOS Stream is the upstream of the next RHEL minor release, so it runs slightly ahead of RHEL)

# Fedora - Free - the main project: a community-based distro focused on quick releases of new features and functionality.
# Red Hat Enterprise Linux (RHEL) - Paid - the corporate version based on that project; slower releases, comes with support, and isn't free.
# CentOS - Free - CentOS Linux 7 is essentially the community rebuild of RHEL 7, so it's pretty much identical, but support comes from the community rather than Red Hat. CentOS Stream 8/9 is not a rebuild; it is what RHEL will become.

= Development SELinux =
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-selinux_contexts

To make life super easy for the first cut of something (development boxes only; put SELinux and the firewall back before anything faces a network).

See current SELinux settings
 sestatus
 getenforce

Switch SELinux to permissive until the next reboot (works on both el7 and el9; denials are still logged to the audit log, just not enforced)
 sudo setenforce 0

Disable SELinux completely on RHEL 9 (persistent, takes effect at next boot). On el9 <code>SELINUX=disabled</code> in /etc/selinux/config no longer fully disables it (the kernel boots with SELinux enabled but no policy loaded); the supported way is the kernel command line:
 grubby --update-kernel ALL --args selinux=0
Re-enabling later needs a full relabel (<code>touch /.autorelabel</code>) because files created while disabled carry no label.

Disable firewall
 systemctl disable --now firewalld

Make SELinux permissive persistently (el7 and el9)
 /etc/selinux/config
 SELINUX=enforcing --> permissive
Reboot (or <code>setenforce 0</code> to apply it immediately)

setroubleshoot alerts (sealert) are logged to the journal and /var/log/messages; each alert carries an id that gives the full analysis and a suggested fix
 grep sealert /var/log/messages
 sealert -l [alert-id]


== SELinux contexts ==

* Files --> fcontext
* Ports --> port
* Booleans --> boolean

=== fcontext ===
Show context
 $ ls -Z file1
 -rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

The label is <code>user:role:type:level</code>; under the targeted policy the type (the <code>_t</code> part) is what almost every rule keys on.

==== SELinux user ====
Mapping of Linux logins to SELinux users
 semanage login -l

==== level ====
MLS/MCS translations (e.g. s0 to a human-readable name)
 /etc/selinux/targeted/setrans.conf

Copied files (<code>cp</code>) get the context of the destination directory; moved files (<code>mv</code>) keep their original context. This is the usual cause of "file in /var/www/html is still labelled user_home_t".

Change context (temporary: survives a reboot but is lost the next time <code>restorecon</code> or a relabel runs)
 chcon -R -t [type] /dir

Change context (permanent: records the rule in the policy store)
 semanage fcontext -a -t [type] '/dir(/.*)?'
 restorecon -FvR /dir    <----------- REMEMBER TO APPLY the new context (semanage only stores the rule, it does not touch the files)

List contexts
 semanage fcontext -l | grep [thing]
List local customisations only (rules added with semanage, as opposed to the rules shipped in the distro policy)
 semanage fcontext -l -C

Check what the policy says a path should be labelled against what it actually is
 matchpathcon -V /dir/file

==== Booleans ====
 getsebool -a
 semanage boolean -l
 setsebool -P httpd_enable_homedirs on    (-P = permanent, written to the policy store)
= Interfaces =

== el7 ==

 vi /etc/sysconfig/network-scripts/ifcfg-eth0
<pre>
Create a file named /etc/sysconfig/network-scripts/ifcfg-eth0 as follows:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=192.168.2.203
Restart network service: systemctl restart network
</pre>

=== Default Route ===
Temporary (net-tools syntax; the iproute2 equivalent is <code>ip route replace default via <default_gateway_ip></code>)
 $ route del default gw <default_gateway_ip>
 $ route add default gw <default_gateway_ip>

Permanent: /etc/sysconfig/network (or a GATEWAY= line in the ifcfg file)
 GATEWAY=<new_default_gateway_ip>

== el8 and el9 ==
The ifcfg format in /etc/sysconfig/network-scripts is deprecated; it is only kept for compatibility through the ifcfg-rh plugin.

el8 and el9 should use NetworkManager keyfile (ini style) profiles in /etc/NetworkManager/system-connections/

 nmtui    <- text UI

Profile (connection) settings are applied to an interface; an interface can only have one active profile at a time.

Static connection profiles are stored in /etc/NetworkManager/system-connections/[name].nmconnection (mode 0600, since they can hold Wi-Fi/802.1X secrets). Addresses obtained by DHCP are not stored persistently.

 nmcli dev status
 nmcli con show
 nmcli con show --active
 nmcli con up static-ens3        (uses the connection name, not the interface name)
 nmcli dev disconnect ens3

Most profiles have autoconnect enabled, so <code>nmcli con down</code> is not a reliable way to stop traffic: NetworkManager can simply reactivate the profile. Turn autoconnect off first:
 nmcli con mod "profile name" connection.autoconnect no

Add an interface profile (written to /etc/NetworkManager/system-connections/[con-name].nmconnection)
 nmcli con add con-name eno2 type ethernet ifname eno2
 nmcli con add con-name eno3 type ethernet ifname eno3 ipv4.method manual ipv4.addresses 192.168.0.5/24 ipv4.gateway 192.168.0.254
 nmcli con add con-name eno4 type ethernet ifname eno4 ipv6.addresses 2001:db8:0:1::c000:207/64 ipv6.gateway 2001:db8:0:1::1 ipv6.method manual ipv4.addresses 192.0.2.7/24 ipv4.gateway 192.0.2.1 ipv4.method manual

Modify an existing profile (<code>nmcli con mod</code> writes the file; the change only takes effect on the next <code>nmcli con up</code>)
 nmcli con mod static-ens3 ipv4.addresses 192.0.2.2/24 ipv4.gateway 192.0.2.254 connection.autoconnect yes
 nmcli con mod static-ens3 +ipv4.dns 2.2.2.2
 nmcli con up static-ens3
If a .nmconnection file was edited by hand instead, make NetworkManager re-read all profiles first:
 nmcli con reload

 nmcli con del static-ens3

To change DHCP to static, set ipv4.method manual (vs auto) and supply ipv4.addresses; same for ipv6.method.
== VM interfaces ==
VMware interfaces are created in the following order (the names come from the PCI slot the virtual NIC lands in)
* ens192
* ens224
* ens256
* ens161


== Static Routes ==
Temporary
 ip route add 172.16.5.0/24 via 10.0.0.101 dev eth0
 ip route delete 192.168.0.0/16 dev ens256 scope link metric 1005

Permanent (el7 ifcfg style)
 /etc/sysconfig/network-scripts/route-eth0
 172.16.5.0/24 via 10.0.0.101 dev eth0
Remember to bounce the interface after
 ifdown eth0
 ifup eth0
On el8/el9 add the route to the profile instead: <code>nmcli con mod [profile] +ipv4.routes "172.16.5.0/24 10.0.0.101"</code> then <code>nmcli con up [profile]</code>.

=== Blackhole ===
Silently drop traffic to a destination (handy for sinkholing a known-bad range)
 ip route add blackhole <ip or range>

== Dummy Interface ==
<pre>
$ cat /etc/modules-load.d/dummy.conf
# Load dummy.ko at boot
dummy
$ cat /etc/modprobe.d/dummy.conf
install dummy /sbin/modprobe --ignore-install dummy; /sbin/ip link set name ethdummy1 dev dummy0
$ cat /etc/sysconfig/network-scripts/ifcfg-ethdummy1
NAME=ethdummy1
DEVICE=ethdummy1
MACADDR=00:22:22:ff:ff:ff
IPADDR=10.10.10.1
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
NM_CONTROLLED=no
</pre>
On el8/el9 the same thing is a NetworkManager profile: <code>nmcli con add type dummy ifname ethdummy1 ipv4.method manual ipv4.addresses 10.10.10.1/24</code>

== Process to Port/Sockets ==
<pre>
ps -ef | grep nginx
root     20501     1  0 Mar24 ?        00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf

sudo lsof -n -p 20501
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
nginx   20501 root  cwd    DIR  253,0      224       64 /
nginx   20501 root  rtd    DIR  253,0      224       64 /
nginx   20501 root  txt    REG  253,0  1342640 50764597 /usr/sbin/nginx
nginx   20501 root    8u  IPv4  61372      0t0      TCP 172.29.17.4:http (LISTEN)
</pre>
The other direction (port to process) is <code>ss -plunt | grep :80</code> or <code>lsof -nP -iTCP:80 -sTCP:LISTEN</code>.

== Optics Diagnostics ==
SFP/QSFP DOM data (light levels, temperature); the output is similar to a Juniper <code>show interfaces diagnostics optics</code>
 ethtool -m [interface]

== Tools ==
* mtr - traceroute and ping combined
* ss -plunt : socket state (p=process, l=listening, u=udp, n=numeric, no name resolution, t=tcp)
* ss -ta : all TCP sockets, listening and established

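The question <code>ss -plunt</code> is usually asked to answer is "what is reachable from outside this box". The script below is an added example, not from the original page: it turns <code>ss -plunt</code> output into a list of sockets bound to every address (0.0.0.0, * or [::]) and diffs that against an allowlist. The sample <code>ss</code> output is constructed for the example; the column layout and the <code>users:(("name",pid=N,fd=M))</code> process format are what <code>ss</code> on el7/el8/el9 prints.

```bash
#!/usr/bin/env bash
# Added example: exposed-listener check driven by `ss -plunt` output.

# exposed_listeners: reads `ss -plunt` output on stdin and prints
# "proto port process" for every socket bound to a wildcard address.
exposed_listeners() {
  awk 'NR > 1 {
    n = split($5, a, ":"); port = a[n]                      # port is after the last ":"
    addr = substr($5, 1, length($5) - length(port) - 1)     # everything before it
    if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
      proc = "-"                                            # "-" when ss could not read the owner (no root)
      if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
      print $1, port, proc
    }
  }' | sort -u
}

# unexpected_listeners "tcp/22 udp/123": reads exposed_listeners output on stdin,
# prints anything not in the space-separated allowlist, returns 1 if there was any.
unexpected_listeners() {
  local allow=" $1 " proto port proc found=0
  while read -r proto port proc; do
    case "$allow" in
      *" $proto/$port "*) ;;
      *) printf '%s/%s (%s)\n' "$proto" "$port" "$proc"; found=1 ;;
    esac
  done
  return $found
}

# Constructed sample (not captured from a real host): mix of loopback-only,
# single-address and wildcard listeners, with sshd listening on v4 and v6.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=812,fd=5))
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=790,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1021,fd=3))
tcp   LISTEN 0      511    172.29.17.4:80      0.0.0.0:*         users:(("nginx",pid=20501,fd=8))
tcp   LISTEN 0      128    [::1]:3306          [::]:*            users:(("mysqld",pid=1500,fd=20))
tcp   LISTEN 0      128    *:9090              *:*               users:(("cockpit-ws",pid=2000,fd=4))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=1021,fd=4))'

# On a live box:  ss -plunt | exposed_listeners | unexpected_listeners "tcp/22"
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners | unexpected_listeners "tcp/22"
fi
```

Run it from cron or a CI job with the allowlist kept next to the host's firewall config; a non-zero exit means a new service appeared on all interfaces (in the sample: rpcbind on udp/111 and cockpit on tcp/9090). Note that nginx on 172.29.17.4:80 is not reported: it is bound to one address, which is what you want for a multi-homed box.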

Interface statistics (errors/dropped counters are the first thing to check on a flapping or lossy link)
<pre>
ip -s link show ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:00:0a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    269850     2931     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    300556     3250     0       0       0       0
</pre>

=== ipv6 ===
* ip -6 a
* ip -6 r

== dns ==
glibc's resolver uses at most 3 nameservers. The search list was limited to 6 suffixes / 256 characters on el7 (glibc 2.17); glibc 2.26 removed that limit, so el8 onwards is unlimited.
Suffixes are tried in order (left to right).
 /etc/resolv.conf
 search lab.example.com example.com
 nameserver 172.35.200.200
On el8/el9 NetworkManager rewrites /etc/resolv.conf, so set <code>ipv4.dns</code> and <code>ipv4.dns-search</code> on the profile rather than editing the file.

== Hostname ==
Static hostname
 /etc/hostname
Set hostname
 hostnamectl hostname blah.example.com       (el9; on el7/el8 use hostnamectl set-hostname blah.example.com)
 hostnamectl status
Transient hostnames come from the DHCP lease and are only used when no static hostname is set.
= Screen =
Terminal multiplexer. https://linuxize.com/post/how-to-use-linux-screen/

Start a 'window'
 screen
or to give the session a name
 screen -S 'hello_world'
To exit
 exit [enter]
To detach from the session
 ctrl + a , d
Show windows/terminals
 screen -ls
Re-attach
 screen -r [number or session_name]

Scrollback: start with <code>-h [numlines]</code>
To access it, use copy mode: <code>ctrl-A, Escape</code>, [then up/down], <code>Escape</code> to return.

= Locale Problems =
This is an issue with MobaXterm/WSL/Ubuntu (which set the locale to C.UTF-8), not CentOS, but here is a workaround: add the following to your .bashrc file (seriously, there is something wrong with MobaXterm and this was the only fix (read: crude workaround)).
 export LANGUAGE=en_US.UTF-8
 export LANG=en_US.UTF-8
 export LC_ALL=en_US.UTF-8
 export LC_CTYPE=en_US.UTF-8
MobaXterm appears to be built from Cygwin sources, which default to C.UTF-8 (an extended character set of en_US.UTF-8); however some CentOS boxes do not know about the C.UTF-8 variant so complain.

Normal fix on Debian/Ubuntu (which MobaXterm seems to ignore, setting C.UTF-8 anyway)
 sudo locale-gen en_US.UTF-8
 sudo update-locale LANG=en_US.UTF-8
The CentOS/RHEL equivalent is <code>localectl set-locale LANG=en_US.UTF-8</code> (plus <code>dnf install glibc-langpack-en</code> on el8/el9 if the locale is missing).

= Packages / rpms =

List installed: <code>yum list installed</code> (or <code>rpm -qa</code>)

Remember to stop the service first :)
<pre> systemctl stop httpd</pre>

== Add a specific package version ==

Show what versions are available
<pre> yum list httpd --showduplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.xnet.co.nz
 * centos-sclo-rh: mirror.xnet.co.nz
 * centos-sclo-sclo: mirror.xnet.co.nz
 * epel: mirror.xnet.co.nz
 * extras: mirror.xnet.co.nz
 * remi-php73: mirrors.mediatemple.net
 * remi-safe: mirrors.mediatemple.net
 * updates: mirror.xnet.co.nz
Available Packages
httpd.x86_64    2.4.6-90.el7.centos    base
httpd.x86_64    2.4.41-4.codeit.el7
</pre>

To install a particular one
<pre>
sudo yum install httpd-2.4.6-90.el7.centos
</pre>
Pinning an old version also pins its unfixed CVEs: record why, and check the changelog (see "Check if a package has been patched for a CVE" below) before doing it on anything exposed.

Use yum to download an rpm and not install it
 yum install --downloadonly --downloaddir=<directory> <package>

Extract the contents of an rpm (no install, no scriptlets run, safe for inspecting an untrusted package)
 rpm2cpio ./rrdtool-1.7.2-14.el7.src.rpm | cpio -idmv

== Downgrade package ==
 yum downgrade vsftpd-2.0.5-12.el5


== Creating rpms / packages ==

https://rpm-packaging-guide.github.io/

Noting that <code>Source0</code> can be a compressed archive; it is unpacked by <code>%setup</code>/<code>%autosetup</code> in the <code>%prep</code> stage of the build.


=== EPEL Packages ===

Example,
source: https://github.com/phaag/nfdump

EPEL EL9 Build https://koji.fedoraproject.org/koji/buildinfo?buildID=2105011

Get the source rpm and extract it
 rpm2cpio nfdump-1.7.1-1.el9.src.rpm | cpio -idmv


== Signing local packages ==

Re-sign packages whose existing signature uses a SHA-1 digest: the el9 DEFAULT crypto policy rejects SHA-1 signatures, so <code>dnf</code> refuses to install them. Verify the original vendor signature first (<code>rpm -Kv</code> on an el8 host, or on el9 after a temporary <code>update-crypto-policies --set DEFAULT:SHA1</code>), because your signature replaces theirs and from then on vouches for the content.
<pre>
gpg --gen-key                         (RSA with a SHA-256 digest is the default on a current gpg)
gpg -a --export KEYID > /root/CUSTOMER-GPG-KEY
~/.rpmmacros
%_signature gpg
%_gpg_name KEYID
rpm --resign rpmname.rpm              (rpmsign --resign from the rpm-sign package on el8/el9)
rpm -Kv rpmname.rpm                   (check the new signature)

And share GPG-KEY and the re-signed RPM in the new repository (clients rpm --import the key; gpgkey= in the .repo file)
</pre>

= Logging =
To see the journal entries (the same lines rsyslog writes to /var/log/messages) for a particular service

<pre>sudo journalctl -u openli-provisioner.service</pre>

To watch a service's logs
<pre>sudo journalctl --follow -u openli-provisioner.service</pre>
Add <code>-b</code> for the current boot only, <code>--since "1 hour ago"</code> to bound the window, and <code>-p err</code> to filter by priority.

= Firewall =

History
* ipchains
* iptables
* nftables (based upon the netfilter framework) - one ruleset covers both ipv4 and ipv6
** firewalld - zone-based front end; on el8/el9 its backend is nftables

Zone selection: the packet's source address decides the zone (zones with <code>--add-source</code>); if no source matches, the zone of the ingress interface is used; otherwise the default zone.

Runtime (non-persistent; lost on reload/restart)
<pre>
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --list-all
firewall-cmd --list-all-zones
</pre>

Installed with the package (do not edit; a copy under /etc/firewalld overrides it)
 /usr/lib/firewalld/zones/public.xml
 /usr/lib/firewalld/services/RH-Satellite-6.xml

Persistent
 firewall-cmd --zone=public --add-port=3000/tcp --permanent
 firewall-cmd --reload
or make a runtime change you have already tested permanent in one go
 firewall-cmd --runtime-to-permanent
The permanent config lands in
 /etc/firewalld/zones/public.xml
Prefer <code>--add-service</code> over <code>--add-port</code> where a service definition exists, and restrict by source rather than opening a port to the world, e.g. <code>--add-rich-rule='rule family=ipv4 source address=10.0.0.0/8 port port=3000 protocol=tcp accept'</code>.


el9: iptables --> nftables (the iptables command is the nft-backed compatibility shim; see the live ruleset with <code>nft list ruleset</code>)
 sudo systemctl status nftables

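The zone rule above (source beats interface beats default) is where most "why is this port open from that subnet" surprises come from. The script below is an added example, not from the original page: a small model of that selection logic so you can predict which zone's rules a packet will get before you change anything. Zone definitions are read as one line per zone in a format made up for the example (<code>firewall-cmd --list-all-zones</code> is the live source of the same data); it is simplified to IPv4, first matching zone wins, and ignores the lockdown/ipset cases.

```bash
#!/usr/bin/env bash
# Added example: predict the firewalld zone for a packet from (source ip, interface).

# Constructed zone table for the example, not dumped from a real host.
# Format: zone <name> sources <cidr,...|-> interfaces <iface,...|->
ZONE_DEFS='zone trusted sources 10.20.0.0/16 interfaces -
zone internal sources 192.168.1.5/32 interfaces ens224
zone public sources - interfaces ens192'

# zone_for SRC_IP IFACE DEFAULT_ZONE  (zone table on stdin)
# 1. first zone whose source list covers SRC_IP
# 2. else first zone that lists IFACE
# 3. else DEFAULT_ZONE
zone_for() {
  awk -v ip="$1" -v ifc="$2" -v def="$3" '
    function ip2n(a,   o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    # CIDR test without bit operators: compare the integers after dropping the host bits
    function in_cidr(a, c,   p, bits, d) {
      split(c, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0; d = 2 ^ (32 - bits)
      return int(ip2n(a) / d) == int(ip2n(p[1]) / d)
    }
    $1 == "zone" {
      n = split($4, s, ",")
      for (i = 1; i <= n; i++) if (s[i] != "-" && bysrc == "" && in_cidr(ip, s[i])) bysrc = $2
      n = split($6, f, ",")
      for (i = 1; i <= n; i++) if (f[i] == ifc && byif == "") byif = $2
    }
    END { z = def; if (byif != "") z = byif; if (bysrc != "") z = bysrc; print z }'
}

if [ "${1:-}" = "--demo" ]; then
  # A packet from the trusted range arriving on the public interface still lands in "trusted".
  printf '%s\n' "$ZONE_DEFS" | zone_for 10.20.5.9 ens192 public
fi
```

The interesting case is the first one: traffic from 10.20.0.0/16 arriving on ens192 is handled by the trusted zone, not public, so a host that spoofs or is allocated an address in that range on the outside interface gets the trusted rules. That is why source-bound zones should only cover ranges that cannot appear on untrusted interfaces (or be paired with rp_filter / ingress filtering).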
= Systemd =
systemd daemon (pid 1). Unit types:
* Path (watches files)
** systemctl list-units -t path
* Mount (controls mounts)
* Timer (scheduling)
* Slice (resource management via cgroups)
* Socket (listens on a port and starts the service on the first connection)
* Target (groups units)
* Service (daemons)
** systemctl list-units --type=service

Don't edit the unit files in
<pre>/usr/lib/systemd/system/[service].service</pre>
(the next package update overwrites them); instead use drop-in files, which are listed under "Drop-In:" when <code>systemctl status [service]</code> is run
<pre> /etc/systemd/system/[service].service.d/99-custom.conf</pre>
<code>systemctl edit [service]</code> creates the drop-in for you and runs daemon-reload afterwards. List-type settings such as <code>ExecStart=</code> must be cleared with an empty assignment in the drop-in before being set again, otherwise the unit ends up with two.

== systemd Dependencies ==

 systemctl list-dependencies graphical.target | grep target

= systemctl =
List all enabled services
 sudo systemctl list-unit-files | grep enabled

After a unit file, a drop-in or fstab is changed, systemd needs to be reloaded to pick up the new configuration
 sudo systemctl daemon-reload

= SELinux Policies =

Look at the audit log for deny messages (<code>-c</code> is the process name from the comm= field of the AVC record)
 sudo ausearch -m AVC -ts recent
 sudo ausearch -c 'comm_name' --raw

Readable rules
 grep context_t /var/log/audit/audit.log | audit2allow -w
Generate rules
 grep context_t /var/log/audit/audit.log | audit2allow -M somepolicy
Refer to the following for possible permissions
 cat /usr/share/selinux/devel/include/support/obj_perm_sets.spt

audit2allow writes allow rules for exactly what was denied, including things that should stay denied. Review the .te file before loading it, and prefer an existing boolean (<code>sealert</code> usually names one) or a fcontext/port fix over a custom module.

Modify the .te file, then place it in a folder and run in the same folder (needs the selinux-policy-devel package):
 make -f /usr/share/selinux/devel/Makefile

Import the policy
 sudo semodule -i somepolicy.pp
 sudo semodule -l | grep somepolicy

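Before reaching for audit2allow it pays to group the denials and ask which ones are really policy gaps. The script below is an added example, not from the original page: it aggregates AVC records by (process, source type, target type, class, permissions), flags denials that were only logged because a domain was permissive, and attaches a remediation hint. The audit lines are constructed for the example (same field layout as a real <code>type=AVC</code> record), and the hint table is a heuristic of mine, not something setroubleshoot or audit2allow produce.

```bash
#!/usr/bin/env bash
# Added example: AVC denial triage from /var/log/audit/audit.log lines.

# Constructed sample records (format matches real AVC lines, values are made up).
SAMPLE_AUDIT='type=AVC msg=audit(1695555555.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1695555556.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1695555557.789:458): avc:  denied  { read write } for  pid=2222 comm="mydaemon" path="/var/lib/mydaemon/state" dev="dm-0" ino=99 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1695555558.000:459): avc:  denied  { write } for  pid=1235 comm="httpd" name="app.log" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: audit lines on stdin -> "count comm stype ttype tclass {perms} [permissive]"
avc_summary() {
  awk '
    # field(s, key): value of key=... (quotes stripped), "?" if absent
    function field(s, key,   r) {
      if (match(s, key "=[^ ]+")) {
        r = substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1); gsub(/"/, "", r); return r
      }
      return "?"
    }
    function typ(ctx,   p) { split(ctx, p, ":"); return p[3] }   # user:role:type:level -> type
    /type=AVC/ && / denied / {
      perms = "?"
      if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
      key = field($0, "comm") " " typ(field($0, "scontext")) " " typ(field($0, "tcontext")) " " field($0, "tclass") " {" perms "}"
      if (field($0, "permissive") == "1") key = key " permissive"
      count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# avc_hint: avc_summary lines on stdin, appends a first-guess remediation.
avc_hint() {
  local count comm stype ttype tclass rest hint
  while read -r count comm stype ttype tclass rest; do
    case "$ttype:$tclass:$rest" in
      *_home_t:file:*|*_home_t:dir:*) hint="likely mislabelled path: semanage fcontext -a + restorecon, not a policy change" ;;
      *_port_t:tcp_socket:*name_connect*) hint="network connect: check a boolean first (getsebool -a | grep $comm)" ;;
      *permissive*) hint="allowed only because the domain is permissive; will break once enforcing" ;;
      *) hint="no shortcut: audit2allow -M after reviewing the generated rule" ;;
    esac
    printf '%s %s %s %s %s %s -> %s\n' "$count" "$comm" "$stype" "$ttype" "$tclass" "$rest" "$hint"
  done
}

# On a live box:  sudo ausearch -m AVC -ts today --raw | avc_summary | avc_hint
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | avc_hint
fi
```

For the sample the two httpd writes to a user_home_t file collapse into one line with count 2 and a relabel hint (a file was <code>mv</code>'d into the web root), the name_connect to mysqld_port_t points at <code>httpd_can_network_connect_db</code>, and only the mydaemon denial is a candidate for a custom module. Feeding the raw log to <code>audit2allow -M</code> would have generated allow rules for all three.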
== Temporary ==
1. Set SELinux mode to permissive temporarily (without reboot).
The setenforce command is used to change between enforcing and permissive mode. To change to permissive mode:

 setenforce 0

A single domain can also be made permissive while everything else stays enforcing, which is the better option on a shared box:
 semanage permissive -a httpd_t
 semanage permissive -d httpd_t    (undo)

== Permanent ==
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux

=== Create a Module ===
File types in the module (<code>sepolicy</code> comes from the policycoreutils-devel package)
<pre>
sepolicy generate --init /usr/local/bin/mydaemon
Created the following files:
/home/example.user/mysepol/mydaemon.te # Type Enforcement file
/home/example.user/mysepol/mydaemon.if # Interface file
/home/example.user/mysepol/mydaemon.fc # File Contexts file
/home/example.user/mysepol/mydaemon_selinux.spec # Spec file
/home/example.user/mysepol/mydaemon.sh # Setup Script
</pre>

Detailed process
https://blog.pythian.com/selinux-and-mysql-log-rotation-issue/

== Port Labelling ==

 semanage port -l
 semanage port -l | grep ssh
Add a label to a port that has none (e.g. sshd on a non-standard port)
 semanage port -a -t ssh_port_t -p tcp 2222
Modify a port that is already labelled (23 is telnet_port_t, so <code>-a</code> fails with "already defined")
 semanage port -m -t ssh_port_t -p tcp 23

Local modifications
 semanage port -l -C

= Networking =

<pre>
USE THIS IPROUTE COMMAND          INSTEAD OF THIS NET-TOOLS COMMAND
ip addr                           ifconfig -a
ss                                netstat
ip route                          route
ip maddr                          netstat -g
ip link set eth0 up               ifconfig eth0 up
ip -s neigh                       arp -v
ip link set eth0 mtu 9000         ifconfig eth0 mtu 9000
</pre>
net-tools is not installed by default on el8/el9.

= ntp =

ntpd on el6, chrony on el7/el8/el9

One-shot step of the clock (sntp comes from the ntp package; with chrony use <code>chronyc makestep</code>)
 sudo sntp -sS ntp_server
 sudo sntp -sS 130.217.74.61

Can use InternetNZ (part of the public pool) 202.46.177.18

Stratum
* 0 = reference clock (GPS, atomic clock)
* 1 = server directly attached to a reference clock
* 2 = a server that synchronises from a stratum 1 server (each hop adds one)

== Find/set timezones ==
 timedatectl list-timezones | grep -i auckland
 timedatectl set-timezone Pacific/Auckland
check with
 timedatectl
Disable NTP (stops chronyd)
 timedatectl set-ntp false

The chronyd service tracks the system clock's offset and drift against the NTP servers (and syncs the RTC from it)
 chronyc sources -v
 chronyc tracking
Keep the clock right: Kerberos/AD authentication, TLS certificate validity windows and log correlation all depend on it. Configure sources in /etc/chrony.conf rather than stepping the clock by hand.

= RHEL 9 =

* Satellite Server - repo mirror (and content/patch management) for RHEL packages

== DNF ==
DNF (Dandified YUM) replaced YUM as the package manager from Red Hat Enterprise Linux 8 onwards; on el8/el9 <code>yum</code> is a compatibility alias for dnf.

yum was based on Python 2; dnf uses Python 3 and libsolv for dependency resolution.


 dnf search all 'web server'
 dnf info httpd
 dnf provides /var/www/html
 dnf history
 dnf group install GROUPNAME
 dnf localinstall [path].rpm      (or just dnf install ./[path].rpm)
 dnf updateinfo list --security   (pending security errata)

=== dnf repos ===
Add repos by adding a file under /etc/yum.repos.d/[blah].repo

<pre>
cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1

[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9

</pre>
The first stanza (as generated by <code>dnf config-manager --add-repo</code>) has no <code>gpgcheck=1</code>/<code>gpgkey=</code>, so packages from it install without signature verification. Always add them (as in the second stanza), or better, <code>dnf install epel-release</code>, which ships the key and a proper repo file.

 dnf repolist --all
 dnf config-manager --enable 'reponame'

== Creating a local repo ==

Download rpms (and dependencies)
 dnf download --resolve [package]

 dnf install createrepo_c
 createrepo_c .
This creates a repodata folder with the repo metadata (re-run it after adding packages).

<pre>
[customrepo]
name=long name of customrepo
baseurl=https://localpath/custom_repo/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-customrepo
</pre>
<code>gpgcheck=0</code> here means anyone who can write to that web root (or sit on the path to it) can install code as root on every client. Sign the packages (see "Signing local packages") and keep gpgcheck on.


== Reset root password ==

Reboot the system and interrupt the boot loader.

Move the cursor to a kernel entry (any will do; one with "rescue" in its name if present), 'e' to edit.

Append 'rd.break' to the line starting with 'linux', then ctrl-x to boot.

 mount -o remount,rw /sysroot
 chroot /sysroot
 passwd root
 touch /.autorelabel
 exit    (leaves the chroot) then exit again to leave the initramfs debug shell
(n.b. the /.autorelabel file causes every file to be relabelled on the next boot, which is slow on a large filesystem; the alternative is to do the following before leaving the chroot, so only /etc/shadow, which was written with no policy loaded, gets its label fixed)
 load_policy -i
 restorecon -FvR /etc/shadow

This works because nothing protects the boot loader: anyone with console access (physical or hypervisor) can do the same. Set a GRUB password (<code>grub2-setpassword</code>) and/or use LUKS disk encryption where that matters.

== Check if a package has been patched for a CVE ==
 rpm -q --changelog [package] | grep CVE
Red Hat backports fixes, so the upstream version number alone says nothing; the changelog is where the CVE is recorded. <code>dnf updateinfo info --cve CVE-YYYY-NNNN</code> shows whether an errata for it is still pending.

= Disk management =
Physical Volume (disk / block dev) --> Volume Group --> Logical Volume --> Filesystem

Add Physical Volumes to a Volume Group. Divide the Volume Group into Logical Volumes. Put a filesystem on each Logical Volume.

Can keep adding Physical Volumes (disks) to the Volume Group to grow it (and in turn grow the Logical Volume).

* Physical Volume commands start with <code>pv</code>
** pvs - Physical Volume show
** pvdisplay /dev/vdb1
* Volume Group commands start with <code>vg</code>
** vgs - Volume Group show
** vgdisplay vg01
* Logical Volume commands start with <code>lv</code>
** lvs - Logical Volume show

== Build LVM Storage ==
Optional partitioning
<pre>
parted /dev/vdb mklabel gpt mkpart primary 1MiB 769MiB
parted /dev/vdb mkpart primary 770MiB 1026MiB
parted /dev/vdb set 1 lvm on
parted /dev/vdb set 2 lvm on
udevadm settle
</pre>

Create Physical Volumes
 pvcreate /dev/vdb1 /dev/vdb2

Create a Volume Group
 vgcreate vg01 /dev/vdb1 /dev/vdb2

Create a Logical Volume
 lvcreate -n lv01 -L 300M vg01

== Extend LVM Storage ==
Prepare / add new physical volumes to a Volume Group
<pre>
parted /dev/vdb mkpart primary 1072MiB 1648MiB
parted /dev/vdb set 3 lvm on
udevadm settle
pvcreate /dev/vdb3
</pre>

Extend the Volume Group
 vgextend vg01 /dev/vdb3

Extend the Logical Volume (adding <code>-r</code> grows the filesystem in the same step and replaces the two commands below)
 lvextend -L +500M /dev/vg01/lv01
 lvextend -r -L +500M /dev/vg01/lv01

Extend the XFS file system (takes the mount point; note XFS cannot be shrunk!)
 xfs_growfs /mnt/data

Extend the ext4 file system to the LV size (takes the device; works while mounted)
 resize2fs /dev/vg01/lv01

= Containers =
* Container images
** buildah
** podman
** registries
*** registry.redhat.io - Red Hat products, requires a login
*** registry.access.redhat.com - Red Hat images (UBI etc.), no login needed
*** registry.connect.redhat.com - 3rd party certified images
*** quay.io - community contributed

* Management tools
** podman - manages containers and container images (daemonless, rootless by default)
** skopeo - inspects, copies, deletes and signs images
** buildah - creates container images
** kubernetes (openshift)

* Container runtimes
** runc / crun
** cri-o
** docker

Container tools
 sudo dnf install container-tools

Red Hat Container Catalog https://access.redhat.com/containers
Red Hat UBI (Universal Base Image) - minimal, freely redistributable base image to use as the first layer
 podman login --username [username] --password-stdin registry.redhat.io

Container registries (search order, and whether unqualified image names are allowed)
 /etc/containers/registries.conf
 $HOME/.config/containers/registries.conf
 podman pull registry.access.redhat.com/ubi8/ubi:latest
Always pull with a fully qualified name; an unqualified <code>podman pull ubi</code> is resolved against the registry search list and is open to typosquatting.

Containerfile = Dockerfile: instructions on how to build an image
 Containerfile
<pre>
FROM registry.access.redhat.com/ubi8/ubi:latest
RUN dnf install -y python3
CMD ["/bin/bash", "-c", "echo hello"]
</pre>

View information about an image without pulling it
 skopeo inspect docker://registry.path/image


<pre>
podman build     Build a container image with a Containerfile.
podman run       Run a command in a new container.
podman images    List images in local storage.
podman ps        Print information about containers.
podman inspect   Display configuration of a container, image, volume, network, or pod.
podman pull      Download an image from a registry.
podman cp        Copy files or directories between a container and the local file system.
podman exec      Execute a command in a running container.
podman rm        Remove one or more containers.
podman rmi       Remove one or more locally stored images.
podman search    Search a registry for an image.
</pre>

Show all containers including those that have exited.
 podman ps -a

(-d = detached, runs in the background)
 podman run -d registry/path/image:latest
 podman exec -it [container name] bash    <--- interactive terminal

 podman cp /host/dir/file [container_name]:/container_path/file

Storage (rootless)
 $HOME/.local/share/containers/storage

* SELinux context for volume mounts: <code>container_file_t</code>

* el9 - networks created with <code>podman network create</code> on podman 4 use netavark/aardvark-dns, so containers on the same network can reach each other by name
 podman network create --gateway 10.87.0.1 --subnet 10.87.0.0/17 test_net
 podman exec -it client01 dnf install -y iputils iproute
 podman exec -it client01 ping -c3 otherhost02

 podman container logs [container_name]

== Forwarding Ports + Volumes ==
Port forwarding
 podman run -d --name web -p [host_port]:[container_port] path/to/image:latest
 podman run -d --name web -p 8081:8080 -v [host_dir]:[container_mount]:Z path/to/image:latest
 podman run -d --name web -p 8081:8080 -v /home/kiosk/web1:/var/www/html:Z qyau.io/image/httpd:latest
<code>-p 8081:8080</code> binds on all host addresses; use <code>-p 127.0.0.1:8081:8080</code> if only local access is wanted. Rootless podman cannot bind host ports below 1024 unless <code>net.ipv4.ip_unprivileged_port_start</code> is lowered.

Environment variables: <code>-e KEY=value</code>
Volume <code>:Z</code> relabels the host directory container_file_t with an MCS category private to this container; <code>:z</code> uses a shared label so several containers can mount it. Don't use either on a directory you also use from the host (e.g. $HOME itself): it relabels everything underneath.

Set volume ownership for the container process uid and gid
 podman unshare chown uid:gid /container/host/dir
where uid:gid are those of the user inside the container. <code>podman unshare</code> runs the command inside the rootless user namespace, so the uid is translated through /etc/subuid (container uid 1001 becomes the user's subuid range start + 1000 on the host).

== podman systemd ==
 podman generate systemd --name [container] --files --new    --> put the unit in $HOME/.config/systemd/user
 systemctl --user daemon-reload
 systemctl --user enable --now container-[container].service
 loginctl enable-linger [user]    (so the user's units run without a login session)
On podman 4.4+ (el9.2+) <code>podman generate systemd</code> is deprecated in favour of Quadlet (.container files in ~/.config/containers/systemd/).
Latest revision as of 22:13, 24 September 2023
Contents
Relationship with Fedora, Redhat
Fedora --> Redhat --> Centos, all run by the Redhat company.
- Fedora - Free - the main project, and it’s a communitity-based, free distro focused on quick releases of new features and functionality.
- Redhat - Paid - the corporate version based on the progress of that project, and it has slower releases, comes with support, and isn’t free.
- CentOS - Free - essentially the community version of Redhat. So it’s pretty much identical, but it is free and support comes from the community as opposed to Redhat itself.
Development SELinux
To make life super easy for the first cut of something
see selinux current settings
sestatus
Disable selinux (till next reboot)
- centos 7
sudo setenforce 0
- RHEL 9
grubby --update-kernel ALL --args selinux=0
Disable firewall
service firewalld stop systemctl disable firewalld
Disable SELinux
/etc/selinux/config SELINUX=enforcing --> permissive Reboot
Redhat SVC Alerts
grep sealert /var/log/messages
Selinux contexts
- Files --> fcontext
- Ports --> port
- boolean --> boolean
fcontext
show context
$ ls -Z file1 -rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1 user:role:type:level
SELinux user
semanage login -l
level
/etc/selinux/targeted/setrans.conf
copied files, inherit the parent directory fcontext, moved files retain their initial fcontext.
change context (temporary as in will last till default labels are reset
chcon -R -t [fcontext] /dir.
change context (permanant)
semanage fcontext -a -t [context] /dir'(/.*)?' restorecon -FvR /dir <----------- REMEMBER TO APPLY the new context
List contexts
semanage fcontext -l | grep [thing]
List temporary customisations (not written to selinux db)
semanage fcontext -l -C
Booleans
getsebool -a setsebool -P httpd_enable_homedirs on. (-P permanant)
Interfaces
el7
vi /etc/sysconfig/network-scripts/ifcfg-eth0
Create a file named /etc/sysconfig/network-scripts/ifcfg-eth0 as follows: DEVICE=eth0. BOOTPROTO=none. ONBOOT=yes. PREFIX=24. IPADDR=192.168.2.203. Restart network service: systemctl restart network
Default Route
Temporary
$ route del default gw <default_gateway_ip> $ route add default gw <default_gateway_ip>
Permanent /etc/sysconfig/network GATEWAY=<new_default_gateway_ip>
> el8
ifcfg format configuration in /etc/sysconfig/network-scripts is deprecated,
el8,el9 should use network manager ini style files in /etc/NetworkManager/system-connections
nmtui <- gui interface
Profile settings are applied to an interface (interfaces can only accept settings from one profile)
Static connection properties are stored in /etc/NetworkManager/system-connections/, Dynamic connections (set by dhcp) are not stored persistently.
nmcli dev state nmcli con show nmcli con show --active nmcli con up static-ens3 (uses connection name, not interface name) nmcli dev disconnect ens3
Most connections have autoconnect enabled, `nmcli connection down` is ineffective for stopping traffic.
nmcli con mod "profile name" connection.autoconnect no
Add interface (/etc/NetworkManager/system-connections/[interface].nmconnection
nmcli con add con-name eno2 type ethernet ifname eno2 nmcli con add con-name eno3 type ethernet ifname eno3 ipv4.method manual ipv4.addresses 192.168.0.5/24 ipv4.gateway 192.168.0.254 nmcli con add con-name eno4 type ethernet ifname eno4 ipv6.addresses 2001:db8:0:1::c000:207/64 ipv6.gateway 2001:db8:0:1::1 ipv6.method manual ipv4.addresses 192.0.2.7/24 ipv4.gateway 192.0.2.1 ipv4.method manual
Modify existing.
nmcli con mod static-ens3 ipv4.addresses 192.0.2.2/24 ipv4.gateway 192.0.2.254 connection.autoconnect yes nmcli con mod static-ens3 +ipv4.dns 2.2.2.2 nmcli con reload "profile name"
nmcli con del static-ens3
To change DHCP to be static. set ipv4.method=manual (vs auto or dhcp), same for ipv6.method.
VM interfaces
VMWare interfaces are created in the following order
- ens192
- ens224
- ens256
- ens161
Static Routes
Temporary ip route add 172.16.5.0/24 via 10.0.0.101 dev eth0
ip route delete 192.168.0.0/16 dev ens256 scope link metric 1005
/etc/sysconfig/network-scripts/route-eth0
172.16.5.0/24 via 10.0.0.101 dev eth0
Remember to bounce the interface after
ifdown eth0 ifup eth0
Blackhole
ip route add blackhole <ip or range>
Dummy Interface
$ cat /etc/modules-load.d/dummy.conf # Load dummy.ko at boot dummy $ cat /etc/modprobe.d/dummy.conf install dummy /sbin/modprobe --ignore-install dummy; /sbin/ip link set name ethdummy1 dev dummy0 $ cat /etc/sysconfig/network-scripts/ifcfg-ethdummy1 NAME=ethdummy1 DEVICE=ethdummy1 MACADDR=00:22:22:ff:ff:ff IPADDR=10.10.10.1 NETMASK=255.255.255.0 ONBOOT=yes TYPE=Ethernet NM_CONTROLLED=no
Process to Port/Sockets
ps -ef | grep nginx root 20501 1 0 Mar24 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf sudo lsof -nnp 20501 OMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME nginx 20501 root cwd DIR 253,0 224 64 / nginx 20501 root rtd DIR 253,0 224 64 / nginx 20501 root txt REG 253,0 1342640 50764597 /usr/sbin/nginx nginx 20501 root 8u IPv4 61372 0t0 TCP 172.29.17.4:http (LISTEN)
Optics Diagnostics
Output is similar to a Juniper
ethtool -m [interface]
Tools
- mtr - traceroute
- ss -plunt : socket state (p=process, l=listening, u=udp, n=names to numbers, t=tcp)
- ss -ta : connections
interface statistics
ip -s link show ens3 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 52:54:00:00:00:0a brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 269850 2931 0 0 0 0 TX: bytes packets errors dropped carrier collsns 300556 3250 0 0 0 0
ipv6
- ip -6 a
- ip -6 r
dns
upto 3 sufixes for searching and upto 3 dns servers sufixes are searched in order (left to right) /etc/resolv.conf
search lab.example.com example.com nameserver 172.35.200.200
Hostname
Static Hostname
/etc/hostname
Set Hostname
hostnamectl hostname blah.example.com hostnamectl status
Transient Hostnames come from dhcp allocation
Screen
Terminal multiplexer. https://linuxize.com/post/how-to-use-linux-screen/
Start a 'window' screen
or to give the session a name screen -S 'hello_world'
To exit exit [enter]
To detach from the session ctrl + a , d)
Show windows/terminals screen -ls
Re-attach screen -r [number or sesssion_name]
Scrollback start with -h [numlines]
to access - use copy mode
ctrl-A, Esacpe
, [then up/down], Escape
to return.
Locale Problems
This is an issue with Mobaxterm/WSL/Ubuntu not centos which sets the locale as C.UTF-8
, but here is a work around - add the following to your .bashrc file (seriously, there is something wrong with mobaxterm and this was the only fix (read: crude workaround)
export LANGUAGE=en_US.UTF-8 export LANG=en_US.UTF-8 export LC_ALL=en_US.UTF-8 export LC_CTYPE=en_US.UTF-8
Appears mobaxterm is built from cygwin sources which defaults to C.UTF-8 (which is an extended char set of en_US.UTF-8) - however some centos boxes do not know about the C variant so complain.
Normal fix (that Mobaxterm seems to ignore and set to C.UTF.8)
sudo locale-gen en_US.UTF-8 sudo update-locale LANG=en_US.UTF-8
Packages / rpms
list installed yum list installed
Remember to stop the service first :)
systemctl stop httpd
Add a specific package version
Show what versions are available
yum list httpd --showduplicates Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.xnet.co.nz * centos-sclo-rh: mirror.xnet.co.nz * centos-sclo-sclo: mirror.xnet.co.nz * epel: mirror.xnet.co.nz * extras: mirror.xnet.co.nz * remi-php73: mirrors.mediatemple.net * remi-safe: mirrors.mediatemple.net * updates: mirror.xnet.co.nz Available Packages httpd.x86_64 2.4.6-90.el7.centos base httpd.x86_64 2.4.41-4.codeit.el7
To install a particular one
sudo yum install httpd-2.4.6-90.el7.centos
Use yum to download an rpm and not install it
yum install --downloadonly --downloaddir=<directory> <package>
Extract contents of an rpm
rpm2cpio ./rrdtool-1.7.2-14.el7.src.rpm | cpio -idmv
Downgrade package
yum downgrade vsftpd-2.0.5-12.el5
Creating rpms / packages
https://rpm-packaging-guide.github.io/
Noting that `Source0` can be a compressed archive that will be uncompressed once it is fetched.
EPEL Packages
Example, source: https://github.com/phaag/nfdump
EPEL EL9 Build https://koji.fedoraproject.org/koji/buildinfo?buildID=2105011
Get source rpm and extract
rpm2cpio nfdump-1.7.1-1.el9.src.rpm | cpio -idmv
Signing local packages
Resign packages that have sha1 gpg keys
gpg --gen-key
gpg -a --export KEYID > /root/CUSTOMER-GPG-KEY
~/.rpmmacros
%_signature gpg
%_gpg_name KEYID
rpm --resign rpmname.rpm
And share the GPG key and the resigned RPM in the new repository
Logging
To see the logs going to /var/log/messages for a particular service
sudo journalctl -u openli-provisioner.service
To follow a service's logs
sudo journalctl --follow -u openli-provisioner.service
Firewall
History
- ipchains
- iptables
- nftables (based upon netfilter framework) - applies to both ipv4 and ipv6
- firewalld
Source address defines the zone, if no match the interface defines the zone, else the default zone is used
Non-persistent (runtime) settings
firewall-cmd --get-default-zone
firewall-cmd --list-all
Installed with the package
/usr/lib/firewalld/zones/public.xml
/usr/lib/firewalld/services/RH-Satellite-6.xml
Persistent
firewall-cmd --zone=public --add-port=3000/tcp --permanent
firewall-cmd --reload
firewall-cmd --runtime-to-permanent
/etc/firewalld/zones/public.xml
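The zone lookup order above (source address, then interface, then default zone) is easy to get wrong when auditing a ruleset, so here is an added example (not from these notes, and not firewalld's own code) that reimplements that lookup over constructed source and interface bindings. Real firewalld reads these bindings from the zone XML files; the zone names, addresses and interface names below are constructed for the example.

```shell
#!/bin/sh
# Added example: firewalld zone selection (source -> interface -> default),
# reimplemented over constructed tables so it runs offline.
ZONE_SOURCES='10.87.0.0/16 trusted
192.168.1.10/32 work'
ZONE_INTERFACES='eth0 public
eth1 internal'
DEFAULT_ZONE=public

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR $2 (e.g. 10.87.0.0/16).
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (1 << 32) - (1 << (32 - bits)) ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print the zone a packet from source $1 arriving on interface $2 lands in:
# a source binding wins, then the interface binding, then the default zone.
select_zone() {
    src=$1; iface=$2
    while read -r cidr zone; do
        if [ -n "$cidr" ] && in_cidr "$src" "$cidr"; then
            printf '%s\n' "$zone"; return 0
        fi
    done <<EOF
$ZONE_SOURCES
EOF
    while read -r ifname zone; do
        if [ "$ifname" = "$iface" ]; then
            printf '%s\n' "$zone"; return 0
        fi
    done <<EOF
$ZONE_INTERFACES
EOF
    printf '%s\n' "$DEFAULT_ZONE"
}

select_zone 10.87.3.4 eth0      # trusted: the source binding wins over eth0's zone
select_zone 172.16.0.1 eth1     # internal: no source match, interface binding
select_zone 172.16.0.1 eth9     # public: falls through to the default zone
```

The first call is the one worth remembering when reviewing a host: an interface bound to a restrictive zone still admits traffic from any source range that is bound to a more permissive zone, because the source binding is consulted first.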
el9 iptables --> nftables
sudo systemctl status nftables
Systemd
Systemd daemon(pid=1)
- Path (watches files)
- systemctl list-units -t path
- Mount (controls mounts)
- Timer (scheduling)
- Slice (resource management)
- Socket (listens on port)
- Target (groups units)
- Service (Daemons)
- systemctl list-units --type=service
Don't edit the unit files in
/usr/lib/systemd/system/[service].service
instead use drop-in files (these are shown when systemctl status [service] is run)
/etc/systemd/system/[service].service.d/99-custom.conf
systemd Dependencies
systemctl list-dependencies graphical.target | grep target
systemctl
List all enabled services
sudo systemctl list-unit-files | grep enabled
After a service is changed or fstab, systemd needs to be reloaded to register the new configuration
sudo systemctl daemon-reload
Selinux Policies
Look at audit log for deny messages
sudo ausearch -c 'process/context' --raw
Readable rules
grep context_t /var/log/audit/audit.log | audit2allow -w
Generate rules
grep context_t /var/log/audit/audit.log | audit2allow -M somepolicy
Refer to the following for possible permissions
cat /usr/share/selinux/devel/include/support/obj_perm_sets.spt
Modify the te file, then place it in a folder and run in the same folder:
make -f /usr/share/selinux/devel/Makefile
Import the policy
sudo semodule -i somepolicy.pp
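Before turning the audit2allow output into a module, it is worth seeing exactly which allow rules the denials would produce. The following is an added example (not from these notes, and not audit2allow itself) that extracts the source type, target type, object class and permissions from AVC lines and prints the rules audit2allow would propose, plus a per-domain count for triage. The audit lines and the mydaemon_t domain are constructed for the example.

```shell
#!/bin/sh
# Added example: AVC denials -> proposed allow rules, for review against
# obj_perm_sets.spt before building a module. Log lines are constructed;
# mydaemon_t is a hypothetical domain.
AVC_LOG='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="mydaemon" name="config.yml" dev="vda1" ino=789 scontext=system_u:system_r:mydaemon_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_bind } for  pid=1234 comm="mydaemon" src=8080 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.789:458): avc:  denied  { read } for  pid=1234 comm="mydaemon" name="config.yml" dev="vda1" ino=789 scontext=system_u:system_r:mydaemon_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.789:458): arch=c000003e syscall=257 success=no exit=-13'

# Read audit lines on stdin; print one "allow SRC TGT:CLASS { perms };" per
# distinct denial, in first-seen order. The type is field 3 of a context.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        match($0, /[{][^}]*[}]/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), p, ":"); src = p[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); tgt = p[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        rule = sprintf("allow %s %s:%s { %s };", src, tgt, cls, perms)
        if (!seen[rule]++) print rule
    }'
}

# Count denials per source domain ("count domain" per line) for triage.
avc_by_domain() {
    awk '/avc: *denied/ { for (i = 1; i <= NF; i++) if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); n[p[3]]++ } }
         END { for (d in n) print n[d], d }' | sort -rn
}

printf '%s\n' "$AVC_LOG" | avc_to_allow
printf '%s\n' "$AVC_LOG" | avc_by_domain
```

Reading the rules this way shows why blindly running audit2allow -M is risky: the second denial would grant mydaemon_t the right to bind an http_cache port, which may be a misconfiguration to fix with a port label rather than a permission to grant.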
Temporary
1. Set SELinux mode to permissive temporarily (without reboot). The setenforce command switches between enforcing and permissive mode. To change to permissive mode:
setenforce 0
Permanent
Create a module
File types in the module
sepolicy generate --init /usr/local/bin/mydaemon
Created the following files:
/home/example.user/mysepol/mydaemon.te # Type Enforcement file
/home/example.user/mysepol/mydaemon.if # Interface file
/home/example.user/mysepol/mydaemon.fc # File Contexts file
/home/example.user/mysepol/mydaemon_selinux.spec # Spec file
/home/example.user/mysepol/mydaemon.sh # Setup Script
Detailed process https://blog.pythian.com/selinux-and-mysql-log-rotation-issue/
Port Labelling
semanage port -l
semanage port -m -t ssh_port_t -p tcp 23
Local Modifications
semanage port -l -C
Networking
Use this iproute command         Instead of this net-tools command
ip addr                          ifconfig -a
ss                               netstat
ip route                         route
ip maddr                         netstat -g
ip link set eth0 up              ifconfig eth0 up
ip -s neigh                      arp -v
ip link set eth0 mtu 9000        ifconfig eth0 mtu 9000
ntp
ntpd el6, chrony el7,8,9
sudo sntp -sS ntp_server
sudo sntp -sS 130.217.74.61
can use internetnz (is part of public pool) 202.46.177.18
Stratum
- 0 = Reference Clock
- 1 = Directly attached to Reference Clock
- 2 = a server that synchronizes time from a ntp server
Find/set timezones
timedatectl list-timezones | grep -i auckland
timedatectl set-timezone Pacific/Auckland
check with
timedatectl
Disable ntp
timedatectl set-ntp false
The chronyd service tracks the RTC offset/drift against the NTP servers
chronyc sources -v
RHEL 9
- Satellite Server - repo mirror for RHEL Packages
DNF
DNF (Dandified YUM) replaced YUM as the package manager in Red Hat Enterprise Linux 9
yum was based on Python 2; dnf uses Python 3. DNF resolves software dependencies.
dnf search all 'web server'
dnf info httpd
dnf provides /var/www/html
dnf history
dnf group install GROUPNAME
dnf localinstall [path].rpm
dnf repos
Add repos by adding a file under /etc/yum.repos.d/[blah].repo
cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
dnf repolist all
dnf config-manager --enable 'reponame'
Creating a local repo
download rpms (and dependencies)
dnf download --resolve [package]
dnf install createrepo
createrepo .
This creates a repodata folder with the repo data.
[customrepo]
name=long name of customrepo
baseurl=https://localpath/custom_repo/
enabled=true
gpgcheck=false
(gpgcheck=false skips signature verification entirely; for anything beyond a throwaway lab repo, sign the packages as in "Signing local packages" above and use gpgcheck=1 with a gpgkey= line.)
Reset root password
Reboot system, Interrupt the boot-loader
Move the cursor to the kernel entry with rescue in its name, 'e' to edit
append 'rd.break' to the line starting with 'linux', then ctrl-x
mount -o remount,rw /sysroot
chroot /sysroot
passwd root
touch /.autorelabel
exit (the chroot jail), then exit again to leave the initramfs debug shell (n.b. the /.autorelabel file causes all files to be relabelled; the alternative is to do the following before exiting the chroot)
load_policy -i
restorecon -FvR /etc/shadow
Check if a package has been patched for a CVE
rpm -q --changelog [package] | grep CVE
Disk management
Physical Volume (disk / block dev) --> Volume Group --> Logical Volume --> Filesystem
Add Physical Volumes to a Volume Group. Divide the Volume Group into Logical Volumes. Add a filesystem to the Logical Volume.
Can keep adding Physical Volumes (disks) to the volume group to grow it (and in-turn grow the logical volume).
- Physical Volume commands start with `pv`
- pvs - Physical Volume Show
- pvdisplay /dev/vdb1
- Volume Group commands start with `vg`
- vgs - Volume Group Show
- vgdisplay vg01
- Logical Volume commands start with `lv`
- lvs Logical Volume show
Build LVM Storage
Optional Partitioning
parted /dev/vdb mklabel gpt mkpart primary 1MiB 769MiB
parted /dev/vdb mkpart primary 770MiB 1026MiB
parted /dev/vdb set 1 lvm on
parted /dev/vdb set 2 lvm on
udevadm settle
Create Physical Volumes
pvcreate /dev/vdb1 /dev/vdb2
Create a Volume Group
vgcreate vg01 /dev/vdb1 /dev/vdb2
Create a Logical Volume
lvcreate -n lv01 -L 300M vg01
Extend LVM Storage
Prepare / add new physical volumes to a Volume Group
parted /dev/vdb mkpart primary 1072MiB 1648MiB
parted /dev/vdb set 3 lvm on
udevadm settle
pvcreate /dev/vdb3
Extend the Volume group
vgextend vg01 /dev/vdb3
Extend the Logical Volume
lvextend -L +500M /dev/vg01/lv01
Extend the XFS File System (note xfs can not be shrunk!)
xfs_growfs /mnt/data
Extend the ext4 File system to the LV Size
resize2fs /dev/vg01/lv01
Containers
- Container Images
- buildah
- podman
- registries
- registry.redhat.io - images/products maintained by redhat
- registry.community.redhat.com - 3rd party
- quay.io - community contributed
- Management tools
- podman - manages containers and container images
- skopeo - inspects, copies, deletes and signs images
- buildah - creates container images
- kubernetes (openshift)
- Container runtimes
- runc
- cri-o
- docker
Container tools
sudo dnf install container-tools
Redhat Container Catalog https://access.redhat.com/containers
Redhat UBI (Universal Base Image) - minimized container image to deploy as the first layer
podman login --username [username] --password-stdin registry.access.redhat.com
Container Registries
/etc/containers/registries.conf
$HOME/.config/containers/registries.conf
podman pull registry.access.redhat.com/ubi8/ubi:latest
Container files (a Containerfile, the podman counterpart of a Dockerfile) hold the instructions on how to build an image
Containerfile
FROM registry.access.redhat.com/ubi8/ubi:latest
RUN dnf install -y python3
CMD ["/bin/bash", "-c", "echo hello"]
View information about an image
skopeo inspect docker://registry.path/image
podman build     Build a container image with a container file.
podman run       Run a command in a new container.
podman images    List images in local storage.
podman ps        Print information about containers.
podman inspect   Display configuration of a container, image, volume, network, or pod.
podman pull      Download an image from a registry.
podman cp        Copy files or directories between a container and the local file system.
podman exec      Execute a command in a running container.
podman rm        Remove one or more containers.
podman rmi       Remove one or more locally stored images.
podman search    Search a registry for an image.
Show all containers including those that have exited.
podman ps -a
(-d disconnected)
podman run -d registry/path/image:latest
podman exec -it [container_name] bash   <--- interactive terminal
podman cp /host/dir/file [container_name]:/container_path/file
Storage
$HOME/.local/share/containers/storage
- selinux context for volume mounts `container_file_t`
- el9 - podman 4 has DNS lookup for container IPs, so containers in the same network can reach each other by name
podman network create --gateway 10.87.0.1 --subnet 10.87.0.0/17 test_net
podman exec -it client01 dnf install -y iputils iproute
podman exec -it client01 ping -c3 otherhost02
podman container logs [container_name]
Forwarding Ports + Volumes
Port Forwarding
podman run -d --name web -p [container_host_port]:[container/image_port] path/to/image:latest
podman run -d --name web -p 8081:8080 -v [container_host_dir]:[container/mount]:Z path/to/image:latest
podman run -d --name web -p 8081:8080 -v /home/kiosk/web1:/var/www/html:Z qyau.io/image/httpd:latest
environment variables -e KEY=value
volume `:Z` applies the SELinux context to the host directory if it doesn't already have it.
set volume permissions for container process uid and gid
podman unshare chown uid:gid /container/host/dir
where uid:gid are from the running user inside the container
podman systemd
podman generate systemd --name [container] --files --new   --> put the generated unit under $HOME/.config/systemd/user
systemctl --user daemon-reload
loginctl enable-linger