Centos7-RHEL9
Relationship with Fedora, Redhat
Fedora --> Redhat --> Centos, all run by the Redhat company.
- Fedora - Free - the main project; a community-based, free distro focused on quick releases of new features and functionality.
- Redhat - Paid - the corporate version based on the progress of that project, and it has slower releases, comes with support, and isn’t free.
- CentOS - Free - essentially the community version of Redhat. So it’s pretty much identical, but it is free and support comes from the community as opposed to Redhat itself.
Development
To make life super easy for the first cut of something
See current SELinux settings
sestatus
Disable SELinux (till next reboot)
sudo setenforce 0
Disable firewall
service firewalld stop
systemctl disable firewalld
Disable SELinux (persists across reboots)
In /etc/selinux/config change SELINUX=enforcing --> SELINUX=permissive, then reboot.
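The three shortcuts above are easy to forget about once the "first cut" works. The following is an added example, not part of the original notes: a small check that reports whether a host is still in that state (SELinux not enforcing now or after reboot, firewalld stopped or disabled). The helpers take command output as text, so they run against the constructed sestatus samples included here as well as against a live host; the systemctl answers are the usual active/inactive and enabled/disabled strings.

```shell
#!/bin/sh
# Added example, not part of the original notes: report whether a host is still in
# the "first cut" state described above (SELinux not enforcing, firewalld off).
# The helpers take command output as text, so they run against the constructed
# samples below as well as against a live host.

# Print the value of a "Key:   value" line from `sestatus` output.
# $1 = sestatus output, $2 = key (e.g. "Current mode")
sestatus_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 == key { print $2; exit }'
}

# Print one line per finding; the exit status is the number of findings (0 = clean).
# $1 = sestatus output
# $2 = output of `systemctl is-active firewalld`  (active|inactive|unknown)
# $3 = output of `systemctl is-enabled firewalld` (enabled|disabled|...)
hardening_findings() {
    findings=0
    status=$(sestatus_field "$1" "SELinux status")
    current=$(sestatus_field "$1" "Current mode")
    config=$(sestatus_field "$1" "Mode from config file")
    if [ "$status" != "enabled" ]; then
        echo "SELinux is ${status:-unknown} (check /etc/selinux/config)"
        findings=$((findings + 1))
    else
        if [ "$current" != "enforcing" ]; then
            echo "SELinux current mode is $current (setenforce 0 still in effect?)"
            findings=$((findings + 1))
        fi
        if [ "$config" != "enforcing" ]; then
            echo "SELinux will come up $config after reboot (/etc/selinux/config)"
            findings=$((findings + 1))
        fi
    fi
    if [ "$2" != "active" ]; then
        echo "firewalld is ${2:-unknown} (service firewalld stop?)"
        findings=$((findings + 1))
    fi
    if [ "$3" != "enabled" ]; then
        echo "firewalld is ${3:-unknown} at boot (systemctl disable firewalld?)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a box after `setenforce 0`, `service firewalld stop` and
# `systemctl disable firewalld`, with /etc/selinux/config untouched.
LAB_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

# Constructed sample: a box that is ready to face a network.
PROD_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing'

# Live check (read-only commands); skipped where sestatus/systemctl are absent.
if command -v sestatus >/dev/null 2>&1 && command -v systemctl >/dev/null 2>&1; then
    hardening_findings "$(sestatus 2>/dev/null)" \
        "$(systemctl is-active firewalld 2>/dev/null)" \
        "$(systemctl is-enabled firewalld 2>/dev/null)" \
        && echo "OK: SELinux enforcing and firewalld running"
fi
```

Against the LAB_SESTATUS sample with firewalld inactive and disabled the function prints three findings and exits 3; the PROD_SESTATUS sample with firewalld active and enabled exits 0.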
Interfaces
vi /etc/sysconfig/network-scripts/ifcfg-eth0
Create a file named /etc/sysconfig/network-scripts/ifcfg-eth0 as follows:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=192.168.2.203
Restart the network service:
systemctl restart network
VM interfaces
VMWare interfaces are created in the following order
- ens192
- ens224
- ens256
- ens161
Default Route
Temporary
$ route del default gw <default_gateway_ip>
$ route add default gw <default_gateway_ip>
Permanent
In /etc/sysconfig/network set:
GATEWAY=<new_default_gateway_ip>
Static Routes
Temporary
ip route add 172.16.5.0/24 via 10.0.0.101 dev eth0
ip route delete 192.168.0.0/16 dev ens256 scope link metric 1005
Permanent: add the route to /etc/sysconfig/network-scripts/route-eth0
172.16.5.0/24 via 10.0.0.101 dev eth0
Remember to bounce the interface afterwards:
ifdown eth0
ifup eth0
Blackhole
ip route add blackhole <ip or range>
Dummy Interface
$ cat /etc/modules-load.d/dummy.conf
# Load dummy.ko at boot
dummy

$ cat /etc/modprobe.d/dummy.conf
install dummy /sbin/modprobe --ignore-install dummy; /sbin/ip link set name ethdummy1 dev dummy0

$ cat /etc/sysconfig/network-scripts/ifcfg-ethdummy1
NAME=ethdummy1
DEVICE=ethdummy1
MACADDR=00:22:22:ff:ff:ff
IPADDR=10.10.10.1
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
NM_CONTROLLED=no
Process to Port/Sockets
ps -ef | grep nginx
root     20501     1  0 Mar24 ?        00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf

sudo lsof -nnp 20501
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
nginx   20501 root  cwd    DIR  253,0      224       64 /
nginx   20501 root  rtd    DIR  253,0      224       64 /
nginx   20501 root  txt    REG  253,0  1342640 50764597 /usr/sbin/nginx
nginx   20501 root    8u  IPv4  61372      0t0      TCP 172.29.17.4:http (LISTEN)
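Going the other way (from listening sockets to processes, for the whole host rather than one PID) is the more useful inventory when checking what a box exposes. The following is an added example, not part of the original notes: a parser for `ss -ltnp` output (the iproute replacement for netstat, see the Networking table below) that prints one line per listening TCP socket and owning process, labelling wildcard binds as "any" so exposed listeners stand out. The sample input is constructed in the `ss -ltnp` layout; the ss column positions assumed are State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process.

```shell
#!/bin/sh
# Added example, not part of the original notes: answer the process-to-socket
# question from `ss -ltnp` for every listener on the host. Wildcard binds are
# labelled "any" so exposed listeners stand out.

# Read `ss -ltnp` output on stdin; print "port bind process pid" per listener.
listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":")
        port = a[n]
        bind = substr($4, 1, length($4) - length(port) - 1)
        if (bind == "0.0.0.0" || bind == "[::]" || bind == "::" || bind == "*")
            bind = "any"
        users = $6
        # users:(("nginx",pid=20503,fd=8),("nginx",pid=20501,fd=8)) -> one line per process
        while (match(users, /\("[^"]+",pid=[0-9]+/)) {
            entry = substr(users, RSTART + 2, RLENGTH - 2)
            split(entry, p, "\",pid=")
            print port, bind, p[1], p[2]
            users = substr(users, RSTART + RLENGTH)
        }
    }' | sort -u
}

# Constructed sample in `ss -ltnp` format (header included, as ss prints it).
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=1123,fd=3))
LISTEN 0      511      172.29.17.4:80        0.0.0.0:*    users:(("nginx",pid=20503,fd=8),("nginx",pid=20501,fd=8))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=1123,fd=4))'

printf '%s\n' "$SS_SAMPLE" | listeners
# Live use (process names need root): sudo ss -ltnp | listeners
```

On the sample this prints sshd on port 22 bound to "any" once (the IPv4 and IPv6 entries collapse under sort -u) and the two nginx processes on 172.29.17.4:80.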
Optics Diagnostics
Output is similar to Juniper's optics diagnostics.
ethtool -m [interface]
Screen
Terminal multiplexer. https://linuxize.com/post/how-to-use-linux-screen/
Start a 'window':
screen
or give the session a name:
screen -S 'hello_world'
To exit:
exit [enter]
To detach from the session:
ctrl + a, d
Show windows/sessions:
screen -ls
Re-attach:
screen -r [number or session_name]
Scrollback: start with -h [numlines]
To access it, use copy mode: ctrl + a, Escape, [then up/down], Escape to return.
Locale Problems
This is an issue with MobaXterm/WSL/Ubuntu (which set the locale to C.UTF-8), not CentOS, but here is a workaround: add the following to your .bashrc file (seriously, there is something wrong with MobaXterm and this was the only fix (read: crude workaround)).
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8
It appears MobaXterm is built from Cygwin sources, which default to C.UTF-8 (an extended character set of en_US.UTF-8); however some CentOS boxes do not know about the C variant and complain.
Normal fix (which MobaXterm seems to ignore, setting C.UTF-8 anyway):
sudo locale-gen en_US.UTF-8
sudo update-locale LANG=en_US.UTF-8
Packages / rpms
List installed packages:
yum list installed
Remember to stop the service first :)
systemctl stop httpd
Add a specific package version
Show what versions are available
yum list httpd --showduplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.xnet.co.nz
 * centos-sclo-rh: mirror.xnet.co.nz
 * centos-sclo-sclo: mirror.xnet.co.nz
 * epel: mirror.xnet.co.nz
 * extras: mirror.xnet.co.nz
 * remi-php73: mirrors.mediatemple.net
 * remi-safe: mirrors.mediatemple.net
 * updates: mirror.xnet.co.nz
Available Packages
httpd.x86_64    2.4.6-90.el7.centos    base
httpd.x86_64    2.4.41-4.codeit.el7
To install a particular one
sudo yum install httpd-2.4.6-90.el7.centos
Use yum to download an rpm and not install it
yum install --downloadonly --downloaddir=<directory> <package>
Extract contents of an rpm
rpm2cpio ./rrdtool-1.7.2-14.el7.src.rpm | cpio -idmv
Downgrade package
yum downgrade vsftpd-2.0.5-12.el5
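Pinned versions, downgrades and --downloadonly rpms often come from third-party repos (the codeit and remi mirrors in the yum output above), so it is worth knowing who signed a package before it goes on. The following is an added example, not part of the original notes: a classifier for `rpm -K` output plus a loop that installs only rpms whose signature verified. The output formats it recognises are assumptions taken from rpm 4.11 (EL7: "pgp ... OK") and rpm 4.14+ (EL8/EL9: "digests signatures OK"); the sample lines and the key id placeholder are constructed, and `install_verified` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not part of the original notes: classify what `rpm -K` says about
# an rpm before installing it. Output formats handled are assumptions from
# rpm 4.11 (EL7) and rpm 4.14+ (EL8/EL9); check against your own rpm if in doubt.

# $1 = one line of `rpm -K` output. Prints: signed-ok | unsigned | bad | unknown
rpm_sig_verdict() {
    case "$1" in
        *"NOT OK"*) echo bad ;;           # bad signature, or signing key not imported
        *" OK")
            case "$1" in
                *[pP][gG][pP]*|*signatures*) echo signed-ok ;;   # EL7 "pgp", EL8+ "signatures"
                *) echo unsigned ;;       # digests only: nobody vouches for this package
            esac ;;
        *) echo unknown ;;
    esac
}

# Verify every rpm in a directory (e.g. the --downloaddir used above) and install
# only the ones whose signature checks out. Prints "verdict file" for each.
# Hypothetical usage: install_verified /tmp/rpms
install_verified() {
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        verdict=$(rpm_sig_verdict "$(rpm -K "$f" 2>&1)")
        echo "$verdict $f"
        if [ "$verdict" = "signed-ok" ]; then
            sudo yum install -y "$f"
        fi
    done
}

# Constructed sample lines, one per rpm generation (key id is a placeholder):
EL7_SIGNED='httpd-2.4.6-90.el7.centos.x86_64.rpm: rsa sha1 (md5) pgp md5 OK'
EL7_UNSIGNED='mytool-1.0-1.el7.x86_64.rpm: sha1 md5 OK'
EL7_NOKEY='httpd-2.4.41-4.codeit.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#KEYID-PLACEHOLDER)'
EL9_SIGNED='nfdump-1.7.1-1.el9.x86_64.rpm: digests signatures OK'
EL9_BAD='nfdump-1.7.1-1.el9.x86_64.rpm: digests SIGNATURES NOT OK'

for line in "$EL7_SIGNED" "$EL7_UNSIGNED" "$EL7_NOKEY" "$EL9_SIGNED" "$EL9_BAD"; do
    echo "$(rpm_sig_verdict "$line")  <-  $line"
done
```

The "unsigned" verdict is the one people miss: `rpm -K` still says OK when only the digests match, so a package nobody signed looks fine unless the pgp/signatures word is checked for.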
Creating rpms / packages
https://rpm-packaging-guide.github.io/
Noting that `Source0` can be a compressed archive that will be uncompressed once it is fetched.
EPEL Packages
Example, source: https://github.com/phaag/nfdump
EPEL EL9 Build https://koji.fedoraproject.org/koji/buildinfo?buildID=2105011
Get source rpm and extract
rpm2cpio nfdump-1.7.1-1.el9.src.rpm | cpio -idmv
Logging
To see the logs going to /var/log/messages for a particular service:
sudo journalctl -u openli-provisioner.service
To watch a service's logs as they arrive:
sudo journalctl --follow -u openli-provisioner.service
Firewall
firewall-cmd --zone=public --add-port=3000/tcp --permanent
firewall-cmd --reload
systemctl
List all enabled services
sudo systemctl list-unit-files | grep enabled
Selinux Policies
Look at audit log for deny messages
sudo ausearch -c 'process/context' --raw
Readable rules
grep context_t /var/log/audit/audit.log | audit2allow -w
Generate rules
grep context_t /var/log/audit/audit.log | audit2allow -M somepolicy
Refer to the following for possible permissions
cat /usr/share/selinux/devel/include/support/obj_perm_sets.spt
Modify the .te file, then place it in a folder and run the following in that folder:
make -f /usr/share/selinux/devel/Makefile
Import the policy
sudo semodule -i somepolicy.pp
Temporary
Set SELinux to permissive temporarily (without a reboot). The setenforce command switches between enforcing and permissive mode. To change to permissive mode:
setenforce 0
Permanent
Create a module
File Types in the module
sepolicy generate --init /usr/local/bin/mydaemon
Created the following files:
/home/example.user/mysepol/mydaemon.te # Type Enforcement file
/home/example.user/mysepol/mydaemon.if # Interface file
/home/example.user/mysepol/mydaemon.fc # File Contexts file
/home/example.user/mysepol/mydaemon_selinux.spec # Spec file
/home/example.user/mysepol/mydaemon.sh # Setup Script
Detailed process https://blog.pythian.com/selinux-and-mysql-log-rotation-issue/
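Before running `audit2allow -M` over a grep of the audit log it pays to see what the denials actually are, otherwise the generated module grants everything the grep matched. The following is an added example, not part of the original notes: a summariser for AVC records from /var/log/audit/audit.log that groups denials by source type, target type, class and permission, and shows whether each was blocked (permissive=0) or only logged (permissive=1, the state after the `setenforce 0` step above, which is how a complete set of denials is collected). The audit lines are constructed; mydaemon_t is a hypothetical type.

```shell
#!/bin/sh
# Added example, not part of the original notes: summarise AVC denials so a policy
# module only grants what was actually observed. Reads audit.log lines on stdin.

# Print "count source_type target_type class perms mode", most frequent first.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        m = $0; sub(/.*permissive=/, "", m)
        mode = (m + 0 == 1) ? "permissive" : "enforced"
        # sa[3]/ta[3] are the type fields of user:role:type:level
        n[sa[3] " " ta[3] " " c " " perms " " mode]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample: two denials of nginx writing a log (blocked), one denial of a
# hypothetical mydaemon_t connecting to mysql (logged only, host was permissive),
# plus a non-AVC record that must be ignored.
AVC_SAMPLE='type=AVC msg=audit(1585041234.123:456): avc:  denied  { write } for  pid=20501 comm="nginx" name="access.log" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1585041234.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="nginx" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1585041240.500:461): avc:  denied  { write } for  pid=20501 comm="nginx" name="access.log" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585041300.001:470): avc:  denied  { name_connect } for  pid=20777 comm="mydaemon" dest=3306 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

printf '%s\n' "$AVC_SAMPLE" | avc_summary
# Live use: sudo cat /var/log/audit/audit.log | avc_summary
#       or: sudo ausearch -m avc --raw | avc_summary
```

The grouped lines map directly onto the allow rules `audit2allow -w` would explain, which makes it easy to spot a denial that should be fixed with a file context (restorecon/semanage fcontext) rather than a new allow rule.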
Networking
Use this iproute command        instead of this net-tools command
ip addr                         ifconfig -a
ss                              netstat
ip route                        route
ip maddr                        netstat -g
ip link set eth0 up             ifconfig eth0 up
ip -s neigh                     arp -v
ip link set eth0 mtu 9000       ifconfig eth0 mtu 9000
ntp
sudo sntp -sS ntp_server
sudo sntp -sS 130.217.74.61
You can use InternetNZ (part of the public pool): 202.46.177.18