Centos7-RHEL9
Relationship with Fedora, Redhat
Fedora --> Redhat --> Centos, all run by the Redhat company.
- Fedora - Free - the main project; a community-based, free distro focused on quick releases of new features and functionality.
- Redhat - Paid - the corporate version based on the progress of that project, and it has slower releases, comes with support, and isn’t free.
- CentOS - Free - essentially the community version of Redhat. So it’s pretty much identical, but it is free and support comes from the community as opposed to Redhat itself.
Development SELinux
To make life super easy for the first cut of something:
See the current SELinux settings
sestatus
Disable SELinux (till next reboot)
- centos 7
sudo setenforce 0
- RHEL 9
grubby --update-kernel ALL --args selinux=0
(n.b. grubby adds selinux=0 to the kernel command line, so unlike setenforce this survives reboots; it is the supported way to disable SELinux completely on RHEL 9, and `setenforce 0` still works there for a permissive-until-reboot change)
Disable firewall
service firewalld stop
systemctl disable firewalld
Disable SELinux (permanent)
/etc/selinux/config: SELINUX=enforcing --> permissive, then reboot
Redhat SVC Alerts
grep sealert /var/log/messages
Selinux contexts
- Files --> fcontext
- Ports --> port
- boolean --> boolean
fcontext
show context
$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
(label fields: user:role:type:level)
SELinux user
semanage login -l
level
/etc/selinux/targeted/setrans.conf
Copied files inherit the fcontext of the destination (parent) directory; moved files retain their original fcontext.
Change context (temporary: lasts until the default labels are restored, e.g. by restorecon or a relabel)
chcon -R -t [type] /dir
Change context (permanent)
semanage fcontext -a -t [type] '/dir(/.*)?'
restorecon -FvR /dir    <----------- REMEMBER TO APPLY the new context
List contexts
semanage fcontext -l | grep [thing]
List temporary customisations (not written to selinux db)
semanage fcontext -l -C
Booleans
getsebool -a
setsebool -P httpd_enable_homedirs on    (-P = permanent, survives reboot)
Interfaces
el7
vi /etc/sysconfig/network-scripts/ifcfg-eth0
Create a file named /etc/sysconfig/network-scripts/ifcfg-eth0 as follows:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=192.168.2.203
Restart the network service:
systemctl restart network
el8 and later
In el8 and el9 the ifcfg format in /etc/sysconfig/network-scripts is deprecated; use NetworkManager keyfiles (ini style) in /etc/NetworkManager/system-connections instead.
Static connection properties are stored in /etc/NetworkManager/system-connections/. Dynamic connections (set by DHCP) are not stored persistently.
nmcli dev status
nmcli con show
nmcli con show --active
nmcli con up static-ens3      (uses the connection name, not the interface name)
nmcli dev disconnect ens3
Most connections have autoconnect enabled, so `nmcli connection down` is ineffective for stopping traffic; `nmcli dev disconnect` also blocks autoconnect until the device is reconnected manually.
Add interface (creates /etc/NetworkManager/system-connections/[name].nmconnection)
nmcli con add con-name eno2 type ethernet ifname eno2
nmcli con add con-name eno3 type ethernet ifname eno3 ipv4.method manual ipv4.addresses 192.168.0.5/24 ipv4.gateway 192.168.0.254
nmcli con add con-name eno4 type ethernet ifname eno4 ipv6.addresses 2001:db8:0:1::c000:207/64 ipv6.gateway 2001:db8:0:1::1 ipv6.method manual ipv4.addresses 192.0.2.7/24 ipv4.gateway 192.0.2.1 ipv4.method manual
Modify existing
nmcli con mod static-ens3 ipv4.addresses 192.0.2.2/24 ipv4.gateway 192.0.2.254 connection.autoconnect yes
nmcli con mod static-ens3 +ipv4.dns 2.2.2.2
nmcli con reload          (re-reads the files under system-connections; takes no connection name)
nmcli con up eno2         (re-activate a connection to apply its modified settings)
nmcli con del static-ens3
To change DHCP to be static. set ipv4.method=manual (vs auto or dhcp), same for ipv6.method.
VM interfaces
VMWare interfaces are created in the following order
- ens192
- ens224
- ens256
- ens161
Default Route
Temporary
$ route del default gw <default_gateway_ip>
$ route add default gw <default_gateway_ip>
Permanent
/etc/sysconfig/network
GATEWAY=<new_default_gateway_ip>
Static Routes
Temporary
ip route add 172.16.5.0/24 via 10.0.0.101 dev eth0
ip route delete 192.168.0.0/16 dev ens256 scope link metric 1005
Permanent (el7 ifcfg style)
/etc/sysconfig/network-scripts/route-eth0
172.16.5.0/24 via 10.0.0.101 dev eth0
Remember to bounce the interface after
ifdown eth0
ifup eth0
Blackhole
ip route add blackhole <ip or range>
Dummy Interface
$ cat /etc/modules-load.d/dummy.conf
# Load dummy.ko at boot
dummy

$ cat /etc/modprobe.d/dummy.conf
install dummy /sbin/modprobe --ignore-install dummy; /sbin/ip link set name ethdummy1 dev dummy0

$ cat /etc/sysconfig/network-scripts/ifcfg-ethdummy1
NAME=ethdummy1
DEVICE=ethdummy1
MACADDR=00:22:22:ff:ff:ff
IPADDR=10.10.10.1
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
NM_CONTROLLED=no
Process to Port/Sockets
ps -ef | grep nginx
root 20501 1 0 Mar24 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
sudo lsof -nnp 20501
COMMAND PID   USER FD  TYPE DEVICE SIZE/OFF NODE     NAME
nginx   20501 root cwd DIR  253,0  224      64       /
nginx   20501 root rtd DIR  253,0  224      64       /
nginx   20501 root txt REG  253,0  1342640  50764597 /usr/sbin/nginx
nginx   20501 root 8u  IPv4 61372  0t0      TCP      172.29.17.4:http (LISTEN)
Optics Diagnostics
Output is similar to a Juniper
ethtool -m [interface]
Tools
- mtr : live, repeating traceroute
- ss -plunt : socket state (p=process, l=listening, u=udp, n=numeric, no name resolution, t=tcp)
- ss -ta : connections
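An added example (not from the original notes) that turns `ss -plunt` output into the list of services listening on every address, which is the quick exposure check worth running after opening firewall ports. It assumes the default `ss` column layout and POSIX awk; the sample output is constructed.

```shell
#!/bin/sh
# Print "proto port process" for every listener bound to all addresses
# (0.0.0.0, [::] or *) in `ss -plunt` output read on stdin. Sockets bound to
# a specific address (loopback, one NIC) are skipped; v4/v6 duplicates collapse.
exposed_listeners() {
  awk '
    NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
      n = split($5, a, ":"); port = a[n]          # text after the final ":"
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
      proc = "-"                                  # no -p (or not root): no process column
      if (match($0, /users:\(\("[^"]*"/))
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      key = $1 " " port " " proc
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample of `ss -plunt` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*   users:(("chronyd",pid=812,fd=5))
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*   users:(("rpcbind",pid=640,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511    172.29.17.4:80     0.0.0.0:*   users:(("nginx",pid=20501,fd=8),("nginx",pid=20502,fd=8))
tcp   LISTEN 0      128    [::]:22            [::]:*      users:(("sshd",pid=901,fd=4))
tcp   LISTEN 0      4096   *:3000             *:*         users:(("node",pid=1200,fd=19))'

# Live use: ss -plunt | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the sample this reports rpcbind/111 udp, sshd/22 tcp (once, for both v4 and v6) and node/3000 tcp; nginx and chronyd are bound to one address and are left out.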
Interface statistics
ip -s link show ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:00:0a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    269850     2931     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    300556     3250     0       0       0       0
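An added example (not from the original notes) that scans `ip -s link show` output for the counters worth alarming on (errors, drops, overruns, carrier, collisions) and returns a non-zero status when any is set, so it can gate a health check. It assumes POSIX awk and the counter layout shown above; the sample is constructed.

```shell
#!/bin/sh
# Flag non-zero error/drop counters in `ip -s link show` output read on stdin.
# Prints "iface RX|TX counter value" per offending counter; exit status is 1
# when anything was found, 0 when every interface is clean.
link_errors() {
  awk '
    function report(   i) {
      for (i = 1; i < n; i++)
        if (hdr[i] ~ /errors|dropped|overrun|missed|carrier|collsns/ && v[i] + 0 > 0) {
          printf "%s %s %s %d\n", iface, dir, hdr[i], v[i]; bad = 1
        }
    }
    /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface); next }
    /^ *(RX|TX): / {
      dir = $1; sub(/:$/, "", dir)
      n = split($0, h)                     # "RX: bytes packets errors ..." header
      for (i = 2; i <= n; i++) hdr[i - 1] = h[i]
      getline; split($0, v)                # the counter values on the next line
      report()
    }
    END { if (bad) exit 1 }'
}

# Constructed sample (not captured from a real host): ens3 has drops and errors.
SAMPLE_IPLINK='2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:00:0a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    269850     2931     0       12      0       0
    TX: bytes  packets  errors  dropped carrier collsns
    300556     3250     3       0       0       0
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 52:54:00:00:00:0b brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1024       8        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    2048       16       0       0       0       0'

# Live use: ip -s link show | link_errors || echo "link problems"
printf '%s\n' "$SAMPLE_IPLINK" | link_errors
```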
ipv6
- ip -6 a
- ip -6 r
Screen
Terminal multiplexer. https://linuxize.com/post/how-to-use-linux-screen/
Start a 'window':
screen
or to give the session a name:
screen -S 'hello_world'
To exit: exit [enter]
To detach from the session: ctrl + a, d
Show windows/sessions: screen -ls
Re-attach: screen -r [number or session_name]
Scrollback: start with -h [numlines]
To access the scrollback, use copy mode: ctrl + a, Escape, then up/down; Escape to return.
Locale Problems
This is an issue with Mobaxterm/WSL/Ubuntu (which set the locale to C.UTF-8), not CentOS, but here is a workaround: add the following to your .bashrc file (seriously, there is something wrong with mobaxterm and this was the only fix (read: crude workaround)).
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8
It appears mobaxterm is built from cygwin sources, which default to C.UTF-8 (an extended char set of en_US.UTF-8); however some centos boxes do not know about the C variant, so they complain.
Normal fix (which Mobaxterm seems to ignore, setting C.UTF-8 again):
sudo locale-gen en_US.UTF-8
sudo update-locale LANG=en_US.UTF-8
Packages / rpms
List installed:
yum list installed
Remember to stop the service first :)
systemctl stop httpd
Add a specific package version
Show what versions are available
yum list httpd --showduplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.xnet.co.nz
 * centos-sclo-rh: mirror.xnet.co.nz
 * centos-sclo-sclo: mirror.xnet.co.nz
 * epel: mirror.xnet.co.nz
 * extras: mirror.xnet.co.nz
 * remi-php73: mirrors.mediatemple.net
 * remi-safe: mirrors.mediatemple.net
 * updates: mirror.xnet.co.nz
Available Packages
httpd.x86_64    2.4.6-90.el7.centos    base
httpd.x86_64    2.4.41-4.codeit.el7
To install a particular one
sudo yum install httpd-2.4.6-90.el7.centos
Use yum to download an rpm and not install it
yum install --downloadonly --downloaddir=<directory> <package>
Extract contents of an rpm
rpm2cpio ./rrdtool-1.7.2-14.el7.src.rpm | cpio -idmv
Downgrade package
yum downgrade vsftpd-2.0.5-12.el5
Creating rpms / packages
https://rpm-packaging-guide.github.io/
Noting that `Source0` can be a compressed archive that will be uncompressed once it is fetched.
EPEL Packages
Example, source: https://github.com/phaag/nfdump
EPEL EL9 Build https://koji.fedoraproject.org/koji/buildinfo?buildID=2105011
Get source rpm and extract
rpm2cpio nfdump-1.7.1-1.el9.src.rpm | cpio -idmv
Logging
To see the logs of a particular service (the same lines that go to /var/log/messages)
sudo journalctl -u openli-provisioner.service
To watch a services logs
sudo journalctl --follow -u openli-provisioner.service
Firewall
firewall-cmd --zone=public --add-port=3000/tcp --permanent
firewall-cmd --reload
Systemd
Systemd daemon(pid=1)
- Path (watches files)
- systemctl list-units -t path
- Mount (controls mounts)
- Timer (scheduling)
- Slice (resource management)
- Socket (listens on port)
- Target (groups units)
- Service (Daemons)
- systemctl list-units --type=service
Don't edit the unit files in
/usr/lib/systemd/system/[service].service
Instead use drop-in files (they are listed under "Drop-In:" when systemctl status [service] is run; `systemctl edit [service]` creates one for you):
/etc/systemd/system/[service].service.d/99-custom.conf
systemd Dependencies
systemctl list-dependencies graphical.target | grep target
systemctl
List all enabled services
sudo systemctl list-unit-files | grep enabled
After a service is changed or fstab, systemd needs to be reloaded to register the new configuration
sudo systemctl daemon-reload
Selinux Policies
Look at audit log for deny messages
sudo ausearch -c 'process/context' --raw
Readable rules
grep context_t /var/log/audit/audit.log | audit2allow -w
Generate rules
grep context_t /var/log/audit/audit.log | audit2allow -M somepolicy
Refer to the following for possible permissions
cat /usr/share/selinux/devel/include/support/obj_perm_sets.spt
Modify the te file, then place it in a folder and run in the same folder:
make -f /usr/share/selinux/devel/Makefile
Import the policy
sudo semodule -i somepolicy.pp
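Before turning denials into an allow module with `audit2allow -M`, it is worth seeing exactly what that module would permit, since it allows every denial in its input, including ones that should be fixed with the right fcontext or boolean instead. This added example (not from the original notes) summarises AVC records by process, source and target type, class and permissions; it assumes POSIX awk and sort, and the audit lines are constructed.

```shell
#!/bin/sh
# Summarise AVC denials: one line per distinct (process, source type -> target
# type, class, permissions) with a count and whether SELinux actually blocked
# it (permissive=0) or only logged it (permissive=1).
# Input on stdin: /var/log/audit/audit.log or `ausearch -m avc --raw` output.
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      comm = scon = tcon = cls = perms = mode = ""
      if (match($0, /denied +[{][^}]*[}]/)) {     # "denied  { read write }"
        perms = substr($0, RSTART, RLENGTH)
        sub(/denied +[{] */, "", perms); sub(/ *[}]$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {                  # pick out the key=value fields
        if (split($i, kv, "=") != 2) continue
        if      (kv[1] == "comm")       comm = kv[2]
        else if (kv[1] == "scontext")   scon = kv[2]
        else if (kv[1] == "tcontext")   tcon = kv[2]
        else if (kv[1] == "tclass")     cls  = kv[2]
        else if (kv[1] == "permissive") mode = (kv[2] == "1") ? "permissive" : "enforced"
      }
      gsub(/"/, "", comm)
      split(scon, s, ":"); split(tcon, t, ":")     # user:role:type:level -> keep the type
      count[comm " " s[3] " -> " t[3] " " cls " { " perms " } " mode]++
    }
    END { for (k in count) printf "%5d %s\n", count[k], k }' | sort -rn
}

# Constructed audit records (not from a real system): httpd writing a log in a
# home directory twice, and one connect to the mysql port seen only in permissive.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:501): avc:  denied  { write } for  pid=2201 comm="httpd" name="app.log" dev="dm-0" ino=8472 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.102:502): avc:  denied  { write } for  pid=2201 comm="httpd" name="app.log" dev="dm-0" ino=8472 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.250:503): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# Live use: sudo ausearch -m avc --raw | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

The first summary line points at a label problem (user_home_t under the web root, fixed with semanage fcontext + restorecon), the second at a boolean (httpd_can_network_connect_db); neither needs a custom allow rule.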
Temporary
1. Set SELinux mode to permissive temporarily (without reboot). The setenforce command switches between enforcing and permissive mode. To change to permissive mode:
setenforce 0
Permanent
Create a Module
Files generated for the module:
sepolicy generate --init /usr/local/bin/mydaemon
Created the following files:
/home/example.user/mysepol/mydaemon.te           # Type Enforcement file
/home/example.user/mysepol/mydaemon.if           # Interface file
/home/example.user/mysepol/mydaemon.fc           # File Contexts file
/home/example.user/mysepol/mydaemon_selinux.spec # Spec file
/home/example.user/mysepol/mydaemon.sh           # Setup Script
Detailed process: https://blog.pythian.com/selinux-and-mysql-log-rotation-issue/
Networking
USE THIS IPROUTE COMMAND        INSTEAD OF THIS NET-TOOLS COMMAND
ip addr                         ifconfig -a
ss                              netstat
ip route                        route
ip maddr                        netstat -g
ip link set eth0 up             ifconfig eth0 up
ip -s neigh                     arp -v
ip link set eth0 mtu 9000       ifconfig eth0 mtu 9000
ntp
ntpd on el6; chrony on el7, el8, el9
sudo sntp -sS ntp_server
sudo sntp -sS 130.217.74.61
Can use internetnz (part of the public pool): 202.46.177.18
Stratum
- 0 = Reference Clock
- 1 = Directly attached to Reference Clock
- 2 = a server that synchronizes time from a ntp server
Find/set timezones
timedatectl list-timezones | grep -i auckland
timedatectl set-timezone Pacific/Auckland
check with
timedatectl
Disable ntp
timedatectl set-ntp false
The chronyd service keeps the system clock tracking the ntp servers (offset/drift); show the sources with
chronyc sources -v
RHEL 9
- Satellite Server - repo mirror for RHEL Packages
DNF
DNF (Dandified YUM) replaced YUM as the package manager in Red Hat Enterprise Linux 9
yum was based on Python 2; dnf uses Python 3. DNF resolves software dependencies.
dnf search all 'web server'
dnf info httpd
dnf provides /var/www/html
dnf history
dnf group install GROUPNAME
dnf localinstall [path].rpm
dnf repos
Add repos by adding a file under /etc/yum.repos.d/[blah].repo
cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_9_Everything_x86_64_.repo
[dl.fedoraproject.org_pub_epel_9_Everything_x86_64_]
name=created by dnf config-manager from https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1

[EPEL]
name=EPEL 9
baseurl=https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
(prefer the second form: the stanza written by `dnf config-manager --add-repo` carries no gpgcheck/gpgkey, so nothing pins which key must have signed the packages)
dnf repolist all
dnf config-manager --enable 'reponame'
Creating a local repo
Download rpms (and dependencies)
dnf download --resolve [package]
dnf install createrepo
createrepo .            (run in the directory holding the rpms; createrepo needs the directory as an argument)
This creates a repodata folder with the repo data.
[customrepo]
name=long name of customrepo
baseurl=https://localpath/custom_repo/
enabled=true
gpgcheck=false
(gpgcheck=false means nothing verifies these packages; for a repo served to other hosts, sign the rpms and set gpgcheck=1 with a gpgkey)
Reset root password
Reboot the system and interrupt the boot loader.
Move the cursor to the kernel entry with rescue in its name, press 'e' to edit.
Append 'rd.break' to the line starting with 'linux', then ctrl-x to boot.
mount -o remount,rw /sysroot
chroot /sysroot
passwd root
touch /.autorelabel
exit (leaves the chroot jail), then exit again to leave the initramfs debug shell.
(n.b. the /.autorelabel file causes all files to be relabelled on the next boot; the alternative is to do the following before exiting the chroot)
load_policy -i
restorecon -FvR /etc/shadow
(Anyone with console access can do this, which is why a GRUB password and control over physical/console access matter.)
Disk management
Physical Volume (disk / block dev) --> Volume Group --> Logical Volume --> Filesystem
Add Physical Volumes to a Volume Group. Divide the Volume Group into Logical Volumes. Add a filesystem to the Logical Volume.
Can keep adding Physical Volumes (disks) to the volume group to grow it (and in-turn grow the logical volume).
- Physical Volume commands start with `pv`
  - pvs - Physical Volume Show
  - pvdisplay /dev/vdb1
- Volume Group commands start with `vg`
  - vgs - Volume Group Show
  - vgdisplay vg01
- Logical Volume commands start with `lv`
  - lvs - Logical Volume Show
Build LVM Storage
Optional Partitioning
parted /dev/vdb mklabel gpt mkpart primary 1MiB 769MiB
parted /dev/vdb mkpart primary 770MiB 1026MiB
parted /dev/vdb set 1 lvm on
parted /dev/vdb set 2 lvm on
udevadm settle
Create Physical Volumes
pvcreate /dev/vdb1 /dev/vdb2
Create a Volume Group
vgcreate vg01 /dev/vdb1 /dev/vdb2
Create a Logical Volume
lvcreate -n lv01 -L 300M vg01
Extend LVM Storage
Prepare / add new physical volumes to a Volume Group
parted /dev/vdb mkpart primary 1072MiB 1648MiB
parted /dev/vdb set 3 lvm on
udevadm settle
pvcreate /dev/vdb3
Extend the Volume group
vgextend vg01 /dev/vdb3
Extend the Logical Volume
lvextend -L +500M /dev/vg01/lv01
Extend the XFS file system (note xfs can not be shrunk!)
xfs_growfs /mnt/data
Extend the ext4 file system to the LV size
resize2fs /dev/vg01/lv01
(`lvextend -r -L +500M /dev/vg01/lv01` extends the LV and grows the filesystem in one step)