
____________________________________

Ch1: Kickstart/Anaconda
-----------------------------------
SECTIONS:
1) Locations:

url --url="http://classroom.example.com/..."
repo --baseurl="..."

2) Auth:

rootpw --plaintext PASSWORD

3) Partition:

clearpart --all --initlabel


zerombr
part / --fstype=ext4 --size=4096 --maxsize=100000 --grow
part / --fstype="xfs" --ondisk=vda --size=5120    (two alternative ways of defining '/'; use one of them)

4) Network:

network --device=eth0 --bootproto=dhcp


Other directives:
lang en_US.UTF-8
timezone --utc
rootpw --plaintext redhat
services --disabled=network,iptables,ip6tables --enabled=NetworkManager

5) Config:

group --name=admins --gid=1001
cd /usr/share/
find . -name '*kickstart*.txt' -print
./pykickstart-1.99.43.17/kickstart-docs.txt
** /usr/share/doc/pykickstart-1.99.43.17/kickstart-docs.txt
Sample File: /root/anaconda-ks.cfg
-----------
echo "RUN_FIRSTBOOT=NO" >> /etc/sysconfig/firstboot
- press 'F12' to select the boot media, and choose 'pxe' boot
- on the boot menu, select the appropriate entry (usually the 1st one) and
  press the 'tab' key to see the options
- add/append to the end of the line: ks=http://desktopX.example.com/ks-config/kickstart.cfg
%packages
:
:
%end
lab kickstart setup
- installed the httpd web-server
- created the /var/www/html/ks-config/ directory
cp /home/student/kickstart.cfg /var/www/html/ks-config/
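The rootpw lines above keep the root password in cleartext inside a kickstart file that is then published on a web server, so anyone who can fetch the file can read it. Below is an added example, not part of these notes, that generates the --iscrypted form instead and flags files still using --plaintext; it assumes 'openssl passwd -6' is available and the ks_* function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original notes): build a kickstart rootpw line
# that carries a SHA-512 crypt hash instead of the --plaintext form used above,
# and flag kickstart files that still carry a cleartext root password.
# Assumes 'openssl passwd -6' is available (OpenSSL 1.1.1 or newer).

# ks_rootpw_line PASSWORD [SALT] -> prints 'rootpw --iscrypted $6$SALT$HASH'
ks_rootpw_line() {
    _pw=$1
    _salt=${2:-$(openssl rand -hex 8)}
    _hash=$(printf '%s\n' "$_pw" | openssl passwd -6 -salt "$_salt" -stdin) || return 1
    printf 'rootpw --iscrypted %s\n' "$_hash"
}

# ks_check_plaintext FILE -> returns 0 when no cleartext rootpw is present,
# returns 1 and prints the offending line(s) on stderr when one is.
ks_check_plaintext() {
    _hits=$(grep -n '^[[:space:]]*rootpw[[:space:]].*--plaintext' "$1" || true)
    if [ -n "$_hits" ]; then
        printf 'cleartext rootpw in %s:\n%s\n' "$1" "$_hits" >&2
        return 1
    fi
    return 0
}

# Constructed kickstart fragments; prints "1 0": the weak file is flagged (1),
# the file rewritten with --iscrypted is clean (0).
ks_demo() {
    _dir=$(mktemp -d)
    printf 'lang en_US.UTF-8\nrootpw --plaintext redhat\n' > "$_dir/weak.cfg"
    { printf 'lang en_US.UTF-8\n'; ks_rootpw_line redhat; } > "$_dir/fixed.cfg"
    if ks_check_plaintext "$_dir/weak.cfg" 2>/dev/null; then _weak=0; else _weak=1; fi
    if ks_check_plaintext "$_dir/fixed.cfg"; then _fixed=0; else _fixed=1; fi
    rm -rf "$_dir"
    printf '%s %s\n' "$_weak" "$_fixed"
}

ks_demo
```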
____________________________________
Ch2: Regex / grep
------------------------------------

Regular Expression (regex)


^ = beginning of the line anchor
$ = end of line anchor
^$ = matches empty lines
[a-zA-Z] = match a range of characters, just ONE occurrence
[a-z0-9] = matches alphanumerics, letters (a-z) and numbers (0-9). ONE occurrence
[a-z0-9]\{32\} = matches 32 alphanumeric characters.
\< = match the 'empty' string at the beginning of a word
\> = match the 'empty' string at the end of a word.

cat
dog
concatenate
dogma
They are my pets
My dog and cat live peacefully
category
educated
boondoggle
vindication
chilidog
# This is a comment using '#'(hash)
; This is a comment using ';' (semicolon)
Example:
string="My dog and cat live peacefully"
echo "$string" | grep -w dog <-- match
echo "$string" | grep '\<dog\>' <-- also match
c[aou]t = c, followed by 'a' or 'o' or 'u', and ends with t
c.*t = c, followed by ANY number of characters, ends with t
c.\{2\}t = c, followed by exactly 2 characters, ends with t
Using 'grep'
-i = case IN-sensitive
-v = display lines that do NOT match
-r = search recursively in a directory or list of files
-A <N> = display <N> lines After the regex match
-B <N> = display <N> lines Before the regex match
-w = matches the entire 'word' (word boundary) in the pattern
-e = when you need to use multiple regex with a logical OR
[0-9][0-9][0-9] = matches any 3 numbers
cat door.log |grep '1[345]:[0-9]\{2\}:[0-9]\{2\}' > door.out
cat wall.log |grep '14:[345][0-9]:[0-9]\{2\}' > wall.out
cat wall.out |grep -i -v 'no activity' > wall2.out
More examples: http://cyberciti.biz/faq/grep-regular-expressions
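Added example, not from the original notes: the door.log / wall.log filters above and the -w / \<dog\> word-boundary match run against constructed log lines, with the results exposed as counts; the count_* function names and the log content are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes): the door.log / wall.log filters
# from this chapter run against constructed log lines, plus the -w / \<dog\>
# word-boundary match on the sample words above. All log content is made up.

DOOR_LOG='13:05:17 door opened
12:59:59 door opened
14:30:02 no activity
15:59:59 door closed
16:00:00 door opened
213:10:10 bad line - contains 13:10:10 but does not start with it'

WALL_LOG='14:29:59 motion
14:30:00 No Activity
14:45:10 motion
14:59:59 NO ACTIVITY
15:00:00 motion'

PETS='cat
dog
concatenate
dogma
My dog and cat live peacefully
boondoggle
chilidog'

# Entries from 13:00 to 15:59, as written in the notes (no anchor).
count_door_unanchored() {
    printf '%s\n' "$DOOR_LOG" | grep -c '1[345]:[0-9]\{2\}:[0-9]\{2\}'
}

# Same pattern anchored with '^' so the time must be at the start of the line;
# the "213:10:10" line no longer slips through.
count_door_anchored() {
    printf '%s\n' "$DOOR_LOG" | grep -c '^1[345]:[0-9]\{2\}:[0-9]\{2\}'
}

# 14:30-14:59 entries, then drop the 'no activity' lines case-insensitively.
count_wall_active() {
    printf '%s\n' "$WALL_LOG" | grep '14:[345][0-9]:[0-9]\{2\}' | grep -c -i -v 'no activity'
}

# Substring match vs whole-word match on the pets list (dogma, boondoggle and
# chilidog contain "dog" but are not the word "dog").
count_dog_any()           { printf '%s\n' "$PETS" | grep -c 'dog'; }
count_dog_word()          { printf '%s\n' "$PETS" | grep -c -w 'dog'; }
count_dog_anchored_word() { printf '%s\n' "$PETS" | grep -c '\<dog\>'; }

echo "door (unanchored): $(count_door_unanchored)   door (anchored): $(count_door_anchored)"
echo "wall active: $(count_wall_active)"
echo "dog substring: $(count_dog_any)   dog word: $(count_dog_word)"
```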
____________________________________
Ch3: More vim
-----------------------------------
cmd mode: (default, when you first start vi/vim)
insert mode: press 'i' (or 'a' or 'o' or 'O')
yy = yank (copy)
dd = delete line

Nx = del N characters, e.g. 9x = remove 9 characters from cursor position


ctrl-v = 'visual mode'
v = visual/line-by-line mode
Search & Replace:
a) go into cmd mode (press 'Esc')
b) /pattern <-- to search for pattern
c) :1,$s/pattern/replace/gc <-- search for 'pattern' and replace with 'replace'
   note: 'g' for global - replace all occurrences, 'c' to ask for confirmation before replacing
   :1 <-- start from the 1st line
   ,$ <-- up to the end of the file ('s' = substitute)
d) :11,20s/pattern/replace/g <-- replace all occurrences of 'pattern' with 'replace'
   FROM line 11 to line 20 only. Do not ask for confirmation.
____________________________________
Ch4: Scheduling - at & cron
-----------------------------------
a) "at" command <-- scheduling One-time tasks
at <TIME-SPEC> <CMD>
at now +5min <CMD>
at noon +4 days <CMD>
at 5pm August 3 2015 <CMD>
atq <-- to view jobs in the queue.
To view the actual commands of a job, use: at -c <jobnumber>
atrm <jobnumber> <-- removes queued jobs
There are a total of 26 queues: a,b,c,d,e....x,y,z
at -q d teatime tomorrow <-- add a new job to queue "d" to run at tea time (4pm) tomorrow
> <cmd>
> <cmd>
Ctrl-D
OR, pipe the command to 'at', e.g.
echo "<cmd>" | at now +5min
echo 'echo "Hello world" >> out.txt' | at now +5min <-- quote the whole command so 'at' receives it, not the output of echo
b) "crontab" / cronjob <-- scheduling regular/periodic tasks
___________
User Cron:
___________
5 time fields, from left to right, then the command
*memorize the fields on page 70
min (0-59) | hour (0-23) | day of month (1-31) | month (1-12) | day of week (0-6) | <cmd-to-run>
_______________
System Cron:
_______________

/etc/crontab
/etc/anacrontab
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
Shell scripts in the directories above will be run at those intervals
*Files in /etc/cron.d/ have the usual 5 time-spec fields (followed by the user to run as, then the command)

c) Managing tmp files with systemd - "systemd-tmpfiles"


One of the first services that systemd starts is 'systemd-tmpfiles-setup'; this service runs:
systemd-tmpfiles --create    to create tmp files
systemd-tmpfiles --remove    to remove tmp files
Config files at:
/etc/tmpfiles.d/*.conf <-- admin defined.
/run/tmpfiles.d/*.conf <-- run-time configuration, usually set by the services/daemons themselves
/usr/lib/tmpfiles.d/*.conf <-- system defined/installed. Do not edit.
Config file format:
Type  Path  Mode  UID  GID  Age  Argument

d /run/systemd/xtmp 755 root root -
    d = create the 'd'irectory if it does not exist at /run/systemd/xtmp.
    The directory is owned by root, perm 755,
    and is not automatically purged (the Age is '-')
D /home/student/tmp 0700 student student 1d
    D = create the dir /home/student/tmp if it does not exist. If it exists, then
    delete all its contents. When systemd-tmpfiles --clean is run, remove all files
    which have not been accessed, changed or modified in more than 1 day.
Syntax: view the man pages --> man 5 tmpfiles.d
*NOTE: after making changes to the tmpfiles config files, remember to check/test with:
# systemd-tmpfiles --clean <tmp-conf-file.conf>
# systemd-tmpfiles --clean /etc/tmpfiles.d/tmp.conf
_______________________________________
Ch5: Priority Processes / nice, renice
--------------------------------------
ps aux --sort=nice
nice -n 15 <process-name> &
renice -n -<NICE_LEVEL> <PID>
renice -n -7 $(pgrep sha1sum) <-- change the nice level of ALL the 'sha1sum' processes to -7
kill $(pgrep sha1sum) <-- to kill all process IDs with the pattern 'sha1sum'
____________________________________

Ch6: ACL
-----------------------------------
Extends the basic 'rwx' permissions of users and groups
2 commands:
a) setfacl (to set the ACL permissions of resources)
b) getfacl (to view the ACL permissions)
setfacl -m u:<name>:rwX <file|dir>
setfacl -m g:<name>:rwX <file|dir>
setfacl -m o::- <file> <-- the dash '-' means no permission
* if <name> is left blank, then it applies to the file owner; otherwise
  <name> can be the username or UID.
Default ACL
~~~~~~~~~~~~
setfacl -m d:u:<name>:rx <directory>
setfacl -x d:u:<name> <directory> <-- remove the default ACL entry for <name> set previously on the dir
setfacl -b <dir>|<file> <-- removes ALL ACLs (including default ACL)
setfacl -k <directory> <-- removes default ACL on dir
** IMPORTANT: Always do 'chmod' first before setting the ACL via setfacl.
<<<________>>>
Example (one command sequence; chmod first, then setfacl, as the note above says):
cd /shares
chown -R root:bakerstreet cases
chmod g+s cases
chmod 660 cases/*
setfacl -Rm g:scotlandyard:rwX cases
setfacl -Rm u:jones:r-X cases
setfacl -Rm d:g:scotlandyard:rwX cases
setfacl -Rm d:u:jones:r-X cases
setfacl -m g::rwX cases
____________________________________
Ch7: SELinux
-----------------------------------
Standard Linux Security (DAC - Discretionary Access Control)
- only 2 privilege levels: "user" and "root"
- main problem: any process/program launched as the 'user' (bob) has user bob's
  permissions. E.g. Bob launches Firefox - can Firefox read Bob's private keys in
  ~/.ssh/id_rsa? YES. So a compromised Firefox can wreak havoc. (Another example:
  Apache privilege escalation)
SELinux - MAC (Mandatory Access Control)
- default rule is everything is denied.
- every process ('subjects') has to be explicitly allowed to access
the resources ('objects') - such as files, sockets, devices, etc.
3 Types of Access Control
~~~~~~~~~~~~~~~~~~~~~~~
a) Type/Targeted Enforcement (TE) - this is the main mechanism
b) Role-Based Access Ctrl (RBAC)
c) Multi-Level Security (MLS) - usually in high security/Military
Security Context
---------------
In SELinux, all subjects (processes) and objects (system resources) are associated
with a 'type', which taken together controls the access permissions for specific
users. This combo of:

user:role:type is called the "Security Context" (SC)

SELinux Access Rules are constructed based on these SC.
TE (Type Enforcement)
~~~~~~~~~~~~~~~~~~~~~~
This is based on a single security property - 'type'
- it is applied to processes (subjects) and resources (objects), e.g.
  * Apache processes --> type is: httpd_t
  * /var/www/html/index.php --> type is: httpd_sys_content_t
- Access is allowed solely by types, e.g.:
  * many processes (subj) and resources (obj) have the same type
  * processes with the same type have the same access to resources of the same type. For example:
    * httpd_t can read/access httpd_sys_content_t
  * Process types are called "domains" (sometimes applied to resources such as sockets)
  * Different resources can have the same type
Targeted Policy uses TE (Type Enforcement)
- System where processes by default are 'unconfined'
- Only targeted processes are confined
- Unconfined Domains
  * default user processes run in unconfined_t
  * system processes run in initrc_t
  * 'unconfined' processes have the same access/privileges as on a normal Linux system without SELinux
  * Daemons (services) with a defined policy transition to confined domains, e.g.
    - httpd started from 'unconfined_t' transitions to 'httpd_t', which has limited access.
"Z" is your friend.
ls -Z
id -Z
ps auxZ
lsof -Z
netstat -natZ
find / -context '<pattern>' <-- find files by SELinux context
*NOTE:
cp - uses the security context of the destination directory
mv - maintains the original source security context.
installation (via yum or rpm) - sets the default security context based on the system defaults/system policy.
Essential Software Packages to install
~~~~~~~~~~~~~~~~~~~~~~
yum install policycoreutils policycoreutils-python policycoreutils-gui
yum install setroubleshoot setroubleshoot-server
Essential CMDs:
~~~~~~~~~~~~~~
getenforce
setenforce 1 (enforcing)
setenforce 0 (permissive)
semanage boolean -l
semanage boolean -l -C <-- shows variation from the default

semanage fcontext -l <-- to list all


semanage fcontext -l | grep 'httpd_.*content*'
semanage fcontext -a -t <TYPE> '/directory(/.*)?'
restorecon -Rv /directory
chcon -Rv --reference <good_dir_context> <destination_dir>
chcon -Rv --reference /var/www/html /custom <-- '-R' for recursive, '-v' verbose
chcon -Rv --reference /var/www/html '/custom(/.*)?' <-- WRONG: the '(/.*)?' regex does not work with chcon (only with semanage fcontext)
example:
semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'
restorecon -RFv /virtual
ls -ldZ /var/www/html
semanage fcontext -a -t httpd_sys_content_t '<path(/.*)?>' <-- "-a -t" (add a type rule)
semanage fcontext -d -t httpd_sys_content_t '<path(/.*)?>' <-- "-d -t" (delete the type rule)
getsebool -l
setsebool -P httpd_enable_homedirs on <-- "-P" for permanent
semanage boolean -l (to view all the booleans)
Booleans
~~~~~~~~
semanage boolean -l <-- show all default boolean values and their description
semanage boolean -l -C <-- shows only the booleans that differ from the default
(this happens when we use the '-P' (permanent) flag to set a boolean value, e.g.
# setsebool -P httpd_enable_homedirs on (<-- "-P" for permanent)
# semanage boolean -l -C
getsebool -a | less <-- to list the current boolean settings
Viewing SELinux Alerts
----------------------
tail -f /var/log/messages
OR
journalctl -f -l -p err
Apache 101
---------
1) Config file: vi /etc/httpd/conf/httpd.conf
- search for "DocumentRoot" <-- this specifies the location of the web (html) files.
  default is /var/www/html
  to change to another location, need to edit 2 lines, e.g.
  a) DocumentRoot /var/www/html => to: DocumentRoot /custom
  b) <Directory /var/www/html> => to: <Directory /custom>
- After editing the Apache config file, remember to restart Apache, i.e. "systemctl restart httpd"
2) Publish web content from a user's home directory:
- vi /etc/httpd/conf.d/userdir.conf
  search for "UserDir disabled" <-- change this to:
  UserDir enabled
  search for "#UserDir public_html" <-- default is commented, i.e. it has a '#' at the
  beginning; uncomment it. It should read:
  UserDir public_html

Example: Enabling User's (student) public_html directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ mkdir /home/student/public_html
$ su
# semanage boolean -l | grep 'httpd.*home*'
httpd_enable_homedirs          (off , off) Allow httpd to enable homedirs
# setsebool -P httpd_enable_homedirs on
# semanage boolean -l -C (<-- to view the change from the default settings)
# vi /etc/httpd/conf.d/userdir.conf
Change "UserDir disabled" ---> TO: "UserDir enabled"
Uncomment: #UserDir public_html ---> TO: UserDir public_html
(note: change the <Directory "/home/*/..."> entry accordingly)
# systemctl restart httpd <-- remember to restart httpd after making changes to the config file
The following 2 cmds are the 'manual' method to make non-standard httpd folders accessible on the web.
# semanage fcontext -a -t httpd_sys_content_t "/home/student/public_html(/.*)?"
# restorecon -Rv /home/student/public_html
______________________________________________________
Ch8: Ldap,Kerberos/IPA (Identity,Policy & Audit server)
----------------------------------------------------
- Centralized authentication/user login is vital in an enterprise environment
- 2 methods: (a) LDAP+Kerberos+sssd (b) IPA (Identity,Policy,Audit) Server
- IPA is basically LDAP+Kerberos+web UI+extras (LDAP+Kerberos on steroids)
Note: the server side is assumed already configured
a) on the client (e.g. desktopX)
# yum install sssd authconfig-gtk krb5-workstation
# authconfig-gtk &
*** IMPORTANT: the 'REALM' must be in UPPERCASE
b) on the client
# yum install ipa-client
# ipa-client-install --no-ntp --mkhomedir --domain=serverX.example.com
____________________________________
Ch9: FileSystems, Mounts, Swaps
-----------------------------------
MBR (Master Boot Record) - use fdisk
- stores only 1 copy of the partition data at the beginning of the hdd.
- if lost or corrupted, then data is lost
GPT (GUID Partition Table) - use gdisk
- GPT partitions are used in systems running UEFI.
- stores partition data at the beginning of the disk as well as a backup partition
  table at the end of the disk, with CRC32 checksums
fdisk /dev/vda <-- note: there is no partition number,
i.e. fdisk /dev/vda1 <-- wrong.
gdisk /dev/vdb
FileSystems:
----------
mkfs -t xfs /dev/vda1 <-- specify partition '1', i.e. /dev/vda1
mkfs -t ext4 /dev/vdb2 <-- partition 2 on the second hdd. "-t" is type
mount /dev/vdb2 /mnt
Persistent: Mount points specified at /etc/fstab
TO find "UUID":
--------------
blkid /dev/vdb1
blkid /dev/vdb2
Swap Space
------------
mkswap /dev/vdb2
swapon /dev/vdb2 <-- turn on the swap space
swapoff /dev/vdb2 <-- turn off swap
example /etc/fstab entries:
UUID=fadkasuyr...dfsc  swap  swap  defaults  0 0
UUID=fadkasuyr...dfsc  swap  swap  pri=1     0 0   (specify swap priority)

The last 2 columns represent the "dump flag" and the "fsck" (file system check) order.
Since swap space does not need these 2 options, they are set to 0 0
For the root file system, it's 1 1
For a LOCALLY mounted file system (e.g. /dev/vdb1), they are usually 1 2 (but it can also be: 0 0);
the fsck order is '2', which has lower priority than the root file system.
BUT for network mounts (NFS or CIFS), use 0 0
because the remote disk is NOT under the local machine's control
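Added example, not from the original notes: a small checker that applies the dump/fsck rules above to fstab-style text, with constructed entries in fstab_good_demo and fstab_bad_demo; the fstab_check function and its rules are mine, taken from the paragraph above.

```shell
#!/bin/sh
# Added example (not from the original notes): check the last two columns of
# /etc/fstab entries against the dump/fsck rules above. fstab text is read from
# stdin; the entries in the two demo functions are constructed for this example.

# fstab_check < fstab-text
# Prints one line per problem found and returns 1 if there was any, else 0.
fstab_check() {
    _bad=0
    while read -r _src _mnt _type _opts _dump _pass; do
        case "$_src" in ''|'#'*) continue ;; esac     # skip blank and comment lines
        _dump=${_dump:-0}; _pass=${_pass:-0}         # missing columns count as 0
        case "$_type" in
            swap)
                [ "$_dump $_pass" = "0 0" ] ||
                    { echo "$_src: swap entries must use 0 0"; _bad=1; } ;;
            nfs|nfs4|cifs)
                [ "$_dump $_pass" = "0 0" ] ||
                    { echo "$_mnt: network mounts must use 0 0 (remote disk not under local control)"; _bad=1; } ;;
            *)
                if [ "$_mnt" = "/" ]; then
                    [ "$_pass" = "1" ] ||
                        { echo "/: the root file system is checked first (fsck order 1)"; _bad=1; }
                elif [ "$_pass" = "1" ]; then
                    echo "$_mnt: fsck order 1 is reserved for the root file system (use 2 or 0)"
                    _bad=1
                fi ;;
        esac
    done
    return $_bad
}

# A table that follows the rules: returns 0 and prints nothing.
fstab_good_demo() {
    fstab_check <<'EOF'
# <device>               <mount>      <type> <options>       <dump> <pass>
UUID=aaaa-1111           /            xfs    defaults        1 1
UUID=bbbb-2222           /data        xfs    defaults        1 2
UUID=cccc-3333           swap         swap   pri=1           0 0
server0:/shares/public   /mnt/public  nfs    sec=krb5p,sync  0 0
EOF
}

# Four entries that each break one rule: returns 1 and prints four lines.
fstab_bad_demo() {
    fstab_check <<'EOF'
UUID=aaaa-1111           /            xfs    defaults        0 0
UUID=dddd-4444           swap         swap   defaults        1 1
server0:/shares/public   /mnt/public  nfs    sec=sys,sync    1 2
UUID=bbbb-2222           /data        xfs    defaults        1 1
EOF
}

fstab_good_demo && echo "good table: OK"
fstab_bad_demo || echo "bad table: problems found"
```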
To recap:
=========
fdisk /dev/vdb <-- to create partitions. Do NOT specify partition num.
n = create new partition. Then specify partition num.
accept the default first/starting sector
specify the disk size, e.g +512M or +1G, etc
p = print - display the changes you've made
t = change the partition type
w = write the changes to disk
Types, 't'
83 <-- default Linux partition
8e <-- LVM partition
82 <-- swap space
(for 'gdisk' - add 2 zeroes at the end, e.g. 8e00 for LVM)
Then run 'partprobe' to tell the kernel of the new partition
create filesystem:
----------------
mkfs -t xfs /dev/vdb1
mkfs -t ext4 /dev/vdb3
...etc
Making Swap space
- create the partition using fdisk or gdisk. Change type to 82
- mkswap /dev/vdb2
- swapon /dev/vdb2
IF adding the swap entry into the /etc/fstab, then enable it by
swapon -a <-- "-a" for all
To disable swap
swapoff -a
To set a priority for the swap space in /etc/fstab, use:
/dev/vdb2  swap  swap  defaults  0 0
/dev/vdb3  swap  swap  pri=1     0 0
**IMPORTANT NOTE:
- do NOT create different partitions using both fdisk and gdisk. It will confuse
  the system. If you created the 1st partition using gdisk, then use gdisk for ALL
  other partitions on that disk. If you created the 1st partition using fdisk, then
  use fdisk for all the other partitions on that disk.
____________________________________
Ch10: LVM
-----------------------------------
5 steps in creating a usable LV
a) prepare the physical device - use fdisk/gdisk to create partitions.
# fdisk /dev/vdb
# fdisk /dev/vdc
b) create the PV (initialize the partitions)
# pvcreate /dev/vdb1 /dev/vdb2 /dev/vdc1
c) create the VG (called 'avengers')
# vgcreate avengers /dev/vdb1 /dev/vdb2 /dev/vdc1
d) create the LV (called 'hulk', 10G in size in the 'avengers' volume group)
# lvcreate -n hulk -L 10G avengers
e) create the filesystem, e.g.
# mkfs -t xfs /dev/avengers/hulk
then, create a mount point to mount this new filesystem, eg.
# mkdir /mnt/hulk
# mount /dev/avengers/hulk /mnt/hulk
# mount -a
OR add an entry in /etc/fstab (to make the mount permanent/survive a reboot):
/dev/avengers/hulk  /mnt/hulk  xfs  defaults  1 2

PV cmds
~~~~~~~~
pvcreate /dev/vdb1 /dev/vdb2
pvremove /dev/vdb1 /dev/vdb2
pvdisplay /dev/vdb2
pvmove /dev/vdb1 <-- this will move all the data (in the physical extents) to other PVs in the same VG
VG cmds
~~~~~~~
vgcreate <vgname> /dev/vdb1 /dev/vdb2
vgremove <vgname>
vgdisplay <vgname>
vgextend <vgname> /dev/vdc1
LV cmds
~~~~~~~
lvcreate -n <lvname> -L <SIZE> <vgname>
lvremove /dev/vgname/lvname
lvdisplay /dev/vgname/lvname
lvextend -L +300M /dev/vgname/lvname
-> after running lvextend, remember to run 'xfs_growfs' to expand the file system
   to occupy the extended LV, e.g.
# xfs_growfs /mnt/storage
** alternatively, for ext2/3/4 file systems use resize2fs; instead of the mount point, it takes the LV name, e.g.
# resize2fs /dev/vgname/lvname <-- only works on ext file systems; for XFS use "xfs_growfs"
____________________________________
Ch11: NFS
-----------------------------------
RHEL7 uses NFSv4 (uses TCP) by default and falls back to NFSv3 or NFSv2 if NFSv4 is
not available. (NFS 3 or 2 can use either tcp or udp)
* Manually mount a NFS share (via cmd line OR via /etc/fstab)
* Automatic mount of NFS share via 'autofs' service
NFS shares are secured by various methods: 'none', 'sys', 'krb5', 'krb5i' and 'krb5p'.
The NFS client must connect to the exported share using one of the methods above,
as specified by the share (via the mount option, sec=<method>).
The Kerberos options will require at least /etc/krb5.keytab, which will be provided.
It is outside the scope of this course. Just remember it's required!
The "nfs-secure" service (part of the 'nfs-utils' package) is used to manage
communication with the server when connecting to kerberos-secured shares.
Steps in SEQUENCE:
--------------------
1. check if the nfs-utils package is installed (yum list nfs-utils)
   If not installed, then 'yum install nfs-utils'
2. download the 'krb5.keytab' from the server/classroom and save it as /etc/krb5.keytab
   # wget http://classroom.example.com/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab
3. # systemctl enable nfs-secure
   # systemctl start nfs-secure
4. Create the mountpoints on the DesktopX
# mkdir -p /mnt/public
For Manual Mounts:
~~~~~~~~~~~~~~~~~
a) Edit /etc/fstab and add the following lines (shown with the existing local entries for comparison):
server0:/shares/public   /mnt/public   nfs   sec=krb5p,sync   0 0
server0:/shares/public   /mnt/manual   nfs   sec=sys,sync     0 0
# /dev/vda1              /             xfs   defaults         1 1
# /dev/shazam/storage    /storage      xfs   defaults         0 2

b) Test it out:
# mount -a (to mount all the filesystem/shares in the /etc/fstab)
# df -h
For AutoMounts: (autofs)
~~~~~~~~~~~~~~~~~~~~~~~~~~
yum -y install autofs
a) create the master-map (*.autofs) files in /etc/auto.master.d/
b) create the corresponding map file in /etc/ (e.g. /etc/auto.shares, /etc/auto.direct, /etc/auto.work)
c) Enable and start autofs service:
# systemctl enable autofs
# systemctl start autofs
Automounter Benefits:
- users do not need root privileges to run mount/umount cmds
- nfs shares are not permanently connected via /etc/fstab
- "autofs" is the service that handles all these
yum install autofs: will create the following files & dir:
/etc/auto.master.d/ <-- directory
/etc/autofs_ldap_auth.conf
/etc/auto.master
/etc/auto.misc
/etc/auto.net
/etc/auto.smb
1. create a 'master map' file (*.autofs) - which identifies the base directory used
   for mount points as well as the mapping files (/etc/auto.*) used for creating the automounts
Auto-Map:
=========
# vi /etc/auto.master.d/master.autofs
(add the following entry)
/shares  /etc/auto.work     <-- /shares is the 'base directory'
# vi /etc/auto.work
work  -rw,sync,sec=krb5p  serverX.example.com:/shares/work
docs  -rw,sync,sec=sys    serverX.example.com:/shares/docs

'work' & 'docs' are the mount points that will be automatically created/removed
by the 'autofs' service. The full path is /shares/work & /shares/docs (remember
that /shares is the base dir for the mount points)
OR, use wildcard:
# vi /etc/auto.work
*  -rw,sync,sec=krb5p  serverX:/shares/&

Direct-Map:
===========
The master-map file content: /etc/auto.master.d/direct.autofs
/-  /etc/auto.direct
The content for the mapping file /etc/auto.direct:
/mnt/public  -rw,sync,sec=krb5p  serverX:/shares/public
note: you need to create the /mnt/public directory manually.
In the case of the Auto-Map (indirect map), you only have to create the base dir (/shares)
and the autofs service will automatically create the 'work' and 'docs' directories
when needed.
__________
IMPORTANT:
1) Use the Fully Qualified Name, i.e. serverX.example.com:/shares and NOT serverX:/shares
2) Double check the 'security' type, i.e. sec=krb5p <-- don't forget the 'p' if asked
   to use encryption for security. (krb5i = for integrity checking and 'sys' for local
   system security).
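Added example, not from the original notes: a resolver that follows the master map, the indirect map (with the * / & wildcard) and the direct map (/-) described above to turn a requested path into its mount options and server export; the maps are constructed copies of the chapter's examples and the map_lookup/autofs_resolve functions are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): resolve a path the way the notes
# describe autofs doing it - find the base directory in the master map, look the
# key up in that map file (explicit key first, then the '*' wildcard with '&'
# replaced by the key), or use the direct map when the base is '/-'.
# The map files are constructed copies of the chapter's examples.

# map_lookup MAPFILE KEY -> prints "options location" for KEY; an explicit key
# wins, otherwise the '*' entry is used with '&' replaced by KEY; nothing if none.
map_lookup() {
    awk -v k="$2" '
        function rest(    i, s) { s = $2; for (i = 3; i <= NF; i++) s = s " " $i; return s }
        /^[ \t]*(#|$)/ { next }
        $1 == k        { found = 1; print rest(); exit }
        $1 == "*"      { wild = $0 }
        END { if (!found && wild != "") { $0 = wild; gsub(/&/, k); print rest() } }
    ' "$1"
}

# autofs_resolve MASTER_MAP PATH -> prints "options location" or returns 1
autofs_resolve() {
    _master=$1; _path=$2
    while read -r _base _map _rest; do
        case "$_base" in ''|'#'*) continue ;; esac
        if [ "$_base" = "/-" ]; then
            _key=$_path                       # direct map: keys are full paths
        else
            case "$_path" in "$_base"/*) ;; *) continue ;; esac
            _key=${_path#"$_base"/}           # indirect map: key is the name under the base dir
            case "$_key" in */*) continue ;; esac
        fi
        _hit=$(map_lookup "$_map" "$_key")
        if [ -n "$_hit" ]; then echo "$_hit"; return 0; fi
    done < "$_master"
    return 1
}

# Writes the constructed maps to a temp dir and prints the master map path.
autofs_demo_setup() {
    _d=$(mktemp -d)
    printf '/shares %s/auto.work\n/- %s/auto.direct\n' "$_d" "$_d" > "$_d/master.autofs"
    cat > "$_d/auto.work" <<'EOF'
work  -rw,sync,sec=krb5p  serverX.example.com:/shares/work
docs  -rw,sync,sec=sys    serverX.example.com:/shares/docs
*     -rw,sync,sec=krb5p  serverX.example.com:/shares/&
EOF
    cat > "$_d/auto.direct" <<'EOF'
/mnt/public  -rw,sync,sec=krb5p  serverX.example.com:/shares/public
EOF
    echo "$_d/master.autofs"
}

autofs_demo() {
    _m=$(autofs_demo_setup)
    for _p in /shares/docs /shares/cases /mnt/public /shares/a/b /other; do
        printf '%-14s -> %s\n' "$_p" "$(autofs_resolve "$_m" "$_p" || echo 'no map entry')"
    done
    rm -rf "$(dirname "$_m")"
}

autofs_demo
```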
____________________________________
Ch12: SMB
------------------------------------
- Mount SMB file systems manually (cli and /etc/fstab)
- Mount SMB file systems (CIFS) automatically - via autofs
Required software packages: cifs-utils
Optional (but useful): samba-client package - has the 'smbclient' command line utilities
3 Steps:
-------
a) identify the remote share to access
b) determine the mount point where the share should be mounted (create it locally if needed)
c) mount the SMB share via cli or the appropriate config change
Authentication:
- SMB shares can be flagged as non-browseable, and can be restricted to specific users/groups
- there are many authentication schemes supported by SMB; the most common is the
  username/password combo.
  (these can be stored in /etc/fstab itself or in a secret 'credentials' file, e.g. /etc/smbcred.smb)
Manual Mount
~~~~~~~~~~~~
CLI:

# mount -t cifs -o guest //serverX/share /mnt/share
(in comparison to other filesystem/nfs mounts)
mount -t nfs -o rw,sec=krb5p serverX:/shares /mnt/nfshare
mount (-t xfs -o defaults) /dev/vdb1 /mnt/hdd2
mount (-t ext4 -o defaults) /dev/VG/lvname /mnt/lv1
# mount -t cifs -o username=watson //serverX/share /mnt/share <-- you'll be prompted for the passwd
# mount -t cifs -o credentials=/etc/smbcred.smb //serverX/share /mnt/share
(username & passwd are stored in the /etc/smbcred.smb file)
format for the credentials file:
username=watson
password=sherlock
domain=<domain>
** NOTE: the client needs to have the same UID/GID as the user/group on the SMB server.
AutoMount (autofs)
~~~~~~~~~~~~~~~~~~
- create a 'master map' file (*.autofs) in /etc/auto.master.d/ (e.g. /etc/auto.master.d/smb.autofs)
/shares /etc/auto.smb
- create the associated map file (auto.*) in the /etc/ directory, e.g. /etc/auto.smb
(For CIFS/samba - take note of the colon ":")
cases -fstype=cifs,credentials=/etc/smbcred.smb ://serverX/cases
(For NFS:)
cases -rw,sync,sec=krb5p  serverX:/shares

- # systemctl enable autofs
  # systemctl start autofs
NOTE: the file /etc/smbcred.smb:
username=sherlock
password=holmes123
domain=DETECTIVE
____________________________________
Ch13: Boot Process
------------------------------------
BIOS & UEFI are both 'firmware interfaces' that act as an interpreter between the
computer hardware/firmware and the Operating System. Both BIOS/UEFI are used at
startup to initialize the hardware components and load the OS "bootloader"
(grub, grub2, etc) stored on the hard disk.
BIOS: reads the 1st sector of the HDD.
UEFI: modern hardware - all initialization code is kept in *.efi files on the HDD.
Detailed info: https://wiki.manjaro.org/index.php?title=Some_basics_of_MBR_v/s_GPT_and_BIOS_v/s_UEFI
(nice to know, but not essential)
What could go wrong with the boot process?
1) corrupted /etc/fstab => boot into emergency.target
   i.e. on the same line as 'linux16...' append: systemd.unit=emergency.target
   then give the root passwd, edit /etc/fstab and remove the offending entry
2) corrupted /boot/grub2/grub.cfg (boot loader)
upon startup, select the boot entry and press 'e' to edit
then look for the offending grub2 entry and correct it, e.g. "os16" --> "linux16"
after system had booted up, login and run:
# grub2-mkconfig > grub-new.cfg
# diff grub-new.cfg /boot/grub2/grub.cfg <-- see the offending entries.
# grub2-mkconfig > /boot/grub2/grub.cfg <-- install the new/corrected grub.cfg
3) Lost Root Passwd
- on the boot menu, select the appropriate entry and press 'e'
- on the 'linux16' line, append "rd.break" (without quotes). This will boot the system
  and mount the root filesystem as 'read only' on /sysroot
# mount -o remount,rw /sysroot <-- remount for read-write
# chroot /sysroot <-- make this the 'tmp' root filesystem
# passwd root <-- change the root passwd
# touch /.autorelabel <-- tells SELinux to relabel (fixes permissions, etc)
# exit; (exit from chroot)
# exit; (exit from the rescue shell) and continue booting
systemctl get-default
systemctl set-default graphical.target
systemctl isolate multi-user.target (runlevel6.target <-- reboot)
important targets
---------------
rescue.target : sulogin prompt, basic system initialization completed, system in read/write mode
emergency.target: sulogin prompt, initramfs pivot complete and system root mounted on / (read only)
** To select a different target at boot time, a special option can be appended to the kernel
   command line from the boot loader, e.g.: systemd.unit=rescue.target
Fix incorrect /etc/fstab entry
-----------------------------
1. Reboot
2. Interrupt the boot loader menu countdown by pressing any key
3. Move the cursor to the entry to be started. Press "e" to edit that entry
4. Move the cursor to the line that starts with "linux16". This is the kernel cmd line
5. Append: systemd.unit=<desired.target>
eg: systemd.unit=rescue.target
6. Press 'ctrl-X' to reboot
Recover root passwd
-------------------
1. Select the Boot-Entry (default or the rescue), and press 'e' to edit
2. Go to the 'linux16' line (the line that has /boot/vmlinuz-3.x.x <-- this is the kernel),
   press the 'end' key to go to the end of the line, and append: "rd.break" (without quotes)
   => this will break just before control is handed from the initramfs to the actual system
3. Ctrl-X to continue booting - a root shell is presented where the actual system is mounted
   as 'read-only' on /sysroot
4. RE-mount /sysroot as read-write:
# mount -o remount,rw /sysroot
# chroot /sysroot <-- switch into chroot jail,
where /sysroot is treated as the root of the file-system
tree
# passwd root <-- reset root pass
# touch /.autorelabel <-- needed for SELinux relabelling for correct permission settings
6. # exit (to exit from chroot)
# exit (exit the initramfs debug shell)
Repairing Grub2
---------------
grub2-mkconfig > /boot/grub2/grub.cfg
* in grub menu entries, "linux16" is valid. Anything else
such as "os16" is wrong.
______
NOTES:
-----
to remount a 'read-only' filesystem:
# mount -o remount,rw /
____________________________________
Ch14: FirewallD
------------------------------------
- old ways: iptables, ip6tables, ebtables <-- find out what's ebtables
- firewalld - manages both ipv4 and ipv6
- All network traffic is classified into "zones".
- based on criteria such as the source IP of the packet or the incoming NIC, traffic is
  diverted to the appropriate zone and the rules in that zone are then applied
* every packet that comes into the system is first checked for its source IP address.
  If it matches a specific zone, then the rules in that zone are applied. If the source
  IP is not tied to a zone, then the zone for the incoming network interface is used.
  If the network interface is not associated with any zone for some reason, then the
  default zone will be used. The 'public' zone is used by default
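Added example, not from the original notes: zone selection in the order described above (source binding, then interface binding, then the default zone), using constructed bindings rather than a live firewalld; the zone_for/in_cidr functions and the sample addresses are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): work out which zone handles an
# incoming packet using the order described above - a matching source binding
# first, then the zone bound to the incoming interface, then the default zone.
# The bindings are constructed for the demonstration, not read from firewalld.

DEFAULT_ZONE=public
# "CIDR ZONE" pairs, as set with: firewall-cmd --add-source=CIDR --zone=ZONE
SOURCE_BINDINGS='10.0.5.0/24 trusted
192.168.1.0/24 internal'
# "IFACE ZONE" pairs, as set with: firewall-cmd --add-interface=IFACE --zone=ZONE
IFACE_BINDINGS='eth0 work
eth1 external'

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/BITS -> returns 0 when IP lies inside the network
in_cidr() {
    _net=${2%/*}; _bits=${2#*/}
    _mask=$(( (0xffffffff << (32 - _bits)) & 0xffffffff ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# zone_for IP IFACE -> prints the zone whose rules apply to the packet
zone_for() {
    _ip=$1; _if=$2
    # 1. source address bound to a zone?
    _zone=$(printf '%s\n' "$SOURCE_BINDINGS" | while read -r _cidr _z; do
                if in_cidr "$_ip" "$_cidr"; then echo "$_z"; break; fi
            done)
    if [ -n "$_zone" ]; then echo "$_zone"; return 0; fi
    # 2. incoming interface bound to a zone?
    _zone=$(printf '%s\n' "$IFACE_BINDINGS" | awk -v i="$_if" '$1 == i { print $2; exit }')
    if [ -n "$_zone" ]; then echo "$_zone"; return 0; fi
    # 3. neither: the default zone
    echo "$DEFAULT_ZONE"
}

for _case in "10.0.5.7 eth0" "172.16.0.9 eth1" "172.16.0.9 eth0" "172.16.0.9 eth9"; do
    set -- $_case
    echo "src=$1 iface=$2 -> zone $(zone_for "$1" "$2")"
done
```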
Pre-defined zones:
------------------
- trusted (all incoming connections are accepted)
- internal: similar to home
- home: reject all unless related to outgoing or ssh, ipp-client, dhcpv6-client, mdns, samba
- work: reject all unless related to outgoing or ssh, ipp-client, dhcpv6-client
- public: reject all unless related to outgoing or ssh, dhcpv6-client
- external: reject all unless related to outgoing or ssh. Outgoing ipv4 traffic through
  this zone is masqueraded.
- dmz: reject all unless related to outgoing or ssh
- block: reject all unless related to outgoing
- drop: drop all unless related to outgoing (do not respond with an icmp error message)
Predefined Services: firewall-cmd --get-services (to view all)
-------------------
ssh: local ssh server. Port 22
dhcpv6-client: local DHCPv6 client. Port 546/udp
ipp-client: local IPP printing. Port 631/udp
samba-client: local Windows file & print sharing client. Ports 137/udp & 138/udp
mdns: Multicast DNS (mDNS) link-local name resolution. Port 5353/udp to 224.0.0.251
To configure firewalld
------------------------
firewall-config & (GUI) [yum -y install firewall-config]
firewall-cmd (cli)
~~~~~~~~~~~~
firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=<ZONE>
firewall-cmd --add-source=<CIDR> --zone=<ZONE> (the default zone is assumed if no zone is specified)
firewall-cmd --remove-source=<CIDR> --zone=<ZONE>
firewall-cmd --add-interface=<IFACE> --zone=<ZONE>
firewall-cmd --change-interface=<IFACE> --zone=<ZONE>
firewall-cmd --add-service=<SERVICE> --zone=<ZONE>
firewall-cmd --add-port=PORT/PROTO --zone=<ZONE>
firewall-cmd --remove-service=<SERVICE> --zone=<ZONE>
firewall-cmd --remove-port=PORT/PROTO --zone=<ZONE>
To view the available services in a particular zone:
firewall-cmd --list-services --zone=<ZONE>
_________________
Useful commands:
---------------
whereis (e.g. whereis tmpfiles.d; whereis sealert; whereis httpd)
find
(e.g. find /usr/lib -iname "tmp*" -print)
Software packages to install
yum -y install sssd
yum -y install authconfig-gtk
yum -y install krb5-workstation
yum -y install ipa-client
yum -y install nfs-utils
yum -y install cifs-utils
yum -y install autofs
yum -y install httpd
yum -y install mod_ssl
yum -y install system-config-kickstart
yum -y install setroubleshoot
yum -y install setroubleshoot-server