System D and More Commands

command not
found
new gnu/linux commands
you need to know
command not
found
but not that new
:)
agenda
 systemd
 systemd
 unit files
 journald
 networking
 NetworkManager
 firewalld
 ip, ss, tracepath
 hardware identification
 lscpu, lsmem, lspci, lsusb, lsblk, lscsi
 misc utils
systemd
 replacement for unix sysv and bsd-
sytle init systems (…upstart, etc)
 started by lennart poettering and kay
sievers at red hat in 2010
 became the default init system in
fedora in may of 2011
 enables parallel startup of services
 uses service dependencies
 adoption has been controversial
systemd
 controversy:
 doesn’t follow the unix philosophy
 complicated creeping-featurism
 read all about it:
 https://en.wikipedia.org/wiki/Systemd
 http://without-systemd.org
 http://www.zdnet.com/article/linus-torvalds-and-others-
on-linuxs-systemd/
 http://0pointer.de/blog/projects/the-biggest-myths.html
systemd
 controversy:
 doesn’t follow the unix philosopy
complicated creeping-featurism
doesn`t

 read all about it:
matter!
https://en.wikipedia.org/wiki/Systemd

 http://without-systemd.org
 http://www.zdnet.com/article/linus-torvalds-and-others-
on-linuxs-systemd/
 http://0pointer.de/blog/projects/the-biggest-myths.html
systemd
 enabled by default:
 fedora (2011)
 red hat enterprise (2014)
 centos (2014)
 oracle enterprise (2014)
 debian (2015)
 ubuntu (2015)
 mint (2016)
 elementary (2016)
 arch (2012)
 opensuse (2012)
 suse linux enterprise (2014)
systemd
 service initialization – systemd
 init
 rc / upstart
 runlevel management - systemctl
 init / telinit
 shutdown / poweroff / reboot / halt
 service management - systemctl
 service / invoke-rc.d
 chkconfig / update-rc.d
 logging – journald
 syslogd / rsyslogd
systemd
 log review – journalctl
 cat/grep/less/more/vi /var/log/*
 socket activation – systemd
 inetd / xinetd
 login management systemd-logind
 inittab
 system hostname - hostnamectl
 hostname
 dynamic devices – systemd-udevd
 udevd
systemd
 start / stop services:
 systemctl start myservice
 systemctl stop myservice
 systemctl restart myservice
 reread configuration:
 systemctl reload myservice
 enable / disable services on boot:

 systemctl enable myservice
 systemctl disable myservice
systemd
 show service status
 systemctl status myservice
 systemctl show myservice
 script-able service status

 systemctl is-enabled myservice
 systemctl is-active myservice
 systemctl is-failed myservice
systemd
 default runlevel (target)
 systemctl get-default
 systemctl set-default graphical
 runlevel changes (targets):

 systemctl isolate rescue
 systemctl isolate multi-user
 systemctl isolate graphical
systemd
 shutdown/suspend:
 systemctl reboot
 systemctl poweroff
 systemctl suspend
 systemctl hibernate
systemd
 configuration files:
 /etc/systemd/system.conf
 ctrl-alt-delete action
 /etc/systemd/logind.conf
 power button actions
 lid switch actions
systemd
$ sudo systemctl start sshd
$ sudo systemctl stop sshd
$ sudo systemctl disable sshd

Removed /etc/systemd/system/multi-user.target.wants/sshd.service.
$ sudo systemctl enable sshd

Created symlink /etc/systemd/system/multi-user.target.wants/sshd.service →
/usr/lib/systemd/system/sshd.service.
systemd
$ systemctl status sshd
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2017-10-02 18:43:20 CDT; 3h 17min ago
Main PID: 480 (sshd)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/sshd.service
└─480 /usr/bin/sshd -D
Oct 02 21:40:47 hitman sshd[1068]: pam_unix(sshd:auth): check pass; user unknown

Oct 02 21:40:47 hitman sshd[1068]: pam_unix(sshd:auth): authentication failure; logname= uid=0
Oct 02 21:40:49 hitman sshd[1068]: Failed password for invalid user oracle from 212.129.23.95
Oct 02 21:41:13 hitman sshd[1068]: error: Received disconnect from 212.129.23.95 port 55494:3:
Oct 02 21:41:13 hitman sshd[1068]: Disconnected from invalid user oracle 212.129.23.95 port 55
systemd
$ sudo systemctl reload sshd
$ systemctl status sshd
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2017-10-29 15:38:30 CDT; 7min ago
Process: 23139 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 21818 (sshd)
Tasks: 3 (limit: 4915)
CGroup: /system.slice/sshd.service
├─21818 /usr/bin/sshd -D
├─23141 sshd: root [priv]
└─23142 sshd: root [net]
Oct 29 15:45:23 hitman systemd[1]: Reloading OpenSSH Daemon.

Oct 29 15:45:23 hitman sshd[21818]: Received SIGHUP; restarting.
Oct 29 15:45:23 hitman systemd[1]: Reloaded OpenSSH Daemon.
Oct 29 15:45:23 hitman sshd[21818]: /etc/ssh/sshd_config line 109: Deprecated option UsePrivil
Oct 29 15:45:23 hitman sshd[21818]: Server listening on 0.0.0.0 port 22.
Oct 29 15:45:23 hitman sshd[21818]: Server listening on :: port 22.
Oct 29 15:45:23 hitman sshd[23141]: rexec line 109: Deprecated option UsePrivilegeSeparation
systemd
 unit files
 types:
 services
 socket
 mount
 path
 timer
 locations:
 /etc/systemd/system
 /usr/lib/systemd/system
 don’t forget to reload the configuration
 systemctl daemon-reload
systemd
 systemctl list-units
$ systemctl list-units ssh*
UNIT LOAD ACTIVE SUB DESCRIPTION
sshd.service loaded active running OpenSSH server daemon
LOAD = Reflects whether the unit definition was properly loaded.

ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
1 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
systemd
 unit file for service
(httpd.service)
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true
[Install]
WantedBy=multi-user.target
systemd
 environment files for service
# (httpd)
# This file can be used to set additional environment variables for
# the httpd process, or pass additional options to the httpd
# executable.
#
# Note: With previous versions of httpd, the MPM could be changed by
# editing an "HTTPD" variable here. With the current version, that
# variable is now ignored. The MPM is a loadable module, and the
# choice of MPM can be changed by editing the configuration file
# /etc/httpd/conf.modules.d/00-mpm.conf.
#
#
# To pass additional options (for instance, -D definitions) to the
# httpd binary at startup, set OPTIONS here.
#
#OPTIONS=
#
# This setting ensures the httpd process is started in the "C" locale
# by default. (Some modules will not behave correctly if
# case-sensitive string comparisons are performed in a different
# locale.)
#
LANG=C
systemd
service with systemd demo

journald
 replaces (r)syslog / text log files
 will forward to syslog by default
 config in
/etc/systemd/journald.conf
journalctl
 last 10 lines (tail
/var/log/messages):
 journalctl -n 10
 follow (tail -f /var/log/message):

 journalctl -f
 view one specific service (unit):

 journalctl -u myservice
journalctl
 logs since specific times:
 journalctl -S ‘5 minutes ago’
 journalctl -S ‘2017-10-29 18:00’
 logs between specific times:

 journalctl -S ‘2017-10-29 18:00’ \
-U ‘2017-10-29 18:01’
journalctl
 json output:
$ journalctl -n 1 -o json-pretty
{
"__CURSOR" :
"s=33a7b1039e5c45a7b631379caea900bc;i=5636;b=ba33928d7ae34ceda89366cef3aaaf77;m=176c20e19f;t=5
"__REALTIME_TIMESTAMP" : "1509316072876208",
"__MONOTONIC_TIMESTAMP" : "100598342047",
"_BOOT_ID" : "ba33928d7ae34ceda89366cef3aaaf77",
"_TRANSPORT" : "syslog",
"SYSLOG_FACILITY" : "10",
"SYSLOG_IDENTIFIER" : "sshd",
"_UID" : "0",
"_GID" : "0",
"_COMM" : "sshd",
"_EXE" : "/usr/sbin/sshd",
"_CAP_EFFECTIVE" : "1fffffffff",
"_SYSTEMD_CGROUP" : "/system.slice/sshd.service",
"_SYSTEMD_UNIT" : "sshd.service",
"_SYSTEMD_SLICE" : "system.slice",
"_MACHINE_ID" : "fd8cf26e06e411e4a9d004010897bd01",
"_HOSTNAME" : "grid.systemj.net",
"PRIORITY" : "5",
"_CMDLINE" : "sshd: unknown [priv]",
"MESSAGE" : "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ss
"SYSLOG_PID" : "15754",
"_PID" : "15754",
"_SOURCE_REALTIME_TIMESTAMP" : "1509316072875211"
}
systemd
 systemd handles legacy init scripts
 /etc/init.d/*
 /etc/rc.d/*
 redirected legacy commands:

 service
 init
 telinit
 reboot
 shutdown
 ...
systemd
 tutorial:
https://www.digitalocean.com/community/tutorials/how-to-
use-systemctl-to-manage-systemd-services-and-units
 understanding unit files:

https://www.digitalocean.com/community/tutorials/underst
anding-systemd-units-and-unit-files
 converting sysv init scripts:

https://www.redhat.com/en/blog/converting-traditional-
sysv-init-scripts-red-hat-enterprise-linux-7-systemd-
unit-files
 cheat sheet:
https://access.redhat.com/articles/systemd-cheat-sheet
NetworkManager
 started by red hat in 2004
 to address modern networking (wireless)
 two components:
 NetworkManager daemon
 client configuration utils:
 nmtui
 nmcli
 control-center (gnome shell)
 plasma-nm (kde)
 etc
NetworkManager
 based around connection profiles (connections)
 config in /etc/NetworkManager
 executes scripts in dispatcher.d in response to
network events
 Script types
 up/down
 pre-up/pre-down
 vpn-up/down
 dhcp4-change
 etc…
 probably never need manually configure these
things
NetworkManager
 uses plugins to support connection
profiles in various formats:
 keyfile (default/native format)
 ifcfg-rh (redhat family)
 ifupdown (debian/ubuntu family)
 https://wiki.gnome.org/Projects/Networ
kManager/SystemSettings
NetworkManager
 connection profile (keyfile format)
# cat /etc/NetworkManager/system-connections/rootbeer
[connection]
id=rootbeer
uuid=7d71243d-7202-41dd-87c5-b7b0ba4e82a4
type=wifi
permissions=
[wifi]
mac-address=A4:17:31:CA:4D:D7
mac-address-blacklist=
mode=infrastructure
ssid=rootbeer
[wifi-security]
auth-alg=open
key-mgmt=wpa-psk
psk=notmypass
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
NetworkManager
 nmtui
NetworkManager
 nmcli - list connections
$ nmcli con show
NAME UUID TYPE DEVICE
2WIRE312 2a014226-6b7b-41e3-87e6-46ead85b6c02 802-11-wireless wlp2s0
Wired connection 1 8fb7ac50-f062-3921-8b8b-52ea14e32179 802-3-ethernet enp14s0
docker0 c367a1cd-f2d7-4d4b-83eb-8dbd3e5d07ba bridge docker0
2WIRE817 ce3b8db9-6bf6-4ae3-aa63-68c58906d534 802-11-wireless --
Brainspace-Guest ae9b4b30-6945-404c-9f0e-c19ff1587695 802-11-wireless --
DMS Guest 21a193c8-1530-4f7b-809f-e64dc5a28565 802-11-wireless --
DMS Member 84f9ec33-6482-43de-adfd-9340222d6a8b 802-11-wireless --
NetworkManager
 nmcli - device status
$ nmcli device status
DEVICE TYPE STATE CONNECTION
docker0 bridge connected docker0
enp14s0 ethernet connected Wired connection 1
wlp2s0 wifi connected 2WIRE312
lo loopback unmanaged --
$ nmcli dev
wlp2s0 wifi connected 2WIRE312
enp14s0 ethernet disconnected --
NetworkManager
 nmcli - list wifi access points
$ nmcli device wifi list
* SSID MODE CHAN RATE SIGNAL BARS SECURITY
* 2WIRE312 Infra 1 54 Mbit/s 93 ▂▄▆█ WPA2
rootbeer Infra 6 54 Mbit/s 64 ▂▄▆_ WPA2
Terrells Infra 9 54 Mbit/s 49 ▂▄__ WPA2
Terrells2 Infra 9 54 Mbit/s 47 ▂▄__ WPA2
MySpectrumWiFif0-2G Infra 11 54 Mbit/s 44 ▂▄__ WPA2
dlink-1322 Infra 4 54 Mbit/s 39 ▂▄__ WPA1 WPA2
ATT2AdZ9Jv Infra 11 54 Mbit/s 35 ▂▄__ WPA2
ATT4upXtxi Infra 1 54 Mbit/s 32 ▂▄__ WPA2
-- Infra 9 54 Mbit/s 32 ▂▄__ WPA2
tla7db12 Infra 4 54 Mbit/s 30 ▂___ WPA2
ATT3QHf3lu Infra 4 54 Mbit/s 30 ▂___ WPA2
-- Infra 11 54 Mbit/s 30 ▂___ WPA2
HP-Print-34-Photosmart 6520 Infra 1 54 Mbit/s 29 ▂___ --
MySpectrumWiFiac-2G Infra 1 54 Mbit/s 29 ▂___ WPA2
Topfuel1 Infra 1 54 Mbit/s 27 ▂___ WPA1 WPA2
Brewerwifi Infra 1 54 Mbit/s 27 ▂___ WPA1 WPA2
MyCharterWiFi03-2G Infra 6 54 Mbit/s 27 ▂___ WPA2
NetworkManager
 nmcli - connect to wireless network
$ sudo nmcli -a device wifi connect rootbeer
Password:
Device 'wlp2s0' successfully activated with '7d71243d-7202-41dd-87c5-b7b0ba4e82a4'.
$ nmcli con
Wired connection 1 8fb7ac50-f062-3921-8b8b-52ea14e32179 802-3-ethernet enp14s0
rootbeer 7d71243d-7202-41dd-87c5-b7b0ba4e82a4 802-11-wireless wlp2s0
2WIRE312 2a014226-6b7b-41e3-87e6-46ead85b6c02 802-11-wireless --
NetworkManager
 nmcli - show connection details
$ nmcli con show rootbeer
connection.id: rootbeer
connection.uuid: 4128b983-bd50-47cc-a37f-7635c5907632
connection.stable-id: --
connection.interface-name: --
connection.type: 802-11-wireless
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.timestamp: 1509582532
connection.read-only: no
connection.permissions: --
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries: --
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: -1 (default)
802-11-wireless.ssid: rootbeer
NetworkManager
 nmcli - show connection details
(brief)
$ nmcli -g ip4.address,ip4.gateway con show rootbeer
192.168.0.112/24
192.168.0.1
$ nmcli -g ip4 con show rootbeer

IP4:192.168.0.112/24:192.168.0.1::192.168.0.1::
NetworkManager
 nmcli - add a connection
$ sudo nmcli con add con-name wired ifname enp14s0 type ethernet \
ip4 192.168.0.120/24 gw4 192.168.0.1
Connection 'wired' (02ea571a-ae80-43eb-911e-0fc2822894bc) successfully added.
$ nmcli con show

wired 02ea571a-ae80-43eb-911e-0fc2822894bc 802-3-ethernet enp14s0
NetworkManager
 nmcli - modify a connection
$ nmcli -g ip4.address,ip4.gateway con show wired
192.168.0.120/24
192.168.0.1
$ sudo nmcli con mod wired ipv4.address 192.168.0.125/24

192.168.0.120/24
192.168.0.1
NetworkManager
 nmcli - set connection up/down
$ sudo nmcli con down wired
Connection 'wired' successfully deactivated (D-Bus active path:
/org/freedesktop/NetworkManager/ActiveConnection/14)
$ sudo nmcli dev

wlp2s0 wifi connected rootbeer
enp14s0 ethernet disconnected --
$ sudo nmcli con up wired

Connection successfully activated (D-Bus active path:
/org/freedesktop/NetworkManager/ActiveConnection/15)

192.168.0.125/24
192.168.0.1
NetworkManager
 nmcli - delete connection
$ sudo nmcli con del wired
Connection 'wired' (02ea571a-ae80-43eb-911e-0fc2822894bc) successfully deleted.
[jcs@gnulap ~]$ nmcli con
NetworkManager
 many more capabilities not covered:
 bridge interfaces
 vlan interfaces
 bonding / teams
 vpn / tun / ip-tunnel
 wwan (mobile broadband gsm / cdma)
 advanced routing
 see also:
 https://developer.gnome.org/NetworkManager/stabl
e/nmcli-examples.html
 https://wiki.gnome.org/Projects/NetworkManager
firewalld
 started by thomas woerner and jiri popelka at
red hat in 2010
 front-end for iptables
 uses services to define rule sets for various
network services
 uses zones as predefined sets of services and
rules for connections at various levels of
trust
 works with NetworkManager, docker, fail2ban,
libvirt, etc
 command line interface: firewall-cmd
 written in python
firewalld
 firewalld zones
 defines a level of trust for a connection
 public
 dmz
 internal
 home
 etc..
 each connection has a zone defined (the
“public” zone by default)
 probably not important for simple setups,
just use public :-)
firewalld
 services
 a firewalld service is predefined set
of rules needed by a particular
network service
 the rule definitions are in service
files written in xml
 /usr/lib/firewalld/services/
 you can create your own custom
services
firewalld
 example service files
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SSH</short>
<description>Secure Shell (SSH) is a protocol for logging into and executing commands on
remote machines. It provides secure encrypted communications. If you plan on accessing your
machine remotely via SSH over a firewalled interface, enable this option. You need the
openssh-server package installed for this option to be useful.</description>
<port protocol="tcp" port="22"/>
</service>
<?xml version="1.0" encoding="utf-8"?>

<service>
<short>DNS</short>
<description>The Domain Name System (DNS) is used to provide and request host and domain
names. Enable this option, if you plan to provide a domain name service (e.g. with
bind).</description>
<port protocol="tcp" port="53"/>
<port protocol="udp" port="53"/>
</service>
firewalld
 firewall-cmd
 command line interface to firewalld
 important command line options:
 --zone=
 --permanent
 don’t forget to reload (keeps state)
 firewall-cmd --reload
 useful but potentially harmful:
 firewall-cmd --runtime-to-permanent
firewalld
 list zones and services
# firewall-cmd --get-default
public
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc
bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6
dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps
freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http
https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd
kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe
ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis
pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind
rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap
spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks
transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
firewalld
 list services (default zone=public)
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewalld
 iptables has a lot of chains now
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
...
Chain IN_public (2 references)

IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)

...
firewalld
 add a service
# firewall-cmd --zone=public --add-service=https
success
public (active)
target: default
interfaces: enp0s3
sources:
services: ssh dhcpv6-client https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewalld
 iptables rule in place
# iptables -L -n
Chain INPUT (policy ACCEPT)
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
...
Chain IN_public (2 references)

IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)

firewalld
 remove a service
# firewall-cmd --zone=public --remove-service=https
success
public (active)
target: default
interfaces: enp0s3
sources:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewalld
 add a port without a service
# firewall-cmd --zone=public --add-port=8000/tcp
success
public (active)
target: default
interfaces: enp0s3
sources:
ports: 8000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewalld
 remove a port without a service
# firewall-cmd --zone=public --remove-port=8000/tcp
success
public (active)
target: default
interfaces: enp0s3
sources:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewalld
 misc
# firewall-cmd --list-services
ssh dhcpv6-client
# firewall-cmd --list-ports
8000/tcp
# firewall-cmd --get-active-zones
public
interfaces: enp0s3
firewalld
 use in scripts
# firewall-cmd --zone=public --query-service=ssh
yes
# echo $?
0
# firewall-cmd --zone=public --query-port=8000/tcp

yes
# firewall-cmd --zone=public --permanent --query-port=8000/tcp

no
# echo $?
1
firewalld
 not covered:
 rich rules (beyond basic syntax)
 direct rules (passthrough using iptables
syntax)
 resources
 http://www.firewalld.org/
 https://fedoraproject.org/wiki/Firewalld
 https://access.redhat.com/documentation/en-
us/red_hat_enterprise_linux/7/html/security
_guide/sec-using_firewalls
ip
 replaces ifconfig, arp, route
 not really new (linux 2.2 / april
1999)
 why are you still using ifconfig?
 written by:
Alexey N. Kuznetsov
Institute for Nuclear Research, Moscow
kuznet@ms2.inr.ac.ru
ip
 list interfaces/ip addresses
(ifconfig)
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 04:01:69:c8:3d:01 brd ff:ff:ff:ff:ff:ff
inet 104.131.150.132/20 brd 104.131.159.255 scope global eth0
inet6 2604:a880:1:20::b6:a001/64 scope global
ip
 list interface stats (ifconfig)
$ ip -s address

RX: bytes packets errors dropped overrun mcast
18149 144 0 0 0 0
TX: bytes packets errors dropped carrier collsns
18149 144 0 0 0 0

RX: bytes packets errors dropped overrun mcast
12602579 86537 0 0 0 0
TX: bytes packets errors dropped carrier collsns
18126172 100002 0 0 0 0
ip
 list links (ifconfig)
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT
qlen 1000
ip
 set link up/down (ifconfig)
$ sudo ip link set eno1 down
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
qlen 1000
3: eno1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc fq_codel master br0 state DOWN mode
DEFAULT group default qlen 1000
link/ether 60:a4:4c:52:37:81 brd ff:ff:ff:ff:ff:ff
$ sudo ip link set eno1 up
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
qlen 1000
3: eno1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP
mode DEFAULT group default qlen 1000
link/ether 60:a4:4c:52:37:81 brd ff:ff:ff:ff:ff:ff
ip
 configure ip address (ifconfig)
$ sudo ip addr add 10.1.2.3/27 dev eth0
$ ip address

inet 10.1.2.3/27 scope global eth0
ip
 remove ip address (ifconfig)
$ sudo ip addr del 10.1.2.3/27 dev eth0
$ ip address

ip
 list routes (route)
$ ip route
default via 192.168.0.1 dev br0 src 192.168.0.100 metric 204

192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.100 metric 204
ip
 add routes (route)
$ sudo ip route add 10.10.1.0/24 via 192.168.0.10
$ ip route
10.10.1.0/24 via 192.168.0.10 dev br0
ip
 remove routes (route)
$ sudo ip route del 10.10.1.0/24 via 192.168.0.10
$ ip route
ip
 show neighbors (arp)
$ ip neighbor
192.168.0.101 dev br0 lladdr 28:56:5a:79:d0:9f STALE

192.168.0.1 dev br0 lladdr f4:f2:6d:70:e2:46 REACHABLE
192.168.0.105 dev br0 lladdr 7c:c7:09:b6:09:92 REACHABLE
ss
 replaces netstat
 command arguments very similar to
netstat
 not really new (linux 2.4, Sept 2001)
 does not resolve ips to names by
default
 written by:
Alexey N. Kuznetsov
:-)
ss
 show listening / established tcp
sockets
# ss -tl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:ssh *:*
LISTEN 0 100 127.0.0.1:smtp *:*
LISTEN 0 128 :::ssh :::*
LISTEN 0 100 ::1:smtp :::*
# ss -t
ESTAB 0 0 192.168.0.111:ssh 192.168.0.100:53910
ss
 show listening tcp sockets with
processes
# ss -tlp
users:(("sshd",pid=954,fd=3))
LISTEN 0 100 127.0.0.1:smtp *:*
users:(("master",pid=1056,fd=13))
LISTEN 0 128 :::ssh :::*
users:(("sshd",pid=954,fd=4))
LISTEN 0 100 ::1:smtp :::*
users:(("master",pid=1056,fd=14))
ss
 add selinux contexts
# ss -tlpZ
users:(("sshd",pid=954,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=3))
LISTEN 0 100 127.0.0.1:smtp *:*
users:(("master",pid=1056,proc_ctx=system_u:system_r:postfix_master_t:s0,fd=13))
LISTEN 0 128 :::ssh :::*
users:(("sshd",pid=954,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=4))
LISTEN 0 100 ::1:smtp :::*
users:(("master",pid=1056,proc_ctx=system_u:system_r:postfix_master_t:s0,fd=14))
# ss -tpZ
ESTAB 0 0 192.168.0.111:ssh 192.168.0.100:53910
users:(("sshd",pid=1626,proc_ctx=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,fd=3))
tracepath
 alternative to traceroute
 more limited options
 does not require root permissions
 written by:
Alexey N. Kuznetsov!
tracepath
 simple trace
$ tracepath -n grid.systemj.net
1?: [LOCALHOST] pmtu 1500
1: 192.168.0.1 3.228ms
1: 192.168.0.1 6.227ms
2: no reply
3: 96.34.112.145 13.645ms
4: 96.34.112.180 16.916ms
5: 96.34.113.116 14.815ms
6: 96.34.2.32 23.709ms
7: 213.248.100.97 24.779ms
8: 62.115.123.137 54.422ms
9: 62.115.116.40 55.784ms
10: no reply
11: 138.197.249.168 61.223ms asymm 12
12: 104.131.150.132 62.503ms reached
Resume: pmtu 1500 hops 12 back 15
misc utils
 util-linux
 lscpu
 lsmem
 lsblk
 pciutils
 lspci
 usbutils
 lsusb
 lsscsi
 lsscsi
lscpu
 alternative to: cat /proc/cpu
$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 2
Core(s) per socket: 2
Socket(s): 1
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 58
Model name: Intel(R) Core(TM) i7-3537U CPU @ 2.00GHz
Stepping: 9
CPU MHz: 2494.307
CPU max MHz: 3100.0000
CPU min MHz: 800.0000
BogoMIPS: 4990.47
Virtualization: VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache: 256K
L3 cache: 4096K
NUMA node0 CPU(s): 0-3
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36
clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon
pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor
ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer
aes xsave avx f16c rdrand lahf_lm cpuid_fault epb tpr_shadow vnmi flexpriority ept vpid
fsgsbase smep erms xsaveopt dtherm ida arat pln pts
lsmem
 alternative to:
 free
 cat /proc/meminfo
$ lsmem
RANGE SIZE STATE REMOVABLE BLOCK
0x0000000000000000-0x0000000007ffffff 128M online no 0
0x0000000008000000-0x000000002fffffff 640M online yes 1-5
0x0000000030000000-0x0000000037ffffff 128M online no 6
0x0000000038000000-0x00000000afffffff 1.9G online yes 7-21
0x0000000100000000-0x0000000227ffffff 4.6G online yes 32-68
0x0000000228000000-0x000000024fffffff 640M online no 69-73
Memory block size: 128M

Total online memory: 8G
Total offline memory: 0B
lspci
$ lspci
00:00.0 Host bridge: Intel Corporation 3rd Gen Core processor DRAM Controller (rev 09)
00:02.0 VGA compatible controller: Intel Corporation 3rd Gen Core processor Graphics Controlle
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Co
00:16.0 Communication controller: Intel Corporation 7 Series/C216 Chipset Family MEI Controlle
00:1a.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family USB Enhanced Host Contr
00:1b.0 Audio device: Intel Corporation 7 Series/C216 Chipset Family High Definition Audio Con
00:1c.0 PCI bridge: Intel Corporation 7 Series/C216 Chipset Family PCI Express Root Port 1 (re
00:1c.1 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Por
00:1c.2 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Por
00:1d.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family USB Enhanced Host Contr
00:1f.0 ISA bridge: Intel Corporation HM76 Express Chipset LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation 7 Series Chipset Family 6-port SATA Controller [AHC
00:1f.3 SMBus: Intel Corporation 7 Series/C216 Chipset Family SMBus Controller (rev 04)
02:00.0 Network controller: Qualcomm Atheros AR9485 Wireless Network Adapter (rev 01)
08:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTS5209 PCI Express Card Read
0e:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gig
lspci
$ lspci -tv
-[0000:00]-+-00.0 Intel Corporation 3rd Gen Core processor DRAM Controller
+-02.0 Intel Corporation 3rd Gen Core processor Graphics Controller
+-14.0 Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Control
+-16.0 Intel Corporation 7 Series/C216 Chipset Family MEI Controller #1
+-1a.0 Intel Corporation 7 Series/C216 Chipset Family USB Enhanced Host Controller
+-1b.0 Intel Corporation 7 Series/C216 Chipset Family High Definition Audio Contro
+-1c.0-[02-07]----00.0 Qualcomm Atheros AR9485 Wireless Network Adapter
+-1c.1-[08-0d]----00.0 Realtek Semiconductor Co., Ltd. RTS5209 PCI Express Card Re
+-1c.2-[0e]----00.0 Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express
+-1d.0 Intel Corporation 7 Series/C216 Chipset Family USB Enhanced Host Controller
+-1f.0 Intel Corporation HM76 Express Chipset LPC Controller
+-1f.2 Intel Corporation 7 Series Chipset Family 6-port SATA Controller [AHCI mode
\-1f.3 Intel Corporation 7 Series/C216 Chipset Family SMBus Controller
lsusb
$ lsusb
Bus 002 Device 003: ID 0566:4006 Monterey International Corp.
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 05ca:18c4 Ricoh Co., Ltd
Bus 001 Device 004: ID 0489:e036 Foxconn / Hon Hai
Bus 001 Device 003: ID 04f3:002d Elan Microelectronics Corp.
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 003 Device 002: ID 2516:0011
lsusb
$ lsusb -t
/: Bus 04.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
/: Bus 03.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
|__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/2p, 480M
|__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/6p, 480M
|__ Port 3: Dev 3, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/2p, 480M
|__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/6p, 480M
|__ Port 2: Dev 4, If 0, Class=Wireless, Driver=, 12M
|__ Port 2: Dev 4, If 1, Class=Wireless, Driver=, 12M
|__ Port 3: Dev 5, If 0, Class=Video, Driver=uvcvideo, 480M
|__ Port 3: Dev 5, If 1, Class=Video, Driver=uvcvideo, 480M
lsscsi
$ lsscsi
[0:0:0:0] cd/dvd ASUS BC-12B1ST 1.02 /dev/sr0
[1:0:0:0] disk ATA Samsung SSD 840 6B0Q /dev/sda
[9:0:0:0] disk ATA WDC WD5000HHTZ-0 6A00 /dev/sdb
lsblk
# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 25G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 24G 0 part
├─centos-root 253:0 0 22G 0 lvm /
└─centos-swap 253:1 0 2G 0 lvm [SWAP]
sr0 11:0 1 1024M 0 rom
end of line

System D and More Commands

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

System D and More Commands

Uploaded by

Copyright:

Available Formats

command not

 read all about it:

 read all about it:

 enable / disable services on boot:

 script-able service status

 runlevel changes (targets):

$ sudo systemctl stop sshd

$ sudo systemctl disable sshd

$ sudo systemctl enable sshd

Oct 02 21:40:47 hitman sshd[1068]: pam_unix(sshd:auth): check pass; user unknown

Oct 29 15:45:23 hitman systemd[1]: Reloading OpenSSH Daemon.

LOAD = Reflects whether the unit definition was properly loaded.

service with systemd demo

 will forward to syslog by default

 follow (tail -f /var/log/message):

 view one specific service (unit):

 logs between specific times:

 redirected legacy commands:

 understanding unit files:

 converting sysv init scripts:

$ nmcli -g ip4 con show rootbeer

$ nmcli con show

$ sudo nmcli con mod wired ipv4.address 192.168.0.125/24

$ nmcli -g ip4.address,ip4.gateway con show wired

$ sudo nmcli dev

$ sudo nmcli con up wired

$ nmcli -g ip4.address,ip4.gateway con show wired

<?xml version="1.0" encoding="utf-8"?>

Chain IN_public (2 references)

Chain IN_public_allow (1 references)

Chain IN_public_deny (1 references)

Chain IN_public (2 references)

Chain IN_public_allow (1 references)

# firewall-cmd --zone=public --query-port=8000/tcp

# firewall-cmd --zone=public --permanent --query-port=8000/tcp

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

$ sudo ip link set eno1 up

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

default via 192.168.0.1 dev br0 src 192.168.0.100 metric 204

192.168.0.101 dev br0 lladdr 28:56:5a:79:d0:9f STALE

Memory block size: 128M

You might also like