User:Tom/RHCE EX300
RHCSA & RHCE Red Hat Enterprise Linux 7: Training and Exam Preparation Guide (EX200 and EX300), third edition, March 2015, by Asghar Ghori
RHCE
Chapter 14 Writing Shell Scripts
nl Number lines of files.
bash -x Debug a script (trace each command as it runs).
Command line arguments: $0 script name, $1 first argument, $# number of arguments, $* all arguments, $$ PID of the script. Use ${10} for arguments above 9.
shift Move arguments (drop $1; $2 becomes $1).
echo -e Enables interpretation of backslash escapes.
read Var Read user input from the keyboard into variable Var.
$? Exit code of the last command.
test Test conditions (man test), e.g. int1 -eq int2.
if condition; then action; else action; fi
if condition; then action; elif condition; then action; else action; fi
for ... do ... done, while ... do ... done, until ... do ... done
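As an added example (not from the book or these notes), the script below exercises the constructs listed above in one place: $#, $1, shift, test with -lt/-gt, if/elif/else, a while loop and $?. It validates a list of port numbers, which is the check a script should do before it hands arguments to firewall-cmd. The function names are my own.

```bash
#!/bin/bash
# validate_ports: accept only whole numbers between 1 and 65535.
# Returns 0 when every argument passes, 1 otherwise.
validate_ports() {
    local bad=0                      # number of rejected arguments
    local total=$#                   # $# shrinks as we shift, so remember it
    while [ $# -gt 0 ]; do           # loop until shift has consumed all arguments
        case "$1" in
            ''|*[!0-9]*)             # empty, or contains a non-digit
                echo "rejected (not a number): '$1'" >&2
                bad=$((bad + 1)) ;;
            *)
                # Length guard first: a 20-digit string would overflow the
                # integer comparison in [ ] and produce a misleading error.
                if [ "${#1}" -gt 5 ] || [ "$1" -gt 65535 ]; then
                    echo "rejected (above 65535): $1" >&2
                    bad=$((bad + 1))
                elif [ "$1" -lt 1 ]; then
                    echo "rejected (below 1): $1" >&2
                    bad=$((bad + 1))
                else
                    echo "ok: $1"
                fi ;;
        esac
        shift                        # drop $1; $2 becomes $1
    done
    echo "checked $total argument(s), $bad rejected" >&2
    [ "$bad" -eq 0 ]                 # the function's exit status
}

# count_args: returns the argument count as its exit status, so that
# "$?" after the call shows how a status is picked up from a function.
count_args() {
    return $#
}

# Only acts when the script itself is given arguments, e.g.
#   bash -x ./ports.sh 22 80 443 70000 abc
if [ $# -gt 0 ]; then
    validate_ports "$@"
    echo "validate_ports exit code: $?"
fi
```

Run it with bash -x to watch each test and shift happen; the exit code of validate_ports is what a calling script should check before opening anything.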
Chapter 15 Configuring Bonding, Teaming, IPv6 and Routing
Link Aggregation
Link aggregation is a term for combining the capabilities of two or more physical or virtual Ethernet network interfaces to function as a single network pipe. RHEL7 supports two link aggregation methods, referred to as bonding and teaming.
Interface Bonding
Interface bonding provides the ability to bind two or more network interfaces together into a single logical bonded channel that acts as the master for all slave interfaces added to it. Support for bonding is integrated entirely into the kernel as a loadable module. This module is called bonding.
Interface Teaming
Interface teaming is introduced in RHEL7 as an additional choice for implementing enhanced throughput and fault tolerance at the network interface level. Teaming is a new implementation. Teaming handles the flow of network packets faster than bonding does. And, unlike bonding, which is accomplished purely in kernel space and provides no user control over its operation, teaming only requires the integration of the essential code into the kernel; the rest is implemented via the teamd daemon, which gives users the ability to control it with the teamdctl command.
modprobe bonding Add and remove modules from the kernel.
modinfo bonding Show information about a kernel module.
uuidgen eth2 Generate UUIDs.
If NetworkManager is active:
systemctl status NetworkManager
nmcli dev status
nmcli con add type bond con-name bond0 ifname bond0 mode balance-rr ip4 192.168.122.112 gw4 192.168.122.1
nmcli con add type bond-slave ifname eth1 master bond0
nmcli con up bond0
nmcli con show
nmtui
yum install teamd Install the teaming software.
modprobe team
modinfo team
nmcli con add type team con-name team0 ifname team0 ip4 192.168.122.122/24 gw4 192.168.122.1
nmcli con add type team-slave con-name eth4 ifname eth4 master team0
nmtui, nm-connection-editor Graphical network administration tools, including bonding and teaming.
teamd, teamdctl, teamnl Teaming daemon and control tools.
IPv6 128-bit address, e.g. 1204:bab1:21d1:bb43:23a1:9bde:87df:bac9. Both IPv4 and IPv6 addresses can be set on one adapter.
ping6
RIP Routing Information Protocol. OSPF Open Shortest Path First.
ip route, route, netstat -rn Show the routing table.
ip route add, ip route del Add or delete a route.
Files
/etc/sysconfig/network-scripts/ifcfg-bond0
/ifcfg-eth2
/ifcfg-eth3
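After bringing a bond up with nmcli, the check worth doing is whether the bonding driver actually sees every slave as up. The following is an added example (not from the book or these notes) that reads the driver's status file, /proc/net/bonding/bond0, and fails when the bond or any slave is down. The sample status text and the interface names and MAC addresses in it are constructed for offline testing; the function name is my own.

```bash
#!/bin/bash
# bond_check [statusfile]: prints "master=<up|down> slaves=<n> up=<n>" and
# returns 0 only when the bond is up and every slave reports MII Status: up.
bond_check() {
    local status_file="${1:-/proc/net/bonding/bond0}"
    [ -r "$status_file" ] || { echo "cannot read $status_file" >&2; return 2; }
    awk '
        # The first "MII Status" line belongs to the bond itself; each one
        # after a "Slave Interface" line belongs to that slave.
        /^Slave Interface:/ { slaves++; in_slave = 1; next }
        /^MII Status:/ {
            if (in_slave) { if ($3 == "up") up++ }
            else          { master = $3 }
        }
        END {
            printf "master=%s slaves=%d up=%d\n", master, slaves + 0, up + 0
            if (master == "up" && slaves > 0 && up == slaves) exit 0
            exit 1
        }' "$status_file"
}

# Constructed sample in the format of /proc/net/bonding/bond0: one slave up,
# one slave down, so bond_check must report the problem.
make_sample_bond_status() {
    cat <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 52:54:00:aa:bb:01
Slave queue ID: 0

Slave Interface: eth2
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 52:54:00:aa:bb:02
Slave queue ID: 0
EOF
}
```

On a live system run bond_check with no argument (or with /proc/net/bonding/team-less bonds by name); a non-zero exit is the signal to look at nmcli con show and the slave's link state before trusting the redundancy.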
Chapter 16 Synchronizing Time with NTP
ntpd uses UDP over well-known port 123.
NTP roles: Primary NTP server, Secondary NTP server, NTP peer, NTP client.
NTP Client can be configured as a polling, broadcast, multicast or manycast client.
Packages: ntp and ntpdate. Commands: ntpdate, ntpq, ntpd and ntpstat.
NTP configuration file: /etc/ntp.conf. Key directives: driftfile, logfile, restrict, server, peer, broadcast, crypto, includefile, keys. See man ntp.conf.
firewall-cmd --permanent --add-service ntp; firewall-cmd --reload
Package system-config-date provides the system-config-date tool. The output of ntpq -p is important.
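Because Kerberos (chapter 17) refuses tickets when clocks drift, it pays to check ntpq -p from a script. Added example, not from the book or these notes: a function that reads ntpq -p output from stdin and returns 0 only when a system peer (the line tagged *) is selected and its reach is 377, i.e. the last eight polls all succeeded. The sample outputs are constructed (made-up addresses and names); the function name is my own.

```bash
#!/bin/bash
# Usage on a live host:  ntpq -p | ntp_sync_check
ntp_sync_check() {
    awk '
        NR <= 2 { next }                          # header line and ===== line
        substr($0, 1, 1) == "*" {
            sub(/^\*/, "")                        # drop the tally mark so $1 is the remote
            syspeer = $1; reach = $7; offset = $9
        }
        END {
            if (syspeer == "") { print "no system peer selected"; exit 1 }
            printf "syspeer=%s reach=%s offset=%s\n", syspeer, reach, offset
            if (reach != "377") exit 1            # peer chosen, but recent polls failed
            exit 0
        }'
}

# Constructed sample: synchronised to a stratum-1 source, one candidate (+),
# one peer still initialising.
sample_ntpq_ok() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.0.1     .GPS.            1 u   38   64  377    0.412   -0.023   0.011
+ntp2.example.co 192.168.0.1      2 u   20   64  377    1.208    0.150   0.041
 ntp3.example.co .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Constructed sample: ntpd running but no peer reachable yet.
sample_ntpq_unsynced() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.0.1     .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}
```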
Chapter 17 Working with Firewalld and Kerberos
Network Zones
Firewalld zones classify incoming network traffic for simplified firewall management. Zones define the level of trust for network connections based on criteria such as the source IP or the network interface of the incoming traffic. Inbound traffic is checked against the zone settings and handled according to the rules configured in that zone. Each zone can have its own list of services and ports that are opened or closed.
Firewalld provides nine zones by default. These system-defined zone files are XML-formatted and are located in the /usr/lib/firewalld/zones directory. The public zone is the default zone.
Services
A service typically contains a port number, protocol, and an IP address. Service configuration is stored in separate XML files located in /usr/lib/firewalld/services. The configuration files in the user-defined service directory take precedence over the ones located in the other directory.
Ports can also be defined directly without using the service configuration technique. In essence, defining network ports does not require the presence of a service or a service configuration file.
Direct Interface and Rich Language
Firewalld offers the possibility to pass security rules directly to iptables using the direct interface mode, but these rules are not persistent. To address this problem, Firewalld supports a high-level language, called the rich language, that allows us to build complex rules without knowledge of the iptables syntax.
The rich language uses several elements to set rules and name them. These elements include a source address or range with an appropriate netmask, a destination address or range, a service name, a port number or range, a protocol, masquerade (enable or disable), forward-port (the destination port or range to divert traffic to), log and log level, and an action (accept, reject, drop).
Network Address Translation and IP Masquerading
Network Address Translation (NAT) refers to the process of altering the IP address of a source or destination network that is enclosed in a datagram packet header while it passes through a device that supports this type of modification. In other words, NAT allows a system on the internal network (home or corporate network) to access an external network (the internet) using a single registered IP address configured on an intermediary device (a router or firewall).
IP Masquerading is a variant of NAT and it allows several systems on the internal network (192.168.0.0) to access the Internet using that single IP of the intermediary device.
Port Forwarding
We may have to redirect inbound traffic to a port to access an application servicing on that port on our internal system. This port is defined on the intermediary device (router or netfilter module on RHEL). For example, to allow external access to the HTTP service listening on port 8080 on an internal system, both internal system IP and port number are defined on the intermediary device to ensure inbound requests are forwarded to the desired destination. This feature is referred to as port forwarding or port mapping.
Managing Firewalld
Firewalld Commands
firewall-cmd --state Check if firewalld is running. firewall-cmd --reload Reload the permanent rules.
systemctl status firewalld Check if firewalld is running. systemctl restart firewalld Restart the service.
Firewall Command Options for Zone Management
firewall-cmd --get-default-zone or --set-default-zone
--get-active-zones or --get-zones
--list-all or --list-all-zones
--new-zone or --delete-zone
--permanent Used to make a permanent change. Creates or updates the appropriate zone files.
--zone Used for operations on a non-default zone.
Firewall Command Options for Service Management
firewall-cmd --get-services Displays available services.
--list-services List services for a zone.
--query-service Tells whether a service is added.
--add-service Adds a service to the zone.
--remove-service Removes a service from a zone.
--new-service Adds a new service.
--delete-service Deletes an existing service.
--zone Used for operations on a non-default zone.
Firewall Command Options for Port Management
firewall-cmd --list-ports Lists ports added to a zone.
--add-port Adds a port to a zone.
--remove-port Removes a port from a zone.
--query-port Checks whether a port is added to a zone.
--permanent Used with the add and remove options for persistence.
--zone Used for operations on a non-default zone.
Firewall Command Options for Using Rich Language Rules
firewall-cmd --list-rich-rules
--add-rich-rule
--remove-rich-rule
--query-rich-rule
--permanent
--zone
Add a persistent rich rule to the default zone to allow inbound HTTP access from network 192.168.3.0/24. This rule should log messages with prefix "HTTP Allow rule" at the info level.
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.3.0/24" service name="http" log prefix="HTTP Allow Rule" level="info" accept' --permanent
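The rich rule above is easy to get wrong by hand (the quoting alone has two levels), so here is an added example, not from the book or these notes, that builds the same rule from its parts, validates each part first, and prints the firewall-cmd line that would apply it. It prints only; run the printed command as root once it looks right. The function names are my own.

```bash
#!/bin/bash
# rich_rule_allow <source-cidr> <service> <log-prefix> [log-level]
# Prints e.g.:
#   rule family="ipv4" source address="192.168.3.0/24" service name="http" log prefix="HTTP Allow Rule" level="info" accept
rich_rule_allow() {
    local src="$1" service="$2" prefix="$3" level="${4:-info}"
    # Require dotted-quad/prefix-length form; a bare address would match one host only.
    printf '%s\n' "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
        || { echo "bad IPv4 network (want a.b.c.d/len): $src" >&2; return 1; }
    # firewalld service names are plain words (ssh, http, https, ...).
    case "$service" in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $service" >&2; return 1 ;;
    esac
    # The prefix ends up inside double quotes inside single quotes: forbid both.
    case "$prefix" in
        *\"*|*\'*) echo "log prefix must not contain quotes" >&2; return 1 ;;
    esac
    # Log levels accepted by firewalld.richlanguage(5).
    case "$level" in
        emerg|alert|crit|error|warning|notice|info|debug) ;;
        *) echo "bad log level: $level" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" service name="%s" log prefix="%s" level="%s" accept\n' \
        "$src" "$service" "$prefix" "$level"
}

# firewall_cmd_line <zone-or-empty> <rule>: the persistent firewall-cmd invocation.
# The rule is wrapped in single quotes because it contains double quotes.
firewall_cmd_line() {
    local zone="$1" rule="$2"
    if [ -n "$zone" ]; then
        printf "firewall-cmd --permanent --zone %s --add-rich-rule '%s'\n" "$zone" "$rule"
    else
        printf "firewall-cmd --permanent --add-rich-rule '%s'\n" "$rule"
    fi
}

# Dry run for the default zone (prints the command, applies nothing):
#   rule=$(rich_rule_allow 192.168.3.0/24 http "HTTP Allow Rule" info) && firewall_cmd_line "" "$rule"
```

Remember that --permanent alone does not change the running firewall: follow the printed command with firewall-cmd --reload, then confirm with firewall-cmd --list-rich-rules.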
Firewalld Command Options for Masquerade Management
firewall-cmd --add-masquerade Adds a masquerade to a zone.
--remove-masquerade
--query-masquerade
--permanent
--zone
Add masquerading support to the external zone:
firewall-cmd --add-masquerade --zone external
Firewalld Command Options for Port Forwarding
firewall-cmd --list-forward-ports
--add-forward-port
--remove-forward-port
--query-forward-port
--permanent
--zone
Forward inbound telnet traffic to port 1000 on the same system:
firewall-cmd --zone external --add-forward-port port=23:proto=tcp:toport=1000 --permanent
Forward inbound ftp traffic to port range 1001 to 1005 on the same system:
firewall-cmd --zone external --permanent --add-forward-port port=21:proto=tcp:toport=1001-1005
Forward inbound smtp traffic to the same port number but to IP 192.168.0.121:
firewall-cmd --zone external --permanent --add-forward-port port=25:proto=tcp:toaddr=192.168.0.121
Forward inbound tftp traffic to 192.168.0.121:1010
firewall-cmd --zone external --permanent --add-forward-port port=69:proto=udp:toport=1010:toaddr=192.168.0.121
Firewalld Command Summary
firewall-config Firewalld GUI configuration tool.
firewall-cmd --state, --get-default-zone, --get-active-zones, --get-zones, --list-all, --list-all-zones
--list-all --zone public
--new-zone testzone --permanent, --delete-zone testzone --permanent
--get-services
--list-services
--query-service
--list-ports --add-port --remove-port --query-port --permanent --zone
--list-rich-rules --add-rich-rule --remove-rich-rule --query-rich-rule --permanent --zone
--add-masquerade --remove-masquerade --query-masquerade --permanent --zone
--list-forward-ports --add-forward-port --remove-forward-port --query-forward-port --permanent --zone
Firewalld Files
/etc/firewalld Firewalld configuration files. /etc/firewalld/zones User-defined zones. /etc/firewalld/services User-defined services.
/usr/lib/firewalld/zones System-defined zones. /usr/lib/firewalld/services Service configuration.
/var/log/messages /var/log/secure
Understanding and Managing Kerberos
Kerberos uses port 88 for general communication and port 749 for the administration of the Kerberos database via commands such as kadmin and kpasswd. The Kerberos ticketing system relies heavily on resolving hostnames and on accurate timestamps to issue and expire tickets. It therefore requires adequate clock synchronisation and a working DNS (or an accurate /etc/hosts) to function correctly.
Terminology
- Authentication: The process of verifying the identity of a user or service.
- Authentication Service (AS): A service that runs on the Key Distribution Center (KDC) server to authenticate clients and issue initial tickets.
- Client: A user or service (such as NFS or Samba) that requests the issuance of tickets to use network services.
- Credentials: A ticket along with the relevant encryption keys.
- Principal: A verified client (user or service) that is recorded in the KDC database and to which the KDC can assign tickets.
- Realm: The administrative territory of a KDC, with one or more KDCs and several principals.
- Service Host: A system that runs a kerberized service that clients can use.
- Session key: An encrypted key that is used to secure communication among clients, KDCs and service hosts.
- Service Ticket: An encrypted digital certificate used to authenticate a user to a specific network service. It is issued by the TGS after validating a user's TGT, and it contains a session key, the principal name, the expiration time, and more.
- Ticket Granting Service (TGS): A service that runs on the KDC to generate and issue service tickets to clients.
- Ticket Granting Ticket (TGT): An initial encrypted digital certificate that is used to identify the client to the TGS at the time of requesting service tickets. It is issued by the AS after validating the client's presence in the KDC database.
How Kerberos Authenticates clients
The Kerberos authentication process can be separated into three parts: an initial stage of getting a TGT (passport), a service stage to obtain a service ticket (visa), and access to the service (travel to the visa-issuing country).
A user contacts the AS for initial authentication via the kinit command. The AS asks for the user's password, validates it and generates a TGT for the user. The AS also produces a session key using the user's password. The AS returns the credentials (TGT plus session key) to the user. The credentials are saved in the client's credential cache.
Later, when the user needs to access a service running on a remote service host, they send the TGT and the session key to the TGS asking to grant the desired access. The TGS verifies the user's credentials by decrypting the TGT, assembles a service ticket for the desired service and encrypts it with the host's secret key. It transmits the service ticket to the user along with a session key. The user stores the service ticket in their credential cache. The user presents these credentials to the service host, which decrypts the service ticket with its secret key and validates the user's identity and the authorisation to access the service. The user is then allowed to access the service.
Kerberos Packages and Utilities
Packages krb5-server krb5-workstation
kinit Obtains and caches a TGT.
kdestroy Destroys tickets stored in the credential cache.
klist Lists cached tickets.
kpasswd Changes a principal's password.
kadmin Administers the Kerberos database via the kadmind daemon.
kadmin.local Same as kadmin, but performs operations directly on the KDC database.
Configure a Client to Authenticate Using Kerberos
Install the required package with #yum install krb5-workstation and ensure that /etc/krb5.conf has the following directives set:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Log in as the root principal (assumed to have been added as part of the Kerberos server setup) and add server1 as a host principal to the KDC database:
#kadmin -p root/admin
kadmin: addprinc -randkey host/server1.example.com
While logged in, extract the principal's key and store it locally in a keytab file called krb5.keytab in the /etc directory.
kadmin: ktadd -k /etc/krb5.keytab host/server1.example.com
Activate the use of Kerberos for authentication:
#authconfig --enablekrb5 --update
Edit the /etc/ssh/ssh_config client configuration file and ensure the following two lines are set as shown:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Log in as user1 and execute the kinit command to obtain a TGT from the KDC. Enter the password for user1 when prompted:
$kinit
Password for user1@EXAMPLE.COM:
List the TGT details received in the previous step:
$klist
Chapter 18 Tuning Kernel Parameters, Reporting System Usage and Logging Remotely
Understanding and Tuning Kernel Parameters
Run-Time Parameters
Run-time parameters control the kernel behaviour while the system is operational. The current list of active run-time parameters can be viewed with the command sysctl -a.
Run-time values for these parameters are stored in various files located under sub-directories of /proc/sys and can be altered on the fly by changing the associated files. Temporary changes can be made with the sysctl or echo command. To make a change survive across system reboots, the value must be defined in the /etc/sysctl.conf file or in a file under the /etc/sysctl.d directory.
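Added example (not from the book or these notes) of the two steps just described, as shell functions: set the run-time value by writing the /proc/sys file, record it in a drop-in under /etc/sysctl.d so it survives a reboot, and then check the two against each other, which is how you catch a parameter that was changed on the fly but never persisted. PROC_ROOT and SYSCTL_D are hypothetical variables I added so the functions can be exercised against a scratch directory; on a real host leave them at their defaults and run as root. Function names are my own.

```bash
#!/bin/bash
PROC_ROOT="${PROC_ROOT:-/}"              # prefix in front of /proc/sys (scratch dir in tests)
SYSCTL_D="${SYSCTL_D:-/etc/sysctl.d}"    # where the persistent drop-in goes

# Convert a dotted key (net.ipv4.ip_forward) into its /proc/sys file path.
sysctl_path() {
    printf '%s/proc/sys/%s\n' "${PROC_ROOT%/}" "$(printf '%s' "$1" | tr . /)"
}

# Current run-time value, the same thing "sysctl <key>" would print.
sysctl_get() {
    cat "$(sysctl_path "$1")"
}

# Apply a value now (echo into /proc/sys) and persist it in a drop-in file.
# sysctl_set_persist <key> <value> [dropin-filename]
sysctl_set_persist() {
    local key="$1" value="$2" dropin="${3:-99-local.conf}"
    local path; path="$(sysctl_path "$key")"
    [ -w "$path" ] || { echo "no such parameter or not writable: $key" >&2; return 1; }
    printf '%s\n' "$value" > "$path"               # the temporary change
    mkdir -p "$SYSCTL_D"
    local file="$SYSCTL_D/$dropin"
    touch "$file"
    if grep -q "^$key[[:space:]]*=" "$file"; then  # replace an existing line for this key
        sed -i "s|^$key[[:space:]]*=.*|$key = $value|" "$file"
    else                                           # otherwise append one
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Compare every persisted key with its run-time value; returns 1 on any drift.
sysctl_check_persisted() {
    local rc=0 file key value current
    for file in "$SYSCTL_D"/*.conf; do
        [ -f "$file" ] || continue
        while IFS='=' read -r key value; do
            key="$(printf '%s' "$key" | tr -d '[:space:]')"
            value="$(printf '%s' "$value" | tr -d '[:space:]')"
            [ -n "$key" ] && [ "${key#\#}" = "$key" ] || continue    # skip blanks and comments
            current="$(sysctl_get "$key" 2>/dev/null)" \
                || { echo "$key: persisted but not present in /proc/sys" >&2; rc=1; continue; }
            if [ "$current" != "$value" ]; then
                echo "$key: running=$current persisted=$value" >&2
                rc=1
            fi
        done < "$file"
    done
    return $rc
}
```

sysctl -p and the boot-time sysctl --system read the same drop-in files, so a clean sysctl_check_persisted run means what is in the kernel now is what will be there after the next reboot.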
Boot-Time Parameters
Boot-time parameters, also referred to as command-line options, affect the boot behaviour of the kernel. Their purpose is to pass any hardware specific information that the kernel would not be able to determine automatically. Boot-time parameters are supplied to the kernel via the GRUB2 interface. The entire boot string along with the command-line options can be viewed after boot with cat /proc/cmdline. Defaults are stored in /boot/grub2/grub.cfg.
Generating System Usage Reports
The sysstat Toolset
The sysstat toolset includes several additional monitoring and performance reporting commands such as cifsiostat, iostat, mpstat, nfsiostat, pidstat, sadf and sar. The sysstat service references two configuration files, sysstat and sysstat.ioconf, located in the /etc/sysconfig directory.
In addition to the two configuration files, a cron job file /etc/cron.d/sysstat is available.
The dstat Tool
The dstat package includes a single monitoring and reporting tool, which is called dstat.
Logging System Messages Remotely
Local and remote logging is supported by the rsyslogd service. Configuration files are /etc/rsyslog.conf and the /etc/rsyslog.d directory.
Configure a System as a Loghost
Open /etc/rsyslog.conf and uncomment the following two directives:
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
Add TCP port 514 to the default firewalld zone, and load the new rule:
#firewall-cmd --permanent --add-port 514/tcp
#firewall-cmd --reload
Set the correct SELinux port type on TCP port 514:
#semanage port -a -t syslogd_port_t -p tcp 514
Enable and restart the rsyslog service:
#systemctl enable rsyslog
#systemctl restart rsyslog
Configure a System as a Loghost Client
Open /etc/rsyslog.conf file and add the following to the bottom of the file:
*.* @@192.168.0.120:514
Set the rsyslog service to autostart at each system reboot, restart rsyslog and check its operating state:
#systemctl enable rsyslog
#systemctl restart rsyslog
#systemctl status rsyslog
Generate a custom log message:
#logger -i "This is a test message from root on server 1"
Log on to the loghost and tail the /var/log/messages file:
#tail /var/log/messages
...
sysctl -a, sysctl -p
/proc/sys
echo 18 >/proc/sys/...
/etc/sysctl.conf, /etc/sysctl.d, /usr/lib/sysctl.d/00-system.conf
/boot/grub2/grub.cfg, /proc/cmdline Boot-time parameters aka command-line options
df, vmstat, top
Package sysstat: cifsiostat, iostat, mpstat, nfsiostat, pidstat, sa1, sa2, sadc, sadf, sar. Files: /etc/sysconfig/sysstat, /etc/sysconfig/sysstat.ioconf, /etc/cron.d/sysstat
Package dstat: dstat
Chapter 19 Sharing Block Storage with iSCSI
iSCSI is a storage networking protocol used to share a computer's local storage with remote clients using the SCSI command set over an existing IP network infrastructure. The client sees the shared storage as a locally attached hard disk and can use any available tool to manage it.
Understanding the iSCSI Protocol
The Internet Small Computer System Interface (iSCSI) is a storage networking transport protocol that carries SCSI commands over IP networks, including the internet.
Unlike the NFS and CIFS protocols that are used for network filesharing, iSCSI presents the network storage to clients as a local raw block disk drive. In iSCSI nomenclature, a storage server is referred to as a target and a client is referred to as an initiator.
Terminology
The iSCSI technology has several terms. The most important terms are described below.
- ACL: An ACL (Access Control List) controls an iSCSI client's access to target LUNs.
- Addressing: iSCSI assigns a unique address to each target server. It supports multiple addressing formats. The IQN (iSCSI Qualified Name) is the most common.
- Alias: An alias is an optional string of up to 255 characters that may be defined to give a description to an iSCSI LUN.
- Authentication: Authentication allows initiators and targets to prove their identity at the time of discovery and normal access. CHAP-based authentication (Challenge-Handshake Authentication Protocol) uses usernames and passwords, but hides the passwords from network transmission. These methods are referred to as CHAP initiator authentication and mutual CHAP authentication. The third option, demo mode, is the default option and is used to disable the authentication feature.
- Backstore: A backstore is a local storage resource that serves as the backend for the LUN presented to the initiator. A backstore can be any physical or virtual disk (block), a plain file (fileio) or a ramdisk image.
- Initiator: An initiator is a client system that accesses LUNs presented by a target server. Initiators are either software- or hardware-driven. A software initiator is a kernel module that uses the iSCSI protocol to emulate a discovered LUN as a block SCSI disk. A hardware initiator uses a dedicated piece of hardware called an HBA. An HBA offloads the system processors, resulting in improved system performance.
- iSNS: iSNS (Internet Storage Name Service) is a protocol that is used by an initiator to discover shared LUNs.
- LUN: A LUN (Logical Unit Number) represents a single addressable logical SCSI disk that is exported on the target server.
- Node: A node is a single discoverable object on the iSCSI SAN. It may represent a target server or an initiator. A node is identified by its IP address or a unique iSCSI address.
- Portal: A portal is a combination of an IP address and TCP port that a target server listens on and initiators connect to. iSCSI uses TCP port 3260 by default.
- Target: A target is a server that emulates a backstore as a LUN for use by an initiator over an iSCSI SAN. A target may be a dedicated hardware RAID array or a RHEL server with the appropriate software support loaded.
- TPG: A TPG (Target Portal Group) represents one or more network portals assigned to a target LUN for running iSCSI sessions for that LUN.
Packages
A single package, targetcli, needs to be installed on the target server in order to provide the iSCSI target functionality. On the client side iscsi-initiator-utils package is installed. This package brings the iscsiadm management command and /etc/iscsi/iscsid.conf file.
Managing iSCSI Target Server and Initiator
Managing iSCSI on the target servers involves setting up a backstore, building an iSCSI target on the backstore, assigning a network portal, creating a LUN, exporting the LUN, establishing an ACL, and saving the configuration.
Managing iSCSI on the initiator involves discovering a target server for LUNs, logging on to discovered target LUNs, and using disk management tools to partition, format and mount the LUNs.
Understanding the targetcli Command for Target Administration
The targetcli command is an administration shell that allows you to display, create, modify and delete target LUNs. Several kernel modules are loaded into memory to support the setup and operation. You can view the modules that are currently loaded by running the lsmod command:
[root@server2 ~]# lsmod|grep target
target_core_pscsi      19318  0
target_core_file       27472  2
target_core_iblock     27510  2
iscsi_target_mod      295398  9
target_core_mod       371914  19 target_core_iblock,target_core_pscsi,iscsi_target_mod,target_core_file
crc_t10dif             12714  1 target_core_mod
[root@server2 ~]#
The targetcli command invokes a shell interface. Available subcommands can be viewed with the help subcommand.
ls Shows the downward view of the tree from the current location.
pwd Displays the current location in the tree.
cd Navigates in the tree.
exit Quits the interface.
saveconfig Saves the modifications.
get/set Gets (or sets) configuration attributes.
sessions Displays details for open sessions.
Use the ls, pwd and cd commands to navigate in the object hierarchy.
[root@server2 ~]# targetcli
targetcli shell version 2.1.fb41
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> pwd
/
/> ls
o- / ......................................................................... [...]
  o- backstores .............................................................. [...]
  | o- block .................................................... [Storage Objects: 1]
  | | o- iscsidisk1 ......................... [/dev/vdb (2.0GiB) write-thru activated]
  | o- fileio ................................................... [Storage Objects: 1]
  | | o- iscsifile1 .............. [/usr/iscsifile1.img (50.0MiB) write-back activated]
  | o- pscsi .................................................... [Storage Objects: 0]
  | o- ramdisk .................................................. [Storage Objects: 0]
  o- iscsi .............................................................. [Targets: 2]
  | o- iqn.2016-01.com.example.server2:iscsifile1 .......................... [TPGs: 1]
  | | o- tpg1 .................................................... [gen-acls, no-auth]
  | |   o- acls ............................................................ [ACLs: 0]
  | |   o- luns ............................................................ [LUNs: 1]
  | |   | o- lun0 .......................... [fileio/iscsifile1 (/usr/iscsifile1.img)]
  | |   o- portals ...................................................... [Portals: 1]
  | |     o- 192.168.122.102:3260 ............................................... [OK]
  | o- iqn.2016-01.roggeware.nl.server2:iscsidisk1 ......................... [TPGs: 1]
  |   o- tpg1 .................................................... [gen-acls, no-auth]
  |     o- acls ............................................................ [ACLs: 0]
  |     o- luns ............................................................ [LUNs: 1]
  |     | o- lun0 ...................................... [block/iscsidisk1 (/dev/vdb)]
  |     o- portals ...................................................... [Portals: 1]
  |       o- 192.168.122.102:3260 ............................................... [OK]
  o- loopback ........................................................... [Targets: 0]
/>
TOM
targetcli For target administration; package targetcli. Run saveconfig inside targetcli to save the configuration.
iscsiadm For initiator administration; package iscsi-initiator-utils.
iscsiadm -m discovery -t st -p 192.168.122.102 Locate available targets.
iscsiadm -m node -T iqn.2016-01.roggeware.nl.server2:iscsidisk1 -p 192.168.122.102 -l Login (-l) to target (-T) in node mode (-m) at portal (-p).
iscsiadm -m session Show active sessions.
systemctl enable iscsid
/etc/iscsi/iscsid.conf /var/lib/iscsi/
Chapter 20 Sharing File Storage with NFS
yum install nfs-utils
getsebool -a|grep nfs_export
setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1
firewall-cmd --add-service nfs
firewall-cmd --reload
firewall-cmd --list-services
systemctl enable rpcbind nfs-server
/etc/exports, e.g.: /common server2.example.com(rw,no_root_squash)
/etc/fstab entry on the client: server1.example.com:/common /nfsrhcemnt nfs _netdev,rw 0 0
/var/lib/nfs/etab /etc/sysconfig/nfs
exportfs -avr Export all shares listed in /etc/exports.
exportfs -u server2.example.com:/common Unexport a share.
man exports
nfsstat nfsiostat mountstats
Chapter 21 Sharing File Storage with Samba
Server Message Block (SMB) is now widely known as the Common Internet File System (CIFS). The Samba daemon smbd uses TCP port 445.
Samba Commands
mount Mounts a Samba share. Adds an entry to /etc/mtab.
mount.cifs Mounts a Samba share on the client.
pdbedit Maintains a local user database in /var/lib/samba/private/smbpasswd on the server.
smbclient Connects to a Samba share to perform FTP-like operations.
smbpasswd Changes Samba user passwords.
testparm Tests the syntax of the smb.conf file.
umount Unmounts a share.
smbclient -L //server1/common -U user10
Samba Configuration and functional files
/etc/samba/smb.conf Samba server configuration file.
/etc/samba/smbusers Maintains Samba and Linux user mappings.
/etc/sysconfig/samba Contains directives used at Samba startup.
/var/lib/samba/private/smbpasswd Maintains Samba user passwords.
/var/log/samba Directory location for Samba logs.
Samba Software Packages
samba Provides the Samba server support.
samba-client Includes utilities for performing various operations on server and client.
samba-common Provides Samba man pages, commands and configuration files.
samba-libs Contains library routines used by Samba server and client.
cifs-utils Client-side utilities for mounting and managing CIFS shares.
SELinux Requirements for Samba Operation
....
Chapter 22 Hosting Websites with Apache
Apache Commands
apachectl Starts, stops and checks the status of the httpd process. systemctl may also be used.
htpasswd Creates and updates files that store usernames and passwords for basic authentication of Apache users.
httpd Server program for the Apache web service.
-t Verify the configuration file syntax.
-D DUMP_VHOSTS Dump the virtual host configuration.
Apache Configuration Files
/etc/httpd Default directory for all configuration files.
/run/httpd Runtime information.
/usr/lib64/httpd/modules Additional Apache modules.
/var/log/httpd Apache log files.
/usr/share/doc/httpd-2.4.6 Documentation.
Apache Software Packages
httpd
httpd-manual HTML pages in /usr/share/httpd/manual, accessible with links or elinks.
httpd-tools
Configuring Apache Web Servers
system-config-selinux SELinux Configuration Tool
getsebool -a|grep httpd
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
firewall-cmd --permanent --add-port 8900/tcp
semanage fcontext -at httpd_sys_content_t "/var/vhost2(/.*)?"
restorecon -Rv /var/vhost2
elinks http://localhost
Understanding and Configuring Apache Web Servers over SSL/TLS
CA Certificate Authority. CSR Certificate Signing Request.
OpenSSL logfiles are in /etc/httpd/logs which is a symbolic link to /var/log/httpd/
Software Packages
mod_ssl openssl
Commands
openssl list-standard-commands
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out server1.example.com.key Generate a private key.
openssl req -new -key server1.example.com.key -out server1.example.com.csr Generate a certificate signing request.
openssl x509 -req -days 120 -signkey server1.example.com.key -in server1.example.com.csr -out server1.example.com.crt Create a self-signed certificate.
openssl s_client -connect localhost:443 -state
httpd -D DUMP_VHOSTS
restorecon -Rv /var/www/html
firewall-cmd --permanent --add-service https
Files
/etc/httpd/conf.d/ssl.conf Installed by package mod_ssl.
/etc/pki/tls/certs Default location for certificates.
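Added example (not from the book or these notes) that runs the three openssl steps above (key, CSR, self-signed certificate) in a directory of your choice and then performs the checks worth doing before pointing ssl.conf at the files: the certificate parses, its CN is the server's FQDN, and its public key really belongs to the private key next to it. The hostname and output directory are parameters; -subj is used so the CSR step needs no interactive input. Function names are my own.

```bash
#!/bin/bash
# make_selfsigned <fqdn> <outdir> [days]: key, CSR and self-signed cert named after the FQDN.
make_selfsigned() {
    local fqdn="$1" dir="$2" days="${3:-120}"
    mkdir -p "$dir"
    # 2048-bit RSA private key (genpkey is the modern form of genrsa)
    openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$fqdn.key" 2>/dev/null || return 1
    chmod 600 "$dir/$fqdn.key"                 # private key must not be world-readable
    # CSR with the hostname clients will use as the CN
    openssl req -new -key "$dir/$fqdn.key" -subj "/CN=$fqdn" \
        -out "$dir/$fqdn.csr" 2>/dev/null || return 1
    # Self-sign the CSR; a CA would perform this step for a real deployment
    openssl x509 -req -days "$days" -signkey "$dir/$fqdn.key" \
        -in "$dir/$fqdn.csr" -out "$dir/$fqdn.crt" 2>/dev/null || return 1
}

# cert_cn <crt>: print the CN from the certificate subject (RFC2253 form is stable across versions)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert <key> <crt>: 0 when the public key in the cert equals the private key's public half
key_matches_cert() {
    local k c
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" || return 1
    [ "$k" = "$c" ]
}

# Typical use (as root, matching the file names used in the notes):
#   make_selfsigned server1.example.com /etc/pki/tls/certs && \
#   key_matches_cert /etc/pki/tls/certs/server1.example.com.key /etc/pki/tls/certs/server1.example.com.crt
```

A key/cert mismatch is the usual cause of httpd refusing to start after an SSL change, so key_matches_cert is the first thing to run when ssl.conf points at a newly copied pair.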
Chapter 23 Sending and Receiving Electronic Mail
MUA Mail User Agent. MSA Mail Submission Agent. MTA Mail transport Agent. MDA Mail Delivery Agent
POP Post Office Protocol. IMAP Internet Message Access Protocol.
Postfix daemons
master, nqmgr, pickup, smtpd
Postfix Commands
alternatives Displays and sets the default MTA.
--set mta
--display mta
mail/mailx Sends and receives email.
postalias/newaliases Processes the alias database (/etc/aliases by default).
postconf Displays and modifies the Postfix configuration stored in the main.cf file.
-d Display default settings.
-n Display settings defined in main.cf.
postfix Controls operation of Postfix services, including start, stop, health, and reload config.
check Check main.cf for syntax errors.
postmap Processes and converts some configuration files into Postfix-compatible databases.
postqueue/mailq Lists and controls Postfix queue.
Files
/etc/postfix Postfix directory with configuration files.
/etc/postfix/access Establishes access control based on email address, host, domain or network address. See man 5 access.
/etc/postfix/access.db Run postmap /etc/postfix/access to update this database.
/etc/postfix/canonical Run postmap /etc/postfix/canonical to update this database. See man 5 canonical.
/etc/postfix/generic Establishes mappings for local and non-local mail addresses. Syntax identical to canonical.
/etc/postfix/main.cf /etc/postfix/master.cf /etc/postfix/relocated /etc/postfix/transport /etc/postfix/virtual
/etc/aliases
/var/lib/postfix /var/log/maillog
/var/spool/postfix /var/spool/mail
Managing Postfix
SELinux requirements for Postfix operation
ps -eZ|grep postfix
ls -lZd /etc/postfix /var/lib/postfix /var/spool/postfix
semanage port -l|grep smtp
getsebool -a|grep postfix
Packages
postfix
Configuring DNS
Determining the IP address of a hostname is referred to as forward name resolution, or simply name resolution; determining the hostname associated with an IP address is referred to as reverse name resolution.
DNS Name Space and Domains
The DNS name space is a hierarchical organization of all the domains on the internet. The root of the name space is represented by a dot. The hierarchy right below the root consists of top-level domains (TLDs), which are either generic, such as .com, .net, .org and .gov (referred to as gTLDs), or specific to a two-letter country code, such as .ca and .uk (referred to as ccTLDs). Sub-domains fall under domains, and the levels are separated by dots.
BIND Software Packages and Service Daemon
bind Provides software to configure a DNS server.
bind-libs Contains library files for the bind and bind-utils packages.
bind-utils Comprises resolver tools, such as dig, host and nslookup.
The named daemon listens on well-known port 53 and supports both TCP and UDP for operation. See /usr/share/doc/bind for example named configuration files.
DNS Commands
systemctl enable named
systemctl start named
named-checkconf Check named.conf for syntax errors.
Files
/etc/named.conf Primary configuration file.
/etc/named.rfc1912.zones Default zone definitions.
/usr/share/doc/bind Example configuration files.
/var/log/messages
/var/named/ Zone files.
SELinux requirements
ps -eZ|grep named Shows domain type named_t.
semanage port -l|grep dns
getsebool -a|grep ^named
Chapter 25 Managing MariaDB
Packages
mariadb Provides MariaDB client programs and a configuration file.
mariadb-server Contains the MariaDB server, tools, and configuration and log files.
mariadb-libs Comprises essential library files for MariaDB client programs.
The MariaDB server package also installs the mysqld daemon binary. This daemon process listens on port 3306 and supports both TCP and UDP for operation. It must run on the system to allow client access.
MariaDB Commands
mysql Command line shell interface for administration and queries.
mysql_secure_installation Improves the security of a MariaDB installation.
mysqldump Backs up or restores one or more tables or databases.
MariaDB Configuration Files
/etc/my.cnf Global defaults. Primary configuration file.
/etc/my.cnf.d/ Directory for configuration files.
/etc/my.cnf.d/client.cnf
/etc/my.cnf.d/mysql-clients.cnf
/etc/my.cnf.d/server.cnf
/var/log/mariadb/mariadb.log
SELinux Requirements for MariaDB Operation
By default the mysqld daemon runs confined in its own domain with domain-type mysqld_t.
ps -eZ|grep mysqld --> system_u:system_r:mysqld_t:s0 5245 ? 00:06:00 mysqld
The SELinux file type of the mysqld daemon binary is mysqld_exec_t, of the configuration files in /etc/my.cnf.d is mysqld_etc_t, of the database files in /var/lib/mysql is mysqld_db_t, and of the log files in /var/log/mariadb is mysqld_log_t, as the ll -dZ output below shows.
ll -dZ /usr/libexec/mysqld /etc/my.cnf.d /var/lib/mysql /var/log/mariadb
drwxr-xr-x. root root system_u:object_r:mysqld_etc_t:s0 /etc/my.cnf.d
-rwxr-xr-x. root root system_u:object_r:mysqld_exec_t:s0 /usr/libexec/mysqld
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql
drwxr-x---. mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mariadb
semanage port -l|grep mysql
mysqld_port_t tcp 1186, 3306, 63132-63164
getsebool -a|grep mysql
mysql_connect_any --> off
selinuxuser_mysql_connect_enabled --> off
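A small checker for the labels listed above, added here as an example and not taken from the book: it parses ll -dZ style output and reports any MariaDB path whose SELinux type differs from the expected one (the sample output is constructed, with the log directory deliberately mislabelled to show a detection).

```python
"""Check SELinux labels on MariaDB paths against the expected types."""
import re

# Expected SELinux file types for MariaDB, taken from the ll -dZ output above.
EXPECTED_TYPES = {
    "/usr/libexec/mysqld": "mysqld_exec_t",
    "/etc/my.cnf.d": "mysqld_etc_t",
    "/var/lib/mysql": "mysqld_db_t",
    "/var/log/mariadb": "mysqld_log_t",
}

# One line of `ls -dZ` output: mode, owner, group, context, path.
LS_Z_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+(?P<ctx>\S+)\s+(?P<path>/\S+)$")


def parse_ls_z(output):
    """Return {path: selinux_type} parsed from `ls -dZ` output lines."""
    labels = {}
    for line in output.splitlines():
        m = LS_Z_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines without a context
        # A context is user:role:type:level; only the type matters here.
        _user, _role, type_, *_level = m.group("ctx").split(":")
        labels[m.group("path")] = type_
    return labels


def find_mislabeled(labels, expected=EXPECTED_TYPES):
    """Return {path: (found, expected)} for paths whose type is wrong or missing."""
    problems = {}
    for path, want in expected.items():
        got = labels.get(path)
        if got != want:
            problems[path] = (got, want)
    return problems


# Constructed sample: the first three lines match the book's output, the last
# one was deliberately mislabelled (as after copying a directory with cp).
SAMPLE = """\
-rwxr-xr-x. root root system_u:object_r:mysqld_exec_t:s0 /usr/libexec/mysqld
drwxr-xr-x. root root system_u:object_r:mysqld_etc_t:s0 /etc/my.cnf.d
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql
drwxr-x---. mysql mysql unconfined_u:object_r:var_log_t:s0 /var/log/mariadb
"""

if __name__ == "__main__":
    for path, (got, want) in find_mislabeled(parse_ls_z(SAMPLE)).items():
        print(f"{path}: found {got}, expected {want} -> restorecon -Rv {path}")
```

On a real system feed it the output of ll -dZ on the four paths; a reported path is a candidate for restorecon -Rv.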
Install MariaDB
yum install mariadb-server
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
firewall-cmd --permanent --add-service mysql; firewall-cmd --reload
Start the MariaDB Shell and Understand its Usage
mysql -u root -p Start the MariaDB shell.
help
status
Subcommands for Database and Table Operations
create, drop, show, delete, describe, insert, rename, select, update
show databases; create database database; use database;
create table scientists(Sno int,FirstName varchar(20), LastName varchar(20), City varchar(20),Country varchar(20),Age int);
describe scientists;
insert into scientists values('1','Albert','Einstein','Ulm','Germany','76');
select * from scientists where FirstName='Albert';
select * from scientists where Age>77;
select * from scientists where Country='Poland' or Country='Germany';
select * from scientists order by FirstName;
select * from scientists order by LastName desc;
select * from scientists where Country like 'U%';
select * from scientists where Age like '7%';
rename table scientists to science;
update science set FirstName='Benjamin',LastName='Franklin' where Sno='1';
delete from science where Sno='1' or Sno='7';
Backing Up and Restoring a Database or Table
mysqldump -u root -p --all-databases >db.all.sql Back up all databases.
mysqldump -u root -p rhce1 >db.rhce1.sql Back up a specific database.
mysql: create database rhce1; Create the database to be restored (if it does not exist).
mysql -u root -p rhce1 <db.all.sql Restore a specific database.
mysqldump -u root -p DB1 tbl1 tbl2 >db.tbl12.sql Back up specific tables.
mysql -u root -p DB1 tbl1 <db.tbl12.sql Restore a specific table.