YUM
  yum repo file: create the file and use a gpg key
  yum install --nogpgcheck <package>

SYSCTL
  sysctl -w <key>=<value>  (writes a value to memory only)
  echo "<key> = <value>" >> /etc/sysctl.conf
  sysctl -p  (reread /etc/sysctl.conf and make it active)

CRYPT
  LUKS

CREATE A VIRTUAL INTERFACE
  /etc/sysconfig/network-scripts/ifcfg-eth0:0
    IPADDR=10.1.1.1
    NETMASK=255.255.255.0
    ONPARENT=yes

PARTITIONS
  partx -a /dev/<disk>  (discover disk partition changes after using fdisk)
  encfs  (look up for userspace encrypted filesystem)

ISCSI
  iscsiadm -m discovery -t sendtargets -p <portal>  (-t specifies the iscsi discovery method, here send targets)
  iscsiadm -m node -T <iqn> -p <portal> -l  (log in to an iscsi target)
  Mount at boot, vi /etc/fstab:
    UUID=<uuid> <mount-point> ext4 _netdev 1 2
  ls -l /dev/disk/by-path/*iscsi*  (find the path)
  iscsiadm -m node -T <iqn> -p <portal> -u  (log out of the IQN lun)
  iscsiadm -m node -T <iqn> -p <portal> -o delete

LVM
  create the partition to be used, /dev/vda3, and make sure the partition type is 8e Linux LVM
  pvcreate /dev/vda3
  vgcreate <vgname> /dev/vda3
  lvcreate -n <lvname> -L 256M <vgname>

EXTEND AN LVM
  lvextend -l +32 /dev/<vgname>/<lvname>
  resize2fs -p /dev/<vgname>/<lvname>

REDUCE A FILESYSTEM
  umount <fs>
  fsck -f /dev/mapper/<vgname-lvname>
  resize2fs -p /dev/mapper/vgname-lvname 512M
  lvreduce -L 512M /dev/mapper/<vgname-lvname>
  mount -a

EXTEND A VG
  add a partition to the VG to add to the total space
  vgextend <vgname> /dev/vda5

MOVE AND MIGRATE
  pvmove /dev/vda3  (evacuates the physical extents; /dev/vda3 is the disk to move data off of)

REMOVE DISK FROM VG
  vgreduce <vgname> /dev/vda3  (removes /dev/vda3 from the VG)

SET PASSWORD/USER POLICY
  chage

SET ACLS
  setfacl -m u:bob:rw filename  (adds permissions)
  setfacl -x u:bob filename  (removes bob's ACL entry)
  setfacl -m g:group1:rw directoryname  (applies to access to the directory)
  setfacl -m d:g:group1:rw directoryname  (default ACL, applies to new files within the directory)

LDAP CLIENT
  yum groupinstall "directory client"
  system-config-authentication  (fill in the info and save; the sssd service should start)
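A guarded form of the REDUCE A FILESYSTEM steps above, added here as an example and not part of the original notes: it reads the used size from df and refuses to shrink below it, a check lvreduce itself does not make. It assumes an ext4 filesystem, VG/LV names without hyphens, and a 10% headroom rule of thumb.

```shell
# Added example (not from the original notes): REDUCE A FILESYSTEM with a
# size check first. lvreduce below the data already on the filesystem
# destroys it. Sizes take the K/M/G suffixes lvreduce and resize2fs use.

# to_kib SIZE: print SIZE in KiB, e.g. "512M" -> 524288
to_kib() {
    num=${1%[KkMmGg]}
    unit=${1#"$num"}
    case $num in ''|*[!0-9]*) echo "bad size: $1" >&2; return 1 ;; esac
    case $unit in
        K|k|'') echo "$num" ;;
        M|m)    echo $((num * 1024)) ;;
        G|g)    echo $((num * 1024 * 1024)) ;;
    esac
}

# Field extractors for one data line of "df -k" output, e.g. (constructed):
#   /dev/mapper/vgname-lvname  1032088  412340  567320  43% /data
used_kib_from_df()  { set -- $1; echo "$3"; }
mountpoint_from_df() { set -- $1; echo "$6"; }

# can_shrink USED_KIB TARGET: true if TARGET leaves ~10% headroom over the
# used blocks (assumed rule of thumb for fs metadata and growth)
can_shrink() {
    target=$(to_kib "$2") || return 1
    [ "$target" -gt $(($1 + $1 / 10)) ]
}

# shrink_lv VG LV NEWSIZE: the cheat-sheet sequence in the correct order,
# refusing to proceed when the filesystem would not fit.
# Assumes ext4 and that VG/LV names contain no hyphens (lvreduce prompts).
shrink_lv() {
    dev=/dev/mapper/$1-$2
    line=$(df -k "$dev" | sed -n 2p)
    [ -n "$line" ] || return 1
    used=$(used_kib_from_df "$line")
    mnt=$(mountpoint_from_df "$line")
    if ! can_shrink "$used" "$3"; then
        echo "refusing: $used KiB in use on $dev, target $3 too small" >&2
        return 1
    fi
    umount "$mnt" &&
    fsck -f "$dev" &&
    resize2fs -p "$dev" "$3" &&
    lvreduce -L "$3" "$dev" &&
    mount -a
}
```

shrink_lv vgname lvname 512M runs the real commands; the size and df helpers can be tried on their own without touching any volume.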
AUTOFS
  showmount -e <server>  (displays the available auto mount directories on the server)
  getent passwd <user>  (shows the home directory for the user)
  cat /etc/auto.master
    /home/guests /etc/auto.guests
  cat /etc/auto.guests  (this will work for only ldapuser1)
    ldapuser1 -rw instructor.example.com:/home/guests/ldapuser1
  service autofs reload
  OR
  cat /etc/auto.master
    /home/guests /etc/auto.guests
  cat /etc/auto.guests  (this will work for all users logging in that exist)
    * -rw,soft,intr,vers=3 instructor.example.com:/home/guests/&

BOOT MANAGEMENT
  cat /proc/cmdline  (shows what was executed during the boot process from grub)
  /etc/inittab  (what runlevel to boot to)
  /boot/grub/grub.conf  (what kernel/initrd to use)
  Add init=/bin/bash to the kernel line  (to get a shell before single-user mode)

BOOT PROBLEMS
  Check the syntax of /etc/fstab, /etc/inittab and /boot/grub/menu.lst
  mount -o remount,rw /  (in maintenance mode, remount / as rw)

CREATE REPO FILE
  [reponame]
  name=This is a text description of the repo
  baseurl=ftp://instructor.example.com/pub/rhel6/Errata
  gpgcheck=0
  enabled=0  (to disable the repo)
  gpgkey=

SELINUX
  ps -efZ  (show context of running processes)
  ls -alZ  (show context)
  semanage fcontext -l  (show contexts and locations)
  semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"  (set this context on everything below /web)
  restorecon -R -v /web
  OR
  semanage fcontext -a -e /var/www/html /web  (copy the context from /var/www/html and set it for /web)
  restorecon -R -v /web  (applies the contexts recursively in /web)
  **check /var/log/messages for the denial reason and run sealert -l <id> for the fix
  **detailed selinux log: /var/log/audit/audit.log  (nearly useless, but maybe helpful)
  man -k _selinux  (finds all manpages for service related selinux)
  getsebool -a  (list all booleans)
  setsebool -P <boolean> on|off  (set a boolean persistently)
  semanage boolean -l  (list booleans with descriptions)
  yum install setroubleshoot-server
  sealert -a /var/log/audit/audit.log  (generates a report off of everything found in the log)

IPTABLES
  iptables -nL  (show running firewall)
  iptables -F  (flush running firewall config)
  cat /etc/sysconfig/iptables  (persistent file)
  iptables-save > /etc/sysconfig/iptables  (save runtime config to the persistent file)
  system-config-firewall

NTP
  vi /etc/ntp.conf
  service ntpd restart
  ntpq -p  (test NTP peers)

SYSLOG
  /etc/rsyslog.conf (client side)
  syntax: <facility>.<critical_level> <location>  (* means all; * as the location means all open ttys)
  e.g. mail.* /var/log/maillog
  e.g. *.info;mail.none;authpriv.none;cron.none /var/log/messages
  e.g. *.crit @192.168.0.254  (udp = @, tcp = @@)
  e.g. *.=crit @192.168.0.254  (=crit says only the crit level; udp = @, tcp = @@)
  **critical levels are that level and all levels higher
  service rsyslog restart  (restarting the rsyslog service)
  logger -p crit 'this is a test'
  /etc/rsyslog.conf (server side): uncomment the modload lines for tcp and udp receiving

APACHE
  /etc/httpd/conf/httpd.conf  (create virtual hosts, no worry about ssl)
  semanage fcontext -a -e /var/www /www3
  restorecon -RFvv /www3

POSTFIX
  /etc/postfix/main.cf
    inet_interfaces = all  (this allows sending and receiving on all interfaces)
  service postfix restart

NFS
  Server-side
  /etc/exports  (file to contain exported mount points)
    /exports 192.168.1.0/24(rw,no_root_squash) 127.0.0.1(rw,sync)
  service nfs start
  chkconfig nfs on
  exportfs -a  (export all)
  exportfs -r  (reexport all)
  exportfs -v  (list exports)
  **Use semanage fcontext to set public_content_rw_t
  **requires the nfs and netfs services to be enabled
  Client-side
  /etc/fstab
    server:/exports /mount-point nfs defaults,soft,intr,vers=3 0 0

CIFS/SAMBA
  Server-side
  /etc/samba/smb.conf
    hosts allow = 192.168.1.1 192.168.0.
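The SYSLOG selector rules above ("that level and all levels higher", "=crit" for one level, "mail.none" to exclude a facility) worked through as an added example, not part of the original notes: the functions answer whether a given facility/severity message would be caught by a /etc/rsyslog.conf selector line, including the semicolon lists from the examples.

```shell
# Added example (not from the original notes): which messages a rsyslog
# selector catches. Facility lists with commas are not handled here.
LEVELS="debug info notice warning err crit alert emerg"   # lowest to highest

# matched_levels PRIORITY: print the severities a selector priority matches
matched_levels() {
    pri=$1 exact=0
    case $pri in
        '*')  echo "$LEVELS"; return 0 ;;   # every level
        none) echo ""; return 0 ;;          # excludes the facility entirely
        =*)   pri=${pri#=}; exact=1 ;;      # "=crit": that level only
    esac
    # aliases rsyslog accepts for the standard severity names
    case $pri in warn) pri=warning ;; error) pri=err ;; panic) pri=emerg ;; esac
    out='' seen=0
    for lvl in $LEVELS; do
        [ "$lvl" = "$pri" ] && seen=1
        if [ "$seen" -eq 1 ]; then
            out="$out${out:+ }$lvl"          # this level and all higher ones
            [ "$exact" -eq 1 ] && break
        fi
    done
    [ "$seen" -eq 1 ] || { echo "unknown priority: $1" >&2; return 1; }
    echo "$out"
}

# matches_rule SELECTORS FACILITY SEVERITY: true if a line such as
# "*.info;mail.none;authpriv.none;cron.none" would log the message.
# Later selectors in the ';' list override earlier ones, as in rsyslog.
matches_rule() {
    rest=$1 result=1
    while [ -n "$rest" ]; do
        sel=${rest%%;*}
        if [ "$sel" = "$rest" ]; then rest=""; else rest=${rest#*;}; fi
        fac=${sel%%.*} pri=${sel#*.}
        if [ "$fac" = '*' ] || [ "$fac" = "$2" ]; then
            result=1
            for lvl in $(matched_levels "$pri"); do
                [ "$lvl" = "$3" ] && result=0
            done
        fi
    done
    return "$result"
}
```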
  ** there is sebool info in /etc/samba/smb.conf  (samba_enable_home_dirs 1 AND use_samba_home_dirs 1)
  ** if you don't want a Unix login for your samba user, use useradd -s /sbin/nologin <user> before running smbpasswd -a <user>
  yum install samba
  chkconfig smb on
  service smb start
  Client-side
  /etc/fstab
    //server/share /mount-point cifs credentials=/etc/filename 0 0
  mount //server/sharename /mount-point -o user=bill

FTP
  Server-side
  /etc/vsftpd/vsftpd.conf, change the following for anon upload:
    anon_upload_enable=YES
    chown_uploads=YES
    chown_username=daemon
    anon_umask=077
  **Allow ftp through iptables
  /etc/sysconfig/iptables-config
    IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
  /etc/sysconfig/iptables
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

SSH
  vi /etc/ssh/sshd_config
    AllowUsers <user>  (allows only the particular users listed)
    DenyUsers <user>  (allows all users but the ones listed)
  ssh-copy-id root@server3.example.com  (copy the ssh key to the destination host)