Short Notes – RH134

—- Improve Command Line Productivity —-

  • if the same sequence of commands is run every day, write a shell script to automate it

— introduction to shell —

shell?

  • it wraps the kernel, hence the name: a layer that takes commands from the user and hands them to the kernel/OS
  • the command line interface is one kind of shell

echo $0

  • shows the current shell type

cat /etc/shells

  • list available shells

cat /etc/passwd

  • the last field of each line is that user's login shell
  • a shell need not be text based: the Windows GUI is a shell, Linux KDE is a shell
  • sh, bash etc. are the Linux command line shells

— Shell Scripting —

#!/bin/bash

  • always declare the interpreter on the first line (the shebang); without it the script runs in whatever shell called it
  • the script needs execute permission (set with chmod)
  • the current directory is not in $PATH, so the script is run by path: either the absolute path
    (/home/user/script.bash)
  • or ./script.bash if it is in the current directory

— Shell script – Basic scripts —

echo

filters/text processors:
cut
awk
grep
sort
uniq
wc

— input/output —
read
echo

— if-then script —

count=100
if [ "$count" -eq 100 ]    # the space before ] is required, [ is a command
then
    echo "count is 100"
else
    echo "count is not 100"
fi

if [ -e /path/of/a/file.txt ]
then
    echo "The file is Available!"
else
    echo "No file has been found."
fi

— FOR loop scripts —

for i in 1 2 3 4 5
do
    echo "Welcome $i Times"
done

for i in eat run jump play
do
echo See Donkey
done

grep means global regular expression print

grep username /etc/passwd
cat /etc/passwd | grep username

grep -c username /etc/passwd

  • -c counts the matching lines instead of printing them

grep -i

  • -i ignores case

grep -n

  • -n prefixes each matching line with its line number in the file

grep -vi

  • -v inverts the match: shows the lines that do not contain the word (here combined with -i)

cat /etc/passwd | awk -F: '{print $1}'

  • print only the first column of the output; /etc/passwd is colon separated, so -F: sets the field separator (the default is whitespace)

cat /etc/passwd | awk -F: '{print $1}' | cut -c1-3

  • print only the first 3 characters of each line

egrep

  • extended regular expressions, e.g. to search for two words at once (egrep is the old name for grep -E)

cat /etc/passwd | egrep -i "username1|username2"

  • matches lines containing either of the two words
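A worked example added to these notes (not from the course or the original page): the filters above combined into a script that audits a passwd-format file for two things an administrator actually looks for, accounts that can log in interactively and accounts that share UID 0 with root. The passwd content is constructed inline so the script runs offline; on a real host replace SAMPLE_PASSWD with "$(cat /etc/passwd)".

```shell
#!/bin/bash
# Added example, not from the original notes. Audits passwd-format content
# with grep/awk, the same filters used in the section above.

# Constructed sample (not a real system file). "backup" is a planted
# second UID 0 account, the kind of thing this check is meant to find.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
shanuka:x:1000:1000:Shanuka:/home/shanuka:/bin/bash
backup:x:0:1001:backup op:/home/backup:/bin/sh
svc:x:1002:1002::/opt/svc:/sbin/nologin'

# Usernames (field 1) of accounts whose shell is not nologin/false, i.e.
# accounts that can log in. /etc/passwd is colon separated, hence -F:.
login_accounts() {            # $1 = passwd content
    printf '%s\n' "$1" | grep -Ev ':(/sbin/nologin|/usr/sbin/nologin|/bin/false)$' \
        | awk -F: '{print $1}'
}

# Accounts with UID 0 (field 3) other than root: any hit is a backdoor candidate.
extra_uid0_accounts() {       # $1 = passwd content
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" {print $1}'
}

# Number of accounts using a given shell (same job as grep -c).
count_shell() {               # $1 = passwd content, $2 = shell path
    printf '%s\n' "$1" | grep -c ":$2\$"
}

# Report in the style of the if/for scripts above.
report() {                    # $1 = passwd content
    local u bad
    for u in $(login_accounts "$1"); do
        echo "login shell: $u"
    done
    bad=$(extra_uid0_accounts "$1")
    if [ -n "$bad" ]; then
        echo "WARNING: non-root UID 0 account(s): $bad"
    else
        echo "no extra UID 0 accounts"
    fi
}

report "$SAMPLE_PASSWD"
```

The shell filter is deliberately a denylist of the common nologin shells; a hardened variant would instead compare field 7 against /etc/shells, which is exactly what cat /etc/shells above lists.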

—– Scheduling future Linux tasks —–

crontab
at

at is for one-time (ad-hoc) jobs; crontab is for recurring ones

crontab -e

  • to edit the crontab

crontab -l

  • view the crontab entries

22 13 * * * echo "First Cron Entry" > crontab-entry

  • five time fields, then the command: minute hour day-of-month month day-of-week (there is no year field)
  • * means every
  • this entry runs at 13:22 every day; the output file is created relative to the user's home directory
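Added example, not part of the original notes: a shell function that checks a crontab line for the five time fields and their ranges before it is pasted into crontab -e. A four-field line is the mistake it catches: cron would read the first word of the command as the day-of-week field. The check covers numbers, ranges, lists and steps; month/day names and @daily-style shortcuts are out of scope for it.

```shell
#!/bin/bash
# Added example, not from the original notes. Validates crontab lines:
# five time fields (minute hour day-of-month month day-of-week) + command.

# $1 is N or N-M; every number must lie within $2..$3.
in_range() {
    local v="$1" lo="$2" hi="$3" n
    while [ -n "$v" ]; do
        n=${v%%-*}
        case $v in *-*) v=${v#*-} ;; *) v= ;; esac
        case $n in ''|*[!0-9]*) return 1 ;; esac      # must be a number
        [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ] || return 1
    done
    return 0
}

# Is $1 a valid time field for the range $2..$3?
# Accepts *, N, N-M, comma lists and /step suffixes. Names (mon, jan) are
# assumed out of scope and are rejected.
valid_field() {
    local rest="$1" lo="$2" hi="$3" item base step
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        item=${rest%%,*}                               # next comma-separated item
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        base=${item%%/*}                               # part before an optional /step
        case $item in */*) step=${item#*/} ;; *) step=1 ;; esac
        case $step in ''|*[!0-9]*) return 1 ;; esac
        [ "$step" -ge 1 ] || return 1
        case $base in
            '*') ;;                                    # wildcard
            *) in_range "$base" "$lo" "$hi" || return 1 ;;
        esac
    done
    return 0
}

# Validate a whole crontab line. Prints the command part on success,
# an error on stderr and exit status 1 on failure.
valid_cron_line() {
    local line="$1" min hour dom mon dow cmd
    case $line in
        ''|\#*) return 0 ;;                            # cron ignores blanks and comments
    esac
    read -r min hour dom mon dow cmd <<EOF
$line
EOF
    [ -n "$cmd" ] || { echo "error: need 5 time fields and a command" >&2; return 1; }
    valid_field "$min"  0 59 || { echo "error: bad minute '$min'" >&2;       return 1; }
    valid_field "$hour" 0 23 || { echo "error: bad hour '$hour'" >&2;        return 1; }
    valid_field "$dom"  1 31 || { echo "error: bad day-of-month '$dom'" >&2; return 1; }
    valid_field "$mon"  1 12 || { echo "error: bad month '$mon'" >&2;        return 1; }
    valid_field "$dow"  0 7  || { echo "error: bad day-of-week '$dow'" >&2;  return 1; }
    echo "$cmd"
}

# Demo: the corrected entry, the original four-field mistake, and a stepped schedule.
for line in '22 13 * * * echo "First Cron Entry" > crontab-entry' \
            '22 13 * * echo "First Cron Entry" > crontab-entry' \
            '*/15 * * * 1-5 /usr/local/bin/backup.sh'; do
    if cmd=$(valid_cron_line "$line"); then
        echo "OK   $line  ->  runs: $cmd"
    else
        echo "FAIL $line"
    fi
done
```

Both 0 and 7 are accepted for Sunday in the day-of-week field, as cron does.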

—– Tune system performance —–

  • optimize system performance by selecting a tuning profile managed by the tuned daemon
  • prioritize or de-prioritize specific processes with the nice and renice commands

tuned?

  • comes with predefined profiles and settings
  • tune is for system tuning and d for daemon

tuned-adm

  • command to view and change the settings of the tuned daemon

tuned-adm active

  • to check which profile is active

tuned-adm list

  • to list the available profiles

tuned-adm profile profile-name

  • to change to the desired profile

tuned-adm recommend

  • to check the tuned recommendation

tuned-adm off

  • turns off all tuning: no profile is active until one is selected again

—- nice and renice —-

  • priority can be set at 40 different levels
  • nice values range from -20 (highest priority) to 19 (lowest priority); by default a process inherits the nice value of its parent, usually 0
  • kernel priorities are 0 to 139: 0 to 99 for real-time scheduling, 100 to 139 for normal processes (the nice range maps onto 100 to 139)
  • process priority can be viewed with ps and the right options
    ps axo pid,comm,nice,cls --sort=nice
  • to start a process with a given nice value
    nice -n # process-name
    nice -n -15 top
  • only root can use negative values (raise priority); an unprivileged user can only make their own processes nicer

renice -n # PID
renice -n 12 PID

  • renice changes the nice value of an already running process, addressed by PID; the same root restriction applies when lowering the value

—- ACL – Access Control Lists —-

setfacl
getfacl

  • to add permission for a user
    setfacl -m u:username:rwx /path/to/file
  • to add permission for a group
    setfacl -m g:groupname:rw /path/to/file
  • to apply an entry to everything already inside a directory (-R is recursive)
    setfacl -Rm "entry" /path/to/dir
  • -R does not affect files created later; for new files to inherit the entry, set a default ACL on the directory (d:u:username:rwx as the entry)
  • to remove a specific entry (one user)
    setfacl -x u:username /path/to/file
  • to remove all ACL entries
    setfacl -b /path/to/file
  • getfacl shows the entries, including the mask that caps the effective rights of named users and groups

— SELinux (Security Enhanced Linux) —

  • Linux kernel security module

DAC – Discretionary Access Control

  • example of DAC: ordinary file permissions (and ACLs); the owner of a file decides who may access it

SELinux (MAC) – Mandatory Access Control

  • the policy decides, and the owner of a file cannot override it; even a process running as root is confined to what its type is allowed to do

— SELinux Options —

Enforcing = policy is enforced and violations are logged (the default in RHEL)
Permissive = policy is not enforced but violations are still logged (useful for troubleshooting)
Disabled = policy is neither enforced nor logged

  • to check SELinux status
    sestatus
    getenforce
  • to switch mode until the next reboot (setenforce cannot switch to disabled)
    setenforce 0 (permissive)
    setenforce 1 (enforcing)

Modify /etc/selinux/config for a permanent setting (takes effect after a reboot):
SELINUX=enforcing
SELINUX=permissive
SELINUX=disabled

When going from disabled back to enforcing, create the file
/.autorelabel
before rebooting, so every file gets its label restored on the next boot (files written while SELinux was disabled have no valid labels).

— Two main concepts in SELinux —

Labeling
Type enforcement

ls -lZ /usr/sbin/httpd

  • to list the label (security context) of a file: user:role:type:level

ls -dZ /etc/httpd

  • to list the label of the directory itself (-d) rather than its contents

— Command to manage SELinux setting —

semanage --> manages the policy (labels and more); its subcommands:
login
user
port
interface
module
node
fcontext (file context)
boolean
permissive (permissive state)
dontaudit

— Boolean —

  • list all booleans
    getsebool -a
    semanage boolean -l
  • to enable a boolean (-P makes it persistent across reboots)
    setsebool -P boolean-name on
  • to check for SELinux denials (AVC messages)
    journalctl
  • to change the type in a label
    chcon -t httpd_sys_content_t FILENAME
  • chcon is temporary: a relabel (restorecon or autorelabel) reverts it; to make the change permanent record the rule in the policy and then apply it
    semanage fcontext -a -t httpd_sys_content_t FILENAME
    restorecon -v FILENAME

—- Storage —-

local storage
SAN (Storage Area Network)
NAS (Network Attached Storage)

— Disk Partition —

df -h
fdisk -l

— Adding disk and creating partition —

fdisk -l
fdisk /dev/sdb

m (help)
n (new partition), then w to write the partition table

lsblk

mkfs.xfs /dev/sdb1

  • the filesystem goes on the partition (/dev/sdb1), not the whole disk; mkfs without a type makes ext2, so name the type to match the fstab entry

mount /dev/sdb1 /data

df -h

vi /etc/fstab

/dev/sdb1 /data xfs defaults 0 0

  • device names can change between boots; UUID=... (from lsblk -f) is the safer first field

man fstab

umount /data

mount -a

  • mount -a mounts every entry in /etc/fstab; run it after editing the file to catch typos before a reboot, since a bad entry drops the system into emergency mode

—- Manage Logical Volume Management (LVM) —

  • Software based

PV – Physical Volume
VG – Volume Group
LV – Logical Volume

Add disk and create lvm partition

Layers, top to bottom:
    file system
    Logical Volumes (LV)
    Volume Group (VG)
    Physical Volumes: PV1 PV2 PV3
    Partitions: Part1 Part2 Part3
    Disks: HDD1 HDD2 HDD3

fdisk /dev/sdb
t (change the partition type)
L (list the type codes)
8e (Linux LVM), then w

pvcreate /dev/sdb1

pvdisplay

vgcreate vg-name /dev/sdb1
lvcreate -n lv-name --size 1G vg-name

mkfs.xfs /dev/vg-name/lv-name
mount /dev/vg-name/lv-name /mount-point

  • the LV is a block device like a partition: it needs a filesystem before it can be mounted

—- Extend a filesystem using LVM —-

if the filesystem sits on a logical volume it can be extended while mounted

fdisk -l

fdisk /dev/sdd
n
p
(accept the defaults for the size)

t
L
8e

p (print the table)
w (write it)

reboot (or partprobe, to make the kernel re-read the partition table without rebooting)

pvdisplay
pvs

vgdisplay

pvcreate /dev/sdd1
vgextend vg-name /dev/sdd1

lvextend -L +1024M /dev/vg-name/lv-name

xfs_growfs /mount/point

  • lvextend grows the volume, xfs_growfs (run on the mount point) grows the filesystem into the new space; lvextend -r does both in one step

—– Implement advanced storage features —–

  • next generation volume management solution named Stratis
  • not installed by default: install the packages and enable the daemon

yum install stratis-cli stratisd -y
systemctl enable stratisd
systemctl start stratisd

lsblk

stratis pool create pool-name /dev/sdb
stratis pool list

stratis pool add-data pool-name /dev/sdc
stratis pool list

stratis filesystem create pool-name fs1
stratis filesystem list

mount /dev/stratis/pool-name/fs1 /directory/to/mount
lsblk
df -h

stratis filesystem snapshot pool-name fs1 snap-name

stratis filesystem list

UUID="" /foldername xfs defaults,x-systemd.requires=stratisd.service 0 0

  • add this entry to /etc/fstab to mount at boot; fill in the UUID of the Stratis filesystem (lsblk -o NAME,UUID) and keep x-systemd.requires=stratisd.service (no space after the comma) so the mount waits for stratisd, otherwise the boot fails

—– Access network-attached storage (NFS and Samba) —–

— Network File System (NFS) —

Steps for NFS server configuration

  • install nfs packages
    yum install nfs-utils libnfsidmap

systemctl enable rpcbind
systemctl enable nfs-server
systemctl start rpcbind nfs-server rpc-statd nfs-idmapd

mkdir /folder-name
chmod a+rwx /folder-name

  • a+rwx makes the directory world-writable on the server as well; once the mount works, restrict it to the owner/group that actually needs access
  • modify /etc/exports (for only 1 host)
    /folder-name 192.168.1.12(rw,sync,no_root_squash)
  • no space between the client and the options: "host (opts)" is read as two entries, host with default options and * (everyone) with the listed options
  • no_root_squash lets root on the client act as root on the export; the default root_squash maps it to nobody, keep it unless the application needs otherwise
  • re-export everything in /etc/exports after editing it (-r re-export, -v verbose)
    exportfs -rv
  • each line is: directory client(options); the client can be an IP address, a network (192.168.1.0/24) or a hostname
  • * instead of an address exports to all hosts
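Added example, not from the original notes: a few awk one-liners wrapped as functions that lint an exports file for the three settings that most often make an NFS share public. The exports content is constructed here; on a server pass "$(cat /etc/exports)" instead.

```shell
#!/bin/bash
# Added example, not from the original notes. Lints /etc/exports content.

# Constructed sample (not a real file). Line 2 has the "host (opts)" space
# bug, line 3 exports to everyone, line 1 keeps client root as root.
SAMPLE_EXPORTS='/srv/share 192.168.1.12(rw,sync,no_root_squash)
/srv/pub 192.168.1.12 (rw,sync)
/srv/all *(rw)
/srv/ro 192.168.1.0/24(ro,sync)
# comment line
'

# Exports where whitespace separates a client from its option list. exportfs
# reads "host (opts)" as two clients: host with defaults and "*" with opts,
# so the options silently apply to every host.
exports_space_bug() {        # $1 = exports content
    printf '%s\n' "$1" | awk '!/^#/ && /[[:space:]][(]/ {print $1}'
}

# Exports reachable from every host: a client field that is "*", or a bare
# "(opts)" with no host in front of it (the default client is "*").
exports_world() {            # $1 = exports content
    printf '%s\n' "$1" | awk '!/^#/ { for (i = 2; i <= NF; i++) if ($i ~ /^[*(]/) { print $1; break } }'
}

# Exports that let the client's root stay root on the server.
exports_no_root_squash() {   # $1 = exports content
    printf '%s\n' "$1" | awk '!/^#/ && /no_root_squash/ {print $1}'
}

for check in exports_space_bug exports_world exports_no_root_squash; do
    echo "== $check"
    "$check" "$SAMPLE_EXPORTS"
done
```

exportfs -v also shows how each line was actually interpreted, which is the authoritative check after fixing the file.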

Steps for NFS client configuration

yum install nfs-utils libnfsidmap
systemctl start rpcbind

  • if the mount hangs, check whether a firewall is in the way (the nfs, rpc-bind and mountd services must be allowed on the server) rather than switching it off
    ps -ef | egrep "firewall|iptable"
  • show the exports offered by the NFS server
    showmount -e 192.168.1.100 (NFS server IP)
  • create a mount point
    mkdir /mnt/point
  • mount the nfs filesystem
    mount 192.168.1.100:/folder-name /mnt/point

df -h

  • to unmount
    umount /mnt/point

—— Samba ——

— Samba (SMB vs CIFS) — in practice the same thing

  • SMB (Server Message Block): the protocol, originally from IBM
  • CIFS (Common Internet File System): Microsoft's name for its SMB 1 dialect; the Linux kernel client is still called cifs

/etc/samba/smb.conf

  • configuration file

yum install samba samba-client samba-common
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

mkdir -p /samba/folder
chmod a+rwx /samba/folder
chown -R nobody:nobody /samba

sestatus
vi /etc/selinux/config

  • rather than disabling SELinux here, label the shared directory with the samba_share_t type (semanage fcontext, then restorecon) and keep enforcing mode
  • edit the smb config file
    /etc/samba/smb.conf

[global]
workgroup = WORKGROUP
netbios name = centos
security = user
map to guest = bad user
dns proxy = no

[Anonymous]
path = /samba/folder
browsable = yes
; writable = yes and read only = no are the same setting, one is enough
read only = no
guest ok = yes
guest only = yes

testparm

  • checks smb.conf for syntax errors and prints the effective settings
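For contrast with the [Anonymous] share above, an added example (not from the original notes) of the same directory shared to authenticated users only, with guest access off and SMB 1 and unencrypted sessions refused. The share name secure and the group sambashare are assumptions; the parameters are standard smb.conf options.

```ini
; Added example, not part of the original notes. Share name "secure" and
; group "sambashare" are assumed names.
[global]
workgroup = WORKGROUP
netbios name = centos
security = user
map to guest = never            ; unknown users are rejected, not mapped to guest
server min protocol = SMB3      ; refuse SMB1/2 clients
smb encrypt = required          ; refuse unencrypted sessions
dns proxy = no

[secure]
path = /samba/folder
browsable = yes
read only = no
guest ok = no                   ; the setting that made [Anonymous] anonymous
valid users = @sambashare       ; @ = Linux group
force group = sambashare
create mask = 0660
directory mask = 0770
```

Users must exist as Linux accounts and be given a Samba password with smbpasswd -a; the directory is then owned by root:sambashare with mode 2770 instead of the a+rwx / nobody:nobody combination above (assumed layout). With SELinux left enforcing, label it with semanage fcontext -a -t samba_share_t "/samba(/.*)?" followed by restorecon -Rv /samba, run testparm, and restart smb.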

systemctl enable smb
systemctl start smb
systemctl start nmb

— Samba client —
yum -y install cifs-utils samba-client
mkdir /mnt/sambashare
mount -t cifs //192.168.1.100/Anonymous /mnt/sambashare

  • to survive a reboot, add the share to /etc/fstab with type cifs; for an authenticated share keep the username and password in a root-only credentials file referenced by the credentials= option rather than in fstab itself

—— Control Boot Process ——

  • the boot sequence differs slightly between Linux distributions
  • systemd is the service manager that drives the boot process in RHEL 7 and later

BIOS/UEFI – Firmware
POST – Power on self test
MBR – Master boot record (or the EFI system partition on UEFI systems)
GRUB2 – Grand Unified Boot Loader v2, /boot/grub2/grub.cfg
Kernel – loads the required drivers from the initramfs (initrd.img)
systemd – reads /etc/systemd/system/default.target to bring the system to its target; targets replace the old SysV run levels (7 of them, 0 to 6)

systemctl poweroff
systemctl reboot

— selecting a system target —

  • to check the current target or run-level
    systemctl get-default
    who -r

systemctl list-dependencies graphical.target | grep target

  • shows the dependencies of the mentioned target

ls -al /lib/systemd/system/runlevel*

  • shows the runlevelN.target symlinks that map the old run levels onto systemd targets

systemctl set-default graphical.target

  • setting a default target

— Recover root password —

  • restart the computer
  • edit the GRUB entry
  • change the password
  • reboot

interrupt the GRUB countdown (any key; Shift if the menu is hidden)
press e to edit the selected boot entry
on the linux line delete ro and replace it with:
rw init=/sysroot/bin/sh

press Ctrl+x to boot into that shell
chroot /sysroot
passwd root
touch /.autorelabel
exit
reboot

  • /.autorelabel is needed because the shell ran without SELinux: /etc/shadow was rewritten with a wrong label and logins would fail until it is relabeled
  • anyone with console access can do this, which is why a GRUB password (grub2-setpassword) and disk encryption matter on exposed machines


— Repair filesystem corruption —

  • boot problems can come from mistakes in /etc configuration files (a bad /etc/fstab entry drops the system into emergency mode) or from a filesystem corrupted at the disk level
  • refer to the common types of errors and Linux behaviours in the Red Hat documentation
  • when using the emergency shell to fix filesystem issues, run systemctl daemon-reload after editing /etc/fstab so systemd regenerates its mount units

fsck

  • check and repair Linux filesystem

—- Introduction to Firewall —-

  • firewalld does the same job as the iptables service, with zones and services as its configuration model

firewall-cmd

  • underneath, the kernel rules firewalld writes still consist of
  • tables
  • chains
  • rules
  • targets
  • start firewall
    systemctl start firewalld
  • check the rules of the default zone
    firewall-cmd --list-all
  • list all services firewalld knows about
    firewall-cmd --get-services
  • reload the firewall (runtime rules are reset to the permanent configuration)
    firewall-cmd --reload
  • before starting firewalld make sure the iptables service is stopped and disabled; the two must not manage the rules at the same time
  • list firewall zones
    firewall-cmd --get-zones
  • list the active firewall zones (those with an interface or source assigned)
    firewall-cmd --get-active-zones
  • to list the firewall rules for a specific zone
    firewall-cmd --zone=public --list-all
  • the shipped service definitions live in (custom ones go in /etc/firewalld/services/):
    /usr/lib/firewalld/services/*.xml
  • to add a service (runtime only)
    firewall-cmd --add-service=http
  • to remove a service
    firewall-cmd --remove-service=http
  • to add or remove a service permanently
    firewall-cmd --add-service=http --permanent
  • to add a port
    firewall-cmd --add-port=4434/tcp --permanent
  • without --permanent a rule is lost when firewalld is reloaded or restarted; with --permanent alone it is not active until the next --reload (use both, or --permanent followed by --reload)
  • to remove a port
    firewall-cmd --remove-port=4434/tcp --permanent
  • to reject incoming traffic from an IP address (rich rule)
    firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" reject'
  • ICMP: --add-icmp-block=<type> blocks one ICMP type (e.g. echo-request); block inversion turns the block list into an allow list, so only the listed types pass
    firewall-cmd --add-icmp-block-inversion
    firewall-cmd --remove-icmp-block-inversion
  • to block outgoing traffic (direct rule, written straight into the filter table's OUTPUT chain)
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 31.13.71.36 -j DROP
  • similar to nslookup, to find the address to block
    host -t a www.facebook.com
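Added example, not from the original notes: a custom service definition for the 4434/tcp port used above, so it can be opened with --add-service by name instead of as a bare port and removed just as cleanly. The service name myapp is an assumption; the format follows the shipped definitions in /usr/lib/firewalld/services/.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not part of the original notes. Save as
     /etc/firewalld/services/myapp.xml ("myapp" is an assumed name);
     local files there take precedence over /usr/lib/firewalld/services/. -->
<service>
  <short>myapp</short>
  <description>Hypothetical internal application listening on TCP 4434.</description>
  <port protocol="tcp" port="4434"/>
</service>
```

After saving the file run firewall-cmd --reload so firewalld reads the new definition, then firewall-cmd --permanent --add-service=myapp and --reload again; firewall-cmd --get-services lists it alongside the shipped ones.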

—— Run containers ——

docker, podman

  • podman is developed by Red Hat
  • Docker is not shipped or supported in RHEL 8; podman replaces it and needs no root daemon (containers can run rootless)

— Red Hat container technology —
podman – for directly managing pods and container images (run, stop, start, ps, attach, etc.)
buildah – for building, pushing and signing container images
skopeo – for copying, inspecting, deleting and signing images
runc – the OCI runtime that podman and buildah use to actually run containers
crun – an optional runtime that can be configured and gives greater flexibility, control, and security for rootless containers

— podman container technology —

images – containers are created from images, and a running container can be committed back into a new image
pods – a group of containers deployed together on the host, sharing resources; in the podman logo there are 3 seals grouped together as a pod

— building running and managing containers —

Hi! I’m Shanuka, a skilled Network Engineer working for an IT-based company in Sri Lanka. I specialize in designing, implementing, and securing complex networks, with a keen interest in emerging technologies such as cloud computing, automation, and AI-driven system optimization.
