Redhat RHCSA(EX200) Memo
RedHat Certified System Administrator(EX200) is the 1st to acquire for most of Redhat advanced certificates(non-cloud, regular system admin path), Here are some hints and memo for learning and preparing for RHCSA.
hard link and
ln newfile.txt /tmp/newfile-hlink2.txt
will create a
hard link of
hard link means full copy of the original file, the
hard link file will exist even if the original file got deleted. Furthermore, when multiple
hard link files of the same original exist, any modification done on any of these
hard link file will be synced on all
hard link files.
ln -s /root/newfile-link2.txt /tmp/newfile-symlink.txt
will create a
soft link, it will point to nonexist if the original got deleted.
usermod -l newname oldname will change username.
By default, when a new user got created by
useradd, it will automatically belongs to itself name group as primary group. To change its primary group, use:
usermod -g newgroup username
To join other sub groups, for example making user join root and enable
usermod -aG root username
User Login and Expiration Management
To disable user student login without deleting the user account:
usermod -s /sbin/nologin student
This way, a user can no longer login the system, but still get his account valid to login webservers(when login webserver with local account enabled).
/etc/login.defs defines default login parameters, including password expiration date.
To force a password change on the first login:
sudo chage -d 0 username
Each file has 3 digits representing
other. And each of them is a sum of r=4, w=2, and x=1.
The following command will recursively set read and write access on
demodir and all its children for their group owner, but will only apply group execute permissions to directories and files which already have execute set for user, group, and/or other.
chmod -R g+rwX demodir
Advanced options for file running ownership replacing
setuid = u+s; setgid = g+s; sticky = o+t. And can be convert to digits:
setuid = 4; setgid = 2; sticky = 1.
To make files created in the directory inherits the group affiliation from the directory, rather than inheriting it from the creating user:
chmod g+s directory
this is equal to:
chmod 2770 directory
as 2 represents
setgid which is
Default File Permissions
umask can change default file permission when user creates files or folders. By default
umask=0002 will make files other set without wirte permission, this results in:
-rw-rw-r--. 1 student student 0 May 9 01:54 newfile1
drwxrwxr-x. 2 student student 0 May 9 01:54 newdir1
if change current folder
umask value to 027:
[[email protected] ~]$ umask 027 [[email protected] ~]$ touch newfile4 [[email protected] ~]$ ls -l newfile4 -rw-r-----. 1 student student 0 May 9 01:55 newfile4 [[email protected] ~]$ mkdir newdir4 [[email protected] ~]$ ls -ld newdir4 drwxr-x---. 2 student student 0 May 9 01:54 newdir4
Redhat7 stores this default and persistent
umask value under
/etc/bashrc for global system or inside
~/.bashrc for individual users.
ACL File Permission
Another advanced way to control file accessbilities is to user ACl. This way besides basic
chmod file permissions, it provides an extra layer of controlling who can access. If you want multiple users(belongs to different group) or groups to be able to access a file, ACL is a good option.
To make usergroup sodor be able to access this file even if
chmod 700 has been set for default file owner group.
setfacl -m u::rwx,g:sodor:rX,o::- file
Here group sodor must already have
x permission on file’s current folder(i.e
/redhat/test), so that sodor can bypass
cat file content. Only having
rw permission on
/redhat/test is not enought and will end with erro
Same rule applies to individual users as well.
To make all files in a directory created later on have same ACL:
setfacl -m d:u:name:rx directory
To make all existing files in a directory have same ACL:
setfacl -R -m u:name:rX directory
To explicitly deny a user to access a file, but keep user alive and accessibility to other files:
setfacl -Rm u:james:- /shares/steamies
Security Enhanced Linux provides extra layer of file access management, instead of limiting access from user level(chown/setfacl), it bans access from Application side. A good example is that when we install
named/bind9 on RHEL7, it comes with SELinux enalbed default values, make
/var/named/ as its customized DNS content folder and all files in it will have context
named_zone_t, but if we manually put all DNS files in any other folders,
named won’t be able to read those files unless changing their context to be
SELinux labels have several contexts:
sensitivity. We usually focus on 3rd context: type.
Default SELinux mode stores at
Usually most of the commands have an option
-Z to disply SELinux information. E.g:
ps -auxZ or
chcon can change SELinux context of any file, while
restorecon will restore any file’s context to its default value which inherit from the folder it belongs to.
[[email protected] ~]# mkdir /virtual [[email protected] ~]# ls -Zd /virtual drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual [[email protected] ~]# chcon -t httpd_sys_content_t /virtual [[email protected] ~]# ls -Zd /virtual drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /virtual [[email protected] ~]# restorecon -v /virtual restorecon reset /virtual context unconfined_u:object_r:httpd_sys_content_t:s0-> unconfined_u:object_r:default_t:s0 [[email protected] ~]# ls -Zd /virtual drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual
semanage is a python app that can control SELinux context via Regular Expression. Install via
yum install policycoreutils-python.
To change all files context type in
semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'
getsebool -a will only gives you current status of a context, while
semanage boolean -lC can tell what has been changed in the system and if it’s enabled by default.
[[email protected] ~]# getsebool -a abrt_anon_write --> off abrt_handle_event --> off abrt_upload_watch_anon_write --> on antivirus_can_scan_system --> off antivirus_use_jit --> off ... [[email protected] ~]# getsebool httpd_enable_homedirs httpd_enable_homedirs --> off [[email protected] ~]# setsebool httpd_enable_homedirs on [[email protected] ~]# semanage boolean -l | grep httpd_enable_homedirs httpd_enable_homedirs (on , off) Allow httpd to enable homedirs [[email protected] ~]# getsebool httpd_enable_homedirs httpd_enable_homedirs --> on [[email protected] ~]# setsebool -P httpd_enable_homedirs on [[email protected] ~]# semanage boolean -l | grep httpd_enable_homedirs httpd_enable_homedirs (on , on) Allow httpd to enable homedirs
To find out what context a file needs to have for named to read, we can use:
semanage fcontext -l | grep named /etc/rndc.* regular file system_u:object_r:named_conf_t:s0 /var/named(/.*)? all files system_u:object_r:named_zone_t:s0 /etc/unbound(/.*)? all files system_u:object_r:named_conf_t:s0 /var/run/bind(/.*)? all files system_u:object_r:named_var_run_t:s0 /var/log/named.* regular file system_u:object_r:named_log_t:s0 /var/run/named(/.*)? all files system_u:object_r:named_var_run_t:s0
And you’ll see that ideally files under
/var/named should have
named_zone_t, so if any file functions as files in
/var/named but don’t have correct context will fail.
kill can actually do more then just kill.
[[email protected] ~]$ kill -l 1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL 5) SIGTRAP 6) SIGABRT 7) SIGBUS 8) SIGFPE 9) SIGKILL 10) SIGUSR1 11) SIGSEGV 12) SIGUSR2 13) SIGPIPE 14) SIGALRM 15) SIGTERM 16) SIGSTKFLT 17) SIGCHLD 18) SIGCONT 19) SIGSTOP 20) SIGTSTP
kill -9 is the brutal kill, while
kill is default to
kill -15 as soft kill.
pkill can kill multiple process at the same time, e.g stop all process that hacker runs,
pkill -U hacker.
Few tools used related to linux partition:
fdisk: Main partition program to partition MBR size < 2TB.
gdisk: Partition GPT dev.
parted: Better tool to partition for dev size > 2TB.
dd: File convertor, can create image from a dev.
mkfs: Format tool,
ext4is used as default in most linux system,
xfsis better for storage usage as it supports >16TB.
To create a swap, we can use a dedicated partition to store swap or making a file storing swap caches(
/dev/zero can be loopback).
fdisk /dev/vdbto create a new partition for swap, and then
dd if=/dev/zero of=/path/to/swapfile bs=1M count=1Kto create a 1G swap file, then
To permanently activate a swap, edit
#for dd /swapfile swap swap defaults 0 0 #for fdisk partition UUID=fbd7fa60-b781-44a8-961b-37ac3ef572bf swap swap defaults 0 0
Here the last 2 digits
0 0 indicate:
dump: used by the dump utility to decide when to make a backup. When installed,
dumpchecks the entry and uses the number to decide if a file system should be backed up. Possible entries are 0 and 1. If 0, dump will ignore the file system, if 1,
dumpwill make a backup. Most users will not have
dumpinstalled, so they should put 0 for the
pass: fsck reads the
passnumber and determines in which order the file systems should be checked. Possible entries are 0, 1, and 2. The root file system should have the highest priority, 1, all other file systems you want to have checked should get a 2. File systems with a
passvalue 0 will not be checked by the fsck utility.
Dynamically created devices/folders won’t be automacially mounted, and may include complex manual task such as editing
/etc/fstab for them to be loaded at boot.
autofs is a tool to automate all these and has been widely used against NFS mounted folders. To use it:
/etc/auto.master.d/*.autofs, this file identifies the base directory used for mount points and identifies the mapping file used for creating the automounts.
direct.autofsfor direct(pre-exist) mounting,
shares.autofsfor dynamic mouting.
Write content like this:
#filename: /etc/auto.master.d/shares.autofs # to define which files will contain dynamic mounting points definition /shares /etc/auto.demo
#filename: /etc/auto.master.d/direct.autofs # to define which files will contain direct(pre-exist) mouting points definition, /- means absolute path needs to be provided in auto.direct, if we use /mnt here then only docs needs to be provided in auto.direct. /- /etc/auto.direct
#filename: /etc/auto.home # if want to mount work dynamically, meaning creating and deleting /shares/work after use work -rw,sync serverX:/shares/work # if NFS has multiple exports, we can use following * -rw,sync serverX:/shares/&
#filename: /etc/auto.direct # If mounting point already exists, use following /mnt/docs -rw,sync serverX:/shares/docs
RHEL Boot Process
How to Recover Lost Root Password
On Red Hat Enterprise Linux 7, it is possible to have the scripts that run from the
initramfs pause at certain points, provide a
root shell, and then continue when that shell exits. While this is mostly meant for debugging, it can also be used to recover a lost root password:
- Reboot the system.
- Interrupt the boot loader countdown by pressing any key.
- Move the cursor to the entry that needs to be booted.
eto edit the selected entry.
- Move the cursor to the kernel command line (the line that starts with linux16).
rd.break(this will break just before control is handed from the initramfs to the actual system).
Ctrl+xto boot with the changes. At this point, a root shell will be presented, with the root file system for the actual system mounted read-only on
To recover the root password from this point, use the following procedure:
#Remount /sysroot as read-write. /sysroot contains real system disk, /etc, /root, /home, etc. switch_root:/# mount -o remount,rw /sysroot #Switch into a chroot jail, where /sysroot is treated as the root of the file system tree. So that you can change root password of real system from pre-boot root user. switch_root:/# chroot /sysroot #Set a new root password: sh-4.2# passwd root #Make sure that all unlabeled files (including /etc/shadow at this point) get relabeled during boot sh-4.2# touch /.autorelabel #Type exit twice. The first will exit the chroot jail, and the second will exit the initramfs debug shell. exit exit
Emergency and Rescue Targets
By appending either
systemd.unit=emergency.target to the kernel command line from the boot loader, the system will spawn into a special rescue or emergency shell instead of starting normally. Both of these shells require the
root password. The emergency target keeps the root file system mounted read-only, while
rescue.target waits for
sysinit.target to complete first so that more of the system will be initialized (e.g., logging, file systems, etc.).
To use this method of selecting a different target, use the following procedure for Red Hat Enterprise Linux 7 systems:
- (Re)boot the system.
- Interrupt the boot loader menu countdown by pressing any key.
- Move the cursor to the entry to be started.
- Press e to edit the current entry.
- Move the cursor to the line that starts with linux16. This is the kernel command line.
Ctrl+xto boot with these changes.
These shells can be used to fix any issues that prevent the system from booting normally; for example, a dependency loop between services, or an incorrect entry in
/etc/fstab. Exiting from these shells will continue with the regular boot process.
The way to create a lv is similar as how kubernetes claim storage in the backend.
Steps to create a valid LV:
fdisk /dev/sdato partition a disk, don’t need to format it now.
pvcreate /dev/sda1to create a
Physical Volume, it will be functioning as a label for lvgroup to select.
vgcreate vgname /dev/sda1 /dev/sdb1to create a
lvcreate -n lvname -L 2G vgnameto claim 2G size from above vg.
mkfs -t xfs /dev/vgname/lvnameto format newly created lv.
To extend a lv and acquire the extended space:
lvextend -rL +300M /dev/vg-alpha/hercules
Besides using partition as LVM PV, LVM can also use local file. Simply using
dd create a file mirror then mount and part:
dd if=/dev/zero of=/path/to/file.img bs=512M count=1to create a file.
fdisk /path/to/file.imgto create new partition and change type to
losetup /path/to/file.img /dev/loopxmount file onto empty loop slot.
vgcreate test /dev/loopx,
lvcreate -n test -L 512M testto create lvm using file mounted.