Rhel 290

Red Hat Essential Linux

Uploaded by

saikyawhtike
RED HAT TRAINING & CERTIFICATION TRAINING PATHS

[Figure: training paths for Windows, Linux/UNIX, senior Linux and Solaris administrators leading to Red Hat Certified System Administrator (RHCSA) and Red Hat Certified Engineer (RHCE); the diagram itself is not reproduced.]

Red Hat Training gives you the skills you need to manage, scale, and secure your Red Hat enterprise deployments. Unlike most vendors, we orient our training and certifications around real world job roles and tasks. Our system administration courses use the best-of-breed contemporary teaching approaches, such as task-focused activities and labs, to ensure students have maximized skills transfer and retention. This approach, combined with Red Hat's performance-based certification program, ensures an exceptional return on all training investments. Whether you need to train a team of IT professionals or just yourself, Red Hat offers a variety of learning styles, delivery methods, certifications, savings programs, and customized solutions to maximize return on your Red Hat investment. Find out more at redhat.com/training.

CORE RED HAT SYSTEM ADMINISTRATION TRAINING COURSES

Red Hat System Administration I (RH124) is a five-day course designed for IT professionals who are new to Linux and require core Red Hat Enterprise Linux skills. Focusing on administration tasks

RED HAT ENTERPRISE LINUX FOR SOLARIS ADMINISTRATORS

RH290-6-en-1-20110516

Contents

Introduction
    Welcome to class!
    About Red Hat Enterprise Linux
    Additional Red Hat Enterprise Linux Software
    Contacting Red Hat Technical Support
    About This Course
    Red Hat Enterprise Linux for Solaris Administrators
    Structure of the Course
    Orientation to the Classroom Network
    Internationalization
    Language Support
    System-wide Default Language
    Per-user Language Selection
    Input Methods
    Language Codes Reference
1. Linux Hierarchy, Support and Virtualization
    The Linux File System Hierarchy
    Read Documentation Using pinfo
    Documentation in /usr/share/doc
    Research On-line Documentation
    Getting the Most from Red Hat Global Support Services
    Manage Virtual Machines
    Criterion Test
2. Network Configuration
    Understanding Network Configuration Files
    Network Interface Configuration - Bonding
    Criterion Test
3. User Administration
    Managing Passwords
    Criterion Test
4. Software Management
    Register with Red Hat Network (RHN)
    Using yum
    Using yum to Revert to Older Software
    Criterion Test
5. System Initialization
    Manage Services
    Booting an Alternate Kernel
    Booting into a Different Runlevel
    Changing the Default Runlevel
    Resolve GRUB Issues
    Making Persistent GRUB Changes
    Passing Kernel Arguments
    Criterion Test
6. Kernel Maintenance and Tuning
    Supported Architectures and Kernel Identification
    Upgrading Your Kernel
    Tuning Kernel Network Parameters
    Criterion Test
7. Local Storage Management
    Describe MBR, Primary, Extended, and Logical Partitions
    Simple Partitions and File Systems
    Criterion Test
8. Network Storage Management
    Accessing iSCSI Storage
    Managing Devices with udev
    Device Mapper Multipath
    Criterion Test
9. Logical Volume Management
    Recognize the Components of LVM
    Implement LVM Storage with Command Line Tools
    Extend a Logical Volume and Ext File System
    Criterion Test
10. System Monitoring
    Deploying cron Jobs
    Deploying sar
    Determine Log Destinations
    Criterion Test
11. Linux Security
    Packet Filtering
    Basic SELinux Security Concepts
    SELinux Modes
    Display and Modify SELinux Modes
    Display and Modify SELinux File Contexts
    Monitoring SELinux Violations
    Criterion Test
12. Enterprise Deployment
    Creating a Kickstart File by Modifying a Template
    Criterion Test
13. Enterprise Troubleshooting
    Analyzing a Crash with kdump
    Using SystemTap
A. Solutions
    Linux Hierarchy, Support and Virtualization
    Network Configuration
    User Administration
    Software Management
    System Initialization
    Kernel Maintenance and Tuning
    Local Storage Management
    Network Storage Management
    Logical Volume Management
    System Monitoring
    Linux Security
    Enterprise Deployment
    Enterprise Troubleshooting

The Linux File System Hierarchy

Comparison: On Solaris, the root user has a default shell of /sbin/sh and normal users have a default shell of /bin/sh. On Linux, all users (including root) have a default shell of /bin/bash. To change the default for every new account, edit the SHELL variable in /etc/default/useradd. To change the shell for an existing user run usermod -s SHELL USERNAME, which changes the /etc/passwd file.

Every user has a home directory. All of the user's personal files (configuration, data, or even applications) go here. Root's home directory is /root. Most non-root home directories are in the /home tree, usually named after the user.

Note: The root user's home directory is called /root, yet the / directory is called the "root directory" since it is at the root of the file system hierarchy. This is a possible source of confusion.
(At one time, some UNIX-like systems actually used / as the root user's home directory, further confusing matters.)

/tmp is usually used by applications for storing temporary data. Once a day the system automatically deletes any files over ten days old in /tmp.

The boot loader is in charge of loading the core of Red Hat Enterprise Linux into memory. The boot loader, kernel and the loader's configuration files are stored in /boot.

One fundamental principle of Linux and UNIX-like systems is that "everything is a file", including hardware devices. This enables some very powerful things to be done with simple tools. In any case, there are special files on the system which represent hardware devices, which are kept in /dev.

Tab completion allows you to quickly complete file names once you have typed enough at the prompt to make it unique. If the characters you typed are not unique, press Tab twice to display all completions that begin with the characters already typed. For example, type ls /u and hit the Tab key. Type s (ls /usr/s) and hit the Tab key twice.

[root@serverX ~]# ls /usr/s<Tab><Tab>
sbin/  share/  src/
[root@serverX ~]# ls /usr/sh<Tab>
[root@serverX ~]# ls /usr/share/

Practice Quiz: Linux File System Hierarchy

1. ______ contains most of the system configuration files.
2. ______ is the root directory.
3. User home directories are found below ______, but root's home directory is ______.
4. The ______ directory contains variable data like web sites and FTP sites.
5. Temporary files are stored in ______ and ______.
6. ______ devices are normally mounted on ______.
7. Device files are kept in ______.
8. Files used during the boot process are stored in ______.
UNIT TWO: NETWORK CONFIGURATION

Introduction

Topics covered in this unit:
+ Network Configuration Files
+ Configuring bonded network interfaces

Understanding Network Configuration Files

Network Interface Names

The Linux kernel names interfaces with a specific prefix depending on the type of interface. For example, all Ethernet interfaces start with eth, regardless of the specific hardware vendor. Following the prefix, each interface is numbered, starting at zero. For example, eth0, eth1, and eth2 would refer to the first, second, and third Ethernet interfaces. Other interface names include wlan0 for the first wireless device, virbr0 for the internal bridge set up for virtual hosts, bond0 for the first bonded network device, and so on.

Network Interface Configuration

/sbin/ip is used to show or temporarily modify devices, routing, policy routing, and tunnels.

Comparison: Linux, like Solaris, does include the ifconfig command, which can be used to print or temporarily change the network configuration. However, using the ip command is preferred as it provides better information about IP aliases and it can also be used to view and configure routing (like the route command), tunnels, etc.

[root@demo ~]# ip route
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.250
default via 192.168.0.254 dev eth0 proto static

Note: ip -6 route shows the IPv6 routing table.

Hostname Resolution

The hostname command displays or temporarily modifies the system's fully-qualified hostname.
[root@demo ~]# hostname
demo.example.com

The stub resolver is used to convert hostnames to IP addresses or the reverse. The contents of the file /etc/hosts are checked first.

[root@demo ~]# cat /etc/hosts
192.168.0.250 demo.example.com demo   # Added by NetworkManager
127.0.0.1 localhost.localdomain localhost demo.example.com demo
::1 localhost6.localdomain6 localhost6

Comparison: /etc/hosts, /etc/resolv.conf and /etc/nsswitch.conf on Red Hat Enterprise Linux all perform a similar function to the equivalent files on Solaris.

If an entry is not found in that file, the stub resolver looks for the information from a DNS nameserver. The /etc/resolv.conf file controls how this query is done:
+ nameserver: the IP address of a nameserver to query. Up to three nameserver directives may be given to provide backups if one is down.
+ search: a list of domain names to try with a short hostname. Both this and domain should not be set in the same file; if they are, the last instance wins. See resolv.conf(5) for details.

The host command can be used to test hostname resolution.

Comparison: The ifcfg-* files on Red Hat Enterprise Linux contain the information that the /etc/hostname.* and /etc/dhcp.* files do on Solaris.

Note: If you need to configure static routes, the configuration is stored per interface in /etc/sysconfig/network-scripts/route-name. Details can be found in the Red Hat Enterprise Linux Deployment Guide, see below.

Comparison: /etc/sysconfig/network-scripts/route-name on Red Hat Enterprise Linux is equivalent to the /etc/inet/static_routes file on Solaris.

Important: NetworkManager runs by default on Red Hat Enterprise Linux 6 and may cause conflicts with your network configuration. If you want to permanently manage the network settings manually, add NM_CONTROLLED=no to the ifcfg-* file for each network interface.

/etc/sysconfig/network is used to specify the fully qualified hostname and may specify a static default route if DHCP is not in use:

[root@demo ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=demo.example.com
GATEWAY=192.168.0.254

Comparison: /etc/sysconfig/network on Red Hat Enterprise Linux contains the information you would place in the /etc/defaultrouter and /etc/nodename files on Solaris.

As we saw above, /etc/resolv.conf specifies the IP addresses of DNS servers and the search domain.

Modifying Network Configuration

NetworkManager may be installed on Red Hat Enterprise Linux 6. It consists of a core daemon, a GNOME Notification Area applet that provides network status information, and graphical configuration tools that can create, edit and remove connections and interfaces.

To change a NetworkManager-managed eth0 interface from using DHCP to using a static IP address:
1. Right-click the NetworkManager icon in the top Panel and select Edit connections...
2. On the Wired tab, select System eth0 and click the Edit... button
3. Select the IPv4 Settings tab
4. On the Method drop-down menu, change Automatic (DHCP) to Manual
5. Under Addresses click Add and enter the IPv4 address, netmask (in VLSM or CIDR notation), gateway router, and DNS server to use
6. IMPORTANT: make sure that Connect automatically is checked so the interface starts at boot (rather than when the user logs in), and Available to all users is checked so that it is available system-wide
7. Click Apply to apply your changes.
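The lookup order described under Hostname Resolution above (/etc/hosts first, then the nameservers listed in /etc/resolv.conf, with the last of domain/search winning and only three nameservers honoured) modelled in Python. This is an added example, not code from the course book; the hosts and resolv.conf contents are constructed samples and sample_dns_lookup is a stand-in table for a real DNS query.

```python
# Model of the RHEL stub resolver order: /etc/hosts first, then the
# nameservers from /etc/resolv.conf. Both files below are constructed samples.
MAX_NAMESERVERS = 3   # resolv.conf(5): only the first three nameserver lines count

HOSTS = """\
192.168.0.250 demo.example.com demo   # Added by NetworkManager
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
"""

RESOLV_CONF = """\
domain example.com
search lab.example.com example.com
nameserver 192.168.0.254
nameserver 10.0.0.1
nameserver 10.0.0.2
nameserver 10.0.0.3
"""

# Stand-in for a DNS query (constructed): what the nameservers would answer.
DNS_ZONE = {"www.example.com": "192.168.0.10"}


def sample_dns_lookup(server, fqdn):
    """Return the address DNS_ZONE holds for fqdn, or None (no such name)."""
    return DNS_ZONE.get(fqdn.lower())


def _strip(line):
    """Drop a trailing comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_hosts(text):
    """Map every hostname and alias in a hosts file to its address.
    The first entry for a name wins, and names are case-insensitive."""
    table = {}
    for line in map(_strip, text.splitlines()):
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def parse_resolv_conf(text):
    """Return (nameservers, search_list). 'domain' and 'search' are mutually
    exclusive: whichever appears last in the file wins, as the page notes."""
    nameservers, search = [], []
    for line in map(_strip, text.splitlines()):
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args and len(nameservers) < MAX_NAMESERVERS:
            nameservers.append(args[0])
        elif key == "domain" and args:
            search = [args[0]]
        elif key == "search":
            search = args
    return nameservers, search


def resolve(name, hosts, nameservers, search, dns_lookup=sample_dns_lookup):
    """Resolve name like the stub resolver: a short name is expanded with each
    search domain before being tried bare; /etc/hosts is consulted for every
    candidate before the nameservers are asked in order.
    Returns (address, source) or (None, None). Simplified: a None answer from
    one nameserver falls through to the next, as a timeout would."""
    if "." in name:
        candidates = [name] + [name + "." + d for d in search]
    else:
        candidates = [name + "." + d for d in search] + [name]
    for cand in candidates:
        if cand.lower() in hosts:
            return hosts[cand.lower()], "/etc/hosts"
    for cand in candidates:
        for server in nameservers:
            addr = dns_lookup(server, cand)
            if addr is not None:
                return addr, server
    return None, None


def resolve_sample(name):
    """Resolve a name against the constructed files above."""
    nameservers, search = parse_resolv_conf(RESOLV_CONF)
    return resolve(name, parse_hosts(HOSTS), nameservers, search)


if __name__ == "__main__":
    for host in ("demo", "localhost", "www", "nosuch.example.org"):
        print(host, "->", resolve_sample(host))
```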
It is also possible to configure the network by editing interface configuration files. Interface configuration files control the software interfaces for individual network devices. These files are usually named /etc/sysconfig/network-scripts/ifcfg-name, where name refers to the name of the device that the configuration file controls. The following are standard variables found in the file used for static or dynamic configuration.

[Table 2.1. Configuration Options for ifcfg file: not legible in the scan; the readable variables are BOOTPROTO (static or dhcp), IPADDR, HWADDR and NM_CONTROLLED.]

Note: If NetworkManager is running, any changes made to the ifcfg-* files take effect immediately.

Important: If DHCP is in use, /etc/resolv.conf is automatically rewritten as interfaces are started unless you specify PEERDNS=no in the relevant interface configuration files.

An interface can be brought down with the ifdown command and brought back up with the ifup command, whether it is managed by NetworkManager or unmanaged.

When changing the system configuration you must remember to:
1. Modify a configuration file
2. Restart a service
3. Verify the change

References
Red Hat Enterprise Linux Deployment Guide
+ Section 4.1: Network Configuration Files
Red Hat Enterprise Linux Deployment Guide
+ Section 4.2: Interface Configuration Files
Red Hat Enterprise Linux Deployment Guide
+ Section 4.4: Configuring Static Routes
Red Hat Enterprise Linux Deployment Guide
+ Chapter 5: Network Configuration
/usr/share/doc/initscripts-*/sysconfig.txt
NetworkManager Help
Network Interface Configuration - Bonding

Comparison: Aggregate interfaces or IP trunking on Solaris is called network bonding in Red Hat Enterprise Linux.

Red Hat Enterprise Linux allows administrators to bind multiple network interfaces together into one, increasing bandwidth and/or providing redundancy, depending on the bonding mode chosen.

Physical Identification of a NIC

When working with multiple network cards, it is useful to be able to identify particular network cards physically. One method of physically identifying a NIC is to cause one or more of its LEDs to blink. To blink the LEDs on eth0 for 30 seconds, run ethtool -p eth0 30.

Selected Linux Ethernet Bonding Modes
+ Mode 0 (balance-rr) - Round robin policy, all interfaces are used. Packets are transmitted in a round-robin fashion through all slaves; any slave can receive.
+ Mode 1 (active-backup) - Fault tolerant. Only one slave interface is in use at a time, but if it fails another slave takes over.
+ Mode 3 (broadcast) - Fault tolerant. All packets are broadcast from all slave interfaces.

Other bonding modes are described in the kernel documentation file networking/bonding.txt.

Example Active-Backup Configuration

+ /etc/sysconfig/network-scripts/ifcfg-bond0
This file configures the network information for the bonded interface, as if it were a normal network interface file:

DEVICE=bond0
IPADDR=10.1.1.250
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="mode=1 miimon=50"

+ /etc/sysconfig/network-scripts/ifcfg-name
Each slave interface name needs a file (such as /etc/sysconfig/network-scripts/ifcfg-eth0) containing the following configuration:

References
Red Hat Enterprise Linux Deployment Guide
+ Section 4.2.2: Channel Bonding Interfaces
Red Hat Enterprise Linux Deployment Guide
+ Section 22.7.2: Using Channel Bonding
/usr/share/doc/kernel-*/Documentation/networking/bonding.txt

Practice Quiz: Network Bonding Configuration

1. Which mode of Linux Ethernet bonding primarily uses one slave interface and changes interface upon failure? (select one of the following...)
   a. Mode 0 (balance-rr)
   b. Mode 1 (active-backup)
   c. Mode 3 (broadcast)

2. Which mode of Linux Ethernet bonding uses all interfaces in a round robin fashion to achieve more throughput? (select one of the following...)
   a. Mode 0 (balance-rr)
   b. Mode 1 (active-backup)
   c. Mode 3 (broadcast)

3. When creating a bonded network interface, which configuration file contains the IP address and netmask definitions for the interface? (select one of the following...)
   a. /etc/sysconfig/network
   b. /etc/sysconfig/network-scripts/ifcfg-bond0
   c. /etc/sysconfig/network-scripts/ifcfg-iface
   d. None of the above

4. When creating a bonded network interface, which configuration file defines the type of bonding? (select one of the following...)
   a. /etc/sysconfig/network
   b. /etc/sysconfig/network-scripts/ifcfg-bond0
   c. /etc/sysconfig/network-scripts/ifcfg-iface
   d. None of the above

5. When creating a bonded network interface, which variable definitions must be specified in the /etc/sysconfig/network-scripts/ifcfg-iface configuration file? (select one of the following...)
   a. GATEWAY
   b. IPADDR
   c. MASTER
   d. None of the above

UNIT THREE: USER ADMINISTRATION

Introduction

Topics covered in this unit:
+ Password Management and Expiration

Managing Passwords

Comparison: Red Hat Enterprise Linux users are very similar to Solaris users. Users are used to provide access to files and directories, and they are grouped into groups. Red Hat Enterprise Linux uses the user private group (UPG) scheme for users such that every user has its own private primary group. If you create a new user named bob, there will be a new group created by the name of bob.
Users may belong to up to 65,536 groups. User names may be up to 255 alphanumeric characters. The UIDs and GIDs are 32-bit numbers, but they are capped at 60,000 by default (in /etc/login.defs) to provide backward compatibility. UIDs below 500 are reserved for system accounts, so human user accounts typically begin at 500. The reserved system account IDs will soon be 0-999.

Historically, passwords were stored in the /etc/passwd file. However, /etc/passwd must be world readable because commands such as ls need to access that file to map UIDs to user names. Passwords were migrated to a more secure /etc/shadow file where several different password hashing algorithms are supported. As long as hashed passwords are being stored in a dedicated file, password aging policy and data can be stored there as well.

What 3 pieces of information are stored in a password hash?

$1$9CjLa2/Z$6PUdEKEAZFCjxjvZhoLOB/

1. $1$ - The hashing algorithm (1 indicates an MD5 hash)
2. 9CjLa2/Z - The salt combined with the password before hashing
3. 6PUdEKEAZFCjxjvZhoLOB/ - The resulting hash

Note: Red Hat Enterprise Linux 6 supports two new strong password hashing algorithms, SHA-256 (algorithm 5) and SHA-512 (algorithm 6). These may be enabled as the default for /etc/shadow using system-config-authentication to select it from the Password Hashing Algorithm drop-down menu on the Advanced Options tab.

/etc/shadow Fields
1. Username
2. Password hash

The following diagram relates the relevant password aging parameters, which can be adjusted using chage to implement a password aging policy:

time of last change --- max days ( ) ---> password expiration date --- inactive days ( ) ---> inactive date
time of last change --- min days (-m) --->
                    <--- warn days ( ) --- password expiration date

As your instructor discusses these parameters, fill in the parentheses in the diagram above with the relevant (short) chage command line switch. As an example, -m has been added to the min days parameter to get you started.
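The $id$salt$hash structure and the chage aging parameters just described, worked through in Python as an added example (not code from the course book): it splits a shadow password field into algorithm, salt and hash, derives the dates in the diagram from the numeric shadow fields, and flags entries that still use the MD5 algorithm or never expire. The sample shadow lines are constructed; only bob's hash is the one shown on the page.

```python
from datetime import date, timedelta

# crypt(3) algorithm ids used in /etc/shadow on RHEL 6 (the page names 1, 5 and 6)
HASH_ALGORITHMS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}
EPOCH = date(1970, 1, 1)

# Constructed sample of /etc/shadow. bob's hash is the one shown on the page;
# the other hash strings are made up for this example.
SAMPLE_SHADOW = """\
root:$6$Qx7pR2sT$yvb1Wq5n0Zc8e3LfK9uHdS4aGtMxEoPjN6rB2wVcYk1TiZl7mUs0hAqD5fJgX:15000:0:99999:7:::
bob:$1$9CjLa2/Z$6PUdEKEAZFCjxjvZhoLOB/:15100:1:90:7:14::
alice:$5$saltsalt$1AbC2dEf3GhI4jKl5MnO6pQr7StU8vWx9YzA0bCdEfG:15130:0:90:7:::
svc:!!:15000:0:99999:7:::
"""


def days_to_date(days):
    """Shadow stores dates as days since 1970-01-01."""
    return EPOCH + timedelta(days=days)


def split_hash(field):
    """Split a $id$salt$hash password field into (algorithm, salt, hash).
    Returns None for locked ('!!', '*') or empty fields. A SHA-crypt field may
    carry an extra $rounds=N$ element, which is skipped."""
    if not field.startswith("$"):
        return None
    parts = field.split("$")             # ['', id, (rounds), salt, hash]
    if len(parts) not in (4, 5):
        return None
    algorithm = HASH_ALGORITHMS.get(parts[1], "unknown(%s)" % parts[1])
    return algorithm, parts[-2], parts[-1]


def parse_shadow_line(line):
    """Parse one shadow entry; numeric aging fields are None when empty."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow entry: %r" % line)
    num = lambda s: int(s) if s else None
    return {"user": fields[0], "hash": fields[1],
            "lastchange": num(fields[2]), "min": num(fields[3]),
            "max": num(fields[4]), "warn": num(fields[5]),
            "inactive": num(fields[6]), "expire": num(fields[7])}


def aging(entry):
    """Derive the dates of the chage diagram. The chage switches for these
    parameters are -d (last change), -m (min), -M (max), -W (warn), -I (inactive)."""
    last = days_to_date(entry["lastchange"] or 0)
    dates = {"last_change": last}
    if entry["min"]:
        dates["can_change_from"] = last + timedelta(days=entry["min"])
    if entry["max"] is not None and entry["max"] < 99999:   # 99999 = never expires
        expires = last + timedelta(days=entry["max"])
        dates["expires"] = expires
        dates["warn_from"] = expires - timedelta(days=entry["warn"] or 0)
        if entry["inactive"] is not None:
            dates["inactive_from"] = expires + timedelta(days=entry["inactive"])
    return dates


def audit(entry, today):
    """Return a list of findings for one entry as of the given date."""
    findings = []
    if entry["hash"] == "":
        return ["empty password field: login without a password"]
    parts = split_hash(entry["hash"])
    if parts is None:
        return findings                  # locked account, nothing to check
    algorithm, _salt, _hash = parts
    if algorithm == "MD5":
        findings.append("weak MD5 hash; re-hash with SHA-512 (algorithm 6)")
    dates = aging(entry)
    if "expires" not in dates:
        findings.append("password never expires")
    elif today >= dates["expires"]:
        findings.append("password expired on %s" % dates["expires"])
    elif today >= dates["warn_from"]:
        findings.append("password expires on %s (in warning period)" % dates["expires"])
    return findings


def audit_shadow(text, today):
    """Audit every entry in a shadow file; returns {user: findings}."""
    entries = (parse_shadow_line(l) for l in text.splitlines() if l.strip())
    return {e["user"]: audit(e, today) for e in entries}


if __name__ == "__main__":
    # 15110 days after the epoch is 2011-05-16, the course's own date
    for user, findings in audit_shadow(SAMPLE_SHADOW, days_to_date(15110)).items():
        print(user, findings or ["ok"])
```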
References
Red Hat Enterprise Linux Deployment Guide
+ Chapter 1: Yum
yum(8), yum.conf(5) man pages

Using yum to Revert to Older Software

Downgrade packages

There are times when software updates cause other applications to cease to function. yum downgrade can be used to revert to older versions of the software.

Demonstration:

[root@demo ~]# yum list upstart
Installed Packages
upstart.x86_64    0.6.5-6.1.el6        @base
Available Packages
upstart.x86_64    0.6.5-6.1.el6_0.1    updates
[root@demo ~]# yum update -y upstart
[root@demo ~]# yum list upstart
Installed Packages
upstart.x86_64    0.6.5-6.1.el6_0.1    @updates
[root@demo ~]# yum downgrade upstart
[root@demo ~]# yum list upstart
Installed Packages
upstart.x86_64    0.6.5-6.1.el6        @base
Available Packages
upstart.x86_64    0.6.5-6.1.el6_0.1    updates

Note: yum downgrade will automatically choose the previously highest version. To choose a different version to which to downgrade, specify the version of the package. If there were three versions of the foo package in my repository and foo-1.0-3.x86_64 is currently installed, yum downgrade foo would revert to foo-1.0-2.x86_64. To downgrade to release 1, run yum downgrade foo-1.0-1.x86_64. Use the --showduplicates option to yum list to show all versions of a package that are available. By default only the latest version is shown with a yum list.

Warning: yum downgrade is not needed for install-only packages like the kernel. Simply use yum install kernel-VERSION_NUMBER to install any available kernel.
Reinstall packages

If you accidentally remove a file that was installed from a software package, you can use yum reinstall to reinstall all files from a package.

Demonstration:

UNIT FIVE: SYSTEM INITIALIZATION

Topics covered in this unit:
+ Overcome bootloader misconfigurations
+ /boot/grub/grub.conf
+ Kernel boot parameters

Manage Services

Daemons are processes that wait or run in the background performing various tasks. Generally, daemons start automatically at boot time and continue to run until shutdown or they are manually stopped. By convention, the names of many daemon programs end in the letter "d".

Daemons are managed by service scripts, which are kept in the /etc/rc.d/init.d/ directory. Service scripts are usually called with a single start, stop, restart, status, or reload argument. The easiest way to run service scripts is to use the service command.

Services are enabled (configured to start automatically at boot time) with chkconfig service on. Services are disabled (configured not to start automatically at boot time) with chkconfig service off. More sophisticated control over whether a service is on or off in particular runlevels is also possible.

Without arguments, chkconfig lists the current configuration of all services. The runlevels in which a service is enabled can be observed with chkconfig --list service. Running the chkconfig command does not immediately affect the state of a daemon started from a service script.

Note: Daemons are background processes that do things.
A service script may start one or more daemons, but service scripts may instead make a one-time change to the state of the system (for example, to configure network interfaces) which does not involve leaving a daemon process running afterward. The network and iptables scripts are examples of this second kind of service script.

Installing New Services

What command is commonly used to perform each of these steps of deploying a new service on a Red Hat Enterprise Linux system?
+ Install the software: ______
+ Start the service: ______
+ Test the service: ______
+ Enable the service at bootup: ______

References
Red Hat Enterprise Linux Deployment Guide
+ Chapter 7: Controlling Access to Services
man pages

Booting an Alternate Kernel

The heart of the Linux operating system is the kernel, which acts as the interface between user code and system hardware. From time to time, a newer version of the kernel for Red Hat Enterprise Linux is released, which may enable new features or fix software bugs. In order to use a new kernel, the system must be rebooted.

Normally, the newest version of the kernel installed on the system is used. However, Red Hat Enterprise Linux allows multiple kernel versions to be installed at the same time. This allows you to test a kernel update, and if there is a critical regression or other problem with the update, you can easily fall back to a kernel that is known to work for your system.

In this section, we will look at how to manually select what kernel to boot when the system is started.
Later, we will look at how you can make this selection permanent.

Write a definition for each of these key terms:
1. bootloader
2. GRUB

Comparison: Solaris 10 update 1 (x86) introduced GRUB. It works on Red Hat Enterprise Linux just like it does on Solaris. /boot/grub/menu.lst is a symlink pointing to /boot/grub/grub.conf. /boot must be on a physical partition or a software RAID 1 set. It cannot be a logical volume (LVM) nor on another type of software RAID. A hardware RAID should appear to be a normal disk to Red Hat Enterprise Linux, so you can partition it as normal and use it for the /boot partition. It is only necessary to create a separate /boot partition if the root (/) partition uses LVM, software RAID or other devices that GRUB would not be able to read.

You can use the bootloader to:
+ Boot into an older kernel if a new kernel is incompatible with your hardware due to a regression
+ Boot into single user mode when doing system maintenance or to get control of a machine with an unknown root password

Procedure: To Boot an Alternate Kernel

Comparison: Instead of patching a kernel like Solaris, Red Hat Enterprise Linux has the ability to install several different kernels.

1. Interrupt the GRUB countdown: Esc key
2. Use arrow keys to select alternate kernels.
3. Hit Enter when the kernel you want to boot is highlighted.

References
Red Hat Enterprise Linux Installation Guide
+ Appendix E: The GRUB Boot Loader
Practice Performance Checklist: Booting an Alternate Kernel

Perform all of the following steps on serverX.

[root@serverX ~]# wget http://instructor/pub/gls/errata.repo -O /etc/yum.repos.d/errata.repo

[ ] Install the kernel update that is available. This will take over 3 minutes to install.
[ ] Boot into the new kernel.
[ ] Reboot and choose the old kernel.

Booting into a Different Runlevel

Runlevel Definitions

Write a definition for each of these key terms:
runlevel: ______

In Red Hat Enterprise Linux, what are each of these runlevels typically used for?
runlevel 5 - Multi-user, network services, graphical desktop
runlevel 3 - ______
runlevel 1 - ______

Comparison: Runlevel 1, s or S on Red Hat Enterprise Linux works like it does on Solaris. Runlevel 0 is halt and power off in Red Hat Enterprise Linux; runlevel 6 is reboot. Runlevel 2 on Red Hat Enterprise Linux is similar to Solaris in that it is multi-user and no network services are started, but on Red Hat Enterprise Linux it does not start the graphical environment. The same applies to runlevel 3. Runlevel 5 is where we include the graphical desktop in Red Hat Enterprise Linux. Most systems where the user logs in directly to the console run in runlevel 5. Most systems where users normally log in remotely boot to runlevel 3 by default.

Changing Runlevels
+ Execute init rlnum at the shell prompt, where rlnum is the runlevel number. This will change the runlevel immediately.
+ Pass the runlevel number as an argument to the kernel via GRUB at boot time.

Practice Performance Checklist: Changing the root Password

This timed drill is designed to give you practice changing the root password on a system with an unknown root password. Perform all of the following steps on serverX. Begin by running the lab-setup-bootbreak-4 script. This will change the root password to something unknown and mark the current time.

[ ] Get into the system and reset the root password to redhat.

Important: At the release of Red Hat Enterprise Linux 6, there was an SELinux bug which blocked the passwd command from working in single-user mode. This is fixed by a bug fix update (see http://rhn.redhat.com/errata/RHBA-2010-0845.html). If you have the original selinux-policy package installed, you must run the setenforce 0 command in runlevel 1 before the passwd command for it to work. After changing the password you should run setenforce 1 again to put SELinux back in enforcing mode.

[ ] Once you have reset the password, change the system into runlevel 5 and run the lab-grade-bootbreak-4 script.
[ ] View the feedback from the script to ensure you completed the task correctly. The grading script will display a time; write it down.
[ ] Repeat the process again at least five times. Circle your best time.

Important: Note that while runlevels are numbered, only one runlevel is entered at boot time. (In other words, if the system is booting to runlevel 5 it does not pass through runlevels 1 through 4 first!) A runlevel specifies a particular state the system and its services should be in once it has been completely entered.

References
Red Hat Enterprise Linux Installation Guide
+ Technical Appendix E.8: Changing Runlevels at Boot Time
Changing the Default Runlevel

The runlevel determines which services are started automatically on your Linux system. Most Linux desktop systems are set to boot to runlevel 5 (multi-user, networking, graphical interface). Many server systems boot to runlevel 3 (multi-user, networking, no graphical login), where the system comes up to a text-based interface.

The command who -r will return the runlevel the system is currently using, as will the right-hand number in the output of runlevel.

The default runlevel is read from the /etc/inittab file. For example, the line below would cause the system to boot to runlevel 5 by default.

    id:5:initdefault:

Note

In Red Hat Enterprise Linux 6, the new Upstart boot system is configured to read the default runlevel from /etc/inittab for backward compatibility purposes. None of the other services formerly controlled from that file, including login prompts, can be set up in that file in RHEL 6. Those settings are kept in the /etc/init/ directory instead. For more information see the init(8) and init(5) man pages.

References

Red Hat Enterprise Linux Installation Guide
+ Technical Appendix E.8: Changing Runlevels at Boot Time
Comments in /etc/inittab

Resolve GRUB Issues

The GRand Unified Bootloader (GRUB) provides the bridge in the boot process between the hardware and the Linux kernel. When the system boots, the BIOS starts and normally loads GRUB in stages from the hard drive: from the first 446 bytes of the disk, then from the space between the first sector and the start of the first partition, then from files in /boot. GRUB then reads its configuration file, /boot/grub/grub.conf, which controls what operating systems and kernels are available to boot.

The GRUB Boot Screen

When GRUB starts up, a graphical splash screen is displayed; the boot menu can be accessed by pressing Return, Space or any other key.
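The following is an added example, not part of the Red Hat course text: it reads the initdefault runlevel out of /etc/inittab the way Upstart does on RHEL 6 and rejects the values that leave a server dead on the next boot (0 and 6 halt or reboot endlessly; 1, s and S never bring up networking, so a remote administrator is locked out). The inittab content is constructed for the example; on a real host pass "$(cat /etc/inittab)" instead.

```shell
# Added example (not from the Red Hat course): parse the initdefault line of
# an /etc/inittab and refuse values that make the next boot unusable.
# The inittab content below is constructed for the example.

SAMPLE_INITTAB='# inittab is only used by upstart for the default runlevel.
#   0 - halt (Do NOT set initdefault to this)
#   6 - reboot (Do NOT set initdefault to this)
id:3:initdefault:
'

# default_runlevel: print the runlevel from the last non-comment initdefault line.
# Reads inittab text on stdin; prints an empty line if no initdefault line exists.
default_runlevel() {
    awk -F: '/^[^#]/ && $3 == "initdefault" { rl = $2 } END { print rl }'
}

# check_initdefault: exit 0 if the runlevel in the given inittab text is sane
# for a server; otherwise explain on stderr and exit 1.
check_initdefault() {
    rl=$(printf '%s' "$1" | default_runlevel)
    case "$rl" in
        2|3|4|5) return 0 ;;
        0|6)     echo "initdefault $rl: the system would halt/reboot as soon as it boots" >&2; return 1 ;;
        1|s|S)   echo "initdefault $rl: single-user mode, no networking after boot" >&2; return 1 ;;
        "")      echo "no initdefault line found; init would prompt for a runlevel" >&2; return 1 ;;
        *)       echo "initdefault '$rl' is not a valid runlevel" >&2; return 1 ;;
    esac
}

# Run against the constructed sample.
check_initdefault "$SAMPLE_INITTAB" && echo "default runlevel: $(printf '%s' "$SAMPLE_INITTAB" | default_runlevel)"
```

Only the last initdefault line counts, matching what init does when a file carries more than one; the check therefore runs on the whole file rather than on the first match.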
This screen has a list of menu entries, normally bootable images. You can select between the different images with the up and down arrow keys, and press Return to select a particular entry for booting. If you want to pass arguments to boot images through menu editing mode or access the GRUB command line, and a GRUB password is set, you will need to type p followed by your GRUB password.

Each menu entry which boots Red Hat Enterprise Linux typically has three GRUB directives:

+ root, which indicates the location of the file system containing /boot
+ kernel, which indicates the location of the kernel to boot relative to root and any command line options or arguments to pass to the kernel
+ initrd, which indicates the location of the initial RAM disk image, relative to root

Temporary GRUB Correction

Use e to edit the current configuration: select the menu entry and press e, select the kernel line and press e again, change the kernel arguments (for example, append a runlevel number), press Return, and then press b to boot the edited entry. The change applies to this boot only; grub.conf is not modified. Because anyone at the console can use this to boot into runlevel 1 and obtain a root shell without a password (as in the root password drill above), a GRUB password should be set on production systems.

Important

Typing Esc at this point takes you back to the menu, throwing your changes away.

Making Persistent GRUB Changes

The second stage of GRUB uses /boot/grub/grub.conf, which has a format of global options followed by boot stanzas. Here is a sample grub.conf file:

    [root@demo ~]# cat /boot/grub/grub.conf
    # Note that you do not have to rerun grub after making changes to this file
    # NOTICE:  You have a /boot partition.  This means that
    #          all kernel and initrd paths are relative to /boot/, eg.
    #          root (hd0,0)
    #          kernel /vmlinuz-version ro root=/dev/mapper/vgsrv-root
    #          initrd /initrd-[generic-]version.img
    #boot=/dev/vda
    default=0
    timeout=5
    splashimage=(hd0,0)/grub/splash.xpm.gz
    hiddenmenu
    title Red Hat Enterprise Linux (2.6.32-71.el6.x86_64)
            root (hd0,0)
            kernel /vmlinuz-2.6.32-71.el6.x86_64 ro root=/dev/mapper/vgsrv-root rd_LVM_LV=vgsrv/root rd_LVM_LV=vgsrv/swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
            initrd /initramfs-2.6.32-71.el6.x86_64.img

+ Comment lines begin with a # character
+ default=number - number is the default boot stanza (starting from 0)
+ timeout=number - specifies how long the countdown occurs, in seconds
+ hiddenmenu - hides the menu display until a key is struck
+ rhgb quiet - consider removing these kernel arguments to view more diagnostic information during boot

References

Red Hat Enterprise Linux Installation Guide
+ Technical Appendix E.7: GRUB Menu Configuration File
Red Hat Enterprise Linux Deployment Guide
+ Section 23.6: Verifying the Boot Loader
info grub

Chapter 6. Kernel Maintenance and Tuning

UNIT SIX: KERNEL MAINTENANCE AND TUNING

Introduction

Topics covered in this unit:
+ Kernel Upgrades
+ Supported Architectures

Red Hat Enterprise Linux 6 Support on the Public Cloud

For private in-house cloud computing deployments, standard support applies. Red Hat also certifies running Red Hat Enterprise Linux on the platform of various public cloud computing providers as part of its Cloud Partner Program.
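The root password drill and the GRUB editing procedure above both depend on one fact: whoever can edit the kernel line at the GRUB menu owns the machine. The following added example, which is not part of the Red Hat course, audits a GRUB legacy grub.conf for the points this section covers: which stanza default= selects, whether the kernel lines hide diagnostics with rhgb quiet, and whether a password directive protects menu editing. The grub.conf text is constructed for the example; the password directive and the grub-md5-crypt tool it mentions are standard GRUB legacy features not shown in the course text.

```shell
# Added example (not from the Red Hat course): audit a GRUB legacy grub.conf.
# The grub.conf below is constructed for the example.

SAMPLE_GRUB_CONF='default=1
timeout=5
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-71.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-71.el6.x86_64 ro root=/dev/mapper/vgsrv-root rhgb quiet
        initrd /initramfs-2.6.32-71.el6.x86_64.img
title Red Hat Enterprise Linux (2.6.32-71.14.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-71.14.1.el6.x86_64 ro root=/dev/mapper/vgsrv-root
        initrd /initramfs-2.6.32-71.14.1.el6.x86_64.img
'

# grub_default_title: print the title of the stanza selected by default=
# (stanzas are numbered from 0; GRUB uses 0 when default= is absent).
# grub.conf text on stdin.
grub_default_title() {
    awk '
        /^default=/ { split($0, kv, "="); want = kv[2] }
        /^title /   { if (n + 0 == want + 0) { sub(/^title /, ""); t = $0 }; n++ }
        END { print t }'
}

# grub_has_password: exit 0 only if a global password directive appears before
# the first title; a password inside a stanza does not protect menu editing.
grub_has_password() {
    awk '/^title / { exit 1 } /^password/ { found = 1; exit 0 } END { exit found ? 0 : 1 }'
}

# grub_quiet_stanzas: count kernel lines that carry both rhgb and quiet.
grub_quiet_stanzas() {
    awk '/^[ \t]*kernel / && /rhgb/ && /quiet/ { c++ } END { print c + 0 }'
}

# grub_audit: print a summary; return 1 when menu editing is unprotected.
grub_audit() {
    conf=$1
    echo "default stanza: $(printf '%s' "$conf" | grub_default_title)"
    echo "kernel lines hiding diagnostics (rhgb quiet): $(printf '%s' "$conf" | grub_quiet_stanzas)"
    if printf '%s' "$conf" | grub_has_password; then
        echo "menu editing: password protected"
        return 0
    fi
    echo "menu editing: UNPROTECTED; anyone at the console can append 1 to the kernel line and reset root's password" >&2
    echo "fix: add 'password --md5 <hash from grub-md5-crypt>' above the first title in /boot/grub/grub.conf" >&2
    return 1
}

grub_audit "$SAMPLE_GRUB_CONF" || true
```

Note that a password directive placed inside a stanza only locks that entry; the global directive before the first title is what forces the p keystroke described above.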
At the time of writing, Certified Cloud Providers included:

+ Amazon EC2 (http://www.redhat.com/solutions/cloud/amazon/)
+ IBM (http://www.ibm.com/ibm/cloud/)
+ Savvis (http://www.savvis.com/)

System Limits

Supported system limits depend on the architecture and on the product variant and version implemented. The URL http://www.redhat.com/rhel/compare is updated as new versions are released and new hardware is qualified.

Identifying the Running Kernel

1. cat /etc/redhat-release - installed Red Hat Enterprise Linux release
2. uname -r - kernel version currently running
3. yum list installed kernel\* - installed kernel versions
4. uname -m or arch - processor architecture currently running on

Occasionally, the kernel emits log messages. These messages are logged in the /var/log/messages file, labeled as the kernel service.

References

Red Hat Server and Desktop Version Comparisons
http://www.redhat.com/rhel/compare
Virtualization Support in Red Hat Enterprise Linux
http://www.redhat.com/rhel/server/virtualization_support
Red Hat Hardware Catalog
http://hardware.redhat.com/
Cloud Partner Program
http://www.redhat.com/solutions/cloud/partners/
uname(1) and arch(1) man pages

Upgrading Your Kernel

Demonstration on Upgrading a Kernel

Fill in the blanks below as your instructor discusses the following topics.

1. What (familiar) command performs a kernel update? ________
2. New kernels are ________, not updated. Because every file owned by the kernel package is versioned, or resides in a versioned directory, RPM is willing to have concurrent versions installed.
3. By default, when "updating" a kernel, yum will keep a total of 3 versions installed, automatically removing any older version.
4. In order to use your new kernel, you must ________ your machine.
5. While the machine will automatically reboot to your upgraded kernel, you may still choose an ________ kernel from the GRUB bootloader's menu.
6. If removing a kernel manually, you must specify not only the package name (kernel), but also the ________.

Warning

Do not attempt to run yum remove kernel without further specifying which kernel package to remove from the system! The command will attempt to remove all kernel packages installed on the system as well as all packages which depend on kernel. This will result in a broken and unbootable system.

Tuning Kernel Network Parameters

Kernel parameters provide a mechanism to adjust the functioning of the Linux kernel. Generally speaking, whenever a kernel developer selects an arbitrary constant or implements functionality that may not be generally desired, a sysctl will be made available to adjust it. Commonly useful parameters are documented online, in kernel-doc, or in this and other Red Hat courses.

These parameters can be viewed or set via the /proc/sys/ directory tree or the sysctl command.

Comparison

The sysctl command is similar in function to sysdef, mdb and ndd on Solaris.

Search & Learn: Kernel Tuning

1. Perform the following steps on serverX.
2. Install the kernel-doc RPM if it is not already installed.
3. How would you use sysctl to identify kernel parameters that control ping, or ICMP echo, behavior?
4. Which parameters look promising?
5. What command would you use to identify and/or examine kernel documentation that describes what those parameters are for?
6. How would you use sysctl to adjust kernel parameters to "hide" your system from ping requests?
7. How would you configure sysctl to persistently adjust kernel parameters to survive a reboot?
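The warning above about yum remove kernel deserves a guard rail. The following added example, not part of the Red Hat course, takes the output of rpm -q kernel (the installed kernel packages, versioned as described in the demonstration) and of uname -r (the running kernel), and prints one fully qualified yum remove command per old kernel while refusing to ever name the running kernel or to emit a bare yum remove kernel. The package list and running version are constructed for the example; on a real host pass "$(rpm -q kernel)" and "$(uname -r)".

```shell
# Added example (not from the Red Hat course): choose kernel packages that are
# safe to remove and build fully qualified removal commands.
# Inputs below are constructed for the example.

SAMPLE_INSTALLED='kernel-2.6.32-71.el6.x86_64
kernel-2.6.32-71.14.1.el6.x86_64
kernel-2.6.32-71.18.2.el6.x86_64'
SAMPLE_RUNNING='2.6.32-71.14.1.el6.x86_64'

# removable_kernels: print every installed kernel package except the running one.
# $1 = output of "rpm -q kernel", $2 = output of "uname -r".
removable_kernels() {
    printf '%s\n' "$1" | awk -v running="kernel-$2" '$0 != running && $0 != "" { print }'
}

# refuse_if_running: return 1 (with an explanation) when $1 is the package of
# the running kernel $2; return 0 otherwise.
refuse_if_running() {
    if [ "$1" = "kernel-$2" ]; then
        echo "refusing to remove $1: it is the running kernel (uname -r = $2)" >&2
        return 1
    fi
    return 0
}

# removal_commands: one "yum remove <name>-<version>" line per removable kernel.
# The version is always part of the name, so "yum remove kernel" is never produced.
removal_commands() {
    removable_kernels "$1" "$2" | while IFS= read -r pkg; do
        refuse_if_running "$pkg" "$2" && echo "yum remove $pkg"
    done
}

removal_commands "$SAMPLE_INSTALLED" "$SAMPLE_RUNNING"
```

Reboot into the newest kernel before removing anything: the running kernel is protected here, but the kernel you removed may be the one GRUB still lists as default=0 until grub.conf is regenerated by the package scripts.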
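The Search & Learn above ends with making a sysctl change persistent by appending to /etc/sysctl.conf. Because sysctl -p applies the file top to bottom and the last assignment of a key wins, a file that has been appended to several times can carry settings that contradict each other. The following added example, not part of the Red Hat course, reads a sysctl.conf the same way (comments start with # or ;, key = value, last one wins), reports the effective value of the two ICMP echo parameters discussed here, and flags the combination that turns the host into a broadcast ping amplifier. The file contents are constructed for the example.

```shell
# Added example (not from the Red Hat course): compute the effective values a
# sysctl.conf would apply and describe the resulting ICMP echo posture.
# The sysctl.conf contents below are constructed for the example.

SAMPLE_SYSCTL_CONF='# Kernel sysctl configuration file for Red Hat Enterprise Linux
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
; later override, as produced by echo ... >> /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_all=0
'

# sysctl_conf_get: print the effective value of key $1 from sysctl.conf text on stdin.
# Prints an empty line when the key is not set (the kernel default then applies).
sysctl_conf_get() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, "=", line)        # normalise "k = v" to "k=v"
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                  # last assignment wins
        }
        END { print val }'
}

# icmp_posture: describe how the host answers ping once "sysctl -p" has run.
# Returns 1 if it would answer broadcast pings (usable as a smurf amplifier).
icmp_posture() {
    conf=$1
    all=$(printf '%s' "$conf" | sysctl_conf_get net.ipv4.icmp_echo_ignore_all)
    bcast=$(printf '%s' "$conf" | sysctl_conf_get net.ipv4.icmp_echo_ignore_broadcasts)
    : "${all:=0}" "${bcast:=1}"     # RHEL 6 defaults: answer unicast, ignore broadcast
    if [ "$all" = 1 ]; then
        echo "all ICMP echo requests ignored (host hidden from ping)"
        return 0
    fi
    echo "unicast ping: answered"
    if [ "$bcast" = 1 ]; then
        echo "broadcast ping: ignored"
        return 0
    fi
    echo "broadcast ping: ANSWERED; this host can be used to amplify broadcast ping floods" >&2
    return 1
}

icmp_posture "$SAMPLE_SYSCTL_CONF" || true
```

The same parser answers the "survive a reboot" question directly: whatever it prints for a key is what the host will run with after the next boot, regardless of what sysctl -w set in the meantime.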
References

Red Hat Enterprise Linux Deployment Guide
+ Section 19.3.9.4: /proc/sys/net/
Red Hat Enterprise Linux Deployment Guide
+ Section 19.4: Using the sysctl Command
/usr/share/doc/kernel-doc-*/Documentation/sysctl/
/usr/share/doc/kernel-doc-*/Documentation/networking/ip-sysctl.txt
sysctl(8) man page

Appendix A. Solutions: Kernel Maintenance and Tuning

Demonstration on Upgrading a Kernel

1. What (familiar) command performs a kernel update? yum update
2. New kernels are installed, not updated. Because every file owned by the kernel package is versioned, or resides in a versioned directory, RPM is willing to have concurrent versions installed.
3. By default, when "updating" a kernel, yum will keep a total of 3 versions installed, automatically removing any older version.
4. In order to use your new kernel, you must reboot your machine.
5. While the machine will automatically reboot to your upgraded kernel, you may still choose an older kernel from the GRUB bootloader's menu.
6. If removing a kernel manually, you must specify not only the package name (kernel), but also the version number.

Search & Learn: Kernel Tuning

1. Perform the following steps on serverX.
2. Install the kernel-doc RPM if it is not already installed.

    [root@serverX ~]# yum -y install kernel-doc

3. How would you use sysctl to identify kernel parameters that control ping, or ICMP echo, behavior?

    [root@serverX ~]# sysctl -a | grep icmp

4. Which parameters look promising? net.ipv4.icmp_echo_ignore_all or net.ipv4.icmp_echo_ignore_broadcasts
5. What command would you use to identify and/or examine kernel documentation that describes what those parameters are for?

    [root@serverX ~]# grep "^icmp" /usr/share/doc/kernel-doc-*/Documentation/networking/ip-sysctl.txt

6. How would you use sysctl to adjust kernel parameters to "hide" your system from ping requests?

    [root@serverX ~]# sysctl -w net.ipv4.icmp_echo_ignore_all=1

7. How would you configure sysctl to persistently adjust kernel parameters to survive a reboot?

    [root@serverX ~]# echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf

Practice Performance Checklist: Enable Ping Broadcast

The default configuration for Red Hat Enterprise Linux 6 configures the kernel to ignore ping broadcast requests. You will work with a partner to tune the kernel on serverX to respond to them instead.

[ ] Find a partner to work with. If there is an odd number of students, a group of three will work.

[ ] Send a broadcast ping to the 192.168.0.0/24 network. Note which hosts respond to the ping request.

    [root@serverX ~]# ping -b 192.168.0.255

[ ] Tune serverX so that it will respond to ping broadcasts.

    [root@serverX ~]# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0

[ ] Send another broadcast ping to the 192.168.0.0/24 network. Did your hosts respond?

    [root@serverX ~]# ping -b 192.168.0.255

[ ] Persistently configure your serverX machine to respond to ping broadcasts and reboot.

    [root@serverX ~]# echo "net.ipv4.icmp_echo_ignore_broadcasts = 0" >> /etc/sysctl.conf
    [root@serverX ~]# reboot

[ ] Send another ping broadcast. Did your configuration changes persist across the reboot?

    [root@serverX ~]# ping -b 192.168.0.255

Note that the default value of 1 exists so that a host cannot be used to amplify broadcast ping floods against other machines; outside the classroom, leave it in place.

Case Study: Configure Kernel Settings

Before you begin...

Run the lab-setup-server script on desktopX to prepare serverX for the exercise.

There is an online chat system for fans of Big Buck Bunny.
In order to join the site they have two requirements, listed below.

1. To fulfill the first requirement, you must prove your ability to "disappear" a server. You will do this by modifying the configuration on serverX so that it does not respond to any ping requests. Make this change persistent so that it will still be in effect after a reboot.
2. The second requirement is to update your kernel to the latest version.

When you have fulfilled the requirements, run lab-grade-bunny on desktopX to check your work.

Solution

1. Prepare the exercise:

       [root@desktopX ~]# lab-setup-server

2. Add the following to /etc/sysctl.conf:

       net.ipv4.icmp_echo_ignore_all = 1

3. Enable the setting:

       [root@serverX ~]# sysctl -p

4. Upgrade your kernel and reboot into it:

       [root@serverX ~]# yum update kernel
       [root@serverX ~]# reboot

5. Check your work:

       [root@desktopX ~]# lab-grade-bunny

Chapter 7. Local Storage Management

UNIT SEVEN: LOCAL STORAGE MANAGEMENT

Introduction

Topics covered in this unit:
+ IBM PC storage model
+ Adding file system space

Describe MBR, Primary, Extended, and Logical Partitions

Hard disks and storage devices are normally divided up into smaller chunks called partitions. A partition is a way to compartmentalize a disk, so that different parts of it can be formatted with different file systems or used for different purposes. For example, one partition could contain user home directories while another could contain system data and logs; by placing the data in two separate file systems on two separate partitions, even if a user fills up the home directory partition with data, the system data partition may still have space.

Most Red Hat Enterprise Linux systems on the x86 and x86-64 processor architectures use the MBR partitioning format for their hard disks. This is the same format that is used by most Microsoft Windows systems, and dates back to the IBM PC.

Comparison

The bootblock on Solaris is like the MBR executable code on Red Hat Enterprise Linux.
[Figure: storage device /dev/sda divided into sda1, sda2, sda3 and sda4. Legend: P = Primary partition, E = Extended partition, L = Logical partition.]

The first 446 bytes of the disk contain the first part of the bootloader that starts the system, followed by the partition table, which can describe at most four primary partitions. If more partitions are needed, one of the primary partitions can be converted into an extended partition which, rather than having a file system itself, is divided into multiple logical partitions.

For various reasons, typically you are limited to no more than 15 partitions in total; fourteen are usable for file systems, counting three primaries, the extended, and eleven logical.

Important

Do not confuse logical partitions with logical volumes. Logical volumes will be discussed in the next unit.

Storage devices are represented by device files in /dev. In Red Hat Enterprise Linux 6, the first SCSI, PATA/SATA, or USB hard drive detected is /dev/sda, the second is /dev/sdb, and so on. This name represents the whole drive. The first primary partition on /dev/sda is /dev/sda1, the second partition is /dev/sda2, and so on. Partitions 1 through 4 are the primary partitions; 4 is usually used as the extended partition if one is used; 5 and higher are always logical partitions.

Note

One exception is paravirtualized hard drives in guest virtual machines, which instead show up as /dev/vd?. Also, in earlier versions of Red Hat Enterprise Linux, some PATA and SATA drives may appear as /dev/hd? instead.

References

Red Hat Enterprise Linux Installation Guide
+ Appendix A: An Introduction to Disk Partitions
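The numbering rules above (1 to 4 primary, the extended marked by its Id, 5 and up logical) and the alignment rule in the next section can be checked mechanically from a fdisk -cul listing. The following added example, not part of the Red Hat course, parses such a listing, classifies each partition, reports whether its start sector is a multiple of 2048, and computes how many sectors remain after the last partition (the "last used sector" the next section asks for). The listing is constructed for the example: vda1 and vda2 match the course's serverX disk, while vda3 and vda5 are invented to show an extended and a misaligned logical partition.

```shell
# Added example (not from the Red Hat course): classify partitions and check
# 2048-sector alignment from "fdisk -cul" output. Listing constructed for the
# example; vda3/vda5 are invented.

SAMPLE_FDISK='Disk /dev/vda: 6442 MB, 6442450944 bytes
16 heads, 63 sectors/track, 12483 cylinders, total 12582912 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x500a9b2

   Device Boot      Start         End      Blocks   Id  System
/dev/vda1   *        2048      526335      262144   83  Linux
/dev/vda2          526336     9914367     4694016   8e  Linux LVM
/dev/vda3         9914368    12000255     1042944    5  Extended
/dev/vda5         9914432    12000255     1042912   83  Linux'

# partition_report: one line per partition: "device kind alignment start end".
# Reads fdisk output on stdin. The optional "*" in the Boot column shifts the
# remaining fields by one, so each field is picked relative to it.
partition_report() {
    awk '
        /^\/dev\// {
            boot  = ($2 == "*")
            start = boot ? $3 : $2
            end   = boot ? $4 : $3
            id    = boot ? $6 : $5
            name = $1; sub(/^\/dev\/[a-z]+/, "", name); num = name + 0
            if (id == "5" || id == "f")  kind = "extended"   # Id 5 / f: extended container
            else if (num >= 5)           kind = "logical"    # numbers 5+ are always logical
            else                         kind = "primary"
            print $1, kind, (start % 2048 == 0 ? "aligned" : "misaligned"), start, end
        }'
}

# free_sectors_after_last: sectors between the last used sector and the end of the disk.
free_sectors_after_last() {
    awk '
        /total [0-9]+ sectors/ { for (i = 1; i <= NF; i++) if ($i == "total") total = $(i + 1) }
        /^\/dev\// { e = ($2 == "*") ? $4 : $3; if (e + 0 > last) last = e + 0 }
        END { print total - last - 1 }'
}

printf '%s\n' "$SAMPLE_FDISK" | partition_report
echo "free sectors after last partition: $(printf '%s\n' "$SAMPLE_FDISK" | free_sectors_after_last)"
```

On a live system pipe fdisk -cul /dev/vda into the two functions; a "misaligned" line on a 4 KiB-sector drive is the performance problem the Important note in the next section warns about.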
Simple Partitions and File Systems

Storage is a basic need of every computer system. Red Hat Enterprise Linux includes powerful tools for managing many types of storage devices in a wide range of scenarios.

fdisk is a utility to manage disk partitions. You can view disks and their partitioning by running the utility with the -l option and the name of the disk (fdisk -cul /dev/vda). Changes can be made by running the utility interactively and choosing appropriate menu options (fdisk -cu /dev/vda). -c disables legacy DOS-compatibility mode and -u displays output in sectors (not cylinders, which are obsolete).

Important

Red Hat Enterprise Linux 6 automatically aligns the first partition to start at sector 2048, instead of sector 63 (the "traditional" start of cylinder 1). This is to ensure maximum performance on new 4 KiB sector hard drives as well as legacy 512 byte sector hard drives, and is compatible with the behavior of other recent operating systems that use the MBR partitioning scheme. Partition misalignment can lead to significant performance loss, so be careful adjusting these settings.

For your virtual server, serverX, verify the current storage configuration. Look for information in the output of the following command: fdisk -cul /dev/vda

Primary Disk:
1. Name: /dev/vda
2. Size: 6442 MB
3. Total sectors: 12582912
4. Last used sector: 9914367

    [root@serverX ~]# fdisk -cul /dev/vda
    Disk /dev/vda: 6442 MB, 6442450944 bytes
    16 heads, 63 sectors/track, 12483 cylinders, total 12582912 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x500a9b2

       Device Boot      Start         End      Blocks   Id  System
    /dev/vda1   *        2048      526335      262144   83  Linux
    /dev/vda2          526336     9914367     4694016   8e  Linux LVM

Create a New Partition

    [root@serverX ~]# fdisk -cu /dev/vda
    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 3
    First sector (9914368-12582911, default 9914368): Enter
    Using default value 9914368
    Last sector, +sectors or +size{K,M,G} (9914368-12582911, default 12582911): +1G
    Command (m for help): w
    The partition table has been altered!

    Calling ioctl() to re-read partition table.

    WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
    The kernel still uses the old table. The new table will be used at
    the next reboot or after you run partprobe(8) or kpartx(8)

File System Comparison

+ ext4 is the standard file system for Red Hat Enterprise Linux 6. It is very robust and reliable, and has many features to improve performance for modern workloads.
+ ext2 is an older file system commonly used in Linux; it is simple and reliable, and works well for small storage devices, but is not as efficient as ext4.
+ vfat support covers a family of related file systems (VFAT/FAT16, FAT32) developed for older versions of Microsoft Windows and supported on a wide variety of systems and devices.

Using a New File System

1. mkfs -t filesystem /dev/partition creates the type of file system requested.
2. blkid displays information about the contents of block devices (partitions and logical volumes), including the UUID of the file system.
3. mkdir /mountpoint creates a directory to link the new file system to.
4. Add an entry to /etc/fstab using the UUID obtained from the blkid command:

       UUID=uuid /mountpoint ext4 defaults 1 2

Warning

The /etc/fstab file on Red Hat Enterprise Linux and the /etc/vfstab file on Solaris have a different layout. See fstab(5) for information about the fields in /etc/fstab. The fields are separated by any number of spaces or tabs (spacing is not important in the file).

5. Mount the new file system with mount /mountpoint.

Comparison

The mount and mkfs commands are very similar in Solaris and Red Hat Enterprise Linux.

Warning

When adding new file systems to /etc/fstab, you should use blkid to determine the file system's UUID and mount by UUID. You should not mount file systems on simple partitions by standard device name (such as /dev/sda3). Disk device names may change depending on the devices visible at boot time, which may cause your system to attempt to mount the wrong file system for the wrong purpose, which at worst could lead to data loss. This is especially important when SAN devices (iSCSI, Fibre Channel) are involved, which may be detected by the system in a different order from boot to boot depending on SAN traffic, but it can also matter when removable media such as USB devices may be in use.

Note that Red Hat Enterprise Linux 6 uses UUID instead of LABEL in /etc/fstab to reduce the likelihood of naming collisions.
The installer no longer uses e2label to set labels on Red Hat Enterprise Linux 6 file systems by default.

Example of File System Creation

    [root@serverX ~]# mkfs -t ext4 /dev/vda3
    [root@serverX ~]# blkid /dev/vda3
    /dev/vda3: UUID="811fadb0-2f5b-4de8-8a85-13de7500d300" TYPE="ext4"
    [root@serverX ~]# mkdir /test

Add an entry to /etc/fstab:

    UUID=811fadb0-2f5b-4de8-8a85-13de7500d300 /test ext4 defaults 1 2

Test the mount:

    [root@serverX ~]# mount /test

Practice Quiz: Add a New File System

Fill in the blank with the command that accomplishes the task listed.

1. Identify a disk that has some free space: fdisk -cul /dev/vda
2. Create a new partition on that disk: fdisk -cu /dev/vda
3. Update the kernel partition table: partprobe
4. Create a file system on the partition: mkfs -t ext4 /dev/vda3
5. Determine the UUID of the file system: blkid /dev/vda3
6. Create a mount point: mkdir /mountpoint
7. Add an entry to the file system table file: vim /etc/fstab
8. Mount the file system: mount /mountpoint

Chapter 8. Network Storage Management

UNIT EIGHT: NETWORK STORAGE MANAGEMENT

Introduction

Topics covered in this unit:
+ Access iSCSI storage
+ Managing devices with udev
+ Device Mapper Multipath

Accessing iSCSI Storage

iSCSI (Internet SCSI) supports sending SCSI commands from clients (initiators) over IP to SCSI storage devices (targets) on remote servers. An iSCSI Qualified Name is used to identify initiators and targets and follows the format of: iqn.yyyy-mm.{reverse domain}:label. Network communication by default is cleartext to port 3260/tcp on the iSCSI target, so iSCSI traffic should be confined to a dedicated storage network that untrusted hosts cannot reach.
+ iSCSI initiator: a client that needs access to raw SAN storage
+ iSCSI target: a remote hard disk presented from an iSCSI server, or "target portal"
+ iSCSI target portal: a server that provides targets over the network to an initiator
+ IQN: "iSCSI Qualified Name". Each initiator and target needs a unique name to identify it; best practice is to use one likely to be unique on the Internet.

Warning

If you allow two initiators to log in to the same iSCSI target (remote hard disk) at the same time, it is important not to allow both initiators to mount the same file system from the same target at the same time. Unless a cluster file system such as GFS2 is in use, you risk file system corruption.

To access a new target with an iSCSI initiator:

+ Install the iSCSI initiator software: iscsi-initiator-utils
+ Set the initiator's IQN in /etc/iscsi/initiatorname.iscsi (usually a unique label in a namespace matching a DNS name controlled by the organization; set randomly when iscsi-initiator-utils is installed).
+ Discover iSCSI targets provided by the iSCSI server (target portal):

    [root@serverX ~]# iscsiadm -m discovery -t st -p 192.168.0.254

+ Log in to one or more iSCSI targets on the server:

    [root@serverX ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.serverX -p 192.168.0.254 -l

+ Identify which device is the iSCSI target. Look at the output of dmesg or tail /var/log/messages. Alternately, look at where the iscsi symlinks point with ls -l /dev/disk/by-path/*iscsi*, or check the status of iscsi: service iscsi status.
+ At this point the iSCSI disk can be used as if it were a locally-attached hard drive. Existing file systems can be mounted. If the disk is unformatted it can be partitioned with fdisk, and the partitions formatted with a file system or as an LVM physical volume, for example.

Important

When persistently mounting a file system on an iSCSI target in /etc/fstab:
1. Use blkid to determine the file system UUID and mount using UUID, not the /dev/sd* device name. (The device name can come up differently from boot to boot depending on the order in which iSCSI devices respond over the network. This can cause the wrong device to be used if mounting by device name.)
2. Use _netdev as a mount option in /etc/fstab. (This ensures that the client will not attempt to mount the file system before networking is up. Otherwise the system will have errors at boot.)
3. Ensure the iscsi and iscsid services start at boot time (chkconfig iscsi on and chkconfig iscsid on).

Note

The iscsi service logs into iSCSI targets found in /var/lib/iscsi/nodes which include node.startup = automatic. The iscsid service provides the iSCSI daemon.

To list iSCSI targets:

+ Run service iscsi status. The output provides the IQN of the iSCSI target, the IP address of the iSCSI target and the local device name:

    [root@serverX ~]# service iscsi status
    iSCSI Transport Class version 2.0-870
    version 2.0-872
    Target: iqn.2010-09.com.example:rdisks.serverX
            Current Portal: 192.168.0.254:3260,1
            Persistent Portal: 192.168.0.254:3260,1
                    Iface Name: default
                    Iface Transport: tcp

To discontinue use of an iSCSI target:

+ Make sure none of the devices provided by the target are in use.
+ Make sure all persistent references to use the target are removed from places like /etc/fstab.
+ Log out of the iSCSI target to temporarily disconnect:

    [root@serverX ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.serverX -p 192.168.0.254 -u

Comparison

Solaris 10 uses a tool also named iscsiadm for the iSCSI initiator, as Red Hat Enterprise Linux does.

References

Red Hat Enterprise Linux Storage Administration Guide
+ Chapter 21: Online Storage Management
/usr/share/doc/iscsi-initiator-utils-*/README
Knowledgebase: "Can I put a swap device or file on iSCSI storage?"
https://access.redhat.com/kb/docs/DOC-4135
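The warning in the previous unit (mount by UUID, never by /dev/sd* name) and the Important note above (add _netdev for iSCSI-backed file systems) are the two rules that an /etc/fstab entry for network storage has to satisfy. The following added example, not part of the Red Hat course, builds such an entry from blkid output and decides whether _netdev is needed by checking whether an iscsi symlink in /dev/disk/by-path points at the device, as the section suggests for identifying iSCSI disks. The blkid lines and the by-path listing are constructed for the example; on a real host feed it "$(blkid)" and "$(ls -l /dev/disk/by-path/)".

```shell
# Added example (not from the Red Hat course): derive a UUID-based fstab entry
# and add _netdev when the device is reached over iSCSI.
# Inputs below are constructed for the example.

SAMPLE_BLKID='/dev/vda3: UUID="811fadb0-2f5b-4de8-8a85-13de7500d300" TYPE="ext4"
/dev/sda1: UUID="3c0b1a9e-6f1e-4c2e-9a7b-0d2e5f6a7b8c" TYPE="ext4"'
SAMPLE_BY_PATH='ip-192.168.0.254:3260-iscsi-iqn.2010-09.com.example:rdisks.serverX-lun-1-part1 -> ../../sda1
virtio-pci-0000:00:05.0-part3 -> ../../vda3'

# blkid_field: print the value of field $1 (UUID or TYPE) that blkid ($3) reports for device $2.
blkid_field() {
    printf '%s\n' "$3" | awk -v dev="$2:" -v key="$1=" '
        $1 == dev { for (i = 2; i <= NF; i++) if (index($i, key) == 1) { v = substr($i, length(key) + 1); gsub(/"/, "", v); print v } }'
}

# is_iscsi_device: exit 0 when a by-path symlink ($2) whose name contains "iscsi" points at device $1.
is_iscsi_device() {
    printf '%s\n' "$2" | awk -v target="../../$(basename "$1")" '
        $1 ~ /iscsi/ && $NF == target { found = 1 } END { exit found ? 0 : 1 }'
}

# fstab_entry: print the line to append to /etc/fstab for device $1 at mount point $2,
# given blkid output $3 and the by-path listing $4. Exit 1 if blkid knows no UUID.
fstab_entry() {
    dev=$1; mnt=$2; blk=$3; bypath=$4
    uuid=$(blkid_field UUID "$dev" "$blk")
    fstype=$(blkid_field TYPE "$dev" "$blk")
    if [ -z "$uuid" ]; then
        echo "no UUID for $dev: run blkid after mkfs; do not fall back to the device name" >&2
        return 1
    fi
    if is_iscsi_device "$dev" "$bypath"; then
        opts=_netdev; dump_pass="0 0"   # wait for networking; no boot-time fsck on a network disk
    else
        opts=defaults; dump_pass="1 2"
    fi
    printf 'UUID=%s %s %s %s %s\n' "$uuid" "$mnt" "$fstype" "$opts" "$dump_pass"
}

fstab_entry /dev/vda3 /test "$SAMPLE_BLKID" "$SAMPLE_BY_PATH"
fstab_entry /dev/sda1 /mnt/iscsi "$SAMPLE_BLKID" "$SAMPLE_BY_PATH"
```

Append the printed line to /etc/fstab and verify it with mount -a before rebooting; a missing UUID is reported as an error rather than silently replaced by the device name, because that substitution is exactly the mistake the warning describes.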
Appendix A. Solutions: Network Storage Management

Practice Performance Checklist: Configuring iSCSI

Configure your server to use iSCSI storage existing on instructor.example.com. Perform the following steps on serverX unless directed otherwise.

[ ] Verify that the iscsi-initiator-utils package is installed, and install it if needed.

    [root@serverX ~]# yum install -y iscsi-initiator-utils

[ ] Discover iSCSI targets on the iSCSI server on 192.168.0.254.

    [root@serverX ~]# iscsiadm -m discovery -t st -p 192.168.0.254
    Starting iscsid:                                           [  OK  ]
    192.168.0.254:3260,1 iqn.2010-09.com.example:rdisks.serverX

[ ] Log into the iSCSI target iqn.2010-09.com.example:rdisks.serverX on 192.168.0.254.

    [root@serverX ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.serverX -p 192.168.0.254 -l
    Logging in to [iface: default, target: iqn.2010-09.com.example:rdisks.serverX, portal: 192.168.0.254,3260]
    Login to [iface: default, target: iqn.2010-09.com.example:rdisks.serverX, portal: 192.168.0.254,3260] successful.

[ ] Identify the device file for your new iSCSI disk on your initiator.

    [root@serverX ~]# dmesg | tail
    ... IET      Controller       0001 PQ: 0 ANSI: 5
    ... Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI: 5
    ... [sda] Attached SCSI disk

[ ] Set up a single partition on your new storage device, format the partition as ext4, and configure it to persistently mount on /mnt/iscsi at boot. (Note: Do not forget to use _netdev as a mount option, or to mount by file system UUID and not by standard device name.)

    [root@serverX ~]# fdisk -cu /dev/sda
    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 1
    First sector (2048-65535, default 2048): Enter
    Using default value 2048
    Last sector, +sectors or +size{K,M,G} (2048-65535, default 65535): Enter
    Using default value 65535
    Command (m for help): w
    [root@serverX ~]# mkfs -t ext4 /dev/sda1
    [root@serverX ~]# blkid /dev/sda1
    [root@serverX ~]# mkdir /mnt/iscsi

Add an entry to /etc/fstab, using the UUID reported by blkid:

    UUID=uuid /mnt/iscsi ext4 _netdev 0 0

    [root@serverX ~]# mount -a

[ ] Clean up: remove the line from /etc/fstab, then log out of the iSCSI target and delete its entry.

    [root@serverX ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.serverX -p 192.168.0.254 -u
    [root@serverX ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.serverX -p 192.168.0.254 -o delete

udev

Search & Learn

The class will be divided into groups. Each group will be assigned a topic below. Take notes on your topic to explain to the rest of the class. Take notes on the other sections as the other groups explain their findings.

1. Look through the files in /etc/udev/rules.d/ and find files that include one of the following keywords. Use the udev(7) man page to determine the function of those keywords.
2. Open the udevadm(8) man page and search for the udevadm info section. Determine how to print everything about a device such as /dev/sda.
Device Mapper Multipath

Device mapper multipath is used to configure multiple paths to a single device. This can be done by combining two or more paths to a disk using a Fibre Channel SAN or iSCSI, for example. For this demonstration, the instructor will create multiple paths to the iSCSI target found on instructor.example.com. Normally, you would want to use multiple network cards, but your desktopX and serverX machines may only have one network card. Therefore, the instructor will demonstrate using two different IP addresses on instructor.example.com.

Comparison

Device mapper multipath is similar to Sun StorEdge Traffic Manager Software (SSTMS) on Solaris.

Demonstration of device mapper multipath

1. Discover the iSCSI targets and log in.

    [root@demo ~]# iscsiadm -m discovery -t st -p 192.168.0.254
    [root@demo ~]# iscsiadm -m discovery -t st -p 192.168.1.254
    [root@demo ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.0.254 -l
    [root@demo ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.1.254 -l

2. Partition one of the iSCSI devices and create an ext4 file system on it.

    [root@demo ~]# fdisk -cu /dev/sda
    [root@demo ~]# mkfs.ext4 /dev/sda1

3. Install the device-mapper-multipath package (it may have been installed for you).

4. To configure the multipathd service, start by running the multipath -ll (those are two letter l's) command. It will give you a warning that /etc/multipath.conf does not exist, and that /usr/share/doc/device-mapper-multipath-0.4.9/multipath.conf can be used to configure the service.
Copy the sample file to the correct location.
[root@demo ~]# cp /usr/share/doc/device-mapper-multipath-*/multipath.conf /etc/multipath.conf
5. Start and enable the multipathd service. Verify that it picked up the iSCSI devices.
[root@demo ~]# service multipathd start
[root@demo ~]# chkconfig multipathd on
[root@demo ~]# multipath -ll
mpatha (...) dm-3 IET,VIRTUAL-DISK
size=32M features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=enabled
| `- ... active ready running
`-+- policy='round-robin 0' prio=1 status=active
  `- ... active ready running
6. Find the new device name in /dev/mapper/ and mount the new multipath device.
7. When the instructor takes down one of the IP addresses of the iSCSI target, notice that the directory and file are still available.

References
Red Hat Enterprise Linux DM Multipath
multipath.conf(5), multipath(8) man pages
The /usr/share/doc/device-mapper-multipath-*/multipath.conf* files

Practice Exercise
Device Mapper Multipath with iSCSI
Carefully perform the following steps. Ask your instructor if you have problems or questions.
1. Discover the iSCSI target from 192.168.0.254 and 192.168.1.254.
2. Log in to the two iSCSI targets found above.
3. Partition one of the disks with a single partition. Place a file system on the partition.
4. Configure, start and enable the multipathd service.
5. Mount the new device mapper multipath device on /mnt.
6. Copy a file into the new file system.
7. Let your instructor know when you are complete.
When everyone has completed the previous steps, your instructor will disable one of the IP addresses of the iSCSI target, which will cause one of the iSCSI disks to become faulty. Which iSCSI disk became faulty?

Appendix A. Solutions
Practice Exercise
Device Mapper Multipath with iSCSI
1. Discover the iSCSI target from 192.168.0.254 and 192.168.1.254.
[root@serverX ~]# iscsiadm -m discovery -t st -p 192.168.0.254
[root@serverX ~]# iscsiadm -m discovery -t st -p 192.168.1.254
2. Log in to the two iSCSI targets found above.
[root@serverX ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.serverX -p 192.168.0.254 -l
[root@serverX ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.serverX -p 192.168.1.254 -l
3. Partition one of the disks with a single partition. Place a file system on the partition.
[root@serverX ~]# fdisk -cu /dev/sda
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First sector (2048-65535, default 2048): Enter
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-65535, default 65535): Enter
Using default value 65535
...Output Omitted...
4. Configure, start and enable the multipathd service.
[root@serverX ~]# cp /usr/share/doc/device-mapper-multipath-*/multipath.conf /etc/multipath.conf
[root@serverX ~]# service multipathd start
[root@serverX ~]# chkconfig multipathd on
5. Mount the new device mapper multipath device on /mnt.
6. Copy a file into the new file system.
[root@serverX ~]# cp /etc/hosts /mnt
7. Let your instructor know when you are complete.
When everyone has completed the previous steps, your instructor will disable one of the IP addresses of the iSCSI target, which will cause one of the iSCSI disks to become faulty. Which iSCSI disk became faulty?
Use the multipath command to determine which iSCSI disk is faulty.
It will take about two minutes for the iSCSI disk to time out. If you run the multipath command before the timeout period, it will show active faulty. If you run the multipath command after the timeout period, it will show failed faulty (as below).
[root@serverX ~]# multipath -ll
mpatha (...) dm-3 IET,VIRTUAL-DISK
size=32M features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=0 status=active
| `- ... failed faulty running
`-+- policy='round-robin 0' prio=1 status=enabled
  `- 0:0:0:1 sda 8:0 active ready running

Criterion Test
Case Study
Centralized Storage
Before you begin...
Run lab-setup-centralstore on desktopX to prepare serverX for the exercise.
Cold Storage, an appliances retailer, recently acquired new SAN storage that utilizes the iSCSI protocol. We will begin deployment with your server, which will be configured to access its own dedicated iSCSI target:
+ iSCSI Target IP Address: 192.168.0.254
+ iSCSI Target: iqn.2010-09.com.example:rdisks.serverX
Partition the entire device, format it, and persistently mount it on /coldstorage.
When you are ready to check your work, run lab-grade-centralstore on serverX.
Challenge: Can you create a udev rule that will create a symlink named /dev/iscsi when an iSCSI device is added to the system?
1. Run lab-setup-centralstore on desktopX to prepare serverX for the exercise:
[root@desktopX ~]# lab-setup-centralstore
2. Log in to serverX and become root.
3. Install the necessary packages.
4. Log in to the iSCSI target:
[root@serverX ~]# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.serverX -p 192.168.0.254 -l
5. Partition, format and persistently mount the new device with an ext4 file system:
+ Determine the device name (/dev/sda) of the iSCSI device in the log files
+ Determine the UUID of the partition
+ Create an entry in /etc/fstab
6. When you are ready to check your work, run lab-grade-centralstore on serverX.
7. Challenge: Can you create a udev rule that will create a symlink named /dev/iscsi when an iSCSI device is added to the system?
To devise a udev rule that will create a symlink named /dev/iscsi when an iSCSI device is added to the system, start by creating a file in /etc/udev/rules.d/. The file name must end in .rules. Use udevadm info to find some unique information about the iSCSI disk when it is attached. The ID_VENDOR and ID_MODEL will probably be enough for this device, so the following is an example file named 99-iscsi.rules that includes these two pieces of information:
# 99-iscsi.rules
...Output Omitted...

Chapter 9.
UNIT NINE
LOGICAL VOLUME MANAGEMENT
Introduction
Topics covered in this unit:
+ Review LVM Components
+ Implement LVM Storage
+ Grow a File System

Chapter 9. Logical Volume Management
Recognize the Components of LVM
(Figure: the components of LVM, including Unused Space)

Review LVM Definitions
+ Physical Partitions or Disks are the first building block of LVM. These could be partitions, whole disks, RAID sets or SAN disks.
+ Physical Volumes are the underlying "physical" storage used with LVM. This is typically a block device such as a partition or whole disk. A device must be initialized as an LVM Physical Volume in order to be used with LVM.
+ Volume Groups are storage pools made up of one or more Physical Volumes.
+ Physical Extents are small chunks of data stored on Physical Volumes that act as the back end of LVM storage.
+ Logical Extents map to Physical Extents to make up the front end of LVM storage. By default, each Logical Extent will map to one Physical Extent. Enabling some options will change this mapping. Mirroring, for example, causes each Logical Extent to map to two Physical Extents.
+ Logical Volumes are groups of Logical Extents. A Logical Volume may be used in the same manner as a hard drive partition.

Why Use Logical Volumes?
Logical volumes, and logical volume management, make it easier to manage disk space. If a file system needs more space, it can be allocated to its logical volume from the free space in its volume group and the file system can be resized. If a disk starts to fail, a replacement disk can be registered as a physical volume with the volume group and the logical volume's extents can be migrated to the new disk.

Comparison
LVM is similar to the third-party Veritas Volume Manager on Solaris. Although not covered in this class, you can create read-only and read-write snapshots using LVM tools.

References
Red Hat Enterprise Linux Logical Volume Manager Administration

Chapter 9. Logical Volume Management
Implement LVM Storage with Command-line Tools

Prepare a Physical Volume
1. fdisk is used to create a new partition for use with LVM. Always set the Type to 8e (Linux LVM).
Note
Alternatively, you can use a whole disk, a RAID array, or a SAN disk.
2. pvcreate /dev/vdaN is used to initialize the partition (or other physical device) for use with LVM as a Physical Volume. A header to store LVM configuration data is created directly in the Physical Volume.

Creating a Volume Group
1. vgcreate vgname /dev/vdaN will create a volume group named vgname made up of the physical volume /dev/vdaN. You can specify additional space-delimited physical volumes at the time of creation or add new physical volumes afterward with vgextend.

Create and Use a New Logical Volume
1. lvcreate -n lvname -L 2G vgname creates a new 2 GB logical volume named lvname from the available physical extents on vgname.
Important
Different tools will display the logical volume name using either the traditional name, /dev/vgname/lvname, or the kernel device mapper name, /dev/mapper/vgname-lvname.
2. mkfs -t ext4 /dev/vgname/lvname will create an ext4 file system on the new logical volume.
3. mkdir /data creates the directory needed as a mount point.
4. Add the following entry to /etc/fstab:
/dev/mapper/vgname-lvname /data ext4 defaults 1 2
5. Run mount -a to mount all the file systems in /etc/fstab, including the entry you just added.

Implement LVM Storage with Command-line Tools
Review LVM Status Information
1. pvdisplay /dev/vdaN will display information about the specific physical volume.
2. vgdisplay vgname will display information about the specific volume group.
Example vgdisplay output, with the fields of interest annotated:
  --- Volume group ---
  VG Name               vgname        The name of the Volume Group
  System ID
  Format                lvm2
  Metadata Areas        ...
  Metadata Sequence No  ...
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                ...
  Open LV               ...
  Max PV                0
  Cur PV                ...
  Act PV                ...
  VG Size               ...           The total size of the "physical" storage in the Volume Group
  PE Size               4.00 MiB      Physical Extent size
  Total PE              ...           Total Physical Extents in the Volume Group
  Alloc PE / Size       ...           Total Physical Extents used by Logical Volumes
  Free  PE / Size       ...           Physical Extents available
  VG UUID               ...
3. lvdisplay /dev/vgname/lvname will display information about the specific logical volume.

References
Red Hat Enterprise Linux Logical Volume Manager Administration
lvm(8) man page

Extend a Logical Volume and Ext4 File System
One benefit of logical volumes is the ability to increase their size without experiencing downtime.
Free physical extents in a volume group can be added to a logical volume to "extend" its capacity, which can then be used to extend the file system it contains.

Growing a Logical Volume Basic Steps
1. Verify available space in the volume group
2. Extend the logical volume
3. Extend the file system

Extending the Logical Volume and File System
1. Verify the current size of the mounted file system /data:
# df -h /data
2. Verify that there are sufficient "Physical Extents available" for use:
# vgdisplay vgname
Refer to the sample output in the "Review LVM Status Information" section found earlier in this unit to see how to identify available free physical extents.
3. Extend the logical volume using some or all of the available extents (N is the number of extents to add):
# lvextend -l +N /dev/vgname/lvname
4. Grow the associated file system mounted on /data:
# resize2fs -p /dev/vgname/lvname
The -p option displays progress during the operation.
Note
The file system can remain mounted and be used while resize2fs is being run.

Chapter 9. Logical Volume Management
Important
A common mistake is to run lvextend but forget to run resize2fs.
5. Verify the new size of the mounted file system /data:
# df -h /data

Reducing a File System and Logical Volume
This process is similar to extending, but in reverse: resize2fs, then lvreduce.
Warning
It is essential you have a solid backup before undertaking a reduction in the logical volume, as typographical errors in the command line can cause data loss.
1. While extending a logical volume can be done while the file system is in use, reducing an ext4 file system must be done offline. umount /data to unmount the file system you want to shrink.
2. fsck -f /dev/mapper/vgname-lvname to verify that all file system data structures are clean prior to resizing.
3. resize2fs -p /dev/mapper/vgname-lvname 512M will resize the file system to be 512 MB, presuming that the logical volume is larger than 512 MB.
Note
If you omit the size from the resize2fs command, it defaults to the size of the logical volume, perfect for extending the logical volume like done previously.
4. lvreduce -L 512M /dev/mapper/vgname-lvname will shrink the logical volume to 512 MB.
Warning
lvreduce has no knowledge of your file system data structures and, without warning, will discard elements of your file system if you did not first use resize2fs to make the file system smaller than the intended logical volume size.
5. mount -a will remount all the file systems listed in /etc/fstab, including your now smaller logical volume, assuming it is listed in /etc/fstab.

Extend a Logical Volume and Ext4 File System
Note
Although we mainly focus on the ext4 file system, there are other file systems available for Red Hat Enterprise Linux that can be extended as well, including XFS and GFS2.

References
Red Hat Enterprise Linux Logical Volume Manager Administration
lvm(8) man page

Logical Volume Management
Practice Exercise
Implement LVM and Create a Logical Volume
Before you begin...
Make sure to run lab-setup-lvm from your desktopX system, which will prepare your serverX system for the practice exercise.
All of these steps will be performed on serverX.
1. Create a new partition of 512 MB and prepare it for use with LVM as a Physical Volume.
Important
To have room for creating additional partitions in the future, if needed, be sure to create an Extended partition beforehand.
2. Create a Volume Group called shazam using the Physical Volume from the previous step.
3. Create and format with ext4 a new Logical Volume of 256 MB called /dev/shazam/storage.

Appendix A.
Solutions
[root@serverX ~]# lvcreate -n storage -L 256M shazam
  Logical volume "storage" created
[root@serverX ~]# mkfs -t ext4 /dev/shazam/storage
mke2fs 1.41.12 (17-May-2010)
...Output Omitted...
4. Modify your system such that /dev/shazam/storage is mounted at boot time as /storage.
[root@serverX ~]# mkdir /storage
Add the following line to the bottom of /etc/fstab on serverX:
/dev/shazam/storage /storage ext4 defaults 1 2

Growing a Logical Volume Basic Steps
1. Verify available space in the volume group
2. Extend the logical volume
3. Extend the file system

Practice Exercise
Extend a Logical Volume
All of these steps will be performed on serverX.
1. Determine the amount of free space in Volume Group shazam.
[root@serverX ~]# vgdisplay shazam
  --- Volume group ---
  VG Name               shazam
  System ID
  Format                lvm2
  ...Output Omitted...
  Alloc PE / Size       64 / 256.00 MiB
  Free  PE / Size       63 / 252.00 MiB
  VG UUID               ...
2. Extend the logical volume /dev/shazam/storage with half the available extents in the volume group using command-line tools.
[root@serverX ~]# lvextend -l +32 /dev/shazam/storage
  Extending logical volume storage to 384.00 MiB
  Logical volume storage successfully resized

Criterion Test
3. Extend the file system mounted on /storage using command-line tools.
[root@serverX ~]# resize2fs /dev/shazam/storage
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/shazam/storage is mounted on /storage; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 2
Performing an on-line resize of /dev/shazam/storage to 393216 (1k) blocks.
The filesystem on /dev/shazam/storage is now 393216 blocks long.

Test
Criterion Test
Case Study
Manage Logical Volumes
Before you begin...
Run lab-setup-server on desktopX to prepare serverX for the exercise.
Perform the following steps on serverX unless directed otherwise.
You have just been assigned to administer a freshly installed server - serverX.
Management would like some adjustments made to the disk allocation according to the following specifications:
+ The /home file system is too small and should be expanded to take 500 MB total space.
+ Connect to the iSCSI targets on 192.168.0.254 and 192.168.1.254. Remove the current partitions on the iSCSI disks if they have any. Partition the disks with a single partition consuming the entire disk. Configure, start and enable the multipathd service. Use the multipath device to create a volume group called extra. Create a logical volume called iso that contains an ext4 file system that is mounted on /iso. Make these changes persistent, as you will reboot your machine before checking your work.
When you have completed the tasks, reboot serverX and run the lab-grade-lvm-3 grading script on serverX.
1. Run lab-setup-server on desktopX to prepare serverX for the exercise.
[root@desktopX ~]# lab-setup-server
2. To resize the /home file system on serverX, start by enlarging the logical volume, then grow the file system to match:
[root@serverX ~]# lvextend -L 500M /dev/vgsrv/home
[root@serverX ~]# resize2fs /dev/vgsrv/home
[root@serverX ~]# df -h /home
Filesystem            Size  Used Avail Use% Mounted on
...Output Omitted...

Appendix A. Solutions
3. Connect to the iSCSI targets on 192.168.0.254 and 192.168.1.254. Partition the disks with a single partition consuming the entire disk.
...Output Omitted...
4. Configure, start and enable the multipathd service.
[root@serverX ~]# cp /usr/share/doc/device-mapper-multipath-*/multipath.conf /etc/multipath.conf
...Output Omitted...
5. Use the multipath device to create a volume group called extra. Create a logical volume called iso that contains an ext4 file system that is mounted on /iso. Make these changes persistent, as you will reboot your machine before checking your work.

Chapter 10.
UNIT TEN
SYSTEM MONITORING
Introduction
Topics covered in this unit:
+ Deploy cron jobs
+ System Activity Reporter (sar)
+ Manage Logs

Chapter 10. System Monitoring
Deploying cron Jobs
Creating cron jobs is an easy and powerful way to set up recurring tasks in Linux. Many Linux services rely on cron to gather data or clean up temporary files on an on-going basis. As a system administrator or user, you can create your own cron jobs to do system backups, run reports, or monitor your system.
The cron facility should already be up and running in most Red Hat Enterprise Linux installations. If it is not, here is what you do:
+ Install the cronie package: The cronie package replaced the older vixie-cron package in Red Hat Enterprise Linux 6.
+ Start the crond service: Most likely, the crond service was set up to start at boot time. Type chkconfig --list crond (to see if it was set to run) and service crond status (to make sure the crond daemon is running now).
Once the cron facility is running, here are some ways you can use it:
+ Create a cron job: A crontab file consists of five fields (designating date and time) followed by the command you want to run. By default, any user can create a personal crontab file using the crontab -e command. The root user can also place files in crontab format in the /etc/cron.d directory.
+ Add hourly, daily, weekly or monthly cron jobs: Instead of creating a file in crontab format, simply place a shell script or other executable in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, or /etc/cron.monthly directory. The script you added will run once an hour, day, week, or month, respectively, based on the settings in the /etc/anacrontab file.
As an administrator, you can restrict who can create cron jobs. By default, any user can create a cron job. To keep users from creating cron jobs, add their user names to the /etc/cron.deny file. By creating a /etc/cron.
allow file, only those users who are listed in that file are allowed to create cron jobs.

Comparison
As a Solaris administrator, you will find the format of crontab files and the behavior of the crond daemon familiar.

Scheduling cron jobs
Run crontab -e. This opens the user's personal crontab file in the vi editor. The following text illustrates the six fields in a crontab entry, along with descriptions of what you can put in those fields.
  minute  hour  day-of-month  month  day-of-week  command
1. Minute. Valid values are 0-59.
2. Hour. Valid values are 0-23. 20 means 8 PM.
3. Day of month. Valid values are 1-31.
4. Month. Valid values are 1-12 or the first three letters of the name (e.g. Jan).
5. Day of week. Valid values are 0-7 (0 or 7 is Sunday) or the first three letters of the name (e.g. Sun).
6. Command. Add the command as you would type it on the command line. Use the semi-colon (;) to separate multiple commands to run at the same time. Add a separate line to run a command at a different time.
In the first five crontab file fields, you can match all date/time designations, multiple entries, ranges or skips. An asterisk (*) in a field matches every value. Add a comma-separated list of values or ranges. For example, 1,3,12-14 in the first field causes a job to run at 1, 3, 12, 13, and 14 minutes after the hour. With */15 in the first field, the job runs at the top of the hour, then 15, 30, and 45 minutes after the hour. Type man 5 crontab for further descriptions of the crontab file format.
The sixth field contains the command to run. If there is output from the command (that isn't directed to a file or piped to another command), that output is emailed to the user who created the cron job.
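As an added example (not from the course text), the following Python evaluator implements the five date/time field rules just described, so a schedule can be checked against a given minute before it is installed; it also applies cron's rule that a job runs when either day field matches if both are restricted.

```python
"""Added example, not part of the RH290 course text: a small evaluator for the
five date/time fields of a crontab entry, implementing the rules described
above: '*' matches every value, comma-separated lists, ranges (a-b), skips
(*/n or a-b/n), three-letter month and weekday names, and 0 or 7 for Sunday.
As in cron, when both day-of-month and day-of-week are restricted, a job runs
when either one matches. The sixth (command) field is not interpreted."""

from datetime import datetime, timedelta

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
DAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]

# (minimum, maximum, name table or None) for each of the five fields
FIELD_SPECS = [
    (0, 59, None),    # minute
    (0, 23, None),    # hour
    (1, 31, None),    # day of month
    (1, 12, MONTHS),  # month
    (0, 7, DAYS),     # day of week (0 or 7 is Sunday)
]


def _value(token, names, low):
    """Translate one field value to an int, accepting three-letter names."""
    if names is not None and token[:3].lower() in names:
        return names.index(token[:3].lower()) + low
    return int(token)


def parse_field(field, low, high, names=None):
    """Expand one crontab field into the set of integer values it matches."""
    values = set()
    for item in field.split(","):
        step = 1
        if "/" in item:                       # skip syntax: */15 or 9-16/2
            item, step_text = item.split("/", 1)
            step = int(step_text)
        if item == "*":
            start, end = low, high
        elif "-" in item:                     # range: 12-14 or mon-fri
            a, b = item.split("-", 1)
            start, end = _value(a, names, low), _value(b, names, low)
        else:                                 # single value
            start = end = _value(item, names, low)
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError("bad value in crontab field %r" % field)
        values.update(range(start, end + 1, step))
    if names is DAYS and 7 in values:         # normalise Sunday: 7 -> 0
        values.discard(7)
        values.add(0)
    return values


def parse_entry(entry):
    """Return the raw five date/time fields of a crontab line and their expansions."""
    fields = entry.split()
    if len(fields) < 5:
        raise ValueError("expected five date/time fields")
    expanded = [parse_field(f, low, high, names)
                for f, (low, high, names) in zip(fields[:5], FIELD_SPECS)]
    return fields[:5], expanded


def _fires(raw, expanded, when):
    minute, hour, dom, month, dow = expanded
    if when.minute not in minute or when.hour not in hour or when.month not in month:
        return False
    cron_dow = (when.weekday() + 1) % 7       # Python Monday=0; cron Sunday=0
    dom_ok, dow_ok = when.day in dom, cron_dow in dow
    # A day field beginning with '*' is unrestricted; when both day fields
    # are restricted, cron runs the job if either of them matches.
    if not raw[2].startswith("*") and not raw[4].startswith("*"):
        return dom_ok or dow_ok
    return dom_ok and dow_ok


def matches(entry, when):
    """True if the entry fires in the minute given by 'when' (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    raw, expanded = parse_entry(entry)
    return _fires(raw, expanded, when)


def next_run(entry, start):
    """First minute at or after 'start' in which the entry fires, searched
    minute by minute for up to one year; None if it never fires."""
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    raw, expanded = parse_entry(entry)
    when = start.replace(second=0, microsecond=0)
    for _ in range(366 * 24 * 60):
        if _fires(raw, expanded, when):
            return when
        when += timedelta(minutes=1)
    return None
```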
To email the output to someone else, you could pipe output to the mail command (for example, ls | mail -s "ls output from cron" someuser@example.com) or add a MAILTO line to your crontab file: MAILTO=someuser@example.com
Add as many entries as you like to a crontab file. After you save the file, the cron jobs you entered are immediately active (no need to restart the crond service). The following table shows examples of cron table entries.
5 * * * *              Every hour at 5 minutes past the hour
5 2 * * *              Every day at 2:05 AM
30 HH 1 * *            HH:30 PM on the first of every month (the hour is not legible in the scan)
00 07 25 12 *          December 25th at 7:00 AM
30 16 * * 5            Every Friday at 4:30 PM
*/5 * * * *            Every 5 minutes (0,5,10,...,50,55)
*/10 9-16 1,15 * *     Every 10 minutes between 9 AM and 5 PM (it will not run at 5 PM; the last instance will run at 4:50 PM) on the first and fifteenth of the month
0 0 1 Jan Sun          January 1st at midnight and every Sunday in January (not just January 1 if it is on a Sunday)

Chapter 10. System Monitoring
Practice Quiz
cronie Scheduling
1. When will the following jobs run?
00 07 25 12 *   /usr/local/bin/open_presents
*/5 * * * *     /usr/local/bin/take_stats
07 03 * * *     /sbin/service xend restart
30 16 * * 5     /usr/local/bin/mail_checks
2. Devise a cron entry which would run the script /usr/local/bin/vacuum_db once a month on the first day of the month.
3. What if the machine in the previous question was down for maintenance on February first? What would be a better way to ensure the database doesn't operate 2 (or more) months between vacuuming?

Deploying sar
The System Activity Reporter (sar) facility can be used to gather and report statistics on your Linux system. With sar, you can either watch statistics on system activities live or display system activity data from stored log files.
Using options to the sar command, you can display statistics related to I/O and transfer rates, block device activity, power management, network interfaces, processor activity, memory usage, and various kernel tables. Statistics can be gathered at set intervals (such as every 10 seconds) and either displayed continuously or for a set number of times.
The sar command is contained in the sysstat package. Deploying sar can be as simple as just installing the sysstat package. Once installed, that package is automatically configured to gather statistics every 10 minutes and save them to log files. This allows you to look back at system activities over the past several days.
To get a feel for how sar works, here are examples of several sar command lines. The sar -b 3 5 command shows input/output and transfer rate statistics taken 5 times every 3 seconds. The output includes read and write transfers (rtps and wtps), total transfers (tps) and blocks read and written (bread/s and bwrtn/s).
[root@serverX ~]# sar -b 3 5
Linux 2.6.32-71.14.1.el6.x86_64 (host1)   ...   _x86_64_   (4 CPU)
HH:MM:SS AM       tps      rtps      wtps   bread/s   bwrtn/s
...Output Omitted...
Using sar -r you can watch how memory usage changes over set intervals. The following command displays free and used memory in kilobytes (kbmemfree and kbmemused), the percentage of used memory (%memused), the amount of memory used for kernel buffers and cache data (kbbuffers and kbcached), and the amount and percentage of memory needed for the current workload (kbcommit and %commit).
[root@serverX ~]# sar -r <interval> <count>
Linux 2.6.32-71.14.1.el6.x86_64 (host1)   ...   _x86_64_   (4 CPU)
08:52:01 AM kbmemfree kbmemused  %memused kbbuffers  kbcached  kbcommit   %commit
...Output Omitted...
Average:    ...
Instead of displaying data live, sar can also output data saved previously in log files by the sadc command. When the sysstat package is installed, the sadc command is run every 10 minutes from a cron job using the sa1 script. Here is an example of how to display NFS-related data from a saved daily file (DD is the day of the month):
[root@serverX ~]# sar -n NFS -f /var/log/sa/saDD
Linux 2.6.32-71.14.1.el6.x86_64 (host1)   ...   _x86_64_   (4 CPU)

Chapter 10. System Monitoring
12:00:01 AM  call/s retrans/s  read/s write/s access/s getatt/s
...Output Omitted...

Configuring sar Search & Learn
Log in as the root user on serverX and make sure that the System Activity Reporter (sar) feature is installed on your system. Determine what the sar facility is set up to do and then generate a few useful sar reports.
1. What package does the sar command come in?
2. Run a few commands to find out if the sar command is installed on serverX. If the package is not installed, install it.
3. Determine how the sar facility is configured to run. Hint: Look for configuration files in the package that contains the sar command.
4. From the sar man page, look in the EXAMPLES section for sar commands to:
+ report current CPU utilization
+ show memory and network statistics from a saved daily data file.

Determine Log Destinations
Many programs use a standard protocol to send messages to rsyslogd.
Each message is described by a facility (the type of message it is) and a severity (how important it is). The names of available facilities and levels of severity are standardized. The /etc/rsyslog.conf file uses the facility and severity of a log message to determine where it should be sent (to a log file, for example). The rsyslog.conf file is documented by the rsyslog.conf(5) man page and by extensive HTML documentation in /usr/share/doc/rsyslog-*/manual.html.
The #### RULES #### section of /etc/rsyslog.conf contains directives that define where log messages are saved. The left-hand side of each line indicates the facility and severity of the log message the directive matches. The right-hand side of each line indicates what file to save the log message in. Note that log messages are normally saved in files in the /var/log directory.

Sample rsyslog.conf file
#### MODULES ####

$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so     # provides --MARK-- message capability

# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#### RULES ####

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

Chapter 10. System Monitoring
# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

Default Log Files
Fill in the name of the log file as you review the contents of /etc/rsyslog.
conf on serverX.
1. All authentication-related messages go to
2. Anything e-mail related goes to
3. Messages related to cron go to
4. All other messages sent at info priority or higher are saved in

Rotating Logs
+ Logs are "rotated" to keep them from filling up the file system containing /var/log/.
+ When a log file is rotated, it is renamed with an extension indicating the date on which it was rotated: the old /var/log/messages file may become /var/log/messages-20101030 if it is rotated on October 30, 2010.
+ Once the old log file is rotated, a new log file is created and the service that writes to it is notified.
+ After a certain number of rotations (typically after four weeks), the old log file is discarded to conserve disk space.
+ A cron job runs the logrotate program daily to see if any logs need to be rotated.
+ Most log files are rotated weekly, but logrotate rotates some faster, or slower, or when they reach a certain size.

Appendix A. Solutions
... output to a plain text file named /var/log/sa/sar??, where ?? is replaced by a number representing the current day.
From the sar man page, look in the EXAMPLES section for sar commands to:
+ report current CPU utilization
+ show memory and network statistics from a saved daily data file.
Under the EXAMPLES heading, run the following commands:
[root@serverX ~]# sar -u 2 5
Linux 2.6.32-71.24.1.el6.x86_64 (host1)   ...   _x86_64_   (4 CPU)
HH:MM:SS PM     CPU     %user     %nice   %system   %iowait    %steal     %idle
...Output Omitted...
[root@serverX ~]# sar -r -n DEV -f /var/log/sa/sa16
Linux 2.6.32-71.14.1.el6.x86_64 (host1)   ...   _x86_64_   (4 CPU)
12:00:01 AM kbmemfree kbmemused  %memused kbbuffers  kbcached  kbcommit   %commit
If sa10 is not available, use another file name with a number representing a recent date (from 01 through 31).

Default Log Files

Fill in the name of the log file as you review the contents of /etc/rsyslog.conf on serverX.

1. All authentication-related messages go to /var/log/secure
2. Anything e-mail related goes to /var/log/maillog
3. Messages related to cron go to /var/log/cron
4. All other messages sent at info priority or higher are saved in /var/log/messages

Review rsyslog

Answer the following questions:

Which two fields are used to match log events?
Facility and Priority

What is the effect of a wildcard in the first field?

UNIT ELEVEN
LINUX SECURITY

Introduction

+ Review basic SELinux concepts
+ Displaying and setting SELinux modes
+ Displaying and setting SELinux file contexts
+ Monitoring SELinux policy violations

Chapter 11. Linux Security

Packet Filtering

There are many reasons that you may want to configure a local firewall on a server. A firewall may be a requirement at your datacenter, or perhaps you want to protect your system from other systems on your network. The same iptables command used to configure a firewall is also used to configure masquerading and NAT.

The following is a list of key concepts you will need to know in order to set up a firewall. Pay attention as the class discusses each one and take notes in your books, because you will have to use all of these keywords when creating your firewall in lab.

iptables Basics

+ RULE - criteria determining which packets to match and a target, or action, determining what to do with those packets.
+ CHAIN - a list of rules which will be checked in order; the first match takes effect.
+ POLICY - the default action, ACCEPT or DROP, taken if no rule matches in a chain.
+ TABLES - sets of chains used for a particular purpose: filter for packet filtering, nat to modify the destination or apparent source of a packet.

Packet Filtering

Built-in Chains (filter table)

+ INPUT - packets addressed to the firewall
+ OUTPUT - packets originating from a service on the firewall (not forwarded)
+ FORWARD - packets originating from another machine, that are not addressed to the firewall but are being forwarded (routed) elsewhere (when net.ipv4.ip_forward=1)

Targets (Actions to take when packets match rules)

+ ACCEPT - the packet passes the chain
+ DROP - the packet is dropped as if it was never seen
+ REJECT - the packet is rejected, and the firewall sends an error message (an ICMP port unreachable message by default)
+ LOG - information about the packet is logged to syslog; we go on to the next rule in the chain

iptables Command

You may have used system-config-firewall, a graphical tool in Red Hat Enterprise Linux 6, to configure simple firewalls. Creating and managing more advanced configurations can be accomplished with the command line tool, iptables. iptables is used to set or view rules in kernel memory.

iptables Options

    Option                    Effect
    -vnL --line-numbers       lists all rules, fully, in numeric mode
    -A CHAIN -j               adds a rule to the end of CHAIN
    -I CHAIN # -j             inserts a rule as rule # in CHAIN; if no #, then as the first rule
    -D CHAIN #                deletes rule # from CHAIN
    -F CHAIN                  deletes all rules from CHAIN

Table 11-1. iptables Example Syntax

An iptables rule includes matching criteria that can be compared to header information found in the packet.

    Rule (matching criteria)      Syntax
    Source IP or network          -s 192.0.2.0/24
    Destination IP or network     -d 10.0.0.1
    UDP/TCP and ports             -p udp --sport 68 --dport 67
    ICMP and types                -p icmp --icmp-type echo-reply
    Inbound network interface     -i eth0
    Outbound network interface    -o eth0
    Connection tracking           -m state --state ESTABLISHED,RELATED

Table 11-2. iptables Matching Criteria

Connection tracking stores information about previously seen communications to make matching decisions. After a connection is allowed, information is placed in a connection tracking table until a timeout occurs, the connection closes, or we see more matching traffic (which resets the timer). While this takes additional kernel memory, the benefit is simpler rule design.

    State          Description
    NEW            packet starts a new communication, adds a rule to the connection tracking table
    ESTABLISHED    any packet that matches a rule in the connection tracking table
    RELATED        traffic "related" in some way to ESTABLISHED traffic; protocols like FTP
    INVALID        packet cannot be identified; normally these should be rejected or dropped

Table 11-3. Connection Tracking States

To help RELATED rules work, you may need to enable helper modules in /etc/sysconfig/iptables-config.

Important

Running the iptables command changes the netfilter kernel module rules in memory, but they will NOT persist across a reboot. Running service iptables save will take the current rules in memory and write them to /etc/sysconfig/iptables, which is read during startup. Alternatively, some administrators directly edit (or copy) the /etc/sysconfig/iptables file, then run service iptables restart to activate it.
References

Red Hat Enterprise Linux Security Guide
+ Section 2.5: Firewalls

Red Hat Enterprise Linux Security Guide
+ Section 2.6: IPTables

iptables(8) man page

Netfilter home page
http://www.netfilter.org/

Targets (Actions to take when packets match rules)

+ ACCEPT - the packet passes the chain
+ DROP - the packet is dropped as if it was never seen
+ REJECT - the packet is rejected, and the firewall sends an error message (an ICMP port unreachable message by default)
+ LOG - information about the packet is logged to syslog; we go on to the next rule in the chain

Practice Exercise

Implement a Firewall

In this exercise you will implement a firewall on serverX that rejects all packets, except that it will allow ICMP traffic for example.com and allow SSH for everyone.

1. Log into serverX as root using virt-viewer or virt-manager.
2. Create a simple deny all (except loopback) firewall by creating /root/bin/reset_fw.sh that:
   1. sets the INPUT chain's default policy to DROP,
   2. flushes all rules in the filter table, and
   3. will ACCEPT all packets from the loopback interface

    [root@serverX ~]# cat /root/bin/reset_fw.sh
    #!/bin/bash
    # Set INPUT chain default policy to DROP
    iptables -P INPUT DROP
    # Flushes all rules in the filter table
    iptables -F
    # Will ACCEPT all packets from loopback interface
    iptables -A INPUT -i lo -j ACCEPT
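The practice-exercise firewall written out as a complete rule set in the format that service iptables save writes to /etc/sysconfig/iptables. This is an added example and not the course's own solution: it assumes 192.0.2.0/24 (the documentation network used in Table 11-2) stands in for the example.com network of the exercise, keeps the exercise's DROP policy and loopback rule, adds the ESTABLISHED,RELATED connection-tracking rule from Table 11-3, and ends with an explicit REJECT so senders receive the ICMP port unreachable error described under Targets. The function names build_fw_rules, lint_fw_rules and broken_fw_rules are ours; the lint checks the ordering mistakes that quietly break such a rule set, since a chain is walked top to bottom and the first match wins.

```shell
#!/bin/sh
# Added example, not course material: the practice-exercise firewall as a
# complete ruleset in iptables-save format (what 'service iptables save'
# writes to /etc/sysconfig/iptables), plus a lint for ordering mistakes.
# Function names (build_fw_rules, lint_fw_rules, broken_fw_rules) are ours.

# Assumption: 192.0.2.0/24, the documentation network from Table 11-2,
# stands in for the example.com network named in the exercise.
EXAMPLE_NET=${EXAMPLE_NET:-192.0.2.0/24}

# build_fw_rules [NET] -> ruleset on stdout. Order matters: the loopback and
# connection-tracking ACCEPTs must come before the catch-all REJECT.
build_fw_rules() {
  net=${1:-$EXAMPLE_NET}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -s $net -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# lint_fw_rules < ruleset -> 0 if sane, 1 (with a message on stderr) otherwise.
# Checks: INPUT policy is DROP; a loopback ACCEPT and an ESTABLISHED,RELATED
# ACCEPT exist; both precede the first catch-all REJECT/DROP on INPUT.
lint_fw_rules() {
  n=0; lo_at=0; est_at=0; catch_at=0; policy=''
  while IFS= read -r line; do
    n=$((n + 1))
    case "$line" in
      ':INPUT '*)
        policy=${line#:INPUT }; policy=${policy%% *} ;;
      '-A INPUT -i lo -j ACCEPT')
        if [ "$lo_at" -eq 0 ]; then lo_at=$n; fi ;;
      *'--state ESTABLISHED,RELATED -j ACCEPT'*)
        if [ "$est_at" -eq 0 ]; then est_at=$n; fi ;;
      '-A INPUT -j REJECT'*|'-A INPUT -j DROP'*)
        if [ "$catch_at" -eq 0 ]; then catch_at=$n; fi ;;
    esac
  done
  if [ "$policy" != DROP ]; then
    echo "lint: INPUT policy is '$policy', expected DROP" >&2; return 1; fi
  if [ "$lo_at" -eq 0 ]; then echo "lint: no loopback ACCEPT rule" >&2; return 1; fi
  if [ "$est_at" -eq 0 ]; then echo "lint: no ESTABLISHED,RELATED ACCEPT rule" >&2; return 1; fi
  if [ "$catch_at" -ne 0 ] && [ "$lo_at" -gt "$catch_at" ]; then
    echo "lint: loopback ACCEPT (line $lo_at) comes after the catch-all (line $catch_at)" >&2; return 1; fi
  if [ "$catch_at" -ne 0 ] && [ "$est_at" -gt "$catch_at" ]; then
    echo "lint: ESTABLISHED,RELATED ACCEPT (line $est_at) comes after the catch-all (line $catch_at)" >&2; return 1; fi
  return 0
}

# A constructed bad ordering: the catch-all REJECT sits above the connection
# tracking rule, so replies to the host's own outbound connections are rejected.
broken_fw_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: print the ruleset and lint both variants.
# To activate on serverX (as root): build_fw_rules > /etc/sysconfig/iptables
# followed by 'service iptables restart'.
build_fw_rules
build_fw_rules | lint_fw_rules && echo "ruleset: ok"
broken_fw_rules | lint_fw_rules || echo "broken ruleset: rejected by lint"
```

The INVALID drop and the NEW match on the SSH rule are optional refinements beyond the exercise text; the point of the lint is that moving the catch-all REJECT above the ESTABLISHED,RELATED rule (the broken variant) still loads without error, which is why such mistakes are easier to catch in the saved file than on the running host.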
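Going back to the RULES section of /etc/rsyslog.conf and the "Default Log Files" exercise in Chapter 10: the following is an added example, not course material, that evaluates a message's facility and severity against a constructed copy of the RHEL 6 default rules and prints every action the message would reach. It applies the legacy (sysklogd-style) selector semantics that the RULES section uses: entries of a ';' list are applied left to right, the last entry naming the message's facility decides, and ".none" removes that facility, which is how *.info;mail.none;authpriv.none;cron.none keeps mail, authpriv and cron out of /var/log/messages. The function names sev_rank and rsyslog_targets are ours; the '=' and '!' priority modifiers and rsyslog's RainerScript syntax are not handled.

```shell
#!/bin/sh
# Added example, not course material: route a (facility, severity) pair
# through a constructed copy of the RHEL 6 default RULES section of
# /etc/rsyslog.conf. Function names (sev_rank, rsyslog_targets) are ours.

RSYSLOG_RULES='*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log'

# sev_rank KEYWORD -> numeric severity as in syslog(3): 0 = emerg ... 7 = debug.
# A selector "facility.SEV" matches messages whose rank is <= rank(SEV).
sev_rank() {
  case "$1" in
    emerg|panic)  echo 0 ;;
    alert)        echo 1 ;;
    crit)         echo 2 ;;
    err|error)    echo 3 ;;
    warning|warn) echo 4 ;;
    notice)       echo 5 ;;
    info)         echo 6 ;;
    debug)        echo 7 ;;
    *) echo "sev_rank: unknown severity '$1'" >&2; return 1 ;;
  esac
}

# rsyslog_targets FACILITY SEVERITY -> one matching action per line
# ("-" prefix = file written without sync, "*" = message to all logged-in users).
# Legacy selector semantics: entries of a ';' list are applied left to right,
# the last entry naming the message's facility decides, ".none" excludes it.
# Not handled: the '=' and '!' priority modifiers and RainerScript rules.
rsyslog_targets() {
  fac=$1
  msg_rank=$(sev_rank "$2") || return 1
  set -f                # selectors contain '*': keep the shell from globbing them
  printf '%s\n' "$RSYSLOG_RULES" | while read -r selector action; do
    [ -n "$selector" ] || continue
    matched=0
    saved_ifs=$IFS
    IFS=';'
    for sel in $selector; do
      fsel=${sel%.*}    # facility list, e.g. "uucp,news" or "*"
      ssel=${sel##*.}   # severity keyword, "*" or "none"
      IFS=','
      for f in $fsel; do
        if [ "$f" = '*' ] || [ "$f" = "$fac" ]; then
          if   [ "$ssel" = none ]; then matched=0
          elif [ "$ssel" = '*' ]; then matched=1
          elif [ "$msg_rank" -le "$(sev_rank "$ssel")" ]; then matched=1
          else matched=0
          fi
        fi
      done
    done
    IFS=$saved_ifs
    if [ "$matched" -eq 1 ]; then printf '%s\n' "$action"; fi
  done
  set +f
}

# Stand-alone run: the four "Default Log Files" answers, derived from the rules.
for probe in 'authpriv info' 'mail info' 'cron info' 'daemon info'; do
  set -- $probe
  printf '%-8s %-5s -> %s\n' "$1" "$2" "$(rsyslog_targets "$1" "$2" | paste -sd, -)"
done
```

Messages with more than one destination, such as a kern.emerg that lands both in /var/log/messages and on every logged-in terminal, show why the emergency rule is kept separate from the catch-all; a daemon.debug message reaches nothing at all with these defaults, which is the first thing to check when an expected line never appears in /var/log/messages.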
