Friday, June 15, 2012

Chapter 9 - RHCSA Level System Administration

Configure Access with VNC

 yum install vinagre tigervnc tigervnc-server -y

[root@server01 ~]# tail /etc/sysconfig/vncservers
# http://kbase.redhat.com/faq/docs/DOC-7028
# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.

# VNCSERVERS="2:myusername"
# VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"


[root@server01 ~]# service vncserver status
Xvnc is stopped

[root@server01 ~]# chkconfig --list vncserver
vncserver       0:off   1:off   2:off   3:off   4:off   5:off   6:off
VNC Client

NOTE : Better and more complete VNC Client + Server Config examples later !!!

# vncviewer

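Configure the firewall

The rule listed below accepts new VNC connections from any source address. VNC traffic is not encrypted on its own, so on anything but a trusted LAN restrict the source range, or use the -localhost option from /etc/sysconfig/vncservers above and connect through a secure tunnel.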






[root@server01 ~]# iptables -L  | grep -i vnc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpts:vnc-server:5905
[root@server01 ~]#

Process Control :

List all of a user's processes

[root@server01 ~]# ps -u dick
  PID TTY          TIME CMD
 4638 pts/1    00:00:00 bash
 4662 pts/1    00:00:00 vim
top command

Elementary System Admin Commands

Process Displays :


[root@server01 ~]# ps -ef | head
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:23 ?        00:00:01 /sbin/init
root         2     0  0 09:23 ?        00:00:00 [kthreadd]
root         3     2  0 09:23 ?        00:00:00 [migration/0]
root         4     2  0 09:23 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 09:23 ?        00:00:00 [migration/0]
root         6     2  0 09:23 ?        00:00:00 [watchdog/0]
root         7     2  0 09:23 ?        00:00:00 [events/0]
root         8     2  0 09:23 ?        00:00:00 [cpuset]
root         9     2  0 09:23 ?        00:00:00 [khelper]
[root@server01 ~]# ps aux | head
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  19324  1504 ?        Ss   09:23   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S    09:23   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    09:23   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S    09:23   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S    09:23   0:00 [migration/0]
root         6  0.0  0.0      0     0 ?        S    09:23   0:00 [watchdog/0]
root         7  0.0  0.0      0     0 ?        S    09:23   0:00 [events/0]
root         8  0.0  0.0      0     0 ?        S    09:23   0:00 [cpuset]
root         9  0.0  0.0      0     0 ?        S    09:23   0:00 [khelper]
[root@server01 ~]#

That was exciting....tell me I haven't run those two commands about a million times in my career ... :) ....zzzzZZZzzzzzz..Zzzz

ahhh...ooohh..(just like at the fireworks display, except two colors only :)

[root@server01 ~]# ps eux | head
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  19324  1504 ?        Ss   09:23   0:01 /sbin/init HOME=/ TERM=linux PATH=/sbin:/bin:/usr/sbin:/usr/bin
root         2  0.0  0.0      0     0 ?        S    09:23   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    09:23   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S    09:23   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S    09:23   0:00 [migration/0]
root         6  0.0  0.0      0     0 ?        S    09:23   0:00 [watchdog/0]
root         7  0.0  0.0      0     0 ?        S    09:23   0:00 [events/0]
root         8  0.0  0.0      0     0 ?        S    09:23   0:00 [cpuset]
root         9  0.0  0.0      0     0 ?        S    09:23   0:00 [khelper]
[root@server01 ~]#

[root@server01 ~]# ps axl | head
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0     1     0  20   0  19324  1504 poll_s Ss   ?          0:01 /sbin/init
1     0     2     0  20   0      0     0 kthrea S    ?          0:00 [kthreadd]
1     0     3     2 -100  -      0     0 migrat S    ?          0:00 [migration/0]
1     0     4     2  20   0      0     0 ksofti S    ?          0:00 [ksoftirqd/0]
1     0     5     2 -100  -      0     0 cpu_st S    ?          0:00 [migration/0]
5     0     6     2 -100  -      0     0 watchd S    ?          0:00 [watchdog/0]
1     0     7     2  20   0      0     0 worker S    ?          0:00 [events/0]
1     0     8     2  20   0      0     0 worker S    ?          0:00 [cpuset]
1     0     9     2  20   0      0     0 worker S    ?          0:00 [khelper]
[root@server01 ~]#

System Activity Reporter


  [root@server01 ~]# sar -A | head
Linux 2.6.32-131.0.15.el6.x86_64 (server01)     06/15/2012      _x86_64_       (1 CPU)
08:33:11 AM       LINUX RESTART
08:40:01 AM     CPU      %usr     %nice      %sys   %iowait    %steal      %irq     %soft    %guest     %idle
08:50:02 AM     all     14.50      0.00     17.16      2.70      0.00      0.93     38.19      0.00     26.52
08:50:02 AM       0     14.50      0.00     17.16      2.70      0.00      0.93     38.19      0.00     26.52
09:00:01 AM     all      0.03      0.00      0.09      0.15      0.00      0.00      0.06      0.00     99.68
09:00:01 AM       0      0.03      0.00      0.09      0.15      0.00      0.00      0.06      0.00     99.68
09:10:02 AM     all      0.07      0.00      0.12      0.16      0.00      0.00      0.06      0.00     99.59
[root@server01 ~]#

Daily reports are in the /var/log/sa directory

[root@server01 ~]# ls -lrt /var/log/sa
total 3992
-rw-r--r--. 1 root root  83700 Jun  6 19:30 sa06
-rw-r--r--. 1 root root 226676 Jun  7 23:50 sa07
-rw-r--r--. 1 root root 277187 Jun  7 23:53 sar07
-rw-r--r--. 1 root root 337956 Jun  8 23:50 sa08
-rw-r--r--. 1 root root 358721 Jun  8 23:53 sar08
-rw-r--r--. 1 root root 342612 Jun  9 23:50 sa09
-rw-r--r--. 1 root root 362358 Jun  9 23:53 sar09
-rw-r--r--. 1 root root 342612 Jun 10 23:50 sa10
-rw-r--r--. 1 root root 362358 Jun 10 23:53 sar10
-rw-r--r--. 1 root root  78876 Jun 11 05:20 sa11
-rw-r--r--. 1 root root 206116 Jun 12 23:50 sa12
-rw-r--r--. 1 root root 252127 Jun 12 23:53 sar12
-rw-r--r--. 1 root root 333396 Jun 13 23:50 sa13
-rw-r--r--. 1 root root 371080 Jun 13 23:53 sar13
-rw-r--r--. 1 root root  43580 Jun 14 02:40 sa14
-rw-r--r--. 1 root root  34740 Jun 15 11:10 sa15

[root@server01 ~]# cat /etc/cron.d/sysstat
# Run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 -S DISK 1 1
# 0 * * * * root /usr/lib64/sa/sa1 -S DISK 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A

IOstat usage to monitor disk activity :

[root@server01 ~]# iostat /dev/sdb1
Linux 2.6.32-131.0.15.el6.x86_64 (server01)     06/15/2012      _x86_64_        (1 CPU)
avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.30    0.01    0.52    0.61    0.00   98.56
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sdb1              0.03         0.20         0.00       1384          0
[root@server01 ~]#

Nice and Renice :

[root@server01 ~]# ps -u dick
  PID TTY          TIME CMD
 4638 pts/1    00:00:00 bash
 4890 pts/1    00:00:00 vim
[root@server01 ~]# top -u dick
top - 11:29:18 up  2:05,  3 users,  load average: 0.00, 0.04, 0.02
Tasks: 155 total,   1 running, 154 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.4%sy,  0.0%ni, 98.7%id,  0.6%wa,  0.0%hi,  0.1%si,  0.0%st
Mem:   2055876k total,   685640k used,  1370236k free,    50324k buffers
Swap:  4128760k total,        0k used,  4128760k free,   305288k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4638 dick      20   0  105m 1792 1452 S  0.0  0.1   0:00.01 bash
 4890 dick      20   0  140m 3700 2536 S  0.0  0.2   0:00.04 vim

[root@server01 ~]# renice -10 4890
4890: old priority 0, new priority -10

[root@server01 ~]# top -u dick
top - 11:32:05 up  2:08,  3 users,  load average: 0.00, 0.02, 0.01
Tasks: 155 total,   1 running, 154 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.4%sy,  0.0%ni, 98.7%id,  0.5%wa,  0.0%hi,  0.1%si,  0.0%st
Mem:   2055876k total,   685764k used,  1370112k free,    50340k buffers
Swap:  4128760k total,        0k used,  4128760k free,   305288k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4638 dick      20   0  105m 1792 1452 S  0.0  0.1   0:00.01 bash
 4890 dick      10 -10  140m 3700 2536 S  0.0  0.2   0:00.04 vim

Run the web server with a lower scheduling priority (nice value 12; normal = 0, and a higher nice value means a lower priority)

[root@server01 ~]# nice -n 12 /etc/init.d/httpd start
Starting httpd:                                            [  OK  ]
[root@server01 ~]#

root      4973     1  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4975  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4976  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4977  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4978  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4979  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4980  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4981  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4982  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
root      4984  2148  0 11:34 pts/0    00:00:00 grep httpd
[root@server01 ~]#

[root@server01 ~]# top -p 4973
top - 11:36:09 up  2:12,  3 users,  load average: 0.00, 0.00, 0.00
Tasks:   1 total,   0 running,   1 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2055876k total,   726540k used,  1329336k free,    50400k buffers
Swap:  4128760k total,        0k used,  4128760k free,   309740k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4973 root      32  12  291m  12m 6700 S  0.0  0.6   0:00.06 httpd

Kill command and signals :


[root@server01 ~]# kill -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO       30) SIGPWR
31) SIGSYS      34) SIGRTMIN    35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3
38) SIGRTMIN+4  39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7
58) SIGRTMAX-6  59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX
[root@server01 ~]#


[root@server01 ~]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@server01 ~]# ps -ef | grep ftp
root      5043     1  0 11:39 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root      5046  2148  0 11:39 pts/0    00:00:00 grep ftp
[root@server01 ~]#


[root@server01 ~]# kill -1 5043
[root@server01 ~]# ps -ef | grep ftp
root      5043     1  0 11:39 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root      5077  2148  0 11:42 pts/0    00:00:00 grep ftp


[root@server01 ~]# kill -15 5043
[root@server01 ~]# ps -ef | grep ftp
root      5087  2148  0 11:43 pts/0    00:00:00 grep ftp


[root@server01 ~]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@server01 ~]# ps -ef | grep ftp
root      5101     1  0 11:43 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root      5103  2148  0 11:43 pts/0    00:00:00 grep ftp
[root@server01 ~]#

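NOTE : kill -HUP <pidno> (signal 1) does not necessarily 'kill the process': many daemons catch SIGHUP and respond by restarting internally and re-reading their config files. A program that does not handle SIGHUP is terminated by it, since termination is the signal's default action.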

[root@server01 ~]# ps -ef | grep httpd
root      4973     1  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4975  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4976  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4977  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4978  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4979  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4980  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4981  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4982  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
root      5062  2148  0 11:40 pts/0    00:00:00 grep httpd
[root@server01 ~]#
[root@server01 ~]#
[root@server01 ~]# killall httpd
[root@server01 ~]# ps -ef | grep httpd
root      5065  2148  0 11:41 pts/0    00:00:00 grep httpd


Examples with gzip bzip2 and tar commands :

[root@server01 img]# ls -l IMG00673-20120601-1026.jpg
-rw-r--r--. 1 root root 327533 Jun 15 15:40 IMG00673-20120601-1026.jpg
[root@server01 img]#
[root@server01 img]# gzip IMG00673-20120601-1026.jpg
[root@server01 img]# ls -lrt IMG00673-20120601-1026.jpg
ls: cannot access IMG00673-20120601-1026.jpg: No such file or directory
[root@server01 img]# ls -lrt IMG00673-20120601-1026.jpg.gz
-rw-r--r--. 1 root root 327133 Jun 15 15:40 IMG00673-20120601-1026.jpg.gz

[root@server01 img]# ls -lrt
total 2348
-rw-r--r--. 1 root root  327133 Jun 15 15:40 IMG00673-20120601-1026.jpg.gz
-rw-r--r--. 1 root root   81084 Jun 15 15:40 rhce10.png
-rw-r--r--. 1 root root 1688479 Jun 15 15:40 rhce1.png
-rw-r--r--. 1 root root   99753 Jun 15 15:40 rhce12.png
-rw-r--r--. 1 root root   92287 Jun 15 15:40 rhce13.png
-rw-r--r--. 1 root root  103120 Jun 15 15:40 rhce11.png
[root@server01 img]#
[root@server01 img]# bzip2 rhce1.png
[root@server01 img]# ls -lrt rhce1.png
ls: cannot access rhce1.png: No such file or directory
[root@server01 img]# ls -lrt rhce1.png.bz2
-rw-r--r--. 1 root root 1689708 Jun 15 15:40 rhce1.png.bz2
[root@server01 img]#

Unpacking :

[root@server01 img]# gzip -d IMG00673-20120601-1026.jpg.gz

[root@server01 img]# ls -lrt IMG00673-20120601-1026.jpg
-rw-r--r--. 1 root root 327533 Jun 15 15:40 IMG00673-20120601-1026.jpg


[root@server01 img]# bzip2 -d rhce1.png.bz2
[root@server01 img]# ls -l rhce1.png
-rw-r--r--. 1 root root 1688479 Jun 15 15:40 rhce1.png


[root@server01 img]# tar czvf dick.home.tar.gz /home/dick
tar: Removing leading `/' from member names
/home/dick/
/home/dick/newdir4/
/home/dick/.bash_logout
/home/dick/newdir777/
/home/dick/newfile1000.txt
/home/dick/.gnome2/
/home/dick/.mozilla/
/home/dick/.mozilla/plugins/
/home/dick/.mozilla/extensions/
/home/dick/.file1.txt.swp
/home/dick/.viminfo
/home/dick/.bash_profile
/home/dick/.bashrc
/home/dick/file1.txt
/home/dick/.bash_history
/home/dick/newfile1.txt


[root@server01 img]# ls -lrt dick.home.tar.gz
-rw-r--r--. 1 root root 1381 Jun 15 16:28 dick.home.tar.gz

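Just view contents inside the tar file. Note from the listing above that the archive was written as a root-owned file with mode 0644, although it contains files such as .bash_history that are mode 0600 inside the home directory; tighten the permissions on archives of home directories (for example chmod 600) :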

[root@server01 img]# tar -tzvf dick.home.tar.gz
drwx------ dick/dick         0 2012-06-15 11:26 home/dick/
drwxrwxr-x dick/dick         0 2012-06-15 09:27 home/dick/newdir4/
-rw-r--r-- dick/dick        18 2011-01-27 07:41 home/dick/.bash_logout
drwx------ dick/dick         0 2012-06-15 09:30 home/dick/newdir777/
-rw------- dick/dick         0 2012-06-15 10:23 home/dick/newfile1000.txt
drwxr-xr-x dick/dick         0 2010-07-14 10:55 home/dick/.gnome2/
drwxr-xr-x dick/dick         0 2012-06-06 06:51 home/dick/.mozilla/
drwxr-xr-x dick/dick         0 2009-12-02 20:21 home/dick/.mozilla/plugins/
drwxr-xr-x dick/dick         0 2009-12-02 20:21 home/dick/.mozilla/extensions/
-rw-r--r-- dick/dick     12288 2012-06-15 11:26 home/dick/.file1.txt.swp
-rw------- dick/dick       761 2012-06-15 11:06 home/dick/.viminfo
-rw-r--r-- dick/dick       187 2012-06-15 09:29 home/dick/.bash_profile
-rw-r--r-- dick/dick       124 2011-01-27 07:41 home/dick/.bashrc
-rw-rw-r-- dick/dick         0 2012-06-15 09:27 home/dick/file1.txt
-rw------- dick/dick       620 2012-06-15 10:35 home/dick/.bash_history
-rw------- dick/dick         0 2012-06-15 09:30 home/dick/newfile1.txt


[root@server01 img]# yum install star -y

[root@server01 img]# star -xattr -H=exustar -c -f=dick.home.star /home/dick
star: 5 blocks + 0 bytes (total of 51200 bytes = 50.00k).


[root@server01 img]# ls dick.home.star
dick.home.star

To unpack a star archive

[root@server01 img]# cp -p dick.home.star /home/gina/
[root@server01 img]# cd /home/gina/
[root@server01 gina]# ll
total 52
-rw-r--r--. 1 root root 51200 Jun 15 16:32 dick.home.star
[root@server01 gina]# star -x -f=dick.home.star
star: WARNING: skipping leading '/' on filenames.
star: 5 blocks + 0 bytes (total of 51200 bytes = 50.00k).


[root@server01 gina]# ls -lrt
total 56
-rw-r--r--. 1 root root 51200 Jun 15 16:32 dick.home.star
drwxr-xr-x. 3 root root  4096 Jun 15 16:35 home
[root@server01 gina]#
 

Automate System Administration : cron and at

The crontab conf file is :

/etc/crontab

[root@server01 gina]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  *  command to be executed


The directory /var/spool/cron is where user cronjobs go to :

[root@server01 gina]# ls -ld /var/spool/cron/
drwx------. 2 root root 4096 Mar  4  2011 /var/spool/cron/


The anacron system is new to RHEL6; it helps run cron jobs on machines that were powered off at the scheduled time, once the systems are booted back up :

[root@server01 gina]# cat /etc/anacrontab
# /etc/anacrontab: configuration file for anacron

# See anacron(8) and anacrontab(5) for details.
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22

#period in days   delay in minutes   job-identifier   command
1       5       cron.daily              nice run-parts /etc/cron.daily
7       25      cron.weekly             nice run-parts /etc/cron.weekly
@monthly 45     cron.monthly            nice run-parts /etc/cron.monthly


Also another directory for cron jobs :

[root@server01 gina]# ls -lrt /etc/cron.d
total 16
-rw-r--r--. 1 root root 459 Mar 17  2010 sa-update
-rw-r--r--. 1 root root 113 Mar  4  2011 0hourly
-rw-r--r--. 1 root root 108 Mar 28  2011 raid-check
-rw-r--r--. 1 root root 251 Mar 31  2011 sysstat


Cronjob example :

[root@server01 gina]# crontab -e
no crontab for root - using an empty one
*/3 * 15 6 * /bin/date >> /tmp/`uname -n`.date.report


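Every 3 minutes, every hour, on the 15th of June (day of week does not matter), run the following command. Note that this job runs as root and appends to a predictable file name in the world-writable /tmp directory; for anything beyond a quick test, point root jobs at a root-owned directory such as /var/log instead.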

[root@server01 gina]# crontab -l
*/2 * 15 6 * /bin/date >> /tmp/`uname -n`.`date +%m%d%y%H%M`.report


[root@server01 gina]# ls -lrt /tmp/*.report
ls: cannot access /tmp/*.report: No such file or directory


Ooops ...heh heh ...

[root@server01 gina]# mail
Heirloom Mail version 12.4 7/29/08.  Type ? for help.
"/var/spool/mail/root": 17 messages 15 new
    1 Cron Daemon           Wed Jun  6 08:01  25/824   "Cron <
root@server01> run-parts /etc/cron.hourly"
    2 Cron Daemon           Wed Jun  6 19:01  25/824   "Cron <
root@server01> run-parts /etc/cron.hourly"
>N  3 Cron Daemon           Thu Jun  7 06:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N  4 Cron Daemon           Fri Jun  8 05:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N  5 Cron Daemon           Fri Jun  8 06:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N  6 Cron Daemon           Tue Jun 12 08:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N  7 Cron Daemon           Wed Jun 13 05:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N  8
abrt@localhost.local  Wed Jun 13 06:00 107/2669  "[abrt] new crash was detected"
 N  9 Cron Daemon           Wed Jun 13 06:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N 10 Cron Daemon           Wed Jun 13 10:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N 11 Cron Daemon           Wed Jun 13 11:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N 12 Cron Daemon           Fri Jun 15 09:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N 13 Cron Daemon           Fri Jun 15 10:01  24/813   "Cron <
root@server01> run-parts /etc/cron.hourly"
 N 14 Cron Daemon           Fri Jun 15 17:10  22/856   "Cron <
root@server01> /bin/date >> /tmp/`uname -n`.`date +"
 N 15 Cron Daemon           Fri Jun 15 17:12  22/856   "Cron <
root@server01> /bin/date >> /tmp/`uname -n`.`date +"
 N 16 Cron Daemon           Fri Jun 15 17:14  22/856   "Cron <
root@server01> /bin/date >> /tmp/`uname -n`.`date +"
 N 17 Cron Daemon           Fri Jun 15 17:16  22/856   "Cron <
root@server01> /bin/date >> /tmp/`uname -n`.`date +"
& 17
Message 17:
From
root@server01.localdomain  Fri Jun 15 17:16:02 2012
Return-Path: <
root@server01.localdomain>
X-Original-To: root
Delivered-To:
root@server01.localdomain
From: root@server01.localdomain (Cron Daemon)
To:
root@server01.localdomain
Subject: Cron <root@server01> /bin/date >> /tmp/`uname -n`.`date +
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Date: Fri, 15 Jun 2012 17:16:02 -0500 (CDT)
Status: R

/bin/sh: -c: line 0: unexpected EOF while looking for matching ``'
/bin/sh: -c: line 1: syntax error: unexpected end of file

New mail has arrived.
Loaded 1 new message
 N 18 Cron Daemon           Fri Jun 15 17:18  22/856   "Cron <
root@server01> /bin/date >> /tmp/`uname -n`.`date +"
&
...wait for it , wait for it ...


[root@server01 gina]# watch -n 5 "ls -lrt /tmp/*.report"

...nothin...

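Had to change to the following. In a crontab an unescaped % ends the command (the rest of the line is passed to it as standard input), so the job was cut off at "date +" - exactly the truncated command and the unmatched-backtick error shown in the mail above. Each % has to be written as \% :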

[root@server01 gina]# crontab -l
*/2 * 15 6 * /bin/date >> /tmp/`uname -n`.$(date \+\%m\%d\%y\%H\%M).report

What a pain in the ass crontab thy are !!!

[root@server01 gina]# watch -n 5 "ls -lrt /tmp/*.report"

Every 5.0s: ls -lrt /tmp/*.report                                                                                                     Fri Jun 15 17:30:30 2012
-rw-r--r--. 1 root root 29 Jun 15 17:28 /tmp/server01.0615121728.report
-rw-r--r--. 1 root root 29 Jun 15 17:30 /tmp/server01.0615121730.report

Yeah baby...yeah ..! 

Ranges can be defined in fields like :

*/5 = Every 5 minutes, hours, whatever the field is
5,15,20 = 5, 15, 20 minutes past the hour
7-10 = 7, 8th, 9th, 10th

Crontab switches :

-u user
-l list all current crontab entries
-r removes the user's entire crontab (all entries, without asking for confirmation)
-e edit crontab

Anacron job format :

# period in days        delay_in_minutes        job-id         command

At Command Examples :

[root@server01 gina]# at now + 2 minute
at> /sbin/ifconfig eth0 >> /tmp/eth0.txt
at> <EOT>
job 1 at 2012-06-15 17:34
[root@server01 gina]# atq
1       2012-06-15 17:34 a root

[root@server01 gina]# ls -lrt /tmp/eth0.txt
-rw-r--r--. 1 root root 494 Jun 15 17:34 /tmp/eth0.txt
[root@server01 gina]# cat /tmp/eth0.txt
eth0      Link encap:Ethernet  HWaddr 00:0C:29:3A:FF:14
          inet addr:192.168.0.12  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe3a:ff14/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:414016 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9463 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29177222 (27.8 MiB)  TX bytes:1427051 (1.3 MiB)
[root@server01 gina]#

Removing an 'at' job :

[root@server01 gina]# at now + 1 hour
at> date >> /tmp/date.txt
at> <EOT>
job 2 at 2012-06-15 18:35
[root@server01 gina]# atq
2       2012-06-15 18:35 a root
[root@server01 gina]# atrm 2
[root@server01 gina]# atq
[root@server01 gina]#

Securing at and cron :

/etc/cron.allow      only users listed in here can run crontab  
/etc/cron.deny       all users listed in here CANNOT use crontab

[root@server01 gina]# ls -lrt /etc | grep cron
drwxr-xr-x.  2 root root   4096 Dec  2  2009 cron.weekly
-rw-r--r--.  1 root root    448 Dec  2  2009 crontab
-rw-r--r--.  1 root root      0 Mar  4  2011 cron.deny
-rw-r--r--.  1 root root    541 Mar  4  2011 anacrontab
drwxr-xr-x.  2 root root   4096 Jun  6 06:56 cron.monthly
drwxr-xr-x.  2 root root   4096 Jun  6 06:57 cron.d
drwxr-xr-x.  2 root root   4096 Jun  6 06:57 cron.daily
drwxr-xr-x.  2 root root   4096 Jun  6 06:57 cron.hourly

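/etc/cron.allow does NOT exist by default. With no cron.allow and the empty (0-byte) cron.deny shown above, every local user may use crontab; creating /etc/cron.allow switches to an allow-list.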

 If cron.allow file exists, then you must be listed therein in order to be allowed to use this command.  If the cron.allow  file  does  not exist but the cron.deny file does exist, then you must not be listed in the cron.deny file in order to use this command.
-----------------------------------------------------------------------------
/etc/at.allow
/etc/at.deny

If the file /etc/at.allow exists, only usernames mentioned in it are allowed to use at. If /etc/at.allow does not exist, /etc/at.deny is checked, every username not mentioned in it is then allowed to use at.

Local Log File Analysis

rsyslog daemon on rhel6 handles logging :

/etc/init.d/rsyslog 
/etc/rsyslog.conf  

The main configuration file for rsyslog is /etc/rsyslog.conf. It is essentially divided in the following parts:
  • Modules
  • Global directives
  • Rules
  • Templates
  • Filter conditions
  • Output channels

Facility

Numerical Code | Facility | Description
0 kern kernel messages
1 user user-level messages
2 mail mail system
3 daemon system daemons
4 auth security/authorization messages
5 syslog messages generated internally by syslogd
6 lpr line printer subsystem
7 news network news subsystem
8 uucp UUCP subsystem
9 cron clock daemon
10 security security/authorization messages
11 ftp FTP daemon
12 ntp NTP subsystem
13 logaudit log audit
14 logalert log alert
15 clock clock daemon (note 2)
16 local0 local use 0 (local0)
17 local1 local use 1 (local1)
18 local2 local use 2 (local2)
19 local3 local use 3 (local3)
20 local4 local use 4 (local4)
21 local5 local use 5 (local5)
22 local6 local use 6 (local6)
23 local7 local use 7 (local7)



Severity
Severity
Numerical Code | Severity | Description
0 emerg system is unusable
1 alert action must be taken immediately
2 crit critical conditions
3 error error conditions
4 warning warning conditions
5 notice normal but significant condition
6 info informational messages
7 debug debug-level messages



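Format is then facility.severity followed by the destination; a severity of none excludes that facility, so the rule below sends everything at info or above to /var/log/messages except mail, authpriv and cron messages :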

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

Log Rotation and Log File Management :

/etc/logrotate.conf
/etc/logrotate.d

Logrotate config file is fairly straightforward :

[root@server01 gina]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
        minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

Most services are logged into the /var/log directory by default .

Some services like vsftp and apache httpd have their own logging mechanisms and don't use logrotate facility .








Chapter 8 - User Administration

User Account Mgt

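The files for user mgt (/etc/shadow and /etc/gshadow hold the password hashes and should be readable by root only; in the output below `!!` marks an account with no usable password, and the `$6$` prefix is a SHA-512 hash, matching ENCRYPT_METHOD in /etc/login.defs; when sharing output like this, replace real hashes with a placeholder) :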

[root@server01 downloads]# tail /etc/passwd
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
pulse:x:497:495:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:496:490:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
rhill:x:500:501:Roger Hill:/home/rhill:/bin/bash

[root@server01 downloads]# tail /etc/group
stapdev:x:492:
stapusr:x:491:
webalizer:x:67:
sshd:x:74:
dovecot:x:97:
dovenull:x:490:
tcpdump:x:72:
oprofile:x:16:
slocate:x:21:
rhill:x:501:

[root@server01 downloads]# tail /etc/shadow
avahi:!!:15497::::::
pulse:!!:15497::::::
gdm:!!:15497::::::
webalizer:!!:15497::::::
sshd:!!:15497::::::
dovecot:!!:15497::::::
dovenull:!!:15497::::::
tcpdump:!!:15497::::::
oprofile:!!:15497::::::
rhill:$6$kym9CJ0RrYEiecH6$gN0jATgidcLC8YDC0TFUVaCtAFDYnmHDz7.hjeDE9d3Rg5axjWgPZRBpPm6qfKrWmGIhdx5lPekUT65KyyIuZ/:15497:0:99999:7:::

[root@server01 downloads]# tail /etc/gshadow
stapdev:!::
stapusr:!::
webalizer:!::
sshd:!::
dovecot:!::
dovenull:!::
tcpdump:!::
oprofile:!::
slocate:!::
rhill:!!::

[root@server01 downloads]# tail /etc/login.defs
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512


Command Examples :

[root@server01 downloads]# useradd bob
[root@server01 downloads]# id bob
uid=501(bob) gid=502(bob) groups=502(bob)
[root@server01 downloads]# grep bob /etc/passwd
bob:x:501:502::/home/bob:/bin/bash


[root@server01 downloads]# groupadd project1
[root@server01 downloads]#


[root@server01 downloads]# grep project1 /etc/group
project1:x:503:

[root@server01 downloads]# groupdel project1


# system-config-users

  

Administrative Control

/etc/sudoers

The ability to log in is controlled by these files (/etc/securetty lists the terminals on which root is allowed to log in directly) :
[root@server01 downloads]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11


and ability to login

[root@server01 downloads]# tail /etc/security/access.conf
#+ : john : 2001:4ca0:0:101::1
#
# User "john" should get access from ipv6 host address (same as above)
#+ : john : 2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 net/mask
#+ : john : 2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
#- : ALL : ALL


# system-config-users





[root@server01 downloads]# useradd -u 550 -d /home/mary1 -c "Mary Ann" mary
[root@server01 downloads]# id mary
uid=550(mary) gid=550(mary) groups=550(mary)

[root@server01 downloads]# userdel mary

[root@server01 downloads]# useradd -u 550 -d /home/jobe1234 -c "Jobe" jobe
[root@server01 downloads]# useradd fred
[root@server01 downloads]# useradd tom
[root@server01 downloads]# useradd dick
[root@server01 downloads]# useradd gina
[root@server01 downloads]# usermod -e 2012-07-15 gina
[root@server01 downloads]# groupadd project2
[root@server01 downloads]# usermod -G project2 fred
[root@server01 downloads]# usermod -G project2 tom

[root@server01 downloads]# groupmod -g 60002 project2

[root@server01 downloads]# groupmod -n project3 project2

Proper use of the su command configurations :

su - -c '/sbin/ifconfig -a'

SU admin control steps :

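  1. Add the user to the respective group with either vipw or usermod -aG grouptobeaddedto username (-a appends; -G on its own replaces the user's other supplementary groups)
  2. Use 'visudo' to edit the /etc/sudoers file (it locks the file and checks the syntax before saving)
  3. Add in the proper permissions; the file follows the format of :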
Basic format ---
##      user    MACHINE=COMMANDS

user   host = commands_allowed_to_run
OR
%mygroup host = commands_allowed_to_run

The group "mygroup" must exist .

boris   ALL=(ALL) ALL

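This gives boris full root admin privileges through sudo (any command, as any user, on any host). Where full access is not needed, list specific commands or a Cmnd_Alias instead of the final ALL.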

There are many examples within the default /etc/sudoers file

A command alias :

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum


A Host alias :


User and Shell Configuration

The /etc/skel directory contains default env files for new accounts .

.bashrc = basic bash config file . , aliases, startup commands placed here
.bash_logout = file executed when a user logs off
.bash_profile = PATH and other env variables set here
.gnome2/ = Settings for the GNOME desktop
.kde/ = settings for the KDE Desktop
.mozilla/ = options for firefox browser

The /etc/bashrc is a global file read by all bash users; it contains aliases and functions, sets the umask, defines a prompt, and includes settings from *.sh in the /etc/profile.d/ directory .

/etc/profile is also used for system wide env and startup files

The /etc/profile.d/ dir contains scripts executed by the /etc/profile file

Controlling the umask

[root@server01 ~]# cp /etc/bashrc /root/bashrc.orig
[root@server01 ~]# vi /etc/bashrc

     59     # By default, we want umask to get set. This sets it for non-login shell.
     60     # Current threshold for system reserved uid/gids is 200
     61     # You could check uidgid reservation validity in
     62     # /usr/share/doc/setup-*/uidgid file
     63     if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
     64        #umask 002
     65        umask 077
     66     else
     67        umask 022
     68     fi


Testing this, it doesn't work ???

[root@server01 ~]# su - tom
[tom@server01 ~]$ touch file1.txt
[tom@server01 ~]$ mkdir newdir2
[tom@server01 ~]$ ls -lrt
total 4
-rw-rw-r--. 1 tom tom    0 Jun 15 09:18 file1.txt
drwxrwxr-x. 2 tom tom 4096 Jun 15 09:18 newdir2


reboot the machine and retry ??? hmmm....well wait a minute ?
[tom@server01 ~]$ id
uid=552(tom) gid=552(tom) groups=552(tom),60002(project3) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[tom@server01 ~]$




Still nothing ??

[root@server01 ~]# reboot
Broadcast message from root@server01
        (/dev/pts/1) at 9:23 ...

The system is going down for reboot NOW!

[root@server01 ~]# id dick
uid=553(dick) gid=553(dick) groups=553(dick)
[root@server01 ~]# su - dick
[dick@server01 ~]$ touch file1.txt
[dick@server01 ~]$ mkdir newdir4
[dick@server01 ~]$ ls -lrt
total 4
-rw-rw-r--. 1 dick dick    0 Jun 15 09:27 file1.txt
drwxrwxr-x. 2 dick dick 4096 Jun 15 09:27 newdir4


[dick@server01 ~]$ echo $SHELL
/bin/bash

Not too sure why this doesn't work, but to remedy the problem, thinking back, we just put the desired umask into the individual user's .bash_profile ???

[dick@server01 ~]$ vi .bash_profile
# .bash_profile
# Per-user startup file that bash reads for login shells (for example `su - dick`).

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi


# User specific environment and startup programs
# umask 077 strips all group/other permission bits from newly created files
# and directories, so new files come out 0600 and new directories 0700.
# It is set after ~/.bashrc is sourced, so this value is the one left in effect
# unless something later in the session changes it.
umask 077


# Append the user's private bin directory to the search path and export it
# so child processes inherit it.
PATH=$PATH:$HOME/bin
export PATH

[root@server01 ~]# su - dick
[dick@server01 ~]$
[dick@server01 ~]$ touch newfile1.txt
[dick@server01 ~]$ mkdir newdir777
[dick@server01 ~]$ ls -lrt
total 8
-rw-rw-r--. 1 dick dick    0 Jun 15 09:27 file1.txt
drwxrwxr-x. 2 dick dick 4096 Jun 15 09:27 newdir4
-rw-------. 1 dick dick    0 Jun 15 09:30 newfile1.txt
drwx------. 2 dick dick 4096 Jun 15 09:30 newdir777

...works now, go figure...if you know why this doesn't work in the /etc/bashrc file, send me an email

Users and Network Authentication

LDAP Stuff :

LDAP Client Configuration :

/etc/pam_ldap.conf

[root@server01 ~]# cat /etc/pam_ldap.conf
cat: /etc/pam_ldap.conf: No such file or directory


[root@server01 ~]# yum search ldap
Loaded plugins: downloadonly, product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
===================================================================== N/S Matched: ldap ======================================================================
apr-util-ldap.x86_64 : APR utility library LDAP support
bind-dyndb-ldap.x86_64 : LDAP back-end plug-in for BIND
compat-openldap.i686 : OpenLDAP compatibility shared libraries
compat-openldap.x86_64 : OpenLDAP compatibility shared libraries
krb5-server-ldap.i686 : The LDAP storage plugin for the Kerberos 5 KDC
krb5-server-ldap.x86_64 : The LDAP storage plugin for the Kerberos 5 KDC
ldapjdk.x86_64 : The Mozilla LDAP Java SDK
mod_authz_ldap.x86_64 : LDAP authorization module for the Apache HTTP Server
openldap.i686 : LDAP support libraries
openldap.x86_64 : LDAP support libraries
openldap-clients.x86_64 : LDAP client utilities
openldap-devel.i686 : LDAP development libraries and header files
openldap-devel.x86_64 : LDAP development libraries and header files
openldap-servers.x86_64 : LDAP server
pam_ldap.i686 : PAM module for LDAP
pam_ldap.x86_64 : PAM module for LDAP
perl-LDAP.noarch : LDAP Perl module
perl-Mozilla-LDAP.x86_64 : LDAP Perl module that wraps the OpenLDAP C SDK
php-ldap.x86_64 : A module for PHP applications that use LDAP
python-ldap.x86_64 : An object-oriented API to access LDAP directory servers
libldb.i686 : A schema-less, ldap like, API and database
libldb.x86_64 : A schema-less, ldap like, API and database
migrationtools.noarch : Migration scripts for LDAP
nss-pam-ldapd.i686 : An nsswitch module which uses directory servers
nss-pam-ldapd.x86_64 : An nsswitch module which uses directory servers

  Name and summary matches only, use "search all" for everything.

[root@server01 ~]# yum install openldap openldap-clients -y

... File was still missing ...


[root@server01 ~]# yum search pam
Loaded plugins: downloadonly, product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
====================================================================== N/S Matched: pam ======================================================================
PyPAM.x86_64 : PAM bindings for Python
fprintd-pam.i686 : PAM module for fingerprint authentication
fprintd-pam.x86_64 : PAM module for fingerprint authentication
gnome-keyring-pam.i686 : Pam module for unlocking keyrings
gnome-keyring-pam.x86_64 : Pam module for unlocking keyrings
pam-devel.i686 : Files needed for developing PAM-aware applications and modules for PAM
pam-devel.x86_64 : Files needed for developing PAM-aware applications and modules for PAM
pam_ldap.i686 : PAM module for LDAP
pam_ldap.x86_64 : PAM module for LDAP
pam_pkcs11.i686 : PKCS #11/NSS PAM login module
pam_pkcs11.x86_64 : PKCS #11/NSS PAM login module
spamassassin.x86_64 : Spam filter for email which can be invoked from mail delivery agents
nss-pam-ldapd.i686 : An nsswitch module which uses directory servers
nss-pam-ldapd.x86_64 : An nsswitch module which uses directory servers
pam.i686 : An extensible library which provides authentication for applications
pam.x86_64 : An extensible library which provides authentication for applications
pam_krb5.i686 : A Pluggable Authentication Module for Kerberos 5
pam_krb5.x86_64 : A Pluggable Authentication Module for Kerberos 5
pam_passwdqc.i686 : Pluggable password quality-control module
pam_passwdqc.x86_64 : Pluggable password quality-control module
passwd.x86_64 : An utility for setting or changing passwords using PAM
sssd-client.i686 : SSSD Client libraries for NSS and PAM
sssd-client.x86_64 : SSSD Client libraries for NSS and PAM
  Name and summary matches only, use "search all" for everything.
[root@server01 ~]#
[root@server01 ~]#
[root@server01 ~]# yum install pam_ldap -y

That's better :

[root@server01 ~]# cat /etc/pam_ldap.conf | egrep -v "#|^$"
host 127.0.0.1
base dc=example,dc=com

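Two more directives are important here. Both are commented out in the default file: until 'ssl start_tls' (or 'ssl on') is enabled the connection to the LDAP server is not encrypted, and with 'pam_password clear' a changed password is sent as-is for the directory server to hash, so a bind or password change against a remote server would cross the network unencrypted :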

[root@server01 ~]# grep -A2 -B2 "ssl start_tls" /etc/pam_ldap.conf
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

[root@server01 ~]# grep -A2 -B2 "pam_password" /etc/pam_ldap.conf | head
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

The ldap.conf file is also needed :

[root@server01 ~]# find /etc -name ldap.conf
/etc/openldap/ldap.conf
[root@server01 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com/ ldap://ldap-master.example.com:666/
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

The Name Service Switch File:

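determines which sources (files, dns, nis, ...) are consulted, and in what order, for lookups such as users, groups and host names. In the file below, passwd, shadow and group list only 'files', so LDAP accounts would not resolve until an LDAP source is added to those lines (the authconfig tools further down can do this).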

/etc/nsswitch.conf

[root@server01 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus


GUI Stuff for Network Authentication Tools :

# system-config-authentication



# authconfig-tui






Special Groups :

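Setting the SGID bit on a directory means every file created in or copied into that directory takes the directory's group ownership instead of the creating user's primary group. (Note: 'usermod -G' without '-a' replaces the user's existing supplementary groups; 'usermod -aG accounting USER' adds the group and keeps the others.) :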

[root@server01 ~]# groupadd -g 70000 accounting
[root@server01 ~]# usermod -G accounting bob
[root@server01 ~]# usermod -G accounting dick
[root@server01 ~]# usermod -G accounting gina

[root@server01 ~]# usermod -G accounting fred


[root@server01 ~]# mkdir /home/accshared


[root@server01 ~]# chown nobody.accounting /home/accshared
[root@server01 ~]# chmod 2770 /home/accshared
[root@server01 ~]# ls -l /home/accshared
total 0
[root@server01 ~]# ls -ld /home/accshared
drwxrws---. 2 nobody accounting 4096 Jun 15 10:14 /home/accshared













[dick@server01 ~]$ touch /home/accshared/dicksfile1.txt
[dick@server01 ~]$ cp *.txt /home/accshared
[dick@server01 ~]$ ls -lrt /home/accshared
total 0
-rw-------. 1 dick accounting 0 Jun 15 10:20 dicksfile1.txt
-rw-------. 1 dick accounting 0 Jun 15 10:22 newfile1.txt
-rw-------. 1 dick accounting 0 Jun 15 10:22 file1.txt

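... except ... not with the 'cp -p' option, which preserves the original ownership and mode, so the copy keeps group 'dick' instead of inheriting 'accounting'. Also note that with umask 077 the files above are created -rw-------, so other members of 'accounting' cannot read them even though the group ownership is right ....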

[dick@server01 ~]$ touch newfile1000.txt
[dick@server01 ~]$ ls -ltr newfile1000.txt
-rw-------. 1 dick dick 0 Jun 15 10:23 newfile1000.txt

[dick@server01 ~]$ cp -p newfile1000.txt /home/accshared/
[dick@server01 ~]$ ls -l /home/accshared/newfile1000.txt
-rw-------. 1 dick dick 0 Jun 15 10:23 /home/accshared/newfile1000.txt




The commands 'exit' , 'logout' and CTRL+D all do the same thing, log the user account off the system.

Wednesday, June 13, 2012

Chapter 7 - Package Management

Getting RPM's from da internat ...(good luck with the deps....doh!)

[root@server01 downloads]# wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/6/x86_64/freetds-0.91-1.el6.x86_64.rpm
--2012-06-13 11:17:35--  ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/6/x86_64/freetds-0.91-1.el6.x86_64.rpm
           => ‘freetds-0.91-1.el6.x86_64.rpm’
Resolving ftp.pbone.net... 85.14.85.4
Connecting to ftp.pbone.net|85.14.85.4|... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /mirror/download.fedora.redhat.com/pub/fedora/epel/6/x86_64 ... done.
==> SIZE freetds-0.91-1.el6.x86_64.rpm ... 579776
==> PASV ... done.    ==> RETR freetds-0.91-1.el6.x86_64.rpm ... done.
Length: 579776 (566K) (unauthoritative)
100%[====================================================================================================================>] 579,776      432K/s   in 1.3s
2012-06-13 11:17:44 (432 KB/s) - ‘freetds-0.91-1.el6.x86_64.rpm’
[root@server01 downloads]# ls -lrt
total 568
-rw-r--r--. 1

The Redhat Package Manager

Installing : rpm -ihv (or just rpm -i )
Upgrading : rpm -U (install if not existing)
Upgrading : rpm -F (only upgrade, do not install if doesn't exist)
Erase a Package : rpm -e

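Installing remotely with rpm (the NOKEY warning below means the package signature could not be verified because the signing key, ID 0608b895, is not in the rpm keyring; the Red Hat release key imported further down is a different key, so --checksig on this package still reports MISSING KEYS. Import the packager's public key from a trusted source and re-check before installing a package fetched this way) :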

[root@server01 downloads]# rpm -ihv ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/6/x86_64/freetds-0.91-1.el6.x86_64.rpm
Retrieving ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/6/x86_64/freetds-0.91-1.el6.x86_64.rpm
warning: /var/tmp/rpm-tmp.Luh69z: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
error: Failed dependencies:
        libodbc.so.2()(64bit) is needed by freetds-0.91-1.el6.x86_64
        libodbcinst.so.2()(64bit) is needed by freetds-0.91-1.el6.x86_64


[root@server01 downloads]# ls -lrt /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-rw-r--r--. 1 root root 3211 Apr 27  2011 /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[root@server01 downloads]#


[root@server01 downloads]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[root@server01 downloads]# rpm -qa gpg-pubkey
gpg-pubkey-2fa658e0-45700c69
gpg-pubkey-fd431d51-4ae0493b


[root@server01 downloads]# ls /boot/
config-2.6.32-131.0.15.el6.x86_64         lost+found
efi                                       symvers-2.6.32-131.0.15.el6.x86_64.gz
grub                                      System.map-2.6.32-131.0.15.el6.x86_64
initramfs-2.6.32-131.0.15.el6.x86_64.img  vmlinuz-2.6.32-131.0.15.el6.x86_64
[root@server01 downloads]#


Installing a new kernel : always install (-i), never upgrade (-U), so the currently working kernel stays on disk as a fallback :

rpm -ihv

OR

yum install kernel

/boot/grub/grub.conf is automatically updated, and the new kernel is the new default to boot .

More RPM Commands

[root@server01 downloads]# rpm -q upstart
upstart-0.6.5-10.el6.x86_64


[root@server01 downloads]# rpm --checksig freetds-0.91-1.el6.x86_64.rpm
freetds-0.91-1.el6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0608b895)

[root@server01 downloads]# rpm --checksig unicap-0.9.5-4.el6.x86_64.rpm
unicap-0.9.5-4.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK


[root@server01 downloads]# rpm -K unicap-0.9.5-4.el6.x86_64.rpm
unicap-0.9.5-4.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
[root@server01 downloads]# cp -p /var/www/html/inst/RHEL_6.1_x86_64_Disc_1/Packages/unicap-0.9.5-4.el6.x86_64.rpm
Verify :

[root@server01 downloads]# rpm --verify vsftpd-2.2.2-6.el6_0.1.x86_64

[root@server01 downloads]# rpm --verify --file /bin/ls
[root@server01 downloads]# rpm --verify -p unicap-0.9.5-4.el6.x86_64.rpm
missing     /usr/lib64/libucil.so.2
missing     /usr/lib64/libucil.so.2.1.8
missing     /usr/lib64/libunicap.so.2
missing     /usr/lib64/libunicap.so.2.1.8
missing     /usr/lib64/libunicapgtk.so.2
missing     /usr/lib64/libunicapgtk.so.2.1.8
missing     /usr/lib64/unicap2
missing     /usr/lib64/unicap2/cpi
missing     /usr/lib64/unicap2/cpi/libdcam.so
missing     /usr/lib64/unicap2/cpi/libdcam.so.0
missing     /usr/lib64/unicap2/cpi/libdcam.so.0.0.0
missing     /usr/lib64/unicap2/cpi/libv4l.so
missing     /usr/lib64/unicap2/cpi/libv4l.so.0
missing     /usr/lib64/unicap2/cpi/libv4l.so.0.0.0
missing     /usr/lib64/unicap2/cpi/libv4l2cpi.so
missing     /usr/lib64/unicap2/cpi/libv4l2cpi.so.0
missing     /usr/lib64/unicap2/cpi/libv4l2cpi.so.0.0.0
missing     /usr/lib64/unicap2/cpi/libvid21394.so
missing     /usr/lib64/unicap2/cpi/libvid21394.so.0
missing     /usr/lib64/unicap2/cpi/libvid21394.so.0.0.0
missing     /usr/share/doc/unicap-0.9.5
missing   d /usr/share/doc/unicap-0.9.5/AUTHORS
missing   d /usr/share/doc/unicap-0.9.5/COPYING
missing   d /usr/share/doc/unicap-0.9.5/ChangeLog
missing   d /usr/share/doc/unicap-0.9.5/README
missing     /usr/share/locale/de/LC_MESSAGES/unicap.mo
missing     /usr/share/locale/fr/LC_MESSAGES/unicap.mo
missing     /usr/share/locale/ru/LC_MESSAGES/unicap.mo


Show all installed packages :

rpm -qa

[root@server01 downloads]# ls /root/install.log
/root/install.log
[root@server01 downloads]# tail /root/install.log
Installing ql2100-firmware-1.19.38-3.1.el6.noarch
Installing ql2500-firmware-5.03.16-1.el6.noarch
Installing zd1211-firmware-1.4-4.el6.noarch
Installing ipw2100-firmware-1.3-11.el6.noarch
Installing ql23xx-firmware-3.03.27-3.1.el6.noarch
Installing ipw2200-firmware-3.1-4.el6.noarch
Installing ivtv-firmware-20080701-20.2.noarch
Installing man-pages-3.22-17.el6.noarch
Installing words-3.0-17.el6.noarch
*** FINISHED INSTALLING PACKAGES ***[root@server01 downloads]#

[root@server01 yum]# rpm -qi httpd
Name        : httpd                        Relocations: (not relocatable)
Version     : 2.2.15                            Vendor: Red Hat, Inc.
Release     : 9.el6                         Build Date: Sat 09 Apr 2011 08:00:13 AM CDT
Install Date: Wed 06 Jun 2012 06:54:27 AM CDT      Build Host: x86-010.build.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: httpd-2.2.15-9.el6.src.rpm
Size        : 3056498                          License: ASL 2.0
Signature   : RSA/8, Thu 21 Apr 2011 02:47:47 PM CDT, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

[root@server01 downloads]# rpm -qpi freetds-0.91-1.el6.x86_64.rpm
warning: freetds-0.91-1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Name        : freetds                      Relocations: (not relocatable)
Version     : 0.91                              Vendor: Fedora Project
Release     : 1.el6                         Build Date: Thu 27 Oct 2011 08:47:52 AM CDT
Install Date: (not installed)               Build Host: x86-11.phx2.fedoraproject.org
Group       : System Environment/Libraries   Source RPM: freetds-0.91-1.el6.src.rpm
Size        : 2699105                          License: LGPLv2+ and GPLv2+
Signature   : RSA/8, Thu 27 Oct 2011 04:27:40 AM CDT, Key ID 3b49df2a0608b895
Packager    : Fedora Project
URL         : http://www.freetds.org/
Summary     : Implementation of the TDS (Tabular DataStream) protocol
Description :
FreeTDS is a project to document and implement the TDS (Tabular
DataStream) protocol. TDS is used by Sybase(TM) and Microsoft(TM) for
client to database server communications. FreeTDS includes call
level interfaces for DB-Lib, CT-Lib, and ODBC.

Dependencies and the yum command

[root@server01 downloads]# yum install yum-plugin-downloadonly.noarch -y

[root@server01 downloads]# cat /etc/yum.conf
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1




#  This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
#  It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
[root@server01 downloads]#


[root@server01 downloads]# cd /etc/yum
[root@server01 yum]# ls -l
total 16
drwxr-xr-x. 2 root root 4096 Jun 13 11:19 pluginconf.d
drwxr-xr-x. 2 root root 4096 Apr 28  2011 protected.d
drwxr-xr-x. 2 root root 4096 Apr 28  2011 vars
-rw-r--r--. 1 root root  444 Apr 28  2011 version-groups.conf


[root@server01 yum]# pwd
/etc/yum

[root@server01 yum]# find ./ -name rhnplugin.conf
./pluginconf.d/rhnplugin.conf
[root@server01 yum]# cat ./pluginconf.d/rhnplugin.conf
[main]
enabled = 0
gpgcheck = 1

# You can specify options per channel, e.g.:
#
#[rhel-i386-server-5]
#enabled = 1
#
#[some-unsigned-custom-channel]
#gpgcheck = 0


[root@server01 yum]# ls -lrt /etc/yum.repos.d/
total 16
-r--r--r--. 1 root root 114 May 10  2011 packagekit-media.repo
-rw-r--r--. 1 root root 106 Jun  6 12:38 iso.repo
-rw-r--r--. 1 root root 621 Jun  7 06:25 rhel-source.repo
-rw-r--r--. 1 root root  67 Jun 13 11:44 redhat.repo
[root@server01 yum]# cat /etc/yum.repos.d/iso.repo
[localRepo]
name=localRepo
baseurl=file:///var/www/html/inst/RHEL_6.1_x86_64_Disc_1/
enabled=1
gpgcheck=0


More yum commands : 
  • yum install samba
  • yum update samba
  • yum erase samba
  • yum whatprovides */*.repo
  • yum update   (update ALL existing packages on this system)
  • yum grouplist
  • yum groupinfo
  • yum groupinstall
[root@server01 var]# yumdownloader unicap
Loaded plugins: product-id, refresh-packagekit
unicap-0.9.5-4.el6.x86_64.rpm                            | 154 kB     00:00
[root@server01 var]# ls unicap-0.9.5-4.el6.x86_64.rpm
unicap-0.9.5-4.el6.x86_64.rpm


# createrepo

[root@server01 downloads]# createrepo /root/downloads/
2/2 - unicap-0.9.5-4.el6.x86_64.rpm
Saving Primary metadata
Saving file lists metadata
Saving other metadata
[root@server01 downloads]


[root@server01 downloads]# yum install gnome-packagekit
Loaded plugins: downloadonly, product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
Setting up Install Process
Package gnome-packagekit-2.28.3-3.el6.x86_64 already installed and latest version
Nothing to do

More Package Mgt Tools


# gpk-update-viewer 

# gpk-prefs

# gpk-application


NOTE : More with GUI pkg tools later !!