The Linux Source - New pages [en]

Permissions

2020-05-11T16:55:44Z

Support:

=== Basic perms ===

Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account (or an application account)

Limitations/Issues
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's)
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)

Multiple users/processes needing access to a single account (or an application account)

1. Add users to proper group

# usermod -aG appuser nrpe
OR if you have many users
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done

2. Set directory perms so that new files all belong to the same group

read-only
# find /home/appuser -type d -exec chmod g=rxs '{}' ;
read/write
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;

3. Optionally set write access, for read/write option

# find /home/appuser -type f -exec chmod g+w '{}' ;

Single user/process needing access to a multiple accounts

1. Add users to proper group

# usermod -aG buildapp1 scmadmins
OR if you have many users
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done

2. Set directory perms so that new files all belong to the same group

read-only
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;
read/write
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;
OR if you have many users
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done

3. Optionally set write access, for read/write option

# find /home/buildapp1 -type f -exec chmod g+w '{}' ;
OR if you have many users
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done

=== ACL's ===

Limitations/Issues
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)

Note: m - modify, R - recursive, d - default perms (for new files, as opposed to leaving out the -d, which would be existing files)

For a directory tree;

Read/write users;

# setfacl -Rm u:joe:rw /home/Shared/Reports
# setfacl -dRm u:joe:rw /home/Shared/Reports

Read-Only users;

# setfacl -Rm u:gary:r /home/Shared/Reports
# setfacl -dRm u:gary:r /home/Shared/Reports

For a file;

# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml

=== Reference ===

ls output

Note: the + means some ACL's have been set

# ls -ld somedir
drwxrwxr-x+ 2 buildapp1 scmadmins 6 May 12 04:08 somedir

# ls -l somefile
-rw-rw-r--+ 1 joe scmadmins 9 May 12 04:12 somefile

getfacl output

# getfacl somedir
# file: somedir/
# owner: lisa
# group: staff
# flags: -s-
user::rwx
user:joe:rwx #effective:r-x
group::rwx #effective:r-x
group:cool:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:joe:rwx #effective:r-x
default:group::r-x
default:mask::r-x
default:other::---

=== chmod details/usage ===

The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]

The letters 'ugoa' control which user/group/etc the access to the file or directory will be changed
'u' (user) permissions for the user who owns the file/directory (u)
'g' (group) permissions for other users who are members of the group (g)
'o' (other) other users that are not in the group permissions (o) (aka world readable)
'a' (all) all of the above
The '+-=' operators control how the permissions are set on the file or directory
'+' (add) causes the selected permissions to be added to the existing permissions
'-' (remove) causes them to be removed
'=' (set) causes them to be the only permissions

The letters 'rwxXst' select the new permissions for the affected users:
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)
'X' execute/search only if the file is a directory or already has execute permission for some user
's' set user or group ID on execution
't' restricted deletion flag or sticky bit

Options (some)
-c like verbose but report only when a change is made
-R change files and directories recursively

=== setfacl details/usage ===

Options (some)
-b remove all extended ACL entries
-d operations apply to the default ACL
-k remove the default ACL
-m modify the current ACL(s) of file(s)
-n don't recalculate the effective rights mask
-R recurse into subdirectories
-x remove entries from the ACL(s) of file(s)
--mask do recalculate the effective rights mask
--set set the ACL of file(s), replacing the current ACL
--test test mode (ACLs are not modified)

Convert RH/OL To CentOS

2017-06-14T19:59:42Z

Support:

Note: 'cat /etc/redhat-release' shows RedHat or Oracle before these steps

1. browse to the centos repo to get the link for the latest centos-release package, right-click/copy link/url
http://mirror.centos.org/centos/5/os/x86_64/CentOS
http://mirror.centos.org/centos/6/os/x86_64/Packages
http://mirror.centos.org/centos/7/os/x86_64/Packages
2. wget the package/url (may need to specify a proxy, or use 'curl --proxy sc9-proxy.example.net:3128 -O http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-8.el6.centos.12.3.x86_64.rpm')
ENT 5
# wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-5-11.el5.centos.x86_64.rpm
[http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-notes-5.11-0.x86_64.rpm
ENT 6
# wget http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-9.el6.centos.12.3.x86_64.rpm
ENT 7
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-3.1611.el7.centos.x86_64.rpm
3. install centos-release (plus release notes dependency for RedHat 5) and remove redhat-release 
Note: 'cat /etc/redhat-release' shows CentOS after this step
RedHat 5
# rpm -i --force centos-release-5-11.el5.centos.x86_64.rpm centos-release-notes-5.11-0.x86_64.rpm
# rpm -e redhat-release-5Server redhat-release-notes-5Server
RedHat 6
# rpm -i --force centos-release-6-9.el6.centos.12.3.x86_64.rpm
# rpm -e redhat-release-server
RedHat 7
# rpm -e --nodeps redhat-release-server
# rm -rf /usr/share/redhat-release /usr/share/doc/redhat-release /etc/system-release-cpe.rpmsave /etc/os-release.rpmsave
# rpm -i --force centos-release-7-3.1611.el7.centos.2.10.x86_64.rpm
4. system can now be subscribed to CentOS spacewalk channel with --force option, or add CentOS-Base.repo to /etc/yum.repos.d/CentOS-Base.repo

5. remove additional RedHat packages and replace with corresponding CentOS packages
RedHat 5
# yum update redhat-logos
# rpm -e redhat-support-tool redhat-support-lib-python redhat-menus htmlview Deployment_Guide-en-US
NOTE : order is important for RPM dependencies
RedHat 6
# rpm -e --nodeps redhat-indexhtml
# yum install centos-indexhtml
# yum update redhat-logos
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager
IF you see a yum message about lynx-2.x.x-xx.el6.x86_64 has missing requires of redhat-indexhtml
# yum reinstall lynx
RedHat 7
# rpm -e --nodeps redhat-indexhtml redhat-logos
# yum install centos-indexhtml centos-logos
# yum update abrt redhat-menus
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager Red_Hat_Enterprise_Linux-Release_Notes-7-en-US

Distro

2017-06-14T19:59:28Z

Support: Created page with "CentOS RedHat OracleLinux Convert RH/OL To CentOS"

[[CentOS]]

[[RedHat]]

[[OracleLinux]]

[[Convert RH/OL To CentOS]]

LogAnalyzer Mods

2017-06-12T20:44:16Z

Support:

PARENT PAGE LINK: [[LogAnalyzer]]

=== Purging mySQL database ===
This rsyslog configuration writes everything to a mySql database, as well as to the standard log files. The OS has the logrotate process to manage the log files, but if you wish to manage or periodically purge the mySql data, you can set up the following cron job (thanks to Michael Meckelein for posting this in a forum): 
NOTE: you may want to setup another user which has delete permissions (like syslog-purge) to do the periodic cleanup for this cron process
mysql -u syslog-purge -p somepwA -e “delete from SystemEvents where ReceivedAt < date_add(current_date, interval -28 day)” Syslog

LogAnalyzer

2017-06-12T20:40:14Z

Support:

PARENT PAGE LINK: [[Syslog]]

[[LogAnalyzer Setup]]

[[LogAnalyzer Mods]]

SSH

2017-06-01T00:36:03Z

Support:

=== Policy ===
{include:SSH-Policy}

=== Key Usage/Issues ===
* Only public keys should be on the various servers (required for external facing systems; ex: app systems, proxy servers, sc9-admin1), and the critical private keys should be on an internal 'admin' type box (such as a grid server, puppet master, or other trusted host system).

* Our laptops must not be configured with a key such that it can automatically connect to an externally available server. This is required, due to the security around our products, since we're allowed to take our laptops outside of the office, and they occasionally get stolen.

* Keys should not be automatically invoked. when generating keys, do not take the default filename (which will automatically get used for all ssh related connections), but use a different filename which includes the name of the system it was generated on, and a name for the function the key will be used for (ex; id_dsa-app1_named for syncing DNS/named configs to the various nameservers, 'named' is the user that the process is running under).

* When keys are used, they should be locked down to access from specific systems (authorized_keys file), and disallow any port forwarding that can be initiated by a user or hacker, AND if possible, locked down to a specific command, ex;
# cat authorized_keys
# remote commands, no ssh (no pty) but works with scp/sftp
from="200.140.190.210,172.170.180.120",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1...
OR
# remote commands & ssh (w/pty)
from="200.140.190.210,172.170.180.120",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1...
OR
# a single remote command (you would need an entry for each command allowed, or have one key per command)
command="/bin/myscript",from="200.140.190.210,172.170.180.120",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1...
OR
# a single remote scp copy (you would need an entry for each directory allowed, or have one key per directory)
command="/usr/bin/scp -p -t /home/appuser/data",from="200.140.190.210,172.170.180.120",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1...
OR
# a single remote rsync copy (you would need an entry for each directory allowed, or have one key per directory)
command="/usr/bin/rsync --server -logDtpre.iLs --partial . /home/appuser/data",from="200.140.190.210,172.170.180.120",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1...

* Keys should not be under a normal application user account, if possible.. 
Explanation/example; 
The appuser contains the perms for the app (for the app running as appuser), plus this acct is used generally for deployments and making any changes to the app. Anyone using this account, or breaching this acct, would have access to all the other envs/servers, if such a key existed.

Solution: 
The applog user is used to pull logs out of an appuser log dir and the transfer keys are owned by applog user, appuser does not have access/perms to the key to get to all the other envs. In this particular case, the group for the appuser home dir was set to applog, and the group perms were set to read-only (r-x for dir, r-- for files). The applog user is not an actual account (cannot login directly, like the appuser acct cannot login directly), but is used by an automated script that is pulling the logs. To further define 'pulling', only public keys exist on the individual servers (must be this way (w/a public key), if system is external facing), and the logs are copied from a central/internal system (appadmin1).

=== Key Setup Example / Trusted Host Setup Example ===
example for hostname gwikip-nhpm1 
1. generate key on an internal/admin system/trusted host system (not allowed on systems with public IP's), naming convention is id_rsa-`hostname -s`_`whoami` OR (optional) id_rsa-`hostname -s`_`whoami`-keyfunctionORscriptname 
Note: as mentioned above; default path/default keys MUST NOT BE USED (keys must not be automatically picked up/used by ssh), using a particular key must be specified with ssh/scp/sftp/rsync options, hostname field in the naming convention can be `hostname -s` or another abbreviated representation of the host (enough to distinguish that particular host)
# ssh-keygen
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa-nhpm1_root

2. remove domain info (leave `hostname -s` at end of key but remove the domain, .prd.example.com, .stg.example.net, etc.) and lock down the pub key (the key that gets pushed out to the various systems) 
Note: check the list of possible lockdown strings above, use of the non-shell (non-tty) lockdown is preferred, but may not work for your use case (scenario)
# vi /root/.ssh/id_rsa-nhpm1_root.pub
CHANGE (example)
...BtJ9bww== ice@gwikip-nhpm1.prd.example.net
TO
...BtJ9bww== ice@gwikip-nhpm1
AND add
from="172.220.210.130",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1...
OR
from="172.220.210.130",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1...

3. setup the .pub key on the other systems which this internal box needs to access
3a. copy the .pub key to another system
# scp -pP 222 /root/.ssh/id_rsa-nhpm1_root.pub yourlogin@glis1p-nhpm1r1:/tmp/
3b. connect to that system to setup the key
# ssh -p 222 yourlogin@gwikip-nhpm1r1
3c. become the user you are setting up the key for (usually an app user), in this case; root
# su -
OR
# sudo su - webapp
3d. make sure the .ssh dir exists, if not, you can have it automatically generated with the proper permissions for SSH 
Note: answer 'yes' but don't login (simply answering 'yes' creates the dir and sets the perms)
# ssh -p 222 localhost
3e. copy the .pub key into the .ssh dir and copy it into/append it to the authorized_keys file
# cat /tmp/id_rsa-nhpm1_root.pub >~/.ssh/id_rsa-nhpm1_root.pub
# cp ~/.ssh/id_rsa-nhpm1_root.pub ~/.ssh/authorized_keys

4. On Trusted Host systems for an application, we normally add all application users (wikiapp, webapp, hornetq, oracle, etc.) to the trusted host, and setup keys for each user to be able to connect to the nodes/systems which have one of those accounts. For general accounts like root and monitoring users (monupdate), the keys would be distributed to all systems in that application env (Beagle Production, Squawk QA, etc.).
!th.jpg|thumbnail!

=== Reference ===
Locking Down Specific Users 
Note: this is just some additional info on how to do something like this, this is not currently used on any of our systems 
User Fred cannot access anything outside of his home directory (cannot see /tmp/, /etc/, etc..)
Match User fred.jones
ChrootDirectory %h
Note: %h refers to the home directory of the user

Trusted Host Reverse Copy (forall suite of scripts)
# forall p-all 'cp -p /etc/postfix/main.cf /tmp/main.cf-$(hostname -s)'
# forcpr p-all /tmp/main.cf-* /tmp/

=== SSH Clients ===
If you are using a windows system, you should be able to run putty (Google for putty) 
If you are using a Mac (or Linux) system, you can use command line ssh if you open a Terminal window. Syntax would be something like:
# ssh -p 222 user@hostname
# ssh -p 222 jerry.jones@ops-smail1.prd.example.com

Tricks/Reference

2017-05-30T20:58:26Z

Support: /* Developer Mode */

=== Developer Mode ===
On the Settings screen, scroll down to the bottom and select About phone or About tablet. Find the Build number and tap on it seven times. A Developer options menu will now appear in the Settings screen

=== System UI Tuner ===
More fine-grained control of notifications, more control over your status bar and its pull-down menus, etc
1. Pull down the notification shade twice (to expose the Quick Settings menu), then press and hold the cog icon for a few seconds. 
It will begin to spin, then a little wrench icon will appear next to it—this is your indicator that the System UI Tuner has been enabled

2. Scroll all the way down to the bottom of the Settings menu. Depending on what version of Android you’re using, “System UI Tuner” will either be the last or next-to-last option in this menu

ADB

2017-05-30T20:57:03Z

Support:

=== Useful Docs ===
ADB is part of the Platform Tools software - https://developer.android.com/studio/releases/platform-tools.html 
Update Images/Manual update steps/commands - https://developers.google.com/android/ota 
Factory Images/Manual update steps/commands - https://developers.google.com/android/images 
USB Vendor Device ID List - https://developer.android.com/studio/run/device.html#VendorIds

=== Update (OTA) Image Steps ===
Note: requires adb tool, download an appropriate image, and verify checksum 
1. With the device powered on and USB debugging enabled (in Developer mode/menu on the phone), reboot into recovery mode
# adb reboot recovery
2. Ready the device to accept an update 
Hold the Power button and press Volume Up once, and a menu will appear. Select: Apply update from ADB. 
3. Check if you system see the device and that it is ready, should show up with "sideload" next to its name
# adb devices
4. Update the device
# adb sideload ota_file.zip
5. Once the update finishes, reboot the device by choosing: Reboot system now
6. Disable USB debugging on the Developer menu, for security, it should not be active when the device is not being updated

=== Factory Image Steps ===
Note: requires adb tool, unlock the bootloader, download an appropriate image, verify checksum, and unzip the image 
1. Run the flash-all script. This script installs the necessary bootloader, baseband firmware(s), and operating system
# ./flash-all.sh
2. Lock your bootloader

=== Unlock Bootloader ===
1. With the device powered on and USB debugging and OEM unlocking enabled (in Developer mode/menu on the phone), reboot into fastboot mode
# adb reboot bootloader
2. Unlock the bootloader. The target device will show you a confirmation screen. (This erases all data on the target device.)
2a. If you are updating a newer device (2015 and later devices, like Nexus 5X or Nexus 6P using hammerhead or angler builds)
# fastboot flashing unlock
2b. OR, If you are updating an older device (2014 and earlier)
# fastboot oem unlock

=== Lock Bootloader ===
1. With the device powered on and USB debugging and OEM unlocking enabled (in Developer mode/menu on the phone), reboot into fastboot mode
# adb reboot bootloader
2. Lock the bootloader. This will wipe the data (not the OS) on some devices.
2a. If you are updating a newer device (2015 and later devices, like Nexus 5X or Nexus 6P using hammerhead or angler builds)
# fastboot flashing lock
2b. OR, If you are updating an older device (2014 and earlier)
# fastboot oem lock
3. Disable OEM unlocking (in Developer mode/menu on the phone)

=== Adding ADB To Path ===
Temporary
# export PATH=$PATH:/path/to/adb/dir
Permanent 
add the Temporary line to the end of the .bashrc for the user
# vi ~/.bashrc

=== Linux udev Rules ===
If running adb on Linux, you may need to setup udev to allow access to your android device over USB 
Add a udev rules file that contains a USB configuration for each device you want to use for adb/development (you may want to view files in /etc/udev/rules.d/ to check syntax for your specific udev version). Each device manufacturer is identified by a unique vendor ID, as specified by the ATTR{idVendor} property. There is a list of these ID's available, but you can get this information from dmesg (dmesg|tail) after plugging in your device via USB. 
As root, create /etc/udev/rules.d/51-android.rules with contents similar to this
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0666", GROUP="plugdev"
Note: MODE specifies read/write permissions, GROUP defines which Unix group owns the device node.

Rsyslog

2017-05-22T23:46:11Z

Support: /* Docs */

PARENT PAGE LINK: [[Syslog]]

=== Docs ===
http://www.rsyslog.com/guides-for-rsyslog/

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Viewing_and_Managing_Log_Files.html (7.4.x) 
http://www.rsyslog.com/doc/v7-stable/

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Viewing_and_Managing_Log_Files.html (5.8.x) 
http://www.rsyslog.com/doc/v5-stable/

=== Logfile Format ===
Older Rsyslog versions were not logging in a traditional syslog format, and fields like time & date were not human-readble. To modify its behaviour and make the logs more decipherable, we would add or uncomment the following line (this may be the default on newer Rsyslog versions, but has not been verified)
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

Katello

2017-05-22T17:59:48Z

Support:

Note: Katello has been merged into Foreman as a Foreman plugin https://theforeman.org/plugins/katello

=== Installation ===
Install Foreman https://theforeman.org/manuals/latest/quickstart_guide.html 
Install/setup the Katello plugin https://theforeman.org/plugins

Satellite/Spacewalk/Katello

2017-05-22T17:28:38Z

Support:

[[Satellite]]

[[Spacewalk]]

[[Foreman/Katello]]

Rsyslog client

2017-05-19T23:17:52Z

Support: Support moved page Rsyslog client to Rsyslog Client without leaving a redirect

PARENT PAGE LINK: [[Syslog]]

1. See generic [[Rsyslog]] page for other config options

2. /etc/rsyslog.conf, add @sys.log.server.ip lines to the bottom of the file (optionally add logging rules, example lines are commented out at the bottom of a default rsyslog.conf file)
UDP:
# centralized logging
*.* @172.160.135.160:514
OR TCP:
# centralized logging
*.* @@172.160.135.160:514

3. Restart rsyslog service
ENT 7
# systemctl restart rsyslog
BEFORE Ent 7
# service rsyslog restart

Rsyslog server

2017-05-19T21:41:38Z

Support:

PARENT PAGE LINK: [[Syslog]]

1. See generic [[Rsyslog]] page for other config options

2. Update /etc/rsyslog.conf, add the following line to end of ModLoad/MODULES section to enable the desired server mode
UDP:
# UDP server module
$ModLoad imudp
# enable UDP server and port
$UDPServerRun 514
OR TCP:
# TCP server module
$ModLoad imtcp
# enable TCP server and port
$InputTCPServerRun 514

3. Restart rsyslog service
ENT 7
# systemctl restart rsyslog
BEFORE Ent 7
# service rsyslog restart

MySQL/MariaDB Reference

2017-05-19T21:17:34Z

Support:

*List Databases
mysql> show databases;

*List Tables
mysql> show tables;

*Change Passwords 
Note: the mysqladmin command should be run from a shell script, so as to not have this critical password exposed in the command history (preferred/more secure method) - make sure to delete the shell script after running
# mysqladmin -u root password 'new-password'

*Delete Database
mysql> drop database test;

*Creating a new DB and assigning permissions

Command line/scripted 
Note: the echo command should be run from a shell script, so as to not have a critical password exposed in the command history (preferred/more secure method) - make sure to delete the shell script after running
# mysqladmin -p create wikidb
# echo "grant index, create, select, insert, update, delete, alter, lock tables on wikidb.* to 'wikiuser'@'localhost' identified by 'password';" | mysql -p

mySQL command line 
Note: this is added to the mysql command history (not a good idea to leave the password exposed):
# mysql -p
mysql> create database wikidb;
mysql> grant index, create, select, insert, update, delete, alter, lock tables on wikidb.* to 'wikiuser'@'localhost' identified by 'password';

*Table Structure
describe SystemEvents;

*View Data (Some Query Examples)
select * from user;
select Host,User,Grant_priv from user;
select Host,Db,User,Grant_priv from db;
select * from SystemEvents where SysLogTag='CROND';
select * from SystemEvents limit 5;
select * from SystemEvents where SysLogTag like '%[%' limit 5;

*Modify Data
update SystemEvents set SysLogTag='CROND:' where SysLogTag='CROND';
update SystemEvents set SysLogTag='sshd:' where SysLogTag like 'sshd[%';

*Delete From Table
delete from SystemEvents where SysLogTag='CROND';

MySQL/MariaDB

2017-05-19T21:15:04Z

Support:

=== Overview ===
mySQL is depreciated in favor of the mariaDB replacement in newer OS version (i.e. >=7). mariaDB is created by the previous mySQL team, but the mySQL name is now owned by Oracle Corporation (so they had to change it). The new server package (yum install) is now mariadb, but the client/command line names are still mysql.

[[MySQL/MariaDB Setup]]

[[MySQL/MariaDB Reference]]

LogAnalyzer

2017-05-18T00:08:11Z

Support:

PARENT PAGE LINK: [[LogAnalyzer]]

Note: this document has been used with the following loganalyzer versions: 3.0.2 (and a few before 3.0.2), 4.1.5

=== Prerequisites ===
Rsyslog - any version that supports/includes the mySQL module or has the rsyslog-mysql rpm available
MySQL/MariaDB - See [[MySQL/MariaDB Setup]] to make sure you have MySQL or MariaDB set up/running
Apache - any version, but please use something recent, or the version included with a distro that is still receiving updates
PHP - most versions, but please use something recent, or the version included with a distro that is still receiving updates

=== Software Setup ===
1. Install rsyslog and PHP mySQL modules
# yum install rsyslog-mysql php-mysql

2. Get the latest loganalyzer package (http://loganalyzer.adiscon.com/) and copy to /tmp

3. Uncompress and move to standard RedHat/CentOS compatible 3rd party software location (/usr/share) 
NOTE: 4.1.5 is probably not the version being installed, please use the version number being installed in place of 4.1.5
# mkdir /tmp/work-syslog ; cd /tmp/work-syslog/
# tar xzvf /tmp/loganalyzer-4.1.5.tar.gz
# mkdir /usr/share/loganalyzer-4.1.5 /usr/share/doc/loganalyzer-4.1.5
# mv loganalyzer-4.1.5/* /usr/share/doc/loganalyzer-4.1.5/
# mv /usr/share/doc/loganalyzer-4.1.5/src/* /usr/share/loganalyzer-4.1.5/
# mv /usr/share/doc/loganalyzer-4.1.5/doc/* /usr/share/doc/loganalyzer-4.1.5/
# rm -rf /usr/share/doc/loganalyzer-4.1.5/doc /usr/share/doc/loganalyzer-4.1.5/src /usr/share/loganalyzer-4.1.5/doc
# ln -s /usr/share/loganalyzer-4.1.5 /usr/share/loganalyzer
# touch /usr/share/loganalyzer-4.1.5/config.php
# chown apache.apache /usr/share/loganalyzer-4.1.5/config.php

=== Rsyslog Server Setup ===
1. set up user and grant proper perms;
# mysql -p mysql
mysql> grant insert on Syslog.* to 'syslog-insert'@'localhost' identified by 'somepwA';
mysql> flush privileges;

2. Update /etc/rsyslog.conf, make sure the following lines are added 
Add the following to the end of the ModLoad/MODULES section
# enable mySql plugin/module
$ModLoad ommysql
Add the following to the beginning of the logging/RULES section (before #kern.* line)
# log all to mySql
*.* :ommysql:127.0.0.1,Syslog,syslog-insert,somepwA

3. Create database/tables
# mysql -p </usr/share/doc/rsyslog-mysql-*/createDB.sql

4. Restart rsyslog service
# service rsyslog restart

=== Apache Setup ===
NOTE: this assumes this is on the company image, which creates most of the needed dirs/files/configs) 
1. setup doc root 
NOTE: syslog1 is the short hostname (hostname -s) of the system you are installing on
# cd /home/httpd/syslog1/
# rm -rf public_html
# ln -s /usr/share/loganalyzer-3.0.2 public_html
2. setup vhost file 
add the following to /etc/httpd/conf/vhost-ssl.d/0-syslog1 (hostname -s) after ServerAdmin and before proxy section 
Note: enabling the use of a symlink is done for the dir in which the symlink resides
<Directory /home/httpd/syslog1>
Options FollowSymLinks
</Directory>
3. enable php
# cp -p /etc/httpd/conf.d/php.conf /etc/httpd/conf.d-run/
4. start up or restart apache (and make sure it starts on boot)
ENT 7
# systemctl start httpd
# systemctl enable httpd
BEFORE Ent 7
# service httpd restart
# chkconfig httpd on

=== Web Interface Setup ===
1. setup user and permissions
# mysql -p
mysql> grant select, update, insert, create, drop, alter on Syslog.* to 'syslog-read'@'localhost' identified by 'somepwB';
mysql> flush privileges;

2. web interface configuration 
2a. go to the new URL (configured in; Web Interface setup, step 3a) in a browser, you will get the following message;
Error, main configuration file is missing!
2b. click 'here' on the following message;
Click here to Install Adiscon LogAnalyzer!
2c. click 'next' on the following page;
Step 1 - Prerequisites
2d. click 'next' on the following page;
Step 2 - Verify File Permissions
2e. click 'next' on the following page;
Step 3 - Basic Configuration
2f. Fill in the following and click 'next';
Source Type: MYSQL Native
Database Name: Syslog
Database Tablename: SystemEvents
Database User: syslog-read
Database Password: somepwB
2g. Click 'here' on the following message;
Step 8 - Done
Click here to go to your installation.

=== Web Interface Fix ===
There was an issue (in older vers), that appeared more than once (possibly due to apache or php settings), where a config was populated but was not usable due to missing values. The following needed to be set in this situation to configure these settings for their default values 
1. fix config.php 
1a. edit config.php
# vi /usr/share/loganalyzer-3.0.2/config.php
1b. set ViewMessageCharacterLimit
$CFG['ViewMessageCharacterLimit'] = 80;
1c. set ViewStringCharacterLimit
$CFG['ViewStringCharacterLimit'] = 30;
1d. set ViewEntriesPerPage
$CFG['ViewEntriesPerPage'] = 50;
1e. set ViewEnableDetailPopups
$CFG['ViewEnableDetailPopups'] = 1;
1f. set EnableIPAddressResolve
$CFG['EnableIPAddressResolve'] = 1;

=== Client Rsyslog Setup ===
configure clients to connect to this central syslog server [[Rsyslog Client]]

=== Recreating mySQL database ===
If you have to recreate mySQL data from scratch (due to corruption, or other issues) 
1. make sure mysql is down
ENT 7
# systemctl stop mariadb
BEFORE Ent 7
# service mysqld stop

2. wipe out all the data (make sure this is what you want to do, otherwise if you are wiping it out due to running out of diskspace or database corruption, google how to repair mysql/mariadb innodb databases)
# rm -rf /var/lib/mysql/* /var/lib/mysql/.my*

3. restart mysql
ENT 7
# systemctl start mariadb
BEFORE Ent 7
# service mysqld start

4. purge unneeded users (link)

5. rebuild mysql & loganalyzer tables 
Rerun the following steps from above
Rsyslog Server Setup; step 1
Server mySQL Setup; steps 2-4
Web Interface Setup; step 1

Syslog

2017-05-17T21:49:17Z

Support:

[[Rsyslog]]

[[Rsyslog Client]]

[[Rsyslog Server]]

[[LogAnalyzer]]

Kickstart

2017-05-10T06:27:54Z

Support: Created page with "=== Policy === {{Kickstart-Policy}} === Running Kickstart === *Preamble* Instructions assume you have logged into one of the local kickstart servers (on example.net) and ha..."

=== Policy ===
{{Kickstart-Policy}}

=== Running Kickstart ===
*Preamble*
Instructions assume you have logged into one of the local kickstart servers (on example.net) and have sudo'd to the ks user, ex;
# ssh -p 222 sj-ks1
# sudo su - ks

1a. When building a new system, our standard is CentOS. Please try to use Enterprise 7 for everything, unless there is a specific requirement to use 6 (even when rebuilding older env's that were built under 5, per Dev Teams requirements, we've been building them under 6 instead).

When building a hadoop mgmt node, use the app image and specify these users;
hadoop hdfs mapred hbase zookeeper hue cloudera-scm hive

When building a hadoop slave node (data/jobtracker/mapreduce nodes), use the hadoop image for the hardware you're using, and specify these users (note: hadoop image now adds these users, add these users if not using the hadoop image);
hadoop hdfs mapred hbase

1b. Run the config build script (it is OK to ^C out of the process and run it again);
# mkks

2a. If you are building a VM, please configure at least the following minimum requirements (also required for physical systems, but they are normally higher than these values by default).
{{defaults}}

2b. Connect a server to the build network. If this is a new VM with an new unformatted disk, you should get the PXE menu upon booting. Alternately, you can hit F12 during the BIOS screen to get the PXE menu. If your VM already has a formatted disk and you are having trouble PXE booting; hit F12 to PXE boot, hit ESC for boot menu, or delete and re-add your hard disk. 
Note: use Firefox if kicking a Dell, IE has issues with the F12 button

3. choose the entry with the new hostname from the PXE menu

4. reboot

5. login to your new system, change the password (for the new/secure password settings, it was changed to; changeM3now!), and check for OS security updates;
# ssh -p 222 `newsystem`
# passwd
note: see the Updates section below about pushing updates back into kickstart for your next build
# yum update

6. all avail space is allocated to /home, due to this, we would normally move other user/process dirs requiring space to /home (normally ice & mysql, do not move /var/www - this dir should not be used for any of our sites/functionality). Please do not change configs or home paths (passwd file), and please continue to refer to these dirs via their original location (/var/lib/ice, /var/lib/mysql, etc). There will be many many scripts/configs that would have to be changed, it's much easier to stay with their current path designations (as long as you have the link for the existing configs/scripts to continue working). Examples;
# cd /var/lib ; mv ice /home/ ; ln -s /home/ice
# cd /var/lib ; mv mysql /home/ ; ln -s /home/mysql

7. cleanup; remove your new hostname from the PXE menu on kickstart, move your hostname.cfg file to the "old" dir (don't delete it), kickstart is now efi enabled, which has it's own/separate PXE menu (now there are 2 PXE menu files)
# mv ~/ks.cfg/hostname.cfg ~/ks.cfg/old/
On older 5.x systems (:wn to get to next file);
# vi /tftpboot/pxelinux.cfg/default /tftpboot/efidefault
On newer 6.x systems (:wn to get to next file);
# vi /var/lib/tftpboot/pxelinux.cfg/default /var/lib/tftpboot/efidefault

8. maintenance; kickstart is highly customized for our company, and patching can break bug fixes.
Please refer to /home/ks/scripts/* on any kickstart server as a reference. Of special note is the OSfixes script.

=== Suggestions ===
If you run into any issues or have suggestions, please email support, and/or add them to:
[[Kickstart ToDo List]]

=== Layout ===
iso (OS) files are in ~/iso/
mkks configs are in ~/bin/
lists of profiles/configs avail are in ~/bin/mkks.lists
list of iso's avail are in ~/bin/mkks.iso
ks.cfg configs are in ~/ks.cfg/
software (non-OS) is in ~/software/ (java, nrpe, etc..)
boot menu is at /tftpboot/pxelinux.cfg/default or /var/lib/tftpboot/pxelinux.cfg/default (depending on OS ver)
boot (pxe) files are in /tftpboot/images/ or /var/lib/tftpboot/images/ (depending on OS ver)
(the iso & pxe dir (images) tree's should be an identical directory structure)

=== Replicating kickstart files ===
tar up the master ks home dir, and use scripts/ksdiff to audit, when updating ks servers (should be a svn checkout/export);
cd ; tar cjvf /tmp/ks.tbz --exclude=.svn --exclude=iso --exclude=bin/mkks.conf --exclude=bin/mkks.iso --exclude=ks.cfg/comps --exclude=ks.cfg/old --exclude=ks.cfg/*.cfg --exclude=ks.cfg/*.prf --include=hostname.prf-sample* --exclude=ks.cfg/templates/old --exclude=stage --exclude=software/desktop *
Note: if creating a new kickstart server, a bin/mkks.iso will have to be created for the iso's that have been downloaded/copied to that system (see bin/mkks.iso-sample). Also, the tftp path may need to be modified in bin/mkks.conf (both examples are there for 6.x, or a pre-6.x env). The following packages are required; dhcp tftp-server xinetd syslinux (nfs is also, but is part of kernel / is already there). The ~/scripts/kson may be helpful, to startup services for the 1st time. Example configs are in ~/ks.cfg/etc/ (so they can be checked into subversion), and tftp boot files are in ~/ks.cfg/tftpboot/.

=== Updates ===
1. Updates can be pushed to the kickstart system and they'll get applied to a new system during build time. Normally the updates are not saved and are removed from the system after the update process. To save updates (so they can be pushed to kickstart), edit yum.conf and change keepcache to 1, before applying any of the updates;
# vi /etc/yum.conf

2. After updating your system, the update files can be pushed to kickstart. The files from the 'cachedir' defined in yum.conf (usually /var/cache/yum/updates/packages/ or /var/cache/yum/x86_64/6Server/rhel-x86_64-server-6/packages/ for RedHat 6.x) will need to be copied to the kickstart server, into the appropriate iso/`distro`/`ver`/updates dir (note, if you built a CentOS 5.2 system and have updated it to 5.3, put the updates under 5.2, NOT 5.3 - if you built a CentOS 5.5 system, the updates would go in iso/CentOS/5.5/updates/)

3. Make sure and turn off the keepcache setting and remove the leftover updates files;
# vi /etc/yum.conf
# rm -f /var/cache/yum/updates/packages/* (or /var/cache/yum/x86_64/6Server/rhel-x86_64-server-6/packages/* for RedHat 6.x)

=== Files we touch ===
[[Kickstart Files Changed]]

=== ISO Integration ===
1. periodically new Distro versions need to be added to the iso & tftpboot/images dir. Here is an example with a fictitious CentOS 9.7;
# mkdir -p ~/iso/CentOS/9.7/x86_64
# mkdir -p path-to-tftpboot-dir/images/CentOS/9.7/x86_64
# cd ~/iso/CentOS/9.7/x86_64
(download new iso(s) into this dir)
# sudo mount -o loop CentOS-9.7-x86_64-bin-DVD.iso /mnt/cdrom
# cp -p /mnt/cdrom/images/pxeboot/[org8io8public:iv]* path-to-tftpboot-dir/images/CentOS/9.7/x86_64/
(there is a new step for 6.x; mkdir images ; cp -p /mnt/cdrom/images/install.img images/ ; cp -p /mnt/cdrom/images/product.img images/)
# sudo umount /mnt/cdrom
(add new iso versions to /home/ks/bin/mkks.iso, convention is to have the highest/latest version only)
# vi ~/bin/mkks.iso

=== New Kickstart Server Setup ===
1. Kickstart a new system with latest CentOS (currently 6.x) and add the ks user and the ksadmins group

2. Install needed packages
# yum install dhcp tftp-server xinetd syslinux

3. Grab lastest kickstart setup from subversion under ks user, OR, on sj-ks1, cd to and tar the /home/work/ks dir excluding the subversion tracking files (cd /home/work/ks ; tar cjvf /tmp/ks.tbz [!i]* --exclude=.svn)

4. As root, copy various configs;
# chmod o+r /home/ks
# chown ks:ks /var/lib/tftpboot/
# cat /home/ks/ks.cfg/etc/exports >/etc/exports
# cp -p /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf-original
# cat /home/ks/ks.cfg/etc/dhcpd.conf >/etc/dhcp/dhcpd.conf

5. setup secondary network interface on 192.168.0.1 per example NIC config;
# cat /home/ks/ks.cfg/etc/ifcfg-eth1
# vi /etc/sysconfig/network-scripts/ifcfg-eth1
# ifup eth1

6. startup services
/home/ks/scripts/kson

7. As ks user, copy various configs;
# rsync -a ~/ks.cfg/tftpboot/ /var/lib/tftpboot/
# mkdir -p /var/lib/tftpboot/images/{CentOS,RedHat,Oracle}
# mkdir -p ~/iso/{CentOS,RedHat,Oracle}

8. Create mkks.conf and mkks.iso files in bin from the sample files provided, mkks.iso has the list of iso files that were downloaded to the new system based on the steps in the ISO section (previous section above). The main build script (mkks) will also look for a mkks.lists-$DOMDEF (if it's set to xyz.com, it will look for a mkks.lists-xyz.com), which may be helpful if you're not using a company domain, but still syncing with a company kickstart.

=== Building Custom ISO/USB Flash Image ===
1. extract the DVD into a temporary work area
# mkdir /home/kickstart/iso ; cd /home/kickstart/iso
# mount -o loop /home/kickstart/CentOS-7-x86_64-DVD-1511.iso /mnt/cdrom
# rsync -a /mnt/cdrom/* .
# cp -p /mnt/cdrom/.discinfo .
IF there's a 2nd DVD:
# mount -o loop /home/kickstart/CentOS-6-x86_64-DVD2.iso /mnt/cdrom
# rsync -a /mnt/cdrom/Packages/* Packages/

2. modify isolinux/isolinux.cfg file
2a. set timeout, change the following (timeout 0 means to never timeout, so don't set it to 0 unless you want to sit at the menu, and not jump right into the automated installation);
FROM:
timeout 600
TO:
timeout 1

2b. change 'linux' menu section; 
NOTE: label must match the original distro iso's label
CHECK/ADD (under "menu label .." line), if not there already:
menu default
CHANGE, remove the "quiet" argument on the append line, ex:
append initrd=initrd.img inst.stage2=hd:LABEL=CentOSx207x20x86_64 quiet
TO, and add a kickstart line:
append initrd=initrd.img inst.stage2=hd:LABEL=CentOSx207x20x86_64 inst.ks=hd:LABEL=CentOSx207x20x86_64:/ks.cfg/ks-c7a.cfg

2c. remove the following line from all other menu sections (like the DVD "check" menu);
menu default

3. copy the needed files from a kickstart system (the software tarball will be quite large);
Note: in your temporary work area for building your iso or USB image, you might want to remove 'software' files for other releases, i.e. if you are building a CentOS 7 image, remove all the el5 & el6 files, ex; rm -f software/*/*.el[56].*
IN /home/ks on a kickstart system;
# tar cjvf /tmp/ks-min.tbz ks.cfg/ks-c7a.cfg scripts
# tar cjvf /tmp/ks-sw.tbz software
IN /home/kickstart/iso on your build system;
# tar xjf /home/kickstart/ks-min.tbz
# tar xjf /home/kickstart/ks-sw.tbz
REMOVE the following;
# rm -rf software/certs.prd
(assuming you're not installing any of these)
# rm -rf software/jboss
# rm -rf software/oracle
# rm -rf software/hornetq
# rm -rf software/ice
# rm -rf software/vmware
IF not needed (if not doing a Desktop install/etc);
# rm -rf software/desktop
SETUP users & groups files (remove unneeded users, add needed users);
# vi scripts/mkusers/users scripts/mkusers/groups
REMOVE rest of company user info;
# rm -f scripts/mkusers/users[.-]*
# rm -f scripts/mkusers/ufx-*
# rm -f scripts/mkusers/groups-master

4. build the bootable media
4a. build a DVD .iso file. make sure the mkiso software is installed, and run the mkiso command;
# yum install genisoimage
# mkisofs -o /home/iso/CentOS-7.2-x86_64-kick-20160114a.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -V 'CentOS 7 x86_64' -boot-load-size 4 -boot-info-table -R -J -v -T iso/
OR
4b. build a bootable USB Flash drive. plug a USB Flash into your system, make it linux bootable (will be ext2)
# fdisk /dev/sdb
# mkfs /dev/sdb1
NOTE: label must match the original distro iso's label
# e2label /dev/sdb1 "CentOS 7 x86_64"
# yum install syslinux syslinux-extlinux
# cat /usr/share/syslinux/mbr.bin >/dev/sdb
# mount /dev/sdb1 /mnt/cdrom/
# rsync -a iso/ /mnt/cdrom/
# mv /mnt/cdrom/isolinux /mnt/cdrom/syslinux
# mv /mnt/cdrom/syslinux/
# cd /mnt/cdrom/syslinux/isolinux.cfg /mnt/cdrom/syslinux/syslinux.cfg
# extlinux -i .

Optional: Minimizing packages (.rpm's)
To save room on the DVD disk or USB Flash drive (and to make it easier to copy/replicate), you might want to minimize the repository of available packages (after the install it pulls any new packages from the internet). The easiest way to determine the list of packages needed, is to do an install based on your current ks.cfg. Once you have an installed system, you can just save the 'rpm -qa' output and remove all files except the ones needed for your install (this saved us over 3.5G on our first DVD).
# cd Packages
# for OLDFILE in * ; do FILE=$(echo "$OLDFILE" | sed 's/.rpm$//') ; if ! grep "^$FILE$" /home/kickstart/rpm-qa_c7a.txt >/dev/null ; then echo "deleting $OLDFILE.." ; rm -f $OLDFILE ; fi ; done
# cd ..
# cp repodata/*-comps.xml.gz ../comps.xml.gz
# gunzip ../comps.xml.gz
# yum install createrepo
# createrepo -g ../comps.xml .
# rm -f repodata/*-comps.xml*

=== Setting grub password ===
Enterprise 7
1. The following command will ask for a password and change grub config files (creates /boot/grub2/user.cfg)
# grub2-setpassword

Ent 4/5/6
1. create password hash. The following will ask for a password and display a sha512 hash of the password
# grub-crypt

2. edit grub config and add/change the password
# vi /boot/grub/grub.conf
ADD/edit the following line (should be after the timeout line)
password --encrypted $6$XrbtG7T7KxjKCYEz$uo4QGG9d5kEJkvVv7JBg3jB.kphXGpanpdDj7MGqsHHcdZpCOUP2dJjFI1db7RdcD.CzesOpmEEIjdqwAOEY2/

=== Reference ===
Disks >2Tb 
when using kickstart on systems that have drives greater than 2.2Tb (tested on ent 6, probably not needed on ent 7), add the following to the ks.cfg profile that was generated for the system being kicked (if modifying partitions on these systems, use gdisk, don't use fdisk)
%pre
parted -s /dev/sda mklabel gpt
%end

Legacy eth* NIC Names 
to force NIC naming to legacy eth* convention, use the following kernel params
BEFORE ENT 7
biosdevname=0
ENT 7
net.ifnames=0

Legacy INIT vs systemd

2017-05-10T06:01:52Z

Support:

Preamble 
SysVinit (before Enterprise 7) was the standard init scripts & init structure everyone has gotten familiar with, using service & chkconfig commands, with Enterprise 7 we have systemd which no longer uses the traditional init scripts or SysVinit init script location, and uses the systemctl command

=== Init Scripts Locations ===
(existing ones are good examples for creating new ones) 
SysVinit:
/etc/init.d/ - the actual init scripts
/etc/rc.d/rc#.d/ - # for the different run levels, having symlinks to the actual init scripts in /etc/init.d/

systemd:
/usr/lib/systemd/system/ - for system/OS related config files (analogous to init scripts)
/etc/systemd/system/ & /etc/systemd/system/*/ - symlinks to the actual init scripts (there are no "run levels" per se, at least not "run level" numbers)
/run/systemd/system/ - temporary runtime generated scripts (overrides system scripts)
/etc/systemd/user/ - user created scripts (overrides runtime scripts)

=== Quick Reference ===
(.service is optional, and is assumed)
# systemctl status name[.service]
# systemctl enable name[.service]
# systemctl disable name[.service]
# systemctl start name[.service]
# systemctl stop name[.service]
# systemctl restart name[.service]
# systemctl reload name[.service]
# systemctl is-active name[.service]
# systemctl list-units --type service --all
# systemctl list-units --type target --all
# systemctl get-default
# systemctl set-default graphical.target

=== systemd Logging ===

Find

2017-05-10T05:55:55Z

Support: Created page with "Cleanup/remove files older than 14 days # find /path/dir -daystart -mtime +14 -type f -delete Find/change dir perms (or execute a command based on find) # find /path/dir -t..."

Cleanup/remove files older than 14 days
# find /path/dir -daystart -mtime +14 -type f -delete

Find/change dir perms (or execute a command based on find)
# find /path/dir -type d -exec chmod g+rxs '{}'\;

Shell

2017-05-10T05:55:21Z

Support: Created page with "Awk Bash Find Perl - command line quickies Sed"

[[Awk]]

[[Bash]]

[[Find]]

[[Perl]] - command line quickies

[[Sed]]

MySQL/MariaDB

2017-05-10T04:15:27Z

Support:

1. install packages
ENT 7
# yum install mariadb-server mariadb
BEFORE Ent 7
# yum install mysql-server mysql

2. set to start at bootup
ENT 7
# systemctl enable mariadb
BEFORE Ent 7
# chkconfig mysqld on

3. start mysql server
ENT 7
# systemctl start mariadb
BEFORE Ent 7
# service mysqld start

4. secure mysql; setup root password, disallow root remote access, remove test database
# mysql_secure_installation
answer Y to all of the questions and set root password (sometimes same as OS root pw - NOT A GOOD IDEA!)
OR (see [[Changing Passwords]] for issues before running)
# mysqladmin -u root password 'new-password'
# mysql -p mysql
mysql> delete from user where User!='root';
mysql> delete from user where Host!='localhost';
mysql> delete from db;
mysql> drop database test;

5. remove additional/unneeded root acct
# mysql -p
mysql> use mysql;
mysql> delete from user where Host='127.0.0.1';

6. move database directory 
6a. stop mysql first
ENT 7
# systemctl stop mariadb
BEFORE Ent 7
# service mysqld stop
6b. move db directory to a partition that has space (/home or the partition which has space allocated for applications)
# cd /var/lib ; mv mysql /home/ ; ln -s /home/mysql
6c. start mysql
ENT 7
# systemctl start mariadb
BEFORE Ent 7
# service mysqld start

ABRT

2017-05-10T04:08:53Z

Support: Created page with "==== Disabling Correctly ==== To disable correctly, all abrt services should be disabled via chkconfig (or systemctl) and the services stopped (Note: ccpp is a kernel loadabl..."

==== Disabling Correctly ====
To disable correctly, all abrt services should be disabled via chkconfig (or systemctl) and the services stopped (Note: ccpp is a kernel loadable module, the stop command should rmmod it, and status should show that it is unloaded):
ENT 6 or earlier:
# chkconfig abrtd off
# chkconfig abrt-ccpp off
# chkconfig abrt-oops off
# service abrt-ccpp stop
# service abrt-oops stop
# service abrtd stop
OR, more correctly (some systems have more abrt modules installed)
# for FILE in /etc/init.d/abrt-* ; do SERVICE=$(basename $FILE) ; chkconfig $SERVICE off ; service $SERVICE stop ; done ; chkconfig abrtd off ; service abrtd stop
ENT 7
# for SERVICE in $(systemctl list-unit-files | grep 'abrt-' | awk '{print $1}') ; do systemctl disable $SERVICE ; systemctl stop $SERVICE ; done ; systemctl disable abrtd ; systemctl stop abrtd

==== Running/Fixing Email ====
If enabled, it needs to be setup to have a valid From: (EmailFrom=) address (defaults to user@localhost, which causes it to bounce/not be accepted by our mail servers)
# cat /etc/libreport/plugins/mailx.conf

# Uncomment and specify these parameters if you want to use
# reporter-mailx tool outside of libreport's GUI
# (i.e. from command line or in custom scripts)
# and you don't want to specify parameters in every tool invocation.
#
# String parameters:
# Subject=
# EmailFrom=
# EmailTo=
#
# Boolean parameter:
# SendBinaryData=yes/no
SET THESE (minimal settings needed to fix email routing):
EmailFrom=sa-general@example.net
EmailTo=sa-general@example.net

Apache

2017-05-10T02:59:18Z

Support: /* Files/Directories Layout */

=== Policy ===
{{Apache-Policy}}

=== Overview ===
Our Changes 
The Apache configuration has been modified slightly to address several security concerns. 
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, nor ever get used. In our case, these end up being disabled by default, since we actually use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run). 
We also create vhost.d (for http URL's) and vhost-ssl.d (for https URL's) directories for virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories which does not serve out any of the sites (when going to the servers IP), but require a valid URL to get to a real/application page. 
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost naming, with conf.vhost.d and conf.vhost-ssl.d directories. 7 also adds a conf.modules.d, and thus has our corresponding conf.modules.d-run directory is configured/added. 
SSL/Certificates 
For IP/certs used for any/all URL's, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions for that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IP's would need to be used (and the mask section duplicated for the additional IP). 
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve. 
Note: 2.2.9 added support for ProxyPassReverse balancer://

=== Documentation References ===
Enterprise 6
http://httpd.apache.org/docs/2.2/
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
http://httpd.apache.org/docs/2.2/howto/auth.html

Enterprise 7
http://httpd.apache.org/docs/2.4/
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html
http://httpd.apache.org/docs/2.4/howto/auth.html

=== VHost Example ===
Note: the mask section we put in a file named 0-mask (we add the '0-' so it shows up in the dir listing first, i.e. it gets loaded first by apache), the real virtual host (or many virtual host files) should be in their own file(s) based on their URL(s) (a file named 'syslog' in this case)

# mask server name & url's
<VirtualHost 172.16.1.11:443>
ServerName 172.16.1.11
DocumentRoot /home/httpd/syslog1/public_html

# ssl settings
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem

# uncomment if used for the real url's below
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt
</VirtualHost>

# real url's below
<VirtualHost 172.16.1.11:443>
ServerName syslog.example.com
ServerAlias syslog1.prd.example.net syslog1
DocumentRoot /home/httpd/syslog1/public_html
ServerAdmin webmaster@example.com

SetOutputFilter DEFLATE

# settings for being a proxy
#ProxyTimeout 1200
#ProxyStatus Full
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
# load balancer settings for multiple app servers
#<Proxy balancer://cluster1>
# BalancerMember http://172.16.1.12:8080 route=1
# BalancerMember http://172.16.1.13:8080 route=2
# ProxySet stickysession=ROUTEID
#</Proxy>
#ProxyPass /apache-info !
#ProxyPass /apache-status !
#ProxyPass /balancer-manager !
#ProxyPass /jmx-console !
#ProxyPass /web-console !
# single app server settings
#ProxyPass / http://172.16.1.12:8080/app-path/
#ProxyPassReverse / http://172.16.1.12:8080/app-path/
# multiple app servers settings
#ProxyPass / balancer://cluster1/app-path/
#ProxyPassReverse / balancer://cluster1/app-path/

# turn on some minimal caching (on disk) - causes issues where authentication is used
#CacheEnable disk /
#CacheRoot "/var/cache/mod_proxy"
#CacheDirLevels 3
#CacheDirLength 5
#CacheIgnoreCacheControl On
#CacheMaxFileSize 100000
#CacheIgnoreNoLastMod On
#CacheMaxExpire 1209600
#CacheIgnoreQueryString On

# ssl settings
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem

# require client certs
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt

# logging
ErrorLog logs/syslog1-error_log
# for log analyzers
CustomLog logs/syslog1-access_log combined
# for humans
CustomLog logs/syslog1-custom_log custom
</VirtualHost>

VirtualHost line should have :80 instead of :443 if not ssl/https (and should be in vhost.d dir)
All SSL* lines are ssl only, do not include these if not ssl/https
Proxy* lines are only if this is a proxy for another app server(s) or a local app (use appropriate IP's)

=== Proxy VHost Example ===
Note: the mask section should be/is in a file named 0-mask, the real virtual host(s) (syslog in this case) should be in their own file(s) based on their URL (a file named 'syslog' in this case)

# mask server name & url's
<VirtualHost 172.16.1.11:443>
ServerName 172.16.1.11
DocumentRoot /home/httpd/syslog1/public_html

# ssl settings
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem

# uncomment if used for the real url's below
# require client certs
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt
</VirtualHost>

# real url's below
<VirtualHost 172.16.1.11:443>
ServerName syslog1.example.com
ServerAlias syslog1.prd.example.net syslog1
DocumentRoot /home/httpd/syslog1/public_html
ServerAdmin webmaster@example.com

SetOutputFilter DEFLATE

# settings for being a proxy
ProxyTimeout 1200
ProxyStatus Full
SSLProxyEngine on
# load balancer settings for multiple app servers
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
#<Proxy balancer://cluster1>
# BalancerMember http://172.16.1.12:8080 route=1
# BalancerMember http://172.16.1.13:8080 route=2
# ProxySet stickysession=ROUTEID
#</Proxy>
ProxyPass /apache-info !
ProxyPass /apache-status !
ProxyPass /balancer-manager !
ProxyPass /jmx-console !
ProxyPass /web-console !
# single app server settings
#ProxyPass / http://172.16.1.12:8080/app-path/
#ProxyPassReverse / http://172.16.1.12:8080/app-path/
# multiple app servers settings (requires Header & Proxy balancer section above)
#ProxyPass / balancer://cluster1/app-path/
#ProxyPassReverse / balancer://cluster1/app-path/

# turn on some minimal caching (on disk) - causes issues where authentication is used
#CacheEnable disk /
#CacheRoot "/var/cache/mod_proxy"
#CacheDirLevels 3
#CacheDirLength 5
#CacheIgnoreCacheControl On
#CacheMaxFileSize 100000
#CacheIgnoreNoLastMod On
#CacheMaxExpire 1209600
#CacheIgnoreQueryString On

# ssl settings
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem

# require client certs
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt

# logging
ErrorLog logs/syslog1-error_log
# for log analyzers
CustomLog logs/syslog1-access_log combined
# for humans
CustomLog logs/syslog1-custom_log custom
</VirtualHost>

=== httpd.conf Example ===
We change the following lines in the default httpd.conf file 
Note: for ent 7: many of these lines are not in the main httpd.conf file any longer (as they were split out into several additional files that could be copied into a conf.d type dir), and the last line is: Include conf.vhost.d/*.conf
ServerTokens Prod

KeepAlive On

#LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_alias_module modules/mod_authn_alias.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so

#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so

#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule include_module modules/mod_include.so

#LoadModule logio_module modules/mod_logio.so
#LoadModule env_module modules/mod_env.so
#LoadModule ext_filter_module modules/mod_ext_filter.so

#LoadModule expires_module modules/mod_expires.so

#LoadModule dav_module modules/mod_dav.so

#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule negotiation_module modules/mod_negotiation.so

#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule userdir_module modules/mod_userdir.so

#LoadModule substitute_module modules/mod_substitute.so
#LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so

#LoadModule suexec_module modules/mod_suexec.so

#LoadModule cgi_module modules/mod_cgi.so
#LoadModule version_module modules/mod_version.so

Include conf.d-run/*.conf

ExtendedStatus On

Options FollowSymLinks

<Directory /home/httpd/*/public_html>
AllowOverride None
Options FollowSymLinks
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ts # %h (%a) %u \"%{User-Agent}i\"" custom
#LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ob %Ts # %h (%a) %Ib %u \"%{User-Agent}i\"" customio

ServerSignature Off

Options MultiViews FollowSymLinks

#AddLanguage ca .ca
#AddLanguage cs .cz .cs
#AddLanguage da .dk
#AddLanguage de .de
#AddLanguage el .el
#AddLanguage en .en
#AddLanguage eo .eo
#AddLanguage es .es
#AddLanguage et .et
#AddLanguage fr .fr
#AddLanguage he .he
#AddLanguage hr .hr
#AddLanguage it .it
#AddLanguage ja .ja
#AddLanguage ko .ko
#AddLanguage ltz .ltz
#AddLanguage nl .nl
#AddLanguage nn .nn
#AddLanguage no .no
#AddLanguage pl .po
#AddLanguage pt .pt
#AddLanguage pt-BR .pt-br
#AddLanguage ru .ru
#AddLanguage sv .sv
#AddLanguage zh-CN .zh-cn
#AddLanguage zh-TW .zh-tw

#LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

#ForceLanguagePriority Prefer Fallback

#AddHandler type-map var

#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml

<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1 10.117.100
</Location>

<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from 127.0.0.1 10.117.100
</Location>

# Security Directives
# note: FileETag changes break DAV
FileETag MTime Size
TraceEnable Off
Header always append X-Frame-Options SAMEORIGIN

Include conf/vhost.d/*

=== SSL Example ===
We change the following lines in the default ssl.conf file (make sure there is no SSLProtocol & SSLCipherSuite lines in any VirtualHost configurations, or setting the default SSLProtocol & SSLCipherSuite lines in ssl.conf have no effect) 
Note: for ent 7, the last line is: Include conf.vhost-ssl.d/*.conf
#<VirtualHost _default_:443>

#SSLEngine on

SSLProtocol all -SSLv2 -SSLv3

Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
SSLInsecureRenegotiation off
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#<Files ~ ".(cgi|shtml|phtml|php3?)$">
# SSLOptions +StdEnvVars
#</Files>
#<Directory "/var/www/cgi-bin">
# SSLOptions +StdEnvVars
#</Directory>

#</VirtualHost>

Include conf/vhost-ssl.d/*

=== Files/Directories Layout ===

Files

(before ent 7)
/etc/httpd/conf/httpd.conf - main config (available from subversion)
/etc/httpd/conf.d/ - default auto load config location - DISABLED - installation of new packages MAY add a config file here
/etc/httpd/conf.d-run/ - active auto load config location (if you really want a config activated from conf.d, copy it here)
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualhost setting)
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)
/etc/httpd/conf/vhost.d/0-mask (non-https config - DISCOURAGED - mask config & NameVirtualhost setting)
/etc/httpd/conf/vhost.d/`hostname -s` (non-https config - DISCOURAGED - default virtual host config)

(ent 7)
/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)
/etc/httpd/conf.d/ - default auto load config location - DISABLED - installation of new packages MAY add a config file here
/etc/httpd/conf.d-run/ - active auto load config location (if you really want a config activated from conf.d, copy it here) - we put additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config & NameVirtualhost setting)
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)
/etc/httpd/conf.vhost.d/0-mask.conf (non-https config - DISCOURAGED - mask config & NameVirtualhost setting)
/etc/httpd/conf.vhost.d/`hostname -s`.conf (non-https config - DISCOURAGED - default virtual host config)
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)
/usr/share/doc/httpd-2.4.6/httpd-default.conf - additional config directives we use/change (see httpd.conf Example above), copied to conf.d-run
/usr/share/doc/httpd-2.4.6/httpd-info.conf - additional config directives we use/change (see httpd.conf Example above), copied to conf.d-run
/usr/share/doc/httpd-2.4.6/httpd-mpm.conf - additional config directives we use/change (see httpd.conf Example above), copied to conf.d-run
/usr/share/doc/httpd-2.4.6/proxy-html.conf - additional config directives we use/change, copied to conf.d (as a reference and/or if needed as a proxy, and copied to conf.d-run)

Dirs

Notes: The use of .d-run directories protects the currently configured apache from being affected by updates changes and insecure additions of configuration files from installation of new packages. We want additions to be disabled by default, per policy. If a feature is needed, the file is copied from the corresponding .d directory to the .d-run equivalent (ex; from conf.d to conf.d-run).

(before ent 7)
/etc/httpd/
|-- conf : (main apache conf dir)
| |-- vhost-ssl.d : (ssl virtual host files)
| `-- vhost.d : (non-ssl virtual host files)
|-- conf.d : (unused, new installs/updates go here)
|-- conf.d-run : (real/runtime conf.d dir)
|-- logs : (link to /var/log/httpd/)
|-- modules : (link to /usr/lib64/httpd/modules/)
`-- run : (link to /var/run/httpd/)

(ent 7)
/etc/httpd/
|-- conf : (main apache conf dir)
|-- conf.d : (unused, new installs/updates go here)
|-- conf.d-run : (real/runtime conf.d dir)
|-- conf.modules.d : (unused, new installs/updates go here)
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)
|-- conf.vhost-ssl.d : (ssl virtual host files)
|-- conf.vhost.d : (non-ssl virtual host files)
|-- logs : (link to /var/log/httpd/)
|-- modules : (link to /usr/lib64/httpd/modules/)
`-- run : (link to /run/httpd/)

=== Apache Quick Reference ===

Commands

Preferred Restart (does not disconnect users/no downtime)
# service httpd graceful

Status
# service httpd status

Test Configuration
# service httpd configtest

Misc Settings

Port 80/http redirect to https
Redirect Permanent / https://wiki.example.com/

redirect to login page
Redirect Permanent / https://beagle.example.com/WORMS/login.htm

Enable compression
SetOutputFilter DEFLATE

Interesting URL's
https://hostname/apache-status (current traffic)
https://hostname/apache-info (configuration)

OS Security Configuration Policy

2017-05-10T01:20:17Z

Support:

=== OS / Kickstart Policy ===
{{Kickstart-Policy}}

=== User / Password Policy ===
{{User-Policy}}

=== Sudo Policy ===
{{Sudo-Policy}}

=== Security Policy ===
{{Security-Policy}}

=== SSH Policy ===
{{SSH-Policy}}

=== Software Policy ===
{{Software-Policy}}

=== Mail Policy ===
{{Mail-Policy}}

=== Apache Policy ===
{{Apache-Policy}}

LVM

2017-05-09T20:09:06Z

Support:

(all of these apply to both VM and physical systems)

=== Resizing Existing Mountpoints (adding more space) ===
1. if this is Enterprise 3 or older, umount partition (not needed under Ent 4 and newer)
# umount /home/arsystem

2. check free space available
# vgdisplay pri | grep "Free PE"
Free PE / Size 1413 / 44.16 GB

3. add desired space to partition
Ent 7
# lvextend -l +1413 -r /dev/pri/arsystem
OR
# lvextend -l +1413 /dev/pri/arsystem
# xfs_growfs /dev/pri/arsystem

Ent 5/6
# lvextend -l +1413 -r /dev/pri/arsystem
OR
# lvextend -l +1413 /dev/pri/arsystem
# resize2fs /dev/pri/arsystem

Ent 4 only (e2fsadm not avail on Ent 4);
# lvextend -l +1413 /dev/pri/arsystem
# ext2online /dev/pri/arsystem

Ent 3 only;
# e2fsadm -l +1413 /dev/pri/arsystem
Note: if you run this command and the fsck gives errors, fix the errors by running fsck manually, and then run the command again (it will not do it's resizing until fsck runs cleanly)

4. if this is Ent 3 or older, mount partition (not needed under Ent 4 and newer)
# mount /arsystem

=== Resizing Existing Mountpoints (reducing space) ===
1. if this is Ent 3 or older, umount partition (not needed under Ent 4 and newer)
# umount /home/arsystem

2. check free space available
# df -h | grep arsystem
/dev/mapper/pri-arsystem 199G 13M 198G 1% /home/arsystem

3. set desired space of partition
Ent 7
NOTE: if reducing xfs, backup your data, you have to recreate the filesystem, all will be lost!
# lvreduce -L 10G /dev/pri/arsystem
# mkfs -t xfs /dev/pri/arsystem

Ent 5/6
# lvreduce -L 10G /dev/pri/arsystem
# resize2fs /dev/pri/arsystem

Ent 4 only (e2fsadm not avail on Ent 4);
# lvreduce -L 10G /dev/pri/arsystem
# ext2online /dev/pri/arsystem

Ent 3 only;
# e2fsadm -L 10G /dev/pri/arsystem
Note: if you run this command and the fsck gives errors, fix the errors by running fsck manually, and then run the command again (it will not do it's resizing until fsck runs cleanly)

4. if this is Ent 3 or older, mount partition (not needed under Ent 4 and newer)
# mount /home/arsystem

=== Resizing SWAP ===
1. unmount swap (the one you want to resize - 'usually' there is only one)
# swapoff /dev/pri/swap

2. check free space, then add desired space to partition
# vgdisplay pri | grep "Free PE"
Free PE / Size 1413 / 44.16 GB
# lvextend -L +4g /dev/pri/swap

3. rebuild swap filesystem (there is no swap resize command)
# mkswap /dev/pri/swap

4. re-enable swap
# swapon /dev/pri/swap

5. verify using 'free' command that new size is in use
# free | grep Swap
Swap: 4192924 0 4192924

=== Adding Partitions (existing space available) ===
1. create new logical volume;
# lvcreate -L 8G -n arsystem pri
OR;
to use all of the remaining space, check "Free PE" from vgdisplay, then use -l option instead of -L, example;
# vgdisplay pri | grep "Free PE"
Free PE / Size 1413 / 44.16 GB
# lvcreate -l 1413 -n arsystem pri

2. create filesystem;
Ent 7
# mkfs -t xfs /dev/pri/arsystem
Ent 6
# mkfs -t ext4 /dev/pri/arsystem
Ent 5 or earlier
# mkfs -t ext3 /dev/pri/arsystem

3. make mountpoint;
# mkdir /home/arsystem

4. add to fstab;
# vi /etc/fstab

5. test fstab entry by mounting w/fstab info;
# mount /home/arsystem

=== Removing Partitions (for re-allocating/freeing up space) ===
1. umount partition
# umount /u001

2. remove LVM volume
# lvremove /dev/pri/u001

3. remove from fstab
# vi /etc/fstab

=== Snapshot Partitions ===
create a snapshot of an existing LVM partition
# lvcreate -L 1G -s -n remedyss /dev/pri/remedy
Note: this can now be mounted and used to back up this frozen copy of your filesystem. To remove when done, follow Removing Partitions (above)

=== Restore Snapshots ===
1. unmount the partition to make sure nothing else can write to it while restoring
# umount /dev/pri/remedy
2. merge the snapshot back into the original partition
# lvconvert --merge /dev/pri/remedyss

=== Adding New Drives (existing space NOT available) ===
(this step assumes you added a new drive, whether physical for a physical sys, or virtual for a virtual sys)
1. create a single partition as type LVM (8e) for the whole drive
# fdisk /dev/sdb
Note: if the new drive was added to a 'live' system, and it is not showing under 'fdisk -l', rescan with (may need to do this with more than host0, i.e. host0, host1, etc.):
echo "- - -" > /sys/class/scsi_host/host0/scan

2. initialize new drive as LVM
# pvcreate /dev/sdb1

3. add new drive to existing LVM volume
# vgextend pri /dev/sdb1
OR
# vgcreate sec /dev/sdb1

=== Renaming Volume Group & Logical Volume Names ===
*Rename Logical Volume (partition name)*
# lvrename /dev/pri/HomeVol home
(make sure to update fstab with the change)

*Rename Volume Group*
# vgrename VolGroup00 pri
(make sure to update fstab with the change)

Filesystem

2017-05-09T19:56:37Z

Support: Created page with "=== create filesystem === Before enterprise 6 # mke2fs -t ext3 /dev/pri/arsystem OR for ent6 # mke2fs -t ext4 /dev/pri/arsystem OR for ent7 # mke2fs -t xfs /dev/pri/ars..."

=== create filesystem ===
Before enterprise 6
# mke2fs -t ext3 /dev/pri/arsystem
OR for ent6
# mke2fs -t ext4 /dev/pri/arsystem
OR for ent7
# mke2fs -t xfs /dev/pri/arsystem

=== increasing inodes ===
if a filesystem has run out of inodes (df -i), the filesystem has to be recreated, there is currently no way to increase the inode limit on an existing filesystem. when the filesystem is created, the bytes per inode ratio (16384 is the default) needs to be modified (use appropriate filesystem type, see "create filesystem" above)
# mke2fs -t ext4 -i 4096 /dev/pri/arsystem

Disk

2017-05-09T19:55:35Z

Support:

=== add new drive ===
this step assumes a new drive was added, whether physical for a physical sys, or virtual for a virtual sys. if adding to a system using LVM, set the partition type to 8e (LVM), see "LVM Quick Reference" for adding to the LVM Disk Group for use with LVM partitions
# fdisk /dev/sdb

Note: if the new drive was added to a 'live' system, and it's not showing under 'fdisk -l', rescan with (may need to do this with more than host0, i.e. host0, host1, etc.);
# echo "- - -" > /sys/class/scsi_host/host0/scan

=== drives greater than 2Tb ===
MBR (<=2.2Tb/32bit):
# fdisk /dev/sda
GPT (<=2.2Zb/64bit):
# gdisk /dev/sda

using kickstart on systems that have drives greater than 2.2Tb (tested on ent 6, probably not needed on ent 7) 
add the following to the ks.cfg profile that was generated for the system being kicked

%pre
parted -s /dev/sda mklabel gpt
%end

Filesystems

2017-05-09T19:53:27Z

Support: Created page with "Disk Filesystem LVM"

[[Disk]]

[[Filesystem]]

[[LVM]]

Multi-NIC

2017-05-09T19:29:43Z

Support:

=== Multi-NIC Routing (ent 7) ===
The multi-NIC routing scenario has not yet been tried/tested on Enterprise 7. Things may work correctly based on (possibly) proper gateway settings per NIC (if this works correctly under ent 7). If not, we know how to add static routes on ent 7, and can replicate the configuration for pre-ent 7 envs via Network Manager (nmcli).

There was some testing done here, we ended up doing the Source-based Routing (below).

=== Multi-NIC Routing (before ent 7) ===
Before Enterprise 7, since we could not have a gateway (that works) per interface (even though it lets you set a gateway in every interface config file; but which overwrites the default gateway), we have to set the default gateway to the outside or customer facing network (since we cannot possibly know all IP's/networks these connections would be coming from), and then set static routes to every possible network and host it needs access to for our inside network. Here is an example for /etc/sysconfig/network-scripts/route-eth1 (where the eth0/default is the primary/outside/customer network, and eth1 is the secondary/internal/private network).

Static list for NOTEL (example, the NOTEL data center no longer exists)
# default network (set this for your specific env/stack)
ADDRESS0=172.200.200.0
NETMASK0=255.255.255.0
GATEWAY0=172.200.200.1
# VPN network
ADDRESS1=10.100.100.0
NETMASK1=255.255.255.0
GATEWAY1=172.200.200.1
# DNS host 1
ADDRESS2=210.210.90.80
NETMASK2=255.255.255.255
GATEWAY2=172.200.200.1
# DNS host 2
ADDRESS3=210.210.120.140
NETMASK3=255.255.255.255
GATEWAY3=172.200.200.1
# spacewalk host
ADDRESS4=172.200.90.60
NETMASK4=255.255.255.255
GATEWAY4=172.200.200.1
# trusted host
ADDRESS5=172.200.90.50
NETMASK5=255.255.255.255
GATEWAY5=172.200.200.1

=== Teaming (ent 7) ===
1. add the teaming inferface
# nmcli con add type team con-name team0 ifname team0 config '{"runner": {"name": "loadbalance"}}'

2. set IP address info
# nmcli con mod team0 ipv4.method manual ipv4.addresses 172.100.200.140/24

3. add the first NIC
# nmcli con add type team-slave con-name team0-slave1 ifname em1 master team0

4. add the second NIC
# nmcli con add type team-slave con-name team0-slave2 ifname em2 master team0

=== Bonding (before ent 7) ===
Before Enterprise 7, interface Bonding was configured via various config files in /etc/sysconfig/network-scripts/ (this has been rewritten in ent 7 and is now called Teaming), example setup;

eth0 config (ifcfg-eth0)
# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=D4:BE:D9:AA:D7:16
MASTER=bond0
SLAVE=yes

eth1 config (ifcfg-eth1)
# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
HWADDR=D4:BE:D9:AA:D7:18
MASTER=bond0
SLAVE=yes

bond0 config (ifcfg-bond0)
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
BONDING_OPTS="miimon=100 mode=1"
IPADDR=172.200.110.140
NETMASK=255.255.255.0

Additional bond IP's
bond0:0 config (ifcfg-bond0:0)
DEVICE=bond0:0
BOOTPROTO=none
ONBOOT=yes
IPADDR=172.200.110.200
NETMASK=255.255.255.0

ifconfig output
bond0 Link encap:Ethernet HWaddr D4:BE:D9:AA:D7:16
inet addr:172.200.110.140 Bcast:172.200.110.255 Mask:255.255.255.0
inet6 addr: fe80::d6be:d9ff:feaa:d716/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:951518061 errors:0 dropped:244110 overruns:0 frame:0
TX packets:377721364 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:868579848472 (808.9 GiB) TX bytes:88332253777 (82.2 GiB)

bond0:0 Link encap:Ethernet HWaddr D4:BE:D9:AA:D7:16
inet addr:172.200.110.200 Bcast:172.200.110.255 Mask:255.255.255.0
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1

eth0 Link encap:Ethernet HWaddr D4:BE:D9:AA:D7:16
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:244110 errors:0 dropped:244110 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15623040 (14.8 MiB) TX bytes:0 (0.0 b)

eth1 Link encap:Ethernet HWaddr D4:BE:D9:AA:D7:18
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:3095102322 errors:0 dropped:0 overruns:0 frame:0
TX packets:2613440853 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2651544232860 (2.4 TiB) TX bytes:1948544659918 (1.7 TiB)

=== Renumbering Ports (ent 6) ===
Example is from a R630 system used as an appliance with 4 ports on the motherboard that had 2 coppper & 2 fiber. For this appliance they wanted the 2 copper ports to be eth0/1 and the fiber be eth2/3, but a recently built system had them designated in reverse. The renaming/mapping went as follows;
eth0 (fiber) -> eth2
eth1 (fiber) -> eth3
eth2 (copper) -> eth0
eth3 (copper) -> eth1

Relabel the ports by changing the udev net rules file, change eth0 to eth2, etc, change only the NAME= lines (as mentioned in the comment at the top of the file)
# vi /etc/udev/rules.d/70-persistent-net.rules

Rename all the network config files
# cd /etc/sysconfig/network-script/
# cp ifcfg-eth* /tmp/
# cp /tmp/ifcfg-eth0 ifcfg-eth2
etc

Fix the device names in each file, new ifcfg-eth0 has DEVICE=eth2, change this to say eth0, etc
# vi ifcfg-eth?

Reboot when done to properly pick up all the udev/network config changes/etc

=== Source-based Routing (ent 7) ===
Note: using NetworkManager

In this scenario, the system is using the gateway on the primary NIC. Any incoming packets on the 2nd interface end up going out the primary interface, and packets are not returning to devices on the 2nd network.

Note: table '2' was chosen since this is the 2nd NIC. Names can be used if the proper mapping is set in /etc/iproute2/rt_tables

1. Add policy routing to NetworkManager
# yum install NetworkManager-dispatcher-routing-rules
# systemctl enable NetworkManager-dispatcher.service
# systemctl start NetworkManager-dispatcher.service

2. Add policy rule 
Note: ens33 is the 2nd NIC, 10.160.130.250 is the NIC IP
# vi /etc/sysconfig/network-scripts/rule-ens33
iif ens33 table 2
from 10.160.130.250 table 2

3. Add static routes using policy rules (may be able to do this w/nmcli) 
Note: 10.60.130.0/24 is the subnet/cidr of the 2nd network, 10.160.130.1 is the gateway
# vi /etc/sysconfig/network-scripts/route-ens33
10.160.130.0/24 dev ens33 table 2
default via 10.160.130.1 dev ens33 table 2

4. Load the new/changed config files
# nmcli connection reload
# nmcli connection down ens33 ; nmcli connection up ens33

Network

2017-05-09T19:28:13Z

Support: Created page with "General - basic network configuration Multi-NIC - multiple NIC related config (Teaming / Bonding / Etc.) Firewall"

[[General]] - basic network configuration

[[Multi-NIC]] - multiple NIC related config (Teaming / Bonding / Etc.)

[[Firewall]]

Cert Mgmt

2017-05-09T18:16:40Z

Support: Created page with "==== Convert a certificate file (.crt) to .pem ==== # openssl x509 -in cert.crt -outform pem -out cert.pem ==== Convert a certificate file and a private key with a CA cert..."

==== Convert a certificate file (.crt) to .pem ====
# openssl x509 -in cert.crt -outform pem -out cert.pem

==== Convert a certificate file and a private key with a CA cert or intermediate bundle to PKCS#12 (.pfx .p12) ====
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

==== Convert a certificate file and a private key to PKCS#12 (.pfx .p12) ====
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

==== Convert a certificate file and a private key to PKCS#12 (.pfx .p12) with a friendlyName (used for Remedy cert) ====
# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -name mycert

==== Convert a certificate file, or a CA cert, or an intermediate bundle to PKCS#12 (.pfx .p12) ====
# openssl pkcs12 -export -out certificate.pfx -nokeys -nodes -in certificate.crt

==== Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM ====
Note: you can add -nocerts to only output the private key or add -nokeys to only output the certificates
# openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

==== Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to separate .crt/.key files ====
# openssl pkcs12 -in keyStore.pfx -out keyStore.key -nocerts
# openssl pkcs12 -in keyStore.pfx -out keyStore.crt -nokeys

==== Convert a CRL/Certificate Revocation List file (.crl) to PEM (allows grep'ing for serial numbers) ====
# openssl crl -inform DER -text -in gds1-53.crl -out gds1-53.pem

==== Convert a OpenSSL >= 1.0 key file to a OpenSSL < 1.0 format key file ====
# openssl rsa -in privateKey.pem -des3 -out newPrivateKey.pem

==== Remove a passphrase from (or decrypt) a private key ====
# openssl rsa -in privateKey.pem -out newPrivateKey.pem

==== View expiry dates on a cert (works on most certs, .crt, .pem, etc.) ====
# openssl x509 -noout -dates -in certificate.crt

==== View URL/CN on a cert (works on most certs, .crt, .pem, etc.) ====
# openssl x509 -noout -subject -in certificate.crt

==== View a text dump of a cert's settings and configuration (works on most certs, .crt, .pem, etc.) ====
# openssl x509 -noout -text -in certificate.crt

==== View a text dump of a p7b cert ====
# openssl pkcs7 -text -noout -print_certs -in gd_iis_intermediates.p7b

==== View all ciphers available in the currently installed openssh ====
# openssl ciphers 'ALL:eNULL' | sed -e 's/:/n/g' | sort

==== View a cert bundle (file with many certs) ====
the problem with trying to query a cert bundle, openssl will only read the first cert in the bundle, so to query all of the certs, they would all need to be broken out into many files each containing only one of the certs from the bundle. But, here's how you can do that:
Note: you should do this in a temp dir/temp work area. ca-bundle.crt currently has approx. 170 certs, so this will gen approx. 170 files
SCRIPT:
# cat certsplit
F=$1
csplit -k -f $F -b '-%03d' -z $F '/END CERTIFICATE/+1' {*}
# ./certsplit ca-bundle.crt
# for C in ca-bundle.crt-* ; do echo $C ; openssl x509 -noout -subject -dates -in $C ; done
OR command line:
# F=ca-bundle.crt ; csplit -k -f $F -b '-%03d' -z $F '/END CERTIFICATE/+1' {*}
# for C in ca-bundle.crt-* ; do echo $C ; openssl x509 -noout -subject -dates -in $C ; done

==== Certificate Authority setup ====
A CA tree already exists on every system under /etc/pki/CA, to generate certs;
# /etc/pki/tls/misc/CA -?

Running the CA script with a modified openssl.cnf
# SSLEAY_CONFIG="-config /tmp/openssl.cnf" /etc/pki/tls/misc/CA -newca

Generating sha256 certs
Make a copy of openssl.cnf
openssl.cnf, set [ CA_default ] and [ req ] sections
75c75
< default_md = sha256 # use public key default MD
---
> default_md = default # use public key default MD
107c107
< default_md = sha256
---
> default_md = sha1

Change number of days
Make a copy of the CA script and openssl.cnf
openssl.cnf, set [ CA_default ] section
73c73
< default_days = 1825 # how long to certify for
---
> default_days = 365 # how long to certify for

CA, set CADAYS

64c64
< CADAYS="-days 1825" # 5 years
---
> CADAYS="-days 1095" # 3 years

==== Generating certs with extended attributes ====
Example for multiple DNS names (CN's)

1. make a copy of the openssl config file (the changes will be specific to this one new cert being generated)
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf-www

2. modify the new config file
# vi /etc/pki/tls/openssl.cnf-www
UNDER [ req ] section, uncomment/change;
# req_extensions = v3_req # The extensions to add to a certificate request
TO
req_extensions = v3_req # The extensions to add to a certificate request
UNDER [ v3_req ] section, add your extended attributes, add the following line;
subjectAltName = DNS:www.example.com, DNS:example.com

3. run a openssl cert generation command using the new config file
# openssl req -config /etc/pki/tls/openssl.cnf-www -utf8 -new -key www.example.com.key -out www.example.com.csr

==== Add / Remove Certs To / From a Keystore ====
Note : default passwords are "changeit" or "changeme", default alias is "mykey"
# keytool -import -file cert.crt -keystore keystorefilename -alias certalias
# keytool -delete -alias certalias -keystore keystorefilename

==== List Certs in a Keystore ====
# keytool -list -keystore keystorefilename
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry

somecertalias, Dec 6, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 8D:5F:25:16:F0:53:99:FF:35:64:9E:9B:1D:FC:27:FF

==== Export a Cert from a Keystore ====
Note : default passwords are "changeit" or "changeme", default alias is "mykey"
# keytool -export -alias certalias -file cert.crt -keystore keystorefilename
Example:
# keytool -export -alias ci-test-1 -file /tmp/ci-test.crt -keystore jssecacerts

Hint : check content of exported cert
# keytool -printcert -v -file star.example.com

==== Jar Signing ====
# jarsigner -verbose -keystore keystorefilename -storepass keystorepassword -keypass certkeypassword jarfilenametosign.jar aliasinkeystoreforcertkey
OR with Date Stamp, "-tsa" = Time Stamp Authority (below -tsa option specific for Godaddy certs)
# jarsigner -verbose -keystore keystorefilename -storepass keystorepassword -keypass certkeypassword -tsa [http://tsa.starfieldtech.com/] jarfilenametosign.jar aliasinkeystoreforcertkey
OR if proxy is required
# jarsigner -J-Dhttp.proxyHost=sc9-proxy.example.net -J-Dhttp.proxyPort=3128 -verbose -keystore keystorefilename -storepass keystorepassword -keypass certkeypassword -tsa [http://tsa.starfieldtech.com/] jarfilenametosign.jar aliasinkeystoreforcertkey

updating: META-INF/MANIFEST.MF
adding: META-INF/PRODUCTI.SF
requesting a signature timestamp
TSA location: [http://tsa.starfieldtech.com/]
adding: META-INF/PRODUCTI.RSA
adding: org/
adding: org/openoces/
adding: org/openoces/opensign/
adding: org/openoces/opensign/client/
adding: org/openoces/opensign/client/applet/
adding: org/openoces/opensign/wrappers/microsoftcryptoapi/
signing: org/openoces/opensign/wrappers/microsoftcryptoapi/MicrosoftCryptoApi.class
signing: it-practice.license
signing: opensign.license
signing: opensign.version

==== Verify Jar Signing ====
# jarsigner -verify signedjarfilename.jar
jar verified.
OR for more info
# jarsigner -verify -verbose -certs signedjarfilename.jar

==== Troubleshooting ====

===== Test a ssl connection (https/imaps/pops/etc.s) =====
# openssl s_client -connect 163.120.170.50:443

===== TXT_DB error number 2 =====
failed to update database
TXT_DB error number 2
openssl command failed

The cert you are trying to generate was already generated and is already listed in index.txt (ca/db/index.txt), you can edit index.txt and remove the line for the cert you are trying to generate. You should only get this error if you have set up a CA, and you are signing certs under that CA.

===== unknown pbe algorithm: TYPE=PBES2 =====
unable to load private key
unknown pbe algorithm: TYPE=PBES2
pkcs12 algor cipherinit error
pkcs12 pbe crypt error
ASN1 lib
PEM lib

The key file was generated with openssl >= 1.0, a program built with OpenSSL < 1.0 fails to open the key file. OpenSSL >= 1.0 uses a different format for storing private keys and earlier versions are unable to open the file. Older versions are apparently able to open OpenSSL >= 1.0 key files which are not password protected. The key file needs to be converted to the pre OpenSSL >= 1.0 key file format.

Work Apps

2017-05-09T17:56:01Z

Support:

Apps being used on Tablet or Phone for Work envs

=== Work Software ===

keyboard - Hacker's Keyboard 
vpn client - AnyConnect 
ssh client - JuiceSSH 
scp client - DroidSCP (has probs, need better client) 
remote desktop client - Remote RDP (preferred, but doesn't allow android copy/paste, need better client) 
remote desktop client - aRDP Free (seems better, but android copy/paste still being worked on) 
VNC client - VNC Viewer (RealVNC client) 
IM - Skype 
IM - xabber (for internal jabber IM) 
soft phone/VOIP client - Bria (pay for app, expensed) 
compressing/archiving files - ZArchiver 

=== Conferencing ===

e-Meeting 
GoToMeeting 
join.me 
WebEx 
ReadyTalk 
Sococo? 

=== Troubleshooting ===

device performance - PerformanceMonitor 
device performance - Quadrant Standard 
internet connection performance - Ookla Speedtest 
wireless performance - Wifi Analyzer 
network/wireless settings - WiFi Overview 360 

=== Other ===

terminal - Terminal Emulator (or just use JuiceSSH) 
shell env - BusyBox (non-root) 
tethering - PdaNet Tablet (needed where provider blocks this functionality, like Sprint) 
hardware info - device info live wallpaper

Android

2017-05-09T17:49:45Z

Support:

[[ADB]] - Android Debug Bridge, control your android device from a computer via USB

[[Tricks/Reference]]

[[Work Apps]] - APPS used in a corporate work env to replicate apps normally run from a computer

VI Quick Reference

2017-05-09T02:32:18Z

Support: Created page with "=== search and replace === global :%s/search/replace/ global, multiple occurrences on each line :%s/search/replace/g remove end of line spaces :%s/ +$// === global com..."

=== search and replace ===
global
:%s/search/replace/

global, multiple occurrences on each line
:%s/search/replace/g

remove end of line spaces
:%s/ +$//

=== global commands ===
global delete
:g/some text in lines to delete/d

=== automatic formatting ===
check autoformat options
:set formatoptions

set autoformat options
:set formatoptions=croql

format options
1 - single letter words on next line
2 - keep 2nd line indent
c - comments (plus leader)
n - numbered lists
q - allow 'gq' to work
r - (in mail) comment leader after
t - textwidth

other format options
:set autoindent
:set noautoindent
:set expandtab
:set noexpandtab
:set shiftwidth=3
:set smartindent
:set nosmartindent
:set tabstop=3
:set textwidth
:set wrapmargin
:set nowrapmargin

Editors

2017-05-09T02:29:52Z

Support:

[[VI Quick Reference]]

Network

2017-05-08T23:04:55Z

Support:

=== Enterprise 7 Note ===
Networking drastically changed under Enterprise 7, which now has Network Manager fully integrated (which was recommended to be uninstalled in previous releases when used on a server/static configuration). On 7, the convention is now not to modify any config files (which may be auto-generated, and/or will get overwritten by updates), but to use command-line utilities to modify any of the configuration settings/parameters (which normally does not modify the primary config file, but creates an override config file usually in a separate location).

=== Network Setup (ent 7) ===
1. determine interface and connection name setup for the subsequent nmcli commands, use what it shows for the Connection name (Device and Connection name are normally the same, but not always the same - this needs to be checked to verify what to use). 
Note: "show" is a default argument in most cases, and does not need to be specified, unless other "show" arguments/details are needed (as in: nmcli dev show eno16777728)
# nmcli dev

2. configure the interface, IP, and gateway (defaults to "automatic" (DHCP), change to "manual" to be able to configure static parameters - settings saved in an ifcfg-interface file in /etc/sysconfig/network-scripts/, in this example; ifcfg-eno16777728)
# nmcli con mod eno16777728 ipv4.method manual ipv4.addresses 172.100.200.140/24 ipv4.gateway 172.100.200.1

3. configure hostname (saved in /etc/hostname) and domain (saved in an ifcfg-interface file in /etc/sysconfig/network-scripts/ and in /etc/resolv.conf)
# nmcli gen hostname ks-c7a.lab.example.com
# nmcli con mod eno16777728 ipv4.dns-search lab.example.com

4. configure DNS servers ((use DNS servers appropriate for your internet provider, for your own internal network, or for your local data center - saved in an ifcfg-interface file in /etc/sysconfig/network-scripts/ and in /etc/resolv.conf)
# nmcli con mod eno16777728 ipv4.dns 172.100.170.90,172.100.130.90

5. optional, list networking/connection info
# nmcli con show eno16777728

=== Network Setup (before ent 7) ===
most of this is common knowledge, but some of these additional steps have been added (moreso) as a comparison to the new ent 7 listing/steps (above)

1. configure the IP and gateway
1a. set the following in an ifcfg-interface file (usually ifcfg-eth0) under /etc/sysconfig/network-scripts/
Note: ent 6 defaults to/prefers quotes around the params, i.e. BOOTPROTO="none", ent 6 also introduced CIDR notation, ex; PREFIX="24" to replace the old/longer netmask convention (NETMASK="255.255.255.0")
BOOTPROTO=none
IPADDR=172.200.110.140
NETMASK=255.255.255.0

1b. configure the default gateway and disable the dynamic link-local (DHCP network) address in /etc/sysconfig/network 
Note: ent 6 defaults to/prefers quotes around the params, i.e. GATEWAY="172.100.130.1"
GATEWAY=172.100.130.1
NOZEROCONF=yes

2. configure hostname
2a. set the FQDN hostname in /etc/sysconfig/network
HOSTNAME=ks-c7a.lab.example.com

2b. set the domain in /etc/resolv.conf
domain lab.example.com

2c. set the IP and hostname info in /etc/hosts (required for 'hostname -s' and other types of resolution)
172.100.200.140 ks-c7a.lab.example.com ks-c7a

3. configure the DNS servers in /etc/resolv.conf (use DNS servers appropriate for your internet provider, for your own internal network, or for your local data center)
nameserver 172.100.170.90
nameserver 172.100.130.90

4. optional, list interface info
Ent 5 or older
# ifconfig
Ent 6
# ip addr

=== Changing the IP (ent 7) ===
1. set the new IP and netmask 
Note: if the IP is not getting set, please check or go through the Network Setup steps (above), specifically see the note on the default setting with DHCP/manual mode
# nmcli con mod eno16777728 ipv4.addresses 172.100.200.140/24 ipv4.gateway 172.100.200.1
OR
# nmcli con mod eno16777728 ipv4.addresses 172.100.200.140/24
# nmcli con mod eno16777728 ipv4.gateway 172.100.200.1

2. restart networking 
Note: this has worked remotely over ssh, as long as the two commands are entered together as per this example, otherwise doing the single down command will cause you to lose your connection and require console access to resolve/fix
# nmcli con down eno16777728 ; nmcli con up eno16777728

=== Changing the IP (before ent 7) ===
1. set the new IP and netmask in the ifcfg-interface file (usually ifcfg-eth0) under /etc/sysconfig/network-scripts/ 
Note: ent 6 defaults to/prefers quotes around the params, i.e. NETMASK="255.255.255.0", ent 6 also introduced CIDR notation, ex; PREFIX="24" to replace the old/longer netmask convention (NETMASK="255.255.255.0")
IPADDR=172.200.110.140
NETMASK=255.255.255.0

2. set the new default gateway in /etc/sysconfig/network 
Note: ent 6 defaults to/prefers quotes around the params, i.e. GATEWAY="172.100.130.1"
GATEWAY=172.100.130.1

3. set the IP info in /etc/hosts (required for 'hostname -s' and other types of resolution)
172.100.200.140 ks-c7a.lab.example.com ks-c7a

4. restart networking 
Note: recommended to use "&" when connected remotely so the command will continue after the network gets disconnected (your session is normally not lost in this case, and you would normally stay connected)
# service network restart &

=== Adding Additional IP's/Aliases (ent 7) ===
1. add the additional IP
# nmcli con mod eno16777728 +ipv4.addresses 172.100.200.140/24

2. restart networking 
Note: this has worked remotely over ssh, as long as the two commands are entered together as per this example, otherwise doing the single down command will cause you to lose your connection and require console access to resolve/fix
# nmcli con down eno16777728 ; nmcli con up eno16777728

=== Adding Additional IP's/Aliases (before ent 7) ===
1. create an ifcfg-interface:aliasnumber file in /etc/sysconfig/network-scripts/ (ifcfg-eth0:0 for this example), with the following contents
DEVICE="eth0:0"
IPADDR="172.100.200.140"
NETMASK="255.255.255.0"
ONPARENT="yes"

2. restart networking 
Note: recommended to use & when connected remotely so the command will continue after the network gets disconnected (your session is normally not lost in this case, and you would normally stay connected)
# service network restart &

=== Adding Static Routes (ent 7) ===
Set the address range and gateway address (saved in a route-interface file in /etc/sysconfig/network-scripts/, in this example; route-eno16777728)
# nmcli con mod eno16777728 ipv4.routes "172.200.210.0/24 172.200.210.120"

=== Adding Static Routes (before ent 7) ===
Create a route-interface file (for IPv4), example /etc/sysconfig/network-scripts/route-eth0 (or route-bond0 for a bonding interface);
ADDRESS0=172.200.210.0
NETMASK0=255.255.255.0
GATEWAY0=172.200.210.120

=== Quick Reference ===
past what is shown above, here are a few additional/helpful commands

Show IP Info (before ent 6)
# ifconfig

Show IP Info (ent 6 and newer)
# ip addr

Show IP Configuration (before ent 7)
# cat /etc/sysconfig/network /etc/sysconfig/network-scripts/ifcfg-e*

Show IP Configuration (ent 7) 
Note: run 'nmcli dev' to find the device name
# nmcli dev
DEVICE TYPE STATE CONNECTION
ens32 ethernet connected ens32
lo loopback unmanaged --
# nmcli con show ens32

Show Listening Ports (only) 
Note: the : in the output normally denotes a listening port
# lsof -nP | grep ":"

Show Network Connections (before ent 7)
# netstat -an

Show Network Connections (ent 7)
# ss -an

Firewall

2017-05-08T02:14:38Z

Support:

=== Overview / Gotcha's ===
Warning: making firewalld changes are either done to the running/active config or the permanent config, there is not one command for both configurations. However, this was done so you can test changes in the active config (which would not be permanent) and the system could simply be rebooted (if it became unavailable) to get it back to the previous working state. To update both the active and permanent configs, all commands would need to be run twice, once to affect the active state (without --permanent) and a second time (with --permanent) to save/make permanent the change. Alternately you can do all commands with --permanent and then do a 'firewall-cmd --reload', though is not recommended.

=== iptables examples (before ent 7) ===
Allow https port:
TEMPORARY
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
PERMANENT
do temporary step and "service iptables save", OR
# vi /etc/sysconfig/iptables
ADD
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# service iptables restart

Allow a custom ssh port:
TEMPORARY
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
PERMANENT
do temporary step and "service iptables save", OR
# vi /etc/sysconfig/iptables
ADD
-A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
# service iptables restart

Allow samba
figure out all it's udp & tcp ports and add the various needed lines for this in a similar fashion to the previous examples

=== firewalld examples (ent 7) ===
Allow https port:
TEMPORARY
# firewall-cmd --add-port 443/tcp
PERMANENT (to make active, also do temporary step, or after the permanent step do "firewall-cmd --reload")
# firewall-cmd --add-port 443/tcp --permanent
Note: you can use; '--add-service http' instead, but this adds a long list of ports 80/443/8080/8443/etc/etc, therefore it's more secure/preferable to only open the individual ports you need

Allow a custom ssh port:
TEMPORARY
# firewall-cmd --add-port 222/tcp
PERMANENT (to make active, also do temporary step, or after the permanent step do "firewall-cmd --reload")
# firewall-cmd --add-port 222/tcp --permanent

Allow samba:
# firewall-cmd --add-service smb --permanent

=== firewalld - running/enabling firewalld ===
when running firewalld, this will conflict with the old iptables service, so if firewalld rules are set up and the iptables service gets started/enabled, this will cause problems/contention between the two services. To ensure this doesn't happen accidentally after you've gotten a firewalld setup configured/working correctly, it is recommended to 'mask' the conflicting services (where they could not just be enabled without someone finding out they've been masked, and explicitly having to disable the masking to enable iptables). Recommended enable procedure for firewalld:
# systemctl mask iptables
# systemctl mask ip6tables
# systemctl mask ebtables
# systemctl enable firewalld
# systemctl start firewalld

=== firewalld - zones ===
The following is a description of the default zones that currently come preconfigured on a system:
{| class="wikitable"
! Zone !! Description
|-
| drop || Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
|-
| block || Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
|-
| public || For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
|-
| external || For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
|-
| dmz || For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
|-
| work || For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
|-
| home || For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
|-
| internal || For use on internal networks. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
|-
| trusted || All network connections are accepted.
|}
The primary zone defaults to public, but the primary interface (and others) can be moved into other zones. Adding new rules automatically go into the default zone, unless the zone is specified.

=== firewall-cmd Quick Reference ===
Moving interfaces into other zones (actually done via NetworkManager, and not through firewalld):
# nmcli con mod em1 connection.zone trusted

Creating new Zones example (adding new zone, setting to ACCEPT (like the trusted zone) and accepting connections from a subnet for these rules):
# firewall-cmd --new-zone=pinemgmt --permanent
# firewall-cmd --zone=pinemgmt --set-target=ACCEPT --permanent
# firewall-cmd --add-source=210.110.40.230/29 --zone=pinemgmt --permanent
# firewall-cmd --add-port=222/tcp --zone=pinemgmt --permanent

Viewing default Zone info:
# firewall-cmd --list-all

Viewing Zone info for a specific zone:
# firewall-cmd --list-all --zone=trusted

Viewing all Zones:
# firewall-cmd --list-all-zones

Removing a service
# firewall-cmd --remove-service=ssh
# firewall-cmd --remove-service=http

Remove a port
# firewall-cmd --remove-port=80/tcp

Add a port (not recommended to add a service like http, which adds 8443/8080/etc/etc)
# firewall-cmd --add-port=443/tcp
# firewall-cmd --add-port=222/tcp

Disallow connections from a hacking IP
# firewall-cmd --add-source 98.200.183.180 --zone drop
OR
# firewall-cmd --add-source 98.200.183.180 --zone block

=== Zone Examples ===
Example setup/scenario for a system at a client site using various zones (p2p1 is a capture interface):
# nmcli con mod em1 connection.zone public
# nmcli con mod p2p1 connection.zone trusted
# systemctl mask iptables
# systemctl mask ip6tables
# systemctl enable firewalld
# systemctl start firewalld
# firewall-cmd --remove-service=ssh --permanent
# firewall-cmd --new-zone=pinemgmt --permanent
# firewall-cmd --zone=pinemgmt --set-target=ACCEPT --permanent
# firewall-cmd --add-source=210.110.40.230/29 --zone=pinemgmt --permanent
# firewall-cmd --reload
OPTIONAL/FYI:
# firewall-cmd --list-all
# firewall-cmd --list-all --zone=trusted
# firewall-cmd --list-all --zone=pinemgmt

=== iptables Quick Reference ===
NAT'ing/forwarding 
We're not sure how to get NAT to work via command line (if you type these commands, it fails), however, NAT works if the following is set in the iptables rules file (/etc/sysconfig/iptables)
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1904 -j DNAT --to-destination 163.120.170.170:1101
-A POSTROUTING -d 163.120.170.170/32 -p tcp -m tcp -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
Note: the PREROUTING rule looks at anything (TCP) coming in to the local port 1904 and passes it on to 163.120.170.170 port 1101, the MASQUERADE rule is for anything going to/from 163.120.170.170 (only one MASQUERADE line is needed for all/any rules forwarding traffic to 163.120.170.170)

MediaWiki

2017-05-07T05:09:04Z

Support:

MediaWiki Issues/Notes

CentOS 7

The default CentOS 7 MediaWiki version does not work with InnoDB, even though docs strongly recommend InnoDB. To be able to use this version, select MyISAM during the online setup.

Rename Main page

# Move Main page to new/desired name.
# Edit MediaWiki:Mainpage contents from "Main page" to your new/desired name.
# If you wish to also change the sidebar menu, edit MediaWiki:Sidebar.

Documentation

https://www.mediawiki.org/wiki/Help:FAQ 
https://www.mediawiki.org/wiki/Help:Formatting 
https://www.mediawiki.org/wiki/Manual:Contents 
https://www.mediawiki.org/wiki/Category:Manual 

User Mgmt

https://www.mediawiki.org/wiki/Manual:User_rights
https://www.mediawiki.org/wiki/Special:UserRights
https://www.mediawiki.org/wiki/Help:Assigning_permissions
https://www.mediawiki.org/wiki/Manual:Setting_user_groups_in_MediaWiki

Sevices

2017-05-07T04:40:07Z

Support:

Starting and Stopping Services (including bootup configuration)

[[Legacy INIT vs systemd]]

Security

2017-05-07T04:39:45Z

Support:

Security related topics

[[OS Security Configuration Policy]]

[[SSH & Key Usage]]

[[SELinux]]

[[ACL's]]

[[Firewall]]

Misc Apps

2017-05-07T04:39:30Z

Support: Created page with "Misc Apps MediaWiki IPPlan"

Misc Apps

[[MediaWiki]]

[[IPPlan]]

Mail

2017-05-07T04:39:16Z

Support: Created page with "Mail Server & other Mail related configuration Postfix Dovecot Maildir Mail Client Configuration - preferred configuration once server services are optimal..."

Mail Server & other Mail related configuration

[[Postfix]]

[[Dovecot]]

[[Maildir]]

[[Mail Client Configuration]] - preferred configuration once server services are optimally configured

DNS

2017-05-07T04:39:00Z

Support: Created page with "DNS Servers Bind Unbound IPPlan"

DNS Servers

[[Bind]]

[[Unbound]]

[[IPPlan]]

Config Mgmt

2017-05-07T04:38:38Z

Support:

[[Ansible]]

[[Ambari]]

[[Puppet]]

[[Salt]]

Database

2017-05-07T04:37:59Z

Support: Created page with "Info on Databases MySQL/MariaDB PostgreSQL MemCache"

Info on Databases

[[MySQL/MariaDB]]

[[PostgreSQL]]

[[MemCache]]

Notes

2017-05-07T04:37:24Z

Support:

Notes / Overview

Documentation on this site

The documents on this site comprise information compiled over the last 25 years or so by many many Admins. Alot of this follows conventions of the companies we've worked for, and may or may not be the way you would do it, or the way you would want to do it. We will attempt to explain why and where you would want or wouldn't want to utilize some of these conventions.

Linux Distros

Initially these docs are based on what we've seen/used in enterprise environments at the companies we've worked for. So far, this has been RedHat Linux and RedHat Linux compatibles (CentOS Linux / Scientific Linux / OracleLinux / Whitebox Linux). While we have seen on job reqs, and understand there is also a demand for Admins who also use Suse or Ubuntu in Enterprise env's, we've not actually seen this in the Enterprise for the hundreds of companies we've worked for.
That being said, we wish that The Linux Source would be Distro agnostic, and would appreciate any help adding docs/details for some of these other major Distros as well.

The term Enterprise mentioned in the docs is a general term for RHEL (RedHat Enterprise Linux) and compatibles (CentOS / OracleLinux / etc.). This is just a generic way to refer to a release without mentioning a specific Distro, since RHEL / CentOS / OracleLinux / etc. Release 5 aka Enterprise 5 is basically identical and where Enterprise 5 is mentioned, that command can be used on all of the RedHat compatible Distros. Fedora is slightly different, as the versioning is not in sync with these other distros. If using Fedora, it would be best to determine the applicable version the doc refers to by checking wikipedia release history to see which Fedora version coincides with which Enterprise version.

Conventions

Many examples show commands typed at a prompt. The convention is something like; 
# commandtodosomething
This is not a comment, please don't include the # if copying/pasting from one of these documents. Also, note that the normal prompt as a non-priveledged user is $ and the normal prompt when root is # however the convention here is to use # for all prompts so please ignore the fact that the # prompt in the documents are also shown for a non-root user AND/OR don't assume that since the prompt is # that it means the command is typed in as root.

All data on /home

Most of the documentation follows various companies convention of separating their code and processes from the OS by dumping everything on/under /home and keeping data/logs/etc. there. This is fine if that is the convention you wish to follow, however, this is difficult to deal with if you are running a secure env using SELinux. There are some advantages with keeping everything on /home, primarily it is easy to reinstall the OS and reformat/rebuild all OS partitions without touching /home and keeping all your code/data/logs/etc. intact. One other primary reason to keep OS and application separate by using /home, when application logs fill up /tmp or /var, you don't crash the OS when it no longer has space left for temp files, or losing OS logs when there's no space left to record issues the OS is having when things go awry with the application.

Whether you choose to keep app and OS separate and run your non-OS specifics from /home is up to you, if you don't (or if you are running SELinux), please ignore and DO NOT do the steps for moving items to home. For example, and using mySQL as a case in point, ignore the commands to move it off of /var; 
mv /var/lib/mysql /home/ ; ln -s /home/mysql /var/lib/

Main Page

2017-05-07T04:28:41Z

Support:

Welcome to The Linux Source

Feel free to add pages/comments/etc.

Due to excessive spam abuse, adding/editing/etc. now requires an approved login, which will also be verified via a valid email address. When creating an account, please state your desire to add appropriate Linux related content.

Any Linux OS and any Linux subject matter is welcome here. If you do not see an appropriate section, please add it (though things may get reorganized/moved around from time-to-time as pages proliferate). If you have suggestions/input on the content or how things are organized, we would appreciate some input.

[[Notes]] <- read this first!! Overview of some of the info / steps covered in the documentation on this site (i.e. you may not need/want to do all of the steps documented and why)

[[ABRT]]

[[Android]] - it runs Linux

[[Apache]]

[[Authorization]] - LDAP / IPA / Etc. (PAM?)

[[Cert Mgmt]] - OpenSSL / Java / KeyTool

[[Config Mgmt]] - Ansible / Puppet / Salt / Etc.

[[Cron]]

[[Database]]

[[Distro]] - distro specific procedures

[[DNS]] - Bind / Unbound / IPPlan / Etc.

[[Docker]]

[[Editors]] - VI / Etc.

[[Filesystems]] - Disk / Filesystem / LVM / RAM disks / Etc.

[[FTP]]

[[GPG]]

[[Hardware]] - Dell Systems / SuperMicro / Etc.

[[Kickstart]] - Automating Installation

[[Mail]] - Postfix / Dovecot / Etc.

[[Misc]]

[[Misc Apps]]

[[Misc OS]] - Logwatch / Logrotate / Etc.

[[Monitoring]] - Nagios / SNMP / Etc.

[[Network]] - Linux Network Configuration

[[NFS]]

[[Permissions]] (file / dir perms)

[[Registration]] - registering a commercial Linux distro

[[Samba]]

[[Security]]

[[Services]]

[[Shell]] - Bash primarily

[[Software Mgmt]] - YUM / DNF / RPM / Etc.

[[Squid]]

[[SSH]] - Server / Client / Keys / Trusted Host

[[Standards]] - some Standards & Conventions

[[Sudo]]

[[Syslog]]

[[TCPwrappers]]

[[Time Services]] - NTP / Chrony / Timezones / Etc.

[[Update Mgmt]] - Satellite / Spacewalk / Foreman / Katello

[[User Mgmt]]

[[Versioning]] - Subversion / GIT / Etc.

[[VPN]]

[[Vulnerabilities]] - some Vulnerabilities mentioned, mainly some of the recent biggies