CentOS Guide - based on the RHCSA exam objectives
Configure a CentOS installation to run as a hypervisor
Install the below group packages:
yum groupinstall virtualization "virtualization platform" "virtualization client" "virtualization tools"
Next you need to start libvirtd (turn it on by default with chkconfig) and configure your virtual network. I like to create my VM guests using a kickstart file. This is a quick and easy way to automatically install CentOS. The path below is the default location for VM disks. You need to specify qcow2 if you want to do snapshots of your guest VMs. Size is in GB. Location refers to the CentOS installer and -x indicates the location of the kickstart file. Note, I have found in the past that I have had to stop the iptables service running on the host that has the kickstart file to allow clients to access the kickstart file. Also, make sure your installer and kickstart files have 755 permissions. An easy way to configure a kickstart file via the GUI is to use system-config-kickstart. If you want your guests to access any external networks such as the Internet, modify /etc/sysctl.conf on the host and set net.ipv4.ip_forward=1
Install a guest using a kickstart file:
virt-install --name server02.nickbeare.com --ram 512 --disk path=/var/lib/libvirt/images/server02.qcow2,format=qcow2,bus=virtio,cache=none,size=8 --location=ftp://192.168.1.10/pub -x ks=ftp://192.168.1.10/pub/kickstart/ks.cfg
Some useful KVM commands to control VMs
virt-manager - opens the GUI Virtual Machine Manager to manage VMs.
virsh list --all - list all VMs regardless of state.
virsh list --autostart - list all VMs that have autostart enabled.
virsh list --with-snapshot --all - list all VMs that have snapshots. Leave off --all to show only running VMs.
virsh list --without-snapshot --all - list all VMs that don't have snapshots. Leave off --all to view only running VMs.
virsh start example.nickbeare.com - start a VM.
virsh reboot example.nickbeare.com - gracefully restart a VM.
virsh shutdown example.nickbeare.com - gracefully shutdown a VM.
virsh autostart example.nickbeare.com - set a guest to turn on automatically when the host boots. You can turn this off by adding --disable at the end of the command.
virsh destroy example.nickbeare.com - force a VM to shutdown, like cutting the power to a machine.
virt-top - show the current CPU/memory utilisation of all hosts and their uptime.
virt-clone -o original.nickbeare.com -n new.nickbeare.com -f /var/lib/libvirt/images/new.qcow2 - clones the original VM and creates a new VM with its HD stored in the location indicated in -f. There is also a --auto-clone flag for this command.
virsh pool-list - shows active VM pools.
virsh vol-list --pool pool_name - shows all of the guest virtual hard drives stored in that pool.
virsh undefine example.nickbeare.com - remove a guest from virt-manager.
virsh vol-delete --pool pool_name example.nickbeare.com.img - delete the virtual hard drive.
virsh snapshot-create-as whitehat.example.net base_snapshot - takes a snapshot of a guest and names the snapshot base_snapshot. Note, the VM must be powered down and I have only got snapshots to work on qcow2 format.
virsh snapshot-list gamma.example.net - list all snapshots on a guest.
virsh snapshot-delete gamma.example.net run5 - delete a snapshot. In this example the snapshot is named run5.
virsh snapshot-revert gamma.example.net run5 - revert gamma to a stored snapshot named run5.
Launch a bash session from GRUB
Sometimes you can get stuck in a situation where you are unable to boot your system due to an issue with a configuration file such as /etc/fstab or /boot/grub/grub.conf. You can launch an interactive session by typing 'a' at the GRUB boot menu and adding the below line. Note, this doesn't seem to work if /etc/inittab is set to boot into run level 5.
init=/bin/sh
You will notice that / is mounted, but only as read only. You can mount it as read write by typing:
mount -o remount,rw /
You can also mount other directories such as /boot:
mount /boot
Install a usable desktop
yum groupinstall desktop "desktop platform" "x window system" "fonts"
Searching with find
The below command searches the root directory for a file named inittab (case insensitive). Note you can use regular expressions here for the file name.
find / -type f -iname inittab
The following command searches the /opt directory for a directory named nick.
find /opt -type d -name nick
You can also search for files using locate. Note, you need to run updatedb if you want to index new files. locate is a fast way of finding files.
yum install mlocate
updatedb
locate /etc/inittab
Setting up VNC
Run the below command to install VNC server. The client is named tigervnc.
yum install tigervnc-server
Edit the below configuration file:
/etc/sysconfig/vncservers
The below config file changes configure 4 VNC sessions for users nick, vnc, root and bob. Note, the arguments relate to the appropriately numbered VNC connection. The number also relates to the port number, eg nick's connection runs on port 5901 and root runs on 5903. VNC runs on port 5900 under the TCP protocol.
VNCSERVERS="1:nick 2:vnc 3:root 4:bob"
VNCSERVERARGS[1]="-geometry 800x600"
VNCSERVERARGS[2]="-geometry 800x600"
VNCSERVERARGS[3]="-geometry 800x600"
VNCSERVERARGS[4]="-geometry 800x600"
Start the VNC service:
service vncserver start
List active VNC server sessions:
vncserver -list
Show help:
vncserver -h
Remember to set the vncpasswd for each individual user who has a session using the vncpasswd command.
You can start a particular vnc session by calling the appropriate session number:
vncserver :1
You can also kill it:
vncserver -kill :1
Minimalist text based browser
yum install elinks
elinks nickbeare.com
Setting the correct date and time
Install ntpdate and ntp:
yum install ntp ntpdate
You can install and use tzselect to select your timezone. Call the program using tzselect and follow the prompts to select the correct timezone.
The next step is to sync your time with an ntp server (make sure ntpd is stopped):
ntpdate pool.ntp.org
Next start your ntpd service and turn it on by default (chkconfig). This will ensure your system continues to keep the correct time.
service ntpd start
Physical Volumes, Volume Groups and Logical Volumes
List physical volumes:
pvs
Add a physical volume:
pvcreate /dev/sda1
List volume groups:
vgs
Create a volume group:
vgcreate vg_name /dev/sda1
Extend a volume group:
vgextend vg_name /dev/sda2
List all logical volumes:
lvs
Create a logical volume named lv_volume1 under vg_name and make it 10Gb in size.
lvcreate -n lv_volume1 -L 10G vg_name
Resize an existing logical volume to 10Gb:
lvresize -L 10G vg_server/lv_home
Extend an existing logical volume by 50Gb:
lvextend -L +50G /dev/vg_server/lv_volume1
Note, after you extend or resize a logical volume you will need to run resize2fs /dev/vg_server/lv_name for the change to take effect. If the resize2fs command does not work, use xfs_growfs.
To rename lvold in volume group vg02 to lvnew:
lvrename /dev/vg02/lvold vg02/lvnew
An alternate syntax to rename this logical volume is:
lvrename vg02 lvold lvnew
Making SWAP space
mkswap /dev/sda3
swapon /dev/sda3
swapon -s
Show the UUID for a drive
blkid /dev/vg_lappy/lv_root
Label a ext filesystem with a name
e2label /dev/sda1 label_name
You can use the label name in /etc/fstab to automatically mount filesystems (just like with UUIDs) eg:
LABEL=label_name /some_dir ext4 rw,acl 0 0
SELinux
Has 3 modes listed in /etc/selinux/config. Modifications made here will not take place until a reboot:
enforcing - SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
disabled - No SELinux policy is loaded.
View the current SELinux mode using sestatus. You can turn enforcing mode on and off using setenforce 0 (permissive mode) and setenforce 1 (enforcing mode).
List all SELinux rules:
getsebool -a
Usually you pipe this into grep to find rules you are interested in:
getsebool -a | grep httpd
Turn a rule on. You can use on or off, or 1 or 0 (1=on):
setsebool -P httpd_read_user_content on
You can see all changed SELinux rules in the below file:
cat /etc/selinux/targeted/modules/active/booleans.local
# This file is auto-generated by libsemanage
# Do not edit directly.
httpd_read_user_content=1
List SELinux file labels using -Z (you can also use this for processes), note the user_home_t section:
[root@localhost nick]# ls -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html
Set a label on a file or folder:
chcon -t httpd_sys_content_t /var/www/html/index.html
You can do this recursively. I like to use the verbose flag -v
chcon -vRt httpd_sys_content_t /var/www/html/
You can reference the SELinux label on another folder/file and apply it to a target:
[root@host ~]# chcon -vR --reference /root/Public test/
changing security context of `test/tes.txt'
changing security context of `test/'
Recover original labels for a folder and its contents:
restorecon -Rv /var/www/
Note to allow users to ftp to their home directories you need to run:
setsebool -P ftp_home_dir 1
Troubleshooting SELinux
Sometimes things will just not work no matter what you do. To determine if SELinux is causing your issue you can use a program called setroubleshoot (there is also setroubleshoot-server).
yum install setroubleshoot
After installing setroubleshoot you need to restart the audit daemon
service auditd restart
Now that setroubleshoot is installed, if SELinux blocks anything from now on, detailed logging, including an actual command to fix the problem, will be appended to the /var/log/messages log.
Turning services on by default
Turn httpd on in all run levels:
chkconfig httpd on
Turn httpd on in only run levels 3 and 5:
chkconfig httpd --level 35 on
List all run level startup options for httpd:
chkconfig httpd --list
You can view all of the installed services in /etc/init.d
The services that run at startup for each run level are defined in the /etc/rcx.d directories. K stands for killing a service and S stands for starting the service. The numbers after the letter indicate the order in which this occurs.
Configuring firewall rules with iptables
system-config-firewall-tui is a simple and effective way to configure iptables. However, learning to write iptables commands is very useful. iptables is a service and can be started via service iptables start. It should be turned on by default via chkconfig. When you add a rule and you want that rule to survive a reboot or service restart, make sure you type service iptables save followed by service iptables restart to confirm that your rule has been saved. To see active iptables rules from the iptables configuration file type cat /etc/sysconfig/iptables
The below command allows all hosts to access port 22. Note, the number 1 places the rule at the start of the /etc/sysconfig/iptables rules. The order of iptables rules is important because they are processed in order. There is an implicit deny all statement at the end.
iptables -I INPUT 1 -p tcp -m tcp --dport 22 -j ACCEPT
The following rule allows only host 192.168.122.20 to access port 22. Note, if I changed the IP to 192.168.122.0/24 the whole class C network would be permitted access.
iptables -I INPUT 1 -s 192.168.122.20/32 -p tcp -m tcp --dport 22 -j ACCEPT
Run the below command to list the line numbers of corresponding rules. This information is useful when you want to replace or delete rules.
iptables -L --line-numbers
Replace an existing rule. Note the use of the line number, 3 in this example.
iptables -R INPUT 3 -s 192.168.122.20/32 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT
Delete a rule. In this example we delete the rule on line 3.
iptables -D INPUT 3
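The first-match behaviour described above (rules are processed in order, and -I INPUT 1 puts a rule ahead of everything else) can be simulated offline. This is an added example, not part of the guide: the two rulesets are constructed excerpts in /etc/sysconfig/iptables syntax, the simulated packet is a NEW TCP connection, and INPUT_POLICY is an assumed chain policy that stands in for the implicit deny at the end.

```shell
# Added example: first-match simulator for a saved INPUT chain.
# Rulesets are constructed; INPUT_POLICY is assumed (what applies when nothing matches).
INPUT_POLICY=DROP

# Constructed baseline: only one host may reach sshd, every other NEW ssh attempt is reset.
RULES_BASE='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.122.20/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -s 192.168.122.0/24 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT'

# The same chain after "iptables -I INPUT 1 -p tcp -m tcp --dport 22 -j ACCEPT":
# the new rule sits at line 1, ahead of both the host-specific ACCEPT and the REJECT.
RULES_AFTER_INSERT="-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$RULES_BASE"

# first_match RULESET SRC_IP DPORT -> prints "<line> <target>" for the first matching
# rule (numbered as iptables -L --line-numbers would show), or "policy <INPUT_POLICY>"
# when the packet falls off the end of the chain.
first_match() {
  printf '%s\n' "$1" | awk -v SRC="$2" -v DPORT="$3" -v POLICY="$INPUT_POLICY" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # Compare the network part of two addresses for a prefix length (no bit operators in awk).
    function incidr(ip, cidr,  p, net, bits, div) {
      p = index(cidr, "/")
      if (p == 0) { net = cidr; bits = 32 } else { net = substr(cidr, 1, p - 1); bits = substr(cidr, p + 1) + 0 }
      div = 2 ^ (32 - bits)
      return int(ip2n(ip) / div) == int(ip2n(net) / div)
    }
    /^-A INPUT / {
      n++
      proto = ""; src = ""; dport = ""; target = ""; state = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        else if ($i == "-s") src = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
        else if ($i == "--state") state = $(i + 1)
      }
      if (state != "" && state !~ /NEW/) next     # rule only for existing connections
      if (proto != "" && proto != "tcp") next
      if (src != "" && !incidr(SRC, src)) next
      if (dport != "" && dport != DPORT) next
      print n " " target; found = 1; exit     # first match wins, later rules never run
    }
    END { if (!found) print "policy " POLICY }'
}
```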
Show well known ports and services
cat /etc/services
ACLs
ACLs overrule standard file permissions. You can check a file or folder to see if ACLs exist by running ls -l; a + symbol will appear at the end of the permissions if an ACL is set. To view more information about the ACL, type getfacl file.txt.
The below command grants the user nick rw access over /home/folder, and it gives a group name groupie r access on /home/folder:
setfacl -m u:nick:rw,g:groupie:r /home/folder
The -b flag removes an entire acl from a folder/file:
setfacl -b /home/folder
Remove just an individual reference within an acl:
setfacl -x u:bob virsh.txt
Set the default ACL on a folder with the d flag. All newly created direct children (one level down) will have the same ACL. Existing children are not affected:
setfacl -m d:u:user1:rw /home/folder
Remove a default acl:
setfacl -k /home/folder
User administration
The below commands handle the bulk of user administration eg creating users and groups, setting password expiry dates etc. The man commands are essential when dealing with these commands.
useradd - create a user. Important related files include /etc/passwd and /etc/shadow. Noteworthy flags include:
-s - sets the users shell. Eg if you don't want them to have an interactive login useradd -s /bin/false username or -s /bin/nologin
-G - add the user to secondary groups eg useradd -G group1,group2 username
-b -m - used to specify an alternative home base directory and create it eg useradd -b /opt -m username
usermod - change a user. Noteworthy flags:
-e - set the expiry date for a user account eg usermod -e YYYY-MM-DD username
-u - change the user's UID eg usermod -u 3000 username
Adding groups. Refer to the man page for groupadd for more info. The /etc/group file is quite useful for viewing group membership. This file can be manually edited to add users to groups. The commands id username and groups username will both show what groups a user is a member of.
You can set and view password information using chage.
chage -l username - lists password information relating to a user account.
chage -d 0 username - force a user to change their password at login.
chage -M 30 -m 2 username - sets passwords to expire after 30 days and prevents users from changing their password more than once every 2 days.
Locking and unlocking accounts. You can tell an account is locked by looking at the /etc/shadow file. If the encrypted password, which begins after the username, begins with a ! then the account is locked. A !! means no password is set. A user with a locked account will not be able to log in.
Lock an account:
usermod -L username
Unlock an account:
usermod -U username
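The lock markers described above (! for usermod -L, !! for no password) and the aging fields chage reads can be audited from /etc/shadow. This is an added example, not from the guide: SHADOW_DATA holds constructed sample lines with placeholder hashes; as root you could load the real file into it instead.

```shell
# Added example: classify /etc/shadow-style lines and spot passwords that never expire.
# SHADOW_DATA is constructed sample data (placeholder hashes), not a real shadow file.
SHADOW_DATA='root:$6$placeholder$hash:16000:0:99999:7:::
nick:$6$placeholder$hash:16100:2:30:7:::
bob:!$6$placeholder$hash:16100:0:99999:7:::
svc:!!:16100:0:99999:7:::
daemon:*:16100:0:99999:7:::'

# shadow_field NAME N -> prints field N of NAME's line (2=hash, 4=min days, 5=max days)
shadow_field() {
  printf '%s\n' "$SHADOW_DATA" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }'
}

# shadow_status NAME -> locked | no_password | disabled | active | unknown
shadow_status() {
  hash=$(shadow_field "$1" 2)
  case "$hash" in
    '!!')  echo no_password ;;   # "!!": no password was ever set
    '!'*)  echo locked ;;        # usermod -L prepends "!" to the hash
    '*')   echo disabled ;;      # system account that can never log in with a password
    '')    echo unknown ;;       # no such user in SHADOW_DATA
    *)     echo active ;;
  esac
}

# shadow_never_expires -> lists users with a usable password whose maximum password
# age is unset or 99999, i.e. accounts where chage -M was never applied.
shadow_never_expires() {
  printf '%s\n' "$SHADOW_DATA" | awk -F: '
    $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }'
}

# shadow_report -> one line per user: name, status, min and max password age
shadow_report() {
  printf '%s\n' "$SHADOW_DATA" | cut -d: -f1 | while read -r user; do
    printf '%-8s %-12s min=%-3s max=%s\n' "$user" "$(shadow_status "$user")" \
      "$(shadow_field "$user" 4)" "$(shadow_field "$user" 5)"
  done
}

shadow_report
```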
Links
Hard links are persistent and refer to the inode. This means that they will still work even if the target file is moved or deleted. Soft links refer to the target file by path and will break if that file is moved or deleted.
Hard link:
ln folder/target hardlink_file
Soft link:
ln -s folder/target softlink_file
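The claim above can be checked directly. This is an added example, not from the guide: it creates its own files in a throwaway directory, links them, removes or renames the target, and reports whether each link still reads.

```shell
# Added example: hard versus soft link behaviour once the target is gone.
# All files are constructed inside a temporary directory.

# link_survives KIND ACTION -> prints yes if a KIND (hard|soft) link still reads after the
# target is removed (ACTION=delete) or renamed (ACTION=move), otherwise no.
link_survives() {
  kind=$1; action=$2
  dir=$(mktemp -d)
  printf 'payload\n' > "$dir/target"
  case $kind in
    hard) ln "$dir/target" "$dir/link" ;;        # second name for the same inode
    soft) ln -s "$dir/target" "$dir/link" ;;     # stores the path, not the inode
    *) rm -rf "$dir"; echo "unknown kind: $kind" >&2; return 1 ;;
  esac
  case $action in
    delete) rm "$dir/target" ;;
    move)   mv "$dir/target" "$dir/target.moved" ;;
    *) rm -rf "$dir"; echo "unknown action: $action" >&2; return 1 ;;
  esac
  # The hard link still names the inode, so the data is there; a dangling soft link fails to open.
  if cat "$dir/link" >/dev/null 2>&1; then answer=yes; else answer=no; fi
  rm -rf "$dir"
  printf '%s\n' "$answer"
}

# link_count -> prints the link count of a file after one hard link is added (the second
# column of ls -l); 2 shows both names point at the same inode.
link_count() {
  dir=$(mktemp -d)
  : > "$dir/target"
  ln "$dir/target" "$dir/link"
  count=$(ls -l "$dir/target" | awk '{ print $2 }')
  rm -rf "$dir"
  printf '%s\n' "$count"
}
```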
yum and rpm
Installing packages with yum will resolve software dependencies and download the files from your repository:
yum install firefox
You can also download the installer locally and then install. Dependencies are still resolved.
yumdownloader firefox
yum localinstall firefox-17.0.10-1.el6.centos.x86_64.rpm
You can also install packages with rpm, but dependencies will not be resolved.
rpm -ivh firefox-17.0.10-1.el6.centos.x86_64.rpm
Removing packages with yum
yum erase firefox
Removing packages with rpm
rpm -e firefox
List all installed software with rpm
rpm -qa | sort | more
Search for a particular piece of installed software.
rpm -qa | grep firefox
Adding a software repository
A repository is where yum will look to download packages. To add your own repository you need to add a .repo file to /etc/yum.repos.d/. I have included a sample file below. Note, if your repository is offered via http or ftp your base url would be baseurl=http://repo.com or baseurl=ftp://repo.com respectively. Note, after adding a repository you should run yum clean all. To list your current repo files type yum repolist.
[sample_repo]
name=nicks_repo
baseurl=file:///var/ftp/pub
gpgcheck=0
enabled=1
Archiving and compression
The below tar command uses gzip compression and archives the entire folder named Documents and its contents.
tar -zcvf archive.tar.gz Documents/
The following command archives and compresses two files into a single file using bzip2 compression.
tar -jcvf archive.tar.bz2 file1.txt file2.txt
View the contents of a compressed archive. Also works with uncompressed archives.
tar -tvf archive.tar.bz2
Decompressing bzip and gzip files:
bunzip2 file.tar.bz2
gunzip file.tar.gz
Tar can store acls, selinux and extended attributes.
tar --selinux --xattrs --acls -zcvf archive.tar.gz myfolder/
Decompress using tar (the -x flag).
tar -zxvf archive.tar.gz
tar -jxvf archive.tar.bz2
You can also use the popular Windows zip compression.
yum install zip
Adding multiple files to a zip file.
[nick@localhost new]$ zip newzip.zip win.txt win2.txt
adding: win.txt (stored 0%)
adding: win2.txt (stored 0%)
Add a folder and its children to a zip file.
[nick@localhost new]$ zip -r zippedfile.zip papers/
adding: papers/ (stored 0%)
adding: papers/new3.txt (stored 0%)
adding: papers/new.txt (stored 0%)
adding: papers/new2.txt (stored 0%)
Uncompress a zip file.
unzip zippedfile.zip
Network configuration
When setting a static IP make sure you turn off the NetworkManager service:
service NetworkManager stop
chkconfig NetworkManager off
Modify your network card settings for eth0 etc in /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
IPADDR=192.168.1.3
NETMASK=255.255.255.0
BOOTPROTO=static
ONBOOT=yes
NAME=loopback
TYPE=ethernet
HWADDR=00:26:B9:7C:32:A0
NM_CONTROLLED=no
Edit /etc/sysconfig/network. Make sure networking is turned on. You put your default gateway and hostname here.
NETWORKING=yes
HOSTNAME=host_centos.nickbeare.com
GATEWAY=192.168.1.1
Enter your DNS servers in /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
Once you have completed your configuration you can bounce the interface:
ifdown eth0; ifup eth0
OR, restart the network service which restarts all network interfaces:
service network restart
You can enter name resolution in your hosts file and set resolution to be used before DNS. To add a host just append a line like the below to /etc/hosts
192.168.122.130 whitehat white.example.net
Make sure /etc/nsswitch.conf is configured to check the hosts file before the DNS nameserver for name resolution. The below line is configured by default in /etc/nsswitch.conf. files comes before dns (files indicates /etc/hosts, dns refers to the nameservers in /etc/resolv.conf).
hosts: files dns
Updating the kernel
Updating your kernel using RPM. Note that there is a kernel-firmware dependency. Make sure that you do not use the -U flag (upgrade). This will REPLACE your current kernel! You will want to keep the old kernel in case the new one doesn't work as expected.
rpm -ivh kernel-firmware-2.6.32-220.17.1.el6.noarch.rpm
You can also install the new kernel, whilst keeping your old one, using yum. Remember to set the default kernel accordingly in /boot/grub/grub.conf. You can check to see if there is a newer kernel version using yum info kernel.
yum install kernel
Change the default run level
Edit /etc/inittab. The below line will set the computer to start in run level 3 by default.
id:3:initdefault:
Editing the GRUB configuration file
This file is located at /boot/grub/grub.conf. The default flag indicates which kernel will be loaded by default. Each title section indicates a kernel, so default=0 will start the first title (kernel) in the list, default=1 would start the second title in the list and so on.
When the computer boots users can modify GRUB arguments by hitting the a or e key at the GRUB boot menu. You can prevent users from making amendments by setting a password. Enter password=some_password at the beginning of your grub file near default, timeout etc. The timeout flag refers to how many seconds will pass before the default kernel is loaded.
You can also set a password on a particular kernel so that users will need to enter the correct password to start that kernel. Just add password=some_password underneath the title flag for the particular kernel you want to lock down.
Resetting the root password
At the GRUB boot menu select your desired kernel and hit the a key. Scroll to the end of the kernel arguments, hit space and enter either 1 or single. You will now have root access to the machine and can reset the root password.
Ctrl + Alt + Del
By default ctrl+alt+del restarts the computer, which is dangerous on servers. To disable this edit the /etc/init/control-alt-delete.conf file and add # to comment out the shutdown command. You should create a file named control-alt-delete.override in the same directory if you want to override the settings in this file, for example if you want to set ctrl+alt+del to restart the computer instead.
Mounting
Mount an ISO
mount -o loop /home/nick_beare/Downloads/CentOS-6.5-x86_64-bin-DVD1.iso /mnt/DVD
Mount an NFS share. Note, -o nfsvers=3 specifies the nfs version to use.
mount -t nfs -o nfsvers=3 123.456.123.123:/opt/source /mnt/my_destination
Mount a CIFS share
mount -t cifs -o username=USERNAME,password=PASSWD,domain=DOMAIN //192.168.1.88/source /mnt/my_destination
Mounting an ext4 filesystem
mount -t ext4 /dev/sda1 /mnt/my_destination
The mount command shows all currently mounted drives.
mount -a will attempt to mount all drives listed in /etc/fstab, the file where drives to be mounted at startup are defined. Lines in /etc/fstab use a particular format. An easy way to add a currently mounted drive into /etc/fstab is to consult /etc/mtab. This file lists all currently mounted drives in the /etc/fstab format. I like to use variations of the below command to add lines to /etc/fstab:
cat /etc/mtab | grep /dev/sda5 >> /etc/fstab
Creating partitions with fdisk
fdisk -l - lists all disks
fdisk /dev/sda - replace sda with the relevant drive. This will allow you to access the below options in fdisk.
p - shows the partition table of the selected drive.
n - create a new partition
p or e - you can have up to 4 primary (p) partitions. Extended (e) partitions allow you to create logical partitions starting from sda5.
Enter the partition number
Select the first cylinder
Enter the size of the partition eg +400M
l - select the partition type from the available menu eg 83 for Linux (ext).
Type p to confirm your intended changes followed by w to write them to disk.
When you return to the command line type partprobe /dev/sdx Sometimes you may have to unmount other partitions on the drive to allow the partition table to be read.
Making filesystems
Once you have a partition you need to write a filesystem to it to make it mountable. Physical and logical partitions aren't treated any differently when writing filesystems to them. Type the below command to write an ext4 filesystem. Note mkfs allows you to write other filesystems such as vfat.
mkfs.ext4 /dev/sda1
You can check the consistency of your file systems with e2fsck /dev/sda. Note, do NOT run this on a mounted filesystem!
Listing and killing processes
ps -aux shows all current processes belonging to all users. Nice one to use with grep eg ps -aux | grep process_name
pgrep firefox shows all processes with firefox in their name.
pkill firefox kills all process with firefox in their name.
kill -9 6892 kills process 6892 forcibly. Leave off the -9 to kill the process politely (SIGTERM, signal 15).
Process nice levels
Nice levels refer to the priority that is given to processes. Priority refers to dedication of the CPU to a particular process. The default nice levels for processes is 0. -20 is the highest priority and positive 19 is the lowest. In the below example I start a process with a nice level of -20 and then renice it to 19. The -elf switches confirm the current nice level of the process.
[root@host ~]# nice -n -20 firefox
[1] 7588
[root@host ~]# ps -elf | grep firefox
4 S root 7588 2410 7 60 -20 - 184452 poll_s 07:15 pts/0 00:00:00 /usr/lib64/firefox/firefox
[root@host ~]# renice -n 19 7588
7588: old priority -20, new priority 19
[root@host ~]# ps -elf | grep firefox
4 S root 7588 2410 12 99 19 - 194986 poll_s 07:15 pts/0 00:01:04 /usr/lib64/firefox/firefox
top
The top command shows how hard the system is working. You can see CPU and memory utilisation for particular processes. You can sort on these headings by moving across with the less than and greater than keys. You can also view memory utilisation with the free -m command. Within top in the CPU row at the beginning of the output, there is an attribute called wa. This refers to wait time of the CPU, as in the CPU is waiting for things to be written to disk. High disk I/O will lead to high wait time for the CPU. To check I/O you need to yum install iotop. Run the program by typing iotop. iotop will show the I/O of individual commands and who is running them.
cron
crond is the cron daemon. You can copy scripts directly into the /etc/cron.hourly daily, weekly and monthly folders and have them run on that schedule. Begin your scripts with #!/bin/bash if you write in bash. The #! stands for hash bang. Make sure you also reference commands in your scripts with their full path, eg cp would be /bin/cp. You can confirm the full location of commands by running whereis enter_command_here.
You can also add cron jobs directly to /etc/crontab. The file has nice help information within it as listed below. Note when using /etc/crontab you need to specify a username for the task to run as.
.---------------- minute (0 - 59)
| .------------- hour (0 - 23)
| | .---------- day of month (1 - 31)
| | | .------- month (1 - 12) OR jan,feb,mar,apr ...
| | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
| | | | |
* * * * * user-name command to be executed
Users can also have their own personal crontab files. In the below example root creates (-e, also used for editing crontab files), lists (-l) and then deletes (-r) a crontab file for user bob. Note, bob could perform the same tasks with his own crontab file; the '-u bob' part would just need to be left off. User crontab files are stored in /var/spool/cron
[root@host ~]# crontab -u bob -e
[root@host ~]# crontab -u bob -l
* * * * * echo "bob"
[root@host ~]# crontab -u bob -r
Encrypting drives with LUKS
Encrypt a drive or partition using:
cryptsetup luksFormat /dev/sda3
Type yes in UPPERCASE letters to confirm the encryption. This process wipes everything on the disk.
Enter your LUKS passphrase. You will use this to access the encrypted drive so don't forget it!
Open (decrypt) the drive:
cryptsetup luksOpen /dev/sda3 your_name
Enter your pass phrase. Note, the name that you specified above will now appear in /dev/mapper/ This is what you refer to when making your file system on the unencrypted drive and mounting it.
Make a filesystem on the unencrypted drive and mount it.
mkfs.ext4 /dev/mapper/your_name
mount /dev/mapper/your_name /mnt/encrypted
To mount the encrypted drive automatically at startup you need to make a reference to /dev/mapper/your_name in the /etc/fstab file as you would with any other drive. However, you also need to edit /etc/crypttab to unlock the drive at startup. The file is blank and you need to add your_name /dev/sda3 none. your_name is the name you specified when using luksOpen, then comes the device name, and none refers to not using a key file for the passphrase (you will need to type it in manually at startup).
Instead of entering a passphrase at boot to unlock your luks encrypted volume, you can do this automatically using a key. First create the key.
dd if=/dev/random of=/root/luks.key bs=32 count=1
Associate the key with the luks encrypted volume:
cryptsetup luksAddKey /dev/sda3 /root/luks.key
Edit the /etc/crypttab file to load the volume using the key at startup:
echo "your_name /dev/sda3 /root/luks.key" > /etc/crypttab
Redirecting standard error and standard output
Redirect standard error to a file
[nick@localhost input]$ ls bob
ls: cannot access bob: No such file or directory
[nick@localhost input]$ ls bob 2> newfile.txt
[nick@localhost input]$ cat newfile.txt
ls: cannot access bob: No such file or directory
Redirect standard error and standard output to a file
ls bob > output2.txt 2>&1
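The order of the two redirections in the last command matters: "> file 2>&1" sends stderr to the file, while "2>&1 > file" does not. This is an added example, not from the guide; MISSING is a constructed path that does not exist, so ls always produces an error message, and each form is captured into a temp file and inspected.

```shell
# Added example: where ls's error text ends up under each redirection form.
# MISSING is a constructed non-existent path; no real files are involved.
MISSING=/nonexistent_constructed_for_demo/bob

# redir_capture FORM -> prints "captured" if the ls error text landed in the temp file,
# "missed" if it went elsewhere. FORM is stderr, both or reversed.
redir_capture() {
  form=$1
  tmp=$(mktemp)
  case $form in
    stderr)   ls "$MISSING" 2> "$tmp" || true ;;       # the page's "2> newfile.txt" form
    both)     ls "$MISSING" > "$tmp" 2>&1 || true ;;   # stdout -> file, then stderr -> where stdout now goes
    # stderr -> where stdout goes NOW (not the file), then stdout -> file; the outer
    # >/dev/null only keeps that stray message off the terminal.
    reversed) { ls "$MISSING" 2>&1 > "$tmp" || true; } >/dev/null ;;
    *) rm -f "$tmp"; echo "unknown form: $form" >&2; return 1 ;;
  esac
  if grep -qF "$MISSING" "$tmp"; then result=captured; else result=missed; fi
  rm -f "$tmp"
  printf '%s\n' "$result"
}

# stdout_untouched -> prints yes when the "2>" form leaves stdout alone: a listing of a
# real file still reaches the caller while only the error goes to the file.
stdout_untouched() {
  dir=$(mktemp -d); tmp=$(mktemp)
  : > "$dir/present"
  seen=$(ls "$dir/present" "$MISSING" 2> "$tmp" || true)
  if [ -n "$seen" ] && grep -qF "$MISSING" "$tmp"; then answer=yes; else answer=no; fi
  rm -rf "$dir" "$tmp"
  printf '%s\n' "$answer"
}
```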
LDAP authentication
You can enter LDAP authentication details by running authconfig-tui. Tick the 'Use LDAP' and 'Use LDAP Authentication' checkboxes and then enter your server name (can be an IP address) and Distinguished Name (DN). You can check the TLS box to use Transport Layer Security, this can require a certificate. You need to install nss-pam-ldapd and openldap to use LDAP authentication. Changes that you make using this tool will appear in the LDAP configuration file /etc/openldap/ldap.conf.
SUID, SGID, and Sticky Bits
SUID
SUID is a permission that is set on files; it has no effect on folders. It allows users to execute a binary file with the same permissions as the file's owner (including root). Examples of files with SUID set include the passwd, ping and crontab binaries. You can set the SUID using chmod.
The numerical way, SUID equals 4:
chmod 4755 file.txt
The symbolic way, SUID is s in the executable bit location. If the executable bit is off then SUID is a capital S.
chmod u+s file.txt
SGID
SGID can be used to make collaborative folders. It can also be used on files to have a similar effect as a SUID, but with group permissions. When set on folders, all files created under the folder will have the same group permissions as the parent folder, no matter which user creates the files. This allows multiple users to share a folder and access each others documents. You can set the SGID using chmod.
The numerical way, SGID equals 2:
chmod 2755 /home/shared
The symbolic way, note when the executable bit is not set SGID is displayed as a capital S just like the SUID:
chmod g+s /home/shared
Sticky bits
Sticky bits are mainly set on directories. If the sticky bit is set for a directory, only the owner of that directory or the owner of a file can delete or rename a file within that directory. This prevents users from deleting each other's files. This can be used in conjunction with SGID to have a combined effect. You can set the sticky bit using chmod.
The numerical way, the sticky bit equals one.
chmod 1755 /home/shared
The symbolic way, the sticky bit is represented as a t, when the executable bit is not set it is T:
chmod +t /home/shared
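The s/S and t/T display rules spelled out in the three sections above can be exercised without touching any file. This is an added example, not from the guide: it converts an octal mode such as 4755, 2755 or 1755 into the permission string ls -l would show, and names the special bits found in such a string; it goes slightly beyond the text by handling every combination of the three bits.

```shell
# Added example: numeric mode <-> symbolic display for SUID, SGID and sticky.
# Pure POSIX sh arithmetic; no files are read or changed.

# mode_to_symbolic OCTAL -> prints the 9-character permission string, e.g. 4755 -> rwsr-xr-x
mode_to_symbolic() {
  mode=$1
  case $mode in
    [0-7][0-7][0-7])       special=0; perms=$mode ;;
    [0-7][0-7][0-7][0-7])  special=${mode%???}; perms=${mode#?} ;;   # first digit: 4=SUID 2=SGID 1=sticky
    *) echo "bad mode: $mode" >&2; return 1 ;;
  esac
  out=""; pos=0
  for digit in $(printf '%s' "$perms" | sed 's/./& /g'); do
    # read and write bits map straight to r and w
    if [ $((digit & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((digit & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    # the execute slot shows s (user/group) or t (other) when the special bit is set;
    # uppercase means the special bit is set but the execute bit is not
    case $pos in
      0) flag=$((special & 4)); lower=s; upper=S ;;
      1) flag=$((special & 2)); lower=s; upper=S ;;
      2) flag=$((special & 1)); lower=t; upper=T ;;
    esac
    if [ "$flag" -ne 0 ]; then
      if [ $((digit & 1)) -ne 0 ]; then out="${out}${lower}"; else out="${out}${upper}"; fi
    elif [ $((digit & 1)) -ne 0 ]; then out="${out}x"
    else out="${out}-"
    fi
    pos=$((pos + 1))
  done
  printf '%s\n' "$out"
}

# symbolic_special STRING -> names the special bits in an ls -l permission string
# (with or without the leading file-type character), e.g. "suid sticky"; empty if none.
symbolic_special() {
  s=$1
  case ${#s} in 10) s=${s#?} ;; esac       # drop the "-" or "d" type column
  names=""
  case $(printf '%s' "$s" | cut -c3) in s|S) names="${names}suid " ;; esac
  case $(printf '%s' "$s" | cut -c6) in s|S) names="${names}sgid " ;; esac
  case $(printf '%s' "$s" | cut -c9) in t|T) names="${names}sticky " ;; esac
  printf '%s\n' "${names% }"
}
```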