____________________________________________________________________
1969 - 1st unix distro
1991 - gnu linux
CENTOS - Community enterprise O.S
igdrizzle = first version of linux distro was named
------------------------------------------------------------------------------------------
Scaling CPU Performance.
cd /sys/devices/system/cpu/cpu0/cpufreq/
ls
affected_cpus
cpuinfo_cur_freq
cpuinfo_max_freq
cpuinfo_min_freq
scaling_available_frequencies
scaling_available_governors
scaling_cur_freq
scaling_driver
scaling_max_freq
scaling_min_freq
scaling_governor
cat cpuinfo_cur_freq
2000000
cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
performance
echo "powersave" > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
[root@station3 cpufreq]# cat cpuinfo_cur_freq
1000000
[root@station3 cpufreq]# echo performance > scaling_governor
[root@station3 cpufreq]# cat cpuinfo_cur_freq
2000000
----------------------------------------------------------------------------------------------
Manual pages and command helps..
whatis grub
is the same as
man -f grub
the above commands will search for the whole word grub,
man -k grub
will search for the pattern grub anywhere in the string..
apropos grub
info grub
man -f signal
signal (2) - ANSI C signal handling
signal (3p) - signal management
signal (7) - list of available signals
signal.h [signal] (0p) - signals
man signal will show you the first man page..
man 7 signal will take you to the category 7 man page of signal
/usr/share/doc
www.tdlp.org
/usr - operating system shared resources..
-----------------------------------------------
command line tips and tricks
[root@station3 ~]# echo camel
camel
[root@station3 ~]# ^m^ram
echo caramel
caramel
The ^m^ram replaces m with ram
[root@station3 ~]# echo cow dog
cow dog
[root@station3 ~]# ^cow
echo dog
dog
The ^cow command replaces cow with nothing so the command becomes "echo dog"
history
!45 (runs the 45th command in the history)
!-3 run the 3rd command from the bottom..
!! runs the last command in the history
!hi runs the last command that starts with hi
ctrl l
will clear the screen..
-------------------------------------------------------------------------------------
Filesystem.
man hier
/etc
/bin
/sbin
/lib
/dev
needs to be part of the / partition.. and cannot reside on a separate partition.
dd
(copy and covert)
file
the file command will give you information about what type of file it is..
dumpe2fs /dev/hdb1 | less
the command dumps the superblock..
stat /etc/passwd
dumps the information in the inode of the /etc/passwd
df -i
lists the available list of inodes.. on each partition..
ls -i
gives you the inode number of the files..
---------------
available channels.
STDIN 0 <
STDOUT 1 >
STDERR 2 2>
find /etc/ -name passwd 2> errors 1> results
find /etc/ -name passwd > results 2>&1
is the same as
find /etc/ -name passwd &> results
tee
is like a t piece which can be used to direct output of a command to both a file and to the stdout
tr command
echo "some random text" | tr 'aeiou' 'AEIOU'
stat
the stat command can be used to display file or filesystem status
if you want to make sure that you bypass the alias when you run a command. you can escape the command with a \
ls on its own will use the alias, which possibly includes "ls --color"
\ls will run the native command ls bypassing the alias setting.
reset
reset command can be used to reset the terminal. specially when your command prompt is all messed up.
login shell - will process the following startup scripts
/etc/profile
~/.bash_profile
non login shells will use the below startup scripts
/etc/bashrc
~/.bashrc
But in redhat, a login shell will process all 4 scripts.
custom scripts for all users should go into /etc/profile.d/
user specific ones will go into the user related ones..
paste
the paste command is used to take 2 files and combine them as delimited columns
aspell check
used to spell check a file.
"look" command can also be used for spell checks..
-----------------------------
regex
\< => beginning of word
\> => ending of word
if you want to search for a bigger string you can use the below
\(sample\|test\)
can be used to search for the string "sample" or "test"
----------------------------------------------
Unit - 4
bios uses the IPL (initial program loader) to find the boot loader..
partprobe - gets the kernel to re-read the partition table.
ext3 has several journaling modes..
1. ordered - this is the default.. setting.
2. journaled - journals data and metadata --- you need a separate journal device (need to check this out.)
3. writeback (redhat disables it)
mount options noatime and nodiratime increase performance.
fuser -vm /boot
fuser -k /boot can be used to kill any process which has got access to /boot.
makes it easy to umount a device which is busy.
e2label.. can be used to label a partition.
rhce exam they love messing with labels..
dd if=/dev/zero of=fakedisk bs=1M count=128
mkfs -t ext3 fakedisk
mount -o loop fakedisk /mnt/fakedisk
mount aliases
mount --bind /mnt/stuff /mnt/usb
allows you to have multiple location where the device appears to be mounted..
nfsserver mounts
showmount -e server1
smbclient -U'eur\sushil.suresh' -L lonfs01
auto mounting..
/etc/auto.master
/etc/autofs/auto.master
lsattr /etc/passwd
chattr +i /etc/passwd
attributes
+i immutable
+a append mode only
tune2fs - can be used change the max mount count etc.
dumpe2fs - can be used to dump the superblock etc.
debugfs - low level filesystem repair tool
parted - partitioning tool.
Unit 6
Rpm installation
-i install (typical for kernel install as the old version is left as it is.. )
-U upgrade
-F freshen
RPM removal
-e erase
RPM queries
-q query
-qa query all
-ql obtain a list of files installed by package
-qlp query the package file for a list of files..
-qi query for information
-qip query for information from the package file
-q --changelog shows you the change log of the package
-q --scripts shows you the scripts that are run when you install or uninstall the rpm package.
-qf search the origin of a file..
-q --provides will list libraries that are provided by the
-q --whatrequires will tell you what requires the library
-q --whatprovides
-K perform a keycheck on the rpm package filename
rpm --import
gpg --import
rpm -V initscripts
.......T c /etc/inittab
S.5....T c /etc/rc.d/rc
S.5....T c /etc/sysctl.conf
T indicates time stamp has changed
5 indicates that the md5 checksum has changed, or in other words the content has changed.
c indicates that the file is a config file.
rpm -Va will verify every package file..
extracting an rpm file
rpm2cpio filename.rpm
rpm2cpio initscripts-8.45.19.EL-1.el5.centos.1.x86_64.rpm | cpio --extract --make-directories '*inittab*'
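Added example (not from the original notes): a small script that decodes the rpm -V / rpm -Va flag codes described above and separates changed config files from changed binaries or missing files. The report in SAMPLE_RPM_V is constructed; on a real host pass it the output of rpm -Va instead.

```shell
#!/bin/bash
# Decode "rpm -V" output. Positions of the 8-character code:
# S size, M mode, 5 md5 digest, D device, L symlink path, U user,
# G group, T mtime; "." means the test passed, "?" could not be tested.
# The report below is constructed sample data, not real output.
SAMPLE_RPM_V='
.......T  c /etc/inittab
S.5....T  c /etc/rc.d/rc
S.5....T    /bin/login
missing     /usr/sbin/sshd
.M......    /usr/bin/passwd
'

# decode_flags CODE -> space-separated names of the tests that failed
decode_flags() {
    rest="$1"; out=""
    while [ -n "$rest" ]; do
        c="${rest%"${rest#?}"}"; rest="${rest#?}"   # peel the first char
        case "$c" in
            S) out="$out size" ;;    M) out="$out mode" ;;
            5) out="$out digest" ;;  D) out="$out device" ;;
            L) out="$out symlink" ;; U) out="$out owner" ;;
            G) out="$out group" ;;   T) out="$out mtime" ;;
        esac
    done
    echo "${out# }"
}

# suspicious_files REPORT: print files that are missing, or whose size,
# mode, digest, owner or group changed and that are NOT config files (c).
# A changed config file is usually local tuning; a changed binary is not.
suspicious_files() {
    report="$1"
    while read -r code attr path; do
        if [ -z "$code" ]; then continue; fi
        if [ "$code" = missing ]; then echo "${path:-$attr} (missing)"; continue; fi
        if [ -z "$path" ]; then path="$attr"; attr=""; fi   # no attribute column
        if [ "$attr" = c ]; then continue; fi               # config file: skip
        case "$code" in
            *[SM5UG]*) echo "$path ($(decode_flags "$code"))" ;;
        esac
    done <<EOF
$report
EOF
}

suspicious_files "$SAMPLE_RPM_V"
```

On a live system run suspicious_files "$(rpm -Va 2>/dev/null)" and compare the list against your change records.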
Kickstart file has got several sections
the config section has got configuration information
package section (which contains categories and individual packages)
%pre (section)
This section will contain information to be used and performed before installation
%post (section)
This section will contain information to be used and performed post installation
----------------------------------------------
Unit - 7
system-config-authentication
can be used to change the authentication method between local auth, ldap, nis etc..
you might have to use --nox if you want to run it in text mode.
supported account information services
local files, NIS, LDAP, Hesiod, Windbind
Supported authentication mechanisms..
NSS, Kerberos, LDAP, SMB, Winbind
Nis.
ACL or access control list..
mount -o acl
you need to mount the filesystem with acl option inorder for acls to work.
getfacl
setfacl -m u:
setfacl -m d:u:
setfacl -x u:
SELinux
each process or object has an SElinux context.
context :- identity:role:domain/type
3 modes of operation
1) completely off,
2) on, but permissive mode,
3) on , and is restrictive
the default log file for selinux is /var/log/audit/audit.log
getenforce
setenforce
setsebool (set boolean values in a persistent manner)
edit /etc/sysconfig/selinux
from grub append enforcing=0 or selinux=0
usefull to have setroubleshoot-server
yum install setroubleshoot-server
service setroubleshoot start
ls -Z /etc/passwd
-rw-r--r-- root root system_u:object_r:etc_t /etc/passwd
ps -Zax
The Z switch is used to get hold of the contexts for a file or process..
chcon -t etc_t anaconda-ks.cfg
chcon - change SELinux security context
system-config-securitylevel
system-config-selinux(part of policycoreutils-gui)
if selinux is switched on.. then there should be
/selinux
/selinux/booleans
selinux policy editor... can be used to edit the policy..
default policies are targeted and strict which is provided by redhat.
if you deviate from this.. then you are in violation of the support contract.
the policy editor to install it you do
yum install policycoreutils-gui
setroubleshoot-server
cups
/etc/cups/cupsd.conf
/etc/cups/printers.conf
lpadmin
system-config-printer
or localhost:631
to configure printers..
gtklp great utility to send print jobs.
gtklp.sf.net
Crontab.
/etc/cron.allow
/etc/cron.deny
only one file needs to exist.
allow takes precedence over deny..
star
star is the equivalent of tar but is aware of SE linux contexts ...
so if you want to backup selinux enabled disks.. always use star
----------------------------------------------
Unit 8
Software Raid(meta devices)
mdadm /dev/md0 -C
mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda7 /dev/sda8
I tend to prefer the longer version of the options as it is self explanatory, and easier to remember or recollect, especially when you don't use it on a daily basis. The shorter version of the command would be
mdadm -C /dev/md0 -l 1 -n 2 /dev/sda7 /dev/sda8
In the above commands level (or raid level) could be
linear, raid0, 0, stripe, raid1, 1, mirror, raid4, 4, raid5, 5, raid6, 6, raid10, 10, multipath, mp, faulty
mdadm --detail /dev/md0
will give you information about the raid device md0
cat /proc/mdstat will give you the same information.
if you want to force a disk in an array to fail..
mdadm /dev/md0 -f /dev/sda1
and to add a drive back.
mdadm /dev/md0 -a /dev/sda1
______________________________________________________
stride = filesystem block size divided by chunksize.
Logical Volumes (LVM)
The basic concept of lvm consists of 3 components
Physical Volumes
Volume Groups (made up of one or more physical volumes)
Logical Volumes (created from space available in a volume group)
Creating LVMs
pvcreate
vgcreate
lvcreate
lvm-greats
Displaying information about LVMs
pvdisplay
vgdisplay
lvdisplay
lvcreate
-L size in MB/GB etc..
-l size in physical extents.
Resizing logical volumes
vgextend
lvextend
vgreduce
pvmove
ext2online (only to be used on RHEL4 and below)
resize2fs (to be used on RHEL5 and above)
Example:
pvcreate /dev/sda9
pvcreate /dev/sda10
vgcreate lvmgroup /dev/sda9 /dev/sda10
lvcreate --size 200M lvmgroup --name lvm_disk
pvcreate /dev/sda11
vgextend lvmgroup /dev/sda11
lvextend -L +50M /dev/lvmgroup/lvm_disk /dev/sda11
resize2fs -p /dev/lvmgroup/lvm_disk
----------------------------------------------
Quota system in Linux.
user quotas and group quotas can be set up.
quotas are generally applied on a per user basis rather than per group.
mount -o remount,usrquota /home
You can remount the partition with the relevant quota options or for more permanent setup add usrquota and/or grpquota to the options column in fstab.
When setting quotas for the first time, make sure you run the quotacheck command to create the quota database for first use. The -c option creates the "aquota.user" and "aquota.group" databases which are necessary to facilitate the usage of quotas.
quotacheck -cm /home
Once the quota database is setup, you need to enable or switch on quotas.
quotaon /home
quotaoff command can be used to switch quotas off
edquota can be used to edit the quota setting for a user or group
edquota bob (can be used to edit the quota setting for bob)
one can use -u for user quota or -g for group quota
The -p option can be used to replicate or copy quota setting of an existing user to another.
edquota -p bob joe
(copies bobs quotas to joe)
repquota generates a report on all user based quotas
repquota /home (reports on all user based quotas.. )
warnquota can be used to send emails to all users exceeding their quota
warnquota /home
Quotas can be set at a block level and at an inode level.
Each of the above levels have a hard and soft limit.
Soft limit can be exceeded, but hard limits cannot.
Block level limits are are set in 1K blocks.
The default grace period once the soft limit is exceeded by a user is 7 days.
If the grace period expires, the user's soft limit becomes his hard limit.
One can set or reset the grace period by using the
edquota -t or edquota -T
commands.
----------------------------------------------
troubleshooting
X -probeonly -logverbose 5
service --status-all
----------------------------------------------
iptables..
firewalling happens at the kernel level.
iptables is just used to interface with the kernel
Architecture..
netfilter
three main tables.
nat, filter, mangle,
each table contain chains..
for NAT the chains are
pre-routing
post-routing
output
for FILTER table the chains are
input (affects packets for me)
output (affects packets originating from me)
forward (affects packets that are going through me.. or routed through me)
1. incoming packet
2. crc/sanity check
3. pre-routing check
4. routing decision ?
5. is this packet "to me", "through me", or "from me"
"to me" packets
gets passed to the INPUT chain of the filter table
it then goes to the relevant application
"through me" packets
get passed to the FORWARD chain in the filter table
which then gets passed to the POSTROUTING chain in the NAT table
then it gets delivered
"from me" packets
Application generates from me packets
it gets passed to the OUTPUT chain in filter table
these packets then go through a routing decision
it then becomes a "from me" packet
This packet then goes through the OUTPUT chain of the nat table
and then get delivered.
different types of NAT
DNAT
SNAT
MASQUERADING
DNAT can only be applied at PREROUTING
SNAT and MASQUERADE can only be applied at POSTROUTING
Rule targets
builtin targets - DROP, ACCEPT
extension targets - LOG,REJECT, custom
-I insert - always adds the rule at the top (rule 1) unless a number is given
-A append - always adds the rule at the bottom
-R replace - replace rule number n in the chain
-D delete - delete rule number n from the chain
preparing iptables rules
Where am I putting the rule?
1. specify which table you are going to work with (-t)
2. specify the operation to perform: Insert, Append or Replace. With Insert and Replace you can give a rule number; for Insert, if you don't give a number it assumes 1
Specify what type of packet you are looking for
Type of packet source/destination (-s/-d)
Specify the interface incoming/outgoing (-i/-o)
Protocol (-p)
port (--dport/--sport)
match rule extensions.. used to extend the functionality of iptables matching (-m)
match rule extensions - eg: state, mac, tcp, udp, multiport
Where to send it (the target)
DNAT --to-dest - if you chose pre-routing chain in nat table
SNAT --to-source - if you chose post-routing chain in nat table
MASQUERADE - if you chose post-routing chain in nat table
ACCEPT - if it is filter table
REJECT - if it is filter table
DROP - if it is filter table
LOG - if it is filter table
To change the default policy of a chain you can use the -P flag
iptables -P FORWARD DROP
iptables -P INPUT DROP
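Added example (not from the original notes): a default-deny host firewall written from the recipe above (table, operation, match, target). IPT defaults to "echo iptables" so the rules are only printed for review; WAN_IF and ADMIN_NET are assumed placeholders.

```shell
#!/bin/bash
# Default-deny INPUT policy built step by step as in the notes.
# IPT="echo iptables" prints the commands; run with IPT=iptables as root
# to apply them. Interface and admin network below are assumed values.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"

fw_rules() {
    # 1. Where: the filter table. -P sets the default policy of a chain,
    #    so anything no rule accepts is dropped.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
    # -I with a number inserts at the top: loopback must be matched first.
    $IPT -t filter -I INPUT 1 -i lo -j ACCEPT
    # 2. What: the state match extension (-m) accepts replies to
    #    connections this host started.
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #    -i interface, -p protocol, --dport port, -s source address.
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    # 3. Target: LOG does not terminate the chain, so the final DROP
    #    follows it; -m limit keeps the log from being flooded.
    $IPT -t filter -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
    $IPT -t filter -A INPUT -j DROP
}

fw_rules
```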
----------------------------------------------
file sharing
----------------------------------------------
Bind on redhat
required packages
bind-utils, bind-chroot, bind, caching-nameserver
caching-nameserver installs a sample/skeleton config
if you want to install chroot.. always.. install bind-chroot before you install bind
selinux requires that slave zones be in the directory "slaves/"
if not, selinux will throw an error and you will be lost
format for a zone record.
host/domain TTL RCLASS RTYPE RDATA
----------------------------------------------
----------------------------------------------
sysadmin
User Authentication (PAM) Pluggable Authentication Module.
Documentation is in
/usr/share/doc/pam-versionnumber/txts/
2 types of information .. Account info, and authentication
glibc initially carried out the authentication..
then modular versions of the library came about for authentication.
/etc/nsswitch.conf was used to link m
getent lets you retrieve information from the various nsswitch databases.
The newer and much better/modular method is using PAM
they talk to the nsswitch using the pam_unix module.
PAM allows to reconfigure authentication without rewriting applications.
libpam handles checks based on the pam configuration files.
/etc/pam.d/
there is a separate configuration file for each application
the configuration file is broken into 3 columns
right most column is the name of the module called.
PAM sees authentication as a 4 steps
1. auth - Establishes the identity of the user.
2. account - Allows/denies access based on account policies - time, password expiration, or specific list of restricted users
3. password - Manages password policies.
4. session - Applies application/session related information.
Any PAM configuration file has 4 columns
The first column Module type will be one of the 4 stages of PAM authentication process discussed above (auth,account,password,session). It dictates which phase of the authentication is handled by the line.
The second column Control_flag dictates how the module is resolved..
The control flag dictates how the configuration file reacts when a module returns a success or failure.
The various control flags are
1. required - If the module passes, the commands proceeds. If it fails PAM proceeds to the next command in the configuration file, but the command controlled by PAM will still fail.
2. requisite - Stops the process if the module fails
3. sufficient - If the module succeeds, no other commands need to be processed.
4. optional -
5. include - (indicates that the following module needs to be loaded as well)
The third column or Module_Path indicates which module is invoked or used to verify the current phase of the pam authentication.
Note: if the file /etc/nologin file exists, regular users are not allowed to login into the local console. Any regular user that tries to log in gets to the contents of the /etc/nologin as a message.
/etc/security/
pam_time is configured in /etc/security/time.conf
pam limits /etc/security/limits.conf you can allocate cpu time for users etc..
/etc/security/limits.conf can restrict access to your machine for user accounts.
/etc/securetty
This file configures/lists the consoles from where you can login as the root user. This does not affect the regular users.
-----
pam_listfile.so
This module can be used to configure pam to limit access to specific users
auth required pam_listfile.so onerr=succeed item=user sense=allow file=/etc/special
If the item(user) is found in file /etc/special and as sense is allow, PAM will allow the user to run the application.
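Added example (not from the original notes): a small simulator for how one PAM phase resolves the control flags described above, using the pam_listfile line from the notes as one entry of a constructed stack. The stack, the module results and /etc/special are all assumed.

```shell
#!/bin/bash
# Constructed auth/account stack in /etc/pam.d format (type, control
# flag, module, arguments). Not a real RHEL file.
PAM_STACK='
auth    required   pam_env.so
auth    required   pam_listfile.so onerr=succeed item=user sense=allow file=/etc/special
auth    sufficient pam_unix.so nullok
auth    requisite  pam_succeed_if.so uid >= 500 quiet
auth    required   pam_deny.so
account required   pam_unix.so
'

# pam_resolve PHASE "module=fail ..." STACK -> prints ok or fail
# Modules not listed in the second argument are taken to succeed
# (pam_deny.so always fails, so name it every time).
#   required   - a failure is remembered but the remaining modules still run
#   requisite  - a failure ends the phase immediately
#   sufficient - a success ends the phase with ok, unless a required
#                module already failed
#   optional   - does not affect the result
pam_resolve() {
    phase="$1"; failures="$2"; stack="$3"; failed=0
    while read -r type flag module rest; do
        if [ "$type" != "$phase" ]; then continue; fi
        res=ok
        case " $failures " in *" $module=fail "*) res=fail ;; esac
        case "$flag" in
            required)
                if [ "$res" = fail ]; then failed=1; fi ;;
            requisite)
                if [ "$res" = fail ]; then echo fail; return 0; fi ;;
            sufficient)
                if [ "$res" = ok ] && [ "$failed" -eq 0 ]; then echo ok; return 0; fi ;;
        esac
    done <<EOF
$stack
EOF
    if [ "$failed" -eq 0 ]; then echo ok; else echo fail; fi
}

# Demo: a user listed in /etc/special who gives the right password.
pam_resolve auth "pam_deny.so=fail" "$PAM_STACK"
```

To read a real stack, pass "$(cat /etc/pam.d/sshd)" as the third argument; include lines are not followed.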
__________________________________________________________________________
find / \( -nouser -o -nogroup \)
search for files not owned by any user or any group
find / -type f -perm -2
search for files with write permission for others..
-----------------------
turn on process accounting
accton /var/account/pacct
lastcomm
ac
ac --daily-totals --individual-totals
-----------------------
Email Server
The RHEL exam expects you to have a decent understanding of mail services
sendmail, dovecot, postfix, and procmail.
Dovecot provides IMAP, POP3, and POP3S services.
system-switch-mail
system-switch-mail-gnome
above commands can be used to switch between the various mail systems.
sendmail
Main configuration files are located in /etc/mail
There are 2 main configuration files
sendmail.cf - for incoming mails
submit.cf - for outgoing mails.
/etc/mail/sendmail.mc
sendmail.cf is the original configuration file for sendmail.
as it was too cryptic and complicated, the sendmail.mc configuration file was introduced: a macro language file which is used to generate sendmail.cf
so once you edit the sendmail.mc file you need to regenerate the sendmail.cf file
This can be done in one of the 2 ways below.
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
OR
make -C /etc/mail
/etc/aliases
/etc/mail/local-host-names
has a list of domains for which the mail server will accept emails.
/etc/mail/access
let you configure who you will accept email from and who you will relay email for
mail -v user
the -v option is quite useful..
mailq - mail queue
mailq -Ac (mail submission queue)
[root@station4 mail]# which sendmail
/usr/sbin/sendmail
[root@station4 mail]# ls -l /usr/sbin/sendmail
lrwxrwxrwx 1 root root 21 Dec 16 09:50 /usr/sbin/sendmail -> /etc/alternatives/mta
[root@station4 mail]# ls -l /etc/alternatives/mta
lrwxrwxrwx 1 root root 27 Dec 16 09:50 /etc/alternatives/mta -> /usr/sbin/sendmail.sendmail
alternatives --config mta
alternatives --display mta
system-swith-mail can also be used...
alternatives program is used to switch between different version or alternatives of the same program.
Postfix
The configuration files are stored in /etc/postfix
modular suite of programs..
daemons :- master nqmgr,
postconf
postconf -e 'inet_interfaces=localhost,172.24.0.1'
The above command will update the postfix configuration (main.cf) with the given parameter
postsuper
the above command is quite useful tool
control command for postfix.. postfix superintendent.
postmap - to get postfix to regenerate the hash map of the modular config files
postalias - used to inform postfix that you have updated the alias file
you can use regular expressions to filter your email.
PROCMAIL
procmail is the MDA or the mail delivery agent.
postconf -e 'mailbox_command=/usr/bin/procmail'
is used to enable procmail mail handling for postfix.
procmailex
useful to configure procmail
Dovecot
The main configuration file is
/etc/dovecot.conf
The default values for the variables are shown in # comment lines. If you are going to use the default values you don't have to uncomment them.
The one setting you definitely have to configure is the "mail_location" variable.
This variable is required for Dovecot to function properly, and defines the location where email is stored.
Certificates and keys for secure POP3 and IMAP connection are stored in the following directories
/etc/pki/dovecot/certs
/etc/pki/dovecot/private
Before deploying new certs, move the existing ones out of the way.
The main configuration file which holds setting for the certificate are located in
/etc/pki/dovecot/dovecot-openssl.cnf
Make the necessary changes to the above configuration file and run the below script to generate new certs and keys.
/usr/share/doc/dovecot-1.0.7/examples/mkcert.sh
-----------------------
-----------------------
--------------------
sniffit
htop
bing
latencytop
powertop
cowsay
smbnuke
adventure shell
mp (can be used to play video in text mode)
vimtutor
ccze (colourise text)
pbzip2 (parallel bzip2)
rbash (restrictive bash shell)
inkscape (
http://www.supergrubdisk.org/ (boot disk to troubleshooting partition issues..)
gpart - can be used to guess partitions.. once deleted and recover stuff etc..
http://www.stud.uni-hannover.de/user/76201/gpart/
http://www.alink.co.za/books/
http://vorbis.com/ (open source audio format)
http://www.rockbox.org/
wikipedia searches
echelon
carnivore software
jetset (used to set the status of the printer)
jetset
etherape a gui.. for mapping network traffic